By Jeff Kabachinski, MS-T, BS-ETE, MCNE
This installment of Networking concerns network firewalls. We will define what firewalls are and what they do. We will also explore what are known as next-generation firewalls (NGFs) and how they play a role in cybersecurity and network protection.
In general, a firewall is a software or software-and-hardware appliance used to create a boundary between your enterprise network and the Internet. Although a firewall can help control communication between any two networks, most of the time it applies to the boundary of your trusted network and an untrusted network such as the internet.1
The OSI Model
Consider the network communication layers ISO spells out in its OSI Reference Model, established way back in the 1960s and now part of our networking vernacular. Recall that bridges and switches operate at Layer 2, the Data Link Layer (see the February 2015 Networking column in 24×7 for details of the OSI Model); this is the LAN layer, and it defines the activity that occurs within a local network. Layer 3 defines WAN connectivity and is the level at which routers operate. Layer 4, the Transport Layer, handles the transfer of information and the connection to the network operating system’s protocols, most often via TCP ports. At the top of the model is the application connection layer, Layer 7. These are also the layers that firewalls are concerned with.
The term firewall originally comes from a use in buildings. It referred to a wall made to confine or limit a fire between different parts of a building. Another type of firewall can be found in your car in the form of a metal sheet between the engine and the passenger compartment.2
In networking applications, firewalls did not at first protect against malware, viruses, or spam emails. For that you needed other methods of protection, but as we will see, that’s changing.
In general, firewalls are either positively or negatively controlled. On one end of the extreme—the positive approach—firewalls could be strict by only allowing traffic with known and registered external hosts and blocking all other traffic from hosts not on the “allowed” list. This approach can severely limit traffic and online function. The opposite extreme—the negative approach—is to be permissive (AKA “promiscuous”) and allow all traffic except for those on a “blocked” list to cross the firewall. Obviously, it is somewhere between these extremes that firewalls are most useful.3
Port Monitoring and Packet Filtering
A basic firewall should be able to do port monitoring and packet filtering. This involves mainly TCP ports at Layer 4 of the OSI model. The firewall can block traffic that wants to use a specific TCP port, making the pass or deny call based on policy. Or it can block outsiders from starting a connection with an internal node at the TCP level.4 The firewall can examine the Layer-4 packet to determine what’s happening and what direction the traffic is travelling. For example, TCP uses a 3-way handshake to set up a communication session. The node initiating the communication sends a SYN TCP packet to the node it wants to communicate with. The recipient sends back a SYN-ACK packet indicating that it is willing to communicate. Finally, the initiator sends back another SYN-ACK packet to acknowledge that they are now connected and communication can commence. The packet filtering firewall can read these packets and either block any communication where the initial SYN packet comes from the untrusted side or allow an internal node to initiate a session with an outsider. Firewalls not only need to read into the packet, but also to consider the timing and direction of communication.5
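Direction-aware filtering at Layer 4, as an added illustration (not code from the column): a packet with SYN set and ACK clear is treated as a session-open attempt and permitted only from the trusted side, and every later packet must belong to a session the inside opened. The network prefix and addresses are constructed; in the standard handshake the initiator's final packet carries only ACK, and the last packet in the trace (an ACK matching no session) shows why the filter must track state rather than trust flags alone.

```python
from dataclasses import dataclass, field

SYN, ACK = 0x02, 0x10  # TCP header flag bits (RFC 793)

TRUSTED_PREFIX = "10.0.0."   # constructed: addresses of the trusted network


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    sport: int    # source TCP port
    dst: str      # destination IP
    dport: int    # destination TCP port
    flags: int    # TCP flag bits


def is_trusted(ip: str) -> bool:
    return ip.startswith(TRUSTED_PREFIX)


@dataclass
class PacketFilter:
    """Layer-4 filter that lets only the trusted side open TCP sessions."""
    sessions: set = field(default_factory=set)

    def decide(self, pkt: Packet) -> str:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        opening = bool(pkt.flags & SYN) and not (pkt.flags & ACK)
        if opening:
            # A bare SYN is a session-open attempt: permit it only inside-out.
            if is_trusted(pkt.src) and not is_trusted(pkt.dst):
                self.sessions.add(flow)
                return "allow"
            return "deny"
        # Every other packet must belong to a session the inside opened.
        if flow in self.sessions or reverse in self.sessions:
            return "allow"
        return "deny"


def run_trace() -> list:
    """Constructed sample traffic; returns the filter's decision per packet."""
    fw = PacketFilter()
    trace = [
        Packet("10.0.0.5", 40000, "203.0.113.9", 443, SYN),        # inside opens
        Packet("203.0.113.9", 443, "10.0.0.5", 40000, SYN | ACK),  # server answers
        Packet("10.0.0.5", 40000, "203.0.113.9", 443, ACK),        # handshake done
        Packet("203.0.113.9", 5555, "10.0.0.5", 22, SYN),          # outsider opens
        Packet("198.51.100.7", 80, "10.0.0.5", 40001, ACK),        # matches no session
    ]
    return [fw.decide(p) for p in trace]
```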
App Level Filtering
There are a few different types of firewalls, from the network level packet filter described above to an application layer gateway. Gateways by definition are translators, translating protocols or languages at any level of the OSI Reference Model. The term gateway is also loosely used for routers, network address translators, and firewalls—don’t let loose talk trip you up.
An Application Layer gateway or firewall can also mask the host node on the trusted network by making it appear to the untrusted side that the traffic originated from the firewall. The firewall can be programmed to examine all traffic that traverses the boundary between the trusted and untrusted networks. The firewall compares the information it is set up to monitor with the programmed rules in its database. Since we’re talking about the Application Layer, or Layer 7 of the OSI model, at this point we’re peering into the deepest depths of network communication.
As we’ve seen, if the firewall sees an Internet node trying to connect directly to an enterprise node, the firewall can block that traffic. If the expected type of payload is not seen at the Application Layer, the firewall can also block that traffic. In still other cases it may allow a direct connection for streaming video or audio programs to avoid latency (delay) once the initialization process is complete and verified.1
Applications that use nonstandard ports or encryption are, in effect, trying to bypass port-based firewall packet filtering. This approach is an attempt by the application to make itself more accessible and to evade the added latency of nosy firewalls. Some applications that use the Secure Sockets Layer (SSL) never use its assigned port 443, preferring either port hopping or ports in the highest TCP port address range.
For these reasons, NGFs are now based on the application itself (called deep inspection) to identify and control traffic, rather than just the port and protocol used. The NGF is rapidly becoming critical to cybersecurity.
NGFs have a big job to do. Not only do they inspect and control Application Layer packet payloads, but they also are used for advanced malware detection, intrusion prevention techniques, and the ability to decrypt SSL traffic. Meanwhile, they’re also performing port monitoring and content filtering as in the original firewalls. In the long run, this approach can help thwart employees from using non-business, non-approved Web applications and sites, thus furthering network security.
This kind of consolidation into one utility or network appliance reduces the hardware and software that was needed when these functions were separate. It also can help to reduce the required amount of IT admin control and associated license management.
The NGF brings a lot more functionality and detailed control. This essentially widens what is known as the 5-tuple. In database terminology, tuple refers to an ordered set of values. These values are usually separated by a comma. Consider the following group:
8, nine, *, F9
This is an example of a 4-tuple, where there is a mixture of types of values. A 5-tuple would be 5 items or columns of values, and each row or tuple will fill in the values. (Think of rows and columns as in Excel.) Commonly, the 5-tuples for firewalls would be the source and destination IP addresses, the source and destination TCP port addresses, and the protocol in use. This is what we need to know for port monitoring and protocol-based packet filtering.
Next-generation firewalls widen the firewall rule base by adding elements (columns) to each 5-tuple, starting with “application” and “user identity” and perhaps going wider still, factoring in other elements such as “reputation.”6,7
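A rule base that compares the classic 5-tuple with the widened NGF tuple, as an added illustration (not the column's own code): the port-based rules let a file-sharing application through because it sits on 443 and block a legitimate application on a nonstandard port, while the NGF rules key on the identified application and user instead. The application names, user group and addresses are constructed, and the default action is the positive (deny-by-default) control model described earlier.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """The classic 5-tuple, widened with the columns an NGF adds."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    application: str = ""  # identified by payload inspection, not by port
    user: str = ""         # from the identity directory


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    match: dict   # field name -> required value; unlisted fields are wildcards

    def matches(self, flow: Flow) -> bool:
        return all(getattr(flow, k) == v for k, v in self.match.items())


def evaluate(rules: list, flow: Flow, default: str = "deny") -> str:
    """First-match rule base; default="deny" is the positive-control model."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Port-based rule base: any inside host may reach TCP/443 on the outside.
CLASSIC = [Rule("allow", {"dst_port": 443, "protocol": "tcp"})]
# NGF rule base keyed on application and user identity (names constructed).
NGF = [
    Rule("allow", {"application": "web-browsing", "protocol": "tcp"}),
    Rule("allow", {"application": "ehr-portal", "user": "clinician"}),
    Rule("deny", {"application": "p2p-filesharing"}),
]

# Constructed flows: file sharing hiding on 443, and the EHR portal on 8443.
P2P_ON_443 = Flow("10.0.0.5", "203.0.113.9", 40000, 443, "tcp", "p2p-filesharing", "guest")
EHR_ON_8443 = Flow("10.0.0.6", "198.51.100.2", 40001, 8443, "tcp", "ehr-portal", "clinician")


def compare() -> dict:
    return {
        "classic/p2p": evaluate(CLASSIC, P2P_ON_443),   # port says 443: allowed
        "ngf/p2p": evaluate(NGF, P2P_ON_443),           # app says p2p: denied
        "classic/ehr": evaluate(CLASSIC, EHR_ON_8443),  # not 443: default deny
        "ngf/ehr": evaluate(NGF, EHR_ON_8443),          # app + user: allowed
    }
```

Passing `default="allow"` to `evaluate` gives the permissive model from earlier in the column, where everything not on the blocked list crosses the firewall.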
The NGF also brings scalability options as your network grows and changes, in terms of how deep you want the packet inspection to go into the OSI model. As stated earlier, application inspection indicates that the NGF is looking all the way into Layer 7 payloads.8
Unfortunately, it’s not a good idea to try to upgrade an older firewall utility with newer NGF concepts. It really needs to be designed from the bottom up, taking advantage of parallel processing with processors designed to handle network data traffic by splitting the work of opening packets and making pass/deny decisions as quickly as the data arrives (AKA “wire speed”). Designing from scratch also allows the lowest power consumption, generating less heat to boot.
Firewalls are really the access control point for all network traffic, allowing or denying traffic to pass, in either direction, based on policy. The firewall is usually the only place that sees all traffic flowing across the network and is the most logical place to enforce access and control policies. Positive control models are most often seen as a better choice, allowing only pre-approved communication and denying all others.
As technology progresses and processing power and speeds forever increase, so will the use of deep-inspection firewalls. NGFs allow full-stack inspection with supporting intrusion protection and granular policy control. The ability to check every single packet crossing a firewall in either direction currently adds latency, causing communication delays that may not be acceptable. I expect that to improve.
Next-generation firewalls go a long way in enabling cybersecurity. Cybersecurity should be forever at the top of our list of healthcare IT objectives, spurring us to keep learning and using the latest techniques—such as next-generation firewalls. While it’s tough to keep up with hackers and their forever improving set of tools, a properly configured NGF can be key to providing cybersecurity in healthcare.
Jeff Kabachinski is the director of technical development for Aramark Healthcare Technologies in Charlotte, NC. For more information, contact [email protected]
1. Newton, H. (2014). Newton’s Telecom Dictionary. New York: Telecom Publishing.
2. Wikipedia. (2015, Jan 26). Firewall (Computing). Retrieved from Wikipedia, the free encyclopedia: http://en.wikipedia.org/wiki/Firewall_(computing)
3. Hall, E. (1996, November 15). Internet Firewall Essentials. Retrieved from Network Design Manual, Network Computing: http://www.networkcomputing.com/netdesign/wall1.html
4. Cisco Systems. (2006). Internetworking Technology Handbook. Cisco Systems.
5. Pickering, R. (2015, Jan 24). Internet Firewall Tutorial. Retrieved from ipcortex: http://www.ipcortex.co.uk/wp/fw.rhtm
6. Techtarget.com. (2015, Jan 26). Tuple. Retrieved from WhatIs.com: http://whatis.techtarget.com/definition/tuple
7. Snyder, J. (2011, Aug 22). What is a next-generation firewall? It’s all about widening the 5-tuple. Retrieved from Network World: http://www.networkworld.com/article/2179975/network-security/what-is-a-next-generation-firewall-.html
8. Dell SonicWALL. (2013). How to Build a Massively Scalable Next-Generation Firewall. TechTarget Custom Media.