A firewall is a security system that prevents unauthorized access to a secure, private network or intranet that’s connected to an untrusted external network, like the internet. It does this by monitoring the incoming and outgoing traffic on that network like a gatekeeper, so that no unwanted or malicious traffic can reach the devices or applications connected to that network.
Firewalls allow or block data packets—units of data transmitted over a network—from entering a network based on pre-configured security rules. These rules determine what type of traffic should be trusted—and anything that isn’t trusted is automatically blocked. And because the firewall acts as the point of contact between the internal network and the internet, this filtering works both ways, meaning that businesses can also use firewalls to set up browsing restrictions to prevent employees from accessing potentially malicious websites via the company network.
Traditionally, firewalls enabled security teams to filter traffic based on web addresses, IP addresses or ports—entry points where computers exchange information with external devices. Now, many firewalls combine these features with machine learning to help detect evolving threats, and intrusion prevention systems designed to block advanced malware threats and suspicious applications.
Firewalls can be software, hardware, or a hybrid combination of the two, and no two firewalls have exactly the same feature set. This is so that organizations can choose the best firewall to help them solve the specific challenges they’re facing on a daily basis, such as controlling their bandwidth, preventing web-based malware, and stopping users from accessing malicious websites.
However, there are some firewall features that every business needs—and those are what we’re going to talk about.
The internet provides us with a wealth of knowledge, countless means of communication, and endless opportunities. But it also makes us vulnerable to web-based cyberthreats, such as malware, phishing, botnets and monitoring software, or “spyware”.
When successful, these attacks can cause disruption to productivity, financial damage and reputational damage, as well as potentially irreversible data loss. On average, it takes 287 days to identify and contain such a breach—giving cybercriminals plenty of time to cause damage. The best way to minimize that damage is by preventing the threats from entering your network in the first place.
That’s why it’s critical that your chosen firewall be able to identify and block these threats before they cross the network boundary. There are a few ways in which they can do this:
- Packet inspection is the process of examining each data packet being passed through the firewall, in real time. The firewall searches for malicious activity, and can either block the sender, drop the packet, or deliver it, according to the results of the inspection.
- Sandboxing is when the firewall opens a file, URL or executable—as the user downloads it from the internet or an email—in an isolated environment, or “sandbox”. In the sandbox, the file is run and scanned for malicious properties. If the file is deemed safe, it’s passed on to the end user, who can open and use it as normal; if malicious, the threat has been detected without causing any damage to your actual network environment. Sandboxing is particularly effective for protecting against unknown or evolving zero-day threats.
- Bandwidth monitoring, also known as “traffic shaping”, is the process of controlling how much bandwidth is available for certain users, applications and websites. Businesses don’t always have unlimited bandwidth, so it’s important that you allocate it carefully—not doing so can cause problems with productivity, as processes and systems slow down and prevent your users from working effectively. With integrated bandwidth monitoring and control tools, you can allocate certain amounts of bandwidth for all the services your business uses, and prioritize ones that are business-critical, such as phone and video conferencing apps. You can also set backups to take place out-of-hours and via your lower-quality links, so that they have less impact on your users’ productivity. Finally, monitoring your bandwidth allows you to detect whether a malicious actor is using it for their own criminal activities.
- Web filtering is the process of monitoring the web data packets that your network sends and receives for unwanted or malicious content, according to admin-configured rules. These rules can be set up to stop users from visiting unsecure or known malicious websites, and some organizations also use them to restrict access to sites that they don’t want users visiting via the corporate network, like social media platforms, gambling sites and adult content. Firewall providers often offer their own list of trusted or malicious IP addresses and domain names, but you should also be able to create your own allow or deny lists.
- Malware filtering is when the firewall scans for malicious software, websites, and files, as well as inspecting SSL- and TLS-encrypted traffic to make sure it doesn’t contain any malicious content. Some firewalls automatically block access to devices that have been infected with malware to prevent the attack spreading before it’s mitigated. Given that over 70% of all system intrusion breaches involve malware, this is a critical threat detection feature of any firewall.
- Intrusion prevention systems monitor your network for malicious activity and user activities that break corporate policy, capturing data on any events that seem suspicious or anomalous. This data is sent to your security admins, who can use the new information to configure their firewall to prevent repeat attacks and block the traffic of users carrying out actions that breach security policies.
- Virtual private networks (VPNs) use site-to-site encryption to create a private network across a public internet connection, preventing anyone from seeing what your users are doing on the internet and, as a result, keeping your company’s data secure against man-in-the-middle attacks and hackers who may be trying to spy on your users’ online activities. They can also allow your users to securely access the corporate network from a remote location.
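To make the rule-based filtering described above concrete, here is a small worked example of two of those mechanisms: packet inspection against an ordered rule set with a default-deny policy, and a web-filter deny list matched on domain labels. This is illustrative code written for this article, not the code of any firewall product; the rule format, the addresses (all from documentation ranges) and the deny list are constructed for the example.

```python
"""Added example: a minimal stateless packet filter plus a web-filter deny
list. Illustrative only; not any vendor's rule format. Sample policy,
addresses and domains are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR the source must fall in
    dst: str = "0.0.0.0/0"       # CIDR the destination must fall in
    proto: str = "any"           # "any", "tcp" or "udp"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and self.proto in ("any", pkt.proto)
            and self.dport in (None, pkt.dport)
        )


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins. Anything no rule explicitly trusts falls
    through to the default, which is deny: the page's 'anything that isn't
    trusted is automatically blocked'."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed sample policy for a small office: 10.0.0.0/24 is the LAN and
# 10.0.0.10 is a web server reachable from outside on HTTPS only.
RULES = [
    Rule("deny", src="10.0.0.0/24", proto="tcp", dport=23),     # no Telnet, even outbound
    Rule("allow", src="10.0.0.0/24"),                           # LAN may go anywhere else
    Rule("allow", dst="10.0.0.10/32", proto="tcp", dport=443),  # public HTTPS to the web server
]

# Constructed deny list for the web-filtering feature.
DENIED_DOMAINS = {"evil.example", "gambling.example"}


def domain_denied(host: str) -> bool:
    """Deny a host if it is a listed domain or any subdomain of one.
    Matching is label-aware: 'www.evil.example' is denied, but
    'notevil.example' is not, which a naive substring or endswith check
    would get wrong."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in DENIED_DOMAINS for i in range(len(labels)))


if __name__ == "__main__":
    for pkt in (Packet("10.0.0.5", "93.184.216.34", "tcp", 443),
                Packet("10.0.0.5", "93.184.216.34", "tcp", 23),
                Packet("203.0.113.7", "10.0.0.10", "tcp", 443),
                Packet("203.0.113.7", "10.0.0.10", "tcp", 22)):
        print(pkt, "->", evaluate(RULES, pkt))
    for host in ("www.evil.example", "notevil.example"):
        print(host, "->", "deny" if domain_denied(host) else "allow")
```

The order of the rules matters: the Telnet deny sits above the broad LAN allow, so a more specific prohibition is not shadowed by a general permission, and the unmatched case is denied rather than allowed.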
Corporate networks are becoming increasingly complex, with mobile devices, Internet of Things (IoT) devices, and Software-as-a-Service (SaaS) applications and cloud deployments becoming as popular as traditional workstations and on-prem servers. This increase in infrastructure diversity alone can be challenging enough for IT and security teams to manage—but it comes with the additional task of securing that infrastructure against an increasing number of sophisticated, targeted cyberattacks.
To achieve this, it’s widely recommended that organizations take a layered approach to security, using various solutions—such as email security, identity and access management, and endpoint security—to protect each part of their network against cyberthreats. While this provides effective protection, it can also be tricky to keep track of so many different sources of information.
Because of this, it’s critical that your chosen firewall integrates with your existing security solutions, enabling you to unify data feeds for more efficient threat analysis and easier policy configuration across your entire network.
Log data is information about what takes place across your network. Log data could include operating system startups and shutdowns, file changes, capacity limits being reached, security incidents—basically, pretty much anything that happens on your company’s network.
Your firewall should aggregate log data and store it centrally, enabling your security team to access these logs easily for real-time insights on network activities. The types of logs that you might want your firewall to capture include:
- Firewall performance
- Source address and port data
- Destination address and port data
- Anomalous or suspicious activities, such as repeated unsuccessful login attempts
Some firewall solutions also offer log data visualization capabilities, which make it easier for security teams to identify trends in the data and anomalous behaviors that could be attributed to a cyberattack.
Flexible Deployment Options
It’s important that your chosen firewall offers a deployment option that’s compatible with your company’s existing architecture. This will make it much easier to set the firewall up and integrate it with your existing security tools.
92% of organizations are currently hosting at least some of their IT environment in the cloud—be that their own private cloud, a public cloud, or a hybrid combination of the two. Even if your business isn’t yet utilizing the cloud, you may want to consider looking for a firewall with flexible deployment options that support a hybrid cloud environment, because the likelihood is that you’ll start relying on cloud technologies more in the future—be that to improve productivity, reduce costs, or better support remote workers.
On top of that, public and private cloud environments require different approaches to security; public clouds often come with in-built security tools offered by the cloud service provider (CSP), while private clouds enable organizations to completely manage their own security infrastructure.
Because of this, it’s important that your chosen firewall enables you to create consistent rules and policies across your entire environment, no matter where it’s hosted or who is hosting it.
Scalability is important for similar reasons to having flexible deployment options: the modern workplace is a volatile environment that’s continuously striving to become more efficient and more productive. A natural part of that is encouraging growth but, as your business grows, you need to have the infrastructure in place to secure it.
So, you need to ensure that your chosen firewall can scale to meet the needs of your business as you take on more employees, expand your device fleet or start utilizing more cloud applications. There are a few things to look for here:
- Quick, simple deployment and provisioning
- Intuitive policy creator/editor
- Seamless integrations with other third-party security tools and workplace applications
Identity Management Integration
As more and more organizations around the world have adopted a hybrid work format, it’s becoming increasingly common for employees to work outside of the office perimeter—and outside the boundary of the firewall protecting that perimeter. For these users, identity has become the new perimeter.
But what exactly do we mean by that?
Well, instead of being granted access to corporate applications, systems and data simply because they’re working within the network boundary, users are being granted access based on their identities—and the fact they can prove they are who they claim to be.
To support a hybrid culture, it’s important that a firewall offers integrations with identity and access management solutions, such as multi-factor authentication (MFA) and single sign-on (SSO) tools. This could be a direct integration, or one via a RADIUS server. By integrating with MFA and SSO tools, your firewall will be able to ensure the security of those working outside the traditional network perimeter, as well as those within it.
When configured correctly, firewalls provide effective protection against a wide range of threats to your organization’s network, from malware to man-in-the-middle attacks, from malicious botnets to cybercriminals trying to use your bandwidth for illicit activities.
No two firewalls will offer you the exact same feature set, so it’s important that you analyze your business’ security needs and prioritize the features that will help you combat the specific challenges your company is facing.
Having said that, making sure that the solution you’re considering offers the features we’ve outlined in this article is a pretty good starting point.