Firewalls play a critical part in the security of any network. In this post we will discuss what firewalls do, why you need them, and the different types.
Firewalls are your first line of defense in protecting your computers and network from viruses, ransomware and all the other bad stuff out there on the Internet. A firewall is hardware or software that sits between your computer or network and the Internet and decides which traffic is allowed through. To help understand the whys and whats, we are going to use an analogy.
Your computer as an office building
Think of your computer as an office building with roughly 65,000 doors to the outside world (there are 65,535 TCP ports, and a separate set of 65,535 UDP ports). Each of those doors represents a “port” on your computer, which is a way it can communicate with other computers and networks. As an aside, ordinary web traffic uses port 80, or port 443 when it is encrypted (HTTPS). A computer without a firewall is like having all of those doors unlocked, so anyone who wants to can open them up and look inside. If the room behind the door is empty (nothing is listening on that port) it isn’t a big deal, but if you are actually doing something with that room, you don’t want random people poking around in it and possibly taking something or leaving something behind (think: malware).
A software firewall can be thought of as hiring a security guard for each door. The guard is there to make sure that only authorized people (traffic) get through the various doors. How easy it is to sneak past your guard depends on how smart the guard (firewall) is, but it is always going to be at least a little harder to get by than when there is no guard (firewall) in place.
Now think of your network as a group of office buildings (a campus), one for each computer or device on your network. A hardware firewall can be thought of as a single checkpoint at the campus gate: all traffic has to be inspected there before it gets onto your network. Once again, the intelligence of the guard (firewall) determines how easy it is to sneak by, get in, and do bad things.
Software Firewalls
Software firewalls (also called host firewalls) run on, and protect only, the computer they are installed on. All modern versions of Windows come with a firewall and it is turned on by default. Macs come with a firewall too, but it is NOT turned on by default. If you have a Mac you should turn the firewall on (System Settings > Network > Firewall on current versions; System Preferences > Security & Privacy > Firewall on older ones).
Software firewalls are most useful for laptops that travel and connect to untrusted networks, such as free Wi-Fi at cafes, airports or hotels, where every other device on that network can reach yours directly. These firewalls help keep unwanted people from accessing your computer. For computers that stay in one place behind a hardware firewall, software firewalls are an extra form of insurance, but they are still useful and should be kept on unless you have a specific reason to turn them off.
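To see what those “doors” look like from the outside, here is an added example in Python (it is not from the original post and is not code from any firewall vendor): a small scanner that tries to open TCP connections to a list of ports and reports each one as open (something is listening), closed (the host answered that nothing is there) or filtered (no answer at all, which is what a firewall that silently drops probes produces). The listener it starts on 127.0.0.1 exists only so the script has something to find; scan only machines you own or have permission to test.

```python
# Added example (not from the original post): a small TCP port scanner that
# reports each "door" as open, closed or filtered. Against a host with no
# firewall, unused ports answer "closed" (the host replies with a reset);
# behind a firewall that drops unsolicited probes they show as "filtered".
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=1.0):
    """Classify one TCP port on host as 'open', 'closed' or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"            # something is listening behind this door
    except ConnectionRefusedError:
        return "closed"          # host answered with RST: no service, but no guard either
    except OSError:
        return "filtered"        # timeout or unreachable: a firewall dropped the probe
    finally:
        sock.close()


def scan(host, ports, timeout=1.0, workers=32):
    """Probe many ports in parallel; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: (p, probe(host, p, timeout)), ports))


def listen_on_free_port(host="127.0.0.1"):
    """Open a throwaway listener (an 'occupied room') for the local demo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0: let the OS pick a free one
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Find a port nothing is listening on (an 'empty room')."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, busy = listen_on_free_port()
    idle = free_port()
    # Scanning your own machine is fine; scanning anything else needs the
    # owner's permission.
    for port, state in sorted(scan("127.0.0.1", [busy, idle, 22, 80, 443]).items()):
        print(f"port {port:5d}: {state}")
    srv.close()
```

Probing a laptop from a second machine on the same network, first with the laptop's firewall off and then on, shows the difference the guard makes: ports that reported “closed” (the machine politely tells the world nothing is there) will typically report “filtered” once the firewall is dropping unsolicited probes.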
Hardware Firewalls
A hardware firewall is a separate device that is physically plugged in between the Internet and your network. For most consumers and small businesses, the Internet service provider (ISP) has supplied one combined with the modem used to connect to the Internet, and these modem/firewall combos usually include wireless as well. This is fine for a consumer, but for a business it is not an ideal setup.
If you are using the ISP’s device as your firewall, the ISP can log into it and change its configuration whenever they want, which can break things on your network. The ISP also has a foothold inside your network, which can put you out of compliance with HIPAA, PCI DSS and similar requirements. These devices are often deployed with default usernames and passwords and are rarely updated or patched by the ISP. That is a further compliance problem, and it gives the bad guys a head start in penetrating your network: your public IP address reveals who your ISP is, and it is easy to look up the default equipment, and the default credentials, each ISP ships.
The short of it is that you should NOT be relying on the ISP to provide your firewall and wireless access. If you do have a combo-style device, get your own firewall and wireless system and place it behind the ISP’s device, then either have the ISP swap their device for a plain modem or have them put it into “bridge mode”, which turns off its routing, firewall and wireless functions so it simply passes traffic through to your own firewall.
Now that we understand why you need your own hardware firewall, let’s discuss the different types. Hardware firewalls can be broken down into three main types:
- Consumer class
- Business class
- Next Generation (Next Gen) firewall or Unified Threat Management (UTM) appliance
Consumer Class Firewalls
As you might imagine, these types of firewalls are designed for home use. They are designed to be easy to use and set up and can be very cheap to purchase as they start around $50 and go up. These kinds of devices almost always have wireless built right into them so you don’t need any extra hardware or setup to connect wirelessly.
This class of firewall will often not meet compliance requirements, for a variety of reasons. They are not as stable (they need rebooting more often) as the other classes and do not last as long; you should not expect more than two or three years out of one. So while you *can* run a business on one of these, you might want to consider otherwise.
Firewall as Office Campus Security
Going back to the office building analogy, these devices are the cheapest security you can find. They will check that you have the proper paperwork to get in (they look at addresses and port numbers), but can’t really spot forged documents and won’t check what else is riding in the vehicle with you (they do not inspect the contents of the traffic). If things get complicated they often get confused.
Some common brands for these are:
- Netgear
- D-Link
- Linksys
Business Class Firewalls
Until fairly recently, the only types of firewalls were consumer and business. The only difference between what you would find at a huge data center and at a small business was simply the size and power of the device. There was no real difference of kind, just a difference in scale.
Business class firewalls, out of the box, will keep your network more secure than most consumer class devices because they give you far more control over how traffic is inspected and filtered. Since they are geared towards businesses with more complex needs than consumers, this class of equipment requires more expertise to set up and manage, even for simple configurations.
Business class devices also offer a wide range of features that you are likely to need in a business. They include:
- The ability to support multiple connections to the Internet. This lets you have a backup connection that automatically takes over if the primary goes down, or route certain traffic over one connection and other traffic over another (such as VoIP phones vs. normal Internet traffic).
- The ability to let employees access your network remotely in a secure and manageable fashion, via a virtual private network (VPN).
- The ability to securely host externally facing servers, such as web servers, in a separate network segment called a demilitarized zone (DMZ). The outside world can reach only the servers in the DMZ and not the rest of your network, so visitors can see your website but not your accounting information, and if the web server is compromised the attacker still has the firewall between them and your internal systems.
- The ability to separate your network into different security zones. This is most commonly done for a guest network, where you want guests to have Internet access but no access to the rest of your network.
- The ability to integrate with your Windows domain (Active Directory) if you have one, so that users and groups can be given different access privileges.
The more expensive consumer class devices offer some of the features you would find in the business class devices, such as VPN. However, they are very different and you should not be fooled into thinking they are the same.
Business class devices will meet most compliance requirements. They should last 5 to 10 years, assuming you don’t outgrow their capabilities and need to upgrade to a more powerful device, and you can get extended warranties and support from the manufacturer, which you cannot on the consumer lines. Wireless is sometimes built in, but more often is not, and we generally don’t recommend the built-in wireless on this class of device. It is usually more cost effective to use separate wireless access points (WAPs) on your network, which can be easily upgraded as wireless standards evolve and can be positioned for optimum coverage.
As you might imagine, these devices cost more. A firewall alone starts around $200 and climbs quickly. To add wireless to your network you would need a wireless access point, likely an extra $200 or more.
Firewall as Office Campus Security
Going back to the office campus analogy, business class devices are a more professional security guard than the consumer ones. They are more likely to spot forged documents, do a better job in general, and can handle more complex jobs. However, they are focused on who is coming in: if a bad guy does get past them (or a machine inside is infected), a basic business class setup does little to stop him from getting back out again, because outbound traffic is usually allowed by default unless you write rules to restrict it.
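The zones, DMZ and guest network described above, and the “getting back out” problem, can be written down as a small rule base. The following is an added example in Python (it is not from the original post and is not any vendor's configuration syntax). The three 10.0.x.0/24 ranges, the zone names and the port lists are assumptions chosen for the example, and the scenarios at the bottom are constructed. It models the decision a business class firewall makes for the first packet of each new connection: only traffic a rule explicitly allows gets through, in either direction.

```python
# Added example (not from the original post): a model of the zone-based,
# default-deny policy a business class firewall enforces. Zone names,
# address ranges and port lists are assumptions made up for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Internal security zones; any address outside them is treated as the Internet (WAN).
ZONES = {
    "LAN":   ip_network("10.0.10.0/24"),   # staff workstations, file and accounting servers
    "DMZ":   ip_network("10.0.20.0/24"),   # externally reachable servers (web)
    "GUEST": ip_network("10.0.30.0/24"),   # visitor Wi-Fi
}


def zone_of(ip):
    """Map an address to its zone; unknown addresses are the outside world."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Rule:
    src: str          # source zone
    dst: str          # destination zone
    ports: frozenset  # destination TCP ports this rule allows


# Allow-list. Anything not matched below is dropped, in both directions.
RULES = [
    Rule("WAN",   "DMZ", frozenset({80, 443})),           # public may reach the web server only
    Rule("LAN",   "DMZ", frozenset({22, 80, 443})),       # staff manage and use the DMZ servers
    Rule("LAN",   "WAN", frozenset({53, 80, 443, 993})),  # staff egress: DNS, web, IMAPS
    Rule("DMZ",   "WAN", frozenset({53, 80, 443})),       # web server egress: DNS and updates only
    Rule("GUEST", "WAN", frozenset({53, 80, 443})),       # guests get the Internet and nothing else
]
# Not listed, therefore denied: WAN->LAN, DMZ->LAN, GUEST->LAN, GUEST->DMZ,
# and any port not named above (for example malware calling home on TCP 4444).


def decide(src_ip, dst_ip, dst_port):
    """Verdict for the first packet of a new TCP connection.

    A stateful firewall then passes the replies of an allowed connection
    automatically; this model only decides whether the connection may start.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"   # same-zone traffic is switched locally and never reaches the firewall
    for rule in RULES:
        if rule.src == src and rule.dst == dst and dst_port in rule.ports:
            return "allow"
    return "deny"        # default deny: no allow rule matched


# Constructed scenarios. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for Internet addresses.
SCENARIOS = [
    ("visitor browses the public website",         "203.0.113.7", "10.0.20.5",    443,  "allow"),
    ("Internet host probes the accounting server", "203.0.113.7", "10.0.10.5",    445,  "deny"),
    ("guest laptop reaches the file server",       "10.0.30.9",   "10.0.10.5",    445,  "deny"),
    ("guest laptop browses the Internet",          "10.0.30.9",   "198.51.100.1", 443,  "allow"),
    ("compromised web server pivots to the LAN",   "10.0.20.5",   "10.0.10.5",    445,  "deny"),
    ("malware on a workstation calls home",        "10.0.10.5",   "198.51.100.1", 4444, "deny"),
    ("workstation fetches a web page",             "10.0.10.5",   "198.51.100.1", 443,  "allow"),
]


def check_policy():
    """Evaluate every scenario; returns (description, verdict, expected) tuples."""
    return [(desc, decide(s, d, p), want) for desc, s, d, p, want in SCENARIOS]


if __name__ == "__main__":
    for desc, verdict, want in check_policy():
        print(f"{verdict:5s} {'ok ' if verdict == want else 'BUG'} {desc}")
```

The last two scenarios are the egress point: with an allow-list for outbound traffic, a workstation can still browse the web on port 443, but malware trying to reach its operator on an arbitrary port such as 4444 is stopped at the firewall. Most firewalls ship with outbound traffic wide open, so this is a set of rules you have to add yourself.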
Some common brands for these are:
- Netgear
- D-Link
- Cisco
Next Gen or UTM devices
Firstly, there is really no difference between “Next Generation Firewalls” and “Unified Threat Management” devices. The two names are relics of a marketing war between manufacturers and are now considered interchangeable. So, when in the market for one of these devices, feel free to compare one brand’s Next Gen to another’s UTM. Concentrate on the feature set and performance, not the marketing names.
In a large organization there are often dedicated devices on the network that do things like filter spam, scan for viruses, or look for indications that a hacker has breached the network and then actively respond (intrusion detection and prevention systems, or IDS/IPS). Each of these devices generally carries a very hefty price tag, from the low thousands to the upper hundreds of thousands of dollars. The UTM device is an attempt to bring all of these functions into a single piece of hardware at a price a small or medium business can afford.
In addition to the features described under Business Class Firewalls above, you will often find advanced features like:
- Virus scanning on incoming traffic before it reaches a computer
- Blocking access to content that is inappropriate to your company
- Blocking access from certain countries or locations
- Spam filtering
- Traffic monitoring for malware activity and signs of hacking (intrusion detection and prevention)
The newest versions of these devices can inspect encrypted (SSL/TLS) web traffic. This is an emerging technology designed to counter more sophisticated threats that use encryption to hide their communications. To do it, the device decrypts each connection, inspects it, and re-encrypts it with its own certificate, so every computer behind it must be set up to trust the firewall’s certificate authority, and applications that pin their own certificates (many mobile apps and software updaters) will refuse to connect unless they are exempted. Since this is an emerging technology, there are still some kinks to work out. That said, it is worth considering depending on your security needs or regulatory compliance requirements.
As you might imagine, the advanced functionality comes with a higher price tag, and these devices are more complicated to set up and manage. They generally start at $500 and go up for more capabilities and the ability to handle more bandwidth, and the advanced features carry a yearly subscription cost (the virus, spam and intrusion signatures stop updating if it lapses). However, the extra cost is worth it, as a properly configured device adds an extra layer of protection to your network against malicious activity.
Some common brands in this category are:
- Sonicwall
- Cisco
- Fortinet
You will almost certainly need to buy one of these from a dealer and have someone help set them up.
Firewall as Office Campus Security
Once more going back to our analogy, next gen devices are like top-of-the-line security. They not only stop you to make sure you are authorized to be there, but they inspect your vehicle as well (looking inside the traffic, not just at the address on it). The really good ones will even open up locked trucks to look inside (decrypting encrypted traffic). They also patrol the perimeter of the property, watching outbound traffic, so that if anyone did sneak past them they have a hard time getting back out.
Firewalls as a service
Due to the substantial cost and ongoing configuration requirements of more sophisticated firewalls, they are often marketed as a service: the business pays a monthly fee for the use and maintenance of the device rather than purchasing it outright.
“I’m a small company, I don’t need to worry about security.”
Big companies tend to be harder to penetrate. They have big budgets to spend on keeping their networks safe and secure, so it is much easier to compromise a smaller business. To that end there has been a trend of attackers getting into big businesses through their smaller vendors. This is what happened to Target in 2013: the attackers got in using credentials stolen from one of its HVAC contractors.
Even if you don’t have any big clients like Target, the bad guys are still looking for you. The data they can get from you is just as valuable as what they can get from bigger companies; there may just be less of it.
Not everyone’s budget will allow them to buy a high-end device, and that is ok. A good firewall is an important part of good network security, but it is only a part. Every business must evaluate what their needs are and what they can afford to do. If you have any questions or need help with this, Sawyer Solutions would be happy to lend a hand.