A Brief Guide on What Firewalls Cannot Do

When used properly, firewalls provide reliable and consistent security from external threats. However, firewalls have limitations and are only part of the complete security strategy. By itself, a firewall cannot protect a network against every threat.

There is no doubt that a firewall is an essential part of network security, but it is not the whole of network security. Don’t make the mistake of deploying a firewall while ignoring other security management activities. A firewall is only one piece of the large, complex puzzle of network security. A firewall cannot do everything.

Authentication Server

A firewall is primarily for network traffic and packet filtering. It is not an authentication system. Firewalls are not designed to check login credentials, compare biometric scans, or even confirm the validity of digital certificates or e-sign certificates. These are the functions of an authentication service, typically hosted on a domain controller or primary network server.

That said, you might find it necessary for a firewall to allow authentication before granting access to a resource or allowing a session.

Some firewalls, such as next-generation firewalls, include enhancements that provide firewall-hosted authentication services. However, in many cases, a better solution would be to have the firewall offload that task to a dedicated authentication server or service, such as 802.1X, public key infrastructure (PKI), or directory services.

Most security experts do not recommend using a firewall to authenticate users, or at least not as a replacement for a network’s directory service or centralized authentication solution.

Remote Access Server

A firewall is not a remote access server. Connections from remote users do not have an endpoint at the firewall. Instead, the endpoint is a remote access server (RAS) or network access server (NAS). A firewall may function before or after the RAS/NAS to filter remote access traffic. However, that doesn’t mean the firewall is the RAS/NAS.

Your firewall should filter all remote traffic, especially because remote traffic is much more likely to be purposefully malicious or accidentally damaging than local traffic.

Why? An organization has much more control over who can connect to its network locally than it does when it allows remote connectivity.

Encrypted Packets

Unlike Superman, your firewall does not have X-ray vision into encrypted traffic; in other words, it cannot see the contents of encrypted traffic. A firewall can filter on the header of traffic using transport mode encryption, since the original header is in plaintext form.

However, a firewall cannot filter the original header of traffic using tunnel mode encryption, since the only plaintext component is a temporary tunnel header that only includes information about the endpoints of the tunnel. It would be like trying to guess what’s in the boxcars of a train by observing only the locomotive and the caboose.
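The difference between the two modes can be seen by parsing what a packet filter is able to read. This is an added example, not part of the original article; it assumes IPsec ESP as the encryption protocol, and the addresses, SPI values and the constant "ciphertext" filler are all constructed for illustration.

```python
import ipaddress
import struct

TCP, ESP = 6, 50  # IANA protocol numbers

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header plus payload (checksum left 0 in this demo)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def tcp(sport, dport):
    """Bare 20-byte TCP SYN header."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)

def esp(spi, seq, inner):
    """ESP wrapper: SPI and sequence are plaintext; the body is opaque.
    The constant filler stands in for ciphertext of `inner` (no real crypto)."""
    return struct.pack("!II", spi, seq) + b"\xa5" * len(inner)

def firewall_view(packet):
    """Fields a packet filter can read without holding any keys."""
    ihl = (packet[0] & 0x0F) * 4
    view = {"src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20])),
            "proto": packet[9], "dst_port": None}
    if view["proto"] == TCP:
        view["dst_port"] = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    elif view["proto"] == ESP:
        view["spi"] = struct.unpack("!I", packet[ihl:ihl + 4])[0]
    return view

# Constructed sample traffic: host 10.1.1.10 talks to 10.2.2.20 on TCP/445.
segment = tcp(49152, 445)
clear = ipv4("10.1.1.10", "10.2.2.20", TCP, segment)
# Transport mode: original IP header kept, only the TCP segment is encrypted.
transport = ipv4("10.1.1.10", "10.2.2.20", ESP, esp(0x1001, 1, segment))
# Tunnel mode: the whole original packet is encrypted behind gateway addresses.
tunnel = ipv4("198.51.100.1", "203.0.113.1", ESP, esp(0x2002, 1, clear))

if __name__ == "__main__":
    for name, pkt in (("clear", clear), ("transport", transport), ("tunnel", tunnel)):
        print(f"{name:9} {firewall_view(pkt)}")
```

In transport mode the filter can still match on the real host addresses but no longer on the port; in tunnel mode it sees only the two gateway addresses and the SPI.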

Position your firewall where it can be most effective. If the security design requires that all traffic content be examined by a firewall, then you need to position the firewall after encryption is removed from the traffic. If the security design requires filtering only on non-encrypted traffic, then positioning the firewall is not as critical.

Firewalls designed for use by web e-commerce sites may have an additional ability to act as the endpoint of a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) tunnel from an Internet client. This grants the client protection for its data as the information traverses the Internet. This allows a firewall to filter the content of the traffic before the web server receives and processes the information.

Encryption is one method to evade filtering. Users and hackers can employ client-side encryption solutions that encode the data before transmission, or create unauthorized encrypted encapsulation tunnels to prevent firewall filtering.

In this situation, your network security policy may stipulate that the firewall needs to block encrypted transmission initiated by clients, especially if the destination is on the Internet.

Malicious Code Scanner

A firewall is also not a malicious code scanner. Firewalls are traditionally rule-based filtering products. These rule sets usually have only a few dozen to at most a few hundred rules.

To filter malicious code, the rule list would need millions of entries. Some firewall products include an enhancement or add-on module for malicious code scanning.

Such an enhancement is just an add-on component, not a core feature of a firewall. In most cases, it is more efficient and more secure to use separate anti-malware scanners than to add this function to your firewall.

Many firewall rules block traffic with spoofed addresses, uncommon ports, unauthorized protocols, invalid header constructions or values, and so on. Such rules block a significant amount of traffic caused by malicious code, but these rules do not directly block malware from entering or leaving a network.

Intrusion Detection

A firewall is not an intrusion detection system (IDS). An IDS is a type of network burglar or intruder alarm that detects and responds to unauthorized activity inside your network.

An IDS performs this task by monitoring all network traffic. Although an IDS can be deployed on a network border or outside the network, facing the Internet, most operate inside private networks and provide the ability to watch all internal network traffic.

A firewall can detect malicious traffic only when such traffic enters one of the firewall’s interfaces. Firewalls usually do not watch over general interior network activity.

Firewalls are either border devices for networks and subnets, or they are software products watching over a single host. In either case, they cannot see the same traffic, nor can they perform the same tasks as an IDS. A firewall, therefore, is not interchangeable with a good IDS.

Insider Attacks and Social Engineering

A common misconception is that firewalls protect against insider attacks. A firewall can be a border device, or a firewall can be software on a host.

A border firewall can filter traffic entering or leaving a network or subnet. A border firewall is unable to see any interior traffic.

When an attacker from an inside client attacks a target that is also an internal host, a border firewall is not part of the communication; thus, it can neither detect nor block the attack. A host software firewall can only see the traffic entering or leaving that one host. A host software firewall is unable to see any other interior traffic.

Of course, if traffic does not pass through its interfaces, a firewall cannot filter the traffic. A firewall can filter only what it sees. If malicious or unwanted traffic does not enter an interface of a firewall, the firewall will not be able to filter that traffic.

For the best strategy, you should place firewalls on each host, on every border gateway or chokepoint, and between each significant subnet or interior network division.
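The visibility rule above ("a firewall can filter only what it sees") can be checked against a simple placement model. This is an added example, not part of the original article; the address ranges, the host list and the function names `observers` and `blind_spots` are assumptions made for illustration.

```python
import ipaddress

# Assumed site layout for this example (all addresses are constructed).
INTERNAL = ipaddress.ip_network("10.0.0.0/16")
SUBNETS = [ipaddress.ip_network(n) for n in ("10.0.1.0/24", "10.0.2.0/24")]
HOST_FIREWALLS = {"10.0.2.50"}  # hosts that run a software firewall

def subnet_of(ip):
    """Return the internal subnet containing ip, or None for outside hosts."""
    addr = ipaddress.ip_address(ip)
    return next((net for net in SUBNETS if addr in net), None)

def observers(src, dst, segment_firewall=False):
    """Firewalls whose interfaces the flow src -> dst actually crosses."""
    seen = []
    inside = [ipaddress.ip_address(ip) in INTERNAL for ip in (src, dst)]
    if inside[0] != inside[1]:
        seen.append("border")            # crosses the network edge
    if segment_firewall and all(inside) and subnet_of(src) != subnet_of(dst):
        seen.append("segment")           # crosses an interior division
    seen += [f"host:{ip}" for ip in (src, dst) if ip in HOST_FIREWALLS]
    return seen

def blind_spots(flows, segment_firewall=False):
    """Flows that no firewall in the model can filter."""
    return [f for f in flows if not observers(*f, segment_firewall=segment_firewall)]

FLOWS = [
    ("203.0.113.9", "10.0.1.10"),  # Internet to internal host
    ("10.0.1.10", "10.0.1.20"),    # insider, same subnet
    ("10.0.1.10", "10.0.2.60"),    # insider, across subnets
    ("10.0.1.10", "10.0.2.50"),    # insider, target runs a host firewall
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, observers(*flow), observers(*flow, segment_firewall=True))
    print("unfiltered:", blind_spots(FLOWS, segment_firewall=True))
```

With only a border firewall, both insider flows to unprotected hosts go unfiltered; adding a segment firewall closes the cross-subnet case, and only a host firewall on the target covers traffic within one subnet.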

Another thing firewalls cannot do is protect against social engineering. Social engineering is a category of attacks that focus on the personnel of an organization.

These attacks get information from people just by asking for it in clever ways or convincing someone to perform an action that breaches network security. The only real protection against social engineering is worker training and awareness.

Removable Media

A firewall cannot protect against the significant threat posed by the use of removable media. There are many different types of removable media: USB hard drives, USB thumb drives, CDs, DVDs, Blu-ray discs, HD-DVD discs, other optical discs, flash memory cards, storage devices, tape media, email attachments, a smartphone connected via USB cable, and more.

A firewall is not involved in the use of removable media or in any of the contents these devices may contain. A firewall cannot protect your network against the ongoing threat posed by removable media. Again, the best defense against this threat is good company policy, worker training, and awareness.

Physical Attacks

A firewall, of course, cannot protect against physical incursions or attacks. Physical attacks bypass any and all logical and electronic protection mechanisms.

A firewall does not protect against theft of devices, planting of eavesdropping mechanisms, disconnection of cables, connecting a rogue device to an open node, destruction of equipment, dousing electronics with liquids, building fires, or any other form of physical attack.

Only effective physical defenses can deter physical attacks. A firewall is not designed or intended to thwart physical attacks.

Misconfigurations and Security Management

Computer equipment and software can do only what each is designed and programmed to do. If an administrator misconfigures a security device, the device does not automatically compensate for that oversight. If a security administrator fails to learn about all of the features and defaults of new equipment, the product cannot secure itself autonomously.

Security requires training, research, careful planning, thoughtful implementation, and ongoing review and maintenance. This process is known as security management—and it takes work.

The old expression was never more true than it is today: “Garbage in, garbage out.” What you put into network security is precisely what you will get out of it. So, remember that a firewall cannot compensate for ineptitude or ignorance on the part of administrators.

Firewalls cannot compensate for poor security management. Proactive security management is essential for the success of any security endeavor. Security management is the process of reviewing, testing, tuning, and updating an organization’s security policies and security infrastructure.

This is an ongoing effort that requires knowledge, research, and vigilance. The threats and risks facing an organization are constantly evolving to become more persistent and virulent. Your security strategy should be just as rigorous and purposeful in defense.

Keeping up-to-date on current threats and trends in network security is a big part of this job. Networking with security professionals, attending relevant conferences, and reading the latest industry literature are ways to keep yourself and your security efforts sharp.

Finally, firewalls are not a perfect solution. They cannot self-adjust to changing conditions or future threats. Firewalls are mostly software (even when operating on dedicated hardware) and are written by fallible humans; therefore, they are subject to bugs and flaws.

Fortunately, in spite of all the things a firewall is not, a firewall is a solid filtering solution. It can and should protect the borders of networks and individual hosts as part of a complete security infrastructure.