Is Your Network Architecture Protected? Discover the Maximum Impact of Implementing Firewalls!

Secure Your Network with Firewall Implementation!
Abhishek Founder & CFO cisin.com
In the world of custom software development, our currency is not just in code, but in the commitment to craft solutions that transcend expectations. We believe that financial success is not measured solely in profits, but in the value we bring to our clients through innovation, reliability, and a relentless pursuit of excellence.



Firewalls are an indispensable security component of any network. They protect infrastructure against attacks and unwanted traffic from outside sources while permitting legitimate traffic and denying access to anyone without authorization.

These devices may be hardware or software and provide different levels of protection based on their use, the security policy of an entity, and where they are located.

Due to differences in network topologies and exploits that take various forms, traditional firewalls may no longer provide adequate protection.

With open-source tools, a distributed firewall can be built at reduced cost and with additional features. This article proposes a distributed firewall to enhance network protection and address these problems: firewall security policies are enforced across several distributed devices that work together for higher throughput.

Traffic is divided between the firewalls, each of which analyzes packets and decides whether they may enter the network. Because capacity is added by adding members, such a distributed firewall scales quickly to different numbers of clients and network devices, including operational technology (OT) devices.


Network Security Architecture


Network architecture should be centered around security. In this article, we'll talk about network security architecture, its advantages for companies, and different approaches for designing safe architectures.


How Does A Security Architect Create A Network Security Architecture?


Security architects are responsible for identifying potential cyber threats and working to stop them from harming an organization's systems and networks.

Security architects design the network architecture and security controls that provide the visibility and control needed to detect and respond to cyber threats. It is vital to plan where each security control is placed so that it delivers the maximum protection to the company.

  1. Assess: business and architectural reviews capture data, model the business, evaluate risk, and propose mitigations.
  2. Design: the requirements from the assessment are addressed by logical design blueprints that carry recommendations.
  3. Implement: typically delivered with partners or professional services; low-level detail is added to the design and a statement of work is produced for the real-world solution.
  4. Manage: the fourth phase covers continuous improvement and incremental development of the security posture.

Network Security Architecture Frameworks


Several frameworks are available for designing network security architectures. Zero trust and the Sherwood Applied Business Security Architecture (SABSA) are two of the most commonly used.


Zero Trust

The zero trust security model is an alternative to perimeter-based security, which implicitly trusts users, devices, and applications once they are inside the network.

Zero trust removes that implicit trust: every user and device is treated as untrusted until verified, irrespective of where it is located.

Zero-trust architectures provide visibility and control over every action within a corporate network. This is accomplished through strong authentication (multi-factor authentication, MFA), access control enforced by micro-segmentation, and logging of every decision the firewall rules make, so that each request is evaluated on its own merits rather than on network location.
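As an added example (not code from the original article or from CISIN), the following Python sketches the per-request decision a zero-trust policy engine makes: the caller's role, MFA status, and device posture are checked against the target resource on every request, and a grant is scoped to that one resource with an expiry instead of trusting the source network. The users, devices, resources, and grant lifetimes are constructed for illustration.

```python
"""Per-request zero-trust access decision (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed directory and posture data.  In a real deployment these are
# fed by the identity provider and the endpoint-management system.
ROLES = {"alice": {"dba"}, "bob": {"developer"}}
DEVICE_POSTURE = {
    "lap-01": {"managed": True, "patched": True},
    "byod-07": {"managed": False, "patched": True},
}
# resource -> (roles allowed, managed device required?, grant lifetime in minutes)
RESOURCES = {
    "db-prod": ({"dba"}, True, 15),
    "ci-logs": ({"developer", "dba"}, False, 240),
}
# Fixed clock so the example is deterministic.
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


@dataclass
class Request:
    user: str
    device: str
    resource: str
    mfa_verified: bool
    src_zone: str  # recorded for audit only; it never grants trust by itself


def decide(req, now=None):
    """Evaluate one request.  Every check runs every time; being on the
    internal LAN or the VPN earns nothing on its own."""
    now = now or datetime.now(timezone.utc)
    roles, need_managed, ttl = RESOURCES.get(req.resource, (set(), True, 0))
    posture = DEVICE_POSTURE.get(req.device)
    reasons = []
    if req.resource not in RESOURCES:
        reasons.append("unknown resource")
    if not ROLES.get(req.user, set()) & roles:
        reasons.append("role not permitted")
    if not req.mfa_verified:
        reasons.append("MFA not satisfied")
    if posture is None or not posture["patched"]:
        reasons.append("device posture unknown or unpatched")
    elif need_managed and not posture["managed"]:
        reasons.append("managed device required")
    if reasons:
        return {"allow": False, "resource": req.resource, "reasons": reasons}
    # Least privilege: the grant names one resource and expires by itself.
    return {
        "allow": True,
        "resource": req.resource,
        "expires": (now + timedelta(minutes=ttl)).isoformat(),
        "reasons": [],
    }


if __name__ == "__main__":
    for r in (
        Request("alice", "lap-01", "db-prod", True, "internal"),
        Request("alice", "byod-07", "db-prod", True, "internal"),
        Request("bob", "lap-01", "db-prod", True, "internal"),
        Request("bob", "byod-07", "ci-logs", False, "vpn"),
    ):
        print(r.user, r.resource, r.src_zone, "->", decide(r, FIXED_NOW))
```

Note that the second request is refused even though it comes from the internal zone: the device is not managed, and the resource requires one. That is the difference from a perimeter model, where the same request would have been trusted on location alone.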


8 Best Practices In Firewall Security


An adequate firewall security best practices guide can be an invaluable asset to your organization in communicating its security goals, meeting industry regulations, and strengthening its overall security posture.


Plan Your Firewall Deployment


Firewalls are the enforcement point for zero-trust segmentation: they inspect both inbound and outbound traffic as it crosses a network boundary, including the boundaries between microsegments.

This holds for Layer 3 routed firewall deployments (where the firewall acts as the gateway between several IP networks) and for Layer 2 bridge deployments (where it sits transparently inside one network segment).

As part of a firewall deployment, network interfaces must be connected to zones or networks, which allows administrators to simplify policies.

A perimeter firewall, for instance, has one interface in an external zone connected to the Internet and one or more interfaces in internal zones connected to internal networks; it usually also has a DMZ zone for servers that must be reachable from outside, and policies can be tailored per zone.

The deployment must also cover the firewall's management plane: the management console, lights-out management, and serial console access must be reachable only from dedicated, secured management networks.

One firewall can be a single point of failure. Security can remain intact even if one fails by deploying two or more in High Availability (HA).

Hyperscale security provides an alternative that utilizes all resources available across each member in a cluster; it should be specially considered by networks experiencing seasonal traffic peaks.


Secure The Firewall Itself

Firewalls are essential to an organization's security system and must be protected against attacks. Take the following steps to safeguard your firewall:

Disable insecure management protocols such as Telnet and SNMPv1/v2c in favour of SSH and SNMPv3 (authenticated and encrypted), so that the configuration and rule database cannot be read or altered in transit.

Schedule regular backups of the configuration and rule database. For forensics, send logs directly to a SIEM or firewall management server over secure (TLS) syslog or another encrypted transport, so that a compromised firewall cannot quietly erase its own history.

Apply a stealth policy: the firewall drops unsolicited packets addressed to itself so that it does not show up in network scans, and management access is restricted to specific hosts.

Firewalls are not immune to vulnerabilities of their own. Subscribe to the vendor's security advisories and apply firewall patches promptly rather than waiting to be told about them.



Secure User Accounts

Account takeover is a common attacker tactic. To protect the administrative accounts on your firewall, implement the following safeguards.


Change Default Passwords And Account Names

Set a firm password policy (for example, a 12-character minimum with no reuse of previous passwords) and mandate multi-factor authentication for all administrative accounts.


Lock Down Zone Access for Approved Traffic

Firewalls monitor and enforce network segmentation.

Firewalls inspect and control north-south traffic across network boundaries. They enable macro-segmentation by creating zones such as external, internal, and guest Wi-Fi, or by separating business units onto their own networks: data center operations, HR and Finance, or production floors running Industrial Control Systems.

Virtualized and cloud environments pose a particular challenge for firewall control of traffic between servers and applications, since instances are created and destroyed dynamically and static address-based rules go stale.

Micro-segmentation addresses this: zones are defined around workloads such as web or database tiers, and tags describing the function of each virtual server let it be included in the right firewall policy automatically, without human involvement, which reduces the errors that come from manual configuration.

Macro and micro deployments utilize firewalls to manage access. They do this by setting up policy rules that define access based on traffic source/destination pairs.

You can also specify which services and ports your applications use. Ports 80 and 443, for instance, are the standard ports for web traffic, so on web servers only these should be reachable and everything else blocked; this is allowlisting, where the policy permits only listed traffic and the cleanup rule denies the rest.

Allowlisting is harder to apply to outgoing traffic because it can be difficult to determine every port and destination that internal hosts need for Internet access.

Blocklisting is therefore often used for egress: known-bad traffic is blocked and everything else passes through an "accept all" cleanup rule. Be aware of what this gives up. An accept-all egress rule also lets malware beacon to a command-and-control server or exfiltrate data over any unexpected port, so wherever practical constrain egress too: for example, allow DNS only to internal resolvers and route web traffic through a proxy, and deny the remainder.


Firewall Policy And Use Must Comply With Standards

Firewalls must adhere to specific regulations. Any Network Firewall Security best practice must meet these regulations and could require additional security controls on an installed firewall, including virtual private networks (VPNs), antivirus software that detects malware, and intrusion detection/prevention systems (IDS/IPS) that detect any network intrusion attempts.

PCI DSS requires zone-based firewall controls between trusted zones and untrusted ones, including using DMZs or perimeter firewalls to keep wireless networks separate from cardholder data environments.

In addition, PCI DSS includes the following requirements:

Anti-spoofing measures detect and block packets whose source address cannot be genuine for the interface they arrived on. When a packet carrying one of your internal addresses arrives on the external interface, it is spoofed (or a leak) and must be dropped before any policy lookup takes place.

Use Network Address Translation (NAT) and do not advertise private address ranges or routing information to third parties, so that outsiders cannot learn internal IP addresses or routes that would help them gain entry.
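As an added example of the anti-spoofing check (not code from the article or from any vendor), the Python below decides, per ingress zone, whether a packet's source address is plausible: on the external interface, any source belonging to an internal zone or to private, loopback, link-local, multicast or reserved space is dropped; on an internal-facing interface, the source must belong to that zone's own prefixes. The zone layout and sample packets are constructed.

```python
"""Ingress anti-spoofing check for a zone-based firewall (added example)."""
from ipaddress import ip_address, ip_network

# Constructed zone layout: the prefixes that may legitimately appear as a
# *source* address on packets arriving from each internal-facing zone.
ZONE_PREFIXES = {
    "internal": [ip_network("10.0.0.0/8")],
    "dmz": [ip_network("192.168.100.0/24")],
}

# Source ranges that must never arrive from the Internet.
BOGONS = [
    ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8"),
    ip_network("169.254.0.0/16"), ip_network("0.0.0.0/8"),
    ip_network("224.0.0.0/4"), ip_network("240.0.0.0/4"),
]


def spoof_verdict(ingress_zone, src):
    """Return ("pass"|"drop", reason).  Runs before the policy lookup, so a
    spoofed packet never gets the chance to match a permissive rule."""
    src_ip = ip_address(src)
    if ingress_zone == "external":
        # An inside address on the outside interface is spoofed or leaked.
        for zone, prefixes in ZONE_PREFIXES.items():
            if any(src_ip in p for p in prefixes):
                return "drop", f"{zone} address arrived on external interface"
        if any(src_ip in p for p in BOGONS):
            return "drop", "private/reserved source on external interface"
        return "pass", "plausible external source"
    # Internal-facing zones: the source must belong to the zone it came from
    # (a DMZ host claiming a LAN address is just as suspicious as an outsider).
    if ingress_zone not in ZONE_PREFIXES:
        return "drop", f"unknown zone {ingress_zone}"
    if any(src_ip in p for p in ZONE_PREFIXES[ingress_zone]):
        return "pass", f"source belongs to {ingress_zone}"
    return "drop", f"source is not a {ingress_zone} address"


def filter_packets(packets):
    """Apply the check to (ingress_zone, src, dst) tuples; keep the passing ones."""
    return [p for p in packets if spoof_verdict(p[0], p[1])[0] == "pass"]


# Constructed sample traffic.
SAMPLE = [
    ("external", "203.0.113.9", "192.168.100.10"),  # genuine Internet client
    ("external", "10.1.2.3", "192.168.100.10"),     # spoofed LAN source
    ("external", "127.0.0.1", "192.168.100.10"),    # loopback source (bogon)
    ("internal", "10.4.5.6", "203.0.113.9"),         # normal egress from LAN
    ("dmz", "10.4.5.6", "10.0.0.5"),                 # DMZ host claiming a LAN address
]

if __name__ == "__main__":
    for zone, src, dst in SAMPLE:
        print(zone, src, "->", dst, spoof_verdict(zone, src))
```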

Review the complete rule set at least every six months to identify and remove outdated or incorrect rules, and to confirm that only authorized services and ports are permitted.

Send cardholder data securely over public networks. Install vendor-supplied patches of security. Install any critical updates within one month after release.

Companies may change the default to automatically install patches when they become available, given how quickly attackers exploit known vulnerabilities. A Next Generation Firewall with Automatically Updating IPS Signatures could protect networks against newly disclosed vulnerabilities.

Establish processes that grant access according to need and job responsibility, monitor all access to network resources and cardholder data, and keep clocks synchronized (for example with NTP) so that logs from different devices can be correlated.


Test The Policy And Identify Risks

Predicting how a security policy will treat a new connection is not always easy. Firewall management consoles typically offer path analysis (simulating a source, destination, and service against the rule base) and a search over existing rules and objects.

Some management systems go further and warn when a duplicate object is created, or refuse to install a policy that contains shadowed rules (rules that can never match because an earlier rule already covers all of their traffic).

Test your policy regularly to confirm that it behaves as designed and to detect unwanted or duplicate rules.

Firewall rules are evaluated top-down, first match wins. Performance can be improved by moving the most frequently hit rules higher in the order, provided a rule is never moved above an overlapping rule with a different action, since that would change the policy's decisions.

Review the policy regularly with both correctness and performance in mind.

To protect your business, it's advisable to conduct regular penetration tests to identify any additional security measures required beyond what can be covered by your firewall.


Audit software or Firmware Logs

Implement a formal plan to monitor changes to your security policy to maintain its integrity and ensure its effectiveness.

Rules with "Any" as the source, destination, or service weaken the policy; replace each "Any" with the specific source, destination, or service the rule is really for.

Create sections or layers to make the policy readable, and finish each layer with an explicit cleanup rule (normally deny-all, logged) so that the policy's default behaviour is visible rather than implied.

Assign names and comments to rules to help identify their original purpose.

Logging provides visibility for forensic investigations by tracking network flow. Consult audit logs to ascertain who made changes to firewall policies.
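The Python below is an added example (not a feature of any product mentioned on this page) of the static checks described in the testing and auditing sections: it flags broad "Any" allow rules, exact duplicates, and rules shadowed by an earlier rule, and it re-orders the rule base by hit count without ever moving a rule above an overlapping rule with a different action. The rule base and hit counts are constructed; a rule's match is modelled as a source network, a destination network, and a single destination port (None meaning any service).

```python
"""Rule-base audit: broad, duplicate and shadowed rules, plus safe re-ordering (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

ANY_NET = ip_network("0.0.0.0/0")


@dataclass
class Rule:
    name: str
    src: str
    dst: str
    port: Optional[int]   # None = any service
    action: str           # "allow" or "deny"
    hits: int = 0

    def __post_init__(self):
        self.src_net = ip_network(self.src)
        self.dst_net = ip_network(self.dst)


def covers(a, b):
    """True when every packet that matches rule b also matches rule a."""
    return (b.src_net.subnet_of(a.src_net) and b.dst_net.subnet_of(a.dst_net)
            and (a.port is None or a.port == b.port))


def overlaps(a, b):
    """True when at least one packet could match both rules."""
    return (a.src_net.overlaps(b.src_net) and a.dst_net.overlaps(b.dst_net)
            and (a.port is None or b.port is None or a.port == b.port))


def audit(rules):
    """Return (rule name, finding) pairs.  A rule is shadowed by the *first*
    earlier rule that covers it, because that is the rule swallowing its traffic."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and (r.port is None or
                                    (r.src_net == ANY_NET and r.dst_net == ANY_NET)):
            findings.append((r.name, "broad: allows any service or any/any"))
        for earlier in rules[:i]:
            if covers(earlier, r):
                same = (earlier.src_net == r.src_net and earlier.dst_net == r.dst_net
                        and earlier.port == r.port and earlier.action == r.action)
                findings.append((r.name, f"{'duplicate of' if same else 'shadowed by'} {earlier.name}"))
                break
    return findings


def reorder_by_hits(rules):
    """Insertion sort by hit count with a barrier: a rule never climbs past a
    rule that overlaps it with a different action, so decisions are unchanged."""
    ordered = []
    for r in rules:
        pos = len(ordered)
        while pos > 0 and ordered[pos - 1].hits < r.hits and not (
                overlaps(ordered[pos - 1], r) and ordered[pos - 1].action != r.action):
            pos -= 1
        ordered.insert(pos, r)
    return ordered


# Constructed rule base with hit counters from a (hypothetical) week of logs.
RULES = [
    Rule("web-in", "0.0.0.0/0", "192.168.100.10/32", 443, "allow", 12000),
    Rule("mgmt-ssh", "10.0.0.0/24", "192.168.100.0/24", 22, "allow", 40),
    Rule("block-telnet", "0.0.0.0/0", "192.168.100.0/24", 23, "deny", 3),
    Rule("dns", "10.0.0.0/8", "192.168.100.53/32", 53, "allow", 30000),
    Rule("legacy-any", "10.0.0.0/8", "192.168.100.0/24", None, "allow", 900),
    Rule("old-ftp", "10.0.0.0/8", "192.168.100.20/32", 21, "allow", 0),
    Rule("mgmt-ssh-dup", "10.0.0.0/24", "192.168.100.0/24", 22, "allow", 0),
    Rule("cleanup", "0.0.0.0/0", "0.0.0.0/0", None, "deny", 5000),
]

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
    print("optimized order:", [r.name for r in reorder_by_hits(RULES)])
```

Two things are worth noticing in the output. The "dns" rule, with the most hits, moves to the top because it overlaps nothing above it; "legacy-any" stays below "block-telnet" despite having far more hits, because swapping them would let Telnet through. The "legacy-any" rule is also the reason "old-ftp" can never match, which is exactly the kind of hidden dependency a regular audit is meant to surface.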



Firewall Architecture


Firewall technology is vast. Every day brings advancements in design, firmware updates, and software features that enhance its capabilities.

There are various architectures for firewalls, including screened host firewalls, packet filtering routers, and dual-homed and screened Subnet designs - these must all be chosen based on industrial needs and network designs to select an effective firewall design.

A firewall serves to defend an organization or internal environment against external attacks. The configuration of a firewall depends on three primary factors, including network objectives from an organizational viewpoint, development capabilities, and implementation methods; budget considerations also come into play when selecting hardware.


Firewall Architecture In Detail


Different types of architecture are available for firewalls.


Screened Host Firewall Architecture

The screened-host architecture improves on the packet-filtering router by adding a dedicated host behind it.

In this architecture a packet-filtering router is combined with a separate, dedicated firewall host running application proxies. Filtering all traffic in the router alone becomes slow and error-prone as the access control list grows, which is the problem this design addresses.

The router pre-screens packets and forwards the permitted ones to the dedicated host, reducing the router's load and distributing the filtering work.

The proxy host filters at the application layer, inspecting HTTP, HTTPS, FTP, and SFTP traffic as needed. It is known as the bastion host because it is the most exposed machine in the design: it is the one outside attackers can reach, so it must be hardened and minimally configured.

An attacker has to compromise the bastion host (the application proxy) before any attack can be launched against internal systems.

Workflow: the bastion host acts as a proxy and shares the workload with the packet-filtering router, where the rules and access controls are held.

The bastion host filters network traffic and proxies the permitted sessions to the internal network, where an internal filtering router can apply further controls.


Firewall Architecture For Packet Filtering Routers

Many organizations require internet connectivity for various reasons. Unfortunately, without installing and configuring a firewall, we open ourselves up to external threats that could compromise the organization.

Installing and configuring a firewall is essential protection against external attacks. A packet-filtering router serves this function: it sits between the organization and its Internet service provider and filters packets at the network and transport layers (addresses, protocols, and ports).

The filtering router drops or rejects unwanted packets so that they never reach the organization's network.

Implementation is relatively simple, and the design reduces external threats by blocking network access to anyone not permitted into the organization's network. Packet-filtering routers have drawbacks, however: they provide little auditing of network traffic, they do not authenticate users (only addresses and ports are checked, which is why anti-spoofing matters), and filtering every packet through a long access list adds overhead and can slow the network.

Workflow: to implement this firewall we first need the ISP connection between our organization and the Internet and an external filtering router.

Next, we must add ACLs and configurations to our firewall so network traffic can be filtered before being sent to an internal filter router for further processing in our organization's internal network.


Dual-Homed Firewall Architecture

Improving network security increases the complexity of the architecture. The previous design used a single network interface card.

The dual-homed architecture instead uses two distinct network interface cards on the bastion host, one facing outward and one facing inward, and all traffic between the two networks must physically pass through the firewall host; IP forwarding is disabled so that no packet can cross without being inspected.

Workflow: rather than a separate proxy host, the firewall itself sits inline with two NICs; one connects directly to the ISP and the other to the internal network.

The firewall filters the traffic and forwards only valid packets toward the internal network, discarding the rest.


Network segmentation

The network is divided into logical or physical zones that share similar security needs, enabling each section to focus on any security threats impacting its section of ICS.

Segmentation also benefits device managers by assigning responsibility for one segment rather than all parts of ICS.


Define Zone-To-Zone Interactions

Once you have established which traffic must pass between security zones, industrial firewalls can filter unauthorized traffic by using deep packet inspection to filter industrial protocols more precisely than traditional firewalls.

Most industrial firewalls can be deployed in transparent (bridge) mode, dropping into existing networks without changing IP addressing or routing tables.

A vital practice when connecting ICS networks to enterprise information technology networks or the Internet is creating a Demilitarized Zone (DMZ).

A DMZ prevents direct connections between enterprise networks and secure ICS networks while making data servers available for both. Eliminating direct links dramatically decreases the risk of unauthorized traffic entering different zones.


Secure Remote Access For Industrial Networks

Industrial automation industries face an ever-increasing need to access remote sites for maintenance or monitoring purposes, increasing the chance that someone with malicious intentions could enter their network.

Virtual private networks (VPNs) are the right tool when remote sites must stay permanently connected to an ICS. Such VPNs should use modern, authenticated encryption such as IPsec or OpenVPN; PPTP is obsolete, its MS-CHAPv2 authentication is broken, and it should not be used.

VPNs have three significant benefits. First, data transmission is encrypted when it goes out; secondly, the sender and receiver must authenticate themselves to ensure only verified devices can exchange information; thirdly, by enforcing authentication and encryption, you can ensure data integrity.


Secure Device Configuration


Once your network architecture is in place, the next step should be ensuring the switches and other network devices meet your security requirements.

For engineers without extensive networking knowledge this task may seem daunting, but the IEC 62443 standard offers guidance by outlining the features to look for in switches and devices. Its seven foundational requirements are listed below with a brief explanation of why each matters.

  1. Identification and Authentication Control: Public key authentication should be utilized to safeguard server-to-device and device-to-device connections, with every network device capable of validating security certificates by verifying their signatures and revocation statuses to control identification and authentication controls effectively.
  2. Use Control: Every device on the network must require login authentication so that unauthorized users cannot reach the device or the network. To defeat password guessing, devices and applications must limit the number of failed login attempts before the account is locked out.
  3. Data Integrity: On ICS networks, data integrity is essential to guarantee accurate processing and retrieval. Measures such as TLS (the successor to SSL), which encrypts and authenticates traffic between a browser and a server, protect data against tampering in transit.
  4. Data Confidentiality: Data stored on devices or transmitted across the network must be protected against threats ranging from simple to sophisticated, including anyone trying to intercept communications, alter settings, or steal the data.
  5. Restricting Data Flow: Dividing the network into zones with security controls specific to each zone ensures that only authorized personnel and systems can access, or send data out of, a given zone. It also means that if one zone is compromised, the intruder cannot spread quickly across the whole network, which limits the damage of a breach.
  6. Timely Response to Events: System operators must be able to respond rapidly when security incidents arise. Devices should alert operators to problems as soon as they occur and keep an accurate record of anomalies, and events must be processed quickly enough that operators can act before further damage is done to the ICS network.
  7. Resource Availability: Devices must keep operating, or degrade gracefully, under denial-of-service conditions such as traffic floods, so that essential control functions are never starved of the resources they need.



Conclusion

This has been a comprehensive overview of firewall architecture. There are several kinds, and the one chosen must suit both the organization's needs and its budget.

A firewall can also inspect and track traffic at the application layer.

A zero-trust architecture evaluates each access request individually. If the request satisfies the role-based access controls and contextual requirements, access is granted only to the requested asset, at the requested level, and only for as long as it is needed.