Using firewalls and secure network design

Firewalls regulate information flow between networks. They can be software only, running on a computer or server used primarily for other purposes, or specialist hardware and software used for no other purpose.

Many routers have built-in firewalls, particularly those designed to connect to a broadband service provided by an Internet Service Provider (ISP).

Firewalls examine data and decide if it should be permitted to pass on to its claimed destination. The rules that govern these decisions can be simple or highly sophisticated. However, a firewall on its own won’t provide the complete solution.

Your local area networks (LANs) must also be secure. For example, if you have multiple data servers, you don’t want a firewall slowing down traffic between the servers, but you do want all user requests for data sent to the servers to be checked. Other cases where you may want separation by design include isolating guest devices, such as personally owned devices (BYOD - bring your own device), from your trusted devices, and distinguishing between wireless and wired users.

A common technique is to place two firewalls from different manufacturers in series between your internal network and the internet. This has two functions. Firstly, if a hacker manages to subvert one of your firewalls, the second firewall still provides protection. Secondly, the connection between the two firewalls is a good place to connect partially trusted users (eg business partners) or place ‘open access’ web servers where you do not trust their external users. Such an area is called a ‘DMZ’.

Message validation is another firewall function. When large or complex messages are sent over the internet, they are broken down into multiple pieces that are sent separately. An attacker can create specially designed messages whose individual components are legal, but when reassembled they cause the recipient computer to crash or perform unauthorised functions. A proxy server can be used by a firewall to reassemble messages, validate them and pass them on to the intended recipient. If a message is malformed, the worst that can happen is that the proxy server crashes, but it can be restarted automatically. The intended target never sees the hostile message and is unaffected.
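
The check a reassembling proxy performs can be sketched as follows. This is an added example, not code from the original page. It assumes the "pieces" are IPv4 fragments with a fixed 20-byte header, each represented as an (offset, more-fragments flag, payload) tuple; the function name and the sample data are hypothetical.

```python
MAX_DATAGRAM = 65535   # largest IPv4 datagram the length field can describe
IP_HEADER = 20         # assumption: fixed header, no IP options


def reassemble(fragments):
    """Validate and join fragments given as (offset, more_fragments, payload).

    Returns (payload, None) if the set is well formed, else (None, reason).
    """
    if not fragments:
        return None, "empty"
    ordered = sorted(fragments, key=lambda f: f[0])
    expected = 0              # next byte offset we are willing to accept
    payload = bytearray()
    for index, (offset, more, data) in enumerate(ordered):
        is_last = index == len(ordered) - 1
        # Offsets, and every non-final payload, are multiples of 8 bytes.
        if offset % 8 or (more and len(data) % 8):
            return None, "misaligned"
        if offset < expected:     # would overwrite bytes already accepted
            return None, "overlap"
        if offset > expected:     # a piece is missing
            return None, "gap"
        if more == is_last:       # only the final piece may clear the flag
            return None, "bad-final-flag"
        # Each piece can be legal on its own while the total is not.
        if IP_HEADER + offset + len(data) > MAX_DATAGRAM:
            return None, "oversize"
        payload += data
        expected = offset + len(data)
    return bytes(payload), None


# Constructed sample inputs (not captured traffic).
GOOD = [(16, False, b"B" * 4), (0, True, b"A" * 16)]   # arrives out of order
OVERLAP = [(0, True, b"A" * 16), (8, False, b"B" * 8)]
OVERSIZE = [(i * 1480, True, bytes(1480)) for i in range(44)]
OVERSIZE.append((65120, False, bytes(1480)))

if __name__ == "__main__":
    for name, frags in (("good", GOOD), ("overlap", OVERLAP),
                        ("oversize", OVERSIZE)):
        data, reason = reassemble(frags)
        print(name, "->", "forward %d bytes" % len(data)
              if data is not None else "drop: " + reason)
```

Only a set that passes every check is forwarded as one validated message; anything else is dropped at the proxy and never reaches the intended recipient.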