Better safe than sorry: How firewalls should protect against network attacks

Firewalls have the primary task of preventing unwanted access to the (local) networks to be protected.
Such systems are basically used at two different points in the IT infrastructure.

A distinction is made between personal firewalls and network firewalls:

• personal firewalls are installed on the end device (PC, notebook, tablet, etc.) while network
• firewalls are used at the border between the internal network area (LAN) and the public network area (WAN).
• network firewalls therefore control all data traffic between internal and external networks, such as the Internet, at a central point.

Firewall solutions now check much more than the original packet filter firewalls, which allowed, blocked or dropped network traffic according to source, destination and the protocol or service used. Increasingly frequent and also more complex attacks on companies show why dedicated firewalls with extensive protection and logging capabilities are enormously important. Because once attackers get into the victim's network, the damage is often immense!

An attack method on networks and their server systems that has been used for a long time but is still frequently used are DoS (Denial of Service) or DDoS attacks (Distributed Denial of Service). The aim of these attacks is to bring a certain service or server to a standstill by sending a very high number of requests. In DoS attacks, one computer is used to send the constant requests to the target system, whereas in DDoS, many different systems paralyse the affected target. Other threats are viruses, worms and Trojan horses. These belong to the class of malware, i.e. malicious software that can lead to data theft and data loss, among other things. In seemingly harmless programmes or scripts, there is embedded malicious code. As soon as this code has been executed, the end device is considered infected and the malware begins to read sensitive data (such as passwords, address data, account data, etc.) in the background. One type of attack that has become particularly popular in recent years is the infiltration of ransomware. This can be described as an encryption Trojan and usually blocks complete access to the captured system by encrypting all data. The attackers often blackmail the victims with a ransom demand in order to regain access to the system. However, such a payment is no guarantee that the user data will be decrypted again afterwards!

Firewalls play a major role in increasing the level of protection against such unwanted access or attacks. Next-generation firewalls in particular can contribute to better defence against the attacks described. This means that the data packets are analysed down to the last detail so that possible malware can be detected and blocked even in the case of supposedly harmless traffic. Manufacturers sometimes use the following protective mechanisms for this purpose:

• Deep Packet Inspection (DPI)
  The DPI examines the data packets up to layer 7 of the ISO/OSI reference model. In this way, the user data part is also checked, which may contain potential malicious code.
• Intrusion Detection System (IDS) or Intrusion Prevention System (IPS)
  These systems should not only detect anomalies or threats, such as signs of a DoS attack in network data traffic, but also combat them directly through automatic countermeasures (e.g. immediate cutting of the connection).
• HTTPs-Inspection
  Due to the sharp increase in the share of encrypted web traffic through https connections, firewalls also had to be able to check this traffic for possible dangers to the network. For this purpose, modern firewall solutions offer the possibility of acting as their own certification authority (CA). This means that the data traffic passing through is decrypted, analysed and finally re-encrypted and forwarded.
• Sandboxing
  The sandbox method is used to test executable files in an isolated environment. In this way, possible threats from hidden malware, for example, can be uncovered before they are made available in the productive system environment.

In addition, next-generation firewalls nowadays also offer functions such as spam filters, quality of service guidelines or even application- or user-specific filtering options. Depending on the requirements, different modules can be combined and activated according to the desired level of protection.