
Firewalls - a bit of theory for beginners or what you need to know before you buy

Several years ago, I had to plunge into the world of firewalls and find the right option. Paid / free, open / closed, hardware or software. There are plenty of options. Today all this is over and I have had a favorite firewall for a long time, which I set up in a few minutes, but I would like to help those who are just starting to work in this area by bringing at least some clarity. Hope that helps.



(I can't bring myself to write it any other way: a firewall is a firewall, even in Africa.)



1. First of all, firewalls are divided into 2 types: host-based and network. A host-based firewall is installed directly on the client machine (on top of the existing OS) and protects only this one machine. This can be useful at home (especially if you have only one computer and it is directly connected to the modem) or in a network environment, as an additional means of security.



A network firewall protects the entire network and usually serves as a gateway to this network. A network can consist of one computer as well as many thousands. The type of firewall is chosen depending on the network environment and needs.


2. Network firewalls are divided into 2 types: PC-based (based on a common computer) and ASIC-accelerated.



ASIC - application-specific integrated circuit. This refers to machines in which the main functionality of the firewall is implemented at the hardware level. As a rule, these are very expensive systems, the cost of which often reaches several tens or even hundreds of thousands of dollars. They are usually used by ISPs and similar organizations that need very high throughput.

All other firewalls are PC-based. Do not fall for the tricks of sellers and marketers: every other firewall is PC-based.



3. In turn, PC-based firewalls are divided into 2 types: distributions and appliances (boxes). Each of them has its pros and cons.



In favor of the distributions:

- Depending on the situation, you may already have suitable hardware that you can allocate to the firewall, or you can buy a server / computer relatively cheaply. In other words, it will most likely be cheaper.

- You can buy a computer or server, which can be small or huge - your choice.

- You can add several additional network cards to this computer / server, or, for example, put the OS on a RAID array - flexibility.

- If necessary, you can transfer (reinstall) software to another server - mobility.

- You specifically know all the technical characteristics of your server.

- You are much less dependent on the supplier.



In favor of appliances:

- Less headache when choosing hardware, especially when trying to embrace the immense and calculate in advance the growth of the company, the amount of traffic, etc. The supplier's specialists can usually suggest which particular device from their product range to take, and will often be right.

- Not all hardware is supported by all distributions. Often the software is "trimmed" pretty hard. When installing software on a shiny new server, you can find out on one of the forums that your hardware is definitely not supported. Moreover, such a situation is rather difficult to predict, because you usually end up in it when the money has already been spent and the work has begun.

- Usually they have the "correct" form factor, i.e. small neat boxes or 1U rackmounts (i.e. for a server rack).

- As a rule, they are already fitted to certain categories of use, i.e. the CPU, RAM and disk will suit your needs, and in the number of network interfaces they will exceed a standard 1U server.

- Supported as an appliance, i.e. one support address for both hardware and software.

- No headache with installing software.

- And finally, they often look pretty good.



4. (Now by tradition), distributions are divided into 2 types: with open source and proprietary.

Without going too deep into the details and holy wars, it can be noted that people often fall for the FUD (fear, uncertainty and doubt) campaigns run by vendors of proprietary software, and mistakenly consider free / open software insufficiently protected, unsupported, poorly written, etc. Of course, all this is just FUD and nothing more. Open source firewalls are in no way inferior in quality to their closed counterparts. But some points should be noted:



- Even without being a programmer, you can enjoy the benefits of open source software, because there are enough people on the forums who will be happy to help you, and some can even write small patches.

- You can always look into the code and try to understand what works and how. This often helps with problem solving.



On the other hand, the supplier of proprietary software will provide you with support (for a lot of money), and specially trained professionals will help solve any problem.

Of course, this kind of support exists in open source software, but there, as a rule, people try to cope on their own.



5. Now let's see what firewalls have acquired over all this time.

UTM - Unified Threat Management. In fact, this is the same PC-based firewall, just overgrown with additional functionality. Added here are both functions that are standard for a firewall today (IDS / IPS, VPN, load balancing, routing) and others: content filtering, antivirus, anti-spam, etc.

Usually only small organizations with a small budget use UTM. Experts strongly recommend separating the two anyway and placing the machine with UTM functionality behind the firewall.



6. Server. The one that "does all the server stuff". Such a beast exists. It has a firewall, mail, ftp, file storage and a lot more. Despite the incredible convenience of such rich functionality, it is strongly not recommended to use it, because from a security point of view it is just one big hole.



7. IDS / IPS. A kind of traffic analyzer that works on the basis of a signature database and tries to detect anomalies. An IDS (intrusion detection system) tries to detect them, while an IPS (intrusion prevention system) also tries to stop them.

Many firewalls today have this functionality built in or added as a package.



8. IDS / IPS are not ideal, because they do not understand the protocols, so a Layer 7 firewall is used for more serious protection. As a rule, it is available in most firewalls.



It is worth noting that both the IDS / IPS and the Layer 7 firewall are quite hungry for CPU and RAM.
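As an added illustration of points 7 and 8 (this is example code written for this page, not anything from the original post or from a real product), the script below contrasts a byte-level signature engine with a protocol-aware check. The signature engine runs in IDS mode (a match only raises an alert and the traffic is still forwarded) and in IPS mode (a match is dropped); the Layer 7 check parses the HTTP request and applies policy to the parsed fields, which a raw-byte signature cannot express. The signature set, the method allowlist and the sample requests are all constructed for the demo.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed signature set for the demo; real IDS/IPS rulesets are far larger.
SIGNATURES: Dict[str, "re.Pattern[bytes]"] = {
    "path-traversal": re.compile(rb"\.\./"),
    "sql-comment-in-query": re.compile(rb"'\s*--"),
}


@dataclass
class Verdict:
    payload: bytes
    signature: Optional[str]  # name of the matched signature, if any
    action: str               # "pass", "alert" (IDS) or "drop" (IPS)


def signature_engine(payloads: List[bytes], mode: str) -> List[Verdict]:
    """Signature-based inspection over raw bytes.

    'ids' mode: a match raises an alert but the traffic is still forwarded.
    'ips' mode: a match is dropped instead of forwarded.
    """
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    verdicts = []
    for p in payloads:
        hit = next((name for name, rx in SIGNATURES.items() if rx.search(p)), None)
        if hit is None:
            verdicts.append(Verdict(p, None, "pass"))
        else:
            verdicts.append(Verdict(p, hit, "alert" if mode == "ids" else "drop"))
    return verdicts


# Hypothetical policy for the Layer 7 check: only these HTTP methods are allowed.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}


def layer7_http_check(payload: bytes) -> str:
    """Protocol-aware check: parse the HTTP request line and headers, then apply
    policy on the parsed fields rather than on raw bytes. Returns 'pass' or the
    reason the request is rejected."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return "reject: non-ascii request head"
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "reject: malformed request line"
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        return f"reject: method {method} not allowed"
    headers = {}
    for h in lines[1:]:
        if ":" not in h:
            return "reject: malformed header"
        k, v = h.split(":", 1)
        headers[k.strip().lower()] = v.strip()
    if "host" not in headers:
        return "reject: missing Host header"
    # Decode the request target first, so the rule applies to what the server
    # would actually see rather than to the wire bytes.
    if "../" in unquote(target):
        return "reject: path traversal in request target"
    return "pass"


# Constructed sample traffic (not real captures).
SAMPLE = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /static/../../config.ini HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"TRACE / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\n\r\n",
]

if __name__ == "__main__":
    for v in signature_engine(SAMPLE, "ids"):
        print("IDS", v.action, v.signature)
    for v in signature_engine(SAMPLE, "ips"):
        print("IPS", v.action, v.signature)
    for p in SAMPLE:
        print("L7 ", layer7_http_check(p))
```

On the four sample requests the signature engine flags only the second one (the traversal pattern), and in IDS mode still forwards it; the TRACE request and the request without a Host header pass the signature engine untouched because no byte pattern describes "wrong method" or "missing header", while the Layer 7 check rejects both. That extra parsing is also where the CPU and RAM cost the text mentions comes from.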



9. Functionality. Most firewalls try to incorporate all kinds of goodies, and with proper marketing it sounds beautiful.

Do you need all this functionality? No. Do you need some of it? Yes. Therefore, it is advisable to understand what you need and what you are being offered, and to read in more detail about each function, so as not to fall for the bait and not pay for what you will not use in 10 years.



10. Support. This is one of the most important things in the world of firewalls: someone must be able to operate them and figure things out if they fail. If you have competent employees, or you are one yourself - fine. If not, you will have to pay. And you should take care of this already when buying a firewall. Often support is not cheap at all, but it is your guarantee. Is it worth the risk?



Well, that's almost everything. If anything is missing - write.

Source: https://habr.com/ru/post/130090/
