Factors to Consider When Designing a Firewall
What does a firewall do?
A firewall is a system engineered to prevent unwanted data from entering or leaving a private network. You can implement a firewall in hardware, in software, or as a combination of the two. In a business setting, an organization may have an intranet that it protects with a network firewall. The goal is to keep unauthorized users from penetrating the intranet and thereby gaining access to sensitive data and systems.
How does a firewall work?
To provide network security, a firewall setup has to have the following attributes:
There are several basic factors to consider in firewall design. Giving appropriate forethought to these factors can prevent many firewall design issues. The following firewall design principles can ensure you have the most secure defense system:
To enforce security policies and control access to your network, you can take advantage of a few different techniques. Some of these include service control, as well as controlling the directions of requests, users, and their behavior.
You can use service control to specify the kinds of internet services that users can access. For example, a firewall can filter traffic based on its Internet Protocol (IP) address or the port it uses. You can also use a proxy to serve as a perimeter firewall. It can be positioned between your organization’s network and the internet and used to interpret requests from services before allowing them to enter or exit your network.
With direction control, you can specify the directions in which requests are allowed to be made. For instance, if you suspect that an application in a certain area of your network has been compromised, you can prevent computers and devices within that segment from sending requests out to the internet.
With user control, you can decide which users are allowed to access a server. This can include people inside your network's perimeter and those outside. Regardless of where the individual is, the most common way of ensuring they—and only they—have access is to use authentication technology, such as two-factor authentication (2FA) and multi-factor authentication (MFA).
Behavior control enables you to control how specific services are used. For example, you can use a firewall to limit the kinds of information on your web server that can be accessed by people from the outside. In other words, you control their behavior by limiting their options.
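The four techniques above are easier to see side by side in a small policy evaluator. The following is an added example, not Fortinet's code or a FortiOS configuration: it models service control as address and port matching, direction control as inbound/outbound/internal classification, user control as identity and MFA requirements, and behavior control as the URL prefixes an outside client is allowed to request. Every network, host, user name and flow in it is constructed for illustration.

```python
"""Toy policy evaluator for the four control techniques described above.

Added example, not Fortinet's code or FortiOS configuration. It models
service control (addresses and ports), direction control (which way a
request may travel), user control (who may reach a server and whether
MFA is required) and behavior control (what an allowed client may do on
the service). Every network, host, user and flow below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

INTERNAL = ip_network("10.0.0.0/8")                # assumed private address space
COMPROMISED_SEGMENT = ip_network("10.20.0.0/16")  # assumed segment under suspicion
WEB_SERVER = "10.1.1.10/32"                       # assumed public web server


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    user: Optional[str] = None   # authenticated identity, if any
    mfa: bool = False            # True if the session completed MFA
    path: Optional[str] = None   # requested web resource, if HTTP(S)

    @property
    def direction(self) -> str:
        src_in = ip_address(self.src) in INTERNAL
        dst_in = ip_address(self.dst) in INTERNAL
        if src_in and not dst_in:
            return "outbound"
        if dst_in and not src_in:
            return "inbound"
        return "internal"


@dataclass
class Rule:
    name: str
    action: str                                      # "allow" or "deny"
    direction: Optional[str] = None                  # direction control
    src: Optional[str] = None                        # service control: source network
    dst: Optional[str] = None                        # service control: destination network
    dport: Optional[int] = None                      # service control: destination port
    users: Optional[Set[str]] = None                 # user control: permitted identities
    require_mfa: bool = False                        # user control: demand strong auth
    allowed_paths: Optional[Tuple[str, ...]] = None  # behavior control: URL prefixes

    def matches(self, f: Flow) -> bool:
        """Service- and direction-control attributes select the rule."""
        if self.direction and f.direction != self.direction:
            return False
        if self.src and ip_address(f.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(f.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and f.dport != self.dport:
            return False
        return True

    def permits(self, f: Flow) -> bool:
        """User- and behavior-control attributes decide whether an allow
        rule actually lets this particular session through."""
        if self.users is not None and f.user not in self.users:
            return False
        if self.require_mfa and not f.mfa:
            return False
        if self.allowed_paths is not None and (
            f.path is None or not f.path.startswith(self.allowed_paths)
        ):
            return False
        return True


def evaluate(rules: List[Rule], f: Flow) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is denied by default."""
    for r in rules:
        if r.matches(f):
            if r.action == "deny" or not r.permits(f):
                return ("deny", r.name)
            return ("allow", r.name)
    return ("deny", "default-deny")


POLICY = [
    # Direction control: the suspected-compromised segment gets no internet egress.
    Rule("quarantine-egress", "deny", direction="outbound", src=str(COMPROMISED_SEGMENT)),
    # Service control: outsiders reach the web server on 443 only.
    # Behavior control: and only the public part of the site.
    Rule("public-web", "allow", direction="inbound", dst=WEB_SERVER, dport=443,
         allowed_paths=("/public/",)),
    # User control: the admin area is for named staff over an MFA session.
    Rule("admin-web", "allow", direction="internal", dst=WEB_SERVER, dport=443,
         users={"alice"}, require_mfa=True),
    # Everyone else may browse the web (HTTPS only).
    Rule("general-egress", "allow", direction="outbound", dport=443),
]

SAMPLE_FLOWS = [  # constructed traffic, not captured data
    Flow("10.20.5.7", "203.0.113.5", 443),                           # quarantined host
    Flow("10.30.1.1", "203.0.113.5", 443),                           # normal egress
    Flow("198.51.100.9", "10.1.1.10", 443, path="/public/index.html"),
    Flow("198.51.100.9", "10.1.1.10", 443, path="/admin/"),          # outsider, admin area
    Flow("10.30.1.1", "10.1.1.10", 443, user="alice", mfa=True, path="/admin/"),
    Flow("10.30.1.1", "10.1.1.10", 443, user="alice", mfa=False, path="/admin/"),
    Flow("198.51.100.9", "10.1.1.10", 22),                           # unmatched service
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src:>14} -> {f.dst}:{f.dport:<4} {f.direction:<8}", evaluate(POLICY, f))
```

The ordering matters: the quarantine rule sits first so that a compromised segment is cut off before any general egress rule can match it, and the implicit final verdict is deny, so a service nobody wrote a rule for (SSH from the internet in the last sample flow) is never reachable by accident.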
To ensure adequate protection for your network and devices, it is best to take a systematic approach. Some primary concerns should be the control and visibility of applications, preventing threats, ensuring high throughput, and focusing on protecting devices from remote users. Here is a more detailed description of each element:
To design an effective firewall, you need to develop a security policy and a simple design solution, ensure devices are used correctly, set up a layered defense, and address internal threats.
Developing a security policy is one of the most important steps you can take as you strategize your firewall setup. These are the policies that will drive your decisions, so be specific as opposed to general when crafting them. Consider the following as you design your policies:
As is the case with many technologies, it can be tempting to simply throw a bunch of solutions at a problem, hoping this kind of shotgun approach will prevent potential issues. However, it is best to systematically evaluate what you need to protect and the best tools for protecting them—keeping in mind that less is often more.
For example, a next-generation firewall (NGFW) should typically be used to the full extent of its capabilities rather than combining multiple devices to do what a single unit can accomplish.
Just as you would not use a screwdriver to hammer in a nail, you should not use network devices for purposes they might be able to perform but were not designed for. For example, while it may be possible to use a switch to filter traffic, a switch is really designed to prevent data collisions and manage bandwidth.
Using a combination of configurations on your switch as well as the devices that connect to it may protect you—temporarily—from some threats. However, as devices and other network factors change, your system can be exposed to a variety of different threats. It is best to address security issues with security-specific devices.
A layered defense is often more effective than using only one line of defense. With multiple layers in place, if the first layer gets compromised, those after it may be able to catch the threat. To take advantage of this strategy, carefully think about how you will configure each layer.
It is always easier to access sensitive data and systems from within an organization. Many IT administrators make the mistake of focusing solely on external threats, trusting those within the company. But because people inside often have too much access to too many components, they frequently present a far more dangerous threat. You may want to consider implementing policies such as:
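The two points above, layering the defense and not trusting the inside of the network by default, can be shown together. The following is an added example, not Fortinet's code: three independent layers (an edge firewall, an internal zone firewall, and a host-level control on the database tier) each get a vote, and a flow passes only if none of them denies it. The sample flows show a connection from a compromised web host and an insider going straight for the database, both of which the perimeter would never see, being stopped by the deeper layers. The zones, hosts, account names and flows are constructed for illustration.

```python
"""Layered defense with the insider in mind.

Added example, not Fortinet's code. Three independent layers each get a
vote, and a flow is allowed only if none of them denies it: a perimeter
firewall, an internal zone firewall, and a host-level control on the data
tier. The zones, hosts and identities are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")
ZONES = {                                   # assumed network zones
    "dmz": ip_network("10.1.0.0/16"),       # public-facing web servers
    "users": ip_network("10.30.0.0/16"),    # employee workstations
    "app": ip_network("10.40.0.0/16"),      # application tier
    "data": ip_network("10.50.0.0/16"),     # database tier
}
SERVICE_ACCOUNTS = {"svc_orders"}           # assumed app-tier service identities
DBA_USERS = {"carol"}                       # assumed staff allowed interactive DB access


def zone(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internal" if addr in INTERNAL else "external"


def perimeter(flow: dict) -> str:
    """Layer 1: the edge firewall. It only sees traffic crossing the edge;
    inbound connections may reach the DMZ on 443 and nothing else."""
    if zone(flow["src"]) != "external":
        return "allow"                      # internal traffic never reaches the edge
    return "allow" if zone(flow["dst"]) == "dmz" and flow["dport"] == 443 else "deny"


ZONE_POLICY = {                             # (source zone, destination zone): allowed port
    ("external", "dmz"): 443,
    ("dmz", "app"): 8443,
    ("users", "app"): 8443,
    ("app", "data"): 5432,
}


def segmentation(flow: dict) -> str:
    """Layer 2: the internal firewall between zones. Each tier may talk
    only to the next one; workstations and the DMZ never reach the data
    tier directly, which stops lateral movement from a compromised host
    and the insider who tries to go straight to the database."""
    src, dst = zone(flow["src"]), zone(flow["dst"])
    if src == dst:
        return "allow"                      # intra-zone traffic is left to host controls
    return "allow" if ZONE_POLICY.get((src, dst)) == flow["dport"] else "deny"


def data_access(flow: dict) -> str:
    """Layer 3: host-level control on the data tier. Only named service
    accounts, or staff on the DBA list with an MFA-backed session, get in;
    reaching the right network is not enough."""
    if zone(flow["dst"]) != "data":
        return "allow"
    ident = flow.get("user")
    if ident in SERVICE_ACCOUNTS:
        return "allow"
    if ident in DBA_USERS and flow.get("mfa", False):
        return "allow"
    return "deny"


LAYERS = [perimeter, segmentation, data_access]


def evaluate(flow: dict):
    """The first layer to deny wins; a flow passes only if every layer allows it."""
    for layer in LAYERS:
        if layer(flow) == "deny":
            return ("deny", layer.__name__)
    return ("allow", None)


SAMPLE_FLOWS = {  # constructed traffic, not captured data
    "customer-to-web": {"src": "198.51.100.9", "dst": "10.1.1.10", "dport": 443},
    "internet-to-db": {"src": "198.51.100.9", "dst": "10.50.1.5", "dport": 5432},
    "web-host-lateral": {"src": "10.1.1.10", "dst": "10.50.1.5", "dport": 5432},
    "insider-direct-db": {"src": "10.30.2.2", "dst": "10.50.1.5", "dport": 5432, "user": "bob"},
    "app-service": {"src": "10.40.1.1", "dst": "10.50.1.5", "dport": 5432, "user": "svc_orders"},
    "dba-no-mfa": {"src": "10.40.1.1", "dst": "10.50.1.5", "dport": 5432, "user": "carol"},
    "dba-with-mfa": {"src": "10.40.1.1", "dst": "10.50.1.5", "dport": 5432,
                     "user": "carol", "mfa": True},
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:<18}", evaluate(flow))
```

Note that the internal firewall independently carries its own external-to-DMZ rule rather than trusting that the edge already filtered that traffic; each layer is configured as if the one in front of it could fail, which is the point of the strategy.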
With a FortiGate Next-generation firewall (NGFW), you gain full control over what users and devices are allowed to access, thanks to integration with FortiOS. The FortiGate NGFW also provides faster processing because it features dedicated security processing units whose sole job is to protect your network.
You also get the most recent threat intel powered by FortiGuard, ensuring you are shielded from a wide range of new and old threats. Machine learning capabilities enable the FortiGate NGFW to detect threats based on their behavior, not just their signatures, giving it the ability to stop zero-day attacks.
Firewalls are designed to protect your network from threats, as well as prevent malicious actors from using resources inside your network to launch attacks.
While there are a number of techniques, there are four primary approaches: service control, direction control, user control, and behavior control.
Firewall design is the process of deciding which digital assets and resources you need to protect, what your available firewalls are capable of, and how to position and configure them. The design process also includes ensuring you have adequate throughput so core business processes are not interrupted by your firewall.