
Firewall Design Principles in Network Security

Firewall Characteristics

What does a firewall do? A firewall is a system engineered to prevent unwanted data from coming into or exiting a private network. You can use either hardware or software to implement a firewall, as well as a combination of the two. In a business setting, an organization may have an intranet that they protect using a network firewall. The goal is to keep unauthorized users from penetrating the intranet and therefore gaining access to sensitive data and systems.

How does a firewall work? To provide network security, a firewall setup has to have the following attributes:

  1. All data moving into and out of the organization's network has to pass through the firewall.
  2. Local security policies decide which kinds of traffic are allowed to pass through the firewall. You can use multiple kinds of firewalls to enable a variety of security policies.
  3. The firewall itself must be resistant to penetration. In practice this means running it on a hardened, minimal system with no unnecessary services exposed, keeping it patched, restricting its management interface to trusted networks, and choosing a vendor with a dependable security track record.

Importance of Firewall Design for Advanced Network Security

There are several basic factors to consider in firewall design. Giving appropriate forethought to these factors can prevent many firewall design issues. The following firewall design principles help you arrive at a defensible design:

  1. Pinpoint the kinds of security controls your organization needs. This will involve checking the security requirements as outlined by upper management, evaluating the current security posture, and deciding how firewalls can address any concerns.
  2. Outline your security policy. If your security policies are well-defined, they will include access policies, network resources, and the appropriate authorization controls.
  3. Choose your firewall philosophy. This process centers around the identification of applications, resources, and services that you want to protect. All firewall design principles in cybersecurity hinge on these decisions.
  4. Choose the kinds of communications that will be allowed. This one involves deciding which people, devices, and applications will be allowed to use your network and access your organization’s web services.
  5. Choose where the firewalls will be deployed. Figuring out the locations of your firewall should be done strategically. They should be specifically focused on safeguarding the communications and systems you identified in the previous steps. For example, you can use a packet filter firewall at the edge of your network or a proxy firewall between your internal network and your web server.

Firewall Techniques to Control Access and Enforce Security Policy

To enforce security policy and control access to your network, a firewall can apply four kinds of control: service control, direction control, user control, and behavior control.

Service Control

You can use service control to specify the kinds of internet services that users can access. For example, a packet-filtering firewall can permit or drop traffic based on source and destination Internet Protocol (IP) address, transport protocol, and port. You can also deploy an application-level proxy as the perimeter firewall: positioned between your organization's network and the internet, it terminates each connection, interprets the application protocol, and forwards only requests that conform to policy.

Direction Control

With direction control, you can specify the directions in which requests are allowed to be made. For instance, if you suspect that an application in a certain area of your network has been compromised, you can prevent computers and devices within that segment from sending requests out to the internet.
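The two controls above are easiest to see as an ordered rule set. The following is an added example, not code from the original page or from any vendor: a small first-match packet filter written in Python. The segment names, addresses, and rules in it are assumptions chosen for illustration. It models service control (which hosts and ports are reachable) and direction control (which way a flow may be initiated), and it shows why rule order matters: the egress block for a quarantined segment has to sit before the broader intranet allow rule, because the quarantine range is contained in the intranet range.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Added example, not the page's or any vendor's code. Addresses, segments and
# the policy below are assumptions for illustration.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    direction: str   # "in" (internet -> intranet) or "out" (intranet -> internet)


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in", "out" or "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any destination port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins; a packet no rule matches is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return "deny", "default deny"


INTRANET = "10.0.0.0/8"          # assumed internal address space
QUARANTINE = "10.50.0.0/16"      # assumed segment holding a suspected-compromised app
WEB_SERVER = "10.10.0.5/32"      # assumed published web server

POLICY = [
    # Direction control: the quarantined segment may not initiate anything outbound.
    # This must come before the intranet allow rules, since 10.50/16 lies inside 10/8.
    Rule("deny", "out", src=QUARANTINE, comment="quarantine egress block"),
    # Service control: the internet may reach only HTTPS on the published web server.
    Rule("allow", "in", dst=WEB_SERVER, proto="tcp", dport=443, comment="public https"),
    # Service control: internal hosts may use DNS and HTTPS outbound, nothing else.
    Rule("allow", "out", src=INTRANET, proto="udp", dport=53, comment="dns"),
    Rule("allow", "out", src=INTRANET, proto="tcp", dport=443, comment="https"),
]

# The same rules with the quarantine block moved to the end: a common ordering
# mistake that silently lets the quarantined segment out via the intranet allow.
MISORDERED = POLICY[1:] + POLICY[:1]


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.7", "10.10.0.5", "tcp", 443, "in"),     # allow: public https
        Packet("203.0.113.7", "10.10.0.5", "tcp", 22, "in"),      # deny: default deny
        Packet("10.20.1.4", "198.51.100.9", "tcp", 443, "out"),   # allow: https
        Packet("10.50.3.9", "198.51.100.9", "tcp", 443, "out"),   # deny: quarantine
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(POLICY, pkt))
    print("misordered:", evaluate(MISORDERED, samples[3]))
```

The evaluator is stateless, so it has no notion of an established connection; a real filter would allow the return half of a permitted outbound flow through connection tracking rather than through a broad inbound rule. The default-deny fallthrough is the important property: a service the policy does not mention is not reachable, which is what makes an explicit allow list meaningful.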

User Control

With user control, you can decide which users are allowed to access a server. This can include people inside your network's perimeter and those outside. Regardless of where the individual is, the most common way of ensuring they—and only they—have access is to use authentication technology, such as two-factor authentication (2FA) and multi-factor authentication (MFA).

Behavior Control

Behavior control enables you to control how specific services are used. For example, you can use a firewall to limit the kinds of information on your web server that can be accessed by people from the outside. In other words, you control their behavior by limiting their options.
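Behavior control of the kind just described is usually enforced by an application-level proxy that reads the request before the web server sees it. The following is an added example, not code from the original page or from any vendor: a Python check that a proxy in front of a web server could apply. The intranet range, the published paths, and the sample requests are all assumptions constructed for illustration. External clients are limited to read-only methods on a published set of paths, while internal clients are not restricted. The point a practitioner wants to see is that the path must be canonicalized (percent-decoding repeated until stable, then dot-segment removal) before the allow list is consulted, otherwise a request such as `/public/%2e%2e/admin/users` passes a naive prefix check and reaches the administrative area.

```python
from ipaddress import ip_address, ip_network
from posixpath import normpath
from typing import Tuple
from urllib.parse import unquote, urlsplit

# Added example, not the page's or any vendor's code. The network range,
# published paths and sample requests below are assumptions.

INTERNAL = ip_network("10.0.0.0/8")            # assumed intranet

# Assumed policy for clients outside the perimeter: read-only methods, and
# only these paths are published. Everything else on the server is off-limits.
EXTERNAL_METHODS = {"GET", "HEAD"}
EXTERNAL_EXACT_PATHS = {"/api/v1/status"}
EXTERNAL_DIRECTORIES = ("/public",)


def parse_request_line(raw: bytes) -> Tuple[str, str]:
    """Return (method, request-target) from the first line of a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "strict")
    method, target, version = head.split("\r\n", 1)[0].split(" ")
    if not version.startswith("HTTP/1."):
        raise ValueError("unsupported HTTP version: " + version)
    return method, target


def canonical_path(target: str) -> str:
    """Percent-decode until stable, then collapse '.' and '..' segments.

    Decoding once is not enough: '%252e' decodes to '%2e', which a backend may
    decode again to '.', so we loop until the string stops changing.
    """
    path = urlsplit(target).path
    while True:
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = normpath(path)
    return path if path.startswith("/") else "/" + path


def decide(client_ip: str, raw: bytes) -> Tuple[str, str]:
    """Behavior control: decide whether this request may reach the web server."""
    method, target = parse_request_line(raw)
    path = canonical_path(target)
    if ip_address(client_ip) in INTERNAL:
        return "allow", "internal client: %s %s" % (method, path)
    if method not in EXTERNAL_METHODS:
        return "deny", "method %s not permitted from outside" % method
    published = path in EXTERNAL_EXACT_PATHS or any(
        path == d or path.startswith(d + "/") for d in EXTERNAL_DIRECTORIES)
    if published:
        return "allow", "external read of %s" % path
    return "deny", "%s is not published externally" % path


# Constructed sample requests (not captured traffic).
REQ_PUBLIC = b"GET /public/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REQ_TRAVERSAL = b"GET /public/%2e%2e/admin/users HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REQ_POST = b"POST /public/upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n"
REQ_ADMIN = b"GET /admin/users HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for ip, req in [("203.0.113.7", REQ_PUBLIC), ("203.0.113.7", REQ_TRAVERSAL),
                    ("203.0.113.7", REQ_POST), ("10.20.1.4", REQ_ADMIN)]:
        print(ip, req.split(b"\r\n", 1)[0].decode(), "->", decide(ip, req))
```

Note that the decision is made on the canonical path but the proxy should forward the canonical form too; forwarding the original, still-encoded target would hand the backend a string the policy never examined.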

Factors to Consider When Designing the Firewall

To ensure adequate protection for your network and devices, it is best to take a systematic approach. Some primary concerns should be the control and visibility of applications, preventing threats, ensuring high throughput, and focusing on protecting devices from remote users. Here is a more detailed description of each element:

  1. Control and visibility of applications. Consider which applications you want people within your network to be able to access as well as the visibility you need to achieve. For example, there may be some applications, such as Facebook, that may be more of a distraction than an asset. You can control access to these applications, as well as which elements of the applications users gain access to. For instance, you can prevent users from using all facets of Facebook except messaging. You can also specify which kinds of usage you need to establish visibility into. This gives you the ability to see what your users are doing while connected to your network.
  2. Preventing threats. A next-generation firewall (NGFW) not only controls which applications are being used, but it also inspects application traffic, for example with intrusion prevention and malware scanning, to catch threats carried inside otherwise permitted sessions. Depending on how you configure the firewall, you can also use it to limit the bandwidth specific applications consume.
  3. Adequate throughput. Applying filters and inspecting content can significantly reduce throughput. Datasheet figures are usually measured with inspection features off, so size the device against the throughput it sustains with the features you will actually enable (intrusion prevention, antivirus, TLS inspection) on your own traffic mix, with headroom for growth. For many small and mid-sized organizations an NGFW that sustains at least one gigabit per second with full inspection enabled is sufficient, but confirm that against measurements rather than assuming it.
  4. Focus on devices and identities. Tying policy to users and devices rather than to IP addresses alone is a stronger way of protecting your network. An IP address is a weak identifier: addresses change with DHCP and roaming, and an attacker who controls a host with an approved address inherits its permissions. An NGFW that integrates with your directory can map traffic to the user and device behind it, so when you detect malicious activity you can identify the device by the user logged on to it and block it from the network.
  5. Beware of remote users. Whether your organization uses remote employees who work from home or a co-working space, if they connect insecurely, they can present a significant threat. A next-generation firewall can require users to authenticate before granting access, and you can use it to terminate a virtual private network (VPN), which creates a secure tunnel through which remote users reach your network. This way, even if they use less secure, public networks, their communications are encrypted, protecting both you and them.

Firewall Design Guidelines

To design an effective firewall, you need to develop a security policy and a simple design solution, ensure devices are used correctly, set up a layered defense, and address internal threats.

Develop a Security Policy

Developing a security policy is one of the most important steps you can take as you strategize your firewall setup. These are the policies that will drive your decisions, so be specific as opposed to general when crafting them. Consider the following as you design your policies:

  1. Resources that need to be accessed by external and internal users
  2. The various vulnerabilities that these resources may present
  3. What you can do to protect these resources and the tools you can use
  4. A comparison of the costs involved when using different tools to safeguard different resources

Simple Design Solution

As is the case with many technologies, it can be tempting to simply throw a bunch of solutions at a problem, hoping this kind of shotgun approach will prevent potential issues. However, it is best to systematically evaluate what you need to protect and the best tools for protecting it, keeping in mind that less is often more.

For example, an NGFW should typically be used to the full extent of its capabilities instead of combining multiple devices to perform what can be accomplished with one unit.

Using Devices Correctly

Similar to how you will not use a screwdriver to bang in a nail, you do not want to use network devices for purposes that they can maybe accomplish but are not designed for. For example, while it may be possible to use a Layer 3 switch to filter traffic with access control lists, it is designed to forward traffic, separate collision domains, and manage bandwidth, not to enforce a security policy.

Using a combination of configurations on your switch as well as the devices that connect to it may protect you—temporarily—from some threats. However, as devices and other network factors change, your system can be exposed to a variety of different threats. It is best to address security issues with security-specific devices.

A Layered Defense

A layered defense is often more effective than using only one line of defense. With multiple layers in place, if the first layer gets compromised, those after it may be able to catch the threat. To take advantage of this strategy, carefully think about how you will configure each layer.

Solutions to Internal Threats

It is often easier to access sensitive data and systems from within an organization than from outside. Many IT administrators make the mistake of focusing solely on external threats and trusting everyone inside the perimeter. But because people inside often have too much access to too many components, they frequently present a far more dangerous threat. You may want to consider implementing policies such as:

  1. Least privilege
  2. Multi-factor authentication
  3. Time-based privileges, which limit when users can use certain services

How Fortinet Can Help

With a FortiGate Next-generation firewall (NGFW), you gain full control over what users and devices are allowed to access, thanks to integration with FortiOS. The FortiGate NGFW also provides faster processing because it features dedicated security processing units whose sole job is to protect your network. 

You also get the most recent threat intelligence powered by FortiGuard, ensuring you are shielded from a wide range of new and old threats. Machine learning capabilities enable the FortiGate NGFW to detect threats based on their behavior, not just their signatures, which helps it catch zero-day attacks that no signature yet covers.

FAQs

What are the design goals of a firewall?

Firewalls are designed to protect your network from threats, as well as prevent malicious actors from using resources inside your network to launch attacks.

How many techniques are in firewall control design?

While there are a number of techniques, there are four primary approaches: service control, direction control, user control, and behavior control.

What is firewall design?

Firewall design is the process of deciding which digital assets and resources you need to protect, what your available firewalls are capable of, and how to position and configure them. The design process also includes ensuring you have adequate throughput so core business processes are not interrupted by your firewall.