Why Your Port-Based Firewall is Putting Your Network at Risk
No matter what the industry, IT professionals know that having the right defense (network security infrastructure) is just as important as or possibly more important than any other element in their entire system.
Since the beginning, port-based firewalls have been at the center of nearly every IT manager’s network security strategy. Today, however, things have changed.
Applications and mobile devices dominate the landscape today; they bring with them many advantages both to our personal and business lives, but they also create new challenges for IT staff such as:
- New cyber security threats
- Data compromise risks
- Compliance issues
Yes, port-based firewalls are relatively inexpensive, simple to operate and maintain, have decent throughput, and have been the old standard for nearly 20 years.
However, the reality is that these types of firewalls and their variations are simply not positioned to handle the current and emerging challenges of today effectively.
Some might even consider this technology a relic of the dark ages.
To help explain why legacy (port-based) firewalls are inadequate for today’s network security challenges, we’ve put together a short list of reasons it might be time to update your port-based firewall solution.
1 Limited Control
Port-based firewalls are ancient in many ways and in most cases are simplistic in their approach: all or nothing, or in this case allow or block.
Legacy firewalls of this type use the source and destination IP addresses together with the TCP/UDP port numbers to decide whether a packet should be allowed to pass between networks or between different parts of your network. They scan the first few bytes of the TCP or UDP header and infer the application protocol from the port, e.g. SMTP on port 25 and HTTP on port 80.
If you like Game of Thrones (and I’m sure most people do), think of it like the drawbridge on a castle, for instance the castle at Riverrun: it’s either up to keep the Lannisters out (block) or down to let the Starks in (allow), and that’s it. This is not a very effective way to control access.
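To make the drawbridge concrete, here is an added example (not code from the original post or from SecurEdge) of a port-based policy evaluated against two constructed flows to the same destination port; it shows that header fields alone cannot tell a real HTTP request from arbitrary bytes sent to port 80, and that even a crude look at the payload can. The policy, addresses and payloads are all made up for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str            # "allow" or "block"
    src: str               # source network (CIDR)
    dst: str               # destination network (CIDR)
    proto: str             # "tcp" or "udp"
    dport: Optional[int]   # destination port; None matches any port

# Constructed policy: inside hosts (10.0.0.0/8) may reach anything on 80/443 only.
POLICY = [
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "tcp", 80),
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443),
    Rule("block", "0.0.0.0/0", "0.0.0.0/0", "tcp", None),  # default deny
]

def port_based_decision(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """First matching rule wins; only IP/port header fields are consulted."""
    for r in POLICY:
        if (ip_address(src_ip) in ip_network(r.src)
                and ip_address(dst_ip) in ip_network(r.dst)
                and proto == r.proto
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "block"

def identify_application(payload: bytes) -> str:
    """Rough application check: does the first payload line look like an HTTP request?"""
    first_line = payload.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    methods = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE"}
    if len(parts) == 3 and parts[0] in methods and parts[2].startswith(b"HTTP/"):
        return "http"
    return "unknown"

# Constructed sample flows: identical 5-tuple shape, different payloads.
FLOWS = {
    "browser":  ("10.1.2.3", "203.0.113.10", "tcp", 80,
                 b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "non_http": ("10.1.2.3", "203.0.113.10", "tcp", 80,
                 b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),   # arbitrary non-HTTP bytes
}

def evaluate(name: str):
    """Return (port-based verdict, application seen in payload) for a sample flow."""
    src, dst, proto, dport, payload = FLOWS[name]
    return port_based_decision(src, dst, proto, dport), identify_application(payload)
```

Both flows get the same "allow" from the port-based policy; only the payload check distinguishes the browser session from the non-HTTP traffic riding on port 80.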
2 Not Everyone Plays by the Rules on the Internet
The majority of traffic on our networks today comes from the internet; however, it is not only web traffic.
Organizations are dealing with newer, more sophisticated applications both for our daily lives and for business operations. While many of these applications do make us more productive and increase our efficiency, they also consume a lot of bandwidth and in many cases can increase your risk of a data leak or compliance issue.
One of the biggest problems with newer applications today is that they incorporate a lot of new methods to avoid traditional port-based firewalls such as port hopping and tunneling.
The Band-Aid to this flaw when using port-based firewalls has been to incorporate other systems to help compensate.
Often this means adding intrusion prevention systems, URL filtering, proxies and other expensive and complex systems. Unfortunately, today’s application and threat landscape has made this approach not only costly but largely ineffective as well.
3 Data Compromise
Data loss prevention is sometimes considered a viable solution; however, because of the size and usually distributed make-up of many businesses’ data, it’s almost impossible to figure out where your sensitive data is located and who owns it.
Did you know that the firewall is in the perfect position to see everything that is accessing your network or parts of your network? Whether the traffic crosses between inside and outside, or between internal users and internal resources in the data center, the firewall is the natural place to support this task.
Here’s the deal though: port- and protocol-based firewalls are blind to your applications, users, and content. This makes it impossible to control the applications used to compromise data, whether directly or as part of a larger system.
It’s critical that you can control all of your applications and the movement of your sensitive or private data across your network; doing so could prevent your business from ending up in the news for another catastrophic data breach. Just remember, port-based firewalls can’t provide this type of functionality; only a next-generation firewall can.
Compliance and security regulations such as HIPAA, FISMA, or FINRA are adding constant pressure on IT teams to make sure their data protection and network security strategies are up to date and successful.
The cost of a data breach is enormous, and even more so when you consider the damage to your business’s reputation and what it might cost the individual victims.
It’s important to remember that security and compliance, while definitely related, are not the same thing.
The challenges posed by today’s cyber threats and mobile/application-based environments require that your firewall be able to track and precisely control all of your applications, while at the same time having complete visibility and control over all of the traffic flowing in and out of your network.
Again, the problem is that port-based firewalls simply don’t have the proper capabilities to meet these requirements today.
At SecurEdge, we deliver affordable, robust, and secure wireless platforms – it’s all we do. If you have any questions about implementing a next-generation firewall solution or would like to discuss an upcoming project, please contact us here.
Danny is the Marketing Manager at SecurEdge Networks. This basically means it’s his mission in life to make sure you have the secure mobility tools and resources that you actually want and can use. P.S. He also loves a good craft beer.