Invitation to Cybersecurity

8. The Means of Cybersecurity: Access Control

8.2.4 Firewalls

In computer networks, authorization is enforced by firewalls. As we saw in Chapter 5, a firewall is a software application or hardware appliance that allows or denies network traffic based on a set of rules. Firewalls act as a gatekeeper, inspecting all incoming and outbound traffic. Rules are created to either allow or deny packets based on their contents. Different types of firewalls inspect packets at different levels.

A packet filter firewall focuses only on metadata in the TCP and IP headers of individual packets. For example, certain source IP addresses or destination TCP ports could be blocked.

A stateful firewall maintains a memory of inbound and outbound packets for a window of time and uses that context to determine a packet’s fate. For example, if a computer from inside the network initiates a connection outside the network, the firewall might permit the response packet to come back into the network. However, if an outside computer tries to initiate a connection to a computer inside the network unsolicited, the firewall might block it.

An application firewall inspects not only packet metadata, but also the payload of packets. The payload of a packet is the application layer data that it carries. By inspecting the payload, an application firewall can scan incoming packets for dangerous executables and other malware and prevent them from coming into the network. These types of firewalls can also scan for sensitive and proprietary information in outbound packets and block them from leaving the network. This practice is known as data loss prevention and can help prevent a data leak.

Firewalls are installed on network appliances such as routers and also on endpoints. Endpoints are the computers, smartphones, and other devices on the network. Windows computers come configured with Windows Defender Firewall (see Figure 8.9).
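To make the three inspection levels concrete, here is a small simulated firewall, added as a teaching example rather than code from the book. It models a packet filter that sees only header fields, a stateful layer that remembers connections opened from inside so that only their replies are admitted, and an application-layer check that looks at the payload. The protected network (10.0.0.0/8), the blocked source range, the blocked port, the "MZ" executable check, and the CONFIDENTIAL marker used for data loss prevention are all constructed policy for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy for this example: the protected network and the
# "known bad" source range are assumptions, not real infrastructure.
INTERNAL_NET = ip_network("10.0.0.0/8")
HEADER_DENY_RULES = [
    # (direction, source network or None, destination port or None)
    ("in", ip_network("203.0.113.0/24"), None),  # deny a whole source range
    ("in", None, 23),                            # deny inbound telnet
]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""

    @property
    def direction(self):
        """'out' if the packet originates inside the protected network, else 'in'."""
        return "out" if ip_address(self.src_ip) in INTERNAL_NET else "in"


def packet_filter(pkt):
    """Stateless filter: decides from the headers of one packet in isolation."""
    for direction, src_net, dst_port in HEADER_DENY_RULES:
        if direction != pkt.direction:
            continue
        if src_net is not None and ip_address(pkt.src_ip) not in src_net:
            continue
        if dst_port is not None and pkt.dst_port != dst_port:
            continue
        return "deny"
    # Anything not explicitly denied passes, including unsolicited inbound
    # connections to ports the rules never mention.
    return "allow"


class StatefulFirewall:
    """Remembers connections opened from inside so only their replies come back."""

    def __init__(self, window=10):
        self.window = window   # packets a session stays valid without traffic
        self.sessions = {}     # (int_ip, int_port, ext_ip, ext_port) -> last-seen tick
        self.tick = 0

    def _key(self, pkt):
        # Normalise both directions of one conversation to the same key.
        if pkt.direction == "out":
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def decide(self, pkt):
        self.tick += 1
        if packet_filter(pkt) == "deny":        # header rules still apply first
            return "deny"
        key = self._key(pkt)
        if pkt.direction == "out":
            self.sessions[key] = self.tick      # inside initiated this conversation
            return "allow"
        last_seen = self.sessions.get(key)
        if last_seen is None or self.tick - last_seen > self.window:
            self.sessions.pop(key, None)        # unknown or stale: unsolicited inbound
            return "deny"
        self.sessions[key] = self.tick          # a reply to an open session
        return "allow"


def application_firewall(pkt):
    """Payload inspection layered on top of the header rules."""
    if packet_filter(pkt) == "deny":
        return "deny"
    if pkt.direction == "in" and pkt.payload.startswith(b"MZ"):
        return "deny"   # MZ is the magic number of Windows executables
    if pkt.direction == "out" and b"CONFIDENTIAL" in pkt.payload:
        return "deny"   # constructed data-loss-prevention marker
    return "allow"


if __name__ == "__main__":
    fw = StatefulFirewall()
    request = Packet("10.0.0.5", 40000, "198.51.100.7", 443, b"GET / HTTP/1.1")
    reply = Packet("198.51.100.7", 443, "10.0.0.5", 40000, b"HTTP/1.1 200 OK")
    unsolicited = Packet("198.51.100.9", 5555, "10.0.0.5", 22)
    for name, pkt in [("request", request), ("reply", reply), ("unsolicited", unsolicited)]:
        print(name, "packet filter:", packet_filter(pkt), "stateful:", fw.decide(pkt))
```

Run the block to see the difference between the layers: the packet filter lets the unsolicited inbound connection to port 22 through because no header rule names it, while the stateful firewall denies it because nothing inside ever opened that conversation.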
The Windows firewall can be configured to block applications from communicating over the network. Firewalls can also block access to websites, preventing users from visiting them. If a user tries to visit a blocked website, they may see a generic HTTP 404 “Page Not Found” error or a message from the firewall informing the user that the site was blocked.

There are two main approaches to blocking websites: whitelists and blacklists. A whitelist is a list of explicitly approved resources. Any resource not on the list is denied. This approach is highly restrictive because, by default, all websites are blocked. A website must be explicitly allowed in order for a user to visit it. Whitelists prioritize security over costs. They ensure a high degree of security because websites are vetted and approved before being added to the whitelist. They come with a cost, however, because it is difficult to maintain a whitelist and make sure that all the websites a user needs are available. There are many websites, with new ones coming online every day, and users may need access to different websites across time in order to do their jobs. If they need access to a website that is not on the whitelist, then the user must wait for the site to be vetted and approved before he is able to visit it, reducing his productivity.
