Network security plays a critical role in protecting networks from unauthorized intrusion and data breaches. According to Ponemon Institute research, the average cost of a single network attack in 2022 was $5 million, with $1.25 million attributed to enforced employee downtime owing to compromised systems.
Encryption, Zero Trust and network segmentation are increasingly adopted by tech giants and newer organizations alike; they improve security through deliberate design of the network architecture. However, some traditional methods still come in handy: verifying that your network is accessed properly, limiting even authorized access so that no high-risk requests reach remote servers, and triggering alerts when anomalous activity is identified.
Setting up a firewall for a cloud resource in your infrastructure involves careful setup of security rules, access controls and network zones to regulate traffic and protect against cyber threats. There are different ways to set up a firewall, and the right one depends on the use case and the kind of resource in question. The following are a few ways you can enable a firewall on an AWS resource:
Security groups on AWS can act as virtual firewalls for your EC2 instances to control inbound and outbound traffic.
Steps to set up a security group on AWS—
This will set up the virtual firewall on your EC2 instance.
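As an added example (not code from the original article), the script below plans the AWS CLI calls that create a security group and its inbound rules, and refuses any rule that would open an administrative port (SSH 22, RDP 3389) to the whole internet, which is the most common security-group mistake. The VPC id, group name and admin CIDR are placeholder assumptions; the commands are printed as a plan so they can be reviewed before being run.

```shell
#!/bin/sh
# Added example: plan the AWS CLI calls for a minimal security group and
# refuse rules that expose an admin port to 0.0.0.0/0 or ::/0.
# Placeholders (assumptions, not values from the article):
VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.10/32}"   # constructed, TEST-NET-3 documentation range
SG_NAME="${SG_NAME:-web-tier-sg}"

# sg_rule_is_safe PORT CIDR
# Returns 0 when the rule is acceptable, 1 when it opens SSH or RDP to everyone.
sg_rule_is_safe() {
  port="$1"; cidr="$2"
  case "$port" in
    22|3389)
      case "$cidr" in
        0.0.0.0/0|::/0) return 1 ;;
      esac ;;
  esac
  return 0
}

# sg_ingress_cmd PORT CIDR: print the CLI command for one TCP ingress rule.
# "$SG_ID" is left unexpanded on purpose; it is set by the create command in the plan.
sg_ingress_cmd() {
  printf 'aws ec2 authorize-security-group-ingress --group-id "$SG_ID" --protocol tcp --port %s --cidr %s\n' "$1" "$2"
}

# sg_plan RULE...: each RULE is PORT:CIDR. Prints the full plan, or prints
# nothing and returns 1 if any rule fails the safety check.
sg_plan() {
  for rule in "$@"; do
    port="${rule%%:*}"; cidr="${rule#*:}"
    sg_rule_is_safe "$port" "$cidr" || { echo "refusing: port $port open to $cidr" >&2; return 1; }
  done
  printf 'SG_ID=$(aws ec2 create-security-group --group-name %s --description "web tier" --vpc-id %s --query GroupId --output text)\n' "$SG_NAME" "$VPC_ID"
  for rule in "$@"; do
    sg_ingress_cmd "${rule%%:*}" "${rule#*:}"
  done
}

# Usage: web ports open to everyone, SSH only from the admin range.
sg_plan 80:0.0.0.0/0 443:0.0.0.0/0 "22:$ADMIN_CIDR"
```

Security groups are stateful, so no egress rule is needed for replies to the inbound connections above; the default outbound rule still allows all traffic out, which is worth tightening separately for anything other than a public web tier.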
firewalld on EC2 Instances
firewalld is a dynamic firewall management tool for Linux based servers.
Steps to set up a dynamic firewall using firewalld are as follows:
1. Install firewalld using the package manager (e.g., sudo apt install firewalld).
2. Start and enable the service: sudo systemctl start firewalld and sudo systemctl enable firewalld.
3. Add rules with firewall-cmd, e.g., sudo firewall-cmd --permanent --add-port=80/tcp.
4. Reload the configuration so the permanent rules take effect: sudo firewall-cmd --reload.
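The steps above as one script, added here as an example rather than taken from the article: it opens the web ports to any source, but replaces the default ssh service allowance with a rich rule that admits SSH only from an admin CIDR. The admin CIDR is a placeholder assumption, and the script prints the commands by default (DRY_RUN=1) so the plan can be reviewed before running it with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the article): firewalld setup for an EC2 host that
# serves HTTP/HTTPS to everyone but accepts SSH only from one admin range.
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.10/32}"   # constructed placeholder, TEST-NET-3 range
DRY_RUN="${DRY_RUN:-1}"                        # 1 = print the commands, 0 = execute them

# run CMD...: execute the command, or print it in dry-run mode.
# (Dry-run output joins arguments with spaces and does not re-quote them.)
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# firewalld_plan: the article's ordered steps, plus the SSH source restriction.
firewalld_plan() {
  run sudo apt install -y firewalld
  run sudo systemctl enable --now firewalld
  # web ports open to any source; --permanent survives reboots and reloads
  run sudo firewall-cmd --permanent --add-port=80/tcp
  run sudo firewall-cmd --permanent --add-port=443/tcp
  # drop the default ssh service allowance in the active zone...
  run sudo firewall-cmd --permanent --remove-service=ssh
  # ...and re-allow SSH only from the admin range via a rich rule
  run sudo firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=$ADMIN_CIDR service name=ssh accept"
  # reload so the permanent rules become the runtime rules, then show the result
  run sudo firewall-cmd --reload
  run sudo firewall-cmd --list-all
}

# firewalld_plan_has PATTERN: does the dry-run plan contain a line matching PATTERN?
firewalld_plan_has() { ( DRY_RUN=1; firewalld_plan ) | grep -q -- "$1"; }

firewalld_plan
```

Removing the ssh service before adding the rich rule matters: firewalld evaluates rich rules alongside the zone's services, so leaving the ssh service in place would keep port 22 open to every source regardless of the rich rule.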
iptables on EC2 Instances
iptables is a command-line firewall utility for Linux.
Steps to set up iptables are as follows:
1. Ensure iptables is installed (it is usually pre-installed on most Linux distributions).
2. Add rules with the iptables command, e.g., sudo iptables -A INPUT -p tcp -s <your_ip_address> --dport 22 -j ACCEPT. This command will accept requests to port 22 from your_ip_address only and reject all other requests.
3. Save the rules so they persist across reboots (e.g., sudo service iptables save).
The aforementioned are only a few ways you can provide firewall security to your cloud resources. In addition, or as an alternative, you can also make use of AWS Network Firewall or AWS Web Application Firewall (WAF) for enhanced security.
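Returning to the iptables steps above: an ACCEPT rule on its own only permits matching traffic; what rejects everything else is the chain's default policy (or a trailing DROP rule). The added example below, which is not code from the article, generates a complete INPUT chain in iptables-restore format with a DROP default policy, keeps established connections and loopback working so that loading it over SSH does not lock you out, and restricts port 22 to a single admin address. The admin address and the persistence path are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not from the article): a complete INPUT chain for iptables-restore,
# so the "only my IP may reach port 22" intent actually holds.
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # constructed placeholder, TEST-NET-3 range

# iptables_ruleset: print the ruleset; pipe it into `sudo iptables-restore`.
# iptables-restore ignores lines that start with '#', so the comments are safe.
iptables_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# keep replies to connections the host itself started (package updates, etc.)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# discard packets that do not belong to any known connection
-A INPUT -m conntrack --ctstate INVALID -j DROP
# the article's rule: SSH only from the admin address
-A INPUT -p tcp -s $ADMIN_IP/32 --dport 22 -j ACCEPT
# public web service
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# rate-limited log of whatever the DROP policy is about to discard (detection input)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# iptables_ruleset_has PATTERN: grep the generated ruleset (used for checks below)
iptables_ruleset_has() { iptables_ruleset | grep -q -- "$1"; }

# iptables_apply: load the whole table atomically, then persist it.
# The save path is the Debian/Ubuntu iptables-persistent location; on
# RHEL-style systems use `sudo service iptables save` as the article shows.
iptables_apply() {
  iptables_ruleset | sudo iptables-restore
  sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
}

iptables_ruleset
```

Loading with iptables-restore replaces the filter table in one step, which avoids the window that a sequence of individual `iptables -A` commands leaves between setting the DROP policy and adding the ESTABLISHED rule.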
VPNs are ubiquitous and easy to use. However, when setting up a VPN for your organization, there are technical considerations to weigh that might directly affect employee productivity.
Based on your business considerations like the access type (on-prem or remote), usage type (limiting external access or connecting internal network nodes), etc., one type of VPN offering or setup might suit you better than another. Here are a few types of VPNs available to choose from:
A remote access VPN allows individual users to connect to the organization’s network from remote locations. This VPN type is ideal for remote workers or employees whose job requires them to travel frequently. Of course, the location of the VPN server/gateway will define the latency of the VPN itself.
A Site-to-Site VPN connects entire networks to each other, such as linking branch offices to the main office. This setup is useful for organizations with multiple locations. With a Site-to-Site VPN, employees can then securely access other resources in the network, across branches. This VPN can be configured (using firewalls) to not allow any external traffic that is not included in the internal network of resources.
A Cloud VPN leverages cloud infrastructure to provide secure connections. This type is suitable for organizations that use cloud services extensively. A Cloud VPN can be configured to restrict or allow access to certain IPs, and to monitor access patterns to detect anomalous activity for faster response in case of an incident. Unlike other VPNs, Cloud VPNs are the easiest to set up and use, through cloud-based user platforms.
For smaller organizations, before transitioning to a more sophisticated cybersecurity platform for managing their security, it makes sense to use traditional security measures to properly secure their infrastructure. Firewalls and VPNs are two effective security measures toward that end. Firewalls, VPNs or both might be required on a case-by-case basis.
A private network can combine a firewall that only admits traffic from a single IP address with a VPN that routes users’ requests through that IP. Users subscribed to the VPN can then reach the restricted private network from anywhere in the world.