How Network Firewalls Promote Open Source Security (by Gilad David Maayan)
Updated: Jun 22
What Is a Firewall?
A network firewall is a firmware or software that monitors traffic and prevents unauthorized access to a network. It uses predetermined rules when inspecting incoming and outgoing traffic to identify and block threats.
Firewalls are an essential part of network security in the client-server model, which is the central architecture of modern computing. They are installed on personal devices and enterprise networks and built-into Windows, Linux, and Mac computers.
What Is a Next-Generation Firewall (NGFW)?
A next-generation firewall (NGFW) enforces security policies at the port, protocol, and application levels that enable it to detect and block sophisticated attacks. NGFWs provide additional context to the firewall's decision-making process, equipping the firewall with the ability to understand web application traffic in detail as it passes and take action to block suspicious traffic.
Common NGFW features include application and identity awareness, bridged and routed modes, integrated intrusion prevention systems (IPS), and connectivity with external intelligence sources.
Open Source Security Risks
Open source is used in a majority of enterprise software projects and applications. It creates amazing efficiencies, but also represents new risks for organizations. Here are some of the major risks that raise the need for robust open source security.
Vulnerabilities Are Public Knowledge
Once open source contributors discover vulnerabilities, they disclose the information to the public. In addition to contributors, other organizations make information about vulnerabilities publicly available, such as the National Vulnerability Database (NVD) and the Open Web Application Security Project (OWASP).
The main challenge here is that not only users of the open source components learn about the vulnerabilities but also threat actors. Developers and organizations who are part of the project’s community get advanced warnings before the vulnerability is made public to NVD and OWASP. The rest learn about it when it’s publicly disclosed, and need to quickly update to a parched version before threat actors can exploit the vulnerability.
Open source components can cause various operational inefficiencies that introduce significant risk. For example, failure to track open source components during automated software deployments can cause critical security issues, because organizations may not be aware they are deploying vulnerable components into production systems.
In some cases, open source components are safe at the time of deployment, but zero day vulnerabilities are discovered later and attackers may strike before the organization can update its libraries.
You can address this issue by keeping an inventory of all open source components across the entire pipeline. An inventory introduces visibility and transparency. You can use it with a policy that defines open source usage and employ software composition analysis tools to enforce this policy automatically.
In addition to monitoring components for updates, you should also keep an eye on the entire project. Some projects begin with an active community but eventually become inactive as there is no one to update them. Using these projects as libraries or frameworks requires more work as you need to fix any future vulnerabilities and take responsibility because there are no community contributors to release patches.
Lack of Integrity
Open source projects typically do not provide warranties that guarantee security, content, or support. This is because open source projects are supported by volunteers, who can stop work on the project at any time. These volunteers are also the ones who evaluate the software for any security issues and offer support through forums—but this is all voluntary work, and they are not obligated to continue it indefinitely. They are also not held liable for faulty guidance.
Another challenge is that anyone can contribute to the project, which means contributors are not required to reveal their real identities. As a result, it can be difficult to verify that the contributed code is original and not taken from a certain third-party source with established intellectual property (IP) rights. If you use open source components that are found to contain code with infringed rights, you can be accused of infringement.
How NGFW Can Prevent Open Source Vulnerabilities
When attackers exploit open source vulnerabilities, they almost always do so by transmitting malicious payloads over a network. This could be malware that attackers attempt to deploy on the network, or command and control (C&C) communications performed by malware already running inside the network. NGFW can help by identifying these communications and blocking them.
All data transmitted over the Internet or other network is segmented into small pieces known as packets. These packets contain all content coming into the network. The network firewall inspects the packets and allows or blocks them to stop the entrance of malicious content (such as malware attacks) into the network. Every firewall has packet filtering capabilities.
Packet filtering involves examining each packet's source and destination IP addresses, protocols, and ports. That is, the firewall investigates each packet's origin, destination, and transmission method and allows or blocks packets based on this information. This approach filters out suspicious packets.
NGFW uses an improved version of packet filtering called deep packet inspection (DPI). Like packet filtering, DPI examines each packet's source and destination ports, IP addresses, etc. The packet contains all this information in the Layer 3 and 4 headers.
However, DPI also examines each packet's body, inspecting it for threat indicators like malware signatures and comparing the packet's contents with known malicious packets.
The DPI feature of NGFW usually includes intrusion prevention capabilities, often in the form of an Intrusion Prevention System (IPS). These analyze incoming traffic, identify potential and known threats, and block confirmed threats.
IPS can detect threats using a variety of methods, including:
Signature detection—retrieves information from incoming packets and compares them to known threats.
Statistical anomaly detection—scans traffic to detect abnormal behavioral changes.
Stateful protocol analysis detection—scans traffic (like statistical anomaly detection) but focuses on the network protocol used and compares it to the normal protocol usage.
Threat intelligence is actionable information about potential exploits. Up-to-date threat intelligence is critical to stopping advanced attacks, given the ever-changing attack methods and malware types. NGFW receives and responds to feeds from external threat intelligence sources.
Threat Intelligence provides up-to-date malware signatures to maintain IPS signature detection effectively. It can also provide insights into an IP's reputation, identifying IP addresses associated with frequent attacks, especially bot attacks. IP reputation feeds provide information on the current known malicious IP addresses, enabling the NGFW to block them.
In this article, I explained the basics of open source security and showed how NGFW can help promote a safer open source ecosystem. When organizations deploy NGFW, they have a robust way to intercept and block malicious communication, both inbound and outbound on their networks. This can be a critical defense against many exploits of open source vulnerabilities. As soon as attackers attempt to send malware over the network or communicate with C&C servers, the NFGW can identify and block these communications.
Network-level protection is an important line of defense against open source vulnerabilities, but is not enough. There is no replacement for scanning open source components, detecting vulnerabilities, and remediating them as a preventive measure. By combining preventive measures with a last line of defense at the network layer, organizations can ensure they have robust protection against open source security threats.