```
---
# Firewalls

## Used to secure devices from outside access

* Enforces an access control policy between two networks
* Two designs: restrict _bad traffic_ or permit _good traffic_
* Designed to operate at different layers of the network stack

--

## Can influence traffic going out as well

* e.g. [Great Firewall of China](http://www.greatfirewallofchina.org/)
* We are primarily concerned with inbound traffic

--

## Can be standalone hardware devices or software

* Often included in a multi-purpose device, e.g. a switch or load balancer

---
# When to use a Firewall

* Use firewalls only when they significantly reduce risk
* Employ firewalls to protect sensitive data
  * Critical personally identifiable information
  * PCI compliance
* Firewalls should be treated like perimeter security
  * Like the locks on your house
* Consider the value of what you are protecting and the cost to firewall it
  * Like your house, there are some things that are not worth protecting (can you think of examples?)

---
# Firewall Use

* Firewalls are often overused.

> Failed firewalls are the #2 driver of site downtime after failed databases
>
> Scalability Rules, by Martin Abbott

* Can create a difficult-to-scale choke point for either network traffic or transaction volume
* May have an impact on availability
  * DDoS attacks on session state memory

---
# Common Firewalls

## Software

* Included with operating systems (ipfw)
* Can also buy standalone

## Hardware

* Cisco ASA, Citrix AppFirewall, F5 AFM

## EC2 Security Groups

* Allow specific protocols and ports to access the server
* Can restrict machines to only accept traffic from the Elastic Load Balancer

A typical large-scale web service will use both hardware and software firewalls
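The EC2 Security Groups slide describes a "permit good traffic" design in which a web server accepts traffic only from the load balancer. The following added example (not part of the slides) models how security-group ingress rules are evaluated: default deny, match on protocol and port range, and a rule source that is either a CIDR block or a reference to another security group. The group id, addresses and rules are constructed for illustration.

```python
# Added example (not from the slides): a model of how EC2 security-group ingress
# rules are evaluated. A security group is an allowlist ("permit good traffic"):
# a packet is dropped unless some rule matches it. A rule's source may be a CIDR
# block or another security group, which is how the web tier is restricted to
# traffic that arrives only via the Elastic Load Balancer. IDs are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int
    to_port: int
    source: str      # CIDR such as "10.10.0.0/24" or a security-group id

@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: int
    src_ip: str
    src_sg: Optional[str] = None  # security group of the sending interface


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "-1":
        if rule.protocol != pkt.protocol:
            return False
        if not rule.from_port <= pkt.dst_port <= rule.to_port:
            return False
    if rule.source.startswith("sg-"):
        return pkt.src_sg == rule.source  # group reference, not an address match
    return ip_address(pkt.src_ip) in ip_network(rule.source)

def ingress_allowed(rules: List[Rule], pkt: Packet) -> bool:
    # Default deny: admit the packet only if some rule permits it.
    return any(rule_matches(r, pkt) for r in rules)


# Constructed web-tier policy: HTTP only from the load balancer's group,
# SSH only from an administrative subnet; everything else is dropped.
ELB_SG = "sg-0000elb0example"
WEB_TIER_RULES = [Rule("tcp", 80, 80, ELB_SG), Rule("tcp", 22, 22, "10.10.0.0/24")]

if __name__ == "__main__":
    via_elb = Packet("tcp", 80, "10.0.1.25", src_sg=ELB_SG)
    direct = Packet("tcp", 80, "203.0.113.9")
    print(ingress_allowed(WEB_TIER_RULES, via_elb), ingress_allowed(WEB_TIER_RULES, direct))
```

Because the HTTP rule names the load balancer's group rather than an address range, a request that reaches the instance directly from the internet is dropped even on the open port.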