I started writing this article late last week or earlier this week, but some unknown issue happened (gotta love driver issues). The point of this article is to cover the benefits and costs of both passive and restrictive firewalls. When I first got into I.T. security I always thought restrictive firewalls were the most secure (which they are), and that passive firewalls were completely pointless. However, over the years (and learning) I have found that they both really serve purposes, and just depends on what you are wanting the firewall to protect.The only note I can really stress prior is that this article is based on software firewalls (iptables to be specific), although they still apply to hardware (and non-iptables) firewalls as well to one extent or another. Its just that I do not have enough experience to really critique hardware firewalls enough extensively.
In the shortest sense, passive firewalls are like locking your car door but leaving the car keys laying right next to the car. It adds security, but its essentially nonsensical to rely on JUST the firewall as it doesn’t block anything. Passive firewalls serve to main purposes from what I’ve found:
- Port-forwarding to either another device or other chain (i.e.: NAT table)
- Is behind a restrictive firewall
The first point is pretty self-explanatory, and to an extent the second one is as well. However, with the second one, the only real reason I can see there being a firewall even in this scenario is to see what other (read: unexpected access requests to) ports are made on the network. In a strange twist of events you can also view this as a honey pot of sorts, but not a very robust one.
Passive firewalls have a great purpose in the form of testing network connectivity. For example if you’re experiencing dropped connections using a restrictive firewall, you can make it a restrictive firewall and see if its a port issue (or even a rule issue with conditions). On a personal level I always start with a passive firewall because (at least with iptables) it is very easy to make it a restrictive firewall.
This type of firewall is similar to placing Robocop in front of your locked car to oh-so politely stop those pesky car thieves. I personally favor restrictive firewalls but they are also not without their faults.
Restrictive firewalls of course offer a stronger sense of security. I say “sense” because if old or improper rules are in place, security breaches are still very possible due to the firewall. Another aspect to consider, if you are ever thinking of starting your own eCommerce website, is that if you decide to store sensitive information (like credit card numbers), PCI compliance requires you to have a restrictive firewall put in place.
There’s not a whole lot to cover about restrictive firewalls, however, given that they are the polar opposite of a passive firewall.
Network Bandwidth Differences
To put it shortly, passive firewalls are not for high-trafficed networks. Passive firewalls allow all of the traffic to pass through the firewall’s NIC(s), which increases bandwidth. This has been a major concern for me in staying with a passive firewall (among some other, network-related issues). Restrictive firewalls, while they do receive all the incoming traffic, drops any packets that are not in the rule set, possibly severely reducing the bandwidth on the network due to the reduction of packet transmissions going out.
Depending on how your network is set up, how you want it set up, and where security is of major concern its your choice as to whether you use a passive or restrictive firewall. Personally I prefer using restrictive in my set ups as it adds a more in-depth layer to security. Is it bypassable? What isn’t these days.