Are you trying to improve the cybersecurity of your SMB and trying to figure out which security controls you actually need?
Then you’ll love today’s post.
Because I am going to break down a misunderstanding that some people have.
We’re going to talk about firewalls vs antivirus.
And which do you actually need.
Before we get into the details, let’s go ahead and answer this question:
Are firewalls and antivirus the same thing?
The short answer is, no. These controls have very different purposes. Firewalls are designed to regulate the network traffic flowing into and out of a device. Antivirus, on the other hand, looks at all of the files present on the device (or interacting with the device like websites) to check for malicious intent. They find malware.
What exactly do firewalls and antivirus do?
To understand the different roles performed by antivirus vs firewalls, you need to understand what exactly each one does.
Let’s talk about it.
Let’s get a little backstory on firewalls.
You up to it?
The term firewall is much older than computers.
It actually can be traced back to the 1850s.
You’ve probably seen the images of old row houses, right?
One right next to the other.
Builders realized fairly quickly that there was a huge risk of fire spreading from one building to the next very easily and quickly.
So they started building special walls between them.
The walls were built to stop fires from spreading between the buildings.
And that is precisely what computer firewalls do – regulate traffic between devices.
Firewalls are like border guards.
When traffic comes to the firewall, the firewall inspects it for certain characteristics.
Different types of firewalls check for different characteristics.
For simplicity, we’ll use a port-based firewall.
When the firewall gets a packet that is the FTP type, for example, it looks at the rule list to see if it is allowed.
The firewall works through the list of rules to see where FTP falls.
In this case, FTP is not explicitly allowed, so it’s dropped.
Traffic that is permitted can continue on to the internal network.
Everything else is blocked.
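The rule-list walk described above, as an added Python example (not from the original post); the rule list, port numbers and function names are constructed for illustration. It goes one step beyond the text by also flagging rules that can never fire because an earlier rule already matches the same traffic.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    protocol: str             # "tcp", "udp" or "any"
    dst_port: Optional[int]   # None matches every port
    note: str = ""

    def covers(self, protocol: str, dst_port: Optional[int]) -> bool:
        """True if this rule matches the given protocol and destination port."""
        proto_ok = self.protocol in ("any", protocol)
        port_ok = self.dst_port is None or self.dst_port == dst_port
        return proto_ok and port_ok


# Constructed rule list: FTP (tcp/21) is not listed anywhere.
RULES = [
    Rule("allow", "tcp", 443, "HTTPS"),
    Rule("allow", "tcp", 25, "SMTP"),
    Rule("allow", "udp", 53, "DNS"),
]


def evaluate(rules, protocol, dst_port):
    """Walk the list top to bottom; the first matching rule decides.
    Traffic that matches no rule is dropped (implicit default deny)."""
    for index, rule in enumerate(rules):
        if rule.covers(protocol, dst_port):
            return rule.action, index
    return "deny", None


def shadowed(rules):
    """Return (later, earlier) index pairs where the later rule can never
    fire because an earlier rule already matches everything it matches."""
    pairs = []
    for later, rule in enumerate(rules):
        for earlier in range(later):
            if rules[earlier].covers(rule.protocol, rule.dst_port):
                pairs.append((later, earlier))
                break
    return pairs


if __name__ == "__main__":
    print(evaluate(RULES, "tcp", 21))    # FTP: no rule matches, dropped
    print(evaluate(RULES, "tcp", 443))   # HTTPS: allowed by rule 0
    print(shadowed([Rule("deny", "any", None)] + RULES))
```

The decision uses only the protocol and destination port, so anything sent to tcp/443 is allowed whatever it carries.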
Note: While people have traditionally considered firewalls to be a perimeter security control, they should actually be deployed throughout the network where possible. Each endpoint should have a firewall. For better security, you can even segment your network with firewalls between the segments.
Antivirus has a completely different purpose from firewalls.
They work on a file level.
Antivirus software had a very simple start.
Simply put, there was a need for it.
The Morris worm was one of the first viruses released on the internet (ARPANet back then).
It affected around 6,000 machines or 10% of the devices “online” at the time.
As people created more viruses, the need arose to counteract them.
Early antivirus was a cat-and-mouse game.
Can you guess why?
Antivirus developers waited until a virus was released.
They would then analyze it and create “____” that their software would look for to identify the malware.
This forced antivirus to be a step behind attackers.
Of course, antivirus has evolved tremendously over the last few decades.
This is the reason that the line between antivirus systems and firewalls sometimes blurs.
Firewalls vs Antivirus: Quick Characteristic Comparison
I thought it might make it super simple for you to see a side-by-side comparison of the characteristics of firewalls vs antivirus.
So, take a look at the graphic, and I’ll see you underneath to explain.
Port blocking is the traditional firewall inspection method. It looked at where traffic was going and which protocol it used. It then made a decision whether to allow or deny it. Because it’s easy to tunnel traffic through another protocol, next-generation firewalls dig into the traffic more.
Web filtering can be done by both the firewall and antivirus today.
Mail inspection is best done as its own solution, but many next-generation firewalls will work with the antivirus on the system to filter emails for malicious payloads.
Searching for malicious payloads – Both perform this task. However, firewalls are usually looking at traffic coming into the network, while antivirus is searching the systems. Remember, malicious files can come from places other than the internet – USB devices, CDs, etc.
Anti-Spam – Like email inspection, anti-spam is best done by an email tool, but some firewalls can inspect for URLs and IP addresses of known attackers.
File inspection – Firewalls inspect files traversing or entering the network. Antivirus inspects files present on a device or soon-to-be on the device.
Scheduled scans – Antivirus can perform this task. Firewalls should always be doing their jobs.
Device Checks – Antivirus or endpoint protection will handle restricting devices allowed to function on the endpoint. You can choose to block USBs for example.
Remove Malicious Code – Antivirus will remove malicious code from a system. Firewalls may identify malicious code while scanning, but they usually either reject the traffic or isolate the endpoint.
Assess computer’s health – This is a task that antivirus performs. When antivirus does identify an unhealthy device, it can work with the firewall to isolate it from the network.
Which is right for you? Antivirus or firewall?
The answer is actually both.
No security control will by itself stop all attackers.
Simply put, there is a way around every security control your organization can implement.
When we perform penetration tests, we exploit these all the time.
Instead of installing a single security tool – firewall or antivirus – you need to think about a layered approach to security.
This is super important.
The more layers of security you have, the more likely an attacker is to give up and move on to an easier target.
Antivirus & Firewall Solutions for Small Businesses
One of our favorite solutions for small businesses is SOPHOS.
It’s very affordable and packs a ton of power into just a few tools….
One of the ways that it really shines is its integration between endpoint protection and firewall.
They integrate and communicate with each other.
When the antivirus detects a computer has been compromised, it will notify the firewall and the firewall will isolate the computer until it can be investigated.