This blog was written by a third party author.
Finding the right network security tools to secure your sensitive data can be a significant challenge for any organization. Choosing a firewall may seem like a simple task, but companies can get overwhelmed by the different firewall types and options. Making the distinction between a firewall and other security solutions can also pose challenges.
Here are the answers to some of the most common firewall questions.
What is a firewall? And what isn’t a firewall?
A firewall is a network security perimeter device that inspects traffic entering and leaving the network. Depending on the security rules assigned specifically to it, the firewall either permits safe traffic or denies traffic it deems as dangerous.
A firewall’s main objective is to establish a barrier (or “wall”) that separates an internal network from incoming external traffic (such as the internet) for the purpose of blocking malicious network packets like malware and hacking.
When discussing firewalls, it is critical to clear up any confusion regarding what constitutes a firewall and what does not. For instance, intrusion detection systems, routers, proxy servers, VPNs and antivirus solutions are not firewalls. Many firewall architectures are built into other security solutions, and many security solutions are built into firewalls.
How does firewall technology work?
Firewalls carefully analyze incoming traffic arriving on a computer’s entry point, called a port, which determines how external devices communicate with each other and exchange information.
Firewalls operate using specific firewall rules. A firewall rule will typically include a source address, a protocol, a port number and a destination address.
Here’s an analogy to explain the components of a firewall rule. Instead of protecting a network, think of a giant castle. The source address represents a person wishing to enter the castle. The port represents a room in the castle. The protocol represents a mode of transportation, and the destination address represents the castle.
Only trusted people (source addresses) may enter the castle (destination address) at all. Or perhaps only people that arrive on foot (protocol). Once inside, only people within the house are permitted to enter certain rooms (destination ports), depending on who they are. The king may be allowed in any room (any port), while guests and servants may only access a certain number of rooms (specific ports).
In this analogy, the firewall would act like an elaborate alarm system.
Network-based firewall service
Fully managed, cloud-based firewall providing continuous inspection and treatment of internet traffic.Learn more
Types of firewalls and deployment options
Adding to the confusion of what constitutes a firewall, there are numerous firewall types to be aware of.
First, firewalls are classified by what they are and where they reside. For example, firewalls can either be hardware or software, cloud-based or on-premises.
A software firewall resides on an endpoint (like a computer or mobile device) and regulates traffic directly from that device. Hardware firewalls are physical pieces of equipment that reside between your gateway and network. Cloud-based firewalls, also known as Firewall-as-a-service (FaaS), act like any other internet-based SaaS solutions, performing their work in the cloud.
Next, and this is the most common distinction between types, firewalls are classified by functionality.
The most common firewall types based on methods of operation are:
- Packet-filtering firewalls
- Proxy firewalls
- NAT firewalls
- Web application firewalls
- Next-gen firewalls (NGFW)
Packet-filtering firewalls, the most basic firewall type, examine packets and prevent them from moving on if the specific security rule is not met. This firewall's function is to perform a simple check of all data packets arriving from the network router and inspecting the specifics like source and destination IP address, port number, protocol, and other surface-level data.
Packet filtering firewalls don’t open data packets to inspect their contents. Any data packet that fails the simple inspection is dropped.
These firewalls are not resource-intensive and have a low impact on system performance. Their main drawback is that they provide only basic protection and are therefore more vulnerable to being bypassed.
Packet-filtering firewalls can either be stateful and stateless. Stateless firewalls only analyze each packet individually, whereas stateful firewalls — the more secure option — take previously inspected packets into consideration.
Proxy firewalls, also known as application-level firewalls, filter network traffic at the application layer of the OSI network model. As an intermediary between two systems, proxy firewalls monitor traffic at the application layer (protocols at this layer include HTTP and FTP). To detect malicious traffic, both stateful and deep packet inspection are leveraged.
Proxy firewalls typically operate in the cloud or through another proxy device. Instead of allowing traffic to connect directly, a connection to the traffic’s source is established and the data packet is inspected.
Speed can be a key weakness of proxy firewalls, as the transfer process creates extra steps that may slow things down.
Network address translation (NAT) firewalls work by assigning a public address to a group of devices inside a private network. With NAT, individual IP addresses are hidden. Therefore, attackers scanning for IP addresses on a network are prevented from discovering specific details.
NAT firewalls and proxy firewalls both act as a go-between connecting groups of devices with outside traffic.
Web application firewalls
Web application firewalls (WAF) are responsible for filtering, monitoring, and blocking data packets as they travel in and out of websites or web applications. A WAF can either reside on the network, at the host or in the cloud and is typically placed in front of one or many websites or applications. WAFs are available as server plugins, cloud services, or network appliances.
A WAF is most similar to the proxy firewall, but has a more specific focus on defending against application layer web-based attackers.
As the threat landscape intensifies, the Next-generation firewall (NGFW) is the most popular firewall type available today.
Thanks to the major improvements in storage space, memory, and processing speeds, NGFWs build upon traditional firewalls' features and add other critical security functions like intrusion prevention, VPN, anti-malware, and even encrypted traffic inspection. NGFW’s ability to handle deep packet inspection means that the firewall can unpack the packet's data to prevent any packets with malicious data from moving forward.
NGFWs can also integrate with Software-defined wide area networks (SDWAN).
Compared to traditional firewalls, these firewalls provide extensive application control and visibility, distinguish between safe and dangerous applications, and block malware from entering a network.
While most recent firewall solutions on the market are touted as NGFWs, the security industry lacks consensus on what classifies a next-gen firewall. Without a clear definition, companies must do their due diligence to understand what specific security features are available before making an investment.
Comparing firewall to VPN, IDS, IPS and proxies
While NGFWs can combine the functionality of a VPN, IPS and proxies, it’s important to note that a firewall is fundamentally different from a VPN, IPS, secure web gateway, or proxy.
A firewall, by definition, filters traffic. While an intrusion prevention system also filters traffic, it bases its decision on analysis of malicious traffic patterns or “signatures” that it knows to be troublesome. Signatures are automatically updated regularly and usually daily. An IPS is a step up from the intrusion detection system (IDS) in that administrators can take specific actions based on the detected traffic patterns.
Unlike a firewall, a VPN does not filter traffic. VPNs encrypt traffic between devices so that the session can safely traverse public networks (usually over the Internet) and has been made virtually private. VPNs also terminate connections and build tunnels for that encrypted traffic to pass through.
A secure web gateway, on the other hand, has some firewall functionality but is not the same as a firewall and only focuses on outgoing web traffic (often restricted to ports 80 and 443).
Finally, while a proxy can be a part of a firewall, a firewall is not a proxy.
Deciding on a firewall
When choosing the right firewall architecture for your organization, the question you need to ask may not be, “Which firewall type should we go with?”
Better questions to ask might include, “What combination of firewalls do we need?” and “What are the assets that I want to protect and where are they located?”
Only one layer of protection, no matter how secure, is probably not enough security for your business. By deploying multiple layers of firewalls in different areas on your network and even on your endpoints, you’ll be creating a defense-in-depth strategy necessary for today’s threat landscape.
A hybrid solution that leverages your existing on-site devices and solutions with managed network security services is even better. Because when it comes to protecting your business, it’s not just a decision about firewalls, it’s a decision about how firewalls fit into your overall security strategy.