What is a firewall?
A firewall is a device or service that sits between networks of differing trust (typically a private network and the internet) and permits or blocks the traffic between them according to a configured policy. Firewall devices and services can offer protection beyond that core function, for example intrusion detection, denial-of-service protection and other security services for the servers and devices on the private network. While some firewalls can work as multifunction security devices, don't let such offerings distract from the key question: Does this firewall protect the private network from external threats by examining the protocol data units (packets, segments, application messages) passing through it?
How do firewalls work?
Firewalls are inserted inline across a network connection and look at all the traffic passing through that point. As they do so, they have to tell which traffic is benign and which packets are part of an attack.
A program that could look at an arbitrary string of instructions and determine its intent runs into a fundamental result of computer science: no program can decide, in general, what another program will do without running it (the halting problem, generalized by Rice's theorem). By extension, it is not possible in general to look at network traffic and discern its intent.
Firewalls work by examining packets to keep the bad ones out of enterprise networks.
It is, however, entirely feasible to match traffic against known patterns: header fields such as addresses, protocols and ports, and, in later designs, signatures of attacks that have been seen before. Matching on headers is precisely what early packet filtering firewalls did and still do. Whatever sort of firewall is deployed, it is driven by a set of firewall rules, maintained by administrators and, for signature-based features, updated by the vendor, that define the criteria under which a given packet, or set of packets in a transaction, can safely be forwarded to the intended recipient device.
Five Types of firewalls
Here are the five types of firewalls that continue to play significant roles as the firewall category has evolved.
The five types of firewall are:
- Packet filtering firewall
- Circuit-level gateway
- Stateful inspection firewall
- Application-level gateway (aka proxy firewall)
- Next-generation firewall (NGFW)
Packet filtering firewall
Packet filtering firewalls operate inline at junction points where devices such as routers and switches do their work. These firewalls don't route packets; they compare each packet received against a set of established criteria, such as allowed IP addresses, protocol (packet type), port numbers and other fields of the packet headers. Each packet is judged on its own, with no memory of earlier packets. That is what makes this type fast, and it is also what forces its rules to be broad: return traffic for connections opened from inside can only get back in if a standing inbound rule permits it. Packets that are flagged as troublesome are, generally speaking, dropped: they are not forwarded and, depending on configuration, are either silently discarded or answered with a reject message.
Circuit-level gateway
Circuit-level gateways take another relatively quick approach. They monitor TCP handshakes and other session initiation messages between local and remote hosts to determine whether the session being set up is legitimate, that is, whether the remote system is considered trusted and the connection is permitted by policy. Once a session is accepted, its packets are relayed without further inspection; the gateway does not examine packet contents. A SOCKS proxy is a common example of this design.
Stateful inspection firewall
Stateful inspection firewalls, on the other hand, not only examine each packet but also keep track of whether it is part of an established TCP or other network session, using a connection table keyed by addresses, ports and protocol. Reply traffic is admitted because the firewall saw the session being opened, not because a standing inbound rule allows it, so rules can be far narrower. This offers more security than either packet filtering or circuit monitoring alone but costs more memory and CPU, since the device must maintain and look up state for every connection.
A further variant of stateful inspection is the multilayer inspection firewall, which considers the flow of transactions in process across multiple protocol layers of the seven-layer Open Systems Interconnection (OSI) model.
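To make the difference between a stateless packet filter and a stateful firewall concrete, here is a small Python simulation added to this page (example code, not taken from any firewall product). The rule sets, addresses and packet sequence are constructed for the demonstration: an inside host 10.0.0.5 opens an HTTPS session to 203.0.113.10, after which an attacker at that address sends packets sourced from port 443 at the inside host's SSH port. The stateless filter needs a broad "replies from port 443" rule to let legitimate replies back in, and that same rule admits the attacker's packets; the stateful firewall admits only packets belonging to a session it saw opened from inside.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample data for the demonstration; the addresses are
# documentation ranges, not real hosts.


@dataclass(frozen=True)
class Packet:
    src: str           # source IP address
    dst: str           # destination IP address
    proto: str         # "tcp" or "udp"
    sport: int         # source port
    dport: int         # destination port
    syn: bool = False  # TCP SYN flag
    ack: bool = False  # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR, default matches any source
    dst: str = "0.0.0.0/0"       # CIDR, default matches any destination
    proto: Optional[str] = None  # None matches any protocol
    sport: Optional[int] = None  # None matches any source port
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        """Header-only match: this is all a packet filter ever looks at."""
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def stateless_decide(rules, p: Packet) -> str:
    """Packet filter: first matching rule wins; no match means default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFirewall:
    """Tracks TCP sessions opened through the rules; replies need no rule.

    Simplifications: no FIN/RST teardown, no timeouts, no UDP pseudo-state.
    """

    def __init__(self, rules):
        self.rules = rules
        self.conns = set()  # (src, sport, dst, dport, proto) of accepted sessions

    def decide(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if key in self.conns or reverse in self.conns:
            return "allow"  # either direction of a tracked session
        if p.proto == "tcp" and not (p.syn and not p.ack):
            # Mid-stream TCP segment with no tracked session (spoofed reply,
            # ACK scan, stale packet): dropped regardless of the rules.
            return "deny"
        if stateless_decide(self.rules, p) == "allow":
            self.conns.add(key)  # a permitted SYN opens a tracked session
            return "allow"
        return "deny"


INSIDE = "10.0.0.0/8"
# Stateless: replies can only come back if a broad inbound rule permits them.
STATELESS_RULES = [
    Rule("allow", src=INSIDE, proto="tcp", dport=443),  # outbound HTTPS
    Rule("allow", dst=INSIDE, proto="tcp", sport=443),  # "replies" from any port 443
]
# Stateful: only the outbound rule is needed; connection state handles replies.
STATEFUL_RULES = [
    Rule("allow", src=INSIDE, proto="tcp", dport=443),
]

TRAFFIC = [  # constructed packet sequence, in arrival order
    ("outbound_syn", Packet("10.0.0.5", "203.0.113.10", "tcp", 51000, 443, syn=True)),
    ("reply_synack", Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 51000, syn=True, ack=True)),
    ("spoofed_ack_to_ssh", Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 22, ack=True)),
    ("spoofed_syn_to_ssh", Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 22, syn=True)),
]


def run_demo():
    """Returns {name: (stateless decision, stateful decision)} for TRAFFIC."""
    sf = StatefulFirewall(STATEFUL_RULES)
    return {name: (stateless_decide(STATELESS_RULES, p), sf.decide(p))
            for name, p in TRAFFIC}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_demo().items():
        print(f"{name:20s} stateless={stateless:5s} stateful={stateful}")
```

Running the script prints both decisions for each packet. The point to take away is in the rule sets: the stateless configuration has to expose every inside host to anything sourced from port 443, while the stateful one needs only the outbound rule.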
Application-level gateway
This kind of device, technically a proxy and sometimes referred to as a proxy firewall, combines some attributes of packet filtering firewalls with those of circuit-level gateways. The proxy terminates the client's connection and opens its own connection to the server, so it sees complete application messages rather than individual packets. It filters not only according to the service for which traffic is intended, as specified by the destination port, but also by other characteristics, such as the HTTP request method, host and request string.
While gateways that filter at the application layer provide a good amount of data security, they can dramatically affect network performance, because every request is terminated, parsed and re-issued by the proxy, which must understand each protocol it handles.
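The following is an added Python example of the kind of check a proxy firewall can make and a port-based filter cannot (example code written for this page, not from any product). The policy and the sample requests are constructed for illustration. Every sample is an HTTP request that a packet filter would see only as "tcp/80"; the proxy parses the request line and headers and decides on the method, the host and the percent-decoded path.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed policy for the demonstration: what the proxy will forward.
POLICY = {
    "allowed_methods": {"GET", "HEAD", "POST"},
    "allowed_hosts": {"www.example.com", "intranet.example.com"},
    # Matched against the percent-decoded path, so %2e%2e/ is caught as ../
    "blocked_path_patterns": [r"\.\./", r"(?i)^/cgi-bin/", r"(?i)\.php$"],
}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, version, headers, body).

    Raises ValueError for anything that is not shaped like an HTTP request.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def evaluate(raw: bytes, policy=POLICY):
    """Proxy decision for one request: ("allow" | "deny", reason)."""
    try:
        method, target, version, headers, _body = parse_request(raw)
    except ValueError as exc:
        return ("deny", f"not a parseable HTTP request: {exc}")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return ("deny", f"unsupported version {version}")
    if method not in policy["allowed_methods"]:
        return ("deny", f"method {method} not allowed")
    url = urlsplit(target)
    # Proxy-style absolute targets carry the host in the URL; origin-form
    # targets rely on the Host header.
    host = (url.hostname or headers.get("host", "").split(":")[0]).lower()
    if host not in policy["allowed_hosts"]:
        return ("deny", f"host {host!r} not allowed")
    path = unquote(url.path)  # decode once, then match
    for pattern in policy["blocked_path_patterns"]:
        if re.search(pattern, path):
            return ("deny", f"path {path!r} matches blocked pattern {pattern}")
    return ("allow", f"{method} {host}{path}")


# Constructed sample requests; a port-based filter sees each one as "tcp/80".
SAMPLES = {
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "trace_method": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "encoded_traversal": b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "wrong_host": b"GET http://evil.example/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # Constructed non-HTTP bytes (start of a TLS record) sent to the HTTP port.
    "not_http": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
}


def run_all(samples=SAMPLES, policy=POLICY):
    """Returns {name: decision} for the sample requests."""
    return {name: evaluate(raw, policy)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18s} -> {evaluate(raw)}")
```

Note the order of operations on the path: the filter decodes percent-encoding once and matches on the result, so an encoded traversal is treated the same as a literal one. Matching on the raw, still-encoded target is a classic way for a proxy rule to be bypassed.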
Next-generation firewall
A high-end, next-gen firewall from Palo Alto Networks, which was among the first vendors to offer advanced features, such as identifying the applications producing all the traffic passing through and integrating with other major network components, like Active Directory.
A typical NGFW combines packet inspection with stateful inspection and also includes some variety of deep packet inspection, as well as other network security systems, such as intrusion detection/prevention, malware filtering and antivirus.
While packet inspection in traditional firewalls looks exclusively at the protocol headers of a packet, deep packet inspection looks at the actual data carried by the packet. A deep packet inspection firewall tracks the progress of a web browsing session and can notice whether a packet payload, when reassembled with the other packets of an HTTP server reply, constitutes a legitimate HTML-formatted response, or whether the reply's content is not what its headers claim it to be.
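As an added example of the reassembly step described above (example code written for this page, not from any vendor's engine), here is a Python sketch that rebuilds an HTTP reply from out-of-order and retransmitted TCP segments and then checks that a reply labelled text/html actually carries markup rather than, say, an executable. The responses and segment boundaries are constructed; the content check is a deliberately simple heuristic, and chunked transfer encoding is not handled.

```python
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")  # PE and ELF file headers


def reassemble(segments):
    """Rebuild the byte stream from (seq, payload) TCP segments.

    Segments may arrive out of order or be retransmitted (overlaps are
    trimmed). Reassembly stops at the first gap, so the caller can see
    that data is still missing.
    """
    stream = b""
    ordered = sorted(segments, key=lambda s: s[0])
    if not ordered:
        return stream
    expected = ordered[0][0]
    for seq, data in ordered:
        if seq > expected:
            break                         # hole in the stream
        if seq < expected:
            data = data[expected - seq:]  # drop the already-seen prefix
        stream += data
        expected += len(data)
    return stream


def inspect_response(stream: bytes):
    """Check a reassembled HTTP reply: ("allow" | "deny" | "incomplete", reason)."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return ("incomplete", "response headers not complete yet")
    status_line, *header_lines = head.split(b"\r\n")
    if not status_line.startswith(b"HTTP/1."):
        return ("deny", "stream is not an HTTP/1.x response")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    content_type = headers.get(b"content-type", b"").split(b";")[0].strip().lower()
    length = int(headers.get(b"content-length", b"0") or b"0")
    if len(body) < length:
        return ("incomplete", f"have {len(body)} of {length} body bytes")
    body = body[:length]
    if content_type == b"text/html":
        # Simplified content check: an HTML body should start with markup and
        # must not be an executable dressed up with an HTML content type.
        if body.startswith(EXECUTABLE_MAGIC):
            return ("deny", "text/html reply carries an executable")
        if not body.lstrip().startswith(b"<"):
            return ("deny", "text/html reply does not look like HTML")
        return ("allow", "HTML reply consistent with its headers")
    return ("allow", f"no payload check for {content_type.decode()!r}")


def build_response(content_type: bytes, body: bytes) -> bytes:
    """Constructed HTTP/1.1 200 reply with a correct Content-Length."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type
            + b"\r\nContent-Length: " + str(len(body)).encode()
            + b"\r\n\r\n" + body)


def segment(data: bytes, first_seq: int, sizes):
    """Cut data into segments of the given sizes; the remainder is the last one."""
    segs, offset = [], 0
    for size in sizes:
        segs.append((first_seq + offset, data[offset:offset + size]))
        offset += size
    segs.append((first_seq + offset, data[offset:]))
    return segs


def run_demo():
    """Returns {case: decision} for constructed replies and arrival orders."""
    html = build_response(b"text/html", b"<html><body>hello</body></html>")
    # PE header bytes under an HTML label: the headers lie about the payload.
    exe = build_response(b"text/html", b"MZ\x90\x00" + b"\x00" * 60)
    s = segment(html, 1000, [20, 25])  # three segments
    return {
        # last segment first, then a retransmitted copy of the middle one
        "html_out_of_order": inspect_response(reassemble([s[2], s[0], s[1], s[1]]))[0],
        "html_segment_missing": inspect_response(reassemble([s[0], s[2]]))[0],
        "exe_labelled_html": inspect_response(reassemble(segment(exe, 5000, [40])))[0],
    }


if __name__ == "__main__":
    for case, decision in run_demo().items():
        print(f"{case:22s} -> {decision}")
```

The "incomplete" result matters in practice: an engine that judged each segment on its own would have to either pass or drop the first 20 bytes before the headers were even complete, which is exactly the limitation the paragraph above describes.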
How to choose the right type of firewall
Choosing the right type of firewall means answering questions about what the firewall is meant to do, how it will be used, what it is intended to protect and any number of general questions about the infrastructure it is intended to protect. The right firewall for different organizations will almost invariably differ from one to another, as each private network is unique and has its own unique requirements.
Issues to consider include:
- What are the technical objectives for the firewall, and can a simpler product work better instead of a firewall with more features and capabilities that may not be necessary?
- How does the firewall itself fit into the organization’s architecture? This means considering whether the firewall is intended to protect a low-visibility service exposed on the internet or a web application.
- What kind of traffic inspection is necessary? Some applications require monitoring the contents of all packets, while others can be protected simply by sorting packets based on source/destination addresses and ports.
Many firewall implementations incorporate features of different types of firewalls, so choosing a type of firewall is rarely a matter of finding one that fits neatly into any particular category. For example, an NGFW may incorporate features of packet filtering firewalls, application-level gateways or stateful inspection firewalls.
Choosing the ideal firewall begins with understanding the architecture and functions of the private network being protected but also calls for understanding the different types of firewalls and firewall policies that are most effective for the organization.
Whichever of the types of firewalls you select, bear in mind that a misconfigured firewall can, in some ways, be worse than no firewall at all because it creates a false sense of security, while providing little or none.
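One of the most common such misconfigurations is rule shadowing: a broad rule placed early in a first-match rule set hides a narrower deny rule beneath it, so the deny never fires although it still appears in the policy and looks reassuring in an audit. The following added Python check (example code written for this page, not from any firewall product) detects this for a constructed rule set in which a "temporary" allow-all-TCP rule was left in place above a rule meant to block telnet.

```python
import ipaddress

# Constructed rule set, evaluated first-match like a packet filter.
# Rule 0 was meant as a temporary debugging exception and was never removed.
RULES = [
    {"action": "allow", "src": "0.0.0.0/0", "dst": "10.0.0.0/8",   "proto": "tcp", "dport": None},
    {"action": "deny",  "src": "0.0.0.0/0", "dst": "10.0.0.0/8",   "proto": "tcp", "dport": 23},
    {"action": "allow", "src": "0.0.0.0/0", "dst": "10.0.1.20/32", "proto": "tcp", "dport": 443},
    {"action": "deny",  "src": "0.0.0.0/0", "dst": "10.0.0.0/8",   "proto": "udp", "dport": None},
]


def covers(a, b) -> bool:
    """True if every packet that rule b matches is also matched by rule a.

    Address fields are compared as CIDR prefixes (same IP version assumed);
    None is a wildcard for proto and dport.
    """
    return (ipaddress.ip_network(b["src"]).subnet_of(ipaddress.ip_network(a["src"]))
            and ipaddress.ip_network(b["dst"]).subnet_of(ipaddress.ip_network(a["dst"]))
            and a["proto"] in (None, b["proto"])
            and a["dport"] in (None, b["dport"]))


def find_shadowed(rules):
    """List (shadowing_index, shadowed_index, conflicting) for rules that never fire.

    conflicting is True when the hidden rule would have decided differently;
    that is the case that silently changes the firewall's effective policy.
    A shadowed rule with the same action is merely redundant.
    """
    findings = []
    for i, later in enumerate(rules):
        for j in range(i):
            if covers(rules[j], later):
                findings.append((j, i, rules[j]["action"] != later["action"]))
                break  # report the first rule that hides it
    return findings


if __name__ == "__main__":
    for j, i, conflicting in find_shadowed(RULES):
        kind = "CONFLICT" if conflicting else "redundant"
        print(f"rule {i} ({RULES[i]['action']}) is never reached: "
              f"hidden by rule {j} ({RULES[j]['action']}) [{kind}]")
```

Run against the sample rules, the check reports that the telnet deny (rule 1) is never reached because rule 0 already allows everything it would have blocked, which is precisely the false sense of security the paragraph above warns about; rule 2 is flagged as redundant rather than conflicting because it would have decided the same way.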