A firewall is a network device that monitors packets going in and out of networks and blocks or allows them according to rules that have been set up to define what traffic is permissible and what traffic isn’t.
There are several types of firewalls that have developed over the years, becoming progressively more complex over time and taking more parameters into consideration when determining whether traffic should or should not be allowed to pass. The most modern are commonly known as next-generation firewalls (NGF) and incorporate many other technologies beyond packet filtering.
Initially placed at the boundaries between trusted and untrusted networks, firewalls are now also deployed to protect internal segments of networks, such as data centers, from other segments of organizations’ networks.
Firewalls are commonly deployed as appliances built by individual vendors, but they can also be bought as virtual appliances – software that customers install on their own hardware.
Here are the major types of firewalls.
These firewalls act as a gateway between end users who request data and the source of that data. Host devices connect to the proxy, and the proxy makes a separate connection to the source of the data. In response, source devices make connections to the proxy, and the proxy make a separate connection to the host device. Before passing on packets to a destination address, the proxy can filter them to enforce policies and mask the location of the recipient’s device, but also to protect the recipient’s device and network.
The upside of proxy-based firewalls is that machines outside the network being protected can gather only limited information about the network because they are never directly connected to it.
The major downside of proxy-based firewalls is that terminating incoming connections and creating outgoing connections plus filtering causes delays that can degrade performance. In turn, that can eliminate using some applications across the firewall because response times become too slow.
A performance improvement over proxy-based firewalls came in the form of stateful firewalls, which keep track of a realm of information about connections and make it unnecessary for the firewall to inspect every packet. This greatly reduces delay introduced by the firewall.
By maintaining the state of connections, these firewalls can, for example, forego inspecting incoming packets that they identify as responses to legitimate outgoing connections that have already been inspected. The initial inspection establishes that the connection is allowable, and by preserving that state in its memory, the firewall can pass through subsequent traffic that is part of that same conversation without inspecting every packet.
Packets can be filtered using more than the state of connections and source and destination addresses. This is where next-generation firewalls (NGFW) come into play. They incorporate rules for what individual applications and users are allowed to do, and blend in data gathered from other technologies in order to make better informed decisions about what traffic to allow and what traffic to drop.
For example, some of these NGFWs perform URL filtering, can terminate SSL connections, and support software-defined wide area networking (SD-WAN) to improve the efficiency of how dynamic SD-WAN decisions about connectivity are enforced.
Features that historically were handled by separate devices are now included in many NGFWs and include:
Intrusion Prevention Systems (IPS): Whereas basic firewall technologies identify and block certain types of network traffic, IPSes use more granular security such as signature tracing and anomaly detection to prevent threats from entering networks. Once separate platforms, IPS functionality is more and more a standard firewall feature.
Deep-packet inspection (DPI): DPI is a type of packet filtering that looks beyond where packets are coming from and going to and inspects their content, revealing, for example, what application is being accessed or what type of data is being transmitted. This information can make possible more intelligent and granular policies for the firewall to enforce. DPI could be used to block or allow traffic, but also restrict the amount of bandwidth particular applications are allowed to use. It could also be a tool for protecting intellectual property or sensitive data from leaving a secure network
SSL termination: Secure Sockets Layer (SSL)-encrypted traffic is immune to deep-packet inspection because its content cannot be read. Some NGFWs can terminate SSL traffic, inspect it, then create a second SSL connection to the intended destination address. This can be used to prevent, for instance, malicious employees from sending proprietary information outside the secure network while also allowing legitimate traffic to flow through. While it’s good from a data-protection point of view, DPI can raise privacy concerns.
Sandboxing: Incoming attachments or communications with outside sources can contain malicious code. Using sandboxing, some NGFWs can isolate these attachments and whatever code they contain, execute it and find out whether it’s malicious. The downside of this process is this can consume a lot of CPU cycles and introduce noticeable delay in traffic flowing through the firewall.
There are other features that could be incorporated in NGFWs. They can support taking in data gathered by other platforms an using it to make firewall decisions. For example, if a new malware signature has been identified by researchers, the firewall can take in that information and start filtering out traffic that contains the signature.
Gartner, which once used the term NGFW, now says that previous incarnations of firewalls are outmoded and that they now call NGFWs simply enterprise firewalls.
Web application firewalls
These firewalls sit logically between servers that support Web applications and the internet, protecting them from specific HTML attacks such as cross-site scripting, SQL injection and others. They can be hardware- or cloud-based or they can be baked into applications themselves to determine whether each client trying to reach the server should be allowed access.