Firewalls been around for three decades, but they\u2019ve evolved drastically to include features that used to be sold as separate appliances and to pull in externally gathered data to make smarter decisions about what network traffic to allow and what traffic to block.\nNow just one indespensible element in an ecosystem of network defenses, the latest versions are known as enterprise firewalls or next-generation firewalls (NGFW) to indicate who should use them and that they are continually adding functionality.\nWhat is a firewall?\nA firewall is a network device that monitors packets going in and out of networks and blocks or allows them according to rules that have been set up to define what traffic is permissible and what traffic isn\u2019t.\n\nThere are several types of firewalls that have developed over the years, becoming progressively more complex and taking more parameters into consideration when determining whether traffic should be allowed to pass. Firewalls started off as packet filters, but the newest do much much more.\nInitially placed at the boundaries between trusted and untrusted networks, firewalls are now also deployed to protect internal segments of networks, such as data centers, from other segments of organizations\u2019 networks.\nThey are commonly deployed as appliances built by individual vendors, but they can also be bought as virtual appliances \u2013 software that customers install on their own hardware.\nHere are the major types of firewalls.\nProxy-based firewalls\nThese firewalls act as a gateway between end users who request data and the source of that data. Host devices connect to the proxy, and the proxy makes a separate connection to the source of the data. In response, source devices make connections to the proxy, and the proxy make a separate connection to the host device. Before passing on packets to a destination address, the proxy can filter them to enforce policies and mask the location of the recipient\u2019s device, but also to protect the recipient\u2019s device and network.\nThe upside of proxy-based firewalls is that machines outside the network being protected can gather only limited information about the network because they are never directly connected to it.\nThe major downside of proxy-based firewalls is that terminating incoming connections and creating outgoing connections plus filtering causes delays that can degrade performance. In turn, that can eliminate using some applications across the firewall because response times become too slow.\nStateful firewalls\nA performance improvement over proxy-based firewalls came in the form of stateful firewalls, which keep track of a realm of information about connections and make it unnecessary for the firewall to inspect every packet. This greatly reduces delay introduced by the firewall.\nBy maintaining the state of connections, these firewalls can, for example, forego inspecting incoming packets that they identify as responses to legitimate outgoing connections that have already been inspected. The initial inspection establishes that the connection is allowable, and by preserving that state in its memory, the firewall can pass through subsequent traffic that is part of that same conversation without inspecting every packet.\nWeb application firewalls\nWeb application firewalls sit logically between servers that support Web applications and the internet, protecting them from specific HTML attacks such as cross-site scripting, SQL injection and others. They can be hardware- or cloud-based or they can be baked into applications themselves to determine whether each client trying to reach the server should be allowed access.\nNext-generation firewalls\nPackets can be filtered using more than the state of connections and source and destination addresses. This is where NGFWs come into play. They incorporate rules for what individual applications and users are allowed to do, and blend in data gathered from other technologies in order to make better informed decisions about what traffic to allow and what traffic to drop.\nFor example, some of these NGFWs perform URL filtering, can terminate secure sockets layer (SSL) and transport layer security (TLS) connections, \u00a0and support software-defined wide area networking (SD-WAN) to improve the efficiency of how dynamic SD-WAN decisions about connectivity are enforced.\n\n\n\n\n\nFirewalls are not enough\nFeatures that historically were handled by separate devices are now included in many NGFWs and include:\nIntrusion Prevention Systems (IPS)\nWhereas basic firewall technologies identify and block certain types of network traffic, IPSes use more granular security such as signature tracing and anomaly detection to prevent threats from entering networks. Once separate platforms, IPS functionality is more and more a standard firewall feature.\nDeep packet inspection (DPI)\nDeep packet inspection is a type of packet filtering that looks beyond where packets are coming from and going to and inspects their content, revealing, for example, what application is being accessed or what type of data is being transmitted. This information can make possible more intelligent and granular policies for the firewall to enforce. DPI could be used to block or allow traffic, but also restrict the amount of bandwidth particular applications are allowed to use. It could also be a tool for protecting intellectual property or sensitive data from leaving a secure network\nSSL\/TLS termination\nSSL-encrypted traffic is immune to deep-packet inspection because its content cannot be read. Some NGFWs can terminate SSL traffic, inspect it, then create a second SSL connection to the intended destination address. This can be used to prevent, for instance, malicious employees from sending proprietary information outside the secure network while also allowing legitimate traffic to flow through. While it\u2019s good from a data-protection point of view, DPI can raise privacy concerns. With the advent of transport layer security (TLS) as an improvement on SSL, this termination and proxying can apply to TLS as well.\nSandboxing\nIncoming attachments or communications with outside sources can contain malicious code. Using sandboxing, some NGFWs can isolate these attachments and whatever code they contain, execute it and find out whether it\u2019s malicious. The downside of this process is this can consume a lot of CPU cycles and introduce noticeable delay in traffic flowing through the firewall.\nThere are other features that could be incorporated in NGFWs. They can support taking in data gathered by other platforms an using it to make firewall decisions. For example, if a new malware signature has been identified by researchers, the firewall can take in that information and start filtering out traffic that contains the signature.\nGartner, which once used the term NGFW, now says that previous incarnations of firewalls are outmoded and that they now call NGFWs simply enterprise firewalls.\nMost popular firewall vendors\nAccording to the latest Gartner ranking of enterprise firewalls, the vendors designated leaders are Checkpoint, Cisco, Fortinet and Palo Alto Networks. Sophos is on the verge of the leader quadrant but falls just shy in both ability to execute and completeness of its vision.\nThe four leaders in the Gartner Magic Quadrant are also tops when measured by the amount of revenue their products generate, according to IDC. Combined, they controlled more than half the firewall market share in the first quarter of last year, IDC said.\nFive years ago, the Gartner firewall leaders included just Checkpoint and Palo Alto, but in 2017 Fortinet broke through, and in 2018 Cisco joined the top category.\nOf those vendors, Gartner also awarded Cisco, Fortinet and Palo Alto its Customer Choice Awards, which are based on customer reviews of their products. In all, the customers reviewed 17 vendors and submitted a total of 3,406 reviews, of which 2,943 were about the vendors ranked as leaders.\nThe other 12 vendors not already mentioned here are AhnLab, Barracuda Networks, Forcepoint, GreyHeller, Hillstone Networks, Huawei, Juniper Networks, New H3C, Sangfor, Sonic Wall, Stormshield and Watchguard.\nBy contrast, Forrester ranks many of the top firewall vendors not only on their firewalls, but on a framework it designed called Zero Trust, which takes into account all the security components vendors provide and how well they are integrated. Reliance on firewalls alone is history, according to its report \u201cThe Forrester Wave: Zero Trust eXtended (ZTX) Ecosystem Providers, Q4 2018.\u201d In it, Forrester gives its top ranking to just two vendors, Palo Alto and Symantec.