Firewall guide Part 1: Introduction to firewalls

Part one of our guide explains what firewalls are and the many different types.

What is a network firewall? What types of firewalls are there, and which kind best protect your company's data?...

Learn how to keep your network secure without slowing it down or causing latency. This page introduces you to what a firewall is and which types there are.


Introduction to firewalls

A firewall is a hardware or software system that prevents unauthorized access to or from a network. Firewalls can be implemented in hardware, in software, or in a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet. All data entering or leaving the intranet passes through the firewall, which examines each packet and blocks those that do not meet the specified security criteria.

Generally, firewalls are configured to protect against unauthenticated interactive logins from the outside world. This helps prevent hackers from logging into machines on your network. More sophisticated firewalls block traffic from the outside to the inside, but permit users on the inside to communicate a little more freely with the outside.

Introduction to types of firewalls

Security expert Michael Gregg says National Institute of Standards and Technology (NIST) 800-10 divides firewalls into five basic types:

  • Packet filters
  • Stateful inspection
  • Proxies
  • Dynamic
  • Kernel

In reality, these divisions are not quite that simple, as most modern firewalls have a mix of abilities that places them in more than one of the categories shown above. The NIST document provides more detail on each of these categories.

To simplify the most commonly used firewalls, expert Chris Partsenidis breaks them down into two categories: application firewalls and network layer firewalls. The International Standards Organization (ISO) Open Systems Interconnect (OSI) model for networking defines seven layers, where each layer provides services that higher-level layers depend on. The important thing to recognize is that the lower-level the forwarding mechanism, the less examination the firewall can perform.

Network layer firewalls

This type generally makes its decisions based on the source address, destination address and ports in individual IP packets. A simple router is the traditional network layer firewall, since it is not able to make particularly complicated decisions about what a packet is actually talking to or where it actually came from. Modern network layer firewalls have become increasingly sophisticated, and now maintain internal information about the state of connections passing through them at any time.

One important difference with many network layer firewalls is that they route traffic directly through them, so to use one you need either a validly assigned IP address block or a private internet address block. Network layer firewalls tend to be very fast and almost transparent to their users.
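The difference between a filter that judges each packet's header fields on their own and one that tracks connection state can be shown with a small model. This is an added example, not part of the original guide; the inside network, the single HTTPS rule and all addresses and ports are constructed sample values.

```python
# Added illustration: stateless packet filter vs. stateful inspection.
# All addresses, ports and rules below are constructed sample values.
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src sport dst dport")
INSIDE = ip_network("10.0.0.0/24")   # assumed protected network

def stateless_allow(pkt):
    """Classic router ACL: looks only at header fields of this one packet."""
    outbound = ip_address(pkt.src) in INSIDE
    if outbound and pkt.dport == 443:
        return True                      # inside hosts may reach HTTPS
    # Replies must be let back in; without state the only hint is sport 443.
    return (not outbound) and pkt.sport == 443 and ip_address(pkt.dst) in INSIDE

class StatefulFilter:
    """Tracks connections opened from inside; inbound must match one."""
    def __init__(self):
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt):
        if ip_address(pkt.src) in INSIDE:
            if pkt.dport != 443:
                return False
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: permitted only as the reverse of a tracked connection.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table

def compare(packets):
    """Return [(stateless_verdict, stateful_verdict), ...] for a sequence."""
    fw = StatefulFilter()
    return [(stateless_allow(p), fw.allow(p)) for p in packets]

SAMPLE = [
    Packet("10.0.0.5", 50000, "203.0.113.10", 443),   # inside host opens HTTPS
    Packet("203.0.113.10", 443, "10.0.0.5", 50000),   # genuine reply
    Packet("198.51.100.7", 443, "10.0.0.9", 5000),    # unsolicited, sport 443
]

if __name__ == "__main__":
    for pkt, verdicts in zip(SAMPLE, compare(SAMPLE)):
        print(pkt, "stateless=%s stateful=%s" % verdicts)
```

The third packet matches the stateless reply rule purely on its source port, while the stateful filter drops it because no inside host opened that connection.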

Application layer firewalls

Run-of-the-mill network firewalls can't properly defend applications. As Michael Cobb explains, application-layer firewalls offer Layer 7 security on a more granular level, and may even help organizations to get more out of existing network devices.

Application layer firewalls generally are hosts running proxy servers, which permit no traffic directly between networks, and which perform elaborate logging and examination of traffic passing through them. Since proxy applications are simply software running on the firewall, the firewall is a good place to do lots of logging and access control. Application layer firewalls can be used as network address translators, since traffic goes in one side and out the other, after having passed through an application that effectively masks the origin of the initiating connection.

Having an application in the way may in some cases impact performance and make the firewall less transparent. Early application layer firewalls are not particularly transparent to end-users and may require some training. However, more modern application layer firewalls are often totally transparent. Application layer firewalls tend to provide more detailed audit reports and tend to enforce more conservative security models than network layer firewalls.

The future of firewalls sits somewhere between network layer firewalls and application layer firewalls. It is likely that network layer firewalls will become increasingly aware of the information going through them, and application layer firewalls will become more and more transparent. The end result will be a kind of fast packet-screening system that logs and checks data as it passes through.

Proxy firewalls

Proxy firewalls offer more security than other types of firewalls, but this is at the expense of speed and functionality, as they can limit which applications your network can support. So, why are they more secure? Unlike a stateful firewall, which allows or blocks network packets passing to and from a protected network, a proxy does not let traffic flow through it. Instead, computers establish a connection to the proxy, which serves as an intermediary and initiates a new network connection on behalf of the request. This prevents direct connections between systems on either side of the firewall and makes it harder for an attacker to discover where the network is, because they will never receive packets created directly by their target system.

Proxy firewalls also provide comprehensive, protocol-aware security analysis for the protocols they support. This allows them to make better security decisions than products that focus purely on packet header information.
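What "protocol-aware" means in practice, and why the client's packets never reach the server, can be seen in the decision a proxy makes on one HTTP request, which also illustrates the application layer firewalls described earlier. This is an added example, not part of the original guide; the policy (allowed methods, allowed host, forwarded headers) and the sample request are constructed assumptions.

```python
# Added illustration: an application-layer (proxy) decision on an HTTP request.
# Policy values and the sample request are constructed for this example.
ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_HOSTS = {"intranet.example.com"}
FORWARDED_HEADERS = ("host", "accept", "user-agent")

def parse_request(raw):
    """Parse request line and headers; raise ValueError on anything malformed."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.decode("ascii").split("\r\n")      # non-ASCII raises ValueError
    method, target, version = lines[0].split(" ")   # wrong field count raises
    if version not in ("HTTP/1.0", "HTTP/1.1") or not target.startswith("/"):
        raise ValueError("unsupported request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip() or name.lower() in headers:
            raise ValueError("bad or duplicate header")
        headers[name.lower()] = value.strip()
    return method, target, headers

def proxy_decide(raw):
    """Return ('forward', host, new_request) or ('deny', reason)."""
    try:
        method, target, headers = parse_request(raw)
    except ValueError as exc:
        return ("deny", "malformed: %s" % exc)
    if method not in ALLOWED_METHODS:
        return ("deny", "method %s not permitted" % method)
    host = headers.get("host", "")
    if host not in ALLOWED_HOSTS:
        return ("deny", "host not permitted")
    # The proxy writes a new request for its own outbound connection: only
    # known headers are copied, so the client's bytes never reach the server.
    out = ["%s %s HTTP/1.1" % (method, target)]
    out += ["%s: %s" % (h.title(), headers[h]) for h in FORWARDED_HEADERS if h in headers]
    out.append("Connection: close")
    return ("forward", host, ("\r\n".join(out) + "\r\n\r\n").encode("ascii"))

# Constructed sample: a permitted request carrying one header outside the policy.
SAMPLE_OK = (b"GET /reports HTTP/1.1\r\nHost: intranet.example.com\r\n"
             b"X-Custom: 1\r\nAccept: */*\r\n\r\n")

if __name__ == "__main__":
    print(proxy_decide(SAMPLE_OK))
```

A packet filter would pass or drop this request on addresses and ports alone; the proxy decides on method, host and header syntax, and the server only ever sees the request the proxy wrote.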

Unified threat management

A new product category called unified threat management (UTM) has emerged. These devices promise integration, convenience and protection from pretty much every threat out there -- and are especially valuable to small and medium-sized businesses (SMBs).

Security expert Puneet Mehta defines unified threat management as a firewall appliance that not only guards against intrusion but performs content filtering, spam filtering, intrusion detection and anti-virus duties traditionally handled by multiple systems. These devices are designed to combat all levels of malicious activity on the computer network.

An effective UTM solution delivers a network security platform that comprises robust and fully integrated security and networking functions such as network firewalling, intrusion detection and prevention (IDS/IPS) and gateway anti-virus (AV), along with other features such as security management and policy management by group or user. It is designed to protect against next generation application layer threats and offers centralized management through a single console, all without impairing the performance of the network.

Advantages of using UTM

Convenience and ease of installation are the key advantages of threat management security appliances. Very little human intervention is required to install and configure these appliances. The advantages of UTM responsible for the growth of the threat management security appliance market are the following:

  • Reduced complexity: The integrated all-in-one approach not only simplifies product selection, but product integration, and ongoing support as well.
  • Ease of deployment: Since very little human intervention is required, customers themselves or vendors can easily install and maintain these products.
  • Integration capabilities: These appliances can easily be deployed at remote sites without the help of any security professional on the ground. In this scenario a plug-and-play appliance can be installed and managed remotely. This kind of management is synergistic with large, centralized software-based firewalls.
  • The black box approach: Users have a tendency to play with things, and the black box approach limits the damage users can do. This reduces trouble calls and improves security.
  • Troubleshooting ease: When a box fails, it is easier to swap it out than troubleshoot. This process gets the node back online quicker, and a non-technical person can also do it. This feature is especially important for remote offices without dedicated technical staff onsite.

NEXT: Who is responsible for a firewall, and where should you place it?