BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
In computing, a firewall is software or firmware that enforces a set of rules about what data packets will be allowed to enter or leave a network. Firewalls are incorporated into a wide variety of networked devices to filter traffic and lower the risk that malicious packets traveling over the public internet can impact the security of a private network. Firewalls may also be purchased as stand-alone software applications.
The term firewall is a metaphor that compares a type of physical barrier that's put in place to limit the damage a fire can cause, with a virtual barrier that's put in place to limit damage from an external or internal cyberattack. When located at the perimeter of a network, firewalls provide low-level network protection, as well as important logging and auditing functions.
While the two main types of firewalls are host-based and network-based, there are many different types that can be found in different places and controlling different activities. A host-based firewall is installed on individual servers and monitors incoming and outgoing signals. A network-based firewall can be built into the cloud's infrastructure, or it can be a virtual firewall service.
Types of firewalls
- A packet-filtering firewall examines packets in isolation and does not know the packet's context.
- A stateful inspection firewall examines network traffic to determine whether one packet is related to another packet.
- A proxy firewall inspects packets at the application layer of the Open Systems Interconnection (OSI) reference model.
An NGFW uses a multilayered approach to integrate enterprise firewall capabilities with an intrusion prevention system (IPS) and application control.
When organizations began moving from mainframe computers and dumb clients to the client-server model, the ability to control access to the server became a priority. Before the first firewalls emerged based on work done in the late 1980s, the only real form of network security was enforced through access control lists (ACL) residing on routers. ACLs specified which Internet Protocol (IP) addresses were granted or denied access to the network.
The exponential growth of the internet and the resulting increase in connectivity of networks, however, meant that filtering network traffic by IP address alone was no longer enough. Static packet-filtering firewalls, which examine packet headers and use rules to make decisions about what traffic to let through, arguably became the most important part of every network security initiative by the end of the last century.
How packet-filtering firewalls work
When a packet passes through a packet-filtering firewall, its source and destination address, protocol and destination port number are checked. The packet is dropped -- it's not forwarded to its destination -- if it does not comply with the firewall's rule set. For example, if a firewall is configured with a rule to block Telnet access, then the firewall will drop packets destined for Transmission Control Protocol (TCP) port number 23, the port where a Telnet server application would be listening.
Firewalls examine packets to keep the bad ones out of enterprise networks.
Packet-filtering firewalls work mainly on the network layer of the OSI reference model, although the transport layer is used to obtain the source and destination port numbers. They examine each packet independently and do not know whether any given packet is part of an existing stream of traffic. Packet-filtering firewalls are effective, but because they process each packet in isolation, they can be vulnerable to IP spoofing attacks and have largely been replaced by stateful inspection firewalls.
How stateful inspection firewalls work
Stateful inspection firewalls -- also known as dynamic packet-filtering firewalls -- maintain a table that keeps track of all open connections. When new packets arrive, the firewall compares information in the packet header to the state table and determines whether it is part of an established connection. If it is part of an existing connection, then the packet is allowed through without further analysis. If the packet doesn't match an existing connection, it is evaluated according to the rule set for new connections.
Stateful inspection firewalls monitor communication packets over a period of time and examine both incoming and outgoing packets. Outgoing packets that are requests for specific types of incoming packets are tracked, and only those incoming packets constituting a proper response are allowed through the firewall. Although stateful inspection firewalls are quite effective, they can be vulnerable to denial-of-service (DoS) attacks.
How application layer and proxy firewalls work
As attacks against web servers became more common, it became apparent that there was a need for firewalls to protect networks from attacks at the application layer. Packet filtering and stateful inspection firewalls can't distinguish among valid application layer protocol requests, data and malicious traffic encapsulated within apparently valid protocol traffic.
Firewalls that provide application layer filtering can examine the payload of a packet and distinguish among valid requests, data and malicious code disguised as a valid request or data. Since this type of firewall makes a decision based on the payload's content, it gives security engineers more granular control over network traffic and sets rules to permit or deny specific application requests or commands. For example, it can allow or deny a specific incoming Telnet command from a particular user, whereas other firewalls can only control general incoming requests from a particular host.
If this type of firewall could also prevent an attacker from connecting directly to the network, it would be even better. Putting the firewall on a proxy server would make it harder for an attacker to discover where the network actually is and create yet another layer of security.
When there is a proxy firewall in place, both the client and the server are forced to conduct the session through an intermediary -- a proxy server that hosts an application layer firewall. Now, each time an external client requests a connection with an internal server (or vice versa), the client will open a connection with the proxy instead. If the connection meets the criteria in the firewall rule base, the proxy will open a connection to the requested server. Because the firewall is placed in the middle of the logical connection, it can watch traffic for any signs of malicious activity at the application layer.
The key benefit of application layer filtering is the ability to block specific content, such as known malware or certain websites, and recognize when certain applications and protocols, such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP) and domain name system (DNS), are being misused. Application layer firewall rules can also be used to control the execution of files or the handling of data by specific applications.
The future of the firewall
In the early days of the internet, when AT&T's Steven M. Bellovin first used the firewall metaphor, network traffic primarily flowed north-south. This simply means that most of the traffic in a data center flowed from client-to-server and server-to-client. In the past few years, however, virtualization and trends such as converged infrastructure have created more east-west traffic, which means that sometimes the largest volume of traffic in a data center is moving from server-to-server. To deal with this change, some enterprise organizations have migrated from the traditional three-layer data center architectures to various forms of leaf-spine architectures.
This change in architecture has caused some security experts to warn that, while firewalls still have an important role to play in keeping a network secure, modern network perimeters have so many entry points and different types of users that stronger access control and security at the host are required. The need for an even greater multilayer approach has led to the emergence of what vendors are calling next-generation firewalls.
An NGFW integrates three key assets: traditional firewall capabilities, application awareness and an IPS. Like the introduction of stateful inspection to first-generation firewalls, NGFWs bring additional context to the firewall's decision-making process.
NGFWs combine the capabilities of traditional enterprise firewalls -- including network address translation (NAT), Uniform Resource Locator (URL) blocking and virtual private networks (VPN) -- with quality of service (QoS) functionality and features not traditionally found in firewall products. These products support intent-based networking by including Secure Sockets Layer (SSL) and Secure Shell (SSH) inspection, deep packet inspection (DPI) and reputation-based malware detection, as well as application awareness.