A firewall is software or firmware that enforces a set of rules about what data packets will be allowed to enter or leave a computer network. A firewall's main purpose is to filter traffic and lower the risk that malicious packets traveling over the public internet will be able to impact the security of a private network. Firewalls are incorporated into a wide variety of networked devices and may also be purchased as stand-alone software applications.
The term firewall is a metaphor that compares a type of physical barrier that's put in place to limit the damage a fire can cause with a virtual barrier that's put in place to limit damage from an external or internal cyberattack. When located at the perimeter of a network, a firewall provides low-level network protection, as well as important logging and auditing functions.
When organizations began moving from mainframe computers and dumb clients to the client-server model, the ability to control access to the server became a priority. Before the first firewalls emerged based on work done in the late 1980s, the only real form of network security was enforced through access control lists (ACLs) residing on routers. ACLs specified which Internet Protocol (IP) addresses were granted or denied access to the network.
The exponential growth of the internet and the resulting increase in connectivity of networks, however, meant that filtering network traffic by IP address alone was no longer enough. Static packet-filtering firewalls, which examine packet headers and use rules to make decisions about what traffic to let through, arguably became the most important part of every network security initiative by the end of the last century.
How does a firewall work?
A network firewall works by establishing a border between the internet and the network it guards. It is inserted inline across a network connection and inspects all packets entering the network. As it inspects, a rules engine distinguishes between traffic that is benign and traffic that is potentially dangerous.
A firewall is not capable of making judgments on its own -- no computer is. Instead, it follows programmed rules created by humans. These rules dictate whether the firewall should let a packet through the network barrier. If a packet matches a pattern that indicates danger, the corresponding rule will instruct the firewall not to let the packet through. These rules have to be constantly updated because the criteria for what patterns indicate a dangerous packet change frequently.
Why are firewalls important?
A firewall is the most basic and oldest form of network security. The term has become so familiar that any conversation about cybersecurity can be assumed to at least mention it.
A firewall ideally eliminates, or at least reduces, exposure to external hosts, protocols and networks that are known to be vectors for network threats. It is the foundation on which current network security technologies build. As the nature of network threats and networks themselves change, the firewall still plays an important role -- albeit alongside other, more recent technologies.
The primary function of all firewalls is the same: screen network traffic to prevent unauthorized access between computer networks. There are many ways to perform that function, which vary based on the user's needs and the size and state of the user's network. As a result, there are several types of firewalls. The two main types are host-based and network-based.
A host-based firewall is installed on individual servers and monitors incoming and outgoing signals. Network-based firewalls can be built into the cloud's infrastructure or be delivered as a virtual firewall service.
Types of firewalls
- A packet-filtering firewall examines packets in isolation and does not know the packet's context.
- A stateful inspection firewall examines network traffic to determine whether one packet is related to another packet.
- A proxy firewall (aka application-level gateway) inspects packets at the application layer of the Open Systems Interconnection (OSI) reference model.
- A next-generation firewall (NGFW) uses a multilayered approach to integrate enterprise firewall capabilities with an intrusion prevention system (IPS) and application control.
- A personal firewall is software used to protect a single internet-connected computer from attacks, as opposed to a multitude of devices.
How packet-filtering firewalls work
When a packet passes through a packet-filtering firewall, its source and destination address, protocol and destination port number are checked. The packet is dropped -- it's not forwarded to its destination -- if it does not comply with the firewall's rule set. For example, if a firewall is configured with a rule to block Telnet access, then the firewall will drop packets destined for Transmission Control Protocol (TCP) port number 23, the port where a Telnet server application would be listening.
A packet-filtering firewall works mainly on the network layer of the OSI reference model, although the transport layer is used to obtain the source and destination port numbers. It examines each packet independently and does not know whether any given packet is part of an existing stream of traffic.
The packet-filtering firewall is effective, but because it processes each packet in isolation, it can be vulnerable to IP spoofing attacks and has largely been replaced by stateful inspection firewalls.
How stateful inspection firewalls work
Stateful inspection firewalls -- also known as dynamic packet-filtering firewalls -- maintain a table that keeps track of all open connections. When new packets arrive, the firewall compares information in the packet header to the state table and determines whether it is part of an established connection. If it is part of an existing connection, then the packet is allowed through without further analysis. If the packet doesn't match an existing connection, it is evaluated according to the rule set for new connections.
Stateful inspection firewalls monitor communication packets over time and examine both incoming and outgoing packets. Outgoing packets that are requests for specific types of incoming packets are tracked, and only those incoming packets constituting a proper response are allowed through the firewall. Although stateful inspection firewalls are quite effective, they can be vulnerable to denial-of-service (DoS) attacks.
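The two mechanisms described above (a stateless packet filter that judges each packet by its header fields alone, and a stateful firewall that adds a table of open connections) can be modelled in a few dozen lines. The following is an added example written for this article, not code from any firewall product; the packet and rule classes, the 10.0.0.0/8 internal range and the rule set are constructed assumptions. It shows why a stateless filter must either block the reply to an outbound HTTPS connection or open a broad hole for it, while the stateful version allows only replies to connections it has already recorded.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter reads (constructed model, not a real parser)."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; the default matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def packet_filter(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Stateless filter: each packet is judged alone, first matching rule wins."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


INTERNAL = "10.0.0.0/8"  # assumed private address range of the protected network
RULES = [
    Rule("deny", proto="tcp", dport=23),                  # the Telnet rule from the text
    Rule("allow", src=INTERNAL, proto="tcp", dport=443),  # inside hosts may open HTTPS
]

ConnKey = Tuple[str, int, str, int, str]


class StatefulFirewall:
    """Same rule set, plus a state table of connections already allowed."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.table: Set[ConnKey] = set()

    @staticmethod
    def _key(pkt: Packet) -> ConnKey:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    @staticmethod
    def _reply_key(pkt: Packet) -> ConnKey:
        # The table entry an inbound reply to a tracked connection would match.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)

    def process(self, pkt: Packet) -> str:
        if self._key(pkt) in self.table or self._reply_key(pkt) in self.table:
            return "allow"  # established connection: no further rule evaluation
        decision = packet_filter(self.rules, pkt)
        if decision == "allow":
            self.table.add(self._key(pkt))  # new connection: remember it
        return decision


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Returns {scenario: (stateless decision, stateful decision)} for sample packets."""
    fw = StatefulFirewall(RULES)
    outbound = Packet("10.1.2.3", "203.0.113.10", "tcp", 51000, 443)
    reply = Packet("203.0.113.10", "10.1.2.3", "tcp", 443, 51000)
    unsolicited = Packet("198.51.100.7", "10.1.2.3", "tcp", 443, 51000)
    telnet = Packet("10.1.2.3", "203.0.113.10", "tcp", 51001, 23)
    results = {}
    for name, pkt in [("outbound_https", outbound), ("https_reply", reply),
                      ("unsolicited_inbound", unsolicited), ("telnet", telnet)]:
        results[name] = (packet_filter(RULES, pkt), fw.process(pkt))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:22} stateless={stateless:5} stateful={stateful}")
```

The order of packets matters: the outbound HTTPS packet is processed first and recorded, so the reply from 203.0.113.10 is accepted as part of that connection, while the packet from 198.51.100.7 with identical ports is refused because no tracked connection explains it. A real firewall also ages entries out of the table and checks TCP flags and sequence numbers, which is omitted here.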
As attacks against web servers became more common, it became apparent that there was a need for firewalls to protect networks from attacks at the application layer. Packet-filtering and stateful inspection firewalls can't distinguish among valid application layer protocol requests, data and malicious traffic encapsulated within apparently valid protocol traffic.
Firewalls examine packets to keep the bad ones out of enterprise networks.
How application layer and proxy firewalls work
An application firewall may also be referred to as a proxy-based or reverse-proxy firewall. They provide application layer filtering and can examine the payload of a packet and distinguish among valid requests, data and malicious code disguised as a valid request or data.
Since this type makes a decision based on the payload's content, it gives security engineers more granular control over network traffic and sets rules to permit or deny specific application requests or commands. For example, it can allow or deny a specific incoming Telnet command from a particular user, whereas other types can only control general incoming requests from a particular host.
If this type of firewall can also prevent an attacker from connecting directly to the network, it works even better. When the firewall lives on a proxy server, it makes it harder for an attacker to discover where the network actually is and creates yet another layer of security.
When there is a proxy firewall in place, both the client and the server are forced to conduct the session through an intermediary -- the proxy server that hosts an application layer firewall. Now, each time an external client requests a connection with an internal server or vice versa, the client will open a connection with the proxy instead.
If the connection meets the criteria in the firewall rule base, the proxy will open a connection to the requested server. Because the firewall is placed in the middle of the logical connection, it can watch traffic for any signs of malicious activity at the application layer.
The key benefit of application layer filtering is the ability to block specific content, such as known malware or certain websites, and recognize when certain applications and protocols, such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP) and domain name system (DNS), are being misused. Application layer firewall rules can also be used to control the execution of files or the handling of data by specific applications.
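To make the difference from header-based filtering concrete, here is an added example of the kind of decision an application layer proxy makes, written for this article and not taken from any product. It parses the HTTP request that a client sends to the proxy and applies a constructed rule base: a blocked site list, the set of methods any client may use, and a method (DELETE) that only an assumed administrative source address may issue, the HTTP counterpart of the per-user Telnet command control mentioned above. Bytes that are not HTTP at all are refused as protocol misuse on an HTTP port, something a port-based filter cannot see.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed rule base for a proxy in front of an internal web server (assumptions).
BLOCKED_HOSTS = {"malware.example"}        # "certain websites"
GENERAL_METHODS = {"GET", "HEAD", "POST"}  # what any client may do
ADMIN_CLIENTS = {"10.0.0.5"}               # only these sources may issue DELETE


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)


def parse_http_request(raw: bytes) -> Optional[HttpRequest]:
    """Parse the request line and headers; None when the bytes are not HTTP at all."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None  # malformed header line
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, version, headers)


def inspect(client_ip: str, raw: bytes) -> Tuple[str, str]:
    """Application-layer decision for one request: (action, reason)."""
    req = parse_http_request(raw)
    if req is None:
        return ("deny", "payload is not HTTP: protocol misuse on an HTTP port")
    host = req.headers.get("host", "").split(":")[0].lower()
    if host in BLOCKED_HOSTS:
        return ("deny", f"blocked site {host}")
    if req.method == "DELETE":
        if client_ip in ADMIN_CLIENTS:
            return ("allow", f"DELETE permitted for {client_ip}")
        return ("deny", f"DELETE not permitted for {client_ip}")
    if req.method not in GENERAL_METHODS:
        return ("deny", f"method {req.method} not permitted")
    return ("allow", f"{req.method} {req.target} to {host or 'no host'}")


# Constructed sample traffic: every item would look identical to a port-80 filter.
SAMPLES = {
    "normal_get": ("10.0.0.9", b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    "blocked_site": ("10.0.0.9", b"GET / HTTP/1.1\r\nHost: malware.example\r\n\r\n"),
    "admin_delete": ("10.0.0.5", b"DELETE /api/item/7 HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    "user_delete": ("10.0.0.9", b"DELETE /api/item/7 HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    "trace": ("10.0.0.9", b"TRACE / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    "not_http": ("10.0.0.9", b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"),  # TLS-looking bytes
}


def run_samples() -> Dict[str, str]:
    """Returns {sample name: action} so the decisions can be checked."""
    return {name: inspect(ip, raw)[0] for name, (ip, raw) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ip, raw) in SAMPLES.items():
        print(f"{name:13} from {ip}: {inspect(ip, raw)}")
```

Because the proxy terminates the client's connection and opens its own to the server, it sees the whole request rather than individual packets, which is what makes this kind of payload inspection possible in the first place.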
Personal firewalls are especially useful for users with always-on connections, like Digital Subscriber Line (DSL) or cable modem, because those connection types use static IP addresses. These attributes make a network especially vulnerable to potential hackers. As with all firewalls, the personal model's main function is to filter inbound and outbound traffic and to alert the user to intrusions. The difference is that it is for personal use and guards a single home network, as opposed to a large network with many potentially dispersed devices. It is often compared to antivirus applications.
A firewall can either be software- or hardware-based. It is possible, and often advisable, to have both, depending on the user's needs. The benefit of having a physical firewall device is that it tends to be relatively tamper-proof, because tampering with it requires physical access. Also, because it is a dedicated network device, data passes through it quickly. It should not have a negative impact on network speed.
However, a hardware firewall device is incapable of reading the content that passes through it. It is only capable of blocking sources of information, such as a device. For this reason, it is good for setting restrictions between in-home devices but is not optimal for monitoring network traffic, as it is not able to filter network traffic based on content.
For an organization to be truly secure, it must engage in security information and event management (SIEM) using a firewall or a combination of cybersecurity devices. There are several vulnerabilities and threats that must be prevented using a firewall. Just having one of the types of firewalls mentioned above is not enough to ensure security. Effective firewall use comes from having the right type, as well as proper maintenance and use of that firewall. Some use cases include the following:
- Detecting an insider attack: A perimeter firewall is only meant to guard against attackers outside of a system. It is useless against insider attacks. The only firewall-based guard against insider attacks is the use of internal firewalls on top of a perimeter firewall. An internal firewall helps partition individual assets in a network. Organizations should audit all sensitive files, folders and documents to detect a potential insider threat. All the audits should measure up to baseline documentation within the organization that outlines best practices for using the organization's network. Some examples of behavior that might indicate an insider threat include the following:
  - transmission of sensitive data in plain text
  - resource access outside of business hours
  - failed attempts by a user to access sensitive resources
  - network resource access by third-party users
- Updating patches and settings: Failing to install security patches can cause vulnerabilities to go untreated. Vendors discover these and develop patches to cover them as soon as possible. If users fail to implement the patches, the vulnerability sits waiting to be exploited. Also, poorly or improperly configuring the settings of a firewall can be costly and time-consuming.
- Deep packet inspection (DPI): DPI, also called Layer 7 inspection, is an inspection mode used by NGFWs to examine the data carried inside the packets they inspect. Less advanced firewalls simply check the origin and destination of the packet without looking inside. Not checking the contents of a packet enables malware to get through.
- Preventing distributed DoS (DDoS) attacks: A DDoS attack is a malicious attempt to disrupt normal traffic of a targeted network by overwhelming the target or its surrounding infrastructure with a flood of traffic. It utilizes multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources, such as internet of things (IoT) devices. A DDoS attack is like a traffic jam preventing regular traffic from arriving at its desired destination. The key concern in mitigating a DDoS attack is differentiating between attack and normal traffic.
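The insider-threat indicators listed above (sensitive data sent in plain text, access outside business hours, failed access to sensitive resources, third-party accounts touching network resources) are the kind of thing an internal firewall or file server log can be audited for. The following is an added example written for this article, not taken from any product: it runs a small set of checks over a constructed access log. The log format, the sensitive share prefixes, the plaintext protocol list, the 08:00 to 17:59 weekday business hours and the `ext_` naming convention for vendor accounts are all assumptions standing in for the organization's own baseline documentation.

```python
from datetime import datetime
from typing import List, Tuple

# Constructed sample access log (not from any real system). Field order:
# "<ISO timestamp> <user> <source IP> <resource> <protocol> <result>"
SAMPLE_LOG = """\
2024-03-04T10:15:00 alice 10.0.1.20 /shares/hr/payroll.xlsx smb SUCCESS
2024-03-04T02:40:00 bob 10.0.1.31 /shares/hr/payroll.xlsx smb SUCCESS
2024-03-04T11:02:00 bob 10.0.1.31 /shares/hr/payroll.xlsx ftp SUCCESS
2024-03-04T11:05:00 carol 10.0.1.44 /shares/finance/forecast.xlsx smb FAILURE
2024-03-04T14:30:00 ext_vendor1 172.16.9.8 /shares/eng/design.pdf smb SUCCESS
2024-03-04T15:00:00 alice 10.0.1.20 /shares/public/menu.pdf smb SUCCESS
"""

# Assumed baseline, standing in for the organization's own documentation.
SENSITIVE_PREFIXES = ("/shares/hr/", "/shares/finance/")
PLAINTEXT_PROTOCOLS = {"ftp", "telnet", "http"}   # carry data unencrypted
BUSINESS_HOURS = range(8, 18)                     # 08:00 to 17:59, Monday to Friday
THIRD_PARTY_PREFIX = "ext_"                       # naming convention for vendor accounts

Finding = Tuple[str, str, str]  # (timestamp, user, indicator)


def indicators_for(ts: datetime, user: str, resource: str,
                   proto: str, result: str) -> List[str]:
    """Apply each indicator from the text to one access record."""
    sensitive = resource.startswith(SENSITIVE_PREFIXES)
    found = []
    if sensitive and proto in PLAINTEXT_PROTOCOLS:
        found.append("sensitive_data_plaintext")
    if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
        found.append("after_hours_access")
    if sensitive and result == "FAILURE":
        found.append("sensitive_access_failure")
    if user.startswith(THIRD_PARTY_PREFIX):
        found.append("third_party_access")
    return found


def detect(log_text: str) -> List[Finding]:
    """Parse the log and return every (timestamp, user, indicator) triggered."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_s, user, _src, resource, proto, result = line.split()
        ts = datetime.fromisoformat(ts_s)
        for indicator in indicators_for(ts, user, resource, proto, result):
            findings.append((ts_s, user, indicator))
    return findings


if __name__ == "__main__":
    for ts_s, user, indicator in detect(SAMPLE_LOG):
        print(f"{ts_s} {user:12} {indicator}")
```

Each indicator on its own is weak evidence (bob working at 02:40 may simply be on call), which is why the text says audits should be measured against a documented baseline; the value of a check like this is in correlating several findings for the same user rather than alerting on any one.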
The future of the firewall
In the early days of the internet, when AT&T's Steven M. Bellovin first used the firewall metaphor, network traffic primarily flowed north-south. This simply means that most of the traffic in a data center flowed from client to server and server to client. In the past few years, however, virtualization and trends such as converged infrastructure have created more east-west traffic, which means that, sometimes, the largest volume of traffic in a data center is moving from server to server. To deal with this change, some enterprise organizations have migrated from the traditional three-layer data center architectures to various forms of leaf-spine architectures.
This change in architecture has caused some security experts to warn that, while firewalls still have an important role to play in keeping a network secure, modern network perimeters have so many entry points and different types of users that stronger access control and security at the host are required. The need for an even greater multilayer approach has led to the emergence of NGFWs.
An NGFW integrates three key assets: traditional firewall capabilities, application awareness and an IPS. Like the introduction of stateful inspection to first-generation firewalls, NGFWs bring additional context to the firewall's decision-making process.
NGFWs combine the capabilities of traditional enterprise firewalls -- including Network Address Translation (NAT), Uniform Resource Locator (URL) blocking and virtual private networks (VPNs) -- with quality of service (QoS) functionality and features not traditionally found in firewall products. These products support intent-based networking by including Secure Sockets Layer (SSL) and Secure Shell (SSH) inspection, DPI and reputation-based malware detection, as well as application awareness.
Vulnerabilities and the future of network security
Despite the advancement of NGFWs from earlier incarnations of the firewall, there are still vulnerabilities. The firewall was the ideal form of network security in the days of computing when a singular network needed to be protected.
With the way networks are gradually changing, other security methods are better for handling advanced persistent threats (APTs). These alternative, yet complementary methods include the following:
- Software-defined perimeters (SDPs): With the recent and exponentially growing shift to more cloud-based frameworks, such as infrastructure as a service (IaaS) and software as a service (SaaS), firewalls are becoming less optimal. An SDP is more aptly suited than firewalls to these frameworks because it doesn't add latency in the same way that a firewall does. It also works better within increasingly identity-centric security models. This is because it focuses on securing user access rather than IP address-based access. An SDP is based on a zero-trust framework.
- IPS: An IPS functions in the same general space as a firewall: between the network and the user. However, instead of just inspecting packet headers and IP addresses, it inspects the actual payload of packets. It then logs the threat and attempts to mitigate its damage.
- Intrusion detection system (IDS): This is the same basic system as the IPS, but it does not actively mitigate the threats after it detects them. An IDS is a passive system that only logs and alerts on threats. It does not act.
- Unified threat management (UTM): UTM is the combination of multiple security services and features into one appliance or service. While NGFWs are comparable to UTM systems, UTM systems include more features, such as VPNs, spam filtering and URL filtering for web content. Many UTM solutions also include either an IDS or IPS in conjunction with a firewall.
In today's security environment, there is still a demand for firewalls alongside these newer solutions as part of a UTM approach. Enterprises looking to purchase a firewall should be aware of their needs and choose accordingly, as there are many different types of firewalls with different features and many different vendors that specialize in those different types. Here are a few reputable NGFW vendors:
- Palo Alto: extensive coverage but not cheap.
- SonicWall: good value, with solutions for small, midsize and large-scale networks. Its only downfall is that it is somewhat lacking in cloud features.
- Cisco: largest breadth of features for an NGFW but not cheap either.
- Sophos: good for midsize enterprises and easy to use.
- Barracuda: decent value, great management, support and cloud features.
- Fortinet: extensive coverage, great value and some cloud features.
Firewall vendors face increasing pressure because even an NGFW can't protect an organization's digital assets against all cloud-based and insider threats. Still, the enterprise firewall market remains strong, despite software and cloud-based solutions, such as SDP, becoming more popular.