Once early internet system administrators began to understand that they were frequently being attacked, the network...
firewall was inevitable. There was destined to be some sort of process that looked at network traffic for clear signs of attackers. Exactly how this was going to work was less clear.
AT&T's Steven M. Bellovin is generally credited -- although not by himself -- with first using the term firewall to describe the process of filtering out unwanted network traffic, sometime around 1987. The name was a metaphor, likening the device to partitions that keep a fire from migrating from one part of a physical structure to another. In the networking case, the idea was to insert a filter of sorts between the ostensibly safe internal network and any traffic entering or leaving from that network's connection to the broader internet.
The term has grown gradually in familiar usage to the point that no casual conversation about network security can take place without at least mentioning it. Along the way, the firewall has evolved in various ways to produce different types of firewalls. This article somewhat arbitrarily argues that there are five key types of firewalls, but the exact number of options is not nearly as important as the idea that different kinds of firewall products do rather different things.
One thing to note is that all firewalls, regardless of what particular types of firewalls they are, exist to do something that is arguably impossible. They are inserted inline across a network connection and look at all the traffic passing through that point. As they do so, they are tasked with telling what traffic is benign and what is part of an attack.
Firewalls examine packets to keep the bad ones out of enterprise networks.
A computer program that can generally look at a string of computer instructions and determine its intent runs abruptly into a fundamental thesis of computer science, namely that there cannot exist a computer program that can perfectly predict the outcome of another computer program without running it to see what it does. By extension, it's not possible to generally look at network traffic and discern its intent.
It is, however, entirely possible to look for known patterns in network packet data that signal attacks that have been seen previously, and this is precisely what early packet filter network firewalls did -- and still do. Generally, whatever sort of firewall is deployed on a network, it is deployed with a constantly updated set of firewall rules that define the criteria under which a given packet -- or set of packets in a transaction -- can safely be routed forward to the intended recipient device.
Here are five types of firewalls that have played significant roles as the firewall category has evolved:
Packet filtering firewalls
This, the original type of firewall, operates inline at junction points where devices such as routers and switches do their work.
However, this firewall doesn't route packets, but instead compares each packet received to a set of established criteria -- such as the allowed IP addresses, packet type, port number, etc. Packets that are flagged as troublesome are, generally speaking, unceremoniously dropped -- that is, they are not forwarded and, thus, cease to exist.
Using another relatively quick way to identify malicious content, these devices monitor the TCP handshakes across the network as they are established between the local and remote hosts to determine whether the session being initiated is legitimate -- whether the remote system is considered trusted. They don't inspect the packets themselves, however.
Stateful inspection firewalls
State-aware devices, on the other hand, not only examine each packet, but also keep track of whether or not that packet is part of an established TCP session. This offers more security than either packet filtering or circuit monitoring alone, but exacts a greater toll on network performance.
A further variant of stateful inspection is the multilayer inspection firewall, which considers the flow of transactions in process across multiple layers of the ISO Open Systems Interconnection seven-layer model.
This kind of device, technically a proxy, and sometimes referred to as a proxy firewall, combines some of the attributes of packet filtering firewalls with those of circuit-level gateways. They filter packets not only according to the service for which they are intended -- as specified by the destination port -- but also by certain other characteristics, such as the HTTP request string.
While gateways that filter at the application layer provide considerable data security, they can dramatically affect network performance.
This looser category is the most recent -- and least-well delineated -- of the types of firewalls. A typical next-gen product combines packet inspection with stateful inspection, but also includes some variety of deep packet inspection.
What is meant by deep packet inspection depends a great deal on the vendor in question, but the heart of the matter is that, whereas packet inspection in traditional firewalls looks exclusively at the header of the packet, deep packet inspection looks at the actual data that the packet is carrying. Thus, such a firewall might track the progress of a web browsing session and notice that the payload of a packet, when assembled with other packets in an HTTP server reply, does not constitute a legitimate HTML formatted response.
Whichever of the types of firewalls you choose, keep in mind that a misconfigured firewall can, in some ways, be worse than no firewall at all because it lends the dangerous impression of security, while providing little or none.