Once early internet systems administrators began to understand that they were frequently being attacked, the network firewall was inevitable. There was destined to be some sort of process that looked at network traffic for clear signs of attackers. Exactly how this was going to work was less clear.
Steven Bellovin, then a fellow at AT&T Labs Research in Florham Park, N.J., and currently a professor in the computer science department at Columbia University, is generally credited -- although not by himself -- with first using the term firewall to describe the process of filtering out unwanted network traffic, sometime around 1987. The name was a metaphor, likening the device to partitions that keep a fire from migrating from one part of a physical structure to another. In the networking case, the idea was to insert a filter of sorts between the ostensibly safe internal network and any traffic entering or leaving from that network's connection to the broader internet.
The term has grown gradually in familiar usage to the point that no casual conversation about network security can take place without at least mentioning it. Along the way, the firewall has evolved in various ways to produce different types of firewalls. This article somewhat arbitrarily argues that there are five key types of firewalls, but the exact number of options is not nearly as important as the idea that different kinds of firewall products do rather different things.
The five types of firewall are:
- Packet filtering firewall
- Circuit-level gateway
- Stateful inspection firewall
- Application-level gateway (aka proxy firewall)
- Next-generation firewall (NGFW)
Firewall devices and services can offer protection beyond standard firewall function -- for example, by providing intrusion detection, denial-of-service attack protection and other security services to protect servers and other devices within the private network. While some types of firewalls can work as multifunctional security devices, don't allow such offerings to distract from the key question: Does this firewall protect the private network from external threats by examining protocol data units?
How do the different types of firewalls work?
Firewalls are inserted inline across a network connection and look at all the traffic passing through that point. As they do so, they are tasked with telling which network protocol traffic is benign and which packets are part of an attack.
Any program that tries to look at an arbitrary string of instructions and determine its intent runs into a fundamental result of computer science, the halting problem and its generalization in Rice's theorem: No program can decide, for every other program, a nontrivial property of its behavior without running it to see what it does. By extension, it is not possible, in general, to look at network traffic and discern its intent; a firewall can only approximate that judgment.
Firewalls examine packets to keep the bad ones out of enterprise networks.
It is, however, entirely possible to look for known patterns that signal traffic an organization does not want: header combinations a rule set forbids, or, in later devices, byte sequences in the payload that match attacks seen previously. Early packet filters did the former, working on addresses, ports and protocol fields alone; matching payloads against attack signatures came later, with intrusion detection systems and deep packet inspection. Generally, whatever sort of firewall is deployed on a network, it is deployed with a regularly updated set of firewall rules that define the criteria under which a given packet -- or set of packets in a transaction -- is forwarded to the intended recipient device.
Here are the five types of firewalls that continue to play significant roles as the firewall category has evolved.
Packet filtering firewall
Packet filtering firewalls operate inline at junction points where devices such as routers and switches do their work. However, these firewalls don't route packets; rather, they compare each packet received to a set of established criteria -- such as the allowed IP addresses, packet type, port number and other aspects of the packet protocol headers. They are stateless: each packet is judged on its own, with no memory of the packets that preceded it. Packets that are flagged as troublesome are, generally speaking, unceremoniously dropped -- that is, they are not forwarded and, thus, cease to exist.
Circuit-level gateway
Using another relatively quick way to identify unwanted traffic, circuit-level gateways monitor TCP handshakes and other network protocol session initiation messages as they are established between the local and remote hosts to determine whether the session being initiated is legitimate -- whether the remote system is considered trusted. Once a session is approved, they relay its traffic without inspecting the packets themselves; a SOCKS proxy is the familiar example of this design.
Stateful inspection firewall
State-aware devices, on the other hand, not only examine each packet but also keep track of whether or not that packet is part of an established TCP or other network session. This lets them admit a reply only when the firewall saw the connection being opened, which offers more security than either packet filtering or circuit monitoring alone, but the connection table they must maintain and consult for every packet exacts a greater toll on network performance.
A further variant of stateful inspection is the multilayer inspection firewall, which considers the flow of transactions in process across multiple protocol layers of the seven-layer Open Systems Interconnection (OSI) model.
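The difference between the packet filter and the stateful inspector described above comes down to one data structure, the connection table. The following added example, which is not code from the article, models both decision procedures in Python and runs them over a constructed packet trace; the internal address range, the one published web service and the rule set are assumptions made for the illustration.

```python
"""Stateless packet filtering versus stateful inspection.

Added illustration, not code from the article. Packets are modelled as a
small dataclass; the internal prefix, the published service and the trace
are constructed for the example.
"""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."      # assumption: the protected network is 10.0.0.0/24
PUBLIC_WEB = ("10.0.0.80", 80)   # assumption: one service is published to the internet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags present, as letters: S=SYN, A=ACK, F=FIN, R=RST


def is_inbound(pkt: Packet) -> bool:
    return not pkt.src.startswith(INTERNAL_PREFIX)


def stateless_allow(pkt: Packet) -> bool:
    """Packet filter: every packet is judged alone, on header fields only.

    With no memory of earlier packets, the only way to let replies to internal
    clients back in is a broad header rule: ACK set and a high destination
    port. Anything shaped like that gets through, including a bare-ACK probe.
    """
    if not is_inbound(pkt):
        return True                                  # all outbound traffic allowed
    if (pkt.dst, pkt.dport) == PUBLIC_WEB:
        return True                                  # the published service
    return "A" in pkt.flags and pkt.dport >= 1024    # "looks like a reply"


class StatefulFilter:
    """Stateful inspection: the same policy, plus a connection table."""

    def __init__(self) -> None:
        # Entries are (initiator, iport, responder, rport) for connections
        # whose opening SYN the firewall saw and allowed.
        self.conns = set()

    def allow(self, pkt: Packet) -> bool:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)   # pkt from initiator
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # pkt from responder
        new_conn = "S" in pkt.flags and "A" not in pkt.flags  # bare SYN

        if forward in self.conns or reverse in self.conns:
            if "R" in pkt.flags:                  # RST tears the entry down
                self.conns.discard(forward)
                self.conns.discard(reverse)
            return True                           # belongs to a tracked connection

        if not new_conn:
            return False   # mid-connection packet for a connection never seen

        # A new connection is allowed only if policy permits its direction.
        if not is_inbound(pkt) or (pkt.dst, pkt.dport) == PUBLIC_WEB:
            self.conns.add(forward)
            return True
        return False


# Constructed trace: an internal client browsing out, then an external host
# probing an internal database port with a bare ACK (an "ACK scan").
TRACE = [
    Packet("10.0.0.5", 40000, "93.184.216.34", 443, "S"),    # client SYN out
    Packet("93.184.216.34", 443, "10.0.0.5", 40000, "SA"),   # genuine reply
    Packet("10.0.0.5", 40000, "93.184.216.34", 443, "A"),    # handshake done
    Packet("198.51.100.7", 443, "10.0.0.9", 5432, "A"),      # ACK probe at DB port
    Packet("198.51.100.7", 51000, "10.0.0.80", 80, "S"),     # web request from outside
    Packet("198.51.100.7", 51001, "10.0.0.9", 22, "S"),      # SSH attempt from outside
]


def evaluate(trace=TRACE) -> list:
    """Return (stateless_verdict, stateful_verdict) for each packet in order."""
    sf = StatefulFilter()
    return [(stateless_allow(p), sf.allow(p)) for p in trace]


if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(TRACE, evaluate()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}] "
              f"stateless={'allow' if stateless else 'drop'} "
              f"stateful={'allow' if stateful else 'drop'}")
```

The fourth packet is the one to watch: the stateless filter passes it because it carries the ACK bit and targets a high port, which is exactly the shape of a legitimate reply, while the stateful filter drops it because no connection to 10.0.0.9:5432 was ever opened from inside. Both agree on everything else in the trace, which is why the two types are often described as the same policy with and without memory.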
Application-level gateway
This kind of device -- technically a proxy and sometimes referred to as a proxy firewall -- combines some of the attributes of packet filtering firewalls with those of circuit-level gateways. Rather than forwarding packets, it terminates the client's connection, reads the application-layer request in full and, if the request passes policy, opens its own connection to the server. That position lets it filter not only according to the service for which the traffic is intended -- as specified by the destination port -- but also by characteristics a packet filter never sees, such as the HTTP request string.
While gateways that filter at the application layer provide considerable data security, they can dramatically affect network performance.
Next-generation firewall (NGFW)
A typical NGFW combines packet inspection with stateful inspection and also includes some variety of deep packet inspection, as well as other network security systems, such as intrusion detection/prevention, malware filtering and antivirus.
While packet inspection in traditional firewalls looks exclusively at the protocol header of the packet, deep packet inspection looks at the actual data the packet is carrying. A deep packet inspection firewall tracks the progress of a web browsing session and is capable of noticing whether a packet payload, when assembled with other packets in an HTTP server reply, constitutes a legitimate HTML formatted response.
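To make concrete what the application-level gateway and the deep packet inspection described above see that a packet filter does not, the following added example, which is not code from the article or from any product, parses a raw HTTP request the way a proxy firewall would before deciding whether to open its own connection to the server, and applies a policy on method, Host header and path. It also refuses a request that frames its body two ways at once, which is the ambiguity HTTP request smuggling exploits. The policy constants and the sample requests are assumptions constructed for the illustration.

```python
"""Application-level gateway: inspecting an HTTP request before proxying it.

Added example, not code from the article or any product. The gateway has
the whole request in hand, so it can decide on application-layer fields
(method, Host, path, body framing) instead of port numbers alone. Policy
constants and sample requests below are invented for illustration.
"""
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "HEAD", "POST"}       # assumption: policy for this site
ALLOWED_HOSTS = {"www.example.com"}             # assumption: the only published host
MAX_HEAD_BYTES = 8192                           # assumption: header size cap


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, version, headers, body).

    Raises ValueError on anything malformed; a gateway treats that as a deny,
    because it cannot safely guess what the origin server would make of it.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    if len(head) > MAX_HEAD_BYTES:
        raise ValueError("request head too large")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # Reject empty names and whitespace around the name: servers disagree
        # on how to treat such headers, which is what smuggling abuses.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.lower(), []).append(value.strip())
    return method, target, version, headers, body


def inspect_request(raw: bytes) -> tuple:
    """Return ("allow", summary) or ("deny", reason) for one raw request."""
    try:
        method, target, version, headers, body = parse_request(raw)
    except ValueError as exc:
        return "deny", str(exc)
    if version != "HTTP/1.1":
        return "deny", f"unsupported version {version}"
    if method not in ALLOWED_METHODS:
        return "deny", f"method {method} not allowed"
    hosts = headers.get("host", [])
    if len(hosts) != 1 or hosts[0] not in ALLOWED_HOSTS:
        return "deny", f"host {hosts!r} not published through this gateway"
    # Content-Length and Transfer-Encoding together is the classic
    # request-smuggling setup; refuse to forward an ambiguously framed body.
    if "content-length" in headers and "transfer-encoding" in headers:
        return "deny", "ambiguous body framing (CL and TE both present)"
    if not target.startswith("/"):
        return "deny", "request target must be an absolute path"
    path = unquote(target.split("?", 1)[0])          # decode %2e%2e before checking
    if ".." in path.split("/"):
        return "deny", "path traversal in request target"
    return "allow", f"{method} {target} -> {hosts[0]}"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal":   b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "method":   b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "traverse": b"GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "host":     b"GET / HTTP/1.1\r\nHost: internal-admin.example.com\r\n\r\n",
    "smuggle":  (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
}


def inspect_samples() -> dict:
    """Run the gateway check over every sample; returns name -> verdict."""
    return {name: inspect_request(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, reason = inspect_request(raw)
        print(f"{name:9s} {verdict:5s} {reason}")
```

Every one of the denied samples arrives on destination port 80 with a well-formed TCP session, so a packet filter or stateful inspector would forward all five. The decisions here depend entirely on having the full request reassembled and parsed, which is also why this class of device costs more in latency and CPU than the header-only types.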
How to choose the right type of firewall
Choosing the right type of firewall means answering questions about what the firewall is intended to do, how it will be used, what it is meant to protect and a range of general questions about the infrastructure around it. The right firewall will almost invariably differ from one organization to another, as each private network is unique and has its own requirements.
Issues to consider include:
- What are the technical objectives for the firewall, and can a simpler product work better instead of a firewall with more features and capabilities that may not be necessary?
- How does the firewall fit into the organization's architecture? A firewall that fronts a low-visibility service exposed on the internet is positioned differently, and may need to inspect differently, than one protecting a web application.
- What kind of traffic inspection is necessary? Some applications require examining the contents of every packet, while others are adequately protected by sorting packets on source/destination addresses and ports.
Many firewall implementations incorporate features of different types of firewalls, so choosing a type of firewall is rarely a matter of finding one that fits neatly into any particular category. For example, an NGFW may incorporate features of packet filtering firewalls, application-level gateways or stateful inspection firewalls.
Choosing the ideal firewall begins with understanding the architecture and functions of the private network being protected but also calls for understanding the different types of firewalls and firewall policies that are most effective for the organization.
Whichever of the types of firewalls you choose, keep in mind that a misconfigured firewall can, in some ways, be worse than no firewall at all because it lends the dangerous impression of security, while providing little or none.
Peter Loshin contributed to this report.