Everyone understands the basic function of a firewall – to protect your network from malware and unauthorized access. But the exact details of how firewalls work are less well known.
What exactly is a firewall? How do the different types of firewalls work? And perhaps most importantly, which type of firewall is best?
Simply put, a firewall is just another network endpoint. What makes it special is its ability to intercept and scan incoming traffic before it enters the internal network, preventing malicious actors from gaining access.
Authenticating every connection, hiding the destination IP address from hackers and even scanning the contents of every data packet: firewalls do all of this. A firewall serves as a checkpoint that carefully monitors which kinds of communication are let in.
Packet filtering firewalls
Packet filtering firewalls are the simplest and least resource intensive firewall technology available. Though out of favor today, they were the staple of network security on old computers.
A packet filtering firewall works at the packet level and scans every incoming packet that arrives from the network router. It does not actually inspect the contents of the data packets; it only reads their headers. That is enough for the firewall to check metadata such as the source and destination addresses and the port numbers.
As you might suspect, this type of firewall is not very effective on its own. All a packet filtering firewall can do is cut unnecessary network traffic according to its access control list. Since the contents of the packet itself are never checked, malware can still get through.
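The access control list described above, as an added illustration that is not part of the original article: a first-match packet filter that decides purely on header fields. The network ranges, the rule set and the sample packets are all constructed for this example. Note that the filter never reads the payload field at all, which is exactly the limitation the paragraph describes, and that rule order matters because the first match wins.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


# Constructed packet: header fields plus a payload the filter deliberately ignores.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # any source
    dst: str = "0.0.0.0/0"       # any destination
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        # Only header metadata is consulted; pkt.payload is never examined.
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def filter_packet(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched falls to an implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed ACL for a hypothetical 10.0.0.0/24 internal network that publishes
# one web server (10.0.0.10). The deny for 192.0.2.0/24 must come before the
# allows, otherwise a blocked source could still reach the web server.
ACL = [
    Rule("deny", src="192.0.2.0/24"),
    Rule("allow", dst="10.0.0.10/32", proto="tcp", dport=443),
    Rule("allow", dst="10.0.0.10/32", proto="tcp", dport=80),
    Rule("allow", src="10.0.0.0/24"),   # internal hosts may talk to each other freely
]


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "10.0.0.10", "tcp", 51000, 443, b"GET / HTTP/1.1"),
        Packet("203.0.113.5", "10.0.0.10", "tcp", 51001, 22),
        Packet("192.0.2.7", "10.0.0.10", "tcp", 51002, 443),
        Packet("10.0.0.20", "10.0.0.10", "tcp", 5000, 22),
    ]
    for pkt in samples:
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, filter_packet(ACL, pkt))
```

Whatever the payload of the first sample packet contains, the verdict is the same, because the decision is made before the payload is ever looked at.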
Circuit Level Gateways
Another resource-efficient way to verify the legitimacy of network connections is a circuit-level gateway. Rather than checking the headers of individual data packets, a circuit-level gateway verifies the session itself.
Again, a firewall like this does not inspect the contents of the transmission itself, which leaves it vulnerable to a myriad of attacks. That said, verifying Transmission Control Protocol (TCP) connections at the session layer of the OSI model requires very few resources and can effectively shut down unwanted network connections.
This is why circuit-level gateways are commonly built into network security solutions, especially software firewalls. These gateways also help mask the user’s IP address by creating a virtual connection for each session.
Stateful Inspection Firewalls
Both packet filtering firewalls and circuit-level gateways are stateless firewall implementations. This means they work with a static rule set, which limits their effectiveness: each packet (or session) is treated individually, so only very basic checks can be performed.
A stateful inspection firewall, on the other hand, keeps track of the state of the connection, along with the details of each packet sent through it. By monitoring the TCP handshake for the lifetime of the connection, a stateful inspection firewall can compile a table of source and destination IP addresses and port numbers and match incoming packets against this dynamic rule set.
This makes it difficult for malicious data packets to sneak past a stateful inspection firewall. On the other hand, this kind of firewall has higher resource costs, which slow down performance and give hackers an opening to mount Distributed Denial-of-Service (DDoS) attacks against the system.
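The session verification of the circuit-level gateway and the state table of the stateful inspection firewall, both described above, in one added example that is not code from the original article. It tracks each TCP flow through SYN, SYN-ACK and ACK, allows only segments consistent with the recorded state, and caps the table size so that a flood of new connections exhausts the table rather than the firewall itself (the resource cost the paragraph mentions). The internal network, the published service and the sample segments are constructed; the handling of retransmissions and sequence numbers is omitted for brevity.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Set, Tuple


# Constructed TCP segment carrying only the header fields a stateful firewall uses.
@dataclass(frozen=True)
class TcpSegment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "FIN", "RST"}


# State-table key: (initiator ip, initiator port, responder ip, responder port)
FlowKey = Tuple[str, int, str, int]


class StatefulFirewall:
    def __init__(self, internal_net: str, published: Set[Tuple[str, int]], max_entries: int = 1000):
        self.internal = ip_network(internal_net)
        self.published = published      # (ip, port) pairs allowed to accept inbound SYNs
        self.max_entries = max_entries  # hard bound on table size; exhaustion is the DDoS angle
        self.table: Dict[FlowKey, str] = {}

    def _new_flow_permitted(self, seg: TcpSegment) -> bool:
        # A flow may only begin with a bare SYN, and only when it is outbound from an
        # internal host or inbound to a service that is explicitly published.
        if seg.flags != frozenset({"SYN"}):
            return False
        outbound = ip_address(seg.src) in self.internal
        return outbound or (seg.dst, seg.dport) in self.published

    def inspect(self, seg: TcpSegment) -> str:
        fwd: FlowKey = (seg.src, seg.sport, seg.dst, seg.dport)
        rev: FlowKey = (seg.dst, seg.dport, seg.src, seg.sport)
        if fwd in self.table:
            key, from_initiator = fwd, True
        elif rev in self.table:
            key, from_initiator = rev, False
        else:
            if not self._new_flow_permitted(seg):
                return "drop"           # unsolicited or out-of-sequence first segment
            if len(self.table) >= self.max_entries:
                return "drop"           # table exhausted: refuse new flows, keep running
            self.table[fwd] = "SYN_SENT"
            return "allow"

        state, f = self.table[key], seg.flags
        if "RST" in f:
            del self.table[key]         # abortive close: forget the flow, let the RST pass
            return "allow"
        if "FIN" in f:
            if state == "ESTABLISHED":
                self.table[key] = "CLOSING"   # first FIN: half-closed, keep tracking
                return "allow"
            if state == "CLOSING":
                del self.table[key]           # second FIN completes the close
                return "allow"
            return "drop"
        if state == "SYN_SENT" and not from_initiator and f == frozenset({"SYN", "ACK"}):
            self.table[key] = "SYN_RECEIVED"
            return "allow"
        if state == "SYN_RECEIVED" and from_initiator and f == frozenset({"ACK"}):
            self.table[key] = "ESTABLISHED"   # handshake complete
            return "allow"
        if state in ("ESTABLISHED", "CLOSING") and "ACK" in f and "SYN" not in f:
            return "allow"                    # ordinary data/ack segment on a live flow
        return "drop"                         # inconsistent with the recorded state


def handshake_demo() -> List[str]:
    """Run constructed segments through a tiny firewall (table capped at 2 flows)."""
    fw = StatefulFirewall("10.0.0.0/24", published={("10.0.0.10", 443)}, max_entries=2)
    SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    segments = [
        TcpSegment("10.0.0.20", "203.0.113.5", 40000, 443, SYN),     # outbound SYN: allow
        TcpSegment("203.0.113.5", "10.0.0.20", 443, 40000, SYNACK),  # expected reply: allow
        TcpSegment("10.0.0.20", "203.0.113.5", 40000, 443, ACK),     # handshake done: allow
        TcpSegment("203.0.113.5", "10.0.0.20", 443, 40000, ACK),     # data on live flow: allow
        TcpSegment("203.0.113.9", "10.0.0.20", 443, 40001, ACK),     # unsolicited ACK: drop
        TcpSegment("203.0.113.9", "10.0.0.20", 1234, 22, SYN),       # SYN to unpublished port: drop
        TcpSegment("203.0.113.9", "10.0.0.10", 1234, 443, SYN),      # SYN to published service: allow
        TcpSegment("203.0.113.77", "10.0.0.10", 1235, 443, SYN),     # table full: drop
    ]
    return [fw.inspect(s) for s in segments]


if __name__ == "__main__":
    print(handshake_demo())
```

The last two segments show the trade-off the paragraph raises: every half-open connection costs a table entry, so a bounded table is what keeps a connection flood from turning into a memory problem, at the price of refusing legitimate new flows while the table is full.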
Proxy firewalls, more commonly known as application-level gateways, operate at the front-facing layer of the OSI model, the application layer. As the last layer separating the user from the network, it allows the most thorough (and most expensive) inspection of data packets, at the cost of performance.
Similar to circuit-level gateways, proxy firewalls act as an intermediary between the client and the host, obscuring the internal IP addresses and ports of the destination. In addition, application-level gateways perform in-depth packet inspection to ensure no malicious traffic can penetrate.
And while all these measures significantly increase network security, they also slow down incoming traffic. Network performance takes a hit because of the resource-intensive checks a stateful firewall like this performs, making it unsuitable for performance-sensitive applications.
In many network configurations, the core of the security design is a private network that hides the individual IP addresses of client devices from both hackers and service providers. As we have already seen, this can be accomplished with a proxy firewall or a circuit-level gateway.
A much simpler way of hiding IP addresses is a Network Address Translation (NAT) firewall. NAT firewalls do not need many system resources to function, which makes them the ideal link between servers and the internal network.
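How a NAT firewall hides internal addresses, as an added example that is not part of the original article: a port-overloading translator that rewrites outbound packets to one public address, records the mapping, and delivers an inbound packet only when it answers a mapping an internal host created. The addresses, port range and sample packets are constructed; real implementations also age mappings out and handle ICMP and fragments, which is omitted here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


# Constructed packet header: the fields NAT rewrites or matches on.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class NatFirewall:
    """Port-overloading NAT: every internal host shares one public address and is
    distinguished on the outside only by the public source port."""

    def __init__(self, internal_net: str, public_ip: str, first_port: int = 40000):
        self.internal = ip_network(internal_net)
        self.public_ip = public_ip
        self.next_port = first_port
        # (internal ip, internal port, external ip, external port) -> public port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, external ip, external port) -> (internal ip, internal port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an internal host's packet so it leaves with the public address."""
        if ip_address(pkt.src) not in self.internal:
            return None                          # not an internal host: nothing to translate
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound:
            public_port = self.next_port         # allocate a fresh public port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[(public_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pkt.dst, self.outbound[key], pkt.dport)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver a reply to the host that opened the mapping; drop everything else."""
        key = (pkt.dport, pkt.src, pkt.sport)
        if pkt.dst != self.public_ip or key not in self.inbound:
            return None     # no mapping: internal hosts cannot be reached from outside
        internal_ip, internal_port = self.inbound[key]
        return Packet(pkt.src, internal_ip, pkt.sport, internal_port)


if __name__ == "__main__":
    nat = NatFirewall("10.0.0.0/24", "198.51.100.1")
    # Two internal hosts reach the same external server from the same local port.
    print(nat.translate_outbound(Packet("10.0.0.20", "203.0.113.5", 50000, 443)))
    print(nat.translate_outbound(Packet("10.0.0.21", "203.0.113.5", 50000, 443)))
    # The server's reply on the second public port lands on the second host.
    print(nat.translate_inbound(Packet("203.0.113.5", "198.51.100.1", 443, 40001)))
    # An unsolicited packet from a different external host matches no mapping.
    print(nat.translate_inbound(Packet("203.0.113.9", "198.51.100.1", 443, 40000)))
```

Because the mapping key includes the external address and port, a packet from a different external host aimed at an in-use public port is still dropped; that implicit "reply only" behaviour is what gives NAT its firewall-like effect even though it inspects nothing beyond the header.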
Web Application Firewalls
Only firewalls operating at the application layer, such as a proxy firewall or, better yet, a Web Application Firewall (WAF), can inspect data packets in depth.
Deployed on the network or on the host itself, a WAF inspects all the data sent to and from web applications and makes sure no malicious code gets through. This type of firewall architecture specializes in deep packet inspection and provides better security than firewalls that only look at the surface of a packet.
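The content inspection that separates a WAF from the header-only firewalls above, as an added example that is not code from the original article. It applies a positive-security (allow-list) policy to the body of an HTTP form submission: only known paths, known parameters, bounded lengths and a permitted character set get through, so anything the policy does not describe is rejected without the WAF needing a catalogue of attack strings. The endpoint, the policy and the sample requests are constructed; a real WAF would also cover headers, JSON bodies and rate limits.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import parse_qs


# Constructed request: method, path and a form-encoded body, i.e. the application-layer
# content that header-only firewalls never see.
@dataclass(frozen=True)
class HttpRequest:
    method: str
    path: str
    body: str


# Per-parameter rule: maximum length and the pattern a value must fully match.
@dataclass(frozen=True)
class ParamRule:
    max_len: int
    pattern: str


# Constructed positive-security policy for one hypothetical endpoint. Paths,
# parameters and characters the policy does not explicitly allow are rejected.
POLICY: Dict[str, Dict[str, ParamRule]] = {
    "/login": {
        "username": ParamRule(64, r"[A-Za-z0-9_.@-]+"),
        "password": ParamRule(128, r"[^\r\n\x00]+"),
    },
}


def inspect_request(req: HttpRequest) -> List[str]:
    """Return the list of policy violations; an empty list means forward the request."""
    rules = POLICY.get(req.path)
    if rules is None:
        return [f"path {req.path} not in policy"]
    violations: List[str] = []
    if req.method != "POST":
        violations.append(f"method {req.method} not permitted for {req.path}")
    params = parse_qs(req.body, keep_blank_values=True)
    for name, values in params.items():
        if name not in rules:
            violations.append(f"unexpected parameter {name}")
            continue
        rule = rules[name]
        for value in values:
            if len(value) > rule.max_len:
                violations.append(f"{name} exceeds {rule.max_len} characters")
            elif not re.fullmatch(rule.pattern, value):
                violations.append(f"{name} contains disallowed characters")
    for name in rules:
        if name not in params:
            violations.append(f"missing parameter {name}")
    return violations


if __name__ == "__main__":
    samples = [
        HttpRequest("POST", "/login", "username=alice&password=hunter2"),
        HttpRequest("POST", "/login", "username=alice&password=hunter2&debug=1"),
        HttpRequest("POST", "/login", "username=" + "a" * 65 + "&password=x"),
        HttpRequest("POST", "/login", "username=al/ice&password=x"),
        HttpRequest("GET", "/status", ""),
    ]
    for req in samples:
        print(req.method, req.path, "->", inspect_request(req) or "forward")
```

The design choice worth noting is that the policy names what is valid rather than what is dangerous: an over-long value, a stray parameter or a character outside the allowed set is blocked whether or not anyone has seen that particular payload before, which is the property that makes content inspection stronger than a header check.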
Traditional firewalls, both hardware and software, do not scale well. They have to be installed with the needs of the system in mind, tuned either for high-traffic performance or for stricter security on lower traffic volumes.
Cloud firewalls are much more flexible. Deployed from the cloud as a proxy server, this type of firewall intercepts network traffic before it enters the internal network, authorizes each session and verifies each data packet before it is let in.
Best of all, such firewalls can be scaled up and down in capacity as needed, adapting to different levels of inbound traffic. They are offered as a cloud-based service, require no hardware and are maintained by the service provider itself.
Next Generation Firewalls
Next generation can be a misleading term. Every technology industry loves to throw such buzzwords around, but what does it really mean? What features qualify a firewall as next-gen?
In reality, there is no strict definition. In general, you can think of solutions that combine different types of firewalls into one efficient security system as a Next-Generation Firewall (NGFW). Such a firewall is capable of deep packet inspection, while also warding off DDoS attacks, providing a multi-layered defense against hackers.
Most next-generation firewalls combine multiple network security solutions, such as VPNs, Intrusion Prevention Systems (IPS) and even an antivirus, in one package. The idea is to provide a complete solution that addresses all types of network vulnerabilities and delivers absolute network security. To this end, some NGFWs can also decrypt Secure Sockets Layer (SSL) communications, which lets them detect attacks hidden in encrypted traffic.
What type of firewall is best to protect your network?
The key point about firewalls is that the different types use different approaches to protect a network.
The simplest firewalls only verify sessions and packets and do nothing with their content. Gateway firewalls are all about creating virtual connections and preventing access to private IP addresses. Stateful firewalls track connections through their TCP handshakes and build a state table from that information.
Then there are next-generation firewalls, which combine all of the above with deep packet inspection and a host of other network security features. It may seem obvious that an NGFW would give your system the best possible security, but that is not always the right answer.
Depending on the complexity of your network and the type of applications running on it, your systems may be better off with a simpler solution that protects against the most common attacks. The best option might be to use a third-party cloud firewall service, handing firewall tuning and maintenance over to the service provider.