Everything you ever wanted to know about security policy management, and much more.
Firewalls form the first line of defense against intrusive hackers trying to infiltrate internal networks and steal sensitive data. They act as a barrier between networks, clearly defining the perimeters of each.
The earliest generation of packet-filter firewalls were rudimentary compared to today’s next-generation firewalls, but cybercrime threats were also less sophisticated.
Since then, cybersecurity vendors have added new security features to firewalls in response to emerging cyber threats. Today, organizations can choose between many different types of firewalls designed for a wide variety of purposes.
Optimizing your organization’s firewall implementation requires understanding the differences between firewalls and the network layers they protect.
Firewalls protect networks by inspecting data packets as they travel from one place to another. These packets are organized according to the transmission control protocol/internet protocol (TCP/IP), which provides a standard way to organize data in transit. This protocol is a concise version of the more general OSI model commonly used to describe computer networks.
These frameworks allow firewalls to interpret incoming traffic according to strictly defined standards. Security experts use these standards to create rules that tell firewalls what to do when they detect unusual traffic.
The OSI model has seven layers:
Most of the traffic that reaches your firewall will use one of the three major Transport layer protocols in this model, TCP, UDP, or ICMP. Many security experts focus on TCP rules because this protocol uses a three-step TCP handshake to provide a reliable two-way connection.
The earliest firewalls only operated on the Network Layer, which provides information about source and destination IP addresses, protocols, and port numbers. Later firewalls added Transport Layer and Application Layer functionality. The latest next-generation firewalls go even further, allowing organizations to enforce identity-based policies directly from the firewall.
Related Read: Host-Based vs. Network-Based Firewalls
Packet-filtering firewalls only examine Network Layer data, filtering out traffic according to the network address, the protocol used, or source and destination port data. Because they do not inspect the connection state of individual data packets, they are also called stateless firewalls.
These firewalls are simple and they don’t support advanced inspection features. However, they offer low latency and high throughput, making them ideal for certain low-cost inline security applications.
When stateful firewalls inspect data packets, they capture details about active sessions and connection states. Recording this data provides visibility into the Transport layer and allows the firewall to make more complex decisions. For example, a stateful firewall can mitigate a denial-of-service attack by comparing a spike in incoming traffic against rules for making new connections – stateless firewalls don’t have a historical record of connections to look up.
These firewalls are also called dynamic packet-filtering firewalls. They are generally more secure than stateless firewalls but may introduce latency because it takes time to inspect every data packet traveling through the network.
Circuit-level gateways act as a proxy between two devices attempting to connect with one another. These firewalls work on the Session layer of the OSI model, performing the TCP handshake on behalf of a protected internal server. This effectively hides valuable information about the internal host, preventing attackers from conducting reconnaissance into potential targets.
Instead of inspecting individual data packets, these firewalls translate internal IP addresses to registered Network Address Translation (NAT) addresses. NAT rules allow organizations to protect servers and endpoints by preventing their internal IP address from being public knowledge.
Traditional firewalls only address threats from a few layers in the OSI model.
Advanced threats can bypass these Network and Transport Layer protections to attack web applications directly. To address these threats, firewalls must be able to analyze individual users, devices, and data assets as they travel through complex enterprise networks.
Next-generation firewalls achieve this by looking beyond the port and protocol data of individual packets and sessions. This grants visibility into sophisticated threats that simpler firewalls would overlook.
For example, a traditional firewall may block traffic from an IP address known for conducting denial-of-service attacks. Hackers can bypass this by continuously changing IP addresses to confuse and overload the firewall, which may allow routing malicious traffic to vulnerable assets.
A next-generation firewall may notice that all this incoming traffic carries the same malicious content. It may act as a TCP proxy and limit the number of new connections made per second. When illegitimate connections fail the TCP handshake, it can simply drop them without causing the organization’s internal systems to overload.
This is just one example of what next-gen firewalls are capable of. Most modern firewall products combine a wide variety of technologies to provide comprehensive perimeter security against comprehensive cyber attacks.
Proxy firewalls are also called application-level gateways or gateway firewalls. They define which applications a network can support, increasing security but demanding continuous attention to maintain network functionality and efficiency.
Proxy firewalls provide a single point of access allowing organizations to assess the threat posed by the applications they use. It conducts deep packet inspection and uses proxy-based architecture to mitigate the risk of Application Layer attacks.
Many organizations use proxy servers to segment the parts of their network most likely to come under attack. Proxy firewalls can monitor the core internet protocols these servers use against every application they support. The proxy firewall centralizes application activity into a single server and provides visibility into each data packet processed.
This allows the organization to maintain a high level of security on servers that make tempting cyberattack targets. However, these servers won’t be able to support new applications without additional firewall configuration. These types of firewalls work well in highly segmented networks that allow organizations to restrict access to sensitive data without impacting usability and production.
Hardware firewalls are physical devices that secure the flow of traffic between devices in a network. Before cloud computing became prevalent, most firewalls were physical hardware devices. Now, organizations can choose to secure on-premises network infrastructure using hardware firewalls that manage the connections between routers, switches, and individual devices.
While the initial cost of acquiring and configuring a hardware firewall can be high, the ongoing overhead costs are smaller than what software firewall vendors charge (often an annual license fee). This pricing structure makes it difficult for growing organizations to rely entirely on hardware devices. There is always a chance that you end up paying for equipment you don’t end up using at full capacity.
Hardware firewalls offer a few advantages over software firewalls:
Many firewall vendors provide virtualized versions of their products as software. They typically charge an annual licensing fee for their firewall-as-a-service product, which runs on any suitably provisioned server or device.
Some software firewall configurations require the software to be installed on every computer in the network, which can increase the complexity of deployment and maintenance over time. If firewall administrators forget to update a single device, it may become a security vulnerability.
At the same time, these firewalls don’t have their own operating systems or dedicated system resources available. They must draw computing power and memory from the devices they are installed on. This leaves less power available for mission-critical tasks.
However, software firewalls carry a few advantages compared to hardware firewalls:
Most firewalls are well-equipped to block simple threats, but advanced threats can still cause problems.
There are many different types of advanced threats designed to bypass standard firewall policies.
Only next-generation firewalls have security features that can address these types of attack. Anti-data exfiltration tools may prevent users from sending their login credentials to unsecured destinations, or prevent large-scale data exfiltration altogether. Identity-based policies may block authenticated users from accessing assets they do not routinely use.
The success of any firewall implementation is determined by the quality of its security rules. These rules decide which types of traffic the firewall will allow to pass, and what traffic it will block.
In a modern network environment, this is done using four basic types of firewall rules:
Firewalls can impact network performance and introduce latency into networks.
Optimizing network performance with firewalls is a major challenge in any firewall implementation project.
Firewall experts use a few different approaches to reduce latency and maintain fast, reliable network performance:
Receive notifications of new posts by email.