top of page
Host-based firewalls vs. network-based firewalls for network security?

Network Segmentation

Host-based firewalls vs. network-based firewalls for network security?

Prof. Avishai Wool

Prof. Avishai Wool

Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam.

Tags

Share this article

8/28/23

Published

Before your organization can move business applications to the cloud, it must deploy network security solutions that can reliably block cybercrime and malware.


Firewalls are essential cybersecurity tools that protect network traffic against threat actors. There are many different types of firewalls available, but put the same basic principles in action.


Before finding out which types of firewalls offer the best security performance for your cloud implementation, it’s important to cover how firewalls work and what characteristics set them apart.


How firewalls work: Different types of firewalls explained

Firewalls are best explained through analogy. Think of firewalls as 24/7 security guards with deep knowledge of millions of criminals. Whenever the security guard sees a criminal approaching an access point, they block access and turn the criminal away.


This kind of access control is accomplished in a few different ways. Some firewalls inspect packets for suspicious characteristics. Others use stateful inspection to identify malicious traffic. Some incorporate contextual awareness to tell the difference between harmless traffic and cyberattacks.


Here are some of the major types of firewalls and how they work:


  • Packet filtering firewalls inspect data traveling through inline junction points like routers and switches. They don’t route data packets themselves, but compare them to a list of firewall rules. For example, they may filter packets that are traveling to untrusted IP addresses and drop them.

  • Circuit-level gateways monitor TCP handshake data and other protocol messages for signs of unauthorized access. These firewalls don’t inspect individual packets or application layer monitoring, though.

  • Proxy firewalls apply application layer filtering that filters data according to a wide range of characteristics. This category includes web application firewalls, which are a type of reverse proxy firewall – they protect the server from malicious traffic by filtering clients before they reach the server.

  • Stateful inspection firewalls examine and compare multiple packets to find out if they are part of an established network session. This offers a high degree of control over incoming and outgoing traffic while providing comprehensive logs on network connections.

  • Next-generation firewalls combine packet inspection, stateful inspection, antivirus, and additional technologies to protect organizations against unknown threats and vulnerabilities. These firewalls are expensive and have high bandwidth requirements, but they also offer a high level of protection.


All of these firewalls exist in different forms. Traditional hardware firewalls are physical devices that sit between network devices and the internet. Network-based firewalls are software-defined apps designed to do the same thing.


Hardware, software, or cloud? firewall deployment methods compared

Organizations have multiple options when deciding to host firewalls on their private networks. The market offers a vast number of security devices and firewall providers, ranging from Cisco hardware to software solutions like Microsoft’s Windows firewall.


Large enterprises use a combination of firewall solutions to adopt a multi-layered security posture. This allows them to achieve network scalability and segmentation while offering different levels of protection to data centers, individual devices, and user endpoints.


As firewall technology becomes more accessible, smaller organizations are following suit. Here are some of the delivery formats that firewall solutions commonly come in:


  • Network-based Firewalls are self-contained hardware appliances. They typically run custom operating systems using Linux distributions designed for secure computer networking. They can be challenging to configure and deploy, but are appropriate for a wide range of use cases.

  • Host-based Firewalls run as software on a server or other device. You can run host-based firewalls on individual computers, or at the host level of a cloud environment. The firewalls offer granular control over security rules and individual hosts, but consume resources in the process.

  • Cloud Hosted Firewalls are provided by third-party security partners as a service. These firewalls may be entirely managed by a third-party partner, making them ideal for small organizations that can’t afford building their own security infrastructure from the ground up.


How to select an optimal firewall solution for your organization

Every organization has a unique security risk profile. Finding the right firewall deployment for your organization requires in-depth knowledge of your network’s security vulnerabilities and potential for long-term growth.


Some of the issues you have to consider include:


  • Identifying technical objectives for individual firewalls. There are no one-size-fits-all firewall solutions. One solution may match a particular use case that another does not. Both stateless packet inspection firewalls and sophisticated next-generation solutions operate at different levels of the OSI model, which means each device should serve a well-defined purpose.

  • Selecting firewall solutions that match your team’s expertise. Consider your IT team’s technical qualifications. If configuring a sophisticated next-generation firewall requires adding talent with specialized certifications to your team, the cost of that deployment will rise considerably.

  • Deploying firewalls in ways that improve security performance while reducing waste. Optimal firewall architecture requires effective network segmentation and good security policies. Deploying a secure local area network (LAN) and using virtual private networks (VPNs) can help optimize firewall placement throughout the organization.

  • Determining which kinds of traffic inspection are necessary. Different types of network connections require different levels of security. For example, a public-facing Wi-Fi router is far more likely to encounter malicious traffic than an internal virtual local area network (VLAN) that only authenticated employees can access.

How to choose between host-based firewalls and network-based firewalls when moving to the cloud

Organizations that are transitioning to cloud infrastructure need to completely rethink their firewall deployment strategy. Firewalls are the cornerstone of access control, and cloud-hosted infrastructure comes with the shared responsibility model that puts pressure on security leaders to carefully deploy security resources.


In many cases, you’ll face tough decisions concerning which type of firewall to deploy at particular points in your network. Building an optimal deployment means working through the pros and cons of each option on a case-by-case basis.


Host-based firewalls and network-based firewalls are the two main options you’ll encounter for most use cases. Let’s look at what each of those options look like from a complete network security perspective.


1. Host-based firewalls offer flexibility but may introduce vulnerabilities

A cloud-native organization that exclusively uses host-based firewalls will have a cloud environment filled with virtual machines that take the place of servers and individual computers. To protect those devices, the organization will implement host-based firewalls on every virtual machine and configure them accordingly.


This provides the organization with a great deal of flexibility. IT team members can clone virtual machines and move them within the cloud on demand. The host-based firewalls that protect these machines can move right alongside them, ensuring consistent security policies are enforced without painstaking manual configuration.


It’s even possible to move virtual machines between cloud environments – like moving a virtual server from Amazon AWS to Microsoft Azure – without having to create completely new security policies in the process. This makes it easy for IT teams to work securely without introducing friction.


However, if attackers gain privileged access to host-based firewalls, they gain the same level of control. They may switch off the firewall or install malicious code in ways that other security technologies cannot detect.


Even highly secure organizations are subject to this kind of risk. Imagine an attacker compromises the credentials of a system administrator with firewall configuration privileges. Very few obstacles stand between an insider threat and the sensitive data they wish to exfiltrate.


Network-based firewalls offer independent security

Compared to host-based firewall products, it’s much harder for a malicious insider to compromise a network-based firewall solution managed by a cloud provider. That’s because the physical hardware is operating on a completely separate system from the host.


In a cloud-native environment, the network-based firewall would be a fully hardened device managed by a third-party provider running their own intrusion detection systems. This makes it much harder for attackers to successfully infiltrate and compromise systems without being noticed.


At the same time, independent network-based firewall architecture means that the attacker would have to compromise both your network and the cloud provider’s network without triggering security alerts from either. This adds a great deal of complexity to any attack, and significantly increases the chance it will be detected.


However, few organizations can afford to exclusively deploy hardware firewalls at every layer of their network. Even those that can afford it will run into significant challenges when planning for growth and scalability.


Segment your network for optimal protection

While they offer increased security, hardware firewalls are costly to deploy and maintain. Most organizations segment their networks in ways that offer extensive multi-layered protection to their most sensitive data while allowing more flexible host-based firewalls to protect less critical assets.


Every organization has a unique balance between optimal network-based firewall and host-based firewall deployment. This depends heavily on the volume of sensitive data the organization regularly accesses, and the security of its connections with users and third-party service providers. Proper network segmentation helps reduce the organization’s attack surface and decrease the risk of business disruption.

Related Articles

Azure Security Best Practices

Azure Security Best Practices

Cloud Security

Mar 19, 2023 · 2 min read

How to Implement a Security-as-Code Approach

How to Implement a Security-as-Code Approach

Cloud Security

Mar 19, 2023 · 2 min read

A secure VPC as the main pillar of cloud security

A secure VPC as the main pillar of cloud security

Cloud Security

Mar 19, 2023 · 2 min read

Speak to one of our experts

bottom of page