One of the major challenges that companies face when trying to secure their sensitive data is finding the right tools for the job. Even for a common tool such as a firewall (sometimes called a network firewall), many businesses might not have a clear idea of how to find the right firewall (or firewalls) for their needs, how to configure those firewalls, or why such firewalls might be necessary.
What is a Firewall?
A firewall is a type of cybersecurity tool that is used to filter traffic on a network. Firewalls can be used to separate network nodes from external traffic sources, internal traffic sources, or even specific applications. Firewalls can be software, hardware, or cloud-based, with each type of firewall having its own unique pros and cons.
The primary goal of a firewall is to block malicious traffic requests and data packets while allowing legitimate traffic through.
How Does a Firewall Work?
The first step in finding the right firewalls to protect your company’s data is to know what kinds of firewalls there are and how they work. Firewall architectures can be divided into several different categories based on their general structure and method of operation:
- Packet-filtering firewalls
- Stateful inspection firewalls
- Circuit-level gateways
- Application-level gateways (a.k.a. proxy firewalls)
- Next-gen firewalls
- Software firewalls
- Hardware firewalls
- Cloud firewalls
Note: The last three bullets list methods of delivering firewall functionality, rather than being types of firewall architectures in and of themselves.
How do these firewalls work? And, which ones are the best for your business’ cybersecurity needs?
Here are a few brief explainers:
As the most “basic” and oldest type of firewall architecture, packet-filtering firewalls basically create a checkpoint at a traffic router or switch. The firewall performs a simple check of the data packets coming through the router—inspecting information such as the destination and origination IP address, packet type, port number, and other surface-level information without opening up the packet to inspect its contents.
If the information packet doesn’t pass the inspection, it is dropped.
The good thing about these firewalls is that they aren’t very resource-intensive. This means they don’t have a huge impact on system performance and are relatively simple. However, they’re also relatively easy to bypass compared to firewalls with more robust inspection capabilities.
As another simplistic firewall type that is meant to quickly and easily approve or deny traffic without consuming significant computing resources, circuit-level gateways work by verifying the transmission control protocol (TCP) handshake. This TCP handshake check is designed to make sure that the session the packet is from is legitimate.
While extremely resource-efficient, these firewalls do not check the packet itself. So, if a packet held malware, but had the right TCP handshake, it would pass right through. This is why circuit-level gateways are not enough to protect your business by themselves.
Stateful Inspection Firewalls
These firewalls combine both packet inspection technology and TCP handshake verification to create a level of protection greater than either of the previous two architectures could provide alone.
However, these firewalls do put more of a strain on computing resources as well. This may slow down the transfer of legitimate packets compared to the other solutions.
Proxy Firewalls (Application-Level Gateways/Cloud Firewalls)
Proxy firewalls operate at the application layer to filter incoming traffic between your network and the traffic source—hence, the name “application-level gateway.” These firewalls are delivered via a cloud-based solution or another proxy device. Rather than letting traffic connect directly, the proxy firewall first establishes a connection to the source of the traffic and inspects the incoming data packet.
This check is similar to the stateful inspection firewall in that it looks at both the packet and at the TCP handshake protocol. However, proxy firewalls may also perform deep-layer packet inspections, checking the actual contents of the information packet to verify that it contains no malware.
Once the check is complete, and the packet is approved to connect to the destination, the proxy sends it off. This creates an extra layer of separation between the “client” (the system where the packet originated) and the individual devices on your network—obscuring them to create additional anonymity and protection for your network.
If there’s one drawback to proxy firewalls, it’s that they can create significant slowdown because of the extra steps in the data packet transferal process.
Many of the most recently-released firewall products are being touted as “next-generation” architectures. However, there is not as much consensus on what makes a firewall truly next-gen.
Some common features of next-generation firewall architectures include deep-packet inspection (checking the actual contents of the data packet), TCP handshake checks, and surface-level packet inspection. Next-generation firewalls may include other technologies as well, such as intrusion prevention systems (IPSs) that work to automatically stop attacks against your network.
The issue is that there is no one definition of a next-generation firewall, so it’s important to verify what specific capabilities such firewalls have before investing in one.
Software firewalls include any type of firewall that is installed on a local device rather than a separate piece of hardware (or a cloud server). The big benefit of a software firewall is that it's highly useful for creating defense in depth by isolating individual network endpoints from one another.
However, maintaining individual software firewalls on different devices can be difficult and time-consuming. Furthermore, not every device on a network may be compatible with a single software firewall, which may mean having to use several different software firewalls to cover every asset.
Hardware firewalls use a physical appliance that acts in a manner similar to a traffic router to intercept data packets and traffic requests before they're connected to the network's servers. Physical appliance-based firewalls like this excel at perimeter security by making sure malicious traffic from outside the network is intercepted before the company's network endpoints are exposed to risk.
The major weakness of a hardware-based firewall, however, is that it is often easy for insider attacks to bypass them. Also, the actual capabilities of a hardware firewall may vary depending on the manufacturer—some may have a more limited capacity to handle simultaneous connections than others, for example.
Whenever a cloud solution is used to deliver a firewall, it can be called a cloud firewall, or firewall-as-a-service (FaaS). Cloud firewalls are considered synonymous with proxy firewalls by many, since a cloud server is often used in a proxy firewall setup (though the proxy doesn't necessarily have to be on the cloud, it frequently is).
The big benefit of having cloud-based firewalls is that they are very easy to scale with your organization. As your needs grow, you can add additional capacity to the cloud server to filter larger traffic loads. Cloud firewalls, like hardware firewalls, excel at perimeter security.
Which Firewall Architecture is Right for Your Company?
So, which firewall architecture is the right one for your business?
- The simple packet filtering or circuit-level gateway, which provides basic protection that has minimal performance impact?
- The stateful inspection architecture that combines the capabilities of both of the previous two options, but has a larger performance impact? Or
- A proxy or next-gen firewall that offers far more robust protection in exchange for additional expenses and an even higher performance impact?
The real question is “why would you only use one?”
No one protection layer, no matter how robust, will ever be enough to protect your business. To provide better protection, your networks should have multiple layers of firewalls, both at the perimeter and separating different assets on your network. For example, you could have a hardware or cloud firewall at the perimeter of your network, then individual software firewalls on each of your network assets.
Having additional firewalls helps to make your network tougher to crack by creating additional defense-in-depth that isolates different assets—making it so attackers have to perform extra work to reach all of your most sensitive information.
The particular firewalls that you will want to use will depend on the capabilities of your network, relevant compliance requirements for your industry, and the resources you have in place to manage these firewalls.
Need help finding the ideal firewall architecture for your business’ needs? Consider starting with a security policy audit and assessment first. This can help you identify all of the assets on your network that need protecting so you can better optimize your firewall implementation.
Or, contact Compuquip Cybersecurity to get more assistance with perfecting your company’s cybersecurity strategy.
Back to Cybersecurity Basics
Master the 8 basic elements of a strong cybersecurity posture.