What is a Firewall? The Different Firewall Types & Architectures
One of the major challenges that companies face when trying to secure their sensitive data is finding the right tools for the job. Even for a common tool such as a firewall (sometimes called a network firewall), many businesses might not know how to find the right firewall (or firewalls) for their needs, how to configure those firewalls, or why such firewalls might be necessary.
What is a Firewall?
A firewall is a type of cybersecurity tool used to filter traffic on a network. Firewalls can separate network nodes from external traffic sources, internal traffic sources, or even specific applications. Firewalls can be software, hardware, or cloud-based, with each type of firewall having unique pros and cons.
The primary goal of a firewall is to block malicious traffic requests and data packets while letting through legitimate traffic.
8 Types of Firewalls and Deployment Architectures
You can divide firewall types into several categories based on their general structure and method of operation. Here are the five types of firewalls and their three modes of deployment.
- Packet-filtering firewalls
- Circuit-level gateways
- Stateful inspection firewalls
- Application-level gateways (a.k.a. proxy firewalls)
- Next-gen firewalls
Firewall Delivery Methods:
- Software firewalls
- Hardware firewalls
- Cloud firewalls
How do these firewalls work? And which ones are the best for your business's cybersecurity needs?
Here are a few brief explainers:
Type 1: Packet-Filtering Firewalls
As the most “basic” and oldest type of firewall architecture, packet-filtering firewalls create a checkpoint at a traffic router or switch. The firewall performs a simple check of the data packets coming through the router—inspecting information such as the destination and origination IP address, packet type, port number, and other surface-level details without opening the packet to examine its contents. It then drops the packet if the information packet doesn’t pass the inspection.
The good thing about these firewalls is that they aren’t very resource-intensive. Using fewer resources means they are relatively simple and don’t significantly impact system performance. However, they’re also relatively easy to bypass compared to firewalls with more robust inspection capabilities.
Type 2: Circuit-Level Gateways
Circuit-level gateways are another simplistic firewall type meant to quickly and easily approve or deny traffic without consuming significant computing resources. Circuit-level gateways work by verifying the transmission control protocol (TCP) handshake. This TCP handshake check is designed to ensure that the session the packet is from is legitimate.
While extremely resource-efficient, these firewalls do not check the packet itself. So, if a packet held malware but had the proper TCP handshake, it would easily pass through. Vulnerabilities like this are why circuit-level gateways are not enough to protect your business by themselves.
Type 3: Stateful Inspection Firewalls
This firewall type combines packet inspection technology and TCP handshake verification to create a more significant level of protection than either of the two architectures could provide alone.
However, these firewalls also put more of a strain on computing resources. This may slow down the transfer of legitimate packets compared to the other solutions.
Type 4: Proxy Firewalls (Application-Level Gateways/Cloud Firewalls)
Proxy firewalls operate at the application layer to filter incoming traffic between your network and the traffic source—hence, the name “application-level gateway.” These firewalls are delivered via a cloud-based solution or another proxy device. Rather than letting traffic connect directly, the proxy firewall first establishes a connection to the source of the traffic and inspects the incoming data packet.
This check is similar to the stateful inspection firewall in looking at both the packet and the TCP handshake protocol. However, proxy firewalls may also perform deep-layer packet inspections, checking the actual contents of the information packet to verify that it contains no malware.
Once the check is complete and the packet is approved to connect to the destination, the proxy sends it off. This creates an extra layer of separation between the “client” (the system where the packet originated) and the individual devices on your network—obscuring them to create additional anonymity and protection for your network.
The one drawback to proxy firewalls is that they can create a significant slowdown because of the extra steps in the data packet transfer process.
Type 5: Next-Generation Firewalls
Many of the most recently-released firewall products are touted as “next-generation” architectures. However, there is no consensus on what makes a firewall genuinely next-gen.
Some typical features of next-generation firewall architectures include deep-packet inspection (checking the actual contents of the data packet), TCP handshake checks, and surface-level packet inspection. Next-generation firewalls may consist of other technologies, such as intrusion prevention systems (IPSs), that automatically stop attacks against your network.
The issue is that there is no one definition of a next-generation firewall, so verifying what specific capabilities such firewalls have before investing in one is essential.
Firewall Deployment Architecture 1: Software Firewalls
Software firewalls include any type of firewall that is installed on a local device rather than a separate piece of hardware (or a cloud server). The big benefit of a software firewall is that it's highly useful for creating defense in depth by isolating individual network endpoints from one another.
However, maintaining individual software firewalls on different devices can be difficult and time-consuming. Furthermore, not every device on a network may be compatible with a single software firewall, which may mean having to use several different software firewalls to cover every asset.
Firewall Deployment Architecture 2:
Hardware firewalls use a physical appliance that acts like a traffic router to intercept data packets and traffic requests before they're connected to the network's servers. Physical appliance-based firewalls like this excel at perimeter security by ensuring malicious traffic from outside the network are intercepted before the company's network endpoints are exposed to risk.
However, the major weakness of a hardware-based firewall is that it is often easy for insider attacks to bypass them. Also, the actual capabilities of a hardware firewall may vary depending on the manufacturer—some may have a more limited capacity to handle simultaneous connections than others, for example.
Firewall Deployment Architecture 3: Cloud Firewalls
Whenever you use a cloud solution to deliver a firewall, it can be called a cloud firewall or firewall-as-a-service (FaaS). Many consider cloud firewalls synonymous with proxy firewalls since a cloud server is often used in a firewall setup (though the proxy doesn't necessarily have to be on the cloud, it frequently is).
The primary benefit of having cloud-based firewalls is that they are straightforward to scale with your organization. As your needs grow, you can add additional capacity to the cloud server to filter larger traffic loads. Cloud firewalls, like hardware firewalls, excel at perimeter security.
Which Firewall Architecture is Right for Your Company?
So, which firewall architecture is the right one for your business?
- Does the simple packet filtering or circuit-level gateway provide essential protection with minimal performance impact?
- The stateful inspection architecture combines the capabilities of the previous two options but has a more considerable performance impact.
- A proxy or next-gen firewall offers far more robust protection in exchange for additional expenses and an even higher performance impact.
The real question is “why would you only use one?”
No one protection layer, no matter how robust, will ever be enough to protect your business. To provide better protection, your networks should have multiple layers of firewalls, both at the perimeter and separating different assets on your network. For example, you could have a hardware or cloud firewall at the perimeter of your network, then individual software firewalls on each of your network assets.
Having additional firewalls helps make your network tougher to crack by creating additional defense-in-depth that isolates different assets. Hence, attackers must perform extra work to reach all your most sensitive information.
The particular firewalls you want to use will depend on your network's capabilities, relevant compliance requirements for your industry, and the resources you have to manage these firewalls.
Need help finding the ideal firewall architecture for your business needs? Click below for our FREE comprehensive guide on how to accelerate your firewall monitoring and management to keep your network significantly more secure.