What is a firewall? How they work and how they fit into enterprise security

Network firewalls were created as the primary perimeter defense for most organizations, but since its creation the technology has spawned many iterations: proxy, stateful, Web app, next-generation that are explained here.

firewall UTM next-generation firewall
Thinkstock

Firewalls been around for three decades, but they’ve evolved drastically to include features that used to be sold as separate appliances and to pull in externally gathered data to make smarter decisions about what network traffic to allow and what traffic to block.

Now just one indespensible element in an ecosystem of network defenses, the latest versions are known as enterprise firewalls or next-generation firewalls (NGFW) to indicate who should use them and that they are continually adding functionality.

What is a firewall?

A firewall is a network device that monitors packets going in and out of networks and blocks or allows them according to rules that have been set up to define what traffic is permissible and what traffic isn’t.

There are several types of firewalls that have developed over the years, becoming progressively more complex and taking more parameters into consideration when determining whether traffic should be allowed to pass. Firewalls started off as packet filters, but the newest do much much more.

Initially placed at the boundaries between trusted and untrusted networks, firewalls are now also deployed to protect internal segments of networks, such as data centers, from other segments of organizations’ networks.

They are commonly deployed as appliances built by individual vendors, but they can also be bought as virtual appliances – software that customers install on their own hardware.

Here are the major types of firewalls.

Proxy-based firewalls

These firewalls act as a gateway between end users who request data and the source of that data. Host devices connect to the proxy, and the proxy makes a separate connection to the source of the data. In response, source devices make connections to the proxy, and the proxy make a separate connection to the host device. Before passing on packets to a destination address, the proxy can filter them to enforce policies and mask the location of the recipient’s device, but also to protect the recipient’s device and network.

The upside of proxy-based firewalls is that machines outside the network being protected can gather only limited information about the network because they are never directly connected to it.

The major downside of proxy-based firewalls is that terminating incoming connections and creating outgoing connections plus filtering causes delays that can degrade performance. In turn, that can eliminate using some applications across the firewall because response times become too slow.

Stateful firewalls

A performance improvement over proxy-based firewalls came in the form of stateful firewalls, which keep track of a realm of information about connections and make it unnecessary for the firewall to inspect every packet. This greatly reduces delay introduced by the firewall.

By maintaining the state of connections, these firewalls can, for example, forego inspecting incoming packets that they identify as responses to legitimate outgoing connections that have already been inspected. The initial inspection establishes that the connection is allowable, and by preserving that state in its memory, the firewall can pass through subsequent traffic that is part of that same conversation without inspecting every packet.

Web application firewalls

Web application firewalls sit logically between servers that support Web applications and the internet, protecting them from specific HTML attacks such as cross-site scripting, SQL injection and others. They can be hardware- or cloud-based or they can be baked into applications themselves to determine whether each client trying to reach the server should be allowed access.

Next-generation firewalls

Packets can be filtered using more than the state of connections and source and destination addresses. This is where NGFWs come into play. They incorporate rules for what individual applications and users are allowed to do, and blend in data gathered from other technologies in order to make better informed decisions about what traffic to allow and what traffic to drop.

For example, some of these NGFWs perform URL filtering, can terminate secure sockets layer (SSL) and transport layer security (TLS) connections,  and support software-defined wide area networking (SD-WAN) to improve the efficiency of how dynamic SD-WAN decisions about connectivity are enforced.

Firewalls are not enough

Features that historically were handled by separate devices are now included in many NGFWs and include:

Intrusion Prevention Systems (IPS)

Whereas basic firewall technologies identify and block certain types of network traffic, IPSes use more granular security such as signature tracing and anomaly detection to prevent threats from entering networks. Once separate platforms, IPS functionality is more and more a standard firewall feature.

Deep packet inspection (DPI)

Deep packet inspection is a type of packet filtering that looks beyond where packets are coming from and going to and inspects their content, revealing, for example, what application is being accessed or what type of data is being transmitted. This information can make possible more intelligent and granular policies for the firewall to enforce. DPI could be used to block or allow traffic, but also restrict the amount of bandwidth particular applications are allowed to use. It could also be a tool for protecting intellectual property or sensitive data from leaving a secure network

SSL/TLS termination

SSL-encrypted traffic is immune to deep-packet inspection because its content cannot be read. Some NGFWs can terminate SSL traffic, inspect it, then create a second SSL connection to the intended destination address. This can be used to prevent, for instance, malicious employees from sending proprietary information outside the secure network while also allowing legitimate traffic to flow through. While it’s good from a data-protection point of view, DPI can raise privacy concerns. With the advent of transport layer security (TLS) as an improvement on SSL, this termination and proxying can apply to TLS as well.

Sandboxing

Incoming attachments or communications with outside sources can contain malicious code. Using sandboxing, some NGFWs can isolate these attachments and whatever code they contain, execute it and find out whether it’s malicious. The downside of this process is this can consume a lot of CPU cycles and introduce noticeable delay in traffic flowing through the firewall.

There are other features that could be incorporated in NGFWs. They can support taking in data gathered by other platforms an using it to make firewall decisions. For example, if a new malware signature has been identified by researchers, the firewall can take in that information and start filtering out traffic that contains the signature.

Gartner, which once used the term NGFW, now says that previous incarnations of firewalls are outmoded and that they now call NGFWs simply enterprise firewalls.

Most popular firewall vendors

According to the latest Gartner ranking of enterprise firewalls, the vendors designated leaders are Checkpoint, Cisco, Fortinet and Palo Alto Networks. Sophos is on the verge of the leader quadrant but falls just shy in both ability to execute and completeness of its vision.

The four leaders in the Gartner Magic Quadrant are also tops when measured by the amount of revenue their products generate, according to IDC. Combined, they controlled more than half the firewall market share in the first quarter of last year, IDC said.

Five years ago, the Gartner firewall leaders included just Checkpoint and Palo Alto, but in 2017 Fortinet broke through, and in 2018 Cisco joined the top category.

Of those vendors, Gartner also awarded Cisco, Fortinet and Palo Alto its Customer Choice Awards, which are based on customer reviews of their products. In all, the customers reviewed 17 vendors and submitted a total of 3,406 reviews, of which 2,943 were about the vendors ranked as leaders.

The other 12 vendors not already mentioned here are AhnLab, Barracuda Networks, Forcepoint, GreyHeller, Hillstone Networks, Huawei, Juniper Networks, New H3C, Sangfor, Sonic Wall, Stormshield and Watchguard.

By contrast, Forrester ranks many of the top firewall vendors not only on their firewalls, but on a framework it designed called Zero Trust, which takes into account all the security components vendors provide and how well they are integrated. Reliance on firewalls alone is history, according to its report “The Forrester Wave: Zero Trust eXtended (ZTX) Ecosystem Providers, Q4 2018.” In it, Forrester gives its top ranking to just two vendors, Palo Alto and Symantec.

This story, "What is a firewall? How they work and how they fit into enterprise security" was originally published by Network World.

  
Shop Tech Products at Amazon