


Asher Benbenisty
Published 10/25/23
Firewalls form the first line of defense against intrusive hackers trying to infiltrate internal networks and steal sensitive data. They act as a barrier between networks, clearly defining the perimeters of each.
The earliest generation of packet-filter firewalls were rudimentary compared to today’s next-generation firewalls, but cybercrime threats were also less sophisticated.
Since then, cybersecurity vendors have added new security features to firewalls in response to emerging cyber threats. Today, organizations can choose between many different types of firewalls designed for a wide variety of purposes.
Optimizing your organization’s firewall implementation requires understanding the differences between firewalls and the network layers they protect.
How Do Firewalls Work?
Firewalls protect networks by inspecting data packets as they travel from one place to another. These packets are organized according to the transmission control protocol/internet protocol (TCP/IP) suite, which provides a standard way to structure data in transit. The TCP/IP model is a more compact layering than the general OSI model commonly used to describe computer networks.
These frameworks allow firewalls to interpret incoming traffic according to strictly defined standards. Security experts use these standards to create rules that tell firewalls what to do when they detect unusual traffic.
The OSI model has seven layers:
- Application 
- Presentation 
- Session 
- Transport 
- Network 
- Data link 
- Physical 
Most of the traffic that reaches your firewall will use one of three major protocols: TCP or UDP at the Transport layer, or ICMP, which travels alongside IP at the Network layer. Many security experts focus on TCP rules because this protocol uses a three-way handshake to establish a reliable two-way connection.
The earliest firewalls only operated on the Network Layer, which provides information about source and destination IP addresses, protocols, and port numbers. Later firewalls added Transport Layer and Application Layer functionality. The latest next-generation firewalls go even further, allowing organizations to enforce identity-based policies directly from the firewall.
1. Traditional Firewalls
Packet Filtering Firewalls
Packet-filtering firewalls only examine Network Layer data, filtering out traffic according to the network address, the protocol used, or source and destination port data. Because they do not track the connection state that a packet belongs to, they are also called stateless firewalls.
These firewalls are simple and they don’t support advanced inspection features. However, they offer low latency and high throughput, making them ideal for certain low-cost inline security applications.
Stateful Inspection Firewalls
When stateful firewalls inspect data packets, they capture details about active sessions and connection states. Recording this data provides visibility into the Transport layer and allows the firewall to make more complex decisions. For example, a stateful firewall can mitigate a denial-of-service attack by comparing a spike in incoming traffic against rules for making new connections – stateless firewalls don’t have a historical record of connections to look up.
These firewalls are also called dynamic packet-filtering firewalls. They are generally more secure than stateless firewalls but may introduce latency because it takes time to inspect every data packet traveling through the network.
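To make the difference concrete, here is an added example in Python (not code from the original article) that runs a stateless packet filter and a stateful one over the same constructed packets, including the new-connection rate limit described above and again under next-generation firewalls below. The internal prefix, the addresses, the rule set and the three-connections-per-second limit are all assumptions.

```python
from collections import deque
INTERNAL = "10.0.0."  # constructed: prefix of the protected internal network

def pkt(src, sport, dst, dport, flags, t, proto="tcp"):
    """Build a constructed packet header as a dict; flags like 'SYN|ACK'."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto,
            "flags": set(flags.split("|")) if flags else set(), "t": t}

def stateless_decide(p):
    """Packet filter: header fields only, first match wins, default drop. The ACK
    rule is the stateless stand-in for 'established' traffic: it trusts a flag."""
    if p["proto"] == "tcp" and p["dst"] == "10.0.0.5" and p["dport"] == 443:
        return "allow"                       # inbound HTTPS to the public web server
    if p["proto"] == "tcp" and p["src"].startswith(INTERNAL):
        return "allow"                       # anything outbound from inside
    if p["proto"] == "tcp" and "ACK" in p["flags"]:
        return "allow"                       # "replies" to our connections (spoofable)
    return "drop"

class StatefulFirewall:
    """Tracks TCP flows: only a bare SYN can create state; every other packet
    must match an existing flow. New inbound flows are also rate limited."""
    def __init__(self, max_new_inbound_per_sec=3):
        self.flows = set()          # (src, sport, dst, dport) of accepted flows
        self.new_inbound = deque()  # timestamps of recent inbound SYNs
        self.limit = max_new_inbound_per_sec

    def decide(self, p):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if fwd in self.flows or rev in self.flows:
            return "allow"                   # belongs to a tracked connection
        if p["proto"] != "tcp" or p["flags"] != {"SYN"}:
            return "drop"                    # no state and not a new connection
        if p["src"].startswith(INTERNAL):
            self.flows.add(fwd)              # outbound: remember it for the replies
            return "allow"
        if stateless_decide(p) != "allow":
            return "drop"                    # inbound SYN still has to pass the ACL
        while self.new_inbound and p["t"] - self.new_inbound[0] >= 1.0:
            self.new_inbound.popleft()       # keep a one-second window
        if len(self.new_inbound) >= self.limit:
            return "drop"                    # connection-rate spike: SYN flood guard
        self.new_inbound.append(p["t"])
        self.flows.add(fwd)
        return "allow"

def compare(packets):
    fw = StatefulFirewall()  # returns (stateless, stateful) verdict per packet
    return [(stateless_decide(p), fw.decide(p)) for p in packets]

SAMPLE = [  # constructed traffic
    pkt("10.0.0.7", 40000, "198.51.100.9", 443, "SYN", 0.0),       # outbound connect
    pkt("198.51.100.9", 443, "10.0.0.7", 40000, "SYN|ACK", 0.1),   # genuine reply
    pkt("198.51.100.66", 3333, "10.0.0.7", 22, "ACK", 0.2),        # forged "reply" to SSH
] + [pkt(f"203.0.113.{i}", 50000 + i, "10.0.0.5", 443, "SYN", 5.0) for i in range(5)]
```

The forged ACK passes the stateless filter but is dropped by the stateful one, and the burst of five inbound SYNs in the same second is cut to three.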
Circuit-Level Gateways
Circuit-level gateways act as a proxy between two devices attempting to connect with one another. These firewalls work on the Session layer of the OSI model, performing the TCP handshake on behalf of a protected internal server. This effectively hides valuable information about the internal host, preventing attackers from conducting reconnaissance into potential targets.
Instead of inspecting individual data packets, these firewalls translate internal IP addresses to public addresses using Network Address Translation (NAT). NAT rules protect servers and endpoints by keeping their internal IP addresses out of public view.
2. Next-Generation Firewalls (NGFWs)
Traditional firewalls only address threats from a few layers in the OSI model.
Advanced threats can bypass these Network and Transport Layer protections to attack web applications directly. To address these threats, firewalls must be able to analyze individual users, devices, and data assets as they travel through complex enterprise networks.
Next-generation firewalls achieve this by looking beyond the port and protocol data of individual packets and sessions. This grants visibility into sophisticated threats that simpler firewalls would overlook.
For example, a traditional firewall may block traffic from an IP address known for conducting denial-of-service attacks. Hackers can bypass this by continuously changing IP addresses to confuse and overload the firewall, which may allow routing malicious traffic to vulnerable assets.
A next-generation firewall may notice that all this incoming traffic carries the same malicious content. It may act as a TCP proxy and limit the number of new connections made per second. When illegitimate connections fail the TCP handshake, it can simply drop them without causing the organization’s internal systems to overload.
This is just one example of what next-gen firewalls are capable of. Most modern firewall products combine a wide variety of technologies to provide comprehensive perimeter security against a broad range of cyber attacks.
How do NGFWs Enhance Network Security?
- Deep Packet Inspection (DPI): NGFWs go beyond basic packet filtering by inspecting the content of data packets. They analyze the actual data payload and not just header information. This allows them to identify and block threats within the packet content, such as malware, viruses, and suspicious patterns. 
- Application-Level Control: NGFWs can identify and control applications and services running on the network. This enables administrators to define and enforce policies based on specific applications, rather than just port numbers. For example, you can allow or deny access to social media sites or file-sharing applications. 
- Intrusion Prevention Systems (IPS): NGFWs often incorporate intrusion prevention capabilities. They can detect and prevent known and emerging cyber threats by comparing network traffic patterns against a database of known attack signatures. This proactive approach helps protect against various cyberattacks. 
- Advanced Threat Detection: NGFWs use behavioral analysis and heuristics to detect and block unknown or zero-day threats. By monitoring network traffic for anomalies, they can identify suspicious behavior and take action to mitigate potential threats. 
- User and Device Identification: NGFWs can associate network traffic with specific users or devices, even in complex network environments. This user/device awareness allows for more granular security policies and helps in tracking and responding to security incidents effectively. 
- Integration with Security Ecosystem: NGFWs often integrate with other security solutions, such as antivirus software, intrusion detection systems (IDS), and security information and event management (SIEM) systems. This collaborative approach provides a multi-layered defense strategy. 
- Security Automation: NGFWs can automate threat response and mitigation. For example, they can isolate compromised devices from the network or initiate other predefined actions to contain threats swiftly. In a multi-layered security environment, these firewalls often enforce the policies established by security orchestration, automation, and response (SOAR) platforms. 
- Content Filtering: NGFWs can filter web content, providing URL filtering and content categorization. This helps organizations enforce internet usage policies and block access to potentially harmful or inappropriate websites. Some NGFWs can even detect outgoing user credentials (like an employee’s Microsoft account password) and prevent that content from leaving the network. 
- VPN and Secure Remote Access: NGFWs often include VPN capabilities to secure remote connections. This is crucial for ensuring the security of remote workers and branch offices. Advanced firewalls may also be able to identify malicious patterns in external VPN traffic, protecting organizations from threat actors hiding behind encrypted VPN providers. 
- Cloud-Based Threat Intelligence: Many NGFWs leverage cloud-based threat intelligence services to stay updated with the latest threat information. This real-time threat intelligence helps NGFWs identify and block emerging threats more effectively. 
- Scalability and Performance: NGFWs are designed to handle the increasing volume of network traffic in modern networks. They offer improved performance and scalability, ensuring that security does not compromise network speed. 
- Logging and Reporting: NGFWs generate detailed logs and reports of network activity. These logs are valuable for auditing, compliance, and forensic analysis, helping organizations understand and respond to security incidents. 
3. Proxy Firewalls
Proxy firewalls are also called application-level gateways or gateway firewalls. They define which applications a network can support, increasing security but demanding continuous attention to maintain network functionality and efficiency.
Proxy firewalls provide a single point of access, allowing organizations to assess the threat posed by the applications they use. They conduct deep packet inspection and use a proxy-based architecture to mitigate the risk of Application Layer attacks.
Many organizations use proxy servers to segment the parts of their network most likely to come under attack. Proxy firewalls can monitor the core internet protocols these servers use against every application they support. The proxy firewall centralizes application activity into a single server and provides visibility into each data packet processed.
This allows the organization to maintain a high level of security on servers that make tempting cyberattack targets. However, these servers won’t be able to support new applications without additional firewall configuration. These types of firewalls work well in highly segmented networks that allow organizations to restrict access to sensitive data without impacting usability and production.
4. Hardware Firewalls
Hardware firewalls are physical devices that secure the flow of traffic between devices in a network. Before cloud computing became prevalent, most firewalls were physical hardware devices. Now, organizations can choose to secure on-premises network infrastructure using hardware firewalls that manage the connections between routers, switches, and individual devices.
While the initial cost of acquiring and configuring a hardware firewall can be high, the ongoing costs are smaller than what software firewall vendors charge (often an annual license fee). The large up-front investment makes it difficult for growing organizations to rely entirely on hardware devices: there is always a chance that you end up paying for equipment you never use at full capacity.
Hardware firewalls offer a few advantages over software firewalls:
- They avoid consuming computing resources on hosts that could otherwise go to value-generating tasks. 
- They may end up costing less over time than a continuously renewed software firewall subscription fee. 
- Centralized logging and monitoring can make hardware firewalls easier to manage than complex software-based deployments. 
5. Software Firewalls
Many firewall vendors provide virtualized versions of their products as software. They typically charge an annual licensing fee for their firewall-as-a-service product, which runs on any suitably provisioned server or device.
Some software firewall configurations require the software to be installed on every computer in the network, which can increase the complexity of deployment and maintenance over time. If firewall administrators forget to update a single device, it may become a security vulnerability.
At the same time, these firewalls don’t have their own operating systems or dedicated system resources available. They must draw computing power and memory from the devices they are installed on. This leaves less power available for mission-critical tasks.
However, software firewalls carry a few advantages compared to hardware firewalls:
- The initial subscription-based cost is much lower, and many vendors offer a price structure that ensures you don’t pay for resources you don’t use. 
- Software firewalls do not take up any physical space, making them ideal for smaller organizations. 
- The process of deploying software firewalls often only takes a few clicks. With hardware firewalls, the process can involve complex wiring and time-consuming testing. 
Advanced Threats and Firewall Solutions
Most firewalls are well-equipped to block simple threats, but advanced threats can still cause problems.
There are many different types of advanced threats designed to bypass standard firewall policies.
- Advanced Persistent Threats (APTs) often compromise high-level user accounts and slowly spread throughout the network using lateral movement. They may move slowly, gathering information and account credentials over weeks or months before exfiltrating the data undetected. By moving slowly, these threats avoid triggering firewall rules. 
- Credential-based attacks bypass simple firewall rules by using genuine user credentials to carry out attacks. Since most firewall policies trust authenticated users, attackers can easily bypass rules by stealing user account credentials. Simple firewalls can’t distinguish between normal traffic and malicious traffic by an authenticated, signed-in user. 
- Malicious insiders can be incredibly difficult to detect. These are genuine, authenticated users who have decided to act against the organization’s interest. They may already know how the firewall system works, or have privileged access to firewall configurations and policies. 
- Combination attacks may target multiple security layers with separate, independent attacks. For example, your cloud-based firewalls may face a Distributed Denial of Service (DDoS) attack while a malicious insider exfiltrates information from the cloud. These tactics allow hackers to coordinate attacks and cover their tracks. 
Only next-generation firewalls have security features that can address these types of attack. Anti-data exfiltration tools may prevent users from sending their login credentials to unsecured destinations, or prevent large-scale data exfiltration altogether. Identity-based policies may block authenticated users from accessing assets they do not routinely use.
Firewall Configuration and Security Policies
The success of any firewall implementation is determined by the quality of its security rules. These rules decide which types of traffic the firewall will allow to pass, and what traffic it will block.
In a modern network environment, this is done using four basic types of firewall rules:
- Access Control Lists (ACLs). These identify the users who have permission to access a certain resource or asset. They may also dictate which operations are allowed on that resource or asset. 
- Network Address Translation (NAT) rules. These rules protect internal devices by hiding their original IP address from the public Internet. This makes it harder for hackers to gain unauthorized access to system resources because they can’t easily target individual devices from outside the network. 
- Stateful packet filtering. This is the process of inspecting the data packets in each connection and deciding what to do with data flows that do not appear genuine. Stateful firewalls keep track of existing connections, so they can check whether incoming data that claims to belong to an already established connection actually matches one they have recorded. 
- Application-level gateways. These firewall rules provide application-level protection, preventing hackers from disguising malicious traffic as data from (or for) an application. To perform this kind of inspection, the firewall must know what normal traffic looks like for each application on the network, and be able to match incoming traffic with those applications. 
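An added example in Python (not the article's own code) of the NAT rule described here and in the circuit-level gateway section: outbound flows from internal hosts are rewritten to a port on the firewall's single public address, and only a reply from the peer that the internal host actually contacted is translated back. The public address, the port range and the host addresses are assumptions.

```python
PUBLIC_IP = "203.0.113.10"   # constructed: the firewall's single public address

class SourceNat:
    """Source NAT table: internal (ip, port) flows are mapped to a port on
    PUBLIC_IP on the way out, and only matching replies are mapped back in."""

    def __init__(self, first_port=20000):
        self.outbound_map = {}   # (int_ip, int_port, ext_ip, ext_port) -> public port
        self.inbound_map = {}    # public port -> (int_ip, int_port, ext_ip, ext_port)
        self.next_port = first_port

    def outbound(self, src, sport, dst, dport):
        """Rewrite an internal packet's source; returns (src, sport, dst, dport)."""
        key = (src, sport, dst, dport)
        if key not in self.outbound_map:
            port = self.next_port            # allocate the next free public port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[port] = key
        return (PUBLIC_IP, self.outbound_map[key], dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Reverse-translate a packet arriving from outside; None means drop."""
        if dst != PUBLIC_IP:
            return None
        entry = self.inbound_map.get(dport)
        if entry is None:
            return None   # no mapping: unsolicited traffic never reaches an internal host
        int_ip, int_port, ext_ip, ext_port = entry
        if (src, sport) != (ext_ip, ext_port):
            return None   # mapping exists, but this peer did not originate the flow
        return (src, sport, int_ip, int_port)

def demo():
    """Constructed traffic: one outbound flow, its reply, a port scan and a hijack attempt."""
    nat = SourceNat()
    out = nat.outbound("10.0.0.7", 40000, "198.51.100.9", 443)
    reply = nat.inbound("198.51.100.9", 443, PUBLIC_IP, out[1])
    scan = nat.inbound("198.51.100.66", 3333, PUBLIC_IP, 22)
    hijack = nat.inbound("198.51.100.66", 3333, PUBLIC_IP, out[1])
    return out, reply, scan, hijack
```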
Network Performance and Firewalls
Firewalls can impact network performance and introduce latency into networks.
Optimizing network performance with firewalls is a major challenge in any firewall implementation project.
Firewall experts use a few different approaches to reduce latency and maintain fast, reliable network performance:
- Install hardware firewalls on high-volume routes, since separate physical devices won’t draw computing resources away from other network devices. 
- Use software firewalls in low-volume situations where flexibility is important. Being able to quickly reconfigure firewall rules as business conditions change can make a major difference to overall network performance. 
- Configure servers to block unwanted traffic efficiently, and treat this as a continuous process. Server administrators should avoid overloading perimeter firewalls with outbound requests that will only be denied. 
- Distribute unwanted traffic across multiple firewalls and routers instead of letting it concentrate on one or two devices. Firewall administrators should also reduce the complexity of the rule base and minimize overlapping rules. 