Firewalls are among the basic and most important IT security measures for companies. We present the best-known types and their differences.
Since its introduction in the late 1980s, the firewall has evolved constantly. The security classic is still considered an essential component for protecting the company network against attacks. Learn how a firewall works and what distinguishes the different variants.
Firewall - A definition
In general terms, a firewall is a network device that monitors packets entering or leaving the network. If a firewall is installed on a computer, it is called a personal or desktop firewall. If it is not located on the system to be protected itself, but on its own device in the network, it is called an external firewall. Other terms are network firewall or hardware firewall.
Firewalls block or allow data transit based on defined rules that decide which traffic is allowed and which is not. In this way, they fend off attacks from outside via open ports on a computer or network. These include, for example, Internet worms such as SQL Slammer, Sasser, etc. In addition, firewalls block harmful traffic from the inside to the outside, for example, if malware that has gained a foothold internally despite all countermeasures wants to contact a control server.
Over the years, many different types of firewalls have evolved. They have become increasingly complex and use a larger number of parameters to decide whether traffic is allowed to pass. Modern variants are usually called Next Generation Firewalls (NGFW). They contain a number of features that go beyond filtering techniques.
Originally, firewalls were used as guards at the borders between trusted and untrusted networks. Now companies also use them to shield internal network segments, such as the data centre, from other segments of the corporate network.
Network firewalls are usually deployed as hardware appliances. However, they are also available as virtual variants that are installed as software on a company's own hardware.
Proxy firewall
A proxy firewall acts as a security gateway between users requesting data and the source of that data. For this reason, it is often referred to as a "gateway firewall". It is a proxy between the resources to be protected and other networks such as the Internet and checks all exchanges between the two.
For example, if an external device wants to access a resource on the protected network via the Internet, this request goes through the firewall - the device and the network never communicate directly with each other. The device's request is intercepted by the firewall and the transmitted packets are checked. The firewall can filter them to apply policies and mask the location of the receiving device. It then establishes a separate secure connection between itself and the destination resource. The response from within the network also goes back to the external device in two stages via the proxy. In this way, it protects the receiving device and the network itself.
The advantage of a proxy firewall is that devices are never directly connected to the network. The firewall has its own IP address, which is used exclusively for communication from the outside. Therefore, this type of firewall is considered one of the most secure. Since not only the network address and port number of an incoming data packet are examined, but the network packets as a whole, proxy firewalls usually also have extensive logging functions. This makes them a valuable resource for administrators in the event of a security incident, as log data can be easily analysed.
On the other hand, performance can suffer because delays occur when the firewall constantly terminates, re-establishes and filters incoming connections. This in turn makes it impossible to use some applications through the firewall because the response times are too slow. A proxy firewall may also support only certain network protocols, and thus only certain applications, from the outset. Since all traffic passes through the firewall, it also becomes a kind of Single Point of Failure (SPoF) whose outage can paralyse the entire network.
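To make the two-stage exchange concrete, here is an added toy proxy firewall in Python (not from the article or any product). The client's TCP connection terminates at the proxy, which enforces a destination policy, opens its own second connection to the destination, logs every payload in both directions, and is the only peer the destination server ever sees. The echo server, the loopback addresses and the policy are constructed for the demo.

```python
import socket
import threading

class ProxyFirewall:
    """Toy application-level proxy: client connections end here, the proxy opens its own connection onward."""
    def __init__(self, allowed_destinations):
        self.allowed = set(allowed_destinations)  # policy: (host, port) pairs that may be reached
        self.log = []                              # full payloads in both directions
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))           # the proxy's own address (constructed: loopback)
        self.sock.listen(1)

    def serve_one(self, destination):
        client, _ = self.sock.accept()             # stage one: the external device reaches only the proxy
        with client:
            request = client.recv(4096)
            self.log.append(("client->proxy", request))
            if destination not in self.allowed:    # policy is enforced at the gateway
                client.sendall(b"DENIED")
                return
            with socket.create_connection(destination) as upstream:  # stage two: separate connection
                upstream.sendall(request)
                reply = upstream.recv(4096)
            self.log.append(("server->proxy", reply))
            client.sendall(reply)                  # response also travels back in two stages

def echo_server(sock, peers):
    """Constructed destination service; records the address that connected to it."""
    conn, peer = sock.accept()
    peers.append(peer)
    with conn:
        conn.sendall(b"echo:" + conn.recv(4096))

def run_demo(allow: bool):
    """Client -> proxy -> echo server on loopback; returns reply, client address, server-side peers, log."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    dest = server.getsockname()
    peers = []
    threading.Thread(target=echo_server, args=(server, peers), daemon=True).start()
    fw = ProxyFirewall([dest] if allow else [])
    worker = threading.Thread(target=fw.serve_one, args=(dest,), daemon=True)
    worker.start()
    with socket.create_connection(fw.sock.getsockname()) as client:
        client_addr = client.getsockname()
        client.sendall(b"hello")
        reply = client.recv(4096)
    worker.join(5)
    return reply, client_addr, peers, fw.log
```

In the allowed run the server's recorded peer is the proxy's upstream socket, not the client's address, and the log holds both payloads; in the denied run the destination is never contacted.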
Stateful firewall
To get a grip on the performance disadvantages of the proxy firewall, the IT security provider Check Point developed the stateful firewall in the early 1990s. Instead of examining each individual packet, it monitors the connection status - so-called stateful inspection. This reduces the delay.
At the beginning of a connection, the firewall checks in depth whether the packets are permitted and secure. If it classifies the traffic as legitimate, the firewall establishes a connection to the destination and allows the packets to pass. It now keeps this status in memory and allows all subsequent packets that are part of this communication to pass through without any further in-depth checks. The status contains details such as the IP addresses and ports involved in the connection as well as the sequence numbers of the sent packets. Invalid packets that do not belong to an existing connection, for example because they belong to a denial-of-service (DoS) attack, are blocked.
Since the stateful firewall keeps all connection information - allowed and blocked - in a table in its memory, a targeted distributed denial-of-service (DDoS) attack can cause difficulties. Under the sheer volume of blocked connections that the table holds in the event of such an attack, the processing of legitimate connections, and thus the service, can suffer.
To mitigate this risk, many companies distribute the processing of network traffic across several firewall appliances. Cloud-based solutions are often chosen, as they scale with the workloads and thus exclude a failure due to overload.
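The following is an added Python model of the behaviour described in this section, not code from the article or from any vendor: the first packet of a connection is checked against a rule base, the verdict is remembered in a state table, later packets of that connection pass on a lookup alone, packets that belong to no known connection are dropped, and a bounded table shows how a flood of connection attempts can crowd out a legitimate one. Addresses, ports and the rule base are constructed sample values.

```python
from collections import OrderedDict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the first packet of a TCP connection

# Rule base, consulted for new connections only (constructed sample values):
# services on the protected network that may be opened from outside.
ALLOWED_SERVICES = {("10.0.0.5", 443), ("10.0.0.7", 25)}

class StatefulFilter:
    """Toy stateful inspection: in-depth check once, table lookup afterwards."""

    def __init__(self, max_states: int = 4):
        self.max_states = max_states
        self.table = OrderedDict()  # flow 4-tuple -> "ESTABLISHED" or "BLOCKED"

    def handle(self, p: Packet) -> str:
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        for key in (flow, reverse):  # fast path: packet of a known connection
            state = self.table.get(key)
            if state == "ESTABLISHED":
                return "ALLOW"
            if state == "BLOCKED":
                return "DROP"
        if not p.syn:  # mid-stream packet without state, e.g. a stray ACK
            return "DROP"
        if len(self.table) >= self.max_states:
            return "DROP"  # table exhausted: even a legitimate flow is refused
        # The in-depth check happens only here, at connection start. As the
        # text describes, the verdict is kept for allowed and blocked connections.
        verdict = "ESTABLISHED" if (p.dst, p.dport) in ALLOWED_SERVICES else "BLOCKED"
        self.table[flow] = verdict
        return "ALLOW" if verdict == "ESTABLISHED" else "DROP"

def flood_then_connect(fw: StatefulFilter, n_bogus: int) -> str:
    """Overload scenario: n_bogus connection attempts to a closed port from
    different (constructed, spoofed) sources, then one legitimate HTTPS
    connection attempt; returns the verdict for the legitimate one."""
    for i in range(n_bogus):
        fw.handle(Packet(f"203.0.113.{i}", 40000 + i, "10.0.0.5", 22, syn=True))
    return fw.handle(Packet("198.51.100.9", 51000, "10.0.0.5", 443, syn=True))
```

With a table of four entries, one bogus attempt still leaves room for the legitimate connection, while four fill the table and the legitimate attempt is dropped.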
Next Generation Firewall (NGFW)
Next Generation Firewalls (NGFW) filter packets according to other characteristics in addition to connection status and source and destination addresses. They include rules about what individual applications and users are allowed to do and use more information to make better decisions about whether to allow traffic.
Many NGFWs today combine security functions that were traditionally provided by other solutions. These include, for example:
Intrusion Prevention Systems (IPS) - As a separate solution, the IPS usually sat directly behind the traditional firewall and took action against detected anomalies and attack patterns that made it past the firewall. Many NGFWs extend the classic IPS capabilities with more granular security criteria. For example, they match the analysed traffic against a database of known attack patterns and can detect and prevent unknown attacks based on deviations from normal operation. Integrating the IPS into the NGFW reduces the administrative effort, as there is no extra communication between separate solutions to configure and control.
Deep Packet Inspection (DPI) - In contrast to classic packet filters, this variant inspects not only the header part with the origin and destination of packets, but also their data content. For example, DPI checks which application is being accessed and what type of data is being transmitted. Based on this information, more intelligent and detailed policies can be defined for the firewall. In addition to traffic admission control, DPI can also be used to limit the bandwidth that certain applications are allowed to use or to prevent sensitive information from leaving the secure network.
SSL/TLS Termination - Traffic encrypted with Transport Layer Security (TLS) or its predecessor Secure Sockets Layer (SSL) cannot be inspected by DPI because the content is not readable. Some NGFWs therefore offer the option to terminate this traffic, decrypt it, inspect it and finally establish a second TLS/SSL connection to the destination address. For example, employees can be prevented from sending internal information out of the secure network, while legitimate traffic passes through unhindered. Since personal data may be processed automatically when DPI is used at this depth, it is important to check carefully what is necessary and permissible in terms of data protection.
Sandboxing - Incoming emails with attachments may contain malicious code. Sandboxing allows an NGFW to run attachments and any code they contain in a shielded environment and determine whether they are malicious. The disadvantage is that sandboxing adds an additional step to the transmission - similar to the proxy firewall - which sometimes requires a lot of computing power. Performance can therefore suffer and the traffic flow can be delayed.
In addition to the above, an NGFW can also contain other features. For example, threat data that the system itself has not yet encountered can be fed into the firewall's decision-making preventively: if researchers have identified the signature of a new malware, the NGFW can obtain this information and filter out traffic that carries this signature.
The latest developments continuously expand the functions of the NGFW and implement, for example, context-sensitive protection against advanced persistent threats (APTs) or explicitly support virtualised and cloud environments. The degree of automation is increasing, so that IT can react more quickly to threats and the management effort is reduced.
Unified Threat Management (UTM)
In the beginning, Next Generation Firewalls were designed only for intrusion prevention and deep packet inspection. Everything that went beyond that and included, for example, antivirus features, was called Unified Threat Management (UTM). By default, UTM devices combine several functions in one solution. They stand out above all because they are easy to install and require only a few steps to configure.
On the other hand, it can happen that a UTM solution is not suitable for an individual environment or a company already has individual security products in use that have similar performance features. Then the entire range of functions of the UTM does not necessarily pay off. Large companies, on the other hand, may reach the limits of UTM if security solutions are to scale in large networks. Here, an individual solution that can flexibly grow with the company may be the better option.
In the meantime, more and more functions are being integrated into NGFW so that they are largely congruent with UTM. The most striking difference is that UTM offers less throughput than NGFW, but is easier to deploy and manage. An NGFW, on the other hand, offers higher throughput rates and more detailed customisation options, but is more complex to manage.
Web Application Firewall (WAF)
This type of firewall sits between web servers and the Internet. It protects against certain attacks on web applications such as zero-day exploits, SQL injection (SQLi), in which the database behind a web application can be read out and manipulated, or cross-site scripting (XSS). The latter exploits a vulnerability on the client or server to embed malicious code in trusted environments and use it to manipulate websites, take over browsers or steal confidential information.
WAFs are available as hardware, software or cloud-based. It is also possible to integrate them directly into applications to check whether every client trying to reach a server is allowed to do so. This uses classic blacklisting or whitelisting of recognised patterns, which can lead to false positives in some circumstances. Current WAF incarnations use, among other things, self-learning functions to detect and ward off previously unknown attacks.
With a WAF, IT can simultaneously close several security gaps in applications that lie behind the firewall. It is also a way to protect legacy systems that are no longer updated and are therefore vulnerable.
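As an added illustration of the blacklisting/whitelisting point above (this is example code, not from the article or any WAF product), the following Python compares a small signature deny-list against a positive model that defines the allowed format of each request parameter. The signatures, parameter names and sample requests are constructed: the deny-list flags a harmless comment containing "union ... select" as a false positive and misses a variant its patterns do not cover, while the allow-list rejects malformed values without needing to know any attack pattern.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed deny-list signatures of the kind a classic WAF applies to request
# parameters: (rule name, pattern). Like any signature set, they only catch known shapes.
DENY_RULES = [
    ("sqli_tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("sqli_union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("xss_script_tag", re.compile(r"<\s*script\b", re.I)),
]

# Positive model (allow-list): the format each known parameter may legitimately have.
ALLOW_RULES = {
    "id": re.compile(r"^\d{1,9}$"),
    "user": re.compile(r"^[a-z0-9_.-]{3,32}$"),
    "comment": re.compile(r"^[\w\s.,!?'()-]{1,500}$"),
}

Verdict = Tuple[str, Optional[str]]  # ("ALLOW" | "BLOCK", reason)

def denylist_verdict(params: Dict[str, str]) -> Verdict:
    """Signature matching: block the request if any value matches a deny rule."""
    for value in params.values():
        for name, pattern in DENY_RULES:
            if pattern.search(value):
                return "BLOCK", name
    return "ALLOW", None

def allowlist_verdict(params: Dict[str, str]) -> Verdict:
    """Positive model: block unknown parameters and values outside their allowed format."""
    for key, value in params.items():
        rule = ALLOW_RULES.get(key)
        if rule is None:
            return "BLOCK", f"unknown parameter '{key}'"
        if not rule.match(value):
            return "BLOCK", f"'{key}' violates its allowed format"
    return "ALLOW", None

def combined_verdict(params: Dict[str, str]) -> Verdict:
    """Layered check: a request passes only if neither model objects."""
    for check in (allowlist_verdict, denylist_verdict):
        verdict = check(params)
        if verdict[0] == "BLOCK":
            return verdict
    return "ALLOW", None
```

The trade-off is visible in the results: the positive model avoids the false positive but must be maintained per application, which is why the article notes that WAFs integrated into applications can be tuned to the clients that are actually expected.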