Introduction to Firewall

A firewall is a network security device, either hardware or software-based, which monitors all incoming and outgoing traffic and, based on a defined set of security rules, accepts, rejects or drops that specific traffic.

A firewall establishes a barrier between secured internal networks and outside untrusted networks, such as the Internet.

Before Firewalls, network security was performed by Access Control Lists (ACLs) residing on routers. ACLs are rules that determine whether network access should be granted or denied to a specific IP address.

However, ACLs cannot determine the nature of the packet it blocks. Also, ACL alone does not have the capacity to keep threats out of the network. Hence, the Firewall was introduced.

Connectivity to the Internet is no longer optional for organizations. However, accessing the Internet provides benefits to the organization; it also enables the outside world to interact with the internal network of the organization. This creates a threat to the organization. In order to secure the internal network from unauthorized traffic, we need a Firewall.

Firewall Generations

First Generation- Packet Filtering Firewall

A packet filtering firewall is used to control network access by monitoring outgoing and incoming packets and allowing them to pass or stop based on source and destination IP address, protocols and ports. It analyses traffic at the transport protocol layer (but mainly uses the first three layers).

Second Generation- Stateful Inspection Firewall

Stateful firewalls (perform Stateful Packet Inspection) are able to determine the connection state of the packet, unlike Packet filtering firewalls, which makes it more efficient. It keeps track of the state of network connections travelling across it, such as TCP streams. So, the filtering decisions would not only be based on defined rules but also on the packet’s history in the state table.

Third Generation- Application Layer Firewall

The application layer firewall can inspect and filter the packets on any OSI layer, including the application layer. It has the ability to block specific content and recognize when certain applications and protocols (like HTTP and FTP) are being misused.

Next-Generation Firewalls (NGFW)

Next-generation firewalls are being deployed these days to stop modern security breaches like advanced malware attacks and application-layer attacks. NGFW consists of deep packet inspection, application inspection, SSL/SSH inspection, and many other functionalities to protect the network from these modern threats.

Types of Firewalls

Firewalls are a key component of network security and can be categorized in several ways based on their function, deployment, and technology. Here's a detailed explanation of the different types of firewalls, drawing on the provided sources:

By Function

Packet Filtering Firewalls

These are the earliest and simplest forms of firewalls. They operate at the network layer and inspect individual packets of data as they travel across a network. Each packet has metadata attached, including source and destination IP addresses, protocol and port numbers. The firewall uses an access control list (ACL) that contains rules to decide whether to allow or block a packet based on its metadata. Actions taken include silently discarding the packet, discarding it with an ICMP or TCP reset response, or forwarding it to the next hop. Packet filtering is efficient but has limitations as it doesn't track the state of network connections or analyze the actual content of the data.

Stateful Packet Inspection Firewalls

These firewalls build on the capabilities of packet filtering by also keeping track of the state of active connections. They maintain a record of the port numbers used for communication between two IP addresses at the transport layer (Layer 4 of the OSI model). This allows them to examine the overall exchange between the nodes and determine if a packet is part of an existing, valid connection or the start of a new one. Packets that don't fit either of these criteria are considered useless and can be dropped. Stateful inspection is more secure than simple packet filtering because it can identify unusual or malicious activity that might not be apparent by just looking at individual packets.

Application-Layer Firewalls

These firewalls operate at the application layer (Layer 7 of the OSI model) and go beyond just inspecting packet metadata. They understand specific applications and protocols like FTP, DNS, or HTTP. This allows them to analyze the actual data being transmitted and determine if it's valid for the specific protocol being used. Application-layer firewalls can identify malicious content or unusual activity, such as unwanted applications or services using non-standard ports or abuse of an allowed protocol. They can also provide features like unified security management with encrypted DNS and virtual private networking.

Next-Generation Firewalls (NGFWs)

These represent the third generation of firewall technology and combine the functions of traditional firewalls with advanced features. NGFWs include intrusion prevention systems (IPS), which actively detect and block malicious activities. They perform deep packet inspection (DPI), which analyzes packet payloads for malicious content and signatures. NGFWs also offer other advanced features such as TLS/SSL-encrypted traffic inspection, website filtering, quality of service (QoS) and bandwidth management, and integration with third-party identity management systems like LDAP, RADIUS and Active Directory. NGFWs provide a much more granular and thorough approach to network security compared to earlier firewalls.

Web Application Firewalls (WAFs)

A WAF is a specialized firewall that focuses on filtering HTTP traffic. ModSecurity is an example of an open-source WAF that uses rules to monitor, log, and filter HTTP communications. WAFs are commonly used to protect against common web vulnerabilities, using rule sets like the OWASP ModSecurity Core Rule Set. WAFs can be deployed within web servers or as proxy servers.

By Deployment

Network-Based Firewalls

These firewalls are positioned between two or more networks, such as between a local area network (LAN) and a wide area network (WAN). Their primary function is to control the flow of data between the connected networks. They can be implemented as software running on general-purpose hardware, hardware appliances running on special-purpose hardware, or virtual appliances. These firewalls often provide non-firewall features, like DHCP or VPN services.

Host-Based Firewalls

These are deployed directly on a host to control network traffic and computing resources. They can be implemented as a daemon or service that is part of the operating system or as an agent application. Host-based firewalls protect the machine they are installed on and are typically used in conjunction with network-based firewalls.

Endpoint-Based Application Firewalls

These firewalls focus on controlling connections at the process level of a device. They filter connections based on the process ID of data packets and compare them to a defined rule set. These firewalls use hooks into socket calls, which are also called socket filters, and filter connections between the application and lower network layers.

By Implementation

Software-Based Firewalls

These are often programs installed on computers that are used for other tasks. They are commonly referred to as "personal firewalls". These are suitable for individual machines and home networks, providing basic protection.

Hardware-Based Firewalls

These firewalls are implemented as dedicated hardware appliances. They offer higher performance compared to software firewalls, but they also tend to be more expensive. Hardware firewalls are often used to protect larger and more complex networks.

Other Firewall Functions

Tunneling

Firewalls can create secure connections between two networks, which is called tunneling. The data is typically encrypted and decrypted at each end, making the network unaware of this secure passage.

Network Address Translation (NAT)

Firewalls can translate IP addresses, allowing multiple computers to share a smaller number of public IP addresses. This feature helps to conceal the internal network structure and addresses, adding an extra layer of security.

Each of these types of firewalls plays a critical role in different contexts, with the type needed depending on the specific requirements of the network that needs to be protected.

Difference Between Traditional and NGFW Firewalls

Traditional Firewall

A traditional firewall is a network security device which typically provides stateful inspection of network traffic that enters or exits points inside the network based on state, port, and protocol. So, in simple, traditional firewalls mainly control the flow of control. It has Virtual Private Network (VPN) capabilities. But nowadays days, traditional firewalls are not so effective in offering al

l required protection to deal with the advanced and various types of cyber threats that are happening today.

Next-Generation Firewall

A Next Generation firewall is a network security device which not only typically provides stateful inspection of network traffic that enters or exits points inside the network based on state, port, and protocol but also includes far more additional features than a traditional firewall. In short, the Next Generation Firewall is only termed NGFW.

Firewall Features

The additional features which are included in the Next Generation Firewall are as follows –

• Application awareness and control

• Integrated intrusion prevention

• Deep Packet Inspection (DPI)

• Integrated Intrusion Protection System (IPS)

• Cloud-delivered threat intelligence

• Secure Sockets Layer (SSL) Inspection and Secure Shell (SSH) Control

• Sandbox Integration

• No impact of a list of protections enabled on performance

• Advanced Threat Protection

• Web Filtering

• Antivirus, Antispam, Antimalware

Top 10 Firewall Vendors in the Market

Palo Alto Networks: Palo Alto Networks is a cybersecurity company focused on AI-powered security. They provide platforms for network, cloud, and AI-driven security operations. They offer solutions like the Strata Network Security Platform and Prisma Cloud. Their Unit 42 team provides threat intelligence and incident response. They have a large customer base, including 95% of the Fortune 100. They also have a global presence and provide solutions for various industries.

Checkpoint Firewall Technology: Check Point offers AI-powered security gateways with high threat prevention. Their Quantum firewalls provide network security, including remote access VPN, SASE, and SD-WAN. They defend against IoT, DDoS, and Zero Day attacks. Check Point achieves a 99.8% block rate against zero-day attacks. They provide a unified policy to manage network security. The company has solutions for various industries and organization sizes. They offer firewall clustering, load balancing and high-performance data center security.

Fortunet: Fortinet's FortiGate firewalls offer AI-powered security with a focus on threat intelligence, including IPS, sandboxing, and web filtering. They offer a single operating system for their security solutions and claim to provide the highest threat protection performance in the industry. Fortinet delivers converged networking and security with its firewalls, including features such as zero-trust network access (ZTNA) and secure SD-WAN. FortiGate firewalls also provide centralized management. They offer a broad range of firewall appliances and products and serve a large global customer base. They also offer cloud-based firewalls.

Cisco FTD: Cisco Secure Firewall Threat Defense is a firewall product released in 2016. It has setup resources, including guides and videos. There are multiple security notices and advisories related to the product and its software. Various end-of-life announcements exist for related appliances. Documentation is categorized for configuration, design, installation, and troubleshooting. The product has compatibility guides, release notes, command references, and licensing information. There are also migration tools for moving from other firewalls. It includes a REST API.

Juniper: Juniper's Next-Generation Firewall offers robust security by providing comprehensive threat detection and prevention with integrated SD-WAN and secure networking capabilities. It delivers high performance, scalability, and low latency while ensuring seamless security management across hybrid networks. The platform emphasizes advanced AI-driven security and automation for improved risk management.

Huwaei: Huawei is a global leader in ICT solutions, offering innovative technologies in telecommunications, enterprise networking, cloud computing, and cybersecurity. With a focus on digital transformation, Huawei empowers businesses and industries with reliable, secure, and scalable solutions.

Sophos: Sophos Next-Gen Firewall is designed to provide comprehensive network security by integrating various protective features, including deep packet inspection, VPN support, and advanced threat prevention capabilities. It delivers powerful visibility and control to protect against evolving cyber threats, simplifying security management. The solution also includes advanced reporting and analytics for real-time monitoring and response.

Force point: Forcepoint's Next-Generation Firewall (NGFW) offers advanced protection against cyber threats by integrating industry-leading security with flexible networking capabilities. It provides scalable solutions for various network environments, from remote offices to large enterprises, with high throughput and unified policy management. The platform also includes integrated SD-WAN functionality for efficient traffic management.

Barracuda: Barracuda CloudGen Firewall offers advanced security features to protect network environments, including secure SD-WAN, zero-trust access, and centralized management for enhanced visibility and control. It supports multi-cloud and hybrid network environments and helps organizations optimize performance while securing remote and branch offices.

Watch Guard: WatchGuard's Firebox provides advanced threat protection with high-performance firewalls for businesses of all sizes. It offers physical appliances, virtual firewalls, and cloud-based options to safeguard on-premises, virtual, and cloud environments. With features like modular ports, dual power supplies, and PoE+, Firebox is ideal for both small offices and larger enterprises. The platform integrates security tools for simplified management, ensuring comprehensive protection across hybrid networks.