The network firewall is the first line of defense for traffic that passes in and out of a network. The firewall examines traffic to ensure it meets the security requirements set by the organization, and unauthorized access attempts are blocked.
The intention behind network firewalls is that they filter internet transmissions so that only traffic that belongs is allowed into an organization. Decisions are based on pre-set rules or policies. Like many areas of technology, firewalls have evolved greatly over time and are more sophisticated in terms of efficacy as well as flexibility of deployment. For example, they have developed the ability to be deployed in completely virtual environments to protect data transferred to and from the cloud or to protect remote branches.
Types of network firewalls
IP communication is still described by a handful of attributes, such as source and destination IP addresses, protocols, ports and URLs, so packet filtering remains at the core of firewall defense and is the best first line of defense for an organization’s network.
The main types of firewalls are:
- Packet filtering firewalls: An early type of firewall security that relied on packet characteristics like source and destination IP address, port and protocol of individual packets to determine if the packet should be allowed through or dropped.
- Stateful inspection firewalls: This form of firewall protection added the capability to look at packets that belong to one complete session. Once a session is established, the source and destination are allowed to communicate without the need to re-evaluate the rule set for each subsequent packet in that session.
- Application layer firewalls: These network security firewalls examine packet-level information and application-layer information such as the URL of the HTTP request.
- Next-generation firewalls: The latest firewall technology adds so many capabilities that it merits its own section below.
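To make the difference between the first three types concrete, here is an added Python example that is not part of the original article and does not come from any vendor mentioned in it. It simulates a stateless packet filter, a stateful inspection firewall and an application-layer firewall, and runs the same four constructed packets through each. The addresses, the rule set, the blocked URL path and the simplified prefix matching of addresses are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN opens a new connection
    payload: str = ""   # application data (an HTTP request line here)

@dataclass(frozen=True)
class Rule:
    # A packet-filter rule; None means "any". Addresses match by string prefix (assumption).
    action: str         # "allow" or "deny"
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src is None or p.src.startswith(self.src))
                and (self.dst is None or p.dst.startswith(self.dst))
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))

def packet_filter(rules: List[Rule], p: Packet) -> str:
    """Stateless packet filter: first matching rule wins, default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

class StatefulFirewall:
    """Stateful inspection: rules are consulted only for the packet that opens
    a session; later packets in that session are matched to the session table."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.sessions = set()   # (proto, src, sport, dst, dport) of open sessions

    def inspect(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.sessions or reverse in self.sessions:
            return "allow"               # known session, either direction
        if p.proto == "tcp" and not p.syn:
            return "deny"                # TCP packet with no session: out of state
        verdict = packet_filter(self.rules, p)
        if verdict == "allow":
            self.sessions.add(key)       # remember the newly opened session
        return verdict

class ApplicationFirewall(StatefulFirewall):
    """Application-layer firewall: after the stateful checks, reads the HTTP
    request line and blocks requests for disallowed URL paths."""
    def __init__(self, rules: List[Rule], blocked_paths: List[str]):
        super().__init__(rules)
        self.blocked_paths = blocked_paths

    def inspect(self, p: Packet) -> str:
        verdict = super().inspect(p)
        if verdict != "allow" or p.dport != 80 or not p.payload:
            return verdict
        parts = p.payload.split()        # e.g. ["GET", "/admin/config", "HTTP/1.1"]
        if len(parts) >= 2 and parts[0] in ("GET", "POST"):
            if any(parts[1].startswith(b) for b in self.blocked_paths):
                return "deny"
        return verdict

# Constructed policy: hosts in 10.0.0.0/24 may open HTTP and HTTPS connections.
RULES = [Rule("allow", proto="tcp", src="10.0.0.", dport=80),
         Rule("allow", proto="tcp", src="10.0.0.", dport=443)]
# A stateless filter also needs a rule for replies; without session memory it
# cannot tell a genuine reply from any other packet sent from port 80.
RETURN_RULE = Rule("allow", proto="tcp", dst="10.0.0.", sport=80)

def demo() -> dict:
    """Run the same four constructed packets through each firewall type."""
    lan, web = "10.0.0.5", "203.0.113.10"                 # constructed addresses
    open_ = Packet(lan, web, "tcp", 40000, 80, syn=True)
    reply = Packet(web, lan, "tcp", 80, 40000)
    stray = Packet(web, lan, "tcp", 80, 40001)            # no session on port 40001
    req = Packet(lan, web, "tcp", 40000, 80, payload="GET /admin/config HTTP/1.1")
    packets = (open_, reply, stray, req)
    sf, af = StatefulFirewall(RULES), ApplicationFirewall(RULES, ["/admin/"])
    return {
        "stateless": [packet_filter(RULES, p) for p in packets],
        "stateless_with_return_rule": [packet_filter(RULES + [RETURN_RULE], p) for p in packets],
        "stateful": [sf.inspect(p) for p in packets],
        "application": [af.inspect(p) for p in packets],
    }

if __name__ == "__main__":
    print(demo())
```

The four verdict lists show the trade-off each generation makes. The stateless filter drops the legitimate reply because it only sees one packet at a time; the moment a return rule is added to fix that, the stray packet from port 80 is admitted too. The stateful firewall admits the reply because it remembers the session the LAN host opened, and still drops the stray packet, which belongs to no session. The application-layer firewall reaches the same verdicts and additionally denies the request for the blocked path, which it can only do because it reads the HTTP request line rather than just the headers.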
Gartner defines a next-generation firewall (NGFW) as a deep-packet inspection tool that moves beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention and intelligence from outside the firewall. This is not to be confused with a network intrusion prevention system (IPS), which typically includes either a basic commodity firewall or consists of an appliance containing a poorly integrated firewall and IPS.
Some next-generation firewalls can perform full-packet inspection on encrypted traffic. Additionally, they can apply application-specific and user-specific security policies. This helps protect against threats, manage how network bandwidth is allocated and maintain appropriate access controls. Some NGFWs may also prevent malware from getting into the network. “Advanced firewalls can detect intrusion attempts, user identity and application control, in addition to simply identifying unauthorized traffic access,” said Maniar.
Next-generation firewalls, then, are regular network firewalls that have additional capabilities that allow them to do more than static filtering of traffic. They inspect at the application layer and can do SSL traffic inspection, intrusion and other prevention techniques. They can be deployed at the perimeter, inside the network as core firewalls to segment traffic, and also within a host to protect virtual workloads.
But network security firewalls, no matter how advanced or next-gen, won’t stop everything. They generally don’t detect and stop threats that have entered a network via social engineering, insider threats, email or Bring Your Own Device (BYOD). Other security tools are required to take care of that side of the equation.
Yet some vendors have begun to integrate these features into their firewall products. Whether these tools can validly be termed “firewalls” is a matter of debate. But the reality is that the combination of traditional firewall technology with the latest security techniques provides a formidable obstacle for cyber criminals.
Network firewall hardware and software
Firewalls were originally hardware-based; software-based firewalls arrived on the scene later. Some vendors insist software firewalls can now perform and scale similarly to their hardware-native counterparts for most use cases, conceding only that the largest and most demanding environments may still require a heavy-duty hardware firewall.
Others say that software firewalls are only for home users and personal devices. Hardware firewalls, on the other hand, can protect the entire network, whether it is the home network, a small branch, an enterprise or a large service provider.
The common denominator of all these viewpoints is that the firewall of today is quite different from those of a decade ago. How different, though, depends on the vendor’s technology emphasis. The various software and hardware camps make liberal use of terminology such as virtual firewall and virtual appliances. Thus virtualization has blurred the lines between what were once quite distinct software- and hardware-based firewalls.
Next-generation firewall solutions
Gartner analyst Adam Hils said next-generation vendors can be differentiated based on feature strengths. Each has its own take on what next generation means.
“Buyers must consider the trade-offs between best-of-breed function and costs,” said Hils.
Gartner added that less than 50% of enterprise internet connections today are secured using next-generation firewalls. By year-end 2019, however, this is expected to rise to 90% of the installed base. Understandably, there are many vendors seeking to exploit this surge in the firewall market. Here are a few of the candidates which fared well in the most recent Gartner next-generation firewall Magic Quadrant.
Juniper Networks offers a portfolio of network firewalls that can service mid-size enterprises, large enterprises, service providers in a private or public cloud, and hybrid environments. Juniper’s Software-Defined Secure Network (SDSN) runs the JUNOS operating system, which provides uniform administration across its hardware-based and software firewalls.
Palo Alto Networks claims that some firewalls masquerade as next-generation firewalls by tacking deep inspection modules onto traditional port- and protocol-based architectures. It characterizes its own offering as a true NGFW that natively classifies all traffic based on applications, users and content.
Barracuda Networks NextGen Firewalls allow users to regulate application usage and prioritize network traffic with features like link balancing and WAN optimization. They can be deployed in cloud, virtual, and on-premises scenarios. This includes small remote offices, a single desktop, or a large campus. They can defend against: intrusion attempts and exploit patterns at the network layer; unauthorized access control attempts; DoS and DDoS attacks; malware such as viruses, worms and Trojans; and advanced threats such as backdoor attacks or covert phone home activity from botnets, as well as blocking access to unwanted websites and servers via web filtering, said Gheri.
Check Point Software’s firewall gateway can be augmented via subscriptions to provide advanced malware protection and multiple threat intelligence feeds. Its firewall can support public clouds such as Amazon Web Services and Microsoft Azure. It also integrates with VMware NSX and Cisco Application Centric Infrastructure.