By Giorgio Bonuccelli of Parallels
Learn the basics about the various types of firewalls, the difference between them and how each type can protect your network in different ways.
A firewall is a basic but essential layer of security that acts as a barrier between your private network and the outside world. From first-generation, stateless firewalls to next-generation firewalls, firewall architectures have evolved tremendously over the past four decades. Today, organizations can choose between several types of firewalls, including application-level gateways (proxy firewalls), stateful inspection firewalls and circuit-level gateways, and even use multiple types simultaneously for a deep-layer, comprehensive security solution.
What Is a Firewall, and What Is It Used for?

A firewall is a security tool that monitors incoming and/or outgoing network traffic to detect and block malicious data packets based on predefined rules, allowing only legitimate traffic to enter your private network. Implemented as hardware, software or both, firewalls are typically your first line of defense against malware, viruses and attackers trying to make it to your organization's internal network and systems.
Much like a walk-through metal detector door at a building's main entrance, a physical or hardware firewall inspects each data packet before letting it in. It checks for the source and destination addresses, and based on predefined rules, it determines if a data packet should pass through or not. Once a data packet is inside your organization's intranet, a software firewall can further filter the traffic to allow or block access to specific ports and applications on a computer system, allowing better control and security from insider threats.
An access control list may define specific Internet Protocol (IP) addresses that cannot be trusted. The firewall will drop any data packets coming from those IPs. Alternatively, the access control list may specify trusted-source IPs, and the firewall will only allow the traffic coming from those listed IPs. There are several techniques for setting up a firewall. The scope of security they provide also depends generally on the type of firewall and how it is configured.
What Are the Types of Firewalls?
Structurally, firewalls can be software, hardware or a combination of both. Software firewalls are installed separately on individual devices. They provide more granular control, in that they can allow access for one application or feature while blocking others. But they can be expensive in terms of resources since they utilize the CPU and RAM of the devices they are installed on, and administrators must configure and manage them individually for each device. Additionally, all devices within an intranet may not be compatible with a single software firewall, and several different firewalls may be required.
Hardware firewalls, on the other hand, are physical devices, each with its own computing resources. They act as gateways between internal networks and the internet, keeping data packets and traffic requests from untrusted sources outside the private network. Physical firewalls are rather convenient for organizations with many devices on the same network. While they block malicious traffic well before it reaches any of the endpoints, they do not provide security against insider attacks. Therefore, a combination of both software and hardware firewalls can provide optimal security to your organization's network.
Firewalls are also categorized based on how they operate, and each type can be set up either as a software or a physical device. Based on their method of operation, there are four different types of firewalls.
Packet filtering firewalls
Packet filtering firewalls are the oldest, most basic type of firewalls. Operating at the network layer, they simply check a data packet for its source IP and destination IP, the protocol, source port and destination port against predefined rules to determine whether to pass or discard the packet. Packet filtering firewalls are essentially stateless, monitoring each packet independently without any track of the established connection or the packets that have passed through that connection previously. This makes these firewalls very limited in their capacity to protect against advanced threats and attacks.
Packet filtering firewalls are fast, cheap and effective. But the security they provide is very basic. Since these firewalls cannot examine the content of the data packets, they are incapable of protecting against malicious data packets coming from trusted source IPs. Being stateless, they are also vulnerable to source routing attacks and tiny fragment attacks. But despite their minimal functionality, packet filtering firewalls paved the way for modern firewalls that offer stronger and deeper security.
Circuit-level gateways
Working at the session layer, circuit-level gateways verify established Transmission Control Protocol (TCP) connections and keep track of the active sessions. They are quite similar to packet filtering firewalls in that they perform a single check and utilize minimal resources. However, they function at a higher layer of the Open Systems Interconnection (OSI) model. Primarily, they determine the security of an established connection. When an internal device initiates a connection with a remote host, circuit-level gateways establish a virtual connection on behalf of the internal device to keep the identity and IP address of the internal user hidden.
Circuit-level gateways are cost-efficient, simplistic and have barely any impact on a network's performance. However, their inability to inspect the content of data packets makes them an incomplete security solution on their own. A data packet containing malware can bypass a circuit-level gateway easily if it has a legitimate TCP handshake. That is why another type of firewall is often configured on top of circuit-level gateways for added protection.
Stateful inspection firewalls
A step ahead of circuit-level gateways, stateful inspection firewalls, in addition to verifying and keeping track of established connections, also perform packet inspection to provide better, more comprehensive security. They work by creating a state table with source IP, destination IP, source port and destination port once a connection is established. Based on this information, they create their own rules dynamically to allow expected incoming network traffic instead of relying on a hardcoded set of rules. They drop data packets that do not belong to a verified active connection.
Stateful inspection firewalls check for legitimate connections as well as source and destination IPs to determine which data packets can pass through. Although these extra checks provide advanced security, they consume a lot of system resources and can slow down traffic considerably. Hence, they are prone to distributed denial-of-service (DDoS) attacks.
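Added example (not part of the original article): a minimal Python simulation that runs the same traffic through a stateless packet filter and through a stateful firewall's state table, as described in the two sections above. The addresses, the port-443 rule and the simplified connection tracking are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags: "S" = SYN, "A" = ACK, "F" = FIN, "R" = RST
    inbound: bool   # True when the packet arrives from the outside network

def stateless_filter(pkt):
    """Packet filter: judges every packet alone against static rules."""
    if not pkt.inbound:
        return pkt.dport == 443              # internal clients may reach HTTPS
    # Replies must get back in, so a static rule has to trust the source port.
    return pkt.sport == 443 and pkt.dst.startswith("10.0.0.")

class StatefulFirewall:
    """Tracks connections opened from inside; inbound must match one."""
    def __init__(self):
        self.table = set()   # (src IP, src port, dst IP, dst port)

    def check(self, pkt):
        if pkt.inbound:      # allowed only as the reverse of a tracked flow
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table
        if pkt.dport != 443:
            return False
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "S":
            self.table.add(key)              # simplified: tracked from the SYN
        allowed = key in self.table
        if "F" in pkt.flags or "R" in pkt.flags:
            self.table.discard(key)          # simplified: no teardown timers
        return allowed

# Constructed sample traffic (documentation address ranges, not real hosts).
TRAFFIC = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "S", False),   # client opens
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, "SA", True),   # server reply
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "A", False),   # handshake done
    Packet("198.51.100.7", 443, "10.0.0.8", 3389, "A", True),     # no such flow
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "FA", False),  # client closes
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, "A", True),    # after close
]

def compare(packets):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    fw = StatefulFirewall()
    return [(stateless_filter(p), fw.check(p)) for p in packets]
```

The fourth and sixth packets pass the stateless filter because its static rule only looks at the source port, while the stateful firewall drops them because no matching entry exists in its state table.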
Application-level gateways (proxy firewalls)
Application-level gateways, also known as proxy firewalls, are implemented at the application layer via a proxy device. Instead of an outsider accessing your internal network directly, the connection is established through the proxy firewall. The external client sends a request to the proxy firewall. After verifying the authenticity of the request, the proxy firewall forwards it to one of the internal devices or servers on the client's behalf. Alternatively, an internal device may request access to a webpage, and the proxy device will forward the request while hiding the identity and location of the internal devices and network.
Unlike packet filtering firewalls, proxy firewalls perform stateful and deep packet inspection to analyze the context and content of data packets against a set of user-defined rules. Based on the outcome, they either permit or discard a packet. They protect the identity and location of your sensitive resources by preventing a direct connection between internal systems and external networks. However, configuring them to achieve optimal network protection can be a bit hard. You must also keep in mind the tradeoff: a proxy firewall is essentially an extra barrier between the host and the client, causing considerable slowdowns.
What Is a Next-Generation Firewall?
Next-generation firewalls (NGFWs) are meant to overcome the limitations of traditional firewalls while offering some additional security features as well. Despite flexible features and architectures, what makes a firewall truly next-generation is its ability to perform deep packet inspection in addition to port/protocol and surface-level packet inspection. Although there is no concrete, agreed-upon definition, according to Gartner, a next-generation firewall is "a deep-packet inspection firewall that moves beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention and bringing intelligence from outside the firewall."
A next-generation firewall combines the features of other types of firewalls into a single solution without affecting network performance. They are more robust and offer wider and deeper security than any of their predecessors. In addition to carrying out deep packet inspection to detect anomalies and malware, NGFWs come with an application awareness feature for intelligent traffic and resource analysis. These firewalls are fully capable of blocking DDoS attacks. They feature Secure Sockets Layer (SSL) decryption functionality to gain complete visibility across applications, enabling them to identify and block data breach attempts from encrypted applications as well.
Next-generation firewalls can identify users and user roles, but their predecessors relied mainly on the IP addresses of systems. This breakthrough feature enables users to leverage wireless, portable devices whilst providing broad-spectrum security across flexible working environments and bring your own device (BYOD) policies. They may also incorporate other technologies such as anti-virus and intrusion-prevention systems (IPS) to offer a more comprehensive approach towards security.
Next-generation firewalls are suitable for businesses that need to comply with the Health Insurance Portability and Accountability Act (HIPAA) or payment card industry (PCI) rules or for those that want multiple security features integrated into a single solution. But they do come at a higher price point than other types of firewalls, and depending on the firewall you choose, your administrator may need to configure them with other security systems.
Which Type of Firewall Best Suits My Organization?
There is no one-size-fits-all solution that can fulfill the unique security requirements of each and every organization. In fact, each one of the different types of firewalls has its own benefits and limitations. Packet filtering firewalls are simplistic but offer limited security, while stateful inspection and proxy firewalls can compromise network performance. Next-generation firewalls seem to be a complete package, but not all organizations have the budget or resources to configure and manage them successfully.
As attacks become more sophisticated, your organization's security defenses must catch up. A single firewall protecting the perimeter of your internal network from external threats is not enough. Each asset within the private network needs its own individual protection as well. It is best to adopt a layered approach towards security instead of relying on the functionality of a single firewall. And why even settle on one when you can leverage the benefits of multiple firewalls in an architecture optimized specifically for your organization's security needs?
Using Parallels RAS to Protect Access to Your Data
Detecting and mitigating cyberattacks in an ever-evolving threat landscape is as daunting as it is crucial. Regardless of how sophisticated they are, firewalls alone cannot offer enough protection. As flexible work environments and work-from-home business models become mainstream, employers and employees alike must take impending threats earnestly. Employees trying to access internal resources remotely must do so via a virtual private network (VPN) and use devices that are in compliance with the organization's policy.
Parallels® Remote Application Server (RAS) offers a wide range of tools and features to monitor and secure applications and data in a multi-cloud environment. It provides advanced access control and granular client policies to allow or restrict access based on gateway, media access control (MAC) address, client type, IP address, specific user or user role.
Parallels RAS enhanced data security also protects sensitive data and prevents unauthorized access through encryption and multi-factor authentication in addition to highly granular permission policies. With Parallels RAS, your employees can switch between devices and access on-premises data and applications from any location, all while your resources remain securely within the internal network.
Interested in learning more about how Parallels RAS enhanced data security can protect your corporate data? Download our 30-day trial today!