
What is a firewall?

A firewall is software or firmware that prevents unauthorized access to a network. It inspects incoming and outgoing traffic using a set of rules to identify and block threats.

Firewalls are used in both personal and enterprise settings, and many devices come
with one built-in, including Mac, Windows, and Linux computers. They are widely
considered an essential component of network security.

Why are firewalls important?

Firewalls are important because they have had a huge influence on modern security techniques and are still widely used. Firewalls have become the foundation of network security in the client-server model – the central architecture of modern computing. Most devices use firewalls – or closely related tools – to inspect traffic and mitigate threats.

Uses
Firewalls are used in both corporate and consumer settings. Modern organizations
incorporate them into a security information and event management (SIEM)
strategy along with other cybersecurity devices. They may be installed at an
organization's network perimeter to guard against external threats, or within the
network to create segmentation and guard against insider threats.

In addition to immediate threat defense, firewalls perform important logging and audit functions. They keep a record of events, which can be used by administrators to identify patterns and improve rule sets. Rules should be updated regularly to keep up with ever-evolving cybersecurity threats. Vendors discover new threats and develop patches to cover them as soon as possible.

In a single home network, a firewall can filter traffic and alert the user to intrusions. Firewalls are especially useful for always-on connections, like Digital Subscriber Line (DSL) or cable modem, because those connection types use static IP addresses. They are often used alongside antivirus applications. Personal firewalls, unlike corporate ones, are usually a single product as opposed to a collection of various products. They may be software or a device with firewall firmware embedded. Hardware/firmware firewalls are often used for setting restrictions between in-home devices.

How does a firewall work?

A firewall establishes a border between an external network and the network it guards. It is inserted inline across a network connection and inspects all packets entering and leaving the guarded network. As it inspects, it uses a set of pre-configured rules to distinguish between benign and malicious packets.

The term 'packets' refers to pieces of data that are formatted for internet transfer.
Packets contain the data itself, as well as information about the data, such as where
it came from. Firewalls can use this packet information to determine whether a
given packet abides by the rule set. If it does not, the packet will be barred from
entering the guarded network.

Rule sets can be based on several things indicated by packet data, including:

• Their source.
• Their destination.
• Their content.

These characteristics may be represented differently at different levels of the network. As a packet travels through the network, it is reformatted several times to tell the protocol where to send it. Different types of firewalls exist to read packets at different network levels.

Types of firewalls

Firewalls are either categorized by the way they filter data, or by the system they protect.

When categorizing by what they protect, the two types are: network-based and host-based. Network-based firewalls guard entire networks and are often hardware. Host-based firewalls guard individual devices – known as hosts – and are often software.

When categorizing by filtering method, the main types are:

• A packet-filtering firewall examines packets in isolation and does not know the packet's context.
• A stateful inspection firewall examines network traffic to determine whether one packet is related to another packet.
• A proxy firewall (aka application-level gateway) inspects packets at the application layer of the Open Systems Interconnection (OSI) reference model.
• A Next Generation Firewall (NGFW) uses a multilayered approach to integrate enterprise firewall capabilities with an intrusion prevention system (IPS) and application control.

Each type in the list examines traffic with a higher level of context than the one before – i.e., stateful has more context than packet-filtering.

Packet-filtering firewalls

When a packet passes through a packet-filtering firewall, its source and destination address, protocol and destination port number are checked. The packet is dropped – meaning not forwarded to its destination – if it does not comply with the firewall's rule set. For example, if a firewall is configured with a rule to block Telnet access, then the firewall will drop packets destined for Transmission Control Protocol (TCP) port number 23, the port where a Telnet server application would be listening.

A packet-filtering firewall works mainly on the network layer of the OSI reference model, although the transport layer is used to obtain the source and destination port numbers. It examines each packet independently and does not know whether any given packet is part of an existing stream of traffic.

The packet-filtering firewall is effective, but because it processes each packet in isolation, it can be vulnerable to IP spoofing attacks and has largely been replaced by stateful inspection firewalls.

Stateful inspection firewalls

Stateful inspection firewalls – also known as dynamic packet-filtering firewalls – monitor communication packets over time and examine both incoming and outgoing packets.

This type maintains a table that keeps track of all open connections. When new
packets arrive, it compares information in the packet header to the state table – its
list of valid connections – and determines whether the packet is part of an
established connection. If it is, the packet is let through without further analysis. If
the packet does not match an existing connection, it is evaluated according to the
rule set for new connections.

Although stateful inspection firewalls are quite effective, they can be vulnerable
to denial-of-service (DoS) attacks. DoS attacks work by taking advantage of
established connections that this type generally assumes are safe.
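As an added illustration (not code from the original article), here is a small Python model of the two filtering styles described above: a stateless packet filter that applies the Telnet rule from the text to each packet on its own, and a stateful wrapper that records accepted connections in a state table so that the server's reply is recognised as part of an established connection. The addresses, the rule set and the SYN-only rule for opening a TCP connection are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Constructed header view: the fields a packet filter reads."""
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag, set on the first packet of a new connection

# Rule set (constructed): (src, dst, proto, dport, action); "*" matches anything.
# First matching rule wins; the last rule is a default deny.
RULES = [
    ("*", "*", "tcp", 23, "drop"),            # block Telnet, as in the text
    ("*", "10.0.0.5", "tcp", 80, "accept"),   # allow web traffic to an internal server
    ("*", "*", "*", "*", "drop"),
]

def packet_filter(pkt):
    """Stateless filter: each packet is judged on its own header fields only."""
    for src, dst, proto, dport, action in RULES:
        if (src in ("*", pkt.src) and dst in ("*", pkt.dst)
                and proto in ("*", pkt.proto) and dport in ("*", pkt.dport)):
            return action
    return "drop"

class StatefulFirewall:
    """Stateful inspection: accepted connections are remembered in a state table."""
    def __init__(self):
        self.state = set()   # 5-tuples of connections that passed RULES

    def inspect(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        # Part of an established connection (either direction): pass without re-evaluation
        if key in self.state or reverse in self.state:
            return "accept"
        # Unknown TCP packet that is not a SYN cannot open a connection: drop it
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop"
        # New connection: evaluate against the rule set and record it if allowed
        action = packet_filter(pkt)
        if action == "accept":
            self.state.add(key)
        return action
```

The stateless filter drops the server's reply because no rule mentions the client's ephemeral port, while the stateful firewall accepts it because the connection is already in its table.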

Application layer and proxy firewalls

This type may also be referred to as a proxy-based or reverse-proxy firewall. They provide application layer filtering and can examine the payload of a packet to distinguish valid requests from malicious code disguised as a valid request for data.
As attacks against web servers became more common, it became apparent that
there was a need for firewalls to protect networks from attacks at the application
layer. Packet-filtering and stateful inspection firewalls cannot do this at the
application layer.

Since this type examines the payload's content, it gives security engineers more
granular control over network traffic. For example, it can allow or deny a specific
incoming Telnet command from a particular user, whereas other types can only
control general incoming requests from a particular host.

When this type lives on a proxy server – making it a proxy firewall -- it makes it
harder for an attacker to discover where the network actually is and creates yet
another layer of security. Both the client and the server are forced to conduct the
session through an intermediary -- the proxy server that hosts an application layer
firewall. Each time an external client requests a connection to an internal server or
vice versa, the client will open a connection with the proxy instead. If the
connection request meets the criteria in the firewall rule base, the proxy firewall
will open a connection to the requested server.

The key benefit of application layer filtering is the ability to block specific content,
such as known malware or certain websites, and recognize when certain
applications and protocols, such as Hypertext Transfer Protocol (HTTP), File
Transfer Protocol (FTP) and domain name system (DNS), are being misused.
Application layer firewall rules can also be used to control the execution of files or
the handling of data by specific applications.
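Added example (not from the original article) of what application layer filtering adds over header checks: the inspector below looks at the payload of traffic arriving on the HTTP port, rejects bytes that are not a well-formed HTTP request (the protocol-misuse case the text mentions), and applies policy to the request method and Host header. The allowed method set and the blocked host list are constructed placeholders.

```python
import re
from typing import Tuple

# What an application layer firewall sees is the payload itself, not only the headers.
REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]\r\n")
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
BLOCKED_HOSTS = {b"blocked.example"}   # constructed: sites the policy denies

def inspect_http(payload: bytes) -> Tuple[str, str]:
    """Return (verdict, reason) for a payload that arrived on the HTTP port."""
    m = REQUEST_LINE.match(payload)
    if not m:
        # Bytes on port 80 that do not form an HTTP request: the protocol is being misused
        return ("deny", "not a well-formed HTTP request")
    method = m["method"].decode()
    if m["method"] not in ALLOWED_METHODS:
        return ("deny", f"method {method} not permitted")
    # Parse the header block so policy can act on application-level fields such as Host
    head = payload.partition(b"\r\n\r\n")[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get(b"host", b"")
    if not host:
        return ("deny", "no Host header to apply site policy to")
    if host in BLOCKED_HOSTS:
        return ("deny", f"host {host.decode()} is blocked by policy")
    return ("allow", f"{method} {m['target'].decode()} to {host.decode()}")
```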

Next generation firewalls (NGFW)

This type is a combination of the other types with additional security software and devices bundled in. Each type has its own strengths and weaknesses, and some protect networks at different layers of the OSI model. The benefit of an NGFW is that it combines the strengths of each type to cover each type's weakness. An NGFW is often a bundle of technologies under one name as opposed to a single component. Modern network perimeters have so many entry points and different types of users that stronger access control and security at the host are required. This need for a multilayer approach has led to the emergence of NGFWs.

An NGFW integrates three key assets: traditional firewall capabilities, application awareness and an IPS. Like the introduction of stateful inspection to first-generation firewalls, NGFWs bring additional context to the firewall's decision-making process.

NGFWs combine the capabilities of traditional enterprise firewalls -- including Network Address Translation (NAT), Uniform Resource Locator (URL) blocking and virtual private networks (VPNs) -- with quality of service (QoS) functionality and features not traditionally found in first-generation products. NGFWs support intent-based networking by including Secure Sockets Layer (SSL) and Secure Shell (SSH) inspection, and reputation-based malware detection. NGFWs also use deep packet inspection (DPI) to check the contents of packets and prevent malware.

When an NGFW, or any firewall, is used in conjunction with other devices, it is termed unified threat management (UTM).

Firewall vendors

Enterprises looking to purchase a firewall should be aware of their needs and understand their network architecture. There are many different types, features, and vendors that specialize in those different types. Here are a few reputable NGFW vendors:

• Palo Alto: extensive coverage but not cheap.
• SonicWall: good value and works for a range of enterprise sizes. SonicWall has solutions for small, medium or large-scale networks. Its only downfall is that it is somewhat lacking in cloud features.
• Cisco: largest breadth of features for an NGFW but not cheap either.
• Sophos: good for midsize enterprises and easy to use.
• Barracuda: decent value, great management, support and cloud features.
• Fortinet: extensive coverage, great value and some cloud features.
