Picking the best firewall software, hardware or application
A comprehensive collection of articles, videos and more, hand-picked by our editors
What is a network firewall? What are the different types of firewalls? These questions, and more, are answered...
in our network security firewall guide. Part one of this tutorial will help IT pros learn about the types of firewalls -- from unified threat management (UTM) to proxys – and parts two and three give advice on firewall purchasing and placement and firewall maintenance and management.
Introduction to firewalls
A firewall is a hardware or software system that prevents unauthorized access to or from a network. It can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet. All data entering or leaving the intranet pass through the firewall, which examines each packet and blocks those that do not meet the specified security criteria.
Generally, firewalls are configured to protect against unauthenticated interactive logins from the outside world. This helps prevent hackers from logging into machines on your network. More sophisticated firewalls block traffic from the outside to the inside, but permit users on the inside to communicate a little more freely with the outside.
Firewalls are essential since they provide a single block point, where security and auditing can be imposed. Firewalls provide an important logging and auditing function; often, they provide summaries to the administrator about what type/volume of traffic has been processed through it. This is an important benefit: Providing this block point can serve the same purpose on your network as an armed guard does for your physical premises.
What are the different types of firewalls?
The National Institute of Standards and Technology (NIST) 800-10 divides firewalls into three basic types:
These three categories, however, are not mutually exclusive, as most modern firewalls have a mix of abilities that may place them in more than one of the three. For more information and detail on each category, see the NIST Guidelines on firewalls and firewall policy.
One way to compare firewalls is to look at the Transmission Control Protocol/Internet Protocol (TCP/IP) layers that each is able to examine. TCP/IP communications are composed of four layers; they work together to transfer data between hosts. When data transfers across networks, it travels from the highest layer through intermediate layers to the lowest layer; each layer adds more information. Then the lowest layer sends the accumulated data through the physical network; the data next moves upward, through the layers, to its destination. Simply put, the data a layer produces is encapsulated in a larger container by the layer below it. The four TCP/IP layers, from highest to lowest, are described further in the figure below.
The firewall remains a vital component in any network security architecture, and today's organizations have several types to choose from. It's essential that IT professionals identify the type of firewall that best suits the organization's network security needs.
Once selected, one of the key questions that shapes a protection strategy is "Where should the firewall be placed?" There are three common firewall topologies: the bastion host, screened subnet and dual-firewall architectures. Enterprise security depends on choosing the right firewall topology.
The next decision to be made, after the topology chosen, is where to place individual firewall systems in it. At this point, there are several types to consider, such as bastion host, screened subnet and multi-homed firewalls.
Remember that firewall configurations do change quickly and often, so it is difficult to keep on top of routine firewall maintenance tasks. Firewall activity, therefore, must be continuously audited to help keep the network secure from ever-evolving threats.
Network layer firewalls
Network layer firewalls generally make their decisions based on the source address, destination address and ports in individual IP packets. A simple router is the traditional network layer firewall, since it is not able to make particularly complicated decisions about what a packet is actually talking to or where it actually came from.
One important distinction many network layer firewalls possess is that they route traffic directly through them, which means in order to use one, you either need to have a validly assigned IP address block or a private Internet address block. Network layer firewalls tend to be very fast and almost transparent to their users.
Application layer firewalls
Application layer firewalls are hosts that run proxy servers, which permit no traffic directly between networks, and they perform elaborate logging and examination of traffic passing through them. Since proxy applications are simply software running on the firewall, it is a good place to do logging and access control. Application layer firewalls can be used as network address translators, since traffic goes in one side and out the other after having passed through an application that effectively masks the origin of the initiating connection.
However, run-of-the-mill network firewalls can't properly defend applications. As Michael Cobb explains, application layer firewalls offer Layer 7 security on a more granular level, and may even help organizations get more out of existing network devices.
In some cases, having an application in the way may impact performance and make the firewall less transparent. Older application layer firewalls that are still in use are not particularly transparent to end users and may require some user training. However, more modern application layer firewalls are often totally transparent. Application layer firewalls tend to provide more detailed audit reports and tend to enforce more conservative security models than network layer firewalls.
Future firewalls will likely combine some characteristics of network layer firewalls and application layer firewalls. It is likely that network layer firewalls will become increasingly aware of the information going through them, and application layer firewalls have already become more transparent. The end result will be kind of a fast packet-screening system that logs and checks data as it passes through.
Proxy firewalls offer more security than other types of firewalls, but at the expense of speed and functionality, as they can limit which applications the network supports.
Why are they more secure? Unlike stateful firewalls or application layer firewalls, which allow or block network packets from passing to and from a protected network, traffic does not flow through a proxy. Instead, computers establish a connection to the proxy, which serves as an intermediary, and initiate a new network connection on behalf of the request. This prevents direct connections between systems on either side of the firewall and makes it harder for an attacker to discover where the network is, because they don't receive packets created directly by their target system.
Proxy firewalls also provide comprehensive, protocol-aware security analysis for the protocols they support. This allows them to make better security decisions than products that focus purely on packet header information.
Unified threat management
A new category of network security products -- called unified threat management (UTM) -- promises integration, convenience and protection from pretty much every threat out there; these are especially valuable for enterprise use. As Mike Rothman explains, the evolution of UTM technology and vendor offerings make these products even more valuable to enterprises.
Security expert Karen Scarfone defines UTM products as firewall appliances that not only guard against intrusion but also perform content filtering, spam filtering, application control, Web content filtering, intrusion detection and antivirus duties; in other words, a UTM device combines functions traditionally handled by multiple systems. These devices are designed to combat all levels of malicious activity on the computer network.
An effective UTM solution delivers a network security platform comprised of robust and fully integrated security and networking functions along with other features, such as security management and policy management by a group or user. It is designed to protect against next generation application layer threats and offers a centralized management through a single console, all without impairing the performance of the network.
Advantages of using UTM
Convenience and ease of installation are the two key advantages of unified threat management security appliances. There is also much less human intervention required to install and configure them appliances. Other advantages of UTM are listed below:
- Reduced complexity: The integrated all-in-one approach simplifies not only product selection but also product integration, and ongoing support as well.
- Ease of deployment: Since there is much less human intervention required, either vendors or the customers themselves can easily install and maintain these products.
- Integration capabilities: UTM appliances can easily be deployed at remote locations without the on-site help of any security professional. In this scenario a plug-and-play appliance can be installed and managed remotely. This kind of management is synergistic with large, centralized software-based firewalls.
- Black box character: Users have a tendency to play with things, and the black box nature of a UTM limits the damage users can do and, thus, reduces help desk calls and improves security.
- Troubleshooting ease: When a box fails, it is easier to swap out than troubleshoot. This process gets the node back online quicker, and a non-technical person can do it, too. This feature is especially important for remote offices without dedicated technical staff on site.
Challenges of using UTM
UTM products are not the right solution for every environment. Many organizations already have a set of point solutions installed that, combined, provide network security capabilities similar to what UTMs offer, and there can be substantial costs involved in ripping and replacing the existing technology install a UTM replacement. There are also advantages to using the individual products together, rather than a UTM. For instance, when individual point products are combined, the IT staff is able to select the best product available for each network security capability; a UTM can mean having to compromise and acquire a single product that has stronger capabilities in some areas and weaker ones in others.
Another important consideration when evaluating UTM solutions is the size of the organization in which it would be installed. Smallest organizations might not need all the network security features of a UTM. There is no need for a smaller firm to tax its budget with a UTM if many of its functions aren't needed. On the other hand, a UTM may not be right for larger, more cyber-dependent organizations either, since these often need a level of scalability and reliability in their network security that UTM products might not support (or at least not support as well as a set of point solutions). Also a UTM system creates a single point of failure for most or all network security capabilities; UTM failure could conceivably shut down an enterprise, with a catastrophic effect on company security. How much an enterprise is willing to rely on a UTM is a question that must be asked, and answered.
Continue to the next section of this tutorial on choosing a firewall.
Mike Chapple explains how carefully deployed application firewalls plug critical holes in enterprise defenses.
The Integration of Networking and Security School features a tip, webcast and quiz from Michael Cobb.
Learn to deploy managed UTM remote firewall/VPN appliances