Many different types of firewalls share a basic gatekeeping function: preventing unauthorized traffic from flowing into or out of a private network, while allowing sanctioned traffic to continue uninterrupted. A firewall might sit between an enterprise network and the internet, for example, allowing internal users to access information from external networks with varying levels of trust, without compromising security or taking unnecessary risks.
Part one of this tutorial provides a basic introduction to firewall technology and how it helps keep organizations' sensitive data and resources secure. It also explains how various types of firewalls -- from unified threat management (UTM) to proxies -- work.
How do firewalls work?
A firewall typically works by filtering network traffic and comparing each data packet against a set of firewall rules -- preestablished, user-defined security policies tailored to meet organizational requirements. These rules determine how the firewall application will treat various types of traffic. The two main types of firewall rules are inbound rules -- which apply to incoming, or ingress, network traffic -- and outbound rules -- which apply to outgoing, or egress, network traffic.
Inbound firewall rules are the most common, as they guard a secure network against unauthenticated interactive logins from the outside world. This helps prevent attackers from logging in to machines on a private network, as happens in a denial-of-service or malware attack. All data entering the intranet must pass through the firewall, which examines each packet in turn and denies or drops those that do not meet the specified security criteria.
Outbound firewall rules, on the other hand, work to keep certain information inside a private network -- guarding against illegal uploads and data exfiltration related to corporate espionage, for example. Inbound and outbound firewall rules can dictate the filtering of packets based on a number of variables, such as source or destination IP address, source or destination port, type of protocol or packet state.
Both inbound and outbound firewall rules are unilateral and one-directional in nature, meaning they apply to only one end of a connection. In contrast, the less common connection security rules require that the computers on both sides of a connection meet predefined security requirements, before the firewall will allow them to connect. Connection security rules are not as widely used as inbound and outbound firewall rules, and are typically seen in environments with particularly stringent security requirements.
Based on its predefined rules, a firewall can either decide to allow, reject or drop network traffic. Here's what each firewall action entails:
- Allow: Accept incoming or outgoing network traffic
- Deny: Block incoming or outgoing network traffic and send the client an error response (such as "destination unreachable")
- Drop: Block incoming or outgoing network traffic and send no response
Firewalls also play an important role in monitoring, logging and auditing. Often, they can provide summaries to network administrators about the type and volume of traffic they have processed in a given time period. This is an important benefit: a firewall is a choke point that can serve the same purpose on your network as an armed guard does for your physical premises. In this way, firewalls can help keep bad actors out of a private network, while also offering valuable information about who has come in or gone out, as well as when and why they did so.
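To make the rule model above concrete, here is an added example (not code from the original tutorial) of a first-match packet filter: inbound and outbound rules, a default-drop posture, the allow/deny/drop actions with their different responses to the client, and the audit log and summary the text describes. The rule set, the sample packets and the addresses (taken from the RFC 5737 documentation ranges) are constructed for this illustration.

```python
"""Toy first-match packet filter illustrating inbound/outbound rules, the
allow/deny/drop actions and the audit log a firewall keeps.
Constructed example; addresses are documentation ranges."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (ingress) or "out" (egress)
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    state: str = "new"    # "new" or "established" (simplified connection state)


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str                     # "allow", "deny" or "drop"
    proto: Optional[str] = None     # None means "any"
    src: Optional[str] = None       # CIDR; None means any
    dst: Optional[str] = None
    dport: Optional[int] = None
    state: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.proto is None or self.proto == p.proto)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.dport is None or self.dport == p.dport)
                and (self.state is None or self.state == p.state))


class Firewall:
    def __init__(self, rules, default_action="drop"):
        self.rules = list(rules)
        self.default_action = default_action   # default-deny posture
        self.log = []

    def filter(self, p: Packet):
        """Return (action, response) for the first rule that matches."""
        action, rule_no = self.default_action, None
        for i, rule in enumerate(self.rules):
            if rule.matches(p):
                action, rule_no = rule.action, i
                break
        # Deny tells the client why; drop stays silent so a scanner learns nothing.
        response = "icmp-destination-unreachable" if action == "deny" else None
        self.log.append({"dir": p.direction, "proto": p.proto, "src": p.src,
                         "dst": p.dst, "dport": p.dport, "action": action,
                         "rule": rule_no})
        return action, response

    def summary(self) -> Counter:
        """Traffic totals by direction and action, as an admin report would show."""
        return Counter((e["dir"], e["action"]) for e in self.log)


def build_example_firewall() -> Firewall:
    return Firewall([
        # Inbound: only the public web service is reachable from outside.
        Rule("in", "allow", proto="tcp", dst="10.0.0.0/24", dport=443, state="new"),
        Rule("in", "allow", state="established"),       # replies to our own connections
        Rule("in", "deny", proto="tcp", dport=22),        # SSH from outside: refuse with an error
        # Outbound: web and DNS only; block direct FTP uploads (an exfiltration path).
        Rule("out", "allow", proto="tcp", dport=443),
        Rule("out", "allow", proto="tcp", dport=80),
        Rule("out", "allow", proto="udp", dport=53),
        Rule("out", "deny", proto="tcp", dport=21),
    ])   # anything unmatched falls through to the default drop


def run_sample_traffic():
    """Push constructed packets through the example firewall."""
    fw = build_example_firewall()
    samples = [
        Packet("in", "tcp", "203.0.113.5", "10.0.0.10", 443),
        Packet("in", "tcp", "203.0.113.5", "10.0.0.10", 22),
        Packet("in", "udp", "203.0.113.5", "10.0.0.10", 161),
        Packet("in", "tcp", "198.51.100.7", "10.0.0.10", 51000, state="established"),
        Packet("out", "tcp", "10.0.0.10", "198.51.100.7", 443),
        Packet("out", "tcp", "10.0.0.10", "198.51.100.7", 21),
        Packet("out", "tcp", "10.0.0.10", "198.51.100.7", 4444),
    ]
    return [fw.filter(p) for p in samples], fw.summary()


if __name__ == "__main__":
    verdicts, totals = run_sample_traffic()
    for v in verdicts:
        print(v)
    print(dict(totals))
```

Rule order matters: the rules are evaluated top to bottom and the first match wins, which is why the "established" rule sits before the SSH deny, and why everything the list does not mention is silently dropped rather than rejected.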
Different types of firewalls
A firewall is a hardware or software system that prevents unauthorized access to or from a network. It can be implemented in hardware, software or a combination of both, and can operate in traditional or virtualized network environments. NIST Special Publication 800-10, from the National Institute of Standards and Technology, identifies three basic types of firewalls:
These three categories, however, are not mutually exclusive, as some firewalls have a mix of abilities that may place them in more than one of the three. For more information and detail on each category, see the NIST Guidelines on firewalls and firewall policy.
One way to compare types of firewalls is to look at the Transmission Control Protocol/Internet Protocol (TCP/IP) layers that each is able to examine. TCP/IP communications are composed of four layers that work together to transfer data between hosts. When data is sent across a network, it travels from the highest layer through the intermediate layers to the lowest layer, and each layer adds its own header information. The lowest layer then sends the accumulated data through the physical network; at the receiving host, the data moves back up through the layers to its destination. Simply put, the data a layer produces is encapsulated in a larger container by the layer below it. The four TCP/IP layers, from highest to lowest, are compared against the OSI model in the figure below.
Network layer firewalls
Network layer firewalls generally make their decisions based on the source address, destination address and ports in individual IP packets. A simple router is the traditional network layer firewall, since it is not able to make particularly complicated decisions about which application a packet actually belongs to or where it actually came from.
One important characteristic of many network layer firewalls is that they route traffic directly through them, which means that to use one you need either a validly assigned IP address block or a private internet address block. Network layer firewalls tend to be very fast and almost transparent to their users.
Application layer firewalls
Application layer firewalls are hosts that run proxy servers, which permit no traffic directly between networks, and they perform elaborate logging and examination of traffic passing through them. Since proxy applications are simply software running on the firewall, it is a good place to do logging and access control. Application layer firewalls can be used as network address translators, since traffic goes in one side and out the other after having passed through an application that effectively masks the origin of the initiating connection.
Run-of-the-mill network firewalls can't properly defend applications, however. Application layer firewalls address this challenge by offering Layer 7 security on a more granular level, and may even help organizations get more out of existing network devices.
In some cases, having an application in the way may impact performance and make the firewall less transparent. Older application layer firewalls that are still in use are not particularly transparent to end users and may require some user training. However, more modern application layer firewalls are often totally transparent. Application layer firewalls tend to provide more detailed audit reports and tend to enforce more conservative security models than network layer firewalls.
Proxy firewalls offer more security than other types of firewalls but at the expense of speed and functionality, as they can limit which applications the network supports.
Why are proxy firewalls more secure? Unlike stateful firewalls or application layer firewalls, which allow or block network packets passing to and from a protected network, a proxy never lets traffic flow through it directly. Instead, computers establish a connection to the proxy, which serves as an intermediary and initiates a new network connection on behalf of the request. This prevents direct connections between systems on either side of the firewall and makes it harder for an attacker to map the network, because they never receive packets created directly by their target system.
Proxy firewalls also provide comprehensive, protocol-aware security analysis for the protocols they support. This allows them to make better security decisions than products that focus purely on packet header information.
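An added example (not code from the original tutorial) of the proxy behaviour described above, run entirely on the loopback interface: the proxy accepts the client's connection, reads the whole application-layer request, applies a protocol-aware policy to it, and only then opens a new connection of its own to the protected server. The server therefore only ever sees the proxy as its peer, and a request the policy rejects never reaches it at all. The server, the "GET/HEAD only" policy and the request text are constructed for this demonstration.

```python
"""Loopback demonstration of a proxy firewall: the client never reaches the
server directly; the proxy terminates the client's connection, inspects the
request and opens a *new* connection of its own only if policy permits.
Constructed example; the policy and the server are assumptions for the demo."""
import socket
import threading

ALLOWED_METHODS = {b"GET", b"HEAD"}   # assumed proxy policy for this demo


def request_allowed(request: bytes) -> bool:
    """Protocol-aware check: permit only HTTP-like requests with an allowed method."""
    method = request.split(b" ", 1)[0]
    return method in ALLOWED_METHODS


def upstream_server(srv: socket.socket, result: dict) -> None:
    """Protected server: records which peer actually connected to it."""
    srv.settimeout(1.0)               # give up if the proxy never connects
    try:
        conn, peer = srv.accept()
    except socket.timeout:
        result["server_saw_peer"] = None
        return
    with conn:
        result["server_saw_peer"] = peer
        data = conn.recv(4096)
        conn.sendall(b"200 OK " + data)


def proxy_firewall(prx: socket.socket, upstream_addr, result: dict) -> None:
    """Terminates the client connection; relays only if policy permits."""
    client, _ = prx.accept()
    with client:
        request = client.recv(4096)
        result["proxy_log"] = request      # the proxy sees the full request: audit point
        if not request_allowed(request):
            client.sendall(b"403 Forbidden by proxy policy")
            return                         # no upstream connection is ever made
        with socket.create_connection(upstream_addr) as up:
            result["proxy_outbound"] = up.getsockname()   # the proxy's own new socket
            up.sendall(request)
            client.sendall(up.recv(4096))


def run_through_proxy(request: bytes) -> dict:
    """Start server, proxy and client on loopback; return what each side observed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    prx = socket.socket()
    prx.bind(("127.0.0.1", 0))
    prx.listen(1)
    result = {}
    ts = threading.Thread(target=upstream_server, args=(srv, result))
    tp = threading.Thread(target=proxy_firewall, args=(prx, srv.getsockname(), result))
    ts.start()
    tp.start()
    with socket.create_connection(prx.getsockname()) as c:
        result["client_local"] = c.getsockname()
        c.sendall(request)
        result["reply"] = c.recv(4096)
    ts.join()
    tp.join()
    srv.close()
    prx.close()
    return result


if __name__ == "__main__":
    ok = run_through_proxy(b"GET /index.html HTTP/1.0\r\n\r\n")
    print("server saw peer:", ok["server_saw_peer"], "client was:", ok["client_local"])
    bad = run_through_proxy(b"POST /upload HTTP/1.0\r\n\r\n")
    print("denied request reached server:", bad["server_saw_peer"] is not None)
```

The point to notice in the output is that the peer address the server records equals the proxy's outbound socket, not the client's, and that for the denied request the server never receives a connection at all.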
Next-generation firewalls and unified threat management
Both next-generation firewalls (NGFWs) and UTM products promise to integrate multiple security features for context-rich decision-making and greater convenience, offering protection from a wide range of threats.
Capabilities of individual products vary, but typically, NGFWs have some combination of packet inspection, stateful inspection and deep packet inspection -- along with additional features like intrusion detection/prevention, antivirus, SSL and SSH inspection, application awareness and malware filtering. While packet inspection looks at a packet's protocol header, deep packet inspection looks at the data inside, at the application layer.
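The following added example (not code from the original tutorial) makes the header-versus-payload distinction concrete. It builds a frame layer by layer in the order the earlier TCP/IP discussion describes (application data, then the transport, internet and link headers), parses it back, and applies two views to the result: the header-only check a network layer firewall performs, and a deep-packet check that looks at the application data and refuses traffic on the web port that is not actually HTTP. The addresses, MAC values, the two sample payloads and the port-80 policy are constructed assumptions for the illustration.

```python
"""Builds a link/internet/transport/application stack byte by byte, then shows
the difference between header-only packet inspection and deep packet
inspection. Constructed frames; addresses are documentation ranges."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Application data -> TCP segment -> IPv4 packet -> Ethernet frame."""
    # Transport layer: 20-byte TCP header, PSH+ACK flags, no options.
    tcp = struct.pack("!HHLLBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    # Internet layer: IPv4 header whose total length covers everything below it.
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    # Link layer: Ethernet II header (dst MAC, src MAC) with made-up locally administered MACs.
    eth = struct.pack("!6s6sH", bytes.fromhex("020000000002"),
                      bytes.fromhex("020000000001"), ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


def decapsulate(frame: bytes) -> dict:
    """Peel the layers back off and return the fields a firewall can look at."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip_checksum(ip[:ihl]) != 0:          # a valid header checksums to zero
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    tcp = ip[ihl:total_len]
    sport, dport, _, _, offset_byte, flags, _, _, _ = struct.unpack("!HHLLBBHHH", tcp[:20])
    data_offset = (offset_byte >> 4) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
            "proto": proto, "sport": sport, "dport": dport, "flags": flags,
            "payload": tcp[data_offset:]}


def header_verdict(hdr: dict, allowed_dports=(80, 443)) -> str:
    """Network layer view: addresses, protocol and ports only."""
    if hdr["proto"] == IPPROTO_TCP and hdr["dport"] in allowed_dports:
        return "allow"
    return "drop"


def dpi_verdict(hdr: dict) -> str:
    """Deep packet inspection: data on port 80 must actually look like HTTP."""
    if header_verdict(hdr) != "allow":
        return "drop"
    payload = hdr["payload"]
    if hdr["dport"] == 80 and payload and not payload.startswith(HTTP_METHODS):
        return "drop"          # some other protocol riding on the web port
    return "allow"


# Constructed sample frames: a genuine web request and an SSH banner sent to port 80.
LEGIT = encapsulate("10.0.0.25", "198.51.100.7", 51000, 80,
                    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
DISGUISED = encapsulate("10.0.0.25", "198.51.100.7", 51001, 80,
                        b"SSH-2.0-OpenSSH_9.0\r\n")

if __name__ == "__main__":
    for name, frame in (("legit", LEGIT), ("disguised", DISGUISED)):
        h = decapsulate(frame)
        print(name, h["src"], "->", h["dst"], "port", h["dport"],
              "header:", header_verdict(h), "dpi:", dpi_verdict(h))
```

Both frames carry identical header fields, so a firewall that reads only the IP and TCP headers allows both; only the inspection that reads the application data notices that the second one is not web traffic.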
UTM appliances are similar to NGFWs, consolidating multiple functions into one application. Security expert Karen Scarfone defines UTM products as firewall appliances that not only guard against intrusion but also perform content filtering, spam filtering, application control, web content filtering, intrusion detection and antivirus duties. In other words, a UTM device combines functions traditionally handled by multiple systems. These devices are designed to combat all levels of malicious activity on the computer network.
An effective UTM solution delivers a network security platform composed of robust and fully integrated security and networking functions, along with other features such as security management and policy management by group or user. It is designed to protect against next-generation application layer threats and offers centralized management through a single console, all without impairing the performance of the network.
Advantages of using NGFWs and UTM
NGFWs offer the significant benefit of consolidating several key cybersecurity application features in one place, resulting in fewer devices for enterprise IT pros to manage, while also offering more robust capabilities on the whole. NGFWs tend to be more technologically advanced and have a more context-aware view of network security -- in some cases allowing them to stop malware from entering where traditional appliances would have failed, for example.
Convenience and ease of installation are the two key advantages of unified threat management security appliances. There is also much less human intervention required to install and configure them. Other advantages of UTM are listed below:
- Reduced complexity: The integrated all-in-one approach simplifies not only product selection but also product integration, and ongoing support as well.
- Ease of deployment: Since there is much less human intervention required, either vendors or the customers themselves can easily install and maintain these products.
- Integration capabilities: UTM appliances can easily be deployed at remote locations without the on-site help of any security professional. In this scenario a plug-and-play appliance can be installed and managed remotely. This kind of management is synergistic with large, centralized software-based firewalls.
- Black box character: Users have a tendency to play with things, and the black box nature of a UTM limits the damage users can do and, thus, reduces help desk calls and improves security.
- Troubleshooting ease: When a box fails, it is easier to swap out than troubleshoot. This process gets the node back online quicker, and a nontechnical person can do it, too. This feature is especially important for remote offices without dedicated technical staff on site.
In general, UTM products tend to be simpler to deploy and use -- often attractive to smaller organizations -- while NGFWs offer the option for greater customization and might have higher throughput -- appealing to large enterprises. Some of the leading UTM and NGFW vendors are Check Point, Cisco, Dell, Fortinet, HP, IBM and Juniper Networks.
Challenges of using UTM and NGFW products
UTM products are not the right option for every environment. Many organizations already have a set of point appliances installed that, combined, provide network security capabilities similar to what UTMs offer, and there can be substantial costs involved in ripping and replacing the existing technology to install a UTM replacement. There are also advantages to using the individual products together, rather than a UTM or NGFW. For instance, when individual point products are combined, the IT staff is able to select the best product available for each network security capability; a UTM can mean having to compromise and acquire a single product that has stronger capabilities in some areas and weaker ones in others.
Another important consideration when evaluating UTM or NGFW products is the size of the organization in which they would be installed. The smallest organizations might not need all the network security features of a UTM; there is no need for a smaller firm to tax its budget with a UTM if many of its functions aren't needed. On the other hand, a UTM may not be right for larger, more cyber-dependent organizations either, since these often need a level of scalability and reliability in their network security that UTM products might not support (or at least not support as well as a set of point solutions). A UTM system also creates a single point of failure for most or all network security capabilities; a UTM failure could conceivably shut down an enterprise, with a catastrophic effect on company security. How much an enterprise is willing to rely on a UTM is a question that must be asked and answered.
How to implement a firewall
The firewall remains a vital component in any network security architecture, and organizations have many types of firewalls from which to choose. It's essential that IT professionals first identify the type of firewall that best suits the organization's network security needs -- traditional, NGFW or UTM, hardware-based, virtualized, etc.
Once selected, one of the key questions that shapes a protection strategy is "Where should the firewall be placed?" There are three common firewall topologies: the bastion host, screened subnet and dual-firewall architectures. Enterprise security depends on choosing the right firewall topology.
The next decision, after the topology is chosen, is where to place individual firewall systems within it.
Remember that firewall configurations do change quickly and often, so it is difficult to keep on top of routine firewall maintenance tasks. Firewall activity, therefore, must be continuously audited to help keep the network secure from ever-evolving threats.
Continue to the next section of this tutorial to learn more about how to choose a firewall.