What is a Firewall, and How Does it Work?

Most organizations rely heavily on communication with external networks, like the Internet, to make sales, communicate with clients, and pay suppliers. While the productivity gains are enormous, connecting with external networks makes their internal networks easier for someone with an internet connection and the right tool to discover them. 

Firewalls can help reduce this risk by:  

• Centralizing network traffic to minimize attack pathways: This includes channeling all network communication through a single point to limit the number of open connections between private and external networks. This makes it easier to manage and mitigate security threats. 

• Preventing Remote Access: A firewall can prevent remote access to a network or system unless authorized. This is important because it prevents remote logins from hackers who try to access and steal data.

• Mitigating DDoS Attacks: Firewalls can help mitigate Distributed Denial of Service (DDoS) attacks. In a DDoS attack, a network is flooded with traffic until it becomes unavailable. Firewalls can identify and block such traffic.

   

Enforcing Policy: Firewalls can also enforce network security policies. Administrators can configure a firewall to block access to specific sites, ensuring network computers cannot be used to access unauthorized or inappropriate websites.

Hardware firewalls are physical devices installed between computers and the external network. Typically used by organizations to protect many devices, they require professional knowledge to configure and manage. However, they can offer better network performance as they do not consume any resources of the devices in the network.

Software firewalls use the same technology as hardware firewalls, but they are software solutions deployed on servers, virtual machines, virtualized networks, or cloud environments. They are easier to deploy and manage than hardware firewalls and can protect the entire network or individual devices.

Internal firewalls control and monitor internal traffic between trusted networks. They can help segment these networks to provide an additional layer of protection.

Network firewalls are positioned between trusted and untrusted networks to monitor and control incoming and outgoing traffic. They protect an entire network of connected devices, including computers, servers, printers, and IoT devices.

Host-based firewalls are installed on individual network devices. They are typically software solutions and can provide access to specific applications and services not permitted under default firewall settings.

Stateless inspection firewalls are first generation firewall technology with basic filtering of packets as they travel between networked devices. They filter packets based on IP addresses, ports, and packet protocols. Each packet is analyzed in isolation, with no context regarding the state of the connection or the data being sent.

Stateful inspection firewalls are the most well-known type of firewall. It controls and monitors traffic based on the state, port, and protocol. It can monitor all activity from opening a connection until it is closed. The filtering decisions are made based on administrator-defined rules and context. This means it can use information from previous connections to confirm that packets belong to the same connection.

Proxy firewalls are also known as application-level firewalls because they apply rules to determine which applications are allowed to send and receive data from external networks. They a data packet’s content, or payload, and prevent direct connections between internal users and external services.

Web application firewalls (WAF) are placed in front of websites to monitor and control Hypertext Transfer Protocol (HTTP) traffic. They filter any potentially harmful traffic that might exploit web vulnerabilities.

Next-generation firewalls (NGFWs) offer the highest firewall protection and combine conventional firewall technology with additional security features like deep packet inspection, malware filtering, antivirus, IPS/IDS, application control, and more.

Early Days (1990s): Stateless Packet Filtering

The first generation of firewalls relied on stateless packet filtering. These basic systems analyzed individual data packets based on pre-defined rules, including source and destination IP addresses, ports, and protocols. However, they lacked context about ongoing connections, making them vulnerable to spoofing attacks and complex threats. 

Stateful Inspection (Early 2000s)

Stateful inspection firewalls addressed the limitations of stateless filtering. They tracked the state of network connections, monitoring the entire communication flow from initiation to closure. This development allowed for more granular control and better detection of suspicious activity. 

Proxy Firewalls (1990s - Present)

Proxy firewalls, also known as application-level firewalls, act as intermediaries between internal users and external services. They inspect the content (payload) of data packets and enforce rules based on applications allowed to communicate. While offering strong security, they can impact network performance. 

Web Application Firewalls (WAFs) (2000s - Present)

As web applications became prevalent, WAFs emerged to protect them specifically. These firewalls sit in front of web servers and analyze incoming HTTP traffic, filtering out malicious requests that might exploit vulnerabilities. 

Next-Generation Firewalls (NGFWs) (2008 - Present)

NGFWs represent the current pinnacle of firewall technology. They combine traditional firewall functionalities with advanced features like deep packet inspection, intrusion prevention systems (IPS), application control, and malware detection. This approach offers robust protection against a broader range of threats. 

The Future of Firewalls

Firewall technology is constantly evolving to keep pace with the ever-changing threat landscape. Machine learning (ML) integration is increasingly used for anomaly detection and automated threat response. Additionally, the rise of cloud computing necessitates firewalls that can adapt to dynamic and distributed network environments. 

Firewalls are the cornerstone of network security, but their effectiveness depends on proper use and configuration. 

Essential Uses:

• Blocking unauthorized traffic: Firewalls act as a barrier, filtering incoming and outgoing traffic based on predefined rules. This helps prevent malware, unauthorized access attempts, and data exfiltration. 

• Controlling application access: Firewalls can restrict access to specific applications, preventing unauthorized software from communicating externally. This is crucial for both home and corporate use. 

• Segmenting networks: Internal firewalls in corporate settings can divide the network into segments, limiting access between departments or functionalities. This helps isolate security breaches and minimize potential damage. 

Best Practices:

• Rule setup: Create clear and concise rules that allow legitimate traffic while blocking unwanted connections. Both home and corporate users should avoid overly permissive rules. 

• Traffic monitoring: Regularly monitor firewall logs to identify suspicious activity, such as blocked attempts or unusual traffic patterns. This is especially important for corporate firewalls. 

• Regular updates: Ensure your firewall software or hardware receives regular updates to incorporate the latest security patches and threat definitions. This advice applies to both home and corporate firewalls. 

Home vs. Corporate Use:

• Complexity: Home users typically need more straightforward firewall configurations than corporations with complex network structures and stricter security requirements. 

• Advanced features: Corporate firewalls may utilize advanced features like deep packet inspection and application control, while home firewalls offer more basic functionality. 

• Remote Access: For corporate users with remote access (VPN), ensure firewall rules allow secure connections while blocking unauthorized remote access attempts. 

Integration with Remote Connections:

• VPN tunnels: Configure firewalls to allow VPN traffic through specific ports while blocking other unwanted traffic on the remote connection. 

• Zero-trust security: Consider implementing zero-trust security principles where remote connections require additional authentication before granting access, regardless of location. 

As a first line of defense, firewalls are a critical component in any secure environment. However, they are best deployed as part of a multi-layered security strategy which ensures coverage against some limitations.

• Limited threat detection: Firewalls are designed to block unauthorized access to a network, which can leave networks vulnerable to malware delivered via email attachments or malicious websites. If an authorized user executes these types of malware, they can bypass the firewall and infect the system.

• Social engineering attacks: Firewalls provide limited protection against social engineering tactics, like phishing, where users are tricked into giving away sensitive information.

• Insider threats: While firewalls can stop unauthorized access to a private network, they are less effective against malicious insiders with legitimate access to the network.

• Zero-day threats: Firewalls can be susceptible to security vulnerabilities in software that are unknown, or do not have a patch to mitigate them.