What Are the Basic Types of Firewalls?
A firewall is an essential layer of security that acts as a barrier between private networks and the outside world. From first-generation, stateless firewalls to next-generation firewalls, firewall architectures have evolved tremendously over the past four decades. Today, organizations can choose between several types of firewalls—including application-level gateways (proxy firewalls), stateful inspection firewalls, and circuit-level gateways—and even use multiple types simultaneously for a deep-layer, comprehensive security solution.
Learn the basics about the various types of firewalls, the differences between them, and how each type can protect your network in different ways.
What Is a Firewall, and What Is It Used For?
A firewall is a security tool that monitors incoming and/or outgoing network traffic to detect and block malicious data packets based on predefined rules, allowing only legitimate traffic to enter your private network. Implemented as hardware, software, or both, firewalls are typically your first line of defense against malware, viruses, and attackers trying to make it to your organization’s internal network and systems.
Much like a walk-through metal detector door at a building’s main entrance, a physical or hardware firewall inspects each data packet before letting it in. It checks for the source and destination addresses and, based on predefined rules, determines if a data packet should pass through or not. Once a data packet is inside your organization’s intranet, a software firewall can further filter the traffic to allow or block access to specific ports and applications on a computer system, allowing better control and security from insider threats.
An access control list may define specific Internet Protocol (IP) addresses that cannot be trusted. The firewall will drop any data packets coming from those IPs. Alternatively, the access control list may specify trusted-source IPs, and the firewall will only allow the traffic coming from those listed IPs. There are several techniques for setting up a firewall, and the scope of security it provides depends largely on the type of firewall and its configuration.
Software and Hardware Firewalls
Structurally, firewalls can be software, hardware, or a combination of both.
Software Firewalls
Software firewalls are installed separately on individual devices. They provide more granular control to allow access to one application or feature while blocking others. But they can be expensive in terms of resources since they utilize the CPU and RAM of the devices they are installed on, and administrators must configure and manage them individually for each device. Additionally, not all devices within an intranet may be compatible with a single software firewall, and several different firewalls may be required.
Hardware Firewalls
On the other hand, hardware firewalls are physical devices, each with its own computing resources. They act as gateways between internal networks and the internet, keeping data packets and traffic requests from untrusted sources outside the private network. Physical firewalls are convenient for organizations with many devices on the same network. While they block malicious traffic well before it reaches any endpoints, they do not provide security against insider attacks. Therefore, a combination of software and hardware firewalls can provide optimal protection to your organization’s network.
Four Types of Firewalls
Firewalls are also categorized based on how they operate, and each type can be set up either as software or a physical device. Based on their method of operation, there are four different types of firewalls.
1. Packet Filtering Firewalls
Packet filtering firewalls are the oldest, most basic type of firewall. Operating at the network layer, they check a data packet’s source IP, destination IP, protocol, source port, and destination port against predefined rules to determine whether to pass or discard the packet. Packet filtering firewalls are essentially stateless: they examine each packet independently, without tracking the established connection or the packets that have previously passed through it. This makes these firewalls very limited in their capacity to protect against advanced threats and attacks.
Packet filtering firewalls are fast, cheap, and effective. But the security they provide is very basic. Since these firewalls cannot examine the content of the data packets, they are incapable of protecting against malicious data packets coming from trusted source IPs. Being stateless, they are also vulnerable to source routing attacks and tiny fragment attacks. But despite their minimal functionality, packet filtering firewalls paved the way for modern firewalls that offer stronger and deeper security.
2. Circuit-Level Gateways
Working at the session layer, circuit-level gateways verify established Transmission Control Protocol (TCP) connections and keep track of the active sessions. They are quite similar to packet filtering firewalls in that they perform a single check and utilize minimal resources. However, they function at a higher layer of the Open Systems Interconnection (OSI) model. Primarily, they determine the security of an established connection. When an internal device initiates a connection with a remote host, circuit-level gateways establish a virtual connection on behalf of the internal device to keep the identity and IP address of the internal user hidden.
Circuit-level gateways are cost-efficient and simple, and they barely impact a network’s performance. However, their inability to inspect the content of data packets makes them an incomplete security solution on their own. A data packet containing malware can bypass a circuit-level gateway easily if it has a legitimate TCP handshake. That is why another type of firewall is often configured on top of circuit-level gateways for added protection.
3. Stateful Inspection Firewalls
A step ahead of circuit-level gateways, stateful inspection firewalls not only verify and keep track of established connections but also perform packet inspection to provide better, more comprehensive security. Once a connection is established, they record its source IP, destination IP, source port, and destination port in a state table. Based on this information, they create their own rules dynamically to allow the expected incoming network traffic instead of relying on a hardcoded set of rules, and they drop any data packets that do not belong to a verified active connection.
Stateful inspection firewalls check for legitimate connections and source and destination IPs to determine which data packets can pass through. Although these extra checks provide advanced security, they consume a lot of system resources and can slow down traffic considerably. Hence, they are prone to distributed denial-of-service (DDoS) attacks.
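To make the difference between the packet filtering and stateful inspection sections concrete, here is an added Python illustration (not code from the original article). It runs a stateless five-tuple rule list and a connection-tracking filter over the same constructed traffic; the LAN range, the addresses, the HTTPS-only policy and the rules are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("10.0.0.0/24")  # constructed: the private network behind the firewall

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # TCP SYN flag, set on the first packet of a new connection

def in_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN

# Constructed stateless rules, first match wins. With no memory of connections, replies
# can only be admitted by a standing hole for any packet arriving from port 443.
STATELESS_RULES = [
    ("allow", lambda p: in_lan(p.src_ip) and p.dst_port == 443),  # outbound HTTPS
    ("allow", lambda p: p.src_port == 443 and in_lan(p.dst_ip)),  # inbound "replies"
    ("deny", lambda p: True),
]

def stateless_filter(pkt: Packet) -> str:
    """Judge each packet on its own header fields, independently of any other packet."""
    return next(action for action, match in STATELESS_RULES if match(pkt))

class StatefulFilter:
    """Track outbound HTTPS connections in a state table and admit inbound packets
    only if they belong to a tracked connection; there is no standing inbound rule."""
    def __init__(self) -> None:
        self.state = set()  # 4-tuples for both directions of each tracked connection

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.syn and in_lan(pkt.src_ip) and pkt.dst_port == 443:
            self.state.add(fwd)  # new connection: record both flow directions dynamically
            self.state.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
            return "allow"
        return "allow" if fwd in self.state else "deny"

# Constructed traffic: an outbound HTTPS connection, its genuine reply, then an
# unsolicited inbound packet that merely uses 443 as its source port.
TRAFFIC = [
    Packet("10.0.0.5", 50000, "203.0.113.10", 443, syn=True),
    Packet("203.0.113.10", 443, "10.0.0.5", 50000),
    Packet("198.51.100.7", 443, "10.0.0.5", 50001),
]
def compare(packets=TRAFFIC):
    stateful = StatefulFilter()
    return [stateless_filter(p) for p in packets], [stateful.filter(p) for p in packets]
```

The stateless filter passes all three packets because the third one matches its standing reply rule, while the stateful filter drops it because no tracked connection expects it.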
4. Application-Level Gateways (Proxy Firewalls)
Application-level gateways, also known as proxy firewalls, are implemented at the application layer via a proxy device. Instead of an outsider accessing your internal network directly, the connection is established through the proxy firewall. The external client sends a request to the proxy firewall. After verifying the authenticity of the request, the proxy firewall forwards it to one of the internal devices or servers on the client’s behalf. Alternatively, an internal device may request access to a webpage, and the proxy device will forward the request while hiding the identity and location of the internal devices and network.
Unlike packet filtering firewalls, proxy firewalls perform stateful and deep packet inspection to analyze the context and content of data packets against a set of user-defined rules. Based on the outcome, they either permit or discard a packet. They protect the identity and location of your sensitive resources by preventing a direct connection between internal systems and external networks. However, configuring them to achieve optimal network protection can be tricky. You must also keep in mind the tradeoff—a proxy firewall is essentially an extra barrier between the host and the client, causing considerable slowdowns.
Which Type of Firewall Best Suits My Organization?
There is no one-size-fits-all solution that can fulfill the unique security requirements of every organization. Each one of the different types of firewalls has its benefits and limitations. Packet filtering firewalls are simplistic but offer limited security, while stateful inspection and proxy firewalls can compromise network performance. Next-generation firewalls seem to be a complete package, but not all organizations have the budget or resources to configure and manage them successfully.
As attacks become more sophisticated, your organization’s security defenses must keep pace. A single firewall protecting the perimeter of your internal network from external threats is not enough. Each asset within the private network needs its own individual protection as well. It is best to adopt a layered approach toward security instead of relying on the functionality of a single firewall. And why even settle on one when you can leverage the benefits of multiple firewalls in an architecture optimized specifically for your organization’s security needs?
What Is a Next-Generation Firewall?
Next-generation firewalls (NGFWs) are meant to overcome the limitations of traditional firewalls while offering some additional security features as well. Despite flexible features and architectures, what makes a firewall truly next-generation is its ability to perform deep packet inspection in addition to port/protocol and surface-level packet inspection. According to Gartner, although there is no concrete, agreed-upon definition, a next-generation firewall is “a deep-packet inspection firewall that moves beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.”
Next-generation firewalls combine the features of other types of firewalls into a single solution without affecting network performance. They are more robust and offer wider and deeper security than any of their predecessors. In addition to carrying out deep packet inspections to detect anomalies and malware, NGFWs come with an application awareness feature for intelligent traffic and resource analysis. These firewalls are fully capable of blocking DDoS attacks. They feature Secure Sockets Layer (SSL) decryption functionality to gain complete visibility across applications, enabling them to identify and block data breach attempts from encrypted applications as well.
Next-generation firewalls can identify users and user roles, whereas their predecessors relied mainly on the IP addresses of systems. This breakthrough feature enables users to leverage wireless, portable devices whilst providing broad-spectrum security across flexible working environments and bring your own device (BYOD) policies. They may also incorporate other technologies such as anti-virus and intrusion-prevention systems (IPS) to offer a more comprehensive approach toward security.
Next-generation firewalls are suitable for businesses that need to comply with the Health Insurance Portability and Accountability Act (HIPAA) or payment card industry (PCI) rules or for those that want multiple security features integrated into a single solution. But they do come at a higher price point than other types of firewalls, and depending on the firewall you choose, your administrator may need to configure them with other security systems.
Use Parallels RAS for Secure Data Access
Detecting and mitigating cyberattacks in an ever-evolving threat landscape is as daunting as it is crucial. Regardless of how sophisticated they are, firewalls alone cannot offer enough protection. As flexible work environments and work-from-home business models become mainstream, employers and employees alike must take impending threats seriously. Employees trying to access internal resources remotely must do so via a virtual private network (VPN) and use devices that are in compliance with the organization’s policy.
Parallels® Remote Application Server (RAS) offers a wide range of tools and features to monitor and secure applications and data in a multi-cloud environment. It provides advanced access control and granular client policies to allow or restrict access based on gateway, media access control (MAC) address, client type, IP address, a specific user or user role.
Parallels RAS’s enhanced data security also protects sensitive data and prevents unauthorized access through encryption and multi-factor authentication and adheres to compliance policies. With Parallels RAS, your employees can switch between devices and access data and applications from any location, all while your resources remain securely within the internal network.
Interested in learning more about how Parallels RAS enhances data security to protect your corporate data?