certifications | security - David Chapman
A Comparison of 3 Firewall Systems: Host, Network, Application
The more sophisticated cyber attackers become, the more necessary it is to implement effective security measures. Understanding the differences between firewall systems helps ensure you have the appropriate protections in place. This is critical for maintaining your business's security standards: some businesses are under regulatory compliance that requires these controls to be in place, while for others it is simply a matter of good security practice.
What is a Firewall?
A firewall is a piece of software, often augmented with hardware, that allows or restricts the flow of traffic between two endpoints. It does so based on specific rules or pre-defined logic. Today, firewalls primarily filter traffic in the TCP/IP suite of protocols. Even within that niche there is a wide variety of firewall types and features, depending on the business need. Some only do basic traffic filtering, while others can do deep packet inspection at the level of the higher-level protocols. Whichever type of firewall it is, the goal is to allow in only the traffic that is wanted and to block everything else.
How Does a Firewall Work?
A firewall works by inspecting traffic that traverses it and matching that traffic against defined rules in order to determine what action to take. It is almost always in line with the flow of traffic so that it can intercept and potentially block that traffic. In terms of TCP/IP, not all firewalls are created equal. Circa 1990, many firewalls were not stateful, so rules had to be crafted carefully to accommodate traffic in both directions.
As firewalls became smarter and stateful, TCP sessions were monitored for anomalies to ensure the firewall could not be bypassed by guessing an existing session. This meant firewall rules only needed to allow the start of a session in any particular direction. From there the traffic is trusted, and all future packets in that connection or session are allowed.
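To make the stateless-versus-stateful difference concrete, here is an added example (not code from the article) that models both decision procedures in Python. The addresses are constructed from the RFC 5737 documentation ranges, and the policy is the hypothetical "internal hosts may open HTTPS outbound": the stateless filter needs a broad reply rule, while the stateful filter only admits return traffic for a session it saw being opened.

```python
from dataclasses import dataclass
# Constructed addresses from the RFC 5737 documentation ranges; this is not a real network.
INTERNAL = "10.0."            # hypothetical internal address prefix
WEB_SERVER = "203.0.113.10"   # hypothetical external HTTPS server
OUTSIDER = "198.51.100.7"     # hypothetical unrelated external host
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool   # True only for the packet that opens a TCP session

def matches(rule, pkt):
    """A rule is (source prefix, destination prefix, destination port or None for any)."""
    src, dst, dport = rule
    return pkt.src.startswith(src) and pkt.dst.startswith(dst) and dport in (None, pkt.dport)

class StatelessFirewall:
    """Circa-1990 style: nothing is remembered, so each direction needs its own rule."""
    def __init__(self, rules):
        self.rules = rules
    def allow(self, pkt):
        return any(matches(r, pkt) for r in self.rules)

class StatefulFirewall:
    """Rules only say who may open a session; return traffic is allowed from the session table."""
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()   # tracked flows, keyed as the initiator's (src, sport, dst, dport)
    def allow(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.sessions or rev in self.sessions:
            return True                 # ESTABLISHED: belongs to a session we saw opened
        if pkt.syn and any(matches(r, pkt) for r in self.rules):
            self.sessions.add(fwd)      # NEW: permitted by policy, start tracking it
            return True
        return False                    # neither tracked nor permitted: dropped

def run_scenario():
    """Policy: internal hosts may open HTTPS sessions outbound, and nothing else is intended."""
    stateless = StatelessFirewall([(INTERNAL, "", 443), ("", INTERNAL, None)])  # reply rule must be broad
    stateful = StatefulFirewall([(INTERNAL, "", 443)])
    syn = Packet("10.0.0.5", 51000, WEB_SERVER, 443, True)        # client opens the session
    synack = Packet(WEB_SERVER, 443, "10.0.0.5", 51000, False)    # legitimate reply
    stray = Packet(OUTSIDER, 443, "10.0.0.5", 22, False)          # looks like a reply, but no session exists
    return {"stateless": [stateless.allow(p) for p in (syn, synack, stray)],
            "stateful": [stateful.allow(p) for p in (syn, synack, stray)]}
```

The stray packet passes the stateless filter only because its reply rule has to admit any external source to any internal port; the stateful filter drops it because no tracked session matches.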
More premium firewalls began to emerge that could do deep packet inspection all the way up to layer 7 of the OSI model. That means those layer 7 firewalls could understand specific high-level protocols like SMTP, HTTP, POP3, FTP and others, and actually block traffic based on certain criteria or anomalies within those higher-level protocol sessions. This can help mitigate exploits of known vulnerabilities. With this level of deep inspection, however, we enter the territory that an Intrusion Detection or Prevention System (IDS/IPS) typically addresses.
What are Host-based Firewalls?
Host-based firewalls are simply firewalls that exist on the endpoint or host in question. This could be a laptop, server, desktop or anything in between. They are usually software based and installed onto the operating system, if not pre-installed already. Windows, for example, comes with Windows Firewall by default. Much antivirus software also comes with its own personal firewall. On Linux, iptables and firewalld are two of the common host-based firewalls and, depending on the distribution, often come pre-installed.
Benefits of Host-Based Firewalls
One of the benefits of a host-based firewall is that it is the last chance to catch malicious traffic before it enters the host. If nothing else has caught the malicious traffic, it is one more opportunity to catch it. While definitions and rules are usually managed at a higher level, any issue with a specific host-based firewall is limited to the host or hosts it affects. Rule changes are usually not pushed out to every host at once and instead roll out over time, giving the advantage of catching issues early, before they affect all hosts.
Disadvantages of Host-Based Firewalls
Managing host-based firewalls can sometimes be tedious or difficult, particularly if the software does not allow for centralized management. When a host-based firewall blocks traffic, it can at times be difficult to diagnose. Beyond this, it is usually best to catch and block malicious traffic as close to the source as possible, which keeps the rest of the network from ever seeing it. Unfortunately, once traffic reaches a host-based firewall it is at the point closest to the destination and may already have passed through the other firewalls in place.
What are Network-based Firewalls?
Network-based firewalls are firewalls that live on the network. Typically they are provisioned at the edge of the network, but sometimes at the core of the network as well. Network-based firewalls typically only filter traffic that traverses between subnets or VLANs. One of the oldest examples of a network-based firewall is the Cisco Adaptive Security Appliance (ASA). It is quite a workhorse, deployed in many businesses. Check Point is another example of a network-based firewall; Check Point is credited with having built the first stateful packet inspection firewall.
Benefits of Network-Based Firewalls
Network-based firewalls can be a bit easier to manage as the footprint is typically smaller. Many organizations may only have one deployed where their internal network meets the internet. Typically these are deployed on highly specialized appliances to optimize throughput and minimize latency. The operating systems running on them are hardened from a security perspective to help minimize the chance of the appliance being compromised.
As mentioned in the disadvantages of host-based firewalls, it is best to block traffic at the point closest to the source and typically that is a network-based firewall, particularly at the edge of the network. For most businesses this is where the internet meets their private network.
Disadvantages of Network-Based Firewalls
One of the main disadvantages is that a network-based firewall typically cannot block traffic between hosts on the same subnet. In many cases there may be groups of subnets that cannot be filtered by a network-based firewall at all, simply due to where it is deployed in the network. This could allow one infected or compromised host to move laterally to adjacent hosts or networks undetected.
What are Application-Based Firewalls?
Application-based firewalls are typically tailored specifically to application communications, and for that reason they understand the protocol. Many times that protocol is HTTP, or web traffic, and these application-based firewalls are called Web Application Firewalls (WAF). Many vendors offer application-based firewalls, such as CloudFlare, F5 Application Security Manager (ASM) and even Apache ModSecurity.
Benefits of Application-Based Firewalls
Application-based firewalls are great for protecting high-level application protocols such as web traffic. They are typically specialized to distinct protocols. With this specialization they are fully aware of the protocol and can be tuned or trained to learn what normal traffic looks like and what does not. Other types of firewalls typically only let you block based on IP addresses or routing information; in some cases, if you are lucky, you may be able to block on certain protocol settings as well. WAFs, however, let you block based on parts of the HTTP protocol such as headers, request method, URI and more, as they fully understand the HTTP protocol and its nuances.
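As an added illustration (not code from the article or from any WAF product), the following Python sketch shows the two capabilities this section describes: rules that decide on request method, URI and headers, and a profile "learned" from a constructed sample of known-good traffic for a hypothetical order API, so that anything outside the observed shape of normal requests is flagged.

```python
import re

# Constructed sample of known-good traffic for a hypothetical order API; not from any real site.
NORMAL_TRAFFIC = [
    "GET /orders/42 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "POST /orders HTTP/1.1\r\nHost: shop.example\r\nContent-Type: application/json\r\n\r\n",
    "HEAD /health HTTP/1.1\r\nHost: shop.example\r\n\r\n",
]

def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, uri, headers) with lower-cased header names."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers

def path_template(uri):
    """Drop the query string and replace numeric path segments, so /orders/42 and /orders/7 match."""
    path = uri.split("?", 1)[0]
    return re.sub(r"/\d+(?=/|$)", "/{n}", path)

def learn_profile(samples):
    """The 'learning' part: the (method, path template) pairs observed in known-good requests."""
    return {(m, path_template(u)) for m, u, _ in map(parse_request, samples)}

def build_rules(profile):
    """Each rule is (name, predicate over (method, uri, headers)); the first match blocks."""
    return [
        ("method-not-allowed", lambda m, u, h: m not in {"GET", "POST", "HEAD"}),
        ("missing-host-header", lambda m, u, h: "host" not in h),
        ("uri-too-long", lambda m, u, h: len(u) > 256),
        ("post-not-json", lambda m, u, h: m == "POST"
         and not h.get("content-type", "").startswith("application/json")),
        ("outside-learned-profile", lambda m, u, h: (m, path_template(u)) not in profile),
    ]

def inspect(raw, rules):
    """Return the name of the first rule the request trips, or None to let it through."""
    method, uri, headers = parse_request(raw)
    for name, predicate in rules:
        if predicate(method, uri, headers):
            return name
    return None

RULES = build_rules(learn_profile(NORMAL_TRAFFIC))
```

The last rule is the one that needs re-training whenever the application changes, which is exactly the tuning burden the next section describes.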
Disadvantages of Application-Based Firewalls
One of their greatest advantages is also one of their disadvantages: the tuning can become overwhelming. In the case of WAFs, if the web application changes frequently, your WAF rules will need to be monitored and adjusted. With such a specific and highly tailored type of firewall, the learning curve can be steep. It typically requires someone extremely familiar with the protocol in question to properly tune the rules and logic.
If you are relying fully on an application-based firewall to protect your network, it is not going to be the Swiss Army knife you need. It is the specialized tool for the specific areas of your network that need extra protection and guarding.
When choosing a firewall solution, it is important to understand the benefits and drawbacks of each. In many cases an organization will choose one or more of the options discussed here in order to maximize the security coverage of the network. Budget always comes into play, so when deciding which is best it may come down to what the business can afford. There is no wrong decision in choosing firewalls as long as they meet your business needs and any regulatory compliance requirements that exist.