Choosing the Right Firewall For Your Organization: A Guide
Firewalls are evolving constantly with more functionality and advanced features. Choosing a firewall is heavily dependent on the size, scope, and scale of your particular organization. In this post, we explore the different types of firewalls to help you determine which best suits your organization's needs.
What is a Firewall?
Firewalls protect the perimeter of a network by inspecting entering traffic. Some firewalls also check outgoing traffic. Firewalls either use blacklist rules to block traffic that may be dangerous , or whitelist rules to only traffic that is probably safe. There are many different types of firewalls.
For example, firewalls may be hardware or software, they may be on the users premises or cloud-based. Software firewalls are installed on endpoints, such as a computer or a mobile device. Hardware firewalls are physical devices connected between your gateway and the external network it is connected to. Fundamentally, all firewalls perform the same basic function: inspecting and controlling traffic as it enters or leaves the network or device that it is protecting.
Most firewalls use source and destination addresses, port numbers, and protocol types to identify traffic that must either be blocked or allowed. You might, for example, only allow TCP traffic to enter your network on ports 80 and 443, or allow any traffic coming from a specific range of white-listed addresses, or block all traffic coming from a blacklist of addresses known to be associated with malware distribution.
Note, however, that though a firewall can block malware from blacklisted sources, it will not necessarily stop malware introduced accidentally or unknowingly from an authorized source. Firewalls, alone, do not provide perfect security, but they are an essential component of your network defenses.
5 Types of Firewalls
As with all security solutions, there are a range of firewall options with varying capabilities, and vastly different prices. You will have to take many factors into consideration when choosing firewalls.
Hardware vs. Software Firewalls
Software and hardware firewalls have different strengths and weaknesses. They are often used together to provide better security. Hardware firewalls in many ways are simpler to use. They're a physical device, connected to a router or a gateway server connected to an external network, that inspects all traffic entering or leaving the network. Installing one device applies some protection to every device connected to the network. Hardware firewalls are capable of handling high volumes of traffic. They can be changed or reconfigured with minimal impact on the network, and typically use proprietary operating systems, which are not vulnerable to many common attacks.
Software firewalls are installed on individual devices, and can be configured more precisely. They can blacklist or whitelist specific users, for example. Some software firewalls can also screen incoming information based on content, and may be able to block malware that a hardware firewall would miss. Software firewalls are harder to manage, as they need to be updated and configured individually. They may not be compatible with every kind of device, and they are more likely to be susceptible to hacking.
Packet-filtering firewalls are the most basic and least secure type of firewall. They serve as checkpoints on routers, checking data packet source and destination addresses, ports, and protocols against a set of rules — blocking any packets that fail the check. They typically only inspect the packet header, not the content. This means they provide minimal security, but they are comparatively fast, inexpensive, and easy to configure and maintain.
Circuit-level gateways provide somewhat better security than packet-filtering firewalls. Instead of inspecting individual packets, a circuit-level gateway works at the session layer, inspecting the packets performing TCP handshakes across a network, checking to see if a session initiated between local and remote hosts conform to established session rules. They will only allow sessions from allowed connections, based on the source and destination addresses, port numbers and protocols contained in the packet headers.
Just like a packet-filtering firewall, a circuit-level gateway is relatively inexpensive and easy to configure and maintain. But it also does not inspect data packets, and will not block malicious packets coming from trusted remote hosts.
Stateful Inspection Firewalls
A stateful inspection firewall combines the capabilities of a packet-filtering firewall and a circuit-level gateway, and takes them a bit further. It starts by inspecting TCP handshakes, like a circuit-level gateway. It monitors the traffic on allowed connections,and builds state tables of source IP and port and destination IP and port, and dynamically creates firewall rules to allow anticipated traffic on allowed connections.
State inspection firewalls provide better security than packet-filtering or circuit-level firewalls, but, because they monitor both the headers and the data transmitted across multiple packets, they are slow and consume more system resources.
Next-generation firewalls (NGFWs) are more sophisticated versions of stateful-inspection firewalls. Similarly to proxy firewalls, NGFWs perform deep packet inspection, verifying that the contents of every data packet which arrives at the firewall is non-malicious. However, NGFWs come with two brand new capabilities that are not integrated into traditional firewalls: Application control, and user control. Application control gives NGFWs the ability to compare incoming traffic to predefined application signatures, blocking any traffic that doesn't match an approved application signature. They are able to identify and block more varieties of malware quickly and efficiently.
User control lets NGFWs enforce rules on a user-by-user basis, cross-referencing a user directory to dynamically allow or deny traffic based on the user's privileges regardless of the source address. This means that the firewall rules can be applied consistently even if a user connects from different devices or different workplaces.
Next-gen firewalls are more expensive than previous generation firewalls. They are also difficult to configure and integrate, especially for large networks with a high number of users. They do, however, provide the finest levels of control and higher security.
Application-Level Gateways, Proxy Firewalls, and Cloud Firewalls
Proxy firewalls, sometimes called application-level gateways, filter traffic at the application layer. It works as an intermediary between two systems. Applications send requests to the proxy firewall, which inspects and verifies the request. It does not pass the request to the destination system, but rather initiates a new request from the proxy’s source address. The application and the destination never interact directly.
Like NGFWs, proxy firewalls are able to inspect both the header and the content of the packets, which allows them to find malware and other kinds of malicious data that other firewalls might miss, and control traffic on a user-by-user basis. They are very useful for protecting trusted networks from untrusted internet traffic, and allowing authorized users to connect from multiple devices and locations.
Cloud firewalls protect your trusted cloud-infrastructure from untrusted traffic from the Internet or other cloud networks hosted in the same datacenter. Cloud firewalls are virtual firewalls provided by the cloud host or firewall vendors. With virtual firewalls, you can change configurations quickly, define security rules for individual virtual machines or for specific applications.
Factors to Consider When Choosing a Firewall
Ideally, your decision will be informed by threat intelligence and risk assessments. You will know which attacks are most common, and how badly they could affect your organization. All of your defenses, including firewalls, should be designed to provide the best protection you can afford to those severe risks.
The risk assessment will also depend on the sensitivity of the data protected by your firewalls. Organizations in highly regulated or critical sectors, such as finance or healthcare, may need greater protection to protect against data breaches or service outages.
Your IT infrastructure will affect your choice. A business with only one location and no cloud infrastructure will make different decisions than one with cloud-hosted web applications, multiple offices, and hundreds of remote employees. The small business might well be able to get by with a packet-filtering firewall, while the second will likely have an array of more advanced firewalls.
The firewalls also need to be compatible with your infrastructure, including any other security solutions you may have in place such as IDS/IPS, and SIEM solutions.
Finally, you will need to consider how the firewalls will be deployed and maintained. If you do not have an IT team with the manpower and expertise to support the solution you choose, you may have to either choose a solution that is easier to configure and manage, or use a firewall service provider to reduce the burden on your IT team.