What are Firewalls, Types, Positives & Negatives

A firewall is a security measure that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Firewalls act as a barrier between a trusted internal network and untrusted external networks, such as the Internet.

There are several types of firewalls, each with its unique features, advantages, and disadvantages. In this article, we will explore the different types of firewalls and their use cases, and help you determine which is best suited for your specific situation.

Teams set up a firewall inline across a network to act as a border between external sources and the guarded system. Admins create so-called choke points at which a firewall inspects all data packets entering and leaving the network. A packet is a piece of data formatted for Internet transfer that contains:

  • The payload (the actual content).
  • A header (info about the data, such as who sent it and to whom).

Firewalls analyze packets based on pre-set rules to distinguish between benign and malicious traffic. These rulesets dictate how the firewall inspects the following:

  • Source and destination IP addresses.
  • Content in the payload.
  • Packet protocols (e.g., whether the connection uses a TCP/IP protocol).
  • App protocols (HTTP, Telnet, FTP, DNS, SSH, etc.).
  • Data patterns that indicate specific cyber attacks.

The firewall blocks all packets that do not abide by the rules and routes safe packets to the intended recipient. There are two options when a firewall prevents traffic from entering a network:

  • Discard the request silently.
  • Provide an error reply to the sender.

Both options keep dangerous traffic out of the network, so choose the one that makes more sense from a security standpoint. Typically, security teams prefer to drop requests silently to limit the info in case a would-be hacker is testing the firewall for potential vulnerabilities.

Types of Firewalls Based on Delivery Method

There are three types of firewalls based on how you decide to deploy them: hardware, software, and cloud-based firewalls. Let's see what each of these strategies offers.

Software Firewalls

A software firewall (or a host firewall) installs directly on the host device. This type of firewall protects only one machine (network endpoint, PC, laptop, server, etc.), so admins must install a version of the software on each device they want to protect.

Since admins attach a software firewall to a specific device, there's no avoiding some resource usage. These firewalls inevitably eat up some system RAM and CPU, which is a deal-breaker for some use cases.

Pros of software firewalls:

  • Excellent protection for their assigned device.
  • Isolate individual network endpoints from one another.
  • Highly granular security in which an admin has complete control over allowed programs.
  • Readily available.

Cons of software firewalls:

  • Consume the device's CPU, RAM, and storage.
  • Require configuration for each host device.
  • Day-to-day maintenance is difficult and time-consuming.
  • Not all devices are compatible with every firewall, so you may have to use different solutions within the same network.

Hardware Firewalls

A hardware firewall (or an appliance firewall) is a separate piece of hardware that filters traffic entering and coming out of a network. Unlike a software firewall, these self-contained devices have their own resources and do not consume any CPU or RAM from host devices.

For some SMBs, a hardware firewall is a bit of an overkill, and they might find more value in per-host software firewalls. Hardware firewalls are an excellent choice for larger organizations with several subnetworks containing multiple computers.

Pros of hardware firewalls:

  • Protect multiple devices with one solution.
  • Top-tier perimeter security as malicious traffic never reaches host devices.
  • Do not consume resources of host devices.
  • An admin manages only one firewall for the entire network.

Cons of hardware firewalls:

  • More expensive than software firewalls.
  • Insider threats are a considerable weakness.
  • Configuration and management require more skill than software-based firewalls.

Cloud-Based Firewalls

Many providers offer cloud-based firewalls that they deliver on-demand over the Internet. These services are also known as Firewall-as-a-Service and run either as IaaS or PaaS.

Since an MSP manages a cloud-based firewall, this option is excellent for:

  • Highly distributed businesses.
  • Teams with gaps in security resources.
  • Companies without the necessary in-house expertise.

Like hardware-based solutions, cloud firewalls excel at perimeter security, but you can also set up these systems on a per-host basis.

Pros of cloud firewalls:

  • The service provider handles all admin tasks (installation, deployment, patching, troubleshooting, etc.).
  • Users are free to scale cloud resources to meet the traffic load.
  • No need for any in-house hardware.
  • High levels of availability.

Cons of cloud firewalls:

  • A lack of transparency regarding exactly how the provider runs the firewall.
  • Like other cloud-based services, these firewalls are difficult to migrate to a new provider.
  • Traffic flows through a third party, which raises latency and privacy concerns.
  • Expensive in the long run due to steep OpEx.

There's no reason to pick one type of deployment and rely solely on that setup. For example, you could set up a hardware or cloud firewall at the network perimeter while also having software firewalls on high-value hosts.

Types of Firewalls Based on Method of Operation

Below is an in-depth look at the five types of firewalls based on their function and OSI layer. You can deploy any of them as hardware, software, or in the cloud.

Packet-Filtering Firewalls

Packet-filtering firewalls act as a checkpoint at the network layer and compare each packet's header info to a set of pre-established criteria. These firewalls check the following header-based info:

  • Destination and origination IP addresses.
  • Packet type.
  • Port number.
  • Network protocols.

These types of firewalls only analyze surface-level details and do not open the packet to examine its payload. A packet-filtering firewall examines each packet in a vacuum without considering existing traffic streams.

Packet-filtering firewalls are ideal for small organizations that require a basic level of security against well-established threats.

Pros of packet-filtering firewalls:

  • A low-cost solution.
  • Fast packet filtering and processing.
  • Excellent at screening traffic between internal departments.
  • Low resource consumption.
  • Minimal impact on network speed and end-user experience.
  • Enables complex security policies through filtering on packet headers.
  • An excellent first line of defense in a multi-layered firewall strategy.

Cons of packet-filtering firewalls:

  • No checks of packet payloads (the actual data).
  • Easy to bypass for an experienced hacker.
  • Incapable of filtering at the app layer.
  • Vulnerable to IP spoofing attacks since it processes each packet in isolation.
  • No user authentication or logging features.
  • Access control lists are challenging to set up and manage.

Circuit-Level Gateways

Circuit-level gateways operate at the session OSI layer and monitor TCP (Transmission Control Protocol) handshakes between local and remote hosts.

This simplistic firewall type quickly approves or denies traffic without consuming a lot of resources. However, these systems do not inspect packets, so even malware-infected requests get access if there's a proper TCP handshake.

Pros of circuit-level gateways:

  • Only process requested transactions and reject all other traffic.
  • Simple to set up and manage.
  • Resource and cost-efficient.
  • Strong protection against address exposure.
  • Minimum impact on end-user experience.

Cons of circuit-level gateways:

  • Not a stand-alone solution as there's no content filtering.
  • Often requires software and network protocol tweaks.

Stateful Inspection Firewalls

A stateful inspection firewall (or dynamic packet-filtering firewall) monitors incoming and outgoing packets at the network and transport layers. This firewall type combines packet inspection and TCP handshake verification.

Stateful inspection firewalls maintain a table database that tracks all open connections and enables the system to check existing traffic streams. This database stores all key packet-related info, including:

  • The source IP.
  • Source port.
  • Destination IP.
  • Destination port for each connection.

When a new packet arrives, the firewall checks the table of valid connections. Familiar packets go through without further analysis, while the firewall evaluates non-matching traffic according to the pre-set ruleset.
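The difference between the packet-filtering model above (each packet judged in isolation) and stateful inspection (a connection table consulted first) is easiest to see on the same traffic. The following Python simulation is an added example, not code from the article or any firewall product; the addresses, ports and policy are constructed, and the rule fields are limited to the header items the article lists.

```python
"""Stateless packet filtering vs. stateful inspection, simulated in Python.

Constructed example: a Packet carries only the header fields the article says
these firewalls examine (protocol, source/destination IP and port, TCP flags).
Nothing here touches real network traffic.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

INSIDE = "10.0.0.0/8"   # assumed trusted network (constructed value)


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # TCP SYN flag: a new connection attempt
    ack: bool = False       # TCP ACK flag: acknowledges an existing exchange


@dataclass(frozen=True)
class Rule:
    action: str                                 # "accept", "drop" (silent) or "reject" (error reply)
    proto: Optional[str] = None                 # None matches any value
    src: Optional[str] = None                   # CIDR the source IP must fall in
    dst: Optional[str] = None                   # CIDR the destination IP must fall in
    dport: Optional[Tuple[int, int]] = None     # inclusive destination-port range

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.dport is None or self.dport[0] <= p.dport <= self.dport[1]))


def stateless_filter(p: Packet, rules: list, default: str = "drop") -> str:
    """Packet-filtering firewall: first matching rule wins; every packet is judged alone."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default   # the article's preferred default: drop silently


class StatefulFirewall:
    """Stateful inspection: the same ruleset plus a table of connections already allowed."""

    def __init__(self, rules: list):
        self.rules = rules
        self.table: set = set()   # (proto, src IP, src port, dst IP, dst port) per connection

    def filter(self, p: Packet) -> str:
        forward = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Familiar traffic (either direction of a tracked connection) passes
        # without consulting the ruleset again.
        if forward in self.table or reverse in self.table:
            return "accept"
        # A TCP segment claiming to continue a connection that was never seen
        # to start has no state to justify it, so it is dropped before the rules.
        if p.proto == "tcp" and p.ack and not p.syn:
            return "drop"
        action = stateless_filter(p, self.rules)
        if action == "accept":
            self.table.add(forward)
        return action


# Policy: inside hosts may open HTTPS connections to anywhere; nothing else.
POLICY = [Rule("accept", proto="tcp", src=INSIDE, dport=(443, 443))]
# A stateless filter cannot recognise the server's replies, so the same policy
# must also open every ephemeral port on the inside to the whole Internet. That
# extra rule is the widened attack surface the article attributes to packet filters.
STATELESS_POLICY = POLICY + [Rule("accept", proto="tcp", dst=INSIDE, dport=(1024, 65535))]

# Constructed traffic: one legitimate HTTPS handshake from an inside host, then
# two unsolicited packets from an unrelated outside address.
SAMPLE = [
    Packet("tcp", "10.0.0.5", 51000, "203.0.113.10", 443, syn=True),            # outbound SYN
    Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 51000, syn=True, ack=True),  # server's SYN-ACK
    Packet("tcp", "10.0.0.5", 51000, "203.0.113.10", 443, ack=True),            # client's final ACK
    Packet("tcp", "198.51.100.7", 4444, "10.0.0.5", 8080, syn=True),            # unsolicited inbound
    Packet("tcp", "198.51.100.7", 4444, "10.0.0.5", 51000, ack=True),           # forged "reply"
]


def compare(packets: list) -> dict:
    """Run the same packets through both firewall models and return the verdicts."""
    stateful = StatefulFirewall(POLICY)
    return {
        "stateless": [stateless_filter(p, STATELESS_POLICY) for p in packets],
        "stateful": [stateful.filter(p) for p in packets],
    }


if __name__ == "__main__":
    for model, verdicts in compare(SAMPLE).items():
        print(model, verdicts)
```

The stateless model accepts all five packets, including the two unsolicited ones, because its reply-allowing rule cannot tell a reply from a probe; the stateful model accepts only the three packets of the tracked handshake.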

Pros of stateful inspection firewalls:

  • Consider previously inspected packets while filtering traffic.
  • Excellent at stopping attacks that aim to exploit protocol flaws.
  • Do not open numerous ports to allow traffic in or out, which shrinks the attack surface.
  • Detailed logging capabilities that help in digital forensics.
  • Reduced exposure to port scanners.

Cons of stateful inspection firewalls:

  • More expensive than packet-filtering firewalls.
  • Require a high degree of skill to set up correctly.
  • Often take a toll on performance and lead to network latency.
  • No authentication support for validating spoofed traffic sources.
  • Vulnerable to TCP flood attacks that take advantage of pre-established connections.

Proxy Firewalls

A proxy firewall (or application-level gateway) serves as an intermediary between internal and external systems. These firewalls protect a network by masking client requests before sending them to the host.

Proxy firewalls operate at the app layer, the highest level of the OSI model. These systems have deep packet inspection (DPI) capabilities that check both payloads and headers of incoming traffic.

When a client sends a request to access a network, the message first goes to the proxy server. The firewall checks the following:

  • Previous communications between the client and devices behind the firewall (if any).
  • Header info.
  • The content itself.

The proxy then masks the request and forwards the message to the web server. This process hides the client's identity. The server responds and sends the requested data to the proxy, after which the firewall passes the info to the original client.

Proxy firewalls are the go-to option for businesses trying to secure a web application from malicious users. These systems are also popular when a use case requires network anonymity.

Pros of proxy firewalls:

  • DPI that checks both packet headers and payloads.
  • Add an extra layer of separation between clients and your network.
  • Conceal internal IP addresses from potential threat actors.
  • Detect and block attacks invisible at the OSI model network layer.
  • Fine-grained security controls over network traffic.
  • Unlock geolocational restrictions.

Cons of proxy firewalls:

  • Increased latency due to thorough packet checks and extra communication steps.
  • Not as cost-effective as other types of firewalls due to high processing overhead.
  • Challenging to set up and manage.
  • Not compatible with every network protocol.

Next-Generation Firewalls

A next-generation firewall (NGFW) is a security device or program that combines several functions of other firewalls. Such a system offers:

  • Deep packet inspection that analyzes the traffic's content.
  • TCP handshake checks.
  • Surface-level packet inspection.

Next-gen firewalls also include additional network security measures, such as:

  • IDSes and IPSes.
  • Malware scanning and filtering.
  • Advanced threat intelligence (pattern matching, protocol-based detections, reputation-based malware detection, anomaly-based detections, etc.)
  • Antivirus programs.
  • Network Address Translation (NAT).
  • Quality of service (QoS) features.
  • Secure Shell (SSH) inspection.

NGFWs are a common choice in heavily regulated industries, such as healthcare or finance. Companies that must adhere to HIPAA and PCI are the usual adopters.

Pros of next-generation firewalls:

  • Combine traditional firewall features with advanced cybersecurity capabilities.
  • Inspect network traffic from the data link layer to the app layer (layers 2-7 in the OSI model).
  • Substantive logging capabilities.

Cons of next-generation firewalls:

  • More expensive than other firewalls.
  • A massive single point of failure.
  • Slow deployment time.
  • Require a high degree of expertise to set up and run.
  • Hindered network performance.

Like with delivery models, nothing is stopping you from using multiple types of firewalls at the same time. Companies often set up several firewalls in the same network and deploy them at different levels.

Which Firewall Type is Right for Your Business?

No two businesses have the same assets, networks, and risk tolerance, so every company has unique firewall needs. The main questions to answer when choosing a firewall type are:

  • What kind of network are you trying to keep safe?
  • How valuable are the assets you're trying to protect? Is there anything mission-critical?
  • What's the allocated budget for the project?
  • What are the technical objectives of the firewall?
  • How big is the network? How many hosts are there?
  • What kind of traffic will the firewall face? Will the load be consistent?
  • Do you require a firewall on each host device?
  • Does your team have hands-on experience with setting up and using a particular firewall type?
  • What kind of traffic inspection do you need?
  • How do different types of firewalls fit into your current app architecture?
  • Are you ready to make infrastructure changes if necessary?
  • How much (if any) latency can you afford to introduce with the new firewall?
  • Do you have any compliance-related rules to consider? How about data privacy or protection laws?
  • How much time can your team set aside for firewall management?

Answers to these questions help identify the right firewall option. Here are a few extra tips to help you out:

  • Perform in-depth threat modeling before deciding on the right firewall type.
  • Try to align your choices with the team's experience.
  • Consider more cost-effective options first (i.e., do not go for a full-blown NGFW if a simple packet-filtering firewall would do the job).
  • Ensure the new firewall does not slow down the network to a point you're impacting the end-user experience.
  • Do not rely solely on packet-filtering and stateful inspection firewalls if you require protection at the app layer.
  • Use firewalls to boost your network segmentation strategy.

A smart strategy when choosing a firewall is to start by analyzing your weaknesses. Learn how to perform a network security audit that thoroughly examines the current state of your network.

Understand What Different Types of Firewalls Offer

A firewall is the first line of defense if someone or something tries to breach your company. These systems have the potential to make or break a security strategy, so treat their selection and setup accordingly. Know what different types of firewalls offer and how they keep assets safe before you go all-in on a solution.

8 Types of Firewalls Explained & When to Use Each

While originally created to protect internal networks, firewall solutions have evolved into diversified and specialized solutions suitable for a number of architectures and purposes. The eight types of deployable firewalls include traditional network firewalls, unified threat management (UTM), next-generation firewalls (NGFW), web application firewalls (WAF), database firewalls, cloud firewalls, container firewalls, and firewalls-as-a-service (FWaaS).

To deploy the appropriate type of firewall, it first requires an understanding of the available features and deployment options. These inform the pros, cons, and the best use cases for each firewall and how each type of firewall delivers a unique solution.

Features & Deployment Options for Firewalls

Firewalls are the bouncers for IT. They screen incoming traffic to networks, applications, databases, and other resources for unauthorized and unwanted traffic.

Firewalls must balance security performance with operations throughput, and more advanced functions improve security but slow down data delivery. In most cases, the “best” firewall solution will be the deployment of multiple firewalls to maximize their best attributes and minimize their flaws; however, budgets and resource constraints often deny ideal deployments.

Types of Firewall Features

The key features of firewalls include packet filtering, stateful inspection, session filtering, proxy service, application layer filtering, source filtering, malware filtering, and deep packet inspection. The chart below compares generally-available features with the associated firewall type, but keep in mind all classifications are generalities and some advanced traditional firewalls may perform some malware filtering and some database firewalls may be capable of session filtering.

Each feature delivers a different type of screening function. Fast, simple features don’t add much security, while the more complex features add significant security at the similarly significant cost of operational throughput.


Types of Firewall Deployment

When deploying a firewall, the security team needs to consider where the solution fits into the overall architecture. Traditionally, vendors delivered all firewalls in purpose-built hardware appliances, but now nearly all types of firewalls may be deployed as software ready to be installed as virtual machines (VMs) or containers.

Hardware Firewalls

Hardware comes in server rack and desktop profiles and will be fixed in capacity based upon the hardware configuration. The dedicated hardware and fixed capacity improve convenience for updates and remote deployments.

However, hardware firewalls cost more than equivalent VMs, take up physical space, and are much less flexible to change. The limited flexibility plus capacity constraints make hardware less attractive for deployment in dynamic environments.

Software-Based Firewalls (VM, Cloud, Container)

Software-based virtual machine firewalls can be installed on desktops, servers, cloud, and container orchestration environments. Virtual firewalls offer improved flexibility, rapid deployment, and a full range of capabilities, from simple-host-based operating system firewalls to full-NGFW capabilities.

However, VM firewalls become security dependent on the host environment and can cause conflicts with other applications running on the host. VM firewalls also increase complexity and opportunities for mistakes in installation, integration, and configuration.

Traditional Network Firewalls

Traditional, basic, or simple network firewalls screen data packets by following rules and performing data header inspections. These firewalls provide inexpensive security and can be deployed easily as hardware devices or virtual machines throughout a network to perform filtering or network segmentation.

No vendor sells a firewall listed as ‘traditional,’ ‘simple,’ or ‘basic.’ However, a buyer can observe that the lowest priced firewall options will generally deploy the simplified features attributed to a traditional firewall.

Traditional firewalls are known as host-based firewalls when built into operating systems (EX: Windows Firewall, macOS, etc.), enterprise network routers, and consumer Wi-Fi routers. Purchasing low-cost firewalls providing traditional functionality can enable fast and easy firewall protection, but IT teams with more time might prefer open-source software firewalls.

Use Cases

  • Branch offices or small and home offices (SOHO)
  • Low-risk environments (industrial facilities with limited tech, etc.)
  • Layer of defense for servers, endpoints, and network segments
  • Internal network segmentation, access control, or bandwidth management
  • Initial high-throughput filtering of traffic in front of more sophisticated or specialized solutions (NGFW, WAF, etc.)

Common Features

  • Packet filtering
  • Stateful inspection
  • Session filtering
  • Proxy service
  • Application layer filtering
  • Source filtering
  • Malware filtering
  • Deep packet inspection

Pros

  • Very effective for a narrow set of tasks
  • Fast processing and high data throughput
  • Inexpensive or free to implement
  • Quick to install and configure

Cons

  • Doesn’t block application or web-based (HTML) attacks
  • No traffic inspection
  • Typically limited capacity
  • Can be fooled by manipulated headers

Unified Threat Management (UTM)

Unified threat management (UTM) appliances provide a robust security stack in a turn-key appliance that simply plugs into the network. The typical UTM expands upon the basic traditional firewall capabilities to perform additional scanning that incorporates the capabilities of antivirus, intrusion detection systems, secure web gateways (SWGs), Domain Name System (DNS) security, and email gateway security.

UTMs target small and medium-sized organizations that want to save money with a combined security solution. This solution also works for any-sized organization that wouldn’t have the resources to fine-tune security options for their organization.

All UTMs inspect the unencrypted components of the incoming and outgoing packet headers for malware, malicious attachments, and known-malicious or suspected phishing sites (IP addresses, URLs, etc.) and perform some basic application-layer protections. Some UTMs can sometimes perform deep-packet scanning but will lack the full-powered scanning available in NGFW because resources will be shared with the non-firewall features of the appliance.

Use Cases

  • Small and medium-sized organizations or branch offices
  • Organizations with limited IT resources
  • Moderate risk facilities (industrial facilities, cruise ships, etc.)

Common Features (Firewall only)

  • Packet filtering
  • Stateful inspection
  • Session filtering
  • Proxy service
  • Application layer filtering*
  • Source filtering
  • Malware filtering
  • Deep packet inspection*

*Some features may be present but limited in capability compared to more robust solutions (NGFW, WAF, etc.).

Pros

  • Includes a variety of security features in a single deployment
  • Centralized management console
  • Makes installation and management easier for IT teams
  • Inexpensive compared to deploying individual solutions for each function

Cons

  • Expanded capabilities often require more frequent updates, especially for antivirus signatures and malicious URLs
  • Tends to be less effective than dedicated solutions
  • Slow data throughput compared to dedicated solutions or traditional firewalls
  • Lacks customization options

Next-Generation Firewalls (NGFWs)

Next-generation firewalls expand on the capabilities of traditional firewalls with more robust inspection of the contents of each data packet. This inspection includes examining the source and destination IP addresses to block malicious (malware, phishing, etc.) and unwanted connections (adult entertainment sites, unwanted geolocations, etc.).

NGFWs perform some application level filtering of harmful applications using signature matching and SSL decryption. Next-gen firewall application filtering capabilities can even enable banning the use of specific applications, such as peer-to-peer (P2P) file-sharing applications, or partially restrict application use, such as allowing Skype calls but blocking Skype file sharing.

Most firewalls currently sold provide at least simple packet inspection and URL filtering. Newer and more powerful NGFWs incorporate behavioral detection and deploy artificial intelligence (AI) for anomaly detection and proactive defense.

Use Cases

  • Maximum protection in a firewall solution for the broadest needs
  • Extensive protection to satisfy PCI or HIPAA compliance
  • Performance-insensitive environments little affected by reduced data flow
  • Enterprise, government, and education campus environments with robust IT resources for installation, configuration, and maintenance

Common Features

  • Packet filtering
  • Stateful inspection
  • Session filtering
  • Proxy service
  • Application layer filtering
  • Source filtering
  • Malware filtering
  • Deep packet inspection

Pros

  • More thoroughly searches incoming data for malicious code
  • More likely to meet compliance requirements
  • Can directly block some malware and attacks (such as DDoS)
  • Can inspect encrypted traffic

Cons

  • More expensive solution
  • More limited data throughput can cause network performance issues
  • More features mean more options, which increases installation time, configuration requirements, and misconfiguration risk
  • More maintenance and updates will be required

Web Application Firewalls (WAF)

A web application firewall (WAF) provides an application-layer proxy between an application and the application’s users to filter potentially malicious traffic. These firewalls provide improved operational performance by focusing on specialized defense such as filtering out deliberately malformed or malicious requests.

Installing a WAF allows an NGFW at the edge of the network to skip application layer inspections and focus on more basic scanning tasks to improve data flow to the application server. The proxy architecture shields the application from malicious activity such as port scans, attempts to determine the software running on the application server (or container information), and cross-site scripting (XSS).

In addition to application layer filtering, many WAFs now provide protection for application programming interfaces (APIs), bot detection, and microservices. More advanced WAFs boost performance using AI and ML for anomaly detection and autonomous threat blocking.
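What the proxy firewall section earlier and the WAF description here have in common is that the firewall terminates the client's request and reads it as an HTTP message, which a header-only filter never does. The following Python simulation is an added example, not code from either article or from any WAF product: it parses a raw request, URL-decodes the fields until stable (so double-encoding is seen in the clear), checks a few illustrative signatures for the attack classes named above, and forwards clean requests with the client's identity stripped. Signatures, addresses and requests are constructed for the demonstration.

```python
"""Application-layer inspection by a proxy firewall / WAF, simulated in Python.

Constructed example: the proxy terminates the client's HTTP request, decodes it,
checks the decoded fields against a few illustrative signatures, and forwards
allowed requests with the client's identity masked. Rules and requests are made
up for the demonstration; this is not a production rule set.
"""
import re
from typing import Optional
from urllib.parse import unquote_plus

PROXY_IP = "10.0.0.2"   # assumed address the origin server sees (constructed)

# Illustrative signatures for the attack classes the article names (SQLi, XSS).
APP_LAYER_RULES = [
    ("sqli", re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select", re.I)),
    ("xss", re.compile(r"<\s*script\b|javascript:", re.I)),
]
# Request headers that would reveal the original client to the origin server.
CLIENT_IDENTIFYING = {"x-forwarded-for", "forwarded", "x-real-ip"}


def parse_request(raw: bytes) -> Optional[dict]:
    """Split a raw HTTP/1.1 request into method, target, headers and body; None if malformed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "version": parts[2],
            "headers": headers, "body": body.decode("iso-8859-1")}


def normalise(text: str) -> str:
    """URL-decode until the text stops changing, so double-encoded payloads are seen plainly."""
    previous = None
    while previous != text:
        previous, text = text, unquote_plus(text)
    return text


def inspect(req: dict) -> Optional[str]:
    """Return the name of the first signature hit across target, body and header values."""
    for field in [req["target"], req["body"], *req["headers"].values()]:
        decoded = normalise(field)
        for name, pattern in APP_LAYER_RULES:
            if pattern.search(decoded):
                return name
    return None


def proxy(raw: bytes, client_ip: str) -> dict:
    """Decide block/forward and build the request the origin server would receive."""
    req = parse_request(raw)
    if req is None:
        return {"action": "block", "reason": "malformed", "forwarded": None}
    hit = inspect(req)
    if hit:
        return {"action": "block", "reason": hit, "forwarded": None}
    # Forwarded copy: client-identifying headers removed, connection made from the proxy.
    headers = {k: v for k, v in req["headers"].items() if k not in CLIENT_IDENTIFYING}
    return {"action": "forward", "reason": None,
            "forwarded": {"peer": PROXY_IP, "method": req["method"],
                          "target": req["target"], "headers": headers, "body": req["body"]},
            # The real client address stays only in the proxy's own log.
            "log": f"{client_ip} -> {req['method']} {req['target']}"}


# Constructed requests as they would arrive at the proxy.
GOOD = (b"GET /products?id=42 HTTP/1.1\r\nHost: shop.example\r\n"
        b"X-Forwarded-For: 198.51.100.7\r\n\r\n")
SQLI = b"GET /products?id=42%27%20OR%201%3D1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
DOUBLE_ENCODED_XSS = (b"POST /comment HTTP/1.1\r\nHost: shop.example\r\n"
                      b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                      b"text=%253Cscript%253Ealert(1)%253C%252Fscript%253E")
MALFORMED = b"GET /products\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("good", GOOD), ("sqli", SQLI),
                      ("double-encoded xss", DOUBLE_ENCODED_XSS), ("malformed", MALFORMED)]:
        verdict = proxy(raw, "198.51.100.7")
        print(name, verdict["action"], verdict["reason"])
```

Only the decoded body of the third request contains a script tag; a filter that looked at the raw bytes, or only at headers, would pass it.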

Use Cases

  • Extra and specialized defense for application servers and applications
  • Specialized high-performance firewall to remove burden and slowdown from other firewalls

Common Features

  • Proxy service
  • Application layer filtering
  • Source filtering
  • Malware filtering
  • Deep packet inspection*

Deep packet inspection will typically be focused on application attack prevention (XSS, DDoS, SQLi, etc.) and pay less attention to blocking malware to improve performance.

Pros

  • Adds an extra layer of protection between the application and potentially malicious code
  • Specialized inspection of HTTP/HTTPS traffic to defend against code-based attacks such as SQL injection (SQLi) or cross-site scripting (XSS)
  • Specialized packet inspection improves ease of use and reduces operations drag
  • Specialized focus also decreases installation and configuration mistakes

Cons

  • Only cost effective for organizations with higher risks, budgets, and resources
  • Doesn’t provide full security for all applications
  • May slow the performance of some applications
  • Doesn’t provide a full spectrum of security and should only be part of a security stack

Database Firewalls

Database firewalls are a subset of web application firewalls that protect databases. They are installed directly in front of the database server or occasionally in front of the network gateway when protecting multiple databases running on multiple servers.

Database firewalls detect and prevent specific database attacks, such as SQL injection (SQLi), that can lead to attackers accessing confidential information stored on the databases. Installing a database firewall allows a security team to skip inspections for database attacks at NGFW and application servers earlier in the data flow to improve data throughput and performance overall.

Use Cases

  • Extra and specialized defense for databases and database servers
  • Extra compliance reporting regarding database access and usage
  • Specialized high-performance firewall to remove burden and slowdown from other firewalls

Common Features

  • Proxy service
  • Application layer filtering
  • Source filtering
  • Malware filtering
  • Deep packet inspection*

Deep packet inspection will focus on database attack prevention (SQLi, etc.) and pay less attention to blocking other types of attacks to improve performance.

Pros

  • Specialized inspection of HTTP/HTTPS traffic to defend against code-based attacks such as SQL injection (SQLi)
  • Security focus improves ease of use and decreases installation or configuration mistakes
  • Can double as a monitoring and auditing tool for database access
  • Can produce reports regarding database access for compliance and regulatory purposes

Cons

  • Only cost-effective for organizations with higher risks, budgets, and resources
  • Doesn’t provide a full spectrum of security and should only be part of a security stack
  • Decreases performance for database access
  • Hyper-specialized protection may require specialized resources, such as database experts, to help with the integration and configuration

Cloud-Based Firewalls

A cloud-based firewall can be purchased in the marketplace for cloud providers (Azure, AWS, Google Cloud, etc.) to protect cloud resources behind the firewall. An ambitious organization could technically configure their entire network infrastructure to run behind a cloud-scalable firewall, assuming that no control of the underlying hardware is acceptable.

Many popular firewall vendors (FortiGate, Fortinet, Juniper, Palo Alto, Sophos, etc.) offer cloud-optimized VM solutions in a cloud marketplace preconfigured for that specific cloud (Azure, AWS, etc.). Some cloud providers will also make their own branded firewalls available (Azure, IBM, etc.).

Cloud-based firewalls may be specialized firewalls (Ex: WAF, Container) or may be fully functional NGFWs. Unlike FWaaS, covered below, a cloud-based firewall will require internal IT resources to install, configure, maintain, and monitor the firewall.

Note: Open-source resources obtained as cloud-firewalls won’t generally be free deployments. At the very least, the cloud provider will charge fees for the VM (CPU, memory, etc.).

Use Cases

  • Specialized layer of defense for cloud resources
  • Centralized firewall for an entire enterprise
  • Highly variable needs benefit from the scalability of cloud resources

Common Features

  • Packet filtering
  • Stateful inspection
  • Session filtering
  • Proxy service
  • Application layer filtering
  • Source filtering
  • Malware filtering
  • Deep packet inspection

Note: Not all features will be available with all cloud-based firewall products.

Pros

  • More scalable (up and down) than on-premises options
  • Less expensive than an on-premises option licensed for peak use requirements
  • Often pre-configured for cloud-specific deployment
  • No maintenance and upgrade requirements for the underlying hardware

Cons

  • No control of the underlying hardware
  • More expensive than on-premises equipment scaled for baseline requirements
  • Cloud-vendor-optimized deployments may not be multi-cloud compatible
  • Cloud-deployed firewalls may require cloud experts to ensure proper implementation and configuration of the deployment

Container Firewalls

A container firewall protects and isolates containerized application stacks, workloads, and services on a container host. Container firewalls deliver traditional firewall capabilities and filter traffic in, out, and within the container environment.

This specialized security improves operational throughput and creates highly isolated containers with limited exposure (and access) to external networks or other non-containerized applications. The lightweight design of a container firewall integrates tightly with container engines (Docker, etc.) and orchestration tools (Kubernetes, OpenShift, etc.).

As with other container resources, container firewalls can be easily scaled, deployed, and removed from service using code. Container firewalls can also be integrated with DevOps tools and processes to keep up with agile requirements.

Use Cases

  • Extra and specialized defense for containers
  • Specialized high-performance firewall to remove burden and slowdown from other firewalls
  • Deploy on demand and in tandem to protect containerized microservices

Common Features

  • Application layer filtering
  • Source filtering
  • Malware filtering
  • Deep packet inspection

Pros

  • Centralized configuration or configuration through DevOps
  • Can be deployed by code
  • Provides visibility and control over containers
  • Container deployment provides rapid scalability and on-demand installation

Cons

  • Only cost-effective for organizations with higher risks, budgets, and resources
  • Doesn’t provide a full spectrum of security and should only be part of a security stack
  • Code deployment without security oversight risks deployment of obsolete firewalls that no longer provide good security
  • Specialized container deployments will require specialized (and more expensive) container expertise for configuration and integration

Firewall-as-a-Service

Firewall-as-a-Service (FWaaS) provides NGFW capabilities as a fully-outsourced service. FWaaS can be considered a specialized sub-category of NGFW or cloud-based firewalls in which most configuration and maintenance are outsourced to the SaaS provider.

FWaaS professionals completely specialize in firewall management, and this focus provides superior maintenance and threat updates. Zero-day attacks detected for one customer become information shared for all customers and improve security accordingly.

Deployment requires configuring corporate routers to divert traffic to the cloud-based firewall, while mobile users either connect to it via a VPN or by using it as a proxy. This process enables rapid deployment for geographically dispersed organizations or can be used during the replacement of legacy technology from corporate acquisitions.

Use Cases

  • Centralized management for geographically dispersed offices
  • More robust security for IT resource-constrained organizations
  • Turnkey firewall capabilities for rapid startup or replacement of legacy systems

Common Features

  • Packet filtering
  • Stateful inspection
  • Session filtering
  • Proxy service
  • Application layer filtering
  • Source filtering
  • Malware filtering
  • Deep packet inspection

Pros

  • Cloud-hosted firewalls provide more flexible and scalable solutions with improved uptime compared to on-premises options
  • Simple and easy deployment without any maintenance requirement
  • Unified security applied consistently across the organization
  • More rapid identification and updates for attack threats

Cons

  • Service provider probably doesn’t know the specific security needs of its customers
  • May have fewer options than more established hardware and software firewall solutions
  • Loss of control and potential to expose internal information to third parties (through packet inspection, etc.)
  • Doesn’t replace the need for device (OS, router) and narrow-solution firewalls (database, container)


Firewall Services as Alternatives to Firewall Purchases

All of the types of firewalls above can be purchased or installed. However, some companies may be too small, lack IT staff, or simply want to avoid the hassles of configuring and managing their own firewalls.

FWaaS provides one option for fully-outsourced firewalls in the lowest common denominator form. However, this won’t always be the best fit for organizations with resource constraints or secrecy or compliance requirements that don’t allow for data to pass through third-party providers.

Organizations with these additional constraints can hire managed service providers (MSPs), managed security service providers (MSSPs), and other cybersecurity consultants to purchase, install, configure, monitor, and maintain a diverse array of firewalls.

In addition to addressing resource constraints, adopting a service (including FWaaS) eliminates capital expenditure (CapEx) costs in favor of operating expenses (OpEx). Although the cumulative OpEx cost may eventually exceed the cost of a CapEx firewall acquisition, services provide more flexibility and scalability to right-size the expenditure to match changing needs.

9 Questions to Ask to Find the Right Firewall Solutions

To determine the appropriate firewall solution, first understand and define the needs. These needs must incorporate not only the security requirements but also the operations requirements, risk profiles, and resource constraints.

  • What kind of resources are being protected?
  • Which features may already be handled by other solutions?
  • What kind of traffic will the firewall face, and how critical is packet throughput?
  • How many resources are being protected?
  • What is the network architecture?
  • How costly is the risk of failure?
  • Are there compliance or secrecy risks?
  • How many resources are available for firewall management?
  • What is the realistic budget?

Each of these questions contributes to determining the type of features needed and the type of resources available to implement and manage those features. Gaps between needs, risks, and resources can sometimes be filled with services, but sometimes they must be resolved through compromise and accepted risk.

Bottom Line: Choose the Right Firewall Solution As Part of a Bigger Security Picture

Not all businesses will need the same types of firewalls. Small businesses and those without a dedicated security team may gain more benefits from a FWaaS or traditional firewall than large enterprises with the budgets and resources to support NGFWs. The “best” firewall really depends on how a network is set up, the personnel available, and the needed features.

Of course, deploying the selected firewall only starts the process. The firewall must be properly installed, configured, and integrated into the broader network security stack as part of the strategy for layers of security.

What is the State of Firewalls in 2024?

While numerous iterations of firewalls have emerged in the past decades, the tenacity and adaptability of firewall technology consistently demonstrate that organizations with a resilient firewall infrastructure maintain a cybersecurity edge over those without firewalls. Here are some trends to watch out for in 2024:

  • Next-generation firewalls are trending towards increased usage of artificial intelligence (AI) and machine learning (ML) to automate security tasks and predict likely sources of anomalous traffic patterns.
  • Cloud firewalls are being increasingly adopted by security-conscious businesses, and as a result, cloud-based threats are similarly on the rise.
  • Hybridized cybersecurity architectures have become the norm, as companies are layering multiple firewall types and coordinating their firewall infrastructure with other network security tools.

Which Firewall Architecture is Right for Your Company?

To find the answer, consider the bottom line:

  • Simple packet-filtering or circuit-level gateway provides essential protection with minimal performance impact.
  • The stateful inspection architecture combines the capabilities of the previous two options but has a more substantial performance impact.
  • A proxy or next-gen firewall offers far stronger protection in exchange for additional expenses and an even higher performance impact.

The real question is: Why would you only use one?

No single protection layer, no matter how robust, will ever be enough to protect your business on its own. To provide better security, your networks should have multiple layers of firewalls, both at the perimeter and separating different assets on your network. For example, you could have a hardware or cloud firewall at the perimeter of your network, and individual software firewalls on each of your network assets.

Additional firewalls help make your network tougher to crack by creating additional defense-in-depth (DID) that isolates different assets. This acts both as a deterrent and gives you more time to respond, as it forces attackers to perform extra work to reach all your most sensitive information.

The particular firewalls you want to use will depend on your network’s capabilities, relevant compliance requirements for your industry, and the resources you have to manage these firewalls.

Firewall architecture

The types of firewalls listed above must fit into network architecture if they are to deliver maximum benefit. There are several ways to visualize this task. Here are the main firewall architecture models to consider.

Dual-homed host architecture

Dual-homed architecture is constructed around host devices with two or more network connections. These devices route traffic between different networks. These networks cannot communicate directly. The firewall intervenes, accepting IP packets from one network before transmitting them to the other.

Dual-homed hosts screen traffic and virtually exclude external traffic if required. They can apply packet filtering or deeper inspection systems to assess data security.

However, users must connect to dual-homed hosts before accessing external resources. This can give rise to security issues based around user access. Dual-homed systems also employ proxies, which may not suit all network architectures.

Screened host architecture

Screened host technology resembles dual-homed architecture. But in this case, firewall services are provided by screening routers. These devices connect with "bastion hosts" on the internal network, which in turn connect to local devices.

The screening router employs packet filtering to assess network traffic. Traffic admitted to the network passes through the bastion. This device must be equipped with sufficient security controls to screen emails and file transfers and exclude malicious traffic.

Packet filtering allows the host to open internet connections on network devices. It can also divert risky connections through proxy hosts. This adds extra flexibility compared with dual-homed architecture.

Defending the screening router is easier than guarding dual-homed hosts. The reliance on packet filtering also makes screened hosts faster in most situations. However, the bastion host is vulnerable to external attacks – a significant security weakness.

Screened subnet architecture

Screened subnet systems provide a solution to these security problems. This form of firewall architecture creates an additional perimeter layer around the bastion host. This makes movement within the network more difficult for cyber attackers.

The general idea behind screened subnets is simple. While screened host models have a single point of failure, screened subnets have multiple protections. This creates an "insurance policy", reducing the risk of security breaches.

Screened subnets generally use a router pair to provide host protection. One screening router lies between the internet and the bastion host. The other stands between the bastion and internal network devices.

Subnets can be more complex. For example, network managers can create perimeter nets around critical assets and apply looser protections to less important network nodes. Subnets apply a form of network segmentation, blocking east-west movement within the network.
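The two-router screened subnet described above, as an added example that is not from the article: a small Python model of the exterior and interior screening router policies, evaluated against constructed packets to show which router stops a given connection. The topology, addresses, the internal mail relay and the bastion's proxy port are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology for this example (addresses are not from the article):
# Internet -> exterior router -> perimeter net (bastion) -> interior router -> internal net
INTERNAL = ip_network("10.0.0.0/16")
PERIMETER = ip_network("192.0.2.0/24")   # the screened subnet hosting the bastion
BASTION = ip_address("192.0.2.10")
MAIL_RELAY = ip_address("10.0.5.25")     # the only internal host the bastion may reach
PROXY_PORT = 3128                        # hypothetical proxy listener on the bastion

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def exterior_router(p: Packet) -> bool:
    """Internet-facing router: inbound may only reach the bastion's published services."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    if src in INTERNAL or src in PERIMETER:
        return True                      # outbound: the interior router already vetted it
    return dst == BASTION and p.dport in (25, 443)

def interior_router(p: Packet) -> bool:
    """Internal-facing router: only the bastion may connect inward, and only to the
    mail relay; internal hosts reach the outside solely through the bastion's proxy."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    if dst in INTERNAL and src not in INTERNAL:
        return src == BASTION and dst == MAIL_RELAY and p.dport == 25
    if src in INTERNAL and dst not in INTERNAL:
        return dst == BASTION and p.dport == PROXY_PORT
    return True                          # traffic that does not cross this router

def trace(p: Packet) -> str:
    """Report where a new connection is stopped. Replies for already admitted
    sessions are assumed to be handled by stateful inspection and are not modelled."""
    if not exterior_router(p):
        return "dropped at exterior router"
    if not interior_router(p):
        return "dropped at interior router"
    return "allowed"

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.7", "192.0.2.10", 443),   # Internet to bastion web service
                Packet("203.0.113.7", "10.0.1.5", 445),     # Internet straight to an internal host
                Packet("192.0.2.10", "10.0.1.5", 22),       # compromised bastion pivoting inward
                Packet("10.0.1.5", "192.0.2.10", 3128)):    # internal host using the proxy
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}: {trace(pkt)}")
```

The third packet is the case the screened subnet exists for: even if the bastion is compromised, the interior router still refuses its connections to anything but the mail relay.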

I will be covering more of Network Security in the next couple of write-ups. This one covers firewalls, which is one of my favourite topics. Again, as mentioned in my previous post, I had the privilege to work with global IT teams across the world, where I used to collaborate, train and get trained by senior professionals across various verticals in global IT infrastructure setup, operations, IT and OT security, and so forth. There I got exposed to working on live production environment firewalls while working as a system analyst L3, and I worked along with the main network team, which was again based out of the UK. I actually got to implement and test some of the rules, whereby I, along with the team, used to block malicious IPs hitting the firewall's incoming traffic using various ranges of IP addresses, which was a thrilling experience. I was a limited admin, not a full firewall admin, so I used to work with the main data center team, again from the UK, which was managing all the global firewalls; that was known as Exponential-E UK, anyone can google them.

Disclosure & Legal Disclaimer Statement

Some of the content has been taken from open Internet sources just for representation purposes.

Anjoum Sirohhi
