Understanding Firewalls and How They Work
Cybersecurity has evolved by leaps and bounds these last few decades, with cutting-edge technologies like AI and machine learning powering next-generation security solutions. Traditional security controls like antivirus have been superseded by intelligent anti-malware controls that can analyze the behavior of files for malicious activity; however, one control has remained a permanent fixture within companies: the firewall. While newer and more advanced functionalities have been added to firewalls, their primary role as the barrier that allows or disallows traffic into a network has remained constant.
Due to their ubiquity and essential role, it is important to understand firewalls and how they work—whether you are a seasoned cybersecurity professional or a newcomer. In this article, we’ll provide useful information about firewalls, how they work, how they have evolved, and their various types.
What is a Firewall?
In its simplest form, a firewall is a security solution that monitors, filters, and allows/disallows network traffic based on specific predefined criteria or “rules”. It can be considered the entry point to your network and acts as the bridge between trusted and untrusted environments. To use an analogy, a firewall is like a security guard that checks everyone entering a building to ensure only authorized personnel are allowed entry.
Firewalls can comprise both hardware and software. Hardware firewalls are typically appliances that secure entire networks, while software firewalls are more dynamic and can be installed on individual devices or computers. In either form, the role of the firewall does not change: it uses rules to evaluate and assess traffic for any malicious activity.
How Firewalls Work
When designing network architectures, firewalls are typically placed at entry points to support their role as gatekeepers between the internal and external networks. As networks increase in size and complexity, additional firewalls may be needed for full coverage, with each firewall separating one security zone from another. These security zones break complex networks down into trusted zones, untrusted zones, and “demilitarized zones” (DMZs).
In their simplest form, firewalls operate on predefined security rules that govern how traffic should be treated.
These rules fall into two categories:
- Inbound Rules: These decide how traffic entering the network should be treated. This is crucial for preventing unauthorized access or malware from entering the network.
- Outbound Rules: These rules control how traffic leaving the network will be treated. These help defend against activities like data exfiltration or malicious external calls.
The actions that a firewall takes can be categorized as follows:
- Allow: Permits the traffic to pass through. Often used for trusted sources or types of traffic deemed “safe.”
- Block: Prevents the traffic from passing through without notifying the originator. This is the standard action for known malicious sources.
- Reject: Same as Block, but it also sends a message to the originator that the traffic was rejected.
To decide between these three actions, firewalls typically use the following criteria:
- IP Address: Allow or disallow based on the source or destination address of the traffic.
- Port Number: Control traffic based on which port the data is using. Applications listen on specific ports, so firewalls can allow or disallow traffic based on this.
- Protocol: The protocol that the traffic uses, such as ICMP, TCP, UDP, etc.
Firewalls effectively implement the concept of least privilege at the network level: only the required traffic should be allowed, and all other traffic should be rejected. Firewalls often close their rule set with an explicit “deny all” rule, so the traffic necessary for systems and applications to work must be explicitly allowed by the rules above it.
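The rule evaluation described in this section, as an added example that is not part of the original article: a small first-match packet filter with inbound and outbound rules, the allow/block/reject actions, IP, port and protocol criteria, and an implicit “deny all” at the end of the list. The addresses are constructed (10.0.0.0/8 is assumed to be the internal network; 203.0.113.7 plays a known-bad host).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed packet model for this example: direction plus the fields a packet filter inspects.
@dataclass(frozen=True)
class Packet:
    direction: str            # "inbound" or "outbound"
    proto: str                # "tcp", "udp" or "icmp"
    src: str                  # source IP address
    dst: str                  # destination IP address
    dport: Optional[int] = None  # destination port; None for ICMP, which has no ports

@dataclass(frozen=True)
class Rule:
    direction: str
    action: str               # "allow", "block" (silent drop) or "reject" (sender is told)
    proto: str = "any"
    src: str = "0.0.0.0/0"    # CIDR; the default matches any address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet no rule allows falls through to the final deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"  # the explicit "deny all" that closes every rule set

# Constructed rule set: 10.0.0.0/8 is the internal network, 203.0.113.7 a known-bad host.
RULES = [
    Rule("inbound", "block", src="203.0.113.7/32"),                        # known malicious source, listed first
    Rule("inbound", "allow", proto="tcp", dst="10.0.0.0/8", dport=443),    # the public HTTPS service
    Rule("inbound", "reject", proto="tcp", dst="10.0.0.0/8", dport=22),    # SSH refused, and the sender is told
    Rule("outbound", "allow", proto="udp", src="10.0.0.0/8", dport=53),    # DNS lookups
    Rule("outbound", "allow", proto="tcp", src="10.0.0.0/8", dport=443),   # HTTPS out; anything else is denied
]

if __name__ == "__main__":
    for pkt in (Packet("inbound", "tcp", "198.51.100.4", "10.1.2.3", 443),   # allow
                Packet("inbound", "tcp", "203.0.113.7", "10.1.2.3", 443),    # block: bad source wins
                Packet("outbound", "tcp", "10.1.2.3", "198.51.100.4", 4444)):  # block: default deny
        print(pkt, "->", evaluate(RULES, pkt))
```

Because rules are evaluated top to bottom, the order matters: the block for the known-bad host is placed before the HTTPS allow so that it cannot be bypassed by targeting an allowed port.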
How Firewalls Have Evolved
The core purpose of firewalls has remained the same, but their functionality and monitoring capabilities have evolved alongside cyberattacks. The earlier versions of firewalls were simple packet filters that evaluated traffic based on basic criteria such as source and destination address, with a binary decision of allow or disallow. Later, context-based firewalls emerged that tracked connections and made decisions based on the context of the connection, which gave them further intelligence.
Eventually, application-level attacks like cross-site scripting (XSS) and SQL injections became more common; these were dangerous because they were invisible to network layer security controls, so firewalls had to change to deal with them. A new type of firewall, the Web Application Firewall (WAF), was developed to combat these threats.
Currently, we have Next-Generation Firewalls (NGFWs) that combine many capabilities: intrusion detection and prevention, deep packet inspection, application traffic visibility, and more. This gives firewalls a multi-layered view into the traffic and protects against today’s advanced cyber threats.
Types of Firewalls
At a high level, the different types of firewalls can be represented as follows:
- Packet-Filtering Firewalls: The earliest and most common type of firewall. These firewalls observe traffic at the network layer and make allow/disallow decisions based on criteria like the protocol, source IP, destination IP, and source and destination port numbers. While they provide a basic level of security, they cannot protect against advanced types of cyber threats.
- Stateful Inspection Firewalls: These add context to packet-filtering firewalls and can monitor the state of connections, letting them allow traffic based on the status of previously trusted connections. This boosts both security and performance.
- Proxy Firewalls: As the name suggests, these firewalls act as intermediaries between applications and users. By disallowing direct connectivity between the two, they add a layer of security and abstraction that prevents attackers from gaining visibility into internal environments.
- Web Application Firewall (WAF): As application attacks increased in intensity, there was a need for firewalls that specialized in inspecting application layer traffic and protecting against attacks like SQL injections and XSS. A WAF has visibility into the application layer and can evaluate traffic to see if an attacker is trying to compromise a web application using these attacks. Newer WAFs can even learn expected application flows, giving them still more intelligence.
- Personal Firewalls: While a network-level firewall controls traffic coming into and out of the network, a personal firewall focuses on the security of a single device or computer. These are usually software-based and protect devices against internal threats that originate from within the network itself.
- Next-Generation Firewalls (NGFWs): As cyber threats increased in sophistication, firewalls needed to adapt quickly. NGFWs typically have the capabilities discussed above, along with additional features such as intrusion detection and prevention, deep packet inspection, and application-level awareness. They offer granular control over what is and is not allowed within a network and are effective against malware due to the multi-layered visibility they provide.
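The difference between packet filtering and stateful inspection, as an added example that is not part of the original article: both firewalls allow outbound HTTPS, but the stateless filter can only let the replies back in by admitting every inbound packet sourced from port 443, while the stateful version keeps a connection table and admits inbound packets only when they belong to a connection the inside opened. The `Packet` model and the addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Set, Tuple

# Constructed packet model for this example: direction plus the TCP 5-tuple.
@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" or "outbound"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

Flow = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)

def stateless_filter(pkt: Packet) -> str:
    """Packet filter without connection state: to let HTTPS replies back in, it must
    admit every inbound TCP packet whose source port is 443, solicited or not."""
    if pkt.direction == "outbound" and pkt.proto == "tcp" and pkt.dport == 443:
        return "allow"
    if pkt.direction == "inbound" and pkt.proto == "tcp" and pkt.sport == 443:
        return "allow"
    return "block"

class StatefulFirewall:
    """Same outbound policy, but inbound traffic is admitted only when it belongs
    to a connection the internal side opened, as recorded in the state table."""

    def __init__(self, allowed_outbound_ports: Set[int]) -> None:
        self.allowed_outbound_ports = allowed_outbound_ports
        self.established: Set[Flow] = set()   # connections opened from inside

    def filter(self, pkt: Packet) -> str:
        flow: Flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.direction == "outbound":
            if pkt.proto == "tcp" and pkt.dport in self.allowed_outbound_ports:
                self.established.add(flow)    # remember it so the replies can return
                return "allow"
            return "block"
        # Inbound: the reply to an established flow has src/dst and ports swapped.
        reverse: Flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if reverse in self.established else "block"
```

An unsolicited inbound packet that merely uses source port 443 passes the stateless filter but is blocked by the stateful one, which is the security gain the text attributes to tracking connection state.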
In summary, firewalls are diverse, with each type designed to address specific vulnerabilities and threats. Organizations and individuals can better equip themselves against various digital threats by understanding each firewall type's unique abilities and applications.
The Limitations of Firewalls
Firewalls form a crucial part of any company’s security framework, but they are not without their limitations. Like any control, they have weaknesses that can be exploited, so it is crucial to implement a defense-in-depth framework in which firewalls form part of a larger security picture.
Firewalls can trigger false positives in which legitimate traffic is incorrectly flagged as malicious and blocked. This can lead to severe business disruptions, and the team may compensate by implementing overly permissive rules. This defeats the entire purpose of the firewall, as too much traffic is then allowed. Conversely, “false negatives” pose a more serious threat, in which malicious traffic is incorrectly flagged as legitimate and allowed through. This can result in data breaches and environments being compromised.
It is essential to remember the changing nature of cyber threats and how cybercriminals adapt to controls. Like any security control, a firewall must be assessed and matured over time—otherwise, it becomes useless against new types of cyberattacks.
The Way Forward
In conclusion, firewalls have been and will remain an essential control within cybersecurity. From yesterday’s simple packet-filtering devices to today’s multi-layered Next-Generation Firewalls, they have constantly adapted to handle the changing threat landscape. A well-configured and updated firewall can be a deciding factor between the success or failure of a cyberattack, so it’s crucial for cybersecurity professionals to understand how firewalls work and how to implement them effectively.
Thank you for trusting us to help with your cybersecurity needs. Contact us any time – we’re always happy to help.
Adam