Firewalls have been a staple of cybersecurity for the last couple of decades, serving as network guardians that analyze traffic to ensure it is not malicious. They are an essential part of any cybersecurity framework, and they come in many forms, ranging from massive hardware appliances to small agents running on laptops or smartphones; however, the variety of firewalls can become overwhelming when trying to choose the best one for your organization. What does each type of firewall do? What role are they suited for? Which firewall do you choose for a particular scenario?
In this article, we demystify the types of firewalls, their roles, and the scenarios for which they are suited.
The Different Types of Firewalls
At a high level, firewalls can be categorized into the following groups:
- Packet Filtering Firewalls
- Stateful Inspection Firewalls
- Proxy Firewalls
- Web Application Firewalls (WAF)
- API Firewalls
- Container Firewalls
- Personal Firewalls
- Next-Generation Firewalls (NGFW)
Let us take a look at each of them in detail.
One of a firewall’s simplest and easiest functions is packet filtering, i.e., checking every data packet that enters and allowing/denying them based on specific criteria. These firewalls operate at the network layer and can be considered analogous to security guards that make go/no-go decisions based on the ID tags of employees. These firewalls lack intelligence and depend on firewall “rules” that are checked every time to make decisions. These rules typically contain the following:
- Protocol: Details of what protocol (TCP, ICMP, etc.) is to be checked.
- Source IP: The packet’s origin is useful when malicious traffic must be blocked.
- Destination IP: Where the packet is going.
- Port Numbers: The number that identifies the service that the packet is using. For example, port 80 for HTTP (web traffic).
Based on the criteria defined here, the packet filtering firewall decides and discards those packets that do not match its criteria.
The simplicity and ease of packet filtering firewalls are simultaneously their greatest strength and weakness. Operating at the network layers restricts their visibility and makes them blind to attacks happening at other layers. Additionally, their basic level of filtering cannot protect against today’s sophisticated cyberattacks. Advanced malware or zero-day threats can easily bypass their protection and trick the firewall into letting them through. Attackers can distribute their attack over multiple packets or spoof the IP address of an authorized address, making them invisible to the firewall. Furthermore, these firewalls do not maintain sessions and cannot understand the context behind specific requests.
In summary, while providing a solid foundation, packet filtering firewalls do not provide the level of protection necessary to protect against more advanced cyber threats. They rarely exist in isolation anymore and are usually present as a component of more advanced types of firewalls.
Stateful Inspection Firewalls
The next evolution of firewalls comes from their ability to understand and analyze context. These firewalls can keep track of connections and remember their state along with the powerful packet-filtering abilities already mentioned. Each network packet is no longer analyzed in isolation but as part of a larger context, giving this firewall more intelligence. An already established and authorized connection will be allowed further traffic, whereas a new connection will undergo more detailed inspection. This results in improved performance of the application without compromising on security.
Maintaining state also gives the firewalls the ability to detect attacks that might be multi-staged in nature, with the attacker breaking down the attack over multiple packets. A stateful inspection firewall will be able to detect these anomalies and block this type of malicious traffic, giving firewalls more intelligence and improved performance over packet filtering firewalls.
Both the firewalls we have discussed above play the role of a guardian to the network. With a proxy firewall, a new role emerges: that of the mediator. A proxy firewall’s role is to act as an intermediary between the untrusted Internet and the trusted internal network. These firewalls mediate access between end-users and untrusted services. All requests are not routed directly but must pass through the proxy, where the traffic is evaluated against security rules. The connection is allowed through only if the internal or external traffic is deemed safe. By acting like a security buffer, proxy firewalls provide numerous benefits, such as the following:
Abstraction: Internal details of the network are hidden from attackers on the Internet. Instead, only the proxy firewall details are available. This obfuscation prevents attackers from gathering information about the network for further attacks, thus increasing the company’s security posture.
Content Filtering and Scanning: The proxy firewall can assess web traffic for malicious and harmful content. Companies typically do not want to provide unrestricted access to the Internet and want the proxy firewall to inspect such traffic. This is also useful against malware attacks, which can be intercepted before they reach the user.
Session termination: The proxy does not allow a direct connection between the user and their destination. The proxy firewall terminates the session, and a new session is initiated. Thus, even if the session is hijacked, only the proxy firewall is accessed, not the user or the network.
In summary, proxy firewalls play a unique role in cybersecurity. By mediating all access, they add a security layer over the firewall types we discussed earlier.
Web Application Firewall (WAF)
Web applications, from social networks to digital banking to e-commerce, have become ubiquitous. They are used all the time and bring huge benefits—as well as major risks. They run on the application layer and provide attackers with an additional entry layer and attack path into the network. Traditionally, firewalls operated at the network layer and were blind to application-level traffic, resulting in a surge of attacks like SQL injections, cross-site scripting, etc. A new type of firewall emerged to mitigate these attacks: the Web Application Firewall or WAF.
A WAF is explicitly designed to protect against attacks at the application layer and provides numerous benefits, such as:
Application-level protection, where the WAF can understand data fields, inputs, outputs, etc., allowing it to detect malicious input into applications and prevent attacks like SQL injections and XSS. These firewalls can neutralize malicious scripts within forms and inputs, halting such attacks.
Learning mode, where the WAF can learn and baseline the application’s normal behavior. Each application is unique, and this powerful feature allows the WAF to intelligently understand how the application works and detect deviations from this baseline. WAF can also integrate from threat intelligence feeds, enabling it to stay updated with newer types of threat indicators and attacks in real time.
Customized rules, where companies can set their own unique WAF rules based on how their applications behave. Each application is unique, and it is possible for WAF not to detect every single pathway into an application. This allows companies to add further protection to the one that WAF already provides.
As businesses become more interconnected, the need for Application Programming Interfaces (APIs) has also spread, opening up another attack layer. APIs expose protocols that allow applications to talk to each other, enabling seamless integration. The modern Internet is based on mobile applications, IoT devices, microservices, etc., all of which use APIs to fetch and send data. API compromises can thus be catastrophic for an organization.
This is where API firewalls come in. An API firewall is similar to a WAF in inspecting specific traffic to detect unique attacks; however, API firewalls are more specialized, giving them visibility over API responses and requests.
In addition to protection against API-specific attacks, these firewalls can provide the following protection:
Prevent exposure of API endpoints where an API can become unintentionally exposed, increasing their attack surface. API firewalls ensure that only legitimate endpoints are exposed.
Throttling and rate-limiting API requests where the firewall ensures that only a legitimate number of requests are served. Attackers can attempt to flood the API endpoint with numerous requests in a Denial of Service attack, and rate limiting restricts the number of calls that can occur.
Like WAFs, API firewalls can go into learning mode and understand legitimate API behavior, enabling them to detect and prevent deviations in real time.
Application architectures have evolved from monolithic one-size-fits-all models to lighter container-based architectures. Containers are isolated environments that allow applications and dependencies to be bundled together, ensuring consistency wherever deployed; however, their unique nature also makes them vulnerable to attacks that are not visible to most security controls, requiring container-based firewalls.
A container firewall is uniquely designed to detect and prevent container-level attacks. It has visibility into container-level traffic, enabling it to detect communication between containers and attempts to exploit them.
Some of the unique features of these firewalls are:
Visibility into container-level traffic, which is not visible to traditional firewalls. Containers frequently communicate with each other in an east-west mode, which attackers can abuse, and container firewalls ensure that only safe and legitimate requests go through.
Integration with CI/CD pipelines where container firewalls can detect misconfigurations and security weaknesses, such as exposed credentials or open ports.
Runtime protection, where the firewall can detect any container exploit while running. Attackers frequently attempt to exploit vulnerabilities within the container and try to break out of its sandbox, which is where container firewalls can prevent such attacks.
The threat landscape has changed considerably with the rise of remote working and trends like Bring Your Own Device (. This adds additional risks beyond the external perimeter. Each device, like a smartphone or laptop, can become a point of entry for attackers. Personal firewalls are a solution to this problem. Rather than guarding an entire application or network, these firewalls work on a specific device.
These firewalls are usually software-based and lightweight to ensure they do not interfere with the device’s performance. Once installed, they monitor the traffic entering or leaving the device to ensure no malicious activity is occurring. If a harmful website attempts to communicate with the device, the personal firewall will prevent such connections from occurring. They are also more interactive and prompt users when they detect malicious activity, asking for their input to block or allow the service.
Personal firewalls are a great complimentary control to the other types of firewalls we have already discussed. Threats like malware, phishing, and identity theft are genuine threats that can compromise devices and spread to other network parts. A personal firewall can contain such attacks and prevent them from propagating across the network.
Next-Generation Firewalls (NGFWs)
As attacks have increased in sophistication, traditional network security controls have struggled to keep pace. Network complexities have also increased, necessitating consolidating controls into a unified interface. NGFWs have emerged in response to this need, offering advanced capabilities to meet the demands of modern networks.
NGFWs are designed to protect against today’s sophisticated cyberattacks, such as advanced malware, spear phishing, etc., and provide a new way of looking at firewalls. Some of the unique features they provide are:
Visibility into multiple layers, with the NGFW able to analyze traffic from multiple sources to detect even the most sophisticated threats. NGFWs are also application-aware and can understand typical application behavior to detect deviations from the norm. This allows NGFWs a higher level of intelligence than other types of firewalls.
Intrusion Detection and Prevention (IDS/IPS) capabilities allow the NGFW to take actions far beyond just blocking traffic. NGFWs can analyze suspicious behavior and initiate incident response actions by alerting administrators and isolating areas of the network to contain attacks.
Deep Packet Inspection (DPI) of network traffic involves analyzing the metadata of data packets and their content to ensure even the most well-hidden payloads can be detected. This allows NGFWs to detect advanced types of malware that try to hide their presence within legitimate traffic.
Fine-tuned policies that allow administrators granular control over what type of traffic is allowed and what should be blocked. This can be fine-tuned to specific user groups and applications, enforcing the concept of least privilege at the network level.
NGFWs represent the next evolution of firewalls in the battle against advanced types of cyberattacks. They are not restricted to specific layers and are proactive in mitigating potential threats to the network.
Which Firewall Should You Choose?
Choosing a firewall for your environment is not a simple decision to make. As shown above, each firewall type offers its unique advantages and areas of focus. This is not a simple choice, and multiple factors must be considered. To make the choice easier, remember these key points and tips:
Carry out a risk assessment to understand the environment and the key risks. If your company does not use containers, then investing in a container firewall would not make any sense. If you have a large enterprise with multiple entry points, investing in NGFW will pay off in the long run.
Assess your budget level, as WAFs and NGFWs can be much more expensive than other types of firewalls. Investing in these solutions would not be advised unless the need exists.
Assess your future needs and how the company plans to scale over time. If the plan moves towards a cloud-first model, investing in NFGW and Container Firewall will future-proof your security framework.
Look at the current skill level of your staff, as firewalls are not just plug-and-play solutions but require specific skills to implement and maintain over time. Invest in training and upskilling your staff otherwise, the security benefits of these devices will not materialize.
The Way Forward
Since their humble beginnings as simple packet filtering systems, firewalls have come a long way. Today, they cater to an extensive array of security requirements, safeguarding everything from individual devices to vast enterprise networks. But with so many options and types of firewalls, making well-informed choices hinges on recognizing the threat landscape of your specific environment and understanding which firewall could best mitigate the risks present within it.
Thank you for trusting us to help with your cybersecurity needs. Contact us any time – we’re always happy to help.