Network Security: Firewalls

Eric Chow
4 min read · Aug 15, 2021

A firewall is a security system that sits in various locations within a network that regulates inbound and outbound traffic based on configured security rules. Typically, firewalls reside in between a trusted and untrusted network to ensure the private network’s confidentiality, integrity, and availability.

Think of a firewall as a security guard in a tightly secured building, the one who allows, questions, or rejects visitor entrance/exit based on a set of security criteria. If the visitor fits their ID (identification) description and does not have anything suspicious in their bags, the security guard — just like a firewall — would allow this type of traffic to proceed into the building. On the other hand, if the visitor does not match their ID and/or has malicious belongings that can do harm within the building, the security guard — just like a firewall — would reject this type of traffic from proceeding into the vetted building perimeter. The analogy applies with outbound visitors where the security guard verifies the visitor based on set security criteria.

How Do Firewalls Work?

As mentioned above, firewalls regulate both inbound and outbound traffic based on the security rules they are given, typically configured by the user or information technology (IT) personnel. Unlike the “visitors” in the analogy, a network firewall accepts or blocks data packets — formatted units of data that carry control information and user data from a source to a destination computer. Firewalls accept packets only from trusted sources or IP addresses and reject or block packets from untrusted IP addresses, as defined by the configured security rules. It is therefore imperative that the users or IT personnel configuring these rules understand the environment holistically, so that they can decide how granular the rules need to be and make the barrier as effective as possible.

Firewall rules follow one of two approaches: allow any service or traffic unless it is explicitly rejected, or reject all services and traffic unless they are explicitly allowed. With the threat landscape expanding rapidly, the latter is considered industry best practice, as it aligns with the Zero Trust model of ‘Never Trust, Always Verify.’

Types of Firewalls

Proxy Service Firewalls

Proxies are computers that reside between a local network and a larger network, such as the Internet. The primary purpose of a proxy service firewall is to avoid direct communication and connection between the client and the server. For a client to connect to a server, it must first connect to the proxy service firewall, which inspects the outgoing data packets. Likewise, when the server sends a response back to the client, the response must pass through the proxy service firewall for inspection before it reaches the client.

Proxy service firewalls are a filtering mechanism aimed at protecting network security at the application layer.

Virtual Firewalls

Virtual firewalls, also known as cloud firewalls, are leveraged in private and public cloud environments, acting as a gateway between trusted and untrusted zones. Virtual firewalls are software-based appliances, unlike hardware firewalls that exist on-premises in data centers.

As many organizations migrate from the more costly on-premises data centers to the more cost-friendly cloud, virtual firewalls become an essential defense mechanism against the growing number of cloud-based threats. These firewalls are configured and tailored to each cloud computing platform, such as Amazon Web Services (AWS), Azure, Google, and VMware ESXi.

Stateful Firewalls

A stateful firewall, also known as a traditional firewall, filters traffic using saved information and records about established connections. Traffic is monitored from the opening of a connection to its closing, and filtering is based on both admin-defined rules and context drawn from past connection and packet behavior. Based on these criteria, the stateful firewall can determine what is risky, tracking which IP addresses are associated with which application or service.

Whenever a TCP three-way handshake is initiated, a stateful firewall can record the data sent, how packets are sequenced, where packets are routed, and what contents are carried within the packets from a source IP. If malicious traffic or a malicious payload attempts to enter a network protected by a stateful firewall, the firewall can detect the anomaly because its connection records do not recognize this traffic, and it denies the malicious actor access.
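To make both ideas concrete, here is an added example (not code from the article): a toy stateful filter that combines the two rule approaches from the earlier section (an ordered rule list plus a default policy of ACCEPT or DROP) with a connection table that follows a TCP handshake from SYN to FIN. The packets, addresses and the `StatefulFilter`, `Packet` and `run_trace` names are all constructed for this illustration.

```python
from collections import namedtuple
# Constructed packet model: only the TCP flags the handshake tracking needs.
Packet = namedtuple("Packet", "src sport dst dport syn ack fin", defaults=(False, False, False))

class StatefulFilter:
    """Toy stateful filter: ordered rules, a default policy and a connection table."""

    def __init__(self, rules, default="DROP"):
        self.rules = list(rules)  # (dst_ip, dst_port, action); first match wins
        self.default = default    # "DROP" = reject all unless explicitly allowed
        self.state = {}           # client->server 4-tuple -> connection phase

    def _rule_action(self, pkt):
        for dst, dport, action in self.rules:
            if dst in ("any", pkt.dst) and dport in ("any", pkt.dport):
                return action
        return self.default

    def decide(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        key = fwd if fwd in self.state else rev if rev in self.state else None
        if key is not None:
            # Tracked connection: accept without re-consulting the rules, mark the
            # SYN-ACK as the handshake completing, and forget the entry on FIN.
            if pkt.syn and pkt.ack:
                self.state[key] = "ESTABLISHED"
            if pkt.fin:
                del self.state[key]
            return "ACCEPT"
        if pkt.syn and not pkt.ack:
            # Only a fresh SYN may open state, and only if a rule (or the default) allows it.
            action = self._rule_action(pkt)
            if action == "ACCEPT":
                self.state[fwd] = "SYN_SENT"
            return action
        return "DROP"  # not a SYN and no matching connection: no context, so drop

def run_trace(fw, packets):
    return [fw.decide(p) for p in packets]
# Constructed trace using documentation-range addresses; 192.0.2.10 is the protected server.
CLIENT, SERVER, OUTSIDER = "203.0.113.5", "192.0.2.10", "198.51.100.7"
TRACE = [
    Packet(CLIENT, 40000, SERVER, 443, syn=True),            # handshake step 1
    Packet(SERVER, 443, CLIENT, 40000, syn=True, ack=True),  # step 2: reply matches state
    Packet(CLIENT, 40000, SERVER, 443, ack=True),            # step 3
    Packet(OUTSIDER, 5555, SERVER, 22, syn=True),            # port 22 not allowed: default deny
    Packet(OUTSIDER, 443, SERVER, 40000, ack=True),          # forged "reply" with no connection
    Packet(CLIENT, 40000, SERVER, 443, fin=True, ack=True),  # client closes
    Packet(SERVER, 443, CLIENT, 40000, ack=True),            # late packet after close
]
```

Running `run_trace(StatefulFilter([(SERVER, 443, "ACCEPT")]), TRACE)` accepts the handshake and the close, and drops the SSH attempt, the forged reply and the late packet; the same filter built with `default="ACCEPT"` and no rules would let the SSH attempt through, which is the weaker of the two approaches.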

Next-Generation Firewalls (NGFW)

Unlike a stateful firewall, a next-generation firewall (NGFW) does much more than provide stateful inspection of network traffic. With emerging threats such as advanced malware, an NGFW is critical for detecting and blocking malicious traffic before it enters a trusted network. Its packet filtering operates up to layer 7 (the application layer) of the OSI model, whereas traditional firewall capabilities operated up to layer 4 (the transport layer).

A typical NGFW includes the following:

· Traditional firewall capabilities

· Application awareness

· Deep packet inspection

· Intrusion Prevention System (IPS)

· External threat intelligence

Web Application Firewalls (WAF)

A WAF protects web applications from users with malicious intent by monitoring and regulating HTTP (Hypertext Transfer Protocol) traffic between a web application and the Internet. WAFs are effective at preventing SQL injection, cross-site scripting, file inclusion, and many other attack vectors.

Recall the proxy service firewall: its primary purpose was to protect the client machine from a man-in-the-middle attack or from external malicious servers. Now think of a WAF as a reverse proxy that protects the server from a malicious client.
