Security is paramount for modern networks, and a Firewall helps inject security by filtering the traffic passing back and forth to a network or a system. This is the reason that Firewalls are widely regarded as the first line of defense. Modern Firewalls provide multiple security features and help organizations and individuals set parameters and create different logical security zones based on the level of trust.
Firewalls can be traced back as early as 1988 when the first Firewall came into existence in the form of a Packet Filter. Bill Cheswick and Steve Bellovin developed the first working model, which facilitated an administrator to define rules to allow, drop or reject a packet and send “error responses” to the source.
What is a Firewall?
A Firewall is a combination of hardware and software that monitors all inbound and outbound traffic to a network and allows or denies data packets based on a set of intelligent rules defined by an Administrator. A Firewall acts as a checkpoint between different security zones for any interested parties to send or receive any traffic.
Modern Firewalls (Next-Generation Firewalls) offer smart rules that go pretty deep and track the state or level of the packet entering or leaving and inspect any suspicious traffic patterns. Firewalls can also provide additional functionalities, including a VPN gateway, Intrusion Detection/Prevention, malware Inspection, and Web Proxy with SSL inspection.
While Firewalls’ scope or overall functionality has been enriched over time, the concept of firewalls remains more or less the same.
History and Evolution of Firewalls
1. First Generation Firewall
The first-generation Firewall was a packet filter that came into existence in 1988 at Digital Equipment Corporation (DEC). Bill Cheswick and Steve Bellovin developed this, and it was based on their original first-generation architecture. This Firewall was a two-arm device that, based on the configured rules, could allow, deny, or reject a packet by sending an error message to the source.
The subsequent significant development came from AT&T Bell Laboratories in 1989-1990. Three colleagues (Dave Presetto, Janardan Sharma, and Kshitij Nigam) developed a Circuit Level Firewall that could also inspect the state of the packets. While some experts regard it as the second generation, most prefer to call the deep packet inspection (DPI) Firewalls the second generation.
2. Second Generation Firewall
Second-generation Firewalls were more advanced and intelligent, and in the early 90s, Deep Packet Inspection Firewalls gained center stage. These firewalls could go deeper into the packets and inspect both the header and the payload of data packets in transit. The second generation of firewalls has dominated the market for around two decades since their inception.
Deep packet inspection (DPI) gradually paved the way to offer more advanced features in Firewalls, including malware analysis, context-based policy enforcement, and data loss prevention. DPI revolutionized the industry, is still highly relevant, and is used by most modern Firewalls as of today.
Established in 1993, Checkpoint had the lion’s share of the market and became a dominant player for Deep Packet Inspection Firewalls. Other players included network pioneer Cisco, Watchguard (Est. 1996), Netscreen (Est. 1997, later acquired by Juniper Networks), and Fortinet (Est. 2000).
3. Third Generation Firewalls
The Third Generation of Firewalls came into existence in 2007, with Palo Alto Networks launching their first product branded as the “Next Generation Firewall” or NGFW. In 2009, Gartner published a report defining Next-Generation Firewalls (NGFW) and subsequently published the first Magic Quadrant of “Next Generation Firewalls” in 2011.
A Next-Generation Firewall can understand the applications and protocols and can inspect the traffic across all the layers of the OSI model. It also can decrypt, inspect and filter the HTTPS traffic along with IPS/IDS and automated malware analysis.
It’s also worth mentioning that before Palo Alto stormed into the market, there were already some products that offered most of this functionality in a single appliance dubbed as Unified Threat Management or UTM appliances. Fortinet was the early starter and had a significant market share for UTM devices.
Why do you need a firewall?
A firewall is a shield that inspects and allows only authorized incoming or outgoing traffic to pass through. It defends not only networks and individuals but also the most critical resources, like a server farm hosting essential services, from several kinds of attacks.
Any system connected to the Internet is a potential target for the bad guys of the Internet. If there is no firewall to protect, anyone can do a port scanning to identify potentially vulnerable services in use and launch several cyberattacks, including Zero-Day Exploits, DoS/DDoS, spoofing, and malware attacks.
A firewall acts as a barrier between the network and the Internet. The Firewall will block unauthorized traffic based on the defined set of rules, actively look for any threats in the traffic, and effectively neutralize them before they cause you any harm. A firewall is best used in conjunction with other security technologies, including Proxy, Antimalware, Data Security, etc.
What are the types of Firewalls?
1. Packet Filtering Firewall
A Packet Filtering Firewall is a basic firewall that works at the network layer. It allows an administrator to allow, block, or reject traffic based on the source IP, destination IP, source port, and destination port. The Firewall also allows other networking functionality, including Source/Destination NAT and PAT (Port Address Translation).
This was the first generation of Firewall. However, it is still relevant as of today. Most modern Internet routers and even modems come with built-in Packet Filtering capability, which is helpful in many cases and can add a layer of protection for small and home networks. Since these firewalls perform only basic inspection, they are highly efficient and do not consume much of the resources.
2. Circuit-Level Gateway
A Circuit Level Gateway inspects the state of TCP connections, aka circuits, including TCP handshaking and session fulfillment, against the table of allowed connections. It works at the session layer of the OSI model. If a session is permitted, it does not perform any further checks or packet-level inspection.
Circuit-level gateway also conceals the details of the protected network from an external network, which adds a layer of security. Circuit-level gateways are seldom used as a stand-alone firewall; instead, they are often used in combination with proxy services and packet filtering in dedicated firewall applications.
3. Application Level Gateway (Proxy Firewall)
An Application-Level Gateway acts as an intermediary between a client and a server. A client application like a web browser typically requests the service from a less secure network like the Internet via the Proxy. The Proxy authenticates the client, implements the policies (like web filtering), and relays the response back to the client.
Application Level Gateways or Proxy Servers work at the application layer and are widely used across the industry. The most common example of this is a Web Proxy server like Forcepoint SWG, Zscaler, or Bluecoat, which are used across enterprise networks for SSL decryption, inspecting websites for malware, and filtering of inappropriate URLs and content.
Proxy servers are not limited to web traffic and are widely used within applications like Secure Email Gateways to inspect traffic.
A Proxy works as a Man-in-the-Middle. While most modern NGFWs support SSL decryption for web traffic, performance is a key challenge, which is the primary reason for a flourishing Web Proxy market. Some firewalls like Forcepoint NGFW can proxy multiple protocols, including SSH and FTPS, which allows them to filter commands within a session and enhance security for these protocols.
A cousin of a Proxy is a Reverse Proxy, which has evolved into the Web Application Firewall that we will be discussing later.
4. Stateful Inspection Firewall
A Stateful Inspection Firewall monitors the state of TCP connections to validate the packets and spot a potential threat. A TCP connection is established with a three-way handshake and can have three states, Syn (Synchronize), Syn-Ack (Synchronize Acknowledge), and Ack (Acknowledge), which are saved in a State Table used to make connection decisions.
A Stateful Inspection Firewall works at the network and transport layer of the Open System Interconnection (OSI) model. Stateful Firewalls can detect attempts by unauthorized individuals and threat actors to access a network and analyze the context to identify potentially malicious traffic. Next-Generation Firewalls or NGFWs replaced the stateful Inspection Firewalls.
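The state table described above, as an added example that is not part of the original article: a constructed, minimal tracker that records each flow's handshake state and passes a packet only when it fits the recorded state. The allow list, addresses and port numbers are assumptions for the demo.

```python
"""Constructed illustration of a stateful TCP state table (not a real firewall)."""
from dataclasses import dataclass

SYN, SYN_ACK, ACK = "SYN", "SYN-ACK", "ACK"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # one of SYN, SYN-ACK, ACK


class StatefulFirewall:
    """Tracks the three-way handshake per flow. Only new outbound SYNs that
    match the (assumed) allow list of (src, dst, dport) create table entries;
    every other packet must correspond to an entry in the state table."""

    def __init__(self, allowed_outbound):
        self.allowed = allowed_outbound
        self.table = {}  # (src, sport, dst, dport) -> handshake state

    def process(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == SYN:
            if (pkt.src, pkt.dst, pkt.dport) not in self.allowed:
                return "DROP"
            self.table[fwd] = "SYN_SENT"
            return "ALLOW"
        if pkt.flags == SYN_ACK:
            # A reply is valid only if we saw the SYN in the reverse direction.
            if self.table.get(rev) == "SYN_SENT":
                self.table[rev] = "SYN_RECEIVED"
                return "ALLOW"
            return "DROP"
        if pkt.flags == ACK:
            if self.table.get(fwd) == "SYN_RECEIVED":
                self.table[fwd] = "ESTABLISHED"
                return "ALLOW"
            # Data packets in either direction of an established flow pass.
            if "ESTABLISHED" in (self.table.get(fwd), self.table.get(rev)):
                return "ALLOW"
            return "DROP"  # ACK with no matching entry: unsolicited probe
        return "DROP"


def run_demo():
    fw = StatefulFirewall({("10.0.0.5", "203.0.113.10", 443)})
    verdicts = [
        # legitimate outbound HTTPS handshake from an internal client
        fw.process(Packet("10.0.0.5", 51000, "203.0.113.10", 443, SYN)),
        fw.process(Packet("203.0.113.10", 443, "10.0.0.5", 51000, SYN_ACK)),
        fw.process(Packet("10.0.0.5", 51000, "203.0.113.10", 443, ACK)),
        # unsolicited SYN-ACK and bare ACK from outside with no table entry
        fw.process(Packet("198.51.100.7", 443, "10.0.0.5", 52000, SYN_ACK)),
        fw.process(Packet("198.51.100.7", 80, "10.0.0.5", 52001, ACK)),
    ]
    return verdicts, fw.table


if __name__ == "__main__":
    print(run_demo())
```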
5. Unified Threat Management (UTM Firewalls)
UTM Firewalls were launched to provide more value to customers by combining additional functionality, including Malware Inspection, SSL Decryption (Web Proxy), Email Security, IPS (Intrusion Prevention System), Quality of Service (QoS), VPN, and Antimalware, within a single appliance. IDC coined the term UTM in 2004, which is still in use.
UTM Firewalls promptly gained popularity and became the primary choice of Small and Medium Businesses since they reduced the complexity, cost of the solution, and required resources. The only limitations with UTMs were scalability and resource consumption, due to which many enterprises preferred to opt for best-of-breed solutions.
6. Next-Generation Firewall (NGFW)
A Next-Generation Firewall goes beyond port and protocol inspection and performs deep packet inspection, application control, intrusion prevention, VPN support, and also adds threat intelligence from outside the Firewall. The most modern iteration of the firewalls available in the market is Next-Generation Firewalls.
The distinction between an NGFW and UTM device is somewhat blurry. A Next-Generation Firewall often adds more advanced threat prevention features like Artificial Intelligence, Machine Learning, and Sandboxing. However, UTM devices were primarily designed for the Small to Medium Business (SMB) market as an all-in-one, comprehensive security solution.
7. Cloud Firewall
A Cloud Firewall is deployed in a cloud to manage the flow of information between the outside world and cloud infra or server farms. Cloud Firewalls are increasingly getting popular as a large chunk of organization infrastructure is moving to the cloud. Most NGFWs support deployment in private clouds.
A cloud firewall can be a Next-Generation Firewall (NGFW) or a Web Application Firewall depending on the requirement. It can be deployed in a Public Cloud, Private Cloud, or SDN. Cloud Firewalls are sometimes also referred to as Virtual Firewalls. However, all Virtual Firewalls may not necessarily be Cloud Firewalls.
8. Virtual Firewall
A Virtual Firewall is a software version of a Firewall built specifically for environments where deploying a hardware firewall is difficult or not possible. This may include public and private cloud environments, SDN (software-defined networks), and SD-WAN (software-defined wide area networks).
Virtual Firewalls have all the features and capabilities of NGFWs. They can inspect and control north-south perimeter traffic and also segment east-west traffic inside data centers and branches.
9. Web Application Firewall (WAF)
A Web Application Firewall is an application layer firewall for HTTP & HTTPS traffic that protects web applications from various application-layer attacks, including Cross-Site Scripting (XSS), SQL Injection, and Cookie Poisoning. A WAF offers comprehensive policy options that help to distinguish between malicious and safe traffic.
You can consider a WAF a reverse proxy since it is user, session, and application-aware and its functionality is similar to a proxy. The difference, however, is that it protects the server side and not the client side. A WAF is different from an NGFW as it is a purpose-built solution to protect web applications and not the network or systems in general.
10. Database Firewall
A Database Firewall is a purpose-built Firewall that monitors databases to identify and protect them against database-specific attacks that can compromise the sensitive information stored in the databases. Database Firewalls also monitor and audit database requests and generate compliance reports like PCI, SOX, etc.
The Database Firewalls are available as hardware appliances and software options and can be deployed inline to protect multiple database servers. Some Database servers support agents that can be installed on the server themselves.
Deploying a dedicated Database Firewall is recommended to monitor multiple servers without adding any performance overheads. Some examples of Database Firewalls include Oracle Audit Vault and Database, Green SQL, etc.
11. Host-Based Firewalls
A Host-Based Firewall is software that is often part of the OS or anti-malware solution and filters the inbound and outbound traffic at the host level. It provides mobility and protects the host by blocking unauthorized and suspicious traffic. Host-based firewalls are critical in a modern, work-from-anywhere world.
Examples of host-based firewalls are Windows Firewall, firewalld (Linux), iptables (Linux), the macOS Application Firewall, etc. Also, most anti-malware solutions are shipped with built-in firewalls nowadays. It is recommended to keep the host firewall enabled and properly configured for the safety of your system, even if you have a gateway-level firewall.
What is Multi-Tenancy?
Multi-Tenancy enables organizations to run multiple independent Firewall instances within a single Firewall appliance. Each firewall instance (Tenant) is allocated its dedicated hardware resources, including CPU, memory & interfaces, therefore removing any potential for resource starvation.
In Enterprises, several use cases require segmentation and running networks independent from one another in complete isolation. Multi-Tenancy comes in handy in this scenario and can eliminate the requirement of multiple separate firewalls without any investment in multiple Firewall Appliances.
What are Security Zones in a Firewall?
Security zones in a Firewall are logical ways to separate networks with different policy requirements from one another. Firewall interfaces are assigned to one of the Zones. An administrator can create different policies (Firewall and NAT) for different zones. The most commonly used Zones are Private (Internal), Public (External), and DMZ Zones.
It is worth noting that a Firewall Interface can not be part of more than one zone, while a zone can have multiple interfaces assigned to it. The Firewall’s policies and rules use security zones to identify where the traffic is coming from and where it is going. While traffic can flow freely within a zone, it cannot travel between different zones unless you create a rule that allows it. Security zones are fundamental to most modern firewalls.
What is a DMZ (Demilitarized Zone)?
A DMZ Zone is a subnetwork containing an organization’s public-facing services. It acts as the exposed point to an untrusted network, commonly the Internet. The objective of a DMZ is to provide an extra layer of security to the local area network. If a server or application in the DMZ is compromised, your internal network still remains secure.
The DMZ Zone is a critical concept in Firewalls. The rules in the Firewall tightly restrict the communication between the DMZ and Internal/External zones to permit only required access. As a general rule, any services accessible from the Internet should be placed in the DMZ zone only. Some of the common services hosted in the DMZ include:
1. Web Servers
Web Servers that need to be published to the Internet and require a backend database connection with Internal Database Server should be placed in the DMZ zone. This will help secure the internal databases, which often store sensitive information.
The Web Server can then interact with the internal database through the Firewall or via another Database Firewall while being protected in the DMZ zone.
2. Mail Servers
Mail Servers are recommended to be hosted in the DMZ since they send and receive Email Traffic from the outside world and often have a web interface that needs to be published to the Internet. Users from the Internal network and Internet can then access it via the Firewall in a secure way.
3. DNS Servers
4. FTP Servers
5. Proxy Servers
Organizations can also host a Proxy server in the DMZ. Many organizations that need to comply with regulations, like the Health Insurance Portability and Accountability Act (HIPAA), prefer to keep their proxy server in the DMZ. This simplifies the monitoring and recording of activities, centralizes content filtering, and ensures that the employees use the system to get to the Internet.
It is worth noting that the DMZ network itself is not safe. It enables hosts and systems to be accessible from an untrusted external network, like the Internet, while keeping other systems on private networks isolated.
How Do Firewall Rules Work?
The Firewall inspects all connections and enforces the rule base from top to bottom in a sequential manner. The Firewall inspects each connection that passes through it and compares the information (source, destination, service, etc.) to the first rule. If the connection matches the first rule, the Firewall applies the action.
If the connection does not match the first rule, the Firewall continues with the next rule in the Rule Base till the last one.
By default, any Firewall denies all traffic between all its interfaces, and an administrator needs to explicitly configure rules to allow the required traffic. Different Firewalls use different terminology specific to them. However, Stealth and Cleanup rules are widely adopted by most Firewalls.
A Cleanup Rule is the last rule in the ruleset to drop all the remaining traffic. The interesting thing is, even if you delete the cleanup rule, the Firewall will still deny all the traffic not matching an earlier rule. The Cleanup Rule is created to log all dropped traffic for troubleshooting or analysis.
The Firewall is the core of a well-defined network security policy. The goal of the Check Point Firewall Rule Base is to create rules that only allow the specified connections.
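The rule-base behaviour described in this section (top-to-bottom first match, implicit deny, and a Cleanup Rule that exists to log what would be dropped anyway), together with the zone and DMZ layout from the earlier sections, as an added example that is not part of the original article and does not follow any vendor's rule syntax. The interface names, zone names and rules are constructed for the demo.

```python
"""Constructed zone-based rule-base evaluator (illustration, not a product)."""
from dataclasses import dataclass, field

ANY = "any"


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    service: str      # e.g. "tcp/443" or ANY
    action: str       # "allow" or "drop"
    log: bool = False


@dataclass
class Connection:
    in_iface: str     # interface the connection arrives on
    out_iface: str    # interface it would leave on
    service: str


@dataclass
class Firewall:
    interfaces: dict  # interface -> zone; each interface sits in exactly one zone
    rules: list
    log: list = field(default_factory=list)

    def evaluate(self, conn):
        src, dst = self.interfaces[conn.in_iface], self.interfaces[conn.out_iface]
        if src == dst:                       # traffic within a zone flows freely
            return "allow", "intra-zone"
        for rule in self.rules:              # top to bottom, first match wins
            if (rule.src_zone in (ANY, src) and rule.dst_zone in (ANY, dst)
                    and rule.service in (ANY, conn.service)):
                if rule.log:
                    self.log.append(f"{rule.name}: {src}->{dst} {conn.service} {rule.action}")
                return rule.action, rule.name
        return "drop", "implicit-deny"       # reached only without a cleanup rule


def build_demo():
    return Firewall(
        interfaces={"eth0": "External", "eth1": "DMZ", "eth2": "Internal"},
        rules=[
            Rule("web-publish", "External", "DMZ", "tcp/443", "allow"),
            Rule("web-to-db", "DMZ", "Internal", "tcp/5432", "allow"),
            Rule("internal-out", "Internal", "External", ANY, "allow"),
            Rule("cleanup", ANY, ANY, ANY, "drop", log=True),
        ],
    )


def run_demo():
    fw = build_demo()
    results = [fw.evaluate(Connection(*c)) for c in [
        ("eth0", "eth1", "tcp/443"),   # Internet -> DMZ web server: published
        ("eth1", "eth2", "tcp/5432"),  # DMZ web server -> internal database
        ("eth0", "eth2", "tcp/5432"),  # Internet -> internal database: cleanup
        ("eth2", "eth2", "tcp/445"),   # stays inside the Internal zone
    ]]
    return results, fw.log


def without_cleanup():
    """Same policy with the cleanup rule deleted: still dropped, but unlogged."""
    fw = build_demo()
    fw.rules = [r for r in fw.rules if r.name != "cleanup"]
    return fw.evaluate(Connection("eth0", "eth2", "tcp/5432")), fw.log


if __name__ == "__main__":
    print(run_demo())
    print(without_cleanup())
```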
Firewall Deployment Modes
1. Transparent Mode (Bridge Mode)
Transparent Mode is when a Firewall works as a Layer 2 (OSI Model) device. Firewall interfaces are not defined with an IP address visible to the devices on the network. However, Firewalls typically have a single IP address in this mode, used to manage the device and create policies. In Bridge mode, Firewalls can not perform any routing action like NAT.
Transparent mode deployment is common in scenarios where the administrators do not want to change the network.
2. Route Mode
Router Mode is the most common firewall deployment where a Firewall works as a layer three device. Each Firewall interface will have an IP Address and will be used as the gateway by interested devices. All the Firewall capabilities are available in this deployment model.
3. Mixed Mode
Benefits of a Firewall
Firewalls are critical and an essential piece of modern network architecture. They serve as the first line of defense to any external threats, including DoS/DDoS, Spoofing, Malware, and Hackers trying to gain access to your systems and data.
1. Monitors and Controls all Traffic
A Firewall gives you visibility and control of all Inbound and Outbound traffic and allows you to reduce the surface of exposure to the bare minimum. Any traffic coming in or moving out of your systems creates a window of opportunity for attackers and threat actors.
A properly configured Firewall maintained by a skilled IT team is the most valuable asset of your security infrastructure.
2. Reduces Malware and Ransomware Threats
One of the biggest threats to your network is modern malware. A threat like Ransomware can not only cost you heavily but severely impact your operations for days. A Next-Generation Firewall comes equipped with gateway-level malware detection to inspect the traffic at the network level and proactively identify and neutralize any potentially malicious traffic before it reaches the hosts.
3. Protects from Hacking
An NGFW helps you guard against hackers and determined adversaries by reducing the overall attack surface and monitoring intrusion attempts. A Firewall can effectively defeat attackers or deter them from moving to an easier target.
4. Protect against Network Based Attacks
5. Promotes Privacy
6. Promotes Secure Connectivity and Remote Work Environment
Modern Firewalls offer powerful VPN capabilities using which your employees and customers can access key services connecting from the comfort of their home. It gives flexibility and promotes work from anywhere.
7. Block Bot Networks and Cryptojacking
Firewalls successfully block the back-channel communication used by threats like bot networks and Cryptojacking. A Botnet is a network of inter-connected systems, established through malware infections across the globe, that can work together and are controlled by a single threat actor for malicious purposes.
Please refer to this blog post for more details about Bot Networks.
Cryptojacking involves the unauthorized use of people’s devices (computers, smartphones, tablets, or servers) to mine for Cryptocurrency. Cryptojacking happens when computers are hacked with the intent of installing malicious software. Please refer to our earlier blog post for more details regarding Cryptojacking.
Firewalls can also help you identify systems that are infected with Bot networks and Cryptojackers, which require cleaning.
Limitations of a Firewall
1. Firewalls do not protect BYOD & Work from Home Users
In the modern work-from-anywhere world, this comes as a significant limitation. A network firewall can not inspect or protect traffic that is not passing through it. Even if the users are sitting in the office, they can always use their mobile network or a Wi-Fi hotspot to bypass the internet access policies or services blocked by the Firewall.
This is why organizations are required to complement their network firewall with a robust anti-malware solution and host-based Firewall.
2. Firewalls can not defend against Email attacks
Most NGFWs do not inspect or filter SMTP traffic for Email-based attacks and malware, which is a primary attack vector exploited by cybercriminals. Emails are used to launch various attacks like Phishing, Spear Phishing, Ransomware, etc.
Please refer to our earlier blog post for more details around Email Based Threats.
3. Firewalls can not enforce password policy
4. Firewalls can not protect from Social Engineering attacks
5. Firewalls can not protect against configuration mistakes
6. Firewalls can not protect against Data Loss
While some Firewalls offer Data Loss Prevention capabilities, they mostly come with significant limitations and can help you only to a very limited extent. They are not a substitute for a best-of-breed DLP solution to protect your sensitive information.
Please refer to our earlier blog post for more details about DLP solutions.