Firewalls are as central to IT security as anti-virus programs are to PCs, and the multi-billion-dollar market remains large and growing.
In the broadest terms, firewalls are like bouncers or doormen: They stand at the entrances to corporate networks, applications, databases and other resources, scrutinizing incoming (and outgoing) data traffic, and deciding what can pass through those entrances and what should be rejected.
But the term "firewall" is far too broad to be of much use to IT security buyers. There are many different types of firewalls, each of which works in different ways to protect different types of resources, both within data centers and corporate perimeters and outside in the cloud.
Here are the most important types of firewalls you need to know about:
- Network Firewalls
- Next-Generation Firewalls
- Web Application Firewalls
- Database Firewalls
- Unified Threat Management
- Cloud Firewalls
- Container Firewalls
- Network Segmentation Firewalls
Packet-filtering network firewalls provide essential network protection by helping to keep unwanted traffic out of the corporate network. They work by applying an ordered set of rules to each packet (stateless filtering) or to each connection (stateful filtering, which most modern network firewalls perform) and allowing or denying it on the basis of protocol, source and destination address, and port. Typical rule sets deny all inbound traffic except traffic destined for the specific ports used by specific applications running inside the network, and allow or deny traffic that uses particular protocols or originates from particular IP addresses. Because the first matching rule normally decides the outcome, the order of the rules matters as much as their content.
- Protection level: High. Most network intrusions begin with unsolicited inbound traffic reaching an exposed service, and a traditional firewall prevents this by controlling which services are reachable from outside at all. But firewalls are only as effective as the staff who manage them: by Gartner's often-quoted estimate, around 99% of firewall breaches are caused by simple misconfiguration rather than by flaws in the firewall itself.
- Strengths and weaknesses: Open source firewall software that runs on standard hardware means a network firewall can be built at very low cost. The weaknesses follow from how packet filters work: they see headers, not payload, so anything sent to an allowed port passes unexamined, and a rule base containing ineffective, outdated or over-broad rules will admit traffic that should be excluded. Rule bases should be reviewed regularly for rules that are redundant, shadowed by an earlier rule, or no longer tied to a running service.
- Do you need it?: All corporate networks need some form of firewall to control the traffic that attempts to flow onto them. An alternative to a traditional firewall is a next-generation firewall (NGFW), which inspects the contents of packets and gives administrators far greater control over the traffic that is allowed to enter and leave the network.
- Vendors: Barracuda, Check Point Software, Cisco, Sophos, Juniper Networks, Palo Alto Networks
- Open source firewall software: pfSense, Untangle, Smoothwall Express
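The following is an added example, not code from the article or from any of the products named above. It models a stateless first-match packet filter and then audits the rule base for rules that can never fire because an earlier rule already covers them, which is exactly the kind of misconfiguration described in the section. The rule schema, the addresses (RFC 5737 documentation ranges) and the sample packets are constructed for the example.

```python
"""Stateless first-match packet filter with a shadowed-rule audit.

Added illustration only; the rule schema, addresses and sample packets are
constructed for this example and do not come from any vendor product.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional


@dataclass
class Rule:
    action: str                # "allow" or "deny"
    proto: Optional[str]       # "tcp", "udp" or None for any protocol
    src: IPv4Network           # 0.0.0.0/0 for any source
    dst: IPv4Network
    dport: Optional[int]       # destination port, None for any

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or self.proto == pkt["proto"])
                and ip_address(pkt["src"]) in self.src
                and ip_address(pkt["dst"]) in self.dst
                and (self.dport is None or self.dport == pkt["dport"]))

    def covers(self, other: "Rule") -> bool:
        """True when every packet that matches `other` also matches this rule."""
        return ((self.proto is None or self.proto == other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and (self.dport is None or self.dport == other.dport))


def evaluate(rules: list, pkt: dict, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched falls to the default (deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def shadowed_rules(rules: list) -> list:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [i for i, rule in enumerate(rules)
            if any(earlier.covers(rule) for earlier in rules[:i])]


ANY = ip_network("0.0.0.0/0")
DMZ = ip_network("203.0.113.0/24")            # constructed DMZ range
RULES = [
    Rule("allow", "tcp", ANY, ip_network("203.0.113.10/32"), 443),  # web server
    Rule("allow", "tcp", ANY, ip_network("203.0.113.20/32"), 25),   # mail relay
    Rule("allow", None, ANY, DMZ, None),   # over-broad "temporary" rule left behind
    Rule("deny", "tcp", ANY, DMZ, 3389),   # intended RDP block: shadowed by rule 2
]

# Constructed packets: an RDP probe the administrator believes rule 3 stops.
RDP_PROBE = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.30", "dport": 3389}
HTTPS_HIT = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443}
INTERNAL = {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.15", "dport": 22}

if __name__ == "__main__":
    print(evaluate(RULES, RDP_PROBE))   # allow: the misconfiguration
    print(shadowed_rules(RULES))        # [3]
```

Removing the over-broad rule 2 (or moving the deny above it) makes the RDP probe fall through to the explicit deny. Commercial rule-analysis tools perform the same `covers` computation across thousands of rules; the point is that the check is mechanical and should be part of every change to the rule base.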
Next-generation firewalls serve the same purpose as traditional firewalls, protecting the network from unwanted traffic, but they work differently. NGFWs offer application awareness with full-stack visibility by inspecting the contents of each packet rather than just its port, source and destination IP address, and protocol, so they can identify an application regardless of which port it uses. This lets administrators ban specific applications, such as peer-to-peer file sharing, or restrict how an application is used, for example by allowing Skype for voice over IP calls but not for file transfer.
- Protection level: Very high, because of the granular control they provide. Their inspection and logging capabilities can help meet requirements in PCI DSS or HIPAA.
- Strengths and weaknesses: NGFWs provide far more granular control over what data is and is not allowed to access the corporate network, which lets them mitigate a wider range of threats. But NGFWs are more expensive than traditional firewalls, and because they inspect packet contents rather than simply filtering on headers they have lower throughput, which can cause performance problems if the appliance is undersized for the link.
- Do you need it? Leaving cost and performance aside, an NGFW provides better network protection than a traditional firewall. Most NGFWs also offer optional features such as intrusion detection and prevention, malware scanning, and SSL/TLS inspection. These are valuable to companies that do not already have point solutions for them, but enabling them can cut the NGFW's throughput significantly, and TLS inspection requires deploying the firewall's private CA certificate to every client, breaks certificate pinning, and concentrates decrypted traffic in one place that must itself be protected.
- Vendors: Barracuda, Check Point Software, Cisco, Sophos, Juniper Networks, Palo Alto Networks
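As an added example (not code from the article or from any NGFW vendor), the block below shows the simplest form of the application identification described above: reading the Server Name Indication out of a TLS ClientHello so that an application can be recognised and blocked whatever port it uses. The `build_client_hello` helper exists only to produce constructed test input; the hostnames and the blocked-application table are made up for the example.

```python
"""Port-independent application control from a TLS ClientHello.

Added illustration, not code from any NGFW product.  The hostnames and the
blocked-application table are constructed for the example.
"""
import struct
from typing import Optional


def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record carrying one SNI extension (constructed input)."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name type 0
    sni_ext = struct.pack("!H", len(sni_entry)) + sni_entry           # server_name_list
    extensions = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext   # ext type 0 = SNI
    body = (b"\x03\x03" + b"\x11" * 32                # client_version, random
            + b"\x00"                                 # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
            + b"\x01\x00"                             # one compression method (null)
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes) -> Optional[str]:
    """Walk a TLS ClientHello and return the SNI host_name, or None if absent or not TLS.
    Every length is bounds-checked because the bytes come from an untrusted peer."""
    if len(data) < 5 or data[0] != 0x16:              # not a TLS handshake record
        return None
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    pos = 4 + 2 + 32                                   # handshake header, version, random
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                                 # session_id
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                                 # compression_methods
    if pos + 2 > len(hs):
        return None
    end = min(pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0], len(hs))
    pos += 2
    while pos + 4 <= end:                              # iterate extensions
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        ext, pos = hs[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype == 0x0000 and len(ext) >= 5 and ext[2] == 0:
            name_len = struct.unpack("!H", ext[3:5])[0]
            return ext[5:5 + name_len].decode("ascii", "replace")
    return None


# Constructed policy: applications identified by SNI, not by port.
BLOCKED_APPS = {"files.example.com": "p2p-file-sharing"}


def port_filter_decision(payload: bytes, dport: int) -> str:
    """What a traditional packet filter can do: judge by port alone."""
    return "allow" if dport == 443 else "deny"


def ngfw_decision(payload: bytes, dport: int) -> str:
    """Application-aware decision: block the app on any port it appears on."""
    sni = extract_sni(payload)
    if sni in BLOCKED_APPS:
        return "deny:" + BLOCKED_APPS[sni]
    return "allow"
```

The port-based filter passes the file-sharing session because it runs on 443; the application-aware check denies it. SNI is only one signal and is asserted by the client, it may be absent, and Encrypted Client Hello hides it, which is why real NGFWs combine several classifiers or fall back to TLS interception for the applications they must control.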
A web application firewall (WAF) is usually deployed as a reverse proxy between an application running on a server and the users who reach that application from outside the corporate network. The proxy terminates the incoming connection and opens its own connection to the application on the user's behalf. One benefit of this arrangement is that the application server itself is shielded from port scans, fingerprinting of the software it runs, and other probing directed at it by end users. The proxy also inspects each request and filters malicious ones (for example SQL injection, cross-site scripting payloads, or deliberately malformed requests intended to trigger code execution) so that they never reach the application server.
- Protection level: High, because they provide a buffer between the web application server and unknown, possibly malicious, users on the internet who could otherwise reach the server directly. This matters because many applications hold confidential data that is valuable to attackers, making internet-facing applications a particularly attractive target.
- Strengths and weaknesses: A WAF is a smaller and better-understood piece of software than the application stack behind it, so it is less likely to carry exploitable flaws and is easier to patch, and it can make reaching the application significantly harder for attackers. But not all applications are easily fronted by a proxy, the extra hop adds latency, and signature-based filtering can be evaded by encoding and obfuscation tricks, so a WAF must be tuned against the real application's traffic to avoid both false negatives and false positives that block legitimate users.
- Do you need it? Web applications are designed to be reached from the internet, so they receive a large volume of connections from it. For that reason many organizations protect the network with a conventional packet-filtering firewall or an NGFW and additionally route web application traffic through a dedicated application firewall; the WAF complements the network firewall rather than replacing it.
- Vendors: F5 Networks, Fortinet, Barracuda, Citrix, Imperva
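The block below is an added example, not code from the article or from any WAF product. It shows the two things the section attributes to a proxy WAF: inspecting each request before forwarding it, with the request canonicalised first so that percent-encoding tricks do not slip past the signatures, and stripping headers from the response that would tell a scanner which software runs behind the proxy. The signature set is a deliberately small constructed sample, and the request targets are constructed test inputs.

```python
"""Reverse-proxy WAF inspection: canonicalise the request before matching,
and scrub server identity from the response.

Added illustration, not code from any WAF product.  The signatures are a small
constructed sample; the request targets and headers are constructed test inputs.
"""
import re
from urllib.parse import unquote

TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")
SQLI = re.compile(r"(?i)\bunion\b\s+(?:all\s+)?\bselect\b"
                  r"|'\s*or\s+'?\d+'?\s*=\s*'?\d+"
                  r"|--\s*$")
LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}


def canonicalise(text: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (double encoding such as
    %252e is a classic evasion), then unify path separators.  The loop is
    bounded so a pathological input cannot keep the proxy decoding forever."""
    cur = text
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    cur = cur.replace("\\", "/")
    while "//" in cur:
        cur = cur.replace("//", "/")
    return cur


def inspect_request(method: str, target: str) -> tuple:
    """Return ("forward", None) or ("block", reason) for one request target."""
    if len(target) > 8192:
        return ("block", "oversized request target")
    path, _, query = target.partition("?")
    if TRAVERSAL.search(canonicalise(path)):
        return ("block", "path traversal")
    if SQLI.search(canonicalise(query)):
        return ("block", "sql injection")
    return ("forward", None)


def scrub_response_headers(headers: dict) -> dict:
    """Drop headers that reveal what software sits behind the proxy."""
    return {k: v for k, v in headers.items() if k.lower() not in LEAKY_HEADERS}


if __name__ == "__main__":
    print(inspect_request("GET", "/static/%252e%252e/%252e%252e/etc/passwd"))
    print(inspect_request("GET", "/search?q=hello+world"))
```

Note that the traversal signature does not match the double-encoded raw path at all; only the canonicalised form is caught. That ordering, decode then match, is the single most common source of WAF bypasses when it is done the other way round or skipped.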
As the name suggests, database firewalls are application-layer firewalls specialised for protecting databases. They are usually installed directly in front of the database server they protect (or near the network gateway when they protect several databases on several servers), where they can see every SQL statement sent to the database. They are designed to detect and prevent database-specific attacks, above all SQL injection, along with unusual access patterns such as an application account suddenly reading far more rows than it normally does, either of which can lead to attackers accessing confidential information stored in the database.
- Protection level: High. Corporate data tends to be extremely valuable, and the loss of confidential information is costly both directly and in lost reputation and bad publicity. It is therefore necessary to take all reasonable steps to protect databases and the data they contain, and a database firewall adds significantly to the security of that stored data.
- Do you need it? If you maintain databases containing valuable or confidential information, a database firewall is highly advisable. In 2016 over 4 billion records were stolen from databases, according to Risk Based Security, four times as many as in 2013. With attackers successfully targeting databases, protecting records is more important than ever.
- Strengths and weaknesses: Database firewalls can be an effective security measure, and they can also monitor and audit database access and produce compliance reports for regulatory purposes. However, they are only effective if correctly configured and kept up to date. Signature-based modes offer little protection against novel attacks; allow-list (learning) modes, which permit only statement patterns observed during a baseline period, catch novel injection but must be retrained whenever the application's queries change, or legitimate traffic will be blocked.
- Vendors: Oracle, Imperva, Fortinet
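As an added example, not code from the article or from any database firewall product, the block below implements the allow-list mode just described: each SQL statement is reduced to a fingerprint with literals and comments removed, fingerprints seen during a learning phase are recorded, and at run time anything whose shape was never learned is blocked and written to an audit log. The regex-based normaliser stands in for the real SQL tokenizer a product would use, and the queries are constructed test inputs.

```python
"""Database firewall in allow-list ("learning") mode.

Added illustration, not code from any database firewall product.  The
regex-based normaliser is a deliberate simplification of a real SQL tokenizer;
the queries are constructed test inputs.
"""
import re

STRING_LIT = re.compile(r"'(?:[^']|'')*'")        # 'abc', 'it''s'
NUMBER_LIT = re.compile(r"\b\d+(?:\.\d+)?\b")
LINE_COMMENT = re.compile(r"--[^\n]*")
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
PUNCT_SPACE = re.compile(r"\s*([=,()<>])\s*")


def fingerprint(sql: str) -> str:
    """Canonical shape of a statement: literals become '?', comments are dropped,
    whitespace and case are normalised.  Queries that differ only in bound values
    share a fingerprint; an injected clause changes it."""
    s = STRING_LIT.sub("?", sql)          # strings first, so '--' inside them survives
    s = LINE_COMMENT.sub(" ", s)
    s = BLOCK_COMMENT.sub(" ", s)
    s = NUMBER_LIT.sub("?", s)
    s = PUNCT_SPACE.sub(r"\1", s)         # "id = 1" and "id=1" share a shape
    return re.sub(r"\s+", " ", s).strip().lower()


class DatabaseFirewall:
    def __init__(self) -> None:
        self.allowed = set()
        self.audit = []          # (decision, fingerprint): the monitoring/compliance trail

    def learn(self, sql: str) -> None:
        """Learning mode: record what the application legitimately sends."""
        self.allowed.add(fingerprint(sql))

    def check(self, sql: str) -> str:
        """Enforcement mode: allow only statement shapes seen during learning."""
        fp = fingerprint(sql)
        decision = "allow" if fp in self.allowed else "block"
        self.audit.append((decision, fp))
        return decision


def demo() -> DatabaseFirewall:
    """Firewall trained on constructed traffic captured while the app ran normally."""
    fw = DatabaseFirewall()
    fw.learn("SELECT id, email FROM users WHERE username = 'alice' AND active = 1")
    fw.learn("UPDATE users SET last_login = '2024-01-01 10:00:00' WHERE id = 42")
    return fw


if __name__ == "__main__":
    fw = demo()
    print(fw.check("SELECT id, email FROM users WHERE username = 'bob' AND active = 1"))
    print(fw.check("SELECT id, email FROM users WHERE username = '' OR '1'='1' AND active = 1"))
    print(fw.audit)
```

The second lookup is the classic tautology injection: the literals are different but so is the statement's shape, so it is blocked without any signature for `OR '1'='1'`. The cost, as the section notes, is that a new release adding one more column to the SELECT produces a new fingerprint and will be blocked until the firewall is retrained.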
Unified threat management (UTM) appliances provide a nearly complete security solution for small and medium-sized businesses in a single box that plugs into the network. Typical UTM features include a traditional firewall, an intrusion detection system, and internet gateway security (scanning incoming traffic such as email for viruses, other malware and malicious attachments, and URL blacklisting to stop employees visiting known malicious sites such as phishing pages, functions also covered by secure web gateways). Some also include web application firewall and next-generation firewall (NGFW) features.
- Protection level: Medium. Most UTMs do a good job securing a network, but best-of-breed solutions for each security function are likely to offer better protection.
- Do you need it? UTMs are ideal for smaller organizations that do not have dedicated security staff and lack the skills needed to configure point solutions.
- Strengths and weaknesses: The key attraction of UTMs is simplicity: a single purchase covers most of a small organization's security needs, and all the security features can be controlled and configured from a single management console. Some UTMs offer a base level of security in the initial purchase price, with extra services (such as IPS) enabled for an additional license fee. The key drawback is that a UTM may not provide the same level of protection as a combination of more specialised products, but this is often academic because the realistic choice is between having a UTM and having no security solution at all.
- Vendors: Leading UTM vendors include Fortinet, SonicWALL, Juniper Networks, Check Point Software, WatchGuard and Sophos
A cloud based firewall is an alternative to a firewall running in the corporate data center, but its purpose is exactly the same: to protect a network, application, database, or other IT resources.
- Protection level: High. A cloud firewall delivered as a service runs on a platform configured and maintained by specialists in firewall operation, so it can offer very good protection for the assets behind it, and it is likely to be highly available with little or no scheduled or unscheduled downtime. The policy itself, however, remains the customer's responsibility, so the misconfiguration risk noted for traditional firewalls does not disappear. Cloud firewalls are usually deployed by configuring corporate routers to forward traffic to the cloud service (typically over IPsec or GRE tunnels), while mobile users connect to it through a VPN or use it as a proxy.
- Do you need it? Cloud-based firewalls are particularly attractive to large organizations which lack sufficient security personnel, as well as companies with multiple sites or branch offices that need protecting. The market for cloud-based firewalls is growing strongly and is expected to reach $2.5 billion by 2024, according to Global Market Insights.
- Strengths and weaknesses: A major benefit of using a cloud-based firewall is that multiple sites, including small branch offices, can benefit from the protection it provides without having to route all traffic through a central corporate firewall, or to configure and maintain multiple firewalls at different locations. A cloud-based firewall is also highly scalable, unlike an on-premises firewall, which may need to be replaced if the company grows and bandwidth requirements exceed the capabilities of the existing equipment. The key drawback of a cloud-based firewall is that a service provider is unlikely to know the specific security requirements of its customers on an ongoing basis as well as internal staff would. And once a company switches to a cloud-based firewall, it may lose in-house security skills, which can be hard to replace.
- Vendors: Zscaler, Forcepoint, Fortinet
A container firewall protects and isolates containerized application stacks, workloads and services on a container host. It works like a conventional firewall, but it also filters east-west traffic between containers inside the container environment as well as ingress and egress between the protected containers and external networks or non-containerized applications.
- Protection level: Medium. All containers require security to be applied to them, but as a relatively new computing paradigm they are often not well understood. So while some level of firewalling is desirable, other controls (such as keeping the images each container runs from up to date and free of known vulnerabilities) are arguably more important.
- Do you need it? Although dedicated container firewalls are available, containers can also be protected with the host's own packet filter: iptables or nftables rules applied on the host or inside the container's network namespace (the container image itself does not need to carry a firewall), or, on Kubernetes, NetworkPolicy objects enforced by the cluster's network plugin.
- Strengths and weaknesses: A container firewall is likely to be easier to manage than hand-written host-level rules for every container, particularly because it can express policy in terms of workload identity rather than addresses that change each time a container is rescheduled. But in smaller environments it may be unnecessary and hard to justify on cost.
- Vendors: NeuVector, Juniper Networks, Twistlock
A network segmentation firewall (also known as an internal network firewall) protects sites, functional areas, departments or other business units by controlling the network traffic that flows between them. They are implemented at the boundaries between subnets or VLANs, so that a breach can be contained in one area rather than spreading across the whole network. They can also provide added protection to parts of the network that warrant it, such as databases or R&D units.
- Protection level: Medium. Although a network segmentation firewall may stop an attacker moving from one part of the network to another, its value depends entirely on how tightly the zone-to-zone rules are written: a permissive any-to-any rule between zones provides no containment at all, and in practice segmentation often only slows an attacker unless the initial breach is detected quickly.
- Do you need it? Network segmentation firewalls are most useful for very large companies, for companies with network perimeters that are very hard to secure, and for isolating regulated systems such as a cardholder data environment, where PCI DSS recognises segmentation as a way to reduce the scope of compliance.
- Strengths and weaknesses: If an attacker gains access to the network, then a network segmentation firewall may make it significantly harder for them to access particularly sensitive data. But it can introduce performance and availability issues and may present a single point of failure for some network services.
- Vendors: Fortinet
And one last firewall type to consider: secure web gateways, which proxy and filter employees' outbound web traffic (URL filtering, malware scanning and, increasingly, control of cloud applications), remain a steady market despite competition from UTMs and NGFWs that bundle the same functions.