This post has been updated for 2021.
The network firewall is the first line of defense for traffic that passes in and out of a network. The firewall examines traffic to ensure it meets the security requirements set by the organization, and unauthorized access attempts are blocked.
Firewall protection has come a long way in recent years. In addition to monitoring internet traffic, the latest network firewall security products incorporate a wide range of additional features, including automation, more integrations, and built-in sandboxing.
“The latest firewalls can neutralize an attacker’s ability to use stolen credentials for lateral movement and network compromise,” said Navneet Singh, product marketing director at Palo Alto Networks. “This is done by enforcing multi-factor authentication at the network layer.”
- What is a network firewall?
- Next-generation firewalls
- Firewall-as-a-service (FWaaS)
- Taking firewalls to the edge
- Firewall limitations
What is a Network Firewall?
The intention behind network firewalls is to filter internet transmissions so that only traffic that belongs is allowed into an organization. Decisions are based on pre-set rules or policies that IT teams can add to or adjust as necessary. Like many areas of technology, firewalls have evolved over time and are more sophisticated in terms of efficacy and flexibility of deployment.
For example, they have developed the ability to be deployed in completely virtual environments to protect data transferred to and from the cloud or to protect remote branches. “Firewalls have also greatly improved their ability to integrate threat defense and intelligence to protect against a range of threats including botnets, command and control servers, advanced persistent threats (APTs) and zero-day threats,” said Mihir Maniar, vice president of Security Business and Strategy at Juniper Networks.
Types of Network Firewalls
IP communications are still described by the same handful of header fields (source and destination IP addresses, protocol, and ports), so filtering on those fields remains the core of firewall defense and the sensible first line of defense for an organization’s network. URLs and other application-level data sit above the IP and transport headers and require deeper inspection, which is where next-generation firewalls come in.
Essentially, a network firewall examines each packet (the unit into which data is split for transmission) and decides, based on source, destination, ports, and protocol, whether it may enter the internal network. Maniar said this was initially done with static filtering that inspected only packet headers. Attackers soon realized that a static filter can be satisfied by crafting headers that look like expected traffic: setting the TCP ACK flag so a probe resembles a reply to an existing connection, for example, or sending from UDP port 53 so a packet resembles a DNS response.
Stateful (dynamic) packet inspection was created in response. A stateful firewall records each connection initiated from the inside in a state table and then admits inbound packets only if they correspond to an existing entry: matching addresses and ports and, for TCP, the flags expected at that stage of the handshake. A forged packet that merely looks like a reply matches no entry and is dropped. Some firewalls also apply unified threat management (UTM) functions to outgoing traffic, such as a secure web gateway that blocks command-and-control (C&C) callbacks.
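To make the difference between the two approaches concrete, here is an added example (not code from the original article or from any vendor) that models a static “established”-style filter next to a minimal stateful one and feeds both the same packets. The addresses, ports, flow-table states and the attacker’s forged packets are all constructed for illustration; connection timeouts and TCP teardown are deliberately left out.

```python
"""Stateless vs. stateful packet filtering, as a runnable model.

Constructed example: addresses, ports and rules are invented for
illustration and do not mirror any particular product.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str                       # "out" = inside -> internet, "in" = internet -> inside
    proto: str                           # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str] = frozenset()  # TCP flags; empty for UDP


FlowKey = Tuple[str, str, int, str, int]


def stateless_allow(pkt: Packet) -> bool:
    """Static header filter in the style of an 'established' ACL.

    Allows all outbound traffic, and inbound traffic only when the header
    *looks like* a reply: TCP with ACK set, or UDP sourced from port 53.
    It remembers nothing, which is exactly the weakness.
    """
    if pkt.direction == "out":
        return True
    if pkt.proto == "tcp":
        return "ACK" in pkt.flags
    if pkt.proto == "udp":
        return pkt.src_port == 53
    return False


class StatefulFirewall:
    """Tracks flows opened from the inside; inbound packets must match one."""

    def __init__(self) -> None:
        self.table: Dict[FlowKey, str] = {}  # flow -> state (no timeouts, for brevity)

    @staticmethod
    def _key(pkt: Packet) -> FlowKey:
        # Key every flow from the inside host's point of view so that a reply
        # (addresses and ports swapped) lands on the same table entry.
        if pkt.direction == "out":
            return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def allow(self, pkt: Packet) -> bool:
        key = self._key(pkt)
        state = self.table.get(key)
        if pkt.direction == "out":
            if pkt.proto == "tcp":
                if pkt.flags == frozenset({"SYN"}):   # new connection attempt
                    self.table[key] = "SYN_SENT"
                    return True
                return state is not None              # rest of an open flow only
            self.table.setdefault(key, "UDP_OPEN")    # pseudo-state for UDP
            return True
        # Inbound: must correspond to a flow the inside host already opened.
        if state is None:
            return False
        if pkt.proto == "tcp":
            if state == "SYN_SENT" and pkt.flags == frozenset({"SYN", "ACK"}):
                self.table[key] = "ESTABLISHED"
                return True
            return state == "ESTABLISHED" and "ACK" in pkt.flags
        return True  # UDP reply to an outbound datagram


def run_scenario() -> Dict[str, Tuple[bool, bool]]:
    """Feeds the same constructed packets to both filters.

    Returns {label: (stateless_verdict, stateful_verdict)}.
    """
    fw = StatefulFirewall()
    inside, web, dns, attacker = "10.0.0.5", "203.0.113.10", "203.0.113.53", "198.51.100.7"
    packets = [
        ("client SYN to web",      Packet("out", "tcp", inside, 40000, web, 443, frozenset({"SYN"}))),
        ("web SYN/ACK reply",      Packet("in",  "tcp", web, 443, inside, 40000, frozenset({"SYN", "ACK"}))),
        ("client ACK completes",   Packet("out", "tcp", inside, 40000, web, 443, frozenset({"ACK"}))),
        ("web data segment",       Packet("in",  "tcp", web, 443, inside, 40000, frozenset({"ACK", "PSH"}))),
        ("client DNS query",       Packet("out", "udp", inside, 5353, dns, 53)),
        ("DNS response",           Packet("in",  "udp", dns, 53, inside, 5353)),
        # The attacker forges the header fields the static filter treats as a reply.
        ("forged ACK scan to ssh", Packet("in",  "tcp", attacker, 80, inside, 22, frozenset({"ACK"}))),
        ("forged 'DNS' to snmp",   Packet("in",  "udp", attacker, 53, inside, 161)),
    ]
    return {label: (stateless_allow(pkt), fw.allow(pkt)) for label, pkt in packets}


if __name__ == "__main__":
    for label, (stateless, stateful) in run_scenario().items():
        verdict = lambda ok: "ALLOW" if ok else "DROP"
        print(f"{label:24} stateless={verdict(stateless):5} stateful={verdict(stateful)}")
```

The legitimate web and DNS exchanges pass both filters, but the two forged inbound packets pass the static filter (ACK set, source port 53) and are dropped by the stateful one because no inside host ever opened those flows. A production stateful engine adds what this model omits: entry timeouts, FIN/RST teardown, sequence-number checks and application helpers for protocols such as FTP that open secondary connections.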
These are the different types of firewalls currently available:
- Packet-filtering firewalls
- Stateful inspection firewalls
- Application-layer firewalls (web application firewalls, or WAFs, are the HTTP-specific variety)
- Next-generation firewalls
- Circuit-level firewalls
- Proxy server firewalls
For more on firewall types, see Types of Firewalls: What IT Security Pros Need to Know.
Firewalls vs. Gateways
Firewalls and gateways serve similar functions: both examine traffic to block unauthorized access. But the main difference comes from where the inspections happen. Firewalls typically inspect traffic at the packet level, investigating the header to determine what information it likely contains.
Web gateways, on the other hand, work at the application layer: they understand protocols such as HTTP and can inspect URLs, page content, and downloaded files rather than just headers. Depending on what the gateway finds and its security features, it can block malicious traffic before it reaches the application.
Email gateways work similarly, filtering incoming mail for malicious attachments and links. Because, by one widely cited industry estimate, 94 percent of malware arrives by email, these gateways are critical for protecting your organization.
Next-Generation Firewalls
Gartner defines a next-generation firewall (NGFW) as a deep-packet inspection tool that moves “beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and intelligence from outside the firewall”. This is not to be confused with a stand-alone network intrusion prevention system (IPS), which typically ships either with a basic commodity firewall or as an appliance whose firewall and IPS are poorly integrated.
See our list of the top next-generation firewall vendors.
Some next-generation firewalls can inspect the contents of encrypted traffic. In practice this means terminating the TLS session at the firewall and re-encrypting it toward the destination, so endpoints must trust the firewall’s signing certificate, and traffic that uses certificate pinning may break or need to be exempted. Additionally, NGFWs can apply application-specific and user-specific security policies. This helps protect against threats, manages how network bandwidth is allocated, and maintains appropriate access controls. NGFWs may also block malware before it reaches the network. “Advanced firewalls can detect intrusion attempts, user identity, and application control, in addition to simply identifying unauthorized traffic access,” said Maniar.
Next-generation firewalls, then, are network firewalls with additional capabilities that go beyond static filtering of traffic. They inspect at the application layer and can perform TLS/SSL inspection, intrusion prevention, and other blocking techniques. Companies can deploy them at the perimeter, inside the network as core firewalls to segment traffic, or on a host to protect virtual workloads.
But network security firewalls, no matter how advanced or next-gen, won’t stop everything. They generally don’t detect and stop threats that enter a network via social engineering, insider threats, email, or Bring Your Own Device (BYOD). Other controls, such as zero-trust access policies or security information and event management (SIEM), are required to take care of that side of the equation.
Yet some vendors have begun to integrate these features into their firewall products. Whether these tools can validly be termed “firewalls” is a matter of debate. But the reality is that the combination of traditional firewall technology with the latest security techniques provides a formidable obstacle for cybercriminals.
Firewall-as-a-Service (FWaaS)
Like on-premises networks, cloud environments also have a perimeter that a firewall can protect. Firewall-as-a-service (FWaaS) delivers the features of a traditional firewall from the cloud, removing the need for costly hardware and centralizing monitoring. FWaaS allows companies to enforce one global security policy while employees are spread across different offices or working remotely.
With FWaaS, a third-party vendor hosts the firewall in the cloud and the company licenses the service. The company’s IT department gets an admin panel where it can allow-list and block-list URLs, IP addresses, and email addresses and create access rules for both internal and external users.
FWaaS is particularly useful for protecting remote employees, because a traditional perimeter firewall only covers traffic that passes through the office network. To protect them otherwise, you would have to require a firewall on each home network or, more likely, provide one. Cloud-based firewalls are also easy to scale and configure to fit the needs of the business, and they remove some of the burden from the in-house IT team: the vendor handles maintenance and updates, although the rule set itself still has to be owned and reviewed by the company.
Taking Firewalls to the Edge
As edge computing becomes more mainstream, companies are beginning to use their firewalls as edge computing devices, treating them as entry points for their networks. But just covering the perimeter isn’t enough.
Secure Access Service Edge (SASE)
Secure access service edge (SASE) is a combination of networking and security services that includes FWaaS, secure web gateway (SWG), cloud access security broker (CASB), and zero trust network access (ZTNA), typically paired with SD-WAN connectivity. The technology is delivered as a cloud service and applies policy based on the identity of the user or device and the real-time context of each session. By 2024, Gartner expects at least 40 percent of companies to have adopted SASE or to be in the process of doing so.
SASE offers more flexibility and functionality than traditional firewalls thanks to the cloud-based nature of the platform and the additional technologies included. It is also helpful for IT departments because it reduces the number of platforms they have to manage by combining them into one. Overall, SASE provides more visibility and lets organizations apply security policies consistently across their network, especially as employees continue working remotely.
Microsegmentation
Firewalls are good at keeping attackers out of a network, but once an attacker is in, organizations need other measures in place to contain them. Microsegmentation helps by dividing the network into small zones, down to individual workloads, with a firewall policy between each zone, so that a user or system can reach only the small portion of the network it needs. It is common in cloud environments, where per-workload security groups and host-based firewalls enforce these boundaries; a compromised web server, for example, should be able to talk to its database but not to the payroll system, the marketing portal, or the management network.
Because microsegmentation separates the network in this way, an attacker who gains entry cannot simply walk to all of an organization’s data. Each hop requires crossing another policy boundary, which both slows the attacker down and generates alerts, giving the IT team time to quarantine and remediate the threat. Rather than only blocking malicious external traffic as perimeter firewalls do, microsegmentation also limits the damage from internal attacks.
Firewall Limitations
The latest firewalls contain a wealth of security features. Depending on the vendor, next-generation firewalls may also incorporate services such as data loss prevention (DLP), threat intelligence, malware detection, DDoS defense, and more. That said, no single vendor offers a firewall that covers every area of necessary security technology. So add them by all means, and take advantage of their enhanced capabilities. But don’t neglect other areas of enterprise security.
“Network firewalls (or virtual network firewalls in the cloud) are critical in providing perimeter security,” said Dave Ginsburg, vice president of worldwide marketing at Cavirin. “But they are only part of an overall security posture that includes perimeter, network, endpoint, application, and data security as well as policy management and operations. Once the bad guys get in, and they will, other parts of the security infrastructure must come into play.”
And it’s not enough to set up a network firewall and forget it. Firewall maintenance is a critical and often overlooked part of IT security. For more on this important topic, see Fine-tuning Firewall Rules: 10 Best Practices.