While originally created to protect internal networks, firewall solutions have evolved into diversified and specialized solutions suitable for a number of architectures and purposes. The eight types of deployable firewalls include traditional network firewalls, unified threat management (UTM), next-generation firewalls (NGFW), web application firewalls (WAF), database firewalls, cloud firewalls, container firewalls, and firewalls-as-a-service (FWaaS).
Deploying the appropriate type of firewall first requires an understanding of the available features and deployment options. These inform the pros, cons, and best use cases for each firewall and how each type of firewall delivers a unique solution.
| Type | Pros | Cons | Use Cases | Deployment |
|---|---|---|---|---|
| Container firewall | Centralized or DevOps configuration, can be deployed by code, container visibility and control, rapid scalability and on-demand deployment | Must be part of a security stack, expense only makes sense for larger needs | Extra and specialized container security, high performance firewall | Containerized software |
| Firewall-as-a-Service (FWaaS) | More scalable than on-prem firewalls, unified security, flexible and simplified deployment, requires less IT skill and resources, fully automated updates and maintenance, more rapid identification and updates for attack threats | Less attentive to specific customer needs, reduced customization options, loss of control, potential information exposure to 3rd party service provider, doesn't replace device or specialty firewalls | Centralized management for geographically diverse organizations, robust security for resource constrained organizations, turnkey firewall solution for rapid deployment or legacy replacement | n/a (Service) |
Features & Deployment Options for Firewalls
Firewalls are the bouncers for IT. They screen incoming traffic to networks, applications, databases, and other resources for unauthorized and unwanted traffic.
Firewalls must balance security performance with operations throughput, and more advanced functions improve security but slow down data delivery. In most cases, the “best” firewall solution will be the deployment of multiple firewalls to maximize their best attributes and minimize their flaws; however, budgets and resource constraints often deny ideal deployments.
Types of Firewall Features
The key features of firewalls include packet filtering, stateful inspection, session filtering, proxy service, application layer filtering, source filtering, malware filtering, and deep packet inspection. The chart below compares generally-available features with the associated firewall type, but keep in mind all classifications are generalities and some advanced traditional firewalls may perform some malware filtering and some database firewalls may be capable of session filtering.
Each feature delivers a different type of screening function. Fast, simple features don’t add much security, while the more complex features add significant security at the similarly significant cost of operational throughput.
| Feature | Security Level | Complexity | Speed | Description |
|---|---|---|---|---|
| Packet Filtering | Low | Low | Fast | Compares packet headers against preset rules that define permitted IP addresses, protocols, and source/destination ports |
| Session Filtering (AKA: Circuit-Level Gateway) | Low | Low | Fast | Examines session-level connections (TCP/UDP) to verify connections are legitimate; often creates proxy connections (see below) |
| Proxy Services | Low | Low | Medium | Makes protocol connections (TCP/UDP) on behalf of other devices or apps; hides IP addresses and blocks queries that try to learn about open ports and services |
| Stateful Inspection | Medium | Medium | Medium | Tracks connections (TCP, etc.) in tables to detect, track, and block potentially malicious traffic |
| Application-layer Filtering | High | High | Slow | Uses proxies and more complex rules to inspect and filter out application-layer attacks; resource intensive |
| Source Filtering | Medium | Medium | Medium | Uses website URL, IP address, and geolocation information to identify and filter out potentially dangerous traffic sources; difficult to keep up to date |
| Malware Filtering | High | High | Slow | Detects (often using signatures) and blocks known malware or malicious behavior; resource intensive and difficult to keep up to date |
| Deep Packet Inspection | High | High | Slow | Inspects the contents of traffic packets to identify indicators of compromise, malicious content, and sensitive information; very resource intensive, especially when decrypting encrypted traffic |
Types of Firewall Deployment
When deploying a firewall, the security team needs to consider where the solution fits into the overall architecture. Traditionally, vendors delivered all firewalls in purpose-built hardware appliances, but now nearly all types of firewalls may be deployed as software ready to be installed as virtual machines (VMs) or containers.
Hardware Firewalls
Hardware comes in server rack and desktop profiles and will be fixed in capacity based upon the hardware configuration. The dedicated hardware and fixed capacity improves convenience for updates and remote deployments.
However, hardware firewalls cost more than equivalent VMs, take up physical space, and are much less flexible to change. The limited flexibility plus capacity constraints make hardware less attractive for deployment in dynamic environments.
Software-Based Firewalls (VM, Cloud, Container)
Software-based virtual machine firewalls can be installed on desktops, servers, cloud, and container orchestration environments. Virtual firewalls offer improved flexibility, rapid deployment, and a full range of capabilities, from simple-host-based operating system firewalls to full-NGFW capabilities.
However, VM firewalls become security dependent on the host environment and can cause conflicts with other applications running on the host. VM firewalls also increase complexity and opportunities for mistakes in installation, integration, and configuration.
Traditional Network Firewalls
Traditional, basic, or simple network firewalls screen data packets by following rules and performing data header inspections. These firewalls provide inexpensive security and can be deployed easily as hardware devices or virtual machines throughout a network to perform filtering or network segmentation.
No vendor sells a firewall listed as ‘traditional,’ ‘simple,’ or ‘basic.’ However, a buyer can observe that the lowest priced firewall options will generally deploy the simplified features attributed to a traditional firewall.
Traditional firewalls are known as host-based firewalls when built into operating systems (EX: Windows Firewall, macOS, etc.), enterprise network routers, and consumer Wi-Fi routers. Purchasing low-cost firewalls providing traditional functionality can enable fast and easy firewall protection, but IT teams with more time might prefer open-source software firewalls.
| Protection Level | Operations Throughput | Vendors | Open-Source Options |
|---|---|---|---|
| Low: Simple and basic | High (stateful inspection can cause some slowness) | Netgate (pfSense hardware), Zyxel | pfSense, OPNsense Firewall, IPFire |
Use Cases
Branch offices or small and home offices (SOHO)
Low-risk environments (industrial facilities with limited tech, etc.)
Layer of defense for servers, endpoints, and network segments
Internal network segmentation, access control, or bandwidth management
Initial high-throughput filtering of traffic in front of more sophisticated or specialized solutions (NGFW, WAF, etc.)
Common Features
Packet filtering
Stateful inspection
Session filtering
Proxy service
Application layer filtering
Source filtering
Malware filtering
Deep packet inspection
Pros
Very effective for a narrow set of tasks
Fast processing and high data throughput
Inexpensive or free to implement
Quick to install and configure
Cons
Doesn’t block application or web-based (HTML) attacks
No traffic inspection
Typically limited capacity
Can be fooled by manipulated headers
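The feature table above rates packet filtering below stateful inspection, and the cons list notes that a traditional filter "can be fooled by manipulated headers." The following added example (not code from the article or from any vendor named here) simulates both features over constructed packets in a Python model: a stateless header filter that trusts the ACK flag to recognise return traffic versus a stateful filter that only trusts connections it saw start from inside. All addresses, ports, and rules are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """Minimal header model: only the fields a packet filter looks at."""
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset    # TCP flags present, e.g. frozenset({"SYN"})


# Assumed policy: hosts in 10.0.0.0/24 may browse the web; nothing else is
# permitted inbound.  Addresses outside are RFC 5737 documentation ranges.
INTERNAL = ip_network("10.0.0.0/24")
WEB_PORTS = (80, 443)


def stateless_allow(pkt: Packet) -> bool:
    """Packet filtering: header-only rules with no memory of earlier packets.

    Because the filter cannot remember which connections the inside opened,
    it has to let "replies" back in by header shape alone (source port 80/443
    and the ACK flag set), which is exactly the header an attacker can forge.
    """
    if ip_address(pkt.src) in INTERNAL and pkt.proto == "tcp" and pkt.dport in WEB_PORTS:
        return True                       # outbound web request
    if (ip_address(pkt.dst) in INTERNAL and pkt.proto == "tcp"
            and pkt.sport in WEB_PORTS and "ACK" in pkt.flags):
        return True                       # looks like a reply; trusts the header
    return False


class StatefulFirewall:
    """Stateful inspection: keeps a connection table and only admits packets
    that belong to a connection the inside initiated with a SYN."""

    def __init__(self) -> None:
        self.table: set[tuple] = set()    # (src, sport, dst, dport, proto)

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.table or reverse in self.table:
            return True                   # belongs to a tracked connection
        # Only a fresh outbound SYN from an internal host may create state.
        if (ip_address(pkt.src) in INTERNAL and pkt.proto == "tcp"
                and pkt.dport in WEB_PORTS and pkt.flags == frozenset({"SYN"})):
            self.table.add(key)
            return True
        return False


def run_scenario() -> list[tuple[str, bool, bool]]:
    """Run a constructed four-packet scenario through both filters.

    Returns (label, stateless_verdict, stateful_verdict) per packet.
    """
    fw = StatefulFirewall()
    scenario = [
        ("outbound SYN to web server",
         Packet("10.0.0.5", "203.0.113.10", "tcp", 40000, 443, frozenset({"SYN"}))),
        ("legitimate SYN-ACK reply",
         Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 40000, frozenset({"SYN", "ACK"}))),
        ("unsolicited ACK from port 80 to SSH (forged header)",
         Packet("198.51.100.7", "10.0.0.5", "tcp", 80, 22, frozenset({"ACK"}))),
        ("unsolicited SYN to SSH",
         Packet("198.51.100.7", "10.0.0.5", "tcp", 50000, 22, frozenset({"SYN"}))),
    ]
    return [(label, stateless_allow(p), fw.allow(p)) for label, p in scenario]


if __name__ == "__main__":
    for label, stateless, stateful in run_scenario():
        print(f"{label:55} stateless={'ALLOW' if stateless else 'DROP':5} "
              f"stateful={'ALLOW' if stateful else 'DROP'}")
```

The third packet is the one to watch: the stateless filter admits it because the header matches the "reply" rule, while the stateful filter drops it because no internal host ever opened that connection.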
Traditional stand-alone, host-based, and operating system firewalls perform basic and simple data filtering.
Unified Threat Management (UTM)
UTMs target small and medium-sized organizations that want to save money with a combined security solution. This solution also works for organizations of any size that lack the resources to fine-tune security options for their environment.
All UTMs inspect the unencrypted components of the incoming and outgoing packet headers for malware, malicious attachments, and known-malicious or suspected phishing sites (IP addresses, URLs, etc.) and perform some basic application-layer protections. Some UTMs can sometimes perform deep-packet scanning but will lack the full-powered scanning available in NGFW because resources will be shared with the non-firewall features of the appliance.
| Protection Level | Operations Throughput | Vendors | Open-Source Options |
|---|---|---|---|
| Medium | Low: Many inspections are performed | Fortinet, SonicWALL, Juniper Networks, Check Point Software, WatchGuard, and Sophos | Endian, Untangle |
Use Cases
Small and medium-sized organizations or branch offices
*Some features may be present but limited in capability compared to more robust solutions (NGFW, WAF, etc.).
Pros
Includes a variety of security features in a single deployment
Centralized management console
Makes installation and management easier for IT teams
Inexpensive compared to deploying individual solutions for each function
Cons
Expanded capabilities often require more frequent updates, especially for antivirus signatures and malicious URLs
Tends to be less effective than dedicated solutions
Slow data throughput compared to dedicated solutions or traditional firewalls
Lacks customization options
Next-Generation Firewalls (NGFWs)
Next-generation firewalls expand on the capabilities of traditional firewalls with more robust inspection of the contents of each data packet. This inspection includes examining the source and destination IP addresses to block malicious (malware, phishing, etc.) and unwanted connections (adult entertainment sites, unwanted geolocations, etc.).
NGFWs perform some application level filtering of harmful applications using signature matching and SSL decryption. Next-gen firewall application filtering capabilities can even enable banning the use of specific applications, such as peer-to-peer (P2P) file-sharing applications, or partially restrict application use, such as allowing Skype calls but blocking Skype file sharing.
Most firewalls currently sold provide at least simple packet inspection and URL filtering. Newer and more powerful NGFWs incorporate behavioral detection and deploy artificial intelligence (AI) for anomaly detection and proactive defense.
| Protection Level | Operations Throughput | Vendors | Open-Source Options |
|---|---|---|---|
| Very high: deep packet inspection, decryption, malware filtering | | | |
Web Application Firewalls (WAFs)
A web application firewall (WAF) provides an application-layer proxy between an application and the application's users to filter potentially malicious traffic. These firewalls provide improved operational performance by focusing on specialized defense, such as filtering out deliberately malformed or malicious requests.
Installing a WAF allows for NGFW at the edge of the network to skip application layer inspections and focus on more basic scanning tasks to improve data flow to the application server. The proxy architecture shields the application from malicious activity such as port scans, attempts to determine the software running on the application server (or container information), and cross-site scripting (XSS).
In addition to application layer filtering, many WAFs now provide protection for application programming interfaces (APIs), bot detection, and microservices. More advanced WAFs boost performance using AI and ML for anomaly detection and autonomous threat blocking.
| Protection Level | Operations Throughput | Vendors | Open-Source Options |
|---|---|---|---|
| High, but specialized; usually ignores basic firewall functions | Medium; application packet inspection takes time, but specialized filtering reduces operations drag | | |
Use Cases
Extra and specialized defense for application servers and applications
Specialized high-performance firewall to remove burden and slowdown from other firewalls
Common Features
Proxy service
Application layer filtering
Source filtering
Malware filtering
Deep packet inspection*
*Deep packet inspection will typically be focused on application attack prevention (XSS, DDoS, SQLi, etc.) and pay less attention to blocking malware to improve performance.
Pros
Adds an extra layer of protection between the application and potentially malicious code
Specialized inspection of HTTP/HTTPS traffic to defend against code-based attacks such as SQL injection (SQLi) or cross-site scripting (XSS)
Specialized packet inspection improves ease of use and reduces operations drag
Specialized focus also decreases installation and configuration mistakes
Cons
Only cost effective for organizations with higher risks, budgets, and resources
Doesn’t provide full security for all applications
May slow the performance of some applications
Doesn’t provide a full spectrum of security and should only be part of a security stack
Database Firewalls
Database firewalls are a subset of web application firewalls that protect databases. They are installed directly in front of the database server or occasionally in front of the network gateway when protecting multiple databases running on multiple servers.
Database firewalls detect and prevent specific database attacks, such as SQL injection (SQLi), that can lead to attackers accessing confidential information stored in the databases. Installing a database firewall allows a security team to skip inspections for database attacks at the NGFW and application servers earlier in the data flow, improving overall data throughput and performance.
| Protection Level | Operations Throughput | Vendors | Open-Source Options |
|---|---|---|---|
| High, but specialized; usually ignores basic firewall functions | High; application packet inspection takes time, but highly specialized filtering reduces operations drag compared to NGFW or WAF | DataSunrise, Fortinet, Imperva, Oracle | DBHawk, GreenSQL |
Use Cases
Extra and specialized defense for databases and database servers
Extra compliance reporting regarding database access and usage
Specialized high-performance firewall to remove burden and slowdown from other firewalls
Common Features
Proxy service
Application layer filtering
Source filtering
Malware filtering
Deep packet inspection*
*Deep packet inspection will focus on database attack prevention (SQLi, etc.) and pay less attention to blocking other types of attacks to improve performance.
Pros
Specialized inspection of HTTP/HTTPS traffic to defend against code-based attacks such as SQL injection (SQLi)
Security focus improves ease of use and decreases installation or configuration mistakes
Can double as a monitoring and auditing tool for database access
Can produce reports regarding database access for compliance and regulatory purposes
Cons
Only cost-effective for organizations with higher risks, budgets, and resources
Doesn’t provide a full spectrum of security and should only be part of a security stack
Decreases performance for database access
Hyper-specialized protection may require specialized resources, such as database experts, to help with the integration and configuration
Cloud-Based Firewalls
A cloud-based firewall can be purchased in the marketplace for cloud providers (Azure, AWS, Google Cloud, etc.) to protect cloud resources behind the firewall. An ambitious organization could technically configure their entire network infrastructure to run behind a cloud-scalable firewall, assuming that no control of the underlying hardware is acceptable.
Many popular firewall vendors (Fortigate, Fortinet, Juniper, Palo Alto, Sophos, etc.) offer cloud-optimized VM solutions in a cloud marketplace preconfigured for that specific cloud (Azure, AWS, etc.). Some cloud providers will also make their own branded firewalls available (Azure, IBM, etc.).
Cloud-based firewalls may be specialized firewalls (Ex: WAF, Container) or may be fully functional NGFWs. Unlike FWaaS, covered below, a cloud-based firewall will require internal IT resources to install, configure, maintain, and monitor the firewall.
| Protection Level | Operations Throughput | Vendors | Open-Source Options |
|---|---|---|---|
| Variable: A full range from basic to NGFW can be implemented | Variable: Fully dependent upon the features selected and level of packet inspection | | |
*Note: Open-source resources obtained as cloud-firewalls won’t generally be free deployments. At the very least, the cloud provider will charge fees for the VM (CPU, memory, etc.).
Use Cases
Specialized layer of defense for cloud resources
Centralized firewall for an entire enterprise
Highly variable needs benefit from the scalability of cloud resources
Common Features
Packet filtering
Stateful inspection
Session filtering
Proxy service
Application layer filtering
Source filtering
Malware filtering
Deep packet inspection
Note: Not all features will be available with all cloud-based firewall products.
Pros
More scalable (up and down) than on-premises options
Less expensive than an on-premises option licensed for peak use requirements
Often pre-configured for cloud-specific deployment
No maintenance and upgrade requirements for the underlying hardware
Cons
No control of the underlying hardware
More expensive than on-premises equipment scaled for baseline requirements
Cloud-vendor-optimized deployments may not be multi-cloud compatible
Cloud-deployed firewalls may require cloud experts to ensure proper implementation and configuration of the deployment
Container Firewalls
A container firewall protects and isolates containerized application stacks, workloads, and services on a container host. Container firewalls deliver traditional firewall capabilities and filter traffic in, out, and within the container environment.
This specialized security improves operational throughput and creates highly isolated containers with limited exposure (and access) to external networks or other non-containerized applications. The lightweight design of a container firewall integrates tightly with container engines (Docker, etc.) and orchestration tools (Kubernetes, OpenShift, etc.).
As with other container resources, container firewalls can be easily scaled, deployed, and removed from service using code. Container firewalls can also be integrated with developer operations (DevOps) tools and processes to keep up with agile requirements.
| Protection Level | Operations Throughput | Vendors | Open-Source Options |
|---|---|---|---|
| High, but specialized; relies upon other firewalls and tools for full protection | High; tightly defined allow lists and focused packet inspections keep throughput high | Juniper Networks, Palo Alto Networks | SUSE (NeuVector), Tigera (Calico) |
Use Cases
Extra and specialized defense for containers
Specialized high-performance firewall to remove burden and slowdown from other firewalls
Deploy on demand and in tandem to protect containerized microservices
Common Features
Application layer filtering
Source filtering
Malware filtering
Deep packet inspection
Pros
Centralized configuration or configuration through DevOps
Can be deployed by code
Provides visibility and control over containers
Container deployment provides rapid scalability and on-demand installation
Cons
Only cost-effective for organizations with higher risks, budgets, and resources
Doesn’t provide a full spectrum of security and should only be part of a security stack
Code deployment without security oversight risks deployment of obsolete firewalls that no longer provide good security
Specialized container deployments will require specialized (and more expensive) container expertise for configuration and integration
Specialty app-layer firewalls improve protection and reduce data flow slowdown for applications, databases, and containers.
Firewall-as-a-Service
Firewall-as-a-Service (FWaaS) provides NGFW capabilities as a fully-outsourced service. FWaaS can be considered a specialized sub-category of NGFW or cloud-based firewalls in which most configuration and maintenance are outsourced to the SaaS provider.
FWaaS professionals completely specialize in firewall management, and this focus provides superior maintenance and threat updates. Zero-day attacks detected for one customer become information shared for all customers and improve security accordingly.
Deployment requires configuring corporate routers to divert traffic to the cloud-based firewall, while mobile users either connect to it via a VPN or by using it as a proxy. This process enables rapid deployment for geographically dispersed organizations or can be used during the replacement of legacy technology from corporate acquisitions.
| Protection Level | Operations Throughput | Vendors | Open-Source Options |
|---|---|---|---|
| High; robust NGFW capabilities delivered at scale and with expansive geographic presence | Medium; scalable cloud resources provide power, but FWaaS cannot be optimized and customized to the same level as fully controlled firewall architecture | | |
Use Cases
Centralized management for geographically dispersed offices
More robust security for IT resource-constrained organizations
Turnkey firewall capabilities for rapid startup or replacement of legacy systems
Common Features
Packet filtering
Stateful inspection
Session filtering
Proxy service
Application layer filtering
Source filtering
Malware filtering
Deep packet inspection
Pros
Cloud-hosted firewalls provide more flexible and scalable solutions with improved uptime compared to on-premises options
Simple and easy deployment without any maintenance requirement
Unified security applied consistently across the organization
More rapid identification and updates for attack threats
Cons
Service provider probably doesn’t know the specific security needs of its customers
May have fewer options than more established hardware and software firewall solutions
Loss of control and potential to expose internal information to third parties (through packet inspection, etc.)
Doesn’t replace the need for device (OS, router) and narrow-solution firewalls (database, container)
Firewall Services as Alternatives to Firewall Purchases
All of the types of firewalls above can be purchased or installed. However, some companies may be too small, lack IT staff, or simply want to avoid the hassles of configuring and managing their own firewalls.
FWaaS provides one option for fully-outsourced firewalls in the lowest common denominator form. However, this won’t always be the best fit for organizations with resource constraints or secrecy or compliance requirements that don’t allow for data to pass through third-party providers.
Organizations with these additional constraints can hire managed service providers (MSPs), managed security service providers (MSSPs), and other cybersecurity consultants to purchase, install, configure, monitor, and maintain a diverse array of firewalls.
In addition to addressing resource constraints, adopting a service (including FWaaS) eliminates capital expenditure (CapEx) costs in favor of operating expenses (OpEx). Although the overall cost of the OpEx expense may eventually exceed the costs of a CapEx firewall acquisition, services provide more flexibility and scalability to right-size the expenditure to match changing needs.
9 Questions to Ask to Find the Right Firewall Solutions
To determine the appropriate firewall solution, first understand and define the needs. These needs must incorporate not only the security requirements but also the operations requirements, risk profiles, and resource constraints.
What kind of resources are being protected?
Which features may already be handled by other solutions?
What kind of traffic will the firewall face, and how critical is packet throughput?
How many resources are being protected?
What is the network architecture?
How costly is the risk of failure?
Are there compliance or secrecy risks?
How many resources are available for firewall management?
What is the realistic budget?
Each of these questions helps determine the features needed and the resources available to implement and manage those features. Gaps between needs, risks, and resources can sometimes be filled with services, but sometimes they must be closed by compromise and accepted risk.
Bottom Line: Choose the Right Firewall Solution As Part of a Bigger Security Picture
Not all businesses will need the same types of firewalls. Small businesses and those without a dedicated security team may gain more benefits from a FWaaS or traditional firewall than large enterprises with the budgets and resources to support NGFWs. The “best” firewall really depends on how a network is set up, the personnel available, and the needed features.
Of course, deploying the selected firewall only starts the process. The firewall must be properly installed, configured, and integrated into the broader network security stack as part of the strategy for layers of security.
eSecurity Planet lead writer Chad Kime covers a variety of security, compliance, and risk topics. Before joining the site, Chad studied electrical engineering at UCLA, earned an MBA from USC, managed 200+ ediscovery cases, and helped market a number of IT and cybersecurity products, then transitioned into technical writing policies and penetration test reports for MSPs and MSSPs.