This post has been updated for 2021.
Firewalls are as central to IT security as antivirus programs are to PCs, and the multi-billion-dollar market remains large and growing.
In the broadest terms, firewalls are like bouncers or doormen: They stand at the entrances to corporate networks, applications, databases, and other resources, scrutinizing incoming (and outgoing) data traffic, and deciding what can pass through those entrances and what to reject.
But the term “firewall” is far too broad to be of much use to IT security buyers. There are many different types of firewalls, each of which works in different ways to protect different types of resources, both within data centers and corporate perimeters and outside in the cloud.
Types of Firewalls
- Traditional Network Firewalls
- Next-Generation Firewalls
- Web Application Firewalls
- Database Firewalls
- Unified Threat Management
- Cloud Firewalls
- Container Firewalls
What is a Firewall?
A firewall is a piece of hardware or software that filters incoming network traffic to keep malware and attackers out. IT can set rules about what is and isn’t allowed through the firewall, and then security admins can alter the rules as they gain additional information. Firewalls protect both on-premises and cloud environments.
How does Firewall Technology Work?
Firewall technology works differently depending on the type of firewall you employ, but basically, it examines incoming traffic to make sure it’s all legitimate. It looks for known malware signatures and blocks data packets from entering a network if it finds malicious code. Firewalls can also identify and block packets with mismatched IP addresses—packets that say they’re coming from one location but don’t have an IP address that backs up that claim.
Traditional network firewalls
Packet-filtering network firewalls provide essential network protection by helping to prevent unwanted traffic from getting into the corporate network. They work by applying a set of network firewall security rules to decide whether to allow or deny access to the network. Typical rules include denying entry to all traffic except traffic destined for specific ports that correspond to specific applications running inside the corporate network, and allowing or denying access based on the protocol in use or the source IP address.
- Protection level: High. The vast majority of network compromises are caused by malicious data gaining access to the corporate network from outside, and a traditional firewall can help prevent this by controlling access to the network. But firewalls are only as effective as the staff that manages them. Simple misconfigurations, rather than flaws in the firewall itself, cause about 99% of firewall breaches, so rule sets need to be reviewed and fine-tuned regularly.
- Do you need it? All corporate networks need some form of a firewall to control the data that attempts to flow onto it. An alternative to a traditional firewall is a next-generation firewall (NGFW, see below) that can inspect the contents of packets to give administrators far greater control over the traffic that they allow to enter and leave the network.
- Vendors: Barracuda, Check Point Software, Cisco, Sophos, Juniper Networks, Palo Alto Networks, Fortinet
- Open source firewall software: pfSense, Untangle, OPNsense Firewall, IPFire
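The policy described above (default deny, port- and source-specific allow rules, and a drop for packets whose claimed source address does not match the interface they arrived on) as a small rule evaluator. This is an added illustration, not code from the article or any vendor; the Packet and Rule types, rule names, and all addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed demo of a packet-filtering policy: first matching rule wins,
# anything unmatched is denied. Types, names and addresses are assumptions.
@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on: "wan" or "lan"
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None      # None matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None      # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))

INTERNAL = ip_network("10.0.0.0/8")   # constructed internal address range

# Policy from the text: deny everything except traffic to specific application
# ports, plus one admin rule restricted to a known source network.
POLICY = [
    Rule("web-https", "allow", proto="tcp", dst="10.0.1.10/32", dport=443),
    Rule("ssh-from-office", "allow", proto="tcp", src="203.0.113.0/24",
         dst="10.0.1.10/32", dport=22),
]

def decide(pkt: Packet, policy=POLICY) -> str:
    """First-match evaluation with an implicit default deny."""
    # Anti-spoofing: a packet on the outside interface that claims an inside
    # source address is the "mismatched IP address" case; drop it before
    # consulting the rule list at all.
    if pkt.iface == "wan" and ip_address(pkt.src) in INTERNAL:
        return "deny:spoofed-source"
    for rule in policy:
        if rule.matches(pkt):
            return f"{rule.action}:{rule.name}"
    return "deny:default"
```

Because evaluation stops at the first match, the order of rules is part of the policy; a broad allow placed above a narrower deny silently disables the deny, which is the kind of misconfiguration the text attributes most firewall breaches to.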
Network Firewall Pros
- Very effective when configured correctly
- Isn’t very expensive to implement
Network Firewall Cons
- Doesn’t block web-based attacks
- Can be fooled by manipulated headers
Next-generation firewalls (NGFWs)
Next-generation firewalls serve the same purpose as traditional firewalls – protecting the network from unwanted data traffic – but they work in a different way to achieve this. Specifically, NGFWs offer application awareness with full-stack visibility by looking at the contents of each data packet, rather than just its port, source and destination IP address, and protocol. They can also distinguish between safe and harmful applications using signature matching and SSL decryption.
An application-layer firewall enables you to ban the use of specific applications, such as peer-to-peer file-sharing applications, or to restrict how employees use applications, for example by allowing them to use Skype for voice over IP (VoIP) calls but not for file sharing.
NGFWs also typically use behavioral detection to monitor the network, and they decrypt encrypted traffic to inspect the contents. Additionally, they help segment an organization’s network, replacing internal network (or network segmentation) firewalls.
- Protection level: Very high, because of the high level of granular control they provide. These capabilities may be required for PCI or HIPAA compliance.
- Do you need it? Leaving cost and performance issues to one side, an NGFW provides better network firewall protection than a traditional firewall. Most NGFWs also provide other optional security features such as an intrusion detection system, malware scanning, and SSL data inspection. These can be valuable to companies that do not already have point solutions providing these features, but they also can cause the data throughput capability of the NGFW to drop significantly when activated.
- Vendors: Barracuda, Check Point Software, Cisco, Sophos, Juniper Networks, Palo Alto Networks, Fortinet
Next-Generation Firewall Pros
- More thoroughly searches incoming data for malicious code
- More likely to meet compliance requirements
Next-Generation Firewall Cons
- More expensive than traditional firewalls
- Can have more limited data throughput, which can cause network performance issues
Web application firewalls
A web application firewall is usually a proxy server that stands between an application running on a server and the application’s users who access the application from outside the corporate network. The proxy server accepts incoming data and then establishes its own connection to the application on behalf of the external user. A key benefit of this setup is that the application is shielded from port scans, attempts to determine the software running on the application server, or other malicious activity directed by end-users at the application. The proxy server also analyzes the data to filter malicious requests (such as deliberately malformed requests designed to result in the execution of malicious code), preventing them from ever reaching the web application server.
- Protection level: High, because they provide a buffer between the web application server and unknown and possibly malicious users out on the internet who could otherwise gain access to the web application server directly. Many applications hold confidential data that is valuable to hackers, making web-facing applications a particularly attractive target.
- Do you need it? Web applications can be accessed from the internet, so they’ll likely receive a large number of connections originating from it. For that reason, many organizations take the view that while a conventional packet filtering firewall or a next-generation firewall is the best option for protecting their network, it makes more sense to send web application traffic to the application through a dedicated application firewall.
- Vendors: F5 Networks, Fortinet, Barracuda, Citrix, Imperva
Web Application Firewall Pros
- Adds an extra layer of protection between the user and potentially malicious code
- Easier to use and less prone to security vulnerabilities
Web Application Firewall Cons
- Don’t work with all applications
- May slow down the performance of some applications
Database firewalls
As the name suggests, database firewalls are a subset of web application firewalls that protect databases. They are usually installed directly in front of the database server they protect (or near the network gateway when they are designed to protect more than one database running on more than one server). They detect and prevent specific database attacks, such as cross-site scripting, that can lead to attackers accessing confidential information stored on the databases.
- Protection level: High. Corporate data tends to be extremely valuable, and the loss of confidential information is usually expensive, both directly and in terms of lost reputation and bad publicity. For that reason, it is necessary to take all reasonable steps to protect databases and the data they contain. A database firewall adds significantly to the security of this stored data.
- Do you need it? If you maintain databases containing valuable or confidential information, then the use of a database firewall is highly advisable. In 2020, over 155.8 million records were stolen from databases and exposed, according to Statista. As hackers appear to be successfully targeting databases, that means protecting records is becoming more important than ever.
- Vendors: Oracle, Imperva, Fortinet
Database Firewall Pros
- Can double as a monitoring and auditing tool for database access
- Able to produce compliance reports for regulatory purposes
Database Firewall Cons
- Must be correctly configured and regularly updated to work properly
- Offer little protection against zero-day threats
Unified Threat Management (UTM) appliances
Unified threat management (UTM) appliances provide a nearly complete security solution for small- and medium-sized businesses in the form of a single box that plugs into the network. Typical UTM features include a traditional firewall, an intrusion detection system, and internet gateway security: scanning incoming traffic such as email for viruses, other malware, and malicious attachments, and web address blacklisting to prevent employees from visiting known malicious sites such as phishing sites (functions also covered by secure web gateways). Some UTMs also include web application firewall and next-generation firewall (NGFW) features.
- Protection level: Medium. Most UTMs work well for securing a network, but best-of-breed solutions for each security function will likely offer better protection.
- Do you need it? UTMs are ideal for smaller organizations that don’t have dedicated security staff and lack the skills to configure point solutions.
- Vendors: Leading UTM vendors include Fortinet, SonicWALL, Juniper Networks, Check Point Software, WatchGuard, and Sophos
UTM Pros
- Includes a variety of security features in a single console
- Makes installation and management easier for IT teams
UTM Cons
- Updates happen infrequently
- Less specialized than other types of firewalls
Cloud firewalls
A cloud-based firewall, also sometimes called Firewall-as-a-Service (FWaaS), is an alternative to a firewall running in the corporate data center, but its purpose is exactly the same: to protect a network, application, database, or other IT resources.
- Protection level: High. A cloud firewall provided as a service is configured and maintained by security professionals who specialize in firewall management, so it is capable of offering very good levels of protection for the assets it protects. It is also likely to be highly available, with little or no scheduled or unscheduled downtime. Cloud firewalls are usually implemented by configuring corporate routers to divert traffic to the cloud-based firewall, while mobile users either connect to it via a VPN or use it as a proxy.
- Do you need it? Cloud-based firewalls are particularly attractive to large organizations that lack sufficient security personnel, as well as companies with multiple sites or branch offices that need protecting. The market for cloud-based firewalls is growing strongly and is expected to reach $2.5 billion by 2024, according to Global Market Insights.
- Vendors: Zscaler, Forcepoint, Fortinet
Cloud Firewall Pros
- More scalable than on-premises options, especially for businesses without a dedicated security team
- Maintained by experts in firewall management
Cloud Firewall Cons
- Service provider probably doesn’t know the specific security needs of its customers
- Switching to another provider can be difficult and result in loss of in-house knowledge
Container firewalls
A container firewall protects and isolates containerized application stacks, workloads, and services on a container host. It works in a similar way to a conventional firewall, but it also filters all container-to-container traffic within a container environment, as well as ingress and egress between the protected containers and external networks and other non-containerized applications.
- Protection level: Medium. All containers require security, but as a relatively new computing paradigm, they are often not well understood. That means that while some level of firewalling is desirable, other security considerations (such as ensuring that the contents of each container are up to date) are arguably more important.
- Do you need it? Although dedicated container firewalls are available, it is also possible to protect containers using the host firewall, for example with iptables rules on the container host.
- Vendors: NeuVector, Juniper Networks, Palo Alto Networks
Container Firewall Pros
- Easier to configure than a host-based firewall
- Provides visibility and control over containers
Container Firewall Cons
- Small businesses may have difficulty justifying the cost
- Firewalls may not be as effective as other security measures
Choosing the Right Type of Firewall for Your Business
Not all businesses will need the same type of firewall. Small businesses and those without a dedicated security team may gain more benefits from a cloud-based firewall than large enterprises. NGFWs, on the other hand, may be perfect for enterprises, especially if they integrate well with the business’s other security tools. And there’s one last firewall type to consider: secure web gateways remain a steady market despite competition from UTMs and NGFWs.
The right firewall really depends on how your network is set up, the personnel you have on your team, and the features you need.