What is a Firewall? Types of Firewalls and How They Work
What is a Firewall?
A firewall is a network security solution that protects your network from unwanted traffic. It is based on the simple idea that traffic from a less secure environment should be authenticated and inspected before moving to a more secure environment. Firewalls prevent unauthorized users, devices, and applications from entering a protected network environment or segment, and block incoming malware based on a set of pre-programmed rules. They can also prevent users within the network from accessing certain sites and programs, and can be used to segment the network to control and manage access to internal resources by unauthorized users or systems.
Firewalls date back to the earliest days of the Internet, and have evolved to keep up with the rapid pace of change in the cybersecurity industry. Traditionally, a firewall was put at the network perimeter to determine which types of traffic to let into the network and which to keep out. These firewalls were traditionally focused on the transport and network layers of traffic (Layers 3 and 4). Next-Gen Firewalls were added about a decade ago to inspect and secure application traffic as well (Layer 7). Today, given the rapid evolution of the network and the erosion of the network perimeter, it is recommended to also have firewalls deployed at the core of your network. Data center firewalls should be used to secure traffic moving into and out of the data center environment, as well as applications and workflows moving laterally inside the data center. Internal segmentation firewalls prevent users and malware from infiltrating the network and spreading. Cloud environments and branch offices also require firewall protections. A firewall platform can be a hardware appliance, software that resides on a virtual device, SaaS firewall services in the cloud, or some combination of these.
While a state-of-the-art firewall can no longer single-handedly defend a network against today’s complex cyber threat landscape, these devices are still considered to be the foundational building block for creating a proper cyber defense system. As part of the first line of defense against cyberattacks, firewalls offer essential monitoring and filtering of all traffic, including applications, online transactions, communications and connectivity – such as IPSec or SSL VPN – and dynamic workflows.
As the digital landscape grows more complex due to more devices, users, and applications crossing through the network perimeters – especially due to the growing volume of IoT and end user devices – and less overall centralized control from IT and security teams, companies are becoming much more vulnerable to cyberattacks. Therefore, it is essential to understand how firewalls work, what different types are available, and which are the best for securing which areas of your network.
How do Firewalls work?
A network firewall acts as a shield against unauthorized access to and from your network. It monitors traffic by examining packets of data that travel between your devices and external sources, as well as between devices located in different segments within your network. If those packets do not meet previously selected criteria based on rules that the network administrator or security team has created, they are rejected and that traffic is blocked. To be effective, firewalls must be able to scan all traffic that passes through them at the network, transport, and application layers.
Originally, firewalls were divided into two camps: proxy and stateful. Over time, however, as stateful inspection became more sophisticated and proxy firewalls became too slow, nearly all firewalls today are stateful. Today, there are two general types of firewalls: network firewalls and host-based firewalls. Network firewalls are more sophisticated and are often used by companies because they protect multiple computers, they are faster, and they offer more features. Host-based firewalls protect just one computer and are typically deployed on home or personal devices. Occasionally, though, these firewalls can also be used in corporate settings to provide an added layer of protection.
As the name implies, a network firewall functions at the network level, scanning traffic between external sources and your local area network (LAN), or traffic moving between different segments inside the network. They are placed at the perimeter of the network or network segment as a first line of defense. Host-based firewalls, when deployed in a corporate setting, are almost always used as a second line of defense and are deployed to catch any unauthorized traffic that has managed to evade the network firewall.
A host-based firewall functions at the host level as an application installed on one computer. They often come packaged with the operating system. More advanced firewalls can be added as an additional layer of security. Regardless of how they are packaged, they are designed to protect that computer – or the “host” – alone. Considering the fact that host-based firewalls must be installed and maintained individually on each device, the potential for scalability is limited. Network firewalls, on the other hand, protect all devices and traffic passing a demarcation point, enabling broad scalability.
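The rule matching and stateful inspection described above, as an added example that is not part of this article and not Fortinet code. The packet and rule types, the addresses, and the sample policy (internal hosts may open HTTPS outbound, nothing else) are all constructed here; the point is that rules are consulted only when a connection is opened, while return traffic passes on the strength of the connection table and a stray TCP packet with no matching state is dropped before any rule is even looked at.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed packet and rule types for this example; not a real firewall's data model.

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP SYN flag set: the first packet of a new connection


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src_net: str = "0.0.0.0/0"      # CIDR prefix the source address must fall in
    dst_net: str = "0.0.0.0/0"
    proto: str = "any"
    dst_port: Optional[int] = None  # None matches any destination port


def _in_net(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


class StatefulFirewall:
    """Rules are consulted only for packets that open a connection; replies
    belonging to an already-allowed connection pass on the strength of the
    connection table, so no inbound rule is needed for return traffic."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.connections: Set[Tuple] = set()   # allowed 5-tuples

    def _rule_matches(self, rule: Rule, pkt: Packet) -> bool:
        return (_in_net(pkt.src_ip, rule.src_net)
                and _in_net(pkt.dst_ip, rule.dst_net)
                and rule.proto in ("any", pkt.proto)
                and rule.dst_port in (None, pkt.dst_port))

    def filter(self, pkt: Packet) -> str:
        forward = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if forward in self.connections or reverse in self.connections:
            return "allow (established)"
        # A TCP packet without SYN that matches no known connection cannot be
        # the start of a legitimate session, so it is dropped before rule lookup.
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny (no matching connection)"
        for rule in self.rules:               # first matching rule wins
            if self._rule_matches(rule, pkt):
                if rule.action == "allow":
                    self.connections.add(forward)
                    return "allow (new connection)"
                return "deny (rule)"
        return "deny (default)"               # nothing matched: default deny


def run_demo() -> List[str]:
    # Constructed policy: internal hosts (10.0.0.0/8) may open HTTPS to anywhere; nothing else.
    fw = StatefulFirewall([
        Rule("allow", src_net="10.0.0.0/8", proto="tcp", dst_port=443),
    ])
    packets = [
        Packet("tcp", "10.0.0.5", 51000, "203.0.113.10", 443, syn=True),  # outbound HTTPS
        Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 51000),            # its reply
        Packet("tcp", "198.51.100.7", 40000, "10.0.0.5", 22, syn=True),   # unsolicited SSH
        Packet("tcp", "198.51.100.7", 443, "10.0.0.5", 51001),            # "reply" with no state
        Packet("udp", "10.0.0.5", 53000, "203.0.113.53", 53),             # DNS, not in policy
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Note the order of the checks in `filter`: the connection table is consulted first, then the SYN sanity check, then the rules. Real products also expire table entries after a timeout and track TCP state more finely than a single "established" bit; those details are omitted here.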
Beyond network and host-based firewalls, there are a few other types to know about, as well. These types of firewalls include:
Web Application Firewalls
A web application firewall operates at a different level than a network firewall, examining incoming traffic for Open Systems Interconnection (OSI) Layer 5 to 7 protocols. Layer 5, the session layer, provides the mechanism for opening, closing and managing sessions between end-user application processes. Layer 6 is responsible for the delivery and formatting of information to the application layer for further processing or display. And Layer 7 allows the user to interact directly with the software application.
Web application firewalls add an extra layer of protection by inspecting and ensuring the integrity of all web and application-based traffic. They offer advantages because they examine more than just the network address and port number of incoming traffic and go deeper to assess threats coming from application protocols (like HTTP and FTP). They also have logging capabilities, which prove invaluable to security teams investigating security incidents.
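As an added illustration of Layer 7 inspection and the logging the paragraph above mentions (example code written for this article, not Fortinet's or any product's implementation), the block below parses raw HTTP requests and runs them through a small set of application-layer rules: an allowed-method list, a required Host header, a percent-decoded path check for directory traversal, a body size cap, and a content-type requirement for POST. Every decision is recorded with client address, method, path and the rule that fired, which is the record an incident responder would later need. The hostname `shop.example`, the client addresses and the requests are constructed sample input.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import unquote


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str]   # header names lower-cased
    body: str


def parse_http_request(raw: str) -> HttpRequest:
    """Minimal HTTP/1.1 request parser: request line, headers, body.
    Raises ValueError on a malformed request line."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


# Each rule returns the name of the violation, or None when the request is clean.
RuleFn = Callable[[HttpRequest], Optional[str]]

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_BODY_BYTES = 64 * 1024


def rule_method(req: HttpRequest) -> Optional[str]:
    return None if req.method in ALLOWED_METHODS else "method-not-allowed"


def rule_host(req: HttpRequest) -> Optional[str]:
    return None if "host" in req.headers else "missing-host-header"


def rule_traversal(req: HttpRequest) -> Optional[str]:
    # Decode percent-encoding first so "%2e%2e" is judged the same as ".."
    return "path-traversal" if ".." in unquote(req.path).split("/") else None


def rule_body_size(req: HttpRequest) -> Optional[str]:
    return "body-too-large" if len(req.body.encode("utf-8")) > MAX_BODY_BYTES else None


def rule_post_content_type(req: HttpRequest) -> Optional[str]:
    ctype = req.headers.get("content-type", "")
    if req.method == "POST" and not ctype.startswith("application/json"):
        return "unexpected-content-type"
    return None


class WebAppFirewall:
    def __init__(self, rules: List[RuleFn]):
        self.rules = rules
        self.log: List[Dict[str, str]] = []   # every decision is kept for incident review

    def inspect(self, client_ip: str, raw: str) -> str:
        try:
            req = parse_http_request(raw)
        except ValueError:
            self._record(client_ip, "?", "?", "deny", "malformed-request")
            return "deny"
        for rule in self.rules:               # first violation wins
            violation = rule(req)
            if violation:
                self._record(client_ip, req.method, req.path, "deny", violation)
                return "deny"
        self._record(client_ip, req.method, req.path, "allow", "-")
        return "allow"

    def _record(self, client_ip: str, method: str, path: str, decision: str, reason: str) -> None:
        self.log.append({"client": client_ip, "method": method, "path": path,
                         "decision": decision, "reason": reason})


def run_demo() -> List[Tuple[str, str]]:
    waf = WebAppFirewall([rule_method, rule_host, rule_traversal,
                          rule_body_size, rule_post_content_type])
    samples = [  # constructed requests: (client address, raw request)
        ("198.51.100.4", "GET /catalog/item?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
        ("198.51.100.9", "GET /static/%2e%2e/%2e%2e/config.yml HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
        ("198.51.100.9", "TRACE / HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
        ("198.51.100.4", "POST /api/orders HTTP/1.1\r\nHost: shop.example\r\n"
                         "Content-Type: text/plain\r\n\r\nqty=1"),
        ("198.51.100.4", "POST /api/orders HTTP/1.1\r\nHost: shop.example\r\n"
                         "Content-Type: application/json\r\n\r\n{\"qty\": 1}"),
    ]
    decisions = [waf.inspect(ip, raw) for ip, raw in samples]
    return [(d, entry["reason"]) for d, entry in zip(decisions, waf.log)]
```

The decode-before-match step in `rule_traversal` is the detail worth copying: a WAF that compares the raw path string can be bypassed by encoding, so normalisation has to happen before any rule sees the request.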
Unified Threat Management Firewall
Unified Threat Management (UTM) firewalls offer a modern approach to security by incorporating several critical security features under a single dashboard. These firewall solutions combine elements of a stateful inspection firewall with other key security elements such as antivirus, intrusion prevention systems (IPS), anti-spam, virtual private networks (VPN), and more. UTM firewalls are typically deployed as a single security solution, providing multiple security functions. By layering security features on an organization’s network, security teams ensure complete protection and more robust defense against cyber threats.
UTM firewalls offer reduced complexity for security teams who are tasked with protecting and defending their networks with limited staff or resources. Enterprises and even small and medium-sized businesses (SMBs) that are faced with a complex array of vendors on their network, each with its own security function, can pull security under a single umbrella, thereby reducing complexity and overhead. With a UTM firewall, just one security team is needed – even when there are multiple branches to secure.
Network Address Translation Firewalls
Network Address Translation (NAT) firewalls funnel device traffic through a single gateway to the Internet. They generally do not provide any traffic inspection, but simply work to hide the internal network from external devices and to preserve limited IP addresses by using a single IP address for external connections and then using the broad set of available internal addresses for managing traffic. NAT gateways are often deployed on a Wi-Fi router, but are also sometimes deployed via VPN services.
If a NAT firewall is deployed on a Wi-Fi router, all devices that connect to it will be given the public IP address of that router. This provides each device with the same public IP address. The router also makes a note of the device’s private IP address and retains it without sending that information to the server, thus preserving that information for internal use. As such, it is “translating” the device’s request and forwarding it to the server, substituting its public IP address to make the request – meaning that the device’s private IP address never leaves the local network. In this way, the NAT firewall adds a layer of protection by preventing unsolicited traffic from connecting with internal devices.
When a network address translation firewall is deployed via a VPN, a device’s internet traffic is encrypted and routed through the VPN. The VPN assigns each device a unique private IP address and preserves the functionality of the NAT firewall deployed on the Wi-Fi router. The difference is that it is the VPN that is filtering the traffic, not the router.
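The translation described in the two paragraphs above, as an added example that is not part of this article and not code from any router or VPN product. The gateway keeps one table per direction: an outbound packet from a private address is rewritten to the gateway's single public address and a freshly allocated public port, and an inbound packet is rewritten back only if it answers a flow already in the table. The addresses (a `192.168.1.0/24` LAN, public address `203.0.113.1`, remote server `198.51.100.20`) are constructed documentation addresses.

```python
from collections import namedtuple
from typing import Dict, Optional, Tuple

# Constructed packet type for this example (addresses only; no payload).
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")


class NatGateway:
    """Port-based NAT (NAPT): every outbound flow is rewritten to the gateway's
    single public address and a fresh public port; inbound packets are
    translated back only if they answer a flow the table already knows."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private ip, private port, remote ip, remote port) -> public port
        self.out_table: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote ip, remote port) -> (private ip, private port)
        self.in_table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: replace the private source with the public address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_table:
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.out_table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: forward only replies to a known outbound flow."""
        if pkt.dst_ip != self.public_ip:
            return None
        private = self.in_table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if private is None:
            return None   # unsolicited: no internal device opened this flow
        return Packet(pkt.src_ip, pkt.src_port, private[0], private[1])


def run_demo():
    gw = NatGateway("203.0.113.1")
    # Two internal devices talk to the same web server from the same local port.
    laptop = Packet("192.168.1.10", 50000, "198.51.100.20", 443)
    phone = Packet("192.168.1.11", 50000, "198.51.100.20", 443)
    out1 = gw.outbound(laptop)
    out2 = gw.outbound(phone)
    # The server answers the public address; the gateway maps each reply back.
    reply1 = gw.inbound(Packet("198.51.100.20", 443, "203.0.113.1", out1.src_port))
    reply2 = gw.inbound(Packet("198.51.100.20", 443, "203.0.113.1", out2.src_port))
    # A probe nobody asked for has no table entry and is dropped.
    probe = gw.inbound(Packet("192.0.2.77", 4444, "203.0.113.1", 22))
    return out1, out2, reply1, reply2, probe


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Two devices using the same local port end up on different public ports, which is why the server sees only `203.0.113.1` and never a private address. The "protection" is a side effect of the table: an inbound packet that matches no outbound flow has nowhere to go. That is also the limit of it, since nothing here inspects what the allowed flows carry.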
Internal Segmentation Firewalls
Advanced threats that manage to circumvent perimeter security controls can often move across the internal network looking for resources to exploit because the network is very flat and open. The inside of the network usually consists of non-security-aware devices, such as switches, routers, and even bridges, so that once an attacker gains access to the network they can then enjoy free access to the entire enterprise network, including all of its valuable assets.
Internal Segmentation Firewalls (ISFW) sit at strategic points of the internal network – in front of specific servers that contain valuable intellectual property, or a set of devices or web applications sitting in the cloud – to provide instant “visibility” to traffic traveling into and out of predetermined areas of the network. They are also designed to deliver proactive segmentation, working in conjunction with solutions like Network Access Control (NAC) to dynamically assign new devices and workflows to specific segments of the network based on a variety of criteria.
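To make the segmentation and NAC-driven placement described above concrete, here is an added example (not from this article, not Fortinet's implementation) in which devices are assigned to a segment from their attributes and an explicit segment-to-segment policy decides which services may cross the ISFW. Segment names, the device attributes, the `internet` pseudo-segment and the policy table are all constructed for the example; any pair not listed is denied, so the flat-network lateral movement the previous paragraph describes fails at the first hop.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class Device:
    ip: str
    role: str            # "workstation", "web-server", "db-server", "sensor"
    managed: bool        # enrolled in endpoint management
    authenticated: bool  # identity confirmed by NAC (802.1X, certificate, ...)


def assign_segment(dev: Device) -> str:
    """NAC-style placement: criteria are checked in order, the first match wins,
    and anything that fails every check lands in quarantine with no lateral reach."""
    if not dev.authenticated:
        return "quarantine"
    if dev.role == "sensor":          # IoT gets its own segment regardless of management
        return "iot"
    if not dev.managed:
        return "quarantine"
    return {"workstation": "users", "web-server": "app", "db-server": "data"}.get(
        dev.role, "quarantine")


# Segment pair -> services that may cross the ISFW. Pairs absent here are denied.
POLICY: Dict[Tuple[str, str], FrozenSet[Tuple[str, int]]] = {
    ("users", "app"):      frozenset({("tcp", 443)}),
    ("app", "data"):       frozenset({("tcp", 5432)}),
    ("users", "internet"): frozenset({("tcp", 80), ("tcp", 443)}),
    ("iot", "internet"):   frozenset({("tcp", 443)}),
}


def isfw_decision(src: Device, dst: Union[Device, str], proto: str, port: int) -> str:
    src_seg = assign_segment(src)
    # "internet" is a pseudo-segment, so a destination may be given as a plain name
    dst_seg = assign_segment(dst) if isinstance(dst, Device) else dst
    label = f"{src_seg}->{dst_seg} {proto}/{port}"
    if src_seg == dst_seg:
        return f"not inspected (same segment) {label}"   # never crosses the ISFW
    if (proto, port) in POLICY.get((src_seg, dst_seg), frozenset()):
        return f"allow {label}"
    return f"deny {label}"


def run_demo() -> List[str]:
    # Constructed devices on a constructed addressing plan.
    ws = Device("10.1.0.15", "workstation", managed=True, authenticated=True)
    web = Device("10.2.0.8", "web-server", managed=True, authenticated=True)
    db = Device("10.3.0.4", "db-server", managed=True, authenticated=True)
    rogue = Device("10.1.0.99", "workstation", managed=False, authenticated=False)
    return [
        isfw_decision(ws, web, "tcp", 443),     # user to front end: allowed
        isfw_decision(web, db, "tcp", 5432),    # front end to database: allowed
        isfw_decision(ws, db, "tcp", 5432),     # user straight to the database: denied
        isfw_decision(web, ws, "tcp", 445),     # server reaching back into users: denied
        isfw_decision(rogue, web, "tcp", 443),  # unauthenticated device: quarantined
        isfw_decision(ws, "internet", "tcp", 443),
    ]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The same-segment branch is the caveat to keep in mind: an ISFW only sees traffic that crosses it, so two hosts placed in the same segment can still reach each other freely. Segment granularity, not the policy table, decides how much lateral movement remains possible.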
Next-Generation Firewalls (NGFW)
A next-generation firewall (NGFW) is similar to a UTM firewall that has been designed to block modern threats. They combine the functionalities and capabilities of previous-generation firewalls – stateful inspection, for example – with techniques that address the ongoing, evolving threat landscape. This is especially critical as cyber criminals become more sophisticated in their attack methods, increasing the level of risk facing networks and the data and devices they hold.
Next-generation firewalls go beyond port and protocol inspection of packets, adding many of the capabilities mentioned in previous sections of this article, such as:
- Application-level inspection for app awareness and control
- Stateful inspection
- Traffic blocking based on port, state, and protocol
- Traffic filtering based on administrator-defined rules
- Integrated intrusion prevention
- Sandboxing to detect and prevent advanced and unknown threats
NGFWs then go further, adding the following capabilities that go above and beyond standard protections. To be defined as “next-generation,” a firewall must also:
- Block sophisticated threats such as advanced malware.
- Block attacks aimed at applications at the application layer, thus securing, or restricting access to, those that are considered high-risk.
- Provide upgrade paths to incorporate ongoing and future information feeds.
- Address evolving security threats.
- Block known attacks with web filtering, intrusion prevention, anti-malware, and application control while also detecting and blocking unknown attacks using advanced threat protection solutions.
- Provide a view of threat activity for all users, hosts, devices, and networks in use across the organization.
- Retain information about when a threat took place and from where it originated, how deep into the network it was able to penetrate, and what it is currently doing.
- Provide information about communications between all types of devices, including virtual machines.
A key ingredient of an NGFW is its ability to leverage intelligence gathered about evolving threats – information that is collected from outside the firewall. As a result, they are sometimes called “integrated” firewalls because they work with other systems, including cloud-delivered data systems, offering intelligence on threats to improve security.
NGFWs offer valuable cybersecurity protections for enterprises and small businesses alike. The key benefits of an NGFW, whether your organization is small, medium, or large, include the following:
- Reduced complexity: A good next-generation firewall will reduce complexity for security teams by consolidating security products and services into a simplified management console. They also enable unified policies that can be efficiently deployed across the entire network.
- Reduced cost: Consolidating a disparate array of vendor-based security products and services can also reduce costs and help businesses maximize their return on investment (ROI).
- Faster time to resolution: Respond appropriately when attacks occur by leveraging automation. Policies can be set automatically and defenses can react dynamically, faster than any human-centered process will ever be able to.
- Increased visibility: With complete context awareness, NGFWs allow organizations of any size to know exactly which assets are most at risk.
- Speed up security cycles: The time from threat detection to the cleanup of the impact of a threat will be significantly reduced with an NGFW that continually monitors for suspicious activity even after the initial inspection has taken place.
- Safer cloud access: With a good NGFW in place, organizations can enjoy a more secure cloud experience. Next-generation firewalls help administrators achieve transparency and control because they enable the inspection of all types of traffic in the cloud, even encrypted (SSL/TLS) traffic.
- Visibility: Network and security events are accessed via the NGFW for context, providing more visibility.
- Simplified operations: An NGFW will help simplify operations by automating certain security-related tasks, allowing time to be spent on other critical matters.
FortiGate: Network Firewall Security
Fortinet’s FortiGate NGFWs exceed the industry standard in providing superior protection, as recognized for the 10th time in Gartner’s Magic Quadrant for Network Firewalls. FortiGate solutions combine all of the various firewall permutations into a single, integrated platform, including new SD-WAN functionality. Its single-pane-of-glass management offers a simplified experience for a broad array of use cases, as well as flexible deployment across all network edges. Fortinet’s security-driven approach to networking enables security to be built into every aspect of the network, from the ground level up.
Because it has been developed with purpose-built security processors, it can also ensure that network slowdowns will not interfere with maintaining a usable network. Its integration with FortiGuard Labs advanced threat intelligence services ensures that critical security updates are delivered in real time throughout the day, providing defenses not only against known threats but also against unknown attacks.
No matter how great a firewall is, however, it is not a complete solution. To cover an organization’s entire attack surface, security solutions for network, endpoint, application, data center, cloud, access, and email must all work together as an integrated and collaborative security fabric. At the heart of the Fortinet Security Fabric is the FortiGate next-generation firewall platform (hardware and virtualized), which is key to delivering true end-to-end network security. By implementing the broad, integrated, and automated security fabric framework, organizations can enable advanced security functions, including security-driven networking, zero-trust network access, dynamic cloud security, and AI-driven security operations.