Firewalls have been around for three decades, but they have evolved drastically to include features that used to be sold as separate appliances and to pull in externally gathered data to make smarter decisions about what network traffic to allow and what traffic to block.
Now just one indispensable element in an ecosystem of network defenses, the latest versions are known as enterprise firewalls or next-generation firewalls (NGFW), names that indicate who should use them and that they are continually adding functionality.
What is a firewall?
A firewall is a network device that monitors packets going in and out of networks and blocks or allows them according to rules that have been set up to define what traffic is permissible and what traffic isn’t.
There are several types of firewalls that have developed over the years, becoming progressively more complex and taking more parameters into consideration when determining whether traffic should be allowed to pass. Firewalls started off as packet filters, but the newest do much, much more.
Initially placed at the boundaries between trusted and untrusted networks, firewalls are now also deployed to protect internal segments of networks, such as data centers, from other segments of organizations’ networks.
They are commonly deployed as appliances built by individual vendors, but they can also be bought as virtual appliances – software that customers install on their own hardware.
Proxy-based firewalls
These firewalls act as a gateway between end users who request data and the source of that data. Host devices connect to the proxy, and the proxy makes a separate connection to the source of the data. In response, source devices make connections to the proxy, and the proxy makes a separate connection to the host device. Before passing on packets to a destination address, the proxy can filter them to enforce policies, mask the location of the recipient's device and protect the recipient's device and network.
The upside of proxy-based firewalls is that machines outside the network being protected can gather only limited information about the network because they are never directly connected to it.
The major downside of proxy-based firewalls is that terminating incoming connections, creating outgoing connections and filtering all add delay that can degrade performance. In turn, that can rule out using some applications across the firewall because response times become too slow.
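To make the "two separate connections" behaviour concrete, here is an added example (not code from the article or from any firewall vendor) of a minimal forwarding proxy on localhost. The origin server replies with the peer address it observed, so the client can see that the origin only ever learned the proxy's address and port, never the client's. The policy token `FORBIDDEN` and the request strings are constructed for the example.

```python
"""Toy proxy-based firewall: terminate the client connection, apply policy,
then open a separate upstream connection. Added example, not vendor code."""
import socket
import threading

FORBIDDEN = b"secret"  # constructed policy: requests carrying this token are dropped


def _listener():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    s.listen(1)
    return s


def origin_server(listener):
    """Origin that echoes the request and the peer port it saw on the connection."""
    listener.settimeout(2)
    try:
        conn, peer = listener.accept()
    except socket.timeout:
        return  # nothing reached the origin (the proxy blocked the request)
    with conn:
        request = conn.recv(4096)
        conn.sendall(f"{peer[1]}|{request.decode()}".encode())


def proxy_firewall(listener, origin_addr):
    """Accept the client, enforce policy, and only then connect to the origin."""
    client, _ = listener.accept()
    with client:
        request = client.recv(4096)
        if FORBIDDEN in request:
            client.sendall(b"blocked")  # client connection is answered by the proxy itself
            return
        # A brand-new connection: the origin sees the proxy as its peer.
        with socket.create_connection(origin_addr) as upstream:
            upstream.sendall(request)
            client.sendall(upstream.recv(4096))


def send_via_proxy(request: bytes):
    """Run origin and proxy in threads, send one request through the proxy,
    and report what the origin saw versus the client's real source port."""
    origin_l, proxy_l = _listener(), _listener()
    threads = [
        threading.Thread(target=origin_server, args=(origin_l,), daemon=True),
        threading.Thread(target=proxy_firewall, args=(proxy_l, origin_l.getsockname()), daemon=True),
    ]
    for t in threads:
        t.start()
    with socket.create_connection(proxy_l.getsockname()) as client:
        client.sendall(request)
        reply = client.recv(4096).decode()
        client_port = client.getsockname()[1]
    for t in threads:
        t.join(timeout=3)
    origin_l.close()
    proxy_l.close()
    if reply == "blocked":
        return {"status": "blocked", "client_port": client_port}
    origin_saw_port, echo = reply.split("|", 1)
    return {"status": "forwarded", "client_port": client_port,
            "origin_saw_port": int(origin_saw_port), "echo": echo}


if __name__ == "__main__":
    print(send_via_proxy(b"GET /index"))   # forwarded; origin_saw_port != client_port
    print(send_via_proxy(b"GET /secret"))  # blocked before any upstream connection exists
```

The origin never receives a connection at all for the blocked request, which is the property the previous paragraph describes: outside machines only ever interact with the proxy, and every forwarded request costs a full extra connection setup, which is where the latency comes from.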
Stateful firewalls
A performance improvement over proxy-based firewalls came in the form of stateful firewalls, which keep track of a wealth of information about connections and make it unnecessary for the firewall to inspect every packet. This greatly reduces the delay introduced by the firewall.
By maintaining the state of connections, these firewalls can, for example, forego inspecting incoming packets that they identify as responses to legitimate outgoing connections that have already been inspected. The initial inspection establishes that the connection is allowable, and by preserving that state in its memory, the firewall can pass through subsequent traffic that is part of that same conversation without inspecting every packet.
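The following added example (written for this page, not taken from any firewall product) simulates the behaviour just described: the rule base is consulted only for packets that start a new conversation, and replies belonging to an already-accepted connection are passed on a state-table hit. The policy, addresses and packet trace are constructed; a real firewall would track the full TCP state machine rather than the SYN/RST shortcut used here.

```python
"""Toy stateful packet filter. Added example, not vendor code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    ts: float         # arrival time in seconds
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags as letters: "S", "SA", "A", "R"


# Constructed policy: hosts on 10.0.0.0/8 may open HTTPS and DNS conversations
# to anywhere; nothing else may start a conversation (default deny).
RULES = [
    ("tcp", "10.0.0.0/8", "0.0.0.0/0", 443, "allow"),
    ("udp", "10.0.0.0/8", "0.0.0.0/0", 53, "allow"),
]


class StatefulFirewall:
    def __init__(self, idle_timeout=300.0):
        self.idle_timeout = idle_timeout
        self.table = {}         # 5-tuple of the initiating direction -> last-seen ts
        self.rule_lookups = 0   # how often the full rule base had to be consulted

    @staticmethod
    def _forward(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now):
        self.table = {k: t for k, t in self.table.items() if now - t <= self.idle_timeout}

    def _consult_rules(self, p):
        self.rule_lookups += 1
        for proto, src_net, dst_net, dport, action in RULES:
            if (p.proto == proto
                    and ip_address(p.src) in ip_network(src_net)
                    and ip_address(p.dst) in ip_network(dst_net)
                    and p.dport == dport):
                return action
        return "deny"

    def process(self, p):
        self._expire(p.ts)
        for key in (self._forward(p), self._reverse(p)):
            if key in self.table:
                # Part of an already-inspected conversation: pass without a rule lookup.
                if "R" in p.flags:
                    del self.table[key]   # a reset tears the connection down
                else:
                    self.table[key] = p.ts
                return "allow"
        # No state: only a bare SYN may open a new TCP conversation, so a stray
        # ACK or SYN/ACK is dropped even where a rule would allow the flow.
        if p.proto == "tcp" and p.flags != "S":
            return "deny"
        action = self._consult_rules(p)
        if action == "allow":
            self.table[self._forward(p)] = p.ts
        return action


# Constructed traffic trace (sample data, not a capture).
TRACE = [
    Packet(0.0, "tcp", "10.0.0.5", 51000, "203.0.113.10", 443, "S"),    # client SYN
    Packet(0.1, "tcp", "203.0.113.10", 443, "10.0.0.5", 51000, "SA"),   # legitimate reply
    Packet(0.2, "tcp", "10.0.0.5", 51000, "203.0.113.10", 443, "A"),
    Packet(1.0, "tcp", "198.51.100.9", 443, "10.0.0.5", 51000, "SA"),   # unsolicited "reply"
    Packet(1.5, "tcp", "198.51.100.9", 40000, "10.0.0.5", 22, "S"),     # unsolicited inbound SYN
    Packet(2.0, "udp", "10.0.0.5", 53001, "203.0.113.53", 53),          # DNS query
    Packet(2.1, "udp", "203.0.113.53", 53, "10.0.0.5", 53001),          # DNS answer
    Packet(400.0, "tcp", "10.0.0.5", 51000, "203.0.113.10", 443, "A"),  # after idle timeout
]


def run_trace(trace=TRACE):
    """Return the per-packet decisions and how many rule lookups they cost."""
    fw = StatefulFirewall()
    return [fw.process(p) for p in trace], fw.rule_lookups


if __name__ == "__main__":
    print(run_trace())  # eight decisions, only three rule lookups
```

Eight packets cost three rule lookups: the HTTPS handshake, the DNS query and the inbound SSH attempt. The two replies and the client's ACK are state-table hits, the forged SYN/ACK and the late ACK are dropped without consulting a rule at all, and the idle timeout shows why long-quiet connections can be cut by a stateful device.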
Web application firewalls
Web application firewalls sit logically between servers that support Web applications and the internet, protecting them from specific attacks such as cross-site scripting, SQL injection and others. They can be hardware- or cloud-based, or they can be baked into applications themselves, to determine whether each client trying to reach the server should be allowed access.
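To show what "sits between the server and the internet" means at the request level, here is an added example (not the article's code or any WAF product's rule set) of an inbound HTTP request inspector. It decodes query and form parameters, normalises them so that double URL encoding does not slip past the check, and matches each value against a small constructed signature set for the two attack classes the paragraph names. The signatures, paths and parameter values are constructed for the example; production rule sets are far larger and are tuned continuously for false positives.

```python
"""Toy web application firewall request inspector. Added example, not vendor code."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed signature set (name, pattern). Real WAF rule sets are much richer.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s+['\d]+\s*=\s*['\d]+")),
    ("sqli-union", re.compile(r"(?i)\bunion\b.+\bselect\b")),
    ("sqli-trailing-comment", re.compile(r"(--|/\*)\s*$")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
    ("xss-event-handler", re.compile(r"(?i)\bon\w+\s*=")),
]


def normalize(value: str) -> str:
    """Undo up to two extra layers of URL encoding and collapse whitespace.
    parse_qsl already decoded once, so this also handles double encoding."""
    decoded = unquote_plus(unquote_plus(value))
    return re.sub(r"\s+", " ", decoded)


def inspect_request(method: str, url: str, body: str = "") -> dict:
    """Return an allow/block decision for one request, naming the rule and parameter hit."""
    parts = urlsplit(url)
    fields = parse_qsl(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        fields += parse_qsl(body, keep_blank_values=True)
    for name, raw in fields:
        value = normalize(raw)
        for rule, pattern in SIGNATURES:
            if pattern.search(value):
                return {"action": "block", "rule": rule, "param": name, "path": parts.path}
    return {"action": "allow", "rule": None, "param": None, "path": parts.path}


# Constructed requests a WAF might see (sample data, not captured traffic).
SAMPLES = [
    ("GET", "/search?q=laptop+bag", ""),
    ("GET", "/login?user=admin'+OR+'1'='1&pass=x", ""),
    ("GET", "/search?q=%253Cscript%253Ealert(1)%253C/script%253E", ""),  # double-encoded
    ("POST", "/comment", "text=hello+world&page=3"),
    ("GET", "/report?id=1+UNION+SELECT+name+FROM+users", ""),
]


def inspect_samples(samples=SAMPLES):
    return [inspect_request(*s)["action"] for s in samples]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_request(*sample))
```

The third sample is the interesting one: after one round of decoding it still looks harmless, and it is the normalisation step, not the signature, that makes the difference. That is also why the value-inspection approach needs care in practice: a rule like `xss-event-handler` will flag benign values such as `reason=none` if the application uses that shape, so real deployments pair signatures with per-application tuning.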
Next-generation firewalls
Packets can be filtered using more than the state of connections and source and destination addresses. This is where NGFWs come into play. They incorporate rules for what individual applications and users are allowed to do, and blend in data gathered from other technologies in order to make better-informed decisions about what traffic to allow and what traffic to drop.
For example, some of these NGFWs perform URL filtering, can terminate secure sockets layer (SSL) and transport layer security (TLS) connections, and support software-defined wide area networking (SD-WAN) to improve the efficiency of how dynamic SD-WAN decisions about connectivity are enforced.
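The two paragraphs above describe three inputs a plain packet filter does not have: the identity of the user behind a flow, the application identified by inspecting the traffic rather than the port, and externally gathered data such as a URL category feed. The added example below (written for this page, not taken from any NGFW product) evaluates a first-match policy over flows carrying those attributes and compares the outcome with a port-only filter on the same flows. The users, groups, application labels, feeds and hostnames are all constructed.

```python
"""Toy next-generation firewall policy engine. Added example, not vendor code."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Flow:
    user: str       # identity learned from the directory / identity provider
    group: str
    app: str        # application identified by traffic inspection, not by port
    dst_host: str   # server name from the TLS handshake or a terminated TLS session
    dst_port: int


# Externally gathered data (constructed for the example): a URL category feed
# and a reputation feed of hosts recently seen serving malware.
URL_CATEGORIES = {
    "code.example.com": "business",
    "videos.example.net": "streaming",
    "bad.example.org": "malware",
}
REPUTATION_BLOCKLIST = {"bad.example.org", "c2.example.org"}


def category(host: str) -> str:
    return URL_CATEGORIES.get(host, "unknown")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    match: Callable[[Flow], bool]


# First-match policy. Constructed for the example.
POLICY = [
    Rule("block-known-bad", "deny",
         lambda f: f.dst_host in REPUTATION_BLOCKLIST or category(f.dst_host) == "malware"),
    Rule("admins-ssh", "allow", lambda f: f.group == "admins" and f.app == "ssh"),
    Rule("no-p2p", "deny", lambda f: f.app == "bittorrent"),
    Rule("staff-web", "allow",
         lambda f: f.app in ("web-browsing", "ssl") and category(f.dst_host) in ("business", "unknown")),
]


def evaluate(flow: Flow) -> tuple:
    """Return (action, rule name) for the first matching rule, or a default deny."""
    for rule in POLICY:
        if rule.match(flow):
            return rule.action, rule.name
    return "deny", "default-deny"


def port_only_filter(flow: Flow) -> str:
    """What a traditional filter would do with the same flow: allow well-known web ports."""
    return "allow" if flow.dst_port in (80, 443) else "deny"


# Constructed flows (sample data).
FLOWS = {
    "admin-ssh": Flow("alice", "admins", "ssh", "bastion.example.com", 22),
    "ssh-on-443": Flow("bob", "staff", "ssh", "relay.example.net", 443),
    "staff-web": Flow("bob", "staff", "web-browsing", "code.example.com", 443),
    "malware-site": Flow("bob", "staff", "web-browsing", "bad.example.org", 80),
    "p2p": Flow("alice", "admins", "bittorrent", "peer.example.net", 6881),
    "streaming": Flow("bob", "staff", "ssl", "videos.example.net", 443),
}


def compare(flows=FLOWS):
    """Side-by-side decisions: NGFW policy versus port-only filtering."""
    return {name: {"ngfw": evaluate(f), "port_only": port_only_filter(f)} for name, f in flows.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:14} ngfw={result['ngfw']}  port_only={result['port_only']}")
```

The `ssh-on-443` and `malware-site` flows are where the extra inputs matter: a port-only filter allows both because they use port 443 and 80, while the policy denies the first because the identified application is SSH and the user is not an administrator, and the second because the reputation feed says so. Note that `dst_host` is only available for TLS traffic where the NGFW can read the server name or has terminated the session, which is why the paragraph ties URL filtering to SSL/TLS termination.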