Firewalls are one of the key devices in a security architecture and in a defense-in-depth strategy, protecting the fixed perimeter of enterprises. The scope of firewalls has evolved considerably over time (see the article Firewall: History), so knowing the key types and understanding their differences is critical for security professionals.
Throughout this material, we introduce the concept, the terminology, the different types and the evolution of the technology over the years. Enjoy reading and improving your knowledge of firewalls.
Firewall: Definition and basics
A firewall is, at its core, a concept that, implemented as an asset in an infrastructure, has the capacity to allow or deny the passage of traffic. Applied to an endpoint, a firewall determines which packets may enter or leave, giving greater control over that equipment.
The concept can also be applied to devices placed strategically between networks, through which communication must pass to reach a given destination. In these cases, more common in companies and service providers, control over communications is fundamental: the firewall regulates what may and may not travel between the networks it interconnects.
Thus, in summary, a firewall is an asset (software or hardware) placed at a strategic position in the network topology, a choke point through which traffic must necessarily pass. Once that is the case, the device controls what may or may not travel on the network.
To make this clearer, imagine a company with a simplified topology: it has an internet connection and an internal network. The firewall is a device connected directly to the internet on one side and to the internal network on the other, so the only path from the local network to the internet is through the firewall. From that point on, it is possible to control what can or cannot travel from the internet to the local network, or in the opposite direction.
Now imagine a slightly more complex scenario: a company with two internet links and four local networks. The firewall can interconnect these four networks, managing what may or may not pass between them, as well as controlling what may come in from the internet, or go out to it, for each network or for the computers connected to them.
Because of its position and importance, the firewall sits at a boundary within the network topology, typically separating private networks from public ones, though not only that. It is no coincidence that the icon most often used to represent a firewall is a wall, usually drawn with flames.
Types of Firewall
The types of firewall follow the technical evolution over time and, more recently, the marketing carried out by vendors to communicate the security features of their products. This is interesting, but it also calls for care, especially when comparing technologies, since it is common for manufacturers to give a single concept very different names.
We give an overview of the terminology currently used to differentiate the purpose of each type. It is important to highlight that many of these mechanisms, even first- or second-generation ones, are still used by current solutions, since they form the control base necessary for the operation of the filters.
Although these are somewhat technical subjects, we treat them as far as possible in an informative way, to make the operation, purpose and scope of each technology or concept easy to understand.
Stateless and Stateful firewall
The difference between stateless and stateful filtering lies in how packets are filtered. Stateless filters are not aware of connections and treat each packet independently, judging it on its header fields alone. Stateful firewalls use an auxiliary mechanism called a state table (or connection table), which keeps a record of the state of each connection passing through the device.
In practice, this difference lets stateful firewalls work with fewer rules (return traffic does not need an explicit rule of its own), validate rules faster and, above all, provide greater security, since they evaluate connection data beyond addresses and ports, such as TCP flags and the current state of the connection, depending on the protocol used.
Stateful filtering can thus be seen as a natural evolution of the stateless mechanism, but both remain in use to this day and are an essential element of information security solutions.
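The following simulation, added here as an illustration and not code from the original article, shows the practical difference described above. A stateless filter that wants to let web replies back in has to accept any inbound packet from TCP port 80 to an internal high port; a stateful filter only accepts packets that belong to a connection it has seen opened. The packet model, the 10.0.0.0/8 internal range and the three-packet trace are constructed for the example.

```python
"""Stateless vs stateful packet filtering on a constructed packet trace (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag: set when a client opens a connection
    ack: bool = False   # TCP ACK flag: set on every packet after the first


def is_internal(ip: str) -> bool:
    """Assumed internal range for the illustration: 10.0.0.0/8."""
    return ip.startswith("10.")


def stateless_filter(pkt: Packet) -> bool:
    """Judge each packet in isolation, from header fields only.

    To let replies to outbound web requests back in, the rule set must accept any
    inbound packet from port 80 to an internal high port, whether or not anyone
    inside asked for it."""
    if is_internal(pkt.src) and pkt.dport == 80:
        return True                                   # outbound web request
    if not is_internal(pkt.src) and pkt.sport == 80 and pkt.dport >= 1024:
        return True                                   # "looks like" a reply
    return False


class StatefulFilter:
    """Same policy, but replies are only accepted for connections in the state table."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # A new outbound connection is allowed by policy and recorded.
        if is_internal(pkt.src) and pkt.dport == 80 and pkt.syn and not pkt.ack:
            self.table.add(key)
            return True
        # Everything else must belong to a known connection, in either direction.
        return key in self.table or reverse in self.table


# Constructed trace: a legitimate request/reply pair, then an unsolicited packet
# from port 80 that merely looks like a reply.
TRACE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, syn=True, ack=True),
    Packet("198.51.100.7", 80, "10.0.0.5", 40001, ack=True),
]


def compare() -> dict[str, list[bool]]:
    """Run the trace through both filters and return the per-packet verdicts."""
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in TRACE],
        "stateful": [stateful.allow(p) for p in TRACE],
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

The third packet is the point of the exercise: the stateless rule set has to pass it, because nothing in its headers distinguishes it from a real reply, while the stateful filter drops it because no internal host opened that connection.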
Proxy Firewall
The term proxy firewall, or simply proxy, applies to more specialized controls over a given application protocol. Proxies work in a complementary way within a security architecture, offering in-depth control based on the behavior and characteristics of the protocol they support.
A common example makes this easier to understand: web browsing control, where access to websites is managed according to parameters such as user, address, time of day and others. While a stateless or stateful firewall acts by allowing or blocking access to the port used for browsing (up to layer 4), an HTTP proxy has visibility into the application layer (layer 7): the method, the requested host and path, and the headers. This gives far more flexibility when applying access policies.
In many cases, application proxies act transparently in a security architecture: traffic to the port associated with the service is automatically redirected to the proxy, which applies controls according to the company's needs. In other cases, the client must be explicitly configured to reach the proxy in order to use the service.
Another interesting example of the complementarity between stateful firewalls and proxies: when the proxy is explicit and a device (computer, tablet, smartphone, etc.) has not been configured to use it, the stateful packet filter can block the device's direct access to the outside, forcing the application to work only through the proxy.
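As an added example (not code from the original article), the policy below is the kind an explicit HTTP proxy can enforce because it parses the request rather than only seeing a packet to port 80. The user name is assumed to come from proxy authentication, the host names, rule set and request texts are constructed, and rules are evaluated top-down with first match winning and a default of deny.

```python
"""Access policy of an explicit HTTP proxy, evaluated on parsed requests (added example)."""
from dataclasses import dataclass
from datetime import time
from fnmatch import fnmatch


@dataclass
class Request:
    user: str        # assumed to be supplied by proxy authentication
    method: str
    host: str
    target: str
    when: time


def parse_request(raw: bytes, user: str, when: time) -> Request:
    """Minimal parse of an HTTP/1.1 request head: request line plus Host header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower().split(":")[0]   # drop an explicit port
    return Request(user, method, host, target, when)


@dataclass
class Rule:
    action: str                         # "allow" or "deny"
    users: tuple = ("*",)               # glob patterns matched against the user
    hosts: tuple = ("*",)               # glob patterns matched against the Host
    methods: tuple = ("*",)
    start: time = time(0, 0)            # time-of-day window in which the rule applies
    end: time = time(23, 59, 59)

    def matches(self, r: Request) -> bool:
        return (any(fnmatch(r.user, p) for p in self.users)
                and any(fnmatch(r.host, p) for p in self.hosts)
                and any(fnmatch(r.method, p) for p in self.methods)
                and self.start <= r.when <= self.end)


# Constructed policy: marketing may use social sites at any time, everyone else
# only outside 09:00-18:00; guest accounts may not open CONNECT tunnels.
POLICY = [
    Rule("allow", users=("marketing-*",), hosts=("*.social.example",)),
    Rule("deny", hosts=("*.social.example",), start=time(9, 0), end=time(18, 0)),
    Rule("deny", users=("guest-*",), methods=("CONNECT",)),
    Rule("allow"),
]


def decide(raw: bytes, user: str, when: time) -> str:
    """First matching rule wins; default deny."""
    r = parse_request(raw, user, when)
    for rule in POLICY:
        if rule.matches(r):
            return rule.action
    return "deny"


def layer4_decision(dport: int) -> str:
    """What a packet filter can decide for the same traffic: only whether the port is open."""
    return "allow" if dport in (80, 443) else "deny"


# Constructed requests.
SOCIAL = b"GET /feed HTTP/1.1\r\nHost: www.social.example\r\nUser-Agent: x\r\n\r\n"
TUNNEL = b"CONNECT bank.example:443 HTTP/1.1\r\nHost: bank.example:443\r\n\r\n"

if __name__ == "__main__":
    print(decide(SOCIAL, "alice", time(10, 0)), decide(SOCIAL, "marketing-bob", time(10, 0)))
    print(decide(TUNNEL, "guest-7", time(12, 0)), layer4_decision(80))
```

Every request here travels to the same port, so a layer 4 filter returns the same answer for all of them; the proxy can return different answers because it knows who is asking, for which host, with which method and at what time.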
Due to the diversity of applications and services, it is neither common nor necessary to have a proxy for every service. It is therefore usual to see proxies specialized in protocols such as HTTP, FTP, IMAP, POP3 and SMTP. Proxies can act both on outgoing connections and on incoming ones; in the latter case they are better known as reverse proxies.
A reverse proxy centralizes a set of applications and publishes them to the network: based on what is requested, the proxy directs the request to the asset that holds the information or application. Since all traffic ends up funneled through the proxy, attacks can be detected before the request is forwarded to the actual application.
It is quite common to use a reverse proxy to publish web applications on the internet, so that the server is not directly exposed and all traffic passes through an intermediate security layer. Other features commonly found in reverse proxy architectures are load balancing and traffic compression, which allow highly available environments to be built and considerable bandwidth to be saved.
Deep Packet Inspection (DPI)
Security challenges grew over time to the point where analyzing and filtering packets based on header information alone became insufficient to ensure the integrity of environments, as attacks increasingly targeted the application layer. Intrusion Detection Systems (IDS), and their later evolution into Intrusion Prevention Systems (IPS), added the concept of deep packet inspection, or deep content inspection.
With this concept, packets are no longer analyzed only by the information in their headers, but above all by their content. In the signature-based model, the packet data is compared against known patterns and, if anomalous behavior or an attack is identified, an action is taken: recording the event, blocking the connection, and so on.
As with proxies, the ability of an IDS/IPS to analyze applications is not necessarily broad: it must know the behavior of the protocol to apply its analyses and comparisons against the solution's existing knowledge (the signatures). Since the data area of a packet holds far more information than its headers, this mechanism commonly consumes more computational resources, especially CPU. Inspection also has to reassemble TCP streams, since a pattern split across two segments would otherwise go unnoticed.
This reinforces the importance of combining several security elements in a truly robust architecture: even proxies act largely on the header area of the application layer, and the data area is generally not examined. The DPI concept present in IDS/IPS adds this visibility and consequently yields a more robust security environment, less susceptible to attacks.
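The following added example (not code from the original article) is a minimal signature-based inspector of the kind described in this section. The three signatures, the payloads and the split-segment case are constructed for the illustration; a real IDS/IPS rule set is far larger and its matching engine far more efficient. The last function also shows the reassembly caveat: the same attack is missed when each segment is inspected alone and caught once the stream is reassembled.

```python
"""Signature-based deep packet inspection over payloads (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    pattern: re.Pattern     # compiled bytes regex applied to the payload
    action: str             # "alert" (IDS behaviour) or "drop" (IPS behaviour)


# Constructed signatures for the illustration.
SIGNATURES = [
    Signature(1001, "HTTP directory traversal", re.compile(rb"(\.\./){2,}"), "drop"),
    Signature(1002, "SQL tautology in query string",
              re.compile(rb"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I), "drop"),
    Signature(1003, "shell substitution in User-Agent",
              re.compile(rb"User-Agent:[^\r\n]*\$\(", re.I), "alert"),
]


def header_only(dport: int) -> str:
    """What a header-based filter decides: the port is open, so the packet passes."""
    return "pass" if dport == 80 else "drop"


def inspect(payload: bytes) -> list[tuple[int, str, str]]:
    """Return (sid, name, action) for every signature that hits the payload."""
    return [(s.sid, s.name, s.action) for s in SIGNATURES if s.pattern.search(payload)]


def verdict(payload: bytes) -> str:
    """Most severe action among the hits: drop beats alert beats pass."""
    hits = inspect(payload)
    if any(action == "drop" for _, _, action in hits):
        return "drop"
    return "alert" if hits else "pass"


def inspect_segments(segments: list[bytes]) -> tuple[list[str], str]:
    """Verdict per TCP segment versus verdict on the reassembled stream."""
    return [verdict(s) for s in segments], verdict(b"".join(segments))


# Constructed payloads, all to port 80, which a header-only filter would pass.
TRAVERSAL = b"GET /../../../../etc/passwd HTTP/1.1\r\nHost: www.example\r\n\r\n"
SQLI = b"GET /login?user=admin' OR '1'='1 HTTP/1.1\r\nHost: www.example\r\n\r\n"
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example\r\nUser-Agent: curl/8.0\r\n\r\n"
# The traversal above, split so that neither segment contains "../../" on its own.
SPLIT = [b"GET /../.", b"./../etc/passwd HTTP/1.1\r\nHost: www.example\r\n\r\n"]

if __name__ == "__main__":
    for name, payload in (("traversal", TRAVERSAL), ("sqli", SQLI), ("benign", BENIGN)):
        print(name, header_only(80), verdict(payload), inspect(payload))
    print("split", inspect_segments(SPLIT))
```

Each regex is applied to the entire payload of every packet, which is where the CPU cost mentioned above comes from; the split example is why inspection engines keep per-connection reassembly buffers rather than looking at segments one by one.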
Unified Threat Management (UTM)
The perception that more and more information security mechanisms needed to be combined into a single solution, ideally working in an integrated way to build safer environments, gave rise to the concept of Unified Threat Management (UTM).
This is primarily a commercial classification for solutions that bundle packet filtering, proxies, VPN, IDS/IPS, antivirus and other features in a single solution or box. It allowed manufacturers to create marketing materials differentiating their solutions in the market.
While gathering so many complementary elements into a single box may seem like the definitive answer to security challenges, there are other implications that make deployment itself quite complex: the more security elements enabled, the more hardware resources are needed. Depending on the size of the organization, UTMs can pose performance problems or even a budget problem, since they require very robust hardware to meet the demand generated by users.
Next Generation Firewall
A Next Generation Firewall (NGFW) can be understood as the successor to the UTM, especially regarding the challenge of ensuring in-depth security for environments without exhausting computing resources. To that end, the fundamental contribution of the NGFW is the application of security policies based on knowledge of the applications, as well as of the attacks associated with them.
The basic requirements for classifying a firewall as next-generation are application-based visibility and control, SSL/SSH content inspection, category-based web control, antivirus integration, and the ability to communicate with third-party services such as Active Directory.
The security mechanisms mentioned above remain present in the architecture of an NGFW: stateful filtering, NAT/PAT, IPS, proxies and others. The great difference, however, is the simplification of security management offered by application visibility.
This concept of application visibility, extending the example given for HTTP traffic, is the ability to distinguish Facebook features (photos, videos, games, advertising, chat, likes, sharing) and let the security policy take this level of granularity into account, rather than only allowing or denying access to facebook.com.
Another key aspect of an NGFW is identifying the application from the traffic itself, not from the port and protocol used in the communication. This means that whether or not an application uses its default port, the traffic is identified correctly and the policy applied. For encrypted traffic this relies on metadata that remains visible, such as the server name (SNI) in the TLS handshake, or on the SSL inspection feature mentioned above.
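To make the port-independence point concrete, here is an added example (not code from the original article or from any vendor) that classifies a flow by its first payload: an SSH banner, a TLS ClientHello (from which it reads the server name) or an HTTP request line. The server-name-to-application mapping, the policy and the sample flows are constructed for the illustration, and the ClientHello is built by a helper in the block so that the example runs offline.

```python
"""Port-independent application identification with an application-based policy (added example)."""
import re
from typing import Optional


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello carrying an SNI extension (sample input only)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name            # name type 0 = host_name
    sni_ext = (b"\x00\x00" + (len(entry) + 2).to_bytes(2, "big")      # extension type 0 = server_name
               + len(entry).to_bytes(2, "big") + entry)
    body = (b"\x03\x03" + bytes(32)        # client_version and a zeroed random
            + b"\x00"                       # empty session id
            + b"\x00\x02\x13\x01"           # one cipher suite
            + b"\x01\x00"                   # null compression
            + len(sni_ext).to_bytes(2, "big") + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake   # record type 22


def tls_sni(payload: bytes) -> Optional[str]:
    """Extract server_name from a ClientHello; None if the payload is not one."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        pos = 5 + 4 + 2 + 32                                   # record hdr, hs hdr, version, random
        pos += 1 + payload[pos]                                # session id
        pos += 2 + int.from_bytes(payload[pos:pos + 2], "big")  # cipher suites
        pos += 1 + payload[pos]                                # compression methods
        ext_end = pos + 2 + int.from_bytes(payload[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= ext_end:
            etype = int.from_bytes(payload[pos:pos + 2], "big")
            elen = int.from_bytes(payload[pos + 2:pos + 4], "big")
            pos += 4
            if etype == 0:   # server_name: list length(2), name type(1), name length(2), name
                nlen = int.from_bytes(payload[pos + 3:pos + 5], "big")
                return payload[pos + 5:pos + 5 + nlen].decode("ascii")
            pos += elen
    except (IndexError, UnicodeDecodeError):
        pass
    return None


# Constructed mapping from TLS server name to application, standing in for a vendor app database.
APP_BY_SERVER_NAME = {"chat.example": "chat-app", "video.example": "video-app"}


def identify_app(payload: bytes) -> str:
    """Classify a flow by the content of its first payload, ignoring the port."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    sni = tls_sni(payload)
    if sni is not None:
        return APP_BY_SERVER_NAME.get(sni, "tls:" + sni)
    first_line = payload.split(b"\r\n", 1)[0]
    if re.match(rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS) \S+ HTTP/1\.[01]$", first_line):
        return "http"
    return "unknown"


def port_based_app(dport: int) -> str:
    """The legacy approach: guess the application from the destination port."""
    return {22: "ssh", 80: "http", 443: "tls"}.get(dport, "unknown")


# Constructed application policy; unidentified applications are denied.
POLICY = {"ssh": "deny", "video-app": "deny", "chat-app": "allow", "http": "allow"}


def decide(dport: int, payload: bytes) -> tuple[str, str]:
    app = identify_app(payload)
    return app, POLICY.get(app, "deny")


# Constructed flows: SSH hiding on 443, video on a non-standard port, chat and web on their usual ports.
SSH_ON_443 = (443, b"SSH-2.0-OpenSSH_9.6\r\n")
VIDEO_ON_8080 = (8080, build_client_hello("video.example"))
CHAT_ON_443 = (443, build_client_hello("chat.example"))
WEB_ON_80 = (80, b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n")

if __name__ == "__main__":
    for dport, payload in (SSH_ON_443, VIDEO_ON_8080, CHAT_ON_443, WEB_ON_80):
        print(dport, port_based_app(dport), decide(dport, payload))
```

The first two flows are where the approaches diverge: port 443 "looks like" TLS to a port-based rule while actually carrying SSH, and the video service is only recognizable on port 8080 because the classifier reads the server name from the handshake rather than trusting the port.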
Can you already identify the type of firewall used in your company? Tell us about your experience and see what current technologies can do for your company. Also read our article on the main differences between UTM and NGFW.