A network firewall is a network security device that monitors incoming and outgoing network traffic and allows or blocks it according to a set of rules. Firewalls are a first line of defense in network security. Their purpose is to establish a barrier between your internal network and traffic arriving from external sources (such as the internet) in order to block malicious traffic such as malware and intrusion attempts.

How Does a Firewall Work?

A firewall uses a set of rules, also called an access control list (ACL). Each rule in the ACL is a filter that matches one type of network traffic out of all possible types. The purpose of packet filters is to control access to specific network segments by defining which traffic can pass through to them. Packet filters usually inspect incoming traffic at the transport layer of the OSI model. The firewall uses these filters to decide whether to allow or block specific traffic.

Each ACL entry (filter rule) has several fields. The main fields, with an example value for each, are:

  • Source address: 172.16.54.5
  • Source port: 443
  • Destination address: 172.25.18.12
  • Destination port: 135
  • Protocol: UDP
  • Direction: Incoming
  • Action: Block

Example: “Source address 172.28.10.1 is allowed to reach destination 192.168.2.1 over port TCP 86.”

In this example, what is the source port? The answer is TCP port 86 on the source address. What is the destination port? The answer is any (that is, ALL).

The source address and the destination address can each be a single host IP address or a whole network subnet.
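As an added illustration (not code from the article or any of its sources), here is a small first-match ACL evaluator in Python built from the fields listed above; the rules, packets and addresses are constructed for the example, and it also handles subnet matching, rule ordering and the default-deny case.

```python
"""Added example: first-match evaluation of a packet-filter ACL (not from the article)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    direction: str   # "incoming" or "outgoing"

@dataclass(frozen=True)
class Rule:
    src: str = ANY         # single host IP, CIDR subnet, or "any"
    sport: object = ANY
    dst: str = ANY
    dport: object = ANY
    proto: str = ANY
    direction: str = ANY
    action: str = "block"

def _addr_match(pattern, addr):
    # A bare host IP becomes a /32 network, so hosts and subnets use one check
    return pattern == ANY or ip_address(addr) in ip_network(pattern, strict=False)

def _value_match(pattern, value):
    return pattern == ANY or pattern == value

def evaluate(acl, pkt, default="block"):
    """Walk the ACL top-down; the first rule whose fields all match decides.
    A packet that matches no rule gets the default action (deny by default)."""
    for rule in acl:
        if (_addr_match(rule.src, pkt.src) and _value_match(rule.sport, pkt.sport)
                and _addr_match(rule.dst, pkt.dst) and _value_match(rule.dport, pkt.dport)
                and _value_match(rule.proto, pkt.proto)
                and _value_match(rule.direction, pkt.direction)):
            return rule.action
    return default

# Constructed ACL: the specific block entry from the field list above, followed by a
# broader subnet-to-subnet allow. Order matters: reversed, the allow shadows the block.
ACL = [
    Rule(src="172.16.54.5", sport=443, dst="172.25.18.12", dport=135, proto="udp",
         direction="incoming", action="block"),
    Rule(src="172.16.54.0/24", dst="172.25.18.0/24", direction="incoming", action="allow"),
]
```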

It is useful for a firewall to classify the networks it connects. Many firewalls do this, grouping networks into three general types:

  1. Local networks (like the organization’s LAN)
  2. Public networks (like the internet)
  3. Trusted networks (networks that are not part of the organization’s LAN but that we trust)

Source: forcepoint.com

Types of Firewalls

There are software and hardware firewalls. Each format serves a different but important purpose.

A hardware firewall is a physical appliance placed between your network and the gateway.

A software firewall is a program on a computer that filters traffic by port number and application. Software firewalls come in two types: host-based and network-based.

  • Network-based firewalls are usually installed on a server. This type filters traffic going between the internet and the secured LAN. Network-based firewalls are typically used by businesses that need to protect a large network of computers, servers, and employees.
  • Host-based firewalls are installed locally on a single computer or device, where they control incoming and outgoing traffic, decide whether to allow traffic to that individual device, and protect the host.

Firewalls are also classified by how they inspect traffic. There is no single standard classification for firewalls; in this article we discuss the more common types, which are:

  • Packet-Filtering
  • Proxy
  • Unified Threat Management (UTM)
  • Next-Generation Firewall (NGFW)
  • Network Address Translation (NAT)
  • Web Application
  • Personal

Packet-Filtering Firewall

This is the most common type of firewall. It examines each packet entering or leaving the network and accepts or rejects it based on user-defined rules. In other words, a packet-filtering firewall is a management program that can block network traffic by IP protocol, IP address, and port number.

Packet-filtering firewalls are divided into two categories:

  • Stateful firewall: This type is often called a stateful multi-layer inspection (SMLI) firewall. Stateful firewalls remember information about previously passed packets and are considered much more secure. They are capable of monitoring and detecting the state of all traffic on a network, so they can track and defend based on traffic patterns and flows. Stateful firewalls monitor all aspects of the traffic streams, their characteristics and communication channels. An SMLI firewall filters packets at the network, transport, and application layers, comparing them against known trusted packets. As a result, the SMLI firewall performs multi-layer monitoring: it examines the entire packet and only allows it to pass if it passes each layer individually.
  • Stateless firewall: This type monitors network traffic and restricts or blocks packets based on source and destination addresses or other static values. These firewalls examine packets independently of one another and lack context, so they are typically unable to tell the difference between genuinely desired communications and sophisticated attempts to disguise unauthorized communications as trusted ones. In other words, a stateless firewall does not inspect traffic statefully; it evaluates packet contents statically and does not keep track of the state of network connections. These disadvantages make a stateless firewall an easier target for attackers.


Packet-filtering firewalls provide very basic protection and can be very limited. For example, if a malicious request that was allowed from a trusted source address resulted in, say, the deletion of a database, the firewall would have no way of knowing that. They also don’t block web-based attacks, because all web traffic is allowed through.
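To make the stateless/stateful distinction above concrete, here is an added Python example (not from the article or its sources) that runs the same three constructed packets through a stateless rule set and through a filter that keeps a connection table; the LAN prefix and all addresses are assumptions for the example.

```python
"""Added example: a stateless rule set versus a stateful connection table (not from the article)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

LAN_PREFIX = "192.168.1."   # constructed: hosts in the protected LAN share this prefix

def stateless_filter(pkt):
    """Stateless rule set. To let HTTPS replies back in, it must statically allow
    everything that arrives *from* port 443, whether or not a LAN host asked for it."""
    if pkt.src.startswith(LAN_PREFIX) and pkt.dport == 443:
        return "allow"                      # LAN host going out to HTTPS
    if pkt.dst.startswith(LAN_PREFIX) and pkt.sport == 443:
        return "allow"                      # looks like a reply; there is no way to check
    return "block"

class StatefulFilter:
    """Remembers outbound flows and admits an inbound packet only when it is the
    reverse of a flow that a LAN host opened (the usual ESTABLISHED rule)."""
    def __init__(self):
        self.flows = set()                  # (src, sport, dst, dport, proto)

    def filter(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if pkt.src.startswith(LAN_PREFIX) and pkt.dport == 443:
            self.flows.add(key)             # new outbound flow: allow and record it
            return "allow"
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.flows:
            return "allow"                  # reply to a connection we saw leave
        return "block"                      # no matching state: unsolicited

# Constructed traffic: one legitimate HTTPS exchange, then an unsolicited packet
# that carries source port 443 so that it resembles a reply.
OUTBOUND = Packet("192.168.1.10", 52000, "203.0.113.5", 443)
REPLY = Packet("203.0.113.5", 443, "192.168.1.10", 52000)
UNSOLICITED = Packet("198.51.100.7", 443, "192.168.1.10", 22)

def compare(packets=(OUTBOUND, REPLY, UNSOLICITED)):
    """Return (stateless verdicts, stateful verdicts) for the packets, in order."""
    stateful = StatefulFilter()
    return ([stateless_filter(p) for p in packets],
            [stateful.filter(p) for p in packets])
```

The stateless filter admits all three packets; the stateful one admits only the flow it saw leave and its reply.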

Source: forcepoint.com

Proxy Firewall

A proxy firewall serves as the gateway from one network to another for a specific application. It filters network traffic at the application level: it scans incoming traffic for layer 7 protocols (such as FTP and HTTP) and also offers “deep packet inspection” of the incoming data packets for possible malicious content. A proxy firewall hides the true network address of the computer(s) connecting through it. It connects to the internet, makes the requests for pages, opens connections to servers, and so on, and receives the data on behalf of the computer(s) behind it. The firewall capability lies in the fact that a proxy can be configured to allow only certain types of traffic to pass (for example, HTTP files, or web pages).

In other words, a proxy firewall makes use of a proxy server with firewall features and acts as a filter between the client and the internet servers. A proxy firewall has the potential drawback of slowing network performance, since it has to actively analyze and manipulate the traffic passing through it.

Source: kb.iu.edu

Unified Threat Management (UTM) Firewall

A UTM provides multiple security features and services in a single device or service on the network, protecting users from security threats in a simplified way. A UTM includes functions such as firewall, anti-virus, anti-spam, content filtering, VPN, and web filtering. A UTM device typically combines the functions of a stateful inspection firewall with intrusion prevention and antivirus.

UTMs focus on simplicity and ease of use. An all-in-one solution is much easier for an organization to manage than several separate security products, which reduces complexity.

Source: juniper.net


Next-Generation Firewall (NGFW)

Firewalls have evolved beyond simple packet filtering and stateful inspection. NGFWs combine traditional firewall technology with additional functionality such as encrypted traffic inspection, intrusion prevention systems, anti-virus, and more. Next-generation firewalls offer more levels of security, and they perform deep packet inspection (DPI): they inspect a packet in its entirety, including the packet header, the packet’s contents, and its source. Additionally, NGFWs are able to block advanced malware.

Most companies are deploying next-generation firewalls to block modern threats such as advanced malware and application-layer attacks.

Source: en.wikipedia.org

Network Address Translation (NAT) Firewall

NAT firewalls allow multiple devices with independent network addresses to connect to the internet through a single shared public IP address, keeping the individual IP addresses hidden. All of those devices share the same public IP address while keeping unique private IP addresses.

In other words, NAT binds one or more private IP addresses (in the LAN) to a public IP address (on the internet). NAT firewalls are similar to proxy firewalls in that they act as an intermediary between a group of computers and outside traffic. There is a great advantage to using NAT: attackers scanning a network for IP addresses cannot capture specific details about the hosts behind it. This means a significant increase in the level of security.
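An added Python example (not from the article or its sources) of the translation table a NAT firewall keeps: two private hosts share one constructed public IP, replies are mapped back to the right host, and inbound packets with no mapping are dropped, which is the hiding effect described above. The public IP, port range and addresses are assumptions for the example.

```python
"""Added example: a minimal source-NAT translation table (not from the article)."""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"    # constructed: the one public address the LAN shares

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatFirewall:
    """Source NAT with a translation table keyed by the public port handed out."""
    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}        # public port -> (private ip, private port, peer ip, peer port)
        self.by_flow = {}      # the same 4-tuple -> public port, so a flow reuses its port

    def outbound(self, pkt):
        """Rewrite a LAN packet's source to the shared public IP and an allocated port."""
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.by_flow.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.table[port] = flow
            self.by_flow[flow] = port
        return Packet(self.public_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Translate a reply back to the private host. Anything with no table entry,
        or from a peer the entry was not created for, is dropped (returns None)."""
        entry = self.table.get(pkt.dport)
        if pkt.dst != self.public_ip or entry is None:
            return None
        priv_ip, priv_port, peer_ip, peer_port = entry
        if (pkt.src, pkt.sport) != (peer_ip, peer_port):
            return None
        return Packet(pkt.src, pkt.sport, priv_ip, priv_port)
```

From the outside only 203.0.113.10 and its allocated ports are ever visible; the private addresses and the number of hosts behind them are not.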

 

Web Application Firewall (WAF)

A WAF is a hardware appliance, server plug-in, or other software filter whose main task is to protect web portals and web applications. So, what is the difference between proxy firewalls and WAFs? Proxy firewalls protect clients, while WAFs protect servers. In other words, a WAF can be considered a reverse proxy.

Today, these firewalls are able to deal with most attacks, threats and web-borne malware, in particular layer 7 attacks such as SQL injection, buffer overflow, cross-site scripting (XSS), file inclusion, cookie poisoning, schema poisoning, defacement, DDoS, etc.

 

Personal Firewall

Personal firewalls are popular software applications that can be installed on workstations or servers to protect them from external security threats and intrusions. Traditionally they were basic software that controls Layer 3 and Layer 4 access to client machines. Today, these firewalls have become much more advanced and powerful, and their features include:

  • Host intrusion prevention
  • Protection against spyware
  • Extensive audit and logging capabilities
  • Protection against buffer overflow attacks

———————————

Sources:

forcepoint.com

juniper.net

kb.iu.edu

en.wikipedia.org