What is a firewall

In general terms, the role of a firewall is to segregate network traffic between two network segments, such that only legitimate traffic is permitted to traverse the firewall. Conversely, illegitimate traffic (which may be malicious or merely accidental) is not allowed to pass. What counts as legitimate is defined by the firewall's policy, not by the firewall itself. Logically, the function of a firewall is depicted below.

Firewalls can be implemented in software or as hardware appliances. A software firewall is a program installed either on the protected host itself or on some intermediate host, with the intention of regulating traffic entering and leaving a protected network segment (or a single host). Conversely, a physical firewall is a dedicated device installed between the protected network and the gateway. A third option, a cloud firewall, is a managed service that may be either hardware- or software-based and is charged to the consumer on a usage basis by a service provider.

Packet filtering (stateless and stateful)

A packet-filtering firewall is the most basic and also the most common type of firewall. It examines each packet and only allows it through if it matches an established set of rules. The fields checked are those in the packet headers: the source and destination IP addresses, the transport protocol, the source and destination ports and, for TCP, the flags. If a packet matches an allow rule it is forwarded into the network. Typically these firewalls operate in a default-deny mode, meaning that unless a matching allow rule has explicitly been defined, a packet will not be permitted to traverse the firewall.

Packet-filtering firewalls are split into two categories: stateless and stateful. Stateless firewalls analyse packets individually and lack any persistent context spanning related packets. They are unaware of the underlying connection and treat each packet on its own merits. A stateless filter looks only at the headers at the network layer (L3) and transport layer (L4) of the OSI model, never at the payload. As a result it cannot distinguish a reply belonging to a connection the inside initiated from an unsolicited packet crafted to look like one, so return traffic has to be admitted by broad header rules (for example, permitting inbound TCP packets that carry the ACK flag). This limits their usefulness; however, because no state is kept, they are very efficient.

By contrast, stateful firewalls maintain conversational state and are intrinsically aware of the underlying connection, with the ability to correlate packets. The firewall is configured to distinguish legitimate packets for different types of connections, and only packets matching a known active connection are allowed to traverse it. Stateful firewalls maintain an internal state table: once the first packet of a connection has been approved by a rule, the connection is added to the table and subsequent packets belonging to it are forwarded without re-evaluating the rule set. Stateful firewalls operate at the transport layer (L4) of the OSI reference model, tracking TCP connections explicitly and UDP or ICMP exchanges by timeout, and are much more useful as a result.

To compare the two, consider an HTTP connection from a client on the protected network to a web server outside it. The client sends from an ephemeral high port to port 80, so the server's replies are destined for an arbitrary high port on the protected network. A stateless firewall has no way of knowing that such a reply is part of a legitimate HTTP session established earlier, so it must either drop it or admit all traffic to high ports. A stateful firewall solves this by recording the outbound connection in its state table and admitting only the packets that belong to it. Protocols such as FTP go a step further and negotiate a second connection on a dynamically chosen port; here a stateful firewall with application inspection (an application-layer gateway) parses the payload of the control channel and associates the new connection request with the existing legitimate session.
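The following simulation is an added example, not code from the original article: it runs the same four constructed packets (a client SYN, the server's SYN/ACK reply, and two probes from an attacker who spoofs source port 80) through a stateless filter that relies on the ACK-flag trick and through a stateful filter that keeps a connection table. The addresses are documentation and private ranges chosen for the example; 10.0.0.0/8 stands in for the protected network.

```python
"""Stateless vs stateful filtering of one HTTP session, on constructed packets."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}


def is_inside(ip: str) -> bool:
    """The protected network is 10.0.0.0/8 in this example."""
    return ip.startswith("10.")


def stateless_filter(pkt: Packet) -> str:
    """Each packet is judged on its headers alone.

    To let web replies back in, the only handle a stateless ACL has is header
    fields: 'inbound TCP from port 80 to a high port with ACK set'. Anyone can
    craft a packet that satisfies that rule.
    """
    outbound = is_inside(pkt.src) and not is_inside(pkt.dst)
    inbound = not is_inside(pkt.src) and is_inside(pkt.dst)
    if outbound and pkt.dport == 80:
        return "ACCEPT"  # client request to a web server
    if inbound and pkt.sport == 80 and pkt.dport >= 1024 and "ACK" in pkt.flags:
        return "ACCEPT"  # looks like a reply; the filter cannot verify that it is one
    return "DROP"  # default deny


class StatefulFilter:
    """Tracks connections initiated from the inside and admits only packets
    that belong to one of them."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        conn = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        outbound = is_inside(pkt.src) and not is_inside(pkt.dst)
        if outbound:
            new_connection = "SYN" in pkt.flags and "ACK" not in pkt.flags
            if new_connection and pkt.dport == 80:
                self.table.add(conn)  # rule matched once; later packets hit the table
                return "ACCEPT"
            return "ACCEPT" if conn in self.table else "DROP"
        # Inbound: accept only the reverse direction of a tracked connection.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if reverse in self.table else "DROP"


def run_demo() -> dict[str, list[str]]:
    """Verdicts of both filters on the same constructed packet stream."""
    client_syn = Packet("10.0.0.5", 51234, "203.0.113.10", 80, frozenset({"SYN"}))
    server_synack = Packet("203.0.113.10", 80, "10.0.0.5", 51234, frozenset({"SYN", "ACK"}))
    # Attacker spoofs source port 80 to reach an internal high port ...
    syn_probe = Packet("198.51.100.7", 80, "10.0.0.5", 40000, frozenset({"SYN"}))
    # ... and, knowing the ACK-flag rule, simply sets ACK as well.
    ack_probe = Packet("198.51.100.7", 80, "10.0.0.5", 40000, frozenset({"ACK"}))
    stream = [client_syn, server_synack, syn_probe, ack_probe]
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in stream],
        "stateful": [stateful.filter(p) for p in stream],
    }


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(name, verdicts)
```

The stateless filter accepts the ACK-only probe because nothing in its headers distinguishes it from a genuine reply; the stateful filter drops both probes because no connection to 10.0.0.5:40000 was ever initiated from the inside. Real implementations also expire table entries and validate sequence numbers, which this simulation omits.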

While packet-filtering firewalls can be effective, they ultimately provide basic protection and are confined to layers 3 and 4 of the OSI model; for example, they cannot determine whether the contents of a request will adversely affect the application it is reaching. If a malicious request from a trusted source address would result in, say, the deletion of a database, the firewall would have no way of knowing that.

Circuit-Level Gateway

A circuit-level gateway, or circuit proxy, accepts a connection from a client on one side and, if the connection is permitted, opens a second connection to the destination host on the other side. The client initiating the connection is never directly connected to the destination. A circuit-level gateway works at the session layer (L5): it validates the connection set-up and then relays bytes between the two connections without inspecting the application data, SOCKS being the classic example. Because proxies can act on different types of traffic or packets from different applications, a proxy firewall is usually built from proxy agents, each programmed to handle one specific type of transfer, say FTP traffic or generic TCP connections.

Circuit proxies offer a property that packet filters do not: hosts on the external network never learn internal IP addresses or ports, because only the address of the proxy is ever transmitted on the Internet. A circuit proxy is typically installed between the network router and the Internet, communicating with the Internet on behalf of the internal network.

Application Firewalls

Application firewalls (also known as proxy firewalls) filter network traffic at the application layer (L7) by relaying requests from the initiating party to the responding party. Unlike traditional firewalls, the proxy serves as an intermediary between the two end-systems and terminates each connection itself. The client must send its request to the firewall, where it is evaluated against a set of security rules and then forwarded or blocked. Most notably, proxy firewalls understand layer 7 protocols such as HTTP and FTP and use both stateful and deep packet inspection to detect malicious traffic.

In some cases, a proxy is a multi-purpose appliance in its own right and is a firewall only circumstantially; it will typically carry out other duties that are not firewall-related. For example, a proxy may terminate TLS connections, rewrite URLs, route requests based on headers, inject headers, authenticate to the origin, apply rate limiting, and perform various other traffic-shaping tasks.
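The next block is an added example, not code from the original article. It contrasts what a packet filter can see (the destination address and port) with what an application firewall sees once it has parsed the request: the HTTP method, the Host header, the decoded path and the body framing. The policy values (allowed methods, allowed hosts, body limit), the internal server address and all five request byte strings are constructed for the example; the same payload inspection is what deep packet inspection performs on a reassembled stream.

```python
"""Application-layer (L7) inspection of HTTP requests, as a proxy firewall performs it."""
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "POST"}          # illustrative policy
ALLOWED_HOSTS = {"app.example.com"}
MAX_BODY = 4096
PROTECTED_SERVER = ("10.0.0.10", 80)       # constructed internal web server


def l4_verdict(dst_ip: str, dport: int) -> str:
    """A packet filter's view: addresses and ports only, never the request."""
    return "ACCEPT" if (dst_ip, dport) == PROTECTED_SERVER else "DROP"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into method, target, headers and body.
    Raises ValueError on a malformed request line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def l7_verdict(raw: bytes) -> str:
    """The proxy's view: parse the request and apply policy to its content."""
    try:
        method, target, headers, body = parse_request(raw)
    except ValueError:
        return "DROP: malformed request"
    if method not in ALLOWED_METHODS:
        return f"DROP: method {method}"
    if headers.get("host") not in ALLOWED_HOSTS:
        return f"DROP: host {headers.get('host')}"
    path = unquote(target.split("?", 1)[0])  # decode %2e%2e before checking
    if ".." in path.split("/"):
        return "DROP: path traversal"
    declared = headers.get("content-length")
    if declared is not None:
        if not declared.isdigit() or int(declared) != len(body):
            return "DROP: body length mismatch"  # precondition for request smuggling
        if int(declared) > MAX_BODY:
            return "DROP: body too large"
    elif body:
        return "DROP: body without content-length"
    return "ACCEPT"


def run_demo() -> dict[str, tuple[str, str]]:
    """(L4 verdict, L7 verdict) for five constructed requests to the same server."""
    requests = {
        "benign": b"GET /index.html HTTP/1.1\r\nHost: app.example.com\r\n\r\n",
        "delete": b"DELETE /api/db HTTP/1.1\r\nHost: app.example.com\r\n\r\n",
        "traversal": b"GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: app.example.com\r\n\r\n",
        "smuggle": b"POST /login HTTP/1.1\r\nHost: app.example.com\r\nContent-Length: 5\r\n\r\nuser=admin",
        "wrong_host": b"GET / HTTP/1.1\r\nHost: evil.example\r\n\r\n",
    }
    # Every request arrives at the same address and port, so the L4 verdict is
    # identical for all of them; only the L7 verdict tells them apart.
    return {name: (l4_verdict(*PROTECTED_SERVER), l7_verdict(raw))
            for name, raw in requests.items()}


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(f"{name:10s} L4={verdicts[0]:6s} L7={verdicts[1]}")
```

All five requests pass the layer 3/4 check, which is exactly the limitation of packet filtering described earlier; only the proxy, having parsed the request, can reject the destructive method, the encoded traversal, the mis-framed body and the wrong virtual host. A production proxy would additionally normalise the request before forwarding it, so that the origin never sees the ambiguous framing.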

Network Address Translation (NAT) Firewalls

Like an application proxy, a NAT device is not necessarily a firewall, but it may perform firewall-like duties. Specifically, Network Address Translation (NAT) is a general method of remapping one IP address space into another by modifying the address information in the IP header of packets (and, for port address translation, the transport-layer ports as well). A NAT allows multiple devices with private addresses to connect to the Internet through a single public IP address while keeping the individual internal addresses hidden. An attacker scanning from outside sees only the NAT device's address, and an unsolicited inbound packet for which no translation entry exists has no internal destination and is dropped. That is the firewall-like effect; it is a side effect of the translation table rather than a deliberate policy, and a NAT with static or port-forwarding entries exposes the mapped internal hosts exactly as if no NAT were present. NAT devices are similar to proxy firewalls in that they act as an intermediary between a group of hosts and outside traffic.
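The following simulation of source NAT with port translation is an added example, not code from the original article. The public address 203.0.113.1, the port range and all packets are constructed for the example. It shows the address rewriting on the way out, the reverse translation of the genuine reply, and why an attacker's packets, whether aimed at an unmapped port or at the port a mapping currently uses, are dropped for want of a translation entry.

```python
"""Source NAT with port translation (PAT), simulated on constructed packets."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    PUBLIC_IP = "203.0.113.1"  # constructed public address of the NAT device
    FIRST_PORT = 20000         # public ports are handed out from here upwards

    def __init__(self) -> None:
        self.next_port = self.FIRST_PORT
        # (inside src, sport, remote dst, dport) -> public port
        self.outbound_map: dict[tuple[str, int, str, int], int] = {}
        # (public port, remote src, sport) -> (inside dst, dport)
        self.inbound_map: dict[tuple[int, str, int], tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside->outside packet so only PUBLIC_IP appears on the wire."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound_map:
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            # The entry is keyed on the remote endpoint too, so only that peer
            # can use the mapping (endpoint-dependent, 'symmetric' NAT).
            self.inbound_map[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.PUBLIC_IP, sport=self.outbound_map[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet back, or return None when no
        entry exists: the packet has no internal destination and is dropped.
        This is the firewall-like effect of NAT."""
        if pkt.dst != self.PUBLIC_IP:
            return None
        inside = self.inbound_map.get((pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None
        return replace(pkt, dst=inside[0], dport=inside[1])


def run_demo() -> dict[str, Optional[Packet]]:
    """One outbound request, its reply, and two unsolicited inbound packets."""
    nat = Nat()
    request = Packet("10.0.0.5", 51234, "203.0.113.10", 80)
    on_the_wire = nat.outbound(request)
    reply = Packet("203.0.113.10", 80, Nat.PUBLIC_IP, on_the_wire.sport)
    # An attacker who learns the mapped port tries to reuse it from another host,
    # and also scans a port that was never mapped.
    stray = Packet("198.51.100.7", 4444, Nat.PUBLIC_IP, on_the_wire.sport)
    scan = Packet("198.51.100.7", 4444, Nat.PUBLIC_IP, 22)
    return {
        "on_the_wire": on_the_wire,
        "reply": nat.inbound(reply),
        "stray": nat.inbound(stray),
        "scan": nat.inbound(scan),
    }


if __name__ == "__main__":
    for name, pkt in run_demo().items():
        print(f"{name:12s} {pkt if pkt else 'dropped (no translation entry)'}")
```

Keying the inbound map on the remote endpoint is what makes the stray packet fail; a NAT that keys only on the public port (a 'full-cone' mapping) would forward it to 10.0.0.5:51234, which is one reason NAT should not be relied on as the only inbound control.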

Stateful Multi-Layer Inspection (SMLI) Firewalls

SMLI is a sophisticated form of packet filtering that examines all the major layers of the OSI model. In other words, this type of filter inspects packets at the network (L3), transport (L4) and application (L7) layers, comparing them with the characteristics of known, trusted traffic. An SMLI firewall evaluates the whole packet, which must pass the checks at each layer in turn, and tracks the state of the communication so that only sessions established with trusted sources and conforming to the expected protocol behaviour are allowed through.

To be more specific, an SMLI firewall is not necessarily a single implementation. Rather, it is a series of filtering functions that work in concert to secure traffic at different levels of the OSI model; it may be a composition of a stateless packet filter, a stateful firewall and an application-level proxy.

Next-Generation Firewalls (NGFW)

Next-generation firewalls, also described as 'third-generation' firewalls, are better equipped to detect sophisticated threats that target applications. The term NGFW is only loosely defined, with no official classification of what it encompasses. Typically, an NGFW combines conventional stateful filtering with additional functionality such as inspection of encrypted (TLS) traffic, intrusion prevention, antivirus, website filtering, and so forth. In any case, deep packet inspection (DPI) is included. While basic firewalls only look at packet headers, deep packet inspection examines the payload itself, enabling the firewall to identify, categorise or block packets and streams carrying malicious data.