
Enterprise Firewalls [2023]: Light-Weight Guide

You might be wondering about the various types of firewalls and the leading vendors in the field. What’s new with firewalls and what’s not? If so, you’re in the right place. Whether you are new to cyber security or a seasoned network professional, you will find value here.

Since this guide aims to familiarize you with enterprise-grade terminology and uses, most of it will avoid Wikipedia-style explanations. It will focus more on topics and relevance you encounter in enterprise cyber security.

We hope to answer questions like what a firewall can do for your company, the different types, the best firewalls, and what firewalls are used for.

What is a Firewall?

A firewall is a fundamental piece of technology, vital to the network of any security operations center. It filters traffic between endpoints like computers and servers. The filtering can alert, block, allow, and, in more advanced firewalls, intercept and decrypt the traffic.

The main goal of a firewall is to allow legitimate traffic to flow throughout a network while blocking and alerting malicious traffic.

Rules determine whether network traffic is blocked or allowed. A typical rule contains a source address, a protocol, a port number, and a destination address. Advanced versions like next-generation firewalls (NGFWs) also use application IDs and application groups within rules.

You might be wondering:

I know what addresses, ports, and protocols are, but what are application IDs and groups?

Good question.

An application ID identifies an application regardless of the port or protocol it uses, or any other evasive tactic the application employs. An application group, in turn, is a collection of application IDs. For instance, a social media application group contains Facebook, Instagram, and Twitter.

Here’s an example:

You want to group all social media sites to block traffic to them. Today, social media sites are vast and complex. For instance, Facebook has many categories like Messenger, WhatsApp, and Marketplace, all using a variety of ports and domains. Instead of hunting down every domain belonging to each category, a next-generation firewall performs this classification for you and lets you block all of it based on one application group. Palo Alto does this the best and has some patents around this feature.

Types of Firewalls

Without getting too into the architecture and boring you with the history, we explain the different types of firewalls used today.

Next-Generation Firewalls

These are your typical network-based firewalls and are more advanced than traditional firewalls. Those old enough probably remember traditional firewalls blocking and filtering the source and destination addresses, ports, and protocols, but next-generation firewalls (NGFW) do much more.

Quick answer:

What do NGFWs do differently than traditional firewalls?

  1. Deep-packet decryption and inspection
  2. Application filtering
  3. Threat intelligence integration

Deep-packet Decryption and Inspection

Deep-packet decryption and inspection are necessary to understand the traffic between two endpoints. Today, the default security practice is to encrypt all traffic and let the endpoints decrypt it. While that makes sense, it makes it challenging to interpret what two devices are saying to one another, especially when threat hunting.


Although you know the two devices are talking to each other, you don’t know what they are saying. Deep-packet decryption and inspection uncover this communication and allow you to build advanced rules to detect specific malicious activity. It also helps tremendously when you need to audit an employee by building a timeline of their activity.

Application Filtering

We previously gave an example of application filtering. To refresh you, application filtering allows you to build rules around entire software products or categories like social media, cloud storage, email, etc. Say goodbye to tracking down hundreds, if not thousands, of social media URLs.

Threat Intelligence Integration

Many NGFWs apply threat intelligence integration to traffic monitoring. In the old days, this was a manual process of correlating firewall logs against bad, risky, or malicious addresses. Now, most of it is baked into the tool. Popular firewall vendors incorporate threat intelligence, and the firewall events include fields carrying this threat intelligence, which you can use for enhanced correlation inside your security information and event management (SIEM) tool.
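As an added example (not from the original article or any vendor), the following parses constructed firewall events in a generic key=value syntax in which the firewall has already stamped each flow with threat-intelligence fields, and performs two SIEM-style correlations: hosts with repeated intel-tagged flows, and intel-tagged flows the firewall logged but still allowed. The field names `threat_cat` and `threat_name`, the addresses and the events are all constructed.

```python
import re
from collections import Counter

# Constructed events; an empty threat_cat/threat_name means no intel hit on that flow.
SAMPLE_EVENTS = """\
ts=2023-03-01T10:00:01Z action=allow src=10.1.4.20 dst=93.184.216.34 dport=443 app=web-browsing threat_cat= threat_name=
ts=2023-03-01T10:00:05Z action=deny src=10.1.4.20 dst=198.51.100.7 dport=443 app=ssl threat_cat=c2 threat_name=known-c2-beacon
ts=2023-03-01T10:00:09Z action=allow src=10.1.4.20 dst=198.51.100.7 dport=8443 app=ssl threat_cat=c2 threat_name=known-c2-beacon
ts=2023-03-01T10:00:12Z action=allow src=10.1.7.9 dst=203.0.113.5 dport=25 app=smtp threat_cat=spam threat_name=spam-source
ts=2023-03-01T10:00:20Z action=allow src=10.1.7.9 dst=93.184.216.34 dport=443 app=web-browsing threat_cat= threat_name=
"""

KV = re.compile(r"(\w+)=(\S*)")  # key=value pairs; value may be empty

def parse_events(text: str) -> list[dict]:
    """Turn each non-empty line into a dict of its key=value fields."""
    return [dict(KV.findall(line)) for line in text.splitlines() if line.strip()]

def correlate(events: list[dict], min_hits: int = 2) -> tuple[dict, list[dict]]:
    """Return (a) sources with at least min_hits intel-tagged flows and
    (b) intel-tagged flows the firewall allowed, which deserve a closer look."""
    hits = Counter(e["src"] for e in events if e["threat_name"])
    noisy_sources = {src: n for src, n in hits.items() if n >= min_hits}
    allowed_hits = [e for e in events if e["threat_name"] and e["action"] == "allow"]
    return noisy_sources, allowed_hits

def summarize(text: str = SAMPLE_EVENTS) -> dict:
    noisy, allowed = correlate(parse_events(text))
    return {
        "noisy_sources": noisy,
        "allowed_hits": [(e["src"], e["dst"], e["dport"], e["threat_name"]) for e in allowed],
    }
```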

These firewalls are hosted in the cloud or on-premises.

You might be asking: what are the pros and cons of cloud vs. on-premises firewalls?


Think about it. Today, companies have resources scattered across multiple data centers. A perfect example is a company that acquires other companies; with each acquisition comes another data center. Replacing multiple on-premises traditional firewalls with a cloud firewall eliminates configuring and maintaining dozens of individual data center firewalls. There are also AWS and Microsoft to consider. Their cloud storage and compute solutions require a firewall hosted in the cloud to protect the data hosted with them.

An on-premises firewall is practical for smaller companies with one data center. On-premises firewalls make segmenting your internal networks a walk in the park cost-wise and technically.

Web Application Firewalls (WAF)

These types of firewalls live on the perimeter of your network. They are often hosted in the cloud but can be hosted locally on the network or within the application’s software. Web application firewalls protect public-facing websites, API endpoints, and VPN gateways over north-south traffic activity.

A lot of the same features of network firewalls exist with WAFs, but the main difference is the protocol. Web application firewalls filter and monitor HTTP traffic between web applications and the internet.

By deploying a WAF, you essentially build a shield between your web applications and everyone visiting them. A forward proxy protects a client machine’s identity. In contrast, a WAF acts as a reverse proxy, protecting the server from exposure by having everyone pass through the firewall before reaching the website.

So, what else is different between network firewalls and web application firewalls?

Good question. A WAF protects web applications against exploitation like cross-site request forgery (CSRF), cross-site scripting (XSS), and SQL injection, among a few others. Cloud-based WAFs are ‘turn-key’ to set up, with minimal up-front costs. Modern web application firewalls can even eliminate bot activity using machine learning to build a cohesive model of what constitutes human behavior.

Are Firewalls Important?

Short answer: Yes.

To be more accurate, firewalls are necessary in any enterprise. With data moving more and more to the cloud, firewalls are more critical than ever. Network segmentation on-premises was challenging to begin with; now, a new segmentation challenge exists in the cloud. We don’t see firewalls going away any time soon. Companies are ditching old-school on-premises server technology and moving to hosting data in Azure and AWS, which still needs protection.