You might be wondering about the various types of firewalls, the leading vendors in the field, and what is new with firewalls and what is not. If so, you’re in the right place. Whether you are new to cyber security or a seasoned network professional, you will find value here.
Since the point of this guide is to familiarize you with enterprise-grade terminology and uses, most of it avoids Wikipedia-style explanations and focuses instead on the topics you will actually encounter working in the field of cyber security.
We hope to answer questions such as what a firewall can do for your company, what the different types are, which firewalls are the best, and what firewalls are used for.
What is a Firewall?
A firewall is a paramount piece of technology vital to the network of any security operations center. It filters traffic between endpoints like computers and servers. The filtering can alert, block, allow, and in more advanced firewalls, intercept and decrypt the traffic.
The main goal of a firewall is to allow legitimate traffic to flow throughout a network while at the same time blocking and alerting on malicious traffic.
Rules say whether network traffic will be blocked or allowed. A typical rule contains a source address, a protocol, a port number, and a destination address. Advanced versions like next-generation firewalls (NGFWs) use application IDs and groups within rules.
You might be wondering:
I know what addresses, ports, and protocols are, but what are application IDs and groups?
An application ID identifies what an application is regardless of the port, protocol, or other evasive tactics the application uses, whereas an application group is a collection of application IDs. For instance, a social media application group contains Facebook, Instagram, and Twitter.
Here’s an example:
You want to group all types of social media sites to block traffic to them. Today, social media sites are incredibly large and complex. For instance, Facebook has many components like Messenger, WhatsApp, and Marketplace, all using a variety of ports and domains. Instead of having to hunt down every domain belonging to each component, a next-generation firewall performs this classification for you and lets you block all of it based on one application group. Palo Alto does this the best and has some patents around this feature.
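To make the rule shape described above concrete, here is an added example (not code from the original page or from any firewall vendor) of a first-match rule evaluator in which a rule may name an application ID or an application group in addition to addresses, protocol and port. The group contents, addresses and policy are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed application groups (illustrative names, not a vendor's App-ID catalogue).
APP_GROUPS = {
    "social-media": {"facebook", "facebook-messenger", "whatsapp", "instagram", "twitter"},
    "cloud-storage": {"dropbox", "onedrive", "google-drive"},
}

@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # source network (CIDR); default matches any
    dst: str = "0.0.0.0/0"       # destination network (CIDR)
    proto: str = "any"           # "tcp", "udp" or "any"
    port: Optional[int] = None   # destination port; None matches any port
    app: Optional[str] = None    # application ID or application group; None matches any

    def matches(self, flow: dict) -> bool:
        if ip_address(flow["src"]) not in ip_network(self.src):
            return False
        if ip_address(flow["dst"]) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != flow["proto"]:
            return False
        if self.port is not None and self.port != flow["port"]:
            return False
        if self.app is not None:
            # A group expands to its member application IDs; a bare ID matches itself.
            members = APP_GROUPS.get(self.app, {self.app})
            if flow["app"] not in members:
                return False
        return True

def evaluate(rules, flow: dict) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"

# Constructed policy: block the social-media group first, then permit general HTTPS.
# Messenger on TCP/443 is denied by the group rule even though 443 is otherwise allowed.
POLICY = [
    Rule("block-social", "deny", src="10.0.0.0/8", app="social-media"),
    Rule("allow-https", "allow", src="10.0.0.0/8", proto="tcp", port=443),
]
```

Because rule order matters, swapping the two policy entries would let the port rule match first and the group rule would never fire.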
Types of Firewalls
Without getting too deep into the architecture or boring you with the history, here are the different types of firewalls in use today.
Next-Generation Firewalls (NGFW)
These are your typical network-based firewalls and are more advanced than traditional firewalls. Those old enough probably remember traditional firewalls blocking and filtering on just the source and destination addresses, ports, and protocols, but next-generation firewalls (NGFWs) do a lot more.
What do NGFWs do differently than traditional firewalls?
- Deep-packet decryption and inspection
- Application filtering
- Threat intelligence integration
Deep-packet Decryption and Inspection
Deep-packet decryption and inspection is necessary to truly understand the traffic between two endpoints. Today, the default security practice is to encrypt all traffic and let the endpoints decrypt it. While that makes sense, it can be a challenge when you need to interpret what two devices are saying to one another, especially when threat hunting.
Although you know the two devices are talking to each other, you really don’t know what they are saying. Deep-packet decryption and inspection uncovers this communication and lets you build advanced rules to detect specific malicious activity. It also helps tremendously when you simply need to audit an employee by building a timeline of their activity.
Application Filtering
We gave an example of application filtering earlier. To recap, application filtering lets you build rules around entire software products or categories like social media, cloud storage, email, etc. Say goodbye to tracking down hundreds, if not thousands, of social media URLs.
Threat Intelligence Integration
Many NGFWs integrate threat intelligence into traffic monitoring. In the old days, this was a manual process of correlating firewall logs against lists of bad, risky, or malicious addresses. Now most of it is baked into the tool: popular firewall vendors incorporate threat intelligence, and the firewall events include fields carrying that intelligence, which you can use for enhanced correlation inside your security information and event management (SIEM) tool.
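As an added illustration of the correlation just described (not code from the page or from any vendor), this Python snippet enriches constructed firewall events with a constructed threat-intelligence feed and raises a SIEM-style alert on permitted traffic to a high-confidence indicator. The key=value log layout, field names, and addresses are all assumptions made for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed threat-intel feed: indicator -> (category, confidence).
# Addresses come from the RFC 5737 documentation ranges; they are not real IoCs.
THREAT_FEED = {
    "203.0.113.50": ("c2", "high"),
    "198.51.100.0/24": ("scanner", "medium"),
}
FEED = [(ip_network(indicator), meta) for indicator, meta in THREAT_FEED.items()]

# Constructed firewall events in a generic key=value layout (not a vendor's schema).
LOG_LINES = [
    "ts=2024-03-01T10:00:01Z action=allow src=10.1.1.5 dst=203.0.113.50 dport=443 app=ssl",
    "ts=2024-03-01T10:00:02Z action=deny src=198.51.100.23 dst=10.1.1.80 dport=22 app=ssh",
    "ts=2024-03-01T10:00:03Z action=allow src=10.1.1.7 dst=192.0.2.10 dport=443 app=web-browsing",
]

KV = re.compile(r"(\w+)=(\S+)")

def parse(line: str) -> dict:
    return dict(KV.findall(line))

def lookup(ip: str):
    """Return (category, confidence) for an address in the feed, else None."""
    addr = ip_address(ip)
    for net, meta in FEED:
        if addr in net:
            return meta
    return None

def enrich(line: str) -> dict:
    """Add threat_* fields to an event when its src or dst matches the feed."""
    event = parse(line)
    for field in ("src", "dst"):
        hit = lookup(event[field])
        if hit is not None:
            event["threat_field"] = field
            event["threat_category"], event["threat_confidence"] = hit
            break
    return event

def correlate(lines):
    """SIEM-style rule: traffic the firewall permitted *to* a high-confidence indicator."""
    alerts = []
    for line in lines:
        event = enrich(line)
        if (event["action"] == "allow" and event.get("threat_field") == "dst"
                and event.get("threat_confidence") == "high"):
            alerts.append(event)
    return alerts
```

The denied inbound scan is enriched but not alerted on, since the firewall already blocked it; the allowed connection to the C2 indicator is the one worth a ticket.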
These firewalls are hosted in the cloud or on premises.
You might be asking: what are the pros and cons of cloud versus on-premises firewalls?
Think about it. Today, companies have resources scattered across multiple data centers. A perfect example is a company that acquires other companies: with each acquisition comes another data center. Replacing multiple on-premises traditional firewalls with a cloud firewall eliminates configuring and maintaining a separate firewall in each of those dozens of data centers. There are also AWS and Microsoft to consider. Their cloud storage and resource solutions require a firewall hosted in the cloud to protect the data hosted with them.
An on-premises firewall is practical for smaller companies with one data center. In fact, on-premises firewalls make segmenting your internal networks a walk in the park, both cost-wise and technically.
Web Application Firewalls (WAF)
These types of firewalls live on the perimeter of your network. They are often hosted in the cloud but can be hosted locally, either on the network or within the application’s software. Web application firewalls serve primarily to protect public-facing websites, API endpoints, and VPN gateways against north-south traffic.
A lot of the same features of network firewalls exist with WAFs, but the main difference is the protocol. Web application firewalls filter and monitor HTTP traffic between web applications and the internet.
By deploying a WAF, you essentially build a shield between your web applications and everyone visiting them. A forward proxy protects a client machine’s identity, whereas a WAF acts as a reverse proxy, protecting the server from exposure by having everyone pass through the firewall before reaching the actual website.
So, what else is different between network firewalls and web application firewalls?
Good question. A WAF protects web applications against exploitation such as cross-site request forgery (CSRF), cross-site scripting (XSS), and SQL injection, among a few others. Cloud-based WAFs are ‘turn-key’ when it comes to setting them up, with minimal up-front costs. Modern web application firewalls can even eliminate bot activity using machine learning to build a cohesive model of what constitutes human behavior.
Are Firewalls Important?
Short answer: Yes.
To be more accurate, firewalls are necessary in any enterprise. With data moving more and more to the cloud, firewalls are more important than ever. Network segmentation on premises was challenging to begin with; now a new segmentation challenge exists in the cloud. We really don’t see firewalls going away any time soon. Companies are ditching old-school on-premises server technology and moving to hosting data in Azure and AWS, which still needs protection.