Firewalls are an old network security technology. The first firewall was developed in 1989 by Jeff Mogul of the Digital Equipment Corporation. That means that some firewall technologies that companies use to this day are more than 30 years old. While some may see this as outdated, the very idea of a firewall is a timeless concept that has been improved on.
- A firewall is a sort of gatekeeper that logs, inspects and, at times, blocks the traffic entering and sometimes leaving your network.
- Firewalls are meant to protect you at the packet level, which means that they inspect traffic at the protocol level.
- Firewalls don’t inspect traffic at the application level, which is why other tools, such as secure web gateways (SWG), were created; these give security professionals an added layer of granular control.
What Is a Firewall?
A firewall is a sort of gatekeeper that logs, inspects and, at times, blocks the traffic entering and sometimes leaving your network. The firewall is an old security technology that has evolved over the years to include new capabilities and variations to meet the demands of networks. What started as a manually controlled gatekeeper has turned into a smart inspection tool that exists on local servers as well as in the cloud.
What Are the Capabilities and Limits of a Firewall?
A firewall is an exceptionally powerful tool for protecting your network, but with a few caveats. Firewalls are meant to protect you at the packet level, which means that they inspect traffic at the protocol level. Within those limits, firewalls can:
- Log and inspect traffic
- Restrict traffic types based on corporate policies
- Keep lists of allowed sources of traffic
- Block out malicious traffic types or sources
Firewalls are a necessity for protecting your network, but they’re not flawless. We’ll explain why.
There are two types of traffic that are sent over a network:
- User datagram protocol (UDP): A lightweight protocol that doesn’t require any handshakes between the device requesting the traffic and the source delivering the traffic. Therefore, UDP can stream data to a recipient, which is why gaming, video, and streaming services use it. However, delivery of this stream isn’t guaranteed, so packets are occasionally lost.
- Transmission control protocol (TCP): This protocol requires a “handshake” between the sender and the receiver (this synchronizes the connection between the two points and acknowledges the transfer of packets) in order to ensure reliable delivery with no packet loss, and it terminates the connection once the transfer is complete. It is used for traffic such as file transfers, email, and instant messaging.
This is a very basic overview, but you get the idea. The problem with firewalls is that most of them only evaluate traffic on these basic levels without any deeper layers of inspection. This can lead to clumsy attempts to block certain actions by blocking an entire type of traffic: blocking YouTube videos, which use UDP, can affect the delivery of other valid traffic that happens to use the same protocol, such as Zoom, which also uses UDP.
Firewalls don’t inspect traffic at the application level, which is why other tools, such as secure web gateways (SWG), were created; these give security professionals an added layer of granular control. Think of it this way: a firewall is a sledgehammer and, in some cases, a sledgehammer is needed to fix a problem. But, in other cases, a more detailed solution is needed, which a firewall isn’t equipped to handle.
What Are the Three Types of Firewalls?
Stateless Packet Filtering Firewall
A packet filtering firewall is the oldest form of firewall. These firewalls live on the edge of a perimeter security-based network and require a security professional to set the parameters for traffic manually, with no learning capabilities. An administrator creates an access control list (ACL) to either allow or deny packets from certain internet protocol (IP) address sources. It’s essentially a “dumb” firewall.
What makes these firewalls “stateless” is the lack of any packet inspection, source logging, or validation capabilities. The problem with stateless packet filter firewalls is the implied trust that’s given to IP addresses allowed by administrators. While these firewalls block traffic from denied sources, not all threats originate from malicious IP addresses. In some cases, trusted IP addresses can be hijacked and used to pass malicious traffic through your perimeter security, all under the nose of a stateless packet filter. Think of it like a normally trusted delivery driver passing along a package with a bomb in it, right under the nose of building security.
Stateful Inspection Firewalls
If you’re looking for an upgrade from the 1990s, then the next step in capability would be the stateful inspection firewall.
This firewall type is “stateful” because, while it does still use access control lists to regulate incoming and outgoing packets, the firewall also inspects packet traffic, logs the relevant data (originating address, packet type, destination, and so on) and compares future traffic against that log to validate it, as shown below:
Essentially, this type of firewall operates under the concept of “this traffic was safe before, so if it’s the same, it’s safe now.” While this is an upgrade from using simple ACLs, this type of firewall is prone to two specific vulnerabilities.
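To make the contrast between the stateless ACL described above and the stateful “log it, then compare future traffic against the log” behaviour concrete, here is an added toy packet filter; it is example code written for this page, not part of the original article or any real firewall product, and all addresses, ports and packets are constructed test values from documentation IP ranges.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str           # source IP
    dst: str           # destination IP
    proto: str         # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False  # TCP SYN flag: set only on the segment that opens a flow

# Stateless ACL: ordered (source prefix, protocol, destination port, action); unmatched is denied.
ACL = [("203.0.113.", "tcp", 443, "allow")]   # constructed "trusted" partner range

def stateless_decide(pkt: Packet) -> str:
    """Judge each packet on its own headers; no memory of earlier traffic."""
    for prefix, proto, dport, action in ACL:
        if pkt.src.startswith(prefix) and pkt.proto == proto and pkt.dport == dport:
            return action
    return "deny"

class StatefulFirewall:
    """Logs the flows it has seen and validates later packets against that log."""
    def __init__(self) -> None:
        self.flows = set()   # entries: (src, sport, dst, dport, proto)

    def decide(self, pkt: Packet, inbound: bool) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.flows or reverse in self.flows:
            return "allow"   # matches a flow logged earlier (either direction)
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"    # mid-stream segment with no known handshake
        if inbound and stateless_decide(pkt) != "allow":
            return "deny"    # a brand-new inbound flow must still pass the ACL
        self.flows.add(key)  # log the new flow so its replies are recognised
        return "allow"

def demo() -> dict:
    """Constructed traffic: a real handshake, a forged segment, and a DNS query/reply."""
    fw = StatefulFirewall()
    legit = Packet("203.0.113.10", "192.0.2.5", "tcp", 51000, 443, syn=True)
    forged = Packet("203.0.113.77", "192.0.2.5", "tcp", 40000, 443)  # trusted IP, no handshake
    query = Packet("192.0.2.5", "198.51.100.53", "udp", 53000, 53)   # outbound DNS query
    reply = Packet("198.51.100.53", "192.0.2.5", "udp", 53, 53000)   # its inbound reply
    return {
        "legit": (stateless_decide(legit), fw.decide(legit, inbound=True)),
        "forged": (stateless_decide(forged), fw.decide(forged, inbound=True)),
        "dns_query": fw.decide(query, inbound=False),
        "dns_reply": (stateless_decide(reply), fw.decide(reply, inbound=True)),
    }
```

The stateless ACL waves the forged segment through because its source address is trusted, yet it also drops the legitimate DNS reply, while the stateful table blocks the forged segment and recognises the reply as part of a logged flow. A packet that does match a logged flow is still allowed without further inspection, which is exactly the limitation the next section describes.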
Issues With Stateful Inspection Firewalls
The first issue is the fact that stateful inspection firewalls are process-intensive and have a tendency to bottleneck traffic due to their inspection processes, making them potential targets for distributed denial-of-service (DDoS) attacks.
The second issue is that their inspection is still limited. This leaves the possibility for hijacked traffic to make it through the firewall so long as the traffic type isn’t unexpected. This makes stateful firewalls vulnerable to man-in-the-middle (MITM) attacks where a hacker intercepts the connection and begins sending altered packets of the same type back through your firewall. Your firewall won’t know that the traffic is malicious, since it’ll look as though it’s coming from an expected source and arrives as the expected traffic type.
Proxy Firewalls
Out of the three firewall types, a proxy firewall is the most secure. The concept works the same as using a middleman to receive sensitive materials for you, inspect them in a secure location, then deliver them to you once they are declared “safe.”
Instead of allowing traffic to reach the network perimeter before it’s inspected, a proxy firewall filters packets through a proxy server with a firewall installed on it, as shown below:
Most proxy firewalls employ certain security capabilities not shared by the last two, such as:
- Deep packet inspection (DPI): DPI searches for malware signatures and outgoing sensitive data, and monitors for restricted content, such as unmanaged virtual private network (VPN) traffic or inappropriate websites.
- Sandboxing: The biggest benefit of a proxy firewall is the distance it creates between threats and your network. This creates a “sandboxing” capability that allows threats to play out in a safe environment that only harms the specific firewall they come into contact with. Most security infrastructures create redundant proxy firewalls that take over in case one is taken down.
- Traffic validation: Just like standard stateful firewalls, proxy firewalls also use administrative tools like ACLs and logging to validate traffic from recognized sources.
Firewalls Are Moving to the Cloud
As consumers and businesses rapidly shift to the cloud, the demands put on the old network perimeter are way outside of the wheelhouse for a standard firewall. Packet filters and stateful firewalls aren’t enough to protect networks, data, and devices from the long list of external and internal threats that exist today.
That’s why firewalls are moving to the cloud and becoming firewalls as a service (FWaaS). These new firewalls converge with other technologies such as secure web gateways (SWG), zero trust architectures, cloud access security brokers (CASB), and other security functions into a new paradigm known as secure access service edge (SASE) architecture.
This convergence makes firewalls more effective at inspecting traffic and protecting your assets and data from new threats that would otherwise evade your standard packet filtering firewall.
If you need to learn more about this convergence as well as the future of cybersecurity, be sure to continuously check back here at Digital.com. We have all of the latest information, product reviews, best practices, and guides you need to make the right choice in your digital transformations.