What is a Firewall?
A firewall is a monitored and controlled boundary between your network and the rest of the internet. Its purpose is to keep cyber threats and malicious or unwanted network traffic out of your network.
Your firewall is your first line of defense. You can think of a firewall as a great wall around your business, protecting your digital assets from cyber threats.
Enjoying the security offered by a defensive wall is nothing new. In AD 122, at the decree of Emperor Hadrian, work began on a wall that was intended to encircle the entire Roman Empire.
One of the few sections that were completed as ordered was the 80-mile stretch built right across England, from Wallsend on the East coast to Bowness-on-Solway on the West. Much of it still stands today. Incidentally, it was the inspiration for the Great Wall in Game of Thrones.
But Hadrian’s Wall wasn’t built to be an impassable barrier. It was a border control that allowed permitted traffic to pass in both directions through the gated forts spaced at five-mile intervals along its length.
Of course, there were rules and regulations about who and what could pass through. If you wanted to take a couple of oxen through, no problem. But if the oxen were pulling a cart loaded with swords and spears, the answer was going to be no.
Your network firewall operates on similar principles. Firewall rules govern what traffic can pass in and out. Instead of forts, your firewall has ports.
All network traffic is trying to arrive at a destination identified by an Internet Protocol (IP) address and a port. There are hundreds of ports; each one is numbered, and each one, either formally or by convention, has a recognized purpose.
Different types of network traffic use ports that are devoted to that type of traffic. Hypertext Transfer Protocol (HTTP) web traffic will default to using port 80. Secure HTTP (HTTPS) will use port 443.
Remote workers who wish to connect to your office might use the Remote Desktop Protocol (RDP), which is handled by port 3389.
All of these ports require rules so that the firewall can enforce your security policy on the traffic attempting to enter and leave your network. The security emphasis is usually on traffic entering the network, but a firewall can just as easily control traffic that is leaving the network.
For information on how firewalls differ from antiviruses, read our firewall vs antivirus guide.
Types of Firewalls
There are many different types of firewalls. We’re going to point out the differences between the main firewall groups. We’re only considering network equipment firewalls here and not considering software firewalls such as the “personal” firewall built into Microsoft Windows.
Traditional Network Firewall
Packet-filtering network firewalls are the type we’ve described above. They provide protection by preventing unwanted traffic – made up of many small packets of information – and suspicious connections from accessing your corporate network. They work by applying a set of rules to traffic and ports and allowing or denying access according to those rules.
The only traffic allowed through the firewall is traffic that satisfies the conditions in the rules based on criteria such as originating IP address, target IP address, port number, and protocol. Everything else is blocked.
These firewalls are very effective – if they are configured correctly. Most successful breaches of firewalls are due to misconfiguration of the firewall rules or out-of-date firmware. And bear in mind, the more capable the firewall, the more complicated it is to set up.
Next-Generation Firewalls
These firewalls extend the capability of a standard network firewall. Standard network firewalls work by packet filtering and allowing packets that match the rule criteria to pass through. Everything else is filtered out. A next-generation firewall uses packet inspection to take a deeper look into the traffic type.
If a traditional firewall is a border guard that checks your background story, inspects your papers, and asks you about your purpose of travel, a next-generation firewall does all of that, then frisks you and searches your luggage.
They look at the contents of each network packet and combine that information with the firewall rules to make a more informed and more granular decision about permitting or denying the traffic to pass.
For example, you might want to allow staff to go on the internet during their lunch break, but you don’t want them to download torrents or use video chats. Next-generation firewalls allow you to be very specific about how applications are used. You could permit Skype for voice calls but not for transferring files, for example.
These devices offer a very high level of protection, which is why they are sometimes a stipulated requirement to achieve certification or compliance against a standard such as the Payment Card Industry Data Security Standard (PCI-DSS), the Health Insurance Portability and Accountability Act (HIPAA), or the ISO/IEC 27001 Information Security Management family of standards.
The granular level of control you have over the data flow into and out of your network allows you to mitigate against a wider number of threat types, including errant staff and disgruntled employees.
The next-generation firewall is usually capable of other security functions too. These might be available out-of-the-box or as optional extras, sometimes using a subscription model. Intrusion detection, malware scanning, and inspection of some encrypted traffic are typical of these extra offerings, often under an umbrella term such as “gateway protection.”
Inspecting a network packet takes a tiny amount of time. But for a high-traffic network, those tiny amounts add up and can introduce throughput delays. To avoid network degradation may require more firewalls and load sharing, or faster, more powerful, and more expensive units built to cope with high data volumes.
Web Application Firewalls
A web application firewall typically comprises a proxy server that sits between an application running on a server and the remote users of that application who access the application via the internet.
The proxy server acts as a messaging middleman, accepting connections from the users and interacting with the application on the server on their behalf. This brokering of the connections provides a shield against port scans and other malicious threats, such as malformed packet attacks. The malformed connections fail at the proxy, not on the application server.
Web application firewalls provide a secure buffer between the web application server, benign users, and malicious threat actors.
Web application firewalls are constructed to be lean and mean, with an emphasis on simplicity and speed. Counter-intuitively, that simplicity makes them less vulnerable to attack and to security vulnerabilities than the web application servers themselves, and they are easier to maintain and to keep patched up to date.
Web applications, by definition, are designed to be accessed from the internet, and a popular application can receive a tremendous volume of traffic.
For some organizations, that is reason enough to separate their corporate firewall needs and to have a firewall dedicated to the network and a web application firewall for the web application traffic. A high-volume web traffic firewall is cheaper than a high-volume network firewall.
Database Firewalls
These are a specialized case of web application firewalls, tailored for the needs of an internet-facing database application. Their design incorporates features that detect and neutralize database-specific attacks, such as SQL injection and cross-site scripting.
Data breaches are bad news all round, incurring reputational damage, lack of confidence in the user base, and possible fines from supervisory authorities. Understandably, it is necessary to take all reasonable steps to protect databases and the data they contain.
Database firewalls usually incorporate a dashboard so that traffic and database accesses can be viewed, reviewed, and reported on. Depending on the nature of the data in the database, this can help with demonstrating compliance with standards and other regulatory requirements.
Unified Threat Management Appliances
A unified threat management appliance combines features from a variety of firewalls and security devices into one device.
A typical selection of features will include:
- A traditional firewall;
- An intrusion detection system;
- Scanning of packets for malicious payloads, viruses, and malware;
- Web address blacklisting, preventing staff from connecting to restricted websites such as known phishing websites.
These appliances are more costly than a traditional firewall and will usually incur ongoing costs for subscriptions to receive anti-virus updates for the packet scanning functions.
They are cheaper, however, than using a suite of dedicated top-end solutions to achieve the same breadth of cover. Dedicated devices will be superior, of course, but for some organizations, it is simply too expensive. A unified threat management appliance is a good alternative.
Cloud-Based Firewalls
The easy way to describe these is firewalls-as-a-service. They are cloud-hosted firewalls provided by specialist firewall providers. They are highly available, scalable, able to handle huge surges in traffic, and may offer some protection against denial of service traffic flood attacks. They are maintained and configured by firewall professionals, so you do not need that niche talent in-house.
Local changes are minimal, often simply forwarding traffic from your corporate routers to the cloud-based firewall. Remote or mobile users can connect to it via Virtual Private Network (VPN) or by using it as a network proxy.
Cloud-based firewalls are particularly suited to multi-location organizations. Each site can be protected by the same firewall technology without having to route all traffic through a central on-premise firewall or to purchase, configure, and deploy multiple firewalls across their IT estate.
Container Firewalls
Container firewalls are designed to specifically deal with the challenges of virtualized off-site computing in containers. They operate very similarly to a traditional network firewall, but they must be able to cope with the added complexity of handling traffic within the container environment as well as incoming traffic from the non-containerized outside world and network traffic sent to that non-containerized outside world.
Because the majority of container hypervisors run on Linux, it is possible to install a software-based firewall on many containers. However, with anything more than a handful of containers to administer, the overhead of maintaining a firewall for each of them becomes untenable.
Network Segmentation Firewalls
A network segmentation firewall is used to protect sub-divisions within the corporate network that have been broken out to serve functional areas, teams, departments, or other segregation requirements.
These are often used to internally ring-fence areas that handle sensitive data, such as payment card data. Along with other measures, such as physical access controls, they can form part of the protection required to satisfy a standard such as the PCI-DSS.
They are also deployed at subnet boundaries to act like bulkheads in a submarine. If you are breached in one area, they can help to contain or slow down the spread of the intrusion or infection.
Network segmentation firewalls are of most benefit to large organizations or companies with large and complex network perimeters that are difficult to secure.
Basic Firewall Errors
The efficacy of a firewall can be undermined by silly mistakes. Your shiny – and possibly very expensive – firewall might not be doing what you think it is if you or your staff fall into these traps.
There are still companies with default admin passwords on their firewalls. This allows a threat actor to remotely connect to your firewall and configure rules to allow them to access your network whenever they wish.
They’ll usually change the password – which you should have done on day one – so that you can’t get back in to lock them out. Instead, you’re locked out.
I wish manufacturers didn’t do this, but some firewalls are delivered with a “standard” set of ports opened. You must ensure you close off all ports you are not using, and create and enforce an operational procedure to only open a port upon a reviewed and agreed business need.
Part of the procedure must be verification that authentication has been applied to connections on that port and that the appropriate governance via your firewall rules is in place.
Setting firewall rules can become complex. An easy trap to fall into is to inadvertently create two rules that contradict one another. These will conflict with one another, and one or both of the rules will fail and will not be enforced. That leaves you exposed by presenting a vulnerability that can be compromised.
Threat actors use port scanners to look for open ports. Each open port is then automatically probed. It should be obvious why it is important that you only open the ports that you need and that the ports that are open are secured.
Port forwarding is a technique where an unusual, non-standard port number is used for something that has a well-defined port, such as RDP on port 3389.
This might be serviced on your firewall on port 32664 and forwarded internally to port 3389 on your RDP server. Port 3389 on your firewall can then be closed, giving the impression to the outside world that you don’t use RDP at all.
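The three ideas above, rule matching on source address, port and protocol with a default deny, a later rule silently contradicted by an earlier one, and a non-standard port forwarded to the real RDP port inside, in one small model. This is an added example written for this article, not code from any firewall product; the policy, rule names, and addresses (203.0.113.0/24, 10.0.0.5) are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow", "deny" or "forward"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # source CIDR such as "203.0.113.0/24", or "any"
    dst_port: Optional[int]  # destination port, or None for any port
    forward_to: Optional[tuple] = None  # (internal_ip, internal_port) for "forward"

def matches(rule, proto, src_ip, dst_port):
    """Do the rule's criteria (protocol, source address, destination port) cover the packet?"""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.src != "any" and ip_address(src_ip) not in ip_network(rule.src):
        return False
    return rule.dst_port is None or rule.dst_port == dst_port

def evaluate(rules, proto, src_ip, dst_port):
    """First matching rule wins; a packet no rule explicitly permits is dropped (default deny)."""
    for r in rules:
        if matches(r, proto, src_ip, dst_port):
            return (r.action, r.forward_to if r.action == "forward" else None)
    return ("deny", None)

def covers(outer, inner):
    """True if every packet matched by `inner` would already have matched `outer`."""
    src_ok = outer.src == "any" or (
        inner.src != "any" and ip_network(inner.src).subnet_of(ip_network(outer.src)))
    return (outer.proto in ("any", inner.proto) and src_ok
            and (outer.dst_port is None or outer.dst_port == inner.dst_port))

def shadowed_rules(rules):
    """Rules that never fire because an earlier rule covers them: (shadowed, hiding rule, actions contradict?)."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                findings.append((later.name, earlier.name, earlier.action != later.action))
                break
    return findings
# Constructed sample policy, not taken from any real firewall
POLICY = [
    Rule("allow-https", "allow", "tcp", "any", 443),
    Rule("deny-rdp", "deny", "tcp", "any", 3389),  # standard RDP port closed to the outside
    Rule("fwd-rdp", "forward", "tcp", "any", 32664, ("10.0.0.5", 3389)),  # non-standard port in, 3389 inside
    Rule("allow-rdp-branch", "allow", "tcp", "203.0.113.0/24", 3389),  # never fires: deny-rdp shadows it
]
```

Running `shadowed_rules(POLICY)` flags the branch-office allow rule as contradicted by the earlier blanket deny, which is exactly the kind of conflict a rule review should catch before it is deployed.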
One way or another, firewalls run on software, and software has bugs. It is vital that you maintain your firewalls and apply any security patches released by the manufacturer to address vulnerabilities that have been discovered in the firmware of the device.
Inevitably, the bottom line is about people. You need budgetary buy-in from the top and people on the front line to configure, deploy, and maintain the firewalls.
Maintenance needs governance in the shape of schedules and procedures. You need people to write them, roll them out, and follow them.
Hadrian’s wall would have been useless without orders, discipline, and well-trained legionaries.