What Is A Firewall
Finding the right network security tools to secure your sensitive data can be a significant
challenge for any organization. Choosing a firewall may seem like a simple task, but
companies can get overwhelmed by the different firewall types and options. Making the
distinction between a firewall and other security solutions can also pose challenges.
Here are the answers to some of the most common firewall questions.
A firewall’s main objective is to establish a barrier (or “wall”) that separates an internal
network from incoming external traffic (such as the internet), for the purpose of blocking
malicious traffic such as malware and intrusion attempts.
When discussing firewalls, it is critical to clear up any confusion regarding what constitutes a
firewall and what does not. For instance, intrusion detection systems, routers, proxy servers,
VPNs and antivirus solutions are not firewalls. Many firewall architectures are built into
other security solutions, and many security solutions are built into firewalls.
Firewalls carefully analyze incoming traffic arriving at a computer’s entry points, called
ports, which determine how external devices communicate with each other and exchange
information.
Firewalls operate using specific firewall rules. A firewall rule will typically include a source
address, a protocol, a port number and a destination address.
Only trusted people (source addresses) may enter the castle (destination address) at all. Or
perhaps only people that arrive on foot (protocol). Once inside, only people within the house
are permitted to enter certain rooms (destination ports), depending on who they are. The king
may be allowed in any room (any port), while guests and servants may only access a certain
number of rooms (specific ports).
In this analogy, the firewall would act like an elaborate alarm system.
First, firewalls are classified by what they are and where they reside. For example, firewalls
can either be hardware or software, cloud-based or on-premises.
A software firewall resides on an endpoint (like a computer or mobile device) and regulates
traffic directly on that device. Hardware firewalls are physical pieces of equipment that
reside between your gateway and your network. Cloud-based firewalls, also known as
Firewall-as-a-service (FaaS), act like any other internet-based SaaS solution, performing
their work in the cloud.
Next, and this is the most common distinction between types, firewalls are classified by
functionality:
Packet-filtering firewalls
Proxy firewalls
NAT firewalls
Web application firewalls
Next-gen firewalls (NGFW)
Packet-filtering firewalls
Packet-filtering firewalls, the most basic firewall type, examine packets and prevent them
from moving on if the applicable security rule is not met. This firewall performs a simple
check of every data packet arriving from the network router, inspecting specifics like source
and destination IP address, port number, protocol, and other surface-level data.
Packet-filtering firewalls don’t open data packets to inspect their contents. Any data packet
that fails the simple inspection is dropped.
These firewalls are not resource-intensive and have a low impact on system performance.
Their main drawback is that they provide only basic protection and are therefore more
vulnerable to being bypassed.
Packet-filtering firewalls can be either stateful or stateless. Stateless firewalls analyze each
packet individually, whereas stateful firewalls, the more secure option, also take previously
inspected packets into consideration.
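The rule fields listed earlier (source address, protocol, port number, destination address) and the stateless-versus-stateful distinction can be shown in a few dozen lines. The following is an added example, not code from the original post: a toy packet filter that evaluates the same rule set twice, once per packet in isolation and once with a connection table. The addresses, ports, rule format and sample packets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the original post). Field names, rule format and all
# addresses/ports below are constructed assumptions for illustration only.

@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    sport: int          # source port
    dst: str            # destination IP address
    dport: int          # destination port
    proto: str          # "tcp" or "udp"
    inbound: bool       # True if arriving from outside the protected network
    syn: bool = False   # TCP SYN, i.e. a new connection attempt

@dataclass(frozen=True)
class Rule:
    action: str                               # "allow" or "deny"
    src: Optional[str] = None                 # None matches any value
    dst: Optional[str] = None
    proto: Optional[str] = None
    dports: Optional[Tuple[int, int]] = None  # inclusive destination-port range

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or self.src == p.src)
                and (self.dst is None or self.dst == p.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dports is None or self.dports[0] <= p.dport <= self.dports[1]))

def stateless_decide(rules: List[Rule], p: Packet) -> str:
    """Judge each packet on its own: first matching rule wins, default deny.
    Outbound traffic from the protected network is simply allowed here."""
    if not p.inbound:
        return "allow"
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

class StatefulFilter:
    """Same rules, plus a table of flows the inside opened, so reply packets
    are admitted without a blanket inbound rule for high ports."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows = set()   # (inside_ip, inside_port, outside_ip, outside_port, proto)

    def decide(self, p: Packet) -> str:
        if not p.inbound:
            # Outbound packet: allow it and remember the flow for the reply.
            self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return "allow"
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.flows:
            return "allow"            # reply to a connection the inside started
        if p.proto == "tcp" and not p.syn:
            return "deny"             # mid-stream packet with no known connection
        return stateless_decide(self.rules, p)   # new inbound connection: rules apply

WEB_SERVER = "10.0.0.5"
WORKSTATION = "10.0.0.7"

# Stateless rule set: to let replies to outbound browsing back in it needs a
# blanket allow for high ports, which is exactly the gap that lets unsolicited
# traffic through.
STATELESS_RULES = [
    Rule("allow", dst=WEB_SERVER, proto="tcp", dports=(443, 443)),
    Rule("allow", proto="tcp", dports=(1024, 65535)),
]
# Stateful rule set: only the published service needs an inbound rule.
STATEFUL_RULES = [Rule("allow", dst=WEB_SERVER, proto="tcp", dports=(443, 443))]

# Constructed sample traffic, in the order it arrives.
SAMPLE_PACKETS = {
    "client_to_web":         Packet("203.0.113.9", 51000, WEB_SERVER, 443, "tcp", True, syn=True),
    "workstation_out":       Packet(WORKSTATION, 50000, "203.0.113.9", 443, "tcp", False, syn=True),
    "reply_to_workstation":  Packet("203.0.113.9", 443, WORKSTATION, 50000, "tcp", True),
    "unsolicited_high_port": Packet("198.51.100.2", 4444, WORKSTATION, 50001, "tcp", True, syn=True),
}

def compare(packets=SAMPLE_PACKETS):
    """Return {name: (stateless verdict, stateful verdict)} for each sample packet."""
    stateful = StatefulFilter(STATEFUL_RULES)
    return {name: (stateless_decide(STATELESS_RULES, p), stateful.decide(p))
            for name, p in packets.items()}

if __name__ == "__main__":
    for name, (sl, sf) in compare().items():
        print(f"{name:24} stateless={sl:5} stateful={sf}")
```

The last sample packet is the one that matters: an unsolicited connection to a workstation’s high port is accepted by the stateless rule set, because the same rule that admits legitimate replies admits it too, while the stateful filter rejects it because no inside host opened that flow.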
Proxy firewalls
Proxy firewalls typically operate in the cloud or through another proxy device. Instead of
letting outside traffic connect directly to the protected host, the proxy establishes its own
connection to the traffic’s source and inspects the data packets before passing them on.
Speed can be a key weakness of proxy firewalls, as the transfer process creates extra steps
that may slow things down.
NAT firewalls
Network address translation (NAT) firewalls work by assigning a single public address to a
group of devices inside a private network. With NAT, the individual IP addresses are hidden,
so attackers scanning the network see only the shared public address and cannot discover
details about the specific devices behind it.
NAT firewalls and proxy firewalls both act as a go-between connecting groups of devices
with outside traffic.
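To make the “hidden addresses” point concrete, here is an added example (not code from the original post) of the translation table a NAT firewall keeps. Two private hosts share one public address; replies are mapped back to the right host, and packets with no matching entry, including a probe to an unused port, are dropped. All addresses and ports are constructed values.

```python
from itertools import count
from typing import Dict, Optional, Tuple

# Added example (not from the original post). The public address, private
# addresses and port numbers are constructed for illustration.

PUBLIC_IP = "203.0.113.1"   # the only address the outside world ever sees

Mapping = Tuple[str, int, str, int]   # (private_ip, private_port, remote_ip, remote_port)

class NatFirewall:
    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = count(first_port)          # public ports handed out in order
        self.out_table: Dict[Mapping, int] = {}      # private flow  -> public port
        self.in_table: Dict[int, Mapping] = {}       # public port   -> private flow

    def outbound(self, private_ip: str, private_port: int,
                 remote_ip: str, remote_port: int) -> Tuple[str, int]:
        """Rewrite an outgoing packet; returns the (src_ip, src_port) the remote side sees."""
        key = (private_ip, private_port, remote_ip, remote_port)
        if key not in self.out_table:
            pub_port = next(self._next_port)
            self.out_table[key] = pub_port
            self.in_table[pub_port] = key
        return self.public_ip, self.out_table[key]

    def inbound(self, remote_ip: str, remote_port: int,
                public_port: int) -> Optional[Tuple[str, int]]:
        """Map an incoming packet back to the private host, or return None to drop it.
        Only a packet that matches an existing outbound mapping from the same remote
        endpoint gets through; anything unsolicited has no entry and is dropped."""
        entry = self.in_table.get(public_port)
        if entry is None:
            return None
        private_ip, private_port, mapped_ip, mapped_port = entry
        if (remote_ip, remote_port) != (mapped_ip, mapped_port):
            return None
        return private_ip, private_port

def demo() -> dict:
    """Walk two hosts through the NAT and return what each side observes."""
    nat = NatFirewall()
    a = nat.outbound("192.168.1.10", 51234, "198.51.100.7", 443)   # laptop to a website
    b = nat.outbound("192.168.1.11", 51234, "198.51.100.7", 443)   # second host, same local port
    reply = nat.inbound("198.51.100.7", 443, a[1])                 # website answers the laptop
    scan = nat.inbound("198.51.100.99", 12345, 40002)              # probe to a port with no mapping
    spoof = nat.inbound("198.51.100.99", 443, a[1])                # right port, wrong remote endpoint
    return {"a": a, "b": b, "reply": reply, "scan": scan, "spoof": spoof}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:6} -> {value}")
```

Both private hosts leave the network as 203.0.113.1, distinguished only by the public port the table assigned, which is why a scan from outside learns nothing about 192.168.1.10 or 192.168.1.11 individually.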
Web application firewalls
Web application firewalls (WAF) are responsible for filtering, monitoring, and
blocking data packets as they travel in and out of websites or web applications. A WAF can
either reside on the network, at the host or in the cloud and is typically placed in front of one
or many websites or applications. WAFs are available as server plugins, cloud services, or
network appliances.
A WAF is most similar to the proxy firewall, but has a more specific focus on defending
against application-layer, web-based attacks.
Next-gen firewalls (NGFW)
As the threat landscape intensifies, the Next-generation firewall (NGFW) is the most popular
firewall type available today.
Thanks to major improvements in storage space, memory, and processing speed,
NGFWs build upon traditional firewalls’ features and add other critical security functions like
intrusion prevention, VPN, anti-malware, and even encrypted traffic inspection. An NGFW’s
ability to perform deep packet inspection means that the firewall can unpack a packet’s data
and prevent any packet carrying malicious content from moving forward.
Compared to traditional firewalls, these firewalls provide extensive application control and
visibility, distinguish between safe and dangerous applications, and block malware from
entering a network.
While most recent firewall solutions on the market are touted as NGFWs, the security
industry lacks consensus on what classifies a next-gen firewall. Without a clear definition,
companies must do their due diligence to understand what specific security features are
available before making an investment.
While NGFWs can combine the functionality of a VPN, IPS and proxies, it’s important to
note that a firewall is fundamentally different from a VPN, IPS, secure web gateway, or
proxy.
A firewall, by definition, filters traffic. While an intrusion prevention system also filters
traffic, it bases its decision on analysis of malicious traffic patterns, or “signatures”, that it
knows to be troublesome. Signatures are updated automatically and regularly, usually daily.
An IPS is a step up from the intrusion detection system (IDS) in that administrators can take
specific actions based on the detected traffic patterns.
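The firewall/IPS distinction comes down to which part of the packet each one decides on. The following added example (not code from the original post) runs the same constructed HTTP request through a header-only firewall check and then a payload signature check, and also shows a signature feed being refreshed at runtime. The signature pattern, port policy and sample requests are constructed placeholders, not real IPS content.

```python
import re
from typing import Dict, Optional

# Added example (not from the original post). The signature below is a
# constructed test marker, not a real detection rule; ports and requests are
# constructed sample values.

SIGNATURES: Dict[str, re.Pattern] = {
    "sig-0001-test-marker": re.compile(rb"TEST-MALICIOUS-PATTERN"),
}

def load_signatures(feed: Dict[str, bytes]) -> int:
    """Merge a (constructed) daily signature update; returns the number added."""
    added = 0
    for name, pattern in feed.items():
        if name not in SIGNATURES:
            SIGNATURES[name] = re.compile(pattern)
            added += 1
    return added

def firewall_allows(dst_port: int, proto: str) -> bool:
    """Firewall decision: header fields only. Here, only web ports over TCP are allowed."""
    return proto == "tcp" and dst_port in (80, 443)

def ips_match(payload: bytes) -> Optional[str]:
    """IPS decision: payload content. Returns the first matching signature name."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            return name
    return None

def classify(dst_port: int, proto: str, payload: bytes) -> str:
    """Apply the firewall first, then the IPS, and report which layer acted."""
    if not firewall_allows(dst_port, proto):
        return "dropped by firewall"
    sig = ips_match(payload)
    if sig is not None:
        return f"blocked by IPS ({sig})"
    return "allowed"

if __name__ == "__main__":
    samples = [
        (80, "tcp", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        (80, "tcp", b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\nTEST-MALICIOUS-PATTERN"),
        (22, "tcp", b"SSH-2.0-client"),
    ]
    for port, proto, body in samples:
        print(f"port {port:3} {proto}: {classify(port, proto, body)}")
```

The second request is indistinguishable from the first at the firewall (same port, same protocol); only the payload inspection tells them apart, which is the work the page attributes to an IPS rather than to a firewall.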
Unlike a firewall, a VPN does not filter traffic. VPNs encrypt traffic between devices so that
the session can safely traverse public networks (usually the Internet) as a virtually private
connection. VPNs also terminate connections and build tunnels for that encrypted traffic
to pass through.
A secure web gateway, on the other hand, has some firewall functionality but is not the same
as a firewall and only focuses on outgoing web traffic (often restricted to ports 80 and 443).
Deciding on a firewall
When choosing the right firewall architecture for your organization, the question you need to
ask may not be, “Which firewall type should we go with?”
Better questions to ask might include, “What combination of firewalls do we need?” and
“What are the assets that I want to protect and where are they located?”
Only one layer of protection, no matter how secure, is probably not enough security for your
business. By deploying multiple layers of firewalls in different areas on your network and
even on your endpoints, you’ll be creating a defense-in-depth strategy necessary for today’s
threat landscape.
A hybrid solution that combines your existing on-site devices and solutions with managed
network security services is even better, because when it comes to protecting your business,
it’s not just a decision about firewalls; it’s a decision about how firewalls fit into your overall
security strategy.
Mark Stone is a content and copy writer with over a decade of experience covering
technology, business, and cybersecurity. Earlier in his career, he was a cybersecurity analyst
in the public sector. He lives in Kelowna, BC with his wife and two black cats.