One of the major challenges that companies face when trying to secure their sensitive data is finding the right tools for the job. Even for a common tool such as a firewall, many businesses might not have a clear idea of how to find the right firewall (or firewalls) for their needs, how to configure those firewalls, or why such firewalls might be necessary.
Right now, there are five different types of firewall architectures, broadly speaking:
Packet-filtering firewalls
Stateful inspection firewalls
Circuit-level gateways
Application-level gateways (a.k.a. proxy firewalls)
Next-gen firewalls
How do these firewalls work? And, which ones are the best for your business’ cybersecurity needs?
1. Packet-filtering firewalls
2. Stateful inspection firewalls
3. Circuit-level gateways
4. Application-level gateways
5. Next-gen firewalls
As the most “basic” and oldest type of firewall architecture, packet-filtering firewalls basically create a checkpoint at a traffic router or switch. The firewall performs a simple check of the data packets coming through the router—inspecting information such as the source and destination IP addresses, packet type, port number, and other surface-level header information without opening up the packet to inspect its contents.
If the information packet doesn’t pass the inspection, it is dropped.
The good thing about these firewalls is that they aren’t very resource-intensive. This means they don’t have a huge impact on system performance and are relatively simple. However, they’re also relatively easy to bypass compared to firewalls with more robust inspection capabilities.
As another simplistic firewall type that is meant to quickly and easily approve or deny traffic without consuming significant computing resources, circuit-level gateways work by verifying the transmission control protocol (TCP) handshake. This TCP handshake check is designed to make sure that the session the packet is from is legitimate.
While extremely resource-efficient, these firewalls do not check the packet itself. So, if a packet held malware but had the right TCP handshake, it would pass right through. This is why circuit-level gateways are not enough to protect your business by themselves.
Stateful Inspection Firewalls
Stateful firewalls were later designed to address security issues that emerged with the first generation, such as forged connection information (spoofing).
The key idea was to make filtering connection-aware: the filtering mechanism keeps track of connections and uses that knowledge to decide whether a packet is legitimate. This auxiliary structure is known as the connection table or state table.
With the state table, every connection start is registered (a new state entry is created). When a return packet arrives, the stateful firewall checks the state table before evaluating the access rules; if it finds an associated connection, it accepts the packet without processing the rules. Otherwise, the packet is discarded.
Using a stateful firewall substantially increases the security of the environment, since the parameters used to validate an active connection are tracked in this structure. The level and complexity of tracking depends on the vendor: some track only source and destination addresses and ports, while others, in the case of TCP, also track sequence and acknowledgment numbers, window size, and so on.
As the connection progresses through packet exchanges, the state table is continuously updated with the new information, in order to ensure continuity of security and integrity. This process also guarantees the validity of the connection without requiring the access rules defined by the administrator to be evaluated again.
A stateful firewall also saves significant computing resources: the initial effort of creating a new connection entry is offset, until the connection closes, by not having to process the access rules for each packet. This filtering mechanism is very common in modern solutions and remains a fundamental element of a defense-in-depth strategy.
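As an added example (not part of the original article), the following Python model of a stateful packet filter shows both the TCP handshake check described under circuit-level gateways and the state-table lookup described above: the access rules are consulted only for a flow's first packet, return packets are validated against the connection table, and a forged reply with no prior connection is dropped. All addresses, ports and packets are constructed sample values; the rule set, class and function names are assumptions.

```python
from collections import namedtuple

# A packet header as the filter sees it; flags is a frozenset of TCP flag names.
Packet = namedtuple("Packet", "src sport dst dport flags")

# Administrator's access rules: (dst, dport) pairs internal hosts may open (constructed).
ALLOW_NEW = {("203.0.113.10", 443)}

class StatefulFirewall:
    def __init__(self):
        self.state = {}           # flow key -> handshake stage
        self.rules_evaluated = 0  # how often the rule set was consulted

    @staticmethod
    def flow_key(p):
        # Same key for both directions, so replies find the original entry.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def filter(self, p):
        k = self.flow_key(p)
        if k in self.state:                       # state table consulted first
            stage = self.state[k]
            if stage == "SYN_SENT" and p.flags == {"SYN", "ACK"}:
                self.state[k] = "SYN_RECEIVED"
            elif stage == "SYN_RECEIVED" and p.flags == {"ACK"}:
                self.state[k] = "ESTABLISHED"
            elif stage == "ESTABLISHED" and "SYN" not in p.flags:
                pass                              # data packet of a known flow
            else:
                return "DROP"                     # does not fit the handshake
            if p.flags & {"FIN", "RST"}:
                del self.state[k]                 # connection closing: forget it
            return "ACCEPT"
        # No entry: only a fresh SYN may create one, and only if a rule allows it.
        self.rules_evaluated += 1
        if p.flags == {"SYN"} and (p.dst, p.dport) in ALLOW_NEW:
            self.state[k] = "SYN_SENT"
            return "ACCEPT"
        return "DROP"

def demo():
    # Normal handshake, one data packet, then a forged reply with no prior SYN.
    fw = StatefulFirewall()
    client, server = ("192.0.2.5", 51000), ("203.0.113.10", 443)
    flows = [Packet(*client, *server, frozenset({"SYN"})),
             Packet(*server, *client, frozenset({"SYN", "ACK"})),
             Packet(*client, *server, frozenset({"ACK"})),
             Packet(*server, *client, frozenset({"ACK", "PSH"})),
             Packet("198.51.100.9", 443, *client, frozenset({"ACK"}))]  # spoofed
    return [fw.filter(p) for p in flows], fw.rules_evaluated
```

Running `demo()` shows five packets producing only two rule evaluations: the rest are decided by the state table alone, which is the resource saving the paragraph above describes.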
Proxy Firewalls (Application-Level Gateways)
Proxy firewalls operate at the application layer to filter incoming traffic between your network and the traffic source—hence, the name “application-level gateway.” Rather than letting traffic connect directly, the proxy firewall first establishes a connection to the source of the traffic and inspects the incoming data packet.
This check is similar to the stateful inspection firewall in that it looks at both the packet and at the TCP handshake. However, proxy firewalls may also perform deep packet inspection, checking the actual contents of the information packet to verify that it contains no malware.
Once the check is complete, and the packet is approved to connect to the destination, the proxy sends it off. This creates an extra layer of separation between the “client” (the system where the packet originated) and the individual devices on your network—obscuring them to create additional anonymity and protection for your network.
If there’s one drawback to proxy firewalls, it’s that they can create significant slowdown because of the extra steps in the data packet transferal process.
Many of the most recently-released firewall products are being touted as “next-generation” architectures. However, there is not as much consensus on what makes a firewall truly next-gen.
Some common features of next-generation firewall architectures include deep-packet inspection (checking the actual contents of the data packet), TCP handshake checks, and surface-level packet inspection. Next-generation firewalls may include other technologies as well, such as intrusion prevention systems (IPSs) that work to automatically stop attacks against your network.
The issue is that there is no one definition of a next-generation firewall, so it’s important to verify what specific capabilities such firewalls have before investing in one.
Which Firewall Architecture is Right for Your Company?
So, which firewall architecture is the right one for your business?
The simple packet filtering or circuit-level gateway, which provides basic protection that has minimal performance impact?
The stateful inspection architecture that combines the capabilities of both of the previous two options, but has a larger performance impact?
Or a proxy or next-gen firewall that offers far more robust protection in exchange for additional expenses and an even higher performance impact?
The real question is “why would you only use one?”
No one protection layer, no matter how robust, will ever be enough to protect your business. To provide better protection, your networks should have multiple layers of firewalls, both at the perimeter and separating different assets on your network.
Having additional firewalls helps to make your network tougher to crack by creating additional defense-in-depth that isolates different assets—making it so attackers have to perform extra work to reach all of your most sensitive information.
The particular firewalls that you will want to use will depend on the capabilities of your network, relevant compliance requirements for your industry, and the resources you have in place to manage these firewalls.
Need help finding the ideal firewall architecture for your business’ needs? Consider starting with a security policy audit and assessment first. This can help you identify all of the assets on your network that need protecting so you can better optimize your firewall implementation.
Or, contact Blazenet Cybersecurity to get more assistance with perfecting your company’s cybersecurity strategy.