A firewall is a network protection solution designed to prevent unauthorized access to or from a private network by establishing a barrier between your internal network and incoming traffic from external sources (such as the internet). It is a network security device that monitors incoming and outgoing network traffic and permits or blocks data packets based on a set of security rules, in order to block malicious traffic such as viruses and hackers.
Firewalls guard traffic at a computer’s entry points, called ports, which is where information is exchanged with external devices. Only trusted people (source addresses) are allowed to enter the house (destination address) at all; traffic is then further filtered so that people within the house are only allowed to access certain rooms (destination ports), depending on whether they are the owner, a child, or a guest. The owner is allowed into any room (any port), while children and guests are allowed into a certain set of rooms (specific ports).
In protecting private information, a firewall is considered a first line of defense; it cannot, however, be considered the only such line. Firewalls are generally designed to protect network traffic and connections, and therefore do not attempt to authenticate individual users when determining who can access a particular computer or network.
Intrusion detection systems, routers, proxy servers, VPNs and antivirus solutions are not firewalls. A firewall, by definition, filters traffic. While an intrusion prevention system also filters traffic, it bases its decision on analysis of malicious traffic patterns or “signatures” that it knows to be troublesome. Signatures are updated automatically and regularly, usually daily. An IPS is a step up from the intrusion detection system (IDS) in that administrators can take specific actions based on the detected traffic patterns.
Unlike a firewall, a VPN does not filter traffic. VPNs encrypt traffic between devices so that the session can safely traverse public networks (usually the Internet) and is thereby made virtually private. VPNs also terminate connections and build tunnels for that encrypted traffic to pass through. A secure web gateway, on the other hand, has some firewall functionality but is not the same as a firewall; it focuses only on outgoing web traffic (often restricted to ports 80 and 443). Finally, while a proxy can be a part of a firewall, a firewall is not a proxy.
Many firewall architectures are built into other security solutions, and many security solutions are built into firewalls. While next-generation firewalls (NGFWs) can combine the functionality of a VPN, IPS and proxies, it’s important to note that a firewall is fundamentally different from a VPN, IPS, secure web gateway, or proxy.
Firewalls provide many security features.
Network segmentation divides a single physical network into multiple logical networks, each of which behaves as if it runs on its own physical network. Traffic from one segment can’t be seen by or passed to another segment. This significantly reduces the attack surface in the event of a breach.
Historically, workers accessed corporate applications from company offices. Today they access legacy apps, SaaS apps and other cloud services from the office, home, airport and anywhere else they may be. This makes it much easier for threat actors to steal credentials. The Verizon Data Breach Investigations Report found that 81% of hacking-related breaches leveraged stolen and/or weak passwords. Credential-theft prevention blocks employees from using corporate credentials on sites such as Facebook and Twitter. Even though these may be sanctioned applications, using corporate credentials to access them puts the business at risk. Credential-theft prevention works by scanning username and password submissions to websites and comparing those submissions against lists of official corporate credentials. Businesses can choose which websites may receive corporate credentials, or block submissions based on the URL category of the website.
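The following is an added illustration of the credential-theft prevention check described above; it is not code from any firewall vendor. It assumes the firewall holds only keyed hashes (fingerprints) of corporate credential pairs rather than plaintext passwords, and that each destination host has already been mapped to a URL category. All hostnames, credentials, categories and the key are constructed sample values.

```python
"""Credential-theft prevention: decide whether a web form submission
carrying a corporate credential may proceed, based on the URL category
of the destination site. Added example with constructed data."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed per-deployment secret (assumption): a real firewall would be
# provisioned with this key, never have it hard-coded.
HMAC_KEY = b"example-deployment-key"


def fingerprint(username: str, password: str) -> str:
    """Keyed hash of a credential pair, so the device stores no plaintext."""
    msg = username.lower().encode() + b"\x00" + password.encode()
    return hmac.new(HMAC_KEY, msg, hashlib.sha256).hexdigest()


# Constructed corporate credential list (e.g. exported from the directory),
# kept only as fingerprints.
CORPORATE_CREDS = {
    fingerprint("alice@example.com", "CorrectHorseBattery1"),
    fingerprint("bob@example.com", "Tr0ub4dor&3"),
}

# Constructed URL-category lookup and the policy: corporate credentials may
# only be submitted to sites in an allowed category.
URL_CATEGORY = {
    "sso.example.com": "corporate-saas",
    "www.facebook.com": "social-networking",
    "login.unknown-site.test": "unknown",
}
ALLOWED_CATEGORIES = {"corporate-saas"}


@dataclass
class Verdict:
    action: str  # "allow" or "block"
    reason: str


def check_submission(host: str, username: str, password: str) -> Verdict:
    """Evaluate one credential submission seen in an HTTP POST."""
    if fingerprint(username, password) not in CORPORATE_CREDS:
        # Personal credentials are none of the firewall's business.
        return Verdict("allow", "not a corporate credential")
    category = URL_CATEGORY.get(host, "unknown")
    if category in ALLOWED_CATEGORIES:
        return Verdict("allow", f"corporate credential to sanctioned {category} site")
    return Verdict("block", f"corporate credential submitted to {category} site {host}")


if __name__ == "__main__":
    for host, user, pw in [
        ("sso.example.com", "alice@example.com", "CorrectHorseBattery1"),
        ("www.facebook.com", "alice@example.com", "CorrectHorseBattery1"),
        ("www.facebook.com", "alice@example.com", "my-personal-password"),
    ]:
        v = check_submission(host, user, pw)
        print(f"{host:24} {v.action:5} {v.reason}")
```

Matching on the (username, password) pair rather than the password alone keeps false positives down; a deployment that wants to catch password reuse under a different username would fingerprint the password only, at the cost of more blocks.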
A combination of machine learning, analytics and automation can block attacks that leverage the Domain Name System (DNS). In many enterprises, DNS servers are unsecured and completely open to attacks that redirect users to bad sites where they are phished and their data is stolen. When DNS security is integrated into firewalls, machine learning can analyze the massive amount of network data, making standalone analysis tools unnecessary. DNS security integrated into a firewall can predict and block malicious domains through automation and the real-time analysis that finds them. As the number of bad domains grows, machine learning can find them quickly and ensure they don’t become problems.
Firewall policies and rules are the engine that makes firewalls go. Most security professionals are terrified of removing older policies because they don’t know when they were put in place or why. As a result, rules keep getting added with no thought of reducing the overall number. Some enterprises say they have millions of firewall rules in place. The fact is, too many rules add complexity, can conflict with each other, and are time-consuming to manage and troubleshoot.
Policy optimization migrates legacy security policy rules to application-based rules that permit or deny traffic based on which application is being used. This improves overall security by reducing the attack surface and also provides visibility to safely enable application access. Policy optimization identifies port-based rules so they can be converted to application-based whitelist rules, or so that the applications seen on a port-based rule can be added to an existing application-based rule, without compromising application availability. It also identifies over-provisioned application-based rules.
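Here is an added example of the policy-optimization analysis described above; it is not any vendor's implementation. It assumes the firewall has already identified the application on each permitted session and logged which rule allowed it. The rule names, application names and log entries are constructed.

```python
"""Policy optimization over a constructed rulebase and traffic log:
propose app-based whitelist rules for port-based allow rules, flag rules
that matched nothing, and flag app-based rules that allow applications
never observed on them. Added example, not vendor code."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    ports: Set[str] = field(default_factory=set)  # port-based match, e.g. {"tcp/443"}
    apps: Set[str] = field(default_factory=set)   # app-based match; empty = not app-based


# Constructed rulebase: two legacy port-based rules and one app-based rule.
RULES: List[Rule] = [
    Rule("allow-web-out", "allow", ports={"tcp/80", "tcp/443"}),
    Rule("allow-dns-out", "allow", ports={"udp/53"}),
    Rule("allow-saas", "allow", apps={"salesforce", "office365", "dropbox"}),
]

# Constructed traffic log: application identified per session plus the rule
# that permitted it. This is the raw material the optimizer works from.
TRAFFIC_LOG = [
    {"rule": "allow-web-out", "app": "web-browsing"},
    {"rule": "allow-web-out", "app": "ssl"},
    {"rule": "allow-web-out", "app": "office365"},
    {"rule": "allow-saas", "app": "salesforce"},
    {"rule": "allow-saas", "app": "salesforce"},
]


def apps_seen_per_rule(log) -> Dict[str, Set[str]]:
    """Map each rule name to the set of applications observed on it."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for entry in log:
        seen[entry["rule"]].add(entry["app"])
    return seen


def is_port_based(rule: Rule) -> bool:
    return bool(rule.ports) and not rule.apps


def convert_port_rules(rules, log) -> Dict[str, Rule]:
    """Propose an application whitelist for each port-based allow rule that
    carried traffic. The proposal allows exactly the apps seen, so nothing
    that works today breaks, while the port-wide hole closes."""
    seen = apps_seen_per_rule(log)
    proposals: Dict[str, Rule] = {}
    for r in rules:
        if r.action == "allow" and is_port_based(r) and seen.get(r.name):
            proposals[r.name] = Rule(r.name + "-app", "allow", apps=set(seen[r.name]))
    return proposals


def unused_rules(rules, log) -> List[str]:
    """Rules that matched no traffic in the log window: removal candidates."""
    seen = apps_seen_per_rule(log)
    return [r.name for r in rules if not seen.get(r.name)]


def over_provisioned(rules, log) -> Dict[str, Set[str]]:
    """App-based rules that allow applications never observed on them."""
    seen = apps_seen_per_rule(log)
    result: Dict[str, Set[str]] = {}
    for r in rules:
        extra = r.apps - seen.get(r.name, set())
        if r.apps and extra:
            result[r.name] = extra
    return result


if __name__ == "__main__":
    for old, new in convert_port_rules(RULES, TRAFFIC_LOG).items():
        print(f"convert {old} -> {new.name} apps={sorted(new.apps)}")
    print("unused:", unused_rules(RULES, TRAFFIC_LOG))
    print("over-provisioned:", over_provisioned(RULES, TRAFFIC_LOG))
```

The quality of the proposals depends entirely on the length of the log window: a port-based rule observed over one week will miss monthly batch applications, so the observation period should cover a full business cycle before the legacy rule is removed.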
It’s possible to create policies that automate the remediation of anomalous worker activity. The basic premise is that users who share a role within a group should show similar network behavior. For example, if a worker is phished and strange apps are installed, this would stand out and could indicate a breach.
Historically, quarantining a group of users was highly time-consuming because each member of the group had to be addressed and policies enforced individually. With dynamic user groups, when the firewall sees an anomaly it creates policies that counter the anomaly and pushes them out to the user group. The entire group is automatically updated without having to manually create and commit policies.
Several types of firewalls exist:
You can implement a firewall in either hardware or software form, or a combination of both. A software firewall is a program installed on each computer that regulates traffic through port numbers and applications, while a physical firewall is a piece of equipment installed between your network and the gateway.
Packet filtering: The system examines each packet entering or leaving the network and accepts or rejects it according to whether it meets the specified security criteria. This type of firewall checks the packet’s source and destination IP addresses against its rule set; the rules decide whether that flow is safe, malicious, or questionable and in need of inspection. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
Packet-filtering firewalls are divided into two categories: stateful and stateless. Stateless firewalls examine packets independently of one another and lack context, making them easy targets for hackers. In contrast, stateful firewalls remember information about previously passed packets and are considered much more secure.
While packet-filtering firewalls can be effective, they ultimately provide very basic protection and can be very limited. For example, they can’t determine whether the contents of a request will adversely affect the application it’s reaching: if a malicious request allowed from a trusted source address would result in, say, the deletion of a database, the firewall would have no way of knowing that. Next-generation firewalls and proxy firewalls are better equipped to detect such threats.
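As an added illustration of the stateless packet filter just described (not code from the page or from any product), the block below evaluates each packet on its own against an ordered rule list with a default deny, and adds the ingress anti-spoofing check that addresses the IP spoofing weakness mentioned above. The address ranges, interfaces and rules are constructed assumptions.

```python
"""Stateless packet filter: first-match rule evaluation on header fields
only, plus ingress anti-spoofing. Added example with constructed rules."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class Packet:
    iface: str   # interface the packet arrived on: "outside" or "inside"
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Rule:
    action: str                   # "accept" or "reject"
    proto: str = "any"
    src: str = "0.0.0.0/0"        # CIDR; default matches every source
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


# Constructed internal address space behind the firewall.
INTERNAL = ip_network("10.0.0.0/8")

# Constructed rule list. Order matters: the first matching rule wins and the
# final catch-all rejects everything not explicitly permitted.
RULES = [
    Rule("accept", "tcp", dst="10.0.0.5/32", dport=443),   # public web server
    Rule("accept", "udp", dst="10.0.0.53/32", dport=53),   # public resolver
    Rule("reject"),                                         # default deny
]


def is_spoofed(p: Packet) -> bool:
    """Ingress filtering: a packet arriving from outside must not claim an
    internal source address. This is the standard mitigation for the IP
    spoofing weakness of address-based rules."""
    return p.iface == "outside" and ip_address(p.src) in INTERNAL


def filter_packet(p: Packet, rules=RULES) -> Tuple[str, str]:
    """Return (action, reason) for one packet, with no memory of earlier ones."""
    if is_spoofed(p):
        return ("reject", "spoofed internal source on outside interface")
    for i, r in enumerate(rules):
        if r.matches(p):
            return (r.action, f"rule {i}")
    return ("reject", "no rule matched")   # unreachable with a catch-all, kept for safety


if __name__ == "__main__":
    samples = [
        Packet("outside", "tcp", "198.51.100.20", "10.0.0.5", 40000, 443),
        Packet("outside", "tcp", "198.51.100.20", "10.0.0.5", 40000, 22),
        Packet("outside", "tcp", "10.0.0.9", "10.0.0.5", 40000, 443),
    ]
    for s in samples:
        print(s.src, "->", f"{s.dst}:{s.dport}", filter_packet(s))
```

Note what the filter never sees: the payload. A request to 10.0.0.5:443 is accepted whether it is a benign page load or a destructive operation against the application, which is exactly the limitation the paragraph above describes.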
Circuit-level gateway implementation: This process applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
Web application firewall: A web application firewall is a hardware appliance, server plug-in, or some other software filter that applies a set of rules to an HTTP conversation. Such rules are generally customized to the application so that many attacks can be identified and blocked.
Proxy firewalls filter network traffic at the application level. Unlike basic firewalls, the proxy acts as an intermediary between two end systems. The client must send a request to the firewall, where it is evaluated against a set of security rules and then permitted or blocked. Most notably, proxy firewalls monitor traffic for layer 7 protocols such as HTTP and FTP, and use both stateful and deep packet inspection to detect malicious traffic.
Acting as a proxy server: A proxy server is a type of gateway that hides the true network address of the computer(s) connecting through it. Users gain access to the network by going through a process that establishes session state, user authentication, and authorization policy. A proxy server connects to the internet, makes the requests for pages, connections to servers, etc., and receives the data on behalf of the computer(s) behind it. The firewall capabilities lie in the fact that a proxy can be configured to allow only certain types of traffic to pass (for example, HTTP files, or web pages).
A proxy server has the potential drawback of slowing network performance, since it has to actively analyze and manipulate traffic passing through it. The proxy server creates a single point of failure, which means that if the entrance to the network is compromised, then the entire network is compromised.
Stateful Packet Firewall
Stateful packet filtering is the method used by Cisco security appliances. This technology maintains the complete session state of the traffic passing through the firewall. Each time a TCP or UDP connection is established, inbound or outbound, the information is logged in a stateful session flow table.
The stateful session flow table, also known as the state table, contains the source and destination addresses, port numbers, TCP sequencing information, and additional flags for each TCP or UDP connection that is associated with the particular session. This information creates a connection object, and consequently, all inbound and outbound packets are compared against session flows in the stateful session flow table. Data is permitted through the firewall only if an appropriate connection exists to validate its passage.
This method is effective for three reasons.
- It works both on packets and on connections.
- It operates at a higher performance level than packet filtering or using a proxy server.
- It records data in a table for every connection and connectionless transaction. This table serves as a reference point for determining if packets belong to an existing connection or are from an unauthorized source.
Some examples of stateful firewalls are the Cisco PIX and ASA models.
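The block below is an added, simplified model of the stateful session flow table described above; it is not Cisco's implementation and omits TCP sequence tracking. It assumes a policy where only inside hosts may initiate connections, so an inbound packet is permitted only if it matches an existing connection object, and idle entries age out. Addresses, ports and the clock are constructed.

```python
"""Stateful session flow table: connection objects are created by outbound
initiations, return traffic is permitted only when an entry exists, and
idle entries expire. Added example, not vendor code."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = inside -> outside, "in" = outside -> inside
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


FlowKey = Tuple[str, str, int, str, int]   # (proto, inside_ip, inside_port, outside_ip, outside_port)


class StateTable:
    def __init__(self, idle_timeout: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        self.flows: Dict[FlowKey, dict] = {}
        self.idle_timeout = idle_timeout
        self.clock = clock   # injectable so expiry can be tested deterministically

    @staticmethod
    def key(p: Packet) -> FlowKey:
        """Normalize both directions of a session onto one table entry."""
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def expire(self) -> None:
        now = self.clock()
        stale = [k for k, v in self.flows.items() if now - v["last"] > self.idle_timeout]
        for k in stale:
            del self.flows[k]

    def process(self, p: Packet) -> str:
        """Return "permit" or "deny" and update the table."""
        self.expire()
        now = self.clock()
        k = self.key(p)
        entry = self.flows.get(k)
        if entry is not None:
            # Existing connection object validates this packet's passage.
            if (p.proto == "tcp" and entry["state"] == "SYN_SENT"
                    and p.direction == "in" and {"SYN", "ACK"} <= p.flags):
                entry["state"] = "ESTABLISHED"
            entry["last"] = now
            return "permit"
        # No entry: only an outbound initiation (TCP SYN, or any UDP datagram
        # from inside) may create one under this policy.
        initiates = p.proto != "tcp" or p.flags == frozenset({"SYN"})
        if p.direction == "out" and initiates:
            self.flows[k] = {"state": "SYN_SENT" if p.proto == "tcp" else "OPEN",
                             "last": now}
            return "permit"
        return "deny"


if __name__ == "__main__":
    st = StateTable()
    syn = Packet("out", "tcp", "10.0.0.7", "203.0.113.10", 51000, 443, frozenset({"SYN"}))
    synack = Packet("in", "tcp", "203.0.113.10", "10.0.0.7", 443, 51000, frozenset({"SYN", "ACK"}))
    stray = Packet("in", "tcp", "198.51.100.1", "10.0.0.7", 443, 51001, frozenset({"SYN", "ACK"}))
    for p in (syn, synack, stray):
        print(p.direction, p.src, "->", p.dst, st.process(p))
```

The expiry step is what keeps the table from being a permanent hole: a reply that arrives after the idle timeout is treated like any other unsolicited inbound packet.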
Stateful multilayer inspection (SMLI) firewalls filter packets at the network, transport, and application layers, comparing them against known trusted packets. Like NGFWs, SMLI firewalls examine the entire packet and only allow it to pass if it passes each layer individually. These firewalls examine packets to determine the state of the communication (hence the name) and ensure that all initiated communication takes place only with trusted sources.
Network address translation (NAT) firewalls allow multiple devices with independent network addresses to connect to the internet using a single IP address, keeping individual IP addresses hidden. As a result, attackers scanning a network for IP addresses can’t capture specific details, providing greater security against attacks. NAT firewalls are similar to proxy firewalls in that they act as an intermediary between a group of computers and outside traffic.
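To make the NAT behaviour above concrete, here is an added example (not from the page or any product) of a port-based NAT translation table: outbound packets are rewritten to the single public address and recorded, replies are mapped back to the originating inside host, and inbound packets with no mapping are dropped, so an outside scanner sees only the public address. All addresses and ports are constructed.

```python
"""Port-based NAT table: hides inside addresses behind one public IP and
drops unsolicited inbound traffic. Added example with constructed data."""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]
Header = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


class NatTable:
    def __init__(self, public_ip: str, first_port: int = 40000, last_port: int = 60000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        # outbound key: (proto, inside_ip, inside_port, dst_ip, dst_port) -> public port
        self.out_map: Dict[Tuple[str, str, int, str, int], int] = {}
        # inbound key: (proto, public_port, remote_ip, remote_port) -> inside endpoint
        self.in_map: Dict[Tuple[str, int, str, int], Endpoint] = {}

    def outbound(self, proto: str, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Header:
        """Rewrite an inside->outside header and remember the mapping."""
        k = (proto, src_ip, src_port, dst_ip, dst_port)
        if k not in self.out_map:
            if self.next_port > self.last_port:
                raise RuntimeError("NAT port pool exhausted")
            public_port = self.next_port
            self.next_port += 1
            self.out_map[k] = public_port
            self.in_map[(proto, public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.out_map[k], dst_ip, dst_port)

    def inbound(self, proto: str, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> Optional[Header]:
        """Map an outside->public header back to the inside host, or None
        (drop) when nothing inside asked for it."""
        if dst_ip != self.public_ip:
            return None
        inside = self.in_map.get((proto, dst_port, src_ip, src_port))
        if inside is None:
            return None   # no mapping: inside hosts are unreachable from outside
        return (src_ip, src_port, inside[0], inside[1])


if __name__ == "__main__":
    nat = NatTable("198.51.100.2")
    print("out:", nat.outbound("tcp", "10.0.0.7", 51000, "203.0.113.10", 443))
    print("reply:", nat.inbound("tcp", "203.0.113.10", 443, "198.51.100.2", 40000))
    print("scan:", nat.inbound("tcp", "198.51.100.99", 1234, "198.51.100.2", 40001))
```

Because the inbound lookup is keyed on the remote address and port as well as the public port, a third party cannot reach an inside host simply by guessing a port that happens to be in use.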
In practice, many firewalls use two or more of these techniques in concert.
Next Generation Firewalls
Cyber attacks such as web-based exploit kits, malware, ransomware, application-layer attacks, and targeted threats, combined with the advancement of cloud technology and web-based applications, have introduced additional layers of complexity in the network. As a result, traditional threat detection technologies and methods are proving insufficient to resist today’s modern threats effectively.
A next generation firewall is a network security device that combines traditional firewall technology with additional functionality, such as encrypted traffic inspection, intrusion prevention systems, anti-virus, and more. Most notably, it includes deep packet inspection (DPI). While basic firewalls only look at packet headers, deep packet inspection examines the data within the packet itself, enabling users to more effectively identify, categorize, or stop packets with malicious data.
While a traditional firewall typically provides stateful inspection of incoming and outgoing network traffic, a next-generation firewall includes additional features like application awareness and control, integrated intrusion prevention, and cloud-delivered threat intelligence.
Virtual Firewall
A virtual firewall, aka cloud firewall, is a network security solution designed specifically for environments in which deploying hardware firewalls is difficult or impossible, such as public and private cloud environments; software-defined networks, or SDN; and software-defined wide area networks, or SD-WAN.
Like hardware firewalls, virtual firewalls grant or reject network access to traffic flows between untrusted zones and trusted zones. Unlike hardware firewalls – which are physically located on-premises in data centers – virtual firewalls are essentially software, making them ideal for securing virtual environments.
Firewall as a Service (FWaaS)
With the emergence of cloud technology, firewalls are now being deployed as a bundled solution that makes the firewall available on any device, handles any traffic workload and enforces consistent policies across the organization. Firewall as a Service (FWaaS) is a new and revolutionary way of delivering firewall and other network security capabilities as a cloud service. Enterprises have always deployed next-generation firewalls as appliances. While the form factor varies between physical and virtual appliances, deployed on-premises or in the cloud, customers have had to support the full appliance life cycle: distributed locations needed dedicated appliances that had to be sized and upgraded to accommodate business growth, appliance software had to be patched and upgraded, and policy management was done on a per-appliance basis. We refer to this as the “appliance straitjacket”, and it has affected both enterprises and service providers.
Firewall as a Service (FWaaS) is a new type of a next-generation firewall. It does not merely hide physical firewall appliances behind a “cloud duct tape”, but truly eliminates the appliance form factor, making firewall services available everywhere. In essence, the entire organization is connected to a single, logical global firewall with a unified application-aware security policy. Gartner has highlighted FWaaS as an emerging infrastructure protection technology with a high impact benefit rating.
Compared to traditional firewalls, FWaaS improves scalability, provides a unified security policy, improves visibility, and simplifies management. These features allow an organization to spend less time on repetitive tasks such as patching and upgrades, and provide responsive scalability to fast-changing business requirements.
PacStar 451 with Juniper vSRX Virtual Firewall Approved for U.S. Government Classified Use, Sep 2020
PacStar®, a leading developer and supplier of advanced communications solutions for the U.S. Department of Defense (DoD), today announced that PacStar 451 integrated with the vSRX Virtual Firewall from Juniper Networks, a leader in secure, AI-driven networks, will be added to the National Security Agency (NSA) component list for use in NSA CSfC (Commercial Solutions for Classified) solutions. This combined solution delivers a complete virtual next generation firewall, including advanced security, robust networking and automated virtual machine lifecycle management capabilities for tactical applications, enabling security specialists to deploy and scale firewall protection in highly dynamic environments.
“PacStar 451 with Juniper vSRX Virtual Firewall will join the comprehensive suite of technologies available with PacStar 400-Series modules eligible for use in CSfC solutions,” said Peggy J. Miller, CEO of PacStar. “We are proud to be working with Juniper Networks to add another solution to our list of CSfC offerings and to deliver small form factor, rugged and high-performance security solutions for deployed, tactical and expeditionary use.”
The combined PacStar 451 with the Juniper vSRX boasts comprehensive security features, including:
- Virtual firewall with L4-L7 advanced security services
- UTM capabilities including antivirus, web filtering, content filtering and anti-spam
- Intrusion Prevention System (IPS) with zero-day protection, protocol decoding and packet capture
- Application visibility and control
- Advanced Threat Protection including cloud-based deep inspection, threat feeds and encrypted traffic analysis
- IPsec VPN Gateway and extensive networking and routing features
- Unified management and open APIs
“The joint PacStar/Juniper Networks solution extends the reach of our Juniper Connected Security solution to our DoD and IC customers. The joint solution provides a flexible, robust, certified and secure CSfC solution that integrates seamlessly within existing DoD and IC networks,” said Gregory Bourdelais, Juniper Networks DoD Director of Sales.
Firewall Market
The enterprise firewall market is expected to register a CAGR of 9.44% during the forecast period (2019–2024). Earlier enterprise firewalls have lost their feasibility in the current market, as the high level of threats posed by modern hacking methods cannot be handled by conventional systems. The increasing demand for network security, especially in the manufacturing sector, is primarily due to the rapid adoption of Industry 4.0 policies; IoT applications are also expected to create a huge demand for enterprise firewall systems.
North America to Account for a Major Share. The North American region currently dominates the global market, owing to the high priority businesses place on securing the large volume of sensitive and important data they handle, and the continuous adoption of high-performing network security solutions by organizations.
In recent times, major US firms suffered from the WannaCry ransomware attack, in which data was encrypted and a ransom was demanded in cryptocurrency. The attack succeeded because the data of millions of customers was unsecured, and this is worrying the industries of the region; hence stringent government regulations regarding consumer privacy were imposed, which is expected to drive the growth of the market in this region.
Major key players are Palo Alto Networks, Dell Technologies, Huawei Technologies Co. Ltd., Fortinet, Barracuda Networks, Forcepoint LLC, WatchGuard Technologies, Check Point Software Technologies Ltd., Hillstone Networks, Sophos Technologies Pvt. Ltd (Cyberoam), Untangle and Zscaler.