Firewalls are an essential part of network security. They are used to protect your internal network from external threats that can compromise your data, your assets and resources—and even your reputation. A firewall is usually deployed so that everyone entering or leaving your network must pass through it, rather like the drawbridge of a medieval castle surrounded by a moat.
Like a drawbridge, a firewall is only as good as those who operate it. If a firewall is not set up properly it may let attackers in (see Basic Firewall Configuration for more on how to configure firewalls). Furthermore, as the citizens of ancient Troy discovered, attacks often come from within. But despite its limitations, a firewall is still the most effective way to protect a network which must be connected to the Internet.
Firewalls work by examining network transmissions as they move from inside to outside your network, and vice versa, and then applying rules set up by an administrator to:
- Protect the internal network from attack by external sources.
- Prohibit access from the internal network to outside sources; in effect, forcing compliance with your organization's Acceptable Use Policy or Security Policy.
In addition, firewalls can perform the following functions depending on their type:
- Route packets from the inside network to other networks, and vice versa.
- Translate the IP addresses of an internal network to addresses the Internet recognizes.
- Keep a record of network traffic that has passed through the firewall that can be used for other purposes.
- Divide a network into segments according to differing security needs.
Types of Firewalls
There are numerous ways to classify firewalls. The most useful classifications are defined by the firewall's intended use, its system architecture, and the way it uses filtering technology.
For what purpose is the firewall being deployed? The answer to this question not only determines its name, but also where the firewall will be installed. It will also determine the choices in the next two categories of firewalls. If a firewall is being installed to protect a network, then it is called a "network firewall," and it is installed at a point where one network meets another in order to act as a choke point for network traffic. While the most common use for a network firewall is to protect an inside network from the Internet, a network firewall can also be used to protect or segregate networks whose security requirements differ from each other. For instance, a network firewall might be deployed to protect a network of lawyers' computers from a network of public-use computers in a law library. Unless otherwise noted, for the remainder of this page, it is assumed we are discussing network firewalls.
If a firewall needs to protect a single PC, then it is called a "personal firewall." Personal firewalls have become much more popular since the advent of broadband Internet access for home users. Personal firewalls share many of the same traits as network firewalls, such as protecting an internal "network" (or single computer) from the internet. Some personal firewalls limit access to the Internet, as well.
A firewall may also be classified by the way it is designed to use its hardware and software. In terms of software, firewalls fall into two distinct categories: firewalls that have an operating system separate from the firewall software and those that don't. Firewalls that don't require a separate OS are often referred to as "firewall appliances" or "single-box firewalls." The great advantage of purchasing a firewall appliance is that you don't have to worry about installing an operating system, making sure it is secure and then maintaining it—the firewall software is also its operating system. On the other hand, the administrator of a firewall appliance has to learn the appliance's proprietary operating system at the same time s/he learns to administer the firewall's filtering system. These devices are generally more expensive than firewalls based on a standard, separate OS.
Regardless of whether the firewall requires a separate operating system or not, firewalls can also be classified by the number of network interfaces they employ. A firewall usually has two or more network interface cards that connect it to two or more networks. Firewall administrators often deliberately move servers that create more risk than others, such as web servers or email servers, onto a third network that is set apart from the internal network but is still not completely on the outside. In this way, more access can be granted to them while still affording them some protection. This type of firewall network architecture is known as a "multi-homed firewall with a perimeter network."
The most common way firewalls are classified is by the way the firewall actually works. Depending on how fine a distinction you make in the ways that firewalls work, they can be grouped into at least two categories:
- Packet Filtering - This classification describes a firewall that examines the basic building blocks of network transmissions, called packets, and compares them with rules that are programmed into it by an administrator. Collectively, these rules are known as a ruleset. The firewall looks at portions of the packet known as its headers, specifically the packet's originating IP address, destination IP address, TCP/IP source port, and TCP/IP destination port. A subset of packet filtering firewalls are stateful inspection firewalls. A stateful inspection firewall not only inspects packets as they cross the firewall, but also looks at the characteristics of the network transmission, known as its state, which gives it important information about whether or not the packet is legitimate. For more on packets and protocols, see Packets and Protocols.
Pros and Cons: Because packet filtering firewalls only look at a very small amount of information contained in the packet's headers, they can examine and decide upon thousands of packets in a very short time, thus imposing little overhead on the transmission time. However, because they basically allow direct connections without examining much more than basic information, they are open to particular types of network attacks where packets are deliberately altered. Furthermore, since the actual data portion of the packet is not considered at all, higher-level manipulation of the packet, such as screening for content, cannot be performed.
- Application Proxy - An application proxy firewall acts as an overly aggressive administrative secretary who is always intercepting calls to the director and answering them for her. A proxy is someone who acts on your behalf; an application proxy firewall never allows direct connections from one network to another. Instead, the firewall intercepts the packet, examines it and compares it with its ruleset and then (if the packet is allowed on to its destination) creates a mirror of the application that sent the packet in the first place, copies the data into it, and then sends the packet on.
Pros and Cons: Because actual packets never make it through the firewall, application proxies are considered to be quite secure. Furthermore, content filtering is possible with this type of firewall, from web filtering to virus detection. Application proxies can also provide user authentication and web caching to speed up perceived network speed. However, because this type of firewall relies on the constant creation of new application processes in order to forward packets, it can be quite slow, especially for networks with a lot of traffic. Applications that the firewall doesn't understand or can't handle may not be forwarded properly. Furthermore, client software may have to be configured to recognize the application proxy firewall, such as by modifying a web browser client.
Many commercial firewall products are a hybrid of these two types of firewalls. If you are so inclined, you can create a basic packet filtering firewall using a router. For instance, you can program the router that connects your network to the Internet to drop packets entering your network from the outside that are deliberately masquerading as packets coming from the internal network (known as IP spoofing). Combining this basic type of router (called a border router) with another type of firewall, perhaps an application proxy, will give your network more protection. It will also act to slow the bad guys down because they have two firewalls to deal with rather than one.
Firewalls are a great way to provide protection against many known attack strategies by malicious users. Many firewalls go much further and provide logging, caching, authentication services, and content filtering. However, you can't simply "firewall it and forget it." Firewalls cannot protect your network from attacks coming from within the network, nor can they protect attacks arriving via connections that don't go through it, such as modem connections. They aren't very good at protecting a network from viruses, and they aren't very good at detecting new types of attacks, either. Finally, and perhaps most importantly, they need someone who is trained and knowledgeable to set them up. Your firewall administrator is the key to making your firewall work.