Security Defense Perimeter: A Deep Dive into Firewall Types

Abdelmlak Said
3 min read · Sep 8, 2023


In cybersecurity, firewalls are considered one of the most crucial components for defending against external digital threats. Let’s explore the main types of firewalls, how each one works, and what it offers. Understanding these basic concepts will allow you to make the appropriate decisions to strengthen your network defenses.

The term firewall is borrowed from construction, where it names a wall built to confine a fire to one side of it and keep it from spreading into the space beyond.

Figure 1.

1- Firewall definition

According to NIST SP 800-82 Rev. 2, “a firewall is an inter-network connection device that restricts data communication traffic between two connected networks. A firewall may be either an application installed on a general-purpose computer or a dedicated platform (appliance), which forwards, rejects, or drops packets on a network”.

In other words, a firewall has the ability to control, monitor, and filter incoming and outgoing traffic within a single network or between two different networks. Mainly, it is placed between a trusted internal network (the local network) and a potentially untrusted external network (the Internet) to protect the internal network from malicious activity and cyber threats.

2- Stateless Packet Filtering (or simply Packet Filtering)

Stateless means each packet is inspected on its own, with no knowledge of previous packets: no session table is maintained, so every packet is evaluated independently of all others. Filtering is done on the source and destination IP addresses, the port numbers, and the protocol. The packet is allowed through if it satisfies the rules; if not, it is blocked.

What are some of the benefits of a stateless firewall?
For starters, stateless filters are faster than stateful inspection, because there is no session table to look up or maintain. Stateless inspection gives us a degree of control over what is happening and what will be allowed into our network. Stateless rules are also useful for troubleshooting, when we want to classify packets, and on routers that support virtual routing instances: if we see a flow coming from a specific source toward a specific destination, we can steer it to a specific virtual instance within the router. Finally, the same header matching can drive quality of service (QoS) policies that prioritize traffic. The price of that speed is that the filter cannot tell a reply to a connection the internal network opened from an unsolicited packet that merely looks like one.
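The following is an added example, not code from the original article: a stateless packet filter in Python that evaluates each constructed packet against a first-match rule list using only the packet's own headers. The prefix 10.0.0.0/8, the rule set, and the packets are assumptions made for the illustration. It shows the blind spot mentioned above: to let replies back in, a stateless rule base typically admits any inbound TCP segment with ACK set, which also admits an attacker's unsolicited ACK probe.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional

# Constructed packet model (not captured traffic): the header fields a
# stateless filter can see. TCP flags are a set of names such as {"SYN"}.
@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()


# One rule line. None means "any". A packet is decided by the first rule that
# matches, with nothing remembered from earlier packets.
@dataclass(frozen=True)
class Rule:
    action: str                                  # "allow" or "deny"
    proto: Optional[str] = None
    src: Optional[str] = None                    # CIDR prefix
    dst: Optional[str] = None                    # CIDR prefix
    dport: Optional[int] = None
    require_flags: FrozenSet[str] = frozenset()  # every listed flag must be set

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return self.require_flags <= p.flags


def stateless_filter(rules: List[Rule], p: Packet) -> str:
    """Decide one packet from its own headers alone; default deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


LAN = "10.0.0.0/8"  # assumed internal prefix for this example

RULES = [
    # Outbound web browsing from the LAN.
    Rule("allow", proto="tcp", src=LAN, dport=80),
    Rule("allow", proto="tcp", src=LAN, dport=443),
    # Replies have to get back in, but the filter has no memory of which
    # connections the LAN opened. The classic stateless workaround is to admit
    # any inbound TCP segment with ACK set, since every reply carries ACK.
    Rule("allow", proto="tcp", dst=LAN, require_flags=frozenset({"ACK"})),
    Rule("deny"),
]


def demo() -> Dict[str, str]:
    """Run four constructed packets through RULES and return the decisions."""
    packets = {
        # LAN host opens a TLS connection to a web server.
        "outbound_syn": Packet("tcp", "10.0.0.7", "203.0.113.5", 51000, 443, frozenset({"SYN"})),
        # The server's SYN/ACK reply.
        "reply_synack": Packet("tcp", "203.0.113.5", "10.0.0.7", 443, 51000, frozenset({"SYN", "ACK"})),
        # An unsolicited SYN to SSH on the LAN host: correctly denied.
        "inbound_syn": Packet("tcp", "198.51.100.9", "10.0.0.7", 40000, 22, frozenset({"SYN"})),
        # The same attacker sends a bare ACK (an "ACK scan"). No connection
        # exists, but the ACK rule cannot tell, so the probe is allowed in.
        "inbound_ack_scan": Packet("tcp", "198.51.100.9", "10.0.0.7", 40000, 22, frozenset({"ACK"})),
    }
    return {name: stateless_filter(RULES, p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18s} -> {decision}")
```

The ACK-scan packet is exactly what a stateful filter catches: it consults a table of connections the inside actually opened instead of guessing from flags.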

3- Stateful Packet Filtering

In stateful packet filtering, the device “remembers” previous packets it has seen, resulting in more intelligent filtering. It keeps track of active connections, examines data sent and received, and separates normal activity from possibly malicious ones.

Stateful Filtering vs. Stateful Inspection

Filtering and inspection are widely used concepts in stateful firewalls, but it is essential to distinguish between both notions.

First, stateful filtering is defined as the stateful tracking of protocol information at Layer 4 and below in the OSI model. Stateful filtering has no knowledge of application-layer protocols: it tracks the IP addresses and port numbers of the source and destination. This is also how it handles connectionless protocols such as UDP, by creating a pseudo-connection entry for the first packet and admitting the matching reply. More advanced vendors build stateful filtering firewalls that also track TCP sequence and acknowledgment numbers and the TCP flags.

On the other hand, stateful inspection means that the filtering device looks “deeper” into the packet: it tracks the state of all Layer 4 information and, in addition, the application-layer protocol. This extra information gives insight into the communication and into non-standard protocol behavior. Naturally, more intelligence requires more hardware (CPU and memory) on the firewall.

For both stateful methods, a state table records the state information until the connection is torn down (as with TCP) or until a preconfigured idle timeout is reached (TCP, UDP, and ICMP). Every vendor has its own implementation of these methods.
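As an added example covering the stateful filtering and state-table paragraphs above (this is not the article's code, and no vendor's implementation), here is a Layer-4 connection tracker in Python. It keys a state table on the 5-tuple, walks a simplified TCP state machine (SYN_SENT, SYN_RECV, ESTABLISHED, torn down on FIN or RST), keeps pseudo-connection entries for UDP, and expires entries after assumed idle timeouts (3600 s TCP, 30 s UDP, 10 s ICMP). The packets and addresses are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple

# Constructed packet model (not captured traffic).
@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()

# State-table key: the 5-tuple in the direction the flow was opened.
Key = Tuple[str, str, str, int, int]

@dataclass
class Entry:
    state: str        # TCP: SYN_SENT, SYN_RECV, ESTABLISHED; UDP/ICMP: PSEUDO
    last_seen: float


class StatefulFirewall:
    """Layer-4 stateful filtering: no knowledge of application protocols."""

    # Assumed idle timeouts in seconds; real products make these configurable.
    TIMEOUTS = {"tcp": 3600.0, "udp": 30.0, "icmp": 10.0}

    def __init__(self, internal: str):
        self.internal = ip_network(internal)
        self.table: Dict[Key, Entry] = {}

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.proto, p.src, p.dst, p.sport, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> Key:
        return (p.proto, p.dst, p.src, p.dport, p.sport)

    def _expire(self, now: float) -> None:
        """Drop entries idle longer than their protocol's timeout."""
        for key, entry in list(self.table.items()):
            if now - entry.last_seen > self.TIMEOUTS[key[0]]:
                del self.table[key]

    def _track_tcp(self, key: Key, p: Packet, reply: bool) -> None:
        """Advance the simplified TCP state machine for an existing entry."""
        entry = self.table[key]
        if p.flags & {"FIN", "RST"}:
            del self.table[key]            # connection torn down: forget it
            return
        if reply and entry.state == "SYN_SENT" and p.flags >= {"SYN", "ACK"}:
            entry.state = "SYN_RECV"
        elif not reply and entry.state == "SYN_RECV" and "ACK" in p.flags:
            entry.state = "ESTABLISHED"

    def decide(self, p: Packet, now: float) -> str:
        self._expire(now)
        key, rkey = self._key(p), self._reverse(p)
        # Forward or reply direction of a flow we already know: allow and refresh.
        for k, reply in ((key, False), (rkey, True)):
            if k in self.table:
                self.table[k].last_seen = now
                if p.proto == "tcp":
                    self._track_tcp(k, p, reply)
                return "allow"
        # Unknown flow: only the internal side may open one, and a TCP flow can
        # only be opened by a pure SYN (a bare ACK is an ACK-scan probe).
        if ip_address(p.src) not in self.internal:
            return "deny"
        if p.proto == "tcp" and p.flags != {"SYN"}:
            return "deny"
        self.table[key] = Entry("SYN_SENT" if p.proto == "tcp" else "PSEUDO", now)
        return "allow"


def demo() -> Tuple[List[str], int]:
    """Replay a constructed trace; return the decisions and the final table size."""
    fw = StatefulFirewall("10.0.0.0/8")
    S, SA, A, R = (frozenset(f) for f in ({"SYN"}, {"SYN", "ACK"}, {"ACK"}, {"RST", "ACK"}))
    lan, web, dns, attacker = "10.0.0.7", "203.0.113.5", "192.0.2.53", "198.51.100.9"
    trace = [
        (0.00, Packet("tcp", lan, web, 51000, 443, S)),      # allow: LAN opens TLS
        (0.01, Packet("tcp", web, lan, 443, 51000, SA)),     # allow: reply to a known flow
        (0.02, Packet("tcp", lan, web, 51000, 443, A)),      # allow: handshake completes
        (1.00, Packet("tcp", attacker, lan, 40000, 22, A)),  # deny: ACK scan, no entry
        (1.00, Packet("udp", lan, dns, 53111, 53)),          # allow: UDP pseudo-connection
        (2.00, Packet("udp", dns, lan, 53, 53111)),          # allow: DNS answer within timeout
        (3.00, Packet("tcp", web, lan, 443, 51000, R)),      # allow: RST tears the entry down
        (4.00, Packet("tcp", lan, web, 51000, 443, A)),      # deny: flow gone, ACK cannot reopen
        (100.0, Packet("udp", dns, lan, 53, 53111)),         # deny: UDP entry expired (idle > 30 s)
    ]
    decisions = [fw.decide(p, t) for t, p in trace]
    return decisions, len(fw.table)


if __name__ == "__main__":
    print(demo())
```

Compare the fourth packet with the stateless case: the same bare ACK that a header-only rule lets through is denied here simply because no entry for it exists. A real stateful firewall also validates sequence and acknowledgment numbers against the window, which this simplified tracker omits.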

4- Next-Generation Firewall (NGFW)

With evolving threats, Next-Generation Firewalls (NGFW) combine the technology of a traditional firewall with additional features: intrusion prevention, encrypted traffic inspection, anti-malware, and more. Central to them is deep packet inspection (DPI). While classic firewalls only look at packet headers, deep packet inspection examines the data within the packet itself, enabling the firewall to recognize the application protocol regardless of the port in use and to identify, categorize, or stop packets carrying malicious content. Note that DPI can only read what is in cleartext: inspecting TLS traffic requires the firewall to terminate the session and re-encrypt it towards the destination, which is what “encrypted traffic inspection” refers to.
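The following is an added example, not code from the original article or from any NGFW product: a minimal deep packet inspector in Python. For a packet the header rules have already allowed, it classifies the payload by content (SSH banner, TLS ClientHello record, HTTP request line), drops traffic whose protocol does not match the port it is using, and matches a content signature against cleartext HTTP. The port-to-protocol map, the signatures, and the sample payloads are constructed for the illustration.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Application protocol expected on each port. The header-only rule base has
# already allowed these ports; DPI checks that the payload agrees with them.
EXPECTED_PROTO = {22: "ssh", 80: "http", 443: "tls"}

# Small content signatures, matched only against cleartext payloads.
SIGNATURES: List[Tuple[str, Pattern[bytes]]] = [
    ("http path traversal", re.compile(rb"(?i)(?:\.\.|%2e%2e)(?:/|%2f)")),
]


def classify(payload: bytes) -> str:
    """Guess the application protocol from the first bytes, ignoring the port."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 0x03xx,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if re.match(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n", payload):
        return "http"
    return "unknown"


def inspect(dport: int, payload: bytes) -> Tuple[str, str]:
    """DPI verdict for a packet the header rules already allowed: (action, reason)."""
    proto = classify(payload)
    expected = EXPECTED_PROTO.get(dport)
    if expected is not None and proto != expected:
        return ("drop", f"protocol mismatch: {proto} payload on port {dport}")
    if proto in ("ssh", "tls"):
        # Everything after the handshake is encrypted; without TLS interception
        # the inspector cannot match content signatures beyond this point.
        return ("allow", f"{proto} handshake")
    for name, pattern in SIGNATURES:
        if pattern.search(payload):
            return ("drop", f"signature: {name}")
    return ("allow", proto)


def demo() -> Dict[str, str]:
    """Inspect constructed payloads; return the action taken for each."""
    # Record header (5 bytes) and handshake header of a TLS 1.2 ClientHello; the
    # body is truncated and zero-filled because only the headers are inspected.
    client_hello = b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56\x03\x03" + b"\x00" * 32
    samples = {
        "plain_http": (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        "traversal":  (80, b"GET /static/../../etc/passwd HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        "ssh_on_443": (443, b"SSH-2.0-OpenSSH_9.3\r\n"),     # SSH tunnelled over the HTTPS port
        "http_on_22": (22, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
        "tls_on_443": (443, client_hello),
    }
    return {name: inspect(port, data)[0] for name, (port, data) in samples.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:11s} -> {action}")
```

A header-only filter would allow all five samples, since each uses a permitted destination port; only the payload tells the SSH-over-443 tunnel and the traversal request apart from legitimate traffic. Production DPI engines normalize URL encoding, reassemble streams, and use far larger signature sets, but the decision structure is the same.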

References:

https://csrc.nist.gov/glossary/term/firewall
https://www.informit.com/articles/article.aspx?p=373120&seqNum=3
