
Firewall Design Principles to Secure Your Network

The relentless spate of cyber attacks makes network security more important than ever before. Firewalls are among the earliest network security devices and remain relevant as gatekeepers to the network. They still constitute the first line of defence in today's dominant client-server architecture.

A basic firewall filters incoming and outgoing network traffic against a pre-set list of security rules. The rules, derived from the enterprise security policy, decide what traffic gets in and what gets blocked. But a firewall's effectiveness depends on its design, that is, on how it decides what to keep out. As threats have evolved over the years, firewall designs have evolved with them.

Packet filtering

The basic firewall works by packet filtering. 

Packets contain the data itself and information about the data, such as its source and destination. Firewalls use that header information to determine whether a given packet abides by the rules. The rules enforce clear criteria: source and destination IP addresses, source and destination ports, and protocols. If no rule permits the packet, it is dropped. For instance, if the rules block Telnet access, the firewall drops packets destined for TCP port 23, the well-known port for Telnet servers.

Packet filtering firewalls adopt one of two broad designs: default deny or default accept.

"Default deny" blocks all incoming and outgoing packets except traffic that a rule explicitly permits. It follows the zero-trust approach of treating traffic as malicious unless proven otherwise.

The firewall rules define an allowlist of permitted addresses, ports and protocols. This approach eliminates unauthorised access paths and shrinks the attack surface. It also gives clearer insight into what takes place on the network, since every permitted flow corresponds to a known rule. But the default deny design carries the risk of blocking legitimate traffic that nobody anticipated when the rules were written.

For instance, a connection from a new, legitimate partner site whose address has not yet been added to the allowlist will be blocked until an administrator writes a rule for it. Default deny therefore demands more rule maintenance in large companies with voluminous and complex traffic.

"Default accept" works the opposite way. This design accepts everything by default and denies only packets that a rule explicitly blocks. Where default deny rules form an allowlist, default accept rules form a blocklist. The accept-everything policy makes the firewall much easier to set up.

The chances of legitimate traffic getting blocked are also lower. But such a design is insecure, because its effectiveness depends on anticipating every conceivable threat and writing a rule to block it. A default allow policy becomes more defensible when combined with the principle of least privilege, so that users and traffic get access only to the minimum resources required to do their jobs.
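To make the two designs concrete, here is an added example (not code from the original article) of a stateless packet filter that evaluates the same constructed inbound traffic under a default-deny allowlist and a default-accept blocklist. The addresses, ports and rule sets are assumptions chosen for illustration:

```python
"""Stateless packet filtering under a default-deny and a default-accept policy.

Added example, not code from the original article. Packets and rules are
simplified; the networks, ports and sample traffic are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                       # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None   # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None      # None matches any protocol
    src_net: Optional[str] = None    # CIDR; None matches any source
    dst_net: Optional[str] = None    # CIDR; None matches any destination
    dst_port: Optional[int] = None   # None matches any port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only if every criterion it specifies is satisfied."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    for net, ip in ((rule.src_net, pkt.src_ip), (rule.dst_net, pkt.dst_ip)):
        if net is not None and ipaddress.ip_address(ip) not in ipaddress.ip_network(net):
            return False
    return True


def filter_packet(rules: List[Rule], pkt: Packet, default: str) -> str:
    """First matching rule wins; the default policy decides everything else."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Default deny: an allowlist of exactly the services the policy permits (assumed).
DEFAULT_DENY_RULES = [
    Rule("allow", proto="tcp", dst_net="10.0.0.5/32", dst_port=443),  # web server
    Rule("allow", proto="tcp", dst_net="10.0.0.6/32", dst_port=25),   # mail relay
]

# Default accept: a blocklist of known-bad services; everything else passes (assumed).
DEFAULT_ACCEPT_RULES = [
    Rule("deny", proto="tcp", dst_port=23),   # Telnet
    Rule("deny", proto="tcp", dst_port=445),  # SMB
]

# Constructed inbound traffic from the Internet toward the 10.0.0.0/24 LAN.
SAMPLE_TRAFFIC = {
    "https_to_web":   Packet("203.0.113.10", "10.0.0.5", "tcp", 443),
    "smtp_to_mail":   Packet("203.0.113.10", "10.0.0.6", "tcp", 25),
    "telnet_to_web":  Packet("203.0.113.10", "10.0.0.5", "tcp", 23),
    "ssh_to_new_box": Packet("203.0.113.10", "10.0.0.7", "tcp", 22),  # no rule either way
    "ping_to_web":    Packet("203.0.113.10", "10.0.0.5", "icmp"),
}


def evaluate(policy: str) -> dict:
    """Return the verdict for every sample packet under the named policy."""
    if policy == "default_deny":
        rules, default = DEFAULT_DENY_RULES, "deny"
    elif policy == "default_accept":
        rules, default = DEFAULT_ACCEPT_RULES, "allow"
    else:
        raise ValueError(policy)
    return {name: filter_packet(rules, pkt, default) for name, pkt in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for policy in ("default_deny", "default_accept"):
        print(policy)
        for name, verdict in evaluate(policy).items():
            print(f"  {name:15} {verdict}")
```

The unanticipated SSH connection and the ICMP echo are where the two designs part ways: default deny drops both because no rule mentions them, default accept passes both for the same reason.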

The effectiveness of packet filtering firewalls depends on their positioning as well. Enterprises usually deploy firewalls at the network edge, between the private LAN and the public Internet. A firewall positioned inline across that link inspects every packet that enters and leaves the network.

The packet-filtering firewall examines each packet independently and does not know whether a packet belongs to an existing traffic stream. Processing packets in isolation makes such firewalls susceptible to IP spoofing: a forged packet carrying a trusted source address looks no different from a genuine one. But these firewalls are lightweight. Because they inspect only packet headers, they need minimal computing resources and suit resource-constrained environments such as embedded systems or small networks.

Stateful inspection firewalls

Stateful inspection firewalls are an improvement on the basic packet filtering design. Here, the firewall analyses packets in the context of network sessions. It keeps a table of open connections and allows a packet only if it belongs to an established connection or opens a valid new one.

The stateful inspection design offers a marked improvement over stateless packet filtering. But the connection table is a finite resource, so these firewalls remain vulnerable to denial of service (DoS) attacks, such as SYN floods, that exhaust it.
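The two weaknesses described above, a stateless filter admitting a spoofed packet and a stateful firewall's connection table being exhausted, are shown in the following added example (not code from the original article). It contrasts a stateless rule set that trusts the ACK bit with a small stateful firewall that tracks the TCP handshake; the internal prefix, published service, flag handling and traffic are simplified constructions:

```python
"""Stateless filtering versus stateful inspection of TCP traffic.

Added example, not code from the original article. Addressing, TCP flag
handling and the state machine are simplified; all packets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

INSIDE_PREFIX = "10.0.0."   # assumption: addresses with this prefix are internal


@dataclass(frozen=True)
class TcpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "RST", "FIN"}


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_verdict(pkt: TcpPacket, published: Set[Tuple[str, int]]) -> str:
    """Stateless rules: allow all outbound traffic, allow inbound SYNs to published
    services, and approximate 'established' by trusting the ACK bit."""
    if is_inside(pkt.src_ip):
        return "allow"
    if pkt.flags == {"SYN"} and (pkt.dst_ip, pkt.dst_port) in published:
        return "allow"
    return "allow" if "ACK" in pkt.flags else "deny"


class StatefulFirewall:
    """Admits a packet only if it opens a permitted connection or belongs to one."""

    def __init__(self, published: Set[Tuple[str, int]], max_entries: int):
        self.published = published
        self.max_entries = max_entries      # the connection table is finite
        self.table: Dict[Tuple, Dict] = {}

    @staticmethod
    def _key(pkt: TcpPacket) -> Tuple:
        # Normalise so both directions of one connection share a key.
        a, b = (pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)
        return (a, b) if a < b else (b, a)

    def process(self, pkt: TcpPacket) -> str:
        key = self._key(pkt)
        inbound = not is_inside(pkt.src_ip)
        entry = self.table.get(key)
        if entry is None:
            # Only a bare SYN may open a connection; inbound SYNs only to published services.
            if pkt.flags != {"SYN"}:
                return "deny"           # spoofed ACK or data with no connection behind it
            if inbound and (pkt.dst_ip, pkt.dst_port) not in self.published:
                return "deny"
            if len(self.table) >= self.max_entries:
                return "deny"           # table full: the DoS exposure
            self.table[key] = {"state": "SYN_SENT", "initiator_inbound": inbound}
            return "allow"
        from_initiator = inbound == entry["initiator_inbound"]
        state = entry["state"]
        if state == "SYN_SENT" and not from_initiator and pkt.flags == {"SYN", "ACK"}:
            entry["state"] = "SYN_RECEIVED"
            return "allow"
        if state == "SYN_RECEIVED" and from_initiator and pkt.flags == {"ACK"}:
            entry["state"] = "ESTABLISHED"
            return "allow"
        if state == "ESTABLISHED":
            if "RST" in pkt.flags:      # simplified teardown; real firewalls also track FIN and idle timeouts
                del self.table[key]
            return "allow"
        return "deny"                   # out-of-sequence packet for this connection


PUBLISHED = {("10.0.0.5", 443)}   # assumption: the only service exposed to the Internet


def spoofed_ack_verdicts() -> Tuple[str, str]:
    """A forged inbound packet with ACK set, aimed at an unpublished SSH port."""
    pkt = TcpPacket("203.0.113.9", 4444, "10.0.0.7", 22, frozenset({"ACK"}))
    return stateless_verdict(pkt, PUBLISHED), StatefulFirewall(PUBLISHED, 64).process(pkt)


def outbound_handshake_verdicts() -> List[str]:
    """An internal client completes a handshake with an external server, then receives data."""
    fw = StatefulFirewall(PUBLISHED, 64)
    c, s = ("10.0.0.5", 50000), ("198.51.100.10", 443)
    flow = [
        TcpPacket(*c, *s, frozenset({"SYN"})),
        TcpPacket(*s, *c, frozenset({"SYN", "ACK"})),
        TcpPacket(*c, *s, frozenset({"ACK"})),
        TcpPacket(*s, *c, frozenset({"ACK"})),   # server data
    ]
    return [fw.process(p) for p in flow]


def syn_flood_verdict(table_size: int = 4) -> str:
    """Spoofed SYNs fill a small table; a legitimate client's SYN is then refused."""
    fw = StatefulFirewall(PUBLISHED, table_size)
    for port in range(40000, 40000 + table_size):
        fw.process(TcpPacket("203.0.113.50", port, "10.0.0.5", 443, frozenset({"SYN"})))
    return fw.process(TcpPacket("198.51.100.7", 51000, "10.0.0.5", 443, frozenset({"SYN"})))
```

The spoofed packet passes the stateless filter and is dropped by the stateful one, while the legitimate handshake is admitted step by step. The flood case is the caveat: once the table is full, the stateful firewall refuses even a genuine new connection, which is why production devices pair state tracking with SYN cookies, rate limits and aggressive timeouts.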

Circuit level firewalls

Circuit-level firewalls (also called circuit-level gateways) adopt a different design from packet-filtering firewalls. They do not examine the content of the packets. Instead, they inspect the transport-layer headers to determine whether a session is legitimate. When a trusted client or server tries to connect with an untrusted host, the gateway mediates the TCP three-way handshake; a handshake that completes correctly establishes the session, and packets belonging to that session are then relayed.

Circuit-level firewalls control network traffic at the session level. They validate more than a stateless packet filter does and can spot session-level anomalies such as port scans and some DoS patterns. But because they do not inspect packet content, malicious payloads can still pass inside a validated session.

Application layer and proxy firewalls

Application-level firewalls examine the packet payload. Inspecting the payload lets them distinguish valid requests from malicious code disguised as valid requests, whereas a packet filter can only decide whether a given host may talk to a given port.

By inspecting payloads, application layer firewalls can block specific malicious content, and the network security team gets more granular control over traffic. For instance, the firewall can allow or deny individual Telnet commands from a specific user.

Application-level firewalls operate at the application layer of the protocol stack. When such a firewall runs on a proxy server, it becomes a proxy firewall: the proxy is the intermediary, and the client and server conduct the session through it. When an external client requests a connection, it connects to the proxy, and the proxy opens a separate connection to the internal server (and vice versa for outbound traffic). The proxy allows the connection only if it meets the rule criteria. Positioning a proxy firewall between the network edge and the Internet adds a security layer: requests are filtered before the traffic enters or exits the network, and because external hosts only ever talk to the proxy, the internal network is harder for attackers to map.
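As an added example (not code from the original article or any vendor product), the following application-layer inspector parses raw HTTP requests the way a proxy firewall would before deciding whether to forward them. The protected host name, method allowlist, body size limit and sample requests are constructed assumptions:

```python
"""Application-layer inspection of HTTP requests, as a proxy firewall performs it.

Added example, not code from the original article. The parser is minimal, and
the protected host, limits and sample requests are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "HEAD", "POST"}          # assumption: policy for this server
ALLOWED_POST_TYPES = {"application/x-www-form-urlencoded", "application/json"}
PROTECTED_HOST = "www.example.com"                 # assumption
MAX_BODY = 4096                                    # assumption


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: Dict[str, str]   # header names lower-cased
    body: bytes


def parse_http_request(raw: bytes) -> Optional[HttpRequest]:
    """Minimal HTTP/1.x request parser; returns None for anything malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            return None
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(parts[0], parts[1], parts[2], headers, body)


def inspect_request(raw: bytes) -> Tuple[str, str]:
    """Return ("allow", "ok") or ("deny", reason). A packet filter that only sees
    'TCP to port 80' would pass every one of the sample requests below."""
    req = parse_http_request(raw)
    if req is None:
        return "deny", "malformed request"
    if req.method not in ALLOWED_METHODS:
        return "deny", f"method {req.method} not permitted"
    if req.headers.get("host") != PROTECTED_HOST:
        return "deny", "host header does not match protected server"
    # Decode percent-encoding before looking for traversal so %2e%2e is caught too.
    path = unquote(req.target.split("?", 1)[0])
    if not path.startswith("/") or ".." in path.split("/"):
        return "deny", "path traversal attempt"
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in req.target):
        return "deny", "control characters in request target"
    declared = req.headers.get("content-length", "0")
    if not declared.isdigit() or int(declared) != len(req.body):
        return "deny", "content-length does not match body"
    if len(req.body) > MAX_BODY:
        return "deny", "body exceeds size limit"
    if req.method == "POST":
        ctype = req.headers.get("content-type", "").split(";")[0].strip().lower()
        if ctype not in ALLOWED_POST_TYPES:
            return "deny", f"content type {ctype!r} not permitted for POST"
    return "allow", "ok"


# Constructed sample requests; all of them arrive on TCP port 80.
SAMPLE_REQUESTS = {
    "normal_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "encoded_traversal": b"GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "trace_method": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "length_mismatch": (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
                        b"Content-Type: application/x-www-form-urlencoded\r\n"
                        b"Content-Length: 30\r\n\r\nuser=a&pass=b"),
    "json_post": (b"POST /api HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Content-Type: application/json\r\nContent-Length: 13\r\n\r\n{\"q\": \"ping\"}"),
}


def inspect_all() -> Dict[str, Tuple[str, str]]:
    """Verdict and reason for every constructed sample request."""
    return {name: inspect_request(raw) for name, raw in SAMPLE_REQUESTS.items()}
```

Only the two well-formed requests are forwarded; the traversal attempt, the unexpected method and the request whose declared length disagrees with its body are all refused with a reason the proxy can log. This is the granularity the page describes: the decision depends on what the request says, not merely on which port it arrives on.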

Application and circuit-level firewalls support several types of control:

  • User control: The firewall regulates access to a service depending on the user attempting to access it. User control requires authentication technology, such as two-factor authentication (2FA).
  • Service control: The firewall rules allowlist the services that users can access. For instance, the firewall can filter traffic based on IP address or port.
  • Direction control: The firewall rules specify the direction in which a service can be used. For instance, the rules state whether a service may be reached inbound, outbound or both. If attackers have compromised specific areas of the network, the rules can block traffic from those segments.
  • Behaviour control: The firewall rules control how users may use a service. For example, the rules limit what information people outside the network can retrieve from the web server.

Next-generation firewalls (NGFW)

The latest, next-generation firewalls combine traditional firewall technology with advanced features and functionality. The added capabilities help thwart advanced malware attacks.

These firewalls adopt the “defence in depth” design, which entails layers of security controls. The multi-layer approach brings additional context to the firewall’s decision-making process.

NGFWs combine a bundle of technologies, such as:

  • Deep packet inspection (DPI) to check packet contents, covering applications, protocols and payloads.
  • Granular control over individual applications and protocols to prevent unauthorised access and data exfiltration.
  • Intrusion detection and prevention systems (IDS/IPS) to monitor network traffic for malicious activity. An IPS sits inline and blocks suspicious activity or anomalies rather than only raising an alert.

Designing an effective firewall demands careful consideration of network-specific needs and security posture. The process is dynamic, as the nature of threats changes constantly. A key requirement is gathering information on emerging threats and adjusting firewall rules accordingly.  

Proofpoint offers threat intelligence that allows enterprises to design their firewalls effectively. Proofpoint’s products offer ready protection against the most advanced and potent threats. It enables effective protection against phishing, ransomware, email attacks, and identity-based threats. Enterprises using Proofpoint’s suite of products can break the attack chain for even the latest and deadliest attacks.
