Monday, May 20, 2024

Understanding the Different Types of Firewall Security

Firewalls are a critical tool in any cybersecurity arsenal. However, not all firewalls are created equal, and the type of firewall you choose should depend on your business needs.

Firewalls protect your network by filtering data packets at different levels and analyzing them using specific firewall rules. The most basic firewall is the packet filtering firewall, which approves or blocks traffic based on several aspects of the data packets.

Packet Filtering Firewalls

So, what are the differences between each firewall type? Using network layer inspection, packet filtering firewalls examine the information contained within each packet of data that passes through their systems to decide whether or not it should be allowed into a particular network. They do this by examining the packet’s source and destination IP addresses, communication protocols, flags, ports, and more to determine if the data is safe to enter the network. These are the simplest firewalls, making them ideal for small businesses and home users.

However, they’re less capable of protecting against newer, more sophisticated cyber threats. Additionally, because they operate at such a superficial level and don’t consider the context of a connection, they can be easily compromised by hackers who utilize techniques like address spoofing and TCP/IP header manipulation.

Packet filtering firewalls may be deployed as hardware or software on a device like a router or standalone system. Usually, they’re placed at the network boundary between the internet and an internal server or client. They’re also popular among home internet providers that use low-power customer-premises equipment (CPE).

These systems typically operate quickly and quietly and don’t interfere with user functionality. They are also cheaper than other firewall types and well-suited for smaller networks with limited security needs. However, they’re best used within a comprehensive security solution with additional tools that provide deeper insights into traffic and other aspects of cybersecurity.
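To make the header-level decision described above concrete, here is an added example (not code from the original article) of a stateless, first-match packet filter with a default-deny policy. The `Packet` and `Rule` types, the `EDGE_RULES` rule set and all addresses are constructed for illustration; the last rule shows the limitation the text mentions, since the filter has no connection context and can only approximate "established" traffic by looking at TCP flags.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed view of the header fields a layer 3/4 filter sees: addresses,
# protocol, ports and TCP flags. No payload and no connection context.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # e.g. {"SYN"} or {"SYN", "ACK"}

@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None        # None matches any protocol
    dport: Optional[int] = None        # None matches any destination port
    flags: Optional[frozenset] = None  # None ignores TCP flags

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.flags is None or self.flags == p.flags))

def filter_packet(rules, p: Packet) -> str:
    """First matching rule wins; a packet no rule matches is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Constructed rule set for a small office edge: block one known-bad range,
# expose the web server on 443, and let replies to outbound sessions back in.
EDGE_RULES = [
    Rule("deny", src="203.0.113.0/24"),
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=443),
    # Stateless approximation of "established": any TCP segment with only ACK
    # set. The filter cannot check that a matching connection really exists.
    Rule("allow", dst="192.0.2.0/24", proto="tcp", flags=frozenset({"ACK"})),
]
```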

Circuit-Level Gateways

Circuit-level gateways work at the network layer to monitor TCP and User Datagram Protocol (UDP) packets for connections between trusted hosts. They also act as relays between servers and clients. They analyze header information like source and destination IP addresses, sequence numbers, and port information to determine whether the incoming packets align with the connection handshake.

If a circuit-level gateway detects suspicious activity or a breach of other firewall security rules, it can block the incoming traffic and close the virtual circuit between the hosts. These features help to prevent unauthorized access and keep sensitive data safe from hackers. They are a good option for networks that require strong security but lack the bandwidth and hardware needed for more sophisticated deep-packet inspection firewalls.

Because they work lower in the network stack than application-level firewalls, circuit-level gateways introduce less latency and have less impact on performance. They are also less costly than other types of firewalls and do not need to filter individual packets.

Another benefit of a circuit-level gateway is that it can hide the internal host from the serving host, which can be helpful for organizations that must comply with regulations regarding the privacy and protection of personally identifiable information (PII), medical records, or financial information. However, it is essential to note that circuit-level gateways are ineffective against many common security threats and cannot provide comprehensive protection on their own.

Next-Generation Firewalls

Firewalls break down data into packets and analyze them to determine their contents. Packet filtering firewalls assess the data based on its source, destination, ports, and protocols to block malicious content. Firewalls can also detect and stop cyberattacks by inspecting the content of packets at higher order OSI layers than just layer 3 (network layer) or 4 (transport layer).

Next-generation firewalls (NGFW) improve upon traditional firewall capabilities. They are often integrated with advanced cybersecurity solutions such as an IPS, IDS, and threat intelligence services to provide a more comprehensive approach to network protection.

NGFWs offer stateful inspection, deep-packet inspection and IPv6 support, application awareness, intrusion prevention, and the ability to act on intelligence from threat intelligence services. They are typically implemented as part of a Unified Threat Management system (UTMS). They can also be offered as firewall as a service (FWaaS) to avoid the expense of buying separate appliances and managing them separately.

As with other advanced security tools, NGFWs require updates to keep them aware of the latest threats. This requires a security subscription similar to that of antivirus or EDR software, often offered as a managed service by the firewall vendor. In addition, the deeper data inspection that NGFWs perform requires more processing resources to handle the workload.

Layer 3 Firewalls

Generally, firewalls categorize traffic based on one of the seven layers of the Open Systems Interconnection (OSI) model or a combination of several of them. Depending on which category a firewall falls into, it can inspect network packets in different ways and offer a variety of security capabilities to businesses.

Firewalls that inspect at layer 3 typically sort packets based on their source and destination IP addresses, ports, and service protocols. They can also categorize traffic based on how the packets are constructed, for example, by identifying whether the packets carry a protocol known to be used in Distributed Denial of Service attacks.

This type of inspection is referred to as network packet filtering. It can be accomplished by configuring the firewall to accept only certain network packets, block other kinds, or both. The firewall may use a series of routers, data-processing or inspection devices, or a network traffic monitoring system to accomplish these tasks before it allows or blocks specific packets.

A variant of this approach is a firewall that filters based on the state of an active incoming traffic session. These are called stateful inspection firewalls and offer more security than packet or circuit-based firewalls, but they significantly affect network performance. To achieve this, a firewall that performs stateful inspection sends each packet to a series of network inspection and data processing devices. Then, it sends the decrypted packets back to the firewall.
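The handshake checking described under circuit-level gateways and the stateful inspection described here come down to the same mechanism: a connection table that admits a segment only if it continues a session already recorded. The following is an added example (not code from the original article) of such a tracker for TCP; the `StatefulFirewall` class, the `Segment` type, the internal address prefix and all addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset            # subset of {"SYN", "ACK", "FIN", "RST"}

Key = Tuple[str, int, str, int]  # (client ip, client port, server ip, server port)

class StatefulFirewall:
    """Tracks TCP sessions opened from the internal side. Inbound segments
    are admitted only when they match the expected step of an open session."""

    def __init__(self, internal_prefix: str):
        self.internal_prefix = internal_prefix   # constructed, e.g. "10.0.0."
        self.table: Dict[Key, str] = {}          # session key -> state

    def _key(self, s: Segment, outbound: bool) -> Key:
        # Both directions of one session map to the same table entry.
        return ((s.src, s.sport, s.dst, s.dport) if outbound
                else (s.dst, s.dport, s.src, s.sport))

    def handle(self, s: Segment) -> str:
        outbound = s.src.startswith(self.internal_prefix)
        key = self._key(s, outbound)
        state = self.table.get(key)
        if outbound and s.flags == {"SYN"} and state in (None, "SYN_SENT"):
            self.table[key] = "SYN_SENT"          # step 1 (retransmits allowed)
            return "allow"
        if not outbound and state == "SYN_SENT" and s.flags == {"SYN", "ACK"}:
            self.table[key] = "SYN_RECEIVED"      # step 2 must answer step 1
            return "allow"
        if outbound and state == "SYN_RECEIVED" and s.flags == {"ACK"}:
            self.table[key] = "ESTABLISHED"       # step 3: circuit is up
            return "allow"
        if state == "ESTABLISHED":
            if "FIN" in s.flags or "RST" in s.flags:
                del self.table[key]               # close the virtual circuit
            return "allow"
        # Unsolicited inbound traffic, an out-of-order handshake, or a segment
        # for a circuit that does not exist: drop it (a stateless filter that
        # matched on the ACK flag alone would have let it through).
        return "deny"

def run(fw: StatefulFirewall, segments: List[Segment]) -> List[str]:
    return [fw.handle(s) for s in segments]
```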
