This post is also available in: हिन्दी (Hindi) العربية (Arabic)
For everyday Internet users, computer viruses are one of the most common network threats in cybersecurity. Statistics show that approximately 33% of household computers are affected by some type of malware, more than half of which are viruses.
Computer viruses are pieces of software that are designed to be spread from one computer to another. They’re often sent as email attachments or downloaded from specific websites with the intent to infect your computer — and other computers on your contact list — by using systems on your network. Viruses are known to send spam, disable your security settings, corrupt and steal data from your computer including personal information such as passwords, even going as far as to delete everything on your hard drive.
What is a Firewall?
A firewall is a network security device that monitors incoming and outgoing network traffic and permits or blocks data packets based on a set of security rules. Its purpose is to establish a barrier between your internal network and incoming traffic from external sources (such as the internet) in order to block malicious traffic like viruses and hackers.
What Firewalls Do?
A Firewall is a necessary part of any security architecture and takes the guesswork out of host level protections and entrusts them to your network security device. Firewalls, and especially Next-Generation Firewalls, focus on blocking malware and application-layer attacks, along with an integrated intrusion prevention system (IPS), these Next-Generation Firewalls can react quickly and seamlessly to detect and react to outside attacks across the whole network. They can set policies to better defend your network and carry out quick assessments to detect invasive or suspicious activity, like malware, and shut it down.
Types of Firewalls
Following are the important types of firewalls.
1. Packet Filtering Firewall
Packet filtering firewall is a network security technique that is used to control data flow to and from a network. It is a security mechanism that allows the movement of packets across the network and controls their flow on the basis of a set of rules, protocols, IP addresses, and ports.
Packet filtering protects a local network from undesired invasion depending upon the predefined rules. The information passes through a network in the form of small pieces called packets, which travel independently across IP networks. These small packets travel through a node only if they match with predefined filtering rules otherwise get dropped. Hence, the filtering rules that are defined by the network layer firewalls in a packet filtering firewall prove to be highly efficient in providing security mechanisms.
2. Proxy Service Firewall
A proxy firewall is a network security system that protects network resources by filtering messages at the application layer. A proxy firewall may also be called an Application Firewall or Gateway Firewall.
A proxy firewall acts as an intermediary between in-house clients and servers on the Internet. The difference is that in addition to intercepting Internet requests and responses, a proxy firewall also monitors incoming traffic for layer 7 protocols, such as HTTP and FTP. In addition to determining which traffic is allowed and which is denied, a proxy firewall uses stateful inspection technology and deep packet inspection to analyze incoming traffic for signs of attack.
Proxy firewalls are considered to be the most secure type of firewall because they prevent direct network contact with other systems. (Because a proxy firewall has its own IP address, an outside network connection will never receive packets from the sending network directly.) Having the ability to examine the entire network packet, rather than just the network address and port number, also means that a proxy firewall will have extensive logging capabilities — a valuable resource for security administrators who are dealing with security incidents.
According to Marcus Ranum, who is credited with conceiving the idea of a proxy firewall, the goal of the proxy approach is to create a single point that allows a security-conscious programmer to assess threat levels represented by application protocols and put error detection, attack detection, and validity checking in place.
The added security offered by a proxy firewall has its drawbacks, however. Because a proxy firewall establishes an additional connection for each outgoing and incoming packet, the firewall can become a bottleneck, causing a degradation of performance or becoming a single point of failure. Additionally, proxy firewalls may only support certain popular network protocols, thereby limiting which applications the network can support.
3. Stateful Inspection Firewall
A technology that controls the flow of traffic between two or more networks. SI Firewalls track the state of sessions and dropping packets that are not part of a session allowed by a pre-defined security policy. This is sometimes called session-level protection because they keep state information for each network session and make allowed/denied decisions based on a session state table.
SI firewalls go beyond individual Transmission Control Protocol (TCP) connections to involve many such connections. Session-level firewalls support dynamic protocols by identifying port change instructions in client-server communication and comparing future sessions against these negotiated ports. For instance, to track file transfer protocol (FTP) sessions, the firewall inspects the control connection, used for issuing commands and negotiating dynamic ports, and then allows various data connections for transferring files. Because session-level protection provides all the benefits of packet-level protection without the limitations, it renders packet-level protection unnecessary for most networks.
4. Next Generation Firewall (NGFW)
Next-generation firewalls (NGFWs) filter network traffic to protect an organization from internal and external threats. Along with maintaining features of stateful firewalls such as packet filtering, IPsec and SSL VPN support, network monitoring, and IP mapping features, NGFWs possess deeper content inspection capabilities. These capabilities provide the ability to identify attacks, malware, and other threats, and allow the NGFW to block these threats.
NGFWs provide organizations with SSL inspection, application control, intrusion prevention, and advanced visibility across the entire attack surface. As the threat landscape rapidly expands due to co-location and multi-cloud adoption, and businesses grow to satisfy escalating customer needs, traditional firewalls fall further behind, unable to offer protection at scale, and leading to poor user experience and weak security posture. NGFWs not only block malware but also include paths for future updates, giving them the flexibility to evolve with the threat landscape and keep the network secure as new threats arise. Next-generation firewalls are a vital component of implementing network security.
5. Network Address Translation (NAT) Firewall
A Network Address Translation (NAT) firewall operates on a router to protect private networks. It works by only allowing internet traffic to pass through if a device on the private network requested it. A NAT firewall protects the identity of a network and doesn’t show internal IP addresses to the internet.
This is because, when connected to the internet, your router is assigned a single public IP address. It’s visible to the wider net and is needed to communicate with web servers. Any devices connected to the router locally have private IP addresses, which do not allow them to directly ‘communicate’ with the required web servers. This is where NAT comes into play – it directs traffic back and forth.
6. Stateful Multilayer Inspection (SMLI) Firewall
A stateful firewall keeps track of the state of network connections, such as TCP streams, UDP datagrams, and ICMP messages, and can apply labels such as LISTEN, ESTABLISHED, or CLOSING. State table entries are created for TCP streams or UDP datagrams that are allowed to communicate through the firewall in accordance with the configured security policy.
Once in the table, all RELATED packets of a stored session are streamlined allowed, taking fewer CPU cycles than a standard inspection. Related packets are also permitted to return through the firewall even if no rule is configured to allow communications from that host. If no traffic is seen for a specified time (implementation dependent), the connection is removed from the state table. Applications can send keepalive messages periodically to prevent a firewall from dropping the connection during periods of no activity or for applications which by design have long periods of silence.
The method of maintaining a session’s state depends on the transport protocol being used. TCP is a connection-oriented protocol and sessions are established with a three-way handshake using SYN packets and end by sending a FIN notification. The firewall can use these unique connection identifiers to know when to remove a session from the state table without waiting for a timeout.
UDP is a connectionless protocol, which means it does not send unique connection-related identifiers while communicating. Because of that, a session will only be removed from the state table after the configured time-out. UDP hole punching is a technology that abuses this trait to allow for dynamically setting up data tunnels over the internet. ICMP messages are distinct from TCP and UDP and communicate control information of the network itself. A well-known example of this is the ping utility. ICMP responses will be allowed back through the firewall. In some scenarios, UDP communication can use ICMP to provide information about the state of the session so ICMP responses related to a UDP session will also be allowed back through.