Guilty until proven innocent. This is the principle behind firewall systems, which are designed to monitor and filter network traffic based on predefined policies.
Network security is a hard problem, but the goal of a firewall system is simple: reject all network traffic unless explicitly allowed. This seems a straightforward approach to eliminate anomalous traffic from infiltrating your IT network while allowing a free flow of legitimate traffic.
But this simple concept is a challenge to implement.
Enterprise IT networks consist of thousands of devices continuously communicating with each other. How do you create a security policy that encompasses all rules representing all forms of legitimate traffic requests? A variety of firewall systems allow you to filter unwanted traffic requests.
Let’s take a look.
A firewall is a security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
Firewalls act as a barrier between a trusted internal network and untrusted external networks, such as the internet. They're essential for protecting private networks and devices from malicious attacks, unauthorized access, and other cyber threats. By analyzing data packets and enforcing security policies, firewalls help prevent cyberattacks and ensure the integrity and confidentiality of sensitive information. People use firewalls to safeguard their personal data, secure business operations, and maintain the overall health of their digital environments.
Firewalls act as gatekeepers for your network, ensuring only safe data passes through while blocking potentially harmful traffic. Technically, firewall systems filter network traffic across several layers of the OSI network model. The most common applications cover the data-link layer, the network layer, the transport layer, and the application layer.
Here’s a detailed look at how they work.
A firewall constantly monitors data entering and leaving the network. Data travels in small units called packets, and the firewall checks each packet against a set of security rules.
Packet filtering is the most basic function. The firewall examines the source and destination addresses of each packet and decides whether to allow it through based on predefined rules. It blocks the packet if it doesn't meet the rules.
Beyond just checking individual packets, firewalls also keep track of the state of active connections. They understand the context of traffic, recognizing which packets belong to a legitimate ongoing connection and which might be part of an attack.
Sometimes, a firewall will act as an intermediary. When you request a webpage, the request goes to the firewall first. The firewall then makes the request on your behalf, checks the response, and if it's safe, passes it on to you.
This adds an extra layer of security by hiding your internal network details from external servers.
This advanced technique allows firewalls to look inside the data portion of a packet, not just the header. By inspecting the content, the firewall can identify and block complex threats like malware and intrusions that basic filtering can not detect.
Modern firewalls can filter traffic based on the specific application generating the traffic, rather than just the source or destination. This means they can allow safe applications like email while blocking risky ones like certain peer-to-peer file-sharing programs.
Some advanced firewalls use behavior analysis to detect anomalies in traffic patterns that might indicate a cyberattack. By understanding what normal traffic looks like, they can spot and stop unusual, potentially harmful activity.
Firewalls enforce these security measures to protect your network by ensuring that only legitimate and safe traffic passes through. They are crucial for preventing unauthorized access and cyberattacks and for ensuring the integrity and confidentiality of data within the network.
Let’s review how different types of firewall systems help achieve this network security goal.
Packet filtering is a simple firewall system that checks
All traffic that complies with the predefined rules passes through the device. In the case of dynamic packet filtering, these rules may apply for a specific time duration, also known as a stateful inspection firewall. The system only evaluates the protocols, not the message data in the network packets itself. Filtering rules are applied based only on the information available in current packets, which means no contextual knowledge is available.
This system works at the session layer of the OSI model and determines whether the TCP handshaking between trusted servers and untrusted parties complies with the particular security rules of the session.
It acts as a proxy server between the external source and the internal destination server, creating a new connection with the remote host. For this connection, the gateway also changes the IP address to reflect its own instead of using the destination IP address.
This system inspects traffic at the application layer of the TCP/IP stack. It works as a separate host with its own IP address, which intercepts the traffic request received by the network. The proxy firewall responds with the synchronize-acknowledge (SYN-ACK) packet from the message source IP address.
The transmission is divided into two steps: source-to-proxy and proxy-to-destination. At each stage, predefined rules are analyzed for security compliance. Unlike the circuit-level gateway, the application gateway doesn't change the source IP address on its own when acting as a proxy.
This system combines multiple firewall functions of stateful inspection devices, antivirus and spyware services, and intrusion prevention devices at the gateway. A central command controls traffic flow rules with high-level visibility and control, bandwidth management, and quality of service monitoring.
Next-generation firewall (NGFW) is an advanced level of firewall mechanism that includes intelligence-based access control systems using
Threat-focused NGFW systems further enhance these by providing more control, contextual awareness, and intelligent automation, and reducing the complexity by enforcing security policies in large-scale networks.
Unlike traditional firewalls, which assume that one side of the network is trustworthy, firewalls for distributed systems define a central policy and enforce it at each endpoint regardless of the network topology.
It uses a policy language that describes the connection rules for devices and network states, translated into an internal format using a compiler. A system management tool distributes the policy to all network hosts. It uses network-level encryption to verify the identity of a traffic source. This means that there's no longer a single checkpoint for network security. The network is not limited by the throughput, latency, and speed performance of firewall devices.
These systems monitor the traffic streams for anomalous behavior by evaluating signatures in the traffic. If the signatures include the contents of a known cyberattack, signature-based firewalls filter the behavior. Like any antivirus system...
An evolution of this technique is the rules-based detection mechanism, which evaluates not only the signatures but also the patterns within those signatures. Advanced AI algorithms may be used to establish the deductive reasoning capability of the firewall system.
A firewall hosted in the cloud is often offered as a service. It provides scalable security solutions for cloud environments, protecting against threats targeting cloud-based applications and data.
A hardware firewall is when a physical device is used to enforce security policies, providing robust and dedicated protection for networks. It's often used in enterprise environments for perimeter security.
Selecting the right firewall involves key considerations:
By evaluating these factors, you can choose a firewall that offers robust protection, meets organizational needs, and scales with your network’s growth.
Yes, firewalls can be delivered as SaaS. They offer scalable, flexible protection managed by service providers, ideal for businesses needing robust security without on-premises hardware management.
Firewalls emerged in the late 1980s to address network security. The first stateful inspection firewall, introduced by AT&T Bell Labs in 1989, significantly advanced network security by tracking active connections.
NAT allows multiple devices on a local network to share a single public IP address. It enhances security by masking internal IP addresses, preventing direct external access, and conserving IP addresses.
See an error or have a suggestion? Please let us know by emailing [email protected].
This posting does not necessarily represent Splunk's position, strategies or opinion.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.