Firewalls are network security devices that monitor and filter traffic as it flows to, from, and across networks based on a given enterprise’s pre-established security policies.
Ideally, firewalls block dangerous traffic and allow non-threatening traffic. While virtually every networked organization should have some level of firewall control, not every network will require the most expensive, state-of-the-art firewalls on the market. This guide will help you determine which level of firewall protection may be right for you.
There are five basic categories of firewalls:
- Packet Filtering Firewall
- Circuit-Level Gateway
- Application-Level Gateway (“proxy”)
- Stateful Inspection Firewall
- Next-Generation Firewall (NGFW)
For more information, also see: What is Firewall as a Service?
Packet filtering firewalls are among the earliest types of firewalls. As such, this firewall type is more limited in the level of protection it can provide. On their own, packet filtering firewalls are not sufficient for protecting enterprise network architectures.
Packet filtering firewalls sit at junctions within enterprise networks, typically on the routers and switches that connect segments. The filter itself does not route; it decides whether the router may forward a packet, and it makes that decision for each packet in isolation, with no memory of earlier packets and no notion of a connection. Each packet is compared to a set of pre-established criteria that typically includes attributes like:
- IP address
- Packet type
- Port number
- Packet protocol header aspects
When a packet does not pass muster according to the pre-established rules (called access control lists, or ACLs), it is flagged and usually dropped (not forwarded on to other network segments).
Packet filtering firewalls operate at the network layer (Layer 3) of the Open Systems Interconnection (OSI) model, although their rules also read transport-layer fields from the packet header, such as TCP and UDP port numbers and TCP flags.
Common use cases for packet filtering firewalls
Packet filtering firewalls are best suited for situations where a lower level of security is acceptable. They are also an adequate solution for budget-constrained, smaller organizations to provide at least a basic level of protection against known threats, a significant advantage over having no firewall protection at all.
Within larger enterprise networks, packet filtering firewalls can be integral components of a multilayered defense strategy, especially between internal departments.
Packet filtering firewall advantages
The main advantage of using packet filtering firewalls as part of a larger network security approach is that they are quite fast and nearly transparent to users. They are also affordable versus more advanced firewalls.
Packet filtering firewall disadvantages
As the earliest widely used type of firewall, packet filtering firewalls are quite limited in their ability to provide network protection. Because they judge each packet on its own, they cannot tell whether a packet actually belongs to a legitimate connection, so an attacker who crafts headers that satisfy the rules gets through: a spoofed source address, a TCP packet with the ACK flag set so it looks like a reply to an existing session, or IP fragmentation that hides the port numbers from the filter. Rulesets also drift over time, accumulating broad allow entries, and must be reviewed regularly to stay meaningful.
Packet filtering firewall average price
Packet filtering firewalls start at around $20 USD.
Circuit-level gateways operate at the session layer (OSI Layer 5). They watch the TCP three-way handshake and the session-initiation messages of other protocols as connections are set up between local and remote hosts, and decide whether the session as a whole is legitimate; when it is not, the gateway refuses the connection. Once a session is approved, the gateway relays its traffic without examining the contents of individual packets. SOCKS proxies are the classic example.
Common use cases for circuit-level gateways
A step up from packet filtering firewalls, circuit-level gateways are still insufficient on their own to provide comprehensive network protection. They are typically deployed alongside other controls, such as application-level gateways, so that the session-level checks of the circuit-level gateway are combined with inspection of what the session carries.
Circuit-level gateway advantages
The primary advantage of using circuit-level gateways is that they are easy to set up and manage. It is also easy to block most traffic as only requested transactions are processed. Circuit-level gateways are lower in cost and do not tend to impact system performance.
Circuit-level gateway disadvantages
On their own, circuit-level gateways offer no protection against data leakage from devices inside the firewall: anything carried within an approved session, including malware or exfiltrated data, passes through unseen. They cannot monitor the application layer, and their rules must be maintained as services change; a neglected gateway ends up permitting sessions nobody intended to allow.
Circuit-level gateway average price
Circuit-level gateways start at around $200 USD.
Also called proxy firewalls, application-level gateways terminate connections on behalf of clients: the client talks to the gateway, and the gateway opens its own connection to the destination, so the proxy is the only endpoint into and out of the network. These firewalls filter not only according to destination port rules, but also by application-layer characteristics such as HTTP request strings. They provide a much stronger defense against data loss, but can have a marked negative impact on network performance.
Common use cases for application-level gateways
The most common use case for application-level gateways is to protect organizations from web application threats. These firewalls can block access to harmful sites and can prevent sensitive information from being leaked from within a firewall.
Application-level gateway advantages
Application-level gateways provide a deeper level of network protection than simpler packet filtering firewalls. They check not just IP addresses, ports, and TCP header information, but the actual content of the request, before allowing traffic to pass through the proxy. They can be fine-tuned to, for example, allow users to reach a given website but only specific pages. Because the destination sees the proxy's address rather than the client's, application-level gateways also provide a level of user anonymity.
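The kind of decision an HTTP proxy firewall makes, as an added example written for this article rather than code from any proxy product: it parses the raw request as the proxy receives it, allows a host only if it is on an allow-list and then only the listed paths (after collapsing "../" tricks), and refuses to forward a request body that looks like it carries a secret. The allow-list, the two pattern shapes used as a toy data-loss rule, and every sample request are constructed for the demonstration.

```python
"""Toy policy engine for an HTTP application-level gateway (proxy).

Added example for this article, not the code of any proxy product.
The allow-list, the DLP patterns and the sample requests are constructed."""
import posixpath
import re
from urllib.parse import urlsplit

# Hypothetical policy: host -> allowed path prefixes. "" means the whole site.
# A host that is not listed is blocked outright.
ALLOW = {
    "docs.example.com": ["/public/", "/kb/"],
    "www.example.com": [""],
}

# Request-body shapes the gateway refuses to forward outbound (toy DLP rule).
SECRET_PATTERNS = [
    re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),   # US SSN layout
    re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),     # AWS access key ID layout
]


def parse_request(raw: bytes):
    """Split one HTTP/1.x request into (method, host, path, headers, body).
    Anything malformed raises ValueError, which evaluate() turns into a deny."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        raise ValueError("bad request line")
    method, target = parts[0].decode("ascii"), parts[1].decode("ascii")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise ValueError("bad header line")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    # A forward proxy sees absolute-form targets (http://host/path); origin-form
    # targets (/path) name the host in the Host header instead.
    if target.startswith(("http://", "https://")):
        parsed = urlsplit(target)
        host, path = parsed.hostname or "", parsed.path or "/"
    else:
        host, path = headers.get("host", "").split(":")[0], urlsplit(target).path or "/"
    if not host:
        raise ValueError("no host")
    return method, host.lower(), path, headers, body


def path_allowed(path: str, prefixes) -> bool:
    # Collapse "../" segments first so /kb/../admin cannot masquerade as /kb/.
    norm = posixpath.normpath(path)
    return any(p == "" or norm == p.rstrip("/") or norm.startswith(p) for p in prefixes)


def evaluate(raw: bytes) -> tuple:
    """Return (verdict, reason) for one proxied request."""
    try:
        method, host, path, headers, body = parse_request(raw)
    except ValueError as exc:
        return "deny", "malformed request: %s" % exc
    prefixes = ALLOW.get(host)
    if prefixes is None:
        return "deny", "host %s not in allow-list" % host
    if not path_allowed(path, prefixes):
        return "deny", "path %s not allowed on %s" % (path, host)
    if method in ("POST", "PUT"):
        for pat in SECRET_PATTERNS:
            if pat.search(body):
                return "deny", "body matches %r" % pat.pattern
    return "allow", "%s %s%s" % (method, host, path)


# Constructed requests, as a forward proxy would receive them.
SAMPLES = {
    "kb_page": b"GET http://docs.example.com/kb/article1 HTTP/1.1\r\nHost: docs.example.com\r\n\r\n",
    "admin_page": b"GET http://docs.example.com/admin/ HTTP/1.1\r\nHost: docs.example.com\r\n\r\n",
    "dot_dot": b"GET http://docs.example.com/kb/../admin/x HTTP/1.1\r\nHost: docs.example.com\r\n\r\n",
    "other_host": b"GET http://files.example.net/ HTTP/1.1\r\nHost: files.example.net\r\n\r\n",
    "leak": (b"POST http://www.example.com/upload HTTP/1.1\r\nHost: www.example.com\r\n"
             b"Content-Length: 20\r\n\r\nssn=123-45-6789&ok=1"),
    "broken": b"GET / HTTP/1.1\r\nHost\r\n\r\n",
}


def run_samples() -> dict:
    return {name: evaluate(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-11s %s" % (name, evaluate(raw)))
```

Only the first sample is forwarded; the others show the checks a proxy can make that a port-based filter cannot: a disallowed path on an allowed host, a path-traversal disguise, an unlisted host, a request body that would leak data, and a request the parser cannot make sense of (a real proxy denies those too rather than guessing).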
Application-level gateway disadvantages
The most significant disadvantage of using an application-level gateway is that this technology is resource-intensive, putting network performance at risk. These firewalls are also more expensive than some other options. Also, a proxy must understand each application protocol it handles, so a separate gateway (or module) is needed per protocol, and protocols it does not understand cannot be proxied at all.
Application-level gateway average price
Application-level gateways start at around $1,000 USD, with many units in the $3,000-$6,000 range.
Stateful inspection firewalls (or “state-aware” firewalls) examine each packet and also track whether it belongs to a TCP connection, or a UDP or ICMP exchange, that the firewall has already seen established. They require a larger investment than packet filtering and circuit-level firewalls and, because they maintain a table of live connections, consume more memory and CPU than a stateless filter.
Common use cases for stateful inspection firewalls
Stateful inspection firewalls are popular network security tools for most larger enterprises. They provide a more robust gateway between computers and other connected assets within firewall perimeters and resources that exist outside the organization. They are also frequently used to defend network devices against specific attacks like distributed denial of service (DDoS) attacks, with one caveat: the connection table is itself a finite resource that SYN floods aim to fill, so this protection depends on the device's capacity and on features such as SYN cookies.
Stateful inspection firewall advantages
The primary advantage of using a stateful inspection firewall is that it follows each connection through its lifetime, from setup to teardown, while checking addresses, ports, and flags on every packet. Administrators get a higher degree of control over what is allowed in or out of the network. Because the firewall remembers that an inside host opened a connection, the replies are admitted automatically; the ruleset does not need to leave ranges of high ports open inbound the way a stateless filter must. Stateful inspection firewalls also generate detailed per-connection logs.
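The difference between the stateless packet filtering described earlier on this page and stateful inspection, as an added example written for this article rather than code from any firewall product: a first-match ACL evaluates each packet alone, while a connection table admits a packet only if it fits a connection the firewall saw being opened. The internal prefix, the published DMZ service, the ACL, and the packet sequence are all constructed; the stateless "allow inbound packets with ACK set" rule models what the Cisco ACL keyword "established" does, and the TCP state machine is simplified (no timeouts, no sequence-number checks).

```python
"""Toy stateless packet filter beside a toy stateful inspection firewall.

Added example for this article, not code from any firewall product. The
addresses, ports, ACL and packet sequence are constructed; the TCP state
machine is simplified (no timeouts, no sequence-number checks)."""
from dataclasses import dataclass
from typing import Optional

INTERNAL_PREFIX = "10."            # hypothetical inside network, 10.0.0.0/8
PUBLISHED = {("10.1.1.80", 443)}   # hypothetical DMZ web server open to outside


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset               # TCP flags present, e.g. frozenset({"SYN"})
    proto: str = "tcp"


def direction(p: Packet) -> str:
    return "out" if p.src.startswith(INTERNAL_PREFIX) else "in"


@dataclass(frozen=True)
class Rule:
    """One ACL entry. None fields are wildcards; flags must all be present."""
    action: str
    direction: str
    dport: Optional[int] = None
    flags: Optional[frozenset] = None


def stateless_verdict(rules, p: Packet) -> str:
    """First-match ACL, implicit default deny, no memory of earlier packets."""
    for r in rules:
        if r.direction != direction(p):
            continue
        if r.dport is not None and r.dport != p.dport:
            continue
        if r.flags is not None and not r.flags <= p.flags:
            continue
        return r.action
    return "deny"


# Stateless approximation of "allow replies": any inbound packet with ACK set
# counts as part of an existing connection. The sender controls that flag.
STATELESS_RULES = [
    Rule("allow", "out"),
    Rule("allow", "in", dport=443),
    Rule("allow", "in", flags=frozenset({"ACK"})),
]

SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})


class StatefulFirewall:
    """Connection table keyed by the 5-tuple of the packet that opened the
    connection; later packets are admitted only if they fit the tracked state.
    The table is finite, as it is on real hardware."""

    def __init__(self, max_entries: int) -> None:
        self.table = {}
        self.max_entries = max_entries

    def _may_open(self, p: Packet) -> bool:
        # Only a bare SYN opens a connection: from inside to anywhere, or
        # from outside to a published service.
        return p.flags == SYN and (direction(p) == "out"
                                   or (p.dst, p.dport) in PUBLISHED)

    def verdict(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is None:
            if not self._may_open(p):
                return "deny"
            if len(self.table) >= self.max_entries:
                return "deny"              # state table exhausted
            self.table[fwd] = "SYN_SENT"
            return "allow"
        state = self.table[key]
        if p.flags & {"FIN", "RST"}:
            del self.table[key]            # connection closing; forget it
            return "allow"
        if state == "SYN_SENT" and key == rev and p.flags == SYNACK:
            self.table[key] = "SYN_RECV"
            return "allow"
        if state == "SYN_RECV" and key == fwd and "ACK" in p.flags:
            self.table[key] = "ESTABLISHED"
            return "allow"
        return "allow" if state == "ESTABLISHED" else "deny"


def run_scenario() -> dict:
    """Return {step: (stateless verdict, stateful verdict)} for a handshake,
    a spoofed 'reply', and a small SYN flood against the DMZ server."""
    fw = StatefulFirewall(max_entries=4)
    steps = [
        ("client_syn", Packet("10.1.1.5", 40000, "203.0.113.10", 443, SYN)),
        ("server_synack", Packet("203.0.113.10", 443, "10.1.1.5", 40000, SYNACK)),
        ("client_ack", Packet("10.1.1.5", 40000, "203.0.113.10", 443, ACK)),
        # Outside host aims an ACK-flagged packet at SSH with no handshake.
        ("spoofed_ack", Packet("198.51.100.7", 4444, "10.1.1.5", 22, ACK)),
    ]
    # Three spoofed SYNs that never complete fill the remaining table slots...
    steps += [("flood_%d" % i, Packet("198.51.100.%d" % i, 1000 + i, "10.1.1.80", 443, SYN))
              for i in range(3)]
    # ...so a legitimate new outbound connection is refused.
    steps.append(("new_client_syn", Packet("10.1.1.6", 40001, "203.0.113.10", 443, SYN)))
    return {name: (stateless_verdict(STATELESS_RULES, p), fw.verdict(p))
            for name, p in steps}


if __name__ == "__main__":
    for step, (stateless, stateful) in run_scenario().items():
        print("%-16s stateless=%-6s stateful=%s" % (step, stateless, stateful))
```

Both firewalls pass the real handshake. The stateless ACL also passes the spoofed ACK packet, because the only thing it can check is the flag the attacker set; the stateful firewall drops it because no connection was ever opened. The last step shows the cost of keeping state: once half-open entries fill the table, a legitimate new connection is refused, which is why state-table size and SYN-flood handling matter when sizing these devices.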
Stateful inspection firewall disadvantages
The main disadvantage of stateful inspection firewalls is that tracking connections takes memory and CPU, which can slow network communications, and the connection table can be deliberately filled by an attacker. These firewalls are also significantly more expensive than less advanced firewall technology. Finally, stateful inspection firewalls do not authenticate the source of traffic, so a packet with a spoofed source address that fits an allowed rule still gets through.
Stateful inspection firewall average price
Stateful inspection firewalls start at around $3,000 per hardware unit.
Next-generation firewalls (NGFWs) combine packet inspection with stateful inspection. They also include deep packet inspection capabilities and incorporate network security systems like malware filtering, antivirus, and intrusion detection systems (IDS) and intrusion prevention systems (IPS).
Traditional firewalls inspect packets, but only examine the protocol header. Deep packet inspection looks at the data within each packet. These firewalls can even track a web browsing session in progress, and are capable of telling whether a packet payload, when reassembled with the other packets of an HTTP server reply, is a legitimate HTML-formatted response. Deep packet inspection only sees plaintext, however: for TLS traffic the firewall either works from metadata alone or must be configured to intercept and decrypt the session, which brings its own certificate-management and privacy implications.
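What "reassemble the reply and check that it really is HTML" involves, as an added example written for this article and not the inspection engine of any NGFW product: segments carrying an HTTP reply are put back in sequence-number order (tolerating out-of-order and retransmitted segments, and holding the stream at the first gap), then the declared Content-Type is compared against what the body actually starts with. The replies, their segmentation, and the "executable delivered as a web page" case are constructed; only Content-Length bodies are handled, not chunked encoding, and, as for any DPI, only plaintext.

```python
"""Toy deep packet inspection: reassemble the TCP segments carrying an HTTP
reply, then check that the body is what the headers claim it is.

Added example for this article, not the engine of any NGFW product. The
replies and their segmentation are constructed; only Content-Length bodies
are handled (no chunked encoding) and, as with any DPI, only plaintext."""
import re

HTML_START = re.compile(rb"^\s*(<!DOCTYPE html|<html)", re.IGNORECASE)
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")    # Windows PE and ELF file headers


def reassemble(segments, isn: int) -> bytes:
    """Rebuild the byte stream from (seq, payload) segments that may arrive
    out of order or duplicated. Stops at the first hole, since bytes after
    a gap cannot be inspected yet."""
    stream = bytearray()
    expected = isn
    for seq, payload in sorted(segments):
        if seq > expected:
            break                          # hole: wait for the retransmission
        skip = expected - seq              # bytes we already have (overlap)
        if skip < len(payload):
            stream += payload[skip:]
            expected = seq + len(payload)
    return bytes(stream)


def inspect(segments, isn: int):
    """Return (verdict, reason): allow, deny, or hold until more data arrives."""
    stream = reassemble(segments, isn)
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return "hold", "headers incomplete"
    lines = head.split(b"\r\n")
    if not lines[0].startswith(b"HTTP/1."):
        return "deny", "not an HTTP response"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    length = headers.get(b"content-length", b"")
    if not length.isdigit():
        return "deny", "missing or invalid Content-Length"
    if len(body) < int(length):
        return "hold", "body incomplete"
    body = body[:int(length)]
    declared = headers.get(b"content-type", b"").split(b";")[0].strip().lower()
    if body.startswith(EXECUTABLE_MAGIC):
        return "deny", "executable delivered as %r" % declared
    if declared == b"text/html" and not HTML_START.match(body):
        return "deny", "Content-Type says text/html but body is not HTML"
    return "allow", "%s %s" % (lines[0].decode("ascii"), declared.decode("ascii"))


def build_reply(body: bytes, content_type: bytes) -> bytes:
    """Constructed HTTP/1.1 200 reply for the demonstration."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type +
            b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


def segment(stream: bytes, isn: int, size: int):
    """Cut a stream into TCP-style (seq, payload) segments of `size` bytes."""
    return [(isn + i, stream[i:i + size]) for i in range(0, len(stream), size)]


def run_samples() -> dict:
    isn = 1000
    html = build_reply(b"<!DOCTYPE html><html><body>hi</body></html>",
                       b"text/html; charset=utf-8")
    segs = segment(html, isn, 20)
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24      # constructed PNG-like body
    exe = b"MZ\x90\x00" + b"\x00" * 28             # constructed PE-like body
    return {
        "html_in_order": inspect(segs, isn)[0],
        "html_out_of_order": inspect(segs[::-1], isn)[0],
        "html_with_retransmit": inspect(segs + [segs[2]], isn)[0],
        "html_missing_segment": inspect(segs[:3] + segs[4:], isn)[0],
        "exe_as_html": inspect(segment(build_reply(exe, b"text/html"), isn, 16), isn)[0],
        "png_as_html": inspect(segment(build_reply(png, b"text/html"), isn, 16), isn)[0],
        "png_as_png": inspect(segment(build_reply(png, b"image/png"), isn, 16), isn)[0],
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print("%-22s %s" % (name, verdict))
```

The three HTML cases are allowed regardless of how the segments arrived, the stream with a missing middle segment is held rather than judged on a partial view, and the two mislabelled bodies are refused even though a header-only firewall would have seen a normal "200 OK" on port 80. Real engines carry the same idea much further (thousands of file and protocol signatures, chunked and compressed bodies, per-flow memory limits), but the reassembly-then-validate structure is the same.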
Common use cases for next-generation firewalls
Next-generation firewalls are commonly used by organizations in the healthcare and finance sectors, which are heavily regulated. Any organization that manages highly sensitive data, especially data protected by data-protection regulations, benefits from the added security and logging capabilities available with next-generation firewalls.
Next-generation firewall advantages
Primarily, next-generation firewalls are advantageous because they are more advanced, combining deep packet inspection and other controls to filter traffic. They inspect traffic from Layer 2 up to the application layer, so policy can be written in terms of applications and users rather than only addresses and ports. Security teams can also configure their signatures and threat feeds to update automatically.
Next-generation firewall disadvantages
As with other firewall approaches, next-generation firewalls are best used within a larger security infrastructure, which can become complicated and time-consuming to manage. These firewalls are also expensive, putting them out of reach for many organizations.
Next-generation firewall average price
Next-generation firewalls start at around $4,000 per hardware unit.
Every organization will require its own unique approach to network security. Smaller organizations with fewer resources to protect may feel well protected without moving into the more expensive categories of firewalls like stateful inspection and next-generation models. On the other hand, organizations tasked with protecting and managing sensitive data will want to explore options within the next-generation firewall category.
Firewall technology has evolved rapidly since these network security devices were first introduced in the 1980s. Still, even the most rudimentary firewall approach, packet filtering, is often part of an overarching, comprehensive security umbrella. To protect against modern threats such as those presented by web applications, users will want to consider firewalls that provide higher levels of protection. Often, security teams will deploy a variety of firewall types to protect different network segments.
For more information, also see: Why Firewalls are Important for Network Security