A firewall is a type of network security device that monitors incoming and outgoing network traffic and allows or denies data packets based on a set of security rules. Its purpose is to create a barrier between your internal network and traffic arriving from outside sources (such as the internet), so that malicious traffic, whether from viruses or from hackers, is blocked before it reaches internal systems.
How does a firewall function?
To prevent attacks, firewalls carefully analyse incoming traffic based on pre-defined rules and filter out traffic coming from unsecured or suspicious sources. Firewalls protect traffic at a computer’s entry points, known as ports, where data is exchanged with external devices. A rule might read, for example: “Source address 172.18.1.1 is permitted to reach destination 172.18.2.1 via port 22.”
Consider IP addresses to be houses, and port numbers to be rooms within the house. Only trusted people (source addresses) are allowed to enter the house (destination address), and people within the house are only allowed to access certain rooms (destination ports), depending on whether they are the owner, a child, or a guest. The owner has access to any room (any port), whereas children and guests have access to a limited number of rooms (specific ports).
Firewalls can be either software or hardware, though it is preferable to have both. A software firewall is a programme installed on each computer that regulates traffic by port number and application, whereas a hardware firewall is a physical appliance installed on the network itself.
The most common type of firewall, the packet-filtering firewall, examines packets and prevents them from passing through if they do not match an established security rule set. This type of firewall examines the source and destination IP addresses (and ports) of each packet. If a packet matches an “allowed” rule on the firewall, it is allowed to enter the network.
There are two types of packet-filtering firewalls: stateful and stateless. Stateless firewalls examine each packet in isolation and lack context: they cannot tell whether a packet belongs to a connection that was legitimately opened earlier, which makes them easy targets for hackers. Stateful firewalls, on the other hand, remember information about previously passed packets (typically in a connection table) and judge each new packet in that context, which is why they are considered far more secure.
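To make the stateless-versus-stateful distinction concrete, here is an added example (not code from the original article) of a tiny packet filter in Python. It reuses the page's sample rule, “172.18.1.1 may reach 172.18.2.1 on port 22”, and then feeds both filters the same four constructed packets: the client's connection-opening packet, the server's reply, an unsolicited packet from the server, and a packet from an unknown host. The port numbers, the 10.0.0.9 address and the rule-matching conventions (`"any"` and `0` as wildcards, first match wins, default deny) are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # source address or "any"
    dst: str      # destination address or "any"
    dport: int    # destination port, 0 = any
    action: str   # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # True for a connection-opening packet


class StatelessFilter:
    """Judges every packet in isolation: first matching rule wins,
    and a packet that matches no rule is denied."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        for r in self.rules:
            if (r.src in ("any", pkt.src)
                    and r.dst in ("any", pkt.dst)
                    and r.dport in (0, pkt.dport)):
                return r.action
        return "deny"


class StatefulFilter(StatelessFilter):
    """Same rules, plus a connection table. A packet passes if it opens a
    permitted connection (SYN matching an allow rule) or belongs to a
    connection already in the table; replies are recognised by matching
    the reversed address/port 4-tuple."""

    def __init__(self, rules):
        super().__init__(rules)
        self.table = set()

    def decide(self, pkt: Packet) -> str:
        flow = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if flow in self.table or reverse in self.table:
            return "allow"              # part of an established connection
        if pkt.syn and super().decide(pkt) == "allow":
            self.table.add(flow)        # remember the new connection
            return "allow"
        return "deny"                   # unknown packet or unsolicited reply


def run_scenario() -> dict:
    """Run the same constructed traffic through both filters and return
    the decisions in the order: client SYN, server reply, unsolicited
    packet from the server, packet from an unknown host."""
    base = [Rule("172.18.1.1", "172.18.2.1", 22, "allow")]
    # A stateless filter cannot recognise replies, so the administrator
    # has to add a broad return-traffic rule; that rule also admits any
    # unsolicited packet from 172.18.2.1 to 172.18.1.1.
    stateless = StatelessFilter(base + [Rule("172.18.2.1", "172.18.1.1", 0, "allow")])
    stateful = StatefulFilter(base)     # no return rule needed

    client_syn = Packet("172.18.1.1", "172.18.2.1", 40000, 22, syn=True)
    server_reply = Packet("172.18.2.1", "172.18.1.1", 22, 40000)
    unsolicited = Packet("172.18.2.1", "172.18.1.1", 22, 40002)   # no prior SYN
    stranger = Packet("10.0.0.9", "172.18.2.1", 40001, 22, syn=True)

    traffic = (client_syn, server_reply, unsolicited, stranger)
    return {name: [fw.decide(p) for p in traffic]
            for name, fw in (("stateless", stateless), ("stateful", stateful))}


if __name__ == "__main__":
    for name, decisions in run_scenario().items():
        print(name, decisions)
```

The third packet is the one that matters: the stateless filter waves it through because the return-traffic rule cannot distinguish a reply from an unsolicited packet, whereas the stateful filter denies it because no connection in its table explains it. The last packet shows that statefulness does not loosen the rule set: a SYN from an unknown host is still rejected by both.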
Next-generation firewalls (NGFW) integrate traditional firewall technology with additional features such as encrypted traffic inspection, intrusion prevention systems, anti-virus, and more. Their most notable feature is deep packet inspection (DPI). While traditional firewalls only examine packet headers, deep packet inspection examines the data within the packet itself, allowing users to more effectively identify, categorise, and stop malicious data packets.
Proxy firewalls filter network traffic at the application level. Unlike traditional firewalls, the proxy acts as an intermediary between the two end systems: the client sends its request to the firewall, which evaluates it against a set of security rules before allowing or blocking it. Proxy firewalls, in particular, monitor traffic for layer 7 protocols such as HTTP and FTP, and detect malicious traffic using both stateful and deep packet inspection.
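The difference between a header-only filter and application-level (DPI or proxy) inspection is easiest to see side by side. The following is an added example, not code from the original article: a small HTTP/1.x request parser and a layer-7 policy check, run against four constructed payloads that all arrive on port 80. The hostnames (`intranet.example`, `other.example`), the policy (only GET and POST, only to the intranet host) and the non-HTTP byte string are assumptions made for the example.

```python
ALLOWED_PORTS = {80}   # what a header-only filter is configured with (assumption)

# Layer-7 policy applied by the proxy/DPI check (assumption for the example)
POLICY = {"methods": {"GET", "POST"}, "hosts": {"intranet.example"}}


def header_only_decision(dport: int) -> str:
    """A traditional packet filter sees only the headers: here, the port."""
    return "allow" if dport in ALLOWED_PORTS else "deny"


def parse_http_request(payload: bytes):
    """Parse the request line and headers of an HTTP/1.x request.
    Returns a dict, or None when the payload is not well-formed HTTP."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, terminator, _body = text.partition("\r\n\r\n")
    if not terminator:
        return None                     # header block never terminated
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None                     # not an HTTP request line
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            return None                 # malformed header line
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "headers": headers}


def dpi_decision(payload: bytes, policy=POLICY) -> str:
    """Inspect the payload itself and apply the layer-7 policy."""
    req = parse_http_request(payload)
    if req is None:
        return "deny: payload is not HTTP"
    if req["method"] not in policy["methods"]:
        return "deny: method " + req["method"]
    host = req["headers"].get("host")
    if host not in policy["hosts"]:
        return "deny: host " + str(host)
    return "allow"


# Constructed sample payloads, all destined for port 80
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    "unknown_host": b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n",
    "bad_method": b"CONNECT intranet.example:443 HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    "not_http": b"\x00\x01\x02binary data on the web port",
}


def compare(samples=SAMPLES, dport: int = 80) -> dict:
    """Return (header-only decision, DPI decision) for each sample."""
    return {name: (header_only_decision(dport), dpi_decision(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (hdr, dpi) in compare().items():
        print(f"{name:13s} header-only={hdr:6s} dpi={dpi}")
```

Every sample gets `allow` from the header-only check, because port 80 is open and that is all it can see. Only the payload inspection separates the ordinary request from one addressed to a host outside the policy, one using a method the policy does not permit, and a stream that is not HTTP at all despite using the HTTP port; this is the extra visibility the NGFW and proxy descriptions above are referring to.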
Firewalls with stateful multilayer inspection (SMLI) filter packets at the network, transport, and application layers by comparing them to known trusted packets. SMLI, like NGFW firewalls, examines the entire packet and only allows it to pass if it passes each layer individually. These firewalls examine packets to determine the state of the communication (hence the name) in order to ensure that all initiated communication occurs only with trusted sources.