Guide to firewalls

What is a network firewall? What types of firewalls are there, and which kind best protects enterprise data? All of these questions, and more, are answered in our network security firewall guide. This tutorial will help you learn every kind of firewall -- from unified threat management (UTM) to proxies -- and give you advice on firewall purchasing, firewall placement and firewall maintenance and management.

For those new to the technology, skip below the table of contents to see firewalls defined and category types. If you're well-acquainted with this essential part of security, then you are encouraged to navigate the table of contents below to drill down into topics you'd like to learn more about, whether it be on firewall implementation or on how to choose an enterprise firewall for your company's needs.


Table of contents:
 Introduction to firewalls
 Types of firewalls
        Network layer
        Application layer
 Choosing a firewall
        Who is responsible for firewalls?
        Security risk assessment
        Firewall purchasing advice
 Firewall implementation and placement
        Placement of a firewall
        Are two firewalls better than one?
        Firewall implementation precautions
 Firewall management and maintenance

Introduction to firewalls

A firewall is a hardware or software system that prevents unauthorized access to or from a network. It can be implemented in hardware, in software, or in a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet. All data entering or leaving the intranet passes through the firewall, which examines each packet and blocks those that do not meet the specified security criteria.

Why do you need a firewall?
Read Chapter 1 of Firewalls for Dummies: Why do you need a firewall? to understand their purpose.

Generally, firewalls are configured to protect against unauthenticated interactive logins from the outside world. This helps prevent hackers from logging into machines on your network. More sophisticated firewalls block traffic from the outside to the inside, but permit users on the inside to communicate a little more freely with the outside.

Firewalls are essential since they can provide a single block point where security and auditing can be imposed. Firewalls provide an important logging and auditing function; often they provide summaries to the administrator about the type and volume of traffic that has been processed through them. This is an important point, since providing this block point can serve the same purpose (on your network) as an armed guard can (for physical premises).

This information was excerpted from creator Chris Partsenidis' tip Introduction to firewalls.

Types of firewalls

Security expert Michael Gregg says the National Institute of Standards and Technology (NIST) 800-10 divides firewalls into five basic types:

  • Packet filters
  • Stateful Inspection
  • Proxies
  • Dynamic
  • Kernel

These divisions, however, are not well defined, as most modern firewalls have a mix of abilities that place them in more than one of the categories shown above. The NIST Guidelines on Firewalls and Firewall Policy provides detail on each of these categories for more information.

To simplify the most commonly used firewalls, expert Chris Partsenidis breaks them down into two categories: application firewalls and network layer firewalls. The International Standards Organization (ISO) Open Systems Interconnect (OSI) model for networking defines seven layers, where each layer provides services that higher-level layers depend on. The important thing to recognize is that the lower-level the forwarding mechanism, the less examination the firewall can perform.
>> To see a more in-depth description of OSI layer security, see Michael Gregg's OSI -- Securing the stack tip series.

Network layer firewalls

Network layer firewalls generally make their decisions based on the source address, destination address and ports in individual IP packets. A simple router is the traditional network layer firewall, since it is not able to make particularly complicated decisions about what a packet is actually talking to or where it actually came from. Modern network layer firewalls have become increasingly more sophisticated, and now maintain internal information about the state of connections passing through them at any time.

One important characteristic of many network layer firewalls is that they route traffic directly through them, so in order to use one you need either a validly assigned IP address block or a private Internet address block. Network layer firewalls tend to be very fast and almost transparent to their users.

This information was excerpted from Chris Partsenidis' tip Introduction to firewalls.
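As an added illustration of the two network layer approaches described above (a classic packet filter judging each packet on its header alone versus stateful inspection that remembers connections), here is example code written for this guide; it is not Chris Partsenidis' own. The rules, the traffic and the protected prefix 192.0.2. are constructed assumptions.

```python
# Constructed example: stateless packet filter vs stateful inspection.
# Addresses are from the RFC 5737 documentation ranges.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a TCP connection


INSIDE = "192.0.2."  # assumed prefix of the protected network


def stateless_decision(pkt: Packet) -> bool:
    """Classic packet filter: source/destination address and ports only.
    To let web replies back in, it must admit any inbound packet whose
    source port is 80 or 443, whether or not anyone asked for it."""
    if pkt.src.startswith(INSIDE) and pkt.dport in (80, 443):
        return True  # outbound web request
    if pkt.dst.startswith(INSIDE) and pkt.sport in (80, 443):
        return True  # anything that merely looks like a web reply
    return False


class StatefulFilter:
    """Stateful inspection: records connections opened from the inside and
    admits inbound packets only if they belong to a recorded connection."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> bool:
        if pkt.src.startswith(INSIDE) and pkt.dport in (80, 443):
            if pkt.syn:  # new outbound connection: remember its 4-tuple
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound traffic must be the reverse of a connection we saw open.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def run_scenario() -> dict:
    """Constructed traffic: one legitimate web session, then an unsolicited
    inbound packet that only claims to come from source port 80."""
    request = Packet("192.0.2.10", 40000, "203.0.113.5", 80, syn=True)
    reply = Packet("203.0.113.5", 80, "192.0.2.10", 40000)
    unsolicited = Packet("198.51.100.9", 80, "192.0.2.10", 445)
    sf = StatefulFilter()
    return {
        "stateless": [stateless_decision(p) for p in (request, reply, unsolicited)],
        "stateful": [sf.decide(p) for p in (request, reply, unsolicited)],
    }
```

The stateless filter passes all three packets, while the stateful filter passes the request and its reply but drops the unsolicited packet, which is the extra examination the state table buys.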

Application layer firewalls

Building application firewalls
Mike Chapple explains how carefully deployed application firewalls plug critical holes in enterprise defenses in Building application firewall rule bases.

Application layer firewalls, by definition, are hosts running proxy servers: they permit no traffic directly between networks, and they perform elaborate logging and examination of the traffic passing through them. Since proxy applications are simply software running on the firewall, it is a good place to do lots of logging and access control. Application layer firewalls can be used as network address translators, since traffic goes in one side and out the other after passing through an application that effectively masks the origin of the initiating connection, Chris Partsenidis says.

However, run-of-the-mill network firewalls can't properly defend applications. As Michael Cobb explains, application-layer firewalls offer Layer 7 security on a more granular level, and may even help organizations get more out of existing network devices.

App layer security school
This Integration of Networking and Security School features a tip, webcast and quiz from Cobb.

>> Cobb explains fully in his article "Defending Layer 7: A look inside application-layer firewalls."

In some cases, having an application in the way may impact performance and may make the firewall less transparent. Early application layer firewalls are not particularly transparent to end-users and may require some training. However, more modern application layer firewalls are often totally transparent. Application layer firewalls tend to provide more detailed audit reports and tend to enforce more conservative security models than network layer firewalls.

The future of firewalls sits somewhere between both network layer firewalls and application layer firewalls. It is likely that network layer firewalls will become increasingly aware of the information going through them, and application layer firewalls will become more and more transparent. The end result will be kind of a fast packet-screening system that logs and checks data as it passes through.

This information was excerpted from Chris Partsenidis' tip Introduction to firewalls.

Proxy firewalls

Proxy firewalls offer more security than other types of firewalls, but this is at the expense of speed and functionality, as they can limit which applications your network can support.

Why are they more secure? Unlike stateful firewalls or application layer firewalls, which allow or block network packets passing to and from a protected network, traffic does not flow through a proxy. Instead, computers establish a connection to the proxy, which serves as an intermediary and initiates a new network connection on behalf of the request. This prevents direct connections between systems on either side of the firewall and makes it harder for an attacker to discover where the network is, because they will never receive packets created directly by their target system.

Proxy firewalls also provide comprehensive, protocol-aware security analysis for the protocols they support. This allows them to make better security decisions than products that focus purely on packet header information.
>> Read the rest of this expert response on the pros and cons of proxy firewalls, excerpted from

Unified threat management (UTM)

A product category called unified threat management (UTM) has emerged. These devices promise integration, convenience and protection from pretty much every threat out there -- and are especially valuable to small and medium-sized businesses (SMBs).

>> To learn about the evolution of UTM, UTM adoption decisions and vendor offerings, view this tip from security specialist Mike Rothman.

Security expert Puneet Mehta defines unified threat management as a firewall appliance that not only guards against intrusion but performs content filtering, spam filtering, intrusion detection and anti-virus duties traditionally handled by multiple systems. These devices are designed to combat all levels of malicious activity on the computer network.

How to deploy UTM
Learn to deploy managed UTM remote firewall/VPN appliances in this tip on

An effective UTM solution delivers a network security platform composed of robust and fully integrated security and networking functions -- such as network firewalling, intrusion detection and prevention (IDS/IPS) and gateway anti-virus (AV) -- along with other features, such as security management and policy management by group or user. It is designed to protect against next-generation application layer threats and offers centralized management through a single console, all without impairing the performance of the network.

>> Is your business ready to roll network security into a single platform? Information Security Magazine evaluates six leading UTM appliances in this feature article.

Advantages of using UTM
Convenience and ease of installation are the key advantages of threat management security appliances. There is much less human intervention required to install and configure these appliances. The advantages of UTM are listed below:

  • Reduced complexity: The integrated all-in-one approach not only simplifies product selection, but product integration, and ongoing support as well.
  • Ease of deployment: Since there is much less human intervention required, customers themselves or vendors can easily install and maintain these products.
  • Integration capabilities: These appliances can easily be deployed at remote sites without the help of any security professional on site. In this scenario a plug-and-play appliance can be installed and managed remotely. This kind of management is synergistic with large, centralized software-based firewalls.
  • The black box approach: Users have a tendency to play with things, and the black box approach limits the damage users can do. This reduces trouble calls and improves security.
  • Troubleshooting ease: When a box fails, it is easier to swap out than troubleshoot. This process gets the node back online quicker, and a non-technical person can also do it. This feature is especially important for remote offices without dedicated technical staff onsite.

Some of the leading UTM solution providers are Fortinet, NetScreen (now acquired by Juniper Networks), Symantec, NetScaler, WatchGuard Technologies and Elitecore Technologies.
>> To view common and uncommon UTM features, read this Q&A from's Michael Cobb.


>> Continue to our Choosing a firewall section of this guide


This was first published in January 2011