Types of Firewalls

A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system. It is also a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria.

Software Firewalls

A software firewall is an application that provides firewall services and is installed on a (typically dedicated) computer. Software firewalls are the oldest type of firewall available and generally work very well. The drawback of a software firewall is that you need a separate computer to run the firewall software, which in turn requires additional cost and administration to keep it running and secure. In addition, software firewalls are prone to the pitfalls of any other software package, namely memory leakage and operating system instability and vulnerabilities. Popular firewall packages vary in price and capability, anywhere from free (usually included in many Linux distributions) to several thousand dollars for well-optioned versions.

Hardware Firewalls

Hardware firewalls perform the same functions as software firewalls, but instead of requiring separate computer hardware, they are typically dedicated units. Typical candidates for hardware firewalls are routers and small network appliances, which are basically small computers with no other use but to run a basic operating system (often Linux) and the firewall application. These units can be easier to maintain because they are purpose-built for the task, but can cost more because you have to purchase the hardware at the same time (instead of perhaps using a spare system for a software firewall). Sometimes, depending on the unit, upgrading or changing your firewall can come at an even greater cost because you are usually locked in to that particular brand of firewall, instead of being able to change just the firewall application as you would with a software firewall. In addition, dedicated servers can handle more data being passed through the firewall; so, if your site generates a lot of Internet traffic, you may want to take this into consideration when planning your firewall implementation.

Packet Filters

Packet filters are the most basic kind of firewall package you can use. A packet filter takes packets and routes them between trusted networks (your internal network) and untrusted networks (the Internet). The benefits of a packet filter include being typically inexpensive to purchase and implement, and featuring fast scanning of data passing by. You can also purchase basic packet filters for individual workstations.

On the downside, they are the least secure because they cannot be used to lock down individual application data passing through to the outside world. This is because they typically operate only on the Network layer and not the Application layer. Packet filters can be used to help block data to specific ports, which can be helpful in limiting data for a particular service, such as dropping packets destined for port 21 (FTP). Packet filters can be useful tools, but should be used in concert with other firewall solutions for good security, such as a first-line firewall in front of a stateful packet inspection firewall.

Stateful Packet Inspections

This type of firewall encompasses packet filtering with a slight twist. When a packet goes through the firewall, any rules that pertain to that packet may be altered for the duration of that packet to allow the return packet through without any hassle. This is different from a typical firewall in that if you have UDP blocked, for instance, it's blocked all the time unless you designate specific systems that can pass the information. These types of firewalls also tend to function well at the Network layer of the TCP/IP model, allowing for better overall security for your network.

Stateful packet inspection firewall solutions also improve upon the packet filter design by allowing administrators to require user authentication before a user can connect to and pass information through the firewall. In addition, most of these types of firewalls can be configured to pass data based on application type, something that is not an option with many other types of firewall solutions. On the downside, they can be costly, and although this is constantly changing, many of these solutions are software only. Ultimately, stateful packet inspection is the next big thing in firewall technology, something that will likely take over in the coming years due to its performance and flexibility.
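
The difference between a plain packet filter and stateful packet inspection can be seen in a small model. This is an added example, not code from any firewall product; the Packet class, the rule format, the allow-outbound policy and the sample addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True when the packet arrives from the untrusted side

# Static inbound rules, first match wins: (proto, destination port or None for any, action)
RULES = [("tcp", 21, "drop"),    # the FTP example from the text
         ("udp", None, "drop")]  # UDP blocked all the time

def packet_filter(pkt, default="accept"):
    """Stateless filter: every packet is judged alone against the static rules."""
    if not pkt.inbound:
        return "accept"          # assumed policy: inside hosts may send out
    for proto, dport, action in RULES:
        if pkt.proto == proto and dport in (None, pkt.dport):
            return action
    return default

class StatefulFirewall:
    """Same rules, plus a table of flows opened from the trusted side."""
    def __init__(self):
        self.expected = set()    # 5-tuples of replies we are waiting for

    def handle(self, pkt):
        if not pkt.inbound:
            # Record the mirrored 5-tuple so the return packet is recognised.
            self.expected.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "accept"
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.expected:
            return "accept"      # reply to a tracked flow: rule relaxed for it
        return packet_filter(pkt, default="drop")

def demo():
    # Constructed sample traffic (documentation address ranges).
    query = Packet("udp", "10.0.0.5", 40000, "192.0.2.53", 53, inbound=False)
    reply = Packet("udp", "192.0.2.53", 53, "10.0.0.5", 40000, inbound=True)
    stray = Packet("udp", "198.51.100.9", 53, "10.0.0.5", 40000, inbound=True)
    ftp = Packet("tcp", "198.51.100.9", 50000, "10.0.0.5", 21, inbound=True)
    fw = StatefulFirewall()
    fw.handle(query)
    return {"stateless": [packet_filter(p) for p in (reply, stray, ftp)],
            "stateful": [fw.handle(p) for p in (reply, stray, ftp)]}
```

Real connection tracking also expires table entries after a timeout and follows TCP connection state; this model leaves both out.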

Proxy Servers

Proxy servers are a type of firewall that not only can help limit what data flows in and out of your network, but can also help provide additional network performance. Most proxy servers provide caching of Web pages to help cut down on the amount of data being transferred from the Web site to the client and thus improve performance.

As far as security is concerned, proxy servers have a few useful features in that they can require authentication to allow data to pass through to that client. In addition, they can be used to limit access to a given URL from users on your inside network and can also perform filtering of requests. By filtering requests, proxy servers can scan for inappropriate words or data that should be blocked and then stop access to that data.

Proxy servers are relatively easy to set up initially, but it can be difficult to tune them for top performance in caching, URL blocking, and content filtering in a way that doesn't disrupt regular use by end users. In addition, proxy servers require additional configuration on each client using the proxy server. Although most, if not all, operating systems and Web browsers have the client or capability to be configured for a proxy server, it entails additional time to configure and maintain each system, certainly something to keep in mind.

As you can see, many of the different types of firewall technologies share similar features. Do keep in mind, though, that each firewall type provides its own benefits and drawbacks as you select the type or types you need.
