History of Firewalls
The Digital Equipment Corporation developed the first firewall in 1988. This was a simple packet-filter firewall. Packet-filter firewalls inspect data packets as they pass between source and destination. If a packet matches a security rule, then the firewall will drop the packet and send an error response to the source.
In the early 90s, Bell Labs invented the second generation of firewalls. These firewalls used stateful filters and were also called circuit-level gateways. They worked like first-generation firewalls but added state: a stateful filter remembers information about previous packets and uses that context to filter more securely.
The third generation of firewalls filtered traffic at the application layer. The first version, the Firewall Toolkit (FWTK), was released in 1993. These firewalls were user-friendly for the first time, allowing even non-technical people to set firewall rules. They also understood applications and protocols, so they could block threats that packet filtering let through, such as application-targeted malicious data coming from a trusted source.
There have been many advances in firewall technology since. Most firewalls still use application layer analysis, but the techniques used for analysis have improved. Let’s look at the common types of modern firewalls next.
Types of Firewalls
The purpose of every firewall is to protect a network from malicious traffic, but firewalls can accomplish this in a variety of ways, with varying levels of effectiveness. The types of threats a network is exposed to have evolved and multiplied over the years, and firewall technology has changed to keep up.
The first firewalls used packet filtering. Packet-filter firewalls inspect data packets against an access control list that determines which packets match a rule and what action is taken on a match. They can filter packets by source and destination IP address, protocol, and source and destination port. They fall into two categories: stateless and stateful. A stateless packet filter uses no history or context to decide whether a packet could be malicious; a stateful filter does.
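As an added example (not part of the original article), the following Python sketch contrasts a stateless 5-tuple ACL with a stateful connection table: both permit a LAN host's outbound HTTPS request and its reply, but only the stateful filter refuses an unsolicited inbound packet that merely looks like a reply. All addresses, ports and rules are constructed for the illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    direction: str = "in"  # "in": arriving from the internet, "out": leaving the LAN

# Constructed stateless ACL, first match wins, None is a wildcard. To let web
# replies back in, it must hold a rule keyed on header fields alone, which any
# internet host can satisfy by sending from source port 443.
STATELESS_ACL = [
    # (direction, proto, src_port, dst_port, action)
    ("out", "tcp", None, 443, "allow"),  # LAN -> HTTPS server
    ("in", "tcp", 443, None, "allow"),   # "replies", judged by ports only
    (None, None, None, None, "deny"),    # default deny
]

def stateless_filter(pkt):
    for direction, proto, src_port, dst_port, action in STATELESS_ACL:
        if ((direction is None or pkt.direction == direction)
                and (proto is None or pkt.proto == proto)
                and (src_port is None or pkt.src_port == src_port)
                and (dst_port is None or pkt.dst_port == dst_port)):
            return action
    return "deny"

class StatefulFilter:
    """Remembers connections the LAN opened and admits only their replies."""
    def __init__(self):
        self.connections = set()  # (src_ip, src_port, dst_ip, dst_port) of outbound flows
    def filter(self, pkt):
        if pkt.direction == "out" and pkt.proto == "tcp" and pkt.dst_port == 443:
            self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        # A genuine reply mirrors a tracked outbound tuple with the ends swapped.
        mirrored = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.direction == "in" and mirrored in self.connections:
            return "allow"
        return "deny"

def compare():
    """Three constructed packets through both filters -> {name: (stateless, stateful)}."""
    sf = StatefulFilter()
    flows = [("request", Packet("10.0.0.5", 51000, "203.0.113.10", 443, direction="out")),
             ("reply", Packet("203.0.113.10", 443, "10.0.0.5", 51000)),
             ("unsolicited", Packet("198.51.100.7", 443, "10.0.0.5", 51000))]  # never requested
    return {name: (stateless_filter(p), sf.filter(p)) for name, p in flows}
```

The stateless filter cannot tell the unsolicited packet from a real reply because both match the same header-only rule; the stateful filter denies it because no LAN host ever opened a connection to that source.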
Proxy firewalls are application-level firewalls. They act as an intermediary between the sending and receiving systems. Requests are sent to the firewall which determines whether or not it will allow traffic through. Proxy firewalls are often used for HTTP and FTP traffic and use deep, stateful packet inspection for detecting malicious traffic.
Network Address Translation (NAT) Firewalls
A NAT firewall keeps the IP addresses for devices on the internal network private by allowing all the devices on the network to connect to the internet using a single IP address. This prevents attackers from scanning the network and getting details on specific devices that they can use for a more targeted attack. NAT firewalls also act as an intermediary between the two end systems similar to proxy firewalls.
Stateful Multilayer Inspection (SMLI) Firewalls
SMLI firewalls filter packets at the network, transport, and application layers and compare incoming packets to known trusted packets. SMLI firewalls filter the entire packet at each layer and will only allow packets through that pass each filter. Being stateful, they also filter packets based on context and verify that sources and destinations are trusted.
Next-Generation Firewall (NGFW)
Next-generation firewalls add further security technologies to the traditional firewall features. Some features you will find in these firewalls are anti-virus scanning, encrypted data inspection, application awareness, cloud-delivered threat intelligence, and integrated intrusion prevention. They also use deep packet inspection (DPI) to examine the data within the packet itself, rather than only the headers as traditional firewalls do.
Firewalls are Not Enough
Firewalls defend the perimeter of your business and will protect your network from external attacks, but many of the biggest data breaches in history didn't happen as a result of external attacks. These breaches came from internal attacks like phishing scams. A firewall can't prevent someone from downloading an email attachment.
Firewalls don't filter internal traffic, so once an attacker is inside your network, he is free to move around. Ransomware attacks are effective because of this freedom and can bring every application on a network to a halt.
The solution to this problem is Zero Trust Segmentation, including micro-segmentation, which protects a network down to the workload level by setting security policies for specific application segments. An attacker who gains access to one machine on the network then has no access to any other resource, which prevents the lateral movement of threats. Micro-segmentation not only makes up for the shortcomings of firewalls but, when implemented network-wide, can remove the need for a firewall altogether.
The firewall was invented in the late 80s to protect networks from malicious traffic by monitoring incoming and outgoing traffic. Firewalls have evolved over the years to keep up with increasingly sophisticated attacks and have been a necessary part of network security. But modern attackers have found ways around perimeter firewalls and have carried out large data breaches inside the perimeter. Businesses need more advanced network security, such as micro-segmentation, to prevent attacks at the virtual machine, device, and resource level.