Firewalls have been around since the late 1980s, long before businesses embraced the internet and mobile computing. Since then, emerging threats have required new technologies to protect business data. Cybersecurity is much more complex today. It’s reasonable to ask, given how far we’ve come, whether a firewall is necessary.
The short answer is yes. Firewalls still play essential roles in keeping networks and devices secure. To understand why, let’s look at how firewalls work, where businesses use them, and why firewalls are only one piece of a cybersecurity solution.
A firewall is a network security filter. All network traffic entering the firewall gets compared to a set of security rules. Traffic that meets the rules may proceed on its way. Everything else is suspect, so the firewall won’t let it pass. Business-centric firewalls generate activity logs and may issue alerts for network security administrators.
Some firewalls protect servers, computers, and mobile devices. Others defend entire networks from attack. The Wi-Fi routers supplied by internet service providers have firewalls that protect home networks. Business-class firewalls let network administrators build layered defenses against modern cybersecurity threats.
Firewalls screen malicious traffic from IT networks, much like airport security screens suspicious passengers from the aviation network. When you travel, the first screening compares your ticket against do-not-fly lists. TSA agents conduct the second screening by checking ID and asking security questions. A final security screen happens as metal detectors and x-ray machines scan what you carry onto the plane.
Firewalls conduct similar screening of the data packets flowing through them. In networking, packets consist of a header and a data payload. The header describes where the packet came from, where it’s going, and the protocol used to travel between the two locations. Firewalls use various techniques to screen out illegitimate packets and allow safe packets through to their destination. See this previous Blumira post for best practices for configuring a firewall.
Packet-filtering firewalls use access control lists (ACLs) that define the criteria a packet’s header must meet. The header elements an ACL can evaluate include the source and destination IP addresses, the protocol, and the destination port.
Much like pre-check programs and do-not-fly lists, ACL rules determine which data packets the firewall may allow through or block. For example, the security industry maintains lists of IP addresses for known malware sites. When the firewall sees one of these IP addresses, it will drop the packet to prevent malware from getting onto the network.
Packet-filtering firewalls take an inspect-it-and-forget-it approach that doesn’t consider how packets are related. Stateful firewalls use the context of a network session to improve security.
When the firewall accepts a packet that creates a network session, it writes information about the new session in its state table. This table records all approved sessions and their states — active or closed.
As more packets arrive, the stateful firewall compares them to the state table. It then applies packet-filtering rules to the headers of any packets that are part of an active, approved session.
When the packet that closes the session passes through, the firewall updates its state table and rejects any future packets for that session.
By considering each packet in the context of its session, stateful firewalls let administrators create more nuanced rules. For example, packet filtering can allow all packets from an approved source IP address to enter a destination port. A stateful firewall would only let that happen during an approved session.
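To make that contrast concrete, here is an added example in Python (not code from the original post or from Blumira): a stateless packet filter that judges each header on its own, beside a minimal stateful firewall that keeps a state table keyed by the session’s 5-tuple. The addresses, the ACL, the blocklist and the traffic are all constructed for illustration, and the session handling is simplified (no timeouts, the first FIN or RST closes the session).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Everything below (addresses, ranges, rules, traffic) is constructed for illustration.

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp" or "udp"
    src_port: int
    dst_port: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"}, {"ACK"}, {"FIN"}

@dataclass(frozen=True)
class Rule:
    """One ACL entry: every field that is set must match the packet header."""
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src_ip) in ip_network(self.src)
                and ip_address(p.dst_ip) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dst_port is None or self.dst_port == p.dst_port))

# Stand-in for a vendor feed of known-malicious addresses (constructed value).
BLOCKLIST = {"203.0.113.66"}

# Hypothetical ACL: one approved client range may reach one web server on TCP/443, nothing else.
ACL = [Rule("allow", src="198.51.100.0/24", dst="10.0.0.10/32", proto="tcp", dst_port=443)]

def packet_filter(p: Packet, acl=ACL) -> str:
    """Stateless screening: header fields only, first matching rule wins, default deny."""
    if p.src_ip in BLOCKLIST:
        return "deny"
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"

class StatefulFirewall:
    """Adds a state table keyed by the session 5-tuple on top of the same ACL."""

    def __init__(self, acl=ACL):
        self.acl = acl
        self.state_table = {}       # 5-tuple -> "active" | "closed"

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse_key(p: Packet) -> tuple:
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def inspect(self, p: Packet) -> str:
        # 1. Known session? Consult the state table before any rule is applied.
        for key in (self._key(p), self._reverse_key(p)):
            state = self.state_table.get(key)
            if state == "active":
                if p.flags & {"FIN", "RST"}:          # simplification: first FIN/RST closes the session
                    self.state_table[key] = "closed"
                return "allow"
            if state == "closed":
                return "deny"                         # stragglers for a closed session are rejected
        # 2. No session yet: only a TCP SYN that the ACL approves may open one.
        if p.proto == "tcp" and p.flags == {"SYN"} and packet_filter(p, self.acl) == "allow":
            self.state_table[self._key(p)] = "active"
            return "allow"
        return "deny"

def demo() -> dict:
    """Constructed traffic showing where the two designs diverge."""
    client, server = "198.51.100.7", "10.0.0.10"
    syn   = Packet(client, server, "tcp", 50000, 443, frozenset({"SYN"}))
    data  = Packet(client, server, "tcp", 50000, 443, frozenset({"ACK"}))
    reply = Packet(server, client, "tcp", 443, 50000, frozenset({"ACK"}))
    fin   = Packet(client, server, "tcp", 50000, 443, frozenset({"FIN"}))
    stray = Packet(client, server, "tcp", 50001, 443, frozenset({"ACK"}))  # mid-stream packet, no session
    bad   = Packet("203.0.113.66", server, "tcp", 4444, 443, frozenset({"SYN"}))
    fw = StatefulFirewall()
    return {
        "stateless_stray": packet_filter(stray),   # allowed: the header alone satisfies the ACL
        "stateful_stray": fw.inspect(stray),       # denied: no approved session exists
        "stateful_syn": fw.inspect(syn),
        "stateful_data": fw.inspect(data),
        "stateful_reply": fw.inspect(reply),       # return traffic allowed via the reverse key, no extra rule
        "stateful_fin": fw.inspect(fin),
        "stateful_after_close": fw.inspect(data),  # denied: the session is closed
        "blocklisted": fw.inspect(bad),
    }

if __name__ == "__main__":
    print(demo())
```

The stray packet is the whole point: its header satisfies the ACL, so the stateless filter admits it, while the stateful firewall rejects it because no approved session created it. The reverse-key lookup is also why a stateful firewall needs no separate rule for the server’s replies.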
Application firewalls go beyond evaluating packet headers by inspecting the packet’s data payload. Much like airport metal detectors, application firewalls can tell whether each packet’s data is appropriate to the application.
Web servers, for example, are vulnerable to a wide range of exploits, such as SQL injection. These attacks aren’t detectable through header inspection. A web application firewall performs deep packet inspection to evaluate incoming HTTP requests; if it detects a malicious request, it blocks the packet from going through.
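Here is an added example, not part of the original post, of the inspection step a web application firewall performs on the payload: it parses a raw HTTP request, decodes the query string and form body so that percent-encoded input is examined in its decoded form, and matches each user-supplied field against a small signature set. The request samples, the hypothetical `shop.example` host and the rule set are all constructed for illustration; a real WAF rule set is far larger and tuned against false positives.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed signature set: a handful of classic SQL injection shapes. Illustrative only.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s+['\d]")),   # quote, OR, then another quote or digit
    ("sqli-union", re.compile(r"(?i)\bunion\b.+\bselect\b")),
    ("sqli-comment", re.compile(r"'\s*--")),                  # quote followed by a comment terminator
]

def parse_http_request(raw: bytes) -> dict:
    """Split a raw request into request line, headers and body (HTTP/1.1, CRLF-delimited)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body.decode("latin-1")}

def extract_fields(req: dict) -> dict:
    """Collect every user-controlled field worth inspecting: query parameters and form body."""
    fields = {}
    for k, v in parse_qsl(urlsplit(req["target"]).query, keep_blank_values=True):
        fields[f"query:{k}"] = v          # parse_qsl percent-decodes, so %27 is inspected as '
    if req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for k, v in parse_qsl(req["body"], keep_blank_values=True):
            fields[f"body:{k}"] = v
    return fields

def inspect_request(raw: bytes) -> dict:
    """Return the WAF verdict plus which rule fired on which field, for the alert log."""
    for location, value in extract_fields(parse_http_request(raw)).items():
        for name, pattern in SIGNATURES:
            if pattern.search(value):
                return {"action": "block", "rule": name, "field": location}
    return {"action": "allow", "rule": None, "field": None}

# Constructed sample requests.
LEGIT = (b"GET /search?q=firewall+logs HTTP/1.1\r\n"
         b"Host: shop.example\r\n\r\n")
HOSTILE = (b"POST /login HTTP/1.1\r\n"
           b"Host: shop.example\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           b"Content-Length: 38\r\n\r\n"
           b"user=admin%27+OR+%271%27%3D%271&pass=x")

if __name__ == "__main__":
    print(inspect_request(LEGIT))
    print(inspect_request(HOSTILE))
```

Two points a practitioner should take from this: the headers of `HOSTILE` are indistinguishable from a normal login, which is why header-only filtering cannot see it, and the signature only fires because the body is decoded before matching. Signature matching is also where WAF false positives come from, so every rule should be paired with logging of the field and rule that fired, as the verdict dictionary does here.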
As security threats become more complex, businesses can’t rely on a single firewall method to protect their networks. A next-generation firewall (NGFW) combines packet-filtering, stateful, and application filtering to provide more robust network defenses.
Many NGFWs include additional security features such as anti-virus protection and intrusion detection systems. Altogether, these features let an NGFW inspect network traffic in more detail, making malicious and inappropriate activity easier to detect.
Businesses will use four types of firewalls — software, hardware, third-party, and cloud-based — to enhance security with the various screening methods.
Built-in Windows software firewalls. All modern operating systems include software firewalls to protect their devices from attack. Microsoft, for example, includes the stateful Windows Defender Firewall with all desktop and server versions of the Windows operating system.
Personal Windows devices get out-of-the-box protection since the Windows firewall is active by default. However, device owners can deactivate the firewall or change which applications may send data through.
Microsoft gives IT departments more control. They can prevent users from changing firewall settings on company-managed devices. The Windows firewall also lets IT departments apply more complex rules to inspect traffic on servers or user devices.
Hardware firewalls for networks. Firewalls placed in different locations in a network can enhance a company’s cybersecurity. All businesses will place a firewall at the network edge to control traffic exchanged with the public internet. Larger companies divide their networks into segments. Setting firewalls and other technologies between the segments gives them more control over network traffic.
Third-party firewalls from the cloud. Remote work and cloud computing require new ways to protect business information. Firewall-as-a-Service (FWaaS) replaces hardware firewalls with a third-party cloud-based service. These next-generation firewalls can examine and control traffic entering a company’s private network or cloud-based resources.
Cloud-native firewalls. Major cloud providers, including AWS, GCP, and Azure, offer built-in firewall features designed to secure cloud-based infrastructure. These features are typically easy to monitor, control, and deploy using a graphical user interface (GUI), command line, or Infrastructure as Code (IaC) methods, which enable automated and repeatable cloud infrastructure deployment.
AWS offers security groups and network ACLs (Access Control Lists) that function as virtual firewalls, managing inbound and outbound traffic at both instance and subnet levels. Additionally, AWS provides a managed firewall service for more fine-grained control and the AWS Shield service to protect against Distributed Denial of Service (DDoS) attacks.
GCP and Azure also offer comparable features, such as firewall rules and security groups (GCP) or Network Security Groups (NSGs) and Azure Firewall (Azure).
No matter which cloud provider you choose, it is essential to utilize their native firewall features and capabilities to achieve scalable and robust security within your cloud environment.
Firewalls became standard elements of network security because they create effective defenses against common security threats. Firewalls also help administrators keep networks running efficiently. Going beyond firewalls, see “What to do when Firewalls aren’t Enough.”
Preventing external cyberattacks. You can only access web servers, VPN gateways, and other services if they are visible on the public internet. That visibility also makes it easy for hackers to find most business networks. Firewalls help keep those hackers from getting into the private network.
Containing security breaches. Firewalls can slow an attack, make hackers easier to detect, and minimize the damage of a security breach. The longer hackers move undetected through a network, the more damage they can do. Firewalls placed between network segments limit hackers to the compromised segment. Activity logs and alerts give network administrators a better chance of discovering a security breach before the hackers do much damage.
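Here is an added example (not from the original post) of the kind of alerting logic a security team runs over firewall deny logs to catch a host in one segment probing another, which is what a segmented network’s logs make visible. The log format, the segment ranges, the threshold and the log lines are all constructed for illustration and will need adapting to a real firewall’s syslog output.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical firewall log format, constructed for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) filter: "
    r"(?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed segment map: user LAN and server segment separated by a firewall.
SEGMENTS = {"users": ip_network("10.20.0.0/16"), "servers": ip_network("10.30.0.0/16")}

def segment_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"

def parse_line(line: str):
    """Return a parsed event dict, or None for lines that are not firewall events."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")   # year-less syslog timestamp
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev

def find_segment_sweeps(lines, threshold=5, window_seconds=60):
    """Alert on a source whose DENIED connections across a segment boundary reach
    `threshold` distinct (destination, port) targets inside one sliding window."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "DENY":
            continue
        if segment_of(ev["src"]) == segment_of(ev["dst"]):
            continue                      # same-segment noise; only boundary crossings count
        by_src[ev["src"]].append((ev["ts"], (ev["dst"], ev["dport"])))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {t for ts, t in events[i:] if (ts - start).total_seconds() <= window_seconds}
            if len(targets) >= threshold:
                alerts.append({"src": src, "segment": segment_of(src),
                               "distinct_targets": len(targets),
                               "first_seen": start.strftime("%H:%M:%S")})
                break                     # one alert per source is enough for the analyst
    return alerts

# Constructed log excerpt: one user-segment host sweeping the server segment, plus normal noise.
SAMPLE_LOG = """\
Mar 03 10:15:01 fw1 filter: ALLOW TCP 10.20.5.20:50112 -> 10.30.0.7:443
Mar 03 10:15:03 fw1 filter: DENY TCP 10.20.5.14:51022 -> 10.30.0.7:22
Mar 03 10:15:04 fw1 filter: DENY TCP 10.20.5.14:51023 -> 10.30.0.7:3389
Mar 03 10:15:06 fw1 filter: DENY TCP 10.20.5.14:51024 -> 10.30.0.8:22
Mar 03 10:15:09 fw1 filter: DENY TCP 10.20.5.20:50113 -> 10.30.0.9:22
Mar 03 10:15:11 fw1 filter: DENY TCP 10.20.5.14:51025 -> 10.30.0.9:445
Mar 03 10:15:15 fw1 filter: DENY TCP 10.30.0.7:40001 -> 10.30.0.8:22
Mar 03 10:15:20 fw1 filter: DENY TCP 10.20.5.14:51026 -> 10.30.0.10:22
this line is not a firewall event
Mar 03 10:15:31 fw1 filter: DENY TCP 10.20.5.14:51027 -> 10.30.0.11:80
Mar 03 10:16:10 fw1 filter: DENY UDP 10.20.5.14:51028 -> 10.30.0.12:161
"""

if __name__ == "__main__":
    for alert in find_segment_sweeps(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single isolated deny from `10.20.5.20` and the deny inside the server segment are ignored on purpose: one blocked connection is everyday noise, whereas one host accumulating distinct blocked targets on the far side of a segment boundary is the pattern the segmentation exists to expose. Threshold and window are the knobs to tune against a real network’s baseline.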
Stopping unproductive network activity. Network security policies are not limited to cyber threats. They can also prevent inappropriate or unproductive use of the company network. For example, networks built when everyone was in the office may struggle with the new reliance on video conferencing. To manage network bandwidth, administrators can set rules that allow Zoom calls onto the network and block YouTube streams.
Technically, routers and firewalls are different. A router redirects incoming data packets to other places on the network. A firewall inspects incoming packets and lets approved packets through to the other side.
Practically, most routers have some firewall capabilities, and most firewalls have some routing capabilities.
Most small businesses already have both. The Wi-Fi routers supplied by their internet provider will have all the firewall capabilities needed to protect a small network. Since each employee’s computers and mobile devices have built-in firewalls, a small business may not need anything more sophisticated.
Businesses face increasing threats as their networks get larger, more complex, and more distributed. IT departments need advanced features and controls that a simple router can’t provide. Deploying dedicated firewalls in front of routers gives larger businesses the required security and performance capabilities.
Firewalls play essential security roles but are not universal solutions. Examples of threats that firewalls cannot stop include:
Unknown unknowns. Firewalls can only defend against known threats or vulnerabilities. For example, blocking packets from a malicious server is only possible if the firewall recognizes the server’s IP address. Although firewall vendors constantly update their blocklists, it takes time to discover new threats. This coverage gap gives malware sites a chance to sneak past a firewall.
IT overload. Under-resourced IT departments may not have enough time to thoroughly test and deploy the latest security patches. Too often, a firewall patch takes a back seat to other priorities. Any delays add to the time hackers have to exploit the unpatched firewall’s vulnerabilities.
Phishing attacks and credential theft. Phishing and other social engineering attacks are so common because they work. Even the most security-conscious user is a click away from downloading malware or giving up their login credentials. A successful attack bypasses firewall security by letting the hackers pass themselves off as legitimate users.
Distributed denial of service (DDoS) attacks. Firewalls and other network equipment are designed for certain traffic volumes. DDoS attacks try to overwhelm that capacity by flooding a company’s internet-facing network with incoming packets. Legitimate packets won’t get through because the firewall is too busy evaluating and rejecting bogus traffic.
Firewalls remain a vital component of any business’s cybersecurity strategy. As cyber threats continue to evolve and become more sophisticated, it is essential to deploy a multi-layered approach to network security. While firewalls are not a one-size-fits-all solution, they provide crucial protection against a wide range of external and internal threats, helping to maintain the integrity and confidentiality of your company’s data.
Investing in a robust firewall solution, whether it be software, hardware, or cloud-based, will significantly contribute to your organization’s overall security posture. Keep in mind, however, that firewalls should be part of a more comprehensive security plan that includes regular software updates, employee training, and other security measures to combat the ever-changing landscape of cyber threats.
As your business grows and its network becomes more complex, regularly evaluate your firewall’s capabilities and consider upgrading or adding additional layers of protection when necessary. By staying proactive and vigilant in the face of emerging cyber risks, you can safeguard your organization’s digital assets and maintain a secure environment for your employees and customers alike.
See also, “Top 5 Steps for SMB Endpoint Security,” and “Firewall vs. Antivirus, What’s the Difference?”