Firewalls and Their Evolution
A firewall is a network security device that grants or rejects network access to traffic flows between an untrusted zone (e.g., the Internet) and a trusted zone (e.g., a private or corporate network). The firewall acts as the demarcation point or “traffic cop” in the network, as all communication should flow through it and it is where traffic is granted or rejected access. Firewalls enforce access controls through a positive control model, which states that only traffic defined in the firewall policy is allowed onto the network; all other traffic is denied (known as “default deny”).
Access Control Lists
Early on, the firewall function was initially performed by Access Control Lists (ACLs), often on routers. ACLs are essentially rules written out that determine whether network access should be granted or rejected to specific IP addresses. For example, an ACL can have a line that states all traffic from IP 188.8.131.52 must be rejected, or to allow all traffic on port 80 from 184.108.40.206 to the web server at 10.10.10.201.
ACLs are advantageous due to scalability and high-performance, but cannot read past packet headers, which provides only rudimentary information about the traffic. Thus, ACL packet filtering alone does not have the capacity to keep threats out of the network.
Proxy firewalls act as middlemen; they accept all traffic requests coming into the network by impersonating the true recipient of the traffic within the network. After an inspection, if it decides to grant access, the proxy firewall sends the information to destination computer. The destination computer’s reply is sent to the proxy, which repackages the information with the source address of the proxy server. Through this process, the proxy firewall breaks (or terminates) the connection between two computers so that it is the only machine on the network that talks to the outside world.
Proxy firewalls can which inspect content fully and make access decisions based on more specific, granular level of information. Access control this nuanced is attractive to network administrators, however each application needs its own proxy at the application-level. Proxy-firewalled networks also suffer degraded traffic performance and many limitations in application support and general functionality. This ultimately leads to scalability issues that make a successful implementation tricky to pull off. For this reason, proxy firewalls have not been widely adopted. In fact, even at the peak of the proxy firewall's popularity in the 90s, performance and scalability issues limited adoption to select verticals in niche deployments.
Stateful Inspection firewalls
Stateful inspection, or stateful filtering, is regarded as the third generation of firewalls. Stateful filtering does two things: first, it classifies traffic by looking at the destination port (e.g., tcp/80 = HTTP). Second, it tracks the state of the traffic by monitoring every interaction of each particular connection until that connection is closed.
These properties add more functionality to access control: stateful inspection firewalls have the ability to grant or reject access based not only on port and protocol, but also the packet’s history in the state table. When stateful firewalls receive a packet, they check the state table to find if a connection has already been established or if a request for the incoming packet has been made by an internal host. If neither is found, the packet’s access becomes subject to the ruling of the firewall security policy.
Though stateful filtering is scalable and transparent to users, the extra layer of protection adds complexity to network security infrastructure, and stateful firewalls face difficulty in handling dynamic applications such as SIP or H.323.
Unified Threat Management
Unified Threat Management (UTM) solutions were initially defined as the consolidation of stateful inspection firewalls, antivirus, and IPS into a single appliance. Over time, the UTM definition has expanded to include many other network security functions.
It is important to note that the success of UTMs relies on the effectiveness of the stateful inspection-based firewall decision that precedes all of its component functions. This is because UTM components, while in a single device, are effectively downstream security services. Thus, the workload of all security components behind the firewall (inside the network) will be determined by the strength of its access control. Though UTMs provide a number of security functions in one product, the fundamental access control technology of the firewall remains unchanged.
Next-generation firewalls (NGFWs) were created in response to the evolving sophistication of applications and malware. Application and malware developers have largely outwitted the long-standing port-based classification of traffic by building port evasion techniques into their programs. Today, malware piggybacks these applications to enter networks and became increasingly networked themselves (connected to each other on the computers they individually infected).
NGFWs act as a platform for network security policy enforcement and network traffic inspection. Per technology research firm Gartner Inc., They are defined by the following attributes:
- Standard capabilities of the first-generation firewall: This includes packet filtering, stateful protocol inspection, network-address translation (NAT), VPN connectivity, et cetera.
- Truly integrated intrusion prevention: this includes support for both vulnerability-facing and threat-facing signatures, and suggesting rules (or taking action) based on IPS activity. The sum of these two functions collaborating via the NGFW is greater than the individual parts.
- Full stack visibility and application identification: ability to enforce policy at the application layer independently from port and protocol.
- Extrafirewall intelligence: ability to take information from external sources and make improved decisions. Examples include creating blacklists or whitelists and being able to map traffic to users and groups using active directory.
- Adaptability to the modern threat landscape: support upgrade paths for integration of new information feeds and new techniques to address future threats.
- In-line support with minimum performance degradation or disruption to network operations.