This paper examines firewalls as a critical but incomplete component of network security. Drawing on peer-reviewed literature, it defines firewalls, describes their core capabilities, and reviews the technologies they employ. The paper evaluates four main firewall types — packet-filtering, application/proxy, reverse-proxy, and packet inspection — weighing the advantages and disadvantages of each. It also addresses the single-vendor versus multi-vendor purchasing decision, proactive hardening measures such as redundant firewalls and intrusion prevention systems (IPSs), and future trends in an evolving threat landscape. The conclusion emphasizes that firewalls, while essential, must be part of a broader, layered security strategy.
In construction, a firewall is a hardened divider between the hostile external environment and what needs to be protected inside. Similarly, firewalls in computing are designed to protect computers from being accessed by unauthorized individuals, and for the most part they perform this task well. Unfortunately, firewalls are also akin to the castles of old when siege weapons were built to defeat the highest walls. As siege weapons became more powerful, defenders were forced to build walls higher and install moats and other protective measures. Similarly, today, hackers and so-called crackers are always trying to overcome security devices for profit, pleasure, or for more nefarious purposes such as denial-of-service attacks by terrorist organizations.
To gain fresh insights into this area, this paper presents a review of relevant scholarly and peer-reviewed literature concerning firewalls to provide a working definition, a description of their capabilities, and an overview of the technologies typically involved. A discussion of the different types of firewalls available and their respective pros and cons is followed by an assessment of proactive measures that can be taken to harden a firewall. Finally, an analysis of future trends is followed by a summary of the research and important findings in the conclusion.
The definition provided by Blair (2009) states simply that firewalls are "single devices used to enforce security policies within a network or between networks by controlling traffic flows" (para. 1). Prior to the introduction of Web 2.0, most firewalls operated in an "allow/don't allow" environment (Hua, 2011). Following the introduction of Web 2.0 and a bewildering array of mobile devices, providing adequate firewall protection became considerably more complicated (Hua, 2011).
Firewalls basically operate by blocking attacks. By contrast, so-called intrusion detection systems (IDSs) operate by identifying attacks when they actually take place (Sequeira, 2003). According to Sequeira, "Such techniques are crucial to network security, but have limitations. A firewall can stop attacks by blocking certain port numbers, but it does little to analyze traffic that uses allowed port numbers. IDSs can monitor and analyze traffic that passes through open ports, but do not prevent attacks" (2003, p. 36). Firewall technologies include (a) packet-filtering; (b) application/proxy; (c) reverse-proxy; and (d) packet inspection — each with its own strengths and weaknesses, as outlined below.
The first issue many organizations face with respect to firewall protections is the decision whether to purchase them outright or lease them from a vendor. Each approach offers some advantages but both also carry disadvantages. For example, Andress (2003) reports that "with a single-vendor solution, such as Cisco Systems or Check Point Software Technologies, you have to deal with only one vendor and might receive deeper discounts based on the amount of product you purchase" (p. 15). Other advantages of this approach include the need for network administrators to train on only one firewall version, making updates and configurations a straightforward task (Andress, 2003).
The single-vendor approach, however, may not represent the optimal solution for all organizations. Andress cautions that "the vendor's firewall might fit your environment perfectly, but its IDS might not have the features or capability your company needs. Additionally, the common features of same-vendor products might increase your security risks" (p. 15). Furthermore, the potential exists for a single-vendor firewall to fail catastrophically, disabling the entire network until the vendor can render on-site assistance — a process that could require a substantial amount of time (Andress, 2003).
Once the decision to purchase or lease is made, the next step is selecting a firewall suitable to the needs of the organization. A wide range of firewalls is available. The following describes the four principal types, along with their respective advantages and disadvantages.
Pros: The primary advantage of packet-filtering firewalls is that they are located in virtually every device on the network. Routers, switches, wireless access points, Virtual Private Network (VPN) concentrators, and similar hardware may all have the capability to function as a packet-filtering firewall.
Cons: The challenge with packet-filtering firewalls is that access control lists (ACLs) are static, and packet filtering has no visibility into the data portion of the IP packet.
Pros: Because application/proxy firewalls act on behalf of a client, they provide an additional buffer against port scans, application attacks, and similar threats.
Cons: This type of firewall must know how to handle specific applications. Web-based applications are very common, but if an organization uses a unique application, its proxy firewall may not be able to support it without significant modifications. In addition, application firewalls are generally much slower than packet-filtering or packet-inspection firewalls because they must run applications, maintain state for both the client and server, and perform traffic inspection simultaneously.
Pros: The function of a reverse-proxy server is highly beneficial in distributing processing across multiple devices and providing an additional layer of security between the requesting client and the devices that contain the "real" data. Reverse-proxy firewalls aid in protecting and load-balancing servers, and provide a barrier between clients and critical applications through proxy services. Well-written proxy servers significantly reduce the risk of a security breach.
Cons: The same disadvantages that apply to application/proxy firewalls apply to reverse-proxy firewalls, only to a much greater degree.
Pros: These firewalls are generally much faster than application firewalls because they are not required to host client applications. Most packet-inspection firewalls today also offer very good application or deep-packet inspection. This process allows the firewall to examine the data portion of the packet, match on protocol compliance, scan for viruses, and still operate very quickly.
Cons: None identified in the reviewed literature.
(Source: Adapted from Blair, 2009, para. 1–3)
"Redundancy, OS hardening, and intrusion prevention"
"Evolving threats demand continuously updated defenses"
Firewalls were shown to be applications used to prevent unauthorized access within a network or between networks by controlling traffic flows. Several different types of firewalls are available, including packet-filtering, application/proxy, reverse-proxy, and packet inspection, each with its respective advantages and disadvantages — the exception being packet inspection, for which no specific disadvantages were identified in the reviewed literature. Firewalls, however, were also shown to be only one important part of any comprehensive security system. These devices can be hardened in various ways, and their effectiveness can be improved through the addition of an intrusion prevention system. Ultimately, no single technology constitutes a "silver bullet" solution; robust network security requires a layered, adaptive approach that combines firewalls with complementary tools and proactive management practices.
You’re 71% through this paper. Sign up to read the remaining 2 sections.
Sign Up Now — Instant Access Already a member? Log inAlways verify citation format against your institution’s current style guide requirements.