While originally created to protect internal networks, firewall solutions have evolved into diversified and specialized solutions suitable for a number of architectures and purposes. The eight types of deployable firewalls include traditional network firewalls, unified threat management (UTM), next-generation firewalls (NGFW), web application firewalls (WAF), database firewalls, cloud firewalls, container firewalls, and firewalls-as-a-service (FWaaS).
To deploy the appropriate type of firewall, it first requires an understanding of the available features and deployment options. These inform the pros, cons, and the best use cases for each firewall and how each type of firewall delivers a unique solution.
Firewall Types
Firewall Types | Pros | Cons | Best Use Cases | Deployment Options |
---|---|---|---|---|
Traditional (AKA: Basic, Host, or Network) Firewall | Effective, fast data throughput, quick deployment, inexpensive | Limited functions and capacity, low security, no traffic inspection | Low-risk and low-budget environments | Physical hardware, software virtual machine |
Unified Threat Management (UTM) | Multiple basic security functions, centralized control, easy installation, medium security | More frequent updates required, less effective than dedicated solutions, lacks customization, low throughput | Moderate risk, low resource environments | Physical hardware, software virtual machine |
Next Generation Firewall (NGFW) | High security, inspects encrypted traffic, directly blocks malware | More expensive, slow throughput, increased maintenance, more risk of misconfiguration | High-risk environments (finance, healthcare, etc.) | Physical hardware, software virtual machine |
Web Application Firewall (WAF) | High security for applications, specialized HTTP inspection, highly focused purpose | Doesn’t secure all applications, must be part of a security stack, expense only makes sense for larger needs | Specialized application defense, high performance firewall | Physical hardware, software virtual machine |
Database Firewall | High and specialized security and monitoring for databases, improved compliance reports | Must be part of a security stack, expense only makes sense for larger needs | Extra defense for databases, high performance firewall | Physical hardware, software virtual machine |
Cloud Firewall | More scalable, often pre-configured for the cloud provider, no maintenance for underlying hardware | No control of underlying hardware, more expensive for baseline firewall needs, may not be multi-cloud compatible | Specialized cloud defense, centralized enterprise firewall, highly-variable firewall traffic | Software virtual machine |
Container Firewall | Centralized or DevOps configuration, can be deployed by code, container visibility and control, rapid scalability and on-demand deployment | Must be part of a security stack, expense only makes sense for larger needs | Extra and specialized container security, high performance firewall | Containerized software |
Firewall-as-a-Service (FWaaS) | More scalable than on-prem firewalls, unified security, flexible and simplified deployment, requires less IT skill and resources, fully automated updates and maintenance, more rapid identification and updates for attack threats | Less attentive to specific customer needs, reduced customization options, loss of control, potential information exposure to 3rd party service provider, doesn’t replace device or specialty firewalls | Centralized management for geographically diverse organizations, robust security for resource constrained organizations, turnkey firewall solution for rapid deployment or legacy replacement | n/a (Service) |
Features & Deployment Options for Firewalls
Firewalls are the bouncers for IT. They screen incoming traffic to networks, applications, databases, and other resources for unauthorized and unwanted traffic.
Firewalls must balance security performance with operations throughput, and more advanced functions improve security but slow down data delivery. In most cases, the “best” firewall solution will be the deployment of multiple firewalls to maximize their best attributes and minimize their flaws; however, budgets and resource constraints often deny ideal deployments.
Types of Firewall Features
The key features of firewalls include packet filtering, stateful inspection, session filtering, proxy service, application layer filtering, source filtering, malware filtering, and deep packet inspection. The chart below compares generally-available features with the associated firewall type, but keep in mind all classifications are generalities and some advanced traditional firewalls may perform some malware filtering and some database firewalls may be capable of session filtering.
Each feature delivers a different type of screening function. Fast, simple features don’t add much security, while the more complex features add significant security at the similarly significant cost of operational throughput.
Feature | Security Level | Complexity | Speed | Description |
---|---|---|---|---|
Packet Filtering | Low | Low | Fast | Compares headers of packets against preset rules that define permitted IP address, protocols, source/destination port |
Session Filtering (AKA: Circuit-Level Gateway) | Low | Low | Fast | Examines session level connections (TCP/UDP) to verify connections are legitimate, often creates proxy connections (see below) |
Proxy Services | Low | Low | Medium | Makes protocol connections (TCP/UDP) on behalf of other devices or apps; hides IP addresses and blocks queries to learn about open ports and services |
Stateful Inspection | Medium | Medium | Medium | Tracks connections (TCP, etc.) in tables to detect, track, and block potentially malicious traffic |
Application-layer Filtering | High | High | Slow | Uses proxies and more complex rules to inspect and filter out application layer attacks; resource intensive |
Source Filtering | Medium | Medium | Medium | Uses website URL, IP address, and geolocation information to identify and filter out potentially dangerous traffic sources; difficult to keep up-to-date |
Malware Filtering | High | High | Slow | Detects (often using signatures) and blocks known malware or malicious behavior; resource-intensive and difficult to keep up to date |
Deep Packet Inspection | High | High | Slow | Inspects contents of traffic packets to identify indicators of compromise, malicious content, and sensitive information; very resource intensive, especially when decrypting encrypted traffic |
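As an added example (not code from the article), the Python below puts a header-only packet filter beside a stateful inspector and runs both over a constructed five-packet trace; the addresses, ports and rules are assumptions. It shows concretely why the table rates stateful inspection above packet filtering: a stateless rule that admits anything carrying the ACK flag as "return traffic" is fooled by a forged header, while a connection table is not.

```python
# Added example, not from the article: a header-only packet filter beside a
# stateful inspector, run over a constructed trace. Addresses, ports and rules
# are assumptions chosen for illustration.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: str = ""         # TCP flag letters: "S" SYN, "A" ACK, "SA" SYN-ACK
    outbound: bool = False  # True when the packet leaves the protected network


# Stateless rules, first match wins: (action, proto, dport, flag that must be
# set); None matches anything. A header-only filter cannot recognise replies to
# client connections, so it typically admits anything with ACK set.
INBOUND_RULES = [
    ("allow", "tcp", 443, None),  # published HTTPS service
    ("allow", "tcp", None, "A"),  # assumed return traffic
    ("deny", None, None, None),   # default deny
]
ALLOWED_SERVICES = {("tcp", 443)}  # services outsiders may open (stateful)


def packet_filter(pkt: Packet, rules=INBOUND_RULES) -> str:
    """Packet filtering: compare headers of one packet against preset rules."""
    if pkt.outbound:
        return "allow"
    for action, proto, dport, flag in rules:
        if proto is not None and pkt.proto != proto:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if flag is not None and flag not in pkt.flags:
            continue
        return action
    return "deny"


def _conn_key(pkt: Packet):
    """Normalise to (proto, local ip, local port, remote ip, remote port)."""
    if pkt.outbound:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)


def stateful_inspect(trace: List[Packet]) -> List[str]:
    """Stateful inspection: inbound packets pass only if they belong to a
    tracked connection or open a published service with a bare SYN."""
    table, verdicts = set(), []
    for pkt in trace:
        key = _conn_key(pkt)
        if pkt.outbound:
            table.add(key)              # connection opened from inside
            verdicts.append("allow")
        elif key in table:
            verdicts.append("allow")    # genuine reply or continuation
        elif pkt.flags == "S" and (pkt.proto, pkt.dport) in ALLOWED_SERVICES:
            table.add(key)              # new inbound connection to a service
            verdicts.append("allow")
        else:
            verdicts.append("deny")     # no matching state
        if "F" in pkt.flags or "R" in pkt.flags:
            table.discard(key)          # connection torn down
    return verdicts


def compare(trace: List[Packet]) -> List[Tuple[str, str]]:
    """Return (packet filter verdict, stateful verdict) per packet."""
    return list(zip([packet_filter(p) for p in trace], stateful_inspect(trace)))


# Constructed trace: an inside client opens a web connection and gets its
# reply; an outsider then sends a lone ACK to a non-published port, opens the
# published HTTPS service, and finally tries an unpublished SSH port.
TRACE = [
    Packet("10.0.0.5", 51000, "203.0.113.9", 80, flags="S", outbound=True),
    Packet("203.0.113.9", 80, "10.0.0.5", 51000, flags="SA"),
    Packet("198.51.100.7", 4444, "10.0.0.5", 3389, flags="A"),  # forged header
    Packet("198.51.100.7", 5000, "10.0.0.5", 443, flags="S"),
    Packet("198.51.100.7", 5001, "10.0.0.5", 22, flags="S"),
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(TRACE, compare(TRACE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags:<2}] "
              f"packet filter={stateless:<5} stateful={stateful}")
```

Only the third packet splits the two verdicts: the header-only filter lets it through, the connection table drops it.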
Types of Firewall Deployment
When deploying a firewall, the security team needs to consider where the solution fits into the overall architecture. Traditionally, vendors delivered all firewalls in purpose-built hardware appliances, but now nearly all types of firewalls may be deployed as software ready to be installed as virtual machines (VMs) or containers.
Hardware Firewalls
Hardware comes in server rack and desktop profiles and will be fixed in capacity based upon the hardware configuration. The dedicated hardware and fixed capacity improves convenience for updates and remote deployments.
However, hardware firewalls cost more than equivalent VMs, take up physical space, and are much less flexible to change. The limited flexibility plus capacity constraints make hardware less attractive for deployment in dynamic environments.
Software-Based Firewalls (VM, Cloud, Container)
Software-based virtual machine firewalls can be installed on desktops, servers, cloud, and container orchestration environments. Virtual firewalls offer improved flexibility, rapid deployment, and a full range of capabilities, from simple host-based operating system firewalls to full NGFW capabilities.
However, the security of a VM firewall becomes dependent on the host environment, and the firewall can conflict with other applications running on the host. VM firewalls also increase complexity and opportunities for mistakes in installation, integration, and configuration.
Traditional Network Firewalls
Traditional, basic, or simple network firewalls screen data packets by following rules and performing data header inspections. These firewalls provide inexpensive security and can be deployed easily as hardware devices or virtual machines throughout a network to perform filtering or network segmentation.
No vendor sells a firewall listed as ‘traditional,’ ‘simple,’ or ‘basic.’ However, a buyer can observe that the lowest priced firewall options will generally deploy the simplified features attributed to a traditional firewall.
Traditional firewalls are known as host-based firewalls when built into operating systems (EX: Windows Firewall, macOS, etc.), enterprise network routers, and consumer Wi-Fi routers. Purchasing low-cost firewalls providing traditional functionality can enable fast and easy firewall protection, but IT teams with more time might prefer open-source software firewalls.
Protection Level | Operations Throughput | Vendors | Open-Source Options |
---|---|---|---|
Low: Simple and basic | High (stateful inspection can cause some slowness) | Netgate (pfSense hardware), Zyxel | pfSense, OPNsense Firewall, IPFire |
Use Cases
- Branch offices or small and home offices (SOHO)
- Low-risk environments (industrial facilities with limited tech, etc.)
- Layer of defense for servers, endpoints, and network segments
- Internal network segmentation, access control, or bandwidth management
- Initial high-throughput filtering of traffic in front of more sophisticated or specialized solutions (NGFW, WAF, etc.)
Common Features
- Packet filtering
- Stateful inspection
- Session filtering
- Proxy service
- Application layer filtering
- Source filtering
- Malware filtering
- Deep packet inspection
Pros
- Very effective for a narrow set of tasks
- Fast processing and high data throughput
- Inexpensive or free to implement
- Quick to install and configure
Cons
- Doesn’t block application or web-based (HTML) attacks
- No traffic inspection
- Typically limited capacity
- Can be fooled by manipulated headers
Unified Threat Management (UTM)
Unified threat management (UTM) appliances provide a robust security stack in a turn-key appliance that simply plugs into the network. The typical UTM expands upon the basic traditional firewall capabilities to perform additional scanning that incorporates the capabilities of antivirus, intrusion detection systems, secure web gateways (SWGs), domain name service (DNS) security, and email gateway security.
UTMs target small and medium-sized organizations that want to save money with a combined security solution. This solution also works for any-sized organization that wouldn’t have the resources to fine-tune security options for their organization.
All UTMs inspect the unencrypted components of incoming and outgoing packet headers for malware, malicious attachments, and known-malicious or suspected phishing sites (IP addresses, URLs, etc.), and perform some basic application-layer protections. Some UTMs can perform deep packet scanning but lack the full-powered scanning available in an NGFW because resources are shared with the non-firewall features of the appliance.
Protection Level | Operations Throughput | Vendors | Open-Source Options |
---|---|---|---|
Medium | Low: Many inspections are performed | Fortinet, SonicWALL, Juniper Networks, Check Point Software, WatchGuard, and Sophos | Endian, Untangle |
Use Cases
- Small and medium-sized organizations or branch offices
- Organizations with limited IT resources
- Moderate risk facilities (industrial facilities, cruise ships, etc.)
Common Features (Firewall only)
- Packet filtering
- Stateful inspection
- Session filtering
- Proxy service
- Application layer filtering*
- Source filtering
- Malware filtering
- Deep packet inspection*
*Some features may be present but limited in capability compared to more robust solutions (NGFW, WAF, etc.).
Pros
- Includes a variety of security features in a single deployment
- Centralized management console
- Makes installation and management easier for IT teams
- Inexpensive compared to deploying individual solutions for each function
Cons
- Expanded capabilities often require more frequent updates, especially for antivirus signatures and malicious URLs
- Tends to be less effective than dedicated solutions
- Slow data throughput compared to dedicated solutions or traditional firewalls
- Lacks customization options
Next-Generation Firewalls (NGFWs)
Next-generation firewalls expand on the capabilities of traditional firewalls with more robust inspection of the contents of each data packet. This inspection includes examining the source and destination IP addresses to block malicious (malware, phishing, etc.) and unwanted connections (adult entertainment sites, unwanted geolocations, etc.).
NGFWs perform some application level filtering of harmful applications using signature matching and SSL decryption. Next-gen firewall application filtering capabilities can even enable banning the use of specific applications, such as peer-to-peer (P2P) file-sharing applications, or partially restrict application use, such as allowing Skype calls but blocking Skype file sharing.
Most firewalls currently sold provide at least simple packet inspection and URL filtering. Newer and more powerful NGFWs incorporate behavioral detection and deploy artificial intelligence (AI) for anomaly detection and proactive defense.
Protection Level | Operations Throughput | Vendors | Open-Source Options |
---|---|---|---|
Very high: deep packet inspection, decryption, malware filtering | Low: Advanced features take time to perform | Arista, Barracuda, Check Point Software, Cisco, Forcepoint, Fortinet, Huawei, Juniper Networks, Palo Alto Networks, SonicWall (Dell), Sophos | OPNsense Firewall, DynFi |
Use Cases
- Maximum protection in a firewall solution for the broadest needs
- Extensive protection to satisfy PCI or HIPAA compliance
- Performance-insensitive environments little affected by reduced data flow
- Enterprise, government, and education campus environments with robust IT resources for installation, configuration, and maintenance
Common Features
- Packet filtering
- Stateful inspection
- Session filtering
- Proxy service
- Application layer filtering
- Source filtering
- Malware filtering
- Deep packet inspection
Pros
- More thoroughly searches incoming data for malicious code
- More likely to meet compliance requirements
- Can directly block some malware and attacks (such as DDoS)
- Can inspect encrypted traffic
Cons
- More expensive solution
- More limited data throughput can cause network performance issues
- More features mean more options, which increases installation time, configuration requirements, and misconfiguration risk
- More maintenance and updates will be required
Web Application Firewalls (WAF)
A web application firewall (WAF) provides an application-layer proxy between an application and the application’s users to filter potentially malicious traffic. These firewalls provide improved operational performance by focusing on specialized defense such as filtering out deliberately malformed or malicious requests.
Installing a WAF allows an NGFW at the edge of the network to skip application layer inspections and focus on more basic scanning tasks, improving data flow to the application server. The proxy architecture shields the application from malicious activity such as port scans, attempts to determine the software running on the application server (or container information), and cross-site scripting (XSS).
In addition to application layer filtering, many WAFs now provide protection for application programming interfaces (APIs), bot detection, and microservices. More advanced WAFs boost performance using AI and ML for anomaly detection and autonomous threat blocking.
Protection Level | Operations Throughput | Vendors | Open-Source Options |
---|---|---|---|
High, but specialized; usually ignores basic firewall functions | Medium; application packet inspection takes time, but specialized filtering reduces operations drag | Akamai, Barracuda, Citrix, Cloudflare, F5 Networks, Fastly, Fortinet, Imperva, Netscaler, Radware, Wallarm | Coraza, ModSecurity, open-appsec, Shadow Daemon |
Use Cases
- Extra and specialized defense for application servers and applications
- Specialized high-performance firewall to remove burden and slowdown from other firewalls
Common Features
- Proxy service
- Application layer filtering
- Source filtering
- Malware filtering
- Deep packet inspection*
*Deep packet inspection will typically be focused on application attack prevention (XSS, DDoS, SQLi, etc.) and pay less attention to blocking malware to improve performance.
Pros
- Adds an extra layer of protection between the application and potentially malicious code
- Specialized inspection of HTTP/HTTPS traffic to defend against code-based attacks such as SQL injection (SQLi) or cross-site scripting (XSS)
- Specialized packet inspection improves ease of use and reduces operations drag
- Specialized focus also decreases installation and configuration mistakes
Cons
- Only cost effective for organizations with higher risks, budgets, and resources
- Doesn’t provide full security for all applications
- May slow the performance of some applications
- Doesn’t provide a full spectrum of security and should only be part of a security stack
Database Firewalls
Database firewalls are a subset of web application firewalls that protect databases. They are installed directly in front of the database server or occasionally in front of the network gateway when protecting multiple databases running on multiple servers.
Database firewalls detect and prevent specific database attacks, such as SQL injection (SQLi), that can lead to attackers accessing confidential information stored in the databases. Installing a database firewall allows a security team to skip inspections for database attacks at the NGFW and application servers earlier in the data flow, improving data throughput and performance overall.
Protection Level | Operations Throughput | Vendors | Open-Source Options |
---|---|---|---|
High, but specialized; usually ignores basic firewall functions | High; application packet inspection takes time, but highly specialized filtering reduces operations drag compared to NGFW or WAF | DataSunrise, Fortinet, Imperva, Oracle | DBHawk, GreenSQL |
Use Cases
- Extra and specialized defense for databases and database servers
- Extra compliance reporting regarding database access and usage
- Specialized high-performance firewall to remove burden and slowdown from other firewalls
Common Features
- Proxy service
- Application layer filtering
- Source filtering
- Malware filtering
- Deep packet inspection*
*Deep packet inspection will focus on database attack prevention (SQLi, etc.) and pay less attention to blocking other types of attacks to improve performance.
Pros
- Specialized inspection of HTTP/HTTPS traffic to defend against code-based attacks such as SQL injection (SQLi)
- Security focus improves ease of use and decreases installation or configuration mistakes
- Can double as a monitoring and auditing tool for database access
- Can produce reports regarding database access for compliance and regulatory purposes
Cons
- Only cost-effective for organizations with higher risks, budgets, and resources
- Doesn’t provide a full spectrum of security and should only be part of a security stack
- Decreases performance for database access
- Hyper-specialized protection may require specialized resources, such as database experts, to help with the integration and configuration
Cloud-Based Firewalls
A cloud-based firewall can be purchased in the marketplace for cloud providers (Azure, AWS, Google Cloud, etc.) to protect cloud resources behind the firewall. An ambitious organization could technically configure its entire network infrastructure to run behind a cloud-scalable firewall, provided that giving up control of the underlying hardware is acceptable.
Many popular firewall vendors (Fortigate, Fortinet, Juniper, Palo Alto, Sophos, etc.) offer cloud-optimized VM solutions in a cloud marketplace preconfigured for that specific cloud (Azure, AWS, etc.). Some cloud providers will also make their own branded firewalls available (Azure, IBM, etc.).
Cloud-based firewalls may be specialized firewalls (Ex: WAF, Container) or may be fully functional NGFWs. Unlike FWaaS, covered below, a cloud-based firewall will require internal IT resources to install, configure, maintain, and monitor the firewall.
Protection Level | Operations Throughput | Vendors | Open-Source Options |
---|---|---|---|
Variable: A full range from basic to NGFW can be implemented | Variable: Fully dependent upon the features selected and level of packet inspection | Arista, AWS, Fortigate, Fortinet, Juniper, Microsoft, Palo Alto, Sophos | OPNsense* |
*Note: Open-source resources obtained as cloud-firewalls won’t generally be free deployments. At the very least, the cloud provider will charge fees for the VM (CPU, memory, etc.).
Use Cases
- Specialized layer of defense for cloud resources
- Centralized firewall for an entire enterprise
- Highly variable needs benefit from the scalability of cloud resources
Common Features
- Packet filtering
- Stateful inspection
- Session filtering
- Proxy service
- Application layer filtering
- Source filtering
- Malware filtering
- Deep packet inspection
Note: Not all features will be available with all cloud-based firewall products.
Pros
- More scalable (up and down) than on-premises options
- Less expensive than an on-premises option licensed for peak use requirements
- Often pre-configured for cloud-specific deployment
- No maintenance and upgrade requirements for the underlying hardware
Cons
- No control of the underlying hardware
- More expensive than on-premises equipment scaled for baseline requirements
- Cloud-vendor-optimized deployments may not be multi-cloud compatible
- Cloud-deployed firewalls may require cloud experts to ensure proper implementation and configuration of the deployment
Container Firewalls
A container firewall protects and isolates containerized application stacks, workloads, and services on a container host. Container firewalls deliver traditional firewall capabilities and filter traffic in, out, and within the container environment.
This specialized security improves operational throughput and creates highly isolated containers with limited exposure (and access) to external networks or other non-containerized applications. The lightweight design of a container firewall integrates tightly with container engines (Docker, etc.) and orchestration tools (Kubernetes, OpenShift, etc.).
As with other container resources, container firewalls can be easily scaled, deployed, and removed from service using code. Container firewalls can also be integrated with developer operations (DevOps) tools and processes to keep up with agile requirements.
Protection Level | Operations Throughput | Vendors | Open-Source Options |
---|---|---|---|
High, but specialized; relies upon other firewalls and tools for full protection | High; tightly defined allow lists and focused packet inspections keep throughput high | Juniper Networks, Palo Alto Networks | SUSE (NeuVector), Tigera (Calico) |
Use Cases
- Extra and specialized defense for containers
- Specialized high-performance firewall to remove burden and slowdown from other firewalls
- Deploy on demand and in tandem to protect containerized microservices
Common Features
- Application layer filtering
- Source filtering
- Malware filtering
- Deep packet inspection
Pros
- Centralized configuration or configuration through DevOps
- Can be deployed by code
- Provides visibility and control over containers
- Container deployment provides rapid scalability and on-demand installation
Cons
- Only cost-effective for organizations with higher risks, budgets, and resources
- Doesn’t provide a full spectrum of security and should only be part of a security stack
- Code deployment without security oversight risks deployment of obsolete firewalls that no longer provide good security
- Specialized container deployments will require specialized (and more expensive) container expertise for configuration and integration
Firewall-as-a-Service
Firewall-as-a-Service (FWaaS) provides NGFW capabilities as a fully-outsourced service. FWaaS can be considered a specialized sub-category of NGFW or cloud-based firewalls in which most configuration and maintenance are outsourced to the SaaS provider.
FWaaS professionals completely specialize in firewall management, and this focus provides superior maintenance and threat updates. Zero-day attacks detected for one customer become information shared for all customers and improve security accordingly.
Deployment requires configuring corporate routers to divert traffic to the cloud-based firewall, while mobile users either connect to it via a VPN or by using it as a proxy. This process enables rapid deployment for geographically dispersed organizations or can be used during the replacement of legacy technology from corporate acquisitions.
Protection Level | Operations Throughput | Vendors | Open-Source Options |
---|---|---|---|
High; robust NGFW capabilities delivered at scale and with expansive geographic presence | Medium; scalable cloud resources provide power, but FWaaS cannot be optimized and customized to the same level as fully controlled firewall architecture | AppTrana (WAF specialist), Cisco, Forcepoint, Fortinet, NordLayer, Perimeter 81 (Check Point), SecurityHQ, Zscaler | n/a |
Use Cases
- Centralized management for geographically dispersed offices
- More robust security for IT resource-constrained organizations
- Turnkey firewall capabilities for rapid startup or replacement of legacy systems
Common Features
- Packet filtering
- Stateful inspection
- Session filtering
- Proxy service
- Application layer filtering
- Source filtering
- Malware filtering
- Deep packet inspection
Pros
- Cloud-hosted firewalls provide more flexible and scalable solutions with improved uptime compared to on-premises options
- Simple and easy deployment without any maintenance requirement
- Unified security applied consistently across the organization
- More rapid identification and updates for attack threats
Cons
- Service provider probably doesn’t know the specific security needs of its customers
- May have fewer options than more established hardware and software firewall solutions
- Loss of control and potential to expose internal information to third parties (through packet inspection, etc.)
- Doesn’t replace the need for device (OS, router) and narrow-solution firewalls (database, container)
Firewall Services as Alternatives to Firewall Purchases
All of the types of firewalls above can be purchased or installed. However, some companies may be too small, lack IT staff, or simply want to avoid the hassles of configuring and managing their own firewalls.
FWaaS provides one option for fully-outsourced firewalls in the lowest common denominator form. However, this won’t always be the best fit for organizations with resource constraints or secrecy or compliance requirements that don’t allow for data to pass through third-party providers.
Organizations with these additional constraints can hire managed service providers (MSPs), managed security service providers (MSSPs), and other cybersecurity consultants to purchase, install, configure, monitor, and maintain a diverse array of firewalls.
In addition to addressing resource constraints, adopting a service (including FWaaS) eliminates capital expenditure (CapEx) costs in favor of operating expenses (OpEx). Although the overall cost of the OpEx expense may eventually exceed the costs of a CapEx firewall acquisition, services provide more flexibility and scalability to right-size the expenditure to match changing needs.
9 Questions to Ask to Find the Right Firewall Solutions
To determine the appropriate firewall solution, first understand and define the needs. These needs must incorporate not only the security requirements but also the operations requirements, risk profiles, and resource constraints.
- What kind of resources are being protected?
- Which features may already be handled by other solutions?
- What kind of traffic will the firewall face, and how critical is packet throughput?
- How many resources are being protected?
- What is the network architecture?
- How costly is the risk of failure?
- Are there compliance or secrecy risks?
- How many resources are available for firewall management?
- What is the realistic budget?
Each of these questions contributes to determining the type of features needed and the type of resources available to implement and manage those features. Gaps between needs, risks, and available resources can sometimes be filled with services, but sometimes they must be settled by compromise and accepted risk.
Bottom Line: Choose the Right Firewall Solution As Part of a Bigger Security Picture
Not all businesses will need the same types of firewalls. Small businesses and those without a dedicated security team may gain more benefits from a FWaaS or traditional firewall than large enterprises with the budgets and resources to support NGFWs. The “best” firewall really depends on how a network is set up, the personnel available, and the needed features.
Of course, deploying the selected firewall only starts the process. The firewall must be properly installed, configured, and integrated into the broader network security stack as part of the strategy for layers of security.