Understanding Firewalls: Types, Operation, and Choosing the Right One
This article explains what firewalls are, how they inspect network traffic, the various deployment and operational types—including hardware, software, cloud, packet‑filtering, stateful, proxy, and next‑generation firewalls—and their respective advantages and disadvantages.
What is a firewall?
A firewall is a security device or program that monitors network traffic and detects potential threats, acting as a protective barrier that allows non‑threatening traffic while blocking dangerous traffic.
Firewalls can be targeted by social engineering attacks, internal threats, and human error.
How firewalls work
Enterprises place inline firewalls between external sources and protected systems. Administrators define block points where the firewall inspects every packet's payload and headers.
Inspection rules examine source and destination IP addresses, payload content, the packet protocol (e.g., TCP/IP), application protocols (HTTP, FTP, DNS, SSH, etc.), and patterns that indicate attacks. Non‑compliant packets are either silently dropped or rejected with an error message returned to the sender.
Firewall types by deployment
Based on deployment, firewalls fall into three categories: hardware firewalls, software firewalls, and cloud‑based firewalls.
Software firewall
Software (host) firewalls are installed directly on individual devices, protecting only that machine. They consume RAM and CPU resources.
Advantages:
Provides strong protection for the specific device.
Isolates individual network endpoints.
High‑precision control over allowed programs.
Always available.
Disadvantages:
Consumes CPU, RAM, and storage.
Requires configuration on each host.
Maintenance can be difficult and time‑consuming.
Compatibility issues may require multiple solutions.
Hardware firewall
Hardware firewalls are dedicated appliances that filter traffic without using host resources, making them suitable for large enterprises.
Advantages:
Protects multiple devices with a single solution.
Provides top‑level boundary security.
Does not consume host resources.
One device is managed for the whole network.
Disadvantages:
Higher cost than software firewalls.
Internal threats remain a weakness.
Requires more skill to configure and manage.
Cloud‑based firewall
Cloud firewalls (Firewall‑as‑a‑Service) are delivered over the Internet as IaaS or PaaS solutions, ideal for highly distributed businesses or teams lacking security expertise.
Advantages:
Provider handles installation, updates, and troubleshooting.
Scalable to match traffic load.
No on‑premise hardware required.
High availability.
Disadvantages:
Lack of transparency about provider operations.
Vendor lock‑in can make migration difficult.
Potential latency and privacy concerns as traffic passes third‑party networks.
Higher long‑term operating costs.
Firewall types by operation method
Five functional types based on the OSI model are described below.
Packet‑filtering firewall
Operates at the network layer, comparing packet headers against predefined criteria such as source/destination IP, packet type, port number, and protocol. It does not inspect payloads.
Advantages:
Low cost.
Fast processing.
Effective for internal traffic segmentation.
Minimal resource consumption.
Little impact on network speed.
Good first line in multi‑layer strategies.
Disadvantages:
Does not inspect payloads.
Easily bypassed by skilled attackers.
Cannot filter at the application layer.
Vulnerable to IP spoofing.
Lacks authentication and logging.
ACL management can be challenging.
Circuit‑level gateway
Runs at the session layer, monitoring TCP handshakes without deep packet inspection. It quickly allows or denies traffic but cannot block malicious payloads that pass the handshake.
Advantages:
Processes only requested transactions and rejects all other traffic.
Easy to set up and manage.
Cost‑effective and low resource usage.
Conceals internal addresses from the outside.
Minimal impact on user experience.
Disadvantages:
Not a standalone solution; lacks content filtering.
May require adjustments to software and protocols.
Stateful inspection firewall
Monitors traffic at network and transport layers, maintaining a table of active connections to allow established packets without re‑inspection.
Advantages:
Automatically permits previously inspected packets.
Effective against protocol‑based attacks.
Reduces exposed attack surface.
Detailed logging aids forensic analysis.
Reduces exposure to port scanners.
Disadvantages:
More expensive than simple packet filters.
Requires skilled configuration.
Can impact performance and add latency.
Does not verify source authenticity for spoofed traffic.
Susceptible to TCP flood attacks.
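The packet‑filtering and stateful inspection sections above describe two ways of deciding the same question: should an inbound packet be let in? The following simulation is an added example, not code from the original article or from any firewall product; its addresses, ports, rule set and payload are constructed. It evaluates the same packets through a stateless ordered ACL and through a connection‑tracking firewall, showing why the stateless filter must blindly admit ACK‑flagged packets to client ports (and so admits a port‑scan probe), why neither looks at the payload, and why each accepted half‑open connection costs the stateful firewall a table entry.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# All addresses, ports and payloads in this file are constructed sample values.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: frozenset = frozenset()   # TCP flags set, e.g. {"SYN"} or {"SYN", "ACK"}
    payload: bytes = b""


@dataclass
class Rule:
    action: str                          # "allow" or "deny"
    src: str = "0.0.0.0/0"               # CIDR the source must fall in
    dst: str = "0.0.0.0/0"               # CIDR the destination must fall in
    dport: Optional[range] = None        # destination port range, None = any
    proto: Optional[str] = None          # protocol, None = any
    need_flags: frozenset = frozenset()  # TCP flags that must all be present

    def matches(self, p: Packet) -> bool:
        # Header fields only: a packet filter never looks at p.payload.
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or p.dport in self.dport)
                and (self.proto is None or p.proto == self.proto)
                and self.need_flags <= p.flags)


INTERNAL = "10.0.0.0/8"

# Inbound ACL for a stateless packet filter. To let replies to outbound
# connections back in, it has to admit ACK-flagged packets to high client
# ports; it cannot know whether a matching connection actually exists.
STATELESS_INBOUND: List[Rule] = [
    Rule("allow", dst=INTERNAL, dport=range(443, 444), proto="tcp"),  # published web service
    Rule("allow", dst=INTERNAL, dport=range(1024, 65536), proto="tcp",
         need_flags=frozenset({"ACK"})),                               # assumed "replies"
    Rule("deny"),                                                      # default deny
]

# The stateful firewall only needs rules for new inbound connections.
STATEFUL_INBOUND: List[Rule] = [
    Rule("allow", dst=INTERNAL, dport=range(443, 444), proto="tcp"),
    Rule("deny"),
]


def stateless_decide(p: Packet, rules: List[Rule]) -> str:
    """First-match evaluation of an ordered ACL, default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFirewall:
    """Keeps a table of connections; inbound packets are admitted only if they
    belong to a tracked connection or start one that the ACL permits."""

    def __init__(self, inbound_rules: List[Rule]) -> None:
        self.rules = inbound_rules
        # key: (proto, internal ip, internal port, external ip, external port)
        self.table: Dict[Tuple[str, str, int, str, int], str] = {}

    def outbound(self, p: Packet) -> str:
        if "SYN" in p.flags and "ACK" not in p.flags:
            self.table[(p.proto, p.src, p.sport, p.dst, p.dport)] = "SYN_SENT"
        return "allow"

    def inbound(self, p: Packet) -> str:
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.table:
            # Part of a tracked connection: admitted without a rule lookup.
            if {"SYN", "ACK"} <= p.flags and self.table[key] == "SYN_SENT":
                self.table[key] = "ESTABLISHED"
            return "allow"
        if "SYN" in p.flags and "ACK" not in p.flags:
            # New connection attempt: consult the ACL and track it if accepted.
            verdict = stateless_decide(p, self.rules)
            if verdict == "allow":
                self.table[key] = "SYN_RECV"   # every half-open entry costs memory
            return verdict
        return "deny"   # ACK/RST/FIN with no state: not a reply to anything we sent


def run_scenario() -> Dict[str, str]:
    fw = StatefulFirewall(STATEFUL_INBOUND)
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    client_syn = Packet("10.0.0.20", 40000, "203.0.113.9", 443, flags=syn)   # internal client opens
    reply = Packet("203.0.113.9", 443, "10.0.0.20", 40000, flags=synack)     # server's SYN/ACK
    probe = Packet("198.51.100.7", 443, "10.0.0.20", 40001, flags=ack)       # unsolicited ACK probe
    web_syn = Packet("198.51.100.7", 51000, "10.0.0.5", 443, flags=syn,
                     payload=b"<constructed payload that neither firewall inspects>")
    ssh_syn = Packet("198.51.100.7", 51001, "10.0.0.5", 22, flags=syn)
    fw.outbound(client_syn)
    results = {
        "stateless_reply": stateless_decide(reply, STATELESS_INBOUND),
        "stateless_probe": stateless_decide(probe, STATELESS_INBOUND),
        "stateless_web": stateless_decide(web_syn, STATELESS_INBOUND),
        "stateless_ssh": stateless_decide(ssh_syn, STATELESS_INBOUND),
        "stateful_reply": fw.inbound(reply),
        "stateful_probe": fw.inbound(probe),
        "stateful_web": fw.inbound(web_syn),
        "stateful_ssh": fw.inbound(ssh_syn),
    }
    # Ten more half-open SYNs to the permitted port each occupy a table entry.
    for sport in range(52000, 52010):
        fw.inbound(Packet("198.51.100.7", sport, "10.0.0.5", 443, flags=syn))
    results["state_entries"] = str(len(fw.table))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:16} {verdict}")
```

Running it shows the stateless ACL admitting both the genuine reply and the probe, the stateful firewall admitting the reply but denying the probe (it has no table entry), both admitting the connection to port 443 regardless of its payload, and the table growing by one entry per half‑open SYN, which is the resource the TCP flood weakness exhausts.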
Proxy firewall (application‑level gateway)
Acts as an intermediary between internal clients and external servers, performing deep packet inspection at the application layer.
Advantages:
Inspects both headers and payloads.
Provides an extra isolation layer.
Hides internal IP addresses from external entities.
Detects attacks invisible to network‑layer firewalls.
Enables fine‑grained traffic control.
Can bypass geographic restrictions.
Disadvantages:
Introduces latency due to thorough inspection.
Higher processing overhead makes it more costly.
Complex to configure and manage.
May not support all network protocols.
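To make the proxy firewall's application‑layer inspection concrete (and the deep packet inspection that the next‑generation firewall section below also lists), here is an added example of the policy step an HTTP application‑level gateway performs before re‑sending a client's request. It is not code from the original article or from any proxy product; the allowed methods and hosts, the gateway name, and the sample requests from an internal client at 10.0.0.20 are all constructed. It parses the request, rejects a traversal pattern, a disallowed host, a disallowed method and a body/length mismatch that a header‑only filter would pass, and rebuilds the allowed request so the upstream server sees the gateway rather than the internal client.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

# Constructed policy for this example: what internal clients may do outbound.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"www.example.com", "api.example.com"}
MAX_BODY = 64 * 1024
# Headers the gateway strips so nothing about the internal client leaks outward.
STRIP_HEADERS = {"x-forwarded-for", "proxy-connection", "connection"}


@dataclass
class Verdict:
    allowed: bool
    reason: str
    log: str                           # one audit line per request
    forwarded: Optional[bytes] = None  # the request as the gateway re-sends it


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into its parts; raise on anything malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.decode("ascii").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers: Dict[str, str] = {}       # simplified: repeated headers collapse
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers, body


def inspect(raw: bytes, client_ip: str) -> Verdict:
    """Application-layer policy: reject what a header-only packet filter cannot see."""
    def deny(reason: str) -> Verdict:
        return Verdict(False, reason, f"{client_ip} deny {reason}")
    try:
        method, target, version, headers, body = parse_request(raw)
    except (ValueError, UnicodeDecodeError) as e:
        return deny(f"unparseable request: {e}")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return deny(f"unsupported version {version}")
    if method not in ALLOWED_METHODS:
        return deny(f"method {method} not permitted")
    host = headers.get("host", "")
    if host not in ALLOWED_HOSTS:
        return deny(f"host {host!r} not in allowlist")
    path = unquote(target.split("?", 1)[0])   # decode before checking the path
    if ".." in path.split("/"):
        return deny(f"path traversal pattern in {target}")
    try:
        declared = int(headers.get("content-length", "0"))
    except ValueError:
        return deny("invalid content-length")
    if declared != len(body) or declared > MAX_BODY:
        return deny(f"body length {len(body)} vs declared {declared}")
    # Rebuild the request: the upstream server sees the gateway, not the client.
    out = [f"{method} {target} {version}"]
    out += [f"{n}: {v}" for n, v in headers.items() if n not in STRIP_HEADERS]
    out.append("via: 1.1 example-gateway")
    forwarded = ("\r\n".join(out) + "\r\n\r\n").encode("ascii") + body
    return Verdict(True, "forwarded", f"{client_ip} allow {method} {host}{target}", forwarded)


# Constructed sample requests from the internal client 10.0.0.20.
SAMPLES: Dict[str, bytes] = {
    "normal": (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
               b"X-Forwarded-For: 10.0.0.20\r\nUser-Agent: demo\r\n\r\n"),
    "traversal": (b"GET /static/..%2F..%2Fprivate/config HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n\r\n"),
    "bad_host": b"GET / HTTP/1.1\r\nHost: updates.example.net\r\n\r\n",
    "bad_method": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "length_mismatch": (b"POST /api HTTP/1.1\r\nHost: api.example.com\r\n"
                        b"Content-Length: 100\r\n\r\nab=1"),
}


def run_samples() -> Dict[str, Verdict]:
    return {name: inspect(raw, "10.0.0.20") for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in run_samples().items():
        print(f"{name:16} {v.log}")
```

Only the first sample is forwarded, and the forwarded bytes contain no trace of 10.0.0.20: the gateway makes the outbound connection itself, which is how the proxy hides internal addresses. The full parse before any policy decision is also where the latency and processing cost listed above come from.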
Next‑generation firewall (NGFW)
Combines traditional firewall functions with advanced features such as deep packet inspection, IDS/IPS, malware scanning, threat intelligence, antivirus, NAT, QoS, and SSH inspection.
Advantages:
Integrates traditional and advanced security capabilities.
Inspects traffic from the data link layer up to the application layer.
Provides extensive logging.
Disadvantages:
Higher cost than other firewall types.
Potential single point of failure.
Longer deployment time.
Requires specialized expertise.
May affect network performance.
In practice, enterprises often deploy multiple firewalls in layered configurations to achieve comprehensive protection.
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.