The Meridian Blog: Tech News, Tips & More for SMB and Enterprise Environments

The Firewall is Primary to Network Security and Defense


Posted by Robert Bruce
January 20, 2014

Imagine a football game with no front lines; just a lot of running backs, receivers and tacklers. Without linemen of any kind, an NFL game would be a bloody mess — or at least a game of rugby.

Now imagine your enterprise network with no firewall; just routers and switches and security programs. Quarterback sacks aren’t pretty, are they?

Now, I may be overusing the football metaphor, but it is mid-winter and that means one thing: playoffs. And nobody makes the NFL postseason without a strong front line — either defensive or offensive, or both.

Regarding information technology security, the firewall is the primary, but not the only, line of defense against hackers and malicious code. And like NFL lines, firewalls have grown bigger and more complex, and the role of firewalls in network security is critical. In fact, the SANS Institute, in its ebook Twenty Critical Security Controls for Effective Cyber Defense, lists firewalls and their configurations not once, but twice.

Firewalls are a complex subject, whose testing and updating is best left to a dedicated IT department or a managed services provider, but here is a primer on network hardware firewalls.


The Four Firewall Generations

Firewall technology first emerged in the 1980s when the Internet was in its early stages of global use and connectivity. The predecessors to firewalls were routers, which run software that makes decisions about where to send data packets. Routers are still integral to most networks, but they now have firewalls to filter those data packets.

Firewalls have evolved through four stages:

  1. Packet filters
  2. Application proxies
  3. Stateful packet inspection
  4. Deep packet inspection


First Generation – Packet Filters

In the late 1980s, early firewalls filtered at the packet level. This basic system ran on the network level and inspected packets of data that transferred between computers on the Internet.

These early firewalls were flexible, scalable, inexpensive and fast. The problem was that they were very weak, providing minimal security. They were also difficult to manage.

Second Generation – Application Proxies

As threats and risks on the Internet grew, a new generation of firewalls was developed in the early 1990s. These firewalls used application proxies to examine all application levels, and ran on the servers themselves. This method provided greater security than packet filters, but was also more complex.


By running on servers, these firewalls required a separate operating system. This meant that they did not work on a client/server model and therefore required more administrative tasks. They were slow and complex and could not easily handle new protocols.

Third Generation – Stateful Packet Inspection (SPI)

By the mid 1990s, stateful packet inspection had become the state of the art. This firewall development overcame the limitations of packet filters and applications proxies by providing full application layer awareness, without breaking the client/server model.

For its time, SPI was extremely secure and fast. It was more sophisticated than packet filtering, and for years was viewed as the standard in firewalls. However, since the arrival of extremely virulent network threats, such as the worms Slammer and Blaster, SPI is no longer enough.


Fourth Generation – Deep Packet Inspection (DPI)

Communication systems are partitioned into seven abstract layers, a product of the Open Systems Interconnection (OSI) model. While stateful packet inspection filters up through the fourth OSI layer, the most powerful threats on the Internet can hide in all seven layers. Deep packet inspection extends firewall protection up through the seventh OSI layer.

Today, DPI is the emerging standard for firewall technology. It works both on the edge of a network and within the network itself. Although it uses a lot of resources, DPI is much more secure than SPI firewall technology.
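To make the difference between the generations concrete, here is an added simulation (not code from the original post or from Meridian) that runs the same constructed traffic through a stateless packet filter, a stateful inspector and a DPI inspector. The protected network prefix, the addresses, and the EVIL_SIG payload signature are all placeholder assumptions.

```python
INSIDE = "10.0.0."  # assumed prefix of the protected (inside) network

def make_packet(src, sport, dst, dport, payload=b""):
    """Constructed packet: only the header fields and layer-7 payload we need."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}

def packet_filter(pkt, rules):
    """Generation 1: stateless first-match on header fields; default deny."""
    for match, action in rules:
        if all(pkt[k] == v for k, v in match.items()):
            return action
    return "drop"

class StatefulFirewall:
    """Generation 3: admit inbound only as the reply to a flow started from inside."""
    def __init__(self):
        self.flows = set()
    def check(self, pkt):
        if pkt["src"].startswith(INSIDE):
            self.flows.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
            return "accept"
        reply_of = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        return "accept" if reply_of in self.flows else "drop"

class DPIFirewall(StatefulFirewall):
    """Generation 4: the stateful decision plus a layer-7 payload signature check."""
    def __init__(self, signatures):
        super().__init__()
        self.signatures = signatures
    def check(self, pkt):
        verdict = super().check(pkt)
        if verdict == "accept" and any(s in pkt["payload"] for s in self.signatures):
            return "drop"
        return verdict

def demo():
    """Same constructed traffic through each generation; returns the verdicts."""
    web_out = make_packet("10.0.0.5", 40000, "203.0.113.9", 80, b"GET / HTTP/1.1")
    web_reply = make_packet("203.0.113.9", 80, "10.0.0.5", 40000, b"HTTP/1.1 200 OK")
    unsolicited = make_packet("198.51.100.7", 80, "10.0.0.5", 40001, b"HTTP/1.1 200 OK")
    bad_reply = make_packet("203.0.113.9", 80, "10.0.0.5", 40000, b"HTTP/1.1 200 OK\r\n\r\nEVIL_SIG")
    strict = [({"dport": 80}, "accept")]                # allow only outbound web
    loose = strict + [({"sport": 80}, "accept")]        # also anything claiming sport 80
    spi, dpi = StatefulFirewall(), DPIFirewall([b"EVIL_SIG"])  # EVIL_SIG: placeholder
    sample = (web_out, web_reply, unsolicited)
    return {
        "filter_strict": [packet_filter(p, strict) for p in sample],
        "filter_loose": [packet_filter(p, loose) for p in sample],
        "stateful": [spi.check(p) for p in sample],
        "dpi": [dpi.check(p) for p in (web_out, web_reply, bad_reply)],
    }
```

The strict stateless rule set drops the legitimate web reply, the loose one that fixes that also admits the unsolicited packet, the stateful inspector distinguishes the two, and only DPI sees the malicious content inside an otherwise valid reply.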

A managed services provider can ensure that your firewall is strong and your network is secure. A thorough assessment of your technology environment can provide them with the information they need to make recommendations to increase or stabilize your network security. Get started today by requesting a managed services assessment or click below to download our free eBook on the 10 Hidden IT Risks that could undermine your business. 
