Meridian Blog

The Firewall is Primary to Network Security and Defense

by Robert Bruce - January 20, 2014 - Managed IT Services

Imagine a football game with no front lines; just a lot of running backs, receivers and tacklers. Without linemen of any kind, an NFL game would be a bloody mess — or at least a game of rugby.

Now imagine your enterprise network with no firewall; just routers and switches and security programs. Quarterback sacks aren’t pretty, are they?

Now, I may be overusing the football metaphor, but it is mid-winter and that means one thing: playoffs. And nobody makes the NFL postseason without a strong front line — either defensive or offensive, or both.

Regarding information technology security, the firewall is the primary, but not the only, line of defense against hackers and malicious code. And like NFL lines, firewalls have grown bigger and more complex, and the role of firewalls in network security is critical.

Firewalls are a complex subject, whose testing and updating is best left to a dedicated IT department or a managed services provider, but here is a primer on network hardware firewalls.

The Four Firewall Generations

Firewall technology first emerged in the 1980s when the Internet was in its early stages of global use and connectivity. The predecessors to firewalls were routers, which run software that makes decisions about where to send data packets. Routers still are integral to most networks, but now have firewalls to filter those data packets.

Firewalls have evolved through four stages:

  1. Packet filters
  2. Application proxies
  3. Stateful packet inspection
  4. Deep packet inspection

First Generation – Packet Filters

In the late 1980s, early firewalls filtered at the packet level. This basic system ran on the network level and inspected packets of data that transferred between computers on the Internet.

These early firewalls were flexible, scalable, inexpensive and fast. The problem was that they were very weak, providing minimal security. They were also difficult to manage.

Second Generation – Application Proxies

As threats and risks on the Internet grew, a new generation of firewalls was developed in the early 1990s. These firewalls used application proxies to examine all application levels, and ran on the servers themselves. This method provided greater security than packet filters, but was also more complex.

By running on servers, these firewalls required a separate operating system. This meant that they did not work on a client/server model and therefore required more administrative tasks. They were slow and complex and could not easily handle new protocols.

Third Generation – Stateful Packet Inspection (SPI)

By the mid-1990s, stateful packet inspection had become the state of the art. This firewall development overcame the limitations of packet filters and application proxies by providing full application layer awareness, without breaking the client/server model.

For its time, SPI was extremely secure and fast. It was more sophisticated than packet filtering, and for years was viewed as the standard in firewalls. However, since the arrival of extremely virulent network threats, such as the worms Slammer and Blaster, SPI is not enough.
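To make the difference between a first-generation packet filter and SPI concrete, here is an added example (not from the original article or any firewall product) that runs the same three packets through both models. The addresses, ports, rule set and the names `stateless_filter` and `StatefulFirewall` are constructed for illustration.

```python
# Added illustration: stateless packet filter vs. stateful packet inspection.
# All addresses, ports and rules are constructed sample values.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport direction")

INSIDE = "10.0.0.5"      # constructed internal client
WEB = "203.0.113.10"     # constructed external web server (documentation range)
OTHER = "198.51.100.7"   # constructed unrelated external host (documentation range)


def stateless_filter(pkt):
    """First-generation style: each packet is judged alone, by header fields."""
    if pkt.direction == "out":
        return pkt.dport in (80, 443)        # clients may browse the web
    # Replies must be let back in, so the rule can only match on source port.
    return pkt.sport in (80, 443) and pkt.dport >= 1024


class StatefulFirewall:
    """Third-generation style: inbound packets must belong to a tracked flow.

    Simplified: real connection trackers also follow TCP state and timeouts.
    """

    def __init__(self):
        self.flows = set()   # (inside ip, inside port, outside ip, outside port)

    def allow(self, pkt):
        if pkt.direction == "out":
            if pkt.dport not in (80, 443):
                return False
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: accept only the mirror image of a recorded outbound flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def run_demo():
    """Return (stateless verdicts, stateful verdicts) for the same traffic."""
    traffic = [
        Packet(INSIDE, 50000, WEB, 80, "out"),   # client opens a connection
        Packet(WEB, 80, INSIDE, 50000, "in"),    # genuine reply to that connection
        Packet(OTHER, 80, INSIDE, 3389, "in"),   # unsolicited, merely uses source port 80
    ]
    fw = StatefulFirewall()
    return [stateless_filter(p) for p in traffic], [fw.allow(p) for p in traffic]


if __name__ == "__main__":
    print(run_demo())
```

The stateless rule set accepts all three packets because it can only look at header fields, while the stateful firewall rejects the third packet since no outbound connection matches it.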

Fourth Generation – Deep Packet Inspection (DPI)

Communication systems are partitioned into seven abstract layers, a product of the Open Systems Interconnection (OSI) project. While stateful packet inspection filters down to the fourth OSI layer, the most powerful threats on the Internet can hide in all seven layers. Deep packet inspection extends firewall protection down to the seventh OSI layer.

Today, DPI is the emerging standard for firewall technology. It works both on the edge of a network and within the network itself. Although it uses a lot of resources, DPI is much more secure than SPI firewall technology.

A managed services provider can ensure that your firewall is strong and your network is secure. A thorough assessment of your technology environment can provide them with the information they need to make recommendations to increase or stabilize your network security. Get started today by requesting a managed services assessment or click below to download our free eBook on the 10 Hidden IT Risks that could undermine your business. 
