Imagine a football game with no front lines; just a lot of running backs, receivers and tacklers. Without linemen of any kind, an NFL game would be a bloody mess — or at least a game of rugby.
Now imagine your enterprise network with no firewall; just routers, switches and security programs. Quarterback sacks aren’t pretty, are they?
Now, I may be overusing the football metaphor, but it is mid-winter and that means one thing: playoffs. And nobody makes the NFL postseason without a strong front line — either defensive or offensive, or both.
Regarding information technology security, the firewall is the primary, but not the only, line of defense against hackers and malicious code. And like NFL lines, firewalls have grown bigger and more complex, and the role of firewalls in network security is critical. In fact, the SANS Institute, in its ebook Twenty Critical Security Controls for Effective Cyber Defense, lists firewalls and their configurations not once, but twice.
Firewalls are a complex subject, whose testing and updating are best left to a dedicated IT department or a managed services provider, but here is a primer on network hardware firewalls.
The Four Firewall Generations
Firewall technology first emerged in the 1980s when the Internet was in its early stages of global use and connectivity. The predecessors to firewalls were routers, which run software that makes decisions about where to send data packets. Routers still are integral to most networks, but now have firewalls to filter those data packets.
- Packet filters
- Application proxies
- Stateful packet inspection
- Deep packet inspection
First Generation – Packet Filters
In the late 1980s, early firewalls filtered at the packet level. This basic system operated at the network layer and inspected the packets of data transferred between computers on the Internet, judging each packet on its headers alone.
These early firewalls were flexible, scalable, inexpensive and fast. The problem was that they were very weak, providing minimal security. They were also difficult to manage.
Second Generation – Application Proxies
As threats and risks on the Internet grew, a new generation of firewalls was developed in the early 1990s. These firewalls used application proxies to examine traffic at the application layer, and ran on the servers themselves. This method provided greater security than packet filters, but was also more complex.
By running on servers, these firewalls required a separate operating system. This meant that they did not work on a client/server model and therefore required more administrative tasks. They were slow and complex and could not easily handle new protocols.
Third Generation – Stateful Packet Inspection (SPI)
By the mid-1990s, stateful packet inspection had become the state of the art. This firewall development overcame the limitations of packet filters and application proxies by tracking the state of each connection and providing full application layer awareness, without breaking the client/server model.
For its time, SPI was extremely secure and fast. It was more sophisticated than packet filtering, and for years was viewed as the standard in firewalls. However, since the arrival of extremely virulent network threats, such as the worms Slammer and Blaster, SPI alone is no longer enough.
Fourth Generation – Deep Packet Inspection (DPI)
Communication systems are modeled as seven abstract layers, defined by the Open Systems Interconnection (OSI) model. Stateful packet inspection examines traffic only up through the fourth OSI layer (transport), while the most powerful threats on the Internet can hide in any of the seven. Deep packet inspection extends firewall protection all the way to the seventh (application) layer.
Today, DPI is the emerging standard for firewall technology. It works both on the edge of a network and within the network itself. Although it uses a lot of resources, DPI is much more secure than SPI firewall technology.
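As an added illustration, not code from the original article or from any firewall product, here is a small Python simulation of the contrast the three sections above draw: a stateless packet filter judging headers alone, a stateful engine keeping a flow table, and deep inspection adding a layer-7 payload check on top of the stateful verdict. All addresses, ports and the signature string are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

INSIDE = "10.0.0.5"                              # constructed address of a protected host
SIGNATURES = (b"CONSTRUCTED-WORM-SIGNATURE",)    # placeholder layer-7 signature

def packet_filter(pkt):
    """Generation 1: stateless. Each packet is judged on headers alone, so the
    only way to admit replies from web servers is to trust any inbound packet
    claiming source port 80."""
    if pkt.src == INSIDE or (pkt.dst == INSIDE and pkt.sport == 80):
        return "allow"
    return "deny"

class StatefulFirewall:
    """Generation 3: remembers flows the inside host opened and admits an
    inbound packet only when it belongs to one of them."""
    def __init__(self):
        self.flows = set()

    def inspect(self, pkt):
        if pkt.src == INSIDE:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"
        return "deny"

class DeepInspectingFirewall(StatefulFirewall):
    """Generation 4: the stateful verdict plus a payload (layer-7) check."""
    def inspect(self, pkt):
        verdict = super().inspect(pkt)
        if verdict == "allow" and any(s in pkt.payload for s in SIGNATURES):
            return "deny"
        return verdict

def run_scenario():
    """Pass three constructed inbound packets through each generation and
    return the verdicts keyed by packet name and firewall type."""
    out = Packet(INSIDE, 40000, "203.0.113.10", 80)      # inside host opens a web connection
    reply = Packet("203.0.113.10", 80, INSIDE, 40000)    # legitimate reply to that connection
    stray = Packet("198.51.100.7", 80, INSIDE, 22)       # unsolicited packet that merely claims port 80
    bad = Packet("203.0.113.10", 80, INSIDE, 40000, b"HTTP/1.1 200 OK " + SIGNATURES[0])
    spi, dpi = StatefulFirewall(), DeepInspectingFirewall()
    for fw in (spi, dpi):
        fw.inspect(out)   # the outbound packet creates the flow entry
    results = {}
    for name, pkt in (("reply", reply), ("stray", stray), ("bad", bad)):
        results[name] = {"filter": packet_filter(pkt),
                         "spi": spi.inspect(pkt), "dpi": dpi.inspect(pkt)}
    return results
```

Running `run_scenario()` shows the stateless filter admitting the stray packet because it cannot tell a reply from an unsolicited packet, the stateful engine denying it for lack of a matching flow, and only the deep-inspecting engine stopping the payload that arrives over an otherwise legitimate connection.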
A managed services provider can ensure that your firewall is strong and your network is secure. A thorough assessment of your technology environment can provide them with the information they need to make recommendations to increase or stabilize your network security. Get started today by requesting a managed services assessment or click below to download our free eBook on the 10 Hidden IT Risks that could undermine your business.