
7 Types of Firewalls Technologies (Software/Hardware) Explained

Written By Harris Andrea

The firewall is the cornerstone of security in computer networks and in IT in general. On this website I have written extensively about the Cisco ASA firewall, which is a classic example of a hardware network firewall.

[Figure: firewall architectures]

However, there are other types of firewalls in use in large enterprises, SMBs and even home networks. Some of them are very common, and some are rarely encountered by professionals (such as the type discussed at the end of this article).

The main reasons to deploy a firewall device or firewall software in a network are to control traffic flow, allow or block traffic between hosts, restrict access to applications, and inspect packets for malicious patterns.

This can be done at different layers of the OSI model, from Layer 3 (network) up to Layer 7 (application).

So, without further delay let’s see the various architectures and types of firewalls that you can find in your professional career.

Table of Contents

  • 1) Hardware Firewall
  • 2) Software Firewall
  • 3) Stateful Inspection Firewalls
  • 4) Packet Filtering Firewall
  • 5) Application Firewall
  • 6) Next-generation Firewall (NGFW)
  • 7) Telephony Related Firewalls
  • What is Firewall Technology

1) Hardware Firewall

This is the most widely deployed type of firewall in enterprise networks. It is used extensively either as a border device (to separate and protect the internal LAN from the Internet or other untrusted networks) or to segment and protect internal networks in large enterprises.

[Figure: cisco asa dhcp multiple scopes]

Hardware firewalls usually have several physical network interfaces, which are used to create different "security zones", each typically corresponding to a different Layer 3 subnet. Each physical interface can be further divided into 802.1Q subinterfaces (one per VLAN) to create additional zones without adding cables.

Because the firewall runs on its own dedicated appliance (often with purpose-built ASICs for packet processing), it can handle large volumes of packets and thousands or millions of concurrent connections; these are generally high-performance devices.

Some popular hardware firewall brands include Cisco ASA, Fortinet FortiGate, Juniper SRX, Check Point, Palo Alto Networks and SonicWall.

2) Software Firewall

A classic example of a software firewall is Windows Firewall (Windows Defender Firewall in current versions), which has been included by default in Microsoft Windows since Windows XP SP2. It is a host-based firewall and controls traffic and applications on end-user workstations or servers.

Other examples of host-based software firewalls are those found on Linux machines, such as iptables/nftables and front-ends built on top of them like firewalld or CSF (ConfigServer Security & Firewall).

However, software firewalls are not only host-based. There are several open source firewall distributions (such as pfSense and OPNsense, both FreeBSD-based, or the Linux-based ClearOS) which can be installed on a dedicated x86 server or appliance, thus creating a dedicated hardware firewall device.

The first two types above are broad categories based on form factor. Now let's look at other types based on their architecture: how they handle traffic and at which layer of the OSI model they work.


3) Stateful Inspection Firewalls

Almost all modern network firewalls incorporate the "stateful inspection" architecture. Let's describe exactly what that means using an example communication:

In a TCP communication between a client and a server (e.g. a user with a web browser talking to a web server), the client browser starts an HTTP connection to TCP port 80 of an Internet web server.

Assume that the stateful inspection firewall sitting in the middle allows this outgoing HTTP traffic to pass. The packets therefore reach the web server, which replies back to the client (as happens with every TCP communication).

Under the hood, when the stateful firewall permits the first packet (the TCP SYN) of the connection from client to server, it saves the details of that connection in a "state table". This table includes details such as source IP and source port, destination IP and destination port, TCP flags, expected TCP sequence numbers, etc.

Therefore, any reply packets coming back from the external web server that match the entry created for the initial connection will pass through the firewall and reach the client without any extra configuration.

This makes configuration easier, since the administrator does not need to configure rules on the firewall to allow the return/reply packets coming from outside to inside. These packets are allowed automatically if they belong to an already established connection from client to server. For connectionless protocols such as UDP and ICMP the firewall keeps a "pseudo-state" (based on the addresses and ports or identifiers seen in the outgoing packet) with an idle timeout, so DNS replies and ping responses are handled the same way.

The stateful firewall is effective for three reasons:

  • It works both on individual packets and on connections, so it can verify that a packet is consistent with the flow it claims to belong to (for example, that the flags and sequence numbers make sense) instead of judging each header in isolation.
  • It is much faster than an application proxy, because it does not terminate and re-originate every connection, while costing only a little more than stateless packet filtering.
  • It records every connection and connectionless transaction in the state table, which serves as the reference for deciding whether a packet belongs to an existing connection or is unsolicited and should be dropped.

Two practical caveats: the state table is a finite resource, so floods of bogus connection attempts (e.g. SYN floods) can exhaust it unless the firewall enforces connection limits or uses SYN cookies; and asymmetric routing, where the reply takes a path that bypasses the firewall, breaks stateful inspection because the firewall never sees the packets it would need to track.

4) Packet Filtering Firewall

A packet filtering firewall works at Layers 3 and 4 of the OSI model (the network layer, IP, and the transport layer, TCP/UDP).

In other words, this type of firewall filters traffic statically, based only on fields in the packet headers: IP addresses, protocol and port numbers. No state is kept by the firewall about each connection (unlike the stateful firewall described above).

A packet filter checks only the following for each packet:

  • Source IP address and source port
  • Destination IP address and destination port
  • IP protocol (TCP, UDP, ICMP, etc.) and, on some devices, TCP flags

Packet filtering is also called "stateless" firewalling. On Cisco devices, for example, an Access Control List (ACL) applied to a router interface works as a packet filter firewall.

One main disadvantage of packet filter firewalls is that you also need to configure rules to allow the reply packets coming back from the destination hosts, because the firewall does not keep a "state table" like the stateful firewall discussed above. The usual workaround on Cisco IOS is an inbound rule with the `established` keyword, which matches any TCP packet carrying the ACK or RST flag; this lets replies in, but it also lets in any crafted packet with ACK set (for example an nmap ACK scan), because the router has no way to know whether a matching connection actually exists.


Packet filtering is mostly implemented on routers or Layer 3 switches and is a "quick and dirty" way to block some traffic from an untrusted network towards a trusted/protected network.
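To make the difference between the stateful inspection firewall (section 3) and the packet filter (section 4) concrete, here is an added example (my own illustration, not code from the article or from any Cisco product). It models a stateless filter whose inbound reply rule mimics the Cisco `established` keyword, side by side with a stateful firewall that keeps a state table. The packets, the addresses (RFC 5737 documentation ranges) and the rule syntax are constructed for the example; nothing here touches a real network.

```python
"""Stateless packet filter vs stateful inspection, modelled in Python.

Constructed example (not code from the article): packets, addresses and the
rule syntax are made up to mirror the text; nothing touches a real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str]          # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


@dataclass(frozen=True)
class Rule:
    """One permit entry. 'established' mimics the Cisco ACL keyword: the
    rule only matches packets that carry the ACK or RST flag."""
    src_prefix: str
    dst_prefix: str
    dst_port: Optional[int] = None     # None = any destination port
    established: bool = False


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src_ip) in ip_network(rule.src_prefix)
            and ip_address(pkt.dst_ip) in ip_network(rule.dst_prefix)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port)
            and (not rule.established or bool(pkt.flags & {"ACK", "RST"})))


class StatelessFilter:
    """Packet filter (section 4): every packet is judged on its own header.
    Reply traffic needs its own inbound rule; there is no memory of flows."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.rules = {"in": inbound, "out": outbound}

    def permits(self, pkt: Packet, direction: str) -> bool:
        # first matching permit wins; no match = implicit deny, like an ACL
        return any(matches(r, pkt) for r in self.rules[direction])


class StatefulFirewall:
    """Stateful inspection (section 3): only the first packet of a new
    outbound connection is checked against policy; later packets in either
    direction pass because they match an entry in the state table."""

    def __init__(self, outbound_policy: List[Rule]):
        self.policy = outbound_policy
        self.state = set()   # 4-tuples (src_ip, src_port, dst_ip, dst_port)

    def permits(self, pkt: Packet, direction: str) -> bool:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.state or reverse in self.state:
            return True                      # part of a tracked connection
        # a new connection must start with a bare SYN, from the inside only
        if direction == "out" and pkt.flags == {"SYN"} and any(
                matches(r, pkt) for r in self.policy):
            self.state.add(key)
            return True
        return False


def run_scenario() -> dict:
    """Send the same four packets through both firewalls and collect verdicts."""
    inside, anywhere = "10.0.0.0/8", "0.0.0.0/0"
    client, server, attacker = "10.1.1.5", "203.0.113.10", "198.51.100.7"
    allow_web = Rule(inside, anywhere, dst_port=80)

    stateless = StatelessFilter(
        inbound=[Rule(anywhere, inside, established=True)],   # "permit replies"
        outbound=[allow_web])
    stateful = StatefulFirewall(outbound_policy=[allow_web])

    # constructed packets: a normal web handshake plus two inbound probes
    client_syn = Packet(client, 51234, server, 80, frozenset({"SYN"}))
    server_syn_ack = Packet(server, 80, client, 51234, frozenset({"SYN", "ACK"}))
    unsolicited_syn = Packet(attacker, 40001, client, 445, frozenset({"SYN"}))
    ack_probe = Packet(attacker, 40002, client, 445, frozenset({"ACK"}))  # ACK scan

    verdicts = {}
    for name, fw in (("stateless", stateless), ("stateful", stateful)):
        verdicts[name] = {
            "client_syn": fw.permits(client_syn, "out"),
            "server_syn_ack": fw.permits(server_syn_ack, "in"),
            "unsolicited_syn": fw.permits(unsolicited_syn, "in"),
            "ack_probe": fw.permits(ack_probe, "in"),
        }
    return verdicts


if __name__ == "__main__":
    for fw_name, v in run_scenario().items():
        print(fw_name, v)
```

Both firewalls let the client's SYN out and the server's SYN/ACK back in, and both drop the unsolicited SYN to port 445. The difference is the ACK-only probe: the stateless `established`-style rule passes it (which is exactly what an nmap ACK scan relies on to map stateless filters), while the stateful firewall drops it because no state entry exists. Real stateful firewalls additionally validate sequence numbers and remove entries on FIN/RST or idle timeout; the toy state table above never expires entries.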

5) Application Firewall

As the name suggests, this type works at Layer 7 (application) of the OSI model. It parses and inspects the application-layer protocol itself (HTTP requests, SQL statements, etc.), not just the IP and TCP headers.

This firewall has knowledge of what constitutes safe or normal application traffic and what is malicious application traffic.

For example, an application firewall that protects a web server knows about HTTP-based attacks (e.g. SQL injection, Cross-Site Scripting) and protects the application by decoding and examining the HTTP requests (URL, query string, headers, body) before they reach the web server.

Some examples of application firewalls include:

  • WAF (Web Application Firewall): protects websites/web servers.
  • DB (Database) Firewall: protects databases such as Oracle, MSSQL etc. by inspecting the SQL statements sent to them.
  • Proxy Firewall: terminates the user's session and opens its own connection to the destination, so it can inspect and protect traffic from users towards the Internet. It can also provide URL/domain web filtering. Users gain access through a process that establishes session state, user authentication and authorization policy.
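As an added example (not code from the article or from any real WAF product), the following minimal WAF-style check shows what "looking into the HTTP application traffic" involves: parsing the raw request, decoding the path, query string, form body and selected headers, and matching the decoded values against signatures. The signatures are a handful of illustrative patterns, not a production ruleset, and the sample requests are constructed for the example.

```python
"""Layer-7 inspection: a minimal WAF-style check of an HTTP request.

Constructed example (not code from the article). The signatures are a few
illustrative patterns, not a real WAF ruleset, and the requests are made up.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Illustrative signatures. Real WAFs use hundreds of rules plus anomaly scoring.
SIGNATURES = {
    "sqli": re.compile(
        r"(?i)(\bunion\b\s+\bselect\b"           # UNION SELECT
        r"|'\s*or\s+'?\d+'?\s*=\s*'?\d+"         # ' OR '1'='1
        r"|;\s*drop\s+table\b)"),
    "xss": re.compile(
        r"(?i)(<script\b|javascript:|<\w+[^>]*\son\w+\s*=)"),   # tag with on*= handler
}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    return method, target, headers, body.decode("latin-1")


def inspect(raw: bytes):
    """Return ('allow', None, None) or ('block', signature_name, field)."""
    _method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    # Gather every attacker-controlled field that a packet filter never sees.
    fields = [("path", unquote(url.path))]
    fields += [("query:" + k, v) for k, v in parse_qsl(url.query, keep_blank_values=True)]
    if headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
        fields += [("body:" + k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    for name in ("User-Agent", "Referer", "Cookie"):
        if name in headers:
            fields.append(("header:" + name, headers[name]))

    for field, value in fields:
        # parse_qsl already decoded once; decode again so a double-encoded
        # payload (%2527 -> %27 -> ') cannot slip past the patterns.
        decoded = unquote(unquote(value))
        for sig_name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                return ("block", sig_name, field)
    return ("allow", None, None)


# Constructed sample traffic: one benign request, three attacks.
SAMPLES = {
    "benign": b"GET /search?q=firewall+types HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "sqli_query": (b"GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1\r\n"
                   b"Host: example.test\r\n\r\n"),
    "sqli_double_encoded": (b"GET /item?id=1%2527%2520UNION%2520SELECT%2520null HTTP/1.1\r\n"
                            b"Host: example.test\r\n\r\n"),
    "xss_post_body": (b"POST /comment HTTP/1.1\r\nHost: example.test\r\n"
                      b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                      b"text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
}


def demo() -> dict:
    """Verdict per sample, e.g. {'benign': ('allow', None, None), ...}."""
    return {name: inspect(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Note that every one of these requests is an ordinary TCP connection to port 80 and would pass a packet filter or a plain stateful firewall unchanged; only the Layer 7 parsing exposes the payload. The double-encoded sample also shows why decoding matters: after a single decode the payload still reads `%20UNION%20SELECT`, which the `\bunion\b\s+\bselect\b` pattern does not match. Real WAFs normalize far more (charsets, chunked bodies, JSON, multipart) and score anomalies rather than relying on exact signatures, because signature-only matching is easy to evade.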

6) Next-generation Firewall (NGFW)

This is mostly a marketing term which has become popular among firewall manufacturers. Basically, a NGFW combines almost all the types discussed above into one box. It is a stateful firewall (a hardware or virtual appliance) which also provides application-level identification, inspection and control.

This type offers deep packet inspection and can identify malicious traffic from Layer 3 up to the application layer, including identifying applications regardless of the port they use (e.g. recognizing HTTP or SSH on a non-standard port).

A NGFW usually provides intrusion detection/prevention (IDS/IPS), anti-malware, URL filtering, application control and often TLS decryption. These features are usually licensed separately, and the customer has to pay extra fees to enable some or all of them.

Many NGFWs communicate with the manufacturer's cloud security service (e.g. Cisco Talos, Fortinet FortiGuard) to receive threat intelligence updates such as reputation feeds and new signatures.

7) Telephony Related Firewalls

There is a rare type of firewall which is not usually found in normal enterprise networks, except in some specialized cases.

These are special firewalls related to telephony and VoIP services, used to protect systems from attacks carried over telephony signaling.

Some examples include:

  • SIP firewalls (to protect VoIP telephone systems, e.g. from registration brute-forcing and toll fraud).
  • SMS firewalls (for GSM mobile networks, to protect subscribers from SMS spam and fraud attacks).
  • SS7 firewalls (to protect mobile telephony operators from attacks on the SS7 signaling network, such as subscriber location tracking and SMS interception).

What is Firewall Technology

Firewalls are used to protect computer networks from hostile intrusions. A network firewall separates trusted internal networks (e.g. the internal corporate LAN) from external untrusted networks (e.g. the Internet or an untrusted WAN).

The primary objective of the firewall is to examine all inbound and outbound traffic and check whether it meets specific criteria (the firewall policy rules). Traffic that complies with the policy is permitted; everything else is dropped (the "default deny" principle).

Filed Under: Network Security


About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.
