Network security has been a critical issue since Thomas Edison invented the computer and texted his assistant, “Mr. Watson, come here. I want to see you.” Network security has evolved tremendously since the first firewall bounced its first IP packet. Let’s take a look at the various classes of firewalls/security appliances/UTMs and finish up with a quick discussion of the latest evolution in network security, SASE.
Discussion of Firewalls
Firewalls protect local computer networks from security risks by acting as a “gate-keeper”, usually in the form of a physical device (but becoming more and more virtualized each year), located between the local network and the public Internet (or between subnets of the same local network). They block what they deem to be malicious and allow through everything else. Or, they block everything and allow through only what they deem as legitimate traffic.
Firewalls have evolved along with the threat profile over the years and the firewall functionality has been absorbed into many routers, high-end security devices, and the cloud. But they started as relatively simple “packet bouncers” tasked with filtering out suspicious Internet packets.
There is some subjectivity in designating the “generational” development of firewalls. For example, Next Generation Firewalls (NGFW) can really be considered generation 3, 4, or 5, depending on your definitions. Wikipedia considers it Gen3 while Juniper Networks would consider it Gen4. I like thinking of the application-level/proxy server firewall as Gen3 so I’ll consider NGFW to be “Gen4”, as follows:
Packet Filtering (1st Generation)
First Gen firewalls performed static, stateless packet (header) filtering. The firewall examined the packet header and looked at the five parameters (the “5-tuple”) that identify a TCP/UDP connection: source and destination IP addresses, source and destination ports, and protocol. It then compared these parameters against a set of pre-defined (and hopefully constantly updated) rules to decide whether the current packet should be allowed through the firewall. Because each packet is judged on its own, the filter has no memory of what came before it.
Stateful Inspection / Circuit-Level Gateways (2nd Generation)
These firewalls take the simple packet-header filtering of the previous generation and incorporate session and connection information to make a more informed decision about whether a given packet is safe to allow through. Circuit-level gateways are less concerned with individual packets and instead monitor session-establishment mechanics such as the TCP handshake, ACKs, etc. Stateful inspection firewalls attempt to match incoming packets with pre-existing, legitimate connections. For example, if a host on the local network requests data from an external server, the stateful firewall records that request and expects a corresponding return packet from the external server; a return packet that matches no recorded request gets no such free pass.
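The following is an added example, not code from the original post, that contrasts the two generations just described on a constructed 5-tuple packet model: a stateless first-match rule set, and the same rule set wrapped in a connection table so that only replies to flows the inside opened are admitted. The addresses, ports and rules are assumptions made up for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed "local network" range for this example (assumption).
INSIDE = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    """Only the 5-tuple a 1st-gen filter looks at; no payload."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str  # "tcp" or "udp"

    def flow(self) -> Tuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)

    def reverse_flow(self) -> Tuple:
        # The 5-tuple a reply to this packet would carry.
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str = "*"       # CIDR or "*" (any)
    dst: str = "*"
    src_port: object = "*"
    dst_port: object = "*"
    proto: str = "*"

    def matches(self, p: Packet) -> bool:
        def ip_ok(cidr: str, ip: str) -> bool:
            return cidr == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)
        return (ip_ok(self.src, p.src_ip) and ip_ok(self.dst, p.dst_ip)
                and self.src_port in ("*", p.src_port)
                and self.dst_port in ("*", p.dst_port)
                and self.proto in ("*", p.proto))


def stateless_decide(rules: List[Rule], p: Packet) -> str:
    """1st generation: first matching rule wins, default deny, no memory between packets."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFirewall:
    """2nd generation: the same rules, plus a table of flows the inside initiated."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.table: Set[Tuple] = set()

    def decide(self, p: Packet) -> str:
        if p.reverse_flow() in self.table:
            return "allow"  # reply to a connection the local network opened
        verdict = stateless_decide(self.rules, p)
        if verdict == "allow" and ipaddress.ip_address(p.src_ip) in INSIDE:
            self.table.add(p.flow())  # remember the outbound flow so its reply can come back
        return verdict


# A stateless filter must open a hole for replies; the only header it can key on is
# the server's source port, so the hole admits *anything* that uses source port 443.
STATELESS_RULES = [
    Rule("allow", src="10.0.0.0/8", dst_port=443, proto="tcp"),  # outbound HTTPS
    Rule("allow", dst="10.0.0.0/8", src_port=443, proto="tcp"),  # "replies" (too broad)
]
# The stateful version needs only the outbound rule.
STATEFUL_RULES = [Rule("allow", src="10.0.0.0/8", dst_port=443, proto="tcp")]

# Constructed sample packets (documentation addresses, not real hosts).
OUTBOUND = Packet("10.0.0.5", "203.0.113.10", 51234, 443, "tcp")
REPLY = Packet("203.0.113.10", "10.0.0.5", 443, 51234, "tcp")
UNSOLICITED = Packet("198.51.100.7", "10.0.0.5", 443, 22, "tcp")  # nobody inside asked for this


def compare() -> Dict[str, Dict[str, str]]:
    """Run the three packets through both firewalls and return the verdicts."""
    fw = StatefulFirewall(STATEFUL_RULES)
    out = {"stateless": {}, "stateful": {}}
    for name, p in (("outbound", OUTBOUND), ("reply", REPLY), ("unsolicited", UNSOLICITED)):
        out["stateless"][name] = stateless_decide(STATELESS_RULES, p)
        out["stateful"][name] = fw.decide(p)
    return out


if __name__ == "__main__":
    for gen, verdicts in compare().items():
        print(gen, verdicts)
```

Both firewalls pass the outbound request and its reply; only the stateful one refuses the unsolicited packet, because it keys on the connection table rather than on a blanket source-port rule. Real stateful engines also track TCP flags and sequence numbers and age entries out of the table, which is omitted here.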
Application-Level Gateways / Proxy Servers (3rd Generation)
Application-level gateways act as proxy servers for a given application. They are positioned in-line between the local network and the external server the local network wishes to communicate with. They are tuned to the application, so they know what kind of traffic and communications should be occurring within the context of that application. This allows them to be highly effective at letting only legitimate traffic through the firewall (gateway/proxy server). Of course, they also leverage the best techniques from the previous generations of firewalls.
Next Generation Firewalls (4th Generation)
Next Gen Firewalls (NGFW) are the latest and greatest, combining all elements of past generations and adding significant capability. The most significant advancement is Deep Packet Inspection, or DPI. DPI allows the firewall not only to examine and filter on the packet header, but also to look at the payload itself. NGFWs can decrypt (and then re-encrypt) packet payloads and thus have much more visibility into how each packet fits into the session communication stream. Suspicious packets or traffic can be flagged and/or blocked according to sophisticated algorithms, user-defined rules, and external security best practices. Additionally, NGFWs also contain significant network security features, such as Intrusion Detection and Prevention (IDS/IDP), malware filtering and antivirus protection.
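The following is an added example, not code from the original post, showing what the 3rd- and 4th-generation ideas look like on the payload of a packet bound for a web port (assumed to already be decrypted, as the NGFW description above requires). It parses the payload as an HTTP request the way an application-level gateway would, applies an application-aware policy, and then runs the payload against a small signature set as a DPI engine does. The host allow list and the signatures are constructed for the illustration; a real NGFW ships large, vendor-maintained signature sets.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed policy (assumptions for this example).
ALLOWED_METHODS = {b"GET", b"POST", b"HEAD"}
ALLOWED_HOSTS = {b"intranet.example.com"}

# Constructed payload signatures; real products carry thousands of these.
SIGNATURES = {
    "http-path-traversal": re.compile(rb"\.\./"),
    "http-script-tag-in-request": re.compile(rb"(?i)<script"),
}


@dataclass(frozen=True)
class Verdict:
    action: str   # "allow" or "deny"
    reason: str


def parse_http_request(payload: bytes) -> Optional[Dict]:
    """Application awareness: return the request's parts, or None if this isn't HTTP."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, colon, value = line.partition(b":")
        if not colon:
            return None  # malformed header line: not a well-formed request
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "version": parts[2],
            "headers": headers, "body": body}


def inspect_http(payload: bytes) -> Verdict:
    """Deep packet inspection of one (decrypted) request payload on a web port."""
    req = parse_http_request(payload)
    if req is None:
        # 3rd-gen behaviour: the gateway knows what HTTP looks like and drops anything else
        return Verdict("deny", "payload on web port is not HTTP (protocol mismatch)")
    if req["method"] not in ALLOWED_METHODS:
        return Verdict("deny", "method %s not permitted" % req["method"].decode("ascii", "replace"))
    if req["headers"].get(b"host") not in ALLOWED_HOSTS:
        return Verdict("deny", "host not in allow list")
    # 4th-gen behaviour: signature matching over the payload itself
    for name, pattern in SIGNATURES.items():
        if pattern.search(req["target"]) or pattern.search(req["body"]):
            return Verdict("deny", "matched signature " + name)
    return Verdict("allow", "well-formed request to permitted host")


# Constructed sample payloads.
SAMPLES = {
    "normal": b"GET /status HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n",
    "traversal": b"GET /download?file=../../secret.txt HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n",
    "not_http": b"SSH-2.0-OpenSSH_9\r\n",
    "bad_method": b"TRACE / HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n",
    "wrong_host": b"GET / HTTP/1.1\r\nHost: other.example.net\r\n\r\n",
}


def run_samples() -> Dict[str, str]:
    """Inspect every sample and return name -> action."""
    return {name: inspect_http(payload).action for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        v = inspect_http(payload)
        print("%-11s %-5s %s" % (name, v.action, v.reason))
```

A 1st- or 2nd-generation device would pass every one of these samples, since they all travel on an allowed port inside a legitimately opened connection; only the payload distinguishes them. The protocol-mismatch check is what catches tunnelling of another protocol over a permitted port, and the allow list and signatures are where the "user-defined rules" and "external best practices" from the paragraph above plug in.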
Alternative Classification of Firewalls
We classified firewalls above by the underlying technology they use to function. When thinking about firewall types, they can also be classified by their purpose – what exactly is it that they’re protecting? They can be used in many different environments to protect different types of resources. A nice discussion in these terms is provided by the eSecurityPlanet article Types of Firewalls: What IT Security Pros Need to Know. They discuss the firewalls above and also talk about database firewalls, container firewalls, and others.
Network Security Devices
Network security devices traditionally refer to physical boxes that you plug your local network into. Some of the earliest security devices were firewalls, and that’s all those boxes did – firewalling. With the explosion of software-defined networking (SDN) and virtualized network functions (VNFs), firewalling and many other network security features have been migrating away from physical devices and are instead largely implemented in software. Sometimes a physical box is still used at the local network edge, but these boxes are now highly multi-functional. Advanced SD-WAN routers now often offer add-on services such as sophisticated firewall capabilities as well as many other important security features, including all the capabilities of NGFW plus many others.
A crystal clear example of this migration away from physical boxes is the cloud-based “as-a-service” paradigm that has seemingly taken over the networking landscape. Don’t want to buy a physical firewall device? Then just sign up for FWaaS – Firewall-as-a-Service. Or, don’t stop there, and transfer all of your network security functionality to the cloud by using UTMaaS, or Unified Threat Management-as-a-Service.
Taking the next logical step in consolidating network security leads us to Unified Threat Management (UTM) solutions. As we’ve seen, firewalls have become more and more capable and sophisticated, from simply bouncing individual packets to becoming fully application aware and from simply blocking unused ports to performing deep-packet inspections and tracking session and connection details. With the explosion and maturation of SDN and VNFs, it is no surprise that current UTM solutions (whether implemented on a physical device, or in the cloud) now encompass (or at least try to) all aspects of network security, including:
We previously discussed “The Current State of UTM” in some detail. Please check it out to review the myriad computer and network security threats and how UTM attempts to safely secure your network.
Secure Access Service Edge (SASE)
With cloud-based services becoming more commonplace where most or all of your internet traffic goes through a data center on its way to or from the cloud, distributing security to individual branch offices just doesn’t make sense anymore. Even the concept of the data center as some sort of “network edge” is rapidly giving way to the reality of a much more flexible, identity-centric, “centralized security”, where security is moved away from the branch office.
In their 2019 article “The Future of Network Security Is in the Cloud”, Gartner introduces us to the concept of a “Secure Access Service Edge”, which they refer to as “SASE”.
Gartner lays out a well-reasoned argument for SASE: “Digital business transformation inverts network and security service design patterns, shifting the focal point to the identity of the user and/or device — not the data center… Complexity, latency and the need to decrypt and inspect encrypted traffic once will increase demand for consolidation of networking and security-as-a-service capabilities into a cloud-delivered secure access service edge (SASE).”
Among other things, SASE highlights the high-performance, secure connectivity of the last mile, which is best accomplished with SD-WAN for branch offices. For more information on this, please read our recent post, “Secure Access Service Edge and SD-WAN”.
Firewalls have progressed steadily from simple packet bouncers to sophisticated communications and applications analysis algorithms. As SDN and NFV have evolved, network security devices and/or software have developed into extremely capable, multi-purpose, unified threat management systems. The future will continue this trend, and pack more and more security features into integrated devices and/or software suites, largely cloud based, and moving closer and closer to the service edge.
SD-WAN routers used in branch offices and other remote locations remain a critical component as the industry transitions to a more SASE-based networking security model. SD-WAN allows enterprises (small/medium/large sized businesses, branch offices, remote work sites, even non-wired sites, mobile enterprises) to optimally leverage multiple WAN and/or cellular resources. This greatly facilitates the secure service edge model as it ensures a rock-solid connection to any cloud resources.
Rob Stone, Mushroom Networks, Inc.