8 Types of Firewalls Explained
Everyone understands the basic function of a firewall – to protect your network from malware and unauthorized access. But the exact specifics of how firewalls work are lesser-known.
What exactly is a firewall? How do the different types of firewalls work? And perhaps most importantly – which type of firewall is best?
Firewall 101
Simply put, a firewall is just another network endpoint. What makes it special is its ability to intercept and scan incoming traffic before it enters the internal network, blocking malicious actors from gaining access.
Verifying the authentication of each connection, hiding the destination IP from hackers, and even scanning the contents of each data packet – firewalls do it all. A firewall serves as a checkpoint of sorts, carefully controlling the type of communication that’s let in.
Packet-Filtering Firewalls
Packet-filtering firewalls are the simplest and least resource-intensive firewall technology out there. While they are out of favor these days, they were the staple of network protection on older systems.
A packet-filtering firewall operates at a packet level, scanning each incoming packet from the network router. But it doesn’t actually scan the contents of the data packets – just their headers. This allows the firewall to verify metadata like the source and destination addresses, port numbers, etc.
As you might suspect, this type of firewall isn’t very effective on its own. All that a packet-filtering firewall can do is cut down on unwanted network traffic according to an access control list. Since the packet’s contents themselves are never checked, malware can still get through.
Circuit-Level Gateways
Another resource-efficient way of verifying the legitimacy of network connections is a circuit-level gateway. Instead of checking the headers of individual data packets, a circuit-level gateway verifies the session itself.
Once again, a firewall like this doesn’t go through the contents of the transmission itself, leaving it vulnerable to a host of malicious attacks. That being said, verifying Transmission Control Protocol (TCP) connections at the session layer of the OSI model takes very few resources, and it can effectively shut down undesirable network connections.
This is why circuit-level gateways are often built into most network security solutions, especially software firewalls. These gateways also help mask the IP address of the user by creating virtual connections for every session.
Stateful Inspection Firewalls
Both packet-filtering firewalls and circuit-level gateways are stateless firewall implementations. This means that they operate on a static ruleset, limiting their effectiveness. Every packet (or session) is treated separately, which allows for only very basic checks to be carried out.
A Stateful Inspection Firewall, on the other hand, keeps track of the state of the connection, along with the details of every packet transmitted through it. By monitoring the TCP handshake throughout the duration of the connection, a stateful inspection firewall is able to compile a table containing the IP addresses and port numbers of the source and the destination and match up incoming packets with this dynamic ruleset.
Thanks to this, it’s difficult to sneak malicious data packets past a stateful inspection firewall. On the flip side, this kind of firewall has a heavier resource cost, slowing down performance and creating an opportunity for hackers to use Distributed Denial-of-Service (DDoS) attacks against the system.
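To make the difference between the two approaches concrete, here is an added example (not code from the original article) that simulates both: a stateless filter matching header fields against a static ACL, and a stateful filter that builds a connection table from the TCP handshake. The address ranges, ports and packets are constructed for illustration.

```python
# Added example (not from the article): a stateless header filter beside a
# stateful inspection filter that follows the TCP handshake. Packets are constructed.
INTERNAL_PREFIX = "10.0.0."          # assumed internal address range

def inbound(pkt):
    return not pkt["src"].startswith(INTERNAL_PREFIX)

def stateless_filter(pkt):
    """Static ACL on header fields only (payload never examined); to let
    clients receive replies it must allow inbound TCP to all ephemeral ports."""
    if not inbound(pkt):
        return "allow"
    return "allow" if pkt["dport"] >= 1024 else "deny"

class StatefulFilter:
    """Admits packets only if they belong to a connection the inside opened."""
    def __init__(self):
        self.table = {}              # (client, cport, server, sport) -> state

    def filter(self, pkt):
        flags = pkt["flags"]
        if not inbound(pkt):
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            state = self.table.get(key)
            if state is None and flags == {"SYN"}:
                self.table[key] = "SYN_SENT"         # client starts handshake
                return "allow"
            if state == "SYN_RECV" and "ACK" in flags:
                self.table[key] = "ESTABLISHED"      # third step of handshake
                return "allow"
            return "allow" if state == "ESTABLISHED" else "deny"
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])   # reversed
        state = self.table.get(key)
        if state == "SYN_SENT" and flags == {"SYN", "ACK"}:
            self.table[key] = "SYN_RECV"             # server answered
            return "allow"
        return "allow" if state == "ESTABLISHED" else "deny"

def pkt(src, sport, dst, dport, *flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}

def run_scenario():
    """(stateless verdict, stateful verdict) for a stray inbound packet after a real connection."""
    sf, c, s = StatefulFilter(), "10.0.0.5", "203.0.113.9"
    handshake = [pkt(c, 40000, s, 443, "SYN"), pkt(s, 443, c, 40000, "SYN", "ACK"),
                 pkt(c, 40000, s, 443, "ACK")]
    assert [sf.filter(p) for p in handshake] == ["allow"] * 3
    # Stray inbound packet to an ephemeral port: the ACL admits it, the table does not.
    stray = pkt("198.51.100.7", 80, c, 40001, "ACK")
    return stateless_filter(stray), sf.filter(stray)
```

The stray packet is admitted by the stateless rule purely because its destination port lies in the range the ACL has to leave open, while the stateful filter drops it because no tracked connection explains it.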
Proxy Firewalls
Better known as Application Level Gateways, Proxy Firewalls operate at the front-facing layer of the OSI model – the application layer. As the final layer separating the user from the network, this layer allows for the most thorough and expensive checking of data packets, at the cost of performance.
Similar to Circuit-Level Gateways, Proxy Firewalls work by interceding between the host and the client, obfuscating internal IP addresses of the destination ports. In addition, application-level gateways perform a deep packet inspection to ensure no malicious traffic can get through.
And while all of these measures significantly boost the security of the network, they also slow down incoming traffic. Network performance takes a hit due to the resource-intensive checks conducted by a stateful firewall like this, making it a poor fit for performance-sensitive applications.
NAT Firewalls
In many computing setups, the key lynchpin of cybersecurity is to ensure a private network, concealing the individual IP addresses of client devices from both hackers and service providers. As we have already seen, this can be accomplished using a Proxy firewall or a Circuit-level gateway.
A much simpler method of hiding IP addresses is to use a Network Address Translation (NAT) Firewall. NAT firewalls do not require many system resources to function, making them the go-to choice between servers and the internal network.
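As an added example (not code from the original article), the following minimal source-NAT table shows the two properties the text relies on: internal hosts leave with the gateway's public address, and only inbound packets matching an existing mapping are translated back, so unsolicited traffic never reaches a private address. The public address, port range and packets are constructed for illustration.

```python
# Added example (not from the article): a minimal source-NAT mapping table.
PUBLIC_IP = "198.51.100.1"       # assumed public address of the NAT gateway

class NatGateway:
    def __init__(self, public_ip=PUBLIC_IP, first_port=20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (private_ip, private_port) -> public_port
        self.inbound = {}    # public_port -> (private_ip, private_port)

    def translate_out(self, pkt):
        """Rewrite the source of an outbound packet to the public address."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.outbound:
            self.outbound[key] = self.next_port     # allocate a public port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return dict(pkt, src=self.public_ip, sport=self.outbound[key])

    def translate_in(self, pkt):
        """Map an inbound packet back to the private host, or None to drop it."""
        key = self.inbound.get(pkt["dport"])
        if key is None or pkt["dst"] != self.public_ip:
            return None                             # unsolicited: no mapping exists
        return dict(pkt, dst=key[0], dport=key[1])

def demo():
    """Returns (translated outbound packet, translated reply, verdict for a stray packet)."""
    nat = NatGateway()
    out = nat.translate_out({"src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.9", "dport": 80})
    reply = nat.translate_in({"src": "203.0.113.9", "sport": 80, "dst": PUBLIC_IP, "dport": out["sport"]})
    stray = nat.translate_in({"src": "192.0.2.4", "sport": 80, "dst": PUBLIC_IP, "dport": 33333})
    return out, reply, stray
```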
Web Application Firewalls
Only network firewalls that operate at the application layer are able to perform deep scanning of data packets, such as a proxy firewall or, better yet, a Web Application Firewall (WAF).
Operating from within the network or the host, a WAF goes through all the data transmitted by various web applications, making sure that no malicious code gets through. This type of firewall architecture specializes in packet inspection and provides better security than surface-level firewalls.
Cloud Firewalls
Traditional firewalls, whether hardware or software, don’t scale well. They have to be installed with the needs of the system in mind, either focusing on high-traffic performance or on security for low network traffic.
But Cloud Firewalls are far more flexible. Deployed from the cloud as a proxy server, this type of firewall intercepts network traffic before it enters the internal network, authorizing each session and verifying each data packet before letting it in.
The best part is that such firewalls can be scaled up and down in capacity as needed, adjusting to different levels of incoming traffic. Offered as a cloud-based service, they require no hardware and are maintained by the service provider itself.
Next-Generation Firewalls
Next-Generation can be a misleading term. All tech-based industries love to throw buzzwords like this around, but what does it really mean? What features qualify a firewall to be considered next-gen?
In truth, there is no strict definition. Generally, you can consider solutions that combine different types of firewalls into a single efficient security system to be a Next-Generation Firewall (NGFW). Such a firewall is capable of deep packet inspection while also shrugging off DDoS attacks, providing a multilayer defense against hackers.
Most next-generation firewalls combine multiple network solutions, such as VPNs, Intrusion Prevention Systems (IPS), and even an antivirus, into one powerful package. The idea is to offer a complete solution that addresses all types of network vulnerabilities, giving absolute network security. To this end, some NGFWs can also decrypt Secure Sockets Layer (SSL) communications, allowing them to notice encrypted attacks as well.
Which Type of Firewall is the Best to Protect Your Network?
The thing about firewalls is that different types of firewalls use different approaches to protect a network.
The simplest firewalls just authenticate the sessions and packets, doing nothing with the contents. Gateway firewalls are all about creating virtual connections and preventing access to private IP addresses. Stateful firewalls keep track of connections through their TCP handshakes, building a state table with the information.
Then there are next-generation firewalls, which combine all of the above processes with deep packet inspection and a bevy of other network protection features. It might seem obvious that an NGFW would provide your system with the best security possible, but that isn’t always the right answer.
Depending on the complexity of your network and the type of applications being run, your systems might be better off with a simpler solution that safeguards against the most common attacks instead. The best idea might be to just use a third-party Cloud firewall service, offloading the fine-tuning and upkeep of the firewall to the service provider.