By: Paul Tablan on May 24, 2022
Firewalls: What You Need To Know (Function, Features, Capabilities)
Firewalls often fall into that “out-of-sight, out-of-mind” category; quietly operating to keep your network safe without too much thought from business leaders or users. But, just like every other part of your network, firewalls need to be monitored and updated to ward off new threats.
As a network engineer at Kelser, I spend a lot of time advising clients about firewalls. In this article, I’ll explain the function, features, and capabilities of firewalls. I’ll explore some of the key differences, recent feature improvements, and what to look for when selecting a firewall.
I’ll also talk about how you can use firewalls in different places within your network to build up layers of protection. The truth is that while a perimeter firewall is a good start, on its own it doesn’t provide the strongest possible protection.
After reading this article, you’ll have a deeper understanding of firewall technology (in non-technical terms) and how to maximize it to secure your users and your network.
What Is A Firewall?
A firewall is a security tool that monitors and controls traffic traveling between networks of different trust levels (most often between an internal network and the internet).
In the simplest terms, a firewall allows or blocks traffic based on a policy, a set of rules defined by the organization.
In other words, a firewall is like a cell membrane that acts as a barrier between an internal computer network and the internet; it allows certain things to enter and prohibits others.
Why Is Firewall Technology Important?
A firewall performs much the same function as a security guard who grants or denies entry to visitors. If unauthorized traffic tries to get through your firewall, the firewall denies it, keeping your data and infrastructure protected.
How Much Do Firewalls Cost?
The cost of a new firewall depends on the features and throughput you need.
New firewalls can start at about $1,000, but you may need to factor in support and maintenance costs as well. The more throughput, features, and customization you need, the more expensive the firewall.
Some companies bundle support into the firewall cost, others don’t. Support typically also covers the threat-intelligence feeds: it keeps the intrusion prevention system (IPS) engine and its signature database current, so that when new threats are discovered the firewall can recognize them.
Since new threats come out every day and old threats resurface, it’s important for the devices and the engines that run security protocols to be updated so they can identify the current threats. That makes the support part of the equation critically important.
If I Have A Perimeter Firewall, Am I Protected?
Well, yes…and no. As I mentioned earlier, every business needs at least a perimeter firewall to protect its network. The best protection, though, can be achieved by placing firewalls at key points in your network to protect different data or functions.
Let me explain.
Early firewalls operated only at layers three and four of the Open Systems Interconnection (OSI) model.
Layer three, also known as the network layer, deals with internet protocol (IP) addresses, which identify (much like a telephone number) every device on the internet or on a local network.
Layer four (the transport layer) covers the transmission control protocol (TCP) and the user datagram protocol (UDP). Both deliver data to and from applications running on a host by tagging each segment or datagram with a source and a destination port number.
So early firewalls could allow or deny traffic based only on source and destination IP addresses (layer three) and on protocol and port numbers (layer four). That tells you where the traffic is going and which service it claims to be, but not what it actually is.
Those early firewalls weren’t as intelligent or as feature-rich as today’s firewalls, which can also inspect traffic higher up the OSI model.
Layer seven firewalls, for example, operate at the application layer, making it possible to allow or deny traffic by application or website category rather than by port alone. Because almost everything now runs over ports 80 and 443, a port-based rule can’t tell a business web application from a gambling site; a layer seven firewall can. That lets organizations block gambling websites or sites that provide explicit content while still allowing other web traffic, and makes it much easier to fine-tune which applications end users are allowed to use.
How Can Installing Firewalls At Different Levels Of My Network Provide Optimal Security?
Today there are many types of firewalls. The two broad categories are network firewalls (appliances that sit in the traffic path) and host-based firewalls (software running on the workstation or server itself).
A firewall can be placed at almost any point within the network. The most common placement is directly on the perimeter, where it is the first line of defense between the internet service provider’s connection and the internal network.
You also can place multiple firewalls in-line to achieve different functions and to provide a multi-layered approach to security.
For example, in addition to a perimeter firewall, a company might run a host firewall on every workstation and server. With that arrangement, if something gets past the perimeter firewall, or starts inside the network (a compromised laptop, for instance), the host firewall provides an additional layer of protection for each device.
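To make the difference between layer three/four and layer seven filtering, and the value of a second firewall behind the perimeter, concrete, here is a small policy engine written for this article as an added illustration. It is not code from the original article, from Kelser, or from any firewall vendor. The rules, the IP addresses (10.0.0.0/8 for the internal network and RFC 5737 documentation ranges for the internet), the application names and the “packets” are all constructed for the example; a real firewall would identify the layer seven application from the TLS server name or HTTP host header, which is simply supplied here as a field on the packet.

```python
# Added example: a toy first-match policy engine showing layer 3/4 versus
# layer 7 matching and a perimeter firewall backed by a host firewall.
# Not from the original article or any vendor; all rules, addresses and
# "packets" below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    src: str                   # layer 3: source IP address
    dst: str                   # layer 3: destination IP address
    proto: str                 # layer 4: "tcp" or "udp"
    dport: int                 # layer 4: destination port
    app: Optional[str] = None  # layer 7: e.g. TLS server name; None if the firewall can't see it


@dataclass
class Rule:
    action: str                         # "allow" or "deny"
    src: str = "0.0.0.0/0"              # source network (any by default)
    dst: str = "0.0.0.0/0"              # destination network (any by default)
    proto: Optional[str] = None         # None matches any protocol
    dports: Optional[Set[int]] = None   # None matches any port
    apps: Optional[Set[str]] = None     # None matches any application (layer 7 condition)

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        # A layer 7 condition can only match when the application was identified.
        if self.apps is not None and (pkt.app is None or pkt.app not in self.apps):
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched hits the implicit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def evaluate_layers(layers: List[Tuple[str, List[Rule]]], pkt: Packet) -> str:
    """Defense in depth: traffic must be allowed by every firewall on its path."""
    for name, rules in layers:
        if evaluate(rules, pkt) == "deny":
            return f"deny@{name}"
    return "allow"


# Constructed perimeter policy using only layer 3/4 conditions (what an early firewall could express).
PERIMETER_L34 = [
    Rule("allow", src="10.0.0.0/8", proto="tcp", dports={80, 443}),   # outbound web
    Rule("allow", src="10.0.0.0/8", proto="udp", dports={53}),        # outbound DNS
    Rule("allow", dst="10.0.0.0/8", proto="tcp", dports={3389}),      # over-permissive: inbound RDP from anywhere
]

# Same intent with a layer 7 condition added: block one web destination by application, not by port.
PERIMETER_L7 = [
    Rule("deny", src="10.0.0.0/8", proto="tcp", dports={443}, apps={"casino.example"}),
    Rule("allow", src="10.0.0.0/8", proto="tcp", dports={80, 443}),
]

# Constructed host firewall on workstation 10.0.0.5: RDP only from the jump host 10.0.0.10.
HOST_10_0_0_5 = [
    Rule("allow", src="10.0.0.10/32", dst="10.0.0.5/32", proto="tcp", dports={3389}),
    Rule("deny", dst="10.0.0.5/32", proto="tcp", dports={3389}),
    Rule("allow", src="10.0.0.5/32"),                                  # the workstation's own outbound traffic
]

# Two HTTPS flows that look identical at layer 3/4 and differ only at layer 7.
P_SAAS = Packet("10.0.0.5", "198.51.100.20", "tcp", 443, app="mail.example")
P_CASINO = Packet("10.0.0.5", "198.51.100.21", "tcp", 443, app="casino.example")
# Inbound RDP from the internet and from the internal jump host. (A real perimeter
# firewall would not see internal-to-internal traffic; both layers are evaluated here
# only to show which layer makes the decision.)
P_RDP_INTERNET = Packet("203.0.113.7", "10.0.0.5", "tcp", 3389)
P_RDP_JUMP = Packet("10.0.0.10", "10.0.0.5", "tcp", 3389)

if __name__ == "__main__":
    for pkt in (P_SAAS, P_CASINO):
        print(pkt.app, "layer3/4:", evaluate(PERIMETER_L34, pkt), "layer7:", evaluate(PERIMETER_L7, pkt))
    layers = [("perimeter", PERIMETER_L34), ("host", HOST_10_0_0_5)]
    for pkt in (P_RDP_INTERNET, P_RDP_JUMP):
        print(pkt.src, "-> RDP on 10.0.0.5:", evaluate_layers(layers, pkt))
```

Running it shows the two points in the text: the layer three/four policy allows both HTTPS flows because it only sees port 443, while the layer seven policy denies the one whose application is on the block list; and the over-permissive inbound RDP rule at the perimeter is caught by the host firewall, which only accepts RDP from the jump host. Note the last line of the layer seven policy: a flow whose application the firewall could not identify falls through to the port-based allow, which is why unidentified traffic deserves its own, stricter rule in a real policy.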
What Are The Key Features To Look For In A Firewall?
Some of the most important features in a firewall are:
1. Operating Layer
At a minimum, a firewall needs to filter at layers three and four. Layer seven inspection isn’t strictly required, but it lets you see and control traffic by application rather than by port, which is where most of the fine-tuning of what end users may access happens.
2. Throughput
Probably the biggest factor is the firewall’s throughput: the amount of traffic it can process in a given amount of time, usually stated in megabits or gigabits per second.
Throughput capacity varies by model and by which inspection features are turned on. It also drives the price.
For example, the FortiGate FGT-60F is an entry-level, branch-office model. Its datasheet lists a maximum firewall (layer three and four) throughput of 10 gigabits per second, but with the intrusion prevention system (IPS) enabled the maximum drops to 1.4 gigabits per second, because every packet is now being inspected against threat signatures. (If the IPS detects an intrusion, it tries to stop the attack rather than just logging it.)
With next-generation firewall (NGFW) features enabled, meaning layer seven application control on top of IPS, the same 60F is rated at only 1 gigabit per second, and with full threat protection (IPS, application control, and malware inspection together) at 700 megabits per second. So the throughput you actually get depends on which functions you turn on, and the headline firewall number is the one you will see least often.
The FortiGate 80F has the same firewall, IPS, and NGFW throughput as the 60F, but its threat protection maximum is 900 megabits per second.
So as you move up from entry-level to mid-range branch to data center models, you get more throughput, and more traffic can be inspected and protected.
Your link speed and traffic volume definitely factor into which firewall you select, and both affect the overall cost of the solution. Size against the throughput figure for the features you plan to enable, not against the headline firewall number.
3. Deployment Type (Physical, Virtual, Or Cloud)
Firewalls can be deployed as a physical or a virtual appliance.
Most vendors now offer virtual firewalls that run as a virtual machine on a hypervisor (and, for some products, as a container). That is an option for those who don’t want a physical appliance, keeping in mind that a virtual firewall’s throughput depends on the CPU and memory you give it on the host.
Firewalls also can be hosted in the cloud, but the ongoing cloud costs (instance hours and data transfer) would have to be considered when evaluating overall cost. Both Fortinet and Palo Alto Networks, to name a couple, offer whole security stacks with different features that can be added.
4. Brand Preference
Some companies might hear that a certain brand of firewall is good and want to just go with them.
It’s worth keeping an open mind and comparing options to ensure that you get the functionality and cost that work best for you. For example, two similarly priced models may differ in throughput or in some other feature that one does better than the other.
(Refer to the vendor’s datasheets for throughput numbers, and compare like with like: the figure with IPS or threat protection enabled, not the bare firewall figure.)
5. Number Of Ports
The number of ports matters, but note that here it means physical network interfaces, not TCP/UDP port numbers. Most organizations don’t use all of the interfaces on a firewall; a typical small deployment uses one or two, for instance one toward the internet connection and one toward the internal network.
6. SD-WAN integration
Firewalls are now gaining SD-WAN features, eliminating the need for a separate specialized router and simplifying deployment.
An SD-WAN typically has an underlay network (the physical WAN connections, such as broadband, MPLS, or cellular links) and an overlay network (encrypted tunnels, usually IPsec, built across those links) to interconnect corporate locations.
7. Graphical User Interface (GUI)
Be sure that the firewall has an intuitive, easy-to-use GUI. If the GUI is poorly designed or not updated and maintained, it hinders the ability to administer and maintain the firewall.
Why Might You Need A New Firewall?
In the same way that you make decisions about when to replace a vehicle or an appliance, some factors come into play when you think about replacing a firewall.
Depending on the manufacturer and model, most firewalls have a suggested lifecycle of 3 to 5 years, due to improvements in technology and security.
If your business has grown or changed substantially, you may need more throughput to accommodate the amount of incoming and outgoing traffic. This may necessitate a new firewall to support your business and provide the speed, safety, and capacity you need.
Most original equipment manufacturers (OEMs) provide support for a particular firewall model for several years.
Often a vendor will extend the life cycle of a particular model, but if not, you’ll have to move to a model that is currently supported.
If a vendor ends support for your model, you can keep using your current firewall, but you won’t get support, signature updates, or security patches. The firewall itself then becomes an unpatched, internet-facing device, and your organization’s exposure goes up.
What Are The Takeaways Regarding Firewalls?
After reading this article, you should have a working understanding of firewalls. You know what they do, why they are important, roughly what they cost, the benefits of a perimeter firewall, and the reasons to consider deploying firewalls at different levels within your infrastructure. You also know the features to look for in a firewall and when you might need to consider a new one.
As a caveat, let me say that no firewall is effective unless it is configured appropriately: a firewall with an over-permissive rule set, or one that is never updated, provides the appearance of protection without the substance.
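As an added illustration of what “configured appropriately” means in practice, here is a small check that scans a rule set for three classic mistakes: an any/any allow rule, management ports on internal hosts reachable from outside the internal network, and rules that are shadowed by an earlier, broader rule and therefore never take effect. This is example code written for this page, not a tool from the original article, from Kelser, or from any vendor; the rule set, the internal range 10.0.0.0/8, and the list of admin ports are all assumptions made for the example.

```python
# Added example: a lint pass over a first-match firewall rule set that flags
# misconfigurations which leave a firewall in place but ineffective.
# Not from the original article or any vendor; the rule set, the internal
# range and the admin port list are assumptions made for illustration.
from dataclasses import dataclass
from ipaddress import ip_network
from typing import FrozenSet, List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")
ADMIN_PORTS = frozenset({22, 23, 3389, 5900})   # SSH, Telnet, RDP, VNC (assumed list)


@dataclass
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    src: str = "0.0.0.0/0"                   # source network (any by default)
    dst: str = "0.0.0.0/0"                   # destination network (any by default)
    proto: Optional[str] = None              # None = any protocol
    dports: Optional[FrozenSet[int]] = None  # None = any port


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet `inner` could match is already matched by `outer`."""
    return (
        ip_network(inner.src).subnet_of(ip_network(outer.src))
        and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
        and (outer.proto is None or outer.proto == inner.proto)
        and (outer.dports is None
             or (inner.dports is not None and inner.dports <= outer.dports))
    )


def lint(rules: List[Rule], internal: str = "10.0.0.0/8") -> List[Tuple[str, str]]:
    """Return (rule name, problem) pairs for a first-match rule set."""
    internal_net = ip_network(internal)
    findings = []
    for i, r in enumerate(rules):
        src, dst = ip_network(r.src), ip_network(r.dst)
        # 1. any/any allow: the firewall is passing everything.
        if r.action == "allow" and src == ANY and dst == ANY and r.proto is None and r.dports is None:
            findings.append((r.name, "any/any allow: equivalent to having no firewall"))
        # 2. Management ports on internal hosts reachable from outside the internal range.
        exposed = (r.dports or frozenset()) & ADMIN_PORTS
        if r.action == "allow" and exposed and dst.subnet_of(internal_net) and not src.subnet_of(internal_net):
            findings.append((r.name, f"admin ports {sorted(exposed)} reachable from outside {internal}"))
        # 3. Shadowed rule: an earlier, broader rule always wins, so this one never fires.
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append((r.name, f"shadowed by earlier rule '{earlier.name}': never evaluated"))
                break
    return findings


# Constructed rule set with one of each problem.
RULES = [
    Rule("web-out", "allow", src="10.0.0.0/8", proto="tcp", dports=frozenset({80, 443})),
    Rule("rdp-in", "allow", dst="10.0.0.0/8", proto="tcp", dports=frozenset({3389})),
    Rule("block-casino", "deny", src="10.0.0.0/8", dst="198.51.100.21/32",
         proto="tcp", dports=frozenset({443})),      # intended block, but web-out already matched
    Rule("temp-any", "allow"),                        # "temporary" troubleshooting rule left in place
]

if __name__ == "__main__":
    for name, problem in lint(RULES):
        print(f"{name}: {problem}")
```

The shadowing check is the one that most often surprises people: the “block-casino” deny looks correct on its own, but because the earlier “web-out” rule already allows all outbound TCP 443 from the internal range, the deny is never reached. Rule order, not just rule content, is part of “configured appropriately”.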
At Kelser, we work with our customers to ensure they have everything they need to keep their IT infrastructure available, secure, and efficient.
We provide a full complement of managed IT services to keep things working optimally. Having said that, we know that managed IT isn’t right for everyone. That’s why we publish articles like this to provide business leaders like you with the information you need about a variety of IT subjects, so you can decide the best solution for your organization.
Read this article to learn more about how managed IT helps companies like yours: Are Managed Services A Good IT Solution For Small & Medium Businesses?