Firewalls: What You Need To Know (Function, Features, Capabilities)
Firewalls often fall into that “out-of-sight, out-of-mind” category, quietly operating to keep your network safe without too much thought from business leaders or users. But, just like every other part of your network, firewalls need to be monitored and updated to ward off new threats.
As a network engineer at Kelser, I spend a lot of time advising clients about firewalls. In this article, I’ll explain what the function of a firewall is, what features you need, and what firewalls are capable of. I’ll explore some of the key differences, recent feature improvements, and what to look for when selecting a firewall.
I’ll also talk about how you can use firewalls in different places within your network to build up layers of protection. Because the truth is that while a perimeter firewall is a good start, it doesn’t provide the strongest possible protection.
After reading this article, you’ll have a deeper understanding (in non-technical terms) of firewall technology, the purpose of a firewall, and how to maximize it to secure your users and your network.
What Is A Firewall?
A firewall provides a critical security function and acts like a barrier or fence between your trusted internal network and an untrusted external network.
Firewalls work by monitoring incoming and outgoing traffic between these networks.
In the simplest terms, the purpose of a firewall is to scan the traffic between networks and implement security checkpoints that allow safe, legitimate traffic through and block malicious traffic.
You can think of it as the security guard for your network system.
Why Is Firewall Technology Important?
Firewall technology is important because, as your network security guard, it protects your network from unauthorized access by hackers and malicious software. It keeps your business’s data safe and infrastructure protected.
From an efficiency standpoint, firewalls also help to filter out unnecessary traffic and help with optimizing your overall network performance.
What Is The Cost Of A New Firewall?
The cost of a new firewall depends on the features, firewall brand and model, and the throughput you need.
- Features
Firewalls with additional features will cost more than basic firewalls. However, those looking for the most cost-effective and robust firewall for their small business should, at a minimum, make sure they prioritize features like intrusion detection, content filtering, and basic security and remote access features like VPN.
- Firewall Brand & Model
Like everything, different models and brands will have different price points. When looking at purchasing a firewall for your small business, it is important to look at factors like scalability, configurability, and cost of ownership.
- Firewall Throughput
You can think of firewall throughput as the processing power of the firewall. It is essentially how much network traffic the firewall can filter and inspect in a given amount of time. If your business handles a large volume of data, you may need a higher throughput, which will affect the cost of the firewall.
It is also important to remember that besides the hardware costs there may also be software licensing fees for the firewall that will vary depending on the features offered in the license terms.
You can expect new firewalls to start at about $1,000, but you may need to factor in support and maintenance costs as well. As mentioned previously, the more throughput, features, and customization you need, the more expensive the firewall.
Some companies bundle support into the firewall cost, others don’t. Support keeps IPS engines up to date so that when new threats are detected, the threat signatures are updated in the firewall’s database.
Since new threats come out every day and old threats resurface, it’s important for the devices and the engines that run security protocols to be updated so they can identify the current threats. That makes the support part of the equation critically important.
If I Have A Perimeter Firewall, Am I Protected?
Well, yes…and no. As I mentioned earlier, every business needs at least a perimeter firewall to protect its network. The best protection, though, can be achieved by placing firewalls at key points in your network to protect different data or functions.
Let me explain.
In the beginning, most firewalls would operate at layers three and four of the Open Systems Interconnection (OSI) model.
Layer three, also known as the network layer, focuses on internet protocol (or IP) addresses, which provide a unique identification (similar to a telephone number) for every device operating on the internet or a local network.
Layer four (or the transport layer) comprises transmission control protocol (TCP) and user datagram protocol (UDP). Both send and receive data to and from applications running on a host by assigning port numbers to the information source and destination.
So early firewalls could allow or deny access to specific IP addresses (layer three) or ports (layer four).
Those beginning firewalls weren’t as intelligent and as feature-rich as today’s firewalls, which operate at different levels of the OSI model.
Layer seven firewalls, for example, operate at the application layer, making it possible to allow or deny access by application. In other words, organizations can deny access to gambling websites or those that provide explicit content. It is easier to fine-tune the control over the applications end-users are allowed to access.
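The difference between filtering at layers three and four and filtering at layer seven, shown as an added example (it is not part of the original article and not any vendor's code). The addresses, site names, rules and category table are constructed for illustration, and the host field is an assumption standing in for whatever application-layer detail a layer seven firewall inspects.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    dst: str                    # layer three: destination IP address
    proto: str                  # layer four: "tcp" or "udp"
    dport: int                  # layer four: destination port
    host: Optional[str] = None  # layer seven: site name, seen only by L7 inspection

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    dst_net: str                # destination network in CIDR form
    proto: str                  # "tcp", "udp" or "any"
    dport: Optional[int]        # None matches any port
    def matches(self, flow: Flow) -> bool:
        return (ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst_net)
                and self.proto in ("any", flow.proto)
                and self.dport in (None, flow.dport))

def l34_decide(rules, flow, default="deny"):
    """Early-style firewall: first matching IP/port rule wins, else the default."""
    return next((r.action for r in rules if r.matches(flow)), default)

# Constructed category table (assumption); a real product maintains its own.
CATEGORIES = {"casino.example": "gambling", "payroll.example": "business"}
BLOCKED_CATEGORIES = {"gambling"}

def l7_decide(rules, flow, default="deny"):
    """Layer seven firewall: IP/port rules first, then a check on the site itself."""
    if l34_decide(rules, flow, default) != "allow":
        return "deny"
    return "deny" if CATEGORIES.get(flow.host) in BLOCKED_CATEGORIES else "allow"

RULES = [
    Rule("deny", "203.0.113.66/32", "any", None),  # one address blocked outright
    Rule("allow", "0.0.0.0/0", "tcp", 443),        # outbound HTTPS allowed
]
# Constructed flows: the first two sites share one hosting address and port.
payroll = Flow("198.51.100.10", "tcp", 443, "payroll.example")
casino = Flow("198.51.100.10", "tcp", 443, "casino.example")
blocked_ip = Flow("203.0.113.66", "tcp", 443, "payroll.example")
telnet = Flow("198.51.100.10", "tcp", 23)

if __name__ == "__main__":
    for f in (payroll, casino, blocked_ip, telnet):
        print(f, l34_decide(RULES, f), l7_decide(RULES, f))
```

The two sites on the shared address look identical to the IP and port rules, so only the layer seven check can block one while allowing the other.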
How Can Installing Firewalls At Different Levels Of My Network Provide Optimal Security?
Today there are a lot of types of firewalls. There are network firewalls and host-based firewalls.
Firewalls can be placed at any point within the network. Firewalls can be placed directly on the perimeter as the first line of defense into a network from the internet service provider.
You also can place multiple firewalls in-line to achieve different functions and to provide a multi-layered approach to security.
For example, in addition to a perimeter firewall, a company might use a host firewall on each device. With that arrangement, if something gets through the perimeter firewall, the host firewall provides an additional layer of protection for each device.
What Firewall Features Should You Have?
Some of the most important features in a firewall are:
1. Operating Layer
At a minimum, firewalls need to work at layers three and four. A firewall doesn’t need to operate at layer seven, but if it does, that helps monitor applications and makes it possible to fine-tune which applications you allow.
2. Throughput
Probably the biggest factor is the firewall’s throughput (or the amount of data, or traffic, that can be transmitted in a certain amount of time).
Throughput capacity varies by firewall and function. It also affects firewall prices.
For example, the FortiGate FGT-60F is an entry-level, branch model firewall. It has a theoretical maximum (layer 3 and 4) throughput of 10 gigabits per second. The model’s intrusion prevention system (IPS) has a maximum of 1.4 gigabits per second and that’s if it’s actively preventing something. If it detects an intrusion, it will try to stop the attack.
FortiGate also has a next-generation firewall (NGFW), which is a layer seven firewall. Its throughput is only one gigabit per second. For threat protection or IPS, it can only do 700 megabits per second. So the throughput is different for different functions.
FortiGate’s 80F has the same throughput as the 60F except it has a max of 900 Mbps for threat protection.
So as you go up from entry-level to medium-branch to data center firewalls, you get more throughput and more traffic can be inspected and protected.
Your speed and amount of traffic definitely factor into which firewall you select. Both factors also affect the overall cost of the firewall solution.
3. Deployment
Firewalls can be deployed via a physical or virtual appliance.
Most companies now offer virtual firewalls that can be deployed on a server, bare metal, or almost any type of container. That is an option for those who don't want a physical appliance.
Firewalls also can be hosted in the cloud, but cloud costs would have to be considered when evaluating overall cost. Both Fortinet and Palo Alto, to name a couple, have whole security stacks with different features that can be added.
4. Brand Preference
Some companies might hear that a certain brand of firewall is good and want to just go with them.
It’s worth keeping an open mind and comparing options to ensure that you get the functionality and cost that work best for you. For example, similar models might have higher throughput or some other feature that one does better than another.
(Refer to the company’s datasheets for firewall throughput numbers.)
5. Number Of Ports
While the number of ports is important, most organizations don’t typically use all of the ports on a firewall. Most use one or two.
6. SD-WAN integration
Firewalls are now gaining SD-WAN features, eliminating the need for a specialized router, which simplifies deployment.
An SD-WAN typically has an underlay and an overlay network to interconnect corporate locations.
7. Graphical User Interface (GUI)
Be sure that the firewall has an intuitive, easy-to-use GUI. If the GUI is poorly designed or not updated and maintained, it hinders the ability to administer and maintain the firewall.
Why Might You Need A New Firewall?
In the same way that you make decisions about when to replace a vehicle or an appliance, some factors come into play when you think about replacing a firewall.
- Age
Depending on the manufacturer and model, most firewalls have a suggested lifecycle of 3 to 5 years, due to improvements in technology and security.
- Throughput
If your business has grown or changed substantially, you may need more throughput to accommodate the amount of incoming and outgoing traffic. This may necessitate a new firewall to support your business and provide the speed, safety, and capacity you need.
- Warranty
Most original equipment manufacturers (OEMs) provide support for a particular firewall model for several years.
Many times a vendor will extend the life cycle of a particular model, but if not, you might have to upgrade to one of the models that are currently being supported.
If a vendor ends support for your model, you can keep your current firewall, but you won't get support or critical updates, exposing your organization to an increased threat level.
What Are The Takeaways Regarding Firewalls?
After reading this article, you have a full understanding of firewalls. You know what they do, why they are important, how much they cost, the benefits of perimeter firewalls, and the reasons to consider deploying firewalls at different levels within your infrastructure. You also know what features to look for in a firewall and when you might need to consider a new one.
As a caveat, let me say that no firewall is effective unless it is configured appropriately.
At Kelser, we work with our customers to ensure they have everything they need to keep their IT infrastructure available, secure, and efficient.
We provide a full complement of managed IT services to keep things working optimally. Having said that, we know that managed IT isn’t right for everyone. That’s why we publish articles like this to provide business leaders like you with the information you need about a variety of IT subjects, so you can decide the best solution for your organization.