In today’s business world, there are two great tools used by almost every organization to help protect the computing environment. These two tools are the firewall and the virtual private network (VPN). The firewall is still the primary mechanism for protecting the infrastructure of an organization, while the VPN is more about enabling connectivity to the infrastructure.
The firewall can be a proxy-based firewall. Proxy-based firewalls are firewalls which, as the packet is processed, terminate the time to live (TTL) field in the IP header. These firewalls must protect all layers of the OSI (open systems interconnection) model, including the application layer. A proxy-based firewall must maintain two separate data streams (client to proxy firewall and proxy firewall to destination). The most complex type of firewalls, proxy firewalls are often referred to as third-generation firewall technology.
Another type of firewall is the stateful inspection-based firewall. Stateful inspection firewalls track the state of each connection and make filtering decisions based on information in the state table or database. With stateful inspection firewalls a single stream of data is maintained. This kind of firewall is configured for uni-directional traffic — such as outgoing traffic for a web request — and a path for the corresponding response packet is dynamically opened to allow the response traffic in for a period of time.
A third type of firewall is a packet filter firewall. Packet filter firewalls use source IP, destination IP, source port and destination port to determine if a packet is permitted. This firewall does not terminate the TTL (time to live) field in the IP header and does not use a state table or database for filtering traffic. The packet filter firewall is the most basic type of firewall and is often referred to as the first generation of firewall technology.
In the case of a packet filter firewall, traffic is seen as uni-directional traffic. This means that for an outgoing web request, a static rule permitting the response traffic has to be configured on the firewall. Because that rule is static, the response traffic is allowed through the firewall at any time, whether or not a request preceded it, which reduces the overall security of the firewall by constantly having these response rules configured to allow the traffic in.
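As an added illustration (not code from the review or from any of the products tested), a small Python simulation of the two filtering models described above: a packet filter whose static response rule is permanently open, beside a stateful firewall whose state table opens the return path only after a matching outbound request and only until the entry times out. The packet addresses, ports and the 60-second timeout are constructed values.

```python
from collections import namedtuple

# Constructed packet model: 5-tuple plus direction ("out" = LAN to Internet, "in" = reverse)
Packet = namedtuple("Packet", "src_ip dst_ip src_port dst_port direction")

class PacketFilter:
    """First-generation filter: static rules on the 5-tuple, no memory of earlier packets."""
    def __init__(self, rules):
        self.rules = rules  # (direction, src_port or None, dst_port or None); None = any

    def allow(self, pkt):
        return any(d == pkt.direction and (sp is None or sp == pkt.src_port)
                   and (dp is None or dp == pkt.dst_port) for d, sp, dp in self.rules)

class StatefulFirewall:
    """State table of outbound connections; a reply is let in only while a matching, unexpired entry exists."""
    def __init__(self, outbound_ports, timeout=60.0):
        self.outbound_ports = outbound_ports
        self.timeout = timeout
        self.state = {}  # (client_ip, client_port, server_ip, server_port) -> expiry time

    def allow(self, pkt, now):
        if pkt.direction == "out":
            if pkt.dst_port not in self.outbound_ports:
                return False
            self.state[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = now + self.timeout
            return True
        # inbound: a genuine reply mirrors the request's addresses and ports
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        expiry = self.state.get(key)
        if expiry is None or now > expiry:
            self.state.pop(key, None)  # drop any stale entry and deny the packet
            return False
        return True

def demo():
    request = Packet("10.0.0.5", "203.0.113.10", 51000, 80, "out")  # constructed sample traffic
    reply = Packet("203.0.113.10", "10.0.0.5", 80, 51000, "in")
    unsolicited = Packet("198.51.100.7", "10.0.0.5", 80, 51000, "in")
    pf = PacketFilter([("out", None, 80), ("in", 80, None)])  # static response rule
    sf = StatefulFirewall({80}, timeout=60.0)
    return {
        "pf_reply_without_request": pf.allow(reply),      # True: static hole is always open
        "pf_unsolicited": pf.allow(unsolicited),          # True: same static hole
        "sf_reply_before_request": sf.allow(reply, 0.0),  # False: no state entry yet
        "sf_request": sf.allow(request, 1.0),             # True: entry created, expires at 61.0
        "sf_reply_after_request": sf.allow(reply, 2.0),   # True: matches the entry
        "sf_unsolicited": sf.allow(unsolicited, 2.0),     # False: peer address does not match
        "sf_reply_after_timeout": sf.allow(reply, 100.0), # False: entry expired
    }
```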
Most actual firewall products are combination firewalls, which provide filtering through multiple types of firewalling technologies. Some firewalls combine stateful inspection with packet filtering technology, while other firewalls combine all three types of firewalling technologies.
Today’s firewall is far more advanced than the firewall of even a few years ago. The technology has evolved from inspection primarily of the TCP and IP headers of the message to what is now known as deep packet inspection, which filters not just at the header level, but also into the data portion of the packet.
Yesterday’s firewall would simply check that a request was on the appropriate port, such as port 80 for a web request. Today’s firewall checks beyond the port information to determine if the payload, or data portion of the packet, is an actual request or a buffer overflow attack. This provides a much greater level of protection. Today’s offerings encompass technology which was part of intrusion detection or intrusion prevention systems of just a few years ago. The technology really has evolved, and most firewalls provide additional features, such as anti-virus and strong authentication of users, which lets the firewall load rules dynamically based not on IP address, but on login information. The firewall may even encompass content filtering, which will block a user’s request for inappropriate content.
How we tested
We tested this month’s batch of products by installing the firewalls in the SC Lab test environment and configuring a simple rule to log all outgoing web requests to see if the request was logged and available from the reporting mechanism of the firewall. The configuration and installation varied — from under 10 minutes, with devices like the SonicWALL PRO 4100, to over an hour, with devices like Secure Computing’s Sidewinder 7.0 and Stonesoft’s StoneGate FW-5000.
The devices in this review were all appliance-based offerings, and while there are several manufacturers with software-based offerings, which provide security through an installation on top of an underlying operating system, such as Windows or Linux, the devices we tested were mostly installed as part of their own core operating system and were not dependent on another underlying operating system.