Types of Firewalls

Listing the types of firewalls is almost like listing the taxonomy of the animal kingdom in biology. The variations, models, and versions are numerous. In addition, opinions vary about what is and is not a firewall. Many experts begin the discussion of firewall types by dividing the collective into two simple, main groupings: personal and commercial.

A personal firewall is designed to provide protection to a single system or a small network, such as a SOHO network. Most personal firewalls offer user-friendly interfaces that may be web-based or graphical in nature (that is, a graphical user interface, or GUI). Most personal firewalls do not require special training or certification to take full advantage of their features.

A commercial firewall is designed to provide protection for a medium-to-large business network. Most commercial firewalls are quite complex and often require special training and certification to take full advantage of advanced features. Most commercial firewalls use a Unix-like command line interface (CLI) that, while powerful and efficient, is not intuitive.

These two groupings do not, however, represent the complete collective of firewalls, as several could easily fall into either or both categories. Another common grouping method, therefore, is to classify firewalls as either hardware or software.

A hardware firewall is a dedicated hardware device specifically built and hardened to support the functions of the firewall software running on it. A hardware firewall is also known as an appliance firewall. It doesn’t share dedicated hardware resources with any other service. A hardware firewall does not require any additional hardware or software for its use. All it needs is one or more network connections and a power source. Although a hardware firewall can protect a single system or an entire network, it can only filter traffic that reaches the network interfaces of its appliance. However, a hardware firewall can be positioned on a network at a chokepoint or gateway to analyze and filter all traffic.

NOTE

A software firewall and a hardware firewall are both a form of software, but the hardware firewall has a dedicated appliance as its host, while the software firewall uses a standard client or server as its host.

A software firewall is an application installed on a host, which is why it is also known as a host firewall. A software firewall depends upon the host’s hardware and operating system. If the host’s components are not properly hardened, the software firewall will be less effective, especially if there are other communication pathways or attack points on the host. Software firewalls must compete for resources among all other processes active on the host. At best, a software firewall is only able to protect a single host from malicious network activity. A software firewall is only able to filter traffic that reaches the network interface of its host.

Both software and hardware firewalls can be targets of attack. Exploits can compromise a software component, or physical attacks can harm the host/appliance. A software firewall is often less expensive than a hardware firewall. A hardware firewall typically offers a wider range of features and capabilities than a software firewall. Both software firewalls and hardware firewalls are options you can use throughout a network infrastructure.

Combining these types of firewalls results in four primary options:

  • Personal software firewall
  • Commercial software firewall
  • Personal hardware firewall
  • Commercial hardware firewall

A personal software firewall is a product used on individual home systems, SOHO systems, and even client/server network workstations and servers. Generally, a personal software firewall is free or less expensive than commercial software firewall products.

A commercial software firewall is a product used on client/server network workstations and servers. These can be installed on personal or SOHO systems, but the installation is usually expensive and part of an overall security management or network access control (NAC) system. Most commercial software firewalls can be used in an agent/console infrastructure, where each host’s firewall is remotely administered from a master management console.

NOTE

Most wireless access points, both consumer and commercial grade, include some form of firewall to provide filtering services for wireless clients as well as physical cable connections. Many wireless access points could be accurately labeled as routers and/or switches, especially when some include two to six extra wired connection ports.

A personal hardware firewall is part of an integrated firewall product, such as a wireless access point (WAP) or a cable/digital subscriber line (DSL) modem. Another variation of the personal hardware firewall is the repurposing of a client or server computer into a home-crafted open-source firewall. One example of this is pfSense by Netgate, a software firewall that provides some routing and VPN functionality.

A commercial hardware firewall is usually a device that handles the complexity of larger organizational networks. A commercial hardware firewall is often very expensive, running in the range of $10,000 or more. Often these firewalls require detailed training for proper setup and deployment.

FYI

Two common, but different, dichotomies are free versus paid and open-source versus closed-source software. Free means you do not need to pay for the firewall to use it. Paid means you must pay a purchase price and/or a licensing fee to use it. Many examples of both free and paid firewall products are available. Open-source means the original source code is available for viewing and modification. Closed-source means the distributed version is precompiled, and the original source code is undisclosed.

Software firewall products, as well as any other form of IT product, can be free and open-sourced, free and closed-sourced, paid and open-sourced, and paid and closed-sourced. You should not assume that, because something is free, it is open-sourced, or that because something is commercial, it must be purchased.

Also, just because a product is free does not ensure its reliability or trustworthiness. Additionally, being able to review the source code does not warrant the reliability of a product.

For further discussion on free software, visit the GNU organization’s site at www.gnu.org.

Personal versions of software and hardware firewalls might include different add-ons or enhancements than their commercial equivalents. These add-ons or enhancements could include antivirus software protection, password management, registry protection, driver protection, VPN gateways, remote access support, IDSs, IPSs, spam filtering, and more. Usually these add-ons make the firewall products more attractive to the potential buyer. However, most commercial entities would generally avoid integrated firewall solutions in favor of dedicated products to handle distinct security or management functions. An integrated device might offer easier administration, but it represents a single point of failure for multiple services. Additionally, such bundled solutions are more difficult to troubleshoot due to the complexity of the communications supported.

Another variation of firewall, in fact the original variation, is a screening router. Most appliance routers and many software routers, such as Routing and Remote Access Service (RRAS) in Windows Server, are able to perform firewall-filtering services in addition to routing. Screening routers that perform firewall filtering might provide enough sentry security for your needs. However, if you want more advanced features, a screening router is unlikely to be the best solution for your network.

Regardless of the type of firewall or implementation, it is important to be certain that your firewall implements the security and privacy policies that you want, while not conflicting with other security measures. If, for instance, a remote system that you will access requires use of a certain protocol or procedure that is blocked by your local firewall, then you have a problem that must be solved before you can access the remote system.
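As an added illustration of that last caution (example code written for this page, not taken from the text or any product), the following Python models a first-match, default-deny rule set of the kind a screening router or host firewall applies, then audits it against the connections a remote system requires. The rule set, addresses and required flows are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port; None means any port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str               # single source address
    dst: str               # single destination address
    dport: Optional[int]


def matches(rule: Rule, flow: Flow) -> bool:
    """True when every field of the rule covers the flow."""
    return ((rule.proto == "any" or rule.proto == flow.proto)
            and ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == flow.dport))


def decide(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """First-match evaluation: the first rule that matches wins.
    If nothing matches, the policy is default deny (index None)."""
    for idx, rule in enumerate(rules):
        if matches(rule, flow):
            return rule.action, idx
    return "deny", None


def audit(rules: List[Rule], required: List[Flow]) -> List[Tuple[Flow, Optional[int]]]:
    """Return every required flow the rule set would block,
    paired with the index of the rule responsible."""
    return [(flow, idx) for flow in required
            for action, idx in [decide(rules, flow)] if action != "allow"]


# Constructed sample policy: a LAN may reach HTTPS and HTTP anywhere; all else denied.
RULES = [
    Rule("allow", "tcp", "192.168.1.0/24", "0.0.0.0/0", 443),
    Rule("allow", "tcp", "192.168.1.0/24", "0.0.0.0/0", 80),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),
]
# Constructed flows the remote system (203.0.113.5) requires from a LAN host.
REQUIRED = [
    Flow("tcp", "192.168.1.10", "203.0.113.5", 443),   # web access
    Flow("tcp", "192.168.1.10", "203.0.113.5", 22),    # SSH the remote system insists on
]
```

Running `audit(RULES, REQUIRED)` reports the SSH flow as blocked by rule index 2, which is exactly the conflict the text says must be resolved before the remote system can be used.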
