firewalls history

Terminology

The history of firewalls is full of terms that label a type of firewall or describe a generation of firewalls. Some of these terms are vague and some even contradict one another; this is probably the result of mixing research definitions with marketing terminology.

Let's look at the various terms in roughly chronological order, to better understand the evolution of firewalls.

Packet Filters or Static Packet Filtering

Packet filter firewalls are network layer firewalls that filter based on the contents of packet headers (IP addresses, protocols such as TCP, UDP or ICMP, and TCP/UDP ports for TCP/UDP traffic) but keep no state of the sessions. They work at Layer 3 (IP layer) and Layer 4 (transport layer).

An example of such a firewall was screend, created by Jeff Mogul in 1989 to implement TCP/IP security policies.

Routers also did basic packet filtering in the late 1980s.

With the early packet filters, direct connections from external hosts to internal hosts were possible, since no state was maintained.

Stateful Packet Filters or Stateful Packet Inspection

Stateful packet filter firewalls are also network layer firewalls working at Layer 3 (IP layer) and Layer 4 (transport layer), but they keep the state of open sessions, so they can track and dictate who may initiate a connection. They are better suited to a policy that allows all outbound traffic but denies anything inbound, an early way of implementing a firewall access policy.

Note that in 1991 Steve Bellovin and Bill Cheswick of AT&T Bell Labs created the AT&T gateway, a circuit relay firewall (or circuit level gateway) and a first form of stateful packet inspection. It differs a little from a stateful packet filter in that it hides the real IP addresses of the client and server, which each speak directly with the gateway (a form of NAT, if you want). The circuit relay firewall keeps the state of the sessions and operates at Layer 4 (transport layer) of the OSI model.

The stateful packet filters have no clue about the application layer.
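The difference between the two sections above (a static filter that cannot deny inbound connections once it has to let replies back in, and a stateful filter that only admits inbound packets belonging to a session opened from the inside) as an added simulation; this is not code from the article, and the hosts, ports and the "allow all outbound, deny inbound" policy are constructed for the example:

```python
# Constructed simulation (added example) of a stateless packet filter versus a
# stateful packet filter, both trying to enforce "allow all outbound, deny inbound".
from __future__ import annotations
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."  # constructed: addresses with this prefix are "inside"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NET)

def stateless_allow(pkt: Packet) -> bool:
    """Static packet filter: decides from the header alone. To let replies to
    outbound web connections back in, it must allow inbound packets with source
    port 80, and a header field alone cannot tell a reply from a new connection."""
    if is_internal(pkt.src):
        return True                       # allow all outbound
    return pkt.sport == 80                # inbound "replies" to outbound web traffic

class StatefulFilter:
    """Stateful packet filter: remembers sessions opened from the inside and
    admits an inbound packet only if it is the reverse of one of them."""
    def __init__(self) -> None:
        self.sessions: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def demo() -> dict[str, tuple[bool, bool]]:
    """Returns (stateless decision, stateful decision) for three constructed packets."""
    sf = StatefulFilter()
    out = Packet("10.0.0.5", 40000, "203.0.113.9", 80)     # inside client -> web server
    reply = Packet("203.0.113.9", 80, "10.0.0.5", 40000)   # the legitimate reply
    probe = Packet("198.51.100.7", 80, "10.0.0.5", 22)     # outsider initiating a connection
    results = {}
    for name, pkt in (("outbound", out), ("reply", reply), ("probe", probe)):
        results[name] = (stateless_allow(pkt), sf.allow(pkt))
    return results

if __name__ == "__main__":
    for name, (stateless, stateful) in demo().items():
        print(f"{name:9s} stateless={stateless} stateful={stateful}")
```

Only the stateful filter rejects the "probe" packet, because no internal host opened a session towards 198.51.100.7.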

Application Proxies and Application Gateways | Proxy Firewalls

In 1991 Marcus Ranum invented application proxies, which were used in the DEC SEAL firewall. This was a hybrid firewall incorporating both application proxies and packet filters.

At first, application proxies required the client to have knowledge of them (application gateway); later they were made transparent to simplify deployment (application level gateway).

In 1993 the TIS Firewall Toolkit source code was released. It contained a couple of proxies and even provided user authentication. It served as the base for TIS's commercial firewall, later named Gauntlet.

Application proxy firewalls had a couple of issues:
  • They needed a proxy for every allowed protocol, so they could not function as a network firewall that controls all network traffic.
  • They introduced performance issues due to the heavy application layer inspection.
  • They were difficult to configure (a CLI was used).

Application proxy firewalls are considered application layer firewalls.

Stateful Inspection

In 1994 Check Point introduced their firewall, Firewall-1, creating the market for stateful inspection firewalls.
In addition to keeping state, these are also capable of partial application layer filtering.

They have some knowledge of application layer protocols and can dynamically adjust the filtering rules, e.g. opening ports for FTP data connections.
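How the FTP case works, as an added example (not code from the article or from any vendor's product): a stateful inspection firewall reads the FTP control channel and derives a temporary data-channel rule from the PORT command (active mode) or the 227 reply (passive mode), validating that the announced address belongs to the peer that announced it. The Pinhole type, pinhole_for function and the FTP lines are constructed for this example.

```python
# Added example: deriving a temporary data-channel "pinhole" from FTP control traffic.
# The regexes follow RFC 959 PORT/227 syntax; names and sample lines are constructed.
from __future__ import annotations
import re
from dataclasses import dataclass

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

@dataclass(frozen=True)
class Pinhole:
    src: str      # which side may initiate the data connection
    dst: str      # towards which address
    dport: int    # on which TCP port

def _decode(groups: tuple[str, ...]) -> tuple[str, int]:
    """h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256 + p2), rejecting bad octets."""
    h1, h2, h3, h4, p1, p2 = map(int, groups)
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def pinhole_for(line: str, client_ip: str, server_ip: str) -> Pinhole | None:
    """Inspect one FTP control-channel line and return the data-channel rule it
    implies, or None if the line opens no data channel or announces an address
    that does not belong to the sender (then no rule is added at all)."""
    m = PORT_RE.match(line)
    if m:   # active mode: the server connects back to the client's announced port
        host, port = _decode(m.groups())
        if host != client_ip or port <= 1023:
            return None
        return Pinhole(src=server_ip, dst=client_ip, dport=port)
    m = PASV_RE.match(line)
    if m:   # passive mode: the client connects to the server's announced port
        host, port = _decode(m.groups())
        if host != server_ip or port <= 1023:
            return None
        return Pinhole(src=client_ip, dst=server_ip, dport=port)
    return None

if __name__ == "__main__":
    client, server = "10.0.0.5", "203.0.113.9"            # constructed addresses
    for text in ("USER anonymous", "PORT 10,0,0,5,195,80",
                 "227 Entering Passive Mode (203,0,113,9,200,1)"):
        print(f"{text!r:50s} -> {pinhole_for(text, client, server)}")
```

A real implementation would also remove the pinhole once the data connection closes or a timeout expires.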

Check Point Firewall-1 took advantage of the proxy firewalls' issues and established the stateful firewall as the dominant firewall type on the market. It was fast, easy to configure (it had a GUI) and, at the beginning, could block many "attacks".

The problem with stateful firewalls was that they did not look much into the application layer or at the application data.

Stateful inspection firewalls are mainly network layer firewalls with a small fraction of application layer firewall functionality.

Deep Packet Inspection (DPI)

Deep Packet Inspection is a combination of stateful firewall and IPS capabilities aimed at offering application intelligence.
When attacks started to target the application layer more and more, stateful firewalls reached their limits. To overcome this, they were usually paired with a separate IDS/IPS box (which did the DPI), but this created management and scalability issues.

Deep Packet Inspection firewalls maintain the state of the connection/session and also the state of the application layer using that connection; they analyze the data in order to follow the communication stream. They use a signature-based analysis technique borrowed from IPS technology to detect and block malicious attacks or activities.
In addition to security, DPI can be used for other things like QoS and application identification.

Note that for some vendors, e.g. Juniper, DPI (found on the SSG series) is a lightweight version of the IPS (found on the SRX series); in this case Deep Inspection is basically a stateful inspection firewall with some IPS signatures.

Similar to application proxies, early DPI was typically limited to a few protocols and applications and performed only light analysis of the application data.

DPI firewalls are a combination of network layer firewalls and application layer firewalls.

Unified Threat Management Gateways (UTMs)

The term UTM was coined in 2004 by IDC; earlier, in 2003, Internet Security Systems (ISS) launched a new product called Proventia, an "all-in-one protection product" which unified firewall, virtual private network (VPN), anti-virus, intrusion detection and prevention into one box. Others, like Cisco and Symantec, did the same.

To deal with blended threats, vendors co-located multiple systems on the same box: a stateful firewall, an IPS, a web proxy and an antivirus engine, to name a few. The downside of this approach was that the systems were not really integrated, and when all of them were activated performance dropped seriously. The usual workaround was to lower the level of inspection.

DPI technology can be seen in UTMs, either as a full-blown IPS or as a stateful inspection firewall with some IPS intelligence; these protect the network against malware, trojans, spyware or client/server attacks and can be used to identify and block some applications.

UTMs either co-locate a stateful firewall and an IPS or use a limited DPI (just a stateful packet inspection firewall with some IDS/IPS signatures), and suffer from performance issues and limited visibility into network traffic.

Normally only web traffic was controlled per user, with the help of a web proxy.

UTMs are a combination of network layer firewalls and application layer firewalls.

Next Generation Firewalls

Early DPI performed only limited analysis of the application data. In recent years the HTTP protocol has become the transport vehicle for most attacks, and it is used more and more by applications.

Greater control over applications and visibility into network traffic are needed. Next Generation Firewalls aim to provide these, going beyond block/allow by managing and monitoring the use of applications. Additionally, performance is improved by the use of a single-pass engine that deeply inspects the traffic.

NGFWs integrate the firewall with the IPS; the IPS becomes a function of the firewall.

DPI in NGFWs has evolved and allows the identification of a vast number of applications and their features regardless of the ports or protocols they use. Furthermore, QoS can be applied to each application or application feature to optimize traffic flow and prioritize critical applications.

Additionally, NGFWs control access to resources based on users or groups of users for all network traffic, not just web traffic.

NGFWs are a combination of network layer firewalls and application layer firewalls.

Specialized application firewalls and network firewalls

Application firewalls, in contrast with network firewalls, are not concerned with all the traffic. Rather, they include an application proxy for the application that needs to be inspected and protected.

Compared with the early application proxy firewalls, which aimed to cover a wider range of application layer protocols, they have deeper knowledge of the application protocol and the application data.

The need for application security solutions appeared in the late 1990s. For example, in 1997 Société Générale decided to develop an application security solution, and the result was rWeb. Perfecto Software's AppShield was also an early entrant in the WAF market, in 1999.

In 2002 the open source ModSecurity WAF was launched; in the same year Imperva debuted SecureSphere. However, it wasn't until after 2006, with the appearance of the PCI DSS 1.1 standard that mandated the protection of web applications handling credit card data, that interest in WAFs grew.

WAFs provide a level of protection for web applications unmatched by IPS or DPI. Additionally, they can enhance the web application itself.

Another type of specialized firewall that appeared more recently is the database firewall, which sits in front of the database and controls the way applications interact with it.

WAFs and database firewalls are application layer firewalls.

Hybrid Firewalls

In theory there are distinct types of firewalls; in practice, however, firewalls are often hybrids.

The firewall market was dominated by hybrid firewalls that did packet filtering, stateful inspection and DPI and also included some proxies.

For example, the DEC SEAL firewall, dubbed an application proxy firewall, was actually a hybrid including both application proxies and packet filtering. The same is true of Check Point Firewall-1, which later included application proxies and DPI.

Network layer firewalls and Application layer firewalls

Network layer firewalls typically work at Layers 3 and 4 of the OSI model, while application layer firewalls work at Layer 7.

They are often used together in practice.