Firewalls: Great Network Security Devices, but Not a "Silver Bullet" Solution In construction, a firewall is a hardened divider between the hostile external environment outside and what needs to be protected inside. Similarly, firewalls are designed to protect computers from being accessed by unauthorized individuals, and for the most part, they perform this task well. Unfortunately, firewalls are also akin to the castles of old when siege weapons were built to defeat the highest walls. As the siege weapons became more powerful, the defenders were forced to build the walls yet higher and install moats and other protective measures. Similarly, today, hackers and so-called crackers are always trying to overcome security devices for profit, pleasure or for more nefarious purposes such as denial of service attacks by terrorist organizations. To gain some fresh insights in this area, this paper presents a review of the relevant scholarly and peer-reviewed literature concerning firewalls to provide a working definition, a description of their capabilities and what technologies are typically involved. A discussion concerning the different types of firewalls that are available and their respective pros and cons is followed by an assessment of what proactive measures can be taken to harden a firewall. Finally, an analysis of future trends is followed by a summary of the research and important findings in the conclusion.

Review and Analysis

What are firewalls and their capabilities?

The definition provided by Blair (2009) states simply that firewalls are "single devices used to enforce security policies within a network or between networks by controlling traffic flows" (para. 1). Prior to the introduction of Web 2.0, most firewalls operated in an "allow-don't allow" environment (Hua, 2011). Following the introduction of Web 2.0 and a bewildering array of mobile devices, providing adequate firewall protection became more complicated (Hua, 2011). Firewalls basically operate by blocking attacks; by contrast, so-called intrusion detection systems (IDSs) operate by identifying attacks when they actually take place (Sequeira, 2003). According to this authority, "Such techniques are crucial to network security, but have limitations. A firewall can stop attacks by blocking certain port numbers, but it does little to analyze traffic that uses allowed port numbers. IDSs can monitor and analyze traffic that passes through open ports, but do not prevent attacks" (Sequeira, 2003, p. 36).

Technologies involved

Firewall...

Each of these approaches offers some advantages but both also carry some disadvantages as well. For example, Andress (2003) reports that, "With a single-vendor solution, such as Cisco Systems or Check Point Software Technologies, you have to deal with only one vendor and might receive deeper discounts based on the amount of product you purchase" (p. 15). Other advantages of this approach include the need for network administrators to train on one firewall version, making updates and configurations a straightforward task (Andress, 2003). The single-vendor approach, though, may not represent the optimal solution for some organizations. For instance, Andress cautions that, "The vendor's firewall might fit your environment perfectly, but its IDS might not have the features or capability your company needs. Additionally, the common features of same-vendor products might increase your security risks" (p. 15). In addition, the potential exists for a single-vendor firewall to fail in a spectacular fashion, disabling the entire network until the vendor can render on-site assistance, a process that could require a great deal of time (Andress, 2003).
One the decision to purchase or lease is made, the next step is selecting a firewall that is suitable to the needs of the organization. For this purpose, a wide range of firewalls is available, including those set forth in Table 1 below which provides a brief description of the firewall and its corresponding pros and cons.

Table 1

Types of Firewalls and Their Respective Pros and Cons

Firewall Type

Pros

Cons

Packet-Filtering Firewalls

The primary advantage of this type of firewall is that they are located in virtually every device on the network. Routers, switches, wireless access points, Virtual Private Network (VPN) concentrators, and so on may all have the capability of being a packet-filtering firewall.

The challenge with packet-filtering firewalls is that access control lists (ACLs) are static, and packet filtering has no visibility into the data portion of the IP packet.

Application/Proxy Firewalls

Because…