Firewalls: Why so many kinds

In order to make an informed decision about securing your network, you need to know a little about firewalls. Some of Corporate Armor’s most popular, successful models, like the Fortinet FG-40F and FG-50E, Sophos XG86 and XG115, and Meraki MX64 and MX68, are surprisingly easy to master.

A firewall acts as a barrier in front of a network. Its job is to prevent unwanted access to the network. It does this by proactively monitoring all incoming and outgoing traffic. It also enforces an organization’s security policies. Sort of like a bouncer at the door. It can be either hardware or software, and its job is to secure a system from malicious activity.

Data passes over a network (like the Internet) in packets. Think of them as little molecules of data. Each packet consists of a header, and a payload. A firewall’s job is to inspect parts of this molecule as they enter and leave a network. And it does this according to a set of pre-defined rules. It has to know what it’s looking out for, after all.

For example, the appliance can have a rule that excludes traffic coming from a specific IP address. If it receives packets with that IP address in the header, the firewall denies access. Similarly, it can deny access to anyone except certain, trusted sources. There’s lots of ways to “instruct” a firewall. The extent to which it protects a system depends on the type of device.

Software firewalls (examples: ESET, FortiClient, AVG)

Software firewalls provide internal security to a network. They are installed on an individual computer. It protects that single device. Multiple computers will need will need multiple installations. A software firewall controls the behavior of specific applications. For example, you can block access to certain websites, or a printer on the network. Also, it can protect the other computers in the same network, in the case that one of them ends up getting infected.

Because they are easier to install, many home users will go with the software option. They can work well in coordination with a hardware firewall, because they occupy a different part of the network.

Hardware (examples: Sophos XG115, FortiGate FG-40F

These are devices that represent a piece of hardware placed between an internal and external network. Unlike a software, a hardware device has its own resources. It doesn’t consume any CPU or RAM from the host devices. That’s one of its advantages.

Appliances give the network administrator a lot of control over how the network is used. It can also protect other network devices that don’t have built-in firewalls. This would be things like printers and other smart devices.

Hardware also integrates readily with other kinds of security. Many of them also come with additional security features, such as VPN and load balancing.

Once installed, a hardware firewall is a single point of management for your entire network. This just saves time and simplifies your life.

Stateful Inspection (example: Palo Alto PA-220)

A stateful inspection firewall keeps track of a connection by monitoring the TCP 3-way handshake. In this way, it keeps track of an entire connection from start to end. It acts as a gatekeeper allowing only expected return traffic. These are highly skilled at detecting unauthorized attempts or forged messaging.

When starting a connection, a stateful appliance notes the source IP, source port, destination IP, and destination port.This stateful inspection method dynamically creates its own rules to allow anticipated traffic.

This type of firewall is used as additional security. It enforces more checks and is safer compared to stateless filters. However, unlike stateless/packet filtering, stateful firewalls inspect the actual data transmitted across multiple packets instead of just the headers. Because of this, they also require more system resources. Unlike the less-expensive packet-level devices, these inspect the whole packet, as well as tracking the entire session. However, they do consume more system resources as a result.

Proxy firewalls (example Barracuda 360)

Okay, this one is sort of weird. A proxy firewall serves as an intercessor between internal and external systems communicating over the Internet. It protects a network by forwarding requests from the original client. It pretends the request is its own. After all, “proxy” means substitute. It substitutes for the client that is sending the request. In other words, it pretends to be the system its protecting. This hides the real client’s identification an location, protecting it from attacks. Once the proxy firewall receives the requested data, it passes it along to the client.

Proxy firewalls ensure user anonymity and reduce unnecessary contact with other networks. But they can also affect performance.

Next-Generation (examples: FortiGate FG-60F, Check Point 1550

We’ve all heard of Next-Gen firewalls. The term gets thrown around a lot. So what is it?

An NGFW combines functions of other firewalls. It incorporates packet, stateful, and deep packet inspection. In other words, it checks the actual payload of the packet. Not just the header information.

Next-gen firewalls inspects the entire transaction of data, including the TCP handshakes, surface-level, and deep packet inspection. They are sufficient protection from malware attacks, external threats, and intrusion. Plus, they’re quite flexible.

They feature automatic upgrades, and thorough multi-layer network monitoring. They are highly secure, complete package-deals.

However, they are more expensive than the other options. And they may require more involved integration.


A cloud firewall, or firewall-as-a-service, is maintained and run in the cloud by third-party vendors. Managing firewalls tends to absorb plenty of resources in IT departments. Dealing with all the latest threats requires people who know what they’re doing. A managed, or Firewall-as-a-Service, simply hands off the work of managing all this to someone else. Someone off-site, and off-staff. Ideally, they will watch at all hours of the day to alert you before threats cause any real damage.

FaaS tends to be cost-effective since it requires less equipment to buy and manage. It is also highly scalable. You have a dedicated professional staff taking care of things, and a wide range of prices and options, depending on your needs.

Firewalls in summary

Obviously, it is a good practice to use more than one kind of firewall. They tends to compliment each other’s strengths, as well as drawbacks. Using more than one firewall type provides multiple layers of protection. Corporate Armor is quite able and willing to walk you through these decisions. We will craft a solution that suits your use case and your budget, and we’ll do it on time! So email us, or call 877-449-0458. Thanks for reading!