Skip to content

Understanding Packet Filtering Firewalls In Network Security

As networks begin to grow and interconnect, it became important to control the flow of traffics to networks. This initially took the form of packet filtering firewalls that examines the source and destination address of data, protocols. Firewall rules use these to define which packet to permit or deny. When a packet is coming in and its details match what is configured, it will be allowed, if not, the packet will be blocked or dropped.

The drawback of packet filtering firewalls is that they used one rule to determine which packet to allow or deny without considering the nature of packets. Bad actors also capitalized on this to introduce rogue packets to networks. To address this, additional rules were introduced in second-generation firewalls.

Second Generation Firewalls

They are called stateful firewalls. They are designed to observe network connections over time. They will watch as new network connections are made. They will continue to examine conversations between the endpoints. If a connection behaves improperly, the firewall will block that connection. Any packet that does not belong to a known conversation is always dropped.

Although that was an improvement, second-generation firewalls did not still block rogue packets. Without the coming of the internet, the nature of rogue packets changes. E.g When it comes to https, it is being used in many ways apart from browsers. It is used for e-commerce websites, Apps, static content among others. Because they all use the same port numbers, the firewalls could not distinguish between them.

Third Generation Firewalls

There is a need now to allow useful web applications and block harmful web applications. In order to do this, the firewall needs to be able to look into the web applications and determine what they contain. Third Generation firewalls were able to distinguish between applications. The third generation firewalls can control different uses of basic applications.

The third generation firewall can do an application layer filter. They can identify common protocols that make use of http. They can identify social media applications, email, e-commerce among others. Third generation firewalls cannot also deal with any attack coming from different attack surfaces. They can deal with an attack from malicious users. That leads to the introduction of Next-Generation Firewalls.

Next-Generation Firewalls

It has multiple security checkpoints. It protects packets and makes broad-based decisions on whether to allow or drop packets. Its work is typical of what happens at the airports where travel bags are first checked and they are then isolated for further checking if it was discovered that such bags have suspicious contents.

NGFW have what is called a Sandbox where malicious contents are further examined if they behaved strangely. As the network continued to evolve, NGFW also continued to evolve with further upgrades. It also has application-level security which protects web browser applications from attacks. It also adopts the use of the segmentation process which separates applications based on what they have in common. It also has multiple security checking paths.

It makes a role-based decision on whether to allow or drop packets. It performs Deep Packet Inspection. They have the ability to monitor applications that goes through or bypass firewalls. By segmenting users and applications, the firewalls can eliminate a single point of entry. It makes it difficult for attackers to exploit the attack surface and get into the network.

It also delivers high-performance inspection. It monitors networks with little or no degradation. It can work with hybrid data centres where an organization’s data are spread across multiple data centres. Also, it also has the ability to scale on demand. Fortigate is the Next-Generation Firewall of Fortinet. This product can fully integrate with other security products. It can also share intelligence data with other Fortinet security fabrics.

Action Point
PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that on an individual and corporate level, I will be very glad to do that I have trained several individuals and groups and they are doing well in their various fields of endeavour. Some of those that I have trained includes staffs of Dangote Refinery, FCMB, Zenith Bank, New Horizons Nigeria among others. Please come on Whatsapp and let’s talk about your training. You can reach me on Whatsapp HERE. Please note that I will be using Microsoft Team to facilitate the training. 

I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.


Fact Check Policy

CRMNIGERIA is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.


Fact Check Policy