Hello, welcome toPeanut Shell Foreign Trade Network B2B Free Information Publishing Platform!
18951535724
  • The five main types of firewalls, applicable to which scenarios

       2026-05-01 NetworkingName750
    1111111
    Key Point:Usually working in the room, fixing roads, switchboards, and most often asked by colleagues, "what's the firewall?" which one do we use?" today, on the occasion of this internal sharing, i will not go through the big words, but i will talk to you about the different types of firewalls in the way of big words. Promise you'll think, "it's so simple!"Imagine our company's network is like a big house, the internet outside is a road, employees' comput

    Usually working in the room, fixing roads, switchboards, and most often asked by colleagues, "what's the firewall?" which one do we use?" today, on the occasion of this internal sharing, i will not go through the big words, but i will talk to you about the different types of firewalls in the way of big words. Promise you'll think, "it's so simple!"

    Imagine our company's network is like a big house, the internet outside is a road, employees' computers are family, hackers are uninvited thieves. Firewall? It's the security guard at the door. But there are several kinds of security guards: some look at their identity cards, some look at their chat records, some even recognize what's dangerous in your backpack. The consequences of the wrong choice of security are serious — light data leaks, heavy system paralysis. Our company has grown rapidly over the years, with mixed office and cloud services and firewalls。

    Firewall works on the network floor

    Don't worry, i'm taking you all the way from the most basic package filter to the next generation firewall. There'll be a few pictures in the middle, so you can see it. Let's go

    What's with the firewall

    In short, the firewall is the “transport police + security inspector” in the network. It sits at the entrance to the network, staring at every car: where are you from? Where are you going? Stop it if it's illegal。

    We go through it every day through the internet, through emails and access to internal systems. Without a firewall, the door is open to anyone. A simple software firewall may have been sufficient when the company was small; now the business is large, with remote office, supply chain systems and cloud databases all connected and not upgraded。

    I've seen a lot of colleagues think that "the firewall is a poison-killing software" – wrong. The firewall is a web-level guardian, and poison-killing software is a computer bodyguard, and the two are perfect. We'll talk about it one by one。

    Type i: pack of filtering firewalls

    It's an old firewall. It was in the 1980s. The rationale is super straightforward: it looks only at the "surface information" of the data package - source ip, purpose ip, port number, type of protocol (tcp or udp). It's like the doorman only looks at the name and the photo on the id card and doesn't ask why you're here。

    For example, the company policy is “to allow the flow of http at 80 ports only” and there is only one rule for filtering the firewall: to see that the port is not 80, block it! Speed, low resource consumption, suitable for small network or edge protection。

    But it's got a big problem: not keeping a book. It doesn't remember if the last bag is the same as the one you're in. For example, hackers falsify ip, which may have been released; or a normal connection suddenly went bad, which it does not see。

    For example, the doorman only identified the id number, whether or not you stole someone's id. We used this early in the company. It's simple, but it's not enough now。

    Firewall works on the network floor

    This is the typical package filtering process: once the data pack comes, match the first rule, go on, go on, then the next one, and then it's rejected by default. Super clear, right

    Advantages: cheap, fast, simple deployment。

    Disadvantages: low security levels, easily bypassed。

    Our company still has some filtering rules on the edge router when it's the first one。

    Type ii: status detection firewall

    It evolved in the mid-1990s and was much smarter than filtering. It will not just look at the surface, but will also create a “connection status table” to record where this session was launched and where it is now going。

    For example, you have 100 degrees of access from the company's computer: the firewall says, “this is an internally initiated tcp connection, port 80, state of established”. There's no door! Unless you're the one who started the reply。

    That's great. It's against the syn floods, the ip scams. Most of our main hardware firewalls now have state detection。

    I showed my new colleagues that with wireshawk grabs, the state firewall will show "tracked connections: 12345", as it is. It's much safer than filtering the package, but it's still looking at the transmission layer, and it doesn't care what app you're using。

    Firewall works on the network floor

    This map clearly depicts the process for the status check: control plane-checking policy sheets, data-level maintenance flow tables, and then release them. Did you think, "oh, that's how it's kept?"

    Advantages: safety has improved significantly and performance is good。

    Disadvantages: ignorance at the application level (e. G. Sql injection)。

    Most of our core areas are dominated by state tests, with acl rules。

    Type iii: application layer proxy firewall (and circuit level)

    They are often put together because they all work at higher levels。

    Application level agents: act directly as intermediaries. You want to visit the outside website? First send the request to the proxy firewall, which will visit for you, then transmit the results to you. You can't see your real ip and internal network from outside。

    It's like you asked the secretary to interview your business. People know the secretary, they don't know you. Super-suited to control the behaviour of employees on the internet - for example, allowing access only to company white-list sites or filtering sensitive content。

    Circuit level gateway: a little simpler, it only validates the tcp connection when it is established and then transports transparently. It's not about content, it's about the legality of the circuit。

    What about the flaws? The speed is slower because of the need to “turn hands”; the configuration is complex and requires a separate proxy for each application. Purely applied agents are used less now, but many of the ngfws retain proxy functions。

    Firewall works on the network floor

    Look at this map of the circuit level gateway: there's a "grey box" between the outside and the inside host, connected through the in/out port, super image

    I used the squid proxy firewall in a small company, and the staff were stopped from painting their treasures, saving a lot of bandwidth。

    Type iv: next generation firewall (ngfw)

    That's what we're doing! We're starting to grow up after 2010. Not only does it do everything ahead, but it also has more "deep package testing (dpi), invasion defense (ips), applied identification, user identity control, threat information cloud synchronization."。

    Simply put, it recognizes whether you use micro-intelligence or nails, not just looking at ports 80; who can access the financial system according to the employee's decision; and it can pull the global virus bank in real time and automatically stop a zero-day attack。

    A real case: last year we were exposed to a blackmail software risk, and the ngfw sandbox function threw suspicious documents directly into the clouds for analysis and intercepted them in advance. The old firewall would have been used。

    The largest highlight of ngfw is the application layer + user layer + intelligence layer. The configuration interface is also friendly and drags and drags can handle the strategy。

    Firewall works on the network floor

    This map clearly depicts the ngfw layers of protection: from application to threat intelligence to user control. You'll see why it's called the next generation。

    Advantages: best security, best functioning, better visualization。

    Disadvantages: expensive, need to regularly update threat banks, slightly steep learning curve。

    It's much easier for our company's principals and branches to go to the ngfw of palo alto and fortinet, together with a centralized management platform。

    In addition to the software type, there are differences between hardware, software, cloud firewalls

    The firewall does not just look at “how to check”, it scores “what it looks like”。

    Hardware firewall: specialized boxes, inserted in machine cabinets. It is highly performanceable and resistant to attack and suitable for large-flow environments. That's the big silver-white guys in our room。

    Firewall works on the network floor

    Look at these piled-up hardware firewalls, they're so hot! There's a bunch of them, they're a heat fan, they're a few gs。

    Software firewalls: installed on servers or virtual machines such as iptables, windows firewalls. Affordable, flexible, but performance depends on the host, suitable for testing the environment or small branches。

    Clouds and firewalls: run completely on clouds like aws waf, azure fairewall, google cloud armor. Pays for use, automatically expands, perfects our current hybrid cloud structure. Remote office staff are provided with cloud resources from their homes, using firewalls。

    Firewall works on the network floor

    This cloud wall deployment map, which shows cloudy, multi-geographical protection, is perfect for our current “office + home + business” model。

    How do you choose so many types? Look at the size of the company: a small team of 10 people, software package filtering + status tests are enough; more than 50 people must go to ngfw. Looking at the business scene: there are many web applications that require waf functionality; there are many remote offices with priority given to cloud firewalls. Budget and business: hardware is expensive but steady, and the cloud saves but trusts suppliers. Our company is the "ngfw hardware is main + cloudwaf is accomplished" effect。

    Finally, the regular audit rules, the updating of the solids and penetration tests should not be forgotten. Firewalls and bullies

     
    ReportFavorite 0Tip 0Comment 0
    >Related Comments
    No comments yet, be the first to comment
    >SimilarEncyclopedia
    Featured Images
    RecommendedEncyclopedia