The term “firewall” became a part of the IT lexicon in the 1980s, when computers were moving out of the research and academic facilities and into very early use in enterprises. That was a long time ago—eons ago in computing years. Three decades ago, networks and computing infrastructure were much simpler than they are today, as were the security considerations for networked computers and applications.
Because of these differences, it’s difficult to speak of firewalls today in the same sense in which the term was used in the 1980s (or even the 1990s or 2000s). Given all the changes that have occurred in the way we build and deploy applications—from the advent of the cloud, to the shift toward microservices, to the explosive popularity of Docker containers—it’s time to reassess what a firewall is in today’s cloud-native age.
The Traditional Definition of a Firewall
It’s easy to define what a firewall used to mean. Put simply, a firewall was a hardware device or software application that determined which network traffic to accept and which to reject based on preconfigured rules.
This way of thinking about and building firewalls made sense in a bygone era, when the following conditions were true:
- The network of your organization had clearly defined and static perimeters, and a firewall could be used effectively to determine which traffic was allowed inside and which wasn’t.
- “Good” and “bad” packets could be identified reliably based on the IP addresses from which they originated.
- Most traffic was acceptable, and the bad packets that you wanted to block accounted for a minority.
How Times Have Changed
About a decade ago, when most businesses began shifting their workloads toward a cloud-centric infrastructure, the conditions above ceased to hold true in several respects. Networks no longer had fixed perimeters; instead, the blending of local and cloud-based environments meant that the network on which your organization depended extended into the public internet and public cloud in many cases.
Additionally, identifying malicious traffic is now no longer as simple as registering which IP addresses to block. The bad guys have become much more adept in recent years at hiding their tracks by taking advantage of VPNs, botnets and other means of obscuring the true origins of network traffic. This makes IP addresses a less useful way of identifying malicious traffic. Looking at protocols and the nature of the traffic itself has become more important than simply tracking traffic origin. This is all the more true because the increasing prevalence of insider attacks means that many breaches now start from within the network, and blocking external traffic is therefore not sufficient for keeping systems secure.
We now live in a world where the most secure approach is to assume that all network traffic is malicious, and we should accept only traffic that we know to be safe. This is why it’s now common to use whitelists, rather than blacklists, as the basis for controlling network traffic.
How Firewalls Work Today
The changes above mean that the way firewalls work today (if they have a decent chance of being effective for cloud-native, microservices-based, software-defined infrastructure, at least) is very different from the way they worked in the past.
It’s now important to think of your firewall not as a single tool, but to draw a distinction between layer 3 and layer 7 firewalls. Each represents a different firewall tool that mitigates different kinds of risks. It’s not an either/or question; in most cases, you’d use both a layer 3 and a layer 7 firewall at the same time.
Here are the main differences: Layer 3 firewalls make decisions based on a much narrower set of variables (IP addresses and ports) than layer 7 firewalls, which have to handle an effectively unbounded space of unique requests. Thus, layer 3 firewalls are generally able to achieve much greater throughput than layer 7 firewalls. In addition, because they operate at a lower level of the stack, layer 3 firewalls cover a wider variety of scenarios than a layer 7 firewall, which needs protocol-specific logic for each kind of traffic flow it protects. In contrast, layer 3 firewalls simply allow or deny based on source and destination addresses and ports, without awareness of the traffic within, and thus work universally across any IP-based scenario.
Yet the lack of protocol awareness is a significant blind spot, and it is the one that layer 7 firewalls address. As HTTP has become the universal application protocol, attackers are more likely to probe and exploit weaknesses within the application layer. So if you have only a layer 3 firewall that allows all traffic to port 80, you’re blind to those risks. A layer 7 firewall fills this visibility gap because it can look within the application layer and decide whether to allow a request based on what it contains, not just the port it’s trying to reach. This is a more computationally costly operation, but one that provides significantly greater security.
The multi-layered nature of firewalls today also speaks to the ways in which overall firewalling strategies have changed. Given the complex nature of today’s security threats, the numerous ways in which they can manifest themselves, and the difficulty of tracing them to their original sources, it no longer suffices to think of network security as a single-layer task.
Instead, the best model for most scenarios is to use multiple layers of defense in depth. You need a layer 3 firewall at the edge that allows inbound traffic only on the specific ports your apps use. Those ports should then be routed to a layer 7 firewall for deep inspection at the app protocol level. This model leverages the strengths of each approach: the layer 3 firewall efficiently drops all packets except those from allowed sources and destined to allowed ports, which lets the layer 7 firewall focus exclusively on inspecting the content of the requests to those ports.
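As an added illustration (not code from the original article), here is a toy Python version of the two-stage model just described: a layer 3 decision made from source address and destination port alone, followed by a layer 7 decision that parses the HTTP request arriving on an allowed port and accepts only what matches an allowlist. All networks, ports, paths and request bytes are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Layer 3 policy (constructed sample values): allowlisted source networks and
# destination ports. This stage never looks at the payload.
ALLOWED_SRC_NETS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
ALLOWED_DST_PORTS = {80, 443}

# Layer 7 policy: accept only what we know to be safe (allowlist, not blocklist).
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_PATH_PREFIXES = ("/api/", "/static/")
MAX_BODY_BYTES = 4096

@dataclass
class Packet:
    src_ip: str
    dst_port: int
    payload: bytes = b""

def layer3_decision(pkt):
    """Cheap, protocol-unaware check: source address and destination port only."""
    src = ip_address(pkt.src_ip)
    return pkt.dst_port in ALLOWED_DST_PORTS and any(src in net for net in ALLOWED_SRC_NETS)

def layer7_decision(payload):
    """Costly, protocol-aware check: parse the HTTP request and judge its content."""
    try:
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, path, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return False, "unparseable request line"
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return False, "unsupported HTTP version"
    if method not in ALLOWED_METHODS:
        return False, "method not on allowlist"
    if not path.startswith(ALLOWED_PATH_PREFIXES) or ".." in path.split("/"):
        return False, "path not on allowlist"
    if "host" not in headers:
        return False, "missing Host header"
    if len(body) > MAX_BODY_BYTES:
        return False, "body exceeds size limit"
    return True, "ok"

def filter_packet(pkt):
    """Edge pipeline from the article: layer 3 drops first, survivors get layer 7 inspection."""
    if not layer3_decision(pkt):
        return "DROP", "layer3: source or port not allowed"
    ok, reason = layer7_decision(pkt.payload)
    return ("ALLOW" if ok else "DROP"), "layer7: " + reason
```

Note that the layer 3 stage rejects the wrong source or port without ever decoding a byte of payload, while every verdict from the layer 7 stage requires parsing the request, which is exactly the throughput-versus-visibility trade-off the article describes.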
In its simplest form, the definition of a firewall as it was established in the 1980s holds true today, in the sense that a firewall is a tool that blocks certain kinds of traffic.
However, today’s firewalls look and act very differently than those of the past. Modern, cloud-native firewalls are dynamic. They use data and analytics to make informed, real-time decisions about which traffic to allow in. That’s very different from the firewalls of old, which operated according to preset configurations.
In addition, modern firewalls fall into two main categories—layer 3 and layer 7 firewalls. Both have advantages and drawbacks, as explained above, and both are essential tools for a modern security strategy.