A packet-filtering firewall is a firewall that controls data flow into and out of a network. It’s a solution that allows packets to travel between networks while controlling their flow through the use of user-defined IP addresses, protocols, ports, and rules. Routing of packets is only successful when they have satisfied the predetermined filtering rules.
Table of Contents
Packet filtering determines whether to grant or deny packet access based on source and destination IP addresses, protocols, ports, flags, and whether the packets are incoming or outgoing.
Most computer networks today are based on packet-switched networks (PSNs), which break down communication into packets before transferring them across the network. As soon as these packets pass through a firewall, they are reordered to reach their destination in the order required to present the information correctly.
Each packet contains two key components: a header and a payload.
Packet-filtering firewalls search for information in each packet’s IP, TCP, and UDP headers and check that information against the network’s access control lists to decide whether to block or allow the packet. If the packet is verified, the firewall allows it to pass through and extract the payload.
Permission to pass through the firewall is completely dependent on the firewall’s predetermined filtering rules. This allows administrators to configure packet filtering rules that reject all packet transmission except for packets from specific IP addresses and ports.
Packet-filtering firewalls offer several advantages over later and more complex stateful firewalls, including speed, cost-effectiveness, ease of use, and transparency.
The decisions made by packet-filtering firewalls are based on simple, predetermined formulas that don’t require deep packet inspection (DPI). As a result, they are typically able to accept or reject packets relatively quickly.
Since packet-filtering firewalls only need one filtering router to provide security to the internal network, they are quite cost-effective. Additionally, packet filtering functionality is built into most popular software and hardware routing devices, and most websites infuse such functionality into their routers, so they don’t require purchasing additional solutions to function effectively.
Packet-filtering firewalls are among the most basic firewalls and do not require much additional training to use them effectively once they are implemented. And since only one router is required to secure a network, users don’t have multiple routers to manage simultaneously.
In most cases, packet filtering is carried out autonomously by these firewalls, meaning that human awareness and intervention are not required until a packet has been rejected. Either way, because the rules are preset by the user, there is a clear reason for the firewall’s decision.
Although packet-filtering firewalls have their place, there are some concerns that users should be aware of. They are less secure than newer firewalls, lack logging capabilities, can be challenging to set up, and are incompatible with some protocols and policies.
The most important thing to be aware of regarding packet-filtering firewalls is that they are less secure than their more modern counterparts. Since packet-filtering firewalls favor IP addresses and port information instead of context or application information, they lack the context that other types of firewalls have. And since they only check packet headers and not payloads, they are vulnerable to spoofing.
Packet-filtering firewalls don’t retain data about how packets move around the network. The absence of any sort of logging functionality may interfere with some organizations’ compliance requirements.
While packet-filtering firewalls are easy to use once they’ve been established, it can be challenging and time-consuming to build the initial required filters. Users also have to be cautious when entering rules as they are checked in sequential order, which can create a tangle of read errors in larger installations.
Some protocols, such as remote procedure call (RPC)-based protocols, prove to be unsuitable for packet-filtering security. Additionally, some policies may prove difficult to enforce using basic packet-filtering firewalls as the firewalls make it difficult to impose limitations on specific users and may render higher-level protocols ineffective.
There are two main types of packet-filtering firewalls: stateless, or static packet-filtering, and stateful, or dynamic packet-filtering. Stateful firewalls are undeniably the more advanced of the two, but there are still qualified uses for stateless firewalls as well.
The most basic type of packet-filtering firewalls, a static packet-filtering firewall is a type of firewall whose rules are manually established and the connection status between external and internal networks is either open or closed until it is manually changed.
As these firewalls require human intervention, administrators must regularly check, configure, and manage access control lists, rules, IP addresses, and ports.
Though stateless firewalls remain the most common type, they are becoming less widespread today. However, they’re still useful to service providers who offer low-power customer premises equipment. Their set-it-and-forget-it practicality makes them suitable for simple home or small business networks.
A dynamic packet-filtering firewall is a firewall whose rules can be adjusted based on the context and whose ports remain open for a limited period before closing.
These firewalls operate at the network, transport, and session layers and can track not only individual packets but all ongoing network activity using extensions such as TCP and UDP streams. Stateful firewalls discern between harmless and harmful traffic and packages by detecting the full context of incoming packets—not only their headers.
Dynamic packet-filtering firewalls are more flexible than static firewalls since they enable administrators to put customizable parameters and automatable procedures in place. These firewalls are effective for protocols like the File Transfer Protocol (FTP) which dynamically allocate ports.
Due to the evolution of the networking and security landscape, it’s common to find packet-filtering features within a much more comprehensive firewall solution to cater for the shortcomings of standalone packet-filtering solutions. Below are three firewall solutions that exemplify this.
Cisco ASA delivers a firewall and network security platform that offers its users highly secure data and resource access. Cisco ASA offers a network firewall that implements stateful packet inspection to prevent access to unauthorized traffic. The firewall checks access control lists to determine whether to grant or deny access. Its packet-filtering features enable users to create rules of greater complexity and block traffic based on the protocols in use.
Cisco doesn’t list pricing for its ASA firewall, but it provides multiple avenues for contacting the company to discuss options, either by live chat, phone, or sales form to request a direct call in 15 minutes or less.
FortiGate NGFWs offer enterprise security for the campus edge to deliver full visibility into applications and users. Although this is an NGFW, one of its tools is packet capture, which enables users to manually look inside the headers of packets. Users can record the packets seen by a network interface, trace connection states to their points of failure, and more, while leveraging Fortinet’s state-of-the-art NGFW features.
You can contact Fortinet for pricing information on their NGFWs, or request a free product demo to explore features up close.
Check Point Quantum firewalls offer modern features that cover security functionality as well as mature, cloud-based, centralized management. Check Point’s advanced threat detection across its security portfolio makes it an extensive security platform solution. The firewall has features like Packet Flow, which checks the source IP address and port, destination IP address and port, as well as the protocol to determine whether to allow or discard packets.
Check Point invites prospective customers to either request a free demo or contact their sales team to discuss pricing.
The short answer is, everyone should be using a packet-filtering firewall. Although these firewalls may be unable to deliver the level of security required for every use case, they provide an effective, inexpensive base level of security for organizations of any size.
Any organization that wants to implement the first step in securing its internal users from external threats should consider a packet-filtering firewall. This category might include small businesses or those with a limited budget that are seeking a basic level of security against known threats.
For environments with reporting and compliance requirements, packet-filtering firewalls may be a poor choice due to their lack of logging capabilities. Furthermore, considering today’s ever-evolving threat landscape, it’s a risk to wholly depend on packet-filtering firewalls as your only defense from external threats. Larger organizations should especially avoid dependence on packet-filtering firewalls as their only firewall option. However, they can and should incorporate them as part of a layered defense for monitoring traffic between various internal departments.
Packet filtering firewalls provide a fast, cost-effective, transparent, and easy-to-use firewall for users to secure their internal networks against known threats.
However, as today’s threats become more and more sophisticated, it would be beneficial to consider combining these firewalls with other firewall solutions and overall security solutions applicable to your networks to ensure that your networks are fully protected and compliant and to get the best out of your packet-filtering firewall.
If you’re looking for a more comprehensive security package, here are the best network security companies to trust with your organization’s data.
Enterprise Networking Planet aims to educate and assist IT administrators in building strong network infrastructures for their enterprise companies. Enterprise Networking Planet contributors write about relevant and useful topics on the cutting edge of enterprise networking based on years of personal experience in the field.
Advertise with TechnologyAdvice on Enterprise Networking Planet and our other IT-focused platforms.
Property of TechnologyAdvice.
© 2022 TechnologyAdvice. All Rights Reserved
Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.