cyber-101

What are some different high-level deployment models for firewalls?

A brief comparison and contrast between some popular firewall terms.

Mike Berggren

Mike Berggren

— 3 min read
What are some different high-level deployment models for firewalls?
Photo by Alexander Schimmeck / Unsplash
💡
This is part of an on-going series in cybersecurity foundations. Check the cyber 101 article tag index from time to time for more content.

Hi there, friends! I'm back. Did you miss me? 😄 It's been awhile since my last post, so I thought it would be helpful to review some foundational concepts. Today, let's go over functional deployment modes and high-level architecture models for firewalls.

A long time ago, in a galaxy far far away, a "firewall" was a simple device with a simple purpose: it was essentially a perimeter gatekeeper for a network. On one side of it, there was the big, bad, scary public internet. On the other side, there was the serene bliss of the internal network. Since then, times have changed and networks have evolved. The idea of a "firewall" has expanded to a lot of different concepts. Now, the term can refer to a TON of different things including architectural models, feature sets, and implementations. I'll just highlight a few examples:

  • Distributed enterprise firewall - This is an architecture where firewall capabilities are broken apart and enforced across multiple points within the enterprise infrastructure (e.g. individual hosts, virtual machines, network segments, etc).
  • Internal Segmentation Firewalls (ISFW) - This is a firewall deployed within an internal network to divide it into smaller, isolated segments or zones. The ISFW typically controls traffic between internal segments.
  • Data-Center Firewalls - This is a broad term referring to firewalls specifically designed and deployed to secure a data center environment.
  • Next-Generation Firewalls (NGFW) - This is a modern firewall that goes beyond traditional packet filtering and stateful inspection. It integrates a broader set of security capabilities into a single platform.

Confused yet? Yeah, I get it. All of these concepts seem to overlap. If it helps, think of it this way:

  • NGFWs are a technology that can be deployed in various locations.
  • Distributed Enterprise Firewalls, Internal Segmentation Firewalls (ISFWs) and Data-Center Firewalls describe where and how firewalls are deployed within an enterprise and what their primary function is in that context.

For more info, consider checking out the following resources:

What Is a Distributed Firewall?
A distributed firewall is a network security solution that enforces firewall policies across multiple strategic points within a network.
Palo Alto Networks
What Is a Next-Generation Firewall (NGFW)? A Complete Guide
A next-generation firewall (NGFW) is a network security device that identifies and controls applications, users, and content to enforce security policies.
Palo Alto Networks
What is a Data Center Firewall?
A data center firewall is a software or hardware device that monitors traffic entering and exiting an organization’s network
Distributed Firewalls
What is a feature of distributed firewalls? The following post addresses the use case for disributed firewalls and their features.
Technology Focused HubMatt Conran

Read more