There are different types of firewalls out there, but they mainly perform some variation of the following tasks: filtering packets based on address and port, "stateful" packet filtering that tracks the state of each connection, and application-level filtering. Depending upon manufacturer and age, your firewall may be capable of performing one or all of these functions.
The best firewalls perform additional functions such as IDS (Intrusion Detection) / IPS (Intrusion Prevention), gateway anti-virus and application-level inspection (also called application firewalling), as well as standard features like NAT (Network Address Translation) / PAT (Port Address Translation), routing and VPN termination. In a small business it is possible to have a single device that performs all of these functions. Larger enterprises often split these functions across separate hardware devices to keep throughput up, since inspecting payloads costs far more per packet than matching ports.
The problem with basic firewalls, ones that only perform packet filtering and stateful filtering, is that attackers send malicious payloads over the very ports and rules that exist to permit a legitimate function, so the attack rides in with the allowed traffic. A simple web server is one example. A traditional firewall will allow traffic from the internet to TCP port 80 so that the site can be reached. Depending upon what the site is, what hardware it actually runs on, how it is written, and whether it connects to another resource (such as an e-commerce site querying a SQL database for customer records), that server may have known or unknown vulnerabilities. A common vulnerability in this example would be SQL injection. A traditional firewall allows this traffic because, looking only at addresses, ports and connection state, it cannot differentiate between a normal user of the website and a malicious user injecting code into the request.
Next-Generation Firewalls help to detect this type of attack by inspecting the contents of the packets they allow into a network, reassembling the application-layer data (an HTTP request, for instance) rather than stopping at the TCP header. Based on signatures or other definitions, these firewalls can determine which traffic is legitimate and which is not, and a lot of attacks can be thwarted by this kind of application-level inspection. These firewalls can also look for anomalies in traffic patterns; that is, traffic that matches neither a known-good profile nor a known-bad signature, on which they take a configured action. This feature offers some protection against unknown and "zero-day" exploits, though not a guarantee: anomaly detection trades false positives against coverage, and encrypted traffic can only be inspected if the firewall terminates or decrypts the TLS session. The bottom line is that the old method of installing a firewall, setting up NAT, and allowing certain port traffic in while blocking other ports is no longer adequate to protect a network.
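To make the contrast concrete, here is an added example, not code from the original article or from any firewall vendor, that serves both the SQL injection scenario above and the inspection behaviour described here. It simulates a port filter and a simplified next-generation inspection path over constructed HTTP requests. The `Packet` class, the signature set, the known-good profile for the `id` parameter and the sample requests are all assumptions made for this illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote_plus, urlsplit


@dataclass
class Packet:
    """Simplified TCP segment: the header fields a port filter uses, plus the payload."""
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    payload: bytes


# Rule table of the traditional filter. It only ever sees protocol and destination port.
PORT_ALLOW = {("tcp", 80), ("tcp", 443)}


def port_filter(pkt: Packet) -> bool:
    """Packet/stateful filter decision: the payload is never consulted."""
    return (pkt.proto, pkt.dst_port) in PORT_ALLOW


# Illustrative SQL-injection signatures (hypothetical, not a vendor signature set).
SQLI_SIGNATURES = {
    "union-select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "tautology": re.compile(r"'\s*or\s*'?\w*'?\s*=", re.I),          # 42' OR '1'='1
    "stacked-query": re.compile(r";\s*(drop|delete|insert|update|exec)\b", re.I),
    "comment-trailer": re.compile(r"(--|/\*)\s*$"),
}

# Known-good profile for this site's parameters (hypothetical; a real device would
# learn or be configured with this). Values outside the profile are anomalies.
PARAM_PROFILE = {"id": re.compile(r"^\d{1,10}$")}


def parse_http_request(payload: bytes):
    """Return (method, target) from the request line, or None if this is not HTTP."""
    try:
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    return (method, target) if version.startswith("HTTP/") else None


def query_fields(target: str):
    """Decode each query parameter. parse_qsl decodes once; decoding a second time
    catches the double-encoding trick (%2527 -> %27 -> ') used to evade naive matching."""
    return [(name, unquote_plus(value))
            for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True)]


def inspect(pkt: Packet) -> str:
    """Next-generation style decision: port rule first, then application-layer content."""
    if not port_filter(pkt):
        return "DROP: port not allowed"
    if pkt.dst_port != 80:
        return "ALLOW: no HTTP inspection on this port"  # 443 would need TLS decryption first
    request = parse_http_request(pkt.payload)
    if request is None:
        return "DROP: not HTTP on port 80"
    _, target = request
    for name, value in query_fields(target):
        for sig_name, sig in SQLI_SIGNATURES.items():          # known-bad check
            if sig.search(value):
                return f"DROP: signature {sig_name} in parameter {name}"
        profile = PARAM_PROFILE.get(name)                        # known-good check
        if profile is None or not profile.match(value):
            return f"DROP: anomaly in parameter {name}: {value!r}"
    return "ALLOW"


def http_get(target: str) -> bytes:
    return f"GET {target} HTTP/1.1\r\nHost: shop.example\r\n\r\n".encode("ascii")


# Constructed sample traffic (not captured data). Every HTTP request shares the same
# source, destination and port, so the port filter cannot tell them apart.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80, http_get("/product?id=42")),
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80,
           http_get("/product?id=42%27%20OR%20%271%27%3D%271")),            # ' OR '1'='1
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80,
           http_get("/product?id=42%2520UNION%2520SELECT%2520user%2Cpass%2520FROM%2520users")),
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80, http_get("/product?id=abc")),  # off-profile
    Packet("198.51.100.7", "192.0.2.10", "tcp", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
]


def compare() -> list:
    """Run both filters over the samples; returns (port verdict, NGFW verdict) per packet."""
    return [("ALLOW" if port_filter(p) else "DROP", inspect(p)) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, (port_verdict, ngfw_verdict) in zip(SAMPLE_PACKETS, compare()):
        print(f"dst_port={pkt.dst_port:<3} port-filter={port_verdict:<5} ngfw={ngfw_verdict}")
```

Running it shows the port filter admitting all four port-80 requests, while the inspection path drops the two injection attempts on signature and the off-profile value on the anomaly check. The third request is double-encoded; a single decode would leave `%20UNION%20SELECT` unmatched, which is why inspection engines normalise input before matching. The anomaly rule is deliberately strict (anything not matching the profile is dropped) to show the trade-off mentioned above: tighten the profile and you catch more unknown attacks, but you also start dropping legitimate requests that do not fit it.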