A packet-filtering firewall is a firewall that controls data flow into and out of a network. It’s a solution that allows packets to travel between networks while controlling their flow through the use of user-defined IP addresses, protocols, ports, and rules. Routing of packets is only successful when they have satisfied the predetermined filtering rules.
How Packet Filtering Works
Packet filtering determines whether to grant or deny packet access based on source and destination IP addresses, protocols, ports, flags, and whether the packets are incoming or outgoing.
Most computer networks today are based on packet-switched networks (PSNs), which break down communication into packets before transferring them across the network. As soon as these packets pass through a firewall, they are reordered to reach their destination in the order required to present the information correctly.
Each packet contains two key components: a header and a payload.
- Headers ensure that data is routed to the correct destination.
- Payloads contain the data seeking to be delivered.
Packet-filtering firewalls search for information in each packet’s IP, TCP, and UDP headers and check that information against the network’s access control lists to decide whether to block or allow the packet. If the packet is verified, the firewall allows it to pass through and extract the payload.
Permission to pass through the firewall is completely dependent on the firewall’s predetermined filtering rules. This allows administrators to configure packet filtering rules that reject all packet transmission except for packets from specific IP addresses and ports.
Top 4 Advantages of Packet-Filtering Firewalls
Packet-filtering firewalls offer several advantages over later and more complex stateful firewalls, including speed, cost-effectiveness, ease of use, and transparency.
The decisions made by packet-filtering firewalls are based on simple, predetermined formulas that don’t require deep packet inspection (DPI). As a result, they are typically able to accept or reject packets relatively quickly.
Since packet-filtering firewalls only need one filtering router to provide security to the internal network, they are quite cost-effective. Additionally, packet filtering functionality is built into most popular software and hardware routing devices, and most websites infuse such functionality into their routers, so they don’t require purchasing additional solutions to function effectively.
Ease of use
Packet-filtering firewalls are among the most basic firewalls and do not require much additional training to use them effectively once they are implemented. And since only one router is required to secure a network, users don’t have multiple routers to manage simultaneously.
In most cases, packet filtering is carried out autonomously by these firewalls, meaning that human awareness and intervention are not required until a packet has been rejected. Either way, because the rules are preset by the user, there is a clear reason for the firewall’s decision.
Top 4 Disadvantages of Packet-Filtering Firewalls
Although packet-filtering firewalls have their place, there are some concerns that users should be aware of. They are less secure than newer firewalls, lack logging capabilities, can be challenging to set up, and are incompatible with some protocols and policies.
The most important thing to be aware of regarding packet-filtering firewalls is that they are less secure than their more modern counterparts. Since packet-filtering firewalls favor IP addresses and port information instead of context or application information, they lack the context that other types of firewalls have. And since they only check packet headers and not payloads, they are vulnerable to spoofing.
Lack of logging capabilities
Packet-filtering firewalls don’t retain data about how packets move around the network. The absence of any sort of logging functionality may interfere with some organizations’ compliance requirements.
While packet-filtering firewalls are easy to use once they’ve been established, it can be challenging and time-consuming to build the initial required filters. Users also have to be cautious when entering rules as they are checked in sequential order, which can create a tangle of read errors in larger installations.
Protocol incompatibilities and policy enforcement difficulties
Some protocols, such as remote procedure call (RPC)-based protocols, prove to be unsuitable for packet-filtering security. Additionally, some policies may prove difficult to enforce using basic packet-filtering firewalls as the firewalls make it difficult to impose limitations on specific users and may render higher-level protocols ineffective.
Types of Packet-Filtering Firewalls
There are two main types of packet-filtering firewalls: stateless, or static packet-filtering, and stateful, or dynamic packet-filtering. Stateful firewalls are undeniably the more advanced of the two, but there are still qualified uses for stateless firewalls as well.
Stateless firewalls, aka static packet filtering
The most basic type of packet-filtering firewalls, a static packet-filtering firewall is a type of firewall whose rules are manually established and the connection status between external and internal networks is either open or closed until it is manually changed.
As these firewalls require human intervention, administrators must regularly check, configure, and manage access control lists, rules, IP addresses, and ports.
Though stateless firewalls remain the most common type, they are becoming less widespread today. However, they’re still useful to service providers who offer low-power customer premises equipment. Their set-it-and-forget-it practicality makes them suitable for simple home or small business networks.
Stateful firewalls, aka dynamic packet filtering
A dynamic packet-filtering firewall is a firewall whose rules can be adjusted based on the context and whose ports remain open for a limited period before closing.
These firewalls operate at the network, transport, and session layers and can track not only individual packets but all ongoing network activity using extensions such as TCP and UDP streams. Stateful firewalls discern between harmless and harmful traffic and packages by detecting the full context of incoming packets—not only their headers.
Dynamic packet-filtering firewalls are more flexible than static firewalls since they enable administrators to put customizable parameters and automatable procedures in place. These firewalls are effective for protocols like the File Transfer Protocol (FTP) which dynamically allocate ports.
Best 3 Packet-Filtering Firewalls
Due to the evolution of the networking and security landscape, it’s common to find packet-filtering features within a much more comprehensive firewall solution to cater for the shortcomings of standalone packet-filtering solutions. Below are three firewall solutions that exemplify this.
Cisco ASA firewall
Cisco ASA delivers a firewall and network security platform that offers its users highly secure data and resource access. Cisco ASA offers a network firewall that implements stateful packet inspection to prevent access to unauthorized traffic. The firewall checks access control lists to determine whether to grant or deny access. Its packet-filtering features enable users to create rules of greater complexity and block traffic based on the protocols in use.
- Integrated intrusion prevention system (IPS), virtual private network (VPN), and unified communications capabilities
- Cisco TrustSec for software-defined segmentation and context awareness
- Offers high availability for high-resiliency applications
- Uses identity-based firewall technology to provide context awareness
- Uses high-performance, multisite, and multinode clustering to enable enterprises to raise capacity and performance
- Provides support for next-generation encryption standards
- Its GUI has room for improvement.
- Users may find ASA to be complex in configuration and troubleshooting.
Cisco doesn’t list pricing for its ASA firewall, but it provides multiple avenues for contacting the company to discuss options, either by live chat, phone, or sales form to request a direct call in 15 minutes or less.
FortiGate NGFWs offer enterprise security for the campus edge to deliver full visibility into applications and users. Although this is an NGFW, one of its tools is packet capture, which enables users to manually look inside the headers of packets. Users can record the packets seen by a network interface, trace connection states to their points of failure, and more, while leveraging Fortinet’s state-of-the-art NGFW features.
- FortiGuard services provide comprehensive controls and threat intelligence
- FortiOS enables automated workflows and network convergence on a single operating system
- A suite of firewall solutions to select from
- Threat protection against advanced threats
- Multilayered protection as NGFWs are not limited to upper inspection layers
- AI-powered security
- Upfront costs may be higher than those of standalone firewall solutions.
- A greater impact on network performance as compared to standalone firewall solutions.
You can contact Fortinet for pricing information on their NGFWs, or request a free product demo to explore features up close.
Check Point Quantum firewall
Check Point Quantum firewalls offer modern features that cover security functionality as well as mature, cloud-based, centralized management. Check Point’s advanced threat detection across its security portfolio makes it an extensive security platform solution. The firewall has features like Packet Flow, which checks the source IP address and port, destination IP address and port, as well as the protocol to determine whether to allow or discard packets.
- SandBlast Threat Prevention
- Maestro Hyper-scale Networking for scalable, high-speed protection against Gen V cyberattacks
- Secure remote access with VPN and multifactor authentication (MFA)
- Highly customizable to enable customers to tailor the firewall to their needs
- Integrability with other security products
- Autonomous threat prevention
- May be complex to manage and require more technical knowledge compared to standalone firewall products.
- Technical support has room for improvement.
Check Point invites prospective customers to either request a free demo or contact their sales team to discuss pricing.
Who Should and Shouldn’t Use Packet-Filtering Firewalls?
The short answer is, everyone should be using a packet-filtering firewall. Although these firewalls may be unable to deliver the level of security required for every use case, they provide an effective, inexpensive base level of security for organizations of any size.
Any organization that wants to implement the first step in securing its internal users from external threats should consider a packet-filtering firewall. This category might include small businesses or those with a limited budget that are seeking a basic level of security against known threats.
For environments with reporting and compliance requirements, packet-filtering firewalls may be a poor choice due to their lack of logging capabilities. Furthermore, considering today’s ever-evolving threat landscape, it’s a risk to wholly depend on packet-filtering firewalls as your only defense from external threats. Larger organizations should especially avoid dependence on packet-filtering firewalls as their only firewall option. However, they can and should incorporate them as part of a layered defense for monitoring traffic between various internal departments.
Bottom Line: Packet-Filtering Firewalls Are a Foundation of Network Security
Packet filtering firewalls provide a fast, cost-effective, transparent, and easy-to-use firewall for users to secure their internal networks against known threats.
However, as today’s threats become more and more sophisticated, it would be beneficial to consider combining these firewalls with other firewall solutions and overall security solutions applicable to your networks to ensure that your networks are fully protected and compliant and to get the best out of your packet-filtering firewall.
If you’re looking for a more comprehensive security package, here are the best network security companies to trust with your organization’s data.