E-BOOK

2019

THE
COMPREHENSIVE
GUIDE TO
COMMERCIAL
FIREWALLS
PART ONE: WHAT ARE
FIREWALLS FOR?
Cybersecurity is not just another cost to be added to
the corporate budget. It’s a valuable asset that protects
your customers, employees, and partners from very real
dangers. It plays a critical role in your organization’s public
image. When done right, cybersecurity projects an image of
competence and trustworthiness. In the wake of a large-
scale cyberthreat, it can become a competitive advantage
that lets you distinguish your organization from everyone
else in the industry.
In order to be effective, your organization’s cybersecurity
solution needs to be robust, multi-layered, and
comprehensive. Every tool has to serve a specific
purpose and to perform that task well. Most people are
already familiar with these tools. Antivirus software, data
encryption, and password managers are great examples.
There is one tool that almost everyone is aware of, but
knows little about: the firewall. Microsoft has included
firewall software in every version of its Windows operating
system since 2003. Most consumer internet routers include
basic firewall functionality. But neither Microsoft nor
hardware router manufacturers go to great lengths to
educate their customers about what firewalls actually do or
why they are necessary pieces in the cybersecurity puzzle.
2 3
FIREWALL TECHNOLOGY EXPLAINED:
WHAT A FIREWALL DOES
A firewall is an internet traffic filter that examines packets
of data according to a set of rules. Think of internet
traffic as road traffic – the firewall is the police roadblock
checking every car’s license plate against a database
looking for stolen or suspicious vehicles.
Whenever a packet of data enters your network, the
firewall verifies its contents against the rules in its list and
flags the packet as safe or suspicious. Firewalls can verify
traffic in either direction and implement rules that apply
according to users’ needs.
Network firewalls run inside dedicated hardware devices
or inside routers and protect entire networks, while host
firewalls (also called “personal” or “desktop” firewalls)
run on individual devices. Both types of firewalls can
apply different sets of rules to traffic flowing in different
directions. This helps to identify and protect against
cyberthreats, negligent users, and compromised in-
network devices.
Firewalls protect sensitive data, provide network traffic
visibility, and prevent unauthorized users from accessing
private networks. But not all firewalls are equal – in fact,
they differ radically in quality and capability.
WHAT FIREWALLS DON’T DO 4 THREATS THAT BASIC FIREWALL
TECHNOLOGY WON’T PROTECT YOU
So far, it’s clear that firewalls perform an important AGAINST
cybersecurity function. By inspecting packets of
data according to specific rulesets, they can prevent
unauthorized data transactions from taking place.

But basic firewalls can’t offer all-in-one security

protection. If a small business relies entirely on consumer-
grade firewall technology, it is leaving itself vulnerable to
all but the crudest and simplest cyberattacks.

Verifying incoming and outgoing data packets according

to strictly defined rulesets is important, but it can only
be as effective as the rules themselves. This is why
most consumer-grade firewalls fail to deliver truly
comprehensive multi-layer security results on their own.
Operating system programmers and router manufacturers
generally don’t need to offer more than the bare minimum.

As a result, many Wi-Fi routers are already compromised
before you even turn them on. The routers that ISPs give
their customers are often not any safer. Those providers
give out millions of routers a year, making them prime
targets for cybercriminals.
The reasoning behind this is simple. Buyers want plug-and-
play functionality – they don’t want to configure firewall
rulesets in order to get email and YouTube working.
Since firewalls operate based on strictly defined rulesets,
any data that appears genuine according to the ruleset
will pass right through.
To explain how this works, expanding the roadblock
analogy might be useful. Verifying vehicle license plates
won’t tell the police if someone is smuggling contraband
across the border in their own car.

4 5
There are many threats that basic firewall technology
can’t detect or mitigate against:
Email Phishing - If a cybercriminal sends a spoofed
email pretending to be from a trusted third-party
service like Google, and an employee falls it, your
network firewall won’t protect you.
Compromised Passwords - If an employee sets an
easy-to-guess password or makes the mistake of reusing
it across sites, a cybercriminal can easily gain access
through that vulnerable asset and use it to gain access
to the network.
Insider Threats - Disgruntled employees are a pervasive
security threat. Basic firewalls can’t stop someone who
already has privileged access to your network.
Multi-stage Infiltration - What if a cybercriminal sends
multiple data packets that are clean enough to pass
your firewall on an individual basis, but that trigger
malicious downloads from within the safety of your
network? That’s exactly how sophisticated document-
based security exploits work.
Certain types of firewalls can help play a role in mitigating
these threats. IT administrators must be familiar with
the different types of firewalls available in order to
implement a comprehensive solution.
6 7
PART TWO: TYPES OF
FIREWALLS AND THEIR
APPLICATIONS
Firewalls offer a range of different cybersecurity
functions, allowing rules based on ports, protocols,
applications, websites, file types and more. Because
firewall technologies differ from one another,
organizations need to identify which firewall
architectures best serve their particular needs. For large
organizations with complex IT infrastructures, this will
almost certainly mean using different types of firewalls
for different devices and users.
5 TYPES OF FIREWALL ARCHITECTURES
EXPLAINED
The vast majority of firewalls on the market today use
one of the following five architectures. Each one serves
specific purposes that IT decision-makers should be
familiar with.
1. Packet-filtering Firewalls
The packet-filtering architecture is the oldest and
most basic firewall technology. It consists of a single
checkpoint where the firewall verifies incoming and
outgoing data packets according to its ruleset.
Typically, it will look for the data packet’s origin,
destination, type, port number, and other surface-level
data. It does not open the data packet to inspect what
kind of data it actually carries. It will quickly determine
which packets are cleared to go through the system and
drop the ones that fail its tests.
2. Circuit-level Gateways
Circuit-level gateways are resource-efficient, but easy
to trick. Instead of looking at individual packet data and
contents, they examine the transmission control protocol
(TCP) to determine whether the data packet should be
trusted or not.
The idea is that since TCP data can show whether a
connection is legitimate or not, it provides an easy way
to quickly verify an incoming transmission. But if a
cyberattack compromises a trusted connection after the
circuit-level gateway verifies TCP data, then your network
is vulnerable.
3. Stateful Inspection Firewalls
An example of a stateful inspection firewall is one that
takes each step in the TCP handshake process into
consideration. This means that the firewall can remember
data transfer patterns by grouping multiple data packets
into categories defined by their state. For instance,
you can instruct a stateful inspection firewall to allow
established connections while denying new connections.
8 9
Stateless firewall technologies, on the other hand, do
not keep track of transfer protocol states. These simpler
firewalls examine every data packet on a one-by-one basis.
This makes them susceptible to multi-stage infiltration in a
way that stateful inspection firewalls are not.
4. Application-level Gateways
Also called proxy firewalls, these gateways operate at
the application layer – which means they establish a
connection with the source of the data packets before
inspecting them. Like the stateful inspection firewall,
application-level gateways look into the contents of data
packets to verify them via deep packet inspection (DPI).
Application-level gateways establish a degree of
separation between your network and the systems
sending data packets to it. This separation protects your
network from cyberattacks while allowing the firewall to
more carefully inspect traffic.
5. Next-Generation Firewalls
Next-generation firewalls combine all of the above
technologies and add superior connectivity, performance,
and analysis. A next-generation firewall can perform
deep-packet inspection, verify TCP handshakes, and set
unique policies on a user-by-user basis while generating
in-depth reports about network usage and threats.
Next-generation firewalls include solutions for mitigating
security threats outside the traditional scope of firewalls.
For instance, they can incorporate sophisticated threat
detection algorithms for handling insider threats, email
phishing, and multi-stage infiltrations. They can also
provide more granular tools for controlling access to
internet resources in the first place, such as blocking or
tracking access to specific websites, applications, file
types and more.
WHICH FIREWALL TECHNOLOGY DOES
YOUR ORGANIZATION NEED?
There are advantages and drawbacks to each firewall
architecture. Today’s cybersecurity landscape demands a
comprehensive solution that incorporates many firewall
features into a single cost-effective solution.
Simple packet filtering and circuit-level gateway
functions offer minimal protection, but operate without
impacting performance. These solutions are inexpensive
and easy to maintain.
Stateful inspection offers increased security, but may
cut into network performance since the firewall must
inspect data packet contents and keep detailed logs
on connection states. Application-level gateways offer
greater security performance, but risk slowing down
network speed.
10
Modern organizations need to combine multiple firewall
technologies into a unified solution that combines these
architectures into efficient, customizable solutions. Multi-
layered cybersecurity defenses ensure organizations
strike the ideal balance between cost, performance, and
network speed.
Next-generation firewall technology can offer the best
of each firewall architecture while remaining easy
to implement and cost-effective. Additionally, next-
generation firewalls are engineered to minimize their
impact on network performance. Choosing the right next-
generation firewall requires looking at your organization’s
specific risk profile and identifying value-added features
it can make use of.
Small and mid-sized businesses have different security
needs than large enterprises or institutions. Your ideal
cybersecurity solution must take those factors into account.
11
PART THREE: CHOOSING
THE RIGHT FIREWALL FOR
YOUR ORGANIZATION
Every organization has a unique risk profile. Government
agencies and healthcare providers need to protect
sensitive data from getting into the wrong hands. Schools
and universities need to protect their networks from
unsecured personal devices and their students from
accessing illegal or inappropriate content.
Small and mid-sized businesses have a specific set of
threats to worry about. Small businesses are particularly
susceptible to data breaches, ransomware, and phishing
schemes that could end up putting them out of business.
Under these conditions, firewall technology has to be
able to accommodate commercial activities while offering
suitable levels of protection to individual employees
and their supervisors. At the same time, the firewall
solution itself must be simple and robust enough for IT
administrators to learn and use successfully.
THREE MUST-HAVE COMMERCIAL
FIREWALL FEATURES
For your firewall to meet the needs of today’s cybersecurity
12
landscape, you must choose a solution that offers features
suited to your particular organization’s risk profile.
A professional cybersecurity assessment can help identify
how the following features may impact your business:
1. Flexible User Management
In any organization, different users will have different
connectivity and privileged access needs. Their firewalls
must reflect those needs and protect against the threats
they are most likely to meet.
For some employers, this means protecting against email
phishing and preventing fraudulent emails from every
reaching their inboxes. For others, it may mean setting
certain ports to close themselves when not in use, or
inspecting bandwidth usage in greater detail.
2. Reporting and Analysis
Your firewall solution must include reporting and analysis
capabilities so that you can verify the effectiveness of
your security framework. If it generates event logs at the
individual user level, you can audit and trace security-
related events to their origins and reduce the damage of
any cyberattacks that get through your defenses.
3. Guaranteed Compliance
Schools, governments, healthcare providers, and other
institutions have to follow strict regulations concerning
13
the privacy and security of their users’ data. Commercial
organizations are not exempt from these guidelines either.
Even if small businesses aren’t compelled to comply
with strict user data regulations like larger institutions
are, they must take adequate measures to protect
their customers and users. Kaspersky Labs estimates
the average cost of a small business data breach at
approximately $117,000.
FIREWALLS AND VPNS: PREVENT LOSS
AND GENERATE VALUE
Many executives and small business owners see firewalls
primarily as vehicles for loss prevention. By improving
cybersecurity, they prevent expensive data breaches
and ransomware attacks from disrupting core business
processes. But firewalls are also value-generating assets
when combined with virtual private network services (VPNs).
In today’s increasingly connected business environment,
remote communication is an important value driver for
small businesses and enterprises alike. Laptops, tablets,
mobile phones, and other portable devices provide
challenges to secure hardware network architecture.
Whether working with third-party vendors or keeping
in touch with traveling employees, businesses need to
enjoy the security benefits of firewalls beyond the regular
14
confines of their established network. These users need
to have access to secure company infrastructure even
when using insecure public internet.
This is where VPNs come into play. Organizations that
establish VPNs and use them with best-in-class firewall
technology are able to enjoy robust security across the
board, regardless of physical user location.
WHAT EXACTLY DO VPNS DO?
Computer networks are made up of the physical routers,
switches, and infrastructure that enable communications
between users and devices. VPNs extend this capability
by creating secure, encrypted tunnels for traffic between
point A and point B.
This allows businesses to extend their network
infrastructure to remote employees and third-party vendors
in a scalable way. VPNs establish encrypted communication
protocols that keep private data away from prying eyes.
This allows your organization’s firewall to address one
of the most important weaknesses of a purely hardware-
based network. Public internet traffic is widely available
for anyone to see – if incoming connections are not
encrypted in a way that is compatible with your firewall
architecture, then you have no way of adequately
protecting your network from these external threats.
15
VPNs allow users to remotely connect with other offices
through secure connections. At the same time, they
encrypt and anonymize trusted internet traffic so that
employees and partners have remote access to company
infrastructure.
Combining a next-generation firewall solution with
a cost-effective VPN allows you to establish a robust,
scalable foundation for cybersecurity. It gives even small
businesses the ability to operate with enterprise-level
privacy and safety.
16
PART FOUR: NEXT-
GENERATION FIREWALL
TECHNOLOGY
Next-generation firewalls combine the best features of
existing firewall architectures into a single, unified platform.
They offer a cost-effective, all-in-one solution for small-to-
medium businesses, public institutions, and enterprises
that need scalable and flexible firewall implementations.
Without next-generation firewall technology, businesses
would have to perform their own assessments and find
their own combined solutions for matching multiple
firewall frameworks with their VPN needs, and then
dedicate in-house IT resources to operating and
maintaining those solutions.
Next-generation firewalls streamline the deployment and
implementation process by bringing desired functionalities
and firewall architecture technologies into a single solution.
UNTANGLE NG FIREWALL
Untangle NG Firewall is a next-generation firewall
that offers comprehensive content filtering and threat
protection to small-to-medium businesses, distributed
enterprises, and public institutions in a scalable way. It
17
offers strict, rule-defined application control, bandwidth
optimization, and secure Wi-Fi capabilities in a single
easy-to-use product.
NG Firewall also includes a comprehensive suite of VPN
solutions and a full-scale, cloud-based management
suite, Command Center. Command Center gives
organizations the ability to securely connect to their NG
Firewall deployment from any browser, anywhere, and to
efficiently administer security without having to invest in
a costly on-site solution.
Four key features serve to distinguish NG Firewall
from other firewall solutions:
Real-Time Network Visibility - With Untangle,
administrators can easily see everything that’s
happening on the network. Every application, web
request, and advertising attempt is gathered, recorded,
and analyzed in real-time.
18
Intelligent Analysis and Reporting - Database-driven
reporting allows administrators to leverage historical
insights alongside real-time reporting. Using Untangle’s
reports, administrators can create complete audit logs
and identify opportunities to improve network speed
configurations and enforcements.
Flexible Deployment Options - Organizations can
deploy NG Firewall as a virtual machine, in the public
cloud, as a turnkey appliance, or on third-party
hardware with no effect on the solution’s efficacy. This
makes it an ideal solution for small offices,
geographically diverse school campuses, and large
organizations alike.
Best-in-class Security - By eliminating the need to
mix and match multiple firewall solutions, NG firewall
saves organizations both time and money. Instead of
purchasing and configuring dozens of different security
solutions, you can deploy a single, comprehensive
security solution.
THE NG FIREWALL COMMAND CENTER
AND SCOUTIQ
The primary administrative interface you’ll use with NG
Firewall is Command Center. It is a centralized, cloud-
based management platform that allows you to control
NG Firewall deployments no matter their location.
19
This is where you will view alerts, verify threat triggers,
and audit security data for your entire network. Reports
include 30-day aggregate audit logs across various key
network details.
Command Center includes a sophisticated threat
intelligence solution called ScoutIQ™. This service
provides additional protection against emerging malware
threats and previously unreported zero-day exploits.
ScoutIQ uses real-time intelligence gathered from NG
Firewall deployments around the world to identify
suspicious patterns and associate them with threats. It
scans millions of files per day and increases users’ defenses
against malware, ransomware, worms, and trojans.
DEPLOY NG FIREWALL AND IMPLEMENT
BENCHMARK SECURITY TODAY
NG Firewall is a comprehensive, all-in-one security
platform that gives IT administrators the tools they
need to remain secure in today’s connected world.
Speak to a cybersecurity expert at Untangle to learn
more about how NG Firewall can help your business
prevent disastrous cybersecurity losses while
ensuring business continuity and network reliability,
performance and connectivity.
©2019 Untangle, Inc. All rights reserved. Untangle and the Untangle logo are registered marks or trademarks
of Untangle, Inc. All other company or product names are the property of their respective owners.
20
ABOUT US
Untangle is an innovator in cybersecurity for
the below-enterprise market, safeguarding
people’s digital lives at home, work and
on-the-go. Untangle’s integrated suite
of software and appliances provides
enterprise-grade capabilities and consumer-
oriented simplicity, bringing a new
generation of smart security to homes and
small-to-mid-sized businesses. Untangle’s
award-winning network security solutions
are trusted by over 400,000 customers,
protecting nearly 5 million people, their
computers and networks around the world.
For sales information, please contact us by
phone in the US at +1 (866) 233-2296 or via
e-mail at sales@untangle.com.