What is a Perimeter Firewall?

A perimeter firewall defines the boundary between a private network and the public Internet. All traffic entering and leaving the private network passes through and is inspected by the perimeter firewall. A perimeter firewall enables an organization to restrict access to internal systems, block malicious content from entering the private network, and prevent data exfiltration and unauthorized use of corporate systems.


How Does a Perimeter Firewall Work?

A perimeter firewall is located at the boundary of a private network and prevents malicious traffic from crossing that boundary. It may be one of several types of firewalls with varying capabilities, such as:

  • Packet Filtering: Packet filtering firewalls are the simplest type of firewall. They inspect each packet's header fields and allow or block it based on access control lists (ACLs). A packet filtering firewall can prevent certain types of traffic from entering or leaving the private network based on packets’ source and destination ports.
  • Stateful Firewalls: Stateful packet inspection firewalls track the current state of network connections and incorporate this information into their access decisions. A stateful firewall can identify an ACK scan because the ACK packet arrives out of sequence, belonging to no established connection; a packet filtering firewall, which evaluates each packet in isolation, cannot.
  • Proxy Firewalls: Proxy firewalls act as a proxy for user connections, creating separate connections between the user and firewall, and the server and firewall. This can help to protect users’ privacy by concealing their IP addresses.
  • Next-Generation Firewalls (NGFWs): NGFWs combine the features of packet filtering and stateful firewalls with other security capabilities. An NGFW performs deep packet inspection (DPI) and can incorporate an intrusion detection/prevention system, URL filtering, and antivirus and antimalware functionality.
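To make the packet-filtering versus stateful distinction concrete, here is an added Python simulation (not Check Point's code) of both filters handling a normal outbound handshake followed by an unsolicited inbound ACK segment: the stateless ACL has to admit it, while the connection-tracking filter drops it. The hosts, ports and the 10.0.0.0/8 internal range are constructed for the example.

```python
from collections import namedtuple

# Constructed packet model: flags is a frozenset such as frozenset({"SYN", "ACK"}).
Packet = namedtuple("Packet", "src sport dst dport flags")

def is_internal(ip: str) -> bool:
    return ip.startswith("10.")  # constructed assumption: private net is 10.0.0.0/8

def stateless_filter(pkt: Packet) -> str:
    # ACL with no memory: to admit replies to outbound connections it must let in
    # any inbound segment with ACK set, which is exactly what an ACK probe carries.
    if is_internal(pkt.src):
        return "ALLOW"  # all outbound traffic permitted
    if "ACK" in pkt.flags:
        return "ALLOW"  # assumed to be a reply to an internal connection
    return "DROP"

class StatefulFilter:
    # Tracks the handshake per flow; only segments of a known connection are admitted.
    def __init__(self) -> None:
        self.table: dict = {}  # (src, sport, dst, dport) -> connection state

    def inspect(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_internal(pkt.src) and pkt.flags == {"SYN"}:
            self.table[fwd] = "SYN_SENT"  # new outbound connection
            return "ALLOW"
        if self.table.get(rev) == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
            self.table[rev] = "SYN_RECV"  # server replying to our SYN
            return "ALLOW"
        if self.table.get(fwd) == "SYN_RECV" and "ACK" in pkt.flags:
            self.table[fwd] = "ESTABLISHED"  # handshake complete
            return "ALLOW"
        if "ESTABLISHED" in (self.table.get(fwd), self.table.get(rev)):
            return "ALLOW"
        return "DROP"  # no connection this segment belongs to

def run_scenario() -> list:
    # Constructed traffic: a legitimate outbound HTTPS handshake, then an
    # unsolicited inbound ACK to port 22. Returns (stateless, stateful) verdicts.
    client, server, probe = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    packets = [
        Packet(client, 40000, server, 443, frozenset({"SYN"})),
        Packet(server, 443, client, 40000, frozenset({"SYN", "ACK"})),
        Packet(client, 40000, server, 443, frozenset({"ACK"})),
        Packet(probe, 55555, "10.0.0.20", 22, frozenset({"ACK"})),
    ]
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.inspect(p)) for p in packets]
```

The fourth verdict pair is where the two designs diverge: the out-of-sequence ACK is allowed by the ACL and dropped by the connection table.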

Components of the Network Perimeter

A perimeter firewall is part of the network perimeter, which includes the following key components:

  • Border Router: The border router is where a private network ends and the public Internet begins. It is the last router under an organization’s control and is physically connected to both the internal and external networks.
  • Perimeter Firewall: The perimeter firewall sits behind the border router and is an organization’s first line of defense against external threats. It filters out malicious traffic before it can enter the private network.
  • Intrusion Detection/Prevention System: An intrusion detection system (IDS) provides passive monitoring and generates alerts if a threat is detected. An intrusion prevention system (IPS) provides active protection, blocking malicious traffic.
  • Demilitarized Zone (DMZ): A DMZ is a network segment that sits between the public and private networks. It is designed to host publicly accessible services, such as web and email servers, while isolating the private network from potential threats.

Security Requirements of a Perimeter Firewall

A perimeter firewall should protect an organization and its users with the following capabilities:

  • Web, Application, and Data Controls: A perimeter firewall should provide users with safe and legitimate access to both trusted and untrusted resources. This includes protection against web-based attacks, vulnerability exploits, and threats to corporate data.
  • Advanced Threat Prevention: A perimeter firewall should be capable of identifying and blocking both known and unknown threats to an organization. This requires an NGFW with threat intelligence and sandbox analysis capabilities.

Network Requirements of a Perimeter Firewall

A perimeter firewall is a networking appliance as well as a security one. Some key network requirements include:

  • Redundancy: All traffic entering and leaving the private network passes through the perimeter firewall, so an outage could result in a loss of connectivity or security. It should be redundant so that the loss of a single component does not bring the system down.
  • Performance: Since all inbound and outbound traffic passes through the firewall, inefficiency and latency have a significant impact on the organization. A perimeter firewall must be capable of inspecting traffic at line speed.
  • Network Interfaces and Port Capacity: The perimeter firewall is directly connected to both the public Internet and the private network. It must have sufficient network interfaces and port capacity to support these connections and the traffic flowing over them.

Benefits and Limitations of Strong Perimeter Firewall Security

A perimeter firewall defines and enforces the boundary between a public and private network. Perimeter firewalls bring both benefits and limitations to an organization’s overall security posture.

Some of the benefits that a perimeter firewall provides include:

  • Network Traffic Visibility: A perimeter firewall has visibility into all traffic entering and leaving the private network. This not only enables corporate security but also provides valuable information about use of internal and external services.
  • Malicious Content Filtering: An NGFW deployed as a perimeter firewall can identify and block malware and other attacks before they enter an organization’s network.
  • Improved User Privacy: Perimeter firewalls can enhance user privacy by acting as a proxy between internal users and external servers.
  • Data Loss Prevention: Perimeter firewalls can help to prevent loss of sensitive and valuable data by identifying and blocking traffic that does not comply with company policy.

While perimeter firewalls have their benefits, they are not perfect solutions. Some of their limitations include:

  • Only North-South Traffic Visibility: Perimeter firewalls can only inspect the traffic passing through them, which includes traffic entering and leaving the network. East-west traffic inside the protected network does not pass through the perimeter and is not inspected.
  • No Insider Threat Management: Perimeter firewalls block external threats from gaining access to the corporate network. They are blind to insiders who are already within the protected perimeter.
  • Blind to Infected Mobile Devices: Perimeter firewalls can only detect malware that crosses the perimeter as network traffic. A mobile device infected while connected to an external network carries that malware past the perimeter defenses when it later joins the private network.

Data Center Firewall vs. Perimeter Firewall

Data center firewalls and perimeter firewalls are both designed to protect an organization’s assets. However, unlike a perimeter firewall, a data center firewall is designed to protect virtual machines hosted within an organization’s data center. This requires greater agility to accommodate the architectural changes that are common in virtualized environments.

Perimeter Firewall with Check Point

A perimeter firewall is the foundation of an organization’s network security. To learn more about what to look for in a firewall, check out this buyer’s guide to NGFWs. Then, sign up for a free demo of Check Point NGFWs to see how a modern NGFW can improve your organization’s perimeter defenses.
