What's a Firewall? The Complete Guide

Guilty until proven innocent. This is the principle behind firewall systems, which are designed to monitor and filter network traffic based on predefined policies.

Network security is a hard problem, but the goal of a firewall system is simple: reject all network traffic unless explicitly allowed. This seems a straightforward approach to eliminate anomalous traffic from infiltrating your IT network while allowing a free flow of legitimate traffic.

But this simple concept is a challenge to implement.

Enterprise IT networks consist of thousands of devices continuously communicating with each other. How do you create a security policy that encompasses all rules representing all forms of legitimate traffic requests? A variety of firewall systems allow you to filter unwanted traffic requests.

Let’s take a look.

What is a firewall?

A firewall is a security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.

Firewalls act as a barrier between a trusted internal network and untrusted external networks, such as the internet. They're essential for protecting private networks and devices from malicious attacks, unauthorized access, and other cyber threats. By analyzing data packets and enforcing security policies, firewalls help prevent cyberattacks and ensure the integrity and confidentiality of sensitive information. People use firewalls to safeguard their personal data, secure business operations, and maintain the overall health of their digital environments.

How do firewalls work?

Firewalls act as gatekeepers for your network, ensuring only safe data passes through while blocking potentially harmful traffic. Technically, firewall systems filter network traffic across several layers of the OSI network model. The most common applications cover the data-link layer, the network layer, the transport layer, and the application layer.

Here’s a detailed look at how they work.

Traffic monitoring

A firewall constantly monitors data entering and leaving the network. Data travels in small units called packets, and the firewall checks each packet against a set of security rules.

Packet filtering

Packet filtering is the most basic function. The firewall examines the source and destination addresses of each packet and decides whether to allow it through based on predefined rules. It blocks the packet if it doesn't meet the rules.

Stateful inspection

Beyond just checking individual packets, firewalls also keep track of the state of active connections. They understand the context of traffic, recognizing which packets belong to a legitimate ongoing connection and which might be part of an attack.

Proxy services

Sometimes, a firewall will act as an intermediary. When you request a webpage, the request goes to the firewall first. The firewall then makes the request on your behalf, checks the response, and if it's safe, passes it on to you.

This adds an extra layer of security by hiding your internal network details from external servers.

Deep Packet Inspection (DPI)

This advanced technique allows firewalls to look inside the data portion of a packet, not just the header. By inspecting the content, the firewall can identify and block complex threats like malware and intrusions that basic filtering can not detect.

Application layer filtering

Modern firewalls can filter traffic based on the specific application generating the traffic, rather than just the source or destination. This means they can allow safe applications like email while blocking risky ones like certain peer-to-peer file-sharing programs.

Behavior analysis

Some advanced firewalls use behavior analysis to detect anomalies in traffic patterns that might indicate a cyberattack. By understanding what normal traffic looks like, they can spot and stop unusual, potentially harmful activity.

Firewalls enforce these security measures to protect your network by ensuring that only legitimate and safe traffic passes through. They are crucial for preventing unauthorized access and cyberattacks and for ensuring the integrity and confidentiality of data within the network.

Types of firewall systems

Let’s review how different types of firewall systems help achieve this network security goal.

Packet filtering

Packet filtering is a simple firewall system that checks

• The source and destination IP addresses
• UDP and TCP protocols
• Access control lists (ACLs) 
• Port addresses

All traffic that complies with the predefined rules passes through the device. In the case of dynamic packet filtering, these rules may apply for a specific time duration, also known as a stateful inspection firewall. The system only evaluates the protocols, not the message data in the network packets itself. Filtering rules are applied based only on the information available in current packets, which means no contextual knowledge is available.

Circuit-level gateways

This system works at the session layer of the OSI model and determines whether the TCP handshaking between trusted servers and untrusted parties complies with the particular security rules of the session.

It acts as a proxy server between the external source and the internal destination server, creating a new connection with the remote host. For this connection, the gateway also changes the IP address to reflect its own instead of using the destination IP address.

Application-level gateway proxy firewall

This system inspects traffic at the application layer of the TCP/IP stack. It works as a separate host with its own IP address, which intercepts the traffic request received by the network. The proxy firewall responds with the synchronize-acknowledge (SYN-ACK) packet from the message source IP address.

The transmission is divided into two steps: source-to-proxy and proxy-to-destination. At each stage, predefined rules are analyzed for security compliance. Unlike the circuit-level gateway, the application gateway doesn't change the source IP address on its own when acting as a proxy.

Unified threat management (UTM) firewall

This system combines multiple firewall functions of stateful inspection devices, antivirus and spyware services, and intrusion prevention devices at the gateway. A central command controls traffic flow rules with high-level visibility and control, bandwidth management, and quality of service monitoring.

Next-generation firewall (NGFW)

Next-generation firewall (NGFW) is an advanced level of firewall mechanism that includes intelligence-based access control systems using

• stateful inspection,
• integrated intrusion prevention systems,
• filtering based on geolocation and reputation, and
• the ability to evolve and improve filtering capabilities.

Threat-focused NGFW systems further enhance these by providing more control, contextual awareness, and intelligent automation, and reducing the complexity by enforcing security policies in large-scale networks.

Distributed firewall

Unlike traditional firewalls, which assume that one side of the network is trustworthy, firewalls for distributed systems define a central policy and enforce it at each endpoint regardless of the network topology.

It uses a policy language that describes the connection rules for devices and network states, translated into an internal format using a compiler. A system management tool distributes the policy to all network hosts. It uses network-level encryption to verify the identity of a traffic source. This means that there's no longer a single checkpoint for network security. The network is not limited by the throughput, latency, and speed performance of firewall devices.

Signature-based firewalls

These systems monitor the traffic streams for anomalous behavior by evaluating signatures in the traffic. If the signatures include the contents of a known cyberattack, signature-based firewalls filter the behavior. Like any antivirus system...

• The signature lists must be updated continuously.
• The firewall system may require learning capabilities to improve signature pattern recognition.

An evolution of this technique is the rules-based detection mechanism, which evaluates not only the signatures but also the patterns within those signatures. Advanced AI algorithms may be used to establish the deductive reasoning capability of the firewall system.

Cloud firewall

A firewall hosted in the cloud is often offered as a service. It provides scalable security solutions for cloud environments, protecting against threats targeting cloud-based applications and data.

Hardware firewall

A hardware firewall is when a physical device is used to enforce security policies, providing robust and dedicated protection for networks. It's often used in enterprise environments for perimeter security.

Choosing firewalls

Selecting the right firewall involves key considerations:

1. Assess your network needs: Identify the size of your network, critical assets, and future growth.
2. Security features: Look for intrusion prevention, content filtering, VPN support, and application control to meet your security requirements.
3. Ease of management: Opt for firewalls with user-friendly interfaces, comprehensive reporting, and reliable customer support.
4. Performance and reliability: Ensure the firewall can handle your network’s data throughput with minimal latency and has high availability features like failover and load balancing.
5. Compliance: Ensure the firewall meets industry-specific regulatory requirements and provides audit capabilities.
6. Cost: Consider both initial and ongoing costs, including subscription fees for updates and support, to understand the total cost of ownership.

By evaluating these factors, you can choose a firewall that offers robust protection, meets organizational needs, and scales with your network’s growth.

Firewall FAQs

Is a firewall software as a service (SaaS)?

Yes, firewalls can be delivered as SaaS. They offer scalable, flexible protection managed by service providers, ideal for businesses needing robust security without on-premises hardware management.

What is the history of firewalls?

Firewalls emerged in the late 1980s to address network security. The first stateful inspection firewall, introduced by AT&T Bell Labs in 1989, significantly advanced network security by tracking active connections.

What is Network Address Translation (NAT) in firewalls?

NAT allows multiple devices on a local network to share a single public IP address. It enhances security by masking internal IP addresses, preventing direct external access, and conserving IP addresses.