Firewall
Last updated: 2026-01-28
What Is a Firewall
A firewall is a security mechanism that monitors traffic between networks and controls whether to allow or deny communication based on predefined rules. The name comes from the architectural term for a fire-resistant wall, and it serves to block unauthorized access from external networks (the Internet).
Even home routers include basic firewall functionality. Combined with NAT, they hide internal network devices from direct access by external parties. Enterprise firewalls offer more advanced features such as application-layer inspection and intrusion detection.
Types and Mechanisms of Firewalls
- Packet Filtering: The simplest method - inspects each packet's source IP, destination IP, port number, and protocol against rules, with no memory of earlier packets. Fast, but because each packet is judged in isolation it cannot tell whether a packet belongs to a real connection. To let server replies through, a stateless filter typically needs broad rules (for example, allow any inbound TCP packet with source port 443), which an attacker can satisfy simply by choosing that source port.
- Stateful Inspection: Tracks the state of communication sessions (connection establishment, data transfer, termination) and makes decisions based on context. Can detect and block packets that do not belong to a legitimate session. The mainstream approach in modern firewalls.
- Application Layer Gateway (Proxy): Operates at the application layer (L7), inspecting the content of HTTP, FTP, and other protocols. Enables fine-grained control such as URL filtering and content inspection, but adds processing overhead.
- Next-Generation Firewall (NGFW): Integrates traditional firewall functions with IPS (Intrusion Prevention System), application identification, and user-based control. Can identify and control specific applications (e.g., allowing YouTube but blocking file uploads).
Firewall Configuration Principles
A firewall's effectiveness depends heavily on the quality of its configuration. The following principles are essential.
- Default Deny: Deny all traffic by default and explicitly allow only what is needed. A "default allow" policy means any configuration oversight immediately becomes a security hole.
- Principle of Least Privilege: Allow only the minimum necessary ports, protocols, and source networks. For example, a web server should expose only ports 80 (HTTP) and 443 (HTTPS) to the Internet; management access such as SSH (port 22) should be permitted only from administrative networks, never from anywhere.
- Logging and Monitoring: Log denied traffic and review it regularly. Anomalous patterns, such as sequential probes across many ports or repeated hits on a closed management port, may indicate attack attempts or misconfiguration. Keep records of allowed connections as well, because those are what an incident investigation needs to reconstruct.
- Rule Review: Periodically audit firewall rules and remove those that are no longer needed. Accumulated obsolete rules expand the attack surface.
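The following is an added example, not code from the original page: a small stateful packet filter in Python that applies the principles above (default deny, least privilege, logging of denied traffic) to a single web server, and at the same time shows the difference between stateful inspection and plain packet filtering described earlier. The host addresses, rules and packets are constructed for illustration; `203.0.113.10` and `198.51.100.x` are documentation-range addresses.

```python
"""Toy stateful, default-deny packet filter (added example; not from the page).

Rules, hosts and traffic below are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # True only for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    """An allow rule. Anything not matched by an allow rule is denied."""
    dport: int
    proto: str = "tcp"
    src_net: str = "0.0.0.0/0"   # CIDR of permitted sources
    dst: Optional[str] = None    # None = any destination


class StatefulFirewall:
    def __init__(self, allow_rules: List[Rule]) -> None:
        self.allow_rules = list(allow_rules)
        self.conntrack: set = set()   # established sessions as 5-tuples
        self.log: List[str] = []      # denied packets, kept for review

    def _matches(self, rule: Rule, pkt: Packet) -> bool:
        return (rule.proto == pkt.proto
                and rule.dport == pkt.dport
                and (rule.dst is None or rule.dst == pkt.dst)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src_net))

    def stateless_decision(self, pkt: Packet) -> str:
        """What a pure packet filter would do: match the rules, ignore state."""
        return "allow" if any(self._matches(r, pkt) for r in self.allow_rules) else "deny"

    def process(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        # 1. Packets of an already-tracked session (either direction) pass.
        if fwd in self.conntrack or rev in self.conntrack:
            return "allow"
        # 2. A new TCP connection must start with SYN and match an allow rule.
        is_new = pkt.proto != "tcp" or pkt.syn
        if is_new and any(self._matches(r, pkt) for r in self.allow_rules):
            self.conntrack.add(fwd)
            return "allow"
        # 3. Default deny, and log it so the reviewer can see what was blocked.
        self.log.append(f"DENY {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "deny"


WEB_SERVER = "203.0.113.10"   # constructed
ADMIN_NET = "10.0.0.0/24"     # constructed
RULES = [
    Rule(dport=80, dst=WEB_SERVER),
    Rule(dport=443, dst=WEB_SERVER),
    Rule(dport=22, dst=WEB_SERVER, src_net=ADMIN_NET),   # SSH only from admins
]


def run_demo() -> Tuple[Dict[str, str], Dict[str, str], List[str]]:
    """Return (stateful decisions, stateless decisions, denied-packet log)."""
    fw = StatefulFirewall(RULES)
    traffic = [
        ("client https syn", Packet("198.51.100.7", WEB_SERVER, "tcp", 51000, 443, syn=True)),
        ("server https reply", Packet(WEB_SERVER, "198.51.100.7", "tcp", 443, 51000)),
        ("internet ssh syn", Packet("198.51.100.7", WEB_SERVER, "tcp", 51001, 22, syn=True)),
        ("admin ssh syn", Packet("10.0.0.5", WEB_SERVER, "tcp", 40000, 22, syn=True)),
        # An ACK to port 443 that belongs to no session: a stateless filter with
        # "allow dport 443" passes it, a stateful one does not.
        ("ack without session", Packet("198.51.100.9", WEB_SERVER, "tcp", 443, 443)),
        # A port nobody meant to expose; default deny handles it without a rule.
        ("mysql syn", Packet("198.51.100.7", WEB_SERVER, "tcp", 51002, 3306, syn=True)),
    ]
    stateless = {name: fw.stateless_decision(pkt) for name, pkt in traffic}
    stateful = {name: fw.process(pkt) for name, pkt in traffic}
    return stateful, stateless, fw.log


if __name__ == "__main__":
    stateful, stateless, log = run_demo()
    for name in stateful:
        print(f"{name:22} stateful={stateful[name]:5} stateless={stateless[name]}")
    print("\n".join(log))
```

The server's reply is admitted only because the client's SYN created a conntrack entry; nothing in the rule list mentions source port 443. The stateless view, by contrast, can only admit that reply with a broad source-port rule, which is exactly what lets the unsolicited "ack without session" packet through.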
Firewall Limitations and Zero Trust
Traditional firewalls are based on the concept of "perimeter defense" - trusting the internal network and blocking intrusions from outside. However, this assumption has limitations.
- Weak Against Internal Threats: A perimeter firewall inspects only traffic that crosses the boundary. Once an attacker has a foothold inside, east-west traffic between internal hosts is not filtered unless the network is segmented, so the firewall does little against insider threats or lateral movement.
- Remote Work Challenges: With employees accessing resources from home or on the go, the network perimeter has dissolved. VPN-only approaches create bottlenecks and management complexity.
- Cloud Migration: As systems move to the cloud, the physical "inside vs. outside" boundary blurs. Cloud-native controls such as security groups (per-instance L3/L4 filtering) and WAF are needed alongside, or in place of, a perimeter appliance.
The Zero Trust model addresses these limitations by verifying every access request regardless of network location. It follows the principle of "never trust, always verify," authenticating and authorizing every user and device for each access attempt.
To learn more about this topic, see Firewall Basics: Your First Line of Network Defense.
Common Misconceptions
- A firewall prevents all hacking
  - A firewall controls network traffic. It cannot stop a user from clicking a phishing link, prevent exploitation of a web application vulnerability over a port that must be open, or address insider threats. Position it as one element of a defense-in-depth strategy.
- A firewall only needs to be configured once
  - Rules must be reviewed regularly as network configurations change, new services are introduced, and threats evolve. Leaving obsolete rules in place expands the attack surface.
Firewall vs. WAF Comparison
- Firewall: Operates at the network and transport layers (L3/L4). Controls traffic based on IP addresses, port numbers, and protocols. Provides perimeter defense for the entire network.
- WAF: Operates at the application layer (L7). Inspects HTTP request content to defend against web attacks such as SQL injection and XSS. Specialized for web applications.
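To make the comparison concrete, here is an added example (not from the original page) that runs the same HTTP requests past an L4 port check and a minimal L7 inspection. The requests, the hostname `www.example.com` and the two signatures are constructed for illustration; a real WAF uses far larger rule sets, so the point is what each layer can see, not the quality of these patterns.

```python
"""L4 port filter vs. L7 request inspection (added example; not from the page).

Requests and signatures are constructed for illustration only.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Deliberately tiny signature set, for illustration only.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bor\b\s+\d+\s*=\s*\d+|\bunion\b\s+select\b|;\s*drop\b)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|onerror\s*=)"),
}


def l4_decision(dport: int, allowed_ports=(80, 443)) -> str:
    """All a port-based firewall can judge: is the destination port open?"""
    return "allow" if dport in allowed_ports else "deny"


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target, headers, body.decode("latin-1")


def l7_decision(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """What a WAF can judge: the decoded path, query and form fields."""
    _method, target, headers, body = parse_http_request(raw)
    parts = urlsplit(target)
    fields: Dict[str, List[str]] = {"path": [unquote(parts.path)]}
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        fields[f"query.{key}"] = values
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for key, values in parse_qs(body, keep_blank_values=True).items():
            fields[f"body.{key}"] = values
    findings: List[Tuple[str, str]] = []
    for name, values in fields.items():
        for value in values:
            # Decode once more to catch double-encoded payloads, a common evasion.
            decoded = unquote(value)
            for sig, pattern in SIGNATURES.items():
                if pattern.search(decoded):
                    findings.append((sig, name))
    return ("deny" if findings else "allow"), findings


def _post(path: str, body: str) -> bytes:
    return (f"POST {path} HTTP/1.1\r\nHost: www.example.com\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")


# Constructed sample traffic, all to the same open port (443).
REQUESTS = {
    "benign search": b"GET /search?q=firewall+rules HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "sqli in query": b"GET /search?q=x%27+OR+1%3D1+-- HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "xss in form body": _post("/comment", "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
}


def run_demo() -> Dict[str, dict]:
    results = {}
    for name, raw in REQUESTS.items():
        l7, findings = l7_decision(raw)
        results[name] = {"l4": l4_decision(443), "l7": l7, "findings": findings}
    return results


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:18} L4={result['l4']:5} L7={result['l7']:5} {result['findings']}")
```

Every request reaches port 443 and so passes the L4 check; only the L7 inspection, which has to parse the request and decode the parameters first, can tell the benign search apart from the injection attempts.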