What a firewall is
A firewall is a security system — hardware, software, or a combination of both — that sits between two networks and decides which traffic is allowed to pass and which is blocked. In most deployments, that boundary is between your trusted internal network and the untrusted external internet.
Every packet entering or leaving your network is evaluated against a set of rules. Those rules can be as simple as "block all inbound traffic on port 23 (Telnet)" or as granular as "only allow outbound HTTPS from these specific internal hosts during business hours." Traffic that matches a permit rule passes through. Everything else is dropped.
The firewall is widely considered the first line of network defence — the perimeter control that stops opportunistic scanning, brute-force attempts, and known-malicious traffic from ever reaching your internal systems. Without one, every host on your network is directly exposed to the internet.
How firewalls work
Not all firewalls work the same way. There are three generations of firewall technology, each offering progressively more intelligence:
1. Packet Filtering (First Generation)
The earliest firewalls. Each packet is examined in isolation — the firewall checks the source IP, destination IP, source port, destination port, and protocol (TCP/UDP) against a static ruleset. If a rule matches, the packet is permitted or denied. Because there is no memory of previous packets, this is called stateless inspection. It is fast and low-overhead, but it cannot distinguish between a legitimate response to a request you made and an unsolicited inbound packet on the same port.
2. Stateful Inspection (Second Generation)
Stateful firewalls maintain a connection table — a record of every active TCP session, UDP flow, and ICMP exchange. When a response packet arrives, the firewall checks whether it corresponds to an established outbound request. If it does, it is permitted automatically without needing an explicit inbound rule. This dramatically reduces the rule complexity needed while blocking unsolicited inbound packets that don't belong to any known session. The vast majority of enterprise firewalls today are at least stateful.
3. Application-Layer / NGFW (Third Generation)
Next-generation firewalls perform deep packet inspection (DPI) — they look inside the packet payload, not just the headers. This allows the firewall to identify the application generating the traffic regardless of what port it uses (so a trojan running on port 443 can still be identified and blocked). NGFWs typically include a built-in IPS, SSL/TLS inspection, user identity awareness, and malware sandboxing. Leading vendors include Palo Alto Networks, Fortinet, Cisco Firepower, and Check Point.
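The difference between the first two generations is easiest to see on a concrete packet trace. The following simulator is an added example written for this page, not code from the article or from any firewall vendor: the Rule and Packet structures, the 10.0.0.0/24 "LAN" address, and the four-packet trace are all constructed for illustration. A stateless policy has to admit HTTPS replies with a rule of the form "anything from source port 443", which also admits an unsolicited packet that merely sets its source port to 443; the stateful policy keeps only the outbound rule and lets its connection table decide which inbound packets are replies.

```python
"""Stateless vs stateful filtering of a constructed packet trace.

Added example, not from the original page. Rule and packet formats are
invented for illustration; the trace below is constructed by hand.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = LAN -> internet, "in" = internet -> LAN
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    src: str                  # CIDR, or "any"
    dst: str                  # CIDR, or "any"
    src_port: Optional[int]   # None matches any port
    dst_port: Optional[int]
    action: str               # "permit" or "deny"


def _ip_in(ip: str, cidr: str) -> bool:
    net = ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)
    return ipaddress.ip_address(ip) in net


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header-only (5-tuple plus direction) match: no payload, no history."""
    return (rule.direction == pkt.direction
            and rule.proto == pkt.proto
            and _ip_in(pkt.src_ip, rule.src)
            and _ip_in(pkt.dst_ip, rule.dst)
            and rule.src_port in (None, pkt.src_port)
            and rule.dst_port in (None, pkt.dst_port))


def stateless_verdict(rules: List[Rule], pkt: Packet) -> str:
    """First generation: each packet judged in isolation, first match wins,
    implicit deny when nothing matches."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Second generation: a connection table remembers permitted outbound
    flows, so their replies are admitted without any inbound permit rule."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.table: Set[Tuple[str, str, int, str, int]] = set()

    def verdict(self, pkt: Packet) -> str:
        if pkt.direction == "in":
            # Reverse the tuple: is this the reply to a flow we let out?
            reply_of = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            if reply_of in self.table:
                return "permit"
        action = stateless_verdict(self.rules, pkt)
        if action == "permit" and pkt.direction == "out":
            self.table.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return action


LAN = "10.0.0.0/24"   # constructed internal range
# The stateless policy needs a second rule to let HTTPS replies back in,
# and the only header it can key on is "source port 443".
STATELESS_RULES = [
    Rule("out", "tcp", LAN, "any", None, 443, "permit"),
    Rule("in", "tcp", "any", LAN, 443, None, "permit"),
]
# The stateful policy needs only the outbound rule.
STATEFUL_RULES = [Rule("out", "tcp", LAN, "any", None, 443, "permit")]

# Constructed trace: a genuine HTTPS request and reply, then an unsolicited
# inbound packet that merely uses source port 443, then an inbound Telnet attempt.
TRACE = [
    Packet("out", "tcp", "10.0.0.5", 51000, "93.184.216.34", 443),
    Packet("in", "tcp", "93.184.216.34", 443, "10.0.0.5", 51000),
    Packet("in", "tcp", "198.51.100.7", 443, "10.0.0.5", 51000),
    Packet("in", "tcp", "203.0.113.9", 40000, "10.0.0.5", 23),
]


def run_trace(trace: List[Packet]) -> List[Tuple[str, str]]:
    """Return (stateless, stateful) verdicts for each packet, in order."""
    fw = StatefulFirewall(STATEFUL_RULES)
    return [(stateless_verdict(STATELESS_RULES, p), fw.verdict(p)) for p in trace]


if __name__ == "__main__":
    for pkt, (sl, sf) in zip(TRACE, run_trace(TRACE)):
        print(f"{pkt.direction:>3} {pkt.src_ip}:{pkt.src_port} -> "
              f"{pkt.dst_ip}:{pkt.dst_port}  stateless={sl:<6} stateful={sf}")
```

The third packet is the one that matters: the stateless policy permits it because its headers are indistinguishable from a real reply, while the stateful firewall denies it because no outbound flow to 198.51.100.7 exists in the table. The Telnet attempt is denied by both, which is the case the page's "block port 23" rule covers.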
Types of firewalls
The term "firewall" covers several distinct deployment patterns, each protecting a different boundary:
- Network firewall (perimeter): A dedicated hardware appliance placed at the network edge between your organisation and the internet. Controls all north-south traffic entering and leaving the organisation.
- Host-based firewall: Software running on an individual endpoint — Windows Defender Firewall, macOS Application Firewall, Linux iptables/nftables. Controls traffic to and from that single host. Essential even inside a trusted network because lateral movement threats come from inside the perimeter.
- Cloud firewall / FWaaS (Firewall as a Service): Cloud-native firewalls provided by AWS (Security Groups, Network Firewall), Azure Firewall, or dedicated FWaaS providers like Zscaler. Controls traffic between cloud workloads and to/from the internet.
- Web Application Firewall (WAF): A specialised HTTP/HTTPS proxy that protects web applications from SQL injection, XSS, and OWASP Top 10 attacks. Operates at Layer 7 only. Covered in the Cloud & Web Security topic.
A firewall controls what traffic is allowed in and out — but it cannot inspect encrypted payloads without TLS inspection enabled, cannot stop insider threats already operating inside the network, and cannot prevent attackers who enter through allowed ports like 443. Most modern breaches don't try to punch through a firewall — they use permitted channels like web traffic, email, and VPN to get inside.
What firewalls can't stop
Understanding a firewall's limitations is just as important as understanding what it does. Security teams that over-rely on perimeter firewalls are regularly surprised when breaches occur — because the attack never tried to break through the firewall at all.
- Insider threats: A malicious or compromised user already inside your network operates entirely behind the firewall. Host-based firewalls and network segmentation (east-west controls) are needed to limit lateral movement.
- Encrypted malware and C2 traffic: Without TLS inspection, a firewall cannot read HTTPS payloads. Malware increasingly uses port 443 with valid-looking TLS certificates to blend in with legitimate traffic.
- Application-layer attacks: SQL injection, XSS, and CSRF attacks arrive on port 443 — the same port you explicitly permit for web browsing. A traditional firewall sees only valid HTTPS traffic. A WAF or NGFW with application awareness is required.
- Misconfigurations: A firewall with overly permissive rules, rules added for temporary purposes that were never removed, or shadow rules that conflict with each other provides far less protection than assumed. Rule review and firewall auditing are critical ongoing tasks.
Firewall best practices
A correctly configured firewall is dramatically more effective than a poorly configured one. These principles apply regardless of vendor or platform:
- Default deny (implicit deny all): The last rule in every firewall policy should deny all traffic not explicitly permitted. Never start from a default-allow posture.
- Principle of least privilege: Each rule should permit the minimum traffic required for a specific business function. Avoid "any/any" permit rules.
- Log everything: All permitted and denied traffic should be logged and forwarded to a SIEM. Firewalls with no logging provide no visibility when an incident occurs.
- Quarterly rule review: Rules accumulate over time. A quarterly review identifies redundant, overly broad, or expired rules that inflate the attack surface.
- Segregate with a DMZ: Place internet-facing servers (web, email, DNS) in a demilitarised zone — a separate network segment between the external firewall and the internal network. Traffic from the DMZ should not be permitted to reach internal systems without explicit rules.
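Several of these practices, and the misconfigurations listed under "What firewalls can't stop", can be checked mechanically against a rule export. The audit below is an added example written for this page, not the article's code or any vendor's tool: the Rule fields, the finding codes, the expiry field on temporary rules and the sample policy are all constructed. It flags a missing final default-deny rule, any/any permits, rules past their stated expiry, and shadow rules that an earlier, broader rule makes unreachable under first-match evaluation.

```python
"""Audit a firewall policy against default deny, least privilege, expiry and shadowing.

Added example, not from the page or any vendor. Rule fields, finding codes and
the sample policy are constructed; real firewalls export rules in their own formats.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp" or "any"
    src: str                          # CIDR or "any"
    dst: str                          # CIDR or "any"
    dst_port: Optional[int]           # None = any port
    expires: Optional[date] = None    # set on rules added for a temporary purpose


def _net(cidr: str):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def is_any_any(rule: Rule) -> bool:
    return (rule.proto == "any" and rule.src == "any"
            and rule.dst == "any" and rule.dst_port is None)


def covers(broad: Rule, narrow: Rule) -> bool:
    """True when every packet matching `narrow` also matches `broad`, so with
    first-match evaluation `narrow` is never reached (a shadow rule)."""
    return (broad.proto in ("any", narrow.proto)
            and _net(broad.src).supernet_of(_net(narrow.src))
            and _net(broad.dst).supernet_of(_net(narrow.dst))
            and broad.dst_port in (None, narrow.dst_port))


Finding = Tuple[str, str]   # (rule name, finding code)


def audit(rules: List[Rule], today: date) -> List[Finding]:
    findings: List[Finding] = []
    # Default deny: the final rule must explicitly deny everything else.
    if not rules or rules[-1].action != "deny" or not is_any_any(rules[-1]):
        findings.append(("<policy>", "no-final-default-deny"))
    for i, rule in enumerate(rules):
        # Least privilege: an any/any permit is never acceptable.
        if rule.action == "permit" and is_any_any(rule):
            findings.append((rule.name, "any-any-permit"))
        # Temporary rules that outlived their purpose.
        if rule.expires is not None and rule.expires < today:
            findings.append((rule.name, "expired"))
        # Shadow rules: the first earlier rule that fully covers this one.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "conflicting"
                findings.append((rule.name, f"shadowed-by:{earlier.name}:{kind}"))
                break
    return findings


# Constructed sample policy containing one of each defect.
POLICY = [
    Rule("allow-web-out", "permit", "tcp", "10.0.0.0/24", "any", 443),
    Rule("temp-vendor-rdp", "permit", "tcp", "203.0.113.0/24", "10.0.0.10/32", 3389,
         expires=date(2023, 6, 30)),
    Rule("allow-all-dmz", "permit", "any", "any", "any", None),
    Rule("block-telnet-in", "deny", "tcp", "any", "10.0.0.0/24", 23),
    Rule("default-deny", "deny", "any", "any", "any", None),
]
AUDIT_DATE = date(2024, 1, 15)   # constructed review date

if __name__ == "__main__":
    for name, code in audit(POLICY, AUDIT_DATE):
        print(f"{name:<18} {code}")
```

Note that the any/any permit produces two shadowing findings downstream: it silences the explicit Telnet block and the default-deny rule itself, which is why a single overly broad rule undoes an otherwise well-ordered policy. In a quarterly review, each finding maps directly to a rule to tighten or remove.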