What Is a Firewall?

A firewall is a network security device — hardware, software, or cloud-based — that monitors and controls incoming and outgoing network traffic based on a defined set of security rules. Think of it as a security guard at the entrance to your network: every packet that tries to enter or leave must present its credentials and be checked against the rulebook.

Firewalls are foundational to network security architecture. No serious organization runs without one, and understanding how they work is essential for both defenders and penetration testers trying to bypass them.

Types of Firewalls

1. Packet Filtering Firewalls

The simplest and oldest type. These operate at Layer 3 (Network) of the OSI model, inspecting individual packets based on source/destination IP addresses, port numbers, and protocol (TCP/UDP). They're fast but stateless: they don't remember previous packets, so they cannot tell whether a packet that looks like part of an existing connection actually belongs to one, which leaves them open to certain spoofing attacks.

2. Stateful Inspection Firewalls

An evolution of packet filtering, stateful firewalls track the state of active connections. They maintain a connection table and can determine whether an incoming packet is part of a legitimate, established session or an unsolicited intrusion. This significantly improves protection against many common attacks.

3. Application Layer (Proxy) Firewalls

Operating at Layer 7, these firewalls deep-inspect the actual content of traffic — not just headers. A web proxy firewall, for example, can parse HTTP requests and block specific URLs, detect malicious payloads, or prevent data exfiltration based on content patterns.

4. Next-Generation Firewalls (NGFW)

NGFWs combine traditional firewall capabilities with modern features like intrusion prevention systems (IPS), SSL inspection, application awareness, and threat intelligence feeds. Products from vendors such as Palo Alto Networks and Fortinet, and Cisco's Firepower line, fall into this category. They are the current standard for enterprise deployments.

5. Web Application Firewalls (WAF)

Specifically designed to protect web applications, WAFs filter and monitor HTTP traffic between a web application and the internet. They defend against OWASP Top 10 threats including SQL injection, XSS, and CSRF. ModSecurity and AWS WAF are popular examples.

How Firewall Rules Work

Firewall rules are processed top-to-bottom in order of priority. Each rule specifies:

  • Source: Where the traffic originates (IP, subnet, or zone)
  • Destination: Where it's going
  • Service/Port: What protocol and port number (e.g., TCP/443)
  • Action: Allow, Deny, or Drop (drop silently vs. deny with a response)

Most firewalls follow a default-deny principle: the last rule denies everything not explicitly permitted. This "deny all" implicit rule at the bottom is critical — without it, unexpected traffic may slip through.
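To make the top-to-bottom, first-match behaviour and the implicit deny concrete, here is an added example in Python (not code from the article or from any firewall vendor). The Rule and Packet fields, the sample rule set and the addresses (drawn from the RFC 5737 documentation ranges) are all constructed; `sender_sees` summarises the deny-versus-drop difference described in the Action bullet above.

```python
# Added example, not from the article: a first-match rule evaluator with the
# implicit "deny all" at the bottom. The Rule/Packet fields, the sample rule
# set and the addresses (RFC 5737 documentation ranges) are all constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # source CIDR such as "10.0.5.0/24", or "any"
    dst: str             # destination CIDR, or "any"
    proto: str           # "tcp", "udp", "icmp" or "any"
    port: Optional[int]  # destination port, None = any port
    action: str          # "allow", "deny" (reject with a response) or "drop" (silent)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


# The implicit rule every rule set ends with: anything not matched above is dropped.
IMPLICIT_DENY = Rule("implicit-deny", "any", "any", "any", None, "drop")


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field of the rule must match the packet."""
    return (_addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.port in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the rules top to bottom; the first match decides. Returns (action, rule name)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return IMPLICIT_DENY.action, IMPLICIT_DENY.name


def sender_sees(action: str) -> str:
    """What the originating host observes: the practical difference between deny and drop."""
    return {"allow": "connection proceeds",
            "deny": "explicit rejection (TCP RST or ICMP unreachable)",
            "drop": "nothing; the connection attempt times out"}[action]


# Constructed rule set: one public web server plus an admin jump network.
RULES = [
    Rule("allow-web-in", "any", "203.0.113.10/32", "tcp", 443, "allow"),
    Rule("reject-telnet", "any", "any", "tcp", 23, "deny"),
    Rule("allow-admin-ssh", "10.0.5.0/24", "203.0.113.0/24", "tcp", 22, "allow"),
]


def demo_order_matters() -> Tuple[str, str]:
    """Same two rules in both orders: a broad allow placed above the telnet reject shadows it."""
    telnet = Packet("198.51.100.7", "203.0.113.10", "tcp", 23)
    strict = [RULES[1], Rule("allow-all-to-web", "any", "203.0.113.10/32", "any", None, "allow")]
    loose = list(reversed(strict))
    return evaluate(strict, telnet)[0], evaluate(loose, telnet)[0]


if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "203.0.113.10", "tcp", 443),
                Packet("198.51.100.7", "203.0.113.10", "tcp", 23),
                Packet("10.0.5.9", "203.0.113.10", "tcp", 22),
                Packet("192.0.2.1", "203.0.113.10", "tcp", 22)):
        action, name = evaluate(RULES, pkt)
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}: {action} by {name}; "
              f"sender sees {sender_sees(action)}")
    print("telnet, reject-first vs. broad-allow-first:", demo_order_matters())
```

The last call is the point to remember: the same rules produce opposite outcomes depending on their order, which is why rule position, not just rule content, belongs in every review.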

Common Firewall Misconfigurations to Avoid

  • Overly permissive rules: Rules like "allow any to any" completely negate the firewall's purpose.
  • Unreviewed legacy rules: Old rules for decommissioned services accumulate and create unnecessary exposure.
  • Trusting internal traffic blindly: Lateral movement attacks exploit the assumption that internal traffic is safe. Zero Trust architecture challenges this assumption.
  • No egress filtering: Blocking inbound threats but ignoring outbound traffic allows malware to "phone home" undetected.
  • Missing logging: A firewall that doesn't log drops and allows provides no forensic value.
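The misconfigurations above are all mechanically checkable. As an added example (not from the article, and not any vendor's tooling), the following Python lint pass walks a rule set and reports each of them: any-to-any allows, deny rules that don't log, stale rules that haven't matched in a long time, blanket internal-to-internal allows, rules shadowed by an earlier broader rule, a missing egress section, and a rule set that relies on the unlogged implicit deny instead of an explicit logged catch-all. The Rule fields, the 180-day staleness threshold and both sample rule sets are constructed for illustration.

```python
# Added example, not from the article: a lint pass that flags the
# misconfigurations listed above. Rule fields, the staleness threshold and
# both sample rule sets are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

# RFC 1918 ranges are what we treat as "internal" here.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                       # "in", "out" or "any"
    src: str                             # CIDR or "any"
    dst: str
    proto: str                           # "tcp", "udp", "icmp" or "any"
    port: Optional[int]                  # destination port, None = any
    action: str                          # "allow", "deny" or "drop"
    log: bool = False
    last_hit_days: Optional[int] = None  # days since the rule last matched; None = unknown


def _covers(wide: str, narrow: str) -> bool:
    """True when address spec `wide` contains every address in `narrow`."""
    if wide == "any":
        return True
    if narrow == "any":
        return False
    return ip_network(narrow, strict=False).subnet_of(ip_network(wide, strict=False))


def _internal(spec: str) -> bool:
    return spec != "any" and any(ip_network(spec, strict=False).subnet_of(n) for n in RFC1918)


def shadows(earlier: Rule, later: Rule) -> bool:
    """`later` can never fire if `earlier` already matches everything it would."""
    return (earlier.direction in ("any", later.direction)
            and _covers(earlier.src, later.src)
            and _covers(earlier.dst, later.dst)
            and earlier.proto in ("any", later.proto)
            and earlier.port in (None, later.port))


def _is_catch_all(r: Rule) -> bool:
    return r.src == "any" and r.dst == "any" and r.proto == "any" and r.port is None


def lint(rules: List[Rule], stale_after_days: int = 180) -> List[Tuple[str, str]]:
    """Return (rule name or '*', finding code) pairs; an empty list means a clean rule set."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and _is_catch_all(r):
            findings.append((r.name, "any-any-allow"))
        if r.action in ("deny", "drop") and not r.log:
            findings.append((r.name, "deny-without-log"))
        if r.last_hit_days is not None and r.last_hit_days > stale_after_days:
            findings.append((r.name, "stale"))
        if (r.action == "allow" and r.proto == "any" and r.port is None
                and _internal(r.src) and _internal(r.dst)):
            findings.append((r.name, "blanket-internal-allow"))
        if any(shadows(earlier, r) for earlier in rules[:i]):
            findings.append((r.name, "shadowed"))
    if not any(r.direction == "out" for r in rules):
        findings.append(("*", "no-egress-filtering"))
    last = rules[-1] if rules else None
    if last is None or last.action not in ("deny", "drop") or not _is_catch_all(last) or not last.log:
        findings.append(("*", "no-logged-catch-all-deny"))
    return findings


# Constructed rule sets (RFC 5737 documentation addresses for the public side).
BAD_RULES = [
    Rule("allow-web", "in", "any", "203.0.113.10/32", "tcp", 443, "allow", log=True),
    Rule("drop-telnet", "in", "any", "any", "tcp", 23, "drop"),
    Rule("temp-vendor-access", "in", "198.51.100.0/24", "10.0.0.0/8", "any", None, "allow", last_hit_days=400),
    Rule("allow-internal", "in", "10.0.0.0/8", "10.0.0.0/8", "any", None, "allow"),
    Rule("allow-hr-db", "in", "10.0.5.0/24", "10.0.9.20/32", "tcp", 5432, "allow"),
    Rule("allow-anything", "in", "any", "any", "any", None, "allow"),
]
GOOD_RULES = [
    Rule("allow-web", "in", "any", "203.0.113.10/32", "tcp", 443, "allow", log=True),
    Rule("allow-hr-db", "in", "10.0.5.0/24", "10.0.9.20/32", "tcp", 5432, "allow", log=True),
    Rule("allow-dns-out", "out", "10.0.0.0/8", "any", "udp", 53, "allow"),
    Rule("allow-https-out", "out", "10.0.0.0/8", "any", "tcp", 443, "allow"),
    Rule("deny-all", "any", "any", "any", "any", None, "drop", log=True),
]

if __name__ == "__main__":
    for label, rules in (("bad", BAD_RULES), ("good", GOOD_RULES)):
        print(label, lint(rules) or "no findings")
```

The shadowing check is the one most reviews skip: `allow-hr-db` looks tight on its own, but the `allow-internal` rule above it already admits everything it would, so the narrow rule is dead weight and the real exposure is the broad one.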

Firewall Placement in Network Architecture

Effective firewall deployment uses a defense-in-depth approach with multiple firewall layers:

  1. Perimeter firewall: Between the internet and your network edge — the first line of defense.
  2. DMZ firewall: Isolates public-facing servers (web, mail, DNS) from the internal network.
  3. Internal segmentation firewalls: Separate sensitive internal zones (HR databases, OT networks) from general corporate traffic.

Understanding firewall architecture from both a defender's and an attacker's perspective is essential. Pen testers routinely probe firewall rule sets for gaps — which is exactly why regular audits and rule reviews are non-negotiable in a mature security program.