

Contributor(s): Crystal Bedell, Casey Clark and Michael Cobb

In computing, a firewall is software or firmware that enforces a set of rules about what data packets will be allowed to enter or leave a network. Firewalls are incorporated into a wide variety of networked devices to filter traffic and lower the risk that malicious packets traveling over the public internet can impact the security of a private network. Firewalls may also be purchased as stand-alone software applications.

The term firewall is a metaphor that compares a type of physical barrier that's put in place to limit the damage a fire can cause, with a virtual barrier that's put in place to limit damage from an external or internal cyberattack. When located at the perimeter of a network, firewalls provide low-level network protection, as well as important logging and auditing functions.

While the two main types of firewalls are host-based and network-based, there are many different types that can be found in different places and controlling different activities. A host-based firewall is installed on individual servers and monitors that host's incoming and outgoing traffic. A network-based firewall can be built into the cloud's infrastructure, or it can be a virtual firewall service.

Types of firewalls

Other types of firewalls include packet-filtering firewalls, stateful inspection firewalls, proxy firewalls and next-generation firewalls (NGFW).

  • A packet-filtering firewall examines packets in isolation and does not know the packet's context.
  • A stateful inspection firewall examines network traffic to determine whether one packet is related to another packet.
  • A proxy firewall inspects packets at the application layer of the Open Systems Interconnection (OSI) reference model.

An NGFW uses a multilayered approach to integrate enterprise firewall capabilities with an intrusion prevention system (IPS) and application control.


When organizations began moving from mainframe computers and dumb clients to the client-server model, the ability to control access to the server became a priority. Before the first firewalls emerged based on work done in the late 1980s, the only real form of network security was enforced through access control lists (ACL) residing on routers. ACLs specified which Internet Protocol (IP) addresses were granted or denied access to the network.

The exponential growth of the internet and the resulting increase in connectivity of networks, however, meant that filtering network traffic by IP address alone was no longer enough. Static packet-filtering firewalls, which examine packet headers and use rules to make decisions about what traffic to let through, arguably became the most important part of every network security initiative by the end of the last century.

How packet-filtering firewalls work

When a packet passes through a packet-filtering firewall, its source and destination address, protocol and destination port number are checked. The packet is dropped -- it's not forwarded to its destination -- if it does not comply with the firewall's rule set. For example, if a firewall is configured with a rule to block Telnet access, then the firewall will drop packets destined for Transmission Control Protocol (TCP) port number 23, the port where a Telnet server application would be listening.

Firewalls examine packets to keep the bad ones out of enterprise networks.

Packet-filtering firewalls work mainly on the network layer of the OSI reference model, although the transport layer is used to obtain the source and destination port numbers. They examine each packet independently and do not know whether any given packet is part of an existing stream of traffic. Packet-filtering firewalls are effective, but because they process each packet in isolation, they can be vulnerable to IP spoofing attacks and have largely been replaced by stateful inspection firewalls.

How stateful inspection firewalls work

Stateful inspection firewalls -- also known as dynamic packet-filtering firewalls -- maintain a table that keeps track of all open connections. When new packets arrive, the firewall compares information in the packet header to the state table and determines whether it is part of an established connection. If it is part of an existing connection, then the packet is allowed through without further analysis. If the packet doesn't match an existing connection, it is evaluated according to the rule set for new connections.

Stateful inspection firewalls monitor communication packets over a period of time and examine both incoming and outgoing packets. Outgoing packets that are requests for specific types of incoming packets are tracked, and only those incoming packets constituting a proper response are allowed through the firewall. Although stateful inspection firewalls are quite effective, they can be vulnerable to denial-of-service (DoS) attacks, because the state table they must maintain for every tracked connection is a finite resource.
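To make the difference between the two preceding sections concrete, here is a toy filter written for this article (added example, not code from the original page or any product). It applies the same rule base, including the Telnet port 23 block from the packet-filtering example, first as a stateless packet filter and then with a state table; the packets, addresses and rule names are constructed for illustration.

```python
from dataclasses import dataclass

TELNET_PORT = 23  # port of the Telnet server in the article's blocking example
@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    direction: str = "any"        # "in", "out" or "any"
    dport: "int | None" = None    # None matches any destination port
    def matches(self, pkt):
        return (self.direction in ("any", pkt["direction"])
                and self.dport in (None, pkt["dport"]))

def stateless_decision(rules, pkt):
    # Packet-filtering firewall: each packet judged alone, first match wins, default deny.
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

def connection_key(pkt):
    # Sort the two endpoints so a request and its reply map to the same table key.
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"], ends[0], ends[1])

class StatefulFirewall:
    # Same rules plus a state table, so replies to tracked connections are admitted.
    def __init__(self, rules):
        self.rules, self.state = rules, set()
    def decide(self, pkt):
        key = connection_key(pkt)
        if key in self.state:
            return "allow"  # established connection: no rule lookup needed
        action = stateless_decision(self.rules, pkt)
        if action == "allow":
            self.state.add(key)  # remember the newly permitted connection
        return action

RULES = [Rule("deny", dport=TELNET_PORT),   # block Telnet in either direction
         Rule("allow", direction="out")]   # inside hosts may initiate connections
# Constructed sample packets (not captured traffic): a 5-tuple plus direction.
PACKETS = [
    dict(direction="out", proto="tcp", src="10.0.0.5", sport=40001, dst="203.0.113.7", dport=80),
    dict(direction="in", proto="tcp", src="203.0.113.7", sport=80, dst="10.0.0.5", dport=40001),
    dict(direction="in", proto="tcp", src="198.51.100.9", sport=5555, dst="10.0.0.5", dport=80),
    dict(direction="out", proto="tcp", src="10.0.0.5", sport=40002, dst="203.0.113.7", dport=TELNET_PORT),
]

def run_demo():
    # Returns (stateless decisions, stateful decisions) for PACKETS, in order.
    fw = StatefulFirewall(RULES)
    return [stateless_decision(RULES, p) for p in PACKETS], [fw.decide(p) for p in PACKETS]
```

The second packet, the web server's reply, is the one that separates the two: the stateless filter has no rule admitting inbound traffic and drops it, while the stateful filter recognises it as the response to a tracked outbound request.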

How application layer and proxy firewalls work

As attacks against web servers became more common, it became apparent that there was a need for firewalls to protect networks from attacks at the application layer. Packet filtering and stateful inspection firewalls can't distinguish among valid application layer protocol requests, data and malicious traffic encapsulated within apparently valid protocol traffic.

Firewalls that provide application layer filtering can examine the payload of a packet and distinguish among valid requests, data and malicious code disguised as a valid request or data. Since this type of firewall makes a decision based on the payload's content, it gives security engineers more granular control over network traffic and lets them set rules to permit or deny specific application requests or commands. For example, it can allow or deny a specific incoming Telnet command from a particular user, whereas other firewalls can only control general incoming requests from a particular host.

If this type of firewall could also prevent an attacker from connecting directly to the network, it would be even better. Putting the firewall on a proxy server would make it harder for an attacker to discover where the network actually is and create yet another layer of security.

When there is a proxy firewall in place, both the client and the server are forced to conduct the session through an intermediary -- a proxy server that hosts an application layer firewall. Now, each time an external client requests a connection with an internal server (or vice versa), the client will open a connection with the proxy instead. If the connection meets the criteria in the firewall rule base, the proxy will open a connection to the requested server. Because the firewall is placed in the middle of the logical connection, it can watch traffic for any signs of malicious activity at the application layer.

The key benefit of application layer filtering is the ability to block specific content, such as known malware or certain websites, and recognize when certain applications and protocols, such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP) and domain name system (DNS), are being misused. Application layer firewall rules can also be used to control the execution of files or the handling of data by specific applications.
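As an added illustration of application layer filtering (example code written for this page, not taken from it or from any firewall product): each payload below arrives on the HTTP port and would look identical to a port-based rule, yet only one is a well-formed request to a permitted host. The block list entry, hostnames and payloads are constructed.

```python
import re

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
BLOCKED_HOSTS = {b"blocked.example"}  # constructed block-list entry

def http_decision(payload):
    """Application-layer verdict for one request received on the HTTP port.
    Returns (action, reason). Anything that is not well-formed HTTP is denied,
    which is how non-HTTP traffic carried over the HTTP port gets caught."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return "deny", "not an HTTP request line"
    method, target = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        return "deny", "method not permitted"
    headers = {}
    for line in payload[m.end():].split(b"\r\n"):
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get(b"host")
    if host is None:
        return "deny", "missing Host header"
    if host.split(b":")[0].lower() in BLOCKED_HOSTS:
        return "deny", "host on block list"
    return "allow", "well-formed request to permitted host"

# Constructed sample payloads, all "port 80 traffic" to a packet filter.
SAMPLES = {
    "normal":  b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "blocked": b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n",
    "method":  b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "misuse":  b"SSH-2.0-OpenSSH_8.9\r\n",   # an SSH banner, not HTTP at all
}

def run_samples():
    # Maps each sample name to the action the application-layer check returns.
    return {name: http_decision(p)[0] for name, p in SAMPLES.items()}
```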

The future of the firewall

In the early days of the internet, when AT&T's Steven M. Bellovin first used the firewall metaphor, network traffic primarily flowed north-south. This simply means that most of the traffic in a data center flowed from client-to-server and server-to-client. In the past few years, however, virtualization and trends such as converged infrastructure have created more east-west traffic, which means that sometimes the largest volume of traffic in a data center is moving from server-to-server. To deal with this change, some enterprise organizations have migrated from the traditional three-layer data center architectures to various forms of leaf-spine architectures.

This change in architecture has caused some security experts to warn that, while firewalls still have an important role to play in keeping a network secure, modern network perimeters have so many entry points and different types of users that stronger access control and security at the host are required. The need for an even greater multilayer approach has led to the emergence of what vendors are calling next-generation firewalls.

An NGFW integrates three key assets: traditional firewall capabilities, application awareness and an IPS. Like the introduction of stateful inspection to first-generation firewalls, NGFWs bring additional context to the firewall's decision-making process.

NGFWs combine the capabilities of traditional enterprise firewalls -- including network address translation (NAT), Uniform Resource Locator (URL) blocking and virtual private networks (VPN) -- with quality of service (QoS) functionality and features not traditionally found in firewall products. These products support intent-based networking by including Secure Sockets Layer (SSL) and Secure Shell (SSH) inspection, deep packet inspection (DPI) and reputation-based malware detection, as well as application awareness.

This was last updated in May 2019


Amid the widespread use of user-owned devices in the enterprise and the emergence of the Internet of Things, is the answer better firewalls or better host protection?
I think the answer lies with host protection; firewall improvement seems too reactive. (Not a security expert here, so please tell me if I'm wrong.)
The answer, I think, would depend far more on implementation and success than the specific approach. But, that said, perhaps this is exactly the right moment to completely rethink our solutions to the problem.

We keep building better security while the bad guys build better ways to defeat it. So we patch and they attack from a different angle. The whack-a-mole loop is underway. Now that the IoT grows more entrenched in our lives and BYOD has become the standard throughout the industry, isn't it time we stopped using the same failed security system and found an entirely new approach...?

No, sorry, I don't know what that is. Wish I did so I could stop writing and buy my own island. But I do know it's time we realize that whatever we're doing isn't working very well. Surely we can do better....
I want to question the trend here. Why is it necessary to jump to "IoT" with the current state of insecurity? Why does the current software model assume patching immediately after release?
Note that much of the troubleshooting of software is now passed on to the end users. But they are not software security experts and can't be; everyone is a specialist in their own domain.
What adds risk here: many devices are sold with minimal security settings and generic preset passwords.


I feel that both better firewall protection as well as better host protection will be needed; if either is overlooked, the result could be detrimental to an owner or organization. There is also a shared responsibility by the owner of these devices, and for organizations that allow bring your own device (BYOD) there are a plethora of issues associated with this newfound connectivity that most businesses must understand. The mindset then changes from security to convenience, and the question for an organization then becomes which is more important: security or the convenience of access with things.



So, what do you say is a better approach: everything is prohibited by default or everything is allowed unless explicitly prohibited? Should users be able to configure or only administrators?
Most kinds of attacks are carried out against web servers; nowadays it has become common. A firewall is a barrier, so it can prevent any kind of malicious traffic from an untrusted network. Great post. Thanks for sharing this article.
How do I go about to create firewalls?
Please help me here. I'm unable to differentiate between the firewall rules and firewall types. If I search for firewall rules what I come across includes the firewall types. Can someone please assist me?

