What Is a Firewall?

A firewall is a network security device designed to monitor, filter, and control incoming and outgoing network traffic based on predetermined security rules. The primary purpose of a firewall is to establish a barrier between a trusted internal network and untrusted external networks.

Firewalls come in both hardware and software forms, and they work by inspecting data packets and determining whether to allow or block them based on a set of rules. Organizations can configure these rules to permit or deny traffic based on various criteria, such as source and destination IP addresses, port numbers, and protocol type. 

Firewalls are the bedrock of network security, shielding the network from unauthorized access. They prevent bad actors — hackers, bots, and other threats — from overloading or infiltrating a private network to steal sensitive data.

Traditionally, firewalls regulate traffic by forming a secure perimeter around a network or computer. This prevents anyone from accessing network resources if they aren’t authorized to do so. Without this protection, virtually anybody could enter and do as they please.

Today's cybersecurity landscape demands a layered approach. While firewalls remain a cornerstone of network defense, advanced threats require additional security measures. The rise of cloud computing and hybrid work environments further highlights the need for comprehensive security solutions.

Fortunately, cutting-edge firewall technologies with AI-powered services are bringing network security up to speed. Combining the strengths of traditional tools with the innovative capabilities of new solutions, modern firewall vendors help organizations defend against even the most complex attack strategies.

Firewalls protect against malicious traffic. They’re strategically positioned at the network edge or in a data center, allowing them to closely monitor anything attempting to cross this boundary.

This visibility also allows a network firewall to granularly inspect and authenticate data packets in real time. This involves checking the data packet against predefined criteria to determine whether it poses a threat. If it fails to meet the criteria, the firewall blocks it from entering or leaving the network.

Firewalls regulate both inbound and outbound traffic, protecting the network from:

• External threats such as viruses, backdoors, phishing emails, and denial-of-service (DoS) attacks. Firewalls filter incoming traffic flows, preventing unauthorized access to sensitive data and thwarting potential malware infections.
  
  
• Insider threats like known bad actors or risky applications. A firewall can enforce rules and policies to restrict certain types of outgoing traffic, which helps identify suspicious activity and mitigate data exfiltration.

What’s the difference between firewall and antivirus software? Firewalls focus on controlling network traffic and preventing unauthorized access. By contrast, antivirus programs target and eliminate threats at the device level. More specifically, their key differences include:

• Scope: Antivirus software is primarily an endpoint solution, meaning it’s installed on an individual device. Firewalls mainly deploy at the network level, but some organizations install hosted firewalls directly on an endpoint for extra protection.
  
  
• Functionality: Firewalls monitor traffic, blocking malicious data before it enters the network (or endpoint). Antivirus tools scan the local environment for signs of malware, ransomware, and other infectious attacks.

Enterprises normally deploy both firewalls and antivirus programs. As complementary solutions, they each provide essential protective layers for safeguarding business assets.

Network Address Translation (NAT) and Virtual Private Network (VPN) are two distinct technologies, each with its own set of functions related to network security and connectivity. While NAT is primarily associated with address translation for routing purposes, VPNs are used to create secure, encrypted connections over the internet.

NAT

NAT changes the destination or source addresses of data packets as they pass through a firewall. This allows multiple devices to connect to the internet using the same IP address, which helps protect the private network from direct exposure to external threats.

In an office environment, each employee uses their own computer or mobile device to access the internet for browsing, emailing, and accessing cloud services. Despite each device having its own private IP address within the company's internal network, all outbound traffic appears to external networks as originating from the same public IP address assigned to the company. As a result, it’s harder for potential attackers to identify and target individual devices.

VPN

A VPN is a type of proxy server. Therefore, it serves as a barrier between a computer or network and the internet, receiving all web requests before forwarding them to the network.

VPNs are  common and extend the private network across a public one, such as the internet. This allows users to securely transmit data as if their devices were directly connected to the private network. The connection establishes an encrypted tunnel between remote devices and the corporate network, enabling secure access.

This function is especially useful in a hybrid environment. Remote employees can leverage VPNs to access corporate networks and critical applications regardless of where or how they’re working.

Firewalls have evolved through four distinct phases:

1. First-generation firewalls began in 1989 with the packet filtering approach. These firewalls examine individual data packets, making decisions to allow or block them based on predefined rules. However, these were unable to identify if those packets contained malicious code (i.e., malware).
   
   
2. Second-generation firewalls began in the early 2000s. Otherwise known as stateful firewalls, these track the state of active connections. By observing network traffic, they use context to identify and act on suspicious behavior. Unfortunately, this generation also has its limitations.
   
   
3. Third-generation firewalls emerged in the latter half of the early 2000s. Often called proxy firewalls or application-level gateways, these act as intermediaries between a client and server, forwarding requests and filtering responses.
   
   
4. Fourth-generation firewall, also known as next-generation firewall (NGFW), started in 2010. NGFWs combine traditional capabilities with new, advanced features such as intrusion prevention (IPS), application-layer filtering, and advanced threat detection.

Although each generation improved upon the last, many earlier iterations are still in use today. Let’s review the benefits of each firewall in more detail. 

A stateless firewall protects the network by analyzing traffic in the transport layer protocol — the place where devices communicate with one another. Rather than store information about the state of the network connection, it inspects traffic on a packet-by-packet basis.

Then, it decides to block or allow the traffic based on the data located in the “packet header.” This may include source and destination IP addresses, port numbers, protocols, and other information. Altogether, this process is called packet filtering.

Despite being fast and inexpensive, stateless firewalls have their vulnerabilities. Critically, they have zero visibility into packet sequencing. That means they can’t detect illegitimate packets, which may contain attack vectors or not have a corresponding request.

Likewise, they only have insight into the packet header — not its actual contents. This makes it impossible for a stateless firewall to detect malware hidden within a packet’s payload.

Stateful firewalls track the most recent or immediate status of active connections. Monitoring the state and context of network communications can help identify threats based on more insightful information.

For example, state-aware firewalls block or allow traffic by analyzing where it’s coming from, where it’s going, and the contents of its data packets. Moreover, they evaluate the behavior of data packets and network connections, cataloging patterns and using this information to improve future threat detection.

This approach offers more protection compared to packet filtering but takes a greater toll on network performance because it conducts a more in-depth analysis. Worse yet, attackers can trick stateful inspection firewalls into letting harmful connections sneak through. They exploit network rules and send malicious packets using protocols the firewall believes to be safe.

Application-level gateways, or proxy firewalls, act as an intermediary between internal and external systems. Notably, they operate at Layer 7 of the Open Systems Interconnection (OSI) model — the application layer. As the closest layer to the end-user, Layer 7 applications include web browsers, email clients, and instant messaging tools.

Proxy firewalls intercept and analyze all incoming and outgoing traffic, applying granular security policies to control access and protect the network. They offer packet filtering, application-level inspection, URL filtering, and more. 

NGFWs protect businesses against emerging cyber threats. They blend all the best parts of past firewall technologies with the advanced capabilities required to mitigate modern cyberattacks. For example, these include:

• Deep Packet Inspection (DPI), a method of examining the contents of data packets as they pass through network checkpoints. DPI analyzes a larger range of information, allowing it to find otherwise hidden threats.
• Intrusion Prevention (IPS), a system that monitors traffic in real time to proactively identify threats and automate response.
• Data Loss Prevention (DLP), a cybersecurity solution that blocks intentional and accidental data disclosures.

NGFWs combine the protection of previous generations with the advanced security capabilities mentioned above. They can be deployed as software or hardware and can scale to any location: remote office, branch, campus, data center, and cloud. NGFWs can simplify, unify, and automate enterprise-grade protection with centralized management that extends across distributed environments. These capabilities include:

• Internet of Things (IoT) security to discover BYOD, rogue, or shadow IT devices.
• Network sandboxing to monitor and analyze suspicious objects in an isolated environment
• Zero-trust network access (ZTNA) to manage network access to users and applications based on identity and context
• Operational technology (OT) security to protect OT environments with threat intelligence, IPS, and SCADA applications and threat inspection
• Domain Name System (DNS) security to monitor, detect and prevent capabilities against DNS layer attacks
• Software-defined wide-area network (SD-WAN) architecture to deliver dynamic path selection, based on business or application policy, centralized policy and management of appliances, virtual private network (VPN), and zero-touch configuration.