What Is a Firewall? Definition and Types of Firewall | Fortinet

Definition: What Is a Firewall?

A firewall in a computer network provides security at the perimeter by monitoring incoming and outgoing data packets for malware and anomalies. A firewall filters traffic as it attempts to enter and exit your network, whereas antivirus software scans devices and storage systems on the network for threats that have already penetrated your defenses.

A firewall is designed to follow a predefined set of security rules to determine what to allow on your network and what to block.

Depending on where it is deployed and its purpose, a firewall can be delivered as a hardware appliance, as software, or software as a service (SaaS). There are five main types of firewalls depending upon their operational method:

  1. stateless or packet filtering firewall
  2. stateful inspection firewall
  3. circuit-level gateway
  4. application-level gateway
  5. next-generation firewall (NGFW)

The following sections cover the different types of firewalls based on operational method and delivery method.

Firewall vs. Antivirus

What is a firewall compared to antivirus software? While both firewalls and antivirus software protect you from threats, the ways they go about doing so are different. A firewall filters traffic that enters and exits your network. Antivirus software, by contrast, scans devices and storage systems on your network for threats that have already penetrated your defenses, and then removes that malicious software.

What Does a Firewall Do?

Originally, firewalls were divided into two camps: proxy and stateful. Over time, stateful inspection became more sophisticated and the performance of proxy firewalls became too slow. Today, nearly all firewalls are stateful and divide into two general types: network firewalls and host-based firewalls.

A host-based or computer firewall protects just one computer, or "host," and is typically deployed on home or personal devices, often coming packaged with the operating system. Occasionally, though, these firewalls are also used in corporate settings to provide an added layer of protection. Because host-based firewalls must be installed and maintained individually on each device, their scalability is limited.

Network firewalls, on the other hand, protect all devices and traffic passing a demarcation point, enabling broad scalability. As the name implies, a network firewall functions at the network level, OSI Layers 3 and 4, scanning traffic between external sources and your local area network (LAN), or traffic moving between different segments inside the network. They are placed at the perimeter of the network or network segment as a first line of defense and monitor traffic by performing deep packet inspection and packet filtering. If the content of a packet does not meet previously selected criteria based on rules that the network administrator or security team has created, the firewall rejects and blocks that traffic.

Four Limitations of a Firewall

Firewalls can stop a wide range of threats, but they also have the following limitations:

  1. They can’t stop users from accessing information on malicious websites after the user has already connected to the website.
  2. They don’t protect organizations from social engineering.
  3. If your system has already been infected, the firewall cannot find the threat unless it tries to spread by crossing through the firewall.
  4. A firewall cannot prevent hackers from using stolen passwords to access sensitive areas of your network.

History of a Firewall

Firewall security has been around since the 1980s. Originally, it only consisted of packet filters and existed within networks designed to examine the packets of data sent and received between computers. Since then, firewalls have evolved in response to the growing variety of threats:

  1. Generation 1 firewalls—antivirus protection: These consisted of antivirus protections designed to stem the proliferation of viruses invading PCs in the 1980s.
  2. Generation 2 firewalls—network protection: In the mid-1990s, physical firewalls had to be created to protect networks.
  3. Generation 3 firewalls—applications: In the early 2000s, firewalls were developed to address vulnerabilities in applications.
  4. Generation 4 firewalls—payload: These firewalls, developed around 2010, were designed to address evasive and polymorphic attacks.
  5. Generation 5 firewalls—large-scale protection: Around 2017, large-scale attacks using new and more complex methods necessitated advanced threat detection and prevention solutions.
 

What Is a Software Firewall vs a Hardware Firewall?

There are two delivery methods for firewalls: software and hardware. In general, a software firewall protects the host it runs on, such as a computer or device, and a hardware firewall protects the network.

To further differentiate, a hardware firewall in a computer network runs software installed on the hardware appliance, while a software firewall in a computer network uses a computer as the hardware device on which to run. For this reason, software firewalls are often referred to as “host firewalls” and hardware firewalls as “network firewalls.”

 

Software Firewalls and How They Protect the Host

A software firewall or “host firewall” protects just one computer. Typically, host firewalls are packaged with the operating systems in home or personal devices. Software firewalls protect individual hosts from viruses and other malicious content.

The most common kind of software firewall can be found on most personal computers. The firewall works by inspecting data packets that flow to and from your device. It compares the information in the data packets against a list of threat signatures. If a data packet matches the profile of a known threat, it is discarded.

Infrequently, software firewalls are used in corporate settings to provide an added layer of protection. Software firewalls can also monitor the different programs running on the host while filtering inbound and outbound traffic. This provides granular control, enabling the firewall to allow communications to and from one program but prevent communications to and from another.

Because software firewalls run on one host (e.g., a server or another device), firewall software needs to be installed on each device requiring protection. As such, software-based firewalls consume some of their hosts’ CPU and RAM resources. Because software firewalls must be installed and maintained individually on each host, scalability is limited.

Hardware Firewalls and How They Protect the Network

Often referred to as “network firewalls,” hardware firewalls are appliances placed at the perimeter of the network or network segment as a first line of defense. A hardware-based network firewall acts as a secure gateway at the network perimeter. It protects all devices and traffic beyond a specific point on the network, enabling broad scalability. For this reason, hardware-based network firewalls are ideal for medium and large organizations looking to protect many devices.  

Network firewalls function at OSI Layers 3 and 4, scanning traffic between external sources and the local area network (LAN), or traffic moving between different segments inside the network.

Network firewalls monitor traffic by performing deep packet inspection and packet filtering. If the content of a data packet does not meet previously selected criteria based on rules set by the network administrator or security team, the network firewall rejects and blocks that traffic.

Network firewalls require more knowledge to configure and manage than their software-based, host firewall counterparts.

The Five Types of Operational Firewalls and How They Work

The following sections explain the differences between the five types of firewalls mentioned above and what each does to protect the network:

  1. packet filtering firewall
  2. stateful inspection firewall
  3. circuit-level gateway
  4. application-level gateway
  5. next-generation firewall (NGFW)

Stateless or Packet Filtering Firewall

A packet filtering firewall protects the network by analyzing traffic in the transport protocol layer where applications can communicate with each other using specific protocols: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).

The firewall examines the data packets at this layer, looking for malicious code that can infect the network or device. If a data packet is identified as a potential threat, the firewall rejects it. Small businesses that need basic protection from existing cyber threats can benefit from a packet-filtering firewall.

Packet-filtering firewalls analyze surface-level details only and do not open the packet to examine the actual data (content payload). They check each packet in isolation for source and destination IP address, packet type, port number, and network protocol, but not in the context of current traffic streams.

Stateful Inspection Firewall

Stateful inspection firewalls operate at the gateway between systems behind the firewall and resources outside the enterprise network. Stateful inspection firewalls are situated at Layers 3 and 4 of the Open Systems Interconnection (OSI) model. 

State-aware firewalls examine each packet (stateful inspection), and track and monitor the state of active network connections while analyzing incoming traffic for potential risks. The “state” is the most recent or immediate status of a process or application.

Stateful firewalls can detect attempts by unauthorized individuals to access a network, as well as analyze the data within packets to see if they contain malicious code. They are very effective at defending the network against denial of service (DoS) attacks.

It is important to monitor the state and context of network communications because this information can be used to identify threats—either based on where they are coming from, where they are going, or the content of their data packets. This method offers more security than either packet filtering or circuit monitoring alone but exacts a greater toll on network performance. 
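To make the contrast between the packet-filtering and stateful inspection sections above concrete, here is an added toy model (my own example, not Fortinet code or any product's implementation): a stateless filter that judges each packet alone beside a stateful firewall that keeps a connection table with a state per flow and an idle timeout. The LAN prefix, addresses, ports and the replayed packet sequence are all constructed.

```python
"""Toy model: stateless packet filter vs. stateful inspection (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/24")   # hypothetical internal network (constructed)
HTTPS = 443                       # the only outbound service this toy policy permits


@dataclass(frozen=True)
class Packet:           # the Layer 3/4 header fields a firewall rule can see
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag set
    ack: bool = False   # TCP ACK flag set


def internal(ip: str) -> bool:
    return ip_address(ip) in LAN


def stateless_filter(pkt: Packet) -> bool:
    """Judge each packet on its own header fields. To let HTTPS replies back in,
    a stateless rule must admit any inbound packet with source port 443 and ACK
    set, because the filter has no memory of which connections the LAN opened."""
    if internal(pkt.src) and pkt.dport == HTTPS:
        return True                      # outbound request: allow
    if internal(pkt.dst) and pkt.sport == HTTPS and pkt.ack:
        return True                      # looks like a reply: allow, no context
    return False                         # default deny


class StatefulFirewall:
    """Track connections the LAN initiated and admit only packets that belong
    to one of them. Idle entries expire so a stale flow cannot be reused."""
    IDLE_TIMEOUT = 60.0  # seconds

    def __init__(self) -> None:
        self.table: dict = {}   # (src, sport, dst, dport) -> [state, last_seen]

    def state_of(self, src: str, sport: int, dst: str, dport: int):
        entry = self.table.get((src, sport, dst, dport))
        return entry[0] if entry else None

    def filter(self, pkt: Packet, now: float) -> bool:
        # forget flows idle longer than IDLE_TIMEOUT before consulting the table
        self.table = {k: v for k, v in self.table.items() if now - v[1] <= self.IDLE_TIMEOUT}
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rev in self.table:                           # reply to a tracked flow
            if self.table[rev][0] == "SYN_SENT" and pkt.syn and pkt.ack:
                self.table[rev][0] = "ESTABLISHED"      # handshake completed
            self.table[rev][1] = now
            return True
        if fwd in self.table:                           # more data from initiator
            self.table[fwd][1] = now
            return True
        if internal(pkt.src) and pkt.dport == HTTPS and pkt.syn and not pkt.ack:
            self.table[fwd] = ["SYN_SENT", now]         # NEW flow opened by the LAN
            return True
        return False                                    # no state and no policy: deny


def demo() -> dict:
    """Replay a constructed packet sequence and collect both filters' verdicts."""
    ext, lan = "203.0.113.9", "10.0.0.5"
    unsolicited = Packet(ext, HTTPS, lan, 51000, ack=True)   # "reply" nobody asked for
    fw = StatefulFirewall()
    out = {"stateless_admits_unsolicited": stateless_filter(unsolicited),
           "stateful_admits_unsolicited": fw.filter(unsolicited, now=0.0)}
    fw.filter(Packet(lan, 51000, ext, HTTPS, syn=True), now=1.0)        # LAN opens flow
    out["reply_admitted"] = fw.filter(Packet(ext, HTTPS, lan, 51000, syn=True, ack=True), now=2.0)
    out["state"] = fw.state_of(lan, 51000, ext, HTTPS)
    out["stale_reply_admitted"] = fw.filter(unsolicited, now=200.0)    # past idle timeout
    return out
```

The stateless filter admits the unsolicited packet because its header alone looks like a reply; the stateful firewall admits only the reply to a flow the LAN actually opened, and rejects the same packet again once the flow has been idle past the timeout.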

Circuit-level Gateway

Circuit-level gateways operate at the session layer of the Open Systems Interconnection (OSI) model. In the OSI model, a handshake must occur before information can be passed from one host to another. Circuit-level gateways determine the security of an established connection between the transport layer and the application layer of the TCP/Internet Protocol (TCP/IP) stack by monitoring TCP handshakes between local and remote hosts.

While circuit-level gateways have minimal impact on network performance, a data packet containing malware can bypass a circuit-level gateway easily even if it has a legitimate TCP handshake. This is because circuit-level gateways do not filter the content in data packets. To fill this gap, circuit-level gateways are often paired with another type of firewall that performs content filtering.

Application-level Gateway

An application-level gateway, also referred to as a “proxy firewall,” serves as an intermediary between internal and external systems. It operates at the application layer, the highest layer of the OSI model, and employs deep packet inspection (DPI) on incoming traffic to check both data packet payloads (content) and headers. This firewall makes sure that only valid data exists at the application level before allowing it to pass through.

Application-level gateways follow a set of application-specific policies to determine which communications are allowed to pass to and from an application. They help protect a network by masking clients’ requests before sending them to the host.

When network anonymity is required, application-level gateways are often in play. They are ideal for securing web apps from bad actors (malicious intent).

Next-Generation Firewall (NGFW)

A next-generation firewall (NGFW) is the only type of firewall that provides the capabilities to protect modern businesses against emerging cyberthreats. As malware and threats have become more difficult to detect at the access point, NGFW security has evolved to span the network and monitor behavior and intent.

NGFWs provide functions like deep-packet inspection, intrusion prevention (IPS), advanced malware detection, application control, and overall network visibility through inspection of encrypted traffic. They can be found anywhere from an on-premises network edge to its internal boundaries, and can also be employed on public or private cloud networks.

NGFWs' CPU-intensive capabilities include high-performance decryption, deep-packet inspection after decryption, detection of malicious URLs, identification of command-and-control activity and malware downloads, and threat correlation. Because of these advanced security capabilities, NGFWs are critical for heavily regulated industries such as finance or healthcare and are often integrated with other security systems and SIEMs for end-to-end vigilance and reporting.

There is a wide variety of NGFWs on the market with different feature sets. In order to find the best fit, organizations would benefit from identifying the security features they need most in an NGFW for their industry and use case, to focus the search.

Fortinet FortiGate NGFWs combine the protection of the five types of firewalls with the advanced security capabilities mentioned above. They can be deployed as software or hardware and can scale to any location: remote office, branch, campus, data center, and cloud.

FortiGates are the only NGFWs with unified management for hybrid mesh firewalls and consistent security across complex, hybrid environments.

How Does a Firewall Work?

How does a firewall work? Firewalls work by inspecting packets of data and checking them for threats to enhance network security. They can check the contents of the data, the ports it uses to travel, and its origin to see if it poses a danger. Further, next-generation firewalls (NGFWs) use machine learning to detect patterns of data behavior that may signify anomalous—and dangerous—activity. These capabilities can prevent several kinds of attacks.

Backdoors

Backdoors are a form of malware that allow hackers to access an application or system remotely. Firewalls can detect and stop data that contains backdoors.

Denial of Service

Denial-of-service (DoS) attacks overwhelm a system with fake requests. You can use a network firewall with an access control list (ACL) to control which kinds of traffic are allowed to reach your applications. You can also use a web application firewall (WAF) to detect DoS-style traffic and stop it from impacting your web app.

Macros

Macros can be used by hackers to destroy data on your computer. A firewall can detect files with malicious macros and stop them from entering your system.

Remote Logins

Firewalls can prevent people from remotely logging in to your computer, which can be used to control it or steal sensitive information.

Spam

Spam, which involves unwanted emails being sent without the consent of the recipient, can also be stopped by firewalls. An email firewall can inspect incoming messages and detect spam using a predesigned assortment of rules.

Viruses

Viruses copy themselves and spread to adjacent computers on a network. Firewalls can detect data packets containing viruses and prevent them from entering or exiting the network.

What Are the Components of A Firewall?

A firewall consists of hardware and software that combine to protect a section of a network from unwanted data. A hardware firewall runs software installed inside it, and software firewalls use your computer as the hardware device on which to run. Whether you have your own firewall or a managed firewall run by a Firewall-as-a-Service (FWaaS) vendor, components will be similar.

The hardware of a firewall has its own processor or device that runs the software capabilities of the firewall. The software of a firewall consists of various technologies that apply security controls to the data trying to go through the firewall. Some of these technologies include:

  1. Real-time monitoring, which checks the traffic as it enters the firewall
  2. Internet Protocol (IP) packet filters, which examine data packets to see if they have the potential to contain threats
  3. Proxy servers, which serve as a barrier between your computer or network and the internet. Requests you send go to the proxy server first, which forwards your web request on. A proxy server can control which websites users interact with, refusing to forward requests to sites that may pose a threat.
  4. VPN, which is a type of proxy server that encrypts data sent from someone behind the firewall and forwards it to someone else
  5. Network Address Translation (NAT) changes the destination or source addresses of IP packets as they pass through the firewall. This way, multiple hosts can connect to the internet using the same IP address.
  6. Socket Secure (SOCKS) server, which routes traffic to the server on the client’s behalf. This enables the inspection of the client’s traffic.
  7. Mail relay services, which take email from one server and deliver it to another server. This makes it possible to inspect email messages for threats.
  8. Split Domain Name System (DNS), which allows you to dedicate internal usage of your network to one DNS and external usage to another. The firewall can then monitor the traffic going to each server individually.
  9. Logging, which keeps an ongoing log of activity. This can be reviewed later to ascertain when and how threats tried to access the network or malicious data within the network attempted to get out.

Firewall Best Practices

What is firewall configuration? To ensure you get the most from your firewall, follow these best practices. They will enable you to block more threats and better guard your system.

1. Block traffic by default

When you block traffic by default, all traffic is prevented from entering your network at first, and then only specific traffic headed towards known, safe services is allowed through.

2. Specify source IP address, destination IP address, and destination port

When you specify the source IP address, you can eliminate the possibility of getting malicious traffic coming directly from IP addresses that are known to present threats. By specifying the destination IP address, you can protect devices with—or those that share—a certain IP address. 

Specifying the destination port can protect processes that receive data through certain destination ports, such as databases, which may be targeted by Structured Query Language (SQL) injections meant to tamper with the queries that applications make to databases.

3. Update your firewall software regularly

With regular software updates, the profiles of threats that are relatively new to the landscape can be included in your firewall's filters. This ensures you have the most recent protections.

4. Conduct regular firewall software audits

Regular software audits of your firewalls ensure that they are managing and filtering traffic the way they need to. This reduces risk as well as ensures your system is meeting regulatory or internal requirements.
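As an added example of practices 1, 2 and 4 in code (mine, not from this page or any vendor's product): a default-deny rule set whose allow rules name source, destination and destination port, evaluated first-match, plus an audit that flags rules shadowed by an earlier rule and can therefore never fire. The rule set, addresses and ports are constructed.

```python
"""Default-deny rule set with explicit allow rules and a shadowed-rule audit (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

ANY = ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str             # "allow" or "deny"
    proto: str              # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]    # None means any destination port
    comment: str = ""

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return (self.proto in ("any", proto)
                and ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and self.dport in (None, dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match is already matched by self."""
        return (self.proto in ("any", other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and (self.dport is None or self.dport == other.dport))


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching rule decides; traffic no rule allows is dropped (practice 1)."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "deny"


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Rules that can never fire because an earlier rule already decides every
    packet they would match: a typical finding in a rule-set audit (practice 4)."""
    return [rule.comment or f"rule {i}"
            for i, rule in enumerate(rules)
            if any(earlier.covers(rule) for earlier in rules[:i])]


# Constructed rule set: a known-bad source range is dropped first, then only
# named services are opened to named destinations (practice 2).
RULES = [
    Rule("deny", "any", ip_network("198.51.100.0/24"), ANY, None, "drop known-bad source range"),
    Rule("allow", "tcp", ANY, ip_network("10.0.1.10/32"), 443, "public HTTPS to web server"),
    Rule("allow", "tcp", ip_network("10.0.2.0/24"), ip_network("10.0.1.20/32"), 5432, "app tier to database"),
    Rule("allow", "tcp", ip_network("10.0.2.5/32"), ip_network("10.0.1.20/32"), 5432, "legacy host to database"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "tcp", "203.0.113.4", "10.0.1.20", 5432))   # deny: database is not public
    print(shadowed_rules(RULES))                                      # ['legacy host to database']
```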

5. Have a centralized management tool for multi-vendor firewalls

With a centralized management tool, you can see the status of and make changes to several different firewalls from disparate vendors all within a single dashboard. In this way, you can check to see how each one is performing and make adjustments as needed without having to navigate through several screens or travel to different workstations.

How to Pick the Best Firewall for Your Enterprise?

Regardless of your configuration, a firewall serves as the critical inspection point for all network traffic. But not all firewalls have the same features and capabilities. The right firewall will help prepare your business for growth by consolidating the number of products you must manage, reducing costs and cycles, and making the overall management of your network infrastructure effortless and efficient.

A firewall in a computer network should operate seamlessly within a comprehensive security framework that can span and adapt to your evolving needs. To save time and get the right firewall for your use case, identify the security features that are a priority for your network and organization. It’s critical to choose a firewall that can scale as your organization and network expand.

Here are several key considerations when choosing a firewall for your business or enterprise:

  • Throughput -- Does it match your needs? Your firewall must be able to quickly identify applications, and scale to process and secure increasing network traffic demands, especially now that most traffic is encrypted, an estimated 95% according to Google’s latest transparency report. Decrypting SSL is the key to identifying cyber threats hiding in encrypted traffic.
  • Inspection -- What type do you require? Effectively analyzing streaming traffic in real-time requires a much more specialized and intensive process than most firewalls can deliver. Discovering today’s sophisticated cyberattacks demands more processing power.
  • Longevity -- How long should it last? To avoid filling gaps every couple of years, the best rule of thumb is to make an educated guess about your bandwidth requirements in three years, double it, and then select a firewall that is very comfortable with securing that volume of traffic.
  • High-Performance CPU -- Can it analyze traffic efficiently? Traffic analysis is a key consideration for the firewall’s CPU. Can it support the specialized functions for high-performance security inspection?  Make sure the firewall is not built around generic processors that were not designed for this.
  • Multivendor or Single Vendor -- Is management complex or simple? Taking a best-of-breed, multivendor approach brings more complexity. Therefore, multivendor solutions should be built using common standards and open APIs. This will reduce the time and effort required to develop and maintain workarounds to help discrete solutions operate more like a system. In contrast, solutions provided by a single vendor, especially when supported by a common OS, can significantly reduce deployment time, simplify management, and improve operational efficiency.
  • NGFW -- What’s your baseline? At a minimum, NGFWs should include decryption, advanced threat protection, content filtering, endpoint integration, sandboxing, IoT visibility and control, remote access, and a secure SD-WAN. As mentioned before, focusing on the security capabilities you require most in a firewall will help you find the right solution.

 

How Fortinet Can Help

FortiGate Next Generation Firewalls (NGFWs) integrate advanced networking and robust security, providing industry-leading threat protection and decryption with a custom ASIC architecture for superior performance and energy efficiency at scale. They are powered by FortiOS, which ensures consistent security across networks, streamlines operations, and converges networking and security across WLAN, LAN, SASE, and NGFW, eliminating the need for multiple products by integrating SD-WAN and Universal ZTNA into FortiGates. Customers are safeguarded against the latest threats with AI-enhanced protection from FortiGuard Security Services, and FortiManager provides centralized and unified policy management of Hybrid Mesh Firewalls. FortiGates are the foundation of the Fortinet Security Fabric, which ensures consistent security and converges networking and security to respond rapidly to threats in a secure, responsive network environment. This comprehensive platform approach, covering diverse networks, endpoints, and clouds, provides a tailored, efficient cybersecurity solution.

 

Firewall FAQs

What is a firewall?

A firewall is a network security solution that protects your network from unwanted traffic. Firewalls block incoming malware based on a set of pre-programmed rules.

What is the purpose of a firewall?

Firewalls are based on the simple idea that network traffic from less secure environments should be authenticated and inspected before moving to a more secure environment. This prevents unauthorized users, devices, and applications from entering a protected network environment or segment.

What are examples of a firewall?

Different firewall types include: packet layer, circuit level, application layer, proxy server, and software firewalls.