What is a Firewall?
A firewall is a monitored and controlled boundary between your network and the rest of the Internet. Its purpose is to keep cyberthreats and malicious or unwanted network traffic out of your network. Your firewall is your first line of defense. You can think of a firewall as a great wall around your business, protecting your digital assets from cyberthreats.
Firewall rules govern what traffic can pass in and out. Every IP packet carries a source and a destination Internet Protocol (IP) address, and TCP and UDP traffic carries a source and a destination port number as well. There are 65,536 ports (0 to 65535). The well-known ports (0 to 1023) and many of the registered ports above them are assigned by IANA to particular services, but the assignment is a convention, not a guarantee: a service can listen on any port, and a firewall that filters on port number alone is trusting the sender to follow the convention.
Key Takeaways
- A firewall is essential for protecting a network from cyberthreats by controlling the traffic that enters and exits based on specific rules.
- Traditional network firewalls use packet filtering to allow only approved traffic through while blocking everything else, highlighting the need for correct setup to ensure effectiveness.
- Next-generation firewalls offer enhanced security by examining the contents of network packets. This enables more precise control over application usage and helps lower the risk of various threats.
- Different types of firewalls, such as web application firewalls, database firewalls, and cloud-based firewalls, address specific security needs and offer tailored protection for different areas of a network.
- Maintaining an effective firewall requires regular updates, careful configurations, and strict adherence to security procedures to avoid common errors that could create vulnerabilities.
Types of Firewalls
Different types of network traffic use ports devoted to that type of traffic:
- Hypertext Transfer Protocol (HTTP) web traffic defaults to port 80.
- HTTP over TLS (HTTPS) defaults to port 443.
- Email relayed between mail servers by the Simple Mail Transfer Protocol (SMTP) uses port 25; mail clients submitting outgoing mail normally use port 587.
- Email retrieved by the Internet Message Access Protocol (IMAP) uses port 143, or 993 for IMAP over TLS.
- Remote workers who connect to a Windows desktop or server in your office use the Remote Desktop Protocol (RDP), which listens on port 3389.
All of these ports require rules so that the firewall can enforce your security policy on traffic attempting to enter and leave your network. The security emphasis is usually on traffic entering the network, but a firewall can just as easily control traffic that is leaving it, and those egress rules are what stop malware from calling home and staff from reaching services you have not approved.
There are many different types of firewalls. We’ll point out the differences between the main firewall groups. We’re only considering network equipment firewalls here and not software firewalls such as the personal firewall built into Microsoft Windows.
Traditional Network Firewall
Packet-filtering network firewalls are the type we’ve described above. They protect the corporate network by applying an ordered set of rules to each packet – network traffic is made up of many small packets of information – and allowing or denying it according to those rules.
The only traffic allowed through is traffic that satisfies a rule’s criteria: originating IP address, target IP address, port number, and protocol. Everything else is blocked, but only because the rule table ends with a catch-all deny (a default-deny policy); a firewall whose final action is allow passes everything the rules failed to mention. Rules are evaluated top to bottom and the first match decides. Most network firewalls are also stateful: they remember the connections they have allowed and admit the return traffic automatically, so no inbound rule is needed for the replies to outbound connections.
These firewalls are very effective if they are configured correctly. Most successful breaches through a firewall are due to misconfigured rules or out-of-date firmware rather than a flaw in the packet filter itself. And bear in mind, the more capable the firewall, the more complicated it is to set up.
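To make the first-match, default-deny and stateful behaviour concrete, here is a small packet-filter simulation in Python. It is an added example written for this article, not code from the original page or from any firewall product; the 10.0.0.0/24 office network, the 203.0.113.10 web server and the rule set are constructed.

```python
"""Stateful packet filter, simplified: ordered rules, first match wins, default deny.

Added example written for this article, not code from the original page or from
any firewall vendor. Addresses, ports and the rule set below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR; the default matches every source
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            self.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and (self.dport is None or self.dport == pkt.dport)
        )


class StatefulFilter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.conntrack = set()   # 5-tuples of connections an allow rule admitted

    def decide(self, pkt: Packet) -> str:
        # 1. Reply traffic for a connection we already allowed passes without a
        #    rule lookup. This is what "stateful" buys you: no inbound rule is
        #    needed for the answers to outbound connections.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.conntrack:
            return "allow (established)"
        # 2. Otherwise walk the rules top to bottom; the first match decides.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action
        # 3. Nothing matched: default deny. Without this last step any traffic
        #    the rules do not mention would pass.
        return "deny (default)"


LAN = "10.0.0.0/24"                # constructed: the office network
WEB_SERVER = "203.0.113.10/32"     # constructed: our public web server

POLICY = [
    Rule("allow", "tcp", src=LAN, dport=443),         # staff may browse over HTTPS
    Rule("allow", "tcp", dst=WEB_SERVER, dport=443),  # anyone may reach our web server
    Rule("deny", "tcp", dport=3389),                  # RDP is never exposed
]


def demo() -> dict:
    fw = StatefulFilter(POLICY)
    return {
        # outbound HTTPS from a staff PC: matched by rule 1
        "lan_https_out": fw.decide(Packet("tcp", "10.0.0.5", 51000, "198.51.100.7", 443)),
        # the web server's reply: no inbound rule allows it, but conntrack does
        "https_reply": fw.decide(Packet("tcp", "198.51.100.7", 443, "10.0.0.5", 51000)),
        # an attacker sending from source port 443 without a prior connection:
        # a stateless filter that allowed "sport 443 -> LAN" would let this in
        "unsolicited_443_in": fw.decide(Packet("tcp", "198.51.100.9", 443, "10.0.0.5", 51001)),
        # inbound RDP: explicitly denied by rule 3
        "rdp_in": fw.decide(Packet("tcp", "198.51.100.9", 40000, "10.0.0.5", 3389)),
        # inbound SSH: no rule mentions it, so the default policy decides
        "ssh_in": fw.decide(Packet("tcp", "198.51.100.9", 40001, "10.0.0.5", 22)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

Running it prints the verdicts. The lesson is in the two port-443 packets arriving from outside: the reply to a connection the LAN opened is admitted by the connection table, while an unsolicited packet that merely uses source port 443 falls through to the default deny. A stateless filter has to allow “source port 443 to the LAN” to get replies through at all, and that is exactly the rule an attacker abuses by picking source port 443.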
Next-Generation Firewall
These firewalls extend the capability of a standard network firewall. Standard network firewalls work by packet filtering: packets that match the rule criteria pass, and everything else is filtered out. A next-generation firewall adds deep packet inspection, reading the payload to identify the application in use rather than trusting the port number to reveal it.
If a traditional firewall is a border guard that checks your background story, inspects your papers, and asks you about your purpose of travel, a next-generation firewall does all of that, then frisks you and searches your luggage. They look at the contents of each network packet and combine that information with the firewall rules to make a more informed and granular decision about permitting or denying the traffic to pass.
For example, you might want to allow staff to go on the Internet during their lunch break, but you don’t want them to download torrents or use video chats. Next-generation firewalls allow you to be very specific about how applications are used. You could permit Skype for voice calls but not for transferring files, for example.
These devices offer a very high level of protection, which is why they are commonly deployed to meet the network-security-control requirements of standards such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), or the ISO/IEC 27001 family of information security management standards. Those standards require controlled, documented network boundaries without prescribing a particular class of device.
The granular level of control you have over the data flow into and out of your network allows you to mitigate a wider range of threats, including errant staff and disgruntled employees. The next-generation firewall is usually capable of other security functions too. These might be available out-of-the-box or as optional extras, sometimes using a subscription model. Intrusion detection, malware scanning, and TLS inspection of some encrypted traffic (decrypting it at the boundary and re-encrypting it on the way out) are typical of these extra offerings, often under an umbrella term such as “gateway protection.”
Inspecting a network packet takes a tiny amount of time. But on a high-traffic network those tiny amounts add up and can reduce throughput, especially once TLS inspection is switched on. Avoiding degradation may require more firewalls with load sharing, or faster, more powerful, and more expensive units rated for high data volumes.
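The difference between a port-based decision and an application-aware one can be shown with a few protocol signatures. The following Python is an added example written for this article, not code from the original page or from any vendor. The signatures are the public handshake formats of each protocol; the sample payloads are constructed and are all sent to port 443 so that a port-only rule would pass them.

```python
"""Application identification from payload bytes, independent of port number.

Added example, not from the original article or any vendor. The protocol
signatures are the public handshake formats; the sample payloads are constructed.
"""

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH", b"CONNECT"}


def identify_app(payload: bytes) -> str:
    """Classify the first bytes a client sends on a new TCP connection."""
    # BitTorrent peer handshake: <pstrlen=19><pstr="BitTorrent protocol">
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    # TLS: record type 0x16 (handshake), version 0x03 0x0X, then handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    # RDP: TPKT header (version 3, reserved 0) then an X.224 Connection Request (code 0xE0)
    if len(payload) >= 6 and payload[0] == 0x03 and payload[1] == 0x00 and payload[5] == 0xE0:
        return "rdp"
    # HTTP/1.x: request line starts with a method token followed by a space
    if payload.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "unknown"


def port_policy(dport: int) -> str:
    """What a traditional filter sees: allow the web ports, deny the rest."""
    return "allow" if dport in (80, 443) else "deny"


# The NGFW policy is written in terms of applications, not ports.
APP_POLICY = {"http": "allow", "tls": "allow", "bittorrent": "deny", "rdp": "deny", "unknown": "deny"}


def ngfw_policy(dport: int, payload: bytes) -> str:
    """Port filter first, then the application the payload reveals."""
    if port_policy(dport) == "deny":
        return "deny"
    return APP_POLICY[identify_app(payload)]


# Constructed sample payloads, each sent to port 443 to get past a port-only rule.
SAMPLES = {
    "tls_on_443": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32,
    "bittorrent_on_443": b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xaa" * 20 + b"-PY0001-" + b"\x00" * 12,
    "rdp_on_443": b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00",
    "http_on_443": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
}


def demo() -> dict:
    """For each sample: (port-only verdict, application-aware verdict, identified app)."""
    return {
        name: (port_policy(443), ngfw_policy(443, payload), identify_app(payload))
        for name, payload in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (port_verdict, app_verdict, app) in demo().items():
        print(f"{name:18s} port-only={port_verdict:5s} ngfw={app_verdict:5s} ({app})")
```

Real NGFW engines use far larger signature sets, behavioural heuristics and TLS metadata such as the SNI hostname, and they classify encrypted traffic by interception or by metadata rather than by the first bytes alone. The point the example demonstrates holds regardless: once the decision is made on payload, moving a service to a different port buys the user nothing.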
Web Application Firewalls
A web application firewall (WAF) is typically a reverse proxy that sits between a web application running on a server and the remote users who access the application via the Internet. The proxy accepts each HTTP request from the user, inspects it against rules aimed at application-layer attacks such as SQL injection, cross-site scripting, and path traversal, and only then forwards it to the application on the user’s behalf. Because clients only ever talk to the proxy, this brokering of connections also shields the application server from port scans and malformed requests: the malformed connections fail at the proxy, not on the application server.
Web application firewalls provide a secure buffer between the web application server, benign users, and malicious threat actors.
Web application firewalls are constructed to be lean and mean, with an emphasis on simplicity and speed. Counter-intuitively, the simplicity makes them less vulnerable to attack and to security vulnerabilities than the web application servers themselves, and they are easier to maintain and to keep patched up to date.
Web applications, by definition, are designed to be accessed from the Internet, and a popular application can receive a tremendous volume of traffic. For some organizations, that is reason enough to separate their corporate firewall needs and to have a firewall dedicated to the network and a web application firewall for the web application traffic. A firewall built for high volumes of web traffic is often cheaper than a general-purpose network firewall rated for the same throughput.
Database Firewalls
These are the database-tier counterpart of web application firewalls, tailored for the needs of an application whose database is reachable through an Internet-facing front end. They sit between the application servers and the database and inspect the SQL statements that pass between them. Their design incorporates features that detect and block database-specific attacks, above all SQL injection, typically by comparing each statement against a learned baseline of the queries the application legitimately issues. Data breaches are bad news all round, incurring reputational damage, lack of confidence in the user base, and possible fines from supervisory authorities. Understandably, it is necessary to take all reasonable steps to protect databases and the data they contain.
Database firewalls usually incorporate a dashboard so that traffic and database accesses can be viewed, reviewed, and reported on. Depending on the nature of the data in the database, this can help with demonstrating compliance to standards and other regulatory requirements.
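How a database firewall tells an injected statement from a legitimate one is easiest to see with a query-fingerprinting model: learn the structure of the application’s normal queries, then block anything whose structure has never been seen. The Python below is an added example written for this article, not code from the original page or from any product; the users and orders tables, the queries and the attacker input are constructed.

```python
"""Database firewall core, simplified: learn the shapes of legitimate queries,
then block statements whose shape was never seen.

Added example, not from the original article or from any product. The schema,
queries and attacker input are constructed.
"""
import re

_STRING = re.compile(r"'(?:[^']|'')*'")        # single-quoted SQL string literal
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")      # integer or decimal literal
_SPACE = re.compile(r"\s+")


def fingerprint(sql: str) -> str:
    """Reduce a statement to its structure: literals become '?', case and spacing are normalised.

    Two queries that differ only in the values they carry share a fingerprint;
    a query whose structure changed (an extra OR, a UNION, a comment) does not.
    """
    s = _STRING.sub("?", sql)
    s = _NUMBER.sub("?", s)
    return _SPACE.sub(" ", s).strip().lower()


class DatabaseFirewall:
    def __init__(self):
        self.allowlist = set()

    def learn(self, sql: str) -> None:
        """Learning mode: record the shape of traffic the application is known to send."""
        self.allowlist.add(fingerprint(sql))

    def check(self, sql: str) -> str:
        """Enforcement mode: pass known shapes, block anything else."""
        return "allow" if fingerprint(sql) in self.allowlist else "block"


def build_lookup(email: str) -> str:
    """The application's query, built by string concatenation so user input lands
    inside the SQL text (constructed and deliberately vulnerable)."""
    return f"SELECT id, name FROM users WHERE email = '{email}'"


def demo() -> dict:
    fw = DatabaseFirewall()
    # Learning window: ordinary traffic carrying different literal values.
    for e in ("alice@example.com", "bob@example.com"):
        fw.learn(build_lookup(e))
    fw.learn("SELECT id, total FROM orders WHERE user_id = 42 AND total > 10.50")

    return {
        # same shape, new value: passes
        "new_value_same_shape": fw.check(build_lookup("carol@example.com")),
        # classic tautology injection changes the WHERE clause's structure: blocked
        "tautology_injection": fw.check(build_lookup("' OR '1'='1")),
        # UNION-based extraction adds a whole clause: blocked
        "union_injection": fw.check(build_lookup("x' UNION SELECT username, password FROM admins --")),
        # different numbers, different case and spacing, same structure: passes
        "orders_new_values": fw.check("select id, total from orders where user_id = 7 and total > 99"),
        "orders_fingerprint": fingerprint("SELECT id, total FROM orders WHERE user_id = 42 AND total > 10.50"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The vulnerable build_lookup function exists only to produce realistic traffic; the right fix for it is a parameterised query, and a database firewall is a compensating control behind that fix, not a replacement for it. Two caveats carry over to real products: the baseline must be captured while the application is known to be clean, and a regex normaliser like this one is easier to evade (comments, alternative quoting, hex literals) than the full SQL parsers commercial database firewalls use.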
Unified Threat Management Appliances
A unified threat management (UTM) appliance combines features from a variety of firewalls and security devices into one device.
A typical selection of features will include:
- A traditional firewall
- An intrusion detection system
- Scanning of packets for malicious payloads, viruses, and malware
- URL filtering (blocklisting), preventing staff from connecting to restricted websites such as known phishing sites
These appliances are more costly than a traditional firewall and will usually incur ongoing costs for subscriptions to receive antivirus updates for the packet scanning functions. However, they are cheaper than using a suite of dedicated top-end solutions to achieve the same breadth of cover. Dedicated devices will be superior, of course, but for some organizations, they are simply too expensive. A unified threat management appliance is a good alternative.
Cloud-Based Firewalls
The easy way to describe these is firewalls-as-a-service. They are cloud-hosted firewalls provided by specialist firewall providers. They are highly available, scalable, able to handle huge surges in traffic, and may offer some protection against denial of service traffic flood attacks. They are maintained and configured by firewall professionals so you do not need that niche talent in-house.
Local changes are minimal, often simply forwarding traffic from your corporate routers to the cloud-based firewall. Remote or mobile users can connect to it via Virtual Private Network (VPN) or by using it as a network proxy.
Cloud-based firewalls are particularly suited to multi-location organizations. Each site can be protected by the same firewall technology without having to route all traffic through a central on-premise firewall or to purchase, configure, and deploy multiple firewalls across the IT estate.
Container Firewalls
Container firewalls are designed to deal with the challenges of containerized workloads. They operate much like a traditional network firewall, but they must handle traffic between containers inside the cluster as well as traffic arriving from, and leaving for, the non-containerized outside world.
Because container runtimes run on a Linux host, it is possible to apply host-level packet filtering (iptables or nftables) to the containers it runs, or to install a software firewall inside each container. With anything more than a handful of containers to administer, the overhead of maintaining a firewall for each of them becomes untenable, which is why container platforms instead enforce network policy centrally, for example through Kubernetes NetworkPolicy objects applied by the cluster’s network plugin.
Network Segmentation Firewalls
A network segmentation firewall is used to protect sub-divisions within the corporate network that have been broken out to serve functional areas, teams, departments, or other segregation requirements. These are often used to internally ring-fence areas that handle sensitive data, such as payment card data. Along with other measures, such as physical access controls, they can form part of the protection required to satisfy a standard such as the PCI-DSS.
They are also deployed at subnet boundaries to act like bulkheads in a submarine. If you are breached in one area, they can help to contain or slow down the spread of the intrusion or infection.
Network segmentation firewalls are most beneficial to large organizations or companies with large and complex network perimeters that are difficult to secure.
Basic Firewall Errors
The efficacy of a firewall can be undermined by silly mistakes. Your shiny – and possibly very expensive – firewall might not be doing what you think it is if you or your staff fall into these traps.
Many companies still use default admin passwords for their firewalls, which poses significant security risks by allowing hackers to:
- Remotely access your firewall and change settings
- Lock you out by changing the password
So, it’s important to change the default password as soon as you set up the firewall, and never expose its management interface to the Internet; restrict it to trusted administrative addresses.
Some firewalls are delivered with a “standard” set of ports opened.
It is essential to:
- Close all unused ports.
- Implement a strict procedure for opening ports only when necessary.
- Ensure the procedure includes:
- Verification that authentication is required for any connections on those ports.
- Proper enforcement of your firewall rules.
Setting firewall rules can become complex.
A common mistake is to create two rules that contradict one another, for example a broad rule allowing all traffic from a subnet placed above a rule denying one host in that subnet. Firewalls do not negotiate between the two: rules are evaluated top to bottom and the first match decides (a few products use last-match, which inverts the problem). The later rule is never reached, so it is shadowed and silently not enforced, leaving you exposed while the rule table suggests you are protected. Rule audits should look for shadowed and redundant rules.
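Shadowed rules can be found mechanically by checking each rule against the rules above it. The Python below is an added example written for this article, not code from the original page or from any product; the rule names and addresses are constructed, and first-match semantics are assumed.

```python
"""Rule-table lint: find rules that an earlier rule shadows.

Added example, not from the original article. The rule set is constructed.
Semantics assumed: rules are evaluated top to bottom, first match wins.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None means any port


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet the later rule could match is already matched by the earlier one."""
    return (
        earlier.proto in ("any", later.proto)
        and ip_network(earlier.src).supernet_of(ip_network(later.src))
        and ip_network(earlier.dst).supernet_of(ip_network(later.dst))
        and (earlier.dport is None or earlier.dport == later.dport)
    )


def lint(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (kind, shadowed_rule, shadowing_rule) findings.

    'conflict'  : the earlier rule covers the later one and takes the opposite
                  action, so the later rule is never enforced.
    'redundant' : same action; harmless but dead weight that hides intent.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings.append((kind, later.name, earlier.name))
                break  # the first covering rule is the one that actually fires
    return findings


# Constructed rule table, in the order an administrator entered it.
RULES = [
    Rule("allow-lan-any", "allow", src="10.0.0.0/24"),                       # broad allow first ...
    Rule("deny-kiosk-rdp", "deny", "tcp", src="10.0.0.50/32", dport=3389),   # ... so this is never reached
    Rule("deny-all-rdp", "deny", "tcp", dport=3389),
    Rule("deny-guest-rdp", "deny", "tcp", src="192.168.100.0/24", dport=3389),  # already covered above
    Rule("allow-dmz-web", "allow", "tcp", dst="203.0.113.10/32", dport=443),
]

if __name__ == "__main__":
    for kind, shadowed, by in lint(RULES):
        print(f"{kind:9s} {shadowed!r} is shadowed by {by!r}")
```

Most firewall management consoles and several open-source tools offer an equivalent analysis; the value of running it is that a conflict finding names a rule the administrator believes is enforced and the firewall never consults.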
Threat actors use port scanners to look for open ports. Each open port is then automatically probed.
To enhance security, you should:
- Only open necessary ports.
- Ensure those ports are secure.
Use port forwarding to:
- Serve a well-known protocol on a non-standard external port (e.g., RDP, whose standard port is 3389). The firewall might accept the service on port 32664 and forward it internally to port 3389 on your RDP server.
- Close the standard port (3389) on your firewall, so that casual scans of the default port do not reveal that you run RDP.
Treat this as noise reduction, not protection: a full port scan followed by service fingerprinting finds RDP on 32664 just as surely, so the service still needs strong authentication, prompt patching, and ideally exposure only through a VPN rather than directly to the Internet.
The Bottom Line
Inevitably, the bottom line is about people. You need budgetary buy-in from the top and people on the front line to configure, deploy, and maintain the firewalls. Maintenance needs governance in the shape of schedules and procedures. You need people to write them, roll them out, and follow them.
Hadrian’s wall would have been useless without orders, discipline, and well-trained legionaries.