A comprehensive technical overview of firewall technology — objectives, types, advantages, disadvantages, and protection mechanisms.
The primary objective of a firewall is to establish a barrier between a trusted internal network and untrusted external networks, such as the internet. It acts as the first line of defense in any network security architecture.
Firewalls are designed to:
→ Prevent unauthorized access — Block attackers, bots, and malicious actors from entering the internal network.
→ Control traffic flow — Enforce policies on which services, ports, and protocols are allowed or denied.
→ Audit and log activity — Record connection attempts for forensic analysis and compliance.
→ Segment networks — Separate internal zones (e.g., DMZ, LAN, VLAN) to contain breaches.
→ Enforce security policies — Translate organizational rules into machine-readable access controls.
Common firewall types:
Packet-filtering firewall: Operates at Layer 3/4. Inspects packet headers (IP, port, protocol) against static rules. Fast but stateless — no context awareness.
Stateful inspection firewall: Tracks the state of active connections. Understands TCP handshakes and allows only packets that belong to a valid, established session.
Proxy firewall (application-level gateway): Operates at Layer 7. Acts as an intermediary (proxy) for specific applications such as HTTP, FTP, and DNS. Performs deep content inspection and hides the internal topology.
Next-generation firewall (NGFW): Combines stateful inspection with deep packet inspection (DPI), IPS/IDS, SSL inspection, application awareness, user identity tracking, and threat intelligence feeds.
Cloud-based firewall (Firewall-as-a-Service): Delivered as a service from the cloud. Scales dynamically and protects distributed infrastructure and remote workers. Examples: Zscaler, Cloudflare Gateway.
Host-based firewall: Runs directly on an endpoint (OS-level). Controls per-application traffic on that machine. Examples: Windows Defender Firewall, iptables/nftables on Linux.
Web application firewall (WAF): Specifically protects web applications. Filters HTTP/HTTPS traffic and blocks SQLi, XSS, CSRF, and other OWASP Top 10 attacks. Examples: ModSecurity, AWS WAF.
Circuit-level gateway: Monitors TCP handshakes at the session layer (Layer 5). Validates sessions without inspecting packet content — lightweight but limited visibility.
Threats a firewall helps protect against:
DoS/DDoS attacks: Rate-limiting and SYN flood protection prevent service disruption.
Port scanning: Detects and blocks reconnaissance activity from external scanners.
SQL injection: WAFs intercept and block malicious SQL payloads targeting web apps.
Unauthorized service access: Blocks access to services on unauthorized ports and protocols.
Malware and command-and-control (C2) traffic: Blocks outbound connections to known malicious IPs and C2 domains.
IP spoofing: Ingress/egress filtering detects packets with forged source IP addresses.
Backdoors: Prevents malware from opening reverse shells or unauthorized listeners.
Data exfiltration: Blocks outbound traffic to unapproved endpoints, limiting data leakage.
Lateral movement: Internal segmentation firewalls limit attacker movement across the network.
Rule-Based Filtering: Firewalls apply a list of access control list (ACL) rules evaluated top-down. Each rule specifies source IP, destination IP, port, protocol, and action (ALLOW / DENY / DROP). The first matching rule wins, so rule order is part of the policy.
Default Deny Policy: A security best practice is to end every rule set with a "deny all" — either an explicit final rule or the firewall's implicit default policy — so that any traffic not explicitly permitted is blocked. This is the principle of least privilege applied to networking.
Stateful Connection Tracking: Modern firewalls maintain a state table of active TCP/UDP sessions. Only packets that are part of an established, legitimate session are allowed through — this blocks many spoofing and injection attacks.
Deep Packet Inspection (DPI): NGFWs look beyond headers into packet payloads. They can identify applications by behavior (not just port), detect malware signatures, and enforce content policies even on non-standard ports.
Network Zones: Firewalls commonly enforce zone-based policies — separating the Internet (Untrusted), DMZ (Semi-trusted, for public-facing servers), and LAN (Trusted). Traffic between zones is strictly controlled.