What Is a Firewall?

A firewall is a cybersecurity solution that organizations use to protect networks and computers from unauthorized access and malicious intruders. Network firewalls protect the entire network, whereas host-based firewalls are installed on individual devices, such as laptops or servers.

Discover how CDW can assist your organization in selecting and deploying the ideal firewall for your environment.

Firewall Definition

A firewall is a security device or software that monitors internet traffic and uses rules to control which traffic can connect to an organization’s devices and networks. Firewalls are like a security booth, where visitors (the “traffic”) are required to check in with a guard who determines whether to allow them through.

What Does a Firewall Do?

A firewall inspects data packets to determine whether they comply with an organization’s rules about what it will allow on its network. Firewalls work on both incoming and outgoing traffic, allowing an organization to control what enters and exits the network. Here’s how the process works:

  • Data packets are small pieces of data that travel across networks when a user browses the internet, sends an email, or uses an application. Packets contain essential information that the firewall uses to determine whether to allow a packet in or block its passage. For instance, a data packet includes information on its origin (the source address), its destination (the destination address), and its payload (the data itself, such as an email message or a portion of a webpage).
  • The firewall analyzes data packets based on a set of rules, such as refusing traffic from IP addresses known to be malicious. Often, these rules pertain to cybersecurity, but organizations can also use rules to enforce internal policies, such as preventing employees from accessing social media sites. Depending on the rules, the firewall either blocks the data packets or lets them enter the network.

Benefits of a Firewall

Firewalls play a critical role in improving an organization’s security posture. Among other benefits, they enhance access management controls, increase network visibility, and facilitate network segmentation.

Improved Security Posture

The primary function of a firewall is to block unauthorized access to a network or device by ensuring that only trusted users and devices are allowed through. To do that, firewalls also monitor for unusual or suspicious activity that could indicate a potential hacking attempt, allowing them to thwart the attack.

Malware prevention is another critical function that firewalls provide. By inspecting data packets for malicious payloads and by blocking websites and servers known to distribute malware, firewalls provide a crucial defense. Even if malware has already entered the environment, a firewall can still play a valuable defensive role. For example, the firewall could prevent the malware from exfiltrating sensitive information or executing commands from a hacker.

Access Management

Proper access management is crucial to cybersecurity, as it enables organizations to control which users, devices, and services are permitted to access their networks. Access control policies govern who can access what data and applications and under what circumstances. Firewalls automate the enforcement of these policies, reducing the risk of a breach by ensuring that only certain types of traffic are allowed through. For example, organizations may require remote users to access the network only when they are connected to a virtual private network (VPN), which provides a secure, encrypted connection.

Network Visibility

The ability to see what is happening across a network is vital for cybersecurity. Organizations that lack this visibility have less control over their environments and are more vulnerable to data breaches. Firewalls increase visibility by capturing details about the traffic they monitor and generating reports that IT administrators can use to identify trends, patterns, and potential threats. For example, a firewall could reveal that an external computer is sending unusual traffic to the organization’s network, a finding that administrators can use to tighten security or investigate further.

Network Segmentation

Network segmentation means dividing a network into sections, with firewalls enforcing the boundaries between them. Segmentation increases security by limiting the data that can flow freely across the network. For example, employees may access one part of the network while guests are restricted to a separate, more tightly controlled area that does not contain any sensitive information. Additionally, if malware enters one part of the network, firewalls enforcing network segmentation can prevent it from spreading to other areas.

Types of Network Firewalls

Firewalls have varied capabilities that make one better suited for a particular environment than another. For instance, organizations with workloads in a public cloud would benefit from cloud-native firewalls designed to deliver optimal results in these environments. While all firewalls perform certain basic functions, more advanced firewalls have a much broader range of capabilities.

Packet-Filtering Firewalls

Packet-filtering firewalls are the most elementary type of firewall. They filter traffic at the network layer, allowing or blocking each data packet based on basic information about it. They don’t perform deep-packet inspection (that is, analysis of the content inside the packet) or other sophisticated functions.

Stateful Inspection Firewalls

Stateful inspection firewalls track active connections and make decisions about traffic based on its context. For example, a firewall could recognize that a data packet belongs to an ongoing exchange that the firewall has determined to be safe. Stateful firewalls are more robust than stateless firewalls, although stateless firewalls may perform faster because they conduct more superficial inspections. Stateful firewalls help detect unauthorized access attempts and forged messages, in part due to their powerful memory, which enables them to retain key contextual data about network connections.
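
The difference between packet filtering and stateful inspection, as an added example (not CDW's code or any product's logic): a filter that judges each packet from its headers alone, next to one that records outbound connections. The addresses, the rule set and the names Packet, header_rules, stateless_allow and StatefulFirewall are assumptions made up for this sketch; connection timeouts and TCP teardown are left out.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.0.0/24")       # constructed internal range
BLOCKED = ipaddress.ip_network("203.0.113.0/24")   # constructed "known malicious" range
WEB_SERVER = "10.0.0.10"                           # constructed public web server

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""        # TCP flags: "S" = SYN, "A" = ACK

def header_rules(p):
    """Rules both firewalls share. Returns True/False, or None if undecided."""
    if ipaddress.ip_address(p.src) in BLOCKED:
        return False                               # IP filtering
    if ipaddress.ip_address(p.src) in INSIDE:
        return True                                # outbound traffic
    if p.dst == WEB_SERVER and p.dport == 443:
        return True                                # inbound HTTPS to the web server
    return None

def stateless_allow(p):
    """Packet filter: each packet is judged alone, from header fields."""
    verdict = header_rules(p)
    if verdict is not None:
        return verdict
    # Replies must get back in, so anything from port 443 with ACK set passes.
    return p.sport == 443 and "A" in p.flags

class StatefulFirewall:
    """Remembers outbound connections; other inbound packets must match one."""
    def __init__(self):
        self.table = set()
    def allow(self, p):
        verdict = header_rules(p)
        if verdict and ipaddress.ip_address(p.src) in INSIDE:
            self.table.add((p.src, p.sport, p.dst, p.dport))
        if verdict is not None:
            return verdict
        return (p.dst, p.dport, p.src, p.sport) in self.table

# Constructed sample packets
OUTBOUND = Packet("10.0.0.5", 50000, "198.51.100.7", 443, "S")
REPLY = Packet("198.51.100.7", 443, "10.0.0.5", 50000, "SA")
FORGED = Packet("192.0.2.99", 443, "10.0.0.8", 40000, "A")   # no matching request
```

FORGED passes the stateless filter because its headers resemble a reply, while the stateful firewall drops it because no inside host opened that connection.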

Proxy Firewalls (Application-Level Gateways)

Proxy firewalls operate at the application layer, filtering incoming and outgoing requests for specific applications. They act as a protective buffer, handling requests and passing along data only after determining it is safe to do so. For example, a proxy firewall that encounters suspicious commands, malicious content, or flagged websites will block them, preventing them from connecting to the user’s network.

Web Application Firewalls (WAFs)

WAFs are designed to protect web applications, such as retail platforms and login forms. Hackers target these applications to steal sensitive information (such as credit card data, usernames, and passwords) and gain control of a site. Once inside, they can download malware or install a back door for unauthorized access later.

Next-Generation Firewalls (NGFWs)

NGFWs are advanced firewalls that integrate deep packet inspection, intrusion prevention systems, and other advanced features for enhanced security. Designed to detect and thwart sophisticated cyberattacks, NGFWs perform complex operations, such as integrating up-to-date threat intelligence and recognizing individual user identities to enforce access management policies. In addition, organizations can use NGFWs in cloud and virtualized environments, bringing the same deep protection to remote users and workloads in the cloud.

Virtual and Cloud-Native Firewalls

These firewalls offer flexibility and scalability for virtual, cloud, and hybrid environments. Unlike a traditional hardware firewall, virtual and cloud-native firewalls run as software. Virtual firewalls are often housed in virtual machines within data centers or cloud environments. In contrast, cloud-native firewalls are designed specifically for public cloud environments, such as Google Cloud, Microsoft Azure, and Amazon Web Services. As such, cloud-native firewalls offer seamless integration with cloud tools and dashboards, making them more efficient for cloud-focused organizations.

Artificial Intelligence and Machine Learning Firewalls

Increasingly, firewalls are leveraging artificial intelligence and machine learning to understand what constitutes “typical” traffic for an organization, allowing them to identify unusual traffic better. For example, AI can provide earlier detection of traffic spikes and unusual patterns. In addition, machine learning lets AI-enabled firewalls adapt to emerging threats automatically (unlike traditional firewalls, which require administrators to update rules as they become aware of new threats).

Common Techniques and Features

Organizations commonly prioritize the following features in network firewalls. Some features, such as IP and domain filtering, are typically included in basic firewalls, while others, such as application awareness and intrusion detection, are more likely to be found in NGFWs:

  • IP and domain filtering – Firewalls allow or block traffic based on associated IP addresses and domain names. This stops incoming traffic from sources known to be malicious and prevents employees from accessing unauthorized websites.
  • Port blocking – One way cybercriminals sneak onto a network is by targeting ports, or pathways, that are less secure than other ports. Port blocking prevents this by analyzing the destination port in the data packet and applying rules that govern which types of traffic can connect to which ports.
  • VPN support – Remote employees commonly use VPNs to establish secure connections to their organizations. Firewalls with VPN support protect that connection and may have built-in VPN servers to eliminate the need for a separate VPN solution.
  • Application awareness – Application awareness enables a firewall to recognize specific applications and distinguish them from general network traffic. That lets organizations establish more granular rules about how they want the firewall to behave.
  • Intrusion detection and prevention – Some advanced firewalls analyze traffic behavior to identify suspicious activity (intrusion detection) and thwart malicious activity (intrusion prevention).

Firewall vs. Anti-Virus

Firewalls and anti-virus software are different but complementary cybersecurity solutions that help organizations protect their data. Together, they demonstrate how cybersecurity professionals use a “layered” approach. Firewalls are a first line of defense: the security guard that determines which traffic can enter the network. Anti-virus software is designed to detect and remove malicious traffic that has already infiltrated the system, as well as suspicious activity that could indicate a virus might be present.

Common Firewall Challenges

While firewalls do much of their work autonomously, they require monitoring and management from IT administrators to address common challenges:

  • Performance overhead – Firewalls examine every bit of data that enters or leaves the network, and the process is even more intensive for deep-packet inspections. If a firewall has insufficient capacity or improper configurations, this examination can slow down the network and degrade performance.
  • False positives – A false positive happens when a firewall blocks legitimate traffic by mistake, often because its security rules are too strict. When that happens, customers may be unable to reach a business’s website, or employees may be unable to access an application they need for their work.
  • Ongoing updates – Cybercriminals constantly refine their tactics and develop new threats. In response, IT administrators must continually update firewall rules to ensure they always provide proper protection.

Firewall Best Practices

IT administrators should follow best practices to ensure that firewalls function as intended and maintain effective performance over time, as threats and IT environments evolve.

Configuring and Managing Firewall Rules

Configuring the rules that govern firewall behavior is a balancing act. Rules must be comprehensive enough to block malicious traffic while not being so restrictive that they impede legitimate traffic. Additionally, administrators must regularly update these rules to address emerging threats. Cybersecurity professionals often look to industry best practices, such as those outlined in the National Institute of Standards and Technology’s “Guidelines on Firewalls and Firewall Policy,” for guidance on optimal firewall configuration and management.

Maintaining Updates and Patches

Keeping firewall software up to date is crucial. Vendors frequently release patches to update their software as they become aware of new vulnerabilities; patching ensures that firewalls can defend against these new threats. Timely patching is crucial because outdated software invites cybercriminals seeking vulnerabilities to exploit.

Monitoring and Auditing Firewall Activity

Firewalls generate logs of traffic, alerts, and other telemetry. Administrators should review these logs regularly to identify and respond to suspicious activity promptly. While logs provide real-time information, periodic audits allow for more in-depth analysis. For example, an audit typically includes a review of firewall rules and configurations to ensure they still align with the organization’s current needs and IT environment.
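
A log review of this kind, as an added example (not part of the original article): it counts denied connections per source and flags any source that was denied on several distinct destination and port pairs. The key=value log layout, the sample lines, the threshold and the function names are constructed for illustration and do not reflect any vendor's log format.

```python
import re
from collections import defaultdict

# Constructed log lines in a made-up key=value layout (not any vendor's format).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z action=deny src=198.51.100.23 dst=10.0.0.10 dport=22
2024-05-01T10:00:02Z action=deny src=198.51.100.23 dst=10.0.0.10 dport=23
2024-05-01T10:00:02Z action=allow src=192.0.2.14 dst=10.0.0.10 dport=443
2024-05-01T10:00:03Z action=deny src=198.51.100.23 dst=10.0.0.10 dport=3389
2024-05-01T10:00:04Z action=deny src=198.51.100.23 dst=10.0.0.11 dport=445
2024-05-01T10:00:09Z action=deny src=192.0.2.77 dst=10.0.0.10 dport=25
2024-05-01T10:00:15Z action=deny src=192.0.2.77 dst=10.0.0.10 dport=25
this line is truncated action=deny src=
""".splitlines()

FIELD = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"action", "src", "dst", "dport"}

def parse(line):
    """Return the record's fields, or None if the line is incomplete."""
    rec = dict(FIELD.findall(line))
    if not REQUIRED.issubset(rec) or not rec["dport"].isdigit():
        return None
    return rec

def review(lines, min_targets=3):
    """Count denies per source; flag sources denied on many (dst, port) pairs."""
    denies = defaultdict(int)
    targets = defaultdict(set)
    skipped = 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            skipped += 1            # keep a count so gaps in the log are visible
            continue
        if rec["action"] == "deny":
            denies[rec["src"]] += 1
            targets[rec["src"]].add((rec["dst"], int(rec["dport"])))
    flagged = sorted(s for s, t in targets.items() if len(t) >= min_targets)
    return {"denies": dict(denies), "flagged": flagged, "skipped": skipped}
```

In the sample, one source is flagged for being denied on four different targets, while the source denied twice on the same port is only counted, which is the kind of entry worth checking as a possible false positive.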

How CDW Can Help You Choose the Right Firewall Deployment

To select the best firewall for a particular environment, organizations should start with a clear understanding of their cybersecurity needs and challenges so they can prioritize desired features and functionalities. They also need to determine how firewalls complement existing security solutions (such as security information and event management solutions and endpoint protection platforms) and how well they integrate with those solutions. Other key considerations include performance, scalability, ease of management, and, if needed, remote work and cloud capabilities. Expert partners can provide valuable guidance to help organizations select a firewall that aligns with their business objectives and integrates seamlessly with existing security solutions.

FAQs

Firewalls play a crucial role in cybersecurity, but they don’t operate in isolation. Because modern cybersecurity is so complex, most organizations employ multiple security solutions that work together to create a multilayered defense. Understanding what firewalls can and can’t do is an integral part of developing a successful cybersecurity strategy.

Is a Firewall Necessary if I Have an Anti-Virus?

Yes, both firewalls and anti-virus software are necessary because they perform different functions. A firewall prevents malicious traffic from entering, whereas anti-virus software detects malware that has already infiltrated the system.

Can Firewalls Block Ransomware?

The simple answer is that it depends. Firewalls can block ransomware, but not always. For example, firewalls that conduct deep packet inspections may be more likely to detect ransomware. Firewalls can also block ransomware by detecting IP addresses and other details that are known to be associated with hackers.

However, cybercriminals may conceal ransomware inside encrypted data, making it more challenging to detect. In addition, ransomware often enters a network through phishing emails after an employee inadvertently downloads a malicious file. When that happens, the threat is already inside the network, and the firewall can no longer defend against it. For these reasons, organizations need additional cybersecurity solutions (and employee training) to protect against ransomware effectively.