What is a firewall? – How it works and what it does

Last updated on November 5th, 2018

A firewall is a network security device that monitors incoming and outgoing network traffic and usually sits physically between your internet connection and your internal network. Firewalls are a fundamental piece of security and typically form the first line of defence on a network, acting as a filter against bad connections from the outside world.

What are firewalls and how do they work?

Simply put, a firewall works by comparing data being sent through the network against a list of rules. The connection the data comes from is then blocked or allowed by the firewall based on the results of that rule checking.

How does a firewall work?

Firewalls work by inspecting packets (units of data) that are travelling through the network, determining whether their contents are malicious and then blocking or allowing each packet based on that determination. On a typical network setup, all connections to the Internet flow through the firewall, which means that all inbound and outbound packets will be inspected.

The process of inspection involves a packet’s contents being compared against a library of known malicious patterns. If a match is found between a packet and a malicious pattern, it’s highly likely that the packet is part of a larger malicious connection, and so it is blocked.

However, firewalls are also highly configurable as they can be made to follow additional user-created rules. These are also checked in the packet inspection process and can result in highly bespoke security. For instance, a firewall can be configured to block connections from a specific IP address, block connections that contain specific words and phrases or block connections to and from specific ports.

This means that connections that come from a known malicious file server can be blocked by adding the machine’s IP address (unique identifier on the network) to the list of forbidden IPs. Similarly, a rule can be made that blocks all connections to an internal server that do not come from a machine on the company network, preventing outsiders from accessing the data stored on that machine.
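The user-created rules described above can be modelled as an ordered list that each packet is checked against. The following is an added example, not code from any firewall product; the addresses, the ports, the blocked phrase, the first-match ordering and the block-by-default policy are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""

@dataclass
class Rule:
    action: str                       # "allow" or "block"
    src: str = "0.0.0.0/0"            # source network the rule covers
    dst: str = "0.0.0.0/0"            # destination network the rule covers
    dport: Optional[int] = None       # None matches any port
    contains: Optional[bytes] = None  # None skips the payload check

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.dport in (None, p.dport)
                and (self.contains is None or self.contains in p.payload))

# Constructed rule set; all addresses are private or documentation ranges.
RULES = [
    Rule("block", src="203.0.113.66/32"),                 # forbidden IP
    Rule("allow", src="10.0.0.0/8", dst="10.0.5.20/32"),  # internal server: company network only
    Rule("block", dst="10.0.5.20/32"),                    # everyone else is refused
    Rule("block", dport=23),                              # blocked port
    Rule("block", contains=b"confidential"),              # blocked phrase
    Rule("allow", dport=443),                             # ordinary HTTPS
]

def decide(p: Packet, rules=RULES, default: str = "block") -> str:
    """Return the action of the first rule that matches, else the default."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.66", "10.0.1.5", 443),
                Packet("10.0.1.7", "10.0.5.20", 445),
                Packet("198.51.100.9", "10.0.5.20", 445),
                Packet("10.0.1.7", "198.51.100.9", 443, b"confidential plan")):
        print(pkt.src, "->", pkt.dst, pkt.dport, decide(pkt))
```

Because the first match wins, rule order is part of the policy: placing the general block for the internal server ahead of the company-network allow would lock out internal users as well.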

Why are firewalls important?

Firewalls are often compared to a lock on the door to your network. But it might be more accurate to say that a firewall is the door because without one, any connection can flow in or out of your network freely. This includes connections from known malicious sources and could result in unauthorised access to networked files, leading to a data breach, malware infection or worse.

Firewalls filter out the bulk of malicious connections and without one, you are significantly more vulnerable to nearly every possible type of cyber-attack. There’s a reason that a firewall has been standard on every version of Windows since XP and it’s because they’re integral to security.

Are firewalls hardware or software?

Firewalls can be either a hardware appliance or a piece of software which runs on a machine. So, the answer is both.

The main difference is that a software firewall tends to protect the individual machine it is installed upon, typically a laptop or PC, whereas a hardware firewall usually protects many machines or an entire network.

What types of firewall are there?


Circuit level

Circuit level firewalls are a type of firewall that monitors transmission control protocol (TCP) handshaking to ensure that the connection being set up is legitimate and not malicious.

Stateful inspection

A firewall with stateful inspection means that the state of current connections is considered when filtering packets. This means that a packet can be blocked in one case but allowed in another where the state of the connection allows it.
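The sketch below shows how connection state changes the verdict for an otherwise identical packet, and it also tracks the TCP handshake mentioned for circuit level firewalls. It is an added example, not code from any firewall product; the `10.` inside prefix, the addresses and the simplified state names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str              # "SYN", "SYN-ACK", "ACK", "FIN" or "RST"

INSIDE_PREFIX = "10."       # constructed: hosts behind the firewall

class StatefulFilter:
    """Allow outbound connections plus only the inbound traffic that belongs to them."""

    def __init__(self):
        # (inside ip, inside port, outside ip, outside port) -> connection state
        self.table = {}

    def decide(self, s: Segment) -> str:
        outbound = s.src.startswith(INSIDE_PREFIX)
        key = ((s.src, s.sport, s.dst, s.dport) if outbound
               else (s.dst, s.dport, s.src, s.sport))
        if s.flags == "SYN":
            if not outbound:
                return "block"                # this example publishes no inbound services
            self.table[key] = "SYN_SENT"      # inside host opens a connection
            return "allow"
        state = self.table.get(key)
        if state is None:
            return "block"                    # belongs to no tracked connection
        if not outbound and state == "SYN_SENT":
            if s.flags != "SYN-ACK":
                return "block"                # the handshake reply must come first
            self.table[key] = "ESTABLISHED"
            return "allow"
        if s.flags in ("FIN", "RST"):
            del self.table[key]               # simplified teardown: forget at once
        return "allow"
```

A production connection tracker also expires idle entries and follows the full close sequence; this sketch forgets a connection on the first FIN or RST.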

Unified threat management (UTM)

UTM is technically not a type of firewall, being instead an advanced security appliance which combines the security functions of many different security appliances, but one of its features is a firewall. We have an article explaining everything you need to know about UTM if you wish to learn more.

What is a next-generation firewall (NGFW)?

An NGFW contains all the normal defences that a traditional firewall has as well as a type of intrusion prevention software and application control, alongside other bonus security features. NGFWs are also capable of deep packet inspection which enables more robust filters.

Intrusion prevention software monitors network activity to detect and stop vulnerability exploits from occurring. This is usually done by monitoring for breaches against the network policies in place as a breach is usually indicative of malicious activity.

Application control software simply sets up a hard filter for programs that are trying to send or receive data over the Internet. This can either be done by blacklist (programs in the filter are blocked) or by whitelist (programs not in the filter are blocked).

What is deep packet inspection (DPI)?

DPI is a type of packet inspection that analyses the contents of a data packet rather than just where it is coming from and going to (the headers). This enables DPI to filter out malicious packets, such as viruses and trojans, more accurately, as both the contents and headers can be compared against the security rules within the firewall rather than just the headers.

This allows a broader range of security threats to be uncovered because packets with a malicious payload but innocuous headers will be discovered and blocked.

Where does the name firewall come from?

A final piece of trivia: the name firewall originated from the real-world application of fire partitions used in buildings. These are walls built into a building to act as a barrier that stops fire spreading from one room to another.

The similarity between a fire spreading through a building and a computer virus spreading through a network prompted the same name to be adopted for the network device as it was an easy way to explain what its function is.


