A firewall is a network security device or software application that monitors incoming and outgoing traffic and decides whether to allow or block specific packets based on a defined set of security rules. It sits between a trusted internal network and untrusted external networks (most commonly the public internet) and acts as the first layer of perimeter defence.
How a firewall works
Firewalls inspect data packets against a rule set as they enter or leave a network. Each rule typically references a source address, destination address, port number, and protocol (TCP, UDP, ICMP). When a packet matches an ‘allow’ rule, it passes through; when it matches a ‘deny’ rule, or fails to match any rule in a default-deny configuration, the packet is dropped. Modern firewalls maintain a state table of active connections so that return traffic for an established session is recognised and permitted without re-evaluating every rule.
Types of firewalls
Packet-filtering firewalls are the simplest type. They examine each packet’s header in isolation and apply allow or deny rules. They are fast but offer no awareness of connection state, making them weaker against attacks that span multiple packets.
Stateful inspection firewalls track the state of active connections and use that context when applying rules. A packet that would be allowed only as part of an established outbound session can be rejected if it arrives unsolicited from outside.
Next-generation firewalls (NGFW) combine stateful inspection with deep-packet inspection, application awareness, intrusion-prevention features, and often TLS decryption. They can identify and control traffic at the application layer, for example allowing general web browsing while blocking a specific cloud-storage service.
Web application firewalls (WAF) operate at the application layer (Layer 7) and protect web applications from threats such as SQL injection, cross-site scripting, and credential stuffing. A WAF inspects HTTP/HTTPS traffic and applies rules tailored to common web vulnerabilities.
Host-based firewalls run on individual endpoints rather than at the network boundary. They control traffic to and from a single device and are commonly used alongside network firewalls to provide defence in depth.
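The following is an added example, not part of the original article: a toy packet filter in Python that implements the evaluation order described above (state table first, then first-match rule evaluation, then a default-deny policy). The rule set, the addresses and the packets are all constructed for illustration; the trusted side is assumed to be 10.0.0.0/8 with a web server on 10.0.0.5, and the external addresses come from the RFC 5737 documentation ranges. Running the same packets with `stateful=False` shows the difference between a packet-filtering and a stateful inspection firewall: the reply to an outbound HTTPS session is admitted only when the firewall remembers the session.

```python
"""Toy stateful packet filter: first-match rules, default deny, and a state
table that admits return traffic for sessions opened from the trusted side."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the untrusted side, "out" = leaving the trusted side
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "in" or "out"
    proto: str             # protocol name or "any"
    src: str               # CIDR / host address or "any"
    dst: str
    dport: Optional[int]   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


class Firewall:
    def __init__(self, rules: List[Rule], stateful: bool = True, default: str = "deny"):
        self.rules = list(rules)
        self.stateful = stateful
        self.default = default
        self.state: Set[tuple] = set()   # 5-tuples of flows admitted by an allow rule

    @staticmethod
    def _flow(p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_flow(p: Packet) -> tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> Tuple[str, str]:
        # 1. Return traffic for a known flow is admitted without consulting the rules.
        if self.stateful and self._reverse_flow(p) in self.state:
            return ("allow", "established")
        # 2. The first matching rule decides; an allow on a new flow records it in the state table.
        for i, r in enumerate(self.rules):
            if r.matches(p):
                if r.action == "allow" and self.stateful:
                    self.state.add(self._flow(p))
                return (r.action, f"rule {i}")
        # 3. Nothing matched: the default policy (deny) applies.
        return (self.default, "default")


# Constructed rule set (assumption): trusted side is 10.0.0.0/8, web server on 10.0.0.5.
RULES = [
    Rule("allow", "out", "tcp", "10.0.0.0/8", "any", 443),   # internal clients may browse HTTPS
    Rule("allow", "in", "tcp", "any", "10.0.0.5", 443),      # anyone may reach the web server
    Rule("deny", "in", "tcp", "any", "10.0.0.0/8", 22),      # explicit deny for SSH from outside
]

# Constructed packets using RFC 5737 documentation addresses.
PACKETS = [
    Packet("out", "tcp", "10.0.0.7", 51000, "203.0.113.10", 443),  # client opens an HTTPS session
    Packet("in", "tcp", "203.0.113.10", 443, "10.0.0.7", 51000),   # server's reply to that session
    Packet("in", "tcp", "198.51.100.9", 443, "10.0.0.7", 51000),   # unsolicited packet shaped like a reply
    Packet("in", "tcp", "198.51.100.9", 40000, "10.0.0.5", 443),   # visitor to the web server
    Packet("in", "tcp", "198.51.100.9", 40001, "10.0.0.5", 22),    # SSH from outside, explicit deny
    Packet("in", "udp", "198.51.100.9", 5000, "10.0.0.5", 53),     # no rule matches, default deny
]


def run_scenario(stateful: bool = True) -> List[Tuple[str, str]]:
    """Feed PACKETS through a firewall built from RULES and return each decision."""
    fw = Firewall(RULES, stateful=stateful)
    return [fw.process(p) for p in PACKETS]


if __name__ == "__main__":
    for mode in (True, False):
        label = "stateful " if mode else "stateless"
        for p, decision in zip(PACKETS, run_scenario(stateful=mode)):
            print(f"{label} {p.direction:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {decision}")
```

In stateful mode the second packet is admitted as "established" even though no inbound rule allows port 51000, while the third packet, which has the same destination but was never solicited, falls through to the default deny. In stateless mode the genuine reply is also dropped, which is why administrators of packet-filtering firewalls historically had to open wide ranges of inbound high ports.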
Firewalls in penetration testing
During an external penetration test, firewall configuration is often the first thing assessed. Testers look for unnecessary open ports, overly permissive rules, weak management-interface protection, and outdated firmware. Common findings include legacy “any-any” rules left over from troubleshooting, exposed administrative services such as SSH or RDP, and missing egress filtering that would otherwise contain a compromised internal host. A well-tuned rule set with default-deny, explicit allow lists, and regular review is one of the strongest cost-effective controls available.
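As an added example (not from the original article), the script below audits a simplified firewall rule listing for the findings named above: leftover "any-any" allow rules, administrative services such as SSH or RDP exposed to any source, and outbound rules that leave egress unfiltered. It also reports rules shadowed by an earlier, broader rule, which is a common by-product of the same troubleshooting habits. The listing format (`action direction proto src dst dport`, one rule per line) and the sample rule set are constructed for this example; real firewall exports would need their own parser.

```python
"""Lint a simplified firewall rule listing for the findings commonly raised in
an external assessment: any-any rules, exposed admin services, unrestricted
egress, and rules shadowed by earlier, broader ones."""
from ipaddress import ip_network
from typing import Dict, List

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}   # services that should not face the world


def parse_ruleset(text: str) -> List[Dict]:
    """Parse lines of 'action direction proto src dst dport'; '#' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, direction, proto, src, dst, dport = line.split()
        rules.append({"line": lineno, "action": action, "direction": direction,
                      "proto": proto, "src": src, "dst": dst,
                      "dport": None if dport == "any" else int(dport)})
    return rules


def _field_covers(wide, narrow, is_addr: bool = False) -> bool:
    """True when every value matched by `narrow` is also matched by `wide`."""
    if wide == "any" or wide is None:
        return True
    if narrow == "any" or narrow is None:
        return False
    if is_addr:
        return ip_network(narrow, strict=False).subnet_of(ip_network(wide, strict=False))
    return wide == narrow


def covers(earlier: Dict, later: Dict) -> bool:
    """True when every packet the later rule would match is already matched by the earlier one."""
    return (earlier["direction"] == later["direction"]
            and _field_covers(earlier["proto"], later["proto"])
            and _field_covers(earlier["src"], later["src"], is_addr=True)
            and _field_covers(earlier["dst"], later["dst"], is_addr=True)
            and _field_covers(earlier["dport"], later["dport"]))


def audit(rules: List[Dict]) -> List[str]:
    findings = []
    for i, r in enumerate(rules):
        wide_open = all(r[f] == "any" for f in ("proto", "src", "dst")) and r["dport"] is None
        if r["action"] == "allow" and wide_open:
            findings.append(f"line {r['line']}: {r['direction']}bound any-any allow rule")
        if (r["action"] == "allow" and r["direction"] == "in"
                and r["src"] == "any" and r["dport"] in ADMIN_PORTS):
            findings.append(f"line {r['line']}: {ADMIN_PORTS[r['dport']]} exposed to any source")
        for earlier in rules[:i]:            # first-match semantics: an earlier cover hides this rule
            if covers(earlier, r):
                findings.append(f"line {r['line']}: shadowed by line {earlier['line']}, never evaluated")
                break
    for r in rules:                          # egress: outbound allow to any destination, any port
        if (r["action"] == "allow" and r["direction"] == "out" and r["proto"] == "any"
                and r["dst"] == "any" and r["dport"] is None):
            findings.append(f"line {r['line']}: outbound allow to any destination and port (no egress filtering)")
    return findings


# Constructed sample listing with the problems an assessor typically reports.
RULESET = """\
# action direction proto src dst dport
allow in  tcp any             10.0.0.5   443   # public web server
allow in  tcp any             10.0.0.0/8 22    # SSH reachable from anywhere
allow in  any any             any        any   # "any-any" left over from troubleshooting
deny  in  tcp 198.51.100.0/24 any        any   # intended block, but the any-any above wins
allow out any 10.0.0.0/8      any        any   # all egress permitted
"""


def run_audit(text: str = RULESET) -> List[str]:
    return audit(parse_ruleset(text))


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

The shadowing check encodes first-match semantics: a rule is unreachable when an earlier rule in the same direction matches at least every packet it would match, which is why the deny on line 5 of the sample never fires once the any-any rule on line 4 is in place.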
Related terms
See also: intrusion detection system (IDS), intrusion prevention system (IPS), port scanning, and ARP scan.