Firewalls play a central role in network security. They monitor and control incoming and outgoing traffic based on security rules, blocking unauthorized access and preventing the spread of malicious software while ensuring legitimate traffic flows smoothly.

Let’s explore firewalls in more detail.

What is a firewall?

A firewall is security software that uses established security rules to monitor and control network traffic. It creates a protective barrier between trusted internal networks and untrusted external ones to prevent malicious activities while allowing legitimate communications.

What does a firewall do?

All firewalls provide three basic functions. 

Blocking unauthorized access

Network administrators set security criteria that firewalls use to block unauthorized access to a network. By evaluating incoming traffic and determining whether it meets said security criteria, firewalls help prevent hackers and unauthorized users from gaining access to private network resources.

Allowing legitimate traffic

Firewalls are used not only to block traffic but also to ensure that legitimate traffic is allowed to pass through. They permit traffic that matches the security rules while blocking traffic that does not, ensuring smooth and secure communication between authorized users and services.

Preventing malicious software from spreading

Firewalls help prevent the spread of malicious software — such as viruses, worms, and malware — by blocking suspicious and malicious traffic. This containment is crucial in stopping the spread of infections within a network and protecting individual devices from being compromised.

Types of firewalls

Firewalls come in many varieties covering all levels of desired security and network sizes. The main differences between the various types of firewalls are their structure and purpose. Each type has an ideal use case and offers specific benefits, but it also comes with a set of warnings or points of caution you should be aware of.


Packet-filtering firewall

Packet-filtering firewalls filter network traffic by inspecting packets against predefined rules based on IP addresses, ports, and protocols. They offer basic network security for small networks or as the first line of defense in larger networks.

Benefits

  • Are simple and cost-effective.
  • Provide basic protection by blocking unwanted traffic.
  • Have low latency due to straightforward packet inspection.

Be aware of

  • Offer limited protection: Only examine packet headers, not the payload, making them vulnerable to more sophisticated attacks like IP spoofing and fragmented packet attacks.
  • Come with significant rule complexity: Managing rules can become complex and difficult to maintain, especially in large networks.
  • Suffer from a lack of context: Cannot make decisions based on the state of connections, leading to potential security gaps.

Proxy firewall

Also known as application-level gateways, proxy firewalls act as an intermediary between users and the services they access, filtering traffic at the application layer. They protect web applications and services with detailed traffic inspection and logging, and they are ideal for medium to large-sized networks.

Benefits

  • Provide in-depth inspection and logging of traffic.
  • Hide internal network structure from external sources.
  • Can filter based on the content of traffic, for example, web filtering.

Be aware of

  • Cause performance overhead: Can introduce latency and degrade performance due to deep inspection and content filtering.
  • Have issues with scalability: May struggle with high traffic volumes, making them less suitable for large-scale deployments.
  • Often have compatibility issues: Not all applications and protocols are supported, which can lead to accessibility issues.

Stateful inspection firewall

Stateful inspection firewalls track the state of active connections and make decisions based on the context of the traffic. They are ideal for small to large-sized networks that require dynamic and context-aware traffic filtering.

Benefits

  • Provide better security than packet-filtering firewalls by understanding the state of connections.
  • Offer more flexibility in allowing legitimate traffic while blocking malicious traffic.
  • Effectively prevent certain types of attacks that stateless firewalls cannot, like IP spoofing.

Be aware of

  • Can be resource intensive: Require significant processing power and memory to track the state of connections, potentially impacting performance.
  • Have complex configuration: Setting up and maintaining stateful rules can be complex and error-prone.
  • Are vulnerable to certain attacks: Susceptible to state table exhaustion attacks, for example, SYN flood attacks.

Unified Threat Management firewall

Unified Threat Management (UTM) firewalls integrate multiple security features, including antivirus, anti-spam, content filtering, and intrusion detection/prevention. UTM firewalls are ideal for small to medium-sized businesses needing a comprehensive, all-in-one security solution.

Benefits

  • Consolidate multiple security functions into a single device.
  • Simplify security management and reduce costs.
  • Provide broad protection against various threats.

Be aware of

  • Create a single point of failure: Integrating multiple security functions into one device can create a single point of failure if the UTM device goes down.
  • Necessitate performance trade-offs: Adding multiple security features can impact performance, especially in high-traffic environments.
  • Add complexity: Can be complex to configure and manage due to the integration of various features.

Next-Generation Firewall

Next-Generation Firewalls (NGFWs) combine traditional firewall capabilities with advanced features like deep packet inspection, intrusion prevention, and application awareness.

NGFWs are ideal for enterprises requiring advanced threat detection and protection.

Benefits

  • Provide comprehensive security with advanced threat detection.
  • Identify and control applications regardless of port or protocol.
  • Offer granular visibility into network traffic.

Be aware of 

  • Increase costs: Generally more expensive than traditional firewalls due to advanced features.
  • Add complexity: Advanced functionalities require specialized knowledge to configure and manage effectively.
  • Have an impact on performance: Deep packet inspection and other advanced features can impact network performance.

Threat-focused NGFW

Threat-focused NGFWs enhance NGFW features with real-time threat intelligence and advanced threat analysis. They provide proactive threat mitigation, meeting the needs of high-security environments and large networks.

Benefits

Be aware of

  • Have high cost: Even more costly than standard NGFWs due to the added threat intelligence features.
  • Demand increased resources: Real-time threat analysis can require substantial processing power and bandwidth.
  • Add setup complexity: Require extensive configuration and ongoing management to utilize threat intelligence effectively.

Network Address Translation firewall

Network Address Translation (NAT) firewalls hide internal IP addresses by translating them to a public IP address, providing an additional layer of security. However, even though this is their primary function, it’s important to note that NAT firewalls are commonly used to provide an internet connection in an environment that lacks enough public IP addresses.

Benefits

  • Conceal internal network structure.
  • Reduce the number of public IP addresses needed.
  • Provide a basic level of security by obscuring internal IP addresses.

Be aware of

  • Offer limited security: NAT by itself does not provide robust security; it primarily offers address obscurity.
  • Have compatibility issues: Some protocols and applications may have difficulties working behind a NAT firewall.
  • Impact performance: Can introduce latency and performance issues, especially in large-scale environments.

Virtual firewall

Virtual firewalls provide firewall services in virtualized environments, protecting cloud infrastructure and applications. The ideal use case for virtual firewalls is cloud-based or virtualized network environments for small to large-sized networks.

Benefits

  • Dynamically scale and adapt to changing cloud environments.
  • Reduce hardware expenses and offer pay-as-you-go models.
  • Provide advanced threat protection and micro-segmentation.

Be aware of

  • Cause performance overheads: May impact the performance of the virtualized environment due to resource demands.
  • Are complex to manage: Managing virtual firewalls can be complex, especially in dynamic cloud environments.
  • Add security concerns: Virtual firewalls need to be as robust as physical ones, with proper configurations and updates to avoid vulnerabilities.

Network firewalls vs. host-based firewalls

Another distinction between firewall types is that between network and host-based firewalls.

Network firewalls protect entire networks and filter traffic between different zones, such as the Internet and an internal network. They are typically deployed at the perimeter of a network to inspect and control traffic flowing into and out of the network.

Host-based firewalls, on the other hand, are installed on individual devices to protect them from threats. These firewalls monitor and control the traffic to and from that specific device, providing an additional layer of security beyond network firewalls.

How does a firewall work? 

Moving from theory to practice, in this section, we will explore the technical details of how a firewall works.


Traffic filtering: Stateless firewalls

A firewall can be seen as a security guard placed at the frontier between a private network and the outside internet. Each incoming and outgoing packet has to pass through the firewall. At this point, a packet is only a bit of data with some mandatory and optional characteristics, such as:

  • Protocol (TCP, UDP, ICMP, etc.)
  • Source IP
  • Target IP
  • Source port
  • Destination port
  • Flag set (SYN, ACK, etc.)

The idea here is that illegitimate packets will show some specific characteristics allowing the firewall to block them. The firewall configuration uses those characteristics to build rules that discriminate between wanted network traffic, which goes through, and unwanted traffic, which is dropped. The general way to achieve this is to describe the wanted traffic and then drop all other traffic.

For example, if you want to host an SSH server, incoming traffic on TCP port 22 must be left open. If no other service is hosted, all remaining incoming traffic can be dropped.

Traffic filtering: Stateful firewalls

Now, imagine that we want to filter outgoing traffic. For a server, legitimate outgoing traffic is either a response to a request initiated by a client (the SSH response in our previous example) or traffic the server itself initiates for a legitimate purpose, such as updates. Illegitimate outgoing traffic is mostly produced after a system has been compromised (establishing persistence, exfiltrating data, installing malware, etc.).

At this point, it is important to understand how communication is handled in TCP, the protocol used in the vast majority of Internet communications. TCP is stateful: it maintains a connection state between the client and the server throughout the communication, tracking the session’s status and data transmission and ensuring reliable delivery. So, a stateful firewall has to keep track of TCP sessions to be able to discriminate between legitimate TCP sessions and TCP protocol misuse or exploitation attempts.

Note: Other common protocols like UDP and ICMP are stateless and don’t require session tracking.

A stateful firewall provides better security management because it allows fine-grained rules and simplifies rule management. Although it is widely used, it comes with some caveats. It can be so memory intensive that in environments with many connections, some connections may be dropped because the state table runs out of memory.

Last but not least, there is one thing a stateful firewall can provide even though it is not strictly a filtering function: the Network Address Translation we saw earlier. As the remaining pool of IPv4 addresses is shrinking, it is very important to use them sparingly. To achieve this, private addresses are used inside networks, and a router that holds a public IPv4 address translates public traffic into private and the other way around. This depends heavily on tracking session states, so it is often a feature of a stateful firewall.
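The following is an added example, not code from the original article, that puts the two filtering sections above side by side: the stateless SSH rule set (allow TCP/22 in, drop the rest) and a stateful extension that keeps a TCP state table with a bounded size. All packets and addresses are constructed for the demonstration; the inside network and the "updates over HTTPS" policy are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str                         # source IP
    dst: str                         # target IP
    sport: int                       # source port
    dport: int                       # destination port
    flags: frozenset = frozenset()   # TCP flag set, e.g. {"SYN"}
    direction: str = "in"            # "in": from the Internet, "out": from inside

def stateless_allow(pkt: Packet) -> bool:
    """Stateless policy: describe the wanted traffic, drop everything else."""
    if pkt.direction == "in":
        # Only the hosted SSH service (TCP/22) is reachable from outside.
        return pkt.proto == "tcp" and pkt.dport == 22
    # Outgoing: header fields alone can only identify SSH replies by their
    # source port, plus client HTTPS requests such as updates (assumption).
    return pkt.proto == "tcp" and (pkt.sport == 22 or pkt.dport == 443)

def flow_key(pkt: Packet):
    """Both directions of one flow must map to the same state-table entry."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, ends[0], ends[1])

class StatefulFirewall:
    """Keeps a TCP state table; replies pass only for sessions it has seen."""
    def __init__(self, max_entries: int = 1000):
        self.table = set()               # normalised 5-tuples of open sessions
        self.max_entries = max_entries   # a full table drops new sessions

    def allow(self, pkt: Packet) -> bool:
        if pkt.proto != "tcp":
            return stateless_allow(pkt)  # UDP/ICMP carry no session to track
        key = flow_key(pkt)
        if key in self.table:            # belongs to an established session
            if pkt.flags & {"FIN", "RST"}:
                self.table.discard(key)  # session closed: free the entry
            return True
        # Unknown flow: only a bare SYN may open one, and only towards the
        # exposed SSH server (inbound) or an HTTPS update server (outbound).
        if pkt.flags != frozenset({"SYN"}):
            return False
        may_open = pkt.dport == (22 if pkt.direction == "in" else 443)
        if not may_open or len(self.table) >= self.max_entries:
            return False                 # policy denies, or table exhausted (SYN flood)
        self.table.add(key)
        return True

# Constructed traffic for the SSH example in the text.
SSH_SYN = Packet("tcp", "198.51.100.7", "10.0.0.5", 50000, 22, frozenset({"SYN"}), "in")
SSH_REPLY = Packet("tcp", "10.0.0.5", "198.51.100.7", 22, 50000, frozenset({"SYN", "ACK"}), "out")
# A compromised inside host sending data from source port 22 with no session.
EXFIL = Packet("tcp", "10.0.0.5", "203.0.113.9", 22, 4444, frozenset({"PSH", "ACK"}), "out")

def demo():
    fw = StatefulFirewall()
    return {
        "stateless_exfil": stateless_allow(EXFIL),  # True: looks like an SSH reply
        "stateful_syn": fw.allow(SSH_SYN),          # True: opens the session
        "stateful_reply": fw.allow(SSH_REPLY),      # True: matches the session
        "stateful_exfil": fw.allow(EXFIL),          # False: no such session
    }
```

The `max_entries` bound reproduces the caveat from the text: once the table is full, new SYNs are refused even when the policy would accept them.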

Zone and interface

Interfaces are hardware components that are connected to networks. 

A computer or a router can have many interfaces to connect to multiple networks. So, it is relatively common to divide a network into segments or zones. Devices in the same zone share the same access policy.

Deep Packet Inspection and HTTPS

Traditionally, firewalls only look at the headers of TCP packets and decide based on the destination. This is suboptimal because many threats will still reach the user. Deep Packet Inspection (DPI) is meant to address this important limitation.

DPI can protect against malware delivery, data leakage, dangerous user behavior, and more. It is challenging because of its performance implications and, most of all, because of HTTPS traffic, which represents around 80% of exchanges on the Internet. Let’s see how it works.

To apply rules to a packet’s content, the firewall must be able to decrypt that content, inspect it, then drop it or forward it to its destination. The firewall cannot do that, since HTTPS guarantees secure communication between the user’s computer and the destination, whose identity is guaranteed by the protocol. A third party, such as a firewall, cannot intercept the communication because the traffic is encrypted using cryptographic keys that the user and the destination host have securely exchanged. Or can it?

A firewall capable of DPI simply performs a man-in-the-middle (MITM) operation. It presents itself as the destination host and uses a certificate it signs itself to secure the exchange with the user’s machine. Then, it forwards the traffic to the destination on behalf of the user and relays the replies back.

It may be shocking to find out that a firewall can perform MITM with a self-signed certificate, since a certificate is only trusted if it chains to a Certificate Authority the client trusts, and a self-signed CA is not trusted by default. This works because the firewall’s CA certificate is deployed to the trust stores of the machines it protects. So, if you are a sysadmin managing such certificates, make sure to secure them as highly sensitive assets, because if they get compromised, you will be teleporting your users into the phishing kingdom with little or no protection.

Intrusion Detection and Prevention Systems

Intrusion detection involves monitoring computers to identify unauthorized access attempts and is often used in large companies or in cloud environments. An Intrusion Detection and Prevention System (IDPS) is software or a device that automates intrusion detection. The response can be an alert or a logged event. Prevention is achieved when the intrusion threat is mitigated in real time.

There are three detection methods.

  • Signature-based detection: The software compares an event to signatures corresponding to a known attack. 
  • Anomaly-based detection: The system has a model of normal behavior. An intrusion is detected when a behavior deviates too far from normal (too many emails in a short time, too many failed login attempts, unusual processor usage, etc.).
  • Stateful protocol analysis: Here, stateful means that the system can know and trace protocol states, or pair requests with replies. It differs from anomaly-based detection in that it has accurate knowledge of the context and flow of network protocols, allowing detection of protocol-based attacks.

Leveraging this kind of software can really help achieve a significant level of security, as it provides real-time monitoring and protection against threats. It also offers visibility into security events, which helps ensure security compliance. But IDPS don’t come without their own set of challenges. Users often have to:

  • Deal with false positives and false negatives
  • Spend significant resources for maintenance because effectiveness relies upon the software being up-to-date
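As an added example (not part of the original article), the three detection methods listed above applied to a handful of constructed log lines: a signature match on a known attack pattern, a sliding-window anomaly rule for failed logins, and a stateful check that every DNS reply pairs with an outstanding query. The log format, thresholds and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines (not real traffic): auth, web and DNS events.
LOG = """\
2024-05-01T10:00:01 sshd Failed password for root from 203.0.113.5
2024-05-01T10:00:02 sshd Failed password for root from 203.0.113.5
2024-05-01T10:00:03 sshd Failed password for admin from 203.0.113.5
2024-05-01T10:00:04 sshd Failed password for root from 203.0.113.5
2024-05-01T10:00:05 sshd Failed password for root from 203.0.113.5
2024-05-01T10:01:11 httpd GET /../../etc/passwd from 203.0.113.9
2024-05-01T10:02:00 dns query id=4021 example.com from 10.0.0.5
2024-05-01T10:02:01 dns reply id=4021 example.com from 192.0.2.53
2024-05-01T10:02:02 dns reply id=7777 example.com from 203.0.113.9
2024-05-01T10:05:00 sshd Failed password for bob from 198.51.100.7
"""
LINE = re.compile(r"^(\S+) (\S+) (.*?) from (\S+)$")

def parse(log):
    # Returns (timestamp, program, message, peer IP) tuples; skips bad lines.
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, prog, msg, ip = m.groups()
            events.append((datetime.fromisoformat(ts), prog, msg, ip))
    return events

# 1. Signature-based: each event is compared to patterns of known attacks.
SIGNATURES = {"path-traversal": re.compile(r"\.\./")}

def signature_alerts(events):
    return [(ip, name) for _, _, msg, ip in events
            for name, pat in SIGNATURES.items() if pat.search(msg)]

# 2. Anomaly-based: "normal" is at most max_failures failed logins per IP
#    inside a sliding window; anything beyond that is flagged once per IP.
def anomaly_alerts(events, max_failures=4, window=timedelta(seconds=60)):
    alerts, recent = [], defaultdict(deque)
    for ts, _, msg, ip in events:
        if not msg.startswith("Failed password"):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # slide the window forward
            q.popleft()
        if len(q) > max_failures and ip not in alerts:
            alerts.append(ip)
    return alerts

# 3. Stateful protocol analysis: a DNS reply must pair with an outstanding
#    query; an unsolicited reply is a protocol-level anomaly.
def protocol_alerts(events):
    pending, alerts = set(), []
    for _, prog, msg, ip in events:
        if prog != "dns":
            continue
        kind, qid = msg.split()[:2]
        if kind == "query":
            pending.add(qid)
        elif qid in pending:
            pending.discard(qid)
        else:
            alerts.append((ip, "unsolicited-dns-reply"))
    return alerts
```

Raising `max_failures` or shrinking `window` shows the false-positive/false-negative trade-off the text mentions: the same log produces different alerts depending on where the baseline is set.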


Real-time blocklists

Something that is not often discussed is how curated blocklists can really enhance the capabilities of a firewall. Reliable, real-time curated blocklists can be very helpful in the long run because they allow people to block threats before they emerge. This kind of list is meant to adapt to evolving attacks, offering a dynamic defense mechanism.

This can be seen as a dynamic firewall, and it avoids all the resource-consuming systems we described in the previous sections. The primary concern is the reliability of the blocklist data. False negatives could be extremely harmful, while false positives might also cause damage, especially when the blocklist is applied to public-facing infrastructure designed for selling products to customers.

Still, adding a reliable blocklist to a firewall lets system administrators block threats that would not have matched any firewall blocking rule, so it can be an excellent complement to a stateful firewall.
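Added example, not code from the article or from CrowdSec: turning a blocklist feed into an nftables ruleset that complements the stateful rules above. Feed entries overlapping an operator-defined allowlist are dropped first, which is one way to limit the damage of a false positive on public-facing infrastructure. The feed contents, the allowlist range and the exposed port are constructed assumptions.

```python
import ipaddress

# Constructed feed (not a real blocklist): one IP or CIDR per line.
FEED = """\
# constructed sample entries
203.0.113.0/24
198.51.100.23
198.51.100.9
"""
# Assumption: ranges we operate or depend on. A feed entry overlapping them
# is a false positive for us and must never reach the drop set.
ALLOWLIST = ["198.51.100.16/28"]

def parse_feed(text):
    """Parse IPv4 entries, ignoring comments, blanks and malformed lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue                      # a bad feed line must not break the reload
        if net.version == 4:
            nets.append(net)
    return nets

def filter_false_positives(nets, allowlist):
    allow = [ipaddress.ip_network(a) for a in allowlist]
    return [n for n in nets if not any(n.overlaps(a) for a in allow)]

def render_nft(nets, exposed_ports=(22,)):
    """nftables ruleset: blocklisted sources are dropped before anything else,
    then the stateful rule lets replies through, then the exposed services."""
    elems = ", ".join(str(n) for n in nets)
    elements = f"        elements = {{ {elems} }}\n" if nets else ""
    ports = ", ".join(str(p) for p in exposed_ports)
    return (
        "table inet filter {\n"
        "    set blocklist {\n"
        "        type ipv4_addr\n"
        "        flags interval\n"
        f"{elements}"
        "    }\n"
        "    chain input {\n"
        "        type filter hook input priority 0; policy drop;\n"
        "        ip saddr @blocklist drop\n"
        "        ct state established,related accept\n"
        f"        tcp dport {{ {ports} }} accept\n"
        "    }\n"
        "}\n"
    )

def build(feed=FEED, allowlist=ALLOWLIST, exposed_ports=(22,)):
    """Feed text in, ruleset text out: the reload step of a real-time list."""
    nets = filter_false_positives(parse_feed(feed), allowlist)
    return render_nft(nets, exposed_ports)
```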


Why do you need a firewall?

Implementing a firewall offers multi-layer benefits. Let’s take a closer look.

Protecting against unauthorized access

Firewalls act as a barrier between secure internal networks and untrusted external networks. They analyze incoming and outgoing traffic to prevent unauthorized access, blocking potentially harmful traffic while allowing safe and legitimate communication. This helps security teams protect network resources from external threats.

Mitigating cyber threats

Firewalls filter traffic and prevent malicious software from entering the network, making them essential in the efforts of security teams to block malware, viruses, and ransomware. They also help prevent data breaches and theft by identifying and stopping unauthorized data transmissions, safeguarding sensitive information, and maintaining network security.

Aiding in regulatory compliance

One of the biggest headaches security teams have to face is keeping up with regulatory compliance across their infrastructure. Firewalls provide the necessary tools to monitor and control network access, aiding in compliance with laws and industry standards. They ensure adherence to cybersecurity regulations and standards by implementing robust security measures that align with regulatory requirements.

Maintaining network integrity

Firewalls help security teams maintain network integrity by controlling the flow of sensitive information and ensuring that only authorized users and devices can access certain network parts. This selective access helps protect critical systems and data from unauthorized use and potential compromise.

Going beyond traditional firewall protection

As the global cyber threats landscape continues to evolve, firewalls remain a cornerstone of network defense by monitoring and regulating network traffic to prevent unauthorized access and block malicious software.

However, the complexities of modern threats demand enhanced security measures beyond traditional firewalls. This is where IDPS becomes essential. An IDPS provides real-time monitoring, detecting, and responding to suspicious activities, adding an extra layer of defense to identify and mitigate threats before they can cause damage.

Integrating real-time and ultra-curated IP blocklists on top of that significantly augments firewall performance. Solutions like the CrowdSec Security Stack and CrowdSec Blocklists offer a community-driven approach to threat intelligence, providing updated and precise IP addresses to block malicious entities. These dynamic lists ensure that firewalls are not only responding to known threats but are also proactively shielding the network from emerging threats and enhancing overall network security.

By combining traditional firewall capabilities with advanced IDPS and real-time blocklists, security teams can ensure robust protection against an ever-growing array of cyber threats, maintaining the integrity and security of their networks.

Resources and further reading