Firewalls

Network security systems that monitor and control traffic based on predetermined security rules

Introduction

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It establishes a barrier between a trusted internal network and untrusted external networks, such as the internet. Firewalls are the most fundamental and widely deployed network security technology, forming the first line of defense in virtually every network architecture.

At its core, a firewall examines network packets and makes decisions to allow, deny, or drop them based on a set of rules (also called a policy or ruleset). These rules typically reference attributes such as source and destination IP addresses, port numbers, protocols, and -- in more advanced firewalls -- application-level data, user identity, and threat intelligence.

Modern networks deploy firewalls at multiple points: at the network perimeter (between internal networks and the internet), between network segments (such as between a DMZ and internal LAN), on individual hosts (host-based firewalls), and in the cloud (security groups and network ACLs).

"A firewall is not a magic solution to network security problems. It is one component of a comprehensive security architecture, and its effectiveness depends entirely on how well it is configured, maintained, and monitored." -- William Cheswick, co-author of Firewalls and Internet Security

History and Evolution

Firewall technology has evolved through several distinct generations, each adding new capabilities to address increasingly sophisticated threats:

GenerationEraTechnologyKey Innovation
1st GenerationLate 1980sPacket FiltersInspect individual packets based on header information (IP, port, protocol)
2nd GenerationEarly 1990sStateful InspectionTrack connection state to make context-aware decisions
3rd GenerationMid 1990sApplication-Layer GatewaysDeep packet inspection at the application layer (HTTP, FTP, DNS)
4th Generation2000sUnified Threat Management (UTM)Combine firewall with IDS/IPS, antivirus, VPN, content filtering
5th Generation2010s-presentNext-Generation Firewalls (NGFW)Application awareness, identity integration, threat intelligence, SSL inspection

The first commercial firewall product, DEC SEAL (Screened External Access Link), was released in 1992 by Digital Equipment Corporation. In the same year, Bill Cheswick and Steve Bellovin at Bell Labs published their influential research on firewall technology. Marcus Ranum built several early firewalls, including the TIS Firewall Toolkit, which became the basis for many commercial products.

The introduction of stateful inspection by Check Point Software in 1994 with their FireWall-1 product was a pivotal moment. Rather than examining each packet in isolation, stateful firewalls tracked the state of network connections and could make decisions based on whether a packet belonged to an established, legitimate connection.

Types of Firewalls

Packet Filtering

Packet filtering firewalls are the simplest and oldest type. They operate at the network layer (Layer 3) and transport layer (Layer 4) of the OSI model, examining each packet independently based on information in the packet headers:

  • Source and destination IP addresses
  • Source and destination port numbers
  • Protocol (TCP, UDP, ICMP)
  • TCP flags (SYN, ACK, FIN, RST)
  • Network interface (inbound vs. outbound)

Each packet is compared against an ordered list of rules. The first matching rule determines the action (allow, deny, or drop). If no rule matches, the default policy applies -- which should always be set to deny (default-deny).

Limitation: Packet filters are stateless -- they evaluate each packet in isolation with no knowledge of whether it belongs to an established connection. This makes them vulnerable to certain attacks, such as ACK scanning (sending ACK packets to probe which ports are filtered) and fragmentation attacks (splitting malicious payloads across multiple fragments).

Stateful Inspection

Stateful inspection firewalls (also called dynamic packet filtering) maintain a state table that tracks the state of every active network connection passing through the firewall. When a new connection is initiated (e.g., a TCP SYN packet), the firewall creates an entry in the state table. Subsequent packets belonging to that connection are matched against the state table rather than being evaluated against the full rule set.

This approach provides significant advantages over simple packet filtering:

  • Connection tracking: The firewall knows whether a packet is part of a NEW, ESTABLISHED, or RELATED connection
  • Return traffic handling: Return packets from legitimate connections are automatically allowed without requiring explicit rules
  • Protocol validation: The firewall can verify that TCP handshakes complete properly and reject packets that do not conform to expected protocol behavior
  • Better security: Prevents attackers from injecting arbitrary packets that happen to match a permit rule but are not part of a legitimate connection

Stateful inspection is the standard for modern firewalls and is the foundation upon which more advanced capabilities are built. Every major firewall platform -- including iptables/nftables, pf, Cisco ASA, and Palo Alto Networks -- implements stateful inspection.

Application-Layer Gateways (Proxy Firewalls)

Application-layer gateways, also called proxy firewalls, operate at Layer 7 (Application Layer) of the OSI model. Rather than simply forwarding packets, they act as intermediaries: the client connects to the proxy, and the proxy creates a separate connection to the destination. The proxy fully understands the application protocol and can inspect, filter, and modify application-layer data.

For example, an HTTP proxy firewall can:

  • Inspect HTTP headers, methods, URLs, and request bodies
  • Block specific URLs, file types, or content categories
  • Strip potentially dangerous content (ActiveX, Java applets)
  • Enforce protocol compliance (reject malformed HTTP requests)
  • Provide user authentication before granting internet access
  • Cache content to improve performance

Limitation: Application-layer gateways introduce latency because they must fully process and reconstruct application-layer data. They also require a separate proxy for each application protocol, which limits their flexibility.

Next-Generation Firewalls (NGFW)

Next-Generation Firewalls, as defined by Gartner, combine traditional stateful inspection with additional capabilities that go far beyond port-and-protocol filtering:

  • Application awareness and control: Identify and control applications regardless of port, protocol, or encryption. An NGFW can distinguish between Facebook Messenger, Skype, and a corporate VPN -- even if they all use port 443.
  • Integrated intrusion prevention (IPS): Built-in intrusion prevention with signature-based and behavior-based detection
  • SSL/TLS inspection: Decrypt and inspect encrypted traffic to detect threats hiding inside TLS connections
  • Identity integration: Tie firewall rules to user identities (from Active Directory, LDAP, or SAML) rather than just IP addresses
  • Threat intelligence: Real-time feeds of known malicious IPs, domains, URLs, and file hashes
  • Sandboxing: Detonate suspicious files in an isolated environment to identify zero-day malware

Major NGFW vendors include Palo Alto Networks, Fortinet (FortiGate), Cisco (Firepower), Check Point, and Juniper Networks (SRX).

Web Application Firewalls (WAF)

A Web Application Firewall (WAF) is a specialized firewall designed specifically to protect web applications from application-layer attacks. While a network firewall operates at Layers 3-4 and an NGFW adds Layer 7 awareness, a WAF focuses exclusively on HTTP/HTTPS traffic and understands web application logic.

WAFs protect against common web attacks documented in the OWASP Top 10:

WAFs can be deployed as hardware appliances (F5 BIG-IP ASM, Imperva), software (ModSecurity with OWASP Core Rule Set), or cloud services (AWS WAF, Cloudflare WAF, Azure WAF). They operate in three modes: transparent/bridge, reverse proxy, or cloud-based (DNS redirection).

Firewall Type Comparison

FeaturePacket FilterStatefulApp-Layer ProxyNGFWWAF
OSI Layer3-43-473-77
Connection TrackingNoYesYesYesYes
Application AwarenessNoNoPer-protocolAll applicationsHTTP/HTTPS only
SSL InspectionNoNoLimitedYesYes
User IdentityNoNoOptionalYesOptional
IPS IntegrationNoNoNoBuilt-inWeb-specific
Performance ImpactMinimalLowHighModerateModerate
CostLow/FreeLow/FreeModerateHighModerate-High

Linux Firewalls: iptables and nftables

Linux provides powerful built-in firewall capabilities through the Netfilter framework in the kernel. Two userspace tools are used to configure Netfilter rules:

iptables has been the standard Linux firewall tool since the 2.4 kernel (2001). It organizes rules into tables (filter, nat, mangle, raw) and chains (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING). Example rules:

# Default deny policyiptables -P INPUT DROPiptables -P FORWARD DROPiptables -P OUTPUT ACCEPT# Allow established connectionsiptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT# Allow SSH from management subnetiptables -A INPUT -s 10.0.1.0/24 -p tcp --dport 22 -j ACCEPT# Allow HTTP and HTTPSiptables -A INPUT -p tcp --dport 80 -j ACCEPTiptables -A INPUT -p tcp --dport 443 -j ACCEPT# Allow loopbackiptables -A INPUT -i lo -j ACCEPT# Log and drop everything elseiptables -A INPUT -j LOG --log-prefix "DROPPED: "iptables -A INPUT -j DROP

nftables is the successor to iptables, introduced in the 3.13 kernel (2014) and now the default in most modern Linux distributions. It provides a cleaner syntax, better performance through set-based matching, and unified handling of IPv4, IPv6, and other protocol families:

#!/usr/sbin/nft -ftable inet filter { chain input { type filter hook input priority 0; policy drop; # Allow established connections ct state established,related accept # Allow loopback iif lo accept # Allow SSH from management subnet ip saddr 10.0.1.0/24 tcp dport 22 accept # Allow web traffic tcp dport { 80, 443 } accept # Log and drop log prefix "DROPPED: " drop } chain forward { type filter hook forward priority 0; policy drop; } chain output { type filter hook output priority 0; policy accept; }}

"The power of the Linux firewall lies not in any graphical tool, but in understanding Netfilter's architecture. Once you grasp tables, chains, and connection tracking, you can build firewall policies that rival commercial appliances." -- Michael Rash, author of Linux Firewalls

Cloud Firewalls

Cloud providers implement firewall functionality through software-defined networking constructs that apply at the virtual infrastructure level:

Cloud ProviderInstance-Level FirewallSubnet-Level FirewallWAF ServiceAdvanced Firewall
AWSSecurity Groups (stateful)Network ACLs (stateless)AWS WAFAWS Network Firewall
AzureNSGs (stateful)NSGs at subnet levelAzure WAFAzure Firewall
GCPVPC Firewall RulesHierarchical Firewall PoliciesCloud ArmorCloud NGFW

Cloud firewalls differ from traditional hardware firewalls in several important ways: they scale automatically, they are defined as code (Infrastructure as Code), they integrate with cloud identity services, and they can be version-controlled and deployed through CI/CD pipelines. This "firewall as code" approach reduces configuration drift and enables consistent security policies across large cloud deployments.

Firewall Policies and Rule Design

Effective firewall management requires disciplined rule design and ongoing maintenance:

  • Default Deny: The last rule in any chain should deny all traffic. Only explicitly permitted traffic is allowed. This is the most fundamental firewall principle.
  • Least Privilege: Each rule should be as specific as possible. Allow only the exact source IPs, destination IPs, ports, and protocols required.
  • Rule Ordering: Most firewalls process rules top-to-bottom and stop at the first match. Place the most frequently matched rules near the top for performance, and place specific rules before general ones.
  • Documentation: Every rule should include a comment explaining its purpose, the date it was added, and who requested it. Undocumented rules accumulate and become impossible to audit.
  • Regular Audits: Review firewall rules quarterly. Remove rules for decommissioned servers, expired projects, and temporary exceptions that were never cleaned up.
  • Change Management: All firewall changes should go through a formal change management process with approval, testing, and rollback procedures.

Limitations and Evasion Techniques

Firewalls are essential but not infallible. Understanding their limitations is critical for building comprehensive security:

  • Encrypted traffic: Traditional firewalls cannot inspect encrypted traffic. Without SSL/TLS inspection, malware and data exfiltration can hide inside HTTPS connections.
  • Insider threats: Firewalls primarily guard perimeter boundaries. They offer limited protection against threats originating from within the trusted network.
  • Application-layer attacks: Basic firewalls that operate at Layers 3-4 cannot detect attacks embedded in application-layer protocols (SQL injection, XSS, etc.).
  • Protocol tunneling: Attackers can tunnel malicious traffic through permitted protocols (e.g., DNS tunneling, HTTP tunneling, ICMP tunneling) to bypass firewall rules.
  • Rule complexity: Large, complex rule sets are prone to misconfigurations. Overly permissive rules, rule conflicts, and shadowed rules (rules that can never match because a broader rule appears first) are common problems.
  • Zero-day exploits: Signature-based detection cannot catch unknown threats. Even NGFWs with IPS capabilities may miss novel attack techniques.

These limitations underscore the importance of defense in depth -- firewalls should be complemented by intrusion detection systems, intrusion prevention systems, endpoint protection, SIEM, and security awareness training.

Best Practices

  • Implement default-deny policies on all firewalls -- both inbound and outbound
  • Use stateful inspection at minimum; prefer NGFW for enterprise environments
  • Deploy WAFs in front of all web applications, regardless of other firewall layers
  • Enable SSL/TLS inspection where legally and operationally feasible to detect threats in encrypted traffic
  • Segment networks using firewalls between zones, not just at the perimeter -- implement DMZ architectures
  • Maintain firewall logs and forward them to a centralized SIEM for analysis and alerting
  • Conduct regular rule audits and remove obsolete or overly permissive rules
  • Test firewall configurations with automated scanning tools and periodic penetration testing
  • Keep firewall firmware and signatures current through a disciplined patch management process
  • Implement firewall rules as Infrastructure as Code and manage them through version control

References

  • Cheswick, W. R., Bellovin, S. M., & Rubin, A. D. (2003). Firewalls and Internet Security: Repelling the Wily Hacker, 2nd Edition. Addison-Wesley.
  • Scarfone, K., & Hoffman, P. (2009). NIST SP 800-41 Rev. 1: Guidelines on Firewalls and Firewall Policy.
  • Rash, M. (2007). Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort. No Starch Press.
  • Neira-Ayuso, P., Gasca, R. M., & Lefevre, L. (2006). "Communicating between the kernel and user-space in Linux using Netlink sockets." Software: Practice and Experience, 40(9).
  • Gartner (2009). "Defining the Next-Generation Firewall." Gartner Research.
  • OWASP Foundation (2021). OWASP Top 10: 2021. Open Web Application Security Project.
  • Zwicky, E. D., Cooper, S., & Chapman, D. B. (2000). Building Internet Firewalls, 2nd Edition. O'Reilly Media.
  • PCI Security Standards Council (2022). PCI DSS v4.0: Payment Card Industry Data Security Standard.
  • CIS (2024). CIS Benchmarks for Firewalls. Center for Internet Security.
  • Purdy, G. N. (2004). Linux iptables Pocket Reference. O'Reilly Media.