What is a Firewall?

Firewall cyber security definition

A firewall is a network security device. A firewall is typically placed between security boundaries, for example, an internal and an external network. Firewalls are used to segregate traffic. All network traffic that transverses a firewall is monitored and either permitted or denied depending on security rulesets that have been configured. By default, most firewalls will operate in a default ‘deny all’ state and you will specifically allow the network ports and services that you wish to allow. In the specific context of cyber security, not least Penetration Testing and Red Teaming engagements a key focus of engagements will be to assess firewall rulesets and attempt to subvert them or highlight where rulesets are too permissive.



Is a firewall part of cyber security?

Yes, a firewall will make up part of your cyber security control set. As mentioned in the firewall cyber security definition section it restricts traffic between the security boundaries of a network. Locking the front door of your house prevents someone from entering if they try to open the door. If the door is unlocked, then they will be allowed through when they try to open the door. The same context applies to a firewall as part of cyber security. If the network traffic is allowed (door open) then it will be permitted. If it is not allowed (door closed) the traffic will be denied.


How does a firewall help?

A firewall acts as a security control that restricts traffic between areas of ‘trust’, typically the security boundaries of a network. For example, you may trust that all network traffic between two internal systems is allowed and therefore there is no need to put a firewall between them. In contrast, you wouldn’t trust all traffic arriving from the public internet, therefore typically place a firewall between the public internet and your internal systems. Firewalls are also commonly used to segregate networks, for example, you may have sensitive data held internally and you only want to permit access to the systems holding this sensitive information to certain other people or network systems. As part of a Penetration Testing engagement, the ethical hacker you are working with will typically assess numerous controls, not least your firewall configuration and wider segregation controls.


What are the 3 types of firewalls

3 of the most common firewall types are:

  1. Packet Filtering Firewalls

  2. Stateful Inspection Firewalls

  3. Application Level/Layer Firewalls


Packet Filtering Firewalls

Packet filtering firewalls are typically considered the most basic form of firewall, they are also the oldest. They operate at the network layer (layer 3) of the OSI model. They perform basic checks on each packet that arrives. These basic checks include source IP, destination IP, protocol, source port and destination port. The packet will then be ‘allowed’ or ‘denied’ depending on the firewall’s ruleset.


Packet filtering firewalls are basic and often easily bypassed during Penetration Testing or Red Teaming engagement using techniques such as IP spoofing, source routing attacks or fragment attacks. They are numerous tools in both the Ethical Hacker’s and Malicious Hacker’s arsenals to defeat packet filtering firewalls.


Packet filtering firewalls are stateless, meaning that each packet is treated in isolation when it’s inspected. There is no ‘state’ maintained and therefore no stored knowledge of or reference to past packets.


Stateful inspection firewalls

Stateful inspection firewalls will typically be found in all modern networks. A stateful firewall is continuously monitoring and analysing traffic to ensure a full state of active connections is maintained. They will create state tables on a connection that has been established and permitted. Stateful firewalls have the visibility and context of an entire packet stream, rather than assessing each packet in isolation like non-stateful (stateless) firewalls will.


Application Firewalls

Application firewalls operate at the application layer (layer 7) of the OSI model. Application firewalls operate on a higher layer (layer 7, rather than layer 3) than traditional firewalls. This enables packet decisions to be based on more than just source IP, destination IP, port etc. Decisions are instead based on input/outputs or system calls to an application directly. The application will inspect traffic at the higher layer. For example, an application-level firewall can restrict traffic to certain ‘parts’ of an application (such as administrative functionality), therefore a network-level firewall can only allow or deny access to the whole application (IP / port).


If you like this blog post, find more content in our Glossary.