Glossary // Firewall
What is a Firewall?
A firewall can be described as a hardware device that acts as a network security barrier between an internal network and the Internet.
A firewall has a very simple premise: do I let this network connection through or not? For all the complexity of modern firewalls, it really comes down to that question, and the answer is always one of two choices: allow or deny.
In the image below, an IP header is shown in detail and gives you an idea of the kinds of things a firewall can see for a given piece of traffic.
How a firewall arrives at that choice has evolved considerably over the past 30 years, and the decision is now derived from three types of scrutiny:
- Packet Filtering: This is traffic inspection at its simplest level. The traffic is examined only by port, protocol, and source and destination address. This is analogous to directing vehicle traffic at an intersection and deciding which cars are allowed through based upon their color.
- Stateful Inspection: Keeping track of the state of a given TCP connection was introduced in the early 1990s by the larger Unix networking brain trust at AT&T Bell Laboratories, as a means of deciding more intelligently whether a given packet was malicious or not. A good example of this is a user on an internal network making a request to Google.com: the firewall watches that request elicit a response from a web server, which sends an HTTP 200 back to the browser. Since the firewall saw that a request was made from inside the trusted zone, it is reasonable for a response to come back from the destination IP address using the same port and protocol. If, suddenly, a large number of responses began to pour into the buffer of the firewall without a preceding request, the firewall would recognize the illegitimacy of the traffic and drop it.
- Application Level Analysis: With what has been branded as an NGFW (next-generation firewall), Palo Alto Networks, spearheaded by its firewall platform, changed the in-line inspection paradigm by looking at the traffic it processes at the level of the originating application. If a firewall has a whitelisted set of applications, it has a good baseline for telling uninteresting traffic apart from malicious traffic. This means that when an unknown application begins sending encrypted traffic through port 53 (the DNS port), the firewall is able to take deterministic action on that traffic based upon the tuning parameters that have been enabled.
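As an added illustration (not part of the original glossary entry or any vendor's code), the following Python model strings the three layers together in the order a packet would meet them: stateful matching first, then the port/protocol filter, then the application check. All addresses, ports, application labels and the policy itself are constructed values, and the `app` field stands in for whatever payload inspection would identify.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int
    app: str = "unknown"   # application identified by payload inspection

# Constructed policy (assumed values): hosts in 10.0.0.0/24 may open
# outbound TCP/443 for web traffic and UDP/53 for DNS, nothing else.
INTERNAL_PREFIX = "10.0.0."
OUTBOUND_RULES = {("tcp", 443): {"web-browsing", "ssl"}, ("udp", 53): {"dns"}}

class Firewall:
    def __init__(self):
        self.flows = set()  # established flows: (src, sport, dst, dport, proto)

    def decide(self, pkt: Packet) -> tuple:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        # Stateful inspection: a reply is legitimate only if the matching
        # request was already seen leaving the trusted zone.
        if rev in self.flows:
            return ("allow", "reply to established flow")
        # Packet filtering on address, protocol and port.
        if not pkt.src.startswith(INTERNAL_PREFIX):
            return ("drop", "unsolicited inbound traffic")
        permitted_apps = OUTBOUND_RULES.get((pkt.proto, pkt.dport))
        if permitted_apps is None:
            return ("drop", "port/protocol not permitted")
        # Application-level analysis: only whitelisted applications may use
        # this port (real DNS on UDP/53, not an unknown encrypted tunnel).
        if pkt.app not in permitted_apps:
            return ("drop", "unexpected application on port %d" % pkt.dport)
        self.flows.add(fwd)
        return ("allow", "new outbound flow")

def simulate() -> list:
    """Replay the scenarios from the text; returns (packet, decision) pairs."""
    fw = Firewall()
    traffic = [
        Packet("10.0.0.5", "198.51.100.10", "tcp", 51000, 443, "web-browsing"),
        Packet("198.51.100.10", "10.0.0.5", "tcp", 443, 51000),   # the 200 reply
        Packet("203.0.113.9", "10.0.0.5", "tcp", 443, 51001),     # reply, no request
        Packet("10.0.0.5", "198.51.100.53", "udp", 40000, 53, "unknown"),  # port 53
    ]
    return [(p, fw.decide(p)) for p in traffic]
```

`simulate()` returns allow, allow, drop, drop for the four packets in that order: the unsolicited "reply" fails the stateful check, and the unknown application on port 53 fails the application check even though the port itself is permitted.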