Firewall

What is a Firewall?

A firewall is a hardware, software, or cloud-based security tool (or device) that functions as a protective barrier between a trusted private network and untrusted external networks like the Internet. Firewalls secure private networks by monitoring, filtering, and controlling both incoming and outgoing network traffic based on programmed security rules and policies.

Some firewalls function by examining data packets as they cross the network perimeter and determining whether to allow or block those packets based on defined criteria, including things like: 

  • Source IP address,
  • Destination IP address,
  • Packet protocols (e.g. TCP, UDP, etc.),
  • Application protocols (e.g. HTTP, DNS, SSH, etc.)
  • Destination port number,
  • Direction (incoming or outgoing)
  • User identity,
  • Flags in the TCP header,
  • …and more

Other firewalls control network access by monitoring TCP handshakes, executing stateful packet inspections to continuously validate network connections, or via Deep Packet Inspection (DPI).

Enterprise IT organizations deploy firewalls to monitor the network perimeter and automate the process of detecting and blocking unauthorized or suspicious traffic. But while firewalls are effective at securing the network perimeter, enterprises often remain vulnerable to phishing, account takeover, and social engineering attacks that originate outside the private network.

Why is a Firewall Important for Cybersecurity?

Monitoring Network Traffic

Firewalls monitor network traffic by analyzing incoming and outgoing packets. This provides visibility into traffic on the network, allowing network administrators to identify suspicious access patterns or potential security breaches.

Enforcing Access Controls

Firewalls implement predefined rules that control what types of traffic are allowed on the network. These rules can include Access Control Lists (ACLs), a type of policy that restricts who can access or transmit data on a network. By enforcing these rules, a firewall can block malicious actors from gaining unauthorized access to the network.

Blocking Cyber Threats

Firewalls play an important role in blocking cyber threats against enterprise networks. They can be programmed to block packets with known threat signatures, or that originate from IP addresses that have been associated with malware, botnets, or DDoS attacks.

Supporting Regulatory Compliance

Some organizations are subject to data security and privacy regulations that require them to properly secure and maintain the integrity of sensitive data. Firewalls can help these organizations fulfill their regulatory obligations by safeguarding sensitive data and verifying that there was no unauthorized access.

3 Ways to Deploy a Firewall

  • Hardware-based Firewalls: A hardware firewall is a physical appliance that acts as a secure gateway between a private on-prem data center and the Internet. 
  • Software-based Firewalls: A software-based firewall runs directly on a server or computer and monitors data packets traveling between that device and any untrusted external networks.
  • Cloud-based Firewalls: Cloud-based firewalls are provided by 3rd-party vendors and hosted in the public cloud. Cloud firewalls offer advanced threat protection, leverage up-to-date threat intelligence to shield cloud-based applications and services from malicious network traffic.

    5 Types of Firewalls and How They Work

    • Packet Filtering Firewall: A packet filtering firewall is the most basic type of firewall. Packet filtering firewalls sit at the network edge and check incoming/outgoing packets against predetermined criteria to determine whether the traffic should be allowed or blocked. IT administrators can configure packet filtering firewalls to block any type of network traffic that can be identified by its source or destination IP address, packet type and characteristics, communication protocol, target port, or other factors.
    • Circuit-Level Gateway: Circuit-level gateways don’t monitor data packets directly, but they do monitor TCP handshakes to validate new connections and check whether the remote device is trusted.
    • Proxy Firewall: A proxy firewall, also called an application firewall, filters network traffic at the application layer. Proxy firewalls often serve as an intermediary or gateway between a private network and the public Internet, inspecting and filtering data packets before relaying them into or out of the network.
    • Stateful Inspection Firewall: State-aware firewalls take packet inspection a step further by tracking whether each packet is part of an established TCP handshake or legitimate network session before determining whether the pack should enter or exit the network.
    • Next-Generation Firewall (NGFW): Next-generation firewalls incorporate a variety of firewall and security technologies, including stateful inspection, DPI, malware filtering, and antivirus.

    3 Types of Threats You Can Block with a Firewall

    Firewalls can be used to block traffic from known malicious sources, including IP addresses, domains, and networks associated with digital threats. Here are three types of threats that can be blocked using a firewall.

    • Malware and Trojans: Digital adversaries frequently attempt to distribute trojans or launch malware, ransomware, and other kinds of malicious software attacks over the public Internet. Firewalls can block malicious software from infiltrating a targeted network or machine via the Internet. 
    • Command and Control Attacks: Digital adversaries use command & control (C2) attacks to gain control of machines in a targeted network and leverage their storage or compute resources to launch DDoS attacks, mine crypto, or for other nefarious purposes. A firewall can block packets from known botnets and C2 servers to shield a private network against this type of attack.
    • Denial of Service (DoS) Attacks: A DoS attack is when a digital adversary leverages a botnet to bombard a target network with illegitimate traffic, overwhelming its servers and causing poor performance or service outages for real users. A firewall can block DoS attacks that originate from a known IP address, subnet, or domain.

      3 Cyber Threats You Can’t Block with a Firewall

      • Phishing and Spear Phishing: Digital adversaries use social engineering tactics like phishing and spear phishing to financially defraud or steal sensitive data from enterprise organizations. Social engineering tactics allow digital adversaries to manipulate targets and gain unauthorized access to secure systems without having to penetrate network defenses using electronic means (e.g. malware, hacking, etc.).
      • Zero-Day Threats: Firewalls are good at blocking malicious traffic from known sources, but unknown zero-day threats can often evade firewall security rules or bypass the firewall altogether by exploiting some other vulnerability in the targeted organization’s attack surface.
      • DNS Spoofing/Cache Poisoning: Digital adversaries are always searching for new ways to circumvent firewall defenses. One technique we’ve seen is known as DNS spoofing or DNS cache poisoning. 
        In a DNS spoofing attack, digital adversaries manipulate vulnerabilities in the Domain Name System (DNS) to redirect legitimate web traffic to a fraudulent site. A successful DNS spoofing attack can evade detection by firewalls and make a connection to a malicious website appear trusted.

      Block Cyber Threats Beyond the Network Perimeter with ZeroFox

      A firewall site at the edge of your network, blocking connections to and from malicious actors. But while firewalls are effective at securing the network perimeter against known cyber threats, digital adversaries are increasingly targeting enterprises with threats that originate outside the network perimeter.

      ZeroFox provides digital risk protection, threat intelligence, and adversary disruption to dismantle external threats to brands, people, assets, and data across the public attack surface in one, comprehensive platform.

      Ready to learn more?

      Read our free white paper External Cybersecurity is Your First Line of Defense to learn more about threat activity beyond the corporate perimeter and how to develop an external cybersecurity program.