Learning Center | Glossary | Firewall
What is a Firewall?
A firewall can generally be described as a hardware device that acts as a network security barrier between an internal network and the internet. As there are many more ways that a firewall exists within network infrastructure such as a virtualized instance or living at different boundary types, we will focus on the ones described above for the purposes of this article.
A firewall has a very simple premise: Do I let this network connection through or not? For as complex as modern firewalls seem, it really comes down to that question and there will only be one answer from two possible choices. In the image below, an IP header is shown in detail and gives you an idea of the kinds of things a firewall can see for a given piece of traffic.
How a firewall arrives at that choice has been experiencing a prominent evolution over the past 30 years is now derived from three types of scrutiny:
- Packet Filtering: This is traffic inspection at the simplest level. The traffic is examined at the level of port, protocol, source and destination address. This is analogous to directing vehicle traffic in an intersection and deciding which cars are allowed through based upon their color.
- Stateful Inspection: Keeping track of the state of a given TCP connection was introduced in the early 90’s by the larger Unix networking brain trust at AT&T Bell Laboratories as a means to provide a more intelligent means of deciding whether it was malicious or not. A good example of this kind of analysis is a user on an internal network making a request to Google.com and watching as that request elicits a response back from a web server which sends an HTML / HTTPS 200 back to the browser. Since the firewall saw that a request was made from inside the trusted zone, it would be reasonable for a response to come back from the destination IP address using the same port and protocol. If suddenly a large number of responses began to pour into the buffer of the firewall without a preceding request, the firewall would recognize the illegitimacy of the traffic and drop it.
- Application Level Analysis: With what has been branded as an NGFW spearheaded by arguably the most robust firewall platform on the market, Palo Alto Networks has changed the in-line inspection paradigm by looking at the traffic it processes at the level of the application origin point. If a firewall has a whitelisted set of applications that it knows will be making calls out to the internet on a regular basis, it has a great baseline of understanding the difference between uninteresting and malicious traffic. If you spent some time tuning your firewall to recognize the traffic patterns of an installed instance of GoToMeeting or a browser trying to access Dropbox, you will have given it the ability to manage traffic at a level or resolution specific to the application itself. So when an unknown application begins sending encrypted traffic through port 53, it will have the ability to take deterministic action upon that traffic based upon the tuning parameters you with which you have enabled it.