What Is a Firewall? Types, Functions, and How It Secures Networks
This comprehensive guide explains firewalls—from their origin as fire‑blocking walls to modern network security devices—covering definitions, software and hardware variants, technical types, session management, NAT, VPN, DoS mitigation, IDS/IPS, deep inspection, and performance metrics, all illustrated with diagrams and examples.
1. What is a firewall?
A firewall originally referred to a fire‑resistant wall that prevents fire from spreading; networking later adopted the term for a device or strategy that blocks unauthorized inbound or outbound traffic and enforces CIA (Confidentiality, Integrity, Availability) policies.
2. Types of firewalls
Firewalls are divided into software firewalls and hardware firewalls. Software firewalls include personal firewalls that run on PCs (e.g., Windows Firewall) and gateway firewalls that operate on network gateways. Hardware firewalls are dedicated appliances resembling routers, typically equipped with gigabit or 10‑Gbps interfaces.
Personal firewall
Runs on a PC, monitors traffic between the host and external networks, and is often bundled in security suites.
Gateway firewall
Deployed at the network edge, it controls traffic for all devices behind it, applying policies at the gateway.
Hardware firewall
A standalone device with multiple network ports, providing high‑performance packet inspection and NAT capabilities.
3. Technical types of firewalls
Include packet‑filtering, stateful inspection, application‑layer gateways, and deep inspection, each examining different protocol layers to enforce security.
4. Proxy server
An application‑level gateway that acts on behalf of a client, forwarding HTTP requests to servers and returning responses, thereby creating separate client‑proxy and proxy‑server sessions.
Inspects request and response packets at the application layer.
Hides the client’s IP address from the server.
5. Session management
A session is the logical connection between two endpoints, lasting from initiation to termination. In TCP, a three‑way handshake establishes a session; in UDP, a flow of packets with matching source/destination IP/port constitutes a session; ICMP uses the protocol number to generate a session.
TCP connection management
Firewalls examine SYN packets to start a session, use ACK checks to prevent SYN‑Flood attacks, detect duplicate segments, enforce window limits, reassemble segments, and verify checksums.
How firewalls establish sessions
Check the session table for an existing entry; if found, reject duplicate establishment.
Determine forwarding path via routing or MAC tables.
Perform NAT if required, then forward to the appropriate interface.
Apply security policies (source, destination, service) to allow or deny traffic.
If allowed, create a new session entry in the session table.
Session timeout
Sessions have a lifetime (TTL). Typical defaults: TCP 30 minutes–1 hour, UDP 30 seconds, ICMP based on protocol number. Expired sessions are removed to free resources and prevent abuse.
6. Security zones
Firewalls define zones such as Trust Zone (internal), Untrust Zone (external/Internet), DMZ (public servers), and custom zones (e.g., Sales Zone). Interfaces are assigned to zones, and traffic between zones must match security policies.
7. Security policies
Firewalls enforce access control rules that specify source, destination, service, and action. Unlike router ACLs, firewall policies use zones as objects and can also match applications or users. Policies are evaluated top‑down; the first match applies. An implicit deny (default deny) rule handles unmatched traffic, while an explicit any rule can permit all. For comparison, a router ACL entry matches only on addresses, protocol and ports:
access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet
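Sections 5 and 7 together describe the session-establishment steps, per-protocol session lifetimes and zone-based first-match policies with an implicit deny. The following Python simulation, added here as an example and not taken from the original article, ties them together; the interface-to-zone map, the policy list, the ICMP lifetime and the sample packets are assumed values, and the routing lookup is simplified to an out_if carried in each packet.

```python
# Session lifetimes: TCP 30 min and UDP 30 s as in the article; the ICMP value is assumed.
TTL = {"tcp": 1800, "udp": 30, "icmp": 60}
ZONES = {"eth0": "trust", "eth1": "untrust", "eth2": "dmz"}  # constructed topology
# Zone-based policies, evaluated top-down; first match wins, unmatched traffic is denied.
POLICIES = [
    {"src": "trust", "dst": "untrust", "service": ("tcp", 443), "action": "permit"},
    {"src": "untrust", "dst": "dmz", "service": ("tcp", 80), "action": "permit"},
    {"src": "trust", "dst": "dmz", "service": ("any", None), "action": "permit"},
]

def match_policy(src_zone, dst_zone, proto, dport):
    for pol in POLICIES:
        p_proto, p_port = pol["service"]
        if pol["src"] == src_zone and pol["dst"] == dst_zone and (
                p_proto == "any" or (p_proto, p_port) == (proto, dport)):
            return pol["action"]
    return "deny"  # implicit default deny

class StatefulFirewall:
    def __init__(self):
        self.sessions = {}  # 5-tuple -> expiry time

    def handle(self, pkt, now):
        """pkt keys: in_if, out_if, proto, src, sport, dst, dport, flags (out_if stands in for routing)."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        # Step 1: a packet of a live session (either direction) refreshes it and skips the policy lookup.
        for k in (key, reverse):
            if k in self.sessions and self.sessions[k] > now:
                self.sessions[k] = now + TTL[pkt["proto"]]
                return "forward"
        # Only a SYN may open a TCP session; a stray ACK with no session is dropped.
        if pkt["proto"] == "tcp" and pkt.get("flags") != "S":
            return "drop"
        # Step 4: policy lookup by zone on the first packet only.
        action = match_policy(ZONES[pkt["in_if"]], ZONES[pkt["out_if"]],
                              pkt["proto"], pkt["dport"])
        if action != "permit":
            return "drop"
        # Step 5: create the session entry with the protocol's lifetime.
        self.sessions[key] = now + TTL[pkt["proto"]]
        return "forward"

    def expire(self, now):
        """Sweep timed-out sessions; returns how many entries were freed."""
        dead = [k for k, exp in self.sessions.items() if exp <= now]
        for k in dead:
            del self.sessions[k]
        return len(dead)
```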
8. Network Address Translation (NAT)
NAT converts private IP addresses to public ones. Types include:
Static NAT: One‑to‑one mapping, manually configured.
Dynamic NAT: Uses an address pool to assign public addresses on demand.
Source NAT (SNAT): Translates the source address of outbound traffic.
Destination NAT (DNAT): Translates the destination address of inbound traffic, often used to expose internal servers.
NAPT (Network Address Port Translation): Maps multiple private addresses to a single public address using port numbers.
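To make the NAT types above concrete, here is a small Python model, added as an example rather than taken from the article, of NAPT (many private hosts behind one public address, told apart by the translated source port) together with a static DNAT entry that publishes an internal server. All addresses and the port range are constructed.

```python
import itertools

PUBLIC_IP = "203.0.113.10"  # constructed: the firewall's outside address
# Static DNAT entry publishing an internal web server (constructed addresses).
DNAT = {(PUBLIC_IP, 80): ("172.16.1.1", 80)}
REVERSE_DNAT = {inside: outside for outside, inside in DNAT.items()}

class Nat:
    """NAPT for outbound traffic plus static DNAT for one published service."""
    def __init__(self, first_port=1024):
        self.next_port = itertools.count(first_port)  # translated-port allocator
        self.out_map = {}  # (private_ip, private_port) -> translated public port
        self.in_map = {}   # translated public port -> (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the private side; returns the new 4-tuple."""
        key = (src_ip, src_port)
        if key in REVERSE_DNAT:           # reply from the published server
            return REVERSE_DNAT[key] + (dst_ip, dst_port)
        if key not in self.out_map:       # first packet of a flow: allocate a port
            port = next(self.next_port)
            self.out_map[key] = port
            self.in_map[port] = key
        return (PUBLIC_IP, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet arriving from the public side, or return None to drop it."""
        if (dst_ip, dst_port) in DNAT:                        # published service
            return (src_ip, src_port) + DNAT[(dst_ip, dst_port)]
        if dst_ip == PUBLIC_IP and dst_port in self.in_map:  # reply to a NAPT flow
            return (src_ip, src_port) + self.in_map[dst_port]
        return None  # unsolicited inbound traffic has no mapping
```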
9. Virtual Private Network (VPN)
VPN creates secure tunnels over public networks. Common topologies:
Site‑to‑site (point‑to‑point) VPN: Connects two networks via an IPsec tunnel.
Hub‑and‑spoke (central) VPN: A central site connects to multiple remote sites.
Remote‑access VPN: Individual users connect to the corporate network using IPsec or SSL‑VPN.
IPsec uses two phases:
Phase 1 (IKE): Authenticates peers and establishes a secure IKE SA.
Phase 2: Negotiates the IPsec SA and generates encryption keys.
Key terms include SA, ESP, AH, IKE, HMAC, SPI, NAT traversal, and rekeying. VPNs can be policy‑based (traffic filtered by ACLs) or route‑based (traffic routed through tunnel interfaces).
10. Denial‑of‑Service (DoS) attacks and mitigation
Common DoS types:
SYN Flood – mitigated with SYN‑Cookie and rate limiting.
ICMP Flood – limited by maximum ICMP packets per second.
UDP Flood – limited by maximum UDP packets per second.
IP Flood – rate‑limited IP packets.
Land, Tear‑Drop, Ping of Death – malformed packets are dropped.
Smurf, Fraggle – broadcast‑based attacks blocked by disabling vulnerable services.
Connection Flood – limits concurrent connections.
Reload – mitigated by request throttling.
11. Port scanning
Attackers probe targets using various scans:
SYN scan (half‑open)
ACK scan (bypasses SYN detection)
NULL, FIN, Xmas scans (no flags or all flags set)
UDP scan
Host sweep (ICMP/TCP probes across many hosts)
Firewalls can detect and block these scanning patterns.
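The scan patterns listed above can be recognised from a firewall's deny log. The following Python detector is an added example, not part of the original article: it flags single packets whose TCP flag combination never occurs in a legitimate exchange (NULL, FIN, Xmas), counts distinct ports probed per source and target for SYN, ACK and UDP scans, and counts distinct hosts per source for a host sweep. The log format, thresholds and sample lines are constructed.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(r"action=(\w+) proto=(\w+) src=(\S+) dst=(\S+) dport=(\d+) flags=(\w*)")
# Flag combinations that never occur in a legitimate TCP exchange (NULL, FIN, Xmas scans).
ANOMALOUS_FLAGS = {"": "NULL scan", "F": "FIN scan", "FPU": "Xmas scan"}
PORT_THRESHOLD = 5   # distinct ports probed on one host by one source
HOST_THRESHOLD = 4   # distinct hosts probed by one source

# Constructed firewall log lines (not real traffic): one SYN scanner, one NULL/Xmas
# scanner, one ICMP host sweep and one legitimate permitted connection.
SAMPLE_LOG = (
    [f"t={i} action=deny proto=tcp src=198.51.100.20 dst=10.0.0.5 dport={p} flags=S"
     for i, p in enumerate((21, 22, 23, 25, 80, 443))]
    + ["t=7 action=deny proto=tcp src=198.51.100.21 dst=10.0.0.5 dport=22 flags=",
       "t=8 action=deny proto=tcp src=198.51.100.21 dst=10.0.0.5 dport=22 flags=FPU"]
    + [f"t={9 + i} action=deny proto=icmp src=198.51.100.22 dst=10.0.0.{i} dport=0 flags="
       for i in range(1, 5)]
    + ["t=20 action=permit proto=tcp src=192.0.2.9 dst=10.0.0.5 dport=443 flags=S"])

def detect_scans(lines):
    """Return {source_ip: set of findings} from denied-packet log lines."""
    findings = defaultdict(set)
    probes = defaultdict(set)   # (src, dst, scan type) -> ports probed
    hosts = defaultdict(set)    # src -> hosts touched
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group(1) != "deny":
            continue   # only denied packets are probes; permitted traffic is ignored
        _, proto, src, dst, dport, flags = m.groups()
        hosts[src].add(dst)
        if proto == "tcp" and flags in ANOMALOUS_FLAGS:
            findings[src].add(ANOMALOUS_FLAGS[flags])   # a single packet is enough
        elif proto == "tcp" and flags in ("S", "A"):
            kind = "SYN scan" if flags == "S" else "ACK scan"
            probes[(src, dst, kind)].add(int(dport))
        elif proto == "udp":
            probes[(src, dst, "UDP scan")].add(int(dport))
    for (src, dst, kind), ports in probes.items():
        if len(ports) >= PORT_THRESHOLD:
            findings[src].add(f"{kind} of {dst}")
    for src, targets in hosts.items():
        if len(targets) >= HOST_THRESHOLD:
            findings[src].add("host sweep")
    return dict(findings)
```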
12. IDS/IPS and Deep Inspection
IDS (Intrusion Detection System) monitors and alerts; IPS (Intrusion Prevention System) blocks malicious traffic. Capabilities include detecting information leakage, code execution, DoS, buffer overflow, SQL injection, XSS, exploit attacks, botnets, phishing, and more. Responses: alerting, logging, and active blocking (e.g., sending TCP RST).
13. Additional security features
CVE: Common Vulnerabilities and Exposures identifiers for known flaws.
Antivirus: Host‑based (installed on endpoints) and gateway‑based (scans traffic).
Anti‑spam: Filters bulk or malicious email.
DLP (Data Loss Prevention): Monitors and blocks sensitive data exfiltration.
URL filtering: Blocks access to malicious or unwanted web sites.
Monitoring, logging, reporting: Real‑time status, alerts (SNMP, email, syslog), and detailed logs.
Packet capture: Captures traffic for analysis, exportable to PCAP.
14. Performance metrics
Key factors include:
Maximum concurrent sessions (tens of thousands to millions).
NAT table size (if separate from session table).
New sessions per second (session‑establishment rate).
Throughput (bits per second) and packets per second.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)