What is a firewall?
Firewalls are security systems with routing functionality that control, log, block or allow network traffic. They are an important element of a network and are used to restrict access to systems or to their services.
A firewall consists of hardware and software components. The hardware components are systems or computers with network interfaces, such as routers, servers or hosts. The software components are, for example, packet filters or proxy servers.
A further distinction is made between host-based and network-based firewalls. Host-based firewalls run on host computers and control the network traffic to and from those computers. Network firewalls filter the traffic between two or more networks, for example through a VPN connection.
How does a firewall work?
A firewall typically works on the network layer (Layer 3) and the transport layer (Layer 4) of the OSI reference model. For this reason, firewalls are also called packet filters. The firewall uses a set of rules to filter the packets; the rules are created and maintained by a firewall administrator. Every new packet is usually checked against all rules, in order from top to bottom. If none of the existing rules applies to the packet, the so-called “default policy” takes effect.
The default policy has two possible settings: “Allow all” or “Block all”. The latter is recommended because it increases the basic security: only network traffic for which a rule exists is allowed. The firewall or packet filter is able to filter or manipulate network packets based on various characteristics, such as IP source address, IP destination address, protocol or port numbers. Packet manipulation is used, for example, in Network Address Translation (NAT).
A further distinction is made between stateful packet inspection and stateless packet inspection. With stateful packet inspection, a firewall can interpret the connection state of the network traffic and thus recognize whether a packet belongs to a new or to an existing connection. This has the advantage that not every single packet of an existing connection has to be checked against the entire set of rules. For performance and speed reasons, firewalls usually work with stateful packet inspection.
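As an added illustration (not code from the original article), the following Python model implements the evaluation just described: rules are walked top to bottom, the first match wins, the default policy applies when nothing matches, and a connection table lets packets of already accepted flows bypass the rule list, which is the saving stateful inspection provides. The addresses, ports and rules are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str      # IP source address
    dst: str      # IP destination address
    proto: str    # "tcp", "udp", "icmp", ...
    dport: int    # destination port (0 for protocols without ports)

@dataclass(frozen=True)
class Rule:
    action: str                  # "ACCEPT" or "DROP"
    proto: Optional[str] = None  # None means "any value"
    dst: Optional[str] = None
    dport: Optional[int] = None
    src: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        # A rule matches when every characteristic it specifies equals the packet's
        return all(want is None or want == getattr(p, name)
                   for name, want in (("proto", self.proto), ("dst", self.dst),
                                      ("dport", self.dport), ("src", self.src)))

class Firewall:
    def __init__(self, rules, default_policy="DROP"):
        self.rules = list(rules)
        self.default_policy = default_policy   # "DROP" = block all, "ACCEPT" = allow all
        self.connections = set()               # flows already accepted (connection table)
        self.rule_checks = 0                   # rule comparisons made, to show the stateful saving

    def filter(self, p: Packet) -> str:
        flow = (p.src, p.dst, p.proto, p.dport)
        if flow in self.connections:           # existing connection: skip the rule list
            return "ACCEPT"
        for rule in self.rules:                # new connection: evaluate rules in order
            self.rule_checks += 1
            if rule.matches(p):
                if rule.action == "ACCEPT":
                    self.connections.add(flow) # remember the flow as established
                return rule.action
        return self.default_policy             # no rule applied: the default policy decides

# Constructed sample ruleset: web server reachable by everyone, SSH only from one admin host
SAMPLE_RULES = [
    Rule("ACCEPT", proto="tcp", dst="10.0.0.5", dport=443),
    Rule("ACCEPT", proto="tcp", dst="10.0.0.5", dport=22, src="10.0.0.9"),
    Rule("DROP", proto="icmp"),
]
```

With `default_policy="ACCEPT"` the same ruleset lets an SSH attempt from an unlisted host through, which is why the text recommends “Block all”.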
The most widespread packet filter is the Linux “netfilter”, which is part of the Linux kernel. It is used in products from well-known manufacturers and can be configured with the well-known “iptables” program.
A classic firewall or packet filter has no way of performing deep packet inspection. Functions such as IDS (Intrusion Detection System), IPS (Intrusion Prevention System) or WAF (Web Application Firewall) are usually part of a Next Generation Firewall (NGFW), or, in the case of the WAF, part of an application layer gateway.