What is a firewall in cybersecurity?
A firewall is a network security system that monitors and controls incoming and outgoing traffic based on a predefined set of rules. Its core function is simple: allow traffic that is trusted and expected, and block traffic that is not. In doing so, it acts as a barrier between a trusted internal network and untrusted external networks — most commonly the internet.
The term comes from the physical concept of a fire-resistant wall built to slow the spread of fire between structures. In networking, the analogy holds: a firewall does not eliminate threats entirely, but it contains and limits what can pass from one environment to another, buying time and reducing exposure.
Firewalls have been a foundational element of network security for over three decades. They were among the first dedicated security tools deployed at the network perimeter, and they remain a cornerstone of virtually every enterprise security architecture today — though their form, capabilities, and placement have evolved dramatically. Modern firewalls range from simple packet filters to cloud-delivered services capable of inspecting encrypted application-layer traffic in real time.
How does a firewall work?
At its core, a firewall works by inspecting network traffic — individual units of data called packets — and comparing them against a set of rules to determine whether they should be allowed through or blocked. The sophistication of that inspection process varies significantly depending on the type of firewall, but the underlying logic is consistent: match traffic against policy, and enforce the result.
Rule sets and policies
Firewalls operate according to administrator-defined rules that specify what traffic is permitted and what is denied. These rules typically evaluate attributes such as source IP address, destination IP address, port number, and protocol. A rule might specify, for example, that traffic from any external IP address to internal port 22 (SSH) is blocked, while traffic to port 443 (HTTPS) from known trusted ranges is allowed. Rules are evaluated in order, and the first matching rule determines the outcome.
Packet inspection
The most basic firewalls perform stateless packet filtering — examining each packet independently, checking its header information against the rule set, and making a pass or block decision without any context about what came before it. More advanced firewalls perform stateful inspection, tracking the state of active connections so they can make more intelligent decisions. A stateful firewall knows, for example, that a packet arriving on a given port is part of an established, legitimate connection rather than an unsolicited inbound probe — and treats it accordingly.
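The two inspection models above, worked through on the article's own example policy (SSH from anywhere blocked, HTTPS allowed only from a trusted range). This is an added example, not code from the original page; the trusted range, the internal host addresses and the packet dictionaries are constructed for illustration, and the connection table is deliberately minimal (no TCP flag or timeout handling).

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
TRUSTED = ipaddress.ip_network("203.0.113.0/24")   # constructed "known trusted range"

@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                     # "tcp", "udp" or "any"
    dport: "int | None" = None     # None matches any destination port
    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))

# Policy mirroring the article's example: SSH from anywhere is blocked, HTTPS
# is allowed only from the trusted range, everything else is denied.
POLICY = [
    Rule("deny", ANY, ANY, "tcp", 22),
    Rule("allow", TRUSTED, ANY, "tcp", 443),
    Rule("deny", ANY, ANY, "any"),        # explicit default deny
]

def stateless_filter(pkt: dict, policy=POLICY) -> str:
    # Rules are evaluated in order; the first match wins, with no memory of earlier packets.
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "deny"

class StatefulFirewall:
    """Same policy plus a connection table: replies to an allowed connection need no rule."""
    def __init__(self):
        self.established = set()          # (src, sport, dst, dport, proto) flows
        self.log = []                     # audit trail of (verdict, flow) tuples
    def filter(self, pkt: dict) -> str:
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])
        if reverse in self.established:
            verdict = "allow"             # reply to a tracked connection
        else:
            verdict = stateless_filter(pkt)
            if verdict == "allow":
                self.established.add(flow)
        self.log.append((verdict, flow))
        return verdict
```

The stateless filter denies the server's reply to a permitted HTTPS request because no rule names that reverse flow; the stateful filter allows it from its connection table while still denying a packet that merely looks like a reply.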
Traffic logging and auditing
Beyond allowing and blocking traffic, firewalls maintain logs of what they have seen and what actions they took. These logs are a critical resource for security operations teams — they provide a record of connection attempts, blocked traffic, policy violations, and traffic patterns that can be used for threat detection, incident investigation, and compliance reporting. A well-configured firewall that generates no logs is a missed opportunity; the audit trail is often as valuable as the enforcement itself.
Placement and enforcement points
Firewalls are most commonly deployed at the network perimeter — the boundary between an organization’s internal network and the internet. However, modern security architectures deploy firewalls internally as well, between network segments, to limit lateral movement in the event of a breach. A firewall between the corporate network and a sensitive data environment, for example, ensures that even an attacker who has gained a foothold elsewhere on the network cannot freely access the most critical systems. This internal segmentation use case is increasingly important as perimeter-only security models prove insufficient against modern threats.
What are the different types of firewalls?
Firewall technology has evolved through several distinct generations, each building on the limitations of its predecessor. Understanding the different types helps clarify what level of protection each provides — and where the gaps lie.
- Packet filtering firewalls: The earliest and most basic form of firewall, packet filtering operates at Layers 3 and 4 of the OSI model. It inspects packet headers — source and destination IP addresses, ports, and protocols — and applies rules to allow or deny traffic. Packet filtering is fast and lightweight, but it has no awareness of connection state or application context. It cannot distinguish between a legitimate response packet and a malicious one using the same port, making it relatively easy to circumvent with modern techniques.
- Stateful inspection firewalls: Stateful firewalls introduced connection tracking, maintaining a table of active network sessions and using that context to make smarter decisions. Rather than evaluating each packet in isolation, a stateful firewall understands whether a given packet is part of an established connection or an unsolicited attempt. This became the dominant firewall model through the 1990s and 2000s and remains the baseline expectation for any firewall deployed today.
- Proxy firewalls: Proxy firewalls operate at Layer 7 — the application layer — acting as intermediaries between clients and servers. Rather than passing traffic directly, they terminate the connection on behalf of the client, inspect the full content of the request, and then establish a new connection to the destination. This deep inspection capability makes proxy firewalls effective at detecting application-layer threats, but the overhead of terminating and re-establishing every connection can introduce latency and scalability challenges.
- Next-generation firewalls (NGFW): NGFWs represent the current standard for enterprise firewall technology. They combine stateful inspection with deep packet inspection (DPI), integrated intrusion prevention (IPS), application awareness and control, identity-based policy enforcement, and SSL/TLS decryption. Where traditional firewalls ask “where is this traffic going?”, an NGFW asks “where is it going, what application is it, who sent it, and is it safe?” NGFWs are the default choice for organizations that need visibility and control beyond what port-and-protocol filtering can provide.
- Web Application Firewalls (WAF): WAFs are purpose-built to protect web applications and APIs from application-layer attacks — including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities. Unlike network firewalls that protect the perimeter, WAFs sit in front of web-facing applications and inspect HTTP and HTTPS traffic for malicious patterns. They are a distinct and complementary tool, not a replacement for a network firewall.
- Firewall as a Service (FWaaS): FWaaS delivers firewall capabilities from the cloud rather than through on-premises hardware. Traffic is routed to cloud-based enforcement points where NGFW-level inspection is applied, regardless of where the user or device is located. FWaaS is a key component of Secure Access Service Edge (SASE) architectures and is particularly well-suited to organizations with distributed workforces, hybrid environments, and heavy cloud adoption — where traditional perimeter appliances simply cannot follow the traffic.
What can’t a firewall protect against?
Firewalls are essential — but they are not a complete security solution. Understanding their limitations is just as important as understanding what they do well, because organizations that treat a firewall as their primary or only defense consistently find themselves exposed in ways that a firewall was never designed to address.
- Threats that originate inside the network: Firewalls are designed to control traffic crossing a boundary — most commonly the perimeter between internal and external networks. They have limited visibility into traffic that never crosses that boundary. An insider threat, a compromised internal device, or an attacker who has already gained a foothold on the network can move laterally between systems without ever triggering a perimeter firewall rule. Internal segmentation firewalls help, but they require deliberate architectural design and cannot fully compensate for the absence of broader access controls.
- Unmanaged and unverified endpoints: A firewall controls what traffic enters and exits the network, but it does not evaluate the security posture of the devices generating that traffic. A compromised laptop, an unpatched IoT device, or a personal device connecting under a valid user account can all pass through a firewall without issue — because from the firewall’s perspective, the traffic looks legitimate. The device itself is never interrogated. Network Access Control (NAC) addresses this gap by assessing device posture and compliance at the point of connection, before network access is granted.
- Identity and credential-based attacks: Firewalls enforce policy based on network attributes — IP addresses, ports, protocols, and in the case of NGFWs, application identity. They are not purpose-built to verify whether the human or system behind a connection is who they claim to be. Stolen credentials, session hijacking, and pass-the-hash attacks can all result in traffic that appears completely legitimate to a firewall because it is technically originating from a valid account. Identity-centric controls — multi-factor authentication, Zero Trust Network Access (ZTNA), and continuous authentication — are required to address this class of threat.
- Encrypted threats: While NGFWs can perform SSL/TLS inspection, many organizations do not fully enable it due to performance concerns, privacy considerations, or the complexity of certificate management at scale. Attackers are well aware of this, and an increasing proportion of malware delivery, data exfiltration, and command-and-control communication now travels over encrypted channels specifically to avoid inspection. A firewall that cannot see inside encrypted traffic is effectively blind to a growing share of modern attacks.
- Misconfiguration and rule decay: Firewalls are only as effective as the rules governing them. Over time, firewall rule sets tend to grow complex and unwieldy — legacy rules accumulate, exceptions multiply, and the original intent of policies becomes unclear. Misconfigured firewalls are a consistent contributor to real-world breaches. A firewall with overly permissive rules, unnecessary open ports, or poorly scoped allow-lists provides a false sense of security that may actually be worse than no firewall at all, because it creates unwarranted confidence.
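A small audit of the rule-decay problem described above, added here as an example and not code from the original page. The rule set is constructed; the check flags a catch-all allow and any rule that can never match because an earlier rule already covers every packet it would match (first match wins), which is exactly how a "temporary" exception silently overrides a later deny.

```python
import ipaddress

# Constructed rule set showing typical decay. Each rule is
# (action, src_cidr, dst_cidr, proto, dport); dport None means any port.
RULESET = [
    ("allow", "10.0.0.0/8",  "10.0.50.0/24", "tcp", 443),
    ("allow", "0.0.0.0/0",   "0.0.0.0/0",    "any", None),   # forgotten "temporary" catch-all
    ("deny",  "0.0.0.0/0",   "10.0.50.0/24", "tcp", 22),     # intended SSH block, never reached
    ("allow", "10.0.1.0/24", "10.0.50.0/24", "tcp", 443),    # narrower duplicate of rule 0
]

def covers(broad, narrow) -> bool:
    """True if every packet matched by `narrow` is also matched by `broad` (IPv4 only)."""
    _, bs, bd, bp, bport = broad
    _, ns, nd, np_, nport = narrow
    return (ipaddress.ip_network(ns).subnet_of(ipaddress.ip_network(bs))
            and ipaddress.ip_network(nd).subnet_of(ipaddress.ip_network(bd))
            and bp in ("any", np_)
            and bport in (None, nport))

def audit(rules) -> list:
    """Flag catch-all allows and rules shadowed by an earlier rule (first match wins)."""
    findings = []
    for i, rule in enumerate(rules):
        action, src, _, _, dport = rule
        if action == "allow" and ipaddress.ip_network(src).prefixlen == 0 and dport is None:
            findings.append(f"rule {i}: allows any source to any port")
        for j in range(i):
            if covers(rules[j], rule):
                kind = "unreachable"
                if action == "deny" and rules[j][0] == "allow":
                    kind = "deny rule silently overridden by an earlier allow"
                findings.append(f"rule {i}: {kind} (shadowed by rule {j})")
                break
    return findings

if __name__ == "__main__":
    for finding in audit(RULESET):
        print(finding)
```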
The most resilient security architectures use firewalls as one layer within a broader defense-in-depth strategy. A firewall controls what traffic is allowed to reach the network. NAC controls which devices and users are allowed to join it. ZTNA enforces least-privilege access to specific resources based on verified identity and device posture. Centralized authentication services ensure that credentials are consistently validated across every connection type. Together, these layers close the gaps that no single tool — including the best firewall available — can address alone.