A firewall is a security system that monitors and controls network traffic based on a set of rules. Think of it as a checkpoint between your network and the outside world: traffic that matches the rules gets through; everything else gets blocked. Firewalls are one of the oldest and most fundamental security controls — but the term covers a wide range of technologies, from simple packet filters to sophisticated next-generation appliances.
How firewalls work
At their core, all firewalls inspect network traffic and decide whether to allow or deny it based on rules. What differs between firewall types is how much they inspect and what they inspect. More inspection generally means more security, but also more processing overhead.
Types of firewall
Packet filtering firewall
The simplest form. Examines individual packets (units of data) and checks source IP, destination IP, port number and protocol against a ruleset. Allows or denies based purely on these headers — no context about whether a packet is part of a legitimate conversation. Fast and cheap, but easy to circumvent and unable to detect attacks that spread across multiple packets. Most routers include basic packet filtering.
Stateful inspection firewall
An improvement on packet filtering that tracks the state of network connections — it knows whether a packet is part of an established, legitimate session or an unexpected, potentially malicious one. Traffic that isn't part of a recognised connection is denied. The standard for network firewalls since the 1990s; most hardware and software firewalls use stateful inspection as a baseline.
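To make the packet-filter versus stateful distinction concrete, here is an added simulation (not code from the original article): a stateless filter that can only see headers has to accept any inbound packet carrying ACK so that replies to our own connections get through, while a connection tracker accepts inbound packets only for sessions it has seen opened. The addresses, ports and flags are constructed; the `Packet` model and both filters are simplified assumptions, not a real implementation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # toy TCP flags: "S" = SYN, "A" = ACK, "SA" = SYN+ACK
    direction: str   # "in" = arriving from the internet, "out" = leaving our LAN

PUBLISHED_PORTS = {443}   # the one service we deliberately expose

def stateless_allow(pkt):
    """Packet filter: header fields only, no memory of earlier packets.
    To let replies to our own outbound connections back in, it has to accept
    any inbound packet carrying ACK and trust that it really is a reply."""
    if pkt.direction == "out" or pkt.dport in PUBLISHED_PORTS:
        return True
    return "A" in pkt.flags

class StatefulFilter:
    """Connection tracker: inbound traffic is accepted only when it belongs to a
    session this side opened, or is a fresh SYN to a published port."""
    def __init__(self):
        self.sessions = set()   # (local_ip, local_port, remote_ip, remote_port)

    def allow(self, pkt):
        if pkt.direction == "out":
            if pkt.flags == "S":                       # new outbound connection
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            return True                                # reply to a tracked session
        if pkt.dport in PUBLISHED_PORTS and pkt.flags == "S":
            self.sessions.add(key)                     # new inbound client
            return True
        return False                                   # unsolicited, no session

def run_scenario():
    """Constructed traffic; returns (stateless verdict, stateful verdict) per packet."""
    traffic = [
        Packet("10.0.0.5", 51000, "203.0.113.9", 443, "S", "out"),   # we open HTTPS
        Packet("203.0.113.9", 443, "10.0.0.5", 51000, "SA", "in"),   # genuine reply
        Packet("203.0.113.9", 443, "10.0.0.5", 51000, "A", "in"),    # genuine data
        Packet("198.51.100.7", 4444, "10.0.0.5", 3389, "A", "in"),   # unsolicited ACK to RDP
        Packet("198.51.100.7", 50100, "10.0.0.5", 443, "S", "in"),   # client to our web server
    ]
    sf = StatefulFilter()
    return [(stateless_allow(p), sf.allow(p)) for p in traffic]
```

Only the fourth packet separates the two: the stateless filter lets it through because it looks like a reply, the stateful one drops it because no session exists.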
Next-generation firewall (NGFW)
Adds capabilities on top of stateful inspection:
- Deep packet inspection (DPI) — examines the actual content of packets, not just headers. Can detect threats hidden inside legitimate protocols.
- Application awareness — identifies and controls traffic by application (Slack, Zoom, BitTorrent) regardless of port used.
- Intrusion prevention system (IPS) — actively blocks traffic that matches known attack signatures.
- TLS/SSL inspection — decrypts encrypted traffic to inspect it, then re-encrypts it. Essential for detecting threats that use HTTPS to hide.
- User identity awareness — applies rules based on who is logged in, not just which IP address the traffic comes from.
NGFWs are the standard for enterprise network security. Vendors include Palo Alto Networks, Fortinet, Check Point and Cisco. Cloud-hosted NGFW services (firewall-as-a-service) are increasingly common for distributed or remote-first organisations.
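The following added example (not from the article or any vendor's product) shows what "deep packet inspection" and "application awareness regardless of port" mean in practice: it classifies a flow's first payload by content, pulling the server name out of a TLS ClientHello or the Host header out of an HTTP request, so a connection to port 8443 is identified by what it carries rather than by its port number. The `build_client_hello` helper constructs a minimal sample record for the demonstration; a real NGFW parser handles many more record variants.

```python
import struct

def build_client_hello(host):
    """Constructed sample: a minimal TLS 1.2-style ClientHello carrying an SNI extension."""
    name = host.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type=host_name
    sni_ext = struct.pack("!HHH", 0, len(sni_entry) + 2, len(sni_entry)) + sni_entry
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                      # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                       # one cipher suite
            + b"\x01\x00"                                               # one compression method
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body        # type ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def tls_sni(p):
    """Return the SNI host name from a TLS ClientHello record, or None if p is not one."""
    if len(p) < 44 or p[0] != 0x16 or p[5] != 0x01:
        return None
    try:
        i = 43                                        # record(5) + handshake hdr(4) + version(2) + random(32)
        i += 1 + p[i]                                 # skip session id
        i += 2 + struct.unpack("!H", p[i:i + 2])[0]   # skip cipher suites
        i += 1 + p[i]                                 # skip compression methods
        end = i + 2 + struct.unpack("!H", p[i:i + 2])[0]
        i += 2
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", p[i:i + 4])
            if etype == 0:                            # server_name extension
                nlen = struct.unpack("!H", p[i + 7:i + 9])[0]
                return p[i + 9:i + 9 + nlen].decode("ascii")
            i += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                          # truncated or malformed: not a usable ClientHello
    return None

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")

def identify(payload):
    """Classify a flow's first payload by content, ignoring the port it arrived on."""
    sni = tls_sni(payload)
    if sni:
        return ("tls", sni)
    if payload.startswith(HTTP_METHODS):
        for line in payload.split(b"\r\n")[1:]:
            if line.lower().startswith(b"host:"):
                return ("http", line[5:].strip().decode("ascii", "replace"))
        return ("http", None)
    return ("unknown", None)
```

Note that without TLS inspection the SNI is all the firewall can read from an HTTPS flow; everything after the handshake is opaque, which is the gap the TLS/SSL inspection bullet above addresses.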
Web application firewall (WAF)
A firewall specifically designed for HTTP/HTTPS traffic — it operates at the application layer and protects web applications from attacks like SQL injection, cross-site scripting and other OWASP Top 10 vulnerabilities. A WAF sits in front of your web application (or is embedded in a CDN like Cloudflare) and inspects every request before it reaches your application code. See our full guide: what is a web application firewall?
Host-based firewall
Software running on an individual device (Windows Firewall, macOS firewall, ufw on Linux) that controls traffic to and from that specific machine. Useful as a second layer of defence even when a network firewall exists — it limits what can happen if traffic gets past the perimeter or an attacker is already inside the network.
Cloud firewall / firewall-as-a-service (FWaaS)
Network firewall functionality delivered from the cloud, used by organisations without on-premises hardware or with distributed workforces. Traffic is routed through the cloud firewall before reaching your network or applications. Part of the SASE (Secure Access Service Edge) architecture that many enterprises are moving toward.
Firewall vs WAF — what's the difference?
| Feature | Network firewall | WAF |
|---|---|---|
| Protects | Network perimeter, servers, services | Web applications specifically |
| Inspects | Network and transport layer traffic | HTTP/HTTPS requests and responses |
| Blocks | Unauthorised connections, known bad IPs, port scans | SQLi, XSS, OWASP Top 10 attacks |
| Deployed at | Network edge or cloud perimeter | In front of the web application |
You typically need both: a network firewall for perimeter security and a WAF for your web-facing applications. They complement rather than replace each other.
Does your business need a firewall?
Yes — but what kind depends on your setup:
- Self-hosted website or app: your hosting provider's network firewall handles the perimeter; add a WAF (Cloudflare free tier works for most) to protect your application.
- Office network with on-premises servers: an NGFW at the perimeter is essential. Also enable host-based firewalls on all devices.
- Cloud-hosted infrastructure (AWS, GCP, Azure): use cloud security groups as your packet filter baseline, plus a WAF (AWS WAF, Cloudflare, etc.) for web applications.
- Remote-first team with no central office: cloud firewall / FWaaS routes all traffic through centralised inspection regardless of where employees are.
Common firewall mistakes
- Overly permissive rules — "allow all outbound" policies mean malware and data exfiltration can operate freely once inside the network.
- Never reviewing rules — firewall rulesets accumulate technical debt. Rules added for old systems or vendors stay open long after they're needed.
- Relying on the firewall alone — a firewall is one layer. You still need patching, MFA, endpoint protection and monitoring. Attacks increasingly come through trusted channels (SaaS, supply chain) that the firewall allows by design.
- Ignoring encrypted traffic — without TLS inspection, attackers use HTTPS to bypass signature-based detection.
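As an added illustration of the first two mistakes (overly permissive rules and rules nobody reviews), here is a small rule audit, not taken from the article or any firewall vendor, that flags allow-all outbound rules, admin services open to the whole internet, and rules whose hit counters show they have not matched anything in 90 days. The `Rule` shape, the 90-day threshold and the sample ruleset are constructed assumptions; real products export rules and hit counts in their own formats.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    direction: str        # "in" or "out"
    proto: str            # "tcp", "udp" or "any"
    ports: str            # "any", a single port "22", or a range "1000-2000"
    remote: str           # CIDR the rule allows traffic from (in) or to (out)
    days_since_hit: int   # from the firewall's hit counters; None if never matched

ADMIN_PORTS = {22, 3389, 5900}   # SSH, RDP, VNC
STALE_AFTER_DAYS = 90            # assumed review threshold

def covers(ports, port):
    """True if a ports spec ("any", "22", "8000-8100") includes the given port."""
    if ports == "any":
        return True
    lo, _, hi = ports.partition("-")
    return int(lo) <= port <= int(hi or lo)

def audit(rules):
    """Return (rule name, finding) pairs for the mistakes listed above."""
    findings = []
    for r in rules:
        anywhere = ipaddress.ip_network(r.remote).prefixlen == 0   # 0.0.0.0/0 or ::/0
        if r.direction == "out" and anywhere and r.proto == "any" and r.ports == "any":
            findings.append((r.name, "allow-all outbound: callbacks and exfiltration pass freely"))
        if r.direction == "in" and anywhere and any(covers(r.ports, p) for p in ADMIN_PORTS):
            findings.append((r.name, "admin service exposed to the whole internet"))
        if r.days_since_hit is None or r.days_since_hit > STALE_AFTER_DAYS:
            findings.append((r.name, "never matched or idle beyond threshold: review or remove"))
    return findings

SAMPLE_RULES = [   # constructed ruleset for the demonstration
    Rule("web-in", "in", "tcp", "443", "0.0.0.0/0", 0),
    Rule("old-vendor-ssh", "in", "tcp", "22", "0.0.0.0/0", 400),
    Rule("egress-any", "out", "any", "any", "0.0.0.0/0", 0),
    Rule("egress-dns", "out", "udp", "53", "10.0.0.53/32", 1),
    Rule("legacy-erp", "in", "tcp", "8000-8100", "203.0.113.0/24", None),
]
```

Running `audit(SAMPLE_RULES)` leaves the published web rule and the tightly scoped DNS egress rule clean and flags the other three.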
FAQ
Does Windows have a built-in firewall?
Yes. Windows Defender Firewall is a host-based firewall enabled by default on all modern Windows versions. It blocks incoming connections that don't match allowed programmes or rules. It's a useful baseline but not a replacement for a network firewall or WAF for servers or business networks.
Can a firewall stop all attacks?
No. Firewalls stop a range of network-based attacks but can't prevent phishing, credential theft, insider threats, or attacks that use legitimate encrypted traffic. They're one essential layer in a defence-in-depth strategy.
What port does a firewall block by default?
Most default configurations deny all inbound traffic except on ports you explicitly allow (typically 80/443 for web, 25/587/465 for email, 22 for SSH). Outbound is often allowed by default — which is why outbound filtering matters for stopping data exfiltration and malware callbacks.