What is a Firewall? Types, How It Works, and Configuration Basics

A firewall is a network security system—hardware, software, or both—that monitors and controls network traffic by applying a set of predefined security rules to permit or block packets. This guide covers the 4 primary firewall types, how each inspects traffic differently, how Windows Defender Firewall is configured, and the DMZ concept used in network architecture.

What Is a Firewall?

A firewall is a security enforcement point that sits between a trusted internal network and an untrusted external network (such as the internet) and inspects all traffic attempting to cross the boundary. Based on configured rules, the firewall permits, blocks, or logs each packet or connection.

The term “firewall” borrows from the construction term for a fire-resistant barrier between building sections that contains a fire and prevents its spread. In networking, a firewall contains network threats within defined zones and prevents lateral spread.

The first network firewalls were developed in 1988 by engineers at Digital Equipment Corporation (DEC). The first paper on firewall technology was published by researchers at AT&T Bell Labs in 1988. The first commercial firewall product was DEC SEAL, released in 1992.

How Does a Firewall Work?

A firewall works by comparing every network packet against an ordered list of rules (a ruleset or access control list). Each rule specifies: source IP address, destination IP address, source port, destination port, protocol (TCP/UDP/ICMP), and action (allow, deny, drop, log).

Rules are evaluated in order. The first matching rule determines the action. A default deny rule at the end of the ruleset blocks all traffic not explicitly permitted—this is the fail-safe default principle applied to network security.

Example rule (Windows Defender Firewall): Allow inbound TCP traffic on destination port 443 from any source to this host. This rule permits HTTPS connections. A rule blocking inbound TCP port 23 (Telnet) prevents unencrypted remote terminal access.
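The ordered, first-match evaluation described above, as an added example that is not the page's own code: a minimal rule evaluator with the HTTPS and Telnet rules from the text plus an implicit default-deny. The Packet and Rule classes, the evaluate function and the RULESET contents are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example of first-match rule evaluation; not the page's code.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str      # "TCP", "UDP" or "ICMP"
    src_port: int
    dst_port: int
    direction: str     # "in" (toward this host) or "out"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "block"
    direction: str = "any"
    protocol: str = "any"
    src: str = "0.0.0.0/0"      # CIDR the source IP must fall inside
    dst_port: int = 0           # 0 means "any destination port"

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in ("any", pkt.direction)
                and self.protocol in ("any", pkt.protocol)
                and ip_address(pkt.src_ip) in ip_network(self.src)
                and self.dst_port in (0, pkt.dst_port))

def evaluate(rules: list, pkt: Packet) -> tuple:
    """Walk the ordered ruleset; the first rule that matches decides.
    A packet matching nothing hits the implicit default-deny at the end."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "block", "default-deny"

# Ruleset in evaluation order: the page's HTTPS and Telnet rules, SSH
# restricted to an admin range, and unrestricted outbound traffic.
RULESET = [
    Rule("allow-https", "allow", direction="in", protocol="TCP", dst_port=443),
    Rule("block-telnet", "block", direction="in", protocol="TCP", dst_port=23),
    Rule("allow-ssh-admin", "allow", direction="in", protocol="TCP",
         src="10.0.0.0/8", dst_port=22),
    Rule("allow-outbound", "allow", direction="out"),
]

if __name__ == "__main__":
    https = Packet("203.0.113.5", "192.0.2.10", "TCP", 40000, 443, "in")
    print(evaluate(RULESET, https))                       # ('allow', 'allow-https')
    # Order matters: a broad block placed first shadows the later HTTPS allow.
    print(evaluate([Rule("block-all-in", "block", direction="in")] + RULESET, https))
```

Note that SSH from an address outside 10.0.0.0/8 matches no rule and is blocked by the default-deny, which is the fail-safe behaviour the text describes.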

What Are the 4 Types of Firewalls?

Firewall technology has evolved through 4 generations, each adding deeper traffic inspection capability:

1. Packet Filtering Firewall

A packet filtering firewall examines individual packets in isolation, inspecting only the packet header: source IP, destination IP, source port, destination port, and protocol. It does not maintain state between packets or inspect the payload content.

Packet filtering is the fastest firewall type because it requires minimal processing per packet. It operates at OSI Layer 3 (Network) and Layer 4 (Transport).

The limitation: a packet filtering firewall cannot distinguish whether a packet is part of an established connection or a new unsolicited connection attempt. An attacker can craft packets with spoofed source addresses that pass filter rules.

2. Stateful Inspection Firewall

A stateful inspection firewall (also called a stateful firewall or dynamic packet filtering firewall) maintains a state table tracking all active network connections. When a packet arrives, the firewall checks whether it belongs to an established, permitted session before evaluating static rules.

For TCP, the firewall tracks the 3-way handshake (SYN, SYN-ACK, ACK) to establish state. Return traffic from an established connection is automatically permitted without requiring a separate inbound rule, while inbound packets that match no entry in the state table, including unsolicited connection attempts, are blocked.

Stateful firewalls are the baseline type in all modern operating systems (Windows Defender Firewall, iptables on Linux, pf on macOS/FreeBSD) and enterprise hardware appliances.
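The state-table behaviour described above, as an added example that is not the page's code or any real firewall's implementation: a simplified tracker that follows the TCP handshake, admits return traffic of known sessions, and blocks packets that match no session. The Segment class, StatefulFirewall and run are constructed names; FIN-based teardown is omitted for brevity.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed example (not the page's code): a simplified TCP state table
# that follows the 3-way handshake and admits only traffic of known sessions.
@dataclass(frozen=True)
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str         # "S", "SA", "A", "PA", "R"
    direction: str     # "out": internal host -> outside, "in": outside -> internal host

class StatefulFirewall:
    def __init__(self, allowed_outbound_ports: Iterable[int]):
        self.allowed_outbound_ports = set(allowed_outbound_ports)   # static rules
        self.table: Dict[Tuple[str, int, str, int], str] = {}       # state table

    @staticmethod
    def _key(seg: Segment) -> Tuple[str, int, str, int]:
        # Normalise to (internal ip, internal port, external ip, external port)
        # so both directions of one connection share a single entry.
        if seg.direction == "out":
            return (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        return (seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port)

    def process(self, seg: Segment) -> str:
        key = self._key(seg)
        state = self.table.get(key)
        if seg.direction == "out" and seg.flags == "S" and state is None:
            if seg.dst_port not in self.allowed_outbound_ports:
                return "block"                 # static rule rejects this new session
            self.table[key] = "SYN_SENT"
            return "allow"
        if seg.direction == "in" and seg.flags == "SA" and state == "SYN_SENT":
            self.table[key] = "SYN_RECEIVED"
            return "allow"
        if seg.direction == "out" and seg.flags == "A" and state == "SYN_RECEIVED":
            self.table[key] = "ESTABLISHED"
            return "allow"
        if state == "ESTABLISHED":
            if "R" in seg.flags:               # reset tears the entry down (FIN omitted)
                del self.table[key]
            return "allow"                     # return traffic needs no separate inbound rule
        return "block"                         # unsolicited inbound, or no matching session

def run(fw: StatefulFirewall, segments: List[Segment]) -> List[str]:
    """Feed segments in order and return the per-segment decision."""
    return [fw.process(s) for s in segments]
```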

3. Application Layer (Proxy) Firewall

An application layer firewall (proxy firewall) inspects the payload of packets—the actual application data—rather than just headers. It understands specific application protocols: HTTP, HTTPS, FTP, DNS, SMTP.

For HTTP traffic, an application layer firewall can inspect URLs, headers, and request methods. It can block specific URLs, detect SQL injection in HTTP parameters, enforce allowed HTTP methods (GET, POST only), and validate DNS responses for anomalies. Because the firewall terminates the connection and acts as a proxy, it inspects the complete data stream before forwarding it.

The limitation: application layer firewalls add significant latency and are limited to protocols they explicitly support. A new application protocol must be added to the firewall’s inspection engine before it can be analyzed.

4. Next-Generation Firewall (NGFW)

A next-generation firewall combines stateful inspection with deep packet inspection (DPI), an integrated intrusion prevention system (IPS), application awareness (identifying and controlling applications regardless of port), SSL/TLS inspection, user identity integration (tying rules to Active Directory users rather than IP addresses), and threat intelligence feeds.

NGFW products include Palo Alto Networks PA-Series, Fortinet FortiGate, Cisco Firepower, and Check Point Quantum. An NGFW can identify a Tor connection on port 443, block specific application features (allow LinkedIn but block LinkedIn messaging), and correlate traffic with threat intelligence to block known botnet C2 IP ranges.

The NGFW market is the current enterprise standard. The global NGFW market was valued at $4.7 billion in 2023 and is projected to reach $10.2 billion by 2028 (MarketsandMarkets).

Hardware Firewall vs. Software Firewall

Firewalls are deployed as hardware appliances or software applications:

  • Hardware firewall: A dedicated physical appliance with a custom OS optimized for packet processing. Sits at the network perimeter between the internet and the internal network. Protects all devices on the network simultaneously. Examples: Cisco ASA, Fortinet FortiGate, pfSense (open-source on commodity hardware). Throughput ranges from 100 Mbps on small office devices to 1 Tbps+ on enterprise chassis.
  • Software firewall: A firewall application installed on a host OS. Protects only the device it runs on. Examples: Windows Defender Firewall, macOS Application Firewall, iptables/nftables on Linux. Software firewalls are essential for laptops used outside the corporate network perimeter.

Windows Defender Firewall Configuration Basics

Windows Defender Firewall with Advanced Security provides stateful inspection on Windows 10 and Windows 11. Basic configuration principles:

  1. Profiles: Windows Defender Firewall applies 3 profiles based on network type: Domain (corporate Active Directory network), Private (home/trusted network), and Public (untrusted network, e.g., coffee shop Wi-Fi). Public profile applies the most restrictive default rules, blocking most inbound connections.
  2. Inbound rules: Block all inbound connections that do not match an explicit allow rule by default. Allow only required services: Remote Desktop (TCP 3389—only if needed), file sharing (TCP 445—only on Private profile).
  3. Outbound rules: By default, all outbound traffic is allowed. For stricter environments, define allow-list outbound rules that permit only approved services.
  4. Logging: Enable firewall logging (dropped packets and successful connections) to %systemroot%\system32\LogFiles\Firewall\pfirewall.log for incident investigation.

Command-line management via netsh: netsh advfirewall firewall add rule name="Block Telnet" protocol=TCP dir=in localport=23 action=block blocks inbound Telnet. Management via PowerShell: New-NetFirewallRule -DisplayName "Block Telnet" -Direction Inbound -Protocol TCP -LocalPort 23 -Action Block.
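A defender-side use of the logging described in step 4, as an added example that is not the page's code: a parser for pfirewall.log that counts dropped inbound packets per destination port and flags hits on the ports this page says to block. The column names are assumed from the "#Fields:" header Windows writes in that log; every sample line is constructed.

```python
from collections import Counter
from typing import Dict, Iterator, Set, Tuple

# Constructed sample in the layout Windows writes to pfirewall.log; the
# "#Fields:" header names the columns (assumed from that format), and every
# log line below is invented, using documentation address ranges.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 10:23:45 DROP TCP 203.0.113.5 192.168.1.10 51234 23 52 S 1234567 0 8192 - - - RECEIVE
2024-01-15 10:23:46 DROP TCP 203.0.113.5 192.168.1.10 51235 3389 52 S 1234568 0 8192 - - - RECEIVE
2024-01-15 10:23:47 DROP TCP 198.51.100.7 192.168.1.10 40000 445 52 S 99 0 8192 - - - RECEIVE
2024-01-15 10:23:48 ALLOW TCP 192.168.1.10 93.184.216.34 51236 443 0 - 0 0 0 - - - SEND
2024-01-15 10:23:49 DROP UDP 203.0.113.5 192.168.1.10 5000 161 60 - - - - - - - RECEIVE
"""

# The three inbound ports the page says should never be reachable from the internet.
CRITICAL_PORTS = {23: "Telnet", 3389: "RDP", 445: "SMB"}

def parse_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                 # malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))

def summarize_inbound_drops(text: str) -> Tuple[Counter, Dict[int, Set[str]], Dict[int, str]]:
    """Count inbound drops per destination port, record sources, flag critical ports."""
    per_port: Counter = Counter()
    sources: Dict[int, Set[str]] = {}
    for row in parse_log(text):
        if row["action"] != "DROP" or row["path"] != "RECEIVE":
            continue                 # only inbound ("RECEIVE") drops are of interest here
        port = int(row["dst-port"])
        per_port[port] += 1
        sources.setdefault(port, set()).add(row["src-ip"])
    flagged = {p: CRITICAL_PORTS[p] for p in per_port if p in CRITICAL_PORTS}
    return per_port, sources, flagged

if __name__ == "__main__":
    counts, srcs, flagged = summarize_inbound_drops(SAMPLE_LOG)
    for port, name in flagged.items():
        print(f"{name} (port {port}): {counts[port]} drop(s) from {sorted(srcs[port])}")
```

Point it at the real file by reading %systemroot%\system32\LogFiles\Firewall\pfirewall.log into the text argument; allowed outbound records and malformed lines are ignored.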

What Is a DMZ (Demilitarized Zone)?

A DMZ (demilitarized zone) is a network segment positioned between the internal trusted network and the external internet, connected by 2 separate firewalls, that hosts publicly accessible services while isolating them from the internal network.

Architecture: The internet connects to the external firewall. The DMZ segment (containing web servers, email servers, and DNS servers) connects to both the external firewall and the internal firewall. The internal network connects to the internal firewall only.

Traffic from the internet reaches DMZ servers but cannot directly reach internal systems. If a DMZ server is compromised, the internal firewall prevents lateral movement to internal resources.

Services hosted in a DMZ: public web servers, external email servers (MX hosts), VPN concentrators, DNS authoritative servers, public API endpoints.

Common Firewall Rules

Standard firewall rules applied in most security configurations include:

  • Block inbound TCP port 23 (Telnet): Telnet transmits credentials in cleartext. SSH (port 22) is the encrypted replacement.
  • Allow inbound TCP port 443 (HTTPS): Required for encrypted web traffic to web servers.
  • Allow inbound TCP port 22 (SSH): For remote server management—restrict source IP to admin network ranges only.
  • Block inbound TCP port 3389 (RDP) from external IPs: Remote Desktop Protocol exposed directly to the internet is a top attack vector for ransomware delivery. Restrict to VPN or internal IPs only.
  • Block inbound TCP/UDP port 445 (SMB) from external IPs: The SMB protocol (Windows file sharing) is the vector exploited by WannaCry and other network worms. Never expose SMB externally.
  • Allow outbound TCP port 443 and 80: Required for HTTPS and HTTP browsing from internal clients.

Comparison of the 4 Firewall Types

Firewall Type              | OSI Layer | Inspects                                      | State Tracking | Application Awareness  | Performance
Packet filtering           | L3–L4     | IP headers, ports, protocol                   | No             | No                     | Highest
Stateful inspection        | L3–L4     | Headers + connection state                    | Yes            | No                     | High
Application layer (proxy)  | L3–L7     | Full payload, protocol semantics              | Yes            | Yes (per protocol)     | Medium
Next-generation (NGFW)     | L3–L7     | Full DPI, application identity, user identity | Yes            | Yes (all applications) | Medium–High

Key Takeaways

  • A firewall enforces security rules on network traffic, permitting or blocking packets based on source/destination IP, port, protocol, and—in advanced types—application identity.
  • The first network firewalls were developed in 1988 at DEC and AT&T Bell Labs.
  • The 4 firewall types are: packet filtering, stateful inspection, application layer (proxy), and next-generation (NGFW)—each adding deeper inspection capability.
  • Stateful inspection is the baseline type; NGFW is the current enterprise standard adding DPI, IPS, and user identity.
  • A DMZ isolates publicly accessible servers between 2 firewalls, preventing a compromised server from reaching internal resources.
  • Critical ports to block inbound from the internet: TCP 23 (Telnet), TCP 3389 (RDP), TCP/UDP 445 (SMB).

Frequently Asked Questions

What does a firewall do?

A firewall monitors network traffic and applies rules to permit or block packets based on source IP, destination IP, port, and protocol. It enforces a network security boundary between trusted and untrusted networks.

What is the difference between a stateful and stateless firewall?

A stateless (packet filtering) firewall examines each packet independently. A stateful firewall tracks connection state—it knows whether a packet is part of an established session and permits return traffic automatically without separate inbound rules.

What is a next-generation firewall (NGFW)?

An NGFW combines stateful inspection with deep packet inspection (DPI), application identification, user identity-based rules, integrated IPS, and SSL inspection. It can identify applications regardless of port number and apply policy per application.

Does a firewall stop all cyberattacks?

No. A firewall controls network traffic but cannot stop malware delivered via permitted traffic (email attachments over port 25/443), social engineering, physical access, or insider threats. Firewalls are one layer in a defense-in-depth strategy.

What is a DMZ in networking?

A DMZ (demilitarized zone) is a network segment between two firewalls that hosts publicly accessible servers. Internet traffic reaches DMZ servers but cannot directly reach the internal network. A compromised DMZ host cannot access internal resources.

Last Thoughts on What Is a Firewall

A firewall is the primary enforcement point for network security policy, controlling what traffic enters and exits a network based on rules applied at varying depths—from simple packet header inspection in stateless firewalls to full application-layer and user-identity-aware inspection in next-generation firewalls. Correct configuration—blocking inbound Telnet, SMB, and exposed RDP; deploying DMZ architecture for public servers; and applying the principle of default-deny—reduces attack surface without blocking legitimate operations.

Nizam Ud Deen

Nizam Ud Deen is the founder of theCoreiTech, a tech-focused platform dedicated to simplifying the world of computers, hardware, and digital innovation. With nearly a decade of experience in digital marketing and IT, Nizam combines strategic marketing insight with deep technical understanding. As a passionate entrepreneur, he has built multiple successful digital products and online ventures, helping bridge the gap between technology and everyday users. His mission through theCoreiTech is to empower readers to make informed decisions about computers, hardware, and emerging tech trends through clear, data-driven, and actionable content.