Firewall Technologies

Compare packet-filtering, stateful, proxy, NGFW, WAF, host-based, and cloud-native controls.

Understand classic and next-generation firewall types, deployment models, and selection criteria for layered defence.

Core Firewall Types

Each entry gives the firewall type, the OSI layer it operates at, its key characteristics, and its use cases and considerations.

Packet-Filtering Firewall
OSI Layer: Network Layer (Layer 3)
Key Characteristics:
  • Evaluates packets based on source/destination IP, port, and protocol.
  • Stateless (classic ACLs) or basic stateful tracking for established connections.
Strengths: Low latency, easy to deploy on routers and simple appliances.
Limitations: Limited visibility into payload; susceptible to spoofing and application-layer attacks.
Use Cases: Perimeter filtering, embedded router ACLs, IoT network segmentation.

Stateful Inspection Firewall
OSI Layer: Network/Transport Layers (Layers 3-4)
Key Characteristics:
  • Maintains connection state tables for TCP/UDP sessions.
  • Allows return traffic dynamically based on established session context.
Strengths: Better protection against spoofed packets and unauthorized session attempts.
Limitations: Still limited visibility into application payload; can be resource intensive on large-scale networks.
Use Cases: Enterprise edge firewalls, VPN gateways, data center north-south traffic.

Application / Layer-7 Firewall (Proxy)
OSI Layer: Application Layer (Layer 7)
Key Characteristics:
  • Terminates client sessions and establishes new ones to the destination (proxy model).
  • Understands application protocols (HTTP, SMTP) and can enforce granular policies.
Strengths: Deep inspection, protocol validation, content filtering.
Limitations: Higher latency, requires protocol-specific configuration, may break encrypted sessions without TLS inspection.
Use Cases: Web application proxies, email security gateways, outbound content filtering.

Next-Generation Firewall (NGFW)
OSI Layer: Multi-layer (3-7)
Key Characteristics:
  • Combines stateful inspection with deep packet inspection, intrusion prevention, and application awareness.
  • Often integrates threat intelligence feeds, sandboxing, and user identity awareness.
Strengths: Comprehensive control, unified policy management, granular app/user rules.
Limitations: Complex to deploy and tune, higher cost, requires regular updates for signatures and application definitions.
Use Cases: Enterprise edge, segmentation between trust zones, cloud virtual firewalls.

Web Application Firewall (WAF)
OSI Layer: Application Layer (HTTP/HTTPS)
Key Characteristics:
  • Protects web applications from OWASP Top 10 issues, input validation flaws, and zero-day patterns.
  • Supports positive security (allow lists), negative security (block lists), and virtual patching.
Strengths: Focused protection for web apps, integrates with DevSecOps for rapid mitigation.
Limitations: Requires tuning to avoid false positives, limited visibility beyond HTTP/S.
Use Cases: Protecting internet-facing web services, API gateways, CDN edge security.

Cloud-Native Firewall / Security Groups
OSI Layer: Virtualized network layer, per cloud provider
Key Characteristics:
  • Policy constructs tied to workloads, subnets, or tags in AWS, Azure, and GCP.
  • Enforce east-west segmentation without traditional appliances.
Strengths: Scales with cloud deployments, integrates with automation and IaC workflows.
Limitations: Limited L7 features in basic offerings, provider-specific syntax.
Use Cases: Microsegmentation in cloud, hybrid workloads, serverless protections.

Host-Based Firewall / Endpoint Firewall
OSI Layer: Host network stack (Layers 3-4)
Key Characteristics:
  • Runs on individual servers or endpoints (Windows Defender Firewall, iptables, ufw).
  • Policies applied close to the workload, enabling zero trust segmentation.
Strengths: Granular per-host control, protects against lateral movement.
Limitations: Requires configuration management; risk of inconsistent policy if unmanaged.
Use Cases: Server hardening, workstation protection, containerized workloads.
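To make the stateless-versus-stateful distinction above concrete, here is an added Python simulation (not code from the original page) of both inbound checks: a classic ACL that trusts the ACK bit to recognise return traffic, and a state table that only admits packets matching a session opened from the inside. The hosts, ports and packets are constructed.

```python
from dataclasses import dataclass

PUBLIC_SERVICE_PORT = 443  # the one inbound service exposed on purpose

@dataclass(frozen=True)
class Packet:
    """Constructed 5-tuple plus TCP flags, the only fields a Layer 3/4 filter sees."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK

def stateless_inbound(pkt: Packet) -> bool:
    """Classic ACL: permit the public service, and treat any ACK-bearing packet as a reply."""
    if pkt.dport == PUBLIC_SERVICE_PORT:
        return True
    return "A" in pkt.flags  # the ACL cannot know whether a session really exists

class StatefulFilter:
    """Connection table keyed on (inside_ip, inside_port, outside_ip, outside_port)."""
    def __init__(self) -> None:
        self.sessions: set[tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> bool:
        # A bare SYN from the inside opens a session; replies are admitted only against it.
        if pkt.flags == "S":
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        if pkt.dport == PUBLIC_SERVICE_PORT:
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def compare() -> dict[str, bool]:
    """Run one legitimate reply and one unsolicited ACK-only packet through both filters."""
    fw = StatefulFilter()
    fw.outbound(Packet("10.1.1.5", 51000, "198.51.100.7", 443, "S"))
    reply = Packet("198.51.100.7", 443, "10.1.1.5", 51000, "SA")
    unsolicited = Packet("198.51.100.7", 443, "10.1.1.5", 22, "A")  # no session behind it
    return {
        "stateless_reply": stateless_inbound(reply),
        "stateless_unsolicited": stateless_inbound(unsolicited),  # ACL admits it
        "stateful_reply": fw.inbound(reply),
        "stateful_unsolicited": fw.inbound(unsolicited),          # state table rejects it
    }
```

The difference in the last two entries is exactly why the table credits stateful inspection with better protection against spoofed packets.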

Layered Architecture Diagram

  • Layer 1 (Perimeter Firewall): Edge NGFW providing north-south inspection, VPN termination, and threat intel blocking.
  • Layer 2 (Internal Segmentation Firewall): Rules between user VLANs and critical workloads implementing zero trust.
  • Layer 3 (Host-Based Firewall): Workload-local policies (iptables, Windows Defender Firewall) enforcing least privilege.
  • Layer 4 (Cloud Security Group): Provider-native rules attached to instances/subnets for east-west control.
  • Layer 5 (Application Firewall / WAF): Layer-7 inspection protecting web apps and APIs against OWASP risks.

Deployment Models

Perimeter Firewall

Classic edge firewall between trusted internal network and untrusted external network.

Focus: North-south traffic inspection, VPN termination, DDoS mitigation.

Internal Segmentation Firewall (ISFW)

Enforces policy between internal zones (e.g., user VLANs, data center tiers).

Focus: Zero trust, lateral movement prevention, compliance mandates.

Virtual / Cloud Firewall

Software-based firewalls deployed within cloud or virtualized environments.

Focus: Microsegmentation, workload isolation, policy-as-code integration.

Distributed Firewall / SDN-Based

Policy enforced at the hypervisor or virtual switch level (e.g., VMware NSX, Cisco ACI).

Focus: Scalable east-west control, dynamic policy tied to workloads/tags.

Hybrid Firewall Architecture

Combination of physical, virtual, and cloud-native controls managed centrally.

Focus: Unified visibility across on-prem and cloud, consistent policy enforcement.

Advanced Inspection Features

  • Deep Packet Inspection (DPI) for application signatures and protocol anomalies.
  • Intrusion Prevention (IPS) with signature and behaviour-based detection.
  • SSL/TLS inspection for encrypted traffic visibility (requires certificate management).
  • User and Identity awareness via directory integration (AD/LDAP).
  • Sandboxing and malware analysis for suspicious files.

Selection Checklist

  • Define in-scope traffic flows (north-south, east-west, cloud, remote access).
  • Assess performance needs (throughput, concurrent sessions, SSL inspection impact).
  • Determine compliance requirements (PCI DSS segmentation, HIPAA safeguards, CJIS).
  • Plan for automation and integration (REST APIs, SIEM logging, SOAR workflows).
  • Establish maintenance processes (signature updates, rule review, change control).

Zero Trust Considerations

  • Adopt least privilege policies: default deny, allow only known applications/ports.
  • Leverage dynamic groups/tags to simplify policy in dynamic environments.
  • Continuously monitor policy hits and adjust based on actual application dependency maps.
  • Use layered firewalls (perimeter + host-based) to protect against control plane bypass.
  • Regularly test policies with red/purple team exercises to validate segmentation.

Example Rule Sets

Perimeter Allow Rules
  • Allow: Corporate HQ IP range -> VPN Gateway (UDP 500, UDP 4500, ESP).
  • Allow: Internet -> Web VIP (TCP 443) with WAF inspection.
  • Allow: SOC management network -> Firewall management interface (HTTPS, SSH).

Precede with default deny; enable logging for allowed and denied traffic for auditing.

Internal Segmentation
  • Allow: App Servers -> Database Servers (TCP 1433) with IPS, TLS inspection.
  • Allow: Jump Host -> Admin Subnet (RDP/SSH) with MFA and session recording.
  • Deny: User VLANs -> Database Servers (any) except approved service accounts.

Leverage tags/identity to avoid IP-centric policies in dynamic environments.

Host-Based Example (Linux iptables)
# Permit loopback and return traffic first so the current admin session survives
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 10.10.10.0/24 -j ACCEPT   # SSH from the management subnet only
iptables -A INPUT -p tcp --dport 443 -j ACCEPT                   # HTTPS service
iptables -A INPUT -j LOG --log-prefix "INPUT-DROP: " --log-level 4   # record what the default policy drops
iptables -P INPUT DROP                                           # default deny, set last

Apply via configuration management; ensure logging for dropped packets (`-j LOG`).

AWS Security Group Snippet
[
  { "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [ { "CidrIp": "0.0.0.0/0", "Description": "HTTPS from anywhere" } ] },
  { "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [ { "CidrIp": "203.0.113.10/32", "Description": "SSH from trusted admin host" } ] }
]

Restrict administrative access to trusted IPs; use security group references for tier-to-tier traffic.
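The two guidelines above can be checked mechanically before a change is applied. This added Python audit (not from the original page or any AWS tooling) walks ingress rules in the EC2 IpPermissions shape and flags administrative ports or all-traffic rules open to 0.0.0.0/0 and ::/0, plus tier-to-tier rules written as private CIDRs instead of security group references. The rules and the group id are constructed.

```python
import ipaddress

ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM

# Constructed ingress rules in the EC2 IpPermissions shape: CIDR sources live under
# IpRanges/Ipv6Ranges, references to another security group under UserIdGroupPairs.
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                       # public web, acceptable
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                       # admin port to the world
    {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},                     # tier-to-tier rule by CIDR
    {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
     "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},   # group reference, preferred
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},   # all traffic from anywhere
]

def audit_ingress(permissions):
    """Return (severity, message) findings for rules that break the two guidelines above."""
    findings = []
    for perm in permissions:
        proto = perm["IpProtocol"]
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # "-1" carries no ports
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0: the whole internet
                if proto == "-1":
                    findings.append(("high", f"all traffic allowed from {cidr}"))
                elif any(lo <= port <= hi for port in ADMIN_PORTS):
                    findings.append(("high", f"admin port range {lo}-{hi} exposed to {cidr}"))
            elif net.is_private:
                findings.append(("low", f"internal source {cidr} for ports {lo}-{hi}: "
                                        "use a security group reference instead"))
    return findings
```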

Azure NSG YAML (Bicep/Terraform-style)
# Quote "*" in YAML: a bare * starts an alias and fails to parse. Rules are evaluated lowest priority first.
- { priority: 100, direction: Inbound, access: Allow, protocol: Tcp, source: VirtualNetwork, destination: AppTier, port: 1433 }
- { priority: 200, direction: Inbound, access: Deny, protocol: "*", source: "*", destination: AppTier, port: "*" }

Express rules as infrastructure-as-code to maintain version control and peer review.
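Peer review of rules like these is easier with a tool that reasons about priority order. As an added example (not from the original page or any Azure tooling), this Python evaluator applies the two rules above plus a constructed third one in ascending priority order with first match winning, and reports rules that an earlier, broader rule makes unreachable. Source and destination values are treated as opaque labels rather than expanded service tags, and the 65500 fallback mirrors the built-in DenyAllInBound rule.

```python
# Constructed NSG rules using the page's fields. Azure evaluates inbound rules in ascending
# priority order and stops at the first match, so a later rule never fires when an earlier,
# broader rule already covers every flow it could match.
NSG_RULES = [
    {"priority": 100, "access": "Allow", "protocol": "Tcp", "source": "VirtualNetwork",
     "destination": "AppTier", "port": "1433"},
    {"priority": 200, "access": "Deny", "protocol": "*", "source": "*",
     "destination": "AppTier", "port": "*"},
    {"priority": 300, "access": "Allow", "protocol": "Tcp", "source": "Internet",
     "destination": "AppTier", "port": "443"},  # intended, but unreachable behind rule 200
]
FIELDS = ("protocol", "source", "destination", "port")
DEFAULT_DENY = ("Deny", 65500)  # mirrors the built-in DenyAllInBound rule

def field_matches(rule_value, flow_value):
    """A rule field matches when it is the wildcard or equals the flow's value."""
    return rule_value == "*" or rule_value == flow_value

def evaluate(rules, flow):
    """First-match evaluation in ascending priority order; returns (access, priority)."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if all(field_matches(rule[f], flow[f]) for f in FIELDS):
            return rule["access"], rule["priority"]
    return DEFAULT_DENY

def covers(broad, narrow):
    """True when every flow matched by `narrow` is also matched by `broad`."""
    return all(broad[f] == "*" or broad[f] == narrow[f] for f in FIELDS)

def shadowed_rules(rules):
    """Priorities of rules that can never match because an earlier rule covers them."""
    ordered = sorted(rules, key=lambda r: r["priority"])
    return [later["priority"] for i, later in enumerate(ordered)
            if any(covers(earlier, later) for earlier in ordered[:i])]

def check_policy():
    """Evaluate two constructed flows and list unreachable rules for review."""
    db = {"protocol": "Tcp", "source": "VirtualNetwork", "destination": "AppTier", "port": "1433"}
    web = {"protocol": "Tcp", "source": "Internet", "destination": "AppTier", "port": "443"}
    return evaluate(NSG_RULES, db), evaluate(NSG_RULES, web), shadowed_rules(NSG_RULES)
```

Running such a check in the pipeline that applies the infrastructure-as-code turns a silent ordering mistake into a failed review.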