Cybersecurity in Plain English: What is a Firewall?

A reader recently asked, “What is a firewall? How does it work, and what is it doing?” Both good questions, so let’s dig in and uncover what this critical network defense system does.

Most of us that have owned a car know that in an automobile, the firewall is the heavy metal panel that sits between the passenger compartment and the engine. Since the engine (in gas-powered and hybrid vehicles) works by exploding petroleum products, the chance that something could cause a fire is not insignificant. Especially in a crash or after taking damage from other sources, engine fires could pose a huge threat to anyone in the car itself. Therefore, the physical firewall does exactly what it says on the tin – it serves as a barrier between a fire in the engine compartment and everyone sitting in the passenger compartment. Physical firewalls are not uncommon in many other areas, such as in boats, different types of home/office areas, etc.

Digital firewalls are one of those things in cybersecurity that sound incredibly confusing, but the basic functions are actually straightforward. While there are advanced firewall platforms which do a ton of additional things, the primary function of a firewall is to control what comes into and goes out of a network. In essence, it serves the same function as the physical firewall – it keeps something burning through the Internet from getting into your controlled networks at home or in the office. It does this by looking at the traffic that is being moved into and out of the network itself, trying to find systems and patterns that just don’t belong there and blocking them from entering. The firewall also acts as a boundary to keep internal traffic from going out across the Internet as well, so that network information doesn’t leak. Note that we’re not talking about keeping confidential data from getting stolen here – the firewall deals with network traffic and cannot, alone, stop someone from sending a file outside the org if they’re sending it to a non-malicious target like Dropbox or OneDrive.


One bit of clarification before we move on: Commercial firewalls are designed to be used in corporate networks and are capable of seeing and filtering massive amounts of information – up to several gigabytes of data per second or more. They also can optionally have many of the advanced features that the rest of this post will describe. Home firewalls are significantly more limited, both in the speed of data they can process and in the features that are available. Your home firewall (most likely built into the router/modem you got from your cable provider or phone company) can cover the basics described below, but most likely can’t process more than one gigabyte of data per second or handle IDS/IPS and other advanced feature-sets. 


Most of this blocking activity is based on allow and block lists that are updated regularly within the firewall itself. Most commercial (and some home) firewalls come with subscriptions to threat intelligence feeds that provide them with constantly-updated lists of known malicious websites, IP addresses, and known malware file signatures to help make sure that any inbound or outbound traffic isn’t coming from/going to somewhere that is known to be a threat to the org. Most commercial and home firewalls can block traffic that doesn’t conform to known-safe patterns as well, such as when an application attempts to reach out over a weird port and/or some external website or app tries to communicate to your computer without your computer first communicating with that site or app.
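To make the two behaviours in that paragraph concrete (a threat-feed block list, plus refusing inbound connections that no internal machine asked for), here is a small stateful filter written for this post; it is an added illustration, not code from any firewall product, and the IP addresses, domain and port policy in it are constructed placeholders.

```python
"""Toy stateful firewall modelling the behaviour described above.

Constructed example: the block-list entries and the packets are made up
for illustration (documentation address ranges); none are real indicators.
"""
from dataclasses import dataclass

# Stand-in for a threat-intelligence feed (constructed values).
BLOCKED_IPS = {"203.0.113.45"}
BLOCKED_DOMAINS = {"bad.example"}
# Ports the policy lets internal hosts open connections on (assumed policy).
ALLOWED_OUTBOUND_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str          # "out" (LAN -> Internet) or "in" (Internet -> LAN)
    dst_domain: str = ""    # resolved name of the destination, if known


class StatefulFirewall:
    def __init__(self):
        # Sessions an internal host opened: (lan_ip, lan_port, ext_ip, ext_port)
        self.sessions = set()

    def decide(self, p: Packet) -> str:
        """Return "allow: <reason>" or "block: <reason>" for one packet."""
        if p.direction == "out":
            if p.dst_ip in BLOCKED_IPS or p.dst_domain in BLOCKED_DOMAINS:
                return "block: destination on threat feed"
            if p.dst_port not in ALLOWED_OUTBOUND_PORTS:
                return "block: unexpected outbound port"
            # Remember the session so the reply traffic is allowed back in.
            self.sessions.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "allow: outbound session recorded"
        # Inbound: only replies to sessions an internal host started get through.
        if p.src_ip in BLOCKED_IPS:
            return "block: source on threat feed"
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.sessions:
            return "allow: reply to an established session"
        return "block: unsolicited inbound connection"
```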

Threat actors haven’t ignored how firewalls act, though, and have begun to take steps to overcome the protection a basic firewall can provide. For example, since most websites now use the more secure HTTPS protocol instead of the plainly visible HTTP, threat actors have started to also use HTTPS communication for their malicious actions. As HTTPS transmissions are encrypted, it’s very difficult – if not impossible – for a basic firewall to see if the communication is moving malicious files or performing other forms of bad behavior. While it is still possible to block connections by port or by originating site/URL, the firewall can no longer see the traffic itself, and therefore loses some important functionality. So, how do firewalls evolve to help with this?

Modern firewalls have many additional features, though generally they’re only available on more expensive commercial firewalls or very high-end home firewalls costing about as much as a commercial firewall. These include things like SSL decryption and inspection and Intrusion Detection Systems/Services (IDS) and Intrusion Prevention Systems/Services (IPS). These tool-sets make it significantly more difficult for a threat actor to succeed in getting across the firewall, but also add layers of complexity to cybersecurity that require trained and knowledgeable staff to set up and maintain.

SSL decryption and inspection is exactly what it says on the packet. HTTPS communications are encrypted between the website and the browser/application, and therefore appear as meaningless garbage when viewed by a normal firewall. With SSL decryption, these streams of data are decrypted by the firewall, examined for malicious content or intent, then re-encrypted and passed to the user’s device that requested them. Outbound data is also examined in this way, to look for signs that a user’s device is compromised, or potentially that an insider threat action is happening. Because of the nature of HTTPS, you can’t just decrypt and then re-encrypt data. That would result in major errors in the applications and browsers communicating over HTTPS and create a lot of headaches for users and app creators as well – as apps and browsers automatically look for and block this kind of activity, thinking it is a threat action. So, to set up SSL decryption and inspection, the IT/Cybersecurity team must configure both the network itself and also every device that will communicate over it with policies and security certificates which tell the devices that if traffic is re-encrypted by that known firewall, it should be treated as if it was never decrypted in the first place. This is, of course, very specific to the network in question, and only works if the end user device can confirm that the specific firewall in question was the only device to decrypt and then re-encrypt the data. By implementing SSL decryption and inspection, malware and other malicious traffic can be properly examined before it reaches the end-user device, allowing the firewall to resume its duties even where sites and apps are now sending/receiving data over HTTPS.
As you might guess, this system requires not only knowledgeable IT/Cybersecurity staff, but also help from Legal, Regulatory, Compliance, and often HR teams to make sure that no privacy or data regulations are being violated – as the organization can now see what would otherwise be unreadable data transmissions to banks, medical providers, and other sensitive/confidential communications.

IDS/IPS are systems which look at data packets that are being moved into and out of the network like a basic firewall, but they also seek out known patterns and behaviors that are malicious. This is accomplished by keeping track of what is being sent and received, and comparing that information to updated lists of data flows and behaviors which would indicate suspicious or outright malicious behaviors. A common example is a compromised endpoint getting data that is identifiable as Command and Control (C2) information from a threat tool or platform like a ransomware operator or criminal threat group. This would indicate that the end-user device is likely being subverted for use by a threat actor. As with blocking known bad websites and URLs, this requires continuously updated data on what activity and network traffic is considered to be such an indicator of compromise, and IDS/IPS service providers will also provide threat feeds that supply this information to the firewall on an ongoing basis. IDS/IPS can be used in conjunction with SSL decryption and inspection to perform even more effective scanning activities, and it isn’t uncommon for both functions to be part of a next-generation firewall platform, while still allowing the IT team to decide if they will use one, the other, or both. The names (Intrusion Detection vs. Intrusion Prevention) refer to two forms of this kind of protective feature. IDS will alert staff if indicators of compromise are detected, but will not actively block traffic, while IPS will both alert and block traffic when it sees suspicious activity. A firewall may offer one or the other, but rarely both, because IPS includes IDS detection features as part of its basic operations.
Blocking benign traffic can create massive disruptions to business, so IT/Cybersecurity teams must properly configure and regularly tune these systems to make sure the bad stuff gets blocked, good stuff gets through, and anything else is reported and quickly evaluated to determine what to do next.
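The following toy engine, added here as an illustration rather than taken from any IDS/IPS product, shows the two ideas above side by side: matching traffic against a signature list, spotting the regular check-in rhythm typical of C2 beaconing, and then either only raising an alert (IDS mode) or also blocking (IPS mode). The signatures, thresholds and flow records are all constructed.

```python
"""Toy IDS/IPS engine: detect-only (ids) versus detect-and-block (ips).

Constructed example: the signature list, thresholds and flow records are
made up; real products consume vendor threat feeds for this data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Stand-in for a threat feed of content signatures (constructed patterns).
SIGNATURES = [
    ("C2 check-in pattern", re.compile(rb"^BEACON id=[0-9a-f]{8}")),
    ("known malware download", re.compile(rb"MZ.{0,64}EVIL_SAMPLE", re.S)),
]
BEACON_MIN_COUNT = 4       # flows to one host before we call it periodic
BEACON_JITTER_SEC = 2.0    # how regular the gaps must be to count as a beacon


@dataclass
class Flow:
    ts: float        # seconds
    src_ip: str
    dst_ip: str
    payload: bytes


class IntrusionEngine:
    def __init__(self, mode: str):
        assert mode in ("ids", "ips")
        self.mode = mode
        self.seen = defaultdict(list)   # (src, dst) -> list of timestamps
        self.alerts = []                # what staff would be told about

    def _periodic(self, key) -> bool:
        """True once a host has contacted a peer at near-constant intervals."""
        ts = self.seen[key]
        if len(ts) < BEACON_MIN_COUNT:
            return False
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        return max(gaps) - min(gaps) <= BEACON_JITTER_SEC

    def inspect(self, f: Flow) -> str:
        """Return "pass", "alert" (IDS mode) or "block" (IPS mode)."""
        key = (f.src_ip, f.dst_ip)
        self.seen[key].append(f.ts)
        reasons = [name for name, rx in SIGNATURES if rx.search(f.payload)]
        if self._periodic(key):
            reasons.append("periodic beaconing to one external host")
        if not reasons:
            return "pass"
        self.alerts.append((f.ts, f.src_ip, f.dst_ip, reasons))
        return "block" if self.mode == "ips" else "alert"
```

The tuning point from the paragraph above shows up directly in `BEACON_MIN_COUNT` and `BEACON_JITTER_SEC`: set them too loosely and ordinary polling traffic gets flagged (or, in IPS mode, blocked).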

Finally, firewalls can be extended to work with other cybersecurity tools and platforms. Endpoint protection solutions can work cooperatively with firewalls to help detect and deal with malware or other activities that involve more than one stream of data and/or multiple endpoints. Data Loss Prevention tools can integrate with a firewall to block the transmission of data outside of extremely restricted endpoints and business applications. The potential list of integrations is nearly limitless, and your IT/Cybersecurity team can set up the right combination of tools, with the right configurations, to best protect the business while still letting users get their work done. 

So, a firewall is a device (usually physical but sometimes virtual) that sits between your internal network and the outside world. Its job is to make sure any communications coming into the network conform to known traffic patterns and aren’t coming from known malicious sites/URLs. Firewalls can be extended to do additional cybersecurity tasks such as decrypting and examining HTTPS communications, and to detect and block known forms of malicious traffic even if they’re coming from otherwise benign sites and services. They can also be extended by integrating firewalls with other cybersecurity systems to enhance all of your cyber resilience plans. This is a bit of an oversimplification of the full depth and breadth of what modern firewalls can do, but it is a good way to visualize their operations and functionality in your networks. 
