
A firewall is a network security scanner that constantly checks all the data coming into your smartphone or computer for malicious traffic (read: hackers). There. Now you know the short answer to the question, “what is a firewall?” But for a more in-depth answer, read the rest of this article.


    What is a firewall?

    A firewall is a network security system that’s the first line of defense between a secure space (your device) and an unsecured network (usually the internet). It checks network traffic for malicious traffic trying to get into the device. It’s named after the structural component of the same name found in buildings and vehicles, usually meant to contain fires in a single area.

    A firewall operates according to security rules: basically, a list of allowed connections, like your browser, Steam client, Facebook Messenger, and so on. The incoming and outgoing traffic sent via these channels is automatically let through. However, if some unauthorized party tries to get through, it’s automatically blocked. That’s why we need to add firewall exceptions for the new multiplayer games we install.

    What are the types of firewalls?


    Depending on where the firewalls are installed, they’re classed as host- or network-based:

    1. A host-based firewall exists in the protected device itself. Thus, it’s a software firewall as it doesn’t have a physical device. You probably have one. 
    2. A network-based firewall monitors network traffic by sitting between one network (usually the internet) and another (your office’s internal network, for example). A proxy firewall or proxy service firewall is in this general area. Network-based firewalls are split into more categories:
    • Software appliance firewall runs on a device that is like a stripped-down version of a computer;
    • Hardware appliances are stored on a dedicated computer-like device built from the ground up to monitor the connected data streams. Likely to be found at an office;
    • Virtual appliances are stored on virtual machines and are thus meant to be used for extremely nerdy purposes. 

    Most users will only ever interact with the #1 version of this, as many operating systems these days come with their own firewalls (notably Windows). Yet, at the same time, different types of firewalls exist as they have evolved over time. 

    What are the generations of firewalls? 

    The modern firewall didn’t spring fully formed out of Microsoft’s head. In fact, there have been a few types of firewalls that replaced or supplemented each other over the years. Here’s an attempt to classify them by generation:

    1. Packet filtering firewall

    Ye olde packet filtering firewall was created by the Digital Equipment Corporation in 1988. As the name implies, it does basic packet filtering: inspecting data packets sent between devices by checking the IP addresses, port numbers, and so on against an allowed list. 

    Imagine someone looking at received parcels and chucking away those that weren’t addressed right. 

    Packet filtering firewalls are as old and basic as firewalls can get. They also operate on the network layer, which is one of the most basic levels (the third) of data transfers as classified by the OSI (Open Systems Interconnection) model. I will explain what it means in an article one day, promise. 

    2. Stateful inspection firewall

    With the packet filter firewall being so basic, it didn’t take long for someone to remix it into the stateful inspection firewall. AT&T Bell Labs introduced stateful inspection in 1989. It improved the efficiency of packet filtering by tracking the states of connection between your device and some other service – hence “stateful.” Old packet filter firewalls checked every packet in isolation and had no such state memory. 

    So if the stateful firewall knows that there is an ongoing connection, it allows the packets coming from that connection through without filtering. If a packet doesn’t fit one of the existing connections, it is checked against the filter criteria for establishing new connections. This allowed for a much greater processing speed than simple packet filters, as packets were no longer checked individually. Stateful inspection firewalls work on the Network and Transport layers of the OSI model, which shows even more sophistication. 
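The difference between the first two generations, as an added example (not code from the original article): a stateless filter judges every packet alone, while a stateful one keeps a connection table and consults its rules only for packets that match no known connection. The addresses, ports and rule list are constructed for illustration.

```python
from dataclasses import dataclass

LOCAL = "192.0.2.10"            # constructed address of the protected device
ALLOWED_OUT_PORTS = {53, 443}   # constructed rule list: ports the device may connect to

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False           # True only on the packet that opens a connection

def stateless_allow(p):
    """First generation: judge each packet in isolation."""
    if p.src == LOCAL:
        return p.dport in ALLOWED_OUT_PORTS
    # A reply is recognisable only by its source port, so any inbound
    # packet that claims an allowed source port gets through.
    return p.sport in ALLOWED_OUT_PORTS

class StatefulFirewall:
    """Second generation: remember the connections the device opened."""
    def __init__(self):
        self.connections = set()   # (local ip, local port, remote ip, remote port)
        self.rule_checks = 0       # how often the rule list had to be consulted

    def allow(self, p):
        outbound = p.src == LOCAL
        key = (p.src, p.sport, p.dst, p.dport) if outbound else (p.dst, p.dport, p.src, p.sport)
        if key in self.connections:
            return True            # known connection: no rule lookup needed
        self.rule_checks += 1
        if outbound and p.syn and p.dport in ALLOWED_OUT_PORTS:
            self.connections.add(key)
            return True
        return False               # unsolicited inbound, or port not on the list

TRAFFIC = [  # constructed sample traffic
    Packet(LOCAL, 50000, "198.51.100.7", 443, syn=True),  # device opens HTTPS
    Packet("198.51.100.7", 443, LOCAL, 50000),            # server's reply
    Packet(LOCAL, 50000, "198.51.100.7", 443),            # more data, same connection
    Packet("203.0.113.9", 443, LOCAL, 3389),              # inbound that nobody asked for
    Packet(LOCAL, 50001, "198.51.100.7", 23, syn=True),   # port not on the list
]

def run():
    fw = StatefulFirewall()
    stateful = [fw.allow(p) for p in TRAFFIC]
    return [stateless_allow(p) for p in TRAFFIC], stateful, fw.rule_checks
```

The stateless filter passes the fourth packet because its source port is on the list, while the stateful firewall drops it because the device never opened a connection to that host. The stateful firewall also consults its rules only three times for the five packets.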

    3. Application layer firewall 

    It didn’t take long for DEC to one-up themselves and release the first example of an Application Layer Firewall. To explain what that means would take some time, but working on the Application level (which sits a lot higher on the OSI model) allowed the firewall access to the most complex layer of data handling on a device. 

    This means that it is much better at sorting through the data no matter the source: browsers, HTTPS, FTP, the works. If you recall the Network and Transport communication layers, they are the 3rd and 4th on the OSI model. The Application layer is the 7th level – the final and the most complex. This is where all the apps and the programs you use daily live. 

    4. Next-generation firewall 

    Next-generation firewall (NGFW) is a term that covers one of the newest approaches to firewall design, which combines all the features of the previous generations with swanky tech like deep packet inspection, which checks the contents of the packet as well as the label. 

    A greater understanding of internet communication protocols (HTTP, FTP, other acronyms that end in “P”) allows next-generation firewalls to better tell if a certain data packet is trying to go somewhere it shouldn’t. It also includes a variety of additional network security technologies that aren’t simply firewalls: user identity management, intrusion detection and prevention, and so on. 
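A simplified illustration of checking the contents as well as the label, added here and not taken from any firewall product: the port number is the label, the first bytes of the stream are the contents, and the connection is dropped when the two disagree. The port policy and the sample payloads are constructed, and the protocol checks are deliberately minimal.

```python
# Constructed policy: the application protocol each destination port should carry.
EXPECTED = {22: "ssh", 80: "http", 443: "tls"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")

def identify(payload: bytes) -> str:
    """Guess the application protocol from the first bytes of a TCP stream."""
    # TLS record header: type 0x16 (handshake), version major 0x03, minor,
    # two length bytes; the handshake message type 0x01 (ClientHello) follows.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.startswith(b"SSH-"):          # SSH identification string
        return "ssh"
    if payload.startswith(HTTP_METHODS):     # HTTP request line
        return "http"
    return "unknown"

def inspect(dport: int, payload: bytes) -> str:
    """Compare what the packet contains with what its port says it is."""
    expected = EXPECTED.get(dport)
    if expected is None:
        return "drop: port not in policy"
    seen = identify(payload)
    if seen != expected:
        return f"drop: {seen} on port {dport}, expected {expected}"
    return "allow"

# Constructed sample payloads (only the leading bytes matter here).
CLIENT_HELLO = bytes.fromhex("160301002f0100002b0303")
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
SSH_BANNER = b"SSH-2.0-ExampleClient\r\n"

if __name__ == "__main__":
    for port, data in [(443, CLIENT_HELLO), (443, SSH_BANNER), (80, HTTP_REQUEST), (8080, HTTP_REQUEST)]:
        print(port, inspect(port, data))
```

A filter that looks only at port numbers would treat both port 443 streams the same way.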

    5. Unified Threat Management 

    The wheels of progress grind towards ever-more grandiose titles like “Unified Threat Management.” As a concept, it encompasses everything NGFW offers and adds even more stuff. We’re talking reverse proxies, modifiable VPN options, data loss prevention technologies, antivirus software, and more. 

    Unlike NGFW, UTM is most likely to be host-based rather than network-based. And it may also be the wave of the future precisely due to this decentralized nature. As many services move to the cloud, companies embrace software-as-a-service models, and work-from-home becomes more commonplace, having a single network-based firewall is getting obsolete. But by protecting the endpoint device (meaning your computer or phone) via a UTM, a firewall becomes a lot more attractive. 

    Of course, there is no scientific panel of taxonomy experts sorting firewalls into generations and types. This is more of a rough outline of how these subjects are viewed in the sphere. For the regular user, the distinctions are mostly irrelevant. 

    Except for maybe software vs. hardware firewalls. 

    Software firewalls vs. hardware firewalls


    The difference between software and hardware firewalls is that the former is a program installed on the device that needs to be protected, while the latter is a device installed between the network (internet) and the device (your work PC). 

    Software firewalls usually protect only the device they’re installed on. This means that when you have an office, a firewall has to be installed on every single computer. On the other hand, this makes the device more secure no matter where it’s being used. So if you take your work laptop to a cafe, you can still work safely.

    Hardware firewalls can usually be found in routers or as devices specifically designed to act as firewalls. They stand between devices and the network (it’s kinda how proxy firewalls work), checking all the traffic as it crosses them. Thus, hardware firewalls can secure an entire office network at once, no matter how large. On the other hand, moving devices around and connecting them to a different network forfeits any effects a hardware firewall might have. 

    What does a firewall protect against?

    Firewalls, first and foremost, are meant to protect from unauthorized incoming connections. This means that hackers: 

    • Can’t access your data by simply connecting to your device; 
    • Can’t take control of your system for their own goals; 
    • Can’t infiltrate your office/home network by attacking the one device that’s connected to the internet. 

    Having a firewall protect your data is good. Of course, those aren’t the only cyberthreats you face online – stuff like phishing and viruses are spread in ways that can bypass good ol’ firewalls. That’s why later generations of firewalls like UTM encompass many security roles. 

    Difference between antivirus and firewall 

    The difference between an antivirus and a firewall is that an antivirus protects from passive threats that you may activate at some point, while a firewall protects from active intrusions from the outside network. 

    For example, a regular firewall cannot protect your device from a virus delivered via email, especially if it doesn’t need an internet connection to operate. So if a bit of ransomware encrypts your data and demands a ransom in Bitcoin, the firewall can’t stop it because it was delivered as a file in the email. 

    On the other hand, antivirus can’t filter incoming traffic. So if you don’t have a firewall, a hacker can access your system fairly easily. 

    In conclusion: use a firewall

    A modern firewall is the first line of your cybersecurity system. It can’t block everything, but neither can any of your tools. So having a quality firewall is definitely a must on your device. Another good security feature to have is a VPN. And an antivirus. Or, in the case of Surfshark, both!



    How do firewalls work step-by-step?

    To abstract it, here’s how a firewall works:

    1. A data packet arrives via the internet at your device;
    2. The firewall checks whether it comes from one of the approved connections on a list;
    3. If the data packet checks out, it is allowed to enter your device. If not, it’s discarded.

    This happens many times a second. 

    What does a firewall actually do?

    A firewall prevents unasked-for/unauthorized connections from outside networks (usually the internet) from accessing your device. 

    How does a firewall know what to block?

    A firewall has a list of things it shouldn’t block. That list is expanded as you install new programs and allow them through the firewall or manually create exceptions. In essence, a firewall doesn’t know what to block; it knows what not to block. 

    What are the three types of firewalls?

    The network-based firewalls are software appliance firewalls, hardware appliance firewalls, and virtual appliance firewalls. They are, in order, firewalls that are installed on a regular device (like a server), firewalls installed on a device that’s constructed from the ground up to serve as a firewall, and simulated firewalls run on virtual machines. However, software firewalls exist as an alternative to network-based firewalls: they’re installed on the protected device itself.