Firewall Basics and Configuration
Firewalls constitute one of the foundational control categories in network security architecture, functioning as the primary enforcement boundary between trusted and untrusted network segments. This page covers the classification of firewall types, the operational mechanisms that distinguish them, the regulatory frameworks that reference or mandate their use, and the decision criteria that govern deployment scope. The subject is directly relevant to compliance professionals, network engineers, and security program managers operating under federal and sector-specific mandates.
Definition and scope
A firewall is a network security control that enforces access policy by inspecting and filtering traffic based on defined rules. In formal terms, NIST SP 800-41 Revision 1 — Guidelines on Firewalls and Firewall Policy — defines a firewall as "a device or software that enforces a set of rules about what network packets will be permitted to enter or exit a network." That definition spans hardware appliances, software processes, and cloud-native virtual instances.
The scope of firewall controls extends across four primary deployment contexts:
- Network perimeter firewalls — positioned at the boundary between an organization's internal network and external networks, including the public internet.
- Internal segmentation firewalls (ISFWs) — positioned between internal network zones to restrict lateral movement within an enterprise environment.
- Host-based firewalls — software resident on individual endpoints, enforcing per-host traffic policy independently of network-layer devices.
- Cloud-native and virtual firewalls — enforced through software-defined networking layers in public cloud environments, including security groups and virtual appliance instances.
Regulatory frameworks treat firewall controls as baseline requirements rather than optional enhancements. The Payment Card Industry Data Security Standard (PCI DSS) — administered by the PCI Security Standards Council — designates firewall installation and maintenance as Requirement 1 of its control framework. Under HIPAA's Security Rule (45 CFR § 164.312), covered entities are required to implement technical security measures that guard against unauthorized access, a standard that federal guidance consistently associates with firewall deployment.
How it works
Firewall inspection operates through one of three primary technical mechanisms, each representing a distinct generation of capability and an associated set of tradeoffs.
Packet filtering examines individual packets at the network layer (Layer 3) and transport layer (Layer 4) using static rule sets that evaluate source IP address, destination IP address, source port, destination port, and protocol. Packet filtering imposes minimal processing overhead but carries no state awareness — each packet is evaluated in isolation without reference to whether it belongs to an established session.
Stateful inspection — introduced as a significant advancement over pure packet filtering — maintains a state table that tracks active connections. A packet is permitted not only if it matches an access rule but also if it corresponds to a known, established session. This mechanism eliminates a class of spoofing attacks that defeat stateless filters. Stateful inspection operates primarily at Layers 3 and 4.
Next-generation firewalls (NGFWs) extend inspection into Layer 7 (the application layer), enabling identification and control of specific applications, users, and content types regardless of port or protocol. NIST SP 800-41 Rev 1 distinguishes application-layer gateways as a separate category; the NGFW designation consolidates stateful inspection with deep packet inspection (DPI), intrusion prevention system (IPS) functionality, and SSL/TLS decryption in a single platform.
The decision path for rule evaluation follows a structured sequence:
- Packet arrives at the firewall interface.
- The firewall checks the packet against the state table for an existing session match.
- If no session match exists, the packet is evaluated against the rule base in order of rule priority.
- The first matching rule determines the action: permit, deny, or drop.
- If no rule matches, the default policy applies — in hardened configurations, the default is deny-all.
- Session state is recorded for permitted connections to support subsequent packet evaluation.
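The six-step decision path above, worked as an added example that is not part of the original page: a minimal stateful evaluator in Python with a state table, an ordered rule base evaluated first-match, and a deny-all default. The Rule and StatefulFirewall classes, the demo_firewall() rule base and its addresses (a DMZ web server at 203.0.113.10, internal space 10.0.0.0/8) are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass
class Rule:
    action: str            # "permit", "deny" (reject) or "drop" (silent discard)
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # None means any destination port

    def matches(self, pkt: dict) -> bool:
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and (self.src == "any" or ip_address(pkt["src"]) in ip_network(self.src))
                and (self.dst == "any" or ip_address(pkt["dst"]) in ip_network(self.dst))
                and (self.dport is None or self.dport == pkt["dport"]))

class StatefulFirewall:
    def __init__(self, rules, default: str = "deny"):
        self.rules = rules
        self.default = default          # step 5: deny-all in a hardened configuration
        self.state = set()              # state table of permitted 5-tuples

    def evaluate(self, pkt: dict) -> Tuple[str, str]:
        """Return (action, reason) for one packet, following the six-step path."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reply = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        # step 2: a packet in either direction of a recorded session is accepted
        if key in self.state or reply in self.state:
            return "permit", "state"
        # steps 3-4: ordered rule base, first match wins
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                if rule.action == "permit":
                    self.state.add(key)   # step 6: record the session
                return rule.action, f"rule {i}"
        # step 5: no rule matched, apply the default policy
        return self.default, "default"

def pkt(proto, src, sport, dst, dport) -> dict:
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def demo_firewall() -> StatefulFirewall:
    # constructed DMZ rule base: 203.0.113.10 is a public web server, 10.0.0.0/8 is internal
    return StatefulFirewall([
        Rule("permit", "tcp", "any", "203.0.113.10/32", 443),       # inbound HTTPS to the DMZ host
        Rule("drop", "any", "203.0.113.0/24", "10.0.0.0/8", None),  # DMZ may not initiate inward
    ])
```

Note that the reply packet from the web server is permitted by the state table alone; a stateless filter would need a separate, broader rule for it.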
NIST SP 800-53 Revision 5 addresses firewall controls under control family SC (System and Communications Protection), specifically SC-7 (Boundary Protection), which mandates monitoring and control of communications at external and internal boundaries.
Common scenarios
Firewall deployment patterns align with recognizable architectural scenarios that recur across industries and organizational sizes.
DMZ architecture: A demilitarized zone places publicly accessible servers — web servers, mail relays, DNS resolvers — on a separate network segment bounded by two firewall rule sets. Internal traffic to the DMZ is restricted; traffic from the DMZ to the internal network is blocked by default, so that a compromised public-facing host cannot initiate connections inward. This pattern is the expected baseline for organizations operating public-facing infrastructure.
Microsegmentation in healthcare: Organizations subject to HIPAA routinely implement internal segmentation firewalls to isolate electronic protected health information (ePHI) systems from general enterprise networks. The HHS Office for Civil Rights (OCR) has cited inadequate network segmentation in enforcement actions involving unauthorized access to ePHI.
Cardholder data environment (CDE) isolation: PCI DSS Requirement 1.3 mandates that the CDE be isolated from all other network segments using firewall controls. Organizations failing Requirement 1 audits face loss of payment processing authorization in addition to potential fines.
Cloud workload protection: In AWS, Azure, and Google Cloud environments, security groups and network access control lists (NACLs) function as virtual packet-filtering firewalls. Cloud Security Alliance (CSA) guidance treats these controls as equivalent in function — though not in architecture — to on-premises perimeter devices.
Remote access filtering: Site-to-site VPN terminations require firewall policy enforcement at the tunnel endpoint to prevent split-tunnel abuse, where remote clients route internet traffic outside the VPN while maintaining internal network access.
Decision boundaries
Selecting and scoping firewall controls involves structured decision points that determine deployment type, placement, and rule architecture.
Packet filtering vs. stateful inspection vs. NGFW: Organizations processing sensitive data categories — financial records, ePHI, federal controlled unclassified information (CUI) under NIST SP 800-171 — are generally expected to deploy stateful inspection at minimum. Pure packet filtering is considered insufficient for perimeter defense in environments subject to PCI DSS or FISMA. NGFW deployment becomes the operative standard where application-layer visibility is required by policy or where advanced persistent threat (APT) modeling demands protocol-level inspection.
Hardware appliance vs. software vs. cloud-native: The architectural choice is driven by traffic volume, latency tolerance, and management model. Hardware appliances support throughput measured in tens of gigabits per second for high-volume environments. Software firewalls on commodity hardware suit medium-scale deployments. Cloud-native virtual firewalls are operationally appropriate where the protected workloads reside entirely within a cloud tenancy, though they introduce provider-specific policy syntax and audit tooling requirements.
Rule base construction: NIST SP 800-41 Rev 1 recommends a default-deny posture — all traffic is blocked unless explicitly permitted — as the baseline rule architecture. Permit rules should be specific to source, destination, port, and protocol. Overly permissive rules (e.g., any-to-any on port 443) undermine inspection value. Rule bases require periodic review; NIST guidance recommends review at defined intervals following change management procedures.
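An added example of the kind of review this paragraph calls for (written here, not taken from the page or from NIST): a Python audit of a rule base that flags a default policy other than deny, any-to-any permits such as the port 443 case above, permits with no destination port restriction, and, going slightly beyond the text, rules that the first-match evaluation order makes unreachable because an earlier rule already covers their traffic. The dict rule format, audit_rule_base() and DEMO_RULES are assumptions constructed for illustration.

```python
from ipaddress import ip_network

def is_any(value) -> bool:
    return value in ("any", None, "0.0.0.0/0")

def field_covers(outer, inner) -> bool:
    """True if the field value `outer` matches everything `inner` matches."""
    if is_any(outer):
        return True
    if is_any(inner):
        return False
    if isinstance(outer, str) and "/" in outer:            # CIDR comparison
        return ip_network(inner).subnet_of(ip_network(outer))
    return outer == inner                                    # protocol name or port

def shadows(earlier: dict, later: dict) -> bool:
    """A later rule is unreachable if an earlier one matches a superset of its traffic."""
    return all(field_covers(earlier[f], later[f]) for f in ("proto", "src", "dst", "dport"))

def audit_rule_base(rules, default_policy: str):
    findings = []
    if default_policy != "deny":
        findings.append("default policy is not deny")
    for i, r in enumerate(rules):
        if r["action"] == "permit" and is_any(r["src"]) and is_any(r["dst"]):
            findings.append(f"rule {i}: any-to-any permit on {r['proto']}/{r['dport'] or 'any'}")
        elif r["action"] == "permit" and is_any(r["dport"]):
            findings.append(f"rule {i}: permit with no destination port restriction")
        for j in range(i):                                   # first match wins, so check earlier rules
            if shadows(rules[j], r):
                findings.append(f"rule {i}: unreachable, shadowed by rule {j}")
                break
    return findings

def rule(action, proto, src, dst, dport=None) -> dict:
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

DEMO_RULES = [   # constructed rule base for a DMZ web server at 203.0.113.10
    rule("permit", "tcp", "any", "203.0.113.10/32", 443),
    rule("permit", "tcp", "any", "any", 443),                      # the any-to-any-on-443 case
    rule("permit", "tcp", "10.0.0.0/8", "203.0.113.10/32", 443),   # never reached: rule 0 covers it
    rule("permit", "udp", "10.0.0.0/8", "192.0.2.53/32"),          # no port restriction
]
```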
Logging and monitoring requirements: CISA's Zero Trust Maturity Model treats firewall log collection and correlation as a foundational network visibility requirement. Federal agencies subject to OMB M-21-31 are required to retain network log data for defined retention periods, with firewall logs explicitly included.
References
- NIST SP 800-41 Rev 1 — Guidelines on Firewalls and Firewall Policy
- NIST SP 800-53 Rev 5 — Security and Privacy Controls for Information Systems (SC-7 Boundary Protection)
- NIST SP 800-171 Rev 2 — Protecting CUI in Nonfederal Systems
- PCI Security Standards Council — PCI DSS Document Library
- HHS Office for Civil Rights — HIPAA Security Rule (45 CFR § 164.312)
- eCFR — 45 CFR § 164.312 Technical Safeguards
- CISA — Zero Trust Maturity Model
- Cloud Security Alliance (CSA) — Security Guidance for Cloud Computing