What is a Firewall?
Written by Don Brown on Jan. 7th 2018
In construction, a firewall is a partition made of fireproof material to prevent the spread of a fire from one part of a building to another. In a duplex or townhome, for example, there will be double-thick brick walls between each home to keep potential fires isolated to one portion of the structure. This can also have the additional benefit of providing a certain degree of privacy in the form of soundproofing between the homes.

The same principle is used to isolate an engine compartment, such as on a plane or automobile, from the passenger compartment.

The term firewall can also refer to a person, thing, or event that acts as a barrier or protection against something undesirable. For example, an employee handbook could create a firewall against unethical business conduct in a corporate environment.

For the purposes of this discussion, however, we will concern ourselves with data and information security as impacted by modern digital technology. In this context, a firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system and its stored data or information.

There are essentially two kinds of firewalls in this context to protect data and information. There are software-based firewalls for computers on which that software is installed. This can include Macintosh, Windows, and Linux machines. The drawback to this kind of firewall is that it can only protect the computer on which it is installed, not an entire network.

For the network, there are purpose-built devices that are specifically designed to protect a network and all the devices connected to it. These devices, called firewalls, are equipped to do many of the normal functions of a router, with specific functionality for the actual firewall aspect of the device as well. There are several companies that manufacture these firewall devices, which are referred to as stateless firewalls, stateful firewalls, and so-called next-gen firewalls.

Stateless firewalls depend on access control lists (ACLs) and do not monitor the session state of the traffic; traffic is allowed through as long as it matches the ACL each time it hits the firewall. An example of these would be Cisco PIX or Cisco ASA firewalls.

Stateful firewalls have rules or policies that allow the firewall to form sessions according to the rules the traffic matches, based on source IP(s), destination IP(s) and destination port(s). The stateful aspect comes in once the session is formed: the firewall determines whether subsequent traffic matches that existing session or not. An example of these would be Juniper Netscreen firewalls or Juniper SRX firewalls.
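
The difference between per-packet ACL matching and session tracking can be seen in a small Python model. This is an added example, not part of the original article; the class names, rule format and sample addresses are constructed for illustration, and it models only the session lookup, not protocol state or timeouts.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")
# Hypothetical rule format: networks in CIDR form, port None means "any port".
Rule = namedtuple("Rule", "src sport dst dport")

def matches(rule, pkt):
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport))

class StatelessFirewall:
    """Compares every packet with the ACL and keeps no memory between packets."""
    def __init__(self, acl):
        self.acl = acl
    def allow(self, pkt):
        return any(matches(r, pkt) for r in self.acl)

class StatefulFirewall:
    """Forms a session when a packet matches a policy, then admits that session's packets."""
    def __init__(self, policy):
        self.policy = policy
        self.sessions = set()
    def allow(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.sessions or reverse in self.sessions:
            return True                      # belongs to an existing session
        if any(matches(r, pkt) for r in self.policy):
            self.sessions.add(forward)       # new session formed by policy match
            return True
        return False

# Constructed sample traffic using private and documentation address ranges.
OUTBOUND = Rule("10.0.0.0/24", None, "203.0.113.10/32", 443)
RETURN = Rule("203.0.113.10/32", 443, "10.0.0.0/24", None)  # only the stateless ACL needs this
request = Packet("10.0.0.5", 50000, "203.0.113.10", 443)
reply = Packet("203.0.113.10", 443, "10.0.0.5", 50000)
unsolicited = Packet("203.0.113.10", 443, "10.0.0.9", 40000)  # no matching request was sent

def run(fw):
    """Return the allow/deny decision for request, reply and unsolicited, in that order."""
    return [fw.allow(p) for p in (request, reply, unsolicited)]

if __name__ == "__main__":
    print("stateless, outbound rule only:", run(StatelessFirewall([OUTBOUND])))
    print("stateless, with return rule:  ", run(StatelessFirewall([OUTBOUND, RETURN])))
    print("stateful, outbound rule only: ", run(StatefulFirewall([OUTBOUND])))
```

The stateless ACL must carry a broad return rule to let replies back in, and that rule also admits the unsolicited packet; the stateful model admits the reply through its session table and still drops the unsolicited packet.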

Next-gen, or next-generation, firewalls take stateful a step further: they allow the firewall to inspect incoming traffic through all seven layers of the OSI model before allowing sessions to form. Their rules or policies define much more complex allowable traffic patterns, adding further criteria to the allowable source IP(s), destination IP(s), and destination port(s). These can include, but are not limited to, User-ID, Application-ID, custom service variations of known applications, and so on. An example of these would be Palo Alto firewalls.

Don Brown


Don Brown helps small businesses manage, update, troubleshoot, and upgrade their firewalls at a fraction of the cost for a full time IT professional.
©2017 FirewallDonBrown.com

