What is a Firewall?
A firewall is a security system that monitors and controls network traffic based on predefined rules. It acts as a barrier between trusted internal networks and untrusted external ones, inspecting incoming and outgoing packets to enforce an organization's security policy.
Types of firewalls
- Packet-filtering firewalls — inspect each packet in isolation against rules based on source and destination IP addresses, ports, and protocols. Simple and fast, but with no context: they cannot tell whether an inbound packet is the reply to a connection opened from inside or an unsolicited probe.
- Stateful inspection firewalls — keep a table of active connections and judge packets in the context of that table, so return traffic for an established connection is permitted without a separate inbound rule and packets that belong to no known connection are dropped.
- Next-generation firewalls (NGFW) — combine traditional firewall capabilities with intrusion prevention, application awareness, and deep packet inspection.
- Web application firewalls (WAF) — specifically protect web applications by filtering and monitoring HTTP and HTTPS traffic between the application and the internet, blocking application-layer attacks such as injection attempts.
- Cloud firewalls — delivered as a service to protect cloud-based infrastructure and applications, for example a provider's security groups and network ACLs or a managed firewall service.
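To make the difference between the first two types concrete, here is an added example (not code from the original page or from episki) that runs a constructed three-packet trace through a stateless packet filter and a stateful firewall. The packet fields, rule format, addresses and trace are all assumptions made for the illustration; the point it shows is that a stateless filter must open a blanket "source port 443" rule to let HTTPS replies in, and any host on the internet can satisfy that rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False  # True for a TCP SYN that opens a new connection


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    sport: Optional[int] = None  # None matches any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (
            ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (self.proto is None or self.proto == p.proto)
            and (self.sport is None or self.sport == p.sport)
            and (self.dport is None or self.dport == p.dport)
        )


def stateless_filter(rules: List[Rule], p: Packet) -> str:
    """Packet filter: first matching rule wins; no match means default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: the rules decide only new connections; packets of
    a tracked connection (in either direction) pass without a separate rule."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.conns = set()  # 5-tuples of connections already permitted

    def filter(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.conns or rev in self.conns:
            return "allow"      # part of an established connection
        if p.proto == "tcp" and not p.syn:
            return "deny"       # mid-stream TCP with no known connection
        action = stateless_filter(self.rules, p)
        if action == "allow":
            self.conns.add(fwd)  # remember the connection just opened
        return action


LAN = "10.0.0.0/8"  # assumed internal range

# Stateless ruleset: to let HTTPS replies back in it needs a blanket rule for
# source port 443, which any external host can satisfy.
STATELESS_RULES = [
    Rule("allow", src=LAN, proto="tcp", dport=443),
    Rule("allow", dst=LAN, proto="tcp", sport=443),
]

# Stateful ruleset: only the outbound rule; replies ride on the state table.
STATEFUL_RULES = [Rule("allow", src=LAN, proto="tcp", dport=443)]

# Constructed packet trace, not a real capture.
TRACE = [
    Packet("10.0.0.5", "203.0.113.10", "tcp", 51000, 443, syn=True),  # LAN host opens HTTPS
    Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 51000),            # server replies
    Packet("203.0.113.99", "10.0.0.5", "tcp", 443, 22, syn=True),     # attacker, sport 443 -> SSH
]


def run_trace() -> List[Tuple[str, str]]:
    """Return (stateless verdict, stateful verdict) for each packet in TRACE."""
    fw = StatefulFirewall(STATEFUL_RULES)
    return [(stateless_filter(STATELESS_RULES, p), fw.filter(p)) for p in TRACE]


if __name__ == "__main__":
    for p, (sl, sf) in zip(TRACE, run_trace()):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  stateless={sl}  stateful={sf}")
```

The first two packets are allowed by both firewalls. The third, an inbound SYN to port 22 from an attacker who simply chose source port 443, slips through the stateless filter but is denied by the stateful one, because it matches no tracked connection and the only rule covers outbound traffic from the LAN.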
Firewalls in compliance frameworks
Firewalls are a foundational control across compliance standards:
- PCI DSS — Requirement 1 mandates installing and maintaining firewall configurations to protect cardholder data (PCI DSS v4.0 broadens the wording to "network security controls").
- ISO/IEC 27001:2022 — Annex A controls 8.20 (networks security), 8.21 (security of network services), and 8.22 (segregation of networks) cover network filtering and segmentation.
- NIST CSF — in CSF 1.1, PR.AC-5 (network integrity, including segmentation) and PR.PT-4 (protection of communications and control networks); CSF 2.0 carries these under PR.AA and PR.IR.
- SOC 2 — CC6.6 requires logical access controls against threats from outside the system boundary, typically evidenced by firewall rules and boundary protections.
Best practices
- Start from default-deny: block everything, then add explicit allow rules for the traffic the business needs, rather than trusting a vendor's default configuration
- Segment networks to limit lateral movement in the event of a breach
- Review and update firewall rules regularly to remove stale or overly permissive entries
- Log both permitted and denied traffic, forward the logs to central monitoring, and alert on anomalies such as repeated denies from one source or new outbound destinations
- Test firewall configurations as part of regular penetration testing
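The rule review in the list above is easy to state and tedious to do by hand. The following is an added example (not code from the original page or from episki) that audits a constructed rule export for two classic problems: overly permissive allows (an admin port or all ports open to any source) and shadowed rules that can never match because an earlier rule already covers them under first-match semantics. The CSV columns, rule names, addresses and the set of "admin ports" are assumptions for the illustration.

```python
import csv
from io import StringIO
from ipaddress import ip_network
from typing import List, Optional, Tuple

# Constructed rule export, not from any real device; the column layout is hypothetical.
RULE_EXPORT = """\
name,action,src,dst,proto,dport
allow-web-in,allow,0.0.0.0/0,10.0.1.0/24,tcp,443
allow-ssh-any,allow,0.0.0.0/0,10.0.1.0/24,tcp,22
allow-ssh-bastion,allow,10.0.9.10/32,10.0.1.0/24,tcp,22
allow-db-lan,allow,10.0.0.0/8,10.0.2.0/24,tcp,5432
allow-legacy,allow,0.0.0.0/0,0.0.0.0/0,any,any
deny-all,deny,0.0.0.0/0,0.0.0.0/0,any,any
"""

# Ports that should never be reachable from any source (assumed list).
ADMIN_PORTS = {22, 23, 445, 3389, 5900, 1433, 3306, 5432}


class Rule:
    def __init__(self, row: dict) -> None:
        self.name = row["name"]
        self.action = row["action"]
        self.src = ip_network(row["src"])
        self.dst = ip_network(row["dst"])
        self.proto: Optional[str] = None if row["proto"] == "any" else row["proto"]
        self.dport: Optional[int] = None if row["dport"] == "any" else int(row["dport"])

    def covers(self, other: "Rule") -> bool:
        """True if every packet that matches `other` also matches this rule."""
        return (
            self.src.supernet_of(other.src)
            and self.dst.supernet_of(other.dst)
            and (self.proto is None or self.proto == other.proto)
            and (self.dport is None or self.dport == other.dport)
        )


def parse_rules(export: str) -> List[Rule]:
    return [Rule(row) for row in csv.DictReader(StringIO(export))]


def audit(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (rule name, finding, detail) for permissive and shadowed rules."""
    findings = []
    for i, r in enumerate(rules):
        # Permissive: an allow from anywhere (prefix length 0) to all ports or an admin port.
        if r.action == "allow" and r.src.prefixlen == 0:
            if r.dport is None:
                findings.append((r.name, "permissive", "allows any source to all ports"))
            elif r.dport in ADMIN_PORTS:
                findings.append((r.name, "permissive", f"exposes admin port {r.dport} to any source"))
        # Shadowed: under first-match evaluation an earlier covering rule means this one never fires.
        for earlier in rules[:i]:
            if earlier.covers(r):
                findings.append((r.name, "shadowed",
                                 f"never matches; covered by {earlier.name} ({earlier.action})"))
                break
    return findings


if __name__ == "__main__":
    for name, kind, detail in audit(parse_rules(RULE_EXPORT)):
        print(f"{kind:10} {name:18} {detail}")
```

On the sample export this flags allow-ssh-any (SSH open to the world), allow-ssh-bastion (the intended bastion-only restriction is dead because the broader rule precedes it), allow-legacy (any source to everything), and deny-all (shadowed by allow-legacy, so the default-deny the ruleset appears to end with is not in effect). A deny rule shadowed by an allow is the finding to chase first; the others are candidates for the "stale or overly permissive" cleanup the best practices call for.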
How episki helps
episki tracks firewall-related controls, links them to evidence like configuration exports and rule reviews, and sends reminders when periodic reviews are due. Learn more on our compliance platform.