
What Is a Firewall?

As a type of network security device, a firewall monitors, filters, and controls incoming and outgoing network traffic based on preset security policies to protect a network zone against attacks and intrusions from another network zone.
The firewall discussed here is not a physical wall built to contain a fire, the built-in Windows firewall, or the "wall" that circumvention software is designed to get around. It is a network firewall, which may take the form of hardware, software, or software as a service (SaaS).
As the first line of defense in a network deployment, firewalls can be deployed flexibly at network perimeters and wherever subnets need to be isolated: for example, at enterprise network egresses, between internal subnets of large networks, or at data center perimeters.

Firewall History

Much like living organisms, firewalls have gone through a long evolution, progressing from simple to advanced and from a single basic function to diversified functionality. Throughout this process, ever-developing network technologies and ever-rising new requirements have driven firewalls forward.

Figure: Firewall history

The earliest firewall dates back to the late 1980s. Over the three decades since, firewall development can be divided into the following three phases:

1989–1994

  • The packet filtering firewall, which is also known as the first-generation firewall, was developed in 1989 for simple access control.
  • The proxy firewall was developed soon after as a proxy for communications between an internal network and an external network at the application layer. This type of firewall is referred to as the second-generation firewall. The proxy firewall offers high security, yet has a slow processing speed. In addition, it is difficult to develop a proxy service for each type of application. Therefore, a proxy is provided for only a few applications.
  • In 1994, Check Point released the first stateful inspection firewall, which determined what action should be taken by dynamically analyzing packet status. As it does not need to proxy each application, a stateful inspection firewall provides faster processing and higher security. The stateful inspection firewall is called the third-generation firewall.

1995–2004

  • In this period, stateful inspection firewalls became popular. In addition to access control, firewalls began to offer other functions, such as virtual private network (VPN).
  • In the same period, some dedicated devices started to appear, such as web application firewalls (WAFs) that are designed to protect web servers.
  • In 2004, the industry proposed the concept of unified threat management (UTM): a host of functions, such as the conventional firewall functions, intrusion detection, antivirus, URL filtering, application control, and mail filtering, integrated into one firewall for all-round security protection.

2005–now

  • After 2004, the UTM market grew exponentially and new UTM products kept emerging, but new problems also arose. The first was limited detection of application-layer information, which called for more advanced detection methods; this is where service awareness technology came in. The second was performance: running multiple functions concurrently greatly degraded the processing performance of UTM devices.
  • In 2008, Palo Alto Networks released the next-generation firewall (NGFW) to solve this performance degradation. The NGFW can also perform management and control by user, application, and content.
  • In 2009, Gartner defined the NGFW to clarify its functions and features. Security vendors then released their own NGFWs, ushering in a new era of firewalls.
  • Around 2014, with the development of cloud computing and virtualization technologies, firewalls began to be cloudified and deployed in the cloud environment as software to provide users with scalable and flexible security services.
  • In 2018, Huawei built a threat detection model using machine learning and deep learning and released the industry's first AI firewall equipped with intelligent detection technologies. Intelligent detection has solved many problems of traditional threat detection, such as coarse detection granularity and long detection periods, and helps to cope with the ever-evolving advanced threats represented by advanced persistent threats (APTs), such as ransomware and machine-to-machine (M2M) attacks.

Types of Firewalls

Following the development history above, firewalls fall into the following types based on how they are technically implemented:

Table 1-1 Types of firewalls (working mechanism, advantages, and disadvantages of each type)

Packet filtering firewall

  Working mechanism: Operating at the network and transport layers, this type of firewall examines the source address, destination address, protocol type, and port number of each IP packet passing through it. It matches this information against the preset security policies to decide whether to permit, deny, or discard the packet.

  Advantages:
  • Simple and efficient: This type of firewall features high processing speed and low resource consumption.
  • Robust compatibility: It can be configured and used at almost any point in the network.

  Disadvantages:
  • Limited security: Only the network and transport layers of a packet are inspected; the application layer is not checked, so complex attacks cannot be identified.
  • Simple functions: It lacks more advanced network security functions, such as stateful inspection and content review.

Application proxy firewall

  Working mechanism: Built on application-layer firewall technologies, this type of firewall passes incoming and outgoing packets through a proxy server. It can filter and check packet contents, identify application-layer protocols (such as HTTP and FTP), and encrypt and decrypt packets.

  Advantages:
  • High security: This type of firewall can inspect packet contents in depth.
  • Precise control: Detailed access control rules can be set for each application to implement more refined traffic management.

  Disadvantages:
  • High resource consumption: In-depth analysis of packet contents consumes significant central processing unit (CPU) and other resources.
  • Slow processing: Complex analysis prolongs processing time and may become a bottleneck on high-speed networks.

Stateful inspection firewall

  Working mechanism: This type of firewall evolved from the packet filtering firewall. In addition to the packet filtering firewall's basic functions, it tracks and analyzes the state of data flows, including the packet sequence and connection state within a session.

  Advantages:
  • Improved security: By tracking connection state, this type of firewall can judge the validity of data flows more accurately and effectively defend against simple attacks.
  • Intelligent: More accurate decisions can be made based on the communication state and history.

  Disadvantages:
  • High resource consumption: Compared with the packet filtering firewall, the stateful inspection firewall consumes more resources to track connection state.
  • Slow processing: Processing may become a bottleneck under extremely high-speed network traffic.

UTM

  Working mechanism: A host of functions, such as the conventional firewall functions, intrusion detection, antivirus, URL filtering, application identification and control, and mail filtering, are integrated into one firewall for all-round security protection.

  Advantages:
  • Comprehensive protection: The UTM integrates multiple security functions to provide all-round protection from the network layer to the application layer.
  • Simplified management: Integrating multiple security functions simplifies network security management and reduces the complexity of deploying and maintaining multiple independent security devices.

  Disadvantages:
  • Limited security: The UTM provides a more in-depth security check than a packet filtering firewall, but its security is still limited. For example, it may not be able to fully defend against zero-day attacks or APTs.
  • Performance bottleneck: Running multiple functions concurrently may cause a performance bottleneck.

NGFW

  Working mechanism: The NGFW solves the UTM's performance degradation caused by running multiple functions concurrently. Based on in-depth analysis of user, application, and content data in network traffic, and using a high-performance parallel processing engine, the NGFW provides integrated application-layer security protection against application-layer threats.

  Advantages:
  • In-depth detection: The NGFW provides application-based access control through security policies to implement more refined online behavior management.
  • Higher performance: The integrated engine significantly improves processing performance.

  Disadvantages:
  • Complex management: The NGFW cannot perform intent-based, intelligent management and control, so threat handling is labor-intensive and time-consuming.
  • Difficult to predict unknown threats: The growing number of advanced threats and their variants poses significant challenges to the NGFW's static rule-library detection mode.

AI firewall

  Working mechanism: Equipped with AI technologies such as machine learning and deep learning, the AI firewall can identify and predict network threats. It can automatically learn and respond to new threat patterns, adjust security policies in real time, and process large amounts of data to identify abnormal behavior.

  Advantages:
  • Adaptability: The AI firewall can automatically learn and respond to new threats, reducing dependency on manual intervention.
  • Prediction capability: This type of firewall can predict potential security threats and take defensive measures in advance.

  Disadvantages:
  • Dependency on computing power: Intelligent detection technologies require higher computing power; insufficient computing power degrades or disables the intelligent detection capability.
  • Complex management and O&M: The threat detection model built on machine learning and deep learning depends on large amounts of data, so O&M and management are complex and require professional O&M personnel.

Based on device forms, firewalls are classified into hardware firewalls, software firewalls, and cloud firewalls.

  • Hardware firewall: The most common firewall form, an independent hardware device with its own resources. Hardware firewalls can be further classified by form into modular firewalls, fixed firewalls, desktop firewalls, and card-style firewalls.
  • Software firewall: A firewall installed as software on a computer or server. It can function as a host-based firewall protecting a single device, or as a network firewall in a virtualization environment protecting an entire virtual network. In a virtual machine (VM) environment, a VM can itself function as a firewall; this is called a VM firewall or virtual firewall.
  • Cloud firewall: Firewall services deployed in a cloud service provider's environment and provided to customers by subscription. These services, also known as firewall as a service (FWaaS), run in the form of infrastructure as a service (IaaS) or platform as a service (PaaS).

Although virtual firewalls and cloud firewalls are different from hardware firewalls in form, their core functions are the same.

How Does a Firewall Work?

Over decades of development, firewalls have accumulated a rich set of functions: security policy, network attack prevention, IPsec VPN and SSL VPN for secure access, network address translation (NAT), intrusion prevention, and antivirus. The firewall nonetheless owes its name to its most fundamental and primary function: the security policy.

Security policies are, in effect, the network's access control system.

  1. At the front line, security policies provide basic defense against most common network attacks and DDoS flood attacks.
  2. At the heart of the access control system lie the preset security policies, which define what traffic is permitted and what is denied. The matching conditions cover a comprehensive range of factors: the traditional IP address and port, the application the traffic belongs to, the user who initiated it, the user's location, and even whether the current time falls in working hours or on a weekend. The firewall then permits or denies the traffic that satisfies these conditions.
  3. Even when the access control system permits the traffic, the firewall's work is not yet complete. Further content security checks can be performed, such as intrusion detection, antivirus, web page filtering, and data loss prevention. If a risk is detected, the firewall can block the traffic according to the configured settings or generate an alert.

Figure: Access control system of the firewall

Generally, traffic has two directions. For example, when a user accesses a website, the access request from the user is classified as inbound traffic for the website, while the traffic transmitted from the website back to the user is considered outbound traffic. Therefore, traffic passing through the firewall has two directions as well.

The data traffic on the network is not one continuous stream. Instead, all data is fragmented into individual packets, like express packages. As a result, the firewall perceives a large number of packets flowing in both directions.

This raises a question: do the security policies need to inspect every packet that passes through? The answer is no, because the firewall is smart. Although the traffic passing through the firewall is made up of individual packets, the firewall can identify the correlation between them; it does not treat them as a list of isolated, random packets. For example, when a user accesses a website, the request may consist of only two packets while the response consists of dozens, yet together these packets accomplish the single task of accessing the website. Because they share the same purpose, they are processed together by the access control system. The firewall recognizes such groups of related packets, called flows in firewall terminology, and needs to identify and inspect each flow only once.
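To make the flow-based processing described above concrete, here is an added example (constructed for this article, not code from any vendor's product): a toy stateful-inspection engine in Python. Only the first packet of a flow is matched against the policy list, with zone, port, user, and time-of-day as matching conditions; later packets of that flow in either direction are handled from the session table, so each flow is inspected once. The session cap is an assumption that models the maximum-concurrent-connections limit; zone names, addresses, and users are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed example of stateful inspection: policies are consulted once per flow;
# the session table then forwards request and return packets alike, and its size cap
# stands in for the firewall's maximum number of concurrent connections.

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class Policy:
    action: str                            # "permit" or "deny"
    src_zone: str
    dst_zone: str
    dst_port: Optional[int] = None         # None matches any destination port
    user: Optional[str] = None             # None matches any user
    hours: Optional[tuple] = None          # (start, end) working hours, 24h clock

@dataclass
class Firewall:
    policies: list                         # ordered; first match wins, implicit deny
    zone_of: dict                          # ip -> zone name (stand-in for a zone lookup)
    max_sessions: int = 2                  # assumed concurrent-connection limit
    sessions: set = field(default_factory=set)

    @staticmethod
    def key(p: Packet) -> tuple:
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def handle(self, p: Packet, user: str, hour: int) -> str:
        fwd = self.key(p)
        rev = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if fwd in self.sessions or rev in self.sessions:      # established flow: fast path
            return "forward (session)"
        src_zone = self.zone_of.get(p.src_ip, "untrust")
        dst_zone = self.zone_of.get(p.dst_ip, "untrust")
        for pol in self.policies:                              # first packet of a new flow
            if (pol.src_zone, pol.dst_zone) != (src_zone, dst_zone):
                continue
            if pol.dst_port is not None and pol.dst_port != p.dst_port:
                continue
            if pol.user is not None and pol.user != user:
                continue
            if pol.hours is not None and not (pol.hours[0] <= hour < pol.hours[1]):
                continue
            if pol.action == "deny":
                return "deny (policy)"
            if len(self.sessions) >= self.max_sessions:        # concurrent-connection limit
                return "deny (session table full)"
            self.sessions.add(fwd)
            return "forward (new session)"
        return "deny (no policy matched)"
```

Note that the return packet from the website is forwarded without any untrust-to-trust policy: the session created by the outbound request covers both directions, which is exactly what a stateless packet filter cannot do without a broad static rule.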

What Are the Key Performance Indicators of a Firewall?

The firewall plays a critical role in cyber security, and its performance directly affects the security and stability of the entire network. The following three key performance indicators are used to evaluate whether a firewall's performance meets network requirements:

  • Maximum number of concurrent connections: indicates the maximum number of flows that can be maintained at the same time.

    If the number of concurrent connections on the firewall reaches the preset threshold, new flows cannot be created or pass through the firewall. Networks with a large number of endpoints and API servers, or that provide services such as instant messaging or online gaming, require a large number of concurrent connections on the firewall. This indicator is determined mainly by the firewall's memory size.

  • Maximum new connection rate: indicates the number of new connections that can be established by the firewall per second.

    When the firewall's new connection rate reaches its maximum, new sessions stall and user experience deteriorates. This indicator matters most where cloud services are offered, where applications require high real-time performance, or where service load surges, such as during holiday promotions. It depends mainly on the processing performance of the firewall's CPU and software.

  • Maximum throughput: indicates the maximum amount of data that can pass through the firewall per second, which is mainly measured by the number of bits or packets passed per second.

    Note that this indicator has many sub-items, such as small-packet throughput, large-packet throughput, and throughput with content security enabled. These sub-items describe throughput under different conditions and must be distinguished. Scenarios involving streaming media servers, heavy download activity, cloud storage, and the like attach great importance to throughput. This indicator is determined mainly by processor and interface performance, and some firewall products include dedicated hardware acceleration chips to raise the maximum throughput.

What Are the Differences Between a Firewall, a Router, and a Switch?

Firewalls, routers, and switches are all network devices, but their functions differ. Routers connect different networks and use routing protocols to ensure interconnection so that packets can be forwarded to their destinations. Switches are usually deployed to build local area networks (LANs) and serve as the hubs of LAN communication, forwarding packets at high speed through Layer 2/Layer 3 switching. Firewalls are deployed at network borders to control access to and from the network; security protection is their core feature. In short, the primary function of routers and switches is forwarding, whereas that of firewalls is control.

Figure: Comparing firewalls with switches and routers

Huawei Firewall Products

After more than 30 years of development and evolution, firewalls are more capable and deliver higher performance. Huawei firewalls, likewise, have developed from scratch and gradually moved to the cutting edge of cyber security. Over the past three decades, Huawei has embraced innovation and pushed technological boundaries, achieving one milestone after another.

Figure: Development history of Huawei firewalls

Huawei firewalls that have reached or are approaching end of life mainly include four series: USG2000, USG5000, USG6000, and USG9000, covering high-end, mid-range, and low-end firewalls. Among them, the USG2000 and USG5000 series are UTM products, the USG6000 series are mid-range and low-end NGFWs, and the USG9000 series are high-end NGFWs.

Figure: Huawei UTM products and NGFWs

In 2018, Huawei first released the mid-range and low-end USG6000E series AI firewalls, followed by the high-end USG12000 series AI firewalls and the next-generation mid-range and low-end USG6000F series AI firewalls. In 2024, Huawei launched AI firewalls for distribution markets, such as USG6000E-S.

Figure: Huawei AI firewalls

For more information about products, visit Huawei firewall. For details about product configuration and maintenance, see Huawei Firewall Product Documentation.
