A computer firewall provides a security barrier between the untrusted external network (the Internet) and a trusted internal network (servers).
In general terms, a "firewall" is a wall which is used to stop a fire. Automobiles have a sheet of metal as a firewall between the engine and the passengers riding inside. It provides a protective barrier between a potentially dangerous area and areas that need to be safe.
Computer firewalls perform this function as well. They monitor and control the flow of network traffic. Incoming traffic is always the primary concern, but firewalls regulate outgoing traffic too. Firewalls are configured with a set of rules instructing it on what traffic attributes it should look for and what to do with traffic matching particular patterns. There are three options: allow the traffic, deny (reject) the traffic and return an error, or drop (ignore) the traffic silently without sending any error.
Firewalls can be hardware devices or software running on a server. Network firewalls are hardware devices which usually reside at the point where the external and internal networks first interface. It is like a front door for the entire network, and protects many servers inside. Host-based firewalls are software which runs on a single server and which is the first software encountered when a packet is sent to the server over its open communication ports. It acts as a front door for the server.
Packet filtering is the primary task of all firewalls. The firewall examines each packet it receives to decide if the packet should be allowed to pass through. It can examine many attributes of the data including the origin, the destination, the protocol being used (HTTP, FTP, SMTP, DNS), and the port number being used. Modern packet filtering is also aware of the packets which have previously been received and can examine a packet's relationship to other packets. It can know if a packet is starting a new connection or is part of an existing connection which has already been allowed. It can know if packets are being sent too frequently from the same source. Packet filter also watches for common abuses of communication protocols in an attempt to bypass security measures. It will stop malformed packets and stop known attacks.
Firewalls are capable of performing throttling and rate limiting. Rules can be used to assign a bandwidth restriction to a category of traffic. The "category" can be a specific IP address or a range of IP addresses, certain protocols, traffic on specific ports, and more. If traffic in a category exceeds the bandwidth restriction, then the firewall can put new packets into a queue, deny them outright with an error, or silently drop them. Throttling and rate limiting is effective in preventing network resources and servers from being overwhelmed by large or too frequent requests.
Firewall rules allow admins to whitelist or blacklist a category of traffic. Whitelisting traffic can exempt it from certain rules, while blacklisting traffic will cause the firewall to always deny or drop it. This can be used to block well-known offenders and previous attackers. Many firewalls include the ability to automatically add offending traffic to a blacklist. Dynamic blacklisting prevents problems, such as problems in the middle of the night, without admin intervention. This dynamic blacklisting can be permanent, but more often it is temporary ("a time out") in case an attacker was borrowing an someone else's IP address.
Firewalls frequently perform Network Address Translation (NAT). NAT translates between public IP addresses and private IP addresses. It allows many computers to share a few public IP addresses. It is popular for corporations who have many users. With NAT, a server's real IP address is kept private, but the server is just as accessible as if the IP address were public. The firewall allows and denies the same traffic either way. It is a common misconception that NAT is a security measure (perhaps because it is a firewall feature). While it does add convenience, it adds little to no additional security.
Firewalls do not just filter incoming traffic. They also filter traffic exiting the secure network and entering the insecure network. This is called egress filtering.
Why is it necessary or desirable to filter outbound traffic? It can prevent botnets, key-loggers, and other malware from "calling home" to an attacker's command and control servers. It can prevent spam from being sent from internal servers. It can prevent data exfiltration, a fancy term for "theft". For these reasons, egress filtering is required for certain levels of credit card PCI compliance.
Egress filtering can also prevent users from accessing certain content. This content could be known malicious sites, pornography, their web mail, entertainment such as games or video streaming, or social networks. This could be desirable for political, business, productivity, or security reasons. (Many of those sound like good ways to pick up malware via drive-by download.) Some government agencies, large companies, and financial service firms use egress filtering to block content for their employees.
Firewalls offer admins greater visibility and control of the data which is entering and leaving their network. It provides a hardened security layer which must be penetrated by attackers before they can reach servers. Firewalls restrict the spread of worms, viruses, and malware. Firewall throttling is the best defense again Denial-of-Service Attacks. Specialized Web Application Firewalls (WAF) can filter attempts at Cross-Site Scripting and SQL Injection.
The best advice for firewall configuration is to start by disallowing everything. Install default rules which deny all traffic, all protocols, and all ports. Then begin the process of whitelisting specific servers, ports, and types of traffic that should be allowed. (Refer to the Principle: Prefer whitelisting over blacklisting). Be sure to whitelist expected outgoing traffic. On a network firewall the outgoing traffic may be broad to allow users to perform many activities, but on a host-based firewall, they should be narrow and specific to the type of traffic for that server (web traffic from web servers, DNS traffic from DNS servers, etc.) Once the process of whitelisting is complete, then rules can blacklist any additional traffic which should be disallowed.
After firewall rules are in place, regularly test them via network scans, using a tool like nmap
.