What a Firewall Does
A firewall is a security control that regulates the flow of network traffic between two points — typically between a trusted internal network and an untrusted external network (the internet), but also between any two network zones. Every packet flowing in or out must pass through the firewall, which inspects it and decides whether to allow or block it based on configured rules.
Firewalls exist at every scale: home routers include basic firewall functionality; enterprise networks deploy dedicated hardware firewall appliances; operating systems (Windows Firewall, macOS firewall, iptables on Linux) include host-based firewalls that control traffic at the individual device level. The concept is the same at every scale — a gatekeeping mechanism that enforces a policy about which traffic is allowed and which is not.
Beyond simple allow/block decisions, firewalls serve additional functions:
- Content control: Organizations can use the firewall to enforce acceptable use policies — blocking access to gambling, social media, or adult content categories. Home firewalls can enforce parental controls using the same mechanism.
- Malware protection: Because all traffic passes through the firewall, it is a natural place to add antivirus and anti-malware scanning. The firewall can inspect file transfers and downloads before they reach the internal network.
- VPN termination: Many firewalls also function as VPN endpoints, encrypting traffic between remote sites or remote users and the corporate network.
Traditional Network-Based Firewalls — Layer 4
A traditional network-based firewall makes forwarding decisions based on OSI Layer 3 (network layer — IP addresses) and Layer 4 (transport layer — TCP and UDP port numbers). The firewall inspects the header of each packet and compares it against a rule set:
- Source IP address
- Destination IP address
- Protocol (TCP, UDP, ICMP)
- Source port and destination port
A rule like "allow TCP port 443 inbound from any source to the web server" is a Layer 4 rule. It allows HTTPS traffic to the web server regardless of which specific HTTPS application or content is being requested. A rule like "deny TCP port 23 from any source" blocks Telnet at the protocol level.
Traditional firewalls do not look inside the packet payload. They cannot see what application is running, what data is being transferred, or what the user is actually doing — they only see the IP header and port number. This is both their strength (speed — header inspection is computationally lightweight) and their limitation (a malicious application using an allowed port passes right through).
Layer 3 Functions: NAT, Routing, and VPN
Most network-based firewalls also operate as Layer 3 routing devices. Sitting at the edge of the network — the ingress/egress boundary between internal and external networks — they are well-positioned to perform routing functions:
- Network Address Translation (NAT): Translates internal private IP addresses (RFC 1918: 10.x.x.x, 172.16.x.x, 192.168.x.x) to the organization's public IP address for outbound connections. This hides internal network addressing from the internet and allows many internal devices to share a small number of public IPs.
- Dynamic routing: Firewalls can participate in routing protocols (OSPF, BGP) to exchange routing information with adjacent routers. Routing protocol authentication ensures only trusted routers participate.
- Site-to-site VPN: Firewalls encrypt traffic between two network locations using IPsec tunnels. A branch office firewall and a headquarters firewall establish an encrypted tunnel — traffic between the sites travels encrypted through the internet.
Unified Threat Management (UTM) Appliances
A UTM (Unified Threat Management) appliance — also called a web security gateway or all-in-one security appliance — bundles multiple security functions into a single device. Instead of deploying a separate firewall, a separate IPS, a separate VPN concentrator, a separate URL filter, and a separate spam filter, a UTM provides all of these capabilities in one box:
- Firewall: Traditional port and protocol-based traffic filtering
- URL filtering / Content inspection: Block access to websites by category or specific URL
- Malware inspection: Scan file transfers and downloads for known malware signatures
- Spam filtering: Block unwanted email before it reaches internal mail servers
- IDS/IPS: Intrusion detection and prevention for known attack signatures
- VPN endpoint: Remote access VPN for mobile users; site-to-site VPN between locations
- Bandwidth shaping / QoS: Prioritize critical business applications over recreational traffic
- Routing and switching: Some UTMs include CSU/DSU (WAN interface hardware), router, and switch capabilities — everything needed for a branch office in one device
The appeal of UTM devices: simplified management. One device, one management console, one vendor relationship, one support contract. For small and medium-sized businesses without dedicated security teams, a UTM dramatically reduces complexity compared to deploying and managing multiple separate devices.
The UTM limitation: Most UTM devices operate primarily at Layer 4 — they use port numbers to make decisions. The device may inspect for malware signatures, but it categorizes traffic by port first. Additionally, because all these features run on a single platform's processing hardware, enabling more features progressively degrades performance. A UTM running firewall only is fast. A UTM running firewall + IPS + URL filter + malware scan + VPN simultaneously may become a bottleneck. This performance limitation is the primary reason larger enterprises moved to dedicated NGFW platforms.
Next-Generation Firewalls (NGFW)
A Next-Generation Firewall (NGFW) operates at OSI Layer 7 — the application layer. Rather than making forwarding decisions based only on port numbers, an NGFW performs a full decode of every packet to identify exactly what application is being used and what data is being transferred.
NGFWs are described by several equivalent terms:
- Application Layer Gateway: The firewall operates at the application layer, understanding application protocols
- Stateful Multilayer Inspection: Inspection occurs across multiple OSI layers simultaneously — from Layer 3 IP headers through Layer 7 application content
- Deep Packet Inspection (DPI): The firewall decodes and analyzes the full packet payload, not just the header
Why application-layer inspection matters: In the traditional internet, applications used predictable, dedicated port numbers — HTTP was port 80, HTTPS was port 443, FTP was port 21. A Layer 4 firewall could identify applications by port. Modern applications have broken this relationship:
- Many applications tunnel through port 443 (HTTPS) to bypass firewall restrictions
- Microsoft SQL Server may be configured to use a non-standard port
- Peer-to-peer applications use random ports or hop through allowed ports
- A traditional firewall that allows port 443 allows all HTTPS traffic — including applications it has no intention of permitting
An NGFW decodes the application layer to identify the actual application — regardless of what port it uses. This enables granular, application-aware policy enforcement:
- Allow YouTube video viewing but block YouTube video uploads
- Allow reading Twitter but block posting to Twitter
- Allow Microsoft SQL Server traffic on any port but only from authorized database servers
- Block all peer-to-peer file sharing applications regardless of which port they attempt to use
All three of the above examples may use port 443 (HTTPS). A traditional firewall sees only "HTTPS — allowed." An NGFW sees the application inside the HTTPS stream and enforces the application-specific policy.
NGFW Integrated Capabilities
Integrated IPS: Because the NGFW can identify the application and decode its traffic, it can also apply application-specific vulnerability signatures. It can detect a SQL injection payload inside an HTTP request directed at an application server, a buffer overflow exploit in a Microsoft SQL Server connection, or a malware command-and-control callback over HTTPS — all identified by examining the application-layer content. This effectively turns part of the NGFW into an IPS, blocking known exploits in real time.
URL categorization and content filtering: NGFWs maintain categorized databases of URLs (gambling, adult content, social media, known malware distribution, etc.). Administrators can write policies that allow or block access to URL categories rather than maintaining manual lists of individual URLs. A single rule — "block category: gambling" — applies across all gambling websites without needing to enumerate every gambling URL.
What a WAF Is — and What Makes It Different
A Web Application Firewall (WAF) is fundamentally different from a network firewall, a UTM, or even an NGFW. While those devices regulate which traffic should flow between network points, a WAF regulates what input is acceptable within an HTTP or HTTPS conversation.
A WAF sits in front of a web application server (deployed as a reverse proxy) and inspects every HTTP request — the URL, the headers, the query parameters, the POST body, the cookies — and compares the input against rules about what legitimate application input looks like. Requests that contain known attack patterns are blocked before they reach the application server. Requests that look legitimate are forwarded to the backend.
This is fundamentally different from port-based filtering: an NGFW might identify that port 443 HTTPS traffic is going to the web server and allow it. The NGFW sees it as legitimate HTTPS. A WAF looks inside that allowed HTTPS traffic and asks: "does this HTTP request contain a SQL injection string in the query parameter? Does this URL contain a path traversal sequence? Does this POST body contain a cross-site scripting payload?" The WAF operates within the application conversation — the NGFW operates at the network level.
What WAFs Protect Against
WAFs specifically target application-layer attacks delivered via HTTP/HTTPS:
- SQL injection: Attackers insert SQL commands into input fields (search boxes, login forms, URLs) attempting to manipulate the backend database query. A WAF detects SQL syntax in input parameters and blocks the request before it reaches the database. Example: a URL containing
?id=1; DROP TABLE users;--is blocked at the WAF; the database server never sees it. - Cross-site scripting (XSS): Attackers inject JavaScript into a web application that will execute in other users' browsers. A WAF detects script tags and event handlers in input and blocks them.
- Path traversal: Attackers use
../sequences in URLs to access files outside the web root. A WAF blocks requests containing these sequences. - HTTP protocol violations: Malformed HTTP requests, oversized headers, invalid method types — all indicators of attack tools or scanning activity.
WAF Deployment — Reverse Proxy Position
A WAF is typically deployed as a reverse proxy in front of the web application server. Internet traffic arrives at the WAF; the WAF inspects the HTTP/HTTPS request; clean requests are forwarded to the backend server; malicious requests are blocked and logged.
Internet → [NGFW] → [WAF / Reverse Proxy] → Web application server
↑ ↑
Network-level Application-input
filtering validation
The WAF and NGFW serve complementary roles: the NGFW filters at the network level (which connections are allowed, is this traffic from a known bad IP, is this the right application type), while the WAF filters at the application input level (is this a legitimate web request, or does it contain an attack payload). They solve different problems and are commonly deployed together, not as alternatives to each other.
PCI DSS Requirement
The Payment Card Industry Data Security Standard (PCI DSS) specifically requires organizations that process, store, or transmit credit card data to deploy a WAF to protect their cardholder data environment (CDE) web applications. The reason is straightforward: SQL injection and other application-layer attacks are the most common vectors for stealing payment card data from web applications. A network firewall or NGFW that allows HTTPS to the payment application does not protect the application's input layer — that is the WAF's job.
PCI DSS Requirement 6.4 (in PCI DSS v4.0) specifically addresses the protection of web-facing applications, with WAF deployment as a recognized technical control. This regulatory mandate makes WAF deployment non-optional for e-commerce organizations and payment processors — not just a best practice, but a compliance requirement with direct audit consequences.
WAF Log Entry — What It Looks Like
A WAF log entry for a blocked SQL injection attack typically contains:
- Timestamp and unique event ID
- URL path that was targeted (e.g.,
/index.cgi) - Web server identity and port (HTTP or HTTPS)
- Source IP address and geographic origin
- Attack name (e.g., "SQL Injection in Parameter")
- Action taken (blocked/allowed)
- Policy that triggered the block (e.g., "Standard Security Policy")
This level of detail — distinguishing SQL injection blocked at WAF from a generic "connection denied" — is what makes WAF logging valuable for forensic investigation and compliance reporting. The WAF tells you not just that an attack was blocked, but exactly what the attack was and which rule caught it.