What is a firewall, formally — and what three properties must it have?
A firewall is a system of hardware and/or software components, deployed between two or more networks, that enforces three core properties: all traffic must be authorized, unknown protocols are dropped, and the firewall itself must resist attack.
The three required properties:
| Property | Why it matters |
|---|---|
| All data traffic through the FW must be authorized → Firewall Rules | The fundamental policy enforcement point |
| Protocols the FW doesn't understand are NOT forwarded (e.g., SPX/IPX, AppleTalk) | Default-deny on the unknown — an attacker can't smuggle data via exotic protocols |
| The FW itself must be resistant to attacks | If the FW is compromised, all rules are bypassed |
The Wikipedia callout for context:
"A security system that protects a computer network or a single computer from unwanted network access."
Why "hardware and software":
A firewall isn't just "a box" or "a piece of software" — it's the combination:
- Software defines the rules and inspects packets.
- Hardware provides the network interfaces and processing power.
- The OS underneath is hardened (often a stripped-down Linux/BSD).
Common physical forms:
| Form | Example |
|---|---|
| Dedicated hardware appliance | Fortinet FortiGate, Palo Alto PA-series, Cisco ASA |
| Virtual appliance (VM) | pfSense VM, Palo Alto VM-series |
| Software on a host | iptables/nftables, Windows Defender Firewall |
| Cloud-managed service | AWS Security Groups, Azure Firewall |
Tip: When someone says "we have a firewall" — ask what kind. Many "firewalls" in SOHO routers are little more than NAT + a basic ACL. Real perimeter firewalls cost from CHF 1k for entry-level appliances up to 6 figures for enterprise stateful clusters.
Go deeper:
Firewall (computing) — Wikipedia — covers the generations (packet filter → stateful → application layer) with their historical dates in one place.
NIST SP 800-41 Rev. 1 — Guidelines on Firewalls and Firewall Policy — the primary-source reference defining firewall technologies and policy; the canonical citation for any firewall topic.