What is a Firewall and how does it work
A firewall, basically, is a network security device that permits or denies network access to the traffic flows passing through it. It can work on two different security models:
Positive security (the most usual), where you must configure policy rules to permit certain traffic flows, and a final rule denies all remaining traffic (default deny or implicit deny).
Negative security (much less used), which is the opposite: all traffic flows are permitted by default and you set policy rules to deny/drop/reject specific traffic.
EVOLUTION
Now let's see how firewalls have evolved from the beginning until now. There are three main evolutionary stages, which are the following:
Access Control Lists (ACLs) or Stateless firewall.
At the beginning there were no firewall devices, so the security tasks were carried out by routers with ACL features. These Access Control Lists are rules that take a decision about every incoming/outgoing packet they process based only on the packet header (source IP, destination IP and port); this is known as packet filtering or stateless firewalling.
Stateful Inspection Firewalls
After ACLs came the Stateful Inspection Firewalls, whose approach is known as stateful filtering. The main improvement over ACL packet filtering is that a stateful filtering firewall keeps track (by creating an entry in its session table) of the state of the network connections travelling across it (such as TCP streams or UDP communications) until the connection is closed.
This improvement lets the firewall take decisions based not only on a single packet, but also on the packet's history in the session table. It means that when a packet reaches the firewall, the firewall checks its session table: if a session already exists for this flow, the packet passes through that existing session; if there is no session, the packet is checked against the security policy to determine whether the traffic flow is permitted or denied.
Next-Generation Firewalls
Next-Generation Firewalls (NGFWs) include the typical functions of traditional firewalls, such as packet filtering, network and port address translation (NAT/PAT), stateful inspection and virtual private network (VPN) support. The goal of next-generation firewalls is to cover more layers of the OSI model (they are also known as Layer 7 firewalls), improving the filtering of network traffic based on packet contents.
NGFWs perform deeper inspection than stateful inspection firewalls. They use a more thorough inspection style that reaches OSI layer 7, the application layer (a stateful firewall only reaches OSI layer 4), checking packet payloads and matching signatures for applications or harmful activity such as exploit attempts and malware.
To make this clearer, you can filter traffic on the application HTTP rather than on TCP port 80. What does that mean? It means that if you filter on TCP port 80, all traffic flowing through that port will be allowed without further checks, whereas if you filter by the application HTTP, the traffic will only be allowed if it goes over TCP port 80 and complies with the HTTP protocol standard.
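The following is an added illustration, not code from the original article or from any firewall product: a miniature policy engine that shows the session-table behaviour described under Stateful Inspection and the "application HTTP versus TCP port 80" distinction described here. All packets, addresses, rules and the HTTP request check are constructed for the example; a real NGFW's application identification is far more elaborate than one regular expression.

```python
import re
# Added example (not from any firewall product): a miniature policy engine
# contrasting a port-only rule, a stateful session table and NGFW-style
# application identification, run on constructed packets (dicts). Positive
# security model: anything not matched by a rule is implicitly denied.
L4_RULES = [{"dport": 80, "app": None}]    # "permit TCP/80": port only
L7_RULES = [{"dport": 80, "app": "http"}]  # "permit application HTTP"
# Layer 7 check: a well-formed HTTP/1.x request line, else "unknown".
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
def identify_app(payload: bytes) -> str:
    return "http" if HTTP_REQUEST.match(payload) else "unknown"

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()  # session table: (src, sport, dst, dport)

    def process(self, pkt: dict) -> str:
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        # Stateful step: packets of an established session (either direction)
        # bypass the rule base; the entry is dropped when the connection closes.
        if key in self.sessions or reverse in self.sessions:
            if pkt.get("fin"):
                self.sessions -= {key, reverse}
            return "permit (existing session)"
        for rule in self.rules:  # first packet of a flow: consult the policy
            if rule["dport"] != pkt["dport"]:
                continue
            if rule["app"] is None or rule["app"] == identify_app(pkt["payload"]):
                self.sessions.add(key)
                return "permit (new session)"
        return "deny (implicit deny)"

# Constructed traffic: a genuine HTTP request, and non-HTTP bytes sent to
# TCP/80, which a port-only rule cannot tell apart from real web traffic.
CLIENT = {"src": "10.0.0.5", "sport": 51000, "dst": "192.0.2.10", "dport": 80}
HTTP_PKT = {**CLIENT, "payload": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"}
OTHER_PKT = {**CLIENT, "payload": b"SSH-2.0-constructed\r\n"}
REPLY_PKT = {"src": "192.0.2.10", "sport": 80, "dst": "10.0.0.5", "dport": 51000, "payload": b"HTTP/1.1 200 OK\r\n"}

def demo() -> dict:
    l4, l7 = Firewall(L4_RULES), Firewall(L7_RULES)
    return {
        "l4_other": l4.process(OTHER_PKT),  # port rule: permitted
        "l7_other": l7.process(OTHER_PKT),  # application rule: denied
        "l7_http": l7.process(HTTP_PKT),    # creates a session
        "l7_reply": l7.process(REPLY_PKT),  # server reply rides the session
        "l7_reply_alone": Firewall(L7_RULES).process(REPLY_PKT),  # no session
    }
```

Running demo() shows the two points of the text side by side: the server's reply is accepted only because the client's request created a session, and the non-HTTP bytes pass the port-80 rule but fail the application-HTTP rule.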