No security professional, IT guru, or shade tree PC tech will ever tell you to connect directly to the Internet unprotected. If you ask anyone, they will all say you need a firewall to protect your data and all the devices in your home or office. “Of course! A firewall! Even I know that,” you say. But then you ask. “What is a Firewall?”

The only dumb questions are the ones not asked. Too many of us in the computing field take for granted that the average home and business user don’t care how the Internet works, it just needs to be fast and secure. In this blog, I will explain exactly what a firewall is and isn’t. I will also explain how to pick the right combination of options for your needs. If you do want to know how the Internet works, click here (Link).

Firewall or Router?

First, don’t confuse the term “firewall” with “router”. While you can block ports on a router to emulate a firewall, a router simply moves data from one place to another without looking at the traffic. Think of it as a traffic light or the Interstate. Routers are essential in getting data from one place to another.

A firewall may have a router built in, but the firewall’s primary purpose is protection from the outside. The firewall sits between you and the Internet or any untrusted network. All traffic from the inside may be allowed to go out anywhere on the Internet, but no traffic from the outside is allowed in, unless the traffic originated inside. When bots and hackers scan the firewall IP address looking for open ports, the firewall recognizes the scan and refuses to respond, mostly.

Multiple Firewalls?

Many companies have multiple firewalls that protect internal users and confidential data from a guest wireless network or the warehouse. This is called Defense in Depth. A firewall sits between the company and the Internet. Then there is a section called the Demilitarized Zone (DMZ). This is where Internet-facing servers, like Web and Email servers, and shared systems can sit and communicate back and forth to the Internet. There is another firewall that protects the company as a whole from the DMZ. Separation of duties and the increase in data protection leads many companies to create individual firewalls for sensitive departments, such as Human Resources and Billing, to block traffic from the rest of the company.

Home users and Small and Medium Business (SMB) typically only need a single firewall device. Most don’t have a firewall at all. “But, Mr. Hacker,” you say. “My Internet Service Provider (ISP) gave me a secure Internet router with my service.” It’s not a firewall. It is a poorly secured mini computer with an open-source version of Linux with a limited number of preprogrammed passwords that passes traffic back and forth to the Internet provider. Remember, a router is NOT a firewall.

Firewall Basics

Attaching to the Internet involves certain inherent risks. To fully protect yourself you need to ensure you size and purchase the right tool for the job.

Sizing

Firewalls, like all network devices, physically connect to the network or Internet through a physical cable. Some connect wirelessly, but understanding bandwidth and connection speeds are key. If you pay for 50 Megabits per second (Mbps) from your ISP, your firewall must be able to support at least 50 Mbps to the ISP. Read about bandwidth naming conventions here (Link). Also be sure to confirm how many devices the firewall supports internally. Because the firewall is a mini computer, it must have enough processor and memory to pass traffic for all of you devices. Read about bandwidth sizing here (Link).

Updates

Firewalls require constant firmware and software updates as the manufacturers finds and fixes issues on their system. Every manufacturer will have updates and you must stay on top of them. Not updating your firewall or Internet router will allow a bot or hacker to log right into your network without a password! Look up your firewall or router at the Mitre Vulnerabilities site (Link). When is the last time you updated your Internet router or firewall? Nearly all quality devices on the market today include automatic updates. DO NOT buy a firewall without this capability unless you have a full-time staff to manage it.

Firewall Advanced

Intrusion Prevention Systems (IPS)

This may also be referred to as IDPS, meaning Intrusion Detection and Prevention Systems, but nearly all newer systems simply state IPS. It functions as a subsystem of the firewall, monitoring traffic as it flows in and out of the firewall. Using stateful packet inspection, the IPS can see inside the traffic stream to determine if a malicious person, application, or bot is masking as a legitimate user, computer, or service.

Encrypted Packet Inspection (HTTPS)

The Internet is built on HyperText Transmission Protocol (HTTP). If you look at your browser now, you’ll see this website begins with HTTPS. The “S” indicates Secure, or encrypted. How can a firewall see what is inside an encrypted packet? Newer firewalls have the horsepower and programming to decrypt the traffic, inspect what’s going on in there, and encrypt it again before sending it on its way. This ensures users who find themselves redirected to a malicious website aren’t accidentally downloading malware, ransomware, or a remote access backdoor.

Security Subscriptions

Very few consumer-grade devices include a subscription-based service to protect your device and network. This is a mainstay of corporate firewalls. The firewall communicates with a live global database of known threats, websites, and IP addresses. If someone on your network attempts to access one of these forbidden locations, the connection is dropped and the user is warned.

Domain Name Service (DNS) Protection

Not many subscription services include Domain Name Service (DNS) monitoring and protection. This ensures that users aren’t tricked into accepting faulty or fake DNS requests, sending the user to a malicious website instead of where they wanted to go. This is a paid service and nearly all major organizations use it to protect their users.

Geofencing

One of the greatest features of newer firewalls is the ability to block traffic to and from specific countries. How does it work? Every country has a specific block of IP addresses assigned to them. The firewall knows those addresses and all traffic destined to or from those countries can be blocked. Never have a reason to send and receive traffic from China? Block it! In fact, we could reduce our overall global Internet bandwidth if ISPs would simply block traffic at the submarine fiber plants.

To WiFi or Not To WiFi

Most consumer-grade and SMB firewall devices include wireless capability with the unit. This should be sufficient if your load is low, say five (5) devices or less, and they are all in close proximity. If you want to pile on the devices or include a protected guest wireless network or enable WPA3 security or need to cover a large area, you must use a separate wireless Access Point (AP). Let the firewall manage security and the wireless AP manage the wireless. A future blog will dive deep into wireless coverage and best practices.

SIDEBAR – You probably have heard that your computer includes a firewall. True, this is a software firewall, typically built into Windows or part of your endpoint protection software. While this can protect you from certain local threats, it is not meant to protect you from direct access to the Internet.

Is the Expensive Firewall Worth It?

You can buy an Internet router from Wally World for $25. You get what you pay for. It supports only five (5) internal devices, a maximum Internet speed of 1 Gigabits per second, a 1-year warranty, and no support. Seven (7) vulnerabilities have been found on this device in 2024 alone and it does not offer automatic updates!

Wally World’s top of the line consumer device sells for $130, supports up to 20 devices, maximum Internet speeds of 1 Gibabits per second, a 1-year warranty, automatic updates, and a 30-day trial of security subscription. Automatic updates are good because there are seven (7) open vulnerabilities on this device from 2023.

To Best Honest (TBH)

Honestly, the more you need to protect, the more you should spend. Don’t believe that the most expensive is the best, either. Don’t simply buy on name. Ask an IT professional for help. They can guide you through the pitfalls of buying networking equipment for you and your organization. I recommend not buying any network equipment from Wal-Mart.

DO NOT buy any new or used network device from eBay, Amazon, Wal-Mart, or other retail site. Do your research or ask a professional. You have no idea what malicious software is hiding on it or who will have direct access to your computers, phones, and data. And you can’t get rid of firmware with a factory reset. Don’t take my word for it (Link).