What Is a Firewall?

A firewall watches every packet trying to enter or leave your network and decides — based on rules you set — what gets through and what doesn't. It's the oldest piece of network security in the book and still one of the most important. PCI DSS makes it Requirement 1 for a reason: get the firewall wrong and most of the other controls don't matter.

What Is a Firewall?

A firewall is a security system that watches network traffic and decides — based on rules you've set — what's allowed through and what gets blocked. It's the gatekeeper between your network and the outside world.

The metaphor is exactly what the name suggests. A physical firewall stops fire spreading between sections of a building; a network firewall stops unauthorised traffic spreading from the internet into your systems. Firewalls have been around since the early days of the internet, and they're still one of the most important defences any business runs.

How Firewalls Work

Underneath, firewalls inspect network packets — the small chunks of data that flow across networks — and check them against a rule set. The rules say what kinds of traffic are allowed and what's blocked. A typical rule might allow HTTPS on port 443 but block anything on port 23, because port 23 belongs to Telnet, which is ancient and insecure and has no business being open in 2026.

Modern firewalls do more than read port numbers. They inspect the actual content of traffic, identify which application is sending it, spot suspicious patterns, and in some cases decrypt traffic, inspect it, and re-encrypt it on the way through.

Types of Firewalls

  • Packet-filtering firewalls — the simplest kind. Look at each packet on its own, allow or block based on source, destination, port, and protocol. Fast but blind to anything more sophisticated than "is this port allowed?"
  • Stateful inspection firewalls — track the conversation, not just individual packets. They understand that a reply belongs to a request you sent ten seconds ago, which makes them much better at spotting traffic that doesn't belong.
  • Next-generation firewalls (NGFWs) — combine the basics with application awareness, intrusion prevention, deep packet inspection, and threat intelligence feeds. Most enterprise networks run something in this category.
  • Web application firewalls (WAFs) — purpose-built for HTTP and HTTPS traffic. They sit in front of web applications and block the attacks the web is famous for: SQL injection, cross-site scripting, credential stuffing. Cloudflare's WAF is probably the most widely deployed example.
  • Cloud firewalls — the same protections, delivered as a service. They scale with your infrastructure instead of asking you to size a box for peak load you'll hit twice a year.
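To make the difference between the first two types concrete, here is an added toy model (not Paytia's code, and not a real firewall engine): a constructed default-deny rule set evaluated two ways, once packet by packet and once with a table of conversations the inside network started. The packet, rule and address values are all made up for the illustration.

```python
# Added illustration of packet filtering versus stateful inspection.
# Toy model only: not Paytia's code and not a real firewall engine.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the internet, "out" = leaving the network
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed rule set, evaluated top to bottom; first match wins.
# Each entry is (direction, proto, dst_port, action); unmatched traffic gets DEFAULT_ACTION.
RULES = [
    ("out", "tcp", 443, "allow"),   # HTTPS to the internet
    ("out", "tcp", 23, "deny"),     # Telnet has no business leaving the network
    ("in", "tcp", 23, "deny"),      # ...or entering it
]
DEFAULT_ACTION = "deny"             # default-deny: anything not listed is blocked


def packet_filter(pkt: Packet) -> str:
    """Stateless decision: each packet is judged on its own header fields."""
    for direction, proto, port, action in RULES:
        if (pkt.direction, pkt.proto, pkt.dst_port) == (direction, proto, port):
            return action
    return DEFAULT_ACTION


class StatefulFilter:
    """Same rules, plus a table of conversations the inside network initiated."""

    def __init__(self) -> None:
        self.flows: set[tuple] = set()   # (proto, src_ip, src_port, dst_ip, dst_port)

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "in":
            # A reply reverses the 5-tuple of the outbound packet that opened the flow.
            originating = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            if originating in self.flows:
                return "allow"           # belongs to a conversation we started
            return packet_filter(pkt)    # otherwise fall back to the static rules
        action = packet_filter(pkt)
        if action == "allow":
            self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return action


def run_demo() -> dict[str, tuple[str, str]]:
    """Return {scenario: (stateless decision, stateful decision)} for constructed traffic."""
    fw = StatefulFilter()
    scenarios = [
        # Inside host opens HTTPS to a web server (constructed addresses).
        ("https_out", Packet("out", "tcp", "10.0.0.5", 51000, "203.0.113.10", 443)),
        # The server's reply to that request.
        ("https_reply", Packet("in", "tcp", "203.0.113.10", 443, "10.0.0.5", 51000)),
        # Something from a different host that merely looks like a reply.
        ("unsolicited_in", Packet("in", "tcp", "198.51.100.7", 443, "10.0.0.5", 51000)),
        # An outbound Telnet attempt.
        ("telnet_out", Packet("out", "tcp", "10.0.0.5", 51001, "203.0.113.10", 23)),
    ]
    return {name: (packet_filter(pkt), fw.decide(pkt)) for name, pkt in scenarios}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_demo().items():
        print(f"{name:15} stateless={stateless:5} stateful={stateful}")
```

The interesting row is the HTTPS reply: the stateless filter has no rule for an inbound packet to port 51000, so default-deny drops the server's answer, and the only way to let it through with pure packet filtering is a blanket inbound rule for high ports. The stateful filter allows exactly that reply because it recorded the outbound flow, while the unsolicited packet that looks the same on the surface still gets blocked.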

Firewalls and PCI DSS

Firewalls aren't optional under PCI DSS — they're Requirement 1, the very first thing the standard talks about. The standard mandates network security controls (primarily firewalls) to protect the cardholder data environment. In practice that means:

  • Firewall rules restricting traffic into and out of the cardholder data environment
  • Blocking every connection that isn't explicitly required for the business to function
  • Reviewing the firewall rule set at least every six months
  • Documenting a business justification for every permitted connection

The standard also wants default passwords changed on firewall devices, configurations backed up, and any rule changes going through formal change management — which sounds obvious until you've seen how often someone adds a temporary rule on a Friday afternoon and forgets to remove it.

Why Firewalls Matter for Businesses

If you handle payment data, the firewall isn't negotiable. It's the first line of defence against the automated scanners that crawl the internet day and night looking for weak spots, and a properly configured firewall blocks the vast majority of that noise before it reaches anything important.

But — and this is where most firewall stories go wrong — the kit is only as good as the rules. A firewall with permissive rules, or rules that haven't been updated since the network changed shape, gives you a false sense of safety. Regular review is the difference between a working firewall and a very expensive paperweight.

Firewalls in Telephone Payment Environments

In contact centres and any business taking phone payments, the firewall has a specific job: keep the telephony infrastructure separated from the payment processing environment and the rest of the corporate network. If your phones are VoIP — and they almost certainly are — they're computers on your network and they need the same firewall protection as any other server.

The rule set in those environments has to be careful about which systems can talk to the payment gateway, which ports are open for SIP and RTP traffic, and how agent workstations are isolated from the sensitive payment plumbing. When card data is taken out of the voice channel through DTMF masking, the firewall config gets noticeably simpler — there are fewer data flows to police, and fewer paths a card number could take through the network.

Practical Considerations

  • Document every rule and the business reason it exists. "Because it's always been there" is not a business reason.
  • Review the rule set at least every six months — PCI DSS says so, and you'll want the audit trail anyway.
  • Delete rules nobody needs anymore. Firewalls collect rules the way attics collect boxes; the rule someone added for a project in 2022 is probably still active.
  • Test from the outside, not just the inside. An external vulnerability scan will show you holes that look invisible from inside the network.
  • Patch the firewall itself. Firewalls have firmware, firmware has bugs, and the bugs get exploited. The kit protecting you also needs protecting.
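The PCI DSS points above (a business justification for every permitted connection, a review at least every six months, blocking anything not explicitly required), the segmentation described for telephone payment environments, and the practical considerations in this list all come down to the same discipline: look at each rule and ask whether it should still exist. As an added example, not Paytia's tooling, here is a small hygiene check run over a constructed rule set. The zone names, the segmentation policy in FORBIDDEN_PATHS, the 183-day reading of "six months" and the rule records themselves are all assumptions made for the illustration; a real export from a firewall would need its own parser.

```python
# Added example of a firewall rule-set hygiene check. Constructed data and zone
# names; not Paytia's tooling and not any vendor's export format.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str           # "tcp", "udp" or "any"
    dst_port: str        # "443", "5060", a range like "10000-20000", or "any"
    justification: str   # business reason on record; empty string if none
    last_reviewed: date


# Assumption: "at least every six months" is checked as 183 days.
REVIEW_INTERVAL = timedelta(days=183)

# Constructed segmentation policy for a contact centre: zone pairs that must
# never have a direct permit, whatever the port.
FORBIDDEN_PATHS = {
    ("agent-workstations", "payment-gateway"),
    ("internet", "payment-gateway"),
    ("telephony", "corporate-lan"),
}

# Phrases that are not a business reason ("because it's always been there").
NON_REASONS = ("always been there", "legacy", "temporary", "tbc")


def audit(rules: list[Rule], today: date) -> list[tuple[str, str]]:
    """Return (rule name, finding) pairs for every rule that fails a check."""
    findings = []
    for r in rules:
        reason = r.justification.strip().lower()
        if not reason or any(p in reason for p in NON_REASONS):
            findings.append((r.name, "no real business justification recorded"))
        if today - r.last_reviewed > REVIEW_INTERVAL:
            findings.append((r.name, "not reviewed in the last six months"))
        if "any" in (r.src_zone, r.dst_zone, r.proto, r.dst_port):
            findings.append((r.name, "over-permissive: matches 'any'"))
        if (r.src_zone, r.dst_zone) in FORBIDDEN_PATHS:
            findings.append((r.name, f"permits forbidden path {r.src_zone} -> {r.dst_zone}"))
    return findings


# Constructed rule set for a telephone-payment environment.
SAMPLE_RULES = [
    Rule("sip-trunk-in", "internet", "telephony", "udp", "5060",
         "SIP signalling from carrier trunk", date(2025, 12, 1)),
    Rule("rtp-media", "internet", "telephony", "udp", "10000-20000",
         "RTP media for inbound calls", date(2025, 12, 1)),
    Rule("gateway-https-out", "payment-zone", "internet", "tcp", "443",
         "Card authorisation requests to acquirer API", date(2025, 11, 15)),
    # The Friday-afternoon rule nobody removed.
    Rule("temp-friday-fix", "agent-workstations", "payment-gateway", "any", "any",
         "", date(2022, 10, 14)),
    # Telnet from the phone estate into the corporate LAN, kept for no stated reason.
    Rule("legacy-mgmt", "telephony", "corporate-lan", "tcp", "23",
         "Always been there", date(2024, 6, 1)),
]


def audit_sample(today_iso: str = "2026-03-01") -> list[tuple[str, str]]:
    """Run the audit over SAMPLE_RULES as of a given date (ISO format)."""
    return audit(SAMPLE_RULES, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for name, finding in audit_sample():
        print(f"{name:20} {finding}")
```

The three legitimate rules (SIP signalling, RTP media, the gateway's outbound HTTPS) pass cleanly. The temporary rule fails every check at once, and the Telnet rule fails on justification, review age and segmentation, which is the pattern a six-monthly review is meant to surface before an assessor does.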

Firewalls in the Modern Landscape

The role of the firewall is shifting as businesses move into the cloud and people work from everywhere. The old model assumed the network had a hard outer shell — inside was trusted, outside wasn't. Zero trust architecture throws that out: every connection is treated as potentially hostile regardless of where it's coming from. Cloud-native firewalls, security groups, and network access control lists provide the same kind of filtering inside cloud environments. Endpoint firewalls protect individual laptops wherever they happen to be sitting that week. The principle hasn't changed — watch the traffic, enforce the rules — but the perimeter isn't a wall anymore. It's a lot of small fences arranged around what actually matters.

How Paytia Uses This

Paytia's PCI DSS Level 1 certified platform incorporates firewalls as part of its thorough security approach. By processing phone payments through DTMF suppression, Paytia ensures card data is protected at every stage.

Frequently Asked Questions

What is a firewall?

A firewall is a network security system that watches incoming and outgoing traffic and decides what's allowed based on rules you set. It's the barrier between your trusted internal network and the untrusted internet on the other side.

Why are firewalls important for PCI DSS?

Firewalls are PCI DSS Requirement 1 — the very first thing the standard mandates. Every organisation handling card data has to install and maintain network security controls (primarily firewalls) to protect the cardholder data environment from outside threats.

How does Paytia handle firewalls?

We run firewalls as part of our PCI DSS Level 1 certified infrastructure, isolating the card data environment from everything else and reviewing rules on the schedule PCI requires. Our customers' phone payments flow through that environment, which means their own contact-centre firewall configuration gets significantly simpler.
