Firewall
A Firewall is a security component in system and network design that monitors, filters, and controls incoming and outgoing traffic based on pre-defined security rules. It acts as a barrier between trusted and untrusted networks, such as a corporate network and the public internet.
Think of it as a gatekeeper: it decides what traffic is allowed to pass and what should be blocked.
Why Use a Firewall in System Design?
In modern system design, firewalls are essential for:
- Network security
- Preventing unauthorized access
- Monitoring suspicious activities
- Segmenting internal services
- Compliance (e.g., PCI-DSS, HIPAA)
Types of Firewall
| Type | Description |
|---|---|
| Packet-filtering Firewall | Filters traffic based on IPs, ports, protocols |
| Stateful Firewall | Tracks active connections; allows return traffic |
| Application-layer Firewall (Proxy) | Filters traffic for specific applications (e.g., HTTP, FTP) |
| Next-Gen Firewall (NGFW) | Includes IDS/IPS, deep packet inspection, malware filtering |
| Cloud-based Firewall (FWaaS) | Firewall as a service for cloud-native apps |
Firewall Workflow
Typical Rules Defined in a Firewall:
- Allow HTTP (port 80) and HTTPS (port 443) from the public internet to the web tier
- Block all access to internal databases from outside; only the application tier may reach them
- Only allow SSH from the internal (administrative) network, never from the internet
```
            +------------------------+
            |    Internet (Public)   |
            +-----------+------------+
                        |
                        v
               +------------------+
               |  Firewall (NGFW) |
               +--------+---------+
                        |
     +------------------+------------------+
     |                  |                  |
     v                  v                  v
Web Server (80/443)  App Server (8080)  DB Server (3306)
[Public Access]      [Internal Access]  [No Internet Access]
```
Behavior:
- Firewall allows HTTP/HTTPS from the internet to Web Server
- App Server only accepts traffic from Web Server IPs
- DB Server only accepts traffic from App Server, not from outside
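The behavior list above can be checked against a concrete rule table. The following Python is an added example, not code from the original page: it models a first-match, default-deny packet filter for the three tiers, using assumed RFC 1918 addresses (10.0.1.10 web, 10.0.2.10 app, 10.0.3.10 DB, 10.0.9.0/24 admin network) and constructed packets, and also shows what happens when a broad deny is placed above the allow it was meant to qualify.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

# Constructed address plan for the three tiers in the diagram
# (illustrative RFC 1918 ranges, assumed for this example).
INTERNAL = ip_network("10.0.0.0/8")
WEB_SERVER = ip_address("10.0.1.10")
APP_SERVER = ip_address("10.0.2.10")
DB_SERVER = ip_address("10.0.3.10")
ADMIN_NET = ip_network("10.0.9.0/24")   # the only source allowed to SSH


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


class Rule(NamedTuple):
    action: str                  # "allow" or "deny"
    src: str                     # CIDR; "0.0.0.0/0" means any source
    dst: str                     # CIDR
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


# First-match-wins rule table for the topology above. There is no
# explicit "deny" row: anything not matched falls through to default deny.
RULES = [
    Rule("allow", "0.0.0.0/0", f"{WEB_SERVER}/32", "tcp", 80, "HTTP from the internet"),
    Rule("allow", "0.0.0.0/0", f"{WEB_SERVER}/32", "tcp", 443, "HTTPS from the internet"),
    Rule("allow", f"{WEB_SERVER}/32", f"{APP_SERVER}/32", "tcp", 8080, "web tier -> app tier only"),
    Rule("allow", f"{APP_SERVER}/32", f"{DB_SERVER}/32", "tcp", 3306, "app tier -> DB only"),
    Rule("allow", str(ADMIN_NET), str(INTERNAL), "tcp", 22, "SSH from the admin network"),
]


def evaluate(pkt: Packet, rules=RULES) -> str:
    """Return 'allow' or 'deny': the first matching rule wins, and a packet
    that matches no rule is denied (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def policy_results() -> dict:
    """Evaluate the scenarios from the 'Behavior' list (constructed packets)."""
    internet = "203.0.113.5"   # documentation-range address standing in for an outside host
    cases = {
        "internet->web:443": Packet(internet, str(WEB_SERVER), "tcp", 443),
        "internet->db:3306": Packet(internet, str(DB_SERVER), "tcp", 3306),
        "internet->app:8080": Packet(internet, str(APP_SERVER), "tcp", 8080),
        "web->app:8080": Packet(str(WEB_SERVER), str(APP_SERVER), "tcp", 8080),
        "web->db:3306": Packet(str(WEB_SERVER), str(DB_SERVER), "tcp", 3306),
        "app->db:3306": Packet(str(APP_SERVER), str(DB_SERVER), "tcp", 3306),
        "internet->web:22": Packet(internet, str(WEB_SERVER), "tcp", 22),
        "admin->web:22": Packet("10.0.9.7", str(WEB_SERVER), "tcp", 22),
    }
    return {name: evaluate(pkt) for name, pkt in cases.items()}


# A common operator mistake: a broad "block all access to the DB" placed
# above the narrow allow it was supposed to qualify. First match wins, so
# the legitimate app-tier connection is now denied as well.
MISORDERED = [Rule("deny", "0.0.0.0/0", f"{DB_SERVER}/32", comment="block all access to DB")] + RULES


def misordered_result() -> str:
    return evaluate(Packet(str(APP_SERVER), str(DB_SERVER), "tcp", 3306), MISORDERED)


if __name__ == "__main__":
    for name, verdict in policy_results().items():
        print(f"{name:20s} {verdict}")
    print("app->db with misordered deny:", misordered_result())
```

Only the rows in RULES open anything; every other packet, including the web tier talking straight to the database or an internet host probing port 22, lands on the default deny. The misordered table shows why rule order has to be reviewed whenever explicit deny rows are added.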
Where Firewalls Fit
| Layer | Example |
|---|---|
| Network Layer | AWS Security Groups (instance level, stateful), VPC Network ACLs (subnet level, stateless) |
| Host-based | Linux iptables, Windows Firewall |
| Application Layer | Web Application Firewall (WAF) |
| Cloud-native | GCP Firewall Rules, Azure NSGs |
Stateful vs Stateless Firewall
| Feature | Stateless | Stateful |
|---|---|---|
| Tracks sessions | ❌ No | ✅ Yes |
| Performance | ⚡ Fast, no per-connection memory | 🚦 Slightly slower; keeps a connection table that can be exhausted (e.g., by a SYN flood) |
| Security | Basic filtering; return traffic must be opened statically, so unsolicited packets that look like replies (e.g., ACK-only probes) get through | Admits return traffic only for connections it saw being opened, so out-of-state packets are dropped |
| Example Use | Edge routers | Internal firewalls, app security |
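To make the difference concrete, here is an added Python example (not code from the original page) that models both kinds of filter against a constructed app-server-to-database TCP handshake followed by an attacker's ACK-only probe to port 3306, the kind of packet an ACK scan sends. Addresses and ports are assumptions for illustration.

```python
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags as letters: "S" = SYN, "A" = ACK, "SA" = SYN-ACK


# Assumed addresses for the example.
APP_SERVER = "10.0.2.10"
DB_SERVER = "10.0.3.10"
ATTACKER = "203.0.113.5"


def stateless_filter(pkt: Packet) -> str:
    """A stateless packet filter has no memory of earlier packets, so to let
    replies back in it must accept any packet that merely looks like a reply:
      1. allow new connections (SYN) from the app server to the DB port
      2. allow anything with ACK set, the classic 'established' approximation
      3. deny everything else"""
    if (pkt.src == APP_SERVER and pkt.dst == DB_SERVER
            and pkt.dport == 3306 and pkt.flags == "S"):
        return "allow"
    if "A" in pkt.flags:
        return "allow"
    return "deny"


class StatefulFilter:
    """A stateful filter records connections it admitted and only lets a
    packet through if it opens a permitted connection or belongs to one
    already in the table (in either direction)."""

    def __init__(self) -> None:
        self.table: set = set()   # (src, sport, dst, dport) of admitted connections

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse(pkt: Packet) -> tuple:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> str:
        # Established traffic: the packet matches a tracked connection.
        if self._key(pkt) in self.table or self._reverse(pkt) in self.table:
            return "allow"
        # New connection: only a SYN from the permitted source creates state.
        if (pkt.flags == "S" and pkt.src == APP_SERVER
                and pkt.dst == DB_SERVER and pkt.dport == 3306):
            self.table.add(self._key(pkt))
            return "allow"
        # Anything out of state, including ACK-only probes, is dropped.
        return "deny"


def compare() -> dict:
    """Run a legitimate handshake and then an attacker's probe through both filters."""
    fw = StatefulFilter()
    handshake = [
        Packet(APP_SERVER, 51000, DB_SERVER, 3306, "S"),    # app opens a connection
        Packet(DB_SERVER, 3306, APP_SERVER, 51000, "SA"),   # DB replies
        Packet(APP_SERVER, 51000, DB_SERVER, 3306, "A"),    # handshake completes
    ]
    # Constructed probe: ACK set, no prior SYN, aimed straight at the DB port.
    probe = Packet(ATTACKER, 40000, DB_SERVER, 3306, "A")
    return {
        "stateless_handshake": [stateless_filter(p) for p in handshake],
        "stateful_handshake": [fw.filter(p) for p in handshake],
        "stateless_probe": stateless_filter(probe),
        "stateful_probe": fw.filter(probe),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:20s} {verdict}")
```

Both filters pass the legitimate handshake, but only the stateful one rejects the probe, because the attacker never sent a SYN that the firewall admitted. The price is the connection table: a real implementation also tracks TCP state transitions and ages entries out, and the table is what a SYN flood tries to fill, which is why stateful devices need connection limits or SYN cookies in front of exposed services.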
Firewall Rule Syntax
In a cloud provider like AWS, this could look like:
```
Security Group: WebServerSG
Inbound:
  - Protocol: TCP, Port: 80,   Source: 0.0.0.0/0    (Allow HTTP)
  - Protocol: TCP, Port: 443,  Source: 0.0.0.0/0    (Allow HTTPS)
Outbound:
  - Protocol: ALL, Destination: 0.0.0.0/0           (Allow all)

Security Group: DBServerSG
Inbound:
  - Protocol: TCP, Port: 3306, Source: AppServerSG  (Allow only the app tier)
```

Two properties of AWS security groups matter here. They are stateful, so the reply to an allowed inbound request is permitted automatically and needs no outbound rule. They contain only allow rules: anything not listed is denied, so DBServerSG needs no explicit "deny" entry to keep the internet out, and referencing AppServerSG by group rather than by IP address means any instance in that group may connect while nothing else can. Explicit deny rules belong in the stateless subnet-level layer (VPC network ACLs).
Example of a Firewall
Problem: You’re building an online store with web servers, application servers, and a database. You want to:
- Allow customers to browse and buy products online
- Prevent attackers from directly accessing the database
- Reduce the attack surface exposed to port scans and connection-flood DDoS attempts (a volumetric DDoS that saturates the uplink must be mitigated upstream, by the ISP or a scrubbing service; a firewall on your own side cannot stop it)
Solution: Implement a firewall with rules like these, evaluated top to bottom with the first match winning:
| Traffic | Action |
|---|---|
| TCP 80/443 from anywhere to the web server | ✅ Allow |
| TCP 3306 from the App Server IP to the DB server | ✅ Allow |
| TCP 22 from internal admin IPs to any server | ✅ Allow |
| Any other traffic to the DB server | ❌ Deny |
| Everything else (all unused ports) | ❌ Deny (default) |
The allow for port 3306 must sit above the deny for the DB server: in a first-match engine a broad deny placed first silently breaks the app-to-DB path, and the final default deny makes every port that is not explicitly opened unreachable.