An organization creates a boundary whenever it connects its internal network to any external environment (the internet, a cloud platform, a partner network, a remote access infrastructure). To the other side of that line, (your) traffic flows constantly: users getting secure access to external services, applications communicating with cloud-hosted resources, remote workers accessing internal systems and threats searching for any point-of-entry left exposed. Network firewall is the chief control at the boundary of either allowing traffic to cross or blocking it.
This notion of being responsible for controlling what happens at the boundary is less clear in enterprise environments than it may seem. Today, enterprise networks have multiple perimeter boundaries: the connection between internal segments and the internet, on-premise systems and cloud infrastructure, headquarters networks and branch offices, as well as intra-data centre microsegments. Knowing what a network firewall does at each of those boundaries, and how its features align with the traffic and threats that define them, is essential for effective perimeter protection.
Security teams building or reviewing their enterprise perimeter architecture can examine network firewall for enterprise perimeter to understand how modern platform capabilities map to the specific requirements of guarding traffic at each type of network boundary.
How Enterprise Perimeter Traffic Appears
Enterprise perimeter traffic is anything but a monolithic stream. It is a blend of both authorized traffic bearing legitimate business activity and unauthorized or malicious traffic trying to exploit every opportunity to do so. What this mix looks like at the enterprise boundary is step one in understanding what a firewall must do to manage it.
- Example of Authorized inbound traffic: Requests for internet-facing services, return traffic from outbound connections initiated by internal users, VPN connections from remote workers, and communication from trusted partner networks.
- The types of authorized outbound traffic include the following: User access to external services, application-to-application communication with cloud platforms, and system updates and telemetry.
- Perimeter security threats are most commonly about unauthorized inbound traffic: Port scans, connection attempts to unexposed services, exploit attempts against known vulnerabilities, phishing payloads and command-and-control communications attempting to reach already compromised hosts within our network.
- Related: Unauthorized outbound traffic is equally important: data exfiltration attempts, internal hosts talking to known malicious infrastructure and malware also trying to set up outbound command-and-control channels.
All of this traffic, in both directions, needs to be evaluated at the enterprise perimeter by the network firewall, and in real-time.
Firewall at the Enterprise Boundary
Access Control and Default Deny
Answering the question of what traffic can and cannot cross the enterprise perimeter is how a network firewall at its basic function, works. A default deny policy is a necessity for proper enterprise perimeter rule-making – if there is not an explicit permit for some traffic flow, it is blocked. This approach leaves the attack surface that an external actor can see to only what the organization has specifically chosen to expose.
Practically, this implies that around the perimeter edge every service accessible through each port, each convention, each destination exists since a cognizant choice was made to empower it through strategy. Services we do not have explicit permissions to access are simply inaccessible from outside the boundary. When external actors are capable or persistent, this structural constraint is one of the most powerful means of limiting attack surfaces.
The technical and formal basis for this type of control is captured in authoritative standards guidance. The concept of boundary protection as defined across federal cybersecurity standards specifically as the monitoring and control of communications at the external boundary of an information system to prevent and detect malicious and unauthorized communications, is documented in the reference material on network boundary protection controls maintained by the National Institute of Standards and Technology.
Stateful Traffic Management
Enterprise firewalls not only access but also maintain a state table that monitors ongoing sessions for flow control in the network with respect to time. This is an important aspect of perimeter traffic management for two key reasons: For one it enables the firewall to permit return traffic for sessions legitimately initiated from inside without needing to keep permanent rules for all possible response destinations and ports. Second, it enables the firewall to reject incoming unsolicited traffic that pretends to target allowed service ports but is not associated with any legitimate active session.
An example of major vulnerability is a firewall that allows inbound traffic on port XXXX in order to allow access to a service it hosts, with the absence of stateful tracking; since all incoming source (ie. Any) on port XXXX will also be allowed through as well. Stateful inspection fills this gap by maintaining connection context throughout each session.
Application-Layer Traffic Inspection
At the enterprise perimeter, most threat traffic no longer comes in formats that can be easily identified and blocked with port and protocol filtering. Traffic at the application layer, HTTP and HTTPS traffic that could be legitimate web requests, communications between apps, API calls, or attack payloads, cannot be effectively distinguished from each other by devices working at the network layer. An enterprise firewall that is only allowed to examine network-layer aspects of traffic can only allow incoming HTTPS traffic to web-facing services, which means anything an attacker has concealed within a compliant HTTP request must be okay.
Next-gen firewall solutions resolve this challenge by extending inspection up the application stack to evaluate content and behavior of a traffic flow as opposed to only their addressing and connection properties. This allows the firewall to recognize certain types of applications and protocols regardless of port, inspect harmful patterns in allowed flows, identify protocol misuse as well as enforce content-based policies that determine with specificity what traffic can go where.
Further, the SSL and TLS inspection expands this capability to also inspect encrypted traffic which moreover now accounts for the majority of enterprise internet-facing traffic. Since you cannot inspect the content of encrypted sessions, an application-layer firewall is effectively blind to any threat that slips inside an allowed TLS container. SSL/TLS decryption enables the firewall to inspect interior content (payload) of packets that have been encrypted prior to reaching internal systems then re-encrypting the return signal before directing it back out again.
Traffic Direction and Perimeter Security Being Bidirectional
Inbound Traffic Control
Inbound perimeter traffic control is the piece that most closely correlates to enterprise firewall deployment. Malicious external actors probing for open ports, attempting to attack Internet-facing services or delivering phishing payloads directed at internal users are all threats that arrive at the inbound perimeter, at which a well-tuned firewall can be expected to catch them.
Inbound control requires clearly defined and kept rules. The exposure leveraged by attackers is made when broad permit rules allowing all traffic from any source on many ports are created. The granularity of access control is purposely restrictive such that only source, destination, port and protocol necessary for defined business functions are allowed (everything else is blocked), whittling the inbound attack surface down to its most viable minimum. Inbound rules should always be specific; reviewing and updating them is a continuous operational discipline, not a one-time configuration.
Outbound Traffic Control and Egress Filtering
Outbound traffic control is the dimension of perimeter security which is less consistently covered and equally as vital. Sophisticated attackers can leverage the assumption that traffic originating from inside the enterprise boundary is inherently trustworthy. Unless there is egress filtering available, an internal host that has been compromised can freely start outbound connections, setting up command-and-control channels, exfiltrating data over permitted protocols and downloading more tools or payloads into the environment.
Egress filtering at the enterprise perimeter defines which internal systems can talk where externally, on what ports and using what protocols. Systems that do not need to communicate outside on specific ports should be blocked from doing so at the perimeter. This kind of preemptive restriction prevents any attacker who has managed to gain remote access on an internal host, however that was achieved, from jumping onto other devices.
Enterprise Architecture: Perimeter Firewall
Internet Edge
From the enterprise viewpoint, most of the available placement options for them is at the internet edge ie. that Intrusion Prevention systems reside on critical location points hence they are embedded between any endpoint in an organization and the public internet. Firewalls at this boundary then control all ingress and egress traffic between the internal environment and external networks, including internet-facing applications, remote users, cloud services, and other external partners where perimeter access control is required.
Inbound and outbound rule sets (most services can specify source or destination OK). Default-deny policies make sure that any traffic not matching an explicit rule is blocked instead of allowed.
Internal Segmentation
In addition to perimeter protection, enterprise firewalls further enforce access control between different parts of the internal network, a function that has risen in significance as threats have become more advanced at moving laterally. Having a perimeter firewall to protect the environment from outside threat actors won’t stop an attacker with initial access gained from phishing/run-owning/captured credentials, or via an exploit of a public-facing app from lateral movement across the internal network.
Internal segmentation firewalls are used to enforce access control between various zones: between the user network and the server infrastructure, between production environments and development systems, or between financial systems and general business applications. Every allowed boundary supports the movement options of an adversary who owns any system in a given area.
Firewall As An Enterprise Security Architecture Component
The network firewall is the first line of perimeter security control in enterprise security programs, reducing the attack surface and applying access policy at the boundary. It does not operate alone. An intrusion prevention system inspects allowed traffic for attack patterns. The tools such as the endpoint detection approach, are only monitoring what is happening on the system level once access has been established. Securing information and events management platforms correlating firewall log data with all other event oceanic perception to find patterns across the perimeter.
The placement of the network firewall within this broader architecture as the access control layer that determines what reaches the inspection and detection layers beyond it makes its configuration quality and rule set maintenance practices among the most consequential operational security decisions an enterprise makes. The comprehensive framework of essential security tools in which firewalls operate as a foundational control alongside endpoint security, identity management, and detection technologies is documented in the practitioner coverage of enterprise security tools guide maintained by CSO Online’s security editorial team.
Frequently Asked Questions
What is the enterprise perimeter like for a network firewall?
The role of an enterprise perimeter network firewall is to inspect all traffic attempting to cross the border between internal networks and external environments, allowing traffic that matches access control rules while blocking everything else. It retains connection state so that it can identify bona fide return traffic from unsolicited inbound attempts, and contemporary platforms extend inspection all the way up to the application layer, assessing content of approved traffic flows for malicious patterns.
Why is outbound traffic control important at the enterprise perimeter?
Blocking outbound traffic prevents internal systems from externally communicating, disrupting attack infrastructure that requires resorting to establishing outbound channels after the initial compromise. Most malware that is transmitted into an internal host needs to communicate out with command-and-control and exfiltrate data. Egress filtering prevents those connections even when the host itself is compromised, restricting the functional reach available to an attacker who has evaded inbound perimeter controls.
How does a network firewall support internal network segmentation?
Network firewalls are positioned both at the external perimeter and also along internal network boundaries, controlling access between segments such as user networks, server infrastructure, and sensitive data environments. This type of internal segmentation restricts an attacker that has access to one segment from being able to move freely laterally, as moving onto a new boundary requires overcoming additional access control rather than allowing free reign of the entire internal environment based on initial access.
