Firewall
What is Firewall?
A network security device or software that monitors and controls inbound and outbound traffic based on a defined ruleset, separating trusted from untrusted networks.
A firewall enforces an access-control policy at a network boundary by inspecting packets and either allowing, denying, or logging them according to rules referencing source/destination IP, ports, and protocols. The technology evolved through three generations: stateless packet filters that judge each packet in isolation; stateful inspection, pioneered by Check Point FireWall-1 in 1994, which tracks connection state so return traffic is matched to an established session; and next-generation firewalls (NGFWs) that add application identification, TLS inspection, user awareness, and integrated IPS.
Perimeter firewalls have well-known blind spots: they cannot inspect encrypted east-west traffic inside a flat network, and a single permissive or shadowed rule can undermine the whole policy. Misconfiguration is the dominant real-world failure mode — the 2019 Capital One breach, which exposed roughly 100 million records, stemmed from an over-permissive web-application-firewall role abused via SSRF to reach cloud metadata. Effective deployment means default-deny rulebases, least-privilege rules, periodic recertification to remove stale entries, change management, and centralised logging fed to a SIEM to detect drift and lateral movement. Modern designs pair firewalls with micro-segmentation and zero-trust gateways rather than relying on a single hard perimeter.
```mermaid
flowchart TD
P[Incoming packet] --> S{Matches state table?}
S -- Yes --> A[Allow established flow]
S -- No --> R{Matches a rule?}
R -- Permit --> L[Allow, log, add to state table]
R -- Deny --> D[Drop or reject, log]
R -- No match --> DD[Default deny]
```
● Examples
- 01: A pfSense appliance blocking inbound SMB (TCP/445) from the internet.
- 02: An AWS security group permitting only HTTPS from the load balancer to an application server.
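The decision path in the flowchart and the two examples above can be exercised in a small simulation. The following Python is an added illustration, not code from this page, pfSense or AWS: it implements a first-match rulebase with default deny, a connection state table that lets return traffic bypass the rules, an out-of-state check (a TCP segment without SYN that belongs to no known flow is dropped even if a rule would otherwise permit it), and a shadowed-rule finder of the kind a rule recertification would run. The addresses (10.0.1.0/24 as the load-balancer subnet, 10.0.2.10 as the application server, 198.51.100.7 and 203.0.113.0/24 as internet sources), the rules and the packets are all constructed for the example.

```python
"""Stateful packet-filter simulation (constructed example, not vendor code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# 5-tuple identifying a flow: proto, src_ip, dst_ip, src_port, dst_port
FlowKey = Tuple[str, str, str, int, int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    syn: bool = False  # True for a TCP connection-opening segment


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    proto: str   # "tcp", "udp" or "any"
    dst_port: Optional[int] = None  # None matches every destination port


def _in_cidr(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _covers(outer: str, inner: str) -> bool:
    """True when every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(ipaddress.ip_network(outer, strict=False))


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_in_cidr(rule.src, pkt.src_ip) and _in_cidr(rule.dst, pkt.dst_ip)
            and rule.proto in ("any", pkt.proto) and rule.dst_port in (None, pkt.dst_port))


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers every packet they match."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                    and earlier.proto in ("any", later.proto)
                    and earlier.dst_port in (None, later.dst_port)):
                out.append(i)
                break
    return out


class StatefulFirewall:
    """First-match rulebase, default deny, connection state table, decision log."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: Set[FlowKey] = set()
        self.log: List[str] = []  # would be shipped to a SIEM in a real deployment

    def process(self, pkt: Packet) -> str:
        key: FlowKey = (pkt.proto, pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port)
        reverse: FlowKey = (pkt.proto, pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port)
        # Traffic of an established flow (either direction) never consults the rulebase.
        if key in self.state or reverse in self.state:
            return "allow-established"
        # A mid-connection TCP segment with no state entry is dropped before rule lookup.
        if pkt.proto == "tcp" and not pkt.syn:
            self.log.append(f"out-of-state {key}")
            return "deny-out-of-state"
        for i, rule in enumerate(self.rules):
            if rule_matches(rule, pkt):
                self.log.append(f"rule#{i} {rule.action} {key}")
                if rule.action == "permit":
                    self.state.add(key)
                    return "allow"
                return "deny"
        self.log.append(f"default-deny {key}")
        return "deny"


# Constructed rulebase mirroring the page's two examples, plus one stale entry.
RULES = [
    Rule("deny", "any", "any", "tcp", 445),                      # 01: block inbound SMB
    Rule("permit", "10.0.1.0/24", "10.0.2.10/32", "tcp", 443),    # 02: LB subnet -> app server, HTTPS only
    Rule("deny", "203.0.113.0/24", "10.0.2.10/32", "tcp", 445),   # fully shadowed by rule 0
]


def demo() -> dict:
    fw = StatefulFirewall(RULES)
    return {
        "smb": fw.process(Packet("tcp", "198.51.100.7", "10.0.2.10", 51000, 445, syn=True)),
        "https": fw.process(Packet("tcp", "10.0.1.5", "10.0.2.10", 40000, 443, syn=True)),
        "reply": fw.process(Packet("tcp", "10.0.2.10", "10.0.1.5", 443, 40000)),
        "stray_ack": fw.process(Packet("tcp", "10.0.1.9", "10.0.2.10", 40002, 443)),
        "ssh": fw.process(Packet("tcp", "10.0.1.5", "10.0.2.10", 40001, 22, syn=True)),
        "shadowed": shadowed_rules(RULES),
        "log": fw.log,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The stray ACK case is the one a stateless packet filter gets wrong: rule 1 would permit it on its 5-tuple alone, but with no SYN and no state entry the stateful engine drops it. The shadowed-rule finder flags rule 2 as dead weight, which is exactly the kind of stale entry a periodic recertification should remove, since such rules accumulate and hide the real policy.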
● Frequently asked questions
What is Firewall?
A network security device or software that monitors and controls inbound and outbound traffic based on a defined ruleset, separating trusted from untrusted networks. It belongs to the Network Security category of cybersecurity.
What does Firewall mean?
A network security device or software that monitors and controls inbound and outbound traffic based on a defined ruleset, separating trusted from untrusted networks.
How do you defend against Firewall?
Defences for Firewall typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Firewall?
Common alternative names include: Network firewall.