Firewall

A firewall is a security component that monitors, filters and controls network traffic based on defined rules in order to prevent unauthorised access between networks or systems.

A firewall is a central technical safeguard in network security. It inspects inbound and outbound traffic at the boundary between networks of differing trust levels against a defined rule set and either permits or blocks it. In doing so, it enforces an organisation's security policy on the network and forms a core element of layered defence (defense in depth). Technically, a distinction is made between packet filters (decisions on static header fields such as addresses and ports), stateful firewalls (which additionally track the state of connections), application-level gateways (proxies that terminate and re-establish the connection) and modern next-generation firewalls, which additionally provide deep packet inspection, application awareness and integrated threat prevention.

The effectiveness of a firewall depends heavily on a consistent, regularly reviewed rule set that follows the principle of least privilege: only explicitly required traffic is permitted, while everything else is discarded by a default-deny stance. Firewalls are typically used for network segmentation in order to separate security zones from one another, contain the spread of malware (lateral movement) and isolate particularly sensitive systems. In modern zero-trust architectures, micro-segmentation and identity-based filtering complement the traditional perimeter firewall.
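The following Python model, added here as an illustration and not taken from the page or from any product, shows what the default-deny, first-match rule set described above looks like in practice, and why a stateful filter is safer than a plain packet filter. The zone address ranges, the rules and the packets are constructed for the example; the stateless variant needs an extra rule that lets the web portal's replies back in, and that rule is exactly what an attacker in the DMZ can abuse by choosing source port 443.

```python
"""Zone-based packet filter: default deny, first match, optional connection tracking."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Security zones of the segmentation example; the address ranges are assumed.
ZONES = {
    "office": ip_network("10.10.0.0/16"),
    "ot": ip_network("10.20.0.0/16"),
    "dmz": ip_network("192.168.100.0/24"),
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int] = None   # None matches any destination port
    sport: Optional[int] = None   # None matches any source port
    action: str = "allow"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

def zone_of(addr: str) -> Optional[str]:
    ip = ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), None)

class Firewall:
    def __init__(self, rules, stateful):
        self.rules = list(rules)
        self.stateful = stateful
        self.conntrack = set()   # 5-tuples of connections that were explicitly allowed

    def evaluate(self, p: Packet) -> str:
        # Stateful: replies to a tracked connection pass without an explicit rule.
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if self.stateful and reverse in self.conntrack:
            return "allow"
        src, dst = zone_of(p.src), zone_of(p.dst)
        for r in self.rules:   # first match wins
            if (r.src_zone, r.dst_zone, r.proto) != (src, dst, p.proto):
                continue
            if r.dport is not None and r.dport != p.dport:
                continue
            if r.sport is not None and r.sport != p.sport:
                continue
            if r.action == "allow" and self.stateful:
                self.conntrack.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return r.action
        return "deny"   # default deny: anything not explicitly permitted is dropped

# Least-privilege rule set: only the two documented flows are allowed.
BASE_RULES = [
    Rule("office", "dmz", "tcp", dport=443),   # office clients -> internal web portal
    Rule("dmz", "ot", "tcp", dport=4840),      # historian in the DMZ -> OPC UA server
]
# A stateless filter cannot recognise replies, so it needs this hole to let them in.
STATELESS_REPLY_RULE = Rule("dmz", "office", "tcp", sport=443)

def demo():
    """Evaluate four constructed packets with and without connection tracking."""
    request = Packet("10.10.5.7", "192.168.100.10", "tcp", 51000, 443)   # office -> portal
    reply = Packet("192.168.100.10", "10.10.5.7", "tcp", 443, 51000)     # portal's answer
    lateral = Packet("10.10.5.7", "10.20.1.20", "tcp", 51001, 502)       # office -> OT Modbus
    # Crafted: a compromised DMZ host uses source port 443 to reach an office SMB port.
    crafted = Packet("192.168.100.10", "10.10.5.7", "tcp", 443, 445)
    probes = (request, reply, lateral, crafted)
    stateful = Firewall(BASE_RULES, stateful=True)
    stateless = Firewall(BASE_RULES + [STATELESS_REPLY_RULE], stateful=False)
    return {
        "stateful": [stateful.evaluate(p) for p in probes],
        "stateless": [stateless.evaluate(p) for p in probes],
    }

if __name__ == "__main__":
    print(demo())
```

Both variants drop the office-to-OT attempt, because no rule permits it. Only the stateful variant drops the crafted DMZ packet: it admits the portal's reply from its connection table instead of from a standing rule, so there is no source-port-443 hole to exploit.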

From a compliance perspective, the firewall is one of the fundamental technical and organisational measures protecting the availability, integrity and confidentiality of information. The German BSI IT-Grundschutz addresses it in module NET.3.2 (Firewall), and ISO/IEC 27001:2022 requires the security of networks and their segregation in Annex A controls 8.20 (Networks security) and 8.22 (Segregation of networks). The NIS2 Directive likewise requires affected entities to implement risk-appropriate network security measures. Careful documentation of the rule set, regular reviews, and the logging and analysis of firewall events are prerequisites for demonstrating compliance to auditors and supervisory authorities.

Legal Basis

BSI IT-Grundschutz module NET.3.2; ISO/IEC 27001 Annex A.8.20 and A.8.22; Art. 21 NIS2 Directive (EU) 2022/2555

Practical Example

A mid-sized mechanical engineering company qualifies as an important entity under NIS2. The information security officer segments the network using a next-generation firewall into a zone for office IT, a separate zone for the production systems (OT) and a DMZ for externally reachable services. The rule set follows the default-deny principle; every authorisation is documented with a justification, an owner and an expiry date, and is re-examined every six months in the firewall review. Log data is forwarded to the SIEM, so that suspicious connection attempts from the office network into the OT zone are detected as a potential security incident and escalated to the incident response team.
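The detection described in the practical example, written out as an added example (not the page's or any SIEM's own rule): firewall events are parsed, office-to-OT attempts are grouped per source host and rated. The log lines below are constructed in a generic key=value layout rather than any vendor's format, and the zone address ranges are assumed. Because the rule set forbids office-to-OT traffic entirely, a single attempt is already a finding; several targets or ports from one host look like a scan, and an office-to-OT flow that the firewall *allowed* points to a broken rule set and is rated highest.

```python
"""Flag office-to-OT connection attempts in firewall logs (SIEM-style detection)."""
import re
from ipaddress import ip_address, ip_network

# Zones of the segmentation example; the address ranges are assumed.
ZONES = {
    "office": ip_network("10.10.0.0/16"),
    "ot": ip_network("10.20.0.0/16"),
    "dmz": ip_network("192.168.100.0/24"),
}

# Constructed sample log in a generic key=value layout, not any vendor's format.
SAMPLE_LOG = """\
2024-05-14T08:01:12Z fw01 action=deny src=10.10.5.7 dst=10.20.1.20 proto=tcp sport=51001 dport=502
2024-05-14T08:01:13Z fw01 action=deny src=10.10.5.7 dst=10.20.1.21 proto=tcp sport=51002 dport=502
2024-05-14T08:01:14Z fw01 action=deny src=10.10.5.7 dst=10.20.1.22 proto=tcp sport=51003 dport=44818
2024-05-14T08:02:40Z fw01 action=allow src=10.10.8.9 dst=192.168.100.10 proto=tcp sport=50222 dport=443
2024-05-14T08:03:05Z fw01 action=deny src=192.168.100.10 dst=10.20.1.20 proto=tcp sport=40000 dport=22
2024-05-14T08:03:06Z fw01 action=deny src=10.10.7.3 dst=10.20.1.20 proto=tcp sport=49999 dport=502
2024-05-14T08:04:00Z fw01 config reloaded by admin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) proto=(?P<proto>\w+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)$"
)

def zone_of(addr):
    ip = ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), None)

def parse(log):
    """Return (events, number of lines that did not match the expected layout)."""
    events, unparsed = [], 0
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        else:
            unparsed += 1   # parsing failures get their own metric, never a silent drop
    return events, unparsed

def detect_office_to_ot(log, scan_threshold=3):
    """Group office->OT attempts per source host and rate them.

    medium:   a single attempt (forbidden by policy, worth a ticket)
    high:     scan_threshold or more attempts from one host (looks like a scan)
    critical: an office->OT flow the firewall permitted (the rule set is broken)
    """
    events, unparsed = parse(log)
    per_source = {}
    for ev in events:
        if zone_of(ev["src"]) != "office" or zone_of(ev["dst"]) != "ot":
            continue
        e = per_source.setdefault(
            ev["src"], {"attempts": 0, "targets": set(), "dports": set(), "allowed": False}
        )
        e["attempts"] += 1
        e["targets"].add(ev["dst"])
        e["dports"].add(int(ev["dport"]))
        e["allowed"] = e["allowed"] or ev["action"] == "allow"
    alerts = []
    for src, e in per_source.items():
        if e["allowed"]:
            severity = "critical"
        elif e["attempts"] >= scan_threshold:
            severity = "high"
        else:
            severity = "medium"
        alerts.append({"src": src, "severity": severity, "attempts": e["attempts"],
                       "targets": sorted(e["targets"]), "dports": sorted(e["dports"])})
    alerts.sort(key=lambda a: (-a["attempts"], a["src"]))
    return {"alerts": alerts, "unparsed_lines": unparsed}

if __name__ == "__main__":
    for alert in detect_office_to_ot(SAMPLE_LOG)["alerts"]:
        print(alert)
```

Note that the DMZ host probing the OT zone on port 22 is deliberately not caught by this rule: it is a different policy violation that deserves its own detection, and mixing the two would blur the office-to-OT signal the incident response team is asked to act on.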

FAQ

What is the difference between a packet filter, a stateful firewall and a next-generation firewall?
A simple packet filter decides solely on static header attributes such as source and destination IP address, protocol and port. A stateful firewall additionally tracks the state of existing connections, so that reply traffic is admitted only for connections it has seen being opened, which allows context-aware decisions. A next-generation firewall adds deep packet inspection, application and user awareness as well as integrated threat prevention such as IPS and malware filtering.

Is a firewall on its own sufficient to protect a network?
No. A firewall is an important layer of protection, but only one of several. It should be combined with network segmentation, intrusion detection systems, endpoint protection, logging and monitoring as well as organisational measures. Only this interplay, in the sense of defense in depth, provides adequate protection.

Why does the firewall rule set have to be reviewed regularly?
Over time, outdated, overly broad or contradictory rules tend to accumulate and unnecessarily enlarge the attack surface. A regular review ensures that only required authorisations remain, that the least-privilege principle is upheld, and that the rule set is documented in a way that is traceable for auditors.
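The periodic review from the practical example and the last FAQ answer can largely be automated. The Python script below is an added example (not code from the page or from any firewall product) that walks a documented rule set and reports exactly the defects named above: expired rules, rules without an owner or justification, overly broad allow rules, and rules that can never take effect because an earlier rule already matches everything they match. The rule set and its metadata schema (owner, justification, expiry date) are constructed for the example.

```python
"""Periodic rule-set review: expiry, ownership, justification, broad and shadowed rules."""
from datetime import date

ANY = "any"
MATCH_FIELDS = ("src", "dst", "proto", "dport")
REVIEW_DATE = date(2025, 1, 15)   # date of the review run, assumed

# Constructed rule set; the metadata schema (owner, justification, expires) is assumed.
RULES = [
    {"id": "R1", "src": "office", "dst": "dmz", "proto": "tcp", "dport": 443, "action": "allow",
     "owner": "it-ops", "justification": "Office clients reach the internal web portal",
     "expires": date(2025, 6, 30)},
    {"id": "R2", "src": "dmz", "dst": "ot", "proto": "tcp", "dport": 4840, "action": "allow",
     "owner": "ot-eng", "justification": "Historian reads the OPC UA server",
     "expires": date(2024, 12, 31)},
    {"id": "R3", "src": "office", "dst": "ot", "proto": ANY, "dport": ANY, "action": "allow",
     "owner": "", "justification": "Temporary access for vendor visit",
     "expires": date(2023, 11, 15)},
    {"id": "R4", "src": "office", "dst": "ot", "proto": "tcp", "dport": 502, "action": "deny",
     "owner": "ot-eng", "justification": "Block Modbus from the office network",
     "expires": date(2026, 1, 1)},
    {"id": "R5", "src": ANY, "dst": ANY, "proto": ANY, "dport": ANY, "action": "allow",
     "owner": "legacy", "justification": "", "expires": date(2030, 1, 1)},
]

def covers(earlier, later):
    """True if every packet matching `later` already matched `earlier` (first-match semantics)."""
    return all(earlier[f] == ANY or earlier[f] == later[f] for f in MATCH_FIELDS)

def review(rules, today):
    """Return {rule id: [findings]} for every rule that needs attention."""
    findings = {}
    for i, r in enumerate(rules):
        issues = []
        if r["expires"] < today:
            issues.append("expired")
        if not r["owner"]:
            issues.append("missing owner")
        if not r["justification"]:
            issues.append("missing justification")
        if r["action"] == "allow" and r["proto"] == ANY and r["dport"] == ANY:
            issues.append("overly broad allow")
        # Shadowing: an earlier rule matches everything this rule matches, so this
        # rule is dead. If the actions differ, the rule set contradicts itself.
        for earlier in rules[:i]:
            if covers(earlier, r):
                kind = "contradicting" if earlier["action"] != r["action"] else "redundant"
                issues.append(f"shadowed by {earlier['id']} ({kind})")
                break
        if issues:
            findings[r["id"]] = issues
    return findings

def run_review():
    return review(RULES, REVIEW_DATE)

if __name__ == "__main__":
    for rule_id, issues in run_review().items():
        print(rule_id, "->", ", ".join(issues))
```

In this constructed set the dangerous case is R3: the expired, ownerless "temporary" vendor rule silently opens office-to-OT for all protocols and ports, and because it precedes R4 it also makes the explicit Modbus deny ineffective. A review that only checked expiry dates would still miss that R5 grants everything to everyone.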
