How a Firewall Works with PCs and Macs
Firewalls are the very foundation of an organization’s or individual’s network security solution. They help to limit access to one or more computers by filtering traffic based upon predefined rules. By blocking all traffic that does not fit into certain categories, a firewall can dramatically limit a system’s vulnerability to cyber threats.
At the user level, firewalls on PCs and Macs can also be utilized in order to protect that specific endpoint. These host-based firewalls are often built into a computer’s operating system itself. For example, Windows PCs are protected by the Windows Firewall, which is part of the Windows Defender suite of security tools built into the operating system by Microsoft.
These endpoint firewalls complement the network firewalls that enterprises deploy to prevent malicious content from entering their internal networks. While a network firewall may be more powerful, it can lack insight into a particular system’s needs or into the traffic flows inside the network. A desktop firewall can be tuned to provide protection specific to a particular computer, and it filters all traffic entering and leaving the machine. This enables it to protect against internal threats, such as malware moving laterally through an organization’s network.
Desktop Firewalls 101
A personal or desktop firewall actually works similarly to a network-level one. Two important concepts to understand regarding desktop firewalls are the differences between inbound and outbound traffic and the various zones of trust.
Inbound vs Outbound Network Connections
The most basic level of filtering that a firewall can perform is blocking certain ports or protocols from entering or leaving the computer. Like a corporate email system, a computer may have a number of different communication addresses or ports. Some may be intended for only internal access while others are designed to be public-facing (like a company’s support and contact email addresses).
A desktop firewall can expose only a small set of ports to external systems, namely those on which the applications it is meant to serve are listening. For example, it is common to allow inbound communication on ports 80 (HTTP) and 443 (HTTPS) on a web server because these are the standard ports for web traffic.
The decision of which ports to allow through or block depends heavily upon the direction in which traffic is flowing:
- Inbound Traffic: Inbound traffic is traffic entering the computer. For inbound traffic, firewalls typically have a DEFAULT_DENY policy, meaning that traffic is blocked unless the firewall policies are configured otherwise (like allowing port 80 or 443 traffic for a web server).
- Outbound Traffic: Outbound traffic is traffic leaving the computer. For this traffic, the default is DEFAULT_ALLOW, meaning that all traffic is permitted to pass through the firewall unless the policies say otherwise. For example, a firewall policy may be configured to only allow SSH traffic to particular addresses.
While a desktop firewall has default policies, they can be changed to reflect the unique needs of the computer and its user.
Trusted vs Untrusted Zones
Another important concept regarding personal firewalls is that of zones of trust. Endpoint firewalls can be configured to have different policies depending on the network that they are connected to. This is an asset with mobile devices and laptops, which may move often between different Wi-Fi networks.
If you’ve connected a computer to a new Wi-Fi network, you’ve likely made a decision about zones of trust already. When Windows asks whether a network should be treated as public or private, this is what it means. On a private home network, firewall policy rules will be more permissive than on a public one, such as the Wi-Fi network at a local cafe. This makes it possible to access file shares and other resources on trusted private networks while having these potentially dangerous connections blocked on public ones.
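As an added example that is not part of the original article, the following PowerShell expresses both ideas above (inbound DEFAULT_DENY with a web-server exception, outbound DEFAULT_ALLOW with SSH restricted to one management host, and a file-sharing rule that applies only in the Private zone) using the built-in Windows Defender Firewall cmdlets. The management-host address 203.0.113.10 is a placeholder from a documentation range; run it in an elevated session.

```powershell
# Added example (not from the original article): the article's desktop firewall
# concepts as Windows Defender Firewall rules. Requires an elevated session.
# 203.0.113.10 is a placeholder management host; substitute your own.

# Defaults described in the article: inbound DEFAULT_DENY, outbound DEFAULT_ALLOW.
# Set them explicitly on all three profiles (Windows' zones of trust) so that a
# stray change elsewhere is undone.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# Web server exception: only 80/443 are opened inbound, in every zone.
New-NetFirewallRule -DisplayName "Allow inbound HTTP/HTTPS" -Direction Inbound `
    -Protocol TCP -LocalPort 80,443 -Action Allow -Profile Any

# Zones of trust: file sharing (SMB, TCP 445) is reachable only while the
# machine is on a network the user marked Private. On Public networks no rule
# matches, so the inbound default (Block) applies.
New-NetFirewallRule -DisplayName "Allow SMB on trusted networks" -Direction Inbound `
    -Protocol TCP -LocalPort 445 -Action Allow -Profile Private

# Outbound SSH only to the management host. Windows evaluates Block rules
# before Allow rules, so "block port 22 to Any" plus "allow port 22 to one host"
# would block everything; instead the Block rule is scoped to every IPv4
# address except the permitted one, and the outbound default allows the rest.
# (IPv6 destinations would need an equivalent pair of ranges.)
New-NetFirewallRule -DisplayName "Block outbound SSH except to admin host" `
    -Direction Outbound -Protocol TCP -RemotePort 22 -Action Block `
    -RemoteAddress "0.0.0.0-203.0.113.9","203.0.113.11-255.255.255.255"

# Verification: which zone the current network landed in, the per-profile
# defaults, and the address scope attached to the SSH rule.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -DisplayName "Block outbound SSH except to admin host" |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Review the `Get-NetConnectionProfile` output before relying on the SMB rule: if a home network was accidentally classified as Public, file sharing stays blocked until the category is changed with `Set-NetConnectionProfile`.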
Firewall Policy Rules Management
A firewall’s default policies are designed to fit the majority of cases, but they are not perfect for every scenario. An individual or organization may need to tweak a desktop firewall’s policies to improve their security or usability.
An endpoint firewall can be set up to have its policy rules centrally managed or managed from the device. In the former case, an organization can set firewall policy settings to conform with corporate security policy and make it impossible for users to modify them.
In the latter, users have full control over how their personal firewall is configured. In general, it is better to leave the default settings in place unless there is a legitimate need not to (like running a web server on a device). Every open port on a computer creates another potential attack vector.
5 Must-Have Endpoint Protections
A firewall is an essential part of an organization’s network protection strategy; however, a firewall alone is not enough to protect against cybersecurity threats. Five must-have capabilities for an endpoint security solution include:
- Anti-Phishing Capabilities
- Anti-Ransomware Protections
- Content Disarm and Reconstruction (CDR)
- Anti-Bot Protections
- Automated Post-Breach Detection and Response
Check Point Sandblast Agent endpoint security solution can help to protect an organization’s endpoints against cybersecurity threats. To learn more about Sandblast Agent, contact us. You’re also welcome to request a demo to see Sandblast Agent in action.