What Is a Perimeter Firewall?

Firewall security software or hardware controls the flow of network traffic -- in other words, units or “packets” of data -- between networks, or between computers connected to a network (hosts). A perimeter firewall controls the traffic entering or leaving the host's or organization's outer boundary, providing a first line of defense against external attacks and blocking access to inappropriate content from inside the organization.

[Image: Internet lock -- firewall software concept. Credit: Павел Игнатов/iStock/Getty Images]

Firewall Function

A perimeter firewall is the main line of defense at the edge of a private network. It's an essential component for detecting unwanted traffic, potentially dangerous content and intrusion attempts, protecting the network from them and flagging these threats to the network administrator. The perimeter firewall blocks incoming network traffic from reaching internal networks and hosts, and bars outgoing traffic from reaching undesirable external networks and hosts; for example, an organization might block access to Facebook or other social media sites. A perimeter firewall can therefore be thought of as having an internal interface and an external interface.

Static Packet Filter

A basic type of perimeter firewall is the static packet filter firewall. It blocks network traffic based on the information in the packet header, the portion of a network packet that carries addressing information such as the source and destination addresses. A static packet filter firewall is either a standalone device or part of a router.

Stateful Inspection Firewall

The most common type of perimeter firewall is the stateful inspection firewall. It keeps a record of all outgoing network traffic and only allows in incoming traffic that corresponds to an outgoing request. Stateful inspection firewalls can block scanning from the Internet and prevent IP spoofing -- where an attacker gains unauthorized access to a network or computer by impersonating, or “spoofing,” the Internet Protocol (IP) address of a trusted host. Because they inspect more data than static packet filter firewalls, they are correspondingly slower.

Denial of Service

Perimeter firewalls typically block incoming network traffic addressed to broadcast addresses, which deliver a packet to every computer on a network rather than to a single host. Any computer that responds to the broadcast will likewise send information to every other computer on the network, flooding the network with traffic, which can be exploited in a so-called denial of service attack.
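The following added example (not code from the original article) models a perimeter firewall that combines the behaviours described above: a static header filter for undesirable external networks, a stateful table that admits only replies to outgoing requests, an anti-spoofing check on source addresses, and a rule dropping inbound packets aimed at a broadcast address. The `direction` field, the `PerimeterFirewall` class and all address ranges are constructed for the demonstration; `direction` stands in for the interface a packet arrives on.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """Constructed packet header: only the fields a perimeter filter looks at."""
    src: str
    dst: str
    sport: int
    dport: int
    direction: str  # "out" = internal -> external interface, "in" = the reverse


class PerimeterFirewall:
    LIMITED_BROADCAST = ip_address("255.255.255.255")

    def __init__(self, internal_net, blocked_external_nets):
        self.internal = ip_network(internal_net)
        self.blocked = [ip_network(n) for n in blocked_external_nets]
        self.state = set()  # flows opened from inside: (src, dst, sport, dport)

    def filter(self, pkt):
        """Return True if the packet may pass, False if it is dropped."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if pkt.direction == "out":
            # Anti-spoofing: outbound packets must originate from the internal range.
            if src not in self.internal:
                return False
            # Static packet filter: block outbound traffic to undesirable networks.
            if any(dst in net for net in self.blocked):
                return False
            # Stateful inspection: remember the request so its reply can return.
            self.state.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
            return True
        # Inbound: drop broadcast-addressed traffic (denial-of-service amplification).
        if dst in (self.LIMITED_BROADCAST, self.internal.broadcast_address):
            return False
        # Anti-spoofing: an inbound packet claiming an internal source is forged.
        if src in self.internal:
            return False
        # Stateful inspection: admit only replies to a recorded outgoing request.
        return (pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.state


def demo():
    """Run constructed packets through the firewall and report each verdict."""
    fw = PerimeterFirewall("192.168.1.0/24", ["203.0.113.0/24"])
    return {
        "outbound_web": fw.filter(Packet("192.168.1.10", "198.51.100.5", 51000, 443, "out")),
        "reply": fw.filter(Packet("198.51.100.5", "192.168.1.10", 443, 51000, "in")),
        "unsolicited_scan": fw.filter(Packet("198.51.100.9", "192.168.1.10", 40000, 22, "in")),
        "spoofed_internal": fw.filter(Packet("192.168.1.20", "192.168.1.10", 40000, 22, "in")),
        "blocked_site": fw.filter(Packet("192.168.1.10", "203.0.113.7", 51001, 443, "out")),
        "broadcast": fw.filter(Packet("198.51.100.9", "192.168.1.255", 40000, 7, "in")),
    }
```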