What is an internal firewall?

An internal firewall is a security solution designed to protect a network from attacks that have already gotten past the perimeter. A firewall, in general, is a device or software designed to monitor traffic and prevent unauthorized access, and an internal firewall is an advanced application of that concept.

When comparing an internal firewall versus a perimeter firewall, there are several key differences. Unlike a traditional perimeter firewall, an internal firewall must proactively provide visibility and protection from internal threats, and it must be fast enough to keep up with the demands of internal traffic. Today, cyberattacks are increasingly likely to make it past the network perimeter, and internal firewalls minimize the damage such attacks can do.

Although all businesses should have internal firewalls and similar security measures in place, internal firewalls are particularly useful for very large enterprises with multiple network segments for different departments, as well as for networks that have large attack surfaces due to running distributed services across public and private clouds. 

How does an internal firewall work?

Internal firewalls work by employing two key strategies:
  • Minimizing the attack surface using micro-segmentation, which divides the network into granular zones that are secured separately
  • Using intelligent automation to deploy and update security policies based on “known good” behavior


Instead of trying to identify and neutralize each threat individually, an internal firewall leverages a deeper understanding of internal traffic to identify activity that doesn’t conform to the behavior that administrators expect to see. It defines policy at both the network and process level to mitigate threats that leverage multiple attack vectors. An internal firewall sits at strategic points within the internal network and utilizes a zero-trust approach to isolate threats and limit the potential damage. In other words, it assumes that threats have already found their way in and prevents them from moving freely throughout the internal network.
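
The two strategies above (micro-segmentation plus a "known good" allow-list enforced with default deny) can be shown in a small policy evaluator. The following is an added example written for this page, not VMware's code and not NSX's policy model: the segment names, addresses, process names and rules are all constructed. It classifies each workload into a zone, matches flows against an allow-list that also carries a process-level condition, and denies everything else, so a flow that a perimeter firewall would never see (web tier straight to the database) is stopped.

```python
"""Added example (not VMware's code or anything on this page): a toy
east-west policy evaluator that models micro-segmentation with a
default-deny, zero-trust stance and a process-level match.

Every segment, address, process name and rule below is constructed
for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed micro-segments: each tier of an application gets its own zone.
SEGMENTS = {
    "web": ip_network("10.0.1.0/24"),
    "app": ip_network("10.0.2.0/24"),
    "db":  ip_network("10.0.3.0/24"),
}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src_zone: str
    dst_zone: str
    dport: int
    process: Optional[str]  # process expected to originate the flow; None = any
    purpose: str            # documented reason the rule exists


# Constructed "known good" allow-list: only the flows the application needs.
RULES = [
    Rule("R1", "web", "app", 8443, "nginx", "Web tier calls the app API"),
    Rule("R2", "app", "db", 5432, "api-server", "App tier talks to Postgres"),
]


def zone_of(addr: str) -> Optional[str]:
    """Map a workload address to its micro-segment, or None if unknown."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def evaluate(src: str, dst: str, dport: int, process: str) -> Tuple[str, str]:
    """Decide one flow. Returns (decision, matched rule id).

    Anything not explicitly allowed is denied: wrong direction, wrong port,
    an unexpected originating process, or peers inside the same zone."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in RULES:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.dport == dport
                and (rule.process is None or rule.process == process)):
            return ("ALLOW", rule.rule_id)
    return ("DENY", "default")


def lateral_movement_blocked(src: str, dst: str, dport: int, process: str) -> bool:
    """True if an east-west flow outside the known-good set is stopped."""
    return evaluate(src, dst, dport, process)[0] == "DENY"


if __name__ == "__main__":
    # Legitimate tiered traffic passes; a web host reaching the database
    # directly, or the right port from an unexpected process, does not.
    print(evaluate("10.0.1.10", "10.0.2.10", 8443, "nginx"))
    print(evaluate("10.0.1.10", "10.0.3.10", 5432, "nginx"))
    print(evaluate("10.0.1.10", "10.0.2.10", 8443, "curl"))
```

The point of the process field is the "network and process level" policy mentioned above: the same port between the same zones is allowed only when the expected binary originates it. Direction also matters, so the database tier cannot open connections back toward the application tier unless a rule says so.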


How is it different from an external firewall?

An internal firewall monitors and secures east-west (internal) network traffic, rather than north-south traffic at the perimeter. An external firewall monitors the network’s perimeter and prevents unauthorized access from the outside. The two types of firewall are intended to solve different problems: while an external firewall protects against outside intruders, an internal firewall needs to monitor all traffic on the network to identify bad actors and potential threats. Because of this, internal and external firewall design differs in key ways:

An internal firewall cannot rely on traditional port-based methods of identifying threats, and it needs to keep up with a high volume of internal traffic. Thus, it must be more advanced than a typical perimeter firewall in order to intelligently identify malicious activity. 

On the other hand, because internal firewalls deal with an enterprise’s own applications and services, they can leverage a deeper understanding of that traffic in order to automate security policies and block suspicious behavior. By learning what constitutes “known good” behavior, an intelligent internal firewall can identify and respond to activity that doesn’t fit the authorized profile.

Do enterprises need an internal firewall?

An internal firewall is a crucial part of network firewall security, especially as networks grow more distributed and it becomes more difficult to keep attackers out of the network perimeter. It complements a perimeter firewall and provides an extra layer of security to lock down east-west traffic and prevent the lateral movement of threats within your enterprise. With cyberattacks increasing in number and sophistication, it’s almost inevitable that an organization’s network perimeter will be breached. When that happens, an internal firewall minimizes the damage that attackers can do.

Why you need an internal firewall

Perimeter firewalls provide a first line of defense against external attacks, but they’re no longer enough to protect your enterprise from sophisticated threats. With more users and devices on the network than ever before, plus a larger attack surface thanks to the increase in distributed services running across public and private clouds, it’s risky to assume that securing the perimeter is enough. If a threat does find its way past the network perimeter, it can gain unfettered access to your internal networks—unless there’s a protective measure like an internal firewall in place.

According to a recent report, 59 percent of attacks involve attempted lateral movement—so it’s crucial to defend your network against these threats. An internal firewall prevents attackers from running rampant in your network and limits the harm they can do.

Best practices for an internal firewall

Although an internal firewall differs from a perimeter firewall in purpose and design, internal firewall best practices are similar to standard network firewall best practices. Here are a few common principles:

  • Document your firewall rules and their purpose. It’s easy to forget why a particular rule was originally implemented, especially if the IT staffer who put it in place has since left the organization. Documentation is important for maintenance over time, as it allows you to reevaluate security policies and remove any that no longer serve a purpose.
  • Audit event logs regularly. This will help you determine which security rules are and aren’t being used, allowing you to remove unused rules and adjust others to tighten security and avoid gaps.
  • Use automation to keep rules up to date. Left untended, long lists of firewall rules can lead to “rule bloat,” increased overhead, and security gaps. Avoid these problems and keep up with rapid change by using automation to reduce the burden on IT staff.
  • Practice zero-trust security. This means not trusting anyone by default—inside or outside the network—and is key to containing attacks quickly. With the number of cyberattacks increasing, it’s no longer safe to assume that attackers won’t make their way into the network. A zero-trust security approach is key to limiting the impact of threats that do make it past the perimeter.
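
The first three practices (document each rule's purpose, audit the logs to see which rules fire, automate the cleanup) come together in a rule audit. The following is an added example written for this page, not VMware's code and not any product's log format: the key=value event lines, rule ids and purposes are constructed. It counts hits per rule and reports rules that never matched (removal candidates), rules that still fire but have no recorded purpose, and rule ids that appear in the logs but not in the documented table.

```python
"""Added example (not VMware's code or anything on this page): a rule audit
that reads constructed firewall event lines, counts hits per rule, and
reports rules that are unused, undocumented or unknown.

The log format, rule ids and purposes below are invented for illustration;
a real product's log format and rule store will differ."""
import re
from collections import Counter
from typing import Dict, List

# Constructed rule table: rule id -> documented purpose ("" = never documented).
RULE_TABLE: Dict[str, str] = {
    "R1": "Web tier calls the app API",
    "R2": "App tier talks to Postgres",
    "R3": "",
    "R4": "Nightly backup job, retired last quarter",
}

# Constructed sample events in a simple key=value layout.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z rule=R1 action=ALLOW src=10.0.1.10 dst=10.0.2.10 dport=8443
2024-05-01T10:00:02Z rule=R2 action=ALLOW src=10.0.2.10 dst=10.0.3.10 dport=5432
2024-05-01T10:00:03Z rule=R1 action=ALLOW src=10.0.1.11 dst=10.0.2.10 dport=8443
2024-05-01T10:00:04Z rule=default action=DENY src=10.0.1.10 dst=10.0.3.10 dport=5432
2024-05-01T10:00:05Z rule=R3 action=ALLOW src=10.0.2.12 dst=10.0.2.13 dport=22
2024-05-01T10:00:06Z rule=R9 action=ALLOW src=10.0.4.1 dst=10.0.2.10 dport=80
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) rule=(?P<rule>\S+) action=(?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse well-formed lines; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def audit(rule_table: Dict[str, str], events: List[Dict[str, str]]) -> dict:
    """Compare what the logs show against what the rule table documents."""
    hits = Counter(e["rule"] for e in events)
    return {
        "hits": dict(hits),
        # Candidates for removal: documented rules that matched nothing.
        "unused": sorted(r for r in rule_table if hits[r] == 0),
        # Rules still firing but with no recorded reason to exist.
        "undocumented": sorted(r for r, why in rule_table.items()
                               if not why and hits[r]),
        # Rule ids in the logs that nobody wrote down: config has drifted from docs.
        "unknown": sorted(r for r in hits if r != "default" and r not in rule_table),
        # Default-deny events: flows that no known-good rule covered.
        "default_denies": sum(1 for e in events
                              if e["rule"] == "default" and e["action"] == "DENY"),
    }


if __name__ == "__main__":
    report = audit(RULE_TABLE, parse_events(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run on the constructed log, the audit flags R4 as unused, R3 as firing without a documented purpose, and R9 as a rule the documentation does not know about. Scheduling this comparison (rather than running it by hand) is the "use automation" practice: the output is a worklist for removing or documenting rules before the list bloats.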
