A
host-based firewall runs on individual endpoints, controlling inbound and outbound traffic at the host — providing protection even on trusted internal segments.
Defense in depth: perimeter firewall + host firewall on each system. Windows Firewall/Defender, iptables/nftables (Linux). Critical for stopping lateral movement — internal attackers can't reach a hardened host even on the same VLAN.