3.4 Protecting Networks - Firewalls
A firewall is a network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and an untrusted external network, such as the internet. Firewalls can be implemented as standalone hardware devices, or as software running on a server or integrated into a router.
There are several types of network-based firewalls, each with different capabilities:
- Stateless Firewall: Also known as a packet-filtering firewall, this is the most basic type. It inspects the header of each packet individually and permits or denies it based on information such as source and destination IP addresses, ports, and protocol. It keeps no record of connections, so it cannot tell whether a packet opens a new conversation or is a reply to one already under way; return traffic must be allowed by its own explicit rule, which tends to leave broad inbound permits in the ACL.
- Stateful Firewall: Also known as dynamic packet filtering, this type of firewall is more advanced. It records each permitted connection in a state table and makes filtering decisions in the context of that table. For example, it allows incoming traffic from an external web server only if that traffic is the reply to a request that originated from inside the network; an unsolicited packet from the same server is dropped. This gives much more granular control and higher security than a stateless firewall.
- Next-Generation Firewall (NGFW): This is the most modern type of firewall. It includes all the capabilities of stateful firewalls but adds more advanced features. NGFWs can perform deep packet inspection to identify the specific applications generating the traffic (e.g., distinguishing between general web traffic and Facebook traffic), integrate intrusion prevention systems, and filter traffic based on user identity.
Firewalls operate based on a set of rules known as an access control list (ACL). A network administrator configures the ACL to define what traffic is permitted and what is denied. Each rule in an ACL typically specifies criteria such as the direction of the traffic (inbound or outbound), the source or destination IP address, the protocol (for example TCP, UDP or ICMP), the port number, and the action to take (permit or deny). The firewall processes the rules in order, from top to bottom. When a packet arrives, the firewall checks it against the first rule, then the second, and so on, until a match is found. Once a matching rule is found, the firewall applies its action and stops processing further rules for that packet (first match wins), so a rule that is shadowed by a broader rule above it never takes effect.
The effective placement of firewalls is crucial for a strong network security architecture. As a best practice, each network segment should be protected by a firewall to control the traffic entering and leaving it. This is especially important for segments with different security requirements, such as separating a corporate network from a guest network. Most critically, a firewall must be placed at every point of ingress and egress between the organization's internal network and the public internet to serve as the primary line of defense.
When configuring a firewall, an administrator translates security requirements into specific ACL rules. For example, to allow external users to reach a company's public web server, a rule would be created to permit inbound TCP traffic to that server's address on port 443 (HTTPS); the rule should be scoped to the server's address rather than to the whole internal network, so that it opens only what the requirement demands. Because the first matching rule wins, the order of the rules matters: a common practice is to place more specific rules (such as a deny for a particular address range) before more general rules, since a general permit placed first would match the traffic before the specific deny is ever consulted. Most firewalls end with an implicit "deny all" rule, meaning that any traffic that does not match an explicit "permit" rule is blocked by default. On a stateless firewall this also means the server's replies need their own outbound permit, whereas a stateful firewall allows them automatically as part of the established connection.
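The following Python model ties the points above together: first-match ACL evaluation with an implicit deny, the effect of putting a general permit above a specific deny, and the difference between stateless filtering and stateful connection tracking when the reply to an outbound request comes back. It is an added example, not code from the original page or from any firewall product; the rules, addresses (RFC 5737 documentation ranges plus a 10.0.0.0/8 internal network) and packets are constructed for illustration.

```python
# Added example (not from the original page): a minimal model of first-match
# ACL evaluation. It shows why rule order matters, what the implicit deny does,
# and how stateful connection tracking differs from stateless filtering.
# Addresses, ports and rules are constructed (RFC 5737 documentation ranges).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (from the internet) or "out" (from the internal network)
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    direction: str               # "in", "out" or "any"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"       # CIDR; 0.0.0.0/0 matches every address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in ("any", pkt.direction)
                and self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


class Firewall:
    """First-match ACL evaluator with optional stateful connection tracking."""

    def __init__(self, acl: List[Rule], stateful: bool = False):
        self.acl = list(acl)
        self.stateful = stateful
        self.connections = set()  # (proto, src, sport, dst, dport) of permitted flows

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        # Stateful: a reply to a flow that was already permitted in the other
        # direction is accepted without needing an explicit rule of its own.
        if self.stateful:
            reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reverse in self.connections:
                return "permit", "established connection"
        # Walk the ACL top to bottom; the first matching rule decides.
        for index, rule in enumerate(self.acl):
            if rule.matches(pkt):
                if rule.action == "permit" and self.stateful:
                    self.connections.add(
                        (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action, f"rule {index}: {rule.comment}"
        # Nothing matched: the implicit deny at the end of the ACL applies.
        return "deny", "implicit deny"


# Constructed ACL: the specific deny is placed above the general permit.
BLOCK_BAD_RANGE = Rule("deny", "in", "any", src="198.51.100.0/24",
                       comment="block known-abusive range")
PERMIT_HTTPS = Rule("permit", "in", "tcp", dst="192.0.2.10/32", dport=443,
                    comment="public web server HTTPS")
PERMIT_OUTBOUND = Rule("permit", "out", "any", src="10.0.0.0/8",
                       comment="internal hosts may initiate outbound")
GOOD_ORDER = [BLOCK_BAD_RANGE, PERMIT_HTTPS, PERMIT_OUTBOUND]
BAD_ORDER = [PERMIT_HTTPS, BLOCK_BAD_RANGE, PERMIT_OUTBOUND]  # same rules, wrong order

# Constructed sample traffic (192.0.2.10 is "our" public web server).
CLIENT_HTTPS = Packet("in", "tcp", "203.0.113.50", 51234, "192.0.2.10", 443)
ABUSIVE_HTTPS = Packet("in", "tcp", "198.51.100.7", 51234, "192.0.2.10", 443)
CLIENT_SSH = Packet("in", "tcp", "203.0.113.50", 51235, "192.0.2.10", 22)
OUTBOUND_REQ = Packet("out", "tcp", "10.0.0.5", 40000, "203.0.113.80", 443)
REPLY = Packet("in", "tcp", "203.0.113.80", 443, "10.0.0.5", 40000)
UNSOLICITED = Packet("in", "tcp", "203.0.113.80", 443, "10.0.0.5", 40001)


def check_ordering() -> Tuple[str, str]:
    """The abusive-range packet against both orderings of the same rules."""
    return (Firewall(GOOD_ORDER).evaluate(ABUSIVE_HTTPS)[0],
            Firewall(BAD_ORDER).evaluate(ABUSIVE_HTTPS)[0])


def check_reply_handling() -> Tuple[str, str, str]:
    """Outbound request, then its reply, on stateless vs stateful filtering."""
    stateless, stateful = Firewall(GOOD_ORDER), Firewall(GOOD_ORDER, stateful=True)
    stateless.evaluate(OUTBOUND_REQ)  # permitted by rule 2 on both firewalls
    stateful.evaluate(OUTBOUND_REQ)
    return (stateless.evaluate(REPLY)[0],       # reply hits implicit deny
            stateful.evaluate(REPLY)[0],        # reply matches tracked flow
            stateful.evaluate(UNSOLICITED)[0])  # no tracked flow, implicit deny


if __name__ == "__main__":
    for pkt in (CLIENT_HTTPS, ABUSIVE_HTTPS, CLIENT_SSH):
        print(pkt.src, "->", f"{pkt.dst}:{pkt.dport}", Firewall(GOOD_ORDER).evaluate(pkt))
    print("ordering (good, bad):", check_ordering())
    print("reply (stateless, stateful, unsolicited):", check_reply_handling())
```

Running it shows the client's HTTPS request permitted by rule 1, the same request from the abusive range denied by rule 0, and the SSH attempt falling through to the implicit deny. With the two inbound rules swapped, the abusive request is permitted, because the general permit matches first and the specific deny below it is never consulted. The reply to the internal host's outbound request is denied by the stateless firewall (no inbound rule covers it) but permitted by the stateful one, which still denies an unsolicited packet from the same server to a port it has no tracked flow for.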