Firewall
A firewall is a network security device or software that monitors and controls incoming and outgoing network traffic based on predefined security rules. It acts as a barrier between trusted and untrusted networks (e.g., your internal network and the internet).
Types of Firewalls
Packet Filtering Firewall
Works at Layer 3 (Network) and Layer 4 (Transport) of the OSI model.
Examines each packet's headers (IP, TCP, UDP) and allows or blocks them based on rules.
Example rule: Allow all packets with source IP 192.168.1.1 and destination port 80.
Stateful Inspection Firewall
Tracks the state of active connections (Layer 4).
Only allows packets that are part of an established session.
Protects against spoofed packets and unauthorized access.
Application Layer Firewall
Operates at Layer 7 (Application).
Inspects the data payload of packets to understand the application or service being accessed.
Can block specific actions (e.g., sending a certain HTTP request).
Next-Generation Firewall (NGFW)
Combines traditional firewalls with additional features like:
Deep Packet Inspection (DPI): Inspects the entire packet, including payload.
Intrusion Detection/Prevention Systems (IDS/IPS): Detects and blocks threats.
Application and user awareness.
Proxy Firewall
Acts as an intermediary between users and the destination server.
Masks client IPs, examines data, and forwards only safe packets.
How Firewalls Work
1. Packet Filtering (Basic Level)
Each packet entering or leaving the network is checked against a set of rules.
Rules are based on:
Source IP address
Destination IP address
Protocol (TCP, UDP, ICMP, etc.)
Source/Destination port numbers
Example Rule Table:
Rule ID | Source IP   | Destination IP | Protocol | Port | Action
1       | 192.168.1.1 | Any            | TCP      | 80   | Allow
2       | Any         | Any            | ICMP     | Any  | Deny
2. Stateful Inspection
Tracks the state of each connection.
Only packets that are part of an active session are allowed.
Example: If a user initiates a connection to a web server, the return traffic is allowed because it matches the session.
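As an added example (not part of the original notes), a small Python model of steps 1 and 2: the rule table above is evaluated statelessly (first match wins, default deny), and a connection table then lets the return traffic of an allowed session through while a packet that merely looks like a reply is still denied. The server 10.0.0.5 and client port 52000 are constructed values.

```python
from dataclasses import dataclass

# Rule table from the notes above. "Any" is written as None; first match wins,
# and a packet that matches no rule is denied by default.
RULES = [
    {"id": 1, "src": "192.168.1.1", "dst": None, "proto": "TCP", "port": 80, "action": "Allow"},
    {"id": 2, "src": None, "dst": None, "proto": "ICMP", "port": None, "action": "Deny"},
]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int   # source port (0 for ICMP, which has none)
    dport: int   # destination port

def match_rule(pkt, rule):
    """A rule matches when every field is 'Any' (None) or equal to the packet header."""
    return all([
        rule["src"] in (None, pkt.src),
        rule["dst"] in (None, pkt.dst),
        rule["proto"] in (None, pkt.proto),
        rule["port"] in (None, pkt.dport),
    ])

def packet_filter(pkt, rules=RULES):
    """Step 1, packet filtering: headers only, first match wins, default deny.
    Returns (action, matched rule id or None)."""
    for rule in rules:
        if match_rule(pkt, rule):
            return rule["action"], rule["id"]
    return "Deny", None

class StatefulFirewall:
    """Step 2, stateful inspection: remembers allowed connections as 5-tuples so the
    server's replies are admitted without needing an inbound Allow rule."""
    def __init__(self, rules=RULES):
        self.rules = rules
        self.sessions = set()  # (src, dst, proto, sport, dport) of allowed flows

    def process(self, pkt):
        # The reply to a tracked session has source and destination swapped.
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reverse in self.sessions:
            return "Allow (established)"
        action, _ = packet_filter(pkt, self.rules)
        if action == "Allow":
            self.sessions.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
        return action
```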
3. Deep Packet Inspection (DPI)
Inspects the full packet, including headers and payload.
Identifies protocols and malicious patterns.
Example: Detecting malware by scanning the payload for known signatures.
4. Intrusion Detection and Prevention
IDS (Intrusion Detection System):
- Monitors traffic for suspicious patterns.
- Alerts administrators but doesn't block traffic.
IPS (Intrusion Prevention System):
- Monitors and actively blocks detected threats.
5. Logging and Reporting
Firewalls maintain logs of allowed and denied traffic.
Logs may include:
Timestamp
Source/Destination IPs
Port numbers
Action taken (Allow/Deny)
Example Log Entry:
2024-12-18 10:30:25 - Source: 192.168.1.10 - Destination: 10.0.0.5 - Protocol: TCP - Port: 443 - Action: Allowed
Firewall Zones
Zones define boundaries for traffic control.
Common zones:
Trusted Zone: Internal network (e.g., LAN).
Untrusted Zone: Internet.
DMZ (Demilitarized Zone): Hosts public-facing services like web servers.
Example:
Traffic from LAN to Internet is allowed.
Traffic from Internet to LAN is blocked unless explicitly allowed.
Firewall Deployment Modes
Network-Based Firewall
Deployed on a network perimeter.
Protects multiple devices.
Example: Hardware firewalls (Cisco ASA, Palo Alto).
Host-Based Firewall
Installed on individual devices.
Example: Windows Defender Firewall.
Common Use Cases
Prevent Unauthorized Access:
- Block access to sensitive internal resources from the internet.
Content Filtering:
- Block specific websites or applications.
Intrusion Prevention:
- Detect and stop attempts to exploit vulnerabilities.
Network Segmentation:
- Isolate parts of the network for better security.
Limitations of Firewalls
Cannot Prevent All Attacks:
- Firewalls cannot stop attacks that bypass them, like phishing.
Misconfiguration Risks:
- Poorly defined rules can create vulnerabilities.
Internal Threats:
- Firewalls typically protect against external threats but may not stop malicious insiders.