📋 Overview
This module explores firewall technologies and their role in network security architecture. Students will learn about different firewall types, their capabilities and limitations, and how to design secure network infrastructures using various firewall deployment strategies.
🔑 Key Terms
Firewall
System or group of systems that enforces access control policy between networks.
Packet Filtering Firewall
Stateless firewall that filters based on Layer 3 and 4 information using simple policy tables.
Stateful Firewall
Firewall that tracks connection state and makes decisions based on connection context.
Application Gateway
Proxy firewall that filters information at Layers 3, 4, 5, and 7 of the OSI model.
DMZ
Demilitarized Zone - network segment that provides controlled access to public services.
Bastion Host
Hardened computer typically located in the DMZ that provides controlled access to services.
Types of Firewalls
Firewall Classification
Packet Filtering (Stateless)
Filters based on Layer 3 and 4 information:
- Source/destination IP addresses
- Protocol type
- Source/destination port numbers
- SYN packet receipt
Stateful Firewall
Tracks connection state and context:
- Maintains connection state tables
- Tracks TCP connection establishment
- Allows return traffic for established connections
- Provides better security than packet filtering
Application Gateway
Deep packet inspection at multiple layers:
- Operates at Layers 3, 4, 5, and 7
- Examines application-specific content
- Acts as proxy between networks
- Provides comprehensive security
Next Generation Firewall
Advanced features beyond traditional firewalls:
- Integrated intrusion prevention
- Application awareness and control
- Future information feeds
- Advanced threat protection
Additional Firewall Implementations
| Type | Description | Use Case |
|---|---|---|
| Host-based | PC or server with firewall software | Individual device protection |
| Transparent | Filters IP traffic between bridged interfaces | Invisible network protection |
| Hybrid | Combination of various firewall types | Comprehensive security solution |
All Firewalls Share
- Resistant to network attacks
- Single transit point between networks
- Enforce access control policies
Packet Filtering Firewalls
Benefits and Limitations
Benefits
- Simple permit/deny rule sets
- Low impact on network performance
- Easy to implement and widely supported
- Initial security at network layer
- Cost-effective solution
Limitations
- Susceptible to IP spoofing attacks
- Cannot reliably filter fragmented packets
- Complex ACLs difficult to maintain
- Cannot dynamically filter certain services
- Stateless - examines packets individually
Fragmented Packet Vulnerability
In a fragmented datagram, the TCP header is carried only in the first fragment. A packet filter that bases its decision on that header has nothing to match in the subsequent fragments, which therefore pass through unconditionally, creating a potential security vulnerability.
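The following simulation is an added example (not part of the original module) that contrasts the behaviour just described with a simple mitigation. A naive stateless filter can only check the destination port on the first fragment and passes every non-initial fragment; a fragment-aware filter ties each later fragment to the verdict given to its first fragment using the IP Identification field. The policy (ports 80 and 443 permitted), the addresses and the fragment sequence are all constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed policy: only these TCP destination ports are permitted inbound.
ALLOWED_PORTS = {80, 443}


@dataclass(frozen=True)
class Fragment:
    """One IP fragment. Only the first fragment (offset 0) carries the TCP header."""
    src: str
    dst: str
    ident: int                       # IP Identification field, shared by all fragments of a datagram
    offset: int                      # fragment offset; 0 means first fragment
    more: bool                       # More Fragments (MF) flag
    dst_port: Optional[int] = None   # visible only when offset == 0


def naive_verdict(frag: Fragment) -> str:
    """Stateless packet filter that matches on whatever TCP header it can see."""
    if frag.offset == 0:
        return "permit" if frag.dst_port in ALLOWED_PORTS else "deny"
    # Non-initial fragment: there is no Layer 4 header to match, so it is passed.
    return "permit"


class FragmentAwareFilter:
    """Filter that ties non-initial fragments to the verdict on their first fragment."""

    def __init__(self) -> None:
        # Datagrams (src, dst, ident) whose first fragment was permitted.
        self.permitted: Set[Tuple[str, str, int]] = set()

    def verdict(self, frag: Fragment) -> str:
        key = (frag.src, frag.dst, frag.ident)
        if frag.offset == 0:
            decision = naive_verdict(frag)   # first fragment: same Layer 4 check
            if decision == "permit":
                self.permitted.add(key)
            return decision
        if key not in self.permitted:
            # Fragment of a datagram that was denied, or that arrived before its first fragment.
            return "deny"
        if not frag.more:
            self.permitted.discard(key)      # last fragment seen; forget the datagram
        return "permit"


def run_naive(frags: List[Fragment]) -> List[str]:
    return [naive_verdict(f) for f in frags]


def run_aware(frags: List[Fragment]) -> List[str]:
    fw = FragmentAwareFilter()
    return [fw.verdict(f) for f in frags]


# Constructed traffic: one fragmented datagram to a denied port (22), one to a permitted port (443).
SAMPLE = [
    Fragment("198.51.100.7", "10.0.0.5", ident=1, offset=0, more=True, dst_port=22),
    Fragment("198.51.100.7", "10.0.0.5", ident=1, offset=185, more=True),
    Fragment("198.51.100.7", "10.0.0.5", ident=1, offset=370, more=False),
    Fragment("198.51.100.7", "10.0.0.5", ident=2, offset=0, more=True, dst_port=443),
    Fragment("198.51.100.7", "10.0.0.5", ident=2, offset=185, more=False),
]

if __name__ == "__main__":
    for name, verdicts in (("naive", run_naive(SAMPLE)), ("fragment-aware", run_aware(SAMPLE))):
        print(f"{name:15s}", verdicts)
```

The naive filter denies only the first fragment of the port-22 datagram and passes the remaining two; the fragment-aware filter denies all three. The aware version is deliberately simple: a fragment arriving before its first fragment is dropped rather than buffered, and entries are never aged out, whereas a production stateful device reassembles or virtually reassembles fragments before applying policy.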
Stateful Firewalls
Benefits and Limitations
| Benefits | Limitations |
|---|---|
| Primary means of defense | No application layer inspection |
| Strong packet filtering control | Limited tracking of stateless protocols |
| Improved performance over packet filters | Difficult to defend against dynamic port negotiation |
| Defends against spoofing and DoS attacks | No user authentication support |
| Richer data logging | Cannot prevent application layer attacks |
State Table Management
Stateful firewalls maintain connection state tables that track the status of network connections. This allows them to make intelligent decisions about whether to allow or deny traffic based on the connection context.
Protocol Considerations
- TCP: Full connection state tracking with three-way handshake
- UDP: Pseudo-stateful tracking based on recent traffic
- ICMP: Limited state information available
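To make the state table concrete, here is an added example (not code from the module or from any vendor) of a minimal stateful firewall for the private/public design: inside-to-outside traffic is permitted and recorded, and outside-to-inside traffic is permitted only when it matches an existing entry. It walks the TCP three-way handshake through SYN_SENT, SYN_RECEIVED and ESTABLISHED, keeps UDP entries alive on an idle timer, and pairs one ICMP echo reply with each outbound echo request. The 10.0.0.0/24 inside network, the timeouts and the packet trace are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed topology: 10.0.0.0/24 is the trusted (inside) network; everything else is untrusted.
INSIDE_PREFIX = "10.0.0."
UDP_IDLE_TIMEOUT = 30.0    # seconds a UDP pseudo-connection stays in the table without traffic
ICMP_IDLE_TIMEOUT = 10.0   # seconds an echo request waits for its reply


@dataclass(frozen=True)
class Packet:
    proto: str                         # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0                     # 0 for ICMP
    dport: int = 0
    flags: frozenset = frozenset()     # TCP flags, e.g. frozenset({"SYN", "ACK"})
    icmp_type: Optional[int] = None    # 8 = echo request, 0 = echo reply
    t: float = 0.0                     # arrival time in seconds


FlowKey = Tuple[str, str, int, str, int]


def fwd_key(p: Packet) -> FlowKey:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def rev_key(p: Packet) -> FlowKey:
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class StatefulFirewall:
    """Policy: inside->outside is permitted and tracked; outside->inside only as return traffic."""

    def __init__(self) -> None:
        self.table: Dict[FlowKey, dict] = {}   # state table: flow key -> {"state", "last"}

    def inspect(self, p: Packet) -> str:
        self._expire(p.t)
        outbound = p.src.startswith(INSIDE_PREFIX) and not p.dst.startswith(INSIDE_PREFIX)
        return self._tcp(p, outbound) if p.proto == "tcp" else self._pseudo_stateful(p, outbound)

    def _tcp(self, p: Packet, outbound: bool) -> str:
        syn, ack = "SYN" in p.flags, "ACK" in p.flags
        closing = bool(p.flags & {"FIN", "RST"})
        key = fwd_key(p) if outbound else rev_key(p)   # entries are stored in the outbound direction
        entry = self.table.get(key)
        if entry is None:
            if outbound and syn and not ack:           # new connection from the trusted side
                self.table[key] = {"state": "SYN_SENT", "last": p.t}
                return "permit"
            return "deny"   # unsolicited inbound SYN, or a stray ACK with no known connection
        state = entry["state"]
        if state == "ESTABLISHED" or closing:
            pass                                           # data, FIN or RST on a known connection
        elif state == "SYN_SENT" and not outbound and syn and ack:
            entry["state"] = "SYN_RECEIVED"                # server answered the SYN
        elif state == "SYN_RECEIVED" and outbound and ack and not syn:
            entry["state"] = "ESTABLISHED"                 # handshake completed by the client
        elif state == "SYN_SENT" and outbound and syn and not ack:
            pass                                           # SYN retransmission
        else:
            return "deny"                                  # does not fit the connection's state
        entry["last"] = p.t
        if closing:
            del self.table[key]   # torn down; later packets need a fresh handshake
        return "permit"

    def _pseudo_stateful(self, p: Packet, outbound: bool) -> str:
        if outbound:
            if p.proto == "icmp" and p.icmp_type != 8:
                return "deny"   # only echo requests open state in this simplified policy
            self.table[fwd_key(p)] = {"state": "OPEN", "last": p.t}
            return "permit"
        entry = self.table.get(rev_key(p))
        if entry is None:
            return "deny"       # no recent outbound traffic to pair this with
        if p.proto == "icmp":
            if p.icmp_type != 0:
                return "deny"
            del self.table[rev_key(p)]   # one reply closes the request
            return "permit"
        entry["last"] = p.t              # UDP: a reply refreshes the idle timer
        return "permit"

    def _expire(self, now: float) -> None:
        timeouts = {"udp": UDP_IDLE_TIMEOUT, "icmp": ICMP_IDLE_TIMEOUT}
        self.table = {k: v for k, v in self.table.items()
                      if k[0] not in timeouts or now - v["last"] <= timeouts[k[0]]}


def run(packets: List[Packet]) -> List[str]:
    fw = StatefulFirewall()
    return [fw.inspect(p) for p in packets]


# Constructed packet trace (addresses from documentation ranges).
IN, WEB, DNS, ROGUE = "10.0.0.5", "203.0.113.10", "203.0.113.53", "198.51.100.7"
F = frozenset
SAMPLE = [
    Packet("tcp", IN, WEB, 40000, 443, F({"SYN"}), t=0.0),          # handshake from inside
    Packet("tcp", WEB, IN, 443, 40000, F({"SYN", "ACK"}), t=0.1),
    Packet("tcp", IN, WEB, 40000, 443, F({"ACK"}), t=0.2),
    Packet("tcp", WEB, IN, 443, 40000, F({"ACK"}), t=0.3),          # return data
    Packet("tcp", ROGUE, IN, 55555, 22, F({"SYN"}), t=1.0),         # unsolicited inbound SYN
    Packet("tcp", ROGUE, IN, 55555, 22, F({"ACK"}), t=1.1),         # stray ACK with no connection
    Packet("udp", IN, DNS, 50000, 53, t=2.0),                       # DNS query and reply
    Packet("udp", DNS, IN, 53, 50000, t=2.5),
    Packet("udp", DNS, IN, 53, 50000, t=40.0),                      # late reply after idle timeout
    Packet("icmp", IN, WEB, icmp_type=8, t=50.0),                   # echo request and reply
    Packet("icmp", WEB, IN, icmp_type=0, t=50.5),
    Packet("icmp", WEB, IN, icmp_type=0, t=50.6),                   # second reply, no open request
]

if __name__ == "__main__":
    for p, v in zip(SAMPLE, run(SAMPLE)):
        print(f"{v:6s} {p.proto:4s} {p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)}")
```

The stray inbound ACK in the trace is the case that separates the two firewall types: a stateless filter that permits "established" traffic by looking at the ACK bit would pass it, while the state table denies it because no connection was ever opened from inside. TCP entries here never age out and the ICMP handling is one reply per request; a real implementation adds timers for every state and handles the other ICMP types.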
🔒 Security Architectures
Common Firewall Designs
Private and Public
Simple two-interface design:
- Public network (untrusted)
- Private network (trusted)
- Traffic from private to public permitted and inspected
- Return traffic for established connections allowed
- Traffic from public to private generally blocked
Demilitarized Zone (DMZ)
Three-interface design with DMZ:
- Public network (untrusted)
- DMZ (semi-trusted)
- Private network (trusted)
- Public services hosted in DMZ
- Controlled access between all zones
Zone-Based Policy Firewalls
Flexible zone-based approach:
- Interfaces grouped into security zones
- Policies applied between zones
- Traffic within zones generally trusted
- Granular control over inter-zone traffic
- Scalable for complex networks
Network Zone Classification
- Trusted: Internal networks with full access
- Semi-trusted: DMZ networks with limited access
- Untrusted: External networks (Internet)
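As an added example of the zone-based model (not configuration from the module or from any vendor), the lookup below maps interfaces to the three zones above and holds policy per zone pair. Intra-zone traffic passes, a zone pair with no policy is denied entirely, and within a policy the first matching rule wins with an implicit drop at the end. It also lists the zone pairs that are denied only by omission, which is the check a reviewer wants when auditing such a design. Interface names, zone names and the rules are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed topology: three interfaces, one per zone.
INTERFACE_ZONE: Dict[str, str] = {"g0/0": "OUTSIDE", "g0/1": "DMZ", "g0/2": "INSIDE"}


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]    # None matches any destination port
    action: str             # "inspect" (permit and track state) or "drop"


# Zone-pair policies, keyed (source zone, destination zone).
# A pair that is absent here is denied entirely (default deny).
ZONE_PAIR_POLICY: Dict[Tuple[str, str], List[Rule]] = {
    ("INSIDE", "OUTSIDE"): [Rule("any", None, "inspect")],
    ("INSIDE", "DMZ"): [Rule("any", None, "inspect")],
    ("OUTSIDE", "DMZ"): [Rule("tcp", 80, "inspect"),
                         Rule("tcp", 443, "inspect"),
                         Rule("icmp", None, "drop")],   # explicit drop, logged ahead of the implicit one
}


def classify(in_if: str, out_if: str, proto: str, dport: Optional[int]) -> str:
    """Return the action for a flow entering on in_if and leaving on out_if."""
    src_zone, dst_zone = INTERFACE_ZONE.get(in_if), INTERFACE_ZONE.get(out_if)
    if src_zone is None or dst_zone is None:
        return "drop"          # an interface not assigned to any zone cannot talk to a zoned one
    if src_zone == dst_zone:
        return "pass"          # traffic within a zone is not policed
    rules = ZONE_PAIR_POLICY.get((src_zone, dst_zone))
    if rules is None:
        return "drop"          # no zone pair: default deny
    for rule in rules:
        if (rule.proto in ("any", proto)) and (rule.dport is None or rule.dport == dport):
            return rule.action
    return "drop"              # implicit drop at the end of the policy


def unpoliced_pairs() -> List[Tuple[str, str]]:
    """Zone pairs that are denied only because no policy exists for them."""
    zones = sorted(set(INTERFACE_ZONE.values()))
    return [(s, d) for s in zones for d in zones
            if s != d and (s, d) not in ZONE_PAIR_POLICY]


if __name__ == "__main__":
    for flow in [("g0/0", "g0/1", "tcp", 443), ("g0/0", "g0/1", "tcp", 22),
                 ("g0/1", "g0/2", "tcp", 445), ("g0/2", "g0/0", "udp", 53)]:
        print(flow, "->", classify(*flow))
    print("denied by omission:", unpoliced_pairs())
```

Note that this resolves only the initial direction of a flow; return traffic for an inspected flow is admitted by the state table, not by a second zone-pair policy, which is why the DMZ-to-OUTSIDE and DMZ-to-INSIDE pairs can remain unpoliced without breaking web responses.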
Layered Defense
Layered defense uses multiple types of firewalls and security measures combined at different network layers to provide comprehensive protection.
Defense Layers
1. Network Core Security
Protects against malicious software and traffic anomalies, enforces network policies, ensures survivability.
2. Perimeter Security
Secures boundaries between different security zones and network segments.
3. Communications Security
Provides information assurance through encryption and secure protocols.
4. Endpoint Security
Provides identity and device security policy compliance at individual devices.
Screened Subnet Configuration
Traffic flow through multiple policy enforcement points:
- Edge router with packet filtering
- Screened firewall or bastion host
- Interior screening router
- Internal destination host
What Firewalls Cannot Do
- Stop intrusions from within the network
- Protect against rogue access points
- Replace backup and disaster recovery
- Substitute for informed administrators
Firewall Security Policy Best Practices
- Position firewalls at security boundaries
- Deny all traffic by default
- Permit only necessary services
- Control physical access to firewalls
- Regularly monitor firewall logs
- Practice change management
- Remember firewalls protect primarily against external technical attacks
✅ Quick Checks
- What are the three common firewall properties?
  Resistant to network attacks, single transit point between networks, and enforce access control policies.
- Which firewall type filters at Layers 3, 4, 5, and 7?
  Application gateway (proxy) firewall.
- What is the main difference between stateful and stateless firewalls?
  Stateful firewalls track connection state and context, while stateless firewalls examine each packet individually.
- What are the three interfaces in a DMZ design?
  Inside (trusted), outside (untrusted), and DMZ (semi-trusted) interfaces.
- What is a bastion host?
  A hardened computer typically located in the DMZ that provides controlled access to services.
📝 Summary
- Firewalls enforce access control policies between networks
- Packet filtering firewalls provide basic Layer 3/4 filtering
- Stateful firewalls track connection state for better security
- Application gateways provide deep packet inspection
- Next-generation firewalls offer advanced threat protection
- Common architectures include private/public, DMZ, and zone-based designs
- Layered defense provides comprehensive protection at multiple levels
- Proper firewall placement and policy design are critical
- Firewalls have limitations and cannot protect against all threats
- Regular monitoring and maintenance are essential
References
- Module 9: Firewall Technologies - Introduction (Ch. 9.0)
- Secure Networks with Firewalls (Ch. 9.1)
- Firewalls in Network Design (Ch. 9.2)
- Network Security Architecture Best Practices
- Firewall Implementation Guidelines