Mid Security

The document provides an in-depth exploration of firewalls in network security, detailing their concepts, types, and configurations. It emphasizes the importance of stateful firewalls, which monitor active connections and enhance security through contextual awareness, while also discussing their advantages and limitations. The practical implementation section outlines a testing environment using Cisco Packet Tracer to simulate a network with a Cisco ASA 5505 firewall.


TABLE OF CONTENTS

INTRODUCTION
1. Group Information
2. Reason for Topic Selection
3. Objectives
Chapter 1. Overview of Firewall in Network Security (Hà)
1.1. Concept of Firewalls
1.2. Firewall rules and Policy
1.3. Types of firewalls
1.4. Common techniques in Firewall configuration
Chapter 2. Stateful Firewalls and Their Applications in Network Security (Đăng)
2.1. Introduction to Stateful Firewalls
2.2. Working of Stateful Firewalls
2.3. Advantages and Limitations
2.4. Configuration
2.4.1. -sT (TCP Connect Scan)
2.4.2. -sV and -A (Service Version & Aggressive Scan)
2.4.3. -p (Port Specification)
2.4.4. -sU (UDP Scan)
2.5. Examples of Stateful Firewall tools and their applications
Chapter 3. Practical Implementation with Stateful Firewall
3.1. Testing Environment
3.2. Parameters Used in the Experiment
3.3. Test Cases (Hà)
3.4. Analysis and Evaluation of Results (Hà)
CONCLUSION

INTRODUCTION
1. Group Information

Full Name           ID         Assigned Task    Contribution
Phạm Thị Thu Hà     22071065
Phạm Hải Đăng       20070701
Hà Duy Dũng         20070688
Nguyễn Đức Anh      20070668
2. Reason for Topic Selection
In today's rapidly evolving digital landscape, organizations and individuals face increasingly
sophisticated cybersecurity threats, such as data breaches, malware, DDoS attacks, and
unauthorized access. In this context, implementing a firewall has become essential—
especially for businesses, schools, financial institutions, and systems handling sensitive data.
Firewalls provide a strong security barrier between internal networks and the outside world,
control network traffic, and enforce consistent security policies. As remote work and digital
transformation grow, firewalls with integrated VPNs and advanced protection features are
more important than ever. Ultimately, firewalls are chosen not just to protect systems, but to
ensure the integrity, safety, and continuity of operations.

3. Objectives
The objective of using a firewall is to protect the network from unauthorized access and
cyber threats, by monitoring and controlling incoming and outgoing traffic to ensure that
only legitimate connections are allowed. Firewalls also help enforce the organization's
security policies, ensuring the confidentiality, integrity, and availability of data and systems.
Additionally, firewalls support secure remote access and safe online operations, contributing
to the overall cybersecurity strategy of the organization.
Chapter 1. Overview of Firewall in Network Security

1.1. Concept of Firewalls

A firewall is a security mechanism—comprising both hardware and software—that filters
or blocks unwanted or unauthorized traffic between an internal trusted network and an
untrusted external network such as the Internet. Its main function is to enforce a defined
security policy by monitoring and controlling network traffic.

Firewalls can be standalone devices, software running on servers or routers, or complex
architectures involving multiple filtering components.

1.2. Firewall rules and Policy

Firewall rules are logical conditions used to determine whether a data packet should be allowed
or denied. These rules are based on various attributes such as:

- Source and destination IP addresses
- Source and destination ports
- Protocol type (TCP, UDP, etc.)
- Direction of traffic (inbound or outbound)

Policies are implemented using rule sets and are typically based on the default-deny principle—
everything is blocked unless explicitly allowed.

1.3. Types of firewalls

Firewalls can be deployed in different architectures, such as a single bastion host, a
screened host, or a DMZ (screened subnet), depending on the security requirements. They
can also be categorized by how they process traffic, the OSI layer at which they operate,
and the depth of inspection they perform. The main types include:

● Packet-filtering firewall

This is the most fundamental type, which examines the header information of each
packet and makes decisions based on criteria such as source and destination IP
address, port number, and protocol. These firewalls are fast and simple but cannot
inspect the payload of packets, making them less effective against more sophisticated
attacks.

Packet-filtering can be static (fixed rules), dynamic (rules adjusted based on events), or
stateful, which tracks the state of each connection to ensure that packets belong to a
valid session.

● Application layer proxy firewall

Also known as a proxy firewall, it acts as an intermediary between the internal network
and external services, operating at the application layer (e.g., HTTP, FTP).
These firewalls can inspect the full content of traffic, allowing for more granular control
and filtering based on application-specific rules. For example, a proxy may allow web
browsing but block file uploads via HTTP.

● MAC layer firewall

It operates at the data link layer (layer 2) by filtering traffic based on hardware (MAC)
addresses. This type of firewall is useful in tightly controlled environments like internal
LAN segments but is less common in broader enterprise applications.

● Hybrid firewall
It combines features from multiple firewall types. A hybrid system may include both
packet filtering and proxy functionalities, along with stateful inspection. Modern firewalls
often fall into this category and are marketed as Next-Generation Firewalls (NGFWs) or
Unified Threat Management (UTM) devices.
These solutions typically provide additional features:
- Intrusion detection/prevention systems (IDS/IPS)
- Deep packet inspection
- Application awareness (e.g., blocking social media)
- SSL inspection

1.4. Common techniques in Firewall configuration

Firewall configuration is a critical task to ensure the system operates securely and efficiently.

One of the most widely used techniques is the default-deny policy, where all network traffic is
blocked by default, and only explicitly allowed services are permitted. This is considered a best
practice because it minimizes the attack surface.

Network Address Translation (NAT) is another key method, allowing private internal IP
addresses to access the internet using a single public IP, thus hiding internal network structure.
Port forwarding is used when specific internal services (like a web server or SSH access) must be
accessible from outside, by mapping external ports to internal IP and ports.

Firewall administrators also apply zone-based configurations, dividing the network into
segments such as inside, outside, and DMZ. Different rules are applied to traffic between each
zone, allowing for granular control and better isolation of services.

Other techniques include setting time-based rules, protocol restrictions (e.g., blocking Telnet or
FTP), and applying logging/auditing for tracking unauthorized access attempts.

Chapter 2. Stateful Firewalls and Their Applications in Network Security

2.1. Introduction to Stateful Firewalls

A stateful firewall (or stateful inspection firewall) is a network security device that
monitors active connections and makes filtering decisions based on both predefined rules
and the state of network traffic. In contrast to basic packet-filtering firewalls which inspect
packets in isolation, a stateful firewall keeps a state table tracking details of each ongoing
connection (e.g. source/destination IPs, ports, connection status) from the moment it is
opened until it is closed. This context awareness means the firewall can recognize if an
incoming packet is part of an existing legitimate session or a brand new request. Now
considered a traditional firewall technology, stateful firewalls examine packet header
information (like addresses and ports) and remember past traffic, allowing them to allow or
block traffic based on both rules and connection context. This was a major improvement
over early “stateless” firewalls, which had no memory of past packets.
2.2. Working of Stateful Firewalls

Stateful firewall operation: A stateful firewall examines traffic in the context of existing
connections. When the first packet of a new connection arrives, the firewall performs
thorough checks (e.g. against security policies, access control lists, routing, and NAT rules)
to decide if that connection is allowed. If permitted, the firewall will create an entry in its
state table for that session, recording details like the 5-tuple (source/dest IP, source/dest
port, protocol) and the connection’s state. Once the connection is established, subsequent
packets do not need to be re-evaluated from scratch against all rules; the firewall
recognizes them as part of an existing session and lets them through as long as they match
the expected state. This greatly speeds up packet processing – in Cisco’s ASA firewall, for
example, established flows go through a “fast path” that quickly verifies the packet’s
session and sequence numbers rather than repeating full ACL checks. Essentially, if a
packet is part of a known active connection, the firewall allows it automatically, whereas
unknown packets (not matching any saved state) are subject to security policies.

For example: consider a client inside a network browsing a website: the client initiates an
outgoing TCP connection (the TCP three-way handshake) to the web server. The stateful
firewall sees this new connection setup and, if allowed by policy, adds it to the state table.
When the web server responds with packets back to the client, the firewall checks its state
table, recognizes these packets as belonging to the established session, and automatically
permits them back to the client without needing an explicit inbound rule. In effect, the
firewall enables bidirectional communication for the duration of the session by tracking the
state – the return traffic is allowed in because it’s matching an outbound request that was
already approved. This behavior simplifies security management and improves security,
since unsolicited packets (not matching any known connection) can be dropped by default.

Handling of UDP and other protocols: Because UDP and certain other protocols are
connectionless (they have no built-in handshake or explicit session teardown), a stateful
firewall cannot track them in exactly the same way as TCP. However, stateful firewalls
still manage these using pseudo-state mechanisms. For instance, when a UDP packet is
sent from an internal host to an external server, the firewall will temporarily allow the
corresponding response from that server’s IP/port back in, treating it as part of a “UDP
conversation” tracked in the state table. If the response arrives within a certain timeout and
matches the expected addresses/ports, it is permitted. In Cisco ASA, even protocols like
UDP or ICMP can have connection state information created for them, so that return traffic
is recognized and allowed just like with TCP. The firewall essentially remembers recent
UDP communications and will let the reply packets through (and then remove the state
entry after an idle timeout). If no matching state exists for an incoming UDP packet, the
firewall will treat it as unsolicited and block it (unless explicitly allowed by a rule). This
way, stateful inspection extends to connectionless traffic as well, improving security for
UDP-based services.
2.3. Advantages and Limitations

Advantages of Stateful Firewalls:

● Contextual Security: Because they maintain memory of connections,
stateful firewalls provide enhanced security by examining the context of traffic,
not just individual packets. They can recognize and block suspicious or malicious
traffic that doesn’t fit an expected connection pattern. For example, stateful
inspection firewalls can detect and prevent various types of attacks, such as IP
spoofing and session hijacking, which a stateless firewall might miss. By tracking
the state of TCP streams or UDP exchanges, the firewall can ensure packets are
part of a legitimate session, thus thwarting certain network attacks that exploit the
protocol handshake or sequence.

● Dynamic & Accurate Filtering: Stateful firewalls can make dynamic
decisions based on connection state. This means they are more flexible – for
instance, they automatically allow return traffic for established sessions without a
specific rule for the return path. This reduces the chance of accidentally blocking
legitimate traffic and yields fewer false alarms. By understanding the context of a
conversation, a stateful firewall is less likely to mistakenly block valid traffic or
allow malicious packets out of context. In practice, this also simplifies policy
management: administrators don’t need to write separate rules for outbound and
inbound directions of the same connection. The firewall’s ability to remember
connections provides a more granular control and adaptive filtering compared to
stateless ACLs.

● Simplified Policy Management: With stateful inspection, security
rules are easier to manage for bidirectional traffic. An administrator can create a
rule allowing, say, outbound web traffic and trust the firewall to automatically
allow the corresponding inbound responses, instead of writing two opposite rules.
A stateful firewall enables bidirectional communication without rules having to
be established in both INBOUND and OUTBOUND directions. This means fewer
firewall rules and less administrative overhead, especially for protocols like FTP
or voice that open multiple channels dynamically. The firewall’s state table takes
care of tracking and permitting response traffic, making policy configuration
more intuitive and reducing errors.

● Improved Logging and Diagnostics: Because stateful firewalls
maintain details of each session, they often provide detailed logging of connection
events and traffic patterns. Administrators can review logs of allowed/denied
connections with context (which session, which stage) for better troubleshooting
and audit. Over time, this helps in understanding network behavior and
identifying anomalies.

Limitations of Stateful Firewalls:

● Performance and Resource Overhead: Maintaining and checking a
state table for every connection uses more memory and CPU on the firewall. In
high-traffic environments, a stateful firewall can become a bottleneck if not sized
properly. Tracking thousands or millions of simultaneous connections imposes a
performance cost. For example, each new connection must be added to the table
and each packet for existing connections must be matched against it. This extra
work can introduce latency and requires robust hardware. In contrast, simpler
stateless filters might have lower latency since they don’t store connection info –
but they lack the security benefits.

● Complexity of Configuration: Stateful firewalls are more
sophisticated, which means configuration and management can be more complex.
There are often many features and settings (connection timeouts, inspection rules
for various protocols, etc.) that administrators must understand. Misconfigurations
can occur if the administrator is not careful, potentially leading to unintended
open ports or blocked traffic. Additionally, diagnosing issues may be harder
because the firewall’s decision depends on connection state, which isn’t
immediately visible without examining the state table. This complexity means
greater expertise is required to manage stateful firewalls correctly compared to
basic ACLs.

● Resource Intensive & Scalability Issues: Because they inspect and
remember so much information, stateful firewalls can be resource-intensive. They
often require more powerful hardware (CPU, memory) and might cost more,
especially when scaling up to large networks. In very large-scale deployments
with extreme connection volumes, maintaining state for everything might become
impractical, potentially requiring load-balancing or firewall clustering to handle
the load.

● Encrypted Traffic Blindness: Traditional stateful firewalls primarily
examine packet headers and basic protocol states. They struggle with encrypted
traffic – for instance, they cannot inspect the contents of HTTPS (TLS) sessions
without additional tools. If a significant portion of traffic is encrypted (as is
common today), a basic stateful firewall may only see that a connection exists, but
not what is inside. This limitation means attackers can sometimes tunnel
malicious payloads inside encrypted sessions beyond the firewall’s inspection.
Addressing this often requires extra solutions (like SSL/TLS decryption or
next-generation firewall features). As a result, stateful firewalls alone have limitations
in dealing with VPN or HTTPS traffic, potentially leaving blind spots.

● Single Point of Failure: Since a firewall often sits at critical junctions
of the network, a stateful firewall becomes a crucial component for traffic flow. If
it fails (or if its state table is overwhelmed), it can disrupt all communications
going through it. High availability designs (e.g. firewall failover pairs) are
typically used to mitigate this, but it’s a consideration that the firewall needs to be
robust and redundant.

2.4. Configuration

Chapter 3. Practical Implementation with Stateful Firewall

3.1. Testing Environment

The network model is designed and deployed on Cisco Packet Tracer, simulating a system
consisting of:

● Cisco ASA 5505 firewall, configured to be divided into three security zones:
  ○ Inside (VLAN 1): Internal network (192.168.1.0/24) connecting PC-B.
  ○ DMZ (VLAN 3): Buffer zone network (192.168.2.0/24) containing the DMZ host.
  ○ Outside (VLAN 2): Connects to the outside network (simulated Internet).
● Routers R1, R2, R3 represent ISP network routes.
● Layer 2 Switch (2960) to connect PCs and servers.
● Three PCs (PC-B, PC-C) and one server in DMZ are used to test connectivity and
firewall policies.

Inter-zone communication is managed using Access Control List (ACL) policies and the ASA's
stateful inspection functionality. Dynamic NAT is applied to allow outbound access from the
internal network.

3.2. Parameters Used in the Experiment

Device      Interface        IP Address        Subnet Mask        Default Gateway
R1          G0/0             209.165.200.225   255.255.255.248    N/A
            S0/0/0 (DCE)     10.1.1.1          255.255.255.252    N/A
R2          S0/0/0           10.1.1.2          255.255.255.252    N/A
            S0/0/1 (DCE)     10.2.2.2          255.255.255.252    N/A
R3          G0/1             172.16.3.1        255.255.255.0      N/A
            S0/0/1           10.2.2.1          255.255.255.0      N/A
ASA         VLAN 1 (E0/1)    192.168.1.1       255.255.255.0      N/A
ASA         VLAN 2 (E0/0)    209.165.200.226   255.255.255.248    N/A
ASA         VLAN 3 (E0/2)    192.168.2.1       255.255.255.0      N/A
DMZ Server  NIC              192.168.2.3       255.255.255.0      192.168.2.1
PC-B        NIC              192.168.1.3       255.255.255.0      192.168.1.1
PC-C        NIC              172.16.3.3        255.255.255.0      172.16.3.1

3.3. Test Cases


Test Case 1: Outbound ICMP (ping) from Inside to Outside

Objective: Verify that ICMP traffic initiated from the inside network is allowed to reach external
networks, and that the return traffic is permitted due to stateful inspection.

Steps:

- From PC-B (inside network), ping R1 (outside) at IP address 209.165.200.225.
- Initially, the return pings are blocked because the ASA is not configured to inspect
ICMP.
- After modifying the Modular Policy Framework (MPF) to include ICMP inspection,
repeat the ping.

Expected Result: ASA allows the outbound ping and tracks the connection state. When the
ICMP reply returns, the ASA permits it since it matches an established session.

Test Case 2: Inbound ICMP (ping) from Outside to Inside

Objective: Confirm that unsolicited inbound ICMP traffic is blocked by default, demonstrating
ASA’s stateful nature.

Steps: From PC-C (outside), attempt to ping PC-B (inside).

Expected Result: The ASA drops the ping because it did not originate from the inside and no
session exists. This verifies the ASA does not allow inbound traffic unless it is part of an existing
stateful connection.

Test Case 3: TCP Connection Initiated from Inside to Outside

Objective: Test ASA’s behavior when a TCP session is initiated from inside to outside.

Steps:

● From PC-B, access a simulated web service on R1 using HTTP (port 80).

● Use a web browser or command-line curl to initiate the connection.

Expected Result: ASA tracks the TCP handshake (SYN, SYN-ACK, ACK) and allows return
traffic as part of the established session.

Test Case 4: TCP Connection Initiated from Outside to Inside (Blocked)

Objective: Ensure ASA blocks unsolicited inbound TCP connection attempts to internal hosts.

Steps:

● From PC-C (outside), attempt to initiate an HTTP connection to PC-B (inside)
without any port forwarding or ACLs configured.

Expected Result: ASA blocks the connection because it is not part of an existing session. This
behavior is core to stateful firewall functionality.

Test Case 5: TCP Connection to DMZ Server with Static NAT and ACL

Objective: Verify that ASA allows inbound access to a DMZ server when a proper ACL and
static NAT mapping exist.

Steps:

● From PC-C, initiate an HTTP request to the DMZ server using the public IP
209.165.200.227.

● ASA translates the request and checks if it matches the ACL permitting TCP port 80.

Expected Result: ASA allows the traffic due to an explicit ACL and static NAT, and statefully
inspects the session for return traffic.
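As an added example (written for this edit, not the report's own work or Cisco code), the following Python model reproduces the state-table mechanics of section 2.2 and replays the five test cases above. The zone security levels, idle timeouts, the ICMP-inspection flag and the static NAT entry for 209.165.200.227 are assumptions that mirror the lab; outbound dynamic NAT is not modelled.

```python
from collections import namedtuple

# ASA-style security levels (assumed for this example): higher-to-lower traffic is
# allowed by default, lower-to-higher only via an explicit ACL or an existing state entry.
ZONES = {"inside": 100, "dmz": 50, "outside": 0}
IDLE_TIMEOUT = {"tcp": 3600, "udp": 120, "icmp": 2}  # seconds; constructed, not ASA defaults

# For ICMP echo, sport and dport both carry the echo identifier.
Packet = namedtuple("Packet", "src_ip dst_ip proto sport dport")


def zone_of(ip):
    """Lab zone by connected network (from the report); anything else is outside."""
    return {"192.168.1": "inside", "192.168.2": "dmz"}.get(ip.rsplit(".", 1)[0], "outside")


class StatefulFirewall:
    def __init__(self, inspect_icmp=False):
        self.inspect_icmp = inspect_icmp  # models "inspect icmp" in the ASA MPF
        self.state = {}       # 5-tuple of a flow's first packet -> last-seen time
        self.static_nat = {}  # public IP -> private IP (outside -> DMZ server)
        self.acl = set()      # (proto, private dst IP, dport) permitted inbound
        self.log = []

    def process(self, pkt, now):
        """Return 'ALLOW' or 'DENY' for one packet seen at time `now` (seconds)."""
        # Purge entries idle longer than their timeout, like ASA connection timers.
        self.state = {k: t for k, t in self.state.items() if now - t <= IDLE_TIMEOUT[k[0]]}
        dst_ip = self.static_nat.get(pkt.dst_ip, pkt.dst_ip)  # un-translate static NAT
        fwd = (pkt.proto, pkt.src_ip, pkt.sport, dst_ip, pkt.dport)
        rev = (pkt.proto, dst_ip, pkt.dport, pkt.src_ip, pkt.sport)
        for key in (fwd, rev):  # fast path: either leg of a tracked flow
            if key in self.state:
                self.state[key] = now
                return self._log(pkt, "ALLOW", "matches existing state")
        # Slow path: a new flow is checked against the zone policy and the ACL.
        if ZONES[zone_of(pkt.src_ip)] > ZONES[zone_of(dst_ip)]:
            why = "higher to lower security level"
        elif (pkt.proto, dst_ip, pkt.dport) in self.acl:
            why = "permitted by inbound ACL"
        else:
            return self._log(pkt, "DENY", "unsolicited: no state and no ACL")
        # Remember the flow so its reply is recognised; ICMP only when inspected.
        if pkt.proto != "icmp" or self.inspect_icmp:
            self.state[fwd] = now
        return self._log(pkt, "ALLOW", why)

    def _log(self, pkt, verdict, why):
        self.log.append(f"{verdict} {pkt.proto} {pkt.src_ip}->{pkt.dst_ip}: {why}")
        return verdict


def run_lab_tests():
    """Replay the report's five test cases plus the UDP idle-timeout behaviour."""
    R1, PCB, PCC = "209.165.200.225", "192.168.1.3", "172.16.3.3"
    DMZ_PUB, DMZ_SRV = "209.165.200.227", "192.168.2.3"
    r = {}
    fw = StatefulFirewall(inspect_icmp=False)  # TC1 before the MPF change
    fw.process(Packet(PCB, R1, "icmp", 7, 7), 0)
    r["tc1_reply_no_inspect"] = fw.process(Packet(R1, PCB, "icmp", 7, 7), 1)
    fw = StatefulFirewall(inspect_icmp=True)  # TC1 after adding "inspect icmp"
    fw.process(Packet(PCB, R1, "icmp", 7, 7), 0)
    r["tc1_reply_inspect"] = fw.process(Packet(R1, PCB, "icmp", 7, 7), 1)
    r["tc2_inbound_ping"] = fw.process(Packet(PCC, PCB, "icmp", 9, 9), 2)
    fw.process(Packet(PCB, R1, "tcp", 40001, 80), 3)  # TC3: SYN leaves the inside
    r["tc3_synack"] = fw.process(Packet(R1, PCB, "tcp", 80, 40001), 3)
    r["tc4_inbound_syn"] = fw.process(Packet(PCC, PCB, "tcp", 40002, 80), 4)
    fw.static_nat[DMZ_PUB] = DMZ_SRV  # TC5: static NAT plus an ACL for port 80
    fw.acl.add(("tcp", DMZ_SRV, 80))
    r["tc5_syn"] = fw.process(Packet(PCC, DMZ_PUB, "tcp", 40003, 80), 5)
    r["tc5_synack"] = fw.process(Packet(DMZ_SRV, PCC, "tcp", 80, 40003), 5)
    fw.process(Packet(PCB, R1, "udp", 5000, 53), 10)  # section 2.2: UDP pseudo-state
    r["udp_reply_in_time"] = fw.process(Packet(R1, PCB, "udp", 53, 5000), 60)
    late = 60 + IDLE_TIMEOUT["udp"] + 1
    r["udp_reply_after_timeout"] = fw.process(Packet(R1, PCB, "udp", 53, 5000), late)
    return r
```

After running `run_lab_tests()`, the firewall's `log` list holds one line per packet with the reason for each verdict, which is the kind of context the "Improved Logging" point in section 2.3 refers to.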

3.4. Analysis and Evaluation of Results

The test results confirm the effectiveness of Cisco ASA as a stateful firewall, capable of
inspecting traffic and dynamically managing connection states. The ASA distinguishes between
new, existing, and invalid connections, applying different rules based on the context of each
packet.

In Test Case 1, we observed that return ICMP traffic was initially blocked until we explicitly
enabled ICMP inspection. This demonstrated ASA's default policy of allowing only TCP/UDP
return traffic and its flexibility to extend inspection to other protocols via MPF.

Test Case 2 highlighted the core principle of a stateful firewall: unsolicited inbound traffic
without a prior outbound request is blocked, reducing the attack surface of the internal network.

In Test Case 3, the ASA successfully managed the TCP three-way handshake and maintained the
session state, allowing bidirectional communication only within that session.

Test Case 4 confirmed ASA’s strict control over session initiation. No session state existed for
the unsolicited outside-to-inside TCP attempt, so the ASA dropped it silently, consistent with
secure firewall behavior.

Finally, Test Case 5 combined stateful inspection with static NAT and ACLs, showing that ASA
can selectively permit external access to internal services in a secure, controlled way.

Overall, the behavior observed in each scenario validates that the ASA's stateful firewall
maintains comprehensive session awareness. It dynamically opens and closes access based on
session state, which is essential for preventing unauthorized access while allowing legitimate
communication.
