Firewall Technologies

The document provides an overview of firewalls, defining their purpose as systems that enforce access control policies to prevent undesirable traffic in networks. It discusses various types of firewalls, including packet filtering, stateful, and classic firewalls, along with their benefits and limitations. Additionally, it highlights the importance of firewalls in network design, including concepts like Demilitarized Zones (DMZs) and best practices for configuration.


Defining Firewalls
• A firewall prevents undesirable traffic from entering prescribed areas within a network.
• A firewall is a system or group of systems that enforces an access control policy between networks. For example:
  - A packet filtering router
  - A switch with two VLANs
  - Multiple hosts with firewall software
• In 1989, AT&T Bell Laboratories developed the first stateful firewall. A stateful firewall is able to determine whether a packet belongs to an existing flow of data.

Basic firewall flow diagram: [figure not reproduced]
Securing Networks with Firewalls: Benefits and Limitations of Firewalls

Benefits
• Exposure of sensitive hosts and applications to untrusted users can be prevented.
• The protocol flow can be sanitized, preventing the exploitation of protocol flaws.
• Malicious data can be blocked from servers and clients.
• Security policy enforcement can be made simple, scalable, and robust.

Limitations
• If misconfigured, a firewall can have serious consequences; it is also a single point of failure.
• The data from many applications cannot be passed over firewalls securely.
• Users might proactively search for ways around the firewall to receive blocked material, exposing the network to potential attack.
• Network performance can slow down.
• Unauthorized traffic can be tunneled or hidden as legitimate traffic through the firewall.
Types of Firewalls: Firewall Types
• Packet filtering firewall - Typically a router with the capability to filter some packet content, such as Layer 3 and sometimes Layer 4 information.
• Stateful firewall - Monitors the state of connections, whether the connection is in an initiation, data transfer, or termination state.
• Application gateway firewall (proxy firewall) - A firewall that filters information at Layers 3, 4, 5, and 7 of the OSI reference model. Most of the firewall control and filtering is done in software.
• Network address translation (NAT) firewall - A firewall that expands the number of IP addresses available and hides the network addressing design.
Types of Firewalls: Packet Filtering Firewall
• Packet-filtering firewalls are usually part of a router firewall and primarily use ACLs. They examine a packet based on the information in the packet header only.
• Packet-filtering firewalls use a simple policy table lookup that permits or denies traffic based on specific criteria:
  - Source IP address
  - Destination IP address
  - Protocol
  - Source port number
  - Destination port number
  - Synchronize/start (SYN) packet receipt
Types of Firewalls: Stateful Firewalls
• Stateful firewalls are the most versatile and the most common firewall technologies in use.
• Stateful filtering tracks each connection traversing all interfaces of the firewall and confirms that it is valid. The firewall examines information in the headers of Layer 3 packets and Layer 4 segments.
• Also called "stateful packet filters" and "application-aware packet filters."
• Stateful firewalls have two main improvements over packet filters:
  - They maintain a session table (state table) where they track all connections.
  - They recognize dynamic applications and know which additional connections will be initiated between the endpoints.
• Stateful firewalls inspect every packet, compare the packet against the state table, and may examine the packet for any special protocol negotiations.
• Stateful firewalls operate mainly at the transport (TCP and UDP) layer.
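The two preceding sections (packet filtering and stateful filtering) are easiest to compare on the same traffic. The following is an added example written for this page, not code from the original slides: a stateless policy-table lookup with an `established`-style rule next to a minimal stateful filter that keeps a session table and walks each TCP connection through the initiation, data transfer and termination states the slides describe. The hosts, addresses (RFC 5737 documentation ranges), rules and packets are constructed for the demonstration and are assumptions, not anything from the source.

```python
# Added example: stateless packet filter beside a stateful filter.
# All hosts, rules and packets below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INSIDE = ip_network("192.0.2.0/24")   # assumed trusted LAN behind the firewall
CLIENT = "192.0.2.10"                 # assumed inside host
WEB = "198.51.100.20"                 # assumed legitimate outside web server
ATTACKER = "203.0.113.66"             # assumed outside host sending crafted packets

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()    # TCP flags set, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}

@dataclass(frozen=True)
class Rule:
    """One entry of a packet-filter policy table (an ACL line)."""
    action: str                       # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    established: bool = False         # like the IOS ACL keyword: match only if ACK or RST is set

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True

def packet_filter(rules: list, p: Packet) -> str:
    """Stateless first-match lookup over the policy table, implicit deny at the end."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Inbound ACL on the outside interface: admit only "return traffic", judged
# purely from header bits, which is all a packet filter can see.
OUTSIDE_IN = [Rule("permit", dst=str(INSIDE), proto="tcp", established=True), Rule("deny")]

class StatefulFilter:
    """Session table of TCP connections the inside opened; a packet is admitted only if it
    belongs to a tracked connection and is valid for the state that connection is in."""
    def __init__(self) -> None:
        # (src, sport, dst, dport) of the initiating SYN -> initiation | data transfer | termination
        self.table: dict = {}

    def process(self, p: Packet, direction: str) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        if direction == "out" and p.proto == "tcp" and p.flags == {"SYN"} and ip_address(p.src) in INSIDE:
            self.table[key] = "initiation"          # new connection from the trusted side
            return "permit"
        reverse = (p.dst, p.dport, p.src, p.sport)
        entry = key if key in self.table else reverse if reverse in self.table else None
        if entry is None:
            return "deny"                           # not part of any tracked connection
        if "RST" in p.flags:
            del self.table[entry]                   # abort: forget the session immediately
            return "permit"
        if self.table[entry] == "initiation":
            # only the server's SYN/ACK is valid here; anything else is out of sequence
            if direction == "in" and p.flags == {"SYN", "ACK"}:
                self.table[entry] = "data transfer"
                return "permit"
            return "deny"
        if self.table[entry] == "data transfer" and "FIN" in p.flags:
            self.table[entry] = "termination"
        return "permit"

def run_demo() -> dict:
    """Feed the same constructed packets to both filters and return each decision."""
    fw, out = StatefulFilter(), {}
    syn = Packet(CLIENT, WEB, "tcp", 51000, 443, frozenset({"SYN"}))
    synack = Packet(WEB, CLIENT, "tcp", 443, 51000, frozenset({"SYN", "ACK"}))
    ack = Packet(CLIENT, WEB, "tcp", 51000, 443, frozenset({"ACK"}))
    out["stateful_syn_out"] = fw.process(syn, "out")
    out["stateful_synack_in"] = fw.process(synack, "in")
    out["stateful_ack_out"] = fw.process(ack, "out")
    out["stateless_synack_in"] = packet_filter(OUTSIDE_IN, synack)
    out["state_after_handshake"] = fw.table[(CLIENT, 51000, WEB, 443)]
    # Crafted packet: ACK bit set, aimed at an inside port no connection was opened from.
    forged = Packet(ATTACKER, CLIENT, "tcp", 31337, 445, frozenset({"ACK"}))
    out["stateless_forged_in"] = packet_filter(OUTSIDE_IN, forged)   # "established" is fooled by the ACK bit
    out["stateful_forged_in"] = fw.process(forged, "in")             # no session in the table: dropped
    # Plain inbound SYN probe: both filters deny it.
    probe = Packet(ATTACKER, CLIENT, "tcp", 31337, 22, frozenset({"SYN"}))
    out["stateless_probe_in"] = packet_filter(OUTSIDE_IN, probe)
    out["stateful_probe_in"] = fw.process(probe, "in")
    return out

if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:24s} {decision}")
```

The point of the comparison is the forged packet: the stateless `established` rule trusts a header bit the sender controls, so an attacker who sets ACK reaches an inside port; the stateful filter consults its session table, finds no connection, and drops it. The same table is what lets the stateful filter refuse an inbound packet that is out of sequence for the connection's state (for example, data before the SYN/ACK has been seen).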
Classic Firewall
• Classic Firewall was formerly known as context-based access control (CBAC).
• Classic Firewall provides four main functions: traffic filtering, traffic inspection, intrusion detection, and generation of audits and alerts.
• Classic Firewall is a dramatic improvement over the TCP `established` and reflexive ACL firewalls in several ways:
  - Monitors TCP connection setup
  - Tracks TCP sequence numbers
  - Monitors UDP session information
  - Inspects DNS queries and replies
  - Inspects common ICMP message types
  - Supports applications that rely on multiple connections
Classic Firewall Operation
[figure not reproduced]
• With Classic Firewall, the protocols to inspect are specified in an inspection rule.
• An inspection rule is applied to an interface in a direction, either in or out, where the inspection applies.
Classic Firewall Configuration
To configure Classic Firewall:
Step 1. Select an interface, either internal or external.
Step 2. Configure IP ACLs at the interface.
Step 3. Define inspection rules.
Step 4. Apply an inspection rule to an interface.
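The four steps above, carried through on the external interface, as an added configuration example written for this page (it is not a configuration from the original slides). The interface name, addresses (RFC 5737 documentation range) and the rule names OUTSIDE-IN and FW-INSPECT are assumptions chosen for the illustration; the commands themselves are standard IOS Classic Firewall (CBAC) syntax.

```cisco
! Step 1: the external interface is the one that will carry the ACL and the inspection rule.
! Step 2: inbound ACL on that interface denies all unsolicited traffic from the outside.
!         Classic Firewall adds temporary entries in front of this ACL for return traffic
!         of sessions it has inspected, so nothing needs to be opened statically.
ip access-list extended OUTSIDE-IN
 deny   ip any any log
!
! Step 3: inspection rule listing the protocols whose sessions are tracked.
!         ftp is inspected separately so the data connection it negotiates is permitted.
ip inspect audit-trail
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
ip inspect name FW-INSPECT icmp
ip inspect name FW-INSPECT ftp
!
! Step 4: apply the ACL inbound and the inspection rule outbound on the external interface,
!         so sessions leaving toward the Internet are inspected and their replies admitted.
interface GigabitEthernet0/1
 description Outside (assumed interface name)
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect FW-INSPECT out
```

After the configuration is in place, `show ip inspect config` confirms the rule and its timeouts and `show ip inspect sessions` lists the connections currently in the state table; an entry should appear when an inside host opens a session and disappear when it closes or the idle timeout expires.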
Key Differences: Packet Filtering vs. Stateful Firewalls
("Classical" in this comparison means a stateless packet filter; it is not Cisco's Classic Firewall (CBAC), which is itself a stateful implementation.)
• Inspection depth
  - Classical: only examines packet headers
  - Stateful: examines packet headers and maintains connection state
• Connection awareness
  - Classical: treats each packet independently
  - Stateful: tracks entire connection sessions
• Security features
  - Classical: basic ACL rules, source/destination IP filtering, port filtering
  - Stateful: connection state tracking, TCP sequence number tracking, protocol awareness
Firewalls In Network Design

Demilitarized Zones
A demilitarized zone (DMZ) is a separate network segment placed between the trusted internal network and the untrusted outside network. Hosts that must be reachable from the outside (public web, mail, or DNS servers) are placed in the DMZ, and firewall policy allows the outside to reach only the published services there while denying the DMZ any unsolicited access to the internal network, so a compromise of a public server does not give direct access to internal hosts.
[figure not reproduced]

Layered Defense
Factors to consider when building a complete defense in depth.
[figure not reproduced]

Firewalls and the Security Policy
[figure not reproduced]

Firewall Best Practices
[figure not reproduced]
Sample Questions
• Q. Explain how a DMZ provides additional security compared to a single firewall implementation.
• Q. Describe three best practices for firewall configuration in a corporate environment.