This material was developed with funding from the National Science Foundation.
This work is licensed with a Creative Commons Attribution 4.0 International License.
A firewall is a device or program that protects the boundary between two networks, such as an internal private network and the Internet. It guards an organization's resources from attacks and prevents untrusted parties from accessing organization resources or tampering with internal information and resources. Firewalls review requests from outside parties and inspect data going into or out of the protected host or network. Firewalls use rules as part of the inspection process.
Three-way Handshake
What is a Firewall?
Firewalls can be installed on just about any device (smartphones, tablets, laptops, workstations and servers). Host-based firewalls are applications or programs installed on a device.
A network firewall protects an entire network from attacks coming from users outside the trusted network.
A well-designed environment uses both types of firewalls since traffic that makes it through the network firewall can be stopped by the host-based firewall.
Types of Protection
Host-based firewalls can be built into the operating system to protect that device, or they can be web-based and configured to protect applications and application data. One of the greatest challenges in managing host-based firewalls is ensuring that patches and updates are applied regularly to keep the host protected. Never disable these firewalls without formal permission! Host-based firewalls automatically generate rules based on the applications and services installed on the device. They can also be centrally controlled and configured by the information security team. Host-based firewalls provide protection within the organization.
Allow FTP Traffic
Allow file and print sharing
Allow Office 365
Deny all others
Network firewalls provide external or perimeter protection for the organization. Network firewalls are stand-alone appliances or are integrated into network devices like routers. Network firewalls can screen all ingress (inbound) and egress (outbound) traffic. Network firewalls also use rules and/or lists of trusted URLs to monitor and control traffic. These lists can be purchased from vendors. Most modern firewalls can track established sessions to determine legitimate connections. These firewalls are known as active state firewalls.
Network Firewall 1
(Figure: the network firewall checks each request against its Approved URL List and Unapproved URL List before deciding how to respond.)
Network Firewall 2
Network-based firewalls are usually dedicated appliances or systems with their own CPU, memory and software. These systems can monitor, log, and filter traffic. They can have two or more network interface cards (NICs). All inbound and outbound traffic must be approved to pass through the firewall. Network firewalls must have high processing power so that they will not impact network performance.
Application Proxy Filter
Over the years, firewalls have evolved and become much more powerful as the threats have become more sophisticated. Early firewalls were based on simple access control lists to filter packets from known villains or from unknown and untrusted sources. These firewalls are called Stateless or Packet-Filtering firewalls. Stateless refers to the fact that they are based on rules rather than on authorized connections.
Stateful Firewalls inspect traffic leaving the network and monitor the establishment of a stateful connection. Traffic associated with the established (stateful) connection is then permitted.
Advanced firewalls address the issue of preventing outside untrusted users from directly accessing sensitive and high value resources inside the organization. A Proxy Firewall takes requests from outside the private network and relays (or proxies) the message to the inside resource.
The most advanced type of firewall is known as a Deep Packet Inspection Firewall. These firewalls examine the data within each packet.
Learn which firewall works best for a particular scenario.
Deep Packet Inspection
Stateful Packet Inspection
Packet entering network
Stateless Packet-Filtering Firewall 1
A packet-filtering firewall is the simplest type of firewall. These firewalls examine each packet entering or leaving the protected network. The firewall captures each packet and then examines the basic addressing information (IP addresses and/or TCP/UDP port). The packet is forwarded or dropped based on the inspection rule. The last rule is either a Permit all or a Deny all. Packets are compared starting with the first rule. If there is a match, the packet is permitted or dropped according to that rule. If the packet does not match the first rule, it is compared to the next rule in the list. If the packet does not match any rule, it is dropped or forwarded based on the last rule.
Stateless Packet-Filtering 2
A packet-filtering firewall inspects the IP and TCP headers from each packet. The packets can be filtered by IP addresses and TCP/UDP ports. The header fields examined are:
The source IP address of the packet
The destination IP address of the packet
The specific network protocol being used to communicate between the source and destination devices (the type of traffic, such as UDP or TCP)
The source and destination ports of the session (TCP:80 for a web server or UDP:69 for TFTP)
Type of Service
Time to Live
Building Firewall Rules
Source IP address: a single host address, a range of IP addresses, an entire subnet or network, or ANY (which means all addresses).
Destination IP address: a single host address, a range of IP addresses, a subnet or network, or ANY (which means all addresses).
Protocol: IP, TCP, UDP, or ANY (which means all protocols).
Source port: a TCP or UDP port ranging from 1-65386, or ANY (which means all port numbers).
Destination port: a TCP or UDP port ranging from 1-65386, or ANY (which means all port numbers).
Action: all rules require an action; the action is either PERMIT or DENY.
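To show how the rule fields above combine into an ordered rule list, here is an added Python example (not part of the original module) that evaluates packets top-down with first-match semantics and a final deny-all rule. The Packet and Rule classes, the sample addresses and the rule set are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY = "ANY"  # wildcard for any address, protocol or port, as in the rule fields above

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str     # transport protocol carried in the IP header: "tcp" or "udp"
    src_port: int  # TCP/UDP ports are 16-bit values, 0-65535
    dst_port: int

@dataclass(frozen=True)
class Rule:
    src: str          # host "10.0.0.5", subnet "10.0.0.0/24", range "10.0.0.10-10.0.0.20", or ANY
    dst: str
    proto: str        # "IP", "TCP", "UDP" or ANY
    src_port: object  # port number or ANY
    dst_port: object
    action: str       # "PERMIT" or "DENY"

def addr_matches(spec, ip):
    if spec == ANY:
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:  # explicit "low-high" range
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)  # single host or subnet

def rule_matches(rule, pkt):
    return (addr_matches(rule.src, pkt.src_ip)
            and addr_matches(rule.dst, pkt.dst_ip)
            # IP (or ANY) in the protocol field covers every transport protocol
            and (rule.proto in (ANY, "IP") or rule.proto.lower() == pkt.proto.lower())
            and rule.src_port in (ANY, pkt.src_port)
            and rule.dst_port in (ANY, pkt.dst_port))

def filter_packet(rules, pkt):
    # Walk the list top-down: the first matching rule decides; the last rule catches everything
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    raise ValueError("rule list must end with a PERMIT or DENY ANY rule")

# Constructed rule set: the inside subnet may browse the web and reach one TFTP server; deny the rest
RULES = [
    Rule("10.0.0.0/24", ANY, "TCP", ANY, 80, "PERMIT"),
    Rule("10.0.0.10-10.0.0.20", "10.0.1.5", "UDP", ANY, 69, "PERMIT"),
    Rule(ANY, ANY, ANY, ANY, ANY, "DENY"),  # last rule: deny all
]
```

Because evaluation stops at the first match, moving the deny-all rule to the top would shadow every permit below it; rule order is part of the policy.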
Stateful means that a device keeps track of another device's connection, either temporarily or over a long period of time. The TCP three-way handshake is an example of a stateful connection. When using TCP, the requester sends a SYN request. The receiver records the sender's information and acknowledges the request. Finally, the original sender acknowledges the receiver's reply, completing the three-way handshake. With a stateless connection, no information is retained by either the sender or the receiver.
Stateful Firewall 1
A TCP connection-oriented session is a stateful connection because both systems maintain information about the session during its life.
Host1 requests an outside destination originating from the trusted inside network and is allowed. The firewall inspector records the new information in the stateful tracking table.
The destination server on the untrusted Internet responds and the inspector checks the stateful table. The addresses and port numbers match a new request from Host1. The packet is recorded and allowed.
Host1 responds to the server acknowledgement and SYN request. The firewall inspector traces the server's acknowledgement, records the numbers and allows the packet.
A packet from a potential hacker enters the firewall from the untrusted port. The inspector is unable to track a stateful connection and drops the packet.
The server sends the requested web page content to Host1. The firewall inspector traces the stateful connection, records the new numbers and allows the packet.
Stateful Packet Inspection 1
Host2 requests an outside destination originating from the trusted inside network and is allowed. The firewall inspector records the new information in the stateful tracking table.
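The three-way handshake and the stateful tracking table walked through above, as an added Python example that is not part of the original module: a minimal inspector that only lets the trusted inside network open connections, records the handshake state per connection, and drops any inbound packet with no table entry. The TcpPacket format, the inspector class, the sample addresses and the reset handling are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TcpPacket:
    direction: str    # "out" = sent from the trusted inside network, "in" = from the untrusted side
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST"}

class StatefulInspector:
    # Tracks connections opened from inside; return traffic must match a table entry
    def __init__(self):
        self.table = {}  # (inside_ip, inside_port, outside_ip, outside_port) -> handshake state

    def _key(self, pkt):
        # Store both directions under the same (inside, outside) orientation
        if pkt.direction == "out":
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def inspect(self, pkt):
        key = self._key(pkt)
        state = self.table.get(key)
        if state is None:
            # Only a SYN from the trusted side may create an entry; anything else unknown is dropped
            if pkt.direction == "out" and pkt.flags == {"SYN"}:
                self.table[key] = "SYN_SENT"
                return "ALLOW"
            return "DROP"
        # Entry exists: the packet belongs to a tracked session, so record the handshake step
        if state == "SYN_SENT" and pkt.direction == "in" and pkt.flags == {"SYN", "ACK"}:
            self.table[key] = "SYN_RECEIVED"
        elif state == "SYN_RECEIVED" and pkt.direction == "out" and "ACK" in pkt.flags:
            self.table[key] = "ESTABLISHED"
        elif "RST" in pkt.flags:
            del self.table[key]  # assumption: a reset ends tracking (FIN teardown and timeouts omitted)
        return "ALLOW"

def page_scenario():
    # Constructed replay of the five packets described above; returns the inspector's decisions
    fw = StatefulInspector()
    host1, server, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.9"
    steps = [
        TcpPacket("out", host1, 50001, server, 80, frozenset({"SYN"})),        # Host1 opens a connection
        TcpPacket("in", server, 80, host1, 50001, frozenset({"SYN", "ACK"})),  # server acknowledges
        TcpPacket("out", host1, 50001, server, 80, frozenset({"ACK"})),        # Host1 completes handshake
        TcpPacket("in", attacker, 4444, host1, 3389, frozenset({"SYN"})),      # unsolicited inbound packet
        TcpPacket("in", server, 80, host1, 50001, frozenset({"ACK"})),         # web page content
    ]
    return [fw.inspect(p) for p in steps]
```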
A proxy firewall acts as an intermediary. It intercepts Internet requests for protected destination devices in the private network. The traffic is inspected for unusual content or requests. If the request is deemed legitimate, the proxy server generates the request. The request is acknowledged, and the proxy server relays the results to the device originating the request. The proxy server eliminates direct access to the protected device.
A deep packet inspection (DPI) firewall is the most sophisticated type of firewall. DPI firewalls examine and filter network traffic by inspecting the actual data within the packets being transmitted (most firewalls only examine the header data). Deep packet inspection firewalls can inspect the header data, but they also look deeper into the packet payload.
Deep Packet Inspection 2
DPI firewalls look for: protocol non-compliance; sources and signatures of viruses and malware; sources and signatures of spam; spoofing, reconnaissance and scanning threats; intrusion attempts; incorrect time sequencing; unauthorized VPN tunnels; and many other potential threats. DPI firewalls queue streams of data to make these inspections and perform the necessary analysis.
DPI firewalls can dramatically impact the organization's communication bandwidth.
All new connections are only allowed if originating from the trusted network
Stateful Packet Inspection 2