This article is going to be a quick refresher on firewalls.


Simply put, a firewall can be a hardware device or a software-based solution whose main purpose is to filter traffic that goes in and out of a network. If the firewall detects malicious or suspicious data packets, it blocks them.

When talking about firewalls, they can be categorized based on:

  1. The method of delivery
  2. The method of operation

Firewalls based on delivery methods

This section focuses on how the firewall is delivered to the network, end users, or applications:

1. Hardware Firewalls

These are dedicated networking devices installed in the network to filter packets based on a predefined set of security rules. These rules are called Access Control Lists (ACLs). They define which inbound (coming in) or outbound (going out) traffic is ALLOWED or DENIED in/from our network. The hardware firewall sits between your internal network devices and the public network (internet). All traffic flowing between the two must go through the firewall.

2. Software Firewalls

Software firewalls do the same job as hardware firewalls, but they operate at the software level. We don’t need separate equipment installed in our networks. Software firewalls are installed on end-user devices to protect them from malicious traffic. An example of a software-based firewall is the Windows firewall that comes preinstalled in all Windows operating systems.

This is useful for scenarios where having a hardware firewall is too difficult or expensive. Example scenario: Imagine a remote worker accessing company resources over public WiFi. It would be more practical and cost-effective to have a software firewall installed on a user’s device than to have hardware firewalls for all users.

3. Cloud-Based Firewalls (FireWall as a Service – FWaaS)

Cloud-based firewalls are quite different. They are hosted in the cloud, eliminating the need for any hardware installation on your network or software on your host devices.

Its main focus is to filter traffic and secure cloud service models such as SaaS, PaaS, and IaaS. Besides that, you can also connect the cloud firewall to your organization’s network. So, the traffic flowing between your organization’s private network and the public network goes via the cloud firewall.

To name a few, here are some vendors that offer FWaaS solutions: Cisco, Fortinet, Palo Alto Networks, AWS, Azure.

Firewalls based on operation methods

Here we focus on the different ways a firewall filters data.

Packet Filtering Firewalls

  • These firewalls have a predefined set of rules (Access Control List).
  • Rules criteria include:
    • Source IP
    • Destination IP
    • Port address
    • Protocol
  • If the inbound or outbound traffic doesn’t match the rules criteria, the firewall drops these packets.
  • Packet filtering firewalls operate at the network layer of the OSI model.
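
The rule matching described above can be sketched in a few lines. This is an added example, not code from the original article: the `Rule`/`Packet` classes, the first-match ordering, and the ACL entries (documentation address ranges) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str                 # "tcp" or "udp"

@dataclass(frozen=True)
class Rule:
    action: str                # "ALLOW" or "DENY"
    src: str                   # source CIDR
    dst: str                   # destination CIDR
    dport: Optional[int]       # None matches any port
    proto: Optional[str]       # None matches any protocol

    def matches(self, p: Packet) -> bool:
        return (
            ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            and self.dport in (None, p.dport)
            and self.proto in (None, p.proto)
        )

# Constructed ACL (RFC 5737 documentation addresses), evaluated top to bottom.
ACL = [
    Rule("DENY",  "198.51.100.66/32", "0.0.0.0/0", None, None),  # blocked host
    Rule("ALLOW", "0.0.0.0/0", "192.0.2.10/32", 443, "tcp"),     # HTTPS to web server
    Rule("ALLOW", "192.0.2.0/24", "0.0.0.0/0", 53, "udp"),       # DNS from the LAN
]

def filter_packet(p: Packet, acl=ACL) -> str:
    """First matching rule decides; a packet matching no rule is dropped."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "DENY"
```

Rule order matters here: the blocked host is denied even though a later rule would allow its HTTPS traffic.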

Circuit Level Gateway Firewalls

  • These firewalls are host-based, meaning they exist on client and server devices in the network.
  • They operate at the session layer of the OSI model.
  • The firewall creates a virtual connection before the actual connection is made between the client and the server.
  • Circuit Level Gateway Firewalls mainly inspect the packet header information and do not inspect the body content.
  • Circuit-level firewalls are mostly not used as stand-alone firewalls. Instead, they are combined with application proxies and stand-alone firewalls like packet filtering to enhance security.

Stateful Inspection Firewalls

  • Standard firewalls are stateless, meaning that each incoming or outgoing packet is checked on its own: “IF X rule satisfied then ALLOW; Else DENY”.
  • However, a stateful firewall actively keeps track of the established connections. This is why it is called “stateful.”
  • With the context of these established connections in mind, it analyzes the incoming or outgoing packets.
  • Stateful firewalls offer more security compared to packet filtering and circuit-level firewalls but come at a greater network cost. This is because they need to store and keep track of all states of the inbound and outbound traffic.
  • Let’s take a look at an example below:
  • Explanation:
    • Client A makes a request to Server B. This session is recorded in the Stateful firewall’s state table.
    • When Client A gets the response from Server B, the stateful firewall ALLOWs it because the state is already recorded in the state table.
    • When Client C makes a request to Client A, the stateful firewall DENIES it because there is no matching state in the firewall’s state table.
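
The Client A / Server B / Client C scenario above, as a small state-table model. This is an added example, not code from the original article: the class, the addresses, the 60-second idle timeout, and the assumption that Client A is inside while Server B and Client C are outside are all illustrative.

```python
import time

class StatefulFirewall:
    """Tracks sessions opened from the inside; inbound packets need a matching entry."""

    def __init__(self, inside_hosts, idle_timeout=60.0):
        self.inside = set(inside_hosts)
        self.idle_timeout = idle_timeout  # assumed value; real devices vary per protocol
        self.state = {}                   # (src, sport, dst, dport, proto) -> last seen

    def handle(self, src, sport, dst, dport, proto="tcp", now=None):
        now = time.monotonic() if now is None else now
        self._expire(now)
        if src in self.inside:
            # Outbound: record the session so the reply can be recognised.
            self.state[(src, sport, dst, dport, proto)] = now
            return "ALLOW"
        # Inbound: allowed only as the reverse direction of a recorded session.
        key = (dst, dport, src, sport, proto)
        if key in self.state:
            self.state[key] = now
            return "ALLOW"
        return "DENY"

    def _expire(self, now):
        # Drop idle entries; this bookkeeping is the cost of being stateful.
        stale = [k for k, seen in self.state.items() if now - seen > self.idle_timeout]
        for key in stale:
            del self.state[key]

def demo():
    # Constructed addresses: Client A inside, Server B and Client C outside.
    A, B, C = "192.0.2.10", "203.0.113.20", "198.51.100.30"
    fw = StatefulFirewall(inside_hosts={A})
    return [
        fw.handle(A, 50000, B, 443, now=0.0),    # A -> B request, recorded
        fw.handle(B, 443, A, 50000, now=0.5),    # B -> A response, matches state
        fw.handle(C, 40000, A, 50000, now=1.0),  # C -> A unsolicited, no state
        fw.handle(B, 443, A, 50000, now=120.0),  # late reply, entry has expired
    ]
```

The last call shows a consequence the list does not mention: once an idle entry is removed from the table, even Server B's packets are treated as unsolicited.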

Proxy Firewalls

  • Before we talk about proxy firewalls, we need to know what a proxy really is. A proxy is a server that sits between a client and a server. Its main job is to forward the traffic between the client and the server.
  • We could add a firewall to the proxy. The goal of the proxy firewall is to filter any malicious traffic that goes in and out of the proxy.
  • A proxy firewall operates in the application layer of the OSI model.
  • Since this firewall operates at the application layer, it can perform deep inspection of data also called Deep Packet Inspection (DPI).
    • It goes beyond examining basic packet header inspection, allowing it to understand the content, behavior, and intent of traffic more thoroughly.
  • Supports Deep Packet Inspection (DPI).
  • A Proxy Firewall can function as both a forward proxy and a reverse proxy, depending on how it is configured and the direction of traffic it handles.

❓ What is Deep Packet Inspection (DPI)?

  • Deep Packet Inspection enhances threat intelligence, meaning it can do more than just access control, unlike traditional firewalls:
    • Content Inspection: Detect any malicious content by analyzing the data content of the packet.
    • Protocol: Understand various protocols and application behaviors. Let’s take FTP as an example: The firewall can monitor FTP sessions, block suspicious file transfers, block unauthorized file types, and prevent data exfiltration.
    • Enforce Policy: We can add policy checks based on the content such as blocking specific keywords, types of files, or unauthorized apps.
    • Logging: Record user activities, which is later useful for understanding network usage patterns and for analytics.
    • Identify known attack patterns, anomalies, and indicators of compromise, making it effective in detecting suspicious traffic.
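
To make the FTP case concrete, here is a minimal content-aware check. This is an added example, not code from the original article: the blocked-extension policy, the function names, and the constructed session are assumptions. It combines a file-type policy on the control channel with a look at the first bytes of the transferred data.

```python
import os

BLOCKED_EXTENSIONS = {".exe", ".dll"}   # assumed policy: unauthorized file types
MAGIC = {b"MZ": "Windows executable", b"\x7fELF": "ELF executable"}

def inspect_transfer(command: str, payload: bytes):
    """Return (verdict, reason) for one FTP transfer.

    command: control-channel line such as "STOR report.pdf"
    payload: first bytes seen on the data channel for that transfer
    """
    verb, _, arg = command.strip().partition(" ")
    if verb.upper() not in {"STOR", "RETR", "APPE"}:
        return ("ALLOW", "not a file transfer")
    name = arg.strip()
    ext = os.path.splitext(name.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        return ("DENY", f"file type {ext} blocked by policy")
    # The name can lie, so also look at the content itself.
    for magic, kind in MAGIC.items():
        if payload.startswith(magic):
            return ("DENY", f"content is a {kind} despite name {name!r}")
    return ("ALLOW", "no policy match")

# Constructed session: every entry has the same header fields a packet filter
# sees (same client, same server, TCP, FTP ports), yet the verdicts differ.
SESSION = [
    ("USER alice", b""),
    ("STOR report.pdf", b"%PDF-1.7\n"),
    ("STOR tool.EXE", b"MZ\x90\x00"),
    ("STOR notes.txt", b"MZ\x90\x00"),   # executable renamed to .txt
]

def verdicts(session=SESSION):
    return [inspect_transfer(cmd, data)[0] for cmd, data in session]
```

The renamed executable is the case header-only filtering cannot catch, because nothing in the IP or TCP header distinguishes it from the permitted PDF upload.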

Next-Generation Firewalls (NGFW)

  • An advanced type of firewall with Deep Packet Inspection capabilities.
  • Multi-Layer Support – NGFW can work with all layers of the OSI model except the physical layer.
  • NGFW combines packet filtering + stateful inspection.
  • These firewalls integrate well with Intrusion Detection Systems (IDS).
  • Has the ability to monitor encrypted VPN traffic.

That’s all folks. Hope you found this article interesting. See you in the next one 🙂
