Firewalls - 4.5

Summary

A firewall is an inline device that filters network traffic based on predefined rules, access lists, and ports/protocols, typically positioned between the internet and internal networks. Firewalls also help segment public-facing services from internal networks through screened subnets (DMZ), and additional protection can be provided by intrusion detection and prevention systems (IDS/IPS), which use signature and trend-based detection to identify threats.


Notes:

Rules

  • Predefined conditions that determine whether traffic is allowed or blocked from accessing the network based on factors such as IP address, port, and protocol.

Access List

  • A list used for more generalized management of traffic, defining whether traffic should be allowed or denied based on criteria such as source/destination IP addresses or subnets.

Ports/Protocols

  • Traffic can be allowed or blocked based on the source and destination ports and the transport protocol (TCP or UDP) being used.
    • Web Server: TCP:80, TCP:443
    • SSH Server: TCP:22
    • Microsoft Remote Desktop: TCP:3389
    • DNS Query: UDP:53
    • NTP: UDP:123

[Figure: Firewall Rules]

Screened Subnets

  • A screened subnet (also known as a DMZ) is a separated network segment where external services (e.g., public-facing web servers) are isolated from internal networks.
  • A firewall directs traffic to the screened subnet if the destination is a public-facing resource, or to the internal network otherwise.
  • This adds a layer of security by keeping public network traffic separate from internal systems that do not need public access or may contain sensitive data.
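The rules, access list, port/protocol matching and screened-subnet zoning described in the notes above, as a small first-match packet filter. This is an added example written for these notes, not code from any firewall product: the zones (a DMZ on 203.0.113.0/24, an internal LAN on 10.0.0.0/8, everything else treated as the internet), the blocked subnet in the access list, the rule set and the sample packets are all constructed from documentation address ranges. The access list is evaluated first as a coarse source-subnet filter, then the ordered rules, and anything unmatched falls through to an implicit deny.

```python
"""Toy first-match packet filter: access list, zone rules, implicit deny.
All addresses are documentation ranges constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Zones, most specific first; "internet" is the catch-all for anything else.
ZONES = [
    ("dmz", ip_network("203.0.113.0/24")),       # screened subnet (public web tier)
    ("internal", ip_network("10.0.0.0/8")),       # private LAN
    ("internet", ip_network("0.0.0.0/0")),
]

# Access list: coarse deny on source subnets, checked before any rule (constructed).
ACCESS_LIST_DENY = [ip_network("198.51.100.128/25")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src_zone: str                    # zone name or "any"
    dst_zone: str
    proto: str = "any"
    dst_port: Optional[int] = None   # None = any destination port

    def matches(self, pkt: Packet, src_zone: str, dst_zone: str) -> bool:
        return (self.src_zone in (src_zone, "any")
                and self.dst_zone in (dst_zone, "any")
                and self.proto in (pkt.proto, "any")
                and self.dst_port in (pkt.dst_port, None))


# Ordered rule set; first match wins.
RULES = [
    Rule("allow", "internet", "dmz", "tcp", 80),       # public web server
    Rule("allow", "internet", "dmz", "tcp", 443),
    Rule("allow", "internal", "dmz", "tcp", 22),       # admin SSH into the DMZ
    Rule("allow", "internal", "internet", "tcp", 443),
    Rule("allow", "internal", "internet", "udp", 53),  # DNS queries
    Rule("deny", "dmz", "internal"),                   # DMZ hosts never initiate inward
    # everything else: implicit deny below
]


def zone_of(addr: str) -> str:
    """Map an address to the first zone whose network contains it."""
    ip = ip_address(addr)
    return next(name for name, net in ZONES if ip in net)


def evaluate(pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason) for a packet: access list, then rules, then implicit deny."""
    src_ip = ip_address(pkt.src)
    if any(src_ip in net for net in ACCESS_LIST_DENY):
        return "deny", "access list: blocked source subnet"
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for i, rule in enumerate(RULES):
        if rule.matches(pkt, src_zone, dst_zone):
            port = "any" if rule.dst_port is None else rule.dst_port
            return rule.action, f"rule {i}: {src_zone}->{dst_zone} {rule.proto}/{port}"
    return "deny", f"implicit deny: {src_zone}->{dst_zone} {pkt.proto}/{pkt.dst_port}"


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.10", "203.0.113.10", "tcp", 443),   # internet -> DMZ web: allow
        Packet("198.51.100.10", "203.0.113.10", "tcp", 22),    # internet -> DMZ SSH: deny
        Packet("198.51.100.10", "10.0.0.5", "tcp", 443),       # internet -> internal: deny
        Packet("198.51.100.200", "203.0.113.10", "tcp", 443),  # blocked subnet: deny
        Packet("203.0.113.10", "10.0.0.5", "tcp", 3389),       # DMZ -> internal RDP: deny
        Packet("10.0.0.5", "203.0.113.10", "tcp", 22),         # admin -> DMZ SSH: allow
        Packet("10.0.0.5", "198.51.100.53", "udp", 53),        # internal -> internet DNS: allow
    ]
    for p in samples:
        print(f"{p.src} -> {p.dst} {p.proto}/{p.dst_port}: {evaluate(p)}")
```

Note that the explicit `deny dmz -> internal` rule is redundant with the implicit deny; it is kept so that a later, broader allow rule appended by mistake cannot silently open that path, which is the usual reason for writing such denies out.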

IDS/IPS

  • Signatures: IDS/IPS devices use signature-based detection to compare traffic against known patterns of malicious activity.
  • Trends: Trend-based detection analyzes traffic behavior for anomalies, which helps detect threats that may not match known signatures.
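The two detection styles contrasted above, side by side over a constructed connection log. This is an added example written for these notes, not code from any IDS/IPS product: the log format, the two signatures (a directory-traversal pattern and a classic SQL-injection tautology) and the anomaly threshold (more than five distinct destination ports from one source inside a sixty-second window) are all assumptions made for the illustration. The point it shows is that the port-sweeping source never triggers a signature, because its packets carry no payload to match, and is caught only by the trend check.

```python
"""Signature vs trend detection over a constructed log (example, not an IDS product)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log; addresses are documentation ranges, not real hosts.
LOG = """\
2024-01-01T10:00:00 src=198.51.100.10 dst=203.0.113.10 dport=443 proto=tcp req="GET /index.html"
2024-01-01T10:00:05 src=198.51.100.20 dst=203.0.113.10 dport=80 proto=tcp req="GET /static/../../config"
2024-01-01T10:00:07 src=198.51.100.20 dst=203.0.113.10 dport=80 proto=tcp req="GET /login?user=admin' OR '1'='1"
2024-01-01T10:00:10 src=198.51.100.30 dst=203.0.113.10 dport=21 proto=tcp
2024-01-01T10:00:11 src=198.51.100.30 dst=203.0.113.10 dport=22 proto=tcp
2024-01-01T10:00:12 src=198.51.100.30 dst=203.0.113.10 dport=23 proto=tcp
2024-01-01T10:00:13 src=198.51.100.30 dst=203.0.113.10 dport=25 proto=tcp
2024-01-01T10:00:14 src=198.51.100.30 dst=203.0.113.10 dport=80 proto=tcp
2024-01-01T10:00:15 src=198.51.100.30 dst=203.0.113.10 dport=443 proto=tcp
2024-01-01T10:00:16 src=198.51.100.30 dst=203.0.113.10 dport=3389 proto=tcp
2024-01-01T10:00:20 src=198.51.100.10 dst=203.0.113.10 dport=443 proto=tcp req="GET /about.html"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) '
    r'proto=(?P<proto>\w+)(?: req="(?P<req>[^"]*)")?$'
)

# Signatures: known malicious patterns matched against request content (constructed).
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sql-injection", re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.I)),
]


def parse(log: str) -> List[Dict]:
    """Parse log lines into event dicts; lines that do not fit the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def signature_alerts(events: List[Dict]) -> List[Tuple[str, str]]:
    """Signature-based detection: (source, signature name) for each matching request."""
    alerts = []
    for e in events:
        req = e.get("req") or ""          # connection-only events carry no payload
        for name, pattern in SIGNATURES:
            if pattern.search(req):
                alerts.append((e["src"], name))
    return alerts


def trend_alerts(events: List[Dict], window_s: int = 60, max_ports: int = 5) -> List[Tuple[str, str]]:
    """Trend-based detection: a source touching more than max_ports distinct
    destination ports within window_s seconds is flagged, payload or not."""
    by_src: Dict[str, List[Dict]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            ports = {x["dport"] for x in evs[i:]
                     if (x["ts"] - start["ts"]).total_seconds() <= window_s}
            if len(ports) > max_ports:
                alerts.append((src, f"{len(ports)} distinct ports within {window_s}s"))
                break                     # one alert per source is enough
    return alerts


if __name__ == "__main__":
    evs = parse(LOG)
    print("signature alerts:", signature_alerts(evs))
    print("trend alerts:    ", trend_alerts(evs))
```

An IPS would act on these alerts inline (for example by dropping the flow) while an IDS only reports them; the detection logic is the same either way.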