Introduction to Firewalls

The firewall is the barrier between a trusted and an untrusted network, for example between your LAN and the WAN. It is typically placed in the forwarding path so that every packet has to pass through the firewall, where it can be permitted or dropped. Here's an example:

[Figure: firewall location in the network]

Above we have our LAN with a host computer and a switch. On the right side there is a router that is connected to the ISP, which offers Internet connectivity. The firewall sits in between to protect our LAN. The router is optional; whether you need it depends on your WAN connectivity. For example, if your ISP offers cable, you probably have a cable modem with an Ethernet connection that you can connect directly to your firewall. With a wireless connection you probably need the router to terminate it. You will also need the router if you do any (advanced) routing like BGP. Most firewalls support some basic routing options: static routes, default routes and sometimes routing protocols like RIP, OSPF or EIGRP.

We are talking about hardware (network) firewalls here. There are also host-based software firewalls, like the one that comes preinstalled with Microsoft Windows. They only filter traffic for the host they run on, but they have a similar function to our hardware firewalls.

Stateful Filtering

Firewalls, like routers, can use access-lists to check the source and/or destination address and port numbers. Most routers, however, don't spend much time on filtering: when they receive a packet, they check whether it matches an entry in the access-list and, if so, permit or drop the packet. That's it.

No matter whether they receive a single packet or thousands, each packet is treated individually; the router does not keep track of packets it has seen before. This is called stateless filtering.

Firewalls, on the other hand, use stateful filtering: they keep track of all incoming and outgoing connections in a state table. Here are some examples:

  • A computer on the LAN uses its email client to connect to a mail server on the Internet. The client starts the connection with a TCP three-way handshake, which the firewall sees. The firewall records this connection in its state table, and when the mail server responds, the firewall automatically permits the return traffic to the client, even though no rule explicitly permits traffic from the mail server.
  • A web server sits behind a firewall. It is a busy server that accepts on average 20 new TCP connections per second from different IP addresses. Because the firewall keeps track of all connections, it can also count new connections per source: once it sees a single source IP address requesting more than 10 new TCP connections per second, it drops further traffic from that address. This limits a DoS (Denial of Service) attack from a single source; it does not help much against a distributed attack where each source stays below the limit.
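To make the difference between stateless and stateful filtering concrete, here is a small Python simulation of a stateful TCP filter. It is an added example, not code from the original article or from any firewall vendor: packets are constructed dictionaries, the addresses, ports and the "inbound access-list" for the web server are made up, and the state machine is a simplified version of what a real firewall does (for example, entries never age out and FIN handling is not modelled). It covers both bullets above: return traffic for a tracked connection is permitted without any rule, unsolicited traffic with no matching state is dropped, and a source that opens too many new connections per second is blocked.

```python
"""Stateful TCP filter as a Python simulation (added example, not the
article's own code). Packets are constructed dicts; no real sockets are used."""
from collections import defaultdict, deque

INSIDE, OUTSIDE = "inside", "outside"


def pkt(zone, src, sport, dst, dport, *flags):
    """Build a constructed packet: zone it arrived on, addresses, TCP flags."""
    return {"zone": zone, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": frozenset(flags)}


class StatefulFirewall:
    """Tracks connections by 5-tuple and only lets replies through for flows
    it has seen being opened. The per-source limit on new connections is a
    separate protection that uses the same bookkeeping."""

    def __init__(self, inbound_acl=(), new_conn_limit=10, window=1.0):
        self.table = {}                      # (src, sport, dst, dport) -> state
        self.inbound_acl = set(inbound_acl)  # (dst_ip, dst_port) reachable from OUTSIDE
        self.new_conn_limit = new_conn_limit
        self.window = window                 # seconds over which new SYNs are counted
        self.syn_times = defaultdict(deque)  # src_ip -> timestamps of recent SYNs
        self.blocked = set()

    def _over_limit(self, src, now):
        q = self.syn_times[src]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.new_conn_limit

    def process(self, p, now=0.0):
        """Return 'permit' or 'drop' for one packet, updating the state table."""
        if p["src"] in self.blocked:
            return "drop"
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        flags = p["flags"]

        # 1. Bare SYN with no existing state: a new connection attempt.
        if flags == {"SYN"} and fwd not in self.table and rev not in self.table:
            if p["zone"] == OUTSIDE:
                if (p["dst"], p["dport"]) not in self.inbound_acl:
                    return "drop"            # nothing permits this from the WAN
                if self._over_limit(p["src"], now):
                    self.blocked.add(p["src"])
                    return "drop"            # too many new connections from one source
            self.table[fwd] = "SYN_SENT"
            return "permit"

        # 2. Reply direction of a tracked flow (SYN/ACK, data): permitted
        #    without any access-list, because the state entry exists.
        if rev in self.table:
            if self.table[rev] == "SYN_SENT" and flags == {"SYN", "ACK"}:
                self.table[rev] = "SYN_RECEIVED"
            if "RST" in flags:
                del self.table[rev]
            return "permit"

        # 3. Forward direction of a tracked flow (handshake ACK, data).
        if fwd in self.table:
            if self.table[fwd] == "SYN_RECEIVED" and "ACK" in flags:
                self.table[fwd] = "ESTABLISHED"
            if "RST" in flags:
                del self.table[fwd]
            return "permit"

        # 4. No state matches: unsolicited traffic, dropped regardless of flags.
        return "drop"


def demo_mail_client():
    """First bullet: a LAN client talks to an Internet mail server (constructed
    addresses). Returns the firewall's decision for each packet in order."""
    fw = StatefulFirewall()
    client, server = ("10.0.0.5", 50000), ("203.0.113.10", 25)
    return [
        fw.process(pkt(INSIDE, *client, *server, "SYN")),          # permit: new outbound
        fw.process(pkt(OUTSIDE, *server, *client, "SYN", "ACK")),  # permit: tracked reply
        fw.process(pkt(INSIDE, *client, *server, "ACK")),          # permit: handshake done
        fw.process(pkt(OUTSIDE, *server, *client, "ACK")),         # permit: data from server
        fw.process(pkt(OUTSIDE, "203.0.113.10", 25, "10.0.0.5", 50001, "ACK")),  # drop: no state
        fw.process(pkt(OUTSIDE, "198.51.100.9", 4444, "10.0.0.5", 445, "SYN")),  # drop: unsolicited
    ]


def demo_web_server(attempts=12):
    """Second bullet: a web server reachable from the Internet; one source
    opens `attempts` connections within one second, then a different source
    connects once. Returns the decisions in order."""
    fw = StatefulFirewall(inbound_acl={("10.0.0.80", 80)}, new_conn_limit=10)
    out = []
    for i in range(attempts):
        p = pkt(OUTSIDE, "198.51.100.7", 40000 + i, "10.0.0.80", 80, "SYN")
        out.append(fw.process(p, now=i / 20))        # all within 0.6 s
    p = pkt(OUTSIDE, "198.51.100.8", 40000, "10.0.0.80", 80, "SYN")
    out.append(fw.process(p, now=0.6))                # well-behaved client, unaffected
    return out


if __name__ == "__main__":
    print("mail client:", demo_mail_client())
    print("web server: ", demo_web_server())
```

In the web server run, the first ten SYNs from 198.51.100.7 are permitted, the eleventh trips the limit and the source is blocked, and the other client is still served. A stateless access-list cannot express either behaviour: it would have to permit all traffic from the mail server's port 25 to the whole LAN to let the reply through, and it has no memory with which to count connections.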

Packet Inspection

Most firewalls support some form of (deep) packet inspection. Simple access-lists only check source/destination addresses and ports, which are layer 3 and 4 of the OSI model. Packet inspection means we can inspect up to layer 7 of the OSI model, so we can look at the application data and even the payload. The firewall has to understand the application protocol for this, and it has to be able to see it: for encrypted protocols such as HTTPS, the request is not visible without a TLS-intercepting proxy.

[Figure: Wireshark capture with OSI layers 3, 4 and 7 marked]

Above you see the network layer (IP) and transport layer (TCP) marked in red; the application layer is marked in green. This is an example of a web browser requesting a web page.

[Figure: HTTP GET request]

Here are some examples:

  • Instead of blocking all IP addresses that belong to lolcats.com, you can create a filter that looks at the Host header and URI in HTTP requests and blocks those instead. You won't have to worry about the IP addresses of web servers that might change in the future, or that are shared with other sites.
  • Your firewall can check the payload to block any packet that contains the signature of a known worm or virus.
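The following Python snippet shows what the two bullets above look like in code: a layer 7 inspection step that parses the HTTP request line and headers out of a TCP payload, matches the hostname against a blocklist, and scans the payload for a byte signature. This is an added example, not code from the original article or from any firewall product; the requests, the blocked hostname (taken from the article's example) and the "worm" signature bytes are constructed for the demo.

```python
"""Application-layer (layer 7) inspection of HTTP requests, as an added
Python example (not the article's own code). The blocklist and the
signature bytes are constructed for the demo."""
import re

BLOCKED_HOSTS = {"lolcats.com"}              # the article's example site
# Constructed byte pattern standing in for a real worm/virus signature.
SIGNATURES = {"demo-worm": b"\x90\x90\x90\x90EVILWORM"}

HTTP_REQUEST_LINE = re.compile(
    rb"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]\r?\n")


def parse_http_request(payload):
    """Return (method, target, headers) for an HTTP/1.x request, or None if
    the payload does not start with a request line. Header names are
    lower-cased so lookups are case-insensitive."""
    m = HTTP_REQUEST_LINE.match(payload)
    if not m:
        return None
    head, _, _body = payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return m.group("method").decode("latin-1"), m.group("target").decode("latin-1"), headers


def host_of(target, headers):
    """Hostname from the Host header, or from an absolute-form request
    target (proxy style, e.g. 'GET http://host/path'), without the port."""
    host = headers.get("host", "")
    if not host and "://" in target:
        host = target.split("://", 1)[1].split("/", 1)[0]
    return host.split(":", 1)[0].lower()


def inspect(dst_ip, dst_port, payload):
    """Return (verdict, reason). The layer 3/4 fields are passed alongside the
    payload only to make the point that the decision does not depend on them."""
    # Signature scan first: it applies to any payload, HTTP or not.
    for name, sig in SIGNATURES.items():
        if sig in payload:
            return "drop", f"signature {name}"
    req = parse_http_request(payload)
    if req is None:
        return "permit", "not an HTTP request"
    method, target, headers = req
    host = host_of(target, headers)
    if host in BLOCKED_HOSTS or any(host.endswith("." + h) for h in BLOCKED_HOSTS):
        return "drop", f"blocked host {host} ({method} {target})"
    return "permit", f"{method} {host} {target}"


def demo():
    """Three constructed requests to the same server IP: only the payload
    distinguishes them. Returns the verdicts in order."""
    blocked = (b"GET /funny/cat.jpg HTTP/1.1\r\nHost: www.lolcats.com\r\n"
               b"User-Agent: demo\r\n\r\n")
    allowed = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
    infected = (b"POST /upload HTTP/1.1\r\nHost: example.com\r\n"
                b"Content-Length: 12\r\n\r\n" + SIGNATURES["demo-worm"])
    return [inspect("203.0.113.20", 80, p)[0] for p in (blocked, allowed, infected)]


if __name__ == "__main__":
    for p in (b"GET / HTTP/1.1\r\nHost: lolcats.com\r\n\r\n",
              b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"):
        print(inspect("203.0.113.20", 80, p))
    print(demo())
```

All three requests in `demo()` go to the same destination IP and port, so an access-list on layer 3/4 would treat them identically; the inspection returns `drop`, `permit`, `drop`. Note that this only works on plaintext HTTP: for HTTPS the request line and headers are inside TLS, and a firewall would have to rely on the Server Name Indication in the TLS handshake or terminate TLS itself.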

Security Zones

Cisco routers, by default, permit and forward all packets they receive, as long as they have a matching route in their routing table. If you want to restrict this, you have to configure access-lists. This can become an administrative nightmare if you have many interfaces and/or access-list rules. Here's an example:

[Figure: Cisco router with access-lists on many interfaces]

The router above has two inbound access-lists to block some of the traffic from the hosts. We also have two access-lists that prevent traffic from the Internet from entering our network. We might be able to reuse some of the access-lists, but we still have to apply an access-list to four interfaces, and every new interface needs the same treatment.

There is a better solution: firewalls work with security zones. Here's an example:

[Figure: firewall with INSIDE and OUTSIDE zones]

Above we have two security zones:

  • INSIDE: this is our LAN
  • OUTSIDE: this is our WAN

The interfaces have been assigned to the correct security zone. On a Cisco ASA, each zone (interface) gets a security level between 0 and 100, and these levels give us two simple default rules:

  • Traffic from a “high” security level to a “lower” security level is permitted.
  • Traffic from a “low” security level to a “higher” security level is denied.

Our LAN is our trusted network, which gets a high security level (typically 100). The WAN is untrusted, so it gets a low security level (typically 0). This means that traffic from our LAN to the WAN is permitted, and traffic from the WAN to our LAN is denied. Since the firewall is stateful, it keeps track of outgoing connections and permits the return traffic back to our LAN.

If you want to make an exception and permit traffic from the WAN to the LAN, this can be accomplished with an access-list applied to the OUTSIDE interface.

Most companies have one or more servers that should be reachable from the Internet, perhaps a mail or web server. Instead of placing these on the INSIDE, we use a third zone called the DMZ (Demilitarized Zone). Take a look at the picture below:

[Figure: firewall with INSIDE, OUTSIDE and DMZ zones]

The DMZ security zone gets a security level in between INSIDE and OUTSIDE (for example 50). This means that, by default:

  • Traffic from INSIDE to OUTSIDE is permitted.
  • Traffic from INSIDE to DMZ is permitted.
  • Traffic from DMZ to OUTSIDE is permitted.
  • Traffic from DMZ to INSIDE is denied.
  • Traffic from OUTSIDE to DMZ is denied.
  • Traffic from OUTSIDE to INSIDE is denied.

To ensure traffic from the OUTSIDE is able to reach the servers in the DMZ, we use an access-list that only permits traffic to the IP addresses (and port numbers) that the servers in the DMZ use. This setup limits the damage: if one of your servers in the DMZ gets hacked, the attacker cannot open new connections to the INSIDE network, because DMZ to INSIDE is denied by default. It is only as strong as the exceptions you add, though. Every access-list entry from the DMZ to the INSIDE (for example to a database server) is a path the attacker can use, and a compromised DMZ host can still reach the other DMZ hosts and the Internet, so keep the DMZ rules as specific as possible.
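The zone logic above, with the three zones, the default high-to-low rule, the access-list exception for the DMZ web server and the stateful return traffic, can be written down in a few lines. The following Python is an added example and not the article's own code or an ASA configuration; the security levels follow the Cisco ASA convention described above (0 least trusted, 100 most trusted), and the zone names, addresses and ports are constructed. Traffic between two interfaces with the same security level is treated as denied, which is the ASA default unless you explicitly permit same-security traffic.

```python
"""Security-zone policy evaluation, as an added Python example (not the
article's own code). Zone names, levels, addresses and the access-list are
constructed for the demo."""

ZONES = {"INSIDE": 100, "DMZ": 50, "OUTSIDE": 0}   # zone name -> security level


class ZoneFirewall:
    """Default rule: higher level -> lower level is permitted, everything
    else needs an access-list entry. Return traffic of a permitted
    connection is always allowed because the firewall is stateful."""

    def __init__(self, zones, acl=()):
        self.zones = zones
        self.acl = set(acl)    # (src_zone, dst_ip, dst_port) permitted despite low->high
        self.flows = set()     # (src_ip, sport, dst_ip, dport) of permitted connections

    def process(self, src_zone, src_ip, sport, dst_zone, dst_ip, dport, syn):
        """Return 'permit' or 'drop'. syn=True marks the first packet of a connection."""
        # Return traffic of a connection we already permitted: no rule needed.
        if (dst_ip, dport, src_ip, sport) in self.flows:
            return "permit"
        if not syn:
            return "drop"                    # no state and not a new connection
        src_level, dst_level = self.zones[src_zone], self.zones[dst_zone]
        if src_level > dst_level:
            verdict = "permit"               # high -> low: allowed by default
        elif (src_zone, dst_ip, dport) in self.acl:
            verdict = "permit"               # low -> high: only with an explicit exception
        else:
            verdict = "drop"                 # low -> high and equal levels: denied
        if verdict == "permit":
            self.flows.add((src_ip, sport, dst_ip, dport))
        return verdict


def demo():
    """The six zone pairs from the article, an access-list exception for the
    DMZ web server on port 443, and one reply packet. Returns the verdicts."""
    fw = ZoneFirewall(ZONES, acl={("OUTSIDE", "192.0.2.80", 443)})
    cases = [
        ("INSIDE",  "10.0.0.5",      50000, "OUTSIDE", "203.0.113.10", 443),  # permit: high->low
        ("INSIDE",  "10.0.0.5",      50001, "DMZ",     "192.0.2.80",   22),   # permit: high->low
        ("DMZ",     "192.0.2.80",    50002, "OUTSIDE", "203.0.113.10", 80),   # permit: high->low
        ("DMZ",     "192.0.2.80",    50003, "INSIDE",  "10.0.0.5",     445),  # drop: low->high
        ("OUTSIDE", "198.51.100.7",  40000, "DMZ",     "192.0.2.80",   443),  # permit: ACL exception
        ("OUTSIDE", "198.51.100.7",  40001, "DMZ",     "192.0.2.80",   22),   # drop: port not in ACL
        ("OUTSIDE", "198.51.100.7",  40002, "INSIDE",  "10.0.0.5",     443),  # drop: low->high
    ]
    results = [fw.process(*c, syn=True) for c in cases]
    # Reply from the Internet web server for the first case arrives OUTSIDE -> INSIDE,
    # normally denied, but permitted here because the connection is tracked.
    results.append(fw.process("OUTSIDE", "203.0.113.10", 443,
                              "INSIDE", "10.0.0.5", 50000, syn=False))
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the access-list tuple being as narrow as `(zone, address, port)` is the one made in the text: the only thing the Internet can open towards the DMZ is port 443 on the web server, and a DMZ host that has been compromised still cannot start connections towards the INSIDE, because no entry exists for that direction.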

Some of the features described above are also available on routers. For example, Cisco IOS routers support the reflexive access-list, which is a "poor man's" stateful firewall. Cisco IOS also supports the Zone Based Firewall which, as the name suggests, uses security zones (with explicit policies per zone pair rather than security levels). Hardware firewalls, however, offer better network performance and throughput.

Conclusion

You have now learned the basics of firewalls. Firewalls use stateful filtering to keep track of all incoming and outgoing connections, so return traffic is permitted without an explicit rule. Depending on the firewall, they are also able to inspect up to layer 7 of the OSI model, looking into the payload of applications.

They also use security zones, where traffic from a high security level is permitted to a lower security level. Traffic from a low security level to a higher security level is denied; exceptions can be made with access-lists.

Forum Replies

  1. Thanks Rene for your introduction to firewalls.
    Just some friendly feedback: I like your videos a lot when you use the whiteboard in person with your colored pens. It's amazing, please keep using it. I feel like I am sitting in a real classroom.

  2. Hi, quick question regarding the service policy placement on the ASA, not including global because that's pretty self-explanatory. I created just a simple topology where the ASA was in the middle and has 2 routers on either side, the outside interface had a security level of 0 and inside 100, the outside interface is also blocking all traffic coming in. I implemented NAT on the ASA as well to change the inside network IPs to the outside interface.

    My policy map inspects ICMP and I applied it to a service policy that was placed on the inside interface, I tested

    ... Continue reading in our forum

  3. Hello Michael

    First of all, we apologise for the late response. This is an excellent question, and thank you for sharing it with us.

    It all has to do with order of operations. The standard document that is usually provided for order of operations regarding NAT is the following:

    https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html

    Based on this, the inside to outside and outside to inside orders are different. This means that when the traffic returns, it first goes through a NAT outside to inside translation and then goes

    ... Continue reading in our forum

  4. Hello Juan

    Keep in mind that traffic from a lower security level to a higher security level is denied by default. In general, a DMZ will have a higher security level than the outside interface, so in order to go against this default behaviour, an access list which will permit such traffic must be applied.

    Now the ACL itself is defined globally using the well-known access list syntax. Once it is defined, you must then apply it to an interface, specifying an inbound or outbound direction. You can find out more information about how to apply access lists on an ASA a

    ... Continue reading in our forum
