It's a Long Slog
For the past few weeks, I have been S-L-O-W-L-Y working my way through the Network Support and Security online class from Cisco Networking Academy.
To be sure, it has been a L-O-N-G slog.
The course contains only three modules:
- Module 1: Network Support
- Module 2: Cybersecurity Threats, Vulnerabilities, and Attacks
- Module 3: Network Security
Like all online classes from Cisco Networking Academy, each module contains several sub-modules. Each sub-module contains numerous definitions, charts, graphics, videos, pull-down menus, lists, and whatnot. If you are trying to take notes as you read each sub-module, it can be a time-consuming process.
When I started the Network Support and Security online course, my initial thought was that it would be a quick and easy course to complete.
Boy, I was wrong.
Types of Firewalls
Sub-module 3.5.2 "Types of Firewalls" gives a basic introduction to four different types of firewalls.
The types of firewalls analyzed by the sub-module are:
- Packet Filtering (Stateless) Firewall
- Packet filtering firewalls are usually part of a router firewall, which permits or denies traffic based on Layer 3 and Layer 4 information.
- Source IP address
- Destination IP address
- Protocol
- Source port number
- Destination port number
- Synchronize/Start (SYN) packet receipt
- Packet filtering firewalls are stateless firewalls that use a simple policy table look-up that filters traffic based on specific criteria.
- There are several advantages of using a packet filtering firewall:
- Packet filters implement simple "permit or deny" rule sets.
- Packet filters have a low impact on network performance.
- Packet filters are easy to implement and are supported by most routers.
- Packet filters provide an initial degree of security at the Network layer.
- Packet filters perform almost all the tasks of a high-end firewall at a much lower cost.
- There are several disadvantages of using a packet filtering firewall:
- Packet filters are susceptible to IP spoofing. Threat actors can send arbitrary packets that meet Access Control List (ACL) criteria and pass through the filter.
- Packet filters do not reliably filter fragmented packets.
- Only the first fragment of a fragmented IP packet carries the TCP header, and packet filters make their decision on TCP header information, so every fragment after the first is passed unconditionally.
- Packet filters therefore rest on the assumption that filtering the first fragment is enough to enforce the policy.
- Packet filters use complex ACLs, which can be difficult to implement and maintain.
- Packet filters cannot dynamically filter certain services, for example sessions that negotiate ports on the fly (FTP is the classic case), which cannot be allowed without opening a whole range of ports.
- Packet filters are stateless. They examine each packet individually rather than in the context of the state of a connection.
- Packet filters do not represent a complete firewall solution, but they are an important element of a firewall security policy.
- Stateful Firewall
- Stateful firewalls are the most versatile and most common firewall technologies in use.
- Stateful firewalls provide stateful packet filtering by using connection information maintained in a state table.
- Stateful filtering is a firewall architecture that is classified at the Network layer.
- Stateful firewalls also analyze traffic at OSI Layer 4 (Transport) and Layer 5 (Session).
- There are several benefits to using a stateful firewall in a network:
- Stateful firewalls are often used as a primary means of defense by filtering unwanted, unnecessary, or undesirable traffic.
- Stateful firewalls strengthen packet filtering by providing more stringent control over security.
- Stateful firewalls improve performance over packet filters or proxy servers.
- Stateful firewalls defend against spoofing and DoS attacks by determining whether packets belong to an existing connection or are from an unauthorized source.
- Stateful firewalls provide more log information than a packet filtering firewall.
- Stateful firewalls also present some limitations:
- Stateful firewalls cannot prevent Application layer attacks because they do not examine the actual contents of the HTTP connection.
- Not all protocols are stateful. UDP and ICMP, for example, have no connection handshake that could be recorded in a state table, so they get far less benefit from stateful filtering.
- It is difficult to track connections that use dynamic port negotiation.
- Some applications open a second connection on a negotiated port (FTP is the classic example).
- Without an application-aware helper, a whole new range of ports must be opened to allow that second connection.
- Stateful firewalls do not support user authentication.
- Application Gateway Firewall
- An application gateway firewall (proxy firewall) filters information at Layers 3, 4, 5, and 7 of the OSI reference model.
- Most of the firewall control and filtering is done in software.
- When a client needs to access a remote server, it connects to a proxy server.
- The proxy server connects to the remote server on behalf of the client.
- Therefore, the server only sees a connection from the proxy server.
- Next Generation Firewall
- Next generation firewalls (NGFW) go beyond stateful firewalls by providing the following:
- Integrated intrusion prevention.
- Application awareness and control to see and block risky apps.
- Upgrade paths to include future information feeds.
- Techniques to address evolving security threats.
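To make the stateless versus stateful distinction above concrete, here is an added example (written for this post; it is not code from the Cisco course or from the original sub-module) that runs one constructed packet stream through a stateless ACL and through a stateful firewall side by side. The Packet and Rule models, the policy, and the addresses (10.0.0.0/24 inside, 203.0.113.0/24 and 198.51.100.0/24 outside, both documentation ranges) are assumptions made for the illustration, and the fragment handling in the stateful class is a simplification of what real products do:

```python
# Added example for this post (not code from the Cisco course): one constructed
# packet stream judged by a stateless ACL and by a stateful firewall. Packets are
# a simplified model; nothing here parses real IP or TCP headers.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str        # "out" = inside -> outside, "in" = outside -> inside
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: Optional[int]  # None when no Layer 4 header is visible
    dport: Optional[int]
    syn: bool = False
    ack: bool = False
    frag_offset: int = 0  # > 0 marks a non-initial IP fragment (no TCP header)

@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str = "any"
    src: str = "any"           # CIDR prefix or "any"
    dst: str = "any"
    dport: Optional[int] = None
    established: bool = False  # like Cisco's 'established': requires the ACK bit

def _in_prefix(addr: str, prefix: str) -> bool:
    return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def _matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and _in_prefix(pkt.src, rule.src) and _in_prefix(pkt.dst, rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (not rule.established or pkt.ack))

def acl_lookup(acl: List[Rule], pkt: Packet) -> str:
    """First-match lookup with the implicit deny at the end of every ACL."""
    for rule in acl:
        if _matches(rule, pkt):
            return rule.action
    return "deny"

def stateless_decision(acls: Dict[str, List[Rule]], pkt: Packet) -> str:
    """Packet filter: judges each packet on its own, with no memory of earlier ones."""
    if pkt.frag_offset > 0:
        return "permit"  # no Layer 4 header to test, so non-initial fragments pass
    return acl_lookup(acls[pkt.direction], pkt)

class StatefulFirewall:
    """Consults the ACL only for connection-opening packets; anything else must match the state table."""

    def __init__(self, acls: Dict[str, List[Rule]]) -> None:
        self.acls = acls
        self.table: set = set()  # 5-tuples of accepted connections

    def decision(self, pkt: Packet) -> str:
        if pkt.frag_offset > 0:
            return "deny"  # simplification: real products reassemble before inspecting
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return "permit"  # belongs to a connection that was already accepted
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "deny"  # mid-stream TCP segment for an unknown connection
        action = acl_lookup(self.acls[pkt.direction], pkt)
        if action == "permit":
            self.table.add(fwd)  # UDP/ICMP get a pseudo-entry here as well
        return action

# Constructed policy: inside hosts may open HTTP/HTTPS, nothing may be opened from
# outside. Inbound, the stateless ACL relies on 'established', i.e. on the ACK bit alone.
INSIDE = "10.0.0.0/24"
ACLS = {
    "out": [Rule("permit", "tcp", src=INSIDE, dport=443),
            Rule("permit", "tcp", src=INSIDE, dport=80)],
    "in": [Rule("permit", "tcp", dst=INSIDE, established=True)],
}

# Constructed stream; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
STREAM = [
    Packet("out", "10.0.0.5", "203.0.113.10", "tcp", 40000, 443, syn=True),           # client opens HTTPS
    Packet("in", "203.0.113.10", "10.0.0.5", "tcp", 443, 40000, syn=True, ack=True),  # server's SYN/ACK
    Packet("in", "198.51.100.7", "10.0.0.5", "tcp", 443, 40000, ack=True),            # unsolicited ACK, spoofed
    Packet("in", "203.0.113.10", "10.0.0.5", "tcp", None, None, frag_offset=1480),    # non-initial fragment
    Packet("in", "198.51.100.7", "10.0.0.5", "tcp", 50000, 22, syn=True),             # SSH attempt from outside
    Packet("out", "10.0.0.5", "203.0.113.10", "tcp", 40001, 25, syn=True),            # outbound SMTP, not in policy
]

def compare(stream: List[Packet] = STREAM) -> List[Tuple[str, str]]:
    """Return (stateless verdict, stateful verdict) for each packet, in order."""
    stateful = StatefulFirewall(ACLS)
    return [(stateless_decision(ACLS, p), stateful.decision(p)) for p in stream]

if __name__ == "__main__":
    for pkt, (sl, sf) in zip(STREAM, compare()):
        print(f"{pkt.direction:>3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  stateless={sl:<6} stateful={sf}")
```

Packets 3 and 4 are the interesting ones: the stateless ACL permits the spoofed ACK because 'established' only looks at the ACK bit, and permits the non-initial fragment because there is no Layer 4 header to test, while the stateful firewall denies both because neither matches a connection it saw being opened. Both firewalls agree on the clear-cut cases (the legitimate handshake, the inbound SSH attempt, the outbound port that policy does not allow).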
Additional types of firewalls include:
- Host-Based (Personal and Server) Firewall - a PC or server with firewall software running on it.
- Transparent Firewall - filters IP traffic between a pair of bridged interfaces.
- Hybrid Firewall - a combination of the various firewall types.
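The application gateway behaviour described under "Application Gateway Firewall" above (the client connects to the proxy, the proxy connects onward, and the server only ever sees the proxy) can be shown with a few sockets on the loopback interface. The following is an added example, not code from the Cisco course or from this post: the upstream "server", the proxy, the request string and the use of 127.0.0.1 with ephemeral ports are all constructed for the illustration, and the proxy relays raw bytes rather than policing a Layer 7 protocol as a real application gateway would.

```python
# Added example for this post (not code from the Cisco course): a loopback
# "remote server" records which peer connected to it, while the client only ever
# talks to the proxy, which opens its own connection on the client's behalf.
import socket
import threading
from typing import List, Tuple

Addr = Tuple[str, int]


def _read_until_eof(sock: socket.socket) -> bytes:
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Relay bytes one way until src signals EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_server() -> Tuple[Addr, List[Addr]]:
    """Upstream server on 127.0.0.1: echoes one request and records the peer address."""
    seen: List[Addr] = []
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, peer = srv.accept()
        seen.append(peer)  # the address this server believes it is talking to
        with conn:
            conn.sendall(b"echo:" + _read_until_eof(conn))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname(), seen


def start_proxy(upstream: Addr) -> Tuple[Addr, List[Addr]]:
    """Application gateway: accept a client, connect upstream itself, relay both ways."""
    outbound: List[Addr] = []
    pxy = socket.socket()
    pxy.bind(("127.0.0.1", 0))
    pxy.listen(1)

    def relay() -> None:
        client, _ = pxy.accept()
        server = socket.create_connection(upstream)  # the proxy's own connection
        outbound.append(server.getsockname())
        # A real application gateway would parse and police the Layer 7 protocol
        # here; this one only relays bytes in both directions.
        back = threading.Thread(target=_pump, args=(server, client), daemon=True)
        back.start()
        _pump(client, server)
        back.join()
        server.close()
        client.close()
        pxy.close()

    threading.Thread(target=relay, daemon=True).start()
    return pxy.getsockname(), outbound


def demo() -> Tuple[bytes, Addr, Addr]:
    """Send one request via the proxy; return (reply, proxy's upstream address, peer the server saw)."""
    upstream, seen = start_server()
    proxy_addr, outbound = start_proxy(upstream)
    client = socket.create_connection(proxy_addr, timeout=5)
    client.sendall(b"GET / HTTP/1.0\r\n\r\n")  # constructed request
    client.shutdown(socket.SHUT_WR)
    reply = _read_until_eof(client)
    client.close()
    return reply, outbound[0], seen[0]


if __name__ == "__main__":
    reply, proxy_side, server_saw = demo()
    print(reply)
    print("server saw", server_saw, "which is the proxy's socket", proxy_side)
```

Running it shows the point the sub-module makes: the peer address the server recorded is the proxy's own outbound socket, not the client's, so any per-client control (or logging) has to happen on the proxy. The half-close handling in `_pump` is what lets a one-shot request and reply complete cleanly through the two hops.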
I will come back to this post after I complete Module 3.5 Firewalls and Host-Based Intrusion Prevention.
There is a lot of good information about firewalls.
Additionally, I found some really good information and graphics about the different types of firewalls over at Palo Alto Networks' webpage.
As always, more to follow.