Join Mike Chapple for an in-depth discussion in this video Firewalls, part of CompTIA Security+ Exam Prep (SY0-401): Network Security.
- If routers and switches are the connectivity building blocks of a network, firewalls are the security workhorses. Firewalls act like the security guards of a network, analyzing all attempts to connect to systems on the network, and determining whether those requests should be allowed or denied, according to the organization's security policy. Firewalls often sit at the network perimeter in between an organization's routers and the internet. From this network location, they can easily see all inbound and outbound connections.
Traffic on the internal network may flow between trusted systems unimpeded, but anything crossing the perimeter to or from the internet must be evaluated by the firewall. Firewalls often connect three networks together: the internet, an internal network, and a special purpose network known as the demilitarized zone, or DMZ. The DMZ contains systems that must accept direct connections from the outside world, such as public web servers.
The DMZ isolates those systems because they are at higher risk of compromise. If an attacker manages to compromise a system located in the DMZ, he or she still does not have direct access to other systems located on the internal network. Firewalls use a technique known as stateful inspection that allows them to keep track of established connections. For example, when a user on the internal network requests a webpage from a server, the firewall notes that request, and then allows the web server to respond and the two systems to communicate back and forth for the duration of the connection without reevaluating the request each time a new packet appears at the firewall.
When the firewall encounters a new connection request, it evaluates it against a set of rules created by system administrators. These rules describe network connections that the firewall should act upon using several important characteristics. The first of these is the address of the source systems affected by the rule, as well as the destination IP addresses for systems affected by the rule. It also includes the destination port and protocol and tells the firewall the action that it should take when encountering traffic matching these characteristics.
This is normally either allow or deny, telling the firewall to permit or block traffic that matches the description in the rule. For example, imagine that we have a web server located in our DMZ with the IP address 10.15.100.1. If we want users on the internet to access that system, we must write a firewall rule that permits access from the internet into the DMZ. This is a rule that permits access, so we set the action to Allow. In this case, the connection request would be coming from an unknown internet system to the web server.
Since we do want anyone to have access to the website, we set the source address on this rule to Any. We do want to limit this access to the web server only, so we set the destination IP address to 10.15.100.1, the IP address of our web server. We also want to limit access to resources on that system to the HTTP protocol which uses port 80, so we set the destination port as 80 and protocol as TCP. And that's how you create a firewall rule.
Firewall configurations simply consist of writing many different rules like this one and adding them to the configuration as new systems require access. One of the core principles of a firewall is that any traffic that isn't explicitly permitted by a rule should be automatically denied. This principle is known as the default deny or implicit deny rule. This is a very important concept that is often tested on the Security+ Exam. Web application firewalls are a specialized type of firewall that is application aware.
They understand how the HTTP protocol works and peer deep into those application connections, looking for signs of SQL injections, cross-site scripting, and other web application attacks. Firewalls of all types play a very important role in building strong, secure networks.
We are now a CompTIA Content Publishing Partner. As such, we are able to offer CompTIA exam vouchers at a 10% discount. For more information on how to obtain this discount, please download these PDF instructions.
- Working with the TCP/IP suite
- Securing switches and routers
- Configuring firewalls
- Setting up virtual private networks (VPNs)
- Detecting and preventing network intrusions
- Implementing unified threat management
- Using public and private network addressing effectively
- Segmenting networks
- Virtualization and cloud computing
- Managing secure networks