Firewalls act as a barrier between trusted and untrusted networks, typically positioned between a LAN and a WAN. Their primary role is to inspect all traffic passing through and decide, based on defined security policies, whether to allow or block the traffic.
For example, consider the topology below.
In this diagram, the LAN consists of a host and a switch (SW1). On the right, router R1 connects to the ISP's router (ISP1). The firewall sits between SW1 and R1, so every packet between the LAN and the Internet has to pass through it. Whether you need a router at all depends on the WAN type:
- If your ISP provides a cable modem with Ethernet, it can connect directly to the firewall.
- If the connection is wireless, a router might be needed to establish connectivity.
- Advanced routing scenarios (like BGP) require a dedicated router.
Most firewalls also support basic routing features such as static routes, default routes, and sometimes routing protocols like RIP, OSPF, or EIGRP.
While this article focuses on hardware (network) firewalls, host-based software firewalls, like the one built into Microsoft Windows, apply the same filtering concepts to the traffic of a single host.
Stateful Filtering #
Like routers, firewalls can use Access Control Lists (ACLs) to filter traffic by source/destination IP address and port number. Router ACLs, however, are stateless: each packet is evaluated on its own, with no memory of the connection it belongs to, so permitting reply traffic through a router ACL means permanently opening the ports those replies use.
In contrast, stateful filtering allows firewalls to track sessions and connections. Examples:
- A LAN computer acts as a mail client connecting to a mail server on the Internet. When the client sends the initial TCP SYN, the firewall records the connection (source and destination IP addresses, port numbers, and TCP state) in its state table and follows the three-way handshake. When the server responds, the firewall matches the reply against that entry and permits it back to the client automatically; a reply that matches no entry is dropped.
- A web server behind the firewall receives around 20 new TCP connections per second from different IP addresses. If a single IP suddenly exceeds 10 new connections per second, the firewall drops further connection attempts from that IP to mitigate a DoS (Denial of Service) attack, while connections from other sources continue unaffected.
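Both behaviours above, the state table that lets only matching replies back in and the per-source new-connection limit, can be simulated in a few dozen lines. The following Python is an added example written for this article, not vendor code; the addressing (10.0.0.0/24 as the inside LAN, 10.0.0.80 as a published web server) and the packet trace are constructed for the demonstration.

```python
from collections import defaultdict, deque

# Assumed addressing for this example (not from the article): 10.0.0.0/24 is
# the inside LAN and 10.0.0.80 is a web server that an ACL exposes on TCP/80.
INSIDE_PREFIX = "10.0.0."
PUBLISHED_SERVICES = {("10.0.0.80", 80)}
MAX_NEW_PER_SEC = 10          # per-source threshold from the article's second example


class StatefulFilter:
    """Toy stateful filter: a state table for TCP sessions plus a per-source
    new-connection rate limit. Packets are (time, src, sport, dst, dport, flags)."""

    def __init__(self):
        self.flows = set()                     # tracked sessions: (src, sport, dst, dport)
        self.syn_times = defaultdict(deque)    # source IP -> timestamps of its recent SYNs

    @staticmethod
    def is_inside(ip):
        return ip.startswith(INSIDE_PREFIX)

    def new_conn_rate_ok(self, src, now):
        """Sliding one-second window over connection attempts from one source."""
        window = self.syn_times[src]
        while window and now - window[0] >= 1.0:
            window.popleft()
        window.append(now)
        return len(window) <= MAX_NEW_PER_SEC

    def filter(self, pkt):
        ts, src, sport, dst, dport, flags = pkt
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        # 1. Anything belonging to a tracked session, in either direction, is allowed.
        #    This is what lets the mail server's replies back in without a permanent rule.
        if fwd in self.flows or rev in self.flows:
            return "ALLOW"
        # 2. No state and not a connection attempt: a stateless ACL that permits
        #    "established" replies could not distinguish this from real return traffic.
        if flags != "S":
            return "DROP"
        # 3. Outbound SYN from the trusted side creates state and is allowed.
        if self.is_inside(src) and not self.is_inside(dst):
            self.flows.add(fwd)
            return "ALLOW"
        # 4. Inbound SYN to a published service is allowed, subject to the per-source limit.
        if (dst, dport) in PUBLISHED_SERVICES:
            if not self.new_conn_rate_ok(src, ts):
                return "DROP"
            self.flows.add(fwd)
            return "ALLOW"
        return "DROP"


def run(packets):
    fw = StatefulFilter()
    return [fw.filter(p) for p in packets]


def demo():
    """Constructed packet trace covering both examples from the text."""
    packets = [
        (0.00, "10.0.0.5", 51000, "203.0.113.25", 25, "S"),    # mail client opens a session
        (0.01, "203.0.113.25", 25, "10.0.0.5", 51000, "SA"),   # server reply matches state
        (0.02, "10.0.0.5", 51000, "203.0.113.25", 25, "A"),    # handshake completes
        (0.03, "198.51.100.9", 25, "10.0.0.5", 51000, "SA"),   # forged reply, no matching SYN
    ]
    # One outside host opens 12 connections to the web server within one second...
    packets += [(0.1 + i * 0.05, "198.51.100.7", 40000 + i, "10.0.0.80", 80, "S")
                for i in range(12)]
    # ...while another host's single connection is unaffected.
    packets.append((0.9, "198.51.100.8", 40000, "10.0.0.80", 80, "S"))
    return run(packets)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The forged SYN-ACK in the trace is the case a stateless "established" rule gets wrong: it carries the right flags and ports but never had a SYN from inside, so only a state table can reject it. Note that dropped connection attempts still count toward the rate window, so a source that keeps hammering stays blocked until it backs off.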
Deep Packet Inspection (DPI) #
Most firewalls go beyond basic ACL filtering. While simple ACLs only inspect Layer 3 (IP) and Layer 4 (TCP/UDP) headers, Deep Packet Inspection (DPI) enables inspection into Layer 7 (application data).
In the packet capture above, the network (IP) and transport (TCP) layers are highlighted in red, while the application layer is green. It shows what DPI adds: the firewall can inspect the HTTP request itself (method, URL, headers such as Host), not just IP addresses and ports.
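To make the Layer 3/4 versus Layer 7 distinction concrete, here is an added Python example (not code from the article) that builds a minimal IPv4/TCP packet, parses the headers an ACL sees, then parses the HTTP request a DPI engine sees and applies a policy to each. The packets, the denylisted host name and the policy are constructed for the demonstration.

```python
import struct

# Assumed policy for this example (not from the article): an ACL allows TCP/80
# to the web server; the DPI layer additionally rejects a denylisted Host
# header and anything on port 80 that is not an HTTP request.
DPI_BLOCKED_HOSTS = {"malware.example.net"}
DPI_ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def build_packet(src, dst, sport, dport, payload):
    """Constructed IPv4 + TCP packet for the demo (checksums left at zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse(packet):
    """Return the Layer 3/4 fields an ACL sees and, when present, the Layer 7
    HTTP request a DPI engine sees."""
    ihl = (packet[0] & 0x0F) * 4
    info = {
        "proto": packet[9],
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "http": None,
    }
    info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    data_off = (packet[ihl + 12] >> 4) * 4
    payload = packet[ihl + data_off:]
    # Layer 7: try to interpret the payload as an HTTP request.
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return info
    lines = head.split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) == 3 and request_line[2].startswith("HTTP/"):
        headers = {}
        for line in lines[1:]:
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip().lower()] = value.strip()
        info["http"] = {"method": request_line[0], "path": request_line[1], "headers": headers}
    return info


def acl_verdict(info):
    """Layers 3 and 4 only: permit TCP to port 80, exactly what a router ACL can express."""
    return "ALLOW" if info["proto"] == 6 and info["dport"] == 80 else "DROP"


def dpi_verdict(info):
    """Same ACL, then inspection of the application data."""
    if acl_verdict(info) == "DROP":
        return "DROP"
    http = info["http"]
    if http is None:
        return "DROP"                        # port 80, but not HTTP: a protocol anomaly
    if http["method"] not in DPI_ALLOWED_METHODS:
        return "DROP"
    if http["headers"].get("host", "") in DPI_BLOCKED_HOSTS:
        return "DROP"
    return "ALLOW"


def demo():
    """Three constructed packets; returns (ACL verdict, DPI verdict) for each."""
    samples = [
        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        b"GET /payload.bin HTTP/1.1\r\nHost: malware.example.net\r\n\r\n",
        b"SSH-2.0-OpenSSH_9.6\r\n",          # an SSH server hidden behind port 80
    ]
    results = []
    for payload in samples:
        info = parse(build_packet("10.0.0.5", "203.0.113.80", 51000, 80, payload))
        results.append((acl_verdict(info), dpi_verdict(info)))
    return results


if __name__ == "__main__":
    for acl, dpi in demo():
        print(f"ACL: {acl:5}  DPI: {dpi}")
```

All three packets are identical at Layers 3 and 4, so the ACL allows all of them; only the DPI pass, which reads the request line and headers, can tell a download from a denylisted host or a tunnelled SSH session apart from an ordinary page request. A real DPI engine also has to reassemble the TCP stream, since the request can span several segments; this example inspects a single packet for clarity.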
Security Zones #
By default, Cisco routers forward all packets matching their routing table. To apply restrictions, administrators must configure ACLs. But with multiple interfaces and rules, ACL management can become complex and error-prone.
Example with ACLs:
The router above requires four ACLs: two applied inbound on the LAN side to block certain LAN traffic and two applied inbound on the Internet side to block certain Internet traffic. Each ACL has to be written, applied to the right interface in the right direction, and kept consistent with the others, which becomes cumbersome as the number of interfaces and rules grows.
A better solution is using firewall security zones:
Here we have two security zones:
- Inside: Trusted LAN
- Outside: Untrusted WAN
Each zone has a security level; on a Cisco ASA, for example, inside defaults to security level 100 and outside to 0. The basic rules are:
- Traffic from a higher security level (LAN) to a lower one (WAN) is allowed.
- Traffic from a lower security level to a higher one is denied.
- Traffic between interfaces at the same security level is denied by default.
Since firewalls are stateful, outbound connections are tracked, and their return traffic is permitted automatically. Exceptions—like allowing inbound WAN traffic to LAN—require ACLs.
Most enterprises also deploy a DMZ (Demilitarized Zone) for public-facing servers:
In a DMZ setup:
- Inside → Outside: Allowed
- Inside → DMZ: Allowed
- DMZ → Outside: Allowed
- DMZ → Inside: Denied
- Outside → DMZ: Denied (unless explicitly allowed via ACLs)
- Outside → Inside: Denied
This ensures that even if a DMZ server (e.g., the mail server) is compromised, the attacker cannot initiate connections into the internal LAN: the only DMZ-to-Inside traffic the firewall permits is the return traffic of sessions that internal hosts opened toward the DMZ.
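The zone rules above, together with the explicit exceptions and the stateful return traffic they interact with, can be written as one decision function. The following Python is an added example for this article, not Cisco code: the interface names, the address prefixes per zone, the security level of 50 for the DMZ and the two published DMZ services are assumptions made for the demonstration, and the packet list is constructed.

```python
# Assumed zone layout (not from the article): three interfaces with ASA-style
# security levels. 100/0 are the ASA defaults for inside/outside; 50 for the
# DMZ is a common choice, not a fixed rule.
ZONES = {"gi0/0": ("inside", 100), "gi0/1": ("dmz", 50), "gi0/2": ("outside", 0)}
# Address prefixes per zone, standing in for the firewall's route lookup.
PREFIXES = {"inside": "10.0.0.", "dmz": "192.0.2."}       # anything else is "outside"
# Explicit exceptions, the equivalent of an ACL applied on the outside interface:
# (from_zone, to_zone, destination IP, destination port)
EXCEPTIONS = {("outside", "dmz", "192.0.2.25", 25), ("outside", "dmz", "192.0.2.80", 443)}


def zone_of(ip):
    for zone, prefix in PREFIXES.items():
        if ip.startswith(prefix):
            return zone
    return "outside"


class ZoneFirewall:
    """Zone-based policy: security levels decide the default, explicit
    exceptions open lower-to-higher paths, and tracked sessions admit replies."""

    def __init__(self):
        self.level = {zone: lvl for zone, lvl in ZONES.values()}
        self.flows = set()   # tracked sessions: (src, sport, dst, dport)

    def decide(self, ingress_if, src, sport, dst, dport, syn):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        # Return traffic of a tracked session is allowed regardless of zone direction.
        if fwd in self.flows or rev in self.flows:
            return "ALLOW"
        if not syn:
            return "DROP"            # no state and not a new connection
        src_zone = ZONES[ingress_if][0]
        if zone_of(src) != src_zone:
            return "DROP"            # source address does not belong on this interface (spoofed)
        dst_zone = zone_of(dst)
        if src_zone == dst_zone:
            return "DROP"            # same security level: denied by default
        higher_to_lower = self.level[src_zone] > self.level[dst_zone]
        explicitly_allowed = (src_zone, dst_zone, dst, dport) in EXCEPTIONS
        if higher_to_lower or explicitly_allowed:
            self.flows.add(fwd)
            return "ALLOW"
        return "DROP"


def demo():
    """Constructed packets: (ingress interface, src, sport, dst, dport, is_SYN)."""
    fw = ZoneFirewall()
    packets = [
        ("gi0/0", "10.0.0.5",     51000, "203.0.113.9", 443, True),   # inside -> outside
        ("gi0/0", "10.0.0.5",     51001, "192.0.2.25",   25, True),   # inside -> dmz
        ("gi0/1", "192.0.2.25",   40000, "203.0.113.9",  25, True),   # dmz -> outside
        ("gi0/1", "192.0.2.25",   40001, "10.0.0.5",    445, True),   # dmz -> inside
        ("gi0/2", "198.51.100.7", 40002, "192.0.2.25",   25, True),   # outside -> dmz, published
        ("gi0/2", "198.51.100.7", 40003, "192.0.2.25",   22, True),   # outside -> dmz, not published
        ("gi0/2", "198.51.100.7", 40004, "10.0.0.5",    445, True),   # outside -> inside
        ("gi0/1", "192.0.2.25",      25, "10.0.0.5",  51001, False),  # reply to packet 2
        ("gi0/1", "192.0.2.25",      25, "10.0.0.5",  51002, False),  # dmz -> inside, no state
        ("gi0/2", "10.0.0.9",     40005, "192.0.2.25",   25, True),   # inside address arriving from outside
    ]
    return [fw.decide(*p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The two DMZ-to-Inside packets are the point of the example: the one that answers a session the inside host opened is allowed by state, the one that does not is dropped by the zone rule, which is exactly what keeps a compromised DMZ server from reaching the LAN. The last packet shows why zone membership is tied to the ingress interface rather than the source address alone; a real firewall enforces this with reverse-path checks.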
Conclusion #
You now have a foundational understanding of firewall basics. Key takeaways:
- Firewalls use stateful filtering to track sessions and enhance security.
- Advanced firewalls support deep packet inspection for analyzing Layer 7 application traffic.
- Security zones simplify network security by grouping interfaces into trusted and untrusted areas, with DMZs providing controlled access to public-facing services.
Firewalls remain one of the most critical components of data center and enterprise network security, safeguarding trusted networks from external threats.