The Firewall
What is a Firewall?
A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on a set of defined security rules. Its primary purpose is to allow legitimate traffic while blocking malicious or unwanted traffic, protecting your internal network from threats.
Analogy: A firewall is like a security guard at the gate of a secure building. The guard checks the credentials of everyone trying to enter or leave and only permits those who are authorized according to a strict set of rules.
How Firewalls Work
A firewall analyzes data packets and decides whether to allow or block them based on a set of rules. This set of rules is often called an Access Control List (ACL). These rules can filter traffic based on:
- Source and Destination IP Address: Where the traffic is coming from and where it's going.
- Source and Destination Port: Which application the traffic is intended for.
- Protocol: The type of traffic (e.g., TCP, UDP, ICMP).
Access Control Lists (ACLs)
An ACL is the specific list of instructions that a firewall or router uses to manage traffic.
- What it is: An ACL is an ordered list of permit or deny statements. These statements are known as Access Control Entries (ACEs).
- How it's Processed:
- Top-Down: The device checks a packet against the rules in the ACL from top to bottom.
- First Match Wins: As soon as a packet matches a rule, the specified action (permit or deny) is taken, and no further rules are checked.
- Implicit Deny: At the end of every ACL, there is an invisible "deny all" rule. If a packet does not match any preceding "permit" rule, it will be dropped. This enforces a highly secure "default deny" posture.
- Types of ACLs:
- Standard ACLs: Simple rules that filter traffic based only on the source IP address.
- Extended ACLs: Much more powerful and granular. They can filter based on source & destination IP, protocol, and port numbers.
- Example Rule: `permit tcp host 192.168.1.50 any eq 443`
- Meaning: "Allow (permit) TCP traffic (tcp) from the specific device (host) 192.168.1.50 to any destination (any) as long as it is for secure web traffic (equal to port 443)."
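To see the top-down, first-match-wins and implicit-deny rules in action, here is an added example (not part of the original notes) that parses simplified extended ACL entries in the style of the rule above and evaluates constructed packets against them. It assumes CIDR notation for networks instead of the wildcard masks real router ACLs use, and the ACL and packets are constructed for illustration.

```python
# Added example: minimal evaluator for simplified extended ACL entries.
# Assumption: networks are written as CIDR (A.B.C.D/prefix), not wildcard masks.
# ACL entries and packets below are constructed, not taken from a real device.
import ipaddress

def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]' into a dict.
    <src>/<dst> may be 'any', 'host A.B.C.D', or 'A.B.C.D/prefix'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    i = 2
    def take_addr():
        nonlocal i
        if tokens[i] == "any":
            i += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tokens[i] == "host":
            i += 2
            return ipaddress.ip_network(tokens[i - 1] + "/32")
        i += 1
        return ipaddress.ip_network(tokens[i - 1], strict=False)
    src, dst = take_addr(), take_addr()
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = int(tokens[i + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": port}

def matches(ace, pkt):
    """True if the packet satisfies every field the ACE constrains ('ip' = any protocol)."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ace["dst"]:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
        return False
    return True

def evaluate(acl_lines, pkt):
    """Walk the ACL top-down; the first matching ACE decides; no match is an implicit deny."""
    for n, line in enumerate(acl_lines, start=1):
        if matches(parse_ace(line), pkt):
            return line.split()[0], n          # (action, ACE number that matched)
    return "deny", None                        # the invisible 'deny all' at the end

# Constructed ACL: one host may reach HTTPS anywhere; the rest of the LAN is
# blocked from one internal server but otherwise permitted.
ACL = [
    "permit tcp host 192.168.1.50 any eq 443",
    "deny ip 192.168.1.0/24 host 10.0.0.5",
    "permit ip 192.168.1.0/24 any",
]
```

Note that a packet from 192.168.1.50 to 10.0.0.5 on port 443 is permitted by entry 1 even though entry 2 would deny it, which is exactly why ACE ordering matters.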
Common Types of Firewalls
Firewalls have evolved over time, becoming more intelligent and capable.
- Packet-Filtering Firewalls (Stateless): This is the most basic type. It inspects individual packets in isolation and makes decisions based on the IP and port information in the packet's header. It doesn't know the context of the traffic.
- Stateful Inspection Firewalls: A major improvement. This type of firewall monitors the "state" of active connections. It knows if an incoming packet is part of an established conversation that was initiated from inside the network. This allows it to block unsolicited traffic and is the most common type found in home routers.
- Proxy Firewalls: This firewall acts as an intermediary (a proxy) for specific applications. It inspects the content of the traffic itself, providing deeper security. All traffic appears to come from the proxy server, hiding the internal client's IP.
- Next-Generation Firewalls (NGFW): The modern standard for enterprise security. NGFWs combine stateful inspection with advanced features like:
- Deep Packet Inspection (DPI): Examines the data payload of a packet, not just the header.
- Intrusion Prevention System (IPS): Actively blocks known network exploits.
- Application Awareness: Can identify and control traffic from specific applications (e.g., block Facebook, allow Microsoft Teams) regardless of the port number.
Hardware vs. Software Firewalls
- Hardware Firewalls: These are dedicated physical appliances that sit at the edge of a network, protecting all the devices within it. The firewall in your home Wi-Fi router is a simple example.
- Software Firewalls: These are programs installed on an individual computer or server, like Windows Defender Firewall or the macOS Firewall. They protect only the single device they are installed on.