If you’ve ever watched Lord of the Rings then I’m certain you get the reference. When I think of a firewall I can totally see Gandalf (our firewall) standing between all the bad things on the internet and our network. And if any traffic passing through is set to be denied, I can hear Gandalf saying “YOU SHALL NOT PASS!”. The traffic is then dropped to some place we will never know. If you haven’t watched Lord of the Rings before then I strongly suggest you give it a watch!

That’s really the thing about firewalls: they are there to protect us from internet threats as well as internal threats. Firewalls have evolved through many different iterations. At their base they would only deny or accept traffic based on port and protocol information; firewalls now fill the role of Next-Generation Firewalls, or NGFW for short. This allows us to implement great features like IPS (Intrusion Prevention Systems) as well as content filtering, where you could stop users from accessing certain types of malicious websites. This gives us greater control over our networks and over what we allow and drop.



Firewalling: the short of it

If you recall, I mentioned that firewalls typically operate at the 4th layer of the OSI model, which is the transport layer. The reason is that the main job of a firewall is to INSPECT any traffic that comes into any of its ports. Before the firewall makes a decision to forward the traffic, it will first reference a policy rule-set that has been implemented by us as administrators. Typically, when you first install a firewall it will come with a base policy that is set to deny traffic from any source to any destination; this is called the implicit deny rule. So we as administrators will need to implement some policies in order to allow traffic based on our requirements. Firewalls can also operate in a stateless or a stateful manner; however, the typical devices you will find work in a stateful manner.

Stateless vs Stateful?

So I’ll explain this again in the simplest way possible: whenever you are working on a stateless firewall you will have to manually create policies for each direction of a connection. As an example, for traffic coming into port 1 and going out of port 2 you will need to create a policy for any traffic from port 1 to port 2; however, you would also need to create a return policy to allow traffic back. So you would add another policy from port 2 to port 1.

Stateful firewalls, on the other hand, keep tracking the connection once it is accepted. This means that the firewall is smart enough to know that if I am allowing traffic from port 1 to port 2 for HTTPS then I will need to allow the return traffic as well. This way you will only ever need to create a single policy instead of pairs in order to get connections working.



Policy Hierarchies

Since we know firewalls work with policies, you will also need to learn that each firewall works on a hierarchy. This only means that the firewall will inspect traffic and reference it against its policy table from top to bottom; if any policy is matched, an action is taken. If nothing is matched then this traffic will hit the implicit deny rule at the end of the policy table.

Policies are typically configured with source and destination interfaces (Layer 2). From those interfaces you will also need to specify the source and destination addresses (Layer 3). Next you will specify services; this is typically your port information, such as port number 80, 443 or 8081, and whether it is TCP, UDP or something else (Layer 4). We then specify a schedule: when exactly will this policy run? Only certain hours, certain days, or always? Lastly we need to set an action: are we denying or allowing the traffic?

There are some other nice additions we can add to our policies; however, what we discussed in the previous paragraph is the base for any firewalling. The more we work on firewalls, the more advanced features we will start discussing and implementing.
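The top-to-bottom matching, the implicit deny and the stateless/stateful difference described above can be seen together in a small model. This is an added example, not code from the original post or from any firewall product; the `Firewall`, `Policy` and `Packet` names, the interface labels and the addresses are assumptions, the schedule field is left out (treated as "always"), and real connection tracking also follows TCP state and timeouts.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Hypothetical model: schedule is omitted to keep the example short.
Packet = namedtuple("Packet", "in_if out_if src dst proto sport dport")
Policy = namedtuple("Policy", "name in_if out_if src_net dst_net proto dport action")

def matches(pol, p):
    """True when the packet fits every field of the policy."""
    return (p.in_if == pol.in_if and p.out_if == pol.out_if
            and ip_address(p.src) in ip_network(pol.src_net)
            and ip_address(p.dst) in ip_network(pol.dst_net)
            and p.proto == pol.proto and p.dport == pol.dport)

class Firewall:
    def __init__(self, policies, stateful=True):
        self.policies, self.stateful = list(policies), stateful
        self.sessions = set()  # accepted flows, keyed by 5-tuple

    def decide(self, p):
        """Return (action, name of the rule that decided)."""
        # Stateful: a reply is a tracked flow's 5-tuple with the ends swapped.
        if self.stateful and (p.dst, p.dport, p.src, p.sport, p.proto) in self.sessions:
            return "accept", "session-table"
        for pol in self.policies:  # top to bottom, first match wins
            if matches(pol, p):
                if pol.action == "accept" and self.stateful:
                    self.sessions.add((p.src, p.sport, p.dst, p.dport, p.proto))
                return pol.action, pol.name
        return "deny", "implicit-deny"  # nothing matched

# Constructed policy table and packets (private and documentation addresses).
POLICIES = [
    Policy("block-guests", "port1", "port2", "192.168.1.128/25", "0.0.0.0/0", "tcp", 443, "deny"),
    Policy("lan-to-https", "port1", "port2", "192.168.1.0/24", "0.0.0.0/0", "tcp", 443, "accept"),
]
REQUEST = Packet("port1", "port2", "192.168.1.10", "203.0.113.5", "tcp", 50000, 443)
REPLY = Packet("port2", "port1", "203.0.113.5", "192.168.1.10", "tcp", 443, 50000)
GUEST = Packet("port1", "port2", "192.168.1.200", "203.0.113.5", "tcp", 50001, 443)

def demo(stateful):
    fw = Firewall(POLICIES, stateful)
    return [fw.decide(pkt) for pkt in (REQUEST, REPLY, GUEST)]

if __name__ == "__main__":
    for mode in (True, False):
        print("stateful" if mode else "stateless", demo(mode))
```

In stateless mode the reply falls through to the implicit deny because no port 2 to port 1 policy exists, and reversing the order of the two policies would let the guest range through, since the broader accept would match first.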

Conclusion

You have now learned the basics of firewalling. This is another major fundamental and is also something that you can pursue exclusively in your career path; many network engineers also become network security engineers, where your job will be to protect the network from threats.
I hope this has been informative for you and I would like to encourage you again to sign up to our mailing list as well as subscribe to my YouTube channel where these blogs are covered in a video format.






The Network Berg

Network solutions specialist with over 12 years of experience in the computer networking landscape. Involved with solution design, project planning and implementations on Enterprise and ISP networks.

1 Comment

Simamkele · April 24, 2019 at 10:35 pm

Wow! I thank you so much
