Lo2 Security

A firewall is a security tool that manages web traffic in a private network by filtering allowed and prohibited connections, acting as a barrier against web threats. It can be implemented as network firewalls or host firewalls, each serving different purposes and levels of customization. Proper configuration and management of firewalls are essential to prevent unauthorized access and ensure network security.

Uploaded by hira1010024

What is a firewall?

Firewalls can be viewed as gated borders or gateways that manage the flow of permitted and
prohibited network traffic into and out of a private network. The term comes from the physical
walls built to slow the spread of fire until emergency services can extinguish it. By
comparison, network security firewalls manage network traffic, typically to slow the spread of
threats that arrive over the network.
Firewalls create 'choke points' through which traffic is funnelled; at these points each
connection is reviewed against a set of configured rules and allowed or blocked accordingly.
Most firewalls can also record the traffic and connections they see in audit logs, so that
what was allowed or blocked can be checked later.
Firewalls are typically used to gate the borders of a private network or its host devices. As such,
firewalls are one security tool in the broader category of access control. These barriers are
typically deployed in two locations: on dedicated devices at the network boundary, or on the
user computers and other endpoints themselves (hosts).

How do firewalls work?


A firewall decides which network traffic is allowed to pass through and which traffic is deemed
dangerous. Essentially, it works by separating the trusted from the untrusted. Before going
into detail, it helps to understand how networks are structured.
Firewalls are intended to secure private networks and the endpoint devices within them, known
as network hosts. Network hosts are devices that 'talk' with other hosts: they send and receive
traffic within internal networks, and inbound and outbound between internal and external
networks.
Computers and other endpoint devices use networks to reach the internet and each other. For
security and manageability, an organization's network is divided into sub-networks or
'subnets'. The basic segments are as follows:
1. External public networks typically refer to the public/global internet or various
extranets.
2. Internal private network defines a home network, corporate intranets, and other
‘closed’ networks.
3. Perimeter networks detail border networks made of bastion hosts — computer hosts
dedicated with hardened security that are ready to endure an external attack. As a secured
buffer between internal and external networks, these can also be used to house any
external-facing services provided by the internal network (i.e., servers for web, mail,
FTP, VoIP, etc.). These are more secure than external networks but less secure than
internal. These are not always present in simpler networks like home networks but may
often be used in organizational or national intranets.
Screening routers are specialized gateway devices placed on a network to segment it; they act
as the network-level firewall. The two most common segment models are the screened host
firewall and the screened subnet firewall:
 Screened host firewalls use a single screening router between the external and internal
networks. These two networks are the two subnets of this model.
 Screened subnet firewalls use two screening routers: one known as the access router
between the external and perimeter network, and another known as the choke router between
the perimeter and internal network. This creates three subnets.
A firewall can sit either at the network perimeter or on the host machines themselves. In the
host case, it is placed between a single computer and its connection to the private network.
 Network firewalls involve the application of one or more firewalls between external
networks and internal private networks. These regulate inbound and outbound network
traffic, separating external public networks—like the global internet—from internal
networks like home Wi-Fi networks, enterprise intranets, or national intranets. Network
firewalls may come in the form of any of the following appliance types: dedicated hardware,
software, and virtual.
 Host firewalls or 'software firewalls' involve the use of firewalls on individual user devices
and other private network endpoints as a barrier between devices within the network. These
devices, or hosts, receive customized regulation of traffic to and from specific computer
applications. Host firewalls may run on local devices as an operating system service or an
endpoint security application. Host firewalls can also dive deeper into web traffic, filtering
based on HTTP and other networking protocols, allowing the management of what content
arrives at your machine, rather than just where it comes from.

A network firewall has to be configured against a broad scope of connections, whereas a host
firewall can be tailored to each machine's needs. Host firewalls therefore take more effort to
customize, which makes network firewalls the better choice for sweeping control. Using both at
once, at the perimeter and on the hosts, is ideal for a multi-layer security system.
Filtering traffic via a firewall makes use of pre-set or dynamically learned rules for allowing
and denying attempted connections. These rules are how a firewall regulates the flow of web
traffic through your private network and private computer devices. Regardless of type, all
firewalls may filter by some combination of the following:
 Source: Where an attempted connection is being made from.
 Destination: Where an attempted connection is intended to go.
 Contents: What an attempted connection is trying to send.
 Packet protocols: What ‘language’ an attempted connection is speaking to carry its
message. Among the networking protocols that hosts use to ‘talk’ with each other,
TCP/IP protocols are primarily used to communicate across the internet and within
intranet/sub-networks.
 Application protocols: Common protocols include HTTP, Telnet, FTP, DNS, and SSH.
Source and destination are expressed as internet protocol (IP) addresses and ports. An IP
address identifies a host; ports are a sub-level of any given source and destination host,
similar to office rooms within a larger building. Ports are conventionally assigned to specific
services, so a protocol or host using an uncommon port, or a port that should be disabled, can
be a sign of trouble (for example, a service listening on a non-standard port to evade a rule
written for the standard one).

Types of firewall
Different types of firewalls incorporate varied methods of filtering. While each type was
developed to surpass previous generations of firewalls, much of the core technology has passed
between generations.
Firewall types are distinguished by their approach to:
1. Connection tracking
2. Filtering rules
3. Audit logs

Each type operates at a different level of the standardized communications model, the Open
Systems Interconnection model (OSI). This model gives a better visual of how each firewall
interacts with connections.
Static Packet-Filtering Firewall
Static packet-filtering firewalls, also known as stateless inspection firewalls, operate at the OSI
network layer (layer 3), reading the transport-layer port numbers as well. These offer basic
filtering by checking each data packet individually, based on where it is from and where it is
going. Notably, previously accepted connections are not tracked, so every packet must be
matched against the rules on its own, with no memory of earlier packets.
Filtering is based on IP addresses, ports, and packet protocols. These firewalls, at a bare
minimum, prevent two networks from connecting directly without permission.
Rules for filtering are set based on a manually created access control list. These are very rigid
and it is difficult to cover unwanted traffic appropriately without compromising network
usability. Static filtering requires ongoing manual revision to be used effectively. This can be
manageable on small networks but can quickly become difficult on larger ones.
Inability to read application protocols means the contents of a message delivered within a packet
cannot be read. Without reading the content, packet-filtering firewalls have a limited quality of
protection.
Circuit-Level Gateway Firewall
Circuit-level gateways operate at the session layer (layer 5). These firewalls verify that the
packets setting up a connection are legitimate (for TCP, that the handshake completes
correctly) and, if so, permit a persistent open connection between the two networks. Once the
circuit is established, the firewall stops inspecting what passes over it.
Aside from its approach to connections, the circuit-level gateway can be similar to proxy
firewalls.
The ongoing unmonitored connection is dangerous: a connection opened by legitimate means can
later carry a malicious actor's traffic uninterrupted, because the gateway never looks at the
payload.
Stateful Inspection Firewall
Stateful inspection firewalls, also called dynamic packet-filtering firewalls, differ from static
filtering in their ability to monitor ongoing connections and remember past ones. These began
by operating on the transport layer (layer 4), but modern ones can inspect several layers,
including the application layer (layer 7).
Like the static filtering firewall, stateful inspection firewalls allow or block traffic based on
technical properties such as packet protocol, IP address, or port. In addition, they track the
state of each connection in a state table (for TCP, whether the handshake has completed; for
UDP and ICMP, whether a matching request has recently been seen) and filter based on it. The
firewall maintains this table itself, adding an entry when a permitted connection is opened and
removing it when the connection closes or times out.
Filtering decisions are still based on the administrator's rules. What the state table adds is
context: a packet arriving from outside is admitted if it belongs to a connection that an inside
host opened and the rules permitted, and rejected otherwise, even if a purely packet-level rule
would have let it through. This is why a single rule such as 'allow outbound HTTPS' is enough
to also let the replies back in, without opening an inbound hole. Stateful inspection's
combination of precision and low overhead has made it one of the most ubiquitous firewall
types available.
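The difference between the static packet filter and the stateful filter is easiest to see on a concrete packet trace. The following Python is an added example and is not part of the original document: it judges the same four constructed packets first with a stateless ACL and then with a stateful filter that keeps its own state table. The addresses (10.0.0.0/24 inside, RFC 5737 documentation ranges outside), the policy ("inside may open HTTPS outward, nothing else comes in") and the rule format are all assumptions made for the example.

```python
"""Stateless ACL vs. stateful inspection, judged over the same constructed packet trace.

Policy (constructed for this example): hosts on 10.0.0.0/24 may open HTTPS
connections outward; nothing else may enter from outside.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # TCP SYN flag (set on the first packet of a connection)
    ack: bool = False   # TCP ACK flag (clear on a genuine new-connection SYN)


def is_internal(ip: str) -> bool:
    return ip.startswith("10.0.0.")


# Stateless ACL rows: (direction, proto, src prefix, sport, dst prefix, dport, action);
# None means "any". First match wins; falling off the end is an implicit deny.
STATELESS_ACL = [
    ("out", "tcp", "10.0.0.", None, None, 443, "allow"),
    # Replies to HTTPS requests must be let back in, but a stateless filter cannot
    # tell a reply from a fresh packet, so it has to admit *anything* from port 443.
    ("in", "tcp", None, 443, "10.0.0.", None, "allow"),
]


def stateless_filter(pkt: Packet) -> str:
    """Judge one packet on its own fields; no memory of earlier packets."""
    direction = "out" if is_internal(pkt.src) else "in"
    for rdir, rproto, rsrc, rsport, rdst, rdport, action in STATELESS_ACL:
        if rdir != direction or rproto != pkt.proto:
            continue
        if rsrc is not None and not pkt.src.startswith(rsrc):
            continue
        if rsport is not None and pkt.sport != rsport:
            continue
        if rdst is not None and not pkt.dst.startswith(rdst):
            continue
        if rdport is not None and pkt.dport != rdport:
            continue
        return action
    return "deny"  # implicit deny-all at the end of the list


class StatefulFilter:
    """Remembers connections opened from inside; admits only their return traffic."""

    def __init__(self) -> None:
        self.state = set()  # 5-tuples of tracked connections (the state table)

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.state or rev in self.state:
            return "allow"  # belongs to a connection we already approved
        # Only a genuine SYN from inside to an outside HTTPS port may create state.
        if (is_internal(pkt.src) and not is_internal(pkt.dst)
                and pkt.proto == "tcp" and pkt.dport == 443 and pkt.syn and not pkt.ack):
            self.state.add(fwd)
            return "allow"
        return "deny"


# Constructed trace: a legitimate HTTPS exchange, then two probes from outside.
TRACE = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True),            # client SYN out
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, syn=True, ack=True),  # server SYN/ACK back
    Packet("198.51.100.7", 443, "10.0.0.5", 22, syn=True),               # probe to SSH, source port 443
    Packet("198.51.100.7", 40000, "10.0.0.5", 443, syn=True),            # probe to 443 from outside
]


def run_trace(trace=TRACE):
    """Return (stateless decision, stateful decision) for each packet, in order."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.filter(p)) for p in trace]


if __name__ == "__main__":
    for pkt, (a, b) in zip(TRACE, run_trace()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  stateless={a}  stateful={b}")
```

The third packet is the point of the example. To let HTTPS replies back in, the stateless ACL has to admit any packet whose source port is 443, so a probe that simply sets its source port to 443 (nmap does this with -g 443) reaches the inside host's SSH port. The stateful filter rejects it because no inside host ever opened a connection to that peer, while the genuine reply in packet two is admitted from the state table alone.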
Proxy Firewall
Proxy Firewalls, also known as application-level firewalls (layer 7), are unique in reading and
filtering application protocols. These combine application-level inspection, or ‘deep packet
inspection (DPI),’ and stateful inspection.
A proxy firewall is as close to an actual physical barrier as it's possible to get. Unlike other types
of firewalls, it acts as an additional two hosts between external networks and internal host
computers, with one as a representative (or ‘proxy’) for each network.
Filtering is based on application-level data rather than just IP addresses, ports, and basic packet
protocols (TCP, UDP, ICMP) as in packet-based firewalls. Reading and understanding FTP, HTTP,
DNS, and other protocols allows more in-depth investigation and cross-filtering on many
different data traits.
Similar to a guard at a doorway, it essentially looks at and evaluates incoming data. If no
problem is detected, the data is allowed to pass through to the user.
The downside to this kind of heavy security is that it sometimes interferes with incoming data
that isn't a threat, leading to functionality delays.
Next-Generation Firewall (NGFW)
Evolving threats continue to demand more intense solutions, and next-generation firewalls stay
on top of this issue by combining the features of a traditional firewall with network intrusion
prevention systems.
Threat-specific next-generation firewalls are designed to examine and identify specific threats,
such as advanced malware, at a more granular level. More frequently used by businesses and
sophisticated networks, they provide a holistic solution to filtering out threats.
Hybrid Firewall
As implied by the name, hybrid firewalls use two or more firewall types in a single private
network.
What Is Firewall Configuration?

A firewall plays a vital role in network security and needs to be properly configured to keep
organizations protected from data leakage and cyberattacks.

Configuration means deciding which addresses, networks, services and (where the firewall
supports it) domain names may talk to which, and encoding that as rules. Firewall policy is
based on the network type, such as public or private, and consists of security rules that block
or allow access to prevent attacks from hackers or malware.
Proper firewall configuration is essential, as default settings are rarely the most restrictive
ones and may not protect against a cyberattack.

Importance of Basic Firewall Configuration

Improper firewall configuration can result in attackers gaining unauthorized access to protected
internal networks and resources. Cyber criminals are constantly on the lookout for networks
that expose outdated software or servers without protection. Gartner highlighted the size of
this issue, predicting that through 2020, 99% of firewall breaches would be caused by firewall
misconfigurations rather than by flaws in the firewalls themselves.

The default settings on most firewalls, and cleartext protocols such as the File Transfer
Protocol (FTP), do not provide the level of protection needed to keep networks secure from
cyberattacks. Organizations must ensure their basic firewall configuration meets the specific
needs of their networks.

How To Configure a Firewall

1. Secure the firewall


Securing a firewall is the vital first step, to ensure that only authorized administrators have
access to it. This includes actions such as:

1. Updating the firewall to the latest firmware
2. Never putting a firewall into production without appropriate configuration in place
3. Deleting, disabling, or renaming default accounts and changing default passwords
4. Using unique, strong passwords (and multi-factor authentication where the firewall
supports it)
5. Never using shared user accounts. If a firewall will be managed by multiple
administrators, each gets their own account, with privileges limited to that person's
responsibilities
6. Disabling the Simple Network Management Protocol (SNMP), which collects and
organizes information about devices on IP networks, or configuring it for secure use
(SNMPv3 with authentication and encryption, not the cleartext community strings of
SNMPv1/v2c)
7. Restricting inbound and outbound traffic to the firewall's own management interface to
the specific applications and TCP ports that administration requires

2. Establish firewall zones and an IP address structure


It is important to identify the network assets and resources that must be protected. This
includes creating a structure that groups corporate assets into zones based on similar function
and level of risk.
A good example of this is servers, such as email servers, virtual private network (VPN) servers,
and web servers, placed in a dedicated zone that limits inbound internet traffic, often referred
to as a demilitarized zone (DMZ). As a general rule, finer segmentation makes the network more
secure, because a compromise in one zone cannot reach the others without passing a firewall
rule.

However, having more zones also demands more time to manage them. With a network zone
structure established, it is also important to establish a corresponding IP address structure
that assigns zones to firewall interfaces and sub-interfaces.

3. Configure access control lists (ACLs)


Access control lists (ACLs) enable organizations to determine which traffic is allowed to flow in
and out of each zone. ACLs act as firewall rules, which organizations can apply to each firewall
interface and subinterface.

ACLs must be made specific to the exact source and destination IP addresses and port numbers.
Each ACL should end with a "deny all" rule, which drops any traffic that no earlier rule
explicitly approved; logging that final rule is also useful, since it shows what the policy is
turning away. Each interface and subinterface needs both an inbound and an outbound ACL to
ensure only approved traffic can reach or leave each zone. It is also advisable to block public
access to the firewall's administration interfaces to protect the configuration, and to disable
unencrypted management protocols such as Telnet and HTTP.

4. Configure other firewall services and logging


Some firewalls can be configured to support other services, such as a Dynamic Host
Configuration Protocol (DHCP) server, intrusion prevention system (IPS), and Network
Time Protocol (NTP) server. It is important to also disable the extra services that will not be
used.

Further, firewalls must be configured to report to a central logging service. This is a
requirement of the Payment Card Industry Data Security Standard (PCI DSS) for organizations
that handle card data, and it is good practice everywhere, since logs kept only on the firewall
are lost if the device fails or is compromised.

5. Test the firewall configuration


With the configurations made, it is critical to test them to ensure the correct traffic is being
blocked and that the firewall performs as intended. The configuration can be tested through
techniques like penetration testing and vulnerability scanning. Remember to back up the
configuration in a secure location in case of any failures during the testing process.
6. Manage firewall continually
Firewall management and monitoring are critical to ensuring that the firewall continues to
function as intended. This includes monitoring logs, performing vulnerability scans, and
regularly reviewing rules. It is also important to document processes and manage the
configuration continually and diligently to ensure ongoing protection of the network.

Mistakes To Avoid When Setting Up a Firewall


Configuring a firewall can present difficulties, most of which can be prevented by avoiding
common mistakes such as:

1. Using overly broad policies or the wrong firewall settings, which can result in server
issues such as Domain Name System (DNS) failures and connectivity problems.
2. Ignoring outgoing traffic. Unfiltered egress lets a compromised host reach a
command-and-control server or exfiltrate data unhindered.
3. Relying solely on a firewall for network security, or on non-standard authentication
methods, which may not protect all corporate resources.
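Steps 3 and 5 of the procedure above, together with the mistakes list, can be turned into checks that run against a policy before it is pushed to the firewall. The Python below is an added example, not from the original document and not any vendor's rule syntax: it models a zone-based policy as an ordered list of rules (first match wins, one ACL per source/destination zone pair) and flags an ACL with no final deny-all, an allow-any from an untrusted zone, unfiltered outbound traffic, cleartext management protocols, and a management interface reachable from the internet. The zone names (internet, dmz, internal, mgmt, firewall) and both sample policies are constructed for the example.

```python
"""Lint a zone-based firewall policy for the configuration mistakes discussed above.

Constructed model: a policy is an ordered list of rules, first match wins, and
each (source zone, destination zone) pair forms one ACL. Zone names are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # None = any port
    action: str            # "allow" or "deny"
    comment: str = ""

    @property
    def broad(self) -> bool:
        """True for an any-protocol, any-port rule."""
        return self.proto == "any" and self.dport is None


UNTRUSTED = {"internet"}
CLEARTEXT_MGMT = {23: "telnet", 80: "http", 161: "snmp v1/v2c"}  # management without encryption
MGMT_PORTS = {22: "ssh", 443: "https", **CLEARTEXT_MGMT}


def lint(policy: List[Rule]) -> List[str]:
    """Return human-readable findings; an empty list means the policy passed every check."""
    acls = {}
    for r in policy:
        acls.setdefault((r.src_zone, r.dst_zone), []).append(r)

    findings = []
    for (src, dst), rules in acls.items():
        last = rules[-1]
        if not (last.action == "deny" and last.broad):
            findings.append(f"{src}->{dst}: ACL does not end with an explicit deny-all")
        for r in rules:
            if r.action != "allow":
                continue
            if r.broad and src in UNTRUSTED:
                findings.append(f"{src}->{dst}: allow-any from an untrusted zone")
            if r.broad and dst in UNTRUSTED:
                findings.append(f"{src}->{dst}: outbound traffic is not filtered")
            if dst == "firewall" and r.dport in CLEARTEXT_MGMT:
                findings.append(f"{src}->{dst}: unencrypted management protocol "
                                f"({CLEARTEXT_MGMT[r.dport]}) allowed")
            if dst == "firewall" and src in UNTRUSTED and (r.broad or r.dport in MGMT_PORTS):
                findings.append(f"{src}->{dst}: management interface reachable from an untrusted zone")
    return findings


# Constructed policy with the mistakes named in the text: no deny-all anywhere,
# Telnet administration from the internet, and unrestricted egress.
BAD_POLICY = [
    Rule("internet", "dmz", "tcp", 443, "allow", "public web"),
    Rule("internet", "firewall", "tcp", 23, "allow", "telnet admin"),
    Rule("internal", "internet", "any", None, "allow", "let users out"),
    Rule("dmz", "internal", "tcp", 3306, "allow", "web tier -> db"),
]

# The same intent written properly: explicit flows, deny-all per ACL, admin only from mgmt.
GOOD_POLICY = [
    Rule("internet", "dmz", "tcp", 443, "allow", "public web"),
    Rule("internet", "dmz", "any", None, "deny", "deny all"),
    Rule("mgmt", "firewall", "tcp", 22, "allow", "ssh admin from mgmt network only"),
    Rule("mgmt", "firewall", "any", None, "deny", "deny all"),
    Rule("internet", "firewall", "any", None, "deny", "no admin from outside"),
    Rule("internal", "internet", "tcp", 443, "allow", "web browsing"),
    Rule("internal", "internet", "udp", 53, "allow", "dns to resolver"),
    Rule("internal", "internet", "any", None, "deny", "deny all"),
    Rule("dmz", "internal", "tcp", 3306, "allow", "web tier -> db"),
    Rule("dmz", "internal", "any", None, "deny", "deny all"),
]


if __name__ == "__main__":
    for name, policy in (("bad", BAD_POLICY), ("good", GOOD_POLICY)):
        print(f"{name}: {lint(policy) or ['no findings']}")
```

The checks are deliberately structural: they need no knowledge of which hosts exist, only of which zones are untrusted and which ports carry management traffic, so the same lint can run in a change-review pipeline before step 5's penetration test confirms the behaviour on the real device.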

DMZ, NAT, and Static IP in Network Security


 Static IP
Giving a device a static IP address improves the predictability and stability of network
management. Static addresses offer constancy, in contrast to dynamic ones, which may change
over time, and this makes network administration easier: a firewall rule written for a static
address keeps meaning the same host. Static IP addresses are the preferred choice for crucial
servers such as DNS or authentication servers that must be reachable and identifiable at all
times. Secure management of static addresses is still essential. A static address does not by
itself reduce the attack surface; a persistent, well-known address is also a persistent target,
and a misconfiguration or breach that exposes a statically addressed server can make it the
focus of targeted attacks. Enterprises should apply strong access restrictions to such hosts and
routinely audit and monitor how static addresses are used in order to prevent unwanted access
(Ribeiro et al., 2022).
 Demilitarized Zone (DMZ)
By creating a boundary between the internal network and the untrusted external network,
typically the internet, the DMZ plays a crucial architectural role. Security is improved by
placing servers in the DMZ, particularly those that must be accessible to the public, such as web
servers. Without a DMZ, an externally facing web server that is compromised may be able to
reach the internal network freely, which could have dire repercussions. By isolating these
servers in the DMZ, enterprises mitigate this danger: the isolation limits lateral movement and
unauthorized access even if a DMZ server is compromised by an outside party.
Careful planning and configuration are necessary for DMZ implementation. Robust access
controls, firewall rules that permit only the specific flows each DMZ service needs (in
particular from the DMZ into the internal network), and routine security audits are all
necessary to maintain the integrity of the DMZ. Organizations should also consider putting
intrusion detection and prevention systems in place to monitor and respond to any threats that
arise within the DMZ (Vega Caicedo, 2023).

Figure 2: Demilitarized Zone (GeeksforGeeks, 2022)


 NAT (Network Address Translation)
Network Address Translation (NAT) separates internal IP addresses from external networks by
rewriting the private addresses of internal hosts to a single public IP address as traffic
leaves, and reversing the translation for the replies. NAT is often described as acting like a
firewall: because an unsolicited packet from outside corresponds to no translation entry, there
is nowhere to deliver it, and direct access to internal devices from the internet is prevented.
This extra degree of concealment offers protection against some kinds of attack, including port
probing of individual internal hosts.

If internal devices were reachable by their own addresses without NAT, attackers could
enumerate each device and target it by IP address. By hiding the internal network structure
and exposing only one public IP address to outside parties, NAT reduces this danger. NAT should
still not be relied on as the security control: any port forwarded to an internal host is fully
exposed, a hostile peer can sometimes reuse an existing translation depending on the NAT
type, and NAT provides no filtering of the traffic it does translate. Explicit firewall rules
remain necessary.
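How a port-address translation table produces the hiding effect described above, and where that effect stops, as an added Python example that is not part of the original document. The class below is a simplified model of PAT behind one public address: the public IP 203.0.113.5, the inside hosts on 192.168.1.0/24 and the outside peers are RFC 5737 documentation addresses chosen for the example, and the address_restricted flag is a simplification of behaviour that real NAT devices differ on.

```python
"""Port-address translation (PAT) behind one public IP, and why it is not a firewall.

Constructed scenario: public IP 203.0.113.5; inside hosts on 192.168.1.0/24.
All addresses are RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Pat:
    def __init__(self, public_ip: str, address_restricted: bool = True, first_port: int = 40000):
        self.public_ip = public_ip
        # Drop inbound packets on a mapping from a host the inside never talked to.
        self.address_restricted = address_restricted
        self.next_port = first_port
        self.out_map = {}    # (inside ip, inside port) -> public port
        self.in_map = {}     # public port -> (inside ip, inside port, remote ip)
        self.forwards = {}   # static DNAT: public port -> (inside ip, inside port)

    def forward_port(self, public_port: int, inside_ip: str, inside_port: int) -> None:
        """Publish an inside service (e.g. a web server) on a public port."""
        self.forwards[public_port] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside->outside packet; create the mapping on first use."""
        key = (pkt.src, pkt.sport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = (pkt.src, pkt.sport, pkt.dst)
            self.next_port += 1
        return Packet(self.public_ip, self.out_map[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet, or return None if it cannot be delivered."""
        if pkt.dst != self.public_ip:
            return None
        if pkt.dport in self.forwards:                # static forward: always delivered
            ip, port = self.forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, ip, port)
        entry = self.in_map.get(pkt.dport)
        if entry is None:
            return None                               # no mapping: nowhere to deliver it
        ip, port, remote = entry
        if self.address_restricted and pkt.src != remote:
            return None                               # mapping exists, but not for this peer
        return Packet(pkt.src, pkt.sport, ip, port)


def demo(address_restricted: bool = True) -> dict:
    """Run the constructed scenario and return what each inbound packet became."""
    nat = Pat("203.0.113.5", address_restricted=address_restricted)
    out = nat.outbound(Packet("192.168.1.20", 51000, "203.0.113.10", 443))
    results = {
        "translated_src": (out.src, out.sport),
        # The server's reply reaches the inside host through the mapping.
        "reply": nat.inbound(Packet("203.0.113.10", 443, "203.0.113.5", out.sport)),
        # An unsolicited probe to a port with no mapping has nowhere to go.
        "probe_ssh": nat.inbound(Packet("198.51.100.7", 40123, "203.0.113.5", 22)),
        # A scanner that guesses the mapped port is stopped only by an address-restricted NAT.
        "probe_mapped": nat.inbound(Packet("198.51.100.7", 40123, "203.0.113.5", out.sport)),
    }
    # Publishing the web server re-exposes it: NAT no longer hides it, only a filter rule can.
    nat.forward_port(80, "192.168.1.10", 80)
    results["forwarded_web"] = nat.inbound(Packet("198.51.100.7", 40124, "203.0.113.5", 80))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The probe to port 22 is dropped only because no mapping exists, not because anything judged it hostile; the probe to the mapped port shows that the outcome then depends on the NAT's own behaviour, and the forwarded web server shows that a published port is as exposed as it would be without NAT. Each of those is a decision the firewall rules should be making explicitly.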
Consider, for example, a TechSecure Solution web server that is not placed in a DMZ but is
connected straight to the internal network. If that server were compromised by an outside
party, it could have uncontrolled access to the internal network, with potentially fatal
results. Isolating such servers within a properly configured demilitarized zone, with the
access controls, firewall rules, audits, and intrusion detection described above, lessens the
chance of lateral movement and unwanted access (Ribeiro et al., 2022).

Figure 3: Network Address Translation (Aakriti, 2022)

2.4 Describe a Method for Assessing and Resolving IT Security Issues


2.4.1 Techniques for Assessment
A thorough process for assessing IT security risks includes the following techniques:
Vulnerability Scanning: Use automated tools to check the network and systems for
vulnerabilities on a continuous basis. This proactive approach finds weaknesses before
malicious actors can exploit them. Web applications, servers, workstations, network devices,
and other internal and external assets should all be included in vulnerability assessments,
and scans should be run both from outside the firewall and from inside each zone, since what
is reachable differs.
Penetration testing: Construct cyberattack scenarios to evaluate how well current security
controls work. A manual approach finds vulnerabilities that automated scans miss, such as
logic flaws and chains of individually minor issues. Penetration testing should mimic
real-world conditions and look for weaknesses in both the human and the technical aspects.
Risk assessment: Determine the likelihood and impact of the threats identified. To prioritize
mitigation, this entails assigning risk scores, understanding the threat environment, and
evaluating the criticality of each asset. To give a comprehensive picture of the organization's
risk position, a thorough assessment should take into account both quantitative and
qualitative factors.
Patch management: Install updates regularly to keep software and systems up to date, and keep
antivirus and anti-malware software current to protect against known flaws. Create a patch
management process that tests updates in a safe environment before applying them to
production systems.
Employee Education: Provide continuous cybersecurity training to raise awareness of security
best practices, reduce the risk of social engineering, and promote a security-aware culture.
Training material should be updated regularly to reflect emerging threats and technologies.
Incident Response Plan: Develop and regularly test an incident response plan to guarantee a
timely and effective response to security incidents. This covers communication methods,
containment strategies, and recovery procedures. Tabletop exercises and simulated incident
scenarios verify that the plan works.
Continuous Monitoring: Put real-time monitoring in place to detect and handle security
incidents quickly. This covers intrusion detection systems, log analysis, and anomaly
detection. Ongoing monitoring gives insight into how the network is behaving and allows
potential threats to be identified and mitigated promptly.
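Step 6 of the configuration procedure ("monitoring logs") and the continuous-monitoring technique above both come down to reading what the firewall records. The Python below is an added example, not from the original document: it parses drop and accept lines in the netfilter LOG format (the FW-DROP and FW-ACCEPT prefixes are assumed log-prefix values), counts drops per source, and flags any source that was dropped on five or more distinct ports within a minute, which is the signature of a port scan against the firewall. The log lines are constructed for the example using RFC 5737 addresses.

```python
"""Scan detection over firewall drop logs (constructed lines in netfilter LOG format).

The FW-DROP / FW-ACCEPT prefixes are assumed log-prefix values; the lines below
are made up for this example and use RFC 5737 documentation addresses.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: one host sweeps six ports in five seconds, a second host is
# dropped twice (an ICMP echo and one SSH attempt), then makes an accepted connection.
LOG_LINES = """\
Mar 12 10:01:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44512 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 12 10:01:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=44513 DPT=22 SYN URGP=0
Mar 12 10:01:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=44514 DPT=23 SYN URGP=0
Mar 12 10:01:04 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=44515 DPT=25 SYN URGP=0
Mar 12 10:01:05 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=44516 DPT=80 SYN URGP=0
Mar 12 10:01:06 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=44517 DPT=443 SYN URGP=0
Mar 12 10:01:07 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.44 DST=203.0.113.5 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar 12 10:01:09 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.44 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=50001 DPT=22 SYN URGP=0
Mar 12 10:01:40 fw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=203.0.113.44 DST=10.0.1.10 LEN=60 PROTO=TCP SPT=50002 DPT=443 SYN URGP=0
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?(?P<prefix>FW-[A-Z]+): "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"   # absent for ICMP lines
)


def parse(line: str):
    """Return the fields of one log line as a dict, or None if it is not a firewall line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # syslog stamps carry no year
    ev["dpt"] = int(ev["dpt"]) if ev["dpt"] else None
    return ev


def drops_by_source(lines) -> Counter:
    """How many packets each source had dropped: the first thing to look at in a log review."""
    return Counter(ev["src"] for ev in map(parse, lines) if ev and ev["prefix"] == "FW-DROP")


def detect_scans(lines, min_ports: int = 5, window_s: int = 60) -> dict:
    """Sources dropped on >= min_ports distinct ports within any window_s-second window."""
    hits = defaultdict(list)
    for ev in map(parse, lines):
        if ev and ev["prefix"] == "FW-DROP" and ev["dpt"] is not None:
            hits[ev["src"]].append((ev["ts"], ev["dpt"]))
    alerts = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over time-ordered drops
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            distinct = {port for _, port in events[start:end + 1]}
            if len(distinct) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    print("drops per source:", dict(drops_by_source(LOG_LINES)))
    print("probable scanners:", detect_scans(LOG_LINES))
```

The second host is dropped twice but never flagged: a few denies from one address are normal, and the threshold is on distinct destination ports within a window, not on volume. Tuning min_ports and window_s against a day of real logs, rather than the constructed lines here, is what turns this into a usable alert.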
Regular Audits and Compliance Checks: Perform routine security audits to assess how well
security policies and controls are working, and ensure adherence to the industry regulations
and standards relevant to the firm's operations. Frequent audits help locate departures from
established security procedures.
