
Firewall 101

(almost) All you need to know about


Safeguarding Your Digital Fortress

Vitoria Baldan

Computer Software Engineering - Hanyang University

What is a firewall?
A firewall is a network security device or software that acts
as a barrier between an internal network and external
networks, such as the internet. It monitors and controls
incoming and outgoing network traffic based on
predetermined security rules. The primary objective of a
firewall is to enforce security policies and prevent
unauthorized access, while allowing legitimate
communication to pass through.

Contents

1 - How does a Firewall work
2 - Importance of Firewalls
3 - Packet-Filtering Firewalls
4 - Stateful Inspection Firewalls
5 - Proxy Firewalls
6 - Next-Generation Firewalls (NGFW)
7 - AI Firewalls
8 - Firewall and SDN
9 - Firewall Limitations
10 - Demonstration

How does a Firewall work?

1 - Traffic Analysis
2 - Rule-Based Filtering
3 - Access Control
4 - Logging and Auditing

Why do we need a firewall?

Access Control
Firewalls act as gatekeepers, determining which network
traffic is allowed to enter or exit a network.

Threat Mitigation
Firewalls act as the first line of defense against various
network threats, such as unauthorized access, malware,
viruses, and denial-of-service (DoS) attacks.

Application Control
Many firewalls provide application-layer inspection, allowing
granular control over network traffic based on specific
applications or protocols.

Logging and Monitoring
Firewalls generate logs and provide monitoring capabilities.

Packet-Filtering Firewalls

Basic Operation and Principles
Examine individual packets of network traffic and make filtering
decisions based on criteria such as source/destination IP
addresses, port numbers, and protocols.

Advantages and Limitations
Advantages: Simplicity, performance, transparency
Limitations: Limited context awareness, vulnerability to IP
spoofing, inadequate for application-level filtering

Use Cases and Examples
Can be used as perimeter security, small network environments
Examples: pfctl (macOS), iptables (Linux), Windows Firewall
(Microsoft Windows), and Access Control Lists (Cisco IOS)

Examining IP Addresses, Ports, and Protocols
Packet-filtering firewalls inspect packet headers to
determine if they match specific filtering criteria. The key
attributes examined include IP addresses, ports and
protocols.

Stateful Inspection Firewalls

Enhanced Security compared to Packet-Filtering Firewalls
Stateful inspection firewalls build upon the basic functionality of
packet-filtering firewalls by adding an additional layer of security.
They not only examine individual packets but also keep track of
the state and context of network connections.

Handling of Complex Protocols
They can interpret and monitor the state of TCP (Transmission
Control Protocol) connections, which are widely used for reliable
data transmission.

Balancing Security and Performance
Advancements in hardware and software optimizations have
significantly improved the performance of stateful inspection
firewalls, making them suitable for high-speed networks.

Inspection of Packet Headers and Session Information
Stateful inspection firewalls examine not only the headers of
individual packets but also the associated session information. They
analyze the packet's source/destination IP addresses, port numbers,
sequence numbers, acknowledgment numbers, and other relevant
connection-related data.
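
The difference between the packet-filtering and stateful inspection firewalls described above, as an added Python example that is not part of the original slides: the same policy is written once as a stateless header check and once with a connection table. The 192.0.2.0/24 inside network, the sample packets and all names are constructed; sequence-number checks, FIN teardown and timeouts are left out.

```python
import ipaddress
from collections import namedtuple

INSIDE = ipaddress.ip_network("192.0.2.0/24")     # constructed internal range
# flags holds the TCP flags as letters: "S", "SA", "A", "RA", ...
Packet = namedtuple("Packet", "src sport dst dport flags")

def inside(addr):
    return ipaddress.ip_address(addr) in INSIDE

def packet_filter(p):
    """Stateless: decides from this one packet's header fields alone."""
    if inside(p.src) and p.dport == 443:
        return "pass"                             # outbound HTTPS
    if inside(p.dst) and p.sport == 443 and "A" in p.flags:
        return "pass"                             # has ACK, so it looks like a reply
    return "block"

class StatefulFilter:
    """Same policy, but a reply must belong to a connection the inside opened."""
    def __init__(self):
        self.table = {}            # (client, cport, server, sport) -> state
    def check(self, p):
        if inside(p.src):                         # outbound direction
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S" and p.dport == 443:
                self.table[key] = "SYN_SENT"      # new connection attempt
            elif key not in self.table:
                return "block"
        else:                                     # inbound direction
            key = (p.dst, p.dport, p.src, p.sport)
            state = self.table.get(key)
            if state == "SYN_SENT" and p.flags in ("SA", "RA"):
                self.table[key] = "ESTABLISHED"   # handshake answered (or refused)
            elif state != "ESTABLISHED" or "S" in p.flags:
                return "block"                    # no session matches this packet
        if "R" in p.flags:
            self.table.pop(key, None)             # a reset ends the session
        return "pass"

# Constructed traffic: a real handshake, then an unsolicited ACK from port 443.
SYN = Packet("192.0.2.20", 51000, "198.51.100.5", 443, "S")
SYNACK = Packet("198.51.100.5", 443, "192.0.2.20", 51000, "SA")
STRAY = Packet("203.0.113.9", 443, "192.0.2.20", 51001, "A")

if __name__ == "__main__":
    fw = StatefulFilter()
    for p in (SYN, SYNACK, STRAY):
        print(p.src, p.flags, "stateless:", packet_filter(p), "stateful:", fw.check(p))
```

The stateless filter passes all three packets, while the stateful filter blocks the third because no tracked connection matches it.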

Proxy Firewalls

How Proxy Firewalls Work
Proxy firewalls act as intermediaries between client devices
and the target servers.

Application-Level Gateway
Proxy firewalls operate at the application layer (Layer 7) of
the network protocol stack. They can understand and
interpret the application-layer protocols being used, such
as HTTP, FTP, SMTP, or DNS. By understanding the content
and context of application-layer protocols, proxy firewalls
can enforce more granular security policies and perform
deep inspection of network traffic.

Benefits of Proxy Firewalls
Enhanced Security, Anonymity and Privacy, Content Filtering,
Caching and Performance.

Examples of Proxy Firewall Implementations
Web Proxy, FTP Proxy, SMTP Proxy, SOCKS Proxy

Next-Generation Firewalls (NGFW)

Advanced Features and Capabilities
Next-Generation Firewalls (NGFWs) are advanced security
appliances or software that combine the capabilities of traditional
firewalls with additional features to provide enhanced security and
visibility. They go beyond basic packet filtering and offer a range of
advanced capabilities, including:

Application Awareness
User Identity Awareness
Threat Prevention
Virtual Private Network (VPN) Support
Centralized Management

Intrusion Prevention Systems (IPS)
NGFWs often integrate intrusion prevention systems (IPS)
capabilities. IPS functionality goes beyond simple traffic filtering by
actively inspecting network traffic for known attack signatures,
behavior anomalies, and suspicious patterns.

Deep Packet Inspection
NGFWs employ deep packet inspection (DPI) to examine the
contents of network packets beyond just the packet headers. DPI
enables the firewall to analyze the payload of application-layer
protocols, including encrypted traffic, to detect and prevent
advanced threats.

Integration with Threat Intelligence
NGFWs can integrate with threat intelligence feeds and
services to enhance their security capabilities.


AI Firewall

Behavioral Analysis
AI firewalls leverage machine learning algorithms to
analyze the behavior of network traffic and identify
patterns associated with normal or abnormal activities.

Anomaly Detection
AI firewalls excel at detecting anomalies that may go
unnoticed by traditional rule-based firewalls. They can
identify unusual patterns, traffic spikes, or suspicious
network activities that deviate from established norms.

Threat Intelligence Integration
AI firewalls can integrate with threat intelligence feeds and
databases to enhance their detection capabilities.

Automation and Adaptive Security
AI firewalls have the ability to adapt and self-learn based on
network behavior and evolving threats.

Deep Packet Inspection
By inspecting the payload of application-layer protocols, they can
detect and prevent advanced threats, including encrypted attacks,
malware, or command-and-control communications.

User and Entity Behavior Analytics (UEBA)
By correlating network traffic patterns with user behavior, they can
detect insider threats, compromised user accounts, or abnormal
user activities.

Firewall and SDN

SDN-enabled Firewall Management
SDN controllers can dynamically push firewall rules and
policies to network devices, including firewalls, making it
easier to implement changes, enforce security policies, and
respond to security threats in real-time.

Enhanced Security with SDN and Firewalls
SDN can enhance the capabilities of firewalls by providing
increased visibility and control over network traffic. SDN
controllers can gather network flow information from
switches and provide it to firewalls for more intelligent
decision-making. This allows firewalls to make context-aware
decisions based on factors like user identity,
application type, and network behavior, leading to more
effective threat detection and mitigation.

Firewall Limitations

Insider Threats and Social Engineering
Encrypted Traffic Challenges
Evolving Cyber Threats
Application-Layer Vulnerabilities

Demonstration - Setting firewall rules using Python

pfctl is a command-line utility on macOS and other BSD-based
operating systems that is used to configure and manage the Packet
Filter (PF) firewall.

Set rules for:
Protocol
Port
IPs
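
One way the demonstration could look in Python, as an added example rather than the presenter's original code: it builds PF rules from a protocol, a port and a source IP or network, validates each field, and hands the ruleset to pfctl on standard input. The anchor name firewall101.demo, the function names and the sample policy are assumptions.

```python
import ipaddress
import shutil
import subprocess

ANCHOR = "firewall101.demo"      # hypothetical anchor name (assumption)
PROTOCOLS = {"tcp", "udp"}

def pf_rule(action, proto, source, port, direction="in"):
    """Return one PF rule line, rejecting anything that is not a plain
    action / protocol / network / port so no free text reaches pfctl."""
    if action not in ("pass", "block") or direction not in ("in", "out"):
        raise ValueError("action must be pass/block, direction in/out")
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol: {proto!r}")
    if type(port) is not int or not 1 <= port <= 65535:
        raise ValueError(f"invalid port: {port!r}")
    # ip_network() raises ValueError on anything that is not an address/CIDR
    src = "any" if source == "any" else str(ipaddress.ip_network(source))
    return f"{action} {direction} quick proto {proto} from {src} to any port {port}"

def build_ruleset(specs):
    """specs: (action, proto, source, port) tuples; 'quick' makes first match win."""
    return "".join(pf_rule(*spec) + "\n" for spec in specs)

def load_ruleset(ruleset, dry_run=True):
    """Feed the ruleset to pfctl on stdin; -n only parses, it loads nothing.
    Loading for real needs root and an `anchor "firewall101.demo"` line in
    the main ruleset, otherwise the anchor is never evaluated."""
    cmd = ["pfctl", "-a", ANCHOR, "-f", "-"]
    if dry_run:
        cmd.insert(1, "-n")
    return subprocess.run(cmd, input=ruleset, text=True, capture_output=True)

# Constructed sample policy (documentation address ranges).
SPECS = [
    ("block", "tcp", "203.0.113.0/24", 22),   # no SSH from this network
    ("pass",  "tcp", "198.51.100.7",   22),   # SSH from one admin host
    ("pass",  "tcp", "any",            443),  # HTTPS from anywhere
    ("block", "udp", "any",            53),   # no inbound DNS
]

if __name__ == "__main__":
    rules = build_ruleset(SPECS)
    print(rules, end="")
    if shutil.which("pfctl"):                 # macOS / BSD only
        result = load_ruleset(rules, dry_run=True)
        print("pfctl -n exit code:", result.returncode)
```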
Questions?
