A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.

1. Page 1 of 5
A firewall is a network security device, either hardware or software-based, which monitors all incoming and outgoing traffic and
based on a defined set of security rules it accepts, rejects or drops that specific traffic.
Accept : allow the traffic
Reject : block the traffic but reply with an “unreachable error”
Drop : block the traffic with no reply
A firewall establishes a barrier between secured internal networks and outside untrusted network, such as the Internet.
Before Firewalls, network security was performed by Access Control Lists (ACLs) residing on routers. ACLs are rules that determine
whether network access should be granted or denied to specific IP address.
But ACLs cannot determine the nature of the packet it is blocking. Also, ACL alone does not have the capacity to keep threats out
of the network. Hence, the Firewall was introduced.
Connectivity to the Internet is no longer optional for organizations. However, accessing the Internet provides benefits to the
organization; it also enables the outside world to interact with the internal network of the organization. This creates a threat to the
organization. In order to secure the internal network from unauthorized traffic, we need a Firewall.
Firewall match the network traffic against the rule set defined in its table. Once the rule is matched, associate action is applied to
the network traffic. For example, Rules are defined as any employee from HR department cannot access the data from code server
and at the same time another rule is defined like system administrator can access the data from both HR and technical
department. Rules can be defined on the firewall based on the necessity and security policies of the organization.
From the perspective of a server, network traffic can be either outgoing or incoming. Firewall maintains a distinct set of rules for
both the cases. Mostly the outgoing traffic, originated from the server itself, allowed to pass. Still, setting a rule on outgoing traffic
is always better in order to achieve more security and prevent unwanted communication.
Incoming traffic is treated differently. Most traffic which reaches on the firewall is one of these three major Transport Layer
protocols- TCP, UDP or ICMP. All these types have a source address and destination address. Also, TCP and UDP have port
numbers. ICMP uses type code instead of port number which identifies purpose of that packet.
Default policy: It is very difficult to explicitly cover every possible rule on the firewall. For this reason, the firewall must always
have a default policy. Default policy only consists of action (accept, reject or drop).
Suppose no rule is defined about SSH connection to the server on the firewall. So, it will follow the default policy. If default policy
on the firewall is set to accept, then any computer outside of your office can establish an SSH connection to the server. Therefore,
setting default policy as drop (or reject) is always a good practice.
Firewalls can be categorized based on its generation.
1. First Generation- Packet Filtering Firewall : Packet filtering firewall is used to control network access by
monitoring outgoing and incoming packet and allowing them to pass or stop based on source and destination IP address,
protocols and ports. It analyses traffic at the transport protocol layer (but mainly uses first 3 layers).
Packet firewalls treat each packet in isolation. They have no ability to tell whether a packet is part of an existing stream of
traffic. Only It can allow or deny the packets based on unique packet headers.
Packet filtering firewall maintains a filtering table which decides whether the packet will be forwarded or discarded. From the
given filtering table, the packets will be Filtered according to following rules:

2. Page 2 of 5
1. Incoming packets from network 192.168.21.0 are blocked.
2. Incoming packets destined for internal TELNET server (port 23) are blocked.
3. Incoming packets destined for host 192.168.21.3 are blocked.
4. All well-known services to the network 192.168.21.0 are allowed.
2. Second Generation- Stateful Inspection Firewall : Stateful firewalls (performs Stateful Packet Inspection) are able to
determine the connection state of packet, unlike Packet filtering firewall, which makes it more efficient. It keeps track of the
state of networks connection travelling across it, such as TCP streams. So the filtering decisions would not only be based on
defined rules, but also on packet’s history in the state table.
3. Third Generation- Application Layer Firewall : Application layer firewall can inspect and filter the packets on any OSI
layer, up to the application layer. It has the ability to block specific content, also recognize when certain application and
protocols (like HTTP, FTP) are being misused.
In other words, Application layer firewalls are hosts that run proxy servers. A proxy firewall prevents the direct connection
between either side of the firewall, each packet has to pass through the proxy. It can allow or block the traffic based on
predefined rules.
Note: Application layer firewalls can also be used as Network Address Translator(NAT).
4. Next Generation Firewalls (NGFW) : Next Generation Firewalls are being deployed these days to stop modern security
breaches like advance malware attacks and application-layer attacks. NGFW consists of Deep Packet Inspection, Application
Inspection, SSL/SSH inspection and many functionalities to protect the network from these modern threats.
Firewalls are generally of two types: Host-based and Network-based.
1. Host- based Firewalls : Host-based firewall is installed on each network node which controls each incoming and outgoing
packet. It is a software application or suite of applications, comes as a part of the operating system. Host-based firewalls are
needed because network firewalls cannot provide protection inside a trusted network. Host firewall protects each host from
attacks and unauthorized access.
2. Network-based Firewalls : Network firewall function on network level. In other words, these firewalls filter all incoming and
outgoing traffic across the network. It protects the internal network by filtering the traffic using rules defined on the firewall. A
Network firewall might have two or more network interface cards (NICs). A network-based firewall is usually a dedicated
system with proprietary software installed.
A firewall is a network security system which monitors and takes actions on the ingoing or outgoing packets based on the defined
rules. It can be a hardware device or a software.
An organisation that cannot afford a hardware firewall device uses an alternative i.e implementing firewall features on Cisco IOS
router by using CBAC or by using Zone-based firewall.CBAC is a predecessor to Zone-based firewall.
Zone-based Firewall –
A Zone-based firewall is an advanced method of stateful firewall. In stateful firewall, a stateful database is maintained in which
source IP address, destination IP address, source Port number, destination port number is recorded. Due to this, only the replies
are allowed i.e if the traffic is Generated from inside the network then only the replies (of inside network traffic) coming from
outside the network is allowed.
Cisco IOS router can be made firewall through two methods:
1. By using CBAC: create an access-list and apply it to the interfaces keeping in mind what traffic should be allowed or denied
and in what direction. This has an extra overhead for the administrator.
2. Using a Zone-based firewall.
Terms:
1. Zone – A zone is a logical area in which the devices having same trust levels resides. After creating a zone, an interface is
assigned to a zone.By default, traffic is not allowed from one zone to another.

3. Page 3 of 5
For example, first we create a zone called inside then if the router interface fa0/0 resides on the most trusted network which
we name as inside, then fa0/0 is assigned to inside zone.
2. Zone-pair – Policies are defined in which traffic is identified (what type of traffic) then what action should be taken (Inspect
Denied, permit). Then we have to apply this policies to a zone-pair. A zone-pair is always unidirectional. If we want to make it
bidirectional then we have to create another zone-pair.
For instance, we want to allow the traffic from inside to outside network then we have to create a zone-pair. If we have
chosen the action inspect then the reply is permitted from outside the network if the traffic is generated from the inside
network (stateful filtering).
Now, if we want to allow outside traffic to be able to reach inside network then we have to make a separate zone-pair. This
zone-pair will allow the traffic to reach the inside network if the traffic is generated from the outside network.
3. Self-zone – Traffic destined to the router itself, irrespective of which device has send, is known as self zone. The traffic
generated from router is known as traffic coming from self-zone. Traffic going to router is considered as traffic going to Self-
zone. By default, the traffic to or from the Self-zone is allowed however it can be changed according to the policies applied.
Working:
First, the zones are defined and named. Although, we can give any name but by naming convention that makes sense, name the
zones as inside, outside and DMZ.
 inside: The most trusted (private) network.
 outside: The most untrusted (public) network.
 DMZ: (public zone) contains devices like servers.
Now, as zones have been named, policies are created which will include what type of traffic is allowed to be generated and allowed
to go through from inside network to outside network and what actions (such as inspect [stateful inspection]) should be taken on
the traffic.
The actions can be:
 inspect: an entry will be made in stateful database for the protocols (for which the policies has been applied) so that the
replies (for inside network) can come back.
 drop: default action if the traffic does not match the policies.
 pass: the traffic will be allowed from one zone to another but no session is maintained.
The traffic which will not match the policies will be dropped due to default policy. This policies will be defined for one direction
(such as inside to outside) in a zone pair.
If conditions requires to allow initial traffic to be generated in both directions (inside to outside network and outside to inside
network), then two separate zone-pairs will be created and separate policies are applied.
Advantages – Some of the advantages are:
1. By default, the traffic is blocked unlike CBAC. In Zone-based firewall, no traffic is allowed from one zone to another while in
CBAC, all traffic is allowed if no explicit ACL is applied.
2. Unlike CBAC, Zone-based firewall is no heavily dependent on ACL.
3. It is easy to add another interface as only the zone has to be declared to which the interface belongs as all the policies will be
same as applied explicitly before for that zone.

4. Page 4 of 5
A firewall is a network security system which monitors and takes actions (permit or deny traffic) on the basis of policies defined
explicitly.It can be performed by a single device, group of devices or by software running on a single device like server.
Cisco ASA has the biggest share in the market while there are other vendors of firewall also like checkpoint, Juniper etc.
Firewall Methodologies –
There are certain methods through which firewall can be implemented. These are as follows:
1. Static packet filtering – Packet filtering is a firewall technique used to control access on the basis of source IP address,
destination IP address, source Port number and destination port number. It works on layer 3 and 4 of OSI model.Also, an ACL
doesn’t maintain the state of session. A router with ACL applied on it is an example of static packet filtering.
Advantages –
 If the administrator has a good knowledge of network, it is easy to implement.
 It can be configured on almost all routers.
 It has minimal effect on network performance.
Disadvantage –
 Large amount of ACLs are difficult to maintain.
 ACLs uses IP address for filtering. If someone spoofs the same source IP address then that will be allowed by ACL.
2. Stateful packet filtering –
In stateful packet filtering, the state of the sessions are maintained i.e when a session is initiated within a trusted network, it’s
source and destination IP address, source and destination ports and other layer information are recorded. By default, all the
traffic from untrusted network is denied.
The replies of this session will be allowed only when the IP addresses (source and destination IP address) and port numbers
(source and destination )are swapped.
Advantages –
 Dynamic in nature as compared to static packet filtering.
 Not susceptible to IP spoofing.
 Can be implemented on routers.
Disadvantage –
 Might not be able to prevent application layer attack.
 Some applications open dynamic ports on the server side, if the firewall is analysing this, it can cause application failure.
This is where application inspection comes into use.
3. Proxy firewalls –
These are also known as application layer firewalls. Proxy firewall acts as an intermediary between the original client and the
server. No direct connection takes place between the original client and the server.
The client, who has to establish a connection directly to the server to communicate with it, now have to establish a connection
with proxy server. The proxy server then establishes a connection with the server on the behalf of client. Now, the client sends
the data to the proxy server and proxy server forwards it to the server. Proxy server can operate upto layer 7 (application
layer).
Advantage –
 Difficult to attack server as proxy server is the intermediate between the client and the server.
 Can provide detailed logging.
 Can be implemented on common hardware.
Disadvantage –
 Processor intensive
 Memory and disk intensive
 Single point of failure in network security
4. Application inspection –
These can analyze the packet upto layer 7 (deep inspection) but can’t act as a proxy server. These can deeply analyze
conversation between a client and server even when the server is assigning a dynamic port to the client therfore it doesn’t fail
in these cases (which can occur in stateful firewall).
Advantages –
 Can analyze deeper into the conversation between the server and the client.
 If there is a protocol anamoly happening from standard then it can deny the packets.
5. Transparent firewall –
By default, the firewall operates at layer 3 but the benefit of using transparent firewall is that it can operate at layer 2.It has 2

5. Page 5 of 5
interfaces which will act like a bridge so can be configured through a single management IP address. Also, users accessing the
network will not even know about that a firewall exists.
The main advantage of using transparent firewall is that we don’t need to re-address our networks while putting up a firewall
in our network. Also, while operating at layer 2, it can still perform functions like building stateful database, application
inspection etc.
6. Network Address Translation (NAT) –
NAT is implemented on a router or firewall. NAT is used to translate private IP address into a public IP address through which
we can hide our source IP address.
And if we are using dynamic NAT or PAT, an attacker will not be able to know that what devices are dynamically assigned
which IP address from the pool. This makes difficult to make a connection from outside world to our private network.
7. Next-Generation Firewalls –
NGFWs are third generation security firewall that is implemented in either in software or device. It combines basic firewall
properties like static packet filtering, application inspection with advanced security features like integrated intrusion prevention
system. Cisco AAA with firePOWER services is an example of Next-Generation firewall.