3.2.4 Firewall Types
WAF, UTM, NGFW, Layer 4/7.
Firewalls are network security devices that monitor and filter incoming and outgoing network traffic based on an organization’s previously established security policies.
Packet Filtering and Stateful Inspection - Packet Filtering: Operates at Layer 3 (Network) and Layer 4 (Transport). It inspects headers—source/destination IP and port numbers—using Access Control Lists (ACLs). - Stateful Inspection: Maintains a record of active connections (state table). It remembers the "context" of a conversation, ensuring incoming packets are part of an established, valid session. - Stateless Filtering: Examines packets in isolation without context, making it faster but less secure against complex session-based attacks.
Next-Generation Firewall (NGFW) - Deep Packet Inspection (DPI): Looks beyond the header to analyze the actual data payload. - Application Awareness: Operates at Layer 7 to identify specific applications (e.g., blocking Facebook but allowing LinkedIn) rather than just blocking ports. - Integrated IDS/IPS: Combines signature-based and anomaly-based detection within the firewall hardware. - User Identity: Can tie traffic to specific user accounts rather than just IP addresses.
Web Application Firewall (WAF) - Layer 7 Protection: Specifically designed to protect web servers and applications from HTTP-based attacks. - Threat Mitigation: Defends against Cross-Site Scripting (XSS), SQL Injection, and other OWASP Top 10 vulnerabilities. - Placement: Often situated in front of a web server or as a cloud-based service to inspect incoming POST and GET requests.
Unified Threat Management (UTM) - All-in-One Appliance: Consolidates multiple security functions into a single box to simplify management. - Features: Typically includes a firewall, content filtering, Gateway Antivirus, anti-spam, and sometimes a VPN concentrator. - Trade-offs: Creates a single point of failure; if the UTM goes down, all security services for that segment fail.
Proxy Servers and Gateways - Forward Proxy: Acts as an intermediary for internal clients reaching out to the internet, often used for content filtering and caching. - Reverse Proxy: Protects internal web servers by handling client requests and passing them to the backend, providing load balancing and obfuscation. - Transparent Proxy: Intercepts traffic at the network level without requiring client-side configuration.
Exam tips - Trigger words: If the question mentions "SQL injection" or "HTTP headers," think WAF. - Performance: Stateful firewalls are generally more secure but more resource-intensive than simple packet filters. - Identification: Use STIGs (Security Technical Implementation Guides) to standardize the configuration of these firewall types across a fleet. - Architecture: NGFWs are the standard for modern enterprise perimeters because they handle Layer 2 through Layer 7.