
Basic Firewall and Secure Packet Flow

Uploaded by

Tanvir Aklas

- A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
- Firewalls have been a first line of defense in network security for over 25 years. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet.
- A firewall can be hardware, software, software-as-a-service (SaaS), public cloud, or private cloud (virtual).
- Firewalls are classified based on:
  - the system they protect
  - form factor
  - placement within the network infrastructure
  - data filtering method
Network Firewall

- A network firewall is positioned at the juncture between trusted and untrusted networks, such as internal systems and the internet.

Primary Role
- It monitors, controls, and decides on the validity of incoming and outgoing traffic based on a predefined set of rules.
- These rules are designed to prevent unauthorized access and maintain network integrity.

Operational Procedure
- Its key ability is to scrutinize each data packet.
- By comparing packet attributes like source and destination IP addresses, protocol, and port numbers to its established rules, it effectively blocks potential threats.

Additional
- Beyond simple traffic regulation, network firewalls offer logging capabilities. Logs assist administrators in tracking and probing suspicious activities.
Host-Based Firewall

- A host-based firewall is software that operates on a single device within a network. It is installed directly onto individual computers or devices, offering a focused layer of protection against potential threats.

Operational View
- By examining the incoming and outgoing traffic of that specific device, it effectively filters harmful content.
- It ensures that malware, viruses, and other malicious activities do not infiltrate the system.

Usage Scenario
- In environments where network security is paramount, host-based firewalls complement perimeter-based solutions.
- While perimeter defenses secure the broader network's boundaries, host-based firewalls bolster security at the device level.
- This dual protection strategy ensures that even if a threat surpasses the network's primary defenses, individual computers remain shielded.
Hardware Firewall

A hardware firewall is a physical device placed between a computer or network and its connection to the internet. It operates independently of the host device, examining inbound and outbound traffic to ensure compliance with set security rules.

Operational Overview
- Deploying a hardware firewall involves connecting it directly between the internet source and the target network or system.
- Once implemented, all internet traffic, whether incoming or outgoing, must pass through this device.
- It inspects each data packet, and decisions are made based on predefined security policies.
- Malicious or suspicious traffic is blocked, so only safe and legitimate data reaches the internal network.
- Threats are intercepted before reaching internal systems, offering a proactive approach to network security.
Software Firewall

- A software firewall is a firewall in a software form factor rather than a physical appliance, which can be deployed on servers or virtual machines to secure cloud environments.

Operational Overview
- Software firewalls are designed to protect sensitive data, workloads and applications in environments where it is difficult or impossible to deploy physical firewalls.
- Software firewalls embody the same firewall technology as hardware firewalls (also known as next-generation firewalls or NGFWs).
- They offer multiple deployment options to match the needs of hybrid/multi-cloud environments and modern cloud applications.
- Software firewalls can be deployed into any virtualized network or cloud environment.

Types of software firewalls:
- Container Firewalls
- Virtual Firewalls
- Cloud Firewalls
- Managed Service Firewalls

Container Firewall

- A container firewall is a software version of a next-generation firewall, purpose-built for Kubernetes environments.
- Container workloads embedded in Kubernetes environments can be difficult to secure with traditional firewalls.
- Consequently, container firewalls help network security teams safeguard developers with deep security integration into Kubernetes orchestration, preventing modern application attacks and data exfiltration.
Virtual Firewall

- A virtual firewall is a virtualized instance of a next-generation firewall, used in virtual and cloud environments to secure east-west and north-south traffic. They are sometimes referred to as "cloud firewalls."
- Virtual firewalls are a type of software firewall which can inspect and control north-south perimeter network traffic in public cloud environments, as well as segment east-west traffic inside physical data centers and branches.
- Virtual firewalls offer advanced threat prevention measures via micro-segmentation.
Cloud Firewall

- The term "cloud firewall" aligns most closely with the concept of a virtual firewall.
- These are software-based mechanisms anchored in the cloud, primarily responsible for sifting out malevolent network traffic.
- The cloud delivery model has led to their common identification as firewall-as-a-service (FWaaS).
Managed Service Firewall

- Software firewalls are also available as a managed service, similar to many other software-as-a-service (SaaS) offerings.
- Some managed service firewall offerings provide a flexible way to deploy application-level (Layer 7) security without the need for management oversight.
- As managed services, some of these firewalls can be quickly scaled up and down.
Hardware Firewall vs. Software Firewall

Hardware firewall:
- a standalone physical device
- monitors and controls both incoming and outgoing network traffic based on predefined security policies
- deployment of a hardware firewall requires skilled personnel

Software firewall:
- operates within a server or virtual machine
- runs on a security-centric operating system, typically layered over generic hardware resources
- can often be rapidly implemented using cloud automation tools
Firewalls by placement within the network infrastructure:
- Internal Firewall
- Distributed Firewall
- Perimeter Firewall
Next-Generation Firewall

A next-generation firewall (NGFW) extends the capabilities of traditional firewalls, offering more comprehensive security solutions:
- enhanced features to understand and control application traffic
- integrated intrusion prevention mechanisms
- use of cloud-sourced threat intelligence
- meticulous inspection of data packets, accounting for the intricate nuances of modern cyber threats
Packet-Filtering Firewall

- Packet-filtering firewalls rely on pre-defined rules that evaluate specific attributes of the packets such as source IP, destination IP, ports, and protocols.
- If the attributes match the established rules, the packet is allowed to pass through. If not, the packet is blocked.
- Types of packet-filtering firewalls can be further broken down into static packet-filtering firewalls, dynamic packet-filtering firewalls, stateless packet-filtering firewalls, and stateful packet-filtering firewalls.
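As an added illustration (not from the slides or the vendors they cite), the rule evaluation described above in Python: a first-match rule table over protocol, source and destination CIDR and destination port, with an implicit default-deny when nothing matches. The rule table and the sample packets are constructed for this example.

```python
import ipaddress

# Constructed rule table (not from the original slides).
# Each rule: (action, protocol, src_cidr, dst_cidr, dst_port). First match wins;
# a packet that matches no rule is dropped (default deny).
RULES = [
    ("allow", "tcp", "0.0.0.0/0",  "203.0.113.10/32", 443),  # public HTTPS to web server
    ("allow", "tcp", "10.0.0.0/8", "203.0.113.20/32", 22),   # SSH only from internal range
    ("deny",  "tcp", "0.0.0.0/0",  "203.0.113.20/32", 22),   # everyone else: no SSH
    ("allow", "udp", "10.0.0.0/8", "203.0.113.53/32", 53),   # internal DNS
]

def _matches(rule, packet):
    """Compare only header attributes: protocol, addresses, destination port."""
    _action, proto, src_cidr, dst_cidr, dst_port = rule
    return (proto == packet["proto"]
            and ipaddress.ip_address(packet["src"]) in ipaddress.ip_network(src_cidr)
            and ipaddress.ip_address(packet["dst"]) in ipaddress.ip_network(dst_cidr)
            and (dst_port is None or dst_port == packet["dport"]))

def filter_packet(packet, rules=RULES):
    """Stateless decision; returns (verdict, index of the matching rule or None)."""
    for index, rule in enumerate(rules):
        if _matches(rule, packet):
            return rule[0], index
    return "deny", None   # implicit default-deny

# Constructed sample packets (RFC 5737 documentation addresses).
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.20", "dport": 22},
    {"proto": "tcp", "src": "10.20.30.40",  "dst": "203.0.113.20", "dport": 22},
    {"proto": "udp", "src": "10.20.30.40",  "dst": "203.0.113.53", "dport": 53},
    {"proto": "tcp", "src": "10.20.30.40",  "dst": "203.0.113.99", "dport": 80},
]

def run_samples():
    """Verdict for each sample packet, in order."""
    return [filter_packet(p)[0] for p in SAMPLE_PACKETS]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, run_samples()):
        print(f"{p['proto']} {p['src']} -> {p['dst']}:{p['dport']}  {verdict}")
```

Note that this stateless filter has no way to recognise the web server's reply on port 443 as belonging to an allowed request; it would need a separate return-traffic rule, which is exactly the gap that stateful inspection closes.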
Circuit-Level Gateway

- A circuit-level gateway oversees and validates the handshaking process between packets, specifically for TCP and UDP connections.
- It examines the handshake process and the IP addresses associated with packets.
- It primarily focuses on header information, ensuring the traffic aligns with the firewall's rule set without delving into the actual content of the data packets.

Operational Overview
- When a user seeks to initiate a connection with a remote host, the circuit-level gateway establishes a circuit, which is essentially a virtual connection between the user and the intended host.
- This gateway then supervises the traffic traversing this circuit. It ensures traffic aligns with an already established connection, permitting only verified and authorized traffic to pass.
- When data packets meet these criteria, the firewall facilitates a connection, allowing either the Transmission Control Protocol or the User Datagram Protocol to communicate with the destination server on the user's behalf.
- If packets do not meet the criteria, the gateway rejects the connection, effectively ending the session.
Web Application Firewall (WAF)

- A WAF functions by examining and filtering HTTP traffic, thereby safeguarding web applications from threats like cross-site scripting (XSS), SQL injection, and file inclusion.
- WAFs differentiate themselves by operating at Layer 7, specifically targeting application-layer threats.
- Positioned in front of web applications, WAFs act as reverse proxies.
- This means that they intercept and inspect requests bound for the web application.
Stateful Inspection Firewall

- Stateful inspection firewalls are integral in active network connection monitoring.
- They track connections.
- They analyze the context of incoming and outgoing traffic.
- They work on Layers 3 and 4 of the Open Systems Interconnection (OSI) model.
- They inspect packets: each data packet is scrutinized to determine if it matches the attributes of previously recognized safe connections.

Example with TCP
- A practical example of stateful inspection's ability is its interaction with the Transmission Control Protocol (TCP).
- TCP facilitates the simultaneous sending and receiving of data and uses a three-way handshake process to establish connections.
- The handshake involves synchronization (SYN), synchronization-acknowledge (SYN-ACK), and acknowledgment (ACK).
- The stateful firewall utilizes this process to recognize potential threats by examining packet contents during the handshake.
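The following added example (not part of the slides) serves both the circuit-level gateway description above and this stateful inspection slide: a minimal stateful TCP inspector that walks each connection through SYN, SYN-ACK and ACK and passes later packets only when they belong to a connection whose handshake it witnessed. The trusted address range, the packet layout and the trace are constructed assumptions for the demo.

```python
# Constructed example (not from the slides): a minimal stateful TCP inspector.
# It follows the three-way handshake (SYN, SYN-ACK, ACK) per connection and only
# passes packets that belong to a connection it saw being set up correctly.
# Assumed policy: only the trusted side (TRUSTED_NET) may initiate connections.
import ipaddress

TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")

class StatefulFirewall:
    def __init__(self):
        self.table = {}   # (client, cport, server, sport) -> handshake state

    def inspect(self, pkt):
        flags = pkt["flags"]
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])  # sender as initiator
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])  # sender as responder
        if flags == {"SYN"}:
            # New connection attempt: only the trusted side may initiate.
            if ipaddress.ip_address(pkt["src"]) in TRUSTED_NET and fwd not in self.table:
                self.table[fwd] = "SYN_SENT"
                return "allow"
            return "deny"
        if flags == {"SYN", "ACK"}:
            # A SYN-ACK is valid only in reply to a SYN this firewall has seen.
            if self.table.get(rev) == "SYN_SENT":
                self.table[rev] = "SYN_RECEIVED"
                return "allow"
            return "deny"
        if flags == {"ACK"} and self.table.get(fwd) == "SYN_RECEIVED":
            self.table[fwd] = "ESTABLISHED"   # handshake complete
            return "allow"
        # Everything else must belong to an established connection (either direction).
        if "ESTABLISHED" in (self.table.get(fwd), self.table.get(rev)):
            return "allow"
        return "deny"

def run_samples():
    # Constructed trace: full handshake, data, then two packets with no matching state.
    fw = StatefulFirewall()
    c, s = "10.1.1.5", "203.0.113.10"
    pkts = [
        {"src": c, "sport": 40000, "dst": s, "dport": 443, "flags": {"SYN"}},
        {"src": s, "sport": 443, "dst": c, "dport": 40000, "flags": {"SYN", "ACK"}},
        {"src": c, "sport": 40000, "dst": s, "dport": 443, "flags": {"ACK"}},
        {"src": s, "sport": 443, "dst": c, "dport": 40000, "flags": {"ACK", "PSH"}},
        {"src": s, "sport": 443, "dst": c, "dport": 40001, "flags": {"SYN", "ACK"}},
        {"src": "198.51.100.9", "sport": 5555, "dst": c, "dport": 22, "flags": {"SYN"}},
    ]
    return [fw.inspect(p) for p in pkts]
```

The last two verdicts are the point: a SYN-ACK with no preceding SYN and an inbound SYN from the untrusted side are both rejected even though a port-based rule alone would have passed the server's reply.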
Layer 3 Firewall vs. Layer 7 Firewall

Layer 3 firewall:
- functions at the network layer of the Open Systems Interconnection (OSI) model
- filters traffic based on parameters such as IP addresses, port numbers, and specific protocols
- allows or denies packets based on their source and destination details

Layer 7 firewall:
- operates at the application layer of the OSI model
- deeply inspects the content within data packets, analyzing their specific contents
- handles application-specific traffic, effectively guarding against threats like SQL injections or other application-layer attacks
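An added example (not from the slides) contrasting the two views on the same HTTP requests, which also illustrates the WAF slide above: the Layer 3/4 check sees only addresses and ports, while the Layer 7 check parses and URL-decodes the request and scans it against a small constructed signature set for the SQL injection, XSS and file inclusion classes the slides name. The server address, the requests and the signatures are all constructed for the example.

```python
# Constructed example (not from the slides): the same HTTP request as seen by a
# Layer 3/4 filter, which only has addresses and ports, and by a Layer 7
# inspector, which parses the request and examines its content.
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

WEB_SERVER = ("203.0.113.10", 80)   # constructed address of the protected web app

def layer3_decision(dst, dport):
    """Layer 3/4 view: anything to the web server's HTTP port is permitted;
    the request content is invisible at this layer."""
    return "allow" if (dst, dport) == WEB_SERVER else "deny"

# Layer 7 view: a small constructed signature set for the threat classes the
# slides name (SQL injection, XSS, file inclusion). Real WAF rule sets are far larger.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|--\s*$|;\s*drop\b)"),
    "xss":  re.compile(r"(?i)(<\s*script\b|javascript:|on\w+\s*=)"),
    "lfi":  re.compile(r"(\.\./){2,}|/etc/passwd|php://"),
}

def layer7_decision(request_line):
    """Parse 'METHOD /path?query HTTP/1.1', URL-decode the path and every
    query value, and scan them against SIGNATURES; returns (verdict, class)."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    fields = [unquote_plus(parts.path)]
    fields += [value for _, value in parse_qsl(parts.query, keep_blank_values=True)]
    for threat_class, pattern in SIGNATURES.items():
        if any(pattern.search(field) for field in fields):
            return "block", threat_class
    return "allow", None

SAMPLE_REQUESTS = [   # constructed; all are addressed to WEB_SERVER
    "GET /search?q=firewall+types HTTP/1.1",
    "GET /item?id=1'+OR+'1'='1 HTTP/1.1",
    "GET /profile?name=%3Cscript%3Ehi%3C%2Fscript%3E HTTP/1.1",
    "GET /download?file=../../../../etc/passwd HTTP/1.1",
]

def run_samples():
    """Returns (layer3_verdict, (layer7_verdict, threat_class)) per request."""
    return [(layer3_decision(*WEB_SERVER), layer7_decision(r)) for r in SAMPLE_REQUESTS]
```

The Layer 3/4 verdict is "allow" for all four requests because they share the same destination and port; only the Layer 7 inspection can tell the three hostile ones apart from the benign search.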