Firewalls – Concepts, Types, and Best Practices

1. What Is a Firewall?

A firewall is a network security device — hardware, software, or a combination of both — that monitors and controls all traffic flowing between network segments based on a defined set of security rules. Its fundamental job is to decide, for every packet or connection, whether to allow, deny, or reject it.

Firewalls act as enforcers of security policy at network boundaries. They sit between zones of different trust levels — most commonly between a trusted internal network and an untrusted external network like the internet — and apply rules that match the organisation's security requirements.

  Internet (untrusted)
       │
  ┌────┴────┐
  │ FIREWALL│  ← Inspects and filters ALL traffic at this boundary
  └────┬────┘
       │
  ┌────┴──────────────────────┐
  │  Internal Network         │
  │  (trusted)                │
  │  192.168.0.0/16           │
  └───────────────────────────┘

2. Firewall vs ACL — Key Distinction

A common source of confusion is the difference between a router ACL (Access Control List) and a stateful firewall. Both filter traffic, but they operate very differently.

Feature	Router ACL	Stateful Firewall
Connection awareness	Stateless — evaluates each packet independently with no memory of previous packets	Stateful — tracks entire connection state (SYN, SYN-ACK, established, FIN)
Return traffic	Must explicitly permit return traffic (e.g., `established` keyword in extended ACL, or separate inbound rule. See Extended ACL Configuration.)	Automatically permits return traffic for established sessions — no separate rule needed
Rule direction	Applied per interface, per direction (in/out). See Applying ACLs.	Applied per zone pair — traffic between zones evaluated once
Granularity	IP, protocol, port	IP, protocol, port, connection state, application (NGFW), user identity
Performance overhead	Low — no state to maintain	Higher — state table lookup for every packet
Protection against spoofing	Limited — cannot verify whether a packet is part of a legitimate session	Strong — RST floods, ACK floods blocked because state table shows no matching session
Typical deployment	Routers and Layer 3 switches for basic traffic filtering. See Standard ACL and Extended ACL labs.	Dedicated security appliances at network perimeter, DMZ, and segmentation points

3. Types of Firewalls

Firewall technology has evolved through several generations, each adding a new inspection capability. Modern deployments often use a combination.

Type	OSI Layer	What It Inspects	Key Characteristic	Limitation
Packet-Filtering	Layer 3–4	Source/destination IP, protocol, port number	Stateless — fast and simple; each packet evaluated independently. Equivalent to a router ACL.	Cannot distinguish between new, established, or forged packets; vulnerable to IP spoofing and fragmentation attacks
Stateful Inspection	Layer 3–4	IP, port, plus full TCP/UDP session state tracking	Maintains a connection state table — only permits packets that match a known established session	Cannot inspect application-layer payload; malware hidden in allowed protocols (HTTP, DNS) passes through
Proxy / Application Gateway	Layer 7	Full application-layer content (HTTP, FTP, DNS, SMTP commands and payload)	Acts as intermediary — terminates the client connection, inspects content, then opens a separate connection to the server; client never connects directly to server	High latency overhead; typically protocol-specific (separate proxy per application); complex to deploy
Circuit-Level Gateway	Layer 5 (Session)	TCP handshake validity and session establishment	Validates that sessions are properly established before allowing data flow; hides internal network addresses	Does not inspect packet content — once session is validated, all data passes through without further inspection
Next-Generation Firewall (NGFW)	Layer 3–7	All of the above + application identification, user identity, encrypted traffic inspection (SSL/TLS), IPS, malware scanning, URL filtering, sandboxing	Integrates multiple security functions in one platform — replaces separate IPS, web filter, and AV appliances	Higher cost and processing overhead; SSL inspection creates privacy and certificate trust issues; can become a bottleneck

4. Stateful Inspection — How the Connection Table Works

Stateful inspection is the defining capability that separates firewalls from simple ACLs. The firewall maintains a connection state table (also called the session table or state table) that records every active TCP/UDP connection passing through it.

  Connection State Table (simplified example):
  ┌─────────────────┬────────────────┬───────┬───────┬─────────────┬───────────┐
  │ Src IP          │ Dst IP         │ SrcPt │ DstPt │ Protocol    │ State     │
  ├─────────────────┼────────────────┼───────┼───────┼─────────────┼───────────┤
  │ 192.168.1.10    │ 93.184.216.34  │ 54321 │ 443   │ TCP         │ ESTABLISHED│
  │ 192.168.1.15    │ 8.8.8.8        │ 41234 │ 53    │ UDP         │ ESTABLISHED│
  │ 192.168.1.20    │ 172.16.50.5    │ 22345 │ 80    │ TCP         │ SYN_SENT  │
  └─────────────────┴────────────────┴───────┴───────┴─────────────┴───────────┘

  Inbound packet: 93.184.216.34:443 → 192.168.1.10:54321 (return HTTPS data)
  Firewall checks state table:
  → Match found (row 1) → State = ESTABLISHED → ALLOW (no rule lookup needed)

  Inbound packet: 45.10.200.5:80 → 192.168.1.10:54321 (unsolicited)
  Firewall checks state table:
  → No match found → this is NOT a response to an outbound session → DROP

TCP State Tracking

TCP State	Firewall Action
SYN (new connection request)	Check rules — if permitted, create state table entry with state SYN_SENT
SYN-ACK (server response)	Match state table entry — update state to SYN_RECEIVED; allow
ACK (handshake complete)	Update state to ESTABLISHED; all subsequent packets for this session allowed without rule re-evaluation
FIN / RST (session teardown)	Remove state table entry; session closed
ACK with no matching state	DROP — potential ACK flood or spoofed packet; no valid session established

Why stateful inspection blocks spoofed ACK floods: An attacker sending ACK packets to a target hopes to overwhelm it. A stateful firewall checks its state table for each inbound ACK — if there is no matching SYN entry, the ACK is dropped silently. No rule on the firewall needs to explicitly block this — the state table does it automatically. This is the key advantage over a stateless ACL.

5. Firewall Zones and DMZ Architecture

Modern firewalls divide the network into zones — logical groupings of interfaces with similar trust levels. Traffic between zones is evaluated against policy; traffic within the same zone typically flows freely. The most common three-zone model uses an Outside, Inside, and DMZ zone. VLANs are commonly used to map network segments to firewall zones.

  ┌────────────────────────────────────────────────────┐
  │                   INTERNET                         │
  │           (untrusted — Outside zone)               │
  └──────────────────────┬─────────────────────────────┘
                         │
                  ┌──────┴──────┐
                  │   FIREWALL  │
                  └──┬──────┬───┘
                     │      │
        ┌────────────┘      └────────────────┐
        │                                    │
  ┌─────┴──────────┐          ┌──────────────┴──────────┐
  │   DMZ Zone     │          │   Inside Zone (trusted) │
  │  (semi-trusted)│          │   192.168.0.0/16        │
  │                │          │                         │
  │ Web Server     │          │ Finance PCs             │
  │ Mail Relay     │          │ Internal Servers        │
  │ Public DNS     │          │ Employee Workstations   │
  └────────────────┘          └─────────────────────────┘

  Policy (typical):
  Outside → DMZ:    Allow HTTP/HTTPS/SMTP to specific server IPs
  Outside → Inside: DENY ALL (no direct internet access to internal)
  Inside → DMZ:     Allow specific management/monitoring
  Inside → Outside: Allow HTTP/HTTPS/DNS (outbound browsing)
  DMZ → Inside:     DENY ALL (compromised DMZ server cannot reach LAN)

Why the DMZ Is Critical

Servers that need to be accessible from the internet (web servers, email relays, public DNS) cannot be placed inside the trusted network, because if they are compromised they would give an attacker direct access to internal systems. The DMZ creates a quarantine zone: internet users can reach DMZ servers, but even if a DMZ server is fully compromised, the firewall blocks any lateral movement toward the internal trusted network.

6. Firewall Rules — Processing, Order, and the Implicit Deny

Every firewall evaluates traffic against an ordered list of rules. Understanding exactly how rules are processed is critical for both exam questions and real-world firewall configuration. The same top-to-bottom first-match logic applies to both firewall rules and router ACLs.

Rule Processing Order

  Packet arrives at firewall
         │
         ▼
  Rule 1: Match? → YES → Apply action (Allow/Deny/Reject) → DONE
         │ No
         ▼
  Rule 2: Match? → YES → Apply action → DONE
         │ No
         ▼
  Rule 3: Match? → YES → Apply action → DONE
         │ No
         ▼
  Rule N: Match? → YES → Apply action → DONE
         │ No match on any rule
         ▼
  IMPLICIT DENY → DROP (block all unmatched traffic)

Implicit Deny (default deny): Every firewall has an invisible final rule at the bottom of every policy that denies all traffic that did not match any explicit rule. This is the most important single concept in firewall security. It means you only need to write rules for traffic you want to ALLOW — everything else is blocked automatically. The same principle applies to ACLs: every Cisco ACL has an implicit deny any at the end.

Rule Elements

Element	Description	Example Values
Source	Where the traffic originates — IP address, subnet, or named object	`192.168.1.0/24`, `any`, `Finance_VLAN`
Destination	Where the traffic is going	`10.0.0.5`, `any`, `WebServer_DMZ`
Protocol	Layer 4 protocol	`TCP`, `UDP`, `ICMP`, `any`
Port / Service	Destination port number or named service	`443` (HTTPS), `22` (SSH), `53` (DNS)
Action	What to do when the rule matches	Allow / Permit, Deny / Drop, Reject
Log	Whether to generate a log entry for matching traffic	Log, No-log

Allow vs Deny vs Reject

Action	What Happens	Sender Notified?	When to Use
Allow / Permit	Packet forwarded to destination	N/A (connection proceeds)	Explicitly permitted traffic
Deny / Drop	Packet silently discarded — no response sent to source	No — source times out waiting	Blocking external threats (silence prevents reconnaissance — attacker doesn't know if host exists)
Reject	Packet discarded AND TCP RST or ICMP Unreachable sent to source	Yes — source receives immediate notification	Internal users blocked from a service (better UX — application fails fast instead of hanging); avoid for internet-facing rules

Example Rule Set

Rule 1:  Allow  src=192.168.1.0/24  dst=any         proto=TCP  port=443  → Outbound HTTPS
Rule 2:  Allow  src=192.168.1.0/24  dst=any         proto=TCP  port=80   → Outbound HTTP
Rule 3:  Allow  src=192.168.1.0/24  dst=8.8.8.8     proto=UDP  port=53   → DNS to Google
Rule 4:  Allow  src=any             dst=10.10.10.5   proto=TCP  port=443  → Inbound HTTPS to web server
Rule 5:  Deny   src=10.0.0.0/8     dst=192.168.2.0/24 proto=any port=any → Block branch from finance
         ⋮
         [implicit deny all — blocks everything not matched above]

7. Next-Generation Firewalls (NGFW)

A Next-Generation Firewall (NGFW) goes beyond packet filtering and stateful inspection by integrating multiple advanced security capabilities into a single platform. The term was coined by Gartner in 2009 to describe firewalls with deep packet inspection at the application layer.

NGFW Capabilities

Capability	Description	Practical Example
Application Identification (App-ID)	Identifies the actual application regardless of port — detects Skype on port 80, BitTorrent on any port, etc.	Allow Microsoft Teams but block WhatsApp, even though both use port 443
User Identity (User-ID)	Maps network traffic to Active Directory users/groups — policies apply per user, not per IP address. Integrates with RADIUS or AD.	Allow HR department to access Facebook; block everyone else
Intrusion Prevention (IPS)	Analyses packet payloads for attack signatures, protocol anomalies, and behavioural indicators in real time	Blocks SQL injection in HTTP POST, EternalBlue exploit attempts, CVE-specific signatures
SSL/TLS Inspection	Decrypts HTTPS traffic, inspects the content, re-encrypts and forwards — effectively a man-in-the-middle for security purposes. Detect with Wireshark to verify re-encryption.	Scans encrypted downloads for malware; applies DLP to HTTPS uploads
URL Filtering	Categorises and blocks websites by content category (gambling, adult, malware-hosting, phishing) using a cloud threat intelligence database	Block social media during business hours; always block phishing URLs
Malware/Sandboxing	Executes suspicious files in an isolated VM before allowing them through — detects zero-day threats that have no known signature	New malware in a ZIP file is detonated in a sandbox; if it shows malicious behaviour it is blocked even without an existing signature
Threat Intelligence Integration	Dynamically blocks connections to known-malicious IPs, domains, and URLs fed from external threat intelligence feeds	Outbound connection to a known C2 (Command & Control) server is blocked even if no local rule exists for that IP

NGFW vs Traditional Firewall — Same Port, Different Traffic:

  Traditional firewall rule: Allow TCP port 80 from any to any
  Result: ALL HTTP traffic passes — legitimate web browsing AND malware C2 callbacks
          that use port 80 to bypass the firewall

  NGFW rule: Allow application=Web-Browsing from any to any
  Result: Legitimate browsers allowed; applications masquerading as HTTP but using
          non-browser protocols (BitTorrent, Skype, malware) are blocked

8. NAT and PAT in Firewalls

Firewalls commonly integrate Network Address Translation (NAT), translating private internal IP addresses to public addresses when traffic crosses the perimeter. NAT also provides a layer of obscurity — external hosts cannot directly address internal hosts by their private IP.

NAT Type	Mapping	Use Case	Example
Static NAT	One private IP ↔ One public IP (permanent, bidirectional)	Public-facing servers that need to be reachable from the internet by a fixed public IP	Web server 10.0.0.5 always appears as 203.0.113.10 to the internet
Dynamic NAT	Many private IPs → Pool of public IPs (one-to-one from pool, first-come-first-served)	Organisations with a block of public IPs and fewer users than IPs	Pool of 10 public IPs shared by up to 10 simultaneous outbound sessions
PAT / NAT Overload	Many private IPs → One public IP, differentiated by source port number	Most home and enterprise outbound internet access — conserves IPv4 address space	All 500 office PCs share one public IP; each session tracked by unique source port (e.g., 192.168.1.10:54321 → 203.0.113.1:54321)

NAT is not security: While NAT hides internal addressing and prevents unsolicited inbound connections (since external hosts cannot initiate to a private IP), it is not a substitute for firewall rules. NAT and firewall policy are separate functions. A firewall with only NAT and no deny rules would still allow all internally-initiated connections outbound — including malware callbacks.

9. VPN Termination at the Firewall

Enterprise firewalls typically also serve as VPN concentrators, terminating encrypted tunnels from remote sites and remote users. This consolidates perimeter security — all VPN traffic enters through the same device that enforces security policy on it.

VPN Type	Description	Firewall Role	Typical Use
Site-to-Site IPSec VPN	Permanent encrypted tunnel between two firewalls connecting two office networks	Terminates IPSec tunnel; applies security policies to decrypted traffic between sites	HQ to branch office connectivity; replacing leased lines
Remote-Access VPN (IPSec/SSL)	Individual remote users connect to the corporate network from anywhere using a VPN client	Authenticates users (RADIUS/AD), assigns IP from pool, enforces split-tunnel or full-tunnel policies, applies NGFW inspection to VPN user traffic	Work-from-home employees; contractor access; mobile users

Split tunnelling vs full tunnelling: Split tunnel — only corporate-bound traffic goes through the VPN; internet traffic goes directly from the user's device. Full tunnel — all traffic (including internet browsing) routes through the corporate firewall. Full tunnel provides better visibility and control but increases firewall load and latency for the remote user's internet experience.

10. Firewall Deployment Modes

Deployment Mode	Description	Traffic Flow	Typical Use
Routed Mode (Layer 3)	Firewall acts as a router — each interface is in a different IP subnet; traffic is routed between zones	Traffic is forwarded at Layer 3 — the firewall is a hop in the routing path	Most common deployment; perimeter firewall between internet and LAN
Transparent Mode (Layer 2)	Firewall acts as a bridge — interfaces share the same subnet; devices on each side are on the same IP network	Traffic flows as if through a switch — the firewall is invisible to Layer 3 routing	Inserting a firewall between two devices without changing IP addressing (retrofitting security into an existing network)
Inline (Active) Mode	All traffic physically passes through the firewall — it can actively block traffic	Traffic flows: Source → Firewall → Destination	Standard perimeter and internal segmentation firewalls
Passive (Monitor/TAP) Mode	Firewall receives a copy of traffic via SPAN port or network TAP — it analyses but cannot block. Capture with Wireshark for forensics.	Traffic copy flows to firewall for analysis; actual traffic bypasses the firewall	IDS-style monitoring, traffic baseline analysis, testing before inline deployment
Host-Based Firewall	Software firewall running on an individual endpoint (PC, server)	Controls traffic to/from that specific host only	Windows Defender Firewall, iptables on Linux, endpoint security on servers — defence-in-depth layer complementing network firewalls

11. Common Firewall Attacks and Mitigations

Attack	Method	Firewall Mitigation
SYN Flood (DoS)	Attacker sends thousands of SYN packets, exhausting the firewall's state table with half-open connections	SYN cookies (validate TCP handshake without state table entry), SYN rate-limiting, connection limits per source IP
IP Spoofing	Attacker forges source IP to impersonate a trusted host or bypass ACL	Anti-spoofing rules (block traffic from the internet with a source IP matching internal ranges — RFC 2827 / BCP 38 ingress filtering); stateful inspection detects spoofed return traffic
Fragmentation Attack	Attacker fragments packets to hide exploit payloads across multiple fragments — packet-filtering firewalls inspect only the first fragment and allow all subsequent fragments	Fragment reassembly before inspection (stateful firewalls reassemble fragments before applying rules)
Port Scanning	Attacker probes ports to discover open services and build network map. Capture scans with Wireshark.	Drop (not reject) all traffic to closed ports — denies reconnaissance feedback; IPS detects scan patterns and blocks scanning source IP
Application-Layer Exploits	Exploits (SQL injection, buffer overflows) hidden inside permitted application traffic (HTTP, SMB)	NGFW IPS signatures detect and block known exploits; WAF (Web Application Firewall) for web-specific attacks
Firewall Rule Bypass	Using allowed ports (80, 443) for disallowed protocols (malware C2, tunnelling)	NGFW application identification — identifies actual application regardless of port number

12. Firewall Logging and Monitoring

A firewall without comprehensive logging provides security enforcement but no visibility. Logs are essential for security incident investigation, compliance auditing, troubleshooting, and detecting attack patterns. Forward logs to a SIEM using syslog.

Permitted traffic logs: Record all allowed connections — useful for baselining normal behaviour and detecting unexpected internal-to-external connections (potential malware callbacks).
Denied traffic logs: Record all blocked connections — the most important category for detecting attacks, port scans, and policy violations.
Authentication events: Admin logins (successful and failed), VPN authentications, and management access attempts. See AAA Authentication Methods.
System events: Interface state changes, failover events, policy pushes, and configuration changes.
Alert thresholds: Configure real-time alerts for: repeated denied connections from same source (port scan), repeated failed authentications (brute force), traffic to known-malicious IPs (threat intelligence hits).

Log management: Forward firewall logs to a centralised SIEM (Security Information and Event Management) system via syslog. Do not rely on logs stored locally on the firewall — storage is limited and an attacker who compromises the firewall may delete local logs. Centralised, tamper-evident logging is a compliance requirement for PCI-DSS, HIPAA, and ISO 27001. Monitor with SNMP for real-time interface and system health alerts.

13. Firewall Best Practices

Default deny (implicit deny all): Start with everything blocked. Add explicit allow rules only for traffic that is specifically required. Never create "allow any any" rules. The same principle applies to ACLs.
Principle of least privilege: Rules should be as specific as possible. Instead of "allow all traffic from Finance VLAN," write individual rules for each required service. Over-broad rules create unnecessary attack surface.
Regular rule audits: Rules accumulate over time and many become unnecessary. Schedule quarterly reviews to remove rules that are no longer needed (decommissioned servers, ended projects). Unused rules are security risks and performance overhead.
Order rules by frequency: Place the most commonly matched rules near the top of the rule base to reduce average processing overhead. The firewall evaluates rules in order — frequently matched rules processed early reduce latency.
Secure management access: Restrict administrative access to the firewall management interface by source IP (management station only), use SSH or HTTPS (never HTTP or Telnet), enable multi-factor authentication, and log all management sessions. See AAA Authentication Methods.
Separate management plane: Use a dedicated out-of-band management network for firewall administration — this prevents an attacker who compromises a data-plane network from reaching the management interface. Use a dedicated management VLAN.
Keep firmware and signatures current: Firewall vendors release security patches and IPS signature updates continuously. Unpatched firewalls are vulnerable to known exploits even when rules are correct.
Test rules before production deployment: Simulate rule changes in a test environment or use the firewall's policy analysis tools to verify that new rules do not accidentally permit unwanted traffic or block required traffic. Use Wireshark or a passive TAP to validate traffic behaviour.
Document and version-control all changes: Maintain a change log for every rule modification with the business justification, approver, and date. This is mandatory for PCI-DSS and ISO 27001 compliance and invaluable for incident response. Log all changes to syslog.

14. Key Points & Exam Tips

A firewall monitors and controls traffic based on predefined security rules — it is the primary enforcement point of network security policy.
Packet-filtering: Stateless, Layer 3–4, inspects IP/port/protocol. Fast but cannot verify connection state. Equivalent to a router ACL.
Stateful inspection: Tracks TCP/UDP sessions in a state table — allows return traffic automatically; blocks unsolicited inbound packets. Most common firewall type.
Proxy firewall: Terminates client connection, inspects Layer 7 content, opens new connection to server. Most thorough inspection but highest latency.
NGFW: Adds application-ID, user-ID, IPS, SSL inspection, URL filtering, and sandboxing on top of stateful inspection. Integrates with RADIUS for user-based policies.
Implicit deny: The invisible last rule that blocks everything not explicitly permitted. Critical concept — the firewall is "closed by default." Same as the implicit deny any at the end of every ACL.
Rules processed top-to-bottom; first match wins. Rule order is critical. See Applying ACLs.
Drop = silent discard (no response — preferred for internet-facing rules). Reject = discard + ICMP/RST notification (faster failure for internal users).
DMZ = semi-trusted zone for public-facing servers — internet can reach DMZ, but compromised DMZ server cannot reach internal trusted network. Use separate VLANs per zone.
PAT = many-to-one NAT using port numbers (most common form of NAT at perimeter). NAT ≠ security — it hides addressing but does not replace firewall rules.
Firewall vs ACL: ACL is stateless (must explicitly permit return traffic with established keyword — see Extended ACL Configuration); stateful firewall auto-permits return traffic for established sessions.
Always use SSH (not Telnet) for firewall management. Log all events to a centralised syslog server.

15. Firewall Quiz

1. A stateful firewall has a rule permitting outbound HTTPS from the internal network. A remote web server sends a reply packet back to an internal client. The firewall has NO explicit inbound rule for this traffic. What happens to the reply packet?

A. The packet is dropped — no inbound rule exists to permit it B. The packet is dropped unless HTTPS port 443 is explicitly permitted inbound C. The packet is permitted — the stateful firewall's connection table shows an established session for this src/dst IP and port pair; return traffic is automatically allowed without requiring an explicit inbound rule D. The packet is queued until an admin adds an inbound rule

Correct answer is C. This is the core advantage of stateful inspection over ACLs. When the internal client sent the outbound HTTPS request, the stateful firewall created an entry in its connection state table recording: source IP, destination IP, source port, destination port, protocol, and state (ESTABLISHED). When the web server's reply arrives, the firewall checks the state table, finds a matching established session, and automatically permits the packet without any separate inbound rule. A stateless packet-filtering firewall or ACL, by contrast, would require an explicit inbound rule like "permit tcp any any established" to allow return traffic. See Extended ACL Configuration for the established keyword.

2. An attacker floods a stateful firewall with thousands of TCP SYN packets from spoofed source IPs but never completes the three-way handshake. What problem does this create and what mechanism mitigates it?

A. The firewall's CPU is overloaded by rule lookups — increase hardware capacity B. The firewall's routing table fills up — increase memory C. The firewall's rule base is bypassed because SYN packets are processed differently D. The connection state table fills with half-open SYN_SENT entries, eventually exhausting memory and preventing legitimate connections. SYN cookies mitigate this by generating a cryptographic token instead of a state table entry until the handshake is completed

Correct answer is D. This is a SYN flood attack — the most common DoS attack targeting stateful firewalls. For every inbound SYN, the firewall creates a state table entry in SYN_SENT state and waits for the ACK to complete the handshake. With thousands of SYNs from spoofed IPs, the SYN-ACK responses are never answered and the state table fills with half-open connections. When the state table is full, the firewall cannot accept new legitimate connections. SYN cookies solve this by replacing the state table entry with a cryptographic hash embedded in the SYN-ACK. Only when a valid ACK arrives (proving the handshake was real) is a state entry created. This means spoofed SYNs consume no state table memory.

3. A company places its public web server in the DMZ and connects the DMZ to the firewall. The firewall rule from DMZ to Inside is "DENY ALL." The web server is later compromised by an attacker. What does the DMZ architecture achieve in this scenario?

A. The attacker gains immediate access to internal network resources because the web server is inside the network perimeter B. The attacker controls the web server but cannot reach the internal network — the DENY ALL rule from DMZ to Inside blocks lateral movement, containing the breach to the DMZ C. The DMZ prevents the attacker from compromising the web server in the first place D. The web server automatically recovers from the attack because it is in the DMZ

Correct answer is B. The DMZ does not prevent the server from being compromised — a public web server is inherently exposed to attacks. What the DMZ provides is containment: even after full compromise, the attacker's ability to move laterally toward the internal network is blocked by the firewall's DMZ-to-Inside DENY ALL rule. The attacker controls the web server but cannot pivot to attack finance systems, internal databases, or Active Directory. This limits the blast radius of the breach to the DMZ servers only — the critical difference between a controlled incident and a catastrophic breach. This is the primary security value of DMZ architecture. Complement with VLAN segmentation for each DMZ zone.

4. A firewall rule base contains these rules in order:
Rule 1: ALLOW src=10.0.0.0/8 dst=any proto=TCP port=443
Rule 2: DENY src=10.1.0.0/24 dst=any proto=any port=any
A host at 10.1.0.50 tries to connect to a web server on HTTPS. What happens?

A. The connection is allowed — Rule 1 matches first (10.1.0.50 is within 10.0.0.0/8) and is applied; Rule 2 is never reached for this traffic B. The connection is denied — Rule 2 blocks all traffic from 10.1.0.0/24 regardless of Rule 1 C. Both rules match; the firewall applies the more specific rule (Rule 2) D. The firewall prompts for admin input because two rules conflict

Correct answer is A. Firewall rules are processed strictly top-to-bottom and the first matching rule is applied — no further rules are evaluated. 10.1.0.50 is within 10.0.0.0/8, so Rule 1 matches (source matches, TCP port 443 matches). The action is ALLOW and the connection proceeds. Rule 2 is never reached for this packet. This illustrates a critical rule-ordering mistake: if the intent was to block 10.1.0.0/24 while allowing the rest of 10.0.0.0/8, Rule 2 must come BEFORE Rule 1. The more specific deny rule must always precede the broader allow rule. The same first-match logic applies to ACLs. See Applying ACLs.

5. A security engineer notices that a malware infection on an internal PC is making outbound connections to a command-and-control server on TCP port 443 (HTTPS). The firewall has a rule allowing all outbound TCP port 443 traffic. A traditional stateful firewall cannot block this. What capability of a Next-Generation Firewall would detect and block it?

A. Deeper packet filtering — inspect more header fields B. Better NAT — translate the port number to prevent the malware from reaching port 443 C. Threat intelligence integration (blocking known-malicious destination IPs/domains) plus SSL inspection (decrypting and inspecting the payload for C2 signatures) — the NGFW can block the connection even though the port is permitted D. The NGFW blocks all HTTPS traffic from infected hosts automatically using machine learning

Correct answer is C. This is the fundamental limitation of traditional firewalls and the reason NGFWs exist. A stateful firewall allows all outbound TCP/443 — it cannot distinguish legitimate HTTPS from malware using HTTPS for C2. An NGFW addresses this two ways: (1) Threat intelligence: if the destination IP or domain is in a known-malicious feed (e.g., registered as a C2 server), the connection is blocked regardless of port. (2) SSL/TLS inspection: the NGFW decrypts the HTTPS session, inspects the decrypted content for C2 communication patterns or malware signatures, then re-encrypts and forwards (or blocks). Use Wireshark to verify SSL inspection is working as expected in a test environment.

6. An internet-facing firewall blocks an inbound packet with a source IP address of 192.168.5.50. The firewall's outside interface faces the internet. What security mechanism is this and why is it important?

A. The firewall's NAT table is full and cannot translate the address B. Anti-spoofing (RFC 2827 / BCP 38 ingress filtering) — packets arriving from the internet with a source IP in private RFC 1918 space (192.168.x.x, 10.x.x.x, 172.16–31.x.x) are impossible in legitimate traffic and indicate IP spoofing or misconfiguration; they are dropped C. The firewall's routing table has no route to 192.168.5.50 D. The firewall blocks all traffic from class C addresses by default

Correct answer is B. RFC 2827 (BCP 38 — "Network Ingress Filtering") defines that packets arriving on an internet-facing interface with source IPs from private RFC 1918 address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are illegitimate — these addresses are never routed on the public internet. Such packets are always either: (1) IP spoofed by an attacker attempting to impersonate an internal trusted host, or (2) a routing misconfiguration. Anti-spoofing rules (configured as ACL-style entries) drop these immediately. This is fundamental perimeter security — attackers cannot spoof an internal source IP to trick the firewall into thinking traffic is coming from a trusted source.

7. A company has 300 internal hosts sharing one public IP address for internet access. The firewall keeps track of which internal host made each outbound connection so return traffic reaches the correct host. What NAT mechanism enables this?

A. Static NAT — one public IP for each internal host B. Dynamic NAT — each host gets its own temporary public IP from a pool C. Proxy ARP — the firewall responds to ARP for all hosts D. PAT (Port Address Translation / NAT overload) — all 300 hosts share one public IP; each connection is tracked by a unique source port number, allowing the firewall to demultiplex return traffic to the correct internal host

Correct answer is D. PAT (Port Address Translation), also called NAT overload, is the mechanism that allows many internal hosts to share a single public IP address. When host 192.168.1.10 connects to a web server, the firewall translates the source address to the public IP and records the source port (e.g., 54321) in its NAT table: 192.168.1.10:54321 → 203.0.113.1:54321. When host 192.168.1.11 makes a simultaneous connection to the same server, it uses a different source port: 192.168.1.11:54322 → 203.0.113.1:54322. When return traffic arrives, the firewall matches the destination port to the correct internal host. This is how every home router and enterprise firewall handles internet access for multiple devices on one public IP.

8. A firewall rule uses the "Reject" action for internal users trying to access a blocked website, while using "Drop" (deny) for all inbound traffic from the internet. Why is this the correct choice for each direction?

A. Reject for internal users gives an immediate error (application fails fast instead of hanging for 30+ seconds); Drop for internet-facing rules prevents reconnaissance — an attacker scanning ports receives no response, making it harder to determine if a host or service exists B. Reject is faster for the firewall to process than Drop, so it should be used wherever performance matters C. Both Reject and Drop behave identically — the choice is a matter of preference D. Drop should be used for internal users because it is more secure; Reject for internet traffic to comply with RFC standards

Correct answer is A. The Reject vs Drop choice has practical implications in both directions. For internal users: Reject sends a TCP RST or ICMP Unreachable immediately — the browser or application receives an instant "connection refused" and shows an error. Without Reject, the application waits for the full TCP timeout (30–120 seconds) before giving up, creating a poor user experience. For internet-facing rules: Drop is strongly preferred. When an attacker port-scans a firewall using Drop, they receive no response — they cannot distinguish between "port closed," "host down," or "filtered." Reject would confirm that the host exists and that the port is actively filtered, helping the attacker map the network. Silence maximises obscurity. Log all dropped inbound attempts to syslog.

9. An admin is configuring a firewall and wants to ensure that traffic between the Finance VLAN and the Engineering VLAN is blocked by default, with only specific database queries allowed from Engineering to Finance. Which architectural approach best implements this?

A. Place both VLANs on the same firewall interface and use MAC address filtering B. Use VLAN ACLs on the switch to block inter-VLAN routing C. Place each VLAN in a separate firewall zone with a DENY ALL inter-zone policy by default, then add a specific ALLOW rule permitting only the database protocol and port from the Engineering zone to the Finance zone's database server D. Place both VLANs behind the same firewall interface and rely on the implicit deny to block traffic between them

Correct answer is C. Zone-based internal segmentation is the correct approach. By placing Finance and Engineering in separate firewall zones: (1) The default inter-zone policy is DENY ALL — no traffic flows between zones unless explicitly permitted. (2) A specific rule allows only the required database protocol (e.g., TCP 1433 for SQL Server) from Engineering zone to the Finance database server only. Everything else (file shares, RDP, ping, other ports) remains blocked. This prevents lateral movement — if Engineering is compromised, the attacker cannot pivot to Finance systems. This is the "defence in depth" or "zero trust" internal segmentation model, increasingly required by security frameworks and compliance standards. Complement with VLAN segmentation at the switch level.

10. A firewall administrator removes a rule that was "Allow src=any dst=Finance-Server port=22 (SSH)" because the server is decommissioned. Before deleting, the admin checks the logs and finds that 15 hosts were still matching this rule last week. What does this finding suggest and what should the admin do?

A. The logs are incorrect — the server is decommissioned so traffic could not have matched; delete the rule immediately B. 15 hosts were recently connecting to the decommissioned server via SSH — this may indicate misconfigured services, ghost credentials, or a security issue. Investigate the 15 hosts before deleting the rule, ensure no active sessions exist, and check why connections were being attempted to a decommissioned server C. The 15 hosts should be immediately blocked by adding a deny rule for all their traffic D. Firewall logs are unreliable — proceed with deletion without investigation

Correct answer is B. This scenario illustrates the security value of reviewing logs before rule changes — a practice known as rule cleanup auditing. Finding active traffic to a "decommissioned" server is a security red flag that demands investigation: (1) The server may not actually be decommissioned — it may still be running, just forgotten (shadow IT / zombie server). (2) Applications or scripts may be misconfigured to connect to it (discovering breakage before deletion is better than after). (3) The connections may indicate an attacker pivoting or beacon traffic to a compromised host. The correct process: identify the 15 hosts, determine why they're connecting, ensure it's safe to remove the rule (no legitimate traffic will break), then delete. Never delete rules based solely on documentation — always verify against actual traffic logs.

← Back to Home

Firewalls – Concepts, Types, and Best Practices

1. What Is a Firewall?

2. Firewall vs ACL — Key Distinction

3. Types of Firewalls

4. Stateful Inspection — How the Connection Table Works

TCP State Tracking

5. Firewall Zones and DMZ Architecture

Why the DMZ Is Critical

6. Firewall Rules — Processing, Order, and the Implicit Deny

Rule Processing Order

Rule Elements

Allow vs Deny vs Reject

Example Rule Set

7. Next-Generation Firewalls (NGFW)

NGFW Capabilities

8. NAT and PAT in Firewalls

9. VPN Termination at the Firewall

10. Firewall Deployment Modes

11. Common Firewall Attacks and Mitigations

12. Firewall Logging and Monitoring

13. Firewall Best Practices

14. Key Points & Exam Tips

15. Firewall Quiz

1. A stateful firewall has a rule permitting outbound HTTPS from the internal network. A remote web server sends a reply packet back to an internal client. The firewall has NO explicit inbound rule for this traffic. What happens to the reply packet?

2. An attacker floods a stateful firewall with thousands of TCP SYN packets from spoofed source IPs but never completes the three-way handshake. What problem does this create and what mechanism mitigates it?

3. A company places its public web server in the DMZ and connects the DMZ to the firewall. The firewall rule from DMZ to Inside is "DENY ALL." The web server is later compromised by an attacker. What does the DMZ architecture achieve in this scenario?

4. A firewall rule base contains these rules in order: Rule 1: ALLOW src=10.0.0.0/8 dst=any proto=TCP port=443 Rule 2: DENY src=10.1.0.0/24 dst=any proto=any port=any A host at 10.1.0.50 tries to connect to a web server on HTTPS. What happens?

6. An internet-facing firewall blocks an inbound packet with a source IP address of 192.168.5.50. The firewall's outside interface faces the internet. What security mechanism is this and why is it important?

7. A company has 300 internal hosts sharing one public IP address for internet access. The firewall keeps track of which internal host made each outbound connection so return traffic reaches the correct host. What NAT mechanism enables this?

8. A firewall rule uses the "Reject" action for internal users trying to access a blocked website, while using "Drop" (deny) for all inbound traffic from the internet. Why is this the correct choice for each direction?

9. An admin is configuring a firewall and wants to ensure that traffic between the Finance VLAN and the Engineering VLAN is blocked by default, with only specific database queries allowed from Engineering to Finance. Which architectural approach best implements this?

4. A firewall rule base contains these rules in order:
Rule 1: ALLOW src=10.0.0.0/8 dst=any proto=TCP port=443
Rule 2: DENY src=10.1.0.0/24 dst=any proto=any port=any
A host at 10.1.0.50 tries to connect to a web server on HTTPS. What happens?