This tutorial explains the basic functions and features of a firewall in detail, with examples. It covers what a firewall is and how it protects network resources from unauthorized access.
This tutorial is part of the CCNA Study Guide. It explains the following CCNA topic.
Describe the impact of infrastructure components in an enterprise network.
- 1.3.a Firewalls
What is a firewall?
A firewall is a protective layer between networks. Based on pre-configured rules, it monitors and controls every packet that passes through it, allowing or dropping each one.
Broadly, there are two types of firewall: hardware firewalls and software firewalls.
Hardware firewall
A hardware firewall runs on a dedicated device that does nothing else.
Because all of the device's resources are available to the firewall, it can filter traffic at high speed without becoming a bottleneck. Such devices also offer additional security features such as encryption and logging.
Hardware firewalls are complex to configure, and usually only experienced network administrators configure them. They are also expensive, because they require a dedicated device.
Speed and a richer feature set are the advantages of a hardware firewall; high cost and complex configuration are its disadvantages.
Software firewall
A software firewall runs as an application on a general-purpose device alongside other software. Because it shares the device's resources through the host operating system, it offers less throughput than a hardware firewall and, unlike a hardware firewall, usually a smaller set of features.
Software firewalls are easier to configure; an average network user can adjust them to meet their security requirements. Since they need no extra hardware, they add no cost to the network.
Low cost and easy configuration are the advantages of a software firewall; lower throughput and fewer features are its disadvantages.
Basic functions and features of the firewall
A hardware firewall or an advanced software firewall can filter network traffic based on many rules and conditions. For an entry-level exam, you only need to understand three basic types of filtering: packet level filtering, circuit level filtering and application level filtering.
For the sections below, I assume that you know how data is formatted and transmitted across a network.
To learn how the data is exchanged in the network, you can check the following tutorial.
Packet level filtering (Network layer filtering)
To route and deliver a packet across the network, the network layer uses two addresses: the source IP address and the destination IP address. Every packet carries both. A firewall can be configured to filter traffic based on these addresses, judging each packet on its own without regard to the packets that came before it.
Let's take a simple example. Suppose there are two computers, Dell and HP, with IP addresses 10.10.10.10 and 126.96.36.199 respectively. A firewall sits on the path that connects them. Dell sends a packet to HP. Whether HP receives the packet depends on how the firewall is configured.
HP receives the packet only if the firewall has a rule that allows packets from host 10.10.10.10 to host 126.96.36.199.
Circuit level filtering (Transport layer filtering)
Circuit level filtering goes beyond packet level filtering. It filters traffic based on transport layer features.
The transport layer uses port numbers to identify the application a segment is meant for. TCP, which provides reliable delivery, also sets up a connection before sending any data, using a process known as the three-way handshake: the sender and receiver exchange SYN, SYN-ACK and ACK segments, after which the connection is established.
To learn the Three-way handshake process in detail, see this tutorial.
A firewall can be configured to filter on these transport layer features. For example:
- A firewall can be instructed to allow or deny a packet based on its destination port number.
- A firewall can be instructed to allow only connections opened from the inside and the return traffic of those connections.
Let’s take two simple examples.
A server and a workstation are connected through the firewall. Several services are running on the server, and you want the workstation to reach only one or a few of them. In this situation, you configure the firewall to pass only the packets intended for the allowed services.
For example, you can configure the firewall to allow a packet only if its destination port number is 80, the port used by the web service. Once this rule is in place, every packet from the workstation is denied except the ones addressed to the web server on port 80.
A small office is connected to the Internet through the firewall. You want internal users to access the Internet while keeping external Internet users out of the internal network. To achieve this, configure the firewall to allow a connection-initiating packet only if it is sent by an internal host.
The connection-initiating packet is the first segment of the three-way handshake: a TCP segment with the SYN flag set and the ACK flag clear, sent by the host that wants to open a connection. Since the firewall lets only internal hosts send such a segment, only internal hosts can initiate connections; inbound packets with the ACK flag set are treated as replies to those connections and allowed through.
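The packet level and circuit level rules from the examples above, written out as a small first-match rule engine. This is an added example and is not part of the original tutorial or of any Cisco configuration; the server address 10.10.20.5, the LAN prefix 10.10.10.0/24 and the outside addresses in 203.0.113.0/24 are assumed for the demonstration. The `established` condition matches segments with ACK or RST set (the same meaning as the `established` keyword of a Cisco extended ACL) and `syn_only` matches the connection-initiating segment.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet/circuit level filter looks at (constructed model)."""
    src: str
    dst: str
    proto: str = "tcp"      # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False       # TCP flags; meaningless for udp/icmp
    ack: bool = False
    rst: bool = False


@dataclass(frozen=True)
class Rule:
    """One ordered rule: every condition that is set must match for the rule to apply."""
    action: str                    # "permit" or "deny"
    src: str = "any"               # host address or CIDR prefix, or "any"
    dst: str = "any"
    proto: str = "ip"              # "ip" matches every protocol
    dport: Optional[int] = None    # None = any destination port
    established: bool = False      # only packets with ACK or RST set (Cisco's `established`)
    syn_only: bool = False         # only the connection-initiating segment (SYN set, ACK clear)

    def matches(self, p: Packet) -> bool:
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.ack or p.rst):
            return False
        if self.syn_only and not (p.syn and not p.ack):
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """Evaluate rules top to bottom; the first match decides. No match means deny
    (the implicit deny at the end of every Cisco access list)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# 1. Packet level: only Dell (10.10.10.10) may send to HP (126.96.36.199).
PACKET_LEVEL = [Rule("permit", src="10.10.10.10", dst="126.96.36.199")]

# 2. Circuit level: the workstation LAN may reach only the web service (tcp/80)
#    on the server. 10.10.10.0/24 and 10.10.20.5 are assumed addresses.
WEB_ONLY = [Rule("permit", src="10.10.10.0/24", dst="10.10.20.5", proto="tcp", dport=80)]

# 3. Circuit level, applied to packets arriving from the Internet: replies to
#    connections the inside opened are allowed, a SYN from outside is not.
INBOUND = [
    Rule("deny", proto="tcp", syn_only=True),        # outside may not open connections
    Rule("permit", proto="tcp", established=True),   # return traffic of inside-initiated ones
]


def demo() -> dict:
    """Run constructed packets through the three policies; values are permit/deny."""
    return {
        "dell_to_hp": filter_packet(PACKET_LEVEL, Packet("10.10.10.10", "126.96.36.199")),
        "other_to_hp": filter_packet(PACKET_LEVEL, Packet("10.10.10.11", "126.96.36.199")),
        "ws_to_web": filter_packet(WEB_ONLY, Packet("10.10.10.7", "10.10.20.5", "tcp", 51000, 80, syn=True)),
        "ws_to_ssh": filter_packet(WEB_ONLY, Packet("10.10.10.7", "10.10.20.5", "tcp", 51001, 22, syn=True)),
        "in_syn": filter_packet(INBOUND, Packet("203.0.113.9", "10.10.10.7", "tcp", 40000, 445, syn=True)),
        "in_synack": filter_packet(INBOUND, Packet("203.0.113.9", "10.10.10.7", "tcp", 443, 52000, syn=True, ack=True)),
        "in_udp": filter_packet(INBOUND, Packet("203.0.113.9", "10.10.10.7", "udp", 53, 52001)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

The inbound policy also shows the limit of circuit level filtering: any packet with the ACK flag set passes the `established` rule whether or not a connection really exists, because the filter judges each packet on its own. Closing that gap is what the stateful inspection feature described later on this page is for.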
The conditions that tell a firewall what to do with a packet are expressed as rules, evaluated in order until one matches. Cisco routers provide packet and circuit level filtering through access control lists (ACLs).
To learn how to configure the packet and circuit filtering in Cisco router, you can use this tutorial.
Application level filtering (Application layer filtering)
This is the highest level of filtering. It inspects the application layer protocol carried inside the packets, such as HTTP or FTP, rather than only addresses and ports, and it can log the traffic for later investigation or action. Let's take an example.
Suppose a firewall is configured with packet and circuit level filtering to allow web traffic on port 80. Any application that opens a TCP connection to port 80 gets through, whether or not it actually speaks HTTP; tunnelling and proxy tools, and peer-to-peer programs such as BitTorrent clients, use exactly this to slip past port-based rules. To allow only genuine HTTP and block everything else on the port, configure the firewall to check the application layer protocol or the contents of each packet. After that, only well-formed HTTP traffic is allowed, and the traffic of other applications tunnelled over port 80 is denied.
Application level filtering is more complex and resource intensive than packet and circuit level filtering, and it has to be configured separately for each application layer protocol you want to allow.
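An added example (not from the original tutorial) of the content check described above: a strict validator for the first bytes a client sends on a port 80 connection. It accepts only a well-formed HTTP/1.x request and rejects a CONNECT tunnel request, a BitTorrent peer handshake, a TLS ClientHello and arbitrary bytes. The sample payloads are constructed for the demonstration; the protocol signatures (the 0x13 "BitTorrent protocol" handshake prefix and the 0x16 0x03 TLS record header) are the real ones.

```python
import re

# Request methods defined for HTTP/1.1 that fetch or modify a resource.
# CONNECT is deliberately left out and handled separately below.
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.([01])$")
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[^\r\n]*$")


def classify_port80_payload(data: bytes) -> str:
    """Return 'http' for a well-formed HTTP/1.x request, otherwise 'deny: <reason>'."""
    # Protocols commonly pushed through TCP/80 to evade port-based rules. Their
    # first bytes are fixed by the protocol, so they are easy to recognise.
    if data.startswith(b"\x13BitTorrent protocol"):   # BitTorrent peer-wire handshake
        return "deny: bittorrent handshake"
    if data.startswith(b"\x16\x03"):                   # TLS handshake record (HTTPS on port 80)
        return "deny: tls handshake"
    head, sep, _body = data.partition(b"\r\n\r\n")
    if not sep:
        return "deny: no end of headers"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "deny: malformed request line"
    method = m.group(1).decode("ascii")
    if method == "CONNECT":
        # CONNECT asks the server or proxy to open a raw tunnel to another host:
        # HTTP-shaped, but a proxy connection rather than a page fetch.
        return "deny: CONNECT tunnel request"
    if method not in HTTP_METHODS:
        return "deny: unknown method " + method
    headers = lines[1:]
    if not all(HEADER_LINE.match(h) for h in headers):
        return "deny: malformed header"
    if m.group(3) == b"1" and not any(h.lower().startswith(b"host:") for h in headers):
        return "deny: missing Host header"   # mandatory in HTTP/1.1, not in 1.0
    return "http"


# Constructed sample payloads: the first bytes each client would send on port 80.
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n",
    "old_browser": b"GET / HTTP/1.0\r\n\r\n",
    "proxy_tunnel": b"CONNECT irc.example.net:6667 HTTP/1.1\r\nHost: irc.example.net:6667\r\n\r\n",
    "torrent": b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20),
    "https": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(32),
    "junk": b"HELLO\r\n\r\n",
}


def demo() -> dict:
    """Classify every sample; only the genuine HTTP requests come back as 'http'."""
    return {name: classify_port80_payload(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} {verdict}")
```

The check is an allowlist: it does not try to recognise every tunnelling tool, it only asks whether the data is HTTP, which is why it has to know the protocol's grammar. A real application layer firewall also reassembles the TCP stream before checking, since the request line may be split across segments, and it cannot look inside TLS, so HTTPS sent to port 80 can be identified and blocked but not inspected.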
Although both types of firewall can do it, application level filtering is best left to a hardware firewall; on a software firewall it slows down the device's other functions.
For example, a router that offers a firewall as an add-on feature should not be used for application level filtering. A router's main job is to forward packets as fast as possible, so it should spend as little time as possible on each filtering decision.
When advanced security features are required, use a dedicated hardware firewall instead of overloading the software firewall with a lot of filtering configuration.
Besides the filters described above, a hardware firewall offers several additional features for filtering traffic.
One such feature that you should know is stateful inspection.
A hardware firewall can be configured to keep a table of the connections passing through it (addresses, ports and the stage of the TCP handshake each one has reached) and to use that saved information when deciding about later packets. Filtering packets against this previously recorded state is known as stateful inspection. Unlike the filters above, which judge each packet on its own, it can tell a reply that belongs to an existing connection from a stray packet that merely looks like one.
One use of this feature is to deal with DoS (denial of service) attacks. A DoS attack occurs when a host sends a service more requests than it can handle in a short period of time, so that legitimate users are denied service.
Let's take an example. A firewall is configured to allow anonymous access to a web server on port 80.
An attacker can take advantage of this permission to abuse the web server: when a server receives more requests than it can handle, it slows down or crashes.
Suppose the web server can handle 100 requests per second. To bring it down, the attacker generates 1000 requests per second. Since each request is individually valid, a packet or circuit level filter lets all of them through.
Stateful inspection can deal with this kind of attack. It tracks the number of TCP connection requests per second from each client IP address to each server address. When it notices that the request rate from a small number of clients is far above normal, it blocks those clients and so protects the server from the DoS attack.
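Stateful inspection, including the connection-request rate tracking from the DoS example, as an added example that is not part of the original tutorial. The firewall keeps a table keyed on the client's address and port, follows the three-way handshake through it, drops packets that belong to no known connection, and blocks a client once it sends more than a configured number of SYNs inside a one-second window. The addresses and the budget of 100 connection requests per second are assumed values for the demonstration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """The TCP header fields the state table is keyed on (constructed model)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


class StatefulFirewall:
    """Tracks every TCP connection to one protected server and rate-limits new
    connection attempts per client. Timestamps are passed in so the demo is
    deterministic; a real firewall would read the clock."""

    def __init__(self, server_ip: str, server_port: int = 80,
                 max_syn_per_window: int = 100, window_seconds: float = 1.0):
        self.server = (server_ip, server_port)
        self.max_syn = max_syn_per_window
        self.window = window_seconds
        self.table = {}                        # (client ip, client port) -> handshake state
        self.syn_times = defaultdict(deque)    # client ip -> timestamps of its recent SYNs
        self.blocked = set()                   # client ips that exceeded the SYN budget

    def is_blocked(self, client_ip: str) -> bool:
        return client_ip in self.blocked

    def _syn_within_budget(self, client_ip: str, now: float) -> bool:
        times = self.syn_times[client_ip]
        times.append(now)
        while times and times[0] < now - self.window:    # sliding one-second window
            times.popleft()
        if len(times) > self.max_syn:
            self.blocked.add(client_ip)
            for key in [k for k in self.table if k[0] == client_ip]:
                del self.table[key]            # discard the half-open entries the flood created
            return False
        return True

    def process(self, seg: Segment, now: float) -> str:
        if seg.src in self.blocked:
            return "drop: client blocked"
        if (seg.dst, seg.dport) == self.server:
            inbound, key = True, (seg.src, seg.sport)
        elif (seg.src, seg.sport) == self.server:
            inbound, key = False, (seg.dst, seg.dport)
        else:
            return "drop: not the protected service"
        state = self.table.get(key)
        if inbound and seg.syn and not seg.ack:            # connection-initiating segment
            if not self._syn_within_budget(key[0], now):
                return "drop: client blocked"
            self.table[key] = "SYN_SEEN"
            return "accept: new connection"
        if state is None:
            # A stateless `established` rule would pass this packet because ACK is set;
            # the state table knows that no such connection exists.
            return "drop: no matching connection"
        if seg.rst:
            del self.table[key]
            return "accept: connection reset"
        if not inbound and seg.syn and seg.ack and state == "SYN_SEEN":
            self.table[key] = "SYNACK_SEEN"
            return "accept: handshake reply"
        if inbound and seg.ack and state == "SYNACK_SEEN":
            self.table[key] = "ESTABLISHED"
            return "accept: established"
        if state == "ESTABLISHED":
            return "accept: established"
        return "drop: unexpected segment in state " + state


def demo() -> dict:
    """A normal client completes a handshake, a stray ACK is dropped, and a client
    that sends 1000 SYNs in one second is cut off once it passes the budget."""
    server = "10.10.20.5"                      # assumed server address
    fw = StatefulFirewall(server, 80, max_syn_per_window=100)
    client, port = "10.10.10.7", 51000
    out = {}
    out["syn"] = fw.process(Segment(client, port, server, 80, syn=True), 0.00)
    out["synack"] = fw.process(Segment(server, 80, client, port, syn=True, ack=True), 0.01)
    out["ack"] = fw.process(Segment(client, port, server, 80, ack=True), 0.02)
    out["stray_ack"] = fw.process(Segment("203.0.113.9", 40000, server, 80, ack=True), 0.05)
    flood = [fw.process(Segment("198.51.100.77", 20000 + i, server, 80, syn=True), 1.0 + i / 1000)
             for i in range(1000)]
    out["flood_accepted"] = flood.count("accept: new connection")
    out["flood_dropped"] = flood.count("drop: client blocked")
    out["attacker_blocked"] = fw.is_blocked("198.51.100.77")
    out["client_after_flood"] = fw.process(Segment(client, port, server, 80, ack=True), 2.5)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18s} {value}")
```

The state table is what separates this from the circuit level filter: a bare ACK from an unknown host is dropped even though its flags look like return traffic. The SYN budget is a per-source limit, so it handles a flood from a small number of clients, as the text describes; a flood spread over many source addresses needs measures outside the scope of this tutorial.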
That's all for this tutorial.
Prerequisites for 200-301
200-301 is a single exam, consisting of about 120 questions. It covers a wide range of topics, such as routing and switching, security, wireless networking, and even some programming concepts. As with other Cisco certifications, you can take it at any of the Pearson VUE certification centers.
The recommended training program that can be taken at a Cisco academy is called Implementing and Administering Cisco Solutions (CCNA). The successful completion of a training course will get you a training badge.