Firewalls and Access Control

Firewalls are the most fundamental network security control. They act as gatekeepers, deciding which traffic is allowed to enter or leave a network. Combined with access control lists (ACLs), firewalls enforce the principle of least privilege at the network level.

---

What is a Firewall?

A firewall is a security device — hardware, software, or both — that monitors and filters network traffic based on a defined set of rules. It sits at the boundary between trusted and untrusted networks.

Firewall Placement

                    ┌─────────────┐
   Internet ◀──────▶│  Firewall   │◀──────▶ Internal Network
                    └─────────────┘
                          │
                    ┌─────────────┐
                    │     DMZ     │
                    │ (Web, Mail) │
                    └─────────────┘

---

Types of Firewalls

Type	How It Works	Pros	Cons
Packet Filter	Inspects packet headers (IP, port, protocol)	Fast, simple	No state tracking, easily spoofed
Stateful Inspection	Tracks connection state (SYN, ACK, FIN)	Understands sessions	Cannot inspect application payloads
Application Layer (Proxy)	Inspects full application-layer data (HTTP, DNS, FTP)	Deep visibility	Higher latency, more resource intensive
Next-Generation Firewall (NGFW)	Combines stateful inspection, DPI, IPS, and application awareness	Comprehensive protection	Complex configuration, higher cost
Web Application Firewall (WAF)	Protects web applications from Layer 7 attacks (SQLi, XSS)	Application-specific protection	Only covers web traffic

Packet Filter vs Stateful vs NGFW

Packet Filter:     Checks IP + Port only          → Layer 3/4
Stateful:          Tracks connection state         → Layer 3/4 + state table
NGFW:              DPI + IPS + App awareness       → Layer 3-7

---

Firewall Rules

Firewall rules define what traffic is permitted or denied. Rules are evaluated top-to-bottom — the first matching rule is applied.

Rule Structure

Field	Description	Example
Source IP	Where the traffic originates	192.168.1.0/24
Destination IP	Where the traffic is going	10.0.1.50
Source Port	Originating port (often dynamic)	Any
Destination Port	Target service port	443
Protocol	TCP, UDP, ICMP	TCP
Action	Permit or Deny	Permit

Example Rule Set

#	Source	Destination	Port	Protocol	Action
1	Any	10.0.1.50	443	TCP	Permit
2	Any	10.0.1.50	80	TCP	Permit
3	192.168.1.0/24	10.0.1.100	22	TCP	Permit
4	Any	Any	Any	Any	Deny

Rule 4 is the critical default deny — any traffic not explicitly allowed is blocked.

Best Practices for Firewall Rules

1. Default deny — always end with an explicit deny-all rule
2. Principle of least privilege — only open ports and protocols that are required
3. Order matters — place more specific rules before general rules
4. Document every rule — include comments explaining the business justification
5. Regular review — audit rules quarterly and remove stale entries
6. Separate inbound and outbound — control both directions of traffic
7. Log denied traffic — capture blocked connection attempts for analysis

---

Access Control Lists (ACLs)