EngineeringNotes
Advanced Module • Network Security

Network Firewalls

The foundation of modern network defense. Learn how firewall rule engines inspect packet headers, shield private subnets, and establish packet-filtering boundaries.

01

Overview & Core Functions

A Firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predefined security rules.

It acts as a digital barrier between a trusted internal network and an untrusted external network (such as the public Internet). Without a firewall, any outside device can attempt connection handshakes with private databases, file systems, and internal hosts, exposing systems to immediate attacks.

1
Monitors & Controls

Filters all incoming and outgoing network data based on predefined configurations.

2
Acts as a Barrier

Shields private assets from malicious public packets, ensuring network perimeter safety.

Form Factors

Hardware Firewalls

Physical appliances deployed at the network perimeter (gateway); they inspect all traffic crossing the router boundary.

Software Firewalls

Applications installed locally on a host (e.g., Windows Defender, iptables), protecting that single operating system.

Core Firewall Architecture (Visual Network Diagram)

[Diagram, rendered here as text]
  • Trusted Domain: Internal Network 172.9.0.0/24
    • Secure DB 172.9.0.3
    • Application 172.9.0.10
  • Rule Filter: FIREWALL (sits between the two domains)
  • Untrusted Domain: External Network, Public IP Space
    • Blocked Attacker 179.2.4.80
    • Public Internet: Any IP
02

Host-Based vs Network-Based Firewalls

Host-Based Firewalls

Installed directly on an individual computer or host server, it protects that specific endpoint from threats regardless of the network security at the router layer.

  • Protects against internal LAN threats (lateral movement).
  • Tailored explicitly to the host operating system.
  • Examples: Windows Defender, macOS IPFW, Linux `iptables` / `ufw`.

Network-Based Firewalls

Deployed at the perimeter of a local network, filtering all traffic entering or leaving the physical/logical network segment.

  • Protects the entire ecosystem of internal machines simultaneously.
  • Usually handles high traffic volume and requires a dedicated hardware appliance.
  • Examples: Cisco ASA, Palo Alto Networks Next-Gen Gateway, Fortinet FortiGate.

03

Packet Filtering Firewalls (Layer-4)

Operating at the Transport Layer

A Packet Filtering Firewall acts at the Network (Layer 3) and Transport (Layer 4) levels of the OSI/TCP-IP networking model. Instead of reading application details, it looks purely at packet headers.

Check IP Header

Inspects the source and destination IP addresses and compares them against block lists.

Check TCP Header

Inspects the Layer 4 header fields (source port, destination port, and the TCP flags).

IP Block Capability

Can ban individual bad IP hosts, or blacklist entire network blocks.

Service Block

Can disable web HTTP (port 80), secure web HTTPS (443), FTP (21), etc.

04

The Firewall Ruleset (From Whiteboard)

Below is the exact ruleset from the whiteboard video lesson. Notice that firewalls evaluate rules sequentially, from Rule 1 down to the Default Rule. The moment a packet matches all of a rule's conditions, the firewall stops searching and executes that rule's Action: DENY discards the packet, ALLOW forwards it.

| Rule No. | Source IP | Source Port | Destination IP | Dest. Port | Action | Explanation |
|---|---|---|---|---|---|---|
| 1 | 179.2.4.80 | Any | Any | Any | DENY | Blocks all traffic from known malicious host 179.2.4.80 |
| 2 | 152.32.0.0/16 | Any | Any | Any | DENY | Blocks entire untrusted IP range 152.32.x.x |
| 3 | Any | Any | 172.9.0.3 | Any | DENY | Shields internal DB server 172.9.0.3 from direct external queries |
| 4 | Any | 80 | Any | Any | DENY | Blocks incoming traffic originating from a standard web client (Source Port 80) |
| 5 | Any | Any | Any | 21 | DENY | Blocks all FTP file transfer connections on port 21 |
| 6 | Any | Any | Any | Any | ALLOW | Default-Allow: Permits all traffic not explicitly blocked by rules 1-5 |

Key Whiteboard Observation: The whiteboard rule system is configured as Default-Allow. This means if a packet succeeds in slipping past all specific filtering blocks (Rules 1 to 5), it is automatically allowed. In highly secure real-world systems, network engineers often employ Default-Deny, where they block everything by default and only allow explicitly defined trusted ports/IPs.

05

Interactive Packet Filtering Simulator

Select a packet from the presets below (based on the whiteboard scenarios) or customize your own header fields, then run the engine to see exactly how the firewall checks the ruleset sequentially!
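As an added example that is not part of the original lesson or its interactive simulator, here is a small Python rule engine that implements the whiteboard ruleset from section 04 with the same first-match, top-down evaluation the simulator animates, and prints the sequence of rules checked for each packet. Rules 1 to 6 are transcribed from the table; the hardened `DEFAULT_DENY_RULESET` (only HTTPS to the application server 172.9.0.10 is permitted) and the sample packets (203.0.113.0/24 is a documentation address range) are constructed for this example and are not from the whiteboard.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Port = Union[int, str]   # a port number, or the wildcard "Any"


@dataclass(frozen=True)
class Packet:
    """The header fields a Layer-3/4 packet filter looks at (no payload)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    number: int
    src: str = "Any"          # single host, CIDR block, or "Any"
    src_port: Port = "Any"
    dst: str = "Any"
    dst_port: Port = "Any"
    action: str = "DENY"      # "DENY" or "ALLOW"
    note: str = ""


def _ip_matches(pattern: str, ip: str) -> bool:
    if pattern == "Any":
        return True
    # ip_network() accepts both a single host ("179.2.4.80", a /32) and a block ("152.32.0.0/16")
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _port_matches(pattern: Port, port: int) -> bool:
    return pattern == "Any" or pattern == port


def matches(rule: Rule, pkt: Packet) -> bool:
    """All four header conditions must hold for the rule to match."""
    return (_ip_matches(rule.src, pkt.src_ip)
            and _port_matches(rule.src_port, pkt.src_port)
            and _ip_matches(rule.dst, pkt.dst_ip)
            and _port_matches(rule.dst_port, pkt.dst_port))


def trace(ruleset: List[Rule], pkt: Packet) -> List[int]:
    """Rule numbers checked, in order, up to and including the first match."""
    checked = []
    for rule in ruleset:
        checked.append(rule.number)
        if matches(rule, pkt):
            break
    return checked


def evaluate(ruleset: List[Rule], pkt: Packet,
             default: str = "DENY") -> Tuple[str, Optional[int]]:
    """First-match evaluation: the first rule whose conditions all hold decides.

    `default` applies only when no rule matches at all (a ruleset with no
    catch-all); the safe choice for that case is DENY."""
    for rule in ruleset:
        if matches(rule, pkt):
            return rule.action, rule.number
    return default, None


# Rules 1-5 exactly as on the whiteboard.
SPECIFIC_RULES = [
    Rule(1, src="179.2.4.80", note="known malicious host"),
    Rule(2, src="152.32.0.0/16", note="untrusted range 152.32.x.x"),
    Rule(3, dst="172.9.0.3", note="shield the internal DB server"),
    Rule(4, src_port=80, note="source port 80"),
    Rule(5, dst_port=21, note="FTP"),
]

# Whiteboard ruleset: rule 6 is the catch-all ALLOW (default-allow).
WHITEBOARD_RULESET = SPECIFIC_RULES + [Rule(6, action="ALLOW", note="default-allow")]

# Hardened variant (constructed for this example, not on the whiteboard): only HTTPS
# to the application server 172.9.0.10 is allowed and rule 7 denies everything else.
DEFAULT_DENY_RULESET = SPECIFIC_RULES + [
    Rule(6, dst="172.9.0.10", dst_port=443, action="ALLOW", note="HTTPS to app server"),
    Rule(7, action="DENY", note="default-deny"),
]


if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.0/24 is a documentation range.
    samples = [
        Packet("179.2.4.80", 51000, "172.9.0.10", 443),    # stops at rule 1
        Packet("152.32.7.7", 51000, "172.9.0.10", 443),    # stops at rule 2
        Packet("203.0.113.5", 51000, "172.9.0.3", 5432),   # stops at rule 3
        Packet("203.0.113.5", 80, "172.9.0.10", 443),      # stops at rule 4
        Packet("203.0.113.5", 51000, "172.9.0.10", 21),    # stops at rule 5
        Packet("203.0.113.5", 51000, "172.9.0.10", 443),   # falls through to rule 6
        Packet("203.0.113.5", 51000, "172.9.0.10", 3389),  # allowed by whiteboard, denied when hardened
    ]
    for pkt in samples:
        for name, rs in (("default-allow", WHITEBOARD_RULESET), ("default-deny", DEFAULT_DENY_RULESET)):
            action, rule_no = evaluate(rs, pkt)
            print(f"{name:13} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}"
                  f"  checked {trace(rs, pkt)} -> {action} (rule {rule_no})")
```

The last sample packet is the one to watch: an RDP-style connection to port 3389 on the application server is never mentioned by rules 1 to 5, so the whiteboard's default-allow rule 6 forwards it, while the default-deny variant rejects it at rule 7 because nothing explicitly permitted it. That is the difference the Key Whiteboard Observation above describes, made concrete.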


06

Application (Proxy Firewall) Layer-5 Gateway

While Packet Filtering operates efficiently at Layer 4, the **Proxy Firewall** (also known as an **Application Gateway**) acts at the **Application Layer (Layer 5 of the TCP/IP model)**. Instead of inspecting only IP/TCP headers, it performs **Deep Packet Inspection (DPI)** by scanning the actual data payload.

Multi-Layer Defense Architecture

[Diagram, rendered here as text]
  • The Public Internet: users sending HTTPS-encrypted requests (HTTPS protocol)
  • L4 Network Firewall: checks IP & TCP headers; filters out blacklisted nodes & closed ports.
  • L5 Proxy Firewall (Gateway): decrypts & inspects data; checks credentials, verifies signatures, scans keywords.
  • Protected Zone: Web Application, Database, Mail Server

Key Features of Proxy Firewalls

1. Deep Packet Inspection (DPI)

Rather than checking just the standard network headers, it parses the entire payload. For example, a mail proxy scans incoming emails in detail, checking for keywords such as "attack" and for suspicious scripts, and drops sequences that arrived completely out of order.

2. Strong User Authentication

When a client connects to core bank portals, databases, or other sensitive accounts, the gateway inspects the encrypted user name, user ID, and password credentials. Only after active verification does it open a secure session to route the data requests to the actual database or server assets.

3. Anomaly & DDOS Mitigation

Protects internal servers from Denial of Service (DOS) and Distributed Denial of Service (DDOS) attacks. It tracks active session sequences, detects floods of repeated requests coming from either individual IPs or botnets, and immediately drops packets whose sequence numbers are invalid or out of order.

4. Complete Session Separation

There is never a direct connection between external clients and internal hosts. The proxy firewall creates one TCP session with the client, performs scanning, and establishes a completely separate secondary session to fetch data from the internal server on the client's behalf.
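As an added example that is not part of the original lesson, the following Python script ties together three of the features above: deep inspection of the payload (feature 1), a credential check before any internal resource is touched (feature 2), and full session separation (feature 4). `inspect_request` is a constructed inspection policy for a hypothetical gateway (allowed methods, a required Authorization header, scanned keywords, a size limit); `handle_client` shows the two independent TCP sessions, one with the external client and a second one the gateway itself opens to the internal host only after inspection passes. The demo runs entirely on loopback sockets with a stand-in backend; TLS termination is left out, so the requests are plaintext HTTP, and the sample requests, host names and token are constructed.

```python
import socket
import threading
from typing import Tuple

# Constructed inspection policy for this hypothetical gateway.
MAX_REQUEST_BYTES = 4096
ALLOWED_METHODS = (b"GET", b"POST")
FORBIDDEN_KEYWORDS = (b"attack", b"<script")   # constructed examples of scanned keywords


def inspect_request(payload: bytes) -> Tuple[bool, str]:
    """Deep Packet Inspection of one plaintext HTTP request.

    Returns (allowed, reason). Every check here reads the payload, which a
    Layer-4 packet filter never looks at."""
    if len(payload) > MAX_REQUEST_BYTES:
        return False, "request too large"
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete request"          # header block never terminated
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] not in ALLOWED_METHODS:
        return False, "malformed or disallowed request line"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if not headers.get(b"authorization"):
        return False, "missing credentials"          # strong-authentication gate
    lowered = payload.lower()
    for keyword in FORBIDDEN_KEYWORDS:
        if keyword in lowered:
            return False, "forbidden keyword %r" % keyword
    return True, "ok"


def handle_client(client: socket.socket, backend_addr) -> None:
    """One client session: inspect first, then open a *separate* session to the backend."""
    with client:
        request = client.recv(MAX_REQUEST_BYTES + 1)
        allowed, reason = inspect_request(request)
        if not allowed:
            # The client never reaches the internal host; the gateway answers on its own.
            client.sendall(b"HTTP/1.1 403 Forbidden\r\nX-Reason: " + reason.encode()
                           + b"\r\nContent-Length: 0\r\n\r\n")
            return
        with socket.create_connection(backend_addr) as backend:   # second, independent TCP session
            backend.sendall(request)
            client.sendall(backend.recv(65536))


def start_server(handler):
    """Listen on an ephemeral loopback port and hand each connection to `handler`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


def backend_handler(conn: socket.socket) -> None:
    """Stand-in for the internal web application."""
    with conn:
        conn.recv(65536)
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello")


# Constructed sample requests.
CLEAN_REQUEST = (b"GET /account HTTP/1.1\r\nHost: app.internal\r\n"
                 b"Authorization: Bearer demo-token\r\n\r\n")
NO_AUTH_REQUEST = b"GET /account HTTP/1.1\r\nHost: app.internal\r\n\r\n"
HOSTILE_REQUEST = (b"POST /search HTTP/1.1\r\nHost: app.internal\r\n"
                   b"Authorization: Bearer demo-token\r\nContent-Length: 8\r\n\r\nq=attack")


def run_demo():
    """Send the three requests through the gateway; returns each reply's status line."""
    backend_addr = start_server(backend_handler)
    proxy_addr = start_server(lambda c: handle_client(c, backend_addr))
    status_lines = []
    for req in (CLEAN_REQUEST, NO_AUTH_REQUEST, HOSTILE_REQUEST):
        with socket.create_connection(proxy_addr) as s:
            s.sendall(req)
            status_lines.append(s.recv(65536).split(b"\r\n")[0])
    return status_lines


if __name__ == "__main__":
    for line in run_demo():
        print(line.decode())
```

Running it prints a 200 for the clean request and a 403 for the other two. The point to notice in `handle_client` is that the backend connection is created only after inspection succeeds and is closed before the client socket is; the external client holds a socket to the gateway and nothing else, which is what "never a direct connection" means in practice.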

Comparison: Packet Filtering vs. Proxy Firewalls

Packet Filtering (L4)
  • ❌ Insufficient: Only checks header metadata
  • ⚡ Extremely fast processing speeds
  • 🔒 Minimal security; vulnerable to payload attacks
  • 🔄 Direct connection to target server is established

Proxy Firewall (L5 Gateway)
  • ✅ Deep scanning of the full data payload
  • 🐢 Slower: Requires decryption & inspection
  • 🛡️ Maximum security; shields internal topology
  • 🔀 Indirect routing; session is fully isolated

Bypassing Proxies vs. Proxy Firewalls (A Common Confusion)

Students often confuse Proxy Firewalls with the client-side proxies or VPNs they use to bypass university filters. In a college network block (where Facebook is restricted), a Virtual Private Network (VPN) encapsulates your standard network packet inside an encrypted tunnel, masking your original IP. Because the firewall in the middle cannot decrypt this tunnel, it cannot see which site you are visiting and so lets the traffic through. In contrast, an enterprise Proxy Firewall is an inbound server-side gateway, designed specifically to verify credentials, block malware, and ensure external clients meet strict internal security policies before they are allowed to reach the server.