A firewall is the guard standing between your network and the big bad world outside. In the simplest sense, a firewall is a filter that filters traffic based on rules and policies.
The processes used by a firewall to filter traffic may include the following:
- Simple packet-filtering techniques
- Proxy Servers
- Stateful Inspection Firewalls
- Transparent Firewall
- Next-generation context- and application-aware firewalls
Simple or static packet filtering is the most basic form of packet filtering. It normally operates at layer 3 or 4 of the OSI model. An example of static packet filtering would be an access list that simply allows or denies the traffic without any awareness of the communication it belongs to.
A proxy server firewall is also known as an Application Layer Gateway (ALG). A proxy server can operate at layer 3 or higher in the OSI model. It may include specialized application software that accepts a connection request from a client, puts the client on hold, and makes the connection on the client's behalf, as if it were the proxy server's own request to the service the client wants to reach. If the connection is malicious, it is dropped by the proxy server firewall.
Since we are talking about proxy servers, we might as well address the reverse proxy server. A reverse proxy server is a type of proxy server that typically sits behind the firewall in a private network and directs client requests to the appropriate backend server. A reverse proxy provides an additional level of abstraction and control to ensure the smooth flow of network traffic between clients and servers.
A reverse proxy server can perform the following tasks:
- Load balancing
- Web Acceleration
- Security and anonymity
In stateful packet filtering, the firewall remembers the state of each session. By default, a stateful firewall won't allow traffic from outside the network through it; devices on the local inside network have to initiate the session. Once a session is initiated, the firewall stores the source IP, destination IP, ports, and any other relevant information in the stateful database.
When the return traffic arrives from the outside network, it is matched against the ongoing sessions in the stateful database and then allowed through.
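To make the difference between the static access list described earlier and the stateful database described here concrete, the following is an added example (not part of the original article) that simulates both behaviours over the same three packets. The inside network 192.168.3.0/24 is borrowed from the lab topology further down; the outside addresses in 203.0.113.0/24 and all port numbers are constructed for the example, and the class and function names are the author of this example's own.

```python
"""Stateless access list vs stateful session tracking (constructed example).

The inside network is 192.168.3.0/24 (taken from the lab topology below);
203.0.113.x hosts and the port numbers are made up for this demonstration.
"""
import ipaddress
from dataclasses import dataclass

INSIDE_NET = ipaddress.ip_network("192.168.3.0/24")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def static_acl(pkt: Packet) -> bool:
    """Layer 3/4 static filter: permit any TCP packet whose destination port
    is 80 or 443, regardless of who started the conversation.  It has no
    notion of a session, so it permits an unsolicited connection attempt from
    outside to an inside web port, yet blocks the legitimate reply to an
    inside-initiated request (the reply's destination port is ephemeral)."""
    return pkt.proto == "tcp" and pkt.dst_port in (80, 443)


class StatefulFirewall:
    """Records sessions initiated from the inside; a packet arriving from
    outside is permitted only if it is the reverse of a recorded session."""

    def __init__(self) -> None:
        # (src_ip, src_port, dst_ip, dst_port, proto) of each inside-initiated session
        self.sessions: set[tuple] = set()

    @staticmethod
    def _is_inside(ip: str) -> bool:
        return ipaddress.ip_address(ip) in INSIDE_NET

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if self._is_inside(pkt.src_ip):
            # Inside host initiates: store the session and let it out.
            self.sessions.add(key)
            return True
        # From outside: match the mirrored 5-tuple against the state table.
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        return reverse in self.sessions


def demo() -> dict:
    """Run the same three packets through both filters and return the verdicts."""
    fw = StatefulFirewall()
    outbound = Packet("192.168.3.3", 51000, "203.0.113.10", 80)     # inside -> web server
    reply = Packet("203.0.113.10", 80, "192.168.3.3", 51000)        # server's reply
    unsolicited = Packet("203.0.113.99", 44444, "192.168.3.3", 80)  # outside -> inside, no session
    return {
        "acl_outbound": static_acl(outbound),         # True
        "acl_reply": static_acl(reply),               # False: dst port 51000 is not in the ACL
        "acl_unsolicited": static_acl(unsolicited),   # True: ACL cannot tell it was not requested
        "stateful_outbound": fw.allow(outbound),      # True, session recorded
        "stateful_reply": fw.allow(reply),            # True, matches recorded session
        "stateful_unsolicited": fw.allow(unsolicited),  # False, no matching session
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {'permit' if verdict else 'drop'}")
```

The two failures of the static list point in opposite directions: it drops the return traffic of a session the inside host asked for, and it permits an outside host to open a connection inward. A real static ACL is usually widened to let replies through, which is exactly what opens the inbound hole; the state table avoids the trade-off because the decision is based on the session rather than on a fixed port.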
A transparent firewall sits between the client and the server without either of them being aware of its presence. A transparent firewall can do pretty much everything a firewall can, with a few notable differences:
- A transparent firewall works at layer 2 of the OSI model
- Apart from a management IP address, the interfaces of a transparent firewall don't have IP addresses
- It can be integrated into the network without any change in topology
The following lab will clarify these concepts further.
Zone-based policy firewalls (ZPFs) are the latest development in the evolution of Cisco firewall technologies. In this activity, you will configure a basic ZPF on the edge router R3 that allows internal hosts access to external resources and blocks external hosts from accessing internal resources. You will then verify firewall functionality from internal and external hosts.
• Verify connectivity among devices before firewall configuration.
• Configure a zone-based policy (ZPF) firewall on R3.
• Verify ZPF firewall functionality using ping, SSH, and a web browser.
R3#sh run
Building configuration...

Current configuration : 3796 bytes
!
! Last configuration change at 16:27:31 UTC Sun Dec 22 2019
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
class-map type inspect match-any my-class-map
 match protocol ssh
 match protocol http
 match protocol icmp
!
policy-map type inspect my-policy-map
 class type inspect my-class-map
  inspect
 class class-default
  drop
!
zone security inside
zone security outside
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect my-policy-map
!
interface GigabitEthernet0/0
 description S3
 ip address 192.168.3.1 255.255.255.0
 zone-member security inside
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description R2
 ip address 10.2.2.1 255.255.255.252
 zone-member security outside
 duplex auto
 speed auto
 media-type rj45
!
router eigrp 10
 network 10.0.0.0
 network 192.168.3.0
 passive-interface default
 no passive-interface GigabitEthernet0/1
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
 transport input none
!
no scheduler allocate
!
end

R2#sh run
Building configuration...

Current configuration : 3497 bytes
!
! Last configuration change at 16:30:15 UTC Sun Dec 22 2019
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
!
enable secret 5 $1$oj1p$Zc77yg0FrXh.Teg3zUdqd/
!
!
no ip domain lookup
!
username cisco password 0 cisco
!
redundancy
!
!
interface GigabitEthernet0/0
 description R1
 ip address 10.1.1.2 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description R3
 ip address 10.2.2.2 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
!
router eigrp 10
 network 10.0.0.0
 passive-interface default
 no passive-interface GigabitEthernet0/1
 no passive-interface GigabitEthernet0/0
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login local
 transport input all
line vty 5 15
 login local
 transport input all
!
no scheduler allocate
!
end
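The R3 configuration above is what makes the lab's policy hold: the only zone-pair is inside-to-outside, so the ZPF default (traffic between two zones with no zone-pair is dropped) is what blocks the outside hosts. The following added example, which is not part of the lab and not a Cisco tool, parses the ZPF-relevant sections of R3's running configuration and reports, for every ordered pair of zones, whether traffic is inspected or falls through to the default drop. The embedded configuration text is R3's own output from above trimmed to the zone, class-map, policy-map and interface sections; the function `parse_zpf` and the shape of the report it returns are this example's own design.

```python
"""Audit a Cisco IOS zone-based policy firewall configuration (added example).

Reads IOS 'show run' text, collects zones, zone members, inspect class-maps
and policy-maps, and derives the effective action between each zone pair.
R3_CONFIG is R3's running configuration from the lab, trimmed to the
ZPF-relevant sections.
"""
from collections import defaultdict

R3_CONFIG = """\
hostname R3
!
class-map type inspect match-any my-class-map
 match protocol ssh
 match protocol http
 match protocol icmp
!
policy-map type inspect my-policy-map
 class type inspect my-class-map
  inspect
 class class-default
  drop
!
zone security inside
zone security outside
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect my-policy-map
!
interface GigabitEthernet0/0
 description S3
 ip address 192.168.3.1 255.255.255.0
 zone-member security inside
!
interface GigabitEthernet0/1
 description R2
 ip address 10.2.2.1 255.255.255.252
 zone-member security outside
!
end
"""


def parse_zpf(config: str) -> dict:
    """Return zones, interface membership and the effective inter-zone actions."""
    zones = set()
    zone_members = defaultdict(list)      # zone -> [interface, ...]
    class_protocols = defaultdict(list)   # class-map -> [protocol, ...]
    policy_classes = defaultdict(dict)    # policy-map -> {class-map: action}
    zone_pairs = {}                       # (src_zone, dst_zone) -> policy-map

    section = None        # (kind, key) of the top-level command being parsed
    current_class = None  # class-map currently open inside a policy-map
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        parts = raw.split()
        if not raw.startswith(" "):
            # Top-level command: decide which block (if any) the next indented lines belong to.
            section, current_class = None, None
            if parts[:2] == ["zone", "security"]:
                zones.add(parts[2])
            elif parts[:2] == ["zone-pair", "security"]:
                src = parts[parts.index("source") + 1]
                dst = parts[parts.index("destination") + 1]
                zone_pairs[(src, dst)] = None
                section = ("zone-pair", (src, dst))
            elif parts[0] == "interface":
                section = ("interface", parts[1])
            elif parts[:3] == ["class-map", "type", "inspect"]:
                section = ("class-map", parts[-1])
            elif parts[:3] == ["policy-map", "type", "inspect"]:
                section = ("policy-map", parts[-1])
            continue
        if section is None:
            continue
        kind, key = section
        if kind == "zone-pair" and parts[:3] == ["service-policy", "type", "inspect"]:
            zone_pairs[key] = parts[3]
        elif kind == "interface" and parts[:2] == ["zone-member", "security"]:
            zone_members[parts[2]].append(key)
        elif kind == "class-map" and parts[:2] == ["match", "protocol"]:
            class_protocols[key].append(parts[2])
        elif kind == "policy-map":
            if parts[0] == "class":            # "class type inspect <name>" or "class class-default"
                current_class = parts[-1]
                policy_classes[key].setdefault(current_class, None)
            elif current_class and parts[0] in ("inspect", "drop", "pass"):
                policy_classes[key][current_class] = parts[0]

    report = {"zones": sorted(zones), "members": dict(zone_members), "pairs": {}}
    for src in sorted(zones):
        for dst in sorted(zones):
            if src == dst:
                continue  # traffic within one zone is not subject to zone-pair policy
            pm = zone_pairs.get((src, dst))
            if pm is None:
                # No zone-pair: ZPF drops inter-zone traffic by default.
                report["pairs"][f"{src}->{dst}"] = {"action": "drop", "reason": "no zone-pair (ZPF default)"}
                continue
            classes = policy_classes.get(pm, {})
            inspected = [p for cm, act in classes.items() if act == "inspect" for p in class_protocols.get(cm, [])]
            report["pairs"][f"{src}->{dst}"] = {
                "action": "inspect",
                "protocols": inspected,
                "other_traffic": classes.get("class-default") or "drop",  # implicit class-default is drop
            }
    return report


if __name__ == "__main__":
    for pair, verdict in parse_zpf(R3_CONFIG)["pairs"].items():
        print(pair, verdict)
```

Run against R3's configuration, the report shows inside->outside inspecting ssh, http and icmp with everything else dropped, and outside->inside dropped because no zone-pair exists; that matches what the lab asks you to verify with ping, SSH and a web browser from both sides.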