What Does A Network Firewall Do?
brandonjcarroll.com | twitter.com/brandoncarroll | Linkedin.com/in/brandoncarroll

On Tuesday, November 15th, 2022, I hosted a LinkedIn Audio Episode where I rounded up a few industry experts to talk about Network Firewalls. In full transparency, I work for AWS and we offer a service called AWS Network Firewall. We do talk about that service late in the episode; however, the majority of the episode was spent talking about Network Firewalls in general. I personally think this is great information for anyone working on a Cisco Security Certification, the CompTIA Security+, or the AWS Certified Security - Specialty. Unfortunately, LinkedIn does not record audio events and my local capture failed, so I cannot post the episode for review. Still, in this article I'll summarize some of the key points on what a Network Firewall does, and share a few tips if you're planning on sitting the AWS Certified Security - Specialty exam.

What is a Network Firewall?

When we talk about Network Security, the “Firewall” topic inevitably comes up. What is a Network Firewall? A Network Firewall is something designed to provide selective access to traffic flows between a source and a destination device. A Network Firewall can be a hardware device installed on a network that runs software providing these controls. It can also be software running in a container, on a hypervisor as an operating system, or as an application on a host device. To be technical, a router can act as a Firewall if it makes use of software capabilities that control traffic flow. By the same logic, an Intrusion Prevention System (IPS) could technically be considered a firewall if it controls the access of a traffic flow. In most cases Network Firewalls make pass, drop, or log decisions, or some combination of those three options.

What other types of firewalls do we hear about?

You might be familiar with Windows Defender. This is a host-based firewall. macOS also has a host-based firewall. On a Linux distribution you might make use of ????????, also a host-based firewall (although in some implementations ???????? can be used as a network firewall).

The other type of firewall to be aware of is called a Web Application Firewall (WAF). A WAF is specifically designed to protect web resources from several types of attacks. A WAF is said to operate at Layer 7 of the OSI Model. A simple diagram is shown below.

Figure: The 7 Layer OSI Model

That being said, a Network Firewall typically operates at Layers 3-7, with Layers 3 and 4 being the primary layers that a Network Firewall looks at.

Stateless vs. Stateful Inspection

Two more terms to be aware of are Stateless and Stateful inspection. What do these terms refer to? When a packet makes its way through a firewall it can be matched on its 5-tuple information. This consists of the source IP address, source port, destination IP address, destination port, and transport protocol. The 5-tuple uniquely identifies a UDP or TCP session. Stateless operation works as shown in the graphic below. Traffic moving from left to right enters the firewall at interface 1. An Access Control List (ACL) matches the 5-tuple information in the packet headers. The ACL permits the traffic and it is routed out of interface 2.

Figure: Stateless Operation Initial Traffic

Next, return traffic, perhaps a TCP response to the initial traffic, enters interface 2, as seen in the graphic below.

Figure: Stateless Operation Return Traffic

Since this is stateless operation, the packet is checked against the ACL applied to interface 2. If the 5-tuple information in the packet header matches a permit statement in that ACL, the return traffic is allowed.

In stateless operation, all traffic must be explicitly permitted in each direction: the ACL at each interface must match the 5-tuple data as it appears at that interface for traffic in that direction to be allowed.

So how does stateful operation differ? The figure below depicts a traffic flow similar to the one seen above. The initial traffic flow enters the firewall on interface 1. If the traffic is permitted, a state table entry is created. The state table entry contains the 5-tuple information as seen on interface 1. The packet is routed out of interface 2 and reaches the destination.

Figure: Stateful Operation Initial Traffic

In the next image we see the return traffic. In this case the firewall consults the state table to determine whether this is a valid response to an outbound request. If, based on the 5-tuple data, it is a valid response, the traffic is allowed without the need for an ACL entry.

Figure: Stateful Operation Return Traffic
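As an added illustration (not part of the original article), here is a small Python model of the two behaviours described above: a stateless firewall that judges every packet only by the ACL on its ingress interface, and a stateful one that records permitted 5-tuples and admits their return traffic from the state table. The interface names, rule dictionaries and sample addresses are constructed for this example.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto")  # 5-tuple as seen on one interface

def reverse(f: Flow) -> Flow:
    """The 5-tuple that the return packet of flow f will carry."""
    return Flow(f.dst_ip, f.dst_port, f.src_ip, f.src_port, f.proto)

def acl_permits(acl, flow: Flow) -> bool:
    """Stateless 5-tuple match: the first rule whose fields all match decides;
    "any" is a wildcard; no matching rule means implicit deny."""
    for r in acl:
        if (r["proto"] == flow.proto
                and r["src_ip"] in ("any", flow.src_ip) and r["dst_ip"] in ("any", flow.dst_ip)
                and r["src_port"] in ("any", flow.src_port) and r["dst_port"] in ("any", flow.dst_port)):
            return r["action"] == "permit"
    return False

class StatelessFirewall:
    """Every packet, in either direction, is judged only by the ACL on its ingress interface."""
    def __init__(self, acls):  # acls: {interface name: [rule dict, ...]}
        self.acls = acls
    def handle(self, iface: str, flow: Flow) -> bool:
        return acl_permits(self.acls.get(iface, []), flow)

class StatefulFirewall(StatelessFirewall):
    """A permitted packet creates a state-table entry; return traffic is checked
    against that table first and needs no ACL entry on the other interface."""
    def __init__(self, acls):
        super().__init__(acls)
        self.state = set()
    def handle(self, iface: str, flow: Flow) -> bool:
        if reverse(flow) in self.state:  # a valid response to a tracked session
            return True
        if acl_permits(self.acls.get(iface, []), flow):
            self.state.add(flow)  # remember the 5-tuple as seen on this interface
            return True
        return False

def demo():
    # Constructed sample: a client behind interface 1 opens an HTTPS session outbound.
    out = Flow("10.0.1.10", 51000, "203.0.113.5", 443, "tcp")
    permit_https = {"action": "permit", "proto": "tcp", "src_ip": "any", "src_port": "any",
                    "dst_ip": "any", "dst_port": 443}
    stateless = StatelessFirewall({"interface1": [permit_https]})
    stateful = StatefulFirewall({"interface1": [permit_https]})
    return {"stateless_out": stateless.handle("interface1", out),
            "stateless_back": stateless.handle("interface2", reverse(out)),  # no ACL on interface 2: dropped
            "stateful_out": stateful.handle("interface1", out),
            "stateful_back": stateful.handle("interface2", reverse(out))}  # matched in the state table
```

To let the return traffic through the stateless firewall you would have to add an interface 2 rule like "permit tcp from any source port 443 to any destination port", which also admits any unsolicited packet that happens to carry source port 443. The stateful firewall admits only packets that answer an entry in its state table.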

Some AWS Specifics

Now that you have the basics of a Network Firewall down, let's talk specifically about AWS Network Firewall. As mentioned, AWS Network Firewall is a cloud-based service that provides Network Firewall functionality for your VPC. Because it's a cloud service, the way it is deployed is slightly different, yet extremely easy. To give you the fundamental understanding of what AWS Network Firewall does, I recommend reading the article "AWS Network Firewall – New Managed Firewall Service in VPC." Armed with this basic understanding you can then explore the various deployment models in the article "Deployment models for AWS Network Firewall."

Learning Resources

There are several learning resources available at low or no cost to you. My recommendation would be to get the fundamentals down first, then move into some hands-on learning in a workshop environment. Additionally, I'm told that tutorialsdojo.com has some good content for the AWS Certified Security - Specialty. I am personally using a combination of the Adrian Cantrill training, Whizlabs, and AWS classroom training.

What do you want to learn?

I'd really like to know what you're learning about and what topics you'd like to see me cover. At present I cover cloud infrastructure security topics through Twitter Spaces, LinkedIn Audio Events, blog posts, and Twitch Live Streaming. I'm always looking for feedback to make the content I create better and more applicable, so please feel free to reach out.
