Firewalls are one of the most important security technologies in modern networks.
What Is A Firewall?
A firewall is a system that controls network traffic (not to be mistaken with IDS/IPS which will be covered in Blue Teaming classes).
Its job is simple:
Allow Traffic
or
Block Traffic
based on defined rules.
Visualized:
Traffic
│
▼
Firewall
│
┌──┴──┐
│ │
Allow Block
Why Firewalls Exist
Without a firewall:
Internet
│
▼
Internal Network
Every system could potentially communicate freely.
With a firewall:
Internet
│
▼
Firewall
│
▼
Internal Network
Traffic must satisfy rules before it is permitted.
Basic Example
Suppose a web server hosts a website.
We may allow:
TCP/443
HTTPS
but block:
RDP
SMB
SQL
Visualized:
Internet
│
▼
Firewall
│
Allowed:
TCP/443
Blocked:
TCP/3389
TCP/445
TCP/1433
Firewall Rules
Rules usually contain conditions such as:
Source
Destination
Protocol
Port
Action
Example:
Allow
Source: Any
Destination: Web Server
Protocol: TCP
Port: 443
Direction
Firewalls often filter:
Inbound Traffic
and
Outbound Traffic
Inbound:
Internet
▼
Internal Host
Outbound:
Internal Host
▼
Internet
Host Firewalls
Firewalls do not have to be dedicated appliances.
Modern operating systems include built-in firewalls.
Examples:
Windows:
Windows Defender Firewall
Linux:
iptables
nftables
ufw
firewalld
Network Firewalls
Many organizations deploy dedicated Firewall appliances.
Example:
Internet
│
▼
Firewall Appliance
│
▼
Internal Network
Examples:
Palo Alto
Fortinet
Cisco
Check Point
pfSense
OPNsense
These devices often protect entire networks.
Firewalls And Segmentation
Firewalls are frequently used to separate network segments.
Example:
Workstations
│
▼
Firewall
│
▼
Servers
Rule:
Workstations
↓
Web Servers
Allowed
Workstations
↓
Domain Controllers
Blocked
This limits attacker movement.
Firewalls And DMZs
A DMZ typically relies on firewalls.
Example:
Internet
│
▼
Outer Firewall
│
▼
DMZ
│
▼
Inner Firewall
│
▼
Internal Network
Compromising a DMZ server does not automatically grant access to internal systems.
Additional firewall rules still exist.
Stateful Firewalls
Modern firewalls are usually:
Stateful
Meaning they track connections.
Example:
Client
│
▼
HTTPS Request
The firewall remembers:
This connection is valid.
and allows the response traffic.
Without state tracking:
Every packet
would need individual evaluation.
Application-Aware Firewalls
Modern enterprise firewalls can inspect applications.
Examples:
HTTP
HTTPS
DNS
SSH
RDP
Instead of only:
IP Address
Port Number
they may evaluate:
Application
User
Content
as well.
Common Misconception
Many beginners assume:
Firewall
=
Complete Security
This is false.
Firewalls are one layer of defense.
They cannot:
- Fix vulnerable software
- Prevent stolen credentials
- Stop every attack
- Replace secure configuration
They simply control traffic.
Firewalls And Operators
One of the first questions after gaining access is:
What can I reach?
The answer is often determined by:
Firewall Rules
Examples:
Can I reach the Domain Controller?
Can I reach SQL?
Can I reach the Internet?
Can I reach another VLAN?
All may depend on firewall policy.
Operators frequently plan how to bypass Firewalls, usually through techniques in which they attempt to "blend in" with normal or already allowed traffic. This also depends on the application generating the traffic - for example "notepad.exe" generating outbound HTTPS traffic is an egregious red flag.
Operator Notes
Operators frequently plan how to bypass firewalls, usually through techniques that attempt to blend in with normal or already permitted traffic.
Whether traffic appears suspicious often depends on both the application generating it and the environment in which it is observed.
For example, a text editor such as Notepad generating outbound HTTPS traffic would be an egregious anomaly and would likely attract immediate attention.
For this reason, operators often consider not only:
- Which traffic is allowed
- Which ports are open
but also:
- Which applications normally generate that traffic
- What behavior defenders expect to observe
- Whether the activity blends into the environment
Modern defenses frequently evaluate behavior and process context in addition to simple network rules.