A host-based firewall monitors traffic going in and out of a single host, such as a server or a workstation. It monitors traffic passing through the NIC and can prevent intrusions into the computer via the NIC. Many operating systems include software-based firewalls used as host-based firewalls.

Host-based firewalls provide protection for individual hosts such as servers or workstations. A host-based firewall provides intrusion protection for the host. Linux systems support xtables for firewall capabilities. Network-based firewalls are often dedicated servers or appliances and provide protection for the network.

A network-based firewall controls traffic going in and out of a network. It does this by filtering traffic based on firewall rules and allows only authorized traffic to pass through it. Most organizations include at least one network-based firewall at the boundary between their internal network and the Internet.

A network-based firewall would have two or more network interface cards (NICs) and all traffic passes through the firewall. Many network-based firewalls are dedicated servers or appliances.

Firewall Rules

  • Permission. You’ll typically see this as PERMIT or ALLOW, allowing the traffic. Most systems use DENY to block the traffic.
  • Protocol. Typically, you’ll see TCP or UDP here, especially when blocking specific TCP or UDP ports. If you want to block both TCP and UDP traffic using the same port, you can use IP instead. Using ICMP here blocks ICMP traffic, effectively blocking ping and some other diagnostics that use ICMP.
  • Source. Traffic comes from a source IP address. You can identify a specific IP address to allow or block, or a range of IP addresses. Wildcards such as any or all include all IP addresses.
  • Destination. Traffic is addressed to a destination IP address. You can identify a specific IP address to allow or block, or a range of IP addresses, just as you can with the source. Wildcards such as any or all include all IP addresses.
  • Port or protocol. Typically, you’ll see the well-known port such as port 80 for HTTP. However, some devices support codes such as www for HTTP traffic. Some systems support the use of keywords such as eq for equal, lt for less than, and gt for greater than. For example, instead of just using port 80, it might indicate eq 80.

Firewalls use a deny any any, deny any, or a drop all statement at the end of the ACL to enforce an implicit deny strategy. The statement forces the firewall to block any traffic that wasn’t previously allowed in the ACL. The implicit deny strategy provides a secure starting point for a firewall.
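The following is an added example, not code from the original text: a small first-match ACL evaluator that parses rules in the field order described above (a constructed, hypothetical syntax rather than any vendor's) and falls through to the implicit deny when nothing matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# Constructed ACL using the field order described above (hypothetical syntax, not any vendor's):
#   <permit|deny> <tcp|udp|icmp|ip> <source> <destination> [eq|lt|gt <port>]
ACL_TEXT = """
permit tcp any 203.0.113.10 eq 80
permit udp any any gt 1023
deny   ip  any any
"""

@dataclass
class Rule:
    action: str
    proto: str                   # "ip" matches tcp, udp and icmp alike
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    op: Optional[str] = None     # eq / lt / gt; None means any port
    port: Optional[int] = None

def _net(token: str) -> ipaddress.IPv4Network:
    # The wildcards "any" and "all" cover every address.
    return ipaddress.ip_network("0.0.0.0/0" if token in ("any", "all") else token, strict=False)

def parse_acl(text: str) -> list:
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        rule = Rule(parts[0], parts[1], _net(parts[2]), _net(parts[3]))
        if len(parts) == 6:                      # optional port qualifier
            rule.op, rule.port = parts[4], int(parts[5])
        rules.append(rule)
    return rules

def _port_matches(rule: Rule, port: int) -> bool:
    if rule.op is None:
        return True
    return {"eq": port == rule.port, "lt": port < rule.port, "gt": port > rule.port}[rule.op]

def evaluate(rules: list, proto: str, src: str, dst: str, dport: int = 0) -> str:
    """Return the action of the first matching rule; no match at all means implicit deny."""
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in r.src or ipaddress.ip_address(dst) not in r.dst:
            continue
        if proto in ("tcp", "udp") and not _port_matches(r, dport):
            continue
        return r.action
    return "deny"   # implicit deny: nothing in the ACL allowed this traffic
RULES = parse_acl(ACL_TEXT)
```

Because evaluation is first-match, rule order matters: a broad permit placed above a narrower deny silently overrides it, so a review should read the ACL top to bottom exactly as the firewall does.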

A web application firewall (WAF) is a firewall specifically designed to protect a web application, which is commonly hosted on a web server. In other words, it’s placed between a server hosting a web application and a client. It can be a stand-alone appliance, or software added to another device.

Web application firewalls provide strong protection for web servers. They protect against several different types of attacks, with a focus on web application attacks such as cross-site scripting attacks.

Note that you wouldn’t use a WAF in place of a network-based firewall. Instead, it provides an added layer of protection for the web application in addition to the network-based firewall.

Many buffer overflow attacks start with a series of no operation (NOOP) commands called a NOOP sled or a NOOP ramp. The WAF inspects the contents of traffic to the web server, can detect this malicious content, and blocks it. Similarly, it can detect malicious code in a cross-site scripting attack.

Advanced Firewalls

Firewall capabilities have advanced significantly over the years and are frequently identified as separate generations. Each new generation includes the capabilities of the previous generation, but adds newer capabilities. The four generations most commonly mentioned are:

  • First generation. Packet-filtering rules such as those in the previous section were the first generation of firewalls. First-generation firewalls are stateless. In other words, the firewall examines each packet individually and allows or blocks it based on the set of rules in the ACL.
  • Second generation. Second-generation firewalls added in stateful inspection. In other words, the firewall keeps track of established sessions and inspects traffic based on its state within a session. It blocks traffic that isn’t part of an established session.
  • Third generation. The third generation added application-level firewalls. An application-level firewall is aware of specific commands used in different applications or protocols. For example, a WAF is an application-level firewall that can inspect HTTP traffic and block malicious HTTP traffic.
  • Next generation. Current network-based firewalls integrate multiple capabilities into a single firewall. As new threats emerge, vendors update the firewalls to adapt. Many firewalls integrated into unified threat management appliances are next-generation firewalls.
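To make the difference between first- and second-generation filtering concrete, here is an added example (not from the original text) of minimal stateful inspection: the firewall records sessions opened from the inside network and permits inbound packets only when they are replies to one of those sessions. The inside prefix 10.0.0.0/8 and the addresses in the walk-through are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class StatefulFirewall:
    """Minimal stateful inspection: inbound packets are permitted only when they
    belong to a session that an inside host opened earlier."""
    inside: ipaddress.IPv4Network                 # the protected network (assumption)
    sessions: set = field(default_factory=set)    # (proto, in_ip, in_port, out_ip, out_port)

    def check(self, proto: str, src: str, sport: int, dst: str, dport: int,
              flags: tuple = ()) -> str:
        """Return "permit" or "deny" for one packet and update the session table."""
        if ipaddress.ip_address(src) in self.inside:
            # Outbound: remember the 5-tuple so the reply direction can be matched.
            self.sessions.add((proto, src, sport, dst, dport))
            return "permit"
        key = (proto, dst, dport, src, sport)      # reverse of the outbound tuple
        if key in self.sessions:
            if "RST" in flags:                     # peer tore the session down
                self.sessions.discard(key)
            return "permit"
        # A stateless rule such as "permit tcp any any gt 1023" would let this
        # unsolicited inbound packet through; session tracking blocks it.
        return "deny"

# Constructed walk-through: an inside client talks to a web server, then an
# unrelated outside host tries to reach the same client on the same port.
def demo() -> list:
    fw = StatefulFirewall(ipaddress.ip_network("10.0.0.0/8"))
    return [
        fw.check("tcp", "10.1.1.5", 51000, "203.0.113.10", 443),   # outbound: permit
        fw.check("tcp", "203.0.113.10", 443, "10.1.1.5", 51000),   # reply: permit
        fw.check("tcp", "198.51.100.7", 4444, "10.1.1.5", 51000),  # unsolicited: deny
    ]
```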

Protecting the Network Perimeter

A DMZ is a buffer zone between the Internet and an internal network. It allows access to services while segmenting access to the internal network. In other words, Internet clients can access the services hosted on servers in the DMZ, but the DMZ provides a layer of protection for the internal network.