Traditionally, a firewall sits in the forwarding path of all packets so that the firewall can
then choose which packets to discard and which to allow through. By doing so, the firewall
protects the network from different kinds of issues by allowing only the intended types
of traffic to flow in and out of the network. In fact, in its most basic form, firewalls do the
same kinds of work that routers do with ACLs, but firewalls can perform that packet-filtering
function with many more options, as well as perform other security tasks.
Although firewalls have some router-like features (such as packet forwarding and packet
filtering), they provide much more advanced security features than a traditional router. For
example, most firewalls can use the following kinds of logic to make the choice of whether
to discard or allow a packet:
■ Like router IP ACLs, match the source and destination IP addresses
■ Like router IP ACLs, identify applications by matching their static well-known TCP and
■ Watch application-layer flows to know what additional TCP and UDP ports are used by
a particular flow, and filter based on those ports
■ Match the text in the URI of an HTTP request—that is, look at and compare the contents
of what is often called the web address—and match patterns to decide whether to
allow or deny the download of the web page identified by that URI
■ Keep state information by storing information about each packet, and make decisions
about filtering future packets based on the historical state information (called stateful
inspection, or being a stateful firewall)
The stateful firewall feature provides the means to prevent a variety of attacks and is one
of the more obvious differences between the ACL processing of a router versus security filtering by a firewall.
Routers must spend as little time as possible processing each packet
so that the packets experience little delay passing through the router. The router cannot
take the time to gather information about a packet, and then for future packets, consider
some saved state information about earlier packets when making a filtering decision.
Because they focus on network security, firewalls do save some information about packets
and can consider that information for future filtering decisions.
As an example of the benefits of using a stateful firewall, consider a simple denial of service
(DoS) attack. An attacker can make this type of attack against a web server by using tools
that create (or start to create) a large volume of TCP connections to the server. The firewall
might allow TCP connections to that server normally, but imagine that the server might
typically receive 10 new TCP connections per second under normal conditions and 100 per
second at the busiest times. A DoS attack might attempt thousands or more TCP connections
per second, driving up CPU and RAM use on the server and eventually overloading
the server to the point that it cannot serve legitimate users.
A stateful firewall could be tracking the number of TCP connections per second—that is,
recording state information based on earlier packets—including the number of TCP connection
requests from each client IP address to each server address. The stateful firewall could
notice a large number of TCP connections, check its state information, and then notice that
the number of requests is very large from a small number of clients to that particular server,
which is typical of some kinds of DoS attacks. The stateful firewall could then start filtering
those packets, helping the web server survive the attack, whereas a stateless firewall or a
router ACL would not have had the historical state information to realize that a DoS attack
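The per-client connection tracking just described, as an added example that is not from the book: a small stateful tracker that keeps the timestamps of recent SYN-only segments for each (client, server) pair and starts dropping once one client exceeds a per-second threshold (the 100-per-second busy-hour rate above). The traffic, addresses, window and threshold are constructed for the illustration.

```python
from collections import defaultdict, deque

# Constructed sample traffic: (timestamp_s, src_ip, dst_ip, tcp_flags).
# One legitimate client opens 5 connections in half a second; one attacker
# sends 500 SYN-only segments to the same web server within one second.
SAMPLE_PACKETS = (
    [(i * 0.1, "203.0.113.7", "192.0.2.10", "SYN") for i in range(5)]
    + [(0.3, "203.0.113.7", "192.0.2.10", "ACK")]
    + [(i * 0.002, "198.51.100.9", "192.0.2.10", "SYN") for i in range(500)]
)


class StatefulSynTracker:
    """Per (client, server) pair, remember when recent SYN-only segments arrived.

    A stateless ACL sees each SYN in isolation; this tracker keeps history so
    it can notice one client opening far more connections than normal.
    """

    def __init__(self, window_seconds=1.0, threshold=100):
        self.window = window_seconds        # how much history to keep per pair
        self.threshold = threshold          # new connections per window before dropping
        self.state = defaultdict(deque)     # (client, server) -> SYN timestamps

    def observe(self, ts, src, dst, flags):
        """Return 'allow' or 'drop' for one packet; only SYN-only segments add state."""
        if flags != "SYN":
            return "allow"                  # not a new connection attempt
        recent = self.state[(src, dst)]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                # age out SYNs older than the window
        return "drop" if len(recent) > self.threshold else "allow"


def run(packets, **tracker_args):
    """Feed packets in time order; return per-client allow/drop counts."""
    tracker = StatefulSynTracker(**tracker_args)
    counts = defaultdict(lambda: {"allow": 0, "drop": 0})
    for ts, src, dst, flags in sorted(packets):
        counts[src][tracker.observe(ts, src, dst, flags)] += 1
    return dict(counts)


if __name__ == "__main__":
    for client, c in run(SAMPLE_PACKETS).items():
        print(client, c)
```

With the constructed input, the legitimate client's six segments all pass, while the attacker's first 100 SYNs in the window pass and the remaining 400 are dropped; a stateless ACL has no way to reach that second verdict.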
Firewalls not only filter packets, they also pay close attention to which host initiates communications.
That concept is most obvious with TCP as the transport layer protocol, where
the client initiates the TCP connection by sending a TCP segment that sets the SYN bit only.
Firewalls use logic that considers which host initiated a TCP connection by watching these
initial TCP segments. To see the importance of who initiates the connections, think about
a typical enterprise network with a connection to the Internet, as shown in Figure 5-6. The
company has users inside the company who open web browsers, initiating connections to
web servers across the Internet. However, by having a working Internet connection, that
same company opens up the possibility that an attacker might try to create a TCP connection
to the company’s internal web servers used for payroll processing. Of course, the company
does not want random Internet users or attackers to be able to connect to their payroll
Firewalls use the concept of security zones (also called a zone for short) when defining
which hosts can initiate new connections. The firewall has rules, and those rules define
which host can initiate connections from one zone to another zone. Also, by using zones, a
firewall can place multiple interfaces into the same zone, in cases for which multiple interfaces
should have the same security rules applied.
Most companies have an inside and outside zone, as well as a special zone called the demilitarized
zone (DMZ). Although the DMZ name comes from the real world, it has been used
in IT for decades to refer to a firewall security zone used to place servers that need to be
available for use by users in the public Internet. For example, Figure 5-8 shows a typical
Internet edge design, with the addition of a couple of web servers in its DMZ connected
through the firewall. The firewall then needs another rule that enables users in the zone
outside—that is, users in the Internet—to initiate connections to those web servers in the
DMZ. By separating those web servers into the DMZ, away from the rest of the enterprise,
the enterprise can prevent Internet users from attempting to connect to the internal devices
in the inside zone, preventing many types of attacks.
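The two ideas from the preceding paragraphs, watching who sends the initial SYN and applying zone-to-zone initiation rules, combined in one added example that is not the book's or Cisco's code. The addressing, the three zones and the policy table are constructed: inside hosts may open anything toward the Internet, Internet users may open only ports 80 and 443 toward the DMZ, and nothing else may start a connection; later segments of an allowed connection pass in either direction because the firewall remembered the flow.

```python
import ipaddress

# Constructed addressing and zone layout (documentation prefixes, not a real network).
ZONE_PREFIXES = {
    "inside": ipaddress.ip_network("10.1.0.0/16"),   # users and the payroll server
    "dmz": ipaddress.ip_network("192.0.2.0/24"),     # public web servers
}
# Who may initiate new TCP connections to whom; anything not listed is denied.
INITIATION_POLICY = [
    ("inside", "outside", None),      # employees browsing the Internet, any port
    ("outside", "dmz", {80, 443}),    # Internet users reaching DMZ web servers only
]


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONE_PREFIXES.items():
        if addr in net:
            return zone
    return "outside"                  # everything else is the Internet


class ZoneFirewall:
    def __init__(self):
        self.flows = set()            # (src, dst, sport, dport) of connections allowed to start

    @staticmethod
    def initiation_allowed(src_zone, dst_zone, dport):
        return any(fz == src_zone and tz == dst_zone and (ports is None or dport in ports)
                   for fz, tz, ports in INITIATION_POLICY)

    def process(self, src, dst, sport, dport, flags):
        """Return 'allow' or 'deny' for one TCP segment, using zones plus connection state."""
        fwd, rev = (src, dst, sport, dport), (dst, src, dport, sport)
        if fwd in self.flows or rev in self.flows:
            return "allow"            # later segments (either direction) of a known connection
        if flags == "SYN" and self.initiation_allowed(zone_of(src), zone_of(dst), dport):
            self.flows.add(fwd)       # the client's first segment opens state
            return "allow"
        return "deny"                 # new connection the policy forbids, or no state


def demo():
    fw = ZoneFirewall()
    return {
        "inside->internet https": fw.process("10.1.5.20", "198.51.100.5", 51000, 443, "SYN"),
        "internet replies to that": fw.process("198.51.100.5", "10.1.5.20", 443, 51000, "SYN-ACK"),
        "internet->dmz web": fw.process("198.51.100.5", "192.0.2.80", 40000, 80, "SYN"),
        "internet->dmz ssh": fw.process("198.51.100.5", "192.0.2.80", 40001, 22, "SYN"),
        "internet->payroll": fw.process("198.51.100.5", "10.1.9.9", 40002, 443, "SYN"),
        "stray ack, no state": fw.process("198.51.100.5", "10.1.9.9", 40003, 443, "ACK"),
    }
```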
Intrusion Prevention Systems (IPS)
Traditionally, a firewall works with a set of user-configured rules about where packets
should be allowed to flow in a network. The firewall needs to sit in the path of the packets
so it can filter the packets, redirect them for collection and later analysis, or let them continue
toward their destination.
A traditional intrusion prevention system (IPS) can sit in the path packets take through the
network, and it can filter packets, but it makes its decisions with different logic. The IPS
first downloads a database of exploit signatures. Each signature defines different header
field values found in sequences of packets used by different exploits. Then the IPS can
examine packets, compare them to the known exploit signatures, and notice when packets
may be part of a known exploit. Once identified, the IPS can log the event, discard packets,
or even redirect the packets to another security application for further examination.
A traditional IPS differs from firewalls in that instead of an engineer at the company defining
rules for that company based on applications (by port number) and zones, the IPS
applies the logic based on signatures supplied mostly by the IPS vendor. Those signatures
look for these kinds of attacks:
To accomplish its mission, the IPS needs to download and keep updating its signature
database. Security experts work to create the signatures.
For example, think about what happens when an entirely new computer virus has been created.
Host-based security products, like antivirus software, should be installed on the computers
inside the company. These tools use a similar model as the IPS, keeping an updated
database of virus signatures. The signatures might look for patterns in how a computer virus
could be stored inside files on the computer, or in files sent to the computer via email or
web browsers. But there will be some time lag between the day when the virus has been
discovered (called zero-day attacks) and when researchers have developed a virus signature,
changed their database, and allowed time for all the hosts to update their antivirus software.
The hosts are at risk during this time lag.
The IPS provides a complementary service to prevent viruses. Researchers will look for ways
an IPS could recognize the same virus while in flight through the network with new IPS signatures—
for instance, looking for packets with a particular port and a particular hex string
in the application payload. Once developed, the IPS devices in the network need to be
updated with the new signature database, protecting against that virus. Both the host-based
and IPS-based protections play an important role, but the fact that one IPS protects sections
of a network means that the IPS can sometimes more quickly react to new threats to protect
Cisco Next-Generation Firewalls
The CCNA 200-301 exam topics mention the terms firewall and IPS but prefaced with the
term next-generation. Around the mid-2010s, Cisco and some of their competitors started
using the term next generation when discussing their security products to emphasize some
of the newer features. In short, a next-generation firewall (NGFW) and a next-generation
IPS (NGIPS) are the now-current firewall and IPS products from Cisco.
However, the use of the term next generation goes far beyond just a marketing label: the
term emphasizes some major shifts and improvements over the years. The security industry
sees endless cycles of new attacks followed by new solutions, with some solutions requiring
new product features or even new products. Some of the changes that have required
new security features include the proliferation of mobile devices—devices that leave the
enterprise, connect to the Internet, and return to the enterprise—creating a whole new level
of risk. Also, no single security function or appliance (firewall, IPS, antimalware) can hope
to stop some threats, so the next-generation tools must be able to work better together to
provide solutions. In short, the next-generation products have real useful features not found
in their predecessor products.
As for Cisco products, for many years Cisco branded its firewalls as the Cisco Adaptive
Security Appliance (ASA). Around 2013, Cisco acquired Sourcefire, a security product company.
Many of the next-generation firewall (and IPS) features come from software acquired
through that acquisition. As of 2019 (when this chapter was written), all of Cisco’s currently
sold firewalls have names that evoke memories of the Sourcefire acquisition, with most of the
firewall product line being called Cisco Firepower firewalls (www.cisco.com/go/firewalls).
An NGFW still does the traditional functions of a firewall, of course, like stateful filtering
by comparing fields in the IP, TCP, and UDP headers, and using security zones when defining
firewall rules. To provide some insight into some of the newer next-generation features,
consider the challenge of matching packets with ports:
1. Each IP-based application should use a well-known port.
2. Attackers know that firewalls will filter most well-known ports from sessions initiated
from the outside zone to the inside zone (see Figure 5-8).
3. Attackers use port scanning to find any port that a company’s firewall will allow
through right now.
4. Attackers attempt to use a protocol of their choosing (for example, HTTP) but with
the nonstandard port found through port scanning as a way to attempt to connect to
hosts inside the enterprise.
The sequence lists a summary of some of the steps attackers need to take but does not list
every single task. However, even to this depth, you can see how attackers can find a way to
send packets past the corporate firewall.
The solution? A next-generation firewall that looks at the application layer data to identify
the application instead of relying on the TCP and UDP port numbers used. Cisco performs
their deep packet inspection using a feature called Application Visibility and Control
(AVC). Cisco AVC can identify many applications based on the data sent (application layer
headers plus application data structures far past the TCP and UDP headers). When used
with a Cisco NGFW, instead of matching port numbers, the firewall matches the application,
defeating attacks like the one just described.
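An added example, not Cisco's AVC code, showing the difference the preceding numbered steps and this paragraph describe: a port-based rule and an application-based rule judging the same inbound first segments. The port allow-list, the application allow-list and the three fingerprints (an HTTP request line, an SSH banner, a TLS ClientHello record) are constructed and deliberately simplified; a real DPI engine identifies far more applications and looks deeper into the flow.

```python
# Constructed inbound policy for one enterprise edge. The port-based rule is what a
# traditional firewall checks; the application rule is what an AVC-style NGFW checks.
ALLOWED_INBOUND_PORTS = {443, 8443}   # 8443 left open for a legacy app: the port a scan would find
ALLOWED_INBOUND_APPS = {"tls"}


def _looks_like_http(p: bytes) -> bool:
    method = p.split(b" ", 1)[0]
    return method in {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE"} and b" HTTP/1." in p


def _looks_like_tls_client_hello(p: bytes) -> bool:
    # TLS record: type 0x16 (handshake), version 0x03 0x0x, 2-byte length, then handshake type 0x01
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01


# Simplified application fingerprints (constructed; a real DPI engine knows far more).
APP_SIGNATURES = [
    ("http", _looks_like_http),
    ("ssh", lambda p: p.startswith(b"SSH-2.0-")),
    ("tls", _looks_like_tls_client_hello),
]


def identify_application(payload):
    """Name the application from the first client payload, ignoring the port entirely."""
    for app, matches in APP_SIGNATURES:
        if matches(payload):
            return app
    return None


def port_firewall_verdict(dport, payload):
    return "allow" if dport in ALLOWED_INBOUND_PORTS else "deny"


def ngfw_verdict(dport, payload):
    app = identify_application(payload)
    # Unknown application: fail closed for connections initiated from the outside.
    return "allow" if app in ALLOWED_INBOUND_APPS else "deny"


# Constructed first-segment payloads arriving from the outside zone toward an inside host.
SAMPLE_FLOWS = [
    ("tls on 443", 443, bytes.fromhex("160301002c010000280303") + b"\x00" * 20),
    ("ssh hidden on 443", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("http on scanned port 8443", 8443, b"GET /payroll HTTP/1.1\r\nHost: hr.example\r\n\r\n"),
    ("http on 80", 80, b"GET / HTTP/1.1\r\nHost: hr.example\r\n\r\n"),
]


def compare(flows=SAMPLE_FLOWS):
    """Return {name: (port-based verdict, application-based verdict)}."""
    return {name: (port_firewall_verdict(port, payload), ngfw_verdict(port, payload))
            for name, port, payload in flows}
```

The port-based rule passes both the SSH session disguised on 443 and the HTTP request on the scanned port 8443, because it only sees numbers it was told to allow; the application-based rule denies both because the payload does not match any application the policy permits inbound.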
The following list mentions a few of the features of an NGFW. Note that while NGFW is
a useful term, the line between a traditional firewall and a next-generation firewall can be
a bit blurry, as the terms describe products that have gone through repeated changes over
long periods of time. This list does summarize a few of the key points, however:
■ Traditional firewall: An NGFW performs traditional firewall features, like stateful firewall
filtering, NAT/PAT, and VPN termination.
■ Application Visibility and Control (AVC): This feature looks deep into the application
layer data to identify the application. For instance, it can identify the application based
on the data, rather than port number, to defend against attacks that use random port
■ Advanced Malware Protection: NGFW platforms run multiple security services, not
just as a platform to run a separate service, but for better integration of functions. A
network-based antimalware function can run on the firewall itself, blocking file transfers
that would install malware, and saving copies of files for later analysis.
■ URL Filtering: This feature examines the URLs in each web request, categorizes the URLs,
and either filters or rate limits the traffic based on rules. The Cisco Talos security group
monitors and creates reputation scores for each domain known on the Internet, with URL
filtering being able to use those scores in its decision to categorize, filter, or rate limit.
■ NGIPS: The Cisco NGFW products can also run their NGIPS feature along with the