Information Assurance and
Security
ITec 4133
Chapter 3
Network Firewall Security
By: Mulatu D. 1
Presentation outline
• Definitions and Terminology
• Internet Security Architecture
• IPv6 Security Considerations
• Host Security (authentication and authorization
techniques)
Network Firewall security
• One of the major challenges that companies face when trying to secure
their sensitive data is finding the right tools for the job.
• Even for a common tool such as a firewall (sometimes called a
network firewall), many businesses might not have a clear idea of how to
find the right firewall (or firewalls) for their needs, how to configure those
firewalls, or why such firewalls might be necessary.
• A network firewall is a security system that acts as a barrier between a
trusted internal network and untrusted external networks, like the internet.
• It monitors, filters and controls both incoming and outgoing network
traffic based on predetermined security rules to protect the network from
threats such as malware, unauthorized access and cyber attacks.
• It is one of the most important parts of network protection.
• A firewall is a security device (hardware, software or both).
• It decides whether to allow or block specific traffic depending on:
o Source and destination IP address
o Port numbers
o Protocols
o Application types
• How does a firewall provide security?
o Barriers:
• a firewall establishes a security
boundary, ensuring all network
traffic passes through it for
inspection before reaching the
internal network.
• It blocks suspicious or dangerous
traffic from the internet before it
reaches the company network.
• It is a protection wall between
trusted and untrusted networks.
• It ensures confidentiality, integrity
and availability of the internal
network.
o Traffic Monitoring
• It examines data packets attempting to enter or leave a
network comparing their origin, destination and type
against its security rules.
• Observing, analyzing and recording data packets that
travel across a network.
• The firewall watches who is sending what, to where, and how.
• The firewall looks for:
o Unusual traffic volume
o Unauthorized access attempts
o Malicious IP address
o Port scans
o Suspicious protocols
o Application misuse
o Filtering and blocking
• Based on the security policies, the firewall either allows
legitimate traffic to pass or blocks malicious or
unauthorized traffic.
o Threat prevention:
• By filtering traffic, firewalls prevent external threats like
viruses, phishing attacks and denial of service (DoS)
attacks from entering the network.
o Insider threat mitigation:
• Firewalls can also restrict outgoing traffic to prevent data exfiltration
and identify risky applications or known bad actors within the
network.
o Logging and awareness:
• Logging is a fundamental security concept that involves recording all
significant activities and events occurring in an information system.
• It is part of the monitoring and incident detection phase of
security management.
• Firewalls record connection attempts and other network
activity, which helps in identifying suspicious behavior and
improving security awareness.
• Examples:
o Login attempts (successful or failed)
o Firewall traffic logs (allowed/denied)
o File access and modification logs
o System configuration changes
• Types of Firewalls
1. Packet-filtering firewall
• A packet-filtering firewall is a network security device that inspects
incoming and outgoing network data packets, allowing or
blocking them based on a pre-defined set of rules.
• These rules typically involve checking a packet’s source and
destination IP addresses, ports, and the protocol being used.
• The header information (IP address, port, protocol) is compared
against a set of predefined rules, often called an access control
list (ACL).
• If the packet matches an “allow” rule, it is permitted to pass to its
destination; if the packet does not match an “allow” rule or
matches a “deny” rule, it is blocked/dropped.
• Limitation: this fundamental security measure is less secure
than modern firewalls because it examines packet headers
without inspecting the packet contents, making it vulnerable to
attacks that bypass simple rule checks.
2. Stateful inspection firewall
• A stateful inspection firewall is a network security device that
monitors active connections by tracking a "state table" of
information like IP addresses, ports, and protocols.
• It uses this context to make intelligent decisions about whether
incoming or outgoing traffic is part of a legitimate, established
session, providing more comprehensive security.
• It monitors entire sessions or connections, not just individual
packets.
• Tracks the state of each connection, but not the application content it carries.
• Only allows packets that are part of a valid established
connection.
• Example: If you initiate a web request to [Link], the firewall
remembers that and allows the returning packets.
• But if a random packet comes from the internet with no matching
outbound request, it blocks it.
• More secure than simple packet filters
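The state-table behaviour described above, as an added example written for these notes (it is not code from the slides or from any firewall vendor). It assumes a trusted network of 10.0.0.0/8, a constructed packet model and a constructed traffic sequence; a real implementation also tracks sequence numbers, timeouts and half-open connection limits.

```python
import ipaddress
from collections import namedtuple

# Constructed packet model: the 5-tuple plus the TCP flags that drive state changes.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto flags")


class StatefulFirewall:
    """Simplified stateful inspection model (added example, not vendor code).

    Connections started from the trusted side create a state-table entry.
    Inbound packets are accepted only when they match an existing entry in
    the reverse direction; any other inbound packet is dropped.
    """

    def __init__(self, trusted_net):
        self.trusted = ipaddress.ip_network(trusted_net)  # assumed inside network
        self.state = {}  # (src_ip, src_port, dst_ip, dst_port, proto) -> status

    def _internal(self, ip):
        return ipaddress.ip_address(ip) in self.trusted

    @staticmethod
    def _key(p):
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)

    @staticmethod
    def _reverse_key(p):
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)

    def handle(self, p):
        """Return 'ALLOW' or 'DROP' for one packet and update the state table."""
        if self._internal(p.src_ip):
            return self._outbound(p)
        return self._inbound(p)

    def _outbound(self, p):
        key = self._key(p)
        if key in self.state:
            if p.flags & {"FIN", "RST"}:
                del self.state[key]          # connection torn down by the client
            return "ALLOW"
        if p.proto == "tcp" and p.flags == {"SYN"}:
            self.state[key] = "SYN_SENT"     # new connection request
            return "ALLOW"
        if p.proto == "udp":
            self.state[key] = "UDP_PSEUDO"   # UDP has no handshake: pseudo-state
            return "ALLOW"
        return "DROP"                        # out-of-state TCP segment (e.g. stray ACK)

    def _inbound(self, p):
        key = self._reverse_key(p)
        status = self.state.get(key)
        if status is None:
            return "DROP"                    # no matching outbound request
        if p.flags & {"FIN", "RST"}:
            del self.state[key]              # server side closed or reset
        elif status == "SYN_SENT" and p.flags == {"SYN", "ACK"}:
            self.state[key] = "ESTABLISHED"
        return "ALLOW"


def run_demo():
    """Replay a short constructed traffic sequence; return (verdicts, table size)."""
    fw = StatefulFirewall("10.0.0.0/8")
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    seq = [
        Packet("10.0.0.5", 51000, "203.0.113.10", 80, "tcp", syn),       # client opens
        Packet("203.0.113.10", 80, "10.0.0.5", 51000, "tcp", synack),    # server answers
        Packet("10.0.0.5", 51000, "203.0.113.10", 80, "tcp", ack),       # handshake done
        Packet("198.51.100.7", 4444, "10.0.0.5", 22, "tcp", syn),        # unsolicited inbound
        Packet("203.0.113.10", 80, "10.0.0.5", 51001, "tcp", synack),    # reply to wrong port
        Packet("203.0.113.10", 80, "10.0.0.5", 51000, "tcp", frozenset({"RST"})),  # reset
        Packet("203.0.113.10", 80, "10.0.0.5", 51000, "tcp", ack),       # after teardown
    ]
    return [fw.handle(p) for p in seq], len(fw.state)


if __name__ == "__main__":
    print(run_demo())
```

The fourth and fifth packets are the case the slide describes: they arrive from the internet with no matching outbound request, so the table lookup fails and they are dropped even though a plain packet filter with a "permit established" rule might have let them through.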
3. Proxy firewall (application level gateway)
• Works at application layer (layer 7)
• Acts as an intermediary between users and services
• A proxy firewall, also known as an application-level gateway
(ALG), acts as an intermediary that inspects and filters traffic at the
application layer (layer 7) of the OSI model, providing more
granular security than traditional firewalls.
• By creating a proxy between a client and server, it can analyze
the content of individual packets to enforce policies based on
data such as URLs or application protocols like FTP.
• This allows it to block web application attacks, filter unwanted
content, and log activity, though it can introduce performance
overhead.
• So, the website never sees your real IP address — it only sees the
proxy’s IP.
• Filters based on content (E.g http, ftp)
4. Cloud firewall
• A cloud firewall is a network security solution deployed in the
cloud, designed to protect cloud infrastructure, applications, and
data from unauthorized access, Distributed Denial of Service
attacks, malware, and more.
• A cloud firewall, also known as Firewall-as-a-Service (FWaaS), is a
software-based, virtual security device that protects cloud-based
resources from unwanted network access.
• Unlike traditional firewalls that are physical hardware, cloud
firewalls are hosted in the cloud, making them flexible, scalable,
and accessible from anywhere to protect virtual assets and
applications.
• They filter network traffic based on predefined rules, acting as a
virtual barrier around cloud platforms, infrastructure, and data.
• Examples of cloud firewalls:- Azure Firewall, Google Cloud Platform Firewall,
Netskope cloud firewall.
5. Next generation firewall
• A next-generation firewall (NGFW) is a network security
device that combines traditional firewall functions with
advanced threat protection features.
• Combines traditional firewall with intrusion prevention,
deep packet inspection, and application awareness.
• Unlike traditional firewalls that primarily filter based on
ports and protocols, NGFWs use deep packet inspection to
identify and control applications, users, and content,
offering advanced capabilities like intrusion prevention,
application awareness, and threat intelligence.
• Firewall security policies
• Firewall security policies are a set of rules and high-level
guidelines that define how a firewall manages network traffic to
protect an internal network from unauthorized access.
• A firewall security policy defines what type of traffic (data packets)
is allowed or denied between different parts of a network (for
example, between the internal network and the internet).
• They operate on a positive security model, by default, blocking all
traffic unless explicitly allowed, and are based on criteria like
source/destination IP address, service, and direction.
• Define what traffic is allowed or blocked.
• Example:- allow internal users to access web services (HTTP)
• Block all incoming traffic from unknown IP
• Firewall policy should be documented in the system security plan
and maintained and updated frequently as classes of new attacks
or vulnerabilities arise, or as the organization’s needs regarding
network applications change.
• Objectives of Firewall Policies
o Protect the internal network from external threats.
o Implement a multi-layered defense strategy including a firewall and
Intrusion Detection System (IDS), regularly update software and use
antivirus, enforce strong access controls and password policies, encrypt
sensitive data, and train employees on cybersecurity practices.
o Control user access to internet or network resources.
o Control user access to internet or network resources through methods
like Network Access Control (NAC), which uses security policies to
authorize compliant users and devices, and by implementing firewalls,
which act as a barrier against unauthorized access. Other key techniques
include using Multi-factor authentication (MFA), setting up Access
control lists (ACL) to define rules, and employing Role-based access
control (RBAC) to grant permissions based on a user's role.
o Prevent data leaks or unauthorized data transfer.
o To prevent data leaks and unauthorized data transfer,
organizations must implement a multi-layered security strategy
that combines robust technical controls, clear data management
policies, and comprehensive employee training. Key measures
include data encryption, strong access controls, and data loss
prevention (DLP) software
o Maintain logs for auditing and compliance.
o To maintain logs for auditing and compliance, implement clear
policies for log retention and access control, use tamper-resistant
storage, and regularly review logs for anomalies. Log management
ensures accountability, supports security investigations, and
proves compliance with regulations by providing a detailed history
of system and user activities
o Ensure only legitimate traffic passes through.
o Creating a set of security rules that monitors and filters all
• Policies include:
I. Access control lists
• An access control list (ACL) is a list of permissions associated with
a system resource that specifies which users or processes can
access it and what actions they can perform.
• An Access Control List (ACL) is a security feature used in
computer systems and networks to control who can access
what — it specifies which users or devices are allowed or denied
access to specific resources (like files, folders, or network traffic).
• Each entry in an ACL typically defines a user or group and the
specific rights granted or denied (e.g., read, write, execute).
• These lists are used in both operating systems and network
devices like routers and firewalls to control permissions, filter
traffic, and protect against unauthorized access.
• They work by inspecting data packets based on details like IP
address, protocol and port number.
• These rules determine whether to permit or block specific traffic.
• How does an ACL work?
• A file system is an arrangement of files. An ACL is a table that tells a computer's
operating system which access rights each user has to a system object,
such as a single file or a file directory.
• Each object has a security attribute that identifies the access control list it
belongs to.
• Each user with access privileges to the object gets an entry in the list.
• The ability to read a single file (or all of the files) in a directory,
execute the file, or write to the file or files are all
common privileges.
• Microsoft Windows NT/2000, Novell's NetWare, Digital's OpenVMS, and
UNIX-based systems are examples of operating systems that use an
ACL.
• When a user requests an object in an ACL-based security model, the
operating system checks the ACL for a matching entry to see whether the
requested action is permitted.
• Types of ACL
A. Network ACLs (used in routers, switches, firewalls)
• These control network traffic — deciding which packets are
allowed or denied.
a) Standard ACL
• Filters traffic based only on source IP address.
• Simpler but less flexible.
• Applied near the destination (to avoid blocking too much traffic).
• Example (Cisco syntax):
b) Extended ACL
• Filters based on source IP, destination IP, protocol, and port
number.
• More powerful and specific than Standard ACLs.
• Usually applied close to the source.
• Example:
b) Extended ACL (First line code meaning)
b) Extended ACL (Second line code meaning)
c) Reflexive ACLs:
• Also known as IP session ACLs, these use information from upper-
layer sessions to filter traffic, allowing return traffic to pass
through while blocking unwanted inbound traffic.
d) Dynamic ACLs:
• A Dynamic ACL (also called a Lock-and-Key ACL) is a type of network
Access Control List that allows temporary, controlled access to a network
after a user authenticates. It’s more flexible than standard or extended
ACLs because it doesn’t allow permanent access.
o A user tries to access a protected resource (like a server).
o The router/firewall blocks the traffic temporarily.
o The user is redirected to a login page (or authentication server).
o After successful authentication, the router dynamically adds a temporary
ACL entry for that user.
o The user can now access the resource for a limited time.
o After the time expires, the temporary ACL entry is removed automatically.
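The six lock-and-key steps above, as an added example written for these notes (not Cisco IOS code or any vendor's implementation). It assumes a constructed protected server 10.0.0.50, a constructed user "alice", a 300-second entry lifetime and an injectable clock so that expiry can be exercised without waiting; the authentication server is modelled as a local PBKDF2 password check.

```python
import hashlib
import hmac
import os
import time


class DynamicACL:
    """Lock-and-key style dynamic ACL model (added example, not IOS code).

    Access to a protected destination is denied until the source address
    authenticates; a temporary permit entry is then added with an expiry
    time and removed automatically once it has elapsed.
    """

    def __init__(self, protected_hosts, lifetime_seconds, clock=time.time):
        self.protected = set(protected_hosts)   # constructed list of protected servers
        self.lifetime = lifetime_seconds
        self.clock = clock                      # injectable so expiry can be tested
        self.users = {}                         # username -> (salt, password hash)
        self.entries = {}                       # (src_ip, dst_ip) -> expiry timestamp

    def add_user(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = (salt, digest)

    def _verify(self, username, password):
        record = self.users.get(username)
        if record is None:
            return False
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, stored)

    def _expire(self):
        now = self.clock()
        for key in [k for k, exp in self.entries.items() if exp <= now]:
            del self.entries[key]               # step 6: temporary entry removed

    def check(self, src_ip, dst_ip):
        """Return 'permit' or 'deny' for a packet from src_ip to dst_ip (steps 1, 2, 5)."""
        self._expire()
        if dst_ip not in self.protected:
            return "permit"                     # non-protected traffic is unaffected
        return "permit" if (src_ip, dst_ip) in self.entries else "deny"

    def authenticate(self, src_ip, dst_ip, username, password):
        """Steps 3 and 4: the user logs in; on success a temporary entry is added."""
        if dst_ip not in self.protected or not self._verify(username, password):
            return False
        self.entries[(src_ip, dst_ip)] = self.clock() + self.lifetime
        return True


def run_demo():
    """Walk through the six steps with a fake clock; return the verdicts in order."""
    now = [1_000.0]
    acl = DynamicACL(["10.0.0.50"], lifetime_seconds=300, clock=lambda: now[0])
    acl.add_user("alice", "correct horse battery staple")   # constructed credentials
    verdicts = [acl.check("192.0.2.10", "10.0.0.50")]        # step 2: blocked
    acl.authenticate("192.0.2.10", "10.0.0.50", "alice", "wrong password")
    verdicts.append(acl.check("192.0.2.10", "10.0.0.50"))   # failed login: still blocked
    acl.authenticate("192.0.2.10", "10.0.0.50", "alice", "correct horse battery staple")
    verdicts.append(acl.check("192.0.2.10", "10.0.0.50"))   # step 5: allowed
    verdicts.append(acl.check("192.0.2.99", "10.0.0.50"))   # other source: blocked
    now[0] += 301                                          # lifetime elapses
    verdicts.append(acl.check("192.0.2.10", "10.0.0.50"))   # step 6: entry gone
    return verdicts


if __name__ == "__main__":
    print(run_demo())
```

The entry is keyed on the authenticated source address, which is exactly the limitation of the real mechanism: anyone who can send packets from that address during the lifetime inherits the access, so short lifetimes and per-host entries matter.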
B. File ACLs
• A file ACL is a security mechanism used by an operating system to control
who can access a file or folder and what kind of actions they can
perform.
• It’s a list of permissions attached to each file or directory that
specifies:
• Which users or groups can access the file
• What actions they are allowed to do (read, write, execute, delete,
etc.)
• How it works:
• Each file or folder has:
o An owner (the user who created it)
o A set of permissions
o A list (ACL) that defines access for other users or groups
II. Rules based on IP, Port and protocol
o Rules based on IP
• Source IP: The address from which traffic originates.
• Destination IP: The address to which traffic is directed.
• Example:- Allow TCP traffic from [Link] to [Link]
• Purpose: Controls which devices can communicate with each other.
o Rules based on port
• Ports specify the service being accessed (e.g., HTTP, FTP, SSH).
• Example:-
• Purpose: Restricts specific services regardless of IP addresses.
o Rules based on protocol
• Protocols define the type of communication (TCP, UDP, ICMP, etc.).
• Example Rule:-
• Purpose: Blocks or allows certain types of network communication.
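An added example written for these notes that ties together the packet-filtering, standard/extended ACL and IP/port/protocol rule passages: a small parser and evaluator for a subset of numbered Cisco-style ACL lines (wildcard masks, `host`, `any`, `eq` on the destination port), with first-match semantics and the implicit deny at the end of every list. The ACL lines and packets are constructed for the example; they are not the slides' own (the slides' ACL screenshots did not survive extraction), and the parser does not claim to accept the full IOS grammar.

```python
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _looks_dotted(token):
    return token.count(".") == 3


def _parse_addr(tokens, i, allow_bare=False):
    """Parse one address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'.
    Returns (network_int, wildcard_int, next_index). A wildcard's 1-bits are
    "don't care" bits (0.0.0.255 matches a whole /24). In standard ACLs a bare
    address with no wildcard means that single host (allow_bare=True)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return _to_int(tokens[i + 1]), 0, i + 2
    if i + 1 < len(tokens) and _looks_dotted(tokens[i + 1]):
        return _to_int(tok), _to_int(tokens[i + 1]), i + 2
    if allow_bare:
        return _to_int(tok), 0, i + 1
    raise ValueError(f"missing wildcard mask after {tok}")


def _addr_match(ip_int, net_int, wildcard_int):
    care = ~wildcard_int & 0xFFFFFFFF
    return (ip_int & care) == (net_int & care)


class Rule:
    """One 'access-list N permit|deny ...' line (numbered-ACL subset)."""

    def __init__(self, text):
        self.text = text
        t = text.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {text}")
        self.number, self.action = int(t[1]), t[2]
        if 1 <= self.number <= 99:           # standard ACL: source address only
            self.proto = "ip"
            self.src, self.src_wc, _ = _parse_addr(t, 3, allow_bare=True)
            self.dst, self.dst_wc, self.dst_port = 0, 0xFFFFFFFF, None
        else:                                # extended ACL: proto src dst [eq port]
            self.proto = t[3]
            self.src, self.src_wc, i = _parse_addr(t, 4)
            self.dst, self.dst_wc, i = _parse_addr(t, i)
            self.dst_port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not _addr_match(_to_int(pkt["src"]), self.src, self.src_wc):
            return False
        if not _addr_match(_to_int(pkt["dst"]), self.dst, self.dst_wc):
            return False
        return self.dst_port is None or pkt.get("dst_port") == self.dst_port


def load_acls(config_text):
    """Group rules by ACL number, preserving order (order is what first-match needs)."""
    acls = {}
    for line in config_text.splitlines():
        line = line.strip()
        if line and not line.startswith("!"):
            rule = Rule(line)
            acls.setdefault(rule.number, []).append(rule)
    return acls


def evaluate(acls, number, pkt):
    """First matching rule wins; a list with no match ends in the implicit deny."""
    for rule in acls.get(number, []):
        if rule.matches(pkt):
            return rule.action, rule.text
    return "deny", "implicit deny (no rule matched)"


# Constructed configuration for the example (not taken from the slides).
ACL_CONFIG = """
! standard ACL: matches on source only
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any
! extended ACL: protocol, source, destination and optional destination port
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.10 eq 22
access-list 100 permit icmp any any
access-list 100 deny ip any any
"""

if __name__ == "__main__":
    acls = load_acls(ACL_CONFIG)
    print(evaluate(acls, 100, {"src": "192.168.1.20", "dst": "192.168.2.10", "proto": "tcp", "dst_port": 23}))
```

Two things worth noticing when running it: a packet that matches no line at all is denied without any explicit rule, and the order of lines decides the outcome (moving `deny ip any any` to the top would silence the whole list), which is why rule review should always read an ACL top to bottom.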
III. Logging and monitoring policies
• Logging and monitoring policies involve creating rules for how and what the firewall records about
network traffic to detect threats, ensure compliance, and troubleshoot
issues.
• Key components include defining what events to log (e.g.,
allowed/denied connections, source/destination IP addresses), setting
log retention periods, and using tools to analyze logs for suspicious
patterns like repeated failed logins or large traffic spikes.
• These policies are crucial for identifying and blocking malicious activity,
verifying that rules are working as intended, and responding to security
incidents.
o Detect unauthorized access attempts.
o Monitor traffic patterns and anomalies.
o Ensure firewall rules are functioning as intended.
o Support incident response and compliance audits.
o Define what to log:
• Establish specific criteria for logging, such as logging all connection
attempts (both allowed and denied), specific protocols, or traffic that hits
a particular rule.
o Specify data captured:
• Determine the information to be included in each log entry, such as
timestamp, source and destination IP addresses, port numbers, protocol,
and the action taken (e.g., allowed, denied).
o Establish log retention:
• Set a policy for how long logs are stored, balancing the need for historical
data for investigations against storage costs and performance.
o Implement monitoring and alerts:
• Configure systems to monitor logs in real-time and set up automated
alerts for suspicious activities, such as a high volume of denied
connections from a single IP or an unexpected traffic spike.
• Firewall features
1. Network Address Translation (NAT):-
• Network Address Translation (NAT) is a network feature that modifies IP
address information in packet headers while traffic passes through a
router or firewall.
• Its main goal is to hide internal/private IP addresses from external
networks like the internet.
o Internal devices use private IP addresses (e.g., [Link]).
o When a device sends traffic to the internet: NAT replaces the private
IP with a public IP assigned to the router/firewall.
o When a response comes back: NAT translates the public IP back to
the original private IP so the device receives it.
• It's used by home and business routers to conserve public IPv4 addresses
by letting multiple devices share a single public IP address, while also
acting as a security measure by hiding the internal network from outside
access.
• It provides a basic level of security by hiding the internal network's IP
address structure from the outside world, making it harder for external
users to directly target individual devices.
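The three NAT steps above (private address out, public address on the wire, translation back for the reply) as an added example written for these notes, modelling port address translation ("NAT overload"), the form home and business routers use to share one public IP. It is not router firmware; the private network 192.168.1.0/24, the public address 198.51.100.1 and all packets are constructed for the example.

```python
import ipaddress
from itertools import count


class Nat:
    """Port address translation model (added example, not router firmware).

    Outbound packets from the private network are rewritten to the router's single
    public address and a fresh public port; replies are looked up in the translation
    table and rewritten back. Inbound packets with no table entry are dropped, which
    is the "hiding" effect described in the text.
    """

    def __init__(self, private_net, public_ip, first_port=40000):
        self.private_net = ipaddress.ip_network(private_net)   # assumed inside network
        self.public_ip = public_ip                              # assumed router address
        self.ports = count(first_port)                          # next free public port
        self.out_table = {}   # (priv_ip, priv_port, dst_ip, dst_port, proto) -> public port
        self.in_table = {}    # (public port, dst_ip, dst_port, proto) -> (priv_ip, priv_port)

    def translate_out(self, pkt):
        """Rewrite a private-to-public packet; return the new packet, or None to drop."""
        if ipaddress.ip_address(pkt["src"]) not in self.private_net:
            return None
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        pub_port = self.out_table.get(key)
        if pub_port is None:
            pub_port = next(self.ports)                         # new flow: allocate a port
            self.out_table[key] = pub_port
            self.in_table[(pub_port, pkt["dst"], pkt["dport"], pkt["proto"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.public_ip, "sport": pub_port}

    def translate_in(self, pkt):
        """Rewrite a reply to the public address back to the private host, or None to drop."""
        if pkt["dst"] != self.public_ip:
            return None
        entry = self.in_table.get((pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"]))
        if entry is None:
            return None       # unsolicited inbound traffic: no host to deliver it to
        priv_ip, priv_port = entry
        return {**pkt, "dst": priv_ip, "dport": priv_port}


def run_demo():
    """Two inside hosts reach the same web server; only replies to known flows get in."""
    nat = Nat("192.168.1.0/24", "198.51.100.1")
    a = nat.translate_out({"src": "192.168.1.10", "sport": 51000, "dst": "203.0.113.10", "dport": 80, "proto": "tcp"})
    b = nat.translate_out({"src": "192.168.1.11", "sport": 51000, "dst": "203.0.113.10", "dport": 80, "proto": "tcp"})
    reply_b = nat.translate_in({"src": "203.0.113.10", "sport": 80, "dst": "198.51.100.1", "dport": b["sport"], "proto": "tcp"})
    stray = nat.translate_in({"src": "198.51.100.7", "sport": 4444, "dst": "198.51.100.1", "dport": 22, "proto": "tcp"})
    return a, b, reply_b, stray


if __name__ == "__main__":
    for step in run_demo():
        print(step)
```

Both inside hosts used source port 51000, which is why the translation has to allocate distinct public ports rather than reuse the private one; the `stray` packet shows the security side effect the text mentions, but note it is a side effect of having no mapping, not a policy decision, so NAT does not replace firewall rules.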
2. Packet inspection:- examines header and payload
information
• Packet inspection is the process of examining data packets as they
pass through a network, with deep packet inspection being an
advanced method that analyzes the packet's data content in
addition to its headers.
• This allows for more detailed analysis to identify and block
malicious traffic like malware, prevent data leaks, enforce network
policies, and prioritize certain types of traffic.
3. Intrusion prevention:-
• Intrusion prevention is a security process that uses an Intrusion
Prevention System (IPS) to monitor network traffic for malicious
activity and automatically take action to stop threats before they
can cause damage.
• This is an active process that differs from an intrusion detection
system (IDS), which only detects and alerts on threats without
taking action.
• An IPS can block malicious traffic, reset connections, or drop
malicious packets to prevent attacks in real-time.
4. VPN support:- securely connect remote users
• VPN (Virtual Private Network) support securely connects remote
users to a private network by creating an encrypted "tunnel"
through a public network like the internet, allowing them to
access resources as if they were physically in the office.
• This is achieved through client-to-site VPNs, which use
authentication credentials and software clients to provide a secure
channel for accessing company files, applications, and internal
systems from any location.
• Reading assignment
o IPv6 security considerations
o Host security (authentication and authorization
techniques)
Thank you