This chapter covers firewalls and access control lists (ACLs), two of the most fundamental network security technologies on the N10-009 exam. Firewalls enforce security policy by filtering traffic against an ordered rule set, while ACLs provide granular, per-interface control on routers and switches. Network Security (domain 4.0) is 14% of the exam, and questions about firewall types, ACL placement, and rule evaluation recur throughout it. Mastering these concepts is essential for understanding how networks are secured in the real world.
Imagine a secure facility with a single entrance staffed by security guards. Every person entering or leaving must pass through this checkpoint. The guards have a rulebook listing allowed destinations and permitted actions. When a person arrives, the guard checks their ID (source IP), asks where they are going (destination IP), what they plan to do (port/protocol), and whether they are arriving or leaving (direction). If the rulebook allows it, the guard opens the door. If not, the person is turned away. But here's the key: the guard also maintains a clipboard with a list of people who have already been allowed inside. When someone exits, the guard checks the clipboard to see if they were previously admitted; if not, they are detained (stateful inspection). The guard can also inspect bags (packet inspection) for prohibited items (malicious payloads). A deeper inspection might even open envelopes to read letters (deep packet inspection). A proxy (application-level gateway) is a guard who never lets the visitor through at all: he takes the letter, reads it, and delivers it himself, so the two parties never meet directly. This checkpoint is the firewall, and the rulebook is the access control list (ACL). Without it, anyone could walk in and out freely, like a network with no firewall.
What is a Firewall?
A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It establishes a barrier between trusted internal networks and untrusted external networks (like the Internet). Firewalls can be hardware appliances, software running on a server, or virtual instances in the cloud.
Why Firewalls Exist
Without a firewall, any device on the Internet can attempt to connect to any service on your network. This exposes services to scanning, exploitation, and denial-of-service attacks. Firewalls reduce the attack surface by permitting only authorized traffic and blocking everything else by default (implicit deny).
How a Firewall Works: Packet Filtering
Packet filtering is the simplest form. The firewall examines each packet's header fields: source IP, destination IP, source port, destination port, and protocol (TCP/UDP/ICMP). It compares these against a set of rules (the ACL) and either permits or denies the packet. Stateless packet filters treat each packet independently and have no memory of previous packets. This makes them fast, but it means return traffic must be explicitly permitted (typically by opening ranges of high ports or trusting TCP flags that an attacker can set), and it leaves them weaker against spoofed packets and attacks spread across fragments.
Stateful Inspection
Stateful firewalls (also called stateful inspection firewalls) maintain a state table that tracks the state of active connections. For TCP, the firewall monitors the three-way handshake (SYN, SYN-ACK, ACK) and only allows packets that belong to a connection it saw being opened. For UDP, it creates pseudo-state entries based on source/destination IP and port. This prevents attackers from sending unsolicited packets into the internal network. Idle entries are aged out of the table; the timeouts are vendor- and state-specific (an established TCP session is normally allowed to sit idle far longer than a UDP pseudo-session or a half-open TCP handshake), so do not memorize a single number. What matters is that return traffic is allowed only while a matching entry exists.
Next-Generation Firewalls (NGFW)
NGFWs combine traditional firewall capabilities with additional features like application awareness, intrusion prevention (IPS), SSL/TLS inspection, and threat intelligence. They can identify applications (e.g., Facebook vs. web browsing) even if they use non-standard ports. On the exam, know that NGFWs operate up to Layer 7 (application layer) of the OSI model.
Proxy Firewalls (Application-Level Gateways)
A proxy firewall acts as an intermediary between clients and servers. The client connects to the proxy, which then establishes a separate connection to the destination server; no packet passes directly from client to server. This hides the client's IP address and allows deep inspection of application data. Proxies add latency and must understand each protocol they carry, but they provide the most thorough inspection. They are often used for web traffic (HTTP/HTTPS proxies).
Access Control Lists (ACLs)
ACLs are ordered sets of rules applied to router or switch interfaces. Each rule contains a permit or deny statement and match criteria (IP, port, protocol). ACLs are evaluated top-down: the first matching rule determines the action. If no rule matches, an implicit deny all is applied at the end. Cisco IOS uses numbered ACLs (1-99 for standard, 100-199 for extended) and named ACLs.
Standard ACLs
Standard ACLs filter only based on source IP address. They are applied as close to the destination as possible because they don't consider destination IP. Example (the explicit deny any is redundant with the implicit deny, but it lets you see hit counts for denied traffic in show access-lists):
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any
Extended ACLs
Extended ACLs filter based on source IP, destination IP, protocol, and port numbers. They should be applied close to the source so that unwanted traffic is dropped before it crosses the network. Example:
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 100 deny ip any any
ACL Placement Rules
Standard ACLs: Place near the destination (traffic is filtered as it exits the router).
Extended ACLs: Place near the source (traffic is filtered as it enters the router).
Applied to interfaces with ip access-group command in a specific direction (in or out).
Implicit Deny
Every ACL ends with an implicit deny all. Even if you have a permit statement, any traffic not explicitly permitted is denied. This is a common exam point.
Wildcard Masks
ACLs use wildcard masks (inverse subnet masks) to match IP addresses. A 0 means exact match, 1 means ignore. Example: 0.0.0.255 matches any host in the last octet. This is opposite of subnet masks.
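To make the evaluation rules above concrete (wildcard-mask matching, standard versus extended match criteria, top-down first match, and the implicit deny), here is an added example that simulates the logic in Python. It is not code from the page or from any vendor: it parses only the subset of access-list syntax used on this page (any, host, network plus wildcard, an optional eq port) and evaluates constructed sample packets against the page's ACL 10 and ACL 100, plus a deliberately mis-ordered ACL 110 (an assumed example) whose broad permit on line 1 shadows the Telnet deny below it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Cisco numbered-ACL ranges, as given on this page.
STANDARD_RANGES = ((1, 99), (1300, 1999))
EXTENDED_RANGES = ((100, 199), (2000, 2699))


def acl_kind(number: int) -> str:
    if any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
        return "standard"
    if any(lo <= number <= hi for lo, hi in EXTENDED_RANGES):
        return "extended"
    raise ValueError(f"ACL number {number} is not in a standard or extended range")


def wildcard_from_prefix(prefix_len: int) -> str:
    """Inverse of a subnet mask: /24 -> 0.0.0.255, /32 -> 0.0.0.0, /0 -> 255.255.255.255."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match the network address; 1 bits are ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"      # "tcp", "udp", "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" | "deny"
    src: tuple                    # (network, wildcard)
    proto: Optional[str] = None   # None on a standard ACL (any protocol)
    dst: Optional[tuple] = None   # None on a standard ACL (any destination)
    dport: Optional[int] = None   # None -> any destination port
    text: str = ""


def _take_addr(toks):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    if len(toks) > 1 and toks[1].count(".") == 3:
        return (toks[0], toks[1]), toks[2:]
    return (toks[0], "0.0.0.0"), toks[1:]   # bare address = single host (IOS default)


def parse_acl(config: str):
    """Parse 'access-list N permit|deny ...' lines (page syntax only) into an ordered rule list."""
    rules, number = [], None
    for line in config.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] != "access-list":
            continue
        number, action, rest = int(toks[1]), toks[2], toks[3:]
        if acl_kind(number) == "standard":
            src, _ = _take_addr(rest)
            rules.append(Rule(action, src, text=line.strip()))
        else:
            proto, rest = rest[0], rest[1:]
            src, rest = _take_addr(rest)
            dst, rest = _take_addr(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            rules.append(Rule(action, src, proto, dst, dport, line.strip()))
    return number, rules


def matches(rule: Rule, pkt: Packet) -> bool:
    if not wildcard_match(pkt.src, *rule.src):
        return False
    if rule.dst is None:                       # standard ACL: source only
        return True
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.dst, *rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules, pkt: Packet):
    """Top-down, first match wins; no match -> the implicit deny at the end."""
    for i, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, i, rule.text
    return "deny", len(rules) + 1, "(implicit deny any)"


# The two ACLs from this page, plus an assumed mis-ordered ACL 110 whose line 1 shadows line 2.
ACL_10 = "access-list 10 permit 192.168.1.0 0.0.0.255\naccess-list 10 deny any"
ACL_100 = "access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80"
ACL_110 = "access-list 110 permit ip any any\naccess-list 110 deny tcp any any eq 23"

if __name__ == "__main__":
    _, r100 = parse_acl(ACL_100)
    for p in (Packet("192.168.1.10", "203.0.113.5", "tcp", 80),
              Packet("192.168.1.10", "203.0.113.5", "tcp", 443)):
        print(p, "->", evaluate(r100, p))
    _, r110 = parse_acl(ACL_110)
    print("Telnet through ACL 110 ->", evaluate(r110, Packet("10.0.0.1", "10.0.0.2", "tcp", 23)))
```

The HTTPS packet against ACL 100 falls off the end of the list and hits the implicit deny even though nothing in the ACL mentions port 443; the Telnet packet against ACL 110 is permitted by line 1 before the deny on line 2 is ever consulted, which is why the exam stresses "most specific first".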
Firewall Zones
Firewalls often divide networks into zones: inside (trusted), outside (untrusted), and DMZ (semi-trusted). Policies are written to control traffic between zones. Typically, traffic from inside to outside is allowed, outside to DMZ is restricted, and outside to inside is blocked.
NAT and Firewalls
Network Address Translation (NAT) is often performed on firewalls. Static NAT maps a private IP to a public IP one-to-one. Dynamic NAT uses a pool of public IPs. PAT (Port Address Translation) maps multiple private IPs to a single public IP using different source ports. Firewalls maintain NAT state in their connection table.
Common Firewall Features
Stateful inspection: Tracks connection state.
Application filtering: Blocks specific applications.
URL filtering: Blocks access to certain websites.
VPN termination: Supports IPsec or SSL VPN.
Logging and alerts: Records allowed/blocked traffic.
Firewall Deployment Types
Network-based firewall: Dedicated hardware appliance (e.g., Cisco ASA, Palo Alto).
Host-based firewall: Software on a single host (e.g., Windows Firewall, iptables).
Virtual firewall: Software appliance in a hypervisor (e.g., VMware NSX, AWS Security Groups).
Exam-Specific Defaults and Values
ACL direction: set per interface with ip access-group <acl> in|out. Always state the direction explicitly; older IOS releases apply the ACL outbound when the keyword is omitted, which is rarely what you intended.
Implicit deny: always present at the end of every ACL.
Standard ACL range: 1-99 and 1300-1999.
Extended ACL range: 100-199 and 2000-2699.
Port numbers: HTTP=TCP 80, HTTPS=TCP 443, FTP=TCP 21 (control channel), SSH=TCP 22; DNS=53, UDP for ordinary queries and TCP for zone transfers and large responses.
Firewall rule order: most specific first, most general last.
Configuration Verification Commands
On Cisco devices:
show access-lists
show ip interface
show running-config | include access-list
On Linux (iptables):
iptables -L -n -v
Interaction with Other Technologies
IDS/IPS: Firewalls often integrate IPS to block malicious traffic based on signatures.
VLANs: Firewalls can enforce policies between VLANs (inter-VLAN routing).
VPNs: Firewalls terminate VPN tunnels and apply policies to decrypted traffic.
Load Balancers: Firewalls may be placed before load balancers to filter traffic.
Packet Arrives at Firewall Interface
An IP packet arrives on the ingress interface of the firewall. The firewall examines the packet header: source IP, destination IP, protocol (TCP/UDP/ICMP), and port numbers. If the firewall is stateful, it also checks the state table for an existing connection. For a new connection, it proceeds to rule evaluation. The interface's configured ACL direction (in or out) determines which rules are applied. At this point, no filtering decision has been made yet.
Rule Evaluation Begins at Top of ACL
The firewall starts with the first rule in the ACL. It compares the packet's attributes against the rule's match criteria. If the rule is a permit statement and the packet matches, the firewall allows the packet and skips all remaining rules. If the rule is a deny statement and the packet matches, the packet is dropped immediately. If the packet does not match, the firewall moves to the next rule. This process continues until a match is found or the end of the ACL is reached.
Implicit Deny Applied if No Match
If the packet does not match any explicit rule in the ACL, the firewall applies the implicit deny all rule at the end. The packet is dropped and typically logged (if logging is enabled). This is a critical security feature—it ensures that only explicitly permitted traffic is allowed. On the exam, remember that the implicit deny is always present, even if not shown in the ACL output.
State Table Update (Stateful Firewalls)
If the packet is permitted and the firewall is stateful, it creates an entry in the state table. For TCP, this entry includes source/destination IP and port, sequence numbers, and connection state (e.g., SYN_SENT, ESTABLISHED). For UDP, a pseudo-state entry is created with a timeout (typically 30 seconds). Return traffic matching this entry is automatically allowed without re-evaluating the ACL. The state table is consulted before ACL rules for subsequent packets in the same flow.
Packet Forwarded or Dropped
If the packet is permitted, the firewall forwards it out the egress interface. If it is denied, the firewall drops the packet. In some firewalls, an ICMP unreachable message (type 3, code 13) may be sent to the source. The firewall logs the event according to its logging configuration. The state table entry is updated for future packets. The entire process occurs in microseconds for hardware-based firewalls.
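The five steps above, and the stateful-versus-stateless contrast that the exam keeps returning to, are easier to see in code. The following is an added example, not code from the page or any vendor: a toy stateful firewall whose state table is keyed by the 5-tuple and consulted before the policy, with a deliberately simplified policy (inside hosts may open TCP 443 and UDP 53; nothing unsolicited is permitted from outside) standing in for the ACL. The idle timeouts and the sample packets are assumptions constructed for the demo, not vendor defaults; the ACK that completes the handshake is elided.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str              # "tcp" or "udp"
    flags: str = ""         # TCP flags as letters, e.g. "S", "SA"; empty for UDP
    iface: str = "inside"   # ingress interface: "inside" or "outside"


FlowKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


def flow_key(p: Packet) -> FlowKey:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_key(k: FlowKey) -> FlowKey:
    proto, src, sport, dst, dport = k
    return (proto, dst, dport, src, sport)


def policy_permits(p: Packet) -> bool:
    """Simplified ACL (assumed): inside may open HTTPS and DNS; outside may open nothing."""
    if p.iface != "inside":
        return False
    return (p.proto, p.dport) in {("tcp", 443), ("udp", 53)}


class StatefulFirewall:
    """State table consulted before the policy for every packet (steps 1 and 4 on this page)."""

    def __init__(self, tcp_idle: float, udp_idle: float):
        self.timeouts = {"tcp": tcp_idle, "udp": udp_idle}
        self.table: Dict[FlowKey, dict] = {}

    def _expire(self, now: float):
        dead = [k for k, e in self.table.items() if now - e["last_seen"] > self.timeouts[k[0]]]
        for k in dead:
            del self.table[k]

    def process(self, p: Packet, now: float) -> Tuple[str, str]:
        self._expire(now)
        k = flow_key(p)
        # Existing flow in either direction: refresh it and forward without touching the ACL.
        for key in (k, reverse_key(k)):
            entry = self.table.get(key)
            if entry is not None:
                entry["last_seen"] = now
                if p.proto == "tcp" and p.flags == "SA" and entry["state"] == "SYN_SENT":
                    entry["state"] = "ESTABLISHED"
                return "forward", f"state table ({entry['state']})"
        # New TCP flow must begin with a bare SYN; a mid-stream packet with no state is dropped.
        if p.proto == "tcp" and p.flags != "S":
            return "drop", "no state and not a SYN"
        # New flow: evaluate policy; a permitted flow gets a state-table entry.
        if not policy_permits(p):
            return "drop", "policy (implicit deny)"
        self.table[k] = {"state": "SYN_SENT" if p.proto == "tcp" else "UDP_PSEUDO",
                         "last_seen": now}
        return "forward", "policy permit, state created"


def stateless_filter(p: Packet) -> str:
    """The same policy on a stateless router ACL: reply packets match no rule and are dropped."""
    return "forward" if policy_permits(p) else "drop"


def demo():
    fw = StatefulFirewall(tcp_idle=3600.0, udp_idle=30.0)   # assumed timeouts for the demo
    out = []
    syn = Packet("10.0.0.5", 51000, "203.0.113.10", 443, "tcp", "S", "inside")
    synack = Packet("203.0.113.10", 443, "10.0.0.5", 51000, "tcp", "SA", "outside")
    out.append(fw.process(syn, 0.0))                              # new flow, permitted
    out.append(fw.process(synack, 0.1))                           # reply matched by state
    out.append((stateless_filter(synack), "stateless"))           # same reply, no state: dropped
    out.append(fw.process(Packet("198.51.100.7", 4444, "10.0.0.5", 22, "tcp", "S", "outside"), 1.0))
    query = Packet("10.0.0.5", 40000, "10.1.1.53", 53, "udp", "", "inside")
    reply = Packet("10.1.1.53", 53, "10.0.0.5", 40000, "udp", "", "outside")
    out.append(fw.process(query, 2.0))                            # UDP pseudo-state created
    out.append(fw.process(reply, 5.0))                            # reply within idle timeout
    out.append(fw.process(reply, 60.0))                           # pseudo-state expired: dropped
    return out


if __name__ == "__main__":
    for verdict, why in demo():
        print(f"{verdict:8} {why}")
```

The same SYN-ACK is forwarded by the stateful engine and dropped by the stateless filter: the stateless one has no rule for inbound traffic from port 443, and adding one would open that port to every host on the Internet. The late DNS reply shows the other side of state tracking: once the pseudo-entry ages out, the reply is treated as unsolicited and hits the deny.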
Enterprise Scenario 1: Branch Office Perimeter Firewall
A retail company with 50 branch offices uses a stateful firewall at each branch to connect to the corporate HQ over a VPN. The firewall is configured with an ACL that permits only the necessary traffic: HTTPS to the HQ web server (TCP 443), DNS to the HQ DNS server (UDP 53), and ICMP for monitoring. All other outbound traffic is denied. Inbound traffic from the Internet is blocked except for SSH from a management jump box. The firewall also performs NAT to allow branch devices to access the Internet. A common misconfiguration on a stateless router ACL is forgetting to permit the DNS replies (UDP source port 53 back to the client), which causes name resolution failures; a stateful firewall handles that return traffic automatically once the outbound query is recorded. But if the state table fills (e.g., due to a high number of concurrent connections), legitimate traffic may be dropped. Scaling considerations include choosing a firewall with sufficient connection table capacity (e.g., 1 million concurrent connections) and throughput (e.g., 1 Gbps).
Enterprise Scenario 2: Data Center Demilitarized Zone (DMZ)
A financial institution hosts a public web server and an email server in a DMZ. The perimeter firewall has three interfaces: inside (trusted), outside (untrusted), and DMZ (semi-trusted). The ACL applied inbound on the outside interface permits HTTP/HTTPS to the web server (TCP 80/443) and SMTP to the email server (TCP 25). All other inbound traffic is denied. The ACL applied inbound on the DMZ interface permits only the web server to initiate database queries to the internal database server (TCP 1433); the ACL applied inbound on the inside interface contains no rule permitting the database server to open connections into the DMZ, so the database server cannot initiate connections to the web server. This prevents an attacker who compromises the web server from pivoting to the internal database. A common mistake is placing the web server directly on the internal network, exposing internal resources. Performance considerations include enabling hardware acceleration for SSL inspection if HTTPS traffic is decrypted for malware scanning.
Enterprise Scenario 3: Cloud Network Security Group
A SaaS company uses AWS Security Groups (stateful virtual firewalls) to protect their EC2 instances. Each instance's network interface is associated with a security group that filters that instance's traffic; because the filtering is enforced by the virtualization layer rather than inside the guest OS, it behaves like a per-instance firewall without being a host-based one. The security group rules permit inbound SSH from the company's VPN IP range (TCP 22), HTTP/HTTPS from anywhere (0.0.0.0/0), and all outbound traffic. The stateful nature automatically allows return traffic. Misconfigurations often involve overly permissive rules (e.g., allowing all inbound traffic from 0.0.0.0/0 for debugging) that are left in production. Scaling is handled by AWS, but the default quota is 60 inbound and 60 outbound rules per security group (adjustable on request). Instance performance is not a concern because the instance itself spends no CPU on the filtering.
What N10-009 Tests on Firewalls and ACLs
Objective 4.3 (Given a scenario, apply network security features, defense techniques, and solutions) covers security rules (ACLs, URL and content filtering) and zones (trusted versus untrusted, screened subnet/DMZ); firewall types and placement appear in the surrounding domain 4.0 and architecture objectives. CompTIA does not number sub-objectives, so learn the bullets rather than a numbering scheme. Expect 2-3 questions directly on these topics.
Common Wrong Answers and Why Candidates Choose Them
"Standard ACLs filter based on source and destination IP" — Wrong. Standard ACLs only filter on source IP. Extended ACLs use both. Candidates confuse the two because they think "standard" means more features.
"Apply standard ACLs close to the source" — Wrong. Standard ACLs should be applied close to the destination because they only check source IP. Applying them near the source might block traffic unnecessarily. Extended ACLs go near the source.
"Firewalls block all inbound traffic by default" — Partially true but misleading. Firewalls have an implicit deny, but they also allow return traffic for stateful connections. The exam tests that stateful firewalls allow established connections.
"ACLs are processed from bottom to top" — Wrong. ACLs are processed top-down. The first match wins. Candidates misremember because they think of other ordered lists.
Specific Numbers and Terms on the Exam
Implicit deny: always present.
Standard ACL ranges: 1-99, 1300-1999.
Extended ACL ranges: 100-199, 2000-2699.
Wildcard mask: 0.0.0.0 matches a single host; 255.255.255.255 matches any.
TCP port 80 (HTTP), 443 (HTTPS), 22 (SSH), 23 (Telnet), 21 (FTP).
Stateful firewall timeouts: vendor-specific, and different per state. Established TCP sessions are kept idle much longer than UDP pseudo-sessions or half-open TCP handshakes. Know the concept (entries age out when idle and return traffic then stops being allowed), not a single number.
Edge Cases and Exceptions
Fragmented packets: Non-initial fragments carry no Layer 4 header, so a stateless filter that matches on ports may pass fragments that reassemble into an attack. Stateful firewalls typically track or virtually reassemble fragments so the decision is made on the whole datagram.
Spoofed source IP: The inbound ACL on the outside interface should deny packets whose source is a private (RFC 1918), loopback, or internal address, since legitimate Internet traffic can never carry those sources (anti-spoofing, also called ingress filtering).
ACL on a router without firewall: Routers can have ACLs but, unless they run a firewall feature set such as Cisco's zone-based firewall, lack stateful inspection. This is a common exam distinction.
How to Eliminate Wrong Answers
For ACL placement questions: ask yourself "Is this ACL checking only source IP?" If yes, it's standard → place near destination. If it checks source and destination, it's extended → place near source. For firewall questions: identify if the scenario mentions tracking connection state. If yes, it's stateful. If it mentions application layer inspection, it's a proxy or NGFW.
Firewalls filter traffic based on rules; implicit deny blocks all unmatched traffic.
Stateful firewalls maintain a state table to track connections; entries age out after a vendor-specific idle timeout, with TCP sessions kept far longer than UDP pseudo-sessions.
Standard ACLs filter only on source IP; extended ACLs filter on source/destination IP, protocol, and port.
Standard ACLs should be placed close to the destination; extended ACLs close to the source.
ACLs are evaluated top-down; first match wins; implicit deny at the end.
Wildcard masks are inverse subnet masks: 0 = match, 1 = ignore.
NGFWs add application awareness, IPS, and SSL inspection (Layer 7).
These come up on the exam all the time. Here's how to tell them apart.
Stateful Firewall
Tracks connection state (state table).
Automatically allows return traffic for outbound connections.
More secure; resists spoofing and fragment attacks better.
Higher processing overhead per packet.
Can inspect higher-layer data (if NGFW).
Stateless Firewall (ACL on Router)
Treats each packet independently.
Must explicitly permit return traffic with ACL rules.
Faster but less secure.
Lower overhead; suitable for high-speed core routers.
Limited to Layer 3/4 header inspection.
Mistake
Firewalls block all inbound traffic by default.
Correct
Stateful firewalls allow inbound return traffic for outbound connections because they track connection state. Only unsolicited inbound traffic is blocked by default.
Mistake
Standard ACLs filter on source and destination IP.
Correct
Standard ACLs filter only on source IP address. Extended ACLs filter on source and destination IP, protocol, and port.
Mistake
ACLs are evaluated from bottom to top.
Correct
ACLs are evaluated from top to bottom. The first matching rule is applied, and remaining rules are ignored.
Mistake
You can remove a specific rule from an ACL without affecting others.
Correct
In classic Cisco IOS, `no access-list 10 ...` removes the entire numbered ACL, not a single line; you must rebuild the list and reapply it. Named ACLs (and, on current IOS, numbered ACLs edited in `ip access-list standard|extended` mode) have sequence numbers, so a single entry can be removed with `no <sequence>` or `no permit ...` / `no deny ...`.
Mistake
A firewall and a router with an ACL are equally secure.
Correct
A router with an ACL performs stateless packet filtering and lacks stateful inspection, application awareness, and other advanced features. A dedicated firewall provides higher security.
A stateful firewall tracks the state of active connections using a state table. It allows return traffic automatically for outbound connections. A stateless firewall (or ACL) treats each packet independently and requires explicit rules for return traffic. Stateful is more secure but uses more resources.
A standard ACL should be placed as close to the destination as possible because it only filters on source IP. If placed near the source, it might block traffic that should be allowed to other destinations.
Every ACL has an implicit deny all at the end. If a packet does not match any permit rule, it is denied. This is not displayed in the ACL configuration but is always enforced.
A wildcard mask is the inverse of a subnet mask. A 0 bit means the corresponding bit in the IP address must match exactly; a 1 bit means ignore. For example, 0.0.0.255 matches any host in the last octet. Subnet masks use 1 for network and 0 for host.
No. Routers with ACLs perform stateless filtering and lack stateful inspection, application awareness, and advanced security features. Firewalls provide deeper inspection and better protection.
A DMZ (demilitarized zone) is a network segment that hosts public-facing services (web, email). The firewall restricts inbound traffic to specific ports and prevents the DMZ from initiating connections to the internal network, limiting damage if a server is compromised.
A proxy firewall acts as an intermediary, terminating connections and inspecting application data. It hides internal IPs and provides deep inspection but is slower. A packet-filtering firewall examines headers only and is faster but less secure.