SY0-701 | Chapter 21 of 212 | Objective 3.1

Firewall Types and Deployment

This chapter covers firewall types and deployment strategies, a critical topic for the SY0-701 Security+ exam under Domain 3.0 (Security Architecture), Objective 3.1: 'Given a scenario, implement secure network architectures.' Firewalls are the cornerstone of network security, and the exam expects you to differentiate between packet-filtering, stateful, next-generation, proxy, and web application firewalls, as well as understand how to deploy them in screened subnet (DMZ), bastion host, and layered architectures. Mastery of these concepts is essential for passing the exam and for real-world network defense.

25 min read
Intermediate
Updated May 31, 2026

Firewalls as Airport Security Checkpoints

Imagine an airport with multiple terminals. Each terminal has a security checkpoint that controls who and what can enter the secure boarding area. A packet-filtering firewall is like a security guard checking IDs and tickets against a simple list: only ticketed passengers with valid ID can pass. The guard doesn't inspect bags deeply—just checks that the person matches the basic criteria. A stateful firewall is like a checkpoint that not only checks IDs but also keeps a record of each passenger's movement. Once a passenger enters the secure area, the guard remembers them and allows them to go to their gate without re-screening. If someone tries to enter from the wrong direction (like a spoofed return packet), the guard stops them because they don't have a matching outbound record. An application-layer firewall (like a next-gen firewall) is like a TSA agent who not only checks IDs but also X-rays every bag, inspects liquids, and scans electronics. They can block specific items (e.g., large liquids) even if the passenger has a valid ticket. A proxy firewall is like a security booth where passengers must hand over their bags to an agent who repackages them before allowing them through. The agent can inspect, modify, or reject the contents, and the passenger's identity is hidden from the destination. A UTM (Unified Threat Management) device is like a single checkpoint that combines ID check, bag X-ray, metal detector, and even a bomb-sniffing dog—all in one station. Deploying firewalls in a layered defense is like having checkpoints at the airport entrance, terminal entrance, and gate entrance—each with different rules, so even if one checkpoint fails, others still protect the aircraft.

How It Actually Works

What Is a Firewall and What Threat Does It Address?

A firewall is a network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. The primary threat it addresses is unauthorized access to or from a private network. Firewalls act as a barrier between trusted internal networks and untrusted external networks (e.g., the internet), blocking malicious traffic such as worms, reconnaissance scans, and exploitation attempts. The SY0-701 exam focuses on understanding different firewall types and how they inspect traffic at various layers of the OSI model.

How Firewalls Work Mechanically

Firewalls operate by inspecting packets (or data streams) and applying rule sets. The basic process:

1. Packet Arrival: A packet arrives at the firewall's interface.
2. Rule Matching: The firewall compares the packet's header fields (source IP, destination IP, source port, destination port, protocol) against its rule base in order (first-match or best-match).
3. Action: If a rule matches, the firewall performs the specified action: Allow (permit), Deny (drop), or Reject (drop with ICMP unreachable). If no rule matches, the default action is typically Deny (implicit deny).
4. Logging: The firewall logs the action based on logging rules.

For stateful firewalls, a state table is maintained. Each connection is tracked by its source IP, source port, destination IP, destination port, and protocol. When a packet matches an existing state entry, it is allowed without re-evaluating the full rule set. This improves performance and enables the firewall to detect spoofed packets that don't belong to an established session.
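The first-match evaluation with implicit deny and the state-table behaviour described above, as an added simulation that is not part of this study guide. The rule base, addresses and ports are constructed sample values; the same rules are loaded into a stateless and a stateful filter so the difference in how the reply packet is handled is visible.

```python
# Added example: simulates first-match rule evaluation with implicit deny, and the
# state table a stateful firewall keeps. Rules, addresses and ports are constructed.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "tcp" or "udp"
    direction: str  # "in" = arriving from the internet, "out" = leaving the LAN


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    src_ip: str              # exact address or "any"
    dst_ip: str              # exact address or "any"
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "allow", "deny" (silent drop) or "reject" (ICMP unreachable)

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto == p.proto
                and self.src_ip in ("any", p.src_ip)
                and self.dst_ip in ("any", p.dst_ip)
                and self.dst_port in (None, p.dst_port))


class StatelessFirewall:
    """Packet filter: every packet is judged by the rule base alone."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def evaluate(self, p: Packet) -> str:
        for rule in self.rules:  # rules are processed in order; first match wins
            if rule.matches(p):
                return rule.action
        return "deny"            # implicit deny: nothing matched


class StatefulFirewall(StatelessFirewall):
    """Adds a state table keyed on the 5-tuple of sessions it has permitted."""

    def __init__(self, rules: List[Rule]):
        super().__init__(rules)
        self.state: Set[Tuple[str, int, str, int, str]] = set()

    def evaluate(self, p: Packet) -> str:
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)
        reply_key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)
        if key in self.state or reply_key in self.state:
            return "allow"       # part of an established session: no rule lookup needed
        action = super().evaluate(p)
        if action == "allow":
            self.state.add(key)  # remember the session so its replies are accepted
        return action


def demo() -> dict:
    """Same rule base on both firewall types; only the stateful one accepts the reply."""
    rules = [
        Rule("in", "tcp", "any", "203.0.113.10", 443, "allow"),  # public HTTPS server
        Rule("out", "tcp", "any", "any", None, "allow"),         # LAN hosts may connect out
    ]
    stateless, stateful = StatelessFirewall(rules), StatefulFirewall(rules)

    outbound = Packet("10.0.0.5", 51000, "198.51.100.7", 80, "tcp", "out")
    reply = Packet("198.51.100.7", 80, "10.0.0.5", 51000, "tcp", "in")
    # Same source as the reply but a client port nobody opened: no state entry exists.
    spoofed = Packet("198.51.100.7", 80, "10.0.0.5", 51001, "tcp", "in")

    return {
        "stateless_outbound": stateless.evaluate(outbound),
        "stateless_reply": stateless.evaluate(reply),
        "stateful_outbound": stateful.evaluate(outbound),
        "stateful_reply": stateful.evaluate(reply),
        "stateful_spoofed": stateful.evaluate(spoofed),
        "stateful_web": stateful.evaluate(
            Packet("198.51.100.7", 40000, "203.0.113.10", 443, "tcp", "in")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} -> {verdict}")
```

Note that the stateless filter denies the legitimate reply because no inbound rule covers it, which is exactly why stateless rule bases end up with broad inbound allows.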

Key Firewall Types and Their Components

#### 1. Packet-Filtering Firewall

- Layer: Operates at Layer 3 (Network) and Layer 4 (Transport).
- Inspection: Examines packet headers only—source/destination IP, port, protocol.
- State: Stateless—each packet is evaluated independently; no memory of previous packets.
- Performance: Very fast, low overhead.
- Weakness: Cannot detect attacks that span multiple packets (e.g., fragmentation attacks) or application-layer threats.
- Example: Standard ACLs on a router (e.g., Cisco IOS `access-list 100 permit tcp any any eq 80`).
- SY0-701 Note: The exam may present a scenario where a simple ACL is used; recognize it as packet-filtering.

#### 2. Stateful Firewall

- Layer: Layers 3 and 4, but also tracks session state.
- Inspection: Same as packet-filtering plus maintains a state table.
- State: Stateful—allows return traffic for outbound connections automatically.
- Performance: Slightly slower than stateless due to state tracking, but more secure.
- Weakness: Still blind to application-layer attacks.
- Example: A typical enterprise firewall like pfSense or Windows Defender Firewall with Advanced Security.
- SY0-701 Note: The exam tests that stateful firewalls track the state of active connections and allow return traffic only if it matches an existing session.

#### 3. Next-Generation Firewall (NGFW)

- Layer: Layers 3-7 (including application layer).
- Inspection: Deep packet inspection (DPI), application identification (e.g., recognizing Skype traffic even on port 80), intrusion prevention (IPS), SSL/TLS inspection, and user identity awareness.
- State: Stateful plus application-level state.
- Performance: Slower due to deep inspection; requires hardware acceleration.
- Weakness: Can introduce latency; may miss encrypted traffic if SSL decryption is not configured.
- Example: Palo Alto Networks PA-series, Fortinet FortiGate, Cisco Firepower.
- SY0-701 Note: The exam emphasizes that NGFWs combine traditional firewall, IPS, and application control.

#### 4. Proxy Firewall (Application-Level Gateway)

- Layer: Application layer (Layer 7).
- Inspection: Acts as an intermediary—client connects to proxy, proxy establishes a separate connection to the server. The proxy can inspect, modify, or block application data.
- State: Stateful per session.
- Performance: Slower because it terminates and re-establishes connections; can be a bottleneck.
- Weakness: May break applications that require end-to-end encryption or non-standard protocols.
- Types: Forward proxy (outbound), reverse proxy (inbound, often used for load balancing and web application protection).
- Example: Squid proxy, Apache mod_proxy.
- SY0-701 Note: The exam tests that proxies hide internal IP addresses and can perform content filtering.

#### 5. Web Application Firewall (WAF)

- Layer: Application layer (Layer 7), specifically HTTP/HTTPS.
- Inspection: Analyzes HTTP requests and responses to detect and block attacks like SQL injection, cross-site scripting (XSS), and file inclusion.
- State: Stateless or stateful depending on implementation.
- Performance: Can add latency but is specialized for web traffic.
- Weakness: Only protects web applications; does not replace a network firewall.
- Example: ModSecurity, AWS WAF, Cloudflare WAF.
- SY0-701 Note: The exam expects you to know that WAFs protect against OWASP Top 10 vulnerabilities.

#### 6. Unified Threat Management (UTM)

- Layer: Multiple layers (3-7).
- Inspection: Combines firewall, IPS, antivirus, VPN, content filtering, and sometimes WAF into a single appliance.
- State: Stateful.
- Performance: Can be lower due to multiple inspection engines; often used in SMB environments.
- Weakness: Single point of failure; if compromised, all security layers are lost.
- Example: Sophos UTM, WatchGuard.
- SY0-701 Note: The exam may contrast UTM with a layered approach using separate devices.

Deployment Architectures

#### Screened Subnet (DMZ)

A DMZ (demilitarized zone) is a network segment that sits between the internal trusted network and the external untrusted network. It hosts servers that need to be accessible from the internet (e.g., web, email, DNS). Two firewalls are typically used:

- External firewall: Between the internet and the DMZ.
- Internal firewall: Between the DMZ and the internal network.

Traffic from the internet is allowed only to the DMZ servers; traffic from the DMZ to the internal network is tightly controlled. This architecture ensures that even if a DMZ server is compromised, the attacker cannot directly access the internal network.

#### Bastion Host

A bastion host is a hardened server placed in the DMZ that acts as a gateway for administrative access (e.g., SSH, RDP) from the internet to internal systems. It is the only host allowed to receive inbound management traffic. All other hosts are blocked from direct internet access. The bastion host is heavily monitored and patched.

#### Layered Defense (Defense in Depth)

Firewalls are deployed in multiple layers: perimeter firewall, internal firewall (between network segments), and host-based firewalls on endpoints. This approach ensures that if one firewall fails, others still provide protection. For example, a packet-filtering firewall at the perimeter, a stateful firewall between departments, and Windows Firewall on each workstation.

How Attackers Exploit Firewalls and How Defenders Deploy Countermeasures

Attackers attempt to bypass firewalls through:

- Port scanning: Using Nmap to find open ports; the firewall should block unsolicited inbound traffic.
- IP spoofing: The firewall can block packets with source IPs that don't match the ingress interface (anti-spoofing rules).
- Application-layer attacks: Using encryption (HTTPS) to hide the payload; an NGFW with SSL decryption can inspect it.
- Tunneling: Encapsulating malicious traffic in allowed protocols (e.g., DNS tunneling); application-layer inspection can detect the anomalies.

Defenders deploy:

- Default deny: Block all traffic except that which is explicitly allowed.
- Least privilege: Only allow necessary ports/protocols.
- Logging and alerts: Monitor firewall logs for scanning attempts.
- Regular rule review: Remove unused or overly permissive rules.
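Two of the countermeasures above, alerting on scanning attempts and catching spoofed internal source addresses, can be checked directly against firewall deny logs. The following is an added example, not part of this study guide: the log lines are constructed in the shape of iptables `LOG` output with a `--log-prefix` of `IPT-DROP: `, and `eth0` is assumed to be the internet-facing interface.

```python
# Added example: checks firewall deny logs for two patterns, a port scan (one source
# denied on many distinct ports) and spoofed packets (RFC 1918 source addresses
# arriving on the external interface). SAMPLE_LOG is constructed in the shape of
# iptables LOG output; the addresses and timestamps are made up.
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional

SAMPLE_LOG = """\
Jun  1 10:15:01 fw1 kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=54321 DPT=21 SYN
Jun  1 10:15:01 fw1 kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=54322 DPT=22 SYN
Jun  1 10:15:01 fw1 kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=54323 DPT=23 SYN
Jun  1 10:15:02 fw1 kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=54324 DPT=25 SYN
Jun  1 10:15:02 fw1 kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=54325 DPT=3389 SYN
Jun  1 10:15:02 fw1 kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=54326 DPT=8080 SYN
Jun  1 10:16:40 fw1 kernel: IPT-DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=22 SYN
Jun  1 10:16:41 fw1 kernel: IPT-DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=40002 DPT=22 SYN
Jun  1 10:17:05 fw1 kernel: IPT-DROP: IN=eth0 OUT= SRC=10.0.0.9 DST=203.0.113.10 PROTO=UDP SPT=53 DPT=53
"""

# RFC 1918 ranges: these must never be a source address on the internet-facing side.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXTERNAL_IFACE = "eth0"  # assumption: the interface that faces the internet
FIELD_RE = re.compile(r"\b(IN|SRC|DST|PROTO|DPT)=(\S*)")


def parse_deny(line: str) -> Optional[Dict[str, str]]:
    """Extract the key=value fields we need from one deny line, or None if it is not one."""
    if "IPT-DROP:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if not {"IN", "SRC", "DST", "PROTO", "DPT"}.issubset(fields):
        return None
    return fields


def find_scanners(log_text: str, min_ports: int = 5) -> Dict[str, List[int]]:
    """Sources denied on at least min_ports distinct destination ports (scan indicator)."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_deny(line)
        if ev:
            ports[ev["SRC"]].add(int(ev["DPT"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def find_spoofed(log_text: str) -> List[str]:
    """Sources claiming an RFC 1918 address while arriving on the external interface."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_deny(line)
        if ev and ev["IN"] == EXTERNAL_IFACE:
            src = ipaddress.ip_address(ev["SRC"])
            if any(src in net for net in PRIVATE_NETS):
                hits.append(ev["SRC"])
    return hits


if __name__ == "__main__":
    print("scan sources:", find_scanners(SAMPLE_LOG))
    print("spoofed sources:", find_spoofed(SAMPLE_LOG))
```

The repeated denies from 192.0.2.44 on a single port are not reported as a scan; a threshold on distinct ports keeps a retried connection from looking like reconnaissance.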

Real Command/Tool Examples

- iptables (Linux):

    # Allow SSH from a specific IP
    iptables -A INPUT -p tcp --dport 22 -s 192.168.1.100 -j ACCEPT
    # Allow replies to connections this host initiated (stateful match)
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Default deny
    iptables -P INPUT DROP

- Windows Firewall (PowerShell):

    New-NetFirewallRule -DisplayName "Allow HTTP" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow

- pfSense: GUI-based; rules are processed top-down.

- Cisco IOS ACL:

    access-list 100 permit tcp 10.0.0.0 0.0.0.255 any eq 80
    access-list 100 deny ip any any
    interface GigabitEthernet0/0
     ip access-group 100 in

Key Standards and RFCs

RFC 1918: Private IP address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).

RFC 2827: Network Ingress Filtering (anti-spoofing).

RFC 4301: IPsec architecture.

OWASP Top 10: Web application vulnerabilities relevant to WAFs.

Walk-Through

Step 1: Identify Network Zones and Requirements

Begin by mapping the network architecture: identify the internal trusted network, the DMZ (screened subnet), and the external untrusted network (internet). Determine which services need to be accessible from the internet (e.g., web server on TCP 80/443, email server on TCP 25, DNS on UDP 53). Also identify management access requirements (e.g., SSH from specific admin IPs). Document the security policy: what traffic is allowed, what is denied, and the default action (typically deny all). This step ensures that the firewall rules align with the principle of least privilege. A common mistake is to allow all traffic 'just to get things working'—this violates security best practices and is a frequent exam trap.

Step 2: Select Firewall Types for Each Zone

Based on the requirements, choose appropriate firewall types. For the perimeter (between internet and DMZ), a stateful firewall or NGFW is typically used to allow specific inbound services while blocking unsolicited traffic. For the internal network (between DMZ and internal LAN), a stateful firewall with strict rules can protect internal assets. For web applications, a WAF may be placed in front of the web server to filter application-layer attacks. For remote administration, a bastion host with a stateful firewall can control access. The SY0-701 exam tests your ability to match firewall types to scenarios: e.g., 'Which firewall type can block SQL injection?' Answer: WAF or NGFW with DPI.

Step 3: Define Firewall Rules Based on Least Privilege

Write explicit allow rules for required traffic only. For example, allow inbound HTTP/HTTPS to the web server's IP, allow SMTP to the mail server, and allow DNS queries from internal DNS servers. Use specific source/destination IPs and ports—avoid 'any any' rules. Apply anti-spoofing rules: drop packets from the internet that claim to have a source IP from your internal range. Order rules from most specific to least specific; the last rule should be 'deny all'. Log denied traffic for monitoring. A typical mistake is placing the 'deny all' rule before more specific allows—this will block all traffic. The exam may present a rule ordering scenario; remember that firewalls process rules sequentially.

Step 4: Deploy Firewalls in a Screened Subnet Architecture

Place the external firewall between the internet and the DMZ. This firewall allows inbound traffic only to DMZ servers. Place the internal firewall between the DMZ and the internal network. This firewall allows only necessary traffic from DMZ to internal (e.g., database queries from web server to internal SQL server). The DMZ itself is isolated; if a DMZ server is compromised, the attacker cannot directly access the internal network. Deploy a bastion host in the DMZ for administrative access: all SSH/RDP sessions from the internet must terminate at the bastion, and from there administrators connect to internal systems. This architecture is a core SY0-701 concept—know that a screened subnet uses two firewalls to create a DMZ.

Step 5: Implement Logging, Monitoring, and Rule Review

Configure firewalls to log all denied traffic and allowed traffic for critical services. Send logs to a SIEM (e.g., Splunk, ELK) for correlation. Set up alerts for repeated denied packets (indicating scanning). Regularly review firewall rules (e.g., quarterly) to remove stale rules. Use tools like `iptables -L -n -v` to see packet counts; rules with zero hits may be unnecessary. Monitor for signs of misconfiguration: e.g., if a rule allows inbound SSH from anywhere, that is a security risk. The exam may ask about best practices for firewall management—remember to log, monitor, and review.

What This Looks Like on the Job

Scenario 1: SOC Analyst Investigating Suspicious Outbound Traffic

A SOC analyst notices alerts of outbound connections from a workstation to a known malicious IP address on TCP 4444. The firewall logs show that the traffic was allowed because a rule permits all outbound traffic from the internal network. The analyst investigates: the workstation is infected with malware that establishes a reverse shell. The correct response is to immediately disable the permissive outbound rule (or add a deny rule for that IP), isolate the workstation, and initiate incident response. A common mistake is to block only the specific IP, but the malware may use different IPs; the better approach is to implement application-layer inspection (NGFW) to detect the malware's command-and-control traffic regardless of IP. The analyst uses the firewall's rule base and logs to identify the gap: lack of outbound filtering. The SOC then deploys a proxy or NGFW to inspect all outbound traffic.

Scenario 2: Network Engineer Configuring a DMZ for a Web Application

A company deploys a web application accessible from the internet. The engineer sets up a screened subnet with two firewalls. The external firewall allows inbound HTTP/HTTPS to the web server's public IP. The internal firewall allows the web server to make outbound database queries to an internal SQL server on TCP 1433. The engineer also deploys a WAF in front of the web server to block SQL injection and XSS. During testing, the WAF blocks legitimate traffic because a rule is too restrictive. The engineer tunes the WAF by switching from blocking mode to alert mode initially, then gradually enabling blocking after reviewing false positives. A common mistake is to deploy the WAF in blocking mode immediately, causing service disruption. The correct approach is to first run in monitoring mode, analyze logs, then enable blocking. The SY0-701 exam may test that WAFs can operate in detection or prevention mode.

Scenario 3: Security Auditor Reviewing Firewall Rules

An auditor reviews the firewall rules of a mid-size company. They find a rule that allows inbound RDP (TCP 3389) from any source to any internal host. This is a critical vulnerability because RDP is frequently targeted by ransomware groups. The auditor recommends removing the rule and instead implementing a VPN for remote administration, or using a bastion host with MFA. The firewall administrator's mistake was using an overly permissive rule for convenience. The correct response is to enforce least privilege: allow RDP only from specific admin IPs, and only to the bastion host. The auditor also checks for unused rules; they find a rule allowing FTP (TCP 21) that hasn't been used in months. That rule should be removed. The SY0-701 exam includes questions about firewall best practices: always use specific source/destination, remove unused rules, and follow the principle of least privilege.
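Step 5 of the walk-through (zero-hit rules found with `iptables -L -n -v`) and the auditor in Scenario 3 (management ports open to any source, stale rules) describe the same review of a rule base. The following is an added example, not part of this study guide or of iptables: `SAMPLE_CHAIN` is constructed text in the layout printed by `iptables -L INPUT -n -v`, and the counters and rules in it are made up.

```python
# Added example: reviews an INPUT chain for stale and over-permissive rules, the
# checks step 5 and Scenario 3 describe. SAMPLE_CHAIN is constructed sample text
# in the layout of `iptables -L INPUT -n -v` output; rules and counters are made up.
import re
from typing import Dict, List, Tuple

SAMPLE_CHAIN = """\
Chain INPUT (policy DROP 842 packets, 50520 bytes)
 pkts bytes target     prot opt in     out     source               destination
 9421  612K ACCEPT     tcp  --  *      *       192.168.1.100        0.0.0.0/0            tcp dpt:22
   37  2220 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3389
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
 5532  331K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
 1204   88K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANY = "0.0.0.0/0"
COUNTER_RE = re.compile(r"^(\d+)([KMG])?$")
Finding = Tuple[int, str, str]  # (rule number, category, explanation)


def parse_counter(text: str) -> int:
    """iptables -v abbreviates counters (612K, 3M); expand them to integers."""
    m = COUNTER_RE.match(text)
    if not m:
        raise ValueError(f"unexpected counter: {text!r}")
    scale = {None: 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    return int(m.group(1)) * scale[m.group(2)]


def parse_chain(text: str) -> Tuple[str, List[Dict]]:
    """Return (chain policy, rules); rule numbers count from 1 in chain order."""
    lines = text.splitlines()
    policy = re.search(r"\(policy (\w+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:  # skip the chain header and the column header
        cols = line.split(None, 9)
        if len(cols) < 9:
            continue
        extra = cols[9] if len(cols) > 9 else ""   # match details, e.g. "tcp dpt:22"
        dpt = re.search(r"dpt:(\d+)", extra)
        rules.append({
            "pkts": parse_counter(cols[0]),
            "target": cols[2],
            "proto": cols[3],
            "source": cols[7],
            "dest": cols[8],
            "dport": int(dpt.group(1)) if dpt else None,
        })
    return policy, rules


def audit_chain(text: str) -> List[Finding]:
    """Flag a non-DROP policy, zero-hit accepts, exposed admin ports and any-any accepts."""
    policy, rules = parse_chain(text)
    findings: List[Finding] = []
    if policy != "DROP":
        findings.append((0, "policy", f"chain policy is {policy}; default deny expects DROP"))
    for n, r in enumerate(rules, 1):
        if r["target"] != "ACCEPT":
            continue
        if r["pkts"] == 0:
            findings.append((n, "unused", "zero packets matched; candidate for removal"))
        if r["source"] == ANY and r["dport"] in ADMIN_PORTS:
            findings.append((n, "exposed-admin",
                             f"{ADMIN_PORTS[r['dport']]} accepted from any source"))
        if r["source"] == ANY and r["dest"] == ANY and r["dport"] is None:
            findings.append((n, "any-any", "accepts everything; violates least privilege"))
    return findings


if __name__ == "__main__":
    for num, kind, why in audit_chain(SAMPLE_CHAIN):
        print(f"rule {num}: [{kind}] {why}")
```

A zero-hit rule is only a candidate for removal: counters reset on reboot, so compare against several review periods before deleting.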

How SY0-701 Actually Tests This

Exactly What SY0-701 Tests on This Objective

Objective 3.1: 'Given a scenario, implement secure network architectures.' The exam specifically tests your ability to:

Differentiate between firewall types: packet-filtering, stateful, next-generation, proxy, WAF, and UTM.

Identify appropriate deployment scenarios for each type (e.g., WAF for web application protection, proxy for content filtering).

Understand DMZ (screened subnet) architecture and the role of bastion hosts.

Recognize the characteristics of each firewall type at different OSI layers.

Apply the principle of least privilege when configuring firewall rules.

Common Wrong Answers and Why Candidates Choose Them

1. Choosing 'stateful firewall' for application-layer protection: Candidates see 'stateful' and think it's advanced, but stateful firewalls only track session state, not application data. The correct answer for application-layer filtering is NGFW or WAF.

2. Confusing proxy with WAF: Both work at Layer 7, but a WAF is specialized for HTTP/HTTPS and web attacks, while a proxy can handle any application protocol and can also provide anonymity.

3. Selecting 'packet-filtering firewall' to block SQL injection: Packet-filtering firewalls only see headers, not payloads. They cannot detect SQL injection. Candidates may think that blocking port 80 would block the attack, but SQL injection occurs on legitimate ports.

4. Thinking a UTM is always better than separate devices: UTM provides multiple functions in one box, but it is a single point of failure. The exam may present a scenario where a layered defense with separate devices is more resilient.

Specific Terms and Values That Appear Verbatim

Screened subnet: Also called DMZ. Know that it uses two firewalls (external and internal).

Bastion host: A hardened server in the DMZ for administrative access.

Implicit deny: The default action of a firewall when no rule matches.

State table: Used by stateful firewalls to track connections.

Deep packet inspection (DPI): Performed by NGFWs and WAFs.

Port numbers: Common services: HTTP (80), HTTPS (443), SSH (22), RDP (3389), DNS (53), SMTP (25).

Common Trick Questions

'Which firewall type can filter traffic based on application identity?' The answer is NGFW, not stateful. Candidates may think 'stateful' because it tracks state, but application identity requires DPI.

'What is the purpose of a bastion host?' It provides a secure gateway for administrative access; it is not a general-purpose server. A trick answer might be 'to host web services'—that would be a DMZ server, not a bastion.

'In a screened subnet, where should the web server be placed?' In the DMZ, not on the internal network. A trick answer might be 'on the internal network with a firewall rule allowing inbound traffic'—but that defeats the purpose of isolation.

Decision Rule for Eliminating Wrong Answers

When given a scenario question about firewall deployment, ask yourself:

1. What layer of the OSI model does the threat operate at? If it's application-layer (e.g., SQL injection, XSS), you need a Layer 7 firewall (WAF or NGFW). If it's network-layer (e.g., port scan), a packet-filtering or stateful firewall may suffice.
2. Does the scenario require tracking session state? If yes, eliminate stateless (packet-filtering). If no, stateful is not required.
3. Is the goal to hide internal IP addresses? Then a proxy or NAT is needed.
4. Is there a need for multiple security functions in one device? That points to UTM, but remember the trade-off of single point of failure.
5. Is the scenario about web application security? The answer is almost always WAF.

By applying these rules, you can eliminate at least two incorrect options on multiple-choice questions.

Key Takeaways

A packet-filtering firewall inspects only packet headers (Layers 3-4) and is stateless.

A stateful firewall maintains a state table to track active connections and allows return traffic automatically.

A next-generation firewall (NGFW) performs deep packet inspection (DPI) and includes IPS, application control, and user identity awareness.

A web application firewall (WAF) protects against Layer 7 attacks like SQL injection and XSS, specifically for HTTP/HTTPS.

A proxy firewall acts as an intermediary, hiding internal IPs and can perform content filtering; forward proxies protect clients, reverse proxies protect servers.

A screened subnet (DMZ) uses two firewalls (external and internal) to isolate public-facing servers from the internal network.

A bastion host is a hardened server in the DMZ used for administrative access (e.g., SSH, RDP) and is heavily monitored.

UTM combines multiple security functions (firewall, IPS, antivirus, VPN) into one appliance, but is a single point of failure.

Implicit deny is the default action when no rule matches; always place the catch-all 'deny all' rule at the end of the rule set.

Firewall rules should follow least privilege: allow only necessary traffic, specify source/destination IPs and ports, and log all denied traffic.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Packet-Filtering Firewall

Operates at Layers 3-4 (Network and Transport).

Stateless: Each packet inspected independently.

No state table; cannot detect spoofed packets in a session.

Faster performance, lower overhead.

Example: Standard ACL on a router.

Stateful Firewall

Operates at Layers 3-4, plus tracks session state.

Stateful: Maintains state table for active connections.

Can detect spoofed packets that don't match an existing session.

Slightly slower due to state tracking.

Example: Windows Firewall with Advanced Security.

NGFW (Next-Generation Firewall)

Operates at Layers 3-7, including application identification and IPS.

Inspects all traffic types (not just HTTP).

Can block malware, intrusions, and application-layer attacks.

Requires SSL decryption to inspect encrypted traffic.

Example: Palo Alto Networks PA-220.

WAF (Web Application Firewall)

Operates at Layer 7, specifically HTTP/HTTPS.

Inspects HTTP requests/responses for web attacks (SQLi, XSS).

Cannot protect non-web protocols (e.g., SMTP, FTP).

Does not typically perform SSL decryption (but can).

Example: ModSecurity, AWS WAF.

Proxy Firewall (Forward Proxy)

Sits between internal clients and the internet.

Hides internal client IPs from external servers.

Can cache content to improve performance.

Used for outbound traffic control and content filtering.

Example: Squid proxy.

Reverse Proxy

Sits between internet clients and internal servers.

Hides internal server IPs from external clients.

Can perform load balancing and SSL termination.

Used to protect web servers from direct exposure.

Example: NGINX, HAProxy.

Watch Out for These

Mistake: A stateful firewall can inspect application-layer data.

Correct: Stateful firewalls only track session state (source/destination IP, ports, sequence numbers). They do not inspect the payload. Application-layer inspection requires a next-generation firewall or a proxy.

Mistake: A DMZ is a single network segment with one firewall.

Correct: A true screened subnet DMZ uses two firewalls: one between the internet and DMZ, and one between the DMZ and internal network. This isolates the DMZ from both sides.

Mistake: A WAF is the same as a network firewall.

Correct: A WAF is specifically designed for HTTP/HTTPS traffic and protects against web application attacks (SQLi, XSS). A network firewall operates at Layers 3-4 and does not understand HTTP semantics.

Mistake: Packet-filtering firewalls are obsolete and never used.

Correct: Packet-filtering firewalls (ACLs on routers) are still used for basic traffic filtering due to their speed and simplicity. They are not obsolete but are insufficient as the sole security measure.

Mistake: A proxy firewall always improves security by hiding internal IPs.

Correct: While a proxy does hide internal IPs, it can also introduce latency and break applications that require end-to-end encryption or non-standard protocols. It must be carefully configured.

Frequently Asked Questions

What is the difference between a stateful and stateless firewall?

A stateless firewall (packet-filtering) inspects each packet independently without any memory of previous packets. A stateful firewall keeps a state table that tracks active connections (source IP, destination IP, ports, sequence numbers). When a packet arrives, the stateful firewall checks whether it belongs to an existing connection; if so, it is allowed automatically. This makes stateful firewalls more secure against spoofed packets. For the exam, remember that stateful firewalls are 'connection-aware' while stateless ones are not.

When would you use a proxy firewall instead of a stateful firewall?

Use a proxy firewall when you need to inspect or modify application-layer data, hide internal IP addresses, or control outbound web traffic. For example, a forward proxy can block employees from accessing certain websites by inspecting HTTP requests. A stateful firewall cannot perform this application-layer filtering. However, proxies introduce latency and may not support all protocols. The exam may present a scenario requiring content filtering—that points to a proxy.

What is a DMZ and how is it configured with firewalls?

A DMZ (screened subnet) is a network segment that sits between the internal network and the internet, hosting public-facing servers (web, email, DNS). It is configured using two firewalls: an external firewall between the internet and the DMZ, and an internal firewall between the DMZ and the internal network. The external firewall allows inbound traffic only to DMZ servers; the internal firewall allows only necessary traffic from DMZ to internal (e.g., database queries). This architecture ensures that if a DMZ server is compromised, the attacker cannot directly reach the internal network.

Can a packet-filtering firewall block application-layer attacks like SQL injection?

No. A packet-filtering firewall only examines packet headers (source/destination IP, port, protocol). It cannot inspect the payload of the packet. SQL injection occurs in the HTTP request body or parameters, which is application-layer data. To block SQL injection, you need a WAF or an NGFW with deep packet inspection (DPI). The exam may test this by asking which firewall type can prevent SQL injection—the correct answer is WAF or NGFW.

What is the purpose of a bastion host?

A bastion host is a hardened server placed in the DMZ that serves as a secure gateway for administrative access (e.g., SSH, RDP) from the internet to internal systems. It is the only host allowed to receive inbound management traffic. The bastion host is heavily monitored, patched, and often requires multi-factor authentication. If an attacker compromises the bastion, they still face additional security controls to reach internal systems. The exam may contrast a bastion host with a jump box—they are similar concepts.

What is the difference between a UTM and a next-generation firewall?

UTM (Unified Threat Management) combines multiple security functions (firewall, IPS, antivirus, VPN, content filtering) into a single appliance, typically used in SMB environments. NGFW (Next-Generation Firewall) also integrates multiple functions but focuses on deep packet inspection, application identification, and user awareness, often with higher performance. The key difference is that UTM is an all-in-one box that can be a single point of failure, while NGFW is more scalable and enterprise-grade. The exam may ask which is more suitable for a large enterprise—NGFW.

How do firewalls handle return traffic for outbound connections?

For a stateful firewall, when an internal host initiates an outbound connection, the firewall creates an entry in the state table. Return packets that match this entry (same source/dest IP and ports, correct sequence numbers) are automatically allowed, even if no explicit inbound rule exists. For a stateless firewall, you must manually create an inbound rule to allow return traffic. This is a key advantage of stateful firewalls—they simplify rule configuration and improve security by only allowing return traffic that belongs to a known session.
