
6.1 Firewalls

The previous chapter covered the services that configure and monitor devices. Those services assume the network is trustworthy. In practice, networks carry both legitimate and malicious traffic. Network appliances enforce security policies, distribute load, and provide specialized storage and wireless connectivity.

A switch forwards frames. A router forwards packets. Neither inspects the content of those frames or decides whether a connection is legitimate. Dedicated appliances fill this gap: firewalls filter traffic, intrusion detection systems identify attacks, and load balancers distribute connections across servers.

A firewall filters traffic between network zones based on rules. It is the primary enforcement point between trusted and untrusted networks.

A stateless firewall (packet filter) evaluates each packet independently. It checks the source IP, destination IP, protocol, and port against a rule list. It has no memory of previous packets. A client sending a request on port 443 gets through if a rule permits it, but the server’s response also needs an explicit rule allowing traffic back. This requires broad “allow established” rules that weaken security.

A stateful firewall tracks active connections in a state table. When a client initiates a connection, the firewall creates a state entry. Return traffic matching that entry passes automatically. The firewall drops packets that do not belong to any tracked connection. This eliminates the need for broad return-traffic rules.

| Feature             | Stateless                   | Stateful                   |
|---------------------|-----------------------------|----------------------------|
| Connection tracking | None                        | Full state table           |
| Return traffic      | Requires explicit rule      | Allowed automatically      |
| Performance         | Faster (no state lookup)    | Slightly slower            |
| Security            | Weaker (broad rules needed) | Stronger (tracks sessions) |
| Use case            | Simple ACLs on routers      | Perimeter firewalls        |

Firewall rules (also called ACLs, Access Control Lists) are evaluated top-to-bottom. The firewall compares each packet against rule 1, then rule 2, and so on. The first matching rule applies. If no rule matches, the implicit deny at the end drops the packet.

Rule order matters. A broad permit rule early in the list overrides specific deny rules below it. Place the most specific rules at the top and the most general rules at the bottom.
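The following is an added illustration, not part of the chapter's own code: a minimal packet filter that evaluates an ACL top-to-bottom with first-match semantics and an implicit deny, alongside a stateful variant that adds a state table so return traffic of a permitted flow passes without its own rule. The `Packet`, `Rule`, `evaluate_acl` and `StatefulFirewall` names and the CIDR/port rule fields are assumptions chosen for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches every destination port

    def matches(self, p: Packet) -> bool:
        return ((self.src == "any" or ip_address(p.src) in ip_network(self.src))
                and (self.dst == "any" or ip_address(p.dst) in ip_network(self.dst))
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))

def evaluate_acl(rules: list, p: Packet) -> str:
    """Stateless evaluation: top-to-bottom, first match wins, implicit deny at the end."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"

class StatefulFirewall:
    """Same ACL, plus a state table so replies to permitted flows pass automatically."""
    def __init__(self, rules: list):
        self.rules = rules
        self.state = set()  # (src, dst, proto, sport, dport) of tracked connections

    def filter(self, p: Packet) -> str:
        flow = (p.src, p.dst, p.proto, p.sport, p.dport)
        reply = (p.dst, p.src, p.proto, p.dport, p.sport)
        if flow in self.state or reply in self.state:
            return "permit"       # belongs to a tracked connection
        action = evaluate_acl(self.rules, p)
        if action == "permit":
            self.state.add(flow)  # new connection: create the state entry
        return action
```

Feeding the same Modbus request and its reply through `evaluate_acl` and `StatefulFirewall.filter` shows the difference from the table above: the stateless filter drops the reply for lack of a matching rule, while the stateful one passes it; placing a broad permit ahead of a specific deny shows why the specific deny never fires.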

An NGFW (Next-Generation Firewall) combines stateful inspection with additional capabilities:

  • Application awareness: identifies applications regardless of port (detects HTTP on port 8080, not just port 80)
  • TLS inspection: decrypts TLS traffic, inspects the payload, then re-encrypts it
  • Integrated IPS: inspects permitted traffic for attack signatures
  • User identity: ties rules to user accounts (via Active Directory integration), not just IP addresses
  • URL filtering: blocks access to categories of websites

Firewall logs record every permitted and denied connection. In OT networks, blocked Modbus TCP (port 502) or EtherNet/IP (port 44818) traffic indicates either a misconfigured rule or an unauthorized access attempt.

The following script parses a syslog-format firewall log and extracts denied connections to OT protocol ports.

```python
import re
from collections import Counter

# TCP ports of common OT protocols, mapped to the protocol name.
OT_PORTS = {502: "Modbus TCP", 44818: "EtherNet/IP", 2222: "EtherNet/IP IO",
            4840: "OPC UA", 20000: "DNP3", 102: "S7comm"}


def parse_firewall_log(logfile: str) -> list[dict]:
    """Return the denied connections to OT protocol ports found in a syslog-format log."""
    denied = []
    # Matches lines containing, in order, DENY/DROP, src=..., dst=... and dport=...
    pattern = re.compile(
        r"(?P<action>DENY|DROP).*src=(?P<src>\S+).*dst=(?P<dst>\S+).*"
        r"dport=(?P<dport>\d+)"
    )
    with open(logfile) as f:
        for line in f:
            m = pattern.search(line)
            if not m:
                continue  # permitted connection or unrelated log line
            dport = int(m.group("dport"))
            if dport in OT_PORTS:
                denied.append({"src": m.group("src"), "dst": m.group("dst"),
                               "port": dport, "protocol": OT_PORTS[dport]})
    return denied


if __name__ == "__main__":
    entries = parse_firewall_log("/var/log/firewall.log")
    # Summarize denials per protocol, most frequent first.
    by_proto = Counter(e["protocol"] for e in entries)
    for proto, count in by_proto.most_common():
        print(f"{proto:20s}: {count} denied connections")
    # Show the first few denied connections in detail.
    for e in entries[:5]:
        print(f"  {e['src']} -> {e['dst']}:{e['port']} ({e['protocol']})")
```

A spike in denied Modbus connections from an unexpected source IP warrants immediate investigation. It indicates either a misconfigured device or a scanning attempt.

Stateful firewalls track connections

Stateful inspection eliminates the need for broad return-traffic rules. Use stateful firewalls at every zone boundary.

Rule order matters

ACLs evaluate top-to-bottom, first match wins. Place specific rules before general rules.

NGFWs inspect beyond ports

Application awareness, TLS inspection, and user identity provide deeper visibility than traditional port-based rules.

Firewalls block unauthorized connections, but they do not detect attacks hidden inside permitted traffic. The next page covers IDS and IPS, the systems that monitor for suspicious patterns within allowed traffic.
