The previous chapter covered services that configure and monitor devices. Those services assume a trustworthy network. In practice, networks carry both legitimate and malicious traffic. Network appliances enforce security policies, distribute load, and deliver specialized storage and wireless connectivity.
A switch forwards frames. A router forwards packets. Neither device inspects frame content or decides whether a connection is legitimate. Dedicated appliances fill the gap: firewalls filter traffic, intrusion detection systems identify attacks, and load balancers distribute connections across servers.
A firewall filters traffic between network zones based on rules. The firewall serves as the primary enforcement point between trusted and untrusted networks.
A stateless firewall (packet filter) evaluates each packet independently. The stateless firewall checks the source IP, destination IP, protocol, and port against a rule list. The stateless firewall has no memory of previous packets. A client sending a request on port 443 passes through when a rule permits the request. The server’s response also needs an explicit rule allowing return traffic. This requirement forces broad “allow established” rules that weaken the security posture.
A stateful firewall tracks active connections in a state table. When a client initiates a connection, the firewall creates a state entry. Return traffic matching the entry passes automatically. The firewall drops packets that belong to no tracked connection. Stateful inspection eliminates the need for broad return-traffic rules.
| Feature | Stateless | Stateful |
|---|---|---|
| Connection tracking | None | Full state table |
| Return traffic | Requires explicit rule | Allowed automatically |
| Performance | Faster (no state lookup) | Slightly slower |
| Security | Weaker (broad rules needed) | Stronger (tracks sessions) |
| Use case | Simple ACLs on routers | Perimeter firewalls |
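The difference in the table is easiest to see on concrete packets. The following Python is an added example, not code from the page: it models a two-rule stateless filter and a stateful firewall with a connection table, then runs the same three packets through both. The trusted zone (10.0.0.0/24), the outbound-HTTPS-only policy and all addresses are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter reads; protocol is assumed TCP throughout."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only on the first packet of a client-initiated connection


INSIDE = "10.0.0."        # constructed example: the trusted zone is 10.0.0.0/24
ALLOWED_DPORTS = {443}    # policy: hosts inside may open HTTPS connections outward


def stateless_filter(pkt: Packet) -> str:
    """Packet filter with no memory. Two rules, evaluated per packet:
    1. inside -> anywhere, destination port 443 (the outbound policy)
    2. anywhere -> inside, source port 443 (the broad rule needed so replies get back)
    Rule 2 cannot tell a reply from an unsolicited packet that merely uses source port 443."""
    if pkt.src.startswith(INSIDE) and pkt.dport in ALLOWED_DPORTS:
        return "ALLOW"
    if pkt.dst.startswith(INSIDE) and pkt.sport in ALLOWED_DPORTS:
        return "ALLOW"
    return "DROP"


class StatefulFirewall:
    """Keeps a state table of connections it has permitted; only rule 1 is needed."""

    def __init__(self) -> None:
        self.state: set[tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.state or reverse in self.state:
            return "ALLOW"           # part of a tracked connection, either direction
        if pkt.syn and pkt.src.startswith(INSIDE) and pkt.dport in ALLOWED_DPORTS:
            self.state.add(forward)  # new connection permitted by policy: create its entry
            return "ALLOW"
        return "DROP"                # no state entry and not a permitted new connection


def demo() -> dict[str, list[str]]:
    client_syn = Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True)
    server_reply = Packet("203.0.113.10", 443, "10.0.0.5", 51000)
    unsolicited = Packet("198.51.100.7", 443, "10.0.0.9", 3389)  # nobody inside asked for this
    packets = (client_syn, server_reply, unsolicited)
    fw = StatefulFirewall()
    return {
        "stateless": [stateless_filter(p) for p in packets],
        "stateful": [fw.filter(p) for p in packets],
    }


if __name__ == "__main__":
    for kind, verdicts in demo().items():
        print(f"{kind:10s}: client SYN={verdicts[0]}, server reply={verdicts[1]}, "
              f"unsolicited={verdicts[2]}")
```

Both filters pass the client's SYN and the server's reply. The stateless filter also passes the third packet, because its only evidence is a source port of 443; the stateful firewall drops it, because no tracked connection matches in either direction.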
Firewall rules (also called ACLs, Access Control Lists) follow top-to-bottom evaluation. The firewall compares each packet against rule 1, then rule 2, and so on. The first matching rule applies. When no rule matches, the implicit deny at the end drops the packet.
Rule order matters. A broad permit rule early in the list overrides specific deny rules below the broad rule. Place the most specific rules at the top and the most general rules at the bottom.
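As an added example (not from the page), the Python below implements first-match evaluation with an implicit deny and adds a check for shadowed rules, i.e. rules that can never match because an earlier rule fully covers them. The policy, the networks and the rule names are constructed: a guest VLAN that must not reach a PLC subnet on Modbus TCP, inside a general internal permit.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port, or None for any port
    name: str = ""


def matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules: list[Rule], src: str, dst: str, dport: int) -> tuple[str, str]:
    """Top-to-bottom evaluation: the first matching rule decides; no match means implicit deny."""
    for position, rule in enumerate(rules, start=1):
        if matches(rule, src, dst, dport):
            return rule.action, f"rule {position} ({rule.name})"
    return "deny", "implicit deny"


def shadowed_rules(rules: list[Rule]) -> list[tuple[int, int]]:
    """Return (later, earlier) positions where the earlier rule fully covers the later one,
    so the later rule can never match. A broad permit above a specific deny shows up here."""
    found = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and (earlier.dport is None or earlier.dport == later.dport)):
                found.append((j + 1, i + 1))
                break
    return found


# Constructed policy: the guest VLAN must not reach the PLC subnet on Modbus TCP (502),
# while other internal traffic is permitted. Addresses are example values only.
BLOCK_GUEST_MODBUS = Rule("deny", "10.0.5.0/24", "192.168.100.0/24", 502, "guest VLAN -> PLC Modbus")
PERMIT_INTERNAL = Rule("permit", "10.0.0.0/8", "0.0.0.0/0", None, "internal -> any")

WRONG_ORDER = [PERMIT_INTERNAL, BLOCK_GUEST_MODBUS]   # broad permit first: the deny never fires
RIGHT_ORDER = [BLOCK_GUEST_MODBUS, PERMIT_INTERNAL]   # specific deny first, then the general permit


def demo() -> dict:
    guest_to_plc = ("10.0.5.20", "192.168.100.10", 502)
    outsider_to_plc = ("172.16.0.3", "192.168.100.10", 502)
    return {
        "wrong": evaluate(WRONG_ORDER, *guest_to_plc),
        "right": evaluate(RIGHT_ORDER, *guest_to_plc),
        "no_match": evaluate(RIGHT_ORDER, *outsider_to_plc),
        "shadowed_in_wrong": shadowed_rules(WRONG_ORDER),
        "shadowed_in_right": shadowed_rules(RIGHT_ORDER),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:18s}: {result}")
```

With the broad permit on top, the guest-to-PLC Modbus packet is permitted by rule 1 and the deny in rule 2 is reported as shadowed; with the specific deny on top, the same packet is denied and nothing is shadowed. A packet that matches no rule at all falls through to the implicit deny.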
An NGFW (Next-Generation Firewall) combines stateful inspection with additional capabilities:
Firewall logs record every permitted and denied connection. In OT networks, blocked Modbus TCP (port 502) or EtherNet/IP (port 44818) traffic indicates a misconfigured rule or an unauthorized access attempt.
The following script parses a syslog-format firewall log and extracts denied connections to OT protocol ports.
```python
import re
from collections import Counter

# OT protocol ports of interest and their names.
OT_PORTS = {502: "Modbus TCP", 44818: "EtherNet/IP", 2222: "EtherNet/IP IO", 4840: "OPC UA", 20000: "DNP3", 102: "S7comm"}


def parse_firewall_log(logfile: str) -> list[dict]:
    """Return one record per denied connection whose destination port is an OT protocol port."""
    denied = []
    # Matches lines such as: ... DENY ... src=10.0.5.20 dst=192.168.100.10 ... dport=502
    pattern = re.compile(
        r"(?P<action>DENY|DROP).*src=(?P<src>\S+).*dst=(?P<dst>\S+).*"
        r"dport=(?P<dport>\d+)"
    )
    with open(logfile) as f:
        for line in f:
            m = pattern.search(line)
            if not m:
                continue  # permitted connection or unrelated log line
            dport = int(m.group("dport"))
            if dport in OT_PORTS:
                denied.append({"src": m.group("src"), "dst": m.group("dst"),
                               "port": dport, "protocol": OT_PORTS[dport]})
    return denied


entries = parse_firewall_log("/var/log/firewall.log")
by_proto = Counter(e["protocol"] for e in entries)
for proto, count in by_proto.most_common():
    print(f"{proto:20s}: {count} denied connections")
for e in entries[:5]:
    print(f"  {e['src']} -> {e['dst']}:{e['port']} ({e['protocol']})")
```

A spike in denied Modbus connections from an unexpected source IP warrants immediate investigation. The spike indicates a misconfigured device or a scanning attempt.
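The script above counts denials per protocol; turning "a spike from an unexpected source" into a detection needs a per-source count over a time window and a list of sources that are expected to speak OT protocols. The following Python is an added example, not part of the page's script: it parses the same syslog-style fields from constructed sample lines held in memory, keeps only denials to OT ports, and flags any source IP whose denials within a sliding 60-second window reach a threshold. The log lines, the threshold, the window and the "expected sources" set are all assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Same OT port map as the log-parsing script above.
OT_PORTS = {502: "Modbus TCP", 44818: "EtherNet/IP", 2222: "EtherNet/IP IO",
            4840: "OPC UA", 20000: "DNP3", 102: "S7comm"}

# Syslog-style lines carrying the src=/dst=/dport= fields the page's regex expects.
# Constructed sample data, not captured from a real firewall.
SAMPLE_LOG = """\
Mar 10 08:00:01 fw01 kernel: DENY IN=eth1 src=10.0.5.20 dst=192.168.100.10 proto=TCP dport=502
Mar 10 08:00:02 fw01 kernel: DENY IN=eth1 src=10.0.5.20 dst=192.168.100.11 proto=TCP dport=502
Mar 10 08:00:03 fw01 kernel: DENY IN=eth1 src=10.0.5.20 dst=192.168.100.12 proto=TCP dport=502
Mar 10 08:00:04 fw01 kernel: DENY IN=eth1 src=10.0.5.20 dst=192.168.100.13 proto=TCP dport=502
Mar 10 08:00:05 fw01 kernel: DENY IN=eth1 src=10.0.5.20 dst=192.168.100.10 proto=TCP dport=44818
Mar 10 08:00:06 fw01 kernel: DENY IN=eth1 src=10.0.5.20 dst=192.168.100.11 proto=TCP dport=44818
Mar 10 08:03:00 fw01 kernel: DENY IN=eth1 src=10.0.0.7 dst=192.168.100.10 proto=TCP dport=502
Mar 10 08:03:30 fw01 kernel: DENY IN=eth1 src=10.0.0.7 dst=192.168.100.10 proto=TCP dport=22
Mar 10 08:05:00 fw01 kernel: ALLOW IN=eth1 src=10.0.0.8 dst=192.168.100.10 proto=TCP dport=502
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d).*\b(?P<action>DENY|DROP|ALLOW)\b"
    r".*src=(?P<src>\S+).*dst=(?P<dst>\S+).*dport=(?P<dport>\d+)"
)


def detect_spikes(lines, window=timedelta(seconds=60), threshold=5, expected_sources=frozenset()):
    """Group denied OT-port connections by source IP and flag any source whose count inside
    a sliding time window reaches `threshold`. Syslog timestamps carry no year, so strptime
    fills in 1900; only differences between timestamps are used, so that is harmless."""
    events = defaultdict(list)  # src -> [(timestamp, dst, dport), ...]
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group("action") not in ("DENY", "DROP"):
            continue
        dport = int(m.group("dport"))
        if dport not in OT_PORTS:
            continue  # denied, but not an OT protocol port
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events[m.group("src")].append((ts, m.group("dst"), dport))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        peak, start = 0, 0
        for end in range(len(evs)):  # two-pointer sliding window over sorted timestamps
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[src] = {
                "peak_in_window": peak,
                "targets": sorted({dst for _, dst, _ in evs}),
                "protocols": sorted({OT_PORTS[p] for _, _, p in evs}),
                "expected_source": src in expected_sources,
            }
    return alerts


def run_demo() -> dict:
    # 10.0.0.7 is a known engineering workstation in this constructed scenario.
    return detect_spikes(SAMPLE_LOG.splitlines(), expected_sources={"10.0.0.7"})


if __name__ == "__main__":
    for src, info in run_demo().items():
        print(f"{src}: {info['peak_in_window']} denied OT connections in 60s -> "
              f"{', '.join(info['protocols'])} to {len(info['targets'])} hosts "
              f"(expected source: {info['expected_source']})")
```

On the sample data only 10.0.5.20 is flagged: six denials to four PLC addresses on two OT protocols within six seconds, from a source that is not on the expected list. The single denial from the engineering workstation stays below the threshold, its denied SSH attempt is ignored because port 22 is not an OT port, and the ALLOW line is never counted.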
Stateful firewalls track connections
Stateful inspection eliminates the need for broad return-traffic rules. Deploy stateful firewalls at every zone boundary.
Rule order matters
ACLs evaluate top-to-bottom. The first match wins. Place specific rules before general rules.
NGFWs inspect beyond ports
Application awareness, TLS inspection, and user identity deliver deeper visibility than traditional port-based rules.
Firewalls block unauthorized connections. Firewalls do not detect attacks hidden inside permitted traffic. The next page covers IDS and IPS — the systems that monitor for suspicious patterns within allowed traffic.