Intro to Networking - Network Firewall Security


Overview


This is an introductory article on how Stateful and Stateless firewalls work.

NOTES:
Find a complete introductory guide on Routing and Switching in our Ubiquiti Broadband Routing & Switching Specialist (UBRSS) guide, downloadable in our Training section.

Table of Contents


  1. Firewall Introduction
  2. Stateless vs. Stateful Firewalls
  3. Gateway Firewalls
  4. Related Articles

Firewall Introduction


Firewalls are network security systems that monitor, track, and control network traffic. When configured on WAN boundaries, firewalls protect against malicious or undesirable traffic. Generally, firewalls apply to inbound, outbound, and local (i.e., destined for the firewall itself) traffic. While most host devices today feature consumer-grade firewall software, IT Admins are responsible for researching and implementing an effective firewall solution on the Enterprise/Broadband network.

As their scope, complexity, and importance have grown, network firewalls have evolved along the layers of the OSI Model in both design and implementation. Even before a Network Firewall is configured, a well-designed Network Topology at OSI Layers 1 and 2 reduces the risks the network faces, primarily by controlling physical network access and by implementing VLANs.


[Figure: topology.png]

Dedicated Firewalls are critical to ensuring a safe, high-performing Network for all hosts. The UniFi Security Gateway sits on the WAN boundaries and by default, features basic firewall rules protecting the UniFi Site.


Stateless vs. Stateful Firewalls


Among the earliest firewalls were Stateless Firewalls, which filter individual packets, generally on information at OSI Layers 2, 3, and 4 such as Source and Destination Addresses.

As Network Hardware became more powerful and less expensive, Stateful Firewalls emerged as connection-tracking filters that consider information at OSI Layers 2, 3, and 4, as well as Layer 7 for Application-based filtering.

Whether filtering on simple packet criteria or on connection-tracking state, both Stateless and Stateful Firewalls are widely used today and often overlap in when, where, and how they are deployed.

The USG and EdgeRouter use the more advanced Stateful firewall model and can match on the following connection states:

  • new: The incoming packets are from a new connection.
  • established: The incoming packets are associated with an already existing connection.
  • related: The incoming packets are new, but associated with an already existing connection.
  • invalid: The incoming packets do not match any of the other states.

Gateway Firewalls 


Due to their design, function, and location on networks, Routers (Gateways) are well-suited to run firewalls. When configuring a Router Firewall, consider the following criteria:

  • Interface: The network interface where the firewall is applied.
  • Direction: The traffic direction (ingress, egress or local) in which the firewall is filtering traffic.
  • Type: Which traffic types (ports, protocols, source, destination) should be matched on.
  • Action: Whether to drop, reject or accept traffic.

Firewalls can be applied to multiple interfaces (for example the WAN or LAN interface) and in multiple directions. The traffic directions are ingress (inbound), egress (outbound), or Local (bound for the Firewall Device). Firewall rules can define whether to Drop, Reject, or Accept the matching traffic and can filter on many different traffic types. Some examples are:

  • Network Protocol
  • Source IP address(es)
  • Destination IP address(es)
  • Port(s)
  • Application
  • State
  • Time
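The connection states from the previous section and the interface, direction, type and action criteria of a gateway rule set can be seen working together in the following Python model. It is an added example, not UniFi or EdgeOS code: the packet fields, the rule-set names WAN_IN and WAN_LOCAL (assumed to follow the EdgeRouter naming convention), the documentation addresses, and the related_to hint that stands in for a protocol helper are all constructed for illustration. The model goes slightly beyond the text by showing why a dropped SYN must not create connection state, so that a later ACK from the same source is classified invalid rather than established.

```python
# Added example, not UniFi/EdgeOS code: a toy stateful firewall that models the
# four connection states and the interface/direction/type/action rule criteria.
# Real routers also track timeouts, TCP sequence windows and protocol helpers;
# the 5-tuple table and the explicit related_to hint below are simplifications.
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional, Tuple

# direction is "in" (ingress), "out" (egress) or "local" (destined for the router);
# related_to is a constructed stand-in for a helper's verdict: the parent flow's 5-tuple.
Packet = namedtuple("Packet", "iface direction proto src sport dst dport syn ack related_to",
                    defaults=(False, False, None))
FiveTuple = Tuple[str, str, int, str, int]     # proto, src, sport, dst, dport

def conn_key(t: FiveTuple) -> FiveTuple:
    """Direction-independent key so a reply maps to the same connection entry."""
    proto, src, sport, dst, dport = t
    return min(t, (proto, dst, dport, src, sport))

def five_tuple(pkt: Packet) -> FiveTuple:
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

class ConnTracker:
    def __init__(self) -> None:
        self.table = set()                     # keys of tracked connections

    def classify(self, pkt: Packet) -> str:
        """Return new / established / related / invalid; does not modify the table."""
        if conn_key(five_tuple(pkt)) in self.table:
            return "established"
        if pkt.related_to is not None and conn_key(pkt.related_to) in self.table:
            return "related"
        if pkt.proto == "tcp":                 # only a bare SYN may open a TCP flow
            return "new" if (pkt.syn and not pkt.ack) else "invalid"
        return "new"                           # first packet of a UDP or ICMP flow

    def commit(self, pkt: Packet) -> None:
        """Only accepted new/related packets create connection state."""
        self.table.add(conn_key(five_tuple(pkt)))

@dataclass
class Rule:
    action: str                                # accept, drop or reject
    states: frozenset = frozenset()            # empty = any state
    proto: Optional[str] = None                # type criteria; None = any
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet, state: str) -> bool:
        checks = [(self.proto, pkt.proto), (self.src, pkt.src),
                  (self.dst, pkt.dst), (self.dport, pkt.dport)]
        return ((not self.states or state in self.states)
                and all(want is None or want == got for want, got in checks))

class Firewall:
    def __init__(self) -> None:
        self.tracker = ConnTracker()
        self.bindings = {}                     # (interface, direction) -> (default, rules)

    def attach(self, iface: str, direction: str, default: str, rules: list) -> None:
        self.bindings[(iface, direction)] = (default, rules)

    def filter(self, pkt: Packet) -> Tuple[str, str]:
        """Classify, walk the bound rule list in order (first match wins), return (state, action)."""
        state = self.tracker.classify(pkt)
        default, rules = self.bindings.get((pkt.iface, pkt.direction), ("accept", []))
        action = next((r.action for r in rules if r.matches(pkt, state)), default)
        if action == "accept" and state in ("new", "related"):
            self.tracker.commit(pkt)
        return state, action

def build_wan_firewall() -> Firewall:
    """Typical gateway policy: admit replies, drop invalid, drop anything else unsolicited."""
    fw = Firewall()
    replies = Rule("accept", states=frozenset({"established", "related"}))
    fw.attach("eth0", "in", "drop", [replies, Rule("drop", states=frozenset({"invalid"}))])  # WAN_IN
    fw.attach("eth0", "local", "drop", [replies])      # WAN_LOCAL: nothing new may reach the router
    return fw

def run_demo() -> list:
    """Constructed packets (documentation addresses); returns (label, state, action)."""
    fw = build_wan_firewall()
    out = Packet("eth0", "out", "tcp", "192.168.1.10", 51000, "203.0.113.5", 443, syn=True)
    packets = [
        ("LAN host opens HTTPS", out),
        ("web server reply", Packet("eth0", "in", "tcp", "203.0.113.5", 443, "192.168.1.10", 51000, syn=True, ack=True)),
        ("unsolicited SYN to LAN host", Packet("eth0", "in", "tcp", "198.51.100.7", 40000, "192.168.1.10", 445, syn=True)),
        ("ACK with no tracked flow", Packet("eth0", "in", "tcp", "198.51.100.7", 40001, "192.168.1.10", 3389, ack=True)),
        ("ICMP error about HTTPS flow", Packet("eth0", "in", "icmp", "203.0.113.1", 0, "192.168.1.10", 0, related_to=five_tuple(out))),
        ("SSH to router WAN address", Packet("eth0", "local", "tcp", "198.51.100.7", 40002, "203.0.113.9", 22, syn=True)),
    ]
    return [(label, *fw.filter(pkt)) for label, pkt in packets]

if __name__ == "__main__":
    for label, state, action in run_demo():
        print(f"{label:30} state={state:12} action={action}")
```

Running it prints one line per constructed packet: the outbound HTTPS request leaves unfiltered and is recorded, its reply is classified established and accepted by the first WAN_IN rule, the unsolicited SYN and the SSH attempt against the router are new and fall through to the rule set's default drop, the stray ACK is invalid, and the ICMP error is admitted only because it is related to a tracked flow. Note that commit() runs only after an accept, which is what keeps a dropped SYN from opening a hole for later packets.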

Related Articles


UniFi - USG Firewall: Introduction to Firewall Rules

EdgeRouter - How to Create a WAN Firewall Rule

EdgeRouter - Beginners Guide to EdgeRouter

