Table of Contents
Firewalls are network security systems that monitor, track, and control network traffic. When configured on WAN boundaries, firewalls protect against malicious or undesirable traffic. Generally, Firewalls apply to inbound, outbound, and local (i.e., destined for the firewall itself) traffic. While most host devices today feature consumer-grade firewall software, IT Admins are responsible for researching and implementing an effective firewall solution on the Enterprise/Broadband network.
With expanded scope, complexity, and importance, the evolution of network firewalls follows layers of the OSI Model in both design and implementation. In the absence of and prior to actually configuring a Network Firewall, a well-designed Network Topology at OSI Layers 1 and 2 reduces risks faced by the network, primarily through physical network access and implementation of VLANs.
|Dedicated Firewalls are critical to ensuring a safe, high-performing Network for all hosts. The UniFi Security Gateway sits on the WAN boundaries and by default, features basic firewall rules protecting the UniFi Site.|
Stateless vs. Stateful Firewalls
Among the earliest Firewalls were Stateless Firewalls, which filter individual packets based generally on information at OSI Layer 2, 3, and 4, such as Source & Destination Addresses.
With improvements in power and cost of Network Hardware, Stateful Firewalls emerged as connection-tracking filters, with consideration for information at OSI Layers 2, 3, 4, as well as Layer 7, for Application-based filtering.
Whether filtering based on simple packet criteria, or advanced tracking requirements, Stateless and Stateful Firewalls are both popularly used today and often overlap in when, where, and how they are deployed.
Due to their design, function, and location on networks, Routers (Gateways) are well-suited to run Firewalls. When configuring a Router Firewall, consider the following criteria:
- First, the Network Interface to Firewall.
- For example, Firewall Rules would vary greatly between a trusted Corporate LAN, untrusted Guest VLAN, and the Risky WAN Door to the Internet.
- Secondly, in which Traffic Direction to Firewall,
- Whether ingress (inbound), egress (outbound), or Local (bound for the Firewall Device).
- Thirdly, whether to Drop, Reject, or Accept the Traffic under scrutiny, and
- Finally, the Rules defining the Firewall,
- Including but not limited to Network Protocol, Source & Destination Address, Time, Connection State, and even Application.
- UniFi - L2TP Remote Access VPN with USG as RADIUS Server
- UniFi - USG Port Forwarding Configuration and Troubleshooting
- UniFi - How to Disable InterVLAN Routing on the UniFi USG
- UniFi - How to Disable ICMP over WAN with USG
- EdgeRouter - VLAN-Aware Switch0 with Inter-VLAN Firewall Limiting
- EdgeRouter - IPsec Site-to-Site VPN Additions and Changes (CLI)
- EdgeRouter - How to Protect a Guest Network on EdgeRouter
- EdgeRouter - Router-on-a-Stick with Inter-VLAN Firewall Limiting