0 / 10 flipped
Traditional Network-Based Firewall
Tap to reveal
A firewall that makes forwarding decisions based on OSI Layer 3 (IP address) and Layer 4 (TCP/UDP port number) β it does not inspect packet payloads. Rules specify permitted source IP, destination IP, protocol, and port combinations. Fast due to lightweight header inspection, but cannot identify applications or inspect content. Any traffic using an allowed port passes through regardless of what application or data it carries. Also functions as a Layer 3 routing device with NAT and site-to-site VPN capabilities.
UTM β Unified Threat Management
Tap to reveal
An all-in-one security appliance (also called a web security gateway) that bundles multiple functions into a single device: firewall, IDS/IPS, URL filtering, malware scanning, spam filtering, VPN endpoint, bandwidth shaping, and sometimes routing and switching. Simplifies administration for SMB environments. Primary limitation: most UTMs operate primarily at Layer 4, not Layer 7 (application-aware). Performance degrades as more features are enabled simultaneously β enabling all features creates throughput bottlenecks. Best for small to medium environments that need multi-function security without the resources to manage separate dedicated devices.
NGFW β Next-Generation Firewall
Tap to reveal
A firewall that operates at OSI Layer 7 (application layer) and makes forwarding decisions based on the specific application being used β not just the port number. Uses deep packet inspection to decode every packet's application-layer content, identifying the actual application regardless of which port it uses. Enables granular policies: allow YouTube viewing but block uploads; allow corporate OneDrive but block personal Dropbox (both on port 443). Integrates IPS (applies application-specific vulnerability signatures) and URL categorization. Alternative names: application layer gateway, stateful multilayer inspection, deep packet inspection.
WAF β Web Application Firewall
Tap to reveal
A firewall specifically designed to inspect HTTP and HTTPS traffic and validate application-layer input to web applications. Deployed as a reverse proxy in front of web servers, the WAF inspects every HTTP request (URL, parameters, headers, POST body, cookies) and blocks requests containing attack patterns: SQL injection, XSS, path traversal, HTTP anomalies. Unlike network firewalls that control which traffic flows between points, a WAF controls what input is acceptable within an HTTP conversation. Must be paired with an NGFW (not used instead of it). Required by PCI DSS for organizations processing payment card data.
Deep Packet Inspection (DPI)
Tap to reveal
The process of fully decoding and analyzing the complete contents of a network packet β including the application-layer payload β before making a security decision. DPI enables NGFWs to identify applications regardless of port number, detect attack signatures within application data, and enforce content-based policies. Each packet must be decoded and categorized before a forwarding decision, requiring substantially more processing power than header-only inspection. DPI is what allows an NGFW to distinguish YouTube from Dropbox from SQL Server from malware C2 β all of which may use port 443.
Stateful Multilayer Inspection
Tap to reveal
An NGFW inspection technique combining stateful connection tracking with multilayer packet analysis. "Stateful" means the firewall tracks connection state β it knows a connection was established and automatically permits return traffic without a separate inbound rule. "Multilayer" means inspection occurs across Layers 3 through 7 simultaneously β IP address, port, protocol, and application-layer content. Stateful multilayer inspection is one of the alternative names used to describe NGFW functionality; "application layer gateway" and "deep packet inspection" are equivalent terms for the same technology.
Application Layer Gateway (ALG)
Tap to reveal
An alternative term for NGFW functionality that emphasizes which OSI layer the firewall operates at β the firewall understands application-layer protocols and makes decisions based on application identity and behavior. An ALG decodes the application protocol (HTTP, TLS, SQL, FTP) and applies policy based on what the application is doing, not just which port it uses. On the exam, "application layer gateway," "stateful multilayer inspection," "deep packet inspection," and "next-generation firewall" are all equivalent β they all describe a firewall that operates at Layer 7 with application-aware decision making.
URL Categorization / Content Filtering
Tap to reveal
An NGFW and UTM feature that maintains a database of websites organized by content category (gambling, adult, malware, social media, streaming, etc.). Administrators create policies based on category rather than individual URLs β "block: gambling" applies to all gambling sites in the database. Outbound web requests are checked against the category database; requests to blocked categories are denied. URL categorization databases are maintained and updated by the firewall vendor. Makes it practical to enforce acceptable use policies across the entirety of the internet without manually maintaining lists of individual URLs.
NGFW Integrated IPS
Tap to reveal
A capability of NGFWs where the firewall applies application-specific vulnerability signatures to traffic it has identified and decoded. Because the NGFW can identify the application (e.g., Microsoft SQL Server, Apache HTTP, OpenSSL), it can apply signatures specific to known vulnerabilities in that application β detecting buffer overflow exploits in SQL Server connections, known CVE exploits in HTTP headers, or malware patterns in decoded application data. This turns part of the NGFW into an IPS that understands the application context, unlike a traditional IPS that applies signatures to raw packet data without application understanding.
WAF and PCI DSS
Tap to reveal
PCI DSS (Payment Card Industry Data Security Standard) specifically requires organizations that process, store, or transmit credit card data to deploy a WAF to protect web-facing applications in the cardholder data environment. WAF deployment is a compliance requirement, not just a best practice, because SQL injection and application-layer attacks are the most common vectors for stealing payment card data from web applications. A network firewall or NGFW that allows HTTPS to the payment application does not protect the application's input layer β that requires a WAF. PCI DSS assessors look for active WAF operation and WAF logs showing application-layer threat blocking as audit evidence.