Chapter 66 Β· Examples

Firewall Types β€” Real-World Examples

How traditional firewalls, UTMs, NGFWs, and WAFs each solve different security problems β€” and when each type falls short.

Example 1
Traditional Firewall β€” What It Can and Cannot Stop

Organization: A mid-size accounting firm. Their internet edge firewall runs a traditional Layer 4 rule set. The security administrator has carefully defined all permitted traffic by port and protocol.

The traditional firewall rule set (simplified):

ALLOW TCP 443 inbound β†’ web server (HTTPS)
ALLOW TCP 25 inbound β†’ mail server (SMTP)
ALLOW TCP 443 outbound β†’ any (employees browsing HTTPS sites)
ALLOW TCP 80 outbound β†’ any (employees browsing HTTP sites)
DENY TCP 23 any β†’ any (block Telnet)
DENY UDP 161 any β†’ any (block SNMP from internet)
DENY all other traffic

What the traditional firewall successfully blocks:

  • Port scans looking for Telnet (port 23) β€” blocked by explicit deny rule
  • SNMP reconnaissance from internet scanners β€” blocked by explicit deny
  • Any connection attempt on ports not explicitly allowed β€” blocked by default deny
  • Connection to internal servers on unauthorized ports (e.g., port 8080) β€” blocked

What the traditional firewall cannot stop:

  • An employee using a personal Dropbox account to exfiltrate client tax data β€” the connection is HTTPS on port 443 (allowed), and the firewall sees only "HTTPS outbound β€” allow"
  • An employee streaming Netflix for hours β€” HTTPS on port 443 (allowed)
  • Malware that uses HTTPS to communicate with its command-and-control server β€” allowed on port 443
  • An attacker who compromises the web server via SQL injection β€” the HTTPS connection is allowed; the SQL injection payload is inside the HTTP request which the traditional firewall never inspects

The lesson: A traditional firewall enforces which connections are permitted. It cannot enforce what happens inside a permitted connection. Applications that use allowed ports are completely invisible to it at the content level. This is why organizations moved to NGFWs (to see what application is running on allowed ports) and WAFs (to validate what input is in allowed web traffic).

Example 2
NGFW Application Control β€” Granular Policies on Port 443

Organization: A 1,200-person marketing company. The CISO replaces the old Layer 4 firewall with a Palo Alto NGFW. Deep packet inspection is enabled. The security team implements application-aware policies.

Previous state (traditional firewall): Allow TCP 443 outbound. Result: employees can do anything over HTTPS β€” personal file sharing, streaming video, social media, gambling sites, everything. The firewall sees only "HTTPS: allowed."

NGFW policies after deployment:

ALLOW application: microsoft-office365 β†’ any (business productivity)
ALLOW application: salesforce β†’ any (CRM access)
ALLOW application: youtube-base (view) β†’ any (viewing permitted)
DENY application: youtube-uploading β†’ any (upload blocked β€” DLP concern)
DENY application: twitter-posting β†’ any (posting blocked β€” brand policy)
ALLOW application: twitter-base (viewing) β†’ any (reading permitted)
DENY category: gambling β†’ any (policy violation)
DENY category: personal-cloud-storage β†’ any (Dropbox, Google Drive, iCloud blocked β€” DLP)
DENY application: bittorrent β†’ any (P2P blocked regardless of port)
DENY application: tor β†’ any (anonymization tools blocked)
ALLOW application: ssl/tls β†’ any (general HTTPS for unclassified apps β€” fallback)

How the NGFW enforces YouTube viewing but not uploading:

YouTube uses port 443 for all of its traffic β€” both viewing and uploading. A traditional firewall sees only "HTTPS: allow" for both. The NGFW decodes the HTTP/2 protocol inside the HTTPS session and identifies the specific YouTube API calls: a GET request to fetch a video stream is "youtube-base" (allowed); a POST request to the upload API endpoint is "youtube-uploading" (denied). The application-layer decode identifies the direction and type of the YouTube interaction.

Business outcomes:

  • Data loss risk reduced: personal cloud storage blocked; employees cannot exfiltrate client files to personal Dropbox
  • Legal risk reduced: gambling and adult content blocked across the workforce
  • Brand policy enforced: employees cannot post to Twitter from corporate network (preventing rogue brand posts)
  • No legitimate productivity impact: Office 365, Salesforce, YouTube viewing, and general HTTPS browsing all work normally
Example 3
WAF Blocking SQL Injection β€” What the Firewall Logs Show

Organization: An e-commerce retailer processing approximately 50,000 credit card transactions per month. PCI DSS requires a WAF. The WAF is deployed as a reverse proxy in front of the checkout and account management web servers.

The attack scenario:

An attacker discovers that the retailer's product search URL passes the search term directly to a database query. The URL looks like: https://store.example.com/search?q=laptop. The attacker tests SQL injection:

First probe: https://store.example.com/search?q=laptop' OR '1'='1
Second probe: https://store.example.com/search?q=1; SELECT * FROM customers;--
Third probe: https://store.example.com/search?q=1 UNION SELECT card_number,cvv,expiry FROM payment_cards;--

What the NGFW sees: Three HTTPS GET requests to store.example.com on port 443. The NGFW identifies this as "ssl/tls" traffic to a known legitimate web server. All three are allowed β€” the NGFW has no WAF-level input validation. The connection is permitted.

What the WAF sees and does:

WAF LOG ENTRY 1:
Time: 2024-03-15 14:23:11 | ID: 000847261
URL: /search | Method: GET | Parameter: q
Client IP: 203.0.113.45 | Country: [BLOCKED REGION]
Attack: SQL Injection β€” OR-based blind injection
Action: BLOCKED | Policy: PCI-Standard-Rule-942100

WAF LOG ENTRY 2:
Attack: SQL Injection β€” Stacked query (semicolon separator)
Action: BLOCKED | Policy: PCI-Standard-Rule-942110

WAF LOG ENTRY 3:
Attack: SQL Injection β€” UNION-based data extraction attempt
Action: BLOCKED | Policy: PCI-Standard-Rule-942120

The outcome: All three SQL injection probes are blocked at the WAF. The web application server never receives any of these requests β€” they are absorbed at the reverse proxy layer. The backend database never executes any injected SQL. The payment card data is not exposed.

Why this matters for PCI DSS: The WAF log entries show exactly what attack type was attempted, which rule blocked it, and from which source. This is the audit evidence that PCI DSS assessors look for: not just that attacks were blocked, but that the WAF is actively operating and logging application-layer threats against the cardholder data environment.

Example 4
UTM Deployment β€” The All-in-One Trade-off for a Regional Branch

Organization: A 45-person regional office of a national consulting firm. The office has a dedicated IT person who manages everything; there is no local security team. The WAN connection is a 1 Gbps fiber link to the internet and a VPN to headquarters.

Security requirements: The office needs firewall, VPN to HQ, IPS, URL filtering (block gambling, adult, malware distribution), antivirus scanning on downloads, and spam filtering on email. The IT administrator does not have time to manage five separate appliances.

UTM solution deployed: A Fortinet FortiGate UTM appliance in the 100F series. Single device; single management console. The IT administrator enables:

  • Firewall policies (allow/deny by IP and port)
  • IPS with default signature set enabled
  • Web filter (URL categorization: block gambling, adult content, malware distribution)
  • Antivirus scanning on HTTP and HTTPS downloads
  • Spam filtering on SMTP
  • Site-to-site IPsec VPN to headquarters

The performance reality:

Firewall only (no features):                   8 Gbps throughput
Firewall + IPS:                                 4 Gbps throughput
Firewall + IPS + AV scanning:                2 Gbps throughput
All features enabled simultaneously:          800 Mbps throughput

The trade-off accepted: At 45 users with a 1 Gbps link, 800 Mbps is more than adequate β€” the office never approaches that limit. The UTM's performance limitation does not affect this deployment. For this branch, the UTM is the right choice: it provides all required security functions with one device and one administrator.

When the UTM becomes the wrong choice: If this office scaled to 500 users, or if throughput requirements grew (high-definition video conferencing, large file transfers), or if the organization needed application-level control (block personal Dropbox but allow corporate OneDrive β€” both on port 443), the UTM's Layer 4 orientation and performance limits would make an NGFW necessary. The UTM that works perfectly for a branch office would be inadequate as the headquarters perimeter firewall for 10,000 users and 10 Gbps of internet traffic.

Exam Scenario
Multi-Part Firewall Selection and Design

Scenario: A financial services company operates an online banking platform with 200,000 registered customers. They have a corporate office with 800 employees, three regional branch offices of 50 employees each, and a public-facing web application (the online banking portal). Answer the following questions.

Question 1: The online banking portal processes wire transfers and account access. Penetration testers have found that the login form is vulnerable to SQL injection. Which security device should be deployed specifically to block SQL injection attacks against the web application, and where in the network should it be placed?

Show Answer

A WAF (Web Application Firewall) should be deployed as a reverse proxy in front of the online banking portal's web application server. SQL injection is an HTTP input-level attack β€” it is carried inside an HTTP POST or GET request as a malicious parameter value. The NGFW at the perimeter allows HTTPS to the banking application (correct behavior β€” the portal must be accessible). The WAF inspects every HTTP/HTTPS request that the NGFW allowed through and validates the input: SQL syntax in the login parameter is detected and blocked before it reaches the application server. The banking application server never processes the injection payload. For a financial services web application, this deployment is also a PCI DSS requirement (PCI DSS Requirement 6.4).

Question 2: Corporate office employees are using personal Dropbox accounts to transfer work files, creating data loss risks. The existing firewall allows all HTTPS outbound traffic (port 443). The company wants to block Dropbox specifically while allowing corporate OneDrive, Google Workspace, and general HTTPS browsing. Why can't the current firewall solve this, and which firewall type can?

Show Answer

The current traditional firewall cannot solve this because it makes decisions based on port and IP address. Dropbox, OneDrive, and Google Workspace all use port 443 (HTTPS). Blocking Dropbox's IP ranges would be unreliable (Dropbox uses CDN infrastructure with many changing IP addresses, and blocking those IPs would also block other services using the same infrastructure). The traditional firewall cannot distinguish "HTTPS to Dropbox" from "HTTPS to OneDrive" β€” it sees both as "TCP 443: allowed."

An NGFW with deep packet inspection can solve this. The NGFW decodes the HTTPS application-layer traffic and identifies the specific application: the API endpoints, connection headers, and protocol signatures uniquely identify Dropbox vs. OneDrive vs. Google Workspace. The NGFW can apply a policy: "deny application: dropbox" while "allow application: microsoft-onedrive" and "allow application: google-workspace" β€” all of which use port 443, but all of which are identifiable by their application-layer signatures.

Question 3: Each regional branch office needs firewall, VPN to headquarters, URL filtering, and basic IPS. The branch offices each have one IT generalist. Budget is limited. Which firewall deployment type is most appropriate for the branch offices, and why?

Show Answer

UTM (Unified Threat Management) appliances are the right choice for the regional branches. The branches have a defined set of security requirements (firewall, VPN, URL filtering, IPS) that are well within a UTM's feature set. The branch offices have 50 users β€” well within a UTM's throughput capacity even with all features enabled. Each branch has one IT generalist, not a dedicated security team: the UTM's consolidated management console (one device, one interface, one vendor support contract) is operationally appropriate for this staffing level. A UTM appliance at each branch costs significantly less than deploying a separate firewall, IPS, VPN concentrator, and web filter device at three locations. The branches do not need application-aware control at the NGFW level β€” the NGFW's application identification capability is needed at headquarters where the more complex policy requirements exist.

Question 4: The security team wants to ensure the banking application cannot be reached by IPs on known threat intelligence feeds. Which firewall type at which location handles this, and which firewall type handles the SQL injection threat identified in Question 1? Why are both needed?

Show Answer

The NGFW at the network perimeter handles threat intelligence IP blocking. The NGFW maintains threat intelligence feeds (lists of known malicious IPs, botnet C&C nodes, Tor exit nodes, scanning infrastructure) and blocks connections from those IPs before they reach the banking application. This is a network-level control β€” "connections from this IP are not permitted" β€” which is exactly what an NGFW handles via its threat intelligence integration.

The WAF handles the SQL injection threat. Even after the NGFW blocks all known-bad IPs, there will always be unknown attackers, compromised legitimate IPs, and new attack sources that are not yet on threat intelligence feeds. An attacker using a clean IP that passes the NGFW's threat check can still send SQL injection in their HTTP request. The WAF catches that attack by inspecting the HTTP input β€” regardless of whether the source IP is on any list.

Both are needed because they address different attack surfaces: the NGFW operates at the network level (who can connect) and the WAF operates at the application input level (what they can send once connected). A threat-intelligence blocking rule on the NGFW does not protect the login form from SQL injection. A WAF blocking SQL injection does not prevent a malicious IP from establishing a connection. They are complementary, not substitutable.