Chapter 66 Β· Glossary

Firewall Types β€” Term Reference

Key terms for traditional firewalls, UTM, NGFW, WAF, and the technologies that distinguish each type.

Firewall
A security control that regulates the flow of network traffic between trusted and untrusted environments by inspecting traffic and enforcing allow/deny rules. Every packet passing through the firewall is evaluated against the configured rule set. Firewalls exist at every scale: host-based (OS-integrated, protects a single device), network-based (dedicated appliance, protects a network segment), and cloud-native (virtual appliances in cloud environments). Core functions include blocking unauthorized access, enforcing acceptable use policies, and providing a central point for traffic inspection. Additional features may include VPN termination, NAT, malware scanning, and content filtering.
Traditional Network-Based Firewall
A firewall that makes forwarding decisions based on OSI Layer 3 (IP address) and Layer 4 (TCP/UDP port number) information in the packet header. It does not inspect the packet payload. Rules specify which source IP, destination IP, protocol, and port combinations are permitted or denied. Traditional firewalls are fast (header inspection is computationally lightweight) but cannot identify what application is running or what content is being transferred β€” only the port and protocol. A traditional firewall that allows port 443 allows all HTTPS traffic regardless of what application or content the HTTPS stream carries. Also functions as a Layer 3 routing device with NAT and VPN capabilities.
UTM β€” Unified Threat Management
An all-in-one security appliance (also called a web security gateway) that bundles multiple security functions into a single device: firewall, IDS/IPS, URL filtering, content inspection, malware scanning, spam filtering, VPN endpoint, bandwidth shaping, and sometimes routing and switching. Designed to simplify security management for environments that need multiple security capabilities but lack the resources to deploy and manage separate dedicated devices. The primary limitation: most UTMs operate at Layer 4 (port-based decisions), not Layer 7 (application-aware). Performance degrades as more features are enabled simultaneously β€” enabling all features at once often creates a throughput bottleneck. Best suited for small and medium-sized business environments.
NGFW β€” Next-Generation Firewall
A firewall that operates at OSI Layer 7 (application layer) and makes forwarding decisions based on the specific application being used β€” not just the port number. An NGFW decodes every packet's application-layer content to identify the actual application, regardless of which port it uses. This enables granular policies: allow SQL Server but only from authorized sources; allow YouTube viewing but block uploads; block all peer-to-peer applications even if they tunnel through HTTPS. NGFWs also integrate IPS capabilities (applying application-specific vulnerability signatures), URL categorization (blocking sites by category), and full packet logging. Requires significantly more processing power than traditional firewalls due to application-layer decoding of every packet.
WAF β€” Web Application Firewall
A firewall specifically designed to inspect HTTP and HTTPS traffic and validate application-layer input to web applications. Unlike network firewalls that control which traffic flows between network points, a WAF controls what input is acceptable within a web conversation. Deployed as a reverse proxy in front of web servers, the WAF inspects every HTTP request (URL, parameters, headers, cookies, POST body) and blocks requests containing attack patterns such as SQL injection, cross-site scripting (XSS), path traversal, and HTTP protocol violations. Deployment alongside an NGFW is common β€” the NGFW handles network-level filtering; the WAF handles application-input validation. Required by PCI DSS for organizations processing payment card data.
Deep Packet Inspection (DPI)
The process of fully decoding and analyzing the complete contents of a network packet β€” including the application-layer payload β€” rather than examining only the header fields. DPI is what enables NGFWs to identify applications regardless of port number, detect attack signatures within application data, and enforce content-based policies. Each packet must be decoded and categorized before a security decision is made, which requires substantially more processing power than simple header inspection. DPI makes it possible to distinguish between types of traffic that all use the same port β€” e.g., identifying whether HTTPS traffic is YouTube, Twitter, SQL Server, or malware command-and-control, all of which may use port 443.
Stateful Multilayer Inspection
A firewall inspection technique that tracks the state of active network connections and makes decisions based on the context of a connection across multiple OSI layers simultaneously. "Stateful" means the firewall remembers that a connection was established and allows the return traffic automatically (without a separate rule for inbound traffic). "Multilayer" means inspection occurs from Layer 3 (IP) through Layer 7 (application). Stateful multilayer inspection is one of the alternative terms used to describe NGFW functionality, emphasizing that it combines connection state tracking with application-layer awareness β€” a significant advance over early stateless packet filters that evaluated each packet independently without connection context.
Application Layer Gateway (ALG)
A firewall or proxy that operates at the application layer (Layer 7) and understands specific application protocols β€” acting as a full application-layer intermediary for specific protocols. An ALG for FTP, for example, understands FTP's data channel negotiation and dynamically opens the required secondary port without requiring a static rule. In the NGFW context, "application layer gateway" is used as an alternative term for NGFW functionality β€” the firewall operates at Layer 7, understands application-layer protocols, and makes access decisions based on the application's behavior, not just the transport-layer port.
URL Categorization / Content Filtering
An NGFW (and UTM) feature that maintains a database of websites organized by content category (gambling, adult content, social media, malware distribution, phishing, streaming video, etc.). Administrators write policies that allow or block access to entire categories rather than individual URLs. The NGFW checks each outbound web request against the URL category database and enforces the policy. This makes it practical to block access to categories containing thousands of sites with a single rule β€” e.g., "block: gambling" applies to every known gambling site in the category database. URL categorization databases are maintained and updated by the firewall vendor.
NAT β€” Network Address Translation (in firewall context)
A Layer 3 function performed by the firewall (or router) at the network boundary that translates private internal IP addresses to the organization's public IP address for outbound connections β€” and maintains a mapping table to translate return traffic back to the correct internal device. NAT hides the internal network's IP addressing scheme from the internet (internet hosts see only the firewall's public IP, not the internal hosts' private IPs). Every enterprise firewall at the internet edge performs NAT. Without NAT, the internet would have been exhausted of IPv4 addresses long before IPv6 became widely deployed β€” NAT is what made IPv4 last as long as it has.
PCI DSS β€” Payment Card Industry Data Security Standard
A security standard for organizations that process, store, or transmit credit card data, maintained by the Payment Card Industry Security Standards Council (PCI SSC). PCI DSS mandates a set of technical and operational security controls for protecting cardholder data, including the requirement to deploy a WAF (or code review process) to protect web-facing applications in the cardholder data environment. Failure to comply with PCI DSS can result in fines, increased transaction fees, or loss of the ability to process credit card payments. In the Security+ context, PCI DSS is specifically associated with WAF requirements β€” the WAF question that mentions a compliance mandate almost always points to PCI DSS.
SQL Injection (in WAF context)
An attack in which malicious SQL commands are inserted into input parameters of a web application β€” search fields, login forms, URL query parameters, or POST bodies β€” that are passed to a backend database query. If the application does not properly sanitize input, the injected SQL commands execute against the database and can extract data, modify records, bypass authentication, or delete data. SQL injection is one of the most common and impactful web application vulnerabilities. WAFs detect SQL syntax in HTTP request parameters and block the request before it reaches the application. Example: input "1; DROP TABLE customers;--" in a search field β€” the WAF identifies the SQL statement syntax and blocks the request.