Chapter 89 · Concepts

Firewalls — Concepts Map

Six reference tables: traditional vs. NGFW comparison, NGFW alternative names, port-to-protocol mapping, firewall rule evaluation logic, screened subnet architecture, and IPS detection method comparison.

Traditional Firewall vs. Next-Generation Firewall
DimensionTraditional FirewallNext-Generation Firewall (NGFW)
OSI LayerLayer 3/4 (Network and Transport)Layer 7 (Application)
Decision basisPort numbers and protocolsApplication identity + port numbers
Web traffic controlAllow/deny TCP/80 and TCP/443Allow/deny specific web applications by name
GranularityAll TCP/80 traffic treated the sameDistinguish between specific apps on same port
Packet processingHeader inspection onlyFull payload decode and categorization
IPS integrationNot includedTypically integrated
Processing demandLow — header read onlyHigh — every packet decoded
VPN / NAT / routingYes (standard features)Yes (standard features)
NGFW Alternative Names — All Mean the Same Thing
NameWhat the Name EmphasizesExam Relevance
Next-Generation Firewall (NGFW)Evolution beyond traditional port filteringPrimary term; most common
Application Layer GatewayOperates at OSI Layer 7 (Application Layer)Synonym on the exam
Stateful Multilayer InspectionTracks connection state across multiple OSI layers simultaneouslySynonym on the exam
Deep Packet Inspection (DPI)Reads inside the packet payload, not just headersSynonym on the exam
Layer 7 FirewallApplication-layer decision makingInformal synonym; same technology
Port and Protocol Reference — What the Firewall Sees
ServiceProtocolPortTraditional RuleNGFW Rule
HTTP (web)TCP80Allow TCP/80Allow "web server" application
HTTPS (secure web)TCP443Allow TCP/443Allow "HTTPS" application
SSHTCP22Allow TCP/22Allow "SSH" application
RDP (Remote Desktop)TCP3389Allow TCP/3389Allow "Microsoft RDP" application
DNSUDP53Allow UDP/53Allow "DNS" application
NTP (Network Time)UDP123Allow UDP/123Allow "NTP" application
Ping (ICMP)ICMPN/A (no port)Deny ICMPDeny ICMP
Firewall Rule Evaluation Logic
ConceptHow It WorksWhy It Matters
Top-to-bottom evaluationRules checked in order from rule 1 downward; first match wins and evaluation stopsRule order determines outcome; wrong order silently breaks policy
Specific rules firstMore specific matching criteria placed above broader rulesPrevents broad rules from overriding intended exceptions
Implicit denyHidden deny-all rule at the bottom; drops unmatched traffic automaticallyDefault-secure; no need to write explicit deny for every undesired flow
ACL parametersSource IP, destination IP, port, protocol, application, user, time of day, web categoryMore parameters = more precise matching = finer-grained policy
ICMP has no portICMP (ping) uses neither TCP nor UDP; firewall rules for ICMP specify protocol onlyCommon exam fact; ICMP rules cannot reference port numbers
Screened Subnet (DMZ) Architecture
ZoneContentsWho Can Reach ItWho Cannot Reach It
InternetExternal untrusted networksScreened subnet (via allowed ports)Internal network (blocked by firewall)
Screened Subnet (DMZ)Web servers, email servers, DNS servers, public-facing servicesInternet (specific ports); Internal network (specific management)Direct internal network browsing blocked from internet
Internal NetworkConfidential data, employee workstations, internal serversInternal hosts; screened subnet management trafficInternet traffic — cannot reach internal from outside
Security benefitCompromise of screened subnet does not enable internal accessAttacker in DMZ still blocked from internal by firewall
IPS Detection Method Comparison
DimensionSignature-BasedAnomaly-Based
How it detectsMatches traffic against known attack patterns (signatures)Flags deviations from a baseline of normal behavior
Known attacksExcellent — exact match on known exploits and malwareAdequate — can detect generic attack classes
Zero-day / novel attacksCannot detect — no signature exists for unknown threatsCan detect — deviation from baseline triggers alert
False positive rateLow for well-written signaturesHigher — legitimate unusual traffic may appear anomalous
Maintenance requiredSignature database must be kept currentBaseline must reflect true normal traffic patterns
Exam scenarioConficker worm byte sequence matched and blockedGeneric SQL injection pattern blocked without specific CVE signature