Traditional Firewall vs. Next-Generation Firewall
| Dimension | Traditional Firewall | Next-Generation Firewall (NGFW) |
|---|---|---|
| OSI Layer | Layer 3/4 (Network and Transport) | Layer 7 (Application) |
| Decision basis | Port numbers and protocols | Application identity + port numbers |
| Web traffic control | Allow/deny TCP/80 and TCP/443 | Allow/deny specific web applications by name |
| Granularity | All TCP/80 traffic treated the same | Distinguish between specific apps on same port |
| Packet processing | Header inspection only | Full payload decode and categorization |
| IPS integration | Not included | Typically integrated |
| Processing demand | Low — header read only | High — every packet decoded |
| VPN / NAT / routing | Yes (standard features) | Yes (standard features) |
NGFW Alternative Names — All Mean the Same Thing
| Name | What the Name Emphasizes | Exam Relevance |
|---|---|---|
| Next-Generation Firewall (NGFW) | Evolution beyond traditional port filtering | Primary term; most common |
| Application Layer Gateway | Operates at OSI Layer 7 (Application Layer) | Synonym on the exam |
| Stateful Multilayer Inspection | Tracks connection state across multiple OSI layers simultaneously | Synonym on the exam |
| Deep Packet Inspection (DPI) | Reads inside the packet payload, not just headers | Synonym on the exam |
| Layer 7 Firewall | Application-layer decision making | Informal synonym; same technology |
Port and Protocol Reference — What the Firewall Sees
| Service | Protocol | Port | Traditional Rule | NGFW Rule |
|---|---|---|---|---|
| HTTP (web) | TCP | 80 | Allow TCP/80 | Allow "web server" application |
| HTTPS (secure web) | TCP | 443 | Allow TCP/443 | Allow "HTTPS" application |
| SSH | TCP | 22 | Allow TCP/22 | Allow "SSH" application |
| RDP (Remote Desktop) | TCP | 3389 | Allow TCP/3389 | Allow "Microsoft RDP" application |
| DNS | UDP | 53 | Allow UDP/53 | Allow "DNS" application |
| NTP (Network Time) | UDP | 123 | Allow UDP/123 | Allow "NTP" application |
| Ping (ICMP) | ICMP | N/A (no port) | Deny ICMP | Deny ICMP |
Firewall Rule Evaluation Logic
| Concept | How It Works | Why It Matters |
|---|---|---|
| Top-to-bottom evaluation | Rules checked in order from rule 1 downward; first match wins and evaluation stops | Rule order determines outcome; wrong order silently breaks policy |
| Specific rules first | More specific matching criteria placed above broader rules | Prevents broad rules from overriding intended exceptions |
| Implicit deny | Hidden deny-all rule at the bottom; drops unmatched traffic automatically | Default-secure; no need to write explicit deny for every undesired flow |
| ACL parameters | Source IP, destination IP, port, protocol, application, user, time of day, web category | More parameters = more precise matching = finer-grained policy |
| ICMP has no port | ICMP (ping) uses neither TCP nor UDP; firewall rules for ICMP specify protocol only | Common exam fact; ICMP rules cannot reference port numbers |
Screened Subnet (DMZ) Architecture
| Zone | Contents | Who Can Reach It | Who Cannot Reach It |
|---|---|---|---|
| Internet | External untrusted networks | Screened subnet (via allowed ports) | Internal network (blocked by firewall) |
| Screened Subnet (DMZ) | Web servers, email servers, DNS servers, public-facing services | Internet (specific ports); Internal network (specific management) | Direct internal network browsing blocked from internet |
| Internal Network | Confidential data, employee workstations, internal servers | Internal hosts; screened subnet management traffic | Internet traffic — cannot reach internal from outside |
| Security benefit | Compromise of screened subnet does not enable internal access | — | Attacker in DMZ still blocked from internal by firewall |
IPS Detection Method Comparison
| Dimension | Signature-Based | Anomaly-Based |
|---|---|---|
| How it detects | Matches traffic against known attack patterns (signatures) | Flags deviations from a baseline of normal behavior |
| Known attacks | Excellent — exact match on known exploits and malware | Adequate — can detect generic attack classes |
| Zero-day / novel attacks | Cannot detect — no signature exists for unknown threats | Can detect — deviation from baseline triggers alert |
| False positive rate | Low for well-written signatures | Higher — legitimate unusual traffic may appear anomalous |
| Maintenance required | Signature database must be kept current | Baseline must reflect true normal traffic patterns |
| Exam scenario | Conficker worm byte sequence matched and blocked | Generic SQL injection pattern blocked without specific CVE signature |