Firewalls & Network Security in Practice

A concise, pragmatic guide to designing, deploying, and operating firewalls and adjacent controls—complete with ASCII diagrams you can reuse in proposals and runbooks.

Firewall Fundamentals

What a Firewall Does

  • Policy enforcement: Allow/deny flows based on tuples (src/dst IP, port, protocol) and context.
  • Segmentation: Boundaries between zones (e.g., Corp, Guest, DMZ) to reduce blast radius.
  • Observability: Produce logs/metrics for investigation and tuning.

Common Firewall Types

  • Packet-filtering: Stateless; matches individual packets.
  • Stateful: Tracks connection state (SYN/ACK/FIN) and higher-level flows.
  • Application/Proxy (L7): Understands protocols (HTTP/HTTPS), can enforce headers, methods, or content rules.
  • Next-Gen (NGFW): App ID, user ID, threat intel, and integrated IPS features.
  • Host firewall: Local OS controls (e.g., Windows Defender Firewall, iptables/nftables).

Policy Strategy

  • Default deny, explicit allowlists.
  • Zone-to-zone matrices (who may talk to whom, on what ports).
  • Separate inbound, outbound, and inter-VLAN/inter-subnet rule sets.
  • Change control with testing and time-boxed maintenance windows.
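
As an added example (not from this guide), the default-deny zone matrix described above, expressed and evaluated in Python: the zone subnets, rule IDs and allowed pairs are constructed values, and any flow that matches no explicit entry is denied under the rule ID DEFAULT so the decision is still attributable in logs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
# Added example, not from the guide: a default-deny zone-to-zone matrix.
# Zone subnets, rule IDs and the allowed pairs below are constructed.
ZONES = {
    "Corp":  ip_network("10.10.0.0/24"),    # VLAN10
    "Guest": ip_network("10.20.0.0/24"),    # VLAN20
    "IoT":   ip_network("10.30.0.0/24"),    # VLAN30
    "DMZ":   ip_network("192.0.2.0/24"),
}

@dataclass(frozen=True)
class Rule:
    rule_id: str
    proto: str
    dport: Optional[int]    # None matches any destination port

# Explicit allowlist keyed by (src_zone, dst_zone).  A pair that is absent,
# or listed with no rules, is denied; the empty entry documents intent.
MATRIX = {
    ("Corp", "DMZ"):  [Rule("R100", "tcp", 443)],
    ("DMZ", "Corp"):  [],                            # DMZ never initiates into Corp
    ("Guest", "DMZ"): [Rule("R200", "tcp", 443)],
    ("IoT", "DMZ"):   [Rule("R300", "tcp", 8883)],   # MQTT over TLS only
}

def zone_of(ip):
    """Map an address to its zone; unknown addresses belong to no zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def evaluate(src_ip, dst_ip, proto, dport):
    """Return (decision, rule_id); flows matching no explicit allow rule
    fall through to ('deny', 'DEFAULT'), so every decision has a rule ID."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return ("deny", "DEFAULT")
    if src_zone == dst_zone:
        # Same-VLAN traffic is switched, not routed, so the inter-zone
        # firewall never sees it; host firewalls cover that case.
        return ("allow", "INTRAZONE")
    for rule in MATRIX.get((src_zone, dst_zone), []):
        if rule.proto == proto and rule.dport in (None, dport):
            return ("allow", rule.rule_id)
    return ("deny", "DEFAULT")
```

Reviewing the matrix is then a review of a small data structure rather than of device-specific syntax, and the DEFAULT rule ID in logs shows exactly which flows the allowlist never anticipated.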

Placement & Common Patterns

Typical Edge + DMZ

Internet
   │
[ Edge Router + Stateful FW ]
   │
   ├──►  [ DMZ ] ──► [ Reverse Proxy / WAF ] ──► [ App Tier ] ──► [ DB ]
   │
   └──►  [ Inside / Corp LAN ] ──► VLAN10 (Corp), VLAN20 (Guest), VLAN30 (IoT)

DMZ hosts public-facing services behind a reverse proxy or WAF. Inside networks are segmented by VLANs with inter-VLAN rules.

Internal Segmentation (East/West)

[ L3 Core Switch ]
      │
  ┌───┴────┬─────────┐
VLAN10  VLAN20    VLAN30
(Corp)  (Guest)    (IoT)
  │        │          │
[ACL/FW] [ACL/FW]  [ACL/FW]

Deploy firewalls/ACLs between internal segments to limit lateral movement and isolate sensitive systems.

Microsegmentation (Host/Workload)

             
             ┌────────────┐       ┌────────────┐
Workload A ─▶│ Host FW /  │◀────▶│ Host FW /  │◀─ Workload B
             │ Agent PDP  │       │ Agent PDP  │
             └────────────┘       └────────────┘
       Policies enforced per-process / per-label; identity-aware.

Host-based policies enforce fine-grained rules close to workloads (on servers or containers).

WAF, IDS, and IPS

Web Application Firewall (WAF)

  • Inspects HTTP/S to mitigate OWASP Top 10 risks (injection, auth issues, etc.).
  • Applies request/response policies (methods, headers, size limits, rate limits).
  • Often deployed with a reverse proxy and TLS termination.

IDS / IPS

  • IDS: Detects suspicious patterns; sends alerts to SIEM/SOAR.
  • IPS: Active prevention (drops/blocks) inline.
  • Signature, behavior, and anomaly detection models; tune to reduce false positives.

Outbound Controls

  • Deny-by-default for server egress; allow only required destinations/ports.
  • DNS filtering and DoH/DoT strategy; block known-malicious domains.
  • Alert on unexpected protocols (e.g., outbound SMB, IRC, Tor).

TLS Inspection: Benefits & Risks

When to Consider It

  • High-risk environments needing malware/phishing inspection inside HTTPS.
  • DLP, threat intel, or policy checks that need plaintext content visibility.

Risks & Mitigations

  • Privacy and legal considerations; document scope and consent.
  • Certificate management complexity; pinning exceptions for sensitive apps.
  • Performance overhead; size and place inspection capacity carefully.
  • Prefer bypass for health/financial portals; log minimally and protect keys.

Cloud & Container Environments

Cloud (IaaS/PaaS)

  • Use security groups / NACLs for least-privilege flows.
  • Centralize ingress with managed gateways; apply WAF at the edge.
  • Private subnets for app/DB; egress via NAT gateways with allowlists.
  • Log flow logs, WAF events, and gateway access logs to centralized storage.

Containers & Kubernetes

  • NetworkPolicies to restrict pod-to-pod traffic.
  • Ingress controllers + WAF; mutual TLS within the mesh if using a service mesh.
  • Limit hostPath mounts, run as non-root; image scanning in CI/CD.

Logging, Monitoring, and Response

What to Log

  • Accept/deny decisions with rule IDs, zones, src/dst, ports, and usernames (if available).
  • Config changes, admin auth events, firmware updates.
  • WAF rulings, IDS/IPS alerts, DNS queries/blocks.

How to Use the Logs

  • Forward to SIEM; create alert rules for high-risk events.
  • Correlate firewall data with endpoint detections and identity logs.
  • Practice investigations and maintain an incident runbook.
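
As an added example (not from this guide) tying the Outbound Controls and the How to Use the Logs points together, the detection logic below reviews constructed firewall accept logs for server-zone egress on the protocols the guide calls unexpected, and for DNS that bypasses the approved resolvers; the log format, zone names, addresses and rule IDs are constructed, and treating 9001/9030 as Tor ports is this example's assumption.

```python
from collections import Counter

# Added example, not from the guide: review accepted egress from server zones
# for the protocols the guide calls unexpected, and for DNS that bypasses the
# approved resolvers.  The log format, zones, addresses and rule IDs are
# constructed; 9001/9030 as Tor ports is an assumption of this example.
SAMPLE_LOGS = """\
ts=2024-05-01T10:00:01Z action=accept rule=R510 szone=DMZ dzone=Internet src=192.0.2.10 dst=203.0.113.20 proto=tcp dport=443
ts=2024-05-01T10:00:02Z action=accept rule=R520 szone=DMZ dzone=Internet src=192.0.2.10 dst=198.51.100.53 proto=udp dport=53
ts=2024-05-01T10:00:03Z action=accept rule=R599 szone=DMZ dzone=Internet src=192.0.2.11 dst=203.0.113.44 proto=tcp dport=445
ts=2024-05-01T10:00:04Z action=accept rule=R599 szone=DMZ dzone=Internet src=192.0.2.11 dst=203.0.113.45 proto=tcp dport=6667
ts=2024-05-01T10:00:05Z action=accept rule=R599 szone=DMZ dzone=Internet src=192.0.2.12 dst=203.0.113.46 proto=udp dport=53
ts=2024-05-01T10:00:06Z action=deny rule=DEFAULT szone=DMZ dzone=Internet src=192.0.2.12 dst=203.0.113.47 proto=tcp dport=9001
ts=2024-05-01T10:00:07Z action=accept rule=R610 szone=Corp dzone=Internet src=10.10.0.5 dst=203.0.113.48 proto=tcp dport=443
"""

SERVER_ZONES = {"DMZ", "App"}
APPROVED_RESOLVERS = {"198.51.100.53"}
UNEXPECTED_PORTS = {445: "SMB", 6667: "IRC", 6697: "IRC", 9001: "Tor", 9030: "Tor"}

def parse(line):
    """Parse one key=value log line into a dict; the port becomes an int."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["dport"] = int(rec["dport"])
    return rec

def egress_alerts(log_text):
    """Return (rule_id, src, reason) for accepted server-zone egress that the
    policy should not have allowed.  Denies are skipped: the firewall already
    handled them; accepts show which allow rule is too broad."""
    alerts = []
    for line in log_text.splitlines():
        r = parse(line)
        if r["action"] != "accept" or r["szone"] not in SERVER_ZONES:
            continue
        if r["dport"] in UNEXPECTED_PORTS:
            alerts.append((r["rule"], r["src"],
                           f"unexpected {UNEXPECTED_PORTS[r['dport']]} egress"))
        # Plain DNS and DoT are visible by port; DoH rides on 443 and needs
        # the separate DoH strategy the guide mentions.
        elif r["dport"] in (53, 853) and r["dst"] not in APPROVED_RESOLVERS:
            alerts.append((r["rule"], r["src"], "DNS to non-approved resolver"))
    return alerts

def rules_to_review(alerts):
    """Count alerts per allow rule: the rule IDs to tighten at the next review."""
    return dict(Counter(rule_id for rule_id, _, _ in alerts))
```

The per-rule count is what feeds the rules-hygiene review: here every alert traces back to one overly broad allow rule, which is the entry to narrow or remove.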

Practical Checklists

Baseline Hardening

  • Change defaults; unique admin creds; MFA on management access.
  • Restrict management plane (out-of-band or jump host, IP allowlists).
  • Time sync (NTP), backups of configs, and tested restore.
  • Disable unused services; lock down SNMP; rotate keys/certs.

Policy & Rules Hygiene

  • Document zone matrix; default deny; narrow allowlists.
  • Review rules quarterly; remove stale/temporary entries.
  • Separate inbound, outbound, inter-zone policies; avoid “any-any.”
  • Tag rules with owners/tickets; require peer review for changes.

Zero Trust Alignment

  • Strong identity (MFA, device posture) at access points.
  • Continuous evaluation (context, risk) for sensitive flows.
  • Prefer application-layer access (ZTNA/SDP) over broad network VPNs.

Notes: Firewalls are most effective as part of a layered defense, combined with identity, endpoint controls, secure configurations, and continuous monitoring.