
Firewalls And Access Control Lists

Category: Network Security
Type: Network Concepts
Generated on: 2025-07-10 09:04:23
For: Network Engineering, Administration & Technical Interviews


Firewalls and Access Control Lists (ACLs) - Cheat Sheet


What are Firewalls and ACLs?

  • Firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and an untrusted external network (e.g., the Internet). It can be implemented in hardware, in software, or as a combination of the two.

  • Access Control List (ACL): A set of rules used to filter network traffic based on various criteria, such as source/destination IP addresses, port numbers, and protocols. ACLs are commonly implemented on routers and switches to control access to network resources.

Why are they Important?

  • Security: Protect networks from unauthorized access, malware, and other threats.

  • Compliance: Meet regulatory requirements (e.g., PCI DSS, HIPAA) related to data security.

  • Control: Enforce network usage policies and prioritize traffic.

  • Segmentation: Divide networks into smaller, more secure segments.

  • Packet Filtering: Examining individual packets and making decisions based on their headers.

  • Stateful Inspection: Tracking the state of network connections to make more informed decisions (e.g., allowing return traffic for established connections).

  • Proxy Firewall: Intermediary server that hides the internal network from the outside world.

  • Next-Generation Firewall (NGFW): Advanced firewalls that include features like intrusion prevention systems (IPS), application control, and user identification.

  • Rule-Based System: Firewalls and ACLs operate based on a set of rules that define which traffic is allowed or denied.

  • Implicit Deny: A default rule that blocks all traffic not explicitly permitted. This is a fundamental security principle.

  • Ingress vs. Egress: Ingress refers to traffic entering an interface, while egress refers to traffic leaving an interface.

  • Permit/Allow: Allows traffic to pass through the firewall/ACL.

  • Deny/Drop: Blocks traffic from passing through the firewall/ACL.

  • Log: Records information about traffic that matches a specific rule.

  • Match Criteria: The conditions that a packet must meet for a rule to be applied (e.g., source IP address, destination port).

  • Direction: The direction in which the ACL is applied (e.g., inbound, outbound).

  • Order of Operations: ACLs are processed in the order they are configured. The first rule that matches a packet is applied.

Firewall Operation (simplified):

[Internet] --(Traffic)--> [Firewall] --(Rules)--> [Internal Network]
                          ^        |
                          |        | Packet Inspection
                          |        V
                          ----------
  1. Packet Arrival: A packet arrives at the firewall.
  2. Rule Evaluation: The firewall examines the packet and compares it against its configured rules.
  3. Match Found: If a rule matches the packet’s characteristics (e.g., source IP, destination port), the action specified in the rule is taken (permit or deny).
  4. No Match: If no rule matches, the firewall typically applies the default policy (usually deny).
  5. Action Taken: The packet is either forwarded to the internal network (permit) or dropped (deny). Logging may also occur.

ACL Operation (simplified):

[Network Device (Router/Switch)] --(Interface)--> [Network]
                                       ^
                                       | ACL Applied
                                       |
                                       V
                                  [ACL Rules]
  1. Traffic Flow: Traffic flows through an interface on a network device.
  2. ACL Application: The ACL configured on that interface is applied to the traffic.
  3. Rule Matching: The device evaluates the packet against each rule in the ACL, in order.
  4. Action: When a matching rule is found (permit or deny), the corresponding action is taken.
  5. Implicit Deny: If no rule matches, the implicit deny rule is applied, and the traffic is blocked.
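To make the top-down, first-match evaluation and the implicit deny concrete, here is an added Python simulation (not part of the original cheat sheet) that parses entries written in the Cisco IOS extended-ACL syntax used later on this page and evaluates packets against them. The entries and addresses are constructed, and only the destination-port form `eq PORT` shown on the page is handled.

```python
import ipaddress
from collections import namedtuple

# Constructed sample ACL in the Cisco IOS extended-ACL syntax used on this page
# (hypothetical entries; 10.0.0.1 stands for the protected server).
ACL_100 = [
    "access-list 100 permit tcp host 192.168.1.20 host 10.0.0.1 eq 22",
    "access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.1 eq 443",
    "access-list 100 deny ip any any log",
]

# proto is "tcp", "udp" or "icmp"; dport is the destination port (0 if none)
Packet = namedtuple("Packet", "proto src dst dport")

def _addr(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD') and return
    (match_fn, remaining_tokens). In a wildcard mask, 1 bits are don't-care."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        want = int(ipaddress.IPv4Address(tokens[1]))
        return (lambda ip: int(ipaddress.IPv4Address(ip)) == want), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    care = ~int(ipaddress.IPv4Address(tokens[1])) & 0xFFFFFFFF
    return (lambda ip: int(ipaddress.IPv4Address(ip)) & care == base & care), tokens[2:]

def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT] [log]'.
    Only the destination-port form shown on the page is handled."""
    t = line.split()
    action, proto = t[2], t[3]
    src, rest = _addr(t[4:])
    dst, rest = _addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    def match(p):
        return (proto in ("ip", p.proto) and src(p.src) and dst(p.dst)
                and (port is None or port == p.dport))
    return action, match

def evaluate(acl_lines, pkt):
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for line in acl_lines:
        action, match = parse_ace(line)
        if match(pkt):
            return action, line
    return "deny", "implicit deny"
```

Reordering the same entries so that `deny ip any any` comes first shadows every permit below it, which is the rule-order pitfall listed further down.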

This section focuses on TCP/IP, the dominant protocol suite.

  • IP Header: Contains source and destination IP addresses, protocol type (e.g., TCP, UDP, ICMP).
  • TCP Header: Contains source and destination port numbers, sequence numbers, acknowledgment numbers, and flags (SYN, ACK, FIN, RST).
  • UDP Header: Contains source and destination port numbers and length.
  • ICMP Header: Contains type and code fields, used for error reporting and network diagnostics (e.g., ping).

Example: TCP Handshake and ACL impact

  1. SYN: Client sends a SYN packet to initiate a connection. ACL must permit this.
  2. SYN-ACK: Server responds with a SYN-ACK packet. ACL must permit this too; note that it travels in the opposite direction to the SYN, so on a stateless ACL it needs its own return-traffic rule.
  3. ACK: Client sends an ACK packet to complete the handshake. ACL must permit this.

If the ACL blocks the SYN packet, the connection will fail. Stateful firewalls automatically allow return traffic for established connections (SYN-ACK and subsequent packets), simplifying the rules.
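As an added illustration (not from the original page), the following Python model contrasts a stateless ACL, which judges each segment on its own, with a minimal connection tracker that admits the SYN-ACK and later inbound segments only because it saw the client's outbound SYN. The segment fields, addresses and the single-connection state machine are constructed simplifications.

```python
from collections import namedtuple

# Constructed TCP segments: flags is a frozenset such as {"SYN"} or {"SYN","ACK"};
# direction is "out" (leaving the protected network) or "in" (entering it).
Segment = namedtuple("Segment", "src sport dst dport flags direction")

def stateless_decide(seg, permitted_inbound_dports=()):
    """A stateless ACL sees each segment alone: inbound traffic is admitted only
    if a rule names its destination port, so a SYN-ACK coming back to the
    client's ephemeral port (e.g. 49152) is dropped unless that port is opened."""
    if seg.direction == "out":
        return "permit"
    return "permit" if seg.dport in permitted_inbound_dports else "deny"

class StatefulFilter:
    """Minimal connection tracker: outbound SYNs to an allowed service create
    state; inbound segments are admitted only when they belong to that state.
    Connection teardown (FIN/RST) and timeouts are omitted for brevity."""
    def __init__(self, allowed_outbound_dports):
        self.allowed = set(allowed_outbound_dports)
        self.table = {}   # (client, sport, server, dport) -> connection state

    def decide(self, seg):
        if seg.direction == "out":
            key = (seg.src, seg.sport, seg.dst, seg.dport)
            state = self.table.get(key)
            if state is None:
                # Only a bare SYN to an allowed port may open a new connection.
                if seg.flags == frozenset({"SYN"}) and seg.dport in self.allowed:
                    self.table[key] = "SYN_SENT"
                    return "permit"
                return "deny"
            if state == "SYN_RECEIVED" and "ACK" in seg.flags:
                self.table[key] = "ESTABLISHED"   # third step of the handshake
            return "permit"
        # Inbound: look the connection up by the reversed 4-tuple.
        key = (seg.dst, seg.dport, seg.src, seg.sport)
        state = self.table.get(key)
        if state is None:
            return "deny"                      # unsolicited inbound segment
        if state == "SYN_SENT" and seg.flags == frozenset({"SYN", "ACK"}):
            self.table[key] = "SYN_RECEIVED"
            return "permit"
        return "permit" if state == "ESTABLISHED" else "deny"
```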

Example: HTTP Request

  • Source IP: Client’s IP address.
  • Source Port: Ephemeral port (e.g., 49152-65535).
  • Destination IP: Server’s IP address.
  • Destination Port: 80 (HTTP) or 443 (HTTPS).

An ACL to allow HTTP traffic might look like: permit tcp any host <server_ip> eq 80

  • Home Router Firewall: Protects your home network from unauthorized access from the Internet. Typically, it’s a stateful firewall that allows outbound connections and blocks unsolicited inbound connections.

  • Corporate Firewall: Protects a company’s internal network from external threats. It can be configured to block access to specific websites, prevent malware from entering the network, and control access to sensitive data.

  • DMZ (Demilitarized Zone): A network segment that sits between the internal network and the Internet. It hosts publicly accessible servers (e.g., web servers, email servers) while protecting the internal network.

    [Internet] --(Firewall)--> [DMZ] --(Firewall)--> [Internal Network]
  • Web Application Firewall (WAF): Protects web applications from attacks like SQL injection and cross-site scripting (XSS).

  • Cloud Firewalls: Security services offered by cloud providers (e.g., AWS, Azure, GCP) to protect cloud-based resources.

Example Scenario: Allowing SSH access from a specific IP address:

A common scenario is to allow SSH access (port 22) to a server only from a specific administrative workstation.

  • Goal: Allow SSH access to server 192.168.1.100 only from workstation 192.168.1.20.

  • ACL Rule: permit tcp host 192.168.1.20 host 192.168.1.100 eq 22

  • Implicit Deny: All other SSH traffic is blocked.

  • Overly Permissive Rules: Allowing too much traffic can create security vulnerabilities.

  • Incorrect Rule Order: Rules are evaluated in order, so an incorrect order can lead to unintended consequences.

  • Performance Issues: Complex firewall rules can impact network performance.

  • Misconfigured Logging: Insufficient logging can make it difficult to troubleshoot security incidents.

  • Stateful Firewall Issues: Problems with connection tracking can lead to dropped connections.

  • ACL Confusion: Forgetting which direction the ACL is applied (inbound/outbound).

  • Forgetting the Implicit Deny: Accidentally blocking legitimate traffic because you haven’t explicitly allowed it.

Troubleshooting Tips:

  • Use network monitoring tools (e.g., Wireshark, tcpdump) to capture and analyze traffic. This is crucial.
  • Check firewall logs for dropped packets.
  • Test connectivity with ping or traceroute.
  • Simplify rules and test incrementally.
  • Verify rule order and direction.
  • Ensure that the firewall or ACL is enabled and applied to the correct interface.

Solution Example: Blocked HTTP Traffic:

  1. Problem: Users cannot access a specific website.
  2. Possible Cause: Firewall rule blocking HTTP/HTTPS traffic.
  3. Troubleshooting:
    • Check firewall logs for dropped packets destined for the website’s IP address on ports 80 or 443.
    • Verify that a rule exists to allow HTTP/HTTPS traffic to the website.
    • Check for misconfigured DNS resolution.
  4. Solution: Add or modify a firewall rule to allow HTTP/HTTPS traffic to the website.
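The log check in step 3 can be scripted. This added Python example (not from the original page) parses constructed netfilter LOG lines, assuming a hypothetical rule `iptables -A FORWARD -j LOG --log-prefix "FW-DROP: "` placed just before a gateway's final DROP, and counts drops of TCP traffic to the website's IP on ports 80 and 443; the prefix, hostname and addresses are made up.

```python
import re
from collections import Counter

# Constructed sample lines in netfilter LOG format, as an assumed rule
# 'iptables -A FORWARD -j LOG --log-prefix "FW-DROP: "' would emit just before
# a final DROP on a gateway (prefix, host name and addresses are hypothetical).
SAMPLE_LOG = """\
Jul 10 09:04:21 gw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=49152 DPT=443 WINDOW=64240 SYN URGP=0
Jul 10 09:04:22 gw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.51 DST=203.0.113.10 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=50100 DPT=80 WINDOW=64240 SYN URGP=0
Jul 10 09:04:23 gw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 TTL=64 ID=3 DF PROTO=TCP SPT=49153 DPT=443 WINDOW=64240 SYN URGP=0
Jul 10 09:04:24 gw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.52 DST=198.51.100.5 LEN=60 TTL=64 ID=4 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 SYN URGP=0
Jul 10 09:04:25 gw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=76 TTL=64 ID=5 PROTO=UDP SPT=40000 DPT=53 LEN=56
"""

FIELD = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")

def parse_drop(line, prefix="FW-DROP:"):
    """Return the KEY=VALUE fields of one netfilter LOG line, plus the bare TCP
    flag tokens under 'FLAGS', or None if the line is not a firewall drop."""
    if prefix not in line:
        return None
    body = line.split(prefix, 1)[1]
    fields = dict(FIELD.findall(body))
    fields["FLAGS"] = {tok for tok in body.split() if tok in TCP_FLAGS}
    return fields

def web_drops(log_text, site_ip):
    """Count dropped TCP segments to site_ip on 80/443, keyed by (SRC, DPT):
    the evidence a blocked-website troubleshooter is looking for."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_drop(line)
        if (f and f.get("PROTO") == "TCP" and f.get("DST") == site_ip
                and f.get("DPT") in ("80", "443")):
            hits[(f["SRC"], int(f["DPT"]))] += 1
    return hits
```

Repeated SYN-only drops from the same source to ports 80/443 point at a missing or mis-ordered permit rule rather than at DNS, which is the distinction step 3 is trying to make.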

These examples are based on Cisco IOS, a common networking OS. Syntax varies by vendor. In IOS, comments are lines that begin with `!`; a trailing `! comment` on the same line as a command is rejected as invalid input, so the remarks below sit on their own lines.

ACL Configuration (Cisco IOS):

! Standard ACL (filters on source IP address only)
! Allow traffic from 192.168.1.0/24; the explicit deny duplicates the implicit deny
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any
!
! Extended ACL (filters on source/destination IP, protocol and port)
! Allow SSH from 192.168.1.20 to 10.0.0.1, then deny and log all other IP traffic
access-list 100 permit tcp host 192.168.1.20 host 10.0.0.1 eq 22
access-list 100 deny ip any any log
!
! Apply the extended ACL to an interface (inbound)
interface GigabitEthernet0/0
 ip access-group 100 in
!
! Apply the standard ACL to an interface (outbound)
interface GigabitEthernet0/1
 ip access-group 10 out

Firewall Configuration (iptables - Linux):

# Rules are appended (-A) in order and evaluated top-down, so run them in this
# order and keep the catch-all DROP last.
# Allow SSH from a specific IP address
iptables -A INPUT -p tcp -s 192.168.1.20 --dport 22 -j ACCEPT
# Allow HTTP and HTTPS traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow return traffic for connections this host initiated (stateful inspection)
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Drop all other traffic (the explicit counterpart of the implicit deny)
iptables -A INPUT -j DROP
# List current rules with packet counters and rule numbers
iptables -L INPUT -n -v --line-numbers

Firewall Configuration (Windows Firewall):

# Allow SSH from a specific IP address
New-NetFirewallRule -DisplayName "Allow SSH from 192.168.1.20" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 22 -RemoteAddress 192.168.1.20
# Allow HTTP traffic
New-NetFirewallRule -DisplayName "Allow HTTP" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 80
# Allow HTTPS traffic
New-NetFirewallRule -DisplayName "Allow HTTPS" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 443
# List current rules
Get-NetFirewallRule | Format-Table -AutoSize

  • What is the difference between a firewall and an ACL?

    • Firewalls are more comprehensive security systems that often include stateful inspection, intrusion prevention, and other advanced features. ACLs are simpler rule-based systems used for basic traffic filtering. Firewalls are typically dedicated security devices, while ACLs are often implemented on routers and switches.
  • What is stateful inspection? How does it improve security?

    • Stateful inspection tracks the state of network connections. It allows return traffic for established connections without requiring explicit rules, reducing the complexity of the firewall configuration and improving security by preventing unsolicited inbound connections.
  • Explain the concept of “implicit deny.”

    • Implicit deny is a default rule that blocks all traffic not explicitly permitted. It’s a fundamental security principle that ensures that only authorized traffic is allowed.
  • How would you configure a firewall to allow SSH access only from a specific IP address?

    • Create a rule that allows TCP traffic from the specific IP address to the SSH port (22) of the server. Ensure that this rule is placed before any general deny rules. Use a stateful firewall to further restrict inbound connections.
  • What is a DMZ, and why is it used?

    • A DMZ is a network segment that sits between the internal network and the Internet. It hosts publicly accessible servers while protecting the internal network from direct exposure to external threats.
  • What is a WAF?

    • A Web Application Firewall. It protects web applications from attacks like SQL injection, cross-site scripting (XSS), and other application-layer threats.
  • How do you troubleshoot a firewall rule that is blocking traffic?

    • Capture network traffic using tools like Wireshark or tcpdump. Examine firewall logs for dropped packets. Verify the rule order and direction. Simplify the rules and test incrementally. Check DNS resolution.
  • What are some common firewall evasion techniques?

    • Port scanning, IP fragmentation, tunneling, application-layer attacks (e.g., SQL injection), and using encrypted protocols like HTTPS to hide malicious traffic.
  • How does a next-generation firewall (NGFW) differ from a traditional firewall?

    • NGFWs offer advanced features like intrusion prevention systems (IPS), application control, user identification, and deep packet inspection, providing more comprehensive security than traditional firewalls.
  • Intrusion Detection System (IDS): Detects malicious activity on a network.

  • Intrusion Prevention System (IPS): Detects and prevents malicious activity on a network.

  • VPN (Virtual Private Network): Creates a secure connection over a public network.

  • Network Segmentation: Dividing a network into smaller, isolated segments to improve security and performance.

  • Network Address Translation (NAT): Translates private IP addresses to public IP addresses, allowing multiple devices to share a single public IP address.

  • Port Forwarding: Directing traffic from a public IP address and port to a specific device on a private network.

  • Zero Trust Network Access (ZTNA): A security framework based on the principle of “never trust, always verify.”

Further Reading:

This cheat sheet provides a comprehensive overview of firewalls and access control lists, covering key concepts, practical examples, and troubleshooting tips. Remember to adapt the configuration examples to your specific network environment and security requirements. Good luck!