Compare Firewall Operations

Packet Filtering, Stateful Inspection, Application Firewalls & IDS/IPS

Week 4 TOPIC 4.2 — Network Security Devices

Why Firewalls Matter

Firewalls are the gatekeepers of network traffic. They examine packets entering and leaving the network and make allow/deny decisions based on rules. Every organization has firewalls, and every SOC analyst reads firewall logs daily. Understanding HOW firewalls make decisions determines whether you can interpret their alerts correctly.

The Evolution of Firewalls

Firewalls evolved through generations, each adding deeper inspection capabilities:

GenerationTechnologyInspectsLimitation
1st Gen (1988) Packet Filtering IP addresses, ports, protocol No session awareness — each packet evaluated independently
2nd Gen (1994) Stateful Inspection Connection state + headers Cannot inspect encrypted payload or application content
3rd Gen (2000s) Application Layer / Proxy Full application payload (HTTP, FTP, DNS) High performance cost, limited protocol support
NGFW (2010s) Next-Gen Firewall Everything + user identity + threat intel + SSL inspection Expensive, complex to manage, SSL inspection has privacy concerns
Source: Shield House > Network > Firewalls Open Source Content

Firewall Types — Deep Comparison

Packet Filtering (Stateless)

How It Works

Examines each packet independently against an ACL (Access Control List). Checks source/destination IP, source/destination port, and protocol (TCP/UDP/ICMP). No knowledge of connection state.

ACL Rule Example

# Permit web traffic, deny everything else permit tcp any host 10.0.1.100 eq 443 permit tcp any host 10.0.1.100 eq 80 deny ip any any log
Security Weakness

Stateless firewalls cannot distinguish between a legitimate response packet and an attacker-crafted packet with the ACK flag set. An attacker can bypass rules by sending packets that appear to be part of an existing connection.

Stateful Inspection

How It Works

Maintains a state table tracking every active connection (source IP:port, dest IP:port, protocol, state). Return traffic is automatically allowed if it matches an established session. No ACL entry needed for return traffic.

State Table Example

# Active connections SRC: 192.168.1.50:49832 → DST: 93.184.216.34:443 Protocol: TCP State: ESTABLISHED Timeout: 3600s SRC: 192.168.1.51:52441 → DST: 8.8.8.8:53 Protocol: UDP State: ESTABLISHED Timeout: 30s

Application Layer (Proxy / WAF)

How It Works

Terminates the connection and creates a new one to the destination. Full visibility into application payload — can inspect HTTP headers, URLs, POST bodies, SQL queries. Acts as a man-in-the-middle (by design).

What It Can Block

SQL injection attempts in URLs, XSS payloads in form data, malicious file uploads, directory traversal attempts, unauthorized HTTP methods (PUT, DELETE). A packet filter cannot see any of this.

Next-Generation Firewall (NGFW)

Additional Capabilities

User identity awareness (ties rules to Active Directory users, not just IPs), application identification (recognizes Slack vs generic HTTPS), integrated threat intelligence (auto-blocks known malicious IPs), SSL/TLS inspection (decrypts, inspects, re-encrypts).

Common NGFW Vendors

Palo Alto Networks (PA series), Fortinet (FortiGate), Cisco (Firepower), Check Point, Juniper (SRX). Each has its own management interface and log format — SOC analysts must learn vendor-specific log parsing.

IDS vs IPS — Detection vs Prevention

FeatureIDS (Intrusion Detection)IPS (Intrusion Prevention)
DeploymentPassive — connected to SPAN/mirror portInline — sits in the traffic path
ActionAlert only — sends notification to SIEMAlert + Block — drops malicious packets
RiskMay miss blocking threats (detection delay)May block legitimate traffic (false positive = outage)
PerformanceNo impact on traffic flowAdds latency (must process every packet)
Failure modeFail-open: if IDS fails, traffic flows normallyConfigurable: fail-open (risky) or fail-closed (safe but causes outage)

Detection Methods

Signature-Based

Matches traffic against a database of known attack patterns. Example Snort rule:

alert tcp any any -> $HOME_NET 80 ( msg:"SQL Injection Attempt"; content:"' OR '1'='1"; nocase; sid:1000001; rev:1; )

Strength: Very accurate for known attacks. Weakness: Cannot detect zero-days or novel attacks.

Anomaly-Based

Builds a baseline of "normal" traffic and flags deviations. Example: a workstation that normally transfers 50 MB/day suddenly sends 5 GB to an external IP.

Strength: Can detect zero-days and novel attacks. Weakness: Higher false positive rate, requires tuning period.

Policy-Based

Alerts when traffic violates defined policies. Example: "No FTP traffic allowed from DMZ to internal network" or "No DNS queries to external servers from database subnet."

Strength: Directly enforces organizational policy. Weakness: Requires comprehensive policy definition.

Common IDS/IPS Platforms

Snort

Open-source, signature-based, maintained by Cisco Talos. Industry standard for rule syntax. Output formats: Unified2, Syslog, CSV. 30,000+ community rules available.

Suricata

Open-source, multi-threaded (faster than Snort on modern hardware). Supports Snort rules + has its own enhanced rule language. Native JSON output (EVE log) — excellent for SIEM integration.

Zeek (formerly Bro)

Not signature-based — generates structured logs of all network activity. Produces conn.log, dns.log, http.log, files.log, etc. Best for forensic analysis and threat hunting rather than real-time blocking.

SOC Application — Reading Firewall Logs

What Firewall Logs Tell You

As a Tier 1 SOC analyst, you will see firewall alerts in your SIEM every shift. Here is how to read them:

# Example: Palo Alto firewall log (simplified) Time: 2026-03-20 03:17:45 Action: DENY Source: 10.0.5.102:49832 (ACME-WS-0102, user: jsmith) Destination: 185.234.72.18:443 Application: unknown-tcp Rule: Block-Unknown-Outbound Threat: Command and Control Traffic Category: malware Bytes: 1,247 sent / 0 received

Analyst Decision Matrix

Log IndicatorLikely MeaningYour Action
Repeated DENY to same external IPMalware trying to reach C2 but blockedEscalate — infected host needs remediation even though traffic is blocked
ALLOW to known-bad IPFirewall rule gap — malicious traffic is flowingImmediate escalation — create block rule, begin IR
High volume DNS queries to new domainPossible DNS tunneling or DGA beaconingInvestigate source host, check domain reputation, correlate with EDR
Internal-to-internal DENYPossible lateral movement attempt blocked by segmentationInvestigate source — why is a workstation trying to reach server subnet?
Outbound traffic on unusual port (4444, 8888)Possible reverse shell or custom C2 channelImmediate investigation — these ports have no legitimate business use
Common Mistake

A DENY log does not mean you are safe. If a host is generating blocked C2 traffic, the malware is already on the endpoint. The firewall stopped the communication but did not remove the infection. Always investigate the source host when you see repeated blocks to suspicious destinations.

Knowledge Check

1. What is the main advantage of a stateful firewall over a packet filter?

2. An IPS is deployed inline and configured to fail-closed. What happens if the IPS hardware fails?

3. You see repeated firewall DENY logs from an internal workstation to an external IP flagged as C2. What should you do?

4. Which detection method can identify zero-day attacks that have no known signature?

5. What is the key difference between Snort/Suricata and Zeek?