Firewalls
- Contain or delay the spread of a fire
- Part of a layered defense strategy
- Dedicated appliance or application
- We can have a firewall that looks at Layer 3 and 4
- We can have a firewall for Deep Packet Inspection (DPI); this is where we look at the payload: web traffic, emails.
- An appliance dedicated to a specific web application is called a Web Application Firewall (WAF).
- Capabilities vary drastically
- A Layer 3 and 4 Access Control List (ACL) is a very simple form of firewall: the router has rules that decide which IPs are let through.
- Stateful Packet Inspection (SPI) keeps state, for example at Layer 4, to follow the TCP three-way handshake exactly and make sure everything is acknowledged.
- The State Table keeps track of what are the legitimate transactions.
Packet Filter
- TCP -> Source -> Destination
- IP -> Source -> Destination
- ETHERNET -> Source -> Destination
Stateful Packet Inspection
State table
- IP addresses
- The firewall notes the IP addresses that are communicating, determines which is the source and which the destination, and which port numbers are in use.
- Source IP, Destination IP, Source Port, Destination Port
- In order for them to communicate over TCP, there has to be the three-way handshake: SYN, SYN-ACK, and ACK. The whole point is that TCP uses sequence numbers, and this is how it achieves reliable delivery.
- Port numbers
- Sequence numbers & flags
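The packet-filter ACL and the stateful state table above, as an added example that is not part of the original notes. The packet model, the ACL rule format, the state names (SYN_SENT, SYN_RECEIVED, ESTABLISHED) and the traffic trace are all constructed for illustration; the point it shows is that the stateless ACL only decides who may open a connection, while the state table is what lets the server's SYN-ACK and later reply traffic back in and drops anything that does not fit a tracked handshake.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed packet model: just the IP/TCP header fields the filter looks at.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: frozenset   # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    seq: int
    ack: int = 0

# --- Layer 3/4 packet filter: a stateless ACL ------------------------------
@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # IP address or "any"
    dst: str               # IP address or "any"
    dport: Optional[int]   # None means any destination port

def acl_match(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; implicit deny at the end (usual router semantics)."""
    for r in rules:
        if r.src not in ("any", pkt.src_ip):
            continue
        if r.dst not in ("any", pkt.dst_ip):
            continue
        if r.dport is not None and r.dport != pkt.dst_port:
            continue
        return r.action
    return "deny"

# --- Stateful packet inspection: the state table ---------------------------
Key = Tuple[str, str, int, int]   # source IP, destination IP, source port, destination port

@dataclass
class Entry:
    state: str          # SYN_SENT -> SYN_RECEIVED -> ESTABLISHED
    client_isn: int     # client's initial sequence number, checked against the SYN-ACK
    server_isn: int = 0 # server's initial sequence number, checked against the final ACK

class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.table: Dict[Key, Entry] = {}

    def process(self, pkt: Packet) -> str:
        """Return 'allow' or 'drop' for one packet, updating the state table."""
        fwd = (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port)

        # Unknown flow: only a bare SYN that the ACL permits may create an entry.
        # An unsolicited ACK or SYN-ACK with no matching entry is dropped.
        if fwd not in self.table and rev not in self.table:
            if pkt.flags == frozenset({"SYN"}) and acl_match(self.rules, pkt) == "permit":
                self.table[fwd] = Entry("SYN_SENT", client_isn=pkt.seq)
                return "allow"
            return "drop"

        # Reply direction (server -> client): allowed because of the state entry,
        # even though no ACL rule permits traffic from the server side.
        if rev in self.table:
            e = self.table[rev]
            if (e.state == "SYN_SENT" and pkt.flags == frozenset({"SYN", "ACK"})
                    and pkt.ack == e.client_isn + 1):
                e.state, e.server_isn = "SYN_RECEIVED", pkt.seq
                return "allow"
            return "allow" if e.state == "ESTABLISHED" else "drop"

        # Client direction: the final ACK must acknowledge the server's ISN.
        e = self.table[fwd]
        if (e.state == "SYN_RECEIVED" and pkt.flags == frozenset({"ACK"})
                and pkt.ack == e.server_isn + 1):
            e.state = "ESTABLISHED"
            return "allow"
        return "allow" if e.state == "ESTABLISHED" else "drop"

def demo() -> List[str]:
    """Constructed trace: one permitted handshake, one unsolicited packet, one ACL denial."""
    fw = StatefulFirewall([Rule("permit", "any", "10.0.0.5", 443)])
    c, s = "192.0.2.10", "10.0.0.5"   # constructed client and server addresses
    trace = [
        Packet(c, s, 40000, 443, frozenset({"SYN"}), seq=100),
        Packet(s, c, 443, 40000, frozenset({"SYN", "ACK"}), seq=500, ack=101),
        Packet(c, s, 40000, 443, frozenset({"ACK"}), seq=101, ack=501),
        Packet(c, s, 40000, 443, frozenset({"ACK"}), seq=101, ack=501),   # data in the established flow
        Packet(s, c, 443, 40001, frozenset({"ACK"}), seq=900, ack=1),     # no state entry for this flow
        Packet(c, s, 40002, 22, frozenset({"SYN"}), seq=7),               # port 22 not permitted by the ACL
    ]
    return [fw.process(p) for p in trace]

if __name__ == "__main__":
    print(demo())   # ['allow', 'allow', 'allow', 'allow', 'drop', 'drop']
```

A real implementation would also age entries out of the table and track teardown (FIN/RST), which this sketch leaves out; the handshake check alone is enough to show why the state table, not the ACL, is what admits the reply direction.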
Deep Packet Inspection
- "What's in the box?"
- Layer 2, Layer 3, Layer 4; once you get past the Layer 4 header, what remains is what we call the payload.
- Payload Inspection
- Protocol support
- Firewall needs to speak the language
- The firewall needs to understand SIP if it's doing SIP inspection; SIP is used for setting up phone calls.
- Needs to inspect HTTP if it's going to look at web traffic.
- Needs to inspect FTP if you are going to look at file transfers
- etc.
- Application visibility
- Also called application visibility and control
- Anti-virus
- I can use MD5 or a different hashing algorithm to hash that payload and determine whether it is recognized malware.
- Data loss prevention
- Intrusion prevention
- Based on Signatures
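The DPI ideas above (the firewall has to speak the protocol, inspects the payload, hashes it against known malware, and matches intrusion-prevention signatures), as an added example that is not part of the original notes. Everything here is constructed: the tiny HTTP parser, the single "signature", the known-bad hash set (computed from a harmless constructed string, not a real malware hash) and the sample payloads. It uses SHA-256 rather than the MD5 mentioned in the notes, since MD5 collisions are cheap to produce.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Constructed "known malware" hash set. The payload is a harmless test string;
# a real firewall would load vendor-supplied hashes here.
TEST_PAYLOAD = b"CONSTRUCTED-TEST-PAYLOAD-NOT-REAL-MALWARE"
KNOWN_BAD_HASHES = {hashlib.sha256(TEST_PAYLOAD).hexdigest()}

# Constructed intrusion-prevention signatures: (name, byte pattern).
SIGNATURES = [
    ("path-traversal", re.compile(rb"\.\./")),
]

HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/1\.[01]\r\n")

def parse_http(payload: bytes) -> Optional[Tuple[str, str, Dict[bytes, bytes], bytes]]:
    """Minimal HTTP/1.x request parser: "speaking the language" for port 80.
    Returns (method, target, headers, body), or None if this is not HTTP."""
    m = HTTP_REQUEST_LINE.match(payload)
    if not m:
        return None
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None          # no end of headers: malformed or truncated request
    headers: Dict[bytes, bytes] = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return m.group(1).decode(), m.group(2).decode(), headers, body

def inspect(dst_port: int, payload: bytes) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet's payload.
    Only port 80 has an inspection profile in this sketch; other ports pass through."""
    if dst_port != 80:
        return "allow", "no inspection profile for this port"
    req = parse_http(payload)
    if req is None:
        # Protocol enforcement: whatever this is, it is not HTTP on the HTTP port.
        return "drop", "non-HTTP traffic on port 80"
    method, target, headers, body = req
    # Intrusion prevention: signature match on the request target and body.
    for name, pattern in SIGNATURES:
        if pattern.search(target.encode()) or pattern.search(body):
            return "drop", f"IPS signature: {name}"
    # Anti-virus style check: hash the body (e.g. an uploaded file) and compare.
    if body and hashlib.sha256(body).hexdigest() in KNOWN_BAD_HASHES:
        return "drop", "payload hash matches known malware"
    return "allow", f"{method} {target}"

def demo() -> List[str]:
    """Constructed payloads covering each inspection outcome."""
    upload = (b"POST /upload HTTP/1.1\r\nHost: example.com\r\n"
              b"Content-Length: %d\r\n\r\n" % len(TEST_PAYLOAD)) + TEST_PAYLOAD
    samples = [
        (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),   # clean request
        (80, b"GET /../../etc/passwd HTTP/1.1\r\nHost: example.com\r\n\r\n"),  # hits the signature
        (80, upload),                                                      # body hash is known-bad
        (80, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),                     # TLS record bytes on port 80
        (25, b"EHLO mail.example.com\r\n"),                                # no profile for SMTP here
    ]
    return [inspect(port, data)[0] for port, data in samples]

if __name__ == "__main__":
    print(demo())   # ['allow', 'drop', 'drop', 'drop', 'allow']
```

Note that the hash check only fires on an exact, byte-identical payload; the same file split across several TCP segments would have to be reassembled first, which is one reason DPI engines sit on top of the stateful tracking rather than looking at packets one at a time.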