
Apr 11, 2024

Firewalls 102: Understanding Basic Filtering and ACL Rules

Paul Painter, Director, Solutions Engineering

To continue our firewall series, we are delving into the fundamentals of basic filtering, a cornerstone of network security. Be sure to check out Part 1 for a deep dive into Network Address Translation (NAT).

Firewalls act as guardians, meticulously examining data packets traveling between your secure internal network and the wild world of the internet. Basic filtering allows authorized traffic to flow freely while blocking unwanted connections.

Demystifying Firewall Rules and ACLs

To control this traffic flow, firewalls leverage Access Control Lists (ACLs), essentially a set of rules dictating which traffic is allowed and which is denied. Each data packet carries information such as its source and destination IP addresses and the service (port) it uses. The firewall compares this information against the ACL rules one by one, from the top down, and the first rule that matches decides the packet's fate. That is why the order of these rules is critical.

Breaking Down a Simplified ACL Rule:

  • Source IP: Specifies the sender’s IP address (or a range of addresses).
  • Destination IP: Specifies the recipient’s IP address (or a range of addresses).
  • Service/Port: Defines the type of traffic (e.g., web browsing – port 80, secure browsing – port 443).
  • ALLOW/DENY: Determines whether to permit or block the traffic.
  • Comment: Provides a brief explanation for the rule’s purpose.

The example below shows a basic firewall rule set that lets a web server accept web traffic and nothing else:

Source IP | Destination IP | Service/Port                                  | ALLOW/DENY | Comment
ANY       | WebServer      | Hypertext transfer protocol (http) / 80       | ALLOW      | Allows anything to use unencrypted web protocol traffic to talk to the web server
ANY       | WebServer      | Hypertext transfer protocol secured (https) / 443 | DENY? No: ALLOW | Allows anything to use encrypted web protocol traffic to talk to the web server
ANY       | ANY            | ANY                                           | DENY       | Denies any traffic that isn’t defined above, AKA “implicit deny”


A misplaced rule can have unintended consequences: if the catch-all “deny” rule in this example were moved above the two ALLOW rules, it would match every packet first and the web server would receive no traffic at all. Placed last, the same rule acts as a safety net, blocking any traffic the rules above it do not explicitly recognize.
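To make the first-match behaviour and the effect of rule order concrete, here is an added Python example (not code from the article or from HorizonIQ). It evaluates the article's three-rule set exactly as a firewall would, top to bottom, and also flags rules that can never fire because an earlier rule already covers everything they match. The web server address 203.0.113.10, the client address 198.51.100.7 and the Rule/Packet structures are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address for the article's "WebServer" (assumption; the article names no IP).
WEB_SERVER = "203.0.113.10"


@dataclass(frozen=True)
class Rule:
    src: str              # "ANY" or an IP address / CIDR prefix
    dst: str              # "ANY" or an IP address / CIDR prefix
    port: Optional[int]   # None means ANY service/port
    action: str           # "ALLOW" or "DENY"
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: int


def _match_addr(spec: str, addr: str) -> bool:
    """ANY matches everything; otherwise the address must fall inside the spec."""
    if spec == "ANY":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_match_addr(rule.src, pkt.src)
            and _match_addr(rule.dst, pkt.dst)
            and (rule.port is None or rule.port == pkt.port))


def evaluate(acl: list[Rule], pkt: Packet) -> tuple[str, Optional[int]]:
    """First-match evaluation: walk the ACL top to bottom and return
    (action, index of the rule that fired). If nothing matches, the
    implicit deny applies and the index is None."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "DENY", None


def _covers(broad: str, narrow: str) -> bool:
    """True if every address matched by `narrow` is also matched by `broad`."""
    if broad == "ANY":
        return True
    if narrow == "ANY":
        return False
    return ipaddress.ip_network(narrow, strict=False).subnet_of(
        ipaddress.ip_network(broad, strict=False))


def shadowed_rules(acl: list[Rule]) -> list[int]:
    """Indices of rules that can never fire because an earlier rule
    matches everything they match. A misplaced catch-all shows up here."""
    shadowed = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (_covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and (earlier.port is None or earlier.port == later.port)):
                shadowed.append(j)
                break
    return shadowed


# The article's rule set, in the order it is shown.
WEB_ACL = [
    Rule("ANY", WEB_SERVER, 80, "ALLOW", "unencrypted web traffic to the web server"),
    Rule("ANY", WEB_SERVER, 443, "ALLOW", "encrypted web traffic to the web server"),
    Rule("ANY", "ANY", None, "DENY", "anything not defined above"),
]

# The same three rules with the catch-all deny misplaced at the top.
MISORDERED_ACL = [WEB_ACL[2], WEB_ACL[0], WEB_ACL[1]]

if __name__ == "__main__":
    client = "198.51.100.7"   # constructed client address
    for name, acl in (("correct order", WEB_ACL), ("deny first", MISORDERED_ACL)):
        print(name)
        for port in (80, 443, 22):
            action, idx = evaluate(acl, Packet(client, WEB_SERVER, port))
            print(f"  port {port:3d}: {action} (rule {idx})")
        print("  shadowed rules:", shadowed_rules(acl))
```

Running it shows port 443 allowed by rule 1 and port 22 denied by rule 2 in the correct order, while with the deny moved to the top every packet is denied by rule 0 and rules 1 and 2 are reported as shadowed. The shadow check is the kind of sanity test worth running on any rule base before it is pushed to a production firewall.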

Stateful Inspection: A Powerful Tool with Nuances

Beyond ACLs, firewalls use stateful inspection to track connection information, ensuring that a connection’s traffic flows in and out through the same interface. This feature, while powerful, demands careful configuration. We share a real-world scenario highlighting the significance of order in rule application.

Stateful inspection, despite occasional challenges, is a crucial tool to thwart hacking attempts. Our experienced technical staff at HorizonIQ specializes in optimizing rules and order, ensuring your managed firewall operates securely and efficiently.
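The following added Python example (constructed for this article, not HorizonIQ code) shows the two behaviours the section describes: a reply packet is admitted because it matches a tracked connection rather than an ACL rule, and the same reply is dropped when it arrives on an interface other than the one the state entry expects, which is the classic symptom of asymmetric routing through a stateful firewall. The interface names inside/outside/dmz and all addresses are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a connection, identified by its 5-tuple."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def reverse(flow: Flow) -> Flow:
    """The 5-tuple a reply packet will carry."""
    return Flow(flow.dst, flow.dport, flow.src, flow.sport, flow.proto)


class StatefulFirewall:
    """Toy two-interface stateful firewall (constructed example).

    Policy: hosts on the 'inside' interface may open connections outward;
    nothing may initiate a connection from 'outside'. Reply packets are
    allowed only when they match a tracked connection AND arrive on the
    interface the state entry expects, which is what breaks under
    asymmetric routing (the reply enters via a different path)."""

    def __init__(self) -> None:
        # initiating 5-tuple -> interface the reply must arrive on
        self.state: dict[Flow, str] = {}

    def process(self, flow: Flow, ingress: str) -> tuple[bool, str]:
        # 1. Is this packet the reply to a connection we already track?
        original = reverse(flow)
        if original in self.state:
            expected = self.state[original]
            if ingress == expected:
                return True, "established"
            return False, f"asymmetric: reply arrived on {ingress}, expected {expected}"
        # 2. Otherwise it is a new connection; only the inside may initiate.
        if ingress == "inside":
            self.state[flow] = "outside"   # remember where the reply must come from
            return True, "new connection, state created"
        return False, "no state and inbound initiation is denied"


if __name__ == "__main__":
    fw = StatefulFirewall()
    # Constructed addresses: 10.0.0.5 is an inside host, 203.0.113.50 an internet server.
    request = Flow("10.0.0.5", 51000, "203.0.113.50", 443)
    reply = reverse(request)
    print(fw.process(request, "inside"))     # (True, 'new connection, state created')
    print(fw.process(reply, "outside"))      # (True, 'established')
    print(fw.process(reply, "dmz"))          # (False, 'asymmetric: ...')
    print(fw.process(Flow("198.51.100.9", 40000, "10.0.0.5", 22), "outside"))
```

Note that the inside host never needed an ACL rule permitting inbound traffic to its ephemeral port 51000; the state table supplied that permission, and only for the exact reply flow. The last call shows an unsolicited inbound connection attempt being dropped for lack of any state entry.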

Empower Your Network Security with HorizonIQ

Partner with HorizonIQ to leverage our managed firewall services and benefit from our dedicated technical support team. Learn best practices and implement a robust security posture for your organization. 

Stay tuned for future articles in this series where we explore firewalls and their functions, helping you make informed network security decisions.

Looking for more IT solutions? Explore our comprehensive suite of services.

Mar 28, 2024

Firewalls 101: Network Address Translation (NAT)

Paul Painter, Director, Solutions Engineering

As a solutions engineer guiding clients through diverse technologies, I believe the firewall remains a commonly misconstrued element. Its basic functions and the added benefits of advanced features often elude understanding. That’s why we are embarking on a comprehensive series where we delve into the intricate world of firewalls, discussing their fundamental concepts and extensive benefits.

Network Address Translation (NAT) – The Digital Cloak for Your Network

Our first installment explores the crucial role of Network Address Translation (NAT). Unlike a traditional traffic filter, NAT acts as a digital cloak for devices on your private network. It hides their actual IP addresses, preventing direct access from the internet. This protection works by modifying the source or destination IP addresses of data packets traveling through your router or firewall.

Understanding Private IP Addresses

The Internet Engineering Task Force (IETF) in RFC1918 defines three private IP address ranges that are non-routable over the public internet:

  • 10.0.0.0 – 10.255.255.255 (10.0.0.0/8 prefix)
  • 172.16.0.0 – 172.31.255.255 (172.16.0.0/12 prefix)
  • 192.168.0.0 – 192.168.255.255 (192.168.0.0/16 prefix)

Using these ranges for server and device numbering ensures their IPs remain inaccessible from the public internet, necessitating the ability to translate private to public IPs.

The NAT Analogy

Think of this in terms of your office phone system. Each desk phone likely has a public number for external calls. But internally, colleagues use extension numbers to reach each other. The phone system acts like a NAT table, managing the connection between public numbers and internal extensions.

How NAT Works with Firewalls

Similarly, firewalls maintain a NAT table that tracks which public IP addresses are assigned to which private IP addresses on your network. Each device has a private IP address, and a public address can be tied to it through Static NAT, a fixed table entry linking one public address to one private address.

However, there might be situations where a server on your network needs to initiate outgoing connections, like downloading patch updates, but doesn’t require incoming communication. Firewalls can dynamically track these internal IPs without assigned public addresses. This allows the server to initiate communication while the firewall translates the private IP for the outgoing traffic.
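The added Python example below (constructed for this article, not HorizonIQ code) covers both the RFC 1918 check from the previous section and the two NAT table behaviours just described: a static 1:1 entry for a server that must be reachable from the internet, and a dynamic entry created on the fly for a server that only initiates outbound connections, such as a patch download. The public addresses 203.0.113.1 and 203.0.113.10, the private hosts 10.0.0.10 and 10.0.0.20, and the port numbers are all assumptions.

```python
import ipaddress
from itertools import count
from typing import Optional

# The three RFC 1918 ranges listed in the article.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if the address is private (non-routable on the public internet)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class NatTable:
    """Toy NAT table with two kinds of entries (constructed example):
      * static: a fixed 1:1 link between a public and a private address,
        so traffic may be initiated from either side;
      * dynamic: created on demand when a private host with no public
        address initiates outbound traffic; the translation uses the
        firewall's shared public address plus a unique port, and only
        the reply to that exact translation can come back in."""

    def __init__(self, shared_public_ip: str) -> None:
        self.shared_public_ip = shared_public_ip
        self.static: dict[str, str] = {}       # private -> public
        self.static_rev: dict[str, str] = {}   # public -> private
        self.dynamic: dict[tuple[str, int], tuple[str, int]] = {}
        self.dynamic_rev: dict[tuple[str, int], tuple[str, int]] = {}
        self._ports = count(40000)             # next free public port

    def add_static(self, private_ip: str, public_ip: str) -> None:
        if not is_rfc1918(private_ip):
            raise ValueError(f"{private_ip} is not a private address")
        self.static[private_ip] = public_ip
        self.static_rev[public_ip] = private_ip

    def translate_outbound(self, src_ip: str, src_port: int) -> tuple[str, int]:
        """Rewrite the source of a packet leaving the private network."""
        if src_ip in self.static:
            return self.static[src_ip], src_port
        key = (src_ip, src_port)
        if key not in self.dynamic:               # first packet of this flow
            public = (self.shared_public_ip, next(self._ports))
            self.dynamic[key] = public
            self.dynamic_rev[public] = key
        return self.dynamic[key]

    def translate_inbound(self, dst_ip: str, dst_port: int) -> Optional[tuple[str, int]]:
        """Rewrite the destination of a packet arriving from the internet.
        None means no table entry exists and the packet is dropped."""
        if dst_ip in self.static_rev:
            return self.static_rev[dst_ip], dst_port
        return self.dynamic_rev.get((dst_ip, dst_port))


if __name__ == "__main__":
    nat = NatTable("203.0.113.1")                # constructed firewall public address
    nat.add_static("10.0.0.10", "203.0.113.10")  # web server reachable from outside
    print(nat.translate_inbound("203.0.113.10", 443))   # ('10.0.0.10', 443)
    # An internal server downloading patches gets a dynamic entry on the way out ...
    print(nat.translate_outbound("10.0.0.20", 51000))   # ('203.0.113.1', 40000)
    # ... the reply matches that entry ...
    print(nat.translate_inbound("203.0.113.1", 40000))  # ('10.0.0.20', 51000)
    # ... but an unsolicited inbound packet to that server finds no entry.
    print(nat.translate_inbound("203.0.113.1", 22))     # None
```

The last lookup is the point of the section: because 10.0.0.20 has no static entry, the only way a packet can reach it from the internet is as the reply to a translation it created itself, which is what keeps an outbound-only server hidden.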

HorizonIQ: Your Partner in Firewall Management

HorizonIQ, equipped with a skilled technical team, offers consultation and maintenance of your NAT table within managed firewalls. Understanding NAT’s nuances is pivotal for fortifying internet security, and HorizonIQ stands ready to provide expert guidance tailored to your needs.

Stay tuned for further installments in this series where we delve deeper into firewalls and their functionalities, empowering you to make informed decisions about your network security. HorizonIQ is committed to helping you understand the technology that safeguards your valuable digital assets.

Navigate your digital journey with HorizonIQ. Explore our comprehensive suite of solutions.
