Chapter 1: Types of Firewalls

Cisco Press

By Ray Blair, Arvind Durai, Network World
May 21, 2009 03:30 PM ET


By definition, a firewall is a single device used to enforce security policies within a network or between networks by controlling traffic flows.

The Firewall Services Module (FWSM) is a very capable device that can be used to enforce those security policies. The FWSM was developed as a module or blade that resides in either a Catalyst 6500 series chassis or a 7600 series router chassis. The "tight" integration with a chassis offers increased flexibility, especially with network virtualization and the incredible throughput that is not only available today but will increase significantly with the introduction of the 4.x code train.

The look and feel of the FWSM is similar to that of the PIX and ASA. These products are all part of the same family, originating with the PIX and the "finesse" operating system. If you have had any experience with either the PIX or ASA, you will find comfort in not having to learn another user interface.

Having a good understanding of the capabilities offered by the different types of firewalls will help you in placing the appropriate type of firewall to best meet your security needs.


Understanding Packet-Filtering Firewalls

Packet-filtering firewalls validate packets based on protocol, source and/or destination IP addresses, source and/or destination port numbers, time range, Differentiated Services Code Point (DSCP), type of service (ToS), and various other parameters within the IP header. Packet filtering is generally accomplished using Access Control Lists (ACLs) on routers or switches and is normally very fast, especially when performed in an Application-Specific Integrated Circuit (ASIC). As traffic enters or exits an interface, ACLs are used to match selected criteria and either permit or deny individual packets.



The primary advantage of packet-filtering firewalls is that they are located in just about every device on the network. Routers, switches, wireless access points, Virtual Private Network (VPN) concentrators, and so on may all have the capability of being a packet-filtering firewall.

Routers from the very smallest home office to the largest service-provider devices inherently have the capability to control the flow of packets through the use of ACLs.

Switches may use Routed Access Control Lists (RACLs), which provide the capability to control traffic flow on a "routed" (Layer 3) interface; Port Access Control Lists (PACLs), which are assigned to a "switched" (Layer 2) interface; and VLAN Access Control Lists (VACLs), which have the capability to control "switched" and/or "routed" packets on a VLAN.

Other networking devices may also have the power to enforce traffic flow through the use of ACLs. Consult the appropriate device documentation for details.

Packet-filtering firewalls are most likely a part of your existing network. These devices may not be the most feature rich, but when you need to quickly implement a security policy to mitigate an attack, protect against infected devices, and so on, this may be the quickest solution to deploy.



The challenge with packet-filtering firewalls is that ACLs are static, and packet filtering has no visibility into the data portion of the IP packet.

Tip - Packet-filtering firewalls do not have visibility into the payload.

Because packet-filtering firewalls match only individual packets, this enables an individual with malicious intent, also known as a "hacker," "cracker," or "script kiddie," to easily circumvent your security (at least this device) by crafting packets, misrepresenting traffic using well-known port numbers, or tunneling traffic unsuspectingly within traffic allowed by the ACL rules. Developers of peer-to-peer sharing applications quickly learned that using TCP port 80 (www) would allow them unobstructed access through the firewall.

Note - The terms used to describe someone with malicious intent may not be the same in all circles.

  • A cracker refers to someone who "cracks" or breaks into a network or computer, but can also define someone who "cracks" or circumvents software protection methods, such as keys. Generally it is not a term of endearment.

  • A hacker describes someone skilled in programming and who has an in-depth understanding of computers and/or operating systems. This individual can use his or her knowledge for good (white-hat hacker) or evil (black-hat hacker). Also, it describes my golf game.

  • A script kiddie is someone who uses the code, methods, or programs created by a hacker for malicious intent.

Figure 1-1 shows an example of a packet-filtering firewall, a router using a traditional ACL, in this case access-list 100. Because the ACL is matching traffic destined for port 80, any flows destined to port 80, no matter what kind, will be allowed to pass through the router.

Figure 1-1: Packet-Filtering Firewall

Given the issues with packet filtering and the fact that packet filters are easy to circumvent, you may dismiss using them entirely. This would be a huge mistake! Taking a holistic approach and using multiple devices to provide defense in depth is a much better strategy. An excellent use of packet filtering is on the border of your network, preventing spoofed traffic and private IP addresses (RFC 1918) from entering or exiting your network. In-depth ACL configuration is beyond the scope of this book, but a good reference is RFC 2827.
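The following is an added example, not code from the book or from Cisco: a small stateless packet filter written in Python that models how an ACL like access-list 100 is evaluated, and then applies the same matching to the border use case just described. It makes two points from the text concrete. First, an ACL matches only header fields, so a permit for TCP port 80 lets through any payload addressed to that port, and a crude Layer 7 check is needed to tell HTTP from something else riding on port 80. Second, an RFC 2827 style border ACL can drop packets with RFC 1918 sources or with sources claiming to be inside your own prefix, and an egress ACL can stop your own hosts from sending spoofed sources. The addresses, prefixes, ACL entries and packets are all constructed for the example (TEST-NET ranges), and the first-match/implicit-deny semantics are those of an IOS-style ACL.

```python
"""Stateless packet filter modelled on a router ACL (added example, not from the book).

Demonstrates (1) header-only matching: a permit for tcp/80 passes any payload,
and (2) RFC 1918 / RFC 2827 anti-spoofing ACLs at the network border.
All addresses, prefixes and packets below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    payload: bytes = b""       # never examined by the ACL below


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus header match criteria."""
    action: str                     # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"          # source prefix ("any")
    dst: str = "0.0.0.0/0"          # destination prefix ("any")
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an IOS-style ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


SITE_PREFIX = "198.51.100.0/24"        # constructed: our own public prefix
WEB_SERVER = "198.51.100.10"           # constructed: a server inside that prefix
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Figure 1-1 style ACL: permit web traffic to the server, implicit deny otherwise.
ACL_100 = [Ace("permit", "tcp", dst=f"{WEB_SERVER}/32", dport=80)]


def border_ingress_acl(site_prefix: str) -> List[Ace]:
    """Inbound on the Internet-facing interface (RFC 2827 style): drop private
    sources and packets whose source claims to be one of our own addresses."""
    return ([Ace("deny", src=p) for p in RFC1918]
            + [Ace("deny", src=site_prefix), Ace("permit")])


def border_egress_acl(site_prefix: str) -> List[Ace]:
    """Outbound: only our own prefix may leave; everything else is implicitly denied."""
    return [Ace("permit", src=site_prefix)]


def looks_like_http(payload: bytes) -> bool:
    """Crude Layer 7 check that a packet filter cannot perform: does the
    payload start with an HTTP method token?"""
    methods = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}
    return payload.split(b" ", 1)[0] in methods


def demo() -> dict:
    outside = "203.0.113.5"                       # constructed external client
    http = Packet("tcp", outside, WEB_SERVER, 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n")
    p2p = Packet("tcp", outside, WEB_SERVER, 80, b"\x13BitTorrent protocol")
    ssh = Packet("tcp", outside, WEB_SERVER, 22, b"SSH-2.0-client")
    spoofed_private = Packet("tcp", "10.1.2.3", WEB_SERVER, 80)
    spoofed_inside = Packet("tcp", "198.51.100.7", WEB_SERVER, 80)
    leaving_spoofed = Packet("udp", "203.0.113.99", "192.0.2.53", 53)
    leaving_legit = Packet("udp", "198.51.100.20", "192.0.2.53", 53)
    ingress = border_ingress_acl(SITE_PREFIX)
    egress = border_egress_acl(SITE_PREFIX)
    return {
        "acl100_http": evaluate(ACL_100, http),        # permit
        "acl100_p2p": evaluate(ACL_100, p2p),          # permit: same port, ACL is blind to payload
        "acl100_ssh": evaluate(ACL_100, ssh),          # deny (implicit)
        "p2p_is_http": looks_like_http(p2p.payload),   # False: only a Layer 7 check sees this
        "ingress_private": evaluate(ingress, spoofed_private),   # deny
        "ingress_inside_src": evaluate(ingress, spoofed_inside), # deny
        "ingress_normal": evaluate(ingress, http),               # permit
        "egress_spoofed": evaluate(egress, leaving_spoofed),     # deny
        "egress_legit": evaluate(egress, leaving_legit),         # permit
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```

The `acl100_p2p` and `p2p_is_http` results side by side are the whole argument of this section: the ACL verdict is identical for the two port-80 packets, and only the payload check, which belongs to an application-aware device, separates them.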


Understanding Application/Proxy Firewalls

The following section uses the Open Systems Interconnection (OSI) model in the description of application/proxy firewalls and warrants a brief review. The OSI model describes how information is transmitted from an application on one computer to an application on another. Each layer performs a specific task on the information and passes it to the next layer. This model helps explain where functions take place.

The seven layers of the OSI model are as follows:

  • Layer 7 is the application layer: It is the user interface to your computer (the programs), for example, word processor, e-mail application, telnet, and so on.

  • Layer 6 is the presentation layer: It acts as the translator between systems, converting application layer information to a common format understandable by different systems. This layer handles encryption and standards such as Motion Picture Experts Group (MPEG) and Tagged Image File Format (TIFF).

  • Layer 5 is the session layer: It manages the connections or service requests between computers.

  • Layer 4 is the transport layer: It prepares data for delivery to the network. Transmission Control Protocol is a function of Layer 4, providing reliable communication and ordering of data. User Datagram Protocol is also a role of Layer 4, but it does not provide reliable delivery of data.

  • Layer 3 is the network layer: It is where IP addressing and routing happen. Data at this layer is considered a "packet."

  • Layer 2 is the data-link layer: It handles the reliable sending of information. Media Access Control is a component of Layer 2. Data at this layer would be referred to as a "frame."

  • Layer 1 is the physical layer: It is composed of the objects that you can see and some that you cannot, such as electrical characteristics.

Tip - Use the following mnemonic to remember the OSI model: All People Seem To Need Data Processing.

Application firewalls, as indicated by the name, work at Layer 7, or the application layer of the OSI model. These devices act on behalf of a client (aka proxy) for requested services. For example, open a web browser and then open a web page. The request is sent to the proxy firewall, and then the proxy firewall, acting on your behalf, opens a web connection to the requested web server. That information is then transmitted to your web browser for your viewing pleasure.
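To show what "acting on behalf of the client" looks like in practice, here is an added example, not code from the book or any Cisco product: a toy HTTP forward-proxy handler in Python. The proxy terminates the browser's request, parses the method, host and path at Layer 7 (which a packet filter never sees), applies a policy to those parsed fields, and only then issues its own request to the origin server, so the server only ever talks to the proxy. The upstream connection is replaced by a plain callable (`fake_origin`) so the example runs offline; the hostnames, the allow-list and the request bytes are constructed, and the method/host policy is illustrative rather than any particular product's behaviour.

```python
"""Toy HTTP forward proxy handler (added example, not from the book).

The proxy parses the client's absolute-URI request, decides on the parsed
Layer 7 fields, then makes its own origin-form request to the server.
Hostnames, policy and request bytes are constructed for the example.
"""
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit

# (host, origin-form request bytes) -> raw HTTP response bytes
Upstream = Callable[[str, bytes], bytes]


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split a proxy-style request into (method, host, path, headers).

    Raises ValueError on anything that is not an absolute http:// request line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ")   # ValueError if malformed
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        raise ValueError("proxy requests must carry an absolute http:// URI")
    path = url.path or "/"
    if url.query:
        path += "?" + url.query
    return method, url.hostname, path, headers


def proxy_handle(raw: bytes, allowed_hosts: set, upstream: Upstream) -> bytes:
    """Apply policy to the parsed request, then fetch on the client's behalf."""
    try:
        method, host, path, _headers = parse_request(raw)
    except ValueError:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    # Policy is expressed in Layer 7 terms: which methods, which destination hosts.
    if method not in {"GET", "HEAD"} or host not in allowed_hosts:
        return b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
    # The proxy, not the browser, now talks to the server, using an origin-form request.
    origin_req = (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
                  f"Connection: close\r\n\r\n").encode("ascii")
    return upstream(host, origin_req)


def fake_origin(host: str, request: bytes) -> bytes:
    """Stand-in for the connection to the web server (constructed)."""
    first_line = request.split(b"\r\n", 1)[0].decode("ascii")
    body = f"served {first_line} on {host}".encode("ascii")
    return (b"HTTP/1.1 200 OK\r\nContent-Length: " + str(len(body)).encode("ascii")
            + b"\r\n\r\n" + body)


ALLOWED = {"www.example.com"}     # constructed allow-list of permitted destinations


def demo() -> dict:
    ok = (b"GET http://www.example.com/index.html?x=1 HTTP/1.1\r\n"
          b"Host: www.example.com\r\n\r\n")
    blocked_host = (b"GET http://intranet.example.net/ HTTP/1.1\r\n"
                    b"Host: intranet.example.net\r\n\r\n")
    blocked_method = (b"POST http://www.example.com/upload HTTP/1.1\r\n"
                      b"Host: www.example.com\r\n\r\n")
    return {
        "ok": proxy_handle(ok, ALLOWED, fake_origin),
        "blocked_host": proxy_handle(blocked_host, ALLOWED, fake_origin).split(b"\r\n")[0],
        "blocked_method": proxy_handle(blocked_method, ALLOWED, fake_origin).split(b"\r\n")[0],
    }


if __name__ == "__main__":
    for name, resp in demo().items():
        print(name, resp)
```

Compare this with the packet filter earlier in the chapter: a port-80 permit cannot distinguish the three requests above, because the method and hostname live in the payload, whereas the proxy must parse them before it can forward anything at all.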
