CompTIA Network+ Tutorial: Module 05, Part 05: Network Security | Firewall

In this part we look at the methods used to secure a network. They can be implemented in software or in hardware, depending on the needs and the type of the network, and they protect against unauthorised access and malware.

Software vs. Hardware Firewalls – When setting up a firewall, it is important to know the difference between a hardware and a software firewall. A software firewall is installed on the client itself (the host firewall built into the operating system is the common case). It is inexpensive, but it runs on the machine it protects and therefore shares that machine's attack surface: malware, or a user with administrative rights on the host, can disable or reconfigure it. A hardware firewall is a separate physical appliance that sits between the networks it separates. It is more robust and more configurable, but it costs considerably more. The best protection comes from combining the two: a hardware firewall at the network edge and a software firewall on every host. A firewall that inspects the content of traffic, not only its headers, can also detect known malware as it passes through, which adds a further layer of protection.

Stateful Inspection vs. Packet Filtering and Firewall Rules

Packet filtering makes its decision from the packet header alone (source and destination addresses, ports and protocol), one packet at a time, with no memory of earlier packets. A stateful firewall keeps a table of the connections it has seen and only lets inbound traffic in if it is a reply to a connection initiated from the inside, or if an explicit rule permits it. Firewall rules are divided into inbound and outbound. An inbound rule dictates what is allowed from the public network into the private network; an outbound rule governs traffic travelling from the private network to the public network. Outbound traffic is generally trusted more than inbound traffic because it originates from our own hosts, so outbound rules are usually looser; they should not be ignored, since a compromised host also talks outbound. Inbound rule sets end with an implicit deny: a packet that matches no rule is dropped. Finally, Access Control Lists (ACLs) permit or deny traffic based on source or destination IP address, port, or MAC address; entries are evaluated in order and the first match wins.
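To make the difference concrete, here is an added example, written for this page rather than taken from the tutorial or from any vendor, that runs the same constructed packets through a stateless filter and a minimal stateful one. The addresses, the contents of the ACL and the Packet class are assumptions made for the demonstration. A real stateful firewall also validates TCP flags and sequence numbers and ages entries out of its table; this toy version omits that and only tracks the 5-tuple.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing for the demo: the private LAN sits behind the firewall.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    """Only the header fields a packet filter looks at (constructed, not captured)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reverse(self) -> "Packet":
        """The header a reply to this packet would carry."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)

    def flow(self) -> tuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)


# Hypothetical inbound ACL: (action, destination port, protocol).
# Entries are checked top to bottom; the first match wins.
INBOUND_ACL = [
    ("deny", 23, "tcp"),     # never allow telnet in
    ("permit", 443, "tcp"),  # HTTPS to the public web server
]


def acl_decision(packet: Packet, acl) -> str:
    """Stateless packet filter: header fields only, no memory of earlier packets."""
    for action, port, proto in acl:
        if packet.dst_port == port and packet.proto == proto:
            return action
    return "deny"  # implicit deny: nothing matched


class StatefulFirewall:
    """Records outbound flows so that only their replies (or explicitly
    permitted traffic) are allowed back in."""

    def __init__(self, inbound_acl):
        self.inbound_acl = inbound_acl
        self.state = set()  # 5-tuples of flows initiated from inside

    @staticmethod
    def is_outbound(packet: Packet) -> bool:
        return ipaddress.ip_address(packet.src_ip) in INTERNAL_NET

    def process(self, packet: Packet) -> str:
        if self.is_outbound(packet):
            # Outbound is trusted here; remember the flow so its reply can return.
            self.state.add(packet.flow())
            return "permit"
        # Inbound: is it the reply to a flow we initiated?
        if packet.reverse().flow() in self.state:
            return "permit"
        # Otherwise only an explicit inbound rule can let it in.
        return acl_decision(packet, self.inbound_acl)


def demo() -> dict:
    """Run constructed packets through both filters and return the decisions."""
    fw = StatefulFirewall(INBOUND_ACL)
    outbound = Packet("192.168.1.10", 51000, "198.51.100.7", 80)  # client -> web
    reply = outbound.reverse()                                     # web -> client
    # Same destination port as the reply, but from a host we never talked to.
    unsolicited = Packet("203.0.113.9", 4444, "192.168.1.10", 51000)
    https_in = Packet("203.0.113.9", 5555, "192.168.1.20", 443)
    telnet_in = Packet("203.0.113.9", 5556, "192.168.1.20", 23)
    return {
        "outbound": fw.process(outbound),
        "reply_stateful": fw.process(reply),
        "reply_stateless": acl_decision(reply, INBOUND_ACL),
        "unsolicited": fw.process(unsolicited),
        "https_in": fw.process(https_in),
        "telnet_in": fw.process(telnet_in),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:16} {decision}")
```

The reply to the client's web request is permitted by the stateful firewall because its reversed 5-tuple is in the state table, while the stateless filter drops the same packet under the implicit deny (its destination port 51000 matches no rule). Opening port 51000 in the ACL would let the reply through, but would also admit the unsolicited packet, which the stateful version still drops because no inside host ever talked to 203.0.113.9:4444.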

NAT/PAT and DMZ (Demilitarized Zone)

Network address translation (NAT) rewrites the private (internal) source IP address of outgoing packets to a public (external) address, and rewrites the destination of the replies back to the private address. A static NAT entry works in the other direction as well: traffic arriving at the public address can be forwarded to an internal host such as a web server. Port address translation (PAT) lets many private hosts share one public IP address: the router tracks each flow by IP address and port, mapping every private IP and port pair to the public IP and a unique public port, so replies can be delivered to the right host. The demilitarized zone (DMZ) is a separate network segment for systems that must be reachable from the public network. It sits behind a public-facing firewall that is less restrictive than the one protecting the private network, and it is the place for web servers and VPN concentrators.
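The following added example, written for this page and not taken from the tutorial, simulates the translation table a PAT router keeps, together with one static NAT entry that forwards public port 443 to a web server in the DMZ. The public address 203.0.113.5, the private hosts, the DMZ server at 10.0.1.20 and the starting public port are assumptions for the demonstration. Two inside hosts deliberately use the same source port to show why the router needs a unique public port per flow.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.5"  # assumed public address on the router's outside interface


@dataclass(frozen=True)
class Packet:
    """Addressing fields only (constructed sample traffic, not captured)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Port address translation: every inside host shares PUBLIC_IP and each
    flow is told apart by the unique public source port it is given."""

    def __init__(self, public_ip: str, static_forwards=None, first_port: int = 10000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}  # (private ip, private port) -> public port
        self.inbound = {}   # public port -> (private ip, private port)
        # Static NAT entries, e.g. public port 443 -> the DMZ web server.
        self.static = dict(static_forwards or {})

    def translate_outbound(self, p: Packet) -> Packet:
        """Rewrite the source of an inside->outside packet, reusing the
        mapping for a flow that is already in the table."""
        key = (p.src_ip, p.src_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, self.outbound[key], p.dst_ip, p.dst_port)

    def translate_inbound(self, p: Packet):
        """Rewrite the destination of an outside->inside packet. Returns None
        when no static or dynamic entry matches: PAT has nowhere to send it."""
        if p.dst_ip != self.public_ip:
            return None
        if p.dst_port in self.static:
            ip, port = self.static[p.dst_port]
            return Packet(p.src_ip, p.src_port, ip, port)
        if p.dst_port in self.inbound:
            ip, port = self.inbound[p.dst_port]
            return Packet(p.src_ip, p.src_port, ip, port)
        return None


def demo() -> dict:
    """Two inside hosts that happen to pick the same source port, plus a
    static forward to a hypothetical DMZ web server at 10.0.1.20."""
    nat = PatRouter(PUBLIC_IP, static_forwards={443: ("10.0.1.20", 443)})
    dns = "198.51.100.53"
    a = Packet("192.168.1.10", 40000, dns, 53)
    b = Packet("192.168.1.11", 40000, dns, 53)
    a_out = nat.translate_outbound(a)
    b_out = nat.translate_outbound(b)
    a_again = nat.translate_outbound(a)  # same flow, same mapping
    return {
        "a_out": a_out,
        "b_out": b_out,
        "a_again": a_again,
        "a_reply": nat.translate_inbound(Packet(dns, 53, PUBLIC_IP, a_out.src_port)),
        "b_reply": nat.translate_inbound(Packet(dns, 53, PUBLIC_IP, b_out.src_port)),
        "web": nat.translate_inbound(Packet("203.0.113.9", 5000, PUBLIC_IP, 443)),
        "stray": nat.translate_inbound(Packet("203.0.113.9", 5000, PUBLIC_IP, 22)),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:8} {pkt}")
```

Both DNS queries leave with source 203.0.113.5 but on public ports 10000 and 10001, so the two replies are delivered to the correct private hosts even though both hosts used port 40000. An inbound packet to port 22 matches neither a static entry nor a dynamic one and is dropped: PAT by itself blocks unsolicited inbound traffic, but that is a side effect of the table, not a substitute for the inbound firewall rules described above.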