A firewall is a critical component of any network. It is important to prevent unauthorized access while still allowing legitimate traffic into and out of your network.
Firewall Overview (16.3.1)
A firewall prevents undesirable traffic from entering protected areas of the network. It is one of the most effective security tools available for protecting internal network users from external threats. A firewall is usually installed between two or more networks and controls the traffic between them; it also helps to prevent unauthorized access. Firewall products use various techniques for determining which devices are permitted or denied access to a network.
Firewall Operation (16.3.2)
Firewalls can be implemented in software that is installed on PCs, networking devices, or servers. Firewalls may also be hardware devices that are installed for the single purpose of protecting areas within the network. A hardware firewall is a freestanding unit that does not use the resources of the computers it is protecting, so there is no impact on their processing performance. The firewall can be configured to block individual external devices by IP address, to permit or deny packets matching a range of TCP or UDP ports that you specify (as shown in Figure 16-13), or even to filter traffic that is specific to an application such as a multiplayer video game.
![](https://hurumwhite.com/wp-content/uploads/2024/07/3-2.png)
Figure 16-13 Firewall Filtering Based on TCP and UDP Ports
Typically, a hardware firewall passes two different types of traffic into your network:
- Responses to traffic that originates from inside your network
- Traffic that originated from outside the organization that is destined for a port that you have intentionally permitted
Additionally, firewalls often perform Network Address Translation (NAT). NAT translates an internal private address or group of addresses into registered IP addresses that can be sent across the Internet. This allows internal IP addresses to be concealed from outside users.
The DMZ (16.3.3)
Many home network devices, such as wireless routers, frequently include multifunction firewall software. This firewall typically provides NAT in addition to IP, application, and website filtering capabilities. It also supports demilitarized zone (DMZ) capabilities, as shown in Figure 16-14.
![](https://hurumwhite.com/wp-content/uploads/2024/07/2-4.png)
Figure 16-14 Home Wireless Router Firewall and DMZ Services
In computer networking, a DMZ refers to an area of the network that is accessible and controlled for both internal and external users. It is more secure than the external network but not as secure as the internal network. With the wireless router, a simple DMZ can be set up that allows an internal server to be accessible by outside hosts. To accomplish this, the server requires a static IP address that must be specified in the DMZ configuration. The wireless router isolates traffic destined to the IP address specified. This traffic is then forwarded only to the switch port where the server is connected. All other hosts are still protected by the firewall. Game servers and other devices that need to be accessed directly by users located on the Internet may need to be configured in the DMZ network.
Port Forwarding (16.3.4)
One of the ways that you can permit other users to reach devices on your network through the Internet is a function called port forwarding. Port forwarding is a rule-based method of directing traffic between devices on separate networks. This method of exposing your devices to the Internet is much safer than using a DMZ.
When incoming traffic from the Internet reaches your router, the firewall in the router determines whether the traffic should be forwarded to a certain device based on the destination port number carried in the traffic. Port numbers are associated with specific services, such as FTP, HTTP, HTTPS, and POP3. The rules that you configure in the firewall settings determine which traffic is permitted on the LAN. For example, a router might be configured to forward port 80, which is associated with HTTP. When the router receives a packet with the destination port of 80, the router forwards the traffic to the device inside the network that serves web pages.
Figure 16-15 shows a single port forwarding rules table on a Cisco CVR100W Wireless-N VPN router.
![](https://hurumwhite.com/wp-content/uploads/2024/07/1-2.png)
Figure 16-15 Single Port Forwarding on a Cisco CVR100W Wireless-N VPN Router
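As an added example (not from the textbook or from any Cisco product), the inbound decision described in sections 16.3.2 through 16.3.4 modelled in Python: replies to sessions opened from inside are passed, an explicit port-forwarding rule sends one port to one host, and the DMZ host receives everything else unsolicited. The rule order (port forwards checked before the DMZ host), the `HomeRouterFirewall` class and every address in `demo()` are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str     # remote host on the Internet
    src_port: int
    dst_port: int   # port on the router's public (WAN) address

class HomeRouterFirewall:
    def __init__(self, dmz_host=None):
        self.rules = {}           # (proto, external_port) -> (internal_ip, internal_port)
        self.dmz_host = dmz_host  # static internal IP of the DMZ host, or None
        self.sessions = set()     # (proto, remote_ip, remote_port) opened from inside

    def add_port_forward(self, proto, external_port, internal_ip, internal_port):
        self.rules[(proto, external_port)] = (internal_ip, internal_port)

    def note_outbound(self, proto, remote_ip, remote_port):
        # Record a connection initiated from the LAN so its replies are let back in.
        self.sessions.add((proto, remote_ip, remote_port))

    def decide(self, pkt):
        # 1. Responses to traffic that originated inside the network are passed.
        if (pkt.proto, pkt.src_ip, pkt.src_port) in self.sessions:
            return ("pass", "reply to internal session")
        # 2. A port-forwarding rule exposes exactly one port to exactly one host.
        rule = self.rules.get((pkt.proto, pkt.dst_port))
        if rule is not None:
            return ("forward", f"{rule[0]}:{rule[1]}")
        # 3. DMZ host (assumed checked after explicit rules) gets all other unsolicited packets.
        if self.dmz_host is not None:
            return ("forward", f"{self.dmz_host}:{pkt.dst_port}")
        # 4. Nothing matched: unsolicited traffic is dropped.
        return ("drop", "no matching rule")

def demo():
    # Constructed sample configuration mirroring the text's HTTP example.
    fw = HomeRouterFirewall()
    fw.add_port_forward("tcp", 80, "192.168.1.10", 80)   # web server on the LAN
    fw.note_outbound("tcp", "203.0.113.5", 443)          # a LAN host browsed to this site
    results = {
        "http": fw.decide(Packet("tcp", "198.51.100.7", 40000, 80)),
        "ssh": fw.decide(Packet("tcp", "198.51.100.7", 40001, 22)),
        "reply": fw.decide(Packet("tcp", "203.0.113.5", 443, 51000)),
    }
    fw.dmz_host = "192.168.1.50"                         # now enable a DMZ host
    results["ssh_with_dmz"] = fw.decide(Packet("tcp", "198.51.100.7", 40002, 22))
    return results
```

The last two results show the difference the text draws: with only a port-forwarding rule the unsolicited port 22 packet is dropped, while with a DMZ host configured it is delivered to that host.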
Note
You can interact with an emulation of the CVR100W Wireless-N VPN router by searching for it on the Internet.