1
Next-Gen Firewall Fundamentals
You may be familiar with conventional network firewalls, host-based firewalls, network access control lists, AWS security groups, and Azure network security groups. However, next-gen firewalls differ significantly from these in order to address the unique challenges organizations face in identifying and securing traffic in today's networks.
To develop a robust firewall security policy, you must understand how firewalls identify network protocols and applications, the cybersecurity risks that modern enterprise networks encounter, the core firewall security features, and how all of this correlates with business requirements.
This chapter's objective is to establish a technical foundation that will enable you to better understand what next-gen firewalls can do in the network security domain and how they accomplish this. It will also lay the essential groundwork for studying the building blocks that PAN-OS provides for creating a security policy.
We will establish requirements and create the policy in the subsequent chapters; for now, let us focus on the following key topics:
- Networking 101 in a firewall context
- How next-gen firewalls perceive all network traffic
Technical requirements
Access to a Palo Alto Networks firewall would be beneficial, but not necessary.
Networking 101
This section provides an overview of networking to the extent required to fully understand all network-related building blocks of the security policy of the next-gen firewalls.
If you have a solid networking and firewall background, feel free to skip most of this section but read the last subsection on load-balancing and name resolution. If you have some practical knowledge but prefer a brief theory refresher or are a beginner, please read on.
The Open Systems Interconnection (OSI) model
At the high level required to understand networking in the context of a next-gen firewall security policy, the way modern networks operate is relatively simple.
First, let us start by introducing the OSI reference model, a sound conceptual framework for understanding how network communication works. The model breaks down the process of sending and receiving data into seven distinctive layers of abstraction. Each layer serves a specific purpose, relies on the layer below, and provides a foundation for the layer above. At the top of this model, we have very high-level protocols that directly interface with applications (for example, HTTP - the bread and butter of web browsers). As we go down the model, we eventually reach the Physical layer - electronic circuits, cables, and wireless media.
Here are all these layers in a table with a firewall context. Glance through the table; then, we will elaborate on the essential aspects:
| Layer name | Description | Examples | Recognized by a Palo Alto Networks firewall security policy? | Recognized by a traditional firewall security policy? |
|---|---|---|---|---|
| Application (Layer 7) | Interacts with software applications that implement a communication component. | HTTP, SMTP, DNS, BGP | Yes | No |
| Presentation (Layer 6) | Responsible for data representation. Performs encoding, compression, and encryption of data. | SSL, TLS, MIME | Yes | No |
| Session (Layer 5) | Creates, manages, and terminates sessions between two network nodes. | RPC, NetBIOS, SOCKS | Yes | No |
| Transport (Layer 4) | Provides end-to-end communication services for higher layers. The services may include connection-oriented communication, reliability, flow control, multiplexing, and so on. | TCP, UDP, SCTP | Yes | Yes |
| Network (Layer 3) | Provides logical addressing and network path determination. | IPv4, IPv6, ICMP, IGMP | Yes | Yes |
| Data Link (Layer 2) | Provides physical addressing and peer-to-peer data transfer within the same physical network segment. | Ethernet, ARP, LLDP, CDP; Wi-Fi, Zigbee | No | No |
| Physical (Layer 1) | Provides an electrical, mechanical, and procedural interface to the transmission medium. | Electronic circuits and chips, transceivers | No | No |

Table 1.1 - OSI model in a firewall policy context
Layers 1 to 3 are known as media layers, and layers 4 to 7 are known as host layers.
As you can see from the table, the difference between next-gen firewalls and traditional firewalls is their ability to distinguish traffic attributes specific to all host layers. While traditional firewalls can see only one (Transport), next-gen firewalls can recognize all four - Transport, Session, Presentation, and Application.
The OSI model is somewhat theoretical. In practice, distinguishing layers 5 to 7 from each other is often difficult, if at all possible. All programming logic of these three layers is commonly baked into a single software application - a web browser, for instance. Therefore, for the purpose of this book, we will collectively call layers 5 to 7 the Application layer - by the name of the top layer in the stack of host layers.
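To make the difference between the two firewall generations concrete, here is a toy classifier written for this chapter (it is an added illustration, not PAN-OS App-ID or any other vendor code). The port-only function sees just the Layer 4 header, as a traditional firewall does; the payload function inspects the first application-layer bytes, as a next-gen firewall does. The flows, addresses and payload bytes are constructed for the example, and the three signatures are deliberately simplified.

```python
"""Toy illustration of Layer 4-only versus application-aware traffic
classification.  Added example; the flows and payloads are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # Transport-layer protocol (Layer 4)
    dport: int      # destination port (Layer 4)
    payload: bytes  # first bytes of application data (Layers 5-7)


# Traditional firewall: only the Layer 4 header is available, so the service
# is inferred from the well-known destination port.
PORT_SERVICES = {22: "ssh", 53: "dns", 80: "http", 443: "https"}


def classify_by_port(flow: Flow) -> str:
    return PORT_SERVICES.get(flow.dport, "unknown")


# Next-gen firewall: the first payload bytes are matched against protocol
# signatures, so the application is identified regardless of the port.
def classify_by_payload(flow: Flow) -> str:
    p = flow.payload
    # SSH version exchange always starts with "SSH-2.0-"
    if p.startswith(b"SSH-2.0-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version major 0x03
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03:
        return "ssl"
    # HTTP request line: METHOD SP request-target SP HTTP/1.x
    first_line = p.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) == 3 and parts[0].isalpha() and parts[2].startswith(b"HTTP/1."):
        return "web-browsing"
    return "unknown"


def compare(flows):
    """Return (dport, port-based verdict, payload-based verdict) per flow."""
    return [(f.dport, classify_by_port(f), classify_by_payload(f)) for f in flows]


# Constructed sample flows (addresses are documentation ranges).
SAMPLE_FLOWS = [
    # Genuine TLS ClientHello on 443: both approaches agree.
    Flow("10.0.0.5", "198.51.100.1", "tcp", 443,
         b"\x16\x03\x01\x00\xf1\x01\x00\x00\xed\x03\x03"),
    # SSH on a non-standard port: only the payload reveals it.
    Flow("10.0.0.5", "198.51.100.1", "tcp", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    # Plain HTTP on 8080: port-based logic has no answer at all.
    Flow("10.0.0.5", "198.51.100.1", "tcp", 8080,
         b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for dport, l4, l7 in compare(SAMPLE_FLOWS):
        print(f"dport={dport:<5} port-based={l4:<8} app-based={l7}")
```

The second and third rows are the interesting ones: a Layer 4 policy that allows "port 443" admits the SSH session without knowing it, and has nothing to say about HTTP on 8080, whereas the payload-based verdict names the actual application in both cases. That is the property the rest of this book's policy building blocks rely on.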
Now, let us elaborate on the Network, Transport, and Application layers because of their significance in the context of firewall security policy.
OSI layer 3 - Network layer
The vast majority of network communications between computer systems these days is done by means of the Internet Protocol (IP). A protocol is the equivalent of a language in the human world. Accordingly, all networks where computers "speak" IP are called IP networks. The computer industry uses the terms network and IP network as synonyms.
All data transmitted from a hypothetical computer A to computer B is broken into small chunks called packets. Each packet is delivered through the network independently from other packets. Therefore, to find its way, each packet must have the following (at a minimum):
- The address of the destination (the address of computer B)
- The address of the source (computer A) so that a response packet can be sent if required
The IP addresses can be in two formats - IPv4 and IPv6. The former uses a 32-bit/4-byte addressing scheme (traditionally written in the so-called dotted-decimal form of 4 period-separated decimal numbers from 0 to 255 - for example, 198.51.100.1). When referenced, each address is often (but not always) accompanied by a network mask that effectively divides the address into two parts - the host's address and the address of the network that the host belongs to. The mask, in turn, can be written either in the same dotted-decimal notation or in a so-called Classless Inter-Domain Routing (CIDR) notation.
For example, the address 198.51.100.1 with the mask...
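The following script, added here as a worked example and not taken from the book, carries the address-and-mask idea through in code: it accepts a mask in either dotted-decimal or CIDR form, splits an address into its network and host parts with plain bit arithmetic, and answers the question a firewall policy actually asks, namely whether a given host falls inside a network object. The function names and the sample addresses (documentation range 198.51.100.0/24) are the example's own choices; in production code Python's ipaddress module does the same work.

```python
"""Added example: how a network mask divides an IPv4 address into its
network and host parts, with the mask given in either notation."""


def ip_to_int(addr: str) -> int:
    """Dotted-decimal IPv4 text to a 32-bit integer, validating each octet."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-decimal IPv4 address: {addr}")
    value = 0
    for o in octets:
        n = int(o)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {o}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask_int(prefix: int) -> int:
    """CIDR prefix length (0-32) to a mask with that many leading 1 bits."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """Dotted-decimal mask (e.g. 255.255.255.0) to a prefix length.
    A valid mask is a contiguous run of 1 bits, so 255.0.255.0 is rejected."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != prefix_to_mask_int(prefix):
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix


def parse_network(text: str) -> tuple:
    """Accept 'a.b.c.d/24' or 'a.b.c.d 255.255.255.0'; return (address, prefix)."""
    if "/" in text:
        addr, prefix = text.split("/", 1)
        return ip_to_int(addr), int(prefix)
    addr, mask = text.split()
    return ip_to_int(addr), mask_to_prefix(mask)


def describe(text: str) -> dict:
    """Split the address into network and host parts and derive the range."""
    addr, prefix = parse_network(text)
    mask = prefix_to_mask_int(prefix)          # also validates the prefix
    host_bits = ~mask & 0xFFFFFFFF
    network = addr & mask
    if prefix <= 30:
        usable = (1 << (32 - prefix)) - 2      # minus network and broadcast
    elif prefix == 31:
        usable = 2                             # point-to-point link (RFC 3021)
    else:
        usable = 1                             # /32 host route
    return {
        "address": int_to_ip(addr),
        "prefix": prefix,
        "mask": int_to_ip(mask),
        "network": int_to_ip(network),
        "host_part": addr & host_bits,
        "broadcast": int_to_ip(network | host_bits),
        "usable_hosts": usable,
    }


def contains(network_text: str, addr: str) -> bool:
    """True if addr lies in the network - the test a policy address object performs."""
    net_addr, prefix = parse_network(network_text)
    mask = prefix_to_mask_int(prefix)
    return (ip_to_int(addr) & mask) == (net_addr & mask)


if __name__ == "__main__":
    for spec in ("198.51.100.1/24", "198.51.100.1 255.255.255.0", "198.51.100.77/26"):
        print(spec, "->", describe(spec))
    print(contains("198.51.100.0/24", "198.51.100.200"))   # inside
    print(contains("198.51.100.0/24", "198.51.101.1"))     # outside
```

Note that the two spellings of the same mask produce identical results, and that a /26 carved out of the same range shows how a longer prefix shrinks the host part (6 bits, 62 usable hosts) while the network part grows. The contiguity check in mask_to_prefix is worth keeping in any parser that feeds address objects into a policy, because a typo such as 255.0.255.0 would otherwise be silently accepted.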