Module 17: Firewalls & Security Groups
Network security is implemented at multiple layers. This module covers traditional firewalls, cloud security groups, and network access control strategies.
Estimated Time : 3-4 hours
Difficulty : Intermediate
Prerequisites : Module 4 (Network Layer), Module 7 (Security basics)
17.1 What is a Firewall?
A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
Firewall Positioning
Internet
│
▼
┌────────────────┐
│ Firewall │ ← First line of defense
└────────┬───────┘
│
┌────────────┼────────────┐
│ │ │
▼ ▼ ▼
┌───────┐ ┌───────┐ ┌───────┐
│ DMZ │ │ Web │ │ App │
│ │ │ Tier │ │ Tier │
└───────┘ └───────┘ └───────┘
17.2 Types of Firewalls
1. Packet Filtering Firewall (Stateless)
Inspects each packet independently based on header information.
Rule evaluation (each packet individually):
┌─────────────────────────────────────────────────────────┐
│ Rule │ Action │ Protocol │ Src IP │ Dst Port │ │
├─────────────────────────────────────────────────────────┤
│ 1 │ ALLOW │ TCP │ Any │ 80 │ │
│ 2 │ ALLOW │ TCP │ Any │ 443 │ │
│ 3 │ DENY │ ALL │ Any │ Any │ │
└─────────────────────────────────────────────────────────┘
Pros : Fast, low overhead
Cons : Cannot track connection state, must allow return traffic explicitly
2. Stateful Inspection Firewall
Tracks the state of active connections.
Connection Table:
┌────────────────────────────────────────────────────────────┐
│ Src IP │ Src Port │ Dst IP │ Dst Port │ State│
├────────────────────────────────────────────────────────────┤
│ 192.168.1.10 │ 52431 │ 93.184.216.34│ 443 │ EST │
│ 192.168.1.11 │ 54321 │ 8.8.8.8 │ 53 │ EST │
└────────────────────────────────────────────────────────────┘
Outbound: Allow → Connection tracked
Return traffic: Automatically allowed (matches established connection)
Advantage : Only need to allow outbound; return traffic is automatically permitted.
3. Application Layer Firewall (WAF)
Inspects the application data itself (Layer 7), not just packet headers. A Web Application Firewall (WAF) is the HTTP-specific kind: it parses each request and matches it against attack signatures and rules.
HTTP Request Analysis:
┌────────────────────────────────────────────────────────────┐
│ POST /login HTTP/1.1 │
│ Host: example.com │
│ Content-Type: application/x-www-form-urlencoded │
│ │
│ username=admin&password=' OR '1'='1 │
│ ↑ │
│ SQL Injection detected! → BLOCK │
└────────────────────────────────────────────────────────────┘
Protects Against:
SQL Injection
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF) (only partially, by checking Origin/Referer headers; the real fix is anti-CSRF tokens in the application)
Bot attacks
DDoS at application layer
A WAF is a compensating control, not a fix: signature matching can be evaded by re-encoding or rewording a payload, so the application still needs parameterized queries and output encoding behind it.
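To make the request analysis above concrete, here is an added Python example (not code from this module) of the inspection step: it parses the raw request, decodes the form body the way the application will, and only then matches signatures. The signatures and the three sample requests are constructed for this example. The `decode=False` path shows what goes wrong when an engine matches the raw body instead: the same payload, percent-encoded as a browser actually sends it, passes untouched.

```python
import re
from urllib.parse import parse_qsl

# Illustrative signatures, an assumption of this example rather than any vendor's ruleset.
SQLI_SIGNATURES = {
    "tautology": re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.IGNORECASE),    # ' OR '1'='1
    "union_select": re.compile(r"\bunion\b.+\bselect\b", re.IGNORECASE | re.DOTALL),
    "comment_truncate": re.compile(r"'\s*(--|/\*)"),                           # admin'--
}


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def form_fields(headers, body, decode=True):
    """Return the form fields as the inspection engine will see them.
    decode=False models a naive engine that matches the raw, still-encoded body."""
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return {"_body": body}
    if not decode:
        return dict(pair.split("=", 1) for pair in body.split("&") if "=" in pair)
    return dict(parse_qsl(body, keep_blank_values=True))


def inspect_request(raw_request: str, decode: bool = True):
    """Return ('BLOCK', field, signature) or ('ALLOW', None, None)."""
    _method, _path, headers, body = parse_request(raw_request)
    for field, value in form_fields(headers, body, decode).items():
        for name, pattern in SQLI_SIGNATURES.items():
            if pattern.search(value):
                return ("BLOCK", field, name)
    return ("ALLOW", None, None)


# Constructed requests: the one from the figure above, the same payload as a browser
# actually sends it (percent-encoded), and a legitimate login containing an apostrophe.
_HEAD = ("POST /login HTTP/1.1\r\nHost: example.com\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n\r\n")
REQ_FIGURE = _HEAD + "username=admin&password=' OR '1'='1"
REQ_ENCODED = _HEAD + "username=admin&password=%27+OR+%271%27%3D%271"
REQ_BENIGN = _HEAD + "username=o'brien&password=correct+horse+battery"

if __name__ == "__main__":
    for label, req in [("figure", REQ_FIGURE), ("encoded", REQ_ENCODED), ("benign", REQ_BENIGN)]:
        print(label, inspect_request(req), "| raw-only engine:", inspect_request(req, decode=False))
```

Real engines normalise far more than this (double encoding, Unicode, multipart and JSON bodies, headers and cookies), and every gap in that normalisation is a bypass. That is why the WAF verdict is a layer in front of the application, not a substitute for fixing the query.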
4. Next-Generation Firewall (NGFW)
Combines multiple security functions:
Stateful inspection
Deep packet inspection
Intrusion prevention (IPS)
Application awareness
SSL/TLS inspection
URL filtering
17.3 Firewall Rules
Rule Structure
┌──────┬────────┬──────────┬───────────┬───────────┬──────────┬────────┐
│Order │ Action │ Protocol │ Source │ Dest │ Dst Port │ Notes │
├──────┼────────┼──────────┼───────────┼───────────┼──────────┼────────┤
│ 1 │ ALLOW │ TCP │ 10.0.1.0/24│ Any │ 22 │ SSH │
│ 2 │ ALLOW │ TCP │ Any │ Any │ 80, 443 │ HTTP(S)│
│ 3 │ ALLOW │ TCP │ 10.0.0.0/8│ DB Server │ 5432 │ DB │
│ 4 │ DENY │ ALL │ Any │ Any │ Any │Default │
└──────┴────────┴──────────┴───────────┴───────────┴──────────┴────────┘
Rule Order Matters!
Packet: TCP from 10.0.1.5 to 10.0.2.10:22
Rules evaluated top to bottom:
Rule 1: Source 10.0.1.0/24, Port 22 → MATCH → ALLOW
If rules were reversed:
Rule 1: DENY ALL → MATCH → DENY (SSH would be blocked!)
Always put specific rules before general rules. The first matching rule wins.
17.4 AWS Security Groups
Security Groups act as virtual firewalls for EC2 instances and for anything else that has an elastic network interface (load balancers, RDS, Lambda functions in a VPC).
Key Characteristics
┌────────────────┬─────────────────────────────────────────────────────────┐
│ Feature        │ Behavior                                                │
├────────────────┼─────────────────────────────────────────────────────────┤
│ Stateful       │ Return traffic automatically allowed                    │
│ Instance level │ Attached to an ENI; an ENI can carry several SGs, and   │
│                │ the union of all their rules applies                    │
│ Allow only     │ No explicit deny rules; anything not allowed is denied  │
│ Default        │ A new SG denies all inbound and allows all outbound     │
└────────────────┴─────────────────────────────────────────────────────────┘
Security Group Example
┌─────────────────────────────────────────────────────────────┐
│ web-server-sg │
├─────────────────────────────────────────────────────────────┤
│ INBOUND RULES: │
│ ┌─────────┬──────────┬──────────────┬────────────────────┐ │
│ │ Type │ Protocol │ Port Range │ Source │ │
│ ├─────────┼──────────┼──────────────┼────────────────────┤ │
│ │ HTTP │ TCP │ 80 │ 0.0.0.0/0 │ │
│ │ HTTPS │ TCP │ 443 │ 0.0.0.0/0 │ │
│ │ SSH │ TCP │ 22 │ 10.0.1.0/24 │ │
│ │ Custom │ TCP │ 8080 │ sg-12345 (app-sg) │ │
│ └─────────┴──────────┴──────────────┴────────────────────┘ │
│ │
│ OUTBOUND RULES: │
│ ┌─────────┬──────────┬──────────────┬────────────────────┐ │
│ │ Type │ Protocol │ Port Range │ Destination │ │
│ ├─────────┼──────────┼──────────────┼────────────────────┤ │
│ │ All │ All │ All │ 0.0.0.0/0 │ │
│ └─────────┴──────────┴──────────────┴────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
Security Group Chaining
Reference other security groups instead of IP addresses:
┌───────────────┐
│ ALB-SG │
│ Inbound: 443 │
│ from 0.0.0.0/0│
└───────┬───────┘
│
▼
┌───────────────┐
│ Web-SG │
│ Inbound: 8080 │
│ from ALB-SG │ ← Reference by SG, not IP
└───────┬───────┘
│
▼
┌───────────────┐
│ DB-SG │
│ Inbound: 5432 │
│ from Web-SG │ ← Only web servers can connect
└───────────────┘
17.5 AWS Network ACLs (NACLs)
NACLs are stateless, subnet-level firewalls. They apply to every ENI in the subnet and are evaluated before the security group for inbound traffic (and after it for outbound).
Security Groups vs NACLs
┌────────────┬──────────────────────────────┬────────────────────────────────────┐
│ Aspect     │ Security Group               │ NACL                               │
├────────────┼──────────────────────────────┼────────────────────────────────────┤
│ Level      │ Instance (ENI)               │ Subnet                             │
│ State      │ Stateful                     │ Stateless                          │
│ Rules      │ Allow only                   │ Allow and Deny                     │
│ Evaluation │ All rules evaluated (union)  │ In rule-number order, first match  │
│ Default    │ Deny inbound, allow outbound │ Default NACL allows all; a custom  │
│            │                              │ NACL denies all until rules added  │
└────────────┴──────────────────────────────┴────────────────────────────────────┘
NACL Rule Structure
┌─────────────────────────────────────────────────────────────────┐
│ INBOUND RULES                                                   │
├───────┬────────┬──────────┬───────────────┬────────────┬────────┤
│ Rule# │ Type   │ Protocol │ Port Range    │ Source     │ Action │
├───────┼────────┼──────────┼───────────────┼────────────┼────────┤
│ 100   │ HTTP   │ TCP      │ 80            │ 0.0.0.0/0  │ ALLOW  │
│ 110   │ HTTPS  │ TCP      │ 443           │ 0.0.0.0/0  │ ALLOW  │
│ 120   │ Custom │ TCP      │ 1024-65535    │ 0.0.0.0/0  │ ALLOW  │ ← Ephemeral!
│ *     │ ALL    │ ALL      │ ALL           │ 0.0.0.0/0  │ DENY   │
└───────┴────────┴──────────┴───────────────┴────────────┴────────┘
┌─────────────────────────────────────────────────────────────────┐
│ OUTBOUND RULES                                                  │
├───────┬────────┬──────────┬───────────────┬────────────┬────────┤
│ Rule# │ Type   │ Protocol │ Port Range    │ Dest       │ Action │
├───────┼────────┼──────────┼───────────────┼────────────┼────────┤
│ 100   │ HTTP   │ TCP      │ 80            │ 0.0.0.0/0  │ ALLOW  │
│ 110   │ HTTPS  │ TCP      │ 443           │ 0.0.0.0/0  │ ALLOW  │
│ 120   │ Custom │ TCP      │ 1024-65535    │ 0.0.0.0/0  │ ALLOW  │ ← Ephemeral!
│ *     │ ALL    │ ALL      │ ALL           │ 0.0.0.0/0  │ DENY   │
└───────┴────────┴──────────┴───────────────┴────────────┴────────┘
The OUTBOUND ephemeral rule is what lets a server in this subnet answer requests it receives; the INBOUND one is what lets instances in the subnet receive answers to connections they initiate. The "*" rule is the implicit final deny: it cannot be deleted, so the numbered rules only ever add exceptions to it.
Why Ephemeral Ports?
NACLs are stateless, so return traffic needs a rule of its own; nothing remembers that the request was allowed.
Request: Client:52431 → Server:443 ← matched by the inbound rule for 443
Response: Server:443 → Client:52431 ← destination port is 52431; no rule for 443 matches it, an outbound ephemeral rule is needed
The client picks the ephemeral port, so the rule has to cover every client's range: Linux defaults to 32768-60999, Windows to 49152-65535, and an AWS NAT gateway uses 1024-65535. AWS therefore recommends 1024-65535. That rule is as broad as it looks: it admits any packet aimed at a high port from anywhere, which is why the per-instance policy belongs in security groups and a NACL is used as a coarse subnet-level backstop.
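The following added Python example (not part of the original module) models both evaluation styles discussed in 17.2, 17.3 and this section: `evaluate_stateless` applies NACL semantics (ascending rule number, first match wins, implicit deny), and `StatefulFirewall` puts a connection table in front of the same rules, which is what a security group does. All addresses, ports and rules are constructed for the example. Running it shows the 17.3 rule-order case, the response packet that a NACL drops without the ephemeral rule, and the cost of that rule: an unsolicited packet to a high port is let in too, while the stateful evaluator drops it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int                        # evaluation order, lowest first
    action: str                        # "ALLOW" or "DENY"
    proto: str                         # "tcp", "udp", "icmp" or "all"
    src_cidr: str
    dst_cidr: str
    ports: Optional[Tuple[int, int]]   # inclusive destination port range; None = any

    def matches(self, p: Packet) -> bool:
        if self.proto != "all" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_cidr):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_cidr):
            return False
        return self.ports is None or self.ports[0] <= p.dport <= self.ports[1]


def evaluate_stateless(rules: List[Rule], p: Packet) -> str:
    """NACL semantics: ascending rule number, first match wins, implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(p):
            return rule.action
    return "DENY"


class StatefulFirewall:
    """Security-group semantics: a packet the rules allow is recorded, and the
    reply direction of a recorded connection passes without consulting the rules."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.table = set()

    def evaluate(self, p: Packet) -> str:
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.table:
            return "ALLOW"                      # reply to a tracked connection
        verdict = evaluate_stateless(self.rules, p)
        if verdict == "ALLOW":
            self.table.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return verdict


ANY = "0.0.0.0/0"


def section_17_3_rules(deny_first: bool = False) -> List[Rule]:
    """The rule table from 17.3; deny_first=True numbers the DENY rule so it is
    evaluated before the others (the 'reversed' case in the text)."""
    return [
        Rule(100, "ALLOW", "tcp", "10.0.1.0/24", ANY, (22, 22)),
        Rule(200, "ALLOW", "tcp", ANY, ANY, (80, 80)),
        Rule(201, "ALLOW", "tcp", ANY, ANY, (443, 443)),
        Rule(300, "ALLOW", "tcp", "10.0.0.0/8", "10.0.3.10/32", (5432, 5432)),
        Rule(0 if deny_first else 400, "DENY", "all", ANY, ANY, None),
    ]


def rule_order_demo() -> Tuple[str, str]:
    ssh = Packet("tcp", "10.0.1.5", 51000, "10.0.2.10", 22)
    return (evaluate_stateless(section_17_3_rules(), ssh),
            evaluate_stateless(section_17_3_rules(deny_first=True), ssh))


# Constructed traffic: an internet client talking to a web server in the subnet.
REQUEST = Packet("tcp", "203.0.113.7", 52431, "10.0.1.20", 443)
RESPONSE = Packet("tcp", "10.0.1.20", 443, "203.0.113.7", 52431)
UNSOLICITED = Packet("tcp", "198.51.100.9", 443, "10.0.1.20", 52431)   # nobody asked for this
HTTPS_ONLY = [Rule(100, "ALLOW", "tcp", ANY, ANY, (443, 443))]
EPHEMERAL = [Rule(120, "ALLOW", "tcp", ANY, ANY, (1024, 65535))]


def nacl_demo() -> dict:
    return {
        "request_in": evaluate_stateless(HTTPS_ONLY, REQUEST),
        "response_out_without_ephemeral": evaluate_stateless(HTTPS_ONLY, RESPONSE),
        "response_out_with_ephemeral": evaluate_stateless(HTTPS_ONLY + EPHEMERAL, RESPONSE),
        "unsolicited_in_with_ephemeral": evaluate_stateless(HTTPS_ONLY + EPHEMERAL, UNSOLICITED),
    }


def security_group_demo() -> Tuple[str, str, str]:
    sg = StatefulFirewall(HTTPS_ONLY)
    return sg.evaluate(REQUEST), sg.evaluate(RESPONSE), sg.evaluate(UNSOLICITED)


if __name__ == "__main__":
    print("17.3 rule order (correct, reversed):", rule_order_demo())
    print("NACL:", nacl_demo())
    print("Security group (request, response, unsolicited):", security_group_demo())
```

The model deliberately leaves out what AWS does beyond this (the NACL is per subnet and per direction, the SG has separate ingress and egress rule sets), but the two verdict functions are the whole difference between the two products: the stateful one needs a single rule for the service port, the stateless one needs the ephemeral range open as well, and pays for it with `unsolicited_in_with_ephemeral`.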
17.6 Defense in Depth
Layer multiple security controls:
┌─────────────────────────────────────────────────────────────┐
│ Internet │
└───────────────────────────┬─────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Cloudflare / AWS Shield (DDoS Protection) │
└───────────────────────────┬─────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ WAF (SQL injection, XSS) │
└───────────────────────────┬─────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ NACL (Subnet level) │
└───────────────────────────┬─────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Security Group (Instance level) │
└───────────────────────────┬─────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Host Firewall (iptables, Windows Firewall) │
└───────────────────────────┬─────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Application │
└─────────────────────────────────────────────────────────────┘
17.7 Linux iptables
The Linux kernel firewall.
Basic Syntax
iptables -A <chain> -p <protocol> --dport <port> -j <action>
Chains:
- INPUT: Incoming to this host
- OUTPUT: Outgoing from this host
- FORWARD: Passing through (routing)
Actions:
- ACCEPT: Allow
- DROP: Silently discard
- REJECT: Discard with error response
Common Commands
# List rules
iptables -L -n -v
# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Block specific IP
iptables -A INPUT -s 192.168.1.100 -j DROP
# Allow localhost
iptables -A INPUT -i lo -j ACCEPT
# Default deny (when working over SSH, add the ESTABLISHED,RELATED rule above first,
# or the session you are typing in is dropped along with everything else)
iptables -P INPUT DROP
# Save rules (varies by distro)
iptables-save > /etc/iptables.rules
# Modern alternative: nftables
nft list ruleset
Complete Example Script
#!/bin/bash
# Host firewall for a web server that accepts SSH from the admin network only.
# IPv4 only: iptables does not filter IPv6. A host with a public IPv6 address
# needs the same rules loaded with ip6tables, or it is unfiltered on v6.
set -e
# Open the policies before flushing: if INPUT were already DROP, flushing
# the rules would cut the SSH session that is running this script.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Flush existing rules and delete user-defined chains
iptables -F
iptables -X
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
# Allow return traffic of tracked connections (conntrack supersedes "-m state")
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop what conntrack cannot classify (stray or out-of-window TCP segments)
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Allow SSH from specific network
iptables -A INPUT -p tcp -s 10.0.1.0/24 --dport 22 -j ACCEPT
# Allow HTTP/HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow ping (optional)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Log what is about to be dropped, rate-limited so a port scan cannot flood the log
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPTables-Dropped: "
# Switch to default deny only now, with every accept rule already in place
iptables -P INPUT DROP
iptables -P FORWARD DROP
17.8 Zero Trust Network
Traditional Model (Castle and Moat)
Firewall
│
Outside = Untrusted │ Inside = Trusted
╳ │ ✓
│
Everything blocked│ Everything allowed
Problem : Once inside, attackers move freely.
Zero Trust Model
"Never trust, always verify"
Every request authenticated, regardless of location:
- User identity verified
- Device health checked
- Least privilege access
- Micro-segmentation
- Continuous monitoring
Zero Trust Principles
Verify Explicitly Always authenticate and authorize based on all available data points.
Least Privilege Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA).
Assume Breach Minimize blast radius. Segment access. Verify end-to-end encryption.
Micro-segmentation Each workload gets its own security perimeter.
17.9 Common Firewall Mistakes
1. Overly Permissive Rules
# Bad: Allow all traffic from anywhere
ALLOW TCP 0.0.0.0/0 → Any port
# Good: Specific rules
ALLOW TCP 0.0.0.0/0 → Port 443 only
ALLOW TCP 10.0.1.0/24 → Port 22
2. Forgetting Outbound Rules
# Inbound locked down, but...
# Outbound allows everything
Attacker compromises server → Can exfiltrate data and open reverse shells freely
# Better: Restrict outbound too
ALLOW TCP Any → 443 (updates)
DENY TCP Any → Any (blocks reverse shells on every other port)
# 443 to anywhere still lets a compromised host talk HTTPS to any server on the internet.
# Pin the destinations (package mirror, update endpoints) or send outbound traffic through
# an egress proxy, and remember that updates also need DNS (port 53).
3. Not Using Security Group Chaining
# Bad: Hardcoded IPs
ALLOW TCP 10.0.1.5 → Port 3306
# Good: Reference by security group
ALLOW TCP from web-sg → Port 3306
# IP changes don't break rules
4. Ignoring Ephemeral Ports in NACLs
# Forgot return traffic
ALLOW INBOUND TCP 443 ✓
ALLOW OUTBOUND TCP 443 ✓
# The response to a request this subnet sent out comes back from port 443
# to the client's ephemeral port, which no rule above covers.
# Missing:
ALLOW INBOUND TCP 1024-65535 ← Needed for responses to connections the subnet initiates
# (for connections the subnet serves, it is the OUTBOUND 1024-65535 rule that is missing)
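As an added example (not code from this module), here is a Python audit pass over security-group definitions in the shape returned by `aws ec2 describe-security-groups`, flagging mistakes 1-3 above: sensitive ports or all ports open to the world, hardcoded internal host addresses where a security-group reference belongs, and unrestricted egress. The two groups are constructed inline for the example (the first is the web-server-sg from 17.4); the VPC range 10.0.0.0/8 and the sensitive-port list are assumptions. In practice you would feed it the `SecurityGroups` array from `aws ec2 describe-security-groups --output json`.

```python
import ipaddress

# Ports whose exposure to the internet is almost always a mistake (assumed list).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   6379: "Redis", 27017: "MongoDB"}
ANYWHERE = {"0.0.0.0/0", "::/0"}
VPC_CIDR = ipaddress.ip_network("10.0.0.0/8")   # assumed address space of the VPC


def _covers(perm, port):
    """Does this IpPermission entry cover `port`? IpProtocol '-1' means all ports."""
    if perm.get("IpProtocol") == "-1":
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def _cidrs(perm):
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def audit_group(sg):
    """Return a list of (group_id, severity, message) findings for one group."""
    gid = sg["GroupId"]
    findings = []
    for perm in sg.get("IpPermissions", []):
        for cidr in _cidrs(perm):
            if cidr in ANYWHERE:
                if perm.get("IpProtocol") == "-1":
                    findings.append((gid, "HIGH", f"all ports open to {cidr}"))
                    continue
                for port, label in SENSITIVE_PORTS.items():
                    if _covers(perm, port):
                        findings.append((gid, "HIGH", f"{label} ({port}) open to {cidr}"))
                continue
            net = ipaddress.ip_network(cidr)
            if net.version == 4 and net.prefixlen == 32 and net.subnet_of(VPC_CIDR):
                findings.append((gid, "LOW", f"hardcoded host {cidr} on port "
                                 f"{perm.get('FromPort')}; reference the peer tier's "
                                 "security group instead"))
    for perm in sg.get("IpPermissionsEgress", []):
        if perm.get("IpProtocol") == "-1" and any(c in ANYWHERE for c in _cidrs(perm)):
            findings.append((gid, "MEDIUM", "unrestricted egress (all traffic to anywhere)"))
    return findings


def audit(groups):
    return [f for sg in groups for f in audit_group(sg)]


# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web-server-sg",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
          "UserIdGroupPairs": [{"GroupId": "sg-0bbb"}]},     # SG reference, not an IP
     ],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "db-sg",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.1.5/32"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     ],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for gid, severity, message in audit(SAMPLE_GROUPS):
        print(f"{severity:6} {gid}: {message}")
```

The web-server-sg from 17.4 comes back with a single finding, its open egress, because its SSH rule is scoped to the admin subnet and its 8080 rule references a group rather than an address. The db-sg shows the other two mistakes together: a hardcoded /32 that will silently break when the web instance is replaced, and SSH open to the world.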
17.10 Key Takeaways
Defense in Depth Multiple layers of security. Never rely on a single control.
Stateful vs Stateless Know when return traffic is automatic (SG) vs explicit (NACL).
Least Privilege Only allow what’s necessary. Block everything else.
Rule Order Matters Specific rules first, default deny last.
Next Module
Module 18: Container Networking Understand how containers communicate: Docker networking, Kubernetes services, and service mesh.