Understanding Firewalls: State Filtering, Deep Packet Inspection, and Security Zones
This article explains how firewalls act as barriers between trusted and untrusted networks, covering placement, stateful vs. stateless filtering, deep packet inspection at layer 7, security zones, ACL configuration, and the role of DMZs in protecting internal resources.
A firewall is a barrier between trusted and untrusted networks, typically placed between LAN and WAN, where all packets must be inspected and either allowed or dropped according to policies.
In the illustrated setup, a LAN host and a switch connect to a router (R1) that links to the ISP router (ISP1); the firewall sits between them to protect the LAN. A router is optional and depends on the WAN connection type (cable modem, wireless, etc.). Most firewalls support basic routing options such as static routes, default routes, and sometimes RIP, OSPF, or EIGRP.
We are discussing hardware firewalls here; software firewalls (e.g., Windows built‑in firewall) provide similar functionality.
1. State Filtering
Firewalls can use access control lists (ACLs) to check source/destination addresses and ports. When a packet arrives, the firewall matches it against the ACL and either permits or discards it. Each packet is processed independently without remembering previous packets—this is called stateless filtering.
The opposite is stateful filtering, where the firewall tracks all inbound and outbound connections. Examples:
A computer in the LAN accesses an email server on the Internet. After the TCP three‑way handshake passes through the firewall, the firewall records the connection state and automatically allows the server’s response traffic back to the client.
A busy web server behind the firewall receives about 20 new TCP connections per second from different IPs. If any source IP exceeds 10 new connections per second, the firewall drops all traffic from that IP to prevent a DoS attack.
2. Packet Inspection
Most firewalls support deep packet inspection. Simple ACLs only examine layer 3 (IP) and layer 4 (TCP/UDP) information. Deep inspection allows the firewall to inspect layer 7 (application) data and payloads.
In the example, network (IP) and transport (TCP) layers are highlighted in red, while the application layer is highlighted in green. This capture shows a web‑browser request packet.
3. Security Zones
By default, a Cisco router forwards all packets that match its routing table. To restrict traffic, you must configure ACLs, which can become complex on devices with many interfaces.
A better solution is to combine firewalls with security zones. The diagram below shows two zones:
inside: the LAN zone (high security level).
outside: the WAN zone (low security level).
Interfaces are assigned to the correct zone, and two simple rules apply:
Allow traffic from a higher‑security zone to a lower‑security zone.
Reject traffic from a lower‑security zone to a higher‑security zone.
Because the firewall is stateful, outbound connections are tracked and their return traffic is allowed. Exceptions (e.g., allowing specific WAN‑to‑LAN traffic) are handled with ACLs.
Many organizations place public‑facing servers (mail, web, etc.) in a DMZ (demilitarized zone) that sits between inside and outside. The DMZ has a security level between INSIDE and OUTSIDE, with the following rules:
Allow traffic from INSIDE to OUTSIDE.
Allow traffic from INSIDE to DMZ.
Allow traffic from DMZ to OUTSIDE.
Reject traffic from DMZ to INSIDE.
Reject traffic from OUTSIDE to DMZ.
Reject traffic from OUTSIDE to INSIDE.
To let traffic from OUTSIDE reach the DMZ servers, an ACL exception permits only the IP addresses and ports those servers actually use. Because the DMZ-to-INSIDE rule still rejects everything, the LAN remains strongly isolated even if a DMZ server is compromised.
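The following is an added example (not code from the original article or from any firewall vendor) that models, in Python, the stateful filtering behaviour from section 1 and the zone and DMZ rules from section 3: return traffic of a tracked connection is permitted, a source that exceeds the article's threshold of 10 new connections per second is dropped entirely, higher-to-lower zone traffic is allowed, and lower-to-higher traffic is allowed only through an explicit ACL exception. The security-level numbers, IP addresses and ports are constructed for the example.

```python
from collections import defaultdict, deque

# Security levels for the article's three zones (constructed values):
# a zone may initiate connections only towards a zone with a lower level.
ZONE_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}


class ZoneFirewall:
    """Model of a stateful, zone-based firewall policy (added example)."""

    def __init__(self, acl_exceptions=(), max_new_per_sec=10):
        # Explicit low->high permits, e.g. OUTSIDE -> DMZ web server:
        # tuples of (src_zone, dst_zone, dst_ip, dst_port).
        self.acl_exceptions = set(acl_exceptions)
        self.max_new_per_sec = max_new_per_sec
        self.sessions = set()                # tracked (src_ip, sport, dst_ip, dport)
        self.new_conns = defaultdict(deque)  # src_ip -> times of recent new connections
        self.blocked = set()                 # sources that exceeded the threshold

    def _rate_exceeded(self, src_ip, now):
        """Sliding one-second window of new connection attempts per source IP."""
        window = self.new_conns[src_ip]
        window.append(now)
        while window and now - window[0] >= 1.0:
            window.popleft()
        return len(window) > self.max_new_per_sec

    def check(self, src_zone, src_ip, sport, dst_zone, dst_ip, dport, now=0.0):
        """Return 'permit' or 'drop' for one packet travelling src -> dst."""
        if src_ip in self.blocked:
            return "drop"  # all traffic from an offending IP is dropped
        key = (src_ip, sport, dst_ip, dport)
        # Stateful part: packets belonging to a tracked connection (either
        # direction) are allowed without consulting the zone rules again.
        if key in self.sessions or (dst_ip, dport, src_ip, sport) in self.sessions:
            return "permit"
        # DoS protection: too many new connections per second from one source.
        if self._rate_exceeded(src_ip, now):
            self.blocked.add(src_ip)
            return "drop"
        # Zone rules: higher -> lower is allowed; lower -> higher needs an ACL exception.
        allowed = (ZONE_LEVEL[src_zone] > ZONE_LEVEL[dst_zone]
                   or (src_zone, dst_zone, dst_ip, dport) in self.acl_exceptions)
        if not allowed:
            return "drop"
        self.sessions.add(key)  # record the new connection so replies can return
        return "permit"
```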
4. Summary
You now understand the basics of firewalls. They use stateful filtering to track all inbound and outbound connections and, depending on the model, can inspect layer 7 application payloads. Firewalls also employ security zones that allow traffic from higher‑security zones to lower‑security zones while blocking the opposite direction, with ACLs used for special cases.