Understanding Firewalls: Stateful Filtering, Deep Packet Inspection, and Security Zones

This guide explains how firewalls protect networks by using stateful filtering, deep packet inspection of application-layer data, and security zones such as inside, outside, and DMZ, illustrating configuration examples, ACL usage, and best‑practice traffic control.

Liangxu Linux

Firewalls act as a barrier between trusted and untrusted networks, typically placed between LAN and WAN so that every packet must be inspected before being allowed or dropped.

1. Stateful Filtering

Firewalls (or routers) can use access‑control lists (ACLs) to match source/destination addresses and ports. A stateless filter checks each packet independently without remembering previous packets. In contrast, a stateful filter tracks all inbound and outbound connections, allowing return traffic automatically.

For example, a client in the LAN initiates a TCP three‑way handshake to an external mail server; the firewall records the connection state and automatically permits the server’s response, without any explicit inbound rule.

Connection tracking also supports rate‑based protection. A web server behind the firewall receives many new TCP connections per second; the firewall can detect a source IP that exceeds a threshold (e.g., more than 10 new connections per second) and drop all further traffic from that source to mitigate DoS attacks.

2. Packet Inspection

Most firewalls support deep packet inspection (DPI). Simple ACLs operate at OSI layers 3 and 4 (IP and TCP/UDP). DPI extends inspection to layer 7, allowing the firewall to examine application data and payloads.

In the illustration, network (IP) and transport (TCP) fields are highlighted in red, while the application layer is highlighted in green, showing a captured web‑browser request.

3. Security Zones

By default, a Cisco router forwards all packets that match its routing table. To impose restrictions, administrators must configure ACLs, which can become cumbersome on devices with many interfaces.

A better approach is to group interfaces into security zones. Example zones:

inside: the trusted LAN.

outside: the untrusted WAN.

Typical zone policies:

Allow traffic from a higher‑security zone to a lower‑security zone.

Deny traffic from a lower‑security zone to a higher‑security zone.

Because the firewall is stateful, return traffic for connections initiated from a higher‑security zone is automatically allowed back in.

For special cases, administrators can create exceptions using ACLs.

Many organizations place public‑facing servers (e.g., mail or web servers) in a DMZ (demilitarized zone) that sits between inside and outside zones.

The DMZ has an intermediate security level, below inside and above outside. Typical DMZ rules:

Allow traffic from INSIDE to OUTSIDE.

Allow traffic from INSIDE to DMZ.

Allow traffic from DMZ to OUTSIDE.

Deny traffic from DMZ to INSIDE.

Deny traffic from OUTSIDE to DMZ.

Deny traffic from OUTSIDE to INSIDE.

To let external users reach DMZ servers, an ACL permitting only the necessary IP addresses and ports is applied as an exception to the OUTSIDE‑to‑DMZ deny rule. Because DMZ‑to‑INSIDE traffic stays denied, a compromise of a DMZ host does not expose the internal network.
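The zone policy, the ACL exception and the stateful tracking (including the per‑second new‑connection threshold from the stateful filtering section) combined in one small simulator, as an added example that is not part of the original article. The prefixes, the DMZ web server address 10.0.2.10 and all traffic are constructed for the demonstration; real firewalls additionally key sessions on protocol and expire them.

```python
import ipaddress
from collections import defaultdict
# Constructed zone layout; any prefix not listed is the untrusted "outside" zone.
ZONES = {"inside": ipaddress.ip_network("192.168.1.0/24"), "dmz": ipaddress.ip_network("10.0.2.0/24")}
# Default zone-pair policy from the text (higher- to lower-security only) and one ACL exception:
# external hosts may reach the DMZ web server, and only on HTTP/HTTPS.
ZONE_POLICY = {("inside", "outside"), ("inside", "dmz"), ("dmz", "outside")}
DMZ_ACL = {("outside", "dmz"): {("10.0.2.10", 80), ("10.0.2.10", 443)}}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "outside")

def pkt(src, sport, dst, dport, syn=False, ts=0.0):
    # Constructed TCP packet summary: endpoints, SYN flag, arrival time in seconds
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "syn": syn, "ts": ts}

class StatefulZoneFirewall:
    def __init__(self, policy=ZONE_POLICY, acl=DMZ_ACL, syn_per_sec=10):
        self.policy, self.acl, self.limit = policy, acl, syn_per_sec
        self.sessions = set()               # (src, sport, dst, dport) of accepted flows
        self.syn_counts = defaultdict(int)  # (src, second) -> new connections seen
        self.blocked = set()                # sources that exceeded the threshold

    def filter(self, p):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["src"] in self.blocked:
            return "drop"
        if fwd in self.sessions or fwd[2:] + fwd[:2] in self.sessions:
            return "allow"                  # tracked flow: return traffic needs no policy check
        if not p["syn"]:
            return "drop"                   # mid-stream packet with no tracked session
        pair = (zone_of(p["src"]), zone_of(p["dst"]))
        if pair not in self.policy and (p["dst"], p["dport"]) not in self.acl.get(pair, set()):
            return "drop"                   # zone policy denies and no ACL exception matches
        bucket = (p["src"], int(p["ts"]))
        self.syn_counts[bucket] += 1
        if self.syn_counts[bucket] > self.limit:
            self.blocked.add(p["src"])      # too many new connections in one second
            return "drop"
        self.sessions.add(fwd)
        return "allow"

def demo():
    # Constructed traffic: mail session and its reply, DMZ web via ACL, DMZ ssh, DMZ->inside, SYN flood
    fw = StatefulZoneFirewall()
    flows = [("192.168.1.5", 40000, "203.0.113.25", 25, True), ("203.0.113.25", 25, "192.168.1.5", 40000),
             ("198.51.100.7", 5555, "10.0.2.10", 80, True), ("198.51.100.7", 5556, "10.0.2.10", 22, True),
             ("10.0.2.10", 1234, "192.168.1.5", 445, True)]
    flood = [("198.51.100.9", 7000 + i, "10.0.2.10", 80, True, 3.2) for i in range(12)]
    return [fw.filter(pkt(*f)) for f in flows], [fw.filter(pkt(*f)) for f in flood]
```

`demo()` returns the verdicts for the five single flows (allow, allow, allow, drop, drop) and for the flood, where the eleventh SYN in the same second trips the threshold and the source stays blocked afterwards.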

4. Summary

You now understand the fundamentals of firewalls: they use stateful filtering to track connections, can perform layer‑7 deep packet inspection, and employ security zones (inside, outside, DMZ) to enforce traffic policies. ACLs provide fine‑grained exceptions when needed.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)