AiTechWorlds
A corporate building's security guard does not let anyone walk in unchecked. They look at your ID, check if you are on the visitor list, and only then open the door. Tailgaters get stopped. Unknown visitors are turned away.
A firewall is that guard for your network. Every packet arriving at or leaving the network boundary passes through it. The firewall checks each one against its ruleset and decides: allow or deny.
The difference between a good security guard and a great one? The great one does not just check IDs — they understand context, recognize suspicious patterns, and look inside bags when warranted. That is the difference between a basic packet filter and a next-generation firewall.
A packet-filtering (stateless) firewall is the simplest form. It inspects each packet in isolation based on:
Limitation: No memory. It cannot tell whether a packet is a legitimate response to a previous request or an unsolicited intrusion. Each packet is judged alone.
A stateful inspection firewall tracks the state of active connections in a state table. It knows which connections were initiated from inside the network and allows only the corresponding response traffic.
```text
Connection initiated from 192.168.1.5 → 8.8.8.8:443
→ State table records: (192.168.1.5, port 50234) ↔ (8.8.8.8, 443) ESTABLISHED
→ Response packet from 8.8.8.8 → 192.168.1.5 is permitted automatically
→ Unsolicited packet from 8.8.8.8 to 192.168.1.5 would be dropped
```
This is the standard for most enterprise perimeter firewalls.
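To make the difference concrete, here is an added example (not code from the original page): a stateless filter and a minimal stateful firewall judging the same three packets. The inside network 192.168.1.0/24, the addresses and the ports are constructed for illustration; the return strings and the `Packet` class are this example's own.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inside network for the example.
INSIDE = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def is_inside(ip):
    return ipaddress.ip_address(ip) in INSIDE


def stateless_filter(pkt):
    """Judge each packet alone. To let HTTPS replies back in, the only
    option is a rule that admits ANY inbound packet from source port 443,
    so an unsolicited packet from port 443 is admitted as well."""
    if is_inside(pkt.src_ip) and pkt.dst_port == 443:
        return "ALLOW"  # outbound HTTPS request
    if pkt.src_port == 443 and is_inside(pkt.dst_ip):
        return "ALLOW"  # looks like a reply, but could be an unsolicited probe
    return "DROP"


class StatefulFirewall:
    """Remember inside-initiated flows; admit only their return traffic."""

    def __init__(self):
        # 5-tuple of the inside-initiated flow -> connection state
        self.state = {}

    def process(self, pkt):
        forward = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if forward in self.state or reverse in self.state:
            return "ALLOW (established)"  # matches a tracked connection
        if is_inside(pkt.src_ip) and not is_inside(pkt.dst_ip):
            self.state[forward] = "ESTABLISHED"  # new outbound connection
            return "ALLOW (new outbound)"
        return "DROP (unsolicited)"  # no matching state: inbound stranger


if __name__ == "__main__":
    fw = StatefulFirewall()
    request = Packet("192.168.1.5", 50234, "8.8.8.8", 443)
    reply = Packet("8.8.8.8", 443, "192.168.1.5", 50234)
    unsolicited = Packet("8.8.8.8", 443, "192.168.1.5", 50235)
    for p in (request, reply, unsolicited):
        print(f"stateless: {stateless_filter(p):6}  stateful: {fw.process(p)}")
```

The third packet is the point: the stateless filter cannot tell the reply on port 50234 from the stranger on port 50235, while the stateful firewall admits only the flow it recorded.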
A Web Application Firewall operates at Layer 7. It can inspect HTTP request content — URL paths, headers, body — and block specific attack patterns like SQL injection, cross-site scripting, and path traversal.
A WAF cannot see inside TLS-encrypted traffic unless it performs TLS termination (acting as a proxy).
A next-generation firewall (NGFW) combines stateful inspection with:
NGFWs from vendors like Palo Alto, Fortinet, and Cisco Firepower are the modern standard for serious network security.
Firewalls and routers enforce policy through ACLs — ordered lists of permit/deny rules evaluated top-to-bottom. The first matching rule wins.
Example ACL (simplified Cisco-style):
```text
permit tcp 192.168.1.0/24 any eq 443   # Allow HTTPS outbound from LAN
permit tcp 192.168.1.0/24 any eq 80    # Allow HTTP outbound from LAN
permit udp 192.168.1.0/24 any eq 53    # Allow DNS queries
deny   ip  any            any          # Block everything else (implicit deny)
```
The implicit deny at the end means: anything not explicitly permitted is blocked. This "default deny" posture is fundamental to secure firewall design.
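As an added example (not code from the original page), the following evaluator parses the simplified ACL syntax above and applies first-match, top-to-bottom evaluation with an implicit deny when no rule matches. The `parse_acl`/`evaluate` functions, the `AclEntry` class and the sample traffic are constructed for this example; the rule text itself is the page's.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The page's ACL, in the simplified syntax: action proto src dst [eq port].
ACL_TEXT = """
permit tcp 192.168.1.0/24 any eq 443   # Allow HTTPS outbound from LAN
permit tcp 192.168.1.0/24 any eq 80    # Allow HTTP outbound from LAN
permit udp 192.168.1.0/24 any eq 53    # Allow DNS queries
deny   ip  any            any          # Block everything else
"""


@dataclass(frozen=True)
class AclEntry:
    action: str                              # "permit" or "deny"
    proto: str                               # "tcp", "udp", or "ip" (any protocol)
    src: Optional[ipaddress.IPv4Network]     # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    dst_port: Optional[int]                  # None means any destination port


def _net(spec):
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def parse_acl(text):
    """Parse one rule per line; '#' starts a comment. Order is preserved."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        toks = line.split()
        action, proto, src, dst = toks[:4]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in ACL line: {raw!r}")
        port = int(toks[5]) if len(toks) >= 6 and toks[4] == "eq" else None
        entries.append(AclEntry(action, proto, _net(src), _net(dst), port))
    return entries


def evaluate(acl, proto, src_ip, dst_ip, dst_port):
    """Return (action, index of the matching rule). Index None = implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.src is not None and src not in e.src:
            continue
        if e.dst is not None and dst not in e.dst:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action, i        # first match wins: stop evaluating
    return "deny", None           # fell off the end of the list: implicit deny


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Constructed sample flows from the LAN and from a host outside it.
    for flow in [("tcp", "192.168.1.5", "8.8.8.8", 443),
                 ("udp", "192.168.1.5", "8.8.8.8", 53),
                 ("tcp", "192.168.1.5", "8.8.8.8", 22),
                 ("tcp", "10.0.0.9", "8.8.8.8", 443)]:
        print(flow, "->", evaluate(acl, *flow))
```

Evaluating with only the first three rules (`acl[:3]`) shows the implicit deny returning index `None`; prepending a `deny` rule for port 443 shows that order, not specificity, decides the outcome.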
The problem NAT solves: IPv4 provides approximately 4.3 billion addresses. The internet has far more devices than that. NAT allows an entire network of private devices to share a single public IP address.
How it works:
```text
192.168.1.5 sends request to 93.184.216.34:80
→ NAT rewrites the source address to 203.0.113.1:40021 and forwards the packet
→ Reply from 93.184.216.34:80 arrives addressed to 203.0.113.1:40021
→ NAT looks up port 40021 in its table and forwards the reply to 192.168.1.5
```
The NAT table maps (public_ip:port) ↔ (private_ip:port) for every active connection.
Private IP ranges (RFC 1918):
| Range | Block |
|---|---|
| 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 |
| 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 |
| 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 |
These addresses are not routed on the public internet — NAT is required to communicate externally.
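The following added example (not code from the original page) implements the NAT table just described as a small port-translating NAT, together with a check for the three RFC 1918 blocks. The public address 203.0.113.1, the starting port 40021 and the sample packets are constructed; the `Nat` class and its method names are this example's own.

```python
import ipaddress
import itertools
from dataclasses import dataclass, replace as dc_replace

# The three RFC 1918 blocks from the table above.
RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True only for the three RFC 1918 blocks (not other special-use ranges)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Port-based NAT: many private (ip, port) pairs share one public IP."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)  # next unused public port
        self.outbound = {}  # (private_ip, private_port) -> public_port
        self.inbound = {}   # public_port -> (private_ip, private_port)

    def translate_outbound(self, pkt):
        """Rewrite the source of an inside->outside packet and record the mapping."""
        if not is_rfc1918(pkt.src_ip):
            raise ValueError("only private source addresses are translated")
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:          # new connection: allocate a port
            port = next(self._ports)
            self.outbound[key] = port
            self.inbound[port] = key
        return dc_replace(pkt, src_ip=self.public_ip, src_port=self.outbound[key])

    def translate_inbound(self, pkt):
        """Map a reply back to the private host; None means no mapping (dropped)."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get(pkt.dst_port)
        if entry is None:
            return None  # unsolicited inbound traffic: nothing in the table
        return dc_replace(pkt, dst_ip=entry[0], dst_port=entry[1])


if __name__ == "__main__":
    nat = Nat("203.0.113.1", first_port=40021)
    out = nat.translate_outbound(Packet("192.168.1.5", 51000, "93.184.216.34", 80))
    print("outbound after NAT:", out)
    back = nat.translate_inbound(Packet("93.184.216.34", 80, "203.0.113.1", 40021))
    print("reply after NAT:   ", back)
    print("unsolicited:       ", nat.translate_inbound(
        Packet("93.184.216.34", 80, "203.0.113.1", 40022)))
```

Two private hosts that happen to use the same local source port receive different public ports, which is why the table is keyed on the (ip, port) pair rather than the address alone; an inbound packet with no table entry has nowhere to go and is dropped, which is the side effect that makes NAT behave like a crude inbound filter.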
A VPN creates an encrypted tunnel between two endpoints across an untrusted network (typically the public internet). Traffic inside the tunnel is protected from eavesdropping and tampering.
Site-to-Site VPN: Connects two entire office networks. Routers or firewalls at each site maintain the tunnel. All traffic between the offices flows through it as if they were on the same LAN.
Use case: Company headquarters connected to a branch office.
Remote Access VPN: Individual users connect to the corporate network from anywhere — home, hotel, coffee shop. A VPN client on the device establishes an encrypted tunnel to the company's VPN gateway.
Use case: Employee working from home accessing internal servers.
| Protocol | Speed | Security | Setup | Best For |
|---|---|---|---|---|
| OpenVPN | Moderate | Very high (TLS-based) | Complex | Enterprise, flexibility |
| WireGuard | Very fast | High (ChaCha20/Poly1305) | Simple | Modern deployments, performance |
| IPSec/IKEv2 | Fast | High | Moderate | Mobile clients, iOS/Android native |
| L2TP/IPSec | Moderate | Medium (depends on config) | Moderate | Legacy systems |
| PPTP | Fast | Weak (deprecated) | Easy | Do not use |
WireGuard is the current best choice for new deployments — dramatically simpler codebase (fewer vulnerabilities), faster performance, and modern cryptography by design.
A VPN secures the pipe. It does not secure the endpoints.
By default, a remote access VPN routes all traffic through the corporate tunnel — including Netflix, personal browsing, and software updates. This wastes corporate bandwidth and adds latency for non-work traffic.
Split tunneling routes only traffic destined for corporate resources through the VPN. All other traffic goes directly to the internet via the user's local connection.
Advantages:
Risks:
Most organizations implement split tunneling for performance reasons but supplement it with endpoint security controls.
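As an added example (not code from the original page), the block below shows the routing decision that distinguishes a full tunnel from a split tunnel: corporate prefixes get a route via the VPN interface, and only the default route changes between the two modes. The corporate prefixes, the excluded guest range and the sample destinations are constructed; `build_routes`, `next_hop` and `classify` are this example's own names.

```python
import ipaddress

# Constructed policy: prefixes reachable only through the corporate VPN.
CORPORATE_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12"]
# Constructed exclusion: a guest range inside 10/8 that must not use the tunnel.
EXCLUDED_PREFIXES = ["10.200.0.0/16"]


def build_routes(full_tunnel):
    """Return (network, interface) pairs making up the client's routing table."""
    routes = [(ipaddress.ip_network(p), "vpn") for p in CORPORATE_PREFIXES]
    routes += [(ipaddress.ip_network(p), "direct") for p in EXCLUDED_PREFIXES]
    # Full tunnel: the default route points into the VPN.
    # Split tunnel: the default route uses the local connection.
    default_if = "vpn" if full_tunnel else "direct"
    routes.append((ipaddress.ip_network("0.0.0.0/0"), default_if))
    return routes


def next_hop(routes, dst_ip):
    """Longest-prefix match: the most specific matching route decides."""
    addr = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if addr in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


def classify(routes, destinations):
    """Count how many of the given destinations would traverse the tunnel."""
    return sum(1 for dst in destinations if next_hop(routes, dst) == "vpn")


if __name__ == "__main__":
    # Constructed sample destinations: internal server, guest range, two public sites.
    flows = ["10.1.2.3", "10.200.3.4", "198.51.100.7", "203.0.113.9"]
    for mode in (False, True):
        table = build_routes(full_tunnel=mode)
        print("full tunnel" if mode else "split tunnel",
              {dst: next_hop(table, dst) for dst in flows},
              "via vpn:", classify(table, flows))
```

With split tunneling, only the internal destination leaves via the tunnel and the other traffic stays on the local connection, which is exactly the traffic the corporate firewall and WAF no longer see; that gap is what the endpoint controls mentioned above are meant to cover.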