
Network Security Essentials

Firewalls and Network ACLs


Network Perimeter Security: Firewalls and ACLs

For senior engineers, network access control means more than opening ports. It requires a solid understanding of connection tracking, of the state each packet belongs to, and of defense-in-depth: layering stateless and stateful controls so that one misconfiguration does not expose the host.

Stateful vs. Stateless Filtering

Network filters generally fall into two categories:

  • Stateless (ACLs): Evaluates each packet in isolation using only static header fields (source IP, destination IP, port, protocol). It keeps no memory of earlier packets, so if you allow inbound traffic to port 80, you must also explicitly allow the outbound reply traffic from the server to the client's ephemeral port range.
  • Stateful (Firewalls): Tracks every active connection and classifies packets by state (NEW, ESTABLISHED, RELATED). Once an inbound request is allowed, the firewall automatically permits the reply packets that belong to that connection, so no separate return-traffic rule is needed.

iptables: The Linux Firewall

iptables is the user-space utility for configuring the Linux kernel packet filter (netfilter). Packets are processed by chains (INPUT for traffic to the host, OUTPUT for traffic from the host, FORWARD for traffic routed through it); each chain has a default policy that applies when no rule matches.

Key Concept: Connection Tracking
The conntrack match module lets rules key on connection state, so a single rule accepting ESTABLISHED and RELATED traffic covers the replies to every connection the firewall has already permitted.


Cloud Security: Security Groups vs. NACLs

In cloud environments (like AWS/Azure/GCP), these concepts manifest as:

  • Security Groups (Stateful): Applied at the instance/interface level. Rules are typically allow-only; return traffic for a permitted connection is handled automatically.
  • Network ACLs (Stateless): Applied at the subnet level and act as a second layer of defense. Because they are stateless, you must manage both inbound and outbound rules, including the ephemeral port ranges that return traffic uses.

Egress Filtering

Most organizations filter inbound traffic strictly but leave outbound (egress) traffic wide open. This is a vulnerability: a compromised host can then reach any destination on the internet.

Why Filter Egress?

  • Stops reverse shells from connecting back to an attacker.
  • Prevents malware from downloading payloads or communicating with Command & Control (C2) servers.
  • Limits data exfiltration opportunities.

Example Egress Policy: Allow DNS (53 UDP/TCP) only to specific resolvers, allow HTTPS (443) to the internet, and block everything else.