A network firewall is still considered the main security component in any network defense plan. A firewall isolates internal networks from outside networks (e.g., the internet) and prevents malicious actors from reaching trusted networks. Firewalls are also used to protect individual endpoint devices from malicious software and misuse: if malware is installed on a victim's device, a firewall can stop the endpoint from communicating with the malware operators or spreading to other parts of the network. For these reasons, questions about firewalls commonly arise in interviews for computer networking and cybersecurity roles.
This article presents answers to the most frequently asked interview questions about network firewalls.
What is a firewall?
A firewall is a security system that is placed between a trusted and an untrusted network. It blocks or allows traffic that enters or leaves the network based on pre-configured policies or rules. Firewalls protect inside networks from unauthorized access by users on an outside network (e.g., the internet). A firewall can also protect internal networks from each other, for example, by keeping the management network segment separated from the user's network segment.
What is the difference between a gateway and a firewall?
A gateway connects two different networks so that they can communicate, while a network firewall protects a network against unauthorized incoming or outgoing traffic. Network firewalls may be hardware devices or software programs; many antivirus products include a software firewall for endpoint devices.
At which OSI layers do firewalls work?
Firewalls work at layers 3 (network), 4 (transport), and 7 (application).
What is the difference between a stateful and stateless firewall?
A stateful firewall (see Figure 1) is aware of the traffic (all active network connections) that passes through it. It adds and maintains information about users' connections in a state table, also known as a connection table, and then uses the information in that table to apply the security policy to each connection. Examples of stateful firewalls are Cisco PIX, Cisco ASA, and Check Point. Because it tracks every connection, a stateful firewall can tell whether an incoming packet belongs to an established connection, which makes it more secure than a stateless one.
A stateless firewall (i.e., a packet-filtering firewall, see Figure 2), on the other hand, does not look at the state of connections but only at the packets themselves. It monitors network traffic and restricts or blocks packets based on source and destination IP addresses or other static values (e.g., the protocol carried in the packet or the source/destination port).
What information does a stateful firewall maintain?
A stateful firewall maintains the following information in its state table:
- Source IP address
- Destination IP address
- IP protocol, like TCP or UDP
- IP protocol information such as TCP/UDP port numbers, TCP sequence numbers, and TCP Flags
How can we allow packets from a lower security level to go into a higher security level (Override Security Levels)?
We apply an access control list (ACL) to the lower-security interface that explicitly permits the traffic toward the higher-security interface.
Explain a DMZ (demilitarized zone).
Suppose we need some network resources, such as a web server or FTP server, to be available to outside users. In that case, we place these resources on a separate network behind the firewall called a demilitarized zone, or DMZ (see Figure 3). A DMZ is also known as a perimeter network or a screened subnet. The firewall allows only limited access to the DMZ, and because the DMZ contains only the public servers, an attack on it affects only those servers and does not necessarily reach the internal network.
What are the default timeout values for a TCP session, a UDP session, and an ICMP session?
- TCP session: 60 minutes
- UDP session: 2 minutes
- ICMP session: 2 seconds
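The following is an added example, not part of the original article, that models the stateful inspection, state-table entries and idle timeouts described above. The inside network, sample packets and timeout handling are assumptions for illustration; it also contrasts the stateful engine with a stateless packet filter that has to open "source port 80 from anywhere" to let web replies back in.

```python
import ipaddress

# Idle timeouts from the article's defaults, in seconds: TCP 60 min, UDP 2 min, ICMP 2 s.
TIMEOUTS = {"tcp": 3600, "udp": 120, "icmp": 2}

class StatefulFirewall:
    """Toy stateful inspection: inside hosts may open connections outward;
    an inbound packet passes only if it matches a live state-table entry."""
    def __init__(self, inside_net="10.0.0.0/8"):      # assumed inside network
        self.inside = ipaddress.ip_network(inside_net)
        self.table = {}  # (proto, src, sport, dst, dport) -> last-seen time

    def _expire(self, now):
        # Drop entries that have been idle longer than their protocol's timeout.
        for key, last in list(self.table.items()):
            if now - last > TIMEOUTS[key[0]]:
                del self.table[key]

    def filter(self, pkt, now):
        """Return 'allow' or 'deny' for packet `pkt` (a dict) seen at time `now` (seconds)."""
        self._expire(now)
        p = pkt["proto"]
        fwd = (p, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (p, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        for key in (fwd, rev):              # part of an existing connection?
            if key in self.table:
                self.table[key] = now       # refresh the idle timer
                return "allow"
        if ipaddress.ip_address(pkt["src"]) in self.inside:
            self.table[fwd] = now           # new outbound connection: record it
            return "allow"
        return "deny"                       # unsolicited inbound traffic

def stateless_filter(pkt, rules):
    """Packet filter with no memory: each packet is judged on static fields only."""
    for rule in rules:
        if all(pkt.get(f) == v for f, v in rule["match"].items()):
            return rule["action"]
    return "deny"

# Constructed sample packets: an outbound web request, its reply, and an
# unsolicited inbound packet that merely claims source port 80.
OUT   = {"proto": "tcp", "src": "10.1.1.5", "sport": 40000, "dst": "203.0.113.10", "dport": 80}
REPLY = {"proto": "tcp", "src": "203.0.113.10", "sport": 80, "dst": "10.1.1.5", "dport": 40000}
SPOOF = {"proto": "tcp", "src": "203.0.113.10", "sport": 80, "dst": "10.1.1.5", "dport": 40001}
# A stateless rule set must permit "tcp sport 80 from anywhere" for replies to get in.
STATELESS_RULES = [{"match": {"proto": "tcp", "sport": 80}, "action": "allow"}]
```

The stateless filter cannot distinguish REPLY from SPOOF, while the stateful engine allows only the packet that matches a recorded connection and forgets that connection once the TCP or UDP idle timeout passes.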
What are the different types of ACL on the firewall?
- Standard ACL
- Extended ACL
- Ethertype ACL (Transparent Firewall)
- Webtype ACL (SSL VPN)
What is the purpose of a transparent firewall?
In transparent mode, the firewall acts as a Layer 2 device, like a bridge or switch, and forwards Ethernet frames based on the destination MAC address.
For example, deploying a new firewall into an existing network can be a complicated process because of issues such as IP address reconfiguration, network topology changes, and interaction with the current firewall. A transparent firewall can be inserted into an existing segment to control traffic between its two sides without readdressing or reconfiguring the devices on either side.
What is policy Network Address Translation (NAT)?
Policy NAT (or conditional NAT) selects the translation by matching both the source and destination addresses in an extended access list; the source and destination ports can optionally be specified as well. Regular NAT considers only the source address, not the destination address. With static NAT it is called static policy NAT, and with dynamic NAT it is called dynamic policy NAT.
What is the order of preference among the different types of NAT?
- NAT exemption
- Existing translation in Xlate
- Static NAT
  - Static identity NAT
  - Static policy NAT
  - Static NAT
  - Static PAT
- Dynamic NAT
  - NAT zero
  - Dynamic policy NAT
  - Dynamic NAT
  - Dynamic PAT
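An added example, not from the original article, that models how a translation is chosen using the order of preference listed above and the policy-NAT matching rule (source plus destination) from the previous answer. The rule format, the NAT exemption handling and the sample rule set are assumptions for illustration, not a vendor data structure.

```python
import ipaddress

# The article's order of preference, most preferred first (constructed model).
PRECEDENCE = ["nat_exemption", "existing_xlate",
              "static_identity", "static_policy", "static", "static_pat",
              "nat_zero", "dynamic_policy", "dynamic", "dynamic_pat"]

def rule_matches(rule, src, dst, dport=None):
    """Regular NAT rules match on the source only; rules that carry a 'dst'
    (policy NAT and NAT exemption) also require the destination, and
    optionally the destination port, to match."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule["src"], strict=False):
        return False
    if "dst" in rule:
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule["dst"], strict=False):
            return False
        if "dport" in rule and rule["dport"] != dport:
            return False
    return True

def select_nat(rules, xlate, src, dst, dport=None):
    """Return (rule_type, translated_src). `xlate` holds live translations
    {real_src: mapped} and is updated when a new translation is created."""
    matching = sorted((r for r in rules if rule_matches(r, src, dst, dport)),
                      key=lambda r: PRECEDENCE.index(r["type"]))
    if matching and matching[0]["type"] == "nat_exemption":
        return ("nat_exemption", src)          # exempt traffic keeps its real address
    if src in xlate:
        return ("existing_xlate", xlate[src])  # reuse an existing translation
    if not matching:
        return (None, src)                     # no rule applies
    rule = matching[0]
    mapped = rule.get("mapped", src)           # identity NAT maps to itself
    xlate[src] = mapped
    return (rule["type"], mapped)

# Constructed sample rule set: a static policy rule and a plain static rule for
# the same host, a dynamic rule for the whole inside network, and an exemption.
RULES = [
    {"type": "dynamic", "src": "10.0.0.0/8", "mapped": "203.0.113.100"},
    {"type": "static_policy", "src": "10.1.1.5/32", "dst": "198.51.100.0/24", "mapped": "203.0.113.5"},
    {"type": "static", "src": "10.1.1.5/32", "mapped": "203.0.113.50"},
    {"type": "nat_exemption", "src": "10.2.0.0/16", "dst": "10.3.0.0/16"},
]
```

For host 10.1.1.5 the static policy rule wins only when the destination is in 198.51.100.0/24; otherwise the plain static rule is preferred over the dynamic one, and a second packet from the same host reuses the translation already in the xlate table.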
What is the difference between auto NAT and manual NAT?
Auto NAT (network object NAT) considers only the source address when performing NAT, so it is used only for plain static or dynamic NAT, and it is configured within a network object. Manual NAT (twice NAT) considers either the source address alone or the source and destination addresses together, so it can be used for almost every kind of NAT, including NAT exemption and policy NAT. Unlike auto NAT, manual NAT is configured directly from global configuration mode.
Network firewalls are considered the first line of defense against cyberattacks and protect servers, networks, and endpoint devices from attack and misuse. This article discussed the most common firewall questions that one might expect to face in an interview.