Network Firewall
& Screen Technologies
Inter-Network Screens · Additional Options · Zone-Based Policy
A comprehensive guide to firewall architectures,
inter-network protection mechanisms, and policy-based
network access control
Network Security · Firewall Architecture · Access Control Policy
Table of Contents
Topics covered in this presentation
01  Network Firewall Technologies: overview and evolution
02  Packet Filtering Firewalls: rules, ACLs, stateless inspection
03  Stateful Inspection Firewalls: connection tracking, state tables
04  Application Layer (Proxy) Firewalls: deep inspection, ALG proxies
05  Next-Generation Firewalls (NGFW): IPS, app-ID, user-ID, SSL inspection
06  Inter-Network Screen Technologies: core architecture, DMZ, screening
07  Inter-Network Screen — Additional Options: NAT, VPN, IDS/IPS, URL filter, logs
08  Advanced Additional Options: QoS, HA, DPI, bandwidth management
09  Zone-Based Policy — Concept: zones, zone pairs, policies
10  Zone-Based Policy — Configuration: rules, actions, implementation
Network Firewall Technologies · Inter-Network Screens · Zone-Based Policy
Network Firewall Technologies
What is a firewall and why does it matter?
Definition
A firewall is a network security system — hardware, software, or both — that monitors and controls incoming and outgoing network traffic based on predefined security rules.
It establishes a barrier between a trusted internal network and untrusted external networks (such as the Internet), deciding which traffic to permit or deny based on a configured rule set.
Firewalls are the cornerstone of network perimeter security and are deployed at every boundary between network segments of differing trust levels.
Generation      Year  Technology            Characteristics
1st Gen         1988  Packet Filters        Simple ACL rules on IP/port. No state tracking.
2nd Gen         1990  Stateful Inspection   Tracks TCP/UDP session state — connection-aware.
3rd Gen         1994  Application Proxies   Deep content inspection at the application layer.
4th Gen         2004  NGFW                  IPS, app/user identity, TLS inspection, threat intel.
Packet Filtering Firewalls
Stateless inspection — the first line of network defence
How It Works
Packet filtering examines each packet in isolation and decides whether to allow or block it based purely on header fields — without tracking connection state.
Inspected fields:
• Source and destination IP address
• Source and destination port number
• Protocol (TCP, UDP, ICMP)
• TCP flags (SYN, ACK, FIN)
• Network interface (ingress/egress)
Example rule set (evaluated top-down; the first matching rule decides, so rule 4 is the explicit default deny):

Rule  Src IP  Dst Port  Proto  Action
1     Any     80        TCP    PERMIT
2     Any     443       TCP    PERMIT
3     Any     22        TCP    DENY
4     Any     Any       Any    DENY
Advantages
Limitations
Stateful Inspection Firewalls
Connection-aware traffic analysis — tracking session state
State Table — Active Connection Entries

Src IP        Src Port  Dst IP         Dst Port  Proto  State        Action
192.168.1.5   51234     8.8.8.8        443       TCP    ESTABLISHED  PERMIT
192.168.1.12  60012     1.1.1.1        80        TCP    SYN_SENT     PERMIT
10.0.0.3      54321     93.184.216.34  443       TCP    TIME_WAIT    PERMIT
192.168.1.7   53128     203.0.113.1    22        TCP    CLOSED       BLOCK
State Tracking
Every TCP/UDP connection is recorded in a state table. Responses are automatically permitted without separate rules.
Session Integrity
Validates TCP sequence numbers, flags, and handshake flow to block spoofed or malformed packets mid-session.
Dynamic Rules
Auto-creates temporary permit entries for return traffic. Closes entries when sessions terminate or time out.
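The difference between the two preceding slides, as an added example that is not part of the original deck: a stateless filter applying the four-rule ACL above, and a stateful filter using the same ACL plus a state table. The Packet fields and the 5-tuple keying are assumptions made for the illustration; the sample packets in the accompanying checks are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str                        # "tcp" or "udp"
    flags: frozenset = frozenset()    # TCP flags, e.g. frozenset({"SYN"})

# The four-rule ACL from the slide as (src_ip, dst_port, proto, action); top-down, first match wins.
ACL = [("any", 80, "tcp", "PERMIT"),
       ("any", 443, "tcp", "PERMIT"),
       ("any", 22, "tcp", "DENY"),
       ("any", None, "any", "DENY")]

def stateless_decide(pkt, acl=ACL):
    """Packet filter: every packet is judged alone, on header fields only."""
    for src, dport, proto, action in acl:
        if ((src == "any" or src == pkt.src_ip)
                and (dport is None or dport == pkt.dst_port)
                and (proto == "any" or proto == pkt.proto)):
            return action
    return "DENY"

class StatefulFirewall:
    """Same ACL, plus a state table keyed on the 5-tuple of each permitted session."""
    def __init__(self, acl=ACL):
        self.acl = acl
        self.table = {}               # 5-tuple -> connection state

    def decide(self, pkt):
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is not None:           # belongs to a tracked session: permitted, state updated
            if "FIN" in pkt.flags:
                self.table[key] = "TIME_WAIT"
            elif self.table[key] == "SYN_SENT" and {"SYN", "ACK"} <= pkt.flags:
                self.table[key] = "ESTABLISHED"
            return "PERMIT"
        # An untracked TCP packet that is not a fresh SYN claims to belong to a
        # session the firewall never saw, so it is dropped whatever the ACL says.
        if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
            return "DROP"
        action = stateless_decide(pkt, self.acl)
        if action == "PERMIT":
            self.table[fwd] = "SYN_SENT" if pkt.proto == "tcp" else "ESTABLISHED"
        return action
```

The server's SYN/ACK has a destination port the ACL never mentions, so the stateless filter denies it while the stateful one permits it from the table; conversely a bare ACK to port 443 with no session matches rule 2 on the stateless filter but is dropped by the stateful one.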
Application Layer (Proxy) Firewalls
Full content inspection at the application layer
How Proxies Work
An application proxy firewall acts as an intermediary — it terminates the client connection, inspects the full application-layer payload, then (if permitted) creates a new connection to the server on behalf of the client.
The client never communicates directly with the server. All traffic must pass through and be decoded by the proxy.
Proxy types by protocol:
• HTTP/HTTPS proxy — web traffic
• SMTP proxy — email filtering
• FTP proxy — file transfer
• SOCKS proxy — generic TCP/UDP
• DNS proxy — query inspection
Deep Content Inspection
Reads full HTTP headers, body, MIME types. Blocks malicious payloads, scripts, and dangerous file types.
User Authentication
Forces authentication before traffic is forwarded. Ties connections to user identity for auditing.
SSL/TLS Interception
Decrypts HTTPS, inspects plaintext content, re-encrypts. Detects malware hidden in encrypted channels.
Content Caching
Caches frequently requested content — reduces bandwidth and improves response time for users.
Next-Generation Firewalls (NGFW)
Integrated security platform beyond port/protocol inspection
Application Identification
Identifies 3000+ applications regardless of port, protocol or encryption. Policies based on app, not port number.
User Identity Awareness
Links traffic to specific AD/LDAP users. Apply per-user policies — "Allow Finance group access to banking apps".
Integrated IPS
Inline intrusion prevention engine analyses traffic against CVE signatures and behavioural patterns in real time.
SSL/TLS Deep Inspection
Decrypts and inspects encrypted traffic (HTTPS, SMTPS). Prevents malware from hiding in TLS tunnels.
Threat Intelligence Feed
Connects to live cloud-based threat databases. Blocks IPs, URLs and domains linked to malware, C2, botnets.
Unified Management & Logging
Single pane of glass for policy management, traffic analytics, compliance reporting and incident response.
Inter-Network Screen Technologies
Protecting boundaries between networks of different trust levels
Internet (Untrusted) → Screening Router → DMZ (Semi-trusted) → Firewall → Internal LAN (Trusted)
Inter-Network Screen Role
An inter-network screen is a security control placed at the boundary between two networks to enforce access policy. It inspects, filters, and monitors all inter-network traffic.
Unlike a simple firewall, an inter-network screen is a layered architecture — combining packet filtering, stateful inspection, and optional application proxies in a coordinated deployment.
DMZ Architecture
The DMZ (Demilitarised Zone) is a perimeter network segment hosting public-facing services (web, email, DNS) that must be accessible from the internet but isolated from the internal LAN.
Two-firewall DMZ: Outer firewall → DMZ → Inner firewall → LAN. Each firewall has independent rules — compromise of the outer perimeter still cannot reach internal assets.
Inter-Network Screen — Additional Options
Extending firewall capabilities beyond basic filtering
Network Address Translation (NAT)
Translates private internal IPs to a public IP before forwarding to the internet. Types: Static NAT (1:1), Dynamic NAT (pool), PAT/Masquerade (many:1). Provides implicit hiding of internal topology from external observers.
VPN Gateway Integration
The inter-network screen terminates IPsec or SSL VPN tunnels, providing encrypted remote access and site-to-site connectivity. Policies govern which VPN users access which internal resources after authentication.
Intrusion Detection & Prevention (IDS/IPS)
Inline IPS engine analyses traffic against signatures of known exploits, CVEs, and attack patterns. IDS passively detects and alerts; IPS actively blocks malicious traffic in real time before it reaches the destination.
URL / Web Content Filtering
Classifies web destinations against category databases (malware, adult, social media, gambling). Blocks or logs access to unwanted categories. Integrates with reputation feeds to block known malicious domains.
Advanced Additional Options
QoS, high availability, DPI, bandwidth management, and logging
Quality of Service (QoS)
Prioritises traffic classes — VoIP and real-time streams get guaranteed bandwidth and low latency. Queuing algorithms: CBWFQ, LLQ, DSCP marking. Prevents bandwidth starvation of critical applications.
High Availability (HA)
Active/Passive or Active/Active clustering ensures continuity if one firewall fails. State synchronisation replicates session tables between nodes — seamless failover with zero dropped connections.
Deep Packet Inspection (DPI)
Analyses full payload content of packets — beyond headers — to detect protocol tunnelling, covert channels, application misuse and policy violations inside permissible protocols (e.g. malware over HTTP).
Bandwidth Management & Throttling
Sets per-user, per-group or per-application bandwidth caps. Prevents any single user or application consuming all available capacity. Enforces fair-use policies and SLAs across the organisation.
Centralised Logging & SIEM Integration
All firewall events — permit, deny, IPS alerts — forwarded to SIEM platforms (Splunk, QRadar, ELK). Enables correlation, compliance reporting, audit trails, and automated incident response workflows.
Geo-IP Filtering
Blocks or monitors traffic from specific geographic regions based on IP geolocation databases. Useful for compliance requirements, blocking known hostile source countries, and reducing attack surface.
Zone-Based Policy Firewall — Concept
From interface-centric to zone-centric security model
What Is Zone-Based Policy?
Zone-Based Policy Firewall (ZPF/ZBF) is a firewall configuration model that groups router or firewall interfaces into security zones and applies policies to traffic flowing between zone pairs — rather than to individual interfaces.
Key principles:
• Interfaces belong to exactly one zone
• Traffic within the same zone is permitted by default
• Traffic between different zones is DENIED by default unless an explicit policy permits it
• Policies are directional — applied to a zone pair (source zone → destination zone)
• A self zone exists for traffic destined to the device itself
Feature              Classic ACL    Zone-Based
Policy unit          Interface      Zone pair
Default behaviour    Permit all     Deny all
State tracking       Manual         Built-in
Ease of management   Complex        Simplified
Logging granularity  Per ACL entry  Per policy class
Service policy       Limited        Class-map/Policy-map
Scalability          Low            High
Zone-Based Policy — Zones & Zone Pairs
Defining security boundaries and inter-zone traffic policies
INTERNET Zone
Untrusted. All internet-facing interfaces. No inbound connections permitted by default. Only initiated outbound sessions allowed.
DMZ Zone
Semi-trusted. Public servers (web, email, DNS). Accessible from internet for specific services. Cannot initiate connections to internal zone.
INTERNAL Zone
Trusted. Internal LAN and user workstations. Full outbound access. Inbound from DMZ permitted for specific return traffic only.
MANAGEMENT Zone
Highly trusted. Out-of-band management network. Access to firewall console and admin interfaces. Strictly limited access from all other zones.
SELF Zone
Built-in. Traffic destined to the firewall device itself (SSH, SNMP, routing protocols). Separate policies govern what can reach the firewall.
Zone Pairs define traffic direction: INTERNAL→INTERNET (outbound), INTERNET→DMZ (inbound to services), DMZ→INTERNAL (blocked by default unless explicitly permitted)
Zone-Based Policy — Policy Rules & Actions
Class maps, policy maps, and service policy configuration
PASS
Permits traffic matching the class map to flow between zones. No inspection is applied — traffic passes without modification or logging (unless explicitly configured).
DROP
Silently discards matching packets. No TCP RST or ICMP unreachable is sent to the source. Equivalent to implicit deny with no notification to sender.
INSPECT
Applies stateful inspection — tracks session state and permits return traffic automatically. Can trigger IPS/IDS engine, URL filter, and application identification.
ZBF Configuration Structure (Cisco IOS / equivalent)

1. Define Zones
    zone security INTERNAL
    zone security DMZ
    zone security INTERNET

2. Create Class Maps (match-any: a flow matching either protocol belongs to the class)
    class-map type inspect match-any WEB-TRAFFIC
     match protocol http
     match protocol https

3. Create Policy Maps (class-default catches everything the named classes do not)
    policy-map type inspect INT-TO-INET
     class type inspect WEB-TRAFFIC
      inspect
     class class-default
      drop

4. Apply Service Policy (the zone pair is directional: INTERNAL → INTERNET only)
    zone-pair security INT-INET source INTERNAL destination INTERNET
     service-policy type inspect INT-TO-INET
Zone-Based Policy — Implementation Example
Enterprise three-zone deployment with complete policy matrix
Zone Pair (Src → Dst)  Permitted Traffic           Action   Notes
INTERNAL → INTERNET    HTTP, HTTPS, DNS (UDP/53)   INSPECT  Outbound web; stateful return traffic auto-permitted
INTERNAL → INTERNET    SMTP, IMAP, POP3            INSPECT  Corporate email outbound via mail relay
INTERNAL → DMZ         HTTP, HTTPS to web servers  PASS     Direct access to internal web services in DMZ
INTERNET → DMZ         TCP/80, TCP/443 (web)       INSPECT  Public web server access; IPS engine enabled
INTERNET → DMZ         TCP/25 SMTP inbound         INSPECT  Inbound email to mail gateway in DMZ
INTERNET → INTERNAL    Any                         DROP     All unsolicited inbound traffic blocked silently
DMZ → INTERNAL         Any                         DROP     DMZ cannot initiate connections to internal LAN
DMZ → INTERNET         DNS queries (UDP/53)        PASS     DMZ servers resolve external hostnames
MANAGEMENT → SELF      SSH TCP/22, SNMP            INSPECT  Admin access to firewall management interface
Any → SELF             All other                   DROP     Protect firewall from direct attack

Note that PASS is stateless (see the action definitions above): the INTERNAL → DMZ and DMZ → INTERNET rows therefore need a matching PASS entry in the reverse zone pair for the replies, or should use INSPECT so return traffic is handled by the state table.
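The zone model from the concept slide (one zone per interface, intra-zone permit, inter-zone default deny, directional zone pairs with ordered classes) applied to the policy matrix above, as an added example that is not the deck's or Cisco's code. The interface names Gi0/0 to Gi0/3, the protocol labels and the Flow fields are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    in_if: str               # ingress interface
    out_if: Optional[str]    # None when the packet is addressed to the device (SELF zone)
    proto: str               # application protocol, e.g. "http", "ssh"

class ZoneBasedFirewall:
    def __init__(self):
        self.zone_of = {}    # interface -> zone; an interface is in exactly one zone
        self.policies = {}   # (src_zone, dst_zone) -> ordered [(protocols, action)]

    def zone_member(self, interface, zone):
        self.zone_of[interface] = zone

    def zone_pair(self, src, dst, classes):
        """classes mirrors a policy-map: ordered (protocol set, action) entries,
        where a protocol set of None is class-default and matches what is left."""
        self.policies[(src, dst)] = classes

    def evaluate(self, flow):
        src_zone = self.zone_of.get(flow.in_if)
        dst_zone = "SELF" if flow.out_if is None else self.zone_of.get(flow.out_if)
        if src_zone is None or dst_zone is None:
            return "DROP"    # an interface assigned to no zone carries nothing
        if src_zone == dst_zone:
            return "PASS"    # traffic within one zone is permitted by default
        for protocols, action in self.policies.get((src_zone, dst_zone), []):
            if protocols is None or flow.proto in protocols:
                return action
        return "DROP"        # no zone pair or no class matched: default deny

def build_enterprise_policy():
    """Encode the three-zone policy matrix from the implementation slide."""
    fw = ZoneBasedFirewall()
    for interface, zone in [("Gi0/0", "INTERNET"), ("Gi0/1", "DMZ"),
                            ("Gi0/2", "INTERNAL"), ("Gi0/3", "MANAGEMENT")]:
        fw.zone_member(interface, zone)          # interface names are assumed
    fw.zone_pair("INTERNAL", "INTERNET",
                 [({"http", "https", "dns", "smtp", "imap", "pop3"}, "INSPECT"), (None, "DROP")])
    fw.zone_pair("INTERNAL", "DMZ", [({"http", "https"}, "PASS"), (None, "DROP")])
    fw.zone_pair("INTERNET", "DMZ", [({"http", "https", "smtp"}, "INSPECT"), (None, "DROP")])
    fw.zone_pair("DMZ", "INTERNET", [({"dns"}, "PASS"), (None, "DROP")])
    fw.zone_pair("MANAGEMENT", "SELF", [({"ssh", "snmp"}, "INSPECT"), (None, "DROP")])
    # INTERNET->INTERNAL, DMZ->INTERNAL and other->SELF have no zone pair: default deny
    return fw
```

On Cisco IOS the self zone is permit-by-default until a policy is attached to a zone pair that includes it; the evaluator follows the slide's matrix instead, which drops everything not explicitly permitted towards SELF.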
Firewall Technology Comparison
Choosing the right type for your security requirements
Capability                  Packet Filter  Stateful  App Proxy  NGFW
IP/Port filtering           ✓ Full         ✓ Full    ✓ Full     ✓ Full
Session state tracking      ✗ None         ✓ Full    ✓ Full     ✓ Full
Application identification  ✗ None         ✗ None    ✓ Full     ✓ Full
User identity awareness     ✗ None         ✗ None    Partial    ✓ Full
IPS/Threat prevention       ✗ None         ✗ None    Partial    ✓ Full
SSL/TLS inspection          ✗ None         ✗ None    ✓ Full     ✓ Full
Throughput (relative)       Very High      High      Medium     Med-High
Configuration complexity    Low            Medium    High       Very High
Deployment cost             Low            Low       Medium     High
Summary & Key Takeaways
1. Firewall evolution spans four generations — from simple packet filters (1988) to NGFWs combining IPS, app-ID, user-ID, and SSL inspection in a single platform.
2. Stateful inspection is the minimum acceptable standard. Tracking session state prevents spoofed return-traffic attacks that bypass stateless ACL-based filters.
3. Inter-network screen architecture uses layered controls — screening router, DMZ, and inner firewall — to ensure compromise of the perimeter cannot directly reach internal assets.
4. Additional options (NAT, VPN, IDS/IPS, URL filtering, QoS, HA, DPI, geo-IP) extend the firewall from a traffic filter into a comprehensive security enforcement platform.
5. Zone-Based Policy replaces complex interface ACLs with a scalable zone pair model — default-deny between zones, explicit inspect/pass/drop policies defined per traffic class.
6. Effective firewall deployment requires proper zone design, a complete policy matrix, logging integration with SIEM, and regular review of rules to eliminate stale or overly permissive entries.