Ref: https://learn.cantrill.io/courses/2022818/lectures/45643318 [TECH-FUNDAMENTALS] =OR= https://learn.cantrill.io/courses/1820301/lectures/42087682 [SAA-C03]

YouTube: https://www.youtube.com/watch?v=-dJJqFWw88Y

• Summary:
• Contents:

Traditional Firewalls

• 🔧 Operate at layers 3, 4 and 5 of the OSI-model
• Layer 3-4 FW (stateless)
  • Sees packets and segments, IPs and ports
  • No concept of requests and responses → two flows of unrelated communication
• Layer 5 FW (stateful)
  • Understands requests and responses as one single communication flow (same session)
  • Reduces admin overhead (one rule vs two rules)
  • Allows more contextual security → requests and responses can be treated differently
• ‼️ L7 is opaque to traditional FWs!!
  • No understanding of app data (good image? bad image? malware?)
  • No understanding of L7 protocols like HTTP (headers, hosts, HTTP status…)
• Normal Firewalls: Layers 3/4 (stateless) and Layer 5 (stateful)

Layer 7 Firewalls

• 🔧 Operate at layer 7 of the OSI-model, can understand L7 protocols and app data
  • ❗ Keep all features of traditional FWs (understanding of all layers below)
• Data at L7 can be inspected, blocked, replaced or tagged
  • e.g. Adult content, spam, off-topic…
  • Can be very granular with accepted data (e.g. cat and dog images OK, sheep not OK)
• Can react to L7 elements, understanding L7 protocols
  • e.g. DNS names, rate of flow (connections per second), content of headers…
  • Can identify normal & abnormal requests (e.g. protocol-specific attacks)
  • Can block specific apps like Facebook, Dropbox…
• ‼️ L7 FWs can decrypt HTTPS to analyze data!!
  • Traffic arrives → FW decrypts → analyzes → takes action (if necessary) → FW reencrypts → sends to destination
  • Transparent to client & server → to them they have an uninterrupted HTTPS connection
• ❗ Do not necessarily understand all L7 protocols
  • A L7 FW may understand HTTP(S) but not SMTP
• Application (Layer 7) Firewalls