Firewall Deep Dive: Stateful Inspection, NGFW, WAF, IPS/IDS, Firewall Policies and Best Practices
The firewall is the cornerstone of network security. Stateful inspection tracks connection state so that traffic can be filtered intelligently; NGFW (Next-Generation Firewall) adds application awareness and threat intelligence; WAF (Web Application Firewall) protects against web attacks; IPS/IDS detect and prevent intrusions; firewall policies define the rules and must be designed carefully; and best practices keep the firewall working effectively.
Firewalls have evolved from simple packet filters to NGFWs that inspect the application layer: packet filter (L3/L4 only) → stateful inspection (connection tracking) → NGFW (L7 application awareness + IPS + TLS inspection) → cloud-native firewall (FWaaS, microsegmentation). But even the best firewall is useless if its policies are poorly designed: 80% of firewall breaches result from misconfiguration, not from firewall bypass.
Firewall Types
| Type | Inspection | Use Case |
|---|---|---|
| Packet Filter | L3/L4: src/dst IP, port, protocol → stateless | Simple ACLs on routers — basic filtering |
| Stateful Inspection | L3/L4 + connection state tracking → return traffic allowed automatically | Traditional firewall — Cisco ASA, iptables |
| NGFW | L3–L7: application ID, user ID, TLS inspection, IPS, URL filtering, threat intelligence | Enterprise perimeter — Palo Alto, Fortinet, Cisco FTD |
| WAF | HTTP/HTTPS: SQL injection, XSS, CSRF, OWASP Top 10 | Web application protection — F5, Cloudflare, AWS WAF |
| Cloud Firewall (FWaaS) | NGFW capabilities delivered as a cloud service | SASE, cloud-first — Zscaler, Palo Alto Prisma |
| Distributed Firewall | Per-VM/per-workload firewall (microsegmentation) | Data center — VMware NSX, Illumio |
Stateful Inspection
| Feature | Details |
|---|---|
| Connection Table | Tracks every active connection: src/dst IP, ports, protocol, state, timeout |
| TCP States | Tracks SYN, SYN-ACK, ESTABLISHED, FIN, RST → only allows packets that match a valid state |
| Return Traffic | Outbound allowed → return traffic allowed automatically (no explicit rule needed) |
| UDP/ICMP | Pseudo-stateful: tracked by src/dst plus a timeout (UDP has no connection state) |
| Advantage | More secure than a packet filter: blocks packets that do not match an active connection |
| Limitation | Cannot see the application layer → can’t distinguish HTTP from tunnel-over-HTTP |
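The connection table, TCP state checks, automatic return-traffic handling and UDP timeouts described above, as an added example that is not code from the original page. It assumes a constructed internal network of 10.0.0.0/8, an outbound-only allow rule, and constructed idle timeouts.

```python
# Added example (not from the page): a minimal stateful packet filter.
# Policy: internal hosts (assumed 10.0.0.0/8) may open TCP/UDP flows outbound;
# return traffic is allowed only if it matches an entry in the connection table.
TIMEOUTS = {"tcp": 3600, "udp": 30}   # idle timeouts in seconds (constructed values)

def is_internal(ip):
    return ip.startswith("10.")       # assumption: internal network is 10.0.0.0/8

class StatefulFirewall:
    def __init__(self):
        self.table = {}   # (proto, src, sport, dst, dport) -> [state, last_seen]

    def _expire(self, now):
        stale = [k for k, (_, seen) in self.table.items() if now - seen > TIMEOUTS[k[0]]]
        for k in stale:
            del self.table[k]

    def process(self, pkt, now):
        """Return 'ALLOW' or 'DROP' for a packet dict {proto, src, sport, dst, dport, flags}."""
        self._expire(now)
        proto, flags = pkt["proto"], pkt.get("flags", "")
        fwd = (proto, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (proto, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if rev in self.table:                      # reply to a tracked flow
            if proto == "tcp" and self.table[rev][0] == "SYN_SENT":
                if flags != "SA":                  # only SYN-ACK completes the handshake
                    return "DROP"
                self.table[rev][0] = "ESTABLISHED"
            self.table[rev][1] = now
            return "ALLOW"
        if fwd in self.table:                      # further packets of an existing flow
            if flags in ("F", "FA", "R"):
                del self.table[fwd]                # FIN/RST closes the entry
            else:
                self.table[fwd][1] = now
            return "ALLOW"
        if is_internal(pkt["src"]) and not is_internal(pkt["dst"]):   # new outbound flow
            if proto == "tcp" and flags != "S":
                return "DROP"                      # a new TCP flow must start with SYN
            self.table[fwd] = ["SYN_SENT" if proto == "tcp" else "ACTIVE", now]
            return "ALLOW"
        return "DROP"                              # inbound packet with no matching state
```

An unsolicited inbound SYN-ACK is dropped even though a packet filter with a "permit established" ACL would pass it; the UDP reply is accepted only while the pseudo-state entry has not timed out.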
NGFW Features
| Feature | Description | Benefit |
|---|---|---|
| Application ID | Identify applications regardless of port (e.g., detect Skype on port 443) | Control: allow Zoom but block TikTok |
| User ID | Map traffic to Active Directory users (via agent, LDAP, syslog) | Policy per user/group (not just IP) |
| TLS Inspection | Decrypt TLS → inspect content → re-encrypt → forward | See encrypted threats (80%+ of traffic is encrypted) |
| IPS | Inline intrusion prevention: signature + anomaly-based detection | Block exploits, malware, C2 communication |
| URL Filtering | Allow/block websites by category (gambling, malware, social media) | Enforce acceptable use policy |
| Sandboxing | Send unknown files to a cloud sandbox → execute → analyze behavior | Detect zero-day malware |
| Threat Intelligence | Auto-update: known malicious IPs, domains, file hashes | Block known threats without manual rules |
IPS vs IDS
| Feature | IDS (Detection) | IPS (Prevention) |
|---|---|---|
| Mode | Passive (mirror/tap) — copies traffic | Inline — sits in the traffic path |
| Action | Alert only → admin decides | Alert + block (drop, reset, quarantine) |
| Risk | No impact on traffic (can’t block) | False positive = legitimate traffic blocked |
| Latency | None (out-of-band) | Small (inline processing) |
| Deployment | Monitoring, compliance, forensics | Active protection (most NGFWs include IPS) |
| Modern | Standalone IDS rare → mostly built into NGFW/SIEM | IPS built into every NGFW |
WAF (Web Application Firewall)
| Feature | Details |
|---|---|
| What it is | Protects web applications: inspects HTTP/HTTPS → blocks malicious requests |
| OWASP Top 10 | Protects against: SQL injection, XSS, CSRF, broken authentication, SSRF, etc. |
| Positive Model | Whitelist: only allow known-good patterns → strict, but may block legitimate requests |
| Negative Model | Blacklist: block known-bad patterns (signatures) → easier, but can miss new attacks |
| Deployment | Reverse proxy (inline), cloud WAF (Cloudflare, AWS WAF), appliance (F5) |
| Bot Protection | Detect/block bots: scraping, credential stuffing, DDoS — CAPTCHA, rate limiting |
| API Protection | Protect APIs: validate schema, rate limit, authentication check |
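The positive/negative model trade-off from the table, as an added example that is not code from the original page: the same login request is checked by a blacklist of constructed signatures and by a constructed whitelist schema for `/login`. The signature list, schema, path and parameter names are assumptions for illustration.

```python
import re
from urllib.parse import parse_qs

# Added example (not from the page): one login request checked under a negative
# model (block known-bad patterns) and a positive model (allow only declared
# parameters whose values match a schema). Signatures and schema are constructed.
NEGATIVE_SIGNATURES = [
    re.compile(r"(?i)\bunion\b.+\bselect\b"),     # SQL injection marker
    re.compile(r"(?i)'\s*or\s*'?1'?\s*=\s*'?1"),   # SQL tautology marker
    re.compile(r"(?i)<\s*script\b"),               # reflected XSS marker
]

POSITIVE_SCHEMA = {   # path -> {parameter: regex every value must fully match}
    "/login": {
        "user": re.compile(r"^[a-z0-9_.]{3,32}$"),
        "pass": re.compile(r"^[^\x00-\x1f]{8,128}$"),
    },
}

def negative_model(path, query):
    """Blacklist: BLOCK if any parameter value matches a known-bad signature."""
    for values in parse_qs(query, keep_blank_values=True).values():
        if any(sig.search(v) for v in values for sig in NEGATIVE_SIGNATURES):
            return "BLOCK"
    return "ALLOW"

def positive_model(path, query):
    """Whitelist: ALLOW only a declared path, declared parameters and schema-valid values."""
    schema = POSITIVE_SCHEMA.get(path)
    if schema is None:
        return "BLOCK"                              # undeclared endpoint
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in schema or len(values) != 1 or not schema[name].match(values[0]):
            return "BLOCK"                          # unknown parameter, duplicate, or bad value
    return "ALLOW"
```

A value from an attack class with no signature (a path-traversal string in `user`) passes the negative model but fails the schema, while a legitimate mixed-case username is blocked by the positive model: the "can miss new attacks" and "may block legitimate" rows of the table, side by side.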
Firewall Policy Best Practices
| Practice | Detail |
|---|---|
| Default Deny | Block everything by default → explicitly allow only needed traffic (whitelist model) |
| Least Privilege | Allow only the minimum required: specific IP, specific port, specific direction |
| Rule Order | Most specific rules first → general rules last → deny all at the bottom |
| No “Any-Any” | Never allow any-source any-destination any-port → always specify at least 2 of 3 |
| Rule Review | Review rules quarterly → remove unused rules → document the purpose of each rule |
| Logging | Log all deny actions + critical allow actions → send to SIEM for analysis |
| Change Management | Every rule change goes through change management → approve, test, document, rollback plan |
| TLS Inspection | Enable for outbound traffic → decrypt, inspect, re-encrypt → exempt banking/healthcare if needed |
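A policy linter for the Default Deny, Rule Order and No “Any-Any” rows above, as an added example that is not code from the original page or any vendor's tooling. The rule format (dicts with `id`, `action`, `proto`, `src`, `dst`, `dport`, with `any` as the wildcard) is an assumption; it flags a missing final deny-all, allow rules with fewer than 2 of src/dst/port specified, and rules shadowed by a broader earlier rule.

```python
import ipaddress

# Added example (not from the page): lint a firewall rule list against the
# practices above: default deny at the bottom, no any-any, specific rules first.
# Rule format is constructed: "any" is a wildcard, addresses are IPs or CIDRs.
FIELDS = ("proto", "src", "dst", "dport")

def _covers(outer, inner):
    """True if the outer field matches every value the inner field matches."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    if "." in str(outer) or ":" in str(outer):    # address field (IPv4/IPv6)
        return ipaddress.ip_network(inner, strict=False).subnet_of(
            ipaddress.ip_network(outer, strict=False))
    return outer == inner                          # protocol or port: exact match only

def lint_policy(rules):
    """Return a list of findings; an empty list means the policy passes the checks."""
    findings = []
    last = rules[-1] if rules else None
    if not last or last["action"] != "deny" or any(last[f] != "any" for f in FIELDS):
        findings.append("no explicit deny-all rule at the bottom (default deny)")
    for i, rule in enumerate(rules):
        unspecified = sum(rule[f] == "any" for f in ("src", "dst", "dport"))
        if rule["action"] == "allow" and unspecified >= 2:
            findings.append(f"rule {rule['id']}: fewer than 2 of src/dst/port specified"
                            + (" (any-any-any)" if unspecified == 3 else ""))
        for earlier in rules[:i]:                  # a broader earlier rule always wins
            if all(_covers(earlier[f], rule[f]) for f in FIELDS):
                findings.append(f"rule {rule['id']}: never matches, shadowed by broader "
                                f"rule {earlier['id']} (put specific rules first)")
                break
    return findings
```

Note that an any-any-any allow placed above the final deny-all also shadows the deny-all itself, so the linter reports both problems for that policy.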
Closing thoughts: Firewall = First Line of Defense, Policies = Its Strength
- Types: packet filter (L3/L4), stateful (connection tracking), NGFW (L7 + IPS + TLS), WAF (web), cloud (FWaaS)
- Stateful: connection table, TCP state tracking, auto-allow return traffic
- NGFW: app ID + user ID + TLS inspection + IPS + URL filtering + sandboxing + threat intel
- IPS vs IDS: IPS inline (block), IDS passive (alert) — IPS built into every NGFW now
- WAF: protect web apps (OWASP Top 10), positive/negative models, bot/API protection
- Best Practices: default deny, least privilege, rule order (specific first), no any-any, quarterly review, logging
- Key: 80% of firewall breaches = misconfiguration — proper policies + regular review > expensive hardware