2.2 Identify the types of data provided by these technologies
📘Cisco Certified CyberOps Associate (200-201 CBROPS)
A traditional stateful firewall is a network security device that controls the flow of traffic between networks. It works by inspecting traffic and making decisions about whether to allow or block it based on stateful inspection.
Let’s go step by step.
1. What “stateful” means
- Stateful inspection means the firewall keeps track of the state of active network connections.
- For example, it records whether a TCP connection is new, established, or related.
- Unlike stateless firewalls that only look at individual packets, a stateful firewall understands the context of traffic.
Key takeaway for the exam:
Stateful firewalls track connection states to make smarter decisions about traffic.
2. How a traditional stateful firewall works
A traditional stateful firewall operates mainly at Layer 3 (Network) and Layer 4 (Transport) of the OSI model.
Steps in operation:
- Packet arrives at the firewall.
- Firewall checks its access control list (ACL) rules:
  - Source IP
  - Destination IP
  - Protocol (TCP, UDP, ICMP)
  - Port numbers
- Firewall checks its state table:
  - Is this connection part of an existing session?
  - Is it a new connection? If yes, does it comply with the rules?
- Decision is made:
  - Allow the traffic
  - Block the traffic
- State table is updated if the connection is new or ongoing.
Important: Stateful firewalls do not inspect the actual data (payload) beyond what is needed to maintain state.
3. Types of data provided by stateful firewalls
In the context of CyberOps, a stateful firewall gives security analysts valuable data about network traffic. The types of data include:
- Connection logs
  - Source and destination IP addresses
  - Source and destination ports
  - Protocol (TCP/UDP/ICMP)
  - Timestamp of when the connection started and ended
  - Action taken (allowed or denied)
- Traffic statistics
  - Number of allowed or blocked connections
  - Bandwidth usage per connection or protocol
  - Active connections currently in the state table
- Alerts
  - Attempts to connect to blocked ports
  - Suspicious connection attempts (like scanning attempts)
  - Violations of firewall policies
Example in IT terms:
If a host inside the network tries to connect to an unauthorized external server, the firewall will block the connection and log the source IP, destination IP, port, and time. This log helps security analysts see patterns of unauthorized access attempts.
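To make the decision flow from section 2 and the log fields from section 3 concrete, here is an added Python example (written for this page, not code from the CBROPS material or any Cisco product): a toy stateful firewall with a two-rule ACL and a 5-tuple state table, run over a constructed packet stream. The ACL, the addresses (documentation ranges) and the rule that a single FIN tears a session down are simplifying assumptions.

```python
import ipaddress

# Constructed ACL for a hypothetical inside network 10.0.0.0/24: first match wins, implicit deny.
ACL = [
    ("10.0.0.0/24", "0.0.0.0/0", "tcp", 443, "allow"),  # inside -> any, HTTPS
    ("10.0.0.0/24", "0.0.0.0/0", "udp", 53, "allow"),   # inside -> any, DNS
]

def acl_lookup(pkt):
    """Match a packet that opens a NEW connection against the ACL (Layer 3/4 fields only)."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for src_net, dst_net, proto, dport, action in ACL:
        if (src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net)
                and pkt["proto"] == proto and pkt["dport"] == dport):
            return action
    return "deny"

def process(packets):
    """Run packets through ACL + state table; return (connection log, final state table)."""
    state, log = {}, []                      # state: 5-tuple -> "new" | "established"
    for p in packets:
        fwd = (p["src"], p["dst"], p["proto"], p["sport"], p["dport"])
        rev = (p["dst"], p["src"], p["proto"], p["dport"], p["sport"])
        rec = {k: p[k] for k in ("ts", "src", "sport", "dst", "dport", "proto")}
        if fwd in state or rev in state:     # packet belongs to a tracked session
            key = fwd if fwd in state else rev
            state[key] = "established"       # reply seen: session is now established
            if "F" in p.get("flags", ""):    # simplified: a FIN ends the session
                del state[key]
                log.append({**rec, "action": "allow", "event": "teardown"})
            continue                         # return traffic needs no ACL hit
        action = acl_lookup(p)               # new connection: consult the rules
        if action == "allow":
            state[fwd] = "new"
        log.append({**rec, "action": action, "event": "built" if action == "allow" else "denied"})
    return log, state

def denied_events(log):
    """Alert-style view of the log: every denied connection attempt (e.g. blocked-port probes)."""
    return [r for r in log if r["action"] == "deny"]

# Constructed packet stream: inside HTTPS session, blocked Telnet attempt, unsolicited inbound SSH probe, HTTPS teardown.
PACKETS = [
    {"ts": 1, "src": "10.0.0.5", "sport": 51000, "dst": "192.0.2.10", "dport": 443, "proto": "tcp", "flags": "S"},
    {"ts": 2, "src": "192.0.2.10", "sport": 443, "dst": "10.0.0.5", "dport": 51000, "proto": "tcp", "flags": "SA"},
    {"ts": 3, "src": "10.0.0.5", "sport": 51001, "dst": "198.51.100.7", "dport": 23, "proto": "tcp", "flags": "S"},
    {"ts": 4, "src": "203.0.113.9", "sport": 40000, "dst": "10.0.0.5", "dport": 22, "proto": "tcp", "flags": "S"},
    {"ts": 5, "src": "10.0.0.5", "sport": 51000, "dst": "192.0.2.10", "dport": 443, "proto": "tcp", "flags": "FA"},
]
```

Running `process(PACKETS)` yields one "built" record, two "denied" records (the Telnet attempt and the inbound SSH probe, exactly the kind of entries an analyst reviews) and one "teardown", with an empty state table at the end; the SYN-ACK reply produces no log entry because the state table already knows the session.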
4. Limitations of traditional stateful firewalls
While useful, traditional stateful firewalls have some limitations:
| Limitation | Explanation |
|---|---|
| No deep packet inspection | Cannot look into application-level content (like web traffic content). |
| Cannot detect modern threats | Cannot identify malware, ransomware, or encrypted threats inside allowed traffic. |
| Limited visibility | Only tracks sessions and basic network traffic patterns. |
| No user-based policies | Policies are usually IP-based, not identity-based. |
Key exam point:
Traditional stateful firewalls are good for blocking or allowing traffic based on network parameters but cannot analyze traffic content deeply.
5. Why security analysts need firewall data
In a CyberOps environment, firewall data helps analysts:
- Investigate intrusion attempts or network attacks.
- Monitor network usage and suspicious connections.
- Correlate firewall logs with other sources like NetFlow, SIEM, or packet captures (tcpdump).
- Generate reports for security compliance.
Data visibility summary:
- IP addresses
- Ports
- Protocols
- Connection states (new, established, terminated)
- Timestamps
- Actions (allowed/denied)
6. Key points for the exam
When studying this subtopic for 200-201 CBROPS, remember:
- A traditional stateful firewall works at Layer 3/4.
- It tracks the state of connections (stateful inspection).
- It controls traffic based on ACLs and connection states.
- It provides logs of connections: IP, port, protocol, action, and timestamps.
- Limitations: Cannot inspect application payload or detect modern threats.
- Data is useful for incident investigation and monitoring.
✅ Tip for students:
Think of it as a gatekeeper: it remembers which connections are allowed, checks each new request against its rules, and logs what happens. Analysts use these logs to detect suspicious or malicious activity.
