DEV Community

TiltedLunar123
TiltedLunar123

Posted on

Why a stateful firewall won't stop SQL injection, and what Security+ wants you to say instead

When I started drilling Security+ practice questions, firewalls felt like the easy points. A firewall blocks bad traffic, done. Then I hit a question that went something like this: a web application is getting hammered with SQL injection, there is already a stateful firewall in front of it, and the exam asks what would actually stop the attack. I picked "tune the firewall rules." Wrong.

That question taught me the thing Security+ really tests about firewalls. Not the vendor or the brand, but the layer the firewall works at and the kind of traffic it can actually see. Once that clicked, a whole category of questions stopped being guesswork.

Here is the breakdown I wish I had at the start.

Packet-filtering (stateless) firewalls

The oldest and simplest kind. It looks at each packet on its own and checks it against a rule list: source IP, destination IP, port, protocol. Allow or deny. It has no memory of what came before, so it does not know whether a packet is part of an existing conversation or a random probe. On the exam, "filters by IP and port," "no session awareness," and "fast but basic" all point here.

Stateful firewalls

This one keeps a state table. It tracks active connections, so when your machine opens a session to a web server, the firewall knows the return traffic belongs to a conversation you started and lets it back in. That is a real upgrade over stateless filtering. But notice what it is still doing: making decisions about connections, addresses, and ports. It is not reading the actual content of your web requests. So when the exam describes SQL injection or cross-site scripting, a stateful firewall is the wrong answer, because that attack rides inside allowed traffic on an allowed port, usually 443. The firewall waves it through because, at its layer, nothing looks wrong.

Proxy firewalls

A proxy sits in the middle and terminates the connection, then makes its own request on your behalf. Clients never talk directly to the destination. A forward proxy protects and controls outbound user traffic, think content filtering and hiding internal clients, while a reverse proxy sits in front of servers. Proxies can inspect more than a packet filter and add a layer of separation, which is usually the detail the question is rewarding.

Web application firewalls (WAF)

Here is the answer to my SQL injection question. A WAF operates at the application layer and actually inspects HTTP and HTTPS requests. It understands what a web request looks like, so it can spot and block SQL injection, cross-site scripting, and other web-specific attacks that lower-layer firewalls never see. If the question mentions a web app and attacks against it, your eye should go straight to WAF.

Next-generation firewalls (NGFW)

The all-in-one. An NGFW combines stateful filtering with deep packet inspection, application awareness, and usually built-in intrusion prevention. It can make decisions based on the application in use, not just the port number. When a question describes something that needs to identify traffic by application, do deep inspection, and block threats in one appliance, NGFW is the intended answer.

The trick the exam keeps using

The pattern is almost always the same. The question describes an attack, tells you what is already in place, and asks what you need. Your job is to match the attack to the layer where it lives. A port scan or a spoofed source address is a lower-layer problem, so a stateless or stateful firewall is relevant. An attack hidden inside legitimate web requests is an application-layer problem, so the answer is a WAF or an NGFW doing deep packet inspection. The wrong answers usually hand you a firewall that operates below the layer the attack is actually on. It sounds reasonable, which is exactly why it is there.

A quick way to check yourself: ask what the device can actually see. If it can only see addresses and ports, it cannot stop something hiding in the payload. That one question resolves a surprising number of these.

I built these distinctions into the practice questions and lessons on my study site, secplusmastery.com, because reading the definitions once never made them stick for me. What made them stick was getting the layer-matching question wrong a few times in a row and finally seeing the pattern. If you want to find out which of these you actually understand versus which you only recognize, there is a free diagnostic exam at secplusmastery.com/diagnostic that surfaces your weak domains fast.

Firewalls are not the hard part of Security+. Reading the question closely enough to spot which layer the attack lives on is. Build that habit, and the firewall questions turn back into the easy points they looked like at the start.

Top comments (0)