Episode 139: Enhancing IDS/IPS Effectiveness (Domain 4)

Firewalls are one of the oldest and most fundamental tools in cybersecurity. They sit at the borders of networks, inspecting traffic, enforcing policy, and blocking threats before they reach critical systems. But having a firewall isn’t enough. It has to be configured carefully, updated regularly, and integrated into a broader access control strategy. In this episode, we’ll explore how to enhance firewall capabilities by focusing on rule configuration, access control lists, port and protocol filtering, and the deployment of screened subnets—also known as demilitarized zones.
Let’s begin with firewall rules. Every firewall operates based on a set of rules that determine what traffic is allowed or denied. These rules are evaluated in order, from top to bottom. Each rule checks the traffic against criteria like source and destination Internet Protocol addresses, ports, protocols, and direction—whether it’s inbound or outbound. If traffic matches a rule, the specified action is taken, and the evaluation stops.
The goal of firewall rule configuration is to allow legitimate, necessary traffic while blocking anything that poses risk or doesn’t belong. That sounds simple—but in practice, it requires detailed planning, constant review, and a deep understanding of network flows.
A good firewall rule is specific and minimal. For example, instead of allowing all web traffic, a rule might allow only HTTPS on port four four three to a specific internal web server from a defined subnet. This kind of precise rule reduces exposure and makes it harder for attackers to find a path in.
Let’s walk through a best-practice scenario. A small business wants to allow remote desktop access to a server. Rather than open port three three eight nine to the whole internet, the firewall is configured to only allow connections from a specific Internet Protocol address range used by the company’s virtual private network provider. This reduces the attack surface dramatically and limits access to authorized users.
Common mistakes with firewall rules include using overly broad rules, forgetting to implement a “deny all” default policy, or failing to document rule changes. These errors can lead to open ports, unnecessary services, or unintended traffic paths that undermine the firewall’s effectiveness. Another mistake is rule sprawl—where old or unused rules pile up over time, making the firewall harder to audit, troubleshoot, or understand.
That’s why firewall rules should be reviewed regularly, updated based on changes to the environment, and tested after deployment. Every rule should serve a clear purpose, be traceable to a documented business requirement, and be part of a least-privilege access model.
Now let’s move to access control lists, often referred to as ACLs. While firewall rules control traffic at network boundaries, ACLs are used within devices—such as routers and switches—to filter traffic at more granular levels. An ACL is essentially a list of permit and deny conditions applied to traffic based on Internet Protocol address, port, or protocol.
ACLs are powerful because they allow fine-grained traffic management close to the source or destination. For example, a router may use an ACL to restrict access to its management interface, only allowing connections from a specific administrator subnet. Or, a switch may use an ACL to block peer-to-peer traffic between user devices on the same local network.
ACLs can be applied inbound—filtering traffic as it enters a network interface—or outbound, filtering traffic as it leaves. They can also be used to prioritize traffic for quality of service, limit broadcast storms, or enforce segmentation between departments or tenants.
Let’s explore a real-world use case. A university campus wants to prevent dormitory devices from accessing administrative servers. They configure ACLs on their core switches that deny traffic from the dorm subnets to the server subnets on ports associated with database and file transfer protocols. At the same time, they allow traffic to public-facing services, like the university website and email. This setup balances security and usability by enforcing segmentation without interrupting daily operations.
Port and protocol controls are another essential piece of firewall and ACL configuration. Every service on a network communicates using a specific port and protocol. For instance, web servers use port eighty for HTTP and port four four three for HTTPS. Remote desktop uses port three three eight nine. By controlling which ports and protocols are allowed through your firewalls or ACLs, you limit what services are reachable—and reduce opportunities for exploitation.
A firewall configured to only allow specific protocols and ports creates a minimal attack surface. It becomes harder for attackers to find open doors, and easier for defenders to monitor traffic. This is especially important for services like Telnet, which transmits data in cleartext, or older versions of file sharing protocols that lack strong authentication.
One best practice is to deny all ports and protocols by default, and then allow only those that are explicitly required. This approach is known as default deny or deny by default. It ensures that new vulnerabilities or misconfigurations do not create accidental exposures.
Let’s now turn to deploying screened subnets, also known as demilitarized zones or DMZs. A DMZ is a network segment that sits between the internal network and the public internet. It hosts systems that must be accessible from outside—such as web servers, email gateways, or application proxies—while protecting the internal network from direct exposure.
The idea behind a screened subnet is simple: if a public-facing system is compromised, the attacker should not gain access to your entire internal environment. By placing that system in a DMZ, you isolate it and limit its ability to communicate with internal assets. You can also apply tighter monitoring, logging, and access controls to the DMZ, knowing that it is more exposed than other parts of the network.
DMZs are usually deployed using two or more firewalls—or a single firewall with multiple interfaces. One interface connects to the internet, one to the internal network, and one to the DMZ. The firewall is configured to allow only the necessary traffic in and out of the DMZ. For example, it might allow inbound HTTPS traffic to a web server, but block all access to internal systems except for specific management or data exchange processes.
Let’s consider an example. An e-commerce company deploys its customer-facing web server in a DMZ. The server receives HTTPS requests from users and connects to a backend database in the internal network to retrieve order information. The firewall allows web traffic into the DMZ, and only allows the web server to reach the database over a single, secured port. If the web server is compromised, the attacker cannot move laterally to other internal systems. The screened subnet contains the breach, protects sensitive assets, and allows the company to continue operations while investigating and remediating the threat.
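To make the rule-ordering and default-deny points concrete, here is a small first-match rule evaluator added as an illustration (it is not code from the episode or from any firewall product). It models the two scenarios above, remote desktop allowed only from the VPN provider's range and a DMZ web server allowed to reach one database port, and shows how a misordered deny rule can shadow a later allow; every address and the database port number are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any port
    note: str = ""        # the documented business reason for the rule

def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))

def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Top-to-bottom, first match wins; anything unmatched hits the implicit default deny."""
    for rule in rules:
        if matches(rule, src, dst, proto, dport):
            return rule.action, rule.note
    return "deny", "implicit default deny"

# Constructed addresses (RFC 5737 documentation ranges and private space), not real hosts.
VPN_RANGE, RDP_SERVER = "203.0.113.0/24", "10.0.0.10/32"
DMZ_NET, DMZ_WEB, INTERNAL, DB = "172.16.0.0/24", "172.16.0.10/32", "10.0.0.0/8", "10.0.5.20/32"

RULES = [
    Rule("allow", VPN_RANGE, RDP_SERVER, "tcp", 3389, "RDP only from the VPN provider's range"),
    Rule("allow", ANY, DMZ_WEB, "tcp", 443, "public HTTPS into the DMZ web server"),
    Rule("allow", DMZ_WEB, DB, "tcp", 5432, "web server to backend database, one port"),
    Rule("deny", DMZ_NET, INTERNAL, "any", None, "DMZ may not reach anything else internal"),
]

# Same rules with the broad DMZ deny placed above the database allow: the allow is shadowed.
SHADOWED = [RULES[0], RULES[1], RULES[3], RULES[2]]

if __name__ == "__main__":
    for pkt in [("203.0.113.5", "10.0.0.10", "tcp", 3389),    # VPN user -> RDP: allow
                ("198.51.100.7", "10.0.0.10", "tcp", 3389),   # internet -> RDP: default deny
                ("198.51.100.7", "172.16.0.10", "tcp", 443),  # internet -> DMZ web: allow
                ("172.16.0.10", "10.0.5.20", "tcp", 5432),    # DMZ web -> DB: allow
                ("172.16.0.10", "10.0.0.10", "tcp", 3389)]:   # DMZ web -> internal RDP: deny
        print(pkt, "->", evaluate(RULES, *pkt))
    print("misordered, web -> db:", evaluate(SHADOWED, "172.16.0.10", "10.0.5.20", "tcp", 5432))
```

Running the same web-to-database packet through the misordered list returns the explicit deny, which is exactly the kind of defect a rule review after deployment is meant to catch.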
To summarize, firewalls are more than just perimeter devices—they are dynamic, policy-driven platforms for enforcing security at every level of the network. Well-crafted firewall rules allow legitimate traffic and block harmful requests. Access control lists and port or protocol controls bring fine-grained filtering closer to the source. And deploying screened subnets—or DMZs—adds an important layer of isolation for public-facing services. Together, these practices harden the network, reduce attack surfaces, and support defense-in-depth.
For the Security Plus exam, be ready to answer questions about firewall configuration, rule order, and best practices. Know how ACLs differ from firewall rules, how port filtering enhances security, and how DMZs are deployed. Expect scenario-based questions that ask you to recommend or troubleshoot a firewall or network design. Review terms like deny by default, implicit allow, ingress filtering, and lateral movement—they’re all fair game on the exam and essential in practice.
For more episodes, study tools, and exam support, visit us at Bare Metal Cyber dot com. There you’ll find podcast archives, downloadable checklists, and our free newsletter. And when you're ready to focus your study and pass with confidence, visit Cyber Author dot me and grab your copy of Achieve CompTIA Security Plus S Y Zero Dash Seven Zero One Exam Success. It’s the most efficient and complete study guide for mastering the material and passing on your first try.
