Firewalls, IDS/IPS & Network Security Devices
Firewall Evolution: Packet Filter to WAF
Firewalls evolved from simple packet matching to deep application inspection. Each generation adds intelligence at a higher OSI layer. The exam tests knowing which firewall type is appropriate for which threat.
| Type | Intelligence Level | Tracks State? | Example / Use Case |
|---|---|---|---|
| Packet Filter (Stateless) | IP address and port only; no context | No; each packet is evaluated in isolation | iptables basic rules; ACLs on routers; GCP firewall rules (stateless mode) |
| Stateful Inspection | IP/port plus TCP connection state tracking | Yes; tracks SYN, SYN-ACK, established | Most enterprise firewalls (Cisco ASA, pfSense); GCP VPC firewall (stateful mode) |
| Application-Layer Proxy | Full protocol understanding; reads application data | Yes; acts as a full relay | Squid proxy; SMTP gateway; breaks and re-establishes connections |
| NGFW (Next-Gen Firewall) | App awareness + IPS + DPI + user identity | Yes, plus application signatures | Palo Alto Networks, Fortinet FortiGate, Check Point; used at the network perimeter |
| WAF (Web Application Firewall) | HTTP content inspection using OWASP rules | Yes; session-aware HTTP inspection | CloudFlare WAF, AWS WAF, ModSecurity; protects web apps from SQLi, XSS, CSRF |
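To make the "Tracks State?" column concrete, here is an added Python model (not code from the original page) of a stateless packet filter beside a stateful one; the rule sets, addresses and ports are constructed for illustration. It shows why a stateless filter needs a loose "let replies back in" rule that also admits unsolicited packets, while the stateful firewall admits return traffic from its connection table alone.

```python
from collections import namedtuple
Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: "S"=SYN, "SA"=SYN-ACK, "A"=ACK/data

# Constructed rule sets: (src prefix, sport, dst prefix, dport, action);
# None means "any"; first matching rule wins; default deny.
STRICT = [("10.0.0.", None, "", 443, "allow")]           # internal -> HTTPS out
SLOPPY = STRICT + [("", 443, "10.0.0.", None, "allow")]  # "let replies back in"

def match(pkt, rule):
    src, sport, dst, dport, _ = rule
    return (pkt.src.startswith(src) and pkt.dst.startswith(dst)
            and sport in (None, pkt.sport) and dport in (None, pkt.dport))

def stateless_filter(pkt, rules):
    """Packet filter: every packet is judged alone, with no connection memory."""
    return next((r[4] for r in rules if match(pkt, r)), "deny")

class StatefulFirewall:
    """Stateful inspection: remembers connections it allowed, so return traffic
    is admitted without a rule and unsolicited packets are not."""
    def __init__(self, rules):
        self.rules, self.table = rules, {}  # (src, sport, dst, dport) -> state

    def filter(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is not None:                   # belongs to a tracked connection
            if pkt.flags == "SA" and self.table[key] == "SYN_SENT":
                self.table[key] = "ESTABLISHED"
            return "allow"
        if pkt.flags != "S":                  # not a handshake start: no entry, drop
            return "deny"
        verdict = stateless_filter(pkt, self.rules)  # new connection: consult rules
        if verdict == "allow":
            self.table[fwd] = "SYN_SENT"
        return verdict

def demo():
    """Verdicts for an outbound HTTPS handshake plus an unsolicited inbound SYN
    that happens to use source port 443 (constructed traffic)."""
    syn = Packet("10.0.0.5", 51000, "203.0.113.10", 443, "S")
    syn_ack = Packet("203.0.113.10", 443, "10.0.0.5", 51000, "SA")
    spoofed = Packet("198.51.100.7", 443, "10.0.0.5", 22, "S")
    out = {name: [stateless_filter(p, r) for p in (syn, syn_ack, spoofed)]
           for name, r in (("stateless-strict", STRICT), ("stateless-sloppy", SLOPPY))}
    fw = StatefulFirewall(STRICT)
    out["stateful-strict"] = [fw.filter(p) for p in (syn, syn_ack, spoofed)]
    return out
```

With the strict rule set the stateless filter never lets the SYN-ACK back in, so the connection cannot complete; the sloppy rule fixes that but also admits the unsolicited SYN, which only the stateful firewall rejects.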
IDS vs IPS: Passive vs Active
The most common exam trap: IDS alerts but cannot block; IPS actively blocks but risks disrupting legitimate traffic. Deployment position determines capability.
| Feature | IDS (Intrusion Detection System) | IPS (Intrusion Prevention System) |
|---|---|---|
| Network Position | Out-of-band (passive tap; monitors a copy of traffic) | Inline (sits directly in the traffic path) |
| Primary Action | Alerts only; sends logs/alerts to SIEM | Blocks traffic AND alerts; drops malicious packets |
| Risk of False Positives | Low operational risk; cannot disrupt traffic | High risk; false positives block legitimate users |
| Performance Impact | Minimal; does not sit in the traffic path | Adds latency; every packet must be inspected inline |
| Best For | Visibility, compliance logging, forensics; when false positive risk is high | Active threat prevention; when accuracy is high and false positives are tuned |
Detection Methods
Signature-based:
- Matches traffic against known attack patterns (signatures)
- Low false positive rate; high accuracy for known threats
- Cannot detect zero-day attacks (no signature exists yet)
- Requires regular signature updates
Anomaly-based:
- Establishes a baseline of "normal" behavior
- Alerts on deviations from the baseline
- High false positive rate; tuning is critical
- Can detect zero-day and unknown attacks (behavioral)
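Added example (not from the original page) running both detection methods over constructed traffic records: signature matching finds the known pattern but not the novel upload, while a byte-volume anomaly detector flags the novel upload and also a legitimate backup, the false positive that makes tuning critical. Signature names, hosts, payloads and byte counts are all constructed.

```python
import re
import statistics

# Constructed signature set: fixed patterns for known attacks, as a signature IDS uses.
SIGNATURES = {
    "sqli-union": re.compile(r"union\s+select", re.I),
    "path-traversal": re.compile(r"(\.\./){2,}"),
}

def signature_detect(event):
    """Signature-based: report known patterns found in the payload; a new
    attack with no signature yields an empty list (the zero-day gap)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(event["payload"])]

class AnomalyDetector:
    """Anomaly-based: learn a per-host baseline of bytes per request, then
    flag requests whose z-score exceeds a threshold (the tuning knob)."""
    def __init__(self, threshold=3.0):
        self.threshold = threshold
        self.baseline = {}  # host -> (mean, stdev)

    def train(self, normal_events):
        sizes = {}
        for e in normal_events:
            sizes.setdefault(e["host"], []).append(e["bytes"])
        for host, vals in sizes.items():
            self.baseline[host] = (statistics.mean(vals), statistics.pstdev(vals) or 1.0)

    def detect(self, event):
        mean, sd = self.baseline.get(event["host"], (0.0, 1.0))
        return (event["bytes"] - mean) / sd > self.threshold

# Constructed traffic: a baseline of normal requests from one client, then test events.
NORMAL = [{"host": "10.0.0.5", "bytes": b, "payload": "GET /index.html"}
          for b in (480, 500, 520, 510, 490, 500)]
TESTS = [
    ("known-sqli", {"host": "10.0.0.5", "bytes": 510, "payload": "GET /item?id=1 UNION SELECT 1,2"}),
    ("novel-upload", {"host": "10.0.0.5", "bytes": 50_000, "payload": "POST /api/upload"}),
    ("legit-backup", {"host": "10.0.0.5", "bytes": 40_000, "payload": "PUT /backup/nightly.tar"}),
]

def triage(tests=TESTS, normal=NORMAL):
    """Return {label: (signature hits, anomaly flag)} for each test event."""
    det = AnomalyDetector()
    det.train(normal)
    return {label: (signature_detect(e), det.detect(e)) for label, e in tests}
```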
DMZ Architecture & Network Segmentation
A DMZ (Demilitarized Zone) is a semi-trusted network segment between the internet and the internal network. It hosts services that must be publicly accessible while protecting internal systems.
Honeypots & Honeynets
Honeypot: A decoy system designed to attract attackers. Logs attacker behavior for intelligence gathering. No legitimate users should ever access it; any access is by definition suspicious.
Honeynet: A network of multiple honeypots. Simulates a full network environment to study attacker techniques, lateral movement, and tools.
Legal considerations: Entrapment concern applies if you actively lure attackers with deceptive promises of gain. Passive honeypots (deployed on your own network, visible to scanners) are generally legal. Consult legal counsel before deploying honeypots in regulated environments. Collect evidence properly for any prosecution.
NAC (Network Access Control): 802.1X
802.1X is a port-based NAC standard that authenticates devices before granting network access. Prevents unauthorized devices from connecting to the network.
- Supplicant presents credentials (certificate, password) to the Authenticator
- Authenticator forwards the credentials to the RADIUS server; it does not make authentication decisions itself
- RADIUS grants or denies access; it can also assign a VLAN based on identity
- Used for both wired Ethernet ports and wireless access points
- Can enforce endpoint health checks (patch level, AV status) before granting access
Key Terms
- Stateless Packet Filter: Evaluates each packet independently using IP/port rules. No memory of previous packets or connection state.
- Stateful Firewall: Tracks TCP connection state. Allows return traffic automatically for established connections. Operates at Layer 4.
- NGFW (Next-Generation Firewall): Adds application identification, user identity, IPS, and deep packet inspection to stateful inspection.
- WAF (Web Application Firewall): Inspects HTTP/HTTPS content at Layer 7. Blocks SQLi, XSS, CSRF based on the OWASP ruleset.
- IDS (Intrusion Detection System): Passive, out-of-band. Monitors traffic and alerts. Cannot block traffic.
- IPS (Intrusion Prevention System): Active, inline. Detects and blocks malicious traffic in real time. Risk of false positives disrupting legitimate traffic.
- Signature-based Detection: Matches against known attack patterns. Low false positives but cannot detect zero-days or new attack variants.
- Anomaly-based Detection: Detects deviations from baseline behavior. High false positive rate but can catch unknown threats.
- DMZ (Demilitarized Zone): Semi-trusted network segment for public-facing servers. DMZ must NOT initiate connections to the internal network.
- NAC (Network Access Control): Verifies device identity and health before granting network access. Requires a RADIUS authentication server.
- Honeypot: Decoy system to detect and study attackers. Any access to a honeypot is suspicious by definition.
- RADIUS (Remote Authentication Dial-In User Service): Centralized authentication server used by 802.1X, VPN, and wireless access points.
- IDS = passive (alerts only); IPS = active (blocks). If a question asks what CAN disrupt legitimate traffic, the answer is IPS, not IDS. IDS cannot block anything.
- Anomaly-based = high false positive rate but catches unknown threats including zero-days. Signature-based = low FP rate but misses new attacks with no signature.
- DMZ critical rule: DMZ servers must NOT initiate connections to the internal network. Data from web servers in the DMZ should reach internal systems via a pull mechanism (an internal system polls the DMZ), never via direct DMZ-to-internal connections.
- NGFW adds application awareness on top of stateful inspection: it can block "Facebook" or "BitTorrent" by application name, not just by port. Traditional stateful firewalls only know ports.
- Honeypot is passive deception; it detects attackers but cannot block them. IPS actively blocks. Both are valid controls but serve different purposes.
- Partner C (PH), CloudFlare WAF: This is an application-layer WAF plus CDN at the edge, equivalent to an NGFW at Layer 7. Blocks OWASP Top 10 attacks before they reach GCP. Verify WAF rulesets are reviewed quarterly and custom rules exist for Partner C-specific endpoints (loan application, document upload).
- Platform B Payment Cluster: Network-isolated in GCP, equivalent to a DMZ. Payment services cannot initiate connections to other Platform C namespaces (enforced by Kubernetes NetworkPolicies). This is the correct DMZ pattern.
- Partner D B2B API: Fixed-IP allowlist at the GCP firewall layer = stateless packet filter as the first control. HMAC validation = application-layer control. Two-layer defense.
- Recommendation: Add IDS capability using GCP Cloud IDS for anomaly detection across all Platform C namespaces. Currently there is no out-of-band traffic monitoring for lateral movement detection inside GKE. Cloud IDS provides Palo Alto Networks threat detection fed by GCP traffic mirroring (out-of-band): low operational risk, high visibility.
Practice Quiz: Firewalls & IDS/IPS
Q1. Which security device can potentially disrupt legitimate network traffic?
Q2. Which traffic flow is NOT allowed in a correctly configured DMZ architecture?
Q3. What is the key capability that distinguishes an NGFW from a traditional stateful firewall?
Q4. What is the main advantage of anomaly-based IDS over signature-based IDS?
Q5. 802.1X network access control requires which server component?