Firewalls and IDS
> [!NOTE] This module explores the core principles of Firewalls and IDS, deriving solutions from first principles and hardware constraints to build world-class, production-ready expertise.
1. Firewalls
A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
Types of Firewalls
- Packet Filtering (Stateless): Inspects each packet in isolation.
  - Rule: “Allow Port 80 from any IP.”
  - Flaw: Doesn’t know whether the packet belongs to an established connection or is a random attack.
- Stateful Inspection: Maintains a state table of active connections.
  - If you send a request to Google, the firewall remembers it and automatically allows the reply back in.
- Next-Generation (NGFW) / Application Layer: Can look deep into the payload.
  - Rule: “Allow HTTP, but block any file uploads to Dropbox.”
2. IDS vs. IPS
Both are network monitoring tools that look for suspicious traffic patterns (signatures).
| Feature | IDS (Intrusion Detection) | IPS (Intrusion Prevention) |
|---|---|---|
| Action | Detect & Alert | Detect & Block |
| Placement | Out-of-band (Observer) | In-line (Traffic must pass through it) |
| Analogy | Security Camera | Security Guard |
3. Interactive: Stateful vs Stateless
Watch the firewall handle a reply.
[Interactive diagram: Internal Network (🏠) → Firewall (State: EMPTY) → Public Internet (🌍). Status: Waiting...]
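As an added example (not code from the original module), the following Python simulation contrasts the two inspection modes described in section 1 and animated in the demo above: a stateless filter that can only admit web replies by statically allowing every inbound packet with source port 80, beside a stateful filter whose state table starts EMPTY and is filled by outbound requests. The addresses, ports and the Packet/firewall class names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

FlowKey = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port); TCP assumed

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = leaving the internal network, "in" = arriving from the Internet

    def key(self) -> FlowKey:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_key(self) -> FlowKey:
        # The flow an inbound reply answers: the original request seen from the other side.
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port)

class StatelessFirewall:
    # Judges each packet in isolation; to admit web replies at all it must allow
    # every inbound packet with source port 80 (the flaw noted in section 1).
    def __init__(self, allowed_inbound_src_ports: Set[int]) -> None:
        self.allowed = allowed_inbound_src_ports

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            return "ALLOW"
        return "ALLOW" if pkt.src_port in self.allowed else "DROP"

class StatefulFirewall:
    # Records outbound flows in a state table (initially EMPTY, as in the demo)
    # and admits only inbound packets that answer a recorded flow.
    def __init__(self) -> None:
        self.state: Dict[FlowKey, str] = {}

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            self.state[pkt.key()] = "ESTABLISHED"
            return "ALLOW"
        return "ALLOW" if pkt.reverse_key() in self.state else "DROP"

def run_demo() -> Dict[str, Tuple[str, ...]]:
    # Constructed traffic (example addresses): a browser request, its reply, and an
    # unsolicited inbound packet that uses source port 80 so it resembles a web reply.
    request = Packet("10.0.0.5", 51000, "192.0.2.10", 80, "out")
    reply = Packet("192.0.2.10", 80, "10.0.0.5", 51000, "in")
    probe = Packet("203.0.113.9", 80, "10.0.0.5", 445, "in")
    verdicts = {}
    for name, fw in (("stateless", StatelessFirewall({80})), ("stateful", StatefulFirewall())):
        verdicts[name] = tuple(fw.decide(p) for p in (request, reply, probe))
    return verdicts
```

Only the stateful filter drops the unsolicited packet, because no outbound flow ever created a matching state entry; the stateless rule cannot tell it apart from the genuine reply.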
4. DMZ (Demilitarized Zone)
A physical or logical subnetwork that contains an organization’s external-facing services (web servers, DNS) and exposes them to an untrusted, usually larger, network such as the Internet.
- If a server in the DMZ is compromised, the internal firewall still protects the private network.