Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

4.2.2. Network Appliances and Firewalls

💡 First Principle: Network security appliances inspect, filter, and control traffic at various layers of the network stack. The right appliance depends on what you need to inspect and where in the traffic flow you need to inspect it.

Firewall types progress from simple to sophisticated, and each generation adds inspection depth:

  • Packet filtering — inspects headers (source/destination IP, ports). Fast but easily evaded because it doesn't examine payload content.
  • Stateful inspection — tracks connection state (new, established, related). Blocks packets that don't belong to an established session.
  • Application-layer / Next-Generation Firewall (NGFW) — inspects application-layer content, performs deep packet inspection, integrates IPS, URL filtering, and malware scanning. Most comprehensive but most resource-intensive.
  • Web Application Firewall (WAF) — specifically protects web applications against OWASP Top 10 attacks (SQLi, XSS, CSRF). Sits in front of web servers.
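To make the packet-filtering vs. stateful-inspection distinction concrete, here is a small added model (not from the original page) in which a header-only rule set passes any inbound packet carrying the ACK flag, while a stateful table only passes inbound packets that match a connection opened from inside. The addresses, ports, and the `Packet` type are constructed for the demo.

```python
# Added example: stateless packet filter vs. stateful firewall on constructed packets.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "A" = ACK, "SA" = SYN/ACK


def is_inside(ip: str) -> bool:
    # Hypothetical internal range: anything in 10.0.0.0/8 (prefix check only).
    return ip.startswith("10.")


def packet_filter(pkt: Packet) -> bool:
    """Stateless rule set that looks at headers only.
    Allows anything leaving the inside, and allows inbound packets that
    carry ACK as an approximation of 'reply to an existing session'.
    That approximation is exactly what the page calls 'easily evaded'."""
    if is_inside(pkt.src):
        return True
    return "A" in pkt.flags


class StatefulFirewall:
    """Remembers connections opened from inside (4-tuple table) and admits
    inbound packets only when they match a remembered connection."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            if "S" in pkt.flags and "A" not in pkt.flags:  # new outbound SYN
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: reverse the tuple and look it up.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def demo() -> dict[str, tuple[bool, bool]]:
    """Returns {name: (packet_filter_verdict, stateful_verdict)} for three packets."""
    fw = StatefulFirewall()
    outbound = Packet("10.1.1.5", 51000, "203.0.113.9", 443, "S")   # client opens HTTPS
    reply = Packet("203.0.113.9", 443, "10.1.1.5", 51000, "SA")     # legitimate SYN/ACK back
    stray = Packet("198.51.100.7", 40000, "10.1.1.5", 22, "A")      # unsolicited ACK, no session
    return {name: (packet_filter(p), fw.allow(p))
            for name, p in [("outbound", outbound), ("reply", reply), ("stray_ack", stray)]}
```

The stateless filter admits the stray ACK because its header matches the "established" rule, whereas the stateful firewall drops it because no inside host ever opened that connection.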

IDS/IPS — Intrusion Detection System monitors and alerts; Intrusion Prevention System monitors, alerts, and blocks. IDS is passive (out-of-band). IPS is inline (in the traffic path). Signature-based detection identifies known attacks; anomaly-based detection identifies deviations from baseline behavior.

Network Access Control (NAC) — evaluates devices before granting network access. Checks for updated antivirus, OS patches, disk encryption, and configuration compliance. Non-compliant devices are quarantined or given limited access.

Port security — limits the number of MAC addresses allowed on a switch port, preventing unauthorized device connections and MAC flooding attacks.

āš ļø Exam Trap: IDS detects and alerts only (passive). IPS detects, alerts, AND blocks (active). If the question says "the device blocked the attack," it's IPS. If it says "the device alerted but the attack succeeded," it's IDS.

Written by Alvin Varughese, Founder • 15 professional certifications