Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.5.1. Firewalls, IDS/IPS, and Web Filters

💡 First Principle: These technologies control and inspect network traffic at different layers and points in the network. Each serves a distinct purpose, and understanding when to use each — and how they complement each other — is essential.

Firewall rule management — rules should follow the principle of least privilege: deny by default, allow only what's explicitly needed. Rules are processed top-to-bottom; the first match applies. Rule ordering matters — a broad allow rule above a specific deny rule renders the deny rule useless. Regular rule reviews prune stale rules that accumulate over time. Implicit deny at the bottom blocks everything not explicitly permitted.

IDS vs. IPS — IDS detects and alerts; IPS detects and blocks. IDS is passive (monitors a copy of traffic), while IPS sits inline (traffic passes through it). IPS can stop attacks in real time but introduces a potential single point of failure.
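An added illustration of the passive-versus-inline distinction (not from the original course): the same signature engine run as an IDS (reports, never drops) and as an IPS (drops on match). Because an inline device is in the traffic path, it also has to decide what happens when its inspection engine is unavailable, which is the single point of failure the text mentions; the `fail_open` flag below models that choice. Signatures and packets are constructed, and the whole sensor is a toy.

```python
import re
from typing import Dict, List, Tuple

# Constructed detection signatures, keyed by name.
SIGNATURES: Dict[str, "re.Pattern[bytes]"] = {
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "test-marker": re.compile(rb"EICAR-TEST"),
}

def inspect(payload: bytes) -> List[str]:
    """Return names of all signatures that match the payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(payload)]

def run_sensor(packets: List[Tuple[int, bytes]], mode: str,
               engine_ok: bool = True, fail_open: bool = False):
    """mode='ids': passive copy of traffic, everything is forwarded regardless.
    mode='ips': inline, matching packets are dropped.
    engine_ok=False simulates the inspection engine being down."""
    assert mode in ("ids", "ips")
    alerts, forwarded = [], []
    for pkt_id, payload in packets:
        if not engine_ok:
            # IDS: the real traffic never depended on the sensor, so it keeps flowing.
            # IPS: inline device must fail open (pass uninspected) or fail closed (drop).
            if mode == "ids" or fail_open:
                forwarded.append(pkt_id)
            continue
        hits = inspect(payload)
        if hits:
            alerts.append((pkt_id, hits))
            if mode == "ips":
                continue  # blocked in real time
        forwarded.append(pkt_id)
    return alerts, forwarded

# Constructed sample traffic.
PACKETS = [
    (1, b"GET /index.html HTTP/1.1"),
    (2, b"GET /../../etc/passwd HTTP/1.1"),
    (3, b"POST /upload EICAR-TEST"),
]

if __name__ == "__main__":
    print("IDS:", run_sensor(PACKETS, "ids"))
    print("IPS:", run_sensor(PACKETS, "ips"))
    print("IPS, engine down, fail closed:", run_sensor(PACKETS, "ips", engine_ok=False))
```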

IDS/IPS deployment modes:
  • Network-based (NIDS/NIPS) — monitors network traffic at strategic points (network taps, SPAN ports). Sees all traffic passing through that network segment but can't inspect the contents of encrypted traffic unless something decrypts it first.
  • Host-based (HIDS/HIPS) — installed on individual systems. Sees all activity on that host, including encrypted traffic after decryption. Provides deeper visibility into individual system behavior.

Web filtering — controls web access by category (e.g. block gambling sites always, social media during work hours) or by reputation (block known-malicious domains). Prevents users from reaching phishing sites, drive-by download pages, and command-and-control servers.

Content filtering — inspects the content of web traffic (not just the URL) for malicious scripts, embedded malware, or policy violations. Goes deeper than URL filtering by examining what's inside the page.

URL filtering — blocks or allows access based on the specific URL or domain. Uses categorized databases of millions of websites updated in real time.
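The following added example (not from the original course) ties the three filtering layers above together: a URL/domain decision driven by a category database and a reputation list, including a time-of-day rule for a category, followed by a content inspection of the page body that runs only once the URL itself has been allowed. The domains, category database, reputation feed and content patterns are all constructed and deliberately tiny; real products use databases of millions of sites.

```python
import re
from datetime import time
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed category database (hypothetical domains).
CATEGORIES: Dict[str, str] = {
    "casino.example": "gambling",
    "social.example": "social-media",
    "news.example": "news",
}
# Constructed reputation feed of known-malicious domains.
MALICIOUS = {"login-verify.example"}

BLOCKED_ALWAYS = {"gambling"}
BLOCKED_WORK_HOURS = {"social-media"}
WORK_HOURS = (time(9, 0), time(17, 0))

def domain_category(host: str) -> str:
    """Walk up the labels so sub.social.example inherits social.example's category."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        cat = CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return "uncategorized"

def url_decision(url: str, now: time) -> Tuple[str, str]:
    """URL filtering: reputation first, then category (with a work-hours rule)."""
    host = urlsplit(url).hostname or ""
    if any(host == d or host.endswith("." + d) for d in MALICIOUS):
        return "block", "reputation"
    cat = domain_category(host)
    if cat in BLOCKED_ALWAYS:
        return "block", f"category:{cat}"
    if cat in BLOCKED_WORK_HOURS and WORK_HOURS[0] <= now < WORK_HOURS[1]:
        return "block", f"category:{cat}:work-hours"
    return "allow", f"category:{cat}"

# Constructed content-inspection heuristics; real engines use far richer signatures.
CONTENT_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "obfuscated-script": re.compile(r"<script[^>]*>[^<]*(?:eval|unescape)\s*\(", re.I),
    "hidden-iframe": re.compile(r"<iframe[^>]*(?:width|height)\s*=\s*[\"']?0\b", re.I),
}

def content_decision(body: str) -> Tuple[str, List[str]]:
    """Content filtering: look inside the page, not just at its URL."""
    hits = [name for name, pat in CONTENT_PATTERNS.items() if pat.search(body)]
    return ("block", hits) if hits else ("allow", hits)

def filter_request(url: str, now: time, body: str) -> Tuple[str, str]:
    """Full pipeline: URL decision, then content inspection only for allowed URLs."""
    verdict, reason = url_decision(url, now)
    if verdict == "block":
        return verdict, reason
    verdict, hits = content_decision(body)
    return verdict, ("content:" + ",".join(hits)) if hits else reason

if __name__ == "__main__":
    print(filter_request("https://www.casino.example/play", time(12, 0), "<html/>"))
    print(filter_request("https://social.example/feed", time(20, 0), "<html/>"))
    print(filter_request("https://news.example/", time(12, 0),
                         '<html><script>eval(unescape("%68"))</script></html>'))
```

Order matters here just as it does for firewall rules: the reputation check runs before the category lookup so a known-malicious host in an otherwise harmless category is still blocked, and content inspection is only spent on traffic the URL layer has already allowed.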

⚠️ Exam Trap: IDS detects and alerts; IPS detects and blocks. Firewall rules process top-to-bottom — the first matching rule applies. If you see a question about a rule that should block traffic but doesn't, check if a broader allow rule above it matches first.

Written by Alvin Varughese, Founder, 15 professional certifications