5.2.1. Physical, Logical, and Micro-Segmentation
💡 First Principle: Each generation of firewall evolved to inspect deeper into the packet — from headers only (packet filtering), to connection state (stateful), to application content (NGFW). Each layer of inspection provides more protection but also more processing overhead and complexity. The right firewall type matches the inspection depth needed to enforce the organization's policy against realistic threats.
Firewall generations:
| Generation | Inspection Level | State | Application Awareness | Limitations |
|---|---|---|---|---|
| Packet filter | IP/TCP/UDP headers only | ❌ Stateless | ❌ None | Cannot track connections; easily bypassed; no context |
| Stateful inspection | Headers + connection state table | ✅ Yes | ❌ Limited | Can't inspect encrypted traffic or application payloads |
| Application-layer / proxy | Full application content | ✅ Yes | ✅ Deep | Breaks connection (two separate connections); latency; limited protocol support |
| NGFW (Next-Gen Firewall) | All above + IPS + app ID + user ID + SSL inspection | ✅ Yes | ✅ Full | Processing overhead; SSL inspection creates privacy/cert management complexity |
Firewall deployment architectures:
DMZ (Demilitarized Zone): A network segment between the external firewall and the internal network, housing public-facing servers (web, email, DNS). A two-firewall DMZ provides defense in depth — traffic from the internet must pass through Firewall 1 to reach DMZ servers; traffic from the DMZ to the internal network must pass through Firewall 2. Compromise of a DMZ server does not directly expose the internal network.
Screened subnet — another term for DMZ architecture; the DMZ is the "screened" (filtered) subnet between external and internal firewalls.
Bastion host — a hardened, exposed server providing a specific service to untrusted networks. Typically in the DMZ or directly internet-accessible. Minimized attack surface: only the required service runs, all unnecessary services/ports disabled.
IDS vs. IPS:
| Feature | IDS (Intrusion Detection) | IPS (Intrusion Prevention) |
|---|---|---|
| Placement | Out-of-band (passive tap or SPAN port) | Inline (traffic must pass through) |
| Response | Alert/log — cannot block | Alert/log AND block traffic |
| Impact on traffic | None — passive | Latency and potential false-positive blocking |
| Failure mode | Fails open (traffic continues, detection stops) | Fails closed (traffic blocked) or open depending on config |
| Best for | Detection without availability risk | Active prevention where false positive risk is acceptable |
Detection methods:
| Method | How | Strength | Weakness |
|---|---|---|---|
| Signature-based | Match traffic against known attack signatures | High accuracy for known attacks; low false positives | Cannot detect zero-days; requires signature updates |
| Anomaly-based (heuristic) | Establish normal baseline; alert on deviations | Can detect novel attacks; behavioral | High false positive rate; requires training period |
| Stateful protocol analysis | Compare traffic against protocol specifications | Detects protocol violations | Limited to specific protocol decoders |
Honeypots and honeynets:
- Honeypot: A decoy system designed to attract attackers, detect reconnaissance, and gather intelligence on attack tools and techniques
- Honeynet: A network of honeypots forming a realistic fake environment
- Honeytokens: Fake credentials, API keys, or data records placed in systems — when accessed, they signal a breach
- Legal consideration: Entrapment is a concern. A honeypot must not actively lure or induce an attacker into committing an offense; it may only passively attract attackers who are already attempting to attack
⚠️ Exam Trap: IDS false positives (alerts on legitimate traffic) are a management problem that erodes trust in the system — analysts start ignoring alerts. False negatives (missed real attacks) are a security failure. The balance between these is tuned by threshold and sensitivity settings. An IDS/IPS tuned too sensitive generates alert fatigue; tuned too loose, it misses attacks. Both extremes are failures requiring different remediation.
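To make the threshold trade-off concrete, here is an added example (not part of the original notes) of a minimal anomaly-based port-scan detector run over constructed flow records: one chatty legitimate host, one fast scanner, and one slow scanner. The IP addresses, ports, timestamps and thresholds are all constructed sample data; the point is that simply raising the alert threshold to silence false positives lets a slow scan hide, whereas widening the observation window catches it without re-flagging the legitimate host.

```python
from collections import defaultdict

# Constructed sample flow records: (timestamp_seconds, src_ip, dst_port).
FLOWS = (
    # Legitimate host hitting a handful of services within one minute.
    [(t, "10.0.0.5", p) for t, p in zip(range(0, 60, 10), [80, 443, 8080, 80, 443, 22])]
    # Fast scanner: 40 distinct ports in 40 seconds.
    + [(100 + i, "203.0.113.7", 1 + i) for i in range(40)]
    # Slow scanner: 24 distinct ports, one probe every 10 minutes, over ~4 hours.
    + [(1000 + 600 * i, "198.51.100.9", 1000 + i) for i in range(24)]
)
SCANNERS = {"203.0.113.7", "198.51.100.9"}  # ground truth for the constructed data


def distinct_ports_per_window(flows, window_s):
    """Return {src_ip: max distinct destination ports seen in any window_s-second window}."""
    by_src = defaultdict(list)
    for t, src, port in flows:
        by_src[src].append((t, port))
    peaks = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            # Sliding window anchored at each event; count distinct ports inside it.
            ports = {p for t, p in events[i:] if t - t0 <= window_s}
            best = max(best, len(ports))
        peaks[src] = best
    return peaks


def detect_scans(flows, window_s, threshold):
    """Alert on every source that touched more than `threshold` distinct ports in one window."""
    peaks = distinct_ports_per_window(flows, window_s)
    return sorted(src for src, n in peaks.items() if n > threshold)


def evaluate(alerts):
    """Split alerts into true positives, false positives and missed scanners (false negatives)."""
    alerted = set(alerts)
    return {"tp": sorted(alerted & SCANNERS),
            "fp": sorted(alerted - SCANNERS),
            "fn": sorted(SCANNERS - alerted)}


if __name__ == "__main__":
    # Tight threshold: false positive on the legitimate host; slow scan missed.
    # Raised threshold: false positive gone, but slow scan still missed.
    # Wider window: both scanners caught, legitimate host stays quiet.
    for window, thr in [(60, 3), (60, 10), (86400, 10)]:
        print(f"window={window}s threshold={thr}: {evaluate(detect_scans(FLOWS, window, thr))}")
```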
Reflection Question: A company's NGFW logs show that an attacker has been performing port scans from an external IP for three days without triggering an alert. The IDS alert threshold was raised three months ago after security analysts complained about too many false positives. Identify the security failure, the organizational process that caused it, and the correct approach to balancing IDS sensitivity.