Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.2. Network Segmentation and Components

💡 First Principle: Network security devices are control points — they sit at boundaries between network zones of different trust levels and enforce policy on traffic crossing those boundaries. The value of each device type is precisely defined by which traffic attributes it can inspect and which enforcement actions it can take. A device that can only inspect headers cannot enforce content policy; a device that only filters by IP cannot prevent application-layer attacks.

Choosing the wrong device for a boundary is a common architectural error that creates false confidence — an organization with a traditional stateful firewall at the perimeter believes it is protected, but SQL injection attacks in HTTP traffic sail right through because the firewall only reads IP and transport-layer headers, not HTTP payloads.

Why this matters: Device selection questions are a major Category 4 exam theme. Scenarios will describe a security requirement and ask which device type addresses it. The answer requires matching the device's inspection capability to the threat — not just recognizing the device names.

⚠️ Common Misconception: "Firewalls and IDS/IPS do the same thing." Firewalls enforce access control — they allow or block traffic based on rules. IDS/IPS inspect traffic for attack patterns — they detect or block attacks within allowed traffic. Both are needed: a firewall stops unauthorized traffic; an IDS/IPS finds attacks in authorized traffic. A web server behind a firewall that permits port 443 is still vulnerable to SQL injection — the firewall allowed the HTTPS traffic, and the IDS/IPS is needed to detect the malicious payload within it.
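The following is an added example, not MindMesh Academy's own material, that models the two control points described above in a few dozen lines of Python: a stateful packet filter that decides from header fields only, and an inspection layer (the IDS/IPS role) that runs detection signatures over the application payload of traffic the firewall has already allowed. All names (`Packet`, `FirewallRule`, `process`, the signature list) and the sample requests are constructed for the illustration; the payload is modelled as already decrypted, which stands in for the TLS termination or decrypting proxy an IDS/IPS needs before it can see inside HTTPS at all.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import unquote_plus

# Constructed model of one network boundary with two control points:
#   1. a stateful packet filter that sees only IP/transport headers
#   2. an inspection layer (IDS/IPS role) that sees decrypted HTTP payloads
# All class and function names here are assumptions made for this example.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    dst_port: int
    payload: str = ""   # decrypted application data; empty for a header-only view


@dataclass(frozen=True)
class FirewallRule:
    action: str                      # "allow" or "deny"
    dst_ip: Optional[str] = None     # None means "any"
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # Only header attributes are available to the firewall; payload is never read.
        return ((self.dst_ip is None or self.dst_ip == pkt.dst_ip)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


def firewall_decision(rules: List[FirewallRule], pkt: Packet) -> str:
    """First-match evaluation over header fields only, default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed, deliberately simple SQL injection signatures for the inspection layer.
SQLI_SIGNATURES = [
    ("tautology",    re.compile(r"'\s*(or|and)\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("union-select", re.compile(r"\bunion\b.{0,20}\bselect\b", re.I | re.S)),
    ("sql-comment",  re.compile(r"--(\s|$)")),
]


def inspect_payload(payload: str) -> List[str]:
    """Return the names of signatures that fire on the URL-decoded HTTP request."""
    decoded = unquote_plus(payload)   # normalise %27 / + encoding before matching
    return [name for name, rx in SQLI_SIGNATURES if rx.search(decoded)]


@dataclass
class Verdict:
    firewall: str
    alerts: List[str] = field(default_factory=list)
    ips_action: str = "pass"


def process(rules: List[FirewallRule], pkt: Packet, ips_mode: bool = False) -> Verdict:
    """Header control point first; content inspection only on traffic that was allowed."""
    v = Verdict(firewall=firewall_decision(rules, pkt))
    if v.firewall != "allow":
        return v                       # blocked traffic never reaches the IDS/IPS
    v.alerts = inspect_payload(pkt.payload)
    if v.alerts:
        v.ips_action = "drop" if ips_mode else "alert"   # IPS blocks, IDS only alerts
    return v


# Constructed perimeter policy: permit HTTPS to the web server, deny everything else.
POLICY = [
    FirewallRule("allow", dst_ip="10.0.1.10", proto="tcp", dst_port=443),
    FirewallRule("deny"),
]

# Constructed sample traffic: same headers for the first two, different payloads.
BENIGN = Packet("203.0.113.5", "10.0.1.10", "tcp", 443,
                "GET /products?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n")
MALICIOUS = Packet("203.0.113.5", "10.0.1.10", "tcp", 443,
                   "GET /products?id=42%27+OR+1%3D1-- HTTP/1.1\r\nHost: shop.example\r\n\r\n")
SSH_PROBE = Packet("203.0.113.5", "10.0.1.10", "tcp", 22, "")

if __name__ == "__main__":
    for label, pkt in [("benign", BENIGN), ("sqli", MALICIOUS), ("ssh", SSH_PROBE)]:
        v = process(POLICY, pkt, ips_mode=True)
        print(f"{label:7} firewall={v.firewall:5} alerts={v.alerts} ips={v.ips_action}")
```

Running it shows the point of the misconception directly: the firewall returns the same `allow` verdict for the benign and the injected request because their headers are identical, and only the payload inspection separates them; the SSH probe is denied by the firewall and never reaches the inspection layer. The signatures are intentionally minimal and would need the normalisation and evasion handling of a production IDS/IPS, but the division of labour between the two control points is the same.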

Written by Alvin Varughese, Founder (15 professional certifications)