8.5.1. Firewalls, IPS, and Next-Gen Detection
💡 First Principle: Firewalls enforce network access policy by filtering traffic based on defined rules. The evolution from stateless packet filtering to next-generation firewalls (NGFWs) reflects the reality that attackers have moved up the protocol stack — blocking by IP and port is insufficient when malicious payloads travel inside legitimate HTTPS sessions to approved cloud services. Modern detection must inspect application-layer content, decrypt TLS traffic, and incorporate threat intelligence to identify sophisticated attacks.
Firewall evolution and capabilities:
| Generation | Inspects | Decides Based On | Limitation |
|---|---|---|---|
| Stateless packet filter | Individual packets | Source/dest IP, port, protocol | No session awareness; easily evaded by fragmentation |
| Stateful inspection | Connection state | Packet context within established sessions | Cannot inspect encrypted traffic or application content |
| Application proxy | Full application data | Application-layer protocol compliance | Performance bottleneck; limited protocol support |
| NGFW | Application + user + content | App identification, user identity, threat signatures, TLS decryption | Full inspection requires TLS decryption (privacy/legal implications); high cost, and throughput drops sharply once decryption is enabled |
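The difference between the first two rows is easiest to see on a packet trace. The following is an added example, not code from the page: a toy Python model of a stateless ACL beside a stateful filter, run over a constructed trace. The addresses, ports and the policy ("inside may open HTTPS outbound, nothing may be opened from outside") are hypothetical.

```python
"""Stateless vs stateful filtering of a constructed packet trace.

Added example, not from the page: a toy model of the first two firewall
generations in the table. Addresses, ports and the policy are hypothetical."""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # hypothetical internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # simplified TCP flags: "S" SYN, "SA" SYN/ACK, "A" ACK, "PA" PSH/ACK


def inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


# Policy: inside hosts may open HTTPS to anywhere; nothing may be opened from outside.

def stateless_allow(pkt: Packet) -> bool:
    """Stateless filter: every packet is judged on its own header.

    With no session table, the only way to let replies back in is a standing rule
    'permit inbound from port 443 if ACK is set'. A crafted packet with ACK set
    (an ACK scan) satisfies that rule even though no inside host asked for it."""
    if inside(pkt.src) and pkt.dport == 443:
        return True
    if inside(pkt.dst) and pkt.sport == 443 and "A" in pkt.flags:
        return True
    return False


class StatefulFilter:
    """Stateful filter: only a SYN from inside creates a session entry; every
    other packet must belong to an existing entry in either direction."""

    def __init__(self) -> None:
        self.sessions: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if inside(pkt.src) and pkt.dport == 443 and pkt.flags == "S":
            self.sessions.add(fwd)
            return True
        return fwd in self.sessions or rev in self.sessions


# Constructed trace: one real HTTPS session followed by two outside-initiated probes.
TRACE = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "S"),    # inside opens HTTPS
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, "SA"),   # legitimate reply
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "PA"),   # data inside the session
    Packet("198.51.100.7", 443, "10.0.0.5", 51001, "A"),    # crafted ACK from outside, no session
    Packet("198.51.100.7", 40000, "10.0.0.5", 22, "S"),     # outside tries to open SSH
]


def run_trace(trace=TRACE):
    """Return (stateless_verdict, stateful_verdict) for each packet in order."""
    sf = StatefulFilter()
    return [(stateless_allow(p), sf.allow(p)) for p in trace]


if __name__ == "__main__":
    for p, (sl, st) in zip(TRACE, run_trace()):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}] "
              f"stateless={sl} stateful={st}")
```

The fourth packet is the one that matters: the stateless rule set passes it because the header looks like a reply, while the stateful filter drops it because no inside host ever opened that connection. Neither filter looks past the TCP header, which is exactly the gap the application proxy and NGFW rows address.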
IDS/IPS deployment considerations:
| Factor | IDS | IPS |
|---|---|---|
| Placement | Passive (SPAN port or network tap); device failure costs visibility only | Inline (traffic passes through); device failure takes the path down unless it is configured to fail open |
| Action on detection | Alert only | Block, drop, or reset connection |
| False positive impact | Analyst investigates unnecessary alert | Legitimate traffic blocked — potential outage |
| Best for | Broad visibility; environments where blocking risk is too high | Critical choke points; known-bad signature blocking |
Detection methods:
| Method | How It Works | Strength | Weakness |
|---|---|---|---|
| Signature-based | Matches traffic against known-bad patterns | Very low false positives for known threats | Cannot detect novel attacks (zero-days) |
| Anomaly-based | Establishes behavioral baseline; alerts on deviations | Can detect unknown threats | High false positive rate; requires training period |
| Heuristic | Applies rules about suspicious behavior patterns | Detects attack categories rather than specific signatures | Must be tuned; generic rules generate noise |
Web Application Firewalls (WAF):
WAFs operate at Layer 7, inspecting HTTP/HTTPS traffic for application-layer attacks: SQL injection, cross-site scripting, command injection, and OWASP Top 10 categories. Unlike network firewalls, WAFs understand the application protocol and can block requests that contain malicious payloads within apparently normal web traffic. WAFs can also provide virtual patching — blocking exploitation of a known vulnerability while the application team develops and tests a permanent code fix.
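The three detection methods in the table above, the IDS-versus-IPS action choice, and the WAF virtual patch just described can all be exercised on a handful of web-server log lines. The following Python is an added example, not code from the page or from any particular product. Everything in it is constructed for illustration: the access-log lines and addresses, the signature list, the path-length anomaly baseline, and the hypothetical vulnerable `/export` endpoint that the virtual patch protects.

```python
"""Signature, anomaly and virtual-patch detection over constructed HTTP access-log lines.

Added example, not from the page. Log lines, hosts, paths, signatures and the
hypothetical '/export' virtual patch are all constructed for illustration."""
import re
import statistics
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed Common Log Format lines (hypothetical addresses and paths), not real traffic.
BASELINE_LOG = [  # training window: ordinary browsing, used to learn what "normal" looks like
    '10.1.1.10 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.1.1.11 - - [01/Jan/2024:10:00:02 +0000] "GET /products?id=42 HTTP/1.1" 200 2048',
    '10.1.1.12 - - [01/Jan/2024:10:00:03 +0000] "POST /login HTTP/1.1" 302 0',
    '10.1.1.10 - - [01/Jan/2024:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 9100',
    '10.1.1.13 - - [01/Jan/2024:10:00:05 +0000] "GET /products?id=7 HTTP/1.1" 200 2011',
    '10.1.1.11 - - [01/Jan/2024:10:00:06 +0000] "GET /about HTTP/1.1" 200 700',
]
DETECT_LOG = [  # detection window: one benign request, a known attack, a novel probe, a benign long path, a shell-injection attempt
    '10.1.1.10 - - [01/Jan/2024:11:00:01 +0000] "GET /products?id=42 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2024:11:00:02 +0000] "GET /products?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 500 0',
    '198.51.100.8 - - [01/Jan/2024:11:00:03 +0000] "GET /products?id=42%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 2048',
    '10.1.1.14 - - [01/Jan/2024:11:00:04 +0000] "GET /static/vendor/bootstrap/dist/css/bootstrap.min.css HTTP/1.1" 200 15000',
    '198.51.100.9 - - [01/Jan/2024:11:00:05 +0000] "GET /export?format=csv;id HTTP/1.1" 200 0',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]+" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+)$')

# Signature-based: known-bad patterns. Matched against the URL-decoded path, because
# "%20UNION%20SELECT" would otherwise slip past a pattern that expects whitespace.
SIGNATURES = {
    "sqli-union-select": re.compile(r"union\s+select", re.I),
    "xss-script-tag": re.compile(r"<script", re.I),
    "path-traversal": re.compile(r"\.\./"),
}

# Virtual patch (hypothetical scenario): until the /export handler stops passing the
# 'format' parameter to a shell, block shell metacharacters on that endpoint only.
# Scoping the rule to the vulnerable path keeps it from breaking other endpoints.
VIRTUAL_PATCHES = {
    "vpatch-export-shell-meta": (re.compile(r"^/export(\?|$)"), re.compile(r"[;|`$&]")),
}


@dataclass
class Verdict:
    ip: str
    path: str
    reasons: list
    action: str   # "pass", "alert" or "block"


def parse(line: str) -> dict:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])
    return rec


class AnomalyBaseline:
    """Anomaly-based: learn the distribution of decoded request-path lengths from the
    training window, then flag anything more than z_max standard deviations above the mean."""

    def __init__(self, training_lines, z_max: float = 3.0) -> None:
        lengths = [len(parse(l)["path"]) for l in training_lines]
        self.mean = statistics.mean(lengths)
        self.stdev = statistics.stdev(lengths)
        self.z_max = z_max

    def is_anomalous(self, path: str) -> bool:
        return (len(path) - self.mean) / self.stdev > self.z_max


def analyze(line: str, baseline: AnomalyBaseline, mode: str = "ids") -> Verdict:
    """mode='ids' only alerts; mode='ips' blocks on signature or virtual-patch hits.
    Anomaly-only hits are never blocked inline: their false-positive rate is too high."""
    rec = parse(line)
    path = rec["path"]
    reasons = [name for name, rx in SIGNATURES.items() if rx.search(path)]
    reasons += [name for name, (scope, rx) in VIRTUAL_PATCHES.items()
                if scope.search(path) and rx.search(path)]
    deterministic = bool(reasons)          # a signature or virtual-patch rule fired
    if baseline.is_anomalous(path):
        reasons.append("anomaly-path-length")
    if not reasons:
        action = "pass"
    elif mode == "ips" and deterministic:
        action = "block"
    else:
        action = "alert"
    return Verdict(rec["ip"], path, reasons, action)


def run(mode: str = "ids"):
    baseline = AnomalyBaseline(BASELINE_LOG)
    return [analyze(line, baseline, mode) for line in DETECT_LOG]


if __name__ == "__main__":
    for v in run("ips"):
        print(f"{v.action:5} {v.ip:14} {v.reasons} {v.path}")
```

Run in `ips` mode, the five detection lines illustrate each row of the table: the `UNION SELECT` request is blocked by signature; the `SLEEP(5)` probe matches no signature and is caught only as a length anomaly, so it is alerted rather than blocked; the long but harmless `bootstrap.min.css` path trips the same anomaly rule (the false positive the table warns about); and the `/export` request is blocked by the scoped virtual patch even though it is short enough to look normal. Keeping anomaly-only findings on the alert path is the kind of tuning the Reflection Question below is asking for.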
⚠️ Exam Trap: SSL/TLS inspection (decrypting encrypted traffic for inspection, then re-encrypting it) enables NGFWs and IPS to inspect traffic that would otherwise be opaque. However, it raises significant privacy and legal concerns: the organization is deliberately performing a man-in-the-middle on employee communications, which only works because every managed endpoint has been configured to trust the inspection device's signing CA. Legal review is required, certain categories of traffic (banking, healthcare portals) are typically excluded from decryption policies, and applications that pin their server certificates will fail rather than accept the substituted certificate, so those destinations must be bypassed as well.
Reflection Question: An organization deploys IPS inline at the internet perimeter and experiences a production outage when the IPS blocks legitimate API traffic from a cloud vendor due to a signature false positive. The network team proposes removing the IPS and replacing it with IDS-only monitoring. As the security architect, what is your response — and what alternative architecture would balance the need for inline blocking with the risk of false-positive disruption?