Firewalls, IDS/IPS & Network Segmentation¶

These are the workhorses of network defense. Each addresses a different question.

Firewalls — Controlling What Connects¶

A firewall enforces rules about which traffic may pass.

Type	Operates at	Inspects
Packet filter	L3/L4	IPs, ports, protocol
Stateful	L3/L4	Tracks connection state
Next-Gen (NGFW)	L3–L7	App awareness, IPS, TLS inspection
WAF	L7	HTTP requests (web-specific)

Default-Deny¶

The single most important firewall principle: deny everything, then explicitly allow only what's needed. A default-allow posture means every new threat is permitted until you notice it.

# Conceptual ruleset
ALLOW tcp any -> web-server:443
ALLOW tcp web-server -> db-server:5432
DENY  all                       # implicit final rule

IDS vs IPS¶

	IDS (Detection)	IPS (Prevention)
Action	Alerts	Alerts and blocks
Placement	Out-of-band (tap)	Inline
Risk	Misses fast attacks	False positive can block legit traffic

Detection Methods¶

Signature-based — matches known attack patterns. Great for known threats, blind to novel ones.
Anomaly-based — flags deviations from a learned baseline. Catches unknowns, but noisier.

Popular tools: Snort, Suricata, Zeek.

Network Segmentation¶

Divide the network into zones so a breach in one can't freely reach others.

   Internet
      │
   [ Firewall ]
      │
 ┌────┴─────┐
 │   DMZ    │  ← public web/email servers
 └────┬─────┘
   [ Firewall ]
      │
 ┌────┴─────────┐
 │ Internal LAN │  ← workstations
 └────┬─────────┘
   [ Firewall ]
      │
 ┌────┴───────┐
 │  Database  │  ← most sensitive, most isolated
 └────────────┘

DMZ (demilitarized zone): hosts that must be reachable from the internet, isolated from the internal network.
Microsegmentation: fine-grained, per-workload policies (common in cloud and zero-trust designs).
VLANs: logical segmentation at L2.

Why It Works¶

Segmentation limits blast radius and lateral movement. When an attacker compromises a workstation, segmentation forces them to cross another guarded boundary to reach the crown jewels — creating detection opportunities along the way.

Firewalls — Controlling What Connects¶

A firewall enforces rules about which traffic may pass.

Type	Operates at	Inspects
Packet filter	L3/L4	IPs, ports, protocol
Stateful	L3/L4	Tracks connection state
Next-Gen (NGFW)	L3–L7	App awareness, IPS, TLS inspection
WAF	L7	HTTP requests (web-specific)

Default-Deny¶

The single most important firewall principle: deny everything, then explicitly allow only what's needed. A default-allow posture means every new threat is permitted until you notice it.

# Conceptual ruleset ALLOW tcp any -> web-server:443 ALLOW tcp web-server -> db-server:5432 DENY all # implicit final rule

IDS vs IPS¶

	IDS (Detection)	IPS (Prevention)
Action	Alerts	Alerts and blocks
Placement	Out-of-band (tap)	Inline
Risk	Misses fast attacks	False positive can block legit traffic

Detection Methods¶

Signature-based — matches known attack patterns. Great for known threats, blind to novel ones.

Anomaly-based — flags deviations from a learned baseline. Catches unknowns, but noisier.

Popular tools: Snort, Suricata, Zeek.

Network Segmentation¶

Divide the network into zones so a breach in one can't freely reach others.

Internet │ [ Firewall ] │ ┌────┴─────┐ │ DMZ │ ← public web/email servers └────┬─────┘ [ Firewall ] │ ┌────┴─────────┐ │ Internal LAN │ ← workstations └────┬─────────┘ [ Firewall ] │ ┌────┴───────┐ │ Database │ ← most sensitive, most isolated └────────────┘

DMZ (demilitarized zone): hosts that must be reachable from the internet, isolated from the internal network.

Microsegmentation: fine-grained, per-workload policies (common in cloud and zero-trust designs).

VLANs: logical segmentation at L2.

Why It Works¶