Firewall types
A stateless (packet filtering) firewall inspects each packet in isolation against rules on source IP, destination IP, port and protocol. It keeps no memory of earlier packets, so it cannot tell whether an inbound packet that looks like a reply (source port 80 or 443, ACK flag set) actually answers a connection an internal host opened. To let legitimate replies in at all, a stateless rule set has to admit every packet that looks like one, and an attacker who crafts packets with those header fields walks straight through. Stateless filters are fast and cheap, which is why they still appear as router ACLs, but they are easy to evade.
A stateful firewall maintains a state table of active connections. When an internal host opens an outbound connection, the firewall records it; when a packet arrives, the firewall checks whether it belongs to a connection already in the table. An external packet that claims to be a response but matches no outbound connection in the state table is dropped. Stateful inspection is the baseline for any modern network firewall. The practical caveat is that the state table is finite, so floods of half-open connections (SYN floods) target the table itself; sizing, idle timeouts and SYN cookies or SYN proxying are part of operating one.
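The evasion described above, as an added example that is not part of the original page: a Python simulation that feeds the same three packets through a stateless rule set and a stateful filter. The internal prefix 10.0.0., the hosts, the ports and the rule set are assumptions made for the demonstration; the forged packet carries the header fields of a web reply (source port 443, ACK set) but is aimed at an SMB port on an internal host that opened nothing.

```python
from dataclasses import dataclass


# Constructed packet model for this simulation: the usual 5-tuple minus protocol, plus TCP flags.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


INTERNAL_PREFIX = "10.0.0."   # assumed internal network for the example
WEB_PORTS = {80, 443}


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_allow(pkt: Packet) -> bool:
    """Stateless policy: each packet is judged on its own header fields.
    Rule 1: inside -> outside to a web port is allowed.
    Rule 2: outside -> inside *from* a web port with ACK set is allowed; this is
            the only way a stateless filter can let web replies back in.
    Everything else is denied."""
    if is_internal(pkt.src) and not is_internal(pkt.dst) and pkt.dport in WEB_PORTS:
        return True
    if not is_internal(pkt.src) and is_internal(pkt.dst) and pkt.sport in WEB_PORTS and pkt.ack:
        return True
    return False


class StatefulFirewall:
    """Same outbound policy, but inbound packets are admitted only when the
    state table holds the connection the packet claims to answer."""

    def __init__(self) -> None:
        self.table = set()  # entries are (client_ip, client_port, server_ip, server_port)

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src) and not is_internal(pkt.dst) and pkt.dport in WEB_PORTS:
            if pkt.syn and not pkt.ack:                       # new outbound connection: record it
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.table
        # Inbound: must match an entry recorded in the reverse direction.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def run_scenario() -> dict:
    """Push three packets through both filters and return the verdicts in order."""
    client_syn = Packet("10.0.0.5", "203.0.113.10", 51000, 443, syn=True)
    real_reply = Packet("203.0.113.10", "10.0.0.5", 443, 51000, syn=True, ack=True)
    # Forged "reply": looks like web traffic coming back, but no internal host ever
    # talked to 198.51.100.7, and the real target is SMB (445) on 10.0.0.9.
    forged = Packet("198.51.100.7", "10.0.0.9", 443, 445, ack=True)

    fw = StatefulFirewall()
    packets = (client_syn, real_reply, forged)
    return {
        "stateless": [stateless_allow(p) for p in packets],
        "stateful": [fw.allow(p) for p in packets],
    }


if __name__ == "__main__":
    print(run_scenario())   # {'stateless': [True, True, True], 'stateful': [True, True, False]}
```

The stateless filter has no choice but to admit the forged packet, because the only thing distinguishing it from a real reply is history it does not keep. The stateful filter drops it because the reverse-direction lookup finds no entry.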
Next-Generation Firewalls (NGFWs) go beyond port and IP with Layer 7 application awareness, integrated IPS, SSL/TLS inspection and user identity-based policy. An NGFW can identify and block Tor or BitTorrent traffic regardless of the port it uses, because it classifies the application protocol itself even when it masquerades as ordinary web traffic. TLS inspection only works where the NGFW can terminate and re-encrypt the session, which requires the clients to trust the firewall's own CA certificate; sessions it cannot decrypt (certificate pinning, unmanaged devices) can only be classified from unencrypted metadata such as the TLS SNI and server certificate.
Web Application Firewalls (WAFs) protect web applications specifically, inspecting HTTP and HTTPS requests for attack patterns of the kind catalogued in the OWASP Top 10, such as SQL injection and cross-site scripting. CSRF is often listed alongside them, but a WAF has no reliable way to tell a forged cross-site request from a genuine one; CSRF is defended inside the application with anti-forgery tokens and SameSite cookies, and it was dropped from the OWASP Top 10 in the 2017 edition. WAFs operate at Layer 7 and sit in front of web application servers, usually as a reverse proxy or as a module inside one.
IDS and IPS
An IDS (Intrusion Detection System) monitors traffic and raises alerts when it sees suspicious patterns. It is passive: it sits out of band, fed by a SPAN (mirror) port or a network tap, and blocks nothing. Traffic flows regardless of what the IDS sees. A false positive is an unnecessary alert that wastes analyst time; a false negative is an attack that goes unnoticed.
An IPS (Intrusion Prevention System) is inline: traffic passes through it and it can drop packets or reset suspicious connections in real time. False positives now have a direct cost because legitimate traffic gets blocked, which is why IPS tuning matters: an aggressively configured IPS disrupts normal business operations. Being inline also makes it a single point of failure and a source of latency, so whether it fails open or fails closed on overload or crash is a deliberate design decision.
Detection methods matter for exam questions. Signature-based detection matches traffic against a database of known attack patterns. It is fast, accurate for known threats and produces few false positives, but it misses novel attacks and zero-days that match no existing signature, and trivial variations of a known payload (encoding, extra whitespace, case changes) can slip past a narrowly written signature. Anomaly-based (behavioral) detection builds a baseline of normal traffic and alerts when behaviour deviates from it. It can catch zero-days but generates more false positives, because normal traffic occasionally looks abnormal, and its baseline is only as good as the period it was learned from: activity that was already present during training becomes "normal".
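Both detection methods side by side, as an added example that is not part of the original page. The constructed traffic (dictionaries with a minute, a source IP and a request line), the three signature rules, the 3-sigma threshold and the hosts are all assumptions for the demonstration; a WAF applies the same signature approach to HTTP requests, so the signature half is also what a WAF rule looks like in miniature. The window contains a novel path sweep that only the anomaly detector catches, a known traversal string that only the signature catches, and a legitimate burst that the anomaly detector flags as a false positive.

```python
import re
import statistics
from collections import Counter

# Signature rules: known-bad patterns (assumed for the example). Fast and precise,
# blind to anything not on the list.
SIGNATURES = {
    "path-traversal": re.compile(r"(\.\./){2,}"),
    "sqli-tautology": re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.IGNORECASE),
    "shell-command": re.compile(r"cmd\.exe|/bin/sh", re.IGNORECASE),
}


def signature_alerts(events):
    """One alert per (source, rule) that matches the request payload."""
    return [(ev["src"], name)
            for ev in events
            for name, pat in SIGNATURES.items() if pat.search(ev["payload"])]


def build_baseline(training_events):
    """Per-source mean and population stdev of requests per minute."""
    per_min = Counter((ev["src"], ev["minute"]) for ev in training_events)
    series = {}
    for (src, _minute), n in per_min.items():
        series.setdefault(src, []).append(n)
    return {src: (statistics.mean(v), statistics.pstdev(v)) for src, v in series.items()}


def anomaly_alerts(baseline, events, k=3.0):
    """Alert when a source exceeds mean + k*stdev requests in one minute.
    A source with no baseline gets (0, 0); stdev is floored at 1 so a perfectly
    flat baseline does not fire on a single extra request."""
    per_min = Counter((ev["src"], ev["minute"]) for ev in events)
    alerts = []
    for (src, minute), n in sorted(per_min.items()):
        mean, sd = baseline.get(src, (0.0, 0.0))
        if n > mean + k * max(sd, 1.0):
            alerts.append((src, minute, n))
    return alerts


def make_event(minute, src, payload):
    return {"minute": minute, "src": src, "payload": payload}


def build_sample():
    """Constructed traffic. Training: 10.0.0.5 makes 9 to 11 ordinary requests per
    minute for ten minutes. The detection window holds three cases:
      minute 10: 10.0.0.5 sweeps 40 paths with harmless-looking GETs (novel, no signature)
      minute 11: 10.0.0.7 sends one request carrying a known traversal pattern
      minute 12: 10.0.0.5 legitimately fetches 15 update files (a benign burst)"""
    counts = [9, 10, 11, 10, 9, 10, 11, 10, 9, 11]
    training = [make_event(m, "10.0.0.5", f"GET /page{i}.html")
                for m, c in enumerate(counts) for i in range(c)]
    detection = (
        [make_event(10, "10.0.0.5", f"GET /admin{i}/") for i in range(40)]
        + [make_event(11, "10.0.0.7", "GET /download?file=../../../etc/passwd")]
        + [make_event(12, "10.0.0.5", f"GET /update/pkg-{i}.tar.gz") for i in range(15)]
    )
    return training, detection


def run_detectors():
    training, detection = build_sample()
    baseline = build_baseline(training)
    return {"signature": signature_alerts(detection),
            "anomaly": anomaly_alerts(baseline, detection)}


if __name__ == "__main__":
    print(run_detectors())
```

With this baseline (mean 10, stdev under 1, so the floored threshold is 13 requests per minute) the sweep at minute 10 and the update burst at minute 12 both trip the anomaly detector, and only a human can tell which one matters; the traversal request at minute 11 is a single request that no volume baseline would notice, and only the signature sees it.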
Honeypots are decoy systems placed in the network with no legitimate users or purpose. Any connection to a honeypot is by definition suspicious, so honeypots produce high-confidence, low-volume alerts. They attract attackers, waste their time and yield intelligence about attack techniques and tools without exposing real systems. The operational caveat is isolation: a honeypot that gets compromised must not become a pivot point, so it is segmented from production, monitored, and never trusted with real credentials or data.
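A minimal honeypot, as an added example that is not part of the original page: a loopback TCP listener that presents a fake FTP banner, records every connection with the peer address and whatever the client sent first, and treats each record as an alert. The banner text, the 127.0.0.1 binding, the OS-assigned port and the two scripted probes are assumptions for the demonstration; a deployed honeypot would bind a routable address on its own segment and forward the alerts to the SIEM.

```python
import socket
import threading
import time
from datetime import datetime, timezone


class Honeypot:
    """A TCP listener no legitimate client has any reason to contact. It answers
    with a fake service banner so probes reveal what they send next, and records
    every connection as an alert."""

    def __init__(self, host="127.0.0.1", port=0, banner=b"220 ftp.internal FTP server ready\r\n"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))       # port 0: the OS picks a free port (assumed for the demo)
        self.sock.listen(8)
        self.sock.settimeout(0.2)          # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.banner = banner
        self.alerts = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=3)
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (peer_ip, peer_port) = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.sendall(self.banner)
                    first_bytes = conn.recv(256)   # whatever the probe sends after the banner
                except OSError:
                    first_bytes = b""              # client closed or reset before sending
            with self._lock:
                self.alerts.append({
                    "time": datetime.now(timezone.utc).isoformat(),
                    "peer": f"{peer_ip}:{peer_port}",
                    "data": first_bytes,
                })


def probe(port, payload=b""):
    """Stand-in for an attacker's scanner: connect, read the banner, optionally send a command."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        banner = s.recv(256)
        if payload:
            s.sendall(payload)
    return banner


def run_demo():
    """Start a honeypot, hit it twice, and return the alerts it recorded."""
    hp = Honeypot()
    hp.start()
    try:
        probe(hp.port, b"USER anonymous\r\n")   # interactive probe that talks to the fake service
        probe(hp.port)                          # bare connect-and-close, as a port scanner does
        deadline = time.time() + 3
        while time.time() < deadline and len(hp.alerts) < 2:
            time.sleep(0.05)
    finally:
        hp.stop()
    return hp.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Both probes become alerts even though the second one sent nothing: the connection itself is the indicator. That is what makes honeypot alerts cheap to triage compared with IDS output, where the same two connections would have to be judged on content.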
Proxies and how to choose the correct answer
A forward proxy sits between internal clients and the internet. Clients send requests to the proxy, which forwards them outward; the external server sees the proxy's IP, not the client's. Uses: content filtering, caching, URL inspection, anonymization. A forward proxy is configured on the client side, either explicitly (browser or system proxy settings, PAC file) or as a transparent proxy that intercepts outbound traffic so clients need no configuration and cannot bypass it.
A reverse proxy sits in front of internal servers and receives connections from external clients, which it forwards to backend servers. Uses: load balancing, TLS termination, DDoS protection, hiding server topology. Clients never learn the real server addresses. Because the proxy terminates the client connection, the backend sees the proxy's address unless the proxy adds a header such as X-Forwarded-For, and that header must only be trusted when the request provably came from the proxy, since any client can set it on a direct connection.
IDS vs IPS: detects and alerts only = IDS (passive, out of band). Detects and blocks = IPS (active, inline). Stateless vs stateful: stateless checks each packet individually. Stateful tracks connection state. NGFW vs WAF: NGFW = general network traffic. WAF = HTTP/HTTPS web application traffic specifically.
Honeypot: any activity on it is suspicious. All connections are potential threats. Used for threat intelligence and early warning of attackers inside the network.