cyber revision

Firewalls, IDS/IPS, VPNs and segmentation

The defensive infrastructure of a network: how firewalls filter, how detection works, what a VPN actually protects, and why segmentation matters.


Firewalls

A firewall controls traffic between networks against a rule set, the textbook example of a preventive control. Generations differ in how much they understand:

  • Packet filtering (stateless): judges each packet alone on IP, port and protocol. Fast, but can't tell a legitimate reply from an unsolicited packet.
  • Stateful inspection: tracks the state of connections (the TCP handshake and beyond), so it can allow return traffic for connections it saw start, and drop packets that don't belong to any. The standard baseline.
  • Next-generation firewall (NGFW): adds application awareness (it can identify and filter specific apps regardless of port), integrated intrusion prevention, and often TLS inspection.
  • WAF (Web Application Firewall): a layer-7 firewall specifically for HTTP, filtering web attacks like injection and XSS. Complements, not replaces, a network firewall.
  • Proxy firewall: terminates connections and makes them on the client's behalf, hiding internal hosts and allowing deep inspection.

Two rule philosophies: default-deny (block everything, allow only what's needed, an application of fail-safe defaults) versus default-allow (asking for trouble). Firewall rules are evaluated in order, and a permissive rule above a restrictive one quietly defeats it, a common misconfiguration.
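To make the three points above concrete (first-match rule order, default-deny, and what "stateful" buys you), here is a small packet-filter model written for this note; it is an added example, not code from the original page or from any real firewall. The addresses (guest Wi-Fi 10.9.0.0/16, staff 10.1.0.0/16, a database at 10.2.0.10) are constructed, and the model deliberately ignores protocols other than TCP and CIDR edge cases.

```python
"""Tiny first-match packet filter with connection tracking (illustrative model, not a real firewall)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; 0.0.0.0/0 means "any"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None means any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    """Rules are consulted top-down and the first match decides; anything unmatched gets the default."""

    def __init__(self, rules, default="deny", stateful=True):
        self.rules = list(rules)
        self.default = default
        self.stateful = stateful
        self.flows = set()  # (src, sport, dst, dport) of connections we allowed to start

    def decide(self, p: Packet) -> str:
        # A stateful filter passes replies for connections it saw start, with no reverse rule needed.
        if self.stateful and (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow"
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow" and p.syn:
                    self.flows.add((p.src, p.sport, p.dst, p.dport))
                return rule.action
        return self.default


# Constructed policy: guests may never reach the database; everyone else may use Postgres on it.
GUEST = Rule("deny", src="10.9.0.0/16", dst="10.2.0.10/32")
DB = Rule("allow", dst="10.2.0.10/32", dport=5432)


def decisions(rules, stateful=True):
    """Run four constructed packets through a firewall built from `rules` and report each verdict."""
    fw = Firewall(rules, default="deny", stateful=stateful)
    guest_syn = Packet("10.9.0.5", 40000, "10.2.0.10", 5432, syn=True)
    staff_syn = Packet("10.1.0.7", 40001, "10.2.0.10", 5432, syn=True)
    reply = Packet("10.2.0.10", 5432, "10.1.0.7", 40001)          # the database answering staff_syn
    unsolicited = Packet("10.2.0.10", 5432, "10.1.0.9", 40002)    # no connection ever started this
    return {
        "guest": fw.decide(guest_syn),
        "staff": fw.decide(staff_syn),
        "reply": fw.decide(reply),
        "unsolicited": fw.decide(unsolicited),
    }


if __name__ == "__main__":
    print("correct order  ", decisions([GUEST, DB]))
    print("shadowed deny  ", decisions([DB, GUEST]))      # guest gets through: the allow sits above the deny
    print("stateless      ", decisions([GUEST, DB], stateful=False))  # legitimate reply dropped
```

With the deny above the allow, the guest is refused, staff get in, the database's reply is passed because the firewall remembers the connection, and the unsolicited packet falls to the default deny. Swap the two rules and the broader allow matches the guest first, so the deny never runs. Turn off state tracking and the same rule set drops the legitimate reply, which is exactly the situation that tempts people into adding a permissive reverse rule that would also pass the unsolicited packet.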

Placement matters: a DMZ (demilitarised zone) is a segment between two firewalls where internet-facing services (web, mail) live, so a compromise there doesn't directly reach the internal network.

IDS and IPS

Detection complements prevention: firewalls block known-bad, but something has to notice what slips through.

  • An IDS (Intrusion Detection System) monitors and alerts on suspicious activity. It sits out of band (on a mirror port), so it can't stop an attack, only report it.
  • An IPS (Intrusion Prevention System) sits inline and can block in real time. The trade-off: a false positive now drops legitimate traffic, and being inline makes it a potential bottleneck or failure point.

By scope: NIDS/NIPS watch network traffic; HIDS/HIPS watch a single host (file changes, processes, logs).

Detection methods (a frequent exam contrast):

  • Signature-based: matches known attack patterns. Strength: accurate on known threats, few false positives. Weakness: blind to novel/zero-day attacks.
  • Anomaly-based: flags deviation from a learned baseline. Strength: can catch unknown attacks. Weakness: noisier, more false positives, and the baseline must be sound.

In practice both are used together. Snort and Suricata are well-known signature-based engines.
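The contrast between the two methods shows up clearly when both are run over the same log. The script below is an added example written for this note (not Snort or Suricata code, and not from the original page): it applies a couple of hand-written signatures and a crude per-client rate baseline to a constructed set of Apache-style access log lines. Client addresses, paths and timestamps are all made up; the only assumption worth noting is that requests are URL-decoded before signature matching, so encoded variants of a known pattern still hit.

```python
"""Signature-based versus anomaly-based detection over constructed web access logs."""
import re
from collections import Counter
from urllib.parse import unquote

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Known-bad patterns. Matching happens after URL-decoding so %20 / %2F spellings don't slip past.
SIGNATURES = {
    "sqli-union": re.compile(r"union\s+select", re.I),
    "path-traversal": re.compile(r"\.\./"),
}


def log_line(ip, path, status=200, sec=0):
    """Build one constructed Apache-style access log line (sample data, not a real capture)."""
    return f'{ip} - - [10/Mar/2024:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 512'


# Learning window: ordinary browsing; no client makes more than three requests.
BASELINE_LOG = (
    [log_line("192.0.2.11", "/", sec=i) for i in range(3)]
    + [log_line("192.0.2.12", "/about", sec=i) for i in range(2)]
    + [log_line("192.0.2.13", "/item?id=7")]
)

# Detection window: one known attack pattern, one novel probing burst, one noisy but legitimate job.
TEST_LOG = (
    [log_line("203.0.113.5", "/item?id=1"),
     log_line("203.0.113.5", "/item?id=1%20UNION%20SELECT%20password", status=500, sec=1)]
    + [log_line("198.51.100.20", f"/old-backup-{i}.zip", status=404, sec=i) for i in range(12)]
    + [log_line("192.0.2.30", "/api/export", sec=i) for i in range(11)]   # scheduled export job
    + [log_line("192.0.2.11", "/", sec=i) for i in range(2)]
)


def parse(lines):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def signature_alerts(lines):
    """Signature-based: precise and quiet, but only for patterns someone has already written down."""
    alerts = []
    for rec in parse(lines):
        decoded = unquote(rec["path"])
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                alerts.append((rec["ip"], name))
    return alerts


def anomaly_alerts(baseline_lines, test_lines, factor=3):
    """Anomaly-based: flag any client whose request count exceeds `factor` times the busiest
    client in the learning window. Catches activity no signature names, and also flags
    unusual-but-legitimate activity, which is where the false positives come from."""
    normal_max = max(Counter(r["ip"] for r in parse(baseline_lines)).values())
    counts = Counter(r["ip"] for r in parse(test_lines))
    return {ip: n for ip, n in counts.items() if n > factor * normal_max}


if __name__ == "__main__":
    print("signature:", signature_alerts(TEST_LOG))
    print("anomaly:  ", anomaly_alerts(BASELINE_LOG, TEST_LOG))
```

The signature engine raises exactly one alert, for the encoded SQL injection attempt, and says nothing about the client probing for backup archives because no signature describes that. The anomaly detector flags that probing client, and also flags the export job at 192.0.2.30, a false positive that only a sounder baseline (one that had seen the job run before) would avoid. Together they cover each other's blind spot, which is why real deployments run both.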

VPNs

A VPN (Virtual Private Network) creates an encrypted tunnel across an untrusted network, so traffic inside it is confidential and integrity-protected even over public Wi-Fi or the internet. Two common uses:

  • Remote access: an individual connects securely to a corporate network from outside.
  • Site-to-site: two offices' networks are joined over the internet as if local.

Protocols: IPsec (operates at the network layer; AH provides integrity/authentication, ESP adds encryption) and higher-layer VPNs like OpenVPN (TLS-based) and WireGuard (the modern, lean, fast option).

Be precise about what a VPN protects: it secures data in transit between the endpoints of the tunnel. It does not make you anonymous, does not protect data once it leaves the far end, and does not stop malware on your device. The VPN provider can see your traffic where the tunnel terminates; you've moved trust, not eliminated it.

Segmentation and zero trust

Network segmentation divides a network into zones with controlled traffic between them, using VLANs, subnets and internal firewalls. The point is to contain blast radius: if an attacker compromises one segment, segmentation stops easy lateral movement to the crown jewels. Flat networks are why a single phished laptop sometimes leads to domain-wide ransomware, with nothing standing in the way.

Microsegmentation takes this to the level of individual workloads, and is the network expression of zero trust: traffic between internal systems is authenticated and authorised rather than trusted by virtue of being "inside". The slogan: never trust, always verify; the network location of a request grants it nothing.
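The phrase "blast radius" can be computed rather than hand-waved. The script below is an added example for this note, not code from the original page or from any product: it models a constructed six-host network under three policies (flat, zone segmentation, microsegmentation) and asks, for a given compromised host, which services it can reach directly and, in the worst case where every reachable service is assumed exploitable, which hosts it could end up owning. Hostnames, zones and ports are all made up for the illustration.

```python
"""Blast-radius comparison: flat network vs zone segmentation vs microsegmentation."""
from collections import deque

# Constructed inventory: host -> (zone, ports it listens on)
HOSTS = {
    "laptop-1": ("users", {445, 3389}),
    "laptop-2": ("users", {445, 3389}),
    "web-1":    ("app",   {22, 443}),
    "web-2":    ("app",   {22, 443}),
    "db-1":     ("data",  {22, 5432}),
    "backup-1": ("data",  {22, 873}),
}


def zone(host):
    return HOSTS[host][0]


# Flat network: any host can talk to any listening service.
def flat_allows(src, dst, port):
    return True


# Zone segmentation: internal firewalls permit only these zone-to-zone flows (constructed policy).
# Note the deliberate absence of users->users: client isolation stops laptop-to-laptop spread.
ZONE_POLICY = {("users", "app"): {443}, ("app", "data"): {5432}, ("data", "data"): {873}}


def segmented_allows(src, dst, port):
    return port in ZONE_POLICY.get((zone(src), zone(dst)), set())


# Microsegmentation: an explicit per-workload allow list; being in the same zone grants nothing.
MICRO_POLICY = {
    ("laptop-1", "web-1", 443), ("laptop-2", "web-1", 443),
    ("web-1", "db-1", 5432), ("db-1", "backup-1", 873),
}


def micro_allows(src, dst, port):
    return (src, dst, port) in MICRO_POLICY


def direct_exposure(start, allows):
    """Services an attacker holding `start` can connect to in a single hop."""
    return sorted(f"{h}:{p}" for h, (_, ports) in HOSTS.items() if h != start
                  for p in ports if allows(start, h, p))


def blast_radius(start, allows):
    """Worst-case reach: assume every reachable service is exploitable, so reaching a host
    means owning it, then chain hops (breadth-first) until nothing new is reachable."""
    owned, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for h, (_, ports) in HOSTS.items():
            if h not in owned and any(allows(cur, h, p) for p in ports):
                owned.add(h)
                queue.append(h)
    owned.discard(start)
    return sorted(owned)


if __name__ == "__main__":
    for name, allows in [("flat", flat_allows), ("zones", segmented_allows), ("micro", micro_allows)]:
        print(f"{name:6} phished laptop-1 sees {direct_exposure('laptop-1', allows)}")
        print(f"{name:6} worst case from laptop-1: {blast_radius('laptop-1', allows)}")
        print(f"{name:6} worst case from web-2:    {blast_radius('web-2', allows)}")
```

On the flat network the phished laptop can reach every port on every host, including SMB and RDP on its neighbour, which is the domain-wide ransomware scenario. Zone segmentation cuts its direct view to two web ports and removes the peer laptop from the worst case entirely, but a chain through the web tier can still end at the data zone. The microsegmentation policy shows the zero-trust difference inside a zone: under zone rules a compromised web-2 can reach the database simply because it lives in the app segment, whereas under the per-workload allow list web-2 reaches nothing, because no one ever granted it a flow.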

Other defensive pieces

  • NAC (Network Access Control): checks a device's identity and posture (patched? AV running?) before granting network access; 802.1X is the port-based authentication standard behind it.
  • Honeypots: deliberately vulnerable decoy systems that have no legitimate use, so any interaction is suspicious. Excellent high-signal detection and a way to study attacker behaviour.
  • Network monitoring / SIEM: aggregating logs and flow data centrally so detection has the full picture (covered in forensics).

Quick recall

  • Firewalls: stateless → stateful → NGFW; WAF is layer-7 for web. Use default-deny; rule order matters; put exposed services in a DMZ.
  • IDS alerts (out of band); IPS blocks (inline). Signature-based catches known attacks; anomaly-based catches novel ones at the cost of false positives.
  • A VPN encrypts traffic in transit between tunnel endpoints; it isn't anonymity and protects nothing past the far end. IPsec and WireGuard/OpenVPN.
  • Segmentation contains blast radius and blocks lateral movement; microsegmentation is zero trust applied to the network.
  • Honeypots are pure-signal decoys; NAC/802.1X gate device access.