Firewalls and IDS
This module explores the core principles of Firewalls and IDS, deriving solutions from first principles and hardware constraints to build world-class, production-ready expertise.
1. Firewalls: The Network Bouncer
Imagine a nightclub. The Firewall is the bouncer at the door, equipped with a strict guest list (Access Control Lists or ACLs). A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It establishes a barrier between a trusted internal network and an untrusted external network (like the Internet).
Types of Firewalls
- Packet Filtering (Stateless): The basic bouncer. They look at your ID (IP address and Port number) and check it against the list.
- How it works: Inspects individual packets in isolation without context of the session.
- Rule Example: “Allow TCP Port 80 (HTTP) from any IP.”
- The Flaw: It has no memory. It doesn’t know if a packet is a legitimate reply to a request you made, or a random attack packet spoofing a return address.
- Stateful Inspection: The smart bouncer. They remember who went outside to take a phone call and let them back in without checking ID again.
- How it works: Maintains a state table of active connections. It understands the TCP handshake (SYN, SYN-ACK, ACK).
- Example: If your internal IP 192.168.1.10 sends an outbound request to Google on Port 443, the firewall records this session. When Google replies, the firewall dynamically allows the inbound traffic only because it matches an established session.
- Next-Generation Firewall (NGFW) / Application Layer: The bouncer who also checks your pockets and listens to your conversation.
- How it works: Performs Deep Packet Inspection (DPI). It doesn’t just look at IPs and Ports; it looks deep into the application payload itself (Layer 7).
- Rule Example: “Allow HTTP traffic on Port 80, but block any file uploads to Dropbox or restrict Facebook chat.”
2. IDS vs. IPS: Signatures and Anomalies
While firewalls block traffic based on rules, they are blind to the intent of allowed traffic. If port 80 is open, a firewall lets the traffic through. But what if that traffic contains a SQL injection attack? This is where Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) come in. They are network monitoring tools that look for suspicious patterns.
- Signature-Based Detection: Compares traffic against a database of known attack patterns (like an antivirus scanner).
- Anomaly-Based Detection: Uses machine learning to establish a baseline of “normal” behavior. If traffic suddenly spikes at 3 AM, it raises an alert.
| Feature | IDS (Intrusion Detection) | IPS (Intrusion Prevention) |
|---|---|---|
| Core Action | Detect & Alert | Detect & Block |
| Network Placement | Out-of-band (Observer). Traffic is copied (mirrored) to it. | In-line (Chokepoint). Traffic must pass through it. |
| Impact on Latency | None. It analyzes traffic passively. | Adds slight latency. A failure can drop network traffic completely. |
| Analogy | Security Camera (Records the crime and alerts security) | Armed Security Guard (Actively tackles the intruder) |
3. Interactive: Stateful vs Stateless
Watch the firewall handle a reply.
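As an added example (not part of this module), here are the two bouncers from section 1 simulated in Python: a stateless filter that must blindly admit anything from source port 443 to let replies in, beside a stateful one that admits a reply only when it mirrors a session it recorded. The Packet class, the rule set and the remote addresses (TEST-NET values) are constructed for the demo.

```python
from dataclasses import dataclass
INTERNAL = "192.168.1.10"   # the internal host from the example above
REMOTE = "198.51.100.1"     # constructed TEST-NET address standing in for "Google"

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str = ""  # "SYN", "SYN-ACK", "ACK" or "" for plain data

def stateless_allow(pkt):
    """Basic bouncer: each packet is judged alone, with no memory of sessions."""
    if pkt.src_ip == INTERNAL and pkt.dst_port == 443:   # outbound HTTPS
        return True
    # Replies come back from source port 443, so a stateless rule must admit
    # *everything* inbound from port 443; a spoofed packet matches just as well.
    return pkt.dst_ip == INTERNAL and pkt.src_port == 443

class StatefulFirewall:
    """Smart bouncer: remembers who went outside and lets only them back in."""
    def __init__(self):
        self.sessions = set()  # 4-tuples: (in_ip, in_port, out_ip, out_port)

    def allow(self, pkt):
        outbound = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.src_ip == INTERNAL:
            # Only a fresh SYN to 443 opens a session; other outbound packets
            # must already belong to one.
            if pkt.flags == "SYN" and pkt.dst_port == 443:
                self.sessions.add(outbound)
            return outbound in self.sessions
        # Inbound is admitted only if it mirrors a recorded session exactly.
        inbound = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return inbound in self.sessions

# Constructed traffic: a legitimate request/reply pair, then a forged "reply"
# from an address the internal host never contacted.
REQUEST = Packet(INTERNAL, 51234, REMOTE, 443, "SYN")
REPLY = Packet(REMOTE, 443, INTERNAL, 51234, "SYN-ACK")
SPOOFED = Packet("203.0.113.7", 443, INTERNAL, 4444)

def verdicts():
    fw = StatefulFirewall()
    return {
        "stateless": [stateless_allow(p) for p in (REQUEST, REPLY, SPOOFED)],
        "stateful": [fw.allow(p) for p in (REQUEST, REPLY, SPOOFED)],
    }
```

Calling verdicts() shows the stateless rule admitting all three packets while the stateful table admits the request and its genuine reply but drops the forged one.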
4. DMZ (Demilitarized Zone): The Anteroom
A DMZ is a physical or logical subnetwork that contains and exposes an organization’s external-facing services (like Web servers, DNS servers, and Email servers) to an untrusted network, usually the Internet.
Think of it like the lobby of a high-security corporate building. The public is allowed in the lobby to speak to the receptionist (the web server), but they cannot pass the locked doors into the actual offices (the internal network) without a badge.
- The Architecture: Typically involves two firewalls. An external firewall allows traffic from the internet into the DMZ. An internal firewall strictly blocks traffic from the DMZ into the private internal network.
- The Benefit: If a hacker exploits a vulnerability in your public web server located in the DMZ, they are still isolated. The internal firewall prevents them from pivoting and attacking internal databases or employee workstations.
Real-World Example
A company hosts its own website.
- Internet -> (External Firewall allows Port 443) -> Web Server in DMZ.
- The Web Server needs data from the database.
- Web Server in DMZ -> (Internal Firewall allows Port 3306 only from the Web Server IP) -> Database Server in Internal Network.
- If the Web Server is compromised, the hacker cannot directly access internal employee laptops because the internal firewall blocks all traffic originating from the DMZ except the specific database port.