Network Security: Firewalls, VPNs, and Threat Detection
Network security is core to every security certification. Here are the concepts and distinctions that get tested.
Firewalls
Firewalls control network traffic based on rules. They range from simple packet filters to application-aware systems.
Packet Filtering (Layer 3/4):
- Inspects: source/destination IP, port, protocol
- Stateless: each packet evaluated independently
- Fast, but can't detect session-based attacks
- Example: AWS Security Groups, iptables

Stateful Inspection (Layer 4):
- Tracks connection state (SYN, established, FIN)
- Only allows packets that belong to established sessions
- Can detect half-open connection attacks

Next-Generation Firewall (NGFW, Layer 7):
- Deep packet inspection (reads content)
- Application awareness (block Zoom, allow Slack)
- Intrusion prevention, SSL inspection
- User identity awareness
- Example: Palo Alto, Cisco Firepower

Web Application Firewall (WAF):
- Layer 7, specifically for HTTP/HTTPS
- Blocks XSS, SQL injection and CSRF; also applies rate limiting
- Example: AWS WAF, Cloudflare WAF
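To make the stateless-versus-stateful distinction concrete, here is a small simulation added for this page (not code from any firewall product): a packet filter that judges each packet on its header fields alone, next to a stateful filter that keeps a connection table keyed on the 4-tuple and walks it through SYN, SYN-ACK, established and FIN. The addresses, ports and the `Packet` class are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # simplified TCP flags: "SYN", "SYN-ACK", "ACK" or "FIN"

INTERNAL = "10.0.0."  # constructed internal prefix for the example

def stateless_allow(pkt: Packet) -> bool:
    """Packet filter: no memory of sessions. To let replies to outbound HTTPS
    back in, it must admit ANY inbound packet whose source port is 443."""
    if pkt.src.startswith(INTERNAL) and pkt.dport == 443:  # outbound HTTPS
        return True
    if pkt.dst.startswith(INTERNAL) and pkt.sport == 443:  # looks like a reply
        return True
    return False

class StatefulFirewall:
    def __init__(self) -> None:
        self.table: dict[tuple, str] = {}  # (src, sport, dst, dport) -> state

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Internal host opens a new outbound HTTPS connection: record it as half-open
        if pkt.flags == "SYN" and pkt.src.startswith(INTERNAL) and pkt.dport == 443:
            self.table[key] = "SYN_SENT"
            return True
        # Server reply is only accepted if it answers a half-open connection we saw
        if pkt.flags == "SYN-ACK" and self.table.get(reverse) == "SYN_SENT":
            self.table[reverse] = "ESTABLISHED"
            return True
        # Everything else must belong to an established session, in either direction
        if "ESTABLISHED" in (self.table.get(key), self.table.get(reverse)):
            if pkt.flags == "FIN":  # teardown removes the entry
                self.table.pop(key, None)
                self.table.pop(reverse, None)
            return True
        return False  # unsolicited packet: no session, dropped

def demo() -> dict:
    fw = StatefulFirewall()
    handshake = [Packet("10.0.0.5", 50000, "203.0.113.10", 443, "SYN"),
                 Packet("203.0.113.10", 443, "10.0.0.5", 50000, "SYN-ACK"),
                 Packet("10.0.0.5", 50000, "203.0.113.10", 443, "ACK")]
    fin = Packet("10.0.0.5", 50000, "203.0.113.10", 443, "FIN")
    after_fin = Packet("203.0.113.10", 443, "10.0.0.5", 50000, "ACK")
    # Inbound packet with source port 443 but no matching session (constructed)
    unsolicited = Packet("198.51.100.7", 443, "10.0.0.9", 3389, "ACK")
    return {"handshake": [fw.allow(p) for p in handshake],
            "fin": fw.allow(fin), "after_fin": fw.allow(after_fin),
            "unsolicited_stateless": stateless_allow(unsolicited),
            "unsolicited_stateful": fw.allow(unsolicited)}
```

The stateless filter admits the unsolicited packet because its source port matches a rule; the stateful filter drops it because no session exists, and it also stops accepting traffic once the session has been torn down.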
IDS vs IPS
Intrusion Detection Systems detect attacks. Intrusion Prevention Systems detect AND block them.
IDS (Intrusion Detection System):
- Monitors and ALERTS on suspicious activity
- Passive — does not block traffic
- Can be out-of-band (copy of traffic)
- Lower risk of false positives blocking legitimate traffic

IPS (Intrusion Prevention System):
- Monitors and BLOCKS suspicious activity
- Inline — sits in traffic path
- Can disrupt legitimate traffic if misconfigured
- Higher security than IDS

Detection methods:
- Signature-based: matches known attack patterns (fast, misses new attacks)
- Anomaly-based: detects deviations from baseline (catches new attacks, more false positives)
- Behaviour-based: detects unusual user/system behaviour

Placement:
- NIDS/NIPS: monitors network traffic
- HIDS/HIPS: monitors an individual host (processes, files, logs)
VPN types
VPNs create encrypted tunnels for secure communication.
Site-to-Site VPN:
- Connects two networks (office to data centre)
- Always-on tunnel between gateways
- Users don't need to do anything

Remote Access VPN:
- Connects an individual user to the corporate network
- User installs a VPN client, connects on demand
- Example: OpenVPN, Cisco AnyConnect

SSL/TLS VPN:
- Uses standard HTTPS (port 443)
- Often browser-based, no client required
- Less likely to be blocked by firewalls

IPSec:
- Protocol suite for securing IP communications
- Used in most site-to-site VPNs
- Two modes:
  - Transport: encrypts payload only
  - Tunnel: encrypts the entire IP packet (includes headers)

Split tunneling:
- Only corporate traffic goes through the VPN
- Internet traffic goes directly
- Less bandwidth on the VPN, lower security
Network segmentation and Zero Trust
Segmentation limits lateral movement after a breach. Zero Trust assumes the network is already compromised.
Network Segmentation:
- Divide the network into zones/segments
- Limit traffic between segments with firewalls
- If one segment is compromised, the attacker can't freely move
- Example: put the database on a separate VLAN from the web servers

DMZ (Demilitarised Zone):
- Network between the internet and the internal network
- Public-facing servers (web, email) placed here
- Internet → DMZ allowed
- DMZ → Internal network restricted

Zero Trust principles: "Never trust, always verify"
1. Verify every user and device (even internal)
2. Least privilege access
3. Assume breach — segment and monitor
4. Verify explicitly (MFA, device health, location)
5. Encrypt all traffic (east-west, not just north-south)
Exam tip
IDS vs IPS is always tested: IDS detects/alerts, IPS detects/blocks. Also know the DMZ: the zone for public-facing servers, separated from the internet by one firewall and from internal systems by another.