Firewalls, IDS, and IPS: Network Security Devices Explained

Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS) are the foundation of network security. Each serves a distinct role in protecting enterprise networks.

What is a Firewall?

A firewall is a network security device that monitors and controls incoming and outgoing traffic based on predetermined security rules. Firewalls create a barrier between trusted internal networks and untrusted external networks (like the internet).

Firewalls can be hardware appliances, software running on servers, or cloud-based services. They inspect traffic at various layers of the OSI model depending on the type.

  • Firewalls enforce security policies by permitting or denying traffic
  • Can be hardware, software, or cloud-based (FWaaS)
  • Rules are based on source/destination IP, port, protocol, or application
  • Default-deny policy: block everything, then allow only what's needed

Types of Firewalls

Packet Filter Firewall — the simplest type, inspects packets individually at the network layer. Makes decisions based on source/destination IP, port, and protocol. Stateless — it doesn't track connection state.

Stateful Firewall — tracks the state of active connections. If a packet matches an established connection, it's allowed through without re-checking rules. Stateful firewalls are more secure than stateless because they understand the context of traffic.

Next-Generation Firewall (NGFW) — combines traditional firewall capabilities with application awareness, intrusion prevention, and deep packet inspection. NGFWs can identify applications regardless of port or protocol.

Web Application Firewall (WAF) — specifically protects web applications by filtering and monitoring HTTP/HTTPS traffic. WAFs defend against SQL injection, XSS, and other application-layer attacks.

Unified Threat Management (UTM) — combines multiple security functions (firewall, IDS/IPS, antivirus, VPN, content filtering) in a single appliance.

  • Packet filter: stateless, inspects individual packets (fast, basic)
  • Stateful: tracks connection state, more secure than stateless
  • NGFW: application-aware, includes IPS and deep packet inspection
  • WAF: protects web applications from application-layer attacks
  • UTM: all-in-one security appliance for small/medium businesses
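To make the default-deny rule and the difference between a stateless packet filter and a stateful firewall concrete, here is an added example (not from the original page) that simulates both over the same three packets. The Packet and Rule classes, the 10.0.0.0/8 inside network, the addresses 203.0.113.10 and 198.51.100.7 and the single allow rule are all constructed for the illustration:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # CIDR; "0.0.0.0/0" means any source
    dst: str                    # CIDR; "0.0.0.0/0" means any destination
    dst_port: Optional[int]     # None matches any destination port
    proto: str = "tcp"

    def matches(self, pkt: Packet) -> bool:
        return (
            ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(self.dst)
            and (self.dst_port is None or self.dst_port == pkt.dst_port)
            and self.proto == pkt.proto
        )


class PacketFilter:
    """Stateless filter: every packet is checked against the rule list in order.
    If no rule matches, the packet is denied (default-deny)."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


ConnKey = Tuple[str, int, str, int, str]


class StatefulFirewall(PacketFilter):
    """Stateful filter: the first packet of a flow is checked against the rules;
    once allowed, the flow is recorded and later packets in either direction
    pass without the rules being re-evaluated."""

    def __init__(self, rules):
        super().__init__(rules)
        self.connections: Set[ConnKey] = set()

    def decide(self, pkt: Packet) -> str:
        forward = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if forward in self.connections or reverse in self.connections:
            return "allow"                  # part of an established connection
        action = super().decide(pkt)
        if action == "allow":
            self.connections.add(forward)   # remember the newly opened flow
        return action


# Constructed policy (assumption): inside hosts may open HTTPS to anywhere.
RULES = [Rule("allow", "10.0.0.0/8", "0.0.0.0/0", 443)]


def compare() -> dict:
    """Run the same three packets through both firewalls and return the decisions."""
    outbound = Packet("10.0.0.5", "203.0.113.10", 51000, 443)      # inside -> web server
    reply = Packet("203.0.113.10", "10.0.0.5", 443, 51000)         # the server's reply
    unsolicited = Packet("198.51.100.7", "10.0.0.5", 443, 51000)   # inbound, never requested
    stateless = PacketFilter(RULES)
    stateful = StatefulFirewall(RULES)
    return {
        "stateless": [stateless.decide(p) for p in (outbound, reply, unsolicited)],
        "stateful": [stateful.decide(p) for p in (outbound, reply, unsolicited)],
    }


if __name__ == "__main__":
    print(compare())
```

The stateless filter denies the server's reply because no rule covers traffic from the internet to an ephemeral port; a real packet filter would need a broad inbound rule (for example, allowing anything to ports above 1023, or anything with the TCP ACK flag set) to let replies through, which is exactly the gap a stateful firewall closes by remembering the outbound connection. The unsolicited packet is denied by both: it matches no tracked flow and no rule. Note that the connection table here never expires entries; a real firewall ages them out on timeout or when it sees the connection close.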

IDS vs IPS

Intrusion Detection System (IDS) — monitors network traffic for suspicious activity and generates alerts. An IDS is passive: it detects threats and notifies administrators but does not take action to stop them. It can be network-based (NIDS), monitoring all traffic on a network segment, or host-based (HIDS), monitoring a single system.

Intrusion Prevention System (IPS) — builds on IDS capabilities but actively blocks threats in real time. An IPS sits inline with the traffic flow and can drop malicious packets, block offending IP addresses, and reset connections.

The key difference: IDS alerts, IPS prevents. IDS uses a tap or SPAN port (out of band), while IPS sits inline with traffic. Both use signature-based detection (matching known attack patterns) and anomaly-based detection (comparing against a baseline of normal behavior).

  • IDS: passive monitoring — detects and alerts, does not block
  • IPS: active prevention — sits inline, blocks threats in real time
  • Signature-based: matches known attack patterns (fast, misses zero-days)
  • Anomaly-based: compares to baseline behavior (detects novel attacks, more false positives)
  • Both can be network-based (NIDS/NIPS) or host-based (HIDS/HIPS)
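The detection methods and the IDS/IPS distinction above, as an added example that is not part of the original page: a small detector runs signature-based and anomaly-based checks over constructed web access log lines, first in passive IDS mode (alerts only) and then in inline IPS mode (drop and block). The log format, the three signatures, the requests-per-source metric, the mean plus three standard deviations threshold and the addresses 10.0.0.x and 198.51.100.7 are all assumptions made for the illustration:

```python
import re
import statistics
from collections import Counter
from typing import Dict, List, Set, Tuple
from urllib.parse import unquote_plus

# Signature-based detection: patterns for known attack strings
# (a deliberately small, constructed set).
SIGNATURES = {
    "sqli-union-select": re.compile(r"union\s+select", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
    "xss-script-tag": re.compile(r"<script", re.IGNORECASE),
}


def parse(line: str) -> Dict[str, str]:
    """Parse one constructed log line: '<timestamp> <src_ip> <method> <path> <status>'.
    The path is URL-decoded before matching so encoded variants of a pattern are not missed."""
    ts, src, method, path, status = line.split()
    return {"ts": ts, "src": src, "method": method, "path": unquote_plus(path), "status": status}


def signature_alerts(lines: List[str]) -> List[Tuple[str, str, str]]:
    """IDS mode: return (source, signature name, decoded path) for every hit. Nothing is blocked."""
    alerts = []
    for line in lines:
        rec = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append((rec["src"], name, rec["path"]))
    return alerts


def build_baseline(training_lines: List[str]) -> float:
    """Anomaly-based detection, step 1: learn what normal looks like.
    The metric is requests per source; the threshold is mean + 3 standard deviations."""
    counts = Counter(parse(line)["src"] for line in training_lines)
    values = list(counts.values())
    return statistics.mean(values) + 3 * statistics.pstdev(values)


def anomaly_alerts(lines: List[str], threshold: float) -> Set[str]:
    """Anomaly-based detection, step 2: flag sources whose request count exceeds the threshold."""
    counts = Counter(parse(line)["src"] for line in lines)
    return {src for src, n in counts.items() if n > threshold}


def ips_inline(lines: List[str]) -> Tuple[List[str], List[str], Set[str]]:
    """IPS mode: the same signatures, but each line is decided inline as it arrives.
    A hit drops the request and blocks its source; later requests from a blocked source are dropped too."""
    passed, dropped, blocked = [], [], set()
    for line in lines:
        rec = parse(line)
        hit = rec["src"] in blocked or any(p.search(rec["path"]) for p in SIGNATURES.values())
        if hit:
            blocked.add(rec["src"])
            dropped.append(line)
        else:
            passed.append(line)
    return passed, dropped, blocked


# Constructed sample logs (no real traffic): a quiet training window, then an
# observation window in which 198.51.100.7 sends 12 requests, two of them malicious.
TRAINING = [f"2024-03-01T10:00:{i:02d} {ip} GET /index.html 200"
            for ip, n in (("10.0.0.5", 5), ("10.0.0.6", 6), ("10.0.0.7", 4)) for i in range(n)]
ATTACKER = "198.51.100.7"
OBSERVED = (
    [f"2024-03-01T11:00:{i:02d} 10.0.0.5 GET /index.html 200" for i in range(3)]
    + [f"2024-03-01T11:01:{i:02d} {ATTACKER} GET /index.html 200" for i in range(5)]
    + [f"2024-03-01T11:01:05 {ATTACKER} GET /search?q=1%20union%20select%20user,pass 200"]
    + [f"2024-03-01T11:01:06 {ATTACKER} GET /static/../../etc/passwd 404"]
    + [f"2024-03-01T11:01:{i:02d} {ATTACKER} GET /login 200" for i in range(7, 12)]
)

if __name__ == "__main__":
    print(signature_alerts(OBSERVED))
    print(anomaly_alerts(OBSERVED, build_baseline(TRAINING)))
    passed, dropped, blocked = ips_inline(OBSERVED)
    print(len(passed), "passed,", len(dropped), "dropped, blocked:", blocked)
```

The signature checks run on the URL-decoded path; matching on the raw request would miss the percent-encoded variant, which is why signature engines normalise input before matching. The anomaly check flags 198.51.100.7 on volume alone, with no knowledge of what it requested, so it catches behaviour no signature describes but would equally flag a legitimate busy client (the false positives mentioned in the list above). In IPS mode the five benign-looking requests that precede the first hit pass through: an inline device decides per packet and cannot retroactively block what it has already forwarded.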

DMZ and Network Segmentation

A DMZ (Demilitarized Zone) is a network segment that sits between the internal network and the internet. Public-facing services (web servers, email servers, DNS) are placed in the DMZ so that if one of them is compromised, the attacker still cannot reach internal systems.

A typical DMZ design uses three interfaces on the firewall: outside (internet), DMZ (public servers), and inside (internal network). Traffic flows are tightly controlled: Internet → DMZ (allowed for specific services), DMZ → Internet (controlled outbound), DMZ → Inside (restricted or blocked), Inside → DMZ (allowed for management).

  • DMZ isolates public-facing servers from the internal network
  • Compromise of a DMZ server does not grant access to internal systems
  • Often implemented with a three-legged firewall architecture
  • Screened subnet is another term for DMZ
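The three-legged DMZ policy described above, as an added example that is not from the original page: a zone classifier plus a zone-pair policy table, evaluated for a few constructed flows. The address ranges (10.0.0.0/8 inside, 172.16.10.0/24 DMZ, everything else outside), the port sets allowed in each direction, and the assumption that Inside → Internet is allowed without restriction are all choices made for the illustration:

```python
import ipaddress
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed addressing for the three firewall legs (assumption). Anything that
# is neither inside nor DMZ is treated as the outside, i.e. the internet.
ZONES = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("172.16.10.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to the firewall leg it sits behind."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"


# Zone-pair policy: the TCP destination ports allowed from the source zone to the
# destination zone. None means every port; an empty set means the direction is
# blocked; a pair that is absent from the table is blocked too (default deny).
POLICY: Dict[Tuple[str, str], Optional[FrozenSet[int]]] = {
    ("outside", "dmz"): frozenset({80, 443, 25, 53}),   # published services only
    ("dmz", "outside"): frozenset({53, 443}),           # controlled outbound (DNS, updates)
    ("dmz", "inside"): frozenset(),                     # blocked: a compromised DMZ host gets nothing
    ("inside", "dmz"): frozenset({22, 443}),            # management access
    ("inside", "outside"): None,                        # assumption: internal users browse freely
    # ("outside", "inside") is intentionally absent, so it is blocked
}


def decide(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return "allow" or "deny" for a flow crossing the firewall."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "allow"          # intra-zone traffic never crosses the firewall
    allowed = POLICY.get((src_zone, dst_zone), frozenset())
    if allowed is None or dst_port in allowed:
        return "allow"
    return "deny"


def walkthrough() -> Dict[str, str]:
    """Evaluate a handful of constructed flows through the policy."""
    cases = {
        "internet to DMZ web server :443": ("203.0.113.9", "172.16.10.10", 443),
        "internet to DMZ web server :22": ("203.0.113.9", "172.16.10.10", 22),
        "internet to inside file server :445": ("203.0.113.9", "10.0.0.20", 445),
        "DMZ web server to inside database :3306": ("172.16.10.10", "10.0.0.30", 3306),
        "DMZ web server to internet DNS :53": ("172.16.10.10", "203.0.113.53", 53),
        "inside admin to DMZ web server :22": ("10.0.0.5", "172.16.10.10", 22),
    }
    return {label: decide(*args) for label, args in cases.items()}


if __name__ == "__main__":
    for label, verdict in walkthrough().items():
        print(f"{verdict:5}  {label}")
```

DMZ → Inside is an empty set here, i.e. fully blocked. Where a DMZ application genuinely needs an internal backend, the entry becomes one narrow allow (one source, one destination, one port) rather than opening the direction, and that single entry is all an attacker on a compromised DMZ host has to work with. The absence of an (outside, inside) entry, combined with the default-deny lookup, keeps the internet from reaching internal systems even if nobody remembers to write an explicit deny.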

Exam Tip

Know the firewall types: packet filter (stateless), stateful, NGFW, WAF, UTM. Understand IDS vs IPS: IDS alerts, IPS blocks. WAF protects web apps (Layer 7). DMZ design is a common exam scenario.