Firewalls and Intrusion Prevention Systems (IPS)
Firewalls and Intrusion Prevention Systems (IPS) are critical components of network security, serving as primary defense mechanisms to protect organizational networks from unauthorized access and malicious activities.

**Firewalls** act as barriers between trusted internal networks and untrusted external networks, such as the internet. They monitor and control incoming and outgoing network traffic based on predetermined security rules. Firewalls can be hardware-based, software-based, or a combination of both. They operate at different layers of the OSI model and come in several types:

- **Packet Filtering Firewalls**: Examine individual packets and allow or deny them based on source/destination IP addresses, ports, and protocols.
- **Stateful Inspection Firewalls**: Track active connections and make decisions based on the context of traffic, not just individual packets.
- **Proxy Firewalls**: Act as intermediaries between internal and external systems, hiding internal network details.
- **Next-Generation Firewalls (NGFW)**: Combine traditional firewall capabilities with advanced features like application awareness, deep packet inspection, and integrated intrusion prevention.

**Intrusion Prevention Systems (IPS)** are security solutions that monitor network traffic in real time to detect and actively block potential threats. Unlike Intrusion Detection Systems (IDS), which only alert administrators, an IPS takes immediate automated action to prevent malicious activity. IPS uses several detection methods:

- **Signature-Based Detection**: Matches traffic patterns against known threat signatures.
- **Anomaly-Based Detection**: Identifies deviations from established baseline behavior.
- **Policy-Based Detection**: Flags violations of predefined security policies.

IPS is typically deployed inline within the network traffic flow, enabling it to drop malicious packets, block offending IP addresses, and reset connections in real time. Together, firewalls and IPS create a layered defense strategy aligned with the defense-in-depth approach. Firewalls enforce access control policies at network boundaries, while IPS provides deeper inspection and active threat mitigation. Both are essential for maintaining the confidentiality, integrity, and availability of network resources, forming a foundational element of any robust cybersecurity architecture.
Firewalls and Intrusion Prevention Systems (IPS) – A Complete Guide for ISC2 CC Exam
Why Are Firewalls and Intrusion Prevention Systems (IPS) Important?
Firewalls and Intrusion Prevention Systems (IPS) are foundational components of network security. They serve as the primary line of defense between trusted internal networks and untrusted external networks (such as the internet). Without these technologies, organizations would be fully exposed to unauthorized access, malicious traffic, data exfiltration, and a wide variety of cyberattacks. Understanding firewalls and IPS is essential not only for real-world security operations but also for success on the ISC2 Certified in Cybersecurity (CC) exam, where network security concepts are heavily tested.
What Is a Firewall?
A firewall is a network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It establishes a barrier between a trusted internal network and untrusted external networks.
Types of Firewalls:
1. Packet-Filtering Firewalls
These are the most basic type of firewall. They inspect individual packets of data and compare them against a set of rules based on source/destination IP addresses, ports, and protocols. They operate at Layer 3 (Network) and Layer 4 (Transport) of the OSI model. They are fast but have limited ability to detect sophisticated attacks because they do not examine packet contents or track connection states.
2. Stateful Inspection Firewalls
Also known as dynamic packet-filtering firewalls, these track the state of active connections and make decisions based on the context of the traffic (e.g., whether a packet is part of an established session). They operate at Layers 3 and 4 and maintain a state table. This makes them more secure than simple packet-filtering firewalls because they can detect and block packets that are not part of a legitimate, established connection.
3. Proxy Firewalls (Application-Level Gateways)
These firewalls act as intermediaries between internal users and external services. They operate at Layer 7 (Application Layer) of the OSI model. A proxy firewall receives requests from internal clients, inspects them, and then forwards them to the destination on behalf of the client. This breaks the direct connection between internal and external systems, providing deep content inspection and enhanced security. However, they can introduce latency.
4. Next-Generation Firewalls (NGFW)
NGFWs combine the features of traditional firewalls with additional capabilities such as deep packet inspection (DPI), application awareness and control, integrated intrusion prevention, threat intelligence feeds, and SSL/TLS inspection. They operate across multiple OSI layers and are the standard in modern enterprise environments.
5. Web Application Firewalls (WAF)
WAFs are specifically designed to protect web applications by filtering and monitoring HTTP/HTTPS traffic. They defend against attacks such as SQL injection, cross-site scripting (XSS), and other OWASP Top 10 threats. They operate at Layer 7.
What Is an Intrusion Prevention System (IPS)?
An Intrusion Prevention System (IPS) is a network security technology that monitors network traffic in real time, detects malicious activity, and takes automated action to prevent or block threats. An IPS sits inline with network traffic, meaning all traffic passes through it. This is a critical distinction from an Intrusion Detection System (IDS), which only monitors and alerts but does not block traffic.
IDS vs. IPS – Key Differences:
- IDS (Intrusion Detection System): Monitors traffic passively, generates alerts, does NOT block traffic. It is a detective control.
- IPS (Intrusion Prevention System): Monitors traffic inline and actively, generates alerts AND blocks malicious traffic. It is a preventive control.
This distinction is frequently tested on the CC exam.
Types of IPS:
1. Network-Based IPS (NIPS)
Deployed at strategic points within the network (e.g., behind the firewall) to monitor all traffic flowing through that segment. It inspects traffic for known attack signatures, anomalous behavior, or policy violations.
2. Host-Based IPS (HIPS)
Installed on individual hosts or endpoints. It monitors activity on that specific device, including system calls, file modifications, and application behavior. It provides protection even when the host is not connected to the corporate network.
3. Wireless IPS (WIPS)
Monitors wireless network traffic for unauthorized access points, rogue devices, and wireless-specific attacks.
How Do Firewalls Work?
Firewalls work by applying a set of rules (often called an Access Control List or ACL) to network traffic. Each rule specifies criteria such as:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Protocol (TCP, UDP, ICMP, etc.)
- Action (Allow, Deny, Drop, Log)
Firewalls typically follow one of two default philosophies:
Implicit Deny (Deny All): All traffic is blocked by default unless explicitly permitted by a rule. This is the most secure and recommended approach.
Implicit Allow (Allow All): All traffic is allowed by default unless explicitly blocked. This is less secure and generally not recommended.
The implicit deny principle is a critical concept for the CC exam. Always remember: if traffic does not match any rule, it should be denied.
Rules are processed top-down, meaning the firewall checks rules sequentially and applies the first rule that matches the traffic. Rule order matters significantly.
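The following is an added example, not code from the guide: a small Python model of top-down, first-match ACL evaluation with implicit deny, extended with the simplified state table that a stateful inspection firewall keeps. Everything in it is constructed for illustration: the `Packet` and `Rule` representation, the RFC 5737/RFC 1918 addresses, the two rule sets (arranged as a screened subnet: internet to a DMZ web server, DMZ web server to an internal database), and the state-table semantics (no timeouts, only the SYN flag is checked). Real firewalls track more, but the decision logic is the same.

```python
# Added example (not from the guide): first-match ACL evaluation with implicit
# deny, plus a simplified stateful connection table.  Addresses, rules and
# packets are constructed; the rule sets model a screened subnet.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False     # True on the first packet of a new TCP connection


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # CIDR, or "any"
    dst: str
    proto: str                    # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None   # None matches any destination port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        def in_net(cidr: str, addr: str) -> bool:
            return cidr == "any" or ip_address(addr) in ip_network(cidr)
        return (in_net(self.src, pkt.src) and in_net(self.dst, pkt.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules, pkt):
    """Rules are checked top-down; the first match wins.  No match: implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "implicit deny (no rule matched)"


class StatefulFirewall:
    """ACL plus a state table.  A reply belonging to a session the firewall has
    already allowed passes without its own rule; a TCP packet that is neither a
    new connection (SYN) nor part of a known session is dropped."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()    # (client, client_port, server, server_port, proto)

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if fwd in self.state or rev in self.state:
            return "allow"                       # established session
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"                        # mid-stream packet, no session
        action, _ = evaluate(self.rules, pkt)
        if action == "allow":
            self.state.add(fwd)                  # remember the new session
        return action


# Constructed topology: DMZ 192.0.2.0/24 (RFC 5737), internal 10.0.0.0/8 (RFC 1918).
DMZ, INTERNAL = "192.0.2.0/24", "10.0.0.0/8"
WEB, DB = "192.0.2.10", "10.0.5.20"

# Outer firewall (internet <-> DMZ).  The explicit final deny duplicates the
# implicit deny, but gives the firewall a rule on which to log rejected traffic.
OUTER_RULES = [
    Rule("allow", "any", WEB + "/32", "tcp", 443, "public HTTPS to the DMZ web server"),
    Rule("deny", "any", "any", "any", None, "log everything else"),
]
# Inner firewall (DMZ <-> internal): only the web tier may reach the database.
INNER_RULES = [
    Rule("allow", WEB + "/32", DB + "/32", "tcp", 3306, "web tier to database"),
    Rule("deny", DMZ, INTERNAL, "any", None, "nothing else from the DMZ inward"),
]


def screened_subnet_demo():
    """Walk constructed packets through both firewalls; returns name -> decision."""
    outer, inner = StatefulFirewall(OUTER_RULES), StatefulFirewall(INNER_RULES)
    client = "198.51.100.7"
    return {
        "client_https_to_web": outer.filter(Packet(client, WEB, "tcp", 40000, 443, syn=True)),
        "web_reply_to_client": outer.filter(Packet(WEB, client, "tcp", 443, 40000)),
        "unsolicited_web_to_client": outer.filter(Packet(WEB, client, "tcp", 443, 40001)),
        "client_ssh_to_web": outer.filter(Packet(client, WEB, "tcp", 40002, 22, syn=True)),
        "client_direct_to_db": outer.filter(Packet(client, DB, "tcp", 40003, 3306, syn=True)),
        "web_to_db": inner.filter(Packet(WEB, DB, "tcp", 50000, 3306, syn=True)),
        "other_dmz_host_to_db": inner.filter(Packet("192.0.2.11", DB, "tcp", 50001, 3306, syn=True)),
    }


def order_matters():
    """The same two rules in both orders: a broad deny placed first shadows the allow."""
    pkt = Packet("198.51.100.7", WEB, "tcp", 40000, 443, syn=True)
    good = [Rule("allow", "any", WEB + "/32", "tcp", 443), Rule("deny", "any", DMZ, "any")]
    return evaluate(good, pkt)[0], evaluate(list(reversed(good)), pkt)[0]


if __name__ == "__main__":
    for name, decision in screened_subnet_demo().items():
        print(f"{name:28s} {decision}")
    print("rule order (allow first, deny first):", order_matters())
```

Two things to notice when running it. The web server's reply to the client is allowed by the stateful wrapper although no rule permits traffic from the web server outward; handing the same packet to `evaluate` alone yields `deny`, which is exactly the gap a pure packet filter has and the state table closes. And `order_matters` shows the same two rules producing opposite decisions depending only on their order, which is why rule order is reviewed as carefully as rule content.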
How Does an IPS Work?
An IPS analyzes network traffic using several detection methods:
1. Signature-Based Detection
Compares network traffic against a database of known attack signatures (patterns). It is highly effective against known threats but cannot detect zero-day attacks or novel threats, and it requires regular signature updates.
2. Anomaly-Based Detection (Behavioral)
Establishes a baseline of normal network behavior and flags deviations from that baseline. It can detect unknown or zero-day attacks but may produce more false positives than signature-based detection.
3. Policy-Based Detection
Uses administrator-defined policies to identify traffic that violates security policies. For example, if a policy states that Telnet should not be used, the IPS will flag or block Telnet traffic.
4. Heuristic-Based Detection
Uses algorithms and rules of thumb to identify potentially malicious activity. It is similar to anomaly-based detection but relies on predefined heuristic rules.
When an IPS detects a threat, it can take various actions:
- Drop the malicious packet
- Block the source IP address
- Reset the connection
- Send an alert to the security team
- Log the event for forensic analysis
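The following is an added example, not code from the guide or from any IPS product: it runs the three detection methods the section describes (signature, anomaly and policy based) over a handful of constructed flow records and maps each finding to the actions listed above. Everything in it is an assumption made for illustration: the two signatures, the "no Telnet" policy, the anomaly model (a per-port bytes-per-flow baseline, flagging anything more than three standard deviations above the mean), the choice of which findings block and which only alert, and the flows themselves, which carry a constructed ground-truth label so the run also produces the false-positive and false-negative counts discussed later in the guide.

```python
# Added example (not from the guide): signature-, anomaly- and policy-based
# detection over constructed flow records, with the actions an inline IPS takes.
# Signatures, policy, baseline and flows are all invented for illustration.
import re
import statistics
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int
    payload: str
    expected: str   # constructed ground truth for the example: "alert" or "pass"


# Constructed sample flows (not captured traffic).
FLOWS = [
    Flow("10.0.1.5", "10.0.5.20", 3306, 820, "SELECT id FROM users WHERE name='bob'", "pass"),
    Flow("198.51.100.9", "192.0.2.10", 443, 1200, "GET /login HTTP/1.1", "pass"),
    Flow("198.51.100.9", "192.0.2.10", 443, 1350, "GET /search?q=' OR 1=1-- HTTP/1.1", "alert"),
    Flow("10.0.1.77", "10.0.5.20", 23, 300, "login: admin", "alert"),
    Flow("10.0.1.5", "10.0.5.20", 3306, 80_000_000, "nightly backup (legitimate)", "pass"),
    Flow("10.0.1.42", "10.0.5.20", 3306, 870, "[constructed: novel payload, no signature yet]", "alert"),
]

# 1. Signature-based: patterns for known attacks (constructed, not a vendor rule set).
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.I),
    "xss-script-tag": re.compile(r"<script\b", re.I),
}

# 3. Policy-based: an administrator rule such as "Telnet must not be used".
FORBIDDEN_PORTS = {23: "telnet prohibited by policy"}

# 2. Anomaly-based: bytes-per-flow baseline per destination port, learned during a
#    constructed training window.  Flag anything more than K std devs above the mean.
BASELINE_BYTES = {3306: [820, 900, 760, 880, 950], 443: [1200, 1400, 1300, 1250]}
K = 3.0


def anomaly_threshold(port):
    samples = BASELINE_BYTES.get(port)
    if not samples:
        return None   # no baseline learned for this port: anomaly detection cannot judge
    return statistics.mean(samples) + K * statistics.pstdev(samples)


def inspect(flow):
    """Return (findings, actions) for one flow.  Findings are (method, detail) pairs."""
    findings, actions = [], []
    for name, rx in SIGNATURES.items():
        if rx.search(flow.payload):
            findings.append(("signature", name))
            actions += ["drop_packet", "reset_connection", "alert"]   # high confidence
    if flow.dport in FORBIDDEN_PORTS:
        findings.append(("policy", FORBIDDEN_PORTS[flow.dport]))
        actions += ["block_source_ip", "alert"]
    thr = anomaly_threshold(flow.dport)
    if thr is not None and flow.nbytes > thr:
        findings.append(("anomaly", f"{flow.nbytes} bytes > threshold {thr:.0f}"))
        actions += ["alert"]          # lower confidence: alert and log, do not block
    actions.append("log")             # every inspected flow is logged for forensics
    return findings, list(dict.fromkeys(actions))   # de-duplicate, keep order


def run_ips(flows=FLOWS):
    """Inspect every flow; return per-flow verdicts and the confusion counts."""
    verdicts = {}
    counts = {"true_positive": 0, "false_positive": 0, "false_negative": 0, "true_negative": 0}
    for f in flows:
        findings, actions = inspect(f)
        alerted = bool(findings)
        verdicts[f.payload] = (alerted, [method for method, _ in findings], actions)
        correct = alerted == (f.expected == "alert")
        counts[("true" if correct else "false") + ("_positive" if alerted else "_negative")] += 1
    return verdicts, counts


if __name__ == "__main__":
    verdicts, counts = run_ips()
    for payload, (alerted, methods, actions) in verdicts.items():
        print(f"{'ALERT' if alerted else 'pass '} {methods!s:24s} {actions}  <- {payload}")
    print(counts)
```

The run reproduces the trade-offs the section describes: the signature catches the known pattern but has nothing to say about the novel payload (a false negative), the anomaly detector is the only method that notices the unusually large transfer but it turns out to be a legitimate backup (a false positive), and the policy rule fires on the prohibited protocol regardless of content. Tuning an IPS is the work of moving these counts in the right direction without blocking what the business needs.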
Key Concepts for the CC Exam:
Defense in Depth: Firewalls and IPS are part of a layered security approach. No single device provides complete protection. They work together alongside other controls such as antivirus, access controls, encryption, and security awareness training.
DMZ (Demilitarized Zone): A network segment that sits between the internal network and the external network. Public-facing servers (web servers, email servers) are placed in the DMZ. Firewalls are used to control traffic between the internet, the DMZ, and the internal network. This is a common exam topic.
Firewall Deployment Architectures:
- Bastion Host: A hardened server exposed to the internet, often placed in the DMZ.
- Screened Subnet (DMZ): Uses two firewalls — one between the internet and the DMZ, and one between the DMZ and the internal network.
- Dual-Homed Firewall: A firewall with two network interfaces — one connected to the external network and one to the internal network.
Firewall Rule Management Best Practices:
- Follow the principle of least privilege — allow only the minimum necessary traffic.
- Use implicit deny as the last rule.
- Review and update rules regularly.
- Log all denied traffic for analysis.
- Remove outdated or unnecessary rules.
False Positives vs. False Negatives:
- False Positive: Legitimate traffic is incorrectly flagged as malicious. This can disrupt business operations.
- False Negative: Malicious traffic is incorrectly allowed through. This is the more dangerous scenario because an actual attack goes undetected.
- Both concepts are important for the exam, especially in the context of IDS/IPS tuning.
Unified Threat Management (UTM): A single device that combines multiple security functions including firewall, IPS, antivirus, content filtering, VPN, and more. UTMs simplify management but can become a single point of failure.
Exam Tips: Answering Questions on Firewalls and Intrusion Prevention Systems (IPS)
1. Know the difference between IDS and IPS. This is one of the most commonly tested topics. Remember: IDS = detective (monitors and alerts), IPS = preventive (monitors, alerts, AND blocks). If a question asks about a device that can stop an attack in progress, the answer is IPS, not IDS.
2. Remember Implicit Deny. When a question asks about the most secure default firewall policy, the answer is implicit deny (deny all traffic unless explicitly allowed). This is a foundational principle of firewall configuration.
3. Understand firewall types and where they operate in the OSI model. Packet-filtering firewalls operate at Layers 3-4. Stateful firewalls also operate at Layers 3-4 but track connection states. Proxy firewalls and WAFs operate at Layer 7. NGFWs operate across multiple layers.
4. Focus on the concept of Defense in Depth. If a question implies that a single security control is sufficient, it is almost certainly wrong. The correct answer will emphasize layered security.
5. Know the DMZ architecture. Understand that a DMZ is used to isolate public-facing services from the internal network. Questions may ask where to place a web server (answer: in the DMZ) or how many firewalls are used in a screened subnet architecture (answer: two).
6. Understand detection methods. Signature-based detection is effective against known threats. Anomaly-based detection can identify unknown/zero-day threats but may produce more false positives. If a question asks about detecting a new, previously unseen attack, the answer points to anomaly-based or heuristic-based detection.
7. False Positives vs. False Negatives. Be clear on these definitions. A false negative (missing a real attack) is generally considered more dangerous than a false positive (incorrectly blocking legitimate traffic). However, excessive false positives can lead to alert fatigue.
8. Network-Based vs. Host-Based. NIPS protects a network segment; HIPS protects an individual host. If a question specifies protecting a critical server specifically, HIPS may be the better answer. If protecting the entire network, NIPS is more appropriate.
9. Think about the security goals. Many questions align with the CIA triad (Confidentiality, Integrity, Availability). Firewalls primarily support confidentiality and integrity by controlling access. IPS supports all three by preventing attacks that could compromise data or disrupt services.
10. Watch for keywords in questions. Words like prevent, block, and stop point to IPS or firewalls (preventive controls). Words like detect, monitor, alert, and notify point to IDS (detective controls). Words like inspect content or application layer point to proxy firewalls, WAFs, or NGFWs.
11. Inline vs. Passive Deployment. IPS is deployed inline (traffic flows through it). IDS is deployed passively (it receives a copy of the traffic, typically via a mirror port or network tap). This deployment distinction may appear in exam questions.
12. Eliminate clearly wrong answers first. On the CC exam, use the process of elimination. If you see an answer that suggests allowing all traffic by default or relying on a single control for complete protection, it is likely incorrect. Choose answers that reflect security best practices such as least privilege, defense in depth, and implicit deny.