Exercises: Firewalls, IDS/IPS, and Network Access Control
These exercises move from recall to design. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — attempt every problem before you read one.
Use documentation IP ranges only (10/8, 172.16/12, 192.168/16, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24). Where an exercise asks you to write a rule or signature, the reasoning — why this scope, why this default — matters more than perfect syntax. Work on systems you own or are authorized to manage; never test a firewall change on a machine you depend on remotely without a console fallback.
Part A — Firewall types & core vocabulary ⭐
1.† In one sentence each, define a stateless firewall, a stateful firewall, and a next-generation firewall, then state the single capability each adds over the one before it.
2. Classify each as a property of a stateless, stateful, or next-generation firewall: (a) tracks a connection-state table; (b) matches on application identity and user; (c) evaluates each packet in isolation; (d) permits return traffic without a pre-opened inbound port; (e) integrates a threat-intelligence feed; (f) is exactly what a router ACL does.
3. Explain why a stateless firewall must open wide ranges of high-numbered inbound ports to let replies return, and why a stateful firewall does not. What attack does the stateless approach invite?
4.† Define an access control list and explain what "first match wins" means for the order of rules. Give a two-rule example where swapping the order changes the outcome.
5. A colleague says, "We have a next-generation firewall, so we have a WAF and don't need anything else for our web app." Identify two things wrong with this statement. (Recall what a WAF is and which chapter owns it.)
Part B — Default-deny & writing rules ⭐⭐
6.† Explain the difference between default-deny and default-allow. For each, state precisely what happens when a brand-new, unanticipated service appears on the network, and which one "fails safe."
7. Write the rule. Meridian needs a firewall rule allowing only its web-application server (10.40.0.10) to reach an external payment-processor API at 198.51.100.20 on TCP 443, and nothing else from that server outbound. Write the permit rule (any reasonable firewall syntax) and the deny-and-log rule that should follow it. Annotate each field.
8.† Find the misconfiguration. Audit this ruleset (evaluated top to bottom, first match wins). Identify every problem and rewrite it correctly for a corporate→CDE boundary.
iptables -P FORWARD ACCEPT
iptables -A FORWARD -s 10.20.0.0/16 -d 10.30.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.20.9.10 -d 10.30.0.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp --dport 5432 -j ACCEPT
9. Find the misconfiguration. A team fixed a production outage at 2 a.m. by adding permit ip any any near the top of the firewall ruleset, and never removed it. Explain in concrete terms what this single rule does to every carefully written rule below it, and what process would have caught it.
10.† Why must a sound default-deny ruleset include an explicit deny-and-log rule at the bottom even when the firewall already has an implicit deny-all? What investigative capability does the explicit version provide that the implicit one does not?
11. Rank these three firewall rules from most to least privileged (most to least permissive) and justify the ranking: (a) permit tcp 10.40.0.10 -> 10.30.0.50 dport 5432; (b) permit tcp 10.40.0.0/24 -> 10.30.0.0/24 dport any; (c) permit ip any -> 10.30.0.0/24.
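An added example, not part of the chapter or its answer appendix: a small first-match-wins ACL evaluator in Python (invented rule syntax, the exercises' own addresses) that makes the order effect of exercises 4 and 9 and the explicit-deny point of exercise 10 concrete; its covers() check is also the "more permissive than" relation exercise 11 asks you to rank by.

```python
# Added example (not from the chapter): a first-match-wins ACL evaluator in an
# invented rule syntax. It shows how order decides the outcome, how an early
# "permit ip any any" shadows every rule beneath it, and why the last rule
# should be an explicit, logged deny rather than the silent implicit one.
from ipaddress import ip_address, ip_network
from dataclasses import dataclass

@dataclass
class Rule:
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp", or "ip" (= any protocol)
    src: str             # CIDR or host address, or "any"
    dst: str
    dport: "int | None"  # None = any port
    log: bool = False

    def matches(self, proto, src, dst, dport):
        def in_net(net, ip):
            return net == "any" or ip_address(ip) in ip_network(net)
        return ((self.proto == "ip" or self.proto == proto) and in_net(self.src, src)
                and in_net(self.dst, dst) and (self.dport is None or self.dport == dport))

def evaluate(rules, proto, src, dst, dport):
    """Top to bottom, first match wins. Returns (action, rule index, logged?)."""
    for i, r in enumerate(rules):
        if r.matches(proto, src, dst, dport):
            return r.action, i, r.log
    return "deny", None, False    # implicit deny: dropped, and nobody is told

def covers(wide, narrow):
    """True if every flow `narrow` could match is already matched by `wide`."""
    def net_covers(w, n):
        return w == "any" or (n != "any" and ip_network(n).subnet_of(ip_network(w)))
    return ((wide.proto == "ip" or wide.proto == narrow.proto)
            and net_covers(wide.src, narrow.src) and net_covers(wide.dst, narrow.dst)
            and (wide.dport is None or wide.dport == narrow.dport))

def shadowed(rules):
    """(j, i) pairs: rule j can never be the first match because rule i above it already matches everything j would."""
    return [(j, i) for j in range(len(rules)) for i in range(j) if covers(rules[i], rules[j])]

# Exercise 7's intent: only the app server to the payment API on 443, then deny-and-log.
GOOD = [Rule("permit", "tcp", "10.40.0.10", "198.51.100.20", 443),
        Rule("deny", "ip", "10.40.0.10", "any", None, log=True)]
HOTFIX = [Rule("permit", "ip", "any", "any", None)] + GOOD   # exercise 9's 2 a.m. "fix" on top

if __name__ == "__main__":
    flow = ("tcp", "10.40.0.10", "203.0.113.9", 22)   # app server trying SSH to the internet
    print("good  :", evaluate(GOOD, *flow))
    print("hotfix:", evaluate(HOTFIX, *flow))
    print("shadowed by the hotfix:", shadowed(HOTFIX))
```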
Part C — IDS/IPS, signatures & anomalies ⭐⭐
12.† State the core difference between an IDS and an IPS in terms of placement and authority. For a critical, actively exploited vulnerability you must block in real time, which do you choose, and what operational risk does that choice introduce?
13. Compare signature-based and anomaly-based detection across four axes: what each catches, what each misses, its noise level, and its maintenance burden. Then name one threat each is uniquely well-suited to catch.
14. Tune the IDS. Your anomaly model fires a "large outbound data transfer" alert every night at 1 a.m. Investigation shows it is the scheduled off-site backup from server 10.20.4.5 to the backup target 198.51.100.30. List three different ways you could stop this false positive, and state the risk of each (especially the risk of suppressing too broadly).
15.† Write the signature. Write a Suricata/Snort-style rule (alert, not block) that detects an outbound HTTP GET request from your internal network to any external host for the URI path /etc/passwd (a classic file-disclosure indicator). Include msg, flow, http_method, http_uri, a locally-assigned sid, and rev. Then state how you would convert it to an inline block, and why you might hesitate to.
16. An attacker fragments an exploit across several packets so that no single packet matches an IDS signature. Explain why this can evade a naive signature engine, and what capability a competent IDS needs to defeat the evasion.
17.† A signature-based IPS is described by management as "complete protection." Using the concept of zero-days and one realistic "low-and-slow" scenario, explain why no signature-only system is complete, and what you would add to cover the gap.
18. Analyze this log. You are handed this (illustrative) IDS alert excerpt; the source is in 203.0.113.0/24. Interpret it.
12:14:02 [1:9000017:1] MERIDIAN POLICY Outbound cleartext request for credentials file
src=10.20.5.55 dst=203.0.113.77 proto=TCP dport=80 uri=/.aws/credentials
12:14:02 scan: 10.20.5.55 -> 10.30.0.0/24 ports 22,3389,5432 (47 SYN, 0 ACK)
12:14:09 conn: 10.20.5.55 -> 203.0.113.77:80 bytes_out=1820 bytes_in=140
(a) Tell the story these three lines describe in sequence. (b) Which single internal host should you isolate, and why? (c) Would a SIEM that correlated these three events be more useful than three separate alerts? Explain.
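An added example, not from the chapter: a Python correlator that parses the three illustrative lines of exercise 18, joins them on the source host, and produces the single verdict part (c) is asking about. The parser and the correlation rule are constructed for this illustration, not taken from any product.

```python
# Added example (not from the chapter): a small correlator over the three IDS lines
# in exercise 18, showing what a SIEM adds by joining alerts on the source host.
# The log format is the exercise's; the parser and the rule are constructed here.
import re
from collections import defaultdict
from datetime import datetime

LOG = """\
12:14:02 [1:9000017:1] MERIDIAN POLICY Outbound cleartext request for credentials file
src=10.20.5.55 dst=203.0.113.77 proto=TCP dport=80 uri=/.aws/credentials
12:14:02 scan: 10.20.5.55 -> 10.30.0.0/24 ports 22,3389,5432 (47 SYN, 0 ACK)
12:14:09 conn: 10.20.5.55 -> 203.0.113.77:80 bytes_out=1820 bytes_in=140
"""

def parse(text):
    """One dict per event. A signature alert is two lines: the [gid:sid:rev]
    header and a key=value continuation line that carries src, dst and uri."""
    lines, events, i = text.splitlines(), [], 0
    while i < len(lines):
        line = lines[i]
        if re.match(r"\S+ \[\d+:\d+:\d+\]", line):
            kv = dict(re.findall(r"(\w+)=(\S+)", lines[i + 1]))
            events.append({"t": line[:8], "kind": "alert", "src": kv["src"], "dst": kv["dst"]})
            i += 2
        else:
            m = re.match(r"(\S+) (scan|conn): (\S+) -> (\S+)", line)
            if m:
                t, kind, src, dst = m.groups()
                events.append({"t": t, "kind": kind, "src": src, "dst": dst.split(":")[0]})
            i += 1
    return events

def correlate(events, window_s=60):
    """Per source host: escalate when, inside one window, it scans internally, trips
    the credentials-file alert and then pushes bytes to that same external host."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    verdicts = {src: "review events individually" for src in by_src}
    for src, evs in by_src.items():
        kinds = {e["kind"] for e in evs}
        times = [datetime.strptime(e["t"], "%H:%M:%S") for e in evs]
        external = {e["dst"] for e in evs if e["kind"] in ("alert", "conn")}
        if ({"alert", "scan", "conn"} <= kinds and len(external) == 1
                and (max(times) - min(times)).total_seconds() <= window_s):
            verdicts[src] = "isolate: recon + credential-file request + upload to " + external.pop()
    return verdicts

if __name__ == "__main__":
    print(correlate(parse(LOG)))    # one verdict per internal source host
```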
Part D — NAC & 802.1X ⭐⭐
19.† Name the three roles in 802.1X (supplicant, authenticator, authentication server), state which real device plays each at Meridian, and explain why the authenticator is called a gatekeeper that does not itself decide identity.
20. Return to the chapter's branch-jack attack: an attacker plugged a rogue laptop into a lobby network jack and received a working internal IP. Explain, step by step, how 802.1X NAC would have changed the outcome, including what would happen to the rogue device.
21.† Why is certificate-based 802.1X more resistant to spoofing than MAC Authentication Bypass (MAB)? Describe the specific attack that defeats MAB and why the certificate approach is immune to it. What should you do about devices (printers, cameras) that genuinely cannot run a supplicant?
22. Design it. A new branch has three kinds of device on its switches: employee laptops (802.1X-capable), a networked printer (no supplicant), and a guest tablet at the front desk. Design the NAC policy: which authentication method for each, which VLAN each lands in, and what each VLAN is permitted to reach. Justify the segmentation.
Part E — Microsegmentation, bastions & the vanishing perimeter ⭐⭐–⭐⭐⭐
23.† Distinguish coarse VLAN segmentation (Chapter 6) from microsegmentation. Which attacker behavior does microsegmentation specifically defeat that VLAN zoning does not, and what makes microsegmentation a "project, not a checkbox"?
24. Explain why routing all administrative access to the CDE through a single bastion host reduces risk rather than dangerously concentrating it. Then name two controls you would place on the bastion to justify that trust.
25. Design it. Sketch (words or a simple diagram) a microsegmentation policy for four Meridian workloads: a teller workstation, the banking application server, the loan database, and an HR database. State, for each, exactly which other workloads it may communicate with and on which ports. Anything not listed is denied. Defend your choices.
26.† The chapter insists you must "observe first, then enforce" when introducing microsegmentation. Explain what goes wrong when a team enables default-deny between workloads without first mapping real traffic, and which earlier-chapter capability provides the map.
27. ⭐⭐⭐ "Inside the network must stop meaning trusted." Write half a page connecting this chapter's controls (NAC, microsegmentation, bastions) to that single sentence. Which assumption did the old perimeter model make, and how does each control dismantle it?
Part F — Tuning & the false-positive problem ⭐⭐
28.† An IDS alerts on 99% of real attacks and raises a false alarm on only 0.1% of benign traffic. In a day of 1,000,000 connection events of which 100 are truly malicious, compute the number of true alerts, the number of false alerts, and the probability that any given alert is real. Explain what this "base-rate problem" implies for the claim "our IDS is 99.9% accurate."
29. List four distinct tuning techniques from the chapter for reducing false positives, and for each give a concrete Meridian example. Which one shifts the work from the sensor to the SIEM, and why is it the most powerful?
30. A sophisticated attacker deliberately generates a burst of loud, obvious scanning. Explain the likely purpose of the noise and how a well-run SOC should respond without simply chasing every alert.
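An added example, not from the chapter or its answer appendix: the base-rate arithmetic of exercise 28 as Python functions that accept any population and sensor rates, plus the inverse calculation (how low the false-positive rate must go before an alert is more likely real than not), which is the target the tuning techniques of exercise 29 are working toward.

```python
# Added example (not from the chapter): the base-rate arithmetic behind exercise 28,
# written as functions so any sensor's rates and any population can be plugged in,
# plus the inverse question a tuning effort has to answer (how low must the
# false-positive rate go before an analyst can trust an alert?).

def base_rate(events, malicious, detection_rate, false_positive_rate):
    """Counts and ratios for one day of alerts.

    events:              total connection events observed
    malicious:           how many of them are truly hostile
    detection_rate:      P(alert | malicious), the sensor's true-positive rate
    false_positive_rate: P(alert | benign)
    """
    benign = events - malicious
    true_alerts = malicious * detection_rate
    false_alerts = benign * false_positive_rate
    true_negatives = benign - false_alerts
    return {
        "true_alerts": true_alerts,
        "false_alerts": false_alerts,
        # P(real | alert): the ratio the analyst lives with
        "precision": true_alerts / (true_alerts + false_alerts),
        # (TP + TN) / N: the figure a vendor quotes as "accuracy"
        "accuracy": (true_alerts + true_negatives) / events,
    }

def required_fpr(events, malicious, detection_rate, target_precision):
    """Largest false-positive rate that still reaches the target precision.

    Solves precision = TP / (TP + FP) for FP and spreads it over the benign
    population; this is the budget the tuning techniques of exercise 29 must meet."""
    true_alerts = malicious * detection_rate
    max_false_alerts = true_alerts * (1 - target_precision) / target_precision
    return max_false_alerts / (events - malicious)

if __name__ == "__main__":
    r = base_rate(1_000_000, 100, 0.99, 0.001)        # the figures in exercise 28
    print(f"true alerts   : {r['true_alerts']:.0f}")
    print(f"false alerts  : {r['false_alerts']:.1f}")
    print(f"P(real|alert) : {r['precision']:.1%}")
    print(f"\"accuracy\"    : {r['accuracy']:.2%}")
    print(f"FPR for 50% precision: {required_fpr(1_000_000, 100, 0.99, 0.5):.1e}")
```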
Part G — CTF-style challenge ⭐⭐⭐
31.† The rule that lies. An administrator is certain the CDE database (10.30.0.50, TCP 5432) is fully protected because the firewall has exactly one permit rule for it: permit tcp 10.40.0.10 -> 10.30.0.50 dport 5432 (the payment app server). A penetration tester nonetheless reaches the database. Given that NAC is not deployed and the payment app server itself is reachable from the corporate network on its admin port, explain the most likely path the tester used, identify which of this chapter's controls would each have broken the chain, and rewrite the protection as a layered design rather than a single rule.
Part H — Interleaved & forward-looking ⭐⭐
32. Interleaved (Ch. 6). Define east-west and north-south traffic. Which of this chapter's controls governs each, and why is east-west the harder problem once you "assume breach"?
33. Interleaved (Ch. 3). Default-deny is an application of least privilege. Name the related foundational principle that says an unspecified or failed condition should default to the secure state, and show how the explicit deny-all rule embodies it.
34. Interleaved (Ch. 1). Use the risk model (likelihood × impact) to argue for funding 802.1X NAC across Meridian's branches before an incident. What likelihood and impact would you cite for the branch-jack risk, and what residual risk remains after NAC?
35. ⭐⭐⭐ Forward-looking. This chapter's controls (NAC, microsegmentation, "verify before access") are described as the seeds of zero trust. In two or three sentences, predict what zero trust must add beyond the network to fully realize "never trust, always verify" — and which kind of signal (network location, identity, device health) you expect it to rely on least.
Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group, a lab, or your instructor.