Further Reading: Firewalls, IDS/IPS, and Network Access Control
Curated, annotated resources to deepen this chapter. Each entry notes which learning path it serves most (🛡️ SOC, 🏗️ Engineer, 📋 GRC, 📜 Cert) and its citation tier. Start with the suggested order; you do not need to read everything before the next chapter.
Suggested order
- Read the NIST SP 800-41 firewall guidelines to ground the firewall types and default-deny posture in an authoritative source. (🏗️📜)
- Skim NIST SP 800-94 on intrusion detection and prevention to formalize IDS vs. IPS and signature vs. anomaly. (🛡️📜)
- Browse the Suricata (or Snort) rule documentation and read ten real community rules until the signature syntax in §7.3 feels readable. (🛡️🏗️)
- Read the NIST SP 800-207 introduction to see where "the perimeter that doesn't exist anymore" leads — zero trust — which Chapter 32 develops. (🏗️)
Standards & primary documents (Tier 1)
- NIST SP 800-41 Rev. 1, Guidelines on Firewalls and Firewall Policy. 🏗️📜 The authoritative treatment of firewall types, rulebase design, and the default-deny posture this chapter is built on. The clearest free statement of "deny by default, permit by exception."
- NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS). 🛡️📜 Formalizes everything in §7.3: signature vs. anomaly vs. stateful-protocol analysis, IDS vs. IPS placement, and the management/tuning lifecycle. Read it after the chapter to deepen, not before.
- NIST SP 800-207, Zero Trust Architecture. 🏗️ Where this chapter points: once you accept the perimeter is gone, ZTA is the design that replaces it. Read the tenets now; master it in Chapter 32.
- IEEE 802.1X-2020, Port-Based Network Access Control. 🏗️📜 The standard behind §7.4. You don't need the full text, but the overview clarifies the supplicant/authenticator/authentication-server model and the EAP relationship.
- PCI DSS v4.0 (Requirement 1, network security controls, plus the scoping guidance on segmentation). 📋📜 Why a bank like Meridian must default-deny between the CDE and everything else, and why segmentation reduces audit scope. The most concrete regulatory driver for this chapter's controls.
- MITRE ATT&CK — Lateral Movement and Command and Control tactics. 🛡️ The attacker behaviors that microsegmentation and detection target. Maps the "what does an attacker do once inside?" that §7.5 and Case Study 2 revolve around.
- CISA guidance on network segmentation and securing remote access. 🛡️📋 Practical, defender-oriented advisories that echo this chapter's "assume breach, segment, monitor" stance with real-world urgency.
Books (Tier 1)
- Chapple, M., & Seidl, D., CompTIA Security+ Study Guide. 📜 Exam-aligned coverage of firewall types, IDS/IPS, NAC, and 802.1X at the depth Security+ tests. An excellent companion for certification candidates working through Part II.
- Stallings, W., Network Security Essentials. 🏗️📜 A rigorous treatment of firewalls and intrusion detection with more depth on the underlying mechanisms than a cert guide; good for engineers who want the "why," not just the "what."
- Sanders, C., & Smith, J., Applied Network Security Monitoring. 🛡️ The practitioner's bible for the detection half of this chapter — collection, detection, and analysis — and the closest book to the mindset of Case Study 2. Highly recommended for the SOC track.
- Anderson, R., Security Engineering (3rd ed.). 🏗️ The chapters on network attack and defense place firewalls and detection in the broader picture of how real systems fail. Dip in now, return for life.
Free online & talks (Tier 1 / Tier 2)
- Suricata documentation and the Emerging Threats (ET) open ruleset. 🛡️🏗️ The actual engine and rules a real SOC runs. Reading real signatures is the fastest way to make §7.3 concrete; the ET ruleset shows how the community names and classifies threats. (Tier 1 docs; specific rules evolve.)
- Snort documentation and rule-writing guide. 🛡️ The other dominant open detection engine; its rule syntax is the lingua franca that the §7.3 signature borrows. Write one rule of your own in a lab.
- The Zeek (formerly Bro) project. 🛡️🏗️ Turns traffic into rich logs rather than just signature alerts — the bridge from this chapter's detection to Chapter 10's traffic analysis. Preview it now.
- Vendor NGFW and NAC architecture guides (e.g., from major firewall/NAC vendors). 🏗️ Read two or three with a skeptical eye to see how the concepts here are productized — and to separate genuine capability from marketing. (Tier 2: vendor docs; verify claims against the NIST guidance above.)
Tools to explore (in your own lab only)
- iptables/nftables (Linux) or pf (BSD/macOS). 🏗️ Build the §7.2 default-deny ruleset on a VM you own. Add a LOG rule before DROP and watch denied packets appear. The safest possible firewall lab — the only thing you can break is your own VM (keep a console fallback).
- Suricata or Snort in a home lab, IDS mode. 🛡️ Run it against your own captured traffic, load the §7.3 signature, and trigger it deliberately with a benign request to that URI. Watch the alert fire.
- A small 802.1X test setup (a managed switch + FreeRADIUS). 🏗️ Stand up the supplicant/authenticator/server triangle from §7.4 and watch a port stay closed until authentication succeeds. The single best way to internalize NAC.
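For the first lab above, here is an added example of the "default-deny, log before drop" exercise as an nftables ruleset file. It is not the book's §7.2 ruleset and not taken from the nftables project; the management subnet (192.0.2.0/24, a documentation range), the SSH-only exception, and the log prefix are placeholders to swap for your own lab values.

```nft
#!/usr/sbin/nft -f
# Lab default-deny ruleset (added example; placeholder addresses).
# Load it from the VM console, not over SSH, so a typo cannot lock you out:
#   nft -f lab-default-deny.nft
# Verify it loaded, then watch the log rule catch what the policy drops:
#   nft list ruleset
#   journalctl -k -f        # or: dmesg -w
# Trigger a denied packet from a second lab VM, e.g. nc -vz <vm-ip> 8080,
# and a kernel log line with the prefix "nft-drop-input: " appears.

flush ruleset

table inet filter {
    chain input {
        # policy drop = deny by default; every accept below is an exception
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Keep ICMP/ICMPv6 so path-MTU discovery and IPv6 neighbor discovery work
        meta l4proto { icmp, ipv6-icmp } accept

        # Permit by exception: SSH, and only from the lab management subnet
        # (192.0.2.0/24 is a placeholder documentation range)
        ip saddr 192.0.2.0/24 tcp dport 22 ct state new accept

        # LOG before DROP: record what the default-deny is about to discard.
        # Rate-limited so a port scan cannot flood the kernel log; the counter
        # shows in "nft list ruleset" even if you are not tailing the log.
        limit rate 5/second burst 20 packets counter log prefix "nft-drop-input: " level info
        # No verdict here: the packet falls through to the chain policy (drop).
    }

    chain forward {
        # The VM is a host, not a router: forward nothing
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound left open for the lab; tighten once inbound is understood
        type filter hook output priority 0; policy accept;
    }
}
```

Two things to notice while running it. The log rule is non-terminal, so it sits last in the chain and sees only traffic no accept rule claimed; putting it earlier would log permitted packets too. And the `ct state invalid drop` line runs before the logged fallthrough, so malformed packets are silently discarded rather than swelling the log; remove it temporarily if you want to see them.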
⚖️ Authorization & Ethics reminder: Every tool here is for systems you own or are explicitly authorized to defend. Capturing traffic, probing ports, or testing firewall rules on networks you do not control can be unlawful even when your intent is to learn — build a home lab instead. The book's closing chapters return to the legal and ethical landscape in full.