Key Takeaways: Firewalls, IDS/IPS, and Network Access Control

A one-page reference. Reread before an exam or before moving on. Dense by design.

Firewall types (the capability ladder)

| Type | Sees | Decides on | Blind to | Use |
|---|---|---|---|---|
| Stateless / ACL | One packet at a time | IP, port, protocol | Connection state, payload | Router ACLs; fast, coarse |
| Stateful | Connections (state table) | + connection state | Application content | The baseline boundary/inter-zone firewall |
| Next-gen (NGFW) | Connections + app + user | + application, user, threat intel | Encrypted payloads it can't decrypt | Internet edge; user-aware policy; integrated IPS |
  • Stateful permits return traffic because it matches a recorded connection — not because a port was pre-opened. This closes the stateless hole (a forged "reply" has no state-table entry → dropped).
  • NGFW can bundle a WAF, but a WAF is a web-app firewall and is owned by Chapter 13. Don't conflate the network firewall with the application firewall.
  • An ACL is an ordered permit/deny list, first match wins → rule order is semantically significant.

Default-deny: least privilege on the wire

  • Default-deny = deny everything except explicitly justified flows. Fails safe (new/unknown flow is blocked). Default-allow fails open (new flow is permitted until someone notices).
  • Ruleset structure: stateful-return rule → specific permits → explicit deny-and-log at the bottom.
  • Always add an explicit deny-and-log even if there's an implicit deny — silent drops leave no evidence; investigations need the log line.
  • Attacker abuse: the broad permit ip any added in an outage and never removed; allowed channels (outbound 443) reused for C2/exfil. Counters: minimize, review (re-justify every rule), log denies.

Rule-writing checklist

  • [ ] Default policy is DROP/deny.
  • [ ] Stateful ESTABLISHED,RELATED return rule present.
  • [ ] Each permit is the narrowest that works (single host/port, not a /16 or any).
  • [ ] Every permit has a documented business justification (rule register).
  • [ ] Final explicit deny-and-log rule for visibility.
  • [ ] Rules reviewed periodically; orphans deleted.

IDS vs IPS · Signature vs Anomaly

| | IDS | IPS |
|---|---|---|
| Placement | Out of band (sees a copy via SPAN/tap) | In-line (traffic flows through it) |
| Authority | Alert only | Drop in real time |
| Risk | Can't stop the live packet | False positive blocks legit traffic; outage breaks the path |

| | Signature | Anomaly |
|---|---|---|
| Detects by | Matching known-bad patterns | Deviation from a learned baseline |
| Catches | Known attacks, precisely | Novel/unknown attacks, fuzzily |
| Misses | Zero-days, mutations (false negatives) | Attacks that look normal (low-and-slow) |
| Noise | Low | High (false positives) |
| Best for | Known threats, compliance, fast triage | Insider misuse, novel C2, the unknown |
  • Use both. Each covers the other's blind spot. The most damaging real intrusions are credential-based / "living off the land" → no signature fires; anomaly + correlation catch them.
  • Evasions: encryption (inspect metadata/behavior), fragmentation (sensor must reassemble), low-and-slow (longer baselines + correlation).

NAC & 802.1X

  • NAC = authenticate/authorize the device before it gets network access; can assess posture and assign a VLAN; unverified → quarantine segment.
  • 802.1X roles: supplicant (device) → authenticator (switch/AP gatekeeper, relays) → authentication server (RADIUS + directory, decides). Port stays closed until auth succeeds.
  • Prefer certificate-based (EAP-TLS) over MAB (MAC-only): a MAC is plaintext and spoofable; a cert needs a private key never transmitted. Put non-802.1X devices (printers, cameras) in restricted segments so impersonating them gains little.

Microsegmentation, bastions & the vanishing perimeter

  • Assume the attacker is already inside. Boundary firewall sees north-south; the inside threat moves east-west — which the boundary firewall can't see.
  • Microsegmentation = default-deny between individual workloads → strangles lateral movement; a foothold becomes a dead end.
  • Jump host / bastion = the single hardened, monitored path into a sensitive zone (concentrates admin risk on one well-defended, recorded box).
  • Observe first, then enforce. Map real flows (Chapter 10 monitoring) → write least-privilege policy from evidence → enforce. Default-deny without a flow map breaks production. Project, not a checkbox.

Tuning & the false-positive problem

  • False positive = alert on benign activity. False negative = real attack, no alert. They trade off; no setting kills both.
  • Base-rate problem: attacks are rare, so even a 0.1% false-positive rate × huge benign volume buries the few true alerts. "99.9% accurate" is meaningless without the base rate.

$$P(\text{real}\mid\text{alert}) = \frac{\text{true alerts}}{\text{true} + \text{false alerts}} \quad\text{e.g., } \frac{99}{99+1000}\approx 9\%$$

  • Tuning playbook: baseline before enforcing · suppress noisy rules · allowlist known-good · prioritize by asset · correlate (don't isolate) · feedback loop.
  • Correlation (the bridge to Chapter 21's SIEM) turns weak signals into one high-confidence alert — the single most powerful move. Never delete a noisy-but-valuable rule; tune and correlate it.
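The base-rate bullet and formula above, carried through in code as an added example (not from the chapter's toolkit). The absolute figures are constructed so they reproduce the page's 99 / (99 + 1000): 100 attacks among 1,000,100 events, 99% detection, a 0.1% false-positive rate; `required_fpr` inverts the formula to show what tuning has to achieve at a given base rate.

```python
def alert_precision(base_rate: float, detection_rate: float, fpr: float) -> float:
    """P(real | alert) when a fraction base_rate of all events are attacks."""
    true_alerts = base_rate * detection_rate
    false_alerts = (1 - base_rate) * fpr
    return true_alerts / (true_alerts + false_alerts)

def expected_alerts(events: int, attacks: int, detection_rate: float, fpr: float) -> tuple:
    """Absolute counts behind the fraction: (true alerts, false alerts, precision)."""
    true_alerts = attacks * detection_rate
    false_alerts = (events - attacks) * fpr
    return true_alerts, false_alerts, true_alerts / (true_alerts + false_alerts)

def required_fpr(base_rate: float, detection_rate: float, target_precision: float) -> float:
    """Solve P(real | alert) = target for fpr: the false-positive rate tuning must reach."""
    return base_rate * detection_rate * (1 - target_precision) / (target_precision * (1 - base_rate))

if __name__ == "__main__":
    # Constructed figures: 100 attacks among 1,000,100 events, 99% detection, 0.1% FPR.
    t, f, p = expected_alerts(1_000_100, 100, 0.99, 0.001)
    print(f"{t:.0f} true, {f:.0f} false, precision {p:.1%}")   # 99 true, 1000 false, precision 9.0%
    # Suppressing noisy rules lowers fpr; prioritising by asset raises the base rate the
    # analyst actually sees. Either one moves the same number.
    print(f"fpr needed for 50% precision: {required_fpr(100 / 1_000_100, 0.99, 0.5):.2e}")
```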

When to use what (decision aids)

| You need to… | Reach for |
|---|---|
| Filter traffic between zones | Stateful firewall, default-deny |
| Identify the app/user behind encrypted flows | NGFW |
| Be told about attacks (no blocking risk) | IDS (out of band) |
| Block a known exploit in real time | IPS (in-line), high-confidence signatures only |
| Catch a novel / credential-based intrusion | Anomaly detection + correlation |
| Stop unknown devices from connecting | NAC / 802.1X with quarantine |
| Contain an attacker who's already inside | Microsegmentation + bastion |
| Make a noisy detection trustworthy | Tune + correlate (don't suppress) |

Certification crosswalk

| Concept | CompTIA Security+ | (ISC)² CISSP domain |
|---|---|---|
| Firewall types (stateless/stateful/NGFW) | 3.0 Security Architecture | Communication & Network Security |
| IDS vs IPS; signature vs anomaly | 3.0; 4.0 Security Operations | Security Operations; Network Security |
| NAC, 802.1X, port security | 3.0; 4.0 | Communication & Network Security; IAM |
| Microsegmentation / segmentation | 3.0 Security Architecture | Security Architecture & Engineering |
| Default-deny / least privilege on wire | 1.0; 3.0 | Security Architecture & Engineering |
| Tuning / false positives / base rate | 4.0 Security Operations | Security Operations |

Project additions this chapter

  • Meridian program: perimeter & segmentation controls — default-deny inter-zone firewall standard (with justification register), edge IPS + internal IDS, 802.1X NAC with quarantine, CDE microsegmentation behind a bastion.
  • bluekit toolkit: extended netfilter.py with rule_matches(pkt, rule) and default_deny(pkt, rules) (first-match-wins evaluation with a final implicit deny).

Common pitfalls

  • Treating the firewall as the security program (the branch-jack lesson).
  • Default-allow rulesets that rot — broad permit ip any added in an outage, never reviewed.
  • Implicit-only deny (no log) → no evidence of blocked attempts.
  • Trusting signatures alone → blind to zero-days and credential-based "living off the land" attacks.
  • MAC-only NAC (spoofable); exception lists for non-802.1X devices left unsegmented.
  • Enabling microsegmentation without observing flows first → broken production, then exceptions broad enough to defeat the control.
  • Deleting a noisy detection rule instead of tuning and correlating it.
  • In-line IPS blocking on low-confidence signatures → outages on legitimate traffic.