Firewalls and Intrusion Detection Systems

Once a network is in place, the next priority is controlling what traffic enters and exits it, and monitoring for suspicious activity. Two tools handle this: firewalls and intrusion detection systems. Together, they act as the security checkpoint and the surveillance camera of a network.

What Is a Firewall?

A firewall is a security device — hardware, software, or both — that monitors incoming and outgoing network traffic and decides whether to allow or block each connection based on a defined set of rules. It sits between a trusted internal network and an untrusted external network (like the internet).

Think of a firewall as a security guard at the entrance of a building. Every person who wants to enter must show identification. The guard checks the ID against a list of approved visitors. If the name is on the list, entry is allowed. If not, entry is denied.

FIREWALL PLACEMENT:

INTERNET
    │
    │  ← All traffic from outside passes through here
    ▼
┌──────────┐
│ FIREWALL │  ← Checks each packet against rules
│  (Guard) │     Allow? → Pass through
│          │     Block? → Drop packet
└──────────┘
    │
    ▼
INTERNAL NETWORK (Computers, Servers, Databases)

How Firewall Rules Work

A firewall uses a ruleset — a list of conditions — to evaluate every packet. Rules are checked in order, from top to bottom. The first matching rule decides the outcome: allow or deny. If no rule matches, a default rule applies (usually deny all).

SAMPLE FIREWALL RULES (Top to Bottom Priority):

Rule 1: ALLOW traffic on Port 443 (HTTPS) from ANY source
Rule 2: ALLOW traffic on Port 80 (HTTP) from ANY source
Rule 3: ALLOW traffic on Port 22 (SSH) from IP 192.168.1.5 only
Rule 4: DENY traffic on Port 23 (Telnet) from ANY source
Rule 5: DENY ALL other traffic (default deny)

EXAMPLE SCENARIOS:
- User visits a website (Port 443) → Rule 1 ALLOWS it
- Attacker tries SSH from an unauthorized IP → Rule 3 does not match (wrong source IP) → Rule 5 DENIES it
- Anyone tries Telnet → Rule 4 DENIES it immediately
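The first-match evaluation above, implemented as an added example (not code from the original article) over the article's five sample rules. The outside source address 203.0.113.7 is a constructed value; the last check also shows why rule order matters, since the same ruleset reversed puts the default deny first and blocks everything.

```python
# Added example: first-match firewall rule evaluation with default deny.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str            # "ALLOW" or "DENY"
    port: Optional[int]    # None matches any destination port
    source: Optional[str]  # None matches any source IP
    name: str


# The article's ruleset, in priority order (top to bottom).
RULESET = [
    Rule("ALLOW", 443, None, "Rule 1: HTTPS from any"),
    Rule("ALLOW", 80, None, "Rule 2: HTTP from any"),
    Rule("ALLOW", 22, "192.168.1.5", "Rule 3: SSH from 192.168.1.5 only"),
    Rule("DENY", 23, None, "Rule 4: Telnet from any"),
    Rule("DENY", None, None, "Rule 5: default deny"),
]


def matches(rule, src_ip, dst_port):
    # A rule matches only when every condition it specifies is satisfied.
    port_ok = rule.port is None or rule.port == dst_port
    source_ok = rule.source is None or rule.source == src_ip
    return port_ok and source_ok


def evaluate(ruleset, src_ip, dst_port):
    """Return (action, rule name) of the first rule that matches.

    If no rule matches at all, fall back to an implicit default deny,
    which is what a safely configured firewall does."""
    for rule in ruleset:
        if matches(rule, src_ip, dst_port):
            return rule.action, rule.name
    return "DENY", "implicit default deny"


if __name__ == "__main__":
    # The article's scenarios; 203.0.113.7 is a constructed outside address.
    for src, port in [("203.0.113.7", 443), ("203.0.113.7", 22),
                      ("192.168.1.5", 22), ("203.0.113.7", 23)]:
        print(src, port, "->", evaluate(RULESET, src, port))
    # Same rules, wrong order: the default deny now shadows every allow.
    print("reversed ->", evaluate(list(reversed(RULESET)), "203.0.113.7", 443))
```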

Types of Firewalls

Packet Filtering Firewall

This is the most basic type. It inspects each packet individually and checks the source IP address, destination IP address, port number, and protocol. It does not look at the content of the packet. Rules are simple: allow or deny based on header information only.

PACKET FILTERING CHECK:
Packet arrives: [Source: 192.168.1.5] [Dest Port: 443] [Protocol: TCP]
Firewall checks rules → Port 443 is allowed → PASS

Stateful Inspection Firewall

A stateful firewall tracks the state of active network connections. It remembers which connections were established and allows return traffic automatically for those sessions. This is smarter than simple packet filtering because it understands the context of traffic.

STATEFUL INSPECTION:
User opens connection to bank website (HTTPS)
Firewall records: Session established [User ↔ Bank]
Bank sends response → Firewall sees it belongs to an existing session → ALLOW

Unsolicited packet arrives from unknown server → Not part of any session → DENY
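The session tracking described above, as an added example that is not part of the original article. It assumes a constructed internal range of 192.168.1.x, identifies a session by its 5-tuple, and also expires sessions that have carried no traffic for a while, so a reply arriving long after the session went idle is treated as unsolicited.

```python
# Added example: a minimal stateful inspection table (connection tracking).
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


INTERNAL_PREFIX = "192.168.1."   # constructed internal address range
IDLE_TIMEOUT = 300               # assumption: seconds a session survives without traffic


class StatefulFirewall:
    def __init__(self):
        # session 5-tuple (as sent by the internal host) -> time last seen
        self.sessions = {}

    @staticmethod
    def _key(p):
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)

    @staticmethod
    def _reverse_key(p):
        # The reply to a session swaps source and destination.
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)

    def handle(self, p, now):
        """Decide one packet at time `now` (seconds) and update the table."""
        # Drop sessions that have been idle longer than the timeout.
        self.sessions = {k: t for k, t in self.sessions.items()
                         if now - t <= IDLE_TIMEOUT}
        if p.src_ip.startswith(INTERNAL_PREFIX):
            self.sessions[self._key(p)] = now      # outbound: record it
            return "ALLOW: outbound, session recorded"
        rk = self._reverse_key(p)
        if rk in self.sessions:
            self.sessions[rk] = now                # refresh on return traffic
            return "ALLOW: reply to existing session"
        return "DENY: unsolicited inbound"


if __name__ == "__main__":
    fw = StatefulFirewall()
    user_to_bank = Packet("192.168.1.10", 51000, "203.0.113.20", 443)
    bank_reply = Packet("203.0.113.20", 443, "192.168.1.10", 51000)
    stranger = Packet("198.51.100.9", 443, "192.168.1.10", 51000)
    for t, pkt in [(0, user_to_bank), (1, bank_reply), (2, stranger), (1000, bank_reply)]:
        print(t, fw.handle(pkt, t))
```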

Application Layer Firewall (Proxy Firewall)

This type inspects traffic at the application level — it actually reads the content of packets to understand what the application is doing. It can detect attacks hidden inside allowed traffic, such as SQL injection inside an HTTP request. This is the most thorough but also the slowest type of firewall.

Next-Generation Firewall (NGFW)

A Next-Generation Firewall combines traditional firewall features with additional capabilities like intrusion prevention, deep packet inspection, application awareness, and user identity tracking. NGFWs are the standard in modern enterprise environments.

Firewall Type        | What It Inspects           | Speed     | Best For
---------------------|----------------------------|-----------|---------------------------
Packet Filtering     | Headers only (IP, Port)    | Very Fast | Basic filtering
Stateful Inspection  | Headers + connection state | Fast      | Most networks
Application Layer    | Full packet content        | Slower    | High-security environments
Next-Generation      | Content + identity + apps  | Moderate  | Enterprise networks

What Firewalls Cannot Do

Firewalls are powerful but not perfect. Understanding their limitations explains why additional security tools are necessary.

  • A firewall cannot stop threats that arrive over allowed channels (an infected file downloaded via HTTPS passes right through).
  • A firewall cannot stop insider threats from employees already inside the network.
  • A firewall cannot decrypt and inspect encrypted malicious traffic (without special SSL inspection features).
  • A firewall cannot stop a user from deliberately sharing sensitive data.

What Is an Intrusion Detection System (IDS)?

An Intrusion Detection System monitors network or system activity and alerts security teams when it detects suspicious behavior or known attack patterns. Unlike a firewall, which blocks traffic, an IDS does not stop the attack — it detects and reports it. Think of an IDS as a smoke alarm. It does not put out the fire. It tells someone that there is a fire.

IDS PLACEMENT IN NETWORK:

INTERNET ──► FIREWALL ──► INTERNAL NETWORK
                               │
                               ▼
                           [ IDS SENSOR ]
                          Monitors all traffic
                          inside the network
                               │
                               ▼
                        Security Team Alert:
                        "Suspicious activity detected
                         from device 192.168.1.14"

How an IDS Detects Threats

Signature-Based Detection

The IDS compares network traffic against a database of known attack patterns (signatures). If a packet matches a known attack signature, an alert fires. This method is fast and accurate for known attacks but cannot detect brand-new, unknown attacks.

SIGNATURE-BASED DETECTION:

Known signature: "SELECT * FROM users WHERE 1=1" (SQL Injection pattern)
Traffic arrives with this pattern → MATCH FOUND → ALERT

Anomaly-Based Detection

The IDS establishes a baseline of what normal behavior looks like on the network. Any activity that deviates significantly from that baseline triggers an alert. This method can catch new, unknown attacks but also generates more false positives — alerts triggered by legitimate unusual behavior.

ANOMALY-BASED DETECTION:

Normal baseline: Server receives 1,000 requests/hour
Actual traffic: Server receives 50,000 requests/hour
→ ANOMALY DETECTED → ALERT (possible DDoS attack)
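Both detection methods above, signature-based and anomaly-based, in one added example that is not code from the original article. The signature is the article's SQL injection pattern expressed as a regular expression; the request events, the hourly history (around 1,000 requests/hour) and the factor of 10 used as the anomaly threshold are constructed assumptions.

```python
# Added example: a toy IDS applying signature and anomaly detection.
import re
from statistics import mean

# Signature database (constructed). The one entry is the article's example
# pattern, with flexible whitespace so minor spacing changes still match.
SIGNATURES = {
    "sqli_tautology": re.compile(
        r"SELECT\s+\*\s+FROM\s+users\s+WHERE\s+1\s*=\s*1", re.IGNORECASE),
}

ANOMALY_FACTOR = 10   # assumption: alert when an hour exceeds 10x the baseline


def signature_alerts(events):
    """events: iterable of (src_ip, request_text).
    Returns one (src_ip, signature_name) per matching signature."""
    hits = []
    for src_ip, text in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(text):
                hits.append((src_ip, name))
    return hits


def anomaly_alerts(history, current):
    """history: past hourly request counts that define the baseline.
    current: dict hour_label -> count. Returns hours above the threshold.
    A legitimate spike (a sale, a product launch) trips this too, which is
    the false-positive cost the article mentions."""
    threshold = mean(history) * ANOMALY_FACTOR
    return [(hour, n) for hour, n in current.items() if n > threshold]


# Constructed sample input.
EVENTS = [
    ("198.51.100.3", "GET /products?id=42"),
    ("203.0.113.7", "POST /search q=SELECT * FROM users WHERE 1=1"),
]
HISTORY = [950, 1020, 980, 1050]           # baseline of about 1,000/hour
CURRENT = {"09:00": 1200, "10:00": 50000}  # 10:00 mirrors the article's 50,000

if __name__ == "__main__":
    print("signature alerts:", signature_alerts(EVENTS))
    print("anomaly alerts:", anomaly_alerts(HISTORY, CURRENT))
```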

IDS vs. IPS: What Is the Difference?

An Intrusion Prevention System (IPS) is the active version of an IDS. An IDS detects and alerts. An IPS detects and automatically blocks the suspicious traffic. An IPS is placed inline in the network traffic path, while an IDS typically monitors a copy of the traffic.

Feature                  | IDS                        | IPS
-------------------------|----------------------------|---------------------------------------
Position in network      | Passive (monitors a copy)  | Inline (sits in the traffic path)
Action taken             | Alerts only                | Alerts AND blocks
Impact on traffic speed  | None                       | Slight delay due to inspection
Risk of false positives  | Low impact (only alerts)   | High impact (may block valid traffic)

Firewall + IDS/IPS Together

COMPLETE DEFENSE ARCHITECTURE:

INTERNET
    │
    ▼
[OUTER FIREWALL] ── Blocks obviously bad traffic
    │
    ▼
   [DMZ] ── Web Servers, Email Servers
    │
    ▼
[INNER FIREWALL] ── Protects internal network
    │
    ▼
[INTERNAL NETWORK]
    │
    ▼
[IDS / IPS SENSOR] ── Monitors internal traffic
                       Detects suspicious patterns
                       IPS also blocks suspicious traffic
    │
    ▼
[SECURITY OPERATIONS CENTER (SOC)] ── Receives all alerts
                                       Human analysts investigate

A Practical Example: E-Commerce Website

SCENARIO: Attack on an Online Store

Attack Attempt 1: Attacker floods the site with 100,000 fake requests (DDoS)
  Firewall: DDoS protection rule triggers → Blocks flood traffic → STOPPED

Attack Attempt 2: Attacker sends SQL injection via a contact form (HTTPS)
  Firewall: HTTPS is allowed → Firewall passes it through
  IPS: Detects SQL injection pattern in packet content → BLOCKED + ALERT

Attack Attempt 3: Insider employee copies customer database at midnight
  Firewall: Internal traffic → Not blocked
  IDS: Detects large data transfer at unusual time → ALERT sent to security team

RESULT: Firewall stops bulk attacks. IDS/IPS catches sophisticated ones.
Both tools together provide layered defense.

Understanding firewalls and IDS/IPS shows how traffic gets controlled and monitored. The next essential layer of security operates at the data level rather than the network level — that is cryptography, the science of encoding information so that only the right people can read it.
