Course 10 - Network Security Fundamentals | Episode 3: Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS)
In this lesson, you’ll learn about:
Firewall fundamentals and their evolution across generations
The role of firewalls in network perimeter defense
Intrusion Detection and Prevention Systems (IDS/IPS) and how they operate
Deployment models and detection methods for IDS/IPS
Best practices for modern perimeter security
I. Network Perimeter Defense Overview
Perimeter defense protects the boundary between an organization's private network and the public internet. Although external attackers are the main focus, insider threats must also be considered: a control that sits only on the perimeter never sees traffic that stays inside it. Firewalls and IDS/IPS systems form critical components of this defense.
II. Firewalls: Purpose, Operation, and Evolution
What a Firewall Does
A firewall filters traffic entering or leaving a private network, blocking malicious or unauthorized traffic while allowing legitimate communication. Firewalls are placed at the network perimeter, between internal systems and the public internet, and increasingly between internal network segments as well. A firewall is only one layer within a defense-in-depth strategy, where multiple controls work together so that no single point of failure exposes the entire system.
Evolution of Firewall Technology
1. First Generation — Packet Filtering Firewall
Judges each packet on its own, based on simple header criteria:
IP addresses
Protocols (TCP/UDP)
Port numbers
Also known as screening routers. Because every packet is evaluated in isolation, a packet filter cannot tell a legitimate reply from an unsolicited inbound packet that happens to use the same ports.
2. Second Generation — Circuit-Level Gateway
Focuses on the validity of a communication session (“circuit”) rather than on individual packets. Verifies that a connection was set up legitimately (for TCP, a proper handshake) but does not inspect the content carried inside it.
3. Third Generation — Stateful Inspection Firewall
Tracks the state of connections in a state table:
Remembers which internal device initiated a session
Allows only expected return traffic, i.e. inbound packets that match a connection already in the table
Provides more contextual filtering than earlier generations, which closes the standing "reply" holes a packet filter must leave open.
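The difference between a packet filter and stateful inspection, as an added example that is not part of the episode: a toy stateless filter and a toy state-tracking filter are run over the same constructed packet trace. The scenario (internal host 10.0.0.5 browsing to 203.0.113.10:443, then an attacker at 198.51.100.7 who sets a source port of 443 to reach an internal RDP service) and all addresses are assumptions made for the illustration.

```python
"""Added example: packet filtering versus stateful inspection on a
constructed trace. A stateless filter must allow "inbound TCP from source
port 443" so HTTPS replies get in, and that rule also admits an attacker
who picks 443 as their source port. The stateful version allows the reply
only because it remembers the outbound connection that caused it."""
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."  # toy prefix test; a real firewall does CIDR matching


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # first packet of a TCP connection
    ack: bool = False


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NET)


def packet_filter(pkt: Packet) -> bool:
    """First generation: every packet is judged alone on its header fields."""
    if is_internal(pkt.src) and pkt.dport == 443:
        return True                      # outbound HTTPS
    if is_internal(pkt.dst) and pkt.sport == 443:
        return True                      # "HTTPS replies": the standing hole
    return False


class StatefulFirewall:
    """Third generation: only connections initiated from inside are allowed,
    and inbound packets must be the reverse of a tracked connection."""

    def __init__(self) -> None:
        self.table: set[tuple] = set()   # (int_ip, int_port, ext_ip, ext_port)

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            if pkt.dport == 443 and pkt.syn and not pkt.ack:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True              # new outbound session: record it
            # any other outbound packet must belong to a tracked session
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.table
        if is_internal(pkt.dst):
            # inbound: allowed only as the return half of a tracked session
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table
        return False


# Constructed trace: a legitimate HTTPS handshake, then an attacker using
# source port 443 to reach RDP (3389) on the internal host.
TRACE = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True),
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, syn=True, ack=True),
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, ack=True),
    Packet("198.51.100.7", 443, "10.0.0.5", 3389, syn=True),   # attacker
]


def run_packet_filter(trace=TRACE) -> list[bool]:
    return [packet_filter(p) for p in trace]


def run_stateful(trace=TRACE) -> list[bool]:
    fw = StatefulFirewall()
    return [fw.allow(p) for p in trace]


if __name__ == "__main__":
    print("packet filter :", run_packet_filter())  # [True, True, True, True]
    print("stateful      :", run_stateful())       # [True, True, True, False]
```

The last packet is the one that matters: the packet filter has no way to know that nobody inside asked for it, while the stateful firewall drops it because no entry in its table matches. Real implementations also track sequence numbers, time out idle entries and handle UDP and ICMP pseudo-state; those details are omitted here.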
4. Application-Level Firewall (Proxy Firewall)
Operates at Layer 7 of the OSI Model. Terminates the client's connection and opens its own connection to the server, so it can validate the protocol itself rather than just the headers. Filters based on specific applications or internet services (e.g., HTTP, FTP, SMTP). Often used to inspect and regulate user behavior within applications.
5. Next Generation Firewall (NGFW)
The modern standard, combining several of the earlier capabilities in one device:
Packet filtering
Stateful inspection
Deep Packet Inspection (DPI)
TLS proxy and web filtering
Quality of Service (QoS) controls
Anti-malware integration
Built-in IDS/IPS
Organizations today are strongly advised to deploy NGFWs due to their comprehensive feature set. Note that the TLS proxy feature means the firewall decrypts and re-encrypts traffic: its inspection certificate authority must be trusted by the clients, and its private keys become a high-value target that must be protected.
Firewall Logging All firewalls should:
Log events such as configuration changes, administrative logins and reboots, as well as denied connections (and permitted ones where log volume allows)
Send logs to a central Security Information and Event Management (SIEM) system
This ensures proper monitoring, auditing, and investigation of suspicious activity, and keeps a copy of the logs where a compromised or misconfigured firewall cannot alter them.
III. Intrusion Detection and Prevention Systems (IDS/IPS)
IDS/IPS technologies monitor network or host activity for signs of malicious behavior. They may be part of a Next Generation Firewall or separate devices.
1. Intrusion Detection System (IDS)
A passive monitoring device. It is typically fed a copy of the traffic (from a switch mirror port or a network tap), so it can observe but cannot block.
Scans for malicious traffic
Generates alerts (email, SMS, console alerts)
Allows administrators to investigate manually
2. Intrusion Prevention System (IPS)
An active security device. It sits inline in the traffic path and can drop packets, reset connections or block sources automatically.
Essential for mitigating fast-moving attacks like DDoS or ICMP-based floods
Critical note: IPS sensitivity must be configured carefully. Because an IPS acts automatically, an attacker can turn it against the network: spoofing packets from the address of a DNS server or business partner, or sending traffic crafted to trigger a false positive, can make the IPS block a legitimate service. Tune thresholds, exempt critical peers from automatic blocking, make blocks expire, and run new rules in detect-only mode before enforcing them.
Security as a Service (SECaaS)
Organizations may outsource IDS/IPS monitoring to cloud providers. Strong SLAs (Service Level Agreements) are required to ensure:
Prompt alerting
Accurate monitoring
Proper response times
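The critical note above on IPS sensitivity, as an added example that is not part of the episode and not any vendor's product: a toy inline IPS that blocks a source after a number of alerts, first with a naive policy and then with the safeguards a practitioner would configure. The alerts, the "upstream resolver" address and the attacker address are constructed for the scenario.

```python
"""Added example: how an IPS auto-block policy can be turned into a
denial-of-service tool, and what the careful policy looks like.

Scenario (constructed): the sensor raises alerts with a source address.
An attacker spoofs UDP packets from the organization's upstream DNS
resolver so that the IPS blocks the resolver. The hardened policy never
auto-blocks listed critical peers, only acts on alerts seen inside an
established TCP session (whose source is not trivially spoofable), and
lets blocks expire."""
from dataclasses import dataclass

RESOLVER = "192.0.2.53"      # assumed upstream DNS resolver
ATTACKER = "198.51.100.7"    # assumed attacker address


@dataclass(frozen=True)
class Alert:
    src: str            # source address the sensor saw
    signature: str
    proto: str          # "udp" or "tcp"
    established: bool   # True if seen inside a completed TCP handshake


@dataclass
class IpsPolicy:
    block_after: int = 3                   # alerts from a source before auto-block
    never_block: frozenset = frozenset()   # critical peers: alert only, never block
    require_established: bool = False      # ignore spoofable alerts for blocking
    block_ttl_s: int = 0                   # 0 = permanent block (the naive setting)


class Ips:
    def __init__(self, policy: IpsPolicy) -> None:
        self.policy = policy
        self.counts: dict[str, int] = {}
        self.blocked: dict[str, float] = {}   # src -> expiry time (inf = permanent)

    def is_blocked(self, src: str, now: float) -> bool:
        expiry = self.blocked.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked[src]         # block has expired
            return False
        return True

    def handle(self, alert: Alert, now: float) -> str:
        """Process one alert and return the action taken."""
        p = self.policy
        if self.is_blocked(alert.src, now):
            return "drop"
        if alert.src in p.never_block:
            return "alert-only"           # critical peer: human review instead
        if p.require_established and not alert.established:
            return "alert-only"           # source may be spoofed; do not act on it
        self.counts[alert.src] = self.counts.get(alert.src, 0) + 1
        if self.counts[alert.src] >= p.block_after:
            self.blocked[alert.src] = now + p.block_ttl_s if p.block_ttl_s else float("inf")
            return "block"
        return "alert"


# Constructed alert stream: spoofed UDP alerts "from" the resolver, then a
# genuine SSH brute force from the attacker inside established TCP sessions.
SPOOFED = [Alert(RESOLVER, "dns-malformed", "udp", False) for _ in range(3)]
GENUINE = [Alert(ATTACKER, "ssh-bruteforce", "tcp", True) for _ in range(3)]


def run(policy: IpsPolicy) -> dict[str, bool]:
    ips = Ips(policy)
    for alert in SPOOFED + GENUINE:
        ips.handle(alert, now=0.0)
    return {
        "resolver_blocked": ips.is_blocked(RESOLVER, 1.0),
        "attacker_blocked": ips.is_blocked(ATTACKER, 1.0),
        "attacker_blocked_after_10min": ips.is_blocked(ATTACKER, 601.0),
    }


def naive() -> dict[str, bool]:
    return run(IpsPolicy())


def hardened() -> dict[str, bool]:
    return run(IpsPolicy(never_block=frozenset({RESOLVER}),
                         require_established=True, block_ttl_s=600))


if __name__ == "__main__":
    print("naive    :", naive())     # resolver blocked: DNS outage caused by the IPS
    print("hardened :", hardened())  # only the attacker is blocked, and only for 10 min
```

With the naive policy the three spoofed alerts are enough to cut the network off from its resolver, which is exactly the outcome the note warns about. The hardened policy still blocks the real brute force, because those alerts come from established TCP sessions, and the expiring block limits the damage if a false positive does slip through.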
IV. IDS/IPS Categories
A. Location-Based Systems
1. Host-Based (HIDS/HIPS)
Protects individual systems (e.g., critical servers). Runs as an agent on the host and monitors:
Local firewall logs
System changes (file integrity, configuration files, user accounts, installed software)
Suspicious local activity
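The "system changes" monitoring a host-based IDS performs, as an added example that is not part of the episode and not OSSEC's or any other product's code: a baseline of file digests is taken, the directory is rescanned later, and added, removed and modified files are reported. A temporary directory with constructed files stands in for a server's configuration tree.

```python
"""Added example: file integrity monitoring, the core of a host-based IDS.
Hashes every file under a root, then diffs a later scan against the
baseline. The demo builds a throwaway directory and simulates a
compromise (sshd_config tampered, an attacker key added, a cron job
removed); the file names and contents are constructed for the example."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each regular file (relative POSIX path) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify the differences between two scans."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small config tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ssh").mkdir()
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "cron.daily").mkdir()
        (root / "cron.daily" / "logrotate").write_text("#!/bin/sh\n")
        before = hash_tree(root)

        # Simulated compromise between the two scans
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "ssh" / "authorized_keys").write_text("ssh-ed25519 AAAA... attacker\n")
        (root / "cron.daily" / "logrotate").unlink()
        after = hash_tree(root)

    return compare(before, after)


if __name__ == "__main__":
    for kind, files in demo().items():
        for name in files:
            print(f"{kind:9} {name}")
```

Two points a real deployment adds: the baseline must be stored off-host (or signed), since an attacker with root can rewrite a local baseline along with the files, and the HIDS must send its findings to the SIEM for the same reason.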
2. Network-Based (NIDS/NIPS)
Protects the entire network. Monitors traffic flowing through switches, routers, and firewalls. Ideal for detecting lateral movement or perimeter attacks. It sees only the traffic that passes its sensors, so sensor placement (perimeter, internal segments) determines what it can detect, and encrypted payloads are opaque to it unless it sits behind a TLS-terminating proxy.
B. Detection Styles
1. Signature-Based Detection
Compares traffic to known attack signatures
Effective against well-known malware or attack patterns
Requires frequent signature updates, and cannot see an attack for which no signature exists yet
2. Heuristics / Anomaly-Based Detection
Establishes a baseline of “normal” network behavior
Uses statistical analysis or machine learning
Flags deviations that may indicate attacks
Useful for detecting zero-day threats and unknown malware. The trade-off is a higher false-positive rate, and the baseline must be taken on clean traffic: an attacker already active during baselining becomes part of "normal".
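The two detection styles side by side, as an added example that is not part of the episode and not Snort's rule engine: a signature detector matches known attack patterns in request paths, and an anomaly detector baselines each client's requests per minute on a clean window and flags clients whose rate is far outside it. The log format, all hosts and all lines are constructed for the example.

```python
"""Added example: signature-based versus anomaly-based detection over a
constructed HTTP access log. Each style misses what the other catches:
the signatures flag an SQL injection attempt that is too quiet to be an
anomaly, and the anomaly detector flags a scraper whose requests look
individually harmless."""
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Known-bad patterns, deliberately simple like early IDS rules.
SIGNATURES = [
    ("sql-injection", re.compile(r"(?i)'\s*(or|and)\s+\d+=\d+|union\s+select")),
    ("path-traversal", re.compile(r"\.\./")),
    ("xss", re.compile(r"<script", re.I)),
]

# Constructed format: "<ip> [<unix seconds>] \"GET <path> HTTP/1.1\" <status>"
LOG_RE = re.compile(r'^(\S+) \[(\d+)\] "(?:GET|POST) (\S+) HTTP/1\.[01]" (\d{3})')


def parse(line: str):
    """Return (client_ip, minute_bucket, decoded_path) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, _status = m.groups()
    # Decode before matching: otherwise "%20or%201=1" slips past the signature.
    return ip, int(ts) // 60, unquote(path)


def signature_scan(lines) -> list[tuple[str, str]]:
    """Signature-based: report (client, signature) for each known-bad request."""
    hits = []
    for rec in map(parse, lines):
        if rec is None:
            continue
        for name, pattern in SIGNATURES:
            if pattern.search(rec[2]):
                hits.append((rec[0], name))
                break
    return hits


def anomaly_scan(baseline_lines, window_lines, z_threshold: float = 3.0) -> dict[str, float]:
    """Anomaly-based: per-client requests-per-minute against a clean baseline.
    Returns clients whose rate exceeds the baseline mean by more than
    z_threshold standard deviations, with their z-score."""
    base = Counter((r[0], r[1]) for r in map(parse, baseline_lines) if r)
    mean = statistics.mean(base.values())
    stdev = statistics.pstdev(base.values()) or 1.0
    window = Counter((r[0], r[1]) for r in map(parse, window_lines) if r)
    flagged = {}
    for (ip, _minute), n in window.items():
        z = (n - mean) / stdev
        if z > z_threshold:
            flagged[ip] = max(flagged.get(ip, 0.0), round(z, 1))
    return flagged


def make_lines(ip: str, minute: int, n: int, path: str = "/index.html") -> list[str]:
    """Constructed log lines: n requests from ip within one minute."""
    return [f'{ip} [{minute * 60 + i}] "GET {path} HTTP/1.1" 200' for i in range(n)]


# Clean baseline: three internal clients at 2-4 requests per minute.
BASELINE = []
for _ip, _counts in {"10.1.1.1": [2, 3, 4, 3, 2],
                     "10.1.1.2": [3, 3, 3, 3, 3],
                     "10.1.1.3": [2, 4, 2, 4, 3]}.items():
    for _minute, _n in enumerate(_counts):
        BASELINE += make_lines(_ip, _minute, _n)

# Later window: a normal client, a 40 req/min scraper with benign-looking
# paths, and a low-volume attacker probing for SQL injection.
WINDOW = (make_lines("10.1.1.1", 10, 3)
          + make_lines("198.51.100.9", 10, 40, "/products?page=7")
          + make_lines("203.0.113.4", 10, 2, "/login?user=admin'%20or%201=1--"))


if __name__ == "__main__":
    print("signature hits:", signature_scan(WINDOW))    # only 203.0.113.4
    print("anomalies     :", anomaly_scan(BASELINE, WINDOW))  # only 198.51.100.9
```

Neither detector alone covers the window: the scraper never trips a signature and the injection attempt is too infrequent to look anomalous, which is why production sensors run both styles and send both kinds of alert to the SIEM. The decoding step in parse is the usual place signature engines get evaded; Snort's HTTP preprocessor performs this kind of normalization before rules are applied.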
V. Selecting and Deploying IDS/IPS Tools
Organizations choose solutions such as:
Snort (network-based IDS/IPS driven by signature rules)
OSSEC (host-based IDS: file integrity monitoring, log analysis, rootkit checks)
SolarWinds SEM (a SIEM that correlates firewall and IDS/IPS logs, rather than an IDS itself)
Selection depends on:
Risk assessments
Organizational security goals
Network architecture
Compliance requirements
You can listen to and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy