Network Security Devices


  • Isolate one network from another.
  • A network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules (CISCO).
  • Hardware (appliances), software, or both.
  • Network or host-based.

Firewall Types

  • Packet filter.
    • Passes or blocks traffic to specific ports or IP addresses based on rules.
    • Access Control List (ACL) filter.
    • Little intelligence / stateless.
    • Faster than stateful inspection.
  • Proxy firewall.
    • Acts as an intermediary.
    • Application proxy.
    • Web proxy.
  • Stateful packet inspection.

Stateful Inspection Firewalls

  • Intelligent.
  • Analyzes data flows and traffic patterns.
  • Dynamic access control decisions.
  • Records are kept using a state table that tracks every communications channel:
    • Remembers where the packet came from and where the next one should come from.
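An added example (not from the original notes) that simulates the state table described above: outbound traffic creates an entry, and an inbound packet is admitted only when it is the reply to a known channel. A stateless ACL is shown alongside for contrast; packets and addresses are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = LAN -> Internet, "in" = Internet -> LAN

def stateless_verdict(pkt):
    """Packet-filter ACL: no memory, so replies need a standing hole for high ports."""
    if pkt.direction == "out":
        return "ALLOW"
    # must allow any inbound packet from port 443 to an ephemeral port
    if pkt.src_port == 443 and pkt.dst_port > 1023:
        return "ALLOW"
    return "DROP"

class StatefulFirewall:
    """Keeps a state table of channels opened from inside the network."""
    def __init__(self):
        # key: (lan_ip, lan_port, remote_ip, remote_port) -> state name
        self.state = {}

    def inspect(self, pkt):
        if pkt.direction == "out":
            # inside hosts may initiate; remember the channel so the reply is expected
            self.state[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = "ESTABLISHED"
            return "ALLOW"
        # inbound: allowed only if it is the reply to a channel in the table
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "ALLOW" if key in self.state else "DROP"

def demo():
    """Constructed packets: an outbound HTTPS request, its reply, and a stray inbound packet."""
    fw = StatefulFirewall()
    out = Packet("10.0.0.5", 51000, "93.184.216.34", 443, "out")
    reply = Packet("93.184.216.34", 443, "10.0.0.5", 51000, "in")
    stray = Packet("93.184.216.34", 443, "10.0.0.5", 51001, "in")  # no matching channel
    stateful = [fw.inspect(out), fw.inspect(reply), fw.inspect(stray)]
    stateless = [stateless_verdict(p) for p in (out, reply, stray)]
    return stateful, stateless
```

The stateless filter has to leave the whole ephemeral port range open to admit the reply, so it also admits the stray packet; the state table admits only the expected reply.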

Firewall Rules

  • Configured to specify computers, programs, services, or ports/protocols.
  • Order of firewall rules matters.
  • Implicit Deny
    • Access or resource availability is restricted to only those that are explicitly granted access; all others are denied.
    • 'Deny any any' (last firewall or ACL rule).
  • Explicit Deny - denied permission that is configured explicitly for that resource.
  • Implicit Allow - an allowed permission that is implied for that resource based on another explicit or implicit permission.
  • Explicit Allow - an allowed permission that is configured explicitly for that resource.
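An added example (not part of the original notes) of a first-match rule evaluator with an implicit deny at the end. The rule set and addresses are constructed; the same three rules are evaluated in two orders to show why order matters.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source CIDR, or "any"
    dst_port: Optional[int]  # None matches any destination port

    def matches(self, src_ip, dst_port):
        src_ok = self.src == "any" or ip_address(src_ip) in ip_network(self.src)
        port_ok = self.dst_port is None or self.dst_port == dst_port
        return src_ok and port_ok

def evaluate(rules, src_ip, dst_port):
    """First matching rule wins. If nothing matches, the implicit deny applies."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action, rule
    return "deny", None  # implicit deny: no explicit rule granted access

# Intended policy (hypothetical, constructed addresses): the guest subnet may not
# SSH, the rest of 10.0.0.0/8 may, and anyone may reach HTTPS.
GOOD_ORDER = [
    Rule("deny", "10.0.5.0/24", 22),   # explicit deny (most specific first)
    Rule("allow", "10.0.0.0/8", 22),   # explicit allow for the wider range
    Rule("allow", "any", 443),
]
# Same three rules, but the broad allow is listed before the specific deny.
BAD_ORDER = [GOOD_ORDER[1], GOOD_ORDER[0], GOOD_ORDER[2]]

def compare(src_ip, dst_port):
    """Verdict for the same packet under both orderings."""
    return evaluate(GOOD_ORDER, src_ip, dst_port)[0], evaluate(BAD_ORDER, src_ip, dst_port)[0]
```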

Application Firewalls

  • Controls input, output, and/or access from, to, or by an application or service based on categories, rules, or heuristics.
  • Deep packet inspection.
  • Function at Layer 7 of the OSI model.
  • Web Application Firewall (WAF)
    • Protects web applications from known attacks (injection, buffer overflows, etc.).
  • Often included in other firewall types (Proxy, IDS/IPS).


  • Intrusion - any activity or action that attempts to undermine or compromise the confidentiality, integrity, or availability of resources.
  • Intrusion Detection/Prevention Systems.
  • Like a burglar alarm - identify unauthorized activity, access, or anomalies.
  • Sensor - the IDS component that collects data from the data source and passes it to the analyzer.
  • Host-based (HIDS/HIPS) - on individual systems.
  • Network-based (NIDS/NIPS) - on the network borders.

IDS vs IPS - Detection vs Prevention

  • IDS - Passive response
    • Logging
    • Notification
    • Shunning / Quarantine
  • IPS - Active Response
    • Terminating process or sessions.
    • Configuration changes.
    • Deception Active Response - Attacker believes the attack is succeeding while the system monitors the activity and potentially redirects the attacker to a honeypot or logging system.

IDS / IPS Types

  • Signature Based (AKA Knowledge Based)
    • Detects known vulnerabilities.
    • Rules/updates provided by vendor.
    • Reactive
  • Behavior Based
    • Outside of normal bounds or established profile.
    • Anomaly based.
    • Potential for false positives.
  • Heuristic Based
    • Uses algorithms to analyze the activity / network traffic.
    • High initial overhead.

IDS / IPS Analytics

  • False Positive - Occurs when a typical or expected behavior is identified as irregular or malicious.
  • False Negative - Occurs when an alert that should have been generated did not happen.


  • Network Intrusion Detection / Prevention Systems
  • Analysis used to be separate, now combined with firewalls.
  • Passive - traffic is mirrored to sensor.
  • Inline - with traffic flows and prevents attacks in real time. Could cause latency.

VPN Concentrators

  • A VPN allows remote access into a network.
    • site-to-site
    • user (host-to-site)
  • VPN Concentrator
    • Single device to funnel all VPN access / connects VPN nodes.
    • Encrypted tunnels.
    • Centralized authentication (RADIUS, Kerberos, Federated ID)
  • Always-on VPN
  • Network security through encryption.
    • Internet Protocol Security (IPSec)
    • Secure Sockets Layer (SSL)
  • Cannot be placed wherever they are needed.
    • Should be placed in the perimeter network near the gateway.

Internet Protocol Security (IPSec)


  • SSL (Secure Sockets Layer)
  • TLS (Transport Layer Security)
    • Replaces SSL
  • Known as a WebVPN - remote access through a website over SSL/TLS.
  • Point-to-point encrypted communications.

VPN Tunneling

  • Full Tunnel - all requests are routed and encrypted through the VPN. More secure.
  • Split Tunnel - only some traffic (usually requests for internal corporate resources) is routed and encrypted over the VPN.

Unified Threat Management (UTM) & Next Generation Firewall (NGFW)

  • An all-in-one firewall appliance / single interface / single vendor.
  • Network IDS/IPS.
  • URL filtering.
    • Block websites based on category or URL.
  • Content inspection.
    • Application aware.
  • Malware inspection.

Network Access Control (NAC)

  • Uses a set of protocols to define and implement a policy that describes how to secure access to network nodes by devices upon initial access (the IEEE 802.1X standard).
  • Components:
    • Access Requestor (AR): The device that requests access. Assessment of the device can be self-performed or delegated to another system.
    • Policy Decision Point (PDP): The system that assigns a policy based on the assessment. The PDP determines access.
    • Policy Enforcement Point (PEP): The device that enforces the policy. This device can be a switch, firewall, or router.
  • Agent vs Agentless
    • Is an agent application on the end-point?
    • Typically yes, for corporate devices.
  • Host Health Checks
    • "Health" of the end-point.
    • Is AV enabled?
  • Dissolvable vs Permanent

Security Information and Event Management (SIEM)

  • SIEM tools collect, correlate, and display data feeds that support response activities.
  • Functions:
    • Log aggregation on a centralized server.
    • Centrally managing security events.
    • Correlating and normalizing events for context and alerting.
    • Reporting on data gathered from various applications.
  • Benefits:
    • Aggregation
    • Correlation
    • Automated Alerting & Triggers
    • Event Deduplication
    • Time Synchronization
    • WORM - "Write-Once, Read-Many" protection.
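An added example (not from the original notes) of the aggregation, normalization, time synchronization, deduplication and correlation functions listed above, run over constructed log lines from two sources: an sshd-style syslog feed stamped in local time (UTC-5) and a JSON application feed already in UTC. The correlation rule, threshold and window are assumptions for illustration.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample feeds (not real logs).
SSHD_LINES = [
    "2024-03-01T09:00:01-05:00 bastion sshd[811]: Failed password for admin from 198.51.100.7 port 50111 ssh2",
    "2024-03-01T09:00:03-05:00 bastion sshd[811]: Failed password for admin from 198.51.100.7 port 50112 ssh2",
    "2024-03-01T09:00:03-05:00 bastion sshd[811]: Failed password for admin from 198.51.100.7 port 50112 ssh2",
    "2024-03-01T09:00:09-05:00 bastion sshd[811]: Accepted password for admin from 198.51.100.7 port 50120 ssh2",
]
APP_LINES = [
    '{"time": "2024-03-01T14:00:05Z", "src": "198.51.100.7", "user": "admin", "result": "fail"}',
    '{"time": "2024-03-01T14:30:00Z", "src": "192.0.2.44", "user": "bob", "result": "ok"}',
]
SSHD_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")

def normalize(lines):
    """Aggregate both feeds into one schema (ts_utc, src, user, outcome) and deduplicate."""
    events = set()  # a set drops the repeated syslog line (event deduplication)
    for line in lines:
        if line.startswith("{"):
            d = json.loads(line)
            ts = datetime.fromisoformat(d["time"].replace("Z", "+00:00"))
            outcome = "success" if d["result"] == "ok" else "failure"
            events.add((ts.astimezone(timezone.utc), d["src"], d["user"], outcome))
        elif (m := SSHD_RE.match(line)):
            # time synchronization: convert the local-time stamp to UTC
            ts = datetime.fromisoformat(m.group(1)).astimezone(timezone.utc)
            outcome = "success" if m.group(2) == "Accepted" else "failure"
            events.add((ts, m.group(4), m.group(3), outcome))
    return sorted(events)

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when a success from a source is preceded by >= threshold failures in the window."""
    alerts = []
    for ts, src, user, outcome in events:
        if outcome != "success":
            continue
        fails = [e for e in events
                 if e[1] == src and e[3] == "failure" and ts - window <= e[0] < ts]
        if len(fails) >= threshold:
            alerts.append({"src": src, "user": user, "failures": len(fails), "at": ts.isoformat()})
    return alerts
```

Neither feed alone crosses the threshold; only after both are normalized to UTC and correlated does the admin login from 198.51.100.7 stand out.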

Data Loss Prevention (DLP)

  • AKA Data Leakage Protection
  • Prevent sensitive information from physically or logically leaving corporate systems.
  • Designed to detect and prevent unauthorized use and transmission of confidential information.
  • Network: Content-filtering (proxy).
  • System: Application white-listing.
  • Hardware: USB Blocking.
  • Cloud data.

SSL / TLS Accelerators

  • SSL Offloading - the process of shifting the burden of encrypting and decrypting traffic sent via SSL from the web server to another device.
  • Accepts SSL/TLS connections from the end-point and sends the connection to the server unencrypted.
  • Associated with load balancers.

Gateways (Mail & Media)

  • Centralization and Routing
  • Encryption
  • Spam Filters
    • Inbound
    • Outbound
  • Proxy Servers (media)

Hardware Security Module (HSM)

  • Hardware-based encryption that manages digital keys, accelerates cryptographic processes, and provides strong access authentication.
  • Trusted Platform Module (TPM) used to assist with cryptographic key generation.