Firewalls, IDS, and IPS

Firewalls, IDS, and IPS are controls for network traffic.

They answer related but different questions. The easiest way to separate them is to ask whether the device is mainly filtering by rules, alerting after detection, or blocking suspicious traffic inline.

They answer related but different questions:

ControlQuestion
firewallShould this traffic be allowed through?
IDSDoes this traffic look suspicious enough to alert someone?
IPSDoes this suspicious traffic need to be blocked now?

Where These Controls Act

These controls sit near network traffic, not inside a user’s memory or thoughts. They are useful when the risk is connected to packets, connections, suspicious patterns, or access between network areas. They are not the same as password checking, anti-malware scanning, or secure programming.

traffic reaches boundary -> firewall applies rules
traffic is observed -> IDS may alert
traffic passes through inline device -> IPS may block

Firewall

A firewall filters network traffic according to rules.

For a beginner, think of a firewall as a checkpoint between two network areas.

packet arrives
firewall checks rule set
if allowed: forward packet
if blocked: drop packet

The rule may consider information such as:

  • source address;
  • destination address;
  • port number;
  • protocol;
  • connection state;
  • application or service, depending on firewall type.

Simple Firewall Rule Example

Suppose a school web server should accept browser requests from the internet, but the database server should only be reachable from inside the school network.

Example rule table:

RuleTrafficActionReason
1internet to web server on HTTPS port 443allowstudents need to reach the web app
2internet to database server on database portblockoutsiders should not connect directly to the database
3internal web server to internal database serverallowthe web app needs to read and write data
4all other unexpected incoming trafficblockdefault-deny reduces exposure

Beginner reasoning:

The firewall is not deciding whether a password is correct.
It is deciding whether this kind of network traffic should pass.

Host-Based and Network-Based Firewalls

TypeWhere it is usedWhat it protects
host-based firewallinstalled on one devicethat individual device
network-based firewallplaced at a network boundarydevices behind that boundary

Example:

  • A laptop’s operating system firewall is host-based.
  • A school router or dedicated firewall protecting a school network is network-based.

Hardware and Software Firewalls

TypeBeginner explanation
hardware firewalla physical device placed in the network path
software firewalla program running on a computer or server

The distinction is about implementation. The security idea is still filtering traffic according to rules.

Default-Deny Reasoning

A common secure design is to allow only traffic that is needed and block unexpected traffic by default. This is called a default-deny mindset.

Example:

Allow HTTPS to the public web server because users need it.
Allow the web server to contact the database server because the app needs it.
Block direct internet traffic to the database server because outsiders do not need it.
Block other unexpected incoming traffic unless there is a clear reason to allow it.

Default-deny does not mean blocking everything. It means every allowed path should have a reason.

Firewall Limitations

A firewall is important, but it is not magic.

It may fail to protect against:

  • traffic explicitly allowed by the rule set;
  • attacks that start inside the protected network;
  • malware that arrives through a permitted channel, such as a downloaded file;
  • users who approve unsafe firewall exceptions;
  • encrypted traffic whose content cannot be inspected without additional mechanisms;
  • new attacks that resemble normal traffic.

Good exam answers should say both what a firewall can do and what it cannot guarantee.

Example limitation:

If the firewall allows HTTPS traffic to a web application, an attacker may still send a malicious-looking request through HTTPS.
The firewall has allowed the connection because the web service is meant to be reachable.
Other controls, such as secure application code, IDS/IPS, validation, logging, and authentication, are still needed.

Firewall Does Not Mean Full Security

A firewall decision is usually about whether a connection or packet is allowed by policy. If the allowed service itself has a vulnerability, an attacker may still send harmful input through an allowed route.

For example, a web server must normally accept HTTPS requests. A firewall may allow those requests, but the web application still needs input validation, authentication, logging, and secure code.

Intrusion Detection System

An intrusion detection system monitors activity and raises alerts when it sees suspicious patterns.

IDS behavior:

observe traffic or system activity
compare against known signatures or normal behavior
raise alert if suspicious
administrator or system responds

An IDS does not usually sit in the direct forwarding path as the blocking device. Its main job is detection and alerting.

Intrusion Prevention System

An intrusion prevention system sits inline with traffic and can block suspicious activity.

IPS behavior:

traffic enters IPS
IPS inspects traffic
if acceptable: forward traffic
if suspicious: block, drop, or reset traffic

Because an IPS can block traffic, incorrect decisions can affect legitimate users. This is why false positives matter.

IDS Versus IPS

FeatureIDSIPS
main actiondetects and alertsdetects and blocks
positionoften monitors a copy of trafficinline with traffic
effect on attackmay not stop it immediatelycan stop it immediately
riskalert may be missed or too latefalse positive may block legitimate traffic

Memory aid:

IDS = Detection = tells you something may be wrong
IPS = Prevention = tries to stop it

Traffic Story

Use this story to separate the three controls.

1. A packet arrives from the internet.
2. The firewall checks whether the packet is allowed by network rules.
3. The IDS observes traffic patterns and raises an alert if something looks suspicious.
4. The IPS, if placed inline, can block traffic it classifies as malicious.
StageWhat the student should say
firewallallow or block by rule
IDSmonitor and alert
IPSinspect and block inline

If an exam asks for “detect” rather than “prevent”, IDS is usually the better answer. If it asks for stopping suspicious traffic automatically, IPS is usually the better answer.

Signature-Based and Anomaly-Based Detection

IDS and IPS tools may use different detection methods.

MethodHow it worksStrengthWeakness
signature-basedcompares traffic with known attack patternsgood for known attacksmay miss new attacks
anomaly-basedcompares activity with a normal baselinemay notice unusual behaviormay generate more false alarms

Students do not need to know vendor-specific systems. The key idea is that detection depends on comparing observed behavior with expected or known-bad behavior.

Why IDS and IPS Need Tuning

IDS and IPS decisions are not perfect. If rules are too strict, normal activity may be flagged or blocked. If rules are too loose, real attacks may pass unnoticed. This is why false positives and false negatives are part of security reasoning, not just vocabulary.

False Positives and False Negatives

TermMeaningExample
false positiveharmless activity is flagged as suspiciousa legitimate file upload is blocked
false negativeharmful activity is not detecteda new attack pattern passes through

These terms matter because security controls involve trade-offs. A very strict IPS may block more attacks but also disrupt legitimate use. A very permissive setup may avoid disruption but miss real attacks.

Worked Scenario

A school hosts an internal results system. It wants to:

  • block outside traffic to the database server;
  • allow browser traffic to the web server;
  • detect repeated suspicious login attempts;
  • stop known malicious requests before they reach the web server.

Suitable controls:

RequirementControl
block outside database accessfirewall rule
allow browser access to web serverfirewall rule allowing HTTP/HTTPS to the web server
detect repeated suspicious login attemptsIDS alerting or application logs
stop known malicious requests inlineIPS

Common Mistakes

  • Saying an IDS blocks attacks. IDS mainly detects and alerts.
  • Saying an IPS only records attacks. IPS can block traffic.
  • Describing a firewall as antivirus software. A firewall filters traffic; antivirus/anti-malware tools inspect software and files.
  • Claiming a firewall protects against all internal attacks.
  • Ignoring false positives and false negatives when discussing IDS/IPS.

Quick Check

PromptBest answer
Which control filters traffic by rule?firewall
Which control raises alerts about suspicious traffic?IDS
Which control can block suspicious traffic inline?IPS
Which security goal is harmed when an IPS wrongly blocks real users?availability

Return to Network Security.