Firewalls, WAF, IDS, IPS, and Proxies
Key Takeaways
- Firewalls enforce traffic policy based on criteria such as address, port, protocol, state, application, user, or content.
- A WAF protects web applications by inspecting HTTP and HTTPS application-layer traffic for web attack patterns.
- IDS detects and alerts; IPS can block or modify traffic inline.
- Forward proxies protect users going out; reverse proxies protect services being accessed from outside.
- Rule order, default deny behavior, logging, and exact source/destination scope are common exam traps.
Network security devices are often tested by placement and function. Read whether the scenario needs to allow, block, inspect, alert, proxy, or protect a web application.
Control Comparison
| Control | Main purpose | Typical placement |
|---|---|---|
| Packet-filtering firewall | Filter by IP, port, protocol | Network boundary or router ACL |
| Stateful firewall | Track connection state | Network perimeter or segmentation boundary |
| Next-generation firewall | Add app/user/content awareness | Edge or internal segmentation point |
| WAF | Inspect web requests and responses | In front of web applications |
| IDS | Detect and alert on suspicious activity | Sensor span port, tap, or host |
| IPS | Detect and block inline | Inline network path |
| Forward proxy | Control user web access | Between users and internet |
| Reverse proxy | Front-end and protect servers | Between clients and internal web services |
Firewall Rule Anatomy
A firewall or ACL rule should identify:
- Direction or interface.
- Source.
- Destination.
- Service or port.
- Action.
- Logging.
- Rule order.
Example for a public website with an internal database:
| Order | Source | Destination | Service | Action |
|---|---|---|---|---|
| 10 | Internet | Reverse proxy | TCP 443 | Allow/log |
| 20 | Reverse proxy | Web app | TCP 443 | Allow/log |
| 30 | Web app | Database | TCP 5432 | Allow/log |
| 40 | Internet | Database | Any | Deny/log |
| 99 | Any | Any | Any | Deny/log |
Common trap: an allow-any rule placed above a deny rule makes the deny rule ineffective. Firewalls typically process rules in order until a match is found.
WAF Use Cases
A WAF is the better answer when the scenario mentions:
- SQL injection attempts in web requests.
- Cross-site scripting payloads.
- Malicious HTTP headers.
- Path traversal attempts.
- Bot or rate-limit behavior against web endpoints.
- Virtual patching for a known web vulnerability while code is fixed.
A WAF is not a replacement for secure coding, parameterized queries, patching, or authentication. It is a compensating and detective/preventive layer for web traffic.
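To make the WAF use cases above concrete, here is a minimal signature-style request inspector, added as an example and not code from the original page or from any WAF product. It decodes the request target, runs the decoded path, parameter values and header values against a few named signatures for the attack classes listed above, and shows how a "virtual patch" rule can block a specific parameter on a specific path while the application code is fixed. The `/legacy/export` path, the `template` parameter, the signature names and the sample requests are all constructed for this example; a production WAF does far more normalization and uses curated rule sets.

```python
"""Minimal signature-style WAF inspection (added example, not from the page).

Decision order mirrors a typical WAF policy: method allowlist, then any
virtual-patch rules for known-vulnerable endpoints, then generic signatures.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qsl, unquote_plus, urlsplit


@dataclass(frozen=True)
class Verdict:
    action: str           # "allow" or "block"
    rule: Optional[str]   # name of the rule that decided, None when allowed


ALLOWED_METHODS = {"GET", "POST", "HEAD"}

# Generic signatures, run over decoded path, parameter values and header values.
# These are illustrative patterns only, not a complete or production rule set.
SIGNATURES = {
    "sqli-tautology": re.compile(r"(\'|\")\s*or\s+\S+\s*=\s*\S+", re.I),
    "sqli-comment-union": re.compile(r"(union\s+select|--\s|/\*)", re.I),
    "xss-tag-or-handler": re.compile(r"(<\s*script|on\w+\s*=|javascript:)", re.I),
    "path-traversal": re.compile(r"(\.\./|\.\.\\)"),
}

# Virtual patch: block a parameter on an endpoint that is (hypothetically) known
# to mishandle it, until the application fix ships. Path and parameter name are
# constructed placeholders for this example.
VIRTUAL_PATCHES = {"/legacy/export": {"template"}}


def decode(value: str) -> str:
    # Decode twice so single- and double-URL-encoded payloads are normalized
    # before signature matching.
    return unquote_plus(unquote_plus(value))


def inspect(method: str, target: str, headers: Dict[str, str]) -> Verdict:
    """Return a Verdict for one request line plus headers; first matching rule wins."""
    if method.upper() not in ALLOWED_METHODS:
        return Verdict("block", "method-not-allowed")

    parts = urlsplit(target)
    path = decode(parts.path)
    params = parse_qsl(parts.query, keep_blank_values=True)  # values already decoded once

    # Virtual-patch rules are checked before generic signatures.
    for patched_path, blocked_params in VIRTUAL_PATCHES.items():
        if path == patched_path and any(name in blocked_params for name, _ in params):
            return Verdict("block", "virtual-patch:" + patched_path)

    fields = [path]
    fields += [decode(value) for _, value in params]
    fields += [decode(value) for value in headers.values()]
    for rule_name, pattern in SIGNATURES.items():
        for field in fields:
            if pattern.search(field):
                return Verdict("block", rule_name)
    return Verdict("allow", None)


if __name__ == "__main__":
    # Constructed sample requests for demonstration.
    samples = [
        ("GET", "/search?q=shoes", {"User-Agent": "Mozilla/5.0"}),
        ("GET", "/search?q=%27%20OR%201%3D1", {"User-Agent": "Mozilla/5.0"}),
        ("GET", "/comment?text=%3Cscript%3Ealert(1)%3C/script%3E", {}),
        ("GET", "/files?name=..%2F..%2Fconfig.ini", {}),
        ("GET", "/legacy/export?template=report", {}),
        ("TRACE", "/", {}),
    ]
    for method, target, headers in samples:
        verdict = inspect(method, target, headers)
        print(f"{method} {target} -> {verdict.action} ({verdict.rule})")
```

The point the exam cares about is the layer: the inspector works on decoded HTTP fields (path, query parameters, headers), which is exactly what a packet-filtering or stateful firewall never sees. The virtual-patch rule is the compensating control the section describes; it buys time but does not fix the underlying code.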
IDS vs IPS
| Feature | IDS | IPS |
|---|---|---|
| Traffic path | Usually out of band | Inline |
| Main action | Alert | Block, drop, reset, or alert |
| Failure concern | Missed detection | Blocking legitimate traffic |
| Best clue | "Detect without disrupting traffic" | "Prevent malicious traffic in real time" |
If a question says the business cannot risk accidental blocking, IDS is often safer. If the requirement is to stop known malicious traffic inline, IPS is stronger.
Proxy Scenarios
Forward proxy:
- Users connect to the proxy.
- Proxy fetches internet resources for users.
- Enforces URL filtering, malware scanning, authentication, and logging.
Reverse proxy:
- External clients connect to the proxy.
- Proxy forwards to internal web services.
- Can provide TLS termination, load balancing, authentication, caching, and hiding server details.
PBQ-Style Rule Fix
Current rules:
| Order | Source | Destination | Service | Action |
|---|---|---|---|---|
| 1 | Any | Any | Any | Allow |
| 2 | Internet | Database | Any | Deny |
| 3 | Internet | Web | TCP 443 | Allow |
Problem: Rule 1 allows everything before later rules are checked.
Fix:
- Remove or move the broad allow rule.
- Add specific allow rules for required flows.
- Add explicit denies for prohibited high-risk flows if needed.
- Keep a final default deny and log rule.
Exam rule: specific allow rules should be above broad deny rules when needed, and broad allow rules should not defeat the policy.
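The rule-ordering trap in the Firewall Rule Anatomy table and the PBQ-Style Rule Fix above can be checked mechanically with a small first-match evaluator. The following is an added example, not code from the original page or from any firewall vendor: it models the two rulesets from this section as ordered lists, evaluates a packet against them the way a first-match engine does, and flags rules that are shadowed (can never match because an earlier, broader rule already covers everything they would match). The `Rule` and `Packet` types, the zone labels and the `FIXED_RULES` list are assumptions of this example.

```python
"""First-match firewall ruleset evaluator (added example, not from the page).

Rules are evaluated from the lowest order number upward; the first rule whose
source, destination and service all match decides the action. Anything that
falls through every rule hits an implicit deny.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    order: int
    src: str        # zone or host label, or "Any"
    dst: str
    service: str    # e.g. "TCP 443", "TCP 5432", or "Any"
    action: str     # "Allow" or "Deny"
    log: bool = True


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


def _covers(field: str, value: str) -> bool:
    # A rule field matches a value if it is the wildcard or exactly equal.
    return field == ANY or field == value


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_covers(rule.src, pkt.src)
            and _covers(rule.dst, pkt.dst)
            and _covers(rule.service, pkt.service))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, order of the rule that matched); (Deny, None) on implicit deny."""
    for rule in sorted(rules, key=lambda r: r.order):
        if matches(rule, pkt):
            return rule.action, rule.order
    return "Deny", None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Order numbers of rules that can never fire because an earlier rule covers
    every packet they would match (each earlier field is Any or equal)."""
    ordered = sorted(rules, key=lambda r: r.order)
    shadowed = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (_covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and _covers(earlier.service, later.service)):
                shadowed.append(later.order)
                break
    return shadowed


# Ruleset from the "Firewall Rule Anatomy" table.
GOOD_RULES = [
    Rule(10, "Internet", "Reverse proxy", "TCP 443", "Allow"),
    Rule(20, "Reverse proxy", "Web app", "TCP 443", "Allow"),
    Rule(30, "Web app", "Database", "TCP 5432", "Allow"),
    Rule(40, "Internet", "Database", ANY, "Deny"),
    Rule(99, ANY, ANY, ANY, "Deny"),
]

# Broken ruleset from the "PBQ-Style Rule Fix" section.
BROKEN_RULES = [
    Rule(1, ANY, ANY, ANY, "Allow"),
    Rule(2, "Internet", "Database", ANY, "Deny"),
    Rule(3, "Internet", "Web", "TCP 443", "Allow"),
]

# One fix following the section's steps (assumed ordering for this example):
# broad allow removed, specific allow kept, explicit deny kept, final default deny added.
FIXED_RULES = [
    Rule(1, "Internet", "Web", "TCP 443", "Allow"),
    Rule(2, "Internet", "Database", ANY, "Deny"),
    Rule(99, ANY, ANY, ANY, "Deny"),
]


if __name__ == "__main__":
    probe = Packet("Internet", "Database", "TCP 5432")   # constructed test packet
    for name, rules in (("good", GOOD_RULES), ("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(name, evaluate(rules, probe), "shadowed:", shadowed_rules(rules))
```

Running the evaluator on the broken ruleset shows rules 2 and 3 as shadowed by rule 1, and the Internet-to-database probe is allowed by rule 1, which is exactly the problem the PBQ describes. Against the good and fixed rulesets the same probe is denied by the explicit deny rule, and nothing is shadowed.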
A company wants to detect suspicious traffic but cannot risk the control blocking legitimate production packets. Which deployment best fits?
A web application is receiving SQL injection and cross-site scripting attempts. Which control is most directly designed to inspect and block these HTTP-layer attacks?
Which firewall rule qualities are important in a secure design? Choose three.