Firewalls, IDS, IPS, Security Zones, and Screened Subnets
Key Takeaways
- Stateful firewalls track connection state, while stateless filters evaluate packets against rules without session awareness.
- NGFW platforms add application awareness, identity-aware policy, content inspection, and threat intelligence features.
- IDS detects and alerts; IPS can block, reset, or drop traffic inline.
- Proxy servers and load balancers improve control, visibility, availability, and traffic steering when placed correctly.
- Security zones and screened subnets separate public, internal, management, and partner traffic by trust level.
Security Devices and Zone Design
Domain 4, Network Security, is 14% of the N10-009 exam (down from 19% on N10-008). With a maximum of 90 questions in 90 minutes and a passing score of 720 on a 100–900 scale, expect roughly 12–13 scored security items. Network+ rewards placement reasoning: a firewall rule, IDS sensor, IPS device, proxy, or load balancer is useful only when it sees the right traffic and enforces the right policy. The exam describes a business need, a traffic path, or a symptom, then asks which device or design best fits.
Firewall Types
A firewall filters traffic between zones. The exam contrasts how each type makes its decision.
| Firewall type | How it decides | Common use | Limitation |
|---|---|---|---|
| Stateless firewall | Evaluates each packet against rules (source, destination, port, protocol) | Router ACLs, high-speed edge filtering | No awareness of established sessions |
| Stateful firewall | Tracks sessions in a state table | Perimeter, internal segmentation, data center zones | Needs state capacity and symmetric-routing design |
| Next-generation firewall (NGFW) | Adds application awareness, user identity, URL filtering, malware inspection, threat intel | User Internet edge, data center, cloud perimeter | More complex policy, higher resource cost |
| Host-based firewall | Runs on an endpoint or server | Protects a host even off-network | Must be managed consistently |
A stateless ACL can drop obviously unwanted inbound traffic before it reaches a stateful firewall, but it cannot automatically permit return traffic for an established session — you must add explicit rules. Stateful firewalls are preferred between zones because they allow return traffic for sessions they already permitted without opening broad inbound access.
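To make the return-traffic difference concrete, here is an added example (not from the page or from any vendor's firewall) that runs one TCP session through both filter types using the same single outbound rule. The addresses, ports, the "return from source port 443" workaround rule and the crafted packet are all constructed for the demonstration; the stateful engine is a deliberately minimal model that creates state only on a permitted SYN and does not model timeouts or FIN/RST teardown.

```python
"""Stateless ACL versus stateful firewall, traced over one TCP session."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""        # TCP flags as letters: "S" SYN, "SA" SYN/ACK, "A" ACK, "PA" data
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src_net: str           # CIDR; "0.0.0.0/0" means any
    dst_net: str
    action: str            # "permit" or "deny"
    sport: Optional[int] = None   # None matches any port
    dport: Optional[int] = None
    proto: str = "tcp"

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


class StatelessFilter:
    """Router-style ACL: each packet is judged alone, first match wins, implicit deny."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"


class StatefulFirewall:
    """Same rule list plus a state table of permitted sessions. Minimal model:
    state is created only by a permitted SYN; timeouts and teardown are not modelled."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()

    def decide(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.state or rev in self.state:
            return "permit"            # continuing or return traffic of a tracked session
        if p.proto == "tcp" and p.flags != "S":
            return "deny"              # out-of-state segment: no session, rules not consulted
        for r in self.rules:
            if r.matches(p):
                if r.action == "permit":
                    self.state.add(fwd)    # a permitted SYN opens a session entry
                return r.action
        return "deny"


# Constructed sample session: internal client to an external HTTPS server.
CLIENT, SERVER = "10.0.10.25", "203.0.113.10"
SESSION = [
    Packet(CLIENT, 51234, SERVER, 443, "S"),    # client SYN, outbound
    Packet(SERVER, 443, CLIENT, 51234, "SA"),   # server SYN/ACK, return
    Packet(CLIENT, 51234, SERVER, 443, "A"),    # client ACK, outbound
    Packet(SERVER, 443, CLIENT, 51234, "PA"),   # server data, return
]
OUTBOUND_HTTPS = Rule("10.0.10.0/24", "0.0.0.0/0", "permit", dport=443)
# The stateless workaround for return traffic: trust anything with source port 443.
RETURN_FROM_443 = Rule("0.0.0.0/0", "10.0.10.0/24", "permit", sport=443)
# Crafted packet: an outside host binds source port 443 and aims at RDP on the client.
CRAFTED = Packet("203.0.113.99", 443, CLIENT, 3389, "S")


def trace(fw, packets):
    return [fw.decide(p) for p in packets]


def compare() -> dict:
    """Run the same session through each design and return every verdict."""
    return {
        "stateless_one_rule": trace(StatelessFilter([OUTBOUND_HTTPS]), SESSION),
        "stateless_with_return_rule": trace(StatelessFilter([OUTBOUND_HTTPS, RETURN_FROM_443]), SESSION),
        "stateful_one_rule": trace(StatefulFirewall([OUTBOUND_HTTPS]), SESSION),
        "crafted_vs_stateless": StatelessFilter([OUTBOUND_HTTPS, RETURN_FROM_443]).decide(CRAFTED),
        "crafted_vs_stateful": StatefulFirewall([OUTBOUND_HTTPS]).decide(CRAFTED),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:28} {verdict}")
```

The stateless filter with one rule drops the SYN/ACK and the server's data, which is the symptom the page describes. Adding the explicit return rule makes the session work, but the crafted packet shows the cost: any outside host that sources from port 443 is now permitted to any inside port. The stateful firewall handles the same session with the single outbound rule and still denies the crafted SYN, because it consults the rules only for new sessions and the crafted packet matches none.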
Proxy, IDS, IPS, and Load Balancer Roles
| Control | Traffic position | Primary function |
|---|---|---|
| Forward proxy | Between clients and external services | Controls and logs outbound user access |
| Reverse proxy | In front of internal web applications | Publishes apps, hides internal server details |
| Intrusion detection system (IDS) | Out of band, passive tap/SPAN | Detects suspicious traffic and alerts |
| Intrusion prevention system (IPS) | Inline | Detects and blocks, resets, or drops traffic |
| Load balancer | In front of a service pool | Distributes client traffic, supports availability |
An IDS is the lower-risk deployment because it sits out of band: a sensor failure or a false positive cannot interrupt traffic, but it also cannot directly block anything, and an alert is not prevention. An IPS is inline and can block, but poor tuning interrupts legitimate service. A load balancer is not a firewall; however, it can terminate TLS, run health checks, support session persistence, and steer traffic only to healthy nodes.
Security Zones
A security zone groups systems by trust level and policy. A typical design uses an untrusted Internet zone, a screened subnet, an internal user zone, a server zone, a management zone, and sometimes partner or guest zones.
| Zone | Typical contents | Policy idea |
|---|---|---|
| Untrusted | Internet or external networks | Never trusted by default |
| Screened subnet | Public web, VPN, reverse proxy, mail relay, DNS | Limited inbound from Internet, limited outbound to internal |
| Internal user | Managed laptops and desktops | Permit business services, restrict server admin |
| Server | App, database, directory, file services | Permit required flows, deny unneeded user access |
| Management | Admin workstations, jump hosts, monitoring, backup | Highly restricted access to management interfaces |
| Guest | Visitor devices | Internet only, no internal access |
A screened subnet (historically a DMZ) prevents public-facing systems from sitting directly on the internal LAN. If a public web server is compromised, the attacker should still face firewall policy before reaching database, directory, management, or user systems.
Placement Examples
| Requirement | Good placement |
|---|---|
| Block malicious inbound before it reaches web servers | IPS or NGFW inline before screened-subnet services |
| Alert on east-west traffic without risking outage | IDS sensor on a tap or SPAN port near server traffic |
| Control employee web browsing | Forward proxy or NGFW egress policy at the edge |
| Publish an internal web app to the Internet | Reverse proxy or load balancer in the screened subnet |
| Restrict administration of routers and switches | Management zone with firewall rules, named admin access |
Common Traps
- A firewall rule that allows any-to-any is not segmentation.
- A stateless ACL may block return traffic unless explicit rules are added.
- An IDS alert is detection, not prevention.
- An IPS must be tuned to avoid blocking legitimate business traffic.
- A screened subnet should have limited paths into internal systems, not unrestricted access.
- A load balancer improves distribution and availability, but it does not replace zone policy.
Worked Scenario
A help-desk ticket reports that a newly published web app loads its landing page for external users, but any login or search returns a backend error. The web server sits in the screened subnet. The NGFW permits inbound TCP 443 from the Internet to the reverse proxy, and the reverse proxy forwards to the web server on TCP 8443. The web server, in turn, needs to reach a database in the server zone on TCP 1433. Tracing the path boundary by boundary: the landing page renders, so the Internet-to-screened-subnet rule (443) and the proxy-to-web-server hop (8443) both work. The only remaining boundary is screened subnet to server zone, and the firewall log confirms it: TCP 1433 from the web server to the database is being dropped.
Adding a tightly scoped permit from the web server's IP to the database IP on TCP 1433 (and nothing else) fixes the app while preserving zone isolation. This is the recurring Network+ pattern: identify which zone boundary the symptom crosses, then write the narrowest rule that satisfies the business need. Resist the tempting wrong answer of permitting the entire screened subnet to the entire server zone — that collapses the segmentation the screened subnet exists to provide.
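The boundary-by-boundary trace and the narrow-versus-broad fix from the scenario, as an added example that is not part of the original page. The address plan, host names, the directory server and the extra screened-subnet host are all constructed so the policy can be exercised offline; rules are matched first-hit on a host address, a zone name, or "any", and traffic that stays inside one zone is treated as never reaching the firewall.

```python
"""Zone-boundary trace for the screened-subnet scenario."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed address plan (not from the page). Anything outside these zones is untrusted.
ZONES = {
    "screened": ipaddress.ip_network("192.0.2.0/24"),
    "server": ipaddress.ip_network("10.0.20.0/24"),
}
PROXY, WEB, OTHER_DMZ_HOST = "192.0.2.10", "192.0.2.20", "192.0.2.30"
DB, DIRECTORY = "10.0.20.50", "10.0.20.60"
EXTERNAL_CLIENT = "198.51.100.7"


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "untrusted")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int            # TCP only in this model


@dataclass(frozen=True)
class Rule:
    src: str              # a host address, a zone name, or "any"
    dst: str
    dport: Optional[int]  # None = any TCP port
    action: str


def _covers(obj: str, ip: str) -> bool:
    return obj == "any" or obj == ip or obj == zone_of(ip)


def decide(policy, flow: Flow) -> str:
    """First match wins with implicit deny; same-zone traffic never crosses the firewall."""
    if zone_of(flow.src) == zone_of(flow.dst):
        return "permit (intra-zone, not inspected)"
    for r in policy:
        if _covers(r.src, flow.src) and _covers(r.dst, flow.dst) and r.dport in (None, flow.dport):
            return r.action
    return "deny"


# The application's path, one hop per zone boundary it touches.
APP_PATH = [
    Flow(EXTERNAL_CLIENT, PROXY, 443),   # untrusted -> screened
    Flow(PROXY, WEB, 8443),              # inside the screened subnet
    Flow(WEB, DB, 1433),                 # screened -> server zone
]
# Flows nobody asked for; a correct fix leaves every one of them denied.
COLLATERAL = [
    Flow(WEB, DIRECTORY, 389),
    Flow(WEB, DB, 3389),
    Flow(OTHER_DMZ_HOST, DB, 1433),
    Flow(OTHER_DMZ_HOST, DIRECTORY, 389),
]

BASELINE = [Rule("untrusted", PROXY, 443, "permit")]
NARROW_FIX = BASELINE + [Rule(WEB, DB, 1433, "permit")]              # host-to-host, one port
BROAD_FIX = BASELINE + [Rule("screened", "server", None, "permit")]  # the tempting wrong answer


def first_failing_hop(policy) -> Optional[str]:
    """Walk the path in order and name the first boundary that drops the flow."""
    for f in APP_PATH:
        if not decide(policy, f).startswith("permit"):
            return f"{zone_of(f.src)} -> {zone_of(f.dst)} tcp/{f.dport} from {f.src} to {f.dst}"
    return None


def collateral_permitted(policy) -> list:
    """Flows outside the business need that the policy would let through."""
    return [f"{f.src} -> {f.dst} tcp/{f.dport}" for f in COLLATERAL
            if decide(policy, f).startswith("permit")]


if __name__ == "__main__":
    print("baseline fails at:", first_failing_hop(BASELINE))
    for label, policy in (("narrow", NARROW_FIX), ("broad", BROAD_FIX)):
        print(label, "app works:", first_failing_hop(policy) is None,
              "collateral:", collateral_permitted(policy))
```

Both fixes make the application path pass, which is why the broad rule is tempting. The collateral list is the check that separates them: the narrow rule leaves LDAP on the directory server and RDP on the database unreachable from the screened subnet, while the zone-to-zone permit exposes every server-zone service to every screened-subnet host, including ones that were never part of the ticket.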
Practice Questions
- A company wants to publish a public web application while limiting direct exposure of the internal application servers. Which placement best fits?
- Which device can detect suspicious traffic but normally cannot block it because it is deployed out of band?
- Match each control to the most accurate description.