Firewalls, IDS, IPS, Security Zones, and Screened Subnets
Key Takeaways
- Stateful firewalls track connection state, while stateless filters evaluate packets against rules without session awareness.
- NGFW platforms add application awareness, identity-aware policy, content inspection, and threat intelligence features.
- IDS detects and alerts; IPS can block, reset, or drop traffic inline.
- Proxy servers and load balancers can improve control, visibility, availability, and traffic steering when placed correctly.
- Security zones and screened subnets separate public, internal, management, and partner traffic by trust level.
Security Devices and Zone Design
Network+ expects security controls to be placed for a reason. A firewall rule, IDS sensor, IPS device, proxy, or load balancer is useful only when it sees the right traffic and enforces the right policy. The exam often describes a business need, a traffic path, or a symptom, then asks which device or design best fits.
Firewall Types
| Firewall type | How it decides | Common use | Limitation |
|---|---|---|---|
| Stateless firewall | Evaluates each packet against rules such as source, destination, port, and protocol | Simple router ACLs, high-speed edge filtering | Does not understand whether traffic belongs to an established session |
| Stateful firewall | Tracks sessions and connection state | Perimeter, internal segmentation, data center zones | Needs state table capacity and a routing design in which both directions of a session pass through the same firewall (asymmetric paths break state tracking) |
| NGFW | Adds application awareness, user identity, URL filtering, malware inspection, and threat intelligence | User Internet edge, data center, cloud perimeter | More complex policy and higher resource cost |
| Host-based firewall | Enforces rules on the endpoint or server itself, for traffic to and from that host | Protects a host even when it moves networks | Must be managed consistently across devices |
Stateless filtering is still useful. For example, a router ACL can drop obviously unwanted inbound traffic before it reaches a stateful firewall. Stateful firewalls are usually better for policy between zones because they can allow return traffic for established sessions without opening broad inbound access.
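The difference in the paragraph above, as an added simulation that is not part of the study guide: a stateless filter judges each packet alone, so the server's reply to an allowed outbound HTTPS session is dropped unless a broad inbound rule is added, which also lets unsolicited traffic through; the stateful firewall remembers the session instead. Addresses, ports and the "10." prefix shorthand are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool   # True for the first packet of a new TCP session

# A rule is (src prefix, dst prefix, dst port or None for any). Constructed
# policy: internal clients (prefix "10.") may open HTTPS to anywhere.
ALLOW_HTTPS_OUT = [("10.", "", 443)]
# The only way a stateless filter can pass replies is a broad inbound rule.
ALLOW_HTTPS_OUT_PLUS_RETURN = ALLOW_HTTPS_OUT + [("", "10.", None)]

def matches(rule, pkt):
    src, dst, dport = rule
    return (pkt.src.startswith(src) and pkt.dst.startswith(dst)
            and (dport is None or pkt.dport == dport))

def stateless_filter(rules, pkt):
    """Judges each packet by its own header; no memory of earlier packets."""
    return any(matches(r, pkt) for r in rules)

class StatefulFirewall:
    """Remembers sessions it permitted and allows their return traffic."""
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()  # (src, sport, dst, dport) of allowed sessions

    def filter(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.sessions or rev in self.sessions:
            return True                      # part of an established session
        if pkt.syn and any(matches(r, pkt) for r in self.rules):
            self.sessions.add(fwd)           # new session permitted by policy
            return True
        return False                         # unsolicited or not permitted

# Constructed traffic: one client session plus an unsolicited inbound probe.
CLIENT_SYN = Packet("10.1.1.5", 51000, "203.0.113.10", 443, True)
SERVER_REPLY = Packet("203.0.113.10", 443, "10.1.1.5", 51000, False)
UNSOLICITED = Packet("198.51.100.7", 4444, "10.1.1.5", 51000, True)

def run_stateless(rules):
    return [stateless_filter(rules, p) for p in (CLIENT_SYN, SERVER_REPLY, UNSOLICITED)]

def run_stateful(rules):
    fw = StatefulFirewall(rules)
    return [fw.filter(p) for p in (CLIENT_SYN, SERVER_REPLY, UNSOLICITED)]
```

With the narrow policy the stateless filter drops the reply, with the broad return rule it also admits the unsolicited probe, and only the stateful firewall passes the reply while still dropping the probe.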
Proxy, IDS, IPS, and Load Balancer Roles
| Control | Traffic position | Primary function |
|---|---|---|
| Forward proxy | Between clients and external services | Controls and logs outbound user access |
| Reverse proxy | In front of internal web applications | Publishes applications and hides internal server details |
| IDS | Out of band, on a passive tap or SPAN port | Detects suspicious traffic and alerts |
| IPS | Inline | Detects and blocks or resets suspicious traffic |
| Load balancer | In front of service pool | Distributes client traffic and supports availability |
An IDS can be safer to deploy because it does not sit inline, but it cannot directly block traffic. An IPS can block traffic, but poor tuning can interrupt legitimate service. A load balancer is not automatically a firewall, but it can terminate TLS, perform health checks, support persistence, and send traffic only to healthy application nodes.
Security Zones
Security zones group systems by trust level and policy. A common design uses an untrusted Internet zone, a screened subnet for public services, an internal user zone, a server zone, a management zone, and sometimes partner or guest zones.
| Zone | Typical contents | Policy idea |
|---|---|---|
| Untrusted | Internet or external networks | Never trusted by default |
| Screened subnet | Public web, VPN, reverse proxy, mail relay, DNS services | Permit limited inbound flows from Internet and limited outbound flows to internal services |
| Internal user | Managed laptops and desktops | Permit business services, restrict direct server administration |
| Server | Application, database, directory, file services | Permit required app flows, deny unnecessary user access |
| Management | Admin workstations, jump hosts, monitoring, backup | Highly restricted access to management interfaces |
| Guest | Visitor devices | Internet access only, no internal access |
A screened subnet, sometimes called a DMZ, reduces exposure by preventing public-facing systems from sitting directly on the internal LAN. If a public web server is compromised, the attacker should still face firewall policy before reaching database, directory, management, or user systems.
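The zone table and the screened subnet paragraph above, as an added example that is not part of the study guide: addresses are classified into zones, flows are checked against a default-deny zone-to-zone allow list, and `reachable_from` measures what a public web server in the screened subnet could still reach if it were compromised. The address ranges, ports and allowed flows are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing; a real design assigns its own ranges per zone.
ZONES = {
    "screened": ip_network("192.0.2.0/24"),
    "internal_user": ip_network("10.10.0.0/16"),
    "server": ip_network("10.20.0.0/16"),
    "management": ip_network("10.99.0.0/24"),
    "guest": ip_network("172.16.0.0/16"),
}

def zone_of(addr):
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "untrusted"   # anything outside a known zone is the Internet

# Allowed flows as (src zone, dst zone, dst port). Everything else is denied,
# so there is no "any to any" rule and the screened subnet has limited paths.
ALLOWED_FLOWS = {
    ("untrusted", "screened", 443),       # public web / reverse proxy
    ("screened", "server", 5432),         # web tier to its database only
    ("internal_user", "screened", 443),   # users reach published apps
    ("internal_user", "server", 445),     # file services
    ("management", "server", 22),         # admin only from the management zone
    ("management", "screened", 22),
    ("guest", "untrusted", 443),          # guests get Internet only
    ("guest", "untrusted", 80),
}

def permitted(src, dst, dport):
    return (zone_of(src), zone_of(dst), dport) in ALLOWED_FLOWS

def reachable_from(src, candidates):
    """Destinations a host can still reach: its blast radius if compromised."""
    return sorted(f"{d}:{p}" for d, p in candidates if permitted(src, d, p))

# Constructed internal destinations used to measure the web server's reach.
CANDIDATES = [("10.20.0.10", 5432), ("10.20.0.10", 22), ("10.99.0.5", 22),
              ("10.10.4.20", 445), ("10.20.0.11", 389)]
```

For the public web server at 192.0.2.10 the only reachable candidate is the database port, which is the limited path the screened subnet design intends; the management jump host and user subnet stay behind policy.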
Placement Examples
| Requirement | Good placement |
|---|---|
| Block malicious inbound traffic before it reaches web servers | IPS or NGFW inline before screened subnet services |
| Alert on suspicious east-west traffic without risking outage | IDS sensor on a tap or SPAN port near internal server traffic |
| Control employee web browsing | Forward proxy or NGFW egress policy at the Internet edge |
| Publish internal web app to the Internet | Reverse proxy or load balancer in the screened subnet |
| Restrict administration of routers and switches | Management zone with firewall rules and named admin access |
Common Traps
- A firewall rule that allows any source to any destination is not meaningful segmentation.
- A stateless ACL may block return traffic unless explicit rules are included.
- An IDS alert is not the same as prevention.
- An IPS must be tuned to avoid blocking legitimate business traffic.
- A screened subnet should have limited paths to internal systems, not unrestricted access.
- A load balancer improves service distribution, but it does not replace zone policy.
A company wants to publish a public web application while limiting direct exposure of the internal application servers. Which placement best fits?
Which device can detect suspicious traffic but normally cannot block it because it is deployed out of band?
Match each control to the most accurate description.