Firewalls, WAF, IDS, IPS, and Proxies

Key Takeaways

Firewalls enforce traffic policy based on criteria such as address, port, protocol, state, application, user, or content.
A WAF protects web applications by inspecting HTTP and HTTPS application-layer traffic for web attack patterns.
IDS detects and alerts; IPS can block or modify traffic inline.
Forward proxies protect users going out; reverse proxies protect services being accessed from outside.
Rule order, default deny behavior, logging, and exact source/destination scope are common exam traps.

Last updated: April 2026

Network security devices are often tested by placement and function. Read whether the scenario needs to allow, block, inspect, alert, proxy, or protect a web application.

Control Comparison

Control	Main purpose	Typical placement
Packet-filtering firewall	Filter by IP, port, protocol	Network boundary or router ACL
Stateful firewall	Track connection state	Network perimeter or segmentation boundary
Next-generation firewall	Add app/user/content awareness	Edge or internal segmentation point
WAF	Inspect web requests and responses	In front of web applications
IDS	Detect and alert on suspicious activity	Sensor span port, tap, or host
IPS	Detect and block inline	Inline network path
Forward proxy	Control user web access	Between users and internet
Reverse proxy	Front-end and protect servers	Between clients and internal web services

Firewall Rule Anatomy

A firewall or ACL rule should identify:

Direction or interface.
Source.
Destination.
Service or port.
Action.
Logging.
Rule order.

Example for a public website with an internal database:

Order	Source	Destination	Service	Action
10	Internet	Reverse proxy	TCP 443	Allow/log
20	Reverse proxy	Web app	TCP 443	Allow/log
30	Web app	Database	TCP 5432	Allow/log
40	Internet	Database	Any	Deny/log
99	Any	Any	Any	Deny/log

Common trap: an allow-any rule placed above a deny rule makes the deny rule ineffective. Firewalls typically process rules in order until a match is found.

WAF Use Cases

A WAF is the better answer when the scenario mentions:

SQL injection attempts in web requests.
Cross-site scripting payloads.
Malicious HTTP headers.
Path traversal attempts.
Bot or rate-limit behavior against web endpoints.
Virtual patching for a known web vulnerability while code is fixed.

A WAF is not a replacement for secure coding, parameterized queries, patching, or authentication. It is a compensating and detective/preventive layer for web traffic.

IDS vs IPS

Feature	IDS	IPS
Traffic path	Usually out of band	Inline
Main action	Alert	Block, drop, reset, or alert
Failure concern	Missed detection	Blocking legitimate traffic
Best clue	"Detect without disrupting traffic"	"Prevent malicious traffic in real time"

If a question says the business cannot risk accidental blocking, IDS is often safer. If the requirement is to stop known malicious traffic inline, IPS is stronger.

Proxy Scenarios

Forward proxy:

Users connect to the proxy.
Proxy fetches internet resources for users.
Enforces URL filtering, malware scanning, authentication, and logging.

Reverse proxy:

External clients connect to the proxy.
Proxy forwards to internal web services.
Can provide TLS termination, load balancing, authentication, caching, and hiding server details.

PBQ-Style Rule Fix

Current rules:

Order	Source	Destination	Service	Action
1	Any	Any	Any	Allow
2	Internet	Database	Any	Deny
3	Internet	Web	TCP 443	Allow

Problem: Rule 1 allows everything before later rules are checked.

Fix:

Remove or move the broad allow rule.
Add specific allow rules for required flows.
Add explicit denies for prohibited high-risk flows if needed.
Keep a final default deny and log rule.

Exam rule: specific allow rules should be above broad deny rules when needed, and broad allow rules should not defeat the policy.

Test Your Knowledge

A company wants to detect suspicious traffic but cannot risk the control blocking legitimate production packets. Which deployment best fits?

IDS connected to a tap or span port

Inline IPS in blocking mode only

Public storage bucket

Unmanaged hub in the DMZ

Test Your Knowledge

A web application is receiving SQL injection and cross-site scripting attempts. Which control is most directly designed to inspect and block these HTTP-layer attacks?

WAF

NTP server

NAC switch port

Disk encryption

Test Your KnowledgeMulti-Select

Which firewall rule qualities are important in a secure design? Choose three.

Select all that apply

Specific source and destination

Required service or port only

Logging for important allow or deny events

An allow-any rule at the top

No final deny rule

Up Next

VPN, Remote Access, and NAC

Continue learning

CompTIA Security+

1Introduction & Exam Overview

2Domain 1: General Security Concepts (12%)

3Domain 1: Identity, Trust, and Cryptography Basics

4Domain 2: Threat Actors, Vectors, and Social Engineering

5Domain 2: Threats, Vulnerabilities, and Mitigations - Attacks

6Domain 2: Threats, Vulnerabilities, and Mitigations - Vulnerabilities

7Domain 3: Security Architecture - Secure Architecture Models

8Domain 3: Security Architecture - Network Security Architecture

9Domain 3 Part C: Data Protection and Resilience

10Domain 4 Part A: Secure Operations for Hosts, Cloud, Mobile, and IoT

11IAM Operations and Access Control

12Logging, Monitoring, and Detection

13Incident Response

14Digital Forensics and Investigation

15Vulnerability, Patch, Asset, and Automation Operations

16Governance, Policies, and Risk Management

17Third-Party Risk, Compliance, and Privacy

18Audits, Penetration Testing, and Awareness

19Final Review and PBQ Labs