Firewalls, WAF, IDS, IPS, and Proxies
Key Takeaways
- Firewalls enforce policy by address, port, protocol, connection state, application, user, or content depending on type.
- A Web Application Firewall (WAF) inspects Layer 7 HTTP/HTTPS for injection, scripting, and traversal attacks; it does not replace secure coding.
- An Intrusion Detection System (IDS) sits out of band and alerts; an Intrusion Prevention System (IPS) sits inline and can drop or reset traffic.
- A forward proxy controls outbound users; a reverse proxy fronts and protects internal servers with TLS termination and load balancing.
- Rule order, the implicit default deny, scoped source/destination, and logging are the most common SY0-701 firewall traps.
Reading the Scenario
SY0-701 tests network security devices by placement and function. Decide whether the scenario needs to allow, block, inspect, alert, proxy, or specifically protect a web application, then pick the device whose job matches that verb.
Control Comparison
| Control | Layer / focus | Main purpose | Typical placement |
|---|---|---|---|
| Packet-filtering firewall | L3/L4, stateless | Filter by IP, port, protocol | Router ACL or boundary |
| Stateful firewall | L4, tracks sessions | Track connection state, allow return traffic | Perimeter or segmentation point |
| Next-generation firewall (NGFW) | L7, app/user aware | Add application, user, and content inspection | Edge or internal segmentation |
| WAF | L7 HTTP/HTTPS | Inspect web requests/responses | Directly in front of web apps |
| IDS | Detection | Detect and alert | Tap or SPAN port (out of band) |
| IPS | Prevention | Detect and block inline | Inline in the traffic path |
| Forward proxy | Egress | Control user web access | Between users and internet |
| Reverse proxy | Ingress | Front and protect servers | Between clients and internal web |
Firewall Rule Anatomy
Every rule should specify direction/interface, source, destination, service/port, action, logging, and order. Firewalls evaluate top-down and stop at the first match, so order is policy.
| Order | Source | Destination | Service | Action |
|---|---|---|---|---|
| 10 | Internet | Reverse proxy | TCP 443 | Allow/log |
| 20 | Reverse proxy | Web app | TCP 443 | Allow/log |
| 30 | Web app | Database | TCP 5432 | Allow/log |
| 40 | Internet | Database | Any | Deny/log |
| 99 | Any | Any | Any | Deny/log |
Trap: an allow any/any placed above a deny makes the deny dead code. Specific allows go near the top; the broad logged deny anchors the bottom.
WAF Use Cases
Choose a WAF when the scenario mentions web-layer attacks:
- SQL injection (`' OR 1=1 --`) in form or query parameters
- Cross-site scripting (`<script>` payloads)
- Path or directory traversal (`../../etc/passwd`)
- Malicious or oversized HTTP headers
- Bot abuse or rate-limit evasion against an endpoint
- Virtual patching: shielding a known vulnerability while developers fix code
A WAF is a compensating Layer 7 control, not a substitute for parameterized queries, input validation, patching, or authentication. SY0-701 distinguishes a WAF (web-specific) from a generic NGFW (broad app awareness).
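The following Python example is added here to show what "inspecting Layer 7 for the attack classes listed above" looks like in practice; it is not code from the original study notes or from any real WAF product. It models a request as a small dataclass, URL-decodes parameters once before matching (so `%27%20OR%201%3D1` is not missed), applies deliberately simple signatures for SQL injection, scripting, and traversal, checks header size against an assumed 4096-byte limit, and applies a "virtual patch" that blocks a hypothetical endpoint (`POST /legacy/report`) while developers fix the code. The crude signatures are the point: they are a compensating control, not a replacement for parameterized queries and input validation.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus


@dataclass
class HttpRequest:
    """Constructed, simplified request model (not a real WAF API)."""
    method: str
    path: str
    query: dict                                   # parameter name -> raw value
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)      # form field name -> raw value


# Simplified signatures for the web-layer attack classes in the list above.
SIGNATURES = [
    ("sqli", re.compile(r"('\s*(or|and)\s+\d+\s*=\s*\d+)|(--\s*$)|(\bunion\b.+\bselect\b)", re.I)),
    ("xss", re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.I)),
    ("traversal", re.compile(r"(\.\./)+|(\.\.\\)+")),
]
MAX_HEADER_LEN = 4096                             # assumed limit for the oversized-header check

# Hypothetical endpoint with a known bug awaiting a code fix: block it at the WAF
# (virtual patching) until the application itself is corrected.
VIRTUAL_PATCHES = {("POST", "/legacy/report")}


def inspect(req: HttpRequest) -> list:
    """Return (rule, location) findings; an empty list means the request passes."""
    findings = []
    if (req.method, req.path) in VIRTUAL_PATCHES:
        findings.append(("virtual_patch", "path"))
    # Decode once so percent-encoded payloads are inspected in their real form.
    fields = {f"query:{k}": unquote_plus(v) for k, v in req.query.items()}
    fields.update({f"body:{k}": unquote_plus(v) for k, v in req.body.items()})
    fields["path"] = unquote_plus(req.path)
    for location, value in fields.items():
        for name, pattern in SIGNATURES:
            if pattern.search(value):
                findings.append((name, location))
    for hname, hvalue in req.headers.items():
        if len(hvalue) > MAX_HEADER_LEN:
            findings.append(("oversized_header", f"header:{hname}"))
        for name, pattern in SIGNATURES:
            if pattern.search(hvalue):
                findings.append((name, f"header:{hname}"))
    return findings


def decide(req: HttpRequest) -> str:
    """Policy wrapper: block on any finding, otherwise forward to the application."""
    return "block" if inspect(req) else "forward"


if __name__ == "__main__":
    # Constructed sample requests: one clean, one carrying the SQL injection probe.
    for r in (HttpRequest("GET", "/search", {"q": "firewall rules"}),
              HttpRequest("GET", "/login", {"user": "' OR 1=1 --"})):
        print(r.method, r.path, decide(r), inspect(r))
```

Each finding names the location (query parameter, body field, path, or header), which is what a security operations team needs when triaging WAF logs; the decision function is kept separate so the same inspection could run in alert-only mode during tuning.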
IDS versus IPS
| Feature | IDS | IPS |
|---|---|---|
| Traffic path | Out of band (tap/SPAN) | Inline |
| Primary action | Alert | Drop, reset, block, or alert |
| Failure concern | Missed detection | Blocking legitimate traffic (false positive impact) |
| Detection methods | Signature, anomaly, behavior, heuristic | Same methods, but acts in real time |
| Best exam clue | "Detect without disrupting traffic" | "Prevent malicious traffic in real time" |
If the requirement is zero risk of dropping production packets, an IDS on a SPAN port is safer. If the requirement is to stop known exploits inline, an IPS is stronger. Both rely on signature (known patterns) and anomaly/behavioral (baseline deviation) detection.
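To make the IDS/IPS distinction concrete, here is an added Python simulation (not from the original notes, and not a real sensor's code). One `Sensor` class runs the same two detection methods the text names, a byte-pattern signature match and an anomaly check against a connection-rate baseline (mean plus three standard deviations, an assumed threshold), and the only difference between the two modes is what it can do on a hit: out of band, `ids` records an alert while the traffic has already passed; inline, `ips` returns `drop`. The flows and the baseline numbers are constructed sample data.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed signatures: byte patterns associated with known attack traffic.
SIGNATURES = {
    "sqli-probe": b"' OR 1=1",
    "traversal": b"../../etc/passwd",
}

# Constructed baseline: new connections per minute per source on a normal day.
BASELINE = [40, 45, 42, 38, 44, 41]


class Sensor:
    def __init__(self, mode: str, baseline_conns, k: float = 3.0):
        assert mode in ("ids", "ips")
        self.mode = mode
        self.mu = mean(baseline_conns)
        self.sigma = pstdev(baseline_conns)
        self.k = k                      # assumed: alert beyond mean + k * stdev
        self.events = []                # (src, dst, reasons) records for the SOC

    def signature_hits(self, flow: Flow) -> list:
        """Signature detection: known patterns present in the payload."""
        return [name for name, pat in SIGNATURES.items() if pat in flow.payload]

    def is_anomalous(self, conns_per_min: float) -> bool:
        """Anomaly/behavioral detection: deviation from the learned baseline."""
        return conns_per_min > self.mu + self.k * self.sigma

    def process(self, flow: Flow, src_conns_per_min: float) -> str:
        reasons = self.signature_hits(flow)
        if self.is_anomalous(src_conns_per_min):
            reasons.append("anomaly:connection-rate")
        if not reasons:
            return "forward"
        self.events.append((flow.src, flow.dst, reasons))
        # IDS (tap/SPAN) can only alert: the packet already reached its destination.
        # IPS (inline) can drop the flow before it reaches the destination.
        return "alert" if self.mode == "ids" else "drop"


if __name__ == "__main__":
    # Constructed sample traffic: a normal request and an injection probe.
    benign = Flow("10.0.0.5", "10.0.1.20", 443, b"GET /index.html HTTP/1.1")
    probe = Flow("198.51.100.7", "10.0.1.20", 80, b"GET /login?user=' OR 1=1 -- HTTP/1.1")
    for mode in ("ids", "ips"):
        s = Sensor(mode, BASELINE)
        print(mode, s.process(benign, 43), s.process(probe, 43), s.process(benign, 500))
```

The same false positive that is harmless in `ids` mode (one extra alert) becomes an outage in `ips` mode (a dropped production flow), which is the failure-concern row of the table above.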
Proxy Scenarios
Forward proxy (outbound): users connect to the proxy, which fetches internet resources and enforces URL filtering, malware scanning, authentication, and logging.
Reverse proxy (inbound): external clients hit the proxy, which forwards to internal web services and can provide TLS termination, load balancing, authentication, caching, and server-detail hiding.
Memory aid: forward protects users going out; reverse protects servers being reached.
PBQ Rule-Fix
Current rules:
| Order | Source | Destination | Service | Action |
|---|---|---|---|---|
| 1 | Any | Any | Any | Allow |
| 2 | Internet | Database | Any | Deny |
| 3 | Internet | Web | TCP 443 | Allow |
Rule 1 shadows everything below it, so the deny on rule 2 never fires. Fix: remove the broad allow, add scoped allows for required flows, add explicit denies for high-risk paths, and close with a final logged default deny. The SY0-701 maxim: specific allows above broad denies, and never let a broad allow defeat the policy.
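The first-match evaluation described in the Firewall Rule Anatomy section and the shadowing problem in this PBQ can both be checked mechanically. The Python below is an added example, not part of the original notes and not any vendor's rule engine: it evaluates a rule set top-down with an implicit default deny, and `shadowed()` reports every rule that can never fire because a single earlier rule already covers its whole source/destination/service space. Both rule tables from the page are encoded as constructed data; zone names such as "Internet" and "Reverse proxy" are treated as opaque objects, and the simple cover check does not detect a rule shadowed only by the union of several earlier rules.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    order: int
    src: str          # zone/object name, or "Any"
    dst: str
    service: str      # e.g. "TCP 443", or "Any"
    action: str       # "allow" or "deny"
    log: bool = True


def _field_matches(rule_value: str, packet_value: str) -> bool:
    return rule_value == "Any" or rule_value == packet_value


def matches(rule: Rule, src: str, dst: str, service: str) -> bool:
    return (_field_matches(rule.src, src) and _field_matches(rule.dst, dst)
            and _field_matches(rule.service, service))


def evaluate(rules, src: str, dst: str, service: str):
    """Top-down, first-match evaluation; returns (action, rule order).
    A flow that matches no rule hits the implicit default deny (order None)."""
    for rule in sorted(rules, key=lambda r: r.order):
        if matches(rule, src, dst, service):
            return rule.action, rule.order
    return "deny", None


def _covers(a: Rule, b: Rule) -> bool:
    """True if every flow matching rule b also matches rule a (a is broader or equal)."""
    return all(av == "Any" or av == bv
               for av, bv in ((a.src, b.src), (a.dst, b.dst), (a.service, b.service)))


def shadowed(rules) -> list:
    """Orders of rules that are dead code because an earlier rule covers them."""
    ordered = sorted(rules, key=lambda r: r.order)
    return [later.order for i, later in enumerate(ordered)
            if any(_covers(earlier, later) for earlier in ordered[:i])]


# The PBQ's broken rule set, as shown in the table above.
CURRENT_RULES = [
    Rule(1, "Any", "Any", "Any", "allow", log=False),
    Rule(2, "Internet", "Database", "Any", "deny", log=False),
    Rule(3, "Internet", "Web", "TCP 443", "allow", log=False),
]

# The corrected shape from the Firewall Rule Anatomy table: scoped allows,
# an explicit high-risk deny, and a final logged default deny.
FIXED_RULES = [
    Rule(10, "Internet", "Reverse proxy", "TCP 443", "allow"),
    Rule(20, "Reverse proxy", "Web app", "TCP 443", "allow"),
    Rule(30, "Web app", "Database", "TCP 5432", "allow"),
    Rule(40, "Internet", "Database", "Any", "deny"),
    Rule(99, "Any", "Any", "Any", "deny"),
]


if __name__ == "__main__":
    print("dead rules in current set:", shadowed(CURRENT_RULES))          # [2, 3]
    print("Internet -> Database (current):",
          evaluate(CURRENT_RULES, "Internet", "Database", "TCP 5432"))   # ('allow', 1)
    print("dead rules in fixed set:", shadowed(FIXED_RULES))              # []
    print("Internet -> Database (fixed):",
          evaluate(FIXED_RULES, "Internet", "Database", "TCP 5432"))     # ('deny', 40)
```

Running `shadowed()` before pushing a change is the automated form of the "specific allows above broad denies" check; a non-empty result on rules you expect to enforce is the PBQ's bug in production.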
Firewall Generations in Depth
The exam expects you to rank firewall capability by generation:
- Packet filter: examines each packet independently against source/destination IP, port, and protocol. Fast and stateless, but it cannot tell a legitimate return packet from a forged one and is easy to evade with crafted flags.
- Stateful inspection: maintains a state table of established sessions, so it permits return traffic for connections it saw initiated and drops unsolicited packets. This is the baseline for most perimeters.
- Next-generation firewall (NGFW): adds deep packet inspection, application identification (it can allow general web traffic but block a specific app), user-identity awareness from the directory, integrated IPS, and TLS inspection.
- Unified Threat Management (UTM): bundles firewall, IPS, antivirus, content filtering, and VPN into one appliance, convenient for smaller sites but a single point of failure.
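The packet-filter versus stateful-inspection difference above is easiest to see by feeding both the same three packets. The Python below is an added simulation (not from the original notes, not any firewall's code): the stateless filter permits outbound HTTPS and, in the classic stateless approximation of "return traffic", anything inbound with the ACK bit set; the stateful filter records sessions it saw initiated from inside and admits inbound packets only when they belong to one. The addresses, ports and the 10.0.0.0/8 internal range are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # assumed internal address space


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: frozenset                               # TCP flags, e.g. {"SYN", "ACK"}


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def stateless_filter(pkt: Packet) -> str:
    """Per-packet ACL with no memory of earlier packets."""
    # Outbound: internal hosts may open HTTPS to anywhere.
    if (is_internal(pkt.src) and not is_internal(pkt.dst)
            and pkt.proto == "tcp" and pkt.dport == 443):
        return "allow"
    # Inbound "return traffic" is approximated by the ACK bit, which any sender can set.
    if (not is_internal(pkt.src) and is_internal(pkt.dst)
            and pkt.proto == "tcp" and "ACK" in pkt.flags):
        return "allow"
    return "deny"


class StatefulFilter:
    def __init__(self):
        # State table: 5-tuples of sessions this firewall saw opened from inside.
        self.table = set()

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.table or reverse in self.table:
            if pkt.flags & {"FIN", "RST"}:          # session teardown removes the entry
                self.table.discard(key)
                self.table.discard(reverse)
            return "allow"                          # belongs to a known session
        # New session: only an inside-initiated SYN to HTTPS is permitted by policy.
        if (is_internal(pkt.src) and not is_internal(pkt.dst) and pkt.proto == "tcp"
                and pkt.dport == 443 and pkt.flags == frozenset({"SYN"})):
            self.table.add(key)
            return "allow"
        return "deny"                               # unsolicited, including forged ACKs


def run_scenario() -> dict:
    """Constructed traffic: a real HTTPS handshake plus a forged inbound ACK to RDP."""
    client_syn = Packet("10.1.2.3", 51000, "203.0.113.10", 443, "tcp", frozenset({"SYN"}))
    server_synack = Packet("203.0.113.10", 443, "10.1.2.3", 51000, "tcp", frozenset({"SYN", "ACK"}))
    forged_ack = Packet("198.51.100.7", 40000, "10.1.2.3", 3389, "tcp", frozenset({"ACK"}))
    packets = (client_syn, server_synack, forged_ack)
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in packets],
        "stateful": [stateful.filter(p) for p in packets],
    }


if __name__ == "__main__":
    print(run_scenario())
    # {'stateless': ['allow', 'allow', 'allow'], 'stateful': ['allow', 'allow', 'deny']}
```

The third packet is the exam point: a stateless filter cannot tell the legitimate SYN/ACK from a forged ACK, while the stateful filter drops the forged packet because no session in its table explains it.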
Inspection Modes and Failure Behavior
Know the failure stance terms. Fail-open keeps traffic flowing if the device fails, favoring availability; fail-closed (fail-secure) stops traffic, favoring confidentiality. An inline IPS that fails closed protects the network but can cause an outage, so high-availability designs pair inline devices or use bypass logic. TLS inspection (a man-in-the-middle break-and-inspect) lets an NGFW or WAF see inside encrypted sessions, but it requires distributing the inspection certificate to clients and can break certificate-pinned applications.
The recurring SY0-701 theme: match the device generation and its fail stance to whether the business prioritizes availability or strict blocking, and never assume a stateless filter sees what an NGFW or WAF sees.
Practice Questions
- A company must detect suspicious traffic but cannot risk a control dropping legitimate production packets. Which deployment best fits?
- A web application is receiving SQL injection and cross-site scripting attempts. Which control is most directly designed to inspect and block these HTTP-layer attacks?
- Which qualities make a firewall rule set secure? Choose three.