Lesson 12: Perimeter Defense — Firewalls, WAF, DMZ, and IDS/IPS
In the previous lesson we mapped how attackers hit the application directly — XSS, SQL injection, buffer overflow, and credential theft. This lesson moves to the defense side: the tools that sit on the boundary between the open internet and the organization's network, stopping much of that threat la
In brief: packet filtering checks each packet alone against fixed rules; a stateful firewall remembers the whole conversation and checks whether the packet belongs to it — but precisely because it 'remembers,' an attacker can flood it with connection attempts that never complete and fill up its memory (SYN flood). A WAF guards the application against attacks like SQL injection and XSS. A DMZ puts internet-exposed servers in an isolated area so a breach there doesn't reach the internal network directly. IDS alerts; IPS also blocks. A VPN encrypts traffic through a tunnel over an untrusted network. A NACL filters already at the subnet level, remembering nothing.
- Packet Filtering Firewall
- Filters packets at the network layer (Layer 3) and transport layer (Layer 4) against predefined static rules (ACLs) — IP address, port, protocol, and direction — without any regard to connection state.
- Stateful Firewall & State Table
- A firewall that analyzes conversation context rather than treating each packet in isolation: when a SYN packet is approved, a row opens in the State Table (a log held in RAM) with the IP, ports, and expected sequence number (SEQ); future packets are checked only against that row. The same table that lets it spot a forged connection also exposes the firewall to a SYN flood that fills up its RAM.
- WAF (Web Application Firewall)
- A security component that filters HTTP/S traffic at the application layer, analyzes the full request content (not just protocol details), and specifically protects against attacks such as SQL injection, XSS, and CSRF from the OWASP Top 10.
- DMZ (Demilitarized Zone)
- An isolated area hosting services that must be internet-accessible (Web, mail, DNS), so a breach there confines the attacker to the DMZ alone. In a single-firewall configuration, one device manages all the traffic; in a dual-firewall configuration, two separate devices — one between the internet and the DMZ, one between the DMZ and the internal network — raise the cost of a breach.
- IDS vs IPS
- IDS monitors traffic and system events (via signature-based or anomaly-based methods) and only alerts, without blocking. IPS combines that same detection capability with active, real-time blocking.
- VPN (Virtual Private Network)
- Enables an encrypted, secure connection over an untrusted public network, via an encrypted virtual 'tunnel' and identity authentication — so even as data passes through the open internet, it remains undecipherable.
- Network ACL (NACL)
- An additional, stateless defense layer at the subnet/VLAN level, filtering inbound and outbound traffic via static Allow/Deny rules based on IP addresses and ports — before traffic even reaches the main firewall.
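The state-table behaviour described under "Stateful Firewall & State Table" above, as an added toy simulation that is not part of the lesson: a SYN consults the static rules and opens a row, any other packet must match an existing row, a bounded table reproduces the SYN-flood failure mode, and a half-open timeout shows the usual mitigation. Addresses, ports and sequence numbers are constructed; the class and function names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # toy single-flag string: "S" = SYN, "A" = ACK
    seq: int

class StatefulFirewall:
    """Toy state table (the lesson's RAM-resident log): one row per conversation."""
    def __init__(self, allowed_dports, max_entries, half_open_timeout=30.0):
        self.allowed_dports = set(allowed_dports)  # static rules consulted only for new SYNs
        self.max_entries = max_entries             # finite RAM: the SYN-flood pressure point
        self.half_open_timeout = half_open_timeout
        self.table = {}  # (src, sport, dst, dport) -> [expected seq, established, created_at]

    def expire_half_open(self, now):
        """Mitigation: drop rows whose handshake never completed within the timeout."""
        stale = [k for k, (_, est, t) in self.table.items()
                 if not est and now - t > self.half_open_timeout]
        for k in stale:
            del self.table[k]

    def inspect(self, pkt, now):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "S":  # new conversation attempt
            if pkt.dport not in self.allowed_dports:
                return "DROP: port not in policy"
            self.expire_half_open(now)
            if len(self.table) >= self.max_entries:
                return "DROP: state table full"
            self.table[key] = [pkt.seq + 1, False, now]
            return "ALLOW: new row"
        row = self.table.get(key)  # every other packet must match an existing row
        if row is None:
            return "DROP: no conversation"
        if pkt.seq != row[0]:
            return "DROP: unexpected seq"
        row[1] = True  # handshake completed (toy: ignores windows and the reverse direction)
        return "ALLOW: known conversation"

def syn_flood_demo(table_size=5):
    # constructed traffic: spoofed SYNs that never complete fill the table, then a real client tries
    fw, srv = StatefulFirewall({443}, max_entries=table_size), "10.0.0.10"
    for sport in range(40000, 40000 + table_size):
        fw.inspect(Packet("198.51.100.7", sport, srv, 443, "S", 100), now=0.0)
    blocked = fw.inspect(Packet("203.0.113.5", 50000, srv, 443, "S", 500), now=1.0)
    recovered = fw.inspect(Packet("203.0.113.5", 50000, srv, 443, "S", 500), now=60.0)
    return blocked, recovered
```

`syn_flood_demo()` returns the legitimate client's verdict while the table is full and again after the half-open rows have timed out; the second verdict is what the timeout buys you.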