Firewalls, IDS/IPS, and Endpoint Protection

These three controls work together to prevent, detect, and respond to cyber threats across the network and endpoints.

Firewalls

A firewall is a security device or software that controls incoming and outgoing network traffic based on predefined security rules.

Think of it as the gatekeeper between trusted and untrusted networks.

Types of Firewalls

a. Packet-Filtering Firewall

• Inspects source/destination IP, port, protocol
• Fast but limited context

b. Stateful Firewall

• Tracks active connections
• Allows related traffic automatically
• More secure than packet filtering

c. Application-Layer (Proxy) Firewall

• Inspects application data (HTTP, FTP, SMTP)
• Deep inspection but slower

d. Next-Generation Firewall (NGFW)

• Application awareness
• Integrated IDS/IPS
• SSL inspection
• Threat intelligence integration

Firewall Functions

• Allow or block traffic
• Enforce network segmentation
• Reduce attack surface
• Log network activity

Firewall Limitations

• Cannot detect malicious traffic allowed by rules
• Ineffective against insider threats alone
• Limited visibility into encrypted traffic (without SSL inspection)

Intrusion Detection System (IDS)

An IDS monitors network or system activity to detect suspicious or malicious behavior and generate alerts.

It is passive — it does not block traffic.

Types of IDS

a. Network-Based IDS (NIDS)

• Monitors network traffic
• Deployed at strategic points (DMZ, core network)

b. Host-Based IDS (HIDS)

• Monitors system logs, files, processes
• Installed on individual hosts

Detection Methods

• Signature-based: Matches known attack patterns
• Anomaly-based: Detects deviations from normal behavior

IDS Strengths

• Early attack detection
• Visibility into suspicious activity
• Forensic and alerting support

IDS Weaknesses

• Cannot stop attacks automatically
• High false positives if poorly tuned

3. Intrusion Prevention System (IPS)

An IPS actively blocks or prevents detected malicious traffic in real time.

Unlike IDS, IPS is inline with network traffic.

IPS Capabilities

• Drop malicious packets
• Reset suspicious connections
• Block offending IP addresses
• Prevent exploit attempts

IDS vs IPS (Quick Comparison)

Endpoint Protection

Endpoint protection secures individual devices such as:

• Laptops
• Servers
• Mobile devices
• Virtual machines

Types of Endpoint Protection

a. Antivirus (AV)

• Signature-based malware detection
• Limited against zero-day threats

b. Endpoint Protection Platform (EPP)

• Antivirus + firewall + device control
• Preventive focus

c. Endpoint Detection and Response (EDR)

• Behavioral monitoring
• Incident investigation
• Threat hunting
• Response actions (isolate endpoint, kill process)

Key Endpoint Protection Capabilities

• Malware detection and removal
• Behavioral analysis
• Endpoint isolation
• Memory and process monitoring
• Automated response

How These Tools Work Together

Together they provide defense in depth.

Role in Incident Response

During an incident:

• Firewalls block malicious IPs/domains
• IDS identifies attack patterns and lateral movement
• IPS stops active exploitation
• EDR isolates infected endpoints and collects evidence

Common SOC Interview / Exam Tips

• Firewall = control traffic
• IDS = detect only
• IPS = detect + block
• Endpoint protection = last line of defense
• NGFW often includes IDS/IPS features
• EDR focuses on visibility and response, not just prevention

One-Line Definitions (Exam-Ready)

• Firewall: Controls network traffic based on rules
• IDS: Detects and alerts on suspicious activity
• IPS: Detects and blocks malicious traffic
• Endpoint Protection: Secures individual devices against threats