Firewall, Next-generation firewalls and IPS

📘 CCNA 200-301 v1.1

1.1.c Next-generation firewalls and IPS

1. What is a Firewall? (Quick recap)

  • A firewall is a network security device that controls traffic between trusted (inside) and untrusted (outside) networks.
  • Traditional firewalls (pre-NGFW) mainly filtered traffic based on:
    • Source IP
    • Destination IP
    • Port numbers
    • Protocols (TCP, UDP, ICMP, etc.)

⚠️ Limitation: Traditional firewalls couldn’t inspect what’s inside the packet. They only worked at Layer 3 (Network) and Layer 4 (Transport) of the OSI model.


2. Next-Generation Firewall (NGFW)

An NGFW is an advanced firewall that can do everything a traditional firewall does PLUS much more.

Key Features of NGFW:

  • Deep Packet Inspection (DPI): Looks inside packet payloads, not just headers.
  • Application Awareness: Can identify applications (e.g., Facebook, YouTube, Dropbox) even if they all use the same port (e.g., port 443 HTTPS).
  • User Identity Awareness: Integrates with Active Directory / LDAP to enforce rules based on users and groups, not just IP addresses.
  • Intrusion Prevention System (IPS) Integration: Can detect and block attacks (SQL injection, DoS, worms, etc.).
  • SSL/TLS Inspection: Can decrypt and inspect HTTPS traffic (clients must trust the firewall's certificate for this to work).
  • Advanced Threat Protection (ATP): Blocks malware and integrates with threat intelligence feeds.
  • URL Filtering & Content Control: Can block websites by category (e.g., gambling, adult content).

NGFW Placement

  • Typically sits at the perimeter of the network (between LAN and Internet).
  • Can also be used in data centers for east-west traffic inspection.

💡 Think of NGFW as a firewall + IDS/IPS + Application Control + Threat Intelligence in one box.


3. Intrusion Prevention System (IPS)

An IPS is a network security tool designed to detect and block malicious traffic.

  • IDS (Intrusion Detection System): Only detects suspicious activity, alerts admins, but does not block.
  • IPS (Intrusion Prevention System): Detects and blocks malicious traffic in real time.

How IPS works:

  1. Traffic Monitoring – Analyzes packets as they pass through.
  2. Signature-based Detection – Uses known attack patterns (like antivirus).
  3. Anomaly-based Detection – Detects unusual behavior (e.g., sudden traffic spikes).
  4. Action – Drops packets, resets connections, or alerts the admin.

Examples of Attacks an IPS Can Stop:

  • DoS / DDoS attacks
  • Buffer overflows
  • Malware communication
  • SQL injection / XSS (cross-site scripting)
  • Exploits of unpatched systems

4. NGFW vs IPS – How They Work Together

  • An NGFW often includes an IPS as one of its features.
  • If a network only has an IPS (without NGFW), it can’t control normal traffic flow like a firewall does.
  • If a network only has an NGFW without IPS features enabled, attacks (including zero-day exploits) hidden inside traffic that the firewall rules allow can get through.

👉 Best practice: Modern enterprises use NGFW with built-in IPS (sometimes called NGIPS).


5. Exam-Level Key Points (What to Remember for CCNA)

🔑 Firewall Basics: Controls access between networks using rules (ACLs).
🔑 Traditional Firewalls: Operate at Layer 3 & 4 (IP addresses, ports).
🔑 NGFW: Adds Layer 7 (application layer) inspection, user-based policies, threat intelligence, and integrated IPS.
🔑 IPS: Monitors traffic in real time, detects, and blocks malicious activity.
🔑 IDS vs IPS: IDS = Detect only, IPS = Detect + Block.
🔑 Placement: NGFW usually at network edge, IPS inline with traffic.


6. Real-World Example (Simple for Students)

Imagine you’re at a school:

  • A traditional firewall can block students from accessing port 21 (FTP) or from using a banned IP address.
  • A next-generation firewall (NGFW) can block Facebook even though it uses HTTPS (port 443) – because it recognizes the application.
  • An IPS will detect and block a student who tries to launch a DoS attack on the school’s Wi-Fi or run malware on the network.

Explained in plain, real-world IT terms for CCNA:

What a normal firewall does (old style)

  • Think of a firewall like a security guard at the building door.
  • The guard checks who you are (IP address) and what you want to do (port/service) before letting you in.
  • Example:
    • “Only staff (10.10.0.0/24 network) can go to the admin server.”
    • “Block anyone from using FTP (port 21).”

👉 The old firewalls only check basic info: IP addresses, ports, and protocols.


What a Next-Generation Firewall (NGFW) does

Today, attackers hide inside normal-looking traffic. For example:

  • A student uses HTTPS (port 443) to visit Facebook during class. To the old firewall, this just looks like “web browsing” because it’s all on port 443.
  • Malware can also use HTTPS to talk to its attacker's command-and-control server.

A Next-Generation Firewall (NGFW) goes deeper. It can:

  • See inside the traffic (not just the port).
  • Recognize applications like YouTube, Facebook, or Dropbox even when they all use HTTPS.
  • Block malware before it spreads.
  • Check who the user is (by username, not just IP).
  • Filter websites (block adult sites, gambling, etc.).
  • Stop new attacks using cloud threat updates.

👉 Real IT example:
In a school, you might allow Office 365 traffic but block YouTube during lessons. Both use port 443, but NGFW can tell them apart.
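
As an added example (not from these notes), here is a small Python simulation of the Office 365 vs Facebook case above: a Layer 3/4 rule permits both flows because both are TCP/443, while an NGFW-style rule classifies each flow by its TLS Server Name Indication (SNI) and the user's AD group. The flows, the SNI-to-application table and the rule formats are constructed for illustration only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    src: str          # source IP address (Layer 3)
    dst_port: int     # destination port (Layer 4)
    proto: str        # "tcp" or "udp"
    sni: str = ""     # TLS Server Name Indication seen in the ClientHello
    group: str = ""   # user group from an AD/LDAP lookup (NGFW only)

# Constructed application signatures; a real NGFW ships a vendor database.
APP_BY_SNI = {"facebook.com": "facebook", "youtube.com": "youtube",
              "outlook.office365.com": "office365"}

# Traditional rules: (action, source network, destination port, protocol).
TRADITIONAL_RULES = [("permit", "10.20.0.0/24", 443, "tcp")]

# NGFW rules: (action, user group or None, application or None).
NGFW_RULES = [("deny", "students", "facebook"), ("deny", "students", "youtube"),
              ("permit", None, "office365"), ("permit", "staff", None)]

def traditional_decision(flow, rules=TRADITIONAL_RULES):
    """Layers 3/4 only: first matching rule wins, implicit deny at the end."""
    for action, net, port, proto in rules:
        if (ip_address(flow.src) in ip_network(net)
                and port == flow.dst_port and proto == flow.proto):
            return action
    return "deny"

def identify_app(flow):
    """Classify by SNI; anything else on 80/443 is plain 'web-browsing'."""
    for domain, app in APP_BY_SNI.items():
        if flow.sni == domain or flow.sni.endswith("." + domain):
            return app
    return "web-browsing" if flow.dst_port in (80, 443) else "unknown"

def ngfw_decision(flow, rules=NGFW_RULES):
    """Layer 7 plus identity: match on who the user is and which app it is."""
    app = identify_app(flow)
    for action, group, rule_app in rules:
        if group in (None, flow.group) and rule_app in (None, app):
            return action
    return "deny"

# Constructed flows: the same student opens Facebook and Office 365, both on 443.
STUDENT_FACEBOOK = Flow("10.20.0.5", 443, "tcp", "www.facebook.com", "students")
STUDENT_O365 = Flow("10.20.0.5", 443, "tcp", "outlook.office365.com", "students")
```

SNI is only one classification signal; a real NGFW combines it with certificate data, decrypted content (when TLS inspection is enabled) and its own application database.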


What an IPS (Intrusion Prevention System) does

Even with a firewall, bad traffic can sneak in. That’s where IPS comes in.

IPS = attack detector + blocker.

  • It looks at the traffic in detail.
  • If it matches a known attack pattern (like SQL injection, a worm, or DDoS), it blocks it instantly.
  • It can also notice “weird” behavior, like a laptop suddenly flooding the network.

👉 Real IT example:

  • If a teacher’s laptop gets infected with ransomware, the IPS will see the unusual behavior and block it before it spreads to file servers.

IDS vs IPS (easy check)

  • IDS (Intrusion Detection System): Just reports “I see something bad!” (like a CCTV camera with no guard).
  • IPS (Intrusion Prevention System): Reports AND blocks the attack (like a guard who stops the intruder).
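
An added example (not part of these notes) that puts the four-step IPS process from section 3 and the IDS vs IPS check above into Python: the same signature and anomaly detection runs in both modes, and the only difference is whether matched packets are dropped (inline IPS) or merely reported (out-of-band IDS). The signatures, the flood threshold and the traffic window are constructed for illustration.

```python
import re
from collections import Counter

# Constructed signatures (known attack patterns); a real IPS ships thousands.
SIGNATURES = {
    "sqli-union-select": re.compile(r"(?i)\bunion\s+select\b"),
    "xss-script-tag": re.compile(r"(?i)<script\b"),
}
FLOOD_THRESHOLD = 100   # packets from one source per window (constructed value)

def signature_match(payload):
    """Step 2, signature-based: name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            return name
    return None

def flood_sources(packets, threshold=FLOOD_THRESHOLD):
    """Step 3, anomaly-based: sources that sent more than `threshold` packets."""
    counts = Counter(p["src"] for p in packets)
    return {src for src, n in counts.items() if n > threshold}

def sensor(packets, mode):
    """Steps 1 and 4: inspect one window of packets and decide what to do.
    mode="ids": out-of-band copy (SPAN port), alert only, everything still flows.
    mode="ips": inline, alert AND drop the offending packets."""
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    floods = flood_sources(packets)
    forwarded, alerts = [], []
    for p in packets:
        reason = signature_match(p["payload"])
        if reason is None and p["src"] in floods:
            reason = "traffic-flood"
        if reason is not None:
            alerts.append((p["src"], reason))
            if mode == "ips":
                continue      # dropped: never reaches the protected network
        forwarded.append(p)
    return forwarded, alerts

# Constructed traffic window: one normal request, one SQL injection attempt,
# and a laptop that suddenly floods the network with 150 requests.
TRAFFIC = (
    [{"src": "10.20.0.7", "payload": "GET /index.html HTTP/1.1"}]
    + [{"src": "10.20.0.9", "payload": "GET /login?id=1 UNION SELECT 1,2,3 HTTP/1.1"}]
    + [{"src": "10.20.0.12", "payload": "GET / HTTP/1.1"} for _ in range(150)]
)
```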

How NGFW and IPS fit together

  • A firewall = traffic rules (who can go where).
  • NGFW = firewall + application control + malware filtering + user awareness.
  • IPS = adds deep protection against attacks.
  • Modern firewalls (Cisco Firepower, Palo Alto, Fortinet) already include IPS.

For the CCNA exam – Key points to remember

  • Traditional firewall = Layer 3 & 4 (IP, ports).
  • NGFW = adds Layer 7 (applications, users, deep inspection).
  • IPS = blocks attacks in real time.
  • IDS = only detects, doesn’t block.
  • NGFW + IPS are usually at the network edge (where your LAN meets the internet).

✅ So in real IT:

  • Old firewall = only blocks by addresses/ports.
  • NGFW = smarter, can block YouTube but allow Office 365, can block malware.
  • IPS = acts like an attack bodyguard, blocking hackers and viruses in real time.


Firewall vs NGFW vs IDS vs IPS

(Plain IT explanation)

1. IDS (Intrusion Detection System)

  • What it does: Monitors traffic and looks for suspicious activity.
  • How it works:
    • Uses signatures (known attack patterns) or anomaly detection.
    • Sends alerts to administrators when it detects something bad.
  • Important: It does not block traffic — it only warns.
  • Where it sits:
    • Usually connected via a SPAN/mirror port on a switch.
    • That means it sees a copy of the traffic but doesn’t sit inline.

👉 Real example: Like a CCTV camera that watches the corridor but can’t physically stop a fight — it just reports it.


2. IPS (Intrusion Prevention System)

  • What it does: Same detection as IDS, but it can also block the attack.
  • How it works:
    • Sits inline with the traffic.
    • If it sees an attack, it drops the packet immediately.
  • Where it sits:
    • Between the switch and the firewall/router (inline).

👉 Real example: Like a security guard watching the CCTV — and immediately stepping in to stop the fight.


3. Firewall (basic)

  • Controls traffic using IP addresses and ports.
  • Works mainly at Layer 3 and Layer 4.
    👉 Example: “Block all FTP traffic (port 21).”

4. NGFW (Next-Generation Firewall)

  • A smarter firewall that combines:
    • Normal firewall features (IP/port rules).
    • Application control (block Facebook, allow Office 365).
    • Malware filtering.
    • User identity awareness.
    • Built-in IPS functionality.
      👉 Example: “Allow staff to use Office 365 but block students from using YouTube, even though both use HTTPS (port 443).”

CCNA Key takeaway:

  • IDS: Detects only, no blocking (out-of-band).
  • IPS: Detects and blocks (inline).
  • Firewall: Rules based on IP/ports.
  • NGFW: Firewall + application awareness + IPS + threat protection.

IDS, IPS, and firewalls all look very similar as physical devices.

  • They’re all usually rack-mounted appliances or small desktop boxes.
  • They all have:
    • Ethernet ports (for connecting to the network).
    • LED lights (status/activity).
    • Sometimes management ports (console/USB).

The difference is in how they are connected and what they do:

  • IDS (Intrusion Detection System):
    • Usually connected to a SPAN/mirror port on a switch.
    • It just receives a copy of traffic for monitoring.
    • Looks like a firewall box, but it doesn’t block traffic.
  • IPS (Intrusion Prevention System):
    • Placed inline between network segments (e.g., between LAN and firewall).
    • Can actually block packets.
  • Firewall / NGFW:
    • Controls which traffic is allowed in or out.
    • NGFW also inspects applications and includes IPS features.