05
17 min read · 5 briefings

Firewalls, Segmentation & Network Defense

Where defenders draw their lines — and why one wall is never enough.

01 Three generations of firewall

A firewall enforces a policy about which traffic may cross a boundary. They've evolved through three broad generations, each seeing more than the last.

  • Packet-filtering (stateless): the original. It judges each packet in isolation against rules on source/destination IP, port, and protocol. Fast, cheap, and simple — but it has no memory, so it can't tell a legitimate reply from an unsolicited packet that merely looks like one.
  • Stateful inspection: the leap forward. It maintains a state table of active connections, so it knows a given inbound packet belongs to a connection your side actually initiated. It can allow return traffic automatically and drop packets that don't fit any known session.
  • Next-generation firewall (NGFW): stateful plus application awareness. Via deep packet inspection it can tell that traffic on port 443 is really BitTorrent, block specific apps, decrypt and inspect TLS, and integrate an intrusion prevention system, user identity, and threat intelligence.
GenerationSeesBlind spot
Packet filterIP, port, protocolConnection context
StatefulConnection stateApplication content
NGFWApps, users, payloadsCost, complexity, TLS blind spots

02 NAT: sharing and hiding

Network Address Translation (NAT) rewrites IP addresses as packets cross a boundary. Its everyday job is to let many devices on a private network (using non-routable ranges like 192.168.0.0/16 or 10.0.0.0/8) share a single public IP address — the reason IPv4 hasn't fully run out despite there being far more devices than addresses.

The common form is PAT (Port Address Translation, or "NAT overload"): the router keeps a translation table mapping each internal device+port to a unique external port, so replies can be sent back to the right machine. Your laptop's 192.168.1.5:51234 becomes the router's 203.0.113.7:40001 on the way out, and back again on the way in.

A frequent misconception: NAT is not a firewall. It happens to hide internal addresses and drop unsolicited inbound traffic as a side effect, which provides some obscurity — but it enforces no security policy and shouldn't be relied on as protection.

Insight IPv6, with its effectively unlimited address space, removes the need for NAT-as-address-sharing. That surprises people who assumed NAT was a security feature — under IPv6 the firewall, not NAT, does the guarding.

03 DMZ, VLANs, and segmentation

Flat networks — where everything can talk to everything — are a gift to attackers: breach one machine and you can pivot to all the others. Segmentation is the discipline of carving a network into zones with controlled crossings, so a compromise stays contained.

A DMZ (demilitarized zone) is a semi-trusted subnet for public-facing servers — web, mail, DNS. It sits between the hostile internet and the trusted internal network, so that if a public server is breached, the attacker is still outside the internal network and must cross another firewall to go deeper.

VLANs (virtual LANs, via 802.1Q tagging) let one physical switch host multiple logically isolated networks — putting, say, guest Wi-Fi, VoIP phones, payment terminals, and staff laptops on separate segments that can't freely reach each other. Traffic between VLANs must pass through a router or firewall where policy applies.

The modern extreme is microsegmentation — policy enforced down to individual workloads — a core building block of Zero Trust architecture, which assumes the internal network is already hostile.

Pro tip Regulations lean on segmentation: PCI DSS, for example, effectively requires isolating systems that handle cardholder data so the rest of the network is out of audit scope.

04 IDS and IPS

Firewalls decide what's allowed. Intrusion detection and prevention systems ask a different question: is allowed traffic actually malicious?

  • An IDS (intrusion detection system) monitors traffic and raises alerts. It typically sits out of band (on a mirror/SPAN port), so it can watch everything but not stop it — a smoke detector.
  • An IPS (intrusion prevention system) sits inline in the traffic path and can drop or block malicious packets in real time — a sprinkler system. The tradeoff: a false positive can block legitimate traffic, and being inline adds latency and a potential failure point.

Both detect threats in two main ways. Signature-based detection matches known-bad patterns (fast and precise, but blind to novel attacks). Anomaly-based detection flags deviations from a learned baseline (can catch the unknown, but generates more false positives). Open-source tools like Snort and Suricata are the classic workhorses here.

Watch out An IDS/IPS that everyone ignores is worse than none — it creates false confidence. Alert fatigue is a real operational failure; tuning out the noise is as important as the detection itself.

05 Proxies and defense in depth

A proxy is an intermediary that terminates and re-originates connections, giving a control point to inspect and filter. A forward proxy sits in front of clients (employees browsing out), enforcing content policy and logging. A reverse proxy sits in front of servers (users coming in), handling TLS termination, load balancing, caching, and — as a WAF (web application firewall) — filtering malicious web requests.

No single control is sufficient, which is the whole thesis of defense in depth: layer independent controls so that any one failing doesn't mean total compromise. At the network layer that looks like:

  1. A perimeter firewall filtering the obvious.
  2. A DMZ isolating public services.
  3. Internal segmentation (VLANs / microsegmentation) limiting lateral movement.
  4. IDS/IPS watching for malicious behavior inside allowed traffic.
  5. Proxies/WAFs inspecting application content.

The mindset shift for defenders is to assume breach: plan not just to keep attackers out, but to slow, detect, and contain them once they're in. A single wall stops the lazy; layers exhaust the determined.

Field Glossary

Stateful firewall
A firewall that tracks active connections in a state table, so it can distinguish legitimate return traffic from unsolicited packets — unlike a stateless packet filter.
NGFW
Next-generation firewall — a stateful firewall with application awareness, deep packet inspection, integrated IPS, user identity, and often TLS inspection.
NAT / PAT
Network (and Port) Address Translation — rewriting IP addresses so many private devices share one public IP. It aids address conservation but is not itself a security control.
DMZ
A semi-trusted subnet between the internet and the internal network where public-facing servers live, so a breach of them doesn't immediately expose internal systems.
VLAN
Virtual LAN — a logically isolated network segment on shared physical switches (via 802.1Q tagging); traffic between VLANs must pass a router or firewall.
IDS vs. IPS
An IDS detects and alerts on malicious traffic out of band; an IPS sits inline and can actively block it, at the cost of latency and false-positive risk.
Defense in depth
The strategy of layering multiple independent security controls so that the failure of any one does not lead to total compromise.

Knowledge Check

Field Assessment

0 / 3

01 What can a stateful firewall do that a stateless packet filter cannot?

02 Why is it a mistake to treat NAT as a security feature?

03 An IDS and an IPS both detect malicious traffic. What is the key operational difference?

ESC
↑↓ navigate jack in