RSS Feed

Network Devices Types

Created: 02.06.2023

Host-based IDS look for local system configurations and behaviour, while network-based IDS look for network connections and looks for anomalies and common signatures.

IDS and IPS as firewall’s filters. There are Control Plane (looks after the OS and routing table) and the Forwarding Plane (makes decisions on routing and discarding). If something happens to the Control Plane, the device will still forward the traffic (really???).

By default IDS only listens 👂 the traffic. It’s usually connected to the span port on a switch. Looks for anomalies and sends alerts. Won’t take any actions by default, but can be configured in such a way. If the IDS is down, nothing is changed for the rest of the network, it’s still operating.

IPS takes actions on its own. It is not connected to the span port, but rather is a gateway. Before it inspects and allows a packet through, nothing can move forward. So, if IPS is down, everyone is down (unless there is some load balancing enabled or may be some policy for such cases). Positioned right after the router, edge device or a firewall.

On Linux, IPTables plays the role of a firewall.

Checkpoint Firewall NGX allows backup files to be saved locally on the SecurePlatform device hard drive, or remotely using SCP or TFTP. The backup file can be saved to a specific directory on the local hard drive or to a remote server using SCP or TFTP. The backup file can also be named according to user preferences or saved using the default name. Therefore, options A, B, and C are correct. Option D is not a valid location for the backup files.

Stateless Inspection

Each packet is inspected one at a time with no knowledge of the previous ones. Firwall 🔥 reads the IP and determines if it’s allowed according to the ACL. The destination port is also checked. Benefits: faster, troubleshooting, useful for routers with virtualization (control traffic routing through the use of routing instances?), control traffic, QoS and CoS (quality of service switches for traffic prioritisation).

Stateful Inspection

Every packer is inspected in the context of a stream/conversation. Sessions for this type of machines are defined by: src and dst IPs, src and dst ports, optionally vlan (in case of virtualization). 🔥 Firewall will keep a DB of sessions and associated policy names it’s assigning.


First, the stateless inspection is performed first. Juniper firewall example. If the session is in the DB, evaluate the screens, see the traffic type and match against the session, NAT and other sevices required (AppTrack, AppDoS, AppQoS, AppFW, IDP stream, SSL Rev Proxy?, AppID stream, SSL Frd Proxy, TCP Proxy, IDP packet, AppID packet).

If there is no such session ID, apply screen first anyway (filters against flow or DoS), Static NAT applied*, Dest NAT* (if configured), Route, Zones, Policy, Reverse Static NAT, Source NAT, Services, Session.

XML Gateway

All XML passes through the ordinary firewall without inspection. Then, XML gateway inspects the XML for validity, no code, IP src/dst.

Example 1. Block all in-out datagrams with IP protocol field 17 and src/dst port=23. Means blocking all telnet.

Example 2. Block all inbound traffic with ACK=0. Prevents external users to initiate TCP connections with internal ones. But allows the later to connect to the outside.

Packet filtering firewalls only look at packet layer. Application layer firewalls look at the both.

Proxy Firewall

Two TCP handshakes.

Next generation Firewalls (NGFW)

Juniper, for example. Firewall + other filtering device. Firewall + deep packet inspection = DPI. Firewall + IPS. Minds sessions. Can inspect encrypted traffic. Traditional firewalls don’t understand business policies and cannot distinguish between different types of traffic (business and non-business). When the first packet is arriving, it’s inspected. But all further requests within this session are not inspected. Layers 2-7. You can not only block/allow HTTP traffic, for example, but also decide which application is using HTTP in this case and decide. For example, block YouTube HTTP, but allow Facebook HTTP.



Cannot protect itself from IP spoofing. Each app might have its own gateway. Client software must know how to contact gateway. Usually use all or nothing policy for UDP.

Tradeoff - performance, level of security.


Expand… Something here