Beginner Networks Updated on Jun 25, 2025

Firewall, IDS, and IPS — differences, rules, and limitations

Firewall, IDS, and IPS are complementary layers of network defense. Each has a different purpose — using them together increases defense-in-depth.

Firewall — controlling traffic

A firewall decides what enters and leaves the network based on rules. It can operate per packet (stateless) or per connection (stateful).

Stateless: analyzes each packet in isolation (source, destination, port)
Stateful:  tracks TCP connection state — knows if a packet belongs to a legitimate session

Example rules (iptables — Linux)

# Allow SSH from a specific IP
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.10 -j ACCEPT

# Block everything else on port 22
iptables -A INPUT -p tcp --dport 22 -j DROP

# Allow established outbound traffic back in
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Default policy: drop everything not explicitly allowed
iptables -P INPUT DROP
iptables -P FORWARD DROP

Firewall limitations

Cannot inspect content inside encrypted packets without SSL inspection
Does not detect attacks within allowed traffic (e.g., SQLi over port 80)
Misconfigured rules create silent gaps

IDS — Intrusion Detection System

An IDS monitors traffic and alerts when it detects suspicious patterns. It does not block — it only observes and reports.

Passive mode: receives a copy of traffic (SPAN/mirror port on switch)
Analyzes against signatures or behavioral baseline
Generates alert → security team investigates

Example IDS alerts:

Port scan detected (e.g., nmap -sS)
Known exploit attempt (signed CVE)
Traffic to a known C2 (Command & Control) domain

Popular tools: Snort and Suricata (open source).

IPS — Intrusion Prevention System

An IPS is an IDS that acts — it blocks suspicious traffic in real time, sitting inline on the network.

Traffic → [IPS] → Internal network
              ↓
         Suspicious traffic: blocked and logged

IPS risk: false positives block legitimate traffic. Signature tuning is required.

Comparison

Tool        | Monitors | Blocks | Network position
------------|----------|--------|------------------
Firewall    | Yes      | Yes    | Edge / segment
IDS         | Yes      | No     | Passive (SPAN)
IPS         | Yes      | Yes    | Inline

Next-Generation Firewall (NGFW)

Combines stateful firewall + IPS + application inspection (layer 7) + SSL inspection:

Identifies the application (not just the port): blocks BitTorrent even on port 80
Inspects TLS: decrypts, analyzes, re-encrypts
User/group control (Active Directory integration)

Where each tool falls short

Tool	Main limitation
Firewall	Cannot see attacks inside allowed traffic
IDS	Generates alerts but does not act — needs humans
IPS	False positives block legitimate services
NGFW	SSL inspection requires certificate trust

Defense in depth: layer all of them together.