Network Security Principles: Firewalls, VPNs, and Intrusion Detection
Network security controls form the technical and policy layer that separates trusted internal systems from hostile external environments. This page covers three foundational control categories — firewalls, virtual private networks (VPNs), and intrusion detection systems (IDS) — examining how each operates, where each applies, and how practitioners distinguish between them when designing layered defenses. These topics sit within the broader discipline addressed on the Cybersecurity Fundamentals reference page and are grounded in frameworks published by NIST, the IETF, and other recognized standards bodies.
Definition and scope
Network security encompasses the hardware, software, configurations, and policies that control traffic flow across computer networks and detect unauthorized activity. The three primary control types covered here occupy distinct but overlapping roles in defense-in-depth architectures.
Firewalls are access control enforcement points that filter traffic based on defined rule sets. NIST Special Publication 800-41 Rev. 1, "Guidelines on Firewalls and Firewall Policy" classifies firewalls into four major types: packet-filtering firewalls, stateful inspection firewalls, application-layer gateways (proxy firewalls), and dedicated proxy servers. Each type operates at a different layer of the OSI model, from Layer 3 packet filtering up to Layer 7 application inspection.
Virtual Private Networks encrypt and tunnel traffic across untrusted networks, creating a logically private channel between endpoints. The IETF documents the two dominant VPN protocol suites: IPsec (RFC 4301) and Transport Layer Security (TLS), the latter underlying SSL VPN implementations. IPsec operates at Layer 3; TLS-based VPNs typically operate at Layer 4–7.
Intrusion Detection Systems monitor network traffic or host activity for patterns indicating malicious behavior, policy violations, or known attack signatures. NIST SP 800-94, "Guide to Intrusion Detection and Prevention Systems" defines two primary IDS deployment models: network-based IDS (NIDS), which inspects traffic at key network segments, and host-based IDS (HIDS), which monitors activity on individual endpoints. When detection is coupled with automated blocking responses, the system is classified as an Intrusion Prevention System (IPS).
Together these three control families address confidentiality, integrity, and availability across the network stack, the foundational triad codified in NIST FIPS 199.
How it works
Firewall operation
A stateful inspection firewall maintains a connection tracking table — recording source IP, destination IP, source port, destination port, and protocol — and permits return traffic only when it matches an established session. This contrasts with a stateless packet filter, which evaluates each packet in isolation against static rules without tracking session context. Next-generation firewalls (NGFWs) extend stateful inspection with deep packet inspection (DPI), capable of identifying application-layer protocols regardless of port number, enabling granular policy enforcement at Layer 7.
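The contrast between the two filtering models can be made concrete with a small simulation. The following example is added here and is not code from NIST SP 800-41 or from any firewall product; the addresses, ports, internal prefix (`10.0.0.`) and the single "internal hosts may open HTTPS outbound" policy rule are constructed for illustration. It runs the same three packets through a stateless filter and a stateful one and shows why the stateless filter, which must carry a standing rule to admit replies from source port 443, also admits an unsolicited packet that merely uses that port, while the stateful filter permits return traffic only when a matching session was opened from inside.

```python
from dataclasses import dataclass

# Constructed for this example: the protected LAN prefix is an assumption.
INTERNAL_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    syn: bool = False  # TCP SYN without ACK: a new connection attempt


def five_tuple(p: Packet):
    return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto)


def reverse_tuple(p: Packet):
    # The same flow as seen from the other direction.
    return (p.dst_ip, p.src_ip, p.dst_port, p.src_port, p.proto)


def policy_allows_outbound(p: Packet) -> bool:
    """Single policy rule: internal hosts may open HTTPS connections outbound."""
    return (p.src_ip.startswith(INTERNAL_PREFIX) and p.proto == "tcp"
            and p.dst_port == 443)


def stateless_decide(p: Packet) -> str:
    """Each packet is judged in isolation. To let HTTPS replies back in, a
    stateless filter must carry a standing rule for inbound packets from
    source port 443, which also admits any unsolicited packet using that port."""
    if policy_allows_outbound(p):
        return "permit"
    if (p.dst_ip.startswith(INTERNAL_PREFIX) and p.proto == "tcp"
            and p.src_port == 443):
        return "permit"
    return "deny"


class StatefulFilter:
    """Keeps a connection table keyed by the 5-tuple and permits return traffic
    only when it matches a session that an internal host actually opened."""

    def __init__(self):
        self.sessions = set()

    def decide(self, p: Packet) -> str:
        if five_tuple(p) in self.sessions or reverse_tuple(p) in self.sessions:
            return "permit"                   # established session
        if p.syn and policy_allows_outbound(p):
            self.sessions.add(five_tuple(p))  # record the new session
            return "permit"
        return "deny"                         # no state and no policy match


def compare_filters():
    """Run the same three constructed packets through both filters."""
    outbound_syn = Packet("10.0.0.5", "203.0.113.10", 51000, 443, "tcp", syn=True)
    legit_reply = Packet("203.0.113.10", "10.0.0.5", 443, 51000, "tcp")
    unsolicited = Packet("198.51.100.7", "10.0.0.5", 443, 40000, "tcp", syn=True)
    packets = [outbound_syn, legit_reply, unsolicited]
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_decide(p) for p in packets],
        "stateful": [stateful.decide(p) for p in packets],
    }


if __name__ == "__main__":
    for name, verdicts in compare_filters().items():
        print(f"{name:9s} {verdicts}")
```

The third verdict is the point of the exercise: the stateful filter denies the unsolicited packet because no internal host opened a session to that peer, whereas the stateless filter has no way to tell it from a legitimate reply. A production connection table additionally ages entries out and tracks TCP state transitions, which this model omits.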
VPN operation: IPsec vs. TLS
IPsec VPNs operate in two modes:
- Transport mode — encrypts only the payload of the original IP packet, preserving the original IP header.
- Tunnel mode — encapsulates the entire original IP packet within a new IP packet with a new header, the standard mode for site-to-site VPN deployments.
IPsec uses the Internet Key Exchange protocol (IKEv2, defined in RFC 7296) to negotiate cryptographic parameters and authenticate endpoints before data transmission begins. TLS-based VPNs, by contrast, operate through standard HTTPS ports (TCP 443), making them more traversable across restrictive firewalls — an operational advantage in environments where IPsec is blocked.
IDS detection mechanisms
NIDS sensors analyze packet headers and payloads at network capture points, using two core detection methods:
- Signature-based detection — matches traffic patterns against a database of known attack signatures. The open-source Snort engine, maintained under Cisco's stewardship, uses this model with a published rule set updated by the community.
- Anomaly-based detection — builds a statistical baseline of normal network behavior and flags deviations beyond defined thresholds. This method can identify zero-day attacks but produces a higher rate of false positives than signature-based detection.
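The two detection methods can be compared side by side on sample traffic. The following example is added here and is not code from Snort or from NIST SP 800-94; the two rules are written in a simplified Snort-like syntax and are constructed for this page (they are not community rules), the packets and the per-source connection counts are constructed, and only the header fields plus the `msg`, `content` and `sid` options of the real rule grammar are parsed. The signature half matches packet payloads against parsed rules; the anomaly half learns a mean and standard deviation from a baseline period and flags sources above `mean + 3 * stdev`, which catches the outlier but also flags a legitimate backup host, illustrating the higher false-positive rate noted above.

```python
import re
import statistics
from dataclasses import dataclass


@dataclass
class Pkt:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes


# Constructed rules in a Snort-like syntax (not from any published rule set).
RULES = [
    'alert tcp any any -> any 80 (msg:"Directory traversal in HTTP URI"; content:"../../"; sid:1000001;)',
    'alert tcp any any -> any 22 (msg:"Legacy SSH-1.99 banner"; content:"SSH-1.99"; sid:1000002;)',
]
RULE_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$')
OPT_RE = re.compile(r'(\w+):"?([^;"]*)"?;')


def parse_rule(text: str) -> dict:
    """Parse the header and the msg/content/sid options of one rule."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    o = dict(OPT_RE.findall(opts))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "msg": o["msg"],
            "content": o["content"].encode(), "sid": int(o["sid"])}


def signature_alerts(rules, packets):
    """Signature model: alert for every rule whose protocol and destination
    port match and whose content string occurs in the payload."""
    alerts = []
    for p in packets:
        for r in rules:
            if r["proto"] != p.proto:
                continue
            if r["dport"] != "any" and int(r["dport"]) != p.dport:
                continue
            if r["content"] in p.payload:
                alerts.append((r["sid"], p.src, r["msg"]))
    return alerts


def anomaly_alerts(baseline, observed, k=3.0):
    """Anomaly model: learn mean and standard deviation of per-source
    connections per window, then flag sources above mean + k * stdev."""
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline)
    threshold = mean + k * sd
    flagged = [(src, n) for src, n in observed.items() if n > threshold]
    return flagged, threshold


def run_demo():
    # Constructed sample packets seen by a NIDS sensor.
    packets = [
        Pkt("10.0.0.5", "203.0.113.10", 80, "tcp", b"GET /index.html HTTP/1.1\r\n"),
        Pkt("198.51.100.7", "10.0.0.80", 80, "tcp", b"GET /img/../../config HTTP/1.1\r\n"),
        Pkt("198.51.100.7", "10.0.0.22", 22, "tcp", b"SSH-1.99-OldClient\r\n"),
        Pkt("198.51.100.7", "10.0.0.53", 53, "udp", b"../../"),  # protocol mismatch
    ]
    rules = [parse_rule(r) for r in RULES]
    # Constructed baseline: new connections per source per minute over eight
    # quiet windows, then one observed window. 10.0.0.20 is a legitimate backup
    # host whose nightly burst shows the false-positive cost of the model.
    baseline = [12, 15, 11, 14, 13, 12, 16, 14]
    observed = {"10.0.0.5": 14, "10.0.0.20": 19, "198.51.100.7": 240}
    flagged, threshold = anomaly_alerts(baseline, observed)
    return {"signature": signature_alerts(rules, packets),
            "anomaly": flagged, "threshold": threshold}


if __name__ == "__main__":
    print(run_demo())
```

The UDP packet carrying the same content string raises no alert because the rule header restricts it to TCP, a reminder that signature quality depends on the header fields as much as on the content pattern. Real engines add offsets, PCRE options, flow state and rule ordering that this parser does not handle.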
Common scenarios
Enterprise perimeter defense deploys a firewall at the boundary between the internal network and an ISP uplink, with a demilitarized zone (DMZ) segment hosting public-facing servers such as web and mail infrastructure. A NIDS sensor is placed on a tap or span port inside the perimeter to capture all inbound and outbound traffic for analysis without creating a chokepoint.
Remote workforce access uses a VPN gateway — typically supporting IKEv2/IPsec or TLS — to authenticate remote employees and encrypt traffic before it enters the corporate network. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published Advisory AA20-073A recommending that organizations using VPNs apply available patches rapidly, noting that threat actors actively exploited vulnerabilities in unpatched VPN appliances (CISA AA20-073A).
Zero-trust segmentation replaces traditional perimeter-only models with micro-segmented network zones where firewall policy enforces least-privilege communication between workloads. NIST SP 800-207, "Zero Trust Architecture" establishes the architectural principles underlying this approach, in which no traffic — including east-west traffic between internal hosts — is implicitly trusted.
Understanding these scenarios requires broader context about how networks are structured, which the Computer Networking Fundamentals page addresses in detail. The Cryptography in Computer Science page covers the encryption algorithms underlying VPN implementations, including AES-256 and ChaCha20.
For practitioners mapping these controls to career pathways, the Computer Science Career Paths page describes roles in network security engineering and security operations. The /index page provides the full reference map of topics covered across the domain.
Decision boundaries
Selecting among firewall types, VPN protocols, and IDS deployment models involves discrete tradeoffs:
Firewall type selection:
| Firewall Type | OSI Layer | Session Awareness | Application Visibility |
|---|---|---|---|
| Packet-filtering | Layer 3–4 | No | No |
| Stateful inspection | Layer 3–4 | Yes | Limited |
| Application-layer gateway | Layer 7 | Yes | Full |
| NGFW with DPI | Layer 3–7 | Yes | Full |
As inspection depth increases, so do latency and the hardware cost per unit of throughput. NGFW platforms capable of 10 Gbps throughput with full DPI enabled carry significantly higher hardware costs than stateful-only appliances at the same rated throughput, a tradeoff documented in NIST SP 800-41.
VPN protocol selection — IPsec vs. TLS:
- IPsec is preferred for site-to-site tunnels where both endpoints are under administrative control and UDP 500/4500 is permitted.
- TLS-based VPNs are preferred for remote client access where diverse endpoint environments and restrictive upstream firewalls make IPsec traversal unreliable.
IDS vs. IPS placement:
An IDS operates out-of-band: it receives a copy of traffic from a network tap or SPAN port and cannot block packets in real time, so a sensor failure poses no availability risk. An IPS operates inline, introducing a single point of failure; if the IPS crashes, traffic is either dropped or bypassed depending on whether it is configured fail-closed or fail-open. NIST SP 800-94 recommends that organizations assess availability requirements before placing IPS devices on high-priority traffic paths.
References
- NIST SP 800-41 Rev. 1 — Guidelines on Firewalls and Firewall Policy
- NIST SP 800-94 — Guide to Intrusion Detection and Prevention Systems (IDPS)
- NIST SP 800-207 — Zero Trust Architecture
- NIST FIPS 199 — Standards for Security Categorization of Federal Information and Information Systems
- IETF RFC 4301 — Security Architecture for the Internet Protocol (IPsec)
- IETF RFC 7296 — Internet Key Exchange Protocol Version 2 (IKEv2)
- CISA Advisory AA20-073A — Enterprise VPN Security