Firewalls, IDS/IPS, VPNs, segmentation, zero trust โ the controls that protect traffic while it's moving through a network.
Network defence layers: Firewalls (stateful or next-gen) filter traffic at boundaries. IDS alerts on suspicious activity; IPS actively blocks it. VPNs extend trusted networks over untrusted ones. Segmentation (VLANs, subnets) contains breaches by limiting lateral movement โ reducing the blast radius. Zero trust abandons "trusted inside, untrusted outside" and requires verification for every access, regardless of source. All these combine under defence in depth โ no single control, several layers.
14.1 Firewalls
A firewall is a filter that sits at a network boundary and decides which traffic gets through. Introduced in Chapter 3; now we dig into how they actually work.
Three generations of firewall
Generation
How it decides
Strengths
Limits
Packet-filter (stateless)
Looks at each packet in isolation โ source/dest IP, port, protocol
Fast, simple, cheap
Can't tell "response to a request I made" from "unsolicited incoming attack"
Stateful
Tracks ongoing connections. Remembers that you sent a request and allows the matching reply.
Modern baseline; smarter than stateless; handles legitimate reply traffic correctly
Doesn't inspect packet contents โ can't block "HTTPS with known malware" distinct from "HTTPS with normal traffic"
Next-Generation (NGFW)
Looks into packet contents at Layer 7 โ recognises applications, inspects content
Can block specific apps (Facebook but not LinkedIn), detect known attack signatures, integrate threat intel
Slower, more expensive, requires ongoing tuning and updates
Stateless vs stateful โ the classic exam distinction
Almost all serious firewalls today are stateful at minimum. "Stateless" survives in small roles like router ACLs but not as the main boundary defence.
Web Application Firewall (WAF)
A specialised firewall specifically for web applications. Sits between users and your web server and inspects HTTP/HTTPS traffic for known attack patterns โ SQL injection strings, XSS payloads, suspicious requests. Essential for any public-facing web application. Cloudflare, AWS WAF, and Akamai offer these as managed services.
LAYERING: You wouldn't rely on just one firewall in a serious design. Typical enterprise: a perimeter firewall at the internet edge, internal firewalls between security zones (e.g., user network โ server network), and a WAF in front of public web applications. Each firewall has specific rules appropriate to its position.
14.2 Intrusion Detection & Prevention (IDS / IPS)
Firewalls work on rules โ "allow this, block that." IDS and IPS look for suspicious patterns in traffic โ things that match known attack signatures or deviate from normal behaviour.
IDS (Detection)
IPS (Prevention)
What it does
Monitors and alerts
Monitors AND blocks
Placement
Can watch a copy of traffic (out-of-line)
Must be in-line with traffic to block it
If it's wrong (false positive)
Wasted analyst time
Blocks legitimate traffic โ business impact
If it's wrong (false negative)
Attack missed
Attack missed, and slightly worse โ because trust was placed in the IPS
How they detect threats
Signature-based โ matches against a database of known attack patterns. Fast and accurate for known threats. Useless against novel attacks.
Anomaly-based โ builds a profile of "normal" traffic and alerts on deviations. Catches new threats but prone to false positives.
Behavioural / heuristic โ looks for behaviour that resembles known attack tactics (e.g., "multiple failed logins followed by a success from a new geography")
Machine learning โ increasingly common; learns your environment's patterns and flags unusual events
IDS/IPS PLACEMENT: Network-based (NIDS/NIPS) inspect traffic flowing through network segments. Host-based (HIDS/HIPS) monitor activity on a specific server or endpoint. Modern enterprise defences use both: network-level to catch traffic-borne attacks, host-level to catch things that happen on individual machines (e.g., a user running a malicious PowerShell script).
EDR / XDR โ where detection is heading
Endpoint Detection and Response (EDR) is effectively a modern host-based IDS/IPS combined with response capabilities. An EDR agent runs on every endpoint, collects detailed telemetry, and can react (isolate infected hosts, kill processes). XDR (Extended Detection and Response) correlates EDR data with network, cloud, and identity signals for a unified view. Leading products: CrowdStrike Falcon, Microsoft Defender, SentinelOne. Chapter 15 covers how these feed into monitoring and incident response.
14.3 Virtual Private Networks (VPNs)
A VPN creates an encrypted tunnel over an untrusted network (like the internet) that behaves like a direct private connection. Two main uses:
Remote-access VPN
Used when an individual needs to connect securely to an office network from elsewhere โ a salesperson working from home, a student accessing school resources from a cafe. Their device establishes an encrypted tunnel to the VPN concentrator at the office; all traffic between them is encrypted and invisible to any party in between.
Remote-access VPN = private tunnel between one user and a corporate network. Site-to-site VPN is similar but between whole networks.
Site-to-site VPN
Used to connect two entire networks securely over the internet โ e.g., a Sydney office to a Melbourne office without needing a dedicated physical cable. Each network's VPN gateway talks to the other; users at either end see one unified network.
Consumer VPNs โ different thing, same name
Services like NordVPN, Mullvad, and ExpressVPN are "VPNs" in name but are really encrypted proxies โ they tunnel your traffic through their servers, giving you:
Encryption on untrusted Wi-Fi
IP address that appears to come from the VPN provider's server, not your home
Bypass of geo-restrictions (access content from other countries)
These are useful but have limits. They don't make you anonymous (the provider can see your traffic), they don't protect against malware or phishing, and you're trusting the VPN provider with everything your ISP would otherwise see.
VPN protocols to know (by name)
Protocol
Status
IPsec
Old but still widely used for site-to-site and some remote-access VPNs
OpenVPN
Flexible, widely supported, slightly heavier than newer options
WireGuard
Modern, fast, simple โ increasingly the default for new deployments
PPTP
Legacy, insecure โ do not use
14.4 Network Segmentation โ The "Blast Radius" Control
Segmentation is the strategic use of subnets and VLANs to divide a network into zones with different trust levels, controlled by firewall rules at the boundaries.
The idea is simple: if an attacker compromises one zone, they should not automatically have access to others. They must overcome additional controls to move laterally โ giving defenders more time and opportunities to detect and respond.
VLANs โ logical segmentation on physical switches
A VLAN (Virtual LAN) is a logical network that behaves as a separate network even though it shares physical switches and cables. Managed switches (Chapter 3) support VLANs; unmanaged ones don't.
Typical VLAN setup for a school:
VLAN 10 โ Staff devices
VLAN 20 โ Student devices
VLAN 30 โ IoT (printers, sensors, smart TVs)
VLAN 40 โ Guest Wi-Fi
VLAN 50 โ Servers
The firewall enforces rules between VLANs:
From โ
Staff
Student
IoT
Guest
Servers
Staff
โ
Deny
Deny
Deny
Allow (specific ports)
Student
Deny
โ
Deny
Deny
Allow (LMS only)
IoT
Deny
Deny
โ
Deny
Deny (IoT shouldn't reach servers)
Guest
Deny
Deny
Deny
โ
Internet only โ no internal
WHAT SEGMENTATION BUYS YOU: A guest Wi-Fi user's compromised laptop can only attack the internet, not the staff network or servers. A compromised student device can access the LMS but can't reach the payroll server. A rogue IoT device can't pivot to admin systems. Every horizontal arrow the attacker can't cross is a win. This dramatically reduces the blast radius compared to one flat network.
TRAP: VLANs are a security control, not a security boundary. Misconfigured switches can be tricked into "VLAN hopping" attacks. Critical segmentation (e.g., between internet and production systems) should be enforced by a real firewall, not just a VLAN tag. Serious defenders use VLANs + firewalls + access control lists โ defence in depth.
14.5 Zero Trust โ A Philosophy Shift
Traditional network security assumed "inside the firewall = trusted, outside = untrusted." Zero trust abandons that distinction. Instead: verify every access, every time, regardless of where it comes from.
Why zero trust emerged
Modern networks don't have a clean perimeter. Users work from home. Cloud services run everywhere. Partners and contractors need access. Devices come and go. The "castle walls" model doesn't match reality anymore.
When the Medibank attacker had a contractor's valid credential, the network treated them as trusted internal user and let them reach many systems. Zero trust would have required that same credential to be verified again at each internal boundary, with additional factors like device health, user behaviour, and access justification.
Core principles of zero trust
Never trust, always verify โ no implicit trust based on network location
Least privilege โ every access grant is minimum and specific
Assume breach โ design as if attackers are already inside; limit what they can do
Verify explicitly โ every access uses identity, device health, context
Continuous monitoring โ trust is revalidated continuously, not once at login
ZERO TRUST IS A JOURNEY: Big organisations don't "switch to zero trust" overnight. It's a shift in philosophy reflected in many smaller changes: MFA for internal apps, device health checks before granting access, fine-grained segmentation, identity-aware proxies, service-to-service mutual authentication. The ACSC's "Security of Critical Infrastructure" guidance increasingly reflects zero-trust principles. US CISA mandates zero-trust architectures for federal agencies; Australia is following.
14.6 Other Network Defences
Proxy servers and URL filtering
Schools and businesses often route web traffic through a proxy that filters based on category (block gambling, adult content, malware sites) and can log usage. At schools this is typically required to comply with duty-of-care obligations when minors are using the network.
DNS filtering
Rather than let any DNS query go through, organisations use filtered DNS (Cloudflare Gateway, Cisco Umbrella, or self-hosted options) that refuse to resolve known-malicious domains. Cheap and highly effective โ a lot of attacks rely on the victim's device successfully connecting to attacker infrastructure; breaking that first DNS lookup stops the attack.
Network Access Control (NAC)
Verifies a device before letting it join the network. Is the OS patched? Is antivirus running? Is it a corporate-managed device? If it fails checks, the device is either denied entry or placed in a quarantine network with limited access. Common in schools and enterprises using 802.1X.
DDoS mitigation
Specialised services that absorb large-scale traffic floods. Cloudflare, Akamai, AWS Shield sit in front of your web application and filter out botnet traffic, passing only legitimate requests to your servers. Essential for anything with a public profile that might attract attention.
14.7 Defence In Depth โ Putting It All Together
No single network control stops all attacks. The goal is layers: even if an attacker bypasses one control, the next one catches them.
No single ring stops every attack โ but attacks that get through one are usually caught by another, or slowed enough to be detected.
A concrete example of defence in depth saving the day: in the 2021 Kaseya incident, organisations that had segmented their networks and restricted outbound traffic had far less damage than those running flat networks, even though the initial attack was equally successful.
14.8 The Network Defence Design Checklist
For an exam design question, a well-rounded network defence includes:
Perimeter defence โ firewall at the internet edge, WAF for web apps, DDoS mitigation if public-facing
Detection โ IDS/IPS or EDR monitoring for threats; DNS filtering for early indicators
Remote access โ VPN or zero-trust access for users off-network; MFA required
Assume-breach controls โ least privilege (Chapter 13), logging and monitoring (Chapter 15), response plan
EXAM TEMPLATE for "design the network security for [organisation]":
"The network is divided into zones by function โ [list zones]. A stateful firewall at the internet boundary permits only necessary inbound traffic (typically HTTPS on 443 to public web services). A web application firewall protects any internet-facing application from OWASP-class attacks. Between internal zones, VLANs enforce segmentation; a second firewall controls inter-zone traffic under least-privilege rules (e.g., the guest VLAN cannot reach the server VLAN). Remote workers connect via VPN or zero-trust access, authenticated with MFA. Endpoint detection agents run on all endpoints. DNS is filtered to block known-malicious domains. Logs from each layer feed to a central SIEM (covered in Ch 15) for correlation and alerting. These layers work together โ defence in depth โ so that the compromise of any single control doesn't breach the whole environment. This also contains the blast radius of any successful attack by limiting lateral movement."
14.9 Quiz Time
What's the difference between a firewall and an IDS?
A firewall is a policy-based filter โ it has rules ("allow port 443 in, block everything else") and decides whether to pass or block each packet based on those rules. An IDS is a pattern detector โ it doesn't necessarily have yes/no rules; it looks for suspicious behaviour (signatures of known attacks, unusual patterns) and alerts a human analyst. An IPS is an IDS that also blocks.
They're complementary: the firewall enforces what should be possible, the IDS/IPS catches what shouldn't โ including things the firewall would allow under its rules but that turn out to be malicious (e.g., a legitimate-looking HTTPS session carrying SQL injection payloads).
Why does segmentation with VLANs reduce the impact of a breach?
Segmentation contains lateral movement โ the attacker's ability to move from one compromised system to others. If the network is flat (no segmentation), a foothold anywhere gives the attacker reach to everywhere. If the network is segmented, a compromise in one VLAN is contained by firewall rules at the VLAN boundaries, forcing the attacker to find additional vulnerabilities to cross zones.
In the Medibank incident, the attacker moved freely after initial access. In a well-segmented network, they would have had to compromise additional controls at each boundary โ giving the security team more time to detect and respond, and limiting the data exposed. In exam terms: segmentation reduces blast radius by creating enforcement points that confine an attacker.
A small business uses a $50 home-grade router as their perimeter firewall. Is this adequate?
Probably not. Home-grade routers provide basic stateful firewalling suitable for consumer needs but usually lack:
โ Enterprise logging (needed for incident investigation and NDB compliance)
โ Advanced threat detection (IPS, web filtering)
โ VPN concentrator capability for remote access
โ Regular security updates (many home routers stop receiving updates after a few years)
โ Throughput and connection capacity for business traffic
โ Support and warranty beyond consumer-level
For a small business, a dedicated small-business firewall/UTM appliance (Fortinet, SonicWall, Meraki, WatchGuard, or cloud-managed options) is a modest investment that significantly upgrades visibility and control. Relying purely on a home router for business-scale risk is exactly the kind of shortcut that shows up in post-breach analyses.
Explain why "zero trust" is more than just "turn on MFA for everything."
MFA is one component of zero trust, but zero trust is a whole architectural philosophy. Key elements beyond MFA:
โ Continuous verification โ access is re-evaluated continuously, not just at login. If your device falls out of compliance mid-session, access can be dropped.
โ Device posture checks โ access depends on the device meeting security standards (patched, encrypted, running EDR).
โ Micro-segmentation โ granular network controls down to the application or workload level, not just VLAN level.
โ Context-aware policies โ access decisions factor in time of day, location, device, user behaviour, resource sensitivity.
โ Service-to-service authentication โ even internal systems authenticate to each other; there's no implicit trust between them.
โ Assume-breach mindset โ design as if attackers are already inside; focus on detection and containment alongside prevention.
MFA is necessary but not sufficient. Zero trust is about removing the "once you're inside, you're trusted" assumption entirely, which takes organisational work beyond any single control.