What are the three additional services that a network-based firewall commonly provides beyond traffic filtering?
1. VPN termination — acts as VPN endpoint or concentrator for site-to-site and remote access tunnels. 2. NAT (Network Address Translation) — translates internal private IPs to public IPs. 3. Layer 3 routing — acts as a router at the ingress/egress boundary, including dynamic routing protocols. These are standard features on most network firewalls.
What OSI layer does an NGFW operate at, and what is the fundamental difference from a traditional firewall?
NGFW operates at OSI Layer 7 (Application Layer). The fundamental difference: a traditional firewall makes decisions based on port numbers and protocols (TCP/80, UDP/53). An NGFW identifies the specific application in the traffic stream, allowing policy to be applied to the application itself regardless of what port it uses. Every packet must be decoded, categorized, and evaluated.
What are the four alternative names for NGFW technology, and what does each name emphasize?
Application layer gateway — operates at OSI Layer 7. Stateful multilayer inspection — tracks connection state across multiple OSI layers. Deep packet inspection (DPI) — reads inside the payload, not just headers. Layer 7 firewall — informal term for application-layer decision making. All four names describe the same technology on the Security+ exam.
Match each service to its port/protocol: SSH, HTTP, HTTPS, RDP, DNS, NTP.
SSH → TCP/22. HTTP → TCP/80. HTTPS → TCP/443. RDP (Remote Desktop) → TCP/3389. DNS → UDP/53. NTP (Network Time Protocol) → UDP/123. ICMP (ping) → No port (not TCP or UDP).
How does a firewall evaluate its rule base, and why must specific rules appear before general rules?
Rules are evaluated top to bottom; the first matching rule wins and evaluation stops. Specific rules must appear above general rules because a broad rule placed first will match traffic intended for a specific exception below it, and the specific rule will never be reached. Example: a "deny all SSH" rule above a "allow SSH from admin subnet" rule blocks admins too.
What is implicit deny and why is it important?
Implicit deny is a default-deny rule enforced automatically at the bottom of every firewall rule base. Any traffic that does not match any explicit rule is automatically dropped — even if the administrator never wrote a deny rule. Implements the security principle: "everything not explicitly permitted is forbidden." This is why firewalls are secure by default: any traffic the admin forgot to allow is blocked, not permitted.
What is a screened subnet, what does it contain, and what security problem does it solve?
A screened subnet (DMZ) is a network zone between the internet and the internal network that hosts public-facing services (web servers, email servers, DNS). It solves the problem of exposing public services: internet traffic can reach the screened subnet but cannot pass into the internal network. If a public server is compromised, the attacker is contained in the DMZ — the firewall still blocks access to internal systems.
What is the difference between signature-based and anomaly-based IPS detection? What can each one catch that the other cannot?
Signature-based: matches traffic against known attack patterns; excellent on known threats; cannot detect zero-day or novel attacks without a signature. Anomaly-based: flags deviation from a normal baseline; can detect zero-days and unknown attacks; generates more false positives because legitimate traffic can look anomalous. Best practice: use both together for layered IPS coverage.
How are IPS rules organized into groups, and why does this matter?
IPS rule groups are collections of related rules managed by a single policy setting. Groups are often pre-created by the vendor (database rules, web app rules, OS exploit rules) or defined by the administrator. A single policy decision — "block all database injection rules" — applies to thousands of individual signatures simultaneously. Groups make managing thousands of IPS rules practical without requiring individual rule-by-rule configuration.
What is the fundamental trade-off in IPS tuning, and why is tuning never complete?
The trade-off: too aggressive = false positives block legitimate traffic and generate alert fatigue; too permissive = false negatives let real attacks through. Why never complete: new applications introduce traffic patterns that trigger rules; new attacks require new rules; business changes alter what "normal" looks like. IPS tuning is a continuous process that must adapt to the constantly changing network environment.