Network-Based Firewall
An inline appliance positioned at the network ingress/egress point that inspects all traffic crossing the boundary and makes allow/deny decisions based on configured rules. Operates on port numbers (traditional) or application identity (NGFW). Also provides VPN termination, NAT, and Layer 3 routing.
NGFW (Next-Generation Firewall)
A firewall that operates at OSI Layer 7 (Application Layer), identifying specific applications in the traffic stream rather than just port numbers. Every packet is decoded, categorized by application, and evaluated against policy. Provides far more granular control than traditional port-based firewalls. Also called application layer gateway, stateful multilayer inspection, or deep packet inspection device.
Application Layer Gateway
An alternative name for an NGFW; emphasizes its ability to analyze and control traffic at the OSI Application Layer (Layer 7). Understands the specific application protocol in use rather than inferring it from port numbers. All three names — application layer gateway, stateful multilayer inspection, deep packet inspection — describe the same NGFW technology on the Security+ exam.
Deep Packet Inspection (DPI)
An analysis technique used by NGFWs that examines the payload content of network packets, not just the header fields. DPI reads inside the packet to identify the application, detect malware, find sensitive data patterns, and evaluate policy. Enables application identification, IPS threat detection, and content filtering that header-only inspection cannot provide.
Implicit Deny
A default-deny rule enforced at the bottom of every firewall rule base. Any traffic that does not match any explicit allow or deny rule is automatically dropped. The implicit deny does not need to be explicitly written — most firewalls enforce it automatically. Implements the principle that everything not explicitly permitted is forbidden.
ACL (Access Control List)
The ordered list of rules that defines a firewall's security policy. Each ACL entry specifies matching criteria (source IP, destination IP, port, protocol, application, user, time of day) and an action (allow or deny). Evaluated top to bottom; first match wins. Synonym for firewall rule base or policy list.
Screened Subnet
A dedicated network zone created between the internet and the internal private network that hosts publicly accessible services (web servers, email servers, DNS). Internet traffic can reach the screened subnet but is blocked from passing into the internal network. Contains publicly exposed resources; prevents a compromised public server from enabling access to internal systems. Also called a DMZ.
DMZ (Demilitarized Zone)
An alternative name for a screened subnet. A network zone that separates publicly accessible systems from internal sensitive systems. A firewall enforces the boundary: internet ↔ DMZ traffic is permitted for specific services; DMZ ↔ internal network traffic is blocked. Limits the blast radius of a compromised public-facing server.
IPS (Intrusion Prevention System)
A security component (commonly integrated into an NGFW) that monitors traffic in real time and blocks malicious activity. Distinct from a firewall: where the firewall controls which traffic is allowed, the IPS inspects the content of allowed traffic for attack patterns. Uses signature-based and anomaly-based detection, contains thousands of tunable rules, and can block, alert, or monitor when a match is detected.
Signature-Based Detection
An IPS detection method that compares traffic against a database of known attack patterns (signatures). A signature describes a specific byte sequence, protocol behavior, or payload pattern associated with a known exploit or malware variant. Highly accurate against known threats but cannot detect novel attacks that do not match any signature — the core weakness against zero-day exploits.
Anomaly-Based Detection
An IPS detection method that establishes a baseline of normal network behavior and flags deviations. Identifies attacks by asking whether traffic looks unusual rather than whether it matches a known pattern. Can detect zero-day exploits, novel malware, and generic attack classes (SQL injection, port scans) without specific signatures. Generates more false positives than signature-based detection because legitimate traffic can appear anomalous.
IPS Tuning
The ongoing process of adjusting IPS rules to balance security effectiveness against operational noise (false positives). Overly aggressive IPS configurations block legitimate traffic and generate excessive alerts. Overly permissive configurations miss real attacks. Tuning is never finished: new applications, traffic patterns, and threats require continuous rule adjustments. Rules can be customized individually or by group.