servers used for payroll processing. Of course, the company does not want random Internet
users or attackers to be able to connect to their payroll server.
Security Zones
Firewalls use the concept of security zones (or simply zones) when defining which hosts can
initiate new connections. The firewall's rules define which hosts in one zone can initiate
connections to hosts in another zone; the direction matters, because a zone that may initiate
connections to a second zone does not automatically allow the second zone to initiate connections
back. Zones also let a firewall place multiple interfaces into the same zone when those interfaces
should have the same security rules applied.
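As an added example (not code from the book), the following Python model shows how zone-based rules work in practice: interfaces are mapped to zones, rules are written per zone pair for the zone that initiates a connection, and a connection table lets replies to an allowed connection return without any rule for the reverse zone pair. The zone names, interface names, addresses and rules are all assumed for illustration.

```python
"""Added example: a small model of zone-based firewall rules.
Zone names, interface names, prefixes and rules are constructed
for illustration and are not from any real configuration."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Interface -> zone. Gi0/1 and Gi0/2 share the INSIDE zone, so they
# share one set of rules (constructed topology).
INTERFACE_ZONE = {
    "Gi0/0": "OUTSIDE",  # Internet-facing link
    "Gi0/1": "INSIDE",   # employee LAN
    "Gi0/2": "INSIDE",   # second employee LAN, same rules as Gi0/1
    "Gi0/3": "DMZ",      # public web server and payroll server
}

# Address space per zone; anything not listed is treated as OUTSIDE.
ZONE_NETWORKS = {"INSIDE": ("10.1.0.0/16",), "DMZ": ("192.0.2.0/24",)}
DEFAULT_ZONE = "OUTSIDE"

# Which zone may *initiate* connections into which zone, and on which
# destination ports. An empty tuple means any port; a missing pair is denied.
ZONE_PAIR_RULES = {
    ("INSIDE", "OUTSIDE"): (),           # users may reach the Internet
    ("INSIDE", "DMZ"): (80, 443, 8443),  # users may reach DMZ services
    ("OUTSIDE", "DMZ"): (80, 443),       # Internet may reach the public web server only
}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool  # True for a TCP SYN that starts a new connection


def zone_of_ip(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONE_NETWORKS.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return zone
    return DEFAULT_ZONE


class ZoneFirewall:
    def __init__(self) -> None:
        self.connections: set = set()  # 4-tuples of permitted, established flows

    def evaluate(self, pkt: Packet) -> tuple[str, str]:
        """Return (action, reason) for one packet."""
        src_zone = INTERFACE_ZONE[pkt.in_iface]
        # Anti-spoofing: the source address must belong to the zone of the
        # interface the packet arrived on.
        if zone_of_ip(pkt.src_ip) != src_zone:
            return "deny", f"spoofed source {pkt.src_ip} on {src_zone} interface"
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # Established connections pass in both directions; this is what lets
        # replies return from OUTSIDE without an OUTSIDE->INSIDE rule.
        if flow in self.connections or reverse in self.connections:
            return "permit", "established connection"
        if not pkt.syn:
            return "deny", "no matching connection"
        dst_zone = zone_of_ip(pkt.dst_ip)
        if src_zone == dst_zone:  # traffic staying inside one zone is permitted here
            self.connections.add(flow)
            return "permit", f"intra-zone {src_zone}"
        ports = ZONE_PAIR_RULES.get((src_zone, dst_zone))
        if ports is None:
            return "deny", f"no zone pair {src_zone}->{dst_zone}"
        if ports and pkt.dst_port not in ports:
            return "deny", f"port {pkt.dst_port} not allowed {src_zone}->{dst_zone}"
        self.connections.add(flow)
        return "permit", f"zone pair {src_zone}->{dst_zone}"


def run_demo() -> list[str]:
    """Constructed packets; 192.0.2.50 plays the payroll server, 192.0.2.10 the web server."""
    fw = ZoneFirewall()
    packets = [
        Packet("Gi0/1", "10.1.5.20", 51000, "198.51.100.7", 443, syn=True),    # user -> Internet
        Packet("Gi0/0", "198.51.100.7", 443, "10.1.5.20", 51000, syn=False),   # reply to that flow
        Packet("Gi0/0", "198.51.100.9", 40000, "192.0.2.50", 1433, syn=True),  # Internet -> payroll
        Packet("Gi0/0", "198.51.100.9", 40001, "192.0.2.10", 443, syn=True),   # Internet -> web
        Packet("Gi0/2", "10.1.9.3", 52000, "192.0.2.50", 8443, syn=True),      # second LAN -> payroll
        Packet("Gi0/0", "10.1.5.21", 53000, "192.0.2.10", 443, syn=True),      # spoofed inside address
        Packet("Gi0/0", "198.51.100.9", 40002, "10.1.5.22", 5000, syn=False),  # unsolicited inbound
    ]
    return [fw.evaluate(p)[0] for p in packets]


if __name__ == "__main__":
    for action in run_demo():
        print(action)
```

The third packet is the payroll case from the text: the Internet host is in OUTSIDE, the payroll server in DMZ, and the OUTSIDE-to-DMZ rule lists only the web ports, so the connection attempt is denied while the web server on the same zone stays reachable.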
Intrusion Prevention Systems (IPS)
Traditionally, a firewall works with a set of user-configured rules about where packets should be
allowed to flow in a network. The firewall needs to sit in the path of the packets so it can filter the
packets, redirect them for collection and later analysis, or let them continue toward their
destination.
A traditional intrusion prevention system (IPS) can also sit in the path packets take through the
network and filter packets, but it makes its decisions with different logic. The IPS first downloads
a database of exploit signatures. Each signature defines the header field values, found in a single
packet or in a sequence of packets, that a particular exploit uses. The IPS then examines packets,
compares them to the known exploit signatures, and notices when packets may be part of a known
exploit. Once it identifies a match, the IPS can log the event, discard the packets, or even redirect
them to another security application for further examination. Because the IPS recognizes only
traffic that matches a signature, it can stop only attacks it has a signature for, so the signature
database must be kept current.
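As an added example (not code from the book or from any IPS vendor), the following Python toy inline IPS holds a constructed two-entry signature database: one signature names header field values to match in a single packet, the other names values that must recur across a sequence of packets from one source. Each packet is logged, dropped or forwarded according to the signature hit. The signature IDs, names, thresholds and the packet trace are all constructed for illustration.

```python
"""Added example: a toy inline IPS with a constructed signature database.
Signature IDs, names and the packet trace are hypothetical."""
from __future__ import annotations

# Each signature lists header field values to look for, either in one packet
# ("match") or across a sequence of packets from one source to one host
# ("sequence"). Actions: "drop" discards and logs, "alert" only logs.
SIGNATURES = [
    {
        "sid": 1001,
        "name": "TCP segment with SYN and FIN both set (illegal combination used by scanners)",
        "action": "drop",
        "match": {"proto": "tcp", "flags_all": {"SYN", "FIN"}},
    },
    {
        "sid": 1002,
        "name": "SYNs to many distinct ports on one host from one source (port sweep)",
        "action": "alert",
        "sequence": {
            "proto": "tcp", "flags_all": {"SYN"}, "flags_none": {"ACK"},
            "distinct": "dport",  # header field that must vary across the sequence
            "threshold": 5,       # distinct values needed before the signature fires
            "window": 2.0,        # seconds within which those values must be seen
        },
    },
]


def header_matches(pkt: dict, fields: dict) -> bool:
    """True if the packet's header fields carry the values the signature names."""
    if fields.get("proto") and pkt["proto"] != fields["proto"]:
        return False
    if not fields.get("flags_all", set()) <= pkt["flags"]:
        return False
    if fields.get("flags_none", set()) & pkt["flags"]:
        return False
    return True


class InlineIPS:
    def __init__(self, signatures: list[dict]) -> None:
        self.signatures = signatures
        self.events: list[dict] = []  # the IPS log
        self._history: dict = {}      # (sid, src, dst) -> [(ts, distinct value), ...]

    def _log(self, sig: dict, pkt: dict) -> None:
        self.events.append({"ts": pkt["ts"], "sid": sig["sid"], "name": sig["name"],
                            "src": pkt["src"], "dst": pkt["dst"], "action": sig["action"]})

    def inspect(self, pkt: dict) -> str:
        """Return 'forward' or 'drop' for one packet, logging every signature hit."""
        verdict = "forward"
        for sig in self.signatures:
            if "match" in sig:
                hit = header_matches(pkt, sig["match"])
            else:
                seq, hit = sig["sequence"], False
                if header_matches(pkt, seq):
                    hist = self._history.setdefault((sig["sid"], pkt["src"], pkt["dst"]), [])
                    hist.append((pkt["ts"], pkt[seq["distinct"]]))
                    hist[:] = [(t, v) for t, v in hist if pkt["ts"] - t <= seq["window"]]
                    if len({v for _, v in hist}) >= seq["threshold"]:
                        hit = True
                        hist.clear()  # one event per burst rather than one per packet
            if hit:
                self._log(sig, pkt)
                if sig["action"] == "drop":
                    verdict = "drop"
        return verdict


def tcp(ts: float, src: str, dst: str, dport: int, *flags: str) -> dict:
    return {"ts": ts, "proto": "tcp", "src": src, "dst": dst, "dport": dport, "flags": set(flags)}


# Constructed trace: one normal connection, one SYN+FIN probe, a six-port sweep, one reply.
SAMPLE_TRACE = [
    tcp(0.0, "10.1.5.20", "192.0.2.10", 443, "SYN"),
    tcp(1.0, "203.0.113.7", "192.0.2.10", 22, "SYN", "FIN"),
    tcp(10.0, "203.0.113.7", "192.0.2.10", 21, "SYN"),
    tcp(10.1, "203.0.113.7", "192.0.2.10", 22, "SYN"),
    tcp(10.2, "203.0.113.7", "192.0.2.10", 23, "SYN"),
    tcp(10.3, "203.0.113.7", "192.0.2.10", 25, "SYN"),
    tcp(10.4, "203.0.113.7", "192.0.2.10", 80, "SYN"),   # fifth distinct port: 1002 fires
    tcp(10.5, "203.0.113.7", "192.0.2.10", 110, "SYN"),
    tcp(11.0, "192.0.2.10", "10.1.5.20", 51000, "ACK", "PSH"),
]


def run_demo() -> tuple[list[str], list[int]]:
    ips = InlineIPS(SIGNATURES)
    verdicts = [ips.inspect(p) for p in SAMPLE_TRACE]
    return verdicts, [e["sid"] for e in ips.events]


if __name__ == "__main__":
    verdicts, sids = run_demo()
    print(verdicts, sids)
```

The single-packet signature shows why an inline IPS can drop the offending packet itself, while the sequence signature shows why it must keep per-source state across packets; neither one needs any site-specific rule about applications or zones, which is the difference from the firewall described above.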
A traditional IPS differs from a firewall in who defines the logic: instead of an engineer at the
company writing rules for that company based on applications (identified by port number) and
zones, the IPS applies signatures supplied mostly by the IPS vendor. Those signatures look for these
kinds of attacks: