Network Protection -- Firewalls and Zero Trust

NAT and Packet Filtering

Network Address Translation (NAT): A method that lets internal devices use private IP addresses by rewriting outbound traffic and blocking unsolicited inbound connections.
Packet Filter (Screening Router): A firewall that makes per-packet decisions based on IP addresses, ports, protocols, and interfaces.
Access Control List (ACL): An ordered rule list that determines how a packet is handled based on its header fields.
Ingress Filtering: Blocking unwanted inbound packets, often using a default-deny policy.
Egress Filtering: Restricting outbound traffic to limit the actions of compromised hosts.
Default Deny: A security posture where all traffic is blocked unless explicitly permitted.

Stateful Firewall: A firewall that tracks connection state and allows only packets that belong to legitimate, established sessions.
Connection State Table: A record of active sessions used to identify valid return traffic and related flows.

Demilitarized Zone (DMZ): A network segment that hosts public-facing services and is isolated from internal systems.
Network Segmentation: Dividing a network into separate zones to limit lateral movement and reduce attack impact.

Deep Packet Inspection (DPI): Inspection of application-layer data to validate protocols, filter content, and detect malicious activity.
Protocol-Based Detection: Identifying attacks by enforcing strict compliance with protocol rules.
Signature-Based Detection: Matching traffic against known attack patterns stored as signatures.
Anomaly-Based Detection: Identifying suspicious behavior by detecting deviations from established norms.
Intrusion Detection System (IDS): A system that monitors traffic and alerts on suspicious activity.
Intrusion Prevention System (IPS): A system that blocks malicious traffic inline.

Next-Generation Firewall (NGFW): A firewall that combines stateful inspection, DPI, intrusion prevention, and application/user awareness.
Application Proxy: A firewall component that terminates a client’s connection and creates a separate connection to the server.

Host-Based Firewall: A firewall running on an individual system that applies per-application or per-process network rules.

Zero Trust Architecture (ZTA): A model that removes implicit trust based on network location and verifies every access using identity, device posture, and context.
Deperimeterization: The loss of a clear internal/external boundary due to mobile devices, cloud services, and modern application behavior.

Least Privilege: Granting only the minimum access necessary for a user or system to perform its function.
Lateral Movement: An attacker’s attempt to move from one compromised system to others inside a network.
Defense in Depth: Using multiple layers of security controls so no single failure compromises the environment.