Network Security Basics Cheat Sheet

Network security fundamentals — firewalls, IDS/IPS, zero trust architecture, NAC, DDoS mitigation, and security zones explained.

Last Updated: July 15, 2025

Firewall Types

Type	OSI Layer	What It Filters
Packet Filter	3-4	IP addresses, ports, protocols (iptables, ACLs)
Stateful	3-4	Tracks connection state — only allows established sessions
Application (WAF)	7	HTTP payloads, SQL injection, XSS patterns
Next-Gen (NGFW)	3-7	DPI, application awareness, threat intelligence

IDS vs IPS

Feature	IDS	IPS
Placement	Out of band (monitor)	Inline (blocks traffic)
Action	Alerts only (passive)	Blocks/drops (active)
Latency	Zero impact	Adds microsecond latency
False Positive Risk	Low (no disruption)	High (legit traffic blocked)
Examples	Snort (passive), Zeek	Snort (inline), Suricata IPS

Zero Trust Principles

Principle	Description
`Never Trust, Always Verify`	No implicit trust based on network location — authenticate every request
`Least Privilege`	Grant minimum access needed — JIT (just-in-time) access where possible
`Microsegmentation`	Segment workloads — east-west traffic also inspected
`Assume Breach`	Design as if perimeter is already compromised — encrypt, monitor, segment

Common Attack Mitigations

Attack	Layer	Mitigation
DDoS (volumetric)	3-4	Anycast scrubbing, rate limiting, BGP blackhole
DDoS (application)	7	WAF, CAPTCHA, rate limiting per endpoint
Port Scanning	3-4	IDS detection, port knocking, default-deny firewall
MITM (ARP spoofing)	2	Dynamic ARP inspection, static ARP entries
DNS Poisoning	7	DNSSEC, DNS over HTTPS/TLS

Pro Tip: Security is about layers — no single control is sufficient. Combine firewalls, IDS/IPS, segmentation, and zero-trust principles for defense in depth.