A2.4.1 Discuss the effectiveness of firewalls at protecting a network.

• The function of firewalls in inspecting and filtering incoming and outgoing traffic based on whitelists, blacklists and rules 
• The strengths and limitations of firewalls 
• The role of NAT to enhance network security

Big Idea
A firewall enforces a security boundary between network segments by inspecting and controlling packet flows according to a defined policy. It can be implemented as dedicated hardware, a standalone appliance placed at the edge of the LAN, or as software, running on general-purpose servers or even individual endpoints. 

Both forms apply the same core principles—examining packets and enforcing rules—to reduce the attack surface of the protected network. Each and every packet is:

  1. captured and inspected
  2. compared to rules 
  3. allowed or dropped (disregarded)

1. Types of Firewalls and Traffic Inspection

1.1 Hardware Firewalls

  • Deployment: A standalone device—often with specialized network processors—installed at a network’s perimeter.
  • Strengths: High throughput, isolation from host OS vulnerabilities, centralized management for entire LAN.
  • Use Cases: Enterprises and data centers requiring line-rate performance and strong segregation between zones.

1.2 Software Firewalls

  • Deployment: Software agents or applications running on servers, workstations, or virtual machines.
  • Strengths: Granular control at the host level, visibility into process-based traffic, easier to deploy on remote or mobile devices.
  • Use Cases: Protecting individual endpoints, segmenting traffic between virtual machines, enabling policy enforcement on devices outside the corporate perimeter.

Both hardware and software firewalls inspect and filter traffic using:

  • Whitelists: Only explicitly permitted IPs, ports, or protocols are allowed.
  • Blacklists: Explicitly denied addresses or services are dropped.
  • Rule Sets: Ordered “if-then” conditions evaluated in priority sequence, potentially with stateful tracking of connection flows.

2. Strengths of Firewalls

  1. Centralized Control (Hardware)
    • A single appliance enforces policy at the LAN edge, simplifying management of inbound and outbound flows.
  2. Host-Based Granularity (Software)
    • Rules can reference local processes or user contexts, blocking suspicious applications even if they evade network defenses.
  3. Traffic Segmentation
    • Both types enable creation of network zones (e.g., DMZ vs. internal LAN), limiting lateral threat movement.
  4. Integration with Other Defenses
    • Modern hardware and software firewalls often include intrusion prevention, antivirus modules, and secure-VPN gateways for layered security.

3. Limitations of Firewalls

  1. Rule Complexity & Misconfiguration
    • Large rule bases—whether on a hardware chassis or across multiple host agents—can become inconsistently applied or overly permissive.
  2. Insider Threats
    • Once inside the perimeter (or on an endpoint), a compromised user or process can bypass the firewall unless host-based software rules are in place.
  3. Encrypted Traffic Blind Spot
    • Without SSL/TLS inspection (more common—and resource-intensive—in hardware appliances), encrypted payloads may carry threats undetected.
  4. Performance Constraints
    • Hardware firewalls may hit throughput limits under heavy traffic; software firewalls compete with host resources and may degrade endpoint performance.
  5. Zero-Day and Application-Layer Attacks
    • Novel exploits encapsulated in permitted protocols can evade packet-filtering rules unless deep packet inspection is enabled.

4. Network Address Translation (NAT) for Security

While NAT conserves IPv4 addresses, it also enhances security in both hardware and software implementations by:

  • Address Hiding: Internal hosts use private IP ranges; external observers see only the firewall’s public IP.
  • Implicit Filtering: By default, only responses to outbound connections are returned; unsolicited inbound packets are dropped.
  • Controlled Port Mapping: Administrators define static or dynamic port-forwarding rules—further restricting which services are reachable externally.
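As an added example (not part of this syllabus note), the three-step packet handling described above and NAT's implicit filtering modelled in a small Python packet filter: ordered rules with first-match semantics and default deny, a blacklist rule placed ahead of a whitelist rule, a static port-forward to a DMZ host, and a connection table that admits only replies to flows the LAN opened. The addresses, ports and policy are constructed for illustration.

```python
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    direction: str   # "in" (Internet -> LAN) or "out" (LAN -> Internet)
    src: str
    sport: int
    dst: str
    dport: int

class Rule(NamedTuple):
    action: str                       # "allow" or "drop"
    direction: str
    dst_prefix: Optional[str] = None  # None means "any destination"
    dport: Optional[int] = None       # None means "any destination port"
    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.dst_prefix is None or p.dst.startswith(self.dst_prefix))
                and (self.dport is None or self.dport == p.dport))

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)  # evaluated in priority order, first match wins
        self.flows = set()        # (lan_host, lan_port, remote_host, remote_port)
    def filter(self, p: Packet) -> str:
        # Step 1: an inbound packet belonging to a flow the LAN opened is a reply; admit it.
        if p.direction == "in" and (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow"
        for rule in self.rules:  # Step 2: compare against the ordered rules, first match decides
            if rule.matches(p):
                if rule.action == "allow" and p.direction == "out":
                    self.flows.add((p.src, p.sport, p.dst, p.dport))  # remember the outbound flow
                return rule.action
        return "drop"  # Step 3: default deny; unsolicited inbound packets end up here

# Constructed sample policy (documentation address ranges, not real hosts).
POLICY = [
    Rule("drop", "out", dst_prefix="203.0.113."),          # blacklist, listed first so it wins
    Rule("allow", "out", dport=443),                       # whitelist outbound HTTPS
    Rule("allow", "in", dst_prefix="10.0.1.", dport=443),  # static port-forward to DMZ web server
]

def run_sample() -> list:
    fw = StatefulFirewall(POLICY)
    return [
        fw.filter(Packet("out", "10.0.2.15", 51000, "198.51.100.7", 443)),  # allow, flow recorded
        fw.filter(Packet("in", "198.51.100.7", 443, "10.0.2.15", 51000)),   # allow: reply to that flow
        fw.filter(Packet("in", "198.51.100.7", 443, "10.0.2.15", 51001)),   # drop: unsolicited inbound
        fw.filter(Packet("in", "198.51.100.7", 40000, "10.0.1.10", 443)),   # allow: DMZ forward rule
        fw.filter(Packet("out", "10.0.2.15", 51002, "203.0.113.5", 443)),   # drop: blacklist before allow
    ]
```

Swapping the first two policy rules would let the blacklisted destination through, which is the rule-ordering misconfiguration listed under Limitations.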

By understanding the distinctions between hardware and software firewalls—as well as their shared inspection and filtering mechanisms—network designers can craft layered defenses that balance performance, manageability and granularity while leveraging NAT’s obfuscation to further harden the network perimeter.