
Lesson 6: Network Security — Firewalls and Intrusion Detection Systems

Cybersecurity Fundamentals – Lesson 6 of 10. Master firewalls, IDS/IPS, and network segmentation to defend your organization's perimeter and internal traffic.

FyntraLink Team
Cybersecurity Fundamentals · Lesson 6 of 10 · Level: Intermediate · Reading time: 12 minutes

What You Will Learn in This Lesson

  • How firewalls work and the differences between stateless, stateful, and next-generation firewalls (NGFW)
  • The role of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) in identifying malicious traffic
  • How to design network segmentation that limits lateral movement after a breach
  • Practical firewall rule-writing principles and common misconfigurations to avoid

The Perimeter Is Not a Wall — It Is a Checkpoint

Think of your network perimeter not as a solid wall that keeps everything out, but as an airport security checkpoint: it inspects what comes through, decides what is allowed, and flags what looks suspicious. A firewall sits at this checkpoint. It examines packets of network traffic against a set of rules and either permits, drops, or logs them. Without a properly configured firewall, every service running on your internal network is directly exposed to the internet — and to every attacker scanning it.

Most Saudi financial institutions operate hybrid environments today: on-premises core banking systems, cloud-hosted customer portals, and third-party API integrations for payment gateways. Each of these connection points is a boundary that needs a firewall policy. A single misconfigured rule — say, allowing unrestricted inbound traffic on port 443 to an internal application server — can turn a "secured" network into an open door.

Types of Firewalls: From Packet Filters to NGFW

Firewalls have evolved significantly over the past three decades. Understanding what each generation does helps you choose the right tool for each boundary in your network.

Stateless Packet Filters examine each packet in isolation. They check the source IP, destination IP, port number, and protocol against a rule table. They are fast but blind to the context of a connection. A stateless filter cannot tell whether a packet is part of a legitimate established session or a spoofed probe.

Stateful Firewalls track the state of active connections. When an internal host initiates a TCP handshake with an external server, the firewall records that session. Return traffic is only allowed if it matches an existing, established session. This prevents attackers from injecting unsolicited packets into your network by forging source addresses.

Next-Generation Firewalls (NGFW) combine stateful inspection with deep packet inspection (DPI), application-layer awareness, and integrated threat intelligence feeds. An NGFW from vendors like Palo Alto Networks, Fortinet, or Check Point can identify that a packet on port 443 is actually carrying a Tor tunnel or a file transfer disguised as HTTPS traffic. NGFWs also integrate with identity providers, so you can write rules like "allow finance department users to access the SWIFT gateway, deny all others" rather than relying solely on IP addresses.
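The stateless-versus-stateful distinction above is easiest to see in code. The following Python model is an added example written for this lesson page; it is not code from the lesson or from FyntraLink. The layout is constructed: 10.20.0.0/16 stands in for the internal user zone, 203.0.113.0/24 (a documentation range) stands in for the internet, and the only policy is "internal hosts may use HTTPS". The stateless filter has to permit any inbound packet with source port 443 so that HTTPS replies can return, and that is exactly the gap an unsolicited packet with a forged source port walks through; the stateful firewall admits an inbound packet only when it reverses a session it recorded on the outbound SYN.

```python
"""Stateless packet filter vs. stateful firewall, as a toy model.
Added example for this lesson page; not code from the lesson or FyntraLink.
Addresses, ports and the single HTTPS policy are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP SYN set: a new connection attempt
    ack: bool = False   # TCP ACK set: part of an ongoing exchange


# Constructed layout: 10.20.0.0/16 is the internal user zone; 203.0.113.0/24
# (TEST-NET-3, a documentation range) stands in for the internet.
INTERNAL_PREFIX = "10.20."


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt: Packet) -> str:
    """Decide on each packet in isolation from a rule table.

    To let HTTPS replies come back, the table has to permit any inbound
    packet with source port 443 to an ephemeral port; the filter cannot
    know whether a session behind that packet actually exists."""
    if is_internal(pkt.src_ip) and pkt.dst_port == 443:
        return "allow"          # outbound HTTPS
    if (not is_internal(pkt.src_ip)) and pkt.src_port == 443 and pkt.dst_port >= 1024:
        return "allow"          # assumed HTTPS reply, checked blindly
    return "drop"


class StatefulFirewall:
    """Allow outbound HTTPS, record the session, admit only its replies."""

    def __init__(self) -> None:
        # Session table keyed by (src_ip, src_port, dst_ip, dst_port) as seen
        # on the outbound SYN.
        self.sessions: set[tuple[str, int, str, int]] = set()

    def process(self, pkt: Packet) -> str:
        if is_internal(pkt.src_ip) and pkt.dst_port == 443 and pkt.syn:
            self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        # Anything else is admitted only if it is the reverse of a known session.
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "allow" if reverse in self.sessions else "drop"


def demo() -> dict[str, list[str]]:
    """Run three constructed packets through both filters."""
    outbound = Packet("10.20.5.7", 51000, "203.0.113.10", 443, syn=True)
    reply = Packet("203.0.113.10", 443, "10.20.5.7", 51000, ack=True)
    # Constructed unsolicited packet: source port forged to 443, aimed at an
    # internal RDP port, with no session behind it.
    forged = Packet("203.0.113.99", 443, "10.20.5.7", 3389, ack=True)
    fw = StatefulFirewall()
    return {
        "stateless": [stateless_filter(p) for p in (outbound, reply, forged)],
        "stateful": [fw.process(p) for p in (outbound, reply, forged)],
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:9s} outbound/reply/forged -> {verdicts}")
```

Running it shows the stateless table returning allow for all three packets, while the stateful firewall allows the outbound SYN and its reply and drops the forged packet. A real stateful firewall also ages sessions out and validates TCP sequence numbers; this model keeps only the session table, which is the part that makes the difference here.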

Practical Example: A mid-size Saudi bank discovered during a penetration test that their legacy stateless firewall allowed any internal IP to reach the SWIFT payment server on port 7500. After replacing it with an NGFW integrated with Active Directory, they restricted access to only 12 authorized treasury workstations — identified by user identity, not just IP. This single change eliminated an entire class of insider threat scenarios and directly addressed SAMA CSCC Domain 3 (Technology Operations) requirements.

Intrusion Detection and Prevention: Your Network's Security Camera

A firewall enforces policy — it allows or blocks traffic based on rules you define. But what about malicious traffic that looks legitimate? An employee clicking a phishing link generates outbound HTTPS traffic that most firewalls will permit. This is where Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) step in.

An IDS monitors network traffic passively. It compares traffic patterns against a database of known attack signatures (signature-based detection) and against a baseline of normal behavior (anomaly-based detection). When it detects something suspicious — a port scan, a SQL injection payload inside an HTTP request, or a command-and-control beacon — it generates an alert. The IDS does not block traffic; it reports it.

An IPS sits inline in the traffic flow and can actively drop or modify malicious packets before they reach their destination. Think of the IDS as a security camera and the IPS as a security guard who can physically intervene.

Modern deployments often use both. Suricata and Snort are widely used open-source IDS/IPS engines. Commercial solutions like Cisco Firepower, Palo Alto Threat Prevention, and Fortinet IPS integrate directly into NGFW appliances.
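To make the signature-based and anomaly-based detection described above concrete, here is a miniature IDS. It is an added example for this lesson page, not code from the lesson, and it is not Snort or Suricata. The signatures are constructed regular expressions loosely in the spirit of content rules, the port-scan threshold of 10 distinct ports is an arbitrary constant, and the events are constructed sample traffic. Like an IDS, it only reports; it never drops anything.

```python
"""Miniature IDS: signature matching plus a port-scan anomaly detector.
Added example for this lesson page; not code from the lesson, not Snort
or Suricata. Signatures, threshold and sample events are constructed."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: str = ""   # decoded HTTP request line; empty for a bare SYN


@dataclass(frozen=True)
class Alert:
    src_ip: str
    kind: str      # "signature" or "anomaly"
    detail: str


# Constructed signatures, loosely in the spirit of content rules: each is a
# name plus a regex applied to the payload.
SIGNATURES = [
    ("sqli-union-select", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("path-traversal", re.compile(r"\.\./\.\./")),
]

SCAN_THRESHOLD = 10   # constructed: distinct destination ports from one source


class MiniIDS:
    def __init__(self) -> None:
        self.ports_seen: dict[str, set[int]] = defaultdict(set)
        self.scan_alerted: set[str] = set()
        self.alerts: list[Alert] = []

    def inspect(self, ev: Event) -> None:
        # Signature-based detection: compare the payload against known patterns.
        for name, rx in SIGNATURES:
            if rx.search(ev.payload):
                self.alerts.append(Alert(ev.src_ip, "signature", name))
        # Anomaly-based detection: a single source touching many distinct ports
        # departs from the baseline of normal client behaviour.
        ports = self.ports_seen[ev.src_ip]
        ports.add(ev.dst_port)
        if len(ports) >= SCAN_THRESHOLD and ev.src_ip not in self.scan_alerted:
            self.scan_alerted.add(ev.src_ip)   # alert once per source
            self.alerts.append(
                Alert(ev.src_ip, "anomaly", f"port scan ({len(ports)} distinct ports)"))


def run_sample() -> list[Alert]:
    """Feed constructed traffic through the IDS and return its alerts."""
    ids = MiniIDS()
    events = [
        Event("10.20.5.7", "10.10.1.4", 443, "GET /account?id=42 HTTP/1.1"),
        Event("198.51.100.23", "10.10.1.4", 443,
              "GET /account?id=42' OR '1'='1 HTTP/1.1"),
        Event("198.51.100.23", "10.10.1.4", 443,
              "GET /search?q=1 UNION SELECT user,pass FROM users HTTP/1.1"),
    ]
    # Constructed sweep: one source probing twelve ports with bare SYNs.
    events += [Event("198.51.100.77", "10.10.1.4", port) for port in range(1, 13)]
    for ev in events:
        ids.inspect(ev)
    return ids.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert.kind}] {alert.src_ip}: {alert.detail}")
```

The legitimate request produces nothing, the two injection attempts each fire one signature, and the sweep fires a single anomaly alert once the tenth distinct port is seen. The "alert once per source" guard is the kind of tuning the lesson's "Running IDS without anyone monitoring the alerts" point refers to: without it the same sweep would raise a fresh alert for every additional port.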

Network Segmentation: Containing the Blast Radius

Even the best firewall and IDS combination cannot guarantee that no attacker will ever get inside your network. Network segmentation limits what an attacker can reach once inside. The principle is simple: divide your network into zones, and enforce strict access controls between them.

A typical segmentation model for a Saudi financial institution includes:

  • DMZ (Demilitarized Zone): Public-facing services like the corporate website and customer portal. Isolated from internal systems.
  • Internal User Zone: Employee workstations and business applications. Segmented by department where possible.
  • Server Zone: Application and database servers. Only accessible from specific internal subnets and management hosts.
  • Payment Zone: SWIFT, payment card processing, and ATM controller networks. The most restricted segment, with logging on every connection.
  • Management Zone: Network devices, firewalls, and monitoring systems. Accessible only from dedicated jump servers with multi-factor authentication.

VLANs provide Layer 2 separation, but true segmentation requires Layer 3 firewall rules between zones. Micro-segmentation, using tools like VMware NSX or Cisco ACI, takes this further by enforcing policies between individual workloads inside the same zone.

Writing Effective Firewall Rules

A firewall is only as good as its ruleset. Here are principles that keep your policies clean and auditable:

Default Deny: Start with a rule that drops all traffic. Then add explicit allow rules only for what is needed. Never start with "allow all" and try to block the bad — you will always miss something.

Least Privilege: Each rule should be as specific as possible. Instead of allowing an entire /16 subnet to reach a database server, allow only the three application servers that need the connection, on the specific port they use.

Rule Documentation: Every rule should have a comment explaining who requested it, why it exists, and when it should be reviewed. Undocumented rules accumulate and become impossible to audit.

# Example: Palo Alto-style rule logic (pseudocode)

# Rule 1 — Allow treasury users to SWIFT gateway
Source Zone: Internal-Finance
Source User: group "Treasury-Operators"
Destination Zone: Payment-Zone
Destination: 10.50.1.10
Application: swift-fin
Action: Allow
Log: Yes (log at session end)
Comment: "Treasury SWIFT access — approved by CISO 2026-01-15, review Q3 2026"

# Rule 2 — Allow web servers to database (read replica)
Source Zone: DMZ
Source: 10.10.1.0/28
Destination Zone: Server-Zone
Destination: 10.30.2.5
Service: tcp/3306
Action: Allow
Log: Yes
Comment: "Web app to MySQL read replica — change request CR-2891"

# Final Rule — Explicit default deny all
Source: any
Destination: any
Action: Deny
Log: Yes
Comment: "Explicit catch-all deny — logs what the implicit deny would drop silently; do not remove"
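The zone model from the segmentation section and the three rules above come together in the following Python evaluator. It is an added example for this lesson page, not code from the lesson or from any firewall vendor. Zones, addresses, user groups and rules are constructed to mirror the Rule 1 / Rule 2 / final-deny layout, with a TCP port (7500, from the practical example earlier in the lesson) standing in for the NGFW's application identifier. The evaluator applies first-match semantics with an implicit deny, and a small lint pass flags the two ruleset problems the lesson warns about: "any-any" allow rules and rules with no comment.

```python
"""First-match firewall rule evaluator with zone lookup and a ruleset lint.
Added example for this lesson page; not code from the lesson or any vendor.
Zones, addresses, groups and rules are constructed."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed zone map following the segmentation model in the lesson.
ZONES = {
    "DMZ": ipaddress.ip_network("10.10.1.0/24"),
    "Internal-Finance": ipaddress.ip_network("10.20.0.0/16"),
    "Server-Zone": ipaddress.ip_network("10.30.0.0/16"),
    "Payment-Zone": ipaddress.ip_network("10.50.0.0/16"),
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "Untrust"   # anything outside the known zones


def in_cidr(ip: str, cidr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    user_group: str | None = None   # from the identity provider, when known


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                # "allow" or "deny"
    src_zone: str = "any"
    dst_zone: str = "any"
    src: str = "any"           # CIDR, single host, or "any"
    dst: str = "any"
    service: str = "any"       # "tcp/<port>" or "any"
    user_group: str = "any"
    comment: str = ""

    def matches(self, flow: Flow) -> bool:
        return (self.src_zone in ("any", zone_of(flow.src_ip))
                and self.dst_zone in ("any", zone_of(flow.dst_ip))
                and in_cidr(flow.src_ip, self.src)
                and in_cidr(flow.dst_ip, self.dst)
                and self.service in ("any", f"tcp/{flow.dst_port}")
                and self.user_group in ("any", flow.user_group))


def evaluate(rules: list[Rule], flow: Flow) -> tuple[str, str]:
    """First matching rule wins; nothing matched means implicit deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def lint(rules: list[Rule]) -> list[str]:
    """Flag any-any allow rules and rules with no comment."""
    findings = []
    for r in rules:
        if r.action == "allow" and (r.src, r.dst, r.service) == ("any", "any", "any"):
            findings.append(f"{r.name}: any-any allow")
        if not r.comment.strip():
            findings.append(f"{r.name}: undocumented rule")
    return findings


RULESET = [
    Rule("allow-treasury-swift", "allow", src_zone="Internal-Finance",
         dst_zone="Payment-Zone", dst="10.50.1.10", service="tcp/7500",
         user_group="Treasury-Operators",
         comment="Treasury SWIFT access, approved by CISO 2026-01-15"),
    Rule("allow-web-to-db", "allow", src_zone="DMZ", dst_zone="Server-Zone",
         src="10.10.1.0/28", dst="10.30.2.5", service="tcp/3306",
         comment="Web app to MySQL read replica, CR-2891"),
    Rule("tmp-any-any", "allow"),   # constructed leftover from initial deployment
    Rule("default-deny", "deny", comment="Explicit catch-all deny, do not remove"),
]


def demo() -> dict:
    """Evaluate constructed flows with and without the leftover rule."""
    clean = [r for r in RULESET if r.name != "tmp-any-any"]
    treasury = Flow("10.20.3.15", "10.50.1.10", 7500, "Treasury-Operators")
    intern = Flow("10.20.8.40", "10.50.1.10", 7500, "Interns")
    web = Flow("10.10.1.5", "10.30.2.5", 3306)
    web_ssh = Flow("10.10.1.5", "10.30.2.5", 22)
    return {
        "treasury": evaluate(clean, treasury),
        "intern": evaluate(clean, intern),
        "web": evaluate(clean, web),
        "web_ssh": evaluate(clean, web_ssh),
        "intern_with_leftover": evaluate(RULESET, intern),
        "lint": lint(RULESET),
    }
```

With the leftover rule removed, the treasury operator reaches the SWIFT gateway, a user outside the Treasury-Operators group from the same subnet is denied, the web server reaches the replica on 3306 only, and SSH from the DMZ to the same host falls through to the final deny. With the leftover "tmp-any-any" rule still in place, the non-treasury user's connection is allowed, which is why the lint reports that rule on both counts and why the lesson recommends a quarterly audit of every "any" in a source or destination field.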

Linking This to the Saudi Regulatory Context

Network security is not optional for regulated Saudi institutions — it is explicitly mandated. SAMA CSCC Domain 3 (Technology Operations and Communications Management) requires organizations to implement network segmentation, deploy intrusion detection capabilities, and maintain documented firewall policies with regular reviews. NCA ECC Control 2-3 (Network Security Management) requires continuous monitoring of network traffic and timely response to detected anomalies. PCI-DSS Requirement 1 specifically mandates installing and maintaining network security controls, including firewall configurations that restrict traffic to the cardholder data environment. For institutions handling payment card data, failure to segment the payment zone properly can expand PCI scope to the entire network — dramatically increasing both compliance cost and audit complexity.

Common Mistakes to Avoid

  • Overly broad "any-any" rules left from initial deployment: These rules are often created during system setup for testing and never removed. Audit your ruleset quarterly — every "any" in a source or destination field is a red flag that needs justification or removal.
  • Running IDS without anyone monitoring the alerts: An IDS that generates 10,000 alerts per day with no analyst reviewing them provides zero security value. Tune your signatures, reduce false positives, and ensure alerts feed into a SIEM with defined escalation procedures.
  • Flat network architecture with no segmentation: If a compromised employee workstation can directly reach the core banking database because everything sits on one network segment, your firewall at the perimeter becomes irrelevant. Invest in internal segmentation — it is the single most effective control for limiting breach impact.

Lesson Summary

  • Firewalls evolved from simple packet filters to NGFWs that inspect applications, integrate with identity systems, and leverage threat intelligence — choose the right type for each network boundary.
  • IDS passively detects threats while IPS actively blocks them; both are essential complements to firewalls and are required by SAMA and NCA frameworks.
  • Network segmentation with strict inter-zone firewall rules limits lateral movement and reduces the blast radius of any breach — and keeps your PCI-DSS scope manageable.

Next Lesson

In the next lesson we will cover: Encryption: Core Concepts and Practical Applications — you will learn how symmetric and asymmetric encryption work, when to use TLS vs. IPSec, and how Saudi regulations mandate encryption for data at rest and in transit.


Ready to apply these concepts in your organization? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment.
