speedtest.it

Firewalls, IDS, and IPS explained: what they are, how they work, and key differences between intrusion detection and prevention systems for network security.


One in five companies in Italy has suffered at least one significant cyberattack in the last three years. Yet many of these organizations had a firewall. How is that possible? Because a firewall alone is no longer enough. So which tools complete the defense? In this guide we explain the role of firewalls, IDS, and IPS and how they work together to protect a modern network.

The attack surface has changed

Ten years ago, protecting a corporate network meant putting a firewall between the internet and the LAN, and that was enough. Today:

  • Employees work from home, from cafes, from airports
  • Applications are in the cloud, not on local servers
  • IoT devices (printers, cameras, sensors) are multiplying
  • The most dangerous attacks come from inside or through compromised accounts

In this scenario, the traditional firewall is necessary but not sufficient. A multi-layered strategy is required.

Firewall: the first line of defense

The firewall is the oldest and most established component of network security. Its job is to control incoming and outgoing traffic based on defined rules: packets that satisfy the rules pass through, others are blocked.

Types of firewalls

Packet filter: the simplest type. Examines each packet individually based on source/destination IP address, port, and protocol. It's fast but "blind" to context: it doesn't know whether a packet belongs to a legitimate connection or not.

Stateful firewall: tracks the state of active connections. It knows that an incoming HTTP response is expected because there was a corresponding outgoing request. It blocks "orphan" packets that don't belong to any open session — much more effective against certain types of attacks.
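The difference between the two designs is easiest to see on concrete packets. The following is an added illustration, not code from the original article or from any firewall product: a toy stateless packet filter and a toy stateful firewall share the same intent (let the LAN open HTTPS connections) and are fed three constructed packets, one of which is an "orphan" that no client ever requested. The rule format, the session table and the addresses (RFC 5737 documentation ranges) are all assumptions made for the example.

```python
"""Toy packet filter vs stateful firewall (added illustration, not a real product)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = LAN -> internet, "in" = internet -> LAN
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP SYN set: this packet opens a new connection


# Rule set for the stateless filter. Each rule lists the header fields it
# constrains; a packet is allowed if every constrained field matches one rule.
# The second rule is the "hole" a packet filter needs so HTTPS replies can
# come back, and it admits anything that merely claims to come from port 443.
STATELESS_RULES = [
    {"direction": "out", "proto": "tcp", "dst_port": 443},
    {"direction": "in",  "proto": "tcp", "src_port": 443},
]


def packet_filter(pkt: Packet) -> bool:
    """Stateless decision: looks at this packet's headers and nothing else."""
    for rule in STATELESS_RULES:
        if all(getattr(pkt, field) == value for field, value in rule.items()):
            return True
    return False  # default deny


class StatefulFirewall:
    """Tracks connections the LAN opened and only admits packets that belong to one."""

    # Only the outbound side needs a rule: replies are admitted because of state.
    POLICY = [{"direction": "out", "proto": "tcp", "dst_port": 443}]

    def __init__(self):
        self.sessions = set()  # (client_ip, client_port, server_ip, server_port)

    def _policy_allows(self, pkt: Packet) -> bool:
        return any(all(getattr(pkt, f) == v for f, v in r.items()) for r in self.POLICY)

    def check(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if key in self.sessions:
                return True                 # packet belongs to an open session
            if pkt.syn and self._policy_allows(pkt):
                self.sessions.add(key)      # new connection permitted by policy
                return True
            return False
        # Inbound: allowed only as the reverse direction of a session the LAN opened.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return key in self.sessions


# Constructed traffic (RFC 5737 documentation addresses, nothing real).
REQUEST = Packet("out", "tcp", "192.168.1.20", 50000, "203.0.113.10", 443, syn=True)
REPLY   = Packet("in",  "tcp", "203.0.113.10", 443, "192.168.1.20", 50000)
ORPHAN  = Packet("in",  "tcp", "198.51.100.7", 443, "192.168.1.20", 50001)  # nobody asked for this


def compare() -> dict:
    """Run the same three packets through both designs and return the verdicts."""
    stateful = StatefulFirewall()
    return {
        "packet_filter": [packet_filter(p) for p in (REQUEST, REPLY, ORPHAN)],
        "stateful":      [stateful.check(p) for p in (REQUEST, REPLY, ORPHAN)],
    }


if __name__ == "__main__":
    print(compare())
```

The packet filter passes all three packets, including the orphan, because "source port 443" is all it can check; the stateful firewall passes the request and its reply but drops the orphan, because no session in its table matches. Note that the stateful design also needs its session table to expire old entries in a real product, which the toy omits.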

Application firewall (Layer 7): understands the content of traffic, not just the headers. It can block an HTTP request even if it comes on an "allowed" port if the content has suspicious characteristics (SQL injection, XSS, etc.). WAFs (Web Application Firewalls) are a specific case: they protect web applications from attacks such as those in the OWASP Top 10 list.

Next-Generation Firewall (NGFW): integrates traditional firewall functionality with deep packet inspection (DPI), application control, intrusion prevention, and in some cases sandboxing for suspicious files. Products like Palo Alto, Fortinet FortiGate, and Cisco Firepower fall into this category.

What a firewall cannot do

A firewall does not detect malicious activity within "allowed" traffic. If a user downloads an Excel file with a malicious macro, the firewall typically won't block it — the HTTPS connection to a legitimate mail site is permitted. This is where IDS and IPS come in.

IDS: Intrusion Detection Systems

An Intrusion Detection System (IDS) monitors network traffic (or the activity of a system) looking for suspicious behavior, and generates alerts when it detects it. It doesn't block anything on its own: it only reports.

Network IDS (NIDS) vs Host IDS (HIDS)

  • NIDS: analyzes traffic passing through the network. It's positioned at an observation point (often after the firewall) and analyzes flows in real time.
  • HIDS: runs directly on a server or endpoint. Monitors system files, logs, active processes, system calls. Tools like OSSEC and Wazuh are widely used open source HIDS solutions.

How does it detect threats?

Signature-based detection: compares traffic against a database of known attack patterns. Effective against known threats, blind against zero-days.

Anomaly-based detection: learns the normal behavior of the network (baseline) and reports significant deviations. Can detect new attacks, but generates more false positives.

Policy-based detection: verifies that traffic complies with defined company policies (e.g., "no outbound FTP traffic").
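To show the three detection methods side by side, here is an added example that is not part of the original article and does not reproduce any real IDS engine. A small analyzer runs over constructed flow records (address, destination port, byte count and a payload snippet) and applies one signature, one anomaly check (a byte-count baseline with a one-sided z-score, so only unusually large transfers are flagged) and one policy check (the article's own "no outbound FTP" rule). As an IDS it only returns alerts and blocks nothing. The record format, the baseline values and the threshold of three standard deviations are assumptions made for the example.

```python
"""Signature, anomaly and policy detection over constructed flow records (added example)."""
import re
from statistics import mean, pstdev

# One signature: a classic SQL injection fragment in an HTTP request line.
# Constructed for the example; real rule sets hold thousands of these.
SIGNATURES = [
    ("sqli-or-1-equals-1", re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE)),
]

# Company policy from the article: no outbound FTP traffic (destination port 21).
POLICY_BLOCKED_PORTS = {21: "outbound FTP is not allowed"}

# Baseline: byte counts of "normal" flows observed earlier (constructed values).
BASELINE_BYTES = [9_000, 11_000, 10_000, 8_000, 12_000, 9_500, 10_500, 7_500]

# Constructed traffic to analyze; RFC 5737 documentation addresses, nothing real.
FLOWS = [
    {"src": "192.168.1.20", "dst": "203.0.113.10", "dport": 443, "bytes": 12_000, "payload": ""},
    {"src": "192.168.1.20", "dst": "203.0.113.10", "dport": 443, "bytes": 9_500, "payload": ""},
    {"src": "192.168.1.21", "dst": "203.0.113.11", "dport": 80, "bytes": 8_000,
     "payload": "GET /index.html HTTP/1.1"},
    {"src": "192.168.1.21", "dst": "203.0.113.11", "dport": 80, "bytes": 6_000,
     "payload": "GET /login?user=admin' OR '1'='1 HTTP/1.1"},
    {"src": "192.168.1.22", "dst": "198.51.100.7", "dport": 21, "bytes": 700,
     "payload": "USER anonymous"},
    {"src": "192.168.1.23", "dst": "198.51.100.9", "dport": 443, "bytes": 950_000, "payload": ""},
]


def signature_check(flow):
    """Known-bad patterns: precise, but blind to anything not in the list."""
    for sid, pattern in SIGNATURES:
        if pattern.search(flow["payload"]):
            return f"signature {sid} matched"
    return None


def anomaly_check(flow, baseline, z_threshold=3.0):
    """Deviation from the learned baseline; catches new things, but is noisier."""
    mu, sigma = mean(baseline), pstdev(baseline)
    z = (flow["bytes"] - mu) / sigma
    if z > z_threshold:  # one-sided: only unusually large transfers are interesting here
        return f"transfer of {flow['bytes']} bytes is {z:.1f} standard deviations above baseline"
    return None


def policy_check(flow):
    """Compliance with written rules, independent of whether the traffic is hostile."""
    reason = POLICY_BLOCKED_PORTS.get(flow["dport"])
    return f"policy violation: {reason}" if reason else None


def analyze(flows, baseline):
    """IDS behaviour: return alerts, never block."""
    alerts = []
    for flow in flows:
        for method, detail in (
            ("signature", signature_check(flow)),
            ("policy", policy_check(flow)),
            ("anomaly", anomaly_check(flow, baseline)),
        ):
            if detail:
                alerts.append({"method": method, "src": flow["src"], "dst": flow["dst"], "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in analyze(FLOWS, BASELINE_BYTES):
        print(alert)
```

On this sample the SQL injection request is caught by the signature, the FTP session by the policy, and the 950 kB transfer by the anomaly check, while the two ordinary HTTPS flows and the plain page request raise nothing. The anomaly baseline is the fragile part: if it was learned while an attack was already under way, the attack becomes "normal", which is one reason the article warns about false positives and negatives for this method.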

IPS: Intrusion Prevention Systems

An Intrusion Prevention System (IPS) is like an IDS, but instead of just reporting it actively intervenes: it blocks malicious traffic in real time.

The IPS is positioned "inline" in the network flow — all traffic passes through it. When it detects an attack, it can:

  • Block the individual packet or connection
  • Temporarily block the source IP
  • Send an alert and log the event
  • Dynamically reconfigure the firewall

The risk of false positives

The main disadvantage of an IPS is that a false positive blocks legitimate traffic. If the IPS erroneously blocks connections to the company's business management system, work stops. For this reason, rule calibration is critical, and many implementations start in "detection only" mode (like an IDS) before enabling automatic blocking.
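The "detection only first, blocking later" practice described above can be made concrete. The following added example, which is not from the original article and does not reproduce any product's rule language, evaluates three candidate IPS rules against a small labelled traffic sample collected in detection-only mode, promotes a rule from alerting to dropping only when its false positives stay within budget, and then applies the resulting actions inline. The action names "alert" and "drop" mirror the vocabulary Suricata and Snort use for rule actions; the rules, the sample flows and the labels are constructed for the illustration.

```python
"""Calibrating IPS rules from a detection-only run before enabling blocking (added example)."""

# Candidate IPS rules: a name and a predicate over a flow record.
# Constructed for the illustration, not rules from any product.
CANDIDATE_RULES = {
    "sqli_in_url":  lambda f: "' OR '1'='1" in f["payload"],
    "outbound_ftp": lambda f: f["dport"] == 21,
    "big_transfer": lambda f: f["bytes"] > 100_000,  # too coarse: backups also look like this
}

# Labelled sample from the detection-only phase: (flow, truly_malicious).
SAMPLE = [
    ({"dport": 80,  "bytes": 6_000,   "payload": "GET /login?user=admin' OR '1'='1"}, True),
    ({"dport": 80,  "bytes": 8_000,   "payload": "GET /index.html"}, False),
    ({"dport": 21,  "bytes": 700,     "payload": "USER anonymous"}, True),
    ({"dport": 443, "bytes": 950_000, "payload": ""}, True),    # data leaving the company
    ({"dport": 443, "bytes": 400_000, "payload": ""}, False),   # nightly backup to cloud storage
    ({"dport": 443, "bytes": 12_000,  "payload": ""}, False),
]


def evaluate(rules, sample):
    """Count true and false positives per rule. Detection only: nothing is blocked."""
    stats = {}
    for name, pred in rules.items():
        tp = sum(1 for flow, bad in sample if pred(flow) and bad)
        fp = sum(1 for flow, bad in sample if pred(flow) and not bad)
        stats[name] = {"tp": tp, "fp": fp}
    return stats


def choose_actions(stats, max_fp=0):
    """Promote a rule to 'drop' only if it caught something and its false positives fit the budget."""
    return {
        name: ("drop" if s["tp"] > 0 and s["fp"] <= max_fp else "alert")
        for name, s in stats.items()
    }


def enforce(flow, rules, actions):
    """Inline decision for a live flow: 'drop' wins over 'alert', which wins over 'pass'."""
    verdict = "pass"
    for name, pred in rules.items():
        if pred(flow):
            if actions[name] == "drop":
                return "drop"
            verdict = "alert"
    return verdict


if __name__ == "__main__":
    stats = evaluate(CANDIDATE_RULES, SAMPLE)
    actions = choose_actions(stats)
    print(stats)
    print(actions)
    for flow, _ in SAMPLE:
        print(enforce(flow, CANDIDATE_RULES, actions), flow)
```

The two precise rules earn a "drop" action; the byte-count rule stays at "alert" because it would have blocked the backup job, so after calibration the backup flow is logged for an analyst rather than stopped. The false-positive budget (`max_fp`) is the knob a team raises or lowers depending on how much it costs them to block legitimate work versus let an attack through.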

How they work together

In a well-designed infrastructure, these tools integrate:

Internet → Firewall → IPS (inline) → Internal network
                         ↓
                    IDS (passive) → SIEM → Alerts

  • The firewall filters traffic based on static rules
  • The IPS analyzes allowed traffic looking for attacks
  • The IDS monitors passively for forensic analysis and anomaly detection
  • The SIEM (Security Information and Event Management) aggregates all logs and alerts, allowing event correlation and incident response

Open source tools for those who want to start

You don't need an enterprise budget to have good protection:

  • pfSense / OPNsense: open source firewall/router with integrated IDS/IPS (Suricata or Snort)
  • Suricata: open source IDS/IPS, high-performance, with support for rule-based detection and machine learning
  • Snort: the pioneer of open source IDS, still widely used
  • Wazuh: open source HIDS + SIEM platform, free up to certain scales

Frequently asked questions

Do I need all three (firewall, IDS, IPS)? It depends on size and risk. For a small business or advanced home use, a router with SPI (stateful) firewall is the bare minimum. An NGFW with integrated IPS covers most cases. A separate IDS makes sense in organizations with a security team that manages alerts.

What is the difference between IDS and SIEM? The IDS detects intrusions in network traffic. The SIEM aggregates and correlates logs from multiple sources (IDS, firewall, operating systems, applications) to provide a unified view of security events and facilitate incident response.

Does a cloud firewall also protect the on-premise network? No, not directly. Cloud firewalls (like AWS Security Groups, Azure NSG) protect resources in the cloud. For the on-premise network you need a physical or virtual firewall on your own infrastructure. Some SASE (Secure Access Service Edge) solutions unify cloud and on-premise protection.
