This article focuses on the division of responsibilities and collaborative relationships among mainstream network security devices. It explains how firewalls, security gateways, IDS/IPS, WAFs, and security auditing cover boundary protection, application protection, and compliance traceability. It is well suited for security architecture planning and device selection. Keywords: network security devices, security gateway, WAF.
Technical Specifications Snapshot
| Parameter | Information |
|---|---|
| Domain | Network security infrastructure |
| Language | Chinese |
| Devices Covered | Firewall, Security Gateway, IDS/IPS, WAF, Security Audit |
| Key Protocols | TCP/IP, HTTP, HTTPS |
| Applicable Scenarios | Enterprise perimeter, data center, classified networks, web services |
| Compliance References | MLPS 2.0, Xinchuang, EAL certification |
| Stars | N/A (the original article is knowledge-focused, not an open-source project) |
| Core Dependencies | Deep packet inspection, signature databases, log collection, AI-based anomaly detection |
Mainstream network security devices form a layered defense model rather than a replacement relationship
As digital business expands, the attack surface has extended from the network perimeter to application interfaces, lateral traffic, and data exchange links. A single device cannot cover every risk, so enterprises need a combined architecture built around perimeter control, deep inspection, business protection, and audit traceability.
Firewalls handle basic access control, security gateways provide high-security isolation, IDS/IPS handles threat detection and blocking, WAF protects web applications, and audit devices retain logs for compliance review. Understanding the boundaries of these devices is the prerequisite for avoiding duplicate purchases and security gaps.
A minimal layered security model helps clarify device responsibilities quickly
Internet -> Firewall -> IPS/Core Switching Zone -> WAF -> Web/Application Servers
                                   |
                                   -> Audit Platform
Classified Network <-> Security Gateway <-> Business Exchange Zone
This diagram shows the typical combination of perimeter protection, application protection, and high-security isolation in an enterprise environment.
Firewalls are the foundation of perimeter access control
A firewall is essentially a security policy enforcement point. It controls traffic based on source address, destination address, port, protocol, and session state. Traditional firewalls focus on Layer 3 and Layer 4 filtering, while next-generation firewalls further integrate application awareness, intrusion prevention, user identity association, and content inspection.
At enterprise internet exits, branch interconnections, and data center entry points, the firewall is usually the first device that must be deployed. Its value does not lie in being an all-purpose defense mechanism, but in first reducing exposure and then passing high-risk traffic to more specialized devices for deeper handling.
The core of firewall policy is not quantity, but the principle of least privilege
# Only allow ports 80/443 to expose web services externally
iptables -A INPUT -i lo -j ACCEPT # Allow loopback traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # Allow replies to connections this host initiated (DNS, updates)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT # Allow HTTP
iptables -A INPUT -p tcp --dport 443 -j ACCEPT # Allow HTTPS
iptables -A INPUT -j DROP # Deny all other inbound traffic by default
This example illustrates the basic idea of perimeter control: define what is allowed first, then deny everything else by default.
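The following is an added example (written for this article, not part of the original text or any firewall vendor's code) that models the same default-deny idea as a first-match rule table, so the policy can be exercised against sample packets and audited for rules that nothing ever matched. The rule fields, the "10.0." admin-network prefix and the sample packets are constructed for illustration.

```python
# Added example (not from the original article): a first-match, default-deny
# packet filter that mirrors the iptables rules above, so the policy can be
# exercised against sample packets. Rule fields, the hypothetical admin
# prefix and the sample packets are constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp" or "udp"
    dport: int
    established: bool = False  # reply traffic for a connection this host initiated


@dataclass
class Rule:
    action: str                         # "accept" or "drop"
    proto: Optional[str] = None
    dport: Optional[int] = None
    src_prefix: Optional[str] = None    # string prefix such as "10.0." (not a CIDR match)
    established: Optional[bool] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        # Every field left as None is a wildcard; all set fields must agree.
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.src_prefix is not None and not p.src.startswith(self.src_prefix):
            return False
        if self.established is not None and self.established != p.established:
            return False
        return True


class PacketFilter:
    """Ordered rules, first match wins; unmatched traffic is dropped."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.hits = [0] * len(self.rules)   # per-rule counters, like iptables -L -v

    def evaluate(self, p: Packet) -> str:
        for i, r in enumerate(self.rules):
            if r.matches(p):
                self.hits[i] += 1
                return r.action
        return "drop"   # default deny: the final "iptables -A INPUT -j DROP"


def web_server_policy() -> PacketFilter:
    """The least-privilege policy from the text: replies, HTTP, HTTPS, and
    management access only from a constructed admin network."""
    return PacketFilter([
        Rule("accept", established=True, comment="replies to our own connections"),
        Rule("accept", proto="tcp", dport=80, comment="HTTP"),
        Rule("accept", proto="tcp", dport=443, comment="HTTPS"),
        Rule("accept", proto="tcp", dport=22, src_prefix="10.0.", comment="SSH from admin net"),
    ])


def unused_rules(pf: PacketFilter) -> list:
    """Rules that never matched are candidates for review: least privilege
    means removing allowances that traffic does not actually need."""
    return [r.comment for r, n in zip(pf.rules, pf.hits) if n == 0]


if __name__ == "__main__":
    pf = web_server_policy()
    for p in [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 443),
        Packet("203.0.113.5", "192.0.2.10", "tcp", 22),
        Packet("10.0.1.7", "192.0.2.10", "tcp", 22),
        Packet("198.51.100.9", "192.0.2.10", "udp", 53, established=True),
    ]:
        print(f"{p.src} {p.proto}/{p.dport} -> {pf.evaluate(p)}")
    print("never matched:", unused_rules(pf))
```

Rule order matters because the first match wins; a broad accept placed above a narrow drop silently widens the policy, which is why the hit counters are worth reviewing alongside the rule list.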
Security gateways provide physical isolation and controlled exchange for high-security scenarios
The fundamental difference between a security gateway and a firewall lies in the isolation model. A firewall emphasizes logical isolation while the network remains connected. A security gateway emphasizes physical disconnection and controlled transfer, with the goal of reducing penetration risk and reverse data leakage at the link level.
In highly sensitive environments such as government, defense, and energy, security gateways often use a “2+1” architecture and rely on dedicated hardware to shuttle data. They transmit only rule-filtered data rather than full sessions. This makes them especially suitable for file exchange across security domains, database synchronization, and one-way data publishing.
One-way transfer mode is commonly used in strict anti-leakage scenarios
def data_transfer(direction, payload):
    if direction != "inside_to_outside":
        return "blocked"  # Allow only one-way transmission from the internal network to the outside
    filtered = payload.strip()
    return filtered  # Output only filtered business data
This pseudocode expresses the core idea of one-way transmission through a security gateway: exchange is allowed, but arbitrary bidirectional communication is not.
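As an added example (not the article's code, and not any gateway product's implementation), the following expands the pseudocode into a schema-filtered one-way transfer: only records that match an allow-list schema cross the boundary, the sender's original bytes are never forwarded, and every refusal carries a reason for the audit log. The schema, field names, size limit and sample records are constructed for illustration.

```python
# Added example (not the article's code): a one-way, schema-filtered transfer
# that expands the pseudocode above. Only records matching an allow-list
# schema cross the boundary, the original bytes are never forwarded, and any
# refusal carries a reason for the audit log. Schema, field names and sample
# records are constructed for illustration.
import json
import re

ALLOWED_DIRECTION = "inside_to_outside"
MAX_RECORD_BYTES = 512
_REPORT_ID = re.compile(r"[A-Z]{3}-\d{6}")

# Allow-list schema: field name -> validator that also enforces the type.
# Unknown or missing fields cause rejection rather than silent stripping.
SCHEMA = {
    "report_id": lambda v: isinstance(v, str) and _REPORT_ID.fullmatch(v) is not None,
    "status": lambda v: v in ("ok", "degraded", "down"),
    "value": lambda v: type(v) in (int, float) and 0 <= v <= 10_000,
}


def data_transfer(direction: str, payload: bytes):
    """Return ("forwarded", canonical_json) or ("blocked", reason)."""
    if direction != ALLOWED_DIRECTION:
        return "blocked", "direction not permitted"
    if len(payload) > MAX_RECORD_BYTES:
        return "blocked", "record too large"
    try:
        record = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return "blocked", "not a well-formed record"   # binary or free-form data never crosses
    if not isinstance(record, dict) or set(record) != set(SCHEMA):
        return "blocked", "fields do not match schema"
    for name, valid in SCHEMA.items():
        if not valid(record[name]):
            return "blocked", f"field {name} failed validation"
    # Rebuild the record from validated fields only; the sender's bytes are discarded.
    canonical = json.dumps({k: record[k] for k in SCHEMA}, sort_keys=True)
    return "forwarded", canonical


if __name__ == "__main__":
    sample = b'{"report_id": "PLT-000123", "status": "ok", "value": 42}'  # constructed record
    print(data_transfer("inside_to_outside", sample))
    print(data_transfer("outside_to_inside", sample))
```

Re-serialising from the validated fields is the step that turns "filtered data" into a guarantee: whatever the sender appended, encoded or hid in whitespace is dropped before anything reaches the other side.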
IDS and IPS together create a closed loop from detection to blocking
An IDS behaves more like an out-of-band monitor. It inspects mirrored traffic, identifies anomalies, and raises alerts without directly changing production traffic. An IPS is deployed inline on critical links and blocks attacks immediately after detection. The former emphasizes visibility, while the latter emphasizes real-time response.
In practice, IPS capabilities are often integrated into next-generation firewalls, while standalone IDS still fits lateral traffic analysis, attack forensics, and unknown threat observation. These two should not be treated as a simple either-or decision. They should be deployed in combination based on link value and tolerance for false positives.
The difference between detection and blocking logic can be abstracted as follows
def inspect(packet, mode="ids"):
    malicious = "sqlmap" in packet.lower()
    if mode == "ids" and malicious:
        return "alert"  # IDS only raises an alert and does not interrupt traffic
    if mode == "ips" and malicious:
        return "drop"  # IPS actively drops malicious traffic
    return "pass"
This code summarizes the behavioral difference between IDS and IPS when handling malicious traffic.
WAF addresses application-layer attacks that traditional firewalls cannot effectively cover
A firewall can see whether a port is open, but it may not understand SQL injection, XSS, file upload bypass, or malicious API calls. The value of a WAF lies in parsing HTTP/HTTPS semantics and understanding parameters, cookies, headers, URIs, and request behavior.
For websites, app APIs, open platforms, and microservice gateways, a WAF is typically deployed at the reverse proxy or access layer. Small and mid-sized businesses can prioritize cloud WAF services, while large core systems are usually better served by hardware WAFs or localized solutions integrated with gateways.
A WAF rule is essentially a precise match against request characteristics
rules:
  - id: 1001
    match: "(?i)union select|or 1=1" # Detect typical SQL injection patterns
    action: block # Block the request immediately when matched
This rule example demonstrates the WAF’s targeted interception capability for application-layer attack patterns.
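The following added example (written for this article; not the article's own code and not any WAF product's engine) serves both the IDS/IPS section and the WAF rule above: it evaluates rules in the shape of that YAML entry against a parsed HTTP request, with a detect mode that only alerts (the IDS behaviour) and a block mode that enforces (IPS/WAF). It also shows the check a practitioner wants: the query string, cookie and body are URL-decoded before matching, since `%27%20OR%201%3D1` never matches `or 1=1` in its raw form. The rule ids, the second rule, and the sample requests are constructed.

```python
# Added example (not the article's or any vendor's code): a small rule engine
# in the shape of the YAML rule above, with the "alert"/"block" split from the
# IDS/IPS section. It parses a raw HTTP request line plus headers, URL-decodes
# the inspected fields before matching, and returns the verdict. Rule ids,
# the sample requests and the decode step are constructed for illustration.
import re
from urllib.parse import unquote_plus, urlsplit

RULES = [
    {"id": 1001, "match": r"(?i)union\s+select|or\s+1=1", "action": "block"},
    {"id": 1002, "match": r"(?i)<script\b", "action": "block"},
]
_COMPILED = [(r["id"], re.compile(r["match"]), r["action"]) for r in RULES]
_FIELDS = ("path", "query", "cookie", "user_agent", "body")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into the fields a WAF inspects, decoded once."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {
        "method": method,
        "path": unquote_plus(url.path),
        "query": unquote_plus(url.query),   # "%27%20OR%201%3D1" becomes "' OR 1=1"
        "cookie": unquote_plus(headers.get("cookie", "")),
        "user_agent": headers.get("user-agent", ""),
        "body": unquote_plus(body),
    }


def inspect(raw: str, mode: str = "block"):
    """mode="detect" behaves like an IDS (alert, traffic passes);
    mode="block" behaves like an IPS/WAF (the rule's action is enforced).
    Returns (verdict, rule_id, field) with rule_id/field None when nothing matched."""
    req = parse_request(raw)
    for rule_id, pattern, action in _COMPILED:
        for field_name in _FIELDS:
            if pattern.search(req[field_name]):
                verdict = "alert" if mode == "detect" else action
                return verdict, rule_id, field_name
    return "pass", None, None


# Constructed sample requests (not captured traffic).
BENIGN = "GET /search?q=union+station+select+seats HTTP/1.1\r\nHost: shop.example\r\n\r\n"
ENCODED = "GET /item?id=1%27%20OR%201%3D1-- HTTP/1.1\r\nHost: shop.example\r\n\r\n"
COOKIE_XSS = ("GET / HTTP/1.1\r\nHost: shop.example\r\n"
              "Cookie: session=%3Cscript%3Ealert(1)%3C%2Fscript%3E\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("encoded", ENCODED), ("cookie", COOKIE_XSS)):
        print(name, "detect:", inspect(raw, mode="detect"), "block:", inspect(raw))
```

The benign request contains the words "union" and "select" but passes, because the rule requires them as one phrase; the encoded request is caught only because decoding happens before matching. Real engines normalise far more (double encoding, charset tricks, multipart bodies), which is why rules are tested against decoded fields and not raw bytes.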
Security audit devices are essential for compliance and traceability
Audit devices usually do not block attacks directly, but they determine whether an incident can be reconstructed afterward. They aggregate network logs, endpoint behavior, database operations, and security alerts to provide an evidence chain for MLPS assessments, internal audits, and incident response.
If an enterprise already has firewalls, WAFs, and IPS devices but lacks a unified audit and log correlation platform, its security system is still incomplete. Protection can only reduce probability, while auditing supports post-incident analysis, accountability, and continuous improvement.
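To make the point about log correlation concrete, here is an added example (not the article's code and not any audit platform's format) that pulls simplified firewall, WAF and IPS log lines onto one timeline, groups them per source address into incidents, and produces the evidence-chain summary an incident review needs. The line format, field names, timestamps and addresses are all constructed; real devices emit their own formats, often over syslog.

```python
# Added example (not the article's code): correlating events from the
# firewall, WAF and IPS on one audit platform to reconstruct an incident
# timeline per source address. Log format, field names and the sample
# lines are constructed; real devices use their own (syslog, CEF, JSON).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs: "timestamp device key=value ...", one line per event.
FIREWALL_LOG = """\
2024-05-01T10:00:01 fw src=203.0.113.7 dst=192.0.2.10 dport=443 action=accept
2024-05-01T10:00:02 fw src=203.0.113.7 dst=192.0.2.10 dport=22 action=drop
2024-05-01T10:07:30 fw src=198.51.100.3 dst=192.0.2.10 dport=443 action=accept
"""
WAF_LOG = """\
2024-05-01T10:00:05 waf src=203.0.113.7 rule=1001 uri=/item action=block
2024-05-01T10:00:06 waf src=203.0.113.7 rule=1001 uri=/item action=block
"""
IPS_LOG = """\
2024-05-01T10:00:40 ips src=203.0.113.7 sig=scan-ssh action=drop
"""


def parse_line(line: str) -> dict:
    """'ts device k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, device, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "device": device}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def load_events(*logs: str) -> list:
    """Merge several device logs into one list ordered by time."""
    events = [parse_line(l) for log in logs for l in log.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: list, window: timedelta = timedelta(minutes=5)) -> dict:
    """Group events by source address into incidents. A new incident starts
    when the gap since that source's previous event exceeds the window.
    Returns {src: [incident, ...]} where each incident is a list of events."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    incidents = {}
    for src, evs in by_src.items():
        groups = []
        for e in evs:
            if groups and e["ts"] - groups[-1][-1]["ts"] <= window:
                groups[-1].append(e)
            else:
                groups.append([e])
        incidents[src] = groups
    return incidents


def summarize(incident: list) -> dict:
    """Evidence-chain summary: which devices saw the source and what they did."""
    return {
        "start": incident[0]["ts"].isoformat(),
        "end": incident[-1]["ts"].isoformat(),
        "devices": sorted({e["device"] for e in incident}),
        "events": len(incident),
        "blocked": sum(1 for e in incident if e["action"] in ("drop", "block")),
    }


if __name__ == "__main__":
    incidents = correlate(load_events(FIREWALL_LOG, WAF_LOG, IPS_LOG))
    for src, groups in incidents.items():
        for inc in groups:
            print(src, summarize(inc))
```

The value shows up in the first source: the firewall accepted its HTTPS traffic, the WAF blocked two injection attempts, and the IPS dropped a scan, but only a platform holding all three logs can tell that it was one actor and one sequence. Consistent time synchronisation across devices is the precondition; without it the window logic above merges or splits incidents wrongly.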
Device selection should focus on four dimensions: scenario, performance, compliance, and operations
First, for a standard enterprise perimeter, prioritize a next-generation firewall to quickly cover access control and baseline threat protection. Second, for classified environments and cross-domain exchange, prioritize a security gateway to avoid mistaking logical isolation for high-security isolation. Third, web-facing services must add a WAF, or the application-layer exposure will remain for the long term.
Fourth, when evaluating performance, do not look only at advertised throughput. Also assess real capacity after enabling deep inspection, SSL decryption, concurrent connections, and log persistence. Fifth, regulated industries should prioritize vendors that support MLPS 2.0, domestic technology adaptation, and long-term service capability.
A simplified device selection matrix looks like this
Basic internet exit -> Next-Generation Firewall
Cross-domain data exchange -> Security Gateway
Active blocking on core links -> IPS
Website/API security -> WAF
Log retention and compliance -> Audit Platform
This matrix works well for quickly mapping devices during project initiation or solution review.
Industry trends are shifting from isolated point protection to intelligent and domestic technology collaboration
Today, network security devices are evolving in three main directions. First, AI-enhanced detection improves anomalous behavior recognition and unknown threat discovery. Second, platform-based coordination allows firewalls, WAFs, IPS, and audit systems to share intelligence. Third, domestic technology substitution is building self-controlled capabilities in critical infrastructure sectors.
As a result, future procurement should not focus only on the specifications of a single device. It should also evaluate compatibility with the existing SOC, Zero Trust architecture, situational awareness platform, and domestic hardware and software environment. The highest-value solution is one that is integrable, extensible, and sustainable to operate.
FAQ
1. Do I have to choose between a firewall and a WAF?
No. A firewall handles network perimeter and session control, while a WAF protects against HTTP/HTTPS application-layer attacks. They operate at different layers and usually need to be deployed together.
2. In what scenarios must I use a security gateway instead of a standard firewall?
When the business involves classified networks, exchange between networks with different security levels, or strict prevention of reverse data leakage, a security gateway should take priority because it provides physical isolation and controlled transfer capabilities.
3. If an audit device cannot block attacks, why is it still important?
Because security architecture must solve more than just stopping attacks. It must also support traceability, forensics, and compliance after an incident occurs. Audit devices are the foundation for incident review, regulatory inspection, and continuous improvement.
Key takeaways summarize the functional boundaries, deployment scenarios, and selection methods for mainstream security devices
This article systematically explains the functional boundaries, deployment scenarios, and selection methods for firewalls, security gateways, IDS/IPS, WAFs, and security audit devices. It helps enterprises build a layered cybersecurity defense system and provides practical recommendations aligned with domestic technology adoption, intelligent security, and compliance trends.