Domain 7 of 8 · Chapter 7 of 15

Detective & Preventive Controls

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • Detective vs. preventive: the one frame for every device
  • Firewalls: climbing the OSI stack
  • IDS, IPS, and the listing controls
  • Sandboxing, honeypots, MSSPs, and ML/AI tools
  • Exam-pattern recognition

Firewall generations: inspection depth and OSI layer

Firewall typeOSI layer inspectedWhat it examinesStateful?Primary use
Packet-filteringLayer 3–4 (network/transport)Source/dest IP, port, protocol flags in each packet headerNo (stateless)Fast, coarse perimeter ACLs; cannot validate session context
Stateful inspectionLayer 3–4 + connection stateHeaders plus a state table of active connectionsYesDefault modern perimeter; permits only return traffic for known sessions
Application proxy / gatewayLayer 7 (application)Full payload of a specific protocol; terminates and re-originates the connectionYesDeep per-protocol inspection and internal-host hiding; slower
Next-generation (NGFW)Layer 3–7 + identityStateful inspection plus application awareness, integrated IPS, user identityYesConsolidated app-aware policy with built-in intrusion prevention
Web application firewall (WAF)Layer 7 (HTTP/HTTPS only)HTTP requests/responses for app-attack patternsYes (HTTP session)Protects a web application from SQL injection, XSS, and similar

Decision tree

Stop the action, orobserve and alert?Stop (preventive)Observe (detective)Target is a web app?YesNoWeb app firewallblocks SQLi / XSS (L7)Block any unapprovedprogram?YesNoAllowlistingdefault-deny app controlInline IPS / firewallstateful or NGFW drops itStudy an unknown,or just monitor?Detonate fileLure attackerSandboxisolated detonationHoneypotentice, not entrapIDS on passive tapalerts; packet still arrivesAlways: layer preventive + detective controls (defense in depth)outsourcing to an MSSP shifts operation, never accountability

Cheat sheet

  • A control's category is the job it does, not its label: preventive stops, detective notices
  • A firewall can only stop what its inspection layer lets it see
  • Packet-filtering firewalls are stateless and cannot tell a real reply from a forged one
  • Stateful inspection tracks connections so it admits only return traffic it saw begin
  • An application proxy terminates and re-originates the connection at Layer 7, hiding internal hosts
  • A WAF reads HTTP bodies to block app attacks a network firewall is blind to
  • A next-generation firewall consolidates app awareness, IPS, and identity into one device
  • IDS detects and alerts; IPS sits inline and blocks
  • Allowlisting is default-deny and blocks the unknown; denylisting is default-allow and fails open
  • Signature-based anti-malware is fast but blind to anything not yet in its database
  • Heuristic catches variants by structure; behavior-based catches the novel by watching it run
  • A sandbox contains and observes an unknown; a honeypot lures and studies an attacker
  • A honeypot may entice but never entrap
  • You can outsource the security operation to an MSSP, but never the accountability
  • ML/AI security tools detect by baseline deviation, and can themselves be attacked
  • Layer preventive and detective controls because no single control suffices

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST SP 800-41 Rev. 1: Guidelines on Firewalls and Firewall Policy Whitepaper
  2. NIST SP 800-94: Guide to Intrusion Detection and Prevention Systems (IDPS) Whitepaper