Two firewalls you'll see everywhere
If you're studying this material, you're almost certainly going to run into two specific pieces of software: pfSense and iptables (or its modern successor, nftables). pfSense is a complete, open-source router/firewall operating system built on FreeBSD — you install it on a dedicated box, and it gives you a friendly web-based interface (a WebGUI) for managing rules, so you don't have to memorize command-line syntax. iptables and nftables, by contrast, are the built-in firewall tools on Linux systems — no separate box needed, but you're working from the command line.
Neither one is "better" in an absolute sense — pfSense is great when you want a dedicated, easy-to-manage firewall appliance; iptables/nftables make sense when you're already administering a Linux server and want firewall rules baked directly into it. Knowing both tells you a lot about how flexible someone's security background actually is.
Drawing the map: zones, perimeters, and the DMZ
A network isn't one big trusted blob — it's divided into zones with different levels of trust. A zone of trust is an area where traffic is assumed to be safe and gets less scrutiny (think: your internal office network). A zone of risk is the opposite — more exposed, more likely to be targeted (think: a public Wi-Fi network or an internet-facing web server).
Between those two extremes sits the perimeter network, often called a DMZ — a buffer zone that holds anything the outside world needs to reach (like a public web server) without giving external traffic a direct path into your trusted internal network. If an attacker compromises something in the DMZ, they still have another wall to get through before reaching anything truly sensitive. This layout is a direct, physical expression of the "defense in depth" idea from firewall fundamentals — you're not relying on one boundary, you're nesting them.
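Here is the three-zone layout above written as an nftables forwarding policy. This is an added example, not part of the original page. The interface names (eth0, eth1, eth2), the table name, and the web server address 192.0.2.10 are assumptions, and the ruleset covers only IPv4 traffic routed through the firewall, not traffic addressed to the firewall itself.

```nft
#!/usr/sbin/nft -f
# Constructed example: every name and address below is an assumption.

define WAN_IF  = "eth0"       # internet-facing side (zone of risk)
define DMZ_IF  = "eth1"       # perimeter network (DMZ)
define LAN_IF  = "eth2"       # internal network (zone of trust)
define DMZ_WEB = 192.0.2.10   # public web server in the DMZ (documentation address)

table ip dmz_example {
    chain forward {
        # Default deny: anything not explicitly allowed below is dropped,
        # which includes every new connection from the internet to the LAN.
        type filter hook forward priority 0; policy drop;

        # Allow replies for connections that a rule below already permitted.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the web server, only HTTP and HTTPS.
        iifname $WAN_IF oifname $DMZ_IF ip daddr $DMZ_WEB tcp dport { 80, 443 } accept

        # LAN -> internet and LAN -> DMZ: internal hosts may start connections.
        iifname $LAN_IF oifname { $WAN_IF, $DMZ_IF } accept

        # DMZ -> LAN: a DMZ host never starts a connection inward.
        # This is the "second wall"; log hits so a compromised DMZ host is noticed.
        iifname $DMZ_IF oifname $LAN_IF log prefix "dmz-to-lan-drop " drop
    }
}
```

The explicit DMZ-to-LAN rule is redundant with the default drop policy, but it gives you a log line to alert on when something in the DMZ starts probing inward.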
The everyday toolbox
A handful of small, unglamorous tools show up constantly once you're actually managing a network, and this is where a lot of students get tripped up because the tools sound simple but the concepts behind them aren't always obvious:
- Ping — sends a small signal to another device and waits for a reply, the fastest way to check "is this thing even reachable?"
- Traceroute — shows you every router (hop) a packet passes through on its way to a destination, which is invaluable for figuring out where a connection is failing, not just that it's failing
- ipconfig — displays a Windows machine's current network configuration (IP address, gateway, etc.)
- Secure Shell (SSH) — lets you securely log into and control a remote machine over an encrypted connection
- Telnet — does almost the same thing as SSH, except with zero encryption, which is exactly why it's considered obsolete for anything sensitive today
Notice the SSH vs. Telnet pairing — it's a perfect, concrete example of how security evolves. Telnet did the job for decades. It just did it insecurely, and once people realized attackers could read a Telnet session in plain text, SSH became the standard replacement almost everywhere.
Encryption in transit: SSL, TLS, and the padlock icon
You've almost certainly heard of SSL and its modern replacement, TLS — the protocols responsible for that little padlock icon in your browser. Both exist to encrypt data as it travels across a network so that anyone intercepting the traffic just sees scrambled noise instead of your actual information. SSL is the older, now-deprecated version; TLS is what's actually running behind the scenes on virtually every secure website today, even though a lot of people (and even some documentation) still say "SSL" out of habit.
Key takeaways
- pfSense = dedicated firewall appliance with a GUI; iptables/nftables = built into Linux, command-line driven
- Networks are divided into zones of trust and zones of risk — the DMZ sits between them
- Ping and traceroute answer "is it reachable?" and "where's it breaking?"
- SSH replaced Telnet because encryption matters — the same upgrade path shows up throughout security history
- TLS is the modern standard for encrypting traffic in transit; SSL is its retired predecessor