A no-nonsense guide to network security for people who don’t want a PhD to understand it.
The Internet Is a Public Road
Every time you open a browser, send a message, or use an app, your data travels across a network that was originally built for scientists to share research — not for billions of people to do their banking.
Security wasn’t the first priority. It was bolted on later.
That’s why network security today is less like a single wall and more like a series of checkpoints — each one designed to stop a different kind of threat. Three of the most important checkpoints are firewalls, VPNs, and DDoS protection. They’re often mentioned together, but they do completely different jobs.
Firewall: The Bouncer at the Door
A firewall’s job is simple in theory: look at every packet of data coming in or going out, and decide whether to let it through.
It makes this decision based on rules. A typical rule might say: “Allow traffic on port 443 (HTTPS). Block everything on port 22 (SSH) unless the source IP is in this approved list.” The firewall doesn’t read the content of your data — it checks the metadata. Who’s sending it, where it’s going, on what port, using what protocol.
Modern firewalls have evolved significantly. Early packet-filtering firewalls were simple and fast but easy to fool. Stateful firewalls track the state of each connection — they know whether a packet is part of an ongoing conversation or an unsolicited knock on the door. Next-generation firewalls (NGFWs) go further and can inspect encrypted traffic, detect applications, and apply user-specific policies.
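To make the rule example concrete, here is a small simulation of exactly that rule set (allow inbound HTTPS on 443, allow SSH on 22 only from an approved source range, drop everything else inbound) with the connection-state table that turns a plain packet filter into a stateful firewall. This is an added example written for this page, not code from any real firewall product; `Packet`, `RULES`, `StatefulFirewall` and every address in it (all RFC 5737 documentation ranges) are constructed for illustration.

```python
"""Toy stateful packet filter illustrating the rules described above.

Constructed example, not code from any real firewall. It models the rule
set in the text (allow inbound HTTPS on 443, allow SSH on 22 only from an
approved source range, drop all other inbound traffic) and adds the
connection-state table that separates a stateful firewall from a plain
packet filter. All addresses are RFC 5737 documentation addresses.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str          # "tcp" or "udp"
    direction: str      # "in" = arriving from the internet, "out" = leaving our host
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt


# Ordered rules, first match wins. None means "any".
# Fields: direction, protocol, destination port, allowed source networks, verdict.
ADMIN_NET = ip_network("203.0.113.0/24")      # the "approved list" for SSH (constructed)
RULES = [
    ("in",  "tcp", 443,  None,        "ALLOW"),   # public HTTPS
    ("in",  "tcp", 22,   [ADMIN_NET], "ALLOW"),   # SSH only from the admin range
    ("out", None,  None, None,        "ALLOW"),   # our host may talk to anyone
    ("in",  None,  None, None,        "DROP"),    # default deny for other inbound traffic
]


class StatefulFirewall:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.conntrack = set()   # connections the rules have already admitted

    @staticmethod
    def _conn_key(pkt):
        # Normalise to (our_ip, our_port, remote_ip, remote_port, proto) so an
        # inbound reply hashes to the same key as the outbound request it answers.
        if pkt.direction == "out":
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)

    def _match_rules(self, pkt):
        # Stateless part: metadata only (direction, protocol, port, source),
        # never the payload, exactly as the text describes.
        src = ip_address(pkt.src_ip)
        for direction, proto, port, nets, verdict in self.rules:
            if direction != pkt.direction:
                continue
            if proto is not None and proto != pkt.proto:
                continue
            if port is not None and port != pkt.dst_port:
                continue
            if nets is not None and not any(src in net for net in nets):
                continue
            return verdict
        return "DROP"   # nothing matched: deny by default

    def filter(self, pkt):
        key = self._conn_key(pkt)
        # Stateful part: a packet continuing a connection we already admitted
        # passes without consulting the rules. This is what lets the reply to
        # an outbound HTTPS request come back in although no rule allows
        # inbound traffic to an ephemeral port.
        if key in self.conntrack and not pkt.syn:
            return "ALLOW (established)"
        verdict = self._match_rules(pkt)
        if verdict == "ALLOW":
            self.conntrack.add(key)
        return verdict


if __name__ == "__main__":
    fw = StatefulFirewall()
    host = "192.0.2.10"
    # Unsolicited inbound: HTTPS passes, SSH passes only from the admin range.
    print(fw.filter(Packet("198.51.100.7", host, 40000, 443, "tcp", "in", syn=True)))   # ALLOW
    print(fw.filter(Packet("198.51.100.7", host, 40001, 22, "tcp", "in", syn=True)))    # DROP
    print(fw.filter(Packet("203.0.113.5", host, 40002, 22, "tcp", "in", syn=True)))     # ALLOW
    # Our host opens a connection out; the reply is admitted by state, not by rule.
    print(fw.filter(Packet(host, "198.51.100.20", 51000, 443, "tcp", "out", syn=True)))  # ALLOW
    print(fw.filter(Packet("198.51.100.20", host, 443, 51000, "tcp", "in")))             # ALLOW (established)
    # A look-alike "reply" with no matching outbound connection is dropped.
    print(fw.filter(Packet("198.51.100.20", host, 443, 51001, "tcp", "in")))             # DROP
```

The last two calls are the whole point of state tracking: a stateless filter that wanted outbound HTTPS to work would have to hold open inbound traffic from source port 443 to every ephemeral port, which is the "easy to fool" hole the text mentions. The state table closes it without adding a rule.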
What firewalls are good at: Blocking known bad actors by IP or port. Enforcing a security perimeter. Preventing unauthorized access to internal services.
What firewalls can’t do: Stop threats that come through permitted channels. If you allow HTTPS traffic (and you have to), a firewall won’t protect you from a malicious website, a phishing email, or a compromised CDN serving poisoned JavaScript.
VPN: The Encrypted Tunnel
A VPN — Virtual Private Network — wraps your internet traffic in encryption and routes it through a server operated by someone else before it reaches its destination.
Originally, VPNs were designed for remote workers who needed to access corporate resources securely over the public internet. A developer working from a coffee shop could tunnel into the company’s internal network as if they were physically in the office.
Consumer VPNs repurposed this idea for privacy: instead of accessing a corporate network, you’re routing your traffic through a server in, say, Amsterdam, so that websites see Amsterdam’s IP address instead of yours.
This is useful in specific situations:
- Hiding your traffic from an ISP or a hostile network (public Wi-Fi, a repressive government)
- Accessing geo-restricted content
- Masking your IP address from the services you connect to
What VPNs actually protect: The path between your device and the VPN server. Nobody on your local network or between you and that server can read your traffic.
What VPNs don’t protect: Anything that happens after the VPN server. The VPN provider can see your traffic. Websites you visit can still track you via cookies, browser fingerprinting, and login sessions. A VPN doesn’t stop malware already on your device, and it doesn’t protect against a phishing attack.
The VPN industry has done a remarkable job of marketing VPNs as a comprehensive privacy solution. They’re not. They’re a pipe that moves the trust problem from your ISP to your VPN provider.
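The "moves the trust problem" claim is easiest to see by writing down what each party on the path actually observes. The simulation below does that for one packet, first sent directly and then through a tunnel. It is an added example for this page, not a real VPN implementation or any provider's code: `Packet`, `tunnel_encrypt`, `send_via_vpn` and the addresses (RFC 5737 documentation ranges) are constructed, and the tunnel cipher is a deliberately simplified stand-in (a SHA-256 keystream XORed with the plaintext under a fresh random nonce) for the authenticated ciphers real protocols such as WireGuard or IPsec use.

```python
"""Who sees what on the path, with and without a VPN tunnel.

Constructed example, not a real VPN implementation. The tunnel cipher is a
deliberately simplified stand-in (SHA-256 keystream XORed with the plaintext,
fresh random nonce per packet) for the authenticated ciphers real protocols
such as WireGuard or IPsec use; it is here only so the simulated observer
genuinely cannot read the wrapped packet. Addresses are RFC 5737
documentation addresses.
"""
import hashlib
import secrets
from dataclasses import dataclass

NONCE_LEN = 12


@dataclass(frozen=True)
class Packet:
    src: str        # IP the packet comes from
    dst: str        # IP it is addressed to
    payload: bytes  # application data (with HTTPS this would itself be TLS-encrypted)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into `length` pseudo-random bytes (counter mode over SHA-256)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def tunnel_encrypt(key: bytes, inner: Packet) -> bytes:
    """Wrap an entire inner packet, headers included, into an opaque blob."""
    nonce = secrets.token_bytes(NONCE_LEN)
    plain = f"{inner.src}|{inner.dst}|".encode() + inner.payload
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct


def tunnel_decrypt(key: bytes, blob: bytes) -> Packet:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    plain = bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))
    src, dst, payload = plain.split(b"|", 2)
    return Packet(src.decode(), dst.decode(), payload)


def send_without_vpn(pkt: Packet) -> dict:
    """No tunnel: the local network / ISP and the destination both see the real packet."""
    return {
        "isp":  {"dst": pkt.dst, "payload": pkt.payload},
        "site": {"client_ip": pkt.src, "payload": pkt.payload},
    }


def send_via_vpn(pkt: Packet, key: bytes, vpn_ip: str) -> dict:
    """Tunnel: the client wraps the packet and addresses the wrapper to the VPN server."""
    outer = Packet(pkt.src, vpn_ip, tunnel_encrypt(key, pkt))
    # Segment 1, client -> VPN server. The ISP or coffee-shop Wi-Fi sees only
    # the VPN server's address and ciphertext: this is the part a VPN protects.
    isp_view = {"dst": outer.dst, "payload": outer.payload}
    # The VPN server holds the key, so it sees everything the ISP used to see,
    # plus which client sent it. The trust problem has moved, not vanished.
    inner = tunnel_decrypt(key, outer.payload)
    provider_view = {"client_ip": outer.src, "dst": inner.dst, "payload": inner.payload}
    # Segment 2, VPN server -> site. Forwarded with the server's address as
    # source: the site sees the VPN's IP instead of yours, but the payload
    # (cookies, login session, whatever you sent) is unchanged.
    site_view = {"client_ip": vpn_ip, "payload": inner.payload}
    return {"isp": isp_view, "provider": provider_view, "site": site_view}


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    pkt = Packet("192.0.2.10", "198.51.100.20",
                 b"GET /account HTTP/1.1\r\nCookie: session=abc123\r\n")
    print("direct, ISP sees:", send_without_vpn(pkt)["isp"])
    print("tunnelled, ISP sees:", send_via_vpn(pkt, key, "203.0.113.1")["isp"])
    print("tunnelled, provider sees:", send_via_vpn(pkt, key, "203.0.113.1")["provider"])
```

Compare the `provider` and `site` views with the direct case: the provider's view is byte-for-byte what the ISP had before, and the site's view differs only in the source address. Everything the text lists as not protected (cookies, sessions, fingerprinting, malware already on the device) lives in the part that reaches the site unchanged.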
DDoS: When the Attack Is Just… Too Many Requests
A Distributed Denial of Service attack is conceptually different from a firewall bypass or an eavesdropping risk. There’s no hacking, no stolen credentials, no malware. The attacker’s goal is simpler: make your service unavailable by overwhelming it with traffic.
Imagine your web server can handle 10,000 requests per second. A DDoS attack sends 10 million requests per second from thousands of compromised machines (a botnet) all over the world. Your server spends all its time handling garbage traffic and has nothing left for real users.
DDoS attacks are categorized by what they target:
- Volumetric attacks flood the network bandwidth (UDP floods, amplification attacks using DNS or NTP)
- Protocol attacks exploit weaknesses in TCP/IP (SYN floods, Ping of Death)
- Application-layer attacks target specific endpoints like login pages or search functions — slower but harder to distinguish from legitimate traffic
Mitigation is the right word here, because there’s no “blocking” DDoS in the firewall sense. Mitigation involves scrubbing centers (services that absorb the attack upstream), rate limiting, traffic analysis to distinguish bots from humans, and anycast routing to distribute the load. Cloudflare, AWS Shield, and Akamai are the biggest players in this space.
The hard part: A sophisticated DDoS attack using legitimate-looking HTTP requests to your most expensive API endpoint looks almost identical to an organic traffic spike. The line between mitigation and blocking legitimate users is genuinely difficult to walk.
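Two of the mitigation ingredients named above, rate limiting and traffic analysis, can be shown side by side on synthetic traffic, including why each alone is not enough. The example below is written for this page and is not code from Cloudflare, AWS Shield, Akamai or any other product: `TokenBucket`, `per_ip_limit`, `flag_floods`, the traffic in `synthetic_traffic` and the `BASELINE_RPS` figures are all constructed, the baselines standing in for what a real service would learn from its own history.

```python
"""Per-source rate limiting versus endpoint-level flood detection.

Constructed example with synthetic traffic; not code from Cloudflare, AWS
Shield, Akamai or any other mitigation product. It shows a per-IP token
bucket, which stops a single noisy client, and an aggregate per-endpoint
rate check, which is what catches a distributed attack in which every bot
stays under the per-IP limit. The baseline rates are constructed stand-ins
for what a real service would learn from its own history.
"""
from collections import defaultdict


class TokenBucket:
    """`rate` tokens per second, bursts up to `capacity`; one token per request."""

    def __init__(self, rate, capacity):
        self.rate = rate
        self.capacity = capacity
        self.tokens = capacity
        self.last = 0.0

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def per_ip_limit(requests, rate=5.0, capacity=20):
    """requests: time-sorted (timestamp, src_ip, path) tuples.
    Returns {src_ip: (allowed, dropped)}."""
    buckets = defaultdict(lambda: TokenBucket(rate, capacity))
    counts = defaultdict(lambda: [0, 0])
    for ts, ip, _path in requests:
        counts[ip][0 if buckets[ip].allow(ts) else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


def flag_floods(requests, baseline_rps, factor=5):
    """Return the set of (path, second) buckets whose request rate exceeds
    factor x baseline. Knows nothing about individual clients, which is
    exactly why it sees a distributed flood that per-IP limiting lets through."""
    per_second = defaultdict(int)
    for ts, _ip, path in requests:
        per_second[(path, int(ts))] += 1
    return {
        key for key, n in per_second.items()
        if n > factor * baseline_rps.get(key[0], 1)
    }


def synthetic_traffic(seconds=10):
    """Constructed traffic: one real user, one noisy bot, and a botnet of 200
    hosts each politely sending 2 requests per second to an expensive endpoint."""
    reqs = []
    for s in range(seconds):
        reqs.append((s + 0.5, "192.0.2.10", "/home"))              # legitimate user, 1 rps
        for i in range(100):                                        # single bot, 100 rps
            reqs.append((s + i / 100, "198.51.100.7", "/home"))
        for b in range(1, 201):                                     # distributed, 2 rps each
            ip = f"203.0.113.{b}"
            reqs.append((s + 0.1, ip, "/api/search"))
            reqs.append((s + 0.6, ip, "/api/search"))
    reqs.sort()
    return reqs


BASELINE_RPS = {"/home": 50, "/api/search": 20}   # constructed "normal" rates


if __name__ == "__main__":
    traffic = synthetic_traffic()
    limits = per_ip_limit(traffic)
    print("user (allowed, dropped):", limits["192.0.2.10"])
    print("noisy bot:", limits["198.51.100.7"])
    print("one botnet member:", limits["203.0.113.1"])
    print("flooded endpoints:", sorted({p for p, _ in flag_floods(traffic, BASELINE_RPS)}))
```

Run it and the per-IP limiter throttles the single bot hard while passing every botnet member untouched; only the endpoint-level check sees that `/api/search` is taking 400 requests per second against a baseline of 20. The catch is the one the text describes: a legitimate surge to the same endpoint at the same rate trips the identical alarm, which is why in practice that signal feeds a challenge, a priority queue or a scrubbing decision rather than a hard block.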
How They Work Together
These three technologies aren’t substitutes — they’re layers.
A reasonable production infrastructure looks something like this:
- DDoS protection sits at the edge, before traffic even reaches your servers, absorbing volumetric attacks
- Firewall rules sit at the network or host level, controlling which services are exposed and to whom
- VPN (or zero-trust access) gates access to internal services for employees and developers
None of them, alone or together, constitutes “being secure.” They’re prerequisites. The threats they don’t cover — phishing, supply chain attacks, misconfigured cloud storage, insider threats, unpatched software — are responsible for the majority of real-world breaches.
What Actually Causes Most Breaches
According to most security reports, the leading causes of data breaches aren’t firewall holes or DDoS attacks. They’re:
- Phishing (tricking a human into handing over credentials)
- Credential stuffing (trying leaked username/password combinations from other breaches)
- Misconfigured infrastructure (an S3 bucket left public, an admin panel exposed to the internet)
- Unpatched vulnerabilities in software
Technical controls are necessary. But the failure mode in most real incidents is a human problem, a process problem, or a configuration problem — not an attacker who defeated a firewall.
The Bottom Line
| Technology | What it does | What it doesn’t do |
|---|---|---|
| Firewall | Controls which traffic reaches your network | Stop threats using allowed channels |
| VPN | Encrypts traffic between you and the VPN server | Protect you from sites you visit or your VPN provider |
| DDoS protection | Absorbs or filters flood traffic | Stop targeted application attacks or breaches |
Network security is a set of overlapping defenses, not a single solution. The most important question isn’t “do I have a firewall?” — it’s “what’s my actual threat model, and which controls address it?”
Start there.
