Firewall vs NDR
Introduction:
For those of you who don’t know what a Firewall does:
It’s your perimeter guard: anything going to and from the internet is inspected by the Firewall and is either welcomed or rejected. This is done with predefined rules, so that known attacks are automatically blocked by the Firewall, which is essentially your first line of defence. But what happens when there’s an unknown attack, or a hacker is working with stolen credentials? Then what?
Why Firewalls Miss Threats
Firewalls are great at:
- Blocking known malicious IPs/domains
- Filtering unauthorized ports and protocols
- Enforcing access control policies
But they miss:
- Threats disguised as legitimate traffic
- Insider threats or credential misuse
- Zero-day exploits with no known signature
- Lateral movement between internal hosts
They’re essentially blind once a threat’s inside.
How NDR Picks Up the Slack
While firewalls function as perimeter guards, filtering traffic at the entry and exit points, Network Detection and Response (NDR) operates inside the network, continuously monitoring internal behavior, identifying subtle threats and responding quickly to suspicious activity. Here’s how NDR fills the gaps that firewalls miss:
1. Monitors East–West Traffic, Not Just North–South
Traditional security tools focus on north–south traffic, data moving in and out of the network. NDR extends visibility to east–west traffic: the internal communication between devices, applications and users.
Why it matters:
Once an attacker is inside the network, they often move laterally, accessing other systems. This lateral movement is typically invisible to perimeter defenses. NDR monitors internal traffic continuously, detecting unusual movements between assets that may indicate compromise.
Example: A user workstation starts probing file servers it has never accessed before. Firewalls may allow this activity. NDR detects the deviation and raises an alert.
2. Detects Behavioral Anomalies Using Machine Learning
Firewalls rely on static rules and known threat signatures. NDR, by contrast, builds a dynamic understanding of what “normal” looks like across the network. It uses machine learning to detect anomalies in behavior, such as new communication patterns, unexpected data transfers, or unusual protocol usage.
Why it matters:
Sophisticated attackers often avoid traditional malware, instead using legitimate tools in unauthorized ways, such as remote access utilities, script-based automation or fileless attacks. These behaviors may not trigger traditional defenses but stand out to an NDR system trained on baseline network activity.
Example: A standard user account initiates an encrypted outbound connection and transfers a large volume of data overnight. NDR identifies this as an anomaly and flags it for investigation.
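The east-west check from section 1 and the behavioral baseline from section 2 both come down to comparing current flows against what a host normally does. The Python below is an added example, not code from the original post or from any NDR product: the host names, flow records and thresholds (a three-sigma volume test with a 10% floor, and three new internal peers from one host counted as enumeration) are constructed for illustration. A real NDR learns its baseline from days or weeks of NetFlow/IPFIX or packet metadata rather than a handful of records.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (day, hour, src, dst, dst_port, bytes_out).
# Five days of "normal" traffic for two workstations.
BASELINE_FLOWS = (
    [(d, 9, "ws-12", "dc-01", 445, 20_000) for d in range(1, 6)]            # domain controller
    + [(d, 10, "ws-12", "fs-01", 445, 1_500_000) for d in range(1, 6)]     # its usual file server
    + [(d, 11, "ws-12", "proxy-01", 3128, 40_000_000) for d in range(1, 6)]
    + [(d, 14, "ws-07", "fs-01", 445, 800_000) for d in range(1, 6)]
    + [(d, 15, "ws-07", "proxy-01", 3128, 25_000_000) for d in range(1, 6)]
)

# Day 6 (constructed): ws-12 touches three file servers it has never used
# (section 1's example) and ws-07 pushes far more data than usual through the
# proxy at 03:00 (section 2's example).
NEW_FLOWS = [
    (6, 9, "ws-12", "dc-01", 445, 21_000),
    (6, 2, "ws-12", "fs-02", 445, 3_000),
    (6, 2, "ws-12", "fs-03", 445, 3_100),
    (6, 2, "ws-12", "fs-04", 445, 2_900),
    (6, 14, "ws-07", "fs-01", 445, 790_000),
    (6, 3, "ws-07", "proxy-01", 3128, 2_000_000_000),
]


def build_baseline(flows):
    """Per source host: the (dst, port) pairs it normally talks to, and the byte
    counts seen per (src, dst, port), which define its 'normal' volume."""
    peers = defaultdict(set)
    volumes = defaultdict(list)
    for _day, _hour, src, dst, port, nbytes in flows:
        peers[src].add((dst, port))
        volumes[(src, dst, port)].append(nbytes)
    return {"peers": peers, "volumes": volumes}


def new_peer_alerts(baseline, flows):
    """East-west check: flag a connection to a destination/port the source host
    never used during the baseline period."""
    alerts = []
    for day, hour, src, dst, port, _ in flows:
        if (dst, port) not in baseline["peers"][src]:
            alerts.append({"day": day, "hour": hour, "src": src, "dst": dst,
                           "port": port, "reason": "new peer"})
    return alerts


def lateral_movement_candidates(alerts, min_new_peers=3):
    """One new peer can be benign; several new internal peers from the same
    host looks like enumeration or lateral movement (threshold is assumed)."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a["src"]].add(a["dst"])
    return sorted(h for h, dsts in by_host.items() if len(dsts) >= min_new_peers)


def volume_alerts(baseline, flows, z=3.0):
    """Behavioral check: flag a flow whose byte count is far above the baseline
    for that (src, dst, port). A floor of 10% of the mean keeps a perfectly flat
    baseline (standard deviation zero) from alerting on trivial variation."""
    alerts = []
    for day, hour, src, dst, port, nbytes in flows:
        history = baseline["volumes"].get((src, dst, port))
        if not history:
            continue  # never seen before: handled by new_peer_alerts
        mu, sigma = mean(history), pstdev(history)
        threshold = mu + z * max(sigma, 0.1 * mu)
        if nbytes > threshold:
            alerts.append({"day": day, "hour": hour, "src": src, "dst": dst, "port": port,
                           "bytes": nbytes, "baseline_mean": mu, "reason": "volume anomaly"})
    return alerts


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    peer_alerts = new_peer_alerts(base, NEW_FLOWS)
    for alert in peer_alerts + volume_alerts(base, NEW_FLOWS):
        print(alert)
    print("lateral movement candidates:", lateral_movement_candidates(peer_alerts))
```

Run on the constructed data, the three probes from ws-12 come out as new-peer alerts and ws-12 as a lateral-movement candidate, while the 2 GB overnight transfer from ws-07 is the only volume anomaly; the firewall would have permitted all six flows.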
3. Detects Command & Control (C2) Activity, Even When Encrypted
Advanced threats often establish communication channels with external servers to receive instructions, known as command and control (C2). These channels are increasingly encrypted, making them difficult for traditional firewalls or signature-based tools to detect.
NDR doesn’t rely on decrypting traffic. Instead, it analyzes metadata, traffic flow and behavioral indicators to identify suspicious patterns consistent with known C2 techniques.
Why it matters:
Even if the payload is hidden inside encrypted traffic, the behavior, such as periodic beaconing or traffic volume anomalies, can reveal an active threat.
Example: A device on the network initiates regular outbound connections to a rarely used IP address on a non-standard port. Although the data is encrypted, NDR detects the pattern as consistent with malware C2 behavior.
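The beaconing pattern in the example above can be scored from connection metadata alone: how regular the intervals between connections are, how uniform the sizes are, how many hosts talk to the destination, and whether the port is a usual one. The Python below is an added example, not code from the original post or from any NDR product; the timestamps, addresses (RFC 5737 documentation ranges) and thresholds are constructed for illustration, and a production system would combine more signals than these four.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection metadata: (timestamp_s, src, dst, dst_port, bytes_out).
# Payloads are assumed to be TLS; nothing below looks at content.
CONNECTIONS = []
# ws-21 contacts one external address every ~60 s with slight jitter and near-constant size
for i in range(30):
    CONNECTIONS.append((i * 60 + (i % 3), "ws-21", "203.0.113.10", 8443, 900 + (i % 4)))
# ws-05 browses a popular CDN: irregular timing, varying sizes
t = 0
for i in range(12):
    t += 5 + (i * 37) % 190
    CONNECTIONS.append((t, "ws-05", "198.51.100.5", 443, 3_000 + (i * 7919) % 60_000))
# a dozen other hosts also use that CDN, so it is a common destination
for n in range(1, 13):
    CONNECTIONS.append((n * 97, f"ws-{n:02d}", "198.51.100.5", 443, 4_000 + n))

STANDARD_PORTS = {80, 443}  # assumed: what "normal" outbound web traffic uses here


def coefficient_of_variation(values):
    """Standard deviation relative to the mean; near zero means 'very regular'."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def destination_prevalence(connections):
    """Distinct internal hosts per destination. A C2 server is typically
    contacted by one or very few hosts; a CDN or SaaS endpoint by many."""
    hosts = defaultdict(set)
    for _, src, dst, _, _ in connections:
        hosts[dst].add(src)
    return {dst: len(s) for dst, s in hosts.items()}


def detect_beacons(connections, min_connections=8, max_interval_cv=0.2,
                   max_size_cv=0.2, max_prevalence=2):
    """Group by (src, dst, port) and report channels whose timing is periodic
    and that carry at least two further beacon-like properties."""
    groups = defaultdict(list)
    for ts, src, dst, port, nbytes in connections:
        groups[(src, dst, port)].append((ts, nbytes))
    prevalence = destination_prevalence(connections)
    findings = []
    for (src, dst, port), events in groups.items():
        if len(events) < min_connections:
            continue  # too few samples to judge periodicity
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        interval_cv = coefficient_of_variation(gaps)
        size_cv = coefficient_of_variation(sizes)
        reasons = []
        if interval_cv <= max_interval_cv:
            reasons.append(f"periodic: mean gap {mean(gaps):.0f}s, interval CV {interval_cv:.2f}")
        if size_cv <= max_size_cv:
            reasons.append(f"uniform size: CV {size_cv:.2f}")
        if prevalence[dst] <= max_prevalence:
            reasons.append(f"rare destination: {prevalence[dst]} host(s)")
        if port not in STANDARD_PORTS:
            reasons.append(f"non-standard port {port}")
        # Periodicity is the core signal; the other properties raise confidence.
        if interval_cv <= max_interval_cv and len(reasons) >= 3:
            findings.append({"src": src, "dst": dst, "port": port,
                             "connections": len(events), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(CONNECTIONS):
        print(f"{f['src']} -> {f['dst']}:{f['port']} ({f['connections']} connections)")
        for r in f["reasons"]:
            print("   ", r)
```

On the constructed data only the ws-21 channel is reported: its interval CV is about 0.02, its sizes barely vary, one host uses the destination, and the port is 8443. The CDN traffic from ws-05 has a much higher interval CV and a destination shared by twelve hosts, so it is ignored even though it is also encrypted. Attackers can add jitter to beacon timing, which is why destination rarity and size regularity are scored alongside periodicity rather than relying on the interval alone.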
4. Supports Real-Time Alerts and Retrospective Threat Hunting
NDR systems generate high-fidelity alerts as threats unfold, but they also retain historical network data for retrospective analysis. Security teams can conduct forensic investigations, trace attacker movement and understand the full scope of an incident, even if it went unnoticed initially.
Why it matters:
Many threats go undetected for days or weeks. Having the ability to review detailed network activity over time allows analysts to spot the early warning signs and understand the attack timeline in full context.
Example: After discovering an infected endpoint, analysts use NDR logs to reconstruct the attacker’s path across the network and identify other compromised systems.
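The retrospective investigation in the example above is, in its simplest form, a walk over retained flow records: anchor on the infected endpoint's first contact with the suspicious destination, then follow the connections it made afterwards on ports used for remote administration and file sharing, excluding those that were already part of its normal peer set. The Python below is an added example, not code from the original post or from any NDR product; the flow history, host names, the external address and the set of lateral-movement ports are constructed assumptions for illustration.

```python
from collections import deque

# Assumed: ports commonly used for remote administration and file sharing.
LATERAL_PORTS = {22, 445, 3389, 5985}

# Constructed retained flow history: (timestamp_s, src, dst, dst_port).
HISTORY = [
    (100, "ws-31", "proxy-01", 3128),
    (200, "ws-31", "mail-01", 443),
    (300, "ws-31", "203.0.113.10", 8443),   # first contact with the suspicious external address
    (360, "ws-31", "203.0.113.10", 8443),
    (400, "ws-31", "fs-01", 445),           # ws-31's usual file server
    (500, "ws-31", "ws-44", 445),           # not in its baseline: lateral movement
    (520, "ws-44", "203.0.113.10", 8443),   # second host now talks to the same address
    (600, "ws-44", "srv-db-01", 22),
    (650, "ws-09", "fs-01", 445),           # unrelated host
    (700, "srv-db-01", "backup-01", 22),    # normal nightly backup
    (800, "ws-44", "srv-db-01", 22),
]

# What each host normally talks to (constructed; a real baseline is learned).
BASELINE_PEERS = {
    "ws-31": {("fs-01", 445), ("proxy-01", 3128), ("mail-01", 443)},
    "ws-09": {("fs-01", 445)},
    "srv-db-01": {("backup-01", 22)},
}


def first_contact(history, host, dst):
    """Earliest retained flow from host to dst, or None. Used to anchor the
    timeline at the moment the endpoint started talking to the bad address."""
    times = [ts for ts, s, d, _ in history if s == host and d == dst]
    return min(times) if times else None


def reconstruct_path(history, patient_zero, since, baseline_peers, ports=LATERAL_PORTS):
    """Breadth-first walk forward in time from patient_zero over lateral-movement
    ports. An edge is followed only if it happened after its source host was
    itself reached and is not part of that host's normal peer set. Returns the
    time each host was first reached and the ordered list of hops."""
    reached = {patient_zero: since}
    timeline = []
    queue = deque([patient_zero])
    flows = sorted(history)
    while queue:
        host = queue.popleft()
        for ts, src, dst, port in flows:
            if src != host or ts < reached[host] or port not in ports:
                continue
            if (dst, port) in baseline_peers.get(src, set()):
                continue  # routine traffic for this host, not evidence of movement
            if dst not in reached:
                reached[dst] = ts
                timeline.append((ts, src, dst, port))
                queue.append(dst)
    return reached, sorted(timeline)


def other_hosts_contacting(history, dst, exclude):
    """Every other host that talked to the same destination; each is a
    candidate compromised system to check, even if no hop led there."""
    return sorted({s for _, s, d, _ in history if d == dst and s not in exclude})


if __name__ == "__main__":
    c2 = "203.0.113.10"
    since = first_contact(HISTORY, "ws-31", c2)
    reached, hops = reconstruct_path(HISTORY, "ws-31", since, BASELINE_PEERS)
    print("compromise anchored at t =", since)
    for ts, src, dst, port in hops:
        print(f"t={ts}: {src} -> {dst}:{port}")
    print("hosts reached:", sorted(reached))
    print("also contacting the address:", other_hosts_contacting(HISTORY, c2, {"ws-31"}))
```

On the constructed history the walk yields two hops (ws-31 to ws-44 over 445 at t=500, then ws-44 to srv-db-01 over 22 at t=600), while the backup job from srv-db-01 and the unrelated file-server access from ws-09 are left out; the second check independently surfaces ws-44 as another host talking to the same external address. The walk keeps only the first time a host was reached, so the repeat connection at t=800 is not reported as a new hop.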