Comparative Evaluation of the Impact of Traditional Firewalls versus IDS/IPS Based Solutions in Home Networks with IoT Devices


Abstract

Residential IoT ecosystems are increasingly besieged by advanced application-level exploits capable of bypassing conventional perimeter security measures. This study quantitatively compares the defensive efficacy and computational overhead of a standard Layer 3/4 packet filter (iptables) against a Layer 7 Intrusion Prevention System (Suricata) deployed within a virtualized residential testbed. We simulated a spectrum of nine specific threat vectors targeting IoT communication standards, including MQTT DoS, HTTP fuzzing, SQL injection, and unauthorized firmware injection. Results: The traditional firewall demonstrated a complete inability to identify or mitigate application-layer incursions (yielding a TPR of 0%), rendering the network defenseless. Conversely, the IPS configuration attained absolute mitigation success, recording a 100% Blocking Effectiveness (PDB) across every evaluated scenario. Significantly, performance metrics revealed a paradox: during high-velocity attacks (e.g., Port Scanning and Fuzzing), the standard firewall suffered from CPU saturation (reaching 27% due to I/O stress), while the IPS maintained operational stability (4–8% peak load) by preemptively rejecting hostile packets at the interface level. Conclusion: We demonstrate that L3/L4 firewalls are insufficient for IoT security, not only due to their blindness toward Layer 7 threats but also their susceptibility to resource depletion under stress. Consequently, the implementation of Deep Packet Inspection (DPI) via an IPS is validated as a superior and more resource-efficient strategy for hardening domestic IoT infrastructures.
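The layer gap the abstract turns on can be made concrete with a small simulation. The following is an added illustration, not code from the paper and not the rule sets of iptables or Suricata: a header-only filter in the style of an L3/L4 packet filter and a payload-aware inspector are run over hand-built packets representing three of the abstract's threat classes (SQL injection in HTTP, HTTP fuzzing, MQTT connect flooding). The LAN prefix, port list, regex signature, request-line limit and connect-rate threshold are all assumptions chosen for the demonstration.

```python
"""Added example: why a header-only (L3/L4) policy cannot see application-layer
attacks that a payload-inspecting (L7) policy can. Everything here is constructed;
it is not the paper's testbed, nor iptables or Suricata rule syntax."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    src: str        # source IPv4 address (constructed)
    dport: int      # destination TCP port
    ts: float       # arrival time in seconds (constructed)
    payload: bytes  # TCP payload


# --- L3/L4 policy: the only facts an address/port filter can act on.
# Assumption: LAN hosts may reach the MQTT broker (1883) and the device web UI (80).
LAN_PREFIX = "192.168.1."
ALLOWED_PORTS = {1883, 80}


def l34_verdict(pkt: Packet) -> str:
    """ACCEPT/DROP decided from header fields only; the payload is never read."""
    if pkt.src.startswith(LAN_PREFIX) and pkt.dport in ALLOWED_PORTS:
        return "ACCEPT"
    return "DROP"


# --- L7 policy: hypothetical simplified signatures (a real IPS uses protocol
# parsers and its own rule language; these thresholds are assumptions).
SQLI_RE = re.compile(rb"(?i)(\bunion\b\s+\bselect\b|'\s*or\s*'1'\s*=\s*'1)")
MAX_REQUEST_LINE = 512   # longer HTTP request lines are treated as fuzzing
MQTT_CONNECT = 0x10      # high nibble of the first byte of an MQTT CONNECT packet
CONNECT_LIMIT = 5        # CONNECTs per source per window before it counts as a flood
WINDOW_S = 1.0


class L7Inspector:
    """Stateful inspector: reads payloads and tracks per-source CONNECT rate."""

    def __init__(self):
        self._connects = defaultdict(list)  # src -> timestamps of recent CONNECTs

    def verdict(self, pkt: Packet):
        """Returns (verdict, reason); reason is None when the packet is accepted."""
        if pkt.dport == 80:
            request_line = pkt.payload.split(b"\r\n", 1)[0]
            if len(request_line) > MAX_REQUEST_LINE:
                return "DROP", "http_fuzzing_oversized_request"
            if SQLI_RE.search(pkt.payload):
                return "DROP", "sqli_in_http"
        elif pkt.dport == 1883 and pkt.payload and (pkt.payload[0] & 0xF0) == MQTT_CONNECT:
            recent = [t for t in self._connects[pkt.src] if pkt.ts - t < WINDOW_S]
            recent.append(pkt.ts)
            self._connects[pkt.src] = recent
            if len(recent) > CONNECT_LIMIT:
                return "DROP", "mqtt_connect_flood"
        return "ACCEPT", None


def evaluate(packets):
    """Runs each packet through both policies; returns (l34, l7, l7_reason) per packet."""
    inspector = L7Inspector()
    return [(l34_verdict(p),) + inspector.verdict(p) for p in packets]


def sample_traffic():
    """Constructed traffic: one benign request, three attack patterns, one WAN packet."""
    lan = "192.168.1.20"
    # Minimal MQTT CONNECT fixed header + variable header (constructed bytes).
    mqtt_connect = b"\x10\x0c\x00\x04MQTT\x04\x02\x00\x3c\x00\x00"
    pkts = [
        Packet(lan, 80, 0.0, b"GET /status HTTP/1.1\r\nHost: cam\r\n\r\n"),
        Packet(lan, 80, 0.1, b"POST /login HTTP/1.1\r\nHost: cam\r\n\r\nuser=admin' OR '1'='1&pass=x"),
        Packet(lan, 80, 0.2, b"GET /" + b"A" * 2000 + b" HTTP/1.1\r\nHost: cam\r\n\r\n"),
    ]
    # Six CONNECTs from the same host within a second: a connect flood.
    pkts += [Packet(lan, 1883, 1.0 + 0.01 * i, mqtt_connect) for i in range(6)]
    # A packet from outside the LAN: the only case the L3/L4 policy rejects.
    pkts.append(Packet("203.0.113.5", 1883, 2.0, mqtt_connect))
    return pkts


if __name__ == "__main__":
    for pkt, (l34, l7, why) in zip(sample_traffic(), evaluate(sample_traffic())):
        print(f"{pkt.src:>14} :{pkt.dport:<5} L3/4={l34:<6} L7={l7:<6} {why or ''}")
```

Running it shows the pattern the abstract reports: every attack packet that arrives from an allowed address on an allowed port is accepted by the header-only policy, because nothing in the 5-tuple distinguishes it from the benign request, while the payload-aware inspector drops each one with a reason. The inspector alone does not enforce address policy (the WAN packet is rejected only by the L3/L4 rule), which is why a real deployment layers the two rather than replacing one with the other.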