Which of the following is the best example of a networking appliance that connects different network segments and directs allowed traffic between specific segments?
A firewall is the best example of an appliance that can sit between network segments and permit or deny traffic flows based on security policy. In Network+ terms, firewalls enforce segmentation controls by applying rules that match on items such as source/destination IP, ports, protocols, and (with next-generation firewalls) even applications. This makes a firewall a common choice for directing allowed traffic between specific segments (for example, allowing users in a workstation VLAN to reach only certain ports on a server VLAN, while blocking everything else). This function is core to network security architecture and is frequently paired with concepts like network segmentation, ACL-style rule sets, and creating security zones.
An IDS (intrusion detection system) primarily monitors traffic and generates alerts on suspicious activity; it does not typically control or “direct allowed traffic” unless it is specifically an IPS (intrusion prevention system) with inline blocking. An unmanaged switch operates at Layer 2 and forwards frames within a broadcast domain; it does not provide policy-based filtering between security segments. Therefore, the correct answer is Firewall.