Network Security Devices

Firewall

It works based on IP addresses and port numbers.

Intro

  • We can say Firewall is a Network Security Device.

  • It acts as a barrier between the trusted and untrusted networks: it analyses the network traffic and filters it so that unsecured and suspicious networks cannot attack the system, and it only allows secured networks to send or receive data.

  • Precisely, a Firewall ensures that all the data is secure and any malicious data trying to enter the internal network is not allowed to pass through.

  • Some firewalls also offer visibility into the source and type of traffic coming into this environment.

The logging feature records how the firewall manages traffic types. The logs provide organizations with information about, for example, source and destination IP addresses, protocols, and port numbers and can be used by a SIEM to help investigate an attack.

Types of Firewalls:

A packet filter works in the network layer of the OSI Model. It applies a set of rules (based on the contents of IP and transport header fields) to each packet and, based on the outcome, decides to either forward or discard the packet.

For example, a rule could specify to block all incoming traffic from a certain IP address or disallow all traffic that uses the UDP protocol. If a packet does not match any predefined rule, the firewall takes the default action. The default action can be to ‘discard all packets’ or to ‘accept all packets’.

Security threats to Packet Filters:

  1. IP address Spoofing: In this kind of attack, an intruder from the outside tries to send a packet towards the internal corporate network with the source IP address set equal to one of the IP addresses of internal users. Prevention: The firewall can defeat this attack if it discards all packets that arrive at the incoming side of the firewall with a source IP equal to one of the internal IPs.

  2. Source Routing Attacks: In this kind of attack, the attacker specifies the route to be taken by the packet in the hope of fooling the firewall. Prevention: The firewall can defeat this attack if it discards all packets that use the source routing (aka path addressing) option.

  3. Tiny Fragment Attacks: Many times, the size of the IP packet is greater than the maximum size allowed by the underlying network, such as Ethernet, Token Ring etc. In such cases, the packet needs to be fragmented so that it can be carried further. The attacker uses this characteristic of the TCP/IP protocol. In this kind of attack, the attacker intentionally creates fragments of the original packet and sends them to fool the firewall. Prevention: The firewall can defeat this attack if it discards all packets that use the TCP protocol and are fragmented. Dynamic Packet Filters allow incoming TCP packets only if they are responses to outgoing TCP packets.
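The rule evaluation and the three preventions above, as an added example that is not part of the original notes: a first-match packet filter in Python that applies the spoofing, source-routing and fragment checks before the rule table and falls back to a default action. The 10.0.0.0/8 internal range, the `Packet` and `Rule` field names and the sample rules are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

@dataclass
class Packet:                    # constructed model of the header fields used
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: int = 0
    iface: str = "outside"       # interface the packet arrived on
    source_route: bool = False   # IP source-routing option present
    fragment: bool = False       # packet is an IP fragment

@dataclass
class Rule:
    action: str                  # "accept" or "discard"
    src: str = "0.0.0.0/0"       # source network, default matches any
    proto: str = "any"
    dport: int = 0               # 0 matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and self.proto in ("any", p.proto)
                and self.dport in (0, p.dport))

# Sample rule table (constructed): block one address, disallow UDP, allow HTTPS.
RULES = [
    Rule("discard", src="203.0.113.7/32"),
    Rule("discard", proto="udp"),
    Rule("accept", proto="tcp", dport=443),
]

def filter_packet(p: Packet, rules=RULES, default="discard"):
    """Threat checks first, then the first matching rule, then the default."""
    if p.iface == "outside" and ipaddress.ip_address(p.src) in INTERNAL_NET:
        return "discard", "internal source address on outside interface"
    if p.source_route:
        return "discard", "source-routing option set"
    if p.proto == "tcp" and p.fragment:
        return "discard", "fragmented TCP packet"
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, f"rule {i}"
    return default, "default action"

if __name__ == "__main__":
    print(filter_packet(Packet("198.51.100.5", "10.0.0.10", "tcp", 443)))
```

Passing `default="accept"` shows the other default policy the text mentions: a packet that matches no rule is then forwarded instead of dropped.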


An IDS is a technical Detective control.

An IPS is a technical Preventative control.

An Anti-Virus program is a technical Preventative control.

Preventative Control: Spans administrative, technical, and physical controls to stop threats and risks to a system before they occur. An IPS and an anti-virus program are preventative controls because they prevent unauthorized access or modification to the network or host.

The concept of preventative control is that they are supposed to stop a threat from exploiting a risk, before any damage is done.

Detective Control: A security control that is used after an incident has occurred. It is not meant to prevent attacks; it is meant to investigate incidents after they have occurred. Real world examples of detective controls include CCTV, firewall logs, job rotation, guest sign-in books and actual police detectives.

(IDS) -- Intrusion Detection System

It is a network security tool that analyzes network traffic for malicious activity, vulnerability exploits or policy violations that are attempting to infiltrate or steal data from a network.

The IDS detects threats by comparing current network activity to a known threat database, looking at several key behaviors like security policy violations, malware, and port scanners. Any violation or intrusion activity is either reported to the administrator or collected using a security information and event management (SIEM) system. The SIEM can be used to distinguish malicious activity from false alarms.

Types of IDS

A network intrusion detection system (NIDS) monitors packets moving into and out of a network or subset of a network. It could monitor all traffic, or just a selection, to catch security threats. A NIDS compares potential intrusions to known abnormal or harmful behavior. This option is preferred for enterprises, as it’s going to provide much broader coverage than host-based systems.

Note: HIDS can work in conjunction with NIDS, providing extra coverage for sensitive workstations and catching anything NIDS doesn’t catch. Malicious programs might be able to sneak past a NIDS, but their behavior will be caught by a HIDS.

-----------------------------------------------------------------------------------------------------------------------------------

(IPS) -- Intrusion Prevention System

It is a network security tool that works to detect and block identified threats. In the same wheelhouse as a Firewall, the IPS actively denies network traffic if a packet represents a known security threat based on security profiles.

The IPS continuously monitors live network traffic 24/7, looking for malicious incidents and capturing information about them. It reports these events to the administrators while taking preventative action, including blocking traffic, altering firewall configurations or closing access points to prevent future attacks. IPS are also used to identify corporate security policy violations, combating unwitting actors or deterring probes by employees and guests.

If any malicious or suspicious packets are detected, the IPS will carry out one of the following actions:

  • Terminate the TCP session that has been exploited.

  • Block the offending source IP address or user account from accessing any application, target hosts or other network resources unethically.

  • Reprogram or reconfigure the firewall to prevent a similar attack from occurring in the future.

  • Remove or replace any malicious content that remains on the network following an attack. This is done by repackaging payloads, removing header information and removing any infected attachments from file or email servers.

Types of IPS

-----------------------------------------------------------------------------------------------------------------------------------

IDS vs IPS

The IDS and IPS both analyze network packets and compare the contents to a known threat database. The key high-level difference is that an IDS is a monitoring system, while an IPS is a control system.

An IDS doesn’t alter packets; it is a passive “listen-only” detection and monitoring solution that doesn’t take action on its own. An IPS, by contrast, is a control system that accepts or rejects packets based on the ruleset, actively preventing packet delivery based on the contents, similar to a firewall preventing traffic by IP address.

IDS deployments do require admin staff or another system like a SIEM to analyze the results and take the appropriate action. The IDS cannot take automatic actions against hackers capable of exploiting these vulnerabilities once they enter the network, leaving the IDS inadequate for threat prevention. IDS typically are positioned as a post-mortem forensics tool for the SecOps or computer security incident response team (CSIRT) for security incident investigations.

The IPS, on the other hand, is designed to catch dangerous packets in the act and drop them before they reach their target. It acts on its own to make decisions, which requires regularly updating the database with new threat data.

There are a few things to note about both IDS and IPS: they are only as effective as their threat databases, and need to be kept updated when new attacks break out.

And why are these two different tools? The IDS was originally developed as a listen-only monitoring tool because the analysis required could not keep pace with the direct communications traffic of the network infrastructure. And that is where it has stayed, a forensics detection solution, while the IPS was developed to take it a step further to actively block. Yes, there are vendors that provide both IDS and IPS functionality in one. There are solutions that have integrated IPS systems with firewalls, creating a Unified Threat Management (UTM) technology.

But both IDS and IPS have found their use as the go-to tools for Modern Security Stacks.

-----------------------------------------------------------------------------------------------------------------------------------

How to deploy and manage an IDS / IPS

With the IDS being a listen-only monitoring solution, it is placed out-of-band on the network infrastructure, meaning that it is not analyzing real-time traffic but is receiving a copy of the data.

The two ways an IDS tool accesses this data are through SPAN / mirror ports on the switch or through the industry best practice, network TAPs. SPAN ports are generally used for low utilization applications and are known to drop or alter packets, possibly masking threats. The network TAP creates full duplex traffic copies that pass physical errors and provide the flexibility to send this data to multiple destinations. If the IDS is processing many network segments, a network TAP and network packet broker are used to streamline the data to optimize security detection. If you are deploying a virtual IDS system, the same concept would incorporate a virtual traffic mirror or cloud TAP like Garland Prisms.

The IPS utilizes a different deployment strategy. Being an inline device means the IPS is sitting directly in the path of critical segments. This is great for its purpose of blocking threats before they get into the broader network, but it also poses logistical challenges: what would happen if the device failed, and how do you properly update or optimize it once it is inline?

Modern IPS tools may have add-on options for internal or built-in bypass, which may be useful in some failure use cases. However, built-in bypass leaves open additional vulnerabilities like software failures and doesn’t provide the flexibility to sandbox, troubleshoot and optimize, and the cost tends to outweigh that of the industry best practice of utilizing an external bypass. Bypass TAPs reduce network downtime with “inline lifecycle management”, which allows you to easily take tools out-of-band for updates, installing patches, maintenance or troubleshooting to optimize and validate before pushing back inline. They are designed to eliminate single points of failure within your network.

As a recent EMA [Enterprise Management Associates] report states, “Research found that extensive use of external bypass devices is a best practice….Bypass devices tend to prove their value once deployed. For instance, 92% of enterprises had a bypass device engage itself in the past year to prevent downtime, and 81% reported multiple engagements within the last year.”

With the growing number of security tools, we hear from IT teams looking for ways to simplify their security stack by incorporating inline hybrid devices like Garland’s EdgeLens, which allows you to manage a whole host of both inline and out-of-band tools, including the IDS, IPS and SIEM, from one device, providing the reliability of a bypass TAP with the advanced features of a packet broker.

-----------------------------------------------------------------------------------------------------------------------------------

Types at Glance

Anti-Virus

An anti-virus program is completely different from an IDS or IPS.

Anti-virus programs don't scan networks, because anti-virus programs don't scan packets; they scan files or objects.

Antivirus is a software utility program designed to protect a system from internal attacks from viruses.

An anti-virus program is also a PROGRAM. It's not a piece of hardware like an IPS or IDS. It's software, it's an application. I've never heard of a hardware based anti-virus program. Let me know if there is one!

Anti-virus programs scan FILES.

IDS/IPS devices and software scan network PACKETS, network traffic.

Anti-virus programs do not sit inline or off to the side of a network; they are installed on a device just like any other piece of software.

IDS and IPS are usually network devices that inspect network packets, while an anti-virus program is a piece of software that inspects malicious files on a host device.

For the most part, both use the concept of signature-based databases.

An IDS/IPS is not really comparable to an anti-virus program though, so the title of this blog post is a little misleading. They serve to perform different functions.

Also, think of an IPS/IDS as network perimeter protection, while an anti-virus program is for endpoint or host protection.


EDR


DLP


Network Intrusion - IDS - IPS

https://gbhackers.com/intrusion-detection-system-ids-2/
