FIREWALLS AND INTRUSION DETECTION SYSTEMS - PowerPoint PPT Presentation

Slides: 25
Provided by: admi132
1
Network Security
  • FIREWALLS AND INTRUSION DETECTION SYSTEMS

2
Topics
  • Introduction to Firewalls
  • Purpose of the Firewall
  • What a firewall cannot do
  • Types of firewall
  • Layer 2 Firewall
  • Intrusion Detection Systems

3
Introduction
  • What is a Firewall?
  • An integral part of any enterprise network design
  • Definition
  • A device that filters all traffic between a
    protected (inside) network and a less
    trustworthy (outside) network
  • Strongly enhances the security of the network and
    provides detailed information about traffic patterns
    from the core to the edge of the network and vice versa

4
Introduction
  • Can also create a security risk through the
    complexity of the firewall itself
  • Before deploying, look at the purpose that it
    will serve
  • After deploying it, audit whether it is fulfilling
    its design goals
  • Excellent tool when used as part of an overall
    security strategy

5
The Purpose of the Firewall
  • There are several different types of firewall,
    all with the same purpose
  • To separate the public and the private networks
  • Prevent unwanted traffic
  • A firewall consists of at least 2 interfaces
  • Public: the Internet
  • Private: contains the protected data
  • Can be multiple private interfaces depending on
    the network segments that need to be isolated
  • Set up the rules that determine the type of
    traffic that can be passed.

6
The Purpose of the Firewall Contd
  • The firewall is the second layer of protection within
    the network
  • Router
  • Decides which IP addresses are going to be allowed
    or denied and looks for malformed packets
  • Firewall
  • Going to look at which ports are going to be
    allowed and denied
  • Determines the devices to which those rules apply
  • Sometimes useful for blocking smaller network
    segments or individual IP addresses

7
Firewall
8
The Purpose of the Firewall Contd
  • Protects the network from unwanted traffic by
    denying all incoming traffic not originated by
    a machine behind the firewall
  • Can also be configured to deny all traffic except
    port 53 traffic destined for the DNS server
  • Strength of a firewall depends on its ability to
    filter traffic based on rules
  • This can also be its biggest weakness: an incomplete
    rule set can leave openings for attackers

9
The Purpose of the Firewall Contd
  • Multiple layers of firewalls
  • Protect traffic traveling within the network
  • Usually run 2 sets of firewalls: one for the entire
    network, one per network segment
  • Allow the SecAdmin to better control the flow of
    information, restrict access to sensitive
    locations and avoid burdening the primary firewall

10
What a firewall Cannot Do
  • Cannot do a detailed examination of packet contents
  • Cannot defend against attacks that do not go
    through the firewall
  • Cannot tell a security administrator when the
    firewall rules are inadequate
  • Not a monitoring tool
  • Cannot stop the most common types of attack

11
Types of Firewall
  • Generic term that covers many different types of
    devices used to separate network traffic
  • Most firewalls are simply a server with a hardened
    OS and a software-based firewall providing the
    protection
  • Some are embedded firewalls: OS and firewall
    programmed directly onto the system CPU
  • 3 types of firewall
  • Packet Filtering
  • Stateful Packet Filtering
  • Application Proxy

12
Types of Firewall Contd
  • Packet Filtering Firewall
  • Most basic type
  • Sits between the public and the private network;
    all traffic, ingress and egress, has to pass
    through the firewall
  • Determines what happens to the packets based on
    one or more of four criteria
  • Source IP address
  • Destination IP address
  • Source port
  • Destination port
  • Can be a combination
  • Generally, destination IP address and destination
    port are the criteria the admin uses to permit
    traffic, with all other external traffic being
    denied by the firewall
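The static packet filter described on this slide and on slide 8 (allow only port 53 to the DNS server, deny everything else, and an incomplete rule set as the biggest weakness), as an added worked example that is not part of the original presentation. It implements first-match rules over the four header criteria with a default deny; the network, the DNS server address and the sample packets are constructed for the example.

```python
"""Static (stateless) packet filter: first-match rules over the four header
criteria, with a default deny.  Constructed example added to this transcript,
not code from the slides; all addresses and ports are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"            # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # CIDR; 0.0.0.0/0 means any source
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None   # None means any port
    dport: Optional[int] = None
    proto: Optional[str] = None   # None means any protocol

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.sport is None or self.sport == pkt.sport)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.proto is None or self.proto == pkt.proto))


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; a packet that matches no rule is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Inbound policy from the slides: allow only port 53 traffic destined for the
# DNS server and deny everything else.  Rule order matters: the anti-spoofing
# deny must come before the allows, or a packet forging an inside source
# address could use them.
INTERNAL_NET = "192.168.1.0/24"     # constructed
DNS_SERVER = "192.168.1.53"         # constructed

INBOUND_RULES = [
    Rule("deny", src=INTERNAL_NET),   # outside packet claiming an inside address
    Rule("allow", dst=DNS_SERVER, dport=53, proto="udp"),
    Rule("allow", dst=DNS_SERVER, dport=53, proto="tcp"),
]

# The "incomplete rule set" from slide 8: the admin forgot the destination
# address, so port 53 on every inside host is reachable from outside.
LOOSE_RULES = [Rule("allow", dport=53)]

# Constructed inbound packets arriving on the outside interface.
SAMPLE_PACKETS = [
    ("DNS query to the DNS server", Packet("203.0.113.7", DNS_SERVER, 40000, 53, "udp")),
    ("SSH to an inside host", Packet("203.0.113.7", "192.168.1.10", 50000, 22)),
    ("port 53 on a non-DNS host", Packet("203.0.113.7", "192.168.1.10", 40000, 53, "udp")),
    ("spoofed inside source", Packet("192.168.1.20", DNS_SERVER, 40000, 53, "udp")),
]


def evaluate(rules: List[Rule]) -> dict:
    """Run every sample packet through a rule set; returns {label: decision}."""
    return {label: filter_packet(rules, pkt) for label, pkt in SAMPLE_PACKETS}


if __name__ == "__main__":
    for label, decision in evaluate(INBOUND_RULES).items():
        print(f"{label:28s} -> {decision}")
    print("loose rule set, port 53 on a non-DNS host ->",
          evaluate(LOOSE_RULES)["port 53 on a non-DNS host"])
```

With the tight rule set only the DNS query passes; with the loose rule set the same attacker reaches port 53 on any inside host and the spoofed packet is no longer caught, which is the "openings for attackers" the slide warns about.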

13
Static Packet filtering
14
Types of Firewall Contd
  • Stateful Packet Filtering
  • Offers the same features as a packet filtering firewall
    with some extended functionality
  • Keeps track of session information between two
    devices
  • Maintains a state table, simply a database that
    tracks the current state of each connection
  • A packet that does not match the expected state is
    dropped
  • Without state tracking, an attacker could forge a
    response packet to a machine behind the firewall that
    never initiated the request; a stateless filter would
    allow it through, giving the attacker access to the
    internal network
  • This type of firewall still does not understand the
    application used by the communicating devices, only
    the packet structure, which can leave it vulnerable
    to some types of attack
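The forged-response case from this slide, as an added worked example that is not part of the original presentation. A stateless filter that must let replies back in can only trust the ACK bit in the header, so a forged ACK to an idle inside host passes; the stateful filter keeps a state table keyed on the connection and drops any inbound packet it does not expect. The inside prefix, the TCP state machine simplifications and all addresses are assumptions made for the demo.

```python
"""Stateful TCP filter next to the stateless "established" shortcut it replaces.
Constructed example added to this transcript, not code from the slides; the
inside network prefix and all addresses are made up."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

INSIDE_PREFIX = "192.168.1."   # assumption for the demo: inside hosts share this prefix


@dataclass(frozen=True)
class TcpPacket:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


class StatelessEstablishedFilter:
    """A static filter has no memory, so to let replies back in it must trust the
    header: any inbound packet with the ACK bit set is assumed to be a response."""

    def handle(self, pkt: TcpPacket) -> str:
        if is_inside(pkt.src):
            return "allow"                  # everything outbound passes
        return "allow" if pkt.ack else "deny"


ConnKey = Tuple[str, int, str, int]        # (inside ip, inside port, outside ip, outside port)


class StatefulFilter:
    """State table keyed on the connection; only an inside host may open a
    connection, and an inbound packet is admitted only if the table expects it."""

    def __init__(self) -> None:
        self.table: Dict[ConnKey, str] = {}

    @staticmethod
    def _key(pkt: TcpPacket) -> ConnKey:
        # Normalise both directions of a flow onto one key.
        if is_inside(pkt.src):
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def handle(self, pkt: TcpPacket) -> str:
        key = self._key(pkt)
        outbound = is_inside(pkt.src)
        state = self.table.get(key)

        if state is None:
            if outbound and pkt.syn and not pkt.ack:
                self.table[key] = "SYN_SENT"    # inside host opens a connection
                return "allow"
            return "deny"   # unsolicited SYN, forged reply or stray ACK: unexpected state
        if state == "SYN_SENT":
            if not outbound and pkt.syn and pkt.ack:
                self.table[key] = "ESTABLISHED"
                return "allow"
            return "allow" if outbound else "deny"   # retransmitted SYN ok; other inbound is not
        # ESTABLISHED: both directions pass; simplified teardown on the first FIN or RST
        if pkt.fin or pkt.rst:
            del self.table[key]
        return "allow"


# Constructed traffic: a legitimate web session from an inside host, then two
# unsolicited inbound packets, one of them the forged "response" from the slide.
SCENARIO: List[Tuple[str, TcpPacket]] = [
    ("outbound SYN to web server", TcpPacket("192.168.1.10", "203.0.113.7", 50000, 80, syn=True)),
    ("server SYN/ACK",             TcpPacket("203.0.113.7", "192.168.1.10", 80, 50000, syn=True, ack=True)),
    ("server data (ACK)",          TcpPacket("203.0.113.7", "192.168.1.10", 80, 50000, ack=True)),
    ("forged ACK to idle host",    TcpPacket("198.51.100.66", "192.168.1.20", 80, 6000, ack=True)),
    ("unsolicited inbound SYN",    TcpPacket("198.51.100.66", "192.168.1.10", 40000, 22, syn=True)),
]


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Feed the scenario to both filters; returns {label: (stateless, stateful)}."""
    stateless, stateful = StatelessEstablishedFilter(), StatefulFilter()
    return {label: (stateless.handle(p), stateful.handle(p)) for label, p in SCENARIO}


if __name__ == "__main__":
    print(f"{'packet':28s} stateless  stateful")
    for label, (a, b) in run_scenario().items():
        print(f"{label:28s} {a:9s}  {b}")
```

Both filters agree on the legitimate session and on the unsolicited SYN; they differ only on the forged ACK, which the stateless filter admits because it can only read the header and the stateful one drops because no inside host ever opened that connection. Once a session is established, the stateful filter still passes whatever payload flows over it, which is the application blindness noted in the last bullet.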

15
Stateful Filtering Firewall
16
Types of Firewall Contd
  • Application Proxy
  • Sits between the client and server and responds to
    all requests
  • More powerful and able to probe much deeper into
    the packets
  • Can also do pattern matching within the packet
  • Disadvantages
  • Uses a lot of CPU resources and, especially on busy
    networks, can often be ineffective in dealing
    with large amounts of traffic
  • Many SecAdmins assume that with this type of
    firewall they have a complete security solution
    and do not take steps to secure the rest of the
    network
  • Which type of firewall is suitable depends on
  • Experience of the staff
  • Security precautions that are available within
    the network

17
Layer 2 Firewall
  • Layer 2 firewalls are invisible: they sit on the
    network, watch packets and filter them out, so the
    dropped packets are never seen by the protected hosts
  • Compared with a traditional (routed) firewall, why is a
    Layer 2 firewall needed?
  • Advantages of a Layer 2 firewall
  • Makes the attacker's life more difficult, because
    it is hard to build a network map without an IP
    address (none is exposed by the firewall)
  • Harder for the attacker to determine the type of
    firewall in place because of the lack of a public
    IP address
  • Easier to add a firewall to an existing network:
    no change in network settings is needed

18
Intrusion Detection System
  • Popular additions to network security
  • Used to search for patterns that may indicate an
    attack on a network and raise a warning
  • Generally placed at the edge of the network to
    monitor all the traffic in and out of the WAN
  • NIDS monitors the network; a host-based IDS monitors
    the device (server) it is installed on

19
IDS
20
IDS
21
Intrusion Detection System contd
  • Most deployments use a combination of host-based IDS
    and NIDS
  • NIDS has trouble processing all of the incoming
    traffic
  • NIDS is used to get the state of the network in a
    big-picture fashion.
  • Host-based IDS is used on critical servers to watch
    for potential problems on those hosts

22
Intrusion Detection System contd
  • How does a NIDS work?
  • Placed between routers and firewalls, on a Layer 2
    switch or even a hub
  • If a switch is used, port mirroring is needed to
    allow traffic from the monitored ports or VLANs to be
    mirrored to the port the NIDS is plugged into
  • How does a NIDS process data?
  • Basically a packet sniffer
  • Sorts through the traffic on the network looking
    for patterns that may be representative of an attack,
    called signatures

23
Intrusion Detection System contd
  • Signature - a set of events indicative of a
    network attack
  • The way it is matched depends on the type of NIDS
  • There are 2 types of NIDS
  • Signature-based
  • Anomaly-based

24
Intrusion Detection System contd
  • Signature-based
  • Relies on an internal database of common attack
    patterns
  • If one of these patterns is matched, a flag is set,
    alerting administrators
  • The rules consist of protocol, port, and the
    actual pattern
  • Anomaly-based
  • Relies on changes in traffic patterns to determine
    whether an attack is occurring
  • Generates an alert when the pattern alters
    significantly
  • Also looks at changes in the network's behavior
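The two NIDS detection modes from slides 22 to 24, as an added worked example that is not part of the original presentation: signature rules in the (protocol, port, pattern) shape the slide describes, matched against sniffed payloads, and an anomaly detector that learns a per-host baseline of how many destination ports a source touches per second and alerts when a host deviates by more than k standard deviations. The signatures, packet captures, addresses and the k = 3 threshold are all constructed for the example.

```python
"""Two NIDS detection modes over constructed captures: signature matching on
(protocol, port, pattern) and anomaly detection against a learned baseline.
Added example for this transcript, not code from the slides; signatures,
addresses and payloads are made up."""
import re
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Pkt:
    ts: float            # seconds
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    proto: str
    dport: int
    pattern: bytes       # regular expression over the payload


# Constructed rules in the shape the slide describes: protocol, port, pattern.
SIGNATURES = [
    Signature(1001, "HTTP directory traversal", "tcp", 80, rb"\.\./\.\./"),
    Signature(1002, "SQL injection attempt",    "tcp", 80, rb"(?i)union\s+select"),
]


def signature_match(pkts: List[Pkt], sigs: List[Signature] = SIGNATURES) -> List[Tuple[float, int, str]]:
    """Signature-based detection: (ts, sid, src) for every packet whose protocol
    and port match a rule and whose payload contains the rule's pattern."""
    alerts = []
    for p in pkts:
        for s in sigs:
            if p.proto == s.proto and p.dport == s.dport and re.search(s.pattern, p.payload):
                alerts.append((p.ts, s.sid, p.src))
    return alerts


# Constructed sniffed HTTP requests.  The last one carries the same traversal
# against a service on 8080: the port bound into the rule means no alert.
HTTP_CAPTURE = [
    Pkt(1.0, "203.0.113.7", "192.168.1.80", "tcp", 80, b"GET /index.html HTTP/1.1"),
    Pkt(1.2, "203.0.113.7", "192.168.1.80", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1"),
    Pkt(1.5, "198.51.100.9", "192.168.1.80", "tcp", 80, b"GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.1"),
    Pkt(1.9, "203.0.113.7", "192.168.1.80", "tcp", 8080, b"GET /../../etc/passwd HTTP/1.1"),
]


def distinct_ports(pkts: List[Pkt], window: float = 1.0) -> Dict[Tuple[str, int], int]:
    """Number of distinct destination ports each source touched per time window."""
    seen: Dict[Tuple[str, int], Set[int]] = {}
    for p in pkts:
        seen.setdefault((p.src, int(p.ts // window)), set()).add(p.dport)
    return {k: len(v) for k, v in seen.items()}


class PortSpreadAnomaly:
    """Anomaly-based detection: learn how many ports a host normally touches per
    second, then alert when a host exceeds mean + k standard deviations."""

    def __init__(self, k: float = 3.0) -> None:
        self.k = k
        self.threshold: Optional[float] = None

    def train(self, baseline: List[Pkt]) -> float:
        counts = list(distinct_ports(baseline).values())
        self.threshold = mean(counts) + self.k * pstdev(counts)
        return self.threshold

    def detect(self, pkts: List[Pkt]) -> List[Tuple[str, int, int]]:
        if self.threshold is None:
            raise RuntimeError("train() before detect()")
        return [(src, win, n) for (src, win), n in distinct_ports(pkts).items()
                if n > self.threshold]


def baseline_capture() -> List[Pkt]:
    """Constructed normal traffic: two hosts using web ports, DNS every third second."""
    pkts = []
    for sec in range(10):
        for host in ("10.0.0.5", "10.0.0.6"):
            for port in [80, 443] + ([53] if sec % 3 == 0 else []):
                pkts.append(Pkt(float(sec), host, "203.0.113.10", "tcp", port))
    return pkts


def scan_capture() -> List[Pkt]:
    """Constructed detection window: a normal host plus one source sweeping 30 ports."""
    pkts = [Pkt(100.0, "10.0.0.5", "203.0.113.10", "tcp", p) for p in (80, 443)]
    pkts += [Pkt(100.0 + i / 100, "198.51.100.9", "10.0.0.5", "tcp", 1 + i) for i in range(30)]
    return pkts


if __name__ == "__main__":
    for ts, sid, src in signature_match(HTTP_CAPTURE):
        print(f"t={ts:.1f} sid={sid} src={src}")
    ids = PortSpreadAnomaly()
    print(f"baseline threshold: {ids.train(baseline_capture()):.2f} ports/s")
    for src, win, n in ids.detect(scan_capture()):
        print(f"anomaly: {src} touched {n} ports in window {win}")
```

The signature detector fires on the traversal and the injection on port 80 but stays silent on the identical traversal sent to 8080, which is the trade-off of binding a pattern to a port. The anomaly detector learns a threshold just under four ports per second from the baseline, so the 30-port sweep is flagged while the normal hosts are not; in practice its value depends entirely on training on traffic that is representative and attack-free.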