IDS Firewall Flashcards
What is a firewall?
A network security system that monitors and controls incoming/outgoing network traffic based on predetermined security rules.
= barrier between trusted network and outside (untrusted network)
Why is a firewall important?
(3)
- prevents services from being accessed from outside the network
- segments networks
- reduces attack surface
Types of firewalls
By implementation:
- software - slow, easy to deploy on single machines
- hardware - faster, safer, expensive
By the number of network layers they process:
- packet size (data link layer)
- MAC (data link) and IP (IP layer) filtering
- port filtering (transport)
- Deep packet (application layer)
What are the 4 types of firewalls covered in this course?
- packet filtering firewall
- stateful inspection firewall
- application-level gateway
- circuit-level gateway
Packet filtering firewall - characteristics
Pros:
- simplest - compares packet header info to a given set of rules
- very fast
- allows access to services based on network data
Cons:
- it needs many rules => hard to maintain, prone to human error
- does not allow blocking of specific app commands
Stateful inspection firewall - characteristics
- maintains state between packets => more complex rules
- similar to packet filtering + remembers past events (allows for rules that allow traffic from outside IF the connection was started from inside the network) (lmao that's a mouthful)
- more expensive than packet filtering
Application-level gateway - characteristics
- AKA application proxy
- relays app layer data between user and app
- can block specific app features that you don't want used
- requires lots of processing
- does NOT scale well
Circuit-level gateway - characteristics
- AKA circuit-level proxy
- relays app layer data between user and app
- does not parse app layer contents, but determines which connections are allowed - e.g. SOCKS proxy
Describe the SOCKS proxy behaviour / algorithm
- User authenticates with proxy (TCP Handshake client-proxy)
- User requests specific IP and port (SOCKS Handshake client-proxy)
- IF user allowed to make that connection (TCP Handshake proxy-server), proxy sets up connection to IP and port and relays the app layer data
=> all data requests go through proxy now
What type of firewall can we use to detect and stop a TCP SYN scan?
Stateful firewall
- blocks excessive scanning (e.g. put a limit on the number of requests that can be made)
- BUT if attackers are slow enough, they are still able to scan the network
What is a DMZ?
= De-Militarized Zone
- allows some services to be reached from the Internet
- DMZ is separated from Internal Network using a second firewall (can be used for more stringent filtering)
What is a VPN?
= Virtual Private Network
- a way to link networks/provide a way for employees to work from home
- used to encrypt data on lower layers to create “transparent” tunnel that allows users to connect securely to LAN network over the Internet
What is an IDS?
= Intrusion Detection System
- device/software that monitors network for malicious activity or policy violations
Types of IDS?
- Host-based (HIDS) - monitors events on a host (eg system logs)
- Network-based (NIDS) - monitors network data, can use deep-packet inspection to find malicious activity
- Heuristic - match data to rules
- Signature - match data to known indicators (e.g. flagged IP addresses)
- Anomaly - determines 'normal data' and identifies data that deviates from the norm
Describe Anomaly detection IDS
- gathers base-line data that is considered “normal”
- classifies data using different approaches:
1. Statistical
2. Knowledge-based - relies on expert knowledge
3. Machine-learning - done automatically
What is Alert fatigue? How does it influence IDS?
= too many alarms lead to a situation where analysts don't have enough time to investigate all of them
- hard to balance the number of false positives with the sensitivity of the IDS
- some insurers don't cover attacks that were identified but not investigated
=> too much noise can be a liability
Describe a Host-Based IDS and its data sources (4)
- monitors activity on system (eg virus scanner)
data sources:
- system call traces
- log files
- integrity checksums
- registry access patterns
Describe a Distributed HIDS
- collects all data of various systems in the same place to create a more effective IDS
- requires devices to run programs which collect telemetry and forward it to a central location
=> privacy concerns of collecting info about employees’ systems
Describe Network-based IDS
- monitors activity on network
- types of sensors - inline, passive
- location of sensors matters loads
What is a Honeypot?
- decoy system designed to lure potential attackers away from critical systems
- Goals:
1. Divert attacks away from real systems
2. Collect info about attackers’ goals
3. Alert admins of strange behaviour - set up such that there is no reason to EVER contact them, so if something does, there is a reasonable chance that it's malicious
Where can sensors be placed?
- behind/ at level of border firewall
- in DMZ
- in specific parts of network