topic 4B : networks and security Flashcards
Basics of a firewall (1)
What is a firewall?
- a network device (hardware, software, or a combination) that controls access between a private network (LAN) and an external network (the Internet)
- enforces security policy across its connections
security policy : a set of rules that defines what traffic is permitted and what traffic is blocked/denied
Basics of a firewall (2)
- border firewall :
a firewall placed between an organization’s internal trusted network and an external untrusted network, usually the Internet
- ingress filtering :
examines packets coming into the organization (eg blocking inbound connections to services that are not meant to be public)
- egress filtering :
examines packets going out of the organization (eg blocking packets with spoofed source addresses or malware calling home)
Security zones
firewalls are used to create security zones and enforce security policies
different zones provide Layers of defense:
- outermost layer provides basic protection
- innermost layers provide the highest level of protection
Types of security zones
1) untrusted zone
- the outermost zone (Internet)
2) trusted zone
- internal network (inner secured corporate network)
3) semi-trusted zone
- demilitarized zone (DMZ), also known as perimeter network
- lies between the internal network (trusted zone) and the internet (untrusted zone)
Demilitarized zone (DMZ)
purpose : to add an additional layer of security to an organization’s LAN
outside users can reach servers in the DMZ but cannot reach the secure internal network; connections from the DMZ into the internal network are also restricted to the few a DMZ server actually needs (eg a web server to its database), so a compromised DMZ host gains little
any services that are being provided to Internet users are placed in the DMZ
most common services :
- web servers
- mail servers
- FTP (file transfer protocol) servers
- DNS (domain name system) servers
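The cards above describe a security policy as a rule set over zones with ingress and egress filtering. The following zone-based packet filter is an added worked example, not part of the flashcards: the address ranges for the trusted and DMZ zones, the rule table, the interface names and the sample packets are all constructed assumptions, and the anti-spoofing check is one common ingress rule shown as an example of what a border firewall does before consulting its policy.

```python
"""Zone-based packet filter, added to illustrate the security policy, zones and
ingress/egress filtering described on the cards above.  Not from the flashcards:
the zones, address ranges, rule table and sample packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Zones are defined by address range; anything not listed is the Internet (assumed).
ZONES = {
    "trusted": ipaddress.ip_network("10.0.0.0/8"),      # internal LAN (assumed)
    "dmz": ipaddress.ip_network("192.168.100.0/24"),    # perimeter network (assumed)
}

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrusted"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"

# The security policy: first matching rule wins; no match means deny.
POLICY: List[Rule] = [
    # ingress filtering: the Internet may reach only the published DMZ services
    Rule("untrusted", "dmz", "tcp", 80, "allow"),    # web
    Rule("untrusted", "dmz", "tcp", 443, "allow"),   # web (TLS)
    Rule("untrusted", "dmz", "tcp", 25, "allow"),    # mail
    Rule("untrusted", "dmz", "udp", 53, "allow"),    # DNS
    # the DMZ may open one specific connection inward (web server -> database, assumed)
    Rule("dmz", "trusted", "tcp", 5432, "allow"),
    # egress filtering: internal hosts may browse and resolve names, nothing else
    Rule("trusted", "untrusted", "tcp", 80, "allow"),
    Rule("trusted", "untrusted", "tcp", 443, "allow"),
    Rule("trusted", "dmz", "udp", 53, "allow"),
]

def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int,
             in_iface: str) -> Tuple[str, str]:
    """Return (action, reason) for one packet.  in_iface is the firewall
    interface the packet arrived on: "outside", "dmz" or "inside" (assumed names)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    # Anti-spoofing check: a packet carrying an internal or DMZ source address
    # cannot legitimately arrive on the outside interface, so it is dropped
    # before the rule table is consulted at all.
    if in_iface == "outside" and src_zone != "untrusted":
        return "deny", "spoofed internal source on outside interface"
    for rule in POLICY:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.proto == proto
                and (rule.dport is None or rule.dport == dport)):
            return rule.action, f"matched {src_zone}->{dst_zone} {proto}/{rule.dport}"
    return "deny", "default deny"

# Constructed sample packets: (src, dst, proto, dport, arrival interface)
SAMPLE_PACKETS = [
    ("203.0.113.7", "192.168.100.10", "tcp", 443, "outside"),   # Internet -> DMZ web server
    ("203.0.113.7", "10.0.0.20", "tcp", 445, "outside"),        # Internet -> internal file share
    ("192.168.100.10", "10.0.0.30", "tcp", 5432, "dmz"),        # DMZ web server -> internal database
    ("192.168.100.10", "10.0.0.30", "tcp", 22, "dmz"),          # DMZ web server -> internal SSH
    ("10.0.0.20", "198.51.100.9", "tcp", 443, "inside"),        # internal host browsing out
    ("10.0.0.20", "198.51.100.9", "tcp", 6667, "inside"),       # internal host to IRC (blocked egress)
    ("10.0.0.5", "192.168.100.10", "tcp", 80, "outside"),       # Internet packet spoofing an internal source
]

def run_samples() -> List[str]:
    """Evaluate every sample packet and return the list of actions."""
    return [evaluate(*pkt)[0] for pkt in SAMPLE_PACKETS]

if __name__ == "__main__":
    for pkt, action in zip(SAMPLE_PACKETS, run_samples()):
        print(action.upper(), pkt)
```

The rule table is deliberately default-deny in both directions: the untrusted zone can only reach the four published DMZ services, and the DMZ can only reach one internal port, which is what limits the damage when a DMZ server is compromised. Note that this is a stateless model; a real border firewall tracks connection state so that reply packets for an allowed connection are accepted without a separate rule.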
Intrusion detection system (IDS)
- a device/software application that monitors network and/or system activities for possible incidents
incidents can be malicious activities or policy violations
examples :
- malware (worms, spyware etc)
- attackers gaining unauthorized access to systems from the Internet
- authorized users of systems who misuse their privileges or attempt to gain additional privileges for which they are not authorized
Purposes of IDS
1) identify suspicious/malicious activities
2) note activity that deviates from normal behavior
3) catalog and classify the activity
4) respond to the activity
False positives and negatives of IDS
false positives : IDS matches a pattern and generates an alarm for non-hostile traffic
false negatives : hostile activity that does not match an IDS signature and goes undetected
Two main categories of IDS
1) Host-based IDS
- monitors the activity on an individual system but has no visibility of the activity on the network or on the systems around it
2) Network-based IDS
- monitors the traffic crossing the network link but has no idea of what is happening on individual systems
Host-based IDS (HIDS)
What is HIDS?
- consists of an agent installed on a host (server or computer)
- monitors system integrity, application activity, file changes, system logs and application logs
- uses local system resources to operate
Pros and cons of HIDS
advantages :
- can analyze activities at a high level of detail
- examines data after decryption
- lower false positive rates (host context shows whether an attack actually succeeded)
disadvantages :
- consumes local resources (eg processing time, storage and memory)
- high cost of ownership (an agent must be deployed and maintained on every host)
- focused view; cannot relate what it sees to activity on other systems
Network-based IDS (NIDS)
What does NIDS do?
- resides on a network segment and monitors the traffic on that segment
examines network traffic as it passes by :
- bits and bytes travelling through cables interconnecting the systems
- analyzes traffic by protocol, type, size, source, destination, content etc
Pros and cons of NIDS
advantages :
- lower cost of ownership, deployment and maintenance
- NIDS are mostly passive devices, so they add minimal overhead to the network
- has visibility into all traffic on the monitored segment and can correlate attacks across multiple systems
disadvantages :
- ineffective when traffic is encrypted (sees only headers and metadata unless TLS is terminated or decrypted in front of the sensor)
- must be able to handle high volumes of traffic (packets the sensor drops are attacks it never sees)
Activities that HIDS and NIDS can monitor
activities which HIDS can monitor :
- logins at odd hours
- login authentication failures
- new user accounts being added (especially with admin rights)
- modification/access of critical system files (eg the Windows registry, the OS configuration database)
- processes being started or stopped (eg antivirus)
- privilege escalation
activities that NIDS can monitor :
- DoS attacks
- port scans/sweeps
- malicious content in data payload of packets
- vulnerability scanning
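The two lists above are easiest to understand as detection rules. The following block is an added example, not part of the flashcards: it runs three HIDS-style rules (failed-login bursts, logins at odd hours, a new account added to an admin group) over constructed auth-log lines, and one NIDS-style port-scan rule over constructed connection records. The log format, the thresholds and the business-hours window are assumptions made for the example.

```python
"""HIDS-style and NIDS-style detection rules, added to illustrate the activities
listed on the cards above.  Not from the flashcards: the auth-log lines and flow
records are constructed, and their formats are simplified versions of a Linux
auth log and a NetFlow-style record."""
import re
from collections import defaultdict
from datetime import datetime

# --- HIDS: rules over a host's authentication log (constructed) -------------
AUTH_LOG = """\
2024-03-04 02:47:30 sshd[901]: Accepted password for bob from 10.0.0.9
2024-03-04 02:48:02 useradd[905]: new user: name=svc_backup, UID=1005
2024-03-04 02:48:10 usermod[907]: add 'svc_backup' to group 'sudo'
2024-03-04 09:12:01 sshd[812]: Failed password for alice from 10.0.0.44
2024-03-04 09:12:03 sshd[812]: Failed password for alice from 10.0.0.44
2024-03-04 09:12:06 sshd[812]: Failed password for alice from 10.0.0.44
2024-03-04 09:12:09 sshd[812]: Failed password for alice from 10.0.0.44
2024-03-04 09:12:12 sshd[812]: Failed password for alice from 10.0.0.44
2024-03-04 09:12:15 sshd[812]: Accepted password for alice from 10.0.0.44
2024-03-04 14:05:00 sshd[990]: Accepted password for carol from 10.0.0.12
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\w+)\[\d+\]: (.*)$")
FAIL_THRESHOLD = 5        # failed logins for one user within FAIL_WINDOW_S -> alert (assumed)
FAIL_WINDOW_S = 60
ODD_HOURS = range(0, 6)   # 00:00-05:59 is outside business hours for this host (assumed)

def hids_alerts(log_text):
    """Return a list of (alert_type, user) tuples in the order they are raised."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failed logins
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(3)
        if msg.startswith("Failed password for "):
            user = msg.split()[3]
            # sliding window: keep only failures within the last FAIL_WINDOW_S
            recent = [t for t in failures[user]
                      if (ts - t).total_seconds() <= FAIL_WINDOW_S]
            recent.append(ts)
            failures[user] = recent
            if len(recent) == FAIL_THRESHOLD:   # fire once per burst, not on every extra failure
                alerts.append(("brute_force", user))
        elif msg.startswith("Accepted password for "):
            user = msg.split()[3]
            if ts.hour in ODD_HOURS:
                alerts.append(("odd_hour_login", user))
        elif re.search(r"to group '(sudo|wheel)'", msg):
            user = re.search(r"add '([^']+)'", msg).group(1)
            alerts.append(("new_admin", user))
    return alerts

# --- NIDS: a port-scan rule over connection attempts seen on a segment ------
# Constructed flow records: (time_s, src, dst, dport, tcp_flags).  One source
# probes 16 consecutive ports; a legitimate client reconnects to 443 three times.
FLOWS = [(0.1 * i, "203.0.113.7", "192.168.100.10", 20 + i, "S") for i in range(16)]
FLOWS += [(0.7 + i, "198.51.100.9", "192.168.100.10", 443, "S") for i in range(3)]
FLOWS.sort()

SCAN_PORTS = 10           # distinct ports from one source to one host within SCAN_WINDOW_S (assumed)
SCAN_WINDOW_S = 5.0

def nids_alerts(flows):
    """Return a list of ("port_scan", src, dst) tuples, one per detected scan."""
    alerts = []
    attempts = defaultdict(list)   # (src, dst) -> [(time, dport)] inside the window
    for t, src, dst, dport, flags in flows:
        if "S" not in flags:       # only count new connection attempts (SYN)
            continue
        key = (src, dst)
        attempts[key] = [(t0, p) for t0, p in attempts[key] if t - t0 <= SCAN_WINDOW_S]
        attempts[key].append((t, dport))
        # counting distinct ports rather than packets keeps a busy but legitimate
        # client that keeps reconnecting to one service from tripping the rule
        if len({p for _, p in attempts[key]}) == SCAN_PORTS:
            alerts.append(("port_scan", src, dst))
    return alerts

if __name__ == "__main__":
    print(hids_alerts(AUTH_LOG))
    print(nids_alerts(FLOWS))
```

The thresholds are where false positives and false negatives are traded off: lowering FAIL_THRESHOLD catches slower password guessing but flags users who mistype a few times, and an attacker who spaces probes more than SCAN_WINDOW_S apart slips under the port-scan rule entirely. Note also that the HIDS rules work because the agent reads the host's own log after the SSH session has been decrypted, which a NIDS watching the same segment could not do.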
Are IDS and Firewall the same?
firewall :
- device/software that sits between a local network and the Internet
- main function is to block unauthorized access while permitting authorized communications
IDS :
- device/software installed on the network (NIDS) or host (HIDS). main function is to detect and report intrusion attempts inside the host or network
conclusion : a firewall is like a security guard at the gate, while an IDS is a security camera inside the compound