Various Security Devices For Network Security


In my previous article, I talked about how traffic travels through a network. In this article, I want to look at some of the security devices used for network security: firewalls, intrusion detection and prevention systems, and specialized security appliances.

 

A firewall is a system, or group of systems, that enforces an access control policy between networks.

 

The animation shows a firewall between a globe representing the internet and a server representing an internal network. The globe is attempting to send traffic into the internal network, and the firewall's rules decide what is allowed and what is denied.

Traffic that is allowed:

  • traffic from any external address to the web server
  • traffic to the FTP server
  • traffic to the SMTP server
  • traffic to the internal IMAP server

Traffic that is denied:

  • all inbound traffic with source addresses matching internal-registered IP addresses (anti-spoofing)
  • all inbound traffic to a server from external addresses
  • all inbound ICMP echo-request traffic
  • all inbound MS Active Directory queries
  • all inbound MS SQL Server queries
  • all MS Domain Local Broadcasts

Firewall Operation

#1 Packet Filtering Firewall

Packet filtering firewalls are usually part of a router firewall, which permits or denies traffic based on Layer 3 and Layer 4 information. They are stateless firewalls that use a simple policy table look-up that filters traffic based on specific criteria.

For example, SMTP servers listen on TCP port 25 by default. An administrator can configure the packet filtering firewall to block port 25 from a specific workstation to prevent it from spreading an email virus.

#2 Stateful Firewall

Stateful firewalls are the most versatile and the most common firewall technologies in use. Stateful firewalls provide stateful packet filtering by using connection information maintained in a state table: the firewall records each connection it has seen (addresses, ports and TCP state) and admits an inbound packet only when it belongs to a flow already in the table. Stateful filtering is a firewall architecture that is classified at the network layer, but it also analyzes traffic at OSI Layer 4 and Layer 5.
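To make the difference between the two firewall types concrete, here is an added example (not code from the original article): a toy stateless filter and a toy stateful filter applied to the same constructed packets. The static rules are taken from the animation described above (anti-spoofing, no inbound echo-request, web server reachable from outside); the addresses, interface names and the "permit by well-known source port" rule are assumptions for illustration.

```python
"""Added example (not from the original article): a toy stateless packet filter
beside a toy stateful filter, applied to the same constructed packets.
Addresses, interface names and the policy are assumptions for illustration."""
from dataclasses import dataclass
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
WEB_SERVER = "10.0.0.80"                             # assumed public web server


@dataclass(frozen=True)
class Packet:
    iface: str       # "outside" (from the internet) or "inside" (from the LAN)
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    flags: str = ""  # TCP flags ("S", "SA", "A") or ICMP type name


def static_rules(pkt):
    """Layer 3/4 rules from the figure; None means 'no static rule matched'."""
    if pkt.iface == "outside":
        # Anti-spoofing: packets claiming an internal source never arrive from outside.
        if ipaddress.ip_address(pkt.src) in INTERNAL_NET:
            return "deny"
        if pkt.proto == "icmp" and pkt.flags == "echo-request":
            return "deny"
        if pkt.proto == "tcp" and pkt.dst == WEB_SERVER and pkt.dport == 80:
            return "permit"
    return None


def stateless_decide(pkt):
    """Each packet is judged on its own headers; nothing is remembered."""
    verdict = static_rules(pkt)
    if verdict:
        return verdict
    if pkt.iface == "inside":
        return "permit"
    # A stateless filter cannot know which inbound packets are replies to
    # outbound connections, so a common (assumed) rule lets anything with a
    # well-known source port back in. That is the hole shown by the SSH probe.
    if pkt.proto == "tcp" and pkt.sport in (80, 443):
        return "permit"
    return "deny"


class StatefulFilter:
    """Remembers connections opened from inside and admits only their replies."""

    def __init__(self):
        self.state = set()  # (src, sport, dst, dport) of inside-initiated flows

    def decide(self, pkt):
        verdict = static_rules(pkt)
        if verdict:
            return verdict
        if pkt.iface == "inside":
            if pkt.proto == "tcp" and pkt.flags == "S":
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        # Inbound: permitted only if it is the reverse of a tracked flow.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "permit"
        return "deny"


# Constructed traffic sample (not captured from a real network).
SAMPLE = [
    Packet("outside", "198.51.100.7", WEB_SERVER, "tcp", 40000, 80, "S"),   # legitimate web hit
    Packet("outside", "10.0.0.5", WEB_SERVER, "tcp", 40001, 80, "S"),       # spoofed internal source
    Packet("outside", "198.51.100.7", "10.0.0.5", "icmp", 0, 0, "echo-request"),
    Packet("inside", "10.0.0.5", "203.0.113.9", "tcp", 51000, 443, "S"),    # user opens HTTPS
    Packet("outside", "203.0.113.9", "10.0.0.5", "tcp", 443, 51000, "SA"),  # the server's reply
    Packet("outside", "192.0.2.66", "10.0.0.5", "tcp", 80, 22, "S"),        # SSH probe from sport 80
]


def compare(packets=SAMPLE):
    """Return [(stateless verdict, stateful verdict), ...] for each packet in order."""
    stateful = StatefulFilter()
    return [(stateless_decide(p), stateful.decide(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (a, b) in zip(SAMPLE, compare()):
        print(f"{pkt.iface:7} {pkt.src:>13}:{pkt.sport:<5} -> {pkt.dst}:{pkt.dport:<5} "
              f"{pkt.proto}/{pkt.flags or '-':13} stateless={a:6} stateful={b}")
```

The last packet is the one to watch: a probe to TCP/22 with source port 80 passes the stateless filter because the filter has no way to know that nobody inside asked for it, while the stateful filter denies it because there is no matching entry in the state table.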

#3 Application Gateway Firewall

An application gateway firewall (proxy firewall), as shown in the figure, filters information at Layers 3, 4, 5, and 7 of the OSI reference model. Most of the firewall control and filtering is done in software. When a client needs to access a remote server, it connects to a proxy server. The proxy server connects to the remote server on behalf of the client. Therefore, the server only sees a connection from the proxy server.
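The client-to-proxy-to-server flow above, as an added example that is not code from the original article: a minimal HTTP application gateway running on the loopback interface. The proxy terminates the client connection, reads the request, applies a Layer 7 policy (the allowed methods and Host values are assumptions), and only then opens its own connection to the origin, so the origin only ever sees the proxy's address. A request that fails policy is refused at the proxy and never reaches the origin.

```python
"""Added example (not from the original article): a minimal application-gateway
(proxy) firewall for HTTP on localhost. Ports are chosen dynamically; the policy,
hostnames and the stand-in origin server are assumptions for illustration."""
import socket
import threading

ALLOWED_HOSTS = {"intranet.example"}   # assumed Layer 7 policy
ALLOWED_METHODS = {"GET", "HEAD"}


def read_head(conn):
    """Read until the end of the HTTP header block (or EOF)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def read_until_close(conn):
    """Read everything the peer sends until it closes the connection."""
    buf = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            return buf
        buf += chunk


def parse_request(head):
    """Return (method, host) from a raw request head, or None if malformed."""
    try:
        lines = head.decode("ascii").split("\r\n")
        method = lines[0].split(" ")[0]
        headers = dict(line.split(":", 1) for line in lines[1:] if ":" in line)
        return method, headers.get("Host", "").strip()
    except (UnicodeDecodeError, IndexError, ValueError):
        return None


def policy_allows(method, host):
    """Layer 7 decision: only safe methods to an approved internal host."""
    return method in ALLOWED_METHODS and host in ALLOWED_HOSTS


def _listener():
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    return sock, sock.getsockname()[1]


class Origin(threading.Thread):
    """Stand-in for the remote server: records who connected and answers 200."""

    def __init__(self):
        super().__init__(daemon=True)
        self.sock, self.port = _listener()
        self.peers = []   # (ip, port) of each connecting socket: the proxy, never the client

    def run(self):
        while True:
            conn, peer = self.sock.accept()
            self.peers.append(peer)
            read_head(conn)
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
            conn.close()


class Gateway(threading.Thread):
    """The proxy: inspects the request at Layer 7 before touching the origin."""

    def __init__(self, origin_port):
        super().__init__(daemon=True)
        self.origin_port = origin_port
        self.sock, self.port = _listener()

    def run(self):
        while True:
            client, _ = self.sock.accept()
            parsed = parse_request(head := read_head(client))
            if parsed is None or not policy_allows(*parsed):
                client.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
                client.close()
                continue
            upstream = socket.create_connection(("127.0.0.1", self.origin_port), timeout=5)
            upstream.sendall(head)                  # origin sees the proxy as its client
            client.sendall(read_until_close(upstream))
            upstream.close()
            client.close()


def send_through(gateway_port, raw_request):
    """Client side: talk only to the proxy; return the HTTP status code received."""
    c = socket.create_connection(("127.0.0.1", gateway_port), timeout=5)
    c.sendall(raw_request)
    response = read_until_close(c)
    c.close()
    return int(response.split(b" ")[1])


def demo():
    """Start origin and gateway, send three requests, report what each side saw."""
    origin = Origin(); origin.start()
    gateway = Gateway(origin.port); gateway.start()
    allowed = send_through(gateway.port, b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n")
    bad_method = send_through(gateway.port, b"DELETE / HTTP/1.1\r\nHost: intranet.example\r\n\r\n")
    bad_host = send_through(gateway.port, b"GET / HTTP/1.1\r\nHost: evil.example\r\n\r\n")
    return {"allowed": allowed, "bad_method": bad_method, "bad_host": bad_host,
            "origin_connections": len(origin.peers),
            "origin_peer_ip": origin.peers[0][0] if origin.peers else None}


if __name__ == "__main__":
    print(demo())
```

The origin's `peers` list is the observable point: after three client requests it holds one entry, from 127.0.0.1, and that entry is the gateway's own socket rather than the client's. A production gateway would additionally strip hop-by-hop headers, cap request sizes and log the decision; those are left out here to keep the policy step visible.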

#4 Next-Generation Firewall

Next-generation firewalls (NGFW) go beyond stateful firewalls by providing:

  • Integrated intrusion prevention
  • Application awareness and control to see and block risky apps
  • Upgrade paths to include future information feeds
  • Techniques to address evolving security threats

 

Common Firewall Properties

All firewalls share some common properties:

  • Firewalls are resistant to network attacks.
  • Firewalls are the only transit point between internal corporate networks and external networks because all traffic flows through the firewall.
  • Firewalls enforce the access control policy.

Firewall Type Descriptions

It is important to understand the different types of firewalls (packet filtering, stateful, application gateway and next-generation, as described above) and their specific capabilities so that the right firewall is used for each situation.

The packet filtering (stateless) firewall figure shows the seven layers of the OSI model with Layers 3 and 4 highlighted, and the fields a stateless filter examines: source IP address, destination IP address, protocol, source port number, destination port number, and SYN (synchronize/start) packet receipt.

Other methods of implementing firewalls include:

  • Host-based (server and personal) firewall – A PC or server with firewall software running on it.
  • Transparent firewall – Filters IP traffic between a pair of bridged interfaces.
  • Hybrid firewall – A combination of the various firewall types. For example, an application inspection firewall combines a stateful firewall with an application gateway firewall.

Intrusion Prevention and Detection Devices

A networking architecture paradigm shift is required to defend against fast-moving and evolving attacks. This must include cost-effective detection and prevention systems, such as intrusion detection systems (IDS) or the more scalable intrusion prevention systems (IPS). The network architecture integrates these solutions into the entry and exit points of the network.

 

When implementing IDS or IPS, it is important to be familiar with the types of systems available, host-based and network-based approaches, the placement of these systems, the role of signature categories, and possible actions that a Cisco IOS router can take when an attack is detected.

 

The figure shows a user in the top right corner sending traffic into a cloud. The cloud connects to a router, which forwards the traffic to an IPS-enabled sensor; the sensor connects to a second router that also has connections to a management console and a laptop labelled "target". A bit bucket beside the IPS-enabled sensor represents traffic the sensor drops. Characteristics of IDS and IPS listed in the figure: both technologies are deployed as sensors, both use signatures to detect patterns of misuse in network traffic, and both can detect atomic patterns (single packet) or composite patterns (multi-packet).

IDS and IPS Characteristics

IDS and IPS technologies are both deployed as sensors. An IDS or IPS sensor can be in the form of several different devices:

  • A router configured with Cisco IOS IPS Software
  • A device specifically designed to provide dedicated IDS or IPS services
  • A network module installed in an adaptive security appliance (ASA), switch, or router

IDS and IPS technologies use signatures to detect patterns in network traffic. A signature is a set of rules that an IDS or IPS use to detect malicious activity. Signatures can be used to detect severe breaches of security, to detect common network attacks, and to gather information. IDS and IPS technologies can detect atomic signature patterns (single-packet) or composite signature patterns (multi-packet).


Advantages and Disadvantages of IDS and IPS

The table lists the advantages and disadvantages of IDS and IPS.

IDS

Advantages:
  • No impact on the network (latency, jitter)
  • No network impact if there is a sensor failure
  • No network impact if there is sensor overload

Disadvantages:
  • Response action cannot stop trigger packets
  • Correct tuning required for response actions
  • More vulnerable to network security evasion techniques

IPS

Advantages:
  • Stops trigger packets
  • Can use stream normalization techniques

Disadvantages:
  • Sensor issues might affect network traffic
  • Sensor overloading impacts the network
  • Some impact on the network (latency, jitter)


IDS Advantages

An IDS is deployed in offline (promiscuous) mode, receiving a copy of the traffic rather than sitting in the traffic path, and therefore:

  • The IDS does not impact network performance. Specifically, it does not introduce latency, jitter, or other traffic flow issues.
  • The IDS does not affect network functionality if the sensor fails. It only affects the ability of the IDS to analyze the data.

IDS Disadvantages

Disadvantages of an IDS include:

  • An IDS sensor cannot stop the packets that have triggered an alert, and it is less helpful in detecting email viruses and automated attacks, such as worms.
  • Tuning IDS sensors to achieve expected levels of intrusion detection can be very time-consuming. Users deploying IDS sensor response actions must have a well-designed security policy and a good operational understanding of their IDS deployments.
  • An IDS implementation is more vulnerable to network security evasion techniques because it is not in line.
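The two ideas above, signatures (atomic versus composite, from the "IDS and IPS Characteristics" section) and the IDS/IPS trade-off (an offline sensor can only alert after the trigger packet has gone by, an inline sensor can drop it), as one added example that is not code from the original article. It runs a small signature engine over constructed packet records in both modes. Signature IDs, names, the port-scan threshold and the traffic sample are assumptions.

```python
"""Added example (not from the original article): a small signature engine
run over constructed packet records. Signature 1001 and 1002 are atomic (one
packet is enough), 2001 is composite (evidence gathered across packets).
In "ids" mode the trigger packet is already forwarded; in "ips" mode it is
dropped. Signature IDs, thresholds and the sample traffic are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str
    dst: str
    proto: str
    dport: int
    flags: str = ""        # TCP flags or ICMP type name
    payload: bytes = b""


@dataclass(frozen=True)
class Alert:
    sig_id: int
    name: str
    src: str
    ts: float
    action: str            # "alert" (IDS, offline) or "drop" (IPS, inline)


class SignatureEngine:
    SCAN_PORTS = 5         # distinct destination ports from one source ...
    SCAN_WINDOW = 2.0      # ... within this many seconds = port scan (assumed)

    def __init__(self, mode):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.syn_history = defaultdict(list)   # src -> [(ts, dport), ...]
        self.alerts = []
        self.forwarded = []                    # packets that reached the target

    def _atomic(self, p):
        # 1001: oversized ICMP echo-request payload; a single packet is conclusive.
        if p.proto == "icmp" and p.flags == "echo-request" and len(p.payload) > 1024:
            return 1001, "ICMP echo-request with oversized payload"
        # 1002: SYN and FIN set together, an invalid combination used to evade filters.
        if p.proto == "tcp" and "S" in p.flags and "F" in p.flags:
            return 1002, "TCP SYN+FIN"
        return None

    def _composite(self, p):
        # 2001: SYN to SCAN_PORTS distinct ports from one source inside SCAN_WINDOW.
        if p.proto == "tcp" and p.flags == "S":
            history = self.syn_history[p.src]
            history.append((p.ts, p.dport))
            recent = {port for ts, port in history if p.ts - ts <= self.SCAN_WINDOW}
            if len(recent) >= self.SCAN_PORTS:
                return 2001, "TCP SYN port scan"
        return None

    def process(self, p):
        """Inspect one packet; return the Alert raised, if any."""
        hit = self._atomic(p) or self._composite(p)
        if hit is None:
            self.forwarded.append(p)
            return None
        if self.mode == "ids":
            # Offline sensor: it saw a copy, so the trigger packet is already through.
            self.forwarded.append(p)
            action = "alert"
        else:
            action = "drop"     # inline sensor: trigger packet never leaves the sensor
        alert = Alert(hit[0], hit[1], p.src, p.ts, action)
        self.alerts.append(alert)
        return alert


# Constructed traffic sample (not captured from a real network).
SAMPLE = [
    Pkt(0.0, "10.0.0.5", "203.0.113.9", "tcp", 443, "S"),                       # normal outbound
    Pkt(0.1, "198.51.100.3", "10.0.0.5", "icmp", 0, "echo-request", b"A" * 1500),
    Pkt(0.2, "192.0.2.10", "10.0.0.5", "tcp", 21, "S"),                         # scan begins
    Pkt(0.3, "192.0.2.10", "10.0.0.5", "tcp", 22, "S"),
    Pkt(0.4, "192.0.2.10", "10.0.0.5", "tcp", 23, "S"),
    Pkt(0.5, "192.0.2.10", "10.0.0.5", "tcp", 25, "S"),
    Pkt(0.6, "192.0.2.10", "10.0.0.5", "tcp", 80, "S"),                         # 5th port: 2001 fires
    Pkt(0.7, "192.0.2.10", "10.0.0.5", "tcp", 22, "SF"),                        # 1002 fires
    Pkt(0.8, "203.0.113.9", "10.0.0.5", "tcp", 51000, "SA"),                    # reply to the first packet
]


def run(mode, packets=SAMPLE):
    """Run the engine in one mode; return which signatures fired and how many packets got through."""
    engine = SignatureEngine(mode)
    for p in packets:
        engine.process(p)
    return {"alerts": [(a.sig_id, a.action) for a in engine.alerts],
            "forwarded": len(engine.forwarded)}


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode, run(mode))
```

Both modes raise the same three alerts; the difference is that in IDS mode all nine packets reach the target, while in IPS mode the three trigger packets are dropped and six reach it. The composite signature also shows why "correct tuning" matters: the threshold of five ports in two seconds is arbitrary, and a slower scan would evade it.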

Types of IPS

There are two primary kinds of IPS available: host-based IPS and network-based IPS.

Host-based IPS

Host-based IPS (HIPS) is software installed on a host to monitor and analyze suspicious activity. A significant advantage of HIPS is that it can monitor and protect operating system and critical system processes that are specific to that host. With detailed knowledge of the operating system, HIPS can monitor abnormal activity and prevent the host from executing commands that do not match typical behaviour. This suspicious or malicious behaviour might include unauthorized registry updates, changes to the system directory, executing installation programs, and activities that cause buffer overflows. Network traffic can also be monitored to prevent the host from participating in a denial-of-service (DoS) attack or being part of an illicit FTP session.

HIPS can be thought of as a combination of antivirus software, antimalware software, and a firewall. Combined with a network-based IPS, HIPS is an effective tool in providing additional protection for the host.

A disadvantage of HIPS is that it operates only at a local level. It does not have a complete view of the network or coordinated events that might be happening across the network. To be effective in a network, HIPS must be installed on every host and have support for every operating system. The table lists the advantages and disadvantages of HIPS.

Advantages:
  • Provides protection specific to a host operating system
  • Provides operating system and application-level protection
  • Protects the host after the message is decrypted

Disadvantages:
  • Operating system dependent
  • Must be installed on all hosts

Network-based IPS

A network-based IPS can be implemented using a dedicated or non-dedicated IPS device. Network-based IPS implementations are a critical component of intrusion prevention. There are host-based IDS/IPS solutions, but these must be integrated with a network-based IPS implementation to ensure a robust security architecture.

Sensors detect malicious and unauthorized activity in real-time and can take action when required. As shown in the figure, sensors are deployed at designated network points. This enables security managers to monitor network activity while it is occurring, regardless of the location of the attack target.

The figure shows a cloud labelled "untrusted network" connected to a firewall. The firewall has a connection to a sensor with a web server and a DNS server attached to it. The firewall also connects to another sensor with a management server and a router attached; the router has a further connection to a third sensor that connects to laptops. The router, sensor and laptops are within a box labelled "corporate network".

Sample IPS Sensor Deployment

Specialized Security Appliances

There are a variety of specialized security appliances available. Here are a few examples.

Cisco Advanced Malware Protection (AMP) is an enterprise-class advanced malware analysis and protection solution. It provides comprehensive malware protection for organizations before, during, and after an attack:

  • Before an attack, AMP strengthens defences and protects against known and emerging threats.
  • During an attack, AMP identifies and blocks policy-violating file types, exploit attempts, and malicious files from infiltrating the network.
  • After an attack, or after a file is initially inspected, AMP goes beyond point-in-time detection capabilities and continuously monitors and analyzes all file activity and traffic, regardless of disposition, searching for any indications of malicious behaviour. If a file with an unknown or previously deemed "good" disposition starts behaving badly, AMP will detect it and instantly alert security teams with an indication of compromise. It then provides visibility into where the malware originated, what systems were affected, and what the malware is doing.

AMP accesses the collective security intelligence of the Cisco Talos Security Intelligence and Research Group. Talos detects and correlates threats in real time using the largest threat-detection network in the world.

 


About Adeniyi Salau

I am an IT enthusiast and a man of many parts. I am a Certified Digital Marketer, Project Manager and a Real Estate Consultant. I love writing because that's what keeps me going. I am running this blog to share what I know with others. I am also a Superlife Stem Cell Distributor. Our Stem Cell Products can cure many ailments.
