Install and configure network components, both hardware and software-based, to support organizational security.
- Firewall / UTM
- NIDS / NIPS
- VPN Concentrator
Firewalls
- Isolate one network from another
- A network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules (Cisco)
- Hardware (appliances), software or both
- Network or host-based
Firewall Types
- Packet filter
- Passes or blocks traffic to specific ports or IP addresses based on rules
- Access Control List (ACL) filter
- Little intelligence / stateless
- Faster than stateful inspection
- Proxy firewall
- Acts as an intermediary
- Application Proxy
- Web Proxy
- Stateful packet inspection
- Intelligent
- Analyzes data flows and traffic patterns
- Dynamic access control decisions
- Records are kept in a state table that tracks every communication channel
- Remembers where the packet came from and where the next one should come from.
Firewall Rules
- Configured to specify computers, programs, services, or ports or protocols
- Order of firewall rules matters
- Implicit deny
- Access or resource availability is restricted to only those that are explicitly granted access; all others are denied
- Deny any any <- last firewall or ACL rule
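The rule-ordering and implicit-deny points above, together with the state table described under stateful packet inspection, as an added example (not part of the original notes): a small first-match packet filter with a constructed rule set and a state table that lets replies to permitted flows back in without a permissive inbound rule. Packets are constructed tuples of (proto, src_ip, src_port, dst_ip, dst_port); all addresses and ports are made up.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed packet shape: (proto, src_ip, src_port, dst_ip, dst_port)

@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str = "any"             # "tcp", "udp" or "any"
    src: str = "any"               # CIDR or "any"
    dst: str = "any"
    dport: Optional[int] = None    # destination port, None = any port

    def matches(self, pkt):
        proto, src, _sport, dst, dport = pkt
        return ((self.proto == "any" or self.proto == proto)
                and (self.src == "any" or ip_address(src) in ip_network(self.src))
                and (self.dst == "any" or ip_address(dst) in ip_network(self.dst))
                and (self.dport is None or self.dport == dport))

def evaluate_acl(rules, pkt):
    """Stateless packet filter: the first matching rule wins; implicit deny otherwise."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None            # implicit deny: nothing matched

class StatefulFirewall:
    """Keeps a state table so replies to permitted flows are accepted
    without a rule that would otherwise open the inbound direction."""
    def __init__(self, rules):
        self.rules = rules
        self.state = set()         # tuples of permitted outbound flows

    def handle(self, pkt):
        proto, src, sport, dst, dport = pkt
        # A reply reverses the addresses and ports of a recorded flow
        if (proto, dst, dport, src, sport) in self.state:
            return "permit", "established"
        action, index = evaluate_acl(self.rules, pkt)
        if action == "permit":
            self.state.add(pkt)
        return action, index

# Constructed rule set. Order matters: the narrow deny for one host must come
# before the broad permit or it never fires; "deny any any" closes the list.
RULES = [
    Rule("deny", "tcp", "10.0.0.50/32", "192.168.1.10/32", 443),
    Rule("permit", "tcp", "10.0.0.0/24", "192.168.1.10/32", 443),
    Rule("deny"),                  # explicit "deny any any" as the last rule
]
```

Swapping the first two rules makes the denied host match the broad permit first, which is the misordering the notes warn about.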
Application Firewalls
- Controls input, output, and/or access from, to, or by an application or service based on categories, rules, or heuristics.
- Deep packet inspection
- Function at Layer 7 of the OSI model
- Web Application Firewall (WAF)
- Protects web applications from known attacks (Injection, Buffer Overflows, etc.)
- Often included in other firewall types (Proxy, IDS/IPS)
IDS/IPS
- Intrusion — any activity or action that attempts to undermine or compromise the confidentiality, integrity, or availability of resources
- Intrusion Detection / Protection Systems
- Like a burglar alarm — Identify unauthorized activity, access or anomalies
- Sensor — the IDS component that collects data from the data source and passes it to the analyzer
- Host-based — On individual systems
- Network-based — On the network borders
IDS vs IPS – Detection vs Protection
- Passive response
- Logging
- Notification
- Shunning/Quarantine
- Active response
- Terminating process or sessions
- Configuration changes
- Deception active response – Attacker believes the attack is succeeding while the system monitors the activity and potentially redirects the attacker to a honeypot or logging system
IDS/IPS – where to use?
- Signature based (aka knowledge-based)
- Detects known vulnerabilities
- Rules/updates provided by vendor
- Reactive
- Behavior-based
- Outside of normal bounds / establish profile
- Anomaly-based
- Potential for false positives
- Heuristic-based
- Uses algorithms to analyze the activity / network traffic
- High initial overhead
IDS/IPS Analytics
False Positive — Occurs when a typical or expected behavior is identified as irregular or malicious
False Negative — Occurs when an alert that should have been generated was not generated
VPN Concentrators
- A virtual private network (VPN) allows remote access into a network
- Site-to-Site
- User (host-to-site)
- VPN concentrator
- Single device to funnel all VPN access / Connects VPN nodes
- Encrypted tunnels
- Centralized authentication (RADIUS, Kerberos, Federated ID)
- Always-on VPN
- Network security through encryption
- Internet Protocol Security (IPsec)
- Secure Sockets Layer (SSL)
Internet Protocol Security (IPsec) VPN
- Provides authentication services and encapsulation of data through support of the Internet Key Exchange (IKE) protocol
- Functions within the IP / Network layer (layer 3)
- Three Services:
- Data verification
- Data tampering protection
- Private transactions
- Two separate (mutually exclusive) protocols
- Authentication Header (AH) – authentication and integrity checking for data packets
- Encapsulating Security Payload (ESP) — encryption services
SSL/TLS VPN
- SSL (Secure Sockets Layer) / TLS (Transport Layer Security)
- Note: TLS replaces SSL
- Known as a WebVPN — remote access through a website over SSL/TLS
- Point-to-point encrypted communications
VPN Tunneling
Full tunnel — all requests are routed and encrypted through the VPN. More secure
Split tunnel — only some (usually all incoming requests) are routed and encrypted over the VPN
Unified Threat Management (UTM) & Next Generation Firewall (NGFW)
- An all-in-one firewall appliance / Single interface / Single vendor
- Network IDS/IPS
- URL filtering
- Block websites based on category or URL
- Content inspection
- Application aware
- Malware inspection