Detection and Prevention

Firewalls : can be physical or software based
  Filter traffic based on rules
    Deny traffic
    Allow traffic
  Filter Criteria
    Source IP
    Destination IP
    Protocols
    Ports
    Other
  Sits between Trusted Inside and Untrusted Outside
  Hardware based Firewall is also referred to as Network Based Firewall
  Software based Firewall is also known as Host Based Firewall
Packet Filtering : permits or denies traffic based on rules
  Stateless
    Each packet is an isolated piece of communication
    Requires less time and memory
    Sessionless
    Cannot make complex decisions
  Stateful
    Understands stages of TCP connection
    Can be aware of false IP Address
    Tracks user sessions
    Once a session is established, packets can flow between hosts without further checking
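As an added illustration (not part of the original notes), the toy filters below run the same constructed packet trace through a stateless and a stateful packet filter. The rules use only the criteria listed above (IP, protocol and port); the inside prefix 10.0.0.0/24, the addresses and the ports are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:                # constructed TCP packet: IP, port and flag fields only
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str               # "SYN", "SYN-ACK", "ACK", "PSH-ACK" (simplified)

def is_inside(ip: str) -> bool:
    return ip.startswith("10.0.0.")   # trusted inside = constructed 10.0.0.0/24

def stateless_allow(pkt: Packet) -> bool:
    """Judge each packet alone on IP, protocol (TCP) and port; no session memory."""
    if is_inside(pkt.src_ip) and not is_inside(pkt.dst_ip) and pkt.dst_port == 443:
        return True                   # outbound HTTPS request
    if not is_inside(pkt.src_ip) and is_inside(pkt.dst_ip) and pkt.src_port == 443:
        return True                   # must admit *any* "reply" from port 443
    return False

class StatefulFilter:
    """Tracks TCP sessions opened from inside (costs memory) and admits
    outside packets only when they belong to a tracked session."""
    def __init__(self) -> None:
        self.sessions: set[tuple] = set()
    def allow(self, pkt: Packet) -> bool:
        outbound = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        inbound = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if is_inside(pkt.src_ip) and pkt.dst_port == 443 and pkt.flags == "SYN":
            self.sessions.add(outbound)   # session enters the SYN stage
            return True
        if outbound in self.sessions or inbound in self.sessions:
            return True                   # known session: no further rule checks
        return False                      # unsolicited, possibly forged source

# Constructed trace: a real HTTPS handshake from inside, followed by an
# unsolicited outside packet that merely claims source port 443.
TRACE = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "SYN"),
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, "SYN-ACK"),
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "ACK"),
    Packet("198.51.100.7", 443, "10.0.0.9", 51000, "PSH-ACK"),
]

def verdicts() -> tuple[list[bool], list[bool]]:
    """Returns (stateless verdicts, stateful verdicts) for TRACE."""
    fw = StatefulFilter()
    return [stateless_allow(p) for p in TRACE], [fw.allow(p) for p in TRACE]
```

The stateless filter admits the fourth packet because, judged in isolation, it looks like any other reply from port 443; the stateful filter rejects it because no session from inside matches it.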
ALG - Application Layer Gateway : applies security mechanisms based on a certain application, like HTTP, SSL/TLS, FTP, DNS, and VoIP
  Deals with protocols at layer 7
  Stateful
Deep Packet Inspection - DPI : in-depth examination of packet contents
  DPI evolved into DCI - Deep Content Inspection
  DCI examines the entire file, email, etc.
  DPI - Deep Packet Inspection
    Looks into protocols and their behavior
  DCI - Deep Content Inspection
    Puts together parts of objects
    Decodes and decompresses files
IDS - Intrusion Detection System : Visibility Device
  Is out of band and simply gets copies of network traffic. It can be as simple as a system getting copies of traffic to inspect through a switch configured to send all traffic to the IDS.
IPS - Intrusion Prevention System : Control Device
  Is in-line, so original traffic must pass through the IPS.
1) Both are vulnerable to False Positives : Normal activity flagged as malicious
2) Both are vulnerable to False Negative : Malicious activity flagged as normal
Signature-based IDS and IPS act just like anti-virus software, trying to detect attacks by looking for patterns.
Anomaly-Based IDS & IPS establish a baseline of normal activity and compare current activity against it to find something that might be malicious. The latest versions can detect malicious insiders, and machines or accounts that have been compromised by outsiders.
Honeypots and Deception Software
  Honeypot : a server with no security features by design
  Honeynet : a network with no security features by design
  Decoy System : Deployed on a network to fool potential attackers
  Deception Software : new wave of honeypots and decoys that can be centrally managed
  Designed to gather information on attackers
  Purpose
    To lure attackers away from critical systems
    To allow administrators to refine firewall rules
    To learn about hacker techniques
PII - Personally Identifiable Information
Social Engineering
  Goals of Social Engineering
    Network Intrusion
    Espionage
    Fraud
    Identity Theft
    System and Network Disruption
  Potential Targets
    Corporations
    Financial Institutions
    Answering Services
    Military and Governmental Agencies
    Phone Companies
    Hospitals
    You!
  Starts with Information Gathering about the Target
    Dumpster Diving : A technique used for Information Gathering
  Exploitation : is the next step
Preventing Social Engineering
  Read policies
  Test users to make sure they follow policies
  Teach users right from wrong
The system is hacked!
Packet filtering criteria are : IP, Protocol and Port
An IDS or IPS deals with malicious traffic that the firewall missed.
A host based firewall protects hosts from malicious traffic originating on their same network.
3) (continuing the IDS/IPS list above) Both an IDS and an IPS could instruct a firewall to block certain network traffic.