9 - Firewalls and Intrusion Prevention Systems - Coggle Diagram
9 - Firewalls and Intrusion Prevention Systems
Firewall goals
only authorized traffic will be allowed to pass
firewall is immune to penetration, using hardened system with a secure OS
all traffic, from inside to outside and vice versa, must pass through the firewall
4 Firewall Techniques
Direction Control
User Control
Service Control
Behavior Control
Firewall
capabilities
provide a location for monitoring security related events
convenient platform for several Internet functions (NAT, network management)
define a single choke point to simplify security management
can be used to implement VPNs
limitations
it cannot protect against internal threats
an improperly secured LAN may be accessed from outside the organization, so an attacker could cause damage from inside it
it cannot protect against attacks that bypass the firewall
portable storage may carry malicious software
Types of Firewall
Stateful Inspection Firewalls
tightens up the rules for TCP traffic by creating a directory of outbound TCP connections; there is an entry for each currently established connection
servers listen on low-numbered, well-known ports (clients use high-numbered ones)
keeps track of the state of network connections (TCP streams, UDP datagrams, ICMP messages)
the packet filter will now allow incoming traffic only for those packets that fit the profile of one of the entries in the directory
Application-Level Gateway
must have proxy code for each application
more secure than packet filter, also easier to log
acts as a relay of application-level traffic
1) user contacts the gateway and gives the name of the remote host
2) user authenticates
3) gateway contacts the application on the remote host and relays TCP segments between the server and the user
filters incoming node traffic, and so provides network security
one disadvantage: adds processing time to each request, since the gateway analyzes traffic in both directions
Packet Filtering Firewalls
two default policies
discard: prohibit unless expressly permitted
forward: permit unless expressly prohibited
weaknesses
limited logging functionality (just source/destination address)
doesn't support user authentication
because it doesn't examine upper-layer data, it can't prevent attacks that exploit application vulnerabilities
vulnerable to address spoofing
A firewall may act as a packet filter, forwarding (positive) or discarding (negative) each packet based on information contained in the network packet headers
attacks
Source routing attack
Tiny fragment attack
IP address spoofing
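The two default policies and the stateless packet filter from this section, together with the stateful inspection directory from the section above, as an added example in Python (not part of the original diagram): the addresses come from the RFC 1918 and RFC 5737 documentation ranges, the rule set and traffic are constructed, and `Packet`, `Rule`, `packet_filter` and `StatefulFilter` are names assumed here. It shows why a stateless filter has to admit any inbound packet to a high port with ACK set (otherwise replies to outbound connections never get through), and how the directory of outbound connections lets the stateful filter discard an unsolicited inbound packet that the same shape-based rule would have forwarded.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    """Header fields the filter looks at (constructed, not a real parser)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN: first packet of a connection
    ack: bool = False  # TCP ACK: set on every later packet of a connection

@dataclass(frozen=True)
class Rule:
    """One filtering rule; fields left at their default are wildcards."""
    action: str                      # "forward" or "discard"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None      # exact destination port
    dport_min: Optional[int] = None  # or a lower bound (>1023 for replies)
    ack: Optional[bool] = None       # require the ACK flag set/clear

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or p.dport == self.dport)
                and (self.dport_min is None or p.dport >= self.dport_min)
                and (self.ack is None or p.ack == self.ack))

def packet_filter(rules: list, default: str, pkt: Packet) -> str:
    """Stateless filter: first matching rule wins, else the default policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

class StatefulFilter:
    """The same rules plus a directory of established outbound TCP connections."""

    def __init__(self, rules: list, default: str) -> None:
        self.rules, self.default = rules, default
        self.directory: set = set()  # (inner ip, inner port, outer ip, outer port)

    def decide(self, pkt: Packet, direction: str) -> str:
        if direction == "out":
            action = packet_filter(self.rules, self.default, pkt)
            if action == "forward" and pkt.syn:  # new connection: record it
                self.directory.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return action
        # Inbound: the reverse of a recorded connection is a reply and passes;
        # anything else must match an explicit rule or falls to the default.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.directory:
            return "forward"
        return packet_filter(self.rules, self.default, pkt)

INTERNAL = "192.168.1.0/24"      # constructed inside network (RFC 1918)
MAIL_SERVER = "192.168.1.10/32"  # constructed internal SMTP server

STATELESS_RULES = [
    Rule("forward", dst=MAIL_SERVER, dport=25),  # inbound mail to our server
    Rule("forward", src=INTERNAL, dport=80),     # outbound web
    Rule("forward", src=INTERNAL, dport=443),
    # Without state, replies can only be recognised by their shape:
    # inbound, to a high (client) port, with ACK set.
    Rule("forward", dst=INTERNAL, dport_min=1024, ack=True),
]
STATEFUL_RULES = STATELESS_RULES[:-1]  # the directory replaces the reply rule

# Constructed traffic (RFC 5737 outside addresses): an outbound HTTPS connection,
# its reply, an unsolicited inbound packet shaped like a reply, and inbound telnet.
SYN_OUT = Packet("192.168.1.20", 40001, "203.0.113.5", 443, syn=True)
REPLY_IN = Packet("203.0.113.5", 443, "192.168.1.20", 40001, ack=True)
PROBE_IN = Packet("198.51.100.7", 6666, "192.168.1.20", 40002, ack=True)
TELNET_IN = Packet("198.51.100.7", 5000, "192.168.1.20", 23)

def default_policy_demo() -> tuple:
    """A packet no rule matches: dropped under 'discard', passed under 'forward'."""
    return (packet_filter(STATELESS_RULES, "discard", TELNET_IN),
            packet_filter(STATELESS_RULES, "forward", TELNET_IN))

def stateless_demo() -> tuple:
    """The reply rule admits the real reply, but also the unsolicited probe."""
    return tuple(packet_filter(STATELESS_RULES, "discard", p)
                 for p in (SYN_OUT, REPLY_IN, PROBE_IN))

def stateful_demo() -> tuple:
    """The outbound SYN creates a directory entry; only its reverse is admitted."""
    f = StatefulFilter(STATEFUL_RULES, "discard")
    return (f.decide(SYN_OUT, "out"), f.decide(REPLY_IN, "in"), f.decide(PROBE_IN, "in"))
```

`stateless_demo()` returns forward for all three packets, including the probe that no internal host asked for; `stateful_demo()` forwards the SYN and its reply but discards the probe, which is exactly the "fits the profile of an entry in the directory" check described above. Real firewalls also age entries out and track the TCP handshake state; this example keeps only the connection tuple.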
Circuit-Level Gateway
SOCKS v5: allows TCP/UDP applications to use the firewall as a relay
SOCKS client library on all internal hosts
SOCKS-ified client application
1) client app contacts the SOCKS server, authenticates, and sends a relay request
2) server evaluates the request & establishes the relay connection
SOCKS server on the firewall
when the administrator trusts internal users, the gateway fully checks only inbound connections, so the inspection overhead is incurred only on inbound traffic
Like an Application Gateway, it doesn't permit an end-to-end TCP connection; rather it sets up two TCP connections:
1) between itself and a TCP user on an inner host
2) between itself and a TCP user on an outside host
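The two-connection relay that a circuit-level gateway (and, without the per-application proxy logic, an application-level gateway) performs, as an added example in Python that is not part of the diagram and does not implement the SOCKS protocol itself: `start_echo_server` stands in for the outside host, `start_circuit_gateway` is the gateway, which admits or refuses the inner endpoint by address and then opens its own TCP connection to the outside host and copies bytes both ways, and `send_through_gateway` is the inner-host client. Everything runs on loopback, so the "inner" and "outside" addresses and the allow-list are assumptions.

```python
import socket
import threading

def start_echo_server() -> int:
    """Constructed 'outside host': accepts one client and echoes its data uppercased."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            data = conn.recv(4096)
            conn.sendall(data.upper())
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then pass the EOF on as a half-close."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def start_circuit_gateway(dest_host: str, dest_port: int, allowed_inner: set) -> int:
    """Gateway: one TCP connection to the inner host, a second one to the outside
    host, and bytes relayed between them. No end-to-end connection exists."""
    gw = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    gw.bind(("127.0.0.1", 0))
    gw.listen(1)
    port = gw.getsockname()[1]

    def serve() -> None:
        inner, (inner_ip, _) = gw.accept()   # connection 1: gateway <-> inner host
        gw.close()
        if inner_ip not in allowed_inner:    # circuit-level decision: endpoint only,
            inner.close()                    # the relayed contents are not inspected
            return
        outer = socket.create_connection((dest_host, dest_port))  # connection 2
        workers = [threading.Thread(target=_pump, args=(inner, outer)),
                   threading.Thread(target=_pump, args=(outer, inner))]
        for w in workers:
            w.start()
        for w in workers:
            w.join()
        inner.close()
        outer.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def send_through_gateway(gw_port: int, payload: bytes) -> bytes:
    """Inner-host client: sends payload, half-closes, reads until the relay closes."""
    try:
        with socket.create_connection(("127.0.0.1", gw_port), timeout=5) as s:
            s.sendall(payload)
            s.shutdown(socket.SHUT_WR)
            chunks = []
            while True:
                c = s.recv(4096)
                if not c:
                    break
                chunks.append(c)
        return b"".join(chunks)
    except OSError:
        return b""  # refused or reset by the gateway: relay was denied

if __name__ == "__main__":
    gw = start_circuit_gateway("127.0.0.1", start_echo_server(), {"127.0.0.1"})
    print(send_through_gateway(gw, b"hello gateway"))
```

The client never holds a socket to the echo server: it talks to the gateway, and the gateway talks to the server, so the outside host only ever sees the gateway's address. The allow-list check is the whole of the circuit-level policy; an application-level gateway would additionally parse and authenticate the application protocol on the inner connection before opening the outer one.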
Host-Based Firewalls
advantages
protection from both internal and external attackers
additional layer of protection for the organization's firewall
filtering rules can be easily customized based on need
software used to secure an individual user's host, often used on servers
Bastion Host
critical strong point in the network's security; it is a platform that hosts application-level or circuit-level gateways.
Characteristics:
1) runs a secure OS
2) strong authentication to access
3) each proxy allows access to a subset of applications
4) each proxy can restrict features
5) each proxy is small, simple, and checked for security
6) each proxy is independent and non-privileged
7) limited disk use, hence read-only code
Intrusion Prevention System
Host-Based IPS
it can block modification of system resources (trojans, rootkits, backdoors)
it can quarantine malicious code in an isolated area to monitor its behavior
makes use of signature and anomaly detection techniques to identify attacks
Network-Based IPS
techniques
Protocol anomaly
Traffic anomaly
Stateful matching
Statistical anomaly
Pattern matching
it protects data flows by looking for malicious patterns in every data packet
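Three of the network-based IPS techniques listed above (pattern matching, stateful matching, traffic anomaly), as an added example in Python that is not part of the diagram: the signature, thresholds and packets are constructed, and `NetworkIPS` and the alert names are assumptions. It shows that a signature split across two packets of one flow escapes per-packet pattern matching but not stateful matching over the reassembled flow, and that a burst of packets from one source trips the traffic-anomaly check even though no packet carries a signature.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    """Constructed packet: flow identifiers, arrival time and payload."""
    src: str
    dst: str
    dport: int
    ts: float       # arrival time in seconds
    payload: bytes

# Constructed signature in the style of an IDS rule: a SQL injection marker.
SIGNATURES = [("sqli-union-select", re.compile(rb"(?i)union\s+select"))]

class NetworkIPS:
    def __init__(self, signatures: list, rate_limit: int, window: float) -> None:
        self.signatures = signatures
        self.rate_limit = rate_limit      # packets per source per window before alerting
        self.window = window
        self.flows = defaultdict(bytes)   # (src, dst, dport) -> reassembled payload
        self.recent = defaultdict(deque)  # src -> recent arrival times

    def inspect(self, pkt: Pkt) -> tuple:
        """Returns ("block"|"allow", [alerts]) for one packet."""
        alerts = []
        # 1) pattern matching: signature inside this single packet
        for name, rx in self.signatures:
            if rx.search(pkt.payload):
                alerts.append(f"pattern:{name}")
        # 2) stateful matching: signature across the reassembled flow, which
        #    catches a pattern that straddles a packet boundary
        key = (pkt.src, pkt.dst, pkt.dport)
        self.flows[key] = (self.flows[key] + pkt.payload)[-4096:]
        for name, rx in self.signatures:
            if f"pattern:{name}" not in alerts and rx.search(self.flows[key]):
                alerts.append(f"stateful:{name}")
        # 3) traffic anomaly: too many packets from one source inside the window
        q = self.recent[pkt.src]
        q.append(pkt.ts)
        while q[0] < pkt.ts - self.window:
            q.popleft()
        if len(q) > self.rate_limit:
            alerts.append("traffic-anomaly:rate")
        return ("block" if alerts else "allow"), alerts

def run_constructed_traffic() -> dict:
    """Feeds three constructed scenarios through one IPS instance."""
    ips = NetworkIPS(SIGNATURES, rate_limit=5, window=1.0)
    web = ("192.168.1.10", 80)  # constructed internal web server
    out = {}
    # a) whole signature in one packet: per-packet pattern matching fires
    out["single"] = ips.inspect(
        Pkt("198.51.100.7", *web, 0.0, b"GET /?q=1 UNION SELECT 1 HTTP/1.1"))
    # b) same request split so that neither packet alone contains the signature
    out["split_first"] = ips.inspect(Pkt("198.51.100.8", *web, 1.0, b"GET /?q=1 UNI"))
    out["split_second"] = ips.inspect(Pkt("198.51.100.8", *web, 1.1, b"ON SELECT 1 HTTP/1.1"))
    # c) seven packets from one source within 0.3 s: exceeds 5 per 1 s window
    for i in range(7):
        out["burst"] = ips.inspect(Pkt("198.51.100.9", *web, 2.0 + 0.05 * i, b"ping"))
    return out
```

The flow buffer is capped so that a long-lived connection cannot grow memory without bound; a production engine would also reassemble by TCP sequence number rather than arrival order and expire idle flows, which the per-packet view of this example omits.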
Firewall Locations
VPN
Distributed Firewalls
DMZ Network