Firewalls
- specialized software modules running on computer or dedicated network
- filter packets coming in and out of network
What is the most basic feature of a firewall?
packet filtering
What are some characteristic rules for packet filtering?
source IP, destination IP, protocol, source port, destination port
How do packet filters work?
the inspect the header of every packet and then make a decision how to treat it
Most common packet filtering actions
- Allow
- Drop (no notification)
- Deny (notifies source host)
Application Layer (7) Firewalls
check all OSI 7 layers
- inspect actual content of packet
- prevent users from visiting a site
- drop peer2peer application packet
IDS: Intrusion Detection Systems
- inspect app payload to detect potential attack
What does an IDS check for?
ongoing intrusions: ping sweeps, port scans, SQL injections, buffer overflows, etc
- identify traffic generated by virus/worm
How does IDS detect risky traffic?
signatures
Can IDS detect something it does not already know?
No
- sometimes false positives
Detection sensors
- software components that inspect network traffic
- passively intercept intrusions and comms to IDS manager
IDS Manager
software in charge fo maintaining policies
2 main categories of IDS
- Network Intrusion Detection Systems (NIDS)
2. Host Intrusion Detection Systems (HIDS)
NIDS: Network Intrusion Detection Systems
inspect network traffic w/ sensors placed on router or DMZ
HIDS: Host Intrusion Detection Systems
monitor logs, file-system changes, OS config changes
IPS: Intrusion Prevention Systems
- drop malicious requests when the threat has a risk classification above a pre-defined threshold
How to spot an obstacle like firewall/IDS/etc?
TCP SYN is sent:
- no TCP SYN/ACK reply
- TCP RST/ACK reply is received
NAT: Network Address Translation
technique used to provide access to a network from another network
- masquerades client’s IP address to external internet
