Network Security and Forensics

🔒Network Security and Forensics Unit 3 – Firewalls & Intrusion Detection Systems

Firewalls and Intrusion Detection Systems (IDS) are crucial components of network security. They protect against unauthorized access, enforce security policies, and monitor for suspicious activities. These tools act as barriers between trusted internal networks and untrusted external networks, controlling traffic flow and detecting potential threats. Firewalls come in various types, including packet-filtering, stateful inspection, and application-level gateways. IDS and Intrusion Prevention Systems (IPS) extend security by monitoring network traffic and actively preventing detected intrusions. Together, these technologies form a comprehensive defense strategy against common attacks and evolving threats.

Key Concepts

  • Firewalls act as a barrier between trusted internal networks and untrusted external networks (internet) to protect against unauthorized access
  • Firewalls enforce security policies by controlling incoming and outgoing network traffic based on predetermined rules
  • Packet filtering examines each packet passing through the firewall and accepts or rejects it based on rules defined by the network administrator
    • Stateless packet filtering doesn't keep track of the state of connections, treating each packet independently
    • Stateful packet filtering maintains a state table to track the state of network connections (new, established, or related)
  • Application-level gateways (proxies) act as intermediaries between two hosts, analyzing the application-level protocols (HTTP, FTP, SMTP) to determine if the traffic should be allowed
  • Intrusion Detection Systems (IDS) monitor network traffic for suspicious activities or policy violations and generate alerts when detected
  • Intrusion Prevention Systems (IPS) extend IDS capabilities by actively preventing or blocking detected intrusions in real-time
  • Security policies define the rules and procedures governing the use of an organization's IT assets and resources to protect against unauthorized access and data breaches

Types of Firewalls

  • Packet-filtering firewalls operate at the network layer (Layer 3) of the OSI model, examining packets and making allow/block decisions based on predefined rules
    • Rules can be based on IP addresses, port numbers, protocols (TCP, UDP, ICMP), or other packet attributes
    • Advantages include low cost, minimal impact on network performance, and transparency to users
    • Disadvantages include lack of application-level awareness and vulnerability to certain attacks (IP spoofing)
  • Stateful inspection firewalls maintain a state table to track the state of network connections and make decisions based on the packet's context within the connection
    • Provides better security than stateless packet filtering by considering the connection state and preventing certain attacks (TCP SYN flooding)
  • Application-level gateways (proxies) operate at the application layer (Layer 7), acting as intermediaries between clients and servers
    • Proxies can perform deep packet inspection, examining the application-level protocols and payloads for malicious content or policy violations
    • Provides granular control over application-specific traffic (web, email, file transfers) but may impact network performance due to the additional processing overhead
  • Next-generation firewalls (NGFW) combine the features of traditional firewalls, IDS/IPS, and application-level inspection to provide comprehensive security
    • NGFWs can identify and control applications, users, and content, providing advanced threat protection and visibility

Firewall Configurations

  • Screened host (single-homed) firewall consists of a single firewall between the internal network and the internet, with a demilitarized zone (DMZ) for public-facing servers
    • Provides a basic level of protection but has a single point of failure and limited scalability
  • Screened subnet (dual-homed) firewall uses two firewalls to create an isolated DMZ between the internal network and the internet
    • Offers better security and flexibility than a single-homed firewall by separating public servers from the internal network
  • Multi-layered firewall architecture employs multiple firewalls at different network layers (perimeter, core, and internal) to provide defense-in-depth
    • Perimeter firewalls control access to the organization's network from the internet
    • Core firewalls segment the internal network into separate security zones based on different trust levels or business functions
    • Internal firewalls protect critical assets (databases, servers) within each security zone
  • Distributed firewall architecture involves deploying firewalls at multiple locations (branch offices, remote sites) to enforce consistent security policies across the organization
    • Centralized management allows for efficient policy updates and monitoring of distributed firewalls

Intrusion Detection Systems (IDS)

  • Network-based IDS (NIDS) monitor network traffic at strategic points within the network (core switches, routers) to detect suspicious activities
    • NIDS analyze network packets in real-time or near real-time to identify attacks, malware, or policy violations
    • Can detect a wide range of network-based attacks (DoS, port scans, malware propagation) but may struggle with encrypted traffic
  • Host-based IDS (HIDS) monitor activities on individual hosts (servers, workstations) by analyzing system logs, file changes, and application activities
    • HIDS can detect local attacks that may not be visible to NIDS (privilege escalation, unauthorized file access)
    • Provides detailed information about the attacked host but requires deployment and management on each protected system
  • Signature-based detection compares network traffic or system activities against a database of known attack patterns (signatures) to identify threats
    • Effective against known attacks but requires frequent signature updates and may miss novel or variant attacks
  • Anomaly-based detection establishes a baseline of normal behavior and identifies deviations from the baseline as potential threats
    • Can detect previously unknown attacks but may generate false positives due to benign deviations from the baseline
  • IDS placement should consider network topology, critical assets, and potential attack vectors to maximize coverage and minimize blind spots

Intrusion Prevention Systems (IPS)

  • IPS extend IDS capabilities by actively preventing or blocking detected intrusions in real-time, rather than simply generating alerts
  • Network-based IPS (NIPS) are deployed inline with network traffic, allowing them to block malicious packets before they reach the target systems
    • NIPS can terminate connections, drop packets, or modify malicious content to neutralize threats
    • Inline deployment introduces a potential single point of failure and may impact network performance
  • Host-based IPS (HIPS) operate on individual hosts, monitoring and blocking malicious activities in real-time
    • HIPS can prevent unauthorized changes to system files, registry settings, or applications
    • Provides immediate protection to the host but requires deployment and management on each protected system
  • IPS use a combination of signature-based and anomaly-based detection methods to identify and block threats
  • IPS management involves defining and tuning security policies, monitoring alerts, and updating signatures to maintain effective protection
  • False positives (blocking legitimate traffic) and false negatives (failing to block malicious traffic) are key challenges in IPS deployment and configuration

Implementation Strategies

  • Identify critical assets and data that require protection based on their value, sensitivity, and regulatory requirements
  • Conduct a risk assessment to identify potential threats, vulnerabilities, and the impact of successful attacks on the organization
  • Define security policies that specify the rules and procedures for firewall configuration, IDS/IPS monitoring, and incident response
    • Policies should align with business objectives, industry best practices, and regulatory compliance requirements (PCI DSS, HIPAA)
  • Select appropriate firewall types and IDS/IPS solutions based on the organization's network architecture, security requirements, and budget
    • Consider factors such as performance, scalability, ease of management, and integration with existing security tools
  • Deploy firewalls at strategic locations (perimeter, core, internal) to control network traffic and enforce security policies
    • Configure firewall rules based on the principle of least privilege, allowing only necessary traffic and denying all else
  • Implement IDS/IPS sensors at critical monitoring points to detect and prevent intrusions
    • Tune IDS/IPS rules to minimize false positives and false negatives based on the organization's risk tolerance
  • Establish a centralized management and monitoring system to correlate events, generate alerts, and provide visibility into the security posture
  • Develop an incident response plan that outlines the procedures for detecting, analyzing, containing, and recovering from security incidents
  • Conduct regular security assessments (penetration testing, vulnerability scanning) to identify and remediate weaknesses in the firewall and IDS/IPS deployments

Common Attacks and Defenses

  • Reconnaissance attacks (port scanning, network mapping) attempt to gather information about the target network and identify potential vulnerabilities
    • Firewalls can block unauthorized scans and limit the exposure of network services
    • IDS can detect and alert on scanning activities, allowing administrators to investigate and respond
  • Denial-of-Service (DoS) attacks aim to overwhelm network resources and disrupt legitimate traffic
    • SYN flood attacks exploit the TCP three-way handshake by sending a high volume of SYN packets without completing the connection
    • Firewalls can limit the number of half-open connections and block traffic from suspected DoS sources
    • IPS can detect and block DoS traffic patterns in real-time
  • Malware (viruses, worms, trojans) can infect systems and spread across the network, compromising data and resources
    • Firewalls can block known malware communication channels and prevent the spread of infections
    • IDS can detect malware signatures and anomalous behavior indicative of malware activity
    • Host-based IPS can prevent malware execution and unauthorized changes to system files
  • Advanced Persistent Threats (APTs) are targeted, stealthy attacks that aim to establish a long-term foothold in the network for data exfiltration or sabotage
    • APTs often use zero-day vulnerabilities, social engineering, and custom malware to evade traditional defenses
    • Next-generation firewalls with application-level inspection and threat intelligence can help detect and block APT traffic
    • Anomaly-based IDS can identify unusual network behavior and lateral movement associated with APTs
  • Insider threats involve malicious or negligent actions by employees, contractors, or partners with legitimate access to the network
    • Firewalls can enforce access controls and segregate sensitive resources based on user roles and permissions
    • IDS can monitor user activities and detect policy violations or suspicious behavior (data exfiltration, privilege abuse)

Real-World Applications

  • E-commerce websites use firewalls and IDS/IPS to protect against web application attacks (SQL injection, cross-site scripting) and ensure the security of customer data and financial transactions
  • Healthcare organizations deploy firewalls and IDS/IPS to safeguard electronic health records (EHRs) and comply with HIPAA regulations
    • Firewalls can segment medical devices and restrict access to sensitive patient data
    • IDS can detect unauthorized access attempts and monitor for potential data breaches
  • Financial institutions rely on firewalls and IDS/IPS to secure online banking systems, prevent fraud, and meet PCI DSS requirements
    • Firewalls can isolate payment processing systems and control access to cardholder data
    • IPS can block known attack patterns and protect against emerging threats targeting financial systems
  • Government agencies and critical infrastructure operators use firewalls and IDS/IPS to defend against cyber espionage, sabotage, and nation-state attacks
    • Next-generation firewalls with threat intelligence can detect and block advanced persistent threats (APTs)
    • Anomaly-based IDS can identify unusual network behavior and potential insider threats
  • Remote workforce and cloud adoption have increased the importance of firewalls and IDS/IPS for securing remote access and protecting cloud-based assets
    • Virtual firewalls and cloud-native IDS/IPS solutions can enforce security policies across hybrid and multi-cloud environments
    • Zero Trust architectures leverage firewalls and IDS/IPS to continuously verify and secure access to resources, regardless of location


© 2024 Fiveable Inc. All rights reserved.
AP® and SAT® are trademarks registered by the College Board, which is not affiliated with, and does not endorse this website.

© 2024 Fiveable Inc. All rights reserved.
AP® and SAT® are trademarks registered by the College Board, which is not affiliated with, and does not endorse this website.