Network Security and Forensics Unit 3 – Firewalls & Intrusion Detection Systems

Firewalls and Intrusion Detection Systems (IDS) are crucial components of network security. They protect against unauthorized access, enforce security policies, and monitor for suspicious activities. These tools act as barriers between trusted internal networks and untrusted external networks, controlling traffic flow and detecting potential threats. Firewalls come in various types, including packet-filtering, stateful inspection, and application-level gateways. IDS monitor network traffic for signs of intrusion, and Intrusion Prevention Systems (IPS) extend this by actively blocking the intrusions they detect. Together, these technologies form a comprehensive defense strategy against common attacks and evolving threats.

Key Concepts

  • Firewalls act as a barrier between trusted internal networks and untrusted external networks (internet) to protect against unauthorized access
  • Firewalls enforce security policies by controlling incoming and outgoing network traffic based on predetermined rules
  • Packet filtering examines each packet passing through the firewall and accepts or rejects it based on rules defined by the network administrator
    • Stateless packet filtering doesn't keep track of the state of connections, treating each packet independently
    • Stateful packet filtering maintains a state table to track the state of network connections (new, established, or related)
  • Application-level gateways (proxies) act as intermediaries between two hosts, analyzing the application-level protocols (HTTP, FTP, SMTP) to determine if the traffic should be allowed
  • Intrusion Detection Systems (IDS) monitor network traffic for suspicious activities or policy violations and generate alerts when detected
  • Intrusion Prevention Systems (IPS) extend IDS capabilities by actively preventing or blocking detected intrusions in real-time
  • Security policies define the rules and procedures governing the use of an organization's IT assets and resources to protect against unauthorized access and data breaches

Types of Firewalls

  • Packet-filtering firewalls operate at the network layer (Layer 3) of the OSI model, examining packets and making allow/block decisions based on predefined rules
    • Rules can be based on IP addresses, port numbers, protocols (TCP, UDP, ICMP), or other packet attributes
    • Advantages include low cost, minimal impact on network performance, and transparency to users
    • Disadvantages include lack of application-level awareness and vulnerability to certain attacks (IP spoofing)
  • Stateful inspection firewalls maintain a state table to track the state of network connections and make decisions based on the packet's context within the connection
    • Provides better security than stateless packet filtering by considering the connection state and preventing certain attacks (TCP SYN flooding)
  • Application-level gateways (proxies) operate at the application layer (Layer 7), acting as intermediaries between clients and servers
    • Proxies can perform deep packet inspection, examining the application-level protocols and payloads for malicious content or policy violations
    • Provides granular control over application-specific traffic (web, email, file transfers) but may impact network performance due to the additional processing overhead
  • Next-generation firewalls (NGFW) combine the features of traditional firewalls, IDS/IPS, and application-level inspection to provide comprehensive security
    • NGFWs can identify and control applications, users, and content, providing advanced threat protection and visibility

Firewall Configurations

  • Screened host (single-homed) firewall consists of a single firewall between the internal network and the internet, with a demilitarized zone (DMZ) for public-facing servers
    • Provides a basic level of protection but has a single point of failure and limited scalability
  • Screened subnet (dual-homed) firewall uses two firewalls to create an isolated DMZ between the internal network and the internet
    • Offers better security and flexibility than a single-homed firewall by separating public servers from the internal network
  • Multi-layered firewall architecture employs multiple firewalls at different tiers of the network (perimeter, core, and internal) to provide defense-in-depth
    • Perimeter firewalls control access to the organization's network from the internet
    • Core firewalls segment the internal network into separate security zones based on different trust levels or business functions
    • Internal firewalls protect critical assets (databases, servers) within each security zone
  • Distributed firewall architecture involves deploying firewalls at multiple locations (branch offices, remote sites) to enforce consistent security policies across the organization
    • Centralized management allows for efficient policy updates and monitoring of distributed firewalls

Intrusion Detection Systems (IDS)

  • Network-based IDS (NIDS) monitor network traffic at strategic points within the network (core switches, routers) to detect suspicious activities
    • NIDS analyze network packets in real-time or near real-time to identify attacks, malware, or policy violations
    • Can detect a wide range of network-based attacks (DoS, port scans, malware propagation) but may struggle with encrypted traffic
  • Host-based IDS (HIDS) monitor activities on individual hosts (servers, workstations) by analyzing system logs, file changes, and application activities
    • HIDS can detect local attacks that may not be visible to NIDS (privilege escalation, unauthorized file access)
    • Provides detailed information about the attacked host but requires deployment and management on each protected system
  • Signature-based detection compares network traffic or system activities against a database of known attack patterns (signatures) to identify threats
    • Effective against known attacks but requires frequent signature updates and may miss novel or variant attacks
  • Anomaly-based detection establishes a baseline of normal behavior and identifies deviations from the baseline as potential threats
    • Can detect previously unknown attacks but may generate false positives due to benign deviations from the baseline
  • IDS placement should consider network topology, critical assets, and potential attack vectors to maximize coverage and minimize blind spots
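Signature-based and anomaly-based detection as described above, in an added Python example that is not from the original notes: a constructed HTTP request log is checked against a small signature set, and a per-client request-rate baseline learned from a training window flags bursts. All addresses, the request lines, the signature entries and the threshold factor k are assumptions made for the example.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed web-server request log: (minute, client IP, HTTP request line).
# Training window: two internal clients making 3 to 5 requests per minute.
TRAINING = [(m, ip, "GET /index.html") for m in range(10)
            for ip in ("10.0.0.7", "10.0.0.8") for _ in range(m % 3 + 3)]
OBSERVED = (
    [(10, "10.0.0.7", "GET /index.html")] * 4
    + [(10, "198.51.100.4", "GET /search?q=1' UNION SELECT 1,2--")]  # known SQLi pattern
    + [(11, "10.0.0.8", "GET /report.pdf")] * 40                      # benign bulk download
    + [(11, "198.51.100.9", f"GET /api/v2/{i}") for i in range(30)]   # burst matching no signature
)

# Signature database: regular expressions for known attack patterns (constructed, two entries).
SIGNATURES = {
    "sql-injection": re.compile(r"(?i)union\s+select"),
    "path-traversal": re.compile(r"\.\./"),
}

def signature_alerts(events):
    """Alert on every request matching a known signature; anything novel is missed."""
    return [(m, ip, name) for m, ip, req in events
            for name, rx in SIGNATURES.items() if rx.search(req)]

def baseline(training):
    """Learn normal behaviour: mean and spread of requests per (minute, client)."""
    counts = list(Counter((m, ip) for m, ip, _ in training).values())
    return mean(counts), pstdev(counts)

def anomaly_alerts(events, mu, sigma, k=3):
    """Alert when a client's per-minute request count exceeds mean + k * sigma (k assumed)."""
    counts = Counter((m, ip) for m, ip, _ in events)
    return [(m, ip, "rate-anomaly") for (m, ip), n in counts.items() if n > mu + k * sigma]

def run_ids():
    mu, sigma = baseline(TRAINING)
    return {"signature": signature_alerts(OBSERVED),
            "anomaly": anomaly_alerts(OBSERVED, mu, sigma)}
```

The bulk download from 10.0.0.8 is flagged as a rate anomaly even though it is benign (a false positive), while the burst from 198.51.100.9 is caught only by the anomaly detector because no signature matches it.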

Intrusion Prevention Systems (IPS)

  • IPS extend IDS capabilities by actively preventing or blocking detected intrusions in real-time, rather than simply generating alerts
  • Network-based IPS (NIPS) are deployed inline with network traffic, allowing them to block malicious packets before they reach the target systems
    • NIPS can terminate connections, drop packets, or modify malicious content to neutralize threats
    • Inline deployment introduces a potential single point of failure and may impact network performance
  • Host-based IPS (HIPS) operate on individual hosts, monitoring and blocking malicious activities in real-time
    • HIPS can prevent unauthorized changes to system files, registry settings, or applications
    • Provides immediate protection to the host but requires deployment and management on each protected system
  • IPS use a combination of signature-based and anomaly-based detection methods to identify and block threats
  • IPS management involves defining and tuning security policies, monitoring alerts, and updating signatures to maintain effective protection
  • False positives (blocking legitimate traffic) and false negatives (failing to block malicious traffic) are key challenges in IPS deployment and configuration

Implementation Strategies

  • Identify critical assets and data that require protection based on their value, sensitivity, and regulatory requirements
  • Conduct a risk assessment to identify potential threats, vulnerabilities, and the impact of successful attacks on the organization
  • Define security policies that specify the rules and procedures for firewall configuration, IDS/IPS monitoring, and incident response
    • Policies should align with business objectives, industry best practices, and regulatory compliance requirements (PCI DSS, HIPAA)
  • Select appropriate firewall types and IDS/IPS solutions based on the organization's network architecture, security requirements, and budget
    • Consider factors such as performance, scalability, ease of management, and integration with existing security tools
  • Deploy firewalls at strategic locations (perimeter, core, internal) to control network traffic and enforce security policies
    • Configure firewall rules based on the principle of least privilege, allowing only necessary traffic and denying all else
  • Implement IDS/IPS sensors at critical monitoring points to detect and prevent intrusions
    • Tune IDS/IPS rules to minimize false positives and false negatives based on the organization's risk tolerance
  • Establish a centralized management and monitoring system to correlate events, generate alerts, and provide visibility into the security posture
  • Develop an incident response plan that outlines the procedures for detecting, analyzing, containing, and recovering from security incidents
  • Conduct regular security assessments (penetration testing, vulnerability scanning) to identify and remediate weaknesses in the firewall and IDS/IPS deployments

Common Attacks and Defenses

  • Reconnaissance attacks (port scanning, network mapping) attempt to gather information about the target network and identify potential vulnerabilities
    • Firewalls can block unauthorized scans and limit the exposure of network services
    • IDS can detect and alert on scanning activities, allowing administrators to investigate and respond
  • Denial-of-Service (DoS) attacks aim to overwhelm network resources and disrupt legitimate traffic
    • SYN flood attacks exploit the TCP three-way handshake by sending a high volume of SYN packets without completing the connection
    • Firewalls can limit the number of half-open connections and block traffic from suspected DoS sources
    • IPS can detect and block DoS traffic patterns in real-time
  • Malware (viruses, worms, trojans) can infect systems and spread across the network, compromising data and resources
    • Firewalls can block known malware communication channels and prevent the spread of infections
    • IDS can detect malware signatures and anomalous behavior indicative of malware activity
    • Host-based IPS can prevent malware execution and unauthorized changes to system files
  • Advanced Persistent Threats (APTs) are targeted, stealthy attacks that aim to establish a long-term foothold in the network for data exfiltration or sabotage
    • APTs often use zero-day vulnerabilities, social engineering, and custom malware to evade traditional defenses
    • Next-generation firewalls with application-level inspection and threat intelligence can help detect and block APT traffic
    • Anomaly-based IDS can identify unusual network behavior and lateral movement associated with APTs
  • Insider threats involve malicious or negligent actions by employees, contractors, or partners with legitimate access to the network
    • Firewalls can enforce access controls and segregate sensitive resources based on user roles and permissions
    • IDS can monitor user activities and detect policy violations or suspicious behavior (data exfiltration, privilege abuse)
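Stateful inspection (from Types of Firewalls) and the half-open connection limit against SYN flooding (from the DoS bullet above), as one added Python simulation that is not from the original notes: a stateless filter that has to accept any ACK from port 443 to let replies in, beside a stateful filter whose state table admits only replies to tracked connections and caps half-open connections per destination host. The address ranges, the cap MAX_HALF_OPEN and the policy function are constructed assumptions.

```python
from collections import namedtuple

# Constructed packets; flags holds TCP flag letters such as "S", "SA" or "A".
Packet = namedtuple("Packet", "src sport dst dport flags")
INTERNAL = "10.0.0."       # internal address prefix (assumed)
WEB_SERVER = "10.0.0.5"    # public-facing HTTPS server in the DMZ (assumed)
MAX_HALF_OPEN = 3          # hypothetical per-host cap on half-open connections

def new_connection_permitted(p):
    """Policy: internal clients may open HTTPS anywhere; anyone may reach the web server."""
    return p.dport == 443 and (p.src.startswith(INTERNAL) or p.dst == WEB_SERVER)

def stateless_allow(p):
    """Stateless filter: each packet judged alone, so it must accept any ACK from port 443."""
    return new_connection_permitted(p) or (
        p.dst.startswith(INTERNAL) and p.sport == 443 and "A" in p.flags)

class StatefulFilter:
    """Stateful inspection: only tracked replies pass, and half-open connections are capped."""
    def __init__(self):
        self.table = {}  # (src, sport, dst, dport) -> "half_open" | "established"

    def half_open(self, dst):
        return sum(1 for (_, _, d, _), s in self.table.items() if d == dst and s == "half_open")

    def allow(self, p):
        key, reverse = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        if key in self.table:                       # original direction of a tracked flow
            if p.flags == "A":                      # final ACK completes the handshake
                self.table[key] = "established"
            return True
        if reverse in self.table:                   # reply to a tracked flow
            return True
        if (p.flags == "S" and new_connection_permitted(p)
                and self.half_open(p.dst) < MAX_HALF_OPEN):
            self.table[key] = "half_open"           # new connection attempt accepted
            return True
        return False                                # unsolicited packet or over the cap

def demo():
    fw = StatefulFilter()
    client, ext = "10.0.0.7", "203.0.113.9"
    handshake = [Packet(client, 50000, ext, 443, "S"), Packet(ext, 443, client, 50000, "SA"),
                 Packet(client, 50000, ext, 443, "A")]
    forged = Packet("198.51.100.4", 443, client, 50001, "A")  # "reply" nobody asked for
    flood = [Packet(f"198.51.100.{i}", 40000 + i, WEB_SERVER, 443, "S") for i in range(6)]
    return {"handshake": [fw.allow(p) for p in handshake],
            "forged_stateless": stateless_allow(forged),
            "forged_stateful": fw.allow(forged),
            "flood_accepted": sum(fw.allow(p) for p in flood)}  # only 3 of 6 SYNs get through
```

The forged ACK passes the stateless rules because it has the shape of a legitimate reply, while the stateful filter drops it for lacking a matching table entry; the SYN burst to the server is cut off once three half-open connections exist.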

Real-World Applications

  • E-commerce websites use firewalls and IDS/IPS to protect against web application attacks (SQL injection, cross-site scripting) and ensure the security of customer data and financial transactions
  • Healthcare organizations deploy firewalls and IDS/IPS to safeguard electronic health records (EHRs) and comply with HIPAA regulations
    • Firewalls can segment medical devices and restrict access to sensitive patient data
    • IDS can detect unauthorized access attempts and monitor for potential data breaches
  • Financial institutions rely on firewalls and IDS/IPS to secure online banking systems, prevent fraud, and meet PCI DSS requirements
    • Firewalls can isolate payment processing systems and control access to cardholder data
    • IPS can block known attack patterns and protect against emerging threats targeting financial systems
  • Government agencies and critical infrastructure operators use firewalls and IDS/IPS to defend against cyber espionage, sabotage, and nation-state attacks
    • Next-generation firewalls with threat intelligence can detect and block advanced persistent threats (APTs)
    • Anomaly-based IDS can identify unusual network behavior and potential insider threats
  • Remote workforce and cloud adoption have increased the importance of firewalls and IDS/IPS for securing remote access and protecting cloud-based assets
    • Virtual firewalls and cloud-native IDS/IPS solutions can enforce security policies across hybrid and multi-cloud environments
    • Zero Trust architectures leverage firewalls and IDS/IPS to continuously verify and secure access to resources, regardless of location


© 2024 Fiveable Inc. All rights reserved.
AP® and SAT® are trademarks registered by the College Board, which is not affiliated with, and does not endorse this website.