Firewalls, IDS and IPS
Summary: Firewalls, IDS and IPS. By sass89 • 27 November 2023 • Summary • 7,905 words (32 pages) • 188 views
MIS5214
Midterm Study Support Materials
Agenda
- Firewalls
- Intrusion Detection Systems
- Intrusion Prevention Systems
Firewalls are used to Implement Network Security Policy
Firewalls support and enforce an organization’s network security policy
- High-level directives on acceptable and unacceptable actions to protect critical assets
Firewall security policy identifies:
- What services can be accessed
- What IP addresses and ranges are restricted
- What ports can be accessed
Firewalls are security architecture “choke points” in an IT network
All communication should flow through and be inspected and restricted by firewalls
- Used to restrict access to one network from another
- Restrict access from the Internet to corporate networks
- Restrict access between internal network segments
Restrict access:
- Between origin and destination
- Based on a determination of acceptable traffic type(s)
May be implemented as a:
- Software product running on a server
- Specialized hardware appliance
Monitors data packets coming into and out of the network it is protecting
- Packets are filtered by:
- Source and destination addresses and ports
- Header information
- Protocol type
- Packet type
- Service
- Data content, i.e. application and file data content
Firewalls are installed to construct DMZ areas
- Network segments which are located between protected and unprotected networks
- Provide a buffer zone between the dangerous Internet and the valuable assets the organization seeks to protect
- Usually 2 firewalls are installed to form a DMZ
- May contain mail, file, and DNS (Domain Name System) servers
- Usually contain an Intrusion Detection System sensor which listens for suspicious and malicious behavior
- Servers in the DMZ must be hardened to serve as the first line of protection against attacks coming from the Internet
Firewall types:
- Packet filtering
- Dynamic packet filtering
- Stateful inspection
- Proxy firewall
- Kernel proxy
- “First-generation” firewall technology – the most basic and primitive
- Capabilities built into most firewalls and routers
- Configured with access control lists (ACLs) which dictate the type of traffic permitted into and out of the network
- Filters compare protocol header information from the network and transport layers with the ACLs
Packet-filtering Firewalls
Compare ACLs with network protocol header values to determine whether to permit or deny network access based on:
- Source and destination IP addresses
- Source and destination port numbers
- Protocol types
- Inbound and outbound traffic direction
[Figures: IP header (Network Layer 3); TCP and UDP header formats (Transport Layer 4)]
TCP/IP Port numbers
Ports 0 to 1023 are Well-Known Ports
Ports 1024 to 49151 are Registered Ports – often registered by a software developer to designate a particular port for their application
Ports 49152 to 65535 are Public Ports
Example ACL Rules
- Router configuration allowing SMTP (Simple Mail Transfer Protocol) traffic to travel from system 10.1.1.2 to system 172.16.1.1:
  permit tcp host 10.1.1.2 host 172.16.1.1 eq smtp
- Allow UDP traffic from 10.1.1.2 to 172.16.1.1:
  permit udp host 10.1.1.2 host 172.16.1.1
- Block all ICMP (Internet Control Message Protocol) traffic, i.e. router error messages and operational information, from entering through a certain interface:
  deny icmp any any
- Allow standard web traffic (to a web server listening on port 80) from system 1.1.1.1 to system 5.5.5.5:
  permit tcp host 1.1.1.1 host 5.5.5.5 eq www
Packet-filtering firewalls
Packet-filtering firewalls monitor traffic and provide “stateless inspection” of the header attribute values (i.e. delivery information) of individual packets; once the decision to permit or deny access to the network is made, the firewall forgets about the packet
- Weakness: no knowledge of the data moving between applications communicating across the network
- Cannot protect against malicious packet content, e.g. probes for specific software with known vulnerabilities, or a payload that exploits a buffer overflow
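As an added illustration (not part of the course notes), the Python below parses the example ACL rules listed earlier and applies them to constructed packet headers the way a stateless packet filter does: first match wins, with an implicit deny when nothing matches. The last check in the test shows the stateless weakness described above: the reply traffic of a permitted SMTP connection is dropped because the filter keeps no session state. The Packet class, the SERVICES name-to-port mapping and the parse_rule helper are assumptions made for this example.

```python
# Added example: a minimal stateless packet filter evaluating Cisco-style
# extended ACL lines ("permit|deny <proto> host A|any host B|any [eq <svc>]").
# Hypothetical code written for these notes, not a real firewall implementation.
from dataclasses import dataclass

# Service names used with "eq" in the notes; assumed mapping to port numbers.
SERVICES = {"smtp": 25, "www": 80, "http": 80, "dns": 53}

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int = 0  # destination port; 0 for protocols without ports (icmp)

def parse_rule(line):
    """Parse one ACL line into a rule dict; None fields match anything."""
    tok = line.split()
    action, proto, tok = tok[0], tok[1], tok[2:]
    def take_addr():
        nonlocal tok
        if tok[0] == "any":
            tok = tok[1:]
            return None
        if tok[0] == "host":
            addr = tok[1]
            tok = tok[2:]
            return addr
        raise ValueError("unsupported address form: " + tok[0])
    src, dst = take_addr(), take_addr()
    port = None
    if tok and tok[0] == "eq":
        port = SERVICES.get(tok[1]) or int(tok[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": port}

def matches(rule, pkt):
    # Only header fields are compared: no payload, no connection state.
    return (rule["proto"] == pkt.proto
            and rule["src"] in (None, pkt.src)
            and rule["dst"] in (None, pkt.dst)
            and rule["dport"] in (None, pkt.dport))

def filter_packet(acl_lines, pkt):
    """Return 'permit' or 'deny'; an unmatched packet hits the implicit deny."""
    for rule in map(parse_rule, acl_lines):
        if matches(rule, pkt):
            return rule["action"]
    return "deny"

# The four example rules from the notes, in order.
ACL = ["permit tcp host 10.1.1.2 host 172.16.1.1 eq smtp",
       "permit udp host 10.1.1.2 host 172.16.1.1",
       "deny icmp any any",
       "permit tcp host 1.1.1.1 host 5.5.5.5 eq www"]
```

Because the filter sees only per-packet headers, the SMTP server's replies (source port 25 back to the client) need their own explicit rule on a stateless device, which is exactly what stateful inspection automates.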
...