By  •  27 November 2023  •  Summary  •  7,905 words (32 pages)  •  188 views

Firewalls, IDS and IPS

MIS5214

Midterm Study Support Materials

Agenda

  • Firewalls

  • Intrusion Detection Systems
  • Intrusion Prevention Systems

Firewalls are used to Implement Network Security Policy

  • Firewalls support and enforce an organization’s network security policy
  • High-level directives on acceptable and unacceptable actions to protect critical assets
  • Firewall security policy identifies:
  • What services can be accessed
  • What IP addresses and ranges are restricted
  • What ports can be accessed

Firewalls are security architecture “choke points” in an IT network

  • All communication should flow through, and be inspected and restricted by, firewalls
  • Used to restrict access to one network from another:
  • Restrict access from the internet to corporate networks
  • Restrict access between internal network segments
  • Restrict access between origin and destination, based on a determination of acceptable traffic type(s)


  • May be implemented as a
  • Software product running on a server
  • Specialized hardware appliance
  • Monitors data packets coming into and out of the network it is protecting
  • Packets are filtered by:
  • Source and destination addresses and ports
  • Header information
  • Protocol type
  • Packet type
  • Service
  • Data content, i.e. application and file data content (requires a firewall that inspects above the transport layer; a plain packet filter cannot do this)

Firewalls are installed to construct DMZ areas

  • Network segments located between protected and unprotected networks
  • Provide a buffer zone between the dangerous Internet and the valuable assets the organization seeks to protect
  • Usually 2 firewalls are installed to form a DMZ: an outer firewall facing the Internet and an inner firewall facing the internal network
  • May contain mail, file, and DNS (Domain Name System) servers
  • Usually contains an Intrusion Detection System sensor which listens for suspicious and malicious behavior
  • Servers in the DMZ must be hardened, since they are the first line of protection against attacks coming from the Internet

Firewall types

  1. Packet filtering
  2. Dynamic packet filtering
  3. Stateful inspection
  4. Proxy firewall
  5. Kernel proxy

Packet-filtering Firewalls

  • “First-generation” firewall technology, the most basic and primitive
  • Capabilities built into most firewalls and routers
  • Configured with access control lists (ACLs) which dictate the type of traffic permitted into and out of the network
  • Filters compare protocol header information from the network and transport layers with the ACLs

Compares ACLs with network protocol header values to determine permit/deny network access based on:

  1. Source and destination IP addresses
  2. Source and destination port numbers
  3. Protocol types
  4. Inbound and outbound traffic direction

[Figures: IP header (network layer 3); TCP and UDP header formats (transport layer 4)]

TCP/IP Port numbers

Ports 0 to 1023 are Well-Known Ports

Ports 1024 to 49151 are Registered Ports, often registered by a software developer to designate a particular port for their application

Ports 49152 to 65535 are Dynamic or Private Ports (the ephemeral ports a client operating system assigns to the source side of outbound connections)

Example ACL Rules

  • Router configuration allowing SMTP (Simple Mail Transfer Protocol) traffic to travel from system 10.1.1.2 to system 172.16.1.1:

permit tcp host 10.1.1.2 host 172.16.1.1 eq smtp

  • Allow UDP traffic from 10.1.1.2 to 172.16.1.1:

permit udp host 10.1.1.2 host 172.16.1.1

  • Block all ICMP (Internet Control Message Protocol, i.e. router error messages and operational information) traffic from entering through a certain interface:

deny icmp any any

  • Allow standard web traffic (to a web server listening on port 80) from system 1.1.1.1 to system 5.5.5.5:

permit tcp host 1.1.1.1 host 5.5.5.5 eq www

  • Rules are evaluated in order: the first matching entry decides, and traffic that matches no entry is dropped by the implicit deny at the end of the list

Packet-filtering firewalls

Packet-filtering firewalls monitor traffic and provide “stateless inspection” of the header attribute values (i.e. delivery information) of individual packets; once the decision to permit or deny access to the network is made, the firewall forgets about the packet

  • Weakness: no knowledge of the data moving between applications communicating across the network, and no memory of earlier packets in the same connection
  • Cannot protect against packet content, e.g. a probe for specific software with known vulnerabilities followed by a buffer-overflow exploit carried in the payload of an otherwise permitted packet
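The stateless filter described in this section, as an added example that is not part of the original course slides: a Python model of a first-match ACL in the Cisco-style syntax quoted above, loaded with the page's four rules and run over a handful of packets. The service-name table, the implicit deny when no rule matches, the `Packet`/`Rule` types and the sample packets are assumptions constructed for this demonstration; the point it makes is that two packets with identical headers but very different payloads (a normal SMTP greeting and an oversized command of the kind used to probe for a buffer overflow) receive the same verdict, because nothing in the filter ever reads the payload or remembers an earlier packet.

```python
"""Stateless packet filter modelled on the Cisco-style ACL rules quoted
above.  Added example for this page; not the original course material.
Assumptions not stated on the page: first-match evaluation with an implicit
deny when no rule matches, the small service-name table, and the sample
packets, which are constructed here."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

# Service names accepted after "eq" (assumed subset of the usual names).
SERVICE_PORTS = {"smtp": 25, "www": 80, "domain": 53}


@dataclass
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # None for protocols without ports (icmp)
    payload: bytes = b""         # never consulted by the filter


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any)
    src: Optional[str]           # None means "any"
    dst: Optional[str]
    dport: Optional[int]         # None means any destination port


def _parse_endpoint(tokens: List[str]) -> Tuple[Optional[str], List[str]]:
    """Consume 'host A.B.C.D' or 'any' from the front of the token list."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return str(ip_address(tokens[1])), tokens[2:]  # validates the address
    raise ValueError("expected 'host <ip>' or 'any', got %r" % tokens[0])


def parse_rule(line: str) -> Rule:
    """Parse one ACL entry, e.g. 'permit tcp host 10.1.1.2 host 172.16.1.1 eq smtp'."""
    action, proto, *rest = line.split()
    if action not in ("permit", "deny"):
        raise ValueError("bad action %r" % action)
    src, rest = _parse_endpoint(rest)
    dst, rest = _parse_endpoint(rest)
    dport = None
    if rest:                                   # optional "eq <port|service>"
        if rest[0] != "eq" or len(rest) != 2:
            raise ValueError("unexpected trailer %r" % " ".join(rest))
        dport = int(rest[1]) if rest[1].isdigit() else SERVICE_PORTS.get(rest[1])
        if dport is None:
            raise ValueError("unknown service %r" % rest[1])
    return Rule(action, proto, src, dst, dport)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Header-only comparison: protocol, addresses and destination port."""
    return (rule.proto in ("ip", pkt.proto)
            and rule.src in (None, pkt.src)
            and rule.dst in (None, pkt.dst)
            and rule.dport in (None, pkt.dport))


def filter_packet(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; a packet matching no rule is denied.
    Nothing here looks at pkt.payload or at any previously seen packet:
    that is the stateless weakness the section describes."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# The four rules from the page (the UDP rule's source address written in full).
ACL = [parse_rule(line) for line in (
    "permit tcp host 10.1.1.2 host 172.16.1.1 eq smtp",
    "permit udp host 10.1.1.2 host 172.16.1.1",
    "deny icmp any any",
    "permit tcp host 1.1.1.1 host 5.5.5.5 eq www",
)]

# Constructed sample traffic for the demonstration.
SAMPLE_PACKETS = {
    "mail": Packet("tcp", "10.1.1.2", "172.16.1.1", 25, b"EHLO relay.example\r\n"),
    # Identical headers, but the payload is an oversized SMTP command of the
    # kind used to probe for a buffer overflow; the filter cannot tell them apart.
    "overflow_probe": Packet("tcp", "10.1.1.2", "172.16.1.1", 25,
                             b"MAIL FROM:<" + b"A" * 4096 + b">\r\n"),
    "ping": Packet("icmp", "203.0.113.9", "172.16.1.1"),
    "ssh": Packet("tcp", "1.1.1.1", "5.5.5.5", 22),      # no rule: implicit deny
    "web": Packet("tcp", "1.1.1.1", "5.5.5.5", 80),
}


def verdicts() -> Dict[str, str]:
    """Run every sample packet through the ACL and collect the decisions."""
    return {name: filter_packet(ACL, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print("%-15s %s" % (name, verdict))
```

Running the script shows "mail" and "overflow_probe" both permitted, "ping" denied by the explicit ICMP rule, "ssh" denied only because no rule matched, and "web" permitted. A stateful or proxy firewall (the later generations listed above) is what adds the connection memory and content inspection this model lacks.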

...
