Firewall:-
A firewall is a network security system that monitors and controls incoming and
outgoing network traffic based on predetermined security rules. Firewalls are
often categorized as either host-based or network firewalls:
- Host-based Firewall
- Network Firewall
A host-based firewall provides a layer of software on one host that controls
network traffic in and out of that single machine.
A network-based firewall, or packet filter, is either a software appliance
running on general-purpose hardware or a hardware-based firewall appliance;
in both cases it filters traffic between two or more networks. Firewall
appliances may also offer other functionality to the internal network they
protect, such as acting as a DHCP or VPN server for that network.
Network layer firewalls generally fall into two sub-categories, stateful and
stateless:
- Stateful Firewall
- Stateless Firewall
A stateful firewall filter uses connection state information derived from
other applications and past communications in the data flow to make dynamic
control decisions. Stateful inspection monitors incoming and outgoing packets
over time, as well as the state of the connection, and stores the data in
dynamic state tables. This cumulative data is evaluated so that filtering
decisions are based not only on administrator-defined rules but also on context
built up by previous connections and by previous packets belonging to the same
connection.
In order to prevent the state table from filling up, sessions time out if no
traffic has passed for a certain period. These stale connections are removed
from the state table.
A stateless firewall filter, also known as an access control list (ACL), does
not statefully inspect traffic. Instead, it evaluates packet contents statically
and does not keep track of the state of network connections.
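The stateful and stateless behaviour described above, as an added example that is not part of the original page: a stateless ACL that judges each packet on its own header fields, next to a stateful filter that keeps a state table and expires idle sessions. The ACL format, the timeout and all addresses are assumptions made for the example.

```python
# Added example (not from the original page): a stateless ACL filter next to a
# stateful filter that keeps a state table with an idle timeout.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a new TCP connection

# Hypothetical ACL format: (direction, destination port, action).
ACL = [("out", 443, "allow"), ("in", 22, "allow")]

def stateless_filter(pkt, direction):
    """Judge each packet only on its own header fields, with no memory."""
    for rule_dir, port, action in ACL:
        if rule_dir == direction and pkt.dport == port:
            return action
    return "deny"  # default deny when no rule matches

class StatefulFilter:
    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.table = {}  # (src, sport, dst, dport) -> last-seen timestamp

    def _expire(self, now):
        """Drop sessions idle longer than the timeout so the table cannot fill."""
        stale = [k for k, seen in self.table.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def filter(self, pkt, direction, now):
        self._expire(now)
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rev in self.table:        # reply belonging to a tracked connection
            self.table[rev] = now
            return "allow"
        if pkt.syn and stateless_filter(pkt, direction) == "allow":
            self.table[fwd] = now    # new connection permitted by policy
            return "allow"
        return "deny"                # unsolicited or non-matching packet
```

The stateless ACL has to deny the server's reply (its destination port is an ephemeral client port), whereas the stateful filter allows it because it belongs to a tracked connection, and denies it again once the session has timed out.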
An application firewall can "understand" certain applications and protocols
(such as File Transfer Protocol (FTP), Domain Name System (DNS), or Hypertext
Transfer Protocol (HTTP)). This is useful because it can detect an unwanted
protocol attempting to bypass the firewall on an allowed port, or detect a
protocol being abused in a harmful way.
Proxy firewalls provide complete, process-aware security analysis for the
protocols they support.
Evasion Techniques:
IDPS:-
Intrusion prevention systems (IPS), also known as intrusion detection and
prevention systems (IDPS), are network security appliances that monitor network
and/or system activities for malicious activity. The main functions of an
intrusion prevention system are to identify malicious activity, log information
about this activity, attempt to block or stop it, and report it.
An IPS can also correct Cyclic Redundancy Check (CRC) errors, reassemble
fragmented packet streams, and prevent TCP sequencing issues.
Classifications:
- Network-based intrusion prevention system (NIPS): monitors the entire
network for suspicious traffic by analyzing protocol activity.
- Wireless intrusion prevention system (WIPS): monitors a wireless network for
suspicious traffic by analyzing wireless networking protocols.
- Network behavior analysis (NBA): examines network traffic to identify threats
that generate unusual traffic flows, such as distributed denial of service
(DDoS) attacks, certain forms of malware, and policy violations.
- Host-based intrusion prevention system (HIPS): an installed software package
that monitors a single host for suspicious activity by analyzing events
occurring within that host.
Detection Methods:
- Signature-based detection: a signature-based IDS monitors packets on the
network and compares them with pre-configured, pre-determined attack patterns
known as signatures.
- Statistical anomaly-based detection: a statistical anomaly-based IDS
determines what normal network activity looks like (what sort of bandwidth is
generally used, which protocols are used, which ports and devices generally
connect to each other) and alerts the administrator or user when traffic is
detected that is anomalous (not normal).
- Stateful protocol analysis detection: this method identifies deviations of
protocol states by comparing observed events with "predetermined profiles of
generally accepted definitions of benign activity".
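The three detection methods above, as an added example that is not part of the original page, each run over the same constructed flow records: one fixed signature, a bytes-sent threshold learned from a constructed baseline, and a protocol profile for port 80 that also catches the "unwanted protocol on an allowed port" case from the application-firewall paragraph. The signature, baseline, threshold factor and addresses are assumptions.

```python
# Added example (not from the original page): signature-based, statistical
# anomaly-based and stateful protocol analysis detection over constructed flows.
import re
from statistics import mean, pstdev

# Constructed records: (source, destination port, first payload bytes, bytes sent)
FLOWS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\n", 1100),
    ("10.0.0.8", 80, b"GET /../../secret.txt HTTP/1.1\r\n", 900),
    ("10.0.0.9", 80, b"SSH-2.0-OpenSSH\r\n", 1000),
    ("10.0.0.12", 80, b"GET /big.iso HTTP/1.1\r\n", 50000),
]

# Signature-based: a fixed pattern matched against payload bytes (assumed signature).
SIGNATURES = {"path-traversal": re.compile(rb"\.\./")}

def signature_detect(flows):
    return [(name, src) for src, _, payload, _ in flows
            for name, pat in SIGNATURES.items() if pat.search(payload)]

# Statistical anomaly-based: alert when bytes sent exceed mean + k * stddev of a
# baseline learned from "normal" observations (constructed here).
BASELINE_BYTES = [1000, 1200, 900, 1100, 1000]

def anomaly_detect(flows, baseline=BASELINE_BYTES, k=3.0):
    threshold = mean(baseline) + k * pstdev(baseline)
    return [(src, sent) for src, _, _, sent in flows if sent > threshold]

# Stateful protocol analysis: the accepted profile for port 80 is an HTTP
# request line; anything else on that port is a deviation from the profile.
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")

def protocol_deviation(flows, port=80, profile=HTTP_REQUEST):
    return [src for src, dport, payload, _ in flows
            if dport == port and not profile.match(payload)]
```

Note that each method fires on a different flow: the signature needs the exact pattern, the anomaly detector sees only volume, and the protocol profile ignores both and only asks whether port 80 carries HTTP.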
HIPS solutions attempt to stop the suspicious activity from happening in the
first place. Like NIPS appliances, HIPS solutions can use signature- or
behavior-based approaches. A HIPS solution reviews system calls and compares
them to either a list of signatures or a list of known good behaviors.
An intrusion detection system (IDS) is a network security appliance that
monitors network or system activities for malicious activity or policy
violations and produces reports to a management station.
A network intrusion detection system (NIDS) focuses on attacks that come from
inside the network (authorized users).
A host-based intrusion detection system (HIDS) monitors the inbound and
outbound packets of a single device only and alerts the user or administrator
if suspicious activity is detected. It takes a snapshot of existing system files
and matches it against the previous snapshot. If critical system files were
modified or deleted, an alert is sent to the administrator to investigate.
In a passive system, the intrusion detection system (IDS) sensor detects a
potential security breach, logs the information, and signals an alert to the
console or owner.
In a reactive system, also known as an intrusion
prevention system (IPS), the IPS auto-responds to the suspicious activity
by resetting the connection or by reprogramming the firewall to block network
traffic from the suspected malicious source.
Evasion Techniques:
Differences:
- Firewall: a device or application that analyzes packet headers and enforces
policy based on protocol type, source address, destination address, source
port, and/or destination port. Packets that do not match policy are rejected.
- Intrusion Detection System: a device or application that analyzes whole
packets, both header and payload, looking for known events. When a known event
is detected, a log message is generated detailing the event.
- Intrusion Prevention System: a device or application that analyzes whole
packets, both header and payload, looking for known events. When a known event
is detected, the packet is rejected.
Proxy:-
A proxy server is a dedicated computer or a software system running on a
computer that acts as an intermediary between endpoint devices.
- An advantage of a proxy server is that its cache can serve all users
- A proxy can also log its interactions
- A proxy server is used to facilitate security, administrative control or
caching services
- Proxy servers are used to enable user privacy and anonymous surfing
- Typical proxy functions: access control, URL filtering, caching and content
scanning
A forward proxy provides proxy services to a client or a group of clients. A
forward proxy is typically used in tandem with a firewall to enhance an
internal network's security by controlling traffic originating from clients in
the internal network. A forward proxy is primarily aimed at enforcing security
on client computers in your internal network.
A reverse proxy sits on the web server side: it caches the static responses
from the web server and replies to clients from its cache to reduce the load on
the web server.
DLP:-
A data loss prevention solution is a system designed to detect potential data
breaches and prevent them by monitoring, detecting and blocking sensitive data
while in use (endpoint actions), in motion (network traffic), and at rest
(data storage). Data loss prevention is a strategy for making sure that end
users do not send sensitive or critical information outside the corporate
network, and it helps a network administrator control what data end users can
transfer.
In order to classify certain information as sensitive, these
solutions use mechanisms, such as exact data matching, structured data
fingerprinting, statistical methods, rule and regular expression matching,
published lexicons, conceptual definitions, and keywords.
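Two of the classification mechanisms listed above, regular-expression matching and keyword/lexicon matching, as an added example that is not part of the original page. The card-number pattern is paired with a Luhn check so that arbitrary digit runs (order numbers, for example) do not trigger a false positive; the pattern, the lexicon and the sample messages are constructed for the example.

```python
# Added example (not from the original page): regex matching with a validation
# step, plus lexicon matching, as a DLP content classifier.
import re

# Constructed pattern: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Constructed lexicon of policy keywords (matched case-insensitively).
LEXICON = {"confidential", "internal only", "do not distribute"}

def luhn_valid(digits):
    """Luhn checksum, used to cut regex false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(text):
    """Return the list of policy hits found in a message body."""
    hits = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(("card-number", digits[-4:]))  # record only the last four
    lowered = text.lower()
    hits.extend(("keyword", k) for k in sorted(LEXICON) if k in lowered)
    return hits
```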
Network DLP is typically a software or hardware solution installed at network
egress points near the perimeter. It analyzes network traffic to detect
sensitive data being sent in violation of information security policies.
Endpoint DLP can monitor and control access to physical devices (such as mobile
devices with data storage capabilities) and in some cases can access
information before it has been encrypted. Some endpoint-based systems can also
provide application controls to block attempted transmissions of confidential
information and give immediate feedback to the user. Their disadvantage is that
they need to be installed on every workstation in the network and cannot be
used on mobile devices.