Network Security
A set of rules and configurations designed to protect the confidentiality, integrity and availability of computer networks and data, using both software and hardware technologies
Network Security Model
M represents the original (plaintext) message and E the encrypted data (ciphertext)
Information channel
Medium of data propagation from sender to receiver
The point most vulnerable to attack
A Trusted Third Party (TTP) distributes the secret keys to sender and receiver
Network Security Controls
Physical
Designed to prevent unauthorized personnel from gaining physical access to network components such as routers, cabling cupboards and so on
Technical
Protect data that is stored on the network or which is in transit across, into or out of the network
Administrative
Consist of security policies and processes that control user behavior, including how users are authenticated, their level of access and also how IT staff members implement changes to the infrastructure
Digital Signature (DS)
The DS generation algorithm takes the sender's private key and the message and produces a signature
The DS verification algorithm takes the sender's public key, the message and the signature and accepts or rejects the signature (with RSA this amounts to applying the public key to the signature and comparing the result with the message hash)
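The two algorithms as runnable code, added here as an illustration and not taken from the notes. It uses textbook RSA with tiny, hard-coded primes (p = 61, q = 53) so that the private/public split is visible; the parameters are far too small to be secure and the hash is reduced modulo n, so treat it purely as a demonstration of generation with the private key and verification with the public key.

```python
"""Toy digital-signature generation and verification (added example).

Textbook RSA with constructed, insecure parameters: p = 61, q = 53,
n = 3233, phi = 3120, e = 17, d = 2753 (17 * 2753 = 1 mod 3120).
Only the structure (private key signs, public key verifies) is realistic.
"""
import hashlib

PUBLIC_KEY = (17, 3233)     # (e, n): known to everyone
PRIVATE_KEY = (2753, 3233)  # (d, n): known only to the sender


def _digest_mod_n(message: bytes, n: int) -> int:
    """Hash the message and reduce it into the RSA group (toy shortcut)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """DS generation: (private key, message) -> signature."""
    d, n = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """DS verification: (public key, message, signature) -> accept / reject."""
    e, n = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"
    sig = sign(msg)
    print("genuine message verifies:", verify(msg, sig))
    print("tampered message verifies:", verify(b"transfer 900 to account 42", sig))
```

Because the verifier only needs the public key, anyone can check the signature, but only the holder of d could have produced it; changing a single byte of the message, or of the signature, makes verification fail.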
Firewall
Firewall consists of software and hardware set up between an internal computer network and the Internet
The network administrator sets up the rules by which the firewall filters out unwanted traffic
Types
Packet Filtering
Set of rules based on Source address (SA), Destination address (DA), Port number, Protocols
If rule matched then forward or discard
Default action is generally to discard a packet that does not match any rule
Data/Payload is not checked
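A minimal packet filter with exactly the properties listed above, added here as an example (not code from the notes): rules match on source address, destination address, protocol and destination port, the first matching rule decides, the default action is discard, and the payload is carried but never inspected. The addresses and rule set are constructed.

```python
"""Packet-filtering firewall rule evaluation (added example).

First-match semantics with a default-deny policy. Rules look only at
packet headers; the payload field exists to show that it is ignored.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int]     # None for protocols without ports
    payload: bytes = b""     # never examined by a packet filter


@dataclass(frozen=True)
class Rule:
    action: str              # "forward" or "discard"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None   # None matches every port

    def matches(self, pkt: Packet) -> bool:
        return (
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and self.proto in ("any", pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
        )


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule, or 'discard' if none match."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "discard"


# Constructed policy: internal network 10.0.0.0/8, public web server 10.0.0.5.
# Rule order matters: the telnet block must precede the general outbound allow.
RULES = [
    Rule("discard", src="10.0.0.0/8", proto="tcp", dport=23),   # no telnet out
    Rule("forward", dst="10.0.0.5/32", proto="tcp", dport=443),
    Rule("forward", dst="10.0.0.5/32", proto="tcp", dport=80),
    Rule("forward", src="10.0.0.0/8"),                           # internal hosts may go out
]

if __name__ == "__main__":
    web = Packet("203.0.113.9", "10.0.0.5", "tcp", 443)
    ssh = Packet("203.0.113.9", "10.0.0.5", "tcp", 22)
    telnet = Packet("10.0.0.7", "203.0.113.9", "tcp", 23)
    print(filter_packet(RULES, web), filter_packet(RULES, ssh), filter_packet(RULES, telnet))
```

The last check in the test below is the important limitation: a request whose payload is obviously hostile is still forwarded to port 80, because nothing in the rule set can see it. That is what the application-level gateway in the next section adds.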
Application-level Gateway (Proxy Server)
More secure, because it inspects application-layer data
Higher processing overhead, because every connection is terminated and re-originated by the proxy
Checks data/payload
The internal host believes it is talking to the Internet but is really talking to the proxy, and the Internet side believes it is talking to the host but is really talking to the proxy
Traffic Filtering
Define the traffic-filtering rules
Determine how incoming and outgoing traffic flows in the network will be regulated
The set of rules can be adopted as an independent packet-filtering policy or as part of the information security policy
Select the traffic-filtering technology
Chosen according to the requirements and needs
Implement the defined rules
On the selected technology, and optimize the performance of the devices accordingly
Maintain all components of the solution
Including not only the devices but also the policy
Intrusion Detection System (IDS)
Monitoring the operation of computer systems or networks and analyzing the processes they perform, which can point to certain incidents
Incidents are events posing a threat to or violating defined security policies, violating AUP (Acceptable Use Policy) rules, or generally accepted security norms
They appear as a result of the operation of various malware programmes, as a result of attempts at unauthorized access to a system through public infrastructure (Internet), or as a result of the operation of authorized system users who abuse their privileges
Network Intrusion Prevention
Detecting network intrusion events, and additionally preventing and blocking detected or potential network incidents
IDP (Intrusion Detection and Prevention)
Identifying potential incidents, logging information about them, attempting to prevent them and alerting the administrators responsible for security
Also used to identify problems with the adopted security policies, to document existing security threats and to deter individuals from violating security rules
Intruder Types
Outside (Masquerader)
A person without authorization who penetrates the system, typically by using a legitimate user's account
Inside (Misfeasor)
A legitimate user who accesses resources they are not authorized for, or who misuses their privileges
Stateful Protocol Analysis
Stateful protocol analysis is a process of comparing predefined operation profiles with the specific data flow of that protocol on the network
Predefined profiles of operation of a protocol are defined by the manufacturers of IDP devices and they identify everything that is acceptable or not acceptable in the exchange of messages in a protocol
Unlike anomaly-based detection, where profiles are created based on the hosts or specific activities on the network, stateful protocol analysis uses general profiles generated by the equipment manufacturers
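A small stateful protocol analyser for a simplified SMTP client dialogue, added here as an example and not part of the notes. The profile table plays the role of the vendor-supplied protocol profile: for each state it lists which client commands are acceptable and where they lead. A command that is perfectly well formed on its own but arrives in the wrong state (DATA before any RCPT, or anything after QUIT) is reported, which a stateless signature match would never notice. The profile covers only a subset of RFC 5321 and the sessions are constructed.

```python
"""Stateful protocol analysis of a simplified SMTP client dialogue (added example).

SMTP_PROFILE stands in for a manufacturer-defined protocol profile:
state -> {acceptable client command: next state}.
"""
from typing import Dict, List, Tuple

SMTP_PROFILE: Dict[str, Dict[str, str]] = {
    "INIT":    {"EHLO": "GREETED", "HELO": "GREETED", "QUIT": "CLOSED"},
    "GREETED": {"MAIL": "MAIL", "NOOP": "GREETED", "RSET": "GREETED", "QUIT": "CLOSED"},
    "MAIL":    {"RCPT": "RCPT", "RSET": "GREETED", "QUIT": "CLOSED"},
    "RCPT":    {"RCPT": "RCPT", "DATA": "BODY", "RSET": "GREETED", "QUIT": "CLOSED"},
    "BODY":    {},   # message body until a line containing only "."; no commands here
    "DONE":    {"MAIL": "MAIL", "RSET": "GREETED", "QUIT": "CLOSED"},
    "CLOSED":  {},   # nothing is acceptable after QUIT
}
KNOWN_VERBS = {verb for transitions in SMTP_PROFILE.values() for verb in transitions}


def analyse_session(lines: List[str]) -> Tuple[str, List[str]]:
    """Walk the client's lines through the profile; return (final state, alerts)."""
    state = "INIT"
    alerts: List[str] = []
    for number, line in enumerate(lines, 1):
        if state == "BODY":
            if line == ".":
                state = "DONE"
            continue  # body content is opaque to the protocol analyser
        parts = line.split(None, 1)
        verb = parts[0].upper() if parts else ""
        allowed = SMTP_PROFILE[state]
        if verb in allowed:
            state = allowed[verb]
        elif verb not in KNOWN_VERBS:
            alerts.append(f"line {number}: unknown command {line!r}")
        else:
            alerts.append(f"line {number}: {verb} not acceptable in state {state}")
    return state, alerts


# Constructed sessions
NORMAL_SESSION = [
    "EHLO mail.example.org",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.net>",
    "DATA",
    "Subject: hello",
    "",
    "see you at 10",
    ".",
    "QUIT",
]

OUT_OF_ORDER_SESSION = [
    "EHLO mail.example.org",
    "MAIL FROM:<alice@example.org>",
    "DATA",                          # no recipient yet: protocol violation
    "RCPT TO:<bob@example.net>",
    "QUIT",
    "MAIL FROM:<eve@example.org>",   # traffic after QUIT
]

if __name__ == "__main__":
    print(analyse_session(NORMAL_SESSION))
    print(analyse_session(OUT_OF_ORDER_SESSION))
```

Every line in the out-of-order session would pass a per-line syntax check; only the state tracked across the whole exchange exposes the two violations.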
Testing tools are used to test the detection, recognition and response capabilities of devices that perform packet filtering (including those that use network address translation), such as firewalls, IDSes/IPSes, routers and switches
These test the filtering device's ability to detect and/or block DoS attacks, spyware, backdoors, and attacks against applications such as IIS, SQL Server and WINS
Standard traffic sessions can be used to test how packet-filtering devices handle a variety of protocols, including HTTP, FTP, SNMP and SMTP
Detection Methods
Signature-based Detection
The behavior of an already detected security threat, described in a form that can be used for the detection of any subsequent appearance of the same threat, is called an attack signature
Process of comparing the known forms in which the threat has appeared with the specific network traffic in order to identify certain incidents
Extremely inefficient at detecting completely unknown threats, threats hidden by evasion techniques, and already known threats that have been modified in the meantime
Anomaly-based Detection
This method of IDP is based on detecting anomalies/deviation in a specific traffic flow in the network
Anomaly detection is performed, based on the defined profile of acceptable traffic and its comparison with the specific traffic in the network
Acceptable traffic profiles are formed by tracking the typical characteristics of the traffic in the network during a certain period of time
The greatest advantage of this method is its ability to detect previously unknown security threats; its cost is a higher false-positive rate, since any legitimate deviation from the learned baseline is also flagged
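Both detection methods side by side over the same constructed web traffic, added here as an example (not code from the notes). The signature scanner matches a small library of known attack patterns against every request; the anomaly scanner learns a per-source request-rate baseline from a training window and flags sources whose rate in the observation window exceeds mean + k standard deviations. The traffic is built so that each method catches something the other misses: a single path-traversal request is found only by signature, and a fast scanner whose requests match no signature is found only by the anomaly detector. Patterns, thresholds and records are all constructed for the illustration.

```python
"""Signature-based vs anomaly-based detection over constructed traffic (added example).

Each record is (time_in_seconds, source_ip, request_path).
"""
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple

Record = Tuple[int, str, str]  # (t, src, path)

# Constructed signature library: name -> compiled pattern
SIGNATURES = {
    "path traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"('|%27)\s*(or|union)\b", re.I),
}


def signature_scan(records: List[Record]) -> List[Tuple[int, str, str]]:
    """Return (t, src, signature_name) for every request matching a known pattern."""
    hits = []
    for t, src, path in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((t, src, name))
    return hits


def rate_per_source(records: List[Record], window_seconds: int) -> Dict[str, float]:
    """Requests per second for each source over a window of known length."""
    counts = Counter(src for _, src, _ in records)
    return {src: n / window_seconds for src, n in counts.items()}


def build_profile(training: List[Record], window_seconds: int) -> Tuple[float, float]:
    """Baseline (mean, population std-dev) of per-source request rates."""
    rates = list(rate_per_source(training, window_seconds).values())
    return statistics.mean(rates), statistics.pstdev(rates)


def anomaly_scan(profile: Tuple[float, float], observed: List[Record],
                 window_seconds: int, k: float = 3.0) -> List[str]:
    """Sources whose observed rate deviates from the baseline by more than k sigma."""
    mean, sd = profile
    threshold = mean + k * sd
    rates = rate_per_source(observed, window_seconds)
    return sorted(src for src, r in rates.items() if r > threshold)


# Constructed training window: 60 s of ordinary browsing from five hosts
# (6, 8, 10, 12 and 9 requests respectively -> baseline mean 0.15 req/s).
TRAINING: List[Record] = [
    (j * (60 // n), f"10.0.0.{i + 1}", "/index.html")
    for i, n in enumerate([6, 8, 10, 12, 9])
    for j in range(n)
]

# Constructed observation window (next 60 s): the same hosts at normal rates,
# a scanner sending 200 harmless-looking requests, and one traversal attempt.
OBSERVED: List[Record] = (
    [(60 + j * 6, f"10.0.0.{i + 1}", "/index.html") for i in range(5) for j in range(10)]
    + [(60 + (j * 60) // 200, "10.0.0.66", f"/page{j}.html") for j in range(200)]
    + [(70, "10.0.0.9", "/../../etc/passwd")]
)

if __name__ == "__main__":
    print("signature hits:", signature_scan(OBSERVED))
    print("anomalous sources:", anomaly_scan(build_profile(TRAINING, 60), OBSERVED, 60))
```

With the training data above the baseline is 0.15 req/s with a standard deviation of about 0.033, so the k = 3 threshold is 0.25 req/s: the ordinary hosts (0.17 req/s) stay under it, the scanner (3.3 req/s) is flagged, and the lone traversal request (0.017 req/s) is invisible to the anomaly detector but caught by the signature.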
Categories of IDS
Host-based IDS (HIDS)
Host-based IDSs are designed to monitor, detect and respond to activity and attacks on a given host
Compares a snapshot of the current system state (for example file hashes) with a previously recorded baseline snapshot
Detects Files deleted or modified
Because attackers mainly focus on operating system vulnerabilities to break into hosts, in most cases, the host-based IDS is integrated into the operating systems that the host is running
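The snapshot comparison described above as a runnable file-integrity check, added here as an example and not code from the notes. It records a baseline of SHA-256 hashes for every file under a directory, takes a fresh snapshot later, and reports what was modified, deleted or added. The demo builds a throwaway directory with constructed files and simulates an intrusion so it runs offline.

```python
"""Host-based IDS file-integrity check (added example).

Baseline snapshot vs current snapshot; the hash values are the only thing
compared, so any change to file content is detected regardless of size
or timestamp tricks.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def snapshot(root: Path) -> Dict[str, str]:
    """Map of relative file path -> SHA-256 hex digest for every file under root."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            snap[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return snap


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between the baseline and a later snapshot."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "deleted": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed file tree, baseline it, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF-stub")
        baseline = snapshot(root)

        # Simulated intrusion: extra uid-0 account, log-ish file removed, new binary
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        (root / "bin" / "rootkit").write_bytes(b"not really a rootkit")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline must be kept somewhere the host itself cannot silently rewrite (off-host, or signed), otherwise an attacker who gets root simply re-baselines after modifying the system.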
Network-based IDS (NIDS)
Network traffic based IDSs capture network traffic to detect intruders
Matches traffic against a library of known attack signatures
Monitors, captures and analyzes network traffic
Detects malicious data present in packets
NIDS analysis becomes very difficult on a busy, high-volume network
An agent is an autonomous or semi-autonomous piece of software that runs in the background and performs tasks on behalf of another program or user
Relative to IDSs, an agent is generally a piece of software that senses intrusions locally and reports attack information to central analysis servers
Intrusion Prevention System (IPS)
An IPS is a network security tool that not only detects intruders but also blocks known attacks before they succeed
Intrusion prevention systems combine the abilities of firewalls and intrusion detection systems
An active response device dynamically reconfigures or alters network or system access controls, session streams or individual packets based on triggers from packet inspection and other detection devices
Active response happens after the event has occurred; a single-packet attack therefore succeeds on its first attempt and is blocked only on subsequent attempts (for example, the first packets of a DDoS flood get through before the block takes effect)
While active response devices are beneficial, this one aspect makes them unsuitable as an overall solution
Network intrusion prevention devices, on the other hand, are typically inline devices on the network that inspect packets and make decisions before forwarding them on to the destination
Intrusion Prevention Technologies
System Memory and Process Protection
This type of intrusion prevention strategy resides at the system level
Memory protection consists of a mechanism to prevent a process from corrupting the memory of another process running on the same system
Process protection consists of a mechanism for monitoring process execution, with the ability to kill processes that are suspected of being attacks
Inline Network Devices
This type of intrusion prevention strategy places a network device directly in the path of network communications with the capability to modify and block attack packets as they traverse the device’s interfaces
It acts much like a router or firewall combined with the signature-matching capabilities of IDS. The detection and response happens in real time before the packet is passed on to the destination network
Session Sniping
This type of intrusion prevention strategy terminates a TCP session by sending a TCP RST packet to both ends of the connection
When an attempted attack is detected the TCP RST is sent, the connection is torn down and the attempted exploit is flushed from the receiving buffers, so it is prevented
Note that the TCP RST packets must have the correct sequence and acknowledgement numbers to be effective
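Why the sequence number matters, as an added example (not part of the notes): a RST only tears a connection down if the receiving TCP stack accepts it. Under the classic RFC 793 rules any RST whose sequence number falls inside the receive window is accepted; RFC 5961 (section 3.2) tightens this so that only an exact match on RCV.NXT resets the connection, while an in-window but inexact RST is answered with a challenge ACK. The functions below model both acceptance checks with constructed values and handle 32-bit sequence wrap-around.

```python
"""TCP RST acceptance checks relevant to session sniping (added example).

A session-sniping device that observes the connection knows the live
sequence numbers and can hit RCV.NXT exactly; a blind attacker has to
guess, which is what the RFC 5961 rule is designed to frustrate.
"""
SEQ_MOD = 1 << 32


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND) modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def rst_action_rfc793(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Classic rule: any in-window RST resets the connection."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rst_action_rfc5961(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Hardened rule: exact match resets, in-window mismatch gets a challenge ACK."""
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge_ack"
    return "drop"


if __name__ == "__main__":
    # Constructed receiver state: next expected byte 1000, window 65535
    for seq in (1000, 30000, 500):
        print(seq, rst_action_rfc793(seq, 1000, 65535), rst_action_rfc5961(seq, 1000, 65535))
```

A sniping device that has just seen the offending segment can compute RCV.NXT for both endpoints and send a RST each side will accept under either rule; a RST with a stale or guessed sequence number is either silently dropped or, on an RFC 5961 stack, merely provokes a challenge ACK that reveals the correct value to the sender.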
Gateway Interaction Devices
This type of intrusion prevention strategy allows a detection device to dynamically interact with network gateway devices such as routers or firewalls
When an attempted attack is detected, the detection device can direct the router or firewall to block the attack
Risks with IDS
A recurring issue in today's intrusion detection systems is false positives
Legitimate traffic displaying characteristics similar to malicious traffic
Attackers who discover or suspect the use of intrusion prevention methods can purposely create a DoS attack against legitimate networks and sources by sending attacks with spoofed source IP addresses
Gateway interaction timing and race conditions
Detection device directs a router or firewall to block the attempted attack, However, because of network latency, the attack has already passed the gateway device before it receives this direction from the detection device