Post on 07-Feb-2022

6 views

Category:

Documents


3 download

TRANSCRIPT

Lecture Notes: Secured Networks with Firewall

IP Address

An IP address is one of the main identity entities in the TCP/IP and OSI internet models. IP is an integral part of any data transfer process, such as TCP and UDP communications.

Networks, devices and any entity related to end-point devices need an IP address. IP stands for ‘internet protocol’, and the address refers to the identity of any entity that is connected to the internet, which aids in device-to-device communication and data transfer.

An IPv4 address is composed of 4 binary octets with a total length of 32 bits.

IP address format: An IP address comprises a string of numbers separated by a ‘.’ symbol. For example, 172.16.15.44. In an IP address:

1. Each octet can range from 0 to 255.
2. Each octet contains 1 to 3 digits followed by a ‘.’ symbol. For example, ‘172.16.13.38’.

IP address versions: There are two types of IP address versions: IPv4 and IPv6.

IPv4: If you take a look at your own IP address, it would probably look like, say, 192.168.56.112. Such addresses are called IPv4 addresses. With the rising number of devices, IP addresses are always at a risk of exhaustion. IPv4 addresses are 32 bits long (2^32), so there can be a total of 4,294,967,296 IPv4 addresses. But what if the number of devices rises past this number? To resolve this issue, IPv6 comes to the rescue.

IPv6: This is the next-generation IP address, which solves the issue of the limited number of IPv4 addresses. An IPv6 address looks like ‘2016:0tgbs:85b6:0000:0000:avg56’. IPv6 is 128 bits long, unlike IPv4, which is 32 bits long. Using the IPv6 address format, about 2^128 unique addresses and combinations can be obtained, thus eliminating the risk of running out of IP addresses.

An IP address plays a very vital role in the Domain Name System (DNS). DNS primarily maps a domain name to an IP address and an IP address to a domain name. Every domain name is unique. However, one IP can host multiple domain names.

IP address classes: The first octet of an IP address helps determine its class. The IP address was designed in this way even before the emergence of the concept of ‘Subnetting’.

When it comes to IP addresses, you must be familiar with three entities:

1. Class
2. Octet range
3. Default mask

Let’s first understand the class of an IP address. The octet range indicates the range of an IP address: each class begins at a particular address and ends at another. Next, a default mask is a number that depicts which range of IP addresses is available for use and implementation within a network. The default subnet mask helps identify the class of an IPv4 address. When a network is not subnetted, you can use this default mask to identify the class of the IP address.

Now, let’s understand the significance of ‘127’. 127.0.0.1 is called a loopback address. In fact, any address that starts with ‘127’ is a loopback address. A simple example of loopback is when you go to a hill-top, call your name, and receive an echo with your name in response. Another example of loopback is sending an e-mail to your own e-mail id and receiving it. Multicasting is mainly used for streaming media content. So, loopback is mostly used for multicasting. You usually work on IP addresses of classes A, B and C, as these addresses can be subnetted.

Public and private address: When you connect a device to a modem, you receive an IP address that is used by the internet to identify you. This IP address is called a public address. Suppose you are hosting a website on your computer. If you want the website to be accessed by anyone, you need to make it public. So, you connect it to the internet and ensure that it can be accessed on port 80. Port numbers are similar to telephone directory or speed-dial numbers, such as 100 for police or 911 for emergency services. So, each number is mapped to a service. Port 80, in the above case, points to HTTP. So, IP:80 will allow the user to access this website. A router connects you to the internet. It gives any connected device a public address. So, every device with a ‘private’ IP address cannot be accessed by the outside world, and to ensure access from the outside world, you get a ‘public’ IP address.
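As an added example (not part of the original notes), the following Python validates the dotted-quad format described above and reports, for one address, the class decided by its first octet, the default mask, whether it is a 127.x.x.x loopback address, and whether it is private. The RFC 1918 private ranges are an assumption added here, since the notes only say that private addresses are used internally; the sample addresses in the usage section are constructed.

```python
import ipaddress

# Classful ranges keyed on the first octet, with the default mask for A/B/C.
# D (multicast) and E (reserved) carry no default mask.
CLASS_TABLE = (
    ("A", range(0, 128), "255.0.0.0"),
    ("B", range(128, 192), "255.255.0.0"),
    ("C", range(192, 224), "255.255.255.0"),
    ("D", range(224, 240), None),
    ("E", range(240, 256), None),
)

# Assumption: the RFC 1918 private ranges (the notes do not list them).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipv4(text: str) -> tuple:
    """Validate the dotted-quad format: 4 octets, each 1-3 digits, each 0..255."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets, got {len(parts)}: {text!r}")
    octets = []
    for part in parts:
        if not (part.isdigit() and 1 <= len(part) <= 3):
            raise ValueError(f"octet {part!r} is not 1-3 digits")
        value = int(part)
        if value > 255:
            raise ValueError(f"octet {part!r} is outside 0..255")
        octets.append(value)
    return tuple(octets)


def is_valid_ipv4(text: str) -> bool:
    try:
        parse_ipv4(text)
        return True
    except ValueError:
        return False


def classify(text: str) -> dict:
    """Class by first octet, plus the default mask, loopback and private flags."""
    octets = parse_ipv4(text)
    first = octets[0]
    cls, mask = next((c, m) for c, r, m in CLASS_TABLE if first in r)
    # Build the address from the octets so leading zeros in the input do not matter.
    addr = ipaddress.IPv4Address(bytes(octets))
    return {
        "address": str(addr),
        "class": cls,
        "default_mask": mask,
        "loopback": first == 127,                 # any 127.x.x.x, as the notes say
        "private": any(addr in net for net in PRIVATE_NETS),
    }


if __name__ == "__main__":
    # Constructed samples: the two addresses from the notes, loopback, a public one, multicast.
    for sample in ("172.16.15.44", "192.168.56.112", "127.0.0.1", "203.0.113.5", "224.0.0.1"):
        print(classify(sample))
```

Note that 127.0.0.1 is reported as class A by the first-octet rule while still being flagged as loopback; the two notions are independent.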

Gateways

A gateway connects different networks and devices. The devices inside a network cannot automatically communicate with the devices outside the network, due to the different ranges of IP addresses on different networks and the absence of a mediator. A gateway is like a toll-gate or border security. You have to pass through them if you are exiting a state, a city or a country. Similarly, a gateway is used when data packets have to be passed on to other networks or when two devices on two different networks want to communicate. Technically, a gateway acts as a node that connects two different networks with different protocols at any layer of the OSI model. Gateways act as entry and exit points for a data packet before it reaches its destination. So, if a packet travels from network A to B, it has to pass through the respective gateway before it takes the appropriate route. A web application firewall is a type of gateway.

A router is super intelligent and covers the functionality of a modem too. Routers can provide packet-level inspection and data security. A router helps exchange packets between networks. Routers comprise routing algorithms that, using a routing table, define the best route for packet transfer, which is similar to Google Maps.

Gateways are not as good as routers. It is simple to configure a gateway. Gateways are protocol translators and can translate protocol to protocol. A gateway also forwards packets, but it requires some translation due to the risk of protocol incompatibility. Either two networks can run two different protocols, or two networks can run different versions of the same protocol.

Virtual LAN

In a virtual local area network (LAN), the computers are logically connected irrespective of their location. Suppose a forensic company consists of the following departments:

1. Malware forensics
2. Memory forensics
3. Mobile forensics

People working in these departments are not sitting next to each other or even on the same floor. They are spread across the office. Here are two problem statements:

1. How do you group them?
2. How do you separate the traffic when they are all communicating on the same switch?

The switch will consider all the traffic from the different devices as if they are on one LAN, and the traffic is of a mixed nature, where the other departments are able to see each other’s traffic too. Confusing, right? Well, VLAN comes to the rescue. VLANs facilitate logical separation of virtual networks, so that you can separate the broadcast traffic and get clear visibility. You can have separate VLANs with the same switch and cables. But how do you do this? You use separate ports in a switch for each department. Each port (or group of ports) will correspond to a VLAN.

Virtual Routing and Forwarding (VRF)

In a virtual LAN, computers are logically separated between virtual networks, so that you can separate the broadcast traffic and obtain clear visibility of the network traffic.

There is no problem in directly connecting two VLANs via a switch. This arrangement is good at the L2 level. But what if multiple VLANs are connected via multiple switches? Two VLANs require a router or a forwarder to communicate with each other. This actually leads to several issues associated with multi-tenancy, that is, when there are a lot of users and overlapping IP spaces. To avoid such scenarios, you use a VLAN that technically acts as an individual switch inside a switch itself. VLANs act as virtual switches, and they basically divide a big network into smaller networks. In the case of routers that are connected to multiple networks, you use VRF. VRF is a technology of IP network routers that allows the coexistence of multiple instances of routing tables within the same router at the same time. This enhances functionality by allowing network paths to be segmented without using multiple devices. Since the routing instances are independent, you can use the same or overlapping IP addresses without any conflict.

Suppose two enterprises are using the same subnet 10.1.1.0/24. It would be difficult with just one global routing table. If you use two VRFs, with each one as an identifier, say, VRF enterprise_A and VRF enterprise_B, this would create two additional routing tables alongside the default routing table. Now, by virtue of two separate routing tables, you can have 10.1.1.0/24 in all three routing tables.
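To make the three-routing-table picture concrete, here is an added Python model (not from the notes and not any vendor's implementation) of a single router that holds a default table plus the two VRFs enterprise_A and enterprise_B, each carrying its own 10.1.1.0/24 route. A lookup is answered only from the VRF it is asked in, so the overlapping prefixes never collide; the next-hop names are hypothetical.

```python
import ipaddress


class VrfRouter:
    """One router, several independent routing tables (a default table plus VRFs)."""

    def __init__(self):
        self.tables = {"default": []}        # vrf name -> list of (network, next_hop)

    def add_vrf(self, name: str) -> None:
        self.tables.setdefault(name, [])

    def add_route(self, vrf: str, prefix: str, next_hop: str) -> None:
        self.tables[vrf].append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, vrf: str, destination: str):
        """Longest-prefix match inside one VRF; routes in other VRFs are invisible here."""
        addr = ipaddress.ip_address(destination)
        candidates = [(net, nh) for net, nh in self.tables[vrf] if addr in net]
        if not candidates:
            return None                       # no route in this VRF: packet is dropped
        _net, next_hop = max(candidates, key=lambda c: c[0].prefixlen)
        return next_hop


def build_example() -> VrfRouter:
    """The scenario from the notes: 10.1.1.0/24 present in all three tables (hypothetical next hops)."""
    router = VrfRouter()
    router.add_vrf("enterprise_A")
    router.add_vrf("enterprise_B")
    router.add_route("default", "10.1.1.0/24", "core-uplink")
    router.add_route("default", "0.0.0.0/0", "isp-gw")
    router.add_route("enterprise_A", "10.1.1.0/24", "ge-0/0/1")
    router.add_route("enterprise_B", "10.1.1.0/24", "ge-0/0/2")
    return router


if __name__ == "__main__":
    r = build_example()
    for vrf in ("default", "enterprise_A", "enterprise_B"):
        print(f"{vrf:13s} 10.1.1.7 -> {r.lookup(vrf, '10.1.1.7')}")
    print("enterprise_A 203.0.113.9 ->", r.lookup("enterprise_A", "203.0.113.9"))
```

The same destination, 10.1.1.7, resolves to a different next hop in each table, which is exactly why a customer's packets can never leak into the other enterprise's network even though both use the same subnet.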

Broadcast and Collision Domains

Broadcast domain: In this domain, a device sends out a broadcast message, and all the devices present within its broadcast domain have to pay attention to it. However, such a domain creates a lot of congestion in the network.

Collision domain: This domain is analogous to the ability to speak in a network. A hub receives signals from a node and passes them on to the other nodes that are connected to that hub. Hence, if a computer talks and is connected to a hub, the rest of the computers connected to that hub can hear it too. Thus, when a computer is using the hub, the rest of the devices that are connected to the hub must wait.

Carrier-sense multiple access with collision detection (CSMA/CD): It comes to the rescue when computers are transmitting data at the same time, and responds during a collision, so that you are not lost in a forest with a blindfold on your eyes.

In the process, the medium is continuously monitored. If it is free, the packet is transferred; else, the transfer of the packet is halted until the medium is free. Once the data packet is sent, it checks for a collision. If there is no collision, the process ends; else, it sends the JAM signal and checks whether more attempts are possible. If an attempt is possible, a backoff algorithm is called and another attempt is made from the beginning. If another attempt is not possible, then the process is just ended.
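The following Python simulation of that procedure is an added example, not part of the notes: one station senses a constructed medium, transmits, and on a collision sends JAM and backs off before retrying from the beginning. The attempt limit of 16 and the truncated binary exponential backoff are assumptions taken from Ethernet, since the notes only say "if an attempt is possible"; which attempts collide is supplied by the caller so that the run is deterministic.

```python
import random

MAX_ATTEMPTS = 16        # assumption: Ethernet's attempt limit
SLOT_TIME = 1            # abstract slot unit used by the backoff


def backoff_slots(attempt: int, rng: random.Random) -> int:
    """Truncated binary exponential backoff: wait 0..2^k-1 slots, k capped at 10."""
    k = min(attempt, 10)
    return rng.randrange(2 ** k)


def csma_cd_send(medium_busy, collision_on_attempt, rng=None) -> dict:
    """
    medium_busy: constructed per-time-step carrier sense (True = someone else is sending)
    collision_on_attempt: set of attempt numbers (1-based) during which a collision occurs
    Returns the outcome plus a human-readable trace of the steps taken.
    """
    if rng is None:
        rng = random.Random(0)
    trace = []
    t = 0
    for attempt in range(1, MAX_ATTEMPTS + 1):
        # 1. carrier sense: defer while the medium is busy
        while t < len(medium_busy) and medium_busy[t]:
            trace.append(f"t={t}: medium busy, defer")
            t += 1
        trace.append(f"t={t}: attempt {attempt}: medium free, transmit")
        # 2. collision detection while the frame is on the wire
        if attempt not in collision_on_attempt:
            trace.append("no collision, frame delivered")
            return {"delivered": True, "attempts": attempt, "trace": trace}
        # 3. collision: JAM, then back off and retry from the beginning
        trace.append("collision detected, send JAM")
        wait = backoff_slots(attempt, rng) * SLOT_TIME
        trace.append(f"backoff {wait} slot(s)")
        t += wait
    trace.append("attempt limit reached, frame dropped")
    return {"delivered": False, "attempts": MAX_ATTEMPTS, "trace": trace}


if __name__ == "__main__":
    result = csma_cd_send([True, True, False], collision_on_attempt={1, 2})
    print("\n".join(result["trace"]))
    print("delivered:", result["delivered"], "after", result["attempts"], "attempt(s)")
```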

DMZ Network

DMZ stands for Demilitarized Zone. Any web server, service or e-mail is usually a part of an organisation and stays within the organisation’s network, which is technically called a private network. The issue, in this case, is that you have to expose the services to the public if users or customers want to access the private network.

Exposing a server that is a part of a private network to the public can pose a huge risk in terms of:

1. Attackers gathering information about the server
2. Misconfiguration of the server that can leak information about the internal network
3. A server compromise that can lead to leakage of information about the internal network

So, the company will break a lot of policies and also risk its resources by letting users from outside the network gain access to its network resources, which are protected by a firewall. In the next phase, you will learn about firewalls and how they work. A DMZ is the ideal solution in this case.

If you protect the services using a firewall:

1. The servers can be made public.
2. Users can access these public servers, without any threat of accessing internal network resources.
3. The servers are still a part of the organisation, but they are not inside its network.

This is called a perimeter network or DMZ.

You can also use a pre-screening firewall, where you put another server in the DMZ to detect and sense any malicious activities even before such activities hit the firewall.

For higher security, you can add multiple levels of firewalls both before and after the DMZ. So, even if an attack bypasses one firewall, it can be sensed and detected by another. Such multiple levels of firewalls can be termed ‘Defence in Depth’.

Network Address Translation (NAT)

We have already discussed the limitation and the allocation of IPv4 addresses and the possibility of running out of these addresses. So, there is a need to translate the IP addresses so that you do not run out of them.

There are two types of IP addresses: public and private. A public IP address means that it is publicly registered on the internet. You need to have a public IP address if you want to access the internet. Private IP addresses are not publicly registered. They are used for internal use, like within an organisation or at home.

Now, several devices need access to the internet, so they need a public address. But how do you do this? If each device gets a public IP address, you can, at some point, run out of public IP addresses.

Your router assigns you a public IP address, which helps you gain access to the internet. So, when a device communicates with the router, it gets a public IP address, and its private IP address will be translated to a public IP address using ‘NAT’.

NAT translates public address to private address and vice-versa.

IPv6 can replace NAT, as it is 128 bits long and can span many permutations and combinations.

Types of NAT

Static NAT: In this type of NAT, you manually enter the public address for the private address and the private address for the public address in the router table. The rest of the process remains the same.

Dynamic NAT: In this type of NAT, there is no table. It comprises a many-to-one mapping of the private IP address or subnet inside the SD-WAN network to a public IP address or subnet outside the SD-WAN network. Traffic from different segments and subnets to the internal IP addresses in the LAN flows through a single public (external) IP address.
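As an added example (not from the notes), the Python below models both types side by side: a static table entered by hand, and a dynamic many-to-one translation in which nothing is configured in advance and the per-flow state is created on the fly as inside hosts start talking, with the translated source port telling the flows apart on the single public address. The 192.168.1.x private hosts and the 203.0.113.x public addresses are constructed sample values.

```python
class StaticNat:
    """Manually configured one-to-one mappings (private <-> public), as in static NAT."""

    def __init__(self, mappings: dict):
        self.inside_to_outside = dict(mappings)
        self.outside_to_inside = {pub: priv for priv, pub in mappings.items()}

    def outbound(self, src_ip: str):
        """Packet leaving the LAN: rewrite its private source to the configured public address."""
        return self.inside_to_outside.get(src_ip)      # None: host has no static entry

    def inbound(self, dst_ip: str):
        """Packet arriving from the internet: rewrite the public destination back to the host."""
        return self.outside_to_inside.get(dst_ip)


class DynamicNat:
    """Many-to-one: every inside host shares one public IP; flows are told apart by the
    translated source port, and the per-flow state is built when traffic first appears."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.flows = {}        # (src_ip, src_port) -> translated public port
        self.reverse = {}      # translated public port -> (src_ip, src_port)

    def outbound(self, src_ip: str, src_port: int):
        key = (src_ip, src_port)
        if key not in self.flows:                      # first packet of a new flow
            port = self.next_port
            self.next_port += 1
            self.flows[key] = port
            self.reverse[port] = key
        return (self.public_ip, self.flows[key])

    def inbound(self, dst_port: int):
        """Reply from the internet: map the public port back to the originating host and port.
        An unknown port means nobody inside asked for this packet, so it is dropped (None)."""
        return self.reverse.get(dst_port)


if __name__ == "__main__":
    static = StaticNat({"192.168.1.10": "203.0.113.10"})
    print("static out:", static.outbound("192.168.1.10"), "| static in:", static.inbound("203.0.113.10"))
    dyn = DynamicNat("203.0.113.1")
    print("dynamic out:", dyn.outbound("192.168.1.10", 51000), dyn.outbound("192.168.1.11", 51000))
    print("dynamic in :", dyn.inbound(40001), "| unsolicited:", dyn.inbound(45000))
```

The unsolicited-packet case is the privacy advantage the notes list: an outside sender that never received an outbound packet has no port to address, so the translator cannot route its packet to any inside host.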

Advantages of NAT:

1. NAT conserves the legally registered IP addresses.
2. It provides privacy, as it hides the IP address of the device that sends and receives information.
3. It eliminates the renumbering of addresses when a network evolves.

Proxy and SSL

What is SSL?

To understand SSL, you need to understand HTTP and HTTPS. HTTP stands for hypertext transfer protocol, and HTTPS is a secure version of HTTP.

In the HTTP protocol, data is transferred in the form of plain text. In this protocol, the integrity of a message can be tampered with. A man-in-the-middle attack can aid in reading the data that is in the form of plain text. HTTPS, on the other hand, sports a green lock alongside the URL.

The green lock in front of a URL indicates that the site is secure and any transaction or data transfer is encrypted. Since the data is encrypted, attackers cannot spot plain text or sniff or tamper with the data.

For HTTPS, Secure Sockets Layer (SSL) certificates are used. SSL is the web service’s digital certificate. Let’s say you want to access gmail.com and all your communication must be encrypted. So, the following process takes place:

1. The user enters ‘gmail.com’ in the browser.
2. The request is pushed to gmail.com.
3. The computer requests the https pages from the gmail.com server.
4. Gmail.com sends its public key and SSL certificate that is signed by a third-party certificate authority (CA).
5. Now the browser will verify the validity and the legality of the certificate issued by the CA.
6. The browser also verifies the validity of the digital signature. A digital signature is created with the CA’s private key, and only they can verify whether the signature is valid or not.
7. Browsers contain a list of the public keys of major CAs.
8. After verification of the signature, you get the green lock. The green lock appears in the browser window, which indicates that the signature is verified.
9. The browser creates a magic key or a secret key that will be sent to the gmail.com server.
10. Any potential attacker in the middle can uncover this secret if it is not encrypted.
11. Hence, the browser uses the public key of gmail.com to encrypt the secret key or the magic key to ensure security. This encrypted key is then sent to gmail.com.
12. Now gmail.com uses its private key to decrypt it.
13. Now, gmail.com has the browser’s key, and all communications between the server and the browser are encrypted and decrypted using the secret key. This secret key is called the ‘Asymmetric key’ or ‘Symmetric key’.

Asymmetric key: The private and the public keys are used to establish trust and to authenticate the owner.

Symmetric key: The shared magic key is used to encrypt and decrypt all traffic between gmail.com and the browser.
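The 13 steps and the two key roles above can be traced in code. The Python below is an added example, not from the notes: a CA signs the server's certificate with its private key (steps 4 to 8), the browser checks that signature against the CA's public key, then picks a secret, wraps it with the server's public key, and both sides use the unwrapped secret symmetrically (steps 9 to 13). Textbook RSA with tiny primes and a SHA-256 keystream are used here only as stand-ins for the real algorithms; the CA and server keys, the subject gmail.com and the message are constructed. The tampered run shows what happens when a certificate does not match its signature.

```python
import hashlib
import random


# --- toy textbook RSA (tiny primes for illustration; real TLS uses 2048-bit keys) ---
def rsa_keypair(p: int, q: int, e: int):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                  # modular inverse (Python 3.8+)
    return (e, n), (d, n)                # (public key, private key)


def rsa_apply(key, m: int) -> int:
    exponent, n = key
    return pow(m, exponent, n)


def digest_mod(data: bytes, n: int) -> int:
    """SHA-256 of the data, reduced so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


# --- asymmetric part: CA signs the server certificate, browser verifies with the CA public key ---
def issue_certificate(subject: str, server_pub, ca_priv):
    cert = f"{subject}|{server_pub[0]}|{server_pub[1]}".encode()
    signature = rsa_apply(ca_priv, digest_mod(cert, ca_priv[1]))   # signed with CA private key
    return cert, signature


def verify_certificate(cert: bytes, signature: int, ca_pub) -> bool:
    return rsa_apply(ca_pub, signature) == digest_mod(cert, ca_pub[1])


# --- symmetric part: XOR keystream derived from the shared secret (toy stream cipher) ---
def keystream_xor(secret: int, data: bytes) -> bytes:
    key = hashlib.sha256(str(secret).encode()).digest()
    out = bytearray()
    for i, byte in enumerate(data):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)


def handshake(subject: str = "gmail.com", message: bytes = b"hello over https", tamper: bool = False) -> dict:
    ca_pub, ca_priv = rsa_keypair(101, 103, 7)       # constructed CA key (step 7: browser trusts ca_pub)
    srv_pub, srv_priv = rsa_keypair(61, 53, 17)      # constructed server key
    cert, signature = issue_certificate(subject, srv_pub, ca_priv)       # step 4
    if tamper:                                                           # certificate altered in transit
        cert = cert.replace(b"gmail.com", b"gmai1.com")
    if not verify_certificate(cert, signature, ca_pub):                  # steps 5, 6, 8
        return {"verified": False}
    # steps 9-12: browser picks a secret and wraps it with the server's public key
    secret = random.Random(42).randrange(2, srv_pub[1])
    wrapped = rsa_apply(srv_pub, secret)
    server_secret = rsa_apply(srv_priv, wrapped)
    # step 13: the shared secret now encrypts and decrypts application traffic symmetrically
    ciphertext = keystream_xor(secret, message)
    plaintext = keystream_xor(server_secret, ciphertext)
    return {"verified": True, "secrets_match": secret == server_secret,
            "ciphertext_differs": ciphertext != message, "decrypted": plaintext}


if __name__ == "__main__":
    print(handshake())
    print(handshake(tamper=True))
```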

The twist in the tale is that HTTPS means only that the conversation between the client and the server is encrypted. All sites that have HTTPS or the green lock in their URL are secure. Phishing sites can also carry a green lock. After all, SSL certificates can be obtained by threat actors too!

Network Packet Analysis

Packet sniffer: Packet sniffers like Wireshark, tcpdump and Telerik Fiddler are used to observe the network packet exchanges in a computer. As the name suggests, a packet sniffer captures (‘sniffs’) the packets that are being sent/received from/by your computer. Usually, the packet sniffer also stores and/or displays the contents of the various protocol fields in the captured packets. A packet sniffer is, by default, passive. It observes messages being sent from and received by applications and protocols running on your computer, but never sends packets itself.

The above diagram shows the structure of a packet sniffer. The right side of the diagram depicts the protocols (in this case, Internet protocols) and applications (such as a web browser or FTP client) that normally run on your computer. The packet sniffer, shown within the dashed rectangle, consists of two parts. The ‘packet capture’ library receives a copy of every link-layer frame that is sent from or received by your computer. The messages that are exchanged by higher-layer protocols, such as HTTP, FTP, TCP, UDP, DNS or IP, are eventually encapsulated in link-layer frames that are transmitted over physical media, such as an Ethernet cable. In the above figure, Ethernet is assumed as the physical medium, and thus, all upper-layer protocols are eventually encapsulated within an Ethernet frame. Hence, capturing all link-layer frames gives you access to all the messages sent/received from/by all the protocols and applications executing on your computer.
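The encapsulation described above is what a sniffer's dissector unwinds. As an added example (not from the notes, and not Wireshark's own code), the Python below builds one constructed Ethernet II / IPv4 / TCP frame carrying an HTTP request (checksums left at zero, addresses from the documentation ranges, MAC addresses invented) and then peels off the layers the way a packet analyser's decoder does, which is why having the link-layer frame is enough to recover the HTTP message inside it.

```python
import socket
import struct


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Construct a minimal Ethernet II / IPv4 / TCP frame (checksums are left as zero)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", 0x0800))                           # EtherType 0x0800 = IPv4
    # TCP header: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    # IPv4 header: version/IHL, TOS, total length, id, flags/frag, TTL, protocol 6 = TCP, checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def parse_frame(frame: bytes) -> dict:
    """Peel off each encapsulation layer: Ethernet -> IPv4 -> TCP -> application payload."""
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out = {"eth": {"src": src.hex(":"), "dst": dst.hex(":"), "type": ethertype}}
    if ethertype != 0x0800:
        return out                                   # not IPv4: stop at the link layer
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    out["ip"] = {"version": version, "src": socket.inet_ntoa(ip[12:16]),
                 "dst": socket.inet_ntoa(ip[16:20]), "proto": proto, "len": total_len}
    if proto != 6:
        return out                                   # not TCP (e.g. UDP for DNS): stop here
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    data_offset = (tcp[12] >> 4) * 4
    out["tcp"] = {"sport": sport, "dport": dport, "flags": tcp[13], "payload": tcp[data_offset:]}
    return out


# Constructed sample: a browser on 192.168.56.112 sending a GET to a web server on port 80.
SAMPLE_FRAME = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                           "192.168.56.112", "203.0.113.5", 51234, 80,
                           b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")

if __name__ == "__main__":
    for layer, fields in parse_frame(SAMPLE_FRAME).items():
        print(layer, fields)
```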

HTTP packet: Let’s use Wireshark as a packet sniffer tool to analyse HTTP packets. Wireshark is a free and open-source packet analyser. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

As shown in the above picture, you can select any packet and get all the details of the packet from the options given below.

A similar process can be followed for FTP packets: search for an FTP packet and open it, or find the complete details of that packet in the menu below.

Network Penetration

Please refer to this doc for this segment.

Introduction to Firewalls

A firewall is a network firmware or security device, either hardware- or software-based, which monitors incoming and outgoing traffic using a set of security rules. Based on these rules, the firewall accepts, rejects or drops any specific traffic.

Accept: It means that the firewall allows the flow of the traffic.

Reject: It means that the firewall blocks the traffic but replies with an ‘unreachable error’ message.

Drop: It means that the firewall blocks the traffic with no reply.

Packet Filtering

Packet filtering is a firewall technique that examines each packet that passes through the firewall and tests the packets according to a set of rules that you set up. You can set the rules to allow access only to familiar and established IP addresses and deny access to all unknown or unrecognised IP addresses.

If you set rules to deny outsiders’ access to port 80, all the traffic from outside to the HTTP server will be blocked, as most HTTP servers run on port 80. Alternatively, you can set a rule in the packet-filtering firewall that will filter the packets, allow only your mail or web server packets, and reject all other packets.

Stateful Inspection Firewall

Stateful inspection firewalls keep track of connection status. Ports can be opened and closed dynamically as necessary to complete a transaction. For example, when you make a connection to a server using HTTP, the server will initiate a new connection back to your system on a random port. A stateful inspection firewall will automatically open a port for the latter connection.

The operation of a conventional firewall can be very complicated. However, the internal complexity of a stateful firewall can also make it easier to implement. Since the firewall maintains a state table for its functionality, individual configuration entries do not require ACL configuration. For major firewalls, the only thing that needs to be configured is an internal and an external interface. Most people commonly use this without even noticing it. This is because most at-home Internet routers use a stateful firewall, with an internal LAN port as the internal firewall interface and a WAN port as the external firewall interface. This allows traffic to flow freely from the internal interface to the Internet without allowing externally-initiated traffic to enter the internal network.
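To contrast the two approaches, the following Python is an added example (not from the notes and not any product's rule syntax): a stateless filter that judges each packet alone against ordered rules, including the deny-outsiders-on-port-80 rule from the packet filtering section, a mail-server allow and an implicit deny; beside it, a stateful filter with only an inside/outside distinction, which records connections opened from the inside and admits just their replies, dropping anything externally initiated. The 10.0.0.0/8 inside network and all addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.0.0/8")      # constructed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def from_inside(pkt: Packet) -> bool:
    return ipaddress.ip_address(pkt.src) in INSIDE


# --- stateless packet filter: each packet judged alone, first matching rule wins ---
RULES = [
    # (action, description, predicate)
    ("accept", "mail server reachable from anywhere", lambda p: p.dport == 25),
    ("reject", "outsiders may not reach HTTP",        lambda p: not from_inside(p) and p.dport == 80),
    ("accept", "inside hosts may go anywhere",        lambda p: from_inside(p)),
]
IMPLICIT_DENY = "drop"       # nothing matched: silently discard


def stateless_filter(pkt: Packet) -> str:
    for action, _description, matches in RULES:
        if matches(pkt):
            return action
    return IMPLICIT_DENY


# --- stateful inspection: remember connections opened from inside, let only their replies back ---
class StatefulFirewall:
    def __init__(self):
        self.state = set()    # (inside_ip, inside_port, remote_ip, remote_port)

    def filter(self, pkt: Packet) -> str:
        if from_inside(pkt):
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "accept"   # reply to a connection we saw being opened from inside
        return "drop"         # externally initiated and unknown to the state table


if __name__ == "__main__":
    outside_to_web = Packet("198.51.100.7", 40000, "10.0.0.5", 80)
    print("stateless, outsider -> port 80:", stateless_filter(outside_to_web))
    fw = StatefulFirewall()
    print("stateful, inside opens 443    :", fw.filter(Packet("10.0.0.5", 51000, "203.0.113.9", 443)))
    print("stateful, reply to that flow  :", fw.filter(Packet("203.0.113.9", 443, "10.0.0.5", 51000)))
    print("stateful, unsolicited inbound :", fw.filter(Packet("203.0.113.9", 443, "10.0.0.5", 51001)))
```

The stateless rules never need to know about the reply direction because they match on port numbers alone; the stateful firewall needs no per-service rules at all, which is the "only configure an internal and an external interface" simplicity described above, at the cost of keeping a table in memory for every live connection.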

Pros of stateful inspection firewalls: Stateful inspection firewalls provide the most optimum balance between the performance of a packet filter and the security of an application proxy. A wide variety of such firewalls are available, and they have few, if any, drawbacks.

Networking standard: Currently, stateful inspection firewalls are a de facto standard for network protection. For example, these firewalls are required for the quickest possible data transfers, while ensuring some security for the internal network.

Performance and protection: The balance of performance versus protection is excellent. Since this type of firewall is a current standard, most vendors support it and offer it at multiple levels of data transfer rates and costs.

Cons of stateful inspection firewalls

Lower data transfer rates compared to packet filtering: Use of stateful inspection firewalls leads to performance degradation compared to a packet-filtering firewall. Furthermore, in the case of a stateful inspection firewall, tables are prepared and logic is used to parse the access lists, which require more memory and processor power.

Proxy Firewalls

A proxy firewall is a network security method that protects the network resources by filtering messages at the application layer.

Proxy firewalls are the most secure type of firewalls. However, this high security comes at the expense of speed and functionality, as they can limit the number of applications supported by your network. A proxy firewall filters, caches, logs and controls the requests from a client to keep the network secure and free of intruders and viruses. In reality, proxies are gateway applications used to route Internet and web access from within a firewall. Proxy servers work by opening a socket on the server and allowing the connection to pass through. Often, there is only one computer in a proxy firewall network with a direct Internet connection. All other computers in the network gain access to the Internet using that computer as a gateway. A proxy gateway receives a request from a client inside the firewall and sends this request to a remote server located outside the firewall. The response from the remote server is then read and sent back to the client. Usually, the same proxy is used by all client computers within a network. This enables the proxy firewall to efficiently cache the documents that are requested by multiple clients.

Host-Based Firewalls

A host-based firewall runs on an individual computer or device connected to a network. These firewalls are a granular way to protect individual hosts from viruses and malware and to control the spread of malicious infections throughout the network.

Host-based firewalls are essential when creating multiple layers of security. They protect individual hosts when they are used in untrusted and potentially malicious environments. These firewalls also protect individual hosts from potentially compromised peers within a trusted network. A network-based firewall protects the internal network by filtering the traffic flowing in and out of it, while the host-based firewall that is present on each host protects only the host device. Similar to the network-based firewall, the host-based firewall should also comprise the implicit deny rule. Then, you selectively enable the specific services and ports that will be used. Remember that while securing the systems, you need to minimise attack surfaces or exposure. A host-based firewall is crucial in reducing the accessibility of an outside attacker. It provides flexibility by permitting connections only to selected services on a given host from a specific range of networks or IP addresses. This ability to restrict connections from specific origins is used to implement a highly secure host on a network. From there, access to critical or sensitive systems or infrastructure is permitted.

Next-Gen/L7 Application-Aware Firewall

The next-generation firewall is a part of the third generation of firewall technology. It combines the functions of a traditional firewall with other network device filtering functions, such as an application firewall using in-line deep packet inspection, which is an intrusion prevention system.

Next-gen firewalls help you identify the application/protocol for/from which the packet is coming. Based on the allowed status of the source application, they allow or deny the flow of traffic. They can also filter the traffic based on user (root user, customer, employee, etc.) identification. In addition, these firewalls can also allow or deny a packet on the basis of its contents, like the URL, data, etc. These firewalls operate up to the application layer of the OSI model, whereas previous firewall technologies operated only up to the transport layer. Recently, there has been an increase in the number of attacks on layers 4–7 of the OSI model, which warrants the need for these next-gen firewalls.

Advantages of next-gen firewalls:

● New-age hardware makes it possible to merge multiple security functions in one device or a smaller number of devices.
● Security functions of these firewalls are seamlessly integrated, leading to better enforcement and higher throughput.
● Unified visibility with better ROI
● Automated remediation
● These firewalls can integrate multi-source threat intelligence into a single enforcement point.
● These firewalls also reduce management overheads/delays and TCO.

Hardware Firewalls

Both hardware and software firewalls protect computers from hackers and other online threats by blocking malicious data from reaching the system. While hardware firewalls offer network-wide protection from external threats, software firewalls installed on individual computers can more closely inspect the data and can block specific programs from even sending data to the Internet. On networks with high-security concerns, combining both kinds of firewalls provides a more efficient safety net.

What are hardware firewalls?

● A physical device that sits between your network and the Internet
● Protects the network
● Filters packets and has all the usual firewall functionalities
● Dedicated hardware and resources
● Configuration and support team in place
● Sometimes super hard to configure
● Integrates with existing solutions, like VPN
● Faster and dedicated detection rates
● For example, Cisco/Palo Alto firewalls

What are software firewalls?

● More of a software-based solution
● Does not require dedicated hardware
● More of a second line of defence
● Ends up protecting a single computer
● Up and running with a few commands
● Best for mitigation
● Affordable, upgradable and configurable
● Resource-eater and drains the resources too
● For example, pfSense

Network Firewall Storage

Network-attached storage (NAS): NAS is a computer connected to a network that provides file-based data storage services to other devices on the network. The primary strength of NAS is that it is simple to set up and deploy.

When it comes to security breaches, NAS devices are way behind cloud storage. You can limit access to NAS devices by closing ports or whitelisting only a few connections. Most NAS devices have network backup, firewalls, DoS protection and other security features.

● NAS aids in scale-up of storage and easy disaster recovery
● Scores with scale-up
● Scores with performance
● Scores with easy set-up
● Ease of access

Storage area network (SAN): A SAN provides users with high-performance, low-latency shared access to storage. It is built from a combination of servers and storage over a high-speed, low-latency interconnect that allows direct fibre channel connections from the client to the storage volume to provide the fastest possible performance.

● A dedicated high-speed storage network that connects to storage devices
● Fault-tolerant
● One can access the data even if a switch or storage device goes down
● Highly scalable
● High-speed network comprising devices connected via fibre optics
● Network traffic is not a factor at all, as it is a dedicated network.

How to Choose a Good Firewall?

The firewall you choose will depend on the scale of your business. Everyone needs at least the most basic level of protection, with a stateful inspection firewall suitable for most typical internet users. If you run a small business, then a cloud-based Unified Threat Management (UTM) firewall may be better suited for your operation. Given below are some points that must be considered while choosing a firewall:

Visibility and control of your applications: Traditional firewalls only provide limited control and visibility of the applications and end-users that access the network. You do not want everyone in your organisation to access applications like Facebook, YouTube or other social media apps. However, what about your HR, digital marketing team or teachers who are streaming a video for a specific lesson? With the proper firewall in place, you can apply specific policies to specific end-users, allowing access to the applications relevant to their jobs. Different policies can be implemented for different end-users to prevent them from accessing specific applications. Furthermore, next-gen firewalls can restrict access to certain parts of the applications. For instance, a user might be able to use Facebook calling and messaging but not be able to post to their timeline or on a friend’s ‘wall’.

Protection and prevention from threats: A next-gen firewall can monitor and manage all the applications and sensitive information located on a wireless network. These firewalls can restrict the traffic and risks to the network by allowing the use of only authorised applications. You can even scan these approved applications to ensure that there are no potential threats. Since applications have to be approved by the firewall, it can also reduce bandwidth consumption, improving the overall performance of your Wi-Fi.

Remote users: With employers in every industry now allowing remote workers, employees need to access internal networks and applications from remote locations. They should be able to connect to the organisation’s network and complete their work. A next-gen firewall keeps the traffic coming in and out of the internal server safe and threat-free.

Streamlined security infrastructure: Buying more security elements is not always the solution to fix security needs. In fact, this approach frequently ends up being costly and ineffective. Adding a higher number of elements means more elements to manage and update, which decreases efficiency by creating an unnecessarily complex system. Next-gen firewalls already have the necessary security infrastructure elements built in, including:

● Anti-virus protection
● Spam filtering
● Deep packet inspection
● Application filtering

It is a comprehensive security component that lets you stop worrying about any other elements that you would need to add to increase the security of your network.

Cost: Last but not least, cost is always a factor when it comes to choosing the proper firewall. It is better to think about how a firewall will fit in the budget rather than how much it costs.

Risk of Not Having a Firewall

If you do not use any firewall, practically any connection can reach your network, and you will not be able to detect potential threats or untrustworthy sources. Not installing a firewall is associated with a number of risks, such as:

Unlimited public access: If your network is not protected by any firewall, then practically any connection can access your network. You will not be able to detect potential threats or untrustworthy sources. Moreover, this could expose your device and business to a security breach.

Data hacks: If anyone can access a network, every device connected to that network becomes a security risk. Cybercriminals can access laptops, mobiles and wireless routers, and erase essential data, steal client information, or hold the company to ransom.

Network downtime: The most critical consequence of not having a firewall is total network breakdown. Hackers could access systems and effectively shut the entire business down. Furthermore, it is both costly and time-consuming to recover the lost data and bring the business back online. Therefore, you must choose the right type of firewall and give your business an umbrella of protection that keeps every device safe and secure.

Network Security Elements

What is an intrusion prevention system (IPS)?

An IPS is a network security element that detects and prevents identified threats. It continuously monitors the network, looking for possible malicious incidents and obtaining information about them. It then reports these issues to system administrators and takes preventive actions, such as closing the access points and configuring the firewalls to prevent future attacks. The actions of an IPS can also be used to identify corporate security policy issues, discouraging employees and network guests from disrupting the rules defined within these policies.

IPSs monitor all network traffic. They protect against several types of threats, including:

● Denial of Service (DoS) attack
● Distributed Denial of Service (DDoS) attack
● Various types of exploits
● Worms
● Viruses

An IPS performs real-time packet inspection, deeply examining every packet that travels across the network. If any malicious or suspected packets are detected, the IPS will perform one of the following actions:

● Terminate that TCP session and block that particular source IP address or user account from gaining unauthorised access to any application, target host or other network resource.

● Reprogram or reconfigure the firewall to prevent any similar attack in the future.

● Remove or replace any malicious content that might be present on the network after an attack.

Threat Intelligence

Threat intelligence is the production of actionable intelligence through various collection, analysis and collaboration activities. It increases the visibility of the threat landscape and helps mitigate cyber threats.

‘The use of sophisticated malware, along with highly cooperative hackers for hire, makes it difficult to attribute responsibility for the entities behind corporate computer network intrusions…’

- Errol Weiss, Director of the Cyber Intelligence Center, Citigroup

Threat intelligence includes:
● Creating situational awareness by collecting and aggregating indicators of compromise (IOCs) with affiliated threat actors
● Identifying threat actors, including IP addresses, domain names, network traffic content, email addresses, user names, file names and file hashes
● Proactively identifying the attack methods, such as phishing, malware, DDoS attack, etc.
● Acting on relevant data to improve incident response times and vulnerability patching efforts, and preparing for future attacks
● Designing a structured data analysis process that contextualises threat data
● Creating formalised communication processes to streamline escalation procedures and disseminate intelligence to the appropriate stakeholders

Simply put, threat intelligence is a combination of people and processes, not just a product. It is the collection, classification and correlation of data about relevant threat actor campaigns, cyber tools, tactics and procedures that are published to various tactical, operational and strategic stakeholder communities.

Advantages of developing a threat intelligence program:
● Improved effectiveness of internal defense controls, such as security information and event management (SIEM), next-generation firewalls (NGFWs), IPS, IDS, secure web gateways (SWGs) and anti-malware and anti-spam packages
● Increased operational efficiency in terms of asset management, human capital management, etc.
● Reduced chances of breaches and improved internal network defences
● Improved standardisation of data collection, analysis and publication
● Increased visibility to the threat landscape
● Enhanced overall security posture

Impact of threat intelligence
● Short-term impact:
  ★ Streamlines the process of formalising a threat intelligence program tailored to your organisation-specific strategic needs
  ★ Assesses current operational gaps and tailors your unique threat intelligence process in a structured manner
● Long-term impact:
  ★ Provides greater visibility to your immediate threat environment
  ★ A well-defined intelligence collection plan will result in better threat mitigation and analysis, which will ultimately improve defenses and an organisation’s situational awareness.

Snort
● Snort is a network-based intrusion detection system (IDS). It can be used as a packet sniffer to monitor the network in real time. The network admin can monitor all the incoming packets and find harmful packets among them. The system is built on the libpcap packet capture library. Its rules can be created and implemented easily, and it can be deployed on any operating system and in any network environment. Snort has gained immense popularity because it is free to use and open-source software.

● Features:
  ○ Real-time traffic monitoring
  ○ Packet logging
  ○ Protocol analysis
  ○ Content matching
  ○ OS fingerprinting
  ○ Can be installed in any network environment
  ○ Creates logs
  ○ Open source
  ○ Easy-to-implement rules

Intrusion Detection System (IDS): With the rise in internet services, such as online banking and e-commerce, network protection has become a necessity. An IDS is hardware or software that identifies and mitigates threats and attacks. It collects and analyses information on malicious movements and reports them to the system administrator. This information can also be stored in a Security Information and Event Management (SIEM) system.

● The main difference between intrusion prevention systems (IPS) and intrusion detection systems (IDS) is their response to threat detection. IPSs control the access to an IT network and protect it from damage and attack. These systems are designed to monitor intrusion data and take the action required to prevent any future attacks. IDSs are not intended to block attacks. Instead, they monitor the network and send alerts to system administrators if a potential threat is detected.

Snort Rules

Uses of Snort rules
● Snort uses the libpcap (for UNIX/Linux) or the WinPcap (for Windows) library, which is the same library used by tcpdump for packet sniffing.
● Snort’s ‘Packet Logger’ feature is used for debugging network traffic.
● Snort creates alerts according to the rules defined in the configuration file.
● The Snort rules are very flexible and writing new rules is moderately simple.
● Snort rules help distinguish between normal and malicious Internet activities.

Examples of Snort rules:
1. log tcp !192.168.0/24 any -> 192.168.0.33 (msg: "mounted access" ; )
2. log tcp !192.168.0/24 any <> 192.168.0.33 (msg: "mounted access" ; )

The direction operators ‘<>’ and ‘->’ indicate the direction of interest for the traffic. This means that the traffic flow can be either unidirectional or bidirectional. The keyword ‘any’ can be used to define any IP address, and numeric IP addresses must be used with a Classless Inter-Domain Routing (CIDR) netmask. According to Snort rules, the port numbers can be listed in many ways, including single ports, negation, etc. Port ranges are indicated using the range operator ‘:’.

An example of a multi-line Snort rule:

log tcp !192.168.0/24 any -> 192.168.0.33 \
(msg: "mounted access" ; )

Usually, Snort rules are written in a single line. However, in newer versions, they can also be written across multiple lines by adding a backslash ‘\’ at the end of a line. This multi-line approach helps keep a long rule easy to understand.

An example of port negation:

log tcp any any -> 192.168.1.0/24 !6000:6010

The ‘!’ symbol is used for negation. The above rule states that Snort will log every TCP packet that comes from any IP address and port to 192.168.1.0/24 and is destined for any port other than 6000 to 6010.
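The header syntax described above (direction operators, ‘any’, CIDR networks, ‘!’ negation and ‘:’ port ranges), worked through as an added example that is not part of the lecture notes or of Snort itself: a small Python matcher that parses a rule header, including the backslash continuation form, and decides whether a constructed packet record (a dict with proto, src_ip, src_port, dst_ip, dst_port) would match. It assumes IPv4 only, treats a missing destination port (as in the notes’ examples) as ‘any’, and pads a three-octet network such as 192.168.0/24 to 192.168.0.0/24; rule options in parentheses are kept but not evaluated.

```python
# Added example, not from the lecture notes: a minimal matcher for the Snort rule header syntax above
import ipaddress
import re

HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)(?:\s+([^\s(]+))?\s*(\(.*\))?\s*$")

def _parse_net(body):                        # pad 192.168.0/24 to 192.168.0.0/24 (IPv4 only)
    host, _, prefix = body.partition("/")
    host = ".".join((host.split(".") + ["0"] * 4)[:4])
    return ipaddress.ip_network(host + ("/" + prefix if prefix else ""), strict=False)

def _neg(spec):                              # '!x' means anything except x
    return spec.startswith("!"), spec.lstrip("!")

def addr_matches(spec, ip):
    neg, body = _neg(spec)
    hit = body == "any" or ipaddress.ip_address(ip) in _parse_net(body)
    return hit != neg

def port_matches(spec, port):
    neg, body = _neg(spec)
    if ":" in body:                          # range operator: 'lo:hi', ':hi' or 'lo:'
        lo, _, hi = body.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = body == "any" or port == int(body)
    return hit != neg

def parse_rule(rule):
    # lines ending in a backslash are continuation lines of one rule
    m = HEADER_RE.match(" ".join(l.strip().rstrip("\\") for l in rule.splitlines()))
    if not m:
        raise ValueError("cannot parse rule header: " + rule)
    action, proto, sip, sport, direction, dip, dport, opts = m.groups()
    return action, proto, (sip, sport), direction, (dip, dport or "any"), opts or ""

def _flow_matches(src, dst, pkt):
    return (addr_matches(src[0], pkt["src_ip"]) and port_matches(src[1], pkt["src_port"])
            and addr_matches(dst[0], pkt["dst_ip"]) and port_matches(dst[1], pkt["dst_port"]))

def rule_matches(rule, pkt):
    # pkt: dict with proto, src_ip, src_port, dst_ip, dst_port (constructed sample input)
    _, proto, src, direction, dst, _ = parse_rule(rule)
    if proto != pkt["proto"]:
        return False
    hit = _flow_matches(src, dst, pkt)
    if direction == "<>":                    # bidirectional: the reverse flow also counts
        hit = hit or _flow_matches(dst, src, pkt)
    return hit
```

With the notes’ own rules, a reply packet from 192.168.0.33 back to an outside host matches only the ‘<>’ form, and the port-negation rule logs traffic to 192.168.1.0/24 on port 22 but not on port 6005.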

Snort Architecture

Every element of this architecture is packet-based. The packet decoder contains the logic to decode the packet. The decoded packet is passed to the pre-processor, which processes the packet and passes the processed information to the detection engine, which relies heavily on the Snort rules. Based on the rules, it determines whether the packet is good or bad; if the packet matches the rules, the detection engine sends it to the alert mechanism, which communicates with the alert DB to get the alert information and finally generates the alert.