9/3/12

Firewalls and Intrusion Detection Systems

A firewall is a combination of hardware and software (such as iptables) that isolates an organization's internal network from the Internet at large, allowing some packets (of information) to pass and blocking others. A firewall allows a network administrator to control access between the outside world and resources within the administered network by managing the traffic flow to and from these resources.

A firewall has three goals:

  • All traffic from outside to inside, and vice versa, passes through the firewall.
  • Only authorized traffic, as defined by the local security policy, will be allowed to pass.
  • The firewall itself is immune to penetration.

Firewalls can be classified in three categories: traditional packet filters, stateful filters, and application gateways.

Traditional packet filters examine each datagram in isolation, determining whether the datagram should be allowed to pass or should be dropped based on administrator-specified rules.

Stateful packet filters track all ongoing TCP connections in a connection table, which they also consult when deciding whether a packet should be allowed to pass or not.

An application gateway is an application-specific server through which all application data (inbound and outbound) must pass. It allows for finer-grained security (for example, allowing specific users of specific applications to access outside-world services).
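To make the difference between the first two categories concrete, here is a small added example (written for this post, not code from the post or from any firewall product) that models a traditional packet filter and a stateful packet filter side by side. The packet model, the internal address prefix 10.0.0.x and the three sample packets are constructed for the example; the policy is the textbook one: inside hosts may open TCP connections outward, and inbound TCP is accepted only if it looks like a reply.

```python
from dataclasses import dataclass

# Constructed packet model for this example (not from the post): only the
# header fields a packet filter consults.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag

INTERNAL_PREFIX = "10.0.0."   # hypothetical address range of the protected network

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)

def stateless_filter(pkt: Packet) -> bool:
    """Traditional packet filter: each datagram is judged in isolation.
    Policy: inside hosts may open TCP connections to the outside; inbound TCP
    is accepted only if its ACK bit is set (i.e. it looks like a reply);
    everything else is dropped. Returns True if the packet may pass."""
    if pkt.proto != "tcp":
        return False
    if is_internal(pkt.src_ip) and not is_internal(pkt.dst_ip):
        return True
    if not is_internal(pkt.src_ip) and is_internal(pkt.dst_ip):
        return pkt.ack
    return False

class StatefulFilter:
    """Stateful packet filter: a connection table records TCP connections
    opened from inside, and an inbound segment passes only if it belongs to
    one of them."""

    def __init__(self):
        # entries: (internal ip, internal port, external ip, external port)
        self.connections = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.proto != "tcp":
            return False
        if is_internal(pkt.src_ip) and not is_internal(pkt.dst_ip):
            if pkt.syn and not pkt.ack:   # new outbound connection: remember it
                self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        if not is_internal(pkt.src_ip) and is_internal(pkt.dst_ip):
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            return key in self.connections   # only replies to tracked connections
        return False

def demo():
    """Run both filters over three constructed packets and return the verdicts."""
    outbound = Packet("10.0.0.5", "203.0.113.7", "tcp", 40000, 80, syn=True)
    reply = Packet("203.0.113.7", "10.0.0.5", "tcp", 80, 40000, syn=True, ack=True)
    # Constructed: an inbound segment with ACK set that answers nothing sent from inside.
    stray = Packet("198.51.100.9", "10.0.0.5", "tcp", 443, 40001, ack=True)
    sf = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in (outbound, reply, stray)],
        "stateful": [sf.allow(p) for p in (outbound, reply, stray)],
    }

if __name__ == "__main__":
    print(demo())   # {'stateless': [True, True, True], 'stateful': [True, True, False]}
```

The third packet is the point of the example: the stateless filter has no way to know that nobody inside ever opened a connection to 198.51.100.9, so it lets the segment through on the strength of the ACK bit alone, whereas the stateful filter rejects it because the connection table has no matching entry.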

Packet filters inspect header fields when deciding which packets to let pass through the firewall. However, to detect many attack types, we need to perform deep packet inspection, that is, look beyond the header fields and into the actual application data that the packets carry.

A device that generates alerts when it observes potentially malicious traffic is called an Intrusion Detection System (IDS). A device that filters out suspicious traffic is called an Intrusion Prevention System (IPS).

IDS systems (an IPS is also an IDS) are broadly classified as either signature-based systems or anomaly-based systems. (Snort is a program that has become the de facto standard among IDS/IPS software.)

A signature-based IDS maintains an extensive database of attack signatures. Each signature is a set of rules pertaining to an intrusion activity. A signature may simply be a list of characteristics about a single packet (e.g., source and destination port numbers, protocol type, and a specific string of bits in the packet payload), or may relate to a series of packets. The signatures are normally created by skilled network security engineers who research known attacks.

Signature-based IDS systems, although widely deployed, have a number of limitations. Most importantly, they require previous knowledge of the attack to generate an accurate signature. They also can be resource-intensive.

An anomaly-based IDS creates a traffic profile as it observes traffic in normal operation. It then looks for packet streams that are statistically unusual (for example, an inordinate percentage of ICMP packets, or a sudden exponential growth in port scans and ping sweeps). The great thing about anomaly-based IDS systems is that they don't rely on previous knowledge about existing attacks - that is, they can potentially detect new, undocumented attacks. On the other hand, it is an extremely challenging problem to distinguish between normal traffic and statistically unusual traffic.
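The following added example (written for this post; it is not code from the post and is not Snort) puts the two IDS approaches from the last few paragraphs next to each other. The signature matcher checks header fields plus a byte string or regex in the payload, the kind of per-packet rule the post describes (the fields are in the spirit of Snort rule options, but the syntax is not Snort's). The anomaly detector learns a profile from windows of normal traffic (share of ICMP packets, and the largest number of distinct destination ports any one source touches) and flags windows that exceed mean + 3 standard deviations. The packet model, the two signatures and all traffic windows are constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed packet model (not from the post): header fields plus the payload,
# because an IDS has to look past the headers into application data.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str            # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    payload: bytes = b""

# ---- Signature-based detection --------------------------------------------
@dataclass(frozen=True)
class Signature:
    """One rule about a single packet: header constraints plus payload content."""
    sid: int
    msg: str
    proto: str
    dst_port: Optional[int] = None
    content: Optional[bytes] = None   # literal bytes that must appear in the payload
    pcre: Optional[str] = None        # regex that must match the payload

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.content is not None and self.content not in pkt.payload:
            return False
        if self.pcre is not None and not re.search(self.pcre.encode(), pkt.payload):
            return False
        return True

# Hypothetical signature database written for this example.
SIGNATURES = [
    Signature(1000001, "HTTP path traversal in request line", "tcp", 80, content=b"/../"),
    Signature(1000002, "Suspicious User-Agent header", "tcp", 80,
              pcre=r"(?i)User-Agent:[^\r\n]*badbot"),
]

def signature_scan(packets, sigs=SIGNATURES):
    """Return (sid, msg, src_ip) for every packet that matches a known signature."""
    return [(s.sid, s.msg, p.src_ip) for p in packets for s in sigs if s.matches(p)]

# ---- Anomaly-based detection ----------------------------------------------
def window_features(packets):
    """Statistics of one traffic window: ICMP share and the largest number of
    distinct destination ports a single source touched."""
    icmp_frac = sum(p.proto == "icmp" for p in packets) / max(len(packets), 1)
    ports = defaultdict(set)
    for p in packets:
        if p.proto in ("tcp", "udp"):
            ports[p.src_ip].add(p.dst_port)
    max_ports = max((len(s) for s in ports.values()), default=0)
    return {"icmp_frac": icmp_frac, "max_ports_per_src": max_ports}

def build_profile(baseline_windows, k=3.0):
    """Learn a threshold (mean + k * stdev) per feature from windows of normal traffic."""
    feats = [window_features(w) for w in baseline_windows]
    return {name: statistics.mean(v) + k * statistics.pstdev(v)
            for name in feats[0] for v in [[f[name] for f in feats]]}

def anomaly_scan(window, profile):
    """Names of the features whose value in this window exceeds the learned threshold."""
    return [name for name, val in window_features(window).items() if val > profile[name]]

# ---- Constructed traffic ---------------------------------------------------
def make_window(n_tcp, n_icmp, ports_per_src, src="10.0.0.5"):
    """Constructed window: n_tcp TCP packets from src spread over ports_per_src
    destination ports, plus n_icmp ICMP packets from the same source."""
    pk = [Packet(src, "203.0.113.7", "tcp", 40000 + i, 1 + (i % ports_per_src),
                 b"GET / HTTP/1.1\r\n") for i in range(n_tcp)]
    return pk + [Packet(src, "203.0.113.7", "icmp") for _ in range(n_icmp)]

BASELINE = [make_window(20, i + 1, 2 + (i % 3)) for i in range(5)]   # normal operation
PROFILE = build_profile(BASELINE)

def demo():
    quiet = make_window(20, 2, 3)
    ping_sweep = make_window(20, 30, 3)   # constructed: ICMP share jumps to 60%
    port_scan = make_window(50, 1, 50)    # constructed: one source touches 50 ports
    traversal = [Packet("198.51.100.9", "10.0.0.5", "tcp", 5555, 80,
                        b"GET /images/../../config HTTP/1.1\r\n")]
    return {
        "signature_on_traversal": signature_scan(traversal),
        "signature_on_ping_sweep": signature_scan(ping_sweep),      # nothing in the database
        "anomaly_on_quiet": anomaly_scan(quiet, PROFILE),
        "anomaly_on_ping_sweep": anomaly_scan(ping_sweep, PROFILE),
        "anomaly_on_port_scan": anomaly_scan(port_scan, PROFILE),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The contrast is the lesson of the two paragraphs: the signature matcher names exactly what it found on the traversal request but stays silent on the ping sweep, for which it has no signature, while the anomaly detector flags both the sweep and the scan without knowing anything about them, yet reports only "something is statistically off" and must be tuned carefully so that quiet windows do not trip it.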

To date, most IDS deployments are primarily signature-based, although some include some anomaly-based features.

1 comment:

  1. I need to read about IPSec and think if it can be part of firewall security harness.
