Firewall - software- or hardware-based, designed to filter network traffic into or out of a network based on rules.
Filters are based on source/destination IP address, protocol, port, etc.
Primary function - prevent unauthorized access to or from a system or network.
Network activity in both directions can be logged for potential forensic investigation.
Network-based firewalls are placed between the organization's edge router, which connects to the Internet Service Provider (ISP), and the internal network.
Firewalls can be likened to a customs officer inspecting boarding passes and ID/passports - who you are and where you are from (source IP address), where you are flying to (destination IP address), which airline (protocol), and flight number (port).
Even with DPI, the officer is still applying predefined rules, e.g., what you do for a living and your reason for travel.
IDS & IPS are like security guards on the other side of the gates - passengers may pass the initial screening but still cause problems later.
Note: A perimeter firewall only sees traffic that crosses it; this leaves the internal network exposed to malicious traffic originating from within. Intrusion Detection Systems (IDS) & Intrusion Prevention Systems (IPS) help handle these threats.
Software-based firewalls (host-based firewalls) protect only a single system or device; they help contain an attack by limiting its spread from one machine to another, including between hosts on the same internal network.
Firewall Techniques
Regardless of type, firewalls use similar techniques to filter network traffic.
Packet Filtering -
Firewall inspects each packet into or out of the network and will permit or deny based on pre-defined rules such as source/destination IP address, protocol, and port.
It can be broken down into two subcategories:
Stateless Packet Filtering (Sessionless) -
Each packet is treated as an isolated piece of communication.
It requires less memory and processing time, giving low overhead and high throughput.
It cannot make decisions based on the stage of a communication, only on access control list entries referring to IP addresses, protocols, and ports.
Attackers can spoof a source IP address to fool a stateless packet filter, and because the filter cannot tell a reply from an unsolicited packet, rules that admit 'established' traffic (e.g., any inbound TCP segment with the ACK flag set) also admit crafted probes that merely set that flag.
Stateful Packet Filtering -
Uses sessions (a state table) and can understand the stages of a TCP/IP connection, which also lets it reject packets that claim to belong to a connection it never saw (one form of IP address spoofing).
For TCP-based traffic, once a connection has been established, subsequent packets are matched against the state table rather than re-evaluated against the full rule set.
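The difference between the two subcategories is easiest to see in code. The following is an added example, not part of the original notes: a toy stateless ACL and a toy stateful filter are run over the same three constructed TCP packets (addresses, ports and flags are all made up). The stateless rule set has to let replies to outbound connections back in, so it admits any inbound segment with ACK set; the stateful filter admits inbound segments only if they match a connection it saw start.

```python
"""Toy stateless vs stateful TCP packet filter.

Added example, not from the notes. Addresses, ports and packets are constructed.
The stateless ACL has to let replies to outbound connections back in, so it
admits any inbound TCP segment with the ACK flag set; the stateful filter keeps
a state table of connections it saw start and admits inbound segments only if
they belong to one of them.
"""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."  # constructed: our internal network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN", "ACK"})


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt):
    """Stateless ACL: each packet is judged on its own header fields.

    Rule 1: allow any outbound TCP packet.
    Rule 2: allow inbound TCP only if ACK is set (the stateless approximation
            of 'this is a reply to something we sent').
    Default: deny.
    """
    if pkt.proto != "tcp":
        return False
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return True
    if is_internal(pkt.dst) and not is_internal(pkt.src) and "ACK" in pkt.flags:
        return True
    return False


class StatefulFilter:
    """Tracks outbound TCP connections; inbound segments must match an entry."""

    def __init__(self):
        # key: (internal ip, internal port, external ip, external port) -> state
        self.table = {}

    def allow(self, pkt):
        if pkt.proto != "tcp":
            return False
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == frozenset({"SYN"}):
                self.table[key] = "SYN_SENT"  # new outbound connection attempt
                return True
            return key in self.table  # other outbound segments need an entry
        if is_internal(pkt.dst) and not is_internal(pkt.src):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            state = self.table.get(key)
            if state is None:
                return False  # unsolicited inbound, even though ACK may be set
            if state == "SYN_SENT" and pkt.flags == frozenset({"SYN", "ACK"}):
                self.table[key] = "ESTABLISHED"
                return True
            return state == "ESTABLISHED" and "ACK" in pkt.flags
        return False


def run_demo():
    """Three constructed packets: a client SYN, the server's SYN/ACK, and a probe.

    The probe is an unsolicited inbound segment with only ACK set, the trick an
    ACK scan uses against a stateless 'allow established' rule.
    """
    client = Packet("10.0.0.5", "203.0.113.10", "tcp", 40000, 443, frozenset({"SYN"}))
    reply = Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 40000, frozenset({"SYN", "ACK"}))
    probe = Packet("198.51.100.7", "10.0.0.5", "tcp", 12345, 22, frozenset({"ACK"}))
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in (client, reply, probe)],
        "stateful": [stateful.allow(p) for p in (client, reply, probe)],
    }


if __name__ == "__main__":
    print(run_demo())  # the stateless ACL admits the probe, the stateful filter drops it
```

Both filters admit the client's SYN and the server's SYN/ACK; only the stateful filter drops the probe, because no state-table entry exists for it. A real stateful firewall also checks sequence numbers and times entries out, which this toy omits.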
Application Level Gateway (ALG) -
Applies security mechanisms to specific applications/protocols, e.g., HTTP/S, SSL/TLS, FTP, DNS, VoIP.
ALGs look deeper into the protocols to verify that they are being used properly.
An ALG understands how each protocol should work and inspects layer 7 (application).
It can filter offensive/disallowed commands in a data stream; because it must track the stream to do so, ALGs are necessarily stateful firewalls.
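As an added example (not from the original notes), here is a toy FTP application-level gateway that does what the paragraph describes: it parses the control channel at layer 7, permits only a whitelist of commands that depends on the session state, refuses commands such as SITE that allow remote command execution, and checks that a PORT command points back at the client that issued it, which is how a real FTP ALG blocks the classic FTP bounce attack. The client address and the session transcript are constructed.

```python
"""Toy FTP application-level gateway (ALG).

Added example, not from the notes. Inspects the FTP control channel at layer 7:
only whitelisted commands pass (the set depends on whether the user has logged
in), commands that allow remote execution are refused, and a PORT command must
name the client's own address so the data connection cannot be 'bounced' to a
third host. The client IP and the sample session are constructed.
"""
import re

ALLOWED_BEFORE_LOGIN = {"USER", "PASS", "QUIT", "FEAT", "SYST"}
ALLOWED_AFTER_LOGIN = ALLOWED_BEFORE_LOGIN | {
    "PWD", "CWD", "LIST", "NLST", "TYPE", "PASV", "PORT", "RETR", "STOR",
}
DENIED = {"SITE", "DELE", "RMD"}  # refused regardless of state

# PORT h1,h2,h3,h4,p1,p2 -> address h1.h2.h3.h4, port p1*256+p2
PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_arg(arg):
    """Return (ip, port) from a PORT argument, or None if it is malformed."""
    m = PORT_RE.match(arg.strip())
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


class FtpAlg:
    """Stateful per-session inspector for one client's FTP control channel."""

    def __init__(self, client_ip):
        self.client_ip = client_ip
        self.logged_in = False

    def inspect(self, line):
        """Return (allowed, reason) for one client-to-server control line."""
        line = line.rstrip("\r\n")
        if len(line) > 512 or not line.isprintable():
            return False, "malformed line"
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd in DENIED:
            return False, f"{cmd} not permitted through gateway"
        allowed = ALLOWED_AFTER_LOGIN if self.logged_in else ALLOWED_BEFORE_LOGIN
        if cmd not in allowed:
            return False, f"{cmd} not allowed in current session state"
        if cmd == "PORT":
            parsed = parse_port_arg(arg)
            if parsed is None:
                return False, "malformed PORT argument"
            ip, port = parsed
            if ip != self.client_ip or port < 1024:
                return False, f"PORT to {ip}:{port} rejected (bounce attempt)"
        if cmd == "PASS":
            # Toy simplification: a real ALG would wait for the server's 230 reply.
            self.logged_in = True
        return True, "ok"


def run_demo():
    """Constructed session from client 10.0.0.5; returns the allow/deny verdicts."""
    alg = FtpAlg(client_ip="10.0.0.5")
    session = [
        "USER alice",
        "PASS s3cret",
        "PORT 10,0,0,5,195,80",    # 10.0.0.5:50000, the client itself: fine
        "PORT 192,168,1,20,0,25",  # 192.168.1.20:25, a third host's SMTP: bounce
        "SITE EXEC /bin/sh",       # remote command execution attempt
        "RETR report.pdf",
    ]
    return [alg.inspect(line)[0] for line in session]
```

Only the bounce attempt and the SITE command are refused; the remaining four commands are protocol-conformant and pass. Note that the ALG needs session state (logged in or not) to make these decisions, which is the point of L28: layer 7 inspection is inherently stateful.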
Deep Packet Inspection (DPI) -
DPI is performed by an ALG to examine the contents of the data being sent in greater detail, e.g., ensuring data is sent in the right format and no malware is attached.
Other uses include snooping and censorship.
Some ISPs use DPI to scan packet contents and reroute/drop/throttle packets meeting certain criteria; this is how traffic from high-bandwidth applications such as Zoom or YouTube can be prioritized over (or deprioritized against) other traffic.
ISPs can also use DPI to find keywords and web addresses for censorship purposes.
Deep Content Inspections (DCI) -
DCI is the evolution of DPI that examines the entire file/email attachment, looking for new generations of malware, spam, data exfiltration, keywords, and other content.
Key Points:
DPI examines protocols and their behavior (not just the headers from lower layers).
DCI puts together the parts of an object transmitted in fragments across different packets (e.g., PDFs and images). It even decodes and decompresses files, and is thus a much more intelligent analysis than DPI's partial inspection of layer 7 data.
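The DPI and DCI key points above can be shown in one example. The following is added here and is not from the original notes: a constructed HTTP response carrying a constructed signature string is split into short TCP segments and delivered out of order, optionally gzip-compressed. Naive per-packet matching fails when the pattern straddles segments or has been compressed; the DCI path orders the segments by sequence number, reassembles the stream, parses the headers, decompresses the body and only then matches.

```python
"""Per-packet DPI vs. reassembling deep content inspection (DCI).

Added example, not from the notes. The 'capture' is constructed: an HTTP
response carrying a constructed signature string, split into short TCP
segments and delivered out of order, optionally gzip-compressed. Per-packet
matching fails when the pattern straddles segments or is compressed; the DCI
path orders the segments by sequence number, reassembles the stream, parses
the headers, decompresses the body and only then matches.
"""
import gzip
from dataclasses import dataclass

SIGNATURE = b"CONSTRUCTED-MALWARE-SIGNATURE"  # constructed stand-in for a real pattern


@dataclass
class Segment:
    seq: int        # byte offset of this segment within the stream
    payload: bytes


def build_capture(compress=True, seg_size=24):
    """Construct an HTTP response and split it into out-of-order segments.

    seg_size is deliberately shorter than the signature so no single segment
    can contain the whole pattern, mimicking a signature straddling segments.
    """
    body = b"%PDF-1.4 harmless text " + SIGNATURE + b" more text"
    headers = b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
    if compress:
        body = gzip.compress(body)
        headers += b"Content-Encoding: gzip\r\n"
    headers += b"Content-Length: %d\r\n\r\n" % len(body)
    stream = headers + body
    segments = [Segment(i, stream[i:i + seg_size]) for i in range(0, len(stream), seg_size)]
    return segments[::-1]  # reversed delivery order stands in for reordering on the wire


def per_packet_dpi(segments, signature=SIGNATURE):
    """Naive DPI: look for the signature inside each segment independently."""
    return any(signature in s.payload for s in segments)


def reassemble(segments):
    """Order segments by sequence number and concatenate: the first DCI step."""
    return b"".join(s.payload for s in sorted(segments, key=lambda s: s.seq))


def dci_inspect(segments, signature=SIGNATURE):
    """DCI: reassemble, parse headers, decode the body, then match."""
    stream = reassemble(segments)
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return False  # object incomplete; a real engine would buffer and wait
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if headers.get(b"content-encoding") == b"gzip":
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError):
            return False  # corrupt or truncated compressed stream
    return signature in body
```

Run with compress=False, per-packet matching misses because the pattern is split across segments; with compress=True it misses because the bytes on the wire are not the bytes of the file. dci_inspect() finds the signature in both cases, at the cost of buffering the whole object before a verdict, which is the latency and memory trade-off that distinguishes DCI from packet-by-packet DPI.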
Intrusion Detection System (IDS) -
A network security tool that detects and alerts network administrators and security teams to possible intrusions, attacks, and other malicious activities.
It is out-of-band and simply receives copies of network traffic for analysis.
An IDS is connected to a network tap or a switch SPAN (port-mirroring) port to monitor traffic and alert network administrators without impacting data flow.
IDSs do not add latency to network traffic, since analysis is performed on a copy rather than inline, and if the IDS is targeted and goes down, network traffic will proceed.
It can alert administrators and automatically instruct a firewall to block traffic based on its observations.
The data collected can be used for forensic analysis.
There are 2 main types of IDS implementations:
Network-Based IDS (NIDS): implemented out-of-band on the network, it monitors traffic across the entire organization's network.
Host-Based IDS (HIDS): usually a software solution installed on a single endpoint or host device; it monitors only that device and not the entire network. It may be included as part of an anti-malware solution, and it monitors the access, creation, modification, & deletion of key system files as well as the Windows Registry.
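The file-monitoring part of a HIDS is simple enough to show end to end. This is an added example, not from the original notes: it hashes a set of 'key files' into a baseline, re-scans after some constructed attacker activity, and reports which files were created, modified or deleted. The directory and file contents are constructed in a temporary directory so the example runs anywhere; a real HIDS would watch paths such as /etc or the Windows Registry, usually with real-time hooks rather than periodic rescans, and would keep the baseline off the host or signed so an attacker who gains root cannot simply update it.

```python
"""File-integrity monitoring of the kind a HIDS performs.

Added example, not from the notes. It hashes a set of 'key files', stores the
result as a baseline, re-scans later and reports files that were created,
modified or deleted. The files live in a temporary directory constructed by
run_demo(), so it runs anywhere; a real HIDS would watch paths like /etc or
the Windows Registry and keep the baseline off the host or signed so an
attacker cannot simply update it.
"""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root):
    """Map each regular file under root (relative POSIX-style path) to its hash."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Diff two scans into created / deleted / modified relative paths."""
    return {
        "created": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def write(root, rel, data):
    """Helper for the constructed scenario: write bytes to root/rel, creating dirs."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def run_demo():
    """Constructed scenario: baseline four 'system files', then tamper with the host."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
        write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\n")
        write(root, "bin/ls", b"\x7fELF constructed binary\n")
        write(root, "var/log/auth.log", b"Accepted publickey for alice\n")
        baseline = take_baseline(root)

        # Constructed attacker activity: weaken sshd, trojan ls, add a cron job, wipe a log
        write(root, "etc/ssh/sshd_config", b"PermitRootLogin yes\n")
        write(root, "bin/ls", b"\x7fELF trojaned binary\n")
        write(root, "etc/cron.d/backdoor", b"* * * * * root /tmp/.x\n")
        os.remove(os.path.join(root, "var/log/auth.log"))

        return compare(baseline, take_baseline(root))
```

The untouched etc/passwd does not appear in the report, while the weakened sshd_config and the replaced ls show up as modified, the cron job as created and the wiped log as deleted. Hashing rather than comparing timestamps matters here: an attacker can reset mtime with touch, but cannot make a different file hash the same.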
Intrusion Prevention System (IPS) -
A network security tool that monitors network activity for intrusions and anomalies and takes action to stop them.
It is an inline tool; network traffic must pass through it for analysis.
As such, IPSs add latency since network traffic is processed in real time, and if the IPS is targeted and goes down, network traffic will cease (unless the device is configured to fail open).
Like an IDS, an IPS can alert administrators and automatically signal the firewall, but it can also block the offending traffic itself.
It can also generate false positives (blocking legitimate traffic) and false negatives (letting attacks through).
IPSs are typically unable to analyze encrypted network traffic (without TLS interception), may struggle with high traffic loads, and may not withstand direct attacks against the IDS/IPS itself.
There are 4 main types of IPS implementations:
Network-Based (NIPS):
Monitors the entire network for malicious activity or suspicious traffic by analyzing protocol activity.
NIPS primarily use signature-based detection to identify threats.
They also define a baseline of 'normal' network activity in order to identify suspicious changes to the network.
Wireless (WIPS):
Operates at layer 2 (data link).
WIPS scan the network's radio frequencies to detect rogue or misconfigured devices, DoS and other wireless attacks, and prevent them from operating on the wireless network.
Network Behavior Analysis (NBA):
Primarily uses anomaly-based detection, looking for deviations from known 'normal' network or system activity.
It requires a training period to build a baseline profile of what is considered normal behavior; anything inconsistent with that profile is flagged as suspicious.
It is well suited to detecting new (unknown) threats, but this depends on the network not having been compromised during the training period, since an attacker's traffic would otherwise be learned as normal.
Anomaly-based detection is also prone to generating many false positives.
Host-Based (HIPS):
HIPS are installed on and analyze the activity for a single host to detect and prevent malicious activity.
HIPS primarily analyze code behavior, using both signature- and anomaly-based detection methods to spot suspicious activity.
Similar to HIDS, many anti-malware solutions include HIPS functionality and features.
There are three common detection variants that IDS and IPS solutions employ to monitor for intrusions and attacks:
Signature-Based Detection:
Detects threats based on known patterns, such as byte sequences in network traffic or known malicious instruction sequences used by malware.
Not effective at detecting new, unknown network or system attacks.
Attackers constantly change the underlying malware code (or encode their traffic differently) to evade simple signature detection.
Heuristic/Behavior or Anomaly-Based Detection:
Designed to detect and adapt to unknown attacks, a response to the explosion of malware variants.
This method uses statistical or machine-learning models to build a profile of trustworthy network and system activity, then compares new behavior against that trust model.
However, it suffers from false positives, where previously unseen legitimate activity is flagged as malicious.
The latest IDS/IPS use this approach to help detect malicious insiders, compromised devices and compromised user accounts.
Reputation-Based Detection:
Uses established, known file reputations (commonly keyed by file hash) to identify suspicious files; the same approach is applied to IP address and domain reputation.
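The signature-based and anomaly-based variants above, and the training-period caveat under Network Behavior Analysis, can be exercised together on a few log lines. The following is an added example, not from the original notes; the connection log lines, addresses and byte counts are constructed. Signature detection matches known patterns in the request URI and is defeated by a trivial percent-encoding change unless the input is normalized first. Anomaly detection learns a per-source baseline of bytes sent from a training window and flags statistical outliers: it catches an unknown exfiltration, but not when the attacker's transfer was already present while the baseline was learned.

```python
"""Signature-based vs anomaly-based detection over constructed connection logs.

Added example, not from the notes. The log lines and addresses are constructed.
Signature detection matches known patterns in the request URI and is defeated
by a trivial encoding change unless the input is normalized first. Anomaly
detection learns a per-source baseline of bytes sent during a training window
and flags statistical outliers: it catches an unknown exfiltration, but not if
the attacker's traffic was already present while the baseline was learned.
"""
import re
import statistics
from urllib.parse import unquote

TRAINING_LOG = [  # constructed: a quiet period of normal browsing from one host
    "ts=1 src=10.0.0.5 dst=203.0.113.10 dport=443 bytes=1200 uri=/index.html",
    "ts=2 src=10.0.0.5 dst=203.0.113.10 dport=443 bytes=900 uri=/about",
    "ts=3 src=10.0.0.5 dst=203.0.113.11 dport=443 bytes=1500 uri=/news",
    "ts=4 src=10.0.0.5 dst=203.0.113.12 dport=443 bytes=1100 uri=/login",
    "ts=5 src=10.0.0.5 dst=203.0.113.10 dport=443 bytes=1300 uri=/img/logo.png",
]
TEST_LOG = [  # constructed: the same host later, including an attack and an exfil
    "ts=6 src=10.0.0.5 dst=203.0.113.10 dport=443 bytes=1000 uri=/index.html",
    "ts=7 src=10.0.0.5 dst=198.51.100.7 dport=80 bytes=1250 uri=/../../etc/passwd",
    "ts=8 src=10.0.0.5 dst=198.51.100.7 dport=80 bytes=1250 uri=/%2e%2e/%2e%2e/etc/passwd",
    "ts=9 src=10.0.0.5 dst=198.51.100.9 dport=443 bytes=48000000 uri=/upload",
]

LINE_RE = re.compile(r"ts=(?P<ts>\d+) src=(?P<src>\S+) .*?bytes=(?P<bytes>\d+) uri=(?P<uri>\S+)")

SIGNATURES = [  # known-bad patterns; real rule sets contain thousands of these
    ("path traversal", re.compile(r"\.\./")),
    ("sql injection", re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE)),
]


def parse(line):
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return {"ts": int(m["ts"]), "src": m["src"], "bytes": int(m["bytes"]), "uri": m["uri"]}


def signature_alerts(lines, normalize=False):
    """Return ts of every line whose URI matches a known signature.

    With normalize=False the percent-encoded traversal slips past; decoding the
    URI first (normalize=True) is what a real engine does before matching.
    """
    hits = []
    for line in lines:
        rec = parse(line)
        uri = unquote(rec["uri"]) if normalize else rec["uri"]
        if any(pattern.search(uri) for _, pattern in SIGNATURES):
            hits.append(rec["ts"])
    return hits


class BytesBaseline:
    """Per-source mean/stddev of bytes sent, learned from a training window."""

    def __init__(self, training_lines, threshold=3.0):
        per_src = {}
        for line in training_lines:
            rec = parse(line)
            per_src.setdefault(rec["src"], []).append(rec["bytes"])
        # pstdev of a constant series is 0; use 1.0 to avoid division by zero
        self.stats = {src: (statistics.mean(v), statistics.pstdev(v) or 1.0)
                      for src, v in per_src.items()}
        self.threshold = threshold

    def alerts(self, lines):
        """Return ts of every line whose byte count is an outlier for its source.

        A source with no baseline gets (0.0, 1.0), so anything it sends is flagged:
        an unseen host is itself a deviation from the learned profile.
        """
        hits = []
        for line in lines:
            rec = parse(line)
            mean, sd = self.stats.get(rec["src"], (0.0, 1.0))
            if (rec["bytes"] - mean) / sd > self.threshold:
                hits.append(rec["ts"])
        return hits


def run_demo():
    clean = BytesBaseline(TRAINING_LOG)
    poisoned = BytesBaseline(TRAINING_LOG + [TEST_LOG[3]])  # exfil present during training
    return {
        "signature_raw": signature_alerts(TEST_LOG),
        "signature_normalized": signature_alerts(TEST_LOG, normalize=True),
        "anomaly_clean_baseline": clean.alerts(TEST_LOG),
        "anomaly_poisoned_baseline": poisoned.alerts(TEST_LOG),
    }
```

Against the clean baseline (mean 1200 bytes, standard deviation 200) the 48 MB upload is hundreds of standard deviations out and is flagged, while neither traversal attempt is, since their sizes look ordinary; that is the complementary blind spot of the two methods. Once the upload is included in the training window the baseline's mean and spread inflate so much that the same upload scores below the threshold and is learned as normal, which is the training-period caveat from the Network Behavior Analysis section. The raw signature check catches only the literal ../ and misses the %2e%2e form until the URI is decoded.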