Network Security Tools
The easiest way to keep a computer safe is by physically isolating it from outside contact. The way most companies do business today makes this virtually impossible. Our networks and environments are becoming increasingly more complex. Securing the devices on the network is imperative to protecting the environment. To secure devices, you must understand the basic security concepts of network security tools. This section introduces security concepts as they apply to the physical security devices used to form the protection found on most networks.
NIDS and HIDS
IDS stands for intrusion-detection system. Intrusion-detection systems are designed to analyze data, identify attacks, and respond to the intrusion. They are different from firewalls in that firewalls control the information that gets in and out of the network, whereas IDSs can identify unauthorized activity. IDSs are also designed to catch attacks in progress within the network, not just on the boundary between private and public networks. The two basic types of IDSs are network-based and host-based. As the names suggest, network-based IDSs (NIDSs) look at the information exchanged between machines, and host-based IDSs (HIDSs) look at information that originates on the individual machines. Here are some basics:
- NIDSs monitor the packet flow and try to locate packets that may have gotten through the firewall and are not allowed for one reason or another. They are best at detecting DoS attacks and unauthorized user access.
- HIDSs monitor communications on a host-by-host basis and try to filter malicious data. These types of IDSs are good at detecting unauthorized file modifications and user activity.
NIDSs and HIDSs should be used together to ensure a truly secure environment. IDSs can be located anywhere on the network. They can be placed internally or between firewalls. Many different types of IDSs are available, all with different capabilities, so make sure they meet the needs of your company before committing to using them. Chapter 7, “Intrusion Detection and Security Baselines,” covers IDSs in more detail.
Network Intrusion Prevention System
Network intrusion-prevention systems (NIPSs) are sometimes considered to be an extension of IDSs. NIPSs can be either hardware- or software-based, like many other network-protection devices. Intrusion prevention differs from intrusion detection in that it actually prevents attacks instead of only detecting the occurrence of an attack. Intrusion-detection software is reactive, scanning for configuration weaknesses and detecting attacks after they occur. By the time an alert has been issued, the attack has usually occurred and has damaged the network or desktop. NIPS are designed to sit inline with traffic flows and prevent attacks in real time. An inline NIPS works like a Layer 2 bridge. It sits between the systems that need to be protected and the rest of the network. They proactively protect machines against damage from attacks that signature-based technologies cannot detect because most NIPS solutions can look at application layer protocols such HTTP, FTP, and SMTP.
When implementing a NIPS, keep in mind that the sensors must be physically inline to function properly. This adds single points of failure to the network. A good way to prevent this issue is to use fail-open technology. This means that if the device fails, it doesn’t cause a complete network outage; instead, it acts like a patch cable. NIPS are explained in greater detail in Chapter 7, “Intrusion Detection and Security Baselines.”
A firewall is a component placed on computers and networks to help eliminate undesired access by the outside world. It can be composed of hardware, software, or a combination of both. A firewall is the first line of defense for the network. How firewalls are configured is important, especially for large companies where a compromised firewall may spell disaster in the form of bad publicity or a lawsuit, not only for the company, but also for the companies it does business with. For smaller companies, a firewall is an excellent investment because most small companies don’t have a full-time technology staff, and an intrusion could easily put them out of business. All things considered, a firewall is an important part of your defense, but you should not rely on it exclusively for network protection. Figure 3.5 shows a network with a firewall in place.
Figure 3.5 A network with a firewall.
There are three main types of firewalls:
- Packet-filtering firewall
Proxy-service firewall, including two types of proxies:
- Circuit-level gateway
- Application-level gateway
- Stateful-inspection firewall
The following sections describe each type in detail.
A packet-filtering firewall is typically a router. Packets can be filtered based on IP addresses, ports, or protocols. They operate at the network layer (Layer 3) of the OSI model. Packet-filtering solutions are generally considered less-secure firewalls because they still allow packets inside the network, regardless of communication pattern within the session. This leaves the system open to DoS attacks. Even though they are the simplest and least secure, they are a good first line of defense. Their main advantage is speed, which is why they are sometimes used before other types of firewalls to perform the first filtering pass.
Proxy Service Firewall
Proxy service firewalls are go-betweens for the network and the Internet. They hide the internal addresses from the outside world and don’t allow the computers on the network to directly access the Internet. This type of firewall has a set of rules that the packets must pass to get in or out. It receives all packets and replaces the IP address on the packets going out with its own address and then changes the address of the packets coming in to the destination address. Here are the two basic types of proxies:
- Circuit-level gateway—Operates at the OSI session layer (Layer 5) by monitoring the TCP packet flow to determine whether the session requested is a legitimate one. DoS attacks are detected and prevented in circuit-level architecture where a security device discards suspicious requests.
- Application-level gateway—All traffic is examined to check for OSI application layer (Layer 7) protocols that are allowed. Examples of this type of traffic are File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP). Because the filtering is application-specific, it adds overhead to the transmissions but is more secure than packet filtering.
A stateful-inspection firewall is a combination of all types of firewalls. This firewall relies on algorithms to process application layer data. Because it knows the connection status, it can protect against IP spoofing. It has better security controls than packet filtering, but because it has more security controls and features, it increases the attack surface and is more complicated to maintain.
Other Firewall Considerations
In addition to the core firewall components, administrators should consider other elements when designing a firewall solution. These include network, remote-access, and authentication policies. Firewalls can also provide access control, logging, and intrusion notification.
A proxy server operates on the same principle as a proxy–level firewall in that it is a go-between for the network and the Internet. Proxy servers are used for security, logging, and caching. When the proxy server receives a request for an Internet service, it passes through filtering requirements and checks its local cache for previously downloaded web pages. Because web pages are stored locally, response times for web pages are faster, and traffic to the Internet is substantially reduced. The web cache can also be used to block content from websites that you don’t want employees to access, such as pornography, social, or peer-to peer networks. This type of server can be used to rearrange web content to work for mobile devices. It also provides better utilization of bandwidth because it stores all your results from requests for a period of time.
Internet Content Filters
Internet content filters use a collection of terms, words, and phrases that are compared to content from browsers and applications. This type of software can filter content from various types of Internet activity and applications, such as instant messaging, email, and office documents. Content filtering will report only on violations identified in the specified applications listed for the filtering application. In other words, if the application will filter only Microsoft Office documents and a user chooses to use open Office, the content will not be filtered. Internet content filtering works by analyzing data against a database contained in the software. If a match occurs, the data can be addressed in one of several ways, including filtering, capturing, or blocking the content and closing the application. An example of such software is Vista’s Parental Controls.
Content filtering requires an agent on each workstation to inspect the content being accessed. If the content data violates the preset policy, a capture of the violating screen is stored on the server with pertinent information relating to the violation. This might include a violation stamp with user, time, date, and application. This information can later be reviewed. Using a predetermined database of specific terminology can help the organization focus on content that violates policy. For example, a sexually explicit database may contain words that are used in the medical industry. Content-filtering applications allow those words that are used in medical context to pass through the filter without reporting a violation. This same principle enables an organization to monitor for unauthorized transfer of confidential information.
Content filtering is integrated at the operating system level so that it can monitor events such as opening files via Windows Explorer. It can be used to monitor and stop the disclosure of the organization’s proprietary or confidential information. Because content filtering uses screen captures of each violation with time-stamped data, it provides proper documentation for forensic investigations and litigation purposes. Unlike antivirus and antispyware applications, content monitoring does not require daily updates to keep the database effective and current. On the downside, content filtering needs to be “trained.” For example, to filter nonpornographic material, the terminology must be input and defined in the database.
Protocol analyzers help you troubleshoot network issues by gathering packet-level information across the network. These applications capture packets and decode the information into readable data for analysis. Protocol analyzers can do more than just look at packets. They prove useful in many other areas of network management, such as monitoring the network for unexpected, unwanted, and unnecessary traffic. For example, if the network is running slowly, a protocol analyzer can tell you whether unnecessary protocols are running on the network. You can also filter specific port numbers and types of traffic so that you can keep an eye on indicators that may cause you problems. Many protocol analyzers can be run on multiple platforms and do live traffic captures and offline analysis. Software USB protocol analyzers are also available for the development of USB devices and analysis of USB traffic.