Abstract
This paper addresses a need in network security: the firewalls and intrusion detection systems used by companies and other organisations. It surveys the types of firewall and intrusion detection tools and systems that are, or could be, deployed, and focuses on how firewalls and intrusion detection work independently and together toward a common goal, keeping an organisation's data safe. By writing this paper I hope to benefit myself and the community by sharing useful knowledge and tools related to protecting business data from compromise. The information should help others in the field of network security, and it should also help organisations understand what they need in their network to keep their data from being compromised.

Introduction
This paper introduces firewalls, the different types of firewall that suit different situations, and the purposes each type can serve in preventing attacks. It also describes what an intrusion detection system (IDS) is and which attacks it helps to detect, and gives an overview of the two main detection approaches, misuse detection and anomaly detection.

Firewalls
Firewall systems are commonly deployed throughout computer networks for protection. They act as a control point, enforcing the relevant parts of the security policy. A firewall can be built from a number of different components, such as a router or a collection of host machines; whatever its form, the basic function of a firewall is to protect the integrity of the network it controls.
There are different types of firewall that can be implemented depending on the situation, with the choice dependent on the organisation's security policy and on where in the system the firewall is going to be deployed. A firewall management program can be configured in one of two basic ways:

A default-deny policy. The firewall administrator lists the allowed network services, and everything else is denied.
A default-allow policy. The firewall administrator lists the network services that are not allowed, and everything else is accepted.
" default%deny approach to firewall security is by far the more secure, but due to the difficulty in configuring and managing a network in that fashion, many networks instead use the default%allow approach. &et's assume for the moment that your firewall management program utili(es a default%deny policy, and you only have certain services enabled that you want people to be able to use from the Internet. !or e)ample, you have a web server which you want the general public to be able to access. What happens ne)t depends on what kind of firewall security you have. Packet filtering firewall This type of firewall has a list of firewall security rules which can block traffic based on I* protocol, I* address and+or port number. ,nder this firewall management program, all web traffic will be allowed, including web%based attacks. In this situation, you need to have intrusion prevention, in addition to firewall security, in order to differentiate between good web traffic like simple web re-uests from people browsing your website and bad web traffic like people attacking your website. " packet filtering firewall has no way to tell the difference. "n additional problem with packet filtering firewalls which are not stateful is that the firewall can't tell the difference between a legitimate return packet and a packet which pretends to be from an established connection, which means your firewall management system configuration, will have to allow both kinds of packets into the network.
Stateful firewall
This is similar to a packet filtering firewall, but it keeps track of active connections, so you can define rules such as "only allow packets into the network that are part of an already established outbound connection". That solves the return-packet problem described above, but the firewall still cannot tell good web traffic from bad: you still need intrusion prevention to detect and block web attacks.
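The difference between the two firewall types above, as an added example that is not part of the original paper: a toy Python packet filter with and without a connection table, run over constructed packets. The packet fields, the rule table and the names stateless_filter and StatefulFilter are assumptions made for the example and do not correspond to any real product's rule syntax.

```python
"""Toy stateless vs stateful packet filter.

Added illustration, not code from the paper or from any real firewall product.
Packets are plain Python objects constructed inline; the rule table and the
connection-tracking set are deliberate simplifications of what a real filter
(iptables/nftables connection tracking, for example) does.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()      # TCP flags present, e.g. {"SYN"}, {"SYN", "ACK"}
    direction: str = "in"               # "in" = arriving from the Internet, "out" = leaving the LAN


# Default-deny rule base: accept only what is listed, drop everything else.
# Each rule is (direction, protocol, destination port or None for any port).
ALLOW_RULES = [
    ("in", "tcp", 80),                  # the public web server
    ("out", "tcp", None),               # any outbound TCP connection from inside
]


def rule_match(pkt: Packet) -> bool:
    """True if some explicit allow rule covers this packet's headers."""
    return any(
        pkt.direction == d and pkt.proto == p and (dport is None or pkt.dport == dport)
        for d, p, dport in ALLOW_RULES
    )


def stateless_filter(pkt: Packet) -> bool:
    """Packet filter without state: each packet is judged on its own headers.

    Replies to outbound connections must somehow be let back in, and with no
    memory of what went out the only available heuristic is the TCP flags:
    accept any inbound TCP segment carrying ACK (the classic '! --syn' rule).
    A forged segment with the ACK bit set passes just the same.
    """
    if rule_match(pkt):
        return True
    if pkt.direction == "in" and pkt.proto == "tcp" and "ACK" in pkt.flags:
        return True                     # assumed to be a return packet, but unverifiable
    return False


class StatefulFilter:
    """Packet filter with a connection table: inbound segments are accepted
    only if they answer a connection the filter saw being opened from inside."""

    def __init__(self) -> None:
        self.conntrack = set()          # 5-tuples of connections opened from the LAN

    def filter(self, pkt: Packet) -> bool:
        reply_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.direction == "in" and reply_key in self.conntrack:
            return True                 # ESTABLISHED: matches a tracked connection
        if rule_match(pkt):
            if pkt.direction == "out":
                # NEW outbound connection: remember its 5-tuple so replies get in
                self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False


# Constructed sample traffic for the demonstration (addresses are documentation ranges).
SAMPLE = [
    ("lan_opens_https",   Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 443, frozenset({"SYN"}), "out")),
    ("https_reply",       Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}), "in")),
    ("forged_ack_to_ssh", Packet("tcp", "198.51.100.7", 5555, "10.0.0.5", 22, frozenset({"ACK"}), "in")),
    ("syn_to_ssh",        Packet("tcp", "198.51.100.7", 5556, "10.0.0.5", 22, frozenset({"SYN"}), "in")),
    ("web_request",       Packet("tcp", "198.51.100.7", 5557, "10.0.0.80", 80, frozenset({"SYN"}), "in")),
]


def run_demo(samples=SAMPLE) -> dict:
    """Return {label: (stateless_verdict, stateful_verdict)} for each packet, in order."""
    stateful = StatefulFilter()
    return {label: (stateless_filter(p), stateful.filter(p)) for label, p in samples}


if __name__ == "__main__":
    for label, (sl, sf) in run_demo().items():
        print(f"{label:18} stateless={'ACCEPT' if sl else 'DROP':6} stateful={'ACCEPT' if sf else 'DROP'}")
```

The forged_ack_to_ssh packet is the point of the section: it carries the ACK flag that genuine return traffic carries, so the stateless filter's only way of admitting replies also admits it, while the stateful filter drops it because no outbound connection with the matching 5-tuple was ever recorded. Both filters accept web_request whatever its payload contains; that is the job left to intrusion detection or prevention.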
"s with firewalls, different types of intrusion detection system e)ist. There are two different ways of classifying an ID . The first way is to classify based on the method of detection, in the form of either misuse detection or anomaly detection. "n alternative way is to classify based on the position of deployment within a network. ID can be either network based, host based or application based, depending on where they are deployed 012. $isuse Detection This type of ID can also be called a signature recognition system. 3isuse detection systems rely on the accurate matching of system or network activity 042. This method of detection is accurate for matching behavior against a list of already documented patterns, known as signatures. "n e)ample of this type of ID is a system known as nort 052. The means by which snort functions involves the use of software component processing information regarding network connections. nort e)amines the network traffic at its position on the network in a passive manner$ it sniffs the network. 6)amination of the headers and content of T7* packets is performed and matched against patterns contained in a signature database. If certain patterns of traffic are captured, then an alert is generated. The use of only already known signatures means that the system will produce only a few false positives, or false alarms where an alert is generated yet there is not actual attack. There is a relatively high maintenance cost in that the signature base has to be kept up to date8 else potential attacks could go unnoticed. "dditionally, this type of system can miss highly novel attacks to which a signature does not yet e)ist, giving a higher rate of false negatives than would be desired. 3issing an actual attack is probably worse than being inundated with false alarms, though this is debatable. 
Ano#al" Detection The goal of anomaly detection systems is to successfully classify user or network behavior as normal or abnormal based on a profile of information gathered during a training period. This is performed by taking into account the amount of background noise or user variation which is intrinsic to the system. The characteri(ation of what constitutes normal behavior is certainly a non%trivial issue. There have been many approaches used in order to perform this classification, including statistical models, 3arkov chains, neural nets and ideas based on other modern "I techni-ues 9inclusive of artificial immune systems0:2;. Normal behavior is profiled either from an individual user or from the network, variants from this are defined as anomalies and alerts are generated. !or e)ample, a user of the e)ample network ordinarily runs word processing applications and Internet browsers. If this user suddenly gains super%user privileges, starts changing file permissions and sending broadcast .N packets, then it is likely that the integrity of the system is being compromised. " corresponding alert would be generated and some form of action would be taken by the system administrator. "n e)ample of this type of ID is the e)perimental artificial immune system developed by omaya/i 0<2. This ID resides on a host machine and e)amines numerous ,ni) system calls to construct a profile of normal behavior over a training period through e)amining the I* traffic in and out of the host machine. =nce this period had ends, an insight into normal behavior was used as the
basis of the classification if the observed behavior deviates from the normal and then an anomaly is detected. This causes the generation of a warning message which is sent to the user. While anomaly detection is a relatively effective way of predicting novel attacks, they do not as yet feature in many commercially produced systems partially due to the high rate of false positives.
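The host-based anomaly detector described above, as an added example that is not the authors' code: the "sense of self" idea of [3] reduced to a lookup of short system-call sequences, with constructed traces standing in for recorded ones. The window length, the alert threshold and the traces themselves are choices made for the demo, and the "exploit" trace is a hypothetical illustration rather than a recording of any real attack.

```python
"""System-call sequence anomaly detector after the "sense of self" idea of [3]:
the normal profile is the set of short call sequences a process produced
during training; a trace whose sequences are mostly absent from that set is
flagged as an anomaly.

Added illustration, not the authors' code.  Traces are constructed for the
example, not recorded from a real process; window length and threshold are
choices made for the demo."""

WINDOW = 3          # length of the call sequences that make up the profile


def ngrams(trace, n=WINDOW):
    """All consecutive n-call windows of a trace, in order."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def train(traces, n=WINDOW) -> frozenset:
    """Build the normal database from traces recorded during the training period."""
    profile = set()
    for trace in traces:
        profile.update(ngrams(trace, n))
    return frozenset(profile)


def score(trace, profile, n=WINDOW) -> float:
    """Fraction of the trace's windows that never occurred in training."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    misses = sum(1 for g in grams if g not in profile)
    return misses / len(grams)


def classify(trace, profile, threshold=0.2, n=WINDOW) -> str:
    """Alert when more than `threshold` of the windows are unknown."""
    return "ANOMALY" if score(trace, profile, n) > threshold else "normal"


# Constructed training traces: a tiny server that accepts a connection,
# reads a request, serves a file and closes up.
TRAINING = [
    ["accept", "read", "open", "read", "write", "close", "close"],
    ["accept", "read", "stat", "open", "read", "write", "close", "close"],
    ["accept", "read", "open", "read", "read", "write", "close", "close"],
]

# Constructed test traces.
NORMAL_TRACE = ["accept", "read", "open", "read", "write", "close", "close"]
# The same server after a hypothetical exploit: the request ends up spawning a
# shell that connects back out, a sequence the server never produced before.
EXPLOIT_TRACE = ["accept", "read", "fork", "execve", "dup2", "socket", "connect", "write"]
# Legitimate but never-trained-on behaviour (rotating a log file) also trips
# the detector: the false-positive problem the text mentions.
LOGROTATE_TRACE = ["accept", "read", "rename", "open", "write", "close", "close"]


def run_demo() -> dict:
    """Return {name: (unknown-window rate, verdict)} for the three test traces."""
    profile = train(TRAINING)
    cases = [("normal", NORMAL_TRACE), ("exploit", EXPLOIT_TRACE), ("logrotate", LOGROTATE_TRACE)]
    return {name: (round(score(t, profile), 3), classify(t, profile)) for name, t in cases}


if __name__ == "__main__":
    for name, (rate, verdict) in run_demo().items():
        print(f"{name:10} unknown-window rate={rate:.2f} -> {verdict}")
```

The logrotate trace is the caveat the text ends on: nothing about it is hostile, but because it never occurred in training four of its five windows are unknown and it is flagged just as loudly as the exploit. Lengthening the training period or raising the threshold trades that false positive against sensitivity to genuinely novel sequences.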
References
[1] S Hofmeyr and S Forrest. Immunity by design. Proceedings of GECCO, pages 1289-1296, 1999.
[2] Martin Roesch. Snort: Lightweight intrusion detection for networks. In Proceedings of the 13th Conference on Systems Administration, pages 229-238, USENIX Association, 1999.
[3] A Somayaji, S Forrest, S Hofmeyr, and T Longstaff. A sense of self for unix processes. IEEE Symposium on Security and Privacy, pages 120-128, 1996.
[4] H Venter and J Eloff. A taxonomy for information security technologies. Computers and Security, 22(4):299-307, 2003.
[5] Nong Ye, Xiangyang Li, Qiang Chen, Syed Masum Emran, and Mingming Xu. Probabilistic techniques for intrusion detection based on computer audit data. IEEE Transactions on Systems, Man and Cybernetics, Part A: Systems and Humans, 31(4):266-274, 2001.
http://www.secureworks.com/resources/articles/other_articles/firewall-security/