As we all know, the universal presence of the Internet has completely changed networking as we
know it. Networks that were once completely isolated are now connected to the world. This universal
connectivity allows companies to achieve things never before imaginable. At the same time though, there is
a dark side. The Internet is a haven for cyber criminals who use the connectivity to launch an
unprecedented number of attacks against companies.
When the Internet first started to gain popularity, companies realized that they needed to
implement firewalls in an effort to prevent attacks against them. A basic firewall works by blocking
traffic to TCP and UDP ports that are not in use. Although firewalls are effective at blocking some
types of attacks, they have one major weakness: you simply can't close all of the ports. Some ports are
necessary for services such as HTTP, SMTP and POP3. The ports corresponding to these common services
must remain open for those services to function, so attacks that arrive over them pass straight through
the firewall.
In other words, an IDS sits out of band, watching a copy of the traffic, so it can only detect an attack
and raise an alarm after the packets have already reached the target. An IPS sits inline in the traffic
path, so it can drop the malicious packets before they reach the target. An IDS is like the police:
they cannot arrest a person for a crime until the person has actually committed it.
• Observes, and blocks or alarms if an event outside the configured policy is detected
Honeypot
• A dedicated system that serves as a trap for attackers; it has no production use, so any traffic to it is suspicious by definition.
• Buffer overflow
• DoS Prevention
NIPS Features
• Sensors are network appliances tuned for intrusion detection analysis.
• Sensors are connected to network segments. A single sensor can monitor many hosts.
Exploit Signatures
• IP options
• Signature databases:
  – Static (attack-drop.sdf)
• Configuration flexibility:
  – Load the built-in signature database, an SDF file, or even merge signatures to increase
    coverage
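The following Cisco IOS IPS configuration is an added example, not part of the original slides. It shows the static attack-drop.sdf file being loaded as the signature database and the resulting IPS rule applied inline on an interface; the rule name IOSIPS and the interface FastEthernet0/0 are assumptions, and the commands are those of the IOS IPS feature set rather than anything the slides themselves list.

```cisco
! Point IOS IPS at the static signature definition file (file name from the slides)
ip ips sdf location flash:attack-drop.sdf
! If the SDF cannot be loaded, fail closed: drop traffic rather than pass it uninspected
ip ips fail closed
! Send alarms to an SDEE collector in addition to syslog
ip ips notify sdee
! Create the IPS rule (name assumed)
ip ips name IOSIPS
!
! Apply the rule inline to inbound traffic on the outside interface (interface assumed).
! "in" makes the sensor inline, which is what lets it drop packets rather than only alarm.
interface FastEthernet0/0
 ip ips IOSIPS in
!
! From privileged EXEC (not config mode): merge the SDF into the running signature set
! to increase coverage, then confirm what is loaded.
!   copy flash:attack-drop.sdf ips-sdf
!   show ip ips configuration
```

Loading the signature file into RAM and failing closed are the two settings worth checking on a production router: with the default fail-open behaviour, a router that cannot load its SDF at boot silently becomes a plain router.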
Firewall Technologies
• Packet filtering
Packet Filtering
• Packet filtering limits traffic into a network based on the destination and source addresses and ports
• Application layer gateway (proxy): the ALG intercepts the client's connection and establishes a
  separate connection to the Internet host on behalf of the client, so the two ends never talk directly.
As a network grows, it becomes more important to manage the increased traffic going
across the network. Access lists help limit traffic by filtering traffic based on packet
characteristics. Access lists define a set of rules used by routers to identify particular types of
traffic. Access lists can be used to filter both incoming and outgoing traffic on a router’s
interface. An access list applied to a router specifies rules for only traffic going through the
router. Traffic originating from a router is not affected by that router’s access lists. (It is subject
to access lists within other routers as it passes through them.)
Packet Filtering
Access lists can be configured to permit or deny incoming and outgoing packets on an interface.
By following a set of conventions, the network administrator can exercise greater control over
network traffic by restricting network use by certain users or devices.
To establish an access list, you must define a sequential list of permit and deny conditions that
apply to IP addresses or IP protocols. Each packet is checked against the entries in order, and the
first match decides its fate; a packet that matches no entry is dropped by the implicit deny at the end
of every list. Access lists filter only traffic going through the router; they do not filter traffic
originated by the router. Access lists can also filter Telnet traffic into or out of the router's vty
lines.
Extended IP access lists check both source and destination packet addresses.
Extended lists specify protocols, port numbers, and other parameters, giving
administrators more flexibility and control.
Example:
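The following extended access list is an added example rather than one from the original slides. It puts the earlier firewall point into practice: only the HTTP, SMTP and POP3 ports that must stay open are permitted inbound, everything else is dropped and logged, and a separate standard list restricts Telnet to the vty lines. The list names, the interface Serial0/0 and the 203.0.113.0/24 addresses are assumptions (the address block is the documentation range).

```cisco
! Extended list: checks source address, destination address, protocol and port
ip access-list extended OUTSIDE-IN
 remark Allow HTTP to the web server (host address assumed)
 permit tcp any host 203.0.113.10 eq 80
 remark Allow SMTP and POP3 to the mail server (host address assumed)
 permit tcp any host 203.0.113.20 eq 25
 permit tcp any host 203.0.113.20 eq 110
 remark Allow return traffic for TCP sessions started from inside (ACK or RST set)
 permit tcp any 203.0.113.0 0.0.0.255 established
 remark The implicit deny made explicit so that blocked packets are logged
 deny ip any any log
!
! Apply the list to traffic entering the router on the Internet-facing interface.
! Packets the router itself sends out of this interface are not checked against it.
interface Serial0/0
 ip access-group OUTSIDE-IN in
!
! Standard list: source address only, used here to restrict Telnet to the vty lines
ip access-list standard MGMT
 permit host 203.0.113.5
line vty 0 4
 access-class MGMT in
!
! Verify with:  show ip access-lists OUTSIDE-IN   (shows per-entry match counters)
```

Order matters: because the first matching entry wins, the specific permits sit above the catch-all deny, and the `established` entry lets replies to inside-initiated sessions through without opening those high ports to new inbound connections.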