COMP2120›Network security: Firewalls and intrusion detection

Information SecurityTopic 10 of 15Regular Notes

Network security: Firewalls and intrusion detection

6 minread

1,007words

Intermediatelevel

🌐 Network Security: Firewalls and Intrusion Detection

🧠 What is Network Security?

Network security refers to the strategies, tools, and practices used to protect a network from cyber threats, unauthorized access, attacks, or misuse. It involves both hardware and software mechanisms to monitor, prevent, and respond to potential threats.

🔥 Firewalls

🧠 What is a Firewall?

A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and untrusted external networks, such as the internet.

🔧 Types of Firewalls:

Packet-Filtering Firewalls:
- How it works: It inspects each packet (small chunk of data) passing through the network and filters based on set rules.
- Pros: Simple, fast, and easy to configure.
- Cons: Limited ability to detect more sophisticated attacks (e.g., DNS spoofing, IP address spoofing).
- Use case: Basic access control at the network boundary.
Stateful Inspection Firewalls:
- How it works: It tracks the state of active connections and makes decisions based on the context of traffic (not just individual packets).
- Pros: More secure than packet-filtering firewalls as it can maintain the state of connections.
- Cons: Slightly slower due to state-tracking overhead.
- Use case: Corporate networks with dynamic traffic flows.
Proxy Firewalls (Application-Level Gateways):
- How it works: Acts as an intermediary between users and the services they are accessing. It forwards requests on behalf of the user.
- Pros: Provides additional layer of security by hiding the true IP address of the internal network.
- Cons: Slower performance due to traffic being routed through the proxy.
- Use case: Protecting web applications and restricting internet access.
Next-Generation Firewalls (NGFW):
- How it works: Combines traditional firewall capabilities with more advanced features like deep packet inspection, application awareness, and integrated intrusion prevention systems (IPS).
- Pros: Provides advanced security by blocking application-level attacks and analyzing traffic for malware.
- Cons: Higher cost and complexity.
- Use case: Enterprise-level security for complex network infrastructures.

🔐 Firewall Rules and Policies

Allow or Deny: Firewalls examine traffic based on IP addresses, ports, protocols, and application types to either allow or deny access.
Whitelisting: Only known trusted IPs or applications are allowed.
Blacklisting: Known malicious IPs or applications are blocked.

🛡️ Protection Provided by Firewalls:

Prevent unauthorized access to the network.
Block malicious traffic (e.g., DDoS, malware).
Monitor traffic for suspicious patterns (e.g., large data transfers).
Provide logging and alerting of potential security incidents.

🛠 Intrusion Detection Systems (IDS)

🧠 What is an Intrusion Detection System (IDS)?

An IDS is a security system that monitors network or system activities for malicious actions or policy violations. When it detects suspicious activity, it alerts administrators so they can take action.

🔧 Types of IDS:

Network-based IDS (NIDS):
- How it works: Monitors network traffic for suspicious patterns and behaviors.
- Pros: Good for detecting network-based attacks like DDoS or malware spreading across the network.
- Cons: May struggle with encrypted traffic or high network volumes.
- Use case: Protecting the perimeter of an enterprise network.
Host-based IDS (HIDS):
- How it works: Monitors activities on a specific host (computer or server), such as file access, system calls, and user activity.
- Pros: Can detect insider attacks and changes to files, configurations, or user behavior.
- Cons: Limited to the host being monitored and may generate a lot of false positives.
- Use case: Protecting sensitive or critical servers from unauthorized access or tampering.
Signature-Based IDS:
- How it works: Detects known threats by comparing network traffic or system activities to a database of signatures (patterns of known attack activity).
- Pros: Fast and effective for detecting known attacks.
- Cons: Cannot detect new, unknown attacks (zero-day threats).
- Use case: Effective against well-known attacks (e.g., worms, malware).
Anomaly-Based IDS:
- How it works: Detects deviations from normal behavior (e.g., unusual traffic spikes or failed login attempts).
- Pros: Can detect unknown or zero-day attacks by identifying abnormal activity.
- Cons: Higher false positive rates; requires baseline profiling.
- Use case: Detecting sophisticated or new attack patterns that don't have signatures.
Hybrid IDS:
- How it works: Combines signature-based and anomaly-based methods to improve detection accuracy.
- Pros: More effective at detecting both known and unknown attacks.
- Cons: More resource-intensive and complex to manage.
- Use case: High-security environments where both known and novel threats must be detected.

🛡️ Protection Provided by IDS:

Detect malicious network traffic (e.g., DDoS, scanning).
Monitor system activity for unauthorized actions (e.g., privilege escalation).
Alert administrators of suspicious or malicious activities.
Provide logging and evidence for incident response and forensic analysis.

🔄 Firewalls vs. Intrusion Detection Systems (IDS)

Feature	Firewalls	Intrusion Detection Systems (IDS)
Primary Function	Block unauthorized access	Detect and alert on suspicious activities
Focus	Prevent traffic from malicious sources	Identify potential intrusions or attacks
Deployment	Placed at the network perimeter	Installed on networks or hosts for monitoring
Traffic Filtering	Yes (Allow/Deny based on rules)	No, just monitors and alerts
Prevention	Yes, actively blocks traffic	No, alerts only
Detection of Known Threats	Some (in NGFWs with deep packet inspection)	Signature-based IDS detects known attacks
Detection of Unknown Threats	Limited (depending on rules)	Anomaly-based IDS can detect unknown attacks

🚨 Real-World Example: Combining Firewalls and IDS

Firewall: Blocks unwanted traffic (e.g., ports open for remote desktop access, known malicious IP addresses).
IDS: Monitors for unusual behavior (e.g., multiple failed login attempts, suspicious data exfiltration).

🛠 Best Practices for Using Firewalls and IDS Together:

Layered Security: Use both firewalls and IDS for defense-in-depth. Firewalls block unauthorized access, and IDS provides detection of intrusions.
Regular Updates: Keep firewall rules and IDS signatures up-to-date to stay ahead of evolving threats.
Integration: Integrate firewall logs and IDS alerts with a Security Information and Event Management (SIEM) system for better monitoring and response.
User Training: Ensure network administrators understand how to configure firewalls and interpret IDS alerts effectively.

Previous topic 9

Malware and database security

Next topic 11

Security policies: Formation and enforcement

Past Papers

Open this section to load past papers

Click on Show Past Papers to see past papers.

COMP2120›Network security: Firewalls and intrusion detection

Information SecurityTopic 10 of 15Regular Notes

Network security: Firewalls and intrusion detection

6 minread

1,007words

Intermediatelevel

🌐 Network Security: Firewalls and Intrusion Detection

🧠 What is Network Security?

🔥 Firewalls

🧠 What is a Firewall?

🔧 Types of Firewalls:

Packet-Filtering Firewalls:
- How it works: It inspects each packet (small chunk of data) passing through the network and filters based on set rules.
- Pros: Simple, fast, and easy to configure.
- Cons: Limited ability to detect more sophisticated attacks (e.g., DNS spoofing, IP address spoofing).
- Use case: Basic access control at the network boundary.
Stateful Inspection Firewalls:
- How it works: It tracks the state of active connections and makes decisions based on the context of traffic (not just individual packets).
- Pros: More secure than packet-filtering firewalls as it can maintain the state of connections.
- Cons: Slightly slower due to state-tracking overhead.
- Use case: Corporate networks with dynamic traffic flows.
Proxy Firewalls (Application-Level Gateways):
- How it works: Acts as an intermediary between users and the services they are accessing. It forwards requests on behalf of the user.
- Pros: Provides additional layer of security by hiding the true IP address of the internal network.
- Cons: Slower performance due to traffic being routed through the proxy.
- Use case: Protecting web applications and restricting internet access.
Next-Generation Firewalls (NGFW):
- How it works: Combines traditional firewall capabilities with more advanced features like deep packet inspection, application awareness, and integrated intrusion prevention systems (IPS).
- Pros: Provides advanced security by blocking application-level attacks and analyzing traffic for malware.
- Cons: Higher cost and complexity.
- Use case: Enterprise-level security for complex network infrastructures.

🔐 Firewall Rules and Policies

Allow or Deny: Firewalls examine traffic based on IP addresses, ports, protocols, and application types to either allow or deny access.
Whitelisting: Only known trusted IPs or applications are allowed.
Blacklisting: Known malicious IPs or applications are blocked.

🛡️ Protection Provided by Firewalls:

Prevent unauthorized access to the network.
Block malicious traffic (e.g., DDoS, malware).
Monitor traffic for suspicious patterns (e.g., large data transfers).
Provide logging and alerting of potential security incidents.

🛠 Intrusion Detection Systems (IDS)

🧠 What is an Intrusion Detection System (IDS)?

🔧 Types of IDS:

Network-based IDS (NIDS):
- How it works: Monitors network traffic for suspicious patterns and behaviors.
- Pros: Good for detecting network-based attacks like DDoS or malware spreading across the network.
- Cons: May struggle with encrypted traffic or high network volumes.
- Use case: Protecting the perimeter of an enterprise network.
Host-based IDS (HIDS):
- How it works: Monitors activities on a specific host (computer or server), such as file access, system calls, and user activity.
- Pros: Can detect insider attacks and changes to files, configurations, or user behavior.
- Cons: Limited to the host being monitored and may generate a lot of false positives.
- Use case: Protecting sensitive or critical servers from unauthorized access or tampering.
Signature-Based IDS:
- How it works: Detects known threats by comparing network traffic or system activities to a database of signatures (patterns of known attack activity).
- Pros: Fast and effective for detecting known attacks.
- Cons: Cannot detect new, unknown attacks (zero-day threats).
- Use case: Effective against well-known attacks (e.g., worms, malware).
Anomaly-Based IDS:
- How it works: Detects deviations from normal behavior (e.g., unusual traffic spikes or failed login attempts).
- Pros: Can detect unknown or zero-day attacks by identifying abnormal activity.
- Cons: Higher false positive rates; requires baseline profiling.
- Use case: Detecting sophisticated or new attack patterns that don't have signatures.
Hybrid IDS:
- How it works: Combines signature-based and anomaly-based methods to improve detection accuracy.
- Pros: More effective at detecting both known and unknown attacks.
- Cons: More resource-intensive and complex to manage.
- Use case: High-security environments where both known and novel threats must be detected.

🛡️ Protection Provided by IDS:

Detect malicious network traffic (e.g., DDoS, scanning).
Monitor system activity for unauthorized actions (e.g., privilege escalation).
Alert administrators of suspicious or malicious activities.
Provide logging and evidence for incident response and forensic analysis.

🔄 Firewalls vs. Intrusion Detection Systems (IDS)

Feature	Firewalls	Intrusion Detection Systems (IDS)
Primary Function	Block unauthorized access	Detect and alert on suspicious activities
Focus	Prevent traffic from malicious sources	Identify potential intrusions or attacks
Deployment	Placed at the network perimeter	Installed on networks or hosts for monitoring
Traffic Filtering	Yes (Allow/Deny based on rules)	No, just monitors and alerts
Prevention	Yes, actively blocks traffic	No, alerts only
Detection of Known Threats	Some (in NGFWs with deep packet inspection)	Signature-based IDS detects known attacks
Detection of Unknown Threats	Limited (depending on rules)	Anomaly-based IDS can detect unknown attacks

🚨 Real-World Example: Combining Firewalls and IDS

Firewall: Blocks unwanted traffic (e.g., ports open for remote desktop access, known malicious IP addresses).
IDS: Monitors for unusual behavior (e.g., multiple failed login attempts, suspicious data exfiltration).

🛠 Best Practices for Using Firewalls and IDS Together:

Layered Security: Use both firewalls and IDS for defense-in-depth. Firewalls block unauthorized access, and IDS provides detection of intrusions.
Regular Updates: Keep firewall rules and IDS signatures up-to-date to stay ahead of evolving threats.
Integration: Integrate firewall logs and IDS alerts with a Security Information and Event Management (SIEM) system for better monitoring and response.
User Training: Ensure network administrators understand how to configure firewalls and interpret IDS alerts effectively.

Previous topic 9

Malware and database security

Next topic 11

Security policies: Formation and enforcement

Past Papers

Open this section to load past papers

Click on Show Past Papers to see past papers.