Saturday, February 26, 2011


Let's go back to the first chapter and discuss why LANs are connected to the Internet. The most common reason is for a company to sell goods or advertise products through its website. Companies can also communicate better with partners and employees, and employees are more productive because of the resources available on the Internet.
However, this exposes the company to dangers such as:
-Port scanning
-Undesired packets
-Connection to untrusted networks

A firewall is a device, or a system of devices, that is designed to prevent unauthorized access to or from a private network. It isolates the LAN from the Internet by implementing the company's security policy with respect to Internet connections.

Typically, a router is needed to connect to the Internet. Since it sits at the border of the network, the firewall is often implemented in the router itself; the router is then known as a screening router (discussed later). The perimeter device (whether a dedicated firewall or a screening router) is the first line of defense, and typically provides logging functions as well.

There are three main types of firewalls:
-Packet filter
-Application gateway
-Proxy server

Packet filters look at each packet and check it against the firewall rules (typically a table that is matched from top to bottom). The first rule that matches (either PERMIT or DENY) is applied to the packet, so the order of the rules matters. Packet filtering is effective, fast, and transparent to users.

An application gateway provides the highest level of security. It inspects the application-layer data, as in the case of NBAR, which can recognise tunneled traffic (e.g. a connection on port 80 that does not actually carry HTTP).

A proxy server is an intermediate server that makes connections on behalf of users. It breaks the client-server model: each connection needs two handshakes, one between the client and the firewall and one between the firewall and the target host.

Proxy servers conceal the internal addressing of the clients, and they allow inspection of the application-layer data (i.e. they can inspect tunneled traffic), which lets them filter viruses, malware and other malicious content. However, a proxy adds latency and sometimes bandwidth problems, as extra steps are required to establish each connection.

How a firewall works depends on what its filters are based on and on the OSI layer it operates at. Firewalls typically work at Layer 2 and above (it is not possible, feasible or practical to filter on Layer 1 characteristics).

A perimeter firewall, however, cannot defend against internal attacks or any other attack that does not pass through it, such as social engineering. Clients can also bypass a perimeter firewall by dialing out through a modem or by using a VPN tunnel (such as HotSpot Shield) whose encrypted contents the firewall cannot inspect.

The most basic type of firewall is the packet filter, which examines the headers and fields of the protocols to determine whether a packet is permitted or denied. The rules and the action to take are stored in an ACL (Access-Control List).

Ingress filtering and egress filtering denote filtering of incoming and outgoing packets respectively; the direction is with respect to the LAN.

Packet filters can be placed at the network level (router-based) or the host level (host-based). Network-level firewalls are typically implemented in routers, making the router a screening router; it protects against threats that pass through it.

At the host level, it is typically a personal firewall installed on each host, protecting ONLY that host.

Information used in packet filtering includes:
source/destination IP address, MAC address, port, direction of traffic, protocol, and header fields/flags (such as the TCP flag bits, IP fragment fields and DSCP/IP options).

This information can be used to block access to specific websites (by IP address, not domain name) and connections to specific ports (e.g. so that FTP cannot be used). It can also be used to block specific hosts from entering. Specifying the port adds a lot of flexibility.

An ACL can be default allow or default deny. It is typically default deny, which means that traffic that does not match any rule is implicitly denied at the end of the list.

Packet filtering has the advantage of being faster because of its low overhead: it performs fewer evaluations per packet, which results in higher throughput than other types of firewall.

However, certain rules are complex to specify, test, and modify. Exceptions may be difficult to create, and it is difficult to block services that use dynamic ports. IP spoofing attacks can also defeat this type of firewall to a certain extent (attacks that only need one-way communication, for example, can use a spoofed source IP address that the rules permit).
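As an added example (not code from the original post), here is a small stateless packet filter in Python that walks an ACL from top to bottom, applies the first matching rule and falls through to an implicit deny. The internal network (192.168.1.0/24), the web server address, the rule set and the sample packets are all assumptions made for this example. It shows ingress and egress anti-spoofing, a port-based policy (no FTP), and the classic weakness of a stateless filter: permitting return traffic by the ACK flag alone cannot tell a genuine reply from an ACK probe, which is one way one-sided or spoofed traffic gets past a packet filter.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed internal network and public web server for this example (constructed).
LAN = ipaddress.ip_network("192.168.1.0/24")
WEB_SERVER = "192.168.1.10/32"


@dataclass(frozen=True)
class Packet:
    direction: str           # "in" = ingress (from the Internet), "out" = egress (from the LAN)
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    syn: bool = False        # TCP SYN flag
    ack: bool = False        # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    action: str              # "PERMIT" or "DENY"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"   # CIDR; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None      # None matches any port
    established: bool = False        # match only TCP packets with ACK set (like Cisco's 'established')
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if self.direction != "any" and self.direction != p.direction:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


# The ACL is evaluated top to bottom; the first matching rule wins.
ACL = [
    Rule("DENY", direction="in", src=str(LAN),
         comment="ingress anti-spoofing: Internet packets must not claim a LAN source"),
    Rule("DENY", direction="out", proto="tcp", dport=21,
         comment="policy: no FTP from the LAN"),
    Rule("PERMIT", direction="in", proto="tcp", dst=WEB_SERVER, dport=80,
         comment="public web server"),
    Rule("PERMIT", direction="in", proto="tcp", dst=str(LAN), established=True,
         comment="return traffic for connections the LAN initiated (ACK set)"),
    Rule("PERMIT", direction="out", src=str(LAN),
         comment="LAN hosts may initiate outbound connections"),
    # Anything else falls through to the implicit deny below; that also drops
    # egress packets whose source is not a LAN address (egress anti-spoofing).
]


def filter_packet(p: Packet, acl=ACL):
    """Return (action, reason) for the first rule that matches, or the implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action, rule.comment
    return "DENY", "implicit deny (no rule matched)"


if __name__ == "__main__":
    samples = [
        Packet("in", "tcp", "203.0.113.5", "192.168.1.10", 80, syn=True),    # web request: PERMIT
        Packet("in", "tcp", "203.0.113.5", "192.168.1.20", 22, syn=True),    # SSH from outside: DENY
        Packet("in", "tcp", "192.168.1.77", "192.168.1.10", 80, syn=True),   # spoofed LAN source: DENY
        Packet("out", "tcp", "192.168.1.20", "203.0.113.5", 21, syn=True),   # FTP: DENY
        Packet("out", "tcp", "192.168.1.20", "203.0.113.5", 443, syn=True),  # HTTPS out: PERMIT
        Packet("out", "udp", "10.9.9.9", "203.0.113.53", 53),                # not a LAN source: DENY
        Packet("in", "tcp", "203.0.113.5", "192.168.1.20", 51000, ack=True), # reply to LAN: PERMIT
        Packet("in", "tcp", "203.0.113.5", "192.168.1.20", 22, ack=True),    # ACK probe: PERMIT (weakness)
    ]
    for p in samples:
        print(p.direction, p.proto, p.src, "->", p.dst, p.dport, filter_packet(p))
```

Because the first match wins, swapping the FTP deny and the outbound permit would silently permit FTP; that is the ordering pitfall behind "rules are complex to specify, test, and modify". The last sample packet is the ACK-flag weakness: a stateless filter has no connection table, so an unsolicited ACK to port 22 is accepted as "return traffic", and the host's RST reply tells the prober the port is unfiltered.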

An IDS (Intrusion Detection System) is similar to a firewall in that it is used to monitor the network. However, it monitors based on signatures (specific patterns that indicate an attack) and anomalies (deviations from normal network activity). An IDS does not typically prevent intrusions, as it is not inline with the traffic (it works on mirrored traffic), so it has to rely on a secondary device (such as a router) to block an attack once it is detected. For the same reason it cannot stop single-packet attacks: by the time the alert is raised and the block is installed, the packet has already reached its target.

An IPS (Intrusion Prevention System) is an IDS that is inline with the traffic, and can block attacks without the help of a secondary device.

Think of an IDS as a burglar alarm and a security camera combined. It detects attacks, attempts to enforce policies, and provides an audit trail after the attack is over.

An IDS can detect if a worm is attacking the network, or if a system has been compromised, and alert the administrator in such a case. It can also be configured to detect activities that do not conform to the security policy. Finally, an IDS can provide an after-attack audit trail to see how far an attacker got and where the attack came from.

There are four ways a detection result can be categorized:
False Positive - Test turns out positive (e.g. ALERT!) but it's false (there is no attack).
False Negative - Test turns out negative, but it's false (there is an attack).
True Positive - Test turns out positive, and indeed there is an attack.
True Negative - Test turns out negative, and there indeed is no attack.
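As an added example (not from the original post), the following Python runs a signature detector and a simple anomaly detector over a constructed log and scores every line against its ground-truth label using the four categories above. The log lines, the signatures and the port-scan threshold are assumptions made for this example. It also demonstrates a common false negative: a URL-encoded directory traversal slips past a naive signature until the request is decoded before matching.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample traffic (not from the post): (source IP, destination port,
# request line or "-" for a bare connection, ground-truth label).  The label is
# used only for scoring; the detectors never look at it.
SAMPLE_LOG = [
    ("203.0.113.5", 80, "GET /index.html", "benign"),
    ("203.0.113.5", 80, "GET /help/etc/passwd-format.html", "benign"),             # trips a signature
    ("198.51.100.7", 80, "GET /cgi-bin/../../etc/passwd", "attack"),
    ("198.51.100.7", 80, "GET /cgi-bin/%2e%2e%2f%2e%2e%2fetc%2fpasswd", "attack"),  # URL-encoded traversal
    ("198.51.100.9", 80, "GET /login?user=admin'%20OR%20'1'='1", "attack"),
    ("192.0.2.33", 22, "-", "attack"),      # one source touching many ports: a port scan
    ("192.0.2.33", 23, "-", "attack"),
    ("192.0.2.33", 25, "-", "attack"),
    ("192.0.2.33", 80, "-", "attack"),
    ("192.0.2.33", 443, "-", "attack"),
    ("192.0.2.33", 3306, "-", "attack"),
    ("203.0.113.8", 443, "GET /shop/cart", "benign"),
    ("203.0.113.8", 80, "GET /shop", "benign"),
]

# Signature detection: fixed patterns that indicate an attack (assumed for the example).
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./"),
    "etc-passwd": re.compile(r"/etc/passwd"),
    "sqli-tautology": re.compile(r"'(?:%20|\s)+OR(?:%20|\s)+'", re.IGNORECASE),
}


def signature_alerts(log, normalize=False):
    """Map log index -> names of the signatures that matched the request line."""
    hits = {}
    for i, (_src, _dport, request, _label) in enumerate(log):
        # Decoding before matching is what closes the encoded-traversal gap.
        text = unquote(request) if normalize else request
        names = [name for name, pat in SIGNATURES.items() if pat.search(text)]
        if names:
            hits[i] = names
    return hits


def anomaly_alerts(log, threshold=5):
    """Return sources that contacted at least `threshold` distinct ports (crude port-scan heuristic)."""
    ports = defaultdict(set)
    for src, dport, _request, _label in log:
        ports[src].add(dport)
    return {src for src, seen in ports.items() if len(seen) >= threshold}


def classify(log, normalize=False, threshold=5):
    """Score each line as TP/FP/TN/FN by comparing the alerts with the ground-truth label."""
    sig = signature_alerts(log, normalize)
    scanners = anomaly_alerts(log, threshold)
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for i, (src, _dport, _request, label) in enumerate(log):
        alerted = i in sig or src in scanners
        attack = label == "attack"
        if alerted and attack:
            counts["TP"] += 1
        elif alerted:
            counts["FP"] += 1
        elif attack:
            counts["FN"] += 1
        else:
            counts["TN"] += 1
    return counts


if __name__ == "__main__":
    print("raw matching:       ", classify(SAMPLE_LOG))
    print("decode before match:", classify(SAMPLE_LOG, normalize=True))
```

The benign page "/help/etc/passwd-format.html" is the false positive that a literal-string signature produces, and the "%2e%2e%2f" request is the false negative; normalising the request before matching turns the latter into a true positive without touching the signatures. The anomaly rule counts distinct destination ports per source over the whole log; a real IDS would apply the threshold within a time window.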

Like firewalls, an IDS can be host-based or network-based. A host-based IDS on a single host has a limited view of the network and cannot detect (or can only partly detect) attacks targeted at other hosts.

A honeypot is a server that is used to attract hackers. It looks like a tempting target, such as a database server, but there is actually no real service running there. It is used to distract hackers away from real targets and to study their attack methods. However, it may not be usable to convict a hacker.
