Firewall
Issue in Computer Security
Firewall and Intrusion Prevention System
Not everyone knows what a firewall and an intrusion prevention system are or what they do, especially people without an IT background, and this leads them to neglect the security of their Internet access. An intrusion prevention system, or IPS, is commonly mistaken for a firewall or treated as a substitute for one. While both relate to network security, there is a big difference. An IPS is not a replacement for either a firewall or a good antivirus program; rather, it is used in conjunction with our standard security products to increase system-specific or network-wide security. A firewall limits access between networks in order to prevent intrusion, but it does not signal an attack coming from inside the network. When we allow inbound Internet traffic, at some point we have to open a hole through our firewall. An IPS evaluates a suspected intrusion once it has taken place, signals an alarm, and attempts to stop it. It watches for attacks specifically designed to slip past a firewall’s filtering rules.
There are several types of firewalls:
Static packet filtering firewalls – filter packets according to allow/deny rules based on header fields such as source/destination IP addresses and ports, protocol type and TCP flags. These firewalls do not look into the payload for malicious intent and treat each packet as an individual entity. The advantage is speed, but they are prone to spoofing and fragmentation attacks.
Stateful packet filtering firewalls – an improvement over static packet filtering firewalls, as they keep track of connection state. In client/server applications, the client contacts the server with a request and receives a response. Because the client initiated the request, the response is allowed in, bypassing the firewall rules and optimizing the screening process, which improves firewall performance. However, the firewall needs additional resources to maintain state tables, which can be kept in hardware or software.
Proxy firewalls – break up a client/server connection to examine the protocol’s syntax. If the traffic meets the rules, the proxy forwards its payload to the corresponding daemon process. Proxy firewalls require a lot of resources but provide strong isolation between the internal network and the Internet.
There are two types of intrusion prevention system:
Host IPS (HIPS) – as with host IDS systems, the host IPS relies on agents installed directly on the system being protected. It binds closely with the operating system kernel and services, monitoring and intercepting system calls to the kernel or APIs in order to prevent attacks as well as log them. It may also monitor data streams and the environment specific to a particular application (e.g. file locations and Registry settings for a web server) in order to protect that application from generic attacks for which no “signature” yet exists. One potential disadvantage of this approach is that, given the necessarily tight integration with the host operating system, future OS upgrades could cause problems.
Network IPS (NIPS). The next generation firewall – the deep inspection firewall – also exhibits a similar feature set, though we do not believe that the deep inspection firewall is ready for mainstream deployment just yet. As with a typical firewall, the NIPS has at least two network interfaces, one designated as internal and one as external. As packets appear at either interface they are passed to the detection engine, at which point the IPS device functions much as any IDS would in determining whether or not the packet being examined poses a threat. However, if it detects a malicious packet, in addition to raising an alert it discards the packet and marks that flow as bad. As the remaining packets that make up that particular TCP session arrive at the IPS device, they are discarded immediately. Legitimate packets are passed through to the second interface and on to their intended destination. A useful side effect of some NIPS products is that, as a matter of course and in fact as part of the initial detection process, they provide “packet scrubbing” functionality to remove protocol inconsistencies resulting from varying interpretations of the TCP/IP specification (or intentional packet manipulation).
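To make the stateful filtering described above and the NIPS “mark the flow as bad” behaviour concrete, here is a small simulation written for this post (not code from any firewall product). It keeps a state table of client-initiated flows so that replies are allowed in without an inbound rule, and once the detection hook flags a packet, every later packet of that same session is discarded. The packet fields, addresses and the detection predicate are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    iface: str           # interface the packet arrived on: "internal" or "external"
    payload: bytes = b""

def flow_key(p: Packet):
    # Canonical 4-tuple, so a request and its reply map to the same flow entry.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

@dataclass
class StatefulFilter:
    allow_new: set                                   # (iface, dport) allowed to *initiate* a flow
    detect: Callable[[Packet], bool] = lambda p: False  # NIPS-style detection hook (constructed)
    state: set = field(default_factory=set)          # state table of established flows
    bad: set = field(default_factory=set)            # flows flagged by the detection engine

    def process(self, p: Packet) -> str:
        key = flow_key(p)
        if key in self.bad:
            return "drop:bad-flow"       # rest of a flagged session is discarded immediately
        if self.detect(p):
            self.bad.add(key)            # raise alert, drop packet, mark flow as bad
            return "drop:detected"
        if key in self.state:
            return "allow:established"   # reply to a client-initiated flow bypasses the rules
        if (p.iface, p.dport) in self.allow_new:
            self.state.add(key)          # static rule matched: record the new flow
            return "allow:new"
        return "drop:no-rule"            # unsolicited traffic with no matching rule

def demo():
    # Constructed traffic: only internal hosts may open HTTPS flows; "EVIL" stands in for a signature.
    fw = StatefulFilter(allow_new={("internal", 443)},
                        detect=lambda p: b"EVIL" in p.payload)
    pkts = [
        Packet("10.0.0.5", "203.0.113.9", 40000, 443, "internal"),          # client request
        Packet("203.0.113.9", "10.0.0.5", 443, 40000, "external"),          # server reply
        Packet("198.51.100.7", "10.0.0.5", 5555, 22, "external"),           # unsolicited inbound
        Packet("203.0.113.9", "10.0.0.5", 443, 40000, "external", b"EVIL"), # malicious packet
        Packet("203.0.113.9", "10.0.0.5", 443, 40000, "external", b"next"), # same session, later
    ]
    return [fw.process(p) for p in pkts]

if __name__ == "__main__":
    print(demo())
```

The third packet is dropped by the static rule set, while the second is admitted purely on the strength of the state table, which is exactly the difference between the static and stateful filters above.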
By Puspha