Issue in Computer Security
How do firewalls work?
How does an Intrusion Prevention System work?
There are several methods used to filter traffic, which may be used individually or combined into a firewall product:
Circuit-level gateways: Here the firewall only allows communications to the protected network based on requests that come from computers inside that network. Anyone scanning the network from outside only “sees” the address of the firewall, not the inside network. Non-requested data from outside the firewall is not allowed in, period. All in-bound ports are closed and all out-bound ports are open. To allow for exceptions, this method is usually combined with another method.
Packet filtering: Examines communication packets as they attempt to pass through the firewall, comparing them to the rules. The rules determine how the communication is handled and are based on the source IP of the data and the port it is intended for. The limitation of packet filters is that ports and IP addresses are all they will filter. They don’t evaluate the content of the data or the status of the connection, just where it’s headed.
Stateful inspection: Combines elements of packet filtering with some of the elements of the gateway methods. Stateful inspection firewalls hold in memory attributes such as IP address, port number and TCP handshake status of each connection from start to finish. All outgoing packets pass through the firewall, but incoming packets are allowed only if they are part of a TCP connection with an ESTABLISHED status. This ensures that hackers cannot start unsolicited connections. Established connections time out if no traffic has passed for a certain period of time and are removed from memory. Many cable/DSL SOHO gateway/routers use this method.
Proxy service/application-level gateways: Information from the Internet is retrieved by the firewall and then sent to the requesting system, and vice versa. Rather than letting computers retrieve data directly, a proxy service firewall runs proxy applications to view common types of data (like HTTP for web pages or POP3 for e-mail) before it is allowed through the firewall. This has at least two advantages. First, no direct communication is allowed between outside sources and computers behind the firewall; second, filtering can now be done using the actual content of the data, rather than just where it came from and where it’s going.
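The stateful inspection method described above, as an added toy model (not code from the original notes or from any firewall product): it keeps a per-connection table keyed on addresses and ports, tracks TCP handshake status, lets every outbound packet through, accepts inbound packets only for a tracked connection, and expires idle entries. The inside network prefix 10.0.0.x and the idle timeout are assumptions for the example.

```python
from dataclasses import dataclass

# Assumption for this example: the protected (inside) network is 10.0.0.0/24.
INSIDE_PREFIX = "10.0.0."

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as a short string: "S" (SYN), "SA" (SYN-ACK), "A" (ACK)

class StatefulFirewall:
    """Toy model of stateful inspection: one table entry per tracked connection."""
    def __init__(self, idle_timeout=60.0):
        self.idle_timeout = idle_timeout
        # key: (inside_ip, inside_port, outside_ip, outside_port) -> (handshake state, last seen)
        self.table = {}

    def state(self, key):
        return self.table[key][0] if key in self.table else None

    def _expire(self, now):
        # Connections with no traffic for idle_timeout seconds are removed from memory.
        for key, (_, last_seen) in list(self.table.items()):
            if now - last_seen > self.idle_timeout:
                del self.table[key]

    def filter(self, pkt, now):
        self._expire(now)
        if pkt.src.startswith(INSIDE_PREFIX):
            # Outbound: always allowed; a SYN creates the entry, later packets refresh it.
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            state = self.state(key)
            if state is None and pkt.flags == "S":
                self.table[key] = ("SYN_SENT", now)
            elif state == "SYN_RECEIVED" and pkt.flags == "A":
                self.table[key] = ("ESTABLISHED", now)  # three-way handshake complete
            elif state is not None:
                self.table[key] = (state, now)
            return "ACCEPT"
        # Inbound: only packets that belong to a tracked connection are allowed in.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.state(key)
        if state == "SYN_SENT" and pkt.flags == "SA":
            self.table[key] = ("SYN_RECEIVED", now)  # the reply to a SYN we sent out
            return "ACCEPT"
        if state == "ESTABLISHED":
            self.table[key] = (state, now)
            return "ACCEPT"
        return "DROP"  # unsolicited, out-of-sequence, or expired connection
```

An unsolicited inbound SYN is dropped because no table entry exists for it, while the SYN-ACK answering an inside host's SYN is accepted; once the entry expires, even a well-formed ACK for that connection is dropped.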
Intrusion prevention can be achieved through three main approaches: building systems with no vulnerabilities; taking perfect remediation steps to uncover vulnerabilities and patch them; and detecting exploit attempts and blocking them before serious damage is done.
An IPS operates in in-line mode, i.e. the sensor is placed directly in the network traffic path, inspecting all traffic at wire speed as it passes through the assigned port pair. In-line mode enables the sensor to run in a protection/prevention mode, where packet inspection is performed in real time and intrusive packets are dealt with immediately: the sensor can drop malicious packets. This enables it to actually prevent an attack from reaching its target. IPS technologies are differentiated from IDS technologies by one characteristic: IPS technologies can respond to a detected threat by attempting to prevent it from succeeding.
They use several response techniques, which can be divided into the following groups: the IPS stops the attack itself, the IPS changes the security environment, and the IPS changes the attack’s content.
The IPS stops the attack itself: Terminate the network connection or user session that is being used for the attack. Block access to the target from the offending user account, IP address, or other attacker attribute. Block all access to the targeted host, service, application, or other resource.
The IPS changes the security environment: The IPS could change the configuration of other security controls to disrupt an attack. A common example is reconfiguring a network device such as a firewall, router, or switch to block access from the attacker.
The IPS changes the attack’s content: IPS technologies can remove or replace malicious portions of an attack to make it benign. An example is an IPS that acts as a proxy and normalizes incoming requests, which means that the proxy repackages the payloads of the requests, discarding header information, or removes an infected file attachment from an e-mail and then permits the cleaned e-mail to reach its recipient.