Firewalls and Intrusion Prevention Systems (IPS)

Gundimeda Santosh
7 min read · Sep 23, 2022


Traditional Firewalls:

A firewall does essentially the same job as the ACLs on a router, but it makes its decisions using many more parameters than an ACL can.

The firewall shown in the figure above is a Cisco Adaptive Security Appliance (ASA). Most firewalls apply the following logic to decide whether to forward a packet or discard it:

■ Like router IP ACLs, match the source and destination IP addresses

■ Like router IP ACLs, identify applications by matching their static well-known TCP and UDP ports

■ Watch application-layer flows to know what additional TCP and UDP ports are used by a particular flow, and filter based on those ports

■ Match the text in the URI of an HTTP request — that is, look at and compare the contents of what is often called the web address — and match patterns to decide whether to allow or deny the download of the web page identified by that URI

■ Keep state information by storing information about each packet, and make decisions about filtering future packets based on the historical state information (called stateful inspection, or being a stateful firewall)

Of all this logic, the feature that stands out is that the firewall stores some information about the packets it has received and then uses that history to decide whether future packets should be processed or rejected. This is helpful under attacks such as DoS (Denial of Service).

By saving information about packets, the firewall builds up an idea of the minimum and maximum number of TCP connections a host normally opens. It compares that baseline with the number of TCP connections seen during a DoS attack, which will be abnormally high; the firewall then identifies the host (or the server containing the host) that is sending the TCP packets and terminates the connections, thus preventing the DoS attack.

Security Zones:

Firewalls not only filter packets but also pay close attention to which host initiates a TCP connection, by watching the TCP segments. Why the initiator matters can be shown with an example. Consider a company with a set of users. If one of the users wants to access a website, the user's host initiates a TCP connection to the web server. Connections initiated in the other direction, however, carry the risk of attracting attackers, which we do not want. To avoid this, firewalls use security zones.

Firewalls use the concept of security zones (also called a zone for short) when defining which hosts can initiate new connections. The firewall has rules, and those rules define which host can initiate connections from one zone to another zone. Also, by using zones, a firewall can place multiple interfaces into the same zone, in cases for which multiple interfaces should have the same security rules applied.

The figure above shows how outbound connections are allowed and inbound connections are restricted. The most basic firewall rule when using two zones, as in that figure, reduces to this logic:

Allow hosts from zone inside to initiate connections to hosts in zone outside, for a predefined set of safe well-known ports (like HTTP port 80, for instance).

By default the firewall disallows every packet unless there is a rule that allows certain packets to flow. By writing such rules we can, for example, allow users in the inside zone to access hosts in the outside zone.

Most companies have a third zone, apart from the inside and outside zones, known as the Demilitarized Zone (DMZ). A typical example of a DMZ is shown in the figure below.

The DMZ is the security zone where companies place the servers that are available for public access. The firewall then needs another rule that enables users in the zone outside, that is, users on the Internet, to initiate connections to those web servers in the DMZ.

By separating those web servers into the DMZ, away from the rest of the enterprise, the enterprise can prevent Internet users from attempting to connect to the internal devices in the inside zone, preventing many types of attacks.
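The zone logic described above (default deny, rules that govern only who may initiate a connection, return traffic admitted by stateful tracking, and the connection-count check from the DoS discussion) can be seen in a small simulation. The following is an added example written for this article, not code from the article or from Cisco; the zone names, address prefixes, rule table and per-source connection cap are all constructed assumptions.

```python
"""Toy stateful, zone-based firewall (constructed example, not Cisco code).

Assumptions: interfaces are mapped to zones by IP prefix; a flow is keyed by
its (src_ip, src_port, dst_ip, dst_port) tuple; rules say only which zone may
*initiate* a TCP connection into which zone and on which destination ports.
Replies for a tracked connection are allowed by the state table, and every
packet that matches neither state nor a rule is denied.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    syn: bool = False   # True on the first segment of a new connection
    ack: bool = False


# Interface-to-zone assignment (assumed prefixes); two inside prefixes share one zone.
ZONE_OF_PREFIX = {"10.1.": "inside", "10.2.": "inside", "192.0.2.": "dmz"}


def zone_of(ip: str) -> str:
    for prefix, zone in ZONE_OF_PREFIX.items():
        if ip.startswith(prefix):
            return zone
    return "outside"


# (initiating zone, destination zone) -> destination ports that may be opened.
# There is deliberately no ("outside", "inside") entry: the Internet may never initiate inward.
RULES = {
    ("inside", "outside"): {80, 443},
    ("inside", "dmz"): {80, 443, 22},
    ("outside", "dmz"): {80, 443},
}


class ZoneFirewall:
    def __init__(self, max_conns_per_source: int = 3):
        self.connections: set = set()      # tracked flows (the firewall's "state")
        self.conns_opened: dict = {}       # connections initiated per source IP
        self.max_conns = max_conns_per_source

    @staticmethod
    def _flow(p: Packet) -> tuple:
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse(p: Packet) -> tuple:
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def decide(self, p: Packet) -> str:
        # 1. Traffic belonging to a tracked connection is allowed by state, not by rule.
        if self._flow(p) in self.connections or self._reverse(p) in self.connections:
            return "allow"
        # 2. Only a bare SYN can open a connection; any other unmatched segment is dropped.
        if not p.syn or p.ack:
            return "deny"
        # 3. Zone rule: who is initiating, toward which zone, on which port.
        allowed = RULES.get((zone_of(p.src_ip), zone_of(p.dst_ip)), set())
        if p.dst_port not in allowed:
            return "deny"
        # 4. Crude DoS guard: cap the connections one source may open.
        count = self.conns_opened.get(p.src_ip, 0) + 1
        if count > self.max_conns:
            return "deny"
        self.conns_opened[p.src_ip] = count
        self.connections.add(self._flow(p))
        return "allow"


def run_demo() -> list:
    """Feed a constructed packet sequence through the firewall and return the verdicts."""
    fw = ZoneFirewall(max_conns_per_source=3)
    packets = [
        Packet("10.1.1.5", "203.0.113.9", 40000, 80, syn=True),             # inside -> outside web
        Packet("203.0.113.9", "10.1.1.5", 80, 40000, syn=True, ack=True),   # reply, allowed by state
        Packet("203.0.113.9", "10.1.1.5", 50000, 445, syn=True),            # outside -> inside: no rule
        Packet("203.0.113.9", "192.0.2.10", 50001, 443, syn=True),          # outside -> DMZ web
        Packet("203.0.113.9", "192.0.2.10", 50002, 22, syn=True),           # outside -> DMZ ssh: port not allowed
        Packet("10.2.3.4", "192.0.2.10", 40001, 22, syn=True),              # second inside interface -> DMZ ssh
    ]
    # Constructed burst of SYNs from one source toward the DMZ web server.
    packets += [Packet("198.51.100.7", "192.0.2.10", 1000 + i, 80, syn=True) for i in range(5)]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    print(run_demo())
```

The order of the checks in `decide` is the point: state is consulted before rules, so the reply from the outside web server is admitted even though no rule allows outside-to-inside traffic, while a fresh SYN from the same outside address toward an inside host is still denied.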

Intrusion Prevention System:

Traditionally, a firewall works with a set of user-configured rules about where packets should be allowed to flow in a network. The firewall needs to sit in the path of the packets so it can filter the packets, redirect them for collection and later analysis, or let them continue toward their destination.

A traditional intrusion prevention system (IPS) can sit in the path packets take through the network, and it can filter packets, but it makes its decisions with different logic. The IPS first downloads a database of exploit signatures. Each signature defines the header field values found in the sequences of packets used by a particular exploit. The IPS can then examine packets, compare them to the known exploit signatures, and notice when packets may be part of a known exploit. Once identified, the IPS can log the event, discard packets, or even redirect the packets to another security application for further examination. Those signatures look for these kinds of attacks:

■ DoS

■ DDoS

■ Worms

■ Viruses

Cisco Next Generation Firewalls:

A next-generation firewall (NGFW) looks at the application layer data to identify the application instead of relying on the TCP and UDP port numbers used. Cisco performs this deep packet inspection using a feature called Application Visibility and Control (AVC).

Cisco AVC can identify many applications based on the data sent (application layer headers plus application data structures far past the TCP and UDP headers). When used with a Cisco NGFW, the firewall matches the application instead of the port numbers, defeating attacks that rely on unexpected port numbers (as described under AVC below).
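The difference between matching a port number and matching the application itself can be shown in a few lines. What follows is an added example written for this article, not Cisco's AVC code or any part of the original post; the port table, the payload heuristics (HTTP request line, TLS record header, SSH identification string) and the sample flows are constructed assumptions.

```python
"""Port-based versus application-aware classification (constructed example).

Illustrates the idea behind AVC, not Cisco's implementation: the application
is decided from the first bytes of application-layer data rather than from the
TCP destination port, so traffic on an unexpected port is still recognised.
"""

# Assumed static port table, as a traditional port-matching firewall would use.
PORT_TABLE = {80: "http", 443: "tls", 22: "ssh"}

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")

# Applications an inside host may initiate toward the outside zone (assumed policy).
ALLOWED_TO_OUTSIDE = {"http", "tls"}


def classify_by_port(dst_port: int) -> str:
    return PORT_TABLE.get(dst_port, "unknown")


def classify_by_payload(payload: bytes) -> str:
    # HTTP request line: METHOD SP Request-URI SP HTTP/version
    if payload.split(b" ", 1)[0] in HTTP_METHODS and b" HTTP/" in payload:
        return "http"
    # TLS record header: content type 0x16 (handshake), major version 0x03
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    # SSH identification string (RFC 4253) sent at the start of the session
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    return "unknown"


def verdict(app: str) -> str:
    return "allow" if app in ALLOWED_TO_OUTSIDE else "deny"


def evaluate(dst_port: int, payload: bytes) -> dict:
    """Return what a port-based rule and an application-aware rule each conclude."""
    by_port = classify_by_port(dst_port)
    by_payload = classify_by_payload(payload)
    return {
        "port_app": by_port, "port_verdict": verdict(by_port),
        "avc_app": by_payload, "avc_verdict": verdict(by_payload),
    }


# Constructed sample flows: (destination port, first application-layer bytes).
SAMPLE_FLOWS = [
    (80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),                   # web on its usual port
    (443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32),   # TLS ClientHello start
    (443, b"SSH-2.0-OpenSSH_9.0\r\n"),                                      # SSH hiding on port 443
    (8080, b"POST /api HTTP/1.1\r\nHost: example.com\r\n\r\n"),             # web on a non-standard port
]


def run_demo() -> list:
    return [evaluate(port, data) for port, data in SAMPLE_FLOWS]


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The third flow is the interesting one: the port-based rule labels it `tls` and allows it, while the payload-based classifier labels it `ssh` and denies it. The fourth flow shows the reverse, legitimate web traffic that a port table would wrongly block.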

The key features that distinguish an NGFW from a traditional firewall are as follows:

Traditional firewall: An NGFW performs traditional firewall features, like stateful firewall filtering, NAT/PAT, and VPN termination.

Application Visibility and Control (AVC): This feature looks deep into the application layer data to identify the application. For instance, it can identify the application based on the data, rather than the port number, to defend against attacks that use random port numbers.

Advanced Malware Protection: NGFW platforms run multiple security services, not just as a platform to run a separate service, but for better integration of functions. A network-based anti-malware function can run on the firewall itself, blocking file transfers that would install malware, and saving copies of files for later analysis.

URL Filtering: This feature examines the URLs in each web request, categorizes the URLs, and either filters or rate limits the traffic based on rules. The Cisco Talos security group monitors and creates reputation scores for each domain known in the Internet, with URL filtering being able to use those scores in its decision to categorize, filter, or rate limit.

NGIPS: The Cisco NGFW products can also run their NGIPS feature along with the firewall.

Cisco Next Generation IPS:

One of the biggest problems with a traditional IPS is the volume of security logs it generates. For instance:

1. An IPS compares the signature database, which lists all known exploits, to all messages.

2. It generates events, often far more than the security staff can read.

3. The staff must mentally filter events to find the proverbial needle in the haystack, possible only through hard work, vast experience, and a willingness to dig.

The following list mentions a few of the Cisco NGIPS features:

Traditional IPS: An NGIPS performs traditional IPS features, like using exploit signatures to compare packet flows, creating a log of events, and possibly discarding and/or redirecting packets.

Application Visibility and Control (AVC): As with NGFWs, an NGIPS has the ability to look deep into the application layer data to identify the application.

Contextual Awareness: NGFW platforms gather data from hosts — OS, software version/level, patches applied, applications running, open ports, applications currently sending data, and so on. Those facts inform the NGIPS as to the often more limited vulnerabilities in a portion of the network so that the NGIPS can focus on actual vulnerabilities while greatly reducing the number of logged events.

Reputation-Based Filtering: The Cisco Talos security intelligence group researches security threats daily, building the data used by the Cisco security portfolio. Part of that data identifies known bad actors, based on IP address, domain name, or even specific URL, with a reputation score for each. A Cisco NGIPS can perform reputation-based filtering, taking the scores into account.

Event Impact Level: Security personnel need to assess the logged events, so an NGIPS provides an assessment based on impact levels, with characterizations as to the impact if an event is indeed some kind of attack.
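Two of the points above, signature matching on packet header fields and sequences (from the traditional IPS section) and the way contextual awareness and impact levels cut the number of events the staff must read, can be combined in one worked example. This is an added example written for this article, not Cisco code and not part of the original post; the signature format, the SMB header magic used as a payload pattern, the host inventory and the three-level impact scale are constructed assumptions and do not reproduce Cisco's impact flag definitions.

```python
"""Signature-based IPS with host-context impact scoring (constructed example).

Not Cisco code. Signatures match either on header fields plus a payload
pattern, or on a sequence of packets (a count of SYNs from one source to one
host). Each event is then scored against what is known about the target host:
1 = host is actually vulnerable, 2 = host unknown, 3 = host known and not
vulnerable. Triage keeps only level-1 events.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    syn: bool = False
    payload: bytes = b""


@dataclass
class Signature:
    sig_id: str
    name: str
    dst_port: Optional[int] = None            # header field the signature matches on
    payload_contains: Optional[bytes] = None  # byte pattern inside the application data
    min_syns: Optional[int] = None            # sequence-based: SYNs from one source to one host
    vulnerable_os: set = field(default_factory=set)  # OS families the exploit affects; empty = any


# Constructed signature database (the real one is downloaded by the IPS).
SIGNATURES = [
    Signature("SIG-001", "SMB exploit attempt against Windows (constructed)", dst_port=445,
              payload_contains=b"\xffSMB", vulnerable_os={"windows"}),
    Signature("SIG-002", "PHP web shell upload (constructed)", dst_port=80,
              payload_contains=b"<?php", vulnerable_os={"linux", "windows"}),
    Signature("SIG-003", "SYN flood (constructed)", min_syns=4),
]

# Host facts an NGIPS would gather: OS and listening ports. Constructed inventory.
HOST_CONTEXT = {
    "10.1.1.10": {"os": "linux", "ports": {80, 22}},
    "10.1.1.20": {"os": "windows", "ports": {445, 3389}},
}


def impact_level(sig: Signature, dst_ip: str, dst_port: Optional[int]) -> int:
    ctx = HOST_CONTEXT.get(dst_ip)
    if ctx is None:
        return 2                      # nothing known about the target
    if not sig.vulnerable_os:
        return 1                      # e.g. a flood affects any known host
    if ctx["os"] in sig.vulnerable_os and (dst_port is None or dst_port in ctx["ports"]):
        return 1                      # right OS and the targeted service is really listening
    return 3


def inspect(packets: list) -> list:
    """Compare every packet (and the SYN sequence) against the signature database."""
    events = []
    for p in packets:
        for sig in SIGNATURES:
            if sig.min_syns is not None:
                continue              # sequence signatures are evaluated below
            if sig.dst_port is not None and p.dst_port != sig.dst_port:
                continue
            if sig.payload_contains is not None and sig.payload_contains not in p.payload:
                continue
            events.append({"sig": sig.sig_id, "src": p.src_ip, "dst": p.dst_ip,
                           "impact": impact_level(sig, p.dst_ip, p.dst_port)})
    syn_counts = Counter((p.src_ip, p.dst_ip) for p in packets if p.syn)
    for sig in SIGNATURES:
        if sig.min_syns is None:
            continue
        for (src, dst), n in syn_counts.items():
            if n >= sig.min_syns:
                events.append({"sig": sig.sig_id, "src": src, "dst": dst,
                               "impact": impact_level(sig, dst, None)})
    return events


def triage(events: list) -> list:
    """What the staff actually need to read: events whose target is really exposed."""
    return [e for e in events if e["impact"] == 1]


# Constructed traffic sample.
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "10.1.1.10", 445, payload=b"\x00\x00\x00\x54\xffSMBr"),  # SMB at a Linux host
    Packet("203.0.113.5", "10.1.1.20", 445, payload=b"\x00\x00\x00\x54\xffSMBr"),  # SMB at a Windows host
    Packet("203.0.113.6", "10.1.1.10", 80, payload=b"<?php echo 1; ?>"),           # PHP at a Linux web server
    Packet("203.0.113.6", "10.1.1.20", 80, payload=b"<?php echo 1; ?>"),           # PHP at a host with no web service
    Packet("203.0.113.7", "198.51.100.30", 80, payload=b"<?php echo 1; ?>"),       # PHP at an unknown host
] + [Packet("203.0.113.8", "10.1.1.10", 80, syn=True) for _ in range(5)]           # SYN burst


def run_demo() -> tuple:
    events = inspect(SAMPLE_PACKETS)
    return events, triage(events)


if __name__ == "__main__":
    all_events, worth_reading = run_demo()
    print(len(all_events), "events generated,", len(worth_reading), "worth reading")
```

The signature engine alone produces six events from this sample; with host context applied, only three are left at impact level 1, which is the reduction the contextual awareness feature is meant to deliver.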

Reference:

https://www.amazon.in/Exam-78-Official-Cert-Guide/dp/1587147130
