Firewall and Intrusion Detection System

Source: Internet
Author: User

From a network administrator's point of view, the world divides cleanly into two camps. On one side are the good guys, who belong to the organization's network and can access its resources relatively freely; on the other are malicious attackers, who must be carefully scrutinized before being allowed anywhere near those resources. These security tasks are carried out by firewalls, intrusion detection systems, and intrusion prevention systems.

A firewall is a combination of hardware and software that isolates an organization's internal network from the wider Internet, allowing some packets through and blocking others. A firewall has three goals:

First, all traffic from the outside to the inside and from the inside to the outside passes through the firewall.

Second, only authorized traffic (as defined by the local security policy) is allowed to pass.

Third, the firewall itself is immune to penetration.

Firewalls can be grouped into three categories: traditional packet filters, stateful packet filters, and application gateways.

A traditional packet filter examines each datagram in isolation and decides, according to rules set by the administrator, whether to drop it or let it through. The filtering decision is usually based on the IP addresses; the protocol field of the IP datagram (TCP, UDP, ICMP, and so on); the port numbers; the TCP flag bits (SYN, ACK, and so on); and the router interface involved, since different interfaces can carry different rules. On a typical router this is implemented with an access control list.

A stateful packet filter actually tracks TCP connections and uses that knowledge to make filtering decisions. It typically works with a connection table alongside the access control list.
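The difference between the two filter classes above, as an added example that is not part of the original article: a stateless rule that admits inbound TCP whenever the ACK bit is set lets an unsolicited packet through, while the stateful filter only admits inbound packets matching a connection an inside host opened. The packet fields, the internal prefix and the rules are constructed for this illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed packet model: only the header fields a packet filter can see.
Packet = namedtuple("Packet", "direction src dst proto sport dport flags")
INSIDE = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address block

def stateless_filter(pkt):
    """Traditional packet filter: each datagram is judged on its own.
    Rule 1: allow TCP leaving the network from an inside host.
    Rule 2: allow inbound TCP only when ACK is set (presumed to be a reply).
    Default: deny."""
    if pkt.proto != "TCP":
        return "deny"
    if pkt.direction == "out" and ipaddress.ip_address(pkt.src) in INSIDE:
        return "allow"
    if (pkt.direction == "in" and ipaddress.ip_address(pkt.dst) in INSIDE
            and "ACK" in pkt.flags):
        return "allow"
    return "deny"

class StatefulFilter:
    """Stateful packet filter: the same ACL plus a connection table.
    Inbound packets pass only if they belong to a connection whose SYN
    was earlier seen leaving the network."""
    def __init__(self):
        self.connections = set()  # (inside ip, port, outside ip, port)

    def check(self, pkt):
        if stateless_filter(pkt) == "deny":
            return "deny"
        if pkt.direction == "out":
            if "SYN" in pkt.flags:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: reverse the 4-tuple and look for the opening connection.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if key in self.connections else "deny"

def demo():
    """Constructed traffic: a real reply and a stray inbound ACK packet."""
    sf = StatefulFilter()
    syn_out = Packet("out", "10.1.2.3", "203.0.113.5", "TCP", 51000, 80, {"SYN"})
    reply_in = Packet("in", "203.0.113.5", "10.1.2.3", "TCP", 80, 51000, {"SYN", "ACK"})
    stray_in = Packet("in", "198.51.100.9", "10.1.2.3", "TCP", 4444, 443, {"ACK"})
    return {
        "reply_stateless": stateless_filter(reply_in),   # allow
        "stray_stateless": stateless_filter(stray_in),   # allow: the weakness
        "stateful": (sf.check(syn_out), sf.check(reply_in), sf.check(stray_in)),
    }
```

The stateless filter admits the stray packet because ACK is set; the stateful filter denies it because no inside host opened that connection.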

Application gateways: the first two classes filter at the packet level, which lets an organization perform coarse-grained filtering based on the contents of the IP and TCP/UDP headers. But what if an organization wants to offer Telnet service only to a restricted set of internal users? That task is beyond the capabilities of traditional and stateful filters: the identity of an internal user is application data and does not appear in the TCP/UDP/IP headers. To reach a higher level of security, the firewall must combine packet filtering with an application gateway. An application gateway is an application-specific server through which all application data must pass. Multiple application gateways can run on the same host, but each gateway is a separate server with its own process.

However, application gateways also have drawbacks. First, each application requires its own application gateway. Second, performance suffers, since all data is relayed through the gateway. This problem is especially acute when multiple users or applications share the same gateway host.

Intrusion Detection System

Traditional filters inspect the header fields of IP, TCP, UDP, and ICMP. To detect many kinds of attacks, however, we need deep packet inspection, that is, looking beyond the header fields at the actual application data the packet carries. A device that observes potentially malicious traffic and raises alerts is called an intrusion detection system (IDS). A device that filters out suspicious traffic is called an intrusion prevention system (IPS). An IDS can detect a wide range of attacks, including network mapping, port scans, TCP stack scans, DoS bandwidth-flooding attacks, and so on.

Why does a typical enterprise deploy multiple IDS sensors? Because an IDS must not only perform deep packet inspection but also compare every passing packet against tens of thousands of signatures, which is a heavy processing load.

IDS systems can generally be categorized as either signature-based or anomaly-based. A signature-based IDS maintains a database of attack signatures and raises an alarm when traffic matches one of them. This approach has two flaws: first, if no signature exists for an attack, the IDS cannot detect it; second, even when a signature matches, the traffic may not actually be an attack, which produces a false alarm.
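Both flaws of signature matching, as an added example that is not from the original article: a constructed signature database is run over constructed payloads, producing one true alert, one false alarm on benign text, and one missed attack that has no signature. The signature names, patterns and sample payloads are all made up for the illustration.

```python
# Constructed signature database: name -> byte pattern to look for in the
# application payload (deep packet inspection, not header fields).
SIGNATURES = {
    "unix-password-file-request": b"/etc/passwd",
    "telnet-root-login-attempt": b"login: root",
}

def inspect(payload, signatures=SIGNATURES):
    """Compare one packet's application payload against every signature
    and return the names of all that match."""
    return [name for name, pattern in signatures.items() if pattern in payload]

def evaluate(samples, signatures=SIGNATURES):
    """Run the IDS over labelled samples, where each sample is a
    (payload, is_attack) pair, and tally the four possible outcomes."""
    tally = {"true_alert": 0, "false_alert": 0, "missed": 0, "quiet": 0}
    for payload, is_attack in samples:
        alerted = bool(inspect(payload, signatures))
        if alerted and is_attack:
            tally["true_alert"] += 1     # signature matched a real attack
        elif alerted:
            tally["false_alert"] += 1    # signature matched benign traffic
        elif is_attack:
            tally["missed"] += 1         # attack with no signature on file
        else:
            tally["quiet"] += 1          # benign traffic, no alert
    return tally

# Constructed samples: (payload bytes, whether it is really an attack)
SAMPLES = [
    (b"GET /../../etc/passwd HTTP/1.0\r\n", True),                 # true alert
    (b"Chapter 3: the format of /etc/passwd on Unix\r\n", False),  # false alarm
    (b"login: admin\r\n", True),                                   # missed: no signature
    (b"GET /index.html HTTP/1.0\r\n", False),                      # quiet
]

if __name__ == "__main__":
    print(evaluate(SAMPLES))
```

The second sample shows why a match is not proof of an attack, and the third shows that a signature database only catches what it already knows.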
