PROFESSIONAL SECURITY SYSTEMS

Size: px
Start display at page:

Download "PROFESSIONAL SECURITY SYSTEMS"

Transcription

1 PROFESSIONAL SECURITY SYSTEMS Security policy, active protection against network attacks and management of IDP Introduction Intrusion Detection and Prevention (IDP ) is a new generation of network security systems which implementation is NetScreen IDP (formerly OneSecure ). This is a network security system performing intrusion detection tasks able to block attacks in a real time. IDP as opposed to ordinary IDS systems, which by listening to the network identify events when intruders have already made their attacks, and practically are unable to block them, is able to block attacks efficiently. Even if an ordinary IDS notifies the Firewall about an event, it is too late. IDP system operates in an in-line mode as the active network gateway, directly on the network traffic route. IDP system detects and blocks intruders before gaining access to the protected IT resources IDP makes possible to react at scanning attempts, penetrations and break-in attacks of Exploit type (on network and application level), destructive attacks of (D)DoS type as well as other techniques used by hackers. IDP sensors are delivered as dedicated, ready to deploy Appliances. IDP devices throughput is over 400 Mb/s. They can operate in in-line mode (e.g. network traffic flows through the device) or as a sniffer (a device listening to the network traffic). In the in-line mode of operation, IDP sensors can be deployed as routers or as bridges. CLICO Ltd., Al. 3-go Maja 7, Kraków, Poland; Tel: ; ; Fax: ; Ftp.clico.pl.;

2 IDP system architecture IDP security system has complete, three-layer architecture: sensors, management server and GUI interface. It allows for efficient security means deployment and network security management. IDP consists of the following components: IDP sensors - analyze whole network traffic, detect and block attacks and enforce accepted security policy, IDP Management Server - stores and manages all attack signatures, log database as well as security policies set. GUI interface - graphic tools for IDP management which allow administrators to perform their tasks from any point in the network. IDP can be deployed in a distributed (e.g. all the components are separate) or centralized architecture, where the management server and IDP sensor operate on the same device. All the IDP management and log processing is performed on the central management server. Security policies are created on the management server and installed on the IDP sensors in the network. Network communication between all the IDP components is protected by cryptographic means. IDP sensors can operate in in-line or sniffer modes. When operating in in-line mode, IDP sensors can be deployed in a failure resistant HA architecture CLICO LTD. ALL RIGHTS RESERVED 2

3 Attack detection techniques IDP security system utilizes many identification and attack protection methods. Attack detection methods are included depending on the network traffic controlled. At the same time data analysis using individual detection methods is performed (parallel processing). It ensures high detection level of attacks without affecting performance. Multi-Method Detection (MMD) mechanism used in the IDP includes the following detection methods: Stateful Signatures - detection of known attacks based on the signature database. Stateful signatures contain data about attack pattern as well as the communication type, where such an event could take place. Network traffic is exposed to the context analysis, thanks to which most of so-called false positives are eliminated. Attack patterns are searched only in the specific network communication, thus ensuring high control efficiency and security performance. Protocol Anomalies - detection of discrepancies between network traffic and standards of specific protocols (among others RFC). It happens in reality that intruders in order to confuse security means or hide real attacks generate network traffic different from accepted rules and standards. Backdoor Detection - detection of Trojans activities as well as unauthorized access to the protected systems through so-called backdoors. Detection is performed by comparison of network traffic with known intruders activity templates as well as an heuristic analysis of packets transmitted. Traffic Anomalies - identification of network activities regarded as prohibited or suspicious, performed in a form of many different connections (e.g. ports scanning). The subject of an analysis are connections within specific period of time. IP Spoofing - detection of network traffic with forged IP addresses of the packet sender. The IP Spoofing technique is often used by intruders in order to hide a real attack source. IDP detects IP Spoofing by comparing IP addresses in packets with addresses used in internal networks. Layer 2 - detection of attacks and suspicious activities on the 2 layer of the OSI model and MAC addressing levels (e.g. ARP cache poisoning). This is particularly valuable in case of IDP control of internal networks. Denial of Service Detection - detection of destructive and destabilizing DoS attacks (Denial-of-Service). DoS attacks are usually performed through sending to the service server many specifically created requests which cause running out of its resources (e.g. SYN-Flood). Network Honeypot - early detection and recognition of intruders activities by using a honeypot technique. In case of scanning, penetrating or break-in attempt IDP presents to intruders fictitious information regarding services available on servers CLICO LTD. ALL RIGHTS RESERVED 3

4 IDP administrator console IDP system is managed from the central management console (see figure). All the IDP security means in the network regardless of their location operate according to one, coherent security policy of the enterprise. The GUI console allows for maintaining one, central enterprise security policy with regard to intruders detection and active attacks blocking CLICO LTD. ALL RIGHTS RESERVED 4

5 Management tools overview IDP management server is responsible for centralized creation and deployment of enterprise's security policy with regard to detection and blocking attacks and other prohibited activities as well as consolidation of events (logs, alerts) registered on many sensors in the network and storing them in the central database. Administrators can control the whole IDP system from any point in the network using dedicated, graphic tools. The GUI interface consists of the following six components: Security Policy Editor - a tool allowing for creating different rules (e.g. Main, SYN- Protector, Network Honeypot, Backdoor Detection, Traffic Anomalies, Sensor Settings Rulebases) and deploying them on the specific IDP sensors in the network. Dashboard - displays the most important statistics regarding network and security means operation in a real time. It contains the following sections: Host Watch List, Source Watch List, Attack Summary, Reports and Device Status. IDP graphic console presents the current network security status 2003 CLICO LTD. ALL RIGHTS RESERVED 5

6 Object Editor - object management 1 on which the IDP security system operates. Basic objects include Network Object (e.g. network, host, server, sensor), Service Object (e.g. FTP, HTTP, Telnet) and Attack Object (e.g. attacks and protocols anomalies signatures). Log Viewer - browsing and analyzing of events logged by IDP sensors according to the accepted security policy. Displays record logs in the table format with possibility to define specific data filtering and selection rules. Administrator analyzes events logged by the IDP sensors in real-time. Device Monitor - shows the current state of the IDP sensors and the management server (among others processor, RAM, security processes) and in case of emergency alerts the Administrator. Reports generates different reports based on the events logged by the IDP sensors CLICO LTD. ALL RIGHTS RESERVED 6

7 IDP security policy Currently existed IDS systems are accused of illogically analyzing the attack signature database (e.g. communication to the DNS server is analyzed focusing on HTTP attacks) and sensors detect and log events which are irrelevant from protected network security perspective. Most of the currently available IDS systems were created in At that time, IDS signature database did not exceed 100 records. Development and complexity of network environment as well as large, constantly increasing number of known attacks, require effectiveness of IDS systems operation. The most complex and time-consuming operation for IDS systems are those which are performed with use of a signature database (among others matching attack signatures to the captured network traffic). The signature database consists of large number of basic attacks definitions (over 1000 records) as well as of different mutations of those attacks. For effective operation of security means, the IDS security policy should unambiguously define what kind of network traffic is a subject of inspections by the specific sensors and what this traffic should be searched for (e.g. what kind of attacks). It became important to create a detailed IDS security policy. Identification of the traffic network itself (e.g. reading the packet headers) is performed much quicker than an analysis of the signature database. The IDP security policy consists of set of rules, which unambiguously determine what kind of network traffic should be inspected by specific IDP sensors, what should be looked for in it (e.g. what kind of attacks) and what kind of activity should be initiated by the system in case when these events are detected. The IDP security policy allows for effectively maintaining their logical cohesion and correctness as well as their efficient management. On the other hand, the security policy of old generation IDS system only makes out what signatures should be included on the specific sensor and what kind of IDS sensor's action should be undertaken for each signature. Maintaining logically correct and efficient security policy of an old generation IDS system, taking into account big volume of constantly increasing signature database (currently about 1500 records) is extremely time-consuming. IDP belongs to the new generation of intrusion detection and attack protection systems. It provides administrators with robust tools for monitoring and control of network traffic which were unavailable in old generation of IDS systems. IDP configuration is directly based on the accepted IT system security policy. IDP has been developed in a way to avoid necessity to tune the security policy to the accepted security technology (e.g. resigning for required security function as a result of security technology limitations) CLICO LTD. ALL RIGHTS RESERVED 7

8 IDP security policy consists of set of rules describing security means operation principles. The rules are defined through the graphic Policy Editor. The Policy Editor contains five sections: Main basic rules regarding network monitoring, prohibited and suspicious activity detection as well as attacks elimination, Backdoor Detection network traffic analysis (among others heuristic analysis) focusing on interactive session detection indicating existence of applications of a Trojan or Backdoor types, Network Honeypot presenting of fictitious information regarding IT system services in case of detection of unauthorized access attempts, SYN-Protector protection of servers against attacks of Syn Flood type, Traffic Anomalies - detection of suspicious operation in the network (e.g. TCP and UDP ports scanning). When defining network traffic control rules, the Administrator can choose a configuration mode Basic, which contains only basic settings or Advanced, which describes IDP operation more specifically (View Main Rulebase). What kind of network traffic is the subject of inspection? What should be looked for (e.g. what kind of attacks)? What action should be taken in case of an event detection? 2003 CLICO LTD. ALL RIGHTS RESERVED 8

9 The Match field unambiguously identifies the network traffic which is subject to control. Who initiates communication (the client)? With whom communication is being performed (the server)? Is the communication controlled against the other security rules after being identified by the IDP? When defining IDP rules in the Advanced mode there is an additional field Service, which determines network protocols and services which are under control. The Look For field identifies events and attacks, which should be detected by the IDP CLICO LTD. ALL RIGHTS RESERVED 9

10 The Action field describes the way IDP operates after the event has been identified. What action is taken by the IDP? How the Administrator is notified? Where the rule is valid? The IDP system after detecting an event can undertake different actions depending on the mode it operates: none no action, ignore the network traffic is ignored, close client & server closing session and sending an RST packet to the client and the application server. close client closing session and sending an RST packet to the application client, close server closing session and sending an RST packet to the application server, (in the in-line mode only) drop packet blocking the packet without sending an RST packet, drop connection blocking the connection without sending an RST packet CLICO LTD. ALL RIGHTS RESERVED 10

11 The IDP Administrator can be notified about the event in the following way: logging storing information about the event in the Log, alarm information about the event is displayed on the console as an alarm (flag in the Log Viewer), session description of the event additionally includes information about the number of packets in session, number of bytes and time of session duration, SNMP Trap the responsive message to the SNMP manager, syslog sending information about the event to the SYSLOG server, send sending information about the event via , run script running a specific script or an application, log packets logging packets before the event and/or after the event (i.e. in order to perform a detailed analysis of the network traffic). Settings for different types of IDP notification are performed in the Tools Preferences menu CLICO LTD. ALL RIGHTS RESERVED 11

12 When defining IDP rules in the Advanced mode there are two additional fields: IP Action action is undertaken after detection of the event for next packets within the same communication (e.g. blocking packets from IP address which is the source of the attack for specific time), Severity event priority. Note: IP Action settings should be carefully thought over before they are used. This is a very strong mechanism for the Administrator and its utilization should be specially planned. It allows for blocking any intruders action in case when IDP has detected their unaccepted behavior. First of all, the IP Action should not be used in response to attacks, which might possibly be made from different IP addresses (e.g. IP Spoofing, IP addresses in packets sent by intruders have been forged) CLICO LTD. ALL RIGHTS RESERVED 12

13 IDP system perform analysis of specific network traffic performing among others the following: heuristic analysis focusing on interactive session detection, indicating existence on the protected servers applications of Trojan or Backdoor types. For instance, all the sessions with the FTP server except for the FTP protocol are analyzed for existence of applications of Backdoor/Trojan type. In case of detection of unauthorized access attempts to the protected servers, IDP systems present to intruders false information about IT system services available there. For instance, in case of access attempt to the FTP and Web services of Windows 2000 domain controller, intruders get only apparent access to the server and all their actions are monitored and logged CLICO LTD. ALL RIGHTS RESERVED 13

14 Server protection in networks protected against DoS attacks (destabilizing, destructive) using SYN Flood technique. IDP system after noticing the attack can send an RST packet to the TCP server (passive method) or establish temporary TCP session with the server in order to better recognize the attack (relay method). IDP system detects suspicious operations (e.g. TCP/UDP ports scanning) and reacts to them according to the security policy settings CLICO LTD. ALL RIGHTS RESERVED 14

15 Analysis and reporting of logged events IDP system in a real time detects unauthorized and suspicious operations such as scanning, penetration and break-in attempts, attacks of Exploit type (on network and application levels), destructive and destabilizing attacks of (D)DoS type as well as many other techniques used by hackers. Attack detection is being performed using different methods used depending on the type of the traffic analyzed (among others Stateful Signatures, Anomaly Detection, Network Honeypot, Spoofing Detection, Backdoor Detection). Administrator immediately analyzes the security of the IT system using dedicated tools. With Log Viewer he views and selects events logged by individual IDP sensors. Special tools Log Investigator allow for detailed recognition of how attacks are conducted and what is their range CLICO LTD. ALL RIGHTS RESERVED 15

16 The events logged in the IDP log can be stored in the other format (e.g. PDF file). Based on their content administrator can create reports focusing on the analysis of specific behavior or security state (e.g. servers which are scanned most often, attacks most often performed, list of the most dangerous attacks. When needed, the reports can be tuned using factors available for each of them (e.g. time boundaries, type of chart displayed). 1 IDP security policy objects can also be imported from the Check Point FireWall-1 management workstation using CPMI API protocol (OPSEC ) CLICO LTD. ALL RIGHTS RESERVED 16

Introduction of Intrusion Detection Systems

Introduction of Intrusion Detection Systems Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:

More information

Network Forensics: Log Analysis

Network Forensics: Log Analysis Network Forensics: Analysis Richard Baskerville Agenda P Terms & -based Tracing P Application Layer Analysis P Lower Layer Analysis Georgia State University 1 2 Two Important Terms PPromiscuous Mode

More information

Intrusion Detection Systems (IDS)

Intrusion Detection Systems (IDS) Intrusion Detection Systems (IDS) What are They and How do They Work? By Wayne T Work Security Gauntlet Consulting 56 Applewood Lane Naugatuck, CT 06770 203.217.5004 Page 1 6/12/2003 1. Introduction Intrusion

More information

CTS2134 Introduction to Networking. Module 8.4 8.7 Network Security

CTS2134 Introduction to Networking. Module 8.4 8.7 Network Security CTS2134 Introduction to Networking Module 8.4 8.7 Network Security Switch Security: VLANs A virtual LAN (VLAN) is a logical grouping of computers based on a switch port. VLAN membership is configured by

More information

Firewall Firewall August, 2003

Firewall Firewall August, 2003 Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also

More information

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013 CS 356 Lecture 17 and 18 Intrusion Detection Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

Resolving problems with SMTP Security Server and CVP operating in Check Point NG

Resolving problems with SMTP Security Server and CVP operating in Check Point NG PROFESSIONAL SECURITY SYSTEMS Resolving problems with SMTP Security Server and CVP operating in Check Point NG by Mariusz Stawowski CCSA/CCSE (4.1x, NG) The Check Point FireWall-1 Next Generation (NG)

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Security Scanning Procedures Version 1.1 Release: September 2006 Table of Contents Purpose...1 Introduction...1 Scope of PCI Security Scanning...1 Scanning

More information

Network- vs. Host-based Intrusion Detection

Network- vs. Host-based Intrusion Detection Network- vs. Host-based Intrusion Detection A Guide to Intrusion Detection Technology 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free: 800.776.2362 Fax: 678.443.6477

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

RAVEN, Network Security and Health for the Enterprise

RAVEN, Network Security and Health for the Enterprise RAVEN, Network Security and Health for the Enterprise The Promia RAVEN is a hardened Security Information and Event Management (SIEM) solution further providing network health, and interactive visualizations

More information

8. Firewall Design & Implementation

8. Firewall Design & Implementation DMZ Networks The most common firewall environment implementation is known as a DMZ, or DeMilitarized Zone network. A DMZ network is created out of a network connecting two firewalls; i.e., when two or

More information

Firewalls and Intrusion Detection

Firewalls and Intrusion Detection Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall

More information

FortiWeb 5.0, Web Application Firewall Course #251

FortiWeb 5.0, Web Application Firewall Course #251 FortiWeb 5.0, Web Application Firewall Course #251 Course Overview Through this 1-day instructor-led classroom or online virtual training, participants learn the basic configuration and administration

More information

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls CSE 4482 Computer Security Management: Assessment and Forensics Protection Mechanisms: Firewalls Instructor: N. Vlajic, Fall 2013 Required reading: Management of Information Security (MIS), by Whitman

More information

Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS) 1 of 8 3/25/2005 9:45 AM Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS) Intrusion Detection systems fall into two broad categories and a single new one. All categories

More information

P Principles of Network Forensics P Terms & Log-based Tracing P Application Layer Log Analysis P Lower Layer Log Analysis

P Principles of Network Forensics P Terms & Log-based Tracing P Application Layer Log Analysis P Lower Layer Log Analysis Agenda Richard Baskerville P Principles of P Terms & -based Tracing P Application Layer Analysis P Lower Layer Analysis Georgia State University 1 2 Principles Kim, et al (2004) A fuzzy expert system for

More information

Lab VI Capturing and monitoring the network traffic

Lab VI Capturing and monitoring the network traffic Lab VI Capturing and monitoring the network traffic 1. Goals To gain general knowledge about the network analyzers and to understand their utility To learn how to use network traffic analyzer tools (Wireshark)

More information

A Prevention & Notification System By Using Firewall. Log Data. Pilan Lin

A Prevention & Notification System By Using Firewall. Log Data. Pilan Lin A Prevention & Notification System By Using Firewall Log Data By Pilan Lin 1 Table Of Content ABSTRACT... 3 1 INTRODUCTION... 4 2. Firewall Log data... 6 2.1 How to collect log data... 6 3. Prevention

More information

Check Point FireWall-1 HTTP Security Server performance tuning

Check Point FireWall-1 HTTP Security Server performance tuning PROFESSIONAL SECURITY SYSTEMS Check Point FireWall-1 HTTP Security Server performance tuning by Mariusz Stawowski CCSA/CCSE (4.1x, NG) Check Point FireWall-1 security system has been designed as a means

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

PROFESSIONAL SECURITY SYSTEMS

PROFESSIONAL SECURITY SYSTEMS PROFESSIONAL SECURITY SYSTEMS Check Point SecurePlatform Firewall security platform for use in the systems with increased security requirements IT technologies are essential for proper operation of majority

More information

Rules definition for anomaly based intrusion detection

Rules definition for anomaly based intrusion detection Rules definition for anomaly based intrusion detection 2002 By Lubomir Nistor Introduction Intrusion detection systems (IDS) are one of the fastest growing technologies within the security space. Unfortunately,

More information

White Paper: Combining Network Intrusion Detection with Firewalls for Maximum Perimeter Protection

White Paper: Combining Network Intrusion Detection with Firewalls for Maximum Perimeter Protection White Paper: Combining Network Intrusion Detection with Firewalls for Maximum Perimeter Protection April 2001 Abstract 2 What is a network intrusion detection system? 2 Electronic security mimics physical

More information

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University Module II. Internet Security Chapter 7 Intrusion Detection Web Security: Theory & Applications School of Software, Sun Yat-sen University Outline 7.1 Threats to Computer System 7.2 Process of Intrusions

More information

Firewalls. Chapter 3

Firewalls. Chapter 3 Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border

More information

SOFTWARE ENGINEERING 4C03. Computer Networks & Computer Security. Network Firewall

SOFTWARE ENGINEERING 4C03. Computer Networks & Computer Security. Network Firewall SOFTWARE ENGINEERING 4C03 Computer Networks & Computer Security Network Firewall HAO WANG #0159386 Instructor: Dr. Kartik Krishnan Mar.29, 2004 Software Engineering Department of Computing and Software

More information

Firewalls, IDS and IPS

Firewalls, IDS and IPS Session 9 Firewalls, IDS and IPS Prepared By: Dr. Mohamed Abd-Eldayem Ref.: Corporate Computer and Network Security By: Raymond Panko Basic Firewall Operation 2. Internet Border Firewall 1. Internet (Not

More information

Name. Description. Rationale

Name. Description. Rationale Complliiance Componentt Description DEEFFI INITION Network-Based Intrusion Detection Systems (NIDS) Network-Based Intrusion Detection Systems (NIDS) detect attacks by capturing and analyzing network traffic.

More information

Chapter 15. Firewalls, IDS and IPS

Chapter 15. Firewalls, IDS and IPS Chapter 15 Firewalls, IDS and IPS Basic Firewall Operation The firewall is a border firewall. It sits at the boundary between the corporate site and the external Internet. A firewall examines each packet

More information

FIREWALLS & CBAC. philip.heimer@hh.se

FIREWALLS & CBAC. philip.heimer@hh.se FIREWALLS & CBAC philip.heimer@hh.se Implementing a Firewall Personal software firewall a software that is installed on a single PC to protect only that PC All-in-one firewall can be a single device that

More information

Second-generation (GenII) honeypots

Second-generation (GenII) honeypots Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they

More information

IntruPro TM IPS. Inline Intrusion Prevention. White Paper

IntruPro TM IPS. Inline Intrusion Prevention. White Paper IntruPro TM IPS Inline Intrusion Prevention White Paper White Paper Inline Intrusion Prevention Introduction Enterprises are increasingly looking at tools that detect network security breaches and alert

More information

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding? Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against

More information

IDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow

IDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow IDS 4.0 Roadshow Module 1- IDS Technology Overview Agenda Network Security Network Security Policy Management Protocols The Security Wheel IDS Terminology IDS Technology HIDS and NIDS IDS Communication

More information

PCI Security Scan Procedures. Version 1.0 December 2004

PCI Security Scan Procedures. Version 1.0 December 2004 PCI Security Scan Procedures Version 1.0 December 2004 Disclaimer The Payment Card Industry (PCI) is to be used as a guideline for all entities that store, process, or transmit Visa cardholder data conducting

More information

10 Configuring Packet Filtering and Routing Rules

10 Configuring Packet Filtering and Routing Rules Blind Folio 10:1 10 Configuring Packet Filtering and Routing Rules CERTIFICATION OBJECTIVES 10.01 Understanding Packet Filtering and Routing 10.02 Creating and Managing Packet Filtering 10.03 Configuring

More information

Service Managed Gateway TM. How to Configure a Firewall

Service Managed Gateway TM. How to Configure a Firewall Service Managed Gateway TM Issue 1.3 Date 10 March 2006 Table of contents 1 Introduction... 3 1.1 What is a firewall?... 3 1.2 The benefits of using a firewall... 3 2 How to configure firewall settings

More information

Buyer s Guide For Intrusion Prevention Systems (IPS)

Buyer s Guide For Intrusion Prevention Systems (IPS) Buyer s Guide For Intrusion Prevention Systems (IPS) Table of Contents Introduction... 3 Executive Summary... 5 Quick Checklist... 8 Detailed Buyer s Checklist... 10 Introduction Security has long been

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

Classic IOS Firewall using CBACs. 2012 Cisco and/or its affiliates. All rights reserved. 1

Classic IOS Firewall using CBACs. 2012 Cisco and/or its affiliates. All rights reserved. 1 Classic IOS Firewall using CBACs 2012 Cisco and/or its affiliates. All rights reserved. 1 Although CBAC serves as a good foundation for understanding the revolutionary path toward modern zone based firewalls,

More information

LogLogic Juniper Networks Intrusion Detection and Prevention (IDP) Log Configuration Guide

LogLogic Juniper Networks Intrusion Detection and Prevention (IDP) Log Configuration Guide LogLogic Juniper Networks Intrusion Detection and Prevention (IDP) Log Configuration Guide Document Release: September 2011 Part Number: LL600015-00ELS090000 This manual supports LogLogic Juniper Networks

More information

Network Based Intrusion Detection Using Honey pot Deception

Network Based Intrusion Detection Using Honey pot Deception Network Based Intrusion Detection Using Honey pot Deception Dr.K.V.Kulhalli, S.R.Khot Department of Electronics and Communication Engineering D.Y.Patil College of Engg.& technology, Kolhapur,Maharashtra,India.

More information

IDS / IPS. James E. Thiel S.W.A.T.

IDS / IPS. James E. Thiel S.W.A.T. IDS / IPS An introduction to intrusion detection and intrusion prevention systems James E. Thiel January 14, 2005 S.W.A.T. Drexel University Overview Intrusion Detection Purpose Types Detection Methods

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall

More information

IP Filter/Firewall Setup

IP Filter/Firewall Setup IP Filter/Firewall Setup Introduction The IP Filter/Firewall function helps protect your local network against attack from outside. It also provides a method of restricting users on the local network from

More information

12. Firewalls Content

12. Firewalls Content Content 1 / 17 12.1 Definition 12.2 Packet Filtering & Proxy Servers 12.3 Architectures - Dual-Homed Host Firewall 12.4 Architectures - Screened Host Firewall 12.5 Architectures - Screened Subnet Firewall

More information

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS FIREWALLS Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS: WHY Prevent denial of service attacks: SYN flooding: attacker

More information

Fig. 4.2.1: Packet Filtering

Fig. 4.2.1: Packet Filtering 4.2 Types of Firewalls /DKo98/ FIREWALL CHARACTERISTICS 1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the

More information

By David G. Holmberg, Ph.D., Member ASHRAE

By David G. Holmberg, Ph.D., Member ASHRAE The following article was published in ASHRAE Journal, November 2003. Copyright 2003 American Society of Heating, Refrigerating and Air-Conditioning Engineers, Inc. It is presented for educational purposes

More information

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013 CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access

More information

Intrusion Detection. Tianen Liu. May 22, 2003. paper will look at different kinds of intrusion detection systems, different ways of

Intrusion Detection. Tianen Liu. May 22, 2003. paper will look at different kinds of intrusion detection systems, different ways of Intrusion Detection Tianen Liu May 22, 2003 I. Abstract Computers are vulnerable to many threats. Hackers and unauthorized users can compromise systems. Viruses, worms, and other kinds of harmful code

More information

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Passive Logging. Intrusion Detection System (IDS): Software that automates this process Passive Logging Intrusion Detection: Monitor events, analyze for signs of incidents Look for violations or imminent violations of security policies accepted use policies standard security practices Intrusion

More information

WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT

WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT WHAT S INSIDE: 1. GENERAL INFORMATION 1 2. EXECUTIVE SUMMARY 1 3. BACKGROUND 2 4. QUESTIONS FOR CONSIDERATION

More information

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Virtual private network Network security protocols COMP347 2006 Len Hamey Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Public internet Security protocol encrypts

More information

Cconducted at the Cisco facility and Miercom lab. Specific areas examined

Cconducted at the Cisco facility and Miercom lab. Specific areas examined Lab Testing Summary Report July 2009 Report 090708 Product Category: Unified Communications Vendor Tested: Key findings and conclusions: Cisco Unified Communications solution uses multilayered security

More information

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Aakanksha Vijay M.tech, Department of Computer Science Suresh Gyan Vihar University Jaipur, India Mrs Savita Shiwani Head Of

More information

The Truth about False Positives

The Truth about False Positives An ISS Technical White Paper The Truth about False Positives 6303 Barfield Road Atlanta, GA 30328 Tel: 404.236.2600 Fax: 404.236.2626 Overview In the security industry, many security analysts remark that

More information

Chapter 11 Cloud Application Development

Chapter 11 Cloud Application Development Chapter 11 Cloud Application Development Contents Motivation. Connecting clients to instances through firewalls. Chapter 10 2 Motivation Some of the questions of interest to application developers: How

More information

Quality Certificate for Kaspersky DDoS Prevention Software

Quality Certificate for Kaspersky DDoS Prevention Software Quality Certificate for Kaspersky DDoS Prevention Software Quality Certificate for Kaspersky DDoS Prevention Software Table of Contents Definitions 3 1. Conditions of software operability 4 2. General

More information

Managing Latency in IPS Networks

Managing Latency in IPS Networks Application Note Revision B McAfee Network Security Platform Managing Latency in IPS Networks Managing Latency in IPS Networks McAfee Network Security Platform provides you with a set of pre-defined recommended

More information

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN) MIS5206 Week 12 Your Name Date 1. Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)? a) User from within could send a file

More information

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

CYBER ATTACKS EXPLAINED: PACKET CRAFTING CYBER ATTACKS EXPLAINED: PACKET CRAFTING Protect your FOSS-based IT infrastructure from packet crafting by learning more about it. In the previous articles in this series, we explored common infrastructure

More information

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection. A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based

More information

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann

More information

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles Firewalls Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations

More information

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application Layer Chapter 5: Security Concepts for Networks Firewalls Intrusion Detection

More information

Barracuda Intrusion Detection and Prevention System

Barracuda Intrusion Detection and Prevention System Providing complete and comprehensive real-time network protection Today s networks are constantly under attack by an ever growing number of emerging exploits and attackers using advanced evasion techniques

More information

Stateful Inspection Technology

Stateful Inspection Technology Stateful Inspection Technology Security Requirements TECH NOTE In order to provide robust security, a firewall must track and control the flow of communication passing through it. To reach control decisions

More information

Norton Personal Firewall for Macintosh

Norton Personal Firewall for Macintosh Norton Personal Firewall for Macintosh Evaluation Guide Firewall Protection for Client Computers Corporate firewalls, while providing an excellent level of security, are not always enough protection for

More information

INTRODUCTION TO FIREWALL SECURITY

INTRODUCTION TO FIREWALL SECURITY INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ

More information

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT Network Security s Access lists Ingress filtering s Egress filtering NAT 2 Drivers of Performance RequirementsTraffic Volume and Complexity of Static IP Packet Filter Corporate Network The Complexity of

More information

Security Type of attacks Firewalls Protocols Packet filter

Security Type of attacks Firewalls Protocols Packet filter Overview Security Type of attacks Firewalls Protocols Packet filter Computer Net Lab/Praktikum Datenverarbeitung 2 1 Security Security means, protect information (during and after processing) against impairment

More information

MIGRATING IPS SECURITY POLICY TO JUNIPER NETWORKS SRX SERIES SERVICES GATEWAYS

MIGRATING IPS SECURITY POLICY TO JUNIPER NETWORKS SRX SERIES SERVICES GATEWAYS APPLICATION NOTE MIGRATING IPS SECURITY POLICY TO JUNIPER NETWORKS SRX SERIES SERVICES GATEWAYS Migrating Advanced Security Policies to SRX Series Services Gateways Copyright 2009, Juniper Networks, Inc.

More information

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals AlienVault Unified Security Management (USM) 5.x Policy Management Fundamentals USM 5.x Policy Management Fundamentals Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

Attack Lab: Attacks on TCP/IP Protocols

Attack Lab: Attacks on TCP/IP Protocols Laboratory for Computer Security Education 1 Attack Lab: Attacks on TCP/IP Protocols Copyright c 2006-2010 Wenliang Du, Syracuse University. The development of this document is funded by the National Science

More information

Datasheet. Cover. Datasheet. (Enterprise Edition) Copyright 2015 Colasoft LLC. All rights reserved. 0

Datasheet. Cover. Datasheet. (Enterprise Edition) Copyright 2015 Colasoft LLC. All rights reserved. 0 Cover Datasheet Datasheet (Enterprise Edition) Copyright 2015 Colasoft LLC. All rights reserved. 0 Colasoft Capsa Enterprise enables you to: Identify the root cause of performance issues; Provide 24/7

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human

More information

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

What is Firewall? A system designed to prevent unauthorized access to or from a private network. What is Firewall? A system designed to prevent unauthorized access to or from a private network. What is Firewall? (cont d) Firewall is a set of related programs, located at a network gateway server. Firewalls

More information

Guidelines for Web applications protection with dedicated Web Application Firewall

Guidelines for Web applications protection with dedicated Web Application Firewall Guidelines for Web applications protection with dedicated Web Application Firewall Prepared by: dr inŝ. Mariusz Stawowski, CISSP Bartosz Kryński, Imperva Certified Security Engineer INTRODUCTION Security

More information

Linux Network Security

Linux Network Security Linux Network Security Course ID SEC220 Course Description This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Host Security course. Protocols

More information

IBM. Vulnerability scanning and best practices

IBM. Vulnerability scanning and best practices IBM Vulnerability scanning and best practices ii Vulnerability scanning and best practices Contents Vulnerability scanning strategy and best practices.............. 1 Scan types............... 2 Scan duration

More information

Total solution for your network security. Provide policy-based firewall on scheduled time. Prevent many known DoS and DDoS attack

Total solution for your network security. Provide policy-based firewall on scheduled time. Prevent many known DoS and DDoS attack Network Security Total solution for your network security With the growth of the Internet, malicious attacks are happening every minute, and intruders are trying to access your network, using expensive

More information

Chapter 8 Security Pt 2

Chapter 8 Security Pt 2 Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,

More information

McAfee Network Security Platform Administration Course

McAfee Network Security Platform Administration Course McAfee Network Security Platform Administration Course Intel Security Education Services Administration Course The McAfee Network Security Platform Administration course from McAfee Education Services

More information

Protecting and controlling Virtual LANs by Linux router-firewall

Protecting and controlling Virtual LANs by Linux router-firewall Protecting and controlling Virtual LANs by Linux router-firewall Tihomir Katić Mile Šikić Krešimir Šikić Faculty of Electrical Engineering and Computing University of Zagreb Unska 3, HR 10000 Zagreb, Croatia

More information

funkwerk packetalarm NG IDS/IPS Systems

funkwerk packetalarm NG IDS/IPS Systems funkwerk packetalarm NG IDS/IPS Systems First Class Security. Intrusion Detection and Intrusion Prevention Funkwerk IP-Appliances Corporate and Authorities networks: A Popular Target of Attacks Nowadays,

More information

UNDERSTANDING FIREWALLS TECHNICAL NOTE 10/04

UNDERSTANDING FIREWALLS TECHNICAL NOTE 10/04 UNDERSTANDING FIREWALLS TECHNICAL NOTE 10/04 REVISED 23 FEBRUARY 2005 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation

More information

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security? 7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk

More information

Intrusion Detection and Prevention System (IDPS) Technology- Network Behavior Analysis System (NBAS)

Intrusion Detection and Prevention System (IDPS) Technology- Network Behavior Analysis System (NBAS) ISCA Journal of Engineering Sciences ISCA J. Engineering Sci. Intrusion Detection and Prevention System (IDPS) Technology- Network Behavior Analysis System (NBAS) Abstract Tiwari Nitin, Solanki Rajdeep

More information

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment Advancement in Virtualization Based Intrusion Detection System in Cloud Environment Jaimin K. Khatri IT Systems and Network Security GTU PG School, Ahmedabad, Gujarat, India Mr. Girish Khilari Senior Consultant,

More information

642 552 Securing Cisco Network Devices (SND)

642 552 Securing Cisco Network Devices (SND) 642 552 Securing Cisco Network Devices (SND) Course Number: 642 552 Length: 1 Day(s) Course Overview This course is part of the training for the Cisco Certified Security Professional, Cisco Firewall Specialist,

More information

Network Security Forensics

Network Security Forensics Network Security Forensics As hacking and security threats grow in complexity and organizations face stringent requirements to document access to private data on the network, organizations require a new

More information

Network Security: A New Perspective. NIKSUN Inc.

Network Security: A New Perspective. NIKSUN Inc. Network Security: A New Perspective NIKSUN Inc. Security: State of the Industry Case Study: Hacker University Questions Dave Supinski VP of Regional Sales Supinski@niksun.com Cell Phone 215-292-4473 www.niksun.com

More information

Radware s Smart IDS Management. FireProof and Intrusion Detection Systems. Deployment and ROI. North America. International. www.radware.

Radware s Smart IDS Management. FireProof and Intrusion Detection Systems. Deployment and ROI. North America. International. www.radware. Radware s Smart IDS Management FireProof and Intrusion Detection Systems Deployment and ROI North America Radware Inc. 575 Corporate Dr. Suite 205 Mahwah, NJ 07430 Tel 888 234 5763 International Radware

More information

Overview. Packet filter

Overview. Packet filter Computer Network Lab 2015 Fachgebiet Technische h Informatik, Joachim Zumbrägel Overview Security Type of attacks Firewalls Protocols Packet filter Security Security means, protect information (during

More information

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis Intrusion Detection Overview Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/

More information