The Effectiveness of Firewall, IDS, IPS, and ACL

 

Firewall

A firewall is a device that provides secure connectivity between networks.

 

A firewall is hardware or software designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communication to pass.

 

A firewall monitors incoming traffic by applying a set of rules, i.e. access control rules. You can create or disable firewall filter rules based on conditions such as:

 

IP Addresses

Domain Names

Protocols (allowed/blocked)

Keywords (permit/deny)

 

 

Hardware vs Software Firewalls

 

Property          | Hardware Firewall                              | Software Firewall
Cost              | Expensive                                      | Comparatively cheaper
Complexity        | Complex                                        | Simple
Upgrades          | Difficult to upgrade                           | Easy to upgrade (users simply download patches, fixes, and updates)
Configuration     | Difficult to configure                         | Can be easily installed
Ideal environment | Suitable for larger organizations              | Ideal for individual users or small businesses
Working           | Needs physical devices to be set up            | Runs as an application on the system
Accessibility     | Cannot be accessed outside the secure network  | Convenient for remote workers who need some security outside the corporate network

 


 

1. Firewall Architecture

Firewall architecture determines the firewall topology. There are different ways in which a firewall can be implemented.

 

 

I. Demilitarized Zone (DMZ)



A demilitarized zone is a physical or logical grouping of devices in the network that are exposed to the internet and may be more vulnerable to attack.

Therefore these devices should be kept segregated from the rest of the network by putting them into a separate segment called the DMZ. Servers such as web, FTP, mail, DNS, etc., i.e. services that are provided to users on the internet, are kept in the DMZ.

 

Idea behind a DMZ:

Hosts that are vulnerable to attacks, such as web servers, database servers, DNS servers, or any other important devices, are kept separately so that when these are targeted by intruders, the rest of the network is not affected. This adds an additional level of security to the organization's network.

 

II. Bastion Host

A bastion host is a host in the network that is specially designed to defend against attacks targeted at an organization's network.

It is completely unprotected by the firewall and is exposed to attacks. It is configured to host only one or a few applications; all other unnecessary services are turned off, the operating system is patched regularly, and the host is hardened to minimize the threats against it.

 

A honeypot is an example of a bastion host. Firewalls and routers can also act as bastion hosts. Sometimes bastion hosts are used to draw attacks so that the source of the attacks can be traced. If the bastion host is compromised, the intruder will still not have access to the internal network.


2. Types of Firewalls

1. Packet Filtering Firewall

2. Application Level Gateway Firewall

3. Circuit Level Gateway Firewall

4. Stateful Multilayer Inspection Firewall

5. Cloud-Based Firewall

 

1. Packet Filtering Firewall

A packet-filtering firewall applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet.

Filtering rules are based on information contained in a network packet:

Source IP address

Destination IP address

Source and destination transport level address

IP protocol Field

Interface

 

It looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules.

Ex: HTTP.

 

Advantages

Cost.

Low resource usage.

Best suited for small networks.

 

Disadvantages

Can work only at the network layer.

Does not support complex rules.

Vulnerable to spoofing.


2. Application Level Gateway Firewall

The application-level gateway firewall checks not only the metadata of a data packet but also its payload (the actual data).

An application-level gateway, also called an application proxy, acts as a relay for application-level traffic:

The user requests a service from the proxy.

The proxy validates the request as legal.

The proxy then acts on the request and returns the result to the user.

It can log and audit traffic at the application level.

Ex: FTP, SMTP, HTTP.

 

Advantages

More secure than packet filtering firewall.

Easy to log and audit incoming traffic.

 

Disadvantages

It works only for the protocols for which it is configured.

Since application-level gateway firewalls interpret each data packet in detail, they consume a lot of CPU cycles and are hence vulnerable to DDoS attacks.

 

3. Circuit Level Gateway Firewall 

These firewalls maintain a table of established connections, allowing data to pass when the session information matches an entry in the table. It is a stateful firewall, as it maintains connection information.

 

Once the session is completed, the firewall removes its entry and all associated entries from the table and closes the circuit this session used. They determine whether a session is legitimate by checking the TCP handshake, not the contents of the data packets.

 

Advantages:

Comparatively inexpensive.

Provide anonymity to the private network.

 

Disadvantages

Do not filter individual packets

Unless circuit-level gateway firewalls are combined with some other form of traffic filtering, any type of data requested from inside the firewall will be allowed through.


4. Stateful Multilayer Inspection Firewall

Stateful firewalls keep information about the packet state in a state table, which exists on the firewall. The state table contains information about various communications. These firewalls filter packets at the network layer to determine if a packet is from a legitimate source or not and then evaluate packet contents at the application layer.

 

The state of the packet is nothing but the packet's state in the connection whether the packet is a start of a new connection or a part of an existing connection. If it is neither of the two, it is discarded.

 

The state table keeps track of all the TCP connections made through the firewall. It knows which IP addresses currently have connections. It removes the port and IP address entry when it sees a TCP FIN. It also stores the MAC addresses.
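The state-table behaviour described above, as an added example that is not part of the original notes: a packet is accepted only if it starts a new, policy-permitted connection or belongs to an existing entry, and the entry is removed when a FIN is seen. The addresses, ports and port policy are constructed sample values.

```python
# Added example (not from the original notes): a minimal model of the state
# table a stateful firewall keeps for TCP connections. A packet is accepted if
# it starts a new connection (SYN, permitted by policy) or belongs to an
# existing entry; anything else is discarded. The entry is removed on FIN.
# All packet data below is constructed for illustration.

SYN, ACK, FIN = "SYN", "ACK", "FIN"


class StatefulFirewall:
    def __init__(self, allowed_dst_ports):
        # Policy for NEW connections: which destination ports clients may open.
        self.allowed_dst_ports = set(allowed_dst_ports)
        # State table keyed by the 4-tuple as seen from the initiating side.
        self.state_table = {}

    def inspect(self, src, sport, dst, dport, flags):
        """Return 'ACCEPT' or 'DROP' for one packet and update the table."""
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if fwd in self.state_table or rev in self.state_table:
            # Part of an established connection: let it through.
            entry = fwd if fwd in self.state_table else rev
            if FIN in flags:
                # Connection is closing: drop the entry (simplified: one FIN).
                del self.state_table[entry]
            return "ACCEPT"
        if flags == {SYN} and dport in self.allowed_dst_ports:
            # Start of a new connection that policy allows: create an entry.
            self.state_table[fwd] = "ESTABLISHED"
            return "ACCEPT"
        # Neither new-and-allowed nor part of an existing connection.
        return "DROP"


def run_demo():
    fw = StatefulFirewall(allowed_dst_ports={80, 443})
    results = [
        fw.inspect("10.0.0.5", 50000, "203.0.113.10", 80, {SYN}),       # new, allowed
        fw.inspect("203.0.113.10", 80, "10.0.0.5", 50000, {SYN, ACK}),  # reply, in table
        fw.inspect("10.0.0.5", 50000, "203.0.113.10", 80, {ACK}),       # in table
        fw.inspect("203.0.113.10", 80, "10.0.0.5", 50001, {ACK}),       # no entry: drop
        fw.inspect("10.0.0.5", 50002, "203.0.113.10", 23, {SYN}),       # port not allowed
        fw.inspect("10.0.0.5", 50000, "203.0.113.10", 80, {FIN, ACK}),  # FIN: entry removed
        fw.inspect("10.0.0.5", 50000, "203.0.113.10", 80, {ACK}),       # entry gone: drop
    ]
    return results, len(fw.state_table)
```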

 

Advantages

Can work in transparent mode, allowing direct connections between the client and the server.

Can also implement algorithms and complex security models which are protocol specific, making the connections and data transfer more secure.

 

Disadvantages

They require more memory to track active connections.

Cache table overflow: As more and more connections are activated, the cache table grows.

 

5. Cloud-Based Firewall

Cloud firewalls are software-based, cloud-deployed network devices built to stop or mitigate unwanted access to private networks. As a newer technology, they are designed for modern business needs.

Cloud firewall types: there are two types of cloud firewalls.

I. SaaS Firewall

II. Next-Generation Firewall

I. SaaS Firewall

SaaS Firewalls are designed to secure an organization’s network and its users – not unlike a traditional on-premises hardware or software firewall. The only difference is that it’s deployed off-site from the cloud. This type of firewall can be called:

A. software-as-a-service firewall (SaaS firewall)

B. Security-as-a-service (SECaaS)


 

II. Next-Generation Firewall

Next-Generation Firewalls are cloud-based services intended to deploy within a virtual data center. They protect an organization’s own servers in a platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS) model. The firewall application exists on a virtual server and secures incoming and outgoing traffic between cloud-based applications.

Vendors: Barracuda, Check Point Software, Cisco, Sophos, Juniper Networks, Palo Alto Networks


3. iptables

iptables is a rule-based firewall installed on most Linux systems to filter packets. It is primarily used for IPv4. iptables comes with all Linux distributions and is used to examine, modify, forward, or drop IPv4 packets depending on the rules set.

The basic structure of iptables: iptables -> Tables -> Chains -> Rules.



1. Tables - There are four types of tables. Every table has chains associated with it.

I. Filter Table: This is the default table. It has the following inbuilt chains:

A. INPUT Chain - Used to control the behavior of incoming packets.

B. OUTPUT Chain - Used for packets generated locally and going out of the local server.

C. FORWARD Chain - Used for packets routed through the local server.

II. NAT Table: This type of table is used when a packet that creates a new connection has been encountered. The types of Chains Include:

A. PREROUTING Chain - This type of chain modifies packets before routing them as the name suggests (Packet Translation).

B. POSTROUTING Chain - This type of chain alters packets after routing as the name suggests (Packet Translation).

C. OUTPUT Chain - This type of chain is used for NAT of logically generated packets on the firewall.

III. Mangle Table: This is used for specialized packet alteration by altering QoS in the TCP header. The types of chains are:

A. PREROUTING Chain - This type of chain alters packets before routing them as the name suggests (Packet Translation).

B. OUTPUT Chain - This type of Chain is used for altering locally-generated packets on the firewall.

C. FORWARD Chain - This type of Chain is used for altering packets being routed through the box.

D. INPUT Chain - This type of chain is used for altering packets coming into the box itself.

E. POSTROUTING Chain - This type of chain alters packets after routing. Translation happens here as the packets leave the system.


IV. Raw Table: This is used only for configuring packets so that they are exempt from connection tracking. The types of chains are:

A. PREROUTING Chain - This type of chain is used for packets arriving via any network interface.

B. OUTPUT Chain - This type of chain is used for packets generated by a local process.

 

2. Chains

A chain is a list of rules which match a set of packets. The rule specifies the action to be performed when a packet matches a rule.

 

3. Rules

By default, there are no rules in the chains. The default policy is applied only at the end of a chain, so a packet has to pass through all existing rules in the chain before the default policy is applied.

A rule contains criteria and a target.

If the criteria are matched, the action specified by the target is taken.

If the criteria are not matched, the packet moves on to the next rule.

 

A rule can match on the following:

Interface on which the packet arrives.

Type of packet.

Destination port of the packet, etc.
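How a chain is walked (rules tried in order, first match decides, jump to a user chain, RETURN to the caller, default policy only when nothing matched), as an added example that is not part of the original notes and not iptables code itself. The interfaces, ports and chain names are constructed sample values.

```python
# Added example, not from the original notes: a model of how an iptables chain
# is walked. Rules are tried in order; the first whose criteria match decides
# the packet (ACCEPT/DROP) or jumps to a user chain; RETURN (or the end of a
# user chain) resumes the calling chain; the built-in chain's default policy
# applies only when nothing matched. Interfaces and ports are constructed.

def rule(target, **criteria):
    """One rule: criteria compared field-by-field against a packet dict."""
    return {"criteria": criteria, "target": target}

def matches(criteria, packet):
    return all(packet.get(f) == v for f, v in criteria.items())

def walk_chain(chains, name, packet):
    """Return 'ACCEPT'/'DROP', or None when the chain ends without a verdict."""
    for r in chains[name]["rules"]:
        if not matches(r["criteria"], packet):
            continue                      # criteria not met: next rule
        target = r["target"]
        if target in ("ACCEPT", "DROP"):
            return target                 # terminating target: stop here
        if target == "RETURN":
            return None                   # back to the calling chain
        verdict = walk_chain(chains, target, packet)   # jump to user chain
        if verdict is not None:
            return verdict
    return None

def filter_packet(chains, packet):
    """Walk the INPUT chain; apply its default policy only if nothing matched."""
    verdict = walk_chain(chains, "INPUT", packet)
    return verdict if verdict is not None else chains["INPUT"]["policy"]

# Constructed filter-table INPUT chain plus a user-defined chain "WEB".
FILTER_TABLE = {
    "INPUT": {"policy": "DROP", "rules": [
        rule("ACCEPT", in_iface="lo"),
        rule("WEB", proto="tcp"),
        rule("ACCEPT", proto="udp", dport=53),
    ]},
    "WEB": {"policy": None, "rules": [
        rule("ACCEPT", dport=80),
        rule("ACCEPT", dport=443),
        rule("RETURN"),
    ]},
}

def demo():
    pkts = [{"in_iface": "lo", "proto": "tcp", "dport": 9999},
            {"in_iface": "eth0", "proto": "tcp", "dport": 443},
            {"in_iface": "eth0", "proto": "tcp", "dport": 22},
            {"in_iface": "eth0", "proto": "udp", "dport": 53}]
    return [filter_packet(FILTER_TABLE, p) for p in pkts]
```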


Intrusion Detection and Prevention System (IDS/IPS)

A firewall filters traffic based on the access rules that are configured on a firewall. IDS/IPS analyzes the traffic in more detail. They are intelligent as compared to firewalls.

 

Intrusion Prevention System(IPS)

Intrusion prevention is the process of performing intrusion detection and stopping the detected incidents.

 

The IPS often sits directly behind the firewall and provides a complementary layer of analysis that negatively selects for dangerous content. Unlike its predecessor the Intrusion Detection System (IDS)—which is a passive system that scans traffic and reports back on threats—the IPS is placed inline (in the direct communication path between source and destination), actively analyzing and taking automated actions on all traffic flows that enter the network. Specifically, these actions include:

Identifies malicious activity (raises an alarm).

Logs information about this activity.

Tries to prevent it (dropping the malicious packets or blocking traffic from that particular IP).

Reports the activity to the network/firewall administrator.

 

As an inline security component, the IPS must work efficiently to avoid degrading network performance. It must also work fast because exploits can happen in near real-time. The IPS must also detect and respond accurately, to eliminate threats and false positives (legitimate packets misread as threats).

 

Intrusion Detection System

An intrusion detection system monitors network traffic for malicious activity. It detects an intrusion but does not block or stop it as an IPS does. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. An IDS:

Identifies malicious activity.

Logs information about this activity.

May not block or stop the attack.

Reports the activity.

 

There are network-based (NIDS) and host-based (HIDS) intrusion detection systems.

Network IDS (NIDS) | Host-based IDS (HIDS)
Placed at various locations in the network to monitor traffic to and from all devices on the network. | Runs on individual hosts on the network.
Monitors traffic to and from all devices on the network. | Monitors only the traffic of the device on which the IDS is installed.
Analyzes the traffic on the subnet and matches it against a library of known attacks. Alerts are sent to administrators. | Takes a snapshot of existing system files and compares it with the previous snapshot to detect any unusual change. Alerts are sent to the administrators.
Example: Snort | Example: OSSEC

 


Techniques of Intrusion Detection

1. Signature-based intrusion detection

A signature-based IDS monitors traffic on the network and compares it against a database of signatures (patterns of known cyber attacks).

 

Drawback:

If there is a new type of attack or a zero-day attack on the network for which there is no signature in the database, the attack cannot be detected.

 

2. Anomaly-based intrusion detection

As opposed to signature-based systems, which can only detect attacks for which a signature is stored, anomaly-based IDS will monitor traffic on the network based on its behavior. The behavior is defined by many factors such as bandwidth, protocols, ports, and devices used. Here the system detects any type of activity that falls out of normal system operation.

 

Drawback:

The chance of false positives is higher, as the system can log normal activity as an attack if it falls outside the defined normal behavior.
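The two techniques and their drawbacks side by side, as an added example that is not part of the original notes: a signature matcher that misses an attack it has no pattern for, and a rate-based anomaly rule that flags a legitimate but busy client. The signatures, request lines and baseline are constructed sample values.

```python
# Added example, not from the original notes: a signature matcher and a simple
# anomaly detector run over constructed sample events, showing the two
# drawbacks described above (a new attack evades signatures; a legitimate
# burst of traffic trips the anomaly rule as a false positive).
import re
from collections import Counter

# Signature database: name -> pattern over the request line (constructed).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-comment":   re.compile(r"'\s*--"),
}

def signature_alerts(events):
    """Return (source, signature) pairs for every event matching a signature."""
    alerts = []
    for src, request in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts.append((src, name))
    return alerts

def anomaly_alerts(events, baseline_rpm, factor=5):
    """Flag sources whose request count exceeds factor x the normal baseline."""
    counts = Counter(src for src, _ in events)
    return sorted(src for src, n in counts.items() if n > factor * baseline_rpm)

# Constructed traffic for one minute: normal browsing, one traversal probe,
# an attack with no signature yet (an unseen parameter trick), and a
# legitimate but busy client (a crawler) that floods requests.
EVENTS = (
    [("10.0.0.2", "GET /index.html")] * 3
    + [("10.0.0.3", "GET /../../etc/passwd")]
    + [("10.0.0.4", "GET /api?cmd=%7Bunseen-trick%7D")]   # no signature for this
    + [("10.0.0.9", "GET /page%d" % i) for i in range(40)]
)

def demo():
    """Signatures catch only 10.0.0.3; the anomaly rule flags the crawler."""
    return signature_alerts(EVENTS), anomaly_alerts(EVENTS, baseline_rpm=4)
```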

 

Tool: Snort

Snort, a free and open-source tool created by Martin Roesch in 1998, is a network intrusion prevention system (NIPS) and network intrusion detection system (NIDS).

 

Snort can be configured in three main modes:

Sniffer - In this mode, snort will sniff or read the packets and display them on snort’s console.

Packet Logger - In this mode, snort will log network packets to the disk.

Network Intrusion detection - In this mode, snort will monitor network traffic and analyze it against a predefined ruleset.

 

Snort as a NIDS only monitors the traffic passing through it and sends alerts to the network administrator if any malicious activity is detected. Action against the threat solely relies on the administrator's response.

 

Snort can operate in three different modes:

Tap (passive) - Acts as an IDS; drop rules are not loaded.

Inline - Acts as an IPS, allowing drop rules to trigger.

Inline-test - Simulates the inline mode of Snort and evaluates its inline behavior.

 

Snort can be configured as an IPS by using the following settings:

Network deployment method - inline deployment: enables Snort to look at each packet and deal with suspicious packets directly in real time.

Advanced network configuration - iptables.

Snort mode configuration - inline mode.

Snort rule actions - drop/reject/sdrop.


ACL

ACLs are rules or commands used to filter traffic entering or leaving a network. There are two types of ACLs depending on the direction in which the traffic is to be filtered, i.e. entering or leaving.

 

Outbound Access Control Lists - Outbound ACLs filter traffic that is exiting an interface in the network.

 

Inbound Access Control Lists - Inbound ACLs filter traffic that is entering an interface in the network.

 

The ACLs can also be divided into standard and extended ACLs depending on the configuration.

Standard ACL | Extended ACL
Provides basic filtering abilities. | Provides more filtering options than the standard ACLs.
Filters traffic based on its source address only. | Filters traffic not only on the source address but also on the destination address, port numbers, protocols used, and other parameters.
Access list numbers are 1-99 and 1300-1999. | Access list numbers are 101-199 and 2000-2699.

 

 

Access List Numbers - The access list numbers are pre-defined numbers to identify different types of ACLs. Like for instance, 1-99 is for standard ACLs, etc. When you set the rule you can use any number from 1-99 to specify that it is a standard ACL.

 

Commands to set ACL:

1. For Standard ACL

Syntax:

> access-list <access-list-number> <permit|deny> <source address and wildcard mask | host A.B.C.D | any>

 

Ex: > access-list 10 permit 192.168.1.0 0.0.0.255

(The second value is a wildcard mask, not a subnet mask: 0.0.0.255 permits every source in 192.168.1.0/24.)

There is an implicit deny-all at the end of each ACL, so there is no need to specify the traffic that is to be denied.

 

2. For Extended ACL

Syntax:

> access-list <access-list-number> <permit|deny> <protocol> <source> <destination> [eq <destination-port>]

 

Ex: > access-list 110 permit tcp host 192.168.1.3 host 192.168.1.4 eq www
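An evaluator for the two access-list forms shown above, as an added example that is not part of the original notes and not Cisco code: it applies wildcard-mask matching (a 1 bit in the wildcard means "don't care"), the host/any keywords, the eq port match, and the implicit deny-all at the end of every list. The ACL lines, addresses and port-name table are constructed sample values.

```python
# Added example, not from the original notes: evaluates standard and extended
# access-list lines with Cisco-style wildcard masks, first-match semantics
# and the implicit deny at the end of the list. Values are constructed.
import ipaddress

PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "smtp": 25, "domain": 53}

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_target(tokens):
    """Consume one source/destination spec; return (matcher, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        want = _ip(tokens[1])
        return (lambda ip, w=want: _ip(ip) == w), tokens[2:]
    net, wild = _ip(tokens[0]), _ip(tokens[1])
    # A 1 bit in the wildcard mask means "don't care"; the other bits must match.
    return (lambda ip, n=net, w=wild: (_ip(ip) | w) == (n | w)), tokens[2:]

def parse_acl(lines):
    """Parse 'access-list N permit|deny ...' lines into rules, keeping order."""
    rules = []
    for line in lines:
        tok = line.split()
        number, action = int(tok[1]), tok[2]
        if 1 <= number <= 99 or 1300 <= number <= 1999:        # standard ACL
            src, _ = parse_target(tok[3:])
            rules.append({"action": action, "proto": None, "src": src,
                          "dst": lambda ip: True, "port": None})
        else:                                                    # extended ACL
            src, rest = parse_target(tok[4:])
            dst, rest = parse_target(rest)
            port = None
            if rest[:1] == ["eq"]:
                port = PORT_NAMES.get(rest[1]) or int(rest[1])
            rules.append({"action": action, "proto": tok[3], "src": src,
                          "dst": dst, "port": port})
    return rules

def evaluate(rules, proto, src, dst, dport):
    """First matching rule wins; falling off the end hits the implicit deny."""
    for r in rules:
        if r["proto"] not in (None, "ip", proto):
            continue
        if r["src"](src) and r["dst"](dst) and r["port"] in (None, dport):
            return r["action"]
    return "deny"   # implicit deny-all at the end of every ACL

# Constructed extended ACL: web from one host, no telnet from the LAN, rest ok.
ACL_110 = [
    "access-list 110 permit tcp host 192.168.1.3 host 192.168.1.4 eq www",
    "access-list 110 deny tcp 192.168.1.0 0.0.0.255 any eq 23",
    "access-list 110 permit ip 192.168.1.0 0.0.0.255 any",
]
```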


Options for protocol:

ahp - Authentication Header Protocol

eigrp - Cisco's EIGRP routing protocol

esp - Encapsulation Security Payload

gre - Cisco's GRE tunneling

icmp - Internet Control Message Protocol

ip - Any Internet Protocol

ospf - OSPF routing protocol

tcp - Transmission Control Protocol

udp - User Datagram Protocol

 

Options for destination:

A.B.C.D - Destination address.

any - Any destination host.

eq - Match only packets on a given port number.

gt - Match only packets with a greater port number.

host - A single destination host.

lt - Match only packets with a lower port number.

neq - Match only packets not on a given port number.

range - Match only packets in the range of port numbers.
