Besides their security role, traffic control systems perform the following functions: traffic filtering, bandwidth limitation and collecting information about traffic characteristics. Each of the devices mentioned in the title performs a similar task but works in a different way. Which of them to deploy depends on network size, required performance and the solutions in use (e.g. remote access). They may work on different OSI layers and cope better or worse with different threats.
A firewall is the crossing point between the LAN and the WAN. Its major role is controlling and scrutinizing incoming and outgoing traffic. The firewall discussed here works on the Zone-Based Firewall principle (hardware ZBF). Flow between particular zones is allowed or denied according to policies. Security levels are assigned to the interfaces: flow from a higher security level to a lower one is allowed, but not the reverse. The INSIDE interface is the most trusted, the OUTSIDE interface is the least trusted, and the DMZ interface sits between them.
Applications of a firewall
– connecting two networks through an encrypted VPN tunnel across an unencrypted network (the Internet)
– identification and authentication of mobile users when they access the LAN
– remote access by IPsec or SSL
– protecting servers while exposing only selected services (HTTP, FTP)
– dividing the LAN into security zones with different security levels
– protecting a private network against unauthorized access
Firewall – default packet inspection
Packets arriving on the INSIDE interface and leaving through OUTSIDE are subjected to inspection. The inspected traffic is defined in the default packet inspection class-map, which can be freely modified. This works “out of the box”: many protocols such as FTP and TFTP are already included, but ICMP, for example, is not, although it can be added. If we don’t add ICMP to the inspection class-map, the returning traffic is rejected on the OUTSIDE interface and the ping reply never comes back, because the firewall did not record a session between the INSIDE host and the OUTSIDE target. If we add ICMP to the inspected traffic, then when we send a ping from our host towards the OUTSIDE target, the returning traffic is allowed and passed based on stateful filtering.
Stateless and Stateful filtering
The task of stateless filtering is to analyse the header of each incoming packet and decide whether to allow or drop that single packet. This is exactly how simple access lists work, unless we define a reflexive access list.
The task of stateful filtering is to analyse the stream of packets, tracing and analysing the context of the communication in order to predict what future traffic to expect. A stateful firewall keeps a table of current connections (based on TCP flags), and the decision is made on the basis of the whole stream of data, not a single packet. In other words, the firewall knows that traffic which left the internal network from a specific host towards a specific outside destination has to come back, and it knows the whole context of that conversation. Imagine a user downloading a 1 GB movie. Does the ASA have to check every 1500-byte segment of the movie that arrives on the OUTSIDE interface, especially when a “trusted” user behind the INSIDE interface initiated the connection? Of course not.
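As an added illustration (a constructed Python model, not ASA code or anything from the original page), the following simulates the interface security-level policy and the session table described above, and reproduces the ping case from the default inspection section: the ICMP echo reply arriving on OUTSIDE is dropped unless ICMP is in the inspected protocol set. Interface names, addresses and the flow identifier are assumed values.

```python
from collections import namedtuple

# Constructed model (not ASA code): interface security levels as described on the page.
SECURITY_LEVEL = {"INSIDE": 100, "DMZ": 50, "OUTSIDE": 0}

# One packet as the firewall sees it. flow_id tells conversations apart
# (the ICMP echo identifier for ping, the port pair for TCP/UDP).
Packet = namedtuple("Packet", "ingress egress src dst proto flow_id")


class StatefulFirewall:
    def __init__(self, inspected_protocols):
        # Protocols in the inspection class-map get a session entry; the rest are
        # filtered statelessly on the interface security levels alone.
        self.inspected = set(inspected_protocols)
        self.sessions = set()  # connection table: (initiator, responder, proto, flow_id)

    def forward(self, pkt):
        """Return 'allow' or 'drop' for one packet and update the session table."""
        if SECURITY_LEVEL[pkt.ingress] > SECURITY_LEVEL[pkt.egress]:
            # Higher to lower security level: permitted by the interface policy.
            if pkt.proto in self.inspected:
                self.sessions.add((pkt.src, pkt.dst, pkt.proto, pkt.flow_id))
            return "allow"
        # Lower to higher: only the return half of a remembered session may pass.
        if (pkt.dst, pkt.src, pkt.proto, pkt.flow_id) in self.sessions:
            return "allow"
        return "drop"


def ping_round_trip(inspected_protocols):
    """Echo request INSIDE->OUTSIDE, then the reply; return both verdicts."""
    fw = StatefulFirewall(inspected_protocols)
    request = Packet("INSIDE", "OUTSIDE", "192.0.2.10", "198.51.100.7", "icmp", 0x1A2B)
    reply = Packet("OUTSIDE", "INSIDE", "198.51.100.7", "192.0.2.10", "icmp", 0x1A2B)
    return fw.forward(request), fw.forward(reply)


if __name__ == "__main__":
    # ICMP missing from the class-map: the reply is dropped on OUTSIDE -> ('allow', 'drop')
    print("ftp/tftp only:", ping_round_trip(["ftp", "tftp"]))
    # ICMP added: the reply matches the session entry -> ('allow', 'allow')
    print("icmp added:   ", ping_round_trip(["ftp", "tftp", "icmp"]))
```

On a Cisco ASA the equivalent change is adding `inspect icmp` under `class inspection_default` in `policy-map global_policy`.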
IDS – Intrusion Detection System
An IDS is a system consisting of sensors whose main role is detecting events (for example a break-in) and notifying an administrator. Some IDSs use advanced heuristics. Usually an IDS is placed alongside a firewall or router. It can be used in case an attacker bypasses the firewall, and it can also measure network traffic (protocols and ports in use). An IDS may consist of several sensors, each responsible for analysing different traffic: traffic to different servers in the LAN, or different protocols.
An IDS works “out of band”, not inline like an IPS: it receives a copy of the frames passing through the edge router, inspects them and decides whether or not to report an event. The decision is made based on:
– signature matching,
– policy (our own definitions),
– anomaly (e.g. too many TCP half-open sessions),
– reputation (the IDS consults a global database of “bad places”).
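The anomaly criterion above, worked through as an added example (constructed Python, not the code of any IDS product or of the original page): the detector replays a sensor log of TCP flags, keeps every SYN that is never followed by the client’s final ACK as a half-open session, and reports clients whose count reaches a threshold. The log lines, addresses and threshold are constructed sample values.

```python
from collections import defaultdict

# Constructed sample sensor log (not real traffic), one packet per line:
# "<src>:<sport> -> <dst>:<dport> <flags>". 198.51.100.9 completes its handshake;
# 203.0.113.5 keeps sending SYNs and never sends the final ACK.
SAMPLE_LOG = """\
198.51.100.9:40001 -> 192.0.2.20:80 SYN
192.0.2.20:80 -> 198.51.100.9:40001 SYN-ACK
198.51.100.9:40001 -> 192.0.2.20:80 ACK
203.0.113.5:5001 -> 192.0.2.20:80 SYN
192.0.2.20:80 -> 203.0.113.5:5001 SYN-ACK
203.0.113.5:5002 -> 192.0.2.20:80 SYN
192.0.2.20:80 -> 203.0.113.5:5002 SYN-ACK
203.0.113.5:5003 -> 192.0.2.20:80 SYN
192.0.2.20:80 -> 203.0.113.5:5003 SYN-ACK
203.0.113.5:5004 -> 192.0.2.20:80 SYN
"""


def parse(line):
    src, _, dst, flags = line.split()
    return src, dst, flags


def half_open_by_source(log, threshold):
    """Replay the log and return {client_ip: half-open count} for every client
    whose number of never-completed handshakes reaches the threshold."""
    pending = set()  # (client, server) pairs whose SYN has not been followed by a client ACK
    for line in log.splitlines():
        src, dst, flags = parse(line)
        if flags == "SYN":
            pending.add((src, dst))
        elif flags == "ACK":
            pending.discard((src, dst))  # third step of the handshake: session is open
        # A SYN-ACK from the server changes nothing: the session is still half-open.
    counts = defaultdict(int)
    for client, _ in pending:
        counts[client.split(":")[0]] += 1  # aggregate per client address
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Expected: {'203.0.113.5': 4}
    print(half_open_by_source(SAMPLE_LOG, threshold=3))
```

A production sensor would evaluate the same count over a sliding time window so that old, timed-out SYNs stop contributing.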
Types of IDS
Network-based IDS – an independent station which analyses traffic and monitors many stations connected to the network. A network IDS gains access to the data through a direct connection to a special port on the switch or router.
Host-based IDS – consists of a software agent installed on the host (or hosts) which analyses operating system behaviour.
Protocol-based IDS – a system which controls one selected protocol between devices.
Application-based IDS – analyses particular protocols connected with an application, such as SQL.
Hybrid IDS – combines two or more of the above approaches.
IPS – Intrusion Prevention System
An IPS is an active protection solution which has all the advantages of an IDS. The system prevents break-ins proactively: unlike an IDS, an IPS can react to attacks and reject packets or deny access to the network. The major difference between IDS and IPS is that the IPS is placed inline, on the data path, whereas the IDS is not. An IPS has the ability to take actions according to defined policies, such as blocking a connection, raising alerts, logging the event, quarantining the host, or a combination of these. Policies define the rules which specify what should be detected and what type of response is required.
UTM – Unified Threat Management
A UTM merges a firewall and other security systems (modules) in one device. Thanks to this, more accurate analysis of incoming and outgoing traffic has become possible.
Functions of UTM
– e-mail filtering (anti-spam protection)
– antivirus protection
– filtering WWW content (removal of Java applets, JavaScript or ActiveX)
– analysis of the traffic of individual network users
How UTM Works
Incoming traffic is decrypted, if necessary, before inspection by the firewall module. The analysis engine coordinates the work of the particular modules; any potential threat causes the traffic to be rejected. Next, the analysis engine reassembles multi-packet traffic to enable antivirus and anti-spam checking. VPN traffic is encrypted again in the encryption module. Discovered threats are reported to the log, which is used for generating alarms.
An example of a UTM is Cisco Firepower Threat Defense.