What You Need To Know About Firewalls and Intrusion Detection

Abstract This paper will address a need in network security, which is consisting of firewalls and intrusion detection used in different companies or businesses. The paper will discuss the different types of firewalls and intrusion detection tools and systems that are used or could be used in different companies or businesses. The focus will be on firewalls and intrusion detection and how they work independently and together to achieve a common goal which is to keep companies and businesses data safe. By writing this paper, I wish to benefit myself and the community by sharing useful knowledge and tools related to the security of protecting companies and businesses data from being compromised. Not only will this information help others in the field of network security but, it will also enable the use of this information for other companies or businesses to be aware of what they should have in their network to prevent their data from being compromised. Introduction This paper introduces information about firewalls and different types of firewall that can be used for different situations. This paper will also give you information about the different types of firewalls and what purposes that they could be used for to help prevent attacks. We will also discuss the Intrusion Detection ystem and what it is and also what attacks it will help prevent. We will also be giving insight of misuse and anomaly detections. Firewalls !irewall systems are commonly implemented throughout computer networks for protection. They act as a measure of control, enforcing the relevant components of the security policy. " firewall can be a number of different components such as a router or a collection of host machines. #owever, the basic function of a firewall is to protect the integrity of the network which is firewall controlled. There are different types of firewall that can be implemented depending on your situation, with the choice of firewall being dependent upon the security policy of the company or businesses and the level of deployment in the system that is going to be used. " firewall management program can be configured one of two basic ways$

" default%deny policy. The firewall administrator lists the allowed network services, and everything else is denied. " default%allow policy. The firewall administrator lists network services which are not allowed, and everything else is accepted.

" default%deny approach to firewall security is by far the more secure, but due to the difficulty in configuring and managing a network in that fashion, many networks instead use the default%allow approach. &et's assume for the moment that your firewall management program utili(es a default%deny policy, and you only have certain services enabled that you want people to be able to use from the Internet. !or e)ample, you have a web server which you want the general public to be able to access. What happens ne)t depends on what kind of firewall security you have. Packet filtering firewall This type of firewall has a list of firewall security rules which can block traffic based on I* protocol, I* address and+or port number. ,nder this firewall management program, all web traffic will be allowed, including web%based attacks. In this situation, you need to have intrusion prevention, in addition to firewall security, in order to differentiate between good web traffic like simple web re-uests from people browsing your website and bad web traffic like people attacking your website. " packet filtering firewall has no way to tell the difference. "n additional problem with packet filtering firewalls which are not stateful is that the firewall can't tell the difference between a legitimate return packet and a packet which pretends to be from an established connection, which means your firewall management system configuration, will have to allow both kinds of packets into the network.

Stateful firewall
This is similar to a packet filtering firewall, but it is more intelligent about keeping track of active connections, so you can define firewall management rules such as only allow packets into the network that are part of an already established outbound connection. .ou have solved the established connection issue described above, but you still can't tell the difference between good and bad web traffic. .ou need intrusion prevention to detect and block web attacks.

Deep packet inspection firewall

"n application firewall actually e)amines the data in the packet, and can therefore look at application layer attacks. This kind of firewall security is similar to intrusion prevention technology, and, therefore, may be able to provide some of the same functionality. There are three warnings, first, for some vendors, the definition of deep e)tends to some particular depth in the packet and does not necessarily e)amine the entire packet. This can result in missing some kinds of attacks. econd, depending on the hardware, a firewall may not have ade-uate processing power to handle the deep packet inspection for your network. Be sure to ask -uestions about how much bandwidth it can handle while performing such inspection. "nd finally, embedded firewall management technology may not have the fle)ibility to handle all attacks.

Application aware firewall

imilar to deep packet inspection e)cept that the firewall understands certain protocols and can parse them, so that signatures or rules can specifically address certain fields in the protocol. The fle)ibility of this approach to computer firewall protection is great and permits the signatures or rules to be both specific and comprehensive. There are no specific drawbacks to this approach to firewall security as generally it will yield improvements over a standard deep packet inspection approach. #owever, some actual attacks may be overlooked false negatives because the firewall security parsing routines are not robust enough to handle variations in real%world traffic.

Application pro!" firewall

"n application pro)y acts as an intermediary for certain application traffic such as #TT*, or web, traffic, intercepting all re-uests and validating them before passing them along. "gain, an application pro)y firewall is similar to certain kinds of intrusion prevention. The implementation of a full application pro)y is, however, -uite difficult, and each pro)y can only handle one protocol. !or an application pro)y firewall to be effective as computer firewall protection, it has to be able to understand the protocol completely and to enforce blocking on violations of the protocol. Because implementations of the protocol being e)amined often do not follow a protocol correctly, or because implementers add their own e)tensions to a protocol, this can result in the pro)y blocking valid traffic false positives. Because of these kinds of problems, end users will often not enable these technologies. Intrusion Detection S"ste#s The ma/ority of traffic on the network is not malicious, and users within a system do not set out to gain unauthori(ed access to information. #owever, the use of an intrusion detection system is becoming increasingly commonplace due to both the increase in comple)ity of attack and of the computer systems themselves. "s with any comple) system, emergent properties can arise une)pectedly. In the case of such systems, une)pected interactions between the various components can give rise to vulnerabilities which can be e)ploited. "dditionally, the use of a firewall may not prevent internal abuse from an otherwise legitimate user of the system either for breaches of confidentiality or for system integrity. When defining what intrusion detection systems are, it perhaps makes more sense to describe what they are not. ID are not a preventive measure. They will not stop intruders breaking into a system. Neither will they prevent internal damage to a system. "s the name clearly states, they are a detection system, thus implying that abuse of a system is reported as and when it happens. In essence, they are similar to a burglar alarm in a house. uch an alarm can trigger an immediate response e.g. call the police, can be used to alert the owner that unauthori(ed behavior is taking place, or simply to cause aggravation to the neighbors.

"s with firewalls, different types of intrusion detection system e)ist. There are two different ways of classifying an ID . The first way is to classify based on the method of detection, in the form of either misuse detection or anomaly detection. "n alternative way is to classify based on the position of deployment within a network. ID can be either network based, host based or application based, depending on where they are deployed 012. $isuse Detection This type of ID can also be called a signature recognition system. 3isuse detection systems rely on the accurate matching of system or network activity 042. This method of detection is accurate for matching behavior against a list of already documented patterns, known as signatures. "n e)ample of this type of ID is a system known as nort 052. The means by which snort functions involves the use of software component processing information regarding network connections. nort e)amines the network traffic at its position on the network in a passive manner$ it sniffs the network. 6)amination of the headers and content of T7* packets is performed and matched against patterns contained in a signature database. If certain patterns of traffic are captured, then an alert is generated. The use of only already known signatures means that the system will produce only a few false positives, or false alarms where an alert is generated yet there is not actual attack. There is a relatively high maintenance cost in that the signature base has to be kept up to date8 else potential attacks could go unnoticed. "dditionally, this type of system can miss highly novel attacks to which a signature does not yet e)ist, giving a higher rate of false negatives than would be desired. 3issing an actual attack is probably worse than being inundated with false alarms, though this is debatable. Ano#al" Detection The goal of anomaly detection systems is to successfully classify user or network behavior as normal or abnormal based on a profile of information gathered during a training period. This is performed by taking into account the amount of background noise or user variation which is intrinsic to the system. The characteri(ation of what constitutes normal behavior is certainly a non%trivial issue. There have been many approaches used in order to perform this classification, including statistical models, 3arkov chains, neural nets and ideas based on other modern "I techni-ues 9inclusive of artificial immune systems0:2;. Normal behavior is profiled either from an individual user or from the network, variants from this are defined as anomalies and alerts are generated. !or e)ample, a user of the e)ample network ordinarily runs word processing applications and Internet browsers. If this user suddenly gains super%user privileges, starts changing file permissions and sending broadcast .N packets, then it is likely that the integrity of the system is being compromised. " corresponding alert would be generated and some form of action would be taken by the system administrator. "n e)ample of this type of ID is the e)perimental artificial immune system developed by omaya/i 0<2. This ID resides on a host machine and e)amines numerous ,ni) system calls to construct a profile of normal behavior over a training period through e)amining the I* traffic in and out of the host machine. =nce this period had ends, an insight into normal behavior was used as the

basis of the classification if the observed behavior deviates from the normal and then an anomaly is detected. This causes the generation of a warning message which is sent to the user. While anomaly detection is a relatively effective way of predicting novel attacks, they do not as yet feature in many commercially produced systems partially due to the high rate of false positives.

%eference& '() S *of#e"r and S Forrest+ I##unit" b" design+ Proceedings of ,-../0 pages (1234(1350 (333+ '1) $artin %oesch+ Snort& 6ightweight intrusion detection for networks+ In Proceedings of the (7th .onference on S"ste#s Ad#inistration0 pages 1134172+ 8S-NI9 Association0 (333+ '7) A So#a"a:i0 S Forrest0 S *of#e"r0 and T 6ongstaff+ A sense of self for uni! processes+ I--- S"#posiu# on Securit" and Pri;ac"0 pages (1<4(120 (335+ '=) * >enter and ? -loff+ A ta!ono#" for infor#ation securit" technologies+ .o#puters and Securit"0 11@=A&13347<B0 1<<7+ 'C) Nong Ye0 9iang"ang 6i0 Diang .hen0 S"ed $asu# -#ran0 and $ing#ing 9u+ Probabilistic techniEues for intrusion detection based on co#puter audit data+ In I--- Transactions on s"ste#s0 #an and c"bernetics part A0 s"ste#s and hu#ans0 ;olu#e 7(&=0 pages 15541B=0 1<<(+ http&FFwww+secureworks+co#FresourcesFarticlesFotherGarticlesFfirewall securit"F