Week 09 - Information Security - Network Defenses II.pdf
Module Code: CIT114
Module Name: Information Security
WEEK 09
Title: Network Defenses II
Date: Saturday, September 28, 2024

Overview
- Firewall
- Proxy Server
- Honeypots
- Network Intrusion Detection System (NIDS)
- Intrusion Prevention System (IPS)
- Host Intrusion Prevention System (HIPS)
- Network Intrusion Prevention System (NIPS)
- Protocol Analyzer
- Internet Content Filter
Saturday, September 28, 2024 2024 © SLTC Research University

Firewall
- Often used to filter network packets, and sometimes called packet filters
- Designed to block malicious packets from entering a network
- Firewalls can be either software-based or hardware-based
- Hardware firewalls are typically positioned outside the network security perimeter, serving as the first line of defense

Firewall (Cont'd)
[figure slide]

Firewall (Cont'd)
Firewall Rule Base:
- Firewalls use a rule base to determine how to handle incoming packets, specifying actions like allow, block, or prompt
Types of Packet Filtering:
- Stateless Packet Filtering: examines incoming packets and allows or denies them strictly based on the rule base
- Stateful Packet Filtering: maintains a record of the connection state between an internal computer and an external server, and makes decisions on connections based on both the connection state and the rule base

Firewall (Cont'd)
Stateless Firewalls
Image Source: https://www.lanner-america.com/wp-content/uploads/stateless-firewall-packet-filtering-overview-1024x523.png

Firewall (Cont'd)
Stateful Firewalls
Image Source: https://www.lanner-america.com/wp-content/uploads/stateful-firewall-packet-filtering-overview-1024x539.png

Firewall (Cont'd)
- Most personal software firewalls today filter both inbound and outbound traffic
- Filtering outbound traffic safeguards users by preventing malware from connecting to other computers and spreading
- Web Application Firewalls (WAF): specialized firewalls designed for web applications
- WAFs operate at the application layer and protect against threats like SQL injection and Cross-Site Scripting (XSS)

Firewall (Cont'd)
As an example, imagine you have to create rules on a firewall to meet the following requirements:
1. Allow all HTTP traffic to a web server with an IP of 192.168.1.25
2. Allow all HTTP and HTTPS traffic to a web server with an IP of 192.168.1.25
3. Allow DNS queries from any source to a computer with an IP of 192.168.1.10
4. Block DNS zone transfer traffic from any source to any destination
5. Block all DNS traffic from any source to any destination
6. Implement implicit deny

Firewall (Cont'd)
Solution:
1. Allow all HTTP traffic to a web server with an IP of 192.168.1.25: Note that while HTTP traffic typically uses TCP, it can also use UDP. Because of this, IP is used as the protocol instead of TCP or UDP.
2. Allow all HTTP and HTTPS traffic to a web server with an IP of 192.168.1.25: This requires two rules. One rule allows HTTP traffic by allowing port 80, and the second rule allows HTTPS traffic by allowing port 443.
3. Allow DNS queries from any source to a computer with an IP of 192.168.1.10: DNS name resolution queries use UDP port 53.
4. Block DNS zone transfer traffic from any source to any destination: DNS zone transfers use TCP port 53.
5. Block all DNS traffic from any source to any destination: Using IP as the protocol blocks both DNS name resolution queries on UDP port 53 and DNS zone transfers on TCP port 53. You could also implement this with two separate rules, one for UDP and one for TCP.
6. Implement implicit deny: The implicit deny rule is always placed last, and it blocks any type of traffic from any source to any destination using any port.

Firewall (Cont'd)
[figure slide]

Proxy Servers
- Clients don't connect directly to the internet but instead go through a proxy server
- Saves bandwidth, as a single copy of a popular web page can be reused for many clients
- Enables a company to block access to forbidden websites
- Helps prevent attacks in a similar way to Network Address Translation (NAT)
- Reverse Proxy: doesn't serve clients directly but routes incoming requests to the appropriate server, enhancing security and load distribution

Proxy Servers (Cont'd)
How proxy servers work [figure slide]

Proxy Servers (Cont'd)
How proxy servers work [figure slide; labels visible in the diagram: "Connect to web server", 192.168.118.254]

Honeypots
- Honeypots are cybersecurity mechanisms designed to attract and trap malicious actors or potential threats
- They appear to be vulnerable or valuable targets, luring attackers into engaging with them
- Honeypots can be real or simulated systems, applications, or networks
- Their primary purpose is to gather information about attack techniques, tactics, and potential threats
- Valuable for cybersecurity research, threat detection, and understanding attacker behavior
- Honeypots are deployed alongside other security measures to enhance overall network security

Honeypots (Cont'd)
- A computer typically located in a DMZ that is loaded with software and data files that appear to be authentic
- But honeypots can be located anywhere in the network
- Three primary purposes of a honeypot:
  - Deflect attention
  - Early warnings of new attacks
  - Examine attacker techniques

Honeypots (Cont'd)
[figure slide]

Network Intrusion Detection System (NIDS)
- NIDS keeps an eye out for attempts by attackers to break into a network
- It operates by comparing what's happening now to what's considered normal or acceptable behavior
- NIDS scans for unusual patterns or activities that could signal an intrusion
- There are two types:
  - Passive intrusion detection: makes logs of network traffic and sends alerts when something's amiss
  - Active intrusion detection: can take actions to block threats

Intrusion Prevention System (IPS)
- Detects and handles malicious network traffic in real time
- Also known as Active Intrusion Detection
- It can respond by taking actions like blocking incoming traffic on a specific network port
- Two types of IPS:
  - Host Intrusion Prevention System (HIPS) focuses on protecting individual devices
  - Network Intrusion Prevention System (NIPS) safeguards the entire network

Host Intrusion Prevention System (HIPS)
- Installed on each individual system that needs protection
- Relies on agents installed directly on the protected system
- These agents work closely with the operating system to monitor and intercept requests, preventing potential attacks
- HIPS typically monitor various desktop functions, including:
  - System calls
  - File system access
  - System Registry settings
  - Host input and output
- Designed to work in conjunction with existing antivirus, anti-spyware, and firewall software

Network Intrusion Prevention System (NIPS)
- Safeguards the entire network and all connected devices
- Monitors network traffic and can swiftly block malicious attacks
- NIPS typically run on dedicated hardware platforms designed for security
- They analyze, detect, and respond to security-related events
- NIPS can drop malicious network traffic based on their configuration or security policies

IDS vs IPS
[figure slide]

Protocol Analyzer
Ways to Detect Potential Intrusions:
- Detecting Statistical Anomalies: identifying unusual network traffic patterns
- Recognizing Known Attack Patterns: examining network data for well-known attack behaviors
- Using Protocol Analyzer Technology: employing protocol analyzers to inspect network communication
Protocol Analyzers:
- Full Protocol Decoding: protocol analyzers can fully understand application-layer network protocols
- Suspicious Behavior Analysis: they can analyze parts of the protocol for any abnormal or suspicious activities. For instance, they might flag an overly long User-Agent field in an HTTP GET request as a potential threat

Internet Content Filter
- Monitors internet traffic and prevents access to specific websites and files
- Only displays requested web pages if they meet specified filters
- Unapproved websites can be blocked by Uniform Resource Locator (URL) or by detecting specific keywords

Weekly Activity 08
Write down the pros and cons of:
- Honeypots
- IDSs
- IPSs
- Proxy Servers

Thank You
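The firewall rule-base exercise from the Firewall slides, worked through as an added example (this is not code from the lecture): a first-match stateless packet filter in Python holding the six requirements as rules, with implicit deny as the fall-through. It also shows why rule order matters: if "block all DNS" were listed before "allow DNS queries to 192.168.1.10", the allow rule would never be reached. The Rule and Packet classes, the decide function and the 10.0.0.5 source address are assumptions of this example; the destination addresses and ports are the ones on the slides.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    action: str           # "allow" or "block"
    proto: str            # "ip" matches any transport protocol, otherwise "tcp" or "udp"
    src: Optional[str]    # source IP, None = any source
    dst: Optional[str]    # destination IP, None = any destination
    dport: Optional[int]  # destination port, None = any port

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

# Rule base from the slides, in first-match order (assumed layout of this example).
# Requirement 3 (allow DNS queries to 192.168.1.10) must sit above requirement 5
# (block all DNS), otherwise the block rule would swallow the queries first.
RULE_BASE: List[Rule] = [
    Rule("allow", "ip",  None, "192.168.1.25", 80),   # HTTP; slide uses IP so TCP and UDP both match
    Rule("allow", "tcp", None, "192.168.1.25", 443),  # HTTPS to the web server
    Rule("allow", "udp", None, "192.168.1.10", 53),   # DNS name-resolution queries to the DNS server
    Rule("block", "tcp", None, None, 53),             # DNS zone transfers from any source to any host
    Rule("block", "ip",  None, None, 53),             # all remaining DNS traffic (UDP and TCP)
]

def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field the rule constrains agrees with the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and rule.src != pkt.src:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True

def decide(rules: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule; implicit deny when nothing matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"  # implicit deny: any protocol, any source, any destination, any port

if __name__ == "__main__":
    for p in [Packet("tcp", "10.0.0.5", "192.168.1.25", 80),
              Packet("udp", "10.0.0.5", "192.168.1.10", 53),
              Packet("tcp", "10.0.0.5", "192.168.1.10", 53),
              Packet("tcp", "10.0.0.5", "192.168.1.25", 22)]:
        print(p, "->", decide(RULE_BASE, p))
```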
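The protocol-analyzer check from the Protocol Analyzer slide (flagging an overly long User-Agent field in an HTTP GET request), as an added example rather than the lecture's own code: a minimal HTTP/1.x request-header decoder plus an inspection function that reports findings. The 256-character threshold, the function names and the sample requests are constructed assumptions of this example, and the length check is applied to every request method rather than only GET.

```python
from typing import Dict, List, Tuple

MAX_USER_AGENT_LEN = 256  # assumed threshold; a real analyzer would make this configurable

def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Decode the request line and headers of an HTTP/1.x request.
    Returns (method, target, headers) with header names lower-cased.
    Raises ValueError if the request line does not have three fields."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def inspect_request(raw: bytes) -> List[str]:
    """Return a list of findings for one request; an empty list means nothing suspicious."""
    try:
        method, _target, headers = parse_http_request(raw)
    except ValueError:
        return ["malformed request line"]
    findings: List[str] = []
    ua = headers.get("user-agent", "")
    if len(ua) > MAX_USER_AGENT_LEN:
        findings.append(f"{method}: User-Agent length {len(ua)} exceeds {MAX_USER_AGENT_LEN}")
    return findings

# Constructed sample traffic for this example (not captured from any real system).
NORMAL_GET = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
              b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")
LONG_UA_GET = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: " + b"A" * 600 + b"\r\n\r\n")

if __name__ == "__main__":
    for req in (NORMAL_GET, LONG_UA_GET):
        print(inspect_request(req) or "no findings")
```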