This video is part two of section 2.1, Install and configure network components, hardware and software based, to support organisational security.
As you see on your screen, there are numerous technologies associated with network security.
In this video, I'll be focusing on firewalls, unified threat management, network intrusion detection and protection systems, and VPN concentrators. This section focuses on the network components that are used for perimeter security.
Keep in mind that each organization has different needs and might use additional tools for its defense.
The objective of this section is to give you an idea of how the purpose of a component determines the placement of the device.
Before you can properly secure a network, you must understand the security functions and purpose of the network devices and technologies used to secure the network.
A firewall can be hardware or software: a component or application placed on computers and networks to help eliminate undesired access by outsiders.
A firewall is the first line of defense for the network.
The primary function of a firewall is to mitigate threats by monitoring all traffic entering or leaving the network and blocking undesirable traffic.
Firewalls can be network based or host based.
There are different types of firewall you may encounter that provide different levels of security and features.
The first is a packet filter. This is the oldest type of firewall. A firewall operating as a packet filter, or static firewall, passes or blocks traffic to specific addresses based on the type of application, the IP address or the port number.
The packet filter doesn't analyze the data of a packet based on any rules. It decides whether to pass it based solely on addressing information.
For instance, a packet filter may allow web traffic on port 80 or 443 but block telnet traffic on port 23.
This type of filtering is included in many routers as well. If a received packet requests a port that isn't authorized, the filter may reject the request or simply ignore it.
Many packet filters can also specify which IP addresses can request which ports, and allow or deny them based on the security settings of the firewall.
A proxy firewall can be thought of as an intermediary between your network and any other network.
Proxy firewalls are used to process requests from outside the network. The proxy firewall examines the data and makes rule-based decisions about whether the request should be forwarded or refused.
The proxy intercepts all of the packets and reprocesses them for use internally.
There are also stateful packet inspection firewalls, which I'll talk about next.
Stateful firewalls are a deeper-inspection firewall type that analyzes traffic patterns and data flows. They look into the packets and make decisions based on some intelligence and rules.
This allows for more dynamic access control decisions, because the network state is not static.
Stateful firewalls are better when it comes to identifying unauthorized communication attempts, because they watch the state of the connection from beginning to end, including security functions such as tunnels and encryption.
With stateful inspection firewalls, records are kept using a state table that tracks every communications channel.
A stateful inspection firewall remembers where the packet came from and where the next one should come from, and can make intelligent decisions based on that.
Most firewalls today are stateful.
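To make the state table idea concrete, here is an added example (my own toy code, not from the lecture or any product) that tracks connections opened from the inside and compares how a stateful check and a plain stateless port check treat the same inbound packets; hosts, ports and the Packet class are constructed for the demo.

```python
# Added example (not from the lecture): a toy stateful packet filter. Connections
# opened from the inside go into a state table; an inbound packet passes only if
# it is the reply leg of a tracked connection.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # TCP SYN: a new connection attempt

class StatefulFirewall:
    def __init__(self, allowed_outbound_ports):
        self.allowed = set(allowed_outbound_ports)
        self.state = set()   # entries: (inside host, inside port, outside host, outside port)

    def outbound(self, pkt):
        """Packet from the inside: record new connections to allowed ports."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.syn and pkt.dport in self.allowed:
            self.state.add(key)
            return True
        return key in self.state     # later packets of an already tracked connection

    def inbound(self, pkt):
        """Packet from the outside: pass only if the reversed 4-tuple is tracked."""
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state

def stateless_inbound(pkt, allowed_outbound_ports):
    """What a plain packet filter must do to admit replies: trust the source port."""
    return pkt.sport in allowed_outbound_ports

def demo():
    allowed = {80, 443}
    fw = StatefulFirewall(allowed)
    # Constructed traffic: an inside client opens HTTPS to an outside web server.
    hello = Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True)
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 51000)
    # An unrelated outside host sends from source port 443 with no prior connection.
    stray = Packet("198.51.100.7", 443, "10.0.0.5", 51000)
    telnet = Packet("10.0.0.5", 51001, "203.0.113.10", 23, syn=True)
    return {
        "hello_out": fw.outbound(hello),                        # True, now in state table
        "reply_in": fw.inbound(reply),                          # True, matches the tracked connection
        "stray_in_stateful": fw.inbound(stray),                 # False, no state for it
        "stray_in_stateless": stateless_inbound(stray, allowed),  # True, would slip through
        "telnet_out": fw.outbound(telnet),                      # False, port 23 not allowed
    }
```

The stray packet is the point: a stateless filter that wants replies to come back has to trust any packet from source port 443, while the stateful table only admits the reply to a connection it saw opened.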
Firewall rules can be created for either inbound or outbound traffic, to allow or block traffic based on criteria set within the rule.
In many firewalls, the rules can be granular and configured to specify computers, users, programs, protocols, services or ports.
Rules can be configured so they apply when certain profiles are in use. As soon as a network packet matches a rule, that rule is applied and processing stops.
The more restrictive rules should be listed first, and the least restrictive rules should follow. Otherwise, if a less restrictive rule is placed before a more restrictive rule, checking stops at the first rule and the more restrictive rule is never reached.
So the order of firewall rules matters.
There's also the concept of implicit deny.
Access or resource availability is restricted only to those that are explicitly granted access. All others are denied.
You see a typical firewall rule on your screen, deny any any, and this should be the last firewall or ACL rule.
This firewall rule ensures that when access is not explicitly granted, it is automatically denied by default.
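Here is an added example (my own code, not from the lecture or any firewall product) of first-match rule processing with the implicit deny at the end, and a small check that reports a rule shadowed by a broader rule placed above it; the rules, addresses and ports are constructed to mirror the telnet and web examples above.

```python
# Added example (not from the lecture): first-match evaluation of an ordered rule
# list with an implicit "deny any any" at the end, plus a check that reports rules
# shadowed by an earlier, broader rule, which is how a misordered deny gets skipped.
import ipaddress
from dataclasses import dataclass
from typing import Optional
@dataclass
class Rule:
    action: str             # "allow" or "deny"
    src: str                # source CIDR, or "any"
    dport: Optional[int]    # destination port, or None for any port
    def matches(self, src_ip, dport):
        src_ok = self.src == "any" or ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
        return src_ok and (self.dport is None or self.dport == dport)

def evaluate(rules, src_ip, dport):
    """Return (action, index of the deciding rule); processing stops at the first match."""
    for i, rule in enumerate(rules):
        if rule.matches(src_ip, dport):
            return rule.action, i
    return "deny", None         # implicit deny: no explicit rule matched

def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule already covers them."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            src_cover = earlier.src == "any" or (later.src != "any" and
                ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src)))
            if src_cover and (earlier.dport is None or earlier.dport == later.dport):
                out.append(j)
                break
    return out

# Restrictive rule first, so the host-specific telnet deny is reachable.
GOOD_ORDER = [
    Rule("deny", "10.0.0.5/32", 23),    # this one host may not use telnet
    Rule("allow", "10.0.0.0/8", 23),    # the rest of the LAN may
    Rule("allow", "any", 80),
    Rule("allow", "any", 443),
]
# The same rules with the broad allow moved above the deny.
BAD_ORDER = [GOOD_ORDER[1], GOOD_ORDER[0]] + GOOD_ORDER[2:]
def demo():
    return {
        "good_telnet": evaluate(GOOD_ORDER, "10.0.0.5", 23),   # ("deny", 0)
        "bad_telnet": evaluate(BAD_ORDER, "10.0.0.5", 23),     # ("allow", 0): deny never reached
        "ssh": evaluate(GOOD_ORDER, "203.0.113.9", 22),        # ("deny", None): implicit deny
        "shadowed_in_bad": shadowed(BAD_ORDER),                # [1]
    }
```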
Application layer firewalls can examine application traffic and identify threats through deep packet inspection techniques. Often we do not think in terms of application-level security when discussing devices such as firewalls, IPS, IDS and proxies.
Yet most next-generation devices are capable of being application aware.
Application firewalls control input, output and/or access from, to or by an application or service based on categories, rules or heuristics. They function at layer 7 of the OSI model.
The most common one is a web application firewall, which is a software or hardware appliance used to protect an organization's web server from attack.
A web application firewall could be a plug-in or filter that is used specifically for preventing execution of common web-based attacks such as cross-site scripting, SQL injection and buffer overflows on a web server.
Most next-generation firewall devices are also capable of being application aware, with these types of features often combined into one centrally managed firewall.
We'll transition to talking about intrusion detection systems and intrusion protection systems, focusing on network devices.
We'll start by defining an intrusion. It's any activity or action that attempts to undermine or compromise the confidentiality, integrity or availability of resources.
An intrusion detection system acts like a burglar alarm. It raises an alert when it detects something that shouldn't be occurring, such as an anomaly or some type of attack.
Intrusion detection software can be reactive or passive. This means that the system detects a potential security breach, logs the information and signals an alert after the event occurs.
A network intrusion detection system, or NIDS, monitors packet flow across the network and tries to locate packets that might have gotten through the firewall but are not allowed to do so.
They are best at detecting denial of service and unauthorized user access attempts.
Host-based intrusion detection monitors systems on a host-by-host basis.
A HIDS is often combined with other host-based protection, such as antivirus and host firewalling.
A sensor is the intrusion detection component that collects data from the data source and passes it to an analyzer, often a centralized management device.
Early on in networking, we only had intrusion detection systems; that has now transitioned to intrusion protection, or prevention, systems.
An IDS is more passive. A passive response is simply logging and notification, with maybe some capability for shunning and quarantine.
An active response, as seen with an IPS, terminates processes or sessions or can change configuration settings.
With a deception active response, the attacker believes the attack is succeeding while the system monitors the activity and potentially redirects the attacker to a honeypot or a logging system.
Focus on the differences and similarities between IDS and IPS, and see where they are used within your own networks.
There are additional types of IDS and IPS systems.
The first is signature based, also called knowledge or rule based. It detects only known vulnerabilities. The rules or signatures are provided by a vendor. This tends to be a much more reactive type of approach.
Behavior based looks for activity outside of normal bounds, outside of an established profile. For example, too much web traffic will hit a behavior-based IDS, or even too little web traffic.
It could also be anomaly based, looking for things that shouldn't be there based on normal traffic and behavior.
There's a potential, though, for false positives with behavior-based IDS and IPS.
Lastly, there is heuristic based, which uses algorithms to analyze the activity and network traffic. This has a high initial overhead.
Often, today's IDS and IPS systems use a combination of signature, behavioral and heuristic-based approaches.
When analyzing network traffic, there's a potential for false positives and false negatives.
A false positive occurs when typical or expected behavior is identified as irregular or malicious.
False positives generally occur when an IDS detects the presence of a newly installed application, and the IDS has not yet been trained for this new behavior.
Sometimes anomalous behavior in one area of an organization is acceptable in other areas, yet this behavior may be viewed as suspicious.
False positives are one of the largest problems encountered in IDS and IPS management, because they can easily prevent legitimate alerts from quickly being identified.
Rule sets need to be tuned to reduce the number of false positives.
False negatives occur when an alert should have been generated but did not happen. In other words, an attack takes place, but the IDS doesn't detect it.
False negatives most often happen because the IDS is reactive, and signature-based systems do not recognize new attacks. Sometimes in signature-based systems, a rule can be written to catch only a subset of an attack vector.
Be aware of these different terms and how they are used with IDS and IPS systems; we'll encounter false positives and false negatives in other videos. Up to this point, I've talked about generic intrusion detection and intrusion protection systems.
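To show the false positive and false negative trade-off on concrete traffic, here is an added example (my own toy signature matcher, not from the lecture or from Snort) run over constructed, labelled HTTP request lines: a narrow signature set misses one form of SQL injection, and a broad untuned keyword rule starts flagging legitimate requests, including the newly installed application case described above.

```python
# Added example (not from the lecture): a toy signature-based NIDS run over
# constructed HTTP request log lines with known labels, scored to show how a
# signature that covers only part of an attack vector gives false negatives and
# how an untuned, overly broad rule gives false positives.
import re

# Constructed sample log: (request line, is_attack). Not real traffic.
SAMPLE_LOG = [
    ("GET /index.html HTTP/1.1", False),
    ("GET /search?q=' OR 1=1-- HTTP/1.1", True),                         # SQL injection, tautology form
    ("GET /search?q=' UNION SELECT name FROM users-- HTTP/1.1", True),   # SQL injection, UNION form
    ("GET /profile?name=<script>alert(1)</script> HTTP/1.1", True),      # cross-site scripting
    ("GET /docs/select-statement.html HTTP/1.1", False),                 # legitimate page about SQL
    ("GET /newapp/api/v1/select HTTP/1.1", False),                       # newly installed application
]

# Vendor-style signatures: each matches one known pattern only.
SIGNATURES = {
    "sqli_tautology": re.compile(r"'\s*OR\s*1=1", re.I),
    "xss_script_tag": re.compile(r"<script", re.I),
}
# A broad keyword rule someone might add to close the gap, without tuning it.
BROAD_SIGNATURES = dict(SIGNATURES, sql_keyword=re.compile(r"\bselect\b", re.I))

def scan(line, signatures):
    """Names of the signatures that fire on one log line (empty list = no alert)."""
    return [name for name, rx in signatures.items() if rx.search(line)]

def score(log, signatures):
    """Count true/false positives and negatives of a signature set against the labels."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for line, is_attack in log:
        if scan(line, signatures):
            counts["tp" if is_attack else "fp"] += 1
        else:
            counts["fn" if is_attack else "tn"] += 1
    return counts

def demo():
    return {
        "narrow": score(SAMPLE_LOG, SIGNATURES),       # tp 2, fp 0, tn 3, fn 1: UNION form missed
        "broad": score(SAMPLE_LOG, BROAD_SIGNATURES),  # tp 3, fp 2, tn 1, fn 0: legit 'select' URLs flagged
    }
```

Tuning means neither of these as-is: the broad rule would need an exception for the documentation and API paths, or a narrower pattern for the UNION form, before its alerts stop burying the real ones.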
Let's focus on network intrusion detection and protection systems, NIDS and NIPS.
The analysis used to be separate; you used to have a separate NIDS system.
There are two types of NIDS and NIPS deployment. One is passive, where traffic is mirrored to a sensor, so it's out of band, if you will.
The other is inline. Traffic flows through the NIDS or NIPS, which can prevent attacks in real time, but this can also cause network latency.
Let's transition to talking about VPN concentrators.
A virtual private network allows remote access into the internal network. This could be either site to site, such as a vendor coming into your internal network, or user (host) to site.
The concept is that someone using a VPN looks like they are on the internal network.
A VPN concentrator is a single device that funnels all VPN access and can be used to connect multiple VPN nodes. It creates encrypted VPN tunnels using a centralized authentication system like RADIUS, Kerberos or federated identity.
An always-on VPN automatically connects a system on another network to the internal VPN system, as opposed to one that's not always on, where you have to explicitly turn on the VPN service.
There are two different types of network security through encryption associated with VPNs.
Internet Protocol Security, better known as the IPsec protocol, is designed to provide secure communications between systems. This includes system-to-system communication on the same network as well as communication to systems on external networks.
IPsec is an IP-layer security protocol that can both encrypt and authenticate network transmissions.
In a nutshell, IPsec is composed of two separate, mutually exclusive protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides the authentication and integrity checking for data packets, and ESP provides the encryption services.
IPsec provides three security services: data verification, verifying that the data received is from an intended source; protection from data tampering, ensuring that the data has not been changed; and private transactions, ensuring that data sent between the sending and receiving devices is encrypted and unreadable by any other devices.
An alternative to IPsec VPNs is SSL/TLS VPNs.
Note: TLS should now replace SSL. Do not use SSL within your networks.
Also known as web VPNs, SSL/TLS VPNs provide remote access through a website using the SSL/TLS protocol, and are used for point-to-point encrypted communications. So it's best for user-to-internal-network communications rather than site to site; site to site should use an IPsec VPN.
VPN tunneling also needs to be considered when configuring your remote access.
With a full tunnel, all requests are routed and encrypted through the VPN. This is the most secure option.
A split tunnel has only some, usually all incoming, requests routed and encrypted over the VPN. For example, let's say I'm using a VPN at my home. I might have personal traffic going through my own router while my business traffic goes through the VPN. That is split tunneling, and it does have some security challenges associated with it.
VPNs are used all the time for remote access, so you need to understand how they work and how you can secure them.
Unified threat management (UTM) and next-generation firewalls (NGFWs) are security appliances that combine firewall capabilities with many other types of capabilities: for example, spam filtering functions, maybe web application firewall or proxy services, network IDS and IPS, content inspection and malware inspection.
Many of the firewall devices on corporate networks today are UTMs or NGFWs.
In this video, I discussed different network components associated with security, for example firewalls, NIDS, NIPS and VPN concentrators.
Let's practice on a simple quiz question.
Which of the following tunneling configurations is the process of allowing a remote VPN user to access a public network, or the Internet, at the same time that the user is allowed to access organizational resources?
The answer is A, split tunneling, where network traffic is split, as opposed to an always-on VPN or full tunneling.
This type of firewall passes or blocks traffic to specific ports or IP addresses based on predetermined rules.
This is the definition for C, a packet filtering firewall. This can also be included on some routers with their ACLs.
There are a couple of labs you should consider to practice hands-on with these concepts.
In the first exercise, you will create firewall rules using Windows Firewall and verify their efficiency in managing access to the computer.
A second lab, which will give you hands-on experience, is configuring IDS and honeypots using Snort. Snort is a portable intrusion detection system for Windows and Linux operating systems.
This tool is capable of capturing real-time network traffic for analysis and performing packet logging on TCP/IP networks.
This concludes part two of section 2.1, Install and configure network components to support organisational security.