
Lecture 11: Network Firewall and VPN planning implementation:

IDS, IPS:

Comparison: IDS vs IPS

An intrusion detection system (IDS) is more like a monitoring system, whereas an IPS is a control system.
That means an IDS continuously monitors network traffic for suspicious activity and alerts the
administrator if any is found, whereas an IPS acts on suspicious activity with the aim of preventing it
from reaching the targeted system.

An IDS compares network traffic against known threats, and someone is needed to analyse the results
and take the necessary actions. An IPS can detect and act by itself. Unlike an IPS, an IDS is passive/offline,
so traffic does not have to flow through the IDS.
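The monitor-versus-control distinction above, as an added Python example that is not part of the lecture notes: one rule engine is run twice over constructed HTTP-like traffic, once in IDS mode (every packet is forwarded and only an alert is raised) and once in IPS mode (a matching packet is dropped before it reaches the target). The Packet, Signature and Engine classes, the two rules and the sample traffic are all constructed for the example.

```python
"""Added example (not from the lecture notes): one signature engine run in
IDS mode (passive, alert only) and IPS mode (inline, alert and drop) over
constructed traffic, to show why an IPS must sit in the traffic path."""
from dataclasses import dataclass, field
import re


@dataclass
class Packet:
    src: str
    dst: str
    payload: str


@dataclass
class Signature:
    name: str
    pattern: str  # regex applied to the payload; these are constructed rules


@dataclass
class Engine:
    signatures: list
    inline: bool  # False = IDS (monitor), True = IPS (control)
    alerts: list = field(default_factory=list)

    def match(self, pkt: Packet):
        """Return the first signature that matches, or None (known-threat matching)."""
        for sig in self.signatures:
            if re.search(sig.pattern, pkt.payload, re.IGNORECASE):
                return sig
        return None

    def process(self, packets):
        """Return the packets that reach their destination."""
        forwarded = []
        for pkt in packets:
            sig = self.match(pkt)
            if sig is not None:
                self.alerts.append((sig.name, pkt.src, pkt.dst))
                if self.inline:
                    continue  # IPS: the packet is dropped before it reaches the target
            forwarded.append(pkt)  # IDS: traffic is only observed, never blocked
        return forwarded


# Constructed signature set and sample traffic (two benign, two matching requests).
SIGNATURES = [
    Signature("http-path-traversal", r"\.\./"),
    Signature("sqli-union-select", r"union\s+select"),
]
TRAFFIC = [
    Packet("203.0.113.5", "10.0.0.10", "GET /index.html HTTP/1.1"),
    Packet("203.0.113.7", "10.0.0.10", "GET /../../etc/passwd HTTP/1.1"),
    Packet("203.0.113.9", "10.0.0.10", "GET /search?q=books HTTP/1.1"),
    Packet("203.0.113.9", "10.0.0.10", "GET /item?id=1 UNION SELECT 1,2 HTTP/1.1"),
]


def run(inline: bool):
    """Run the engine in the requested mode; return (forwarded_count, alert_names)."""
    engine = Engine(SIGNATURES, inline=inline)
    forwarded = engine.process(TRAFFIC)
    return len(forwarded), [name for name, _, _ in engine.alerts]


if __name__ == "__main__":
    print("IDS:", run(inline=False))  # all 4 packets pass; an admin must act on the alerts
    print("IPS:", run(inline=True))   # 2 packets pass; the matching ones never arrive
```

The IDS run returns all four packets plus two alerts that still need an administrator to act on them; the IPS run returns only the two benign packets. The same `match` function also shows the limitation noted later in these notes: a request that matches no signature, or an outdated signature set, produces no alert in either mode.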

Everything about IDS and IPS:

https://www.upguard.com/blog/ids-vs-ips

How are IDS/IPS different from firewall?

Limitations:

IDS is more vulnerable to network evasion techniques.

An IDS/IPS sensor failure can allow an intrusion to bypass network security and then cause
severe attacks.

Cannot protect against weak authentication: if an attacker gains access due to a weak password, the IDS
will not be able to detect such an abnormality.

An outdated signature database is prone to new attacks.

False positives and noise due to bad packets.

Prevention from zero-day attack:

Use of IPsec: as we know, IPsec encrypts and authenticates all network traffic, so any suspicious
traffic will be prevented.

Deploying firewall for scanning data packets for threats.

IDS/IPS: IDS and IPS must be placed in our network for continuously monitoring and analysing the
network traffic. In case of any suspicious detection, it will alert the administrator so that mitigation
measures can be implemented.
Examples of Zero-day exploit:

https://guardiandigital.com/blog/zero-day-attack

Components of Intrusion detection System:

IDS and IPS can be deployed as a sensor in a router, as dedicated security appliances that provide IDS/IPS
services, or as host software on client computers and servers.

Lecture 10: Network Firewall and VPN planning implementation:

Selecting a firewall for any company needs to address company’s characteristics: The common
firewall implementation and design should address:

Suitability,

Flexibility,

Training,

Need,

Risk,

Cost.

Software firewall and VPN: Smoothwall, Openswan

Features

Testing Smoothwall (slide 47)

Troubleshooting (slide 48)

Openswan (slide 49)

Microsoft DirectAccess as an alternative to VPN:

http://techgenix.com/microsoft-directaccess-overview/

Lecture 9: Network Security and threats.

Case studies:

Identify assets:

Identify threats:

Malicious attack

Theft: hardware theft, software theft

System failure

Worms, viruses

Identify vulnerabilities:

Weaknesses that can be exploited by threats

Lack of user knowledge

Poor choices of password

Unsecured data transmission

Poor security policies

Recommend solutions:

Firewalls, IDS, Network monitoring tools

Before implementing a measure, it is important to calculate the cost of implementation and the
benefits of implementation. If the implementation cost exceeds the benefits, then it is better to accept the
risk.

Risk matrix:

Risk = Impact × Likelihood


| Threat | Impact (a) | Likelihood (b) | Risk (c) | Countermeasures |
|---|---|---|---|---|
| Malicious attack | High | High | Critical | Firewalls, IDS, regular OS patching |
| Theft (hardware theft) | Loss of data (High) | Low | Medium | Surveillance cameras, buzzer and alarm system |
| System failure (e.g. electrical power problem) | All servers and devices could be damaged (Critical) | Low | Low | The IT infrastructure should be maintained on a regular basis |
| Human error (accidental deletion of a file) | Sensitive data can be lost but could be recovered from backup (Low) | Medium | Low | Backup server, control user access to information |
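A worked version of Risk = Impact × Likelihood and the cost-versus-benefit rule, added here as a Python example rather than taken from the lecture notes. The ordinal scales (Low=1 to Critical=4), the score thresholds and the yearly cost and loss figures are assumptions constructed for the example; with these thresholds the system-failure row scores Medium where the lecture's table rates it Low, which is why the scale has to be agreed before the register is filled in.

```python
"""Added example (not from the lecture notes): scoring a risk register with
Risk = Impact x Likelihood and applying the cost-vs-benefit rule from the notes."""
from dataclasses import dataclass

# Ordinal scales and the score-to-rating thresholds are assumptions of this example.
IMPACT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    threat: str
    impact: str
    likelihood: str
    countermeasure: str
    control_cost: float    # constructed yearly cost of the countermeasure
    expected_loss: float   # constructed yearly loss avoided if it is deployed

    def score(self) -> int:
        """Risk = Impact x Likelihood on the ordinal scales above."""
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]

    def rating(self) -> str:
        """Map the numeric score back to a qualitative level (thresholds assumed)."""
        s = self.score()
        if s >= 9:
            return "critical"
        if s >= 6:
            return "high"
        if s >= 3:
            return "medium"
        return "low"

    def decision(self) -> str:
        """Lecture rule: accept the risk when the cost of the control exceeds its benefit."""
        return "accept" if self.control_cost > self.expected_loss else "mitigate"


# The four threats from the lecture's matrix; cost and loss figures are constructed.
REGISTER = [
    Risk("Malicious attack", "high", "high", "Firewalls, IDS, regular OS patching", 20000, 150000),
    Risk("Theft (hardware)", "high", "low", "Cameras, buzzer, alarm system", 5000, 12000),
    Risk("System failure (power)", "critical", "low", "Regular infrastructure maintenance", 8000, 30000),
    Risk("Human error (file deletion)", "low", "medium", "Backup server, user access control", 6000, 3000),
]


def prioritised(register=REGISTER):
    """Return (threat, score, rating, decision) tuples, highest score first."""
    rows = [(r.threat, r.score(), r.rating(), r.decision()) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for threat, score, rating, decision in prioritised():
        print(f"{threat:30} score={score} rating={rating:8} -> {decision}")
```

The human-error row is the one the cost-versus-benefit rule turns into "accept": the control would cost more per year than the loss it avoids, so the notes' advice is to carry the risk rather than fund the countermeasure.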

Common malware examples:

• Viruses and Worms

• Trojan Horses

• Keystroke Loggers (“keyloggers”)

• Spyware and Adware

• Bots

• Rootkits

• Logic Bombs

• Trapdoors and Backdoors

• Advanced persistent threat

Risks associated with the seven IT domains:


Lecture 8:
VPN pre deployment best practices:

• We need to choose the best VPN solution with proven capabilities.
• A redundancy plan should be made.
• Developing a VPN policy.
• Also, procedures for vulnerability assessment should be put in place.
• Lastly, documenting the VPN implementation plan.

VPN post deployment best practices:

Usage review, backup and patching are a must after deploying the VPN.

Developing a VPN policy:

• Split tunneling should be prohibited: with split tunneling there is always a risk that a
threat actor can take advantage of the remote user to access the secure corporate network
and cause severe damage.
• There should be central authentication of users through a RADIUS server. It will
prevent unauthorized access to the VPN.
• Strong encryption via IPsec and AES should be configured and implemented.

VPN deployment Models:


True, trusted, secure and hybrid:

• Trusted VPN: it uses leased circuits from a service provider and performs packet
switching over these lines. The company must trust the service provider that these
circuits are not vulnerable and are securely protected and maintained.
• Secure VPN: encrypted traffic is transmitted over a public network using various
security protocols.
• Hybrid VPN: it combines trusted and secure VPN, i.e. encrypted traffic packets are
transmitted over a trusted VPN circuit.

http://www.hit.bme.hu/~jakab/edu/litr/VPN/vpn-technologies.pdf

VPN components:

Edge routers,
Corporate firewalls,
VPN appliances,
VPN architecture

Types of VPN implementation:


Bypass VPN
Internally connected VPN
VPN in a DMZ

VPN topologies:

VPN vulnerabilities:
• Backdoor attacks: a backdoor installed on remote user devices or other security
appliances would allow a remote attacker to steal data, hijack sessions, implant malware,
etc.

• Weak client security: lack of a personal firewall, IDS/IPS or anti-malware software on the
remote user's computer will harm the entire network.

• Weak authentication: with weak authentication, an attacker can access the VPN network
by mounting a brute-force attack.

• Worms: any remote user connected to the VPN network with an infected device (worms,
malicious viruses) can affect the entire network.

• Credential sharing: an attacker may use various social-engineering techniques to lure the victim
into revealing the VPN credentials, and later access the system.

As we know, home computers are more susceptible to threats than IT-maintained computers.
An attack on a remote home computer might lead to an attack on the VPN and on the internal
network. There should be measures in place for securing home computers:

• Home computers must have a personal firewall for traffic filtering.
• There should be an IDS/IPS for intrusion detection.
• Home computers and networking devices should apply regular software patches.
• There should be physical boundaries for preventing hardware theft at home.

Limitations of IPSEC VPN- slide 36


Advantages of ssl VPN- Slide 37
