
IDS (intrusion detection system)

• is a device or software application that monitors a network or systems for
malicious activity or policy violations.
• Any intrusion activity or violation is typically reported either to an
administrator or collected centrally using a security information and event
management (SIEM) system.
• A SIEM system combines outputs from multiple sources and uses alarm
filtering techniques to distinguish malicious activity from false alarms.
IDS can be classified into 3 different types:
• NIDS: Network-based intrusion detection system
• HIDS: Host-based intrusion detection system
• Hybrid IDS
HIDS (Host-based intrusion detection system)
• is an intrusion detection system that is capable of monitoring and analyzing
the internals of a computing system as well as the network packets on its
network interfaces, similar to the way a network-based intrusion detection
system (NIDS) operates.
• This was the first type of intrusion detection software to have been designed,
with the original target system being the mainframe computer, where outside
interaction was infrequent.
IDS detection methods
• Signature-based detection
• Statistical anomaly-based detection
• Stateful protocol analysis detection
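The three detection methods listed above behave differently on the same traffic. The following toy IDS is an added example written for these notes (it is not code from the course or from any IDS product); the events, the signature strings and the baseline counts are all constructed sample data.

```python
"""Constructed toy IDS showing signature-based, statistical anomaly-based and
stateful protocol analysis detection on the same event stream.
Events, signatures and baseline counts are made-up sample data."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Event:
    src: str
    dst: str
    flags: str        # TCP flags: "S" SYN, "SA" SYN-ACK, "A" ACK, "PA" PSH-ACK
    payload: str = ""


# 1. Signature-based: compare the payload against known-bad patterns (constructed).
SIGNATURES = {
    "SQLi-union": "union select",
    "PathTraversal": "../../",
}


def signature_detect(ev):
    """Return the names of every signature found in the payload."""
    text = ev.payload.lower()
    return [name for name, pattern in SIGNATURES.items() if pattern in text]


# 2. Statistical anomaly-based: compare a source's event count with a learned baseline.
class RateAnomalyDetector:
    def __init__(self, baseline_counts, z_threshold=3.0):
        self.mu = mean(baseline_counts)
        self.sigma = pstdev(baseline_counts) or 1.0   # avoid division by zero
        self.z_threshold = z_threshold

    def is_anomalous(self, count):
        return (count - self.mu) / self.sigma > self.z_threshold


# 3. Stateful protocol analysis: follow the TCP handshake and flag data that
#    arrives on a connection that was never established.
class TcpStateTracker:
    def __init__(self):
        self.state = {}   # (client, server) -> handshake state

    def check(self, ev):
        """Return a violation string, or None if the event fits the protocol state."""
        key = (ev.src, ev.dst)
        if ev.flags == "S":
            self.state[key] = "SYN_SENT"
            return None
        if ev.flags == "SA":
            reverse = (ev.dst, ev.src)
            if self.state.get(reverse) == "SYN_SENT":
                self.state[reverse] = "SYN_RECV"
                return None
            return "SYN-ACK without a preceding SYN"
        if ev.flags == "A" and self.state.get(key) == "SYN_RECV":
            self.state[key] = "ESTABLISHED"
            return None
        if ev.payload and self.state.get(key) != "ESTABLISHED":
            return "data on a connection that was never established"
        return None


def run_ids(events, baseline_counts):
    """Run all three detectors; return (src, method, detail) alert tuples."""
    alerts = []
    tracker = TcpStateTracker()
    for ev in events:
        for sig in signature_detect(ev):
            alerts.append((ev.src, "signature", sig))
        violation = tracker.check(ev)
        if violation:
            alerts.append((ev.src, "stateful", violation))
    rate = RateAnomalyDetector(baseline_counts)
    for src, count in Counter(ev.src for ev in events).items():
        if rate.is_anomalous(count):
            alerts.append((src, "anomaly", f"{count} events vs baseline mean {rate.mu:.1f}"))
    return alerts


# Constructed sample: one clean session from 10.0.0.5, then a burst of SYNs and
# an injected request from 10.0.0.9 that never completed a handshake.
SAMPLE_EVENTS = [
    Event("10.0.0.5", "10.0.0.1", "S"),
    Event("10.0.0.1", "10.0.0.5", "SA"),
    Event("10.0.0.5", "10.0.0.1", "A"),
    Event("10.0.0.5", "10.0.0.1", "PA", "GET /index.html HTTP/1.1"),
] + [Event("10.0.0.9", "10.0.0.1", "S") for _ in range(20)] + [
    Event("10.0.0.9", "10.0.0.1", "PA", "GET /?id=1 UNION SELECT 1,2 HTTP/1.1"),
]
BASELINE_EVENTS_PER_SOURCE = [10, 12, 11, 9, 10]   # constructed historical counts


if __name__ == "__main__":
    for alert in run_ids(SAMPLE_EVENTS, BASELINE_EVENTS_PER_SOURCE):
        print(alert)
```

Running the sample produces no alerts for the clean session and three alerts for 10.0.0.9, one from each method: the signature detector matches the payload, the stateful tracker sees data on a connection with no completed handshake, and the rate detector flags 21 events against a baseline of about 10. Each method catches a different aspect of the same activity, which is why real products combine them.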
IPS (intrusion prevention systems)
• are network security appliances that monitor network or system activities for
malicious activity.
• The main functions of intrusion prevention systems are:
✓ to identify malicious activity
✓ to log (record) information about this activity
✓ to report it and attempt to block or stop it.
• IPS are considered extensions of intrusion detection systems because both
monitor network traffic and/or system activities for malicious activity.
IPS can be classified into four different types:
• Network-based intrusion prevention system (NIPS): monitors the entire
network for suspicious traffic by analyzing protocol activity.
• Wireless intrusion prevention system (WIPS): monitors a wireless network for
suspicious traffic by analyzing wireless networking protocols.
• Network behavior analysis (NBA): examines network traffic to identify threats
that generate unusual traffic flows, such as distributed denial of service (DDoS)
attacks, certain forms of malware and policy violations.
• Host-based intrusion prevention system (HIPS): an installed software package
which monitors a single host for suspicious activity by analyzing events
occurring within that host.
IDS & IPS difference
• The main differences are:
✓ unlike intrusion detection systems, intrusion prevention systems are placed
in-line and are able to actively prevent or block intrusions that are detected.
✓ An IPS can take such actions as sending an alarm, dropping detected malicious
packets, resetting a connection or blocking traffic from the offending (malicious)
IP address.
✓ An IPS can also correct cyclic redundancy check (CRC) errors, defragment
packet streams, mitigate TCP sequencing issues, and clean up unwanted transport
and network layer options.
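The in-line placement is the whole difference in practice: an IDS sees a copy of the traffic after it has already been delivered, while an IPS must give a verdict before each packet is forwarded. The following comparison is an added example for these notes, not code from the course or from any product; the rule set, the actions and the sample packets are constructed.

```python
"""Constructed comparison of a passive IDS and an inline IPS sharing one rule set.
Rules, actions, addresses and packets are made-up sample data."""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ALERT = "alert"          # log only: the only response a passive IDS has
    DROP = "drop"            # silently discard the packet
    RESET = "reset"          # discard and send a TCP RST to the endpoints
    BLOCK_IP = "block_ip"    # discard and blocklist the source address


@dataclass
class Packet:
    src: str
    dst_port: int
    payload: str = ""


@dataclass
class Rule:
    name: str
    pattern: str
    action: Action


# Constructed rule set shared by both engines.
RULES = [
    Rule("sqli-union", "union select", Action.BLOCK_IP),
    Rule("telnet-banner", "telnet-banner", Action.RESET),
    Rule("cleartext-password", "password=", Action.ALERT),
]


def match(pkt):
    """Return the first rule whose pattern appears in the payload, or None."""
    text = pkt.payload.lower()
    for rule in RULES:
        if rule.pattern in text:
            return rule
    return None


@dataclass
class PassiveIDS:
    """Receives a copy of the traffic (mirror/SPAN port); it can only report."""
    alerts: list = field(default_factory=list)

    def process(self, pkt):
        rule = match(pkt)
        if rule:
            self.alerts.append((pkt.src, rule.name, rule.action.value))
        return pkt   # the real packet already reached its destination


@dataclass
class InlineIPS:
    """Sits in the forwarding path; a packet passes only if it gets an allow verdict."""
    alerts: list = field(default_factory=list)
    blocklist: set = field(default_factory=set)
    resets_sent: list = field(default_factory=list)

    def process(self, pkt):
        if pkt.src in self.blocklist:
            return None                       # dropped without further inspection
        rule = match(pkt)
        if rule is None:
            return pkt
        self.alerts.append((pkt.src, rule.name, rule.action.value))
        if rule.action is Action.ALERT:
            return pkt                        # alert-only rules still forward
        if rule.action is Action.RESET:
            self.resets_sent.append(pkt.src)
        elif rule.action is Action.BLOCK_IP:
            self.blocklist.add(pkt.src)
        return None


# Constructed traffic: the last packet from 198.51.100.7 is harmless but arrives
# after that address has been blocklisted.
SAMPLE_TRAFFIC = [
    Packet("203.0.113.4", 80, "GET /login HTTP/1.1"),
    Packet("203.0.113.4", 80, "POST /login password=example"),
    Packet("198.51.100.7", 80, "GET /?q=1 UNION SELECT 1,2"),
    Packet("192.0.2.9", 23, "telnet-banner"),
    Packet("198.51.100.7", 80, "GET /about HTTP/1.1"),
]


def compare(traffic):
    """Run the same traffic through both engines; return engines and forwarded packets."""
    ids, ips = PassiveIDS(), InlineIPS()
    ids_forwarded, ips_forwarded = [], []
    for pkt in traffic:
        if ids.process(pkt) is not None:
            ids_forwarded.append(pkt)
        if ips.process(pkt) is not None:
            ips_forwarded.append(pkt)
    return ids, ips, ids_forwarded, ips_forwarded


if __name__ == "__main__":
    ids, ips, ids_fwd, ips_fwd = compare(SAMPLE_TRAFFIC)
    print("IDS forwarded", len(ids_fwd), "alerts", ids.alerts)
    print("IPS forwarded", len(ips_fwd), "blocklist", ips.blocklist, "resets", ips.resets_sent)
```

Both engines raise the same three alerts, but the IDS forwards all five packets while the IPS forwards only two, sends one reset and blocklists one address. The last packet shows the cost of in-line blocking: a false positive on a BLOCK_IP rule cuts off all later traffic from that source, which is why IPS rules that block need more careful tuning than IDS rules that only alert.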
Firewall
• In commercial and residential construction, firewalls are concrete or masonry
walls that run from the basement through the roof, to prevent a fire from
spreading from one section of the building to another.
• In aircraft and automobiles, a firewall is an insulated metal barrier that keeps
the hot and dangerous moving parts of the motor separate from the inflammable
interior where the passengers sit.
• A firewall in an information security program is similar to a building's firewall
in that it prevents specific types of information from moving between the outside
world, known as the untrusted network (for example, the Internet), and the inside
world, known as the trusted network. The firewall may be a separate computer
system, a software service running on an existing router or server, or a separate
network containing a number of supporting devices.
• In computing, a firewall is a network security system that monitors and
controls incoming and outgoing network traffic based on predetermined security
rules. A firewall typically establishes a barrier between a trusted internal
network and an untrusted external network, such as the Internet. Firewalls can be
categorized by processing mode, development era, or structure.
Firewall
• Firewall (computing), a technological barrier designed to prevent unauthorized
or unwanted communications between computer networks or hosts
• Firewall (construction), a barrier inside a building, designed to limit the spread
of fire, heat and structural collapse
• Firewall (engine), the part of a vehicle that separates the engine compartment
from the rest of the vehicle.
****
• A firewall that protects an individual computer is called a personal firewall. It
is an application which controls network traffic to and from a computer,
permitting or denying communications based on a security policy. Typically it
works as an application layer firewall.
• It is useful for an individual or a family because they only need to
protect their own computer.
• It allows a security policy to be defined for individual computers.
• Many personal firewalls are able to control the network traffic allowed to and
from the secured computer. When an application attempts an outbound connection,
the firewall may block it if it is blacklisted, or ask the user whether to
blacklist it if it is not yet known.
Common personal firewalls:
• Cisco Security Agent
• Microsoft Internet connection firewall
• Symantec personal firewall
****
• A firewall that is present in an enterprise network for the protection of
multiple computers is called a network firewall, and it is classified into 4 sub
types as follows:
- Packet-filtering firewalls (stateful and nonstateful)
- Circuit-level gateways
- Application-level gateways
- NAT firewall (Network Address Translation)
• Common appliance-based network firewalls:
- Cisco PIX, Cisco ASA
- Juniper NetScreen firewall
- Nokia firewalls
- Symantec's Enterprise Firewall.
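The "stateful and nonstateful" distinction in the packet-filtering type above is easiest to see in code. The following filter is an added example for these notes (not the course's code and not based on any named product): a stateless rule list has to admit reply traffic by port number alone, while a stateful filter tracks the connections it has allowed out and admits only their replies. All addresses, ports and rules are constructed.

```python
"""Constructed packet filter contrasting a stateless rule list with stateful
connection tracking. Addresses, ports and rules are made-up sample data."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" = trusted -> untrusted, "in" = untrusted -> trusted


@dataclass
class Rule:
    direction: str
    dport: Optional[int]    # None matches any destination port
    sport: Optional[int]    # None matches any source port
    allow: bool

    def matches(self, pkt):
        return (self.direction == pkt.direction
                and (self.dport is None or self.dport == pkt.dport)
                and (self.sport is None or self.sport == pkt.sport))


def stateless_filter(rules, pkt):
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.allow
    return False


class StatefulFilter:
    """Applies rules to outbound packets and admits inbound packets only when
    they are replies to a connection that was already allowed out."""

    def __init__(self, rules):
        self.rules = rules
        self.connections = set()   # (src, sport, dst, dport) of allowed outbound flows

    def decide(self, pkt):
        if pkt.direction == "out":
            allowed = stateless_filter(self.rules, pkt)
            if allowed:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return allowed
        # Inbound: accept only the reverse of a tracked connection.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


# Constructed policy: internal hosts may reach HTTPS (443) on the Internet.
# Without state, the stateless filter also needs an inbound rule keyed on
# source port 443 so that replies can come back, and that rule admits any
# packet that merely claims to come from port 443.
STATELESS_RULES = [
    Rule("out", dport=443, sport=None, allow=True),
    Rule("in", dport=None, sport=443, allow=True),
]
STATEFUL_RULES = [
    Rule("out", dport=443, sport=None, allow=True),
]

# Constructed traffic: an outbound HTTPS request, its reply, and an unsolicited
# inbound packet to port 445 that uses source port 443.
SAMPLE_PACKETS = [
    Packet("192.168.1.20", 51000, "203.0.113.10", 443, "out"),
    Packet("203.0.113.10", 443, "192.168.1.20", 51000, "in"),
    Packet("198.51.100.5", 443, "192.168.1.30", 445, "in"),
]


def evaluate(packets):
    """Return (stateless_verdict, stateful_verdict) for each packet in order."""
    stateful = StatefulFilter(STATEFUL_RULES)
    return [(stateless_filter(STATELESS_RULES, p), stateful.decide(p)) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, evaluate(SAMPLE_PACKETS)):
        print(pkt, "stateless:", verdict[0], "stateful:", verdict[1])
```

Both filters allow the request and its reply, but only the stateful filter rejects the third packet: the stateless rule list cannot tell a genuine reply from an unsolicited packet with a forged source port, which is the main reason stateful inspection replaced plain packet filtering on network borders.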
Firewall products
• Software firewalls are the firewalls which are installed in the Operating
System
• Some software firewall products are:
- SunScreen firewall
- IPF
- Microsoft ISA server
- Check Point NG
- Linux's IPTables
• Software firewalls can take on more tasks than hardware firewalls; a software
firewall can also operate as a DNS server or a DHCP server.
Firewall products
• Hardware firewalls or appliance firewalls are firewalls which are
integrated into specialized hardware designed only for firewalling.
• Some common hardware firewall products are:
- Cisco PIX
- Cisco ASA
- NetScreen firewall
- SonicWall Appliances
- WatchGuard Fireboxes
- Nokia firewall
- Symantec's Enterprise Firewall.
• Integrated firewalls: besides the basic functions of a firewall, they have other
functions such as VPN, intrusion detection and prevention, spam filtering and
antivirus.
Firewall classification based on the technology used
• Personal firewalls
• Packet filters
• Network Address Translation (NAT) firewalls
• Circuit-level firewalls
• Proxy firewalls
• Stateful firewalls
• Transparent firewalls
• Virtual firewalls
Fundamental components of a firewall
A firewall consists of one or more of the following components:
• Packet filtering
• Application gateway
• Circuit-level gateway
Some firewall architectures
• Packet filtering router
• Dual-homed host
• Screened host
• Screened subnet host
- Uses a bastion host
- Variant: the internal router and external router are combined into one device
- Variant: the bastion host and external router are combined into one device
Common personal firewall features (advantages):
• Block or alert the user about all unauthorized inbound or outbound connection
attempts.
• Allow the user to control which programs can and cannot access the local
network and/or Internet, and provide the user with information about an
application that makes a connection attempt.
• Hide the computer from port scans by not responding to unsolicited network
traffic.
• Monitor applications that are listening for incoming connections.
• Monitor and regulate all incoming and outgoing Internet users.
• Prevent unwanted network traffic from locally installed applications.
• Provide information about the destination server with which an application is
attempting to communicate.
• Track recent incoming events, outgoing events, and intrusion events to see
who has accessed or tried to access your computer.
• Block and prevent hacking attempts or attacks from hackers.
Firewalls help protect the internal network from hackers; however,
firewalls do have some limitations.
• If the system has been compromised by malware, spyware or similar
software, these programs can also manipulate the firewall, because both are
running on the same system. It may be possible to bypass or even completely
shut down a software firewall in such a manner.
• A firewall cannot notify you if it has been incorrectly configured.
• A firewall may limit access from the Internet, but it may not protect your
network from wireless and other access to your systems.
• Firewalls and Virtual Private Networks are not the only solution to secure
private documents and emails that are either sent within an organization or to
other business contacts that are outside the organization.
• The alerts generated can desensitize users to alerts by warning the
user about actions that may not be malicious.
• Software firewalls that interface with the operating system or with other
firewalls or security software at the kernel-mode level may potentially cause
instability and/or introduce security flaws.
A firewall is used to
• Prevent the Passage of Unwanted Content
• Prevent Unauthorized Remote Access
• Prevent Indecent Content
• Guarantee Security Based on Protocol and IP Address
• Protect Seamless Operations in Enterprises
• Protect Conversations and Coordination Contents
• Prevent Destructive Content from Online Videos and Games
Key differences between Firewall and Antivirus
1. A firewall can be employed for software as well as hardware; antivirus can
only be applied for software.
2. Antivirus conducts screening, including identification, naming, and deletion.
Alternatively, firewall controls and processes input and output sets.
3. External attacks are only managed by Firewalls, while Antivirus manages
external and internal threats.
4. A firewall checks inbound packets against a set of rules when an attack is
examined, whereas antivirus scans and checks files and applications for malicious
or corrupted content. IP spoofing and routing attacks are strategies that may
theoretically compromise the protection of packet filters.
5. A network protocol firewall protects your device, thereby blocking
vulnerable port packets, whereas an anti-virus prevents malicious data on the
level of the file.
6. The monitoring capability of the firewall is based on a pre-defined set of
rules. Whereas the monitoring capability of antivirus is based on techniques
imposed by the manufacturer.