Network Security Tools

Firewalls

1. Network-Based

Hardware and/or software that controls network traffic based on source/destination, protocol, context, and content.

Human Firewall: Humans are the first line of defense.

Types:

  1. Packet Filter: Static rules that use header data only.
  2. Stateful Packet Filter: Uses connection state (outgoing / incoming) together with header data.
  3. Application Layer Gateway / Proxy: Deep packet inspection. Looks at header, payload, and context. More dynamic.

Example: Firewall rules
  1. Cisco Access Control Lists
  2. iptables

Example rule (source/dest IP address, then source/dest port):

  action  dir  source       dest            protocol  source port  dest port  flag
  allow   out  192.168.*.*  !(192.168.*.*)  TCP       >1023        80         any
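The packet-filter versus stateful-filter distinction above, worked as an added Python example (not code from the original notes): the table's rule as a stateless function, an assumed companion reply rule that relies on the ACK flag, and a stateful filter that admits only replies to connections it has seen leave. The sample packets and the 203.0.113.5 server address are constructed.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("192.168.0.0/16")  # the 192.168.*.* of the table

@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" or "out"
    src: str                        # source IP
    dst: str                        # destination IP
    proto: str                      # "TCP", "UDP", ...
    sport: int                      # source port
    dport: int                      # destination port
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN"} or {"ACK"}

def _internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL

def allow_web_out(p: Packet) -> bool:
    """The table's rule: allow out, 192.168.*.* -> !(192.168.*.*), TCP, sport >1023, dport 80, any flag."""
    return (p.direction == "out" and _internal(p.src) and not _internal(p.dst)
            and p.proto == "TCP" and p.sport > 1023 and p.dport == 80)

def allow_web_reply_stateless(p: Packet) -> bool:
    """Assumed companion rule (not in the notes): allow in, !(192.168.*.*):80 -> 192.168.*.*:>1023, TCP, ACK set."""
    return (p.direction == "in" and not _internal(p.src) and _internal(p.dst)
            and p.proto == "TCP" and p.sport == 80 and p.dport > 1023 and "ACK" in p.flags)

def stateless_decide(p: Packet) -> str:
    """Packet filter: static rules over header fields only, default deny."""
    return "allow" if allow_web_out(p) or allow_web_reply_stateless(p) else "deny"

class StatefulFilter:
    """Stateful packet filter: records allowed outbound connections and admits inbound packets only for them."""
    def __init__(self):
        self.conns = set()  # (src, sport, dst, dport) of allowed outbound flows

    def decide(self, p: Packet) -> str:
        if allow_web_out(p):
            self.conns.add((p.src, p.sport, p.dst, p.dport))
            return "allow"
        # a reply travels dst -> src relative to the recorded outbound tuple
        if p.direction == "in" and p.proto == "TCP" and (p.dst, p.dport, p.src, p.sport) in self.conns:
            return "allow"
        return "deny"

# Constructed sample traffic: a client's web request, the server's reply, and an inbound ACK with no connection.
SYN = Packet("out", "192.168.1.10", "203.0.113.5", "TCP", 40000, 80, frozenset({"SYN"}))
SYNACK = Packet("in", "203.0.113.5", "192.168.1.10", "TCP", 80, 40000, frozenset({"SYN", "ACK"}))
STRAY = Packet("in", "203.0.113.5", "192.168.1.10", "TCP", 80, 45000, frozenset({"ACK"}))
```

The STRAY packet shows the difference: the stateless filter passes it because its headers match the reply rule, while the stateful filter denies it because no matching outbound connection was recorded.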

2. Host-Based

Modern OSes come with built-in host-based firewalls.

Intrusion Detection (IDS)

Detect and document malicious/anomalous activity.

Host-Based: File integrity, user behavior, process behavior, logs and audit.

Network: Deep packet inspection, network traffic/flow.

Host-based IDSes typically have more overhead.

IDS Approaches

  1. Signature-based: Static rules
  2. Anomaly Detection: Dynamic statistical rules.

Intrusion Prevention (IPS)

Like IDS, except it also takes action to block the activity.

False positives and negatives are hard to predict.

Remember: Rulesets need to be kept up-to-date, and tools aren’t foolproof.