
Understanding Firewalls and IPS Technology

Dec 26, 2024

Network-Based Firewalls and Intrusion Prevention Systems (IPS)

Network-Based Firewalls

  • Role and Function: A network appliance that allows or blocks the traffic passing through it.
    • Decisions can be based on:
      • Port numbers (traditional firewalls)
      • Applications (Next Generation Firewalls - NGFW)
    • Also serves as:
      • VPN endpoints/concentrators for point-to-point or remote access VPNs.
      • Routers or layer 3 devices for network address translation, dynamic routing, etc.
  • Next Generation Firewalls (NGFW)
    • Analyze traffic to discern specific applications.
    • Known as:
      • Application Layer Gateway
      • Stateful Multi-Layer Inspection Device
      • Deep Packet Inspection Device
    • Can recognize applications like:
      • HTTP (Port 80), HTTPS (Port 443)
      • SSH (Port 22)
      • Microsoft Remote Desktop (Port 3389)
      • DNS (Port 53)
      • Network Time Protocol (Port 123)
    • Allows security decisions to be based on the application itself, not only the port number.
  • Firewall Rule Base
    • Rules are evaluated from top to bottom.
    • Specific rules placed at the top; broad rules at the bottom.
    • Includes implicit deny for any unmatched traffic.
    • The rule base is also known as an Access Control List (ACL).
  • Example Firewall Rules
    • Rules allow specific traffic based on IP addresses, port numbers, and protocols.
    • Rules for allowing SSH, HTTP, HTTPS, Remote Desktop, DNS, and NTP traffic.
    • ICMP traffic that matches no rule falls through to the implicit deny and is dropped.
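
The rule-base behaviour described above (top-to-bottom evaluation, first match wins, implicit deny for anything unmatched, specific rules above broad ones), worked through as an added example in Python. This is not code from the original notes; the rule names, addresses (RFC 1918 and RFC 5737 documentation ranges) and sample packets are constructed. It also adds a small ordering check, `shadowed_rules`, which reports any rule that can never fire because an earlier, broader rule already covers it:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One entry in the rule base (ACL). All values here are constructed for the example."""
    name: str
    action: str               # "allow" or "deny"
    protocol: str             # "tcp", "udp", "icmp" or "any"
    src: str                  # source network in CIDR form
    dst: str                  # destination network in CIDR form
    dst_port: Optional[int]   # None means any port (ICMP carries no port)


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this packet satisfy every field of the rule?"""
    if rule.protocol not in ("any", pkt.protocol):
        return False
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dst_port is None or rule.dst_port == pkt.dst_port


def evaluate(rule_base: list, pkt: Packet) -> tuple:
    """Walk the rule base top to bottom; the first match decides.
    Anything that reaches the end is dropped by the implicit deny."""
    for rule in rule_base:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet that would match `later` is already matched by `earlier`."""
    proto_ok = earlier.protocol in ("any", later.protocol)
    src_ok = ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
    dst_ok = ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
    port_ok = earlier.dst_port is None or earlier.dst_port == later.dst_port
    return proto_ok and src_ok and dst_ok and port_ok


def shadowed_rules(rule_base: list) -> list:
    """Ordering check: names of rules that can never fire because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rule_base)
            if any(covers(e, r) for e in rule_base[:i])]


# Constructed addresses (RFC 1918 and RFC 5737 ranges), not a real deployment.
ANY = "0.0.0.0/0"
INTERNAL = "10.1.0.0/16"
ADMIN_HOST = "10.1.5.20/32"
DNS_SERVER = "10.1.0.53/32"
NTP_SERVER = "10.1.0.123/32"
WEB_SERVER = "203.0.113.10/32"

# Specific host-to-host rules first, broader "from anywhere" rules below them.
RULE_BASE = [
    Rule("ssh-from-admin-only", "allow", "tcp", ADMIN_HOST, INTERNAL, 22),
    Rule("rdp-from-admin-only", "allow", "tcp", ADMIN_HOST, INTERNAL, 3389),
    Rule("dns-to-resolver",     "allow", "udp", INTERNAL, DNS_SERVER, 53),
    Rule("ntp-to-timeserver",   "allow", "udp", INTERNAL, NTP_SERVER, 123),
    Rule("http-to-webserver",   "allow", "tcp", ANY, WEB_SERVER, 80),
    Rule("https-to-webserver",  "allow", "tcp", ANY, WEB_SERVER, 443),
]

# Constructed sample packets.
SAMPLES = {
    "admin-ssh":  Packet("tcp", "10.1.5.20", "10.1.7.8", 22),
    "user-ssh":   Packet("tcp", "10.1.9.9", "10.1.7.8", 22),
    "inet-https": Packet("tcp", "198.51.100.7", "203.0.113.10", 443),
    "inet-ping":  Packet("icmp", "198.51.100.7", "203.0.113.10"),
    "user-dns":   Packet("udp", "10.1.9.9", "10.1.0.53", 53),
}


def demo() -> dict:
    return {name: evaluate(RULE_BASE, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:12} -> {action:5} ({rule})")
    print("shadowed:", shadowed_rules(RULE_BASE))
```

Run it directly to see each sample packet's verdict. Placing a broad `deny tcp any any 22` above `ssh-from-admin-only` makes the check report the admin rule as shadowed and turns the admin SSH verdict into a deny, which is the ordering mistake the notes warn about.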

Intrusion Prevention Systems (IPS)

  • Integration with Firewalls: Often included in NGFWs with their own rule base.

  • Functionality
    • Monitors real-time traffic for malicious software.
    • Uses signature-based detection (e.g., for Conficker worm).
    • Can also detect anomalous behaviour, such as SQL injection attempts against a database.
  • IPS Rules and Signatures
    • IPS contains thousands of signatures.
    • Broad decisions can be made by grouping rules.
    • Rules can be enabled, disabled or tuned to balance security against false positives.
    • Example rules include detection of malware or worms based on specific port numbers and protocols.
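
An added example (not from the original notes) of the two detection styles listed above, written in Python. The signatures, group names, the `WORM-EXAMPLE-BEACON` marker and the sample flows are all constructed for illustration; the worm entry is not a Conficker signature. It shows signature matching by protocol, port and payload content, an anomaly heuristic for SQL-injection-like request lines that is independent of any signature, and the per-group tuning and per-signature disabling an operator uses to trade coverage against false positives:

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    """One IPS signature. These are constructed for the example, not vendor rules."""
    sid: int
    name: str
    group: str               # signatures are grouped so a whole group can be tuned at once
    protocol: str
    dst_port: Optional[int]  # None matches any port
    pattern: bytes           # content to look for in the payload (matched case-insensitively)


@dataclass(frozen=True)
class Flow:
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Alert:
    sid: int
    name: str
    group: str
    action: str              # "drop" (blocked inline) or "alert" (logged only)


# Constructed signatures: an invented worm beacon marker on port 445, two
# SQL-injection indicators and a scanner user-agent on port 80.
SIGNATURES = [
    Signature(1001, "example-worm-beacon", "worm", "tcp", 445, b"WORM-EXAMPLE-BEACON"),
    Signature(2001, "sqli-union-select", "web-attack", "tcp", 80, b"UNION SELECT"),
    Signature(2002, "sqli-tautology", "web-attack", "tcp", 80, b"' OR '1'='1"),
    Signature(3001, "example-scanner-user-agent", "recon", "tcp", 80, b"User-Agent: ExampleScanner"),
]

# Anomaly heuristic independent of any signature: a request line carrying an unusual
# number of SQL metacharacters (quotes, semicolons, comment markers).
SQL_META = re.compile(rb"['\";]|--|/\*")


def sql_anomaly(payload: bytes, threshold: int = 3) -> bool:
    request_line = payload.split(b"\r\n", 1)[0]
    return len(SQL_META.findall(request_line)) >= threshold


class IPS:
    def __init__(self, signatures, default_action="drop"):
        self.signatures = list(signatures)
        self.default_action = default_action
        self.group_action = {}   # per-group override, e.g. {"recon": "alert"}
        self.disabled = set()    # sids switched off after proving to be false positives

    def tune_group(self, group, action):
        self.group_action[group] = action

    def disable(self, sid):
        self.disabled.add(sid)

    def _action_for(self, group):
        return self.group_action.get(group, self.default_action)

    def inspect(self, flow) -> list:
        """Return every alert the flow raises, signature hits first, then the anomaly check."""
        alerts = []
        for sig in self.signatures:
            if sig.sid in self.disabled or sig.protocol != flow.protocol:
                continue
            if sig.dst_port is not None and sig.dst_port != flow.dst_port:
                continue
            if sig.pattern.lower() in flow.payload.lower():
                alerts.append(Alert(sig.sid, sig.name, sig.group, self._action_for(sig.group)))
        if flow.protocol == "tcp" and flow.dst_port == 80 and sql_anomaly(flow.payload):
            alerts.append(Alert(9001, "anomaly-sql-metacharacters", "web-attack",
                                self._action_for("web-attack")))
        return alerts

    def verdict(self, flow) -> str:
        """Inline decision: block the flow if any firing rule says drop, otherwise let it pass."""
        return "drop" if any(a.action == "drop" for a in self.inspect(flow)) else "pass"


# Constructed sample flows (RFC 1918 and RFC 5737 addresses).
SAMPLE_FLOWS = {
    "normal-web": Flow("tcp", "198.51.100.7", "203.0.113.10", 80,
                       b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "sqli-web": Flow("tcp", "198.51.100.7", "203.0.113.10", 80,
                     b"GET /search?q=1' UNION SELECT user,pass FROM accounts;-- HTTP/1.1\r\n"
                     b"Host: www.example.com\r\n\r\n"),
    "worm-smb": Flow("tcp", "10.1.9.9", "10.1.7.8", 445, b"\x00\x00WORM-EXAMPLE-BEACON\x00"),
    "scanner-web": Flow("tcp", "198.51.100.7", "203.0.113.10", 80,
                        b"GET / HTTP/1.1\r\nUser-Agent: ExampleScanner/1.0\r\n\r\n"),
}


def demo() -> dict:
    ips = IPS(SIGNATURES)
    return {name: ips.verdict(flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} -> {verdict}")
```

Grouping matters for tuning: lowering the `recon` group to `alert` keeps the scanner signature logging without blocking, and `disable()` retires a single signature once it has proved noisy, while the `web-attack` group keeps its inline drop action.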

Network Segmentation

  • Screened Subnets: Utilized to protect internal networks by directing internet-sourced traffic to a non-sensitive area.
  • Firewall Placement: Typically at network ingress/egress points, separating internal networks from the internet.