Network Security
Intrusion Detection & Prevention Systems
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are integral tools in network security. Both IDS and IPS analyze entire packets, including the header and payload, in search of recognized events.
- IDS: When a known event is detected, a log message is generated, and optionally a report or an alert. An IDS observes, logs, and optionally alerts; it does not block traffic.
- IPS: When a known event is detected, the packet is dropped (or the connection reset) as well as logged. An IPS takes action, which is why it has to sit in the traffic path.
Types of IDS Systems
- Behavior-based IDS
  - Forms a baseline of activity to establish what constitutes normal behavior.
  - Measures current activity against the baseline to spot abnormal behavior.
  - Can detect previously unknown attack methods.
  - Prone to false positives: any legitimate change in usage looks abnormal until the baseline is retrained.
- Knowledge-based IDS
  - Uses signatures, akin to the signature definitions adopted by anti-malware software.
  - Only effective against known attack methods; signatures must be kept current, and a new attack is invisible until a signature for it is published.
Both host-based (HIDS) and network-based (NIDS) systems can be knowledge-based, behavior-based, or a mix of the two.
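As an added example (not part of the original notes), here are the two detection styles run over one constructed set of web-server log lines in Python. The log format, the three signatures, the three-minute training window and the 3-sigma threshold are all assumptions made for illustration.

```python
"""Knowledge-based vs behaviour-based detection over one set of log lines.

The knowledge-based detector matches fixed signatures against the request
path; the behaviour-based detector learns a per-client request rate from a
training window and flags later minutes that exceed the baseline.

Everything here is constructed for illustration: the log lines, the
signatures and the thresholds do not come from a real sensor.
"""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed log lines: "<client> <minute> <method> <path>". Minutes 1-3 are
# ordinary browsing; minute 4 adds a SQL-injection probe, a traversal probe
# and a directory brute-force from a client not seen before.
SAMPLE_LOG = """\
10.0.0.5 1 GET /index.html
10.0.0.5 1 GET /about.html
10.0.0.9 1 GET /index.html
10.0.0.5 2 GET /contact.html
10.0.0.9 2 GET /news.html
10.0.0.5 3 GET /index.html
10.0.0.9 3 GET /index.html
10.0.0.5 4 GET /login?user=admin'%20OR%201=1--
10.0.0.9 4 GET /cgi-bin/../../etc/passwd
10.0.0.7 4 GET /admin
10.0.0.7 4 GET /backup.zip
10.0.0.7 4 GET /.env
10.0.0.7 4 GET /wp-login.php
10.0.0.7 4 GET /phpmyadmin/
10.0.0.7 4 GET /.git/config
"""

# Knowledge base: each signature describes one already-known attack string.
SIGNATURES = {
    "directory-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"(?i)(%27|')(%20|\s)*or(%20|\s)+\d+=\d+"),
    "xss": re.compile(r"(?i)<script"),
}


def parse(log_text):
    """Turn the constructed log format into (client, minute, method, path) tuples."""
    records = []
    for line in log_text.splitlines():
        if line.strip():
            client, minute, method, path = line.split(maxsplit=3)
            records.append((client, int(minute), method, path))
    return records


def knowledge_based(records):
    """Signature matching: returns (client, minute, signature) for every hit.
    Only attacks that have an entry in SIGNATURES can ever be reported."""
    hits = []
    for client, minute, _method, path in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((client, minute, name))
    return hits


def behavior_based(records, training_minutes, sigma=3.0):
    """Anomaly detection: learn requests-per-client-per-minute from the
    training window, then flag (client, minute, count) outside that window
    when count exceeds mean + sigma * standard deviation of the baseline."""
    counts = Counter((client, minute) for client, minute, _m, _p in records)
    baseline = [n for (_c, minute), n in counts.items() if minute in training_minutes]
    threshold = mean(baseline) + sigma * pstdev(baseline)
    flagged = sorted((client, minute, n) for (client, minute), n in counts.items()
                     if minute not in training_minutes and n > threshold)
    return threshold, flagged


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("signature hits:", knowledge_based(recs))
    thr, anomalies = behavior_based(recs, training_minutes={1, 2, 3})
    print(f"baseline threshold {thr:.2f} req/min, anomalies: {anomalies}")
```

The brute-force client 10.0.0.7 never sends a known attack string, so only the behaviour-based detector sees it; the SQL-injection and traversal probes arrive at a normal rate, so only the signatures catch them. Note how brittle a baseline built from six samples is: in practice the training window spans days and is re-learned on a schedule, which is exactly where the false positives come from.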
IDS/IPS Classification by Deployment
- Host-based (HIDS/HIPS)
  - Deployed in software form on the host it protects, often a server.
  - HIDS observes and logs known events in the whole packets reaching that host, and can also watch host-level activity such as system logs, running processes and file integrity.
  - HIPS rejects the packet (or blocks the action) when a known event is detected.
- Network-based (NIDS/NIPS)
  - Typically a dedicated appliance at the network level, watching a whole segment rather than a single host.
Modes of Operation for Network-based IDS and IPS
- Inline (In-band)
  - Traffic flows through the device, so it can drop packets; this is the only mode in which an IPS can actually prevent anything.
  - Positioned on or near the firewall to add a security layer, sometimes integrated with a switch close to the firewall.
- Passive (Out-of-band)
  - Traffic doesn't flow through the NIDS/NIPS; the device receives a copy from a mirror (SPAN) port or a network tap.
  - Sensors and collectors forward the copied traffic and the resulting alerts to the NIDS. A passive sensor can detect and alert but cannot block.
Sensors and collectors can be strategically placed in a network. For instance, a sensor on the internet side can inspect all inbound traffic. But remember that running all traffic through an inline setup is resource-intensive, adds latency, and makes the device a single point of failure, so decide up front whether it should fail open or fail closed. Position sensors where they best serve your network's needs.
Secure Network Design
Understanding and leveraging secure network designs can significantly enhance the overall protection of systems and data. Here's a concise breakdown:
Bastion Host
A Bastion Host is a computer or appliance with exposure to the internet. It undergoes hardening, which means all unnecessary elements, such as non-essential services, programs, protocols, and ports, are eliminated.
Key characteristics of a Bastion Host:
- Only necessary ports are open.
- Removal of non-essential elements.
- Examples include a hardened SSH jump host or a public-facing web or mail server placed in a screened subnet (a hardened browser on a workstation is not a bastion host).
Screened Host
A Screened Host is a system protected by a packet-filtering firewall or router and logically located just inside the private network; the firewall screens traffic so that only permitted connections reach the host.
It is more secure than exposing the host directly, but because the host still sits on the internal network, compromising it gives an attacker a foothold inside. The Screened Subnet below removes that weakness.
Screened Subnet
Conceptually akin to a Screened Host, a Screened Subnet (commonly called a DMZ) is a subnet positioned between two routers or firewalls: the outer one screens traffic from the internet, the inner one screens traffic into the private network. A Bastion Host is typically situated within this subnet, so a compromise of it is contained to the subnet rather than the private network.
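An added illustration (not from the original notes) of the screened-subnet design expressed as a zone-based, first-match firewall policy in Python. The addresses (documentation and private ranges), the hosts named WEB_BASTION, MAIL_BASTION and DATABASE, and the rules themselves are assumptions made for this example.

```python
"""First-match, default-deny zone policy for a screened subnet.

Illustrative policy for the two-firewall design: the screened subnet (DMZ)
holds the bastion hosts, the private network sits behind the inner firewall.
Addresses are documentation/private ranges and the rules are constructed for
this example, not taken from a real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONES = {
    "dmz": ip_network("203.0.113.0/24"),      # screened subnet with the bastion hosts
    "internal": ip_network("10.0.0.0/8"),      # private network behind the inner firewall
    "internet": ip_network("0.0.0.0/0"),       # everything else; checked last
}


def zone_of(addr):
    """Return the most specific zone containing addr; the catch-all comes last."""
    ip = ip_address(addr)
    for name, net in ZONES.items():            # dict order is insertion order
        if ip in net:
            return name


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                 # "allow" or "deny"
    src_hosts: tuple = ()       # empty = any host in src_zone
    dst_hosts: tuple = ()       # empty = any host in dst_zone
    proto: str = "any"
    ports: tuple = ()           # empty = any destination port

    def matches(self, flow):
        src, dst, proto, dport = flow
        return (zone_of(src) == self.src_zone
                and zone_of(dst) == self.dst_zone
                and (not self.src_hosts or src in self.src_hosts)
                and (not self.dst_hosts or dst in self.dst_hosts)
                and self.proto in ("any", proto)
                and (not self.ports or dport in self.ports))


WEB_BASTION, MAIL_BASTION, DATABASE = "203.0.113.10", "203.0.113.25", "10.0.5.20"

POLICY = [
    # Outer firewall: the internet may reach only the hardened bastion hosts,
    # and only on the ports they are meant to serve.
    Rule("internet", "dmz", "allow", dst_hosts=(WEB_BASTION,), proto="tcp", ports=(80, 443)),
    Rule("internet", "dmz", "allow", dst_hosts=(MAIL_BASTION,), proto="tcp", ports=(25,)),
    # Inner firewall: nothing from the internet reaches the private network
    # directly, and a compromised bastion reaches only the backend it needs.
    Rule("internet", "internal", "deny"),
    Rule("dmz", "internal", "allow", src_hosts=(WEB_BASTION,), dst_hosts=(DATABASE,),
         proto="tcp", ports=(5432,)),
    Rule("dmz", "internal", "deny"),
    # Inside users may manage the DMZ and browse the web.
    Rule("internal", "dmz", "allow"),
    Rule("internal", "internet", "allow", proto="tcp", ports=(80, 443)),
]


def evaluate(flow, policy=POLICY):
    """flow = (src_ip, dst_ip, proto, dst_port). The first matching rule decides;
    a flow that matches nothing is denied, which keeps the design safe when a
    rule has been forgotten."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "deny"


if __name__ == "__main__":
    for flow in [("198.51.100.7", WEB_BASTION, "tcp", 443),
                 ("198.51.100.7", WEB_BASTION, "tcp", 22),
                 ("198.51.100.7", DATABASE, "tcp", 5432),
                 (WEB_BASTION, DATABASE, "tcp", 5432),
                 (MAIL_BASTION, DATABASE, "tcp", 5432)]:
        print(flow, "->", evaluate(flow))
```

The point of the two deny rules plus the default deny is containment: an attacker who takes over the mail bastion can reach nothing inside, and one who takes over the web bastion reaches exactly one database port and nothing else.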
Proxy Server
A Proxy Server acts on behalf of the client: it forwards the client's request to the destination, which sees the proxy's address rather than the client's true origin. It is prevalent in corporate environments for internet browsing, where it also enforces URL filtering and caches content for performance.
Network Attacks
Botnets
A botnet is a collection of compromised computing devices, often referred to as bots or zombies. These devices are infected with malicious software that allows them to be controlled remotely by an attacker.
Bot Herder
The person or entity in charge of the botnet. They use a command and control server to remotely manage the compromised devices (zombies).
Botnets are frequently used to launch distributed denial-of-service (DDoS) attacks, spread malware, send spam emails, and conduct other malicious activities.
Teardrop Attack
- Description: A DoS attack that sends mangled IP fragments whose offsets overlap (and whose lengths do not add up) to a target machine.
- Effect: The target's IP stack tries, and fails, to reassemble the fragments, which on vulnerable systems led to crashes.
Fraggle Attack
- Description: A DoS attack where the attacker sends a large volume of UDP packets, with the source address spoofed to the victim's, to a network's broadcast address, typically aimed at the UDP echo (7) or chargen (19) services so that every host on the subnet replies to the victim. It's akin to the smurf attack but uses UDP instead of ICMP traffic.
Land Attack
- Description: Layer 4 DoS attack where both the source and destination addresses (and ports) in a TCP segment are set to the victim's own, so the machine appears to open a connection to itself.
- Effect: Vulnerable machines might crash or freeze because the TCP stack keeps trying to process the confusing packet, replying to itself in a loop.
SYN Flood
- Description: A DoS attack where attackers send a stream of SYN requests (the initiation step of the TCP handshake) to a target, usually from spoofed source addresses, and never complete the handshake.
- Effect: Each unanswered SYN leaves a half-open connection in the server's backlog; once the backlog is full, the system stops accepting legitimate connections.
TCP 3-way Handshake
The TCP 3-way handshake is the process used in a TCP/IP network to establish a connection between a client and a server.
- SYN: The client sends a SYN (synchronize) packet to the server.
- SYN-ACK: The server responds with a SYN-ACK (synchronize-acknowledge) packet.
- ACK: The client replies with an ACK (acknowledge), and the connection is established.
This handshake ensures both the client and server are ready for data transmission. Think of it as a polite introduction. Before two people (client and server) have a detailed conversation (data exchange), they introduce themselves and acknowledge each other.
Smurf Attack
- Description: Sends ICMP echo requests, with the source address spoofed to the victim's, to the broadcast address of an amplification network (a network whose hosts all answer broadcast messages), so the victim is inundated with echo replies from every host on that network.
Ping of Death
- Description: Involves sending an abnormally large ping packet. The maximum IPv4 datagram size is 65,535 bytes (the total-length field is 16 bits). Ping of Death sends fragments that reassemble to more than 65,535 bytes, overflowing the reassembly buffer on vulnerable systems.
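The attacks in this section and the 3-way handshake above, as an added example (not code from the original notes): a small Python detector that applies header-level checks to a constructed sequence of packet records. The packet dict format, the helper functions tcp() and frag(), the x.y.z.255 broadcast convention and the HALF_OPEN_LIMIT of 3 are all assumptions for the example.

```python
"""Header-level checks for the DoS patterns above, plus handshake tracking for
the SYN flood, run over constructed packet records. Packets are plain dicts,
not real captures; addresses and thresholds are illustrative."""
from collections import defaultdict

IPV4_MAX_DATAGRAM = 65535     # the IPv4 total-length field is 16 bits
HALF_OPEN_LIMIT = 3           # tiny so the sample stays short; real sensors use far more


def is_broadcast(addr):
    """Constructed convention: x.y.z.255 is the directed broadcast of a /24."""
    return addr.endswith(".255")


class DosDetector:
    def __init__(self, half_open_limit=HALF_OPEN_LIMIT):
        self.half_open_limit = half_open_limit
        self.fragments = defaultdict(list)    # (src, dst, ip_id) -> [(start, end), ...]
        self.half_open = defaultdict(set)     # (server, port) -> {(client, port), ...}
        self.alerts = []

    def feed(self, pkt):
        for check in (self._land, self._fragments, self._amplification, self._syn_flood):
            name = check(pkt)
            if name:
                self.alerts.append((name, pkt["src"], pkt["dst"]))
        return self.alerts

    def _land(self, pkt):
        """Land: a TCP segment addressed from the victim to itself."""
        if pkt["proto"] == "tcp" and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]:
            return "land"

    def _fragments(self, pkt):
        """Teardrop: a fragment overlaps one already seen for the same datagram.
        Ping of death: the reassembled datagram would exceed 65,535 bytes."""
        if "frag_off" not in pkt:
            return None
        start = pkt["frag_off"] * 8           # the offset field counts 8-byte units
        end = start + pkt["payload_len"]
        seen = self.fragments[(pkt["src"], pkt["dst"], pkt["ip_id"])]
        verdict = None
        if end > IPV4_MAX_DATAGRAM:
            verdict = "ping-of-death"
        elif any(start < e and s < end for s, e in seen):
            verdict = "teardrop"
        seen.append((start, end))
        return verdict

    def _amplification(self, pkt):
        """Smurf and fraggle: echo traffic aimed at a broadcast address so that
        every host on that subnet answers the (spoofed) source."""
        if not is_broadcast(pkt["dst"]):
            return None
        if pkt["proto"] == "icmp" and pkt.get("type") == "echo-request":
            return "smurf"
        if pkt["proto"] == "udp":
            return "fraggle"

    def _syn_flood(self, pkt):
        """Track the 3-way handshake per service: a client's SYN (step 1) opens a
        half-open entry; only its final ACK (step 3) closes it. The server's
        SYN-ACK (step 2) leaves the entry half-open."""
        if pkt["proto"] != "tcp":
            return None
        flags, client, service = pkt["flags"], (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
        if flags == {"SYN"}:
            self.half_open[service].add(client)
            if len(self.half_open[service]) == self.half_open_limit + 1:  # alert once, on crossing
                return "syn-flood"
        elif flags == {"ACK"}:
            self.half_open[service].discard(client)


def tcp(src, dst, sport, dport, *flags):
    return {"proto": "tcp", "src": src, "dst": dst, "sport": sport, "dport": dport, "flags": set(flags)}


def frag(src, dst, ip_id, frag_off, payload_len):
    return {"proto": "icmp", "src": src, "dst": dst, "ip_id": ip_id,
            "frag_off": frag_off, "payload_len": payload_len}


# Constructed packet sequence: one honest handshake, then each attack in turn.
SAMPLE_PACKETS = [
    tcp("10.0.0.5", "10.0.0.80", 40000, 80, "SYN"),          # step 1
    tcp("10.0.0.80", "10.0.0.5", 80, 40000, "SYN", "ACK"),   # step 2
    tcp("10.0.0.5", "10.0.0.80", 40000, 80, "ACK"),          # step 3: established
    tcp("10.0.0.99", "10.0.0.99", 80, 80, "SYN"),            # land
    *[tcp(f"198.51.100.{i}", "10.0.0.80", 1024 + i, 80, "SYN") for i in range(1, 6)],  # SYN flood
    frag("198.51.100.9", "10.0.0.80", ip_id=1, frag_off=0, payload_len=1480),
    frag("198.51.100.9", "10.0.0.80", ip_id=1, frag_off=8190, payload_len=100),   # ends at 65,620
    frag("198.51.100.9", "10.0.0.80", ip_id=2, frag_off=0, payload_len=36),
    frag("198.51.100.9", "10.0.0.80", ip_id=2, frag_off=3, payload_len=24),       # starts at 24 < 36
    {"proto": "icmp", "src": "10.0.0.80", "dst": "198.51.100.255", "type": "echo-request"},  # smurf
    {"proto": "udp", "src": "10.0.0.80", "dst": "198.51.100.255", "sport": 7, "dport": 7},  # fraggle
]


def run(packets):
    detector = DosDetector()
    for pkt in packets:
        detector.feed(pkt)
    return detector.alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_PACKETS):
        print(alert)
```

The honest handshake leaves no half-open entry because the client's ACK removes it; the flood sources never send that ACK, which is the whole attack. Each check is deliberately a pure header test with no payload inspection, which is why these particular attacks are cheap for an inline device to drop.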
Network Defense: Honeypot
A Honeypot is essentially a decoy system or network resource with intentional flaws and fake data.
- Purpose: To attract potential attackers, allowing you to monitor their activities and study their techniques.
- Rule: Enticement, NOT entrapment. A honeypot may lure an attacker who is already probing you, but it must not induce someone to commit an offence they were not otherwise going to commit, for instance by actively inviting them to download fake payroll files. Why? If legal or insurance matters arise, improper handling might jeopardize claims or cases.
- Goal: Deflect attackers from genuine assets and keep them contained long enough to gather intelligence or for possible identification.
As long as attackers are in the honeypot, they are not in the live network, and our administrators can observe. For example, our intrusion detection system may be able to transfer attackers into a padded cell (an isolated, simulated environment) after detection.
Honeynet
A Honeynet is an extension of the honeypot concept, but it involves a whole network set up for the same deceptive purpose.