Firewalls and Intrusion Detection Systems

Ardeliza Lansang

Technologies for Intrusion Detection   

Prompt: Both firewalls and intrusion detection systems are used to monitor network traffic and implement network security policies. Research these technologies and determine how they are similar and how they differ. Are both needed? Explain your answer in a short paper. (SNHU. n.d.)

BRIEF INTRODUCTION:

Technology has enhanced our functional lives by providing us with innovations (e.g., stationary and portable devices). It has also developed various modes of communication (e.g., VoIP, video conferencing, email, SMS). These advancements have allowed individuals and businesses to remain connected with one another, continuously and globally, regardless of time and space.

Concurrently, the digital or information age has also produced serious network concerns and threats. The prevalent problems range from phishing, scamming, cyber-bullying to network services disruption (such as DoS, or denial of service), information or identity theft and information sabotage. Cyber or Internet crimes have resulted in diminishing or halting productivity. They have also caused victims to suffer physical, mental, emotional and financial loss.

To counter these risks, various software and hardware products have been manufactured to prevent and combat unauthorized access to network systems. Implementing the necessary security measures can eliminate or decrease the ongoing vulnerability to cyber violations. In addition to having a stable security infrastructure, it is crucial to raise awareness of any threats among users and to remind them of their responsibilities toward maintaining security and how to work against malicious activities (e.g., using secure passwords, keeping software and the OS current, safeguarding sensitive information, etc.).

FIREWALL:

A firewall is hardware or software (or a combination of both) that sits between a LAN and the Internet. Acting as a barrier between a trusted and an untrusted network, its main function is to filter traffic in a networked environment by blocking unauthorized or harmful activities and permitting authorized communications. By monitoring the incoming and outgoing network traffic, a firewall is fundamentally the first line of peripheral defense against any intrusions. (Bradley.)

A firewall not only enhances the security of a host or a network but also protects and shields the applications, services, and machines that are attached to the network system. By checking data packets, it allows nonthreats to pass through. Conversely, it either drops, erases, denies or returns threats to the sender. (Sherman.)

Types of firewalls:

  • Packet filters: Packet filtering is the process of allowing or blocking packets at a network interface by checking source and destination addresses, destination port numbers, and/or protocols. In a software firewall, a packet filter program examines the header of each packet against a specific set of rules, and the packet is either passed (called ACCEPT) or blocked (called DROP). (TechTarget.com.)
  • Stateful inspection: This firewall technology (also known as dynamic packet filtering) monitors the state of active connections. Based on this information and by analyzing packets down to the application layer, it determines which network packets to permit through the firewall. It monitors and tracks communications packets over a length of time. (TechTarget.com.)
  • Proxies: Proxy firewalls, in combination with stateful inspection firewalls, perform deep application inspection (e.g., of layer 7 protocols such as HTTP and FTP). Unlike stateful firewalls, which cannot inspect application layer traffic, proxies can prevent an HTTP-based attack. This is achieved by making the firewall act as a proxy, i.e., after the client opens a connection to the firewall, the firewall opens a separate connection to the server on behalf of the client (without the client’s knowledge). (TechTarget.com.)
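The difference between the first two types can be seen in a short sketch. This is an added example, not part of the original paper: the rule set, addresses and class names are constructed for illustration, and the connection table is simplified (no TCP flags or timeouts).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

# Constructed rule set: (source net, destination net, protocol, destination port, action).
# None matches anything. The first matching rule wins.
RULES = [
    ("10.0.0.0/24", "0.0.0.0/0", "tcp", 443, "ACCEPT"),  # LAN to Internet, HTTPS only
    ("0.0.0.0/0", "0.0.0.0/0", None, None, "DROP"),      # default deny
]

def packet_filter(pkt, rules=RULES):
    """Stateless check: only the header fields of this one packet are examined."""
    for src_net, dst_net, proto, dport, action in rules:
        if (ip_address(pkt.src) in ip_network(src_net)
                and ip_address(pkt.dst) in ip_network(dst_net)
                and proto in (None, pkt.proto)
                and dport in (None, pkt.dport)):
            return action
    return "DROP"

class StatefulFirewall:
    """Dynamic packet filtering: remembers the connections the rules accepted."""
    def __init__(self, rules=RULES):
        self.rules = rules
        self.connections = set()

    def check(self, pkt):
        # A reply is the exact reverse of a flow that is already being tracked.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.connections:
            return "ACCEPT"
        action = packet_filter(pkt, self.rules)
        if action == "ACCEPT":
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return action
```

With these rules the stateless filter drops the server's reply to an outbound HTTPS request, because nothing in the reply's header matches an ACCEPT rule; the stateful firewall accepts that reply and still drops an unsolicited inbound packet.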

Benefits of firewall:

  • Protects against routing-based attacks
  • Controls access to systems
  • Ensures privacy

Drawbacks of firewall:

  • Difficult to configure
  • Possibility of blocking nonthreats or useful services
  • Could allow back door attack (via modem access)
  • No antivirus protection
  • Possible performance problems (or, cause potential bottleneck)
  • Security tends to be concentrated in a single spot

INTRUSION DETECTION SYSTEMS (IDS):

An IDS can also be software- or hardware-based, such as a separate computer, that monitors network activity in a single computer, or a specific network or multiple networks within a WAN. It attempts to identify and evaluate a suspected intrusion once it has occurred by signaling an alarm and trying to stop it. It is akin to a smoke detector that raises an alarm at the signs of threat. (Pfleeger and Pfleeger.)

It oversees traffic by identifying patterns of activity and comparing the information to attacks that are already listed in the IDS database. For example, detected anomalies are compared with normal levels, i.e., a high level of or a spike in packet size or activity could mean a hacking attack. The technology is typically used to enforce corporate policy and is not configured to drop, delete or deny traffic. It primarily generates warning signals or alarms. (Sherman.)
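The two detection approaches described above, as an added example that is not part of the original paper. The signature database, baseline figures and sample packets are constructed, and the function names are hypothetical.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed signature database: name -> byte pattern seen in known attacks.
SIGNATURES = {
    "path-traversal": b"../../",
    "sql-injection": b"' OR '1'='1",
}

# Constructed baseline: packets per minute per host observed during normal operation.
BASELINE = [4, 6, 5, 5, 4, 6]

# Constructed sample traffic: (timestamp in seconds, source address, payload).
SAMPLE = ([(t, "10.0.0.5", b"GET /index.html") for t in range(0, 50, 10)]
          + [(60 + t, "10.0.0.9", b"\x00" * 8) for t in range(40)]
          + [(130, "10.0.0.5", b"GET /../../etc/passwd")])

def signature_alerts(packets):
    """Compare each payload with the patterns in the signature database."""
    alerts = []
    for ts, src, payload in packets:
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                alerts.append((ts, src, "signature:" + name))
    return alerts

def anomaly_alerts(packets, baseline, window=60, k=3.0):
    """Flag sources whose packets per window exceed mean + k * stddev of the baseline."""
    threshold = mean(baseline) + k * pstdev(baseline)
    counts = Counter((src, ts // window) for ts, src, _ in packets)
    return [(bucket * window, src, "anomaly:rate=%d" % n)
            for (src, bucket), n in sorted(counts.items()) if n > threshold]

def ids(packets, baseline):
    """Detection only: no packet is dropped; the result is a list of alarms."""
    return sorted(signature_alerts(packets) + anomaly_alerts(packets, baseline))
```

Running `ids(SAMPLE, BASELINE)` raises one alarm for the 40-packet burst from 10.0.0.9 and one for the traversal pattern, while the five ordinary requests produce none.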

IDS can be network based or host based:

  • NIDS (Network Intrusion Detection Systems), which are placed at a strategic point or points within the network, oversee inbound and outbound traffic among all devices on the network. In this system, anti-threat software is installed only on specific servers that interface between the external environment and the internal network. (TechTarget.com.)
  • HIDS (Host Intrusion Detection Systems), which run on individual hosts or devices on the network, monitor the incoming and outgoing packets from the device only and will signal an alert when suspicious activity is identified. In this system, anti-threat applications (e.g., firewalls, antivirus and spyware-detection software) are installed on every computer that is connected to the network system and has access to the Internet. (TechTarget.com.)

Benefits of IDS:

  • Enables the detection of external hackers and internal network-based attacks
  • Can be scaled easily, providing protection for the entire network
  • Accommodates in-depth defense
  • Allows an additional layer of protection

Drawbacks of IDS:

  • Produces false reports (positives and negatives)
  • Acknowledges attacks but does not prevent them
  • Expensive to implement, requiring full-time monitoring and highly-skilled staff
  • Requires a complex event-response process
  • Unable to monitor traffic at higher transmission rates
  • Produces a tremendous amount of data to be analyzed
  • Vulnerable to “low and slow” attacks
  • Cannot deal with encrypted network traffic

CONCLUSION:

A firewall and an IDS complement one another. While a firewall limits network access to prevent intrusions or watches out for intrusions to prevent them from occurring, it does not signal an attack from inside the network the way an IDS does. While a firewall can block traffic or a connection, an IDS cannot. It can only alert on intrusion attempts. It monitors attacks and evaluates intrusions that are specifically designed to be overlooked by a firewall’s filtering rules. A firewall is analogous to a security guard at the gate, and an IDS device is a security camera after the gate. Another analogy that can be used is that a firewall is akin to installing locks on doors to prevent intrusion; an IDS is akin to installing security systems with alarms. (TechTarget.com.)

References

Barbish, J. J. (n.d.). Chapter 29. Firewalls. Retrieved on March 6, 2017 from https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

Bradley, T. (August 21, 2016). Introduction to Intrusion Detection Systems (IDS). Retrieved on March 6, 2017 from https://www.lifewire.com/introduction-to-intrusion-detection-systems-ids-2486799

Difference between Firewall and Intrusion Detection System. (n.d.). Retrieved on March 10, 2017 from http://www.omnisecu.com/security/infrastructure-and-email-security/difference-between-firewall-and-intrusion-detection-system.php

Firewall. (n.d.). Retrieved on March 10, 2017 from http://searchsecurity.techtarget.com/definition/firewall

Firewalls. (n.d.). Retrieved on March 10, 2017 from http://csc.columbusstate.edu/summers/Research/NetworkSecurity/security/firewalls.htm

Gattine, K. (n.d.). Types of firewalls: An introduction to firewalls. Retrieved on March 10, 2017 from http://searchnetworking.techtarget.com/tutorial/Introduction-to-firewalls-Types-of-firewalls

HIDS/NIDS (host intrusion detection systems and network intrusion detection systems). (n.d.). Retrieved on March 10, 2017 from http://searchsecurity.techtarget.com/definition/HIDS-NIDS

IDS/IPS Pros and Cons. (n.d.). Retrieved on March 10, 2017 from http://flylib.com/books/en/2.352.1.16/1/

Kurose, J. F., Ross, K. W. (2013). Computer Networking: A Top-Down Approach, 6th Edition. [MBS Direct]. Retrieved from https://mbsdirect.vitalsource.com/#/books/9780133464641/

Pfleeger, C. P. and Pfleeger, S. L. (March 28, 2003). Security in Networks. Retrieved on March 10, 2017 from http://www.informit.com/articles/article.aspx?p=31339&seqNum=5

Sherman, F. (n.d.). The Differences between a Firewall and an Intrusion Detection System. Retrieved on March 10, 2017 from http://smallbusiness.chron.com/differences-between-firewall-intrusion-detection-system-62856.html

Short Paper/Case Study Analysis Rubric. (n.d.). Retrieved on January 7, 2017 from https://bb.snhu.edu/webapps/blackboard/content/listContent.jsp?course_id=_107231_1&content_id=_14552222_1
