
Perimeter Devices

The document outlines key cybersecurity components including Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and firewalls, detailing their functionalities, benefits, limitations, and differences. It emphasizes the importance of these systems in threat detection, prevention, and regulatory compliance, while also addressing common misconceptions. Additionally, it provides insights into specific tools like SNORT and discusses the role of Network Address Translation (NAT) and Demilitarized Zones (DMZ) in network security.

Uploaded by chipo

Perimeter Devices

Outline
❑ IDS
❑ IPS
❑ Firewall
❑ NOC
❑ SOC
❑ SIEM
What Is IDS (Intrusion Detection System)?

• An intrusion detection system (IDS) is a cybersecurity solution that monitors network traffic and events for suspicious behavior.
• IDS security systems aim to detect intrusions and security breaches so that organizations can swiftly respond to potential threats.
The types of IDS include:

• Network-based: A network-based IDS (NIDS) is deployed at strategic points within a computer network, examining incoming and outgoing traffic. It focuses on monitoring network protocols, traffic patterns, and packet headers.
• Host-based: A host-based IDS (HIDS) is installed on individual machines or servers within an IT environment. It focuses on monitoring system logs and files to detect events such as unauthorized access attempts and abnormal changes to the system.
• Protocol-based: A protocol-based IDS is placed between a device and the server and monitors all traffic that passes between them.
• Application protocol-based: An application protocol-based IDS is placed within a group of servers and watches how they communicate with one another.
• Hybrid: A hybrid IDS combines both network-based and host-based approaches. This type of IDS provides a more complete view of events within the IT ecosystem.
Working of IDS

IDS tools work by analyzing network packets and comparing them with known attack signatures or behavioral patterns.

If the IDS believes that it has identified an intruder, it sends an alert to system administrators or security teams.

These alerts contain detailed information about the detected activity, letting employees quickly investigate and react.

IDS plays a vital role in maintaining the security and integrity of computer networks and systems.
The benefits of IDS include:

• Early threat detection: IDS tools can proactively defend against cyberattacks by detecting potential threats at an early stage of the intrusion.
• Greater visibility: IDS solutions enhance organizations’ visibility into their IT environment, helping security teams respond to attacks more quickly and effectively.
The limitations of IDS include:

• False positives and false negatives: IDS tools aren’t perfect; they can
generate both false positives (labeling benign events as threats) and
false negatives (failing to detect real threats).
• Inability to prevent attacks: IDS solutions can detect attacks once
they occur, but they are unable to prevent them from occurring in the
first place.
What Is IPS (Intrusion Prevention System)?

• An intrusion prevention system (IPS) is a cybersecurity solution that builds on the capabilities of IDS. IPS tools can not only detect potential intrusions but also actively prevent and mitigate them.
Types of IPS (the same categories as for IDS)
• Network-based: A network-based IPS (NIPS) is deployed at strategic points within a computer network, often at network gateways. It can protect the organization’s entire network, including multiple connected hosts and devices.
• Host-based: A host-based IPS (HIPS) is deployed on a specific machine or server, offering protection to a single host. It monitors system activities and can take actions to block or limit access to system resources.
• Wireless: Observes everything happening within a wireless network and defends against an attack launched from there.
• Network behavior: Spots attacks that involve unusual traffic on your network.
• Hybrid: A hybrid IPS combines both network-based and host-based approaches. For example, a hybrid IPS may be primarily network-based but also include features for protecting individual hosts.
The benefits of IPS include:

• Real-time threat prevention: IPS can block or mitigate identified threats in real time, providing 24/7 automated protection for IT environments.
• Enhanced network defense: Unlike IDS tools, IPS systems are able not only to detect threats but to take action to defend against them by blocking malicious and suspicious traffic.
The limitations of IPS include:

• Performance impact: IPS tools must examine all incoming and outgoing traffic, which can introduce latency and slow down network performance.
• Frequent updates: For maximum effectiveness, IPS solutions need to be regularly updated with the latest information about threat signatures, which can require significant time investment and expertise.
Differences Between IDS and IPS

• The main difference between IDS and IPS is that while IDS tools are
only capable of detecting intrusions, IPS tools can actively prevent
them as well.
❑ Functionality: IDS tools are restricted to detecting threats, while IPS
tools can both detect and prevent them.
❑ Response: IDS tools send alerts when a threat is detected, while IPS
tools can automatically block threats based on predefined security
policies or rules.
❑ Workflow: IDS tools passively monitor data flow, while IPS tools actively inspect network packets and take action to prevent or mitigate threats.
Advances in IDS/IPS Technology

• Machine learning and AI: IDS/IPS tools can use machine learning and
artificial intelligence to enhance their detection capabilities, learning
from historical data about cyber threats.
• Behavioral analysis: IDS/IPS tools can use a technique known as
behavioral analysis: comparing network traffic or user behavior to a
baseline that helps identify anomalies or deviations.
• Cloud-based deployments: With the increasing adoption of cloud
computing, many IDS/IPS tools can now be deployed in cloud-based
IT environments to make them more flexible and scalable.
IDS/IPS and Regulatory Compliance

❖ Installing IDS and IPS tools may be necessary for organizations to meet
regulatory compliance requirements. The use cases of IDS and IPS for
regulatory compliance include:
❖ Threat detection and incident response: IDS and IPS solutions actively
monitor network traffic, system logs, and events to detect and defend
against security threats.
❖ Protecting sensitive data: By blocking unauthorized access to confidential
information, IDS and IPS are invaluable tools for complying with data
privacy standards.
❖ Logging and reporting: IDS and IPS solutions generate system logs and
provide reporting capabilities that companies can use in the event of an
external audit.
Important Notes!
• Many data privacy and security regulations explicitly or implicitly require organizations to implement IDS and IPS tools.
• For example, PCI DSS is a security standard for businesses that handle payment card information.
• According to PCI DSS Requirement 11.4, companies must “use network intrusion detection and/or intrusion prevention techniques to detect and/or prevent intrusions into the network.”
IDS/IPS
• The GDPR (General Data Protection Regulation) is another regulation
that may require IDS/IPS solutions.
• The GDPR is a law in the European Union that safeguards the privacy
of citizens’ personal data.
• According to the GDPR, businesses must take “appropriate technical
and organizational measures” to protect this data against breaches
and unauthorized access, which could include deploying an IDS/IPS.
Misconceptions About IDS/IPS

• Total prevention: IDS and IPS tools cannot offer 100 percent protection against cyberattacks. They can only detect suspicious activity based on predefined rules and signatures, which limits them to known attack patterns.
• No other defenses required: IDS and IPS solutions can be highly
effective, but they are only one piece of the cybersecurity puzzle,
along with tools such as firewalls and antimalware software.
• Only useful for large enterprises: IDS/IPS technology is effective for
businesses of all sizes and industries, from tiny startups to huge
multinational firms.
IDS vs IPS
• IDS and IPS are crucial network security technologies often confused
or used interchangeably. So, what’s the difference between IDS and
IPS, and which one is the best choice for your organizational needs?
List of software solutions for IDS/IPS
• Cisco NGIPS
• Corelight and Zeek
• Fidelis Network
• FireEye Intrusion Prevention System
• Zscaler Cloud IPS
• Hillstone S-Series
• Snort
• McAfee Network Security Platform
• OSSEC
• Trend Micro TippingPoint
• Vectra Cognito
• BlueVector Cortex
What is SNORT ?

• SNORT is a network-based intrusion detection system written in the C programming language. It was developed in 1998 by Martin Roesch.
• It is now developed by Cisco.
• It is free, open-source software.
• It can also be used as a packet sniffer to monitor the system in real time. The network admin can use it to watch all incoming packets and find the ones that are dangerous to the system.
• It is based on the libpcap packet capture library.
• The rules are fairly easy to create and implement, and it can be deployed on any kind of operating system and in any kind of network environment.
• The main reason for the popularity of this IDS over others is that it is free to use and open source, so any user can adapt it to their own needs.
Features:
• Real-time traffic monitor
• Packet logging
• Analysis of protocol
• Content matching
• OS fingerprinting
• Can be installed in any network environment.
• Creates logs
• Open Source
• Rules are easy to implement
Installation Steps:

• In Linux:
• Step-1: wget https://www.snort.org/downloads/snort/snort-2.9.15.tar.gz
• Step-2: tar xvzf snort-2.9.15.tar.gz
• Step-3: cd snort-2.9.15
• Step-4: ./configure --enable-sourcefire && make && sudo make install
• In Windows:
• Step-1: Download the SNORT installer from https://www.snort.org/downloads/snort/Snort_2_9_15_Installer.exe
• Step-2: Execute Snort_2_9_15_Installer.exe
Different SNORT Modes:

• Sniffer Mode –
To print the TCP/IP headers use the command ./snort -v
To print the IP address along with the header use the command ./snort -vd
• Packet Logging –
To store packets on disk you need to give the path where you want to store the logs. The command for this is ./snort -dev -l ./SnortLogs
• Activate network intrusion detection mode –
To start this mode use the command ./snort -dev -l ./SnortLogs -h 192.127.1.0/24 -c snort.conf
Types of Rules in SNORT:

• There are 3 types of rules in SNORT:
• Alert Rules: These use the alert action to produce notifications.
• Logging Rules: These log each individual alert as soon as it is generated.
• Pass Rules: If the packet matches, it is ignored and dropped from further processing.
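To make the three rule actions concrete, here is a small evaluator for Snort-style rule headers, added as an illustration rather than taken from Snort itself. The rule set, the 192.168.1.0/24 network and the packets are constructed; it only understands the classic header form with the `->` direction, `any`, single IPs and CIDR networks, and reads the `msg` option.

```python
"""Minimal evaluator for Snort-style rule headers (alert / log / pass).

Added example, not Snort's own code. It handles the classic rule header
    action proto src_ip src_port -> dst_ip dst_port (msg:"..."; sid:N;)
with 'any', single IPs and CIDR networks; every option except msg is ignored.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str


def parse_rule(line: str) -> Rule:
    """Split a rule into its header fields and pull the msg option out."""
    header, _, options = line.partition("(")
    action, proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only the -> direction is supported in this example")
    msg = ""
    for option in options.rstrip(")").split(";"):
        key, _, value = option.strip().partition(":")
        if key == "msg":
            msg = value.strip().strip('"')
    return Rule(action, proto, src, sport, dst, dport, msg)


def _ip_match(pattern: str, ip: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _port_match(pattern: str, port: int) -> bool:
    return pattern == "any" or int(pattern) == port


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and _ip_match(rule.src, pkt.src) and _port_match(rule.sport, pkt.sport)
            and _ip_match(rule.dst, pkt.dst) and _port_match(rule.dport, pkt.dport))


# Pass rules are checked first so that explicitly whitelisted traffic never
# alerts; Snort's own action ordering is configurable, this is one common choice.
ORDER = ("pass", "alert", "log")


def evaluate(rules, pkt: Packet):
    """Return (action, msg) of the first matching rule in ORDER, or ("none", "")."""
    for action in ORDER:
        for rule in rules:
            if rule.action == action and _matches(rule, pkt):
                return action, rule.msg
    return "none", ""


# Constructed rule set: alert on Telnet into the LAN, except from the admin host.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.168.1.0/24 23 (msg:"Telnet to internal host"; sid:1000001;)',
    'pass tcp 192.168.1.10 any -> 192.168.1.0/24 23 (msg:"Telnet from admin host"; sid:1000002;)',
    'log udp any any -> 192.168.1.53 53 (msg:"DNS query"; sid:1000003;)',
)]
```

Telnet into the LAN from an unknown host produces the alert, the same traffic from 192.168.1.10 hits the pass rule and stays silent, and DNS to 192.168.1.53 is only logged.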
Application
• Packet Sniffing: The way traffic is being transmitted can be
thoroughly examined by gathering the individual packets that travel
to and from devices on the network.
• Generates Alerts: It generates warnings based on the configuration
file’s rules when it discovers unusual or malicious activity, the
possibility of a vulnerability being exploited, or a network threat that
compromises the organization’s security policy.
• Debug Traffic: After the traffic has been logged, any malicious
packets and configuration problems are checked.
Feature | Firewall | IPS
Function | Traffic filtering | Intrusion detection & prevention
Action | Allow/Deny traffic | Block traffic, generate alerts, log activity
Analysis | Basic (IP, port, protocol) | Deep packet inspection
Approach | Proactive (controls flow) | More proactive (analyzes & reacts)
Analogy | Bouncer at a club (checks IDs) | Security guard inside a club (monitors activity)
Best for | Controlling authorized traffic | Identifying & preventing attacks
Additional Notes | May have built-in IPS features | Often deployed behind firewalls
Firewall
A firewall is a network security device that
prevents unauthorized access to a network.
https://www.eve-ng.net/
https://www.gns3.com/
Concept of Firewall
• The concept of the firewall was introduced to secure the
communication process between various networks.
• A firewall is a software or a hardware device that examines the data
from several networks and then either permits it or blocks it to
communicate with your network and this process is governed by a set
of predefined security guidelines.
Application of firewall
• A firewall is a device or a combination of systems that supervises the flow of traffic between distinct parts of the network.
• A firewall is used to guard the network against malicious actors and prohibit their actions at predefined boundary levels.
• A firewall is not only used to protect the system from exterior threats; the threat can be internal as well.
• Therefore we need protection at each level of the hierarchy of networking systems.
• A good firewall should be capable enough to deal with both internal and external threats and to prevent malicious software such as worms from gaining access to the network.
• It also provisions your system to stop forwarding unlawful data to another system.
Firewall

• A firewall is a security apparatus for allowing and restricting traffic.
• It provisions authentication, address translation, and content security.
• It ensures 365*24*7 protection of the network from hackers.
• It is a one-time investment for any organization and only needs timely updates to function properly.
• By deploying a firewall there is no need for any panic in case of network attacks.
Other features of firewall
• Network Threat Prevention
• Application and Identity-Based Control
• Hybrid Cloud Support
• Scalable Performance
• Network Traffic Management and Control
• Access Validation
• Record and Report on Events

Limitations of Firewall
❑ Firewalls cannot stop users from accessing malicious websites, making it
vulnerable to internal threats or attacks.
❑ Firewalls cannot protect against the transfer of virus-infected files or
software.
❑ Firewalls cannot prevent misuse of passwords.
❑ Firewalls cannot protect if security rules are misconfigured.
❑ Firewalls cannot protect against non-technical security risks, such as social
engineering.
❑ Firewalls cannot stop or prevent attackers with modems from dialing in to
or out of the internal network.
❑ Firewalls cannot secure the system which is already infected.
Private Network ... (Firewall) ... Public Network
• For example, a firewall always exists between a private network and the Internet, which is a public network, and thus filters packets coming in and going out.
NAT (Network Address Translation)
• Network Address Translation (NAT) is a service that enables private IP networks to use the internet and cloud.
• NAT translates private IP addresses in an internal network to a public IP address before packets are sent to an external network.
• Network Address Translation (NAT) is a process that enables one unique IP address to represent an entire group of computers.
• In network address translation, a network device, often a router or NAT firewall, assigns a computer or computers inside a private network a public address.
• In this way, network address translation allows the single device to act as an intermediary or agent between the local, private network and the public network that is the internet.
• NAT’s main purpose is to conserve the number of public IP addresses in use, for both security and economic goals.
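A toy source NAT table shows how one public address represents a whole private group and why unsolicited inbound packets have nowhere to go. This is an added illustration, not any router's implementation; the 192.168.0.0/24 LAN, the public address 203.0.113.1 and the remote servers are constructed.

```python
"""Toy source NAT (port address translation): many private hosts share one
public IP. Added example, not any vendor's NAT; the private network, public
address and remote hosts are constructed (RFC 1918 and documentation ranges)."""
import ipaddress
from dataclasses import dataclass

PRIVATE_NET = ipaddress.ip_network("192.168.0.0/24")  # constructed LAN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class SourceNat:
    """Translation table kept by the NAT router; one row per outbound session."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private_ip, private_port, remote_ip, remote_port) -> public_port
        self.outbound = {}
        # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.inbound = {}

    def translate_out(self, pkt: Packet) -> Packet:
        """Rewrite a LAN packet so the Internet sees only the public IP."""
        if ipaddress.ip_address(pkt.src) not in PRIVATE_NET:
            raise ValueError("source is not on the private network")
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        public_port = self.outbound.get(key)
        if public_port is None:                # first packet of a new session
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[(public_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, public_port, pkt.dst, pkt.dport)

    def translate_in(self, pkt: Packet):
        """Map a reply back to the private host that opened the session.

        Returns None when no session matches: an unsolicited packet from the
        Internet has no row in the table, so the router cannot deliver it."""
        if pkt.dst != self.public_ip:
            return None
        entry = self.inbound.get((pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None
        private_ip, private_port = entry
        return Packet(pkt.src, pkt.sport, private_ip, private_port)


def demo():
    """Two LAN hosts reach the same web server through one public address."""
    nat = SourceNat("203.0.113.1")                       # constructed public IP
    a = nat.translate_out(Packet("192.168.0.10", 51000, "198.51.100.7", 443))
    b = nat.translate_out(Packet("192.168.0.11", 51000, "198.51.100.7", 443))
    reply_b = nat.translate_in(Packet("198.51.100.7", 443, "203.0.113.1", b.sport))
    stray = nat.translate_in(Packet("198.51.100.9", 443, "203.0.113.1", 40500))
    return a, b, reply_b, stray
```

Both hosts use the same private port 51000, so the router has to allocate distinct public ports to tell the replies apart; the stray packet matches no session and is dropped.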

NAT
Firewall is a barrier between Local Area Network (LAN) and the Internet.
It allows keeping private resources confidential and minimizes the security risks.
It controls network traffic, in both directions.
How does a firewall work?

• A firewall system analyzes network traffic based on pre-defined rules. It then filters the traffic and blocks any traffic coming from unreliable or suspicious sources. It only allows the incoming traffic that it is configured to accept.
• Typically, firewalls intercept network traffic at a computer's entry point, known as a port. Firewalls perform this task by allowing or blocking specific data packets (units of communication transferred over a digital network) based on pre-defined security rules. Incoming traffic is allowed only from trusted IP addresses, or sources.
A hardware firewall protects the entire network of the organization using it from external threats only.
If an employee of the organization is connected to the network via his laptop, he cannot avail himself of that protection.

On the other hand, a software firewall provisions host-based security, as the software is installed on each of the devices connected to the network, thereby protecting the system from external as well as internal threats.
It is most widely used by mobile users to digitally protect their handsets from malicious attacks.
Firewall and OSI Reference Model

A firewall system can work on five layers of the OSI-ISO reference model. But most of them run at only four layers, i.e. the data-link layer, network layer, transport layer, and application layer.
DMZ

• A demilitarized zone (DMZ) is used by a majority of firewall systems to guard assets and resources.
• DMZs are deployed to give external users access to resources like e-mail servers, DNS servers, and web pages without exposing the internal network.
• It behaves as a buffer between distinct segments of the network.
• Each region in the firewall system is allocated a security level, for example low, medium, and high. Normally traffic flows from a higher level to a lower level. But for traffic to move from a lower to a higher level, a different set of filtering rules is deployed.
• For permitting traffic to move from a lower security level to a higher security level, one should be precise about the kind of traffic permitted. By being precise we are unlocking the firewall system only for the traffic that is essential; all other traffic will be blocked by the configuration.
Firewall enable/service/rules…
• A firewall is a network security device, either hardware or software-based, which monitors all incoming and outgoing traffic and, based on a defined set of security rules, accepts, rejects, or drops that specific traffic.
• Accept: allow the traffic
• Reject: block the traffic but reply with an “unreachable” error
• Drop: block the traffic with no reply
Stop/Start the firewalld service
systemctl start firewalld      # enable: systemctl enable firewalld (start at boot)
systemctl stop firewalld       # disable: systemctl disable firewalld
systemctl status firewalld
systemctl restart firewalld
Check the rules of firewalld
• # Check the rules of firewalld (runtime configuration of the default zone)
• firewall-cmd --list-all
• List all the services firewalld is aware of:
• firewall-cmd --get-services
• To reload the configuration of firewalld (runtime-only changes are discarded)
• firewall-cmd --reload
Zone-wise firewall rules
• # Different zones carry different rules in the firewall
• firewall-cmd --get-zones
• # To see the list of active zones
• firewall-cmd --get-active-zones
• To get the firewall rules for a specific zone
• firewall-cmd --zone=public --list-all
To add or remove a service
• Check the service
• systemctl status httpd
• firewall-cmd --list-all
• firewall-cmd --get-services
• firewall-cmd --add-service=http                            # runtime only; lost on reload or reboot
• firewall-cmd --add-service=<name_of_service> --permanent   # written to disk; applied after --reload
• firewall-cmd --remove-service=<name_of_service>
• To reload the config
• firewall-cmd --reload
To add or remove a port
• firewall-cmd --add-port=20201/tcp
• firewall-cmd --remove-port=2021/tcp
• firewall-cmd --add-port=80/tcp
• firewall-cmd --list-all
To block incoming traffic from an IP
• firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0" reject'
To block outgoing traffic to an IP
• firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -d <IP> -j DROP
• firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -d 157.240.242.35 -j DROP
To block incoming ICMP traffic
• firewall-cmd --add-icmp-block-inversion   # blocks every ICMP type not listed in the zone's icmp-blocks
Types of Firewall

• Packet Filtering Firewall
• Stateful Inspection Firewall
• Software Firewall
• Hardware Firewall
• Application Layer Firewall
• Proxy Firewall
• Unified threat management (UTM) firewall
• Next-generation firewall (NGFW)
• Network address translation (NAT) firewalls
1. Packet Filtering Firewall
❑ Packet filtering firewall is used to control network access by monitoring
outgoing and incoming packets and allowing them to pass or stop based on
source and destination IP address, protocols, and ports.
❑ It analyses traffic at the transport protocol layer (but mainly uses first 3
layers).
❑ Packet filtering firewalls treat each packet in isolation. They have no ability to tell whether a packet is part of an existing stream of traffic.
❑ They can only allow or deny packets based on the packet headers alone. A packet filtering firewall maintains a filtering table that decides whether the packet will be forwarded or discarded.
❑ From the given filtering table, the packets will be filtered according to the
following rules:
Incoming packets from network 192.168.21.0 are blocked.
Incoming packets destined for the internal TELNET server (port 23) are blocked.
Incoming packets destined for host 192.168.21.3 are blocked.
All well-known services to the network 192.168.21.0 are allowed.
2. Stateful Inspection Firewall

• Stateful firewalls (which perform stateful packet inspection) are able to determine the connection state of a packet, unlike a packet filtering firewall, which makes them more efficient.
• A stateful firewall keeps track of the state of network connections travelling across it, such as TCP streams.
• So the filtering decisions are based not only on the defined rules, but also on the packet’s history in the state table.
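The filtering table from the packet filtering slide, implemented as a stateless filter and then wrapped in a stateful one, shows the difference the state table makes: a reply to a connection the LAN opened is denied by the stateless rules (its destination port is not a well-known service) but admitted by the stateful filter. This is an added example, not any vendor's code; the internal network 192.168.21.0/24 is the slide's, the rule order, the "direction" field and the packets are constructed.

```python
"""Stateless packet filter built from the slide's four filtering rules, next to
a stateful filter that keeps a connection table. Added example, not any vendor's
code; 192.168.21.0/24 is the slide's internal network, the packets are constructed."""
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("192.168.21.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
WELL_KNOWN = range(0, 1024)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" = arriving from the Internet, "out" = leaving the LAN


# Filtering table: (direction, source net, destination net, dest ports, verdict).
# First match wins; anything unmatched is denied.
RULES = [
    ("in", INTERNAL, ANY, None, "deny"),                                # spoofed internal source
    ("in", ANY, ANY, [23], "deny"),                                     # no inbound Telnet
    ("in", ANY, ipaddress.ip_network("192.168.21.3/32"), None, "deny"), # shielded host
    ("in", ANY, INTERNAL, WELL_KNOWN, "allow"),                         # well-known services
    ("out", INTERNAL, ANY, None, "allow"),                              # LAN may reach out
]


def stateless_verdict(pkt: Packet) -> str:
    """Judge one packet on its headers alone, as a packet filtering firewall does."""
    for direction, src_net, dst_net, ports, verdict in RULES:
        if direction != pkt.direction:
            continue
        if ipaddress.ip_address(pkt.src) not in src_net:
            continue
        if ipaddress.ip_address(pkt.dst) not in dst_net:
            continue
        if ports is not None and pkt.dport not in ports:
            continue
        return verdict
    return "deny"


class StatefulFilter:
    """Same rules, plus a state table so replies to LAN-initiated connections
    are admitted without opening every high port to the Internet."""

    def __init__(self):
        self.connections = set()  # (lan_ip, lan_port, remote_ip, remote_port)

    def verdict(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            verdict = stateless_verdict(pkt)
            if verdict == "allow":
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return verdict
        # Inbound: a packet belonging to a tracked connection is part of an
        # existing stream; anything else falls back to the static table.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "allow"
        return stateless_verdict(pkt)
```

An inbound packet to the same LAN host and port from a server it never contacted still falls through to the static table and is denied, so the state table admits only what the LAN asked for.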
3. Software Firewall

• A software firewall is any firewall that is set up locally or on a cloud server.
• When it comes to controlling the inflow and outflow of data packets and limiting the number of networks that can be linked to a single device, they may be the most advantageous.
• But the problem with software firewalls is that they are time-consuming.


4. Hardware Firewall

• They also go by the name “firewalls based on physical appliances.” A hardware firewall guarantees that malicious data is halted before it reaches the network endpoint that is in danger.
5. Application Layer Firewall

• An application layer firewall can inspect and filter packets on any OSI layer, up to the application layer.
• It has the ability to block specific content, and also to recognize when certain applications and protocols (like HTTP, FTP) are being misused.
• In other words, application layer firewalls are hosts that run proxy servers.
• A proxy firewall prevents a direct connection between either side of the firewall; each packet has to pass through the proxy.
6. Next Generation Firewalls (NGFW)

• An NGFW consists of Deep Packet Inspection, Application Inspection, SSL/SSH inspection and many other functionalities to protect the network from modern threats.
7. Proxy Service Firewall

• This kind of firewall filters communications at the application layer, and protects the network. A proxy firewall acts as a gateway between two networks for a particular application.
8. Circuit Level Gateway Firewall

• This works at the session layer of the OSI model. It allows for the simultaneous setup of two Transmission Control Protocol (TCP) connections. It can effortlessly allow data packets to flow without using much computing power. These firewalls are ineffective because they do not inspect data packets; if malware is present in a data packet, they will permit it to pass provided that the TCP connections are established properly.