Introduction to the TCP/IP Protocol Framework
Alright, time to dive into one of the most important parts of cybersecurity. NETWORKING! This blog will teach about network basics of TCP/IP and OSI models, DNS, DHCP, as well as switching and routing concepts, IP addressing, NAT, packet sniffing and finally, structures and vulnerabilities of key databases including SQL, CouchDB, Oracle and MongoDB. Let's get started!
To start off the topic of networking let's discuss what firewalls are and how they utilize stateless and stateful inspection, then compare stateless firewalls to stateful firewalls. According to Cisco (one of the leading companies in network technology) firewalls are "A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Firewalls have been a first line of defense in network security for over 25 years. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet. A firewall can be hardware, software, or both.". Now that we know what a firewall is, let's dig a little deeper into how firewalls filter incoming and outgoing network traffic stateless and stateful inspection. Regular routers and some firewalls use the stateless way of filtering packets, this means the firewall inspects each packet without any knowledge of previous packets, the firewall will inspect the destination and source address of the packet and then block or restrict addressess that are deemed untrusted. There may also be an Access Control List rule (ACL) that will determine weather the source addess and destination port of the packet is allowed on the network or if the destination address is allowed to be accessed or not. A few use cases for stateless inspection include:
Heading back over to Cisco, a Stateful Inspection is
"Now thought of as a “traditional” firewall, a stateful inspection firewall
allows or blocks traffic based on state, port, and protocol. It monitors all
activity from the opening of a connection until it is closed. Filtering
decisions are made based on both administrator-defined rules as well as
context, which refers to using information from previous connections and
packets belonging to the same connection.". In some cases there can be a stateless and stateful inspection, the
stateless inspection is going to be performed first and then will be followed
up by an evaluation of the stateful data. Now that we know about stateless and
stateful inspections what are the pros and cons of each method ? Below is a
list of the pros and cons of each inspection method courtesy of
IDS and IPS Systems
Now that we've talked about firewalls and the different types of firewalls, let's talk a little about 2 types of firewall filters. Intrusion Detection and Intrusion Prevention Systems. An Intrusion Detection System (IDS) "is a network security technology originally built for detecting vulnerability exploits against a target application or computer.". Intrusion Prevention Systems (IPS) "extended IDS solutions by adding the ability to block threats in addition to detecting them and has become the dominant deployment option for IDS/IPS technologies.".
Intrusion Detection Systems
An IDS needs to only detect threats on a network, because the IDS only detects threats and reports it's finds to an administrator. It is placed outside of the real-time communication path of the sender and receiver of information, which makes it a passive system. Due to the IDS not keeping up with real-time communication it will often take advantage of a TAP or SPAN port to analyze a copy of the inline network traffic stream. This ensures that the IDS does not impact inline network performance. Unfortunately due to the nature of IDS solutions, they lack the ability to prevent a detected exploit from taking over the system. Attackers are capable of quickly exploiting vulnerabilities once they've infiltrated the network. Rendering the IDS useless.
Intrusion Prevention Systems
IPS on the other hand, has the ability to block threats along with detecting
them. The IPS often sits directly behind the firewall and adds a layer of
analysis that actively searches for dangerous content. The IPS sites inline or
in the direct path of communication of the sender and receiver and takes
automated actions on all traffic flows that enter the network. The actions
performed by an IPS include:
Since the IPS works as an inline security component, it is crucial that the IPS works fast and efficiently to avoid degrading network performance as well as detect and respond to exploits accurately since exploits can happen in near real time. When it comes to detection methods IPS has a number of different detection methods but signiture-base and stistical anomaly-based are the two dominant methods. Signature-based detection "is based on a dictionary of uniquely identifiable patterns (or signatures) in the code of each exploit. As an exploit is discovered, its signature is recorded and stored in a continuously growing dictionary of signatures. Signature detection for IPS breaks down into two types:"
Network Address Translation
NAT or Network Address Translation is essentially a method of converting a private IP address to a public IP address when connecting to the Internet. NAT remaps the IP address by modifying information in the IP datagram packet headers as they transit across a traffic routing device. This is just a summerized version of what NAT is but you can read more about it through a FAQ form on CISCO's website Network Address Translation (NAT) FAQ. Below is a diagram of a Juniper NAT router and 4 key facts about NAT.