Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Similar documents
Symantec Client Security. Integrated protection for network and remote clients.

INSIDE. Symantec AntiVirus for Microsoft Internet Security and Acceleration (ISA) Server. Enhanced virus protection for Web and SMTP traffic

Internet Security: Firewall

Activating Intrusion Prevention Service

CSC Network Security

Cisco IOS Inline Intrusion Prevention System (IPS)

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

NetDefend Firewall UTM Services

NETWORK THREATS DEMAN

COMPUTER NETWORK SECURITY

KASPERSKY ANTI-MALWARE PROTECTION SYSTEM BE READY FOR WHAT S NEXT. Kaspersky Open Space Security

CyberP3i Course Module Series

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9. Firewalls

Computer Network Vulnerabilities

CERT-In. Indian Computer Emergency Response Team ANTI VIRUS POLICY & BEST PRACTICES

EXECUTIVE REPORT 20 / 12 / 2006

Fundamentals of Information Systems Security Lesson 8 Mitigation of Risk and Threats to Networks from Attacks and Malicious Code

Managing SonicWall Gateway Anti Virus Service

Chapter 8 roadmap. Network Security

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Basic Concepts in Intrusion Detection

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

DDoS Protector. Simon Yu Senior Security Consultant. Block Denial of Service attacks within seconds CISSP-ISSAP, MBCS, CEH

Agenda of today s lecture. Firewalls in General Hardware Firewalls Software Firewalls Building a Firewall

CIH

SteelGate Overview. Manage perimeter security and network traffic to ensure operational efficiency, and optimal Quality of Service (QoS)

Chapter 10: Denial-of-Services

Hardening the Education. with NGFW. Narongveth Yutithammanurak Business Development Manager 23 Feb 2012

Symantec Endpoint Protection 14

CTS2134 Introduction to Networking. Module 08: Network Security

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

ASA Access Control. Section 3

Unit 2 Assignment 2. Software Utilities?

UTM Firewall Registration & Activation Manual DFL-260/ 860. Ver 1.00 Network Security Solution

Future-ready security for small and mid-size enterprises

Introduction to Security. Computer Networks Term A15

Security Configuration Guide: Denial of Service Attack Prevention, Cisco IOS Release 15M&T

Cisco ASA 5500 Series IPS Edition for the Enterprise

A Review Paper on Network Security Attacks and Defences

Endpoint Protection : Last line of defense?

4. The transport layer

UTM 5000 WannaCry Technote

Unit 4: Firewalls (I)

INSIDE. Integrated Security: Creating the Secure Enterprise. Symantec Enterprise Security

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

IC32E - Pre-Instructional Survey

Software. Linux. Squid Windows

Security Gap Analysis: Aggregrated Results

Symantec Endpoint Protection

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration

Cisco Intrusion Prevention Solutions

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

Data Sheet: Endpoint Security Symantec Multi-tier Protection Trusted protection for endpoints and messaging environments

Radware DefensePro DDoS Mitigation Release Notes Software Version Last Updated: December, 2017

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Education Network Security

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

Barracuda Advanced Threat Protection. Bringing a New Layer of Security for . White Paper

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

Employing VisNetic MailServer Security Features

How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis

Cisco s Appliance-based Content Security: IronPort and Web Security

Indicate whether the statement is true or false.

SECURING INFORMATION SYSTEMS

Internet Security Firewalls

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Networking interview questions

20-CS Cyber Defense Overview Fall, Network Basics

Validating the Security of the Borderless Infrastructure

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

Router and ACL ACL Filter traffic ACL: The Three Ps One ACL per protocol One ACL per direction One ACL per interface

Overview of TCP/IP Overview of TCP/IP protocol: TCP/IP architectural models TCP protocol layers.

How to Configure Virus Scanning in the Firewall for FTP Traffic

Chapter 4. Network Security. Part I

intelop Stealth IPS false Positive

FIREWALL BEST PRACTICES TO BLOCK

CompTIA Security+ CompTIA SY0-401 Dumps Available Here at:

Cisco IPS AIM and IPS NME for Cisco 1841 and Cisco 2800 and 3800 Series Integrated Services Routers

Why Firewalls? Firewall Characteristics

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

Features of a proxy server: - Nowadays, by using TCP/IP within local area networks, the relaying role that the proxy

Firewalls 1. Firewalls. Alexander Khodenko

Lecture 12. Application Layer. Application Layer 1

BUILDING A NEXT-GENERATION FIREWALL

Product Line Guide Corporate Antimalware PLUS Network Visibility PLUS Systems Management

A Unified Threat Defense: The Need for Security Convergence

Paloalto Networks PCNSA EXAM

Firewalls, IDS and IPS. MIS5214 Midterm Study Support Materials

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

e-commerce Study Guide Test 2. Security Chapter 10

CISNTWK-440. Chapter 5 Network Defenses

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

A. Carcano, I. Nai Fovino, M. Masera, A. Trombetta European Commission Joint Research Centre Critis 2008, Rome, October 15, 2008

Next-Generation Firewall Overview

ANATOMY OF AN ATTACK!

Transcription:

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies (How each protects the network) Dr. Gaurav Kumar Jain Email: gaurav.rinkujain.jain@gmail.com Mr. Pradeep Sharma Mukul Verma Abstract Widely connected enterprise networks and the Internet have enabled viruses, worms and blended threats to make use of computer networks for propagation, significantly increasing the speed of infection and damage. The Internet, with its ease of sharing and downloading of files, has also increased the risk of infection to the average user. A user may infect a computer by an action as simple as clicking on a downloaded file or an email attachment. Investment on several layers of protection is required for most enterprises for effective protection of computer networks. Index Terms enterprise network, viruses, worms, blended threats. 1.0 Introduction Network attacks are increasing both in sheer number as well as complexity. In recent news, we have seen how viruses, worms and other attacks can cause major business disruptions and cost companies worldwide billions of dollars. For instance, the Blaster worm infected over 1.2 million computers worldwide, and the SoBig.F virus infected over 100,000 computers 1. Viruses and worms are all examples of what are generally known as malicious programs or malware for short. A virus is just a program that tells the computer to do something that the user does not want it to do. It requires a host program to live and infects other files so that it can live longer. A virus can perform destructive actions, such as displaying irritating messages, overwriting hard drives, or rendering the machine inoperable. A worm is a program that replicates itself and spreads through network connections to infect other machines, eating up bandwidth and storage space and slowing computers down. Some worms use email to send messages to other users, while others use application vulnerabilities to replicate via the network. The distinction between viruses and worms is beginning to blur, as many viruses today also use email as their means of propagation. Blended threats, such as Code Red and Nimda, are sophisticated attacks that use multiple methods and techniques to propagate and inflict damage, thus spreading very rapidly and causing significant productivity disruptions. Blended threats can be part virus, part worm, and part backdoor2. Widely connected enterprise networks and the Internet have enabled viruses, worms and blended threats to make use of computer networks for propagation, significantly increasing the speed of infection and damage. The Internet, with its ease of sharing and downloading of files, has also increased the risk of infection to the average user. A user may infect a computer by an action as simple as clicking on a downloaded file or an email attachment. 28 P a g e w w w. i j l t e m a s. i n

2.0 Technologies for Network Security In this paper, we look at network security technologies that are used to protect computer networks and mitigate the risks associated with viruses, worms and other network attacks. For effective protection of computer networks, most organizations are deploying multiple layers of security, including firewall, intrusion prevention and gateway antivirus technologies. Understanding the different kinds of protection provided by each technology is helpful in deciding what systems are required for each network. Network security technologies can be broadly classified into four categories: Session level protection, such as stateful inspection firewalls Application level protection, such as proxy firewalls and intrusion prevention systems (IPS) File level protection, such as gateway antivirus systems Figure 1 compares the four categories of network security technologies. Evaluation of each category by coverage of protocols/applications, level of protection, and relative performance enables organizations to choose the appropriate network security technologies to protect their networks. Packet level protection, such as routers Access Control Lists (ACL) or stateless firewalls Figure 1. Comparison of network security technology categories 3.0 Packet Level Protection Packet level protection, also known as packet filtering, is one of the most widely used means of controlling access to a network. The concept is simple: determine whether a packet is allowed by comparing some basic pieces of information in the packet headers. Cisco IOS Access Control List (ACL) is one of the most used packet filters. IP Chains is also a popular packet filter application, which comes bundled with many versions of Linux. Two-way communication presents a challenge for network security based on packet filtering. If one blocks all incoming traffic, one prevents responses to outgoing traffic from coming in, disrupting communication. Consequently, one has to open two holes, one for outgoing traffic and one for incoming traffic, without enforcing any association of the incoming traffic with existing outgoing connections in the network. Packet filtering thus can allow in crafted malicious packets that appear to be part of existing sessions, causing damage to protected resources. Packet filtering devices do not track dynamic protocols, where a server and a client negotiate a random port for data transmission. Examples of 29 P a g e w w w. i j l t e m a s. i n

protocols that use dynamic ports include FTP, RPC, and H.323. To enable these applications to pass through packet filtering systems, one has to open a very large hole, significantly reducing the security protection provided by packet-filtering systems. For instance, in order to allow in standard FTP, one must let through any traffic with a destination port greater than 1,023 (1,023 65,500) and source port of 20, thus opening a significant security hole in the network. 4.0 Session Level Protection Session level protection technologies control the flow of traffic between two or more networks by tracking the state of sessions and dropping packets that are not part of a session allowed by a predefined security policy. Firewalls that implement session-level protection keep state information for each network session and make allow/deny decisions based on a session state table. The most common systems for session level protection are stateful inspection firewalls. Note that session level protection technologies are session based, meaning that firewalls go beyond individual TCP connections to involve many such connections. Session-level firewalls support dynamic protocols by identifying port change instructions in client-server communication and comparing future session s against these negotiated ports. For instance, to track FTP sessions, the firewall inspects the control connection, used for issuing commands and negotiating dynamic ports, and then allows in various data connections for transferring files. Because session level protection provides all the benefits of packet level protection without the limitations, it renders packet level protection unnecessary for most networks. 5.0 Application Level Protection Application level protection technologies monitor network traffic and dynamically analyze it for signs of attacks and intrusions. Within the network security infrastructure, two common technologies for application level protection are proxy firewalls and Intrusion Prevention Systems (IPS). Proxy firewalls are network systems that act on behalf of the client accessing a network service and shield the client and the server from direct peer-to-peer connection. The client establishes a connection with the proxy server, and the proxy server establishes a connection with the destination server. The proxy then forwards the data between the parties. IPS are network devices that can accept or deny traffic based on IP addresses, protocol/service, and application level analysis and verification. IPS receive traffic from the network, reassemble the traffic streams and look at application primitives and commands to detect suspicious fields that warrant some predefined action. These actions vary from logging suspicious events to dropping the connection completely. Proxy firewalls and IPS examine control and data fields within the application flow to verify that the actions are allowed by the security policy and do not represent a threat to end systems. By understanding application-level commands and primitives, they can identify content out of the norm and content that represents a known attack or exploit. Proxy firewalls and IPS perform IP defragmentation and TCP stream reassembly as well as eliminating ambiguity within traffic, which can be used by malicious users trying to conceal their actions. Proxy firewalls usually support the common Internet applications, including HTTP, FTP, telnet, rlogin, email and news. Yet, a new proxy must be developed for each new application or protocol to pass through the firewall, and custom software and user procedures are required for each application. IPS generally support a wider range of protocols and applications, including those required to protect the network against attacks from the Internet. New applications can be allowed through an IPS without requiring changes to the user workstations. In this way, IPS are more transparent to the network than proxy firewalls. 30 P a g e w w w. i j l t e m a s. i n

Proxy firewalls and IPS can detect certain viruses or Trojans by looking at application service fields. For instance, IPS can look at the subject field, attachment name, or attachment type within email traffic to detect characteristics of known viruses. However, application level protection does not do a detailed analysis at the file level, which is also required to detect the large number of viruses in existence. 6.0 File Level Protection File level protection provides the ability to extract files within traffic and inspect them to detect malware, including viruses, worms or Trojans 3. A common technology for file level protection in a network is gateway antivirus. An antivirus system looks for virus signatures a unique string of bytes that identifies a virus and zaps the virus from the file. Most antivirus scanning systems catch not only the initial virus but also many of its variants, since the signature code usually remains intact. Gateway antivirus systems scan files that are embedded in network traffic, including files in HTTP traffic (web downloads) and files in email traffic (attachments). If an infected file is detected, a gateway antivirus system removes it from the traffic, so it does not affect other users. To scan files within network traffic, gateway antivirus must understand a broad range of file encoding protocols (i.e., MIME, uucode, Base64) and file compression algorithms. viruses are continuously being uncovered 4. Since the application streams that are scanned for viruses must be completely reassembled by the gateway antivirus system as the traffic crosses the network, users or servers might experience a slight delay in the scanned streams. Administrators usually have granular control of the traffic and file types that warrant scanning. Antivirus typically scans files in email and web traffic, mainly inspecting communication from servers to clients. Viruses are aimed at damaging end user systems, but use various email and web servers to propagate. Consequently, it is important to detect viruses while they are being uploaded to or downloaded from servers. 7.0 Example Network security technologies at the network level, session level, application level and file level are used by organizations to add layers of protection in the network against viruses, worms and other network attacks. Note that session level protection offers the security of packet level protection without the limitations, so it makes packet level protection unnecessary for most networks. Figure 2 illustrates the inspection functions that take place as the packets are analyzed by stateful firewall for session level protection, Intrusion Prevention Systems (IPS) for application level protection and gateway antivirus for file level protection. Since there are over 60,000 known viruses, gateway antivirus systems must be able to conduct thorough scans. Constant updates to the virus pattern file are required for effective protection against new virus outbreaks, since new 31 P a g e w w w. i j l t e m a s. i n

Figure 2. Network packets are inspected by session level protection, application level protection and file level protection technologies in order to defend the network from viruses, worms and other network attacks. 8.0 CONCLUSION Organizations must deploy multiple security technologies to protect networks against viruses, worms and other sophisticated attacks. Stateful inspection firewalls offer protection at the session level, proxy firewalls and Intrusion Prevention Systems at the application level, and gateway antivirus at the file level. Investment on all these levels of protection is required for most enterprises for effective protection of computer networks. ACKNOWLEDGEMENTS We would like to thank everyone, especially developers, early adopters, I.T. enthusiast and family members who provided support and followed up with us. REFERENCES [1.] http://www.tech-faq.com/networkattacks.html [2.] www.ehow.com/about_6375469_blasterworm_.html [3.] http://blasterworm.net/ [4.] www.expresscomputeronline.com/200807 28/securityspecial02.shtml [5.] http://en.wikipedia.org/wiki/code_red _(computer_worm) [6.] virus.wikia.com/wiki/nimda [7.] en.wikipedia.org/wiki/backdoor_(compu ting) [8.] khodenko.tripod.com/firewalls [9.] http://pl.safensoft.com/security.phtml?c =587 [10.] www.protocols.com/pbook/h323.htm [11.] www.webopedia.com/term/p/proxy_ server.html [12.] http://en.wikipedia.org/wiki/applicati on_firewall 32 P a g e w w w. i j l t e m a s. i n

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback