Network security appliances: Types and methods
Many methods and appliances are available for securing a network and for examining its security, and they are available to anyone who wants to use them. The irony is that if you do not use a given tool, you are likely to miss the vulnerability that an attacker will find with that very tool. Employ proactive security methods and appliances to catch and trap attackers. The following sections discuss the different methods of intrusion detection and prevention that can be employed on a network, introduce some of the vulnerability scanners, and describe the more proactive and advanced methods used to decoy, trap and catch attackers.
IDS and IPS
An IDS (intrusion detection system) does more than a firewall. It acts as an intelligent monitor of network traffic: it understands what normal traffic looks like and how it should behave, and it can therefore identify abnormal traffic as a threat. It is either configured with the latest attack signatures from its vendor or it watches the network to learn what normal traffic looks like; the better systems combine both. An IDS can also be configured to alert network administrators when it detects a threat. In general, the only action an original IDS takes in response to a threat is to alert an administrator with a network message or, if so configured, an email message. An IDS simply logs the threat so that the network administrator can address it when possible. An IDS is a passive detection system.
An IPS (intrusion prevention system) is similar to an IDS, but the difference is that it can take more action in response to a threat than an IDS can. An IPS addresses an identified threat by resetting the connection or closing the port. An IPS is a network device that continually scans the network looking for inappropriate activity, and it has the capability to shut down potential threats. An IPS looks for the known signatures of common attacks and prevents those attacks automatically. An IPS can also be configured to alert the administrator to the threat and to the action that was taken. The IPS is a reactive measure and an active one: it monitors actively and takes the necessary steps to correct a potential security threat.
In practice, one of the main differences between an IDS and an IPS is the software configuration. Although both IDS and IPS devices recognize network attacks, they differ primarily in network placement. The IDS device receives a copy of the traffic to be inspected, whereas the IPS device sits in line with the traffic. Because the analyzed traffic does not flow through the IDS device, IDS devices are considered passive, while IPS devices are considered active. Both IDS and IPS devices send alerts. Although an IDS device can also communicate with a security appliance or router to block subsequent attack packets, the initial offending traffic still reaches its destination. Conversely, an IPS device drops the traffic in line, preventing even the first malicious packets from reaching the intended target. The four methods used by IDS and IPS are discussed below.
Behavior based
A behavior based IPS/IDS is generally software installed on a host to monitor it as an agent that can detect and respond to anyone or anything attempting to circumvent the security policy. It dynamically inspects network packets and analyzes which programs use which resources during normal operation. Once it has learned what is normal, it can detect an event that is not normal and alert the administrator or take action to close connections and ports. Rather than relying on a database of attacks, it must learn gradually what is normal and what is not. Behavior based detection is also known as anomaly based detection. A behavior based system looks for variations in behavior such as unusually high traffic, policy violations and so on. By looking for deviations in behavior, it can recognize potential threats and respond quickly. This approach is prone to false positives, because the normal condition is very difficult to define measurably.
Signature based
A signature based IPS/IDS begins with a database of known attacks and is capable of identifying those attacks. It provides protection more quickly than a behavior based system. The catch is that if an attack is occurring that is not in the signature database, a purely signature based IPS/IDS will never recognize it. The most effective appliances use a combination of signature based and behavior based methods.
A signature based system is also called a misuse-detection IDS; it focuses on evaluating attacks based on audit trails and attack signatures. An attack signature describes an established method of attacking a system. Because a signature based IPS/IDS is, as its name implies, based on signatures, the administrator needs to update the signature files routinely. The IDS uses an extensive database to analyze the signatures in the traffic.
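The following is an added example written for this page (not code from the original article or from any IDS product) that runs the two detection methods just described over a few constructed web-server log lines, and then applies the IDS-versus-IPS distinction from the earlier section as a response policy. The signature patterns, log lines, training counts and the 3-sigma threshold are all constructed for the example.

```python
"""Toy IDS/IPS engine showing signature based and behavior (anomaly) based
detection side by side, plus the IDS-versus-IPS difference as a response policy.
Added illustration, not code from the original article; the signatures, log
lines, training counts and threshold are all constructed for the example."""
import re
import statistics
from collections import Counter

# Constructed signature database: name -> pattern matched against the request line.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE),
    "path-traversal": re.compile(r"(\.\./){2,}"),
}


def signature_alerts(request):
    """Names of every known-attack signature that matches one request line."""
    return [name for name, pat in SIGNATURES.items() if pat.search(request)]


class RequestRateBaseline:
    """Behavior based detector: learns what a normal per-minute request count
    looks like, then flags counts more than `k` standard deviations above the
    mean. It has no attack database, so it must be trained on traffic first."""

    def __init__(self, k=3.0):
        self.k = k
        self.samples = []

    def learn(self, per_minute_counts):
        self.samples.extend(per_minute_counts)

    def threshold(self):
        mean = statistics.mean(self.samples)
        spread = max(statistics.pstdev(self.samples), 1.0)  # floor avoids a zero-width band
        return mean + self.k * spread

    def is_anomalous(self, count):
        return count > self.threshold()


def analyze(log_lines, baseline):
    """Run both methods over 'HH:MM:SS client request' lines; return alerts as
    (method, client, detail) tuples."""
    alerts = []
    per_minute = Counter()
    for line in log_lines:
        ts, client, request = line.split(" ", 2)
        for name in signature_alerts(request):
            alerts.append(("signature", client, name))
        per_minute[(client, ts[:5])] += 1
    for (client, minute), count in sorted(per_minute.items()):
        if baseline.is_anomalous(count):
            alerts.append(("anomaly", client, f"{count} requests in minute {minute}"))
    return alerts


def decide_actions(alerts, mode):
    """IDS mode only alerts. IPS mode, sitting in line, also drops traffic for
    signature hits; anomaly hits still only alert, because that method is prone
    to false positives."""
    actions = []
    for method, client, detail in alerts:
        if mode == "ips" and method == "signature":
            actions.append(("drop", client, detail))
        else:
            actions.append(("alert", client, detail))
    return actions


# Constructed training data: per-minute request counts observed on quiet days.
TRAINING_COUNTS = [3, 4, 5, 4, 6, 5, 3, 4]

# Constructed log excerpt: two normal requests, two attack requests, then one
# client issuing 40 requests in a single minute.
LOG = [
    "10:00:01 10.0.0.5 GET /index.html",
    "10:00:02 10.0.0.5 GET /login?user=bob",
    "10:00:03 10.0.0.9 GET /login?user=admin' or '1'='1",
    "10:00:04 10.0.0.7 GET /../../../etc/passwd",
] + [f"10:01:{i:02d} 10.0.0.9 GET /search?q={i}" for i in range(40)]


if __name__ == "__main__":
    baseline = RequestRateBaseline()
    baseline.learn(TRAINING_COUNTS)
    found = analyze(LOG, baseline)
    for action in decide_actions(found, "ips"):
        print(action)
```

The signature matcher needs no training but only ever finds what is already in `SIGNATURES`; the baseline catches the 40-requests-per-minute burst without any signature for it, which is why the two are combined. Dropping only on signature hits in IPS mode is one way of keeping the false-positive risk of anomaly detection from turning into self-inflicted outages.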
Network based
Network based appliances are generally placed at the edge of the network, where the network comes into contact with another network such as the internet. Some network appliances are used between two corporate networks to control the flow of information between two divisions, such as between departments of the same company. The advantage of a network based appliance is that it offers general protection for all the hosts behind it. The disadvantage is that the settings on the firewall affect every host behind it, so they tend to be general settings rather than settings specific to a particular host.
If it is software, it is installed on the servers or systems whose inbound traffic it monitors. If it is hardware, it may be connected to a switch or hub to monitor the traffic.
Host based
A software based firewall used to control traffic to a single host is usually referred to as a host based system. Windows is a prime example of an operating system that ships with a firewall. Recent versions of Windows warn the user if they fail to detect either a third-party firewall application or the native Windows firewall in its place. Applications that can provide this service include the McAfee and Norton antivirus and firewall products. Configuring the Windows firewall is generally a no-brainer for most client computers: the default settings offer the necessary security, so it simply needs to be kept on. Configuring the McAfee and Norton products is more involved, but more often than not the default settings suffice as well. A host based system creates and monitors logs on the local system.
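To make the network based versus host based contrast concrete, here is an added example (written for this page, not code from the original article or from any firewall product): a toy first-match packet filter with one general rule set at the edge that applies to every host in a subnet, and a tailored rule set on a single database server behind it. The subnet 10.1.0.0/24, the addresses, the rules and the sample packets are all constructed.

```python
"""Toy first-match packet filter used to contrast an edge (network based) rule
set, which applies one general policy to every host behind it, with a host based
rule set tailored to a single machine. Added illustration, not code from the
original article; all addresses, rules and sample packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR the source address must belong to
    dst: str                     # CIDR the destination address must belong to
    dport: Optional[int] = None  # destination port, or None for any port

    def matches(self, src_ip, dst_ip, dport):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(rules, src_ip, dst_ip, dport):
    """First matching rule wins; a packet that no rule matches is denied."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"


PROTECTED = "10.1.0.0/24"   # the subnet behind the edge appliance (constructed)

# Edge appliance: the same general policy for every host in PROTECTED.
EDGE_RULES = [
    Rule("allow", "0.0.0.0/0", PROTECTED, 443),  # anyone may reach HTTPS on any host
    Rule("deny", "0.0.0.0/0", PROTECTED),        # everything else from outside is dropped
]

# Host based firewall on the database server 10.1.0.20: only the web server
# 10.1.0.10 may reach PostgreSQL (5432); nothing else, not even HTTPS, is accepted.
DB_HOST_RULES = [
    Rule("allow", "10.1.0.10/32", "10.1.0.20/32", 5432),
    Rule("deny", "0.0.0.0/0", "10.1.0.20/32"),
]


def traverse(src_ip, dst_ip, dport, host_rules):
    """Trace one packet: traffic entering from outside PROTECTED is filtered at
    the edge first; every packet is then filtered by the destination host's own
    rules."""
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(PROTECTED):
        if evaluate(EDGE_RULES, src_ip, dst_ip, dport) != "allow":
            return "dropped at edge"
    if evaluate(host_rules, src_ip, dst_ip, dport) != "allow":
        return "dropped at host"
    return "delivered"


if __name__ == "__main__":
    for pkt in [("203.0.113.5", "10.1.0.20", 5432),  # internet -> database port
                ("203.0.113.5", "10.1.0.20", 443),   # internet -> HTTPS on the database host
                ("10.1.0.10", "10.1.0.20", 5432),    # web server -> database
                ("10.1.0.11", "10.1.0.20", 5432)]:   # another internal host -> database
        print(pkt, "->", traverse(*pkt, DB_HOST_RULES))
```

The second sample packet is the point of the exercise: the edge rule lets HTTPS through to every host because that is the only way to write one setting for the whole subnet, and it is the host based rule set on 10.1.0.20 that knows this particular server has no business accepting it. The fourth packet never touches the edge at all, so only the host firewall stands between two internal machines.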
Vulnerability scanners
In a vulnerability test, you run a software program that contains a database of known vulnerabilities against a system to determine its weaknesses. A vulnerability scanner might be a port scanner, a web application scanner, a worm or a network enumerator, but in every case it tests the target against the gamut of known vulnerabilities.
The reason a threat can harm a network is that the network has a vulnerability the threat can exploit. It is hard to eliminate threats, and some people are simply mean and nasty. However, it is possible to reduce vulnerability to those threats, and to do so you use vulnerability scanners to determine where the network is strong and where it is weak. Two of the most commonly used vulnerability scanners are described below.
Nessus
Nessus is a proprietary vulnerability scanning program that detects open ports and misconfigurations that might permit an attacker to gain control of a system or of sensitive data. Among other things, it checks for default passwords, weak passwords, missing patches and the like. At the time of writing this tool was free, and it is estimated to be used by more than 75,000 organizations throughout the world.
Nmap
Nmap stands for network mapper. Nmap is a security scanner that discovers hosts on a computer network and thereby creates a map of the active network. It sends specially crafted packets to the target host and analyzes the responses it receives. From those responses it can determine open ports, the presence of firewalls and the capabilities of the devices it discovers. Nmap runs on Linux, Solaris, Windows and other operating systems.
Honeypots and honeynets
Sometimes, to catch an attacker, you have to think like one. Create an environment that looks like a good target to the attacker but is really just a decoy. At the least it distracts the attacker from finding the real sensitive data, and it is a trap that will cause the attacker to slip up and get caught. There are two kinds of decoys: honeypots and honeynets.
Honeypots
Honeypots are security devices used as decoys; to the attacker they look like a valuable server target. They can also appear vulnerable and undefended, when in fact they are monitored and isolated from any real sensitive computer data. The idea is to get the attacker to take the bait: while he is wasting time in the honeypot, the real data stays safe, and the information gathered about the attacker can be handed to the right authorities.
Honeynets
Two or more honeypots on the same network form a honeynet. A honeynet is used when the organization is relatively large and a single honeypot server cannot do the job. A honeynet simulates a production network, but it is actually heavily isolated from, and monitored separately from, the real production network. It can also be used to draw the attacker deeper in, providing more opportunities for him to make the mistake that gets him caught.
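The added example below (written for this page; not code from the original article, from the Nmap project or from any honeypot product) serves both the scanner section and the honeypot section: it pairs a TCP connect probe, the kind of test Nmap performs and interprets, with a low-interaction honeypot that presents a fake service banner, runs nothing real, and records who connected and what they sent. Everything talks to a decoy the script itself starts on 127.0.0.1; the banner, the `backup01` host name and the sample `USER admin` payload are constructed.

```python
"""Connect scanner plus low-interaction honeypot. Added illustration, not code
from the original article, Nmap or any honeypot product; the decoy is started
by this script on 127.0.0.1, and banners and payloads are constructed."""
import socket
import threading
import time
from datetime import datetime, timezone


def scan_port(host, port, timeout=0.5):
    """TCP connect probe: classify the port from the response the way Nmap
    reports it (open / closed / filtered) and keep any banner the service sends."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed", ""        # RST came back: nothing is listening
        except socket.timeout:
            return "filtered", ""      # no answer at all: typically a firewall drop
        except OSError:
            return "closed", ""
        try:
            banner = s.recv(128).decode("ascii", "replace").strip()
        except OSError:
            banner = ""
        return "open", banner


def scan_ports(host, ports, timeout=0.5):
    """Map port -> banner for every open port in `ports`."""
    found = {}
    for port in ports:
        state, banner = scan_port(host, port, timeout)
        if state == "open":
            found[port] = banner
    return found


def find_closed_port():
    """Ask the OS for a free port and release it, so a scan of it reads 'closed'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


class Honeypot:
    """Low-interaction decoy: looks like a service (fake banner), runs nothing
    real, and records who connected and what they sent. Events stay in memory
    here; a deployment would forward them to a collector on an isolated host."""

    def __init__(self, banner=b"220 backup01 FTP server ready\r\n"):
        self.banner = banner
        self.events = []
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))
        self._srv.listen(16)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, peer = self._srv.accept()
            except OSError:
                return                 # listening socket closed: stop serving
            with conn:
                conn.settimeout(0.5)
                try:
                    conn.sendall(self.banner)
                    sent = conn.recv(256)
                except OSError:
                    sent = b""
            self.events.append({
                "time": datetime.now(timezone.utc).isoformat(),
                "src": "%s:%d" % peer,
                "sent": sent.decode("ascii", "replace"),
            })

    def wait_for_events(self, count, timeout=3.0):
        """Block until `count` events are recorded (or the timeout passes)."""
        deadline = time.monotonic() + timeout
        while len(self.events) < count and time.monotonic() < deadline:
            time.sleep(0.02)
        return self.events[:count]

    def close(self):
        self._srv.close()


def probe(host, port, payload):
    """Stand-in for whatever a visitor sends after reading the banner (constructed)."""
    with socket.create_connection((host, port), timeout=1.0) as s:
        s.recv(128)
        s.sendall(payload)


if __name__ == "__main__":
    hp = Honeypot()
    print("scan:", scan_ports("127.0.0.1", [hp.port, find_closed_port()]))
    probe("127.0.0.1", hp.port, b"USER admin\r\n")
    for event in hp.wait_for_events(2):
        print(event)
    hp.close()
```

Two things carry over to real deployments. On the scanner side, the three-way split (refused, silent, answered) is how a scan reveals a firewall as well as a service, which is the "presence of firewalls" point from the Nmap section. On the honeypot side, every connection is an event worth keeping: nothing legitimate has a reason to talk to a decoy, so the scan itself shows up as the first recorded event, with an empty `sent` field, before any payload arrives.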
Summary
It is essential to know the difference between an IDS and an IPS. An IDS watches the network for ordinary traffic and for traffic that looks suspicious, and alerts the administrator when it finds suspicious traffic. An IPS also watches the network for suspicious traffic but does more than alert the administrator: it can close the port or reset the connection automatically. A behavior based system can be an appliance that protects the whole network, not just a host. A signature based IPS/IDS begins with a database of known attacks that it can identify, which gives it a head start over a behavior based system. Use a combination of these methods for the most effective system.
A network based system is an appliance located at the edge of a network; it offers general protection for the hosts behind it. A host based firewall offers customized protection for a single host. Be familiar with vulnerability scanners, including software such as Nmap and Nessus, and use these two programs to examine the network's security for weaknesses. Grasp the difference between honeypots and honeynets. Honeypots are security devices made to look to a hacker like a valuable and sensitive target; they are used as decoys to keep the hacker distracted from the sensitive targets, or to catch him. Two or more honeypots on the same network form a honeynet.