Firewall


Firewall

A firewall is a set of security components located between networks that, with a security policy at its core, enforces access control between those networks.

Technically, firewalls can be divided into packet filtering firewalls, stateful firewalls, and proxy firewalls.


By architecture, firewalls can be divided into the screened router architecture, the screened host architecture, the dual-homed host architecture, and the screened subnet architecture.

Characteristics

  • Dual-homed host architecture;

The bastion host has two network interfaces and is connected to both networks at once, so no rules need to be configured on a packet filtering firewall. All communication between the internal and external networks is forced through the bastion host, which removes the risk that a failure of the packet filtering firewall lets the two networks communicate directly; this is more secure than a single-homed bastion host structure.

The main weakness of this architecture is that the dual-homed host is the sole protection point: once it is compromised and configured to forward packets between the internal and external networks, external hosts can access the internal network directly and the protective function of the architecture is lost entirely.

  • Screened host architecture;

Under this structure, an attacker on the external network who wants to reach the internal network must get attack packets through both the packet filtering firewall and the bastion host, which makes the attack considerably harder.

The problem is that the bastion host is directly exposed to the attacker; once the bastion host is compromised, the entire internal network is threatened.

  • Screened subnet architecture;

The internal network is divided into subnets according to security level, with internal network 1 at the higher level. To attack internal network 1, an attacker must penetrate two packet filtering firewalls and one bastion host, which increases the difficulty of the attack.

The disadvantage is management complexity.

The internal packet filter protects the internal network from intrusions coming from the DMZ and the external network, and also restricts internal hosts to communicating with the external network only through the DMZ bastion host, so the internal and external networks never communicate directly.

The external packet filter allows external hosts to reach only specific services in the DMZ, making the internal network completely invisible to external users.

Difference

Packet filtering vs. stateful inspection


Answer from two aspects: configuration method and port opening.

The main differences between packet filtering and stateful inspection firewalls are therefore:

1. A packet filtering firewall needs bidirectional static configuration; once configured, the rules exist permanently. A stateful inspection firewall needs only unidirectional static configuration; the other direction is handled by the firewall itself, which dynamically establishes a temporary session entry that is deleted automatically after use.

2. With a packet filtering firewall, the destination ports from server to client must all be open; with a stateful inspection firewall, the destination ports from server to client are opened only as needed.
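To make the two differences above concrete, here is an added example (not code from the original post) that models a minimal packet filter beside a minimal stateful firewall: the packet filter needs a second, permanently open rule for server-to-client traffic, while the stateful firewall opens the return direction only while a session exists. The addresses, ports and packets are constructed for illustration.

```python
# Added example (not from the original post): a minimal packet filter beside a minimal
# stateful firewall. Addresses, ports and packets are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # first packet of a TCP connection
    fin: bool = False  # last packet (simplified: a single FIN closes the session)
def matches(rule, p):
    """A rule is (src, dst, dport); '*' is a wildcard."""
    return all(r == "*" or r == v for r, v in zip(rule, (p.src, p.dst, p.dport)))
def packet_filter_allow(rules, p):
    """Stateless: every direction needs its own static rule, which is always open."""
    return any(matches(r, p) for r in rules)
class StatefulFirewall:
    """Static rules cover the initiating direction only; replies use a session table."""
    def __init__(self, rules):
        self.rules, self.sessions = list(rules), set()
    def allow(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if reverse in self.sessions:  # reply to an established session
            if p.fin:
                self.sessions.discard(reverse)  # temporary entry deleted after use
            return True
        if p.syn and any(matches(r, p) for r in self.rules):
            self.sessions.add(key)  # dynamically open the return direction
            return True
        return False

CLIENT, SERVER = "10.0.0.5", "203.0.113.10"  # constructed addresses
def compare():
    pf_rules = [(CLIENT, SERVER, 443), (SERVER, CLIENT, "*")]  # reverse rule opens all client ports
    sf = StatefulFirewall([(CLIENT, SERVER, 443)])  # one static rule only
    syn = Packet(CLIENT, 40000, SERVER, 443, syn=True)
    reply = Packet(SERVER, 443, CLIENT, 40000)
    fin = Packet(SERVER, 443, CLIENT, 40000, fin=True)
    return {
        "pf_unsolicited": packet_filter_allow(pf_rules, reply),  # True: static rule always open
        "sf_unsolicited": sf.allow(reply),  # False: no session yet
        "sf_syn": sf.allow(syn),            # True: session entry created
        "sf_reply": sf.allow(reply),        # True: matches the session
        "sf_fin": sf.allow(fin),            # True, and the entry is removed
        "sf_after_fin": sf.allow(reply),    # False: entry gone after use
        "sessions_left": len(sf.sessions),  # 0
    }
```

The `pf_unsolicited` result is the port-opening problem from point 2: an unsolicited packet from the server side passes the packet filter because the reverse rule must be static and wildcarded, whereas the stateful firewall drops it unless a session was opened from the inside.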

Intrusion Detection System

What is an IDS: a system used to detect intrusions originating inside the network and violations of the security policy in traffic that does not pass through the firewall.

There are two main detection methods: misuse detection and anomaly detection (the basic principle of anomaly detection is to build a profile of normal behavior; when user behavior deviates significantly from that profile, the deviations are examined to detect intrusions).

Misuse detection vs. anomaly detection:

Misuse detection is relatively accurate but cannot detect unknown attacks: it has a low false positive rate but a high false negative rate.

Anomaly detection can detect unknown attacks, but it requires more sophisticated analysis.

General workflow (it feels similar to traffic detection): data extraction, data analysis, and result handling; the response step may be left out.

According to the source of the data they analyze, IDSs are divided into host-based intrusion detection systems (HIDS) and network-based intrusion detection systems (NIDS).

HIDS advantages: it can be tailored to the actual situation of the protected host, so detection is effective and the false positive rate is low. Disadvantages: the accuracy or integrity of its data or of the system itself may be threatened by an attacker (auditing can be bypassed with system privileges), and the HIDS may affect host performance.

NIDS advantages: its detection range is the entire network segment, and it needs no login or audit mechanism on the hosts, only a configured network interface. Disadvantages: it can only detect activity that passes through that network; its accuracy is poorer; it is difficult to deploy in a switched network; its resistance to evasion is weak; and it can neither defend against threats inside a host nor effectively inspect encrypted data streams.

Measuring indicators: false positive rate and false negative rate.
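As an added example (not from the original post), the following script scores a misuse detector and an anomaly detector on the same constructed audit records using the two indicators named above, reproducing the trade-off from the comparison: misuse detection misses the unknown attacks (high false negative rate) while anomaly detection catches them at the cost of flagging a bursty but legitimate user (higher false positive rate). The events, signature strings and baseline profile are all constructed.

```python
# Added example (not from the original post): misuse (signature) detection beside
# anomaly (profile-deviation) detection, scored by false positive and false negative
# rate. Events, signatures and the baseline profile are constructed for illustration.
import statistics

# Constructed audit records: (user, logins_per_minute, request, is_attack)
EVENTS = [
    ("alice", 2, "GET /index.html", False),
    ("bob", 3, "GET /login", False),
    ("alice", 40, "GET /login", True),                 # brute force: no signature for it
    ("mallory", 2, "GET /cgi-bin/known-exploit", True),  # matches a known signature
    ("eve", 60, "GET /login", True),                   # brute force from another account
    ("carol", 25, "GET /reports", False),              # legitimate but bursty batch job
    ("bob", 1, "GET /static/app.js", False),
]
SIGNATURES = ["/cgi-bin/known-exploit", "badbot-scanner"]  # constructed misuse patterns
BASELINE = [2, 3, 1, 2, 4, 3, 2]  # constructed normal profile (logins per minute)

def misuse_detect(event):
    """Flag only requests that contain a known attack pattern."""
    return any(sig in event[2] for sig in SIGNATURES)

def anomaly_detect(event, k=3.0):
    """Flag behaviour that deviates from the normal profile by more than k std devs."""
    threshold = statistics.mean(BASELINE) + k * statistics.pstdev(BASELINE)
    return event[1] > threshold

def rates(detector):
    """Compute the two indicators the notes use to measure an IDS."""
    fp = fn = attacks = benign = 0
    for e in EVENTS:
        flagged = detector(e)
        if e[3]:
            attacks += 1
            fn += not flagged   # attack that was not flagged
        else:
            benign += 1
            fp += flagged       # benign record that was flagged
    return {"false_positive_rate": fp / benign, "false_negative_rate": fn / attacks}

if __name__ == "__main__":
    for name, det in (("misuse", misuse_detect), ("anomaly", anomaly_detect)):
        print(name, rates(det))
```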

Q&A

WHY DMZ

A DMZ is a zone of intermediate trust in the network, usually used to define the network where the internal servers are located. Traffic that does not cross a zone boundary is not protected by the firewall.
