1.1. Security functions of network devices – Continued
VPN (Virtual Private Network) will be discussed in the future as a chapter of its own due to its importance in the network security world.
VPN concentrators are sometimes known by many other names such as VPN servers, VPN firewalls, VPN RAS (VPN Remote Access Servers), VPN Proxies, etc.
VPN concentrators allow for high availability, scalability and performance for VPN connections. They are hardware appliances designed to handle a large number of simultaneous VPN connections, usually hundreds and in some implementations thousands.
NIDS (Network Intrusion Detection Systems) and NIPS (Network Intrusion Prevention Systems)
IDSs and IPSs (IDPSs) will be fully discussed in an upcoming article as part of the IDS category; however, due to their importance they will be briefly mentioned here. As I said, what is discussed here is only the tip of the iceberg compared to what I’m planning to cover in the IDS category, where I will go into the topic in much more detail, as it was the subject of my MSc graduation dissertation.
IDSs/IPSs have become one of the most important components used to secure networks. In brief, an IDS monitors the network for intrusions; if an incident occurs it logs it and produces an alert. An IPS goes further and blocks the attack from succeeding. Many IDSs these days have an IPS feature that you have to enable to make them function in IPS mode.
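The difference between the two modes in code, as an added example that is not part of the original article: a toy signature engine where detection mode (IDS) only logs an alert and forwards the packet, while prevention mode (IPS) logs the same alert and also drops it. The rules, packets and rule ids are constructed for the demonstration and are not real signatures or captures.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

@dataclass
class Rule:
    sid: int                         # rule id, echoed in the alert
    msg: str
    dport: Optional[int] = None      # None matches any destination port
    content: Optional[bytes] = None  # byte pattern that must appear in the payload

    def matches(self, pkt: Packet) -> bool:
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return self.content is None or self.content in pkt.payload

@dataclass
class Sensor:
    rules: List[Rule]
    prevention: bool = False         # False: IDS mode (log and alert), True: IPS mode (also block)
    alerts: List[str] = field(default_factory=list)

    def inspect(self, pkt: Packet) -> bool:
        """Inspect one packet; return True if it is forwarded, False if blocked."""
        hits = [r for r in self.rules if r.matches(pkt)]
        for r in hits:               # every matching rule is logged in both modes
            self.alerts.append(f"[{r.sid}] {r.msg} {pkt.src} -> {pkt.dst}:{pkt.dport}")
        return not (hits and self.prevention)

# Constructed rules and traffic for the demonstration (not real signatures or captures)
RULES = [
    Rule(1000001, "HTTP path traversal attempt", dport=80, content=b"../"),
    Rule(1000002, "SQL comment sequence in request", dport=80, content=b"--"),
]
TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.1", 80, b"GET /index.html HTTP/1.1"),
    Packet("10.0.0.9", "10.0.0.1", 80, b"GET /../../etc/passwd HTTP/1.1"),
    Packet("10.0.0.9", "10.0.0.1", 443, b"\x16\x03\x01"),  # TLS bytes, no HTTP rule applies
]

def run(prevention: bool):
    """Run the constructed traffic through a sensor; return (alerts, forwarded flags)."""
    sensor = Sensor(RULES, prevention)
    forwarded = [sensor.inspect(p) for p in TRAFFIC]
    return sensor.alerts, forwarded
```

Calling `run(False)` and `run(True)` produces the same single alert for the second packet; only in prevention mode is that packet not forwarded.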
There are many different types of IDS/IPS, but all can be categorised as follows:
- NIDS (Network IDS)
- NBA (Network Behaviour Analysis IDSs)
- WIDS (Wireless IDS)
- HIDS (Host IDS)
There are different detection technologies and techniques, and each of the above uses one or a combination of them:
- Stateful protocol analysis
Each has its advantages and disadvantages, and organisations have begun to learn not to rely fully on them as they can be defeated. Like I said, I’ll go into a lot more detail in an upcoming series of articles in the intrusion detection category, where some of the areas I’m planning to discuss include:
- Detection Technologies
- Differences between each technology
- Advantages and disadvantages of each technology
- IDS limitations
- IDS deployment
- Devices involved in deploying an IDS
- Evasion techniques
The practical side of this series can be outlined as follows:
- Installing Snort on Linux and Windows
- Configuring Snort
- Writing rules
- Testing the IDS
- Creating a network security monitoring (NSM) system
- Might go into OSSEC (HIDS)
- Evading IDSs
I can’t really specify a certain date when this series will be published, so please be patient with me.
A protocol analyser is a tool used to analyse the network by capturing all packets seen on the network and displaying the information in each packet according to the protocols used. An example is Wireshark, an open source tool that captures packets and decodes all the information into human-readable form. It also splits the information and colour codes it according to the 7 layers of the OSI model. Protocol analysers usually put the NIC (Network Interface Card) into promiscuous mode, or monitor mode in the case of wireless networks. These tools usually have filtering capabilities that allow you to focus on specific packets.
Protocol analysers can be either hardware or software and can be used to check for any problems in the network. They can also be used by security professionals to track down the source of an attack.
Sniffers are basically similar to protocol analysers: they sniff or capture the packets on the network, while a protocol analyser is also able to decode and translate packet or frame contents.
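What "decoding according to the protocols used" and a display filter look like underneath, as an added example that is not from the original article: a constructed Ethernet II / IPv4 / UDP frame carrying a DNS query header is decoded layer by layer (L2, L3, L4, payload) and then matched against a minimal filter. The frame contents, addresses and the `layer.field` filter syntax are my own assumptions, not Wireshark's.

```python
import struct

def build_frame() -> bytes:
    """Constructed Ethernet II + IPv4 + UDP frame carrying a DNS query header (sample input)."""
    payload = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # DNS id 0x1234, 1 question
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 51000, 53, udp_len, 0) + payload    # UDP checksum left as 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 1, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])) + udp
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip

def decode(frame: bytes) -> dict:
    """Decode one frame layer by layer (L2 Ethernet, L3 IPv4, L4 UDP, then payload)."""
    layers = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["eth"] = {"dst": dst.hex(":"), "src": src.hex(":"), "type": ethertype}
    if ethertype != 0x0800:                 # only IPv4 is decoded in this example
        return layers
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                # IPv4 header length in bytes
    layers["ip"] = {"src": ".".join(map(str, ip[12:16])),
                    "dst": ".".join(map(str, ip[16:20])),
                    "ttl": ip[8], "proto": ip[9]}
    if ip[9] == 17:                         # protocol 17 is UDP
        sport, dport, length, _ = struct.unpack("!HHHH", ip[ihl:ihl + 8])
        layers["udp"] = {"sport": sport, "dport": dport, "len": length}
        layers["data"] = ip[ihl + 8:ihl + length]
    return layers

def matches(layers: dict, display_filter: dict) -> bool:
    """Minimal display filter: every 'layer.field' key must equal the decoded value."""
    for key, want in display_filter.items():
        layer, field = key.split(".")
        if layers.get(layer, {}).get(field) != want:
            return False
    return True

if __name__ == "__main__":
    decoded = decode(build_frame())
    for layer, fields in decoded.items():
        print(layer, fields)
    print("DNS query?", matches(decoded, {"ip.proto": 17, "udp.dport": 53}))
```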
Spam filters and all-in-one security tools
Spam filters can be hardware or software products. They are used to filter out, remove or even block bad messages, and are usually used for email, instant messaging (IM), SMS, web forums or blogs.
All-in-one security devices, sometimes called security gateways or UTMs (Unified Threat Management systems), are sometimes used by organisations as a low cost solution because a single device can perform all of the functions discussed here and in network security – part 1. They can do:
- Firewall functions
- Virus scanning
- Privacy protection
- Spam filtering
- Web filtering
- DoS protection
- Spyware blocking and activity tracking
- Some can also provide server-side services for web hosting as well as wireless security functions.
Although for some organisations this can be a very useful and cost effective way to protect their network, in some implementations, such as large enterprise networks, it might not be a good solution due to the load all these different features put on the device, which can make it miss packets or even cause a DoS. So in this case a dedicated product that performs just one of the functions discussed, although more expensive, is the best solution for enterprise networks.