Hi, I'm Mark Bowling, and I'm going to talk about the network security devices that are used for managing traffic flow. There are numerous types of devices used to make network communications more secure. Traditional security devices typically include firewalls; Intrusion Detection and Prevention Systems, also known as IDS and IPS; web content filters; Virtual Private Networks, also known as VPNs; Data Loss Prevention, DLP; Unified Threat Management, UTM; and Security Information and Event Management, known as SIEM.

Firewalls have been a cornerstone of network security since the early days of the Internet. A firewall is a hardware and/or software platform that controls the flow of traffic between a trusted network, such as a corporate LAN, and an untrusted network, such as the Internet. Firewall technology has evolved over time, and there are currently three generations of firewalls to talk about.

First-generation packet-filtering firewalls, also known as port-based firewalls, have the following characteristics. They operate up to layer 3, the network layer of the Open Systems Interconnection (OSI) reference model, and inspect individual packet headers to determine the source and destination IP address, the protocol (whether TCP, UDP or ICMP) and the port number. They match the source and destination IP address, protocol and port number information contained in each packet header against a corresponding rule in the firewall that designates whether the packet should be allowed, blocked or dropped. These first-generation firewalls inspect and handle each packet individually, with no information about context or session.

Second-generation stateful inspection firewalls, also known as dynamic packet-filtering firewalls, have the following characteristics. They operate up to layer 4, the transport layer of the OSI model, and maintain state information about the communication sessions that have been established between hosts on the trusted and untrusted networks.
These firewalls inspect individual packet headers to determine source and destination IP address, protocol and port number during session establishment only, in order to decide whether the session should be allowed, blocked or dropped based on pre-established firewall rules. Once a permitted connection is established between two hosts, the firewall creates and deletes state-table entries (in effect, temporary rules) for individual connections as needed, effectively creating a tunnel that allows traffic to flow between the two hosts without further inspection of individual packets against the rule base for the rest of the session. This type of firewall is very fast, but it is highly dependent on the trustworthiness of the two hosts, because the content of individual packets is not inspected after the connection is established.

Third-generation application firewalls, also known as application-layer gateways or proxy-based and reverse-proxy firewalls, have the following characteristics. They operate up to layer 7, the application layer of the OSI model, and control access to specific applications and services on the network. They proxy network traffic rather than permitting direct communication between hosts: requests are sent from the originating host to a proxy server, which analyzes the contents of the data packets and, if permitted, forwards the request to the destination host on the client's behalf. Because they inspect application-layer traffic, they are able to identify and block specified content such as malware, exploits, websites, and applications or services that may be using hiding techniques such as encryption and non-standard ports. Proxy servers can also be used to implement strong user authentication and web application filtering, and to mask the internal network from untrusted networks. However, proxy servers have a significant negative impact on the overall performance of the network.
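The following is an added worked example, not part of the lecture, that puts a first-generation stateless packet filter beside a second-generation stateful one so you can see what "context or session" actually buys. The Packet and Rule formats, the rule base and the addresses are assumptions made for illustration; a real stateful firewall also tracks TCP sequence numbers, connection state and idle timeouts.

```python
# Added example (not from the lecture): a first-generation stateless packet
# filter beside a second-generation stateful one, to show what session state
# buys you. The Packet/Rule formats and the addresses are assumptions for
# illustration; a real firewall also tracks sequence numbers and timeouts.
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp", "udp" or "icmp"
    syn: bool = False   # TCP SYN flag: marks the start of a new session
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    """A layer 3/4 rule: header fields only, '*' is a wildcard."""
    action: str         # "allow" or "deny"
    src: str
    dst: str
    proto: str
    dport: Union[int, str]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src in ("*", pkt.src) and rule.dst in ("*", pkt.dst)
            and rule.proto in ("*", pkt.proto)
            and rule.dport in ("*", pkt.dport))


def stateless_filter(rules: List[Rule], pkt: Packet) -> str:
    """First generation: each packet is judged on its own header, the first
    matching rule wins, and anything unmatched is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Second generation: the rule base is consulted only when a session
    starts; later packets of that session pass on the strength of the state
    table, in either direction, without another rule lookup."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.sessions = set()   # 5-tuples of permitted sessions

    @staticmethod
    def _key(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt: Packet):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt: Packet) -> str:
        if self._key(pkt) in self.sessions or self._reverse_key(pkt) in self.sessions:
            return "allow"           # belongs to an established session
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"            # mid-stream TCP packet with no known session
        action = stateless_filter(self.rules, pkt)
        if action == "allow":
            self.sessions.add(self._key(pkt))   # remember the new session
        return action


def demo():
    """Constructed traffic: 10.0.0.5 (trusted LAN) opens an HTTPS session to
    203.0.113.10; the server replies; then 203.0.113.10 tries an unsolicited
    SSH connection inbound."""
    rules = [Rule("allow", "10.0.0.5", "*", "tcp", 443)]
    out_syn = Packet("10.0.0.5", 51000, "203.0.113.10", 443, "tcp", syn=True)
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 51000, "tcp", syn=True, ack=True)
    data = Packet("203.0.113.10", 443, "10.0.0.5", 51000, "tcp", ack=True)
    unsolicited = Packet("203.0.113.10", 40000, "10.0.0.5", 22, "tcp", syn=True)
    flow = (out_syn, reply, data, unsolicited)

    # The stateless filter has no memory, so the server's reply is denied...
    stateless = [stateless_filter(rules, p) for p in flow]
    # ...and a stateless fix is a broad inbound rule, which also lets the
    # unsolicited SSH connection through.
    loose_rules = rules + [Rule("allow", "*", "10.0.0.5", "tcp", "*")]
    stateless_loose = [stateless_filter(loose_rules, p) for p in flow]
    # The stateful firewall admits the reply because it remembers the session,
    # yet still denies the inbound SSH attempt.
    fw = StatefulFirewall(rules)
    stateful = [fw.process(p) for p in flow]
    return {"stateless": stateless, "stateless_loose": stateless_loose,
            "stateful": stateful}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:16s} {verdicts}")
```

Running the demo shows the trade-off the lecture describes: the stateless filter either drops the legitimate reply or, once the rule base is loosened enough to admit it, also admits the unsolicited inbound connection, while the stateful firewall gets both right by remembering who started the session. It also shows the second-generation weakness: once the session is in the table, neither firewall looks at the payload again.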
Intrusion Detection Systems and Intrusion Prevention Systems, also known as IDS and IPS, provide real-time monitoring of network traffic and perform deep packet inspection and analysis of network activity and data. Unlike traditional packet-filtering and stateful packet inspection firewalls, which only examine packet header information, IDS and IPS examine both the packet headers and the payloads of network traffic, and attempt to match known bad or malicious patterns, or signatures, found within the inspected packets. IDS and IPS are typically deployed to detect and block exploits of software vulnerabilities on target networks.

The primary difference between IDS and IPS is that an IDS is considered a passive system, whereas an IPS is an active system. An IDS monitors and analyzes network activity and provides alerts on potential attacks and vulnerabilities on the network, but it does not perform any preventive action to stop an attack. An IPS, on the other hand, performs all of the same functions as an IDS, but also automatically blocks or drops activity that matches a suspicious pattern, in real time. However, an IPS has some disadvantages. It must be placed in line along a network boundary and is therefore directly susceptible to attack itself. False alarms must be properly identified and filtered to avoid inadvertently blocking authorized users and applications. And an IPS may itself be used to effect a denial-of-service (DoS) attack: an attacker floods it with traffic that triggers blocks or exhausts its capacity, until no connections or bandwidth are available.

IDS and IPS can also be classified as knowledge-based, also known as signature-based, or behavior-based, also known as statistical anomaly-based, systems. Knowledge-based systems use a database of known vulnerabilities and attack profiles to identify intrusion attempts. These systems have lower false-alarm rates than behavior-based systems, but must be continuously updated with new attack signatures to be effective.
A behavior-based system, however, uses a baseline of normal network activity to identify unusual patterns or levels of activity that may indicate an intrusion attempt. These systems are more adaptive than knowledge-based systems and may therefore be more effective at detecting previously unknown vulnerabilities and attacks, but they have a much higher false-positive rate than knowledge-based systems.

Web content filters are used to restrict the Internet activity of users on a network. A web content filter matches a web address, also called a Uniform Resource Locator, or URL, against a database of websites that is typically maintained by the security vendor that sells the filter. Web content filters attempt to classify websites into broad categories that are either allowed or blocked for various groups of users on the network. For example, the Marketing and Human Resources departments may have access to social media sites such as Facebook and LinkedIn for legitimate online marketing and recruiting activities, while other users are blocked. Examples of typical website categories include gambling and online gaming, hacking, hate and violence, pornography, social media, and web-based email. In addition to lowering individual productivity, these sites may be prime targets for malware that users may unwittingly fall victim to via drive-by downloads. Certain sites may also create liabilities, in the form of sexual harassment or racial discrimination suits, for organizations that fail to protect other employees from being exposed to pornographic or hate-based websites. Organizations may elect to implement these solutions in a variety of modes: to block content, to warn users before they access restricted sites, or simply to log all activity.
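The following is an added worked example, not part of the lecture, illustrating the two IDS classifications discussed above (knowledge-based signature matching on packet payloads, and behavior-based detection against a statistical baseline) before we move on to web content filters. The signatures, the packet sample and the per-host connection counts are constructed for illustration; a real IDS rule set has thousands of signatures and a real baseline is learned per host, per service and per time of day.

```python
# Added example (not from the lecture): a toy IDS with both detection methods
# the lecture describes. The signatures, the packet sample and the connection
# counts are constructed for illustration.
import re
import statistics
from typing import Dict, List, Tuple

# Knowledge-based detection: byte patterns matched against the payload, which a
# header-only firewall never looks at.
SIGNATURES = {
    "web-shell-command": re.compile(rb"cmd=(?:cat|ls|id|wget|curl)\b"),
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "nop-sled": re.compile(rb"\x90{16,}"),
}


def signature_match(payload: bytes) -> List[str]:
    """Names of every signature that fires on one packet payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(payload)]


def signature_ids(packets: List[Dict]) -> List[Tuple[str, str]]:
    """Scan packets (dicts with 'src' and 'payload') and return (src, signature)
    alerts; an IPS would additionally drop the matching packet."""
    return [(p["src"], sig) for p in packets for sig in signature_match(p["payload"])]


# Behavior-based detection: learn what normal looks like, then flag outliers.
def learn_baseline(training_counts: List[int]) -> Tuple[float, float]:
    """Mean and standard deviation of per-host connection counts per interval,
    measured while the network is known to be clean."""
    return statistics.mean(training_counts), statistics.pstdev(training_counts)


def anomaly_ids(baseline: Tuple[float, float], interval_counts: Dict[str, int],
                z_threshold: float = 3.0) -> List[str]:
    """Hosts whose connection count in this interval exceeds the baseline mean
    by more than z_threshold standard deviations."""
    mean, stdev = baseline
    flagged = []
    for host, count in interval_counts.items():
        if stdev == 0:
            anomalous = count > mean          # degenerate baseline: any excess is unusual
        else:
            anomalous = (count - mean) / stdev > z_threshold
        if anomalous:
            flagged.append(host)
    return flagged


def demo():
    # Constructed packet sample: two attack payloads from one Internet host, a
    # shellcode-looking blob, and a port scanner whose probes carry no payload.
    packets = [
        {"src": "10.0.0.7", "payload": b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n"},
        {"src": "198.51.100.9", "payload": b"GET /shell.php?cmd=cat+/etc/passwd HTTP/1.1"},
        {"src": "198.51.100.9", "payload": b"GET /../../../../etc/shadow HTTP/1.1"},
        {"src": "203.0.113.4", "payload": b"\x90" * 32 + b"\xcc\xcc"},
        {"src": "10.0.0.9", "payload": b""},
    ]
    alerts = signature_ids(packets)   # the scanner (10.0.0.9) trips no signature

    # Constructed baseline: connections per host per 5-minute interval on a
    # quiet network, then one interval with a scanner and a busy backup host.
    baseline = learn_baseline([12, 15, 11, 14, 13, 16, 12, 14])
    interval = {"10.0.0.7": 14, "10.0.0.8": 17, "10.0.0.9": 240, "10.0.0.50": 19}
    anomalies = anomaly_ids(baseline, interval)
    return {"alerts": alerts, "anomalies": anomalies}


if __name__ == "__main__":
    out = demo()
    print("signature alerts:", out["alerts"])
    print("anomalous hosts:", out["anomalies"])
```

The two detectors disagree in exactly the way the lecture predicts. The signature engine catches the web-shell command, the path traversal and the NOP sled, but says nothing about 10.0.0.9 because a port scan carries no payload to match. The behavior-based engine flags 10.0.0.9 without ever having seen a scan before, but it also flags 10.0.0.50, which in this sample is just a host running a legitimate backup: that is the higher false-positive rate, and in an IPS deployment it would have been blocked.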
The disadvantage of blocking content is that false positives require a user to contact a security administrator to allow access to websites that have been improperly classified and blocked, or that need to be accessed for a legitimate purpose. This concludes part 1 of the network security devices module. Part 2 outlines the function and purpose of VPN, DLP, UTM and SIEM devices. I'm Mark Bowling, and thank you for watching.