In this article, we are going to discuss some methods that are used in Network Defense. The Security Actions we will focus on in this article are NIDS, NIPS, Firewalls, NAC, etc. Since this is a beginner’s guide we are only focusing on important things and tools and How they Works.
Network Intrusion Detection System (NIDS)
“Network intrusion detection systems (NIDS) are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. It performs an analysis of passing traffic on the entire subnet and matches the traffic that is passed on the subnets to the library of known attacks. Once an attack is identified, or abnormal behavior is sensed, the alert can be sent to the administrator.” — Wikipedia.
Basically, NIDS can be of any type of software or physical device. It is used to tap monitor the network and if any anomaly is found in the network it generates an alert for the human analyst to for analyzing.
Some Open-Source And Free NIDS
- Snort – Snort is one o f the best intrusion detection system and is completely free to use. You can check the official Website – https://www.snort.org/
- Suricata – Suricata is the leading independent open source threat detection engine. By combining intrusion detection (IDS), intrusion prevention (IPS), network security monitoring (NSM) and PCAP processing, Suricata can quickly identify, stop, and assess the most sophisticated attacks. https://suricata.io/
- Zeek – Zeek has a long history in the open source and digital security worlds. Vern Paxson began developing the project in the 1990s under the name “Bro” https://zeek.org/
All of the above are open-source and free to use. one can easily install and implement for practical learning.
Network Intrusion Prevention System
Network Intrusion Prevention System or NIPS is exactly the same as NIDS but can take defensive actions against the alerts. Where NIDS can only generate alerts to be analyzed, NIPS can actually take some defensive action and alter the network as per requirement.
Some of the Defensive Actions taken by NIPS are –
- Dropping the Malicious Packets.
- Resetting the Connection.
- Blocking the traffic from the malicious IP.
- NIPS Also can mitigate TCP sequencing issues and clean up unwanted transport and network layer options.
- many more…..
For trying out things you can refer to the list of software that is listed in the NIDS section.
“In computing, a firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the Internet.” –Wikipedia
Basically, Firewalls are used to separate the networks into different zones or private zones by taking the control of the traffics.
Types of Firewalls
1. Packet Filtering Firewalls
The most common type of firewall is the packet filtering firewall. It checks the traffics and examines the packets and prohibits them to pass if they do not follow the Security Rules. The Firewalls check the Source and Destination IP of the packet and let them pass if they are allowed according to the ruleset.
2. Next Generations Firewalls
NGFW’s are advanced firewalls. These firewalls are combinations of the classic firewall with some advanced features like- Encrypted Packet Analyzing, Inbuilt Intrusion Prevention System, Antivirus, and more. These Firewalls have also consisted of Deep Packet Inspection (DPI). DPI is one of the advanced features to check the header of each packet to identify or stop the malicious packets.
3. Web Application Firewall
“A web application firewall (WAF) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service. By inspecting HTTP traffic, it can prevent attacks exploiting a web application’s known vulnerabilities, such as SQL injection, cross-site scripting (XSS), file inclusion, and improper system configuration.” –Wikipedia
The WAF works at the application layer and prevents any HTTP/s traffic that looks malicious or tries to load or get unauthorized data.
These are the main and important types of Firewalls. There are other types of firewalls like NAT Firewalls and SMLI Firewalls that are not mentioned here.
All the Networks devices generate logs and if there is SIEM configured in the system all the logs will go to the SIEM Dashboard and there an analyst can examine all the logs.
Basically, log monitoring is one of the important steps in network defense, Because logs stores many important and crucial information about the network. A Security Analyst can easily identify which of the Requests or packets tends to show some vulnerabilities in the network and take action on it.
Analyzing Logs can be very helpful to determine whether any IP or Packet or request is an Indicator of compromise (IOC) or not.
Any SIEM software is able to monitor the logs. But there are some Open-Source tools we would Like to mention here that are built for log monitoring.
- Graylog 2 – Graylog is a leading open-source and robust centralized logging management tool.Official Site
- Logcheck – Logcheck is yet another open-source log monitoring tool that is run as a cron job. Official Site
- Logstash – Logstash is a free and open server-side data processing pipeline. Official Site
Network Access Control (NAC)
“Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), the user or system authentication, and network security enforcement.” –Wikipedia
Basically, Network Access Control or NAC ensures that unauthorized users and devices stay out of the private network.
Now we have learned about some important network defense methods and how they work. Each of the network defense methods listed above is a whole topic with lots of things that are not listed here. We recommend the readers to study each one of them in-depth to get a better understanding of the things.
For more blogs like this please visit our blog page.
For Network security Interview Question Visit Here.