Hi, I'm Mark Bowling, and I'm going to talk about the network security devices that are used for managing traffic flow. There are numerous types of devices used to make network communications more secure. Traditional security devices typically include firewalls, intrusion detection and prevention systems, also known as IDS and IPS, web content filters, virtual private networks, also known as VPNs, data loss prevention, or DLP, unified threat management, or UTM, and security information and event management, known as SIEM.

Firewalls have been a cornerstone of network security since the early days of the Internet. A firewall is a hardware and/or software platform that controls the flow of traffic between a trusted network, such as a corporate LAN, and an untrusted network, such as the Internet. Firewall technology has evolved over time, and there are currently three generations of firewalls to talk about.

First generation packet filtering firewalls, also known as port-based firewalls, have the following characteristics. They operate up to layer three, the Network layer of the Open Systems Interconnection (OSI) reference model, and inspect individual packet headers to determine the source and destination IP address, the protocol, whether TCP, UDP, or ICMP, and the port number. They match the source and destination IP address, protocol, and port number information contained within each packet header to a corresponding rule in the firewall that designates whether the packet should be allowed, blocked, or dropped. These first generation firewalls inspect and handle each packet individually, with no information about context or session.

Second generation stateful packet inspection firewalls, also known as dynamic packet filtering firewalls, have the following characteristics.
They operate up to layer four, the Transport layer of the OSI model, and maintain state information about the communication sessions that have been established between hosts on the trusted and untrusted networks. These firewalls inspect individual packet headers to determine the source and destination IP address, protocol, and port number during session establishment only, to decide whether the session should be allowed, blocked, or dropped based on pre-established firewall rules. Once a permitted connection is established between two hosts, the firewall records it in a state table, adding and removing entries for individual connections as they open and close. This effectively creates a tunnel: later packets of the session are passed on a state-table lookup rather than being evaluated against the rule base again. This type of firewall is very fast, but it is highly dependent on the trustworthiness of the two hosts, because the contents of individual packets are not inspected after the connection is established.

Third generation application firewalls, also known as application layer gateways, or proxy-based and reverse proxy firewalls, have the following characteristics. They operate up to layer seven, the Application layer of the OSI model, and control access to specific applications and services on the network. They proxy network traffic rather than permitting direct communication between hosts. Requests are sent from the originating host to a proxy server, which analyzes the contents of the data packets and, if permitted, forwards the request to the destination host on the client's behalf. Because they inspect application layer traffic, they are able to identify and block specified content such as malware, exploits, websites, and applications or services that use hiding techniques such as encryption and non-standard ports. Note that seeing inside encrypted traffic requires the proxy to terminate the TLS session itself, which means clients must trust the proxy's certificate. Proxy servers can also be used to implement strong user authentication and web application filtering, and to mask the internal network from untrusted networks.
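To make the difference between the first and second generations concrete, here is an added example in Python (written for this page, not code from the lecture): a toy stateless packet filter beside a toy stateful one, both run over a constructed three-packet trace. The Packet and Rule fields, the addresses, and the rule sets are assumptions for illustration.

```python
"""Added example: stateless (first generation) vs stateful (second generation)
packet filtering. All addresses, rules and the packet trace are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp", "udp" or "icmp"
    syn: bool = False   # TCP SYN flag; only the stateful filter looks at it


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "drop"
    src: str = "any"             # exact address or "any"
    sport: Optional[int] = None  # None matches any port
    dst: str = "any"
    dport: Optional[int] = None
    proto: str = "any"

    def matches(self, p: Packet) -> bool:
        return ((self.src == "any" or self.src == p.src)
                and (self.sport is None or self.sport == p.sport)
                and (self.dst == "any" or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.proto == "any" or self.proto == p.proto))


def stateless_filter(rules: List[Rule], p: Packet) -> str:
    """First generation: every packet is matched, in order, against the rule
    list with no memory of earlier packets. First match wins; no match drops."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


class StatefulFilter:
    """Second generation: rules are consulted only when a session is opened;
    later packets of a known session pass on a state-table lookup."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.table: set = set()   # (src, sport, dst, dport, proto) of allowed sessions

    def filter(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        if fwd in self.table or rev in self.table:
            return "allow"              # part of an established session
        if p.proto == "tcp" and not p.syn:
            return "drop"               # unsolicited non-SYN packet: no session exists
        action = stateless_filter(self.rules, p)
        if action == "allow":
            self.table.add(fwd)         # remember the new session
        return action


INSIDE = "10.0.0.5"
# Constructed trace: an outbound web request, its reply, and an unsolicited
# inbound packet from an attacker who chose source port 80 on purpose.
TRACE = [
    Packet(INSIDE, 40000, "203.0.113.10", 80, "tcp", syn=True),
    Packet("203.0.113.10", 80, INSIDE, 40000, "tcp"),
    Packet("198.51.100.7", 80, INSIDE, 40001, "tcp", syn=True),
]

# A stateless filter cannot tell a reply from a new inbound connection, so it
# needs a broad "anything from source port 80" rule to let replies through.
STATELESS_RULES = [
    Rule("allow", src=INSIDE, dport=80, proto="tcp"),
    Rule("allow", sport=80, dst=INSIDE, proto="tcp"),
]
# The stateful filter only needs the outbound rule; replies are matched by state.
STATEFUL_RULES = [Rule("allow", src=INSIDE, dport=80, proto="tcp")]


def run_stateless() -> List[str]:
    return [stateless_filter(STATELESS_RULES, p) for p in TRACE]


def run_stateful() -> List[str]:
    fw = StatefulFilter(STATEFUL_RULES)
    return [fw.filter(p) for p in TRACE]


if __name__ == "__main__":
    print("stateless:", run_stateless())   # the unsolicited packet gets in
    print("stateful: ", run_stateful())    # the unsolicited packet is dropped
```

The point of the trace is the third packet: the stateless rule set has to admit any packet from source port 80 so that legitimate replies are not dropped, which also admits an attacker who simply sets their source port to 80. The stateful filter has no such rule and drops the packet because no session exists for it. Real stateful firewalls also track TCP flags and sequence windows, age entries out on timeout, and keep pseudo-state for UDP and ICMP; this toy omits all of that.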
However, proxy servers have a significant negative impact on the overall performance of the network.

Intrusion detection systems and intrusion prevention systems, also known as IDS and IPS, provide real-time monitoring of network traffic and perform deep packet inspection and analysis of network activity and data. Unlike traditional packet filtering and stateful packet inspection firewalls, which only examine packet header information, IDS and IPS examine both the packet headers and the payloads of network traffic. An IDS or IPS attempts to match known bad or malicious patterns, or signatures, found within inspected packets, and is typically deployed to detect, and in the case of an IPS block, exploits of software vulnerabilities on target networks. The primary difference between IDS and IPS is that an IDS is considered to be a passive system, whereas an IPS is an active system. An IDS monitors and analyzes network activity and provides alerts of potential attacks and vulnerabilities on the network, but it doesn't perform any preventive action to stop an attack. An IPS, on the other hand, performs all of the same functions as an IDS, but also automatically blocks or drops activity on the network that matches a suspicious pattern, in real time. However, an IPS has some disadvantages. It must be placed inline at a network boundary, and is therefore directly susceptible to attack itself. False alarms must be properly identified and filtered to avoid inadvertently blocking authorized users and applications. And an attacker may use the IPS to effect a denial of service, or DoS, attack by flooding it with traffic that triggers blocks until no connections or bandwidth are available.

IDS and IPS can also be classified as knowledge-based, also known as signature-based, or behavior-based, also known as statistical anomaly-based systems. Knowledge-based systems use a database of known vulnerabilities and attack profiles to identify intrusion attempts.
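As an added example (written for this page, not code from the lecture), here is a small Python detector that runs the knowledge-based, signature matching just described and the behavior-based, baseline approach described next over constructed HTTP request log lines, and shows the IDS-versus-IPS distinction as "alert" versus "drop". The log format (source IP, method, path), the signatures, the hosts and the traffic volumes are all assumptions.

```python
"""Added example: signature-based and anomaly-based detection over constructed
request logs, plus the IDS (alert only) vs IPS (drop) difference."""
import re
import statistics
from collections import Counter
from typing import List, Tuple


def _reqs(src: str, n: int) -> List[str]:
    """Constructed helper: n ordinary requests from one source."""
    return [f"{src} GET /index.html" for _ in range(n)]


# Constructed "normal" training window used to build the behavioral baseline.
BASELINE_LOG = (_reqs("10.0.0.11", 5) + _reqs("10.0.0.12", 4)
                + _reqs("10.0.0.13", 6) + _reqs("10.0.0.14", 5))

# Constructed live window: normal hosts, one unusually busy normal host, a
# scanner probing common paths (no known-bad pattern in any single request),
# and one host sending a single directory-traversal attempt.
SCAN_PATHS = ("admin", "backup", "old", "test", "phpmyadmin", "wp-login.php",
              "config", "db", "logs", "tmp", "dev", "staging")
LIVE_LOG = (_reqs("10.0.0.11", 5) + _reqs("10.0.0.12", 8)
            + [f"198.51.100.7 GET /{p}" for p in SCAN_PATHS]
            + ["203.0.113.9 GET /files?name=../../etc/passwd"])

# Knowledge base: named patterns for known-bad content. Assumed for illustration.
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./"),
    "sqli-union": re.compile(r"union\s+select", re.IGNORECASE),
    "cmd-injection": re.compile(r"[;|`]\s*(?:cat|wget|curl)\b"),
}


def parse(line: str) -> Tuple[str, str, str]:
    src, method, path = line.split(" ", 2)
    return src, method, path


def signature_alerts(lines: List[str]) -> List[Tuple[str, str]]:
    """Knowledge-based: match each payload against every known signature."""
    alerts = []
    for line in lines:
        src, _, path = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((src, name))
    return alerts


def request_counts(lines: List[str]) -> Counter:
    return Counter(parse(line)[0] for line in lines)


def anomaly_alerts(baseline: List[str], live: List[str], k: float = 3.0) -> List[Tuple[str, str]]:
    """Behavior-based: learn mean and spread of per-source request volume from
    the baseline, then flag any live source more than k standard deviations above."""
    counts = list(request_counts(baseline).values())
    threshold = statistics.mean(counts) + k * statistics.pstdev(counts)
    return [(src, "rate-anomaly")
            for src, n in request_counts(live).items() if n > threshold]


def ips_actions(lines: List[str]) -> List[str]:
    """IPS mode: same signature logic, but each line gets an inline decision."""
    return ["drop" if any(p.search(parse(line)[2]) for p in SIGNATURES.values())
            else "pass" for line in lines]


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(LIVE_LOG))
    print("anomaly alerts:  ", anomaly_alerts(BASELINE_LOG, LIVE_LOG))
    print("ips drops:       ", ips_actions(LIVE_LOG).count("drop"))
```

Each approach catches what the other misses: the traversal request is found by signature but its source sends too little traffic to be anomalous, while the scanner trips no signature and is caught only by volume. The busy-but-legitimate host 10.0.0.12 is also flagged by the volume check, which is the higher false-positive rate of behavior-based systems that the lecture describes; in IPS mode that false positive would turn into blocked users unless filtered.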
These types of systems have lower false alarm rates than behavior-based systems, but must be continuously updated with new attack signatures to be effective. A behavior-based system, by contrast, uses a baseline of normal network activity to identify unusual patterns or levels of network activity that may indicate an intrusion attempt. These systems are more adaptive than knowledge-based systems, and may therefore be more effective at detecting previously unknown vulnerabilities and attacks, but they have a much higher false positive rate than knowledge-based systems.

Web content filters are used to restrict the Internet activity of users on a network. A web content filter matches a web address, also called the Uniform Resource Locator or URL, against a database of websites, which is typically maintained by the security vendor that sells the filter. Web content filters classify websites into broad categories that are either allowed or blocked for various groups of users on the network. For example, the marketing and human resources departments may have access to social media sites such as Facebook and LinkedIn for legitimate online marketing and recruiting activities, while other users are blocked. Typical website categories include gambling and online gaming, hacking, hate crimes and violence, pornography, social media, and web-based e-mail. In addition to lowering individual productivity, these sites may be prime targets for malware that users unwittingly pick up via drive-by downloads. Certain sites may also create liabilities in the form of sexual harassment or racial discrimination suits for organizations that fail to protect employees from being exposed to pornographic or hate-based websites. Organizations may elect to implement these solutions in a variety of modes, to either block content, warn users before they access restricted sites, or simply log all activity.
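Here is an added example in Python (written for this page, not code from the lecture or any vendor product) of the URL category lookup and per-group policy just described, including the block, warn and log modes and the administrator override for a misclassified site that the next paragraph mentions. The category database, group policy, domains and allowlist are all constructed stand-ins for what a vendor would supply.

```python
"""Added example: web content filtering by URL category, user group and mode.
The category database, policy and allowlist are constructed for illustration."""
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for a vendor's category database, keyed by domain.
CATEGORY_DB: Dict[str, str] = {
    "facebook.com": "social-media",
    "linkedin.com": "social-media",
    "webmail.example.net": "web-based-email",
    "bet.example.org": "gambling",
    "careers.example.org": "gambling",   # deliberately misclassified, to show the override
}

# Categories blocked for each user group; "default" applies to everyone else.
GROUP_POLICY: Dict[str, Set[str]] = {
    "marketing": {"gambling", "web-based-email"},
    "hr": {"gambling", "web-based-email"},
    "default": {"gambling", "web-based-email", "social-media"},
}

# Administrator overrides for sites the database classified wrongly.
ALLOWLIST: Set[str] = {"careers.example.org"}

AUDIT_LOG: List[str] = []   # every decision is recorded, whatever the mode


def host_of(url: str) -> str:
    """Normalize a URL (with or without scheme, any case, optional port) to its host."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def categorize(host: str) -> str:
    """Longest-suffix match so that www.facebook.com inherits facebook.com's category.
    The bare top-level label is never tried, so 'com' on its own cannot match."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_DB:
            return CATEGORY_DB[candidate]
    return "uncategorized"


def decide(url: str, group: str, mode: str = "block") -> Tuple[str, str]:
    """Return (action, category) for a request from a user in `group`.
    mode is "block", "warn" or "log"; log mode allows but still records."""
    host = host_of(url)
    category = categorize(host)
    if host in ALLOWLIST:
        action = "allow"
    elif category not in GROUP_POLICY.get(group, GROUP_POLICY["default"]):
        action = "allow"
    else:
        action = {"block": "block", "warn": "warn", "log": "allow"}[mode]
    AUDIT_LOG.append(f"{group} {host} {category} {action}")
    return action, category


if __name__ == "__main__":
    for url, group in [("https://www.facebook.com/page", "marketing"),
                       ("https://www.facebook.com/page", "engineering"),
                       ("HTTP://Bet.Example.ORG:8080/x", "hr"),
                       ("https://careers.example.org/jobs", "hr")]:
        print(group, url, "->", decide(url, group))
```

Two details matter in practice. Host normalization has to happen before the lookup, or trivial variations in case, trailing dots or explicit ports bypass the category match. And the allowlist is checked before the policy, so a site the vendor misclassified can be released by an administrator without waiting for a database update, which is exactly the manual step the lecture describes as the cost of running in block mode.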
The disadvantage of blocking content is that false positives require users to contact a security administrator to allow access to websites that have been improperly classified, or that must be reached for a legitimate business purpose. And this concludes part one of the network security devices module. In part two, I'll outline the function and purpose of VPN, DLP, UTM, and SIEM devices. I'm Mark Bowling, and thank you for watching.