3. FIREWALL
A choke point of control and monitoring
Interconnects networks with differing trust
Imposes restrictions on network services
only authorized traffic is allowed
Auditing and controlling access
can implement alarms for abnormal behaviour
Must itself be immune to penetration (a hardened, minimal, trusted system)
Provides perimeter defence
8. Load balancer
SLB (server load balancing)
Gets the user to the needed resource:
Server must be available
User's "session" must not be broken
If the user must get to the same resource over and over, the SLB device must ensure that happens (i.e.,
session persistence)
In order to do its work, the SLB must:
Know the servers: IP/port, availability (health checks)
Understand the details of some protocols (e.g., FTP, SIP, etc.)
Network Address Translation (NAT):
Packets are re-written as they pass through the SLB device.
9. Most predominant algorithms:
least connections: the server with the fewest active flows gets the new flow request.
weighted least connections: associate a weight (relative capacity) with each server and
distribute load across the server farm according to the weights of all servers in the farm.
round robin: cycle through the servers in the server farm.
weighted round robin: give each server 'weight' flows in a row; the weight
is set just as it is in weighted least connections.
There are other algorithms that look at, or try to predict, server load in determining
the load of the real server.
The SLB device can make its load-balancing decisions based on several factors.
Some of these factors can be obtained from the packet headers (i.e., IP address,
port numbers, etc.).
Other factors are obtained by looking at the data beyond the network headers.
Examples:
HTTP Cookies
HTTP URLs
SSL Client certificate
The decisions can be based strictly on flow counts or they can be based on
knowledge of the application.
For some protocols, like FTP, you have to have knowledge of the protocol to correctly
load-balance (i.e., the control and data connections must go to the same physical server).
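The algorithms of slide 9 and the session-persistence requirement of slide 8, as an added toy implementation (example code, not from the slides or any SLB product): a small server farm, weighted round robin, least connections, weighted least connections, and a cookie-to-server persistence table that survives taking a server out of rotation. Server names, weights and the cookie value are made up for the example; a real SLB would also run health checks and rewrite addresses (NAT), which this simulation omits.

```python
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List, Optional


@dataclass
class RealServer:
    name: str              # real server identity, e.g. "web1" (constructed)
    weight: int = 1        # relative capacity used by the weighted algorithms
    available: bool = True # result of the SLB's health check
    active_flows: int = 0  # flows currently pinned to this server


class ServerLoadBalancer:
    def __init__(self, servers: List[RealServer]):
        if not servers:
            raise ValueError("server farm is empty")
        self.servers = servers
        # Weighted round robin: expand each server into `weight` slots so it
        # receives `weight` flows in a row before the pointer moves on.
        self._wrr = cycle([s for s in servers for _ in range(s.weight)])
        # Session persistence table: session cookie value -> server name.
        self.sessions: Dict[str, str] = {}

    def _healthy(self) -> List[RealServer]:
        healthy = [s for s in self.servers if s.available]
        if not healthy:
            raise RuntimeError("no available servers")
        return healthy

    def least_connections(self) -> RealServer:
        # Server with the fewest active flows gets the new flow.
        return min(self._healthy(), key=lambda s: s.active_flows)

    def weighted_least_connections(self) -> RealServer:
        # Normalise flows by weight so a weight-3 server may carry 3x the flows
        # of a weight-1 server before it counts as more loaded.
        return min(self._healthy(), key=lambda s: s.active_flows / s.weight)

    def weighted_round_robin(self) -> RealServer:
        self._healthy()  # raises if nothing is available, so the loop below ends
        while True:
            s = next(self._wrr)
            if s.available:
                return s

    def pick(self, session_cookie: Optional[str] = None,
             algorithm: str = "least_connections") -> RealServer:
        """Choose a real server for a new flow and record the flow on it."""
        # Persistence first: a returning session must land on the same server
        # as long as that server is still available.
        if session_cookie and session_cookie in self.sessions:
            pinned = self.sessions[session_cookie]
            for s in self._healthy():
                if s.name == pinned:
                    s.active_flows += 1
                    return s
        chosen = getattr(self, algorithm)()
        chosen.active_flows += 1
        if session_cookie:
            self.sessions[session_cookie] = chosen.name
        return chosen

    def release(self, server: RealServer) -> None:
        # Flow finished (TCP close / idle timeout): free the slot.
        server.active_flows = max(0, server.active_flows - 1)


if __name__ == "__main__":
    farm = [RealServer("web1", weight=3), RealServer("web2", weight=1)]
    slb = ServerLoadBalancer(farm)
    print([slb.weighted_round_robin().name for _ in range(8)])
    first = slb.pick("sess-42")
    farm[0].available = False   # take web1 out of rotation for maintenance
    print(first.name, slb.pick("sess-42").name)
```

The persistence check runs before any algorithm, which is the point of the slide: a returning session is not rebalanced. When its pinned server is unavailable the session is re-homed and the table updated, so the user's next request stays consistent with the new server.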
10. Web server gateway & WAF
Web application firewalls are designed to work at OSI layer 7 (the application layer). They are fully aware of application layer protocols such as HTTP(S) and SOAP and can analyze those requests in great detail. Compared to a layer 3/4 firewall, rules can be defined to allow/disallow certain HTTP methods such as POST, PUT or OPTIONS, and to set limits on file transfer size or URL parameter argument length. WAF log files contain as much information as those from a web server plus the policy decisions of the filter rules (e.g., HTTP request blocked; file transfer size limit reached). A WAF therefore provides a wealth of information for filtering and detection purposes and is a good place to detect attacks.
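The three rule types named above (method allow-list, URL parameter length limit, file transfer size limit) and the enriched log line, as an added example (not code from the slides or from any WAF product). The request parser is minimal on purpose; the policy values and the sample requests are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Assumed policy values for this example, not any product's defaults.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
MAX_PARAM_LEN = 256         # URL parameter argument length limit
MAX_BODY_BYTES = 1_000_000  # file transfer size limit


@dataclass
class Request:
    method: str
    target: str
    headers: Dict[str, str]
    body: bytes


def parse_request(raw: bytes) -> Request:
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, headers, body)


def inspect(req: Request) -> Tuple[str, str]:
    """Apply the layer-7 rules; return ('allow' | 'block', reason)."""
    if req.method not in ALLOWED_METHODS:
        return "block", f"HTTP method {req.method} not permitted"
    query = urlsplit(req.target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if len(value) > MAX_PARAM_LEN:
            return "block", f"parameter '{name}' length {len(value)} exceeds {MAX_PARAM_LEN}"
    # Trust neither the declared nor the received size alone: take the larger.
    try:
        declared = int(req.headers.get("content-length", "0"))
    except ValueError:
        return "block", "malformed Content-Length header"
    if max(declared, len(req.body)) > MAX_BODY_BYTES:
        return "block", "file transfer size limit reached"
    return "allow", "policy passed"


def log_line(client: str, req: Request, decision: str, reason: str) -> str:
    # Same fields a web server would log, plus the filter's policy decision.
    return f'{client} "{req.method} {req.target}" {decision} "{reason}"'


# Constructed sample traffic: one clean request and three policy violations.
SAMPLES: List[Tuple[str, bytes]] = [
    ("203.0.113.10", b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    ("203.0.113.11", b"OPTIONS / HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    ("203.0.113.12", b"GET /search?q=" + b"A" * 300 + b" HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    ("203.0.113.13", b"POST /upload HTTP/1.1\r\nHost: shop.example\r\n"
                     b"Content-Length: 5000000\r\n\r\n" + b"x" * 64),
]


def run(samples: List[Tuple[str, bytes]]) -> List[str]:
    """Inspect every sample and return the WAF log lines."""
    out = []
    for client, raw in samples:
        req = parse_request(raw)
        decision, reason = inspect(req)
        out.append(log_line(client, req, decision, reason))
    return out


if __name__ == "__main__":
    print("\n".join(run(SAMPLES)))
```

The size rule checks the declared Content-Length as well as the bytes actually received, so a client cannot announce a small body and then stream a large one, and a non-numeric header is itself treated as a violation rather than silently defaulting to zero.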
11. If the HTTP traffic is SSL encrypted (HTTPS), the NIDS
might not be able to decrypt the traffic;
high traffic load can make it difficult to analyze network traffic in real time;
NIDS are designed to work at the TCP/IP level (OSI layer 3/4), and thus may not be
as effective on the HTTP layer;
attackers might use IDS evasion techniques (HTTP encoding, fragmentation, etc.)
which the IDS is not aware of.
Snort, a widely used open source IDS, has over 800 rules
for detecting malicious web traffic (over 400 for PHP alone). With the help of
preprocessors like frag3 (IP defragmentation), stream4 (stateful inspection/stream
reassembly) and http_inspect (normalize and detect HTTP traffic and protocol
anomalies), Snort tries to reassemble packets and defeat IDS evasion techniques. These hurdles
have to be overcome before anything can be detected.
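Why the normalization step matters, as an added example (not Snort's code and not from the slides): a single signature applied to the raw URI misses percent-encoded, double-encoded and mixed-case variants of the same attack, while the same signature applied after an http_inspect-style normalization catches them all. The signature, the normalization steps and the sample URIs are constructed for the example and are far simpler than a real preprocessor.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed sample signature: directory traversal, /etc/passwd, script injection.
SIGNATURE = re.compile(r"\.\./|/etc/passwd|<script")


def normalize_uri(uri: str, max_decode_passes: int = 3) -> str:
    """Canonicalise a request URI the way an HTTP preprocessor does before matching."""
    # 1. Repeated percent-decoding defeats double/triple encoding
    #    (%252e -> %2e -> .), bounded so hostile input cannot loop forever.
    decoded, previous, passes = uri, None, 0
    while decoded != previous and passes < max_decode_passes:
        previous, decoded, passes = decoded, unquote(decoded), passes + 1
    # 2. Treat backslashes as slashes (IIS-style) and collapse repeated slashes.
    decoded = decoded.replace("\\", "/")
    decoded = re.sub(r"/{2,}", "/", decoded)
    # 3. Drop self-referencing "/./" segments; keep "../" so traversal still shows.
    while "/./" in decoded:
        decoded = decoded.replace("/./", "/")
    # 4. Case-fold so <ScRiPt> and <script> are the same token.
    return decoded.lower()


def naive_match(uri: str) -> bool:
    """Signature applied to the wire bytes as-is (what a dumb matcher does)."""
    return SIGNATURE.search(uri) is not None


def normalized_match(uri: str) -> bool:
    """Signature applied after normalisation."""
    return SIGNATURE.search(normalize_uri(uri)) is not None


# Constructed sample request URIs: plain, encoded, double-encoded, mixed-case, benign.
SAMPLES: List[str] = [
    "/cgi-bin/view?file=../../etc/passwd",
    "/cgi-bin/view?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    "/cgi-bin/view?file=%252e%252e%252fetc%252fpasswd",
    "/search?q=%3CScRiPt%3Ealert(1)%3C/script%3E",
    "/images/logo.png",
]


def evaluate(uris: List[str]) -> List[Tuple[str, bool, bool]]:
    """Return (uri, naive_hit, normalized_hit) for every sample."""
    return [(u, naive_match(u), normalized_match(u)) for u in uris]


if __name__ == "__main__":
    for uri, raw_hit, norm_hit in evaluate(SAMPLES):
        print(f"raw={raw_hit!s:5} normalized={norm_hit!s:5} {uri}")
```

Only the first sample hits the raw signature; the encoded variants slip past until decoding and case-folding turn them back into the canonical form the rule was written for. The bounded decode loop is the caveat: unbounded repeated decoding is itself a resource-exhaustion vector.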
12. WEB SECURITY GATEWAY
Sees application layer traffic: the HTTP request and response.
Content and tags inside the application, such as cross-site
scripting payloads, are identified and stopped by the web security gateway.
14. Proxy server
According to corporate policy, internal web traffic is redirected through a proxy.
Mode of operation
Transparent: both parties (local/remote) are unaware that the connection is being
proxied
Zorp, an application layer proxy, is transparent
Opaque: the local party must configure client software to use the proxy
client software must be proxy-aware
Netscape proxy server is opaque
With all of the things modern firewalls can do in the area of redirection you could
configure the firewall to redirect all HTTP requests to a proxy:
no user configuration required (transparent)
15. Proxy server works at OSI layers 4-7
Functions:
Monitors at the application layer
URL filtering
Content filtering
Limits access to websites
Proxy rules denying URLs and websites based on categorization
A reverse proxy is a "backwards" proxy-cache server: rather
than allowing internal users to access the Internet, it lets Internet users indirectly
access certain internal servers.
The reverse proxy is used as an intermediary by Internet users who want to
access an internal website, by sending it their requests indirectly. With a reverse proxy,
the web server is protected from direct outside attacks, which strengthens the internal
network. What's more, a reverse proxy's cache function can lower the
workload of the server it fronts, and for this reason it is sometimes called a
server accelerator.
Finally, with suitable algorithms, the reverse proxy can distribute the workload by
redirecting requests to other, similar servers; this process is called load balancing.
18. NIDS & NIPS
IDS sees attack patterns and raises alarms; acts as a warning system
Uses 1 connection (out of band: a tap or SPAN port copies traffic to the sensor)
IPS has the ability to block and stop traffic
Uses 2 connections (inline: traffic enters on one interface and leaves on the other)
NIDS & NIPS see traffic for whole subnets
19. Types of IDS & IPS
Behavior based
Signature based
Anomaly based
Heuristic
23. DLP
Data loss prevention
Internal traffic contains confidential
information which must not be allowed to
be transmitted outside of the organization
DLP configured on instant messaging
USB ports disabled
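What "DLP configured on instant messaging" does in practice, as an added example (not from the slides or any DLP product): outbound messages to external domains are scanned for payment card numbers, candidates are validated with the Luhn checksum so an ordinary 16-digit order number does not trigger a block, classification markers are checked, and the alert carries a redacted match. The channel names, domains, markers and messages are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Classification markers the organisation stamps on internal documents (assumed).
CLASSIFICATION_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a well-formed payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str) -> List[str]:
    """Return redacted card numbers found in text, after Luhn validation."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            # Keep first 4 / last 4 so the analyst can triage without re-exposing the PAN.
            hits.append(digits[:4] + "*" * (len(digits) - 8) + digits[-4:])
    return hits


def inspect_outbound(channel: str, sender: str, recipient_domain: str, text: str,
                     internal_domain: str = "corp.example") -> Dict[str, object]:
    """DLP decision for one outbound message on a monitored channel (e.g. IM)."""
    findings: List[str] = []
    if recipient_domain.lower() != internal_domain:   # only external egress is policed
        findings += [f"card:{c}" for c in find_cards(text)]
        upper = text.upper()
        findings += [f"marker:{m}" for m in CLASSIFICATION_MARKERS if m in upper]
    return {
        "channel": channel,
        "sender": sender,
        "recipient_domain": recipient_domain,
        "decision": "block" if findings else "allow",
        "findings": findings,
    }


# Constructed IM traffic: (channel, sender, recipient domain, message text).
SAMPLE_MESSAGES: List[Tuple[str, str, str, str]] = [
    ("im", "bob@corp.example", "gmail.example",
     "card 4111 1111 1111 1111 exp 12/27, use it for the order"),
    ("im", "bob@corp.example", "gmail.example", "order id 1234567890123456 shipped"),
    ("im", "alice@corp.example", "corp.example", "CONFIDENTIAL draft attached"),
    ("im", "alice@corp.example", "partner.example", "see CONFIDENTIAL roadmap below"),
]


def run(messages: List[Tuple[str, str, str, str]]) -> List[Dict[str, object]]:
    """Inspect every message and return the DLP decisions."""
    return [inspect_outbound(*m) for m in messages]


if __name__ == "__main__":
    for r in run(SAMPLE_MESSAGES):
        print(r["decision"], r["sender"], "->", r["recipient_domain"], r["findings"])
```

The Luhn step is what keeps the rule usable: a bare "16 digits" pattern fires on order numbers, tracking codes and timestamps, and a DLP policy that blocks routine IM traffic is the one users learn to route around.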
24. SIEM
The process of gathering and maintaining network, system, and application log data is
commonly referred to using several different definitions. It is sometimes defined as
Security Information and Event Management (SIEM), Security Event Management (SEM),
Security Information Management (SIM), systems monitoring, and network monitoring.
25. Actionable Information
First and foremost, for SIEM to be truly useful, only actionable data must be sent onward to
system and application administrators or security staff. To make a SIEM alert actionable it must
address the "Five W's", a basic investigative technique of determining when the event
occurred, who was involved, what happened, where it took place, and why it happened.
The “Five W’s” can be mapped directly to common variables in a security investigation.
•When –Time/Date stamp of the event(s) happening
•Who – Identifier of the requestor; typically an IP address and/or a username
•What – Description of the event (such as a GET or POST to a web server)
•Where – System or application that generated the event and where the request
originated from
•Why –The purpose of the action and typically is what is being investigated
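The Five W's mapping applied to real log material, as an added example (not from the slides or any SIEM product): a web server's combined-format log is parsed, each line is turned into a when/who/what/where/why event, and only events that meet an actionability rule are forwarded. The log lines, the host name and the "sensitive path" policy are constructed for the example; the "why" is deliberately left as the open question the investigation has to answer.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Apache/nginx "combined" log format.
COMBINED = re.compile(
    r'(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed log lines from a web server called web01; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 401 512 "-" "python-requests/2.31"
198.51.100.23 - alice [10/Oct/2023:13:56:01 +0000] "GET /admin/users HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:05 +0000] "GET /logo.png HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# Assumed policy: paths whose failed access is worth a human's time.
SENSITIVE_PATHS = ("/admin", "/wp-login.php", "/.git")


def to_event(line: str, host: str) -> Optional[Dict[str, object]]:
    """Map one combined-format line onto the Five W's; None if unparseable."""
    m = COMBINED.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {
        "when": when.isoformat(),                                   # time/date stamp
        "who": {"ip": m["src"],                                     # requestor
                "user": None if m["user"] == "-" else m["user"]},
        "what": f'{m["method"]} {m["path"]} -> HTTP {m["status"]}', # the action
        "where": {"system": host, "origin": m["src"]},              # generator + origin
        # The purpose is what the analyst establishes; the parser leaves it open.
        "why": "unknown, under investigation",
        "status": int(m["status"]),
        "path": m["path"],
    }


def is_actionable(event: Dict[str, object]) -> bool:
    """Forward only what a responder can act on: auth failures on sensitive
    paths and server-side errors. Routine 200s and stray 404s stay archived."""
    status = int(event["status"])
    path = str(event["path"])
    return (status in (401, 403) and path.startswith(SENSITIVE_PATHS)) or status >= 500


def process(log_text: str, host: str) -> List[Dict[str, object]]:
    """Parse a log, keep the actionable events, return them as alerts."""
    alerts = []
    for line in log_text.splitlines():
        event = to_event(line, host)
        if event and is_actionable(event):
            alerts.append(event)
    return alerts


if __name__ == "__main__":
    for alert in process(SAMPLE_LOG, "web01"):
        print(alert["when"], alert["who"], alert["what"], alert["where"])
```

Two of the four lines survive the filter: the failed login against /wp-login.php and the forbidden request to /admin/users. The index page and the missing logo are kept for search but never paged to anyone, which is the "only actionable data" rule from the text applied mechanically.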
Scale applications / services
Ease of administration / maintenance
Easily and transparently remove physical servers from rotation in order to perform any type of maintenance on that server.
Resource sharing
Can run multiple instances of an application / service on a server; could be running on a different port for each instance; can load-balance to different port based on data analyzed.