Page 226 - DCAP403_Operating System
Unit 11: System Security
Once again, the result is a self-inflicted Denial of Service condition, as the IPS device first drops
the “offending” packet, and then potentially blocks the entire data flow from the suspected
hacker.
If the traffic that triggered the false positive alert was part of a customer order, you can bet that
the customer will not wait around for long as his entire session is torn down and all subsequent
attempts to reconnect to your e-commerce site (if he decides to bother retrying at all, that is) are
blocked by the well-meaning IPS.
Another potential problem with any Gigabit IPS/IDS product is, by its very nature and
capabilities, the amount of alert data it is likely to generate. On such a busy network, how many
alerts will be generated in one working day? Or even one hour? Even with relatively low alert
rates of ten per second, you are talking about 36,000 alerts every hour. That is 864,000 alerts each
and every day.
The ability to tune the signature set accurately is essential in order to keep the number of alerts
to an absolute minimum. Once the alerts have been raised, however, it then becomes essential to
be able to process them effectively. Advanced alert handling and forensic analysis capabilities
including detailed exploit information and the ability to examine packet contents and data
streams can make or break a Gigabit IDS/IPS product.
Of course, one point in favour of IPS when compared with IDS is that because it is designed
to prevent the attacks rather than just detect and log them, the burden of examining and
investigating the alerts – and especially the problem of rectifying damage done by successful
exploits – is reduced considerably.
11.10 Firewall to Protect Systems and Networks
A firewall is a dedicated appliance, or software running on another computer, which inspects
network traffic passing through it, and denies or permits passage based on a set of rules.
Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls
are frequently used to prevent unauthorized Internet users from accessing private networks
connected to the Internet, especially intranets. All messages entering or leaving the intranet
pass through the firewall, which examines each message and blocks those that do not meet the
specified security criteria.
Basically, a firewall is a barrier to keep destructive forces away from your property. In fact, that’s
why it’s called a firewall. Its job is similar to a physical firewall that keeps a fire from spreading
from one area to the next.
A firewall is simply a program or hardware device that filters the information coming through
the Internet connection into your private network or computer system. If an incoming packet
of information is flagged by the filters, it is not allowed through. Let’s say that you work at a
company with 500 employees. The company will therefore have hundreds of computers that all
have network cards connecting them together.
In addition, the company will have one or more connections to the Internet through something
like T1 or T3 lines. Without a firewall in place, all of those hundreds of computers are directly
accessible to anyone on the Internet. A person who knows what he or she is doing can probe
those computers, try to make FTP connections to them, try to make telnet connections to them
and so on. If one employee makes a mistake and leaves a security hole, hackers can get to the
machine and exploit the hole.
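As an added illustration (not from the textbook), the following Python packet filter applies an ordered, default-deny rule set of the kind a firewall at the company's Internet connection would enforce: Internet users reach only the public web server on HTTP/HTTPS, telnet and FTP probes against internal hosts are dropped, and employees may still connect outward. The network 192.0.2.0/24, the web server 192.0.2.10 and the outside addresses are constructed documentation ranges, not real hosts.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example: 192.0.2.0/24 is the company's private network and
# 192.0.2.10 its public web server (documentation addresses, not real hosts).
INTERNAL = ip_network("192.0.2.0/24")
WEB_SERVER = ip_network("192.0.2.10/32")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int        # destination port


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    src: Optional[object]              # ip_network, or None for "any"
    dst: Optional[object]
    proto: Optional[str]               # None for "any"
    dports: Optional[frozenset]        # None for "any"

    def matches(self, pkt: Packet) -> bool:
        return ((self.src is None or ip_address(pkt.src) in self.src)
                and (self.dst is None or ip_address(pkt.dst) in self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dports is None or pkt.dport in self.dports))


# Ordered rule set: the first matching rule decides, unmatched traffic is denied.
RULES = [
    # Internet users may reach the public web server on HTTP/HTTPS only.
    Rule("permit", None, WEB_SERVER, "tcp", frozenset({80, 443})),
    # Nobody outside may open telnet (23) or FTP (21) sessions to internal hosts.
    Rule("deny", None, INTERNAL, "tcp", frozenset({21, 23})),
    # Internal hosts may initiate connections out to the Internet.
    Rule("permit", INTERNAL, None, None, None),
]


def filter_packet(pkt: Packet, rules=RULES) -> str:
    """Return 'permit' or 'deny' for pkt; anything no rule matches is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"
```

A telnet probe from 198.51.100.7 to 192.0.2.25:23 is denied by the second rule, while the same host's HTTPS request to 192.0.2.10 is permitted by the first; an inbound UDP packet to port 53 matches nothing and falls through to the default deny.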
With a firewall in place, the landscape is much different. A company will place a firewall at every
connection to the Internet (for example, at every T1 line coming into the company). The firewall
LOVELY PROFESSIONAL UNIVERSITY 219