Solved

Network Security

Posted on 2006-06-13
Last Modified: 2013-11-16
Hello Experts,

I am kinda confused with some terms. Please clarify the following:

stateless packet filtering VS stateful packet filtering

and

NAT VS PAT

Thanks for all your help
Question by:elyrodriguez
7 Comments
 
LVL 32

Assisted Solution

by:r-k
r-k earned 20 total points
ID: 16899913
 

Author Comment

by:elyrodriguez
ID: 16900277
Ok, thanks for the info. However, I got a few more questions. Can packet filtering be considered as an IDS system? If not, can it be configured into one? What is the difference in the way they filter? Which one is more reliable?
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 50 total points
ID: 16901342
IDS is intrusion detection, and if your firewall logs are being looked through and you get alerted to certain traffic, whether it's blocked or allowed, then it's an IDS. If you don't have the logs checked with a program or manually, then it's not much of any acronym. An IPS, intrusion PREVENTION system, is one that blocks. Detection alerts you to trouble, or the lack thereof, but doesn't act. IDSs like Snort have plug-ins or add-ons like SnortSAM that will see the alert and then issue commands to your firewall to block that traffic for a specified time, seconds to forever depending on your settings.

IDS/IPS systems are both just as vulnerable to false positives and false negatives; it depends on the rule that is written. Snort rules are community rules: everyone across the globe contributes and writes rules for Snort, some write better rules than others, and some rules that are well written develop false positives later down the road.
http://www.snort.org/  http://www.snort.org/docs/ (there are lots of links to docs that apply to other IDSs as well, like the IDS evasion docs)
http://www.snortsam.net/

Snort can also operate in "in-line" mode that allows it to use iptables to block traffic; SnortSAM is however better suited in my opinion. http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/node7.html
http://en.wikipedia.org/wiki/Stateful_Packet_Inspection
-rich
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 20 total points
ID: 16902149
> Can packet filtering be considered as an IDS system?
no

> If not, can it be configured into one?
yes, no, depends
configuring iptables with logging, and then reading the logs, might be considered an IDS
:)
> What is the difference in the way they filter?
IDS do *not* filter

> Which one is more reliable?
both, none, depends
I'd vote for a firewall ...
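Both Rich's point (firewall logs only become an IDS once something reads them and raises alerts, and a tool like SnortSAM can then tell the firewall to block the source for a set time) and ahoffmann's (iptables with logging, plus reading the logs) can be shown end to end in a few dozen lines. The script below is an added example, not code from the original thread or from Snort/SnortSAM: it parses constructed iptables LOG lines, flags a source that probes many distinct ports inside a short window (a crude port-scan signature), and then applies a time-limited block the way an IDS-driven firewall would. The log lines, the 5-ports-in-30-seconds threshold and the 10-minute block are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, shaped like what the iptables LOG target writes to
# syslog (e.g. after: iptables -A INPUT -j LOG --log-prefix "FW-DROP: ").
# Not captured from any real host.
SAMPLE_LOG = """\
Jun 13 10:00:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=21 SYN
Jun 13 10:00:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40002 DPT=22 SYN
Jun 13 10:00:02 fw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=80 SYN
Jun 13 10:00:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40003 DPT=23 SYN
Jun 13 10:00:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40004 DPT=25 SYN
Jun 13 10:00:03 fw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51001 DPT=80 SYN
Jun 13 10:00:04 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40005 DPT=110 SYN
Jun 13 10:00:05 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40006 DPT=143 SYN
Jun 13 10:05:00 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51002 DPT=443 SYN
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
LOG_YEAR = 2006  # syslog timestamps carry no year; assume the thread's year


def parse_log_line(line):
    """Parse one iptables LOG line into a dict, or return None if it isn't one."""
    m = TS_RE.match(line)
    if not m or "kernel:" not in line:
        return None
    fields = dict(KV_RE.findall(line))  # IN=, OUT=, SRC=, DST=, PROTO=, DPT=, ...
    if "SRC" not in fields or "DST" not in fields:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    dpt = fields.get("DPT", "")
    return {
        "ts": ts,
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields.get("PROTO"),
        "dpt": int(dpt) if dpt.isdigit() else None,
    }


def detect_port_scans(events, window=timedelta(seconds=30), threshold=5):
    """Alert when one source touches >= threshold distinct ports within `window`.

    Returns a list of (src, first_timestamp, sorted_ports), one alert per source.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["dpt"] is not None:
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:  # slide the window forward
                start += 1
            ports = {x["dpt"] for x in evs[start:end + 1]}
            if len(ports) >= threshold:
                alerts.append((src, evs[start]["ts"], sorted(ports)))
                break
    return alerts


class Blocklist:
    """Time-limited blocks, as an IDS driving a firewall (SnortSAM-style) applies them."""

    def __init__(self):
        self._until = {}

    def block(self, src, now, duration):
        self._until[src] = now + duration

    def is_blocked(self, src, now):
        until = self._until.get(src)
        return until is not None and now < until


def run(log_text, block_for=timedelta(minutes=10)):
    """Read the log, raise alerts, and turn each alert into a temporary block."""
    events = [e for e in map(parse_log_line, log_text.splitlines()) if e]
    alerts = detect_port_scans(events)
    blocklist = Blocklist()
    for src, first_ts, _ports in alerts:
        blocklist.block(src, first_ts, block_for)
    return alerts, blocklist


if __name__ == "__main__":
    found, _bl = run(SAMPLE_LOG)
    for src, ts, ports in found:
        print(f"ALERT {ts:%b %d %H:%M:%S} port scan from {src}: ports {ports}")
```

On the sample, 203.0.113.5 is flagged after its fifth distinct port and blocked until 10:10:01, while 198.51.100.7, which only ever talks to 80 and 443, is left alone. The detection here is the "program checking the logs" Rich describes; without that step the LOG rule is just noise on disk.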
 
LVL 5

Accepted Solution

by:kevinf40
kevinf40 earned 55 total points
ID: 16902221
Hi elyrodriguez

Packet filtering firewalls can not really be considered IDS/IPS systems (although rich's comment regarding log monitoring is perfectly valid).

A packet filtering firewall applies rules to connections - e.g. anyone can connect to server X on port 80.  But they do not have any intelligence (in general, although many firewalls do now allow for some application intelligence) about what is sent to that port.  So although you may only be able to connect to the web server on port 80, you can send any data you like to that port - hence it is still vulnerable to attack.

An IPS / IDS device will use a combination of filters and / or heuristics to apply intelligence to what traffic is actually allowed. So continuing the above example, if you put an IPS device behind the firewall this would then monitor the port 80 traffic to the web server and either alert or block anything suspicious (e.g. worms) - thus offering further protection for your webserver.

Personally (I can't comment specifically on snort) I prefer in-line IPS devices as they can actually block traffic rather than relying on either changing firewall rules or sending resets.

As both IDS / IPS devices suffer from false positives, it is usual to configure them to monitor / alert only initially (especially IPS) in order to get a sensible baseline before allowing them to perform further actions.

Some vendors are now offering devices that offer both firewall and IDS functionality in one box.  The next stage of IDS / IPS is building it into core switches, thus allowing entire internal networks to be protected by one device - although these are currently in their infancy, and rather expensive.

IDS / IPS devices also offer value used on internal networks - as well as helping prevent the spread of malware, they can also spot many configuration errors such as blank sa passwords, or use of banned protocols (e.g. we don't allow ftp or telnet on our network).

cheers

Kevin
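Kevin's port 80 example, as an added illustration that is not part of the original answer: the firewall decides on protocol and port alone, so a worm probe and a normal page fetch look identical to it; an IPS behind the firewall looks at the payload and decides again. The script below models both layers over constructed HTTP requests, and runs the inspection layer either in "alert" mode (monitor-only, the baseline mode Kevin recommends starting with) or in "block" mode (in-line IPS). The rule table, the three payload signatures and the sample packets are all made up for the example; the signatures are not Snort rules or any vendor's.

```python
# Layer 1: the packet filter. All a firewall rule knows is protocol and port
# (addresses omitted here for brevity). Constructed rule table.
FIREWALL_RULES = [
    {"proto": "tcp", "dport": 80, "action": "accept"},
    {"proto": "tcp", "dport": 443, "action": "accept"},
]
DEFAULT_POLICY = "drop"


def firewall_verdict(proto, dport, rules=FIREWALL_RULES):
    """Packet filter: first matching rule wins, otherwise the default policy."""
    for rule in rules:
        if rule["proto"] == proto and rule["dport"] == dport:
            return rule["action"]
    return DEFAULT_POLICY


def request_line(payload):
    """First line of an HTTP request (method, path, version)."""
    return payload.split(b"\r\n", 1)[0]


# Layer 2: payload signatures, the part the firewall rule never sees.
# Constructed for the example; these are illustrative checks, not Snort rules.
SIGNATURES = [
    ("directory traversal", lambda p: b"../" in p or b"..\\" in p),
    ("cmd.exe in request", lambda p: b"cmd.exe" in p.lower()),
    ("oversized request line", lambda p: len(request_line(p)) > 1024),
]


def inspect_payload(payload):
    """Return the names of all signatures that match the payload."""
    return [name for name, matches in SIGNATURES if matches(payload)]


def process(packet, ips_mode="alert"):
    """Return (final_action, signature_hits) for one packet.

    ips_mode="alert": monitor-only; matching traffic is still accepted but reported.
    ips_mode="block": in-line IPS; anything matching a signature is dropped.
    """
    action = firewall_verdict(packet["proto"], packet["dport"])
    if action != "accept":
        return action, []  # dropped at the firewall; the IPS behind it never sees it
    hits = inspect_payload(packet["payload"])
    if hits and ips_mode == "block":
        return "drop", hits
    return action, hits


# Constructed traffic: one benign fetch, two attacks the firewall would pass,
# one attempt the firewall stops, and one benign request that trips a signature.
SAMPLE_PACKETS = [
    {"desc": "normal page fetch", "proto": "tcp", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"},
    {"desc": "worm-style probe for cmd.exe", "proto": "tcp", "dport": 80,
     "payload": b"GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"},
    {"desc": "overlong request line", "proto": "tcp", "dport": 80,
     "payload": b"GET /" + b"A" * 3000 + b" HTTP/1.0\r\n\r\n"},
    {"desc": "telnet attempt", "proto": "tcp", "dport": 23,
     "payload": b"\xff\xfd\x18"},
    {"desc": "benign path that looks like traversal (false-positive candidate)",
     "proto": "tcp", "dport": 80,
     "payload": b"GET /news/../index.html HTTP/1.0\r\n\r\n"},
]


def run_samples(ips_mode="alert"):
    """Push every sample packet through both layers; returns (desc, action, hits) rows."""
    return [(p["desc"],) + process(p, ips_mode) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for mode in ("alert", "block"):
        print(f"--- IPS mode: {mode}")
        for desc, action, hits in run_samples(mode):
            print(f"{action:6} {desc}" + (f"  [{', '.join(hits)}]" if hits else ""))
```

Run it and the two attack requests are accepted by the firewall in both modes, because port 80 is open; only the inspection layer tells them apart from the normal fetch, and only in block mode does it stop them. The last sample shows why Kevin suggests starting in alert mode: a harmless "/news/../index.html" trips the traversal signature, and in block mode it would be dropped along with the real attacks.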
 
LVL 37

Assisted Solution

by:bbao
bbao earned 55 total points
ID: 16902504
umm... it seems that several related concepts are confusing you. ok, let me explain them:

a packet filtering system is to be used at the frontline to defend your territory. it actually executes your defence plan. it recognizes the incoming people (the incoming packets) to determine your partners (legitimate requests) or your enemies (malicious requests), according to the rules defined in your defence plan. then it takes action: for friends, let them in. for enemies, deport them (refuse the requests) or kill them (drop the packets). the actions depend on your defence plan (such as, to explicitly fight some or to implicitly confuse some).

a logging system is used to completely or partly record what has actually happened or is happening at the frontline, in detail or in summary, depending on the battle types and your enemies. e.g. who has been allowed in as friends (might be enemies actually if your defence plan has a defect or is wrong), who has been killed or refused, who was out. anything possibly useful for analysis should be recorded.

an IDS is used to monitor the latest changes in the logs and determine any abnormal behaviors, based on some patterns or experience. 1) it needs more computing resources and consumes more time 2) its outcomes are not actions (allow in or not); most are suggestions. some IDSs may give commands to the packet filtering system at the frontline, to apply/change/stop a rule/policy, only if the conclusion of the IDS is very sure.

humans should be involved in the defence system and have the final decisions. IDS is just a tool to aid the involved people. the commander is a man, the IDS is the commander's intelligence department. the commander reviews everything, and modifies the defence plan if necessary. then the frontline executes it.

briefly, the concepts are different things though related. they need to be connected to work together, in a closed loop: plan, do, check, action (PDCA).

hope it helps,
bbao
 

Author Comment

by:elyrodriguez
ID: 16903877
thanks for the detailed explanations.