Solved

Network Security

Posted on 2006-06-13
Medium Priority
1,360 Views
Last Modified: 2013-11-16
Hello Experts,

I am kinda confused with some terms. Please clarify the following:

stateless packet filtering VS stateful packet filtering

and

NAT VS PAT

Thanks for all your help
Question by:elyrodriguez
7 Comments
 
LVL 32

Assisted Solution

by:r-k
r-k earned 80 total points
ID: 16899913
 

Author Comment

by:elyrodriguez
ID: 16900277
Ok, thanks for the info. However, I got a few more questions. Can packet filtering be considered as an IDS system? If not, can it be configured into one? What is the difference in the way they filter? Which one is more reliable?
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 200 total points
ID: 16901342
IDS is intrusion detection, and if your firewall logs are being looked through and you get alerted to certain traffic, whether it's blocked or allowed, then it's an IDS. If you don't have the logs checked with a program or manually, then it's not much of any acronym. An IPS, intrusion PREVENTION system, is one that blocks. Detection alerts you to trouble, or the lack thereof, but doesn't act. IDSs like Snort have plug-ins or add-ons like SnortSAM that will see the alert, and then issue commands to your firewall to block that traffic for a specified time, seconds to forever depending on your settings.

IDS/IPS systems are both just as vulnerable to false positives and false negatives; it depends on the rule that is written. Snort rules are community rules: everyone across the globe contributes and writes rules for Snort, some write better rules than others, and some rules that are well written develop false positives later down the road.
http://www.snort.org/  http://www.snort.org/docs/ (there are lots of links to docs that apply to other IDSs as well, like the IDS evasion docs)
http://www.snortsam.net/

Snort can also operate in "in-line" mode that allows it to use iptables to block traffic; SnortSAM is however better suited in my opinion. http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/node7.html
http://en.wikipedia.org/wiki/Stateful_Packet_Inspection
-rich
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 80 total points
ID: 16902149
> Can packet filtering be considered as an IDS system?
no

> If not, can it be configured into one?
yes, no, depends
configuring iptables with logging, and then reading the logs might be considered an IDS
:)
> What is the difference in the way they filter?
IDS do *not* filter

> Which one is more reliable?
both, none, depends
I'd vote for a firewall ...
 
LVL 5

Accepted Solution

by:kevinf40
kevinf40 earned 220 total points
ID: 16902221
Hi elyrodriguez

Packet filtering firewalls cannot really be considered IDS/IPS systems (although rich's comment regarding log monitoring is perfectly valid).

A packet filtering firewall applies rules to connections - e.g. anyone can connect to server X on port 80.  But it does not have any intelligence (in general, although many firewalls do now allow for some application intelligence) about what is sent to that port.  So although you may only be able to connect to the web server on port 80, you can send any data you like to that port - hence it is still vulnerable to attack.

An IPS / IDS device will use a combination of filters and / or heuristics to apply intelligence to what traffic is actually allowed. So, continuing the above example, if you put an IPS device behind the firewall this would then monitor the port 80 traffic to the web server and either alert or block anything suspicious (e.g. worms etc.) - thus offering further protection for your webserver.

Personally (I can't comment specifically on snort) I prefer in-line IPS devices as they can actually block traffic rather than relying on either changing firewall rules or sending resets.

As both IDS / IPS devices suffer from false positives, it is usual to configure them to monitor / alert only initially (especially IPS) in order to get a sensible baseline before allowing them to perform further actions.

Some vendors are now offering devices that offer both firewall and IDS functionality in one box.  The next stage of IDS / IPS is building it into core switches, thus allowing entire internal networks to be protected by one device - although these are currently in their infancy, and rather expensive.

IDS / IPS devices also offer value used on internal networks - as well as helping prevent the spread of malware, they can also spot many configuration errors such as blank sa passwords, or use of banned protocols (e.g. we don't allow ftp or telnet on our network).

cheers

Kevin
 
LVL 37

Assisted Solution

by:bbao
bbao earned 220 total points
ID: 16902504
umm... it seems that several related concepts are confusing you. ok, let me explain them:

a packet filtering system is to be used at the frontline to defend your territory. it actually executes your defence plan. it recognizes the incoming people (the incoming packets) to determine your partners (legitimate requests) or your enemies (malicious requests), according to the rules defined in your defence plan. then it takes action: for friends, let them in; for enemies, deport them (refuse the requests) or kill them (drop the packets). the actions depend on your defence plan (such as, to explicitly fight some or to implicitly confuse some).

a logging system is used to completely or partly record what actually has happened or is happening at the frontline, in detail or in summary, depending on the battle types and your enemies. e.g. who has been allowed in as friends (might be enemies actually if your defence plan has a defect or is wrong), who has been killed or refused, who was out. anything possibly useful for analysis should be recorded.

an IDS is used to monitor the latest changes in the logs and determine any abnormal behaviours, based on some patterns or experience. 1) it needs more computing resources and consumes more time 2) its outcomes are not actions (allow in or not); most are suggestions. some IDSs may give commands to the packet filtering system at the frontline, to apply/change/stop a rule/policy, only if the conclusion of the IDS is very sure.

humans should be involved in the defence system and have the final decisions. an IDS is just a tool to aid the involved people. the commander is a man, the IDS is the commander's intelligence department. the commander reviews everything, and modifies the defence plan if necessary. then the frontline executes it.

briefly, the concepts are different things though related. they need to be connected to work together, in a closed loop: plan, do, check, action (PDCA).

hope it helps,
bbao
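The "firewall logs checked by a program" idea from rich's and ahoffmann's comments, combined with kevinf40's alert-only baseline and bbao's point that an IDS's outcome is a suggestion rather than an action, as an added Python example that is not from any poster in this thread: a small reader for iptables LOG lines. The sample log lines, the FW-DROP/FW-ACCEPT prefixes, the banned-port policy and the scan threshold are all constructed assumptions, and the block-mode commands are returned as strings, never run.

```python
import re
from collections import defaultdict

# Constructed sample in the format the iptables LOG target writes to the kernel
# log (addresses are RFC 5737 documentation ranges, not real hosts).
SAMPLE_LOG = """\
Jun 13 10:15:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44321 DPT=22 SYN
Jun 13 10:15:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44322 DPT=23 SYN
Jun 13 10:15:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44323 DPT=25 SYN
Jun 13 10:15:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44324 DPT=3389 SYN
Jun 13 10:15:03 gw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=80 SYN
Jun 13 10:15:04 gw kernel: FW-ACCEPT: IN=eth1 OUT= SRC=192.0.2.33 DST=192.0.2.10 PROTO=TCP SPT=50002 DPT=23 SYN
"""

# Tolerates the optional "[uptime]" stamp some kernels print before the prefix.
LINE_RE = re.compile(r"kernel: (?:\[[^\]]*\] )?(\S+): (.*)$")
BANNED_PORTS = {21: "ftp", 23: "telnet"}  # hypothetical site policy from the thread
SCAN_THRESHOLD = 3                         # distinct dropped ports from one source

def parse_line(line):
    """Split one LOG line into its --log-prefix and KEY=VALUE fields, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    fields["prefix"] = m.group(1)
    return fields

def analyse(log_text, mode="alert"):
    """Return (alerts, actions). "alert" mode only reports (the baseline phase);
    "block" mode also returns proposed iptables commands. Nothing executes them."""
    dropped_ports = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or not f.get("DPT"):
            continue
        dpt = int(f["DPT"])
        if f["prefix"] == "FW-DROP":
            dropped_ports[f["SRC"]].add(dpt)
        elif f["prefix"] == "FW-ACCEPT" and dpt in BANNED_PORTS:
            alerts.append(("banned-protocol", f["SRC"], f"{BANNED_PORTS[dpt]} to {f['DST']}"))
    for src, ports in dropped_ports.items():
        if len(ports) >= SCAN_THRESHOLD:
            alerts.append(("port-scan", src, f"{len(ports)} dropped ports"))
    actions = [f"iptables -I INPUT -s {src} -j DROP"
               for kind, src, _ in alerts if kind == "port-scan"] if mode == "block" else []
    return alerts, actions
```

Run against the sample, alert mode flags the accepted telnet session and the source that hit four filtered ports; block mode additionally proposes one DROP rule for that source.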
 

Author Comment

by:elyrodriguez
ID: 16903877
thanks for the detailed explanations.