Solved

Network Security

Posted on 2006-06-13
7
1,187 Views
Last Modified: 2013-11-16
Hello Experts,

I am kinda confused with some terms. Please clarify the following:

stateless packet filtering VS stateful packet filtering

and

NAT VS PAT

Thanks for all your help
Question by:elyrodriguez
7 Comments
 
LVL 32

Assisted Solution

by:r-k
r-k earned 20 total points
 

Author Comment

by:elyrodriguez
Ok, thanks for the info. However, I have a few more questions. Can packet filtering be considered an IDS system? If not, can it be configured into one? What is the difference in the way they filter? Which one is more reliable?
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 50 total points
IDS is intrusion detection, and if your firewall logs are being looked through and you get alerted to certain traffic, whether it's blocked or allowed, then it's an IDS. If you don't have the logs checked with a program or manually, then it's not much of any acronym. An IPS, intrusion PREVENTION system, is one that blocks. Detection alerts you to trouble, or the lack thereof, but doesn't act. IDSs like Snort have plug-ins or add-ons like SnortSAM that will see the alert and then issue commands to your firewall to block that traffic for a specified time, seconds to forever depending on your settings.

IDS/IPS systems are both just as vulnerable to false positives and false negatives; it depends on the rule that is written. Snort rules are community rules: everyone across the globe contributes and writes rules for Snort, some write better rules than others, and some rules that are well written develop false positives later down the road.
http://www.snort.org/  http://www.snort.org/docs/ (there are lots of links to docs that apply to other IDSs as well, like the IDS evasion docs)
http://www.snortsam.net/

Snort can also operate in "in-line" mode that allows it to use iptables to block traffic; SnortSAM is however better suited in my opinion. http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/node7.html
http://en.wikipedia.org/wiki/Stateful_Packet_Inspection
-rich
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 20 total points
> Can packet filtering be considered as an IDS system?
no

> If not, can it be configured into one?
yes, no, depends
configuring iptables with logging, and then reading the logs, might be considered an IDS
:)
> What is the difference in the way they filter?
IDS do *not* filter

> Which one is more reliable?
both, none, depends
I'd vote for a firewall ...
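Rich's and ahoffmann's answers describe the same loop from two angles: the firewall only filters and logs, something reads those logs and alerts (that is the IDS), and optionally something pushes a block rule back to the firewall (the SnortSAM-style IPS step). The following Python is an added example of that loop and is not code from this thread, from Snort or from SnortSAM. The log lines are constructed in the kernel's iptables LOG format and assume the LOG rules were given the prefixes IPT-DROP and IPT-ACCEPT with --log-prefix; the "rule" is a deliberately simple heuristic (one source producing DROP entries for five or more distinct destination ports within 60 seconds), and the threshold, window and exempt list are illustrative values, not recommendations.

```python
"""Added example: a log-driven IDS/IPS loop over iptables LOG output.

The firewall only filters and logs; the IDS half reads the log and alerts;
the IPS half turns an alert into a firewall change. Sample lines are
constructed, not captured traffic.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed lines in the kernel's iptables LOG format (syslog header, log
# prefix, then KEY=VALUE fields). Prefixes IPT-DROP / IPT-ACCEPT are assumed
# to have been set with --log-prefix on the LOG rules.
SAMPLE_LOG = """\
Jun 13 10:15:01 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN
Jun 13 10:15:01 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40002 DPT=23 SYN
Jun 13 10:15:02 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40003 DPT=25 SYN
Jun 13 10:15:02 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40004 DPT=135 SYN
Jun 13 10:15:03 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40005 DPT=445 SYN
Jun 13 10:15:03 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40006 DPT=3389 SYN
Jun 13 10:15:05 gw kernel: IPT-ACCEPT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=80 SYN
Jun 13 10:15:09 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51001 DPT=443 SYN
Jun 13 10:16:30 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51002 DPT=8080 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>\S+): (?P<fields>.*)$"
)


def parse_line(line, year=2006):
    """Parse one LOG line into a dict; returns None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # KEY=VALUE tokens become dict entries; bare flags such as SYN are skipped
    ev = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    # syslog timestamps carry no year, so the caller supplies it
    ev["ts"] = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ev["prefix"] = m["prefix"]
    return ev


def load_events(text, year=2006):
    return [ev for ev in (parse_line(l, year) for l in text.splitlines()) if ev]


def detect_port_scans(events, threshold=5, window_sec=60, exempt=frozenset()):
    """IDS half: alert when one source has DROP entries for `threshold`
    distinct destination ports within `window_sec`. Sources in `exempt`
    (e.g. your own vulnerability scanner) are skipped: a known false positive."""
    history = defaultdict(list)  # src -> [(ts, dport)] still inside the window
    alerted = set()
    alerts = []
    for ev in events:
        if ev["prefix"] != "IPT-DROP" or "DPT" not in ev or ev["SRC"] in exempt:
            continue
        src, now = ev["SRC"], ev["ts"]
        hist = history[src]
        hist.append((now, ev["DPT"]))
        # drop entries that have aged out of the sliding window
        history[src] = hist = [(t, p) for t, p in hist
                               if (now - t).total_seconds() <= window_sec]
        ports = sorted({p for _, p in hist}, key=int)
        if len(ports) >= threshold and src not in alerted:
            alerted.add(src)  # one alert per source, fired at the crossing
            alerts.append({"src": src, "ports": ports,
                           "first": hist[0][0], "last": now})
    return alerts


def block_commands(alerts, chain="INPUT"):
    """IPS half: the firewall change a SnortSAM-style agent would issue per alert."""
    return [f"iptables -I {chain} -s {a['src']} -j DROP" for a in alerts]


if __name__ == "__main__":
    found = detect_port_scans(load_events(SAMPLE_LOG))
    for a in found:
        print(f"ALERT {a['src']} probed ports {','.join(a['ports'])} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
    for cmd in block_commands(found):
        print("IPS would run:", cmd)
```

Detection and blocking are kept as separate functions on purpose: running only detect_port_scans for a while is the log-reading IDS ahoffmann describes, and wiring its output into block_commands is the step that turns it into an IPS. The second source in the sample (two dropped ports 81 seconds apart) shows why the window matters; without it every slow probe would eventually trip the threshold.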
 
LVL 5

Accepted Solution

by:kevinf40
kevinf40 earned 55 total points
Hi elyrodriguez

Packet filtering firewalls can not really be considered IDS/IPS systems (although rich's comment regarding log monitoring is perfectly valid).

A packet filtering firewall applies rules to connections - e.g. anyone can connect to server X on port 80.  But it does not have any intelligence (in general, although many firewalls do now allow for some application intelligence) about what is sent to that port.  So although you may only be able to connect to the web server on port 80, you can send any data you like to that port - hence it is still vulnerable to attack.

An IPS / IDS device will use a combination of filters and / or heuristics to apply intelligence to what traffic is actually allowed. So continuing the above example, if you put an IPS device behind the firewall this would then monitor the port 80 traffic to the web server and either alert or block anything suspicious (e.g. worms) - thus offering further protection for your webserver.

Personally (I can't comment specifically on snort) I prefer in-line IPS devices as they can actually block traffic rather than relying on either changing firewall rules or sending resets.

As both IDS / IPS devices suffer from false positives, it is usual to configure them to monitor / alert only initially (especially IPS) in order to get a sensible baseline before allowing them to perform further actions.

Some vendors are now offering devices that offer both firewall and IDS functionality in one box.  The next stage of IDS / IPS is building it into core switches, thus allowing entire internal networks to be protected by one device - although these are currently in their infancy, and rather expensive.

IDS / IPS devices also offer value used on internal networks - as well as helping prevent the spread of malware, they can also spot many configuration errors such as blank sa passwords, or use of banned protocols (e.g. we don't allow ftp or telnet on our network).

cheers

Kevin
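To make Kevin's port-80 example concrete, here is an added Python sketch of the two layers he describes; it is not code from the thread or from any vendor's product. The first layer is a stateless packet filter that decides only on destination address, protocol and port, so "anyone to server X on 80" lets any bytes through. The second layer inspects those bytes and either alerts or blocks, with a mode switch for the monitor-only baseline period he recommends. The rule table, the three signatures and the sample requests are all constructed for illustration; the "shell-metachar-in-uri" signature is deliberately loose so that one harmless-looking search query trips it, which is exactly the false-positive case that argues for alerting before blocking.

```python
"""Added example: what a packet filter sees versus what an inspection layer
sees. Rules, signatures and requests are constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    payload: bytes = b""


# Layer 1: stateless packet filter. Matches on (dst, proto, dport) only; first
# match wins, default deny. Constructed rule table: "anyone to server X on 80".
WEB_SERVER = "192.0.2.10"
FIREWALL_RULES = [
    ("allow", WEB_SERVER, "tcp", 80),
    ("deny", "*", "*", "*"),
]


def packet_filter(pkt, rules=FIREWALL_RULES):
    for action, dst, proto, dport in rules:
        if dst in ("*", pkt.dst) and proto in ("*", pkt.proto) and dport in ("*", pkt.dport):
            return action
    return "deny"


# Layer 2: inspection behind the firewall, applied only to what the firewall
# let through. Constructed signatures: a traversal pattern, an oversized
# request line, and a deliberately loose metacharacter check that will
# false-positive on legitimate query strings.
SIGNATURES = [
    ("traversal", re.compile(rb"\.\./")),
    ("oversized-request-line", re.compile(rb"^[A-Z]+ \S{2048,}")),
    ("shell-metachar-in-uri", re.compile(rb"^[A-Z]+ \S*[;|`]")),
]


def inspect(pkt, signatures=SIGNATURES):
    """Names of signatures matching the payload (empty list = clean)."""
    return [name for name, rx in signatures if rx.search(pkt.payload)]


def ips(pkt, mode="alert"):
    """Run both layers. mode='alert' only reports (the baseline period);
    mode='block' is in-line blocking once the signature set is trusted."""
    if packet_filter(pkt) == "deny":
        return {"firewall": "deny", "ids": [], "verdict": "dropped-by-firewall"}
    hits = inspect(pkt)
    if not hits:
        return {"firewall": "allow", "ids": [], "verdict": "forwarded"}
    verdict = "blocked" if mode == "block" else "forwarded+alert"
    return {"firewall": "allow", "ids": hits, "verdict": verdict}


# Constructed traffic toward the web server
SAMPLES = {
    "normal": Packet("198.51.100.7", WEB_SERVER, 80,
                     payload=b"GET /index.html HTTP/1.0\r\n\r\n"),
    "traversal": Packet("203.0.113.5", WEB_SERVER, 80,
                        payload=b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"),
    "ssh": Packet("203.0.113.5", WEB_SERVER, 22, payload=b"SSH-2.0-client\r\n"),
    "false-positive": Packet("198.51.100.8", WEB_SERVER, 80,
                             payload=b"GET /search?q=cats|dogs HTTP/1.0\r\n\r\n"),
}

if __name__ == "__main__":
    for mode in ("alert", "block"):
        print(f"--- mode={mode}")
        for name, pkt in SAMPLES.items():
            r = ips(pkt, mode)
            print(f"{name:15} port {pkt.dport:<4} firewall={r['firewall']:5} "
                  f"ids={r['ids']} -> {r['verdict']}")
```

The ssh packet never reaches the inspection layer because the filter drops it; the traversal request does reach it, since port 80 is open, and only the second layer notices. In block mode the false-positive request would have been dropped too, which is the cost Kevin's alert-first baseline is meant to surface before it hits real users.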
 
LVL 37

Assisted Solution

by:Bing CISM / CISSP
Bing CISM / CISSP earned 55 total points
umm... it seems that several related concepts are confusing you. ok, let me explain them:

a packet filtering system is to be used at the frontline to defend your territory. it actually executes your defence plan. it recognizes the incoming people (the incoming packets) to determine your partners (legitimate requests) or your enemies (malicious requests), according to the rules defined in your defence plan. then it acts: for friends, let them in. for enemies, deport them (refuse the requests) or kill them (drop the packets). the actions depend on your defence plan (such as, to explicitly fight some or to implicitly confuse some).

a logging system is used to completely or partly record what has actually happened or is happening at the frontline, in detail or in summary, depending on the battle types and your enemies. e.g. who has been allowed in as friends (might be enemies actually if your defence plan has a defect or is wrong), who has been killed or refused, who went out. anything possibly useful for analysis should be recorded.

an IDS is used to monitor the latest changes in the logs and determine any abnormal behaviors, based on some patterns or experience. 1) it needs more computing resources and consumes more time 2) its outcomes are not actions (allow in or not); most are suggestions. some IDSs may give commands to the packet filtering system at the frontline, to apply/change/stop a rule/policy, only if the conclusion of the IDS is very sure.

humans should be involved in the defence system and have the final decisions. the IDS is just a tool to aid the involved people. the commander is a man, the IDS is the commander's intelligence department. the commander reviews everything, and modifies the defence plan if necessary. then the frontline executes it.

briefly, the concepts are different things though related. they need to be connected to work together, in a closed loop: plan, do, check, action (PDCA).

hope it helps,
bbao
 

Author Comment

by:elyrodriguez
thanks for the detailed explanations.