Firewall Fundamentals

Because network traffic must cross the firewall to reach the end systems, the firewall has also become a natural point at which to inspect that traffic. For many years, firewall vendors such as Cisco Systems, Inc. and Check Point have been adding intrusion detection system (IDS) capabilities to their firewalls. These devices were the first "in-line" IDSs, long before dedicated in-line IDS appliances existed.

Overview of IDS

Intrusion detection is an aspect of security whereby a device detects the fingerprint of an attack within the network. Modern IDSs use a variety of techniques to ensure that the alarms they raise correspond to actual attacks being conducted rather than to false alarms. Many IDSs connect to the network through a port on a switch, and the interface connected to that port captures traffic destined for a particular system or subnet, as shown in Figure 14-2.

Figure 14-2. Intrusion Detection

The Firewall as an IDS Sensor

As firewall hardware has become more and more powerful, vendors have sought to use the additional computing power by adding features to the firewall code. Many vendors have offered IDS capabilities in their firewalls for quite some time and have thereby made the firewall the first true in-line intrusion prevention system (IPS). However, the IDS code in the firewall was, until recently, not on par with the IDS code used in the dedicated IDS appliance. For example, the integrated IDS capability of the Cisco PIX Firewall was only a small subset of the capabilities of Cisco's dedicated IDS/IPS offerings. The IDS capabilities of the firewall did not fully mimic those of the dedicated appliance because of concerns about the impact of those capabilities on firewall performance. Nevertheless, the firewall makes an excellent sensor: it sits directly in-line with the traffic flow and can capture all traffic destined for target hosts located behind it.

Combined with other IDS devices, such as dedicated appliances, the firewall makes an effective line of defense with these capabilities. In addition to dedicated IDS appliances, host IPS agents significantly improve the deterrent capabilities and the defenses of a network. With alarms from firewalls, dedicated IDS appliances, and host IPS agents, a strong correlation can be made between sources when distinguishing a real attack from a false positive. This, in turn, allows the administrator to apply countermeasures with more confidence, such as having the dedicated appliance issue TCP resets or shun the offending source, or having the firewall itself drop the offending traffic. Overall, the role of firewalls in intrusion detection is still being defined as vendors migrate more and more IDS code into the firewall appliance.
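As an added illustration of the alarm correlation described above (example code written for this page, not from the book): a small correlator that groups alerts from a firewall, a dedicated IDS, and a host IPS agent by source, destination and signature within a time window, then maps the number of agreeing sources to one of the countermeasures the text names. The alert line format, the sample alerts, the 60-second window and the action thresholds are all constructed assumptions.

```python
# Constructed sample alerts (not from the book), one per line:
# <epoch_seconds> <source> <src_ip> <dst_ip> <signature>
SAMPLE_ALERTS = """\
1000 firewall 203.0.113.5 192.0.2.10 sql-injection
1003 nids 203.0.113.5 192.0.2.10 sql-injection
1005 hips 203.0.113.5 192.0.2.10 sql-injection
1010 nids 198.51.100.7 192.0.2.10 port-scan
1400 firewall 198.51.100.7 192.0.2.10 port-scan
1500 hips 203.0.113.9 192.0.2.20 buffer-overflow
1520 nids 203.0.113.9 192.0.2.20 buffer-overflow
"""

WINDOW = 60  # seconds; alerts further apart than this are separate events
SOURCES = {"firewall", "nids", "hips"}
# Illustrative policy (an assumption, not the book's): the more independent
# vantage points agree, the stronger the countermeasure from the text.
ACTIONS = {3: "firewall-drop", 2: "ids-shun", 1: "log-only"}

def parse_alerts(text):
    """Parse alert lines into (ts, source, src, dst, sig) tuples, oldest first."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        # malformed or unknown-source lines are skipped, not allowed to crash us
        if len(parts) == 5 and parts[0].isdigit() and parts[1] in SOURCES:
            ts, source, src, dst, sig = parts
            alerts.append((int(ts), source, src, dst, sig))
    return sorted(alerts)

def correlate(alerts, window=WINDOW):
    """Group alerts by (src, dst, sig). An alert joins the open group for its key
    if it is within `window` seconds of that group's first alert; otherwise it
    opens a new group. Each group records which sources fired."""
    groups, open_idx = [], {}
    for ts, source, src, dst, sig in alerts:
        key = (src, dst, sig)
        idx = open_idx.get(key)
        if idx is None or ts - groups[idx]["start"] > window:
            groups.append({"key": key, "start": ts, "sources": set()})
            idx = open_idx[key] = len(groups) - 1
        groups[idx]["sources"].add(source)
    return groups

def recommend(text):
    """One (src, dst, sig, start, sorted_sources, action) per correlated event."""
    out = []
    for g in correlate(parse_alerts(text)):
        src, dst, sig = g["key"]
        out.append((src, dst, sig, g["start"], sorted(g["sources"]), ACTIONS[len(g["sources"])]))
    return out
```

Note that the two port-scan alerts fall outside the window of each other and stay single-source events, so they are only logged, whereas the SQL injection seen by all three vantage points is escalated to a firewall drop.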

The Firewall as the IPS

With the increased market desire to go beyond simple intrusion detection to intrusion prevention, more vendors have begun using the firewall not just as an IDS sensor but as an actual IPS device in and of itself (particularly true of devices such as the Cisco Adaptive Security Appliance [ASA]).

The logic behind this is relatively sound. Because the firewall is a natural control point for network traffic, and because all traffic entering or exiting a network through a firewall must be processed by the firewall anyway, added IPS functionality lets the firewall not only detect intrusion attempts on its own but also block the traffic without requiring any other device to be involved in the processing decision. This functionality is relatively new and is largely the result of the increased processing power of today's microprocessors, which allows a firewall to perform this more intensive data processing with minimal impact on network performance.