This article summarizes definitions, functions, and the security capabilities provided by common network security devices. The content is primarily conceptual.
Router
A router connects multiple networks that use the same protocol and mainly operates at the network layer. It determines the most efficient path for network traffic. An analogy is choosing the fastest road from home to school. Most routers do not forward broadcast traffic.
Security related: Routers use access control lists (ACLs), which are rule sets that allow or block traffic. ACLs can filter network traffic and block unwanted flows.
Switch
A switch is a device with multiple network ports that combines multiple physical devices into a single logical network. It primarily operates at the data link layer, although some switches (layer 3 switches) can perform routing functions.
Operation: Switches use physical addresses (MAC addresses) to forward frames to specific hosts.
Security related: Access can be limited to specific ports by MAC address, flood protection can mitigate DoS attacks, and loop prevention (STP) can disable network loops.
Proxy
A proxy communicates with one end on behalf of another, acting as an intermediary. It can intercept and block abnormal traffic before it reaches the endpoint.
Security related:
- Content filtering to prevent malicious code from executing on local machines.
- Forward proxies can intercept client traffic before it leaves the internal network.
- Proxies may modify traffic or simply forward it unchanged.
- Reverse proxies intercept incoming external traffic and protect target servers.
Firewall
A firewall protects systems or networks by blocking unnecessary network traffic based on a predefined set of rules. Firewalls can be software-based or hardware-based. Common hardware vendors include Huawei, Sangfor, and Cisco; a well-known software example is Microsoft ISA.
Security related: Firewall policy sets typically implement implicit deny, meaning that unless traffic is explicitly allowed, it is blocked. Implicit deny is effectively the final rule in all policy sets.
Load Balancer
A load balancer distributes workload across multiple devices. Two common distribution methods are:
- Round-robin: traffic is forwarded sequentially to servers in the list. For example, with servers A, B, C, inbound requests A,B,C,D,E,F would be forwarded to A,B,C,A,B,C respectively.
- Affinity (session persistence): traffic from a client is forwarded to the server with which the client already has an established connection.
Security related: Load balancers can provide some mitigation against DDoS attacks.
IDS
An intrusion detection system (IDS) scans, assesses, and monitors computing infrastructure to identify signs of ongoing attacks. IDS analyzes data and sends alerts to security administrators. Components include hardware sensors, intrusion detection software, and management software. IDS types include host-based IDS (HIDS) and network-based IDS (NIDS).
Network IDS typically uses passive hardware sensors to monitor segment traffic by sniffing packets and issuing alerts. It can detect rogue hosts, reconnaissance activity, and attack patterns.
IPS
An intrusion prevention system (IPS) can perform IDS functions and also take actions to block threats. IPS functionality overlaps with IDS, but IPS can actively prevent attacks. Proper configuration is critical: overly strict rules may block legitimate activity, while overly permissive rules may lead to missed detections. Well-managed and finely tuned IPS devices are effective defensive tools.
IPS types include host-based IPS (HIPS) and network IPS (NIPS). NIPS monitors suspicious network traffic and can drop unwanted packets or reset connections. NIPS can also normalize traffic based on specific content rules.
Types of Network Monitoring Detection Methods
IDS and IPS primarily rely on several methods to identify alert-worthy traffic:
- Signature-based: detects known threats by matching known characteristics.
- Anomaly-based: identifies alerts based on abnormal behavior relative to a predefined baseline. This requires configuration of acceptable behavior; without a baseline, some anomalies may not trigger alerts.
- Behavior-based: models an entity's normal behavior and compares future behavior to detect deviations from the norm.
- Heuristic (AI): infers whether an entity may pose a threat based on behavior in a given environment.
SIEM
Security information and event management (SIEM) provides real-time or near-real-time analysis of security alerts from network hardware and applications, helping administrators detect potential attacks more quickly.
Main functions:
- Provide deeper context for IDS/IPS and help reduce false positives and false negatives.
- Aggregate security data from logs across systems to ensure comprehensive visibility and place related events into proper context through correlation.
Other functions:
- Automated alerts.
- Time synchronization across servers and the SIEM.
- Event de-duplication to reduce analyst workload.
- Write-once, read-many logging to protect SIEM logs from tampering or deletion by attackers.
DLP
Data loss prevention (DLP) solutions detect and prevent sensitive information from being stolen or otherwise leaving the organization, with emphasis on outbound detection. DLP monitors data and blocks unauthorized destruction, movement, or copying.
Examples:
- Network: detect and block confidential files sent by email.
- Host: block USB ports entirely or prevent specific files from being written to removable drives to stop users from copying sensitive data offsite.
Security Gateway
A security gateway controls traffic to ensure that inbound and outbound network flows are subject to appropriate controls. A mail gateway is a type of security gateway that includes spam filtering to reject inbound messages containing known spam content. Security gateways can integrate with DLP to prevent data exfiltration, and they can encrypt data leaving the network to protect confidentiality and integrity.
Unified Threat Management
Unified threat management (UTM) consolidates multiple security technologies into a single appliance, typically managed from a single console. UTMs were created to reduce the cost and complexity of discrete systems, simplifying security operations and administration.
Drawbacks: UTMs can create single points of failure, and adding functions increases processing load.
