Network Protection: Adding Intelligence to Security

Network protection devices should have the ability to deliver additional control analytics and provide insight into the content and applications users are accessing.

Adding intelligence to a network mitigates risks through real-time situational awareness of network activity, and adds critical transparency to allay fears of potential customers. You can use intelligent network protection to harden network security to restrict data leakage or data theft. You can also audit trails of all network transactions related to a customer’s account, assuring compliance with regulation and standards.

Network protection: business intelligence for data networks

Nowadays the typical business infrastructure depends on network connectivity. Even brief outages or slowdowns can cause significant economic loss. To stay on top of events, hosting companies and Internet service providers need to know what’s going on in their servers. To achieve this goal, monitoring is critical.

By monitoring network traffic, one can…

  1. Resolve issues before clients or users notice a problem.
  2. Discover which applications are using up too much bandwidth.
  3. Reduce costs by buying bandwidth and hardware according to actual load.
  4. Be proactive and deliver a higher quality service to your users.
  5. Quickly troubleshoot network problems.

An efficient approach to 24×7 monitoring for large enterprises, service providers, and SMEs involves automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates. Effective application of these tools can allow fully capable network protection monitoring systems within hours of installation

Network protection tools:

Business models usual require online connectivity to be both available and secure. As more data and business processes move online, organizations sometimes struggle to protect websites and infrastructure without sacrificing performance for security.
With modern threats bypassing conventional protection systems almost routinely, a new approach to security is imperative.

Network protection is required in order to secure websites and data centers to reduce the risk of downtime and data theft. Below are some common tools used for network protection:

1. Firewalls:

A firewall applies an array of rules that to each packet moving between trusted and untrusted networks. The rules determine whether a packet can pass or not. When it’s a large network that needs protection, the firewall software often runs on its own dedicated hardware. Firewalls can also be helpful for monitoring network traffic.
In general, there are two types of firewalls network protection:

  1. Software-based firewalls are often run as additional programs on computers that are primarily used for other purposes.
  2. Hardware-based firewalls run on a dedicated computer (or appliance). While they often provide better performance than software firewalls, they are also more expensive.

2. IPS: an active network protection security solution:

Intrusion Prevention Systems (IPS), can definitely deliver next-level security technology to provide security at all system levels from the operating system kernel to network data packets. An IPS will support various policies and rules for tracking network traffic and for alerting system or network administrators to suspicious traffic.

Besides triggering alerts in the face of potential attacks, an IPS will also employ active defenses to stop it. An IPS has the ability to prevent known intrusion signatures and can also prevent some unknown attacks due to its database of generic attack behavior. In combination with an IDS and an application layer firewall, a well-designed IPS is generally considered “state of the art” in network protection.

Network-based vs. Host-based IPS

Host-based intrusion prevention systems are used to protect servers and workstations through software which runs between a system’s applications and OS kernel. Network-based intrusion prevention systems intercept all network traffic and monitor it for suspicious activity and events. But while they can both be effective, each has its own limitations:

  • Host-based systems are generally more secure than network-based.
  • Both are costly.
  • Both require regular updates.
  • NIPS implementation is more complicated.

3. IDS: a passive network protection security solution

An Intrusion Detection System (IDS – see this post on Server Security) will look for any suspicious activity and events that might be the result of a virus, worm or hacker. This is done by looking for known intrusion signatures or attack signatures that characterize different worms or viruses and by tracking general variances which differ from regular system activity. The IDS is able to provide notification of only known attacks.

Passive vs. Reactive Systems

In a passive system, the IDS will detect a potential security breach, log the information and signal an alert. In a reactive system, the IDS will respond to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source.

Network-based vs. Host-based IDS

Intrusion Detection Systems are network or host-based solutions. Network-based IDS systems (NIDS) are often standalone hardware appliances that include network intrusion detection capabilities. It will usually consist of hardware sensors located at various points along the network or software that is installed on system computers connected to your network. The IDS will analyze data packets entering and leaving the network.

Host-based IDS systems (HIDS) do not offer true real-time detection, but if configured correctly they can reach close to true real-time. Host-based IDS systems consist of software agents installed on individual computers within the system. HIDS analyze the traffic to and from the systems on which they’re installed. HIDS systems often provide features you can’t get with network-based IDS.

4. HIPS (Host IPS) (similar to Antivirus on a consumer PC):

HIPS are installed software packages that analyze events occurring within a host, to monitor for suspicious practices. By monitoring code behavior, HIPS can stop malware from running without requiring that a specific threat already has been added through a detection update.

HIPS are closely related to firewalls: HIPS systems block attempts by a hacker or malware, and encourage the user to react.
Advantages of the HIPS network protection:

  • Monitors other programs.
  • Changes important registry keys for certain events.
  • Stops active malware.
  • Relatively simple: it has a basic set of rules to be followed.
  • Starts before other programs, immediately after device or driver installation.
  • Injects malicious code into a trusted program as it pre-processes the memory access.
  • Very useful for adapting or creating new rules.

Note: It is important that the admin understands the consequences of using HIPS, as it could disable certain system tasks.

Conclusion

Your network still needs to be protected – and never more so than in the cloud. Network protection devices need the ability to provide extra control with analytics and insight into which users are accessing what content and applications.

Cloud Academy