Firewall

A firewall is a network security device placed at the perimeter of the corporate network, so that every packet entering the network first passes through it. The main function of the firewall is to screen all the packets entering, leaving and flowing within the network to prevent unauthorized access between two or more computers. A firewall inspects each packet and allows, denies or drops it depending on the rules configured on it. For example, a firewall may have rules configured to allow only HTTP packets; if it receives an ICMP packet, it simply drops the packet and does not allow it to enter the network.
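The following is an added example, not code from the original article, showing how the rule evaluation just described works: a small stateless packet filter that walks an ordered rule list, applies the first matching rule (allow, deny or drop) and falls back to a default drop. The rules, addresses and sample packets are constructed for this illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    proto: str          # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port (None for ICMP)


@dataclass(frozen=True)
class Rule:
    # action: "allow" = forward, "deny" = reject and notify sender,
    # "drop" = discard silently (as the ICMP example in the text)
    action: str
    proto: str = "any"
    src: str = "0.0.0.0/0"      # CIDR; default matches every source
    dst: str = "0.0.0.0/0"      # CIDR; default matches every destination
    dport: Optional[int] = None  # None = any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


# Constructed rule set for a perimeter firewall in front of 10.0.0.0/24:
# only HTTP and HTTPS reach the internal network, telnet is explicitly
# rejected, ICMP is dropped silently, and everything else hits the default.
RULES: List[Rule] = [
    Rule("allow", proto="tcp", dst="10.0.0.0/24", dport=80),
    Rule("allow", proto="tcp", dst="10.0.0.0/24", dport=443),
    Rule("deny", proto="tcp", dport=23),
    Rule("drop", proto="icmp"),
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES, default: str = "drop") -> str:
    """Return the action for pkt: first matching rule wins, else the default.

    A default of "drop" means anything not explicitly allowed is discarded,
    which is the safe posture for a perimeter device.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def run_demo() -> List[str]:
    # Constructed sample traffic arriving from the outside (203.0.113.0/24 is
    # a documentation range) destined for an internal web server.
    sample = [
        Packet("203.0.113.5", "10.0.0.10", "tcp", 80),    # HTTP  -> allow
        Packet("203.0.113.5", "10.0.0.10", "tcp", 443),   # HTTPS -> allow
        Packet("203.0.113.5", "10.0.0.10", "icmp"),       # ping  -> drop
        Packet("203.0.113.5", "10.0.0.10", "tcp", 23),    # telnet -> deny
        Packet("203.0.113.5", "10.0.0.10", "udp", 53),    # no rule -> default drop
    ]
    return [filter_packet(p) for p in sample]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

Rule order matters: a broad rule placed before a specific one shadows it, so when reviewing a rule base check that narrow allow rules sit above wider deny or drop rules, and that the default is drop rather than allow.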

Firewall types

Generally, there are two types of firewall in use. They are as follows:

- Network-based firewall: These firewalls function at the network level. They take care of all the packets coming in and going out of the network and filter traffic based on the rules configured on the firewall.
- Host-based firewall: Host-based firewalls are the ones installed on a personal computer/PC. This firewall filters all the traffic for a single dedicated system, unlike network-based ones, which take care of the whole network. These are software-based firewalls, which usually come as part of the operating system.

Firewall classification

A firewall is available in many forms. They are:

- Hardware firewall
- Software firewall
- Packet-filter firewall
- Proxy firewall
- Application gateways
- Circuit-level gateways
- Stateful packet inspection (SPI)

IDS

IDS stands for Intrusion Detection System. As the name suggests, it is used to detect and monitor traffic for illegitimate packets or suspicious activity and raises an alert when it comes across one. An IDS is usually software that scans a network and reports its findings to a SIEM for further analysis so that the correct measures can be taken.

IDS detection method

An IDS implements two methods to detect anomalies in the packets on the network. They are:

- Signature-based detection: In signature-based detection, the IDS detects malicious packets by observing events and matching their patterns against the signatures of known attacks. If a signature matches, an alert is raised; otherwise the packet is allowed into the network.
- Anomaly-based detection: In anomaly-based detection, packet filtering is based on a predefined set of rules or patterns rather than attack signatures. If the packet does not match the rules/patterns, an alert is raised and sent to the SIEM.

IDS classification

IDSes can be classified into five types:

- Network Intrusion Detection System (NIDS)
- Host Intrusion Detection System (HIDS)
- Protocol-based Intrusion Detection System (PIDS)
- Application Protocol-based Intrusion Detection System (APIDS)
- Hybrid Intrusion Detection System

IPS

IPS stands for Intrusion Prevention System. As the name suggests, it detects malicious packets, sends the information to the SIEM and blocks the packet. Unlike an IDS, which only detects and reports the packet, an IPS attempts to block the packet as well. Thus, an IPS is a step more advanced and more effective than an IDS.

IPS detection method

An IPS implements three methods to detect anomalies and block packets on the network. They are:

- Signature-based detection: In signature-based detection, the IPS detects malicious packets by observing events and matching their patterns against the signatures of known attacks. If a signature matches, an alert is raised and the packet is dropped.
- Anomaly-based detection: In anomaly-based detection, packet filtering is based on a predefined set of rules or patterns rather than attack signatures. If the packet does not match the rules/patterns, an alert is raised, sent to the SIEM and the packet is dropped.
- Stateful protocol analysis detection: In stateful protocol analysis detection, detection is based on divergence from the protocol. Incoming packets are compared with a profile of accepted protocol definitions and accordingly dropped or allowed.
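The following is an added example, not code from the original article, that puts the IDS detection methods and the three IPS methods above into one small engine: a signature check over the payload, an anomaly check against a profile of expected ports and connection rate, and a stateful check that TCP data must follow a completed handshake. In "ids" mode the engine only records alerts (what would be forwarded to the SIEM); in "ips" mode it also returns a drop decision for any packet that raised a finding. The signatures, profile, flag encoding and packet trace are all constructed for this illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: str          # TCP flags from the client side: "S", "A" or "PA"
    payload: bytes = b""


# Signature-based: byte patterns of known attack traffic (constructed examples).
SIGNATURES = {
    "sql-injection-probe": re.compile(rb"(?i)union\s+select"),
    "path-traversal": re.compile(rb"\.\./\.\./"),
}


def signature_check(pkt: Packet) -> List[str]:
    return [name for name, rx in SIGNATURES.items() if rx.search(pkt.payload)]


# Anomaly-based: a profile of what is normal for this network segment.
@dataclass
class Profile:
    allowed_ports: Set[int]          # services expected on the segment
    max_connections_per_src: int     # SYNs per source before it is anomalous


def anomaly_check(pkt: Packet, profile: Profile, syn_counts: Dict[str, int]) -> List[str]:
    findings = []
    if pkt.dport not in profile.allowed_ports:
        findings.append(f"unexpected-port-{pkt.dport}")
    if pkt.flags == "S":                       # new connection attempt
        syn_counts[pkt.src] += 1
        if syn_counts[pkt.src] > profile.max_connections_per_src:
            findings.append("connection-rate-exceeded")
    return findings


# Stateful protocol analysis: data on a flow that never completed a handshake
# diverges from how TCP is defined to behave.
class TcpStateTracker:
    def __init__(self) -> None:
        self.state: Dict[Tuple[str, str, int], str] = {}

    def check(self, pkt: Packet) -> List[str]:
        key = (pkt.src, pkt.dst, pkt.dport)
        state = self.state.get(key)
        if pkt.flags == "S":
            self.state[key] = "SYN_SENT"
        elif pkt.flags == "A" and state == "SYN_SENT":
            self.state[key] = "ESTABLISHED"
        elif pkt.payload and state != "ESTABLISHED":
            return ["data-before-handshake"]
        return []


class Engine:
    def __init__(self, mode: str, profile: Profile) -> None:
        assert mode in ("ids", "ips")
        self.mode = mode
        self.profile = profile
        self.syn_counts: Dict[str, int] = defaultdict(int)
        self.tracker = TcpStateTracker()
        self.alerts: List[Tuple[str, List[str]]] = []   # what goes to the SIEM

    def process(self, pkt: Packet) -> str:
        findings = (signature_check(pkt)
                    + anomaly_check(pkt, self.profile, self.syn_counts)
                    + self.tracker.check(pkt))
        if findings:
            self.alerts.append((pkt.src, findings))
            if self.mode == "ips":          # IPS blocks inline; IDS only reports
                return "drop"
        return "allow"


def run_trace(mode: str) -> Tuple[List[str], List[Tuple[str, List[str]]]]:
    """Run a constructed packet trace through the engine; return decisions and alerts."""
    engine = Engine(mode, Profile(allowed_ports={80, 443}, max_connections_per_src=3))
    trace = [
        Packet("10.1.1.5", "10.0.0.10", 80, "S"),                        # legit handshake
        Packet("10.1.1.5", "10.0.0.10", 80, "A"),
        Packet("10.1.1.5", "10.0.0.10", 80, "PA", b"GET /index.html HTTP/1.1\r\n"),
        Packet("10.1.1.9", "10.0.0.10", 80, "PA",                        # no handshake + signature
               b"GET /?id=1 UNION SELECT password FROM users HTTP/1.1\r\n"),
        Packet("10.1.1.7", "10.0.0.10", 23, "S"),                        # port not in profile
        Packet("10.1.1.7", "10.0.0.10", 80, "S"),
        Packet("10.1.1.7", "10.0.0.10", 80, "S"),
        Packet("10.1.1.7", "10.0.0.10", 80, "S"),                        # 4th SYN from this source
    ]
    decisions = [engine.process(p) for p in trace]
    return decisions, engine.alerts


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        decisions, alerts = run_trace(mode)
        print(mode, decisions, alerts)
```

The same trace produces identical alerts in both modes; the only difference is whether the engine's verdict is enforced. That is also the practical trade-off: an IPS needs the same detection logic to be precise enough that a false positive does not block legitimate users, which is why anomaly thresholds such as the connection rate here are usually tuned in IDS mode first.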

Firewall vs. IDS vs. IPS

Following is a general comparison between a firewall, an IDS and an IPS.

Conclusion

This article provided an overview of firewalls, IDS and IPS. It also stressed their importance and their role in protecting the corporate network. We saw why they should be part of every network and how they can provide active defense against malicious attacks from outside players.

Sources

- IDS vs. IPS: What is the Difference?, Varonis
- What Is a Firewall?, Cisco
- Introduction of Firewall in Computer Network, GeeksforGeeks
- Intrusion Detection System (IDS), GeeksforGeeks
- Intrusion Prevention System (IPS), GeeksforGeeks