Archive for the ‘Network Security’ Category

“The network is protected by a firewall; isn’t a firewall enough?”

While a firewall is a critical component of secured network infrastructure, it only examines individual packets in isolation. The benefit of an IPS/IDS is that it can scrutinize the comprehensive behavior of a network attack spread out over dozens, even hundreds, of individual packets.

A real-world comparison would be the security guard at the entrance to a building. The guard checks each person’s ID before allowing or denying access to the building. This guard would certainly be effective against a majority of villains; however, imagine a scenario where a team of attackers legitimately enter the building, all at different times, and then coordinate their attack once safely inside.

The guard at the front door would be completely ineffective against this type of attack. What’s required to defend against such tactics is a second security guard, who monitors the video feeds of multiple security cameras placed at key locations throughout the building. In the scenario above, these seemingly legitimate persons are now seen exhibiting suspicious behavior; for example, all of them taking the service elevator and rendezvousing just outside the datacenter in the basement.

The point is that while a firewall is a critical layer in a defensive architecture, it is simply not designed to detect more complex attacks.


IPS and IDS are short for Intrusion Prevention System and Intrusion Detection System, respectively. At a high level, what differentiates the two is how they’re implemented in a network.

Intrusion Detection’s primary function is to alert on suspicious activity. It does not sit in the pathway of inbound/outbound traffic like a firewall does, but rather is placed to the side: traffic that traverses the network’s core is replicated out of a “span port” that is then fed to the IDS. The main disadvantage of this model is that if suspicious activity is detected, it cannot be effectively prevented. The best a deployment such as this can do is respond with TCP resets for any malicious connections. However, this is not an efficient mechanism, and the IDS unit can quickly become overwhelmed. Furthermore, the replication of all traffic to the “span port” places a significant burden on core switch resources.

Intrusion Prevention, on the other hand, is equally effective at detecting network attacks and can also block them. The primary difference is that an IPS sits inline, directly in the path of traffic entering and leaving the protected network. Because of this, malicious traffic can be dropped before it enters the network’s perimeter, and because it sits inline, there is no need to burden core switches with the task of replicating “span port” traffic. Additionally, it can still function as an IDS by sending alerts exclusively, without acting on any traffic it inspects.


Implementing an IPS is not a trivial task. Because of the complexity of the analysis, it’s important to first establish a baselining period, to properly differentiate attack traffic from legitimate traffic. This essentially involves a period of monitoring and adjustment, during which the number of “false positives” can be minimized.

A false positive is the misidentification of legitimate network sessions as attack traffic. It’s easy to see how disruptive this could be for a production network: the IPS blocking communication that is critical for business applications to run.

That is the reason for this preliminary monitoring phase; alerts generated by the IPS unit must be carefully examined and signature actions adjusted accordingly.


From a high level you have to identify potential threats and correlate them to applicable vulnerabilities.

A threat is essentially a network attack. Viruses, Denial of Service, and SQL Injection are all examples of threats.

A vulnerability is a point of weakness that allows a particular attack to succeed. Protocols such as TCP and HTTP have multiple vulnerabilities. Operating systems like Linux and Windows also have vulnerabilities. Some of these vulnerabilities can be mitigated with security updates or specific configuration settings, but the reality is that not all of them can be fixed. These vulnerabilities are sometimes inherent to the technology, and a fix isn’t always feasible.

The correlation of vulnerability to threat is a critical step in implementing an effective IPS solution. For example, is it necessarily a point of concern that your logs show a high amount of attacks that target HTTP and IIS? Well, that depends; if you’re running Postfix on a Linux server, then those attacks clearly aren’t as relevant.


Again, because of the nature of network security, implementing an IPS is not a “plug & play” solution. Technology evolves, threats evolve; you don’t simply lock the front door to your house and never return, naively assuming all will be well. The same is true for networks. Once the IPS is properly set up, it must be monitored on a daily basis to ensure not only that it is effectively securing the customer’s network, but also that it is operating correctly and not prohibiting legitimate business applications from running.


ISR’s IOS firewall vs ASA

Posted: September 23, 2010 in Network Security

In the IT industry, some of the most common debates among technology professionals are Mac vs PC, Linux vs Everything, Nvidia vs ATI, Intel vs AMD, and ASA firewall vs IOS firewall.

Other than money, the decision for the most part depends on the engineer’s philosophy. Some prefer to have a single device do their routing and their security, while others prefer to have dedicated security devices. This reasoning, however, does not really determine what the “best” solution for your network is.

Since IOS 12.4(9)T, IOS routers support Zone-Based firewalls, as opposed to the previous CBAC, which worked with deny-all ACLs and had CBAC create temporary holes in your ACL based on inspection rules. Because of this, the features offered by the IOS are just as rich as those offered by the ASA. One difference is that the IOS router starts out by allowing all traffic [on your untrusted interfaces], whereas the ASA starts by denying all traffic. Consequently you have to configure the actual hardening of your IOS router yourself. I will say the ASA typically offers faster performance, but that’s partially because the ASA is sort of a one-trick pony and isn’t doing any dynamic routing.
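As an added illustration (not configuration from the original post), here is the legacy CBAC approach next to a minimal zone-based firewall that gives an IOS router the deny-by-default posture the ASA has out of the box. Zone, class-map, policy-map and interface names are assumptions; the two sections are alternatives, not meant to be applied together.

```cisco
! Added example, not from the original post. All names are assumptions.
!
! --- Legacy CBAC (shown for contrast) ---
! A deny-all ACL faces the untrusted link; CBAC inspection on the trusted side
! punches temporary return-traffic holes through that ACL.
ip inspect name CBAC-OUT tcp
ip inspect name CBAC-OUT udp
ip access-list extended OUTSIDE-IN
 deny ip any any log
interface GigabitEthernet0/1
 ip access-group OUTSIDE-IN in
interface GigabitEthernet0/0
 ip inspect CBAC-OUT in
!
! --- Zone-Based firewall (replaces the CBAC section above) ---
! Hosts on Gi0/0 are trusted; Gi0/1 faces the untrusted link.
zone security INSIDE
zone security OUTSIDE
!
! Traffic permitted and inspected from INSIDE to OUTSIDE. Inspection keeps
! the stateful return entries, so no ACL holes are needed.
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! Only the INSIDE->OUTSIDE zone-pair exists. With no OUTSIDE->INSIDE
! zone-pair, unsolicited traffic from the untrusted side is dropped.
zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! Caveat: traffic to and from the router itself (the "self" zone) stays
! permitted until a zone-pair involving "self" is defined.
! Verify sessions and class-default drop counters with:
!   show policy-map type inspect zone-pair ZP-INSIDE-OUTSIDE sessions
```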

One advantage of the ASA is that it can operate in Transparent mode, in which the firewall essentially acts as a Layer 2 bridge and is not seen as a router hop in the network path. This simplifies deployment, since there is no routing to adjust and no complicated NAT configuration to set up. It also obfuscates the firewall’s presence.

The 800 series routers offer 3G cards, and as such typically make for better branch office solutions than an ASA 5505. This incorporation of 3G cards offers better fault tolerance if your main connection fails, and to date there are no ASA models that have integrated 3G. Both allow for High Availability clusters; however, this only addresses the failure of the device itself, not the loss of service provider connectivity. [Which is something we all know: 90% of the time, the problem is with the ISP, not the device.]

When deploying for large corporate networks, with multiple sites that are networked together, I think one of the main things to consider is the complexity of the VPN features desired. The ASA’s feature set is relatively limited in this respect. If you want to leverage more advanced features like DMVPN or GET VPN, an IOS router is your only option. Of course, by default the ASA performs a little faster on VPN tunnels, but if you need a boost to VPN performance, you can install one of the AIM-VPN boards and get a significant increase in the number of IPSec tunnels and/or SSL sessions. For example, on an 1841 the datasheet says about 800 tunnels, and on a 2800 about 1500 tunnels. More info here:

If you’re looking for IPS, either platform will serve your needs: IOS routers have IPS AIM and IPS NME add-on boards, and these will dramatically increase inspection performance over just using the router’s resources. I believe the stats show the AIM at 45 Mb/s and the NME at 75 Mb/s with about 3000 signatures. If you’re setting up a branch office or smaller office, yet you want the advanced analysis offered by IPS, then the IOS router is the less expensive solution. For an ASA you must purchase an AIP module to do Intrusion Detection/Prevention; however, an IOS router with the Advanced IP Services image can make use of the software-based IPS built into the image. The number of simultaneous inspections that can be performed depends on the DRAM installed in the router. For 128MB you use the 128MB.SDF signature file, which supports 300+ signatures. For 256MB, you use the 256MB.SDF signature file, which supports 500+ signatures. Now this is a far cry from the thousands of signatures offered by the AIM or AIP hardware, but it does offer a bit more intelligence than a standard firewall.

Click to access prod_presentation0900aecd806ccf26.pdf


If you’re looking for an appliance to just do traffic inspection, predominantly for a web DMZ or publicly accessible network, the ASA is probably your best bet. If, however, you have a highly decentralized internal network where branch offices frequently talk to each other, then you would benefit from something like DMVPN, and your deployment would be greatly simplified using something like a 2800 running IPSec SSO with the AIM-VPN card.

As a matter of personal preference, I find myself moving away from the philosophy of this specialized device for routing and this specialized device for security. I prefer to simplify my deployments, and believe me w/ NAT, VPNs, Firewall, IPS, having an ASA sitting behind your border router…it can add a significant amount of complexity to your design…and ultimately, your troubleshooting.