122 CHAPTER 8 Security Standards and Services
■ IDSes may be software-based or may combine hardware and software.
■ Network IDS exists for the purpose of catching malicious activity once the activity occurs anywhere within your network environment.
Intrusion Prevention Systems
An intrusion prevention system (IPS) is basically the same tool as an IDS except that it has the capability to take some sort of action in response to a suspected attack, such as blocking the malicious network traffic.
An IPS is capable of responding to attacks when they occur, such as:
■ Halting the attack in progress.
■ Automatically updating firewall and router rules to block future traffic from the same address.
FIREWALLS
A firewall blocks access to an internal network from outside and blocks users of the internal network from accessing potentially dangerous external networks or ports. There are three distinct firewall technologies:
■ Packet filtering: A network layer firewall or packet-filtering firewall works at the network layer of the Open Systems Interconnection (OSI) model and can be configured to deny or allow access to specific ports or Internet Protocol (IP) addresses. It is designed to operate rapidly by either allowing or denying packets simply based on source and destination IP address and port information. This is the simplest and fastest form of traffic-filtering firewall technologies.
■ It works in two directions: to keep intruders at bay and to restrict access to the external network from internal users.
■ Two distinct firewall base policies are as follows:
• Allow by default – it allows all traffic to pass through the firewall except traffic that is specifically denied.
• Deny by default – it blocks all traffic from passing through the firewall except for traffic that is explicitly allowed.
■ Ports 0 through 1023 are considered well-known ports. These ports are used for specific network services and should be considered the only ports allowed to transmit traffic through a firewall.
■ Ports outside the range of 0 through 1023 are either registered ports or dynamic/private ports.
• User ports range from 1024 to 49,151.
• Dynamic/private ports range from 49,152 to 65,535.
■ Since only the header of a packet is examined, a packet-filtering firewall is fast.
■ There are two major drawbacks to packet filtering:
• A port is either open or closed.
• It does not understand the contents of any packet beyond the header.
■ Stateful inspection: Stateful inspection operates at the network and the transport layers of the OSI model, but it has the ability to monitor
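As an added illustration of the packet-filtering bullets above (example code, not from the study guide), the following Python models a header-only packet filter with first-match rules and either base policy, plus the three port ranges the list gives. The rule set, addresses and packet records are constructed samples.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

WELL_KNOWN_MAX = 1023    # 0-1023: well-known ports
REGISTERED_MAX = 49151   # 1024-49151: registered (user) ports; above: dynamic/private


def port_class(port: int) -> str:
    """Name the port range a TCP/UDP port falls into."""
    if not 0 <= port <= 65535:
        raise ValueError(f"invalid port {port}")
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic/private"


@dataclass
class Rule:
    """One packet-filter rule; dport=None means 'any destination port'."""
    action: str                 # "allow" or "deny"
    src: str = "0.0.0.0/0"      # source network, CIDR
    dst: str = "0.0.0.0/0"      # destination network, CIDR
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        # Only header fields are consulted; pkt["payload"] is never read.
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt["dport"]))


def filter_packet(pkt: dict, rules: List[Rule], default: str) -> str:
    """First matching rule wins; the base policy decides when nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed sample rule set: permit web traffic into one subnet, block one source net.
RULES = [Rule("allow", dst="192.0.2.0/24", dport=80),
         Rule("deny", src="198.51.100.0/24")]
# Constructed sample packets (documentation address ranges).
WEB = {"src": "203.0.113.5", "dst": "192.0.2.10", "dport": 80, "payload": "GET /"}
ODD = {"src": "203.0.113.5", "dst": "192.0.2.10", "dport": 5555, "payload": "x"}
BLOCKED = {"src": "198.51.100.7", "dst": "192.0.2.10", "dport": 22, "payload": ""}
```

Under deny by default the unmatched port-5555 packet is dropped, under allow by default it passes. The payload never changes the verdict, which is the second drawback the list names.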