3.4 Network security management equipment

Data reference: CISP official 

Table of contents

  • IDS (Intrusion Detection System)
  • Network Security Audit
  • Vulnerability Scanning System
  • VPN (Virtual Private Network)
  • Bastion Host
  • Security Management Platform

1. IDS (Intrusion Detection System)

Intrusion Detection System (IDS) is a network security device used to monitor and detect intrusions in the network and take corresponding response measures. It listens to the data packets transmitted in the network, analyzes and interprets these data packets to determine whether there are potential attacks or security holes.

The main functions of an intrusion detection system include:

  1. Provide active defense : The intrusion detection system can actively monitor the traffic and data packets in the network, discover and respond to potential intrusions in time. Combined with other security devices such as firewalls, it forms a comprehensive network security defense system and enhances the overall security of the network.

  2. Supplementary firewall functions : Although a firewall is an important part of network security, its function is mainly rule-based access control, which may not provide timely defense against specific or unknown attacks. Through real-time monitoring and analysis of network traffic, the intrusion detection system can discover new attacks, abnormal behaviors or unknown vulnerabilities, and immediately take measures to block or alarm.

  3. An important part of building a network security defense system : As an important part of the network security defense system, the intrusion detection system works in conjunction with other security devices (such as firewalls, intrusion prevention systems, etc.) to jointly build a powerful network security defense system. It provides a deeper detection and response mechanism, enhancing the overall security and resiliency of the network.

  

Intrusion Detection Type

  1. Network Intrusion Detection System (NIDS): NIDS is deployed on network borders or key network nodes to detect potential intrusions by monitoring network traffic and analyzing data packets. It can monitor the communication flow in the whole network, and detect and report the non-compliance with the security policy or abnormal behavior. NIDS can identify common attack patterns, malicious code, and network security events such as unauthorized access.

  2. Host Intrusion Detection System (HIDS): HIDS is deployed on a single host to monitor and detect intrusions on that host. It detects whether there is anomalous behavior, unauthorized access or malicious activity by monitoring information such as the host's operating system, applications, and logs. HIDS can detect host-level attacks such as unauthorized file changes, abnormal process behavior, or virus infection.

  

Intrusion Detection System Features

  • Discover and report unauthorized or security policy violations in the system
  • Provide guidance for the formulation of network security policies

Network Intrusion Detection System (NIDS) has the following advantages:

  1. Bypass (out-of-path) installation : NIDS is usually deployed in bypass mode, that is, it sits off the transmission path of network traffic and receives a copy of it, so it does not have a significant impact on network performance. This installation method does not require modification or configuration of existing network equipment, reducing the complexity and risk of deployment.

  2. Low equipment performance requirements : Compared with other network security equipment (such as firewalls), NIDS does not have high equipment performance requirements. It mainly focuses on the monitoring and analysis of network traffic without complex access control or packet filtering operations. Therefore, NIDS is not likely to become a bottleneck of network performance.

However, network intrusion detection systems also have some limitations:

  1. Unable to analyze and detect encrypted data : Due to the existence of encryption algorithms, NIDS cannot conduct in-depth analysis and detection on encrypted data. When network traffic is transmitted using encrypted protocols, NIDS can only identify encrypted traffic, but cannot analyze the content and potential attack behavior in detail.

  2. Heavy processing load in high-speed switching networks : In high-speed switching networks, the network traffic is very large and complex, and the processing load on NIDS is heavy. In order to maintain low latency and high throughput in high-speed networks, NIDS needs to have powerful processing capabilities and efficient algorithms to avoid becoming a performance bottleneck.

  3. Unable to judge the consequences of attacks : NIDS mainly focuses on detecting and reporting attacks in the network, but cannot directly judge the consequences of attacks. It can only provide alerts and logs about attack events, which need to be further analyzed by security administrators and respond accordingly.

Host Intrusion Detection System (HIDS) has the following advantages:

  1. Monitors all system behaviors : HIDS can monitor all system behaviors on the host, including system logs, the account system, file reads and writes, etc. It can comprehensively monitor and analyze the activities on the host, and discover potential intrusion behaviors and abnormal behaviors.

  2. Able to detect the consequences of attacks : Compared with network intrusion detection systems, HIDS is closer to the host operating system and application level, so it can better detect the consequences of attacks. For example, it can identify unauthorized file changes, unusual process behavior, or virus infections, among others.

  3. Suitable for encrypted network environments : HIDS can work in encrypted network environments because it is mainly based on the monitoring and analysis of host behavior rather than in-depth analysis of network traffic. This makes HIDS a powerful tool for securing hosts in encrypted network environments.

However, host intrusion detection systems also have some limitations:

  1. Poor portability, high development and testing pressure : Since HIDS needs to be installed on each host and integrated with different operating systems and applications, its portability is poor. There is also pressure to develop and test HIDS for various host environments.

  2. Consumption of host hardware resources : HIDS needs to run on the host and consume certain CPU, memory and storage resources. This may have some impact on the performance of the host, especially on resource-constrained or high-performance hosts.

  3. It can only protect the host on which the product is installed : HIDS can only protect the host on which the system is installed, but cannot directly protect other hosts or network devices. If a host does not have HIDS installed, intrusions on that host cannot be detected.

Misuse Detection Technology

  • Establish an intrusion behavior model (attack signatures)
  • Assume that all possible attack features can be identified and represented
  • System-based and user-based misuse

Anomaly Detection Technology

  • Define "normal" behavior patterns
  • Assume all intrusions are abnormal
  • System-based and user-based anomalies
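The two techniques above can be shown side by side on log data. The following is an added example written for this page (it is not code from the original article or from any IDS product): a toy NIDS-style detector run over constructed web-server access-log lines of the form `client_ip method path status`. Misuse detection matches each request against attack signatures (a constructed signature list); anomaly detection learns a "normal" request rate per client from a known-good window and flags clients whose rate in the inspected window exceeds it. All addresses, paths and thresholds are constructed for the demonstration.

```python
"""Added example, not part of the original article: a toy NIDS-style detector that
contrasts misuse (signature) detection with anomaly (baseline) detection over
constructed web-server access-log lines of the form 'client_ip method path status'."""
import re
from collections import Counter
from statistics import mean, pstdev
from urllib.parse import unquote_plus

# Misuse detection: the intrusion behaviour model is a list of attack signatures
# (name, regex applied to the URL-decoded request path). Constructed for this example.
SIGNATURES = [
    ("directory traversal", re.compile(r"\.\.[/\\]")),
    ("sql injection marker", re.compile(r"union\s+select", re.IGNORECASE)),
]

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

# Constructed known-good window used to learn the "normal" request rate per client.
BASELINE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /about.html 200
10.0.0.7 GET /index.html 200
10.0.0.9 GET /login 200
10.0.0.5 GET /products 200
10.0.0.7 GET /contact 200
10.0.0.9 POST /login 302
10.0.0.5 GET /index.html 200
10.0.0.7 GET /index.html 200
10.0.0.9 GET /cart 200
"""

# Constructed window under inspection: normal clients, one client probing many
# unknown paths quickly (abnormal rate, no known signature), and one client whose
# requests match signatures but whose rate looks ordinary.
TEST_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.7 GET /about.html 200
203.0.113.8 GET /../../etc/passwd 404
10.0.0.5 GET /products 200
203.0.113.8 GET /search?q=1'+UNION+SELECT+1 500
10.0.0.7 GET /contact 200
10.0.0.5 GET /cart 200
203.0.113.8 GET /admin 403
""" + "".join(f"198.51.100.4 GET /probe{i} 404\n" for i in range(12))


def parse_log(text):
    """Parse constructed log lines; malformed lines are skipped rather than trusted."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def misuse_detect(events):
    """Signature matching: every event whose decoded path matches a known pattern."""
    hits = []
    for ev in events:
        path = unquote_plus(ev["path"])  # normalise URL encoding before matching
        for name, rx in SIGNATURES:
            if rx.search(path):
                hits.append((ev["ip"], name, ev["path"]))
    return hits


def build_baseline(events):
    """Learn 'normal': mean and spread of requests per client in the good window."""
    values = list(Counter(ev["ip"] for ev in events).values())
    return mean(values), pstdev(values)


def anomaly_detect(events, baseline, k=3.0):
    """Flag clients whose request count exceeds mean + k * stdev of the baseline.
    This catches the fast prober without any signature, but says nothing about
    the signature-matching client, whose rate is ordinary: the two techniques
    cover different failure modes."""
    mu, sigma = baseline
    threshold = mu + k * sigma
    counts = Counter(ev["ip"] for ev in events)
    return sorted((ip, n) for ip, n in counts.items() if n > threshold)


def run_demo():
    baseline = build_baseline(parse_log(BASELINE_LOG))
    events = parse_log(TEST_LOG)
    return {"misuse": misuse_detect(events), "anomaly": anomaly_detect(events, baseline)}


if __name__ == "__main__":
    for kind, findings in run_demo().items():
        print(kind, findings)
```

Run as a script, the misuse detector reports only the client whose requests match a signature, and the anomaly detector reports only the client whose request rate is far above the learned baseline; neither alone would have reported both, which is why the two techniques are usually combined.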

Deployment of Intrusion Detection System

  • Based on the analysis of data packets across the entire network : This deployment method involves setting up monitoring devices in the network to capture all data packets passing through the network. The intrusion detection system will analyze and identify these data packets to detect possible intrusion behaviors. This method can help discover intrusion attempts at the network level, such as port scanning, DoS (Denial of Service) attacks, etc. However, due to the need to process a large number of data packets, the requirements for system resources are relatively high.

  • Based on the analysis of packets in the server area : In this deployment mode, the intrusion detection system is deployed in a specific network area where the server is located. It monitors the data packets that occur in the area, as well as the traffic going out of the area. Compared with the whole network analysis, this method has higher efficiency and accuracy, because it can focus on the data traffic and activities related to the server. This is very effective for detecting server-related intrusions such as exploits, malicious file uploads, etc.

  • Based on the analysis of packets of key hosts or servers : In this deployment mode, the intrusion detection system is only deployed on key hosts or servers. It will monitor and analyze the inbound and outbound messages of the host or server, so as to detect and prevent intrusions targeting these key devices in time. This method is suitable for hosts or servers that require high protection, such as important data storage and business-critical applications.

 Answers to Challenges and Questions Related to Intrusion Detection Systems

  1. High user knowledge requirements : Indeed, using an intrusion detection system requires certain professional knowledge and skills. Users need to understand the configuration, operation, and management of the system, and understand how to interpret and respond to alert messages generated by the system. In order to reduce the burden on users, an easy-to-use user interface and clear documentation can be provided to assist users in operating and understanding the system.

  2. High processing performance requirements : With the rapid development of the network, the intrusion detection system needs to have sufficient processing performance to cope with the ever-increasing network traffic and complex attack methods. This presents challenges for hardware and software selection and optimization. One possible solution is to adopt distributed deployment and parallel processing techniques to improve the processing capacity and efficiency of the system.

  3. High false alarm rate : The false alarm rate of an intrusion detection system refers to the frequency of system false positives. Since the intrusion detection system needs to make judgments based on predefined rules and models, there is a certain possibility of false positives. In order to reduce the false alarm rate, the accuracy of the system can be improved by adding more precise rules and models, combining machine learning and other technologies.

  4. Incompletely documented warning messages : It is important to ensure completeness and traceability of warning messages. The system should be able to record and store all warning information, including relevant context and event information, for subsequent analysis and investigation. Additionally, log management and security information and event management (SIEM) systems can be leveraged to help collect, analyze, and correlate warning information in order to generate more useful results.

  5. Potentially limited detection of other data : When responding to attacks against itself, an intrusion detection system may concentrate on a specific target or area, resulting in limited detection of other data. In order to make up for this problem, consider introducing multi-level and multi-angle intrusion detection technology to cover a wider range of data and attack methods to improve overall security and defense capabilities.

2. Network security audit

Security Audit System

  • According to a certain security policy, check system logs, network data, user activities, and environmental conditions to discover system vulnerabilities, illegal operations, etc. A security audit system and other network security products (firewalls, intrusion detection systems, vulnerability scanners, etc.) are independent of each other but also complement each other to protect the overall security of the network.
  • Network audit
  • Host audit
  • A security audit system records and reviews users' computer system and network activities. Through independent review of system records and behaviors, it can deter and warn possible attackers, find the insecure states of the system so that they can be adjusted and corrected in time, and evaluate and give feedback on security policy changes.

3. Vulnerability scanning system

Vulnerability

        Vulnerabilities refer to security weaknesses or flaws in information systems, software, networks, and other environments, which may be exploited by attackers to obtain unauthorized access, perform malicious operations, and steal sensitive information. Vulnerabilities can appear in various aspects of system design, implementation, and configuration, including program errors in software codes, system configuration errors, and insecure network protocols.

Vulnerability scanning

        Vulnerability scanning is a proactive network security technology used to detect and discover security loopholes in information systems. By using special scanning tools, system administrators can regularly scan network devices, operating systems, applications, etc., so as to discover vulnerabilities and configuration defects in the system in time.

        The purpose of vulnerability scanning is to help organizations identify potential security risks so that they can take timely steps to remediate these vulnerabilities . The scanning tool will automatically check all aspects of the system, including open ports, services, patch status, configuration settings, etc., and then compare it with the known vulnerability database to find possible security vulnerabilities.

        Vulnerability scanning system is an important tool for network security managers, which can find security loopholes and configuration defects in the system . Through regular vulnerability scanning, administrators can understand the security status of the system and take corresponding measures to repair the vulnerabilities so as to improve the overall security of the system.

        However, it should be noted that the vulnerability scanning system may also be abused by attackers to a certain extent . Attackers can use the vulnerability scanning system to find security holes and intrusion paths in the system, so as to launch attacks. Therefore, when using a vulnerability scanning system, it is necessary to take necessary security measures, such as access control, authentication, etc., to prevent unauthorized individuals or organizations from using the system.

        In addition, vulnerability scanning technology is usually used in combination with other security measures such as firewalls and intrusion detection systems to form a comprehensive security protection system. Vulnerability scanning provides the discovery of security weaknesses, while firewalls and intrusion detection systems can block malicious traffic or detect intrusions, further improving network security .
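The core of the scanning step described above is matching what was discovered (open ports, identified services and their versions) against a known-vulnerability database and a set of configuration checks. The following is an added example written for this page, not code from the original article or from any scanner product. Every host, product name, version, vulnerability ID and severity in it is a constructed placeholder, not a real advisory; a real scanner would load its database from a vendor or public feed and identify services from actual probe responses.

```python
"""Added example, not part of the original article: the matching step of a
vulnerability scanner, where an inventory of discovered services is compared with
a known-vulnerability database and a small set of configuration checks. All hosts,
product names, versions and vulnerability IDs here are constructed placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    product: str   # service/product identified on the port
    version: str   # version string, e.g. "1.3.9"


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str
    product: str
    affected_from: str  # first affected version (inclusive)
    fixed_in: str       # first fixed version (exclusive)
    severity: str
    summary: str


# Constructed "known vulnerability database"; IDs are placeholders, not real advisories.
VULN_DB = [
    VulnRecord("VULN-EXAMPLE-001", "exampled", "1.0", "1.4.2", "high", "auth bypass (placeholder)"),
    VulnRecord("VULN-EXAMPLE-002", "exampled", "2.0", "2.1.7", "critical", "remote code execution (placeholder)"),
    VulnRecord("VULN-EXAMPLE-003", "ftpd", "3.0", "3.2", "medium", "information disclosure (placeholder)"),
]

# Configuration check: cleartext management/transfer protocols exposed at all.
CLEARTEXT_PRODUCTS = {"telnetd", "ftpd"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(text):
    """'1.4.2' -> (1, 4, 2); tuples compare component-wise, so '1.10' > '1.9'."""
    return tuple(int(part) for part in text.split("."))


def is_affected(svc, rec):
    """True when the product matches and the version lies in [affected_from, fixed_in)."""
    if svc.product != rec.product or not svc.version:
        return False
    v = parse_version(svc.version)
    return parse_version(rec.affected_from) <= v < parse_version(rec.fixed_in)


def scan_inventory(inventory, db=VULN_DB):
    """Compare each discovered service with the database and the config checks;
    return findings sorted by severity, then host, port and ID."""
    findings = []
    for svc in inventory:
        for rec in db:
            if is_affected(svc, rec):
                findings.append({"host": svc.host, "port": svc.port, "id": rec.vuln_id,
                                 "severity": rec.severity,
                                 "detail": f"{svc.product} {svc.version}: {rec.summary}"})
        if svc.product in CLEARTEXT_PRODUCTS:
            findings.append({"host": svc.host, "port": svc.port, "id": "CONFIG-CLEARTEXT-SERVICE",
                             "severity": "medium",
                             "detail": f"{svc.product} carries credentials/data in cleartext"})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["host"], f["port"], f["id"]))
    return findings


# Constructed inventory, as a port/service discovery pass would report it.
INVENTORY = [
    Service("10.0.0.11", 8080, "exampled", "1.3.9"),   # inside the affected range of 001
    Service("10.0.0.12", 8080, "exampled", "2.1.7"),   # exactly the fixed version: not affected
    Service("10.0.0.12", 23, "telnetd", "0.17"),       # no database entry, but a cleartext protocol
    Service("10.0.0.13", 21, "ftpd", "3.1"),           # affected by 003 and a cleartext protocol
]

if __name__ == "__main__":
    for f in scan_inventory(INVENTORY):
        print(f"{f['severity']:<8} {f['host']}:{f['port']:<5} {f['id']} {f['detail']}")
```

The version comparison is the part that most often goes wrong in home-grown scanners: comparing version strings lexically would rank "1.10" below "1.9", so the example splits them into integer tuples. Note also the boundary handling: a service running exactly the fixed version is not reported.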

4. VPN (Virtual Private Network)

        A virtual private network (Virtual Private Network, VPN) is a method of using tunneling technology to create a virtual, temporary, and dedicated secure channel in a public network to protect users' network connections and data transmission.

VPN implementation technology:

  • Point-to-Point Tunneling Protocol (PPTP): An early protocol for creating tunneled connections.
  • Layer 2 Tunneling Protocol (L2TP): Combines PPTP and Layer 2 Forwarding Protocol (L2F) to enhance security and reliability; it is a tunneling protocol that works at layer 2.
  • IP Security (IPsec): A widely adopted set of security protocols that provide data encryption and authentication.
  • Generic Routing Encapsulation (GRE): A technique for encapsulating IP packets for transmission within other protocols.
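Of the tunneling technologies listed, GRE is the simplest to show concretely. The following is an added example written for this page (not code from the original article or from any VPN product) that builds a GRE header as defined in RFC 2784, with the optional key and sequence-number fields from RFC 2890, around a constructed IPv4 packet, and then parses it back, verifying the checksum. The addresses and payload are constructed. Note what GRE does and does not do: it encapsulates so that the inner packet can ride inside another IP packet, but it provides no confidentiality or authentication, which is why the list pairs it with IPsec.

```python
"""Added example, not part of the original article: GRE encapsulation as described
in RFC 2784 (base header, optional checksum) and RFC 2890 (key and sequence number),
wrapping a constructed IPv4 packet so it can be carried inside another IP packet.
GRE only encapsulates; it does not encrypt, so in a VPN it is paired with IPsec."""
import socket
import struct

GRE_FLAG_CHECKSUM = 0x8000   # C bit
GRE_FLAG_KEY = 0x2000        # K bit (RFC 2890)
GRE_FLAG_SEQ = 0x1000        # S bit (RFC 2890)
ETHERTYPE_IPV4 = 0x0800


def internet_checksum(data):
    """Standard one's-complement sum of 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 header (no options) around an arbitrary payload; constructed for the demo."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = internet_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def gre_encapsulate(payload, proto=ETHERTYPE_IPV4, key=None, seq=None, checksum=True):
    """Prepend a GRE header: flags/version, protocol type, then optional fields in RFC order."""
    flags, optional = 0, b""
    if checksum:
        flags |= GRE_FLAG_CHECKSUM
        optional += b"\x00\x00\x00\x00"          # checksum placeholder + reserved1
    if key is not None:
        flags |= GRE_FLAG_KEY
        optional += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_SEQ
        optional += struct.pack("!I", seq)
    header = struct.pack("!HH", flags, proto) + optional
    if checksum:
        csum = internet_checksum(header + payload)   # covers GRE header and payload
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + payload


def gre_decapsulate(packet):
    """Parse the GRE header, verify the checksum if present, and return the inner packet."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x7:
        raise ValueError("unsupported GRE version %d" % (flags & 0x7))
    info, offset = {"proto": proto}, 4
    if flags & GRE_FLAG_CHECKSUM:
        # a valid packet sums to zero when the checksum field itself is included
        if internet_checksum(packet) != 0:
            raise ValueError("GRE checksum mismatch")
        offset += 4
    if flags & GRE_FLAG_KEY:
        info["key"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_SEQ:
        info["seq"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    info["payload"] = packet[offset:]
    return info


def gre_is_valid(packet):
    """True when the packet parses and its checksum (if present) verifies."""
    try:
        gre_decapsulate(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    inner = build_ipv4_packet("10.0.0.5", "10.0.1.9", 17, b"hello")  # constructed addresses
    tunnelled = gre_encapsulate(inner, key=42, seq=7)
    print(tunnelled.hex())
    print(gre_decapsulate(tunnelled))
```

The receiver side is where the defensive detail sits: a GRE endpoint should reject packets whose version bits are non-zero, whose checksum does not verify, or that are shorter than the header their flags announce, rather than handing a malformed inner packet up the stack. The key field, when used, is only a tunnel identifier, not a secret.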

Cryptography:

  • Symmetric encryption: Use the same key for encryption and decryption, which is faster. Common algorithms include AES, DES, and 3DES.
  • Asymmetric encryption: A pair of keys is used, the public key is used to encrypt data and the private key is used to decrypt data. Common algorithms include RSA and Elliptic Curve Cryptography (ECC), etc.
  • SSL (Secure Sockets Layer): An encryption protocol used to establish a secure connection between a web browser and a server.
  • TLS (Transport Layer Security): The successor of SSL, used to protect the confidentiality and integrity of the communication process.

Compared with establishing or renting a dedicated line, a virtual private network (Virtual Private Network, VPN) has the following advantages :

  1. Low cost : Compared with dedicated lines, the cost of establishing remote access through VPN is lower. Using the Internet as the transmission medium, no additional investment in leased line fees is required.

  2. High security : VPN provides a strong encryption and identity authentication mechanism to ensure the security of data during transmission. By establishing a VPN tunnel, all data is encapsulated and transmitted encrypted to prevent data from being eavesdropped or tampered with.

  3. Simple, flexible and convenient : It is relatively simple to establish a VPN connection and can adapt to different network environments. Users only need to install the VPN client and connect to the VPN server through the Internet to realize remote access.

  4. Provide service assurance : VPN can provide services such as identity authentication, access control, security management, and traffic management to ensure that only authorized users can access internal resources, and manage and optimize traffic.

  5. Rich application scenarios : VPN meets the needs of organizations that need to remotely access internal resources of the enterprise through the Internet. Whether it is remote office, cross-regional office, mobile office, or remote users accessing internal systems, VPN can provide a secure and reliable connection.

Through VPN access, remote users can access internal resources while ensuring security, which can benefit both corporate organizations and private institutions. VPNs provide a flexible and cost-effective way to meet remote access needs.

VPN setup :

  1. Choose the right VPN service provider : First, you need to choose a trustworthy VPN service provider. They will provide the VPN server and corresponding software/app. Make sure you choose a provider that meets your needs and provides a secure, stable connection.

  2. Configure VPN server : The provider usually provides a VPN server, and you need to configure the server according to the instructions provided by the provider. This may involve setting network parameters, security protocols, encryption methods, user authentication, etc.

  3. Purchase and configure VPN hardware equipment : If you decide to build a VPN by yourself, you need to purchase hardware equipment suitable for VPN, such as VPN routers, firewalls, VPN hubs, etc. These devices will help you create and manage VPN connections.

  4. Network setup and configuration : You need to do some setup and configuration of the network, including IP address allocation, subnetting, routing settings, etc. This will ensure that the VPN network is functioning properly and connecting properly with other networks.

  5. VPN client setup and configuration : Remote users need to install VPN client software and configure it according to the guide provided by the provider. These guidelines typically include server addresses, authentication methods, and other related settings.

  6. Security and Monitoring : To keep your VPN safe, you need to take steps such as using strong passwords, regularly updating software and firmware, conducting traffic monitoring, and more. This will help prevent potential security breaches or intrusions.

5. Bastion host

The bastion host is a security device used to solve the security problems of remote maintenance operations, also known as a springboard host (jump host) . It is a specially developed and security-enhanced computer system that is usually deployed in the network area where the equipment that needs to be maintained remotely is located.

The working principle of the bastion host is that all remote maintenance operations on equipment must first be connected to the bastion host, and then the bastion host is used as a springboard for remote access and maintenance operations . Doing so has several advantages:

  1. Isolation access : As an intermediate link, the bastion host can effectively isolate direct access between the external network and internal devices, reducing the risk of potential attackers directly targeting internal devices.

  2. Access control : The bastion host has strict access control and authentication mechanisms. Only authorized and authenticated users can connect to the bastion host and further access internal devices. This can effectively prevent unauthorized access and illegal operations.

  3. Security audit : the bastion host can record and monitor all remote maintenance operations, including user login, command execution, etc. This is very important for later security audits and tracking illegal operations.

  4. Security hardening : The bastion host usually adopts a series of security measures and technologies to enhance its security, such as firewall, intrusion detection and prevention system, encrypted transmission, etc., to ensure the security of remote maintenance operations.

In short, the bastion host is an important security device, which is widely used in operation and maintenance management to solve the security problems of remote maintenance operations. It provides a safe and reliable remote maintenance environment through measures such as isolated access, strict access control, security audit, and security reinforcement.

6. Security management platform

The security management platform (SOC), also known as the security operation center, is a platform that provides centralized, unified and visualized security information management for organizations .

The main functions of the SOC include:

  1. Real-time collection of security information:

    • Network traffic logs
    • Event logs
    • Intrusion detection system alarms, etc.
  2. Security information correlation analysis and risk assessment:

    • Correlation analysis of collected security information
    • Identify potential threats and security incidents
    • Conduct risk assessments and determine handling priorities
  3. Security incident tracking and location:

    • Quickly track security incidents
    • Provide timely alerts
    • Analyze and trace events, locating sources and affected areas
  4. Emergency response:

    • Take quick action to respond to security incidents
    • Emergency fixes, isolation of affected systems, etc.
    • Minimize loss

Other features include:

  • Unified log management:

    • Centralized monitoring and management of log information generated by security devices and systems
    • Collect, store, analyze and retrieve logs
    • Support security incident traceability and investigation
  • Centralized monitoring and unified configuration management:

    • Monitor and manage configuration items of various security products and systems
    • Unified configuration standard
    • Improve the efficiency and accuracy of configuration management
  • Collaborative processing:

    • Coordinate information sharing and joint response among different security products and systems
    • Realize the collaborative processing of security incidents
    • Improve the synergy and overall effect of security protection
  • Unified security status management and control:

    • Real-time monitoring and management of the security status of the network system
    • Monitor the operating status of security devices
    • Ensure consistency and stability of network security posture
  • Automated Risk Analysis:

    • Analyze collected security data
    • Automatically identify and assess potential security risks
  • Security business process management:

    • Supports the management of secure business processes
    • Data support and information sharing
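The functions listed above (collecting events from several devices, correlating them, assessing risk and assigning a handling priority) can be shown in miniature. The following is an added example written for this page, not code from the original article or from any SOC product: it ingests constructed events from a firewall, an IDS and an authentication log, groups events from the same source address into time windows, scores each group by event weight and asset criticality, and ranks the resulting incidents. The devices, addresses, weights, window length and priority thresholds are all constructed for the demonstration; a real platform would tune them to its own environment.

```python
"""Added example, not part of the original article: the correlation and risk-assessment
step of a security management platform, run over constructed events from a firewall,
an IDS and an authentication log. Devices, addresses, weights and thresholds are all
constructed for this demonstration."""
from datetime import datetime, timedelta

# Constructed events: "<ISO time> <source device> <event type> <source ip> <target>"
RAW_EVENTS = [
    "2024-05-01T10:00:01 firewall deny 198.51.100.7 10.0.0.5:22",
    "2024-05-01T10:00:03 firewall deny 198.51.100.7 10.0.0.5:23",
    "2024-05-01T10:00:05 firewall deny 198.51.100.7 10.0.0.5:3389",
    "2024-05-01T10:01:10 ids alert 198.51.100.7 10.0.0.5",
    "2024-05-01T10:02:30 auth failure 198.51.100.7 10.0.0.5",
    "2024-05-01T10:02:32 auth failure 198.51.100.7 10.0.0.5",
    "2024-05-01T10:02:40 auth success 198.51.100.7 10.0.0.5",
    "2024-05-01T11:30:00 firewall deny 192.0.2.9 10.0.0.8:80",
    "2024-05-01T14:00:00 ids alert 203.0.113.4 10.0.0.9",
]

# How much each (device, type) pair contributes: an isolated firewall deny is near-noise,
# an IDS alert is significant on its own. Constructed weights.
WEIGHTS = {("firewall", "deny"): 1, ("ids", "alert"): 5, ("auth", "failure"): 2, ("auth", "success"): 0}
# Asset criticality multiplies the score: the same activity against a critical server matters more.
ASSET_CRITICALITY = {"10.0.0.5": 3, "10.0.0.8": 1, "10.0.0.9": 2}
WINDOW = timedelta(minutes=10)       # events from one source closer than this form one incident
SUCCESS_AFTER_FAILURES_BONUS = 10    # a login success following failures from the same source


def parse_events(lines):
    """Normalise the three log formats into one event record, ordered by time."""
    events = []
    for line in lines:
        ts, device, etype, src, target = line.split()
        events.append({"time": datetime.fromisoformat(ts), "device": device, "type": etype,
                       "src": src, "asset": target.split(":")[0]})
    return sorted(events, key=lambda e: e["time"])


def assess(inc):
    """Risk = weighted event sum x highest asset criticality, plus a pattern bonus."""
    base = sum(WEIGHTS.get((e["device"], e["type"]), 1) for e in inc["events"])
    criticality = max(ASSET_CRITICALITY.get(a, 1) for a in inc["assets"])
    score = base * criticality
    failures_seen = False
    for e in inc["events"]:
        kind = (e["device"], e["type"])
        if kind == ("auth", "failure"):
            failures_seen = True
        elif kind == ("auth", "success") and failures_seen:
            score += SUCCESS_AFTER_FAILURES_BONUS   # failures then success: possible compromise
            break
    priority = "P1" if score >= 30 else "P2" if score >= 10 else "P3"
    return {"score": score, "priority": priority}


def correlate(events):
    """Group events by source IP into time windows, score each group, rank by score."""
    incidents = []
    open_by_src = {}
    for ev in events:
        inc = open_by_src.get(ev["src"])
        if inc is None or ev["time"] - inc["last"] > WINDOW:
            inc = {"source": ev["src"], "first": ev["time"], "last": ev["time"],
                   "events": [], "assets": set()}
            incidents.append(inc)
            open_by_src[ev["src"]] = inc
        inc["events"].append(ev)
        inc["last"] = ev["time"]
        inc["assets"].add(ev["asset"])
    for inc in incidents:
        inc.update(assess(inc))
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


if __name__ == "__main__":
    for inc in correlate(parse_events(RAW_EVENTS)):
        print(f"{inc['priority']} score={inc['score']:<3} source={inc['source']} "
              f"events={len(inc['events'])} assets={sorted(inc['assets'])}")
```

The point the example makes is the one the list makes: no single device sees the whole picture. Three firewall denies, one IDS alert and two failed logins are each low-value alone; correlated by source and time, and weighted by the criticality of the target, they become the top-priority incident, while the isolated firewall deny against a low-value asset sinks to the bottom of the queue.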

The importance of a security management platform 

        By establishing SOC, organizations can realize centralized management and analysis of security information, quickly respond to security incidents, improve security protection capabilities, and establish a measurable unified security management support platform to protect important data and system security.

        As a good technical infrastructure, the security management platform can provide strong support for the security operation and maintenance and security management of information systems.

        In China's graded protection standards released in 2019, the construction of a security management platform is written into the general requirements for security management, which shows that more and more organizations will consider deploying a security management platform in information planning. By establishing a security management platform, organizations can centrally manage and monitor the operating status of security devices and systems, respond to and process security incidents in a timely manner, and conduct risk assessment and security policy formulation.

        The construction of the security management platform can also improve the overall effect of security protection, strengthen the collaborative processing of security incidents, and realize information sharing and linkage response between different security products and systems. In addition, the security management platform can also help organizations fully understand the security status of the network through unified log management, configuration management, and automatic risk analysis, and to detect and respond to security threats in a timely manner.

        Therefore, incorporating the security management platform into the informatization planning can improve the organization's information security management level and strengthen the protection of key information assets to cope with evolving security threats and risks.

 


Origin blog.csdn.net/weixin_43263566/article/details/132151632