What type of network security device both detects unwanted activities on the network and also takes active steps to stop the traffic?


Network security is the protection of a network against unauthorized access and other risks. It is the duty of network administrators to adopt preventive measures that protect their networks from potential security threats.

Computer networks that carry the regular transactions and communications of governments, individuals, or businesses require security. The most common and simplest way of protecting a network resource is to assign it a unique name and a corresponding password.

Types of Network Security Devices

Active Devices

These security devices block surplus (unwanted) traffic. Firewalls, antivirus scanning devices, and content filtering devices are examples of such devices.

Passive Devices

These devices identify and report on unwanted traffic, for example, intrusion detection appliances.

Preventative Devices

These devices scan the network and identify potential security problems. Examples include penetration testing devices and vulnerability assessment appliances.

Unified Threat Management (UTM)

These devices combine several functions in one all-in-one security appliance, for example a firewall, content filtering, and web caching.

Firewalls

A firewall is a network security system that manages and regulates network traffic according to a set of rules. A firewall establishes a barrier between a trusted internal network and the internet.

Firewalls exist both as software that runs on general-purpose hardware and as dedicated hardware appliances. Hardware-based firewalls often also provide other functions, such as acting as a DHCP server for the network.

Most personal computers use software-based firewalls to secure data from threats from the internet. Many routers that pass data between networks contain firewall components and conversely, many firewalls can perform basic routing functions.

Firewalls are commonly used in private networks or intranets to prevent unauthorized access from the internet. Every message entering or leaving the intranet passes through the firewall, where it is examined against the configured security rules.

An ideal firewall configuration consists of both hardware- and software-based devices. A firewall also helps provide remote access to a private network through secure authentication certificates and logins.

Hardware and Software Firewalls

Hardware firewalls are standalone products. They are also found in broadband routers. Most hardware firewalls provide a minimum of four network ports to connect other computers. For larger networks, e.g., for business purposes, business networking firewall solutions are available.

Software firewalls are installed on your computers. A software firewall protects your computer from internet threats.

Antivirus

An antivirus is a tool used to detect and remove malicious software. It was originally designed to detect and remove viruses from computers.

Modern antivirus software provides protection not only from viruses but also from worms, Trojan horses, adware, spyware, keyloggers, and so on. Some products also provide protection from malicious URLs, spam, phishing attacks, botnets, DDoS attacks, and similar threats.

Content Filtering

Content filtering devices screen out unpleasant and offensive emails or web pages. They are used as part of firewalls in corporations as well as on personal computers. These devices return an "Access Denied" message when someone tries to access an unauthorized web page or email.

Content is usually screened for pornographic material and also for violence- or hate-oriented material. Organizations may also block shopping and job-related content.

Content filtering can be divided into the following categories:

  • Web filtering
      • Screening of Web sites or pages
  • E-mail filtering
      • Screening of e-mail for spam
      • Other objectionable content

Intrusion Detection Systems

Intrusion Detection Systems, also known (when combined with prevention) as Intrusion Detection and Prevention Systems, are appliances that monitor a network for malicious activity, log information about that activity, take steps to stop it, and finally report it.

Intrusion detection systems raise an alarm on malicious activity in the network, drop the offending packets, and reset the connection so that the IP address need not be blocked outright. Intrusion detection systems can also perform the following actions:

  • Correct Cyclic Redundancy Check (CRC) errors
  • Prevent TCP sequencing issues
  • Clean up unwanted transport and network layer options

Intrusion prevention and the firewall are part of Network Threat Protection. Network Threat Protection and Memory Exploit Mitigation are part of Network and Host Exploit Mitigation.

Intrusion prevention automatically detects and blocks network attacks. On Windows computers, intrusion prevention also detects and blocks browser attacks on supported browsers. Intrusion prevention is the second layer of defense, after the firewall, protecting client computers. Intrusion prevention is sometimes called an intrusion prevention system (IPS).

Intrusion prevention intercepts data at the network layer. It uses signatures to scan packets or streams of packets, examining each packet for patterns that correspond to network attacks or browser attacks. Intrusion prevention detects attacks on operating system components and on the application layer.

What is an Intrusion Prevention System (IPS)?

An Intrusion Prevention System (IPS) is a security solution that protects against unauthorized access and malicious activity at the network level. Unlike an Intrusion Detection System, which only monitors network traffic, an Intrusion Prevention System also actively protects against intrusions taking place on the network. The main function of an IPS is to analyze all inbound and outbound network traffic for suspicious activity and to take appropriate action immediately, preventing intruders from entering the internal network.

An IPS offers proactive detection and prevention of unwanted network traffic by stopping it before it reaches its intended victim. When deployed correctly, an IPS immediately drops detected unwanted or malicious packets that could cause severe damage to the network and the resources on it. An IPS is useful against various network attacks such as brute force attacks, Denial of Service (DoS) attacks, and vulnerability detection attempts. It also provides protection against protocol exploits.

An Intrusion Prevention System is known as an active security solution because it does not merely detect potential security threats on the network; it also takes immediate action against them, stopping the current attack and similar attacks the intruders may initiate in future.

The other functions that an Intrusion Prevention System can perform include:

  • Blocks network traffic from the offending source IP addresses
  • Resets the TCP connection
  • Defragments (reassembles) fragmented packet streams
  • Corrects Cyclic Redundancy Check (CRC) errors
  • Checks for TCP sequencing issues
  • Sanitizes unsolicited transport- and network-layer options

How Does an Intrusion Prevention System Work?

An Intrusion Prevention System is considered a more robust solution than an Intrusion Detection System because of its proactive threat detection and prevention capabilities. An IPS works in in-line mode: it contains a sensor located directly in the actual network traffic path, which deeply inspects all traffic as the packets pass through it. In-line mode lets the sensor run in prevention mode, performing real-time packet inspection, so any packet identified as suspicious or malicious is dropped immediately.

An Intrusion Prevention System can perform any of the following actions as it detects any malicious activity in the network:

  • Terminates the TCP session that an outsider is exploiting for the attack. It blocks the offending user account or source IP address that attempts to access the target host, application, or other resources without authorization.
  • As soon as an IPS detects an intrusion event, it can also reconfigure or reprogram the firewall to prevent similar attacks in future.
  • An IPS can also replace or remove the malicious content of an attack. When used as a proxy, an IPS regulates incoming requests: it repackages the payloads and removes the header information that the incoming requests contain. It can also strip infected attachments from an email before the email is delivered to its recipient on the internal network.

An Intrusion Prevention System uses four approaches to secure the network from intrusions:

  • Signature-Based — In the Signature-Based approach, predefined signatures or patterns of well-known network attacks are encoded into the IPS device by its vendor. Observed traffic is compared against these stored patterns to detect an attack. This method is also referred to as the Pattern-Matching approach.
  • Anomaly-Based — In the Anomaly-Based approach, if abnormal behavior or activity is detected in the network, the IPS blocks its access to the target device according to criteria defined by the administrators. This method is also known as the Profile-Based approach.
  • Policy-Based — In the Policy-Based approach, administrators configure security policies into the IPS device according to their network infrastructure and organizational policies. If an activity violates the configured security policies, the IPS triggers an alarm to alert the administrators about the malicious activity.
  • Protocol-Analysis-Based — This approach is similar to the Signature-Based approach. The difference is that Protocol-Analysis-Based detection performs much deeper packet inspection and is therefore more resilient in detecting security threats than plain signature matching.
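The four approaches above differ mainly in what the sensor compares a packet against: a stored byte pattern, a learned baseline, an administrator's policy, or the grammar of the protocol itself. The following toy in-line engine is an added illustration (it is not code from the original page or from any IPS vendor) that runs constructed packets through one check of each kind and returns a verdict. All signatures, the allowed-port policy, the packets-per-second baseline, and the addresses are constructed assumptions chosen for the demonstration; the verdict for a policy violation is an alert rather than a drop, matching the text above.

```python
"""Toy in-line IPS engine: signature, protocol-analysis, policy and anomaly checks.
Added example; not the page's own code. All patterns, thresholds and
addresses are constructed for illustration."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes = b""
    ts: float = 0.0  # arrival time in seconds on a constructed clock


@dataclass(frozen=True)
class Verdict:
    action: str        # "pass", "alert" or "drop"
    approach: str = ""  # which of the four approaches decided
    reason: str = ""


# Signature-based: constructed byte patterns standing in for vendor signatures.
SIGNATURES: Dict[str, bytes] = {
    "sqli-tautology": b"' OR '1'='1",
    "shell-metachar": b";rm -rf ",
}

# Policy-based: constructed organization policy, only these destination ports are permitted.
POLICY_ALLOWED_PORTS = {53, 80, 443}

# Anomaly-based: constructed baseline; more packets than this from one source
# within one second deviates from the profile.
ANOMALY_PPS_THRESHOLD = 20

# Protocol-analysis-based: an HTTP request on port 80 must start with a
# well-formed request line, and its target must stay within a sane length.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")
MAX_REQUEST_TARGET = 1024


class ToyIPS:
    def __init__(self) -> None:
        # Per-source timestamps seen in the last second (anomaly profile state).
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)

    def _signature(self, pkt: Packet) -> Optional[Verdict]:
        for name, pattern in SIGNATURES.items():
            if pattern in pkt.payload:
                return Verdict("drop", "signature", name)
        return None

    def _protocol_analysis(self, pkt: Packet) -> Optional[Verdict]:
        if pkt.dst_port != 80 or not pkt.payload:
            return None
        m = HTTP_REQUEST_LINE.match(pkt.payload)
        if m is None:
            return Verdict("drop", "protocol-analysis", "malformed HTTP request line")
        if len(m.group(2)) > MAX_REQUEST_TARGET:
            return Verdict("drop", "protocol-analysis", "oversized request target")
        return None

    def _policy(self, pkt: Packet) -> Optional[Verdict]:
        if pkt.dst_port not in POLICY_ALLOWED_PORTS:
            return Verdict("alert", "policy", f"port {pkt.dst_port} not permitted")
        return None

    def _anomaly(self, pkt: Packet) -> Optional[Verdict]:
        window = self._recent[pkt.src_ip]
        window.append(pkt.ts)
        while window and pkt.ts - window[0] > 1.0:  # slide the one-second window
            window.popleft()
        if len(window) > ANOMALY_PPS_THRESHOLD:
            return Verdict("drop", "anomaly", f"{len(window)} packets/s from {pkt.src_ip}")
        return None

    def inspect(self, pkt: Packet) -> Verdict:
        # First check that fires decides; the order is a design choice, not a standard.
        for check in (self._signature, self._protocol_analysis, self._policy, self._anomaly):
            verdict = check(pkt)
            if verdict is not None:
                return verdict
        return Verdict("pass")


def demo() -> List[Verdict]:
    """Run constructed packets through the engine and return their verdicts."""
    ips = ToyIPS()
    packets = [
        Packet("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n", 0.0),
        Packet("10.0.0.5", "192.0.2.10", 80, b"GET /login?u=' OR '1'='1 HTTP/1.1\r\n\r\n", 0.1),
        Packet("10.0.0.6", "192.0.2.10", 80, b"GET /" + b"A" * 2000 + b" HTTP/1.1\r\n\r\n", 0.2),
        Packet("10.0.0.6", "192.0.2.10", 80, b"\x16\x03\x01\x00\x00not-http", 0.3),
        Packet("10.0.0.7", "192.0.2.10", 23, b"", 0.4),
    ]
    # A burst of 25 packets from one host within half a second (constructed).
    packets += [Packet("10.0.0.9", "192.0.2.10", 443, b"", 1.0 + i * 0.02) for i in range(25)]
    return [ips.inspect(p) for p in packets]


if __name__ == "__main__":
    for i, v in enumerate(demo()):
        print(i, v.action, v.approach, v.reason)
```

In the demo, the first benign request passes, the second is dropped by the signature check, the oversized and malformed requests are dropped by protocol analysis, the telnet attempt only raises a policy alert, and the burst from one host passes until the 21st packet in the window, after which the anomaly check drops the rest.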

Categories of Intrusion Prevention System

  • Host-Based Intrusion Prevention System (HIPS) — A host-based IPS is a software application installed on specific systems such as servers, notebooks, or desktops. These host-based agents protect only the operating system and the applications running on the hosts where they are installed. A host-based IPS either blocks the attack itself or instructs the operating system or application to stop the activity the attack initiated.
  • Network-Based Intrusion Prevention System (NIPS) — Network-based IPS appliances are deployed in in-line mode at the network perimeter. All incoming and outgoing network traffic that passes through the NIPS is inspected for potential security threats. As soon as the IPS identifies an attack, it blocks or discards the malicious packet to prevent it from reaching its intended target.

A firewall that integrates a network-based IPS contains at least two Network Interface Cards (NICs). One is designated the internal NIC and is connected to the organization's internal network. The other is designated the external NIC and is connected to the external link, which in most cases is the Internet.

As traffic is received on either NIC, it is deeply inspected by the detection engine of the integrated NIPS. If the NIPS identifies a malicious packet, it drops the packet instantly and alerts the network security personnel about the event. After detecting a single malicious packet from a source, it immediately discards all further packets arriving on that particular TCP connection, or blocks the session permanently.
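The behaviour described in the last two paragraphs, and the contrast with a passive IDS drawn earlier on this page, can be shown as a small in-line sensor with two interfaces. The following is an added illustration, not code from the original page or from any firewall product. It assumes a sensor that forwards each packet from the interface it arrived on to the other one, a constructed byte marker standing in for a real signature, and a connection key that covers both directions of a TCP connection so that the victim's replies on a blocked connection are discarded too. In "detect" mode the sensor behaves like the IDS described above (alert and forward); in "prevent" mode it drops the offending packet and every later packet of that connection.

```python
"""In-line two-NIC sensor: passive detect mode versus inline prevent mode.
Added example; not the page's own code. Addresses and the signature marker
are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# A connection key that is the same for both directions of a TCP connection.
Flow = Tuple[Tuple[str, int], Tuple[str, int]]

# Constructed stand-in for a vendor signature.
MALICIOUS_MARKER = b"EXPLOIT-MARKER"


@dataclass(frozen=True)
class Packet:
    iface: str        # "internal" or "external": the NIC the packet arrived on
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""

    def flow(self) -> Flow:
        # Sort the two endpoints so client->server and server->client share one key.
        ends = sorted([(self.src_ip, self.src_port), (self.dst_ip, self.dst_port)])
        return (ends[0], ends[1])


@dataclass(frozen=True)
class Alert:
    flow: Flow
    ingress_iface: str
    action_taken: str  # "dropped" (prevent mode) or "forwarded" (detect mode)


@dataclass
class InlineSensor:
    mode: str = "prevent"                      # "detect" = IDS behaviour, "prevent" = IPS
    blocked_flows: Set[Flow] = field(default_factory=set)
    alerts: List[Alert] = field(default_factory=list)
    forwarded: List[Tuple[str, Packet]] = field(default_factory=list)  # (egress NIC, packet)

    @staticmethod
    def _egress(iface: str) -> str:
        return "external" if iface == "internal" else "internal"

    def process(self, pkt: Packet) -> str:
        """Inspect one packet; return "forwarded" or "dropped"."""
        flow = pkt.flow()
        # A connection already flagged is discarded without further inspection.
        if self.mode == "prevent" and flow in self.blocked_flows:
            return "dropped"
        if MALICIOUS_MARKER in pkt.payload:
            if self.mode == "prevent":
                self.alerts.append(Alert(flow, pkt.iface, "dropped"))
                self.blocked_flows.add(flow)
                return "dropped"
            # Passive mode: raise the alert but let the packet through.
            self.alerts.append(Alert(flow, pkt.iface, "forwarded"))
        self.forwarded.append((self._egress(pkt.iface), pkt))
        return "forwarded"


def run(mode: str) -> Tuple[InlineSensor, List[str]]:
    """Push a constructed attack connection and one unrelated reply through a sensor."""
    sensor = InlineSensor(mode)
    attacker, victim = "198.51.100.7", "10.0.0.20"  # constructed addresses
    attack_conn = [
        Packet("external", attacker, 40001, victim, 80, b"GET /a HTTP/1.1\r\n"),
        Packet("external", attacker, 40001, victim, 80, b"POST /upload EXPLOIT-MARKER"),
        Packet("external", attacker, 40001, victim, 80, b"...more data"),
        Packet("external", attacker, 40001, victim, 80, b"...more data"),
        # The victim's reply on the same connection, arriving on the internal NIC.
        Packet("internal", victim, 80, attacker, 40001, b"HTTP/1.1 200 OK\r\n"),
    ]
    other_conn = [Packet("internal", victim, 80, attacker, 40002, b"HTTP/1.1 200 OK\r\n")]
    results = [sensor.process(p) for p in attack_conn + other_conn]
    return sensor, results


if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        sensor, results = run(mode)
        print(mode, results, "alerts:", len(sensor.alerts))
```

Running both modes on the same traffic shows the difference the page's question is about: the detect-mode sensor forwards all six packets and only records an alert, while the prevent-mode sensor forwards the first request, drops the packet carrying the marker, then discards the rest of that connection in both directions while the unrelated connection still passes.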