Exam objectives SY0-501

2.1 Install and configure network components to support organizational security

May 28, 2020 08:20

Firewall

A firewall is a network device used to filter traffic between two or more networks, or between a network and a host. The first kind is also called a network firewall. It is generally a dedicated physical device (although it can also be software installed on a general-purpose PC) with physical cables attached to it; each cable eventually connects to the devices in one or more subnets. The firewall states which traffic (for example DNS or HTTP traffic) may be forwarded to which network, or to which device of which network. This control is done for security purposes. The second kind of firewall, which filters traffic between a network and a host, is called a host-based firewall. It is a software firewall installed on a host with the purpose of providing an additional layer of security (defense in depth). Example: Windows Firewall and iptables are two host-based firewalls available for Windows and Linux systems respectively.

  • ACL (Access Control List)

    An ACL is a set of rules that states which packets are allowed into, out of, or through a firewall. Each entry in the ACL matches a given pattern of traffic and its direction, and finally tells whether or not such traffic should be allowed. An ACL may filter traffic based on IP addresses or subnets, ports, protocols and direction of traffic. Example: a rule in the ACL may allow traffic routed through the firewall from network 192.168.1.0/24 on interface eth1 to network 171.23.0.0/16 on interface eth2. Or, a rule may deny all DNS traffic from any host to any other host except the DNS server. Note: ACLs are implemented in routers too. In the context of routers, the focus shifts towards routing (that is, how to connect distinct networks) rather than security.

  • Application-based vs. network-based

    An application firewall is a firewall specifically designed to protect an application. It has two distinguishing features. First, it is able to inspect the traffic at all 7 layers of the ISO/OSI stack, effectively filtering traffic at the application layer; neither stateless nor stateful packet-filtering firewalls do this. Second, it may also monitor, and possibly block, system calls if they don't satisfy the policy. An application firewall is generally host-based, meaning that it is installed on a device (like a web server). Network-based firewalls, instead, are physical devices with more than one network interface whose function is to monitor and filter traffic between different networks.

  • Stateful vs. stateless

    A stateless firewall allows or denies each packet based only on the rules in the ACL. On the contrary, a stateful firewall records the state of the established connections. Every time it receives a new packet, it is able to check whether or not that packet belongs to an on-going connection. Example: a TCP packet which does not belong to an established connection will be dropped by a stateful firewall, while a stateless firewall won't perform this check and will only look at the ACL.

  • Implicit deny

    Implicit deny is an important security concept for ACLs. It may be implemented both in routers and firewalls. It states that if a packet does not match any rule in the ACL, then that packet should be discarded. When this catch-all deny is written out explicitly, it is the last rule of the ACL.
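    The ACL, stateful-vs-stateless and implicit-deny bullets above, as an added Python example that is not part of these notes: an ordered ACL in the spirit of the two example rules (the internal DNS server address 192.168.1.53 and the interface names beyond eth1/eth2 are assumptions), a stateless first-match evaluator with implicit deny, and a stateful wrapper that lets reply packets of an accepted TCP connection through without a rule of their own.

```python
from ipaddress import ip_address, ip_network

# Constructed ACL in the spirit of the examples above (not from the notes).
# Ordered rules, first match wins; a packet matching no rule hits the
# implicit deny. Fields: action, protocol, source net, destination net,
# destination port, ingress interface, egress interface. None means "any".
ACL = [
    # DNS is allowed only towards the (assumed) internal DNS server ...
    ("allow", "udp", "0.0.0.0/0", "192.168.1.53/32", 53, None, None),
    # ... and every other DNS request is denied.
    ("deny", "udp", "0.0.0.0/0", "0.0.0.0/0", 53, None, None),
    # Traffic routed from 192.168.1.0/24 on eth1 to 171.23.0.0/16 on eth2.
    ("allow", None, "192.168.1.0/24", "171.23.0.0/16", None, "eth1", "eth2"),
]

def acl_verdict(pkt, acl=ACL):
    """Stateless check: return (action, index of the matching rule)."""
    for i, (action, proto, src, dst, dport, ingress, egress) in enumerate(acl):
        if proto is not None and pkt["proto"] != proto:
            continue
        if ip_address(pkt["src"]) not in ip_network(src):
            continue
        if ip_address(pkt["dst"]) not in ip_network(dst):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        if ingress is not None and pkt["in"] != ingress:
            continue
        if egress is not None and pkt["out"] != egress:
            continue
        return action, i
    return "deny", None  # implicit deny: no rule matched

class StatefulFirewall:
    """The same ACL plus a table of established TCP connections."""
    def __init__(self, acl=ACL):
        self.acl = acl
        self.connections = set()  # (proto, src, sport, dst, dport) of accepted flows

    def filter(self, pkt):
        flow = (pkt["proto"], pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"))
        reverse = (pkt["proto"], pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport"))
        if pkt["proto"] == "tcp":
            if flow in self.connections or reverse in self.connections:
                return "allow"  # part of a tracked connection: no ACL lookup needed
            if not pkt.get("syn"):
                return "deny"  # mid-stream packet of a connection we never saw
        action, _ = acl_verdict(pkt, self.acl)  # a new connection must pass the ACL
        if action == "allow" and pkt["proto"] == "tcp":
            self.connections.add(flow)
        return action
```

    The reply from 171.23.0.0/16 back to the internal host matches no rule, so the stateless evaluator drops it under implicit deny, while the stateful firewall accepts it because the outgoing connection was already recorded.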

VPN concentrator

A VPN concentrator is a device used to create a VPN (virtual private network). A VPN is a way to join distinct private networks separated by the Internet into a single virtual network. This way, each device in any of the private networks sees any other device in any other private network as belonging to the same local area network. This is made possible by VPN concentrators, which take care of encrypting traffic before sending it into the Internet and decrypting traffic when receiving packets from the Internet. Thus, VPN concentrators should have a public IP to be reachable on the Internet.

  • Remote access vs. site-to-site

    In remote access, the user wants to use their device (laptop, smartphone, ...) to join the corporate network via a VPN. The user has software installed on the device which is capable of creating suitable VPN traffic. This traffic is sent to the VPN concentrator, which is exposed on the Internet. The concentrator decrypts the traffic and routes it to the proper destination, possibly sending the encrypted response back to the user.

    In a site-to-site configuration, two corporate networks have to be joined into a single, virtual network. However, the two networks are geographically separated, and packets from one to the other travel over the Internet. The solution is to employ one VPN concentrator per network, and to delegate the duty of encrypting/decrypting traffic to/from the Internet to these concentrators. The net result is that each user in either network sees the devices of the other network as belonging to the same LAN.

  • IPSec

    IPSec (Internet Protocol security) is a security protocol working at the Network layer of the ISO/OSI stack, designed to provide security services (authentication, integrity and encryption) for IP traffic.

  • Tunnel mode

    IPsec encrypts the whole IP packet when used in tunnel mode. The original packet is encrypted, inserted as the payload of a tunneling protocol like L2TP, and then the whole packet is sent over the Internet. This way, neither the payload nor the header of the original IP packet is disclosed during transmission through the public network.

  • Transport mode

    Transport mode is used when the destination host belongs to the same LAN. Since the packet does not cross the Internet, there is no need to encrypt the header to hide internal IP addresses: in this mode, only the payload of the IP packet is encrypted. Transport mode is used in private networks but (usually) not with VPNs.

  • AH (Authentication Header)

    AH is an IPsec protocol that provides authenticity and integrity for IP traffic. It is identified by protocol number 51.

  • ESP (Encapsulating Security Payload)

    ESP is an IPsec protocol that provides confidentiality for IP traffic by encrypting the whole IP packet. ESP includes AH to provide authentication, integrity and confidentiality. It is identified by protocol number 50.

  • Split tunnel vs. full tunnel

    When a user configures the use of a VPN on their device, their traffic passes through the configured VPN gateway. In a split tunnel, only the VPN traffic passes through the VPN gateway. This means that if a user visits Google, the request is sent directly to Google without passing through the VPN. In a full tunnel, instead, all IP traffic passes through the VPN gateway. This means that if a user visits Google, the request is sent to the VPN gateway and then routed to Google.

  • TLS

    The alternative to IPsec VPNs are TLS VPNs. They use TLS to encrypt traffic and run on port 443 (good for firewalls: there is no need to open other ports or allow other protocol numbers). Example: a VPN protocol using TLS is SSTP (Secure Socket Tunneling Protocol). A well-known TLS VPN implementation is OpenVPN.

  • Always-on VPN

    In an always-on VPN, the user device is configured to automatically connect to the corporate VPN as soon as it finds an Internet connection.

  • Extra

    ISAKMP (Internet Security Association and Key Management Protocol) is a framework used to negotiate a security association (SA) between two parties. The SA states which cryptographic algorithms and security keys should be used for the authentication. ISAKMP may use the IKE (Internet Key Exchange) protocol to negotiate the SA between hosts. IKE uses protocol number 500.
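    The tunnel mode, transport mode and AH bullets above, as an added Python example that is not part of these notes: it models what an observer on the public network sees in each ESP mode (in tunnel mode only the two gateway addresses, in transport mode the original addresses with a hidden payload) and an AH-style integrity check that catches a rewritten address. The cipher is an HMAC-based keystream standing in for ESP's real algorithms, and the gateway and host addresses are assumed values from documentation ranges.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class IPPacket:
    src: str        # source IP address
    dst: str        # destination IP address
    payload: bytes  # transport-layer data

def _xor_stream(key, nonce, data):
    """Stand-in for ESP's cipher (not real ESP): HMAC-SHA256 keystream in counter
    mode XORed with the data. Calling it twice with the same key/nonce decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def esp_send(pkt, key, mode, gw_src=None, gw_dst=None, nonce=None):
    """Return what an observer on the public network sees in the given mode."""
    nonce = nonce or os.urandom(8)
    if mode == "tunnel":
        # The whole original packet (header included) is encrypted and becomes the
        # payload of a new packet whose header names only the two VPN gateways.
        inner = f"{pkt.src}>{pkt.dst}|".encode() + pkt.payload
        return {"src": gw_src, "dst": gw_dst, "nonce": nonce,
                "esp": _xor_stream(key, nonce, inner)}
    # Transport mode: the original header stays visible, only the payload is hidden.
    return {"src": pkt.src, "dst": pkt.dst, "nonce": nonce,
            "esp": _xor_stream(key, nonce, pkt.payload)}

def esp_receive(wire, key, mode):
    """Undo esp_send at the receiving gateway (tunnel) or host (transport)."""
    clear = _xor_stream(key, wire["nonce"], wire["esp"])
    if mode == "tunnel":
        header, payload = clear.split(b"|", 1)
        src, dst = header.decode().split(">")
        return IPPacket(src, dst, payload)
    return IPPacket(wire["src"], wire["dst"], clear)

def ah_icv(pkt, key):
    """AH-style integrity check value: an HMAC that also covers the IP addresses,
    so a rewritten source or destination is detected at the receiver."""
    return hmac.new(key, f"{pkt.src}>{pkt.dst}|".encode() + pkt.payload,
                    hashlib.sha256).digest()

def ah_verify(pkt, icv, key):
    return hmac.compare_digest(ah_icv(pkt, key), icv)
```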

NIPS/NIDS

A NIPS (Network Intrusion Prevention System) is a network device that analyzes the traffic passing through itself and blocks malicious traffic, thus preventing attacks from succeeding. A NIDS (Network Intrusion Detection System) is a network device that analyzes the traffic collected from sensors placed inside the network, with the goal of detecting and signaling on-going attacks.

  • Signature-based

    Signature-based NIPS/NIDS analyze the traffic and match it against a database of known network attack patterns. If the current traffic matches an entry in the signature database, then there is an on-going attack. The drawback is that attacks not in the database (like a zero-day) are never caught.

  • Heuristic/behavioral

    Heuristic/behavioural-based NIPS/NIDS analyze the 'normal' traffic pattern to create a baseline. Then, they monitor the traffic and continuously compare it with the baseline (which may change over time). If at some point the traffic shows a significant difference with respect to the baseline, then the NIPS/NIDS signals the event (in the case of a NIPS, it can also block some traffic).

  • Anomaly

    Anomaly-based NIPS/NIDS work in the same way as heuristic/behavioural-based NIPS/NIDS: they identify a 'normal' traffic baseline, monitor the traffic and react when there is an anomaly with respect to the baseline.

  • Inline vs. passive

    A NIPS is inline, meaning that all network traffic physically passes through it, entering on one (or more) NIC and exiting from one (or more) NIC. This way, the NIPS is able to block the attack: if it drops malicious traffic, that traffic cannot take another path to the target network. A NIDS is instead an out-of-band, or passive, device. That means that the traffic does not flow through the NIDS, so the NIDS cannot block an on-going attack. The NIDS analyzes the traffic that it receives from the sensors deployed in the network, or perhaps from a mirror port, but the point is that a NIDS is a normal host of the network (like a PC or a smartphone is), and so it is passive because it can only watch an attack happen.

  • In-band vs. out-of-band

    See the previous topic: a NIPS is an in-band device, while a NIDS is an out-of-band device.

  • Rules

    A NIPS/NIDS generally allows the specification of rules. If some traffic matches a rule, then the corresponding action is performed; for example, an alert is produced. Rules are different from signatures, because they are not necessarily related to known exploits. In fact, a good rule may also block a 0-day vulnerability exploit.

  • Analytics

    The output of a NIPS/NIDS should be properly interpreted, because it can generate false positives and false negatives.

  • False positive

    A false positive happens when a NIPS/NIDS signals an attack that did not take place.

  • False negative

    A false negative happens when a NIPS/NIDS fails to block/signal an actual attack.
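    The signature-based, heuristic/anomaly and false positive/negative bullets above, as an added Python example that is not part of these notes: a signature matcher and a baseline-based anomaly detector run over a handful of constructed flow records, scored against constructed ground truth so that one false positive (a large but legitimate download) and one false negative (a novel attack with no signature and a normal size) show up in the counts. The signatures, flows and byte counts are all made up for the example.

```python
import re
from statistics import mean, pstdev

# Constructed data (not real traffic): bytes per flow observed during normal
# operation, used to build the baseline of a behavioural/anomaly detector.
BASELINE = [1200, 1500, 900, 1300, 1100, 1400, 1000, 1250]

# Constructed flows to inspect. "attack" is the ground truth, used only to
# score the detector; a real sensor never has that label.
FLOWS = [
    {"src": "192.168.1.10", "bytes": 1300, "attack": False,
     "payload": "GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0"},
    {"src": "203.0.113.7", "bytes": 800, "attack": True,
     "payload": "GET /../../secret.txt HTTP/1.1\r\nUser-Agent: curl/7.0"},
    {"src": "203.0.113.8", "bytes": 600, "attack": True,
     "payload": "GET / HTTP/1.1\r\nUser-Agent: constructed-scanner/1.0"},
    {"src": "192.168.1.22", "bytes": 45000, "attack": False,  # big legitimate download
     "payload": "GET /report.pdf HTTP/1.1\r\nUser-Agent: Mozilla/5.0"},
    {"src": "203.0.113.9", "bytes": 1200, "attack": True,  # novel attack, normal size
     "payload": "POST /upload HTTP/1.1\r\nUser-Agent: Mozilla/5.0"},
]

# Signature database: patterns of known attacks (constructed examples).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "known-scanner-ua": re.compile(r"User-Agent: constructed-scanner/"),
}

def signature_alerts(flow):
    """Signature-based detection: names of the signatures the flow matches."""
    return [name for name, pat in SIGNATURES.items() if pat.search(flow["payload"])]

def anomaly_threshold(baseline, k=3):
    """Behavioural baseline: anything more than k standard deviations above the
    mean flow size is treated as an anomaly."""
    return mean(baseline) + k * pstdev(baseline)

def anomaly_alert(flow, threshold):
    return flow["bytes"] > threshold

def score(flows, baseline):
    """Run both detectors and count true/false positives and false negatives."""
    threshold = anomaly_threshold(baseline)
    counts = {"tp": 0, "fp": 0, "fn": 0}
    for flow in flows:
        alerted = bool(signature_alerts(flow)) or anomaly_alert(flow, threshold)
        if alerted and flow["attack"]:
            counts["tp"] += 1
        elif alerted:
            counts["fp"] += 1  # alert without an attack
        elif flow["attack"]:
            counts["fn"] += 1  # attack with no alert
    return counts
```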

Router

A router is a network device that operates at layer 3 of the ISO/OSI stack (the network layer of the TCP/IP stack) and is used to connect distinct networks. It may join IP networks using different physical media. Sometimes it is used to split a big network into two or more smaller networks, thus decreasing the size of the broadcast domains of the various networks and lowering the traffic inside each network.

  • ACLs

    A router uses an ACL to state which packets should be allowed and which denied. In this regard, it is similar to a firewall, although the main focus of a router is routing traffic among distinct networks, while the main focus of a firewall is filtering. ACLs generally allow specifying rules based on the protocol (IP, TCP, UDP, HTTP, ...), the source host or network, the destination host or network, the source port and the destination port.

  • Antispoofing

    Spoofing is the practice where an attacker carries out a network attack using a fake address. In the context of routing, we are talking about IP addresses. A router has two or more NICs (network interface cards), each one connected to a distinct network. Antispoofing is the process of defining which addresses are considered valid source addresses for the networks connected to each NIC. As an example, a packet coming from the Internet with a private IP address is certainly a packet with a spoofed source address, and so it should be dropped.
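    The antispoofing bullet above, as an added Python example that is not part of these notes: it builds per-interface ingress filters from a constructed topology (eth0 facing the Internet, eth1 and eth2 each serving one internal network; the interface names and prefixes are assumptions), so that a private or internal source address arriving from the Internet side, or a source address that does not belong to an internal interface's own network, is dropped.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (not from the notes): eth0 faces the Internet and each
# other interface connects exactly one internal network.
INTERNAL = {"eth1": ["192.168.1.0/24"], "eth2": ["10.10.0.0/16"]}
# RFC 1918 private ranges plus loopback: never valid sources on the Internet side.
PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]

def build_ingress_filters(internal, internet_iface="eth0"):
    """Per-interface ordered (action, network) rules checked against the SOURCE
    address of incoming packets; first match wins, no match means drop."""
    filters = {}
    for iface, nets in internal.items():
        # An internal interface may only originate packets from its own prefixes.
        filters[iface] = [("accept", ip_network(n)) for n in nets]
    # On the Internet side, private ranges and our own internal prefixes are
    # impossible as sources; anything else is accepted.
    bogus = PRIVATE + [n for nets in internal.values() for n in nets]
    filters[internet_iface] = [("drop", ip_network(n)) for n in bogus]
    filters[internet_iface].append(("accept", ip_network("0.0.0.0/0")))
    return filters

def antispoof_verdict(filters, iface, src):
    """'accept' or 'drop' for a packet with source src arriving on iface."""
    addr = ip_address(src)
    for action, net in filters[iface]:
        if addr in net:
            return action
    return "drop"  # implicit deny, as in any ACL
```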

Switch

A switch is a device operating at layer 2 of the ISO/OSI stack (data link layer), and it is used to directly connect devices belonging to the same network to each other. It forwards frames based on the destination MAC address of the frame and automatically learns which devices are attached to its ports by looking at the source address of the MAC frames. A switch has several ports and each network host is connected to a distinct port of the switch, so that its traffic cannot be intercepted by the devices connected to other ports of the switch.

  • Port security

    Port security is implemented by means of techniques like disabling unused switch ports and allowing access to a switch port only to devices with a given MAC address. The goal is to prevent unauthorized devices from connecting to the switch, and thus to the network.

  • Layer 2 vs. Layer 3

    A traditional switch operates at layer 2 of the ISO/OSI stack (data link layer) and forwards traffic based on the destination MAC address. In particular, broadcast frames are delivered to all the hosts attached to the switch. It may be the case that hosts should be gathered in different groups, and each group shouldn't receive the broadcast traffic of the other group. As an example, we might want to group HVAC devices in one network and the other devices (PCs, smartphones, printers, ...) in another network. This may be done by creating two LANs: we attach each group of devices to a distinct switch, and then connect the two switches to a router. Or we could simply use a Layer-3 switch, which allows defining VLANs (virtual LANs). No additional switch or router is involved with this solution, the broadcast traffic is still segregated (into the VLANs), and we gain a lot of flexibility, because we can move devices between LANs by simply acting on the switch console (perhaps a web GUI) and we are not constrained by physical criteria when creating these (virtual) LANs.

  • Loop prevention

    Switches are vulnerable to loops. A loop happens, for instance, when two switches are connected by more than one cable. In this case a frame sent from one switch to the other would travel along the loop without exiting, thus degrading the performance of the network. With a lot of frames doing this, the network would become unavailable. That's why switches implement loop prevention techniques. One loop prevention technique is STP (Spanning Tree Protocol), a distributed protocol jointly run by the switches in a network that allows the switches to identify loops and to avoid them by disabling the switch ports corresponding to the loops.

  • Flood guard

    In a MAC flood attack, the attacker is connected to a port of the switch and floods it with frames having spoofed source MAC addresses. Since the switch has to remember which port each device is attached to, or it won't be able to deliver frames, it has to store all the spoofed MAC addresses (which it believes legitimate) in memory. At some point it will exhaust its memory and won't be able to add any other MAC address-port entry. At this point the only way to deliver frames to the recipient is to broadcast each frame to all ports. This is exactly what the attacker hoped for, since now she is able to receive traffic which is directed to other devices. Switches protect against this attack by means of flood guards: a switch will store up to a maximum number of MAC address-port entries for each port, thus not incurring memory exhaustion and not behaving like a simple hub. Note: a switch could send an SNMP trap in response to a MAC flood alert, and it could also disable the attacked port.
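    The flood guard bullet above, as an added Python example that is not part of these notes: a constructed model of a switch's MAC address table shows the failure mode (once the table is full, an unknown destination is flooded to every port like a hub) and the mitigation (a per-port limit that shuts the offending port and fires a callback standing in for the SNMP trap). The table size, port numbers and MAC addresses are all made up for the example.

```python
from collections import OrderedDict

class Switch:
    """Constructed model (not a real switch) of the MAC address table and of a
    per-port limit on learned addresses, i.e. a flood guard / port security."""
    def __init__(self, ports, table_size, max_macs_per_port=None, on_violation=None):
        self.ports = set(ports)
        self.table_size = table_size          # total entries the table can hold
        self.max_per_port = max_macs_per_port # None = no flood guard
        self.on_violation = on_violation      # callback, e.g. to send an SNMP trap
        self.table = OrderedDict()            # MAC address -> port
        self.disabled = set()                 # ports shut down after a violation

    def learn(self, port, src_mac):
        """Remember that src_mac lives behind port; False if learning was refused."""
        if port in self.disabled:
            return False
        if src_mac in self.table:
            self.table.move_to_end(src_mac)  # refresh an existing entry
            return True
        if self.max_per_port is not None:
            on_port = sum(1 for p in self.table.values() if p == port)
            if on_port >= self.max_per_port:
                # Flood guard: too many addresses on one port, shut it and notify.
                self.disabled.add(port)
                if self.on_violation:
                    self.on_violation(port, src_mac)
                return False
        if len(self.table) >= self.table_size:
            return False  # table exhausted: nothing more can be learned
        self.table[src_mac] = port
        return True

    def forward(self, port, src_mac, dst_mac):
        """Set of ports a frame received on port is sent out of."""
        if port in self.disabled:
            return set()
        self.learn(port, src_mac)
        if dst_mac in self.table:
            return {self.table[dst_mac]}
        # Unknown destination: flood to every other port, exactly like a hub.
        return self.ports - {port}
```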

Proxy

Proxy servers are placed between a client and a server for security or performance reasons.

  • Forward and reverse proxy

    A forward proxy server typically takes the requests from a client inside a private network and forwards them to a server on the public Internet. It can improve latency by caching web pages and directly serving them to the requesting users. It can also restrict the requests that are allowed to pass by inspecting them. A reverse proxy server is placed inside a private network (typically in the DMZ) and intercepts the requests originated by a client and (usually) directed to a web server. A reverse proxy server may reduce latency by serving clients cached versions of the pages returned by the web server. It can also act as a load balancer: if there is a cluster of web servers, it may schedule the requests across the web servers in order to evenly distribute the load.

  • Transparent

    A transparent proxy forwards and returns requests without inspecting them. A non-transparent proxy inspects the received requests and can also block them if they do not adhere to a policy. As an example, it could be configured with URL filters to discard the requests made towards forbidden websites.

  • Application/multipurpose

    An application proxy provides proxy services for a specific application and works at the application layer of the TCP/IP protocol stack. Example: an HTTP proxy. A multipurpose proxy provides proxy services for several application-level protocols, like HTTP, HTTPS, FTP, ...

Load balancer

  • Scheduling
  • Affinity
  • Round-robin
  • Active-passive
  • Active-active
  • Virtual IPs

Access point

  • SSID
  • MAC filtering
  • Signal strength
  • Band selection/width
  • Antenna types and placement
  • Fat vs. thin
  • Controller-based vs. standalone

SIEM

  • Aggregation
  • Correlation
  • Automated alerting and triggers
  • Time synchronization
  • Event deduplication
  • Logs/WORM

DLP

  • USB blocking
  • Cloud-based
  • Email

NAC

  • Dissolvable vs. permanent
  • Host health checks
  • Agent vs. agentless

Mail gateway

  • Spam filter
  • DLP
  • Encryption

Bridge

SSL/TLS accelerators

SSL decryptors

Media gateway

Hardware security module