In an age where applications are quickly moving to the web, security threats increase the risk of a breach causing economic damage and loss of reputation to businesses.

It is no longer viable to rely on a firewall that shields internal resources from the outside world without knowing and inspecting the traffic that is allowed into the network: attackers take advantage of this by moving up the OSI stack to the layers that first-generation firewalls did not protect.

The OSI model is an abstract definition of layered communication between computers, starting at the bottom with layer 1, the physical wire, and moving up to the 7th layer, the application layer.

The first firewalls on the scene let the network administrator filter up to layers 3 and 4, the Network and Transport layers: for example, restricting access to a server to a given IP address or range of IP addresses, or allowing a web server to be reached only on TCP port 80.
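The following is an added example, not code from the original page or from any vendor product, of what a layer 3/4 packet filter of that generation can and cannot decide. It evaluates first-match rules on source network, protocol and destination port against a handful of constructed packets. The rule set, the addresses (taken from the documentation ranges) and the packets are all assumptions made for illustration. Note that the last packet, a directory-traversal request on port 80, is allowed: the filter never looks at the payload, which is exactly the gap the text says attackers exploit by moving up the stack.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""   # present in the packet, but a L3/L4 filter never reads it


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src_net: str           # CIDR the source address must fall in
    proto: str = "any"     # "tcp", "udp" or "any"
    dport: Optional[int] = None   # destination port, or None for any port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Layer 3/4 match only: source network, protocol, destination port."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src_net, strict=False):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched gets the default action."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed policy: one banned host, then HTTP allowed from a single /24, deny everything else.
WEB_RULES = [
    Rule("deny", "203.0.113.66/32"),
    Rule("allow", "203.0.113.0/24", "tcp", 80),
]

# Constructed sample packets aimed at the web server 198.51.100.10.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "http-from-allowed-range": Packet("203.0.113.5", "198.51.100.10", "tcp", 80, b"GET / HTTP/1.1\r\n"),
    "ssh-from-allowed-range":  Packet("203.0.113.5", "198.51.100.10", "tcp", 22),
    "http-from-other-range":   Packet("192.0.2.77", "198.51.100.10", "tcp", 80, b"GET / HTTP/1.1\r\n"),
    "http-from-banned-host":   Packet("203.0.113.66", "198.51.100.10", "tcp", 80),
    "traversal-on-port-80":    Packet("203.0.113.9", "198.51.100.10", "tcp", 80,
                                      b"GET /../../etc/passwd HTTP/1.0\r\n"),
}


def decisions() -> Dict[str, str]:
    """Returns the filter's verdict for every sample packet."""
    return {name: filter_packet(WEB_RULES, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:25s} -> {verdict}")
```

The traversal request is indistinguishable from a normal page fetch at this layer, so it is allowed; catching it requires the payload inspection the following paragraphs describe.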

Application-aware firewalls soon surfaced, but the horsepower required to break packets down for analysis and reassemble them before forwarding them to their destination was not yet there, so inspection took a big toll on link performance, and even then only a few widely used protocols (HTTP, FTP, etc.) could be inspected.

A different device, the IDS (Intrusion Detection System), was introduced to address this shortfall: rather than filtering traffic itself, it detects malicious attempts to access computer systems.

Later IDS were able to send control signals to firewalls and routers to actively block attacks, and were often used in conjunction with honeypots, decoy systems that draw unauthorized access attempts away from the systems being protected.

Anomaly-based Intrusion Detection Systems (IDS) work by classifying traffic as either normal or anomalous. To build these rules the system must first be taught what normal traffic looks like, using statistical or artificial-intelligence techniques. Once the baseline has been learned, whether with neural networks or by fitting usage of the system to a strict mathematical model, any traffic deviating from the norm is flagged as an attack.

This proved problematic whenever new variables were introduced into the system or network, such as new applications or services: legitimate but unfamiliar traffic was flagged as an attack, and if the IDS pushed that verdict to the firewall the resulting rule change could cause a Denial of Service (DoS) against the organisation's own users. Additionally, the IDS was not in-line with the firewall but out of band, working on a copy of the traffic, so there was always a delay between an attack starting and any block taking effect.

The IDS required two major and critical improvements: moving beyond anomaly detection to add vulnerability-based signatures, and the capability to work at wire speed so that it could be deployed in-line.

Vulnerability-based signatures were a way for security vendors to work proactively with software vendors, finding and patching vulnerabilities before the bad guys did and releasing signature updates that block specific attacks against systems that have not yet been patched. Because such a signature describes the condition that triggers the flaw rather than one particular exploit, it also catches variants of the same attack.
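To make the contrast between the two approaches concrete, here is an added example (not code from the original page or from any vendor product) that runs a minimal anomaly-based detector and a minimal signature-based detector over the same constructed traffic. The anomaly detector learns which destination ports are normal from a training window and flags everything else; the signature detector matches payloads against two hypothetical patterns, a stand-in for real vulnerability-based signatures. The traffic records, the baseline rule, and the signature names are all assumptions made for illustration. The example also simulates the IDS pushing its verdicts to the firewall, showing how a newly deployed legitimate service gets blocked under the anomaly policy while the traversal attack on a known port slips past it.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# A traffic record is (source address, destination port, first bytes of payload).
Record = Tuple[str, int, bytes]

# Constructed "normal" traffic used to learn the baseline: web, TLS and SMTP only.
TRAINING: List[Record] = [
    ("10.0.0.11", 80,  b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    ("10.0.0.12", 443, b"\x16\x03\x01"),               # start of a TLS ClientHello
    ("10.0.0.13", 25,  b"EHLO mail.example\r\n"),
    ("10.0.0.11", 80,  b"GET /about HTTP/1.1\r\nHost: www\r\n\r\n"),
    ("10.0.0.14", 443, b"\x16\x03\x01"),
]

# Constructed traffic to classify after training.
EVALUATION: Dict[str, Record] = {
    "normal":         ("10.0.0.11", 80,   b"GET /news HTTP/1.1\r\nHost: www\r\n\r\n"),
    "new-service":    ("10.0.0.20", 8443, b"\x16\x03\x01"),   # legitimate admin UI deployed today
    "traversal":      ("10.0.0.31", 80,   b"GET /../../../etc/passwd HTTP/1.0\r\n\r\n"),
    "new-port-probe": ("10.0.0.40", 3389, b"\x03\x00\x00\x13"),
}


class AnomalyDetector:
    """Learns the set of destination ports seen during training and flags
    anything else. A deliberately simple stand-in for the statistical or
    neural-network profiling the text describes."""

    def __init__(self) -> None:
        self.baseline: Set[int] = set()

    def train(self, records: List[Record]) -> None:
        self.baseline = set(Counter(port for _, port, _ in records))

    def is_attack(self, record: Record) -> bool:
        _, port, _ = record
        return port not in self.baseline


# Hypothetical vulnerability-based signatures: (name, pattern over the payload).
SIGNATURES = [
    ("http-path-traversal", re.compile(rb"\.\./")),
    ("http-overlong-uri",   re.compile(rb"^(?:GET|POST) /\S{512,}")),
]


class SignatureDetector:
    """Matches the payload against known-bad patterns; needs no training."""

    def is_attack(self, record: Record) -> Optional[str]:
        _, _, payload = record
        for name, pattern in SIGNATURES:
            if pattern.search(payload):
                return name
        return None


def run_comparison() -> Dict[str, Tuple[bool, Optional[str]]]:
    """Returns {label: (flagged by anomaly detector, signature name or None)}."""
    anomaly = AnomalyDetector()
    anomaly.train(TRAINING)
    signature = SignatureDetector()
    return {
        label: (anomaly.is_attack(rec), signature.is_attack(rec))
        for label, rec in EVALUATION.items()
    }


def hosts_blocked(policy: str) -> Set[str]:
    """Simulates an IDS that pushes its verdicts to the firewall as block rules.
    policy is 'anomaly' or 'signature'."""
    blocked: Set[str] = set()
    for label, (is_anomaly, sig) in run_comparison().items():
        src = EVALUATION[label][0]
        if (policy == "anomaly" and is_anomaly) or (policy == "signature" and sig):
            blocked.add(src)
    return blocked


if __name__ == "__main__":
    for label, (is_anomaly, sig) in run_comparison().items():
        print(f"{label:15s} anomaly={is_anomaly!s:5s} signature={sig}")
    print("anomaly policy blocks:  ", sorted(hosts_blocked("anomaly")))
    print("signature policy blocks:", sorted(hosts_blocked("signature")))
```

Under the anomaly policy the host running the new admin UI is cut off even though nothing is wrong with it (the self-inflicted DoS the text warns about), while the traversal request is never flagged because port 80 is in the baseline. The signature policy blocks only the host sending the attack, which is why in-line blocking became practical once vulnerability-based signatures were available.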

Sekiur provides consulting through partnerships with the leading players in this market segment, providing design, installation, configuration and troubleshooting services to our clients.