Hello everyone and welcome to my channel. My name is Dr Karachi, and in this video we're gonna talk about network protection systems. By the end of this module you should be able to explain how routers are used as network protection systems, describe firewall technology and what type of tools to use to configure firewalls and routers, describe intrusion detection and prevention systems, web filtering technology and other technologies, and explain the purpose of honeypots.

Now first of all, anytime we talk about a network protection system, I mean this could be a device or a system designed to protect the network. The first one I want to discuss is the unified threat management device. If you look at this picture here, this is called a UTM. It contains different types of network protection functions, like a firewall, IDS, IPS, VPN, anti-malware, anti-spyware, content filtering, DLP, email and spam filtering, web application firewall, load balancing, and these are the names of very well-known companies who manufacture and sell this type of solution. So basically this is just a single device with multiple features in it. Now what is the advantage? From a management perspective it kind of simplifies your work: having a single device or solution for multiple security functions simplifies your work on policy enforcement. It reduces complexity. Why? Because simply I have a smaller number of devices and software solutions that I need to maintain, leading to fewer compatibility issues and integration challenges, especially if you have multiple servers out there in your data center. Cost efficiency: UTMs often prove very cost effective compared to purchasing, installing and maintaining multiple stand-alone security solutions. Also it can add layered security by integrating multiple functions, like the ones you see on screen, that's multiple functions of security, in depth.

However, you need to be aware of the disadvantages. The potential single point of failure, of course: we have centralized multiple security functions into one solution, which means if this device you see here goes down for some reason, multiple security functionalities might be compromised at the same time, immediately. This can leave your network vulnerable to attacks. Performance issues: this type of device handles many types of network functions at the same time, which can lead to performance bottlenecks, especially during peak loads or when performing resource-intensive tasks like deep packet inspection. Depth versus breadth: while UTMs offer a wide range of security functions, they might not provide the depth of protection or specialized features of a standalone product that you go and buy; for example, a standalone IPS might offer deeper inspection and finer-grained controls than the IPS feature built into the UTM device. Complexity, that's another issue. We know that UTMs try to reduce complexity by combining different functions, but they can be complex to configure and fine-tune, and remember, any misconfiguration can potentially lead to security issues. Upgrade challenges: upgrading a UTM device, whether for capacity, new features or improved performance, often requires replacing the entire appliance; think about the cost. Vendor lock-in, that's another issue you need to consider. Lock-in means limited flexibility, making it challenging to integrate other solutions or even to switch vendors in the future; that's a major issue for companies. It could have limited scalability: as an organization grows, its traffic and security needs might exceed the capabilities of the current UTM appliance, and scaling up might then require a complete replacement or the addition of separate devices, which somehow could defeat the purpose of a unified solution. And finally, false positives and false negatives: given the depth of the threats the UTM is used to detect, there can be cases where legitimate traffic is flagged (a false positive) or malicious traffic is overlooked (a false negative), and that is a security problem. These are things you need to be aware of before making a decision. So before investing in any type of system you need to do a comprehensive needs and performance assessment of your organization, because this is very important, and you need to evaluate these devices in terms of scalability, depth of protection and, very important, vendor reputation: talk, ask, search about their reputation and their support. Also consider the cost implications and potential vendor lock-in; these are very important. Look for a solution that offers customization, easy integration and frequent updates.

Now let's talk about routers. Routers are hardware devices whose purpose is to send packets to different network segments, and also to reduce broadcast traffic passing over the network, and they will choose the best path for moving packets. We're not going to go in depth into routing protocols, because obviously this is not a Cisco course, but I just want to give you a quick idea of what routing protocols are: these are algorithms used by routers to determine the best path for data transfer from one network to another network. Now the choice between any one of these three you see on the screen depends on the specific requirements of your network, like size, desired speed of convergence, and the need for policy-based routing decisions. So let's look at the first one, link-state routing protocols, like OSPF (Open Shortest Path First) and IS-IS. The link-state
protocols rely on routers sharing link states to map the network, ensuring quick convergence and reduced loop risks. Then the distance-vector routing protocols: these routers pass their routing tables to neighboring routers on the network. A good example is RIP. This type of protocol uses distance metrics like hops to determine the path, sharing the routing tables with the neighbors; however, they can suffer from longer convergence times and potential loops. The last one is the path-vector routing protocols. They use dynamically updated paths or routing tables to transmit packets from one autonomous network to another. A good example is the Border Gateway Protocol; that's a very well-known path-vector protocol, primarily used for routing between different autonomous systems on the internet.

Now of course a Cisco router, like any other hardware device, has ROM, it has firmware; this stuff we don't need to discuss, but we're going to focus on important things like interfaces. A Cisco router has different types of interface components, like Ethernet, serial and console interfaces. Then the basic Cisco commands: these are the things we're going to cover, and I believe a security professional should be aware of these basic Cisco commands to view information about the Cisco router components. Simply, once you log into the router, you need to type show running-config. Now, this one you see here, Router, refers to the device host name, followed by the prompt, the hash symbol. The hash symbol indicates that the user is in privileged EXEC mode, which allows access to a lot of commands, including those that can display and even modify the device configuration. Now show is the primary command used to display different pieces of information about the device, and running-config here basically tells the show command to display the active information, the running configuration, of the Cisco router.

Now there are two different configuration modes: we have the user mode and the privileged mode. The user mode basically allows the administrator to do just basic troubleshooting tests; if you look into the router you should see it in this form, you just have the computer name there followed by the prompt symbol. When you first log into a router you'll be in the user mode by default; you can do ping, traceroute, telnet and very simple commands. However, if you want to do more and do full router configuration tasks, you need to go into the privileged mode, which you can see here on the screen as Router#; the hash sign means you are in privileged mode. Now there are many types of commands you can run, like show running-config, write memory, copy running-config, and so on; all these run in privileged mode, and more. Now there are more modes to configure the router within privileged mode; that's something to keep in mind. The first one is the global configuration mode. Basically the administrator can configure router settings that affect overall router operation, and it will look like this: Router(config)#. This access level, this mode, allows you to make changes that impact the router's overall operation; that's why it's called global configuration mode. Next, the interface configuration mode: this is where you start focusing on configuring a very specific interface on the router, like the serial port (remember we talked about serial ports, Ethernet and so on), and the prompt will look like this: Router(config-if)#. So like I said, this mode is used to configure individual interfaces, whether they are physical, like Ethernet or serial ports, or virtual.

Now if you look here, these are just a quick summary of the different types of modes and commands and the prompts, and I think it's a good idea for you to become familiar with them. Like show version over here, that displays the router's version information including the IOS version number; you want to know if it's updated or not. show ip route can be run by a privileged or normal user; that displays the routing table. So here you can see which mode can run certain things and which mode cannot, like here you see privileged or user for show flash. Now for running this command you have to be in privileged mode, because you are displaying the current running router configuration file. And on this page here we can see that the only commands we're seeing are run in privileged mode, like show startup-config, which displays the contents of NVRAM, and that's how this will look: global configuration, privileged, configure terminal, which enables you to change configuration settings that affect overall router operation, and here we also have another type of configuration mode prompt. So it's a good idea to become familiar with these types of commands I just mentioned.

Now let's talk about using access control lists. There are many different types of access control lists; you can see them in Windows and Linux and so on, but right now we'll be focusing only on Cisco. This section talks about IP access lists, where you could have a list of IP addresses, subnets or networks that are allowed or denied access through a router interface. Now the administrator can create two types of access lists: the standard one and the extended one. So let's discuss briefly the difference between the standard and the extended. If you look here, the standard IP access list filters traffic solely based on the source IP address, very basic. They are used only when the source
IP address of the traffic needs to be considered for permitting or denying traffic. If I look at this command line over here, this line of the ACL denies all traffic originating from IP addresses in the range of this network here, like you see right here, and this is the network; so here I'm denying that, and other than this, permit any. Number one, by the way, here in this case this is a standard IP access list, which is in the range of 1 to 99; 1 to 99 is reserved for standard ACLs in Cisco IOS. Remember, standard ACLs only evaluate the source IP address, and here of course is the IP address range we're talking about, so basically this is a very simple type of command. Now extended IP access lists: by looking at these restrictions that you could apply, you can see that it has more options, like here you see you can restrict the source IP address, destination, protocol and application port number. If you look at this example, access-list 101 deny tcp, basically all traffic coming from this network here to that service, and then permit anything; so that's it, very simple, traffic from this range to this range will be blocked. So in summary, both standard and extended IP access lists serve the fundamental purpose of controlling and filtering traffic; the depth of control they offer, as you saw, is a big difference, and the choice between them will depend on the specific needs of the network or the security policy in place.

Now let's talk about a very important topic, firewalls. There are two types of firewalls: you can have a hardware firewall with an embedded operating system, or you could have just a software firewall installed on an operating system like Windows or Linux or whatever. There are two main purposes here, basically to control access from outside to inside and from inside to outside. Now the advantages and disadvantages of the hardware and the software. The first one, advantages of the hardware firewall: they're faster than a software firewall, simply because there is no operating system, it doesn't run on top of an operating system; it can handle a larger throughput than a software firewall, again because it does not run on top of an operating system. Hardware firewalls are typically placed at the network perimeter. There are enterprise-grade hardware firewalls designed to scale up in case your company has to add more and more firewalls due to increased traffic, and the thing is that, being separate from the host operating system and applications, they are less prone to some common software vulnerabilities and attacks. Now the disadvantages: if you buy a hardware firewall you are locked in to the vendor, and also the maintenance costs over time; there might be some costs associated with firmware updates, hardware replacement, or even if you want to add additional modules or features to enhance its functionality. Now what are the advantages of the software firewall? You can add additional Ethernet cards, you can have two or three, like three if you want: the third one goes to the DMZ, the second one goes to the internal network, and the first one is facing the cloud. It's cost effective, yes, because sometimes the hardware firewall costs more. Host-level protection, which means you can add a layer of security filtering both inbound and outbound traffic at the host level. In terms of virtualization and cloud, software firewalls are more adaptable in virtualized environments and can be deployed in cloud infrastructures, offering a scalable solution in modern data centers. Now let's talk about the disadvantages. Configuration problems might be a concern, again because you're dealing with software and you're dealing with the operating system. They rely on the operating system on which they are running, which may lead to performance issues if your hardware is not good enough: having a running operating system, that's a layer that is going to consume memory resources and CPU resources, and then you're adding another software firewall, that means another constraint. Limited protection on a compromised system: let's say for example malware manages to gain high-level privileges on a system; it might be able to disable or bypass the software firewall.

Now let's talk about firewall technologies. Here we have NAT, access lists, packet filtering, stateful packet inspection and application layer inspection. Let's look at each one of them. The first one here, we'll talk about NAT; that's the most basic security feature of a firewall. If you look at this picture, here you have the inside local private network, where you use private IP addresses, and here you have for example a Cisco router or firewall, and it has its own IP. You can have multiple computers here, and then the router or the firewall will do NAT, meaning it will do translation from the inside to the outside, and then your traffic will go to the destination, and here you can see this is the outside, the public internet. Now there is another one called port address translation, PAT, which is derived from NAT. With PAT a single public IP is used for all internal private addresses, but a different port is assigned to each private IP address, so PAT allows you to support many hosts with only a few public IP addresses. It works by creating dynamic NAT mappings in which a public IP address and a unique port number are selected, so the router keeps a NAT table entry for every unique combination of the private IP address and port, with a translation to the global address and unique port number, and that's
the commonly used one.

Now let's look at access lists. They are used to filter traffic based on the source IP address, destination IP address, ports or services. Those are access control lists; think about them as a sequential list of permit or deny conditions applied to traffic flows on a network device. They can be used to filter traffic based on a set of criteria, to either allow or deny passage through the device. All firewalls also use this technology to create access lists; on a firewall you can see many types of rules inside the firewall, and they are pretty much similar to the router. Now there are certain considerations when configuring ACLs. The order is very important: since ACLs are processed top-down, the order of the conditions is crucial; specific conditions should be placed before more general ones to ensure correct processing. There will be an implicit deny; remember that a deny-all exists, which should be at the end of the firewall rules, and in some of them, even if it is not explicitly written, it will be there. Resource consumption: be careful, having very long access control lists or those with many matches can consume more resources on the network device.

Now let's talk about packet filtering, which is called stateless. It basically screens packets based on the information contained in the packet header. What are the criteria for filtering? Source IP address, destination IP address, source and destination port numbers, protocol type (TCP, UDP, ICMP), interface, and inbound or outbound direction. These are the typical rules; you can see they're not detailed rules, and you will see why once we get to the stateful firewall. It's a rule-based decision: the firewall has a set of rules defined by you as administrator; each packet is compared against these rules in sequence, and the first rule that matches the packet determines its fate, allow or deny. Fast, simple and low resource consumption, because it is a stateless firewall. But there are disadvantages: since we mentioned that they are stateless, they cannot understand or make decisions based on the context of the packet payload or the state of the network connection; this can allow certain types of attacks that exploit the lack of state awareness to happen. It does not offer the fine-grained control over traffic that stateful or even application-layer firewalls provide, which is our next topic. Packet filter firewalls might not provide detailed logging capabilities, which makes it hard for forensic investigation or audits to do their job.

Now let's talk about stateful packet filters. They record session-specific information about the network connection in a state table; it can also be referred to as a connection table or session table, which is basically a mechanism used by stateful firewalls to track the state of active connections. At a high level, for every connection established through the firewall there's an entry added, like you see here in this table, and this entry contains session-specific information about the connection. For example, here you can see the source IP, the source port, the destination IP, the destination port, and the connection state, whether it's established, or SYN sent, or finished, or even closed, and some of them will add the protocol as well, like whether you're using TCP or UDP or ICMP. So what are the benefits of state tables in a firewall? Well, it has two-way session traffic: by keeping track of established sessions, the firewall can efficiently permit return traffic without re-evaluating every packet against its rule set. For example, if an internal user initiates a web browsing session to CNN, the firewall will automatically allow return traffic from CNN without requiring a specific rule for it. It also has protection against spoofing and scans: a stateful firewall can deal with port scans and other reconnaissance tactics that rely on unusual packet sequences, and that's very important. For example, let's say that you use nmap to send a packet with the TCP flags ACK or FIN from outside. The firewall will look at it as, okay, these flags arrived, however without a prior SYN packet to initiate the connection, so hold on, this is unusual, so the firewall will drop it. Anomaly and threat detection are also among the things that happen. For example, unexpected packets, like I mentioned: if a packet arrives that does not match any entry in the state table and is not part of a recognized connection initiation sequence, the firewall will drop it. Connection limit exceeded: if an IP address attempts to establish an unusually high number of connections, sending too many sessions and not returning, it might indicate a DoS attack, because they're trying to exhaust the resources of the server. Invalid TCP flags: packets with unusual or unexpected TCP flag combinations inconsistent with the typical connection stages will be flagged. Timeout anomalies: sessions that remain open significantly longer than typical for this type of protocol might be suspicious activity. Out-of-state packets: packets that arrive in an unexpected order, such as receiving a FIN packet before an ACK, can indicate potential malicious activity.

Now another important topic here is the application-aware firewall, which is called a next-generation firewall, NGFW, or layer 7 firewall. This one is designed basically to inspect and make decisions at the application level, which is layer 7 according to the OSI model,
rather than merely considering only the source and destination IP addresses and ports or protocol type. It's important for you to understand some of the key features, because with this you'll be able to know what this type of application firewall can do. Number one is deep packet inspection. This allows the firewall to look beyond the header information, like the port number or source and destination, and examine the payload, the content of the packet, to determine the specific application or service generating that traffic. Number two, application protocol verification: this type of firewall ensures that the application protocol being used aligns with what is expected and allowed by the rules; for example, if HTTP traffic is detected on a non-standard port, the firewall can identify it and act based on the rules. Application identification and control: these types of firewalls can identify and differentiate between specific applications even if they are operating on non-standard ports or are encapsulated within other protocols; for example, it can differentiate between general web browsing, streaming and file sharing, even if all are over HTTP or HTTPS. It could have proxy capability: it can act by effectively terminating and re-establishing connections to ensure that the data passing through adheres to expected protocols and patterns. Protection against advanced threats: many of these types of firewalls can include an IPS, intrusion prevention system, which can help detect and prevent advanced threats, such as zero-day attacks, by analyzing behavior or heuristics. User-based firewalls: they have the ability to implement policies based on user identities, and can be integrated, by the way, with Active Directory, and that's a very important feature if you have a Windows Active Directory environment. Content filtering: they could filter content based on certain categories; for example, it can block .exe or .dll files from coming inside the network, and it can also add a layer of data leakage prevention, like for credit card numbers or specific keywords. And these are examples of well-known products that have application firewall features, very well-known products.

Now let's talk about the web application firewall. These are specifically designed to protect web applications; it can be deployed on-premises, in the cloud, or as a hybrid solution. Let's look at the key features to understand. A very important feature is that the WAF can inspect and analyze the content of traffic to detect and block content that could be harmful, like SQL injection attacks or cross-site scripting attacks. Again, it has application-specific profiles: it can be tailored to the specific profile of the protected web application, so it gives you the option to fine-tune the protection. It can block known vulnerabilities, assuming that you are regularly updating the database of known vulnerabilities. It can provide protection against the OWASP Top 10 vulnerabilities, basically the top 10 list of the most critical web application security risks, and it's very important that you become familiar with the OWASP Top 10.

Customizable rule sets: you as administrator can configure custom rules to define what is considered legitimate traffic for your web applications. Session management: it can detect and prevent session hijacking or cookie poisoning attacks. Geoblocking, also this is very important, because it can block requests originating from specific countries as well. API security: some of them can provide specialized protection for APIs by ensuring that only legitimate API requests are processed. Another thing here we have is threat intelligence integration: some of them can be integrated with threat intelligence feeds, which is important, so the firewall can get real-time data on emerging threats, and some firewalls can also include SIEM integration. SSL inspection: it means it can decrypt and inspect SSL-encrypted traffic to detect any threats hidden in encrypted sessions. How is that possible? Well, the SSL or TLS inspection happens in the firewall because it acts as a man in the middle between the client and the server. So briefly, when a client initiates an SSL or TLS session, the security device intercepts this request, establishes its own encrypted session with the server, and then presents the client with a mimicked certificate signed by its own certificate authority in the firewall. With this in place, the firewall decrypts the incoming traffic to inspect its content for potential threats; after inspection it re-encrypts the traffic and forwards it to the intended server, either allowing or blocking the content based on its evaluation. So in other words, both the client and the server do not know that there is a firewall doing encryption and decryption, based on the feature it has.

Now let's talk about implementing a firewall. I have seen before companies with a single firewall between the internal and external network; I mean usually they are very small, simple companies,
but that's definitely a bad idea why it is a single point of failure Imagine One firewall becomes becomes a malfunction or compromised there's no backup or second layer of security to prevent unauthorized access now we always talk about depth of defense strategy defensive depth now signify what does not have that making Network variable ones that a single defense is breached uh what about Advanced resistor threats apt now we know apt are designed to be stealthy and persistent right so if an EPT compromise this single firewall well it it means that it has a foothold inside your network making those attackers literally you know you know browsing your network and establish you know probably like multiple back doors uh you know undetected ones uh zero day vulnerabilities you know firewalls like any software or Hardware can have unknown vulnerabilities now if a 0d explored targeting firewall is used by attacker the entire antenna network becomes exposed you know now insufficient internal segmentation now this type of firewalls I mean I don't care if your perimeter file is reboost but without proper antenna segmentation of your network you divide the network based on the same Department stuff like this and you know and also now and now you have only one single firewall you're making it easy on the hackers to break into your system so therefore Network segmentation using internal firewalls and other mechanism it's very important to reduce the damage of of any potential breach now direct access points we work in the culpers we know that any corporate will have multiple direct access sponsor internal Network you know like you could have VPN you can have also direct Cloud connections so a single one might not be sufficient to Monitor and control all these potential interpols so what is the solution in this case well you should have a multiple firewalls there I mean look over it here you have this external firewall which is facing the internet and then and then we have 
internal firewall that's it basically protecting the internal Network okay from inside and also here we have the DMC so briefly so when we talk about parameter firewalls we mean this is the parameter firewalls that's the one that plays within the organization internal Network and uh and the public internet that's your first line of defense internal firewalls like you see over here you know the often set between uh you know it could be like between different departments or within the organization tender Network it can help in segmenting the internal Network and limiting the spread of antenna effect and here you can see these are only four users so it so that's you know that segmentation and this is another type of segmentation that the keeping the SQL servers here and all the traffic has to go through the antenna firewall now it's very common to see DMZ here let's say for example here we have HTTP so anybody wants to access your website of your company they have to go through the firewall and the firewall based on the rules will forward the users outside users requested HTTP now so what is DMZ it's basically think about like isolated subnet design to host public facing application okay so now when it comes to configuration management let's look at important things here consistent policies even with multiple firewalls is a crucial to maintain consistent security policy you know uh you know tools like firewall management platform can help and centralize the configuration and monitoring of multiple devices and remember we need to have rule-based optimization because as you add more rules over time it is essential to every once a while review and clean up the rule base to prevent conflicts and maintain performance and second thing I always recommend to have different followers from different vendors I know this this might be a too much worker administrators but think about it this way if this render firewall becomes uh you know vulnerable for some reason or another you 
You know, then you have another firewall from a different company, and this will reduce the risk.

Now there are two types of modes for firewalls: you have active-passive mode and active-active mode. The first one, active-passive mode: one firewall is active and processes all the traffic, and the others are passive, in standby mode. The passive firewall is synchronized with the active firewall so it can take over if the active one goes down. It's usually simpler to configure and manage. Now active-active: both firewalls are active and processing traffic, and the traffic is distributed between the two firewalls. Think about it more like a load balancing algorithm, where you have two firewalls sitting next to each other and you load balance the traffic between them, so this can help improve performance and scalability. It is also more complex to configure and manage.

Now let's just briefly go over some of the features of the Cisco Adaptive Security Appliance (ASA) firewall, one of the most widely used firewalls. It has advanced modular features like IPS, VPN and unified communications capabilities, and it has very sophisticated application layer inspection.

Now let's look at using configuration and risk analysis tools for firewalls and routers. There is the Center for Internet Security (CIS); this is one of the best websites for finding configuration benchmarks and configuration assessment tools. So what is a benchmark? Basically, the industry publishes best configuration practices on how and why to secure a certain device; in our example here, how and why to secure a Cisco router or firewall. Now for Cisco devices, you could use the CIS Cisco IOS Benchmark, which is basically a comprehensive document that offers detailed guidelines for the secure configuration of Cisco devices running the IOS operating system, and these guidelines cover quite a few areas.
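As an added example of the kind of check a benchmark assessment tool automates (this is not CIS's or Cisco's tooling, and not code from the video), the Python script below parses a Cisco IOS-style running-config and scores it against a handful of checks in the same spirit as the benchmark's access control, services and logging areas. The specific checks, their names and the sample config are constructed for this example; the real CIS benchmark remains the authority on what to check and why.

```python
"""Audit a Cisco IOS running-config against a few CIS-benchmark-style checks.

Added example, not CIS's or Cisco's own tooling. The checks follow the
benchmark's general themes (access control, services, logging), but the exact
rules, their wording and the sample config are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

def parse_ios_config(text: str) -> Dict[str, List[str]]:
    """Map each top-level command to its indented sub-commands (IOS layout)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):   # blank lines and comments
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def audit(cfg: Dict[str, List[str]]) -> List[Tuple[str, bool]]:
    """Return (check name, passed) for each constructed check."""
    top = set(cfg)

    def any_top(pattern: str) -> bool:
        return any(re.match(pattern, line) for line in top)

    vty = [subs for cmd, subs in cfg.items() if cmd.startswith("line vty")]
    return [
        # access control: hashed enable secret, never a plaintext enable password
        ("enable secret set, no plaintext enable password",
         any_top(r"enable secret ") and not any_top(r"enable password ")),
        ("service password-encryption", "service password-encryption" in top),
        # services: unneeded management services off, SSHv2 only
        ("HTTP server disabled", not any_top(r"ip http server")),
        ("SSH version 2 only", "ip ssh version 2" in top),
        ("vty lines accept SSH only",
         bool(vty) and all("transport input ssh" in subs for subs in vty)),
        # logging: ship logs off-box so an attacker cannot simply wipe them
        ("remote syslog host configured", any_top(r"logging (host )?\d+\.")),
        ("login brute-force throttling (login block-for)", any_top(r"login block-for ")),
    ]

# Constructed sample config (not a real device; the secret value is a placeholder)
SAMPLE_CONFIG = """\
hostname edge-rtr
enable secret 9 $9$examplehashvalue
service password-encryption
ip http server
ip ssh version 2
logging host 10.0.9.20
!
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 transport input telnet ssh
 login local
"""

def failing_checks(text: str = SAMPLE_CONFIG) -> List[str]:
    """Names of the checks the given config fails."""
    return [name for name, ok in audit(parse_ios_config(text)) if not ok]

if __name__ == "__main__":
    for name, ok in audit(parse_ios_config(SAMPLE_CONFIG)):
        print(("PASS " if ok else "FAIL ") + name)
```

On the sample config three checks fail: the HTTP server is still on, the second vty block still accepts Telnet, and there is no login throttling. That is exactly the "configured for ease of use rather than security" default the benchmark exists to catch.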
They offer, for example, device access control, service configuration, logging and auditing, network protocols and services, and other things. Now, these are nice features, very helpful: there are software tools designed to assess the configuration of a system against the CIS benchmark, faster and easier, by using automated assessment. Also, some of them come with automated assessment and generate reports after evaluating the device or system, detailing deviations from the benchmark and providing actionable insights. Okay, so the reason why benchmarks are essential is that many systems and devices out of the box are configured for ease of use rather than security. So basically, it's important for you to become familiar with the configuration assessment tools and the benchmarks provided by CIS, because they can guide you to harden the devices against potential threats.

Now there is another device, or service, or product, called RedSeal. This is a unique network risk assessment and mapping tool; it helps organizations understand and manage cyber risk. It can help you identify configuration vulnerabilities in routers or firewalls. It can generate professional-looking reports that are customizable. It can analyze IPS or vulnerability scans of the network and give you a very detailed analysis and mapping; it can show you a graphical representation of the vulnerabilities discovered, in the context of the network and where they were found. It's a high-end security solution, used by a variety of organizations like government agencies, financial institutions and healthcare providers. For example, a healthcare provider can use it to ensure that its network complies with HIPAA regulations (this is the US government regulation for health data), and a government agency can use it to model and simulate attacks on its network to identify potential weaknesses and develop mitigation strategies. Now, and this is basically, you know,
just a sample, an example of a RedSeal network risk map, and this is one of the key features of the RedSeal platform, because it is designed to visually represent the security posture and the risk landscape of the organization's network infrastructure.

Now let's talk about some very important components you will find in different network setups. The first one is the intrusion detection system (IDS): it's basically monitoring network or host devices, and if it detects something it will alert the administrator. And the intrusion prevention system (IPS) is similar to an IDS, except it takes some action to prevent the threat. Now vendors have started focusing a lot on IPS. The first one is the network-based IPS, and here you can see that the network IPS is placed inline between the trusted network and the internet, right after the firewall. Now the network-based IPS is an advanced security solution positioned inline within the network infrastructure, designed to detect and prevent a wide range of malicious activities in real time. By analyzing network traffic for suspicious patterns or behavior against predefined signatures and anomaly-based metrics, it can proactively block or terminate malicious connections. This system surpasses a traditional firewall by diving deeper into the packet payloads, enabling active defense against both known and emerging threats while maintaining a good understanding of the network environment. Now the host-based IDS basically can be installed on any computer. It is a very commonly used security solution used to monitor and protect individual devices, or hosts, from malicious activity. Installed directly on a target system, it analyzes system behavior, application activities, system logs and also system calls for any sign of suspicious or unauthorized action. By leveraging a combination of signature-based detection, behavior analysis and system state information, the host
IPS can proactively prevent potential security breaches, making it an essential layer of defense in safeguarding sensitive data and system resources on these individual devices.

Now let's talk also about web filtering. Web filtering is a very common application used in many corporations, because we have so many users accessing the internet, and a user may end up visiting a bogus website or installing malicious code from an email attachment. This does not impact the firewall, and you know very well what would happen if Trojan code is installed on one of your users' workstations. So web filtering scans everything being accessed by the user. Now for you to understand the value of web filtering and how it is used to detect users' attempts to access malicious websites and block them, we need to look at the main features. The first feature here is content filtering: analyzing the content of web pages to determine if they contain any prohibited keywords, phrases or other criteria. Pages matching the banned content will be blocked, and the user will get a display saying this site is blocked. It has also URL filtering: those web filtering servers have a database of blacklisted or whitelisted URLs, and if a user tries to access a blacklisted URL, the request will be denied. We have also category-based filtering; this is very important. We know that websites are categorized, like adult, gambling, social media and so on, and administrators can block or allow entire categories based on organizational policies. Also another important thing, file type restrictions: it can block the user from downloading specific file types, like executable or DLL files, to prevent malware infections or unauthorized software installation. Bandwidth management: these types of servers also can limit the bandwidth consumed by certain types of
content, like streaming media (Netflix), to ensure optimal network performance. Safe search enforcement: for search engines, the server can enforce safe search mode, filtering out explicit or harmful results. Time-based access is also one of these cool features: you can define times when specific websites or categories can be accessed, such as allowing social media only during certain hours. Also it has custom whitelisting and blacklisting: administrators can create custom lists, based again on the company's policy, of sites that are always allowed (whitelisted) or always blocked (blacklisted). Now organizations deploy web filtering services to enforce acceptable use policies, comply with regulations, enhance productivity and protect against web-based threats.

Now let's talk also about another type of system that you will see in many organizations to enhance the protection. The first one is the secure email gateway. It's a security solution, again, designed to prevent unwanted emails, including phishing attempts, malware, spam and other malicious email threats, from reaching users' inboxes. It acts as a filter between inbound and outbound email traffic and users, analyzing every email for potential threats or undesired content. Let's look at some of the features of the very well-known GFI MailEssentials, which I used to use in addition to a web filtering system. The first one is anti-spam and anti-phishing. GFI MailEssentials employs multiple anti-spam filters, including, for example, DNS blacklists and keyword checking, to detect and block spam and phishing, and here you can see this is one of the features in GFI. Virus protection: notice it has like four different virus protection engines, and this solution is basically integrated into the system. It has multiple different antiviruses for a good reason: if one of
them does not detect a threat, we're hoping the other two or three will detect it. So that's a multi-layer approach, which increases the detection rate and reduces the chances of false positives. Now email content filtering: administrators can create policies to manage email content, ensuring sensitive data remains secure; it will look for specific keywords, attachments or patterns. Also email disclaimers: this is a feature that allows organizations to add legal disclaimers or other essential notices to outgoing emails. And attachment blocking: it has the capability to block specific attachment types, preventing potentially dangerous file types or large files from clogging the email system.

Now there's also another important component you would find, which is called the SIEM, which stands for Security Information and Event Management. It helps the security operations center team, who are working 24 hours a day, seven days a week, to identify attacks and indicators of compromise by collecting, aggregating and correlating logs and alerts from different systems like routers, firewalls, IDS, IPS, endpoint logs, web filtering devices, honeypots and other security tools. Now let's look at the main components. The first one is data aggregation: SIEMs collect and aggregate data from various sources, the ones I just mentioned here; this includes logs, events, network traffic and even user activities. Then it does event correlation; correlation plays a very important role, because it helps to map different data streams, so the SIEM can identify patterns and sequences that might indicate a security breach. Now alerting: whenever a suspicious pattern is identified, based on predefined or dynamic criteria, the SIEM system will generate an alert for security
analysts to investigate. It has a very nice dashboard, of course; every system has its own design of dashboard, which includes different types of windows, where some windows will display specific types of information, and this includes real-time threat intelligence, ongoing incidents or historical data, all of which can be displayed in small windows so you can monitor different types of information on your screen. Now data storage: SIEMs store aggregated and normalized data, often for both short-term rapid analysis and long-term forensics or compliance purposes. Concerning forensic analysis, SIEMs provide tools for deep-dive investigation; they help analysts pick up pieces of data and try to uncover the full scope and context of a security incident, and this information is usually stored in a secure repository, again for forensic purposes. Compliance reporting: many SIEM platforms come with built-in reporting tools designed to help organizations demonstrate compliance with various regulations and standards; for example, it has report templates for HIPAA.

Now IBM QRadar is one of the leading SIEM solutions, designed to provide comprehensive insight into security data. Its main technological features include advanced log and flow data processing to detect and prioritize potential threats. It also has an integrated threat intelligence feed for real-time threat correlation, which they call IBM X-Force threat intelligence, and it has behavioral analytics powered by machine learning to identify malicious activities and anomalies. It also has automated incident response capabilities, and a highly scalable architecture that can adapt to the needs of diverse enterprise environments. And again, it has a very nice, user-friendly dashboard and supports extensive customization.
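To make aggregation, normalization and correlation concrete, here is an added example (not QRadar's or any other product's code, and not from the video). It normalizes constructed log lines from two sources into one event schema and runs a single correlation rule over them: several failed logins from one address followed by a successful login, a pattern that no single log line shows on its own. The line formats, field names, threshold and time window are all assumptions for the example.

```python
"""Tiny SIEM-style pipeline: normalize logs from two sources, then correlate.

Added example for the aggregation / correlation / alerting components above;
it is not QRadar or any other product. The log lines are constructed to look
like Linux sshd syslog and a generic firewall log; the layouts are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional

SSHD_RE = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")
FW_RE = re.compile(r"^(\S+) fw01 action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")

def normalize(line: str) -> Optional[Dict]:
    """Turn a raw line into the common event schema, or None if unrecognized."""
    m = SSHD_RE.match(line)
    if m:
        ts, outcome, user, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "source": "sshd",
                "type": "auth_fail" if outcome == "Failed" else "auth_ok",
                "user": user, "src": src}
    m = FW_RE.match(line)
    if m:
        ts, action, src, dst, dport = m.groups()
        return {"ts": datetime.fromisoformat(ts), "source": "fw01",
                "type": "fw_" + action.lower(), "src": src, "dst": dst, "dport": int(dport)}
    return None

def correlate(events: List[Dict], threshold: int = 5, window_s: int = 120) -> List[str]:
    """Alert when one source IP racks up >= threshold auth failures inside
    window_s seconds and then logs in successfully (brute force that worked)."""
    recent_fails: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[str] = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # aggregation: one timeline
        if ev["type"] not in ("auth_fail", "auth_ok"):
            continue                                    # firewall events not used by this rule
        q = recent_fails[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()                                 # drop failures outside the window
        if ev["type"] == "auth_fail":
            q.append(ev["ts"])
        else:
            if len(q) >= threshold:
                alerts.append(f"{ev['src']}: {len(q)} failed logins then success as {ev['user']}")
            q.clear()
    return alerts

# Constructed sample logs (two sources, interleaved as a collector would see them)
SAMPLE_LOGS = [
    "2024-05-01T10:00:00 bastion sshd[4242]: Failed password for invalid user admin from 198.51.100.7",
    "2024-05-01T10:00:05 fw01 action=ALLOW src=198.51.100.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:06 bastion sshd[4242]: Failed password for root from 198.51.100.7",
    "2024-05-01T10:00:12 bastion sshd[4242]: Failed password for root from 198.51.100.7",
    "2024-05-01T10:00:19 bastion sshd[4242]: Failed password for root from 198.51.100.7",
    "2024-05-01T10:00:25 bastion sshd[4242]: Failed password for root from 198.51.100.7",
    "2024-05-01T10:00:40 bastion sshd[4242]: Accepted password for root from 198.51.100.7",
    "2024-05-01T10:01:00 bastion sshd[4300]: Failed password for alice from 10.0.0.77",
    "2024-05-01T10:01:30 bastion sshd[4300]: Accepted password for alice from 10.0.0.77",
    "2024-05-01T10:02:00 fw01 action=DENY src=203.0.113.9 dst=10.0.0.5 dport=3389",
]

def run_sample() -> List[str]:
    events = [e for e in map(normalize, SAMPLE_LOGS) if e]
    return correlate(events)

if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT", alert)
```

Only the 198.51.100.7 sequence produces an alert; alice's single typo followed by a good login stays quiet. The window and threshold are the tuning knobs an analyst would adjust to trade missed slow attacks against alert noise.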
Beyond these dashboards, it can also integrate with various third-party tools, like Nmap and many other tools. It's important for you to understand that a SIEM does not prevent attacks; it only alerts, in a very intelligent way.

Now we have also the honeypot. It creates a decoy system to lure attackers, so it is a computer system, or it could be a network, that is designed to look like a legitimate target for attackers, but it's actually isolated from the rest of the network and monitored for malicious activities. Here's the good thing: when an attacker attempts to exploit a honeypot, their activities can be logged and analyzed, which can help security teams learn more about the attackers' tactics and techniques; they might learn something new that they were not aware of. Now, how do honeypots work? They are deployed in a variety of ways. The first one is high-interaction honeypots: these honeypots are designed to mimic real-world systems and applications and allow attackers to interact with them in a meaningful way. This type of honeypot can provide the most valuable information about attacker behavior, because it allows you to monitor their behavior and learn from it, but the problem here is that it requires the most resources to maintain. Now low-interaction honeypots: these honeypots are designed to be simple and easy to deploy and only need to mimic the most basic aspects of real-world systems and applications. This type of honeypot is less resource intensive than the high-interaction honeypots, but it also provides less detailed information about the attackers. Now here you can see the honeynets. Honeynets, as you see over here, are networks of honeypots that are designed to mimic real-world networks. Honeynets can be used to provide a more realistic environment for attackers to play around
and operate in, which can lead to more valuable intelligence and information about the attack and the activities, and again, as there are new techniques or new things that we're not aware of, we can learn by monitoring those attackers' actions inside the honeynet servers.

Okay, so let's talk about the principles of the technology you find in different types of solutions. I'm sure you heard me talking about signature analysis, anomaly-based detection, behavior analysis, machine learning and some other technologies in the previous YouTube videos. Together these technologies provide a multi-layered approach to safeguarding digital assets, ensuring both real-time threat mitigation and proactive defense against the evolving cyber threats we see on a daily basis. Now it is very important to understand the principles of these technologies, how they work and where they are applied in cyber security and other business domains, so you can pick the right solution for your organization.

The traditional one is signature-based detection. You will see this technology in different types of solutions: it compares network traffic against known attack patterns or a signature database; if a match is found, the system triggers an alert if it's an IDS, or takes corrective action if it's an IPS. Reputation-based detection: this system references a database of known-malicious IP addresses, domains or URLs, allowing for blocking or alerting on traffic associated with these known threats. Now let's look at a very typical type of algorithm you find in different types of solutions. The first one is heuristic-based detection: it uses algorithms to analyze the behavior and properties of files and programs; it works by looking for commands and structures not normally present in an application. Now let's look at the focus: it focuses on examining the attributes and behavior of files and programs, trying to find any suspicious characteristics.
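As an added example of the three approaches just introduced (signature, reputation and heuristic), the Python below runs all three over constructed observations of four executables, so you can see which layer catches what and where each one falls short. This is not code from the video or from any product; the signature database, the bad-IP list, the behaviour names, the weights and the samples are all constructed for the example.

```python
"""Three detection approaches side by side: signature, reputation, heuristic.

Added example, not code from any product. The signature database, the bad-IP
list, the heuristic weights and the sample process observations are all
constructed for illustration.
"""
import hashlib
from typing import Dict, List, Optional

# Constructed "known bad" data, the kind of thing AV updates and threat feeds deliver
SIGNATURES: Dict[str, str] = {
    hashlib.sha256(b"MZ...evil-dropper...").hexdigest(): "Dropper.Generic",
}
BAD_IPS: Dict[str, str] = {"203.0.113.66": "known C2 server"}

# Heuristic: behaviours typical of ransomware, each with a weight. None is
# conclusive on its own (a backup tool also rewrites many files); the
# combination is what pushes the score over the threshold.
HEURISTIC_WEIGHTS = {
    "mass_file_rewrite": 3,       # many files rewritten with a new extension
    "delete_shadow_copies": 4,    # removing the restore points
    "outbound_to_many_hosts": 2,  # beaconing / C2 attempts
    "smb_scan_subnet": 2,         # propagation attempt across the LAN
}
HEURISTIC_THRESHOLD = 5

def signature_check(content: bytes) -> Optional[str]:
    """Exact hash match: fast and precise, but only for samples already seen."""
    return SIGNATURES.get(hashlib.sha256(content).hexdigest())

def reputation_check(connections: List[str]) -> List[str]:
    """Destinations already on the known-bad list."""
    return [ip for ip in connections if ip in BAD_IPS]

def heuristic_score(behaviors: List[str]) -> int:
    """Sum the weights of the distinct behaviours observed at runtime."""
    return sum(HEURISTIC_WEIGHTS.get(b, 0) for b in set(behaviors))

def evaluate(sample: Dict) -> Dict:
    """Run all three layers; the sample is flagged if any one of them fires."""
    sig = signature_check(sample["content"])
    rep = reputation_check(sample["connections"])
    score = heuristic_score(sample["behaviors"])
    malicious = bool(sig) or bool(rep) or score >= HEURISTIC_THRESHOLD
    return {"name": sample["name"], "signature": sig, "reputation_hits": rep,
            "heuristic_score": score, "verdict": "malicious" if malicious else "clean"}

# Constructed observations of four executables
SAMPLES = [
    # an old, known dropper: caught by the signature alone
    {"name": "dropper.exe", "content": b"MZ...evil-dropper...",
     "connections": [], "behaviors": []},
    # a never-seen binary with ransomware behaviour: only the heuristic layer fires
    {"name": "invoice_2024.exe", "content": b"MZ...never-seen-before...",
     "connections": ["198.51.100.23"],
     "behaviors": ["mass_file_rewrite", "delete_shadow_copies", "smb_scan_subnet"]},
    # looks harmless on disk, but talks to a listed C2 address: reputation fires
    {"name": "updater.exe", "content": b"MZ...looks-benign...",
     "connections": ["203.0.113.66"], "behaviors": []},
    # legitimate backup tool: rewrites many files, but that alone stays under threshold
    {"name": "backup.exe", "content": b"MZ...backup-tool...",
     "connections": ["10.0.0.9"], "behaviors": ["mass_file_rewrite"]},
]

def verdicts() -> Dict[str, str]:
    return {r["name"]: r["verdict"] for r in map(evaluate, SAMPLES)}

if __name__ == "__main__":
    for s in SAMPLES:
        print(evaluate(s))
```

The backup tool is the case that shows the tuning problem the lecture mentions: lower the threshold to 3 and it becomes a false positive; raise it to 10 and the real ransomware sample slips through.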
Those are the characteristics typical of malware. In terms of mechanism, it uses algorithms to do code analysis and dynamic analysis, identifying malicious activities by their nature rather than by known signatures. Now adaptability: generally static and rule-based, requiring manual updates for any new heuristic algorithm to adapt to evolving threats. Now the scope: found mainly in antivirus and anti-malware, but you still find it in different types of business applications as well. Limitations: it may produce false positives, it is computationally intensive, it requires much tuning to balance efficiency and the false alarm rate, and it may not be able to detect all threats, especially those designed to evade detection. Let me just give you a quick example. Imagine that on your corporate network an employee tries to download a file from an email link that does not match any known malware signature; however, upon execution, the file starts making multiple outbound connections, or tries to scan and encrypt local files, or tries to connect to command and control servers and attempts propagation across the network. This type of detection system recognizes these patterns as typical of ransomware, flags the activity as suspicious, and alerts the security team to intervene and prevent a ransomware attack. Now in terms of different types of other applications: you see it in the transportation business, used to optimize traffic flow, route delivery vehicles, and schedule flights and trains. In logistics it's used to optimize inventory management, warehouse operations and supply chain management. In finance it can be used to optimize stock trading, fraud detection and risk management. In manufacturing it's used to optimize production scheduling, quality control and machine maintenance. Even in healthcare, it can be used to optimize patient scheduling,
drug discovery and medical diagnostics. Other real-life examples: Netflix uses heuristic algorithms to recommend movies and TV shows to its users. IBM Watson uses heuristic algorithms to diagnose diseases and recommend treatments. Even computer games: it can be used to generate realistic and challenging AI opponents in computer games. Spam filters can use it to identify and block spam emails.

Now let's look at another important detection system, anomaly-based. The first step for anomaly-based detection to work, as you know very well, is that it needs to establish a baseline of normal activity: what is normal activity in terms of users, in terms of network flows. Once it has established a baseline of normal activity, it starts detecting any unusual behavior or activity on the network, which could include anything from unauthorized access to data to unusual traffic patterns, and it sends an alert if any activity deviates significantly from its baseline. So what is the focus? It examines large data sets or network traffic to establish a baseline at the beginning, and then it will start to identify any deviations from the baseline. Now the mechanism: it utilizes statistical methods or machine learning to flag anomalies based on predefined conditions or metrics such as frequency, volume or sequence. Adaptability often involves continuous learning, and it has to continue learning because, again, this is anomaly-based and it has a baseline of normal activity; this continuous learning is very important to refine the understanding of what is normal behavior versus not normal behavior. Now the scope: used in network security, fraud detection and system health monitoring. Now its limitation here: it is sensitive to the quality of the baseline data, and that's very important; the quality makes the difference, because if the quality of the baseline data is not good, it will produce a lot of false positives, and it can miss threats that have been carefully crafted to evade it.
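As an added example of the baseline-then-deviation idea, and of the baseline-quality limitation just described, the Python below learns a per-host baseline of connections per minute, scores new observations against it, and then shows what happens when the learning window already contained the attacker's traffic. This is not code from the video or from any IDS product; the mean-and-standard-deviation model, the sigma threshold and all the traffic counts are constructed for the example.

```python
"""Anomaly-based detection: learn a per-host baseline, then flag deviations.

Added example for the baseline / deviation idea above, not code from any IDS
product. The model is a simple mean-and-standard-deviation baseline over
constructed per-minute connection counts; real systems use richer statistics
or ML, but the baseline-quality caveat demonstrated at the end applies to them too.
"""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Baseline = Dict[str, Tuple[float, float]]

def build_baseline(history: Dict[str, List[int]]) -> Baseline:
    """Per host: (mean, stdev) of connections per minute over the learning window."""
    return {host: (mean(counts), pstdev(counts)) for host, counts in history.items()}

def score(baseline: Baseline, host: str, observed: int, min_sigma: float = 1.0) -> float:
    """Z-score of the new observation against the host's baseline.

    min_sigma stops a perfectly flat baseline (stdev 0) from turning every
    one-connection change into an alert; a host never seen before is treated
    as anomalous by itself (infinite score)."""
    if host not in baseline:
        return float("inf")
    mu, sigma = baseline[host]
    return (observed - mu) / max(sigma, min_sigma)

def detect(baseline: Baseline, current: Dict[str, int], threshold: float = 3.0) -> List[str]:
    """Hosts whose current count deviates from their baseline by more than `threshold` sigmas."""
    return [host for host, n in current.items() if score(baseline, host, n) > threshold]

# Constructed learning-window data: connections per minute for ten minutes per host
CLEAN_HISTORY = {
    "10.0.0.5": [12, 14, 11, 13, 15, 12, 14, 13, 12, 14],
    "10.0.0.7": [3, 2, 4, 3, 3, 2, 3, 4, 3, 3],
}
# Same window, except host 10.0.0.7 was already scanning while we "learned normal"
POLLUTED_HISTORY = {
    "10.0.0.5": CLEAN_HISTORY["10.0.0.5"],
    "10.0.0.7": [3, 2, 400, 3, 420, 2, 3, 390, 3, 3],
}
# The minute we are scoring now: 10.0.0.7 is scanning, 10.0.0.99 has never been seen
CURRENT = {"10.0.0.5": 13, "10.0.0.7": 410, "10.0.0.99": 5}

def compare_baselines() -> Dict[str, List[str]]:
    """Same observation, two baselines: the polluted one hides the scanning host."""
    return {
        "clean": detect(build_baseline(CLEAN_HISTORY), CURRENT),
        "polluted": detect(build_baseline(POLLUTED_HISTORY), CURRENT),
    }

if __name__ == "__main__":
    for label, hosts in compare_baselines().items():
        print(f"{label} baseline flags: {hosts}")
```

With the clean baseline both the scanning host and the unknown host are flagged. With the polluted baseline the scanner's own bursts have inflated its mean and standard deviation, so 410 connections per minute scores under three sigmas and slips through; that is exactly the "threats that carefully avoid triggering anomaly indicators" problem, caused here by learning normal from data that was not normal.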
Those threats avoid triggering the anomaly indicators. Now let's look at the different types of technologies used here. First, let's look at cyber security. When it comes to malware detection, anomaly-based malware detection systems use machine learning to identify patterns in malicious code; this allows them to detect new and emerging malware threats that are not known to traditional signature-based detection systems. Now for intrusion detection, anomaly-based systems monitor network traffic for irregular patterns, such as a sudden increase in traffic from a particular IP address or even a large number of failed login attempts; this allows them to detect malicious activity like DDoS attacks or port scans. In terms of behavior analytics, anomaly-based user behavior analytics systems monitor user activity for unusual patterns, like logging in from a new location or accessing sensitive files at unusual times; this allows them to detect malicious activities such as account compromises and insider threats. Now you'll still find it used in different types of applications in different business domains, like for example financial fraud detection: it can detect fraudulent transactions like credit card and insurance fraud; for example, banks may use anomaly-based detection systems to identify unusual patterns in customer spending, such as sudden spikes in charges or purchases from a foreign country. Now a network intrusion detection system basically detects any malicious activity on computer networks, like DoS attacks or malware infections; for example, network intrusion detection systems may monitor network traffic for unusual patterns such as a sudden increase in traffic from a particular IP. For medical diagnostics, it can be used in cases like detecting any
medical condition, like cancer or heart disease, by identifying unusual patterns in the patient data; for example, doctors may use it to identify unusual patterns in medical images such as X-rays or MRIs. Also for industrial
2023-10-03