You intend to monitor, detect, and prevent unknown malicious traffic on your network. Which of the following is the best solution?
A. An appliance that authenticates devices to grant network access
B. A host that examines and filters network packets between zones
C. A device that imitates a legitimate server and behaves like “baiting” a suspect
D. A node that blocks traffic by comparing a sample of traffic against a known baseline
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. A node that blocks traffic by comparing a sample of traffic against a known baseline.
It’s not effective to detect unknown malicious traffic by signature-matching mechanisms or static/predefined firewall policies. Preventing unknown malicious traffic requires active actions; honeypots or padded cells are passive measures for monitoring and detecting intrusions.
Intrusion Prevention System
Anomaly-based IPS can block traffic by comparing a sample of traffic against a known baseline.
The detection method employed may be signature- or anomaly-based. Predefined signatures are patterns of well-known network attacks. The IPS compares packet flows with the signature to see if there is a pattern match. Anomaly-based intrusion detection systems use heuristics to identify threats, for instance comparing a sample of traffic against a known baseline.
Source: Check Point
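To make the distinction behind the suggested answer concrete, the following is an added example (not code from the original post or from Check Point) that runs three checks over constructed flow records: a static firewall policy, a list of known-attack signatures, and an anomaly baseline learned from a training window. The byte-count feature, the z-score threshold of 3, the signature strings and every address and flow in it are constructed assumptions chosen to show that traffic with no known signature and a permitted port is still caught once it deviates from the baseline.

```python
"""Added example: static policy vs. signature match vs. anomaly baseline.

Not part of the original post. All flows, rules, signatures and the
byte-count/z-score heuristic are constructed illustrations.
"""
from __future__ import annotations

import statistics
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent by src in this flow (the feature we baseline)
    payload: bytes   # first bytes of the payload, used only for signature matching


# Constructed "normal" training window for one workstation: HTTPS to an
# internal server with modest outbound sizes.
BASELINE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", 443, size, b"GET / HTTP/1.1")
    for size in (1200, 1500, 900, 1300, 1100, 1400, 1000, 1250, 1350, 1150)
]

# Static, predefined policy: workstation subnet may talk on 443 and 53 only.
ALLOW_RULES = [("10.0.0.", 443), ("10.0.0.", 53)]

# Signatures of *known* attacks (constructed placeholders, not a real ruleset).
SIGNATURES = [b"/etc/passwd", b"<script>alert("]


def firewall_allows(flow: Flow) -> bool:
    """Traditional firewall: a fixed allow list, blind to content and volume."""
    return any(flow.src.startswith(prefix) and flow.dport == port
               for prefix, port in ALLOW_RULES)


def signature_match(flow: Flow) -> bool:
    """Signature-based IPS: only fires on patterns seen before."""
    return any(sig in flow.payload for sig in SIGNATURES)


class AnomalyBaseline:
    """Anomaly-based IPS: learns a baseline, then scores deviation from it."""

    def __init__(self, training: Iterable[Flow], threshold: float = 3.0):
        sizes = [f.bytes_out for f in training]
        self.mean = statistics.fmean(sizes)
        # Guard against a perfectly flat baseline (stdev 0) to avoid division by zero.
        self.stdev = statistics.pstdev(sizes) or 1.0
        self.threshold = threshold

    def score(self, flow: Flow) -> float:
        """Z-score of the flow's outbound size against the training window."""
        return abs(flow.bytes_out - self.mean) / self.stdev

    def is_anomalous(self, flow: Flow) -> bool:
        return self.score(flow) > self.threshold


def classify(flow: Flow, baseline: AnomalyBaseline) -> str:
    """Apply the three controls in order and report which one (if any) blocks."""
    if not firewall_allows(flow):
        return "blocked-by-policy"
    if signature_match(flow):
        return "blocked-by-signature"
    if baseline.is_anomalous(flow):
        return "blocked-by-anomaly"
    return "allowed"


# Constructed test traffic: one normal flow, one policy violation, one known
# signature, and one previously unseen large transfer on a permitted port.
NORMAL = Flow("10.0.0.5", "10.0.0.20", 443, 1300, b"GET /index.html HTTP/1.1")
WRONG_PORT = Flow("10.0.0.5", "10.0.0.20", 23, 100, b"")
KNOWN_BAD = Flow("10.0.0.5", "10.0.0.20", 443, 1250, b"GET /../../etc/passwd")
UNKNOWN = Flow("10.0.0.5", "203.0.113.7", 443, 9000, b"POST /upload HTTP/1.1")


if __name__ == "__main__":
    baseline = AnomalyBaseline(BASELINE_FLOWS)
    for name, flow in [("normal", NORMAL), ("wrong-port", WRONG_PORT),
                       ("known-bad", KNOWN_BAD), ("unknown", UNKNOWN)]:
        print(f"{name:10s} score={baseline.score(flow):6.1f} -> {classify(flow, baseline)}")
```

The UNKNOWN flow passes the static policy (port 443 is allowed) and matches no signature, so only the baseline comparison blocks it; that is the gap the question is probing. A real anomaly-based IPS uses far richer features than one byte count, but the decision structure is the same: learn what is normal, then act on deviation rather than on a predefined pattern.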
Network Access Control (NAC)
Network Access Control (NAC) can be enforced by implementing an appliance that authenticates devices to grant network access. Network Access Control builds a known security context by authenticating devices or users for network access. It’s not effective for unknown malicious traffic because it won’t observe or inspect the network traffic. Blacklists or whitelists of MAC addresses and 802.1X authentication are common NAC mechanisms.
A traditional firewall examines and filters network packets between zones based on predefined policies that won’t act on unknown malicious traffic effectively.
Next-generation firewalls (NGFW) can operate at the application level and support grouping resources into microsegments. Employed in a Zero Trust architecture, an NGFW prevents lateral movement and provides better visibility. Anomaly-based IPS can be implemented as one of its security features.
The following are NGFW features mentioned by Imperva:
- Blocking threats at the network edge
- Reverse proxy/web gateway
- Intrusion Detection and Prevention Systems (IDS/IPS)
A next generation firewall (NGFW) provides capabilities beyond that of a stateful network firewall, technology that was first pioneered in 1994 by Check Point Software Technologies. A stateful firewall is a network security device that filters incoming and outgoing network traffic based upon Internet Protocol (IP) port and IP addresses. By intelligently inspecting the payload of some packets, new connection requests can be associated with existing legitimate connections. A next generation firewall adds additional features such as application control, integrated intrusion prevention (IPS) and often more advanced threat prevention capabilities like sandboxing.
Source: Check Point
A honeypot imitates a legitimate server and behaves like “baiting” a suspect. It’s good at detecting intrusions and monitoring attackers’ behavior, but it acts passively and won’t prevent unknown malicious traffic.
References
- Network Access Control
- Captive portal
- Honeypot (computing)
- What is an Intrusion Prevention System – IPS
- Next Generation Firewalls (NGFW)
- What is a Next Generation Firewall (NGFW)?
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.