Question

How does "encryption in-flight" using IPSec, SSL, or TLS impact the visibility of Network Intrusion Detection/Prevention? Why don't firewalls have the same visibility issue? Why don't Host based Intrusion Detection/Prevention Systems have the same visibility issue? Why don't Proxy Servers have the same visibility issue?

Answer 1

1.How does "encryption in-flight” using
IPSecimpact the visibility of Network Intrusion
Detection/Prevention?

IPsec is a security technology that works with IP. It has
two basic modes. In the first mode, it provides
cryptographic authentication of packets. That way you
can truly trust who they came from. That's not
interesting for a VPN.

However, IPsec’s second mode actually provides an
encrypted tunnel. This is a very commonly used
mechanism for implementing a VPN solution

IPsec, also known as the Internet Protocol Security or
IP Security protocol, defines the architecture for
security services for IP network traffic. IPsec describes
the framework for providing security at the IP layer, as
well as the suite of protocols designed to provide that
security, through authentication and encryption of IP
network packets. Also included in [IPsec are protocols
that define the cryptographic algorithms used to
encrypt, decrypt and authenticate packets, as well as
the protocols needed for secure key exchange and key
management.

2.Why don't firewalls have the same visibility issue?
Originally firewalls provided basic network packet
filtering and routing based on hosts, ports and
protocols. They enforced the boundary between a
network and the rest of the world, and patrolled the
boundaries within that network.

These firewalls were effective at limiting the exposure
of services to iust the computers and networks that
needed access to them, reducing the attack surface
available to hackers and malware on the outside.

Of course attackers don’t stand still so attacks evolved
to exploit the services that firewalls left exposed:
attacking vulnerabilities in applications and servers, or
using social engineering to gain a foothold inside a
network through email or compromised websites.
Firewall technology evolved too, moving up the OS!
stack to Layer 7 where it could identify and control
traffic based on the originating user or application, and
where deep inspection technologies could look for
threats inside the content of application traffic.

3.Why don't Host based Intrusion Detection/Prevention
Systems have the same visibility issue?

Host-based intrusion prevention systems (HIPS) are
software solutions that protect against unauthorized
access and malicious attacks. They are installed directly
on endpoint systems (the host) such as desktops,
laptops, and servers and help prevent malware and
hackers from wreaking havoc on an organization’s IT
infrastructure.

A HIPS is part personal firewall, part intrusion
detection system, and part antivirus/malware. By
integrating many different solutions together in a
single package, a HIPS solution provides more
protection than any of these solutions would on its
own.

On the other hand, a host-based intrusion detection
system (HIDS) alone would only alert you to a
malicious event, while a HIPS can actively take
measures to stop an attack. And unlike a standalone
antivirus solution, which simply detects infected files
based on signatures, a HIPS solution can actively take
measures to secure a system in the face of danger,
such as blocking malicious packets, closing ports, or disabling USB access to minimize damage. HIPS
solutions provide an extra layer of protection in a
multi-layer security system and can be used in
conjunction with network-based intrusion prevention
and detection systems.
Network-based intrusion prevention systems (NIPS)
protect against malicious attacks by analyzing and
filtering suspicious network traffic if necessary. They
are often appliance-based solutions (although open-
source software solutions also exist) that sit inline near
the edge of a network.

4.Why don't Proxy Servers have the same visibility issue?
When proxy servers go down, the calls seem to come
all at once. “Is there a problem with the proxy server?"
"| can't get to my Web site.” "I keep getting this
message saying the computer can't find the server.”
Admittedly, many browsers and proxy servers don't
explain to users what went wrong with their request.
However, you can categorize nearly every proxy server
problem into one of four categories:

The browser or client is misconfigured.

The URL or Web site is down.

Connectivity or network problems exist.

An actual proxy server problem exists.
When | troubleshoot a proxy server call, | always try to
set up my process of elimination according to these
four bullets.
Local Client and Browser Configuration
A misconfigured browser is a common error that proxy
server administrators face. In many environments,
users can modify their browser settings without
restriction, which often leads to users changing
important proxy server settings.
To ensure appropriate proxy server configuration for
every user's browser, you can use system policies to prevent users from altering settings. Windows NT 4.0
first introduced system policies, which mainly covered
desktop and environment settings. Policies that affect
Microsoft Internet Explorer (IE) first appeared in IE 3.0,
but Microsoft later greatly enhanced these policies in
the Internet Explorer Administration Kit.