Network Devices: A Cheatsheet

Madhumita Menon
6 min read · Nov 22, 2023

We have already gone through some simple and common network devices such as the hub, switch and router (refer: link). In this blog, we will go through some other network devices that are less well known.

Firewall: VPN concentrators

A firewall is a network security device that protects certain areas of a network using techniques such as access control lists (ACLs) and stateful packet inspection (SPI). It monitors network traffic and decides, based on a set of security rules, which traffic to allow and which to block. Which area of the network the firewall protects depends on the vendor and model.

Terms I had to google:
Access Control Lists: an ACL contains rules, or sets of permissions, that grant or deny access to resources.
Stateful Packet Inspection: similar to an ACL, SPI is used by firewalls to decide which packets are allowed through the firewall.

The firewall has been the first line of defence in network security for over 25 years. In layman’s language, a firewall is a barrier between a secured, controlled internal network that can be trusted and untrusted outside networks, such as the Internet. A firewall can be hardware, software, software-as-a-service (SaaS), public cloud or private cloud (virtual).
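To make the ACL and stateful-inspection terms above concrete, here is a toy firewall written for this post (it is an added example, not code from the original article or from any firewall vendor). The `Packet`, `Rule` and `StatefulFirewall` names and the sample addresses are all constructed. The ACL is consulted only for packets that open a new connection; replies belonging to an already-allowed connection pass on the strength of the state table, and a TCP packet that pretends to be a reply to a connection the firewall never saw is rejected as out-of-state.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False   # True for the packet that opens a TCP connection


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    dport: Optional[int]  # destination port, None means any port


class StatefulFirewall:
    """Toy firewall (constructed example): an ACL where the first matching rule
    wins, plus a state table so that traffic belonging to a connection that was
    already allowed passes without re-checking the ACL."""

    def __init__(self, rules, default="deny"):
        self.rules = [(r.action, ip_network(r.src), ip_network(r.dst), r.dport)
                      for r in rules]
        self.default = default
        self.state = set()   # established flows: (src, dst, sport, dport, proto)

    def acl_lookup(self, pkt):
        s, d = ip_address(pkt.src), ip_address(pkt.dst)
        for action, src_net, dst_net, dport in self.rules:
            if s in src_net and d in dst_net and dport in (None, pkt.dport):
                return action
        return self.default   # implicit deny when no rule matches

    def process(self, pkt):
        flow = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
        # Stateful part: either direction of a known connection is allowed.
        if flow in self.state or reverse in self.state:
            return "allow (established)"
        # A TCP packet without SYN that matches no known connection is not a
        # genuine reply; drop it without even consulting the ACL.
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny (out-of-state)"
        # ACL part: new connections must be explicitly permitted.
        action = self.acl_lookup(pkt)
        if action == "allow":
            self.state.add(flow)
        return action


# Constructed rule set: internal hosts (10.0.0.0/8) may browse HTTPS and
# resolve DNS; nothing from outside may initiate a connection inwards.
RULES = [
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", 443),
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", 53),
    Rule("deny", "0.0.0.0/0", "10.0.0.0/8", None),
]


def demo():
    """Run a constructed packet sequence through the firewall."""
    fw = StatefulFirewall(RULES)
    packets = [
        Packet("10.0.0.5", "203.0.113.10", 40000, 443, syn=True),  # client opens HTTPS
        Packet("203.0.113.10", "10.0.0.5", 443, 40000),            # the server's reply
        Packet("198.51.100.7", "10.0.0.5", 5555, 22, syn=True),    # outside host tries SSH in
        Packet("198.51.100.7", "10.0.0.9", 443, 40001),            # "reply" to a connection that never existed
        Packet("10.0.0.5", "203.0.113.10", 40002, 25, syn=True),   # internal host, port not in the ACL
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The fourth packet is the one a plain ACL gets wrong: a rule that allows "any source port 443 to inside" would let it through, whereas the state table knows no inside host ever opened that connection.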

Host Intrusion Detection/Prevention Systems (HIDS/HIPS)

This type of network device is used to protect a host device from external malware or unwanted activity that could affect it negatively. A HIDS detects a possible attack on a host device, while a HIPS can both detect and actively mitigate the attack (which a HIDS cannot do, by the way). HIPS relies on third-party software tools to do this.

So, what happens when HIPS detects some unwanted activity?

Once HIPS detects any malicious activity it takes appropriate action:
1. sending an alarm to the computer user,
2. logging the malicious activity for future investigation,
3. resetting the connection,
4. dropping malicious packets or
5. blocking subsequent traffic from the suspect IP address.

But how does HIPS detect the malicious activity?

Most HIPS (revise with me: Host Intrusion Prevention Systems) use known attack patterns called signatures. Although this method is effective, it can only protect the host from known attacks. Since it needs a database of signatures for known attacks, it cannot detect “zero-day” attacks. (The term “zero-day” refers to the fact that the vendor or developer has only just learned of the flaw — which means they have “zero days” to fix it.)

Another approach taken by HIPS is to establish what “normal” activity is for the host device and compare current activity against that “normal”. It detects deviations in bandwidth, protocols and ports (??). When the outlier is above an acceptable level (which usually means that a remote application is trying to open a normally closed port), an intrusion might be in progress. One thing worth noting is that a sudden spike in bandwidth use does not always mean an attack, so this approach requires an educated guess to be made and the chance of a false positive is high.
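The two detection approaches and the five response actions listed above fit together in a small script, added here as an example (it is not code from the original post and not any real HIPS product). The signature set, the baseline statistics, the event records and all names (`signature_hits`, `Baseline`, `respond`, `analyse`) are constructed for the illustration. The anomaly detector learns the host's normal destination ports and traffic volume from a training window and flags a normally unused port or a bandwidth spike; the last sample event is a legitimate backup that trips the spike check, which is the false-positive problem the paragraph warns about, so anomalies alone only raise an alarm rather than blocking.

```python
import re
from statistics import mean, pstdev

# Signature-based detection: patterns of known attacks (constructed sample rule set).
SIGNATURES = {
    "SIG-001 directory traversal in web request": re.compile(r"(\.\./){2,}"),
    "SIG-002 web server spawning a shell": re.compile(r"httpd.*exec /bin/sh"),
}


def signature_hits(event):
    """Names of the known-attack signatures that match this event's message."""
    return [name for name, rx in SIGNATURES.items() if rx.search(event["msg"])]


class Baseline:
    """Anomaly-based detection: learn what 'normal' looks like from a training
    window (ports in use, bytes per event), then flag deviations from it."""

    def __init__(self, training, k=3.0):
        self.ports = {e["dport"] for e in training}
        sizes = [e["bytes"] for e in training]
        # Anything more than k standard deviations above the mean is an outlier.
        self.threshold = mean(sizes) + k * pstdev(sizes)

    def anomalies(self, event):
        found = []
        if event["dport"] not in self.ports:
            found.append(f"port {event['dport']} is normally unused")
        if event["bytes"] > self.threshold:
            found.append(f"bandwidth spike of {event['bytes']} bytes")
        return found


def respond(event, sigs, anomalies):
    """Choose response actions from the five listed in the post."""
    actions = ["log"]                 # always keep a record for later investigation
    if sigs:                          # a known attack pattern: act decisively
        actions += ["alarm", "drop packet", "reset connection", f"block {event['src']}"]
    elif anomalies:                   # only a deviation from normal: alert, let a human decide
        actions += ["alarm"]
    return actions


# Constructed training window: the host normally talks on ports 443 and 22
# and moves roughly a kilobyte per event.
TRAINING = [{"dport": p, "bytes": b, "src": "10.0.0.2", "msg": "ok"}
            for p, b in [(443, 1000), (443, 1200), (22, 1100),
                         (443, 1300), (22, 900), (443, 1500)]]

# Constructed live events to classify.
LIVE = [
    {"id": "web-1", "src": "198.51.100.7", "dport": 443, "bytes": 1100,
     "msg": "GET /index.html"},
    {"id": "web-2", "src": "198.51.100.7", "dport": 443, "bytes": 1150,
     "msg": "GET /../../../../etc/passwd"},
    {"id": "odd-port", "src": "203.0.113.4", "dport": 4444, "bytes": 1000,
     "msg": "connect"},
    {"id": "backup", "src": "10.0.0.2", "dport": 443, "bytes": 50000,
     "msg": "PUT /backup/2023-11-22.tar"},
]


def analyse(live=LIVE, training=TRAINING):
    """Map each live event id to the actions the toy HIPS would take."""
    base = Baseline(training)
    return {e["id"]: respond(e, signature_hits(e), base.anomalies(e)) for e in live}


if __name__ == "__main__":
    for event_id, actions in analyse().items():
        print(f"{event_id}: {', '.join(actions)}")
```

Note the asymmetry in `respond`: a signature hit is trusted enough to drop, reset and block, while a bare anomaly is only escalated to a person, because the baseline cannot tell a backup job from exfiltration.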

A term I googled:
Ports: A computer port is a virtual point where network connections start and end. Ports are software-based and managed by a computer’s operating system. Each port is associated with a specific process or service. Ports allow computers to easily differentiate between different kinds of traffic: emails go to a different port than webpages, for instance, even though both reach a computer over the same Internet connection.

Is antivirus a Host Intrusion prevention system?

An antivirus detects and blocks malicious files. Historically, antivirus and HIPS were different products, but as antivirus software has evolved over time the line separating the two has blurred.

An anti-virus's primary goal is to detect and block access to malicious files, while a HIPS solution has a broader goal: it may track changes in the file system, analyse log files (system and application logs), check the system components to detect any irregularities, and indeed also try to detect potential malware.

A HIPS solution may either be composed of several different pieces of software, with the anti-virus being only one of them, or take the form of an all-in-one solution where a single tool bundles all these functions. Nowadays an end-user's anti-virus is a bit more than a simple anti-virus, and thus, as mentioned before, the line differentiating the two is getting blurred.

  • A basic anti-virus, whose only goal is to detect and block access to malicious files, is only one part of a HIPS solution.
  • Current end-users' anti-virus programs go well beyond this; they are often renamed as security suites and are becoming end-users’ HIPS solutions.

Network Intrusion Detection/Prevention System (NIDS/NIPS)

NIDS/NIPS are similar to HIDS/HIPS except that they protect a group of devices rather than one particular host.

Access Points

As discussed previously, an ethernet switch connects devices to the router. An access point (AP) does the same thing wirelessly: it connects the wired internet to wireless devices like PCs (think of a modem or an internet router).

Visualising an access point

Each access point has a range, and devices inside that range connect to it. If a device moves out of range it will disconnect, and it will connect to another AP if it has moved into that AP’s range. APs can have 60 simultaneous connections!

Wireless Access Points are widely used in:

  1. Businesses: Where multiple devices need to be wirelessly connected to the same network.
  2. Hotspots: Places where public access to the internet is provided like cafes, hotels, shopping malls, etc.
  3. Home Wireless Networks

There are three types of APs:

  1. Consumer APs
    These are just the “wireless routers” found in most of our houses and are used to connect the wired (internet) and wireless clients (PCs, mobile phones, etc.) of a home or small business network. They also provide a Wide Area Network (WAN) port for connection to an Internet service provider (ISP). This WAN port performs routing between a local network and a remote network (the internet). It is also used as a zone separator for a built-in firewall.
  2. Enterprise Autonomous APs
    They act as a bridge between the wireless clients on a network and the wired network. These devices may be managed remotely, but the services delivered are all handled within the AP itself.
  3. Enterprise lightweight APs
    The difference between autonomous and lightweight APs is that the latter are controlled externally by a separate controller. This controller performs a number of functions that are built into autonomous APs. The device is called lightweight because of its brainless nature and its need to be controlled externally.

Content Filters

Content filters are pretty straightforward. They are used to block and control certain types of data from passing through the network. Simply put, content filters are devices that scan and remove unwanted content from the network (e.g. pornography). This is typically built into modern firewalls and some router platforms. Example: the Great Firewall of China.

Load Balancers/Application Delivery Controllers

The functionality of these devices has extended to several different activities, including the following:

  • Local and global load balancing
  • Network and device health monitoring
  • TCP multiplexing
    When a user clicks on a webpage, numerous server requests are sent to the web server, each consuming memory and thus slowing down connections. TCP multiplexing is a way around this problem. A TCP multiplexing system receives TCP/IP requests, combines them and applies logic to the opening and closing of server connections.
  • Support for common network routing protocols
  • Application acceleration
  • Denial-of-service protection
  • Web application firewall
  • Support for virtualization and multi-tenancy
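The load-balancing, health-monitoring and TCP-multiplexing items above can be shown in one small simulation, added here as an example (it is not code from the original post and not any real load balancer's implementation). The `Backend` and `ADC` classes, the backend names and the failing health probe are constructed. One page load of twelve assets is sent through the controller twice: with multiplexing on, each client request borrows a server connection from a pool and returns it, so each backend opens a single connection; with multiplexing off, every request costs the server a fresh connection, which is the memory cost the TCP multiplexing paragraph describes.

```python
from collections import deque


class Backend:
    """A web server behind the controller (constructed for this example)."""

    def __init__(self, name):
        self.name = name
        self.healthy = True
        self.opened = 0        # server-side TCP connections ever opened
        self.idle = deque()    # open connections waiting to be reused

    def acquire(self):
        """Reuse an idle server connection, or open a new one if none is pooled."""
        if self.idle:
            return self.idle.popleft()
        self.opened += 1
        return f"{self.name}#{self.opened}"

    def release(self, conn):
        self.idle.append(conn)


class ADC:
    """Toy application delivery controller: health-checks its backends,
    balances client requests round-robin over the healthy ones and, with
    multiplexing on, funnels many client requests through a small pool of
    persistent server connections instead of one server connection per request."""

    def __init__(self, backends, multiplex=True):
        self.backends = backends
        self.multiplex = multiplex
        self.next = 0

    def health_check(self, probe):
        """Mark each backend healthy or not according to a probe function."""
        for b in self.backends:
            b.healthy = probe(b)

    def choose(self):
        healthy = [b for b in self.backends if b.healthy]
        if not healthy:
            raise RuntimeError("no healthy backends")
        b = healthy[self.next % len(healthy)]
        self.next += 1
        return b

    def handle(self, request):
        b = self.choose()
        conn = b.acquire()
        response = f"{b.name} served {request} over {conn}"
        if self.multiplex:
            b.release(conn)   # keep the server connection open for the next client request
        # else: the connection is closed after this one request and never reused
        return response


def serve_page(assets, multiplex):
    """Serve one page load (one request per asset) and report how many
    server-side connections each backend had to open."""
    backends = [Backend("A"), Backend("B"), Backend("C")]
    adc = ADC(backends, multiplex=multiplex)
    adc.health_check(lambda b: b.name != "C")   # constructed: backend C fails its probe
    for asset in assets:
        adc.handle(asset)
    return {b.name: b.opened for b in backends}


ASSETS = [f"/asset{i}.js" for i in range(12)]   # constructed: a page that pulls 12 files

if __name__ == "__main__":
    print("multiplexed:", serve_page(ASSETS, multiplex=True))
    print("one connection per request:", serve_page(ASSETS, multiplex=False))
```

The simulation handles requests one at a time, so a pool of one connection per backend suffices; a real controller serving concurrent clients keeps a small pool per backend, but the saving is the same in kind.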

Packet Shapers/Policers

These devices are like the traffic police of the network: they control the flow of data into or out of a specific device. Shaping or policing functionality is typically built into routers (and some switches) to deal with times when network demand exceeds the capacity of a device or its port. When there is no congestion in the network, this functionality is not needed.
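The difference between policing and shaping is easiest to see in code. The example below is added here and is not from the original post or any router vendor; it uses a token bucket, which is the usual model for both functions, with constructed packet timings and a constructed rate of 1000 bytes per second and a burst allowance of 1000 bytes. A burst of five 500-byte packets arrives at once: the policer lets the first two through on stored credit and drops the other three, while the shaper queues them and releases one every half second, delaying rather than dropping. The lone packet that arrives later, when there is no congestion, passes both untouched, matching the last sentence above.

```python
class TokenBucket:
    """Credit bucket: holds at most `burst` bytes, refilled at `rate` bytes/second."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = 0.0

    def refill(self, now):
        """Add the credit earned since the last refill, capped at the burst size."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def take(self, size):
        """Spend `size` bytes of credit if available."""
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def police(packets, rate, burst):
    """Policer: a packet that exceeds the profile is dropped on the spot;
    nothing is buffered. Returns (passed, dropped) as (time, size) pairs."""
    bucket = TokenBucket(rate, burst)
    passed, dropped = [], []
    for t, size in packets:
        bucket.refill(t)
        (passed if bucket.take(size) else dropped).append((t, size))
    return passed, dropped


def shape(packets, rate, burst):
    """Shaper: an out-of-profile packet waits in a FIFO queue until enough
    credit has accrued, so it leaves late instead of being dropped.
    Returns (departure_time, size) pairs."""
    bucket = TokenBucket(rate, burst)
    sent = []
    last_departure = 0.0
    for t, size in packets:
        now = max(t, last_departure)          # FIFO: cannot leave before the packet ahead
        bucket.refill(now)
        if not bucket.take(size):
            now += (size - bucket.tokens) / rate   # wait for the missing credit
            bucket.refill(now)
            bucket.take(size)
        sent.append((now, size))
        last_departure = now
    return sent


# Constructed traffic: a 2500-byte burst at t=0, then a lone packet at t=5.
PACKETS = [(0.0, 500)] * 5 + [(5.0, 500)]
RATE, BURST = 1000, 1000   # constructed profile: 1000 B/s with a 1000 B burst allowance

if __name__ == "__main__":
    passed, dropped = police(PACKETS, RATE, BURST)
    print("policer passed:", passed)
    print("policer dropped:", dropped)
    print("shaper departures:", shape(PACKETS, RATE, BURST))
```

Policing is cheap and keeps no queue, which is why it suits an ingress port where the device simply refuses excess; shaping costs buffer memory and adds latency but keeps the data, which is why it is preferred on egress towards a slower link.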
