In terms of supervision and IT protection, 4 families of solutions designed to guarantee the best quality of service are historically present on the market: Firewall,Network Intrusion Detection System(NIDS),Network Intrusion Prevention System(NIPS)and monitoring tools. The first 3 are particularly security oriented while the last one allows to go beyond this simple framework to be part of issues such as the quality control of networks or billing.
The following overview presents 4 families of current solutions and opens the perspective of answers for the future.
By blocking unwanted inbound and outbound traffic, firewalls are intended to:
- Prevent basic attacks;
- Prevent network users from accessing certain sites;
- Avoid the use of protocols whose ports are (usually) fixed.
Capable of handling large or even very large speeds (100 Gbps and more), firewalls are limited to simple processing rules. The latter are very often based on a simple correlation between the IP and the port, sometimes a REGEX (ie. regular expression) simple in the data (payload) is also taken into account. This simplicity explains their lack of precision.
Traditional firewalls do not make protocol classification. However, some may embed NIDS within them in order to propose the writing of more precise rules (e.g. instead of blocking the entire web feed, we will only block a particular site). Nevertheless, the flows then treated are significantly lower.
In summary, firewalls are able to take into account large speeds with a small footprint, but with limited protection features.
Network Intrusion Detection System (NIDS)
Generally limited to speeds of the order of 10 Gbit/s, this tool is intended to warn network managers of events of malicious origin. It is based on a more in-depth analysis of the contents of the packets than that of the firewall. It is generally able to decode and use the information conveyed by major protocols (HTTP for example).
Its alerts are based on more complex and advanced detection rules than those of a firewall (mostly SNORT rules). They can be very accurate when they rely on known protocol fields (Host field of the HTTP protocol for example). They can also be much more general and then very similar to those of a firewall. These specificities give the tool a flexibility and precision that the firewall does not have.
In summary, NIDS are able to warn network managers more accurately than a firewall, but are unable to block unwanted flow. Unlike firewalls, the rates supported by NIDS are greatly reduced.
Network Intrusion Prevention System (NIPS)
This tool is nothing more than a merger between a firewall and a NIDS. It therefore makes it possible to block traffic more precisely than a firewall. Despite these particularly interesting functional characteristics, NIPS does not solve the problem of low throughput supported by NIDS.
Monitoring tools allow monitoring, usually delayed, of the state of the network. These tools are available in two main families.
The first, called specialized, is made for the in-depth study of specific business protocols. It is limited to low speeds (1-10 Gbit/s) and is intended to provide a comprehensive view of certain parts of the network.
The second, more general, is made for a global study of the network by means of summary statistics on the sessions viewed. It is usually integrated with network equipment (mainly routers) and supports higher speeds (up to 100 Gbps). It can also, if necessary, make a brief sampling of the packets passing over the network (of the order of one packet out of 10,000).
In summary, monitoring tools are able, depending on their family, to provide a fine but partial view of the network or an overview but not very detailed.
A common engine: protocol analysis
The tools previously discussed all need to identify and extract information from communication protocols. There are different ways to approach this analysis: it can be succinct and fast like the one performed in firewalls or more accurate and slower like the one found in NIDS.
The brief analysis is based solely on the ports in order to “identify” the protocols, which implies many false detections. The in-depth analysis, on the other hand, dives into the heart of the packets in order to recognize the signatures of the protocols which theoretically offers a very good level of confidence.
In addition, this deep analysis involves many calculation operations which limits the supported throughput. In addition, to guarantee suitable flows, it deliberately closes its eyes to the increasing complexity of the networks and is limited to the beginning of analysis from layer 3 (non-management of tunnelling).
In summary, it is indisputable that protocol analysis is vital to network supervision. It is also undeniable that the reliability of current solutions is hampered by the explosion in flows and the increasing complexity of networks.
NANO Corp: next-generation solutions for monitoring your networks
With revolutionary protocol analysis technology, NANO Corp solutions complement and enhance the current tools in place on your systems.