
Network security applications

This section of the course covers the topic of network hardening and monitoring. Each device, tool, or security strategy put in place by security analysts further protects—or hardens—the network until the network owner is satisfied with the level of security. This approach of adding layers of security to a network is referred to as defense in depth.

In this reading, you are going to learn about the role of four devices used to secure a network—firewalls, intrusion detection systems, intrusion prevention systems, and security incident and event management tools. Network security professionals have the choice to use any or all of these devices and tools depending on the level of security that they hope to achieve.

This reading will discuss the benefits of layered security. Each tool mentioned is an additional layer of defense that can incrementally harden a network, starting with the minimum level of security (provided by just a firewall), to the highest level of security (provided by combining a firewall, an intrusion detection and prevention device, and security event monitoring).

An image showing the differences between a firewall, IPS, and IDS.

Take note of where each tool is located on the network. Each tool has its own place in the network’s architecture. Security analysts are required to understand the network topologies shown in the diagrams throughout this reading.

Firewall

So far in this course, you learned about stateless firewalls, stateful firewalls, and next-generation firewalls (NGFWs), and the security advantages of each of them. 

Most firewalls are similar in their basic functions. Firewalls allow or block traffic based on a set of rules. As data packets enter a network, the packet header is inspected and allowed or denied based on its port number. NGFWs are also able to inspect packet payloads. Each system should have its own firewall, regardless of the network firewall. 

A firewall circled by dashes, protecting the internal network from internet traffic that comes in through the modem.

Intrusion Detection System  

An intrusion detection system (IDS) is an application that monitors system activity and alerts on possible intrusions. An IDS alerts administrators based on the signature of malicious traffic. 

The IDS is configured to detect known attacks. IDS systems often sniff data packets as they move across the network and analyze them for the characteristics of known attacks. Some IDS systems review not only for signatures of known attacks, but also for anomalies that could be the sign of malicious activity. When the IDS discovers an anomaly, it sends an alert to the network administrator who can then investigate further.

The limitations to IDS systems are that they can only scan for known attacks or obvious anomalies. New and sophisticated attacks might not be caught. The other limitation is that the IDS doesn’t actually stop the incoming traffic if it detects something awry. It’s up to the network administrator to catch the malicious activity before it does anything damaging to the network. 

An IDS circled above an image of a switch, which rests between a firewall and the network.

When combined with a firewall, an IDS adds another layer of defense. The IDS is placed behind the firewall and before entering the LAN, which allows the IDS to analyze data streams after network traffic that is disallowed by the firewall has been filtered out. This is done to reduce noise in IDS alerts, also referred to as false positives.

Intrusion Prevention System

An intrusion prevention system (IPS) is an application that monitors system activity for intrusive activity and takes action to stop the activity. It offers even more protection than an IDS because it actively stops anomalies when they are detected, unlike the IDS that simply reports the anomaly to a network administrator.

An IPS searches for signatures of known attacks and data anomalies. An IPS reports the anomaly to security analysts and blocks a specific sender or drops network packets that seem suspect. 

An IPS is situated between a firewall and the internal network.

The IPS (like an IDS) sits behind the firewall in the network architecture. This offers a high level of security because risky data streams are disrupted before they even reach sensitive parts of the network. However, one potential limitation is that it is inline: If it breaks, the connection between the private network and the internet breaks. Another limitation of IPS is the possibility of false positives, which can result in legitimate traffic getting dropped.

Full packet capture devices

Full packet capture devices can be incredibly useful for network administrators and security professionals. These devices allow you to record and analyze all of the data that is transmitted over your network. They also aid in investigating alerts created by an IDS.

Security Information and Event Management

A security information and event management system (SIEM) is an application that collects and analyzes log data to monitor critical activities in an organization. SIEM tools work in real time to report suspicious activity in a centralized dashboard. SIEM tools additionally analyze network log data sourced from IDSs, IPSs, firewalls, VPNs, proxies, and DNS logs. SIEM tools are a way to aggregate security event data so that it all appears in one place for security analysts to analyze. This is referred to as a single pane of glass.
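As an added example (not part of the course reading), the following Python script models the layered architecture described in the firewall, IDS, IPS and SIEM sections above: a port-only firewall, an IDS placed behind it that only alerts, an inline IPS that drops signature matches (including one legitimate request, to show the false-positive risk), and a SIEM list that gathers every layer's events in one place. All ports, signatures and packets are constructed for illustration.

```python
# Defense in depth in miniature: firewall -> IDS (alert) -> IPS (drop) -> SIEM (one dashboard).
# Added example, not from the course reading; all rules, signatures and packets are constructed.
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst_port: int
    payload: str

ALLOWED_PORTS = {80, 443}  # layer 1: a stateless firewall sees header fields only
SIGNATURES = {"sig-sqli": "' OR 1=1", "sig-traversal": "../../"}  # layers 2 and 3: payload signatures

def firewall_allows(pkt: Packet) -> bool:
    """Port-based rule: the firewall never looks at the payload."""
    return pkt.dst_port in ALLOWED_PORTS

def ids_matches(pkt: Packet) -> list[str]:
    """Return the names of known-attack signatures found in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in pkt.payload]

def run_pipeline(packets: list[Packet]) -> tuple[list[Packet], list[dict]]:
    """Return (packets reaching the LAN, SIEM event log). The SIEM only records; it never blocks."""
    delivered, siem = [], []

    def report(source: str, action: str, pkt: Packet, detail: str) -> None:
        siem.append({"source": source, "action": action, "src": pkt.src,
                     "port": pkt.dst_port, "detail": detail})

    for pkt in packets:
        if not firewall_allows(pkt):
            report("firewall", "deny", pkt, f"port {pkt.dst_port} closed")
            continue  # placed behind the firewall, the IDS/IPS never see this packet
        hits = ids_matches(pkt)
        if hits:
            report("ids", "alert", pkt, ",".join(hits))  # IDS: alert only, traffic continues
            report("ips", "drop", pkt, ",".join(hits))   # IPS: inline, packet is discarded
            continue
        delivered.append(pkt)
    return delivered, siem

# Constructed traffic, one packet per outcome the reading describes.
TRAFFIC = [
    Packet("10.0.0.5", 443, "GET /index.html"),                      # benign: delivered
    Packet("10.0.0.6", 23, "login: admin ' OR 1=1"),                 # firewall deny; no IDS alert
    Packet("10.0.0.7", 80, "GET /search?q=' OR 1=1"),                # IDS alert, IPS drop
    Packet("10.0.0.8", 443, "POST /comment text=see ../../README"),  # false positive: legit post dropped
]
```

Calling run_pipeline(TRAFFIC) returns only the first packet as delivered, while the SIEM log shows a single firewall denial and two alert/drop pairs, one of them for the legitimate comment that matched the traversal signature.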

Below, you can review an example of a dashboard from Google Cloud’s SIEM tool, Chronicle. Chronicle is a cloud-native tool designed to retain, analyze, and search data.

Image of the Chronicle dashboard

Splunk is another common SIEM tool. Splunk offers different SIEM tool options: Splunk Enterprise and Splunk Cloud. Both options include detailed dashboards which help security professionals to review and analyze an organization's data. There are also other similar SIEM tools available, and it's important for security professionals to research the different tools to determine which one is most beneficial to the organization.

A SIEM tool doesn’t replace the expertise of security analysts or the network- and system-hardening activities covered in this course; it is used in combination with other security methods. Security analysts often work in a Security Operations Center (SOC) where they can monitor the activity across the network. They can then use their expertise and experience to determine how to respond to the information on the dashboard and decide when the events meet the criteria to be escalated to oversight.

Key takeaways

Firewall
Advantages: A firewall allows or blocks traffic based on a set of rules.
Disadvantages: A firewall is only able to filter packets based on information provided in the header of the packets.

Intrusion Detection System (IDS)
Advantages: An IDS detects and alerts admins about possible intrusions, attacks, and other malicious traffic.
Disadvantages: An IDS can only scan for known attacks or obvious anomalies; new and sophisticated attacks might not be caught. It doesn’t actually stop the incoming traffic.

Intrusion Prevention System (IPS)
Advantages: An IPS monitors system activity for intrusions and anomalies and takes action to stop them.
Disadvantages: An IPS is an inline appliance. If it fails, the connection between the private network and the internet breaks. It might detect false positives and block legitimate traffic.

Security Information and Event Management (SIEM)
Advantages: A SIEM tool collects and analyzes log data from multiple network machines. It aggregates security events for monitoring in a central dashboard.
Disadvantages: A SIEM tool only reports on possible security issues. It does not take any actions to stop or prevent suspicious events.

Each of these devices or tools costs money to purchase, install, and maintain. An organization might need to hire additional personnel to monitor the security tools, as in the case of a SIEM. Decision-makers are tasked with selecting the appropriate level of security based on cost and risk to the organization. You will learn more about choosing levels of security later in the course.
