
Firewall & IDS/IPS

Deploy pfSense, Palo Alto, Suricata and Snort rules. Custom threat signatures. Protect your network perimeter.


Firewall, IDS, and IPS: The Defense Trinity

These three technologies form the foundation of network security. Firewalls filter traffic based on rules. IDS (Intrusion Detection Systems) monitor and alert on suspicious activity. IPS (Intrusion Prevention Systems) actively block threats in real-time.

🔥 Firewall

Acts as a barrier between networks

  • Packet filtering (IP, port, protocol)
  • Stateful inspection (tracks connections)
  • Application-layer filtering (L7)
  • NAT and VPN support

👁️ IDS

Monitors and alerts (passive)

  • Signature-based detection
  • Anomaly detection (ML/statistical)
  • Protocol analysis
  • Out-of-band monitoring

🛡️ IPS

Detects AND blocks (active)

  • Inline deployment (in traffic path)
  • Real-time threat blocking
  • Signature + behavioral analysis
  • Can drop malicious packets

Enterprise Solutions

Next-Gen Firewalls (NGFW)

Palo Alto Networks:

App-ID, User-ID, Content-ID, Threat Prevention

Fortinet FortiGate:

SD-WAN, AI-powered security, high performance

Cisco Firepower:

Integrated IPS, malware defense, URL filtering

pfSense (Open Source):

FreeBSD-based, Snort/Suricata integration, free

IDS/IPS Systems

Snort:

Open-source IDS/IPS, rule-based, widely deployed

Suricata:

Multi-threaded, GPU acceleration, IPS + NSM

Zeek (Bro):

Network monitoring, deep protocol analysis

Security Onion:

All-in-one distro (Suricata + Zeek + ELK)

Detection Methods

Signature-Based:

Match known attack patterns (e.g., Snort rules for SQL injection, shellcode). Fast but can't detect zero-days.

Anomaly-Based:

Establish baseline behavior, alert on deviations (e.g., unusual traffic volume, new protocols). Detects novel attacks but higher false positives.

Protocol Analysis:

Decode protocols (HTTP, DNS, SMB) and detect violations (e.g., malformed packets, protocol abuse).

Heuristic/Behavioral:

Use ML or statistical models to identify suspicious behavior patterns (e.g., port scanning, data exfiltration).

Deployment Architecture

IDS: Passive Mode (SPAN/TAP)

IDS receives a copy of traffic (doesn't sit in traffic path)

Internet → Firewall → Switch (SPAN port) → IDS
                        └─→ Internal Network (traffic flows normally)

✓ No impact on network performance if IDS fails

⚠ Cannot block attacks in real-time

IPS: Inline Mode

IPS sits in the traffic path (active blocking)

Internet → Firewall → IPS → Internal Network
(all traffic must pass through IPS)

✓ Can drop malicious packets in real-time

⚠ IPS failure = network outage (requires HA)

Snort Rule Examples

Detect SQL Injection attempt:

alert tcp any any -> any 80 (msg:"SQL Injection attempt"; content:"union select"; nocase; sid:1000001;)

Block ICMP flood (DDoS):

drop icmp any any -> $HOME_NET any (msg:"ICMP flood detected"; threshold:type both,track by_src,count 100,seconds 1; sid:1000002;)

Detect port scan (Nmap SYN scan):

alert tcp any any -> $HOME_NET any (flags:S; threshold:type both,track by_src,count 20,seconds 60; msg:"Port scan detected"; sid:1000003;)

Best Practices

  • Defense in Depth: Use firewall + IDS/IPS together (layered security)
  • Regular Rule Updates: Keep signatures current (Snort, Suricata rulesets updated weekly)
  • Tune for Environment: Reduce false positives by customizing rules for your network
  • SIEM Integration: Forward IDS/IPS alerts to Splunk/ELK for correlation
  • High Availability: Deploy IPS in HA pairs to avoid single point of failure
  • SSL/TLS Inspection: Decrypt HTTPS traffic to inspect (with proper legal/privacy considerations)

Evasion Techniques Attackers Use

  • Fragmentation: Split attacks across multiple packets to evade signature matching
  • Encryption: Use SSL/TLS to hide payloads (requires IDS/IPS with decrypt capability)
  • Obfuscation: Encode payloads (Base64, URL encoding) to bypass simple string matching
  • Timing Attacks: Slow scans below threshold detection (e.g., 1 port/hour)
  • Polymorphic Malware: Change signature on each execution to evade detection
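As an added example (not code from the page, nor Snort itself), the Python below re-implements the three Snort rules from the previous section, content matching with nocase plus the threshold:type both,track by_src counter, over constructed traffic records, and demonstrates the Obfuscation evasion above: a URL-encoded UNION%20SELECT slips past raw string matching and is only caught once the payload is decoded before matching, the way Snort's HTTP preprocessor normalizes URIs. All addresses, timestamps and payloads are constructed sample data.

```python
from urllib.parse import unquote

# Constructed traffic records: (ts_seconds, src, dst_port, proto, tcp_flags, payload)
TRAFFIC = (
    [(0.0, "10.0.0.5", 80, "tcp", "PA", "GET /items?id=1 UNION SELECT user,pass")]
    + [(0.1, "10.0.0.6", 80, "tcp", "PA", "GET /items?id=1%20UNION%20SELECT%20x")]  # URL-encoded
    + [(1.0 + i * 0.005, "10.0.0.7", 0, "icmp", "", "") for i in range(150)]       # ICMP flood, <1 s
    + [(5.0 + i, "10.0.0.8", 1000 + i, "tcp", "S", "") for i in range(25)]          # SYN scan, 25 ports
)

class Threshold:
    """Snort 'threshold: type both, track by_src, count N, seconds S':
    fire once per source per S-second window, and only after N hits in that window."""
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> [window_start, hits, already_fired]

    def hit(self, src, ts):
        st = self.state.setdefault(src, [ts, 0, False])
        if ts - st[0] >= self.seconds:       # window expired: start a fresh one
            st[:] = [ts, 0, False]
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return True
        return False

def build_rules():
    """The page's three rules as (sid, action, matcher) tuples; thresholds are per rule."""
    icmp_thr, syn_thr = Threshold(100, 1), Threshold(20, 60)
    return [
        # sid 1000001: tcp to port 80, content:"union select"; nocase;
        (1000001, "alert", lambda p: p[3] == "tcp" and p[2] == 80 and "union select" in p[5].lower()),
        # sid 1000002: drop icmp once 100 packets/s are seen from one source
        (1000002, "drop", lambda p: p[3] == "icmp" and icmp_thr.hit(p[1], p[0])),
        # sid 1000003: alert on 20 bare SYNs from one source within 60 s
        (1000003, "alert", lambda p: p[3] == "tcp" and p[4] == "S" and syn_thr.hit(p[1], p[0])),
    ]

def run(traffic, normalize=True):
    """Return (sid, action, src) events. normalize=True URL-decodes payloads before
    matching; normalize=False matches raw bytes and so misses encoded payloads."""
    rules, events = build_rules(), []
    for pkt in traffic:
        if normalize:
            pkt = pkt[:5] + (unquote(pkt[5]),)
        for sid, action, match in rules:
            if match(pkt):
                events.append((sid, action, pkt[1]))
    return events
```

With normalization on, both SQL injection attempts, the ICMP flood and the SYN scan each produce exactly one event; with it off, the percent-encoded request from 10.0.0.6 goes undetected.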

Firewall & IDS/IPS Simulator

Switch between modes to see how firewalls, IDS, and IPS handle malicious traffic differently.


Detection Rules

  • SQL Injection Detection: Pattern: union select | Action: block
  • Port Scan Detection: Pattern: SYN flood | Action: alert
  • DDoS Protection: Pattern: ICMP flood | Action: block
  • Malware Signature: Pattern: eval(base64 | Action: block

Current Mode: FIREWALL

Firewall mode only allows/blocks based on IP, port, and protocol. No deep packet inspection.

Copyright © 2025 JMFG. All rights reserved.