HLBR - Hogwash Light BR

Translated from http://hlbr.sourceforge.net/ips.html by André Bertelli Araújo (lliberte a gmail com).
Last update: 18 Dec 05.

IPS Definition

IPS (Intrusion Prevention System) is a system similar to an IDS (Intrusion Detection System), but with the goal of actively preventing an attack, not only detecting it. The difference between the two is that an IPS, in addition of being able to detect anomalous traffic, is also able to handle it. This way, it's possible to achieve a higer degree of network security. IPS are components in a firewall system. 

Firewall systems

Many don't know the correct meaning of the word firewall. Firewall is an integrated protection system used in computer networks. This system is made of packet filters, state filters, IDS, IPS, proxies, network antivirus, etc. So, for example, it is wrong that a machine running Iptables is the firewall of a network. That's because Iptables is merely a packet and states filter. It can only analyse data from the headers of the IP packets passing through it (this means only source and destination addresses, source and destination ports, transport protocol used, and so on). A packet and states filter can't, for example, analyse the contents of a packet (payload). Assuming that any machine in the internet can connect to the port 80 of our web server or to the port 25 of our e-mail server, a packet with an attack or virus will pass through Iptables and will get in our network. Iptables only checks the packet source and destination, ignoring its contents.

The following picture shows an example of a firewall system. The gray area represents the system.

Firewall Sysytem

In this case the IPS used, HLBR, was positioned before the iptables packet filter. This way we can even protect the iptables machine itself. It is also clear from the picture that it isn't possible to provide a reasonable degree of security to a network only with a machine running a packet and states filter (as people usually do).

Now, look at the following picture:

Firewall System

Another HLBR was connected between the internal network and the network servers, in order to provide an even higher degree of security to these servers. Also, a honeypot or honeynet was implemented just after the Internet, because HLBR can divert the attacks to that honeypot/net.

The most important conclusion is that a firewall system must be made from several security elements. Each element works in a different way and one doesn't replace the others.
SourceForge.net Logo