Dilbert on Network Security

VPN

A VPN is designed to allow you to make a secure, private connection over an open network (e.g., the Internet).

I love this description from Tom Leek:

A private network is a network consisting of cables and computers which are physically separated from the rest of the World. This makes for good security, and, furthermore, convincingly good security (having security is part of the goal, but you also want to know it).

A VPN is the cheap emulation of a private network: the wires are still linked with the Internet; the isolation is done with mathematics (cryptography) instead of physics.

VPNs are somewhat of a commodity these days, and are a wise component to have in your security stack as they:

  • Encrypt traffic from remote endpoints to your corporate network, mitigating eavesdropping and man-in-the-middle attacks
  • Restrict access to your corporate network unless the client is using a VPN

Nowadays, VPN services have cropped up and started to muddy the waters. Their primary benefit isn’t security, but rather anonymity.

Take Tunnelbear for instance:

Tunnelbear lets you appear as if you’re browsing the web from a different country, hide from shady advertisers, and cover your tracks. Very helpful if you’re trying to evade government oppression; probably not the thing you’re looking for to bolster Acme, Inc.’s network security.

Firewalls, IPS, and IDS

Fellowship of the Token Ring

The line between firewalls, IPS, and IDS has certainly blurred over time. The mutual goal, however, is to detect or prevent malicious network traffic. They come in the form of hardware devices, virtual appliances, or software.

Let’s pick them each apart.

Firewalls

Early firewalls would inspect packet headers to decide whether they should be rejected based on things like flags, protocol type, source address, destination address, source port, and/or destination port. More sophisticated firewalls inspect entire packets. A firewall has a bunch of “pass” rules that dictate what is allowed through.

This is basically your airline check-in desk clerk. He checks your ID. If the ID looks good, you’re in. He doesn’t pat you down or search your pockets.

Intrusion Prevention Systems (IPS)

An IPS is sort of the inverse of a firewall. Instead of looking for reasons to let traffic pass through, it’s looking for reasons to deny traffic. Another distinction is that an IPS analyzes whole packets–both headers and payloads–for malicious content.

Continuing our analogy, IPS is airport security. He’s not only going to check your ID, he’s going to make you empty your pockets and x-ray your bags. And if you’ve got an oversized bottle of hair gel, it’ll be trashed at the gate.

You generally want to deploy your IPS so that it sees as much unencrypted traffic as possible (e.g. “inside” your VPN concentrator). Otherwise it won’t be able to inspect packets. If traffic is encrypted end-to-end, with HTTPS, SFTP, IPsec, SSH, etc., your IPS will be extremely limited.

It’s also a best practice to implement IPS in passive mode with the default policy to start so you can see what traffic would be denied. It can take some time to tweak your policies to find the sweet spot where you’re dropping truly evil packets and not accidentally disrupting the business.

Some things to be aware of:

  • Some IPSs are only good at blocking known attacks because they use a signature database to decide what is malicious; better ones can do behavioral analysis and understand contexts around your hosts
  • Can’t inspect traffic over encrypted protocols (as mentioned above)
  • Possibility for false positives to disrupt business

Intrusion Detection Systems (IDS)

IDS predates IPS and is purely about visibility. It’ll report on traffic that appears malicious, but it won’t take action.

Many organizations use an IPS that allows you to set it into passive mode (making it effectively an IDS) or active mode, thus obviating IDS.
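To make the firewall / IPS / IDS split above concrete, here is a toy model, added as an illustration and not taken from any product: the firewall holds header-only "pass" rules with a default deny, the IPS holds payload "deny" signatures, and passive mode alerts without dropping. All addresses, rules, signatures and packets are constructed samples.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""

# Firewall "pass" rules: header fields only. Constructed for a documentation network.
PASS_RULES = [
    ("tcp", "203.0.113.10/32", 443),
    ("tcp", "203.0.113.10/32", 80),
    ("udp", "203.0.113.53/32", 53),
]

# IPS "deny" signatures: matched against the payload. Constructed sample patterns.
DENY_SIGNATURES = {
    "path-traversal": b"../../",
    "test-malware-marker": b"TEST-MALWARE-MARKER",
}

def firewall_allows(pkt):
    """Pass only if some rule matches the headers; otherwise default deny."""
    dst = ipaddress.ip_address(pkt.dst)
    return any(pkt.proto == proto and pkt.dport == port
               and dst in ipaddress.ip_network(net)
               for proto, net, port in PASS_RULES)

def ips_matches(pkt):
    """Names of every deny signature found in the payload."""
    return [name for name, pattern in DENY_SIGNATURES.items() if pattern in pkt.payload]

def inspect(pkt, ips_mode="passive"):
    """Return (verdict, alerts). Passive mode only alerts; active mode drops on a match."""
    if not firewall_allows(pkt):
        return "drop:firewall", []
    alerts = ips_matches(pkt)
    if alerts and ips_mode == "active":
        return "drop:ips", alerts
    return "pass", alerts

# Constructed sample traffic; OPAQUE stands in for ciphertext the IPS cannot read.
NORMAL = Packet("198.51.100.7", "203.0.113.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\n")
SUSPECT = Packet("198.51.100.7", "203.0.113.10", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n")
TELNET = Packet("198.51.100.7", "203.0.113.10", "tcp", 23)
OPAQUE = Packet("198.51.100.7", "203.0.113.10", "tcp", 443, bytes.fromhex("17030300209f3a"))

if __name__ == "__main__":
    for pkt in (NORMAL, SUSPECT, TELNET, OPAQUE):
        print(pkt.dport, inspect(pkt, "passive"), inspect(pkt, "active"))
```

The SUSPECT packet has perfectly valid headers, so the firewall passes it; only the payload check flags it, and only active mode drops it.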

IDS doesn’t necessarily have to sit in front of your network because it’s not blocking anything. It can inspect traffic anywhere in your network, which comes in handy. With IDS a network security engineer can spot things like:

  • Users running applications that violate policy
  • Suspicious traffic patterns typical of certain viruses or malware
  • Data exfiltration
  • Keyloggers and Trojans

You can also pipe these alerts to your SIEM.

Next Generation Firewalls (NGFW) and Unified Threat Management (UTM)

Wouldn’t it be great to shed all the network security confusion by squishing firewalls, IPS, and IDS into one thing?

The industry tried. And we got two things: NGFW and UTM. Not because it makes sense to have two things, but because vendors want to sell to different market segments.

The goal of NGFW is to “combine traditional port and protocol filtering with IDS/IPS functionality and the ability to detect application-layer traffic; over time they added more features like deep-packet inspection and malware detection.”

But SMBs can’t afford something that’s next-gen! Nor can they handle the complexity of owning both a firewall and IPS, so the more affordable UTM was born. A watered-down, budget version of NGFW with the same promise of being a one-stop-shop for network security.

As Gartner analyst Greg Young puts it:

“The confusion came from SMB vendors trying to move into the enterprise market without making channel and quality changes. It was an intentional campaign to confuse, but very few end users are confused about what they need. It is either a racecar [NGFW] or a family van [UTM].”

Godspeed, newly-minted netsec engineers.
