Devices that pick up the raw data - firewalls, IPS devices, application logs, authentication logs, etc.
.
Systems to make sense of all the diverse information picked up by sensors - SIEM consoles, proprietary consoles, etc.
.
Simple blocks of data examined - not their own devices, usually part of another device or server; commonly used in Linux
.
State based advanced filtering by ip address, port, app, and content; commonly placed on the network ingress/egress; sometimes placed on internal networks
.
An intermediate server making requests on behalf of the client which can do filtering
.
This appliance is installed on side of a VPN connection and another on the other end of the VPN tunnel; uses L2TP
.
HTTPS requires encrypted handshake for communication, so takes a lot load - this device strips off the SSL as a device in the middle so web server doesn't have to decrypt
.
Placed between the users and the service - with multiple was to distribute
.
Lowering the probability of attack by using cloud service to filter, or use on site tools such as IP address rules; firewalls shoud have some functionality
.
To capture packets, must have tools to get the raw data into an analysis tool - this is a physical way - see diagram
.
To capture packets, must have tools to get the raw data into an analysis tool - this is a software tap built into a switch; not as good
.
|
