Devices that pick up the raw data - firewalls, IPS devices, application logs, authentication logs, etc.
Systems that make sense of all the diverse information picked up by sensors: SIEM consoles, proprietary consoles, etc.
Simple blocks of data are examined; not their own devices, usually part of another device or server; commonly used in Linux
State-based advanced filtering by IP address, port, application, and content; commonly placed at the network ingress/egress, sometimes placed on internal networks
An intermediate server that makes requests on behalf of the client and can perform filtering
This appliance is installed on one side of a VPN connection, with another at the other end of the VPN tunnel; uses L2TP
HTTPS requires an encrypted handshake for communication, which creates a lot of load; this device sits in the middle and strips off the SSL so the web server does not have to decrypt
Placed between the users and the service, with multiple ways to distribute the traffic
Lowering the probability of attack by using a cloud service to filter, or by using on-site tools such as IP address rules; firewalls should have some of this functionality
To capture packets, you must have tools to get the raw data into an analysis tool; this is the physical way (see diagram)
To capture packets, you must have tools to get the raw data into an analysis tool; this is a software tap built into a switch, which is not as good