Ch4 NIS

The document discusses network and information security, specifically firewalls and intrusion detection systems. It covers the need for firewalls, types of firewalls like packet filters, stateful packet filters, and application gateways. It also discusses firewall configuration, limitations, DMZ, intrusion detection systems, vulnerability assessment, misuse detection, anomaly detection, network-based IDS, host-based IDS, and honeypots.

Uploaded by shrey6346

Network and Information Security (NIS)

Unit 4: Firewall and Intrusion Detection Systems


C22620.d: Apply measures to prevent attacks on network using firewall.

DEPARTMENT OF COMPUTER ENGINEERING


1. Firewall: Need of Firewall
2. Types of firewall: Packet Filters
3. Stateful Packet Filters
4. Application Gateways
5. Circuit Gateways
6. Configuration, limitations
7. DMZ
8. Intrusion Detection System: Vulnerability Assessment
9. Misuse Detection, Anomaly Detection
10. Network-Based IDS
11. Host-Based IDS
12. Honeypots

Need of Firewall
Information systems have grown from one central computer into networks that reach the Internet:
• Centralized data processing system, with a central mainframe supporting a number of directly connected terminals
• Premises network, consisting of a number of LANs interconnecting PCs, servers, and perhaps a mainframe or two
• Enterprise-wide network, consisting of multiple, geographically distributed premises networks interconnected by a private wide area network (WAN)
• Internet connectivity, in which the various premises networks all hook into the Internet and may or may not also be connected by a private WAN
Why a firewall is needed:
• Internal network and hosts are unlikely to be properly secured.
• The Internet is a dangerous place, with criminals, users from competing companies, disgruntled ex-employees, spies from unfriendly countries, vandals, etc.
• To prevent an attacker from launching denial-of-service attacks on network resources.
• To prevent illegal modification of, or access to, internal data by an outside attacker.

What Firewalls do
• Protect the resources of an internal network:
  - Restrict external access.
  - Log network activities.
  - Intrusion detection.
  - Protection against DoS.
  - Act as an intermediary.
• Centralized security management:
  - Carefully administer one firewall to control the Internet traffic of many machines.
  - Internal machines can then be administered with less care.

Firewall
A firewall is simply a program or hardware device that filters the information coming through the Internet connection into your private network or computer system.
• It is hardware, software, or a combination of both, used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer.

Firewall
Hardware Firewalls
• Protect an entire network
• Implemented on the router level
• Usually more expensive, harder to configure
Software Firewalls
• Protect a single computer
• Usually less expensive, easier to configure

Top 10 Firewalls

How does a software firewall work?
It inspects each individual "packet" of data as it arrives at either side of the firewall and determines whether it should be allowed to pass through or be blocked.

Types of Firewall
1. Packet filter (stateless and stateful)
2. Application-level gateway
3. Circuit-level gateway

These three categories, however, are not mutually exclusive. Modern firewalls have a mix of abilities that may place them in more than one of the three categories.

Packet Filtering Firewall
A packet filtering firewall looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. It applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet.

Packet Filtering Firewall
The firewall is typically configured to filter packets going in both directions (from and to the internal network). Filtering rules are based on information contained in a network packet:
• Source IP address: the IP address of the system that originated the IP packet (e.g., 192.178.1.1)
• Destination IP address: the IP address of the system the IP packet is trying to reach (e.g., 192.168.1.2)
• Source and destination transport-level address: the transport-level (e.g., TCP or UDP) port number, which identifies applications such as SNMP or TELNET
• IP protocol field: defines the transport protocol
• Interface: for a firewall with three or more ports, which interface of the firewall the packet came from or which interface of the firewall
Packet Filtering Firewall
The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header. If there is a match to one of the rules, that rule is invoked to determine whether to forward or discard the packet. If there is no match to any rule, then a default action is taken.
Two default policies are possible:
• Default = discard: that which is not expressly permitted is prohibited.
• Default = forward: that which is not expressly prohibited is permitted.
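The rule list and the two default policies above can be exercised directly. The following is an added example, not code from the slides: a first-match packet filter over the header fields the slides list (source and destination address, protocol, destination port, arriving interface). The addresses, the rule set and the internal network 192.168.1.0/24 are constructed for the demonstration; the same rule set is evaluated once with default = discard and once with default = forward so the effect of the default policy on an unmatched packet is visible.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed packet model: only the header fields a packet filter inspects.
@dataclass(frozen=True)
class Packet:
    src: str               # source IP address
    dst: str               # destination IP address
    proto: str             # IP protocol field: "tcp", "udp" or "icmp"
    dport: Optional[int]   # destination transport-level port (None for icmp)
    iface: str             # interface the packet arrived on: "outside" or "inside"

@dataclass(frozen=True)
class Rule:
    action: str                  # "forward" or "discard"
    src: str = "0.0.0.0/0"       # CIDR prefix; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port
    iface: Optional[str] = None  # None matches any interface

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.iface is not None and self.iface != pkt.iface:
            return False
        return True

class PacketFilter:
    """First-match rule list with an explicit default policy."""
    def __init__(self, rules: List[Rule], default: str = "discard") -> None:
        assert default in ("forward", "discard")
        self.rules = list(rules)
        self.default = default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action      # the first matching rule decides
        return self.default             # no rule matched: default policy applies

# Constructed rule set: internal network 192.168.1.0/24 with a public web server at 192.168.1.2.
RULES = [
    Rule("forward", dst="192.168.1.2/32", proto="tcp", dport=80, iface="outside"),
    Rule("forward", dst="192.168.1.2/32", proto="tcp", dport=443, iface="outside"),
    Rule("discard", dst="192.168.1.0/24", proto="tcp", dport=23),    # TELNET never reaches inside
    Rule("forward", src="192.168.1.0/24", iface="inside"),            # anything originating inside may leave
]

deny_by_default = PacketFilter(RULES, default="discard")
allow_by_default = PacketFilter(RULES, default="forward")

def decisions() -> Dict[str, Tuple[str, str]]:
    """Decision of each filter for a few constructed packets: (default=discard, default=forward)."""
    pkts = {
        "web":      Packet("203.0.113.5", "192.168.1.2", "tcp", 80, "outside"),
        "telnet":   Packet("203.0.113.5", "192.168.1.2", "tcp", 23, "outside"),
        "ssh":      Packet("203.0.113.5", "192.168.1.7", "tcp", 22, "outside"),   # matches no rule
        "outbound": Packet("192.168.1.10", "198.51.100.9", "udp", 53, "inside"),
    }
    return {name: (deny_by_default.decide(p), allow_by_default.decide(p)) for name, p in pkts.items()}

if __name__ == "__main__":
    for name, (deny, allow) in decisions().items():
        print(f"{name:9s} default=discard -> {deny:8s} default=forward -> {allow}")
```

Only the unmatched "ssh" packet is decided differently by the two filters, which is exactly the risk of a default = forward policy: every service nobody thought to write a rule for is reachable.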

Stateless Firewalls
Stateless firewalls are some of the oldest firewalls on the market and have been around for almost as long as the web itself. The purpose of stateless firewalls is to protect computers and networks, specifically routing engine processes and resources.
They provide this security by filtering the packets of incoming traffic, distinguishing between UDP/TCP traffic and port numbers. The packets are either allowed entry onto the network or denied access based on either their source or destination address or some other static information such as the traffic type (UDP/TCP).
These days completely stateless firewalls are few and far between.
Stateful Firewalls
Stateful firewalls are a more advanced, modern extension of stateless packet filtering firewalls in that they are continuously able to keep track of the state of the network and the active connections it has, such as TCP streams or User Datagram Protocol (UDP) communication.
The ability to acknowledge and utilize the context of incoming traffic and data packets is one of the principal advantages stateful firewalls have over their stateless cousins, allowing them to tell the difference between legitimate and malicious traffic or packets.
Packet Filtering Firewall

Advantages:
• Cost
• Low resource usage
• Best suited for smaller networks

Disadvantages:
• Can work only on the network layer
• Do not support complex, rule-based filtering
• Vulnerable to spoofing
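The difference between the stateless and stateful filters described above shows up as soon as reply traffic has to get back in. This added example (not from the slides) puts a stateless filter and a stateful filter side by side on the same constructed packets: an inside client opens an HTTPS connection, the server replies, an unrelated outside host sends an unsolicited ACK, and a DNS query goes out and its answer comes back. The stateless filter can only admit replies by opening every inbound high TCP port; the stateful one admits a packet only when an inside host created the matching connection entry. Addresses, ports and the policy are assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed packet model: header fields plus the TCP flags a stateful filter inspects.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str            # "tcp" or "udp"
    flags: str = ""       # TCP flags as letters: "S" SYN, "SA" SYN-ACK, "A" ACK, "F" FIN, "R" RST
    iface: str = "outside"

class StatelessFilter:
    """Sees only static header fields. To let replies to inside clients back in,
    it has to forward every inbound TCP packet aimed at a high port."""
    def decide(self, pkt: Packet) -> str:
        if pkt.iface == "inside":
            return "forward"
        if pkt.proto == "tcp" and pkt.dport >= 1024:
            return "forward"
        return "discard"

ConnKey = Tuple[str, int, str, int, str]   # (inside ip, inside port, outside ip, outside port, proto)

class StatefulFilter:
    """Remembers connections that inside hosts opened; an inbound packet is forwarded
    only if it belongs to one of them."""
    def __init__(self) -> None:
        self.table: Dict[ConnKey, str] = {}

    def decide(self, pkt: Packet) -> str:
        if pkt.iface == "inside":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
            if pkt.proto == "udp":
                self.table[key] = "ESTABLISHED"   # UDP has no handshake: the first datagram creates the entry
            elif pkt.flags == "S":
                self.table[key] = "SYN_SENT"      # new outbound TCP connection
            elif "R" in pkt.flags:
                self.table.pop(key, None)         # a reset tears the entry down
            return "forward"                      # this policy trusts outbound traffic
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        state = self.table.get(key)
        if state is None:
            return "discard"                      # nobody inside asked for this packet
        if pkt.proto == "tcp" and state == "SYN_SENT" and "S" in pkt.flags and "A" in pkt.flags:
            self.table[key] = "ESTABLISHED"       # handshake reply seen
        if "R" in pkt.flags:
            self.table.pop(key, None)
        return "forward"

def scenario() -> Dict[str, object]:
    """Decision of (stateless, stateful) for each constructed packet, in order."""
    stateless, stateful = StatelessFilter(), StatefulFilter()
    out_syn     = Packet("192.168.1.10", 40000, "198.51.100.9", 443, "tcp", "S", "inside")
    reply       = Packet("198.51.100.9", 443, "192.168.1.10", 40000, "tcp", "SA", "outside")
    unsolicited = Packet("203.0.113.5", 443, "192.168.1.10", 40001, "tcp", "A", "outside")
    dns_query   = Packet("192.168.1.10", 53001, "198.51.100.53", 53, "udp", "", "inside")
    dns_answer  = Packet("198.51.100.53", 53, "192.168.1.10", 53001, "udp", "", "outside")
    results: Dict[str, object] = {}
    for name, pkt in [("out_syn", out_syn), ("reply", reply), ("unsolicited", unsolicited),
                      ("dns_query", dns_query), ("dns_answer", dns_answer)]:
        results[name] = (stateless.decide(pkt), stateful.decide(pkt))
    results["https_state"] = stateful.table[("192.168.1.10", 40000, "198.51.100.9", 443, "tcp")]
    return results

if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name:12s} {value}")
```

Two rows carry the lesson: the stateless filter forwards the unsolicited ACK because its only criterion is a high destination port, and it discards the legitimate DNS answer because UDP replies cannot be recognised from static fields at all. The stateful filter gets both right by consulting its connection table.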
Application-level Gateway Firewall

Application-level Gateway
• Also called a proxy server
• Acts as a relay of application-level traffic

• Advantages:
  - Higher security than packet filters
  - Only need to scrutinise a few allowable applications
  - Easy to log and audit all incoming traffic

• Disadvantages:
  - Additional processing overhead on each connection (the gateway acts as a splice point between two connections)

Circuit-level Gateway Firewall

Circuit-level Gateway
• Stand-alone system, or
• Specialized function performed by an application-level gateway
• Sets up two TCP connections
• The gateway typically relays TCP segments from one connection to the other without examining the contents
• The security function consists of determining which connections will be allowed
• Typical use is a situation in which the system administrator trusts the internal users

Circuit-level Gateway Firewall

Advantages:
• Comparatively inexpensive, and provide anonymity to the private network.

Disadvantages:
• Do not filter individual packets.
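The two gateway types in the preceding slides differ in what they look at before relaying. This added example (not from the slides) models both in memory: an application-level gateway for HTTP that parses each request, permits only a few allowable methods and destination hosts, and logs every decision; and a circuit-level gateway that decides once per TCP connection from the trusted inside and then relays bytes without examining them. The host allowlist, the trusted network 192.168.1.0/24 and the sample requests are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed policy for the application-level gateway (an HTTP proxy): a few allowable
# destinations and methods, and nothing that is not well-formed HTTP.
ALLOWED_HOSTS = {"www.example.test", "intranet.example.test"}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]\r\n")

@dataclass
class ApplicationGateway:
    """Relays application-level traffic: parses the request, decides on its content,
    and logs every request, which is what makes auditing easy."""
    log: List[str] = field(default_factory=list)

    def handle(self, client: str, request: bytes) -> Tuple[str, bytes]:
        m = REQUEST_LINE.match(request)
        if not m:
            self.log.append(f"{client} DISCARD not HTTP")
            return "discard", b""
        method = m.group("method").decode()
        head = request.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]
        host = ""
        for line in head:
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip().decode()
        if method not in ALLOWED_METHODS or host not in ALLOWED_HOSTS:
            self.log.append(f"{client} DISCARD {method} {host or '?'}")
            return "discard", b""
        self.log.append(f"{client} FORWARD {method} {host}{m.group('target').decode()}")
        return "forward", request      # relayed over the gateway's own second connection

@dataclass
class CircuitGateway:
    """Decides once per TCP connection and then relays segments without examining them."""
    trusted_internal: str = "192.168.1."            # the policy trusts inside users
    allowed_ports: frozenset = frozenset({22, 80, 443})
    log: List[str] = field(default_factory=list)

    def open_circuit(self, src: str, dst: str, dport: int) -> bool:
        ok = src.startswith(self.trusted_internal) and dport in self.allowed_ports
        self.log.append(f"circuit {src} -> {dst}:{dport} {'ALLOW' if ok else 'DENY'}")
        return ok

    def relay(self, segment: bytes) -> bytes:
        return segment   # contents pass through untouched: no per-packet filtering

def demo() -> Dict[str, object]:
    """Decisions of both gateways on constructed requests and connection attempts."""
    app, circ = ApplicationGateway(), CircuitGateway()
    ok_req   = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    other    = b"GET / HTTP/1.1\r\nHost: unlisted.example.test\r\n\r\n"
    not_http = b"SSH-2.0-OpenSSH_9.0\r\n"
    return {
        "app_allowed_host": app.handle("192.168.1.10", ok_req)[0],
        "app_unlisted_host": app.handle("192.168.1.10", other)[0],
        "app_not_http": app.handle("192.168.1.10", not_http)[0],
        "app_log_lines": len(app.log),
        "circuit_inside_to_https": circ.open_circuit("192.168.1.10", "198.51.100.9", 443),
        "circuit_outside_in": circ.open_circuit("203.0.113.5", "192.168.1.10", 443),
        "circuit_relays_unexamined": circ.relay(not_http) == not_http,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:26s} {value}")
```

Note that the circuit gateway hands the SSH banner through unchanged once a circuit is open, while the application gateway rejects it as "not HTTP": that is the "do not filter individual packets" disadvantage on one side and the "only a few allowable applications" advantage on the other.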

Demilitarized Zone (DMZ)

• The demilitarized zone (DMZ) is a term used in the military to define a buffer area between two enemies.
• e.g. the DMZ between North and South Korea.
• DMZ is one of the most important zoning terms used in network security.
• A DMZ is the zone in the network that is segregated from the rest of the network due to the nature of the devices contained on it.
• The devices are often servers that need to be accessed from public networks. A DMZ is usually a subnet that typically resides between the private network and the public network.
• Connections from the public network terminate on the DMZ devices.

Demilitarized Zone (DMZ)

• A DMZ is a computer network that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet.
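The DMZ described above is commonly built with two firewalls, one between the Internet and the DMZ and one between the DMZ and the internal LAN (the arrangement exam question 8 at the end asks about). This added example, not from the slides, models that layout as two zone-based policies and checks which flows can cross them. The subnets (DMZ 10.0.1.0/24, LAN 192.168.1.0/24), the services and the policies are assumptions; only the initiating direction of each flow is modelled, replies being assumed to pass statefully.

```python
from typing import Dict, List, Set, Tuple

# Constructed topology, not from the slides:
#   Internet --[outer firewall]-- DMZ 10.0.1.0/24 --[inner firewall]-- internal LAN 192.168.1.0/24
def zone_of(ip: str) -> str:
    if ip.startswith("10.0.1."):
        return "dmz"
    if ip.startswith("192.168.1."):
        return "internal"
    return "internet"

Flow = Tuple[str, str, int]     # (from zone, to zone, destination port)
Policy = Set[Flow]              # flows a firewall forwards; everything else is discarded

# Outer firewall: the public reaches only the DMZ web ports; DMZ and LAN hosts may go out on 443.
OUTER_FW: Policy = {
    ("internet", "dmz", 80), ("internet", "dmz", 443),
    ("dmz", "internet", 443),
    ("internal", "internet", 443),
}
# Inner firewall: the DMZ web server reaches the database port and nothing else inside;
# administrators reach DMZ hosts over SSH from inside.
INNER_FW: Policy = {
    ("dmz", "internal", 5432),
    ("internal", "dmz", 22),
    ("internal", "internet", 443),
}

def firewalls_on_path(a: str, b: str, outer: Policy, inner: Policy) -> List[Policy]:
    ends = {a, b}
    if ends == {"internet", "dmz"}:
        return [outer]
    if ends == {"dmz", "internal"}:
        return [inner]
    if ends == {"internet", "internal"}:
        return [outer, inner]        # both firewalls must permit the flow
    return []                        # same zone: no firewall on the path

def allowed(src: str, dst: str, dport: int,
            outer: Policy = OUTER_FW, inner: Policy = INNER_FW) -> bool:
    a, b = zone_of(src), zone_of(dst)
    return all((a, b, dport) in fw for fw in firewalls_on_path(a, b, outer, inner))

def scenario() -> Dict[str, bool]:
    """Reachability of constructed flows, plus one with a misconfigured inner firewall."""
    leaky_inner = INNER_FW | {("internet", "internal", 22)}   # mistake on the inner firewall only
    return {
        "public_to_dmz_web": allowed("203.0.113.5", "10.0.1.10", 443),
        "public_to_lan_web": allowed("203.0.113.5", "192.168.1.20", 443),
        "dmz_to_db": allowed("10.0.1.10", "192.168.1.5", 5432),
        "dmz_to_lan_ssh": allowed("10.0.1.10", "192.168.1.5", 22),
        "lan_to_dmz_ssh": allowed("192.168.1.20", "10.0.1.10", 22),
        "lan_to_internet": allowed("192.168.1.20", "198.51.100.9", 443),
        "public_ssh_despite_leaky_inner": allowed("203.0.113.5", "192.168.1.5", 22, inner=leaky_inner),
    }

if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:32s} {'ALLOW' if ok else 'DENY'}")
```

The last two rows are the two-firewall argument in miniature: a compromised DMZ web server can reach only the one database port the inner firewall opens, and a mistake on the inner firewall does not expose the LAN to the Internet because the outer firewall still has to agree.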

INTRUSION DETECTION SYSTEMS (IDS)

• Intrusion: a set of actions aimed to compromise the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource.
• Intrusion detection: the process of identifying and responding to intrusion activities.
• Intrusion prevention: an extension of intrusion detection that exercises access control to protect computers from exploitation.

INTRUSION DETECTION SYSTEMS (IDS)
Host-based IDS: examines activity on an individual system, such as a mail server, web server, or individual PC. It is concerned only with an individual system and usually has no visibility into the activity on the network or systems around it.
Network-based IDS: examines activity on the network itself. It has visibility only into the traffic crossing the network link it is monitoring and typically has no idea of what is happening on individual systems.

INTRUSION DETECTION SYSTEMS (IDS)
Traffic collector (or sensor): this component collects activity/events for the IDS to examine. On a host-based IDS, this could be log files, audit logs, or traffic coming to or leaving a specific system. On a network-based IDS, this is typically a mechanism for copying traffic off the network link, basically functioning as a sniffer. This component is often referred to as a sensor.
Analysis engine: this component examines the collected network traffic and compares it to known patterns of suspicious or malicious activity stored in the signature database. The analysis engine is the "brains" of the IDS.
Signature database: the signature database is a collection of patterns and definitions of known suspicious or malicious activity.
User interface and reporting: this component interfaces with the human element, providing alerts when appropriate and giving the user a means to interact with and operate the IDS.
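The analysis engine and signature database above correspond to misuse detection, and the unit outline also lists anomaly detection, for which the engine compares observed behaviour against a learned baseline instead of a signature. This added example, not from the slides, runs both over the same constructed events as a sensor would hand them over: a small signature database of well-known web-attack patterns, and a baseline of how many distinct ports each host normally contacts, with a source flagged when it exceeds the mean by more than three standard deviations. The events, the signatures and the baseline figures are all constructed.

```python
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# --- Traffic collector output: constructed events, as a sensor would hand them to the engine ---
def ev(src: str, dport: int, payload: str = "") -> dict:
    return {"src": src, "dst": "192.168.1.2", "dport": dport, "payload": payload}

EVENTS: List[dict] = [
    ev("198.51.100.7", 80, "GET /index.html HTTP/1.1"),
    ev("198.51.100.7", 80, "GET /static/../../etc/passwd HTTP/1.1"),
    ev("198.51.100.8", 80, "GET /login?user=a' OR 'x'='x HTTP/1.1"),
] + [ev("203.0.113.9", p) for p in (21, 22, 23, 25, 443, 8080)]   # one source touching many ports

# --- Signature database: known patterns of suspicious activity (misuse detection) ---
@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    dport: int
    pattern: re.Pattern

SIGNATURES: List[Signature] = [
    Signature(1001, "HTTP directory traversal", 80, re.compile(r"\.\./")),
    Signature(1002, "HTTP SQL metacharacters in query", 80, re.compile(r"'\s*(OR|AND)\s*'", re.IGNORECASE)),
]

def misuse_detect(events: List[dict]) -> List[Tuple[int, str]]:
    """Alert (signature id, source) for every event matching a signature on its port."""
    alerts = []
    for e in events:
        for sig in SIGNATURES:
            if e["dport"] == sig.dport and sig.pattern.search(e["payload"]):
                alerts.append((sig.sid, e["src"]))
    return alerts

# --- Anomaly detection: behaviour compared with a baseline learned during normal operation ---
# Constructed baseline: distinct destination ports contacted per source during a quiet period.
BASELINE: Dict[str, int] = {"192.168.1.10": 2, "192.168.1.11": 3, "192.168.1.12": 2, "192.168.1.13": 3}

def anomaly_detect(events: List[dict], baseline: Dict[str, int], k: float = 3.0) -> List[str]:
    """Sources whose distinct-port count exceeds mean + k standard deviations of the baseline."""
    mean = statistics.mean(baseline.values())
    sd = statistics.pstdev(baseline.values()) or 1.0   # a flat baseline must not yield a zero threshold
    threshold = mean + k * sd
    ports: Dict[str, Set[int]] = defaultdict(set)
    for e in events:
        ports[e["src"]].add(e["dport"])
    return sorted(src for src, p in ports.items() if len(p) > threshold)

def analysis_engine(events: List[dict]) -> Dict[str, list]:
    """What the user interface would be handed for reporting."""
    return {"misuse": misuse_detect(events), "anomaly": anomaly_detect(events, BASELINE)}

if __name__ == "__main__":
    for kind, alerts in analysis_engine(EVENTS).items():
        print(kind, alerts)
```

The two detectors catch different things: the single traversal and SQL-metacharacter requests match signatures but are unremarkable in volume, while the host sweeping six ports matches no signature at all and is only caught because its behaviour departs from the baseline. A real deployment needs both, and the anomaly threshold is where false positives are tuned.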
Host-based IDS

HIDS: a host-based intrusion detection system (HIDS) is a system that runs on individual hosts and monitors a computer system.
• Detects an intrusion and/or misuse, and responds by logging the activity.
• It is an agent that monitors and analyzes whether anything or anyone, whether internal or external, has bypassed the system's security policy.
• Tools like: Samhain, OSSEC

Network-based IDS

NIDS: a NIDS is placed within the network to monitor traffic to and from all devices on the network.
• A NIDS scans all inbound and outbound traffic.
• NIDS tools operate by inspecting traffic that occurs between hosts.
• Tools like: Snort, Suricata, Bro, Kismet

Honeypot

A honeypot is a computer security mechanism that is used to prevent unauthorized attacks on computer systems. It mainly consists of a computer, some data, and a network site that appears to be part of the network, but is actually isolated and monitored. It seems to contain information useful to attackers, but it is used as bait.

Types of Honeypots

Production Honeypots: production honeypots are placed inside a production network along with other production servers. They capture limited information about the attackers. Production honeypots are low-interaction honeypots and are easier to deploy. They are usually used by an organization to improve its overall state of security.
Research Honeypots: this type of honeypot is used primarily by research, military or government organizations. They are run to gather information about the motives and tactics of attackers; most of the time they capture extensive information and are complex to deploy.
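The low-interaction production honeypot described above is small enough to show in full. This added example (not from the slides, and not one of the honeypot products) listens on a loopback port, answers every connection with a decoy mail banner, records the peer address and the first bytes it sends, and does nothing else; because no legitimate client has any reason to connect, every record is an alert. The banner, the port selection and the visiting client are constructed for the demonstration.

```python
import socket
import threading
import time
from typing import Dict, List, Tuple

# Constructed decoy banner; there is no mail service behind it.
BANNER = b"220 mail.example.test ESMTP ready\r\n"

class LowInteractionHoneypot:
    """Listens on an unused port, answers with a decoy banner, records who connected
    and what they sent first, and never does anything else."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0: let the OS pick a free one for the demo
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.records: List[Dict] = []
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> "LowInteractionHoneypot":
        self._thread.start()
        return self

    def stop(self) -> None:
        self.sock.close()                     # accept() in the thread fails and the loop ends

    def _serve(self) -> None:
        while True:
            try:
                conn, addr = self.sock.accept()
            except OSError:
                return
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.sendall(BANNER)
                    data = conn.recv(256)     # capture only the first bytes; nothing is executed
                except OSError:
                    data = b""
                # Any contact is suspicious by definition: record it for the alerting pipeline.
                self.records.append({"time": time.time(), "peer": addr[0], "first_bytes": data[:64]})

def demo() -> Tuple[bytes, List[Dict]]:
    """Constructed visitor: a client connects, reads the banner and sends one command."""
    hp = LowInteractionHoneypot().start()
    with socket.create_connection(("127.0.0.1", hp.port), timeout=2.0) as c:
        banner = c.recv(128)
        c.sendall(b"EHLO probe\r\n")
    deadline = time.time() + 2.0
    while not hp.records and time.time() < deadline:
        time.sleep(0.01)
    hp.stop()
    return banner, hp.records

if __name__ == "__main__":
    banner, records = demo()
    print(banner)
    for rec in records:
        print(rec["peer"], rec["first_bytes"])
```

A production deployment would place such a listener on an address that appears in no inventory, forward its records to the same console as the IDS alerts, and keep the decoy isolated from anything real so that the bait cannot be used as a stepping stone.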

1. List types of firewall. (2 R)
2. Demonstrate configuration of firewall settings for any operating system. (4 A)
3. State the difference between a firewall and an Intrusion Detection System. (4 A)
4. Define DMZ with a suitable diagram. (4 R)
5. Describe with a suitable diagram an Intrusion Detection System. (6 U)
6. Describe the following: i) packet filter firewall ii) Application Gateway (6 U)
7. State types of Firewalls. (4 R)
8. Demonstrate the advantages of setting up a DMZ with two firewalls. (4 A)
9. Show the difference between a Firewall and an Intrusion Detection System. (4 A)
10. Describe the following: (4 U)
    1. Host-based IDS.
    2. Network-based IDS.
11. List the need and importance of information. State the information classification. (4 U)
12. Explain configuration of firewalls. (4 U)
