
Presentation
on
Network And Information Security
(22620)

By
Ms. Pritee H. Raut
(Assistant Professor)

COMPUTER ENGINEERING DEPARTMENT
G. H. RAISONI POLYTECHNIC, NAGPUR
UNIT-4
Firewall & Intrusion Detection System

(MARKS-18)
Firewall
• A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
• A firewall can be hardware, software, or both.
• Its purpose is to establish a barrier between your internal network and incoming traffic from external sources (such as the Internet) in order to block malicious traffic such as viruses and hackers.
Need for a firewall
• Firewalls represent a first line of defense in home network security. Your home network is only as secure as its least protected device. That's where a network security system comes in.
• An effective, managed firewall will significantly reduce risk to your business. Without a firewall, your business could easily fall victim to a cyber-attack, causing you to lose all of your important data. This would not only disrupt business processes, it would also reduce productivity and likely damage your reputation and brand.
Types of Firewalls
• Packet-filtering firewalls
• Circuit-level gateways
• Application-level gateways (a.k.a. proxy firewalls)
Packet Filtering Firewall
• A packet filtering firewall is the most basic type of firewall. It acts like a management program that monitors network traffic and filters incoming packets based on configured security rules.
• These firewalls are designed to block network traffic based on IP protocol, IP address, and port number: a packet is blocked if it does not match the established rule-set.
• While packet-filtering firewalls can be considered a fast solution without many resource requirements, they also have limitations. Because they look only at packet headers and not at the contents, they do not prevent web-based attacks, so they are not the safest option.
• For example, a rule could specify to block all incoming traffic from a certain IP address, or to disallow all traffic that uses the UDP protocol. If a packet matches none of the predefined rules, the default action is taken. The default action can be to 'discard all packets' or to 'accept all packets'.
Application Gateways (Proxy firewall)
• Proxy firewalls operate at the application layer as an intermediate device that filters traffic between two end systems (e.g., an internal client and an external server). That is why these firewalls are called 'Application-level Gateways'.
• Unlike basic firewalls, these firewalls forward requests on behalf of clients, appearing to the web server as the original client. This hides the client's identity and other sensitive information, keeping the network safe from potential attacks.
• Once the connection is established, the proxy firewall inspects data packets coming from the source. If the contents of the incoming packet pass inspection, the proxy firewall forwards it to the client. This approach creates an additional layer of security between the client and the many different sources on the network.
Circuit-level Gateways
• These types of firewalls typically operate at the session level of the OSI model by verifying TCP (Transmission Control Protocol) connections and sessions. Circuit-level gateways are designed to ensure that the established sessions are protected and safe.
• Typically, circuit-level firewalls are implemented as security software or as part of pre-existing firewalls. Like packet-filtering firewalls, these firewalls do not check the actual data, although they inspect information about the transactions. Therefore, if the data contains malware but follows a correct TCP connection, it will pass through the gateway. That is why circuit-level gateways are not considered safe enough, on their own, to protect our systems.
Firewall Limitations
• Firewalls cannot stop internal users from accessing websites with malicious code, making user education critical.
• Firewalls cannot protect you from poor decisions.
• Firewalls cannot protect you when your security policy is too weak.
• They cannot stop attacks if the traffic does not pass through them.
• They are only as effective as the rules they are configured to enforce.
• Firewalls cannot protect against what has been authorized.
Policies of firewall
• All traffic from inside to outside and vice versa must pass through the firewall.
• To achieve this, all other access to the local network must first be physically blocked, and access only via the firewall should be permitted.
• Only traffic allowed by the local security policy should be permitted.
Firewall configuration
Different firewall configurations:
• Screened host firewall, single-homed bastion
• Screened host firewall, dual-homed bastion
• Screened subnet firewall
Screened Host firewall: single-homed bastion
• In this configuration there are two firewalls, an application gateway and a packet filter, placed between the internal network and the Internet.
• Each and every host of the internal network is connected to both the application gateway and the packet filter firewall.
• The packet filter performs filtering on each and every packet, while the application gateway performs the proxy functions.
• The main disadvantage of this approach is that if the attacker somehow compromises the packet filter firewall, he can access the internal systems directly.
Screened Host Firewall: dual-homed bastion
• In this configuration there is no end-to-end connection between the internal hosts and the packet filter firewall.
• It is used to address the drawback of the previous approach.
• The internal hosts are connected to the application gateway, the application gateway is further connected to the packet filter, and the packet filter is connected to the Internet.
• In this scheme, if the attacker breaks the packet filter firewall, he/she still has to break the application gateway to enter the internal network. This provides better security for the internal hosts.
Screened Subnet firewall:
• This is the most secure firewall configuration, in which there are three firewalls between the internal network and the Internet.
• If the attacker wants to enter the private network, he has to break into all three firewalls.
DMZ (demilitarized zone)
• In networking, a DMZ refers to a subnet that is physically or logically separated from the internal network.
• A DMZ or demilitarized zone is a perimeter network that protects an organization's internal local-area network from untrusted traffic and adds an extra layer of security.
• It prevents outside users from getting direct access to a company's data server.
• This subnet is used to separate untrusted devices from trusted devices.
• Traditionally, in a DMZ you would put all the devices that are required to be Internet-accessible. These can include your web servers, an FTP server, email exchange servers, etc. Access from the DMZ to the internal network is then further controlled and closely monitored, usually through a firewall.
• For example, a business may have an intranet made up of employee workstations. The company's public servers, such as the web server and mail server, could be placed in a DMZ so they are separate from the workstations. If the servers were compromised by an external attack, the internal systems would be unaffected.
What is one advantage of setting up a DMZ with two firewalls? (sample paper)
• You can do load balancing.
Explanation: In a topology with a single firewall serving both internal and external users (LAN and WAN), it acts as a shared resource for these two zones
Intrusion Detection System (IDS)
• An intrusion detection system (IDS) is a tool or software that works with your network to keep it secure and flags when somebody is trying to break into your system.
• As mentioned, an IDS is somewhat like an alarm. It watches the activity going on around it and tries to identify undesirable activity.
• IDSs are typically divided into two main categories, depending on how they monitor activity:
• Host-based IDS
Examines activity on an individual system, such as a mail server, web server, or individual PC. It is concerned only with an individual system and usually has no visibility into the activity on the network or systems around it.
• Network-based IDS
Examines activity on the network itself. It has visibility only into the traffic crossing the network link it is monitoring and typically has no idea of what is happening on individual systems.
Whether it is network- or host-based, an IDS will typically consist of several specialized components working together, as illustrated in Figure.

Traffic collector (or sensor):
This component collects activity/events for the IDS to examine. On a host-based IDS, this could be log files, audit logs, or traffic coming to or leaving a specific system. On a network-based IDS, this is typically a mechanism for copying traffic off the network link, basically functioning as a sniffer. This component is often referred to as a sensor.

Analysis engine:
This component examines the collected network traffic and compares it to known patterns of suspicious or malicious activity stored in the signature database. The analysis engine is the "brain" of the IDS.

Signature database:
The signature database is a collection of patterns and definitions of known suspicious or malicious activity.

User interface and reporting:
This component interfaces with the human element, providing alerts whenever required. Through it, the user can interact with and operate the IDS.
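The four components above wired together as a minimal signature-based host IDS, written as an added example (not code from the original slides). The log lines and the two signatures are constructed for illustration; a real signature database is far larger.

```python
import re
from typing import Dict, List

# Constructed sample events standing in for what the traffic collector hands
# over: web-server access-log lines as seen by a host-based IDS.
SAMPLE_EVENTS = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200',
    '10.0.0.9 - - "GET /../../etc/passwd HTTP/1.1" 404',
    '10.0.0.9 - - "GET /login.php?user=admin\' OR 1=1-- HTTP/1.1" 200',
    '10.0.0.7 - - "GET /about.html HTTP/1.1" 200',
]

# Signature database: named patterns of known suspicious activity (constructed).
SIGNATURES: Dict[str, str] = {
    "directory traversal": r"\.\./",
    "sql injection probe": r"(?i)'\s*or\s+1\s*=\s*1",
}

def collect(raw_lines: List[str]) -> List[str]:
    """Traffic collector (sensor): gather and normalise events for analysis."""
    return [line.strip() for line in raw_lines if line.strip()]

def analyse(events: List[str], signatures: Dict[str, str]) -> List[dict]:
    """Analysis engine: compare every event with every signature in the database.
    Only known patterns are detected; an attack with no signature passes silently."""
    compiled = {name: re.compile(pat) for name, pat in signatures.items()}
    alerts = []
    for event in events:
        for name, regex in compiled.items():
            if regex.search(event):
                alerts.append({"signature": name, "source": event.split()[0], "event": event})
    return alerts

def report(alerts: List[dict]) -> List[str]:
    """User interface and reporting: one alert line per match for the administrator.
    The IDS only reports; blocking the traffic would be the firewall's job."""
    return [f"ALERT [{a['signature']}] from {a['source']}: {a['event']}" for a in alerts]

def run_ids(raw_lines: List[str], signatures: Dict[str, str] = SIGNATURES) -> List[str]:
    return report(analyse(collect(raw_lines), signatures))

if __name__ == "__main__":
    for line in run_ids(SAMPLE_EVENTS):
        print(line)
```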
Comparison of HIDS and NIDS

1. Definition
   HIDS: Host Intrusion Detection System.
   NIDS: Network Intrusion Detection System.
2. Type
   HIDS: Does not work in real time.
   NIDS: Operates in real time.
3. Concern
   HIDS: Related to just a single system; as the name suggests, it is only concerned with threats to the host system/computer.
   NIDS: Concerned with the entire network; it examines the activities and traffic of all the systems in the network.
4. Installation point
   HIDS: Can be installed on each and every computer or server, i.e., anything that can serve as a host.
   NIDS: Being concerned with the network, it is installed at places like routers or servers, as these are the main intersection points of the network.
5. Execution process
   HIDS: Operates by taking a snapshot of the current status of the system and comparing it against previously stored snapshots tagged as malicious in its database; this clearly shows that there is a delay in its operation.
   NIDS: Works in real time by closely examining the data flow and immediately reporting anything unusual.
6. Information about the attack
   HIDS: More informed about attacks, as it is associated with system files and processes.
   NIDS: As the network is very large, making it hard to keep track of all its interacting functions, it is less informed about attacks.
7. Ease of installation
   HIDS: As it needs to be installed on every host, the installation process can be tiresome.
   NIDS: Few installation points make it easier to install.
8. Response time
   HIDS: Response time is slow.
   NIDS: Fast response time.


Honeypot
• A honeypot is a network-attached system used as a trap to lure cyber-attackers in order to detect and study the tricks and types of attacks used by hackers. An intentionally compromised computer system allows attackers to exploit vulnerabilities so you can study them to improve your security policies.
• Honeypots are mostly used by large companies and organizations involved in cybersecurity. They help cybersecurity researchers to learn about the different types of attacks used by attackers.
Firewall vs IDS

• Firewall: A firewall is hardware and/or software which functions in a networked environment to block unauthorized access while permitting authorized communications.
  IDS: An Intrusion Detection System (IDS) is a software or hardware device installed on the network (NIDS) or host (HIDS) to detect and report intrusion attempts on the network.
• Firewall: A firewall can block unauthorized access to the network (e.g., a watchman standing at the gate can block a thief).
  IDS: An IDS can only report an intrusion; it cannot block it (e.g., a CCTV camera can alert about a thief but cannot stop him).
• Firewall: A firewall cannot detect security breaches in traffic that does not pass through it (e.g., a gateman can watch only the front gate; he is not aware of wall-jumpers).
  IDS: An IDS is fully capable of internal security, collecting information from a variety of system and network resources and analyzing the symptoms of security problems.
• Firewall: A firewall doesn't inspect the content of permitted traffic (a gateman will never suspect an employee of the company).
  IDS: An IDS keeps a check on the overall network.
• Firewall: No man-power is required to manage a firewall.
  IDS: An administrator (man-power) is required to respond to the threats reported by the IDS.
• Firewall: Firewalls are the most visible part of a network to an outsider, hence more vulnerable to being attacked first (a gateman will be the first person attacked by a thief!).
  IDS: An IDS is very difficult to spot in a network (especially in stealth mode).
