Unit 1: Advanced Computer Networks & Security
A computer network is a set of computers sharing resources located on or provided by network nodes. The computers use common communication protocols over
digital interconnections to communicate with each other.
Types: [figure: 11 Types of Networks in Use Today]
Internet Protocol version 4 (IPv4) defines an IP address as a 32-bit number. However, because of the growth of
the Internet and the depletion of available IPv4 addresses, a new version of IP (IPv6), using 128 bits for the IP
address, was standardized in 1998. IPv6 deployment has been ongoing since the mid-2000s.
Network ID –
The network ID is the leftmost part of the IP address and identifies the specific network on which the device is located. In a typical home network, where a device has the IP address 192.168.1.32, the 192.168.1 part of the address is the network ID. It is customary to fill in the remaining (host) part with zeros, so we say that the device's network ID is 192.168.1.0.
Host ID –
The host ID is the part of the IP address not taken by the network ID. It identifies a specific device (in the TCP/IP world, devices are called "hosts") on that network. Continuing with the example of the IP address 192.168.1.32, the host ID is 32, the unique host ID on the 192.168.1.0 network.
IP Address Types:
There are 4 types of IP addresses: public, private, static, and dynamic. Public and private addresses are distinguished by where they are used: a private address is used within the local network, while a public address is used outside it, on the Internet.
Public IP address –
A public IP address is an Internet Protocol address that is reachable over the Internet. It is assigned to your Internet connection (typically to your router) by your Internet Service Provider, and all devices behind that connection share it when they talk to the outside world. Some people call this their external IP address.
Private IP address –
Everything that connects to your home network has a private IP address. This includes computers, smartphones, and tablets, but also any network-enabled devices such as speakers, printers, or smart TVs. With the growing Internet of Things, the number of private IP addresses you have at home is likely to increase. Your router needs a way to identify these devices separately, and most of them need a way to reach each other. Therefore, your router assigns private IP addresses that uniquely identify each device on the local network.
Static IP Address –
A static IP address is an IP address that does not change. By contrast, a dynamic IP address is provided by a Dynamic Host Configuration Protocol (DHCP) server and can change. A static IP address does not change on its own, but it can be changed as part of normal network management.
Static IP addresses are consistent: once assigned, they remain the same over the years. This type of IP address also makes it easier to learn more about the device behind it.
Dynamic IP address –
Dynamic means constantly changing. A dynamic IP address changes from time to time and is not always the same. If you have a residential cable or DSL service, you most likely have a dynamic IP address. Internet Service Providers give customers dynamic IP addresses because static addresses are too expensive to provide to everyone. Instead of one permanent IP address, an address is taken out of the provider's address pool and assigned to you. After a few days, weeks, or sometimes even months, that address is returned to the pool and you are given a new one. Most ISPs will not provide a static IP address to residential customers, and when they do, it is usually more expensive. Dynamic IP addresses can be inconvenient, but with the right software you can work around this easily and for free.
Network Address Translation (NAT)
To access the Internet, a public IP address is needed, but we can use private IP addresses inside our private network. The idea of NAT is to allow multiple devices to access the Internet through a single public address. To achieve this, a private IP address must be translated to a public IP address. Network Address Translation (NAT) is a process in which one or more local IP addresses are translated into one or more global IP addresses, and vice versa, in order to provide Internet access to local hosts. It also translates port numbers, i.e. it masks the port number of the host with another port number in the packet that will be routed to the destination, and records the corresponding IP address and port number entries in the NAT table. NAT generally operates on a router or firewall.
Network Address Translation (NAT) Types –
There are 3 ways to configure NAT:
Static NAT – A single unregistered (private) IP address is mapped to a legally registered (public) IP address, i.e. a one-to-one mapping between local and global addresses. This is generally used for web hosting. It is not used for general Internet access in organizations, since every device that needs Internet access would require its own public IP address.
Dynamic NAT – An unregistered (private) IP address is translated into a registered (public) IP address taken from a pool of public IP addresses. If no address in the pool is free, the packet is dropped, as only a fixed number of private IP addresses can be translated to public addresses at any one time.
Port Address Translation (PAT) – Also known as NAT overload. Many local (private) IP addresses can be translated to a single registered (public) IP address. Port numbers are used to distinguish the traffic, i.e. which traffic belongs to which private host. This is the most frequently used form because it is cost-effective: thousands of users can be connected to the Internet using only one real global (public) IP address.
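As an added example (not part of the original notes), the following Python model simulates the NAT table described above: a PAT router that maps many private hosts onto one public address by rewriting source ports, and a dynamic NAT pool that drops traffic once its public addresses are exhausted. Addresses are constructed from the documentation ranges (192.168.1.0/24, 198.51.100.0/24, 203.0.113.0/24); the class and method names are my own.

```python
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatRouter:
    """NAT overload: many private (ip, port) pairs share one public IP."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)          # next free public source port
        # public (port, proto) -> (private ip, private port, remote ip, remote port, proto)
        self.table: dict = {}
        # reverse index so repeated packets of one flow reuse the same mapping
        self._by_flow: dict = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private network; create a mapping if needed."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        port = self._by_flow.get(flow)
        if port is None:
            port = next(self._ports)
            self._by_flow[flow] = port
            self.table[(port, pkt.proto)] = flow
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the Internet, or return None (dropped)."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get((pkt.dst_port, pkt.proto))
        if entry is None:
            return None                          # unsolicited: no table entry, dropped
        priv_ip, priv_port, remote_ip, remote_port, _ = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                          # reply must come from the mapped peer
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.proto)


class DynamicNat:
    """Dynamic NAT: one public address per active private host, from a fixed pool."""

    def __init__(self, pool: list):
        self.free = list(pool)
        self.mapping: dict = {}                  # private ip -> public ip

    def outbound(self, private_ip: str) -> Optional[str]:
        """Return the public IP used for this host, or None when the pool is empty."""
        if private_ip in self.mapping:
            return self.mapping[private_ip]
        if not self.free:
            return None                          # pool exhausted: packet is dropped
        public_ip = self.free.pop(0)
        self.mapping[private_ip] = public_ip
        return public_ip


if __name__ == "__main__":
    # Constructed sample traffic: two private hosts reach the same web server.
    nat = PatRouter("203.0.113.5")
    out_a = nat.outbound(Packet("192.168.1.32", 51000, "198.51.100.10", 443))
    out_b = nat.outbound(Packet("192.168.1.33", 51000, "198.51.100.10", 443))
    print("host A appears as", out_a.src_ip, out_a.src_port)
    print("host B appears as", out_b.src_ip, out_b.src_port)
    reply = nat.inbound(Packet("198.51.100.10", 443, "203.0.113.5", out_a.src_port))
    print("reply delivered to", reply.dst_ip, reply.dst_port)
    print("unsolicited packet ->", nat.inbound(Packet("198.51.100.10", 443, "203.0.113.5", 12345)))
```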
IP Subnets
A subnetwork or subnet is a logical subdivision of an IP network. The practice of dividing a network into two
or more networks is called subnetting.
Computers that belong to the same subnet are addressed with an identical most-significant bit-group in their
IP addresses. This results in the logical division of an IP address into two fields: the network number or routing
prefix and the rest field or host identifier. The rest field is an identifier for a specific host or network interface.
The routing prefix may be expressed in Classless Inter-Domain Routing (CIDR) notation written as the first
address of a network, followed by a slash character (/), and ending with the bit-length of the prefix. For
example, 198.51.100.0/24 is the prefix of the Internet Protocol version 4 network starting at the given address,
having 24 bits allocated for the network prefix, and the remaining 8 bits reserved for host addressing.
Addresses in the range 198.51.100.0 to 198.51.100.255 belong to this network. The IPv6 address specification 2001:db8::/32 is a large address block with 2^96 addresses, having a 32-bit routing prefix.
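As an added example (not part of the original notes), this Python block carries out the network ID / host ID split and the CIDR arithmetic from the two passages above by hand, with bit masks, and cross-checks the result against the standard `ipaddress` module. The function names are my own; the addresses are the ones used in the text.

```python
import ipaddress


def _to_int(ip: str) -> int:
    """Dotted IPv4 string -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {ip!r}")
    return int.from_bytes(bytes(octets), "big")


def _to_dotted(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_mask(prefix_len: int) -> int:
    """Subnet mask for a /prefix_len network as a 32-bit integer."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"prefix length out of range: {prefix_len}")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def split_address(ip: str, prefix_len: int) -> dict:
    """Return the network ID, host ID, broadcast address and host count for ip/prefix."""
    addr = _to_int(ip)
    mask = prefix_mask(prefix_len)
    host_bits = 32 - prefix_len
    network = addr & mask                        # leftmost bits: the network ID
    host = addr & ~mask & 0xFFFFFFFF             # remaining bits: the host ID
    return {
        "cidr": f"{_to_dotted(network)}/{prefix_len}",
        "netmask": _to_dotted(mask),
        "network_id": _to_dotted(network),
        "host_id": host,
        "broadcast": _to_dotted(network | (~mask & 0xFFFFFFFF)),
        "total_addresses": 1 << host_bits,
        # /31 and /32 reserve no network/broadcast address (RFC 3021 point-to-point links)
        "usable_hosts": (1 << host_bits) - 2 if host_bits >= 2 else (1 << host_bits),
    }


def same_subnet(ip_a: str, ip_b: str, prefix_len: int) -> bool:
    """Two hosts share a subnet when their addresses agree on the network bits."""
    mask = prefix_mask(prefix_len)
    return (_to_int(ip_a) & mask) == (_to_int(ip_b) & mask)


def cross_check(ip: str, prefix_len: int) -> bool:
    """Confirm the hand-rolled arithmetic against the standard library."""
    ours = split_address(ip, prefix_len)
    ref = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    return (ours["network_id"] == str(ref.network_address)
            and ours["broadcast"] == str(ref.broadcast_address)
            and ours["total_addresses"] == ref.num_addresses)


def block_size(cidr: str) -> int:
    """Number of addresses in any IPv4 or IPv6 CIDR block, e.g. 2001:db8::/32."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


if __name__ == "__main__":
    for ip, plen in (("192.168.1.32", 24), ("198.51.100.0", 24), ("10.37.129.201", 20)):
        print(split_address(ip, plen), "ok" if cross_check(ip, plen) else "MISMATCH")
    print("2001:db8::/32 holds", block_size("2001:db8::/32"), "addresses")
```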
DHCP
The Dynamic Host Configuration Protocol is a network management protocol used on Internet Protocol
networks for automatically assigning IP addresses and other communication parameters to devices
connected to the network using a client–server architecture.
A DHCP Server is a network server that automatically provides and assigns IP addresses, default gateways
and other network parameters to client devices. It relies on the standard protocol known as Dynamic Host
Configuration Protocol or DHCP to respond to broadcast queries by clients.
A DHCP server automatically sends the required network parameters for clients to properly communicate on
the network. Without it, the network administrator has to manually set up every client that joins the network,
which can be cumbersome, especially in large networks. DHCP servers usually assign each client with a
unique dynamic IP address, which changes when the client’s lease for that IP address has expired.
Ports
What is a port?
A port is a virtual point where network connections start and end. Ports are software-based and managed by
a computer's operating system. Each port is associated with a specific process or service. Ports allow
computers to easily differentiate between different kinds of traffic: emails go to a different port than
webpages, for instance, even though both reach a computer over the same Internet connection.
Proxy Servers
When a computer connects to the internet, it uses an IP address. This is similar to your home's street address, telling incoming data where to go and marking outgoing data with a return address for other devices to authenticate. A proxy server is essentially a computer on the internet that has an IP address of its own.
Some people use proxies for personal purposes, such as hiding their location while watching movies online. For a company, however, they can be used to accomplish several key tasks such as:
• Improve security
• Secure employees' internet activity from people trying to snoop on them
• Balance internet traffic to prevent crashes
• Control the websites employees and staff access in the office
• Save bandwidth by caching files or compressing incoming traffic
VPN
VPN stands for "Virtual Private Network" and describes the possibility of establishing a protected network connection when using public networks. VPNs encrypt your internet traffic and disguise your online identity. This makes it more difficult for third parties to track your activities online and steal data. The encryption takes place in real time.
Secure encryption: To read the data, you need the encryption key. Without it, it would take millions of years for a computer to decipher the traffic by brute force. With the help of a VPN, your online activities are hidden even on public networks.
Disguising your whereabouts: VPN servers essentially act as your proxies on the internet. Because the geographic location data comes from a server in another country, your actual location cannot be determined. In addition, most VPN services do not store logs of your activities. Some providers, on the other hand, record your behavior but do not pass this information on to third parties. This means that any potential record of your user behavior remains permanently hidden.
Benefits of VPN
Access to regional content: Regional web content is not always accessible from everywhere. Services and websites often contain content that can only be accessed from certain parts of the world. Standard connections use local servers in the country to determine your location. This means that you cannot access content from home while traveling, and you cannot access international content from home. With VPN location spoofing, you can switch to a server in another country and effectively "change" your location.
Secure data transfer: If you work remotely, you may need to access important files on your company's network. For security reasons, this kind of information requires a secure connection. To gain access to the network, a VPN connection is often required. VPN services connect to private servers and use encryption methods to reduce the risk of data leakage.
VPN v/s PROXY
• VPNs encrypt your traffic while proxy servers don't. A VPN service protects you from ISP tracking, government surveillance, and hackers. Proxies don't, so they should never be used to handle sensitive information.
• VPNs work on the operating system level and reroute all your traffic through a VPN server, while proxies work on the application level and only reroute the traffic of a specific app or browser.
• VPNs can be slower than proxies as they need to encrypt your sensitive data; however, there are ways you can improve your internet connection and browsing speeds.
• VPNs are usually paid (you shouldn't trust free VPN services as they have limitations and tend to mine your data) while many proxy servers are free.
• A VPN connection is more reliable, while proxy server connections drop more frequently.
DNS
The DNS recursor (also referred to as the DNS resolver) is a server that receives the query from the DNS client,
and then interacts with other DNS servers to hunt down the correct IP. Once the resolver receives the request
from the client, the resolver then actually behaves as a client itself, querying the other three types of DNS
servers in search of the right IP.
OSI model
We’ll describe OSI layers “top down” from the application layer that directly serves the end user, down to the
physical layer.
7. Application Layer
The application layer is used by end-user software such as web browsers and email clients. It provides
protocols that allow software to send and receive information and present meaningful data to users. A few
examples of application layer protocols are the Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP),
Post Office Protocol (POP), Simple Mail Transfer Protocol (SMTP), and Domain Name System (DNS).
6. Presentation Layer
The presentation layer prepares data for the application layer. It defines how two devices should encode,
encrypt, and compress data so it is received correctly on the other end. The presentation layer takes any data
transmitted by the application layer and prepares it for transmission over the session layer.
5. Session Layer
The session layer creates communication channels, called sessions, between devices. It is responsible for
opening sessions, ensuring they remain open and functional while data is being transferred, and closing them
when communication ends. The session layer can also set checkpoints during a data transfer—if the session is
interrupted, devices can resume data transfer from the last checkpoint.
4. Transport Layer
The transport layer takes data transferred in the session layer and breaks it into “segments” on the transmitting
end. It is responsible for reassembling the segments on the receiving end, turning it back into data that can be
used by the session layer. The transport layer carries out flow control, sending data at a rate that matches the
connection speed of the receiving device, and error control, checking if data was received incorrectly and if
not, requesting it again.
3. Network Layer
The network layer has two main functions. One is breaking up segments into network packets, and
reassembling the packets on the receiving end. The other is routing packets by discovering the best path across
a physical network. The network layer uses network addresses (typically Internet Protocol addresses) to route
packets to a destination node.
2. Data Link Layer
The data link layer establishes and terminates a connection between two physically-connected nodes on a network. It breaks up packets into frames and sends them from source to destination. This layer is composed of two parts: Logical Link Control (LLC), which identifies network protocols, performs error checking and synchronizes frames, and Media Access Control (MAC), which uses MAC addresses to connect devices and define permissions to transmit and receive data.
1. Physical Layer
The physical layer is responsible for the physical cable or wireless connection between network nodes. It
defines the connector, the electrical cable or wireless technology connecting the devices, and is responsible
OSI model VS. TCP/IP
The Transmission Control Protocol/Internet Protocol (TCP/IP) is older than the OSI model and was created by the US Department of Defense (DoD). A key difference between the models is that TCP/IP is simpler, collapsing several OSI layers into one:
• TCP/IP is a functional model designed to solve specific communication problems, and which is based on specific, standard protocols. OSI is a generic, protocol-independent model intended to describe all forms of network communication.
• In TCP/IP, most applications use all the layers, while in OSI simple applications do not use all seven layers. Only layers 1, 2 and 3 are mandatory to enable any data communication.
ROUTER
A router is a networking device that forwards data packets between computer networks. Routers perform the
traffic directing functions on the Internet. Data sent through the internet, such as a web page or email, is in the
form of data packets.
Features of Routers
• A router is a layer 3 (network layer) device.
• It connects different networks together and sends data packets from one network to another.
• A router can be used both in LANs (Local Area Networks) and WANs (Wide Area Networks).
• It transfers data in the form of IP packets. To forward a packet, it uses the IP address in the destination field of the IP header.
• Routers maintain a routing table that is refreshed periodically according to changes in the network. To forward data packets, a router consults this table, which is built and updated by a routing protocol.
• To build or refresh the routing table, routers share information with each other.
• Routers provide protection against broadcast storms, because they do not forward layer 2 broadcasts between networks.
• Routers are more expensive than other networking devices such as hubs, bridges and switches.
SWITCHES
A switch is a device in a computer network that connects other devices together. Multiple data cables are
plugged into a switch to enable communication between different networked devices. Switches manage the
flow of data across a network by transmitting a received network packet only to the one or more devices for
which the packet is intended. Each networked device connected to a switch can be identified by its network
address, allowing the switch to direct the flow of traffic maximizing the security and efficiency of the network.
A switch is more intelligent than an Ethernet hub, which simply retransmits packets out of every port of the
hub except the port on which the packet was received, unable to distinguish different recipients, and
achieving an overall lower network efficiency.
SWITCHES features
Endpoint Security
Endpoint security is the practice of securing endpoints or entry points of end-user devices such as desktops,
laptops, and mobile devices from being exploited by malicious actors and campaigns. Endpoint security
systems protect these endpoints on a network or in the cloud from cybersecurity threats. Endpoint security
has evolved from traditional antivirus software to providing comprehensive protection from sophisticated
malware and evolving zero-day threats.
Organizations of all sizes are at risk from nation-states, hacktivists, organized crime, and malicious and
accidental insider threats. Endpoint security is often seen as cybersecurity's frontline and represents one of the
first places organizations look to secure their enterprise networks.
As the volume and sophistication of cybersecurity threats have steadily grown, so has the need for more
advanced endpoint security solutions. Today’s endpoint protection systems are designed to quickly detect,
analyze, block, and contain attacks in progress. To do this, they need to collaborate with each other and with
other security technologies to give administrators visibility into advanced threats to speed detection and
remediation response times.
END POINT Security solutions
• Laptops
• Tablets
• Mobile devices
• Smart watches
• Printers
• Servers
• ATM machines
• Medical devices
Active Directory
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is
included in most Windows Server operating systems as a set of processes and services. Initially, Active
Directory was used only for centralized domain management. However, Active Directory eventually became
an umbrella title for a broad range of directory-based identity-related services.
A server running the Active Directory Domain Service (AD DS) role is called a domain controller. It
authenticates and authorizes all users and computers in a Windows domain type network, assigning and
enforcing security policies for all computers, and installing or updating software. For example, when a user
logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and
determines whether the user is a system administrator or normal user. Also, it allows management and
storage of information, provides authentication and authorization mechanisms, and establishes a framework
to deploy other related services: Certificate Services, Active Directory Federation Services, Lightweight
Directory Services, and Rights Management Services.
TOR network
Tor, short for The Onion Router, is free and open-source software for enabling anonymous communication. It
directs Internet traffic through a free, worldwide, volunteer overlay network, consisting of more than six
thousand relays, for concealing a user's location and usage from anyone conducting network surveillance or
traffic analysis. Using Tor makes it more difficult to trace the Internet activity to the user. Tor's intended use is
to protect the personal privacy of its users, as well as their freedom and ability to conduct confidential
communication by keeping their Internet activities unmonitored.
Tor enables its users to surf the Internet, chat and send instant messages anonymously, and is used by a wide variety of people for both licit and illicit purposes. Tor has, for example, been used by criminal enterprises, hacktivism groups, and law enforcement agencies at cross purposes, sometimes simultaneously.
UNIT 2
Advanced Computer Networks & Security
Networking Devices Layer wise
1. Physical Layer – The physical layer of the TCP/IP model is responsible for the physical connectivity of two devices. Some of the devices used in the physical layer are:
Hubs: Hubs are devices commonly used to connect segments of a LAN. A hub contains multiple input/output ports; when a signal arrives at any port, it is repeated out of all other ports except the one it came in on.
Cables: In a wired network architecture (e.g. Ethernet), cables are used to interconnect the devices. Some of the types of cables are coaxial cable, optical fiber cable, and twisted pair cable.
Modem: Modem stands for MOdulator/DEModulator. A modem converts the digital signals generated by the computer into analog signals that can be transmitted over a cable line, and transforms incoming analog signals back into their digital equivalents.
Repeaters: Repeaters are used in transmission systems to regenerate analog or digital signals distorted by transmission loss. Analog repeaters can only amplify the signal, whereas a digital repeater can reproduce a signal to near its original quality.
2. Data Link Layer – The data link layer is responsible for transferring data hop by hop (i.e. within the same LAN, from one device to another) based on the MAC address. Some of the devices used in the data link layer are:
Bridges: A bridge is a type of computer network device that provides interconnection with other networks that use the same protocol, connecting two different networks together and providing communication between them.
Network Interface Card: A network interface card is an electronic device installed in a computer that connects it to a computer network, usually a LAN. It is considered a piece of computer hardware. Most modern computers have an internal network interface controller embedded directly in the motherboard rather than provided as an external component.
3. Network Layer – The network layer is responsible for creating the routing table and, based on that table, forwarding incoming packets. Some of the devices used in the network layer are:
Routers: A router is a switch-like device that routes/forwards data packets based on their IP addresses. Routers normally connect Local Area Networks (LANs) and Wide Area Networks (WANs) together and have a dynamically updated routing table on which they base their decisions about where to forward incoming packets.
Brouters: A bridge router or brouter is a network device that works both as a bridge and as a router. The brouter routes packets for known protocols and simply forwards all other packets as a bridge would. Brouters operate at the network layer for routable protocols (or between networks with different data link layer protocols, e.g. one running Ethernet (802.3) and the other Token Ring (802.5)) and at the data link layer for non-routable protocols (or when both networks use the same data link layer protocol).
Gateways: In computer networking, a gateway is a component that is part of two networks which use different protocols. The gateway is a protocol converter that translates one protocol into the other. A router is a special case of a gateway.
Firewall: A firewall is a system designed to prevent unauthorized access to or from a private network. Some of the functions of a firewall are packet filtering and acting as a proxy server.
5. Application Layer – The application layer is the topmost layer of the TCP/IP model and provides the interface between applications and the network. The application layer is used to exchange messages. Some of the devices used in the application layer are:
Virus – Malware which requires some form of user interaction to infect the user's device. The classic example is an e-mail attachment containing malicious executable code. If a user receives and opens such an attachment, the user inadvertently runs the malware on the device.
Worm – Malware which can enter a device without any explicit user interaction. For example, a user may be running a vulnerable network application to which an attacker can send malware. In some cases, without any user intervention, the application accepts the malware from the Internet and runs it, creating a worm.
Network Attacks
Botnet – A network of private computers infected with malicious software and controlled as a group without the owners' knowledge, e.g. to send spam.
DoS (Denial of Service) – A DoS attack renders a network, host, or other piece of infrastructure unusable by legitimate users. Most Internet DoS attacks fall into one of three categories:
• Vulnerability attack: This involves sending a few well-crafted messages to a vulnerable application or operating system running on a targeted host. If the right sequence of packets is sent to a vulnerable application or operating system, the service can stop or, worse, the host can crash.
• Bandwidth flooding: The attacker sends a deluge of packets to the targeted host, so many packets that the target's access link becomes clogged, preventing legitimate packets from reaching the server.
• Connection flooding: The attacker establishes a large number of half-open or fully open TCP connections at the target host. The host can become so bogged down with these bogus connections that it stops accepting legitimate connections.
DDoS (Distributed DoS) – DDoS is a type of DoS attack in which multiple compromised systems are used to target a single system, causing a denial of service. DDoS attacks leveraging botnets with thousands of compromised hosts are common today. DDoS attacks are much harder to detect and defend against than a DoS attack from a single host.
Packet sniffer – A passive receiver that records a copy of every packet that passes by is called a packet sniffer. By placing a passive receiver in the vicinity of a wireless transmitter, that receiver can obtain a copy of every packet that is transmitted. These packets can contain all kinds of sensitive information, including passwords, social security numbers, trade secrets, and private personal messages. Some of the best defenses against packet sniffing involve cryptography.
IP Spoofing – The ability to inject packets into the Internet with a false source address is known as IP spoofing, and is but one of many ways in which one user can masquerade as another. To solve this problem, we need end-point authentication, that is, a mechanism that allows us to determine with certainty whether a message originates from where we think it does.
Phishing – The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
DNS spoofing – Also referred to as DNS cache poisoning, a form of attack in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect IP address.
Rootkit – Rootkits are stealthy software packages designed to gain administrative rights and access to a network device. Once installed, attackers have complete and unrestricted access to the device and can therefore perform any action, including spying on users or stealing confidential data, without hindrance.
Firewall
In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall
typically establishes a barrier between a trusted network and an untrusted network, such as the Internet.
Purpose: Firewalls provide protection against outside cyber attackers by shielding your computer or network from malicious or unnecessary network traffic. Firewalls can also
prevent malicious software from accessing a computer or network via the internet.
4 Types of Firewall
1. Packet filtering firewalls
Packet filtering firewalls are the oldest, most basic type of firewall. Operating at the network layer, they simply check a packet's source IP, destination IP, protocol, source port and destination port against predefined rules to determine whether to pass or discard the packet. Packet filtering firewalls are essentially stateless, examining each packet independently without any record of the established connection or of the packets that have previously passed through that connection. This makes them very limited in their capacity to protect against advanced threats and attacks.
Packet filtering firewalls are fast, cheap and effective, but the security they provide is very basic. Since they cannot examine the content of the data packets, they are incapable of protecting against malicious packets coming from trusted source IPs. Being stateless, they are also vulnerable to source routing attacks and tiny fragment attacks. Despite their minimal functionality, packet filtering firewalls paved the way for modern firewalls that offer stronger and deeper security.
2. Circuit-level gateways
Working at the session layer, circuit-level gateways verify established Transmission Control Protocol (TCP) connections and keep track of the active sessions. They
are quite similar to packet filtering firewalls in that they perform a single check and utilize minimal resources. However, they function at a higher layer of the Open
Systems Interconnection (OSI) model. Primarily, they determine the security of an established connection. When an internal device initiates a connection with a
remote host, circuit-level gateways establish a virtual connection on behalf of the internal device to keep the identity and IP address of the internal user hidden.
Circuit-level gateways are cost-efficient, simplistic and have barely any impact on a network’s performance. However, their inability to inspect the content of data
packets makes them an incomplete security solution on their own. A data packet containing malware can bypass a circuit-level gateway easily if it has a legitimate
TCP handshake. That is why another type of firewall is often configured on top of circuit-level gateways for added protection.
3. Stateful inspection firewalls
A step ahead of circuit-level gateways, stateful inspection firewalls, in addition to verifying and keeping track of established connections, also perform packet
inspection to provide better, more comprehensive security. They work by creating a state table with the source IP, destination IP, source port and destination port once a
connection is established. Based on this information, they create their own rules dynamically to allow the expected incoming network traffic instead of relying on a
hardcoded set of rules. They drop data packets that do not belong to a verified active connection.
Stateful inspection firewalls check for legitimate connections as well as source and destination IPs to determine which data packets can pass through. Although these
extra checks provide advanced security, they consume a lot of system resources and can slow down traffic considerably. Hence, they are prone to DDoS (distributed
denial-of-service) attacks.
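The state table described above, as an added illustration (not code from the original notes): a minimal stateful filter that creates an entry when an internal host sends a SYN, admits reply packets only for tracked connections, and drops unsolicited inbound traffic. The internal subnet and the packet sequence are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed internal subnet; the firewall sits between it and the outside.
INTERNAL = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # TCP flags that drive the state transitions
    ack: bool = False
    fin: bool = False


class StatefulFirewall:
    """State table keyed by (src ip, src port, dst ip, dst port).
    Entries are created dynamically when an internal host opens a connection;
    inbound packets are admitted only if they match an entry."""

    def __init__(self, internal):
        self.internal = internal
        self.table = {}  # 4-tuple -> "SYN_SENT" | "ESTABLISHED"

    def filter(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        conn = key if key in self.table else reverse if reverse in self.table else None
        if conn is not None:
            if pkt.syn and pkt.ack and conn == reverse:
                self.table[conn] = "ESTABLISHED"  # reply to our SYN
            if pkt.fin:
                del self.table[conn]  # simplification: first FIN ends tracking
            return "ALLOW"
        if ip_address(pkt.src_ip) in self.internal and pkt.syn and not pkt.ack:
            self.table[key] = "SYN_SENT"  # new outbound connection
            return "ALLOW"
        return "DROP"  # no verified active connection


def demo_firewall():
    """Constructed packet sequence; returns the verdict for each packet."""
    fw = StatefulFirewall(INTERNAL)
    stray = Packet("203.0.113.10", 443, "192.168.1.32", 40001, syn=True, ack=True)
    syn = Packet("192.168.1.32", 40000, "203.0.113.10", 443, syn=True)
    synack = Packet("203.0.113.10", 443, "192.168.1.32", 40000, syn=True, ack=True)
    data = Packet("203.0.113.10", 443, "192.168.1.32", 40000, ack=True)
    return [fw.filter(p) for p in (stray, syn, synack, data, stray)]
```

The stray SYN/ACK from source port 443 is dropped both before and after the real connection exists, which a stateless rule such as "allow inbound from port 443" could not do.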
4. Application-level gateways (proxy firewalls)
Application-level gateways, also known as proxy firewalls, are implemented at the application layer via a proxy device. Instead of an outsider accessing your internal
network directly, the connection is established through the proxy firewall. The external client sends a request to the proxy firewall. After verifying the authenticity of
the request, the proxy firewall forwards it to one of the internal devices or servers on the client’s behalf. Alternatively, an internal device may request access to a
webpage, and the proxy device will forward the request while hiding the identity and location of the internal devices and network.
Unlike packet filtering firewalls, proxy firewalls perform stateful and deep packet inspection to analyze the context and content of data packets against a set of
user-defined rules. Based on the outcome, they either permit or discard a packet. They protect the identity and location of your sensitive resources by preventing a
direct connection between internal systems and external networks. However, configuring them to achieve optimal network protection can be a bit hard. You must
also keep in mind the tradeoff—a proxy firewall is essentially an extra barrier between the host and the client, causing considerable slowdowns.
ACL
Access Control List (ACL) refers to a specific set of rules used for filtering network traffic, especially in computer security settings. ACLs also grant access to specific system objects, such as directories or files, to authorized users and deny access to unauthorized users.
Packet Filtering
Packet filtering is a firewall technique used to control network access by monitoring outgoing and incoming packets and allowing them to pass or halting them based on the source and destination Internet Protocol (IP) addresses, protocols and ports.
DMZ
In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network or screened subnet) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted, usually larger, network such as the Internet.
IDS/IPS
An intrusion detection system (IDS; also intrusion prevention system or IPS) is a device
or software application that monitors a network or systems for malicious activity or
policy violations. Any intrusion activity or violation is typically reported either to an
administrator or collected centrally using a security information and event management
(SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm
filtering techniques to distinguish malicious activity from false alarms.
IDS types range in scope from single computers to large networks. The most common
classifications are network intrusion detection systems (NIDS) and host-based intrusion
detection systems (HIDS). A system that monitors important operating system files is an
example of an HIDS, while a system that analyzes incoming network traffic is an
example of an NIDS. It is also possible to classify IDS by detection approach. The most
well-known variants are signature-based detection (recognizing bad patterns, such as
malware) and anomaly-based detection (detecting deviations from a model of "good"
traffic, which often relies on machine learning). Another common variant is
reputation-based detection (recognizing the potential threat according to the reputation
scores). Some IDS products have the ability to respond to detected intrusions. Systems
with response capabilities are typically referred to as an intrusion prevention system.
Intrusion detection systems can also serve specific purposes by augmenting them with
custom tools, such as using a honeypot to attract and characterize malicious traffic.
Classification of Intrusion Detection System:
Network Intrusion Detection System (NIDS):
Network intrusion detection systems (NIDS) are set up at a planned point within the network to examine traffic from all devices on the network. A NIDS observes the
traffic passing on the entire subnet and matches it against the collection of known attacks. Once an attack is identified or abnormal behavior is observed, an alert can be
sent to the administrator. An example of NIDS deployment is installing it on the subnet where the firewalls are located in order to see if someone is trying to crack the
firewall.
Host intrusion detection systems (HIDS) run on independent hosts or devices on the network. A HIDS monitors the incoming and outgoing packets of that device only
and alerts the administrator if suspicious or malicious activity is detected. It takes a snapshot of the existing system files and compares it with the previous snapshot. If
the monitored system files were edited or deleted, an alert is sent to the administrator to investigate. An example of HIDS usage can be seen on mission-critical
machines, which are not expected to change their layout.
Protocol-based Intrusion Detection System (PIDS):
A protocol-based intrusion detection system (PIDS) consists of a system or agent that consistently resides at the front end of a server, controlling and interpreting the protocol between a
user/device and the server. It tries to secure the web server by regularly monitoring the HTTPS protocol stream and accepting the related HTTP protocol. Because the HTTPS stream is
decrypted just before it enters the web presentation layer, this system needs to reside at that interface in order to inspect the HTTPS traffic.
An application protocol-based intrusion detection system (APIDS) is a system or agent that generally resides within a group of servers. It identifies intrusions by monitoring and interpreting the
communication on application-specific protocols. For example, it would monitor the SQL protocol specific to the middleware as it transacts with the database in the web server.
A hybrid intrusion detection system is made by combining two or more approaches of intrusion detection. In a hybrid intrusion detection system, host agent or system data is
combined with network information to develop a complete view of the network system. A hybrid intrusion detection system is more effective in comparison to the other intrusion detection systems.
Prelude is an example of a hybrid IDS.
Detection Method of IDS
Signature-based Method:
A signature-based IDS detects attacks on the basis of specific patterns, such as the number of bytes or the number of 1's or 0's
in the network traffic. It also detects on the basis of already known malicious instruction sequences used by malware. The
patterns the IDS looks for are known as signatures. A signature-based IDS can easily detect attacks whose pattern (signature)
already exists in the system, but it is quite difficult for it to detect new malware attacks, as their pattern (signature) is not yet known.
Anomaly-based Method:
Anomaly-based IDS was introduced to detect unknown malware attacks, as new malware is developed rapidly. An anomaly-based
IDS uses machine learning to create a trustworthy model of normal activity; incoming traffic is compared with that model and is
declared suspicious if it is not accounted for by the model. The machine learning based method generalizes better than a
signature-based IDS, as these models can be trained according to the applications and hardware configurations.
Policy-Based IPS/IDS
This type of traffic matching can be implemented based on the security policy for your network. For example, if your company has a security policy
that states that no Telnet traffic should be used (for security reasons) on specific areas of your network, you can create a custom rule that states that
if TCP traffic is seen destined to port 23 (which is the well-known port for Telnet) to a device in the part of the network for which Telnet is not
permitted, the IPS can generate an alert and drop the packet. If this is configured as IDS, it could simply generate an alert (but cannot drop the
packet on its own because IDS is in promiscuous mode, and not inline).
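The Telnet policy rule above, as an added example that is not part of the original notes: the same rule (TCP to port 23 destined for a subnet where Telnet is not permitted) is evaluated in inline IPS mode, where the packet is dropped, and in promiscuous IDS mode, where only an alert is produced and the packet is still forwarded. The restricted subnet and the sample traffic are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed policy: Telnet (TCP port 23) is not permitted into this subnet.
NO_TELNET_ZONE = ip_network("10.10.20.0/24")
TELNET_PORT = 23


def violates_policy(pkt):
    """True for TCP traffic to port 23 whose destination lies in the restricted zone."""
    return (pkt["proto"] == "tcp"
            and pkt["dst_port"] == TELNET_PORT
            and ip_address(pkt["dst_ip"]) in NO_TELNET_ZONE)


def inspect(packets, mode):
    """Apply the rule as an inline IPS ('ips') or a promiscuous IDS ('ids').

    Returns (alerts, forwarded). An IPS sits in the traffic path and can drop
    the packet; an IDS only sees a copy of the traffic, so it alerts but every
    packet still reaches its destination.
    """
    if mode not in ("ips", "ids"):
        raise ValueError("mode must be 'ips' or 'ids'")
    alerts, forwarded = [], []
    for pkt in packets:
        if violates_policy(pkt):
            alerts.append(f"telnet to {pkt['dst_ip']} from {pkt['src_ip']}")
            if mode == "ips":
                continue  # dropped inline, never forwarded
        forwarded.append(pkt)
    return alerts, forwarded


# Constructed sample traffic: one Telnet attempt into the restricted zone,
# one Telnet session to a permitted subnet, one SSH session into the zone.
SAMPLE = [
    {"proto": "tcp", "src_ip": "10.10.5.7", "dst_ip": "10.10.20.15", "dst_port": 23},
    {"proto": "tcp", "src_ip": "10.10.5.7", "dst_ip": "10.10.30.4", "dst_port": 23},
    {"proto": "tcp", "src_ip": "10.10.5.7", "dst_ip": "10.10.20.15", "dst_port": 22},
]
```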
Honeypots are decoy computer resources set up for the purpose of monitoring and logging the activities of entities that probe, attack or
compromise them. Activity on honeypots can be considered suspicious by definition, as there is no reason for benign users to interact with these
systems. Honeypots come in many shapes and sizes; examples include dummy items in a database, low-interaction network components like
preconfigured traffic sinks, or full-interaction hosts with real operating systems and services. Honeypots are easy to use, capture the required
information and are mainly used by corporate companies to secure their networks from online hackers and unauthorized users. Most honeypots
are installed and configured inside the firewall so that they can be better controlled.