Unit 5

This document discusses different types of firewalls and VPN security. It describes software and hardware firewalls, as well as packet filtering, proxy, stateful inspection, next generation and unified threat management firewalls. It also covers VPN technology and common security protocols used at the application, transport and network layers like PGP/S/MIME, SSL/TLS and IPSec.

Uploaded by

kaavya shruthi

UNIT 5

Firewalls: Types of Firewalls, User Management, VPN Security. Security Protocols: Security at the
Application Layer (PGP and S/MIME), Security at the Transport Layer (SSL and TLS), Security at the
Network Layer (IPSec).

Types of Firewall
Firewalls are broadly divided into three categories by their structure: software firewalls,
hardware firewalls, or a combination of both. Each type works differently but serves the same
purpose, and it is best practice to deploy both to achieve the maximum possible protection.

A hardware firewall is a physical device that sits between a computer network and a gateway,
for example a broadband router. A hardware firewall is sometimes referred to as an Appliance
Firewall. A software firewall, on the other hand, is a program installed on a computer that
filters traffic by port number and by the other software installed on the host. This type of
firewall is also called a Host Firewall.

In addition, firewalls are classified by the features they offer and the level of security they
provide. The following firewall techniques can be implemented as software or hardware:

o Packet-filtering Firewalls
o Circuit-level Gateways
o Application-level Gateways (Proxy Firewalls)
o Stateful Multi-layer Inspection (SMLI) Firewalls
o Next-generation Firewalls (NGFW)
o Threat-focused NGFW
o Network Address Translation (NAT) Firewalls
o Cloud Firewalls
o Unified Threat Management (UTM) Firewalls
Packet-filtering Firewalls
A packet-filtering firewall is the most basic type of firewall. It acts as a management program
that monitors network traffic and filters incoming packets according to configured security
rules. It blocks a packet based on its IP protocol, IP address and port number whenever the
packet does not match the established rule set.

While packet-filtering firewalls are a fast solution with modest resource requirements, they
also have limitations. Because these firewalls do not prevent web-based attacks, they are not
the safest option.

Circuit-level Gateways
Circuit-level gateways are another simplified type of firewall that can be easily
configured to allow or block traffic without consuming significant computing
resources. These types of firewalls typically operate at the session-level of the OSI
model by verifying TCP (Transmission Control Protocol) connections and sessions.
Circuit-level gateways are designed to ensure that the established sessions are
protected.

Typically, circuit-level firewalls are implemented as security software or as part of existing
firewalls. Like packet-filtering firewalls, they do not check the actual data, although they
inspect information about the transaction. Therefore, if the data contains malware but follows
a correct TCP connection, it will pass through the gateway. That is why circuit-level gateways
are not considered safe enough to protect our systems on their own.

Application-level Gateways (Proxy Firewalls)


Proxy firewalls operate at the application layer as an intermediate device that filters
incoming traffic between two end systems (for example, an internal network and external traffic).
That is why these firewalls are called 'Application-level Gateways'.

Unlike basic firewalls, a proxy firewall forwards requests from clients to the web server as if
it were the original client. This hides the client's identity and other sensitive information,
keeping the network safe from potential attacks. Once the connection is established, the proxy
firewall inspects the data packets coming from the source; if the contents of an incoming packet
pass inspection, the proxy firewall forwards it to the client. This approach creates an
additional layer of security between the client and the many different sources on the network.

Stateful Multi-layer Inspection (SMLI) Firewalls


Stateful multi-layer inspection firewalls include both packet inspection technology
and TCP handshake verification, making SMLI firewalls superior to packet-filtering
firewalls or circuit-level gateways. Additionally, these types of firewalls keep track of
the status of established connections.

In simple words, when a user establishes a connection and requests data, the SMLI
firewall creates a database (state table). The database is used to store session
information such as source IP address, port number, destination IP address,
destination port number, etc. Connection information is stored for each session in
the state table. Using stateful inspection technology, these firewalls create security
rules to allow anticipated traffic.

In most cases, SMLI firewalls are implemented as additional security levels. These
types of firewalls implement more checks and are considered more secure than
stateless firewalls. This is why stateful packet inspection is implemented along with
many other firewalls to track statistics for all internal traffic. Doing so increases the
load and puts more pressure on computing resources. This can give rise to a slower
transfer rate for data packets than other solutions.
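As an added example (not from the notes), the following Python simulates the two filtering styles described in the packet-filtering and SMLI sections above: a stateless filter that matches IP protocol, addresses and ports against a first-match rule set, and a stateful filter that consults a state table of tracked sessions before the rules. All addresses, ports and rules are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "*"             # "*" matches any IP protocol
    src: str = "0.0.0.0/0"       # CIDR; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any port
    sport: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    """Stateless match on IP protocol, source/destination address and ports."""
    return (rule.proto in ("*", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.dport in (None, pkt.dport)
            and rule.sport in (None, pkt.sport))

def stateless_verdict(rules: List[Rule], pkt: Packet) -> str:
    """Packet-filtering firewall: first matching rule wins, default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

class StatefulFirewall:
    """SMLI-style filter: rules decide only new connections; the state table
    (5-tuples of tracked sessions) admits the remaining packets of each session."""
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.state: Set[Tuple[str, str, int, str, int]] = set()

    def verdict(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.state or rev in self.state:
            return "allow"                  # belongs to an established session
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"                   # no session and not a handshake start
        if stateless_verdict(self.rules, pkt) == "allow":
            self.state.add(fwd)             # record the new session
            return "allow"
        return "deny"

INTERNAL = "10.0.0.0/24"
# Constructed policies. A stateless filter has to open inbound traffic from any
# host with source port 443 just to let HTTPS replies back in (second rule).
STATELESS_RULES = [Rule("allow", "tcp", INTERNAL, "0.0.0.0/0", dport=443),
                   Rule("allow", "tcp", "0.0.0.0/0", INTERNAL, sport=443)]
STATEFUL_RULES = [Rule("allow", "tcp", INTERNAL, "0.0.0.0/0", dport=443)]

def demo() -> Tuple[List[str], List[str]]:
    """Push the same constructed packets through both filters; returns
    ([stateless verdicts], [stateful verdicts]) in packet order."""
    packets = [
        Packet("tcp", "10.0.0.7", 51000, "203.0.113.9", 443, syn=True),  # client SYN
        Packet("tcp", "203.0.113.9", 443, "10.0.0.7", 51000),            # server reply
        Packet("tcp", "198.51.100.4", 443, "10.0.0.7", 22),  # unsolicited inbound, sport 443
    ]
    fw = StatefulFirewall(STATEFUL_RULES)
    return ([stateless_verdict(STATELESS_RULES, p) for p in packets],
            [fw.verdict(p) for p in packets])
```

The third packet shows the difference: the stateless rule set admits it because its source port is 443, whereas the state table rejects it because no session was ever opened towards that host.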
Next-generation Firewalls (NGFW)
Many recently released firewalls are marketed as 'next-generation firewalls', although there is no
precise definition of the term. An NGFW is usually described as a security device that combines
the features and functionality of other firewall types, including deep packet inspection (DPI),
surface-level packet inspection and TCP handshake testing.

An NGFW offers a higher level of security than packet-filtering and stateful inspection firewalls.
Unlike traditional firewalls, it monitors the entire data transaction, including packet headers,
packet contents and sources. NGFWs are designed to prevent more sophisticated and evolving threats
such as malware attacks, external threats and advanced intrusions.

Threat-focused NGFW
A threat-focused NGFW includes all the features of a traditional NGFW and additionally provides
advanced threat detection and remediation. These firewalls can react to attacks quickly: with
intelligent security automation, a threat-focused NGFW sets security rules and policies, further
strengthening the overall defence.

In addition, these firewalls use retrospective security to monitor suspicious activity
continuously, analysing the behaviour of every activity even after the initial inspection. Because
of this, a threat-focused NGFW dramatically reduces the overall time from threat detection to
cleanup.

Network Address Translation (NAT) Firewalls


Network address translation (NAT) firewalls are primarily designed to allow devices to access
Internet traffic while blocking all unwanted connections. They hide the IP addresses of our
devices, making them harder for attackers to target.

When multiple devices connect to the Internet, a NAT firewall presents a single IP address and
hides the individual devices' addresses, so one IP address is used for all devices. In this way,
NAT firewalls shield the individual network addresses from attackers scanning a network for
reachable IP addresses, giving enhanced protection against suspicious activity and attacks.

In general, NAT firewalls work similarly to proxy firewalls: like a proxy firewall, a NAT firewall
acts as an intermediate device between a group of computers and external traffic.
Cloud Firewalls
Whenever a firewall is delivered as a cloud solution, it is known as a cloud firewall or FaaS
(firewall-as-a-service). Cloud firewalls are typically maintained and run on the Internet by
third-party vendors. This type of firewall is considered similar to a proxy firewall because cloud
firewalls are used as proxy servers; however, they are configured according to requirements.

The most significant advantage of cloud firewalls is scalability. Because they have no physical
resources of their own, they are easy to scale according to the organisation's demand or traffic
load: if demand increases, additional capacity can be added to the cloud server to filter the
additional traffic. Most organisations use cloud firewalls to secure their internal networks or
their entire cloud infrastructure.

Unified Threat Management (UTM) Firewalls


UTM firewalls are a special type of device that combines the features of a stateful inspection
firewall with anti-virus and intrusion prevention support. Such firewalls are designed for
simplicity and ease of use, and can also add many other services, such as cloud management.

Virtual private network


A virtual private network (VPN) is a mechanism for creating a secure connection between a
computing device and a computer network, or between two networks, over an insecure communication
medium such as the public Internet.

VPNs cannot make online connections completely anonymous, but they can increase privacy and
security by encrypting all communication between remote locations over the open Internet. To
prevent disclosure of private information or data sniffing, VPNs typically allow only
authenticated remote access using tunneling protocols and secure encryption techniques.

The VPN security model provides:

 Confidentiality: even if the network traffic is sniffed at the packet level (see network sniffer
or deep packet inspection), an attacker would see only encrypted data, not the raw data.
 Sender authentication: prevents unauthorized users from accessing the VPN.
 Message integrity: detects and rejects any instance of tampering with transmitted messages.

Security protocols
VPN security protocols are sets of rules and processes that dictate how data is transmitted and
encrypted within a Virtual Private Network (VPN). Different protocols offer varying levels of security,
speed, and compatibility. Here are some commonly used VPN security protocols:

1. OpenVPN:
 Description: OpenVPN is an open-source protocol known for its strong security
features and flexibility. It supports various encryption algorithms and is highly
configurable.
 Security: Considered one of the most secure protocols when configured properly.
 Compatibility: Widely supported on various platforms.
2. IPsec (Internet Protocol Security):
 Description: IPsec is a suite of protocols used to secure internet communication by
authenticating and encrypting each data packet in a communication session.
 Security: Provides a high level of security, especially when used in conjunction with
other protocols like L2TP or IKEv2.
 Compatibility: Commonly used on mobile devices and natively supported by many
operating systems.
3. L2TP/IPsec (Layer 2 Tunneling Protocol with IPsec):
 Description: L2TP is often used in combination with IPsec to provide a more secure
and private connection.
 Security: L2TP by itself does not provide encryption, so it's often paired with IPsec
for data encryption and authentication.
 Compatibility: Widely supported on various devices but may be slower than some
other protocols.
4. IKEv2/IPsec (Internet Key Exchange version 2 with IPsec):
 Description: IKEv2 is a tunneling protocol that, when combined with IPsec, offers a
secure and stable connection.
 Security: Provides strong security, and its ability to quickly re-establish a connection
after a brief interruption makes it suitable for mobile devices.
 Compatibility: Commonly used on mobile devices and supported on many platforms.
5. PPTP (Point-to-Point Tunneling Protocol):
 Description: PPTP is an older and less secure protocol that is not recommended for
use due to vulnerabilities.
 Security: Considered insecure due to known vulnerabilities, and it's not
recommended for sensitive data.
 Compatibility: Despite its security shortcomings, it may still be supported by some
devices.
6. WireGuard:
 Description: WireGuard is a relatively new and lightweight open-source protocol
known for its simplicity and efficiency.
 Security: Regarded as secure, with a focus on simplicity and performance.
 Compatibility: Becoming increasingly supported on various platforms.

PGP
o PGP stands for Pretty Good Privacy and was invented by Phil Zimmermann.

o PGP was designed to provide all four aspects of security, i.e., privacy, integrity,
authentication, and non-repudiation in the sending of email.

o PGP uses a digital signature (a combination of hashing and public-key encryption) to provide
integrity, authentication and non-repudiation, and a combination of secret-key encryption and
public-key encryption to provide privacy. Taken together, PGP therefore uses one hash function,
one secret key and two public-private key pairs.

o PGP is an open source and freely available software package for email security.

o PGP provides authentication through the use of Digital Signature.

o It provides confidentiality through the use of symmetric block encryption.

o It provides compression using the ZIP algorithm, and e-mail compatibility using the radix-64
encoding scheme.

Notation:
M – Message
H – Hash function
Ks – A random session key created for symmetric encryption
DP – Public-key decryption algorithm
EP – Public-key encryption algorithm
DC – Symmetric decryption algorithm
EC – Symmetric encryption algorithm
KPb – Private key of user B used in the public-key encryption process
KPa – Private key of user A used in the public-key encryption process
PUa – Public key of user A used in the public-key encryption process
PUb – Public key of user B used in the public-key encryption process
|| – Concatenation
Z – Compression function
Z⁻¹ – Decompression function
Following are the steps taken by PGP to create secure e-mail at the sender site:
o The e-mail message is hashed using a hash function to create a digest.
o The digest is encrypted with the sender's private key to form a signed digest, and the signed
digest is appended to the original e-mail message.
o The original message and signed digest are encrypted using a one-time secret key created by
the sender.
o The secret key is encrypted using the receiver's public key.
o The encrypted secret key and the encrypted combination of message and digest are sent
together.

PGP at the Sender site (A)

Following are the steps taken by PGP at the receiver site, using hashing and a combination of
three keys to recover the original message:
o The receiver receives the combination of the encrypted secret key and the encrypted message
and digest.
o The encrypted secret key is decrypted using the receiver's private key to obtain the one-time
secret key.
o The secret key is then used to decrypt the combination of message and digest.
o The digest is decrypted using the sender's public key, and the original message is hashed
with the hash function to create a fresh digest.
o The two digests are compared; if they are equal, all aspects of security are preserved.
PGP at the Receiver site (B)
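The sender and receiver steps above, written out as an added Python example (not PGP's own code) in the notation of the notes: EP/DP are stood in for by textbook RSA with fixed Mersenne-prime moduli, EC/DC by an XOR keystream derived from SHA-256, Z by zlib and radix-64 by base64. These stand-ins are assumptions chosen so the block runs with only the standard library; they show the structure of the scheme, not a usable implementation.

```python
import base64
import hashlib
import os
import zlib

# Toy stand-in for EP/DP (assumption): textbook RSA, no padding, fixed primes.
E = 65537

def make_pair(p: int, q: int):
    """Return (public, private) as ((e, n), (d, n)); p and q are assumed prime."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

# Moduli sized so a SHA-224 digest (< 2^224) fits under n_A (about 2^234) and a
# 128-bit session key fits under n_B (about 2^150). Mersenne primes 2^k - 1.
PUa, KPa = make_pair(2**127 - 1, 2**107 - 1)   # user A (sender) key pair
PUb, KPb = make_pair(2**89 - 1, 2**61 - 1)     # user B (receiver) key pair

def H(m: bytes) -> int:
    """Hash function H: SHA-224 digest as an integer."""
    return int.from_bytes(hashlib.sha224(m).digest(), "big")

def EP(key, x: int) -> int:
    """Public-key operation: modular exponentiation with the given (exp, n)."""
    return pow(x, key[0], key[1])

DP = EP   # decryption/verification is the same operation with the other key

def EC(ks: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (assumption): XOR with SHA-256(Ks || counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(ks + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

DC = EC   # an XOR stream cipher is its own inverse
Z, Z_inv = zlib.compress, zlib.decompress

def pgp_send(m: bytes, sender_priv, receiver_pub) -> bytes:
    """Sender A: EP(KPa, H(M)) || M, compress, EC with one-time Ks, EP(PUb, Ks)."""
    sig = EP(sender_priv, H(m)).to_bytes(30, "big")          # signed digest
    ks = os.urandom(16)                                      # one-time session key
    body = EC(ks, Z(sig + m))                                # EC(Ks, Z(sig || M))
    eks = EP(receiver_pub, int.from_bytes(ks, "big")).to_bytes(19, "big")
    return base64.b64encode(eks + body)                      # radix-64 for e-mail

def pgp_receive(armored: bytes, receiver_priv, sender_pub) -> bytes:
    """Receiver B: recover Ks with KPb, DC, decompress, verify digest with PUa."""
    raw = base64.b64decode(armored)
    ks = DP(receiver_priv, int.from_bytes(raw[:19], "big")).to_bytes(16, "big")
    sig_m = Z_inv(DC(ks, raw[19:]))
    sig, m = sig_m[:30], sig_m[30:]
    if DP(sender_pub, int.from_bytes(sig, "big")) != H(m):
        raise ValueError("digest mismatch: message or signature was altered")
    return m
```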
S/MIME

S/MIME, which stands for Secure/Multipurpose Internet Mail Extensions, is a standard for public key
encryption and signing of MIME data (Multipurpose Internet Mail Extensions). MIME is a standard
that extends the format of email messages to support text in character sets other than ASCII, as well
as attachments of audio, video, images, and application programs.

S/MIME adds a layer of security to email messages by allowing the sender to digitally sign and/or
encrypt the message content. Here's a brief overview of the two main functions of S/MIME:

Digital Signing:

Authentication: The sender's digital signature helps verify the authenticity of the message. The
recipient can be sure that the message has not been tampered with during transit and that it indeed
comes from the claimed sender.

Integrity: The digital signature ensures the integrity of the message. If the message is altered in any
way, the signature will be invalidated.

Encryption:

Confidentiality: S/MIME allows for the encryption of the message content. This means that even if
the message is intercepted during transmission, the interceptor cannot understand the content
without the appropriate decryption key.

S/MIME uses a public key infrastructure (PKI) to manage the necessary keys. Each user has a pair of
cryptographic keys: a public key that others can use to encrypt messages to the user, and a private
key that only the user knows and uses to decrypt received messages and to sign messages.

To use S/MIME, both the sender and the recipient must have a digital certificate containing their
public key. These certificates are issued by trusted certificate authorities (CAs).

S/MIME is commonly used in corporate environments and other settings where secure
communication is essential, such as government agencies and financial institutions. Email clients like
Microsoft Outlook and Mozilla Thunderbird often support S/MIME for secure email communication.

Secure Socket Layer (SSL)


Secure Socket Layer (SSL) provides security to the data that is transferred between web browser and
server. SSL encrypts the link between a web server and a browser which ensures that all data passed
between them remain private and free from attack.

Secure Socket Layer Protocols:

 SSL Record Protocol
 Handshake Protocol
 Change-cipher Spec Protocol
 Alert Protocol

SSL Protocol Stack:

SSL Record Protocol:

The SSL Record Protocol provides two services to an SSL connection:

 Confidentiality

 Message Integrity

In the SSL Record Protocol, application data is divided into fragments. Each fragment is
compressed, then a MAC (Message Authentication Code) generated with an algorithm such as SHA
(Secure Hash Algorithm) or MD5 (Message Digest) is appended. The data is then encrypted, and
finally the SSL record header is added.

Handshake Protocol:
The Handshake Protocol is used to establish sessions. It allows the client and server to
authenticate each other by exchanging a series of messages. The handshake completes in four
phases:

 Phase 1: Client and server send hello messages to each other. In this phase the session ID,
cipher suite and protocol version are exchanged for security purposes.

 Phase 2: The server sends its certificate and a Server-key-exchange message. The server ends
phase 2 by sending the Server-hello-done message.

 Phase 3: The client replies to the server by sending its certificate and a Client-key-exchange
message.

 Phase 4: The Change-cipher-spec exchange occurs, after which the Handshake Protocol ends.

SSL Handshake Protocol Phases diagrammatic representation

Change-cipher Protocol:

This protocol uses the SSL Record Protocol. Until the Handshake Protocol has completed, the SSL
record output remains in a pending state; after the handshake, the pending state becomes the
current state. The Change-cipher-spec protocol consists of a single message that is 1 byte in
length and can have only one value. Its purpose is to cause the pending state to be copied into
the current state.

Alert Protocol:

This protocol is used to convey SSL-related alerts to the peer entity. Each message in this
protocol contains 2 bytes (a level and a description).

The level is further classified into two parts:

Warning (level = 1): this alert has no impact on the connection between sender and receiver.
Some of the warning descriptions are:

 Bad certificate: the received certificate is corrupt.
 No certificate: an appropriate certificate is not available.
 Certificate expired: the certificate has expired.
 Certificate unknown: some other unspecified issue arose in processing the certificate,
rendering it unacceptable.
 Close notify: the sender will no longer send any messages on this connection.
 Unsupported certificate: the type of certificate received is not supported.
 Certificate revoked: the received certificate is in a revocation list.

TLS Protocol
 The TLS protocol has the same objectives as SSL.

 It enables client/server applications to communicate securely by authenticating the peers,
preventing eavesdropping and resisting message modification.

 The TLS protocol sits above the reliable, connection-oriented TCP transport layer in the
networking stack.

 The architecture of TLS is similar to that of SSLv3. It has two sub-protocols: the TLS Record
Protocol and the TLS Handshake Protocol.

 Although SSLv3 and TLS have a similar architecture, several changes were made to the
architecture and operation, particularly of the handshake protocol.
Comparison of TLS and SSL Protocols

There are eight main differences between the TLS and SSLv3 protocols. These are as follows −

 Protocol Version − The header of a TLS protocol segment carries the version number 3.1, to
differentiate it from the version number 3 carried by the SSL protocol segment header.

 Message Authentication − TLS employs a keyed-hash message authentication code (HMAC). The
benefit is that HMAC operates with any hash function, not just MD5 or SHA as explicitly
stated by the SSL protocol.

 Session Key Generation − There are two differences between TLS and SSL protocol for
generation of key material.

o Method of computing pre-master and master secrets is similar. But in TLS protocol,
computation of master secret uses the HMAC standard and pseudorandom function
(PRF) output instead of ad-hoc MAC.

o The algorithm for computing session keys and initiation values (IV) is different in TLS
than SSL protocol.

 Alert Protocol Message −

o TLS protocol supports all the messages used by the Alert protocol of SSL, except No
certificate alert message being made redundant. The client sends empty certificate
in case client authentication is not required.

o Many additional Alert messages are included in TLS protocol for other error
conditions such as record_overflow, decode_error etc.

 Supported Cipher Suites − SSL supports RSA, Diffie-Hellman and Fortezza cipher suites. The TLS
protocol supports all of these suites except Fortezza.

 Client Certificate Types − TLS defines the certificate types that may be requested in a
certificate_request message. SSLv3 supports all of these and additionally supports certain other
types of certificate, such as Fortezza.

 CertificateVerify and Finished Messages −

o In SSL, complex message procedure is used for the certificate_verify message. With
TLS, the verified information is contained in the handshake messages itself thus
avoiding this complex procedure.

o Finished message is computed in different manners in TLS and SSLv3.

 Padding of Data − In SSL protocol, the padding added to user data before encryption is the
minimum amount required to make the total data-size equal to a multiple of the cipher’s
block length. In TLS, the padding can be any amount that results in data-size that is a
multiple of the cipher’s block length, up to a maximum of 255 bytes.
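The last difference, illustrated by an added Python example (not from the notes): ssl_pad adds the minimum padding needed to reach a block boundary, tls_pad adds any number of extra whole blocks up to the 255-byte limit, and tls_unpad performs the receiver-side check that every padding byte carries the padding length (a TLS rule assumed here from the specification, not stated in the notes). Block sizes and data are constructed.

```python
def ssl_pad(data: bytes, block: int) -> bytes:
    """SSLv3: minimum padding; the final byte holds the padding length
    (excluding itself). SSL leaves the padding bytes unspecified; zeros here."""
    pad = (block - (len(data) + 1) % block) % block
    return data + bytes(pad) + bytes([pad])

def tls_pad(data: bytes, block: int, extra_blocks: int = 0) -> bytes:
    """TLS: any padding keeping the total a multiple of the block length, at most
    255 bytes. Every padding byte, including the length byte, carries the length."""
    pad = (block - (len(data) + 1) % block) % block + extra_blocks * block
    if pad > 255:
        raise ValueError("TLS padding cannot exceed 255 bytes")
    return data + bytes([pad] * (pad + 1))

def tls_unpad(padded: bytes, block: int) -> bytes:
    """Receiver check: block-aligned length and every padding byte equal to the
    padding length; anything else is rejected before the plaintext is used."""
    if not padded or len(padded) % block:
        raise ValueError("record length is not a multiple of the block length")
    pad = padded[-1]
    if pad + 1 > len(padded) or any(b != pad for b in padded[-(pad + 1):]):
        raise ValueError("invalid padding")
    return padded[:-(pad + 1)]
```

Varying extra_blocks lets a TLS sender hide the true length of the user data, which the minimal SSLv3 padding cannot do.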
