Nis Unit 3 Notes

Uploaded by 22416

UNIT 3

NETWORK SECURITY CONTROLS

Network Attacks
1. Malware:
Malicious software which is specifically designed to disrupt, damage, or gain
unauthorized access to a computer system. Much of the malware out there today is
self-replicating. Once it infects one host, from that host it seeks entry into other
hosts over the Internet, and from the newly infected hosts, it seeks entry into yet
more hosts. In this manner, self-replicating malware can spread exponentially
fast.

2. Virus:
A malware which requires some form of user’s interaction to infect the user’s
device. The classic example is an e-mail attachment containing malicious
executable code. If a user receives and opens such an attachment, the user
inadvertently runs the malware on the device.

3. Worm:
A malware which can enter a device without any explicit user interaction. For
example, a user may be running a vulnerable network application to which an
attacker can send malware. In some cases, without any user intervention, the
application may accept the malware from the Internet and run it, creating a worm.

4. Botnet:
A network of private computers infected with malicious software and controlled as
a group without the owners’ knowledge, e.g. to send spam.

5. DoS (Denial of Service):
A DoS attack renders a network, host, or other pieces of infrastructure unusable by
legitimate users. Most Internet DoS attacks fall into one of three categories:
 Vulnerability attack: This involves sending a few well-crafted messages
to a vulnerable application or operating system running on a targeted host.
If the right sequence of packets is sent to a vulnerable application or
operating system, the service can stop or, worse, the host can crash.
 Bandwidth flooding: The attacker sends a deluge of packets to the targeted
host—so many packets that the target’s access link becomes clogged,
preventing legitimate packets from reaching the server.
 Connection flooding: The attacker establishes a large number of half-open
or fully open TCP connections at the target host. The host can become so
bogged down with these bogus connections that it stops accepting
legitimate connections.

6. DDoS (Distributed DoS):
DDoS is a type of DoS attack where multiple compromised systems are used to
target a single system, causing a Denial of Service (DoS) attack. DDoS attacks
leveraging botnets with thousands of compromised hosts are a common occurrence
today. DDoS attacks are much harder to detect and defend against than a DoS
attack from a single host.

7. Packet sniffer:
A passive receiver that records a copy of every packet that flies by is called a
packet sniffer. By placing a passive receiver in the vicinity of the wireless
transmitter, that receiver can obtain a copy of every packet that is transmitted.
These packets can contain all kinds of sensitive information, including passwords,
social security numbers, trade secrets, and private personal messages. Some of the
best defenses against packet sniffing involve cryptography.

8. IP Spoofing:
The ability to inject packets into the Internet with a false source address is known
as IP spoofing, and is but one of many ways in which one user can masquerade as
another user. To solve this problem, we will need end-point authentication, that is,
a mechanism that will allow us to determine with certainty if a message originates
from where we think it does.

9. Man-in-the-Middle Attack:
As the name indicates, a man-in-the-middle attack occurs when someone between
you and the person with whom you are communicating is actively monitoring,
capturing, and controlling your communication transparently. For example, the
attacker can re-route a data exchange. When computers are communicating at low
levels of the network layer, the computers might not be able to determine with
whom they are exchanging data.

10. Compromised-Key Attack:
A key is a secret code or number necessary to interpret secured information.
Although obtaining a key is a difficult and resource-intensive process for an
attacker, it is possible. After an attacker obtains a key, that key is referred to as a
compromised key. An attacker uses the compromised key to gain access to a
secured communication without the sender or receiver being aware of the attack.

11. Phishing:
The fraudulent practice of sending emails purporting to be from reputable
companies in order to induce individuals to reveal personal information, such as
passwords and credit card numbers.

12. DNS spoofing:
Also referred to as DNS cache poisoning, this is a form of attack in which corrupt
Domain Name System data is introduced into the DNS resolver’s cache, causing the
name server to return an incorrect IP address.

Intrusion Detection System

An intrusion is an adverse event in which an attacker attempts to gain entry into an
information system or disrupt its normal operations, almost always with the intent
to do harm. An intrusion occurs when an attacker attempts to gain entry into an
organization’s information systems or disrupt their normal operations. Even when such
attacks are self-propagating, as with viruses and distributed denial-of-service attacks, they
are almost always instigated by someone whose purpose is to harm an organization.

Intrusion detection consists of procedures and systems that identify system intrusions.
Information security intrusion detection systems (IDSs) became commercially available
in the late 1990s. An IDS works like a burglar alarm in that it detects a violation and
activates an alarm. This alarm can be a sound, a light or other visual signal, or a silent
warning, such as an e-mail message or pager alert. Intrusion detection system (IDS) is a
system capable of automatically detecting an intrusion into an organization’s
networks or host systems and notifying a designated authority.
Need for Intrusion Monitoring and Detection
 The primary purpose of an IDS is to identify and report intrusions promptly.
 Early detection enables organizations to contain attacks swiftly and mitigate
potential losses.
 Notification is crucial for the effectiveness of an IDS; without it, the system serves
no purpose.
 IDSs aid in detecting attack reconnaissance, such as footprinting and
fingerprinting. Footprinting gathers information about the organization and its
network, while fingerprinting scans for active systems and identifies their services.
 Early warning signs detected by IDSs function like a neighborhood watch,
allowing administrators to prepare for or minimize potential losses from attacks.
 IDSs help protect assets even when networks and systems are exposed to
vulnerabilities or unable to respond to rapidly changing threats.
 Factors like delays in securing systems or infrequent vulnerability checks can
undermine an organization's ability to defend against attacks.
 Even when vulnerabilities are detected in a timely manner, corrective measures
may be delayed due to workload fluctuations.
 Corrective actions, such as installing patches and upgrades, are essential but can
be time-consuming.
 Setting up an IDS to detect attacks exploiting known vulnerabilities is a key part
of defense strategy.

Intrusion Detection for Information System Security:

Intrusion Detection Methodologies


IDSs use a variety of detection methods to monitor and evaluate network traffic. Three
methods dominate:
• Signature-based detection
• Anomaly-based detection
• Stateful protocol analysis.

1. Signature-Based Detection

An IDS that uses signature-based detection (sometimes called knowledge-based detection
or misuse detection) examines network traffic in search of patterns that match known
signatures—that is, preconfigured, predetermined attack patterns.

Signature-based technology is widely used because many attacks have clear and distinct
signatures:
• Footprinting and fingerprinting activities use Internet Control Message Protocol
(ICMP), DNS querying, and e-mail routine analysis.
• Exploits use a specific attack sequence designed to take advantage of a
vulnerability to gain access to a system.
• DoS and DDoS attacks, during which the attacker tries to prevent the normal
usage of a system, overload the system with requests so that its ability to process
them efficiently is compromised or disrupted.
A potential problem with the signature-based approach is that new attack patterns
must continually be added to the IDS’s database of signatures; otherwise, attacks that
use new strategies will not be recognized and might succeed. Another weakness of the
signature-based method is that a slow, methodical attack involving multiple events
might escape detection.

The only way signature-based detection can resolve this vulnerability is to collect and
analyze data over longer periods of time, a process that requires substantially greater
data storage capability and additional processing capacity. However, detection in real
time becomes extremely unlikely. Similarly, using signature-based detection to
compare observed events with known patterns is relatively simplistic; the
technologies that deploy it typically cannot analyze some application or network
protocols, nor can they understand complex communications.
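A worked illustration of the two points above: one-event signatures are cheap and fast, and a slow, methodical multi-event attack only becomes visible once the IDS retains data over a longer window. This is an added example written for these notes, not code from the notes themselves. The rule ids, the log-line format and the events are constructed; the slow-scan detector is a stateful supplement chosen here to make the storage cost described in the paragraph concrete.

```python
"""Signature (misuse) detection over constructed event lines.

Added example written for these notes; the rule ids, log format and events are
constructed here and are not taken from any real IDS rule set.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int             # rule id (constructed)
    name: str
    pattern: re.Pattern  # a single event line must match this regex


# Each signature describes ONE event: that is what keeps matching cheap and fast.
SIGNATURES = (
    Signature(1001, "ICMP echo sweep (footprinting)",
              re.compile(r"proto=ICMP type=8\b")),
    Signature(1002, "DNS zone transfer request (footprinting)",
              re.compile(r"proto=DNS qtype=AXFR\b")),
    Signature(1003, "Path traversal in HTTP request",
              re.compile(r"proto=HTTP .*\.\./")),
)

# Constructed events: "t=<seconds> src=<ip> dst=<ip> dport=<port> proto=<p> <details>"
EVENTS = [
    "t=0    src=198.51.100.7 dst=192.0.2.10 dport=0   proto=ICMP type=8",
    "t=1    src=198.51.100.7 dst=192.0.2.53 dport=53  proto=DNS qtype=AXFR name=example.test",
    "t=2    src=192.0.2.44   dst=192.0.2.80 dport=80  proto=HTTP GET /index.html",
    "t=3    src=198.51.100.7 dst=192.0.2.80 dport=80  proto=HTTP GET /static/../../config",
    # A slow, methodical probe: one new port every ten minutes from one source.
    "t=600  src=203.0.113.9  dst=192.0.2.80 dport=22  proto=TCP flags=S",
    "t=1200 src=203.0.113.9  dst=192.0.2.80 dport=25  proto=TCP flags=S",
    "t=1800 src=203.0.113.9  dst=192.0.2.80 dport=80  proto=TCP flags=S",
    "t=2400 src=203.0.113.9  dst=192.0.2.80 dport=443 proto=TCP flags=S",
    "t=3000 src=203.0.113.9  dst=192.0.2.80 dport=445 proto=TCP flags=S",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split an event line into its key=value fields."""
    return dict(FIELD_RE.findall(line))


def match_signatures(events, signatures=SIGNATURES):
    """Stateless per-event matching: (event_index, sid) for every hit."""
    hits = []
    for i, line in enumerate(events):
        for sig in signatures:
            if sig.pattern.search(line):
                hits.append((i, sig.sid))
    return hits


def detect_slow_scan(events, window_s, min_ports):
    """Stateful supplement: distinct destination ports per source inside a
    sliding time window. This is the 'collect and analyze data over a longer
    period' remedy the notes describe; the history it must retain is the
    storage cost they warn about, and a longer window delays the verdict."""
    history = defaultdict(list)  # src -> [(t, dport), ...] kept across events
    alerts = []
    for line in events:
        f = parse_event(line)
        t, src, dport = int(f["t"]), f["src"], f["dport"]
        history[src].append((t, dport))
        # forget observations that have aged out of the window
        history[src] = [(ts, p) for ts, p in history[src] if t - ts <= window_s]
        ports = {p for _, p in history[src]}
        if len(ports) >= min_ports:
            alerts.append((src, t, len(ports)))
            history[src].clear()  # one alert per detected scan
    return alerts


if __name__ == "__main__":
    for idx, sid in match_signatures(EVENTS):
        print(f"signature {sid} matched event {idx}: {EVENTS[idx]}")
    print("slow scan, 60 s window  :", detect_slow_scan(EVENTS, 60, 5))
    print("slow scan, 3600 s window:", detect_slow_scan(EVENTS, 3600, 5))
```

With a 60-second window (a budget a real-time sensor could afford) the five SYNs are never seen together and the scan passes; with a one-hour window the same data raises one alert at t=3000, at the price of holding an hour of per-source history.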

2. Anomaly-Based Detection

Anomaly-based detection (or behavior-based detection) collects statistical summaries
by observing traffic that is known to be normal. This normal period of evaluation
establishes a performance baseline over a period of time known as the training period.
Once the baseline is established, the IDS periodically samples network activity and
uses statistical methods to compare the sampled activity to the baseline. When the
measured activity is outside the baseline parameters—exceeding what is called the
clipping level (or threshold)—the IDS sends an alert to the administrator. The
baseline data can include variables such as host memory or CPU usage, network
packet types, and packet quantities.
The profiles compiled by an anomaly-based detection IDS are generally either static
or dynamic. Static profiles do not change until modified or recalibrated by an
administrator. Dynamic profiles periodically collect additional observations on data
and traffic patterns and then use that information to update their baselines. This can
prove to be a vulnerability if the attacker uses a very slow attack, because the system
using the dynamic detection method interprets attack activity as normal traffic and
updates its profile accordingly.

The advantage of anomaly-based detection is that the IDS can detect new types of
attacks because it looks for abnormal activity of any type. Unfortunately, these
systems require much more overhead and processing capacity than signature-based
IDSs because they must constantly compare patterns of activity against the baseline.

Another drawback is that these systems may not detect minor changes to system
variables and may generate many false positives. If the actions of network users or
systems vary widely, with periods of low activity interspersed with periods of heavy
packet traffic, this type of IDS may not be suitable because the dramatic swings will
almost certainly generate false alarms. Because of the complexity of anomaly-based
detection, its impact on the overhead computing load of the host computer, and the
number of false positives it can generate, this type of IDS is less commonly used than
the signature-based type.
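The training period, clipping level and static versus dynamic profiles described above, worked through on constructed data. This is an added example written for these notes, not code from the notes. The packets-per-interval counts are constructed. The static profile flags the slow ramp as soon as it crosses the clipping level but also fires on legitimate bursts (the false positives the text warns about); the dynamic profile, recalibrated from every sample it accepts as normal, absorbs the slow ramp completely, which is exactly the weakness described for dynamic profiles.

```python
"""Anomaly (behavior-based) detection with static and dynamic profiles.

Added example written for these notes. The traffic series are constructed
packets-per-interval counts, not measurements from a real network.
"""
import statistics
from dataclasses import dataclass


@dataclass
class Profile:
    mean: float
    stdev: float
    k: float = 3.0  # clipping level (threshold) = mean + k * stdev

    @property
    def clipping_level(self):
        return self.mean + self.k * self.stdev


def train(samples, k=3.0):
    """Training period: summarize traffic that is known to be normal."""
    return Profile(statistics.mean(samples), statistics.pstdev(samples), k)


def detect(samples, profile, dynamic=False, alpha=0.1):
    """Return the indices of samples above the clipping level.

    dynamic=False: static profile, unchanged until an administrator recalibrates.
    dynamic=True : the baseline is re-estimated (exponential moving average of
    mean and absolute deviation) from every sample the IDS accepted as normal.
    """
    alerts = []
    mean, dev = profile.mean, profile.stdev
    for i, x in enumerate(samples):
        if x > mean + profile.k * dev:
            alerts.append(i)
            continue
        if dynamic:
            # recalibrate from the observation that was just judged normal
            dev = (1 - alpha) * dev + alpha * abs(x - mean)
            mean = (1 - alpha) * mean + alpha * x
    return alerts


# Constructed data ---------------------------------------------------------
TRAINING = [98, 102] * 5                            # quiet, well-behaved traffic
SLOW_RAMP = [101 + i for i in range(40)]            # attacker adds +1 per interval
BURSTY_NORMAL = [100, 99, 250, 101, 100, 300, 98]   # legitimate bursts


if __name__ == "__main__":
    profile = train(TRAINING)
    print("clipping level    :", profile.clipping_level)
    print("static, slow ramp :", detect(SLOW_RAMP, profile))
    print("dynamic, slow ramp:", detect(SLOW_RAMP, profile, dynamic=True))
    print("static, bursty    :", detect(BURSTY_NORMAL, profile))
```

Training on the constructed series gives a mean of 100 and a standard deviation of 2, so the clipping level is 106. The static profile alerts from the seventh ramp sample onward; the dynamic profile never alerts, because the baseline it keeps re-learning always stays ahead of a ramp of one packet per interval.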
3. Stateful Protocol Analysis

An IDS extension of this concept is stateful protocol analysis (SPA). SPA uses the
opposite of a signature approach. Instead of comparing known attack patterns against
observed traffic or data, the system compares known normal protocol profiles against
observed traffic.

Information gathering about a connection:
 When a packet is received by the IDS, it initiates the process of stateful
protocol analysis.
 The IDS extracts relevant information from the packet, including details about
the connection between the host (source) and the remote computer
(destination).
 This connection information is crucial for analyzing the packet in context and
determining if it poses any security risks.

State table:
 A fundamental component of stateful protocol analysis is the state table, also
known as a connection table or stateful inspection table.
 This table serves as a repository for maintaining records of active connections
between computers on the network. Key information stored in the state table
includes:
o Source and destination IP addresses: Identifies the communicating parties.
o Source and destination port numbers: Specifies the application or service
associated with the connection.
o Protocol: Indicates the network protocol being used (e.g., TCP, UDP, FTP).
o Each entry in the state table represents a unique connection, allowing the
IDS to track the state and progress of ongoing communications.

Event horizon:
 In the context of stateful protocol analysis, the "event horizon" refers to the
entire duration of an attack or suspicious activity.
 During an attack, the IDS needs to maintain state information consistently to
effectively analyze and respond to malicious behavior.
 This involves tracking the progression of the attack from its initiation to its
conclusion, ensuring that no stage of the attack goes unnoticed.
 By maintaining state information throughout the event horizon, the IDS can
correlate multiple packets or network events to identify patterns indicative of
an attack.
 Timely detection and response during the entire length of the attack are
essential for mitigating potential damage and minimizing the impact on the
network's security.
Stateful protocol analysis approaches:
 Traffic rate monitoring - If the IDS detects a sudden increase in traffic, it can stop
and reset all TCP traffic.
 Protocol state tracking - The IDS maintains a record of each connection’s state and
allows packets to pass through if they belong to an established connection.
 Dynamic application-layer protocol analysis - Can identify applications not
using standard ports.
 IP packet reassembly - Can reassemble fragmented packets to prevent
fragments from passing through to the internal network.
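The state table and protocol state tracking described above, together with the connection-flooding DoS category from the Network Attacks list, as an added example written for these notes (not code from the notes). The packets are constructed and the TCP state machine is reduced to the handshake stages the notes discuss; the half-open limit of three is an assumed tuning value chosen to keep the sample short.

```python
"""Stateful protocol analysis: a TCP state table over constructed packets.

Added example written for these notes. The packets are constructed, and the
state machine is reduced to the handshake stages the notes discuss (new,
half-open, established, closing); real TCP has more states than this.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: int        # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # TCP flags as letters: "S", "SA", "A", "PA", "FA", "R"


def next_state(state, direction, flags):
    """Legal transitions of the reduced TCP state machine.

    direction is "c2s" (initiator -> responder) or "s2c". Returns the new
    state, "CLOSED" when the entry should be dropped, or None when the packet
    does not fit the connection's current state."""
    if "R" in flags and state is not None:
        return "CLOSED"
    if state is None:                      # no entry yet: only a client SYN may open one
        return "SYN_SENT" if (direction == "c2s" and flags == "S") else None
    if state == "SYN_SENT":
        if direction == "s2c" and flags == "SA":
            return "HALF_OPEN"              # SYN/ACK sent, waiting for the final ACK
        if direction == "c2s" and flags == "S":
            return "SYN_SENT"               # SYN retransmission
        return None
    if state == "HALF_OPEN":
        return "ESTABLISHED" if (direction == "c2s" and flags == "A") else None
    if state == "ESTABLISHED":
        if flags in ("A", "PA"):
            return "ESTABLISHED"
        if flags == "FA":
            return "CLOSING"
        return None
    if state == "CLOSING":
        return "CLOSED" if flags in ("A", "FA") else None
    return None


def analyze(packets, half_open_limit=3):
    """Run packets through the state table and return (alerts, table).

    Alerts are ("OUT_OF_STATE", t, (src, sport, dst, dport), state_seen, flags)
    and ("HALF_OPEN_FLOOD", t, server_ip, pending_count): the connection-
    flooding pattern of many handshakes to one server that never complete."""
    table = {}            # (client, cport, server, sport) -> state
    alerts = []
    flood_reported = set()
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        key, direction = (rev, "s2c") if rev in table else (fwd, "c2s")
        state = table.get(key)
        new = next_state(state, direction, p.flags)
        if new is None:
            alerts.append(("OUT_OF_STATE", p.t, fwd, state, p.flags))
            continue
        if new == "CLOSED":
            table.pop(key, None)
        else:
            table[key] = new
        pending = Counter(k[2] for k, s in table.items()
                          if s in ("SYN_SENT", "HALF_OPEN"))
        for server, n in pending.items():
            if n >= half_open_limit and server not in flood_reported:
                flood_reported.add(server)
                alerts.append(("HALF_OPEN_FLOOD", p.t, server, n))
    return alerts, table


C, WEB, MAIL = "10.0.0.5", "192.0.2.80", "192.0.2.25"
PACKETS = [
    # a complete, well-behaved connection
    Packet(0, C, 40000, WEB, 80, "S"),  Packet(0, WEB, 80, C, 40000, "SA"),
    Packet(0, C, 40000, WEB, 80, "A"),  Packet(1, C, 40000, WEB, 80, "PA"),
    Packet(1, WEB, 80, C, 40000, "PA"), Packet(2, C, 40000, WEB, 80, "FA"),
    Packet(2, WEB, 80, C, 40000, "FA"),
    # data for a connection the IDS never saw being set up
    Packet(3, "203.0.113.5", 5555, WEB, 80, "PA"),
    # three handshakes to the mail server that never complete
    Packet(4, "198.51.100.1", 1001, MAIL, 25, "S"), Packet(4, MAIL, 25, "198.51.100.1", 1001, "SA"),
    Packet(5, "198.51.100.2", 1002, MAIL, 25, "S"), Packet(5, MAIL, 25, "198.51.100.2", 1002, "SA"),
    Packet(6, "198.51.100.3", 1003, MAIL, 25, "S"), Packet(6, MAIL, 25, "198.51.100.3", 1003, "SA"),
]

if __name__ == "__main__":
    found, final_table = analyze(PACKETS)
    for a in found:
        print(a)
    print("connections still tracked:", final_table)
```

The well-behaved connection walks through the table and is removed on close; the data packet with no preceding handshake is reported as out of state; and the third incomplete handshake to the mail server trips the half-open limit, which is the connection-flooding signature a plain per-packet signature cannot see.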

Categories of IDS
IDS in general has three basic types based on its location:
1. Host IDS
2. Network IDS
3. Hybrid IDS

1. Host Intrusion Detection System (HIDS):

A host-based IDS (HIDS) resides on a particular computer or server, known as the
host, and monitors activity only on that system. HIDSs are also known as system
integrity verifiers because they benchmark and monitor the status of key system files and
detect when an intruder creates, modifies, or deletes monitored files.
Most HIDSs work on the principle of configuration or change management, which means
that they record the sizes, locations, and other attributes of system files. The HIDS
triggers an alert when file attributes change, new files are created, or existing files are
deleted. An HIDS can also monitor system logs for predefined events. The HIDS
examines these files and logs to determine if an attack is under way or has occurred; it
also examines whether the attack is succeeding or was successful. The HIDS maintains
its own log file so that an audit trail is available even when hackers modify files on the
target system to cover their tracks. Once properly configured, an HIDS is very reliable.
An HIDS can also detect when users attempt to modify or exceed their access
authorization level. An example of HIDS usage can be seen on mission-critical machines,
which are not expected to change their layout.
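The file-attribute baseline described above (record sizes and other attributes of key files, alert when files are created, modified or deleted, and keep the HIDS's own record outside the monitored tree so the audit trail survives tampering), as an added example written for these notes rather than code from any HIDS product. The directory tree and the changes made to it are constructed inside a temporary directory so the run is self-contained.

```python
"""Host-based IDS core: a file-attribute baseline and change detection.

Added example written for these notes, not code from any HIDS product. It
creates its own small directory tree in a temporary location so that the
whole run is self-contained.
"""
import hashlib
import json
import os
import tempfile


def snapshot(root):
    """Record size, permission bits and SHA-256 of every file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {
                "size": os.path.getsize(path),
                "mode": os.stat(path).st_mode & 0o777,
                "sha256": digest,
            }
    return baseline


def compare(old, new):
    """Classify differences between two snapshots."""
    modified = {}
    for rel in set(old) & set(new):
        changed = [attr for attr in ("size", "mode", "sha256")
                   if old[rel][attr] != new[rel][attr]]
        if changed:
            modified[rel] = changed
    return {
        "created": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": modified,
    }


def demo():
    """Build a sample host tree, baseline it, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "host")
        sample = {                       # constructed sample files
            "etc/app.conf": b"port=8080\n",
            "bin/service": b"#!/bin/sh\necho ok\n",
            "var/log/app.log": b"started\n",
        }
        for rel, data in sample.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, 0o644)

        # The baseline is stored OUTSIDE the monitored tree: the HIDS keeps its
        # own record so the audit trail survives tampering with the host files.
        baseline_path = os.path.join(tmp, "baseline.json")
        with open(baseline_path, "w") as fh:
            json.dump(snapshot(root), fh)

        # Simulated changes on the host
        with open(os.path.join(root, "etc/app.conf"), "wb") as fh:
            fh.write(b"port=8081\n")             # same size: only the hash reveals it
        os.chmod(os.path.join(root, "bin/service"), 0o755)   # permission change
        with open(os.path.join(root, "bin/extra"), "wb") as fh:
            fh.write(b"new\n")                   # unexpected new file
        os.remove(os.path.join(root, "var/log/app.log"))     # deleted file

        with open(baseline_path) as fh:
            stored = json.load(fh)
        return compare(stored, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The edited configuration file keeps its original size, so a size-only check would miss it; the content hash is what catches it. The permission change on the service binary, the new file and the deleted log are each reported under their own heading.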

Advantages of HIDS:
 Can detect local events on host systems, catching attacks that may bypass
network-based IDS.
 Operates directly on the host system, allowing processing of decrypted traffic.
 Unaffected by switched network protocols.
 Can identify inconsistencies in application and system program usage through
audit log analysis, aiding in Trojan horse detection.

Disadvantages of HIDS:
 Require more management effort as they are configured and managed on each
host.
 Vulnerable to direct attacks and attacks against the host OS, risking compromise
of HIDS functionality.
 Not optimized for detecting multi-host scanning or attacks from non-host network
devices without complex correlation analysis.
 Susceptible to some DoS attacks.
 Demand large disk space for retaining host OS audit logs, potentially requiring
additional disk capacity.
 Impose performance overhead on host systems, potentially reducing system
performance to unacceptable levels.

2. Network-based Intrusion Detection System (NIDS):

A network-based IDS (NIDS) resides on a computer or appliance connected to a
segment of an organization’s network and monitors traffic on that segment, looking
for indications of ongoing or successful attacks. When the NIDS identifies activity that
it is programmed to recognize as an attack, it responds by sending notifications to
administrators.

When examining incoming packets, an NIDS looks for patterns within network traffic
such as large collections of related items of a certain type, which could indicate that a
DoS attack is under way. NIDS can detect many more types of attacks than a host-based
IDS, but it requires a much more complex configuration and maintenance program. An
NIDS is installed at a specific place in the network, such as inside an edge router, where
it is possible to monitor traffic into and out of a particular network segment.
Advantages of NIDS:
 Effective network design allows monitoring of large networks with few devices.
 NIDSs are passive and can be integrated into existing networks without disrupting
operations.
 Typically not directly susceptible to attack, making them difficult for attackers to
detect.

Disadvantages of NIDS:
 May struggle to keep up with high network volumes, potentially missing attacks.
 Require access to all monitored traffic, which can be challenging in switched
Ethernet networks.
 Unable to analyze encrypted packets, reducing effectiveness.
 Some types of attacks, like those involving fragmented packets, are challenging
for NIDS to detect.

3. Hybrid Intrusion Detection System

A hybrid intrusion detection system is made by combining two or more approaches
to intrusion detection. In the hybrid intrusion detection system, the host agent or
system data is combined with network information to develop a complete view of the
network system. The hybrid intrusion detection system is more effective in comparison
to the other intrusion detection systems. Prelude or Snort is an example of a hybrid IDS.

Characteristics of IDS
1. ID monitors a whole system or just a part of it.
2. ID occurs either during an intrusion or after it.
3. ID can be stealth or openly advertised.
4. If suspicious activity occurs, it produces an alarm and keeps logs that can be used for
reports on long-term development.
5. A human (administrator) is needed for alarm processing.
6. ID systems can produce an alarm and/or produce an automated response.
Role of Router in IDS
Routers play a crucial role in the broader network infrastructure, and they can contribute
to the effectiveness of an Intrusion Detection System (IDS) in several ways:

 Packet Filtering and Traffic Shaping: By filtering out potentially malicious
traffic before it reaches the internal network, routers can help reduce the workload
on the IDS by limiting the volume of traffic that needs to be analyzed.

 Logging and Monitoring: Routers often have logging capabilities that record
information about network traffic passing through them. IDS can utilize these
router logs as a data source for detecting and analyzing potential security threats.

 Intrusion Detection at the Network Perimeter: Routers are typically positioned
at the network perimeter, making them an ideal location for implementing
network-based IDS sensors. By detecting and alerting on potential threats at the
perimeter, routers contribute to the overall security posture of the network.

 Traffic Redirection for Analysis: Routers can be configured to redirect copies of
network traffic to an IDS sensor or monitoring device for analysis. This allows the
IDS to inspect network traffic without disrupting the flow of data to its intended
destination.

 Threat Intelligence Exchange: Routers can exchange threat intelligence data
with centralized security platforms or threat intelligence feeds. This information
sharing enhances the ability of IDS to identify and respond to emerging threats by
providing context and enrichment to the analysis of network traffic.

Challenges for IDS

Although intrusion detection systems are a valuable addition to an organization’s security
infrastructure, they have strengths and weaknesses, like any technology. Here's a
breakdown of the challenges involved:

 Runtime limitations: IDS may face constraints in processing power or memory,
affecting its ability to analyze network traffic in real-time effectively.
 Specification of detection signatures: Creating precise and comprehensive
detection signatures for known threats can be challenging, leading to gaps in
detection coverage.

 Dependence on environment: IDS effectiveness can vary depending on the
network environment, configuration, and complexity, making it difficult to ensure
consistent and accurate detection across different setups.

 High rate of false alarms: False positives, where legitimate activity is incorrectly
flagged as malicious, can overwhelm security teams and reduce trust in IDS alerts,
impacting overall system performance and effectiveness.

 Compensating for weak or missing security mechanisms in the protection
infrastructure, such as firewalls, identification and authentication systems, link
encryption systems, access control mechanisms, and virus detection and
eradication software.

 Instantaneously detecting, reporting, and responding to an attack when there is a
heavy network or processing load.

 Detecting newly published attacks or variants of existing attacks.

 Effectively responding to attacks launched by sophisticated attackers.

 Automatically investigating attacks without human intervention.

 Resisting all attacks that are intended to defeat or circumvent them.

 Compensating for problems with the fidelity of information sources.

 Dealing effectively with switched networks.

Configuring an IDS to respond accurately to threats is difficult. If it wrongly identifies a
threat and takes action like blocking communication, it can cause serious problems.
Potential Solutions
Data mining: The creation of a complex database used to record data related to
specific activities. From the data generated, a pattern or model is developed by the
knowledge seeker, based on the accumulated data processed by the algorithm
implemented in the front-end application.
Machine learning technique: A system capable of the autonomous acquisition and
integration of knowledge. Example: alert classification into true positives and false
positives.
Co-simulation mechanism (based on a biological immune mechanism): Integrating the
misuse detection technique with the anomaly detection technique.

Alert Correlation
“Correlating alarms”: Combining the fragmented information contained in the alert
sequences and interpreting the whole flow of alerts.

Functional requirements:
– Modifying alarms
– Suppressing alarms
– Clearing active alarms
– Generating new alarms
– Delaying alarms

Existing Methods of Alarm Correlation
 Correlating alerts based on the prerequisites of intrusion: Providing a high-level
representation of the correlated alerts, and thus revealing the structure of a series of
attacks.
 Correlating alerts based on the similarities between alert features: Grouping
alerts into scenarios depending on the number of matching attributes, from the most
general to the most specific cases.
 Alarm correlation based on chronicle formalism: A multi-event correlation
component using IDS alerts as input.
 Probabilistic approach to alert correlation: Providing a mathematical framework
for fusing alerts that match closely but not perfectly.
Implementing IDS

NIST SP 800-94, Rev. 1 provides the following recommendations for implementation:

 Organizations should ensure that all IDS components are secured appropriately.
IDSs are a prime target for attackers. If they can compromise the IDS, they are
then free to conduct unobserved attacks on other systems.

 Organizations should consider using multiple types of IDS technologies to achieve
more comprehensive and accurate detection and prevention of malicious activity.
Defense in depth, even within IDS technologies, is key to detecting the wide and
varied attack strategies the organization faces.

 Organizations that plan to use multiple types of IDS technologies or multiple
products of the same IDS technology type should consider whether the IDSs
should be integrated. Using integrated technologies provides much easier
configuration and administration. Using a common management platform provides
multi-device cross-assessments and reporting.

 Before evaluating IDS products, organizations should define the requirements that
the products should meet. Knowing what you need in an IDS can prevent
purchasing a product that does not solve the organization’s problems, and can save
time and money in the long haul.

 When evaluating IDS products, organizations should consider using a combination
of data sources to evaluate the products’ characteristics and capabilities. Vendors
have been known to “influence” reviews by using friendly reviewers or just
writing their own and posting them to review sites. Finding multiple reviews from
different sources should provide more accurate insight into the strengths and
weaknesses of any technology.

IDS Deployment

As an organization selects an IDS and prepares for implementation, planners must select
a deployment strategy that is based on a careful analysis of the organization’s information
security requirements and that integrates with the existing IT infrastructure while causing
minimal impact. Given the highly technical skills required to implement and configure
IDSs and the imperfection of the technology, great care must be taken when deciding
where to locate the components, both in their physical connection to the network and host
devices and in how they are logically connected to each other.
1. Deploying Network-Based IDSs:

The placement of the sensor agents is critical to the operation of all IDSs, but especially
for NIDSs. NIST recommends the following four locations for NIDS sensors, as
illustrated in the figure:

Location 1: Behind each external firewall, in the network demilitarized zone (DMZ).
This location has the following characteristics:
 The IDS sees attacks that originate from the outside and may penetrate the
network’s perimeter defenses.
 The IDS can identify problems with the network firewall policy or performance.
 The IDS sees attacks that might target the Web server or FTP server, both of
which commonly reside in this DMZ.
 Even if the incoming attack is not detected, the IDS can sometimes recognize
patterns in the outgoing traffic that suggest the server has been compromised.

Location 2: Outside an external firewall. This location has the following characteristics:
 The IDS documents the number of attacks originating on the Internet that target
the network.
 The IDS documents the types of attacks originating on the Internet that target the
network.

Location 3: On major network backbones. This location has the following
characteristics:
 The IDS monitors a large amount of a network’s traffic, thus increasing its
chances of spotting attacks.
 The IDS detects unauthorized activity by authorized users within the
organization’s security perimeter.

Location 4: On critical subnets. This location has the following characteristics:
 The IDS detects attacks that target critical systems and resources.
 This location allows organizations with limited resources to focus on the most
valuable network assets.

2. Deploying Host-Based IDSs

 Proper implementation of Host-Based IDSs (HIDSs) requires customization to
each host system, making it a meticulous and time-consuming task.

 Deployment strategy begins with implementing HIDSs on the most critical
systems first, which poses a dilemma due to the risk of catastrophic consequences
in case of installation issues.

 Practice implementation on test servers resembling mission-critical systems to
gain experience, identify potential problems, and reduce the risk of complications.

 Installation proceeds until all systems are deployed or until the organization
achieves the planned coverage level.

 Each HIDS should be configured to connect to a central management console for
ease of management, control, and reporting.

 Technicians can install HIDSs on offline systems to develop expertise and identify
problems, while users and managers can learn about HIDS operation through a test
facility connected to the organization's backbone.

 The test facility allows HIDSs to process actual network traffic and technicians to
establish a baseline of normal traffic.

 Training scenarios can be developed during system testing to help users recognize
and respond to common attacks effectively.

 The management team can establish policies for the operation and monitoring of
HIDSs to ensure effective and efficient operation.
Future of IDS
 Potential implementation of Artificial Intelligence techniques for alert correlation.
 Multilayer perceptron and Support Vector Machine.
 The probabilistic output of these methods supports the causal relationships of alerts, which
is helpful for constructing attack scenarios.
 Fuzzy Cognitive Modelling.
 A causal knowledge-based reasoning mechanism with fuzzy cognitive modelling is
used to correlate alerts by discovering causal relationships in alert data.

Firewalls
A firewall acts as a security guard controlling access between an internal, protected
network and an external, untrusted network based on a given security policy. Firewalls
can be an effective means of protecting a local system or network of systems from
network-based security threats while at the same time affording access to the outside
world via wide area networks and the Internet. A firewall may be implemented in
hardware as a stand-alone “firewall appliance” or in software on a PC. In addition, many
routers support basic firewall functionality. A single firewall may be adequate for small
businesses and homes. However, in several large enterprises, multiple firewalls are
deployed to achieve defense in depth.
The Need For Firewalls
Information systems in corporations, government agencies, and other organizations have
undergone a steady evolution. Internet connectivity is no longer optional for
organizations. The information and services available are essential to the organization.
While the Internet access provides benefits to the organization, it enables the outside
world to reach and interact with local network assets. This creates a threat to the
organization. While it is possible to equip each workstation and server on the premises
network with strong security features, such as intrusion protection, this may not be
sufficient and in some cases is not cost-effective.

• Consider a network with hundreds or even thousands of systems, running various
operating systems, such as different versions of UNIX and Windows.
• When a security flaw is discovered, each potentially affected system must be
upgraded to fix that flaw.
• This requires scalable configuration management to function effectively.
• This is possible and is necessary if only host-based security is used.
• A widely accepted alternative or at least complement to host-based security
services is the firewall.
• The firewall is inserted between the premises network and the Internet to establish
a controlled link and to erect an outer security wall or perimeter.
• The aim of this perimeter is to protect the premises network from Internet-based
attacks and to provide a single choke point where security and auditing can be
imposed.
• The firewall may be a single computer system or a set of two or more systems that
cooperate to perform the firewall function.
• The firewall, then, provides an additional layer of defence, insulating the internal
systems from external networks.

Firewall Characteristics
The following are the design goals for a firewall:
1. All traffic from inside to outside, and vice versa, must pass through the firewall.
This is achieved by physically blocking all access to the local network except via
the firewall.
2. Only authorized traffic, as defined by the local security policy, will be allowed to
pass. Various types of firewalls are used, which implement various types of
security policies.
3. The firewall itself is immune to penetration. This implies the use of a hardened
system with a secured operating system. Trusted computer systems are suitable for
hosting a firewall and often required in government applications.
Types Of Firewall
A firewall can monitor network traffic at a number of levels, from low-level network
packets either individually or as part of a flow, to all traffic within a transport connection,
up to inspecting details of application protocols. The choice of which level is appropriate
is determined by the desired firewall access policy. It can operate as a positive filter,
allowing to pass only packets that meet specific criteria, or as a negative filter, rejecting
any packet that meets certain criteria. Depending on the type of firewall, it may examine
one or more protocol headers in each packet, the payload of each packet, or the pattern
generated by a sequence of packets. In this section, we look at the principal types of
firewalls.

1) Packet Filtering Firewall

A packet filtering firewall applies a set of rules to each incoming and outgoing IP packet
and then forwards or discards the packet. The firewall is typically configured to filter
packets going in both directions (from and to the internal network).

Filtering rules are based on information contained in a network packet:

 Source IP address: The IP address of the system that originated the IP packet (e.g.,
192.178.1.1)
 Destination IP address: The IP address of the system the IP packet is trying to
reach (e.g., 192.168.1.2)
 Source and destination transport-level address: The transport-level (e.g., TCP
or UDP) port number, which defines applications such as SNMP or TELNET
 IP protocol field: Defines the transport protocol
 Interface: For a firewall with three or more ports, which interface of the firewall
the packet came from or which interface of the firewall the packet is destined for.
The packet filter is typically set up as a list of rules based on matches to fields in the IP or
TCP header. If there is a match to one of the rules, that rule is invoked to determine
whether to forward or discard the packet. If there is no match to any rule, then a default
action is taken.

Two default policies are possible:


1. Default = discard: That which is not expressly permitted is prohibited. In other
words, if the packet doesn't meet the criteria specified by any of the rules, it will
be rejected or dropped.
2. Default = forward: That which is not expressly prohibited is permitted. If the
packet doesn't meet the criteria specified by any of the rules that prohibit its
forwarding, it will be allowed to continue its journey through the network.

 The default discard policy is more conservative. Initially, everything is blocked,
and services must be added on a case-by-case basis. This policy is more visible to
users, who are more likely to see the firewall as a hindrance.
 This is the policy likely to be preferred by businesses and government
organizations. Further, visibility to users diminishes as rules are created.
 The default forward policy increases ease of use for end users but provides
reduced security; the security administrator must, in essence, react to each new
security threat as it becomes known. This policy may be used by generally more
open organizations, such as universities.
 One advantage of a packet filtering firewall is its simplicity. Also, packet filters
typically are transparent to users and are very fast.

The following are the weaknesses of packet filter firewalls:

1. Limited Protection: Because packet filter firewalls do not examine upper-layer data, they
cannot prevent attacks that employ application-specific vulnerabilities or
functions. For example, a packet filter firewall cannot block specific application
commands; if a packet filter firewall allows a given application, all functions
available within that application will be permitted.

2. Restricted Logging Capability: Because of the limited information available to the
firewall, the logging functionality present in packet filter firewalls is limited.
Packet filter logs normally contain the same information used to make access
control decisions (source address, destination address, and traffic type).

3. Limited Support for Advanced Authentication: Most packet filter firewalls lack
support for advanced user authentication methods, primarily because of their
inability to handle upper-layer functionalities.
4. Vulnerability to Protocol Exploits: Packet filter firewalls are susceptible to attacks
exploiting TCP/IP specification and protocol stack vulnerabilities, such as network
layer address spoofing. They often fail to detect altered OSI Layer 3 addressing
information, which is commonly exploited by intruders to bypass firewall security
controls.
5. Configuration Vulnerabilities: The simplicity of access control decisions in packet
filter firewalls makes them prone to security breaches caused by
misconfigurations. Accidentally allowing traffic types, sources, or destinations
contrary to an organization's security policy is a common risk.

2) Stateful Inspection Firewalls (SPI)

SPI firewalls, also called stateful inspection firewalls, keep track of each network
connection between internal and external systems using a state table. A state table tracks
the state and context of each packet in the conversation by recording which station sent
what packet and when. Like first-generation firewalls, stateful inspection firewalls
perform packet filtering, but they take it a step further. Whereas simple packet-filtering
firewalls only allow or deny certain packets based on their address, a stateful firewall can
expedite incoming packets that are responses to internal requests. If the stateful firewall
receives an incoming packet that it cannot match in its state table, it refers to its Access
Control List (ACL) to determine whether to allow the packet to pass.

The primary disadvantage of this type of firewall is the additional processing required to
manage and verify packets against the state table. Without this processing, the system is
vulnerable to a DoS or DDoS attack. In such an attack, the system receives a large
number of external packets, which slows the firewall because it attempts to compare all
of the incoming packets first to the state table and then to the ACL.
On the positive side, these firewalls can track connectionless packet traffic, such as UDP
and remote procedure calls (RPC) traffic. Some stateful firewalls also keep track of
TCP sequence numbers to prevent attacks that depend on the sequence number, such as
session hijacking. Some even inspect limited amounts of application data for some
well-known protocols like FTP, IM and SIPS commands, in order to identify and track
related connections. Dynamic SPI firewalls keep a dynamic state table to make changes
to the filtering rules within predefined limits, based on events as they happen.
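The rule matching, default policy and state table described in the packet filtering and stateful inspection sections above, as an added example that is not part of the original notes. The internal network, the 203.0.113.0/24 addresses and the single allow rule are constructed values for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed example; not from the original notes. 192.168.1.0/24 plays the
# internal network and 203.0.113.0/24 (a documentation range) the Internet.

@dataclass
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp" (the IP protocol field)
    sport: int
    dport: int

@dataclass
class Rule:
    action: str                  # "forward" or "discard"
    src: str = "0.0.0.0/0"       # source network (CIDR)
    dst: str = "0.0.0.0/0"       # destination network (CIDR)
    proto: str = "any"           # transport protocol
    dport: Optional[int] = None  # destination transport-level port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))

class PacketFilter:
    """Stateless packet filter: the first matching rule is invoked; if no rule
    matches, the default policy ("discard" or "forward") decides."""
    def __init__(self, rules: List[Rule], default: str = "discard"):
        self.rules, self.default = rules, default

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default

class StatefulFilter(PacketFilter):
    """Stateful inspection: packets that belong to a conversation already in the
    state table are expedited; anything else is checked against the ACL."""
    def __init__(self, rules: List[Rule], default: str = "discard"):
        super().__init__(rules, default)
        self.state: Set[Tuple[str, str, int, str, int]] = set()

    def decide(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reply = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.state or reply in self.state:
            return "forward"                 # part of a tracked conversation
        action = super().decide(p)           # no state entry: consult the ACL
        if action == "forward":
            self.state.add(key)              # remember the permitted flow
        return action

# Constructed ACL: internal hosts may open HTTPS connections outward, nothing else.
ACL = [Rule("forward", src="192.168.1.0/24", proto="tcp", dport=443)]

def demo(default: str = "discard") -> dict:
    """Run the same three packets through a stateless and a stateful filter."""
    out = Packet("192.168.1.10", "203.0.113.5", "tcp", 51000, 443)   # internal HTTPS request
    back = Packet("203.0.113.5", "192.168.1.10", "tcp", 443, 51000)  # the server's reply
    probe = Packet("203.0.113.9", "192.168.1.10", "tcp", 4444, 22)   # unsolicited inbound
    stateless, stateful = PacketFilter(ACL, default), StatefulFilter(ACL, default)
    return {
        "stateless": [stateless.decide(p) for p in (out, back, probe)],
        "stateful": [stateful.decide(p) for p in (out, back, probe)],
    }

if __name__ == "__main__":
    print(demo("discard"))  # stateless drops the reply; stateful expedites it
    print(demo("forward"))  # default-forward lets the unsolicited probe through
```

With default = discard the stateless filter drops the legitimate reply because no rule permits inbound traffic, while the stateful filter passes it from the state table; with default = forward both filters let the unsolicited probe through, which is the reduced security the notes attribute to that policy.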

3) Application-Level Firewall / Application-Level Gateway

A packet filtering firewall, even with the added functionality of stateful packet
inspection, is still severely limited. It understands the network and transport layer headers
but is indifferent to the application being run. What is needed is a firewall that can
examine the application payload and scan packets for worms, viruses, spam mail, and
inappropriate content.

A special kind of application-level firewall is built using proxy agents. Such a “proxy
firewall” or “application proxy” acts as an intermediary between the client and server.
The client establishes a TCP connection to the proxy and the proxy establishes another
TCP connection with the server. To a client, the proxy appears as the server and to the
server, the proxy appears as the client. Since there is no direct connection between the
client and server, worms and other malware will not be able to pass between the two,
assuming that the proxy can detect and filter out the malware. Hence, the presence of the
proxy enhances security.
 The gateway/proxy can be configured to support only specific features of an
application that the network administrator considers acceptable while denying all
other features.
 Application-level gateways tend to be more secure than packet filters. Rather than
trying to deal with the numerous possible combinations that are to be allowed and
forbidden at the TCP and IP level, the application-level gateway need only
scrutinize a few allowable applications. In addition, it is easy to log and audit all
incoming traffic at the application level.
 A prime disadvantage of this type of gateway is the additional processing
overhead on each connection. In effect, there are two spliced connections between
the end users, with the gateway at the splice point, and the gateway must examine
and forward all traffic in both directions.

4) Circuit-Level Gateway

A fourth type of firewall is the circuit-level gateway or circuit-level proxy. This can be a
stand-alone system or it can be a specialized function performed by an application-
level gateway for certain applications.

 Unlike an application gateway, a circuit-level gateway does not permit an end-to-
end TCP connection; rather, the gateway sets up two TCP connections, one
between itself and a TCP user on an inner host and one between itself and a TCP
user on an outside host.

 Once the two connections are established, the gateway typically relays TCP
segments from one connection to the other without examining the contents.
The security function consists of determining which connections will be allowed.
A common scenario for employing circuit-level gateways is when the system
administrator has trust in internal users. In such cases, the gateway can be set up to
facilitate application-level or proxy services for inbound connections while using circuit-
level functions for outbound connections. In this configuration, the gateway can incur
the processing overhead of examining incoming application data for forbidden
functions but does not incur that overhead on outgoing data.

 An example of a circuit-level gateway implementation is the SOCKS package.
 SOCKS is a protocol for client-server applications to securely use network firewall
services.
 It acts as a middle layer between the application and transport layers.
 SOCKS operates on TCP and UDP domains but does not handle network layer
gateway services like ICMP forwarding.
 Clients connect to the SOCKS server on port 1080 to establish a connection.
 After connecting, the client negotiates authentication methods and sends a relay
request.
 The SOCKS server evaluates the request and either allows or denies the connection.
 UDP exchanges follow a similar process, with TCP connections used for
authentication before transmitting UDP segments.
 The TCP connection must remain open for UDP segments to be forwarded.
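The SOCKS negotiation and relay-request steps listed above, worked as an added example that is not part of the original notes: the server side of a SOCKS5 exchange (RFC 1928) run over constructed byte strings rather than a socket on port 1080. The "allowed ports" policy, the host names and the zeroed BND fields in the reply are assumptions for illustration.

```python
import struct
from typing import Tuple

# Constructed example, not code from the notes. Field layouts follow RFC 1928;
# the relay policy (ALLOWED_PORTS) is an assumption used to show a deny decision.

SOCKS_VERSION = 0x05
METHOD_NO_AUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCESS, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07

ALLOWED_PORTS = {80, 443}   # constructed policy: only web traffic may be relayed

def negotiate_method(greeting: bytes) -> bytes:
    """Client greeting: VER | NMETHODS | METHODS. Server reply: VER | chosen METHOD."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    nmethods, methods = greeting[1], greeting[2:]
    if len(methods) != nmethods:
        raise ValueError("method list length mismatch")
    chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in methods else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])

def parse_request(req: bytes) -> Tuple[int, str, int]:
    """Relay request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT -> (cmd, host, port)."""
    if len(req) < 8 or req[0] != SOCKS_VERSION or req[2] != 0x00:
        raise ValueError("malformed request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        host, off = ".".join(str(b) for b in req[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, off = req[5:5 + n].decode("ascii"), 5 + n
    else:
        raise ValueError("unsupported address type")
    if len(req) != off + 2:
        raise ValueError("bad request length")
    (port,) = struct.unpack("!H", req[off:off + 2])
    return cmd, host, port

def evaluate_request(req: bytes) -> bytes:
    """Apply the relay policy and build VER | REP | RSV | ATYP | BND.ADDR | BND.PORT.
    BND fields are zeroed here; a real server returns the address it bound."""
    cmd, host, port = parse_request(req)
    if cmd != CMD_CONNECT:
        rep = REP_CMD_UNSUPPORTED          # only CONNECT is handled in this example
    elif port in ALLOWED_PORTS:
        rep = REP_SUCCESS                  # server allows the relay
    else:
        rep = REP_NOT_ALLOWED              # "connection not allowed by ruleset"
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + bytes(4) + struct.pack("!H", 0)

def connect_request(host: str, port: int, cmd: int = CMD_CONNECT) -> bytes:
    """Build a client request carrying a domain-name address (constructed helper)."""
    name = host.encode("ascii")
    return (bytes([SOCKS_VERSION, cmd, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))

if __name__ == "__main__":
    print(negotiate_method(b"\x05\x01\x00"))                               # b'\x05\x00'
    print(evaluate_request(connect_request("www.example.com", 443))[1])    # 0: allowed
    print(evaluate_request(connect_request("www.example.com", 22))[1])     # 2: refused
    print(evaluate_request(connect_request("www.example.com", 443, 2))[1]) # 7: BIND unsupported
```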

Bastion host
It is a system identified by the firewall administrator as a critical strong point in the
network’s security. The Bastion host serves as a platform for an application level and
circuit level gateway.
Common characteristics of a Bastion host are as follows:
 The Bastion host hardware platform executes a secure version of its operating
system, making it a trusted system.
 Only the services that the network administrator considers essential are installed
on the Bastion host.
 It may require additional authentication before a user is allowed access to the
proxy services.
 Each proxy is configured to support only a subset of the standard application's
command set.
 Each proxy is configured to allow access only to specific host systems.
 Each proxy maintains detailed audit information by logging all traffic, each
connection and the duration of each connection.
 Each proxy is independent of other proxies on the Bastion host.
 A proxy generally performs no disk access other than to read its initial
configuration file.
 Each proxy runs as a non-privileged user in a private and secured directory on the
Bastion host.
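The application-level gateway section above and the bastion host characteristics just listed (command subset, specific hosts only, detailed audit logging) worked as one added example that is not code from the notes: an FTP proxy that relays only a read-only subset of commands. The server name, the command subset and the stub server's replies are constructed placeholders so the block runs offline.

```python
from typing import Callable, Iterable, List, Set, Tuple

# Constructed example, not code from the notes. "ftp.internal.example" and the
# stub server are placeholders standing in for a real host behind the proxy.

class FtpProxy:
    """Application-level proxy: the client talks only to the proxy, which relays
    a permitted subset of FTP commands to an approved server and logs everything."""

    def __init__(self, allowed_commands: Set[str], allowed_servers: Set[str]):
        self.allowed_commands = allowed_commands
        self.allowed_servers = allowed_servers
        self.audit: List[str] = []          # detailed audit trail, one line per event

    def connect(self, server: str) -> bool:
        """A proxy is configured to reach only specific host systems."""
        ok = server in self.allowed_servers
        self.audit.append(f"CONNECT {server}: {'allowed' if ok else 'refused'}")
        return ok

    def handle(self, line: str, server: Callable[[str], str]) -> Tuple[bool, str]:
        """Relay one command line. Returns (relayed?, reply sent to the client).
        Commands outside the allowed subset are answered by the proxy itself and
        never reach the server, so the second, spliced connection only ever
        carries commands the administrator considers acceptable."""
        verb = line.strip().split(" ", 1)[0].upper()
        if verb not in self.allowed_commands:
            self.audit.append(f"REFUSED {verb}")
            return False, "502 Command not implemented by proxy"
        reply = server(line)                # forwarded over the server-side connection
        self.audit.append(f"RELAYED {verb} -> {reply.split(' ', 1)[0]}")
        return True, reply

# Read-only subset of the FTP command set (no STOR, DELE, RNFR/RNTO, SITE ...).
READ_ONLY = {"USER", "PASS", "PWD", "CWD", "TYPE", "PASV", "LIST", "RETR", "QUIT"}

def stub_server(line: str) -> str:
    """Constructed stand-in for the real FTP server behind the proxy."""
    verb = line.split(" ", 1)[0].upper()
    replies = {"USER": "331 Password required", "PASS": "230 Logged in",
               "RETR": "150 Opening data connection", "QUIT": "221 Goodbye"}
    return replies.get(verb, "200 OK")

def run_session(server_name: str, commands: Iterable[str]) -> List[Tuple[str, bool, str]]:
    """Drive a client session through the proxy; returns (command, relayed?, reply)."""
    proxy = FtpProxy(READ_ONLY, {"ftp.internal.example"})
    if not proxy.connect(server_name):
        return [(server_name, False, "421 Service not available")]
    transcript = []
    for cmd in commands:
        relayed, reply = proxy.handle(cmd, stub_server)
        transcript.append((cmd, relayed, reply))
    return transcript

if __name__ == "__main__":
    session = ["USER alice", "PASS s3cret", "RETR report.pdf",
               "DELE report.pdf", "STOR upload.bin", "QUIT"]
    for row in run_session("ftp.internal.example", session):
        print(row)   # DELE and STOR come back with 502 and are never forwarded
```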

Configuring and Setting Up Firewalls


There are 3 common firewall configurations.
1. Screened host firewall, single-homed bastion configuration
2. Screened host firewall, dual homed bastion configuration
3. Screened subnet firewall configuration

1. Screened host firewall, single-homed bastion configuration

 In this configuration, the firewall consists of two systems: a packet filtering router
and a bastion host.
 Typically, the router is configured so that for traffic from the internet, only IP
packets destined for the bastion host are allowed in.
 For traffic from the internal network, only IP packets from the bastion host are
allowed out.
 The bastion host performs authentication and proxy functions.
 This configuration has greater security than simply a packet filtering router or an
application level gateway alone, for two reasons:
o This configuration implements both packet level and application level
filtering, allowing for considerable flexibility in defining security policy.
o An intruder must generally penetrate two separate systems before the
security of the internal network is compromised.
 Imagine you have a house with only one entrance, and there's a security guard
stationed there. This security guard checks everyone who enters the house. In this
setup, your house is like your network, and the security guard is your firewall.
 The firewall (security guard) inspects all incoming traffic from the internet (people
trying to enter the house) and only allows authorized traffic (people with proper
identification) to pass through to the internal network.
 This configuration is called "single-homed" because the firewall has only one
network interface connected to the internal network (your house).

2. Screened host firewall, dual homed bastion configuration

In the previous configuration, if the packet filtering router is compromised, traffic could
flow directly through the router between the internet and the other hosts on the private
network. This configuration physically prevents such a security break.
 Now, imagine you have a house with two entrances: one facing the street and
another facing a backyard. There's a security guard stationed at each entrance.
 In this setup, one security guard checks incoming traffic from the street (internet),
while the other checks traffic from the backyard (a trusted network, such as your
workplace network).
 Both security guards only allow authorized traffic to enter the house, ensuring that
both external and internal traffic meet security requirements.
 This configuration is called "dual-homed" because the firewall has two network
interfaces—one connected to the internet and the other to the internal network.

3. Screened subnet firewall configuration

In this configuration, two packet filtering routers are used, one between the bastion host
and internet and one between the bastion host and the internal network. This
configuration creates an isolated sub network, which may consist of simply the bastion
host but may also include one or more information servers and modems for dial-in
capability. Typically both the internet and the internal network have access to hosts on
the screened subnet, but traffic across the screened subnet is blocked.

 Imagine you have a house with a front yard, a fence, and a backyard. The front
yard faces the street (internet), the backyard is your internal network, and the
fence is your firewall.
 The firewall (fence) separates the front yard (internet) from the backyard (internal
network) and inspects all traffic passing through.
 Additionally, there's a guard stationed at the gate of the fence who checks
incoming traffic from the street (internet) before allowing it into the backyard
(internal network).
 This configuration creates a "screened subnet" or "demilitarized zone (DMZ)"
between the internet and the internal network, providing an extra layer of security
for servers or services that need to be accessible from the internet while keeping
the internal network protected.

This configuration offers several advantages:

 There are now three levels of defense to thwart intruders.
 The outside router advertises only the existence of the screened subnet to the
internet; therefore the internal network is invisible to the internet.
 Similarly, the inside router advertises only the existence of the screened subnet to
the internal network; therefore the systems on the internal network cannot
construct direct routes to the internet.

Examining Firewall In The Context Of IDS


IDSs and Next-Generation Firewalls are both network security solutions. What
differentiates an IDS from a firewall is its purpose.

 An IDS device monitors passively, describing a suspected threat when it's
happened and signaling an alert. IDS watches network packets in motion. This
allows incident response to evaluate the threat and act as necessary. It does not,
however, protect the endpoint or network.
 A firewall monitors actively, looking for threats to prevent them from becoming
incidents. Firewalls are capable of filtering and blocking traffic. They allow traffic
based on preconfigured rules, relying on ports, destination addresses and the
source.
 Firewalls reject traffic that does not follow firewall rules. However, if an attack is
coming from inside the network, the IDS will not generate an alert.

Network Intrusion Prevention


Intrusion Prevention System (IPS): a system capable of automatically responding
to a detected intrusion and preventing it from successfully attacking the organization by
means of an active response.

A current extension of IDS technology is the intrusion prevention system (IPS), which
can prevent an intrusion from successfully attacking the organization by means of an
active response. Because we seldom find an IPS that does not also have detection
capabilities, the term intrusion detection and prevention system (IDPS) is commonly
used.
• Intrusion prevention systems are regarded as an extension of Intrusion
Detection Systems (IDS) because both IPS and IDS monitor network traffic and
system activities for malicious activity.
• IPS typically record information related to observed events, notify security
administrators of important observed events and produce reports.
• Many IPS can also respond to a detected threat by attempting to prevent it from
succeeding. They use various response techniques, which involve the IPS stopping
the attack itself, changing the security environment or changing the attack’s
content.

How Does an IPS Work?


Intrusion prevention systems work by scanning all network traffic. There are a number of
different threats that an IPS is designed to prevent. The IPS performs real-time packet
inspection, deeply inspecting every packet that travels across the network. If any
malicious or suspicious packets are detected, the IPS will carry out one of the following
actions:
 Terminate the TCP session that has been exploited and block the offending source
IP address or user account from accessing any application, target hosts or other
network resources.
 Reprogram or reconfigure the firewall to prevent a similar attack occurring in the
future.
 Remove or replace any malicious content that remains on the network following
an attack. This is done by repackaging payloads, removing header information and
removing any infected attachments from file or email servers.

Types of IPS
There are two main types of IPS:
• Network-Based IPS: A Network-Based IPS is installed at the network perimeter
and monitors all traffic that enters and exits the network.
• Host-Based IPS: A Host-Based IPS is installed on individual hosts and monitors
the traffic that goes in and out of that host.
Why Do You Need an IPS?
An IPS is an essential tool for network security. Here are some reasons why:
• Protection Against Known and Unknown Threats: An IPS can block known
threats and also detect and block unknown threats that haven’t been seen before.
• Real-Time Protection: An IPS can detect and block malicious traffic in real-time,
preventing attacks from doing any damage.
• Compliance Requirements: Many industries have regulations that require the use
of an IPS to protect sensitive information and prevent data breaches.
• Cost-Effective: An IPS is a cost-effective way to protect your network compared
to the cost of dealing with the aftermath of a security breach.
• Increased Network Visibility: An IPS provides increased network visibility,
allowing you to see what’s happening on your network and identify potential
security risks.

Detection Method of Intrusion Prevention System


• Signature-based detection:
Signature-based IPS inspects packets on the network and compares them with
pre-built, predetermined attack patterns known as signatures.

• Statistical anomaly-based detection:
Anomaly-based IPS monitors network traffic and compares it against an
established baseline. The baseline identifies what is normal for that network
and what protocols are used. However, it may raise false alarms if the baselines
are not intelligently configured.

• Stateful protocol analysis detection:
This IPS method identifies deviations of protocol state by comparing observed
events with pre-built profiles of generally accepted definitions of benign
activity.

IPS System Configuration


1. Define security policies: Identify security goals, threat types, acceptable network
behavior, and compliance needs.
2. Choose deployment mode: Decide if the IPS will actively monitor in-line or
passively analyze out-of-band network traffic.
3. Configure network interfaces: Set up IPS network connections with proper IP
addresses, subnet masks, and gateway settings.
4. Update signature database: Regularly refresh the IPS signature database for the
latest threat intelligence.
5. Define signature policies: Specify the types of threats to detect, sensitivity levels,
and blocking actions.
6. Set up alerting and logging: Configure mechanisms to alert administrators and log
IPS events for analysis.
7. Configure blocking actions: Define actions for the IPS to take upon detecting
threats, such as blocking traffic or sending alerts.
8. Implement bypass mechanisms: Establish bypass systems for continuous network
connectivity during IPS maintenance or failure.
9. Test and validate configuration: Thoroughly test the IPS in a controlled
environment to ensure effective threat detection without disrupting normal traffic.
10. Monitor and fine-tune: Continuously monitor IPS performance, adjusting settings
and updating policies to adapt to changing threats and network conditions.
