UNLT FIREWALL & TNTRJSTON Ig M

A DETECTION BysTEMTO
4l FREkIALL
41.1 Need of PPoeupal '4M I4
APrebal can be havd1ogre. Softeare or 9 Cormbfnafon
Cf botb, which atl rspecf neteocok traffc passtrg
of
though t Cnd ether qccept oo the mesaf
|based on q set of ules.
The Facoal s q parttfon betoen prfvate Cbustd)
nekoosks qnd publrc (un-usted ) netoork and tt
All spect a t oPl Inspect ll toaPfrc Cpacke)
ich Ps passing ttrough tt.
o s eecive means of protectnq q system og
Netoosk fromn network-based threats cnd at the
Same me tshould qllouos for accessing the
outsde oorldvq
Oorl Wrde
ofde rcq netoorks & fnterhet.
"A frenall s aluays placed at Netorok statety
ateoay Sever to porotect the Pntearal sorce
a potvate netcork foom the publsc netwok.
In qn Orqantsatton they tnstall rreoal| to prevent
OutsiderS Foom cesstig ts on pofvate dat
eSOyTces qnd tu kl| allow thetr employees to
qcçess outsiale PesosTces.
FraoqllAM Conhol the outside'esourcesfbat
Oganl zattbn's employees qt accesstnid27ag
Aorking of frrewau s simtla to q0ujer poqram
-B Oea ntnes each netoork packet to defeme
khether, to, fbrwong 0r

hot.

clAsSMAte PAGE
 DATE

Server
A foewall Cun woTk wth 9 proy
Jhth makes requsts on behalf f hÝrk
Work
Statton ysers n q netoork.
Nomally, a fryecall ts fnstalledfromfnspecal
the netoonk
CompuBet qnd t ts separaBed
hence, the fncomtng dequas cant enter
at Prtvaté netoork esources.
dhrectBy
Bodls
Al toafrc must ass thaouqh the fruall efther
from fnstde to outstde qnd Vce versq. This
s qcfeved by physrcaly blockfng all qcess
to, the loca) netoork except viq the frewal

Only cuthetized ofc Whtch is deftned by the

loch sec oity polfcy wll be allowed to
pass thuugH tho4qh the frrcwal).
aIHeren types of fruoals wtll frmplement
dtfferent ypesof secutty poltcies.
The Frewal fselp s fomyne to penetraHoD.
biond (Proleted) nework Eclera tunfwte
(GA- enleepvist o) netoor k(egIntee

cassMate PAGE
 DATE

1 PACKET FILTERC4P
A outes qs part of 9 frrcoall USually Pertorns
packe+ Fl+eofng to
A packet frlktnq route appltes q set of Tyles
each qnd erery Pncomfrd TP packet qnd then
dectdes eftherto foowotd os dscaad the packet
Tprcaly the souter ts Conftqused te frlter packets
dotng tbwges qnd Comfng Pom the fntrnal n/w.
PrlHeraion ules qe based on fnfomakion of q
netoortk packet.
Source TP qddoess: The Ip addess of the Systes
kho qeneates the IP packet.
Qestinaon TP qddvess he IP qddacss of the other
system Ahee the IP pqcket fs toyoq to eqch.
Source, arnd Bestnatton trgnsport-(eye qddess
The transpot leyel pot number TCP r UDP to
detne applfcatons suc qs SNMP oT TELNET.
"IP Profocol feld : Tt tells the toanspoat protecol
Tnterface fs fo q oouter oho uses thre og moo
ports focom ohfch nterface the packet eame
ohích ntes4ace the pqcket Ps destt ned
for.

Facke
nenet Piva
Nekoork

PAGE
classMate
 DATE

Hgb Gpond

-itcuty ef seMo up of packet fMtoâng

mes
- Lack of Authenicakon.

2 Batefu Packet Prler T4M]

r4l
L Stedefw pocket prlHes undestand oqust and
ePly syston.
yUsuaty the ules of setepel packes qoc speche
only fo he frest packet to one dtaection, 8
thehnew rue s
the fst
Ceated
outboned packe
yoaatcally ate
b All other Padke fn the Comrmunfcatton ce theh
proressed qutmyatcally
Stadefu foewall Can SUppoot for q wider
7ange of paotocols rke fTP, IRC Or H323.

Puekeh paLket Incomlng

cllouc packe!
e.

Prolecked Nho gRéallooèd paakds:

clAsSMate dfscasded PAGE

F: statefu pauket katnd

 DATE

LAn applcaon-leve Gatenkxy fs also knoun as prozy Ser ves.

ver
Thiss beause tqchd ke dd Proccy and
about the flo' of appltcafn Jevel' toaftc
bAn nlernal User Cantgds the applcatPon level gansy
ustnq TSIP applfaton, suk as Telnet c FTPoHfTP
TheTapeheatTon level qateoay ofll aks the wer/ host
qbout the emote host th whfch the he Wants q
Connecton forommurfcaton. Sla
Hhen the user proytdes all fnfoan-ton (Pke val? user ID
and quthentccfon nforncton, thu goteDay +Cantacs
the cpplfcateon on the ernote hus qnd 'ocay TeP
seqments Cantafnnq the appl cafkn dat betuween too
endponts.
The seryfce s not supPoo Hed qnd cannot be toougaded
qCrOSS the ffrcal, the ateuay does not Pmplemen
the pooy code for
4 q spectt apdtatton.
Bererel tha qateuzy qac Confrqud to suppot
eateses thot te nehuook dmtntsa
ony
tott consides qceptalale wle deryfrg al other
featuoes
b An applicason level gaeacay
lHoftod. Ffs very àsy to cucdo al

I} has hrah Secustty than packet PlHetrg. o

needs to Soryintze q few qllauate appltcakons.
to
inconn
PAGE
clAsSMate.
 DATE

Applfcaton- leve
gateuay
TELNET TosRle
Copmecton FTP
SMTP Connecte
oustde (HTTP Tnstde
Host tost

fe?: Aeoicafton Level Gateu

es.adntades The addion ovehegd fo each
ConnecPon because there qt t0o
two Separate
Connectfons between the end IS and wb
the gatey. The qateway shuujd
fo7uoral toc fn bolh drectens

4Cneu Gatens
o I Can be q specialtz Aucten hot perfoams an
applFcalton evel gatway or Ceriain' aplicattcs.
I W?) not qllow qn ed- to- end TCP Connechon,
but Pt il set up too TCP connectPons3os
- One betoeeh a TCP User oh qn PnDex host
and q gadeutny
- One bekoeen Ua gateoay qre q TeP iSer on
qn outsde host.

clAsSMAte PAGE
 DATE

Dter establfshng Ahe Au0o Connectons, he aBevoay

pansmfts the tP Senenls forom one Connectord
to anothe othout exgmtntnd the contets.
The Gecuty functon Wal theck ahrch connecton
S allowed.J
The user of crcut level caBeays sttuatron,
Where the System admt niShutor fausts the fnter!
Users.

C?rait -\evel
outsfde
2connedfon ou
elo
ou
TeteH
6ut) L- connecron

B): cYrcaj} tevel cateaay

The gatsay Can be conttquznd to suppor appltcaton ud
con be nlbound Conneckton8 qnd Csul
0T procy seufce on
Jevel fucrons fo outlbound Connecfons.
Ih thfs, gatuoay qcqufre the the processtnd
overhed ofo ecdmntnd Prcoming applfcutn qat
for prohibrBed unctore but does no that acqulre
datq.
0verheod on
oulgetog

PAGE
classMate
 DATE

4R Fireuall poltctes, Conftguraton,Ltmaton

42.1 Frekjal! Polites

FPotuoal poltcies allow al type of toaffe bu!

block Some SeaVPCe IPke telnet/SNMp, and
those qot Used by qn atacker
PoTt umbes
ResbfcHve polfctes block all tofe passinq through
drtdsetd
alou) onhy- toaktc obrch
ffreul! and aow
on
Suth as HITP, POP OsMTP, or SSH
everythinq tha
The mast seue opfon' s bock omeone
{s susprefous and dffer complanin"by
yo can aloo tbe protocols.
Fe oal rule Set
Copmnunicale
allows HTTP,FTP, sSH, DNS potocol to
from ftesna) neftoos td-9nkone to ma
Ds sMTP pootecol to Communfcale
Alows

Alloos sMtp qnd DNs protocol to Communfate

from mafl server
Allows SMTP and Pop3 pootocols to communTaut
foom fnsPde to mas Sesver.ansttoa
Fsrewal! allos only 7eplay packehs.
PPveupal) can bl ock eVerything else,
busyrov

clAsSMAte PAGE
 DATE

422 Confquraton
o A ffoeil! s q combfnaBon of packet flkr and
applrcaton level gaBecoy. Based On these, theze
thrté) types f cfrguealfon 3.
frrewall
Cbnfgurons.
Screened Hos Grened Host Streened
Artaoal), St ng le Fhreuoall,Bya sybn e
Homed Beslfon Homed BasPon Preual

fit sereenat ttost freoal

StnteHomee Bastion. oi

3 Screehed tost frenoall Stngle -Homed Pasitao

Freoal Conffguogtfon Conssts of to rrts
0 o packeY frlter r0ter.
applrcaion Level gtuoay.
+A packe flHes v0ter tll ehsue thot the
toarc Ps allouwed only ff P 's întendedfo the
examintng the desnarcn
applfcatron qateoayby exainfog
addoess fe
address fed ofUedch ncooig I? peket.
2+ oPl| dlso ensured thatO the outqoing too}fc is
aßooed only f Is oginated foo opplicaftorn
level gataty by eqnihtog the Souvce adres
reld öf evéry otgoing 1P packet.
quteary patorms quhantcakon qs
An aplfcadion"levelqaes
oel 'as pry functfirls
classMate PAGE
 DATE

Aritcalton Gatecoy

HTTP
-tr
SMTP
FTP
TELNET

Inetnal' hefwork pe!

fq: Sioqle,,Horodgastoi

|Adantagcs
rapys Secuaily of the ntoork by prfoming
cheks at both lerels- packet and applicafon
level.
- I pzovde flertbilPhy to tbe netcork amtnisbdor to
defbe movt Stcurty polfcres
2savanloqe
Trkeona uses qrt Connecled to the applrantforn
0s wel as pocket fer 00uder, So, f hy FoQ
the packe flter aHqcked then the öboleofe
fotrnl neteoorkpS rposed toi the attaoker. 9Y
blst

classMate PAGE
 DATEO
DATE

Qual Home Bastron

To elnotnate the cLolback of 3cened Hos frrecoal!
system (Single tom hnston Fost), Serened Host
Freoa Sytem (Bua)- Home bastto host) fs
Topnend
hosf has
Jn thts Poeoal systerp. tobere 4 basFonokeapal
Huoo netoork cds - One is (sed for
fonncton tOPth the 0utes
In thfs case even f the roue qot compaomfsed
he ipteana network ofll eman unaffccted
Since 4 fs fn the separate netoork 2one
This Coq4aatfon phystoaly separdBes the eeteona
and fnonal neoorks
The packet Prlkectng oouker
Compaorised
Tooffrc befeoren the fotenet dnd othes host on the
Pstvak neok hs to flow though tbe bastfon host.
rtact TPackut
Apitcto Gateony
H1Tp
SMTP Tatene
qetNET,
Tbdeshgl netoookolel

PAGE
classMAte
 DATE

Adantgges
Bual Homed hosts can povvide a Very btblevel of
Conbol
Que to ala ome bostton bost, the fhora n/
kf) oemain unaffeced since
netk zone.

Du-honec batop host got epensfvethan

sfoqle homed bstfon host
aScrcened Subnet FPreoal)so)
TS fs one of tbe most secytd Pfreoall Conf
qualfons.
In tthts Confouoateon, uo packet- frlteotnd voutes
ge lgeoone beteoeen btfon ! bost gd the
oteonet and one betoeen +be basion host and
Hhenterrdl netoook.
fthts contqure lfonCeals an solated sub- Mo
cobich may Consst of sPnply tbe bas-fon host
but mayhlso include
Servess and rhate S foo dial-to- capabB Itty.
Typfralyboththe ntnet qnd +be freebal
!

nefeooskbaye docessto hass on the btreened

subnet, bud taofrc
tootc qcrosS
qcTSS the screened
Subnet s blocked. ott01

clasSMAte PAGE
 DATE

facket
HTTP
L SMTP
FTP
T6LNET
PackaB frlHkx
Afoltukn
ndtnal nekoonk
fiq& &coeenedOubnef frzeunl.

Advankada
Tbee keveb of defenebe fo thugrt fobuders
The fnstde uter ddvesttses onhy the ertstance
onhy
o the Screened subnet to the Uintern network.

The confftqura lfon canno Pootect the toansfer of

Vfous fofeed Proqms.
FIlteging done b soPHore's froeuoal! Can decride
45ers sstem's peofoomahce.

elassmate PAGE
 DATE

4.R Rlheulal LhotaPon

Countti knoon hvehts
4

ebeicaioinds Can qdapt: bfrCniminals

t¡n exploit Conftquratfon 0T, rod loop
sienaypted tooci to bide
holes Use
malftous actvites
Qe ine
Sata engfneertng, aHacks : frreoallsatadks, such
ectve qgainst soctal engneerfn
qs phiskhq odeidual úsens
dhtch tonge
Ipabflrty to deect all types o atacks :
Prewal mfght not be able to Tdebtff/ more
(ormplex atacks |gke zeo-coy Vulneabiltes
qdvanced Peasisten ttoeats (APTS) and Sacal
enqfneesinq atack.
Useas Can bypass the Joeuoad] : ffseucal) (un
no poeVent uSers qHacker foom draltng
fn to oT Du of e intona netoosk.d'

passuo7d poltcy : Preoals Canno enforce

pAssord po litfes Prevent misuse of
Pass oordg
eralcfous cde &FrtOdlls Cannot Stop intrndl
Usas oom accessinq AebsHes oith malftous
code.
clasSMAte PAGE
 DATE

CompablHy
Issyes
fsys: feuwrdl/ Com C ae
Vendoss
Compat
LDhen s cting

DMZ (Berdltr'zd Kone) -4m

0 Small
smal netoork
fnstoted gs
patvate netooztk
neutocy Zone"
and the eustde Companys
publfc netbok.
oublde sRrS
to q Cornp4ny's dat sevesA DMz ß an
ophona Seaue approaxh to q
qd as 4
Berver.

The typfaa080 Doz Corfquaation hes 4 Sepanate

Compuft host n neooa ohfch'ieves
Yom rS oithin the tvae nekoork
4 oeh Stte or tte publfc nettoork

Toen OPk host ioifates Gessiors for such

ON the pabltc neeoot tobich Geves
tts but f4 fs nano aoe
aole to ntate q ses?on
back nto he Poiate netoojk on
packes ohh bas been ruuted

-|The pblfc netooks es wbo (ar outstde the

Compaty Ca qccess has
classate PAGE
 DATE

Tbe publtc nedokk ysers who de outside

the Can aeccis enly the pmz hoc
I can sor be Companyb web pages wbtch
to tbe
Can be served t0

Henct, Dr2 Cant qfve qeces to other Conpan

data.

Toknal pvaer 2+01

tttt

DM 2

clASSMAte PAGE
 DATE

A3 ntnston Beacon Ssern (Ibs)

431TDS
Inbuston Betecton is the pooaess f montofng
ot the evert
oo netecork happentg
Totusfon Belecton paocess qnalyzes them or
posstble încidents, ohtch qat tbrgts
Computr Secuoty Poltctes standard Seuity
Ppackkes U
qeceptable yse polictes.
An inbusion Qetecton sgem (Ibs) is Same
hoyse a case of an
fobusfon the Ips
System w qoovide Sorme

An TDS oatehs thu Gunoundn g bchvityand ttes to

Tdenhtfy ndeirabie ackvty
The mahn purpose of 0s Pss to
to dcnt1fy Suspeceus
which deviatefrom nomal
mabdouSdclasi
|sahavioys, caliog ; Kând classily' thejiachvcty
possi ble thun eoy te the chvity
(and

clAsSMAte PAGE
 DATE

Host Based ns
The examire mail
atvihy on
Tndividual Sjstem Ike qo dlt
Web seryex orfndividua PC

4 Concerned only wth individual system

qrd usally hau n0 ViSTbPITHy Potothe
Dthe nefwok ox Sfstem qround
NefwoTk Based IDS
ote The examine qcttvity
on the network selt. Tt hasvistbi lPty only
foto tte trotc monftoofn # Cxosstng the
netoork Ink & typtcally bas no fded o
ohat happentng o0 Pndivtdua system.
Cormponens o Ds

atabase
Netoosk Analyspo
Colleater Engthe Inkaat

Lod Repos
Prles
PAGE
 DATE OL
1 TrayiC Collectoi
Tt is ysed to collec the traktte qctvity os event
the eVcnt Can dualt Ales'or fohHc
be loq fties dH+
Cominq Jeaying
3 Analysis Endtne
Mtsuse deecteon
AnomaUy detecion
Exqmine atthe netwot trattc campared ot
koany tsh4 patD of Suspicious malcrous actvfhy.

8 Srcndtyot Eatabase
Storts collecton of pathen cn and defnaton
of knouQS malciow' or Susptcho us qctuity

1
to. provide Interfhce tobuais element
Pro vide altet whuvez requuscd.

4a2uheo bi liy Assessment

ONehoork scanning' Lguntifyng epen ports, savkees and
9 Thre Beecton Aauulin
defecf qnonahes aknbwn atdik Sign afur,
cassmate PAGE
 DATE

Rsk Analysis - Eietluating th Seveoity of

deBected lnealolHo

9Thctdent Respo nse - Atrtnq sCuvy team, o

take appaop>Tafe actons

Compltance Checking- Ensuofnq Sysens qcldhe

stansards
to Secuatty polteres and
48.3fssuse Dekchon
signatur Batabase The IDS maïntafns q Colleciyn
ßf Knoon atak
ataek patteons
Tral,ic Analysis - Inconfng data packe's qnd
O rhonito ed.
1systemn c t ie
Peten atchng- TDS campe oel- ime
qcfvity wth knoon ateck Snatuoes
Alest Geneafon - T motch s found, q0 alrt
?s totggezcd or futthea nvesHqatfon.ob
434 Bekecfon Anomly
o (an Pdentiy uro-day atacks and nove explors
Expotk
le plust to change tn System behaytour over
+prhe.
3 Soes no oequire Canstar updat
achvites orinuouly icatie
classMate PAGE
4.844
DATE II

Host based IntUSPon BeBecBron system CHID3) runs

|on hdepeden oss erAekecfon
docetsystem
en 4he neto0 Tk
A HTDS montoss the: fncomfnq ard
packets oom the deviees ony and oll outgofning
the admimjstrator ao
S0soicin e oy makious acHvity
suspiclous achtiy
Shapshot of extstnq system les am
camperocs Y4 oth tbe Docvious snapshot.
(4) ahdlytca les weot edted deleled
alest s Sent to tbe ddmintsbtoro to
fnvatgtte
CHca Stgpaturt
rles Batab qse

Tratc Andlysts 20. User

Collefor InBeatdce
Engin

Loq Alda Rebots)

Sorage
classMAte HIDS PAGE
 DATE

Basic Compon<ntsHIDS
-Clec' te aetivity s events o ramine
Can be log file au dio Ples logs
Teovlng
Sysem
O Anahsis Engtne
- evamine Ohe collecked netoork toaic
- an pat t to knoon patens of
6uspictous 07 Poaltc fous acvity stod
fn 'Stqpatune Botabase.
gneuse Batabase
It Ps q collecion pattesns & deini4
Ons of kpoon Suspfctous es malfcTods
actvtày
sesToteface 6
6Repoaing
Repootinq
1nferfeco oth hebumon elemen
Providlng alters 4 diving the user's
meqns to nteract operate
the IDs.

4.31.
Honeypos dx tue Ponovahon ?o Pobuston pelefon
Tebrolo
classMite PAGE
 DATE

Honey pots qestyntd encce and

to purpogey'malicos
engaye
decefye hackers and
acttvttes pesfoomed oves sdeny.
the Tntesnet.
Hypeypots desigd to 4h foll ooinq
2ivert attenton of potentfcl attackes
J collt nfoornaPon abou ?ntuder's eacon
provtcle encouoqement to the atacker
qs toy for Soe trme.
Hone poBs destqned fos 2importan goals.
1 make them look- IPke ful ea)- 1Pfe system.
2 o not alow tegtmaBe to know qbout
qccess them
web serve

compater
Netoortk

Inteone
Honey
pot

clAsSMAte PAGE
 UNIT 4
IMP Ouestfons DATE

8Pototl 17g)290
st

Ghak tha ork?ng of freuogll sade -the Dees?

qdvantagu and dâs- advantagca

exofbe Vaofous polPcPes o fouoall

Ahe help of gkatch

shee he IPmftatton of reuoa) P
O Rescofbe Dz fn detefl oth the help of Dg

aefne
OORgeoence between NIDs and HIDs
Sescobe HTDs Componens ofth (abelled diq2
)Descofbe NTDS Coponents oth fabeled tg

clAsSMAte PAGE