NIS Unit 4
Firewall and Intrusion Detection System
4.1 Firewall
4.1.1 Need of Firewall
A firewall can be hardware, software or a combination of both, which will inspect network traffic passing through it and either accept or reject the message based on a set of rules.
The firewall is a partition between private (trusted) networks and public (un-trusted) networks, and it will inspect all traffic (packets) which is passing through it.
It is an effective means of protecting a system or network from network-based threats, and at the same time it should allow for accessing the outside world via wide area networks & the internet.
A firewall is always placed at the network gateway server to protect the internal resources of a private network from the public network.
In an organisation they install a firewall to prevent outsiders from accessing its own private data resources, and it will allow their employees to access outside resources. The firewall will control the outside resources that the organization's employees are accessing.
Working of a firewall is similar to a router program: it examines each network packet to determine whether to forward it or not.
A firewall can work with a proxy server, which makes requests on behalf of workstation users in a network.
Normally, a firewall is installed on a special computer and it is separated from the network; hence, the incoming requests can't enter directly at private network resources.
Goals:
All traffic must pass through the firewall, either from inside to outside or vice versa. This is achieved by physically blocking all access to the local network except via the firewall.
1. Packet Filtering
A router as part of a firewall usually performs packet filtering.
A packet filtering router applies a set of rules to each and every incoming IP packet and then decides either to forward or discard the packet. Typically the router is configured to filter packets going towards and coming from the internal n/w. Filtering rules are based on the following information in a network packet:
- Source IP address: the IP address of the system which generates the IP packet.
- Destination IP address: the IP address of the other system where the IP packet is trying to reach.
- Source and destination transport-level address: the transport-level port number (TCP or UDP) to define applications such as SNMP or TELNET.
- IP protocol field: it tells the transport protocol.
- Interface: for a router which uses three or more ports, from which interface the packet came and to which interface the packet is destined.
Fig: Packet filtering router (Internet - packet filter - private network)
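The rule evaluation described above, as an added example that is not part of the notes: a small packet-filtering router simulator that applies an ordered rule set to constructed IP packets using exactly the fields listed (source IP, destination IP, transport-level port, IP protocol field and the router interface the packet arrived on). The first matching rule decides, and a packet that matches no rule is discarded (default deny). All addresses, ports and interface names are constructed sample values, not taken from the notes.

```python
"""Packet-filtering router simulator (added example, not from the notes)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str          # "tcp", "udp" or "icmp": the IP protocol field
    src_port: Optional[int]
    dst_port: Optional[int]
    in_iface: str          # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    action: str                        # "forward" or "discard"
    src: str = "0.0.0.0/0"             # CIDR; 0.0.0.0/0 means any address
    dst: str = "0.0.0.0/0"
    protocol: Optional[str] = None     # None means any protocol
    dst_port: Optional[int] = None     # None means any destination port
    in_iface: Optional[str] = None     # None means any interface

    def matches(self, pkt: Packet) -> bool:
        """True when every field the rule constrains agrees with the packet."""
        if ip_address(pkt.src_ip) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst_ip) not in ip_network(self.dst):
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.in_iface is not None and self.in_iface != pkt.in_iface:
            return False
        return True


def filter_packet(rules, pkt):
    """Apply rules in order; the first match decides, otherwise discard (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "discard"


# Constructed rule set: the private network 192.168.1.0/24 sits behind
# interface "inside"; the Internet is reached through interface "outside".
RULES = [
    # anti-spoofing: a packet claiming a private source address cannot arrive from outside
    Rule("discard", src="192.168.1.0/24", in_iface="outside"),
    # the outside world may reach only the web server on TCP/80
    Rule("forward", dst="192.168.1.10/32", protocol="tcp", dst_port=80, in_iface="outside"),
    # TELNET (TCP/23) is blocked in both directions
    Rule("discard", protocol="tcp", dst_port=23),
    # inside hosts may initiate any outbound connection
    Rule("forward", src="192.168.1.0/24", in_iface="inside"),
]


def demo():
    """Run constructed sample packets through RULES and return the verdicts."""
    cases = {
        "web_from_outside": Packet("203.0.113.5", "192.168.1.10", "tcp", 51000, 80, "outside"),
        "telnet_from_outside": Packet("203.0.113.5", "192.168.1.10", "tcp", 51001, 23, "outside"),
        "spoofed_from_outside": Packet("192.168.1.20", "192.168.1.10", "tcp", 51002, 80, "outside"),
        "telnet_from_inside": Packet("192.168.1.20", "203.0.113.5", "tcp", 51003, 23, "inside"),
        "dns_from_inside": Packet("192.168.1.20", "203.0.113.53", "udp", 51004, 53, "inside"),
        "snmp_from_outside": Packet("203.0.113.5", "192.168.1.10", "udp", 51005, 161, "outside"),
    }
    return {name: filter_packet(RULES, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```

Rule order matters: the anti-spoofing rule sits first so that a packet arriving on the outside interface with an inside source address is discarded before the web-server rule can forward it, and the unmatched SNMP probe shows why the default action should be discard rather than forward.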
2. Application-level Gateway
Fig: Application-level gateway (outside host - outside connection - gateway running TELNET, FTP, SMTP, HTTP - inside connection - inside host)
It can be a specialized system that acts as an application-level gateway for certain applications. It will not allow an end-to-end TCP connection, but it will set up two TCP connections:
- One between a TCP user on an inner host and the gateway.
- One between the gateway and a TCP user on an outside host.
3. Circuit-level Gateway
Fig: Circuit-level gateway (outside connection between the outside host and the gateway; inside connection between the gateway and the inside host)
4.2.2 Configuration
A firewall is a combination of packet filter and application-level gateway. Based on these, there are three types of firewall configurations:
1. Screened host firewall, single-homed bastion
2. Screened host firewall, dual-homed bastion
3. Screened subnet firewall
Fig: Screened host firewall, single-homed bastion (packet filter; application gateway handling HTTP, SMTP, FTP, TELNET)
Advantages
- Improves security of the network by performing checks at both levels: packet and application level.
- It provides flexibility to the network administrator to define more security policies.
Disadvantages
- Internal users are connected to the application gateway as well as the packet filter router, so if the packet filter is attacked then the whole internal network is exposed to the attacker.
Screened host firewall, dual-homed bastion
Advantages
- Dual-homed hosts can provide a very high level of control.
- Due to the dual-homed bastion host, the internal n/w will remain unaffected since it sits in a separate network zone.
Fig: Screened subnet firewall (packet filter - application gateway handling HTTP, SMTP, FTP, TELNET - packet filter - internal network)
Advantages
- Three levels of defense to thwart intruders.
- The inside router advertises only the existence of the screened subnet to the internal network.
Compatibility Issues
[Figure fragments only: firewall vendors, compatibility when selecting, DMZ]
Host Based IDS
They examine all activity on an individual system like a database, web server or individual PC.
Fig: HIDS components (network - traffic collector - analysis engine - signature database - user interface - log files, reports)
1. Traffic Collector
It is used to collect the traffic activity or events. The event can be audit files, log files or traffic coming in/leaving.
2. Analysis Engine
- Misuse detection
- Anomaly detection
Examines all the network traffic compared to known patterns of suspicious or malicious activity.
3. Signature Database
Stores a collection of patterns and definitions of known malicious or suspicious activity.
4. User Interface and Reporting
To provide an interface to the human element; provide alerts whenever required.
Basic Components of HIDS
- Traffic Collector: collects the activity or events to examine. Can be log files, audit files, logs, or traffic leaving the system.
- Analysis Engine: examines the collected network traffic and compares it to known patterns of suspicious or malicious activity stored in the Signature Database.
- Signature Database: it is a collection of patterns & definitions of known suspicious or malicious activity.
- User Interface & Reporting: interfaces with the human element, providing alerts & giving the user the means to interact with and operate the IDS.
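The four components listed in this section and in the numbered list before it, as one added example that is not part of the notes: the traffic collector is a list of constructed log lines, the signature database is a list of patterns, the analysis engine runs both detection methods the notes name (misuse detection by matching each event against the signatures, anomaly detection by flagging a source whose failed-login count exceeds a baseline), and report() stands in for the user interface and reporting component. The log lines, hostnames, addresses, signature patterns and the failed-login baseline are all constructed for the example.

```python
"""IDS analysis engine over constructed log lines (added example, not from the notes)."""
import re
from collections import Counter

# Traffic collector output: constructed sample log lines, one event per line.
SAMPLE_LOGS = [
    "2024-01-01T10:00:01 host=web1 src=10.0.0.8 msg=GET /index.html 200",
    "2024-01-01T10:00:02 host=web1 src=10.0.0.9 msg=GET /../../etc/passwd 404",
    "2024-01-01T10:00:03 host=db1 src=10.0.0.9 msg=login failed user=admin",
    "2024-01-01T10:00:04 host=db1 src=10.0.0.9 msg=login failed user=admin",
    "2024-01-01T10:00:05 host=db1 src=10.0.0.9 msg=login failed user=root",
    "2024-01-01T10:00:06 host=db1 src=10.0.0.9 msg=login failed user=root",
    "2024-01-01T10:00:07 host=db1 src=10.0.0.9 msg=login failed user=sa",
    "2024-01-01T10:00:08 host=db1 src=10.0.0.8 msg=login failed user=alice",
    "2024-01-01T10:00:09 host=db1 src=10.0.0.8 msg=login ok user=alice",
    "2024-01-01T10:00:10 host=web1 src=10.0.0.7 msg=GET /search?q=' OR 1=1-- 200",
    "garbage line that the collector could not parse",
]

# Signature database: constructed patterns and definitions of known suspicious activity.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sql-injection", re.compile(r"'\s*OR\s+1=1", re.IGNORECASE)),
]

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) msg=(?P<msg>.*)$")


def parse_event(line):
    """Turn one collected line into an event dict; None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def misuse_detection(events):
    """Signature-based: one alert for every event matching a known pattern."""
    alerts = []
    for ev in events:
        for name, pattern in SIGNATURES:
            if pattern.search(ev["msg"]):
                alerts.append((name, ev["src"], ev["host"]))
    return alerts


def anomaly_detection(events, max_failures=3):
    """Behaviour-based: a source exceeding the failed-login baseline is anomalous.

    max_failures is a constructed baseline, not a value from the notes.
    """
    failures = Counter(ev["src"] for ev in events if ev["msg"].startswith("login failed"))
    return [("login-failure-burst", src, count)
            for src, count in sorted(failures.items()) if count > max_failures]


def analyze(lines):
    """Analysis engine: parse the collected lines and run both detection methods."""
    events = [ev for ev in map(parse_event, lines) if ev is not None]
    return {"misuse": misuse_detection(events), "anomaly": anomaly_detection(events)}


def report(results):
    """User interface / reporting: one alert line per finding."""
    lines = [f"ALERT misuse   {name} from {src} on {host}"
             for name, src, host in results["misuse"]]
    lines += [f"ALERT anomaly  {name} from {src} ({count} failed logins)"
              for name, src, count in results["anomaly"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(analyze(SAMPLE_LOGS))))
```

The two methods are complementary: misuse detection only finds what the signature database already describes, while the failed-login burst from 10.0.0.9 matches no signature and is caught only by the anomaly baseline; the single failure from 10.0.0.8 stays below the baseline and raises no alert.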
4.3.1 Honeypots
Honeypots are the innovation in Intrusion Detection Technology.
Fig: Honeypot placement (computer network - internet - honeypot)
UNIT 4
IMP Ouestfons DATE
8Pototl 17g)290
st
aefne
OORgeoence between NIDs and HIDs
Sescobe HTDs Componens ofth (abelled diq2
)Descofbe NTDS Coponents oth fabeled tg
clAsSMAte PAGE