UNIT 4: FIREWALL & INTRUSION DETECTION SYSTEM

4.1 FIREWALL

4.1.1 Need of Firewall
A firewall can be hardware, software or a combination of both, which will inspect network traffic passing through it and either accept or reject the message based on a set of rules.
The firewall is a partition between private (trusted) networks and public (un-trusted) networks, and it will inspect all traffic (packets) which is passing through it.
It is an effective means of protecting a system or network from network-based threats, and at the same time it should allow for accessing the outside world via wide area networks & the internet.
A firewall is always placed at the network security gateway server to protect the internal resources of a private network from the public network.
In an organisation they install a firewall to prevent outsiders from accessing its own private data resources, and it will allow their employees to access outside resources.
A firewall can control the outside resources that the organization's employees are accessing.
Working of a firewall is similar to a router program: it examines each network packet to determine whether to forward it or not.
clAsSMAte PAGE
DATE
A firewall can work with a proxy server which makes requests on behalf of workstation users in a network.
Normally, a firewall is installed in a special computer and it is separated from the network; hence, the incoming requests can't enter directly at private network resources.
All traffic must pass through the firewall, either from inside to outside or vice versa. This is achieved by physically blocking all access to the local network except via the firewall.
Only authorized traffic, which is defined by the local security policy, will be allowed to pass through the firewall.
Different types of firewalls will implement different types of security policies.
The firewall itself is immune to penetration.
Fig: Firewall placed between the internal (protected) network and the external (untrusted) network, e.g. the Internet.
1. Packet Filter
A router as part of a firewall usually performs packet filtering.
A packet filtering router applies a set of rules to each and every incoming IP packet and then decides either to forward or discard the packet.
Typically the router is configured to filter packets going to and coming from the internal n/w.
Filtering rules are based on information in a network packet:
- Source IP address: The IP address of the system which generates the IP packet.
- Destination IP address: The IP address of the other system which the IP packet is trying to reach.
- Source and destination transport-level address: The transport level port number (TCP or UDP) to define applications such as SNMP or TELNET.
- IP protocol field: It tells the transport protocol.
- Interface: For a router which uses three or more ports, from which interface the packet came and to which interface the packet is destined.
Fig: Packet filter placed between the Internet and the private network.
Disadvantages:
- Difficulty of setting up packet filtering rules.
- Lack of authentication.
2. Stateful Packet Filter
Stateful packet filters understand the request and reply system.
Usually the rules of stateful packet filters are specified only for the first packet in one direction, & then a new rule for the outbound packets is created automatically.
All other packets in the communication are then processed automatically.
A stateful firewall can support a wider range of protocols like FTP, IRC or H.323.
Fig: Stateful packet filtering. Incoming packets are checked; allowed packets pass to the protected n/w, disallowed packets are discarded.
3. Application-Level Gateway
An application-level gateway is also known as a proxy server.
This is because it acts like a proxy and decides about the flow of application level traffic.
An internal user contacts the application level gateway using a TCP/IP application, such as Telnet or FTP or HTTP.
The application level gateway will ask the user/host about the remote host with which the user wants a connection for communication.
When the user provides all information (like valid user ID and authentication information), the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints.
If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall.
Further, the gateway can be configured to support only the specific features of an application that the network administrator considers acceptable, while denying all other features.
An application level gateway has higher security than packet filtering. It is very easy to audit all incoming traffic, since it only needs to scrutinize a few allowable applications.
Fig: Application Level Gateway. The outside host and inside host connect through the gateway for TELNET, FTP, SMTP and HTTP.
Disadvantages: The additional overhead for each connection, because there are two separate connections between the end users and the gateway. The gateway should forward traffic in both directions.
4. Circuit-Level Gateway
It can be a specialized function that an application level gateway performs for certain applications.
It will not allow an end-to-end TCP connection, but it will set up two TCP connections:
- One between a TCP user on an inner host and the gateway.
- One between the gateway and a TCP user on an outside host.
After establishing the two connections, the gateway transmits the TCP segments from one connection to the other without examining the contents.
The security function will check which connection is allowed.
Circuit level gateways are used in a situation where the system administrator trusts the internal users.
Fig: Circuit level gateway. The outside host has an "out" connection to the gateway and the inside host has an "in" connection to the gateway.
The gateway can be configured to support application level or proxy service on inbound connections and circuit level functions for outbound connections.
In this case, the gateway acquires the processing overhead of examining incoming application data for prohibited functions, but does not acquire that overhead on outgoing data.
4.2 Firewall Policies, Configuration, Limitation

4.2.1 Firewall Policies
Permissive policies allow all types of traffic but block some services like telnet/SNMP, and those port numbers used by an attacker.
Restrictive policies block all traffic passing through the firewall and allow only traffic which is directed at specific services such as HTTP, POP or SMTP, or SSH.
The most secure option is to block everything that is suspicious, and if someone complains you can allow the protocols.
Firewall rule set:
- Allows HTTP, FTP, SSH, DNS protocols to communicate from the internal network to anyone.
- Allows SMTP and DNS protocols to communicate from the mail server.
- Allows SMTP and POP3 protocols to communicate from inside to the mail server.
- Firewall allows only reply packets.
- Firewall can block everything else.
4.2.2 Configuration
A firewall is a combination of a packet filter and an application level gateway. Based on these, there are three types of firewall configurations:
1. Screened Host Firewall, Single-Homed Bastion
2. Screened Host Firewall, Dual-Homed Bastion
3. Screened Subnet Firewall
1. Screened Host Firewall, Single-Homed Bastion
This firewall configuration consists of two parts:
- a packet filter router.
- an application level gateway.
The packet filter router will ensure that incoming traffic is allowed only if it is intended for the application gateway, by examining the destination address field of each incoming IP packet.
It will also ensure that outgoing traffic is allowed only if it originated from the application level gateway, by examining the source address field of every outgoing IP packet.
The application level gateway performs authentication as well as proxy functions.
Fig: Single-Homed Bastion. A packet filter router in front of the application gateway (HTTP, SMTP, FTP, TELNET), which connects to the internal network.
Advantages:
- Improves security of the network by performing checks at both levels - packet and application level.
- It provides flexibility to the network administrator to define more security policies.
Disadvantages:
- Internal users are connected to the application gateway as well as to the packet filter router. So, if the packet filter is attacked, then the whole internal network is exposed to the attacker.
2. Screened Host Firewall, Dual-Homed Bastion
To eliminate the drawback of the Screened Host firewall system (Single-Homed Bastion Host), the Screened Host Firewall System (Dual-Homed Bastion Host) is implemented.
In this firewall system, the bastion host has two network cards - one is used for the connection with the router.
In this case, even if the router gets compromised, the internal network will remain unaffected since it is in a separate network zone.
This configuration physically separates the external and internal networks, even if the packet filtering router is compromised.
Traffic between the internet and other hosts on the private network has to flow through the bastion host.
Fig: Dual-Homed Bastion. Packet filter router, then the application gateway (HTTP, SMTP, TELNET) with two network cards, then the internal network.
Advantages:
- Dual-homed hosts can provide a very high level of control.
- Due to the dual-homed bastion host, the internal n/w will remain unaffected since it is in a separate network zone.
Disadvantages:
- A dual-homed bastion host is more expensive than a single-homed bastion host.
3. Screened Subnet Firewall
This is one of the most secured firewall configurations.
In this configuration, two packet-filtering routers are used: one between the bastion host and the internet, and one between the bastion host and the internal network.
This configuration creates an isolated sub-network which may consist of simply the bastion host, but may also include servers and modems for dial-in capability.
Typically both the internet and the internal network have access to hosts on the screened subnet, but traffic across the screened subnet is blocked.
Fig: Screened Subnet Firewall. Packet filter, then the application gateway (HTTP, SMTP, FTP, TELNET), then a second packet filter, then the internal network.
Advantages:
- Three levels of defence to thwart intruders.
- The inside router advertises only the existence of the screened subnet to the internal network.
Disadvantages:
- The configuration cannot protect against the transfer of virus-infected programs.
- Filtering done by a software firewall can decrease the user's system performance.
4.2.3 Firewall Limitation
Counters only known threats: Cybercriminals can adapt; they can exploit configuration holes or use encrypted traffic to hide malicious activities.
Social engineering attacks: Firewalls are ineffective against social engineering attacks, such as phishing, which target individual users.
Inability to detect all types of attacks: A firewall might not be able to identify more complex attacks like zero-day vulnerabilities, advanced persistent threats (APTs) and social engineering attacks.
Users can bypass the firewall: A firewall cannot prevent users or attackers from dialing in to or out of the internal network.
Password policy: Firewalls cannot enforce password policies or prevent misuse of passwords.
Malicious code: Firewalls cannot stop internal users from accessing websites with malicious code.
Compatibility issues: Firewalls from different vendors may have compatibility issues, which must be considered when selecting a firewall.
DMZ (Demilitarized Zone)
A DMZ is a small network inserted as a "neutral zone" between a company's private network and the outside public network. It prevents outside users from getting direct access to a company's data server. A DMZ is an optional secure approach to a firewall and acts as a proxy server.
The typical DMZ configuration has a separate computer or host in the network which receives requests from users within the private network to access web sites or the public network.
The DMZ host then initiates sessions for such requests on the public network, which serves its users, but it is not able to initiate a session back into the private network; it can only forward packets which have already been requested.
The public network users who are outside the company can access only the DMZ host.
It can store the company's web pages which can be served to the public network. Hence, the DMZ can't give access to other company data.
Fig: DMZ. The internal private network, the DMZ and the internet, separated by the firewall.
4.3 Intrusion Detection System (IDS)

4.3.1 IDS
Intrusion detection is the process of monitoring the events happening in a computer or network.
The intrusion detection process analyzes them for possible incidents, which are threats to computer security policies, standard security practices or acceptable use policies.
An intrusion detection system (IDS) is the same as a house alarm system: in case of an intrusion, the IDS will provide some alarm.
An IDS watches the surrounding activity and tries to identify undesirable activity.
The main purpose of an IDS is to identify suspicious or malicious activity which deviates from normal behaviour, classify the activity, and (if possible) then respond to the activity.
Host Based IDS
These examine activity on an individual system like a mail server, web server or individual PC. It is concerned only with the individual system and usually has no visibility into the other network or systems around it.
Network Based IDS
These examine activity on the network itself. It has visibility only into the traffic crossing the network link & typically has no idea of what is happening on individual systems.
Components of IDS (figure): Traffic Collector, Analysis Engine, Signature Database, User Interface, Logs/Reports.
1. Traffic Collector: It is used to collect the traffic activity or events. The events can be audit files or log files or traffic coming in or leaving.
2. Analysis Engine: Misuse detection and anomaly detection. It examines the network traffic compared to known patterns of suspicious or malicious activity.
3. Signature Database: Stores a collection of patterns and definitions of known malicious or suspicious activity.
4. User Interface: Provides an interface to the human element. Provides alerts whenever required.
4.3.2 Vulnerability Assessment
Network Scanning - identifying open ports, services and ...
Threat Detection - detecting anomalies and known attack signatures.
Risk Analysis - evaluating the severity of detected vulnerabilities.
Incident Response - alerting security teams to take appropriate actions.
Compliance Checking - ensuring systems adhere to security policies and standards.
4.3.3 Misuse Detection
Signature Database - The IDS maintains a collection of known attack patterns.
Traffic Analysis - Incoming data packets and system activities are monitored.
Pattern Matching - The IDS compares real-time activity with known attack signatures.
Alert Generation - If a match is found, an alert is triggered for further investigation.
4.3.4 Anomaly Detection
- Can identify zero-day attacks and novel exploits.
- Is able to adjust to changes in system behaviour over time.
- Does not require constant updates, as it monitors activities continuously.
4.3.5 HIDS
A Host based Intrusion Detection System (HIDS) runs on independent hosts or devices on the network.
A HIDS monitors the incoming and outgoing packets from the device only, and will alert the administrator if suspicious or malicious activity is detected.
It takes a snapshot of the existing system files and compares it with the previous snapshot. If the analytical system files were edited or deleted, an alert is sent to the administrator to investigate.
Fig: HIDS components. Traffic Collector, Analysis Engine, Signature Database, User Interface, and Log/Alert/Report storage.
Basic Components of HIDS
1. Traffic Collector - Collects the activities or events to examine. These can be log files, audit files, or traffic leaving or entering the system.
2. Analysis Engine - Examines the collected network traffic and compares it to known patterns of suspicious or malicious activity stored in the signature database.
3. Signature Database - It is a collection of patterns & definitions of known suspicious or malicious activity.
4. User Interface & Reporting - Interfaces with the human element, providing alerts & giving the user a means to interact with and operate the IDS.
4.3.6 Honeypots
Honeypots are a new innovation in intrusion detection technology.
Honeypots are designed to purposely engage and deceive hackers and identify malicious activities performed over the internet.
Honeypots are designed to do the following:
- Divert the attention of potential attackers.
- Collect information about the intruder's actions.
- Provide encouragement to the attacker to stay for some time.
Honeypots are designed for 2 important goals:
1. Make them look like full real-life systems.
2. Do not allow legitimate users to know about or access them.
Fig: Honeypot. The internet connects to the network containing the web server, computers and the honeypot.
UNIT 4 IMP Questions
1. Explain the working of a firewall. State the types, advantages and disadvantages.
2. Describe various policies of a firewall with the help of a sketch.
3. State the limitations of a firewall.
4. Describe DMZ in detail with the help of a diagram.
5. Define IDS. Difference between NIDS and HIDS.
6. Describe HIDS components with a labelled diagram.
7. Describe NIDS components with a labelled diagram.