Unit-2 CSDF

The document provides an overview of network and system security, detailing various types of attacks including criminal, publicity, and legal attacks from a general perspective, as well as passive and active attacks from a technical viewpoint. It also discusses digital signatures, their properties, and the working mechanisms, along with the Pretty Good Privacy (PGP) system for email authentication and the Secure Socket Layer (SSL) for secure communications. Additionally, it introduces IPsec as a protocol for securing internet protocol communications.

Uploaded by

Hetal Vasava

UNIT-2

Network and System Security


2.1 TYPES OF ATTACKS
• Attack: An assault on system security that derives from an intelligent threat: that is, an intelligent act that is a deliberate
attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a
system.
• A security attack is an activity or act made upon a system with the goal to obtain unauthorized access to information or
resources. It is usually carried out by evading security policies that are in place in organizations or individual devices.
• Thus, an attack is any action that compromises the security of information owned by an organization. Security attacks can
be classified in three ways:
• General point of view
• Technical point of view
• Implementation point of view

2.1.1 General point of view

From the point of view of a non-technical person, security attacks can be classified into three types.
1. Criminal Attack
The main aim of the attacker in a criminal attack is to maximize financial gain or to harm others or their systems. Some
examples of criminal attacks are fraud, scams, identity theft, intellectual property theft, brand theft, etc.
2. Publicity Attack
The sole aim of an attacker in a publicity attack is to get publicity instead of
financial gain. Generally, these attackers are not hardcore criminals. They are
people like students or employees who try to get publicity by applying a new
approach to an attack. An example of such an attack is defacing or hijacking
the web page of a popular website.
3. Legal Attack
The aim of the attacker is to exploit the weakness of the judge and the jury
in technological matters. This form of attack is quite new and unique: the
attacker tries to convince the judge and the jury that there is an inherent
weakness in the computer system and that he is not responsible for any
wrongful activity.

Ex.: The attacker claims that he merely clicked what the system asked him to,
and did nothing else.
2.1.2 Technical point of view
From a technical point of view, attacks can be grouped into two types:
passive attacks and active attacks.

1. Active Attacks
Active attacks are attacks in which the attacker not only observes traffic
but also tries to modify the original message or to create a false message.
These kinds of attacks cannot be easily prevented. They can, however,
be detected with some effort, and attempts can be made to recover
from them.

These attacks can be further classified as depicted in the figure


Masquerade - Pose as another entity.
When an attacker pretends to be another entity, the attack is called a masquerade attack. User C might
pose as user A and send a message to user B. User B might be led to believe that the message indeed came
from user A and act on it. Generally, masquerade attacks are combined with some other kind of active
attack.

Modification - Change of original message

Modification attacks are attacks in which the attacker tries to modify the original message. These
attacks are further classified as replay attacks and alteration attacks.
In a replay attack, a user captures a message and re-sends it. For example, suppose user A wants to transfer
some amount to user C's bank account. User A might send an electronic message to bank B requesting the
transfer of funds. User C could capture this message and send it again to bank B. Bank B would have no idea
that this second message is unauthorized, would treat it as a second request, and would transfer the funds twice.
Alteration of messages involves some change in the original message. For example, suppose user A sends the
message "Transfer 10000 to B's account" to bank ABCL. User C captures this and changes it to "Transfer 100000
to B's account". Here the original message is altered in terms of the amount.

Denial of Service (DoS) attacks

A Denial of Service (DoS) attack attempts to make resources unavailable to their legitimate users. For example, an
attacker sends thousands of requests to a server to keep it busy, so the server cannot respond to legitimate users.
2. Passive Attacks
Passive attacks are those in which the attacker just observes or monitors messages during
transmission. The aim of the attacker is to obtain information only. The term passive
indicates that no attempt is made to modify the original message. Because of this, passive attacks are
harder to detect. To deal with passive attacks, preventive actions are taken rather than
detection or corrective actions.

Passive attacks are further classified into two sub-categories: release of message
contents and traffic analysis.
Release of Message Contents
The release of message contents attack is very simple to understand. Suppose a sender wants to
send a confidential message to a recipient without it being disclosed to anyone else, but an attacker
somehow gains access to this message. We can prevent the release of message contents with a
security mechanism such as encryption.
Traffic Analysis
Sometimes a passive attacker collects a large number of messages passing through the network,
figures out similarities between them and sorts out some pattern. Such an attempt to analyze
encrypted messages in order to learn about the original messages is called traffic analysis.
2.1.3 Implementation point of view
All the attacks discussed above can be further classified, from the implementation
point of view, as application-level attacks and network-level attacks.

1. Application-level Attacks
These are attacks in which an attacker attempts to access, modify, or prevent access
to the information of a particular application, or to the application itself.

Examples: accessing someone's credit card information, or changing the amount in a
transaction.

2. Network-level Attacks
Network-level attacks are applied to networks with the aim of reducing the
capabilities of the network in different ways. These attacks may slow down, or
completely halt, the computer network. Once an attacker gets control over the
network, he may apply application-level attacks as well.
2.2 DIGITAL SIGNATURE
Confidentiality is achieved by using cryptographic techniques.
Integrity can be achieved by using hash functions and algorithms such as the SHA algorithms and the MD5
message digest. Availability can be maintained through the various activities of the network administrator.
But how can we authenticate that a particular message, data, software or document came from a specific sender? That
is the case where the digital signature plays an important role.
2.2.1 What is Digital Signature?
A digital signature is a mathematical technique used to validate the authenticity and integrity of a digital
document, message or software.
It is the digital equivalent of a handwritten signature or stamped seal, but it offers far more inherent
security. A digital signature is intended to solve the problem of tampering and impersonation in digital
communications.
Digital signatures can provide evidence of the origin, identity and status of electronic documents,
transactions or digital messages. Signers can also use them to acknowledge informed consent. In many
countries, digital signatures are legally recognised in the same way as traditional handwritten
signatures.
2.2.2 Properties of Digital Signature
Message authentication is the mechanism used to protect the sender and receiver of a digital data transmission from a third
party. But it does not protect the two communicating parties from each other. Several disputes between them can arise, such as
the following.
 Receiver may forge a message and claim that it was sent by the sender.
E.g. An electronic fund transfer takes place; the receiver may increase the amount and claim that the larger amount had
arrived from the sender.
 Sender may deny having sent a message.
E.g. A stockholder sends an instruction to his stockbroker, and then pretends that he never sent such an instruction.
In such situations, where there is not complete trust between sender and receiver, something more than authentication
is needed. The most attractive solution to this problem is the digital signature.

The digital signature must have the following properties:


 It must verify the author and the date and time of the signature.
 It must authenticate the contents at the time of the signature.
 It must be verifiable by third parties, to resolve disputes.
Thus, the digital signature function includes the authentication as well as integrity functions.
2.2.3 Working of Digital Signature
Digital signatures use three kinds of algorithms, as described below.
Key Generation Algorithms: Digital signatures are electronic signatures
that guarantee that a certain sender sent the message. The algorithms
used to generate the signing and verification keys are called key generation algorithms.
Signing Algorithms: To create a digital signature, a hashing algorithm is
used to create a one-way hash of the electronic data which is to be transmitted.
The signing algorithm then encrypts the hash value using the sender's private
key (signature key). This encrypted hash value, sent along with the original data, is
known as the digital signature.
Signature Verification Algorithms: The digital signature verifier receives
the digital signature along with the original data. The verifier then uses the verification
algorithm to verify the received digital signature.
The steps followed in creating a digital signature and verifying it are:
1. The hash value is computed by applying the hash function to the message, and then the hash
value is encrypted using the private key of the sender (Bob) to form the digital signature.
digital signature = encryption(private key of sender, Hash Value) and
Hash Value = Hashing algorithm(message).
2. The digital signature is then transmitted with the original message.
(original message + digital signature is transmitted)
3. The receiver decrypts the digital signature using the public key of the sender. (This assures
authenticity: only the sender has his private key, so only the sender can encrypt using his
private key, and that can be decrypted only with the sender's public key.)
4. The receiver now has the hash value from the sender's side.
5. The receiver also computes the hash value from the original message (the actual
message is sent with the digital signature).
6. The hash value computed by the receiver and the hash value received from the sender
(obtained by decrypting the digital signature) must be the same to ensure integrity.
Digital signatures are used in various financial or business transactions, such as legal documents
and contracts, sales and purchase contracts, financial documents, health data, shipping
documents, etc.
2.3 PRETTY GOOD PRIVACY (PGP)
2.3.1 Introduction - PGP
 PGP is commonly used to provide two fundamental services, confidentiality and authentication, for
electronic mail and file storage.
 It was designed by Phil Zimmermann in 1991.
 It uses well-established cryptographic algorithms: RSA, Diffie-Hellman key exchange and DSS for
public-key (asymmetric) operations; CAST-128, 3DES and IDEA for
symmetric encryption; and SHA-1 for hashing.
 PGP software is open-source software and is independent of the OS (Operating System) as well as
the processor.
The services provided by PGP are as under:
 Authentication
 Confidentiality
 Compression
 Email Compatibility
 Segmentation
2.3.2 Email Authentication using PGP
Authentication of an email means checking whether it actually came from the person it claims to come from.
The authentication service in PGP is provided as follows.
 As shown in the above figure 2.7, the hashing algorithm SHA-1 is used
and produces a 160-bit hash value. Then, using the sender's
private key (KP), the hash value is encrypted; this is called the digital
signature. The message is then appended to the signature. Then the
message is compressed to reduce the transmission cost and is sent to the
receiver.
 At the receiver's end, the data is decompressed and the message and
signature are obtained. The signature is then decrypted using the
sender's public key (PU) and the hash value is obtained. The hash value
is calculated again from the message.
 The two hash values, the one received from the sender and the one
calculated at the receiver's side, are compared. If both are the same, the
email is authenticated; otherwise it is not.
2.4 Secure Socket Layer And Transport Layer Security
• Netscape originated SSL. It is a transport layer security service.
• Version 3.0 was designed with public input. It subsequently became the Internet
standard known as TLS (Transport Layer Security), version 3.1.

SSL Architecture
• SSL is designed to make use of TCP to provide a reliable end-to-end
secure service.
[Fig.: SSL Architecture (Layer-1, Layer-2)]
SSL Protocol Stack
• SSL is not a single protocol but rather two layers of
protocols.
• The SSL Record Protocol provides basic security services to
various higher layer protocols.
• In particular, the Hypertext Transfer Protocol (HTTP),
which provides the transfer service for Web client/server
interaction.
• Three higher-layer protocols are defined as part of SSL:
1. The Handshake Protocol,
2. The Change Cipher Spec Protocol
3. The Alert Protocol.
• These SSL-specific protocols are used in the management
of SSL exchanges.
SSL Record Protocol
• The SSL Record Protocol provides two services for SSL
connections:
• Confidentiality: The Handshake Protocol defines a shared secret
key that is used for conventional encryption of SSL payloads.
• Message Integrity: The Handshake Protocol also defines a
shared secret key that is used to form a message authentication
code (MAC).
SSL Record Protocol
• The Record Protocol takes an application message to be transmitted,
fragments the data into manageable blocks, optionally compresses the
data, applies a MAC, encrypts, adds a header, and transmits the
resulting unit in a TCP segment.
1. The first step is fragmentation. Each upper-layer message is
fragmented into blocks of 2^14 bytes (16384 bytes) or less.
2. Next, compression is optionally applied. Compression must be
lossless and may not increase the content length by more than 1024
bytes.
3. The next step in processing is to compute a message authentication
code over the compressed data. For this purpose, a shared secret
key is used.
4. The compressed message plus the MAC are encrypted using
symmetric encryption. Encryption may not increase the content
length by more than 1024 bytes, so that the total length may not
exceed 2^14 + 2048 bytes.
Handshake Protocol
• This protocol allows the server and client to authenticate
each other and to negotiate an encryption and MAC
algorithm and cryptographic keys to be used to protect
data sent in an SSL record.
• The Handshake Protocol is used before any application
data is transmitted.
• The Handshake Protocol consists of a series of messages
exchanged by client and server. Each message has three fields:
• The handshaking is done in four phases.
A. PHASE 1. ESTABLISH SECURITY CAPABILITIES
B. PHASE 2. SERVER AUTHENTICATION AND KEY EXCHANGE
C. PHASE 3. CLIENT AUTHENTICATION AND KEY EXCHANGE
D. PHASE 4. FINALIZING THE HANDSHAKE PROTOCOL
Details of Phases
• Phase 1 is used to initiate a logical connection and to
establish the security capabilities that will be associated
with it. The exchange is initiated by the client.
• After Phase 1, client and server know the version of
SSL, the algorithm for the exchange of keys, the message
authentication code and the encryption algorithm. They also know
the compression method and two random numbers for
key generation.
• After Phase 2, the server is authenticated to the client and
the client knows the public key of the server.
• After Phase 3, the client is authenticated to the
server. Both the client and the server know the
cryptographic secret exchanged using RSA.
• After Phase 4, the client and server are connected
and ready to exchange data.
[Fig.: SSL Handshake Protocol]
Change Cipher Spec Protocol
• The Change Cipher Spec Protocol is one of the three SSL-specific
protocols that use the SSL Record Protocol, and it is the simplest.
• This protocol consists of a single message, which consists of a single
byte with the value 1.
• The server and client cannot use the negotiated cryptographic parameters and
secrets until they send or receive a special message called the
Change Cipher Spec message, which is generated and exchanged
during the handshake protocol.
• The sender and receiver each need two states: a pending state and an active state.
The pending state keeps track of the newly negotiated parameters and secrets.
• The active state holds the parameters and secrets which are used by the
record protocol to sign/verify or encrypt/decrypt messages.
• The sole purpose of this message is to cause the pending state to be
copied into the current state, which updates the cipher suite to be
used on this connection.
Alert Protocol
• The Alert Protocol is used to convey SSL-related alerts to the peer
entity. As with other applications that use SSL, alert messages are
compressed and encrypted, as specified by the current state.
• Each message in this protocol consists of two bytes.
• The first byte takes the value warning (1) or fatal (2) to convey the
severity of the message. If the level is fatal, SSL immediately
terminates the connection.
• The second byte contains a code that indicates the specific alert.
• fatal: unexpected message, bad record MAC, decompression failure,
handshake failure, illegal parameter
• warning: close notify, no certificate, bad certificate, unsupported
certificate, certificate revoked, certificate expired, certificate unknown
2.5 IPSEC
2.5.1 Introduction - IPsec
IPsec (Internet Protocol Security) is a large set of protocols and algorithms. The Internet
Engineering Task Force (IETF) developed the IPsec protocols for the purpose of
providing security at the IP layer through authentication and encryption of IP network
packets.
 Originally, it was defined with two protocols for securing IP packets:
Authentication Header (AH) and Encapsulating Security Payload (ESP).
 The former, AH, provides data integrity and non-replay services, and the
latter, ESP, encrypts and authenticates data.
Thus, IPsec provides the basic services listed below:
 Confidentiality
 Authentication
 Integrity
 Non-Replay
2.5.2 IP Security Architecture
1. Architecture:
The Architecture (IP Security Architecture) document covers the general
concepts, definitions, protocols, algorithms, and security requirements of
IP Security technology.
[Fig. 2.: IP Security Architecture]
2. ESP Protocol:
ESP (Encapsulating Security Payload) provides a confidentiality service.
Encapsulating Security Payload is implemented in one of two ways:
 ESP with optional Authentication.
 ESP with Authentication.

[Fig. ESP Packet Format]


 Security Parameter Index (SPI): This parameter identifies the Security
Association. It gives a unique number to the connection built
between the client and server.
 Sequence Number: A unique sequence number is allotted to every
packet so that, on the receiver side, packets can be arranged properly.
 Payload Data: Payload data means the actual data or the actual
message. The payload data is in encrypted form to achieve
confidentiality.
 Padding: Extra bits of space are added to the original message in order
to ensure confidentiality. Padding Length is the size of the added bits of
space in the original message.
 Next Header: Identifies the type of data carried in the payload, i.e. the
protocol header that follows.
 Authentication Data: This field is optional in the ESP packet
format.
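The ESP fields just listed, built and parsed in code, as an added example that is not from the notes: SPI, sequence number, payload, padding, pad length, next header and the optional authentication data, plus the sliding anti-replay window that gives the non-replay service. The payload is carried with NULL encryption so the layout stays visible, HMAC-SHA1-96 (RFC 2404) is assumed for the authentication data, and the 32-packet window follows the RFC 4303 description; function and class names are this example's own.

```python
"""ESP packet layout with optional authentication data, and an anti-replay window."""
import hashlib
import hmac
import struct
from typing import Optional

ICV_LEN = 12            # HMAC-SHA1-96: the 160-bit HMAC truncated to 96 bits (RFC 2404)
PROTO_TCP = 6           # IP protocol number for TCP, carried in the Next Header field


def build_esp(spi: int, seq: int, payload: bytes, next_header: int,
              auth_key: Optional[bytes] = None, align: int = 4) -> bytes:
    """SPI | Sequence Number | Payload Data | Padding | Pad Length | Next Header | [Auth Data].
    NULL encryption (RFC 2410 style) is used here so the field layout stays readable."""
    pad_len = (-(len(payload) + 2)) % align          # payload + padding + 2-byte trailer aligned
    padding = bytes(range(1, pad_len + 1))           # default pad pattern 1, 2, 3, ...
    packet = struct.pack(">II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    if auth_key is not None:                         # optional Authentication Data field
        packet += hmac.new(auth_key, packet, hashlib.sha1).digest()[:ICV_LEN]
    return packet


def parse_esp(packet: bytes, auth_key: Optional[bytes] = None) -> dict:
    """Verify the authentication data (if present), then strip trailer and padding.
    Raises ValueError when the packet was tampered with or is malformed."""
    if auth_key is not None:
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ESP authentication data mismatch")
    else:
        body = packet
    if len(body) < 10:
        raise ValueError("ESP packet too short")
    spi, seq = struct.unpack(">II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 10:
        raise ValueError("invalid pad length")
    payload = body[8:len(body) - 2 - pad_len]
    return {"spi": spi, "seq": seq, "payload": payload,
            "pad_len": pad_len, "next_header": next_header}


class ReplayWindow:
    """Sliding window over the last `size` sequence numbers of one Security Association;
    bit k of the bitmap set means sequence number (highest - k) was already accepted."""

    def __init__(self, size: int = 32):
        self.size, self.highest, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        """True if seq is new and inside the window; False for replays or stale packets."""
        if seq == 0:
            return False                                   # first packet on an SA has seq 1
        if seq > self.highest:                             # window slides forward
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size or self.bitmap & (1 << offset):
            return False                                   # too old, or already seen
        self.bitmap |= 1 << offset
        return True
```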
3. Encryption Algorithm:
The Encryption Algorithm document describes the various
encryption algorithms used for Encapsulating Security Payload.
4. AH Protocol:
The AH (Authentication Header) protocol provides both authentication and
integrity services. Authentication Header is implemented in one way only:
authentication along with integrity.

(Fig. AH Packet Format)

5. Authentication Algorithm:
The Authentication Algorithm document set describes
the authentication algorithms used for AH and for the authentication
option of ESP.

6. DOI (Domain of Interpretation):
The DOI is the identifier that supports both the AH and ESP protocols. It contains
the values needed by the other documents to relate to each other.

7. Key Management:
The Key Management document describes how keys are
exchanged between sender and receiver.
2.6 HTTPS (CONNECTION INITIATION & CLOSURE)
2.6.1 Introduction - HTTPS
• Hypertext Transfer Protocol Secure (HTTPS) is the
secure version of HTTP, which is the primary protocol
used to send data between a web browser and a
website.
• HTTPS is particularly important when users transmit
sensitive data, such as login credentials for a bank
account, email service, or health insurance provider.
• In modern web browsers such as Chrome, websites
that do not use HTTPS are marked differently from
those that do.
Working of HTTPS
• HTTPS uses an encryption protocol to encrypt the communication
data.
• The protocol used for this encryption is called Transport Layer
Security (TLS); formerly it was known as Secure Socket Layer (SSL).
• This protocol uses an asymmetric public key infrastructure. It uses
two different keys: the private key and the public key.
• When information is sent over regular HTTP, the information is
broken into packets of data that can be easily "sniffed" using free
software. This makes communication over an unsecure medium,
such as public Wi-Fi, highly vulnerable to interception.
• With HTTPS, traffic is encrypted such that even if the packets are
sniffed or otherwise intercepted, they will appear as
nonsensical characters.
[Fig. 2.18: Working with HTTPS]
2.6.3 Difference between HTTP and HTTPS
| HTTP | HTTPS |
|---|---|
| The full form of HTTP is Hypertext Transfer Protocol. | The full form of HTTPS is Hypertext Transfer Protocol Secure. |
| It operates at the application layer. | It operates at the transport layer. |
| The data is transferred in plain text form. | The data is transferred in encrypted form, i.e., ciphertext. |
| By default, this protocol operates on port number 80. | By default, this protocol operates on port number 443. |
| The URL starts with http:// | The URL starts with https:// |
| This protocol does not need any certificate. | This protocol requires an SSL (Secure Socket Layer) certificate. |
| Communication is carried out without encryption. | Communication is carried out with encryption. |
| Faster than HTTPS. | Slower than HTTP. |
| It is unsecure. | It is highly secure. |
| Examples of HTTP websites are educational sites, Internet forums, etc. | Examples of HTTPS websites are shopping websites, banking websites, etc. |
2.6.4 Advantages of HTTPS
• Secure Communication: HTTPS establishes a secure communication
link between the communicating systems by providing encryption
during transmission.
• Data Integrity: By encrypting the data, HTTPS ensures data integrity.
This implies that even if the data is compromised at any point, the
hackers won't be able to read or modify the data being exchanged.
• Privacy and Security: HTTPS prevents attackers from passively accessing the
data being exchanged, thereby protecting the privacy and
security of the users.
• Faster Performance: HTTPS encrypts the data and reduces its size.
The smaller size accounts for faster data transmission in the case of
HTTPS.
2.7 MALICIOUS SOFTWARE
2.7.1 What is Malware?
Malware, a short name for malicious software, is an umbrella term that describes any malicious program or code
that is harmful to systems. It is specifically designed to disrupt, damage, or gain unauthorized access to a computer
system.
How can malware affect your system?
 Your computer slows down.
 Your screen is inundated with annoying ads.
 Your system crashes.
 You notice a mysterious loss of disk space.
 There's a weird increase in your system's Internet activity.
 Your browser settings change: the homepage is changed, or you have new toolbars, extensions, or plugins installed, etc.
 Your antivirus product stops working and you cannot turn it back on, leaving you unprotected against the
malware that disabled it.
 You lose access to your files or your entire computer.
Adware, spyware, viruses, worms, Trojans, ransomware, rootkits, keyloggers, etc. are the
various forms of malware. Each of these has a different working method and affects our
system or network very differently.

2.7.2 Common types of Malware:

1. Virus
A virus is a piece of program code (malicious software) that attaches itself to legitimate
program code and runs when the legitimate program runs. It can then infect other programs
on that computer, or programs on other computers on the same network. A virus is
capable of deleting all the files from the current user's computer, and it can self-propagate
by sending its code to all other users whose email addresses are stored on the currently
infected computer system.
Virus Lifecycle
During its lifetime, a virus goes through four phases as depicted in the below figure.
(a) Dormant Phase: During this phase the virus is in idle mode.
(b) Propagation Phase: In this phase, the virus propagates itself by copying its own code, and each copy
starts creating more and more copies of itself.
(c) Triggering Phase: A dormant virus is triggered based on a certain action or event (e.g. a certain key
press, a certain date or time being reached, etc.).
(d) Execution Phase: The actual work of the virus starts in this phase, which could be harmless (just
displaying some message on screen) or destructive (deleting or corrupting a file).
Types of Viruses
Viruses can be classified into different categories on the basis of their working and implementation.
(a) Parasitic Virus: Such a virus attaches itself to executables and keeps replicating. When an
infected file is executed, the virus attaches to other executable files. This is the most common type
of virus.
(b) Memory-resident Virus: This virus resides in main memory and then infects every
executable program that is executed.
(c) Boot Sector Virus: This infects the master boot record of the disk and spreads from the disk
during the booting process of the computer.
(d) Stealth Virus: This virus has built-in intelligence that lets it prevent anti-virus
software from detecting it.
(e) Polymorphic Virus: Such a virus continuously changes its signature (identity) on every
execution, which makes it difficult to detect.
(f) Metamorphic Virus: It changes its signature like a polymorphic virus, and also rewrites itself.
So it becomes even harder to detect than a polymorphic virus.
2. Worms
Worms are similar in concept to a virus, but different from an implementation
point of view. The big differences between a virus and a worm are: (1) a virus
can modify the program to which it is attached, but a worm does not modify
a program; (2) worms can spread across systems on their own, whereas
viruses need some triggering action from a user in order to initiate the
infection.
Thus, the basic aim of a virus is to destroy files in the system, whereas the aim of a
worm is to replicate itself repeatedly and consume system resources, and in
this way slow down system or network performance.
3. Keyloggers
Keyloggers, also known as keystroke loggers or keyboard capturing
software, are tools or programs designed to record and monitor keystrokes
on a computer or mobile device.
Types of keyloggers
There are several types of keyloggers, each with its own characteristics and methods of operation. Here are
some common types of keyloggers:

1. Hardware Keyloggers: Hardware keyloggers are physical devices that are attached between the
keyboard and the computer or inserted into a USB port. They record keystrokes directly from the keyboard.

2. Software Keyloggers: Software keyloggers are programs or malicious software installed on a computer or
mobile device. They run in the background and record keystrokes, capturing the information entered by the
user.

3. Memory-Injection Keyloggers: Memory-injection keyloggers inject malicious code into running processes
or the memory of a target system. They intercept and record keystrokes by hooking into the operating system's
keyboard events.

4. Form Grabbing Keyloggers: Form grabbing keyloggers target web browsers and capture information
submitted through online forms.
4. Trojan horse
A Trojan, or Trojan horse, is one of the most dangerous malware types. It usually presents
itself as something useful in order to trick you. Once it's on your system, the attackers
behind the Trojan gain unauthorized access to the affected computer. From there, Trojans
can be used to steal financial information or install other forms of malware, often
ransomware.
5. Rootkit
A rootkit is a form of malware that provides the attacker with administrator privileges on the
infected system, also known as "root" access. Typically, it is also designed to stay hidden
from the user, other software on the system, and the operating system itself.
6. Adware
Adware is unwanted software designed to throw advertisements up on your screen, most
often within a web browser. Typically, it uses an underhanded method to either disguise
itself as legitimate, or piggyback on another program to trick you into installing it on your
PC, tablet, or mobile device.
7. Spyware
Spyware is malware that secretly observes the computer user's activities without
permission and reports them to the software's author.
8. Backdoors
A backdoor allows someone to enter your house, but not by the legitimate way, the front
door. In technical terms, a backdoor is any method which allows a hacker, or even a
government, to access your system without your permission. A backdoor can be installed
on your system by hackers in the form of some malware application or by using your
device's software vulnerabilities.

All malware such as rootkits, Trojans, spyware, keyloggers, worms and even
ransomware is considered a backdoor if installed on a user's device without their
permission or knowledge.
2.8 FIREWALL
2.8.1 Need of Firewall
The unparalleled improvement in internet technology has opened
the possibility to connect any computer with any other computer in
the world. This is a great advantage for individuals as well as for business
houses and organisations.
But large organisations face two problems:
(1) They hold a large amount of confidential data that must be kept
secret from their business rivals.
(2) They must have a mechanism that can protect this valuable and
confidential information from outsiders. A firewall is such a mechanism:
it protects an individual or corporate network from outside attackers.
2.8.2 What is Firewall ?
A firewall is a network security device or software that acts as a barrier
between an internal network and external networks or the internet.
Its primary purpose is to monitor and control incoming and outgoing
network traffic based on predetermined security rules.
Conceptually, a firewall can be compared with a security guard standing
outside the house of a nation's president. The guard physically checks every person who
enters or exits the house, and stops anyone who looks suspicious.
A firewall works like that guard: it checks every data packet that enters or exits the
private network.
Firewalls are designed to prevent unauthorized access to network by
filtering and blocking potentially harmful or malicious traffic while
allowing legitimate communication to pass through. They examine
network packets, which are small units of data, and apply rules to
determine whether the packets should be allowed or blocked.
Fig. 2.20: Firewall working Architecture
Firewalls play a crucial role in network security by protecting against various
threats, such as unauthorized access attempts, malware infections, distributed
denial-of-service (DDoS) attacks, and data breaches. They are an essential
component of a comprehensive security strategy and are commonly used in both
home networks and large-scale enterprise environments.
2.8.3 Types of Firewalls
• Firewalls can be implemented in various forms. On the basis of
implementation, firewalls can be classified into two categories:
• Network Based Firewall
• Host Based Firewall
1. Network Based Firewall
• Network firewalls are devices used to protect private
networks from unauthorized access. The major purpose of a network
firewall is to protect an inner network by separating it from the outer
network. The inner network is simply the network created inside
an organization; any network outside the range of the inner network
is considered the outer network.
Types of Network based firewalls
• Packet filtering firewall (First Generation firewall)
• As the name suggests, a packet filtering firewall is used to
monitor incoming and outgoing packets and decide
whether to allow or stop them based on protocols,
ports, source and destination IP addresses, and other
factors.
• Every packet is handled separately by a packet filtering firewall.
Packet filtering firewalls are also known as stateless
firewalls.
[Fig. 2.21: Filtering Rule Table]
Working of packet filter firewall
(a) Receive each incoming packet at the packet filter
node, which is also called the filtering router or screening
router.
(b) Apply the set of predefined rules to each packet. If the packet
matches one of the rules, accept or discard it as that rule
specifies. For example, a rule could specify: disallow all incoming traffic
from the IP address 157.28.19.14.
(c) If no rule matches, take the default action. The default
can be to discard all packets or to accept all packets.
Stateful Inspection Firewall (Second generation Firewall)
• Stateful inspection firewalls include both packet filtering and TCP
handshake verification, making stateful inspection firewalls superior to
packet-filtering firewalls.
• When a user establishes a connection and requests data, the firewall
creates an entry in a database (the state table). The database stores session
information such as source IP address, source port number, destination IP
address, destination port number, etc. Connection information is stored
for each session in the state table. Using stateful inspection technology,
these firewalls create security rules to allow anticipated traffic.
• In most cases, stateful inspection firewalls are implemented as
additional security levels. The advantage of this firewall is that it is more secure than
a stateless firewall. The disadvantage is that it increases the load and puts
more pressure on computing resources, so it leads to a slower transfer
rate for data packets than other solutions.
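The following program is an added example (not code from the original notes) that puts the two firewall generations side by side: the three-step packet filter of the previous section (rule table, first match wins, default action when nothing matches) and the state table that a stateful inspection firewall layers on top of it. Packets, the rule table and all addresses are constructed for illustration; 157.28.19.14 is the address the notes use in their example rule, 10.0.0.0/24 plays the inner network, and 198.51.100.0/24 and 203.0.113.0/24 play outer hosts.

```python
"""Stateless packet filtering versus stateful inspection (added example)."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str          # "tcp" or "udp"
    direction: str      # "in" = arriving from the outer network, "out" = leaving the inner one
    syn: bool = False   # TCP SYN flag: set on the first packet of a connection
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                        # "accept" or "discard"
    direction: Optional[str] = None    # None means "matches any value"
    proto: Optional[str] = None
    src_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        checks = ((self.direction, pkt.direction), (self.proto, pkt.proto),
                  (self.src_ip, pkt.src_ip), (self.dst_port, pkt.dst_port))
        return all(want is None or want == have for want, have in checks)


# Constructed rule table in the spirit of Fig. 2.21, evaluated top to bottom.
RULES = [
    Rule("discard", src_ip="157.28.19.14"),                    # the rule from step (b)
    Rule("accept", direction="in", proto="tcp", dst_port=80),  # inner web server is public
    Rule("accept", direction="out"),                           # inner hosts may go out
]
DEFAULT_ACTION = "discard"   # step (c): nothing matched


def stateless_filter(pkt: Packet, rules=RULES, default=DEFAULT_ACTION) -> str:
    """Packet filtering firewall: every packet is judged on its own header fields."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def _flow_key(pkt: Packet):
    return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)


def _reply_key(pkt: Packet):
    return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


class StatefulFirewall:
    """Stateful inspection: sessions accepted by the static rules are recorded in a
    state table, so their reply packets are accepted without needing a rule of their
    own, and TCP packets that carry no SYN and belong to no known session are dropped."""

    def __init__(self, rules=RULES, default=DEFAULT_ACTION):
        self.rules, self.default = rules, default
        self.state_table = set()   # (proto, src_ip, src_port, dst_ip, dst_port), both directions

    def handle(self, pkt: Packet) -> str:
        if _flow_key(pkt) in self.state_table:
            return "accept"                      # part of an established session
        if pkt.proto == "tcp" and not pkt.syn:
            return "discard"                     # handshake verification: no SYN, no session
        action = stateless_filter(pkt, self.rules, self.default)
        if action == "accept":                   # new session: remember both directions
            self.state_table.add(_flow_key(pkt))
            self.state_table.add(_reply_key(pkt))
        return action


if __name__ == "__main__":
    fw = StatefulFirewall()
    query = Packet("10.0.0.5", 40000, "198.51.100.53", 53, "udp", "out")
    reply = Packet("198.51.100.53", 53, "10.0.0.5", 40000, "udp", "in")
    print("stateless, DNS reply:", stateless_filter(reply))   # discard: no static rule allows it
    print("stateful,  DNS query:", fw.handle(query))          # accept, session recorded
    print("stateful,  DNS reply:", fw.handle(reply))          # accept, via the state table
```

The DNS reply shows why the notes call the stateful firewall superior: the stateless table would need an extra "accept inbound UDP from port 53" rule, which would also let in unsolicited packets, whereas the state table admits only replies to sessions the inner host actually opened. The reverse case matters too: an inbound TCP packet with ACK but no SYN aimed at the public web server passes the static rule, but the stateful firewall drops it because no handshake preceded it.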
Next Generation Firewalls
Many of the latest released firewalls are described as 'next-
generation firewalls'. However, there is no specific definition of a next-
generation firewall.
This type of firewall is usually defined as a security device combining
the features and functionalities of other firewalls. These firewalls
include deep-packet inspection (DPI), surface-level packet inspection,
TCP handshake testing, etc.
An NGFW provides higher levels of security than packet-filtering and
stateful inspection firewalls. Unlike traditional firewalls, an NGFW
monitors the entire transaction of data, including packet headers,
packet contents, and sources.
NGFWs are designed in such a way that they can prevent more
sophisticated and evolving security threats such as malware attacks,
external threats, and advanced intrusions.
2. Host Based Firewall
These are software applications installed on individual
computers or devices to control traffic to and from that
specific device.
They provide an added layer of security, especially
when devices are connected to untrusted networks.
2.8.4 Advantages of Firewalls
1. Preventing unwanted access: By restricting incoming traffic from specific IP
addresses or networks, firewalls can stop hackers and other bad actors from getting
easy access to a system or network, safeguarding against unauthorized access.
2. Prevention of malware and other threats: Firewalls can be configured to stop
traffic that is connected to known malware or other security issues, helping to
thwart these types of attacks.
3. Control of network access: Firewalls can be used to restrict access to specific
servers or applications, as well as to specific network resources or services, by
limiting access to designated persons or groups.
4. Network activity monitoring: Firewalls can be configured to log and monitor every
activity on the network.
5. Regulation compliance: Many industries are bound by rules that demand the
usage of firewalls or other security measures. Organizations can comply with these
rules and prevent any fines or penalties by using a firewall.
6. Network segmentation: By using firewalls to split up a bigger network into smaller
subnets, the attack surface is reduced and the security level is raised.
Disadvantages of using Firewall
1. Complexity: Setting up a firewall can be time-consuming
and difficult, especially for bigger networks or
companies with a wide variety of devices.
2. Limited Visibility: Firewalls can only observe and
manage traffic at the network level.
3. False sense of security: Some businesses may place
an excessive amount of reliance on their firewall and
disregard other crucial security measures like endpoint
security or intrusion detection systems.
4. Limited adaptability: Because firewalls are frequently rule-
based, they might not be able to respond to fresh security threats.
5. Performance Impact: Network performance can be significantly
impacted by firewalls, particularly when there is a lot of traffic.
6. Limited scalability: Because firewalls are only able to secure
one network, businesses that have several networks must
deploy many firewalls, which can be expensive.
7. Limited VPN support: Some firewalls might not allow complex
VPN features like split tunneling which could restrict the
experience of a remote worker.
8. Cost: Purchasing many devices or add-on features for a firewall
system can be expensive, especially for businesses.
2.9 PROXY SERVER
2.9.1 Proxy servers and its working
A proxy server is a computer on the internet that accepts incoming
requests from clients and forwards those requests to the destination server. It
works as a gateway between the end-user and the internet, playing an
intermediary role between users and the targeted websites or servers.
There are two main purposes of a proxy server:
• To keep the system behind it anonymous.
• To speed up resource access using the concept of caching.
Working mechanism of proxy server:
• Works as a gateway between clients and the internet.
[Fig. 2.22: Working of proxy server]
The proxy server accepts the request from the client and produces a
response based on the following conditions:
1. If the requested data or page exists in the local cache, the proxy
server itself provides the required data or page to the client.
2. If the requested data or page does not exist in the local cache, the
proxy server forwards that request to the destination server.
3. The proxy server transfers the reply from the destination server to the
client and also stores it in its local cache.
Therefore, it can be said that the proxy server acts as a client as well as
a server.
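The three conditions above, written out as an added example (this is not code from the original notes): a small caching forward proxy whose destination server is simulated by an in-memory dictionary and whose clock can be injected, so the cache-hit, cache-miss and expiry paths can all be exercised offline. The URLs, page contents and the 60-second lifetime are constructed values.

```python
"""Caching forward proxy decision logic (added example, runs offline)."""

import time


class OriginServer:
    """Constructed stand-in for the destination web server."""

    def __init__(self, content: dict):
        self.content = content
        self.requests = 0   # how many times the proxy had to forward a request

    def fetch(self, url: str):
        self.requests += 1
        if url not in self.content:
            return 404, ""
        return 200, self.content[url]


class CachingProxy:
    """Gateway between clients and the origin that keeps replies in a local cache."""

    def __init__(self, origin: OriginServer, ttl_seconds: float = 60.0, clock=time.monotonic):
        self.origin = origin
        self.ttl = ttl_seconds
        self.clock = clock
        self.cache = {}   # url -> (expires_at, status, body)

    def handle_request(self, url: str):
        """Returns (status, body, "HIT" or "MISS")."""
        now = self.clock()
        entry = self.cache.get(url)
        if entry is not None and entry[0] > now:
            return entry[1], entry[2], "HIT"       # condition 1: served from the local cache
        status, body = self.origin.fetch(url)      # condition 2: proxy acts as a client
        if status == 200:                          # condition 3: pass the reply on and cache it
            self.cache[url] = (now + self.ttl, status, body)
        else:
            self.cache.pop(url, None)              # never keep a failed or stale entry around
        return status, body, "MISS"


ORIGIN_CONTENT = {   # constructed sample pages
    "http://example.test/index.html": "<html>index</html>",
    "http://example.test/about.html": "<html>about</html>",
}


class FakeClock:
    """Lets the demo (and tests) move time forward without sleeping."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds: float):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    origin = OriginServer(ORIGIN_CONTENT)
    proxy = CachingProxy(origin, ttl_seconds=60, clock=clock)
    url = "http://example.test/index.html"
    print(proxy.handle_request(url)[2], "origin requests:", origin.requests)  # MISS, 1
    print(proxy.handle_request(url)[2], "origin requests:", origin.requests)  # HIT, still 1
    clock.advance(61)
    print(proxy.handle_request(url)[2], "origin requests:", origin.requests)  # MISS, 2
```

Only successful replies are cached and every entry carries an expiry time; without the expiry a proxy would keep serving a page long after the origin changed it, which is the usual complaint about caching proxies. The origin's request counter makes the speed-up visible: repeated requests within the lifetime never leave the proxy.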
2.9.2 Types of proxy servers
1. Open or Forward Proxy Server:
A forward proxy server is an intermediary that receives requests
from web clients and then visits the destination sites to collect the requested
information. After collecting the data from the sites, it forwards the data to the
internet users directly. It bypasses the firewall set up by the authorities.

2. Reverse Proxy Server:
It is a proxy server that is installed in front of multiple other
internal resources. It validates and processes a transaction in such a way that
the clients do not communicate with those resources directly. The most popular reverse proxies are
Varnish and Squid.
[Fig. 2.23: Forward Proxy V/s Reverse proxy]
3. Transparent Proxy:
It is a proxy server that does not modify the request or response
beyond what is required for proxy authentication and identification. It
works on port 80.
4. Non-Transparent Proxy:
It is an intermediary that alters the request or response to offer some
additional services to the client. Web requests are
sent directly to the proxy regardless of
the server from which they originated.
5. Web Proxy Server:
A proxy server targeted at the WWW is called a web proxy server.
6. Public Proxy:
A public proxy is available free of cost. It is suitable for users for whom cost is a major
concern while security and speed are not. Its speed is usually slow. Using a public proxy puts the
user at high risk because the information can be accessed by others on the internet.
7. Residential Proxy:
It assigns an IP address to a specific device. All requests made by the client are channelled through
that device. It is ideal for users who want to verify the ads that are displayed on their websites. Using
a residential proxy server, we can block unwanted and suspicious ads from competitors. In
comparison to other proxy servers, the residential proxy server is more reliable.
8. HTTP Proxy:
HTTP proxies are proxy servers that are used to save cached copies of browsed websites.
This saves time and enhances speed because the cached files reside in local memory. If the user
wants to access the same file again, the proxy itself provides the file without actually browsing
the pages.
2.9.3 Need for using proxy servers
• It reduces the chances of data breaches.
• It adds a layer of security between the server and outside traffic.
• It also protects from hackers.
• It filters the requests.
• It improves the security and enhances the privacy of the user.
• It hides the identity (IP address) of the user.
• It controls the traffic and prevents crashes.