Unit 3.pptx-1

This document discusses various types of firewalls and their importance in network security, including their functions, advantages, and disadvantages. Firewalls serve as barriers to protect internal networks from external threats, enforce security policies, and monitor traffic. It covers packet filtering, stateful inspection, proxy firewalls, next-generation firewalls, circuit-level gateways, and cloud-based firewalls, highlighting their roles in safeguarding sensitive data and ensuring compliance with security regulations.


UNIT 3

Network Security Measures


Firewalls - Introduction

► A firewall forms a barrier through which the traffic going in each
direction must pass. A firewall security policy dictates which traffic is
authorized to pass in each direction.
► A firewall may be designed to operate as a filter at the level of IP
packets, or may operate at a higher protocol layer.
► Firewalls can be an effective means of protecting a local system or
network of systems from network-based security threats while at the
same time affording access to the outside world via wide area
networks and the Internet.
The Need for Firewalls
► 1. General Need for Firewalls
Firewalls serve as a critical component of cybersecurity by acting as a barrier between
trusted internal networks and untrusted external networks (such as the internet). Their
primary purpose is to monitor and filter incoming and outgoing network traffic based on
predefined security rules. Key reasons why firewalls are essential include:
• Protection Against Unauthorized Access: Prevents hackers and malicious actors from
gaining access to personal or sensitive data.
• Threat Mitigation: Blocks malware, ransomware, and other cyber threats before they
infiltrate a system.
• Traffic Monitoring and Filtering: Allows only legitimate traffic while blocking suspicious or
harmful data packets.
• Data Security and Privacy: Ensures confidential information is protected from
cyberattacks and unauthorized access.
► 2. Need for Firewalls in Organizations
Organizations deal with large amounts of sensitive data, making them prime targets for
cyber threats. Firewalls are crucial in enterprise security strategies for the following
reasons:
• Network Segmentation: Prevents lateral movement of attackers by restricting access
between departments or user groups.
• Regulatory Compliance: Helps businesses meet legal and industry-specific security
standards such as GDPR, HIPAA, and PCI-DSS.
• Prevention of Data Breaches: Blocks unauthorized data transfers and detects
anomalies in network activity.
• Remote Work Security: Ensures secure access to corporate networks through VPN
integration.
• Protection Against Insider Threats: Controls internal user access to prevent accidental
or intentional data leaks.
Firewall Characteristics
[BELL94b] lists the following design goals for a firewall:
► 1. All traffic from inside to outside, and vice versa, must pass through the
firewall. This is achieved by physically blocking all access to the local
network except via the firewall. Various configurations are possible, as
explained later in this chapter.
► 2. Only authorized traffic, as defined by the local security policy, will be
allowed to pass. Various types of firewalls are used, which implement
various types of security policies, as explained later in this chapter.
► 3. The firewall itself is immune to penetration. This implies the use of a
hardened system with a secured operating system. Trusted computer
systems are suitable for hosting a firewall and often required in
government applications.
► [SMIT97] lists four general techniques that firewalls use to control access and
enforce the site’s security policy. Originally, firewalls focused primarily on service
control, but they have since evolved to provide all four:
► Service control: Determines the types of Internet services that can be accessed,
inbound or outbound. The firewall may filter traffic on the basis of IP address,
protocol, or port number; may provide proxy software that receives and interprets
each service request before passing it on; or may host the server software itself,
such as a Web or mail service.
► Direction control: Determines the direction in which particular service requests
may be initiated and allowed to flow through the firewall.
► User control: Controls access to a service according to which user is attempting to
access it. This feature is typically applied to users inside the firewall perimeter
(local users). It may also be applied to incoming traffic from external users; the
latter requires some form of secure authentication technology, such as is
provided in IPsec (Chapter 8).
► Behavior control: Controls how particular services are used. For example, the
firewall may filter e-mail to eliminate spam, or it may enable external access to
only a portion of the information on a local Web server.
Fundamental Role of Firewalls in
Network Defense
► 1. Traffic Monitoring and Filtering
• Inspects incoming and outgoing network packets based on predefined security rules.
• Blocks malicious or suspicious traffic while allowing legitimate communications.
► 2. Access Control and Policy Enforcement
• Restricts access to sensitive resources based on user roles, IP addresses, or network zones.
• Implements least privilege principles to minimize attack surfaces.
► 3. Threat Prevention and Mitigation
• Protects against common cyber threats such as malware, phishing, ransomware, and
denial-of-service (DoS) attacks.
• Advanced firewalls (Next-Generation Firewalls) integrate intrusion prevention systems
(IPS) to detect and block real-time threats.
► 4. Network Segmentation and Isolation
• Divides networks into secure zones (e.g., internal, external, and DMZ) to prevent
lateral movement of attackers.
• Enhances security by limiting the spread of breaches within an organization.
► 5. Logging and Monitoring for Incident Response
• Keeps detailed logs of network activity for security analysis and auditing.
• Helps security teams identify potential threats and take proactive measures.
By integrating firewalls into a multi-layered security strategy, organizations can
significantly reduce cyber risks, ensure compliance with security regulations, and
maintain the integrity and confidentiality of their data.
Packet Filtering
► A packet filtering firewall applies a set of rules to each incoming and outgoing IP packet
and then forwards or discards the packet. The firewall is typically configured to filter
packets going in both directions (from and to the internal network). Filtering rules are
based on information contained in a network packet:
• Source IP address: The IP address of the system that originated the IP packet (e.g.,
192.178.1.1)
• Destination IP address: The IP address of the system the IP packet is trying to reach (e.g.,
192.168.1.2)
► • Source and destination transport-level address: The transport-level (e.g., TCP or UDP)
port number, which defines applications such as SNMP or TELNET
► • IP protocol field: Defines the transport protocol
► • Interface: For a firewall with three or more ports, which interface of the firewall the
packet came from or which interface of the firewall the packet is destined for
► The packet filter is typically set up as a list of rules based on matches to fields in the IP or
TCP header. If there is a match to one of the rules, that rule is invoked to determine
whether to forward or discard the packet. If there is no match to any rule, then a default
action is taken. Two default policies are possible:
► Default = discard: That which is not expressly permitted is prohibited.
► Default = forward: That which is not expressly prohibited is permitted.
The default discard policy is more conservative. Initially, everything is blocked, and services
must be added on a case-by-case basis. This policy is more visible to users, who are more
likely to see the firewall as a hindrance. However, this is the policy likely to be preferred by
businesses and government organizations. Further, visibility to users diminishes as rules are
created. The default forward policy increases ease of use for end users but provides
reduced security; the security administrator must, in essence, react to each new security
threat as it becomes known. This policy may be used by generally more open organizations,
such as universities.
General Model of Firewall
Packet Filtering Firewall
Advantages
• Fast and Efficient – Minimal processing overhead compared to more
advanced firewalls.
• Simple to Configure – Uses basic rules based on IP addresses, ports,
and protocols.
• Low Cost – Available in many routers and network devices as a
built-in feature.
Disadvantages
• Limited Security – Cannot inspect packet payloads, so application-layer
attacks pass through unseen; and because it keeps no connection state,
it is vulnerable to IP address spoofing and to forged packets that
merely look like replies.
• No User Authentication – Cannot differentiate between legitimate and
malicious users.
• Difficult to Manage in Large Networks – Rule sets become complex as
network size increases.
Example rule
Suppose an organization wants to block all traffic arriving from the host
192.168.1.100 but allow hosts on the inside to initiate traffic to it. The
rules might look like:
Deny Rule: Block incoming traffic from 192.168.1.100 to any destination.
Allow Rule: Permit outgoing traffic from any source to 192.168.1.100.
Note that a stateless packet filter judges every packet on its own: with only
these two rules, the replies 192.168.1.100 sends to the permitted outbound
connections are discarded by the deny rule as well. A further rule is needed
that admits return traffic (for TCP, typically segments from that host with
the ACK flag set). Such a rule cannot tell a genuine reply from a forged ACK,
which is exactly the gap that stateful inspection closes.
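The example rule above, carried through as an added Python model of a stateless packet filter (illustration code, not from the slides or any product): a first-match rule list with a default-discard policy, run once with the two rules as stated and once with the extra ACK rule a stateless filter needs so that replies to permitted outbound connections get through. The Packet and Rule classes, the addresses and the ports are assumptions made for the example; the filter looks only at header fields, never at payload.

```python
"""Stateless packet filter: first-match rule list with an explicit default policy.
Added example (not the slides' own code). Addresses and rules are constructed
for illustration; only header fields are inspected, never the payload."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str           # source IP address
    dst: str           # destination IP address
    proto: str         # "tcp", "udp" or "icmp"
    sport: int         # source port (0 for icmp)
    dport: int         # destination port (0 for icmp)
    direction: str     # "in" (arriving from outside) or "out" (leaving)
    ack: bool = False  # TCP ACK flag: set on every segment after the initial SYN


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    direction: Optional[str] = None  # None matches either direction
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None       # require (True) / forbid (False) the ACK flag; None = don't care

    def matches(self, p: Packet) -> bool:
        return (
            (self.direction is None or self.direction == p.direction)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (self.proto is None or self.proto == p.proto)
            and (self.dport is None or self.dport == p.dport)
            and (self.ack is None or self.ack == p.ack)
        )


class PacketFilter:
    """Walk the rules in order; the first match decides; otherwise apply the default."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        assert default in ("allow", "deny")
        self.rules, self.default = rules, default

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default


# The slide's two rules: block everything arriving from 192.168.1.100, permit
# traffic leaving towards it. Default = discard (not expressly permitted is prohibited).
SLIDE_RULES = [
    Rule("deny", direction="in", src="192.168.1.100/32"),
    Rule("allow", direction="out", dst="192.168.1.100/32"),
]

# The same policy plus the rule a stateless filter needs so that replies to the
# permitted outbound connections survive the deny rule: admit TCP segments from
# that host only when ACK is set, i.e. never a bare SYN that would open a session.
RETURN_TRAFFIC_RULES = [
    Rule("allow", direction="in", src="192.168.1.100/32", proto="tcp", ack=True),
    Rule("deny", direction="in", src="192.168.1.100/32"),
    Rule("allow", direction="out", dst="192.168.1.100/32"),
]


def demo() -> dict:
    """Run representative packets through both rule sets and return the verdicts."""
    out_syn = Packet("10.0.0.5", "192.168.1.100", "tcp", 40000, 443, "out")
    reply = Packet("192.168.1.100", "10.0.0.5", "tcp", 443, 40000, "in", ack=True)
    probe_syn = Packet("192.168.1.100", "10.0.0.5", "tcp", 50000, 22, "in")
    stranger = Packet("198.51.100.9", "10.0.0.5", "tcp", 50000, 22, "in")
    strict = PacketFilter(SLIDE_RULES, default="deny")
    fixed = PacketFilter(RETURN_TRAFFIC_RULES, default="deny")
    return {
        "slide_rules": {
            "outbound": strict.decide(out_syn),
            "reply": strict.decide(reply),            # discarded: nothing admits return traffic
            "inbound_syn": strict.decide(probe_syn),
        },
        "with_ack_rule": {
            "outbound": fixed.decide(out_syn),
            "reply": fixed.decide(reply),             # now admitted
            "inbound_syn": fixed.decide(probe_syn),   # still blocked: no ACK on a bare SYN
            "unlisted_host": fixed.decide(stranger),  # no rule matches: default policy applies
        },
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

The ACK-flag rule is itself a known weakness of stateless filtering: any inbound segment from that host with ACK set is admitted, including an ACK-scan probe that was never part of a connection, because the filter has no record of which connections the inside actually opened.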

Use Cases of Packet Filtering Firewalls
• Basic security in routers and switches.
• Protecting internal networks from unauthorized external access.
• Used in small networks where complex filtering isn't required.
Stateful Inspection Firewall
► A Stateful Inspection Firewall (also called a Dynamic Packet Filtering
Firewall) is an advanced type of firewall that monitors active
connections and tracks the state of network traffic. It operates at the
Network Layer (Layer 3) and Transport Layer (Layer 4) of the OSI
Model but can also inspect some data at the Application Layer
(Layer 7).
HOW IT WORKS
1. When a packet arrives, the firewall inspects:
• Source and Destination IP addresses
• Source and Destination Port numbers
• Protocol type (TCP, UDP, ICMP, etc.)
• Connection state (New, Established, Related, or Invalid)
2. Maintains a State Table
• The firewall keeps track of active connections in a state table, keyed by
source and destination address and port and by protocol.
• Each entry records the connection's current state and is removed when the
connection closes or sits idle past a timeout.
3. Validates Packets Against Connection State
• If a packet would open a new connection, the firewall checks the security rules
before allowing it and, if allowed, adds an entry to the state table.
• If a packet is part of an existing session, it is allowed without re-evaluating
the full rule set.
• If a packet is neither part of an active connection nor permitted as a new one
(for example, an unsolicited inbound "reply" with no matching request), it is
blocked.
Advantages of Stateful Inspection Firewalls
► More Secure than Packet Filtering – Tracks connection states,
reducing the risk of spoofing and unauthorized access.
► Improved Performance – Once a connection is established, subsequent
packets are matched against the state table instead of the full rule set.
► Prevents Unsolicited Traffic – Blocks packets that do not match
existing connections.
Disadvantages
► Higher Resource Usage – Requires more memory and CPU to
maintain connection states.
► Vulnerable to DDoS Attacks – Attackers can flood the firewall with
fake connection requests (e.g., a SYN flood) to fill the state table and
exhaust resources.
► Complex Configuration – Managing stateful rules for large
networks can be challenging.
► Example of Stateful Inspection in Action
1. A user at 192.168.1.10 sends a request to a web server at 203.0.113.5
on port 80.
2. The firewall creates an entry in the state table marking this connection as
active.
3. When the web server responds, the firewall checks the state table and
allows the response.
4. If an unknown IP tries to send a response, the firewall blocks it since there
is no matching request.
► Use Cases of Stateful Inspection Firewalls
• Corporate Networks – Protects internal systems from unauthorized access.
• Data Centers – Secures active connections between servers and clients.
• Cloud Environments – Used in cloud-based security solutions.
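The four-step exchange above, carried through as an added Python model of a state table (illustration code, not from the slides or any product): the outbound SYN creates an entry, the SYN-ACK and ACK are matched against it, a forged reply from a different host and an outside-initiated SYN are dropped, and a deliberately tiny table shows the resource-exhaustion weakness listed under Disadvantages together with idle-timeout cleanup and RST teardown. The addresses, the inside network, the table size and the timeout are assumptions; only TCP over IPv4 is modelled.

```python
"""Stateful inspection modelled as a connection table (added example, not the
slides' own code; only TCP over IPv4 is modelled). Addresses, the inside
network, the table size and the idle timeout are assumptions for the demo."""
import time
from collections import OrderedDict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


FlowKey = Tuple[str, int, str, int]  # (client ip, client port, server ip, server port)


class StatefulFirewall:
    def __init__(self, inside: str, max_entries: int = 4, idle_timeout: float = 60.0):
        self.inside = ip_network(inside)
        self.max_entries = max_entries
        self.idle_timeout = idle_timeout
        # flow key -> (state, last-seen timestamp); insertion order keeps the oldest first
        self.table: "OrderedDict[FlowKey, Tuple[str, float]]" = OrderedDict()

    def _lookup(self, p: Packet, now: float) -> Optional[FlowKey]:
        """Purge idle entries, then find the flow this packet belongs to in either direction."""
        for key in list(self.table):
            if now - self.table[key][1] > self.idle_timeout:
                del self.table[key]
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if forward in self.table:
            return forward
        if reverse in self.table:
            return reverse
        return None

    def decide(self, p: Packet, now: Optional[float] = None) -> str:
        now = time.monotonic() if now is None else now
        key = self._lookup(p, now)
        if key is not None:
            state, _ = self.table[key]
            if p.rst or (p.fin and state == "FIN_WAIT"):
                del self.table[key]  # teardown frees the slot
                return "allow"
            new_state = "FIN_WAIT" if p.fin else ("ESTABLISHED" if p.ack else state)
            self.table[key] = (new_state, now)
            self.table.move_to_end(key)
            return "allow"  # part of a tracked session: the rule set is not re-evaluated
        # Untracked packet: the policy admits only NEW connections opened from inside.
        if p.syn and not p.ack and ip_address(p.src) in self.inside:
            if len(self.table) >= self.max_entries:
                return "drop:table-full"  # the resource-exhaustion (SYN flood) weakness
            self.table[(p.src, p.sport, p.dst, p.dport)] = ("SYN_SENT", now)
            return "allow"
        return "drop:no-state"  # unsolicited inbound, or a non-SYN with no session


def demo() -> Dict[str, object]:
    """Replay the slides' exchange plus a forged reply, an outside-initiated SYN,
    a full table, idle-timeout cleanup and a RST teardown."""
    fw = StatefulFirewall("192.168.1.0/24", max_entries=2)
    t = 1000.0
    syn = Packet("192.168.1.10", "203.0.113.5", 51000, 80, syn=True)
    syn_ack = Packet("203.0.113.5", "192.168.1.10", 80, 51000, syn=True, ack=True)
    ack = Packet("192.168.1.10", "203.0.113.5", 51000, 80, ack=True)
    forged = Packet("198.51.100.7", "192.168.1.10", 80, 51000, ack=True)  # "reply" from a stranger
    inbound = Packet("203.0.113.5", "192.168.1.10", 80, 51001, syn=True)  # outside-initiated
    r: Dict[str, object] = {
        "syn": fw.decide(syn, t),
        "syn_ack": fw.decide(syn_ack, t + 0.1),
        "ack": fw.decide(ack, t + 0.2),
        "state": fw.table[("192.168.1.10", 51000, "203.0.113.5", 80)][0],
        "forged_reply": fw.decide(forged, t + 0.3),
        "outside_initiated": fw.decide(inbound, t + 0.4),
    }
    # Two more inside hosts open connections; the second one overflows the 2-entry table.
    r["second_new"] = fw.decide(Packet("192.168.1.11", "203.0.113.5", 52000, 443, syn=True), t + 1)
    r["third_new"] = fw.decide(Packet("192.168.1.12", "203.0.113.5", 53000, 443, syn=True), t + 2)
    # After the idle timeout the stale entries are purged and the same SYN fits.
    r["after_timeout"] = fw.decide(Packet("192.168.1.12", "203.0.113.5", 53000, 443, syn=True), t + 200)
    # A RST from the server tears the flow down and frees its entry.
    r["teardown"] = fw.decide(Packet("203.0.113.5", "192.168.1.12", 443, 53000, rst=True), t + 201)
    r["entries_left"] = len(fw.table)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>18}: {v}")
```

Real products size the table in the millions of entries and add SYN-cookie or rate-limiting defences, but the failure mode is the same one shown with two entries: once the table is full, legitimate new connections are refused until entries age out.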
Proxy Firewall

► A Proxy Firewall, also known as an Application Layer
Firewall, acts as an intermediary between users and the
internet. Instead of allowing direct communication
between the internal network and external servers, the
proxy firewall processes requests on behalf of the user.
► It operates at the Application Layer (Layer 7) of the OSI
model, meaning it can inspect, filter, and modify web
requests before forwarding them.
How it works
Types of Proxy Firewalls
► Forward Proxy
• Protects internal users from external threats.
• Used in corporate networks to control employee internet access.
• Example: Squid Proxy, Blue Coat ProxySG
► Reverse Proxy
• Protects web servers from external attacks.
• Hides the real IP address of internal servers.
• Example: NGINX, Apache Reverse Proxy
► Advantages of Proxy Firewalls
• Hides Internal Network Details – Prevents attackers from knowing
the real IP addresses of internal systems.
• Deep Packet Inspection (DPI) – Can filter traffic based on URLs,
keywords, and file types.
• Prevents Direct Attacks – Blocks malicious requests before they
reach internal systems.
• Improves Performance – Can cache frequently accessed web
content, reducing bandwidth usage.
► Disadvantages of Proxy Firewalls
• Slower Performance – Processing each request adds latency.
• Complex Configuration – Requires proper setup to balance security
and usability.
• Limited Support for Some Applications – Certain protocols and
applications may not work correctly behind a proxy.
► Use Cases of Proxy Firewalls
• Corporate Security – Restricts employee access to certain websites
and prevents data leaks.
• Web Server Protection – Shields backend servers from direct attacks.
• Content Filtering – Blocks harmful or inappropriate content in
educational institutions and workplaces.
► A proxy firewall provides strong security at the application level,
making it ideal for web filtering, data protection, and preventing
cyber threats like malware and phishing attacks. However, for
modern security needs, organizations often combine proxy firewalls
with Next-Generation Firewalls (NGFWs) for better overall protection.
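An added Python sketch of the application-layer decisions described above (illustration code, not Squid, ProxySG, NGINX or any other product): a forward proxy parses the complete HTTP request and applies a policy on method, host, file extension, body length and body keywords, which a packet filter working on headers alone cannot do; a second function shows the header scrubbing a reverse proxy performs to hide the origin server. The policy, the host names and the sample requests are constructed for the example.

```python
"""Application-layer filtering as a forward proxy sees it (added example, not the
slides' or any product's code). The policy, host names and sample requests are
constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


@dataclass
class ProxyPolicy:
    allowed_methods: set = field(default_factory=lambda: {"GET", "POST", "HEAD"})
    blocked_hosts: set = field(default_factory=set)               # exact host names
    blocked_extensions: set = field(default_factory=set)          # e.g. ".exe"
    blocked_keywords: List[bytes] = field(default_factory=list)   # crude data-leak check on bodies
    max_body: int = 1_000_000


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into method, target, headers (lower-cased names) and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("iso-8859-1").split("\r\n")
    try:
        method, target, version = lines[0].split(" ")
    except ValueError:
        raise ValueError("malformed request line") from None
    if not version.startswith("HTTP/1."):
        raise ValueError("unsupported version")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def inspect(raw: bytes, policy: ProxyPolicy) -> str:
    """Return 'forward' or 'block:<reason>' for a client request arriving at the forward proxy."""
    try:
        method, target, headers, body = parse_request(raw)
    except ValueError as e:
        return f"block:{e}"
    if method not in policy.allowed_methods:
        return "block:method"
    # Requests to a proxy carry an absolute URI; fall back to the Host header otherwise.
    parts = urlsplit(target if "://" in target else "http://" + headers.get("host", "") + target)
    host = (parts.hostname or "").lower()
    if not host or host in policy.blocked_hosts:
        return "block:host"
    path = parts.path.lower()
    if any(path.endswith(ext) for ext in policy.blocked_extensions):
        return "block:file-type"
    declared = int(headers.get("content-length", "0") or 0)
    if declared != len(body) or declared > policy.max_body:
        return "block:body-length"  # never forward a length that disagrees with the body
    if any(kw in body for kw in policy.blocked_keywords):
        return "block:keyword"
    return "forward"


def scrub_response_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Reverse-proxy side: drop headers that reveal the origin server's software or identity."""
    return {k: v for k, v in headers.items()
            if k.lower() not in {"server", "x-powered-by", "x-backend-server"}}


POLICY = ProxyPolicy(
    blocked_hosts={"malware.example", "pastebin.example"},
    blocked_extensions={".exe", ".scr"},
    blocked_keywords=[b"CONFIDENTIAL", b"-----BEGIN RSA PRIVATE KEY-----"],
)

SAMPLES = {  # constructed requests, as a browser would send them to a forward proxy
    "normal": b"GET http://docs.example/index.html HTTP/1.1\r\nHost: docs.example\r\n\r\n",
    "bad_host": b"GET http://malware.example/ HTTP/1.1\r\nHost: malware.example\r\n\r\n",
    "exe": b"GET http://cdn.example/tool.EXE HTTP/1.1\r\nHost: cdn.example\r\n\r\n",
    "leak": b"POST http://pastebin.example/upload HTTP/1.1\r\nHost: pastebin.example\r\n"
            b"Content-Length: 17\r\n\r\nCONFIDENTIAL data",
    "dlp": b"POST http://share.example/upload HTTP/1.1\r\nHost: share.example\r\n"
           b"Content-Length: 17\r\n\r\nCONFIDENTIAL data",
    "connect": b"CONNECT evil.example:443 HTTP/1.1\r\nHost: evil.example:443\r\n\r\n",
    "bad_length": b"POST http://share.example/u HTTP/1.1\r\nHost: share.example\r\n"
                  b"Content-Length: 5\r\n\r\nabcdefgh",
}


def demo() -> Dict[str, str]:
    return {name: inspect(raw, POLICY) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>11}: {verdict}")
```

The keyword check is what the slides call "preventing data leaks": it only works because the proxy terminates the client's connection and sees the body in clear, which is also why TLS traffic must be intercepted (with a proxy CA trusted by the clients) before such filtering applies to HTTPS.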
Next Gen Firewalls

► Next Generation Firewalls are advanced security devices that go
beyond the capabilities of traditional firewalls. While traditional
firewalls primarily focus on packet filtering and stateful inspection,
NGFWs incorporate additional features such as deep packet
inspection, intrusion prevention systems (IPS), and application
awareness. This multi-layered approach allows organizations to
detect and respond to threats more effectively.
Circuit Level Gateway Firewall
► A Circuit Level Gateway Firewall operates at the transport layer of the OSI model,
providing a secure communication channel between trusted and untrusted networks.
This section covers the functionality, advantages, and limitations of circuit level
gateway firewalls, as well as their role in modern network security architectures.
► Circuit level gateway firewalls manage the connections between trusted and
untrusted networks by monitoring session establishment and maintaining the state of
each connection. Unlike packet filtering firewalls, which inspect individual packets,
circuit level gateways focus on the context of the communication session, making
them more efficient in certain scenarios.
Functionality
► A circuit level gateway does not permit an end-to-end TCP connection. Instead it
sets up two connections: one between itself and the inside client, and one between
itself and the outside server. When a connection request is made, the gateway
verifies that the session is permitted (typically on the basis of source and
destination address, port, and the state of the TCP handshake) and, once both
connections are established, relays segments from one to the other without
inspecting the payload of each packet. SOCKS is the best-known example of this
design. This method enhances performance while still providing a level of security.
► Advantages
1. Performance: Circuit level gateways can handle high volumes of traffic with minimal
latency due to their session-based approach.
2. Simplicity: They are generally easier to configure and manage compared to more
complex firewalls, such as application layer firewalls.
3. Stateful Inspection: By maintaining the state of connections, these firewalls can
provide a higher level of security than simple packet filters.
► Limitations
1. Limited Inspection: Circuit level gateways do not inspect the content of the packets,
which can leave them vulnerable to certain types of attacks, such as application
layer attacks.
2. Protocol Dependency: They are primarily effective for TCP and UDP traffic, which
may limit their applicability in environments using other protocols.
3. No Application Layer Security: For applications requiring deep packet inspection or
specific application-level security measures, circuit level gateways may not be
sufficient.
Cloud-Based Firewall
(Firewall-as-a-Service, FWaaS)
► In today's digital landscape, the need for robust cybersecurity
measures has never been more critical. Cloud-Based Firewall,
commonly referred to as Firewall-as-a-Service (FWaaS), offers
organizations a scalable and efficient solution to protect their
networks and data from cyber threats. This document explores the
concept of FWaaS, its benefits, and how it differs from traditional
firewall solutions.
► Firewall-as-a-Service (FWaaS) is a cloud-based security solution that
provides organizations with firewall capabilities without the need for
on-premises hardware. FWaaS is delivered as a subscription service,
allowing businesses to leverage advanced security features while
reducing the complexity and cost associated with maintaining
physical firewall appliances.
Benefits
• Reduced Complexity: Organizations can offload the management
of firewall infrastructure to the service provider, allowing internal IT
teams to focus on other critical tasks.
• Enhanced Security: FWaaS solutions are often updated
automatically, ensuring that organizations benefit from the latest
security features and threat intelligence.
• Improved Performance: Cloud-based firewalls can provide better
performance through load balancing and optimized traffic
management.
• Compliance: Many FWaaS providers offer features that help
organizations meet regulatory compliance requirements, such as
data protection and privacy laws.
Comparing FWaaS to Traditional
Firewalls
► While traditional firewalls require physical hardware and on-premises
management, FWaaS operates entirely in the cloud. This
fundamental difference leads to several advantages for FWaaS,
including:
• Lower Upfront Costs: Traditional firewalls often require significant
capital investment, whereas FWaaS typically operates on a
pay-as-you-go model.
• Flexibility: FWaaS can adapt to changing business needs more
easily than traditional firewalls, which may require hardware
upgrades or replacements.
• Automatic Updates: FWaaS providers handle updates and
maintenance, ensuring that security measures are always current
without requiring manual intervention.
Intrusion Detection System
An intrusion detection system (IDS) is a network security tool that monitors network
traffic and devices for known malicious activity, suspicious activity or security policy
violations.

An IDS can help accelerate and automate network threat detection by alerting
security administrators to known or potential threats, or by sending alerts to a
centralized security tool. A centralized security tool such as a security information
and event management (SIEM) system can combine data from other sources to
help security teams identify and respond to cyberthreats that might slip by other
security measures.
Types
There are two main types of IDS:
1. Network-Based Intrusion Detection System (NIDS):
• Monitors network traffic for suspicious activity.
• Analyzes data packets flowing across the network.
• Typically deployed at strategic points within the network to capture
traffic.
2. Host-Based Intrusion Detection System (HIDS):
• Monitors a single host or device for suspicious activity.
• Analyzes system logs, file integrity, and user activities.
• Provides detailed insights into the behavior of individual systems.
Working Mechanism
Intrusion Prevention System

► An Intrusion Prevention System (IPS) is a crucial component of
modern cybersecurity strategies, designed to detect and prevent
potential threats to network security in real-time. This section
covers the fundamental aspects of IPS, including its functionalities,
types, and the importance of implementing such systems in
safeguarding sensitive data and maintaining the integrity of network
infrastructures.
► An Intrusion Prevention System is a network security technology that
monitors network traffic for suspicious activity and takes action to
prevent potential threats. Unlike Intrusion Detection Systems (IDS),
which only alert administrators about potential threats, an IPS
actively blocks or mitigates these threats in real-time, providing a
more proactive approach to network security.
Key Functions of an IPS
1. Traffic Monitoring: An IPS continuously analyzes network traffic to identify
patterns that may indicate malicious activity.
2. Threat Detection: Utilizing various detection methods, including
signature-based, anomaly-based, and stateful protocol analysis, an IPS
can identify known and unknown threats.
3. Automated Response: Upon detecting a threat, an IPS can
automatically take predefined actions, such as blocking traffic from a
malicious source or terminating a harmful session.
4. Logging and Reporting: An IPS maintains logs of detected threats and
responses, providing valuable data for security audits and compliance.
5. Integration with Other Security Tools: An IPS can work in conjunction with
firewalls, antivirus software, and other security measures to enhance
overall network protection.
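The detection methods listed above (signature-based and anomaly-based) and the IDS-versus-IPS distinction, as an added Python example (illustration code, not from the slides or any product): one engine is run over a constructed stream of events twice, in IDS mode, where it only records alerts and lets the traffic through, and in IPS mode, where the same detection also blocks the offending source for the rest of the stream. The signatures, the port-scan threshold and window, the addresses and the event stream are all assumptions made for the example.

```python
"""Signature plus anomaly detection over a constructed event stream, run in IDS
mode (alert only) and IPS mode (alert and block). Added example, not the slides'
or any product's code; signatures, thresholds and sample events are assumptions."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: float  # seconds
    src: str
    dst: str
    dport: int
    payload: bytes = b""


# Signature-based detection: patterns of known attacks (constructed for the example).
SIGNATURES = [
    ("sqli-union", re.compile(rb"(?i)union\s+select")),
    ("path-traversal", re.compile(rb"\.\./\.\./")),
    ("shellshock", re.compile(rb"\(\)\s*\{\s*:;\s*\};")),
]


@dataclass
class Engine:
    mode: str = "ids"           # "ids": alert only; "ips": alert and block the source
    scan_window: float = 10.0   # anomaly: distinct destination ports per source in this window
    scan_threshold: int = 5
    alerts: List[Tuple[float, str, str]] = field(default_factory=list)  # (ts, src, reason)
    blocked: Set[str] = field(default_factory=set)
    _ports: Dict[str, Deque[Tuple[float, int]]] = field(default_factory=lambda: defaultdict(deque))

    def _alert(self, ev: Event, reason: str) -> str:
        self.alerts.append((ev.ts, ev.src, reason))
        if self.mode == "ips":
            self.blocked.add(ev.src)  # automated response: drop this and later traffic from src
            return "block"
        return "alert"

    def process(self, ev: Event) -> str:
        """Return 'pass', 'alert' (IDS) or 'block' (IPS) for one event."""
        if ev.src in self.blocked:
            return "block"
        for name, pattern in SIGNATURES:
            if pattern.search(ev.payload):
                return self._alert(ev, f"signature:{name}")
        # Anomaly-based detection: too many distinct ports from one source inside the window.
        hist = self._ports[ev.src]
        hist.append((ev.ts, ev.dport))
        while hist and ev.ts - hist[0][0] > self.scan_window:
            hist.popleft()
        if len({p for _, p in hist}) >= self.scan_threshold:
            hist.clear()
            return self._alert(ev, "anomaly:port-scan")
        return "pass"


def sample_events() -> List[Event]:
    """Constructed traffic: normal requests, an injection attempt, a fast sweep, a slow sweep."""
    evs = [
        Event(0.0, "10.0.0.8", "203.0.113.5", 80, b"GET /index.html HTTP/1.1"),
        Event(1.0, "10.0.0.8", "203.0.113.5", 80, b"GET /search?q=shoes HTTP/1.1"),
        Event(2.0, "198.51.100.4", "203.0.113.5", 80, b"GET /item?id=1 UNION SELECT password FROM users"),
        Event(3.0, "198.51.100.4", "203.0.113.5", 80, b"GET /index.html HTTP/1.1"),
    ]
    # Fast sweep: six ports in three seconds trips the threshold on the fifth port.
    evs += [Event(4.0 + i * 0.5, "198.51.100.9", "203.0.113.5", port)
            for i, port in enumerate([21, 22, 23, 25, 80, 443])]
    # Slow sweep: the same kind of probing spread wider than the window stays under the radar.
    evs += [Event(100.0 + i * 30.0, "198.51.100.10", "203.0.113.5", port)
            for i, port in enumerate([21, 22, 23, 25, 80])]
    return evs


def run(mode: str) -> Tuple[List[str], List[Tuple[float, str, str]]]:
    """Feed the sample stream through a fresh engine; return per-event verdicts and the alerts."""
    eng = Engine(mode=mode)
    verdicts = [eng.process(ev) for ev in sample_events()]
    return verdicts, eng.alerts


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        verdicts, alerts = run(mode)
        print(mode, verdicts)
        for ts, src, reason in alerts:
            print(f"  t={ts:6.1f} {src:<14} {reason}")
```

The slow-sweep events illustrate the usual trade-off of anomaly thresholds: a window short enough to keep the state table small also lets a patient scanner through, which is why real sensors keep per-source counters over longer horizons and correlate them in a SIEM.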
Types of Intrusion Prevention Systems
1. Network-based IPS (NIPS): Deployed at strategic points within
the network, NIPS monitors traffic to and from all devices on the
network.
2. Host-based IPS (HIPS): Installed on individual devices, HIPS
monitors the behavior of applications and system calls to
detect malicious activity.
3. Wireless IPS (WIPS): Specifically designed to monitor wireless
networks for unauthorized access and attacks.
Importance of Implementing IPS
• Enhanced Security: An IPS provides an additional layer of defense
against cyber threats, reducing the risk of data breaches and
unauthorized access.
• Real-time Protection: By actively monitoring and responding to threats,
an IPS helps organizations mitigate risks before they escalate into serious
incidents.
• Compliance: Many regulatory frameworks require organizations to
implement security measures like IPS to protect sensitive data, ensuring
compliance with industry standards.
• Cost-Effective: Preventing security incidents can save organizations
significant costs associated with data breaches, including legal fees,
fines, and reputational damage.
Difference between Firewall, IDS and IPS