Module-1: Information Security Devices

The document discusses various types of information security devices that filter network traffic at the application layer. It describes application firewalls, which perform stateful protocol analysis to identify deviations from protocol standards. It also covers application proxy gateways, which require all traffic to pass through a proxy agent, allowing deeper content inspection. Finally, it mentions dedicated proxy servers and web application firewalls, which provide specialized filtering of specific services like HTTP.

Uploaded by sendhilks

Module-1

Information Security Devices


Application Firewall
• Application firewall (AF) devices perform a stateful protocol
analysis of the application layer.
• They support numerous common protocols, such as HTTP, SQL, e-mail
services (SMTP, POP3 and IMAP), VoIP and XML.
• Stateful protocol analysis relies on predefined profiles of
acceptable operating modes for the selected protocol, enabling
the identification of potential deviations and irregularities in
the message flow of the protocol through the device.
• Problems may arise if there is a conflict between the operating
mode of a specific protocol, which is defined on the AF
device, and the way in which the protocol is implemented in
the specific version of the application or of the operating
systems used in the network.
• The stateful protocol analysis can:
– determine whether an e-mail message contains a type of attachment that is not allowed (e.g., executable files);
– determine whether instant messaging is used via an HTTP port;
– block the connection through which an unwanted command is executed (e.g., an FTP put command on the FTP server);
– block access to a page with unwanted active content (e.g., Java);
– identify an irregular sequence of commands exchanged in the communication between two hosts (e.g., an unusually large number of repetitions of the same command, or the use of a command before the command it depends on);
– enable the verification of individual commands and of the minimum and maximum length of the appropriate command-line arguments (e.g., the number of characters used in a username).
• An AF device cannot detect attacks that meet the generally
acceptable procedures of operation of a specific protocol, such as
DoS (denial of service) attacks caused by the repetition of a large
number of acceptable message sequences in a short time interval.
• Due to the complexity of the analysis they perform and the large
number of concurrent sessions they monitor, the main disadvantage
of stateful protocol analysis is the heavy processing load it
places on AF devices.
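The checks listed for stateful protocol analysis (command before its dependency, excessive repetition, blocked commands, argument length limits) as an added Python example that is not part of the slides; the FTP-like command set, dependency map, length limits and repetition threshold are assumed values, not any vendor's protocol profile:

```python
"""Added example, not from the slides: a toy stateful protocol analyser for an
FTP-like control channel applying the checks listed above. The command set,
dependency map, length limits and repetition threshold are assumed values."""
from collections import Counter

# Predefined profile of the protocol's acceptable operating mode (assumed values).
PROFILE = {
    # A command may only follow the command it depends on.
    "depends_on": {"PASS": "USER", "RETR": "PASS", "STOR": "PASS", "LIST": "PASS"},
    # Commands the policy blocks outright (STOR is the FTP "put"/upload).
    "blocked": {"STOR"},
    # Minimum and maximum argument length per command (e.g. username length).
    "arg_len": {"USER": (1, 32), "PASS": (1, 64)},
    # More repetitions of one command than this in a session is irregular.
    "max_repeats": 5,
}


def analyse_session(commands, profile=PROFILE):
    """Walk one session's commands in order; return [(verdict, command, reason)].
    Verdict is "allow" or "block". State is kept across the session, so a command
    sent before its dependency, an out-of-range argument length, a blocked
    command and excessive repetition are each flagged with a reason string."""
    accepted = set()    # commands already accepted in this session
    counts = Counter()  # how often each command has been seen
    results = []
    for line in commands:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        counts[verb] += 1
        needs = profile["depends_on"].get(verb)
        reason = ""
        if verb in profile["blocked"]:
            reason = "blocked command"
        elif needs and needs not in accepted:
            reason = f"issued before {needs}"
        elif verb in profile["arg_len"]:
            lo, hi = profile["arg_len"][verb]
            if not lo <= len(arg) <= hi:
                reason = f"argument length {len(arg)} outside {lo}-{hi}"
        if not reason and counts[verb] > profile["max_repeats"]:
            reason = f"repeated {counts[verb]} times"
        if reason:
            results.append(("block", line, reason))
        else:
            accepted.add(verb)
            results.append(("allow", line, ""))
    return results


# Constructed sample session: PASS before USER, a normal login, an upload
# attempt, then a burst of repeated LIST commands.
SAMPLE = ["PASS secret", "USER alice", "PASS secret", "STOR report.txt"] + ["LIST"] * 7
```

Running `analyse_session(SAMPLE)` blocks the premature PASS, the STOR upload and the sixth and seventh LIST, and allows the rest.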
Application Proxy Gateway
• Application proxy gateway (APG) devices also perform an analysis
of the traffic flow on the application layer.
• Compared to AF devices, APG devices provide a higher level of
security for individual applications since they never allow a direct
connection between two hosts, and they can perform an inspection
of the content of application-layer messages.
• APG devices contain so-called proxy agents or “intermediaries” in
the communication between two end hosts.
• In this way, they prevent direct communication between them.
• Each successful connection between the end hosts consists of two
connections – one between the client and the proxy server and the
other between the proxy server and the destination device.
• Based on the filtering rules defined on the APG device, proxy
agents decide whether network traffic will be allowed or not.
• Traffic-filtering decisions can also be made based on the
information contained in the header of an application-layer
message or even based on the content conveyed by that message.
In addition, proxy agents can require user authentication.
• There are also APG devices with the capability of packet
decryption, analysis and re-encryption, before a packet is
forwarded to the destination host.
• Packets that cannot be decrypted are simply forwarded through
the device.
• Another deficiency of these devices is the limitation in the number
of services that can be filtered through them.
• Each type of traffic passing through the device requires a specific
proxy agent that acts as an intermediary in the communication.
Consequently, APG devices do not always support the filtering of
new applications or protocols.
• Due to their price, APG devices are commonly used for protecting
data centres or other networks containing publicly available
servers that are of high importance to an organisation.
• In order to reduce the load on APG devices and achieve greater
efficiency, modern networks more frequently use dedicated proxy
servers for specific services that are not so sensitive to time
delays (e.g., email or web proxy servers).
Dedicated Proxy Server
• Like APG devices, dedicated proxy (DP) servers also have a
role as “intermediaries” in the communication between two
hosts, although their traffic-filtering capabilities are
significantly lower.
• This type of device is intended for the analysis of the
operation of specific services and protocols (e.g., HTTP or
SMTP). Due to their limited traffic-filtering capabilities, DP
devices are deployed behind firewall devices in the network
architecture.
• Their main function is to perform specialized filtering of a
specific type of traffic (based on a limited set of parameters)
and carry out the logging operation.
• The execution of these specific activities significantly reduces
• The most widely used devices of this type are web proxy
servers. A common example of their use is an HTTP proxy
server (placed behind the firewall device or router), to which
users need to connect when they wish to access external web
servers.
• If an institution has an outgoing connection (uplink) of lower
bandwidth, the use of the caching function is recommended in
order to reduce the level of traffic and improve the response
time.
• As a result of an increase in the number of available web
applications and the number of threats transferred through the
HTTP protocol, web proxy servers are growing in
significance.
• Consequently, many equipment manufacturers today add the
functionality of various firewall technologies to the standard
web proxy servers, thus increasing their traffic-filtering
capabilities.
Web application firewall (WAF)
• Web application firewalls are built to provide security for web
applications by applying a set of rules to an HTTP conversation.
Because applications are online, they have to keep certain
ports open to the internet.
• This means attackers can try specific website attacks against
the application and the associated database, such as cross-site
scripting (XSS) and SQL injection.
• While proxy firewalls generally protect clients, WAFs protect
servers. Another great feature of WAFs is that they detect
distributed denial of service (DDoS) attacks in their early
stages, absorb the volume of traffic and identify the source of
the attack.
Solutions Combining Traffic Filtering with
Other Technologies
• In addition to their basic purpose of blocking
unwanted traffic, firewall devices often combine their
filtering functionality with other technologies,
primarily routing.
• Conversely, routers often add traffic-filtering functionality to
their basic routing role.
• As a result, NAT (network address translation) is
sometimes considered to be a firewall technology,
although essentially it is a routing technology.
• Other related functionalities, such as VPN and IDP,
are often available on firewall devices.
NAT (Network Address Translation)
• NAT is a technology that enables devices that use private IP
addresses to communicate with devices on the internet. This
technology translates private IP addresses, which can be used
by devices within a local area network (LAN), into publicly
available internet addresses.
• The application of NAT technology may limit (intentionally or
unintentionally) the number of available services, i.e., it may
disable the functioning of services that require direct,
end-to-end connectivity (e.g., VoIP).
• There are three types of NAT translations:
– dynamic,
– static and
– PAT.
Dynamic NAT
• Dynamic NAT uses a set of publicly available IP addresses,
successively assigning them to hosts with private IP addresses.
• When a host with a private IP address needs to communicate
with a device on the internet, dynamic NAT translates its
private IP address into a publicly available IP address, by
taking the first available IP address from a defined pool of
publicly available IP addresses.
• Dynamic NAT is suitable for client computers.
Static NAT
• It provides one-to-one mapping between the private IP
address of a host and the public IP address assigned to it. In
this manner, the host with a private IP address always appears
on the internet with the same public IP address.
• This is the main difference between static and dynamic
translation. Static NAT is suitable for servers.
• In both types of translation mentioned above, each private IP
address is translated into a separate, public IP address.
• In order to support a sufficient number of simultaneous user
sessions, an organisation using dynamic and/or static NAT
needs to have a sufficient number of public IP addresses.
PAT (Port Address Translation)
• PAT (port address translation, or so-called NAT overload) performs
mapping between several private IP addresses and one or more
public IP addresses. The mapping of each private IP address is
performed by way of the port number of the public IP address.
• PAT translation ensures that each client on a LAN that
establishes a connection with a device on the internet is
assigned a different port number of the public IP address.
• The response from the internet, which comes as a result of the
request, is sent to the port from which the request was
forwarded.
• In this manner, a device that performs the translation (a router,
firewall or server) knows to which host from the LAN it
should forward the packet.
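The PAT behaviour described above (a distinct public port per LAN flow, replies mapped back to the host that initiated them) as an added Python example that is not part of the slides; the public address 203.0.113.5, the port range and the client addresses are constructed values:

```python
"""Added example, not from the slides: a minimal PAT (NAT overload) table.
Each outbound flow from a private (ip, port) is bound to its own port on the
single public address; replies are mapped back by that public port."""
import ipaddress


class PortAddressTranslator:
    def __init__(self, public_ip, port_range=(40000, 40010)):
        self.public_ip = ipaddress.ip_address(public_ip)
        self.free_ports = list(range(*port_range))  # pool of public ports (assumed range)
        self.outbound = {}  # (private_ip, private_port) -> public_port
        self.inbound = {}   # public_port -> (private_ip, private_port)

    def translate_outbound(self, private_ip, private_port):
        """Return (public_ip, public_port) for a LAN client's outgoing packet,
        reusing the existing binding when the flow is already established."""
        key = (ipaddress.ip_address(private_ip), private_port)
        if key not in self.outbound:
            if not self.free_ports:
                raise RuntimeError("public port pool exhausted")
            port = self.free_ports.pop(0)
            self.outbound[key] = port
            self.inbound[port] = key
        return str(self.public_ip), self.outbound[key]

    def translate_inbound(self, public_port):
        """Return the (private_ip, private_port) a reply on public_port belongs to,
        or None when no LAN host opened that flow (unsolicited traffic is dropped)."""
        hit = self.inbound.get(public_port)
        return (str(hit[0]), hit[1]) if hit else None

    def release(self, private_ip, private_port):
        """Tear down a binding when the session ends; return its port to the pool."""
        key = (ipaddress.ip_address(private_ip), private_port)
        port = self.outbound.pop(key, None)
        if port is not None:
            del self.inbound[port]
            self.free_ports.append(port)
        return port
```

Two LAN hosts using the same private source port still receive different public ports, which is what lets the translator tell their replies apart.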
Proxy server
• Proxy servers act as negotiators for requests from client
software seeking resources from other servers.
• A client connects to the proxy server and requests some
service (for example, a website); the proxy server evaluates
the request and then allows or denies it.
• Most proxy servers act as forward proxies and are used to
retrieve data on behalf of the clients they serve.
• In organizations, proxy servers are usually used for traffic
filtering (web filters) and performance improvement (load
balancers).
• Web filter
– Web filters prevent users’ browsers from loading certain
pages of particular websites.
– URL filtering involves blocking websites (or sections of
websites) based solely on the URL, restricting access to
specified websites and certain web-based applications.
– This is in contrast to content filtering systems, which block
data based on its content rather than from where the data
originates.
– Microsoft, for example, implemented a phishing filter,
which acted as a URL filter for their browser, and then
replaced it with the SmartScreen filter, which runs in the
background and sends the address of the website being
visited to the SmartScreen filter server, where it is
compared against a list that is maintained of phishing and
malware sites.
– If a match is found, a blocking web page appears and
encourages you to not continue.
– Web filter appliances have additional technologies to block
malicious internet web sites.
– They have a database of malware sites but also you can
create your own list or policy of blocked web sites.
– You can apply site whitelisting or blacklisting, see every
user’s full web site history, inspect cached pages, and even
detect the amount of downloaded traffic.
– Analyzing this information will help you to understand
how your users work on the internet and what their
interests are, so it can be a great advantage in insider threat
prevention.
• Network load balancer (NLB)
– Load balancers are physical units that direct computers to
individual servers in a network based on factors such as
server processor utilization, number of connections to a
server or overall server performance.
– Organizations use load balancers to minimize the chance
that any particular server will be overwhelmed and to
optimize the bandwidth available to each computer in the
network.
– A load balancer can be implemented as a software or hardware
security solution, and it is usually associated with a
device — a router, a firewall, a network address translation
(NAT) appliance and so on.
– A load balancer splits the traffic intended for a website into
individual requests that are then rotated to redundant
servers as they become available.
– A key issue with load balancers is scheduling —
determining how to split up the work and distribute it
across servers.
– There are several load balancing methods:
• Round-robin
• Affinity
• Least connection
• Agent-based adaptive load balancing
• Chained failover
• Weighted response time
• Software-defined networking
– Round-robin
• The first client request is sent to the first group of
servers, the second is sent to the second, and so on.
When it reaches the last group of servers in the list, the
load balancer starts over with the first group of servers.
– Affinity
• Affinity minimizes response time to clients by using different
methods for distributing client requests. It has three types:
– No affinity — NLB does not associate clients with a
particular group of servers; every client request can be load
balanced to any group of servers.
– Single affinity — NLB associates clients with particular
groups of servers by using the client’s IP address. Thus,
requests coming from the same client IP address always reach
the same group of servers.
– Class C affinity — NLB associates clients with particular
groups of servers by using the Class C portion of the client’s
IP address. Thus, clients coming from the same Class C
address range always access the same group of servers.
– Least connection — This method takes the current
server load into consideration. The current request
goes to the server that is servicing the least number of
active sessions at the current time.
– Agent-based adaptive load balancing — Each server
in the pool has an agent that reports on its current load
to the load balancer. This real time information is used
when deciding which server is best placed to handle a
request.
– Chained failover — The order of servers is
configured (predefined) in a chain.
– Weighted response time — Response information from a
server health check is used to determine which server is
responding the fastest at a particular time.
– Software-defined networking — This approach combines
information about upper and lower networking layers. This
allows information about the status of the servers, the
status of the applications running on them, the health of the
network infrastructure, and the level of congestion on the
network to all play a part in the load balancing decision
making.
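Four of the scheduling methods listed above (round-robin, least connection, single affinity and Class C affinity) as an added Python example, not code from the slides; the server names and client addresses are constructed, and the affinity methods use a simple modulo of the address as a stand-in for whatever hash a real NLB applies:

```python
"""Added example, not from the slides: a small load-balancer model with four of
the listed scheduling methods. Server names and client IPs are constructed."""
import ipaddress
from itertools import cycle


class LoadBalancer:
    def __init__(self, servers):
        self.servers = list(servers)
        self._rr = cycle(self.servers)          # round-robin cursor
        self.active = {s: 0 for s in servers}   # live sessions per server

    def round_robin(self):
        """Send each request to the next server, wrapping to the first after the last."""
        return next(self._rr)

    def least_connection(self):
        """Pick the server currently servicing the fewest active sessions
        (ties go to the earliest server in the list)."""
        return min(self.servers, key=lambda s: self.active[s])

    def single_affinity(self, client_ip):
        """Map the full client IP to a server, so one client always lands on the
        same server. Modulo of the address is an assumed stand-in for a real hash."""
        return self.servers[int(ipaddress.ip_address(client_ip)) % len(self.servers)]

    def class_c_affinity(self, client_ip):
        """Map only the /24 (Class C) prefix, so a whole client subnet stays together
        even when single_affinity would spread its hosts over several servers."""
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return self.servers[int(net.network_address) % len(self.servers)]

    def open_session(self, server):
        """Record a new session on server (feeds least_connection)."""
        self.active[server] += 1

    def close_session(self, server):
        """Record the end of a session on server."""
        self.active[server] -= 1
```

With three servers, the constructed clients 10.0.5.7 and 10.0.5.8 are split by single affinity but kept on one server by Class C affinity.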
Spam filter
• A mail gateway can be used not only to route mail but to
perform other functions as well, such as encryption or, to a
more limited scope, DLP.
• More commonly, spam filters can detect unwanted email and
prevent it from getting to a user’s mailbox. Spam filters judge
emails based on policies or patterns designed by an
organization or vendor.
• More sophisticated filters use a heuristic approach that
attempts to identify spam through suspicious word patterns or
word frequency.
• The filtering is done based on established rules, such as
blocking email coming from certain IP addresses, email that
contains particular words in the subject line, and the like.
• Although spam filters are usually used to scan incoming
messages, they can also be used to scan outgoing messages to
help identify internal PCs that might have contracted a virus.
VPN (virtual private network)
• VPN (virtual private network) technology is used to increase
the security of data transfer through a network infrastructure
that does not provide a sufficient degree of data security.
• It enables the encryption and decryption of network traffic
between external networks and an internal, protected network.
• VPN functionality can be available on firewall devices or
implemented on VPN servers that are placed behind firewall
devices in the network architecture.
• In many cases, implementing the VPN service on the firewall
device itself is the optimal solution.
• Placing a VPN server behind the firewall device requires the
VPN traffic to pass through the firewall device in an encrypted
form.
• As a result, the firewall device cannot perform inspection,
access control or logging of that network traffic, and therefore
cannot scan it for certain security threats.
• However, regardless of the place of the implementation, the
VPN service requires the application of certain filtering rules
of the firewall device in order to enable its uninterrupted
operation.
• Accordingly, special attention should always be paid to
making sure that the appropriate protocols and the TCP/UDP
services that are necessary for the functioning of the chosen