Computer Security (Chapter-5)

The document discusses firewalls, including their definition, components, design goals, and types. Firewalls are used to control access between trusted and untrusted networks using configured rules. Packet filtering firewalls examine each packet individually against rules to determine whether to allow or deny it.

Uploaded by

Naoly Get

Chapter Five

Security Mechanisms
Firewall
 The term firewall has been around for quite some time and originally was used to define a barrier constructed to prevent the spread of fire from one part of a building or structure to another
 A network firewall is a system or group of systems used to control access
between two networks: a trusted network and an untrusted network,
using pre-configured rules or filters
 A network firewall provides a barrier between networks that prevents or
denies unwanted or unauthorized traffic
 Used to implement and enforce a security policy for communication
between networks

04/20/2024 Compiled by: Naol G. (MSc.) 2


 Firewalls are combinations of hardware and software
 Firewalls can be composed of a single router, multiple routers, a single host
system or multiple hosts running firewall software, hardware appliances
specifically designed to provide firewall services, or any combinations
 They vary greatly in design, functionality, architecture, and cost
 A firewall is also called a Border Protection Device (BPD) in certain military
contexts where a firewall separates networks by creating perimeter
networks in a DMZ “Demilitarized Zone”
 DMZ is a sub network that contains an organization’s external facing
services like Web services, Mail services, FTP Services, etc.



 It is more feasible to secure a community of users by putting some control
at the entrance rather than trying to secure every host (Border Security)
 This is done in the real world
o Countries protect themselves at their borders
o Neighborhoods protect all of their residents at once
 A firewall provides secured access between two networks
 When information moves from the Internet to the internal network,
confidentiality is not an issue. However, integrity is. The firewall must not
accept messages that will cause servers to work incorrectly or to crash
 When information moves from the internal network to the Internet,
confidentiality and integrity are both concerns. The firewall must ensure
that no confidential information goes to the Internet and that the
information that reaches the Internet is correct



Firewall – Design Goals
 All traffic from outside to inside must pass through the firewall (physically
blocking all access to the local network except via the firewall)
 Only authorized traffic (defined by the local security policy) will be
allowed to pass
 The firewall itself is immune to penetration (use of trusted system with a
secure operating system)
 Internal clients are generally allowed to create connections to outside
hosts, and external hosts are usually prevented from initiating connection
attempts (except on machines in the DMZ)



Firewall - Features
 Port Control: allow some (e.g., 80 for a Web server, 25 for a mail server, 21
and 20 for FTP server) and deny others
 Network Address Translation (NAT): translates the IP addresses of internal
hosts to hide them from outside monitoring; NATs were originally designed to
solve the IP address depletion problem
 Application Monitoring
 Packet Filtering: rejects TCP/IP packets from unauthorized hosts; rejects
connection attempts to unauthorized services
 Data encryption: confidentiality of outgoing packets
 Content Filtering: to block internal users from accessing certain types of
content by category, such as hate group propaganda, pornography, etc.
 Virus Scanning
 Popup advertisement blocking/Spam protection
 Spyware protection
Types of Firewalls
 Firewalls can be categorized depending on
1. The firewall methodology
2. Whether the communication is being done between a single
node and the network, or between two or more networks
3. Whether the communication state is being tracked at the
firewall or not
1. By the Firewall Methodology
 Packet Filtering Firewall
 Stateful Packet Inspection Firewall
 Application Gateways/Proxies
 Adaptive Proxies
 Circuit Level Gateway



Packet Filtering Firewall

 A packet filtering firewall does exactly what its name implies - it filters
packets
 As each packet passes through the firewall (in both directions), it is
examined and information contained in the header is compared to a
pre-configured set of rules or filters
 An allow or deny decision is made based on the results of the
comparison
 Each packet is examined individually regardless of other packets that
are part of the same connection
[Figure: packet filtering firewall, inward flow and outward flow. A packet arriving from the untrusted network (or leaving the trusted network) is compared against the firewall's rule set; on "Allow" the packet is forwarded to the other network, on "Drop" the packet is blocked or discarded]
 The packet filter is typically set up as a list of rules based on matches to
fields in the IP or TCP or UDP, etc. header. If there is a match to one of the
rules, that rule is invoked to determine whether to forward or discard the
packet. If there is no match to any rule, then a default action is taken. Two
default policies are possible:
 Default = Discard: Everything not specifically permitted is denied – this
is a pessimistic approach
 Default = Forward: Everything not specifically denied is permitted –
this is an optimistic approach
 The default discard policy is more conservative; however, it is the policy
likely to be preferred by businesses and government organizations
 The default forward policy increases ease of use for end users but
provides reduced security; this policy may be used by generally more
open organizations, such as Universities



 We use packet filters to instruct a firewall to drop traffic that meets certain
criteria
 For example, we could create a filter that would drop all Ping requests
 We can also configure filters with more complex exceptions to a rule
 Packet filtering rules or filters can be configured to allow or deny traffic based on
one or more of the following variables
 Source and Destination IP address
 Protocol type (TCP, UDP, ICMP, OSPF, etc.)
 TCP or UDP source and destination port
 TCP flag bits: SYN, ACK, etc.
 ICMP message type
 Different rules for datagrams leaving and entering the network
 Different rules for the different router interfaces



 A network administrator configures the firewall based on the policy of the
organization
 e.g., Policies and corresponding filtering rules for an organization’s network
130.207/16 with Web server at 130.207.244.203

Policy                                                                                 | Firewall Setting
No outside Web access                                                                  | Drop all outgoing packets to any IP address, port 80
No incoming TCP connections, except those for organization’s public Web server only    | Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80
Prevent Web-radios from consuming bandwidth                                            | Drop all incoming UDP packets, except DNS packets
Prevent the network from being used for a smurf attack                                 | Drop all ICMP ping packets going to a “broadcast” address (e.g., 130.207.255.255)
Prevent the network from being tracerouted                                             | Drop all outgoing ICMP TTL expired traffic
 A packet filtering firewall is often called a network layer firewall because
the filtering is primarily done at the network layer (layer three) or the
transport layer (layer four) of the TCP/IP reference model
[Figure: TCP/IP layers (Application, Transport, Network, Data Link, Physical); packet filters operate at the Network and Transport layers]


 Firewall rules are implemented in routers with access control lists,
with each router interface having its own list; the following is an
example access control list for a stateless filter for an organization
222.22/16

* UDP Port 53 is for DNS


 Rules are applied to each datagram that passes through the interface
from top to bottom
 The first two rules together allow internal users to surf the Web: The first
rule allows any TCP packet with destination port 80 to leave the
organization’s network; the second rule allows any TCP packet with source
port 80 and the ACK bit set to enter the organization’s network
 The third and fourth rules together allow DNS packets to enter and leave
the organization’s network
 In summary, this rather restrictive access control list blocks all traffic
except Web traffic initiated from within the organization and DNS traffic



 Advantages of Packet filtering
 Simplicity
 Transparency to users
 High speed
 Disadvantages of Packet filtering
 Difficulty of setting up packet filter rules
 Lack of Authentication



Stateful Packet Inspection Firewall
 Stateful packet inspection uses the same fundamental packet screening
technique that packet filtering does
 In addition, it examines the packet header information from the network
layer to the application layer to verify that the packet is part of a legitimate
connection and the protocols are behaving as expected
[Figure: TCP/IP layers (Application, Transport, Network, Data Link, Physical); stateful inspection examines headers from the Network layer up to the Application layer]


 As packets pass through the firewall, packet header information is examined and fed
into a connection state table where it is stored. The packets are compared to pre-
configured rules or filters and allow or deny decisions are made based on the results
of the comparison
 The data in the connection state table is then used to evaluate subsequent packets
to verify that they are part of the same connection
 Decisions based on one or more of the following
 Source and Destination IP address
 Protocol type (TCP, UDP, ICMP, OSPF, etc.)
 TCP or UDP source and destination port
 TCP flag bits: SYN, ACK, etc
 ICMP message type
 Different rules for datagrams leaving and entering the network
 Different rules for the different router interfaces
 Connection state
 The connection state is derived from information gathered in previous
packets
 It is an essential factor in making the decision for new communication
attempts
 Stateful packet inspection compares the packets against the rules or filters
and then checks the connection state table to verify that the packets are
part of a valid, established connection
 By having the ability to "remember" the status of a connection, this method
of packet screening is better equipped to guard against attacks than
standard packet filtering



 Stateful filters track all ongoing TCP connections in a connection state table.
This is possible because the firewall can observe the beginning of a new
connection by observing a three-way handshake (SYN, SYNACK, and ACK); and
it can observe the end of a connection when it sees a FIN packet for the
connection;
 The firewall can also assume that the connection is over when it hasn’t seen
any activity over the connection for, say, 60 seconds
 The following connection state table (for an organization 222.22/16) indicates
that there are currently three ongoing TCP connections, all of which have
been initiated from within the organization



Action | Source Address        | Destination Address   | Protocol | Source Port | Destination Port | Flag bit | Check Connection
Allow  | 222.22/16             | Outside of 222.22/16  | TCP      | >1023       | 80               | Any      |
Allow  | Outside of 222.22/16  | 222.22/16             | TCP      | 80          | >1023            | ACK      | x
Allow  | 222.22/16             | Outside of 222.22/16  | UDP      | >1023       | 53               | -        |
Allow  | Outside of 222.22/16  | 222.22/16             | UDP      | 53          | >1023            | -        | x
Deny   | All                   | All                   | All      | All         | All              | All      |

An example access control list for a stateful filter


 Additionally, the stateful filter includes a new column, “check
connection,” in its access control list
 Note that this table is identical to the access control list in the stateless
packet filter, except now it indicates that the connection should be
checked for two of the rules
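The stateless rule list described on the earlier slides and the stateful "check connection" version above, as one added example that is not from the slides: a first-match filter for the 222.22/16 access control list, with a connection state table that tells a genuine reply apart from an outside packet that merely carries source port 80 and the ACK bit. Addresses, ports and timestamps are constructed.

```python
"""Added example, not from the slides: a first-match packet filter for the
222.22/16 access control list, run first statelessly and then with the stateful
'check connection' column backed by a connection state table (values constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ORG = ip_network("222.22.0.0/16")      # the organization's network (222.22/16)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                         # "TCP" or "UDP"
    sport: int
    dport: int
    flags: frozenset = frozenset()     # TCP flag bits set, e.g. {"SYN"}, {"ACK"}

def inside(ip):
    return ip_address(ip) in ORG

# Rule = (action, src side, dst side, proto, sport, dport, flag bit, check connection)
# side: "in" = 222.22/16, "out" = outside of 222.22/16, None = any; port: ">1023",
# an exact number, or None = any.  Order matters: the first matching rule decides.
ACL = [
    ("allow", "in",  "out", "TCP", ">1023", 80,      None,  False),  # Web requests out
    ("allow", "out", "in",  "TCP", 80,      ">1023", "ACK", True),   # Web replies in
    ("allow", "in",  "out", "UDP", ">1023", 53,      None,  False),  # DNS queries out
    ("allow", "out", "in",  "UDP", 53,      ">1023", None,  True),   # DNS answers in
    ("deny",  None,  None,  None,  None,    None,    None,  False),  # default = discard
]

def _side_ok(spec, ip):
    return spec is None or inside(ip) == (spec == "in")

def _port_ok(spec, port):
    return True if spec is None else (port > 1023 if spec == ">1023" else port == spec)

def matches(rule, pkt):
    _, s, d, proto, sp, dp, flag, _ = rule
    return (_side_ok(s, pkt.src) and _side_ok(d, pkt.dst)
            and (proto is None or proto == pkt.proto)
            and _port_ok(sp, pkt.sport) and _port_ok(dp, pkt.dport)
            and (flag is None or flag in pkt.flags))

def stateless_filter(pkt, acl=ACL):
    """Each datagram is judged on its own header, top to bottom through the list."""
    for rule in acl:
        if matches(rule, pkt):
            return rule[0]
    return "deny"

class StatefulFilter:
    """Same ACL, but a rule marked 'check connection' only allows a packet when the
    connection state table already holds a connection initiated from inside."""
    IDLE_TIMEOUT = 60   # seconds of silence after which the connection is assumed over

    def __init__(self, acl=ACL):
        self.acl = acl
        self.table = {}  # (proto, inside ip, inside port, outside ip, outside port) -> last seen

    def _key(self, pkt):
        if inside(pkt.src):
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt, now=0):
        key = self._key(pkt)
        if key in self.table and now - self.table[key] > self.IDLE_TIMEOUT:
            del self.table[key]                  # idle connection expired
        for rule in self.acl:
            if not matches(rule, pkt):
                continue
            if rule[0] != "allow":
                return "deny"
            if rule[7] and key not in self.table:
                return "deny"                    # e.g. forged ACK, no handshake seen from inside
            if "FIN" in pkt.flags:
                self.table.pop(key, None)        # end of connection observed
            elif key in self.table or pkt.proto == "UDP" or "SYN" in pkt.flags:
                self.table[key] = now            # new connection from inside, or fresh activity
            return "allow"
        return "deny"

def forged_reply_decisions():
    """Outside packet with source port 80 and ACK set but no prior connection."""
    forged = Packet("198.51.100.7", "222.22.1.10", "TCP", 80, 4444, frozenset({"ACK"}))
    return stateless_filter(forged), StatefulFilter().filter(forged)
```

The stateless filter lets the forged packet through because the ACK bit alone satisfies the second rule; the stateful filter denies it because nothing from inside ever opened that connection.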
Application Gateway/Proxies

 Acts as a relay of application-level traffic


 The user contacts the gateway using a TCP/IP application, such as Telnet or
FTP, and the gateway asks the user for the name of the remote host to be
accessed. When the user responds and provides a valid user ID and
authentication information, the gateway checks if the user has permission to
access the server on the outside world and if so contacts the application on
the remote host and relays TCP segments containing the application data
between the two endpoints
 This type of firewall operates at the application layer. For source and
destination endpoints to be able to communicate with each other, a proxy
service must be implemented for each application protocol
 If the gateway does not implement the proxy code for a specific
application, the service is not supported and cannot be forwarded across
the firewall
 Hence, the application gateway/proxy acts as an intermediary between the
two endpoints
 This packet screening method breaks the client/server model in that two
connections are required: one from the source to the gateway/proxy and
one from the gateway/proxy to the destination
 The gateways/proxies are carefully designed to be reliable and secure
because they are the only connection points between the two networks



[Figure: TCP/IP layers (Application, Transport, Network, Data Link, Physical); application gateways operate at the Application layer]
Advantages
 Higher security than packet filters
 Only need to scrutinize a few allowable applications
 Easy to audit all incoming traffic
Disadvantage
 A different application gateway is required for each application
 Additional processing overhead on each connection
Adaptive Proxies
 Also known as dynamic proxies
 Developed as an enhanced form of application gateways/proxies, combining
the merits of both application gateways/proxies and packet filtering
 Note that proxies were originally designed to make the WWW faster
Circuit-Level Gateway/Circuit-Level Proxy
 It sets up two TCP connections; one between itself and a TCP user on an inner
host and one between itself and a TCP user on an outside host
 The gateway typically relays TCP segments from one connection to the other
without examining the contents
 The security function consists of determining which connections will be
allowed
 Unlike a packet filtering firewall, a circuit-level gateway does not examine
individual packets. Instead, circuit-level gateways monitor TCP or UDP sessions
 Once a session has been established, it leaves the port open to allow all
other packets belonging to that session to pass. The port is closed when
the session is terminated
 Circuit-level gateways operate at the transport layer (layer 4)



2. With regard to the scope of filtered communications
 Done between a single node and the network, or between two or
more networks
 Personal Firewall, a software application which normally filters
traffic entering or leaving a single computer
 Network Firewall, normally running on a dedicated network
device or computer positioned on the boundary of two or more
networks
3. Whether the firewall keeps track of the state of network connections or
treats each packet in isolation
 Stateful firewall
 Stateless firewall



There are problems that Firewalls can’t solve
Example
 Let’s say that the only thing we allow through our firewall is e-mail
 An employee gets a message from a branch office asking him to e-mail a
CAD file to them
 The employee looks at the From address, verifies that it is correct, clicks
Reply, attaches the file, and unknowingly sends the CAD file to the
hackers who forged the e-mail request because the Reply-to address
isn’t the same as the From address
 The firewall can’t do anything about it because many users have different From
and Reply-to addresses for valid reasons (for example, they send e-mail
from multiple e-mail addresses but only want to receive mail at one)
 Try it by opening any spam and clicking on Reply (try until you get
different From and Reply-to addresses)
Firewall Location and Configurations
 A firewall can be internal or external
 An external firewall is placed at the edge of a local or enterprise network,
just inside the boundary router that connects to the Internet
 One or more internal firewalls protect the bulk of the enterprise network
 Between these two types of firewalls are one or more networked devices in
a region referred to as a DMZ (demilitarized zone) network
 Systems that are externally accessible but need some protections are
usually located on DMZ networks. Typically, the systems in the DMZ require
external connectivity, such as a corporate Web site, an e-mail server, or a
DNS server



[Figure: example firewall configuration. Internet - Boundary Router - External Firewall - DMZ (E-mail Server, DNS Server, Web Server(s) on a LAN Switch: External Facing Services) - Internal Firewall - Internal Protected Network (Application and Database Servers, Workstations on a LAN Switch)]
Example Firewall Configuration
 The external firewall provides a measure of access control and protection for
the DMZ systems consistent with their need for external connectivity
 The external firewall also provides a basic level of protection for the
remainder of the enterprise network
 Internal firewalls serve three purposes
1. The internal firewall adds more stringent filtering capability, compared to
the external firewall, in order to protect enterprise servers and
workstations from external attack
2. The internal firewall provides two-way protection with respect to the
DMZ. First, the internal firewall protects the remainder of the network
from attacks launched from DMZ systems. Such attacks might originate
from worms, bots, or other malware lodged in a DMZ system. Second, an
internal firewall can protect the DMZ systems from attack from the
internal protected network
3. Multiple internal firewalls can be used to protect portions of the
internal network from each other. For example, firewalls can be
configured so that internal servers are protected from internal
workstations and vice versa



Proxy server
 A proxy server is a computer or system that acts as a gateway between an
endpoint device (web browser or computer) and a destination server (web
address) that delivers a requested service.
 Here are some of the most common use cases of proxy servers:
 Network filtering
 Caching
 Load balancing
 Bypassing restrictions
 Masking the IP address
 Providing SSL encryption and decryption
 Routing



Types of proxy servers
 Proxy servers can be categorized in several ways based on their
functionality and protocols. Here we’ll take a look at the most common
proxy server types.
 Proxy servers by traffic flow
 Forward proxy
 A forward proxy is a proxy server acting on behalf of the client to
request resources from the internet. The forward proxy is located on
the client’s network, so it’s also known as a client-side proxy
 The internet sees the forward proxy as the client, while the client sees
the forward proxy as the internet. Forward proxies hide the client’s IP
address and identity, help bypass content filters, and access restricted
websites



Types of proxy servers /Cont…
 Reverse proxy
 A reverse proxy is a proxy server acting on behalf of the web server to
receive requests from clients. Since a reverse proxy is located on the
server’s network, it’s also called a server-side proxy.
 The web server sees the reverse proxy as the client, while the client sees
the reverse proxy as the web server. A proxy server helps the web server
remain hidden from clients, playing a critical role in ensuring the reliability,
security, and performance of web applications.
 Servers can use reverse proxies for load balancing, caching, and security.
Reverse proxies can also provide a single access point to multiple web
servers, making managing and scaling web applications easier.



Types of proxy servers /Cont…
 Proxy servers by anonymity level
 Transparent proxy
 A transparent proxy is an intermediary server that doesn’t hide the client’s
IP address.
 Transparent proxies don’t provide anonymity. They reveal your identity to
the server, making them useless for increasing privacy online.
 Anonymous proxy
 An anonymous proxy is an intermediary server that hides the user’s IP
address from web servers. But the anonymous proxy can reveal other
information, such as the client’s browser type, language settings, or
operating system.
 High anonymity proxy
 A high anonymity proxy server is an intermediary that hides the user’s IP
address and other identifying information sent in the HTTP headers, such as
browser type or operating system
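The three anonymity levels, as an added example that is not from the slides: what a forward proxy at each level passes on to the origin server, and how the origin can tell the levels apart from the headers that arrive. X-Forwarded-For and Via are the conventional header names; the client address, proxy address and request headers are constructed.

```python
"""Added example, not from the slides: header handling of a forward proxy at each
anonymity level, and the origin server's view of it.  X-Forwarded-For and Via are
the conventional header names; all addresses and header values are constructed."""

CLIENT_IP = "192.0.2.10"          # constructed address of the browser behind the proxy
PROXY_IP = "203.0.113.25"         # constructed address of the proxy itself

# Constructed request headers as the browser sent them to the proxy
CLIENT_HEADERS = {
    "Host": "www.example.test",
    "User-Agent": "ExampleBrowser/1.0 (ExampleOS)",
    "Accept-Language": "en-US",
}

# Headers that reveal browser type, language settings or operating system
IDENTIFYING = ("User-Agent", "Accept-Language")


def forward(level, headers=CLIENT_HEADERS, client_ip=CLIENT_IP, proxy_ip=PROXY_IP):
    """Return the headers the origin server receives via a proxy of this level."""
    out = dict(headers)
    if level == "transparent":
        # Does not hide the client: the real address travels in X-Forwarded-For
        out["X-Forwarded-For"] = client_ip
        out["Via"] = f"1.1 {proxy_ip}"
    elif level == "anonymous":
        # Hides the client's IP, but still announces a proxy and passes browser details
        out["Via"] = f"1.1 {proxy_ip}"
    elif level == "high_anonymity":
        # Hides the IP and strips the other identifying headers as well
        for name in IDENTIFYING:
            out.pop(name, None)
    else:
        raise ValueError(f"unknown anonymity level: {level}")
    return out


def classify(received):
    """Origin-side view: what the arriving headers give away about the proxy."""
    if "X-Forwarded-For" in received:
        return "transparent"            # the client's own address was revealed
    if "Via" in received or any(name in received for name in IDENTIFYING):
        return "anonymous"              # no client IP, but proxy and browser details leak
    return "high_anonymity"


def leaked_fields(level):
    """Which of the client's identifying values reach the origin at this level."""
    received = forward(level)
    return sorted(k for k in ("X-Forwarded-For", *IDENTIFYING) if k in received)
```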
Types of proxy servers /Cont…
 Proxy servers by accessibility
 Public proxy
 A public proxy is a proxy server open to anyone. You can access it without
needing to pass authentication.
 Shared proxy
 A shared proxy is a proxy server used by many users. They share the
same IP address and port, but their online activities are kept separate
through various software and hardware configurations. It’s also called a
semi-dedicated proxy.
 Private proxy
 A private proxy is a proxy server only used by a single user or
organization. Private proxies provide a dedicated IP address and port to
the user, so they’re also called dedicated proxies.



Virtual Private Networks
 A VPN consists of a set of computers that are interconnected by means
of a relatively unsecured network and that make use of encryption and
special protocols to provide security
 At each corporate site, workstations, servers, and databases are linked
by one or more LANs
 There are three different protocols that are used to create VPNs: Point-
to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP),
and IP Security (IPsec)



[Figure: A VPN Security Scenario using IPsec]
Intrusion Detection/Prevention
 Firewalls generally don’t detect internal attacks or attacks once the
system is compromised
 An Intrusion Detection System (IDS) sends an alert to the administrator
in an e-mail message or to the network management system or could
simply be logged for future inspection
 An Intrusion Prevention System (IPS) tries to take corrective measures
once it detects a threat (e.g., denying a malicious process access to local
system resources or dropping packets); it is proactive
 We will use the term IDS to mean both IDS and IPS since both work the
same way except the last stage



 An IDS gathers and analyzes information from various areas within a
computer or a network to identify possible security breaches
 It detects both intrusions and misuse
 Intrusion detection functions include
 Monitoring and analyzing both user and system activities
 Analyzing system configurations and vulnerabilities
 Assessing system and file integrity
 Ability to recognize patterns typical of attacks
 Analysis of abnormal activity patterns
 Tracking user policy violations
 IDS and Firewall products
 Commercial: McAfee, Cisco, Check Point
 Open Source: Snort
IDS Categorization
There are a number of ways in which Intrusion Detection Systems can be
categorized
 Misuse detection versus anomaly detection
 Passive systems versus reactive systems
 Network-based systems versus host-based systems
Misuse Detection vs. Anomaly Detection
 An IDS that uses misuse detection analyzes the information it gathers and
compares it to large databases of attack signatures (IDS signatures); similar
to a virus-detection system
 Anomaly detection tries to detect intrusion attempts and notify the
administrator



 The system looks for any anomalous behavior; any activity that does not
match the pattern of normal user access is noted and logged
 With anomaly-based IDS, it can take some time to create what is
considered “normal” activity patterns. While these activity patterns are
being established, a high rate of false alarms may be experienced
 Note also that, if the network already contains malicious code, then the
activity of this code would be considered normal
Passive Systems Versus Reactive Systems
 In a passive system, the IDS detects a potential security breach, logs the
information, and signals an alert. In a reactive system, the IDS responds to
the suspicious activity by logging off a user or reprogramming the firewall
to block network traffic from the suspected malicious source



Network-Based System Versus Host-Based System
 In a network-based system, the individual packets flowing through a network
are analyzed
 This system can detect malicious packets that are designed to be overlooked
by a firewall’s simplistic filtering rules
 In a host-based system, the activity of each individual computer or host is
examined
IDS Approaches
Preemptive Blocking
 This approach seeks to prevent intrusions before they occur
 This is done by noting any danger signs of impending threats and then
blocking the user or IP address from which these signs originate



 For example, if a particular IP address is the source of frequent port scans
and other scans of a system, then block that IP address at the firewall
 But there is a risk of blocking out legitimate users. It is better if a human
administrator makes the decision whether or not to block the suspicious source
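Misuse detection, anomaly detection and preemptive blocking together, as an added example that is not from the slides: a small IDS over constructed connection-log lines that learns a baseline of "normal", raises both kinds of alert, and only recommends a block for the administrator to confirm. The log format, the signature list and the port-count baseline are assumptions made for this example.

```python
"""Added example, not from the slides: a miniature IDS over constructed
connection-log lines.  It combines misuse detection (a tiny signature list),
anomaly detection (a per-source baseline learned from a training window) and
preemptive blocking that only recommends a block for a human to confirm.
The log format and the signatures are assumptions made for this example."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed log lines: "<time> <src_ip> <dst_ip> <dst_port> <proto> <payload summary>"
TRAINING_LOG = """\
1 10.0.0.5 10.0.0.80 80 TCP GET /index.html
2 10.0.0.5 10.0.0.80 443 TCP TLS-handshake
3 10.0.0.6 10.0.0.80 80 TCP GET /news
4 10.0.0.6 10.0.0.53 53 UDP dns-query
5 10.0.0.5 10.0.0.53 53 UDP dns-query
""".splitlines()

LIVE_LOG = """\
10 10.0.0.5 10.0.0.80 80 TCP GET /index.html
11 198.51.100.9 10.0.0.80 21 TCP probe
12 198.51.100.9 10.0.0.80 22 TCP probe
13 198.51.100.9 10.0.0.80 23 TCP probe
14 198.51.100.9 10.0.0.80 25 TCP probe
15 198.51.100.9 10.0.0.80 80 TCP probe
16 10.0.0.6 10.0.0.80 80 TCP GET /cgi-bin/../../etc/passwd
""".splitlines()

# Misuse detection: attack signatures matched against the payload summary,
# the same idea as a virus scanner's pattern database (constructed, one entry)
SIGNATURES = {"path-traversal": "../.."}


@dataclass
class Event:
    time: int
    src: str
    dst: str
    dport: int
    proto: str
    payload: str


def parse(line):
    t, src, dst, port, proto, payload = line.split(" ", 5)
    return Event(int(t), src, dst, int(port), proto, payload)


def learn_baseline(lines):
    """Anomaly detection needs a picture of 'normal': here, the largest number of
    distinct destination ports any single source touched during training."""
    ports = defaultdict(set)
    for ev in map(parse, lines):
        ports[ev.src].add(ev.dport)
    return max(len(p) for p in ports.values())


def analyze(lines, baseline):
    """Return (kind, name, source, time) alerts; kind is 'misuse' or 'anomaly'."""
    alerts = []
    ports = defaultdict(set)
    for ev in map(parse, lines):
        for name, pattern in SIGNATURES.items():          # misuse detection
            if pattern in ev.payload:
                alerts.append(("misuse", name, ev.src, ev.time))
        ports[ev.src].add(ev.dport)
        if len(ports[ev.src]) == baseline + 1:            # anomaly: beyond any normal source
            alerts.append(("anomaly", "port-scan-like", ev.src, ev.time))
    return alerts


def block_candidates(alerts):
    """Preemptive blocking in a passive system: list the sources showing danger
    signs so an administrator can decide, instead of reprogramming the firewall."""
    return sorted({src for kind, _, src, _ in alerts if kind == "anomaly"})


def poisoned_baseline_misses_scan():
    """The slides' caveat: if the scan is already running while 'normal' is being
    learned, the scanner's behaviour becomes the baseline and raises no anomaly."""
    baseline = learn_baseline(TRAINING_LOG + LIVE_LOG)
    return not any(kind == "anomaly" for kind, *_ in analyze(LIVE_LOG, baseline))
```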
Intrusion Deflection
 An attempt is made to attract the intruder to a subsystem set up for the
purpose of observing her/him. This is done by tricking the intruder into
believing that s/he has succeeded in accessing system resources when, in
fact, s/he has been directed to a specially designed environment
 This is often done by using what is commonly referred to as a honey pot
 A honey pot assumes that an attacker is able to breach the network security



 Create a server that has fake but attractive data such as account numbers or
research and just a little less secure than a real server. Then, since none of
the actual users ever access this server, monitoring software is installed to
alert when someone does access this server
 A honey pot achieves two goals
 First, it will take the attacker’s attention away from the data to be protected
 Second, it will provide interesting and valuable data, thus leading the
attacker to stay connected to the fake server, giving time to try and track
them
 There are commercial solutions for honey pots, like Specter
(www.specter.com/default50.htm)
 Check also www.honeypots.org for more information on honey pots in
general, and on specific implementations



End of Chapter-5
Questions?
Read More…..
