Security Chapter 5

Chapter 5 of the Computer Security document discusses various security mechanisms, focusing on firewalls, proxy servers, intrusion detection/prevention systems (IDS/IPS), and virtual private networks (VPNs). Firewalls are classified into four types: packet filters, circuit-level gateways, application layer gateways, and network address translation. The chapter also covers the functions and methodologies of IDS/IPS technologies and the two main types of VPNs: remote access and site-to-site.

Uploaded by Tesfalegn Yakob

Debremarkos University

Department of Computer Science

Computer Security
Chapter 5
Security Mechanisms
5.1 Firewall
• A firewall is a set of related hardware and software programs, deployed strategically between a company’s private network and one or more unsecured networks.
• A firewall functions to protect the resources of the private network from users on the outside (external) networks.
• The firewall separates the protected, private network (the inside) from the unsecured networks (the outside) and makes sure that no malicious or unintentional harm is done to internal resources by external forces.
• A firewall is considered essential in the following areas of network applications:
 Access from one or more external unsecured networks (e.g., the Internet) to applications within the private network
 Access by users within the private network to one or more external unsecured networks (including the Internet)
 Communication with business partners through an extranet
 Remote access to the intranet
5.1.1 Classification of Firewalls
• Firewalls can usefully be classified into the following four basic types:
1. Packet filters — The first line of defense in firewall protection, and the most basic, is the packet filter firewall. Packet filters examine incoming and outgoing packets and apply a fixed set of rules to the packets to determine whether they will be allowed to pass.
• It simply examines the type of the packet along with the source and destination addresses, including URLs, domain names, etc., as well as the port combinations, and then it applies the filtering rules.
2. Circuit-level gateways — This type of firewall has also been called a “stateful inspection” firewall because packets are handled on a circuit or connection basis.
 In a circuit-level firewall, all connections are monitored, and only those connections that are found to be valid are allowed to pass through the firewall.
 This generally means that a client behind the firewall can initiate any type of session, but clients outside the firewall cannot see or connect to a machine protected by the firewall.
3. Application layer gateways (ALGs) — The ALG firewall forces all client applications on workstations protected by the firewall to use the firewall itself as a gateway. The firewall then handles packets for each protocol differently.
 Every client program needs to be set up to use a proxy, and not all can do so. Also, the firewall must have an ALG for each type of protocol that can be used.
 The distinct advantage is that application proxy firewalls are considered to be very secure.
4. Network address translation (NAT) — Firewalls using NAT and/or port address translation (PAT) completely hide the network protected by the firewall by translating the outgoing packets to use different addresses.
 In most implementations there is a single, public IP address used for the entire network. PAT needs to be added to NAT to handle port conflicts.
 A disadvantage of NAT is that it cannot properly pass protocols containing IP address information in the data portion of the packet.

5.2 Proxy server
• A proxy server is a server that acts as an intermediary between a remote user and the servers that run the desired applications within the protected enterprise network.
• User authorization, if not done in the authentication server, might be done in the proxy server.
• A proxy server receives a request for an Internet service (such as a Web page request) from a user.
• If the request passes filtering requirements, the proxy server, assuming it is also a cache server, looks in its local cache of previously downloaded Web pages.
• If it finds the page, it returns it to the user without needing to forward the request to the Internet.
• If the page is not in the cache, the proxy server, acting as a client on behalf of the user, uses one of its own IP addresses to request the page from the server out on the Internet.
• When the page is returned, the proxy server relates it to the original request and forwards it to the user.
• An advantage of a proxy server is that its cache can serve all users. If one or more Internet sites are frequently requested, these are likely to be in the proxy’s cache, which will improve user response time.
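The request flow in the bullets above (filter, check the cache, fetch on the user's behalf, relate the reply to the request) is shown below as an added example; it is not code from the lecture or from any proxy product. The "Internet" is an in-memory dictionary of hostnames and pages, and the block list is a constructed filtering policy, so the example runs offline.

```python
"""Filtering and caching proxy following the request flow in section 5.2.

Added example. The origin servers, the pages and the block list are
constructed in-memory stand-ins so the flow can be run without a network.
"""
from urllib.parse import urlparse

# constructed stand-in for servers out on the Internet: hostname -> page body
ORIGIN_SERVERS = {
    "intranet.example": "<h1>Company portal</h1>",
    "news.example": "<h1>Headlines</h1>",
}

BLOCKED_HOSTS = {"gambling.example"}  # constructed filtering policy


class ProxyServer:
    def __init__(self, origins, blocked):
        self.origins = origins
        self.blocked = blocked
        self.cache = {}             # url -> page body, shared by all users
        self.access_log = []        # (user, url, status) per request
        self.upstream_fetches = 0   # how often a request had to go to the Internet

    def fetch_from_origin(self, url: str) -> str:
        """Stand-in for the proxy requesting the page with one of its own
        addresses; here it is a dictionary lookup instead of a connection."""
        host = urlparse(url).hostname
        self.upstream_fetches += 1
        if host not in self.origins:
            raise LookupError(f"no such host: {host}")
        return self.origins[host]

    def handle(self, user: str, url: str):
        """Return (status, body) for one user request."""
        host = urlparse(url).hostname
        if host is None or host in self.blocked:        # 1. filtering requirements
            status, body = "403 blocked by policy", ""
        elif url in self.cache:                          # 2. local cache lookup
            status, body = "200 (cache)", self.cache[url]
        else:                                            # 3. fetch on the user's behalf
            try:
                body = self.fetch_from_origin(url)
                self.cache[url] = body                   # 4. relate reply to request, store, forward
                status = "200 (origin)"
            except LookupError as exc:
                status, body = f"502 {exc}", ""
        self.access_log.append((user, url, status))
        return status, body


def demo():
    """Run four requests; the second is a cache hit for a different user."""
    proxy = ProxyServer(ORIGIN_SERVERS, BLOCKED_HOSTS)
    statuses = [
        proxy.handle("alice", "http://news.example/")[0],
        proxy.handle("bob", "http://news.example/")[0],
        proxy.handle("alice", "http://gambling.example/")[0],
        proxy.handle("carol", "http://nowhere.example/")[0],
    ]
    return statuses, proxy.upstream_fetches


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Bob's request for the same page is answered from the cache that Alice's request populated, which is the "cache can serve all users" advantage from the last bullet; only two of the four requests ever reach the Internet, and the blocked host is refused before any cache lookup or upstream fetch happens.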
5.3 IDS/IPS
• Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices.
• Incidents have many causes, such as malware (e.g., worms, spyware), attackers gaining unauthorized access to systems from the Internet, and authorized users of systems who misuse their privileges or attempt to gain additional privileges for which they are not authorized.
• Although many incidents are malicious in nature, many others are not; for example, a person might mistype the address of a computer and accidentally attempt to connect to a different system without authorization.
• An intrusion detection system (IDS) is software that automates the intrusion detection process.
• An intrusion prevention system (IPS) is software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents.
Key Functions of IDPS Technologies
• There are many types of IDPS technologies, which are differentiated primarily by the types of events that they can recognize and the methodologies that they use to identify incidents.
• In addition to monitoring and analyzing events to identify undesirable activity, all types of IDPS technologies typically perform the following functions:
 Recording information related to observed events.
 Notifying security administrators of important observed events.
 Producing reports.
• IPS technologies are differentiated from IDS technologies by one characteristic: IPS technologies can respond to a detected threat by attempting to prevent it from succeeding.
• They use several response techniques, which can be divided into the following groups:
 The IPS stops the attack itself.
 The IPS changes the security environment.
 The IPS changes the attack’s content.
Common Detection Methodologies
• IDPS technologies use several methodologies to detect incidents; the primary ones are signature-based, anomaly-based, and stateful protocol analysis.
• Most IDPS technologies use multiple detection methodologies, either separately or integrated, to provide broader and more accurate detection.
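The following added example (written for this chapter, not taken from the lecture or from any IDPS product) runs two of the methodologies just listed, signature-based and anomaly-based detection, over a handful of constructed log lines, and shows the three key functions (recording, notifying, reporting) together with the one thing that turns an IDS into an IPS: the response. The signatures, the failed-login baseline and every address and log line are constructed for illustration.

```python
"""Signature-based and anomaly-based detection over constructed log lines,
with the IPS response (blocking the source) kept separate from detection.

Added example. The events, signatures and baseline are constructed; a real
IDPS ships far larger rule sets and learns its baselines from traffic.
"""
import re
from collections import Counter

# constructed sample events: (timestamp, source ip, message)
EVENTS = [
    ("10:00:01", "10.0.0.8", "GET /index.html 200"),
    ("10:00:02", "10.0.0.8", "GET /about.html 200"),
    ("10:00:05", "198.51.100.7", "GET /images/../../config 404"),
    ("10:00:06", "198.51.100.7", "GET /robots.txt 200 BadBot/1.0"),
    ("10:00:09", "203.0.113.4", "sshd: Failed password for admin"),
    ("10:00:10", "203.0.113.4", "sshd: Failed password for admin"),
    ("10:00:11", "203.0.113.4", "sshd: Failed password for root"),
    ("10:00:12", "203.0.113.4", "sshd: Failed password for root"),
    ("10:00:13", "203.0.113.4", "sshd: Failed password for test"),
    ("10:00:20", "10.0.0.9", "sshd: Failed password for bob"),
    ("10:00:25", "10.0.0.9", "sshd: Accepted password for bob"),
]

# Signature-based: patterns of known-bad activity (both constructed here).
SIGNATURES = [
    ("SIG-001 directory traversal in request path", re.compile(r"/\.\./")),
    ("SIG-002 known scanner user agent", re.compile(r"BadBot/")),
]

# Anomaly-based: deviation from a baseline of normal behaviour.
FAILED_LOGIN = re.compile(r"Failed password for")
BASELINE_FAILED_LOGINS = 2  # constructed: a normal user rarely fails more than twice


def signature_alerts(events):
    """One alert per event that matches a signature."""
    return [{"time": ts, "source": src, "rule": name}
            for ts, src, msg in events
            for name, pattern in SIGNATURES if pattern.search(msg)]


def anomaly_alerts(events, baseline=BASELINE_FAILED_LOGINS):
    """One alert per source whose failed-login count exceeds the baseline."""
    failures = Counter(src for _, src, msg in events if FAILED_LOGIN.search(msg))
    return [{"source": src, "rule": f"ANOM failed logins {n} > baseline {baseline}"}
            for src, n in failures.items() if n > baseline]


class IDPS:
    """mode="ids" only records and notifies; mode="ips" also responds by
    blocking the source ("changes the security environment" in the text)."""

    def __init__(self, mode="ids"):
        self.mode = mode
        self.records = []        # function 1: record observed events
        self.notifications = []  # function 2: notify administrators
        self.blocked = set()     # IPS response state

    def process(self, events):
        self.records.extend(events)
        alerts = signature_alerts(events) + anomaly_alerts(events)
        for alert in alerts:
            self.notifications.append(alert)
            if self.mode == "ips":
                self.blocked.add(alert["source"])
        return alerts

    def report(self):
        """function 3: produce a report"""
        return {"events": len(self.records),
                "alerts": len(self.notifications),
                "blocked": sorted(self.blocked)}


if __name__ == "__main__":
    ids = IDPS("ids")
    ids.process(EVENTS)
    print("IDS:", ids.report())   # 3 alerts, nothing blocked
    ips = IDPS("ips")
    ips.process(EVENTS)
    print("IPS:", ips.report())   # same 3 alerts, two sources blocked
```

Both engines see the same three alerts (two signature hits from one source, one anomaly from another); the source with a single failed login stays under the baseline and produces nothing, which is the "many incidents are not malicious" case from the text. The only difference between the two runs is whether the response step is taken, matching the chapter's definition of an IPS as an IDS that can also attempt to stop the incident.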
5.4 Virtual Private Network
• A Virtual Private Network (VPN) allows a user to connect to a private network over the Internet securely and privately.
• A VPN creates an encrypted connection called a VPN tunnel, and all Internet traffic and communication is passed through this secure tunnel.
• A Virtual Private Network (VPN) is basically of 2 types:
1. Remote Access VPN: A Remote Access VPN permits a user to connect to a private network and access all its services and resources remotely.
• The connection between the user and the private network occurs through the Internet, and the connection is secure and private.
• Remote Access VPN is useful for both home users and business users.
2. Site to Site VPN: A Site-to-Site VPN is also called a Router-to-Router VPN and is commonly used in large companies. Companies or organizations with branch offices in different locations use Site-to-Site VPN to connect the network of one office location to the network at another office location.
• Intranet based VPN: When several offices of the same company are connected using the Site-to-Site VPN type, it is called an Intranet based VPN.
• Extranet based VPN: When companies use the Site-to-Site VPN type to connect to the office of another company, it is called an Extranet based VPN.
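To make the site-to-site description concrete, the added example below (written for this chapter, not code from the lecture or from any VPN product) models two gateway routers that encapsulate packets between their office networks inside an integrity-protected, encrypted tunnel, with an intranet peer (all services allowed) and an extranet peer (only HTTPS allowed). The gateway addresses, subnets and shared secrets are constructed; the keystream is derived with HMAC-SHA256 in counter mode as a stand-in for the authenticated cipher a real VPN protocol such as IPsec would use, and the framing is not IPsec's.

```python
"""Site-to-site VPN tunnel between two gateways, as in section 5.4.

Added example. Addresses, subnets, policy and secrets are constructed.
Confidentiality uses an HMAC-SHA256 counter-mode keystream and integrity a
separate HMAC, as a stand-in for a real VPN's authenticated cipher.
"""
import hashlib
import hmac
import json
import os


def subkeys(shared_secret: bytes):
    """Derive separate encryption and integrity keys from the tunnel secret."""
    enc = hmac.new(shared_secret, b"enc", hashlib.sha256).digest()
    mac = hmac.new(shared_secret, b"mac", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, i = b"", 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return blocks[:length]


def seal(secret: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag (encrypt-then-MAC, tag covers nonce and ciphertext)."""
    enc, mac = subkeys(secret)
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(secret: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify (tampered or wrong key)."""
    enc, mac = subkeys(secret)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(enc, nonce, len(ct))))


class Gateway:
    def __init__(self, public_ip, tunnels):
        """tunnels: remote prefix -> (peer public ip, shared secret, allowed dst ports or None)"""
        self.public_ip = public_ip
        self.tunnels = tunnels

    def send(self, inner: dict):
        """Encapsulate an inner packet for the tunnel that serves its destination."""
        for prefix, (peer_ip, secret, ports) in self.tunnels.items():
            if inner["dst"].startswith(prefix):
                if ports is not None and inner["dport"] not in ports:
                    return None  # extranet policy: partner may only reach listed services
                payload = seal(secret, json.dumps(inner).encode())
                return {"src": self.public_ip, "dst": peer_ip, "payload": payload}
        return None  # no tunnel for this destination: not forwarded

    def receive(self, outer: dict):
        """Recover the inner packet from a peer's tunnel packet, or None if it fails to verify."""
        for _prefix, (peer_ip, secret, _ports) in self.tunnels.items():
            if outer["src"] == peer_ip:
                plain = unseal(secret, outer["payload"])
                return None if plain is None else json.loads(plain)
        return None


SECRET_HQ_BRANCH = b"constructed-shared-secret-hq-branch"
SECRET_HQ_PARTNER = b"constructed-shared-secret-hq-partner"

hq = Gateway("192.0.2.1", {
    "10.2.": ("192.0.2.2", SECRET_HQ_BRANCH, None),         # intranet: own branch, all services
    "172.16.": ("198.51.100.9", SECRET_HQ_PARTNER, {443}),  # extranet: partner company, HTTPS only
})
branch = Gateway("192.0.2.2", {"10.1.": ("192.0.2.1", SECRET_HQ_BRANCH, None)})


def demo():
    file_share = {"src": "10.1.0.5", "dst": "10.2.0.7", "dport": 445}
    outer = hq.send(file_share)
    tampered = dict(outer, payload=bytes([outer["payload"][0] ^ 1]) + outer["payload"][1:])
    return {
        "on_wire": (outer["src"], outer["dst"], b"10.2.0.7" in outer["payload"]),
        "delivered": branch.receive(outer),
        "tampered": branch.receive(tampered),
        "partner_ssh": hq.send({"src": "10.1.0.5", "dst": "172.16.0.9", "dport": 22}),
        "partner_https_sent": hq.send({"src": "10.1.0.5", "dst": "172.16.0.9", "dport": 443}) is not None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=>", v)
```

On the wire only the two gateways' public addresses are visible and the inner addresses and ports are inside the encrypted payload, which is what "all communication is passed through this secure tunnel" means for a site-to-site link. The branch gateway recovers the original packet, refuses a payload whose tag no longer verifies, and the extranet policy lets the partner tunnel carry HTTPS but not SSH.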
Many Thanks!
