Chapter 5

Chapter 5 discusses the importance of firewalls and intrusion prevention systems in network security, detailing their functions, characteristics, and types. It emphasizes the need for a controlled perimeter to protect internal networks from external threats while outlining various firewall types, including packet filtering, stateful inspection, and application-level gateways. Additionally, the chapter highlights the limitations of firewalls and the necessity for robust security policies and regular updates.

Uploaded by Shreya

Chapter 5

INTRUSION PREVENTION: Firewalls and Intrusion Prevention Systems

By: Gaurav Prasad
Firewall
• Software and/or hardware that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
THE NEED FOR FIREWALLS
Notable developments:
• Centralized data processing system, with a central mainframe supporting a number of directly connected terminals
• Local area networks (LANs) interconnecting PCs and terminals to each other and the mainframe
• Premises network, consisting of a number of LANs, interconnecting PCs, servers, and perhaps a mainframe or two
• Enterprise-wide network, consisting of multiple, geographically distributed premises networks interconnected by a private wide area network (WAN)
• Internet connectivity, in which the various premises networks all hook into the Internet and may or may not also be connected by a private WAN
Firewall
• The firewall is inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter.
• The aim of this perimeter is to protect the premises network from Internet-based attacks and to provide a single choke point where security and auditing can be imposed.
• The firewall may be a single computer system or a set of two or more systems that cooperate to perform the firewall function.
• The firewall, then, provides an additional layer of defense, insulating the internal systems from external networks.
• This follows the classic military doctrine of “defense in depth,” which is just as applicable to IT security.
FIREWALL CHARACTERISTICS
The following are the design goals for a firewall:
1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall. Various configurations are possible.
2. Only authorized traffic, as defined by the local security policy, will be allowed to pass. Various types of firewalls are used, which implement various types of security policies.
3. The firewall itself is immune to penetration. This implies the use of a hardened system with a secured operating system. Trusted computer systems are suitable for hosting a firewall and are often required in government applications.
Firewall control techniques
• Service control: Determines the types of Internet services that can be accessed, inbound or outbound. The firewall may filter traffic on the basis of IP address, protocol, or port number; may provide proxy software that receives and interprets each service request before passing it on; or may host the server software itself, such as a Web or mail service.
• Direction control: Determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.
• User control: Controls access to a service according to which user is attempting to access it. This feature is typically applied to users inside the firewall perimeter (local users). It may also be applied to incoming traffic from external users; the latter requires some form of secure authentication technology, such as is provided in IPSec.
Cont..
• Behavior control: Controls how particular services are
used. For example, the firewall may filter e-mail to
eliminate spam, or it may enable external access to
only a portion of the information on a local Web server.
The following capabilities are within the scope of a firewall:
• A firewall defines a single choke point that attempts to keep
unauthorized users out of the protected network, prohibit
potentially vulnerable services from entering or leaving the
network, and provide protection from various kinds of IP spoofing
and routing attacks.
• A firewall provides a location for monitoring security-related events.
Audits and alarms can be implemented on the firewall system.
• A firewall is a convenient platform for several Internet functions
that are not security related. These include a network address
translator, which maps local addresses to Internet addresses, and a
network management function that audits or logs Internet usage.
Cont..
• A firewall can serve as the platform for IPSec. Using the tunnel mode capability, the firewall can be used to implement virtual private networks.
Limitations
• The firewall cannot protect against attacks that bypass the firewall.
Internal systems may have dial-out or mobile broadband capability
to connect to an ISP. An internal LAN may support a modem pool
that provides dial-in capability for traveling employees and
telecommuters.
• The firewall may not protect fully against internal threats, such as
a disgruntled employee or an employee who unwittingly
cooperates with an external attacker.
• An improperly secured wireless LAN may be accessed from outside
the organization. An internal firewall that separates portions of an
enterprise network cannot guard against wireless communications
between local systems on different sides of the internal firewall.
Cont..
• A laptop, PDA, or portable storage device may be used and infected outside the corporate network and then attached and used internally.

Note:
A firewall may act as a packet filter. It can operate as a positive filter, allowing to pass only
packets that meet specific criteria, or as a negative filter, rejecting any packet that meets
certain criteria
TYPES OF FIREWALLS
• Packet Filtering Firewall
• Stateful Inspection Firewalls
• Application-Level Gateway /Application proxy
• Circuit-Level Gateway /circuit-level proxy
Circuit-Level Gateway / circuit-level proxy
• Circuit-Level Gateways are specialized firewalls that operate at the
session layer, offering a unique approach to managing and securing
network traffic.
• A circuit level gateway is a solution designed to provide connection
security to internal and external computers in a network's session
layer.
• Its primary function is to manage and control the initiation and
termination of network sessions, thereby offering a unique form of
network security.
• These gateways establish a secure connection between the internal
network and the external network, typically the Internet.
• Once a session is established, the Circuit-Level Gateway Firewall
effectively masks the details of the internal network from the external
world. This is achieved by relaying packets without exposing the
internal IP addresses, thereby providing anonymity and added security.
Cont..
• They do not inspect the contents of each packet deeply;
instead, they validate the legitimacy of the session
based on pre-determined rules and criteria.
• By focusing on the session rather than the individual
packets, these gateways offer a balance between
security and performance, making them ideal for
environments where high throughput and reliable
connectivity are essential.
Circuit-Level Gateways: How They Work
Session Initiation Process:
• The session initiation process is the first step in the
operation of a Circuit-Level Gateway. When a request to
establish a network session is received, the gateway
scrutinizes the request to ensure it complies with the
network’s security protocols.
• This involves checking the source and destination
addresses, the protocol being used (TCP or UDP), and
other session initiation parameters.
• A circuit level gateway functions as a semi-transparent
bridge between a trusted internal network and an
untrusted external one.
• During operation, a circuit level gateway scrutinizes the TCP handshaking process to ensure the session initiation is genuine, from trusted clients or servers to trusted hosts and vice versa. If the initial handshake matches established security policies, the gateway permits the connection. It creates a virtual circuit for the duration of the session, across which all traffic is allowed to flow.
• This type of gateway maintains a table of all established
sessions and their corresponding security attributes. The
attributes include the source and destination IP
addresses and port numbers, as well as session specific
details such as timeouts. The gateway uses this
information to manage ongoing traffic, allowing or
disallowing data packets based on their session's
validity.
• While a circuit level gateway effectively confirms the validity of a TCP connection, it does not inspect the payload of the data packets. This means that if the session was established correctly, subsequent traffic, including potentially malicious content, could pass through without deeper inspection.
• A typical use of circuit-level gateways is a situation in which the system administrator trusts the internal users.
Circuit Level Gateway Features
• Session Layer Operation
• Privacy Preservation
• Standalone System
• Security Policy Enforcement
• Virtual Circuit Connection
• Reporting and Analysis
• 🔠 Mnemonic: "S.P.S.S.V.R" – "Super Private Sessions Shield Virtual Reports"
• 🧩 Breakdown of Each Term:
1. S – Session Layer Operation
📶 Operates at the Session Layer (Layer 5) of the OSI model to monitor the beginning and end of communication sessions.
2. P – Privacy Preservation
Masks internal IP addresses from the outside world, maintaining network anonymity.
3. S – Standalone System
🧱 Functions as an independent firewall unit, often between internal LAN and external networks like the Internet.
4. S – Security Policy Enforcement
✅ Ensures only authorized sessions are established based on configured rules and policies.
5. V – Virtual Circuit Connection
🔗 Establishes a trusted virtual circuit before data transfer – like building a temporary tunnel for communication.
6. R – Reporting and Analysis
📊 Can log and analyze session activity to detect abnormal behavior and enhance network monitoring.
• 🧠 Quick Visual to Remember:
• S.P.S.S.V.R.
"Super Private Sessions Shield Virtual Reports"
• A Circuit-Level Gateway is your silent protector, managing sessions like a bouncer, masking identities, enforcing rules, and keeping track of all
activity for your safety.
Circuit Level Gateway Benefits
• Enhanced Network Performance
• Simplified Configuration
• Cost Effectiveness
• Low Resource Utilization
• Streamlined Network Security
Implementation and Configuration
• Strategic Placement
• Robust Security Policies
• Regular Updates and Maintenance

Configuration Examples
• Session Timeout Settings: Configure session timeout
intervals to close inactive connections, reducing vulnerability
to unauthorized access.
• Allowed Protocols: Define which protocols (TCP/UDP) are
permitted and under what circumstances, aligning with the
organization’s network usage patterns.
Case Studies and Real-World
Applications
• Enterprise Networks: In corporate environments, Circuit-Level
Gateway Firewalls are integrated with other security systems to
provide fast and secure network access control, especially for
remote access scenarios.
• E-commerce Platforms: They are used to manage secure
sessions for transactions, balancing the need for security and
efficient data flow.

Three notable implementations of circuit-level gateways include SOCKS, IBM Db2
SOCKS is specified in RFC 1928.

SOCKS
• SOCKS consists of the following components:
• The SOCKS server, which often runs on a UNIX-based firewall.
• The SOCKS client library, which runs on internal hosts protected by the firewall.
• When a TCP-based client wishes to establish a connection to an object that is reachable
only via a firewall (such determination is left up to the implementation), it must open a
TCP connection to the appropriate SOCKS port on the SOCKS server system.
• The SOCKS service is located on TCP port 1080.
• If the connection request succeeds, the client enters a negotiation for the authentication
method to be used, authenticates with the chosen method, and then sends a relay
request.
• The SOCKS server evaluates the request and either establishes the appropriate
connection or denies it.
• UDP exchanges are handled in a similar fashion. In essence, a TCP connection is opened to authenticate a user to send and receive UDP segments, and the UDP segments are forwarded as long as the TCP connection is open.
Application-Level Gateway /Application proxy
• An application-level gateway, also called an application proxy , acts as a relay of
application-level traffic.
• The user contacts the gateway using a TCP/ IP application, such as Telnet or FTP, and the
gateway asks the user for the name of the remote host to be accessed.
• When the user responds and provides a valid user ID and authentication information, the
gateway contacts the application on the remote host and relays TCP segments containing
the application data between the two endpoints.
• If the gateway does not implement the proxy code for a specific application, the service is
not supported and cannot be forwarded across the firewall.
• Further, the gateway can be configured to support only specific features of an application
that the network administrator considers acceptable while denying all other features.
• 🔒 “No Proxy, No Passage” Rule
• If the gateway doesn't have the specific proxy code for an application, it cannot understand or forward the traffic, so that service is completely blocked by the firewall.
• 🧠 Think of It Like This:
• The ALG is like a translator — if it doesn’t speak the language (i.e., the application protocol), it can’t interpret the communication, so the message never gets delivered.
• 💡 Quick One-Liner to Recall:
• "Unsupported app = unsupported access. No proxy code, no entry through the firewall."
Stateful Inspection Firewalls
A stateful firewall is a network security device that monitors and maintains the
context of active connections to make decisions about which packets to allow
through.
• Stateful inspection firewalls permit or deny packets based on preestablished rules and the ongoing connection state. By operating up to Layers 3 and 4, they can prevent unwanted access and inspect the contents of incoming traffic for malicious code.
• Stateful inspection is a method used by firewalls to monitor and track the
characteristics of network connections, such as source and destination IP
addresses or port numbers.
• It records the state of each connection, monitoring for changes and using this
contextual information to make security decisions.
Cont..
• The process involves building and maintaining a state table that
logs every outgoing and incoming packet. Stateful inspection
analyzes the packet header to determine whether it is part of an
existing conversation or if it is a new request.
• If a packet does not match an existing connection in the state
table, it is evaluated against the set of defined firewall rules to
decide whether to allow it to pass.
• Some stateful firewalls also keep track of TCP sequence numbers
to prevent attacks that depend on the sequence number, such as
session hijacking. Some even inspect limited amounts of
application data for some well-known protocols like FTP, IM, and
SIPS commands, in order to identify and track related connections.
Packet filtering
• A packet filtering firewall applies a set of rules to each incoming and
outgoing IP packet and then forwards or discards the packet .
• Filtering rules are based on information contained in a network packet:
• Source IP address: The IP address of the system that originated the IP
packet (e.g., 192.178.1.1)
• Destination IP address: The IP address of the system the IP packet is
trying to reach (e.g., 192.168.1.2)
• Source and destination transport-level address: The transport-level (e.g.,
TCP or UDP) port number, which defines applications such as SNMP or
TELNET
• IP protocol field: Defines the transport protocol
• Interface: For a firewall with three or more ports, which interface of the
firewall the packet came from or which interface of the firewall the packet
is destined for
IPTABLES
iptables packet flow diagram
• The diagram shows the packet flow in the Linux Netfilter framework (iptables): the internal path a network packet takes as it passes through different stages (chains and tables) in the kernel’s packet filtering system.
• 🔄 High-Level Overview: the diagram shows how packets move through the various Netfilter hooks.
• Major Tables:
1. raw – used for configuring exemptions from connection tracking.
2. mangle – for specialized packet alterations (TTL, TOS, marks).
3. nat – for Network Address Translation (e.g., source/destination NAT).
4. filter – the actual firewall rules (accept, drop, reject).
• 🧭 Packet Flow (From Top to Bottom):
• ✅ Incoming Packets (FROM Network):
1. PREROUTING – First stop: any incoming packet goes here (mangle → raw → nat)
2. Routing Decision – Linux kernel checks if the packet is for the local system or to be forwarded.
   1. If for this host → goes to INPUT chain (mangle → filter → local process)
   2. If to be routed → goes to FORWARD chain (mangle → filter)
• Local Process Outbound Packets:
3. After local processing, packets go through OUTPUT (raw → mangle → nat → filter)
4. Then another Routing Decision
5. Then finally POSTROUTING (mangle → nat) → to network
• 🔁 Forwarded Packets:
• If packets are just being routed (not meant for this host), they go from: PREROUTING → Routing Decision → FORWARD → POSTROUTING → Network
• ❓ ip route add
• This relates to the Routing Decision box in the middle of the diagram. When you use ip route add <destination> via <gateway>, you are adding entries to the routing table that control how the Routing Decision is made.
• 💡 Example: ip route add 192.168.2.0/24 via 192.168.1.1 tells the kernel: "To reach the 192.168.2.0/24 network, forward packets via gateway 192.168.1.1."
• 🔂 Routing Decision Points (Red Boxes)
• There are three Routing Decision boxes:
1. After PREROUTING — determines if the packet is for the local machine or should be forwarded
2. After OUTPUT — decides how the locally generated packet is routed
3. Before POSTROUTING — confirms final routing before sending out
• Each is influenced by entries you create using ip route add.
• 🧠 To Remember the Flow:
• "PREROUTING → Routing → INPUT/OUTPUT/FORWARD → POSTROUTING"
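An added example, not from the slides and not iptables code: a Python model of the chain traversal described above. Packets from the network enter PREROUTING, pass the routing decision and go to INPUT or FORWARD; locally generated packets go OUTPUT → routing → POSTROUTING. The per-chain filter rules, the host addresses and the route list (what ip route add installs) are assumed, constructed values.

```python
"""Model of the iptables chain traversal in the diagram (constructed example,
not iptables itself): which chains a packet visits and the verdict from each
chain's filter rules.  Other tables are only noted in comments."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    from_local_process: bool = False   # True for packets a local process generates


class FilterChain:
    """One chain of the filter table: ordered (proto, dport, target) rules plus a policy."""

    def __init__(self, policy="DROP"):
        self.policy = policy
        self.rules = []

    def append(self, proto, dport, target):
        # Same idea as: iptables -A <CHAIN> -p <proto> --dport <dport> -j <target>
        self.rules.append((proto, dport, target))

    def verdict(self, pkt):
        for proto, dport, target in self.rules:
            if proto == pkt.proto and dport == pkt.dport:
                return target
        return self.policy                 # chain policy when no rule matches


class Netfilter:
    def __init__(self, local_addrs, routes):
        self.local_addrs = set(local_addrs)
        # routes: (destination, gateway) pairs, i.e. what "ip route add <dst> via <gw>"
        # installs; the longest prefix wins, as in the kernel's routing table
        self.routes = sorted(((ipaddress.ip_network(d), gw) for d, gw in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.chains = {"INPUT": FilterChain(), "FORWARD": FilterChain(),
                       "OUTPUT": FilterChain("ACCEPT")}

    def routing_decision(self, pkt):
        """'local' if the packet is for this host, else the gateway to use, else None."""
        if pkt.dst in self.local_addrs:
            return "local"
        for net, gw in self.routes:
            if ipaddress.ip_address(pkt.dst) in net:
                return gw
        return None

    def traverse(self, pkt):
        """Return (path, verdict): the chains visited in order and the final outcome."""
        path = []
        if pkt.from_local_process:
            path.append("OUTPUT")                 # raw -> mangle -> nat -> filter
            verdict = self.chains["OUTPUT"].verdict(pkt)
            if verdict != "ACCEPT":
                return path, verdict
            path.append("ROUTING")                # second routing decision
            next_hop = self.routing_decision(pkt)
        else:
            path += ["PREROUTING", "ROUTING"]     # first routing decision
            next_hop = self.routing_decision(pkt)
            if next_hop == "local":
                path.append("INPUT")              # mangle -> filter -> local process
                verdict = self.chains["INPUT"].verdict(pkt)
                if verdict == "ACCEPT":
                    path.append("LOCAL PROCESS")
                return path, verdict
            if next_hop is None:
                return path, "DROP (no route)"
            path.append("FORWARD")                # mangle -> filter
            verdict = self.chains["FORWARD"].verdict(pkt)
            if verdict != "ACCEPT":
                return path, verdict
        if next_hop is None or next_hop == "local":   # local-to-local delivery not modelled
            return path, "DROP (no route)"
        path += ["POSTROUTING", f"NETWORK via {next_hop}"]   # mangle -> nat, then out
        return path, "ACCEPT"
```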
Attacks that can be made on packet filtering
firewalls and the appropriate countermeasures
• IP address spoofing: The countermeasure is to discard packets with an inside source address if the packet arrives on an external interface. In fact, this countermeasure is often implemented at the router external to the firewall.
• Source routing attacks: A countermeasure is to discard all packets that use source routing information.
• Tiny fragment attacks :
• A tiny fragment attack can be defeated by enforcing a rule that the
first fragment of a packet must contain a predefined minimum amount
of the transport header. If the first fragment is rejected, the filter can
remember the packet and discard all subsequent fragments.
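As an added example (not from the slides), here is a toy stateful packet filter in Python that ties together the packet-filtering rule fields, the state table from the stateful inspection section, and the three countermeasures just listed: discarding packets with an inside source address that arrive on the external interface, discarding source-routed packets, and dropping tiny first fragments together with the later fragments of the same packet. The inside network 192.168.1.0/24, the interface names, the 16-byte minimum and the rule set are assumed values.

```python
"""Toy stateful packet filter (constructed example, not from the slides).
Assumed: inside network 192.168.1.0/24, interfaces "ext"/"int", and a
16-byte minimum of transport header required in a first fragment."""
import ipaddress
from dataclasses import dataclass

INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
MIN_FIRST_FRAGMENT_TRANSPORT_BYTES = 16


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp" or "udp"
    sport: int
    dport: int
    iface: str                  # interface the packet arrived on: "ext" or "int"
    syn: bool = False           # TCP SYN without ACK, i.e. a new connection attempt
    source_routed: bool = False
    frag_offset: int = 0        # 0 = first (or only) fragment
    transport_bytes: int = 40   # bytes of transport header carried in this fragment


@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    direction: str              # "in" (arrives on ext) or "out" (arrives on int)
    proto: str
    dst_net: str
    dport: int


class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()           # 5-tuples of connections allowed so far
        self.rejected_first = set()  # (src, dst) whose first fragment was discarded

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p):
        # Countermeasure 1: inside source address arriving on the external interface
        if p.iface == "ext" and ipaddress.ip_address(p.src) in INSIDE_NET:
            return "DROP spoofed inside source"
        # Countermeasure 2: discard every packet carrying source routing information
        if p.source_routed:
            return "DROP source routing"
        # Countermeasure 3: the first fragment must carry a minimum of the transport
        # header; later fragments of a packet whose first fragment was rejected go too
        if p.frag_offset == 0 and p.transport_bytes < MIN_FIRST_FRAGMENT_TRANSPORT_BYTES:
            self.rejected_first.add((p.src, p.dst))
            return "DROP tiny first fragment"
        if p.frag_offset > 0 and (p.src, p.dst) in self.rejected_first:
            return "DROP fragment of rejected packet"
        # Stateful check: part of an existing conversation in either direction?
        if self._key(p) in self.state or self._reverse_key(p) in self.state:
            return "ACCEPT established"
        # A TCP packet that is not a SYN and matches no state does not start a conversation
        if p.proto == "tcp" and not p.syn:
            return "DROP no matching state"
        # New connection: first matching rule wins; default deny
        direction = "in" if p.iface == "ext" else "out"
        for r in self.rules:
            if (r.direction == direction and r.proto == p.proto and r.dport == p.dport
                    and ipaddress.ip_address(p.dst) in ipaddress.ip_network(r.dst_net)):
                if r.action == "allow":
                    self.state.add(self._key(p))   # record it in the state table
                    return "ACCEPT new connection"
                return "DROP by rule"
        return "DROP default policy"
```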
FIREWALL BASING
• It is common to base a firewall on a stand-alone
machine running a common operating system, such
as UNIX or Linux. Firewall functionality can also be
implemented as a software module in a router or
LAN switch.
Bastion Host
• A bastion host serves as a platform for an application-level or circuit-level gateway. Common characteristics of a bastion host are as follows:
• The bastion host hardware platform executes a secure
version of its operating system, making it a hardened
system.
• Only the services that the network administrator
considers essential are installed on the bastion host.
These could include proxy applications for DNS, FTP,
HTTP, and SMTP.
• The bastion host may require additional authentication before a user is allowed access to the proxy services.
Host-Based Firewalls
• A host-based firewall is a software module used to secure an individual host. Such modules are available in many operating systems or can be provided as an add-on package. Like conventional stand-alone firewalls, host-resident firewalls filter and restrict the flow of packets. A common location for such firewalls is a server.
Personal Firewall
• A personal firewall controls the traffic between a
personal computer or workstation on one side and the
Internet or enterprise network on the other side.
Personal firewall functionality can be used in the home
environment and on corporate intranets.
• Typically, the personal firewall is a software module on
the personal computer. In a home environment with
multiple computers connected to the Internet, firewall
functionality can also be housed in a router that
connects all of the home computers to a DSL, cable
modem, or other Internet interface.
FIREWALL LOCATION AND CONFIGURATIONS
DMZ Networks

How it works (referring to the diagram):
1. 🌐 Internet → Boundary router → External firewall
2. External firewall allows access to DMZ servers (web, mail, DNS).
3. Internal firewall protects the Internal Protected Network (application servers, workstations).
4. Only strictly filtered traffic can go between the DMZ and the internal network.
Virtual Private Networks

Flow Summary
1. User System: Sends a secure IP packet using IPSec.
2. Over the Network: The secure IP packet travels encrypted across the public network.
3. Firewall with IPSec:
   1. Receives the secure IP packet.
   2. Authenticates and decrypts it.
   3. Reconstructs the original IP packet.
4. Destination System: Receives the plain IP packet safely.
Distributed Firewalls
INTRUSION PREVENTION SYSTEMS
• An IPS is an inline network-based IDS (NIDS) that has the capability to block traffic by discarding packets as well as simply detecting suspicious traffic. Alternatively, the IPS can monitor ports on a switch that receives all traffic and then send the appropriate commands to a router or firewall to block traffic. For host-based systems, an IPS is a host-based IDS that can discard incoming traffic.
• An IPS is a functional addition to a firewall that adds IDS types of algorithms to the repertoire of the firewall.
Host-Based IPS

• A host-based IPS (HIPS) makes use of both signature and anomaly detection techniques to identify attacks, i.e., signature-based and anomaly-based detection are the two main methods of identifying attacks.
• A signature-based IDS conducts ongoing monitoring of network traffic and
seeks out sequences or patterns of inbound network traffic that matches an
attack signature.
• An attack signature can be identified based on network packet headers,
destination or source network addresses; sequences of data that correspond
to known malware or other patterns, sequences of data or series of packets
that are known to be associated with a particular attack.
• 🔍 Host-Based Intrusion Prevention System (HIPS)
• A Host-Based Intrusion Prevention System (HIPS) utilizes both signature-based and anomaly-based detection techniques to
effectively identify and prevent cyberattacks on individual host systems.
• 🧩 Detection Techniques Used in HIPS:
• ✅ 1. Signature-Based Detection:
• This method continuously monitors network or host-level traffic for specific patterns or sequences that match known attack signatures.
• Attack signatures can include:
• Specific network packet headers.
• Recognized source or destination IP addresses.
• Payload patterns matching known malware.
• Series of packets or behaviors associated with previously identified attacks.
• 🧠 Example: Detecting a SQL injection attack by identifying a pattern like OR '1'='1' in HTTP requests.
• ⚠️ 2. Anomaly-Based Detection:
• In this method, HIPS learns what is considered normal behavior for the system or user.
• It then flags deviations from the norm that may indicate malicious activity.
• Useful for detecting zero-day attacks or new threats that don’t match any known signature.
• 🧠 Example: A sudden spike in CPU usage by an unknown process, or an authorized user accessing sensitive files at odd hours.
• ✅ Summary:
• HIPS offers a layered defense mechanism, combining the reliability of signature-based detection with the adaptability of anomaly-based detection to secure the host system from both known and unknown threats.
Anomaly-based IDS
It identifies intrusions by monitoring system activities and
categorizing them as either normal or anomalous.
Understanding typical behavior patterns to identify malicious
activity deviations helps in spotting potential threats.
• Anomaly-based IDS operates in two phases: training to
establish a normal behavior profile and testing to compare
ongoing activities against this profile. Establishing normal
behavior baselines allows these systems to detect deviations
that could signal malicious activity.
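Added example, not from the slides: a Python sketch of the two HIPS techniques described above, combining a signature match on patterns such as OR '1'='1' with an anomaly profile built in a training phase (the hours and directories each user normally touches) and applied in a testing phase. The training events, users, paths and request lines are constructed sample data.

```python
"""Toy HIPS combining the two detection techniques above (constructed example,
not from the slides): signatures over request lines, and an anomaly profile
learned in a training phase and checked in a testing phase."""
import re
from collections import defaultdict

# Signature phase: patterns of known attacks.  The first matches SQL tautologies
# such as OR '1'='1' (the same literal on both sides of '=', quoted or not).
SIGNATURES = [
    ("sqli-tautology", re.compile(r"(?i)\bor\s+('?)(\w+)\1\s*=\s*\1\2\1")),
    ("directory-traversal", re.compile(r"\.\./")),
]


def signature_detect(request_line):
    """Return the names of all signatures that match one request line."""
    return [name for name, rx in SIGNATURES if rx.search(request_line)]


def _directory(path):
    return path.rsplit("/", 1)[0] or "/"


class AnomalyDetector:
    """Per-user profile of normal hours and directories, learned from training events."""

    def __init__(self):
        self.profile = defaultdict(lambda: {"hours": set(), "dirs": set()})

    def train(self, events):
        # Training phase: events are (user, hour_of_day, file_path) observed as normal
        for user, hour, path in events:
            self.profile[user]["hours"].add(hour)
            self.profile[user]["dirs"].add(_directory(path))

    def test(self, user, hour, path):
        """Testing phase: list deviations from the user's profile (empty = normal)."""
        if user not in self.profile:
            return ["unknown user"]
        p = self.profile[user]
        reasons = []
        if hour not in p["hours"]:
            reasons.append(f"unusual hour {hour:02d}")
        if _directory(path) not in p["dirs"]:
            reasons.append(f"unusual directory {_directory(path)}")
        return reasons


# Constructed training data: alice works 09-17 in the app tree and her home directory
TRAINING = ([("alice", h, f"/srv/app/report{h}.txt") for h in range(9, 18)]
            + [("alice", h, "/home/alice/notes.txt") for h in range(9, 18)])


def analyze(detector, user, hour, path, request_line=""):
    """Combine both techniques into one alert list for a single host event."""
    alerts = [f"signature:{n}" for n in signature_detect(request_line)]
    alerts += [f"anomaly:{r}" for r in detector.test(user, hour, path)]
    return alerts
```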
The types of malicious behavior that a HIPS addresses include the following:
• Modification of system resources: Rootkits, Trojan
horses, and backdoors operate by changing system
resources, such as libraries, directories, registry settings,
and user accounts.
• Privilege-escalation exploits: These attacks attempt to
give ordinary users root access.
• Buffer-overflow exploits:
• Access to e-mail contact list:
• Directory traversal:
The following are areas for which a HIPS typically offers desktop protection:
• System calls:
• File system access:
• System registry settings:
• Host input/output:
Network-Based IPS
• A network-based IPS (NIPS) is in essence an inline NIDS with the authority to discard packets and tear down TCP connections. As with a NIDS, a NIPS makes use of techniques such as signature detection and anomaly detection.
General methods used by a NIPS
device to identify malicious packets
• Pattern matching:
• Protocol anomaly:
• Traffic anomaly:
• Statistical anomaly:
UNIFIED THREAT MANAGEMENT PRODUCTS
UTM appliance architecture
This diagram illustrates the architecture of a Unified Threat Management (UTM) Appliance, which is a comprehensive security solution integrating multiple security functions into a single device to monitor, analyze, and control network traffic from entry to exit.
🔄 Workflow Overview:
1. Raw Incoming Traffic enters the UTM appliance. Traffic passes through various processing and security layers.
2. The result is Clean Controlled Traffic sent to the internal network.
🧱 Main Components Explained:
🔁 Routing Module
• Manages the direction of incoming and outgoing data packets to ensure correct delivery.
🔐 VPN Module (Top & Bottom)
• Ensures secure communication channels using encrypted tunnels, for both incoming and outgoing traffic.
🧱 Firewall Module
• Acts as a gatekeeper by applying security rules to block or allow traffic based on IPs, ports, protocols, etc.
🧠 Data Analysis Engine (Central Core)
The heart of UTM that connects multiple engines and modules to:
• Correlate findings from different security components.
• Make real-time decisions on threats.
• Collaborate with the logging/reporting system.
⚙️ Security Engines Connected to the Core:
🦠 Antivirus Engine
• Scans for known malware signatures in files or traffic.
IDS (Intrusion Detection System) Engine
• Monitors for suspicious activities and alerts admins.
🚫 IPS (Intrusion Prevention System) Engine
• Blocks malicious activity detected in real time.
🧪 Heuristic Scan Engine
• Detects unknown or modified threats by behavior analysis and rules.
📉 Anomaly Detection Engine
• Identifies deviations from normal behavior, useful for detecting zero-day attacks.
🔍 Activity Inspection Engine
• Examines actions of users/applications to detect policy violations or insider threats.
🌐 Filtering & Additional Modules:
🌍 Web Filtering Module
• Blocks access to malicious or unwanted websites.
📧 Antispam Module
• Filters out junk or malicious emails.
📶 Bandwidth Shaping Module
• Controls bandwidth usage to prioritize important traffic and avoid congestion.
📊 Logging and Reporting Module
• Records all activities for:
The following functions are
1. Inbound traffic is decrypted if necessary before its initial inspection. If the device functions as a VPN boundary node, then IPSec decryption would take place here.
2. An initial firewall module filters traffic, discarding packets that violate rules and/or passing
packets that conform to rules set in the firewall policy.
3. Beyond this point, a number of modules process individual packets and flows of packets at various protocol levels. In this particular configuration, a data analysis engine is responsible for keeping track of packet flows and coordinating the work of antivirus, IDS, and IPS engines.
4. The data analysis engine also reassembles multipacket payloads for content analysis by the
antivirus engine and the Web filtering and antispam modules.
5. Some incoming traffic may need to be reencrypted to maintain security of the flow within the
enterprise network.
6. All detected threats are reported to the logging and reporting module, which is used to issue
alerts for specified conditions and for forensic analysis.
7. The bandwidth-shaping module can use various priority and quality-of-service (QoS)
algorithms to optimize performance.
As an example of the scope of a UTM appliance
END
