2. NETWORK DEFENCE TOOLS
• 1. Explain what is a computer network .
• 2. Explain what is a firewall.
• 3. List types of firewalls and explain in breif.
• 4. Difference between Packet Filter and Firewall
• 5. Write difference between stateless and statefull firewall.
• 6. Explain what is NAT.
• 7. What is port forwarding.
• 8. Difference between windows firewall and linux firewall
• 9. What is Intrution detection system
3. WHAT IS A COMPUTER NETWORK
A computer network is a group of computer systems and other computing hardware devices that are linked together
through communication channels to facilitate communication and resource-sharing among a wide range of users.
1. Local Area Networks (LAN)
2. Personal Area Networks (PAN)
3. Home Area Networks (HAN)
4. Wide Area Networks (WAN)
5. Campus Networks
6. Metropolitan Area Networks (MAN)
7. Enterprise Private Networks
8. Internetworks
9. Backbone Networks (BBN)
10. Global Area Networks (GAN)
11. The Internet
4.
5. NETWORKS ARE USED TO
1. Facilitate communication via email, video conferencing,
instant messaging, etc.
2. Enable multiple users to share a single hardware device
like a printer or scanner
3. Enable file sharing across the network
4. Allow for the sharing of software or operating programs
on remote systems
5. Make information easier to access and maintain among
network users
6. WHAT IS A FIREWALL
A firewall is software or hardware that checks information coming from the Internet or a network, and
then either blocks it or allows it to pass through to your computer, depending on your firewall settings.
A choke point of control and monitoring
Interconnects networks with differing trust
Imposes restrictions on network services
only authorized traffic is allowed
Auditing and controlling access
can implement alarms for abnormal behavior
Itself immune to penetration
Provides perimeter defence
10. FIREWALLS – PACKET FILTERS
Simplest of components
Uses transport-layer information only
IP Source Address, Destination Address
Protocol/Next Header (TCP, UDP, ICMP, etc)
TCP or UDP source & destination ports
TCP Flags (SYN, ACK, FIN, RST, PSH, etc)
ICMP message type
Examples
DNS uses port 53
No incoming port 53 packets except known trusted servers
11. USAGE OF PACKET FILTERS
• Filtering with incoming or outgoing interfaces
• E.g., Ingress filtering of spoofed IP addresses
• Egress filtering
• Permits or denies certain services
• Requires intimate knowledge of TCP and UDP port utilization on a number of operating systems
12. Every ruleset is followed by an implicit rule
reading like this.
Example 1:
Suppose we want to allow inbound mail
(SMTP, port 25) but only to our gateway
machine. Also suppose that mail from some
particular site SPIGOT is to be blocked.
13. Solution 1:
Example 2:
Now suppose that we want to implement the
policy “any inside host can send mail to the
outside”.
14. Solution 2:
This solution allows calls to come from any
port on an inside machine, and will direct them
to port 25 on the outside. Simple enough…
So why is it wrong?
15. The ACK signifies that the packet is part of an
ongoing conversation
Packets without the ACK are connection
establishment messages, which we are only
permitting from internal hosts
16. SECURITY & PERFORMANCE OF PACKET FILTERS
IP address spoofing
Fake source address to be trusted
Add filters on router to block
Tiny fragment attacks
Split TCP header info over several tiny packets
Either discard or reassemble before check
Degradation depends on number of rules applied at any point
Order rules so that most common traffic is dealt with first
Correctness is more important than speed
17. FIREWALLS – STATEFUL PACKET FILTERS
Traditional packet filters do not examine higher layer context
ie matching return packets with outgoing flow
Stateful packet filters address this need
They examine each IP packet in context
Keep track of client-server sessions
Check each packet validly belongs to one
Hence are better able to detect bogus packets out of context
19. PROXY FIREWALLS
• A proxy firewall is a network security system that protects network resources by filtering messages at
the application layer. A proxy firewall may also be called an application firewall or gateway firewall.
20. FIREWALL GATEWAYS
Firewall runs set of proxy programs
Proxies filter incoming, outgoing packets
All incoming traffic directed to firewall
All outgoing traffic appears to come from firewall
Policy embedded in proxy programs
Two kinds of proxies
Application-level gateways/proxies
Tailored to http, ftp, smtp, etc.
Circuit-level gateways/proxies
Working on TCP level
22. APPLICATION-LEVEL FILTERING
Has full access to protocol
user requests service from proxy
proxy validates request as legal.
then actions request and returns result to user
Need separate proxies for each service
E.g., SMTP (E-Mail)
NNTP (Net news)
DNS (Domain Name System)
NTP (Network Time Protocol)
custom services generally not supported
24. ENFORCE POLICY FOR SPECIFIC PROTOCOLS
• E.g., Virus scanning for SMTP
• Need to understand MIME, encoding, Zip archives
25. NETWORK LAYER FIREWALLS
In Figure 1, a network layer firewall called a ``screened host firewall'' is represented.
In a screened host firewall, access to and from a single host is controlled by means of a
router operating at a network layer. The single host is a bastion host; a highly-defended
and secured strong-point that (hopefully) can resist attacks.
26. In figure 2, a network layer firewall called a ``screened subnet firewall''
is represented. In a screened subnet firewall, access to and from a whole network is controlled by means
of a router operating at a network layer. It is similar to a screened host, except that it is, effectively, a
network of screened hosts.
27. APPLICATION LAYER FIREWALLS
Application layer firewalls are hosts that run proxy servers, which permit no traffic directly between
networks, and they perform elaborate logging and examination of traffic passing through them.
Since proxy applications are simply software running on the firewall, it is a good place to do logging
and access control.
Application layer firewalls can be used as network address translators, since traffic goes in one side
and out the other after having passed through an application that effectively masks the origin of
the initiating connection.
28. DUAL-HOME GATEWAY
In figure 3, an application layer firewall called a ``dual homed gateway'' is represented.
A dual homed gateway is a highly secured host that runs proxy software. It has two network interfaces,
one on each network, and blocks all traffic passing through it.
29. FIREWALLS AREN’T PERFECT?
• Useless against attacks from the inside
• Evildoer exists on inside
• Malicious code is executed on an internal machine
• Organizations with greater insider threat
• Banks and Military
• Protection must exist at each layer
• Assess risks of threats at every layer
• Cannot protect against transfer of all virus infected programs or files
• because of huge range of O/S & file types
30. UNIFIED THREAT MANAGEMENT
Unified Threat Management (UTM) is an all-in-one network security solution.
UTM provides multiple security features (firewalling, intrusion prevention, anti-virus, etc.)
without the complexity that comes with managing multiple security vendors.
31. PACKET FILTER
packet filtering is the process of passing or
blocking packets at a network interface based
on source and destination addresses, ports,
or protocols.
The process is used in conjunction with
packet mangling and Network Address
Translation (NAT).
Packet filtering is often part of a firewall
program for protecting a local network from
unwanted intrusion.
FIREWALL
packet filtering is the process of passing or
blocking packets at a network interface based
on source and destination addresses, ports,
or protocols.
The process is used in conjunction with
packet mangling and Network Address
Translation (NAT).
Packet filtering is often part of a firewall
program for protecting a local network from
unwanted intrusion.
32. NETWORK ADDRESS TRANSLATION
• RFC-1631
• A short term solution to the problem of the
depletion of IP addresses
• Long term solution is IP v6 (or whatever is finally
agreed on)
• CIDR (Classless InterDomain Routing ) is a possible
short term solution
• NAT is another
• NAT is a way to conserve IP addresses
• Hide a number of hosts behind a single IP address
• Use:
• 10.0.0.0-10.255.255.255,
• 172.16.0.0-172.32.255.255 or
• 192.168.0.0-192.168.255.255 for local networks
33. Network Address Translation (NAT) is a way to map an entire network (or networks) to a single IP
address. NAT is necessary when the number of IP addresses assigned to you by your Internet
Service Provider is less than the total number of computers that you wish to provide Internet
access for.
34. PORT FORWARDING
port forwarding or port mapping is an application of network address
translation (NAT) that redirects a communication request from one address and
port number combination to another while the packets are traversing a network
gateway, such as a router or firewall.
1. Local port forwarding
2. Remote port forwarding
3. Dynamic port forwarding
35.
36. HACKING THROUGH NAT
Static Translation
offers no protection of internal hosts
Internal Host Seduction
internals go to the hacker
e-mail attachments – Trojan Horse virus’
peer-to-peer connections
hacker run porn and gambling sites
solution = application level proxies
State Table Timeout Problem
hacker could hijack a stale connection before it is timed out
very low probability but smart hacker could do it
Source Routing through NAT
if the hacker knows an internal address they can source route a packet to that
host
solution is to not allow source routed packets through the firewall
37. TYPES OF FIREWALLS
1. Network layer firewalls:
Network layer firewalls generally make their decisions based on the source address, destination
address and ports in individual IP packets
2. Application layer firewalls:
Application layer firewalls are hosts that run proxy servers, which permit no traffic directly between
networks, and they perform elaborate logging and examination of traffic passing through them.
3. Proxy firewalls
Proxy firewalls offer more security than other types of firewalls, but at the expense of speed and
functionality, as they can limit which applications the network supports.
4. Unified threat management
A new category of network security products -- called unified threat management (UTM) -- promises
integration, convenience and protection from pretty much every threat out there
38. INTRUTION DETECTION SYSTEM
An intrusion detection system (IDS) is a device or software application that monitors
network or system activities for malicious activities or policy violations and produces
reports to a management station.
1. Anomaly Detection
2. Signature Based Detection
39. ALERTS
• Burglar Alert/Alarm: A signal suggesting that a system has been or is being attacked.
• Detection Rate: The detection rate is defined as the number of intrusion instances detected by the system
(True Positive) divided by the total number of intrusion instances present in the test set.
• False Alarm Rate: defined as the number of 'normal' patterns classified as attacks (False Positive) divided by
the total number of 'normal' patterns.
• ALERT TYPE:-
• True Positive: : Attack - Alert
• False Positive: : No attack - Alert
• False Negative: : Attack - No Alert
• True Negative: : No attack - No Alert