Network defenses include tools like firewalls, VPNs, and intrusion detection systems that help secure networks and protect them from cyber attacks. Firewalls act as barriers that control incoming and outgoing network traffic according to security policies. VPNs extend private networks over public networks through secure tunnels. Intrusion detection systems monitor network traffic and detect suspicious activity. Denial of service attacks aim to make network services unavailable by overwhelming them with malicious traffic. Distributed denial of service attacks use multiple compromised systems to launch large-scale attacks.

1. Network Defenses

2. Index
• Network defense tools
• Secure protocols
• Firewall
• VPN
• Tor
• I2P
• IDS
• DoS

3. Computer network defense
• Computer network defense is primarily a form of cyber
security and an information assurance measure for securing
military and government information systems from threatening
cyber attacks and intrusions.
• Key objective of CND is to ensure that no unauthorized,
illegitimate or malicious traffic, user or application is given
access to a confidential IT environment/network.

4. Network defense tools
• Intrusion detection system
• Intrusion prevention system
• Firewalls
• Anti-malware
• Traffic shaping and many more.

5. Secure protocols
• The rapid growth of the internet has created a growing demand
for security and privacy in this electronic communication
channel.
• The call for and desire for security and privacy has led to
several security protocols and standards.
• Among these are: Secure Socket Layer (SSL) and Transport
Layer Security (TLS) Protocols; secure IP (IPSec); Secure
HTTP (S-HTTP), secure E-mail ( PGP and S/MIME),
DNDSEC, SSH, and others.

6. Contd…
• Application Layer:
– PGP
– S/MIME
– S-HTTP
– HTTPS
– SET
– KERBEROS
• Transport Layer:
– SSL
– TLS

7. • Network Layer:
– IPSec
– VPN
• Data Link Layer:
– PPP
– RADIUS
– TACACS+

8. Firewalls
• A firewall forms a barrier through which the traffic going in
each direction must pass.
• A firewall security policy dictates which traffic is authorized to
pass in each direction.
• A firewall may be designed to operate as a filter at the level of
IP packets, or may operate at a higher protocol layer.

9. Need of firewall
• Internet connectivity is no longer optional for organizations.
The information and services available are essential to the
organization.
• Internet enables the outside world to reach and interact with
local network assets. Which creates a threat to the
organization.
• When a security flaw iscdiscovered, each potentially affected
system must be upgraded to fix that flaw.
• This is possible and is necessary if only host-based security is
used.
• A widely accepted alternative or at least complement to host-
based security services is the firewall.

10. • The firewall is inserted between the premises network and the
Internet to establish a controlled link and to erect an outer
security wall or perimeter.
• The aim of this perimeter is to protect the premises network
from Internet-based attacks and to provide a single choke point
where security and auditing can be imposed.
• The firewall may be a single computer system or a set of two
or more systems that cooperate to perform the firewall
function.

11. Capabilities of Firewall
• A firewall defines a single choke point that keeps unauthorized
users out of the protected network, prohibits potentially
vulnerable services from entering or leaving the network, and
provides protection from various kinds of IP spoofing and
routing attacks.
• A firewall provides a location for monitoring security-related
eventsAudits and alarms can be implemented on the firewall
system.
• A firewall is a convenient platform for several Internet
functions that are not security related. These include a network
address translator, which maps local addresses to Internet
addresses and a network management function that audits or
logs Internet usage.

12. • A firewall can serve as the platform for IPsec. Using the tunnel
mode capability, the firewall can be used to implement virtual
private networks.

13. Types of Firewall
• Firewall are of following types:
– Packet firewall
– Application proxy firewall
– Stateful inspection firewall
– Circuit- level proxy firewall

14. Packet Firewall
Application
Transport
Internet
Network Access
Physical
End-to-end
transport conn.
End-to-end
transport conn.
Figure:-Packet
filtering firewall

15. Packet Firewall
• A packet filtering firewall applies a set of rules to each
incoming and outgoing IP packet and then forwards or
discards the packet.
• The firewall is typically configured to filter packets going in
both directions (from and to the internal network).
• Filtering rules are based on information contained in a
network packet:
– Source IP address
– Destination IP address
– Source and destination transport-level address
– IP protocol field
– Interface

16. • Typically set up as a list of rules based on matches to fields in
the IP or TCP header. If there is a match to one of the rules,
that rule is invoked to determine whether to forward or discard
the packet. If there is no match to any rule, then a default
action is taken.
– Default = discard: That which is not expressly permitted is prohibited.
– Default = forward: That which is not expressly prohibited is
permitted.
• Initially, everything is blocked, and services must be
added on a case-by-case basis.

17. • Visibility to users diminishes as rules are created.
• The default forward policy increases ease of use for
end users but provides reduced security.

18. Attack on packet firewall
• IP address spoofing
• Source routing attack
• Tiny fragment attack

19. Stateful Inspection Firewall
• when an application that uses TCP creates a session with a
remote host, it creates a TCP connection in which the TCP port
number for the remote (server) application is a number less
than 1024.
• TCP port number for the local application is a number between
1024 and 65535.
• The numbers less than 1024 are the “well-known” port
numbers and are assigned permanently to particular
applications.

20. • A simple packet filtering firewall must permit inbound
network traffic on all these high-numbered ports for TCP-
based traffic to occur.
• This creates a vulnerability that can be exploited by
unauthorized users.
• This firewall tightens up the rules for TCP traffic by creating a
directory of outbound TCP connections.
• It reviews the same packet information as a packet filtering
firewall, but also records information about TCP connections.

21. Application
Transport
Internet
Network Access
Physical
End-to-end
transport conn.
End-to-end
transport conn.
State
info.
Figure:-Stateful
Inspection firewall

22. Application Proxy Firewall
Application
Transport
Internet
Network Access
Physical
Application
Transport
Internet
Network Access
Physical
Internal
transport
conn.
External
transport
conn.
Application proxy

23. Application Proxy Firewall
• Also known as application level gateway.
• acts as a relay of application-level traffic.
• The user contacts the gateway using a TCP/IP application,
such as Telnet or FTP, and the gateway asks the user for the
name of the remote host to be accessed.
• When the user responds and provides a valid user ID and
authentication information, the gateway contacts the
application on the remote host and relays TCP segments
containing the application data between the two endpoints.

24. • If the gateway does not implement the proxy code for a
specific application, the service is not supported and cannot be
forwarded across the firewall.
• It tend to be more secure than packet filters.
• A prime disadvantage of this type of gateway is the additional
processing overhead on each connection.

25. Circuit-level Proxy Firewall
Application
Transport
Internet
Network Access
Physical
Application
Transport
Internet
Network Access
Physical
Internal
transport
conn.
External
transport
conn.
Circuit level proxy

26. Circuit level proxy Firewall
• This can be a stand-alone system or it can be a specialized
function performed by an application-level gateway for certain
applications.
• It does not permit an end-to-end TCP connection.
• The gateway sets up two TCP connections
– one between itself and a TCP user on an inner host and
– one between itself and a TCP user on an outside host.
• Once the two connections are established, the gateway
typically relays TCP segments from one connection to the
other without examining the contents.

27. • A typical use of circuit-level gateways is a situation in which
the system administrator trusts the internal users.
• Example of a circuit-level gateway implementation is the
SOCKS package.
– designed to provide a framework for client-server applications in both
the TCP and UDP domains to conveniently and securely use the
services of a network firewall.
– The protocol is conceptually a “shim-layer” between the application
layer and the transport layer, and as such does not provide network
layer gateway services, such as forwarding of ICMP messages.

28. • SOCKS consists of the following components:
– The SOCKS server, which often runs on a UNIX-based firewall.
SOCKS is also implemented on Windows systems.
– The SOCKS client library, which runs on internal hosts protected by
the firewall.
– SOCKS-ified versions of several standard client programs such as FTP
and TELNET.
• The implementation of the SOCKS protocol typically
involves either the relinking of TCP-based client
applications, or the use of alternate dynamically loaded
libraries, to use the appropriate encapsulation outines in
the SOCKS library.

29. Limitation of Firewall
• The firewall cannot protect against attacks that bypass the
firewall.
• The firewall may not protect fully against internal threats, such
as a disgruntled employee or an employee who unwittingly
cooperates with an external attacker.
• An improperly secured wireless LAN may be accessed from
outside the organization. An internal firewall that separates
portions of an enterprise network cannot guard against
wireless communications between local systems on different
sides of the internal firewall.
• Infected device that are then attached and used internally.

30. Virtual Private Network
• Extends a private network across a public network, and
enables users to send and receive data across shared or public
networks.
• Applications running across a VPN may therefore benefit from
the functionality, security, and management of the private
network.
• How security is ensured?
• Use of secure tunnel
• Authentication method – to gain access to vpn

31. Tunneling
• A virtual point-to-point connection
made through a public network. It transports
encapsulated datagrams.
Two types of end points:
-Remote Access
- Site-to-Site

32. Site-to-site VPNs

33. How VPN works
• Two connections – one is made to the Internet and the
second is made to the VPN.
• Datagrams – contains data, destination and source
information.
• Firewalls – VPNs allow authorized users to pass
through the firewalls.
• Protocols – protocols create the VPN tunnels.

34. Four critical functions
• Authentication – validates that the data was sent from
the sender.
• Access control – limiting unauthorized users from
accessing the network.
• Confidentiality – preventing the data to be read or
copied as the data is being transported.
• Data Integrity – ensuring that the data has not been
altered

35. Secure VPN protocols
• Internet Protocol Security (Ipsec)
• Transport Layer Security (SSL/TLS)
• Datagram Transport Layer Security (DTLS)
• Microsoft Point-to-Point Encryption (MPPE)
• Microsoft Secure Socket Tunneling Protocol (SSTP)
• Multi Path Virtual Private Network (MPVPN)
• Secure Shell (SSH) VPN

36. VPN Basic architechture

37. Types of VPN
• The security of VPN technologies falls into three types: trusted
VPNs, secure VPNs, and hybrid VPNs.
 Trusted VPNs
 In these VPNs a customer trusted the VPN provider to safeguard his or
her privacy and security by maintaining the integrity of the circuits.
This security is based on trust.
 Secure VPN
 Networks that are constructed using encryption are called secure VPNs.
Secure VPNs are more secure than trusted VPNs.
 Hybrid VPNs
 Hybrid VPN is the newest type of VPN technologies that substitutes the
Internet for the telephone system as the underlying structure for
communications.

38. Tor
• Tor is free software for enabling anonymous communication.
• Using Tor makes it more difficult to trace Internet activity to
the user.
• Tor's intended use is to protect the personal privacy of its
users, as well as their freedom and ability to conduct
confidential communication by keeping their Internet activities
from being monitored.
• An adversary may try to de-anonymize the user by some
means. One way this may be achieved is
by exploiting vulnerable software on the user's computer.

39. History
• Created by the US Naval Research Lab.
• The reasons for the government's involvement in the Tor
Project are as confusing as they are schizophrenic
• The government wants to continue to use the Tor network to
obfuscate the source of its attacks, to infiltrate civil rights
movements, and to enable its spies to communicate
intelligence securely and effectively.
• On the other hand, they gave the public a tool that would allow
anyone to obfuscate the source of their attacks and hide, or
information, from the government.

40. Working of Tor

41. Contd…

42. Contd…

43. Circuit Establishment

44. Onion Routing
• A circuit is built incrementally one hop by one hop
• Onion-like encryption
– Alice negotiates an AES key with each router
– Each router knows only its predecessor and successor
– Only the Exit router (OR3) can see the message, however it does not
know where the message is from.

45. Figure:Onion Routing

46. Vulnerability in Tor
• Exit Node Vulnerability
• Keyloggers, Malware and Spyware on the client
machine
• Keyloggers, Malware and Spyware on the server
machine
• Compromized Exit nodes created by governments
• Hackers hack hackers! Tor network is full of them
• ISP's may be able to apply correlation attacks

47. I2P
• I2P-Invisible Internet Project
• It is an anonymous overlay network - a network within a
network.
• It is intended to protect communication from dragnet
surveillance and monitoring by third parties such as ISPs.
• Used by many people who care about their privacy: activists,
oppressed people, journalists and whistleblowers, as well as
the average person.
• The continued goal of I2P is to make attacks more and more
difficult to mount.
• I2P is available on desktops, embedded systems (like the
Raspberry Pi) and Android phones.

48. What can you do with I2P
• Email:-Integrated web mail interface, plugin for serverless
email.
• Web browsing:- Anonymous websites, gateways to and from
the public Internet.
• Blogging and forums:- Blogging and Syndie plugins.
• Website hosting:-Integrated anonymous web server.
• Real-time chat:- Instant messaging and IRC clients.
• File sharing:- ED2K and Gnutella clients, integrated
BitTorrent client.
• Decentralized file storage:- Tahoe-LAFS distributed
filesystem plugin

49. Intrusion Detection System
• IDS is a system that monitors network traffic for suspicious
activity and issues alerts when such activity is discovered.
• Anomaly detection and reporting is the primary function.
• Some intrusion detection systems are capable of taking actions
when malicious acitivity or anomalous traffic is detected,
including blocking traffic sent from suspicious IP addresses.
• They are also prone to false alarms (false positives).

50. Types of IDS
• Network intrusion detection system (NIDS)
– It is deployed at a strategic point or points within the network
– monitor inbound and outbound traffic to and from all the devices on
the network.
• Host intrusion detection systems (HIDS)
– It run on all computers or devices in the network with direct access to
both the internet and the enterprise internal network.
• Signature-based intrusion detection systems
– It monitor all the packets traversing the network and compares them
against a database of signatures or attributes of known malicious
threats, much like antivirus software.

51. • Anomaly-based intrusion detection systems
– monitor network traffic and compare it against an established baseline
to determine what is considered normal for the network with respect to
bandwidth, protocols, ports and other devices.
– This type of IDS alerts administrators to potentially malicious activity.

52. How HIDS different from NIDS
• HIDS have an advantage over NIDS that they may be able to
detect anomalous network packets that originate from inside
the organization or malicious traffic that a NIDS has failed to
detect.
• HIDS may also be able to identify malicious traffic that
originates from the host itself, as when the host has been
infected with malware and is attempting to spread to other
systems.

53. Contd…
• In HIDS, anti-threat applications such as firewalls, antivirus
software and spyware-detection programs are installed on
every network computer while in NIDS, anti-threat software is
installed only at specific points such as servers.

54. Denial of Service
• Objective  make a service unusable, usually by
overloading the server or network
• Consume host resources
– TCP SYN floods
– ICMP ECHO (ping) floods
• Consume bandwidth
– UDP floods
– ICMP floods

55. Denial of Service
• Crashing the victim
– Ping-of-Death
– TCP options (unused, or used incorrectly)
• Forcing more computation
– Taking long path in processing of packets

56. Simple Dos
• The Attacker usually spoofed source address to hide origin
• Easy to block
Attacker
Victim Victim Victim

57. Coordinate DOS
• The first attacker attacks a different victim to cover up the real
attack
• The Attacker usually spoofed source address to hide origin
• Harder to deal with
AttackerAttackerAttacker
VictimVictimVictim

58. Distributed DOS
• DDoS attacks present a significant security threat to
corporations.
• In this attack, an attacker is able to recruit a number
of hosts throughout the Internet to simultaneously or
in a coordinated fashion launch an attack upon the
target.
• When this attack comes from a single host or network
node, then it is simply referred to as a DoS attack

59. Attacker
Handler Handler
AgentAgent Agent Agent Agent
Victim

60. DDoS Attack Description
• A DDoS attack attempts to consume the target’s resources so
that it cannot provide service.
• the resource consumed is either an internal host resource on
the target system or data transmission capacity in the local
network to which the target is attacked.
• A simple example of an internal resource attack is the SYN
flood attack.

61. Internet Target
Web
ServerAttacker
Slave
1
Slave
2
Slave
3
1
2
3

62. 1. The attacker takes control of multiple hosts over the Internet,
instructing them to contact the target Web server.
2. The slave hosts begin sending TCP/IP SYN
(synchronize/initialization) packets, with erroneous return IP
address information, to the target.
3. Each SYN packet is a request to open a TCP connection. For
each such packet, the Web server responds with a SYN/ACK
(synchronize/acknowledge) packet, trying to establish a TCP
connection with a TCP entity at a spurious IP address. The
Web server maintains a data structure for each SYN request
waiting for a response back and becomes bogged down as
more traffic floods in.The result is that legitimate
connections are denied while the victim machine is waiting to
complete bogus “half-open” connections.

63. • Attack that consumes data transmission resources.
1. The attacker takes control of multiple hosts over the
Internet, instructing them to send ICMP ECHO
packets3 with the target’s spoofed IP address to a
group of hosts that act as reflectors, as described
subsequently.
2. Nodes at the bounce site receive multiple spoofed
requests and respond by sending echo reply packets
to the target site.
3. The target’s router is flooded with packets from the
bounce site, leaving no data transmission capacity
for legitimate traffic.

64. Classify DDOS attack
• Direct DDoS attack
– The attacker is able to implant zombie software on a
number of sites distributed throughout the Internet.
– The DDoS attack involves two levels of zombie machines:
master zombies and slave zombies.
– The hosts of both machines have been infected with
malicious code.
– The attacker coordinates and triggers the master zombies,
which in turn coordinate and trigger the slave zombies.
– The use of two levels of zombies makes it more difficult to
trace the attack back to its source and provides for a more
resilient network of attackers.

65. • Reflector DDoS attack
– In this type of attack, the slave zombies construct packets
requiring a response that contains the target’s IP address as
the source IP address in the packet’s IP header.
– These packets are sent to uninfected machines known as
reflectors.
– The uninfected machines respond with packets directed at
the target machine.

66. – A reflector DDoS attack can easily involve more machines
and more traffic than a direct DDoS attack and hence be
more damaging.
– Tracing back the attack or filtering out the attack packets is
more difficult because the attack comes from widely
dispersed uninfected machines.

67. DDOS Countermeasures
• Attack prevention and preemption (before the
attack):
– These mechanisms enable the victim to endure
attack attempts without denying service to
legitimate clients.
– Techniques include enforcing policies for resource
consumption and providing backup resources
available on demand.
– In addition, prevention mechanisms modify
systems and protocols on the Internet to reduce the
possibility of DDoS attacks.

68. • Attack detection and filtering (during the attack):
– These mechanisms attempt to detect the attack as it
begins and respond immediately.
– This minimizes the impact of the attack on the
target.
– Detection involves looking for suspicious patterns
of behavior.
– Response involves filtering out packets likely to be
part of the attack.

69. • Attack source traceback and identification (during
and after the attack):
– This is an attempt to identify the source of the
attack as a first step in preventing future attacks.
– However, this method typically does not yield
results fast enough, if at all, to mitigate an ongoing
attack.