SlideShare a Scribd company logo
1 of 26
Download to read offline
NETWORK SECURITY
(18EC821)
Dr. Shivashankar
Professor
Department of Electronics & Communication
Engineering
RRIT, Bangalore
1
Dr. Shivashankar, E&CE, RRIT
Course Outcomes
After Completion of the course, student will be able to:
▪Explain network security services and mechanisms and explain security
concepts.
▪Understand the concept of Transport Level Security and Secure Socket
Layer.
▪Explain security concerns in Internet Protocol Security.
▪Explain Intruders, Intrusion detection and Malicious Software.
▪Describe Firewalls, Firewall characteristics, Biasing and Configuration.
▪Text Book:
1. Cryptography and Network Security Principles and Practice, Pearson
Education Inc., William Stallings 5th Edition, ISBN: 978-81-317-6166-3.
2. Cryptography and Network Security, Atul Kahate, TMH, 2003.
▪Reference:
▪Cryptography and Network Security, Behrouz A Forouzan, TMH, 2007.
2
Dr. Shivashankar, E&CE, RRIT
MODULE-5: FIREWALLS
The need for firewalls
• A firewall monitors and filters incoming and outgoing network traffic based on
security policy, allowing approved traffic in and denying all other traffic.
• Firewalls protect any network-connected device and can be deployed as a
software firewall on hosts, as a hardware firewall on a separate network
device, and as a virtual firewall in the private or public cloud.
• The following are notable developments:
➢ Centralized data processing system, with a central mainframe supporting a
number of directly connected terminals
➢ Local area networks (LANs) interconnecting PCs and terminals to each other
and the mainframe
➢ Premises network, consisting of a number of LANs, interconnecting PCs,
servers, and perhaps a mainframe or two
➢ Enterprise-wide network, consisting of multiple, geographically distributed
premises networks interconnected by a private wide area network (WAN).
3
Dr. Shivashankar, E&CE, RRIT
FIREWALL CHARACTERISTICS
The following design goals for a firewall:
1. All traffic from inside to outside, and vice versa, must pass through the firewall.
2. Only authorized traffic, as defined by the local security policy, will be allowed to pass.
3. The firewall itself is immune to penetration. This implies the use of a hardened
system with a secured operating system.
Four general techniques that firewalls use to control access and enforce the site’s security
policy.
1. Service control: Determines the types of Internet services that can be accessed,
inbound or outbound. The firewall may filter traffic on the basis of IP address,
protocol, or port number.
2. Direction control: Determines the direction in which particular service requests may
be initiated and allowed to flow through the firewall.
3. User control: Controls access to a service according to which user is attempting to
access it. This feature is typically applied to users inside the firewall perimeter (local
users).
4. Behavior control: Controls how particular services are used. For example, the firewall
may filter e-mail to eliminate spam, or it may enable external access to only a portion
of the information on a local Web server.
4
Dr. Shivashankar, E&CE, RRIT
Conti…
The following capabilities are within the scope of a firewall:
1. A firewall defines a single choke point that keeps unauthorized users out of
the protected network, prohibits potentially vulnerable services from
entering or leaving the network, and provides protection from various kinds
of IP spoofing and routing attacks.
2. A firewall provides a location for monitoring security-related events. Audits
and alarms can be implemented on the firewall system.
3. A firewall is a convenient platform for several Internet functions that are not
security related. These include a network address translator, which maps
local addresses to Internet addresses, and a network management function
that audits or logs Internet usage.
4. A firewall can serve as the platform for IPsec. Using the tunnel mode
capability, the firewall can be used to implement virtual private networks.
5
Dr. Shivashankar, E&CE, RRIT
Conti…
Firewalls have their limitations, including the following:
1. The firewall cannot protect against attacks that bypass the firewall.
Internal systems may have dial-out capability to connect to an ISP.
2. The firewall may not protect fully against internal threats, such as a
disgruntled employee or an employee who unwittingly cooperates
with an external attacker.
3. An improperly secured wireless LAN may be accessed from outside
the organization. An internal firewall that separates portions of an
enterprise network cannot guard against wireless communications
between local systems on different sides of the internal firewall.
4. A laptop, PDA, or portable storage device may be used and infected
outside the corporate network, and then attached and used internally.
6
Dr. Shivashankar, E&CE, RRIT
TYPES OF FIREWALLS
▪A firewall may act as a packet filter.
▪It can operate as a positive filter, allowing to pass only packets that meet specific
criteria, or as a negative filter, rejecting any packet that meets certain criteria.
Packet Filtering Firewall
• A packet filtering firewall applies a set of rules to each incoming and outgoing IP
packet and then forwards or discards the packet.
• The firewall is typically configured to filter packets going in both directions.
Filtering rules are based on information contained in a network packet:
➢ • Source IP address: The IP address of the system that originated the IP packet
(e.g., 192.178.1.1)
➢ • Destination IP address: The IP address of the system the IP packet is trying to
reach (e.g., 192.168.1.2)
➢ • Source and destination transport-level address: The transport-level (e.g., TCP or
UDP) port number, which defines applications such as SNMP or TELNET
➢ • IP protocol field: Defines the transport protocol
➢ • Interface: For a firewall with three or more ports, which interface of the firewall
7
Dr. Shivashankar, E&CE, RRIT
Conti…
8
Dr. Shivashankar, E&CE, RRIT
(a) General model
(b) Packet filtering firewall (c) Stateful inspection firewall
e) Circuit-level proxy firewall
(d) Application proxy firewall
Conti…
▪The packet filter is typically set up as a list of rules based on
matches to fields in the IP or TCP header.
▪ If there is a match to one of the rules, that rule is invoked to
determine whether to forward or discard the packet.
▪If there is no match to any rule, then a default action is taken.
Two default policies are possible:
➢ Default = discard: That which is not expressly permitted is
prohibited.
➢ Default = forward: That which is not expressly prohibited is
permitted.
9
Dr. Shivashankar, E&CE, RRIT
Conti…
▪Some of the attacks that can be made on packet filtering firewalls and the
appropriate countermeasures are the following:
➢ IP address spoofing: The intruder transmits packets from the outside with a
source IP address field containing an address of an internal host. The
countermeasure is to discard packets with an inside source address if the
packet arrives on an external interface. In fact, this countermeasure is often
implemented at the router external to the firewall.
➢ Source routing attacks: The source station specifies the route that a packet
should take as it crosses the Internet, in the hopes that this will bypass
security measures that do not analyze the source routing information. The
countermeasure is to discard all packets that use this option.
➢ Tiny fragment attacks: The intruder uses the IP fragmentation option to
create extremely small fragments and force the TCP header information into a
separate packet fragment. If the first fragment is rejected, the filter can
remember the packet and discard all subsequent fragments
10
Dr. Shivashankar, E&CE, RRIT
Stateful Inspection Firewalls
▪Also known as dynamic packet filtering, is a firewall technology
that monitors the state of active connections and uses this
information to determine which network packets to allow through
the firewall.
▪Stateful inspection is commonly used in place of stateless
inspection, or static packet filtering, and is well suited to
Transmission Control Protocol (TCP) and similar protocols, although
it can also support protocols such as User Datagram Protocol (UDP).
▪It is a network firewall technology used to filter data packets based
on state and context.
▪It operates primarily at the transport and network layers of the
Open Systems Interconnection (OSI) model for how applications
communicate over a network.
11
Dr. Shivashankar, E&CE, RRIT
Application-Level Gateway
▪It also known as application layer gateway, application
gateway, application proxy, or application-level proxy is a security
component that augments a firewall.
▪The user contacts the gateway using a TCP/IP application, such as Telnet
or FTP, and the gateway asks the user for the name of the remote host to
be accessed.
▪When the user responds and provides a valid user ID and authentication
information, the gateway contacts the application on the remote host and
relays TCP segments containing the application data between the two
endpoints.
▪If the gateway does not implement the proxy code for a specific
application, the service is not supported and cannot be forwarded across
the firewall.
▪Application-level gateways tend to be more secure than packet filters.
12
Dr. Shivashankar, E&CE, RRIT
Circuit-Level Gateway
▪A circuit-level gateway firewall helps in providing the security
between UDP and TCP using the connection.
▪It also acts as a handshaking device between trusted clients or servers to
untrusted hosts and vice versa.
▪Circuit Level Gateway the component used are:-
➢ The Destination addresses, Source addresses, and Ports.
➢ The time of delay.
➢ The protocol is being utilized.
➢ The user and the password.
▪Typical use of circuit-level gateways is a situation in which the system
administrator trusts the internal users.
▪The gateway can be configured to support application-level or proxy
service on inbound connections and circuit-level functions for outbound
connections.
13
Dr. Shivashankar, E&CE, RRIT
Firewall Basing
▪It is common to base a firewall on a stand-alone machine running a common
operating system, such as UNIX or Linux.
▪Firewall functionality can also be implemented as a software module in a router
or LAN switch.
Bastion Host
▪A bastion host is a system identified by the firewall administrator as a critical
strong point in the network’s security.
▪Typically, the bastion host serves as a platform for an application-level or circuit-
level gateway.
▪Common characteristics of a bastion host are as follows:
➢ The bastion host hardware platform executes a secure version of its operating
system, making it a hardened system.
➢ Only the services that the network administrator considers essential are
installed on the bastion host. These could include proxy applications for DNS,
FTP, HTTP, and SMTP.
➢ The bastion host may require additional authentication before a user is
allowed access to the proxy services.
14
Dr. Shivashankar, E&CE, RRIT
Host-Based Firewalls
▪It is a software module used to secure an individual host.
▪Like conventional stand-alone firewalls, host-resident firewalls filter and
restrict the flow of packets.
▪A common location for such firewalls is a server.
There are several advantages to the use of a server-based or workstation
based firewall:
➢ Specific corporate security policies for servers can be implemented,
with different filters for servers used for different application.
➢ Protection is provided independent of topology. Thus both internal and
external attacks must pass through the firewall.
➢ Used in conjunction with stand-alone firewalls, the host-based firewall
provides an additional layer of protection.
15
Dr. Shivashankar, E&CE, RRIT
Personal Firewall
▪Personal firewall is a software module on the personal computer.
▪It controls the traffic between a personal computer or workstation on one side and the
Internet or enterprise network on the other side.
▪Personal firewall functionality can be used in the home environment and on corporate
intranets.
▪The primary role of the personal firewall is to deny unauthorized remote access to the
computer.
▪The firewall can also monitor outgoing activity in an attempt to detect and block worms
and other malware.
▪An example of a personal firewall is the capability built in to the Mac OS X operating
system.
The list of inbound services:
➢ Personal file sharing (548, 427)
➢ Windows sharing (139)
➢ Personal Web sharing (80, 427)
➢ Remote login - SSH (22)
➢ FTP access (20-21, 1024-64535 from 20-21)
➢ Remote Apple events (3031) • Printer sharing (631, 515) etc.
16
Dr. Shivashankar, E&CE, RRIT
Firewall Location and Configuration
▪A firewall is positioned to provide a protective barrier between an external,
potentially untrusted source of traffic and an internal network.
▪A security administrator must decide on the location and on the number of
firewalls needed.
Demilitarized Zone (DMZ) Networks
• An external firewall is placed at the edge of a local or enterprise network, just
inside the boundary router that connects to the Internet or some wide area
network (WAN).
• One or more internal firewalls protect the bulk of the enterprise network.
Between these two types of firewalls are one or more networked devices in a
region referred to as a DMZ (demilitarized zone) network.
• Systems that are externally accessible but need some protections are usually
located on DMZ networks.
• Typically, the systems in the DMZ require or foster external connectivity, such
as a corporate Web site, an e-mail server, or a DNS (domain name system)
server.
17
Dr. Shivashankar, E&CE, RRIT
Conti…
Internal firewalls serve three purposes:
1. It adds more stringent filtering capability,
compared to the external firewall, in order
to protect enterprise servers and
workstations from external attack.
2. It provides two-way protection with
respect to the DMZ. First, the internal
firewall protects the remainder of the
network from attacks launched from DMZ
systems. Such attacks might originate from
worms, rootkits, bots, or other malware
lodged in a DMZ system. Second, an
internal firewall can protect the DMZ
systems from attack from the internal
protected network.
3. 3Multiple internal firewalls can be used to
protect portions of the internal network
from each other.
18
Dr. Shivashankar, E&CE, RRIT
Figure 22.3 Example Firewall Configuration
Virtual Private Networks
▪In today’s distributed computing environment, the virtual private network (VPN)
offers an attractive solution to network managers.
▪In essence, a VPN consists of a set of computers that interconnect by means of a
relatively unsecure network and that make use of encryption and special
protocols to provide security.
▪At each corporate site, workstations, servers, and databases are linked by one or
more local area networks (LANs).
▪The Internet or some other public network can be used to interconnect sites,
providing a cost savings over the use of a private network and offloading the wide
area network management task to the public network provider.
▪That same public network provides an access path for telecommuters and other
mobile employees to log on to corporate systems from remote sites.
▪.The encryption may be performed by firewall software or possibly by routers.
The most common protocol mechanism used for this purpose is at the IP level
and is known as Ipsec.
19
Dr. Shivashankar, E&CE, RRIT
Conti…
20
Dr. Shivashankar, E&CE, RRIT
Figure 22.4 A VPN Security Scenario
Distributed Firewalls
▪A distributed firewall configuration involves stand-alone firewall devices plus
host based firewalls working together under a central administrative control.
▪Administrators can configure host resident firewalls on hundreds of servers and
workstations as well as configure personal firewalls on local and remote user
systems.
▪Tools let the network administrator set policies and monitor security across the
entire network.
▪These firewalls protect against internal attacks and provide protection tailored
to specific machines and applications.
▪Stand-alone firewalls provide global protection, including internal firewalls and
an external firewall, as discussed previously.
▪An important aspect of a distributed firewall configuration is security
monitoring.
▪Such monitoring typically includes log aggregation and analysis, firewall
statistics, and fine-grained remote monitoring of individual hosts if needed.
21
Dr. Shivashankar, E&CE, RRIT
Conti…
22
Dr. Shivashankar, E&CE, RRIT
Figure 22.5 Example Distributed
Firewall Configuration
Conti…
1. Network layer firewall works as a __________
a) Frame filter
b) Packet filter
c) Content filter
d) Virus filter
2. Network layer firewall has two sub-categories as _________
a) State full firewall and stateless firewall
b) Bit oriented firewall and byte oriented firewall
c) Frame firewall and packet firewall
d) Network layer firewall and session layer firewall
3. A firewall is installed at the point where the secure internal network and untrusted external network meet which
is also known as __________
a) Chock point
b) Meeting point
c) Firewall point
d) Secure point
4. Which of the following is / are the types of firewall?
a) Packet Filtering Firewall
b) Dual Homed Gateway Firewall
c) Screen Host Firewall
d) Dual Host Firewall
5. A proxy firewall filters at _________
a) Physical layer
b) Data link layer
c) Network layer
d) Application layer
23
Dr. Shivashankar, E&CE, RRIT
Conti…
6. A packet filter firewall filters at __________
a) Physical layer
b) Data link layer
c) Network layer or Transport layer
d) Application layer
7. What is one advantage of setting up a DMZ with two firewalls?
a) You can control where traffic goes in three networks
b) You can do stateful packet filtering
c) You can do load balancing
d) Improved network performance
8. What tells a firewall how to reassemble a data stream that has been divided into packets?
a) The source routing feature
b) The number in the header’s identification field
c) The destination IP address
d) The header checksum field in the packet header
9. A stateful firewall maintains a ___________ which is a list of active connections.
a) Routing table
b) Bridging table
c) State table
d) Connection table
10. A firewall needs to be __________ so that it can grow proportionally with the network that it protects.
a) Robust
b) Expansive
c) Fast
d) Scalable
24
Dr. Shivashankar, E&CE, RRIT
Question Bank
1. List three design goals for a firewall and explain.
2. List four techniques used by firewalls to control access and enforce a security
policy and discuss.
3. What information is used by a typical packet filtering firewall and why,
explain.
4. Explain some weaknesses of a packet filtering firewall?
5. What is the difference between a packet filtering firewall and a stateful
inspection firewall?
6. Describe an application-level gateway?
7. Explain circuit-level gateway?
8. What are the common characteristics of a bastion host? Explain.
9. Why is it useful to have host-based firewalls?
10. What is a DMZ network and what types of systems would you expect to find
on such networks?
11. What is the difference between an internal and an external firewall? Give
example
25
Dr. Shivashankar, E&CE, RRIT
Conti…
Thank you
26
Dr. Shivashankar, E&CE, RRIT

More Related Content

What's hot

OSI Transport Layer
OSI Transport LayerOSI Transport Layer
OSI Transport LayerSachii Dosti
 
Networking Standards And Protocols
Networking Standards And ProtocolsNetworking Standards And Protocols
Networking Standards And ProtocolsSteven Cahill
 
Configuration of bus topology in cisco packet tracer by Tanjilur Rahman
Configuration of bus topology in cisco packet tracer by Tanjilur RahmanConfiguration of bus topology in cisco packet tracer by Tanjilur Rahman
Configuration of bus topology in cisco packet tracer by Tanjilur RahmanTanjilurRahman6
 
UTM Unified Threat Management
UTM Unified Threat ManagementUTM Unified Threat Management
UTM Unified Threat ManagementLokesh Sharma
 
Introduction to Data Center Network Architecture
Introduction to Data Center Network ArchitectureIntroduction to Data Center Network Architecture
Introduction to Data Center Network ArchitectureAnkita Mahajan
 
Firewall & packet filter new
Firewall & packet filter newFirewall & packet filter new
Firewall & packet filter newKarnav Rana
 
BAIT1103 Chapter 6
BAIT1103 Chapter 6BAIT1103 Chapter 6
BAIT1103 Chapter 6limsh
 
RSTP (rapid spanning tree protocol)
RSTP (rapid spanning tree protocol)RSTP (rapid spanning tree protocol)
RSTP (rapid spanning tree protocol)Netwax Lab
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewallCoder Tech
 
Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Peter R. Egli
 
QoS marking on cisco IOS Router
QoS marking on cisco IOS RouterQoS marking on cisco IOS Router
QoS marking on cisco IOS RouterNetProtocol Xpert
 

What's hot (20)

CCNA Report
CCNA ReportCCNA Report
CCNA Report
 
21 Scheme_MODULE-2_CCN.pdf
21 Scheme_MODULE-2_CCN.pdf21 Scheme_MODULE-2_CCN.pdf
21 Scheme_MODULE-2_CCN.pdf
 
OSI Transport Layer
OSI Transport LayerOSI Transport Layer
OSI Transport Layer
 
Networking Standards And Protocols
Networking Standards And ProtocolsNetworking Standards And Protocols
Networking Standards And Protocols
 
Configuration of bus topology in cisco packet tracer by Tanjilur Rahman
Configuration of bus topology in cisco packet tracer by Tanjilur RahmanConfiguration of bus topology in cisco packet tracer by Tanjilur Rahman
Configuration of bus topology in cisco packet tracer by Tanjilur Rahman
 
UTM Unified Threat Management
UTM Unified Threat ManagementUTM Unified Threat Management
UTM Unified Threat Management
 
Firewalls
FirewallsFirewalls
Firewalls
 
21 Scheme_ MODULE-3_CCN.pdf
21 Scheme_ MODULE-3_CCN.pdf21 Scheme_ MODULE-3_CCN.pdf
21 Scheme_ MODULE-3_CCN.pdf
 
Computer Network - Unit 1
Computer Network - Unit 1Computer Network - Unit 1
Computer Network - Unit 1
 
Introduction to Data Center Network Architecture
Introduction to Data Center Network ArchitectureIntroduction to Data Center Network Architecture
Introduction to Data Center Network Architecture
 
Firewall & packet filter new
Firewall & packet filter newFirewall & packet filter new
Firewall & packet filter new
 
Router and types
Router and types Router and types
Router and types
 
BAIT1103 Chapter 6
BAIT1103 Chapter 6BAIT1103 Chapter 6
BAIT1103 Chapter 6
 
Firewalls
FirewallsFirewalls
Firewalls
 
Bgp
BgpBgp
Bgp
 
RSTP (rapid spanning tree protocol)
RSTP (rapid spanning tree protocol)RSTP (rapid spanning tree protocol)
RSTP (rapid spanning tree protocol)
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewall
 
Firewall
FirewallFirewall
Firewall
 
Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)Overview of SCTP (Stream Control Transmission Protocol)
Overview of SCTP (Stream Control Transmission Protocol)
 
QoS marking on cisco IOS Router
QoS marking on cisco IOS RouterQoS marking on cisco IOS Router
QoS marking on cisco IOS Router
 

Similar to Network Security_Dr Shivashankar_Module 5.pdf

Cryptography Project by Aelsayed & Kyasser.pdf
Cryptography Project by Aelsayed & Kyasser.pdfCryptography Project by Aelsayed & Kyasser.pdf
Cryptography Project by Aelsayed & Kyasser.pdfahmeddeath6
 
Firewalls by Puneet Bawa
Firewalls by Puneet BawaFirewalls by Puneet Bawa
Firewalls by Puneet BawaPuneet Bawa
 
Network defenses
Network defensesNetwork defenses
Network defensesG Prachi
 
Information Security (Firewall)
Information Security (Firewall)Information Security (Firewall)
Information Security (Firewall)Zara Nawaz
 
firewall as a security measure (1)-1.pptx
firewall as a security measure (1)-1.pptxfirewall as a security measure (1)-1.pptx
firewall as a security measure (1)-1.pptxShreyaBanerjee52
 
Firewall and It's Types
Firewall and It's TypesFirewall and It's Types
Firewall and It's TypesHem Pokhrel
 
Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [312-342...
Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [312-342...Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [312-342...
Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [312-342...ams1ams11
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2sweta dargad
 
firrewall and intrusion prevention system.pptx
firrewall and intrusion prevention system.pptxfirrewall and intrusion prevention system.pptx
firrewall and intrusion prevention system.pptxfatimagull32
 
Firewalls and packet filters
Firewalls and packet filtersFirewalls and packet filters
Firewalls and packet filtersMOHIT AGARWAL
 
Module 7 Firewalls Part - 2 Presentation
Module 7 Firewalls Part - 2 PresentationModule 7 Firewalls Part - 2 Presentation
Module 7 Firewalls Part - 2 Presentation9921103075
 
Chapter_Five Compueter secuityryhf S.pdf
Chapter_Five Compueter secuityryhf   S.pdfChapter_Five Compueter secuityryhf   S.pdf
Chapter_Five Compueter secuityryhf S.pdfAschalewAyele2
 
Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Radhika Talaviya
 

Similar to Network Security_Dr Shivashankar_Module 5.pdf (20)

Cryptography Project by Aelsayed & Kyasser.pdf
Cryptography Project by Aelsayed & Kyasser.pdfCryptography Project by Aelsayed & Kyasser.pdf
Cryptography Project by Aelsayed & Kyasser.pdf
 
Firewalls by Puneet Bawa
Firewalls by Puneet BawaFirewalls by Puneet Bawa
Firewalls by Puneet Bawa
 
Firewall and its Types
Firewall and its TypesFirewall and its Types
Firewall and its Types
 
Network defenses
Network defensesNetwork defenses
Network defenses
 
Information Security (Firewall)
Information Security (Firewall)Information Security (Firewall)
Information Security (Firewall)
 
firewall as a security measure (1)-1.pptx
firewall as a security measure (1)-1.pptxfirewall as a security measure (1)-1.pptx
firewall as a security measure (1)-1.pptx
 
Firewall and It's Types
Firewall and It's TypesFirewall and It's Types
Firewall and It's Types
 
firewall.ppt
firewall.pptfirewall.ppt
firewall.ppt
 
Firewall configuration
Firewall configurationFirewall configuration
Firewall configuration
 
[9] Firewall.pdf
[9] Firewall.pdf[9] Firewall.pdf
[9] Firewall.pdf
 
Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [312-342...
Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [312-342...Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [312-342...
Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [312-342...
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2
 
firrewall and intrusion prevention system.pptx
firrewall and intrusion prevention system.pptxfirrewall and intrusion prevention system.pptx
firrewall and intrusion prevention system.pptx
 
Firewalls and packet filters
Firewalls and packet filtersFirewalls and packet filters
Firewalls and packet filters
 
Module 7 Firewalls Part - 2 Presentation
Module 7 Firewalls Part - 2 PresentationModule 7 Firewalls Part - 2 Presentation
Module 7 Firewalls Part - 2 Presentation
 
Firewall
FirewallFirewall
Firewall
 
Chapter_Five Compueter secuityryhf S.pdf
Chapter_Five Compueter secuityryhf   S.pdfChapter_Five Compueter secuityryhf   S.pdf
Chapter_Five Compueter secuityryhf S.pdf
 
Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters
 
Firewall
FirewallFirewall
Firewall
 
internet-firewalls
internet-firewallsinternet-firewalls
internet-firewalls
 

More from Dr. Shivashankar

21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS
21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS
21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaSDr. Shivashankar
 
21 SCHEME_21EC53_VTU_MODULE-4_COMPUTER COMMUNCATION NETWORK.pdf
21 SCHEME_21EC53_VTU_MODULE-4_COMPUTER COMMUNCATION NETWORK.pdf21 SCHEME_21EC53_VTU_MODULE-4_COMPUTER COMMUNCATION NETWORK.pdf
21 SCHEME_21EC53_VTU_MODULE-4_COMPUTER COMMUNCATION NETWORK.pdfDr. Shivashankar
 
Wireless Cellular Communication_Module 3_Dr. Shivashankar.pdf
Wireless Cellular Communication_Module 3_Dr. Shivashankar.pdfWireless Cellular Communication_Module 3_Dr. Shivashankar.pdf
Wireless Cellular Communication_Module 3_Dr. Shivashankar.pdfDr. Shivashankar
 
Wireless Cellular Communication_Mudule2_Dr.Shivashankar.pdf
Wireless Cellular Communication_Mudule2_Dr.Shivashankar.pdfWireless Cellular Communication_Mudule2_Dr.Shivashankar.pdf
Wireless Cellular Communication_Mudule2_Dr.Shivashankar.pdfDr. Shivashankar
 
Network Security_Module_2.pdf
Network Security_Module_2.pdfNetwork Security_Module_2.pdf
Network Security_Module_2.pdfDr. Shivashankar
 

More from Dr. Shivashankar (8)

21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS
21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS
21 Scheme_21EC53_MODULE-5_CCN_Dr. ShivaS
 
21 SCHEME_21EC53_VTU_MODULE-4_COMPUTER COMMUNCATION NETWORK.pdf
21 SCHEME_21EC53_VTU_MODULE-4_COMPUTER COMMUNCATION NETWORK.pdf21 SCHEME_21EC53_VTU_MODULE-4_COMPUTER COMMUNCATION NETWORK.pdf
21 SCHEME_21EC53_VTU_MODULE-4_COMPUTER COMMUNCATION NETWORK.pdf
 
Wireless Cellular Communication_Module 3_Dr. Shivashankar.pdf
Wireless Cellular Communication_Module 3_Dr. Shivashankar.pdfWireless Cellular Communication_Module 3_Dr. Shivashankar.pdf
Wireless Cellular Communication_Module 3_Dr. Shivashankar.pdf
 
Wireless Cellular Communication_Mudule2_Dr.Shivashankar.pdf
Wireless Cellular Communication_Mudule2_Dr.Shivashankar.pdfWireless Cellular Communication_Mudule2_Dr.Shivashankar.pdf
Wireless Cellular Communication_Mudule2_Dr.Shivashankar.pdf
 
Network Security_Module_2.pdf
Network Security_Module_2.pdfNetwork Security_Module_2.pdf
Network Security_Module_2.pdf
 
MODULE-3_CCN.pptx
MODULE-3_CCN.pptxMODULE-3_CCN.pptx
MODULE-3_CCN.pptx
 
MODULE-1_CCN.pptx
MODULE-1_CCN.pptxMODULE-1_CCN.pptx
MODULE-1_CCN.pptx
 
MODULE-2_CCN.pptx
MODULE-2_CCN.pptxMODULE-2_CCN.pptx
MODULE-2_CCN.pptx
 

Recently uploaded

Introduction to Arduino Programming: Features of Arduino
Introduction to Arduino Programming: Features of ArduinoIntroduction to Arduino Programming: Features of Arduino
Introduction to Arduino Programming: Features of ArduinoAbhimanyu Sangale
 
"United Nations Park" Site Visit Report.
"United Nations Park" Site  Visit Report."United Nations Park" Site  Visit Report.
"United Nations Park" Site Visit Report.MdManikurRahman
 
Developing a smart system for infant incubators using the internet of things ...
Developing a smart system for infant incubators using the internet of things ...Developing a smart system for infant incubators using the internet of things ...
Developing a smart system for infant incubators using the internet of things ...IJECEIAES
 
Autodesk Construction Cloud (Autodesk Build).pptx
Autodesk Construction Cloud (Autodesk Build).pptxAutodesk Construction Cloud (Autodesk Build).pptx
Autodesk Construction Cloud (Autodesk Build).pptxMustafa Ahmed
 
21P35A0312 Internship eccccccReport.docx
21P35A0312 Internship eccccccReport.docx21P35A0312 Internship eccccccReport.docx
21P35A0312 Internship eccccccReport.docxrahulmanepalli02
 
Linux Systems Programming: Semaphores, Shared Memory, and Message Queues
Linux Systems Programming: Semaphores, Shared Memory, and Message QueuesLinux Systems Programming: Semaphores, Shared Memory, and Message Queues
Linux Systems Programming: Semaphores, Shared Memory, and Message QueuesRashidFaridChishti
 
Interfacing Analog to Digital Data Converters ee3404.pdf
Interfacing Analog to Digital Data Converters ee3404.pdfInterfacing Analog to Digital Data Converters ee3404.pdf
Interfacing Analog to Digital Data Converters ee3404.pdfragupathi90
 
8th International Conference on Soft Computing, Mathematics and Control (SMC ...
8th International Conference on Soft Computing, Mathematics and Control (SMC ...8th International Conference on Soft Computing, Mathematics and Control (SMC ...
8th International Conference on Soft Computing, Mathematics and Control (SMC ...josephjonse
 
Lab Manual Arduino UNO Microcontrollar.docx
Lab Manual Arduino UNO Microcontrollar.docxLab Manual Arduino UNO Microcontrollar.docx
Lab Manual Arduino UNO Microcontrollar.docxRashidFaridChishti
 
Insurance management system project report.pdf
Insurance management system project report.pdfInsurance management system project report.pdf
Insurance management system project report.pdfKamal Acharya
 
Instruct Nirmaana 24-Smart and Lean Construction Through Technology.pdf
Instruct Nirmaana 24-Smart and Lean Construction Through Technology.pdfInstruct Nirmaana 24-Smart and Lean Construction Through Technology.pdf
Instruct Nirmaana 24-Smart and Lean Construction Through Technology.pdfEr.Sonali Nasikkar
 
Final DBMS Manual (2).pdf final lab manual
Final DBMS Manual (2).pdf final lab manualFinal DBMS Manual (2).pdf final lab manual
Final DBMS Manual (2).pdf final lab manualBalamuruganV28
 
SLIDESHARE PPT-DECISION MAKING METHODS.pptx
SLIDESHARE PPT-DECISION MAKING METHODS.pptxSLIDESHARE PPT-DECISION MAKING METHODS.pptx
SLIDESHARE PPT-DECISION MAKING METHODS.pptxCHAIRMAN M
 
ALCOHOL PRODUCTION- Beer Brewing Process.pdf
ALCOHOL PRODUCTION- Beer Brewing Process.pdfALCOHOL PRODUCTION- Beer Brewing Process.pdf
ALCOHOL PRODUCTION- Beer Brewing Process.pdfMadan Karki
 
Passive Air Cooling System and Solar Water Heater.ppt
Passive Air Cooling System and Solar Water Heater.pptPassive Air Cooling System and Solar Water Heater.ppt
Passive Air Cooling System and Solar Water Heater.pptamrabdallah9
 
Maher Othman Interior Design Portfolio..
Maher Othman Interior Design Portfolio..Maher Othman Interior Design Portfolio..
Maher Othman Interior Design Portfolio..MaherOthman7
 
Diploma Engineering Drawing Qp-2024 Ece .pdf
Diploma Engineering Drawing Qp-2024 Ece .pdfDiploma Engineering Drawing Qp-2024 Ece .pdf
Diploma Engineering Drawing Qp-2024 Ece .pdfJNTUA
 
Seizure stage detection of epileptic seizure using convolutional neural networks
Seizure stage detection of epileptic seizure using convolutional neural networksSeizure stage detection of epileptic seizure using convolutional neural networks
Seizure stage detection of epileptic seizure using convolutional neural networksIJECEIAES
 
litvinenko_Henry_Intrusion_Hong-Kong_2024.pdf
litvinenko_Henry_Intrusion_Hong-Kong_2024.pdflitvinenko_Henry_Intrusion_Hong-Kong_2024.pdf
litvinenko_Henry_Intrusion_Hong-Kong_2024.pdfAlexander Litvinenko
 
Electrical shop management system project report.pdf
Electrical shop management system project report.pdfElectrical shop management system project report.pdf
Electrical shop management system project report.pdfKamal Acharya
 

Recently uploaded (20)

Introduction to Arduino Programming: Features of Arduino
Introduction to Arduino Programming: Features of ArduinoIntroduction to Arduino Programming: Features of Arduino
Introduction to Arduino Programming: Features of Arduino
 
"United Nations Park" Site Visit Report.
"United Nations Park" Site  Visit Report."United Nations Park" Site  Visit Report.
"United Nations Park" Site Visit Report.
 
Developing a smart system for infant incubators using the internet of things ...
Developing a smart system for infant incubators using the internet of things ...Developing a smart system for infant incubators using the internet of things ...
Developing a smart system for infant incubators using the internet of things ...
 
Autodesk Construction Cloud (Autodesk Build).pptx
Autodesk Construction Cloud (Autodesk Build).pptxAutodesk Construction Cloud (Autodesk Build).pptx
Autodesk Construction Cloud (Autodesk Build).pptx
 
21P35A0312 Internship eccccccReport.docx
21P35A0312 Internship eccccccReport.docx21P35A0312 Internship eccccccReport.docx
21P35A0312 Internship eccccccReport.docx
 
Linux Systems Programming: Semaphores, Shared Memory, and Message Queues
Linux Systems Programming: Semaphores, Shared Memory, and Message QueuesLinux Systems Programming: Semaphores, Shared Memory, and Message Queues
Linux Systems Programming: Semaphores, Shared Memory, and Message Queues
 
Interfacing Analog to Digital Data Converters ee3404.pdf
Interfacing Analog to Digital Data Converters ee3404.pdfInterfacing Analog to Digital Data Converters ee3404.pdf
Interfacing Analog to Digital Data Converters ee3404.pdf
 
8th International Conference on Soft Computing, Mathematics and Control (SMC ...
8th International Conference on Soft Computing, Mathematics and Control (SMC ...8th International Conference on Soft Computing, Mathematics and Control (SMC ...
8th International Conference on Soft Computing, Mathematics and Control (SMC ...
 
Lab Manual Arduino UNO Microcontrollar.docx
Lab Manual Arduino UNO Microcontrollar.docxLab Manual Arduino UNO Microcontrollar.docx
Lab Manual Arduino UNO Microcontrollar.docx
 
Insurance management system project report.pdf
Insurance management system project report.pdfInsurance management system project report.pdf
Insurance management system project report.pdf
 
Instruct Nirmaana 24-Smart and Lean Construction Through Technology.pdf
Instruct Nirmaana 24-Smart and Lean Construction Through Technology.pdfInstruct Nirmaana 24-Smart and Lean Construction Through Technology.pdf
Instruct Nirmaana 24-Smart and Lean Construction Through Technology.pdf
 
Final DBMS Manual (2).pdf final lab manual
Final DBMS Manual (2).pdf final lab manualFinal DBMS Manual (2).pdf final lab manual
Final DBMS Manual (2).pdf final lab manual
 
SLIDESHARE PPT-DECISION MAKING METHODS.pptx
SLIDESHARE PPT-DECISION MAKING METHODS.pptxSLIDESHARE PPT-DECISION MAKING METHODS.pptx
SLIDESHARE PPT-DECISION MAKING METHODS.pptx
 
ALCOHOL PRODUCTION- Beer Brewing Process.pdf
ALCOHOL PRODUCTION- Beer Brewing Process.pdfALCOHOL PRODUCTION- Beer Brewing Process.pdf
ALCOHOL PRODUCTION- Beer Brewing Process.pdf
 
Passive Air Cooling System and Solar Water Heater.ppt
Passive Air Cooling System and Solar Water Heater.pptPassive Air Cooling System and Solar Water Heater.ppt
Passive Air Cooling System and Solar Water Heater.ppt
 
Maher Othman Interior Design Portfolio..
Maher Othman Interior Design Portfolio..Maher Othman Interior Design Portfolio..
Maher Othman Interior Design Portfolio..
 
Diploma Engineering Drawing Qp-2024 Ece .pdf
Diploma Engineering Drawing Qp-2024 Ece .pdfDiploma Engineering Drawing Qp-2024 Ece .pdf
Diploma Engineering Drawing Qp-2024 Ece .pdf
 
Seizure stage detection of epileptic seizure using convolutional neural networks
Seizure stage detection of epileptic seizure using convolutional neural networksSeizure stage detection of epileptic seizure using convolutional neural networks
Seizure stage detection of epileptic seizure using convolutional neural networks
 
litvinenko_Henry_Intrusion_Hong-Kong_2024.pdf
litvinenko_Henry_Intrusion_Hong-Kong_2024.pdflitvinenko_Henry_Intrusion_Hong-Kong_2024.pdf
litvinenko_Henry_Intrusion_Hong-Kong_2024.pdf
 
Electrical shop management system project report.pdf
Electrical shop management system project report.pdfElectrical shop management system project report.pdf
Electrical shop management system project report.pdf
 

Network Security_Dr Shivashankar_Module 5.pdf

  • 1. NETWORK SECURITY (18EC821) Dr. Shivashankar Professor Department of Electronics & Communication Engineering RRIT, Bangalore 1 Dr. Shivashankar, E&CE, RRIT
  • 2. Course Outcomes After Completion of the course, student will be able to: ▪Explain network security services and mechanisms and explain security concepts. ▪Understand the concept of Transport Level Security and Secure Socket Layer. ▪Explain security concerns in Internet Protocol Security. ▪Explain Intruders, Intrusion detection and Malicious Software. ▪Describe Firewalls, Firewall characteristics, Biasing and Configuration. ▪Text Book: 1. Cryptography and Network Security Principles and Practice, Pearson Education Inc., William Stallings 5th Edition, ISBN: 978-81-317-6166-3. 2. Cryptography and Network Security, Atul Kahate, TMH, 2003. ▪Reference: ▪Cryptography and Network Security, Behrouz A Forouzan, TMH, 2007. 2 Dr. Shivashankar, E&CE, RRIT
  • 3. MODULE-5: FIREWALLS The need for firewalls • A firewall monitors and filters incoming and outgoing network traffic based on security policy, allowing approved traffic in and denying all other traffic. • Firewalls protect any network-connected device and can be deployed as a software firewall on hosts, as a hardware firewall on a separate network device, and as a virtual firewall in the private or public cloud. • The following are notable developments: ➢ Centralized data processing system, with a central mainframe supporting a number of directly connected terminals ➢ Local area networks (LANs) interconnecting PCs and terminals to each other and the mainframe ➢ Premises network, consisting of a number of LANs, interconnecting PCs, servers, and perhaps a mainframe or two ➢ Enterprise-wide network, consisting of multiple, geographically distributed premises networks interconnected by a private wide area network (WAN). 3 Dr. Shivashankar, E&CE, RRIT
  • 4. FIREWALL CHARACTERISTICS The following design goals for a firewall: 1. All traffic from inside to outside, and vice versa, must pass through the firewall. 2. Only authorized traffic, as defined by the local security policy, will be allowed to pass. 3. The firewall itself is immune to penetration. This implies the use of a hardened system with a secured operating system. Four general techniques that firewalls use to control access and enforce the site’s security policy. 1. Service control: Determines the types of Internet services that can be accessed, inbound or outbound. The firewall may filter traffic on the basis of IP address, protocol, or port number. 2. Direction control: Determines the direction in which particular service requests may be initiated and allowed to flow through the firewall. 3. User control: Controls access to a service according to which user is attempting to access it. This feature is typically applied to users inside the firewall perimeter (local users). 4. Behavior control: Controls how particular services are used. For example, the firewall may filter e-mail to eliminate spam, or it may enable external access to only a portion of the information on a local Web server. 4 Dr. Shivashankar, E&CE, RRIT
  • 5. Conti… The following capabilities are within the scope of a firewall: 1. A firewall defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks. 2. A firewall provides a location for monitoring security-related events. Audits and alarms can be implemented on the firewall system. 3. A firewall is a convenient platform for several Internet functions that are not security related. These include a network address translator, which maps local addresses to Internet addresses, and a network management function that audits or logs Internet usage. 4. A firewall can serve as the platform for IPsec. Using the tunnel mode capability, the firewall can be used to implement virtual private networks. 5 Dr. Shivashankar, E&CE, RRIT
  • 6. Conti… Firewalls have their limitations, including the following: 1. The firewall cannot protect against attacks that bypass the firewall. Internal systems may have dial-out capability to connect to an ISP. 2. The firewall may not protect fully against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker. 3. An improperly secured wireless LAN may be accessed from outside the organization. An internal firewall that separates portions of an enterprise network cannot guard against wireless communications between local systems on different sides of the internal firewall. 4. A laptop, PDA, or portable storage device may be used and infected outside the corporate network, and then attached and used internally. 6 Dr. Shivashankar, E&CE, RRIT
  • 7. TYPES OF FIREWALLS ▪A firewall may act as a packet filter. ▪It can operate as a positive filter, allowing to pass only packets that meet specific criteria, or as a negative filter, rejecting any packet that meets certain criteria. Packet Filtering Firewall • A packet filtering firewall applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet. • The firewall is typically configured to filter packets going in both directions. Filtering rules are based on information contained in a network packet: ➢ • Source IP address: The IP address of the system that originated the IP packet (e.g., 192.178.1.1) ➢ • Destination IP address: The IP address of the system the IP packet is trying to reach (e.g., 192.168.1.2) ➢ • Source and destination transport-level address: The transport-level (e.g., TCP or UDP) port number, which defines applications such as SNMP or TELNET ➢ • IP protocol field: Defines the transport protocol ➢ • Interface: For a firewall with three or more ports, which interface of the firewall 7 Dr. Shivashankar, E&CE, RRIT
  • 8. Conti… 8 Dr. Shivashankar, E&CE, RRIT (a) General model (b) Packet filtering firewall (c) Stateful inspection firewall e) Circuit-level proxy firewall (d) Application proxy firewall
  • 9. Conti… ▪The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header. ▪ If there is a match to one of the rules, that rule is invoked to determine whether to forward or discard the packet. ▪If there is no match to any rule, then a default action is taken. Two default policies are possible: ➢ Default = discard: That which is not expressly permitted is prohibited. ➢ Default = forward: That which is not expressly prohibited is permitted. 9 Dr. Shivashankar, E&CE, RRIT
  • 10. Conti… ▪Some of the attacks that can be made on packet filtering firewalls and the appropriate countermeasures are the following: ➢ IP address spoofing: The intruder transmits packets from the outside with a source IP address field containing an address of an internal host. The countermeasure is to discard packets with an inside source address if the packet arrives on an external interface. In fact, this countermeasure is often implemented at the router external to the firewall. ➢ Source routing attacks: The source station specifies the route that a packet should take as it crosses the Internet, in the hopes that this will bypass security measures that do not analyze the source routing information. The countermeasure is to discard all packets that use this option. ➢ Tiny fragment attacks: The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment. If the first fragment is rejected, the filter can remember the packet and discard all subsequent fragments 10 Dr. Shivashankar, E&CE, RRIT
  • 11. Stateful Inspection Firewalls ▪Also known as dynamic packet filtering, is a firewall technology that monitors the state of active connections and uses this information to determine which network packets to allow through the firewall. ▪Stateful inspection is commonly used in place of stateless inspection, or static packet filtering, and is well suited to Transmission Control Protocol (TCP) and similar protocols, although it can also support protocols such as User Datagram Protocol (UDP). ▪It is a network firewall technology used to filter data packets based on state and context. ▪It operates primarily at the transport and network layers of the Open Systems Interconnection (OSI) model for how applications communicate over a network. 11 Dr. Shivashankar, E&CE, RRIT
  • 12. Application-Level Gateway ▪It also known as application layer gateway, application gateway, application proxy, or application-level proxy is a security component that augments a firewall. ▪The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the gateway asks the user for the name of the remote host to be accessed. ▪When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints. ▪If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall. ▪Application-level gateways tend to be more secure than packet filters. 12 Dr. Shivashankar, E&CE, RRIT
  • 13. Circuit-Level Gateway ▪A circuit-level gateway firewall helps in providing the security between UDP and TCP using the connection. ▪It also acts as a handshaking device between trusted clients or servers to untrusted hosts and vice versa. ▪Circuit Level Gateway the component used are:- ➢ The Destination addresses, Source addresses, and Ports. ➢ The time of delay. ➢ The protocol is being utilized. ➢ The user and the password. ▪Typical use of circuit-level gateways is a situation in which the system administrator trusts the internal users. ▪The gateway can be configured to support application-level or proxy service on inbound connections and circuit-level functions for outbound connections. 13 Dr. Shivashankar, E&CE, RRIT
  • 14. Firewall Basing ▪It is common to base a firewall on a stand-alone machine running a common operating system, such as UNIX or Linux. ▪Firewall functionality can also be implemented as a software module in a router or LAN switch. Bastion Host ▪A bastion host is a system identified by the firewall administrator as a critical strong point in the network’s security. ▪Typically, the bastion host serves as a platform for an application-level or circuit- level gateway. ▪Common characteristics of a bastion host are as follows: ➢ The bastion host hardware platform executes a secure version of its operating system, making it a hardened system. ➢ Only the services that the network administrator considers essential are installed on the bastion host. These could include proxy applications for DNS, FTP, HTTP, and SMTP. ➢ The bastion host may require additional authentication before a user is allowed access to the proxy services. 14 Dr. Shivashankar, E&CE, RRIT
  • 15. Host-Based Firewalls ▪It is a software module used to secure an individual host. ▪Like conventional stand-alone firewalls, host-resident firewalls filter and restrict the flow of packets. ▪A common location for such firewalls is a server. There are several advantages to the use of a server-based or workstation based firewall: ➢ Specific corporate security policies for servers can be implemented, with different filters for servers used for different application. ➢ Protection is provided independent of topology. Thus both internal and external attacks must pass through the firewall. ➢ Used in conjunction with stand-alone firewalls, the host-based firewall provides an additional layer of protection. 15 Dr. Shivashankar, E&CE, RRIT
  • 16. Personal Firewall ▪Personal firewall is a software module on the personal computer. ▪It controls the traffic between a personal computer or workstation on one side and the Internet or enterprise network on the other side. ▪Personal firewall functionality can be used in the home environment and on corporate intranets. ▪The primary role of the personal firewall is to deny unauthorized remote access to the computer. ▪The firewall can also monitor outgoing activity in an attempt to detect and block worms and other malware. ▪An example of a personal firewall is the capability built in to the Mac OS X operating system. The list of inbound services: ➢ Personal file sharing (548, 427) ➢ Windows sharing (139) ➢ Personal Web sharing (80, 427) ➢ Remote login - SSH (22) ➢ FTP access (20-21, 1024-64535 from 20-21) ➢ Remote Apple events (3031) • Printer sharing (631, 515) etc. 16 Dr. Shivashankar, E&CE, RRIT
  • 17. Firewall Location and Configuration ▪A firewall is positioned to provide a protective barrier between an external, potentially untrusted source of traffic and an internal network. ▪A security administrator must decide on the location and on the number of firewalls needed. Demilitarized Zone (DMZ) Networks • An external firewall is placed at the edge of a local or enterprise network, just inside the boundary router that connects to the Internet or some wide area network (WAN). • One or more internal firewalls protect the bulk of the enterprise network. Between these two types of firewalls are one or more networked devices in a region referred to as a DMZ (demilitarized zone) network. • Systems that are externally accessible but need some protections are usually located on DMZ networks. • Typically, the systems in the DMZ require or foster external connectivity, such as a corporate Web site, an e-mail server, or a DNS (domain name system) server. 17 Dr. Shivashankar, E&CE, RRIT
  • 18. Conti… Internal firewalls serve three purposes: 1. It adds more stringent filtering capability, compared to the external firewall, in order to protect enterprise servers and workstations from external attack. 2. It provides two-way protection with respect to the DMZ. First, the internal firewall protects the remainder of the network from attacks launched from DMZ systems. Such attacks might originate from worms, rootkits, bots, or other malware lodged in a DMZ system. Second, an internal firewall can protect the DMZ systems from attack from the internal protected network. 3. 3Multiple internal firewalls can be used to protect portions of the internal network from each other. 18 Dr. Shivashankar, E&CE, RRIT Figure 22.3 Example Firewall Configuration
  • 19. Virtual Private Networks ▪In today’s distributed computing environment, the virtual private network (VPN) offers an attractive solution to network managers. ▪In essence, a VPN consists of a set of computers that interconnect by means of a relatively unsecure network and that make use of encryption and special protocols to provide security. ▪At each corporate site, workstations, servers, and databases are linked by one or more local area networks (LANs). ▪The Internet or some other public network can be used to interconnect sites, providing a cost savings over the use of a private network and offloading the wide area network management task to the public network provider. ▪That same public network provides an access path for telecommuters and other mobile employees to log on to corporate systems from remote sites. ▪.The encryption may be performed by firewall software or possibly by routers. The most common protocol mechanism used for this purpose is at the IP level and is known as Ipsec. 19 Dr. Shivashankar, E&CE, RRIT
  • 20. Conti… 20 Dr. Shivashankar, E&CE, RRIT Figure 22.4 A VPN Security Scenario
  • 21. Distributed Firewalls ▪A distributed firewall configuration involves stand-alone firewall devices plus host based firewalls working together under a central administrative control. ▪Administrators can configure host resident firewalls on hundreds of servers and workstations as well as configure personal firewalls on local and remote user systems. ▪Tools let the network administrator set policies and monitor security across the entire network. ▪These firewalls protect against internal attacks and provide protection tailored to specific machines and applications. ▪Stand-alone firewalls provide global protection, including internal firewalls and an external firewall, as discussed previously. ▪An important aspect of a distributed firewall configuration is security monitoring. ▪Such monitoring typically includes log aggregation and analysis, firewall statistics, and fine-grained remote monitoring of individual hosts if needed. 21 Dr. Shivashankar, E&CE, RRIT
  • 22. Conti… 22 Dr. Shivashankar, E&CE, RRIT Figure 22.5 Example Distributed Firewall Configuration
  • 23. Conti… 1. Network layer firewall works as a __________ a) Frame filter b) Packet filter c) Content filter d) Virus filter 2. Network layer firewall has two sub-categories as _________ a) State full firewall and stateless firewall b) Bit oriented firewall and byte oriented firewall c) Frame firewall and packet firewall d) Network layer firewall and session layer firewall 3. A firewall is installed at the point where the secure internal network and untrusted external network meet which is also known as __________ a) Chock point b) Meeting point c) Firewall point d) Secure point 4. Which of the following is / are the types of firewall? a) Packet Filtering Firewall b) Dual Homed Gateway Firewall c) Screen Host Firewall d) Dual Host Firewall 5. A proxy firewall filters at _________ a) Physical layer b) Data link layer c) Network layer d) Application layer 23 Dr. Shivashankar, E&CE, RRIT
  • 24. Conti… 6. A packet filter firewall filters at __________ a) Physical layer b) Data link layer c) Network layer or Transport layer d) Application layer 7. What is one advantage of setting up a DMZ with two firewalls? a) You can control where traffic goes in three networks b) You can do stateful packet filtering c) You can do load balancing d) Improved network performance 8. What tells a firewall how to reassemble a data stream that has been divided into packets? a) The source routing feature b) The number in the header’s identification field c) The destination IP address d) The header checksum field in the packet header 9. A stateful firewall maintains a ___________ which is a list of active connections. a) Routing table b) Bridging table c) State table d) Connection table 10. A firewall needs to be __________ so that it can grow proportionally with the network that it protects. a) Robust b) Expansive c) Fast d) Scalable 24 Dr. Shivashankar, E&CE, RRIT
  • 25. Question Bank 1. List three design goals for a firewall and explain. 2. List four techniques used by firewalls to control access and enforce a security policy and discuss. 3. What information is used by a typical packet filtering firewall and why, explain. 4. Explain some weaknesses of a packet filtering firewall? 5. What is the difference between a packet filtering firewall and a stateful inspection firewall? 6. Describe an application-level gateway? 7. Explain circuit-level gateway? 8. What are the common characteristics of a bastion host? Explain. 9. Why is it useful to have host-based firewalls? 10. What is a DMZ network and what types of systems would you expect to find on such networks? 11. What is the difference between an internal and an external firewall? Give example 25 Dr. Shivashankar, E&CE, RRIT