Protection from Cyber attacks and Security Firewall
Cyber Security
Firewall Basics
Agenda
• Vulnerability
• Reasons for Cyber Attacks
• Hacker
• Types/Techniques of Cyber Attacks
• Aspects of Cyber Security
• CIA Triad
• Framework for Information Security
The Threats
• Denial-of-Service
• Unauthorized Access
• Execution of Unauthorized Commands
• Breaches of Confidentiality
• Destructive Behavior
Basic Security
▫ Backup, Backup, Backup
▫ Control Where Data Is Located
▫ Decentralize Your Security System
▫ Your Operating System May Not Be Your Friend
Firewall
● A firewall is a security policy enforcement point that regulates access between computer networks
● Filters inherently insecure services
● Controls TCP protocols – http, smtp, ftp, telnet etc
● Only one of many different security tools used to control and regulate network traffic
Firewalls: Locking Out The World
A firewall protects networked computers from intentional hostile intrusion that could compromise confidentiality or result in data corruption or denial of service. Firewalls can be either hardware based or software based. The firewall is usually located at the intersection (connection) between two networks, generally a private (corporate) network and a public network, such as the Internet.
Firewall Terminology
▫ Bastion Host
▫ Router
▫ Access Control List (ACL)
▫ Demilitarized Zone (DMZ)
▫ Proxy
▫ Stateful Inspection
▫ Network Address Translation (NAT)
Hardware Firewall
Software Firewall
How It Works
Firewalls & the OSI
Firewall Architecture Overview
● Basic Firewall Components
– Software
– Hardware
– Purpose Built/Appliance based
Firewall Software Types
● Problems to watch for
– Administrative limitations
● Access
● Monitoring
● logging
– Management requirements
● Additional control points
● Additional non-secure applications
required
– Software limitations
● Capacity
● Availability
● Hardware
Packet Filtering Firewalls
● Packet filtering is one of the oldest and most common firewall technologies. Packet filters inspect each packet individually, examining the source and destination IP addresses and ports. This information is compared against access control rules to decide whether the packet should be allowed through the firewall.
● Packet filters consider only the most basic attributes of each packet, and they need not remember anything about the traffic, since each packet is examined in isolation. For this reason they can decide packet flow very quickly.
● Because every packet of every connection is checked against the access control rules, larger, more complex rule bases decrease performance. And because packet filters can only check low-level attributes, they are not secure against malicious code hiding in the other layers. Packet filters are often used as a first defense in combination with other firewall technologies; their most common implementation today is the access control lists of routers at network perimeters.
● For simple protocols or one-sided connections, such as ICMP or SNMP traps, packet filtering is still useful.
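A stateless packet filter as described above, written as an added example (not code from the slides or from any product): an ordered ACL is matched on header fields only, first match wins, and an implicit deny closes the list. The ACL, addresses and packets are constructed; the `established` flag mimics the router-ACL convention of matching any TCP segment that is not a bare SYN.

```python
"""Stateless packet filter: an ordered ACL evaluated on header fields only,
first match wins, implicit deny at the end. Constructed example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None   # None for ICMP
    dport: Optional[int] = None
    syn_only: bool = False        # TCP SYN without ACK: a new connection attempt
    payload: bytes = b""          # present on the wire, never consulted below


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any destination port
    established: bool = False     # router-ACL style: TCP segments that are not a bare SYN

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.established and (pkt.proto != "tcp" or pkt.syn_only):
            return False
        return True


def filter_packet(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the ACL top down; return (action, index of the matching rule).
    Every packet pays for every rule above its match, which is why long rule
    bases cost throughput. Index None means the implicit deny at the end."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


# Constructed inbound ACL on the Internet-facing interface of a site that
# owns 203.0.113.0/24 (a documentation address range).
INBOUND_ACL = [
    Rule("permit", "tcp", dst="203.0.113.10/32", dport=80),         # public web server
    Rule("permit", "tcp", dst="203.0.113.10/32", dport=443),
    Rule("permit", "tcp", dst="203.0.113.0/24", established=True),  # replies to sessions opened from inside
    Rule("permit", "udp", dst="203.0.113.5/32", dport=162),         # one-sided SNMP traps to the NMS
    Rule("permit", "icmp", dst="203.0.113.0/24"),                   # one-sided control messages
]


def demo() -> List[Tuple[str, Tuple[str, Optional[int]]]]:
    """Decisions for a handful of constructed packets."""
    cases = [
        ("web request", Packet("tcp", "198.51.100.7", "203.0.113.10", 40000, 80, syn_only=True)),
        ("telnet attempt", Packet("tcp", "198.51.100.7", "203.0.113.10", 40001, 23, syn_only=True)),
        ("reply to outbound https", Packet("tcp", "198.51.100.7", "203.0.113.20", 443, 51515)),
        # Same header shape as a reply, but no session was ever opened from inside:
        # a stateless filter cannot know that; stateful inspection can.
        ("ack to unopened port", Packet("tcp", "198.51.100.7", "203.0.113.20", 443, 22)),
        ("snmp trap", Packet("udp", "198.51.100.9", "203.0.113.5", 161, 162)),
        # Payload is not examined: whatever rides inside a permitted flow passes.
        ("web request with payload", Packet("tcp", "198.51.100.7", "203.0.113.10", 40002, 80,
                                           payload=b"POST /upload HTTP/1.1")),
    ]
    return [(name, filter_packet(INBOUND_ACL, pkt)) for name, pkt in cases]


if __name__ == "__main__":
    for name, (action, idx) in demo():
        print(f"{name:26s} -> {action} (rule {idx})")
```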
– For drafting security policies: Zwicky – BugTraq – Security Focus
What Is an AI Firewall?
An artificial intelligence (AI) firewall, a next-generation product that builds on the next-generation firewall (NGFW), uses intelligent detection technologies to improve the detection of advanced and unknown threats. An NGFW uses a static rule database to detect threats, which is difficult to maintain against advanced threat variants. The AI firewall uses an intelligent detection engine to train threat detection models on massive sample sets and continuously optimizes the models using real-time traffic data, improving threat detection capabilities.
Why Do We Need the AI Firewall?
Defined by Gartner in 2009, the NGFW deeply integrates basic firewall services with a variety of security services, such as application identification, intrusion protection system (IPS), and antivirus for parallel processing and in-depth traffic security detection. Now, more than 10 years later, with the rapid development of network cloudification, mobility, and the Internet of Things (IoT), NGFWs are facing a number of significant challenges, such as increasing advanced threats and a wide range of variants. The static rule database-based detection of NGFWs can no longer sufficiently tackle these challenges.
Why Do We Need the AI Firewall?
As shown in the preceding figure, in addition to traditional threats such as
viruses and Trojan horses, advanced threats, for example, advanced
persistent threats (APTs), are constantly evolving. As a result, attacks such
as ransomware and M2M attacks are becoming increasingly diversified, due
to huge economic benefits. Advanced threats are more covert and spread
faster, and up to 70% of network attack traffic is encrypted.
Why Do We Need the AI Firewall?
Facing the rapidly changing threat types, traditional NGFWs must address
the following challenges:
Signature-based threat detection cannot cope with advanced and
unknown threats.
Signature-based threat detection relies on signature databases (static rule
databases). Signatures in a signature database describe known threats and
the database has a limited capacity. The signature database cannot detect
unknown and variant advanced threats. This leads to the high false positive
rate of threat detection and delayed threat response.
Why Do We Need the AI Firewall?
Multi-layer, three-dimensional, and more covert threats occur, and systems
are unable to mitigate the entire kill chain through signature matching.
The popularization of IoT brings more security threats. According to statistics,
the number of threats from the intranet increases significantly, indicating that
the attacks are not limited to the external network. Hackers infiltrate from the
outside, gain remote control, spread to the inside, steal, and destroy
important data, forming a complete kill chain. The NGFW matches packet
content against signatures and cannot identify the entire kill chain process.
As a result, the NGFW cannot accurately mitigate attacks.
In addition, threats are becoming more covert. Most threats are hidden within
encrypted channels. Using signatures to match against traffic cannot extract
the features of such encrypted traffic. The firewalls must be able to analyze
data from all aspects without decrypting the data, so that any threats can be
exposed.
Why Do We Need the AI Firewall?
Threat handling is labor intensive and time consuming.
As firewall deployment is not a one-time operation, follow-up O&M is critical.
Administrators need to continuously tune policies to cope with changing threats,
analyze attack logs, promptly handle threat events, and strengthen enterprise
facilities. However, these tasks depend on the skill level of administrators and are
complex, and the effect cannot be ensured. Firewalls must have automated data
analysis and threat handling capabilities.
To sum up, NGFWs must be upgraded to cope with the continuous evolution of
networks and threats. In this regard, the development of AI technologies brings new
opportunities for firewalls. Huawei has launched AI firewalls that leverage intelligent
detection technology. They use machine learning and in-depth learning to build threat
detection models, greatly improving the accuracy and timeliness of threat detection. In
addition, the automatic handling technology is introduced to automatically commission
policies and analyze threat traffic, relieving the pressure on O&M.
Differences Between AI Firewalls and NGFWs
The main NGFW capabilities defined by Gartner are application identification and IPS
integration for in-depth traffic detection. As mentioned above, NGFWs need to be
upgraded, and vendors are embracing new technologies to enhance firewall functions.
However, there is no standard industry definition of next-generation NGFW product.
The following table lists the major differences between AI firewalls and NGFWs.
Differences Between AI Firewalls and NGFWs
The main advantage of AI firewalls lies in intelligence. AI firewalls not only leverage signatures to mechanically identify known threats, but also use a large number of samples and algorithms to train threat detection models, enabling detection of advanced and unknown threats. However, higher requirements are imposed on computing hardware in order to get the most out of this newly introduced intelligent detection technology. The AI firewall must provide dedicated hardware for intelligent detection computing to improve threat detection performance.
AI Firewall Detection of Advanced Threats
AI firewalls can detect advanced threats. Well, what is the implementation? AI firewalls are intelligent, as evidenced by the embedded intelligent detection engine, which detects advanced threats based on a threat detection model created through machine learning.
The detection models used by the intelligent detection engine come from the following:
– Cloud Sample Training (Supervised Learning): The cloud uses supervised learning to train on millions of samples, extracts threat detection models, and delivers the models to firewalls for detection.
– Local Learning (Unsupervised Learning): Unsupervised learning is used locally, and the learning is performed continuously by extracting data from live network traffic.
AI Firewall Detection of Advanced Threats
Supervised learning and unsupervised learning can more effectively detect malicious
files that are frequently mutated, detect compromised hosts and remotely controlled
zombies, monitor encrypted data that is sent and stolen, and identify malicious
behavior, such as slow and distributed brute force attacks. During the learning process,
mass data analysis is leveraged to train and generate threat detection models, and the
models are continuously optimized based on live network data for self-evolution. The
updated model trained on the cloud is delivered directly to a firewall without the need to
upgrade system software.
AI Firewall Detection of Advanced Threats
AI firewall intelligent detection engine
An advanced threat is often an organized and planned attack process. The AI firewall offers multiple technologies designed to block attacks at key kill chain nodes:
External penetration phase: The first step in an attack is to spread malicious files onto the intranet via USB and phishing emails. The kill chain is stopped as soon as the spread of malicious software is blocked at this node. The AI firewall uses an intelligent malicious-file detection algorithm that extracts file features, instead of a traditional static rule database, to detect malicious files, greatly improving the detection rate.
Interaction between an attacker and a compromised host: A host running malware becomes a compromised host. An attacker communicates with the compromised host through a command and control (C&C) channel: for example, the attacker sends instructions to the compromised host and the compromised host sends data back. The AI firewall provides C&C channel detection and domain name detection based on Domain Generation Algorithm (DGA) analysis to block unauthorized communications. To obfuscate the communication, C&C traffic is usually encrypted in transit. The AI firewall can detect encrypted traffic without decryption and ensures that C&C traffic cannot be masked.
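The DGA-based domain name detection mentioned above, as an added example (not the vendor's model or code): a hand-written feature scorer stands in for the trained model, scoring the registrable label of each queried name on the shape that algorithmically generated domains tend to have (few vowels, long consonant or digit runs, many digits, near-uniform character use). The log line format, the point weights, the flagging threshold and the sample domains are all constructed assumptions.

```python
"""Heuristic DGA-style scoring of queried domain names from DNS log lines.
Constructed example; the scorer is a stand-in for a trained model."""
import math
from collections import Counter
from typing import List, Tuple

VOWELS = set("aeiou")
FLAG_AT = 50   # assumed threshold: at or above this, the query is reported


def shannon_entropy(s: str) -> float:
    """Bits per character of the label's character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(fqdn: str) -> str:
    """Label left of the TLD. Assumes a single-label public suffix (".com",
    ".net"); a real deployment would consult the public suffix list."""
    parts = fqdn.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def longest_consonant_run(label: str) -> int:
    """Longest run of non-vowel letters and digits; '-' breaks a run."""
    run = best = 0
    for ch in label:
        if ch.isalnum() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_points(fqdn: str) -> int:
    """Score 0..100 from four shape features. Weights are assumptions."""
    label = registrable_label(fqdn)
    n = len(label)
    if n < 6:
        return 0                      # too short to judge
    vowel_ratio = sum(ch in VOWELS for ch in label) / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    norm_entropy = shannon_entropy(label) / math.log2(n)   # 1.0 = every char distinct
    points = 0
    if vowel_ratio < 0.2:
        points += 35
    if longest_consonant_run(label) >= 5:
        points += 35
    if digit_ratio > 0.15:
        points += 15
    if n >= 10 and norm_entropy > 0.9:
        points += 15
    return points


def scan_dns_log(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (client, domain, points) for queries scoring FLAG_AT or more.
    Constructed log format: '<timestamp> <client-ip> query <type> <name>'."""
    flagged = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[2] != "query":
            continue                  # malformed line: skip rather than guess
        client, name = fields[1], fields[4]
        pts = dga_points(name)
        if pts >= FLAG_AT:
            flagged.append((client, name, pts))
    return flagged


# Constructed DNS query log: two ordinary names, two DGA-shaped names and one
# suspicious-looking but pronounceable name that the shape heuristic ignores.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 10.0.0.21 query A www.google.com",
    "2024-05-01T10:00:01Z 10.0.0.21 query A mail.example.org",
    "2024-05-01T10:00:02Z 10.0.0.42 query A xjk3q9wzpl2bvh.net",
    "2024-05-01T10:00:03Z 10.0.0.42 query A a1b2c3d4e5f6.top",
    "2024-05-01T10:00:04Z 10.0.0.21 query A secure-login-update.com",
]

if __name__ == "__main__":
    for client, name, pts in scan_dns_log(SAMPLE_LOG):
        print(f"{client} queried {name}: {pts} points")
```

A shape heuristic like this only narrows the candidate set; the last sample line shows that a lookalike name built from dictionary words scores nothing, which is why the page pairs DGA detection with C&C channel detection.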
Explanation of workflow of AI Firewall
The proposed system minimizes the chance of packet drops and can determine in depth whether a packet really contains rejected content, which frees the system from that risk. The workflow of the system is discussed in the following subsections:
1. Make up list categories for incoming packets. The firewall sorts packet connections into three categories (fig 4). The established list contains the connections of trusted packets. The deny list contains the connections that are blocked. The third, additional list contains the connections of packets that are not yet known to be safe or unsafe.
Explanation of workflow of AI Firewall
2. Ready for checking. A firewall normally places a packet's connection on the established list once the packet has entered the system. If that packet carries risky material, a traditional firewall is then unable to detect it. To remove this risk, this firewall continuously checks whether established connections (fig 5) are still trusted. Some rules are produced for exceptional packets by the system itself, according to the packet.
3. When a packet satisfies the AI rules. After a packet matches all the AI rules, the system assumes that the packet is trusted (fig 6). The connection is then added to the established list and the packet is given permission to access the system. Otherwise, the system assumes that the packet is not trusted.
4. When a packet does not satisfy the AI rules. If the packet does not match the AI rules because of unnecessary code, the following happens (shown in fig 7).
5. If a packet is not understandable. A packet that cannot be understood by the entire set of processing rules, including the AI rules, is not dropped. It is stored in a new file for further checking, in case the AI can process it later with some rules (fig 8).
6. What a traditional firewall basically does. It cannot produce AI rules by itself; it can only match some predefined rules against the packet headers. If they match, the connection is made; otherwise the packet is blocked (fig 9).
Types of Firewall
There are three types of firewall:
1. Stateless (packet-filtering) firewall
2. Stateful firewall
3. Application layer (proxy) firewall
A stateless firewall inspects each packet individually and in isolation. It allows or denies packets without knowing the packet content or the connection state. A packet-filtering firewall permits a packet to pass by checking its source and destination address, protocol and destination port number; if these do not match the firewall rules, the packet is dropped.
A stateful firewall is more effective than the stateless firewall. It keeps a list of all trusted connections that are already established. When the firewall receives a new packet, the packet is checked against the list. If it matches, the packet is passed through without further checking. If it does not match, the packet is checked against the initial rules for new connections.
An application layer or proxy firewall examines the packet at the application layer, acting as an intermediary between the client and the server. This firewall examines the entire network packet rather than just the network address and the port number. For outgoing traffic the server allows most packets, because the server is usually trusted by itself; still, the outgoing rule set can be written so as to prevent the server from unwanted communication or malicious executables.
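The three-list workflow of steps 1 to 6 above (established, deny and additional lists plus the quarantine file of step 5), together with the established-list check of the stateful firewall, as an added example that is not the paper's or any vendor's code. The "AI rules" are hand-written predicates standing in for a trained model, each answering satisfied, violated or cannot-decide, and the one-JSON-object-per-packet wire format and the sample traffic are constructed; both are assumptions.

```python
"""Three-list connection workflow (established / deny / additional) with a
quarantine file for packets the rules cannot parse. Constructed example:
the rules are stand-ins for model output, the packet format is invented."""
import json
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

ConnKey = Tuple[str, str, str, int, int]   # proto, src, dst, sport, dport
Verdict = Optional[bool]                   # True: satisfied, False: violated, None: cannot decide
Rule = Callable[[dict], Verdict]
REQUIRED = ("proto", "src", "dst", "sport", "dport", "payload")


def parse_packet(raw: str) -> dict:
    """A packet that does not parse or lacks a header field is 'not understandable'."""
    pkt = json.loads(raw)
    missing = [f for f in REQUIRED if f not in pkt]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    return pkt


def conn_key(pkt: dict) -> ConnKey:
    return (pkt["proto"], pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])


# Assumed rules: stand-ins for what a trained detection model would return.
HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS"}


def rule_http_on_web_port(pkt: dict) -> Verdict:
    """Traffic to port 80 must look like HTTP; with no payload yet, undecided."""
    if pkt["dport"] != 80:
        return True
    if not pkt["payload"]:
        return None
    return pkt["payload"].split(" ", 1)[0] in HTTP_METHODS


def rule_no_executable_payload(pkt: dict) -> Verdict:
    """A payload starting with the DOS/PE 'MZ' marker is treated as hostile."""
    return not pkt["payload"].startswith("MZ")


@dataclass
class AIFirewall:
    rules: List[Rule]
    established: Set[ConnKey] = field(default_factory=set)   # trusted (step 1)
    deny: Set[ConnKey] = field(default_factory=set)          # blocked (step 1)
    additional: Set[ConnKey] = field(default_factory=set)    # not yet known (step 1)
    quarantine: List[str] = field(default_factory=list)      # the "new file" of step 5

    def process(self, raw: str) -> str:
        try:
            pkt = parse_packet(raw)
        except (ValueError, json.JSONDecodeError):
            self.quarantine.append(raw)      # step 5: keep for later, never drop
            return "quarantine"
        key = conn_key(pkt)
        if key in self.deny:
            return "drop"
        # Step 2: every packet is re-checked, even on an established connection.
        verdicts = [rule(pkt) for rule in self.rules]
        if any(v is False for v in verdicts):
            # Step 4: a violated rule moves the connection to the deny list and
            # revokes any trust it earned earlier.
            self.established.discard(key)
            self.additional.discard(key)
            self.deny.add(key)
            return "drop"
        if all(v is True for v in verdicts):
            # Step 3: all rules satisfied, the connection is trusted.
            self.additional.discard(key)
            self.established.add(key)
            return "allow"
        # Undecided: an already trusted connection keeps flowing; a new one is
        # parked on the additional list until a later packet settles it.
        if key in self.established:
            return "allow"
        self.additional.add(key)
        return "hold"


def traditional_decide(allowed: Set[Tuple[str, int]], pkt: dict) -> str:
    """Step 6: a traditional firewall only matches predefined header rules."""
    return "allow" if (pkt["proto"], pkt["dport"]) in allowed else "drop"


# Constructed traffic: one client-to-web-server connection, one unparsable
# line, and one DNS query from an internal host.
SAMPLE = [
    '{"proto":"tcp","src":"198.51.100.7","dst":"10.0.0.5","sport":40000,"dport":80,"payload":""}',
    '{"proto":"tcp","src":"198.51.100.7","dst":"10.0.0.5","sport":40000,"dport":80,"payload":"GET / HTTP/1.1"}',
    '{"proto":"tcp","src":"198.51.100.7","dst":"10.0.0.5","sport":40000,"dport":80,"payload":"MZ\\u0090\\u0000"}',
    '{"proto":"tcp","src":"198.51.100.7","dst":"10.0.0.5","sport":40000,"dport":80,"payload":"GET /again HTTP/1.1"}',
    'this is not a packet the parser understands',
    '{"proto":"udp","src":"10.0.0.9","dst":"10.0.0.53","sport":5353,"dport":53,"payload":""}',
]


def run_demo() -> dict:
    fw = AIFirewall(rules=[rule_http_on_web_port, rule_no_executable_payload])
    decisions = [fw.process(raw) for raw in SAMPLE]
    # The header-only firewall lets the same 'MZ' packet through on tcp/80.
    legacy = traditional_decide({("tcp", 80), ("udp", 53)}, parse_packet(SAMPLE[2]))
    return {"ai": decisions, "legacy_on_mz": legacy,
            "established": len(fw.established), "deny": len(fw.deny),
            "additional": len(fw.additional), "quarantine": len(fw.quarantine)}


if __name__ == "__main__":
    print(run_demo())
```

The third sample packet shows step 2 at work: the connection had already been trusted by the second packet, yet the rule violation pulls it onto the deny list, and the fourth packet is dropped without being evaluated at all.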
Pros and Cons of firewall:
1. Attacks that originate from the process itself cannot be handled.
2. If an unauthorized user has already gained access, this system is ineffective against it.
3. In stateless filtering, more time is needed to establish or drop a connection because each packet is checked individually.
4. As it checks only a definite set of port numbers and destination numbers without knowing the packet content, it is not suitable for all trusted packets if they do not carry those numbers.
5. In stateful filtering, there is no rule for new packets.
6. As an intermediary layer, a proxy firewall is always slow and time consuming.
7. Sometimes these processes drop trusted packets.
Conclusion
A good example of how AI-based Next Generation Firewalls (NGFW) protect an organization is seen from a broader perspective. Embedded ML algorithms identify and block suspicious files without relying on any previous, signature-based database to compare against existing cyber threats. ML algorithms detect specific behaviours of a file; if the file meets a specific threshold, the file is isolated and analyzed.
A file is isolated and studied if, after detection by the ML algorithm, it exhibits characteristics that meet certain thresholds. The NGFW improves its detection of suspicious files with each application of the ML algorithm by learning from previously tested behaviour. Users do not see any reduction in network response time, as NGFW firewalls avoid using any offline technology that slows down network performance.
Anti-malware software employs heuristic analysis-based detection from a subtle, device-level perspective. In other words, AI detects potential infections that have never been seen before.
Antivirus software operates differently. It employs signature-based detection, which compares the signature of a known virus with one already identified and stored in the signature database. Antivirus software will not be able to stop an online threat if it has never encountered that infection.

Protection from Cyber attacks and Security Firewall

  • 1.
  • 2.
    2 Agenda • Vulnerability • Reasonsfor Cyber Attacks • Hacker • Types/Techniques of Cyber Attacks • Aspects of Cyber Security • CIA Triad • Framework for Information Security
  • 3.
    3 • Denial-of-Service • UnauthorizedAccess • Execution of Unauthorized Commands • Breaches of Confidentiality • Destructive Behavior The Threats
  • 4.
    Basic Security ▫ Backup,Backup, Backup ▫ Control Where Data Is Located ▫ Decentralize Your Security System ▫ Your Operating System May Not Be Your Friend
  • 5.
    Firewall ● A firewallis a security policy enforcement point that regulates access between computer networks ● Filters are inherently insecure services ● Controls TCP protocols – http, smtp, ftp, telnet etc ● Only one of many different security tool’s to control and regulate network traffic
  • 8.
    Firewalls: Locking Out The World Afirewall protects networked computers from intentional hostile intrusion that could compromise confidentiality or result in data corruption or denial of service. Firewalls can be either hardware based or software based. The firewall is usually located at the intersection (connection) between two networks, generally a private (corporate) network and a public network, such as the Internet.
  • 9.
    Firewall Terminology ▫ BastionHost ▫ Router ▫ Access Control List (ACL) ▫ Demilitarized Zone (DMZ) ▫ Proxy ▫ Stateful Inspection ▫ Network Address Translation (NAT)
  • 10.
  • 11.
  • 12.
  • 13.
  • 15.
    Firewall Architecture Overview ● BasicFirewall Components – Software – Hardware – Purpose Built/Appliance based
  • 16.
    Firewall Software Types ●Problems to watch for – Administrative limitations ● Access ● Monitoring ● logging – Management requirements ● Additional control points ● Additional non-secure applications required – Software limitations ● Capacity ● Availability ● Hardware
  • 17.
    Packet Filtering Firewalls ●Packet filtering is one of the oldest, and one of the most common types of firewall technologies. Packet filters inspect each packet of information individually, examining the source and destination IP addresses and ports. This information is compared to access control rules to decide whether the given packet should be allowed through the firewall. ● ● Packet filters consider only the most basic attributes of each packet, and they don't need to remember anything about the traffic since each packet is examined in isolation. For this reason they can decide packet flow very quickly. Because every packet of every connection is checked against the access control rules, larger, complex rule bases decrease performance. And because packet filters can only check low-level attributes, they are not secure against malicious code hiding in the other layers. Packet filters are often used as a first defense in combination with other firewall technologies, and their most common implementation today is seen in the access control lists of routers at the perimeters of networks. ● For simple protocols or one-sided connections, like ICMP or SNMP traps, it is still useful to use packet filtering technology.
  • 18.
    – For draftingsecurity policies Zwicky – BugTraq – Security Focus What Is an AI Firewall? An artificial intelligence (AI) firewall, a next-generation product of next- generation firewall (NGFW) product, uses intelligent detection technologies to improve the detection of advanced threats and unknown threats. NGFW uses a static rule database to detect threats, which is difficult to manage with advanced threat variants. The AI ​ ​ firewall uses the intelligent detection engine to train threat detection models based on massive samples and continuously optimizes models based on real-time traffic data, improving threat detection capabilities.
  • 19.
    – For draftingsecurity policies Zwicky – BugTraq – Security Focus Why Do We Need the AI Firewall? Defined by Gartner in 2009, the NGFW deeply integrates basic firewall services with a variety of security services, such as application identification, intrusion protection system (IPS), and antivirus for parallel processing and in- depth traffic security detection. Now, more than 10 years later, with the rapid development of network cloudification, mobility, and the Internet of Things (IoT), NGFWs are facing a number of significant challenges, such as increasing advanced threats and a wide range of variants. The static rule database-based detection of NGFWs can no longer sufficiently tackle these challenges.
  • 20.
    – For draftingsecurity policies Zwicky – BugTraq – Security Focus Why Do We Need the AI Firewall? As shown in the preceding figure, in addition to traditional threats such as viruses and Trojan horses, advanced threats, for example, advanced persistent threats (APTs), are constantly evolving. As a result, attacks such as ransomware and M2M attacks are becoming increasingly diversified, due to huge economic benefits. Advanced threats are more covert and spread faster, and up to 70% of network attack traffic is encrypted.
  • 21.
    – For draftingsecurity policies Zwicky – BugTraq – Security Focus Why Do We Need the AI Firewall? Facing the rapidly changing threat types, traditional NGFWs must address the following challenges: Signature-based threat detection cannot cope with advanced and unknown threats. Signature-based threat detection relies on signature databases (static rule databases). Signatures in a signature database describe known threats and the database has a limited capacity. The signature database cannot detect unknown and variant advanced threats. This leads to the high false positive rate of threat detection and delayed threat response.
  • 22.
    – For draftingsecurity policies Zwicky – BugTraq – Security Focus Why Do We Need the AI Firewall? Multi-layer, three-dimensional, and more covert threats occur, and systems are unable to mitigate the entire kill chain through signature matching. The popularization of IoT brings more security threats. According to statistics, the number of threats from the intranet increases significantly, indicating that the attacks are not limited to the external network. Hackers infiltrate from the outside, gain remote control, spread to the inside, steal, and destroy important data, forming a complete kill chain. The NGFW matches packet content against signatures and cannot identify the entire kill chain process. As a result, the NGFW cannot accurately mitigate attacks. In addition, threats are becoming more covert. Most threats are hidden within encrypted channels. Using signatures to match against traffic cannot extract the features of such encrypted traffic. The firewalls must be able to analyze data from all aspects without decrypting the data, so that any threats can be exposed.
  • 23.
    – For draftingsecurity policies Zwicky – BugTraq – Security Focus Why Do We Need the AI Firewall? Threat handling is labor intensive and time consuming. As firewall deployment is not a one-time operation, follow-up O&M is critical. Administrators need to continuously tune policies to cope with changing threats, analyze attack logs, promptly handle threat events, and strengthen enterprise facilities. However, these tasks depend on the skill level of administrators and are complex, and the effect cannot be ensured. Firewalls must have automated data analysis and threat handling capabilities. To sum up, NGFWs must be upgraded to cope with the continuous evolution of networks and threats. In this regard, the development of AI technologies brings new opportunities for firewalls. Huawei has launched AI firewalls that leverage intelligent detection technology. They use machine learning and in-depth learning to build threat detection models, greatly improving the accuracy and timeliness of threat detection. In addition, the automatic handling technology is introduced to automatically commission policies and analyze threat traffic, relieving the pressure on O&M.
  • 24.
    – For draftingsecurity policies Zwicky – BugTraq – Security Focus Differences Between AI Firewalls and NGFWs The main NGFW capabilities defined by Gartner are application identification and IPS integration for in-depth traffic detection. As mentioned above, NGFWs need to be upgraded, and vendors are embracing new technologies to enhance firewall functions. However, there is no standard industry definition of next-generation NGFW product. The following table lists the major differences between AI firewalls and NGFWs.
  • 25.
    – For draftingsecurity policies Zwicky – BugTraq – Security Focus Differences Between AI Firewalls and NGFWs The main advantage of AI firewalls lies in intelligence. The AI firewalls not only leverage signatures to mechanically identify known threats, but also use a large number of samples and algorithms to train threat detection models, enabling detection of advanced and unknown threats. However, higher requirements are imposed on computing hardware in order to maximize this newly introduced intelligent detection technology. The AI firewall must provide dedicated hardware for intelligent detection computing to improve threat detection performance
  • 26.
    – For draftingsecurity policies Zwicky – BugTraq – Security Focus AI Firewall Detection of Advanced Threats AI firewalls can detect advanced threats. Well, what is the implementation? AI firewalls are intelligent, as evidenced by the embedded intelligent detection engine which detects advanced threats based on a threat detection model created through machine learning. The detection models used by the intelligent detection engine come from the following: Cloud Sample Training (Supervised Learning)The cloud uses supervised learning to train millions of samples, extracts threat detection models, and delivers the models to firewalls for detection. Local Learning (Unsupervised Learning)Unsupervised learning is used locally, and the learning is performed continuously by extracting data from live network traffic.
  • 27.
    – For draftingsecurity policies Zwicky – BugTraq – Security Focus AI Firewall Detection of Advanced Threats Supervised learning and unsupervised learning can more effectively detect malicious files that are frequently mutated, detect compromised hosts and remotely controlled zombies, monitor encrypted data that is sent and stolen, and identify malicious behavior, such as slow and distributed brute force attacks. During the learning process, mass data analysis is leveraged to train and generate threat detection models, and the models are continuously optimized based on live network data for self-evolution. The updated model trained on the cloud is delivered directly to a firewall without the need to upgrade system software.
  • 28.
    – For draftingsecurity policies Zwicky – BugTraq – Security Focus AI Firewall Detection of Advanced Threats AI firewall intelligent detection engine
  • 29.
    An advanced threatis often an organized and planned attack process. The AI ​ ​ firewall offers multiple technologies designed to block attacks on key kill chain nodes: External Penetration Phase: The first step in an attack is to spread malicious files onto the intranet via USB and phishing emails. The kill chain is stopped as soon as the spread of malicious software is blocked on the node. AI firewall uses intelligent malicious file detection algorithm to extract file functions, instead of using traditional static rules database to detect malicious files, greatly improving the detection rate. Interaction between an attacker and a compromised host: A host running malware becomes a compromised host. An attacker communicates with the compromised host through a command and control (C&C) channel. For example, the attacker sends instructions to the compromised host and the compromised host sends data. AI Firewall provides C&C channel detection and domain name detection based on Domain Generation Algorithm (DGA) to block unauthorized communications. To obfuscate the communication process, C&C traffic is usually encrypted in transit. The AI ​ ​ firewall can detect encrypted traffic without decryption and ensures that C&C traffic cannot be masked.– For drafting security policies Zwicky – BugTraq – Security Focus AI Firewall Detection of Advanced Threats
  • 30.
    An advanced threatis often an organized and planned attack process. The AI ​ ​ firewall offers multiple technologies designed to block attacks on key kill chain nodes: External Penetration Phase: The first step in an attack is to spread malicious files onto the intranet via USB and phishing emails. The kill chain is stopped as soon as the spread of malicious software is blocked on the node. AI firewall uses intelligent malicious file detection algorithm to extract file functions, instead of using traditional static rules database to detect malicious files, greatly improving the detection rate. Interaction between an attacker and a compromised host: A host running malware becomes a compromised host. An attacker communicates with the compromised host through a command and control (C&C) channel. For example, the attacker sends instructions to the compromised host and the compromised host sends data. AI Firewall provides C&C channel detection and domain name detection based on Domain Generation Algorithm (DGA) to block unauthorized communications. To obfuscate the communication process, C&C traffic is usually encrypted in transit. The AI ​ ​ firewall can detect encrypted traffic without decryption and ensures that C&C traffic cannot be masked.– For drafting security policies Zwicky – BugTraq AI Firewall Detection of Advanced Threats
  • 31.
The process of the proposed system has the minimum possibility of packet drops and can examine a packet deeply to determine whether it really contains rejected content or not, which frees the system from that risk. The workflow of the system is discussed in the following subsections: 1. Make up list categories for incoming packets. Here the firewall sorts the connections of packets into three categories (fig 4). The established list contains the connections of trusted packets. The deny list contains the connections that are blocked. The third list is an additional list containing the connections of packets that are not yet known to be safe or not. Explanation of workflow of AI Firewall
  • 32.
Explanation of workflow of AI Firewall 2. Ready for checking. A firewall normally places the connection of a packet on the established list once the packet has entered the system. If that packet carries risky material, a traditional firewall is then unable to detect it. To remove this risk, this firewall continuously re-checks whether established connections (fig 5) are trusted or not. Some rules for exceptional packets are produced by the system itself according to the packet.
  • 33.
Explanation of workflow of AI Firewall 3. When a packet satisfies the AI rules. After matching all the AI rules, the packet is assumed to be trusted (fig 6). Its connection is then added to the established list and it is given permission to access the system. Otherwise the packet is assumed not to be trusted.
  • 34.
Explanation of workflow of AI Firewall 4. When a packet does not satisfy the AI rules. If the packet does not match the AI rules because of unnecessary code, the following happens (shown in fig 7).
  • 35.
Explanation of workflow of AI Firewall 5. If a packet is not understandable. A packet that cannot be understood by the entire set of processing rules, including the AI rules, is not dropped. It is stored in a new file for further checking, in case the AI can process it later with some rules (fig 8).
  • 36.
Explanation of workflow of AI Firewall 6. What a traditional firewall basically does. It cannot produce AI rules by itself; it can only match some predefined rules against the packet headers. If they match, a connection is made; otherwise the packet is blocked (fig 9).
  • 37.
Types of Firewall There are three types of firewall. They are:
1. Stateless (packet-filtering) firewall
2. Stateful firewall
3. Application layer (proxy) firewall
A stateless firewall monitors each packet individually and in isolation. It allows or denies packets without knowing the packet's content or connection state. A packet-filtering firewall permits a packet to pass by checking its source and destination address, protocol and destination port number. If these do not match the firewall rules, the packet is dropped. A stateful firewall is more effective than the stateless firewall. It keeps a list of all trusted connections that are already established. When the firewall receives a new packet, the packet is checked against the list. If it matches, the packet is passed through without further checking. If it does not match, the packet is checked against the initial rules for new connections. An application layer or proxy firewall examines the packet at the application layer, acting as an intermediary between the client and the server. This firewall examines the entire network packet rather than just the network address and the port number. For outgoing traffic, the server allows most packets, because the server is usually trustworthy to itself. Still, the outgoing rule set can be written in a way that prevents the server from unwanted communication or from malicious executables planted by attackers.
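The six workflow steps on the preceding slides and the stateless/stateful distinction on this slide, as an added example that is not the paper's or any product's code: a toy filter keeping the established, deny and additional lists, re-checking established traffic, and quarantining unparsable packets, beside an ordinary stateful check that passes established traffic unchecked. The header rules, the packet format, and `content_rule` (a hypothetical stand-in for the "AI rules") are constructed for this example.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst dport proto payload")
ALLOW_RULES = [{"proto": "tcp", "dport": 443}, {"proto": "tcp", "dport": 22}]  # constructed

def stateless_allow(pkt):
    """Traditional/stateless filter (step 6): headers only, each packet alone."""
    return any(all(getattr(pkt, k) == v for k, v in r.items()) for r in ALLOW_RULES)

def content_rule(pkt):
    """Hypothetical stand-in for the 'AI rules': True trusted, False rejected, None unparsable."""
    if pkt.payload is None:
        return None
    return not (b"<script>" in pkt.payload or b"DROP TABLE" in pkt.payload)

def conn_key(pkt):
    return (pkt.src, pkt.dst, pkt.dport, pkt.proto)

def plain_stateful(established, pkt):
    """Ordinary stateful filter: an established connection passes with no further check."""
    return conn_key(pkt) in established or stateless_allow(pkt)

class ThreeListFirewall:
    """The three lists of step 1, with established traffic re-checked (step 2)."""
    def __init__(self):
        self.established = set()  # trusted connections
        self.deny = set()         # blocked connections
        self.additional = set()   # not yet known to be safe
        self.quarantine = []      # step 5: kept for later processing, not dropped

    def handle(self, pkt):
        key = conn_key(pkt)
        if key in self.deny:
            return "drop"
        verdict = content_rule(pkt)
        if verdict is None:                  # step 5: not understandable
            self.quarantine.append(pkt)
            self.additional.add(key)
            return "quarantine"
        if not verdict:                      # step 4: fails the content rules
            self.established.discard(key)    # step 2: an established flow is revoked
            self.deny.add(key)
            return "drop"
        if key in self.established or stateless_allow(pkt):  # step 3: trusted
            self.established.add(key)
            self.additional.discard(key)
            return "accept"
        self.additional.add(key)             # content fine, headers unknown: hold
        return "hold"
```

The contrast to watch: once a connection is established, `plain_stateful` lets a later malicious payload through untouched, while `ThreeListFirewall.handle` re-inspects it and moves the connection to the deny list.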
  • 38.
Pros and Cons of firewall:
1. Attacks that are prepared by the process itself cannot be handled.
2. If an unauthorized user has already gained access, this system is ineffective against it.
3. In stateless filtering, more time is needed to establish or drop a connection because each packet is checked individually.
4. As it checks only a definite set of port numbers and destination numbers without knowing the content of the packet, it is not suitable for every trusted packet if the packet does not carry those numbers.
5. In stateful filtering, there is no rule for new packets.
6. As an intermediary layer, a proxy firewall is always slow and time-consuming.
7. Sometimes these processes drop some trusted packets.
  • 39.
Conclusion A good example of how AI-based Next Generation Firewalls (NGFW) protect an organization is seen from a broader perspective. Embedded ML algorithms identify and block suspicious files without employing any previous, signature-based database of known cyber threats. ML algorithms are used to detect specific behaviours of a file; if the file meets a specific threshold after the ML algorithm has detected those characteristics, the file is isolated and analyzed. The NGFW improves its detection of suspicious files with each application of the ML algorithm by learning from previously tested behaviour. Users do not see any reduction in network response time, as NGFWs avoid offline technologies that slow down network performance. Anti-malware software employs heuristic analysis-based detection from a subtle, device-level perspective; in other words, AI detects potential infections that have never been seen before. Antivirus software operates differently. It employs signature-based detection, which compares the signature of a file against the signatures of known viruses already identified and stored in the signature database. Antivirus software will not be able to stop an online threat if it has never encountered that infection.