Firewalls and Intrusion Detection Systems - Cryptography and Network Security Video Lecture - Computer Science Engineering (CSE)

right so in today's class we shall
discuss about firewalls and intuition
detection systems
so essentially today's topic of
discussions will be we shall actually
first discuss about intuition detection
systems we shall consider the
definitions types of in Tudors category
of in Tudors and also what are the
functionalities of intuition detection
systems and see some of the techniques
which are used by these kind of systems
to essentially observe the
vulnerabilities are the other threats to
network then we shall discuss about the
important topic about firewalls consider
the definitions constructions and
discuss some of the principles which are
used behind firewalls so intuition
detection system is essentially the
process of monitoring the events which
occur in a computer system or network
now the science of violations of
computer security policies and so
essentially that which are standard
security practices these are observed by
the intuition detection systems and the
interaction intuition detection system
observes for any possible violations of
what are thought to be secured practices
now there are essentially two important
broad categories of the intuition
detection system as such one is called
the intrusion detection system and the
other one is called the intrusion
detection and prevention system so that
is the so there are essentially two
parts and this is probably difficult to
exactly draw a line between them so one
while concentrates in finding out or
detect the security breaches the other
actually prevents or blocks any threats
so an ID P SS are correct as it is
collectively called has become an very
nice early addition to the security
infrastructure of nearly every
organization so looking into little bit
depths we shall actually see like for
example like there are three types of
into ders so the intruders are broadly
categorized as masqueraders Mis phasers
and clandestine users so masqueraders
are typically outsiders from the trusted
users and I am not authorized
to use the computer systems so
essentially they generally penetrate the
system by by essentially some legitimate
user accounts so basically is kind of
like it like as we have seen in the last
days masquerading attacks in network
protocols so it is like it tries these
kind of attackers tries to mimic or
imitate a legitimate user and create
havoc or create attacks in the network
while on the other hand the miss phaser
is a typical insider and legitimate user
who accesses who actually has got access
of resources and but that but the thing
is that although there are legitimate
users they are essentially accessing
resources which they are not authorized
to use so essentially you can say that
they violate or misuse the privileges
that they are provided with and the
third kind of intruders are known as
clandestine users so they can be both
insiders and outsiders and these type of
intruders typically gain supervisory
access to the system so these are this
can be the broad three categories of
intruders now as we have told that
imitation detection system can actually
broadly be categorized into IDs and IPS
which is the intuition detection system
and the intrusion prevention system
while the first actually concentrates
and automates the intuition detection
process the second one has an additional
feature then it also tries to stop the
intrusions so so we shall actually go
into little bit depth since first of all
we shall actually actually consider some
of the usages of IDS's
so these so as we have seen that IDs s
the normal usage of IDs s are
essentially in monitoring the network
and look for vulnerabilities and also on
the other hand to take some actions to
prevent those attacks but along with it
they also have got some other
functionalities like they do some amount
of quality control in which they
actually not only I mean they they
continuously check that whether your
security policies which are in place are
correct or not so they may take some
steps like like if there are some
incorrect settings to your firewalls
they will do those Corrections they will
raise alerts whenever it sees that the
network traffic is actually not blocking
some some traffic because of configure
so miserly it kind of does a quality
control of the security policies which
are enforced the implementations and
security policies and along with in a
very important way functionality is to
document the existing threat often to an
organization that is the maintained logs
about the threat that the detect so
later on if there are has been some
attacks people can revert back refer to
these logs and can actually see what has
actually gone into the network the other
important functionality is like since
IDPs is are placed it generally deters
individuals from violating security
policies so it is something like as we
know that in shops if there are some CCD
cameras then the thieves are generally
they they essentially shall be probably
has more scared to do some criminal
activity so it's something like if we
know that we are going to continuously
being monitors the users knows that they
are being monitored by ID paces makes
them less likely to commit violations so
this is a kind of functionality which
the IDS is also performs along with it
it also of course definitely performs
the preventive actions and it
essentially adopts several responsive
techniques the responsive techniques
could be like from simply identifying
exactly that which network connections
or which user sessions are creating
threats and to block them or it could be
a drastic measure like even blocking all
accesses to a target to hosts so
depending upon your security measurement
the ideas take some protects it's
preventive actions now the idea says the
IDPs is also changes the security
environments which means that it will
change a security environment to stop an
attack and this could actually include
reconfiguration of the network firewalls
application of patches as we have seen
in the last class like if there are some
vulnerabilities detected in the system
then it is also important to update the
patches so the ID base also does these
functionality of updating the patches
which are suspected to have
vulnerabilities along with it it also
does some amount of normalization which
means that if there are some in the
network track the payload of the network
traffic if it contains some suspected
headers then they are removed this
actually helps to prevent some kind of
attack
and they also often removed the
malicious attachments from incoming
files and passed the clean email to the
recipient so this is also some important
functionality which the ideas ideas
performs now since IDPs technology
actually adapts statistical methods to
compliant the threats to the system so
they have some accompanying attribute of
false positives and false negatives
which comes with any statistical measure
so as we know that false positive me
will indicate that when the IDPs
actually incorrectly identifies a
supposedly harmless activity as
malicious and false negative on the
other hand is like when and IDPs fails
to identify a malicious activity as we
immediately understand that the false
negative is something which is probably
more threatening so therefore the first
objective will be to prevent a reduced
of false negatives and then if there are
some false positives which comes along
with it then additional measures can be
taken to really understand whether the
detected packets are really harmful or
not so there are various detection
sister detection methods which are
followed by IDPs one of the most rather
known techniques or rather most
primitive techniques would be like which
is a signature based intrusion detection
system so in this a signature is
essentially a defined as a pattern that
corresponds to a known threat so
signature based detection is the process
of comparing the signatures which
signifies unknown threat against events
that are observed so this could be a
simple examples could be like for
example there is a telling attempt made
with route as a username so this is a
typical example which is generally
prevented by the IDPs s the other thing
could be like if there are some
attachments which are suspected then the
IDPs actually does the normalization
activity and removes these attachés
allotments but then these are extremely
simple methods are actually which can
use string matching techniques as the
underlying principles and the idea is
that the current packet of the log
entries matched to a list of signatures
and if the match is found then those
packets are blocked or stopped now this
being a very simple technique or of
course it is ineffective against unknown
unknown traits for example is simply
someone who can modify the name of the
subject or maybe modify the name of the
attachments and can go undetected so
they cannot act at the other back drawer
we have the week that point about these
kind of techniques is that they cannot
pay already quest with the corresponding
response like it cannot say like okay
for example of 4:03 which is a I mean I
mean an error status code that which is
the prohibited website which has been
accessed so that it cannot pair with the
corresponding request which has been
made so this inability to order in
capability of remembering previous
requests when processing the correct
current one actually makes a another
actually makes it like that these kind
of detection schemes cannot detect
attacks in that comprise multiple events
that means if none of that is if an
attack is built out of actually multiple
events then these kind of signature
schemes cannot prevent them because it
cannot actually pair the previous
requests with the current one I mean you
cannot remember a history of the
requests and the responses and therefore
these are incapable of preventing
attacks which comprised of multiple
events so the other important detection
scheme which is known is known as the
anomaly based detection scheme now these
Direction schemes are actually based on
the process of comparing definitions of
activities which are supposed to be
normal against observed events to
identify deviations so an eye DPS which
uses anomaly based detection schemes so
essentially it generally builds up
profiles like it builds up the profiles
for the normal behaviors of the users
hosts or network connections or
applications and it matches the present
practive ities at activities with those
profiles now the important advantage
that one can derive out of anomaly based
detection systems is that it can be used
to detect previously unknown threats so
for example like the system
would be based like if there is a
malicious activity suppose a profile is
built out to essentially capture the
power consumption of the of the device
so the idea is that if there has been
some infection from a malware then the
power consumption of the device can
increase so such kind of diction scheme
helps like in the fact you know in
because of the fact that although your
malware's can vary like it can come from
an unknown malware but the technique of
detection is through a means which is
actually immaterial or does not really
depend on the exact mode or form of
attack like for example if it doesn't
actually depend upon which malware it is
attacking because the signature is
something which is quite common and
general like the power consumption of
the computer so this actually helps to
or rather can be very effective in
detecting previously unknown threats now
so therefore talking about profiles
there are generally two ways in which a
profile is built one is called the
static profiles and other one is called
the dynamic profiles now static profiles
are generally not changed for a long
period of time until IDPs specifically
tells it to change it well on the other
and a diving profile continuously
updates with additional events now as we
understand easily that because of the
inherent dynamic behavior of the
networks and systems if you maintain a
static profile then it will get outdated
ready soon on the other hand dynamic
profiles actually do not suffer from
these deficiency but dynamics profiles
also there is a kind of there is a weak
point about dynamic profiles that they
can actually be used by attackers to
fool a 90 PS because the thing is that
for example an attacker can slowly
increase its activity and initially the
IDPs can think that the rate of increase
is not alarming and therefore what it
will do is it will add the increased
activity into its profile and thus what
what and then once the moment it is it
is it is added the the malicious program
can actually further increase its
activity so in this way it can actually
incremental e increase its activity and
finally can evade the the
the the intuition Direction prevention
systems so therefore this is so if you
used a profile it has to be a
combination of static profiles as well
as dynamic profiles now there is another
problem with IDPs technology implemented
with anomaly detection methods that is
they have the problem of false positives
that is they often treat the benign
activities as malicious events for
example a system where administrators
very typical job could be to include
backup of large files now this could be
actually treated as a profile for an
attack and therefore although this is a
benign activity can actually raise false
alarms in the network so this kind of so
therefore it is often difficult to
decide whether a raised alarm is false
due to the complexity and the number of
events that have resulted in the alarm
and therefore this also needs to be kept
in mind that an anomaly based detection
systems can actually come with the
problem of false positives now the other
important method of rather based on
which the intrusion detection systems
are built on is something which is
called as a stateful protocol analysis
now in this point kind of protocol
analysis they often compared
predetermined profiles of generally
accepted definitions of benign protocols
activities for each protocol State
against observed events to identify
deviations so the idea is that this
these kind of systems also are based on
the profiles but the thing is that these
profiles are actually dependent on the
states of the protocols so therefore
there is a concept of state rather it it
depends upon the concept of states in
the inherent protocol now this actually
the the reason why this stateful
analysis is often useful is because it
helps to monitor the security of a very
common file transfer protocols or
protocols of this nature which has got
inherent States involved so therefore
for example like the FTP or the File
Transfer Protocol session can be
visualized to consist of two states so
one is for example the authenticated
state and the other is the authenticated
State now in the an authenticated
state while there are very few operation
I mean they're I mean they're actually
very there are several operations in the
there are actually very few benign
operations in the unauthenticated State
for example like providing usernames and
passwords and seeing maybe health
manuals okay so therefore the IDPs
actually considers operations which are
benign or malicious depending on the
present state of the protocol so
therefore this is this stateful protocol
analysis is actually useful because it
helps to monitor the security of
protocols which actually have got
inherent States in them so another point
which needs to be kept in mind is that
unlike anomaly based detection schemes
which use hosts or network specific
protocols stateful protocol analysis
relies on vendor
developed Universal profiles that
specify how a protocol should work so
therefore this is actually not dependent
on the host of the network specific
profiles but it is actually specified
previously by the vendor so therefore
whenever a protocol is being developed
the vendor actually is is essentially
specifying what is meant by a benign
profile for example okay so therefore
this is a very significant difference
from the previous that is that that is
the anomaly based detection systems that
is the proof both uses profiles but
there is a difference in the profile
which I animal based detection system
makes and the profile which our users
and the profile which a stateful
protocol harnesses use okay so so
therefore based on the there is also a
further I mean as we have seen that
based on the prevention techniques you
can classify the IDPs technologies
similarly also you can classify your
IDPs technologies depending upon where
it is actually used
so the IDPs technologies often used for
the network it is known as network based
IDPs technologies so they monitor the
network traffic for a particular network
so it basically as also you can have
your wireless based IDPs technologies
which monitor the wireless network
traffic and analyze the suspicious
activities and looks about the security
of wireless networks
and you also have your network based
analysis which actually examines the
network traffic to identify threats that
generate unusual traffic flows such as
the distributed denial of service
attacks or which is commonly called as
the DDoS attacks you also have the host
miss attacks which monitor the
characteristics of a single host and the
events which occurred within that host
for suspicious activity so depending
upon where the IDPs technology has been
used you have got various
classifications of the IDPs technology
now we come into the other part of our
discussion which is the firewalls now
what is a firewall so the firewall is
essentially a single point of Defense
between two networks and is an extremely
important field of study with the
tremendous growth of industry in the
recent days so the access to Internet is
a I mean although it is a great source
of information but of course it comes
with the accompanied problem of that you
have to ensure that there is really
security in I mean security is
maintained in the in the in the
enterprise so therefore all those in
access to Internet comes out with a boon
there is an in fact of opening up the
inside information to the external world
so therefore this is actually a huge
amount of concern for industry so
because they have got their rights and
other thing which if their business
business secrets which if it's leaked
and the entire business can get
compromised or hamper so therefore
understanding and designing our proper
proper firewalls is important and so
looking into this I mean a firewall is
essentially nothing but a router or
maybe a group of routers or computers
which enforce access control between two
networks so there are two networks who
do not trust each other and a farmer is
kind of a guard which sits between them
and tries to enforce the the mechanisms
like access controls between these
networks so typically the firewall
actually uses a pair of mechanisms it
uses a mechanism which is called as
allow which are actually permits the
traffic and the other is of course deny
which actually blocks the traffic now
there are some farmers which actually
emphasis on blocking so while some are
which are not so which are not like like
them so they essentially emphasis on
actually permitting the traffic's now
so therefore up a very common name which
is known as the Demilitarized Zone is
actually a separation between the
external perimeter of a network and the
internal perimeter of a network and the
firewalls are essentially it's kind of
guards which are actually sitting
between the between the internet and the
DMZ that is a demilitarized zone and the
DMZ and the internal network so so
therefore for example when you are
considering an information exchange from
the Internet to the internal network
then you are more bothered about the
integrity you are not actually bothered
about the confidentiality of the data
okay but when it is from the other way
around that is from the internal network
to the Internet you are actually
bothered not only about the integrity
but you're also bothered about the
confidentiality okay so these guards are
technically known as the firewalls
okay so known as the firewalls so
typically there are three kinds of
firewalls which are used so the three
types of firewalls are known as the
packet filters application layer filters
and dynamic filters so we will just have
a quick look into what are these type of
firewalls and what is the basic
principle of working of these all these
firewalls so as the packet filters are
actually the foremost and most primitive
technologies that analyzed Network
traffic's at the transport protocol
layer each IP network packet is examined
to see if it matches a set of rules now
these rules define the fate of the
packet that is either it will be allowed
or it will be blocked
denied now there are some packets which
filter I mean there are some packet
filters which deny a packet if it does
not match with either any allow rule or
any denied rule there are some which
actually allows packet does not match
with any denied rules as I told you that
your your firewalls can actually be more
inclined towards blocking or it can be
also in more inclined towards allowing
the packets okay so that depends upon
the strategy of the of the network and
they do not actually understand the
application layer protocols so they are
actually they analyze the network
traffic at the transport layer protocol
so therefore the packet layer sits on
the transport
and it tries to be the package field
test analyzes the networks at the
transport protocol layer and not at the
application layer protocols so they are
typically kept in the tcp/ip kernel and
I is applied to any incoming packet or
outgoing packet now typically the
factors which controls allow the delay
of the packets are as follows the
physical network interface or the
adapter that the packet arrives on the
address the data is coming from the
address the data is going to the type of
transport layer that is whether it is
TCP or whether it is UDP the transport
layer source port and the transport
layer destination port so these are the
typical factors which are actually
maintained in the allow or the deny
rules of the packet filter and they are
checked they are checked with the
incoming of the outgoing packets if they
match then they are allowed if they are
not then either they are denied there
they're denied they're blocked basically
so the advantages of packet filters are
of course they are fast because they do
minimal security check and they're very
less complicated they do not require the
client computers to be configured
specially and also they seal the
internal IP addresses from the external
world like you do not see exactly what
is the internal IP address of the
network when you are communicating with
the with the network property the
internal IP piece okay so the other but
it also there are some disadvantages
like they do not understand the
application layer protocols and hence
they cannot restrict access to the FTP
services such as the poot and the gate
commands they are stateless and hence
they are not suitable for the
application layer protocols the packet
filters have almost no audit event
generation and alerting mechanism so
they do not do proper amount of
documentation or do not maintain audits
about about the network events now I
will give a brief example like this
example is specifically written by for
this IPFW ADM which is an example of a
cheap packet filtering tool which is the
kernel based tool on linux the principle
and even much of the syntax can be
applied for other kernel interfaces for
packet filtering for any open source
unique system so here is an example I
will not go much but if you do a man of
this IPFW ID
then you will see that there are these
are some of the basic switches which you
have like the packet accounting input
firewall output firewall and the
forwarding firewalls there are a lot of
other switches also like you can also
mention like masquerading capabilities
okay so for other information on the
switches you can actually see the
corresponding main page here is an
example like you can imagine that an
organization uses a private network and
this is the kind of IP which is provided
and the internet service provided as a
sign that the address as mentioned here
as the gateway and this is the mail
server so that was this is the policy
the policy is like to allow all the
outgoing TCP connections the policy
could be to allow incoming smtp and dns
to external mail servers and it could be
to block all other traffic's okay so
therefore depending upon the policies
different kind of rules are set like for
example these are the some of the
commands which have been provided here
so these block of commands are generally
placed in a system boot file so
therefore it could be like an RC dot
local on a UNIX system and neither kind
of executed so you can see like there
are various features like forwarding
denying which particular IP is being
denied ok you can also have add your
masquerading capabilities and these are
so therefore these are the basic rules
which are set by using this IPFW ADM
command now whenever a packet incoming
packet and outgoing packet comes in then
these will be changed checked against
these tools and depending upon these
routes either they will be allowed or
they will be denied so this is an
example of a cheap packet filtering tool
but often useful in the lock space
systems so as opposed to this you have
got the other firewall so he is known as
a circuit level firewalls and the
circuit level firewalls are similar in
operation to the packet filters but they
operate of the transport and the session
layers so the biggest difference between
a packet filtering firewall and a
circuit level firewall is that a circuit
level firewalls actually validates the
TCP and UDP sessions before opening a
connection or circuit through the
firewall but once this connection is
established and the firewall maintains a
table of valid connections and let's
read a pass through when the session
information matches an entry in the
table so therefore it actually does our
checking before opening up the
connection but once the connection is
opened up it does not do
checking of the incoming packets so
therefore you can immediately understand
that a circuit level firewalls can
actually be sometimes faster than a
packet level they are the previous kind
of firewalls okay so therefore it can be
faster than the packet filters okay now
the stable entry is removed and a
circuit is closed to when the session is
terminated to validate a session these
kind of firewalls does examine each
connection setup to ensure that it
follows a legitimate handshake for the
transport layer protocol TCP is a widely
used protocol and it actually uses the
handshake and the firewall maintains a
virtual circuit table which stores the
connections DT connection details namely
the session state and the sequencing
information of the successful connection
so you see that it can be actually
maintain some amount of state
information and also some amount of
sequencing information now when a
connection is set up the circuit level
firewalls the following it will store
like the unique session identifier for
the connection okay and it will also
store the state of the connection namely
handshake established or closing it will
store the sequencing information stored
the source IP address from which the
data has arrived it will store the
destination IP address where the data is
to be delivered that is where it is
going to the physical network interface
through which the data arrives the
physical network network interface
through which the packet goes out so you
see that most of the storages are
exactly the same as that of the packet
filter the thing which is different is
this sequencing information and the
state information okay so therefore this
is a significant difference of what is
stored compared to the previous packet
filters okay now the circuit level
firewalls can detect TCP so therefore
the circuit level firewalls check the
header information content in the
network packets to see whether it has
the necessary permission to be
transmitted these firewalls have limited
understanding of the protocols used in
the networks they won't only detect one
transport layer protocol which is the
TCP and therefore and like the packet
filters the rules are skipped in the TCP
kernel okay so they are kept in the TCP
kernel just like the packet filters
not talking about security these farmers
perform an email security check compared
to the application layer firewalls as we
will see that is only those network
connections that are associated with the
existing ones are allowed but once the
connection is allowed all packets
associated with the connection are
allowed without further security checks
so once it is allowed then there is no
like once a connection has been allowed
and it is included in the work virtual
circuit table then the packets are not
screened or not analyzed so it does more
probably security check compared to the
packet filters ok but it actually does
less compared to the application layer
firewalls which we will discuss next the
method is hence fast and performs a
limited amount of state taking however
they perform limited checks to detect
whether the packet data has been
modified or spoofed so there is an
amount of authentication involved in
this kind of firewalls they check the
data content in the transport protocol
header complies with the definition of
the corresponding protocol so like
packet filters these firewalls also
perform network address translation to
hide the internal addresses from the
external one so this feature is like
similar to the packet filters with the
internal there is an performed there is
a network address translation which
actually hides the internal addresses
from the external world now the
advantages are of course as you
understand that they are faster they are
faster than the application layer
firewalls they are more secure than the
packet filter firewalls they maintain
limited state information they maintain
some amount of sequencing information
they protect against spoofing of the
packets they also shield internal IP
addresses from the external networks by
performing the network address
translation so these are some of the
advantages the disadvantages are that it
cannot restrict access to protocol
subsets other than the DCP ok so it is
only specified to DCB they have got
limited audit event generation
capabilities so this is kind of limited
and they cannot perform security checks
or higher-level protocols so if you have
got any higher level protocols then
these are not meant for them so as
opposed to this we have got the the
application layer firewalls now the
application layer firewalls is a third
generation firewall technology that even
it's the network packets for valid data
at the application layer before allowing
a connection so an application layer
firewalls a third generation firewall
which will actually perform the rather
or will evaluate whether a particular
data is valid or rather is allowed or
not and it actually examines later in
all network packets at the application
layer and maintains a complete list of
list of connection States and sequencing
information so here the documentation or
the auditing is much more complete as
opposed to the previous firewalls
it actually maintains a complete list of
the states of the connections and the
corresponding sequence informations now
further other security items that appear
only in the application they are
protocols like user passwords and
service requests are also validated so
here we see that these kind of firewalls
are actually meant for the higher level
protocols they have got more state
information and they maintain a better
sequencing information of of of I mean
of the other corresponding protocols now
the application layer firewalls use
special-purpose programs which are
actually called proxy services to
maintain data transfer through a
firewall for a specific service such as
FTP or HTTP HTTP now proxy services are
there for special purpose programs which
are used inherently in these kind of
firewalls
now proxy services are dedicated to a
particular protocol and provide
increased security checks access
controls and generate appropriate audit
records now these proxy services of
course you and as you understand that if
they perform so much amount of auditing
and it performs so much amount of
security check it comes with the
accompanying disadvantage of making the
system must slow ok so therefore these
kind of firewalls are is the application
layer firewalls are in any slow in
nature
ok extremely slow so proxy services
actually do not allow the direct
connection between the real service and
the user so they will they sit they sit
between the user and the real server and
a handles and inspects each and every
communication between them but of course
it mayn't ensures that it is a
transparent it's it's transparently that
is the user and the real
but doesn't understand that a proxy
server a program is actually monitoring
them now my practice always has got
typically two components and it is often
implemented as a single executable one
is the server and the client the proxy
server and the proxy client now the
proxy server and the proxy so when it
has got the functions like this like it
when a real client wants to communicate
to an external service in the network
like FTP or telnet the request is
directed to the proxy server because the
users default gateway is set to the
proxy server so therefore when a real
client wants to communicate or others
you can think like it wants you can
imagine like the Kerberos network that
it there is a user which wants to access
an external service in the Internet then
the the the request is first directed to
the proxy server so the proxy server
actually is sitting here because the
users default gateway said to the proxy
server okay so the proxy server gets the
information and then evaluates the
request and decides to deny or Ally
depending upon its rules ok and which
are actually maintained by the network
and the proxy servers are aware of the
protocols and therefore allow only
complying packets between the protocol
definitions ok now they also perform
auditing user authentication and caching
services which were not performed by the
previous firewalls so after that on the
other hand once a packet from the real
client is allowed by the proxy server
the packet is forwarded to the proxy
client so the proxy client receives it
after this who conducts the actual
service server I mean actual service
providing server ok that is the external
that is the server which is sitting in
the external network and the proxy
client subsequently relays back the
information sent by the actual server to
the proxy server who decides whether to
send the information to the actual
client so the proxy service is thus you
see this it is transparent to the user
who believes that it is actually
communicating directly with the service
in the internet but actually it is
communicating why are the proxy server
and the proxy client which together
actually makes the proxy service
so therefore proxy services as you
understand are slow because it makes the
entire network slow so high
the proxy services are implemented on
the top of the firewalls hosts network
stack and operate only in the
application layer of the operating
system hence each packet must pass
through the low-level protocols in the
kernel before being passed to the top of
the stack to the application layer for
its auto analysis by the proxy services
so the idea is that the proxy service or
proxy services are implemented using the
network stacks okay so therefore the
idea is that whenever a packet comes it
has to move through the network stack
and come to the server or the service
and be analyzed and again when it is
communicated back it is again to plop it
is again to pass through the stack and
go back so therefore the idea is that
the entire process becomes extremely
slow and therefore I mean you know I
mean I mean if you want for example
speed in your network then you have to
actually use it carefully like you have
to use it
so I mean if you want kind of kind of s
I mean your time is also a constant like
if you if you want like it has to be
kind of a just become performed online
or it has to be performed in real time
then you actually have to use these kind
of firewalls in a more sensible manner
okay so so that is one challenging part
of these kind of firewalls so the
advantages are that they enforce and
understand high level protocols like
HTTP and FTP they maintain information
about the communications passing through
the firewalls or servers ok so it has
got lot of state informations they can
be used to deny access to certain
network services while allowing others
so they are also capable of processing
and manipulating the packet data they do
not allow direct communication between
the external servers and internal
systems therefore it seems the internal
IP addresses from the outside network
they are transferring between the user
and the external network they provide
features like HTTP object caching URL
filtering and user authentication they
are good at generating auditing records
which actually can allow or help the
administrators to monitor threats to the
firewalls now it has got some
disadvantages as well as we know one of
them is the speed they required
oppressing the native network stack on
the firewall service
so they need these kind of modifications
they do not allow network servers to run
on the firewall servers as a proxy
servers use the same port to listen okay
so they are slow and thus lead to
degradation in performance they are not
scalable as each new network services
adds on to the number of proxy services
which are required proxy services
require modifications to client
procedures they rely on operating system
support and thus are vulnerable to bugs
in the system so therefore if there are
bugs in the systems like as we have seen
in the previous cases about there could
be bugs in the standard c library then
it causes security concerns in a
security provided by the application
layer firewalls so therefore they are -
I mean they actually rely on the
operating system so if there are bugs in
the operating system then these kind of
firewalls can be vulnerable to threats
now we have got a fourth generation
firewall which is actually called known
as the dynamic packet filters so these
dynamic packet filters are actually the
fourth generation firewalls will allow
modifications of the security tools on
the fly so therefore it's a kind as the
name suggests it is dynamic so therefore
the the security rules are not static
and they are kind of modified on the fly
okay now these technologies most
suitable for providing limited support
for the UDP transport protocol so as we
have seen that it actually extends to
the UDP transport protocols like which
was not supported by the application
layer firewalls and so this firewall
associates all the UDP packets that
cross from the internal network to the
external networks or vice versa with a
virtual connection if a response packet
is generated and sent back to the
original requester then a virtual
connection is established and the packet
is allowed to pass the firewall server
so therefore we see that one of the
advantages of this is that this supports
the UDP packets and it maintains a
dynamic set of rules which are actually
which allows or denies an incoming or
outgoing
but it this is as opposed to the so
therefore this is as opposed to the
previous things as we have seen here
like when we consider the Sarki level
protocols then they only were used to
eject one the the transport layer
protocols which is the TCP so therefore
they were not applicable for the UDP but
on the other hand this is actually
helping us to extend the security checks
to the UDP networks ever you do
protocols as well so now the information
corresponding to a virtual connection is
remembered for a small unit of time so
therefore if there is no response during
this time then the time frame within the
time frame then the virtual connection
is invalidated so therefore in this kind
of dynamic packet or this kind of
filters in dynamic packet filters there
is a response if the response packet is
generated and sent back to the original
requester then a virtual connection is
established and the packets are allowed
to pass the firewall server but if the
response is not received within a
particular time quanta then this virtual
connection in stopped and the packets
are not allowed to pass so if no
response is received within this time
frame then the virtual connection is
actually invalidated now the response
packet that is allowed back must contain
a destination address that matches the
original source address our transport
layer destination port that so therefore
there is a it has it has to have a
destination address that matches the
original source address and a transport
their destination port that matches the
original source port and the same
transport layer protocol type that is
the exact transport layer protocol type
which is which is being used now this
feature is useful for allowing
applications layer protocols like the
DNS or the domain name the domain name
systems so the summary of what we have
seen here is that application layer
firewalls so if I if we do I mean we
would be interested to understand about
about a comparison among the existing
firewall technologies so therefore the
application layer firewalls are the most
secure secured among the existing
firewall technologies
and they are more secure than the
dynamic firewalls which are again more
secure than the circuit level firewalls
which are in turn more secure than the
packet level filters so therefore the
you can say that the most secured among
all the firewalls is the application
layer firewalls and the least secured is
the packet level firewalls okay however
performance wise the application layer
firewalls or the filters or firewalls
are actually slowest they are the
slowest because as we see all that
because of the proxy services the proxy
services are inherently slow they
essentially inspect each and every
packet which is being communicated by
the user with the external service and
therefore they are essentially slow in
nature and also they are to perform or
they're to essentially each and every
packet has to pass through the entire
network stack so that actually makes the
entire process extremely slow and there
are also a large number of auditing
involved therefore application layer
firewalls actually performs lot of
auditing so therefore everything
actually comes around with an a
comparing timing world okay so therefore
it is really slow in nature on the other
hand the packet level filters are
actually quite fast because they do some
minimal checks a point to be noted is
actually the circuit level firewalls are
often faster than a packet level filter
so this is kind of a point which is to
be stressed so as we have seen that
although the packet the the circuit
level firewalls has got more security
than the packet level firewalls but they
are actually more sometimes more faster
than the packet level filters so so
there because they often do not perform
extensive security checks other than
whether a network packet is associated
with a valid connection so as we have
seen that once a packet a network packet
is associated with a valid connection
they do not perform extensive security
checks so therefore then the packets are
subsequently passed without checking so
packet filters have got on the other
hand a large set of allow and denied
rules so therefore if there is a huge I
mean large in a large network then
actually there will be a huge number of
allow and denied denied rules which can
actually make your packet filters slower
than the circuit level firewalls now the
other important or the other
accompanying question which can come up
is like is an IDs a substitute for
firewall or an firewall me a substitute
substitute for an ideas okay so the
message is that I mean they are not
actually competing technologies okay so
therefore it is a kind of accompanying
or complementing technology so an ideas
may only detect and one about security
violation so the idea of an IDs is kind
of to do the visualization it will
observe the network and see that whether
there are any existing security
violations on the other hand a firewall
will not read actually not nasal
necessarily notify about a security
violation
so therefore the I as we have said that
I DIDS although it prevents the main job
of an IDs is actually to monitor the
network and to see where whether there
are any security violations and actually
document and odd perform auditing that
is it actually helps the system
administrator to understand the security
threats the Java firewall is on the
other hand not to notify the security
violation that is not the prime
directive of a firewall it is it may be
is to simply block the attack or take
some actions or take some or block the
attack or block the action which
actually violates the security policy of
the firewall so it could like without
even notifying the network administrator
it can simply block the particular
attack and can prevent threats to the
network so in practice it is actually
good to combine both our ideas and a
firewall and ideas so we can say that an
IDs once while the firewall blocks okay
so therefore the object being objective
of an ideas is to one well the main
objective of a firewall is actually to
block no but but but actually then new
generation it is generally combined like
we cannot we do not generally draw a
line between IDs and a firewall so it is
a kind of a combined technology nowadays
and for example we can find in the not
own internal internet security where an
IDs and a firewall is being combined
okay so here is a swab in an exercise
which you can try is that the UNIX
utility as we have said this IPFW ADM
can be used for controlling all incoming
outgoing and forwarding our packets okay
so we can do this we can install this
packet from this particular URL which is
provided
and use the we can use the utility to
create a firewall with the following
capabilities like we can try to deny all
the incoming outgoing and forwarding of
packets we can flush the rules and start
from the beginning okay so log and track
any packets which are coming through the
external parameter it could be the
Gateway and pretending to be arriving
from an internal IP that is a case of
spoofing okay so therefore this can be
tackled we can also configure such that
configure using these IPFW ADM tool such
that any packets which have actually
been originated from internal network
but masquerading as coming from the IP
of the external parameter should be
denied okay so these are some of the
important steps which can be taken by
this kind of packet filters all other
outgoing packets should be allowed that
is those packets which have originated
from the IP of the external perimeter
and are being sent through that should
be allowed okay now we can also
configure such that masquerading is
prevented from a particular IP in your
network so these are some of the some
some some policies which can be enforced
in our network and we can actually try
to see that whether we can use the IPFW
ADM tool and we can enforce these
policies okay
so note that you should be install and
run this IPFW ADM tool binary as a root
okay to your system so therefore this
can be a simple exercise which we can
practice to understand the basics of
packet filtering now some of the
references that we have followed for our
text are these books so this this book
like this guide to intrusion detection
and privacy is apparent prevention
systems IDPs so this is this is an inn
and also you can refer to evaluation of
firewall industry the corresponding URL
is given it says his code documentation
the other reference is internet
firewalls and some frequently asked
questions and it is a very interesting
read so therefore all of you are
encouraged to read this it is a very
nice read and next we shall take up the
topic of cycle analysis of cryptographic
implementations so this will be the
concluding topic so we have till now
talked about some of the
important parts of network security and
we shall actually conclude our our
discussions and class with an important
topic which is called a site analysis
without which the discussion of
cryptography and security will not be
complete
you