Firewall Notes 2025

Network security encompasses activities aimed at protecting the usability and integrity of networks and data, utilizing both hardware and software technologies like firewalls and intrusion detection systems. It addresses various threats such as packet sniffing and denial of service, managing access and ensuring only authorized traffic is allowed. Different types of firewalls, including application layer and circuit-level gateways, offer varying levels of security and control over network traffic.

Uploaded by yaswanthe812

Network Security

Network security is any activity designed to protect the usability and integrity of your network and data.

 It includes both hardware and software technologies:
   Firewall: Cisco, Fortinet
   IDS: Cisco Firepower
   Unified Threat Management appliances: a combined multi-feature firewall (antivirus, content filtering, etc.), e.g. Fortinet UTM, Sophos UTM
 It targets a variety of threats:
   Packet sniffing
   Denial of service
   DNS spoofing
 It stops them from entering or spreading on your network.
 Effective network security manages access to the network.

Firewall

 A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is assumed not to be secure and trusted.
 An effective means of protecting a local system or network of systems from network-based security threats while affording access to the outside world via WANs or the Internet.

Design goals:
1. All traffic from inside to outside must pass through the firewall (physically blocking all access to the local network except via the firewall).
2. Only authorized traffic (defined by the local security policy) will be allowed to pass.
3. The firewall itself is immune to penetration (use of a trusted system with a secure operating system).

Firewall Characteristics

Four general techniques:

• Service control
– Determines the types of Internet services that can be accessed, inbound or outbound.
– Can filter traffic based on its Internet Protocol (IP) address or the port it uses.

• Direction control
– Determines the direction in which particular service requests are allowed to flow.
– For instance, if you suspect that an application in a certain area of your network has been compromised, you can prevent computers and devices within that segment from sending requests out to the Internet.

• User control
– Controls access to a service according to which user is attempting to access it.
– With user control, you can decide which users are allowed to access a server. This can include people inside your network's perimeter and those outside.

• Behavior control
– Controls how particular services are used. For example, the firewall may filter e-mail to eliminate spam, or it may enable external access to only a portion of the information on a local Web server.

Packet-filtering Router

– Applies a set of rules to each incoming IP packet and then forwards or discards the packet.
– Filters packets going in both directions.
– The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header.
– Two default policies (discard or forward).

• Advantages:
– Simplicity
– Transparency to users
– High speed

• Disadvantages:
– Trust is based on IP addresses.
– They are unable to protect against malicious data packets arriving from trusted source IPs because they lack the necessary packet inspection capability.
– Lack of authentication.

Example packet-filtering rules:

1. Permit trusted File Transfer Protocol traffic to a specific IP address.
2. Restrict traffic to known malicious IP addresses.
3. Authorize a specific internal IP address to access a designated file-sharing IP address.
4. Prohibit traffic to file-sharing IP addresses for all other internal IP addresses.
5. Allow web traffic on commonly used ports 80 and 443.
6. Block all other traffic types.
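The six rules above, encoded as a first-match packet filter in Python. This is an added example and not part of the original notes; the addresses (RFC 5737 documentation ranges and 10.0.0.0/8 as the internal network) and FTP control on TCP port 21 are assumptions.

```python
# Added example: a first-match packet filter encoding the six sample rules
# above. All addresses are constructed placeholders (documentation ranges and
# 10.0.0.0/8 as the internal network); FTP control on TCP/21 is an assumption.
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"

def net(cidr):
    return ipaddress.ip_network(cidr)

ANY = net("0.0.0.0/0")
TRUSTED_FTP_CLIENT = net("198.51.100.7/32")   # rule 1: trusted FTP source
FTP_SERVER = net("192.0.2.10/32")             # rule 1: the specific IP it may reach
MALICIOUS = net("203.0.113.0/24")             # rule 2: known malicious destinations
AUTHORIZED_INTERNAL = net("10.0.0.5/32")      # rule 3: the one permitted internal host
FILE_SHARE = net("192.0.2.20/32")             # rules 3-4: designated file-sharing IP
INTERNAL = net("10.0.0.0/8")                  # rule 4: all other internal hosts

# Rule tuple: (action, src_net, dst_net, proto_or_None, dport_or_None).
# Order matters: rule 3 must precede rule 4 or the authorized host is blocked.
RULES = [
    ("permit", TRUSTED_FTP_CLIENT, FTP_SERVER, "tcp", 21),   # 1
    ("deny",   ANY, MALICIOUS, None, None),                  # 2
    ("permit", AUTHORIZED_INTERNAL, FILE_SHARE, None, None), # 3
    ("deny",   INTERNAL, FILE_SHARE, None, None),            # 4
    ("permit", ANY, ANY, "tcp", 80),                         # 5
    ("permit", ANY, ANY, "tcp", 443),                        # 5
]
DEFAULT_POLICY = "deny"                                      # 6

def evaluate(pkt, rules=RULES):
    """Return (action, matched_rule_number); the number is None for the default."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for n, (action, snet, dnet, proto, dport) in enumerate(rules, 1):
        if src not in snet or dst not in dnet:
            continue
        if proto is not None and pkt.proto != proto:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        return action, n
    return DEFAULT_POLICY, None

if __name__ == "__main__":
    print(evaluate(Packet("10.0.0.6", "192.0.2.20", 445, "tcp")))  # ('deny', 4)
```

Swapping rules 3 and 4 in RULES makes the authorized host's file-share traffic hit the deny rule first, which is the ordering mistake a first-match filter silently accepts.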

Proxy Server

• Intermediate agent or server acting on behalf of an endpoint without allowing a direct connection between the two endpoints.
– So each endpoint talks to the proxy, thinking it is talking to the other endpoint.
– The proxy decides whether to forward messages, and whether to alter them.
• Access control done with proxies
– Usually bases access control on content as well as source and destination addresses, etc.
• Also called an application-level firewall.
• Example: virus checking in electronic mail
– Incoming mail goes to the proxy firewall.
– The proxy firewall receives the mail and scans it.
– If no virus is found, the mail is forwarded to its destination.
– If a virus is found, the mail is rejected or disinfected before forwarding.

Application-level Gateway

• Acts as a relay of application-level traffic.
• The user contacts the gateway using a TCP/IP application, such as FTP, and the gateway asks the user for the name of a remote host to be accessed.
• When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two points.
• Advantages:
– Higher security than packet filters
– Only need to scrutinize a few allowable applications
– Easy to log and audit all incoming traffic
• Disadvantages:
– Additional processing overhead on each connection (gateway as splice point)

Application Layer Firewall

An Application Layer Firewall is a type of firewall that operates at the application layer of the OSI model (Layer 7). Unlike traditional firewalls that focus on IP addresses, ports, and protocols, application layer firewalls inspect the actual content of the traffic, making decisions based on what the traffic is trying to do, not just where it's going.

Key Features:

 Deep Packet Inspection (DPI): examines the full contents of the packets, including the payload, allowing it to detect malicious activity hidden within seemingly legitimate traffic.
 Protocol Awareness: understands and filters traffic based on specific applications or protocols (e.g., HTTP, FTP, DNS, SMTP).
 Granular Control: can enforce detailed rules (e.g., only allow file downloads from certain domains, or block specific email attachments).
 User Authentication: can require users to authenticate before accessing certain applications or services.
 Protection Against Application-Layer Attacks: helps detect and block threats like SQL injection, cross-site scripting (XSS), and other web-based attacks.

Examples:

 Web Application Firewalls (WAFs) like AWS WAF, Cloudflare WAF, or ModSecurity.
 Proxy firewalls (e.g., Squid Proxy with filtering).
 Next-Generation Firewalls (NGFWs) often include application layer features.

Pros:

 More precise security filtering.
 Protects against sophisticated, application-specific attacks.
 Can provide logging and auditing at the application level.

Cons:

 Can introduce latency due to deep inspection.
 Higher resource usage.
 More complex to configure and manage.

CIRCUIT-LEVEL GATEWAY

– Stand-alone system, or
– Specialized function performed by an Application-level Gateway
– Sets up two TCP connections
– The gateway typically relays TCP segments from one connection to the other without examining the contents
– The security function consists of determining which connections will be allowed
– Typical use is a situation in which the system administrator trusts the internal users
– An example is the SOCKS package


A Circuit-Level Firewall is a type of firewall that works at the session layer (Layer 5) of the OSI model. It monitors TCP handshakes and other session-level communications between trusted internal hosts and untrusted external hosts to determine whether a connection is legitimate.

Key Characteristics:

 Monitors TCP/UDP sessions rather than individual packets.
 Tracks connection states, ensuring that only valid sessions are allowed.
 Does not inspect the actual data content (payload) of packets, only session-level information such as the handshake and connection status.
 Often used as part of proxy servers.

How It Works:

1. When a connection is initiated, the firewall checks the legitimacy of the TCP handshake.
2. If valid, it establishes a virtual circuit between the internal and external hosts.
3. After that, the data flows freely without inspection of the payload.

Pros:

 Efficient performance (less resource-intensive than deep packet inspection).
 Good at hiding internal network structure, improving security via NAT or proxies.
 Works well for trusted applications and known services.

Cons:

 No application-level inspection, so it can't detect malware or attacks hidden in the data.
 Limited control over content-based policies.
 Not ideal for environments needing high security at the application level.

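The three "How It Works" steps above as a small circuit-level gateway state machine. This is an added example, not code from the notes or from SOCKS: it validates the TCP handshake, records the virtual circuit, and relays later segments without looking at their payload. The internal address prefix and the segments are constructed assumptions.

```python
# Added example: circuit-level gateway state machine that judges only the TCP
# handshake and connection state, never the payload. Internal prefix and
# segments are constructed assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # subset of {"SYN", "ACK", "FIN", "RST"}
    payload: bytes = b""  # never inspected by this gateway

class CircuitGateway:
    def __init__(self, internal_prefix="10."):
        self.prefix = internal_prefix
        self.circuits = {}  # key -> "SYN_SENT" | "SYN_RECEIVED" | "ESTABLISHED"

    def process(self, seg):
        """Return 'relay' if the segment belongs to a permitted circuit, else 'drop'."""
        inside = seg.src.startswith(self.prefix)
        # Canonical key: (internal ip, internal port, external ip, external port)
        key = (seg.src, seg.sport, seg.dst, seg.dport) if inside else (seg.dst, seg.dport, seg.src, seg.sport)
        state = self.circuits.get(key)
        if seg.flags == {"SYN"}:
            # Only trusted internal users may open a circuit (the "typical use" above)
            if not inside or state is not None:
                return "drop"
            self.circuits[key] = "SYN_SENT"
            return "relay"
        if seg.flags == {"SYN", "ACK"}:
            if inside or state != "SYN_SENT":
                return "drop"  # unsolicited or misdirected SYN/ACK
            self.circuits[key] = "SYN_RECEIVED"
            return "relay"
        if seg.flags & {"FIN", "RST"}:
            if state is None:
                return "drop"
            self.circuits.pop(key)  # simplified: first FIN/RST tears the circuit down
            return "relay"
        if "ACK" in seg.flags:
            if state == "SYN_RECEIVED" and inside:
                self.circuits[key] = "ESTABLISHED"  # handshake complete
                return "relay"
            if state == "ESTABLISHED":
                return "relay"  # data flows freely; payload is not inspected
        return "drop"  # no valid circuit for this segment
```

Once a circuit is ESTABLISHED the payload is relayed unseen, which is exactly the "no application-level inspection" limitation listed under Cons.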
Single-homed bastion host

• Has greater security than simply a packet-filtering router or an application-level gateway alone.
• Implements both packet-level and application-level filtering, allowing for considerable flexibility in defining security policy.
• An intruder must generally penetrate two separate systems before the security of the internal network is compromised.
• If the packet-filtering router is completely compromised, traffic could flow directly through the router between the Internet and other hosts on the private network.
• A single-homed bastion host has only one network interface and is normally used for application-level gateway firewalls.
• The external router is configured to send all incoming data to the bastion host, and all internal clients are configured to send all outgoing data to the host.

Dual-homed bastion host

• Serves as an application gateway, packet filter, and circuit gateway, creating a complete break between the external network and the internal network.

TCP/IP Security Issues

Security issues that affect TCP/IP include IP spoofing, fragmentation, sequence number prediction, and hijacking.

 IP spoofing involves an attacker sending packets with a forged source IP address, potentially to bypass authentication or launch denial-of-service attacks.
 IP fragmentation is when large packets are split into smaller fragments to fit the MTU of the network, which can create opportunities for attackers to manipulate or reassemble the fragments maliciously.
 TCP sequence number prediction is when an attacker guesses the sequence number of a TCP connection, allowing them to inject or modify data or terminate the connection.
 TCP hijacking is when an attacker takes over an existing TCP connection by sending forged packets with the correct sequence number and acknowledgment number, allowing them to redirect or steal data or execute commands on the target system.

IP Spoofing

 The creation of IP packets with a forged source address.
 Its purpose is to conceal the identity of the sender or to impersonate another computing system.
 A technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host.
 Basis for IP spoofing: the concept of IP spoofing was discovered as a security weakness in the IP protocol, which carries the source IP address, and the TCP protocol, which contains port and sequencing information.
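The usual border defence against the spoof described above is to check that a packet's source address is consistent with the interface it arrived on. The following is an added example (not from the notes), with the internal ranges and the never-valid source ranges as constructed assumptions.

```python
# Added example: border anti-spoofing check. A packet whose source address
# belongs to the inside network but arrives from the Internet is dropped, and
# so is one leaving from inside with a non-internal source. Ranges are assumed.
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Assumed examples of addresses that are never legitimate sources on a border link
NEVER_SOURCE = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("0.0.0.0/8")]

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def border_check(iface, src):
    """iface is 'external' (packet came from the Internet) or 'internal'
    (packet came from inside). Returns (verdict, reason)."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in NEVER_SOURCE):
        return "drop", "source address can never appear on the wire"
    if iface == "external" and is_internal(addr):
        # A packet claiming to come from a trusted inside host but arriving
        # from the Internet is the classic spoof described above.
        return "drop", "internal source address arriving from outside"
    if iface == "internal" and not is_internal(addr):
        # Egress filtering: stop our own hosts from sending spoofed packets out.
        return "drop", "non-internal source address leaving from inside"
    return "accept", "source address consistent with interface"
```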
