Ch8 - Firewall & IDS & IPS

NETWORK SECURITY

Chapter 8: Firewalls
07/01/2025

FIREWALLS
❑ A firewall is a device (usually a router or a computer) installed between the internal
network of an organization and the rest of the Internet. It is designed to forward some
packets and filter (not forward) others.
❑ A firewall may filter all incoming packets destined for a specific host or a specific
server, such as an HTTP server. A firewall can be used to deny access to a specific host
or a specific service in the organization. A firewall is usually classified as a
packet-filter firewall or a proxy-based firewall.
HOST-BASED VS NETWORK-BASED FIREWALLS (figure only)
PACKET-FILTER FIREWALL
❑ A firewall can be used as a packet filter. It can forward or block packets based on the
information in the network-layer and transport-layer headers: source and destination
IP addresses, source and destination port numbers, and type of protocol (TCP or
UDP).
❑ A packet-filter firewall is a router that uses a filtering table to decide which packets
must be discarded (not forwarded).

PACKET-FILTER FIREWALL (figure: filtering table)
❑ According to the figure, the following packets are filtered:
1) Incoming packets from network 131.34.0.0 are blocked (security precaution).
Note that the * (asterisk) means “any.”
2) Incoming packets destined for any internal TELNET server (port 23) are blocked.
3) Incoming packets destined for internal host 194.78.20.8 are blocked. The
organization wants this host for internal use only.
4) Outgoing packets destined for an HTTP server (port 80) are blocked. The
organization does not want employees to browse the Internet.
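The four rows above, written out as a filtering table and applied top-down to sample packets. This is an added example, not code from the slides; it assumes that 131.34.0.0 is a /16 network (the slide gives no mask) and that a packet matching no row is forwarded, since the slide lists only the packets that are blocked.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from the Internet) or "out" (leaving the organization)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Filtering table, one row per rule on the slide:
# (direction, source net, source port, destination net, destination port, action).
# "*" means "any". Assumption: 131.34.0.0 is a /16 network.
RULES = [
    ("in",  "131.34.0.0/16", "*", "*",              "*", "deny"),   # rule 1
    ("in",  "*",             "*", "*",              23,  "deny"),   # rule 2: TELNET
    ("in",  "*",             "*", "194.78.20.8/32", "*", "deny"),   # rule 3: internal host
    ("out", "*",             "*", "*",              80,  "deny"),   # rule 4: HTTP
]

def _ip_matches(pattern: str, ip: str) -> bool:
    return pattern == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)

def _port_matches(pattern, port: int) -> bool:
    return pattern == "*" or pattern == port

def decide(pkt: Packet, rules=RULES) -> str:
    """Apply the table top-down; the first matching row decides.
    Assumption: a packet that matches no row is forwarded."""
    for direction, src_net, src_port, dst_net, dst_port, action in rules:
        if (direction == pkt.direction
                and _ip_matches(src_net, pkt.src_ip) and _port_matches(src_port, pkt.src_port)
                and _ip_matches(dst_net, pkt.dst_ip) and _port_matches(dst_port, pkt.dst_port)):
            return action
    return "forward"

if __name__ == "__main__":
    # Constructed sample packets: one per rule, plus one that no rule matches.
    for p in [Packet("in", "131.34.7.9", 40000, "194.78.1.2", 80),
              Packet("in", "203.0.113.5", 40001, "194.78.1.3", 23),
              Packet("in", "203.0.113.5", 40002, "194.78.20.8", 443),
              Packet("out", "194.78.1.2", 40003, "198.51.100.7", 80),
              Packet("out", "194.78.1.2", 40004, "198.51.100.7", 443)]:
        print(p.direction, p.src_ip, "->", p.dst_ip, p.dst_port, decide(p))
```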

STATEFUL VS STATELESS PACKET FIREWALL

Stateful packet firewall:
• Tracks the state of active connections and allows only packets that match an active
session or a valid new connection request.
• Operates at both the network layer (OSI Layer 3) and the transport layer (OSI Layer 4).
• Connection tracking: maintains a state table to monitor active connections.
• More secure: can identify packets that are part of a valid session and block
unsolicited or malicious packets.

Stateless packet firewall:
• Filters packets based on predefined rules that examine headers like source/destination
IP, port number, and protocol.
• Operates at the network layer (OSI Layer 3) and does not keep track of the state of
connections.
• No connection tracking: each packet is treated independently.
• Simple and faster: because it doesn't maintain state information, it requires less
memory and processing power.
• Less secure: it cannot determine if a packet is part of a legitimate connection, making
it susceptible to spoofing and other attacks.
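The difference in practice: a stateless rule that admits inbound TCP segments carrying ACK (the usual header-only approximation of "reply to an existing connection") forwards a forged, unsolicited ACK, while a state table forwards only segments that belong to a connection an internal host actually opened. Added example, not from the slides; the internal prefix 10.0.0.x, the flag sets and the addresses are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset   # TCP flag names, e.g. frozenset({"SYN"})

# Assumption: internal hosts are 10.0.0.x and may open connections to the Internet.
def is_internal(ip: str) -> bool:
    return ip.startswith("10.0.0.")

def stateless_decide(seg: Segment) -> str:
    """Header-only rule: outbound from inside is allowed; inbound is allowed when the
    segment carries ACK, which is all a stateless filter can use to guess "reply"."""
    if is_internal(seg.src_ip) or "ACK" in seg.flags:
        return "forward"
    return "block"

@dataclass
class StatefulFilter:
    table: set = field(default_factory=set)   # 4-tuples of tracked connections (initiator first)

    def decide(self, seg: Segment) -> str:
        fwd = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        rev = (seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port)
        if fwd in self.table or rev in self.table:           # belongs to a tracked session
            if seg.flags & {"FIN", "RST"}:                   # teardown: forget the session
                self.table.discard(fwd)
                self.table.discard(rev)
            return "forward"
        if seg.flags == {"SYN"} and is_internal(seg.src_ip):  # valid new connection request
            self.table.add(fwd)
            return "forward"
        return "block"                                        # unsolicited: not in the table

if __name__ == "__main__":
    sf = StatefulFilter()
    syn = Segment("10.0.0.5", 50000, "198.51.100.7", 443, frozenset({"SYN"}))
    synack = Segment("198.51.100.7", 443, "10.0.0.5", 50000, frozenset({"SYN", "ACK"}))
    forged = Segment("203.0.113.9", 443, "10.0.0.5", 3389, frozenset({"ACK"}))
    for s in (syn, synack, forged):
        print(s.src_ip, "->", s.dst_ip, s.dst_port, "stateful:", sf.decide(s),
              "stateless:", stateless_decide(s))
```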

PROXY FIREWALL
❑ The packet-filter firewall is based on the information available in the network layer and
transport layer headers (IP and TCP/UDP).
❑ However, sometimes we need to filter a message based on the information available in the
message itself (at the application layer).
❑ As an example, assume that an organization wants to implement the following policies
regarding its web pages: only those Internet users who have previously established
business relations with the company can have access; access to other users must be
blocked. In this case, a packet-filter firewall is not feasible because it cannot distinguish
between different packets arriving at TCP port 80 (HTTP). Testing must be done at the
application level (using URLs).
PROXY FIREWALL
❑ One solution is to install a proxy firewall (computer) (sometimes called an
application gateway), which stands between the customer computer and the
corporation computer.
❑ When the user client process sends a message, the application gateway runs a
server process to receive the request.
❑ The server opens the packet at the application level and finds out if the request is
legitimate. If it is, the server acts as a client process and sends the message to the
real server in the corporation. If it is not, the message is dropped and an error
message is sent to the external user.
❑ In this way, the requests of the external users are filtered based on the contents at
the application layer.
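The gateway's server process from the steps above, as an added example that is not part of the slides: it opens the request at the application layer, decides from the URL and headers whether the external user is legitimate, and then either acts as a client toward the real server or returns an error. The partner store, the /partners/ URL prefix and the use of HTTP Basic credentials to identify users with an established business relation are all assumptions.

```python
from base64 import b64decode, b64encode
from hmac import compare_digest

# Constructed store of external users with an established business relation (assumption).
PARTNERS = {"acme": "s3cret"}
PARTNER_PREFIX = "/partners/"   # assumption: only these URLs are restricted

def parse_request(raw: bytes):
    """Open the message at the application layer: request line plus headers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ")   # ValueError if not a request line
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def is_legitimate(target: str, headers: dict) -> bool:
    if not target.startswith(PARTNER_PREFIX):
        return True                                  # public page: no relation required
    auth = headers.get("authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        user, _, password = b64decode(auth[6:], validate=True).decode().partition(":")
    except ValueError:                               # bad base64 or bad UTF-8
        return False
    expected = PARTNERS.get(user)
    return expected is not None and compare_digest(expected, password)

def gateway(raw: bytes, forward) -> bytes:
    """Server process of the application gateway. `forward` is the client process that
    relays the request to the real server and returns its response."""
    try:
        method, target, headers, body = parse_request(raw)
    except ValueError:
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    if not is_legitimate(target, headers):
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"   # error message to the external user
    return forward(raw)

def basic_auth(user: str, password: str) -> str:
    """Build the Authorization header value a partner client would send."""
    return "Basic " + b64encode(f"{user}:{password}".encode()).decode()
```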

PROXY FIREWALL (figure only)
NEXT-GENERATION FIREWALL
(NGFW)
A Next-Generation Firewall (NGFW) is an advanced security solution that goes
beyond traditional firewalls by incorporating modern features to provide
comprehensive network protection. NGFWs combine traditional firewall functions with
additional layers of security, enabling better detection and prevention of sophisticated
cyber threats.

KEY FEATURES OF NGFWS:
• Application Awareness and Control: NGFWs can identify and control applications
regardless of port, protocol, or IP address. This allows for fine-grained application
usage policies.
• Integrated Intrusion Prevention System (IPS): detects and blocks known and unknown
threats in real time by analyzing traffic for malicious activity.
• Deep Packet Inspection (DPI): inspects the data portion of network packets to identify
malware, encrypted threats, or unusual behavior.
• Advanced Threat Protection (ATP): provides tools like sandboxing, where files are
executed in a controlled environment to detect zero-day vulnerabilities.
• SSL/TLS Inspection: decrypts and inspects encrypted traffic for hidden threats while
maintaining user privacy.
• User Identity Integration: NGFWs can integrate with user directories (e.g., LDAP,
Active Directory) to enforce policies based on user identity.
• Unified Threat Management (UTM): combines multiple security functions, such as
antivirus, anti-spam, and content filtering, into a single device.
• Cloud Integration: offers seamless integration with cloud security platforms and
services for enhanced protection.
• Quality of Service (QoS): monitors and manages bandwidth usage, ensuring critical
applications receive priority.
• Behavioral Analytics and Threat Intelligence: uses AI and machine learning to detect
anomalies and receive updates on emerging threats.

INTRUSION DETECTION/PREVENTION
SYSTEM (IDS/IPS)
▪ Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) monitor
network traffic to detect and prevent malicious activities
▪ These systems are either implemented on a dedicated hardware or implemented
as applications on a general-purpose server
▪ IDS and IPS are placed at strategic points in the network to be able to monitor
traffic from all devices
IDS/IPS
▪ IDS and IPS leverage a database of attack signatures to detect malicious traffic
▪ Signature-based IDS/IPS are popular and effective, but cannot detect zero-day
attacks
▪ Machine learning can be leveraged to create a model of the normal behavior of the
network
▪ Thus, the normal model can be used as a baseline to detect any abnormalities in
the network

INTRUSION DETECTION SYSTEM (IDS)


▪ An IDS monitors the traffic of a network passively
▪ i.e., the IDS is not deployed inline in the topology
▪ Instead, a network device (e.g., switch, router) duplicates and forwards the traffic to
the IDS
▪ The IDS then analyzes the traffic offline and matches the traffic stream with known
malicious signatures
▪ Advantages of IDS:
✓ It does not negatively impact the performance of the network
✓ It does not affect the network if a problem or misconfiguration of the IDS occurs
▪ Disadvantages of IDS:
❖It cannot stop malicious single-packet attacks from reaching the target
❖It requires assistance from other networking devices to respond to the attack
INTRUSION DETECTION SYSTEM (IDS) (figure only)

INTRUSION PREVENTION SYSTEM (IPS)


• An IPS device monitors the network traffic actively
➢ i.e., the IPS is deployed inline in the topology

• The IPS analyzes traffic online, thus, all inbound and outbound traffic must flow
through the IPS for processing
• Advantages of IPS:
➢ It can stop single packet attacks

• Disadvantages of IPS:
➢ It can negatively affect the performance of the network
➢ It can disrupt the network if a problem or misconfiguration of the IPS occurs
INTRUSION PREVENTION SYSTEM (IPS) (figure only)

IDENTIFYING MALICIOUS TRAFFIC ON THE NETWORK


• Signature-based IPS/IDS
➢ Set of rules looking for some specific pattern in a packet or stream of packets
➢ Most significant method used on today’s IPS/IDS

• Policy-based IPS/IDS
➢ Traffic is matched based on the security policy implemented in the network

• Anomaly-based IPS/IDS
➢ A baseline of normal and malicious behavior is modeled and compared to the
traffic flowing in the network
• Reputation-based IPS/IDS
➢ A collection of inputs from various sources is gathered, including the reputation
of a certain IP address, domain, URL, etc.
INTRUSION DETECTION SYSTEM EVASION TECHNIQUES

❑ Fragmentation: A packet is divided into smaller packets called fragments; the process
is known as fragmentation. This can make it impossible to identify an intrusion,
because no single fragment contains the complete malware signature.
❑ Packet Encoding: Encoding packets using methods like Base64 or hexadecimal
can hide malicious content from a signature-based IDS.
❑ Traffic Obfuscation: By making a message more complicated to interpret,
obfuscation can be used to hide an attack and avoid detection.
❑ Encryption: Encryption provides several security features, such as data integrity,
confidentiality, and data privacy. Unfortunately, the same features are used by
malware developers to hide attacks and avoid detection.
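Signature-based detection (the "set of rules looking for a specific pattern in a packet or stream of packets" above) and the fragmentation evasion just described, shown together: the same signature set is run once per fragment and once over the reassembled stream, so the only difference is whether the IDS reassembles before matching. Added example, not code from the slides; the signature set, the sample request and the (offset, payload) fragment format are constructed.

```python
import re

# Constructed sample signature set: rule name -> byte pattern to look for in the stream.
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "shell-path": re.compile(rb"/bin/sh"),
}

def match_signatures(data: bytes) -> list:
    return sorted(name for name, pat in SIGNATURES.items() if pat.search(data))

def inspect_per_fragment(fragments) -> list:
    """Naive IDS: matches each fragment on its own. A signature that straddles a fragment
    boundary is never seen whole, which is what the fragmentation evasion relies on."""
    hits = set()
    for _offset, payload in fragments:
        hits.update(match_signatures(payload))
    return sorted(hits)

def reassemble(fragments) -> bytes:
    """Rebuild the original payload from (offset, bytes) fragments before matching.
    Gaps and overlaps are rejected rather than guessed at: ambiguous reassembly is
    itself something an IDS should flag, not silently resolve."""
    buf = bytearray()
    for offset, payload in sorted(fragments):
        if offset != len(buf):
            raise ValueError(f"gap or overlap at offset {offset}")
        buf += payload
    return bytes(buf)

def inspect_reassembled(fragments) -> list:
    """IDS that reassembles the stream first, so split signatures are matched whole."""
    return match_signatures(reassemble(fragments))

# Constructed sample: one request split so the traversal pattern crosses the boundary.
SAMPLE_FRAGMENTS = [(0, b"GET /../."), (9, b"./etc/passwd HTTP/1.0\r\n\r\n")]

if __name__ == "__main__":
    print("per-fragment:", inspect_per_fragment(SAMPLE_FRAGMENTS))
    print("reassembled: ", inspect_reassembled(SAMPLE_FRAGMENTS))
```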
