Chapter 4

The document provides an overview of firewalls and intrusion detection systems (IDS), detailing their definitions, types, configurations, and functions. Firewalls serve as security barriers to monitor and control network traffic, while IDS monitor for suspicious activities and can alert administrators or take action against threats. Additionally, the document discusses concepts like DMZ (Demilitarized Zone) and honeypots, emphasizing their roles in enhancing network security.

Uploaded by Vaibhav Koli

UNIT 4

Firewall and Intrusion Detection System


Q] Define Firewall.
Q] Explain need for firewall.

A firewall is a network security device that monitors incoming and outgoing network traffic and
permits or blocks data packets based on a set of security rules.
Its purpose is to establish a barrier between your internal network and incoming traffic from
external sources (such as the internet) in order to block malicious traffic like viruses and hackers.
Firewalls can be an effective way of protecting a local system or network of systems from network-
based security threats while at the same time affording access to the outside world via wide area
networks and the Internet.

Types of firewall:
1. Packet Filter
2. Circuit level Gateway
3. Application Gateway
4. Software
5. Hardware
6. Hybrid
7. Stateful multilayer Inspection Firewall

Q] Write a brief note on firewall configuration 6M


i) Packet filter as a firewall
ii) Application level gateway firewall
iii) Circuit level gateway firewall

1. Packet Filtering Firewall

{Write below Paragraph only if asked Packet Filtering Firewall for 6 Marks else Skip}

• A firewall works as a barrier, or a shield, between your PC and cyber space.
• When you are connected to the Internet, you are constantly sending and receiving
information in small units called packets.
• The firewall filters these packets to see if they meet certain criteria set by a series of rules,
and thereafter blocks or allows the data.
• This way, hackers cannot get inside and steal information such as bank account numbers
and passwords from you.

Prof. Somwanshi A.A. ( Arrow Computer Academy ) : - 8788335443


Working:-
A packet filtering router firewall applies a set of rules to each packet and, based on the outcome, decides
whether to forward or discard the packet.
Such a firewall implementation involves a router, which is configured to filter packets going in
either direction, i.e. from the local network to the outside world and vice versa.
A packet filter performs the following functions:

1. Receive each packet as it arrives.
2. Pass the packet through a set of rules, based on the contents of the IP and transport header
fields of the packet. If the packet matches one of the rules, accept or discard it as that rule specifies.
3. If there is no match with any rule, take the default action. This can be to discard all packets or to accept all
packets.

This firewall will act according to the rule table.

For example, consider a table entry for source IP 150.150.0.0. This is the address of a network, so all
packets coming from this network will be blocked by the firewall.
Consider that the table also has entries for port 80, IP address 200.75.10.8 and port 23.
Port 23 is for Telnet (TELecommunication NETwork) remote login. In this case the firewall won't allow
logins to this server.
IP address 200.75.10.8 is the address of an individual host; all packets having this IP address as their
destination address will be denied.
Port 80 is the default port for HTTP. The firewall will not allow any web browser to request and receive web
pages from servers.
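The rule-table behaviour described above, as an added example that is not code from the original notes: a small Python packet filter that consults only the IP and transport header fields, applies the first matching rule, and otherwise falls back to the default action. The /16 mask on 150.150.0.0 and the "accept" default are assumptions, since the notes do not state them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    """One row of the filter table; a field left as None matches anything."""
    action: str                  # "accept" or "deny"
    src: Optional[str] = None    # source host or network, e.g. "150.150.0.0/16"
    dst: Optional[str] = None    # destination host or network
    dport: Optional[int] = None  # destination port from the transport header

    def matches(self, src_ip, dst_ip, dport):
        # Only IP and transport header fields are consulted: the filter never
        # looks at the payload, and it trusts the source address as written
        # (which is why the notes list spoofing as a disadvantage).
        if self.src and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True

# Constructed table mirroring the entries discussed in the notes. The /16 mask
# on 150.150.0.0 is an assumption; the notes only say it names a network.
RULES = [
    Rule("deny", src="150.150.0.0/16"),   # whole network blocked as source
    Rule("deny", dst="200.75.10.8"),      # individual host blocked as destination
    Rule("deny", dport=23),               # Telnet logins refused
    Rule("deny", dport=80),               # HTTP requests refused
]

def filter_packet(src_ip, dst_ip, dport, rules=RULES, default="accept"):
    """Steps 2 and 3 from the notes: the first matching rule decides; otherwise
    the default action applies (assumed 'accept' here; 'deny' is the safer choice)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return default

if __name__ == "__main__":
    for pkt in [("150.150.3.4", "10.0.0.5", 443), ("198.51.100.7", "10.0.0.5", 443)]:
        print(pkt, "->", filter_packet(*pkt))
```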

Advantages:
• The biggest advantage of packet filtering firewalls is cost and lower resource usage; they are best suited
for smaller networks.
• Simplicity
• Transparency to the users
• High speed

Disadvantages:
• Packet filtering firewalls can work only on the network layer, and these firewalls do not support
complex rule-based models.
• They are also vulnerable to spoofing in some cases.
• It is difficult to set up packet filtering rules.



2. Circuit level gateway Firewalls:

The circuit level gateway firewalls work at the session layer of the OSI model.
They monitor the TCP handshaking between packets to determine if a requested session is
legitimate.
If the initial handshake matches the established security policies, the gateway permits the connection.
It creates a virtual circuit for the duration of the session, across which all traffic is allowed to flow
unimpeded.
The information passed through a circuit level gateway to the internet appears to have come from
the circuit level gateway.
So there is no way for a remote computer or host to determine the internal private IP addresses
of an organization, for example.
This technique is also called Network Address Translation, where the private IP addresses
originating from the different clients inside the network are all mapped to the public IP address
and then sent to the outside world (Internet).
This way, the packets are tagged with only the public IP address, and the internal private IP addresses
are not exposed to potential intruders.
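The handshake monitoring described above, as an added example not taken from the notes: a minimal circuit-level gateway state machine that opens a virtual circuit only for a client-initiated SYN to a permitted service, follows the three-way handshake step by step, and then passes established traffic unimpeded. The allowed service list, the addresses and the simplified single-FIN teardown are assumptions; address translation is not modelled.

```python
# Session states kept by the gateway for each tracked circuit.
SYN_SENT, SYN_RECEIVED, ESTABLISHED = "syn_sent", "syn_received", "established"

class CircuitGateway:
    """Session-layer gateway: validates the TCP handshake against policy, then
    lets the established virtual circuit flow without further inspection."""

    def __init__(self, allowed_dports):
        self.allowed_dports = set(allowed_dports)  # policy: services clients may open
        self.sessions = {}                          # (client, server, sport, dport) -> state

    def handle(self, src, dst, sport, dport, flags):
        """Decide 'allow' or 'drop' for one packet; flags is a set like {'SYN', 'ACK'}."""
        fwd = (src, dst, sport, dport)   # key if this packet goes client -> server
        rev = (dst, src, dport, sport)   # key if this packet goes server -> client
        if fwd in self.sessions:
            key, direction = fwd, "to_server"
        elif rev in self.sessions:
            key, direction = rev, "to_client"
        else:
            # No circuit yet: only a bare SYN to a permitted service may start one.
            if flags == {"SYN"} and dport in self.allowed_dports:
                self.sessions[fwd] = SYN_SENT
                return "allow"
            return "drop"   # unsolicited SYN-ACK, stray ACK, disallowed service, ...

        state = self.sessions[key]
        if state == SYN_SENT and direction == "to_client" and flags == {"SYN", "ACK"}:
            self.sessions[key] = SYN_RECEIVED
            return "allow"
        if state == SYN_RECEIVED and direction == "to_server" and flags == {"ACK"}:
            self.sessions[key] = ESTABLISHED
            return "allow"
        if state == ESTABLISHED:
            # Virtual circuit: traffic flows unimpeded in both directions.
            # Simplification: the first FIN or RST tears the circuit down.
            if "FIN" in flags or "RST" in flags:
                del self.sessions[key]
            return "allow"
        return "drop"   # packet does not fit the expected handshake step
```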

3. Application level gateway Firewalls (Proxy Firewalls):

Application level firewalls decide whether to drop a packet or send it through based on the
application information (available in the packet).
They do this by setting up various proxies on a single firewall for different applications.
A proxy server is a system or router that provides a gateway between users and the internet.
Both the client and the server connect to these proxies instead of connecting directly to each other.
So any suspicious data or connections are dropped by these proxies.
Application-level gateways can provide additional security benefits over other types of firewalls
because they can inspect the contents of data packets at the application layer, where protocols such
as HTTP, FTP, and SMTP operate.
This enables the firewall to identify and filter out traffic in order to detect and prevent attacks that might
attempt to exploit vulnerabilities in specific applications.



4. Stateful multilayer Inspection Firewall (SMLI)
The stateful multi-layer inspection (SMLI) firewall uses a sophisticated form of packet-filtering that
examines all seven layers of the Open System Interconnection (OSI) model.
Each packet is examined and compared against known states of friendly packets.
While screening router firewalls only examine the packet header, SMLI firewalls examine the entire
packet including the data.
SMLI is a mechanism that uses a sophisticated form of packet-filtering, examining all major layers of the
OSI model.
In other words, this type of filter examines packets at the network, transport, and application levels,
comparing them to known trusted packets.
SMLI checks the entire packet and only allows it to pass through each layer individually.
Such firewalls inspect packets to assess the state of communication in order to ensure that all facilitated
communication only takes place with trusted sources.
To be more specific, an SMLI firewall is not necessarily a single firewall implementation.
Rather, it is a series of firewalls that work in concert to secure traffic at different levels of the OSI model.
It may be a composition of a stateless packet filter, a stateful firewall, as well as an application level
proxy.



Firewall Policies
Firewall policies are sets of rules that control network traffic, preventing unauthorized access and
protecting against security threats by defining which traffic is allowed or blocked based on source,
destination, protocol, and port.

Q) State any two policies of the firewall 2M


Service control: Determines the types of Internet services that can be accessed, inbound or outbound.
The firewall may filter traffic on the basis of IP address, protocol, or port number; may provide
proxy software that receives and interprets each service request before passing it on.
Direction control: Determines the direction in which particular service requests may be initiated and
allowed to flow through the firewall.
User control: Controls access to a service according to which user is attempting to access it. This feature
is typically applied to users inside the firewall perimeter (local users).
Behavior control: Controls how particular services are used. For example, the firewall may filter e-mail
to eliminate spam, or it may enable external access to only a portion of the information on a local Web
server.



Firewall Configuration
Q) Write a brief note on firewall configuration

Configuration of firewall
There are 3 common firewall configurations.
1. Screened host firewall, single-homed bastion configuration
2. Screened host firewall, dual homed bastion configuration
3. Screened subnet firewall configuration

1. Screened host firewall, single-homed bastion configuration


In this type of configuration the firewall consists of the following parts:
i) A packet filtering router
ii) An application gateway.
The main purpose of each part is as follows:
• The packet filter is used to ensure that incoming data is allowed only if it is destined for the application
gateway, by verifying the destination address field of each incoming IP packet. It also ensures that
outgoing traffic is allowed only if it originated from the application level gateway, by examining
the source address field of every outgoing IP packet.
• The application gateway is used to perform authentication and proxy functions.

Fig: Single-homed bastion configuration


Advantages:
• It improves the security of the network by performing checks at both levels, that is, the packet and the application
level.
• It provides flexibility to the network administrator to define more secure policies.

Disadvantages:
Internal users are connected to the application gateway as well as the packet filter router, so if the
packet filter is somehow attacked, the whole internal network is exposed to the attacker.



2. Screened host firewall, dual homed bastion configuration
To overcome the disadvantage of the screened host firewall, single homed bastion configuration, another
configuration is available, known as the screened host firewall, dual homed bastion.
In this, direct connections between internal hosts and the packet filter are avoided.
The packet filter connects only to the application gateway, which has a separate connection
with the internal hosts. Now if the packet filter is successfully attacked, only the application gateway is
visible to the attacker. This provides security to the internal hosts.

3. Screened subnet firewall configuration


It provides the highest security among all firewall configurations.
It is an improved version of all the other firewall configuration schemes.
It uses two packet filters, one between the internet and the application gateway and another between the
application gateway and the internal network.
Thus this configuration gives an attacker 3 levels of security to break through.

Limitations:
1. Firewalls do not protect against inside threats.
2. A packet filter firewall does not provide any content based filtering.
3. Protocol tunneling, i.e. sending data of one protocol inside another
protocol, negates the purpose of the firewall.
4. Encrypted traffic cannot be examined and filtered.



DMZ
Describe DMZ with suitable diagram. 4M

DMZ (Demilitarized Zone): It is a computer host or small network inserted as a "neutral zone" between a
company's private network and the outside public network. It prevents outside users from getting direct
access to a company's data server. A DMZ is an optional but more secure approach to a firewall. It can
effectively act as a proxy server.
The typical DMZ configuration has a separate computer or host in the network which receives requests
from users within the private network to access web sites or the public network. The DMZ host then
initiates sessions for such requests on the public network, but it is not able to initiate a session back into
the private network. It can only forward packets which have been requested by a host.

The public network's users who are outside the company can access only the DMZ host. It can store
the company's web pages, which can be served to the outside users. Hence, the DMZ can't give access
to the company's other data. If an outsider somehow penetrates the DMZ's security, the web pages
may get corrupted, but the company's other information remains safe.

Examples:
Web servers
It's possible for web servers communicating with internal database servers to be deployed in a DMZ.
This makes internal databases more secure, as these are the repositories responsible for storing
sensitive information. Web servers can connect with the internal database server directly or through
application firewalls, while the DMZ continues to provide protection.



Intrusion Detection System (IDS)
Q. Describe IDS and its two types.

An Intrusion Detection System (IDS) monitors network traffic for suspicious activity and
alerts the system or network administrator.
In some cases the IDS may also respond to anomalous or malicious traffic by taking action such as
blocking the user or source IP address from accessing the network.

IDS are mainly divided into two categories, depending on the monitored activity:

• Host Based Intrusion Detection System
• Network Based Intrusion Detection System

Host Based Intrusion Detection System (HIDS)

Q. Explain Host based IDS.

Host intrusion detection systems (HIDS) run on individual hosts or devices on the network.

A HIDS monitors the incoming and outgoing packets of that device only and will alert the
administrator if suspicious or malicious activity is detected. It takes a snapshot of existing system files
and compares it with the previous snapshot. If system files were edited or deleted, an alert
is sent to the administrator to investigate.
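The snapshot-and-compare check just described, as an added example (not code from the notes): a Python baseline of SHA-256 file hashes compared against a later snapshot, reporting modified, deleted and added files. The monitored directory is a constructed temporary directory standing in for the system files.

```python
import hashlib
import tempfile
from pathlib import Path

def take_snapshot(root):
    """Record the SHA-256 of every regular file under root: the HIDS baseline."""
    root = Path(root)
    snapshot = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            snapshot[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return snapshot

def compare_snapshots(old, new):
    """Return which files were modified, deleted or added since the baseline."""
    return {
        "modified": sorted(f for f in old if f in new and old[f] != new[f]),
        "deleted": sorted(f for f in old if f not in new),
        "added": sorted(f for f in new if f not in old),
    }

def demo():
    """Constructed scenario: baseline a fake etc/ directory, then change it."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root) / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = take_snapshot(root)
        # Simulated changes an administrator would want to hear about:
        # an edited account file, a deleted file and an unexpected new file.
        (etc / "passwd").write_text(
            "root:x:0:0::/root:/bin/sh\nnewuser:x:1001:1001::/home/newuser:/bin/sh\n")
        (etc / "hosts").unlink()
        (etc / "unexpected.conf").write_text("x=1\n")
        return compare_snapshots(baseline, take_snapshot(root))

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The baseline must itself be stored where the monitored host cannot rewrite it, otherwise an edit to both the file and its recorded hash goes unnoticed.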

Basic Components of HIDS:

• Traffic collector:
This component collects activity or events for the IDS to examine.
On a host-based IDS, this can be log files, audit logs, or traffic coming to or leaving a specific system.

• Analysis Engine:
This component examines the collected network traffic and compares it to known patterns of suspicious or
malicious activity stored in the signature database. The analysis engine acts like the brain of the IDS.

• Signature database:
It is a collection of patterns and definitions of known suspicious or malicious activity.



• User Interface & Reporting:
This is the component that interfaces with the human element, providing alerts and giving the user a
means to interact with and operate the IDS.

1) Host-based IDS: A host based IDS looks for certain activities in the log files, such as:
1. Logins at odd hours
2. Login authentication failures
3. Adding new user accounts
4. Modification or access of critical system files
5. Modification or removal of binary files
6. Starting or stopping processes
7. Privilege escalation
8. Use of certain programs
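An added example, not from the notes, that implements the first three log-file checks in the list above (odd-hour logins, repeated authentication failures, new user accounts) as detection rules over a constructed auth-log sample. The log format, the 00:00 to 05:59 "odd hours" window and the three-failure threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed auth-log sample (not a real capture); the line format is an assumption.
SAMPLE_LOG = """\
2024-05-01 09:02:10 host sshd[410]: Accepted password for alice from 10.0.0.7
2024-05-01 03:12:44 host sshd[511]: Accepted password for root from 10.0.0.9
2024-05-01 03:13:01 host sshd[512]: Failed password for root from 10.0.0.9
2024-05-01 03:13:05 host sshd[512]: Failed password for root from 10.0.0.9
2024-05-01 03:13:09 host sshd[512]: Failed password for root from 10.0.0.9
2024-05-01 03:15:30 host useradd[530]: new user: name=svc_tmp, UID=1005
2024-05-01 10:20:00 host sshd[600]: Failed password for bob from 10.0.0.7
"""

LINE_RE = re.compile(r"^(\S+ \S+) \S+ (\w+)\[\d+\]: (.*)$")
ODD_HOURS = range(0, 6)   # assumption: 00:00 to 05:59 counts as "odd hours"
FAILURE_THRESHOLD = 3     # assumption: alert on the third failure from one source

def analyze(log_text):
    """Apply three of the HIDS log-file checks; return a list of (rule, detail) alerts."""
    alerts = []
    failures = Counter()          # authentication failures per source address
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # unparseable line: skipped rather than trusted
        ts, program, msg = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        # Rule 1: successful login at odd hours
        if msg.startswith("Accepted") and when.hour in ODD_HOURS:
            alerts.append(("login_odd_hours", msg))
        # Rule 2: repeated login authentication failures from one source
        if msg.startswith("Failed password"):
            src = msg.rsplit("from ", 1)[1]
            failures[src] += 1
            if failures[src] == FAILURE_THRESHOLD:   # alert once, at the threshold
                alerts.append(("auth_failures", src))
        # Rule 3: a new user account being added
        if program == "useradd":
            alerts.append(("new_user_account", msg))
    return alerts

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LOG):
        print(f"ALERT {rule}: {detail}")
```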

2) Network based IDS: A network based IDS looks for certain activities like:
1. Denial of service attacks
2. Port scans or sweeps
3. Malicious contents in the data payload of packet(s)
4. Vulnerability scanning
5. Trojans, viruses or worms
6. Tunneling
7. Brute force attacks

Honey Pots
Q] Explain honey pots. 4M

A relatively recent innovation in intrusion detection technology is the honey pot.


Honeypots are designed to purposely engage and deceive hackers and identify malicious activities
performed over the Internet.
Honey pots are decoy systems that are designed to lure a potential attacker away from critical systems.



Honey pots are designed to:

• divert an attacker from accessing critical systems
• collect information about the attacker's activity

It encourages the attacker to stay on the system for some time, allowing the administrators to detect
this and act on it.
These systems are filled with fabricated information designed to appear valuable but that a legitimate
user of the system wouldn't access.
Honeypots are designed with 2 important goals:
1. Make them look like full real-life systems.
2. Do not allow legitimate users to know about or access them.

State any four differences between Firewall and Intrusion Detection System 4M


Demonstrate configuration of firewall settings in the Windows operating system. 4M
