Department of CSE

III Year B.Tech. II-Sem

Regulation: R18
Subject: Information Security (18PE0CS2C)

Prepared By:
Dr.B.Veeramallu

Dept. of CSE ,GNITC

1
 Information Security
UNIT-V
• Web Security: Web security considerations, Secure Socket
Layer and Transport Layer Security, Secure electronic
transaction.

• Intruders, Virus and Firewalls: Intruders, Intrusion

detection, Password management, Virus and related threats,
countermeasures, firewall design principles, Types of
firewalls.

• Case Studies on Cryptography and security: Secure inter

branch payment transactions, cross site Scripting
Vulnerability, virtual elections.
Arun Singh, Asst. Professor, GNITC
 Web Security
 Introduction to Web Security :
 Today internet has become one of the fastest growing and mostly
used by every person and firms.

 Websites now widely used by business, government, individuals.

 All of them have separate websites , which enable them to set their
business facilities through web as e-commerce.

 But Internet and web are extremely vulnerable because with growth
of web use, the threats to security and privacy has also grown.

 Web security is a set of procedures , practices and technologies for

protecting web servers and their surrounding against unexpected
behavior.
 Web Security
 Web Security Considerations :
 Web security can be achieved by implementing various strategies
including SSL or TLS and SET approaches.

 World wide web is basically a client/server application that runs

internet and TCP/IP intranets.

 New challenges presented by Web in computer and network security

are as :

 Internet is of two ways : Even electronic publishing systems are

vulnerable to attacks on Web servers over internet.

 High Visibility: When web servers are destroyed , reputation , money

can be lost.
 3. Complex Software : Client/server application is complex.
 The software's are complex an can hide many security faults.

 4. Untrained Users : The untrained users are not aware of the

security risks.

 They don’t have knowledge to take effective measures.

 Web Security Threats :

 Variety of threats with web security like :
 Active attack and Passive Attack

 Some other threats are associated with Web Security based on

specific locations like web browser ,web server and network traffic
between them
 If Proper action not taken against these threats ,then following
areas are affected:
 Integrity (Threats = modification of data , Trozan horse browser, )
 Confidentiality (Threats = Intruder theft data from client)
 Denial of service (Threats : Intruder may kill the user, can cut the
communication)
 Authentication (Threats : Data may be forged )
 Web Traffic Security Approaches :
 Web Traffic Security Approaches
 A number of approaches are there to make web security possible.

 The approaches are similar in services , mechanisms , but they differ

in their applicability and their location within TCP/IP protocol stack.

 Above figure lists the difference.

 Network level Security : We provide web security in network level by

using IPSec.

 The main advantage of using IPSec is that it is transparent to end

users.
 Web Traffic Security Approaches
 The IPSec has filtering capability so we can filter unauthorized messages.
 Transport level Security : We implement security at the Transport level
just above TCP.

 Example Secure Socket Layer (SSL) and TLS (transport layer security).

 Application layer Security : In this approach security is provided at

application layer.
 Security is implemented to particular applications.
 Advantage : service can be applied to particular needs for given
application.

 It includes application like Kerberos , S/MIME , PGP and SET.

 Important application is SET.
 Secure Socket Layer (SSL)
 The Netscape Corporation developed SSL in 1994.

 SSL is an internet protocol used for secure exchange of information

between Web server and Web Client.

 Version 3 of this protocol was designed with public review and was
published as an Internet draft document.

 It is based on connection oriented and reliable service.(eg.TCP)

 SSL provide security services for any TCP based application protocol
eg. HTTP , FTP, TELNET, etc.

 It is application independent.
 Secure Socket Layer (SSL)
 SSL consist of two sub-layers :
 1. SSL record Protocol : Where all action takes place.

 2. SSL Management : Handshake/Cipher change/Alert protocols

 SSL provides : Client server Authentication , Data traffic

confidentiality, Message authentication and integrity.

 SSL Does not provide : Traffic analysis , TCP oriented attacks.

 Versions of SSL :
 1.0 – Never released to public because of security faults
 2.0 – Some weakness (man in middle attack) in Netscape navigator
 3.0 – No serious security faults in Netscape Navigator 3.0, MS
explorer.
 Secure Socket Layer (SSL) Architecture
 SSL is designed to make use of TCP to provide reliable end-to-end
secure service.

 SSL is a two layered protocol as shown in figure.

 SSL record protocol provides basic security services to higher layer

protocols.

 HTTP, can operate on top of SSL which provides transfer service for
Web Client/server interaction.

 The three high layer protocols : Handshake protocol, The change

cipher protocol and Alert protocol are SSL specific protocols and
used in management of SSL.
 Secure Socket Layer (SSL) Architecture
 Handshake protocol : This protocol is used to exchange the
certificates between web server and web client.

 Change Cipher Spec Protocol : This protocol is used to change secure

channel to new spec.

 Alert protocol : The Alert protocol is used to convey SSL related

alerts to the web server/web client.

 The two important concepts of SSL are :

 SSL Session and SSL Connection

 SSL Session : An SSL session is an association between a client and a

server.
 Secure Socket Layer (SSL) Architecture
 Sessions are created by Handshake protocol.

 Sessions will define parameters which can be shared between

connections.

 SSL state is defined by the following parameters :

 Session Identifier
 Peer certificate
 Compression method
 Cipher Spec
 Master secret
 Is resumable
 Secure Socket Layer (SSL) Architecture
 SSL Connection : A connection is a transport that provides service
between server and client.

 Every connection is associated with one session.

 A connection state is defined by the following parameters :

 Server and client random
 Server write MAC secret
 Client write MAC secret
 Server write key
 Client write key
 Initialization vector
 Sequence numbers
 Secure Socket Layer (SSL)
 SSL Record Protocol :
 SSL Record protocol used after a successful Handshake between
client and server.

 It means , after client and server have authenticated each other and
have decided what algorithms to use for secure information
exchange.

 The SSL record protocol provides two services for SSL connection :
 Confidentiality : It is achieved by symmetric encryption SSL payloads
with shared secret key defined by Handshake protocol.

 Message Integrity : It is achieved by using a MAC with shared secret

key defined by Handshake protocol.
SSL
 Secure Socket Layer (SSL)
 The SSL Record protocol takes an application message to be
transmitted.
 Fragments the data into smaller blocks & optionally compresses
each block , applies a MAC

 Encrypts, adds header, and create an object called Record and

transmit it under TCP protocol

 These steps to prepare record in detail are as :

 Fragmentation : This step breaks up message is fragmented into

blocks of 16384 bytes or less.
 Secure Socket Layer (SSL)
 Compression : This step is optionally applied.

 Compression must not result into loss of original data.

 SSL version 3 includes no compression protocol , so no default

compression algorithm is used.

 Addition of MAC : It is the next step in which MAC is computed over

the compressed data to provide data integrity .

 For this a shared secret key is used to protect data from any
modification.

 Encryption : Next, the data plus MAC are encrypted using symmetric
encryption algorithm , like DES or 3-DES.
 Secure Socket Layer (SSL)
 Append Record Header : This is the final step of SSL Record protocol
in which a header is prepared consist of following fields :

 Content Type (8 bits): Identifies which payload is delivered by packet

and determines which higher protocols are to be used for processing
of enclosed fragment.

 Major version (8 bits) : Specifies major version of SSL in use. For SSL
v3, value is 3.
 Minor version (8 bits) : Specifies minor version of SSL in use. For SSL
v3, value is 1.
 Compressed Length (16 bits) : Specifies length in bytes of plaintext
fragment.
 With these steps , the Record preparation is completed. Then record
is sent to the target point.
SSL RECORD PROTOCOL
 Secure Socket Layer (SSL)
 SSL Change Cipher Spec Protocol :
 It is one of the three protocols that uses SSL Record protocol.

 It is consist of single message , consist of single byte with value 1.

 Purpose of this message is to cause pending state to be copied into

current state , which updates cipher to be used on this connection.

 SSL Alert protocol :

 The Alert protocol is used to send alerts to the peer entity.

 Alert messages are compressed and encrypted.

 Secure Socket Layer (SSL)
 Each message in Alert Protocol consist of two bytes :
 First byte is used to convey the severity of the message , either it is
warning alert or the fatal alert.

 If level is fatal , SSL terminate connection , other connections may be

continued.

 Second byte contains a code indicating the specific alert.

 Some of the fatal alerts are :
 Unexpected message
 Bad record mac
 Decompression failure
 Handshake failure
 Illegal parameter
 Secure Socket Layer (SSL)
 Some warning Alerts are :
 Close notify ,No certificate
 Bad certificate
 Unsupported certificate
 Certificate revoked
 Certificate expired

 SSL Handshake Protocol :

 It is most complex part of SSL.
 This protocol allows the server and client to authenticate each other
and negotiate an encryption.

 The MAC algorithm and cryptographic keys are to be used to protect

data which is sent in SSL record.
 Secure Socket Layer (SSL)
 This protocol is used before transmission of any application data.

 Before transmission, client and server establish connection by using

handshake protocol.

 Handshake protocol consist of series of messages exchanged by

client and server .

 The Handshake protocol message consist of three fields as follows :

 Type (1 byte): Indicates type of message in the packet.

 Length (3 bytes) : This field is used to represent length of message in

bytes.
 Secure Socket Layer (SSL)
 Content (>= 0 bytes): This field carries the parameters associated
with the message.

 The type of message and parameters are listed in below figure (a).

 In Handshake protocol there are four phases for establishing logical

connection between client and server .

 The figure (b) represents phases in Handshake protocol.

 Secure Socket Layer (SSL)
 Cryptographic Computations :
 There are two cryptographic computations :
 (1) Creation of a shared master secret key

 (2) Generation of cryptographic parameters from master secret.

 Master Secret Creation : The shared master secret is a one time 48

byte value.

 It is generated for the session by secure key exchange.

 The two stages of creating master secret :

 1. Pre master secret is exchanged.
 2. Master secret is calculated by both the parties.
 Secure Socket Layer (SSL)
 There are two possibilities for pre master secret exchange :
 1. RSA 2. Diffie Hellman

 Generation of Cryptographic Parameters :

 The Cipher Spec requires the following parameters :

 A client write MAC secret , a server write MAC secret , a client write
key , a server write key , a client write IV, a server write IV.

 All these parameters are generated from the master secret by

hashing the master secret into sequence of secure bytes of sufficient
length for all required parameters
 Transport Layer Security (TLS)
 Transport layer security (TLS) is a protocol that guarantees privacy
and data integrity between client/server applications over internet.

 TLS is an IETF standard initiative whose goal is to produce an internet

standard version of SSL.

 TLS is defined in RFC 5246 . It is very similar to SSLv3.

 It is successor to the SSL.

 Version Number : TLS Record format is same as that of SSL Record

format.

 Difference is in version values.

 For current version of TLS , major version is 3 and minor version is 1.

TLS
 Transport Layer Security (TLS)
 TLS Record Format :
 Content Type (8 bits): It is used to process enclosed fragment.

 Major version (8 bit):Used to represent major version of TLS. For

TLSv3 , value is 3.

 Minor Version (8 bit) :Used to represent minor version of TLS. For

TLSv3 ,value is 1.

 Compressed Length (16 bits) : Used to represent length of the

plaintext fragment.
 TLS uses three basic functionalities to provide security :
 1. MAC
 2. Pseudorandom function
 3. Alert C
TLS RECORD PROTOCOL
 Transport Layer Security (TLS)
 MAC : There are two differences between SSLv3 and TLS MAC
scheme.

 The actual algorithm and scope of the MAC calculation.

 TLS uses HMAC algorithm for MAC calculation.

 The HMAC is defined as :

 HMAC (M) = H[ (K+ XOR opad ) ll H [ (k+ XOR ipad ) ll M ]

 H = Embedded hash function, M = message input to HMAC

 K+ = Secret key padded with zeros

 ipad = 0011110 , opad = 01011100
 Transport Layer Security (TLS)
 Pseudorandom Function : TLS uses pseudorandom function to
expand secret blocks for key generation and for key validation.

 The objective of this is to generate longer blocks of data by using

small secret value

 Alert Codes :
 TLS support following fatal alert codes :
 Unexpected message ,Bad record mac ,Decompression failure
 Handshake failure, Illegal parameter ,Decryption failed
 Record overflow , Unknown CA , Access denied , Decode error ,
Export restriction
 Protocol version , Insufficient security , Internal error :
 System Security
 Major security for system in network is unwanted use by an user or a
software

 System security is an area in which the concerns of network security

and computer security threats can enter through network or directly.

 Intruder :
 Intruder also called Hacker or a Cracker is most important threat to
system security.

 It gains unauthorized access to computer system or to gain

unauthorized use.
 System Security
 Types of Intruders :

 Masquerader : It is an outsider who is not authorized to access the

system.

 Misfeasor : It is an authentic insider who can use those data for

which they are not authorized.

 Clandestine User : It can be either inside or outside the system.

 It captures all administrative control .

 System Security
 Intrusion Techniques :
 Aim to gain access and/or increase privileges on a system

 Often use system / software vulnerabilities

 Goal often is to acquire passwords .

 So try to use rights of owner

 Basic attack methodology : Target acquisition and information

gathering

 Initial access , Privilege escalation , Covering tracks

 System Security
 Intrusion Detection :
 It is an art and science of sensing when a system or network is used
or without authorization.

 Intrusion detection is important because :

 It eliminates intruders

 It is an anti-threatening system.

 To prevent further intrusions.

 Some intrusion detection techniques are :

 System Security
 Statistical Anomaly Detection :
 It is based on statistical factors.

 It is based on collection of data of behavior of users over specified

period

 Rule based detection :

 By using set of rules we find a given behavior is authorized or

intruder. The rule is based existing usage patterns.

 Audit Records : It is an intrusion detection is audit record.

 System Security
 This collected data is then applied to statistical tests to decide
whether user behavior is ok or not.

 This detection technique is classified into two categories :

 1. Threshold : In threshold detection, number of occurrences of a

particular event over a period of time is calculated.

 If event count is more than allowable count, then it is an intrusion.

 Number of allowable occurrences is called threshold value.

 Threshold value can result in false negative or false positive.

 System Security
 False positive : Describes situation when system reports intrusion
activity
 False negative : Describes situation when system fails to detect
intrusion

 Profile based Anomaly Detection :

 It is based on user past profile.
 The user profile is recorded in the form of “audit records”.
 So current audit records are analyzed to identify differences from
average behavior.
 Metrics that are used to study user behavior are :
 Counter (count of event in some time, eg: no. of times user logged in
some time)
 Guage (Used to measure entity value , eg : no. of outgoing messages
from user)
 System Security
 Native audit records : It is included in operating system itself.

 Multiuser OS include native audit record in the form of accounting

software that collects information on activity.

 Detection Specific Audit records :

 Only required information is collected in detection specific audit records.

 Statistical Anomaly Detection :

 Based on data related to users behavior collected over period of time

 Internal timer : it is duration of time between two events

 Resource utilization : Number of resources used over some time.

 System Security
 Measures used for Intrusion detection :
 Following are the activities on which measures are applied for
intrusion detection :

 1. Login and session Activities :

 Measures that are used during login and session are as :

 Login frequency by day and time
 Frequency of login at different locations
 Time since Last Login
 Elapsed time per session
 Quantity of output
 System Security
 Resource utilization per session , Password failure at login

 2. Command or program execution Activity :

 The measures used during command and program execution

activity are :
 Execution frequency , Program resource utilization ,Execution Denials

 3. File Access activity :

 Measures that are used during file access activity are as :

 Read, write, create, delete, frequencies , Records read ,written ,

Failure count for read , Write , Create ,Delete
 System Security
 Rule Based Intrusion Detection :
 Technique that detect intrusion by observing events in a system and
applying a set of rules are called rule – based intrusion detection
techniques.

 There are two approaches :

 1.Rule based Anomaly Detection :
 It is identical to statistical anomaly detection in its approach and
strength.

 In this ,historical audits are analyzed and a specific usage pattern is

identified.

 If any transaction matched with historical pattern, then intrusion has

taken place
 System Security
 2. Rule-based Penetration Identification :It is based on expert
system technology.

 Rules are generated by “experts” but not using historical audit

records.

 The rules are specific to machine and operating system.

 These rules can identify the suspicious behavior ,known penetrations

and expected penetrations which can find weaknesses of system.

 The strength of this approach relies on experts as they are people

who set rules.
 System Security
 Some of them are : Users should not read from or write to others
files.

 Same files are used by users even log on after hours.

 Distributed Intrusion Detection :

 An intrusion detection system that protects a single is not much
needed for an organization.

 So there is a need of distributed intrusion detection system.

 Some design issues of a distributed intrusion detection system are :

 1. It may need to deal with different formats of audit records.

 System Security
 Honeypots :
 Modern intrusion detection make use of a novel of idea , called as
honeypots.

 A honeypot is a trap that attracts potential attackers.

 A honeypot is designed so as to do the following :

 Divert attention of a potential intruder from critical systems
 Collect information about intruder’s actions

 Honeypots are designed with two important goals :

 Make them look like real life systems.
 Put real looking information into them.
 Do not allow legitimate users to know about or access them.
 System Security
 Password Management :
 First protection scheme against intruders is usage of passwords.

 All multi user systems require that user have name along with
password.

 User name provides uniqueness that no two users are having same
account.

 All user names along with password are stored in a password file.

 When someone gives username and password, first system verifies

whether there is a record of that username or not.


 System Security
 Unix Password schema : In case of UNIX OS the passwords are not
stored in their original form within a password file.

 Passwords are converted into ASCII equivalent result in a 56 bit value

 The 56 bit value with “salt ” value of 12 bits that is related to the
time at which password is assigned to the user are provided as inputs
to encryption algorithm

 The result is then subjected to 25 rounds of encryption.

 The final 64 bit result is then translated into 11 character sequence.

 This character sequence and a copy of salt value are recorded in the
password file for each user.
 System Security
 Importance of salt :
 Salt serves three important purposes.
 1. It prevents duplicate passwords.
 Even length of the password is small it effectively increases length of
password.

 It prevents the user of hardware implementations of DES.

 Password selection Strategies : one should be careful when

selecting password.

 The selected password must be far away from guessing by other

persons.
 Better solution is password should consist of 8 or more characters.
 System Security
 There are four techniques for password selection and they are :
 1. Using computer Generated Passwords
 2. Educating users in password selection
 3. Reactive password checking
 4. Proactive password checking

 Malicious Software :
 Malicious software or Malware is any software that gives partial or
full control of computer to do whatever the malware creator wants.

 Malicious software can be virus , worm , trojan , spyware backdoors

etc.

 Malicious software or malware are not limited to one operating

 System Security
 Most highly advanced types of threats to computer systems are
presented by programs that provide dangers in computing systems.

 The term used for such threats is malicious software or malware.

 Malware is a software designed to cause damage to resources of

target computer

 Malicious programs :
 These threats can be divided into two categories , those that need
host program and those which are independent.

 The first one cannot exist independently of some actual application

program , utility or system program .
 System Security
 The second can exist independently and are self contained programs
that can be scheduled and run by operating system
 Virus :
 A virus is a software program that replicates itself and infects
another computer without knowledge of the user.

 For replicating itself , a virus must execute code and should be

written to memory

 A virus spreads by transmitting itself through network and bypassing

security system or they are transmitted as attachments in an email
message.

 Virus contains malicious code that can damage system by destructing

important programs , deleting necessary files.
 System Security
 Virus may be based on two considerations according to
their behavior :
 1. Non – Resident Virus : It searches for other uninfected host
programs and infects

 2. Resident – Virus : These do not search for host programs but load
themselves into memory during execution and transfer control to
host program.

 Virus goes through following four phases or stages during its

lifetime :
 1. Dormant phase : In this phase , virus is activated by some
condition.
 2. Propagation phase : The virus places an identical copy of itself into
other programs or into certain system areas.
 System Security
 3. Triggering phase : Triggering phase can be caused by variety of
system including number of times virus has made copy of itself.

 4. Execution phase : Virus executes intended function that are

dangerous.

 Types of Viruses :
 1. Parasitic Virus : It attaches itself to executable files like .exe in
order to spread.

 When a infected program is executed , the cloned copy of parasitic

virus is transmitted to .exe files.

 2. Memory – resident virus : These virus load themselves into

memory during execution of infected programs.
 System Security
 Boot-sector virus : It infects the master –boot record and propagates
while booting the system from infected disk.

 Stealth virus : It hides itself from being detected by any antivirus

software.

 This virus tricks antivirus program by intercepting request made to

operating system and passing it to the virus.

 Polymorphic Virus : It is one of the serious threat to virus scanner.

 It is a virus that modifies with each infection.

 Every individual virus differ in their virus detection

 System Security
 Polymorphic virus achieve this variation using encryption technique
where a part of virus is called as polymorphic engine generates
encryption key randomly.

 Metamorphic virus : It also modifies with every infection like

polymorphic virus.

 But the difference is that a metamorphic virus re-writes itself

completely while infecting a new executable file.

 So difficulty of detecting a virus increases.

 Macro Viruses : It is a common virus.

 System Security
 These virus cause much damage to system’s data or its resource. It
has become a threat because :

 It is independent of executing platform.

 It can infect MS Word.

 Macro virus only infect documents but not executable files.

 They can be spread without any difficulty .

 E-mail virus : It is latest developed malicious program.

 Mellissa virus is fast spreading email virus that uses word macro’s
that are inserted in an email attachment.
 System Security
 Virus Counter Measures :
 Anti-virus approaches :
 The best way to control threats is to stop them getting inside the
system.

 As it is very difficult to stop a virus , three approaches are used to

reduce the virus threats .
 These approaches are :
 1. Virus Detection approach : When a program is infected , analysis is
done to detect and find location of virus.

 2. Virus Identification approach :

 When virus is detected , this approach identifies the actual virus ,
which is the main reason for infection.
 System Security
 3. Virus Removal approach :
 When virus is identified , this approach removes all viruses and
restores infected programs to its actual state.

 Advanced anti-virus approaches :

 1. Generic decryption approach :

 Generic decryption (GD) is a technology that allows an anti-virus
program to detect polymorphic viruses easily.

 It maintains the speed of fast scanners during detection.

 System Security
 GD scanner detects copy of polymorphic virus when executable files
are executed using GD scanner.

 GD scanner has following components :

 CPU Emulator
 Virus Signature Scanner
 Emulation control module

 2. Digital Immune System : IBM developed an automated

system for detecting and eradicating viruses called digital immune
system.

 The reason for developing DIS is to decrease virus that were caused
due to internet.
 Advanced internet technology play vital role for increasing virus.
 System Security
 Advanced internet technology include :
 Integrated mail system
 Mobile Program system

 3. Behavior Blocking software :

 This examines the program behavior in real time environment for
detecting malicious actions.

 It blocks these actions before they cause any damage to the system.
 System Security
 Firewalls :
 Firewalls are computer network devices that protect a network from
malicious programs.

 Firewalls are access control devices that allow or stop different types
of traffic in organization.

 Firewall is a device that is used to provide protection to a system or

set of system

 Firewalls are effective means of protecting a local system or network

of system from network based threats.
 System Security
 Firewall design principles :

 Internet connectivity is important for every firm which helps to

connect to the outside world. It also affects firm i.e. threat.

 Firewall may be hardware or software running on a secured host

computer.

 It is placed at junction or gateway between the two networks.

 Four general techniques to control access :
 Service control
 Direction control
 User control
 Behavior control
 System Security
 Firewalls characteristics :
 1. All traffic from inside to outside must pass through the firewall.
 2. Only authorized traffic , as defined by security policy is allowed to
pass.
 3. The firewall itself is immune to penetration.
 4. The firewall uses various control access methods to enforce
security activity.
 5. It determines type of internet services.
 6. It determines the direction of flow , in which service request is
initiated.
 7. It controls the user access.
 8. It controls the user from doing malpractices on secured data.
 System Security
 Firewall Limitations :
 1. Firewalls cannot fix the problems related to poorly designed
security features.

 2. Firewall cannot prevent attacks made on those packets that do not

pass through them.

 3. Firewall reduces its effectiveness if permissive rules are frequently

used
 4. Firewall cannot halt the attacks made against authorized networks.
 5. It is impossible for firewall to scan the malicious code like incoming
messages
 6. Huge cost is there for firewall installations.
 Incorrectly configured firewall may block authorized users from using
network.
 System Security
 Firewalls capabilities :
 1. It is capable of blocking unauthorized network users from entering
in network

 2. It stops vulnerable incoming services that attacks users and also

protects network from various IP address spoofing and routing
attacks.

 3. Firewall is capable of reducing burden of security management

services

 4. It is capable of providing a platform for implementing virtual

private network
 5. It handles security related problems by using alerts and audits on
firewall
 System Security
 Architecture of Firewall :
 The architecture of firewall can be classified as :
 Single Layer architecture :
 A single host is allocated all firewall functions.

 This architecture is only used when cost is a key factor and only two
networks are to be connected.

 Advantage : Any change to the firewall needs to be done only at

single host.

 Disadvantage : If single entry point is breached , then entire network

is susceptible to attack.
 Multiple layer architecture :
 The firewall functions are distributed among hosts that are
connected in series.
 Advantage : multiple layer architecture provides greater security
 Disadvantages : Difficult to design and mange and are more costly

 Types of Firewall :
 The firewalls are basically of three types depending on :
 Whether communication is being done between single node or two
network

 Whether communication is intercepted at network layer or at

application layer

 Whether communication is being tracked at the firewall or not.

 Firewall consist of following type of filters :
 Packet filtering Router :
 It is also known as screening router or screening filter .

 It applies a set of rules to the incoming IP packets .

 Whenever IP packet enters into network , the firewall applies some

rules .

 Based on results, firewall decide to forward or not to forward.

 The rules are based on the information obtained from:

 Source of IP address

 Destination of IP address
 Source and destination of transport level address
 IP protocol field
 Interface

 Advantages of packet filtering Router :

 Simplicity
 Very Fast
 Transparency

 Disadvantages of packet filtering router :

 Lack of support for authentication

 Difficult in setting up the packet filter rules correctly

 Attacks on packet filtering router and counter measures :
 IP address spoofing attacks
 Source Routing attacks
 Tiny fragment attacks

 Application Level Gateway :

 It is also called proxy server.

 It acts like a substitute and decides about the flow of application.

 Source and destination of transport level address

 IP protocol field
 Interface
 One-Way Authentication :
 It is required when sender & receiver are not in communications at
same time.

 (e.g. email) because it is not necessary for the sender and receiver
be online at the same time.

 The message is forwarded to the receiver ‘s mailbox , where it is

buffered till the receiver read it.

 Have header in clear so can be delivered by store and forward email

protocol , like SMTP.

 It want contents to be protected & sender authenticated .