Network Security

Firewalls
• Definition: Security gateways between networks that control traffic through access control mechanisms (pass, reject, encrypt, log communications).
• Types:
❖ Hardware Firewalls: Protect entire networks at the router level.
❖ Software Firewalls: Protect individual devices.
• Evolution of Firewalls:
❖ Packet Filter
❖ Stateful Inspection
❖ Application Proxy

Packet Filters
• Operate at the network layer, making decisions based on transport-layer data.
• Key Features:
❖ Examine packets for basic accept/reject decisions.
❖ Do not analyze higher protocol layers.
• Configuration Steps:
❖ Define a security policy to allow/deny traffic.
❖ Write rules using logical expressions (e.g., IP, ports, protocols).
❖ Translate rules into firewall-specific syntax.
• Example Rules:
❖ Default: Deny all traffic unless explicitly allowed.
❖ Allow inbound SMTP (port 25) to a specific machine.
❖ Block mail from untrusted sources.
❖ Permit internal hosts to send/receive mail on port 25.

Application Gateways (Proxies)
• Operate at the application layer to analyze content and commands.
• Advantages:
❖ Block specific commands (e.g., FTP "put").
❖ Enable detailed filtering.
• Disadvantages:
❖ Moderate performance.
❖ Limited scalability.

Stateful Inspection
• Operates between the data link and network layers.
• Tracks connection context using state tables.
• Introduced by Check Point.

Network Address Translation (NAT)
• Converts private IPs into public IPs for secure Internet communication.
• Benefits:
❖ Hides internal host addresses.
❖ Enables more devices on the same network.

Firewall Deployment
• Used at corporate gateways and internal sensitive segments (e.g., Finance, HR).
• Prevents external attacks and internal misuse.

VPNs (Virtual Private Networks)
• Purpose: Establish private, secure connections over public networks.
• Features: Authentication and encryption to maintain data integrity and confidentiality.

Types of VPNs
• Remote Access VPN: Connects remote users to corporate networks.
• Site-to-Site VPN: Links multiple office locations.
• Extranet VPN: Grants business partners controlled access to resources.
• Client/Server VPN: Protects internal communications.

IDS/IPS
Definitions
• Intrusion: Actions threatening network/computing security.
• IDS (Intrusion Detection System): Identifies intrusions.
• IPS (Intrusion Prevention System): Combines IDS with preventive measures (e.g., firewalls, antivirus).
IDS Components
1. Audit Data: Raw system activity data.
2. Preprocessor: Formats audit data for analysis.
3. Detection Models: Patterns of normal/intrusive activities.
4. Detection Engine: Matches activity data with models.
5. Alarms & Decision Engine: Determines and signals appropriate responses.
IDS Detection Approaches
• Misuse Detection (Signature-Based): Matches known intrusion patterns.
• Anomaly Detection: Flags deviations from normal behavior.
Deployment
• Network-Based IDS: Monitors traffic across a network.
• Host-Based IDS: Analyzes processes on individual devices.

SIEM (Security Information and Event Management)
Overview
• Purpose: Combine log management (LM) and security event analysis for comprehensive threat detection.
• Key Objectives:
o Identify threats.
o Centralize security-relevant logs.
o Provide incident investigation support.
Components and Features
• Core Components:
❖ Log Collectors and Processors.
❖ Correlators and Databases.
❖ Reporting Engines.
• Capabilities:
❖ Log normalization and correlation.
❖ Context enrichment (e.g., geo-location, user data).
❖ Real-time alerting and dashboards.
Use Case
• Process Flow:
❖ Collect data from diverse sources (e.g., network devices, identity systems).
❖ Extract meaningful insights through correlation.
❖ Present data via reports and dashboards.
Importance
• Proactive defense against sophisticated attacks.
• Efficient log management and compliance tracking.
• Enhanced threat detection and response.

Firewall - Role
• Data Inspection:
❖ Inspects inbound and outbound packets.
❖ Decides whether packets should be allowed or blocked.
• SNIFFING:
❖ Attackers attempt to compromise services on the protected network.
❖ Firewall can:
▪ Alert the admin.
▪ Strengthen its defense.
▪ Reset TCP/IP connections.
• Firewall Functions:
❖ Stops hackers from accessing your computer.
❖ Protects personal information.
❖ Blocks pop-up ads and certain cookies.
❖ Controls which programs can access the internet.
❖ Blocks invalid packets.

Firewall Generations
1. First Generation - Packet Filtering Firewall:
❖ Monitors outgoing and incoming packets.
❖ Allows or blocks traffic based on source and destination IP addresses, protocols, and ports.
❖ Analyzes traffic at the transport protocol layer.
❖ Treats each packet in isolation (no connection tracking).
❖ Maintains a filtering table to decide packet forwarding.
2. Second Generation - Stateful Inspection Firewall:
❖ Tracks the connection state of packets, making it more efficient than packet filtering.
❖ Makes filtering decisions based on the packet's history in the state table.
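Worked example (added here; it is not code from the original notes): the packet-filter rule set above (default deny, inbound SMTP only to one mail host, internal hosts may send and receive mail on port 25) enforced first by a first-generation stateless filter and then by a second-generation stateful filter that keeps a state table. The internal network, the mail host, the interface names and every packet are constructed sample values; the `syn` flag marks the first packet of a TCP connection.

```python
"""Added example (not from the notes): a first-generation packet filter
and a second-generation stateful filter enforcing the same policy from
the notes: default deny, inbound SMTP only to one mail host, internal
hosts may send and receive mail on port 25. Addresses, host roles and
packets are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/24")    # constructed internal network
MAIL_HOST = ip_address("192.0.2.25")     # constructed mail server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False          # TCP SYN: first packet of a new connection
    ingress: str = "external"  # interface the packet arrived on


def packet_filter(pkt: Packet) -> str:
    """Stateless filter: every packet is judged on its own header fields."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    # Anti-spoofing: an internal source address arriving on the external
    # interface is forged. Packet filters that skip this check are open to
    # the IP spoofing weakness the notes mention.
    if pkt.ingress == "external" and src in INTERNAL:
        return "reject"
    # Inbound SMTP is permitted only to the designated mail host.
    if pkt.proto == "tcp" and pkt.dport == 25 and dst == MAIL_HOST and src not in INTERNAL:
        return "accept"
    # Internal hosts may send mail outward on port 25.
    if pkt.proto == "tcp" and pkt.dport == 25 and src in INTERNAL:
        return "accept"
    # Default rule: deny anything not explicitly allowed. This also rejects
    # the replies to the outbound SMTP session above, because a stateless
    # filter has no memory of having allowed the request.
    return "reject"


class StatefulFirewall:
    """Stateful inspection: connections that were allowed to start are
    recorded in a state table, and their later packets (including replies)
    are accepted on the strength of that history rather than of a rule."""

    def __init__(self):
        self.state = set()   # (src, sport, dst, dport, proto) of open connections

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.state or reverse in self.state:
            return "accept"                       # part of a tracked connection
        if pkt.syn and packet_filter(pkt) == "accept":
            self.state.add(key)                   # new connection passes policy
            return "accept"
        return "reject"                           # unsolicited or not permitted


def demo():
    fw = StatefulFirewall()
    # An internal host opens an SMTP session to an outside relay ...
    out_syn = Packet("192.0.2.10", "198.51.100.5", "tcp", 40001, 25, syn=True, ingress="internal")
    # ... and the relay's SYN-ACK comes back to the ephemeral port.
    reply = Packet("198.51.100.5", "192.0.2.10", "tcp", 25, 40001)
    # Outside host delivering mail to the designated mail host.
    to_mail_host = Packet("203.0.113.9", "192.0.2.25", "tcp", 5555, 25, syn=True)
    # Outside host sending SMTP to a workstation instead of the mail host.
    wrong_host = Packet("203.0.113.9", "192.0.2.10", "tcp", 5555, 25, syn=True)
    # Packet claiming an internal source address but arriving from outside.
    spoofed = Packet("192.0.2.77", "192.0.2.25", "tcp", 4444, 25, syn=True)
    # Unsolicited packet shaped like an SMTP reply, with no matching state.
    fake_reply = Packet("198.51.100.5", "192.0.2.10", "tcp", 25, 40002)
    return {
        "stateless_out": packet_filter(out_syn),
        "stateless_reply": packet_filter(reply),     # rejected: no rule, no memory
        "stateful_out": fw.filter(out_syn),          # accepted and recorded
        "stateful_reply": fw.filter(reply),          # accepted from the state table
        "to_mail_host": fw.filter(to_mail_host),
        "wrong_host": fw.filter(wrong_host),
        "spoofed": fw.filter(spoofed),
        "fake_reply": fw.filter(fake_reply),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The point the two filters make together: with an identical rule set, the stateless filter must either reject the relay's reply or be given a broad extra rule for return traffic, while the stateful filter lets the reply in only because the state table says the internal host started that exact connection, and still rejects an unsolicited packet that merely looks like a reply.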
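Worked example (added here; not code from the original notes): the SIEM process flow above (collect from diverse sources, normalize, enrich, correlate, alert) as a small pipeline. The two log formats, the log lines themselves and the geo-location table are all constructed for this example; the correlation rule (several failed logins from one source followed by a success within a short window) is the kind of signature-plus-threshold rule the IDS section contrasts, and the threshold and window are assumptions.

```python
"""Added example (not from the notes): a miniature SIEM pipeline over the
steps in the SIEM and IDS sections. Two constructed log sources (a firewall
and an SSH server) are normalized to one event schema, enriched from a
constructed geo table, and correlated: several failed logins from one
source followed by a success within a short window raises an alert."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample logs (documentation address ranges, ISO-8601 timestamps).
RAW_LOGS = [
    "fw: 2024-05-01T10:00:01Z DENY tcp 203.0.113.9:51000 -> 192.0.2.25:22",
    "sshd: 2024-05-01T10:00:05Z Failed password for admin from 203.0.113.9 port 51001",
    "sshd: 2024-05-01T10:00:09Z Failed password for admin from 203.0.113.9 port 51002",
    "sshd: 2024-05-01T10:00:14Z Failed password for admin from 203.0.113.9 port 51003",
    "sshd: 2024-05-01T10:00:20Z Accepted password for admin from 203.0.113.9 port 51004",
    "sshd: 2024-05-01T10:01:00Z Failed password for bob from 192.0.2.40 port 40000",
    "sshd: 2024-05-01T10:05:00Z Accepted password for bob from 192.0.2.40 port 40001",
]

# Constructed enrichment table: network prefix -> location label.
GEO = {ip_network("203.0.113.0/24"): "Region-X (external)",
       ip_network("192.0.2.0/24"): "HQ LAN"}

FW_RE = re.compile(r"fw: (\S+) (ALLOW|DENY) (\w+) (\S+):(\d+) -> (\S+):(\d+)")
SSH_RE = re.compile(r"sshd: (\S+) (Failed|Accepted) password for (\S+) from (\S+) port (\d+)")


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalize(line):
    """Preprocessor / log processor: map each source's format onto one schema."""
    m = FW_RE.match(line)
    if m:
        return {"ts": parse_ts(m[1]), "source": "firewall", "type": "fw_" + m[2].lower(),
                "src": m[4], "dst": m[6], "dport": int(m[7]), "user": None}
    m = SSH_RE.match(line)
    if m:
        return {"ts": parse_ts(m[1]), "source": "sshd",
                "type": "auth_fail" if m[2] == "Failed" else "auth_success",
                "src": m[4], "dst": None, "dport": 22, "user": m[3]}
    return None   # unknown format: dropped here, counted as a parse failure in practice


def enrich(event):
    """Context enrichment: attach a location label from the geo table."""
    addr = ip_address(event["src"])
    event["geo"] = next((label for net, label in GEO.items() if addr in net), "unknown")
    return event


def correlate(events, failures=3, window=timedelta(seconds=60)):
    """Correlation rule: at least `failures` failed logins from one source,
    then a successful login from that source within `window`."""
    alerts, fails_by_src = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "auth_fail":
            fails_by_src.setdefault(ev["src"], []).append(ev["ts"])
        elif ev["type"] == "auth_success":
            recent = [t for t in fails_by_src.get(ev["src"], []) if ev["ts"] - t <= window]
            if len(recent) >= failures:
                alerts.append({"rule": "brute_force_then_success", "src": ev["src"],
                               "user": ev["user"], "geo": ev["geo"],
                               "failures": len(recent), "at": ev["ts"].isoformat()})
    return alerts


def run_pipeline(lines=RAW_LOGS):
    """Collect -> normalize -> enrich -> correlate, returning the alerts."""
    events = [enrich(e) for e in map(normalize, lines) if e is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

On the sample data the external source trips the rule (three failures inside a minute, then a success) and is reported with its enrichment label, while the internal user's single failure four minutes before a success does not; the firewall deny from the same external address survives normalization so an analyst can pivot to it during investigation.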
3. Third Generation - Application Layer Firewall:
❖ Inspects and filters packets up to the application layer.
❖ Recognizes and blocks misuse of specific applications and protocols (e.g., HTTP, FTP).
❖ Operates with proxy servers, preventing direct connections between internal and external networks.
❖ Can also act as a Network Address Translator (NAT).
4. Next Generation Firewalls (NGFW):
❖ Includes features like Deep Packet Inspection, Application Inspection, and SSL/SSH inspection.
❖ Provides advanced protection from modern threats.

Firewall Types
• Packet Filter:
❖ Looks at packets entering or leaving the network.
❖ Accepts or rejects based on rules.
❖ Transparent to users but hard to configure.
❖ Vulnerable to IP spoofing.
• Application Gateway/Proxy:
❖ Handles TCP/IP application requests (e.g., FTP, TELNET).
❖ Highly effective but can cause performance degradation.
• Circuit Level Gateway:
❖ Standalone application that doesn't permit end-to-end TCP connections.
❖ Sets up two TCP connections (internal and external hosts).
• Bastion Host:
❖ A dedicated machine designed to withstand attacks.
❖ Hosts specific applications (e.g., Telnet, SMTP, FTP).
❖ Limits application support to reduce security threats.

Port Forwarding
• Usage:
❖ Allows internal devices to communicate with the external network via a single public IP address.
❖ Router/firewall must forward incoming connections to specific private IP addresses and ports.
• Process:
❖ Network administrators configure routers to accept and forward connections.

Simplified Document:
Proxy Overview
• Definition:
❖ A proxy acts as an intermediary for machines on the network to access the internet.
❖ It forwards requests from clients to other servers or services.
• Proxy Functions:
❖ Allows web browsing, FTP, email, and other services.
❖ Forwards client requests and retrieves responses.

Proxy Types
• Forward Proxy:
❖ Client requests the proxy to access the internet.
• Open Proxy:
❖ Conceals a client's IP address while browsing.
• Reverse Proxy:
❖ Forwards requests to proxy servers and presents the response as if it came from the original server.

Proxy Server Architecture
• User Interface:
❖ Provides easy management, including starting/stopping the proxy, blocking URLs/clients, and managing logs/cache.
• Proxy Server Listener:
❖ Listens for client requests and handles client blocking.
• Connection Manager:
❖ Manages proxy connections.
• Cache Manager:
❖ Manages web page storage, deletion, and retrieval from the cache.
• Log Manager:
❖ Manages logs, including viewing, clearing, and updating logs.
• Configuration Module:
❖ Configures proxy settings like caching.

Tunneling - Proxy
• Purpose:
❖ Allows users to bypass firewall restrictions by sending data through HTTP (port 80).
• SSL Tunneling:
❖ Web proxy servers use SSL tunneling protocols to securely transmit data through port 443.

Proxy Connection Settings
• Configuration Options:
❖ Manual or automatic proxy configuration.
❖ Specific ports for HTTP, SSL, FTP, SOCKS.
❖ Options for exceptions (e.g., localhost).

IP Security (IPSec)
1. Introduction to IPSec
• IP Protocol Issue: Original IP design (from the 1970s–80s) lacked security since all hosts and users were known and trusted.
• Modern Internet Challenges:
❖ Untrusted public networks.
❖ Vulnerable to attacks like data tampering, identity spoofing, and privacy loss.
• Solution: IPSec addresses these issues with strong encryption, authentication, and data integrity.
2. Security Issues in IP Networks
• Data Integrity Attack: Packets can be altered during transmission.
• Identity Spoofing: IP addresses can be faked.
• Replay Attacks: Data can be captured and resent without permission.
• Loss of Privacy: Packet contents can be read in transit.
• How IPSec Helps:
❖ Ensures encryption, integrity, authentication, and replay protection for data security.
3. What is IPSec?
• Definition: A set of protocols and algorithms that secure IP traffic at the network layer.
• Compatibility:
❖ Built into IPv6 and supports IPv4.
• Functions:
❖ Works across different security layers (e.g., TLS, HTTPS).
❖ Hardware encryption adds an extra layer of security for all applications.
4. Core Functions of IPSec
1. Authentication:
❖ Ensures packets are from the intended sender.
❖ Verifies packets haven't been altered in transit.
2. Confidentiality:
❖ Encrypts messages to prevent eavesdropping.
3. Key Management:
❖ Safely exchanges and manages encryption keys.
Applications:
• Used in secure e-commerce, remote access, LANs, WANs, and the Internet.
5. Benefits of IPSec
• Provides strong security for all traffic crossing firewalls/routers.
• Transparent to applications and end-users.
• Secures routing architecture and individual users.
6. IPSec Documents
1. Architecture:
❖ Describes security concepts and mechanisms (RFC 4301).
2. Authentication Header (AH):
❖ Ensures message authentication and integrity (RFC 4302).
3. Encapsulating Security Payload (ESP):
❖ Provides encryption and authentication (RFC 4303).
4. Internet Key Exchange (IKE):
❖ Manages secure key exchanges.
5. Cryptographic Algorithms:
❖ Defines encryption, authentication, and key exchange methods.
6. Domain of Interpretation (DOI):
❖ Specifies encryption/authentication identifiers and operational parameters.
7. IPSec Architecture
• Modes of Operation:
1. Transport Mode: End-to-end security between two hosts.
2. Tunnel Mode: Security between gateways or between a host and a gateway (used in VPNs).
• Key Components:
❖ Security Association (SA): One-way relationship providing security for traffic.
❖ Security Parameter Index (SPI): A unique identifier for each SA.
❖ Security Association Database (SAD): Stores all parameters for each SA.
❖ Security Policy Database (SPD): Links IP traffic to specific SAs based on rules.
8. Transport Mode vs. Tunnel Mode
• Transport Mode:
❖ Encrypts only the packet's payload (inner data).
❖ AH can protect headers and payloads.
• Tunnel Mode:
❖ Encrypts the entire packet, including headers.
❖ AH applies to parts of the outer header.
9. Security Association (SA)
• Definition:
❖ A one-way relationship providing security for traffic between sender and receiver.
• Key Features:
❖ SA specifies encryption keys, algorithms, and policies for securing traffic.
❖ Identified by three parameters:
1. SPI: A 32-bit identifier in AH/ESP headers.
2. IP Destination Address: End address for the SA.
3. Security Protocol Identifier: Indicates if it's an AH or ESP association.
10. Security Association Database (SAD)
• Definition: Stores the parameters for each SA.
• Key Parameters:
❖ Sequence Number Counter: Prevents duplicate packets.
❖ Anti-Replay Window: Detects and prevents replay attacks.
❖ AH/ESP Information: Stores algorithms, keys, and lifetimes.
❖ Lifetime: Defines when an SA expires.
❖ IPSec Protocol Mode: Specifies transport or tunnel mode.
❖ Path MTU: Tracks the maximum packet size for transmission.
11. Security Policy Database (SPD)
• Purpose: Determines how IP traffic relates to specific SAs.
• SA Selectors:
❖ Destination IP Address: Can specify a single address, a range, or a wildcard.
❖ Source IP Address: Same options as destination.
❖ User ID: Links traffic to a specific user (if supported).
❖ Data Sensitivity Level: Defines the security level (e.g., secret or public).
❖ Transport Protocol: Identifies the protocol (e.g., TCP, UDP).
❖ Source/Destination Ports: Specifies the application or service (e.g., port 80 for HTTP).
• Actions:
1. Discard: Blocks traffic.
2. Bypass: Allows traffic without IPSec.
3. Protect: Applies IPSec security.
12. Actions When SA is Missing
• Outbound Traffic:
❖ Use IKE to dynamically generate an SA.
• Inbound Traffic:
❖ Drop the packet if no SA is available.

Steps in Encryption in DES
i. Initial Permutation
ii. Compute Round Key
iii. Divide the message into right and left halves
iv. Expand the right half to 48 bits
v. XOR with the round key
vi. Pass through S-Box
vii. Apply P-Box
viii. XOR with previous left; the result becomes the next right
ix. Previous right becomes the next left
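Worked example (added here; not code from the original notes): sections 9 to 12 above as a toy model of the SPD-to-SAD processing path. SPD entries carry the selectors the notes list (source and destination address as a single host, a range or a wildcard; transport protocol; destination port) and one of the actions Discard, Bypass, Protect; SAD entries are keyed by the (SPI, destination address, security protocol) triple from section 9 and hold the sequence counter and anti-replay window from section 10. Outbound traffic that needs protection but has no SA gets one created, which stands in for the IKE negotiation of section 12; inbound traffic with no SAD entry is dropped. All policies, addresses and SPI values are constructed, and the window logic is a simplified form of the RFC 4303 check.

```python
"""Added example (not from the notes): the SPD -> SAD processing path of
sections 9-12 as a toy model. Policies, addresses and SPIs are constructed;
the SA created for unmatched outbound traffic stands in for an IKE exchange."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")   # wildcard selector


@dataclass
class SpdEntry:
    src: object                 # ip_network selector; a single host is a /32
    dst: object
    proto: Optional[str]        # "tcp", "udp" or None for any protocol
    dport: Optional[int]        # None for any destination port
    action: str                 # "DISCARD", "BYPASS" or "PROTECT"
    ipsec_proto: str = "esp"    # "ah" or "esp", used when action is PROTECT

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in self.src and ip_address(pkt["dst"]) in self.dst
                and self.proto in (None, pkt["proto"]) and self.dport in (None, pkt["dport"]))


@dataclass
class SecurityAssociation:
    spi: int                    # 32-bit identifier carried in the AH/ESP header
    dst: str                    # destination address; (spi, dst, proto) names the SA
    ipsec_proto: str
    seq: int = 0                # outbound sequence number counter
    window: int = 32            # anti-replay window size (packets)
    highest: int = 0            # highest inbound sequence number accepted so far
    seen: set = field(default_factory=set)   # accepted numbers inside the window

    def next_seq(self):
        self.seq += 1
        return self.seq

    def check_replay(self, seq):
        """True for a new packet, False for a duplicate or one older than the window."""
        if seq > self.highest:                       # window slides forward
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.window} | {seq}
            return True
        if seq <= self.highest - self.window or seq in self.seen:
            return False
        self.seen.add(seq)                           # late but not yet seen
        return True


class IpsecHost:
    def __init__(self, spd):
        self.spd = spd          # ordered SPD; the first matching entry wins
        self.sad = {}           # (spi, dst, ipsec_proto) -> SecurityAssociation
        self._next_spi = 0x1000

    def _negotiate_sa(self, entry, dst):
        """Stand-in for IKE: install an SA for this policy and peer."""
        sa = SecurityAssociation(self._next_spi, dst, entry.ipsec_proto)
        self._next_spi += 1
        self.sad[(sa.spi, dst, entry.ipsec_proto)] = sa
        return sa

    def outbound(self, pkt):
        entry = next((e for e in self.spd if e.matches(pkt)), None)
        if entry is None or entry.action == "DISCARD":
            return ("DISCARD", None)
        if entry.action == "BYPASS":
            return ("BYPASS", None)                  # forwarded without IPsec
        sa = next((s for s in self.sad.values()
                   if s.dst == pkt["dst"] and s.ipsec_proto == entry.ipsec_proto), None)
        if sa is None:                               # section 12, outbound: no SA yet
            sa = self._negotiate_sa(entry, pkt["dst"])
        return ("PROTECT", {"spi": sa.spi, "seq": sa.next_seq(), "proto": sa.ipsec_proto})

    def inbound(self, spi, dst, ipsec_proto, seq):
        sa = self.sad.get((spi, dst, ipsec_proto))
        if sa is None:                               # section 12, inbound: no SA -> drop
            return "DROP_NO_SA"
        return "ACCEPT" if sa.check_replay(seq) else "DROP_REPLAY"


def demo():
    spd = [
        SpdEntry(ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"), None, None, "PROTECT"),
        SpdEntry(ANY, ANY, "udp", 53, "BYPASS"),
        SpdEntry(ANY, ANY, None, None, "DISCARD"),
    ]
    sender = IpsecHost(spd)
    web = {"src": "10.1.0.5", "dst": "10.2.0.9", "proto": "tcp", "dport": 443}
    first, second = sender.outbound(web), sender.outbound(web)
    dns = sender.outbound({"src": "10.1.0.5", "dst": "198.51.100.53", "proto": "udp", "dport": 53})
    other = sender.outbound({"src": "10.1.0.5", "dst": "198.51.100.80", "proto": "tcp", "dport": 80})
    # The receiving gateway holds the matching inbound SA, as IKE would have installed it.
    spi = first[1]["spi"]
    receiver = IpsecHost(spd)
    receiver.sad[(spi, "10.2.0.9", "esp")] = SecurityAssociation(spi, "10.2.0.9", "esp")
    return {
        "first": first, "second": second, "dns": dns, "other": other,
        "in_1": receiver.inbound(spi, "10.2.0.9", "esp", 1),
        "in_2": receiver.inbound(spi, "10.2.0.9", "esp", 2),
        "replay_1": receiver.inbound(spi, "10.2.0.9", "esp", 1),   # duplicate
        "in_40": receiver.inbound(spi, "10.2.0.9", "esp", 40),
        "stale_5": receiver.inbound(spi, "10.2.0.9", "esp", 5),    # now outside the window
        "unknown_spi": receiver.inbound(0xDEAD, "10.2.0.9", "esp", 3),
    }
```

Two things the run shows that the bullet lists do not: the second packet to the same peer reuses the SA created for the first (only the sequence number advances), and the anti-replay window rejects a sequence number in two distinct ways, as an exact duplicate and as a number that has fallen behind the window after a later packet moved it forward.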
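Worked example (added here; not code from the original notes): the nine DES steps above implemented on the simplified DES (S-DES) teaching cipher, which keeps the DES round structure (initial permutation, key schedule, split, expansion, XOR with the round key, S-boxes, P-box, the left/right swap) at 8-bit block and 10-bit key size so the tables fit on a page. The permutation tables and S-boxes are the S-DES ones as recalled for this example, which is an assumption; the test vector checked in the usage note (key 1010000010, plaintext 11010111, ciphertext 10101000) is what this code computes with them.

```python
"""Added example (not from the notes): the nine DES steps above, run on the
simplified DES (S-DES) teaching cipher: 8-bit block, 10-bit key, two rounds,
two 4x4 S-boxes. The tables below are S-DES's as recalled for this example
(an assumption); the round structure is that of DES, only the sizes differ."""

IP = [2, 6, 3, 1, 4, 8, 5, 7]          # i.   initial permutation (1-based positions)
IP_INV = [4, 1, 3, 5, 7, 2, 8, 6]      #      its inverse, applied at the end
P10 = [3, 5, 2, 7, 4, 10, 1, 9, 8, 6]  # ii.  key schedule permutations
P8 = [6, 3, 7, 4, 8, 5, 10, 9]
EP = [4, 1, 2, 3, 2, 3, 4, 1]          # iv.  expansion, 4 -> 8 bits (DES: 32 -> 48)
P4 = [2, 4, 3, 1]                      # vii. P-box
S0 = [[1, 0, 3, 2], [3, 2, 1, 0], [0, 2, 1, 3], [3, 1, 3, 2]]   # vi. S-boxes
S1 = [[0, 1, 2, 3], [2, 0, 1, 3], [3, 0, 1, 0], [2, 1, 0, 3]]


def bits(s):
    return [int(c) for c in s]


def text(b):
    return "".join(str(x) for x in b)


def permute(b, table):
    return [b[i - 1] for i in table]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def rotl(b, n):
    return b[n:] + b[:n]


def round_keys(key):
    """ii. Compute the round keys: P10, split, rotate each half, P8 (twice)."""
    k = permute(key, P10)
    left, right = rotl(k[:5], 1), rotl(k[5:], 1)
    k1 = permute(left + right, P8)
    left, right = rotl(left, 2), rotl(right, 2)
    k2 = permute(left + right, P8)
    return k1, k2


def sbox(b, box):
    """Outer bits select the row, inner bits the column, as in DES."""
    v = box[b[0] * 2 + b[3]][b[1] * 2 + b[2]]
    return [v >> 1 & 1, v & 1]


def f(right, subkey):
    """Round function: steps iv to vii."""
    expanded = permute(right, EP)                     # iv.  expand the right half
    mixed = xor(expanded, subkey)                     # v.   XOR with the round key
    s = sbox(mixed[:4], S0) + sbox(mixed[4:], S1)     # vi.  S-boxes
    return permute(s, P4)                             # vii. P-box


def feistel_round(left, right, subkey):
    """viii. next right = left XOR f(right); ix. next left = old right."""
    return right, xor(left, f(right, subkey))


def encrypt_block(plain, key):
    k1, k2 = round_keys(key)
    b = permute(plain, IP)                            # i.   initial permutation
    left, right = b[:4], b[4:]                        # iii. split into halves
    left, right = feistel_round(left, right, k1)
    left, right = feistel_round(left, right, k2)
    # As in DES, the halves are not swapped after the last round.
    return permute(right + left, IP_INV)


def decrypt_block(cipher, key):
    """Same network with the round keys in reverse order."""
    k1, k2 = round_keys(key)
    b = permute(cipher, IP)
    left, right = b[:4], b[4:]
    left, right = feistel_round(left, right, k2)
    left, right = feistel_round(left, right, k1)
    return permute(right + left, IP_INV)


def encrypt_text(plain, key):
    return text(encrypt_block(bits(plain), bits(key)))


def decrypt_text(cipher, key):
    return text(decrypt_block(bits(cipher), bits(key)))


if __name__ == "__main__":
    print(encrypt_text("11010111", "1010000010"))   # 10101000 with these tables
```

Usage: `encrypt_text("11010111", "1010000010")` returns `"10101000"` and `decrypt_text` inverts it. Decryption needs no separate code path because the round only ever XORs the left half with a function of the right half; running the same rounds with the subkeys reversed cancels each XOR, which is the property step viii relies on and the reason DES's final swap is omitted.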