Unit IV Firewall

The document discusses firewalls and intrusion detection systems, detailing their types, configurations, and functionalities. Firewalls serve as barriers between private and public networks, inspecting traffic based on predefined rules, while intrusion detection systems monitor network activities for malicious behavior. Key components of firewalls include hardware, software, packet filters, and proxy servers, while intrusion detection systems are categorized into host-based and network-based systems.

Uploaded by vrushalikabade36

Unit-IV

Firewall and Intrusion Detection System
Part - I
•Firewall
•Types of Firewall
•Configuration of Firewall
• Demilitarized Zone
Firewall
• A firewall can be hardware, software or a combination of both; it inspects
network traffic passing through it and either accepts or rejects each message
based on a set of rules
• It is a partition between a private network and a public network, and it
inspects all traffic passing through it
• A firewall is always placed at a network gateway to protect the internal
resources of a private network from the public network
• The working of a firewall is similar to a router program: it examines each
network packet to determine whether or not to forward it towards its destination
• A firewall is installed on a special computer that is separated from the
network, hence incoming requests cannot reach private network resources directly
Need for firewall
• Everyone uses the internet, but it is difficult to protect a network from attacks
• Most corporations have a large amount of confidential data in their networks.
Leaking this critical information to competitors can be a great setback
• Apart from the leaking of inside information, there is great danger from
outside elements too.
Need for firewall
• As a result of these dangers, one must have a mechanism which ensures that
inside information remains inside and also prevents outside attackers from
entering a corporate network; to protect the corporate network a firewall is used
• A firewall works as a barrier between a PC and cyberspace
• The firewall stands between the network and the outside world; all traffic
between the network and the internet, in either direction, must pass through
the firewall
• The firewall decides whether the traffic can be allowed to flow or whether it
must be stopped from proceeding further, as shown in the figure
Types of firewall
• The different types of firewall are as follows
• Hardware
• Software
• Packet filter
• Proxy server
• Hybrid
• Application gateways
• Circuit level gateway
Hardware Firewall
• A hardware firewall can be purchased as a stand-alone product, but more
recently hardware firewalls are typically found in broadband routers
• A hardware firewall can be effective with little configuration and can protect
every single machine on a local network
• A hardware firewall uses packet filtering to examine the header of a packet to
determine its source and destination
• This information is compared to a set of predefined or user-created rules
that determine whether the packet is to be forwarded or dropped
Advantages & Disadvantages
• Advantages :
• A hardware firewall protects multiple systems

• Disadvantages :
• It is expensive
• It is complicated
• Difficult to upgrade
• Tricky to configure
Software Firewall
• For individual home users, the most popular firewall is a software firewall
• A software firewall can be installed on your computer and is easy to
customize. It allows control over its functions and protection features
• A software firewall protects the computer from outside attempts to control or
gain access to the computer and, depending on the choice of software firewall,
provides protection against the most common Trojan horses or email worms
• Many software firewalls have user-defined controls for setting up safe file and
printer sharing and for blocking unsafe applications from running on the system
Advantages & Disadvantages
• Advantages :
• It is easier to configure & setup
• It is more flexible

• Disadvantages :
• Software firewalls only protect the computer on which they are installed, not
a network, so each computer needs its own software firewall installed
Compare Hardware & Software Firewall
Sr. No. | Hardware Firewall | Software Firewall
1 | Hardware firewalls are specially built into hardware devices like routers | Software firewalls are software programs installed on a computer
2 | It protects the whole network | It protects the individual computer on which it is installed
3 | It is tricky to configure | It is easy to configure
4 | It filters web packets | It may not filter web packets unless web traffic filtering controls are enabled
5 | It can be configured to use a proxy service for filtering packets | It does not use a proxy service to filter packets
Packet Filter Firewall
• A packet filtering firewall applies a set of rules to each incoming and
outgoing IP packet and then forwards or discards the packet
• A packet filter firewall is designed to filter packets going in both directions
(from and to the internal network)
• Filter rules are based on information contained in the network packet:
1. Source IP address: the IP address of the system that transmits the IP packet
2. Destination IP address: the IP address of the system the IP packet is
trying to reach
3. Source and destination transport-level address: the transport-level port
number, which identifies applications such as SNMP or TELNET
4. IP protocol field: defines the transport protocol
5. Interface: for a router with two or more ports, which interface the packet
came from or which interface the packet is destined for
Packet Filtering operation
• A packet filter can be considered as a router that performs three main
actions, as shown in the following figure
A packet filtering operation
• A packet filter performs the following functions:
1. Receive each packet as it arrives
2. Pass the packet through a set of rules, based on the contents of the IP and
transport header fields of the packet. If there is a match with one of the
rules, decide whether to accept or discard the packet based on that rule
3. If there is no match with any rule, take the default action. Two default
policies are possible:
i) Default = discard: discard all packets
The default discard policy is more conservative. Initially everything is
blocked and services are added on a case-by-case basis
ii) Default = forward: accept all packets
The default forward policy increases ease of use for end users but
provides reduced security
Advantages and Disadvantages
• Advantages :
• Simplicity
• Packet filters typically are transparent to users
• Packet filters are faster
• Disadvantages :
• Packet filter firewalls do not examine upper-layer data, so they cannot
prevent attacks that employ application-specific functions
• Because of the limited information available to the firewall, the logging
functionality present in packet filter firewalls is limited
• Most packet filter firewalls do not support advanced user authentication
schemes
• It is difficult to set up the packet filter rules correctly
• Many packet filter firewalls cannot detect a network packet in which the
addressing information has been altered
Stateful Packet filter
• A stateful packet filter understands the request and reply pattern of a
connection
• Usually the rules of a stateful filter are specified only for the first packet
in one direction; a new rule is then created dynamically after the first
outbound packet
• All other packets in the communication are then processed automatically
• Stateful firewall can support for a wider
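The packet filtering operation described above (ordered rules, then a default discard or default forward policy) and the stateful behaviour of this section can be seen together in the following added example. It is not code from the original slides; the rule set, addresses and packets are constructed for illustration, and the flow table is keyed only on the 5-tuple (no sequence-number tracking).

```python
# Added example (not from the original slides): a toy packet filter that applies
# an ordered rule list to each packet, falls back to a default policy ("discard"
# or "forward"), and optionally records accepted outbound flows so that the
# reply packets are forwarded without a static inbound rule. All addresses,
# ports and packets are constructed sample values.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = arriving from the public network, "out" = leaving the internal network
    protocol: str       # IP protocol field, e.g. "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _ip_matches(pattern: Optional[str], address: str) -> bool:
    """None matches anything; a pattern ending in '.' is a prefix such as '10.0.0.'."""
    if pattern is None:
        return True
    if pattern.endswith("."):
        return address.startswith(pattern)
    return address == pattern


@dataclass(frozen=True)
class Rule:
    action: str                        # "forward" or "discard"
    direction: Optional[str] = None    # None matches either direction
    protocol: Optional[str] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in (None, pkt.direction)
                and self.protocol in (None, pkt.protocol)
                and _ip_matches(self.src_ip, pkt.src_ip)
                and _ip_matches(self.dst_ip, pkt.dst_ip)
                and self.dst_port in (None, pkt.dst_port))


class PacketFilter:
    def __init__(self, rules, default="discard", stateful=False):
        self.rules = list(rules)
        self.default = default        # policy applied when no rule matches
        self.stateful = stateful
        # Accepted outbound flows: (proto, internal ip, internal port, external ip, external port)
        self.flows = set()

    def decide(self, pkt: Packet) -> str:
        # Stateful mode: an inbound packet answering an accepted outbound packet
        # is forwarded without consulting the static rule list.
        if self.stateful and pkt.direction == "in":
            if (pkt.protocol, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
                return "forward"
        for rule in self.rules:          # first matching rule wins
            if rule.matches(pkt):
                if rule.action == "forward" and self.stateful and pkt.direction == "out":
                    self.flows.add((pkt.protocol, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return rule.action
        return self.default


# Constructed rule set: internal hosts (10.0.0.x) may open web connections, and
# anyone may reach the mail server 10.0.0.5 on port 25. Everything else falls
# through to the default policy.
RULES = [
    Rule("forward", direction="out", protocol="tcp", src_ip="10.0.0.", dst_port=80),
    Rule("forward", direction="in", protocol="tcp", dst_ip="10.0.0.5", dst_port=25),
]

WEB_REQUEST = Packet("out", "tcp", "10.0.0.7", 40000, "203.0.113.9", 80)
WEB_REPLY = Packet("in", "tcp", "203.0.113.9", 80, "10.0.0.7", 40000)
UNSOLICITED = Packet("in", "tcp", "198.51.100.4", 5555, "10.0.0.7", 40000)
MAIL_IN = Packet("in", "tcp", "198.51.100.4", 5555, "10.0.0.5", 25)


def run(filter_: PacketFilter, packets) -> list:
    """Return the filter's decision for each packet, in arrival order."""
    return [filter_.decide(p) for p in packets]


if __name__ == "__main__":
    seq = [WEB_REQUEST, WEB_REPLY, UNSOLICITED, MAIL_IN]
    print("stateless, default discard:", run(PacketFilter(RULES), seq))
    print("stateful,  default discard:", run(PacketFilter(RULES, stateful=True), seq))
    print("stateless, default forward:", run(PacketFilter(RULES, default="forward"), seq))
```

Running the three filters over the same four packets shows the trade-off the slides describe: the stateless default-discard filter drops the legitimate web reply because no static rule covers the client's ephemeral port, the stateful filter forwards that reply while still discarding the unsolicited packet to the same port, and the default-forward filter accepts everything that no rule names.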
Proxy Server
• A firewall proxy server is an application that acts as a mediator between
two end systems
• It operates at the application layer of the firewall, so it is also called an
application-layer firewall
• A proxy service should run for every Internet application the firewall
supports: a Simple Mail Transfer Protocol (SMTP) proxy for email, an HTTP
proxy for web services, etc.
• A proxy server is a one-way arrangement running from the internal network to
the outside network
• If an internal user wants to communicate with the internet, the packets making
up that request are processed through the HTTP proxy server before being
forwarded to the outside network
• Packets returned from the outside network are in turn processed through the
HTTP proxy server before being forwarded back to the internal user's host
• An internal client/host that wants to use the Internet must create a virtual
circuit with the proxy server and send a request to connect to a specific
site/host
• The proxy server then changes the IP of the request so that the internet or the
outside world can see only the IP of the proxy server
• In this way the proxy server hides the internal network behind it. When the
proxy server receives data from the internet, it sends the data back to the
original internal user via the virtual circuit only
Hybrid Firewall
• When one or more firewall programs are combined, the result is a hybrid
firewall
• A hybrid firewall system may actually consist of two separate firewall
devices. Each is a separate firewall system, but they are connected so that
they work together.
• It connects two or more firewall types together to provide more security
• Example: A hybrid firewall system might include a packet filtering firewall
that is set up to screen all acceptable requests and then pass the requests to a
proxy server, which in turn requests services from a web server deep inside
the organization's network
• These types of firewalls are used by government agencies and large
corporations
Application Level Gateway
• An application gateway, also called a proxy server, acts as a relay for
application-level traffic
Application Gateways working
• An internal user contacts the application gateway using a TCP/IP application
such as HTTP or TELNET
• The application gateway asks the user for the remote host with which the user
wants to set up a connection for the actual communication. The application
gateway also asks for the user ID and password required to access the services
of the application gateway
• The user provides a valid user ID and authentication information
• The application gateway now accesses the remote host on behalf of the user,
passes the user's packets to the remote host, and relays TCP segments
containing the application data between the two end points
• If the gateway does not implement the proxy code for a specific application,
that service is not supported and cannot be forwarded across the firewall
• Generally, the application gateway acts as a proxy for the actual end user and
delivers packets from the user to the remote host and vice versa
Advantages & Disadvantages
• Advantages :
• Application-level gateways are more secure than packet filters
• They only need to scrutinize a few allowable applications
• It is easy to log and audit all incoming traffic at the application level

• Disadvantages :
• There is additional overhead per connection, because there are two separate
connections:
• One between the end user and the application gateway, and another between
the application gateway and the remote host
• The application gateway has to manage these two sets of connections and
the traffic going between them
Circuit-Level Gateway
• A circuit-level gateway can be a stand-alone system or a specialized function
performed by an application-level gateway for certain applications
• A circuit-level gateway does not permit an end-to-end TCP connection; rather,
the gateway sets up two TCP connections:
1. One between itself and a TCP user on an inner host
2. One between itself and a TCP user on an outside host
Circuit-Level Gateway
• Once the two connections are established, the gateway typically relays TCP
segments from one connection to the other without examining the contents
• The security function consists of determining which connections will be
allowed
• A typical use of a circuit-level gateway is a situation in which the system
administrator trusts the internal users
• The gateway can be configured to support application-level or proxy service
on inbound connections and circuit-level functions for outbound connections
• In this case the gateway incurs the processing overhead of examining incoming
application data for prohibited functions but does not incur that overhead on
outgoing data
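The difference between the application-level gateway of the previous section (authenticate the user, refuse applications it has no proxy code for, inspect every message) and the circuit-level gateway (decide whether the connection is allowed, then copy segments across blindly) is shown in the following added example. It is not code from the original slides; the user database, the per-application inspection policies and the messages are constructed assumptions.

```python
# Added example (not from the original slides): a simulation of how an
# application-level gateway and a circuit-level gateway relay one session.
# Credentials, host names, messages and the per-application policies are
# constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class RelayResult:
    status: str                  # "relayed", "auth-failed", "unsupported" or "denied"
    connections: int = 0         # TCP connections the gateway has to manage for this session
    forwarded: list = field(default_factory=list)
    blocked: list = field(default_factory=list)


def http_proxy_code(message: str) -> bool:
    """Constructed HTTP proxy policy: relay only plain page fetches."""
    return message.split(" ", 1)[0] in ("GET", "HEAD")


def telnet_proxy_code(message: str) -> bool:
    """Constructed TELNET proxy policy: relay everything except a shutdown command."""
    return not message.strip().startswith("shutdown")


class ApplicationGateway:
    """Relays application-level traffic only for applications it has proxy code
    for, after authenticating the user; each session costs two connections."""

    def __init__(self, credentials: dict, proxy_code: dict):
        self.credentials = credentials      # user id -> password (constructed)
        self.proxy_code = proxy_code        # application name -> inspection function

    def relay(self, user: str, password: str, remote_host: str,
              application: str, messages: list) -> RelayResult:
        if self.credentials.get(user) != password:
            return RelayResult("auth-failed")
        inspect = self.proxy_code.get(application)
        if inspect is None:
            # No proxy code for this application: the service cannot cross the firewall
            return RelayResult("unsupported")
        result = RelayResult("relayed", connections=2)
        for msg in messages:                # one connection to the user, one to remote_host
            (result.forwarded if inspect(msg) else result.blocked).append(msg)
        return result


class CircuitLevelGateway:
    """Decides only whether the connection is allowed; once both TCP connections
    exist it copies segments across without examining them."""

    def __init__(self, allowed_outside_hosts):
        self.allowed = set(allowed_outside_hosts)

    def relay(self, inner_host: str, outside_host: str, segments: list) -> RelayResult:
        if outside_host not in self.allowed:
            return RelayResult("denied")
        return RelayResult("relayed", connections=2, forwarded=list(segments))


if __name__ == "__main__":
    app_gw = ApplicationGateway({"alice": "s3cret"},
                                {"http": http_proxy_code, "telnet": telnet_proxy_code})
    circuit_gw = CircuitLevelGateway(["web.example"])
    msgs = ["GET /index.html HTTP/1.0", "TRACE / HTTP/1.0"]
    print(app_gw.relay("alice", "s3cret", "web.example", "http", msgs))
    print(circuit_gw.relay("10.0.0.7", "web.example", msgs))
```

With the same two messages, the application gateway forwards the GET and blocks the TRACE because its HTTP proxy code inspects each request, while the circuit-level gateway forwards both unchanged because, once the destination is allowed, it never looks at the content; this is the overhead-versus-inspection trade-off the slides describe for inbound versus outbound handling.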
Firewall Configuration
• A firewall is usually a combination of a packet filter and an application
gateway. Based on this, there are three possible configurations of firewalls,
as follows:
1. Screened host firewall, single-homed bastion
2. Screened host firewall, dual-homed bastion
3. Screened subnet firewall
Screened Host Firewall, Single-homed bastion
• In this configuration, the firewall setup consists of two parts:
1. A packet filtering router
2. An application gateway
• The packet filtering router ensures that incoming traffic is allowed only if it
is destined for the application gateway, by examining the destination address
field of each incoming IP packet
• Similarly, it also ensures that outgoing traffic is allowed only if it
originates from the application gateway, by examining the source address
field of every outgoing IP packet
• The application gateway performs authentication and proxy functions
Advantages & Disadvantages
• Advantages :
• This configuration increases the security of the network by performing checks
at both levels: packet level and application level
• It provides more flexibility to the network administrator to define more
security policies

• Disadvantages :
• The internal users are connected to the application gateway as well as to
the packet filter. Therefore, if the packet filter is somehow successfully
attacked and its security compromised, the whole internal network is
exposed to the attacker
Screened Host Firewall, Dual-homed bastion
• To overcome the drawbacks of the screened host firewall, single-homed
bastion configuration, another configuration called the screened host
firewall, dual-homed bastion exists
• Here, direct connections between the internal hosts and the packet filter are
avoided.
• Instead, the packet filter connects only to the application gateway, which in
turn has a separate connection with the internal hosts. Therefore, even if the
packet filter is successfully attacked, only the application gateway is visible
to the attacker
• The internal hosts are protected, as shown in the figure above
Screened Subnet Firewall
• The screened subnet firewall offers the highest security among the possible
firewall configurations
• Here two packet filters are used, one between the Internet and the
application gateway as before, and another between the application gateway
and the internal network.
Demilitarized Zone
DMZ
• A DMZ is a computer host or small network inserted as a neutral zone between
a company's private network and the outside public network.
• It prevents outside users from getting direct access to a server that holds
company data.
• A DMZ is an optional and more secure approach to a firewall, and it
effectively acts as a proxy server
• In a typical DMZ configuration for a small company, a separate computer
receives requests from users within the private network for access to web
sites or other companies accessible on the public network
• The DMZ host then initiates sessions for these requests on the public network
• However, the DMZ host is not able to initiate a session back into the private
network
• It can only forward packets that have been requested by an internal host
• Users of the public network outside the company can access only the DMZ
host
Limitations of Firewall
• The firewall cannot protect against attacks that bypass the firewall
• The firewall does not protect against internal threats
• A firewall cannot protect the internal network from virus threats. This is
because a firewall cannot be expected to scan every incoming file or packet
for possible virus content
• If a firewall is installed incorrectly, it can prevent users from accessing
information on the internet
Part - II
Intrusion Detection System
• Host based Intrusion Detection System
• Network based Intrusion Detection System
• Honeypots
Intrusion Detection System
• Intrusion detection is the process of monitoring the events occurring in a
computer system or network and analyzing them for possible incidents, which
are threats to computer security.
• An Intrusion Detection System (IDS) is a device or software application that
monitors network or system activities for malicious activity and produces
reports to a management station.
• An Intrusion Detection System keeps watch on the activities going on around
it and tries to identify unwanted activity.
Intrusion Detection system
• IDSs are typically divided into two main categories, depending on how
they monitor activity:
1. Host-based IDS:
• Examines activity on an individual system, such as a mail server, web
server, or individual PC. It is concerned only with an individual system and
usually has no visibility into the activity on the network or systems around
it.

2. Network-based IDS:
• Examines activity on the network itself. It has visibility only into the traffic
crossing the network link it is monitoring and typically has no idea of what
is happening on individual systems.
Intrusion Detection System (IDS)
Components of IDS
• An intrusion detection system has the following logical components
1. Traffic Collector (or sensor):
• This component collects activity/events for the IDS to examine.
• On host-based IDS, this could be log files, audit logs, or traffic coming to
or leaving a specific system.
• On a network-based IDS, this is typically a mechanism for copying traffic
off the network link, basically functioning as a sniffer. This component is
often referred to as a sensor.

2. Analysis engine :
• This component examines the collected network traffic and compares it
to known patterns of suspicious or malicious activity stored in the
signature database. The analysis engine is the "brains" of the IDS.
Components of IDS
3. Signature database:
• The signature database is a collection of patterns and definitions of known
suspicious or malicious activity.

4. User interface and reporting:


• This component interfaces with the human element, providing alerts
when appropriate and giving the user a means to interact with and
operate the IDS.
• Most IDSs can be tuned to fit a particular environment. Certain signatures
can be turned off, telling the IDS not to look for certain types of traffic.
HIDS
• A HIDS is host-based and designed to examine activity only on a specific host.
• A host-based IDS (HIDS) examines log files, audit trails, and network traffic
coming in to or leaving a specific host.
• HIDS can operate in real time, looking for activity as it occurs, or in batch
mode, looking for activity on a periodic basis.
• Host-based systems are typically self-contained, but many of the newer
commercial products have been designed to report to and be managed by
a central system.
• Host-based systems also take local system resources to operate. In other
words, a HIDS will use up some of the memory and CPU cycles of the
system it is protecting.
• Early versions of HIDS ran in batch mode, looking for suspicious activity on
an hourly or daily basis, and typically looked only for specific events in the
system's log files.
HIDS
• Most HIDS focus on the log files or audit trails generated by the local
operating system.
• On UNIX systems, the examined logs usually include those created by
syslog such as messages, kernel logs, and error logs.
• On Windows systems, the examined logs are typically the three event logs:
Application, System, and Security.
• Some HIDS can cover specific applications, such as FTP or web services, by
examining the logs produced by those specific applications or examining
the traffic from the services themselves.
HIDS
• Within the log files, the HIDS is looking for certain activities that typify
hostile actions or misuse, such as the following:
• Logins at odd hours
• Login authentication failures
• Additions of new user accounts
• Modification or access of critical system files
• Modification or removal of binary files (executables)
• Starting or stopping processes
• Privilege escalation
• Use of certain programs
Components of HIDS
1. Traffic Collector :
• This component pulls data from the information the local system has already
generated, such as error messages, log files and system files.
• The traffic collector is responsible for reading those files, selecting which
items are of interest and forwarding them to the analysis engine
• The traffic collector also examines specific attributes of critical files,
such as file size, date modified and checksum

2. Analysis Engine : The analysis engine is perhaps the most important
component of the IDS, as it must decide what activity is "okay" and what
activity is "bad."
• The analysis engine is a sophisticated decision and pattern-matching
mechanism: it looks at the information provided by the traffic collector and
tries to match it against known patterns of activity stored in the signature
database.
• If the activity matches a known pattern, the analysis engine can react,
usually by issuing an alert or alarm.
• An analysis engine may also be capable of remembering how the activity it
is looking at right now compares to traffic it has already seen or may see in
the near future so that it can match more complicated, multistep
malicious activity patterns.
• An analysis engine must also be capable of examining traffic patterns as
quickly as possible, as the longer it takes to match a malicious pattern the
less time the IDS or human operator has to react to malicious traffic.
3. Signature database :
The signature database is a collection of predefined activity patterns that
have already been identified and categorized: patterns that typically
indicate suspicious or malicious activity.
• When the analysis engine has a traffic pattern to examine, it will compare
that pattern to the appropriate signatures in the database.

4. User Interface :
• The user interface is the visible component of the IDS: the part that
humans interact with.
• The user interface varies widely depending on the product and vendor and
could be anything from a detailed GUI to a simple command line.
• The interface is provided to allow the user to interact with the system:
changing parameters, receiving alarms, tuning signatures and response
patterns, and so on.
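The activities a HIDS looks for in log files (odd-hour logins, authentication failures, new accounts) and the traffic collector's checks on critical-file attributes (size, date modified, checksum) are put together in the following added example, which is not code from the original slides. The syslog-style lines, the file paths and contents, the thresholds and the alert names are all constructed assumptions; the regular expressions follow the common OpenSSH log wording but are written here only for these sample lines.

```python
# Added example (not from the original slides): a miniature host-based IDS.
# The traffic collector reads syslog-style lines and critical-file attributes,
# the analysis engine matches them against a small signature set, and the
# alerts are returned as tuples. Log lines, paths, contents and thresholds
# are constructed for illustration.
import hashlib
import re
from collections import Counter

# Constructed auth log: three failures from one source, a login at 02:15,
# a new account, and a normal daytime login.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:07 host1 sshd[2101]: Failed password for root from 198.51.100.23 port 50122 ssh2
Mar  3 02:14:09 host1 sshd[2101]: Failed password for root from 198.51.100.23 port 50122 ssh2
Mar  3 02:14:12 host1 sshd[2101]: Failed password for root from 198.51.100.23 port 50122 ssh2
Mar  3 02:15:01 host1 sshd[2150]: Accepted password for alice from 198.51.100.23 port 50130 ssh2
Mar  3 02:16:40 host1 useradd[2199]: new user: name=backup2, UID=1007, GID=1007, home=/home/backup2
Mar  3 09:30:11 host1 sshd[3001]: Accepted publickey for bob from 10.0.0.12 port 41000 ssh2
"""

SYSLOG_RE = re.compile(
    r"^(\w{3})\s+(\d+)\s+(\d{2}):(\d{2}):(\d{2})\s+(\S+)\s+(\S+?)(?:\[(\d+)\])?:\s+(.*)$")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
NEW_USER_RE = re.compile(r"new user: name=(\w+)")


def parse_line(line: str):
    """Traffic collector: split one syslog line into the fields the engine needs."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"hour": int(m.group(3)), "program": m.group(7), "message": m.group(9)}


def analyze_log(text: str, failure_threshold: int = 3, odd_hours=range(0, 6)) -> list:
    """Analysis engine: return alerts as tuples, in the order they are detected."""
    alerts = []
    failures = Counter()                    # source address -> failed logins seen
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["message"]
        m = FAILED_RE.search(msg)
        if m:
            failures[m.group(2)] += 1
            if failures[m.group(2)] == failure_threshold:   # alert once per source
                alerts.append(("auth-failures", m.group(2), failure_threshold))
            continue
        m = ACCEPTED_RE.search(msg)
        if m and rec["hour"] in odd_hours:
            alerts.append(("odd-hour-login", m.group(1), rec["hour"]))
            continue
        m = NEW_USER_RE.search(msg)
        if m:
            alerts.append(("new-account", m.group(1)))
    return alerts


def fingerprint(content: bytes, mtime: str) -> dict:
    """Attributes the traffic collector records for one critical file."""
    return {"size": len(content), "mtime": mtime,
            "sha256": hashlib.sha256(content).hexdigest()}


def check_critical_files(baseline: dict, current: dict) -> list:
    """Compare stored fingerprints with freshly collected ones, path by path."""
    findings = []
    for path, base in baseline.items():
        cur = current.get(path)
        if cur is None:
            findings.append((path, "missing"))
        elif cur["sha256"] != base["sha256"]:
            findings.append((path, "content-modified"))
        elif (cur["size"], cur["mtime"]) != (base["size"], base["mtime"]):
            findings.append((path, "attributes-changed"))
    return findings


# Constructed snapshots: the account file gained a line, the binary is unchanged.
BASELINE = {
    "/etc/passwd": fingerprint(b"root:x:0:0:root:/root:/bin/bash\n", "2024-03-01T10:00:00"),
    "/bin/ls": fingerprint(b"\x7fELF-sample-binary", "2024-01-15T08:00:00"),
}
CURRENT = {
    "/etc/passwd": fingerprint(
        b"root:x:0:0:root:/root:/bin/bash\nbackup2:x:1007:1007::/home/backup2:/bin/sh\n",
        "2024-03-03T02:16:40"),
    "/bin/ls": fingerprint(b"\x7fELF-sample-binary", "2024-01-15T08:00:00"),
}

if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_AUTH_LOG) + check_critical_files(BASELINE, CURRENT):
        print(alert)
```

The log pass raises one alert per signature rather than one per matching line (the failure counter fires exactly when the threshold is reached), and the file check reports a content change only when the hash differs, falling back to size or modification time for attribute-only changes; both are the kinds of tuning decisions the slides mention when they say an IDS is adjusted to its environment.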
Advantages & Disadvantages
• Advantages :
• Operating system specific, with more detailed signatures
• Can examine data after it has been decrypted
• Very application specific
• Can determine whether or not an alarm may impact that specific system

• Disadvantages :
• Requires a process on every system to be watched
• High cost of ownership and maintenance
• Uses local system resources
• Very focused view and cannot relate to activity around it
• If logged locally, could be compromised or disabled
Network based Intrusion detection system
• A network-based intrusion detection system focuses on network traffic: the
bits and bytes traveling along the cables and wires that interconnect the
systems
• A network-based intrusion detection system must examine the network traffic
as it passes by and be able to analyze traffic according to protocol, type,
amount, source, destination, content, etc.
• The network-based intrusion detection system looks for activities such as
the following:
• Denial of service attack
• Port scans or sweeps
• Malicious content in the data payload of a packet
• Vulnerability scanning
• Trojans, Viruses or worms
• Tunneling
• Brute force attack
Components of Network based Intrusion detection system (NIDS)
1. Traffic Collector :
• The traffic collector reads every packet that passes through or within the
network to which it is connected
• The traffic collector logically attaches itself to a network interface card
and directs the NIC to receive every packet and forward it to the analysis
engine

2. Analysis Engine :
• The network analysis engine is capable of collecting packets and examining
them individually and, if necessary, reassembling an entire traffic session
• The network-based analysis engine must also be able to keep up with the flow
of traffic on the network, recreating network sessions and matching patterns
in real time
3. Signature Database :
• This component is a collection of patterns & definitions of known
suspicious or malicious activity

4. User Interface :
• This is the visible component of the IDS; it interfaces with the human
element, providing alerts whenever required and giving the user a means to
interact with and operate the IDS
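Two of the activities listed above (port scans or sweeps, and malicious content in a packet payload) together with the analysis engine's need to reassemble a session are shown in the following added example, which is not code from the original slides. The packet records stand in for the traffic collector's capture, and the addresses, ports, payloads, signature and thresholds are constructed assumptions; a real sensor would additionally have to handle retransmissions, overlapping segments and far higher volumes.

```python
# Added example (not from the original slides): a miniature network-based IDS.
# A list of packet records stands in for the traffic collector; the analysis
# engine looks for port sweeps and for signature bytes in payloads, and it
# reassembles a flow in sequence-number order so that a pattern split across
# two segments is still found. All addresses, ports and payloads are constructed.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float        # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    seq: int         # TCP sequence number of the first payload byte
    payload: bytes


# Constructed signature database: (name, byte pattern).
SIGNATURES = [("sensitive-file-request", b"/etc/passwd")]

# Constructed capture: one source probing five ports on 10.0.0.5, a web request
# whose path is split across two segments that arrive out of order, and a
# normal request from an internal host.
SAMPLE_CAPTURE = [
    Pkt(0.0, "198.51.100.7", 50001, "10.0.0.5", 21, 1, b""),
    Pkt(0.5, "198.51.100.7", 50002, "10.0.0.5", 22, 1, b""),
    Pkt(1.0, "198.51.100.7", 50003, "10.0.0.5", 23, 1, b""),
    Pkt(1.5, "198.51.100.7", 50004, "10.0.0.5", 25, 1, b""),
    Pkt(2.0, "198.51.100.7", 50005, "10.0.0.5", 80, 1, b""),
    Pkt(5.0, "203.0.113.8", 40000, "10.0.0.5", 80, 16, b"passwd HTTP/1.0\r\n"),
    Pkt(5.1, "203.0.113.8", 40000, "10.0.0.5", 80, 1, b"GET /../../etc/"),
    Pkt(6.0, "10.0.0.12", 41000, "10.0.0.5", 80, 1, b"GET /index.html HTTP/1.0\r\n"),
]


def detect_port_scans(packets, window: float = 10.0, threshold: int = 5) -> list:
    """Alert once per source that touches `threshold` distinct destination
    ports within any `window` seconds (a port scan or sweep)."""
    recent = defaultdict(deque)      # src -> deque of (ts, dport) inside the window
    alerted = set()
    alerts = []
    for p in sorted(packets, key=lambda x: x.ts):
        dq = recent[p.src]
        dq.append((p.ts, p.dport))
        while p.ts - dq[0][0] > window:     # drop entries older than the window
            dq.popleft()
        distinct = {dport for _, dport in dq}
        if len(distinct) >= threshold and p.src not in alerted:
            alerted.add(p.src)
            alerts.append(("port-scan", p.src, len(distinct)))
    return alerts


def reassemble_sessions(packets) -> dict:
    """Group packets by flow and join payloads in sequence-number order."""
    flows = defaultdict(list)
    for p in packets:
        flows[(p.src, p.sport, p.dst, p.dport)].append(p)
    return {flow: b"".join(p.payload for p in sorted(pkts, key=lambda x: x.seq))
            for flow, pkts in flows.items()}


def match_signatures(packets, reassemble: bool = True) -> list:
    """Return (signature, src, dst) for each match. With reassemble=False only
    single packets are inspected, so a pattern split across segments is missed."""
    if reassemble:
        streams = [(flow[0], flow[2], data)
                   for flow, data in reassemble_sessions(packets).items()]
    else:
        streams = [(p.src, p.dst, p.payload) for p in packets]
    alerts = []
    for src, dst, data in streams:
        for name, pattern in SIGNATURES:
            if pattern in data:
                alerts.append((name, src, dst))
    return alerts


if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_CAPTURE))
    print("per packet:  ", match_signatures(SAMPLE_CAPTURE, reassemble=False))
    print("reassembled: ", match_signatures(SAMPLE_CAPTURE))
```

The per-packet pass finds nothing because neither segment on its own contains the signature; only after the flow is reassembled (ordered by sequence number, not by arrival time) does the pattern appear, which is why the slides stress that the analysis engine must be able to recreate sessions and still keep up with the traffic.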
Advantages & Disadvantages
• Advantages :
• Provides IDS coverage using fewer systems
• Lower cost for deployment, maintenance and upgrades
• Has visibility into all network traffic and can correlate attacks among
multiple systems

• Disadvantages :
• Ineffective when traffic is encrypted
• Cannot see traffic which does not pass it
• Must handle a high volume of traffic
• Does not know the activity on the host
Honeypots
• Honeypots are the current innovation in intrusion detection technology
• A honeypot is a computer system on the Internet which is specifically set up
to attract and trap people who are attempting to penetrate other critical
systems
• Honeypots are trap systems created to lure possible attackers away from
critical systems
• Honeypots are designed to :
i) Distract an attacker from accessing critical systems
ii) Gather information about the attacker's activity
iii) Motivate an attacker to stay on the system for a long time, so that
administrators get enough time to respond
• These systems are loaded with fake information designed to look valuable but
not accessed by legitimate users
Honeypots
• The system is loaded with sensitive monitors and event loggers that spot
these accesses and gather information about the activities of attackers
• There are two different kinds of honeypots, as follows:
1. Production Honeypots :
Used by companies and corporations for the purpose of researching the aims
of hackers as well as diverting and mitigating the risk of attacks on the
overall network
2. Research Honeypots :
Used by non-profit organizations and educational institutions for the sole
purpose of researching the motives and tactics of the hacker community in
targeting different networks
Honeypots
• Any attack on a honeypot seems to be successful, because administrators
have sufficient time to organize, record and track the attackers without ever
exposing the production system
• Initial efforts involved a single honeypot computer with IP addresses
designed to attract hackers
• Once hackers are inside the network, administrators can observe their
behavior in detail and figure out the defenses.
• Overall, honeypots are considered an effective method to track hacker
behavior and heighten the effectiveness of computer security tools
Advantages & Disadvantages
• Advantages :
• Attackers can be diverted to targets that they cannot damage
• Administrators have time to decide how to respond to an attacker
• Attackers' actions can be easily and more extensively monitored, and the
records can be used to refine threat models and improve system protections
• Honeypots may be effective at catching insiders who are snooping around
a network

• Disadvantages :
• Honeypots have not yet been shown to be generally useful security
technologies
• An expert attacker, once diverted into a trap system, may become angry and
launch a more hostile attack against an organization's systems
