Module 04
Network Security
Elements of Network Security
Network Security ensures that data communicated over a network remains protected from
unauthorized access, modification, and misuse. It mainly focuses on protecting
information and verifying the identity of communicating users.
1. Confidentiality
Confidentiality means only authorized users should be able to access the information.
Key Points
Prevents unauthorized access.
Data is kept secret from intruders.
Achieved using encryption.
Ensures private communication between sender and receiver.
2. Authenticity and Integrity
This ensures that:
The sender is genuine (Authenticity)
The message is not altered during transmission (Integrity)
Key Points
Protects from message modification, insertion, and replay attacks.
Achieved using digital signatures, MAC, hashing.
Ensures the receiver knows who sent the message and that it is untampered.
Illustration of Security Problems
(a) Message Falsification
Intruder changes the message and pretends to be the sender.
(b) Applying Security Using Key
A secret key is used to prevent modification.
Friends and Enemies Model: Alice, Bob, Trudy
This is a famous security example used to explain attacks.
Alice and Bob
Legitimate communicating users.
Want to exchange data securely.
Trudy
The intruder/attacker.
Can intercept, delete, modify, and inject messages.
Categories of Attacks
Network attacks target the network infrastructure and end systems. Major categories include:
1. DNS Hacking
The attacker manipulates the Domain Name System (DNS) so that users are redirected to
malicious websites.
2. Routing Table Poisoning
Attackers modify routing tables to misroute traffic, drop packets, or create loops.
3. Packet Mistreatment
Packets may be delayed, dropped, modified, or misrouted intentionally by an intruder.
4. Denial of Service (DoS)
The attacker floods a server/network with excessive requests, making the service unavailable
to legitimate users.
DNS Hacking:
DNS Hacking is a major threat to network security because DNS is responsible for mapping
domain names to IP addresses. Any modification in DNS information can completely change
the destination of user traffic. DNS Hacking happens when an attacker alters DNS entries,
redirects traffic, steals confidential information, or impersonates legitimate websites. This
leads to loss of authenticity and integrity.
DNS hacking mainly occurs in the following forms:
1. Information-level Attack – The attacker uses cache poisoning to force DNS servers
to store and respond with incorrect IP addresses, redirecting users to fake sites.
2. Masquerade Attack – The attacker pretends to be a trusted server, intercepts
communication, and steals sensitive information.
3. Information Leakage Attack – The attacker queries all hosts, identifies unused IP
addresses, and later uses them for spoofing or attacks.
4. Domain Hijacking Attack – The attacker compromises domain registration details
and replaces the original nameserver with a malicious one, forcing the user to visit
attacker-controlled websites.
DNS hacking compromises user security, privacy, and trust in online services, making it one
of the most severe network-level attacks.
Routing Table Poisoning Attacks:
Routing Table Poisoning is a type of network attack in which an intruder modifies the routing
information exchanged between routers. It causes routers to build incorrect routing tables,
which results in misrouting, dropping, or interception of packets. This attack is usually
performed by altering routing update packets.
There are two main types of routing table poisoning attacks:
1. Link Attack – The attacker gains access to a communication link between routers and
intercepts or modifies routing messages. It affects both link-state and distance-vector
protocols. The attacker may send false updates or suppress genuine updates, causing
routers to store incorrect neighbour information.
2. Router Attack – In this attack, the router itself is compromised and becomes
malicious. In link-state protocols, a malicious router may add fake links, remove
existing links, or change link costs. In distance-vector protocols, the attacker sends
wrong distance vectors about nodes, misleading routers and creating routing loops or
network disruptions.
Routing table poisoning attacks degrade routing efficiency and compromise the reliability of
the entire network.
Packet Mistreatment Attacks:
Packet Mistreatment Attacks are performed by intruders who interfere with the normal
handling of data packets in a network. These attacks are categorized into link attacks and
router attacks. In a link attack, the attacker intercepts, modifies, or replicates packets on the
link. In a router attack, the attacker compromises a router and misroutes packets, causing
congestion and denial of service.
Examples of packet mistreatment attacks include:
1. Interruption – Packets are intercepted and dropped, reducing network throughput.
2. Modification – Attackers change packet contents, such as addresses or data.
3. Replication – Attackers replay trapped packets, which can overload receivers.
4. Ping of Death – Sending oversized ping messages that, when reassembled, cause
system crashes.
5. Malicious Misrouting – Attacker changes routing tables to misroute packets, leading
to DoS.
Packet mistreatment attacks affect network performance, reliability, and security.
Denial of Service (DoS):
A Denial of Service (DoS) attack is a network attack in which a legitimate user is prevented
from accessing a normally available service. It does not result in theft or loss of information,
but it makes the service unavailable by overloading the target with traffic. DoS attacks affect
the destination server and are easy to initiate but difficult to detect.
There are two types of DoS attacks. In a single-source DoS, one system sends a large number
of packets to overwhelm the target. In a Distributed DoS (DDoS) attack, multiple
compromised systems collectively flood the target with unwanted traffic, making it extremely
difficult to block or trace. DDoS attacks are faster and more powerful because they originate
from many different machines using botnets.
DoS attacks include Ping of Death, SYN Flood, Teardrop, and other volume-based or
fragmentation-based techniques. These attacks severely degrade network performance and
may completely deny access to legitimate users.
Feature      | DoS                                      | DDoS
Source       | Single computer/IP                       | Multiple systems across the internet
Tools Used   | Simple scripts, LOIC, manual triggers    | Botnets, malware-infected devices
Speed        | Slower                                   | Much faster, high volume
Blocking     | Easier to block                          | Harder to block due to many sources
Traceability | Easy to trace source                     | Hard to trace (attackers hide behind compromised systems)
Attack Types | Ping of Death, Teardrop, Buffer Overflow | Volumetric, Fragmentation, Application-layer attacks
Cryptographic Techniques
Cryptography is a major security method used to protect data from unauthorized access.
Historically, it was used to protect national secrets, military strategies, and confidential
communications.
Definition of Cryptography
Cryptography is the process of transforming a message into coded form to protect it from
unauthorized access.
It scrambles the message before transmission so that outside watchers cannot understand it.
Basic Terms in Cryptography
Plaintext: Original readable message.
Ciphertext: Scrambled/encoded message after encryption.
Encryption: Process of converting plaintext to ciphertext.
Decryption: Process of converting ciphertext back to plaintext.
Cipher: The algorithm used for encryption and decryption.
How Encryption Works (XOR Operation Example)
A simple encryption uses:
Message bit M
Secret key bit K
Encryption
Ciphertext = M ⊕ K
Decryption
(M ⊕ K) ⊕ K = M
Since XOR has the property:
0⊕0=0
0⊕1=1
1⊕0=1
1⊕1=0
Example (from slide)
Plaintext: 00110101
Secret Key: 11100011
Ciphertext (via XOR): 11010110
When decrypted again using XOR with the same key, plaintext is recovered.
End-to-End Encryption vs Link Encryption
End-to-End Encryption
Data is encrypted at the sender and decrypted only at the receiver.
Intermediate devices (routers, switches) cannot read data.
Provides full privacy.
Link Encryption
Each communication link has a separate encryption unit.
Data is decrypted and re-encrypted at each hop.
Protects data on each link, but intermediate nodes see plaintext.
Diagram Explanation
End-to-End: Encryption from Server A → Server B directly.
Link Encryption: Encryption between every router/hop.
Types of Cryptographic Models
There are two encryption models:
1. Secret-Key (Symmetric) Encryption
Same key is used for both encryption and decryption.
Sender and receiver must share the key.
Faster and used for large data.
Examples: AES-128, AES-192, AES-256.
Advantages
Efficient and fast.
Good for bulk data encryption.
Disadvantages
Key distribution problem (how to safely share the key).
If the key is leaked, security is broken.
2. Public-Key (Asymmetric) Encryption
Sender and receiver use different keys:
o Public key (shared openly)
o Private key (kept secret)
Provides higher security.
Used for digital signatures and secure key exchange.
Examples: RSA, DSA.
Advantages
No need to share secret key.
Very secure for authentication and privacy.
Disadvantages
Slower due to mathematical complexity.
Not suitable for large data.
Private Key vs Public Key – Short Exam Table
Feature     | Private Key (Symmetric)  | Public Key (Asymmetric)
Keys used   | One key shared by both   | Two keys: public + private
Speed       | Faster                   | Slower
Security    | Less secure (key shared) | More secure (key pairs)
Key sharing | Must be shared secretly  | Public key openly available
Usage       | Encrypting large data    | Authentication, key exchange
Examples    | AES, DES                 | RSA, DSA
Authentication Techniques
Authentication techniques are used to verify the authenticity of the sender and ensure that the
received message has not been modified. It protects the user against data falsification and
guarantees data integrity. Two commonly used authentication methods are message digest
and digital signature.
In message digest authentication, a hash function is applied to the message to produce a
digest. This digest is sent along with the message. The receiver computes the digest again
using the same hash function and compares it with the received digest. If both are identical,
the message is authentic and unchanged.
In digital signature authentication, the sender signs the message digest using a private key.
The receiver verifies this signature using the sender’s public key. Digital signatures provide
stronger security, ensuring authentication, integrity, and non-repudiation. They are widely
used in secure communication, electronic documents, and online transactions.
Thus, authentication techniques play a vital role in securing communication by verifying
sender identity and preserving message integrity.
Secret-Key Encryption Protocols
Secret-key encryption, also known as symmetric encryption, is an encryption method where
the same key is used for both encryption and decryption. It consists of an encryption
algorithm, a shared key, and a decryption algorithm. Popular secret-key algorithms include
DES and AES. The encrypted output is called ciphertext.
DES (Data Encryption Standard):
DES is a block cipher that encrypts 64-bit blocks of plaintext using a 56-bit effective key. The
DES algorithm performs an initial permutation, divides the message into left and right 32-bit
halves, and encrypts the data through 16 rounds. Each round involves key shifting, key
compression, expansion of the right half, XOR with the round key, substitution using S-
boxes, and permutation. The results are recombined and passed through a final permutation to
produce ciphertext. Decryption uses the same process but applies the keys in reverse order.
Although DES was once widely used, its 56-bit key is no longer considered secure. Triple
DES improves its strength by applying DES three times with three different keys, providing
168-bit security.
Weakness of DES
56-bit key is considered weak today due to brute-force attacks.
Cryptographers consider DES insecure for modern levels of security.
AES (Advanced Encryption Standard):
AES is a symmetric block cipher that encrypts data in fixed 128-bit blocks using key sizes of
128, 192, or 256 bits. It was introduced by NIST in 2000 as a replacement for DES due to its
stronger security and better performance.
AES organizes the 128-bit plaintext into a 4×4 byte matrix called the State. The encryption
process begins with an initial AddRoundKey step, followed by a series of rounds (10, 12, or
14 depending on key size). Each round transforms the State using well-defined operations.
AES rounds consist of four major stages:
1. SubBytes – A non-linear substitution step where each byte is replaced using an S-box.
2. ShiftRows – A transposition step where each row of the State matrix is cyclically
shifted left.
3. MixColumns – A mixing operation that combines bytes within each column to
provide diffusion. (This step is not used in the final round.)
4. AddRoundKey – The State is XORed with a round key generated from the key
expansion process.
AES uses a key expansion algorithm to derive multiple round keys from the original key.
These round keys are added in each round through XOR operations. Once all rounds are
completed, the final State matrix is converted into the 128-bit ciphertext.
Decryption in AES uses the same structure but applies the inverse steps: InvSubBytes,
InvShiftRows, InvMixColumns, and AddRoundKey, using the round keys in reverse order.
AES provides strong security because of its large key sizes, resistance to cryptanalysis, and
efficient implementation in both hardware and software. Today, AES is widely used in
applications such as VPNs, wireless security (WPA/WPA2), SSL/TLS, banking systems, and
secure storage.
Public-Key Encryption Protocols:
Public-key encryption, also called asymmetric encryption, uses two related keys: a public
key for encryption and a private key for decryption. These keys are mathematically linked,
but it is computationally infeasible to determine the private key from the public key. A system
generates a pair of keys, publishes the public key in a directory, and keeps the private key
secret.
If A wants to send a secure message to B, A encrypts it using B’s public key. Only B can
decrypt it using B’s private key, ensuring confidentiality. This method is used for secure key
exchange and authentication.
Public-key algorithms rely on mathematical functions rather than substitution/permutation.
Two popular protocols are RSA, where encryption is based on large-prime factorization, and
Diffie-Hellman, used for secure key exchange. Public-key encryption provides strong
security and avoids the need for prior key sharing, but is slower than symmetric methods.
RSA (Rivest–Shamir–Adleman):
RSA (Rivest–Shamir–Adleman) is the first practical public-key encryption algorithm.
It is widely used for secure data transmission and digital signatures.
RSA uses:
A public key for encryption
A private key for decryption
It is based on the mathematical difficulty of factoring very large prime numbers.
Phases of RSA Algorithm
RSA works in three major phases:
1. Key Generation
2. Encryption
3. Decryption
1. RSA Key Generation (Steps)
1. Choose two large prime numbers:
Let them be a and b.
2. Compute
o n = ab
o This n is used in both the public and the private key.
3. Compute Euler's Totient Function
φ(n) = (a − 1)(b − 1)
4. Choose encryption key x
o x must be relatively prime to φ(n)
o i.e., gcd(x, φ(n)) = 1
5. Find decryption key y
o y is the multiplicative inverse of x mod φ(n)
o i.e., xy mod φ(n) = 1
6. Public key = {x, n}
7. Private key = {y, n}
2. RSA Encryption
If the sender wants to send message m, where m < n:
c = m^x mod n
Where
x = public key exponent
n = public modulus
3. RSA Decryption
The receiver uses private key {y, n}:
m = c^y mod n
RSA EXAMPLE
Given:
Message m = 9,
Choose primes a = 3, b = 11
Step 1: Compute n
n = ab = 3 × 11 = 33
Step 2: Compute φ(n)
φ(n) = (a − 1)(b − 1) = 2 × 10 = 20
Step 3: Choose x
Choose x = 3, since gcd(3, 20) = 1
Step 4: Compute y
Find y such that:
3y mod 20 = 1
Solution: y = 7
Step 5: Keys
Public Key = {3, 33}
Private Key = {7, 33}
Step 6: Encryption
c = m^x mod n = 9^3 mod 33 = 729 mod 33 = 3
Step 7: Decryption
m = c^y mod n = 3^7 mod 33 = 2187 mod 33 = 9
✔ Original message is recovered.
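The key generation, encryption and decryption steps above, carried out in code. This is an added example, not part of the original notes; it uses the slide's values (a = 3, b = 11, x = 3, m = 9) and an extended Euclid routine to find y, which the notes state but do not show how to compute.

```python
# Added example (not from the original notes): textbook RSA key generation,
# encryption and decryption with the slide's values a=3, b=11, x=3, m=9.
# Textbook RSA with tiny primes and no padding is for illustration only.
from math import gcd


def egcd(p, q):
    """Extended Euclid: returns (g, s, t) with s*p + t*q = g = gcd(p, q)."""
    if q == 0:
        return p, 1, 0
    g, s, t = egcd(q, p % q)
    return g, t, s - (p // q) * t


def mod_inverse(x, phi):
    """Step 5: find y with x*y mod phi == 1 (the decryption exponent)."""
    g, s, _ = egcd(x, phi)
    if g != 1:
        raise ValueError("x must be relatively prime to phi(n)")
    return s % phi


def rsa_keygen(a, b, x):
    """Steps 1-7 of key generation; returns ((x, n), (y, n))."""
    n = a * b                      # step 2
    phi = (a - 1) * (b - 1)        # step 3
    if gcd(x, phi) != 1:           # step 4
        raise ValueError("gcd(x, phi(n)) must be 1")
    y = mod_inverse(x, phi)        # step 5
    return (x, n), (y, n)          # steps 6 and 7


def rsa_encrypt(m, public_key):
    """c = m^x mod n; the message must be smaller than the modulus."""
    x, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, x, n)


def rsa_decrypt(c, private_key):
    """m = c^y mod n."""
    y, n = private_key
    return pow(c, y, n)


def slide_example():
    """Reproduces the worked example: keys {3,33}/{7,33}, 9 -> 3 -> 9."""
    public_key, private_key = rsa_keygen(3, 11, 3)
    c = rsa_encrypt(9, public_key)
    m = rsa_decrypt(c, private_key)
    return public_key, private_key, c, m


if __name__ == "__main__":
    print(slide_example())   # ((3, 33), (7, 33), 3, 9)
```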
Diffie–Hellman Key-Exchange Protocol
Definition
The Diffie–Hellman (DH) protocol is a public-key exchange method that allows two users
to securely generate a shared secret key over an insecure communication channel without
sharing any secret information in advance.
Important Points
1. Enables shared secret without prior exchange
Two end users can agree on a shared secret key used for encryption/decryption.
2. Intruders cannot discover the key
Although attackers can see some values exchanged between users, they cannot compute the
secret key because of the difficulty of solving Discrete Logarithm Problem.
3. Used in VPNs
DH is widely used in Virtual Private Networks (VPNs), secure messaging, and SSL/TLS.
Working of Diffie–Hellman Protocol
Assume both users agree on two public values in advance:
• a → a prime number (public)
• g → generator (public)
These are not secret.
Steps of the Algorithm
Step 1: User 1 and User 2 select private keys
User 1 selects a secret number x₁
User 2 selects a secret number x₂
(These are kept private.)
Step 2: Users compute public values
User 1 computes:
y1 = g^x1 mod a
User 2 computes:
y2 = g^x2 mod a
Both y1 and y2 are sent openly on the network.
Step 3: Users compute the shared secret key
After exchanging public values:
User 1 computes key:
k1 = y2^x1 mod a
User 2 computes key:
k2 = y1^x2 mod a
Both keys are mathematically equal:
k1 = k2
Thus, a shared secret key is formed.
Why are the keys equal?
Because:
y2^x1 mod a = (g^x2)^x1 mod a = g^(x1·x2) mod a = (g^x1)^x2 mod a = y1^x2 mod a
Both compute the same value, forming the same shared key.
Example (Based on the image)
Let:
Prime P = 11
Generator G = 7
Alice chooses secret Xₐ = 6
Bob chooses secret Xᵦ = 9
Step 1: Compute public values
Alice:
Y_A = 7^6 mod 11 = 4
Bob:
Y_B = 7^9 mod 11 = 8
Step 2: Exchange Y values
Alice receives 8, Bob receives 4.
Step 3: Compute secret keys
Alice:
K = 8^6 mod 11 = 3
Bob:
K = 4^9 mod 11 = 3
Final Shared Secret Key = 3
Advantages
Secure key exchange without pre-shared keys
Computationally infeasible to break (Discrete Logarithm)
Used in many modern secure communication systems
Limitations
Vulnerable to Man-in-the-Middle (MITM) attack if authentication is not used
No encryption itself—only a key generation method
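The exchange described above, written as an added example (not part of the original notes). Each side's computation is kept in its own call so that only the public values Y cross the network; it reproduces the page's run (P = 11, G = 7, Xa = 6, Xb = 9) and adds a check, not in the notes, that the chosen G really generates the whole group mod P.

```python
# Added example (not from the original notes): Diffie-Hellman key agreement
# with the page's values P=11, G=7, Xa=6, Xb=9. Tiny parameters are for
# illustration; real deployments use large, standardised primes.


def public_value(g, p, secret):
    """Y = G^X mod P, the value a party sends openly over the network."""
    return pow(g, secret, p)


def shared_key(received_public, secret, p):
    """K = Y_other^X mod P, computed privately by each party."""
    return pow(received_public, secret, p)


def is_generator(g, p):
    """True if the powers of g mod p cover all of 1..p-1 (g has order p-1).

    A g of small order would leave only a few possible keys, so checking
    the generator is a sensible parameter-validation step (added here).
    """
    seen = set()
    value = 1
    for _ in range(p - 1):
        value = (value * g) % p
        seen.add(value)
    return len(seen) == p - 1


def diffie_hellman(p, g, x_a, x_b):
    """Run the full exchange; returns (Ya, Yb, Ka, Kb)."""
    y_a = public_value(g, p, x_a)   # Alice -> network -> Bob
    y_b = public_value(g, p, x_b)   # Bob   -> network -> Alice
    k_a = shared_key(y_b, x_a, p)   # Alice: Yb^Xa mod P
    k_b = shared_key(y_a, x_b, p)   # Bob:   Ya^Xb mod P
    assert k_a == k_b, "(G^Xb)^Xa and (G^Xa)^Xb must agree mod P"
    return y_a, y_b, k_a, k_b


if __name__ == "__main__":
    print(is_generator(7, 11))          # True
    print(diffie_hellman(11, 7, 6, 9))  # (4, 8, 3, 3)
```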
AUTHENTICATION
1. Authentication
Authentication is a security service that ensures:
The message received is from the correct sender.
The message has not been altered during transmission.
Authentication provides integrity + origin verification.
Authentication ensures that the message received is from the correct sender and has not been
altered during transmission.
Properties of Hash Function (used in authentication)
Unlike encryption algorithms, hash algorithms do not need to be reversible.
Given a message digest h(m), it is computationally infeasible to find the original
message m.
It is also computationally infeasible to find two different messages m1 and m2 such
that h(m1) = h(m2) (no collisions).
Message authentication can be implemented using two methods:
1. Hash + Encryption (Using shared key or public key)
2. Hash without Encryption (requires secret key sharing)
Message Authentication Methods
1. Hash + Encryption
Message is first hashed to produce a message digest.
Digest is then encrypted (using sender’s secret key or public key).
Receiver decrypts the digest and compares it with the locally computed hash.
If both match → message is authentic and unaltered.
2. Hash without Encryption
Both sender and receiver share a secret key.
Sender sends message + h(message).
Receiver computes hash locally and compares with received digest.
If they match → message is valid.
Common hash algorithms: MD5 and SHA (SHA-1, SHA-256).
SHA (Secure Hash Algorithm):
The Secure Hash Algorithm (SHA) is a widely used cryptographic hash function designed to
ensure data integrity and message authentication. SHA takes an input message of any length
and produces a fixed-size hash value (digest). It is a one-way function, meaning the original
message cannot be obtained from the hash. SHA was developed by NIST and is used in
digital signatures, authentication, and security protocols.
SHA-1, the first version, produces a 160-bit hash. It processes the input message in 512-bit
blocks, using padding and multiple rounds of computation to generate the final digest. The
algorithm uses five 32-bit registers (A, B, C, D, E) to maintain a 160-bit internal state.
The SHA process has three main steps:
1. Padding the Message
The message is padded to make its length congruent to 448 mod 512.
Padding begins with a single ‘1’ bit, followed by enough ‘0’ bits, and finally a 64-bit value
representing the original message length.
This ensures the final padded message length is a multiple of 512 bits.
2. Message Expansion
Each 512-bit block is divided into 16 words of 32 bits.
These 16 words are expanded into 80 words by repeatedly applying XOR operations and left-
rotation steps.
This expansion increases confusion and ensures that each part of the message affects the final
digest.
3. Processing the Message in 80 Steps
SHA processes each expanded block through 80 rounds, grouped into four stages of 20
rounds each.
In each round, a specific function Fi(A, B, C) is applied based on the round number,
combined with a constant value and the expanded message word.
The five registers (A–E) are updated every round using bitwise operations, left rotations, and
modular additions. After all 80 rounds, the values in the registers are added to the previous
hash value.
After all message blocks are processed, the final 160-bit hash is obtained by concatenating
the registers A, B, C, D, and E.
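The three steps above, implemented as a from-scratch SHA-1 and checked against Python's hashlib. This is an added example, not part of the original notes; the constants and initial register values are those of the SHA-1 standard.

```python
# Added example (not from the original notes): SHA-1 following the three steps
# described above (padding, expansion to 80 words, 80 rounds in four 20-round
# stages). For study only; SHA-1 is deprecated, use SHA-256 in real systems.
import hashlib
import struct

MASK = 0xFFFFFFFF


def rotl(x, n):
    """32-bit left rotation."""
    return ((x << n) | (x >> (32 - n))) & MASK


def pad_message(data: bytes) -> bytes:
    """Step 1: a '1' bit, '0' bits up to 448 mod 512, then the 64-bit length."""
    bit_len = len(data) * 8
    padded = data + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def expand_block(block: bytes):
    """Step 2: 16 big-endian 32-bit words -> 80 words via XOR and rotl(1)."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    return w


def sha1(data: bytes) -> str:
    """Step 3: 80 rounds per block over registers A..E; returns the hex digest."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    padded = pad_message(data)
    for off in range(0, len(padded), 64):
        w = expand_block(padded[off:off + 64])
        a, b, c, d, e = h
        for t in range(80):
            if t < 20:                      # stage 1: choose
                f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40:                    # stage 2: parity
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:                    # stage 3: majority
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:                           # stage 4: parity
                f, k = b ^ c ^ d, 0xCA62C1D6
            temp = (rotl(a, 5) + f + e + k + w[t]) & MASK
            a, b, c, d, e = temp, a, rotl(b, 30), c, d
        # add this block's registers to the previous hash value
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]
    return "".join(f"{x:08x}" for x in h)   # concatenate A, B, C, D, E


def matches_hashlib(data: bytes) -> bool:
    """Cross-check against the standard library implementation."""
    return sha1(data) == hashlib.sha1(data).hexdigest()


if __name__ == "__main__":
    print(sha1(b"abc"))            # a9993e364706816aba3e25717850c26c9cd0d89d
    print(matches_hashlib(b"a" * 200))   # True (multi-block input)
```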
Properties of SHA
Produces a fixed-length digest (160 bits for SHA-1, 256/384/512 bits for SHA-2
family).
One-way function — impossible to recover the message from the hash.
Collision-resistant — extremely hard to find two different messages with the same
digest.
Fast to compute and widely used for integrity checking.
Applications
SHA is used in:
Digital signatures
SSL/TLS security
Password protection
Blockchain
Message authentication codes (HMAC)
SHA ensures data integrity by generating a unique digest for any input. Even a single-bit
change in the message produces a completely different hash, making tampering easily
detectable.
Difference Between SHA and MD5
Feature              | MD5                                           | SHA (SHA-1)
Full Name            | Message Digest Algorithm 5                    | Secure Hash Algorithm
Digest Size          | 128 bits                                      | 160 bits
Security Level       | Weaker, collisions can be found               | Stronger than MD5, harder to break
Block Size           | Processes data in 512-bit blocks              | Also processes 512-bit blocks
Speed                | Faster but less secure                        | Slightly slower but more secure
Collision Resistance | Poor – collisions have been demonstrated      | Better, stronger resistance to collisions
Usage                | Checksums, file integrity (non-security uses) | Digital signatures, certificates, secure applications
Current Status       | Not recommended for security                  | SHA-1 also deprecated but still stronger than MD5; SHA-256 widely used
Digital Signature
Digital signature ensures authentication, integrity, and non-repudiation of a message.
Features
Required for verifying the identity of the right sender.
Must be unique to the individual, just like a handwritten signature.
More complex than paper-based signatures.
How Digital Signature Works
Technical authentication is done using cryptography.
RSA algorithm is commonly used for digital signatures.
In digital signing:
o Sender encrypts the message or the hash of the message using sender’s
private key.
o The encrypted message/hash is the digital signature.
At the receiver side:
o Receiver uses sender’s public key to decrypt it.
o If decryption is successful → message is truly from the sender.
o This proves the sender’s authenticity and message integrity.
Why Digital Signature is Important
Prevents impersonation.
Ensures the message comes from the actual sender.
Provides legal validity in secure transactions.
In Simple Words
Authentication = Verify sender + message integrity using hash functions.
Digital Signature = Encrypting the hash/message with the sender’s private key to
prove identity.
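The two message authentication methods (hash with a shared secret, and a digital signature made by signing the hash with the sender's private key) side by side, as an added example that is not part of the original notes. The shared-key method is done as HMAC-SHA256; the signature is textbook RSA over a SHA-256 digest with a constructed toy key pair (primes 1000003 and 1000033, x = 65537); reducing the digest mod n and omitting padding is only so the toy key can sign it, real systems use full-size keys and a scheme such as RSA-PSS.

```python
# Added example (not from the original notes): hash-with-shared-key (HMAC)
# versus a digital signature (private-key signing of the hash), showing what
# each does and does not prove. Toy RSA parameters are constructed here.
import hashlib
import hmac

P, Q = 1000003, 1000033                 # constructed toy primes (too small for real use)
N = P * Q
PHI = (P - 1) * (Q - 1)
TOY_PUBLIC = (65537, N)                 # {x, n}
TOY_PRIVATE = (pow(65537, -1, PHI), N)  # {y, n}: y = x^-1 mod phi(n)


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Sender: digest over the message and the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver recomputes the digest and compares in constant time."""
    return hmac.compare_digest(mac_tag(key, message), tag)


def digest_mod_n(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced mod n so the toy key can sign it."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Sender: hash, then 'encrypt' the digest with the private key."""
    y, n = private_key
    return pow(digest_mod_n(message, n), y, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver: 'decrypt' with the public key and compare with the local hash."""
    x, n = public_key
    return pow(signature, x, n) == digest_mod_n(message, n)


def demo():
    key = b"shared-secret-example"          # constructed sample key
    msg = b"transfer 100 to account 42"     # constructed sample message
    forged = b"transfer 900 to account 42"  # tampered copy
    tag = mac_tag(key, msg)
    sig = sign(msg, TOY_PRIVATE)
    return {
        "mac_ok": mac_verify(key, msg, tag),
        "mac_detects_tamper": not mac_verify(key, forged, tag),
        "sig_ok": verify(msg, sig, TOY_PUBLIC),
        "sig_detects_tamper": not verify(forged, sig, TOY_PUBLIC),
        # Non-repudiation: anyone holding the shared key (the receiver included)
        # can produce a valid tag, so a MAC cannot prove who wrote the message;
        # only the private key holder can produce a verifying signature.
        "receiver_can_forge_mac": mac_verify(key, forged, mac_tag(key, forged)),
    }


if __name__ == "__main__":
    print(demo())   # every entry True
```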
Firewalls
A firewall is a security system placed between an organization’s internal network and the
external Internet. It monitors, filters, and controls incoming and outgoing network traffic
based on predefined security rules. The main purpose of a firewall is to protect internal
systems from unauthorized access, attacks, and malicious traffic.
Definition
A firewall is a device or software that filters packets flowing between a trusted internal
network and an untrusted external network (such as the Internet). It allows safe traffic and
blocks unsafe traffic.
Functions of a Firewall
1. Packet Monitoring & Filtering
Firewall checks each packet and decides whether to allow or block it based on rules.
2. Access Control
Controls how devices inside the network communicate with the Internet.
3. Traffic Management
Manages data flow and prevents unwanted or harmful data from entering.
4. Enforces Security Policies
Allows centralized enforcement of organizational network security.
Packet Filtering Firewall & Proxy Firewall
1. Packet Filtering Firewall
A packet filtering firewall is the simplest and earliest type of firewall. It works at the
Network Layer (Layer 3) and Transport Layer (Layer 4) of the OSI model. It filters
packets one-by-one based on predefined rules.
Working of Packet Filtering
The router/firewall checks each packet and decides whether to allow or block it based on:
Source IP address
Destination IP address
TCP/UDP source and destination port numbers
IP protocol type (TCP/UDP/ICMP etc.)
ICMP message type
TCP flags such as SYN, ACK
Only packets that match the allowed rules are forwarded; others are discarded.
Examples
Example 1: Block all incoming/outgoing packets with
Protocol = UDP (17) and Port = 23.
→ Blocks all UDP and Telnet traffic.
Example 2: Block inbound TCP packets with ACK = 0.
→ Prevents external clients from initiating TCP connections with internal systems.
Advantages
Fast and efficient
Low processing overhead
Works directly on packet header info
Disadvantages
No user authentication
Cannot inspect payload (not secure for application-level threats)
Vulnerable to IP spoofing
Sample Filtering Rules
Rule | Source IP | Destination IP | Source Port | Dest. Port | Action
1    | [Link]    | --             | --          | --         | Deny
2    | --        | --             | --          | 23         | Deny
3    | --        | [Link]         | --          | --         | Deny
4    | --        | [Link]         | --          | >1023      | Allow
Conclusion: Packet filtering is simple and fast, but cannot examine content deeply.
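A first-match packet filter that evaluates the header fields listed above, as an added example that is not part of the original notes. The rule set mirrors the sample table and Example 2; the addresses (192.0.2.0/24, 198.51.100.10, 203.0.113.5) are constructed stand-ins for the IPs the notes elide as [Link], and the default action when no rule matches is assumed to be deny.

```python
# Added example (not from the original notes): packet filtering on header
# fields only (addresses, protocol, ports, TCP ACK flag, direction).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None   # wildcard, shown as "--" in the rule table


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: int                  # 6 = TCP, 17 = UDP, 1 = ICMP
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    ack: Optional[int] = None   # TCP ACK flag (0 on a connection's first SYN)
    inbound: bool = True


@dataclass
class Rule:
    action: str                         # "allow" or "deny"
    src_net: Optional[str] = ANY
    dst_net: Optional[str] = ANY
    proto: Optional[int] = ANY
    src_port: Optional[int] = ANY
    dst_port_min: Optional[int] = ANY   # dest. port range, e.g. >1023 -> min 1024
    dst_port_max: Optional[int] = ANY
    ack: Optional[int] = ANY
    inbound: Optional[bool] = ANY

    def matches(self, p: Packet) -> bool:
        """Every non-wildcard field must match; header fields only, no payload."""
        return all([
            self.src_net is ANY or ip_address(p.src_ip) in ip_network(self.src_net),
            self.dst_net is ANY or ip_address(p.dst_ip) in ip_network(self.dst_net),
            self.proto is ANY or p.proto == self.proto,
            self.src_port is ANY or p.src_port == self.src_port,
            self.dst_port_min is ANY or (p.dst_port is not None and p.dst_port >= self.dst_port_min),
            self.dst_port_max is ANY or (p.dst_port is not None and p.dst_port <= self.dst_port_max),
            self.ack is ANY or p.ack == self.ack,
            self.inbound is ANY or p.inbound == self.inbound,
        ])


def filter_packet(rules, p: Packet, default="deny") -> str:
    """First matching rule wins; unmatched packets get the default action."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Constructed rule set: sample table rules 1-4 plus Example 2.
RULES = [
    Rule("deny", src_net="192.0.2.0/24"),                         # rule 1: blocked source
    Rule("deny", dst_port_min=23, dst_port_max=23),               # rule 2: Telnet
    Rule("deny", dst_net="203.0.113.5/32"),                       # rule 3: protected host
    Rule("deny", inbound=True, proto=6, ack=0),                   # Example 2: no external SYNs
    Rule("allow", dst_net="198.51.100.10/32", dst_port_min=1024), # rule 4: ports >1023
]

if __name__ == "__main__":
    syn = Packet("203.0.113.77", "198.51.100.10", 6, 40000, 8080, ack=0)
    print(filter_packet(RULES, syn))   # deny (Example 2)
```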
Types of Filtering Performed
A firewall controls traffic using the following methods:
1. Packet Filtering
Each packet is checked for IP address, port number, and protocol.
Packets that match rules are allowed; others are discarded.
2. Source IP Filtering
Blocks or allows packets based on the sender’s IP address.
Useful for preventing unauthorized or unknown hosts from entering the network.
3. Denial of Service (DoS) Protection
Controls and limits the number of packets entering the network.
Helps prevent flooding attacks.
Types of Firewalls
1. Hardware Firewalls
External devices placed between the network and the Internet.
More secure and reliable.
Used in organizations and data centers.
2. Software Firewalls
Installed on computers.
Act as gateways and protect individual devices.
Common in home networks.
Advantages of Firewalls
Protects internal network from external attackers.
Prevents unauthorized login attempts.
Allows implementation of centralized security policy.
Ensures only specific, safe traffic is allowed.
Helps create zones of trust (e.g., Internal Network, DMZ, Internet).
Zone of Trust Concept
Firewalls divide a network into trust zones:
Internal Network – highly trusted
DMZ (Demilitarized Zone) – moderately trusted
External Internet – least trusted
This structure increases security by isolating critical resources.
How a Firewall Works
Packets from internal devices pass through the firewall.
Allowed (safe) packets reach the Internet.
Unknown or malicious packets are blocked and discarded.
Remote employees can connect securely through the firewall.
2. Proxy Firewall (Application-Level Gateway)
A proxy firewall works at the Application Layer (Layer 7) and acts as an intermediary
between internal users and the Internet.
How it Works
Users connect to the proxy, not directly to the destination server.
The proxy validates and filters application-level packets (HTTP, FTP, SMTP, etc.).
Only safe and allowed packets are forwarded to the internal network.
Features
Deep packet inspection (checks entire data payload)
Hides internal network structure (acts as a shield)
Can perform caching, improving performance
Provides strong user authentication
Can block malicious content at the application level
Diagram Explanation
All HTTP packets go from the Internet → Firewall → HTTP proxy.
The proxy checks them and forwards only safe packets to the internal HTTP server.
Errors or suspicious packets are dropped.
Advantages
Very high security
Protects against application-layer attacks
Masks internal IP addresses
Can implement content filtering and URL filtering
Disadvantages
Slower than packet filtering (heavy processing)
Needs more resources
Requires application-specific configuration