UNIT : IV
Firewall & Intrusion Detection System
Contents:
4.1 Firewall: Need of Firewall, types of firewall: Packet Filters, Stateful Packet Filters,
Application Gateways, Circuit Gateways.
4.2 Firewall Policies, limitations, DMZ Configuration.
4.3 Intrusion Detection System: Vulnerability Assessment, Misuse Detection, Anomaly Detection,
Network-Based IDS, Host-Based IDS, Honeypots.
Course Outcome:
Apply measures to prevent attacks on network using firewall.
Firewall & Intrusion Detection System
4.1 What is a Firewall? Explain the need for a Firewall?
A firewall can be hardware, software or a combination of both. It inspects the network traffic passing through it
and either accepts or rejects the messages based on a set of rules.
The firewall is a partition between a private (trusted) network and a public (untrusted) network, and it inspects all
traffic (packets) passing through it.
A firewall should have the following attributes:
All traffic should pass through the firewall.
The firewall should allow only authorized traffic.
The firewall itself should be resistant to attacks.
It is an effective means of protecting a system or network from network-based threats, while at the same time it
allows access to the outside world via wide area networks and the Internet.
A firewall is always placed at a network gateway to protect the internal resources of a private network from the
public network.
An organization installs a firewall to prevent outsiders from accessing its private data resources while still
allowing its employees to access outside resources. The firewall also controls which outside resources the
organization's employees can access.
Design Goals of Firewall
All traffic must pass through the firewall, whether from inside to outside or vice versa. This is achieved by physically
blocking all access to the local network except via the firewall.
Only authorized traffic, as defined by the local security policy, is allowed to pass through the firewall.
Different types of firewalls implement different types of security policies.
The firewall itself is immune to penetration.
Figure: Firewall placed between the internal (protected) network, e.g. an enterprise network, and the external (untrusted) network, e.g. the Internet.
Explain the different types of Firewall?
1. Packet Filter
A router that is part of a firewall usually performs packet filtering.
A packet-filtering router applies a set of rules to each incoming IP packet and then decides either to
forward or to discard the packet.
Typically the router is configured to filter packets going towards and coming from the internal network.
Filtering rules are based on the following information in a network packet:
Source IP address: The IP address of the system that generated the IP packet.
Destination IP address: The IP address of the system the IP packet is trying to reach.
Source and destination transport-level address: The transport-level (TCP or UDP) port number, which identifies
applications such as SNMP or TELNET.
IP protocol field: It identifies the transport protocol.
Interface: For a router with three or more ports, the interface the packet came from or
the interface the packet is destined for.
Figure: Packet-filtering router placed at the security perimeter between the Internet and the private network.
The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header. If there is a
match to one of the rules, that rule is invoked to determine whether to forward or discard the packet. If there is no
match to any rule, then a default action is taken, i.e. discard the packet.
Advantages
Simplicity
Transparency to the users
High Speed
Disadvantages
Difficulty of setting up packet filtering rules.
Lack of authentication.
2. Stateful Packet Filter
Stateful packet filters understand the request and reply pattern of a connection.
A traditional packet filter does not examine higher-layer context, i.e. it cannot match return packets with the outgoing
flow; stateful packet filters address this need.
They examine each IP packet in context, keep track of client-server sessions and check that each packet validly
belongs to one.
Hence they are better able to detect faulty packets that are out of context, and may even inspect limited application data.
3. Application Gateways
An application-level gateway is also known as a proxy server, because it acts like a proxy and decides about
the flow of application-level traffic.
An internal user contacts the application-level gateway using a TCP/IP application such as Telnet, FTP or HTTP.
The application-level gateway asks the user which remote host they want to connect to
for communication.
When the user provides the required information, such as a valid user ID and authentication information, the gateway
contacts the application on the remote host and relays TCP segments containing the application data between the two
endpoints.
If the gateway does not implement the proxy code for a specific application, that service is not supported and
cannot be forwarded across the firewall.
Generally, the gateways are configured to support only the specific features that the network administrator considers
acceptable, while denying all other features.
An application-level gateway is more secure than packet filtering. Here it is very easy to audit and log all
incoming traffic.
Figure: Application-level gateway. The outside host's connection (TELNET, FTP, SMTP or HTTP) terminates at the gateway, which opens a separate inside connection to the inside host.
Advantages
It provides higher security than packet filtering.
It only needs to scrutinize a few allowable applications.
It is easy to log and audit all incoming traffic.
Disadvantages
There is additional processing overhead for each connection, because there are two separate connections between the end users
and the gateway. The gateway must examine and forward all traffic in both directions.
4. Circuit Gateways
A circuit-level gateway can be a specialized function performed by an application-level gateway for certain applications.
It does not allow an end-to-end TCP connection; instead it sets up two TCP connections:
One between a TCP user on an inner host and the gateway.
One between the gateway and a TCP user on an outside host.
After establishing the two connections, the gateway relays TCP segments from one connection to the other
without examining the contents. The security function consists of deciding which connections are allowed.
Circuit-level gateways are used in situations where the system administrator trusts the internal users.
Figure: Circuit-level gateway. The outside host's connection terminates at the gateway, which sets up a separate inside connection to the inside host and relays between the two without examining the contents.
The gateway can be configured to support application-level or proxy service on inbound connections and circuit-
level functions for outbound connections.
In this way, the gateway incurs the processing overhead of examining incoming application data for prohibited
functions but does not incur that overhead on outgoing data.
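As an added example (not from these notes), the following Python code contrasts the two gateway types described above: the application-level gateway parses each command of the protocol it proxies and forwards only those its per-application allowlist permits (and refuses applications for which it has no proxy code), while the circuit-level gateway checks only whether the circuit is permitted and then relays everything unexamined. The command allowlists, the circuit policy and the sample FTP session are assumptions made for the example.

```python
# Added example (not from the original notes): an application-level gateway
# that parses and filters the protocol it proxies, next to a circuit-level
# gateway that only authorizes the circuit and relays bytes unexamined.
# The allowlists, circuit policy and sample session are constructed.
from dataclasses import dataclass, field

# Assumed proxy policy: commands the gateway's proxy code forwards for each
# supported application. An application absent here has no proxy code.
APP_POLICY = {
    "ftp":  {"USER", "PASS", "LIST", "RETR", "QUIT"},        # read-only FTP
    "smtp": {"EHLO", "HELO", "MAIL", "RCPT", "DATA", "QUIT"},
}

@dataclass
class Relay:
    forwarded: list = field(default_factory=list)   # lines sent on to the remote host
    rejected: list = field(default_factory=list)    # lines dropped by the proxy
    log: list = field(default_factory=list)         # audit trail of every decision

def application_gateway(app, client_lines):
    """Proxy one client session: each command line is parsed and checked
    against the allowlist for `app` before it is relayed."""
    relay = Relay()
    if app not in APP_POLICY:
        relay.log.append(f"{app}: no proxy code, service not supported")
        return relay
    for line in client_lines:
        verb = line.split(" ", 1)[0].upper()
        if verb in APP_POLICY[app]:
            relay.forwarded.append(line)
            relay.log.append(f"{app}: forwarded {verb}")
        else:
            relay.rejected.append(line)
            relay.log.append(f"{app}: rejected {verb} (not in allowlist)")
    return relay

# Assumed circuit policy: (direction, destination port) pairs that may be joined.
CIRCUIT_POLICY = {("outbound", 25), ("outbound", 80), ("outbound", 443)}

def circuit_gateway(direction, dst_port, client_lines):
    """Decide only whether the two TCP connections may be joined; if so,
    relay every line without examining it. Returns (allowed, relayed)."""
    if (direction, dst_port) not in CIRCUIT_POLICY:
        return False, []
    return True, list(client_lines)

# Constructed FTP session: an ordinary login and listing followed by two
# commands the read-only policy does not permit.
FTP_SESSION = ["USER alice", "PASS example-password", "LIST",
               "STOR report.xls", "DELE notes.txt", "QUIT"]

if __name__ == "__main__":
    r = application_gateway("ftp", FTP_SESSION)
    print("application gateway:", r.log)
    print("circuit gateway (port 21):", circuit_gateway("outbound", 21, FTP_SESSION))
    print("circuit gateway (port 80):", circuit_gateway("outbound", 80, FTP_SESSION))
```

The audit trail in `Relay.log` is the point of the application-level design: every command is visible to the gateway, so it can be logged and refused individually, whereas the circuit-level relay can only record that a circuit was opened.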
4.2 What are Firewall Policies?
A permissive firewall policy allows all types of traffic but blocks some services, such as Telnet or SNMP, and port numbers that are
used by attackers.
A restrictive policy blocks all traffic passing through the firewall and allows only the traffic that is useful, such as HTTP, POP3,
SMTP or SSH.
If the network administrator forgets to block something, it might be exploited after some time without their
knowledge.
The most secure option is to block everything that is suspicious and, when someone complains, allow the
required protocols.
The following is a typical firewall ruleset:
The firewall allows the HTTP, FTP, SSH and DNS protocols to communicate from the internal network to the Internet.
The firewall allows the SMTP protocol to communicate to the mail server from anywhere.
The firewall allows the SMTP and DNS protocols to communicate from the mail server to the Internet.
The firewall allows the SMTP and POP3 protocols to communicate from inside to the mail server.
The firewall allows only reply packets.
The firewall blocks everything else.
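As an added example (not from these notes), the following Python simulation combines three ideas from this unit: the packet filter's rule list with a default discard action (4.1, item 1), the stateful filter's connection table that admits reply packets only for flows the inside started (4.1, item 2), and the typical ruleset just listed. The zone addresses, service ports and sample packets are constructed for illustration; a real firewall expresses the same rules in its own syntax.

```python
# Added example (not from the original notes): a simulated packet filter with
# a stateless rule list, a default discard action, and a stateful connection
# table that forwards "reply packets" only for flows the inside started.
# Zone addressing, service ports and sample packets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed zones. "internet" is the catch-all for anything not inside or mail.
ZONES = {
    "mail":     [ip_network("192.0.2.25/32")],
    "internal": [ip_network("10.0.0.0/8")],
    "internet": [ip_network("0.0.0.0/0")],
}

# Services named in the ruleset, as (transport protocol, port). DNS is shown
# as UDP only to keep the example short.
SERVICES = {"http": ("tcp", 80), "ftp": ("tcp", 21), "ssh": ("tcp", 22),
            "dns": ("udp", 53), "smtp": ("tcp", 25), "pop3": ("tcp", 110)}

# The typical ruleset from the notes as (source zone, destination zone, services).
RULES = [
    ("internal", "internet", {"http", "ftp", "ssh", "dns"}),
    ("any",      "mail",     {"smtp"}),
    ("mail",     "internet", {"smtp", "dns"}),
    ("internal", "mail",     {"smtp", "pop3"}),
]

def zone_of(addr):
    """Most specific zone containing addr; dict order gives the precedence."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "internet"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN (no ACK): the first packet of a new connection

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()   # 5-tuples of client->server flows already accepted

    def stateless_match(self, pkt):
        """Plain packet filtering: first matching rule wins, otherwise the
        default action, which is to discard the packet."""
        for src_zone, dst_zone, services in self.rules:
            if src_zone not in ("any", zone_of(pkt.src)):
                continue
            if dst_zone not in ("any", zone_of(pkt.dst)):
                continue
            if (pkt.proto, pkt.dport) in {SERVICES[s] for s in services}:
                return True
        return False

    def decide(self, pkt):
        """Stateful filtering: consult the flow table before the rule list."""
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if key in self.flows:
            return "forward (established)"
        if reverse in self.flows:
            return "forward (reply)"
        # A TCP packet that is not a SYN and matches no known flow is an
        # unsolicited "return" packet; a stateless filter could not tell it
        # apart from a genuine reply.
        if pkt.proto == "tcp" and not pkt.syn:
            return "discard (no matching flow)"
        if self.stateless_match(pkt):
            self.flows.add(key)
            return "forward (new flow)"
        return "discard (default)"

def run_demo():
    """Constructed traffic against the ruleset; returns (packet, decision) pairs."""
    fw = StatefulFilter(RULES)
    packets = [
        Packet("10.0.0.5", "198.51.100.10", "tcp", 40000, 80, syn=True),   # inside -> web
        Packet("198.51.100.10", "10.0.0.5", "tcp", 80, 40000),             # genuine reply
        Packet("198.51.100.10", "10.0.0.6", "tcp", 80, 40001),             # unsolicited "reply"
        Packet("198.51.100.10", "192.0.2.25", "tcp", 5555, 25, syn=True),  # Internet -> mail (SMTP)
        Packet("198.51.100.10", "10.0.0.5", "tcp", 5555, 22, syn=True),    # Internet -> inside (SSH)
        Packet("192.0.2.25", "198.51.100.10", "udp", 5353, 53),            # mail -> Internet (DNS)
        Packet("10.0.0.5", "192.0.2.25", "tcp", 40002, 110, syn=True),     # inside -> mail (POP3)
        Packet("10.0.0.5", "198.51.100.10", "tcp", 40003, 23, syn=True),   # inside -> Internet (Telnet)
    ]
    return [(p, fw.decide(p)) for p in packets]

if __name__ == "__main__":
    for pkt, decision in run_demo():
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}/{pkt.proto}  {decision}")
```

The third packet is the case that separates the two filter types: it carries a source port of 80, so a stateless rule that simply allowed "packets from port 80" would forward it, while the stateful table rejects it because no inside host ever opened that connection.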
Explain Firewall Configurations?
A firewall can be a combination of a packet filter and an application-level gateway. Based on this, there are three types of
configurations:
Screened Host firewall, Single-Homed Bastion; Screened Host firewall, Dual-Homed Bastion; Screened Subnet Firewall.
1. Screened Host firewall, Single-Homed Bastion
Here, the firewall configuration consists of two parts: a packet filter router and an application-level gateway.
The packet filter router ensures that incoming traffic is allowed only if it is intended for the application
gateway, by examining the destination address field of each incoming IP packet.
It also ensures that outgoing traffic is allowed only if it originated from the application-level gateway, by
examining the source address field of every outgoing IP packet.
The application-level gateway performs authentication as well as proxy functions.
Figure: Screened host firewall, single-homed bastion. A packet filter sits between the Internet and the internal network; the application gateway (HTTP, SMTP, FTP, TELNET) is attached to the internal network.
Advantages
It improves security of the network by performing checks at both levels- packet and application level
It provides flexibility to the network administrator to define more security policies.
Disadvantages
Internal users are connected to the application gateway as well as to the packet filter router. So, if the packet filter
is somehow attacked, the whole internal network is exposed to the attacker.
2. Screened Host firewall, Dual-Homed Bastion
In this type of configuration, direct connections between the internal hosts and the packet filter are avoided.
Here, the packet filter connects only to the application gateway, which in turn has a separate connection to
the internal hosts.
Hence, if the packet filter is successfully attacked, only the application gateway is visible to the attacker.
Figure: Screened host firewall, dual-homed bastion. The packet filter faces the Internet and connects only to the application gateway (HTTP, SMTP, FTP, TELNET), which has a separate connection to the internal network.
3. Screened Subnet Firewall
This type of configuration offers the highest security among the possible configurations.
In this type, two packet filters are used: one between the Internet and the application gateway, and the other between
the application gateway and the internal network.
This configuration presents three levels of security that an attacker must break through.
Figure: Screened subnet firewall. An outer packet filter sits between the Internet and the application gateway (HTTP, SMTP, FTP, TELNET), and an inner packet filter sits between the application gateway and the internal network.
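As an added example (not from these notes), the following Python model expresses the three configurations as link graphs and computes, for each, which devices come into view if the Internet-facing packet filter is compromised and how many devices an attacker would have to break through, one after another, to reach the internal network. The node names are constructed labels; the link structure follows the three descriptions above.

```python
# Added example (not from the original notes): the three configurations as
# link graphs. "Exposure" is what an attacker sees after taking over the
# Internet-facing packet filter; "levels" is how many devices must be broken
# through in turn to reach the internal network. Node names are constructed.
from collections import deque

CONFIGURATIONS = {
    # Internal hosts connect to both the packet filter and the gateway.
    "single-homed bastion": {
        "internet": {"filter"},
        "filter":   {"internet", "gateway", "internal"},
        "gateway":  {"filter", "internal"},
        "internal": {"filter", "gateway"},
    },
    # The packet filter connects only to the gateway, which alone reaches inside.
    "dual-homed bastion": {
        "internet": {"filter"},
        "filter":   {"internet", "gateway"},
        "gateway":  {"filter", "internal"},
        "internal": {"gateway"},
    },
    # Two packet filters with the gateway on the screened subnet between them.
    "screened subnet": {
        "internet":     {"outer_filter"},
        "outer_filter": {"internet", "gateway"},
        "gateway":      {"outer_filter", "inner_filter"},
        "inner_filter": {"gateway", "internal"},
        "internal":     {"inner_filter"},
    },
}

def exposed_after_compromise(graph, device):
    """Devices directly reachable by an attacker who controls `device`."""
    return graph[device] - {"internet"}

def levels_to_internal(graph, start="internet", target="internal"):
    """Devices on the shortest path from start to target, excluding both ends
    (breadth-first search over the link graph); None if unreachable."""
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if node == target:
            return depth - 1
        for nxt in sorted(graph[node]):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return None

def summarize():
    """For each configuration: what falls into view if the outer packet filter
    is compromised, and the number of security levels in front of the inside."""
    result = {}
    for name, graph in CONFIGURATIONS.items():
        outer_filter = next(iter(graph["internet"]))
        result[name] = {
            "exposed_if_filter_falls": sorted(exposed_after_compromise(graph, outer_filter)),
            "levels": levels_to_internal(graph),
        }
    return result

if __name__ == "__main__":
    for name, info in summarize().items():
        print(f"{name}: {info}")
```

The model reproduces the notes' claims: in the single-homed layout a compromised packet filter already exposes the internal network (one level), in the dual-homed layout only the gateway is visible (two levels), and the screened subnet puts three devices in the attacker's path.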
List the limitations of Firewalls?
1. A firewall cannot protect against attacks that bypass the firewall.
2. A firewall does not protect against insider threats, such as employees innocently cooperating with external attackers.
3. A firewall cannot protect against the transfer of virus-infected programs or files.
What is a DMZ (Demilitarized Zone)?
It is a computer host or small network inserted as a "neutral zone" between a company's private network and the outside
public network.
It prevents outside users from getting direct access to a company's data server. A DMZ is an optional but more secure
approach to a firewall. It can effectively act as a proxy server.
The typical DMZ configuration has a separate computer or host in the network which receives requests from users within
the private network to access Web sites or the public network.
The DMZ host then initiates sessions for such requests on the public network, but it is not able to initiate a session back
into the private network. It can only forward packets that have been requested by a host.
The public network's users outside the company can access only the DMZ host.
It can store the company's Web pages, which are served to outside users. Hence, the DMZ does not give access to the
rest of the company's data.
If an outsider somehow penetrates the DMZ's security, the Web pages may get corrupted, but the rest of the
company's information remains safe.
Figure: DMZ placed by the firewall between the Internet and the internal private network.
4.3 What is IDS?
Intrusion Detection is the process of monitoring the events happening in a computer system or network. Intrusion
Detection process analyzes them for possible incidents, which are threats of violation of computer security policies,
standard security practices or acceptable use policies.
An Intrusion Detection System is like a burglar alarm system installed in a house. In case of an intrusion, the IDS
provides some type of warning or alert.
An operator then tags events of interest for further investigation by the incident handling team.
An IDS watches the surrounding activity and tries to identify undesirable activity. The main purpose of an IDS is to identify
suspicious or malicious activity that deviates from normal behaviour, catalogue and classify the activity and, if possible,
respond to the activity.
Intrusion Detection Systems are mainly divided into two categories, depending on the monitoring activity.
1. Host-Based IDS
This examines activity on an individual system such as a mail server, web server or individual PC. It is concerned only
with that individual system and usually has no visibility into the activity on the network or systems around it.
2. Network-Based IDS
This examines activity on the network itself. It has visibility only into the traffic crossing the network link it
monitors and typically has no idea of what is happening on individual systems.
Typically, an IDS has the following logical components:
Figure: Components of an IDS: traffic collector, analysis engine, signature database, user interface, critical files, log files, alarm storage and reports.
1. Traffic collector
The job of the traffic collector is to collect the activity or events for the IDS to examine.
Host-based IDS: the events can be log files, audit logs, or traffic coming to or leaving a specific system.
Network-based IDS: the events come from a mechanism for copying traffic off the network link.
2. Analysis Engine
The analysis engine examines the collected network traffic and compares it to known patterns of suspicious or
malicious activity. These patterns are stored in the signature database.
The analysis engine acts as the brain of the IDS.
3. Signature database
The signature database stores the collection of patterns and definitions of known suspicious or malicious activity on a host
or on a network.
4. User Interface and Reporting
Its job is to provide an interface to the human operator and raise alerts whenever required. Through it the user can
interact with and operate the IDS.
Explain Host-Based IDS with a neat diagram?
A host-based IDS checks log files, audit trails and network traffic coming into or leaving a specific host.
A HIDS can operate in real time, looking for activity as it arises, or in batch mode, looking for activity on a periodic basis.
Typically host-based systems are self-contained, but many newer commercial products are designed to report to and
be managed by a central system. These systems also consume local system resources to operate.
Older host-based IDSs operated in batch mode, looking for suspicious activity on an hourly or daily basis,
and typically looked for particular events in the system's log files.
In newer host-based IDSs, as processor speed has increased, the IDS looks through the log files in real
time, and the ability to examine the data traffic the host is generating and receiving has also been added.
Many host-based IDSs focus on the log files or audit trails produced by the local operating system. On Windows systems, the
examined logs are typically the Application, System and Security event logs. On Unix systems, the examined logs are
generally the messages, kernel and error logs.
Some host-based IDSs can cover specific applications by examining the logs produced by those
applications or by examining the traffic from the services themselves, such as FTP or web services.
A HIDS looks for activities in the log files such as:
Logins at odd hours.
Login authentication failures.
Adding a new user account.
Modification or access of critical system files.
Modification or removal of binary files.
Starting or stopping processes.
Privilege escalation.
Use of certain programs.
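As an added example (not from these notes), the following Python code runs four of the checks listed above (logins at odd hours, repeated authentication failures, new user accounts and privilege escalation) over a few constructed Unix-style authentication log lines, which is the batch-mode log review the section describes. The log lines, the working-hours window and the failure threshold are assumptions made for the example.

```python
# Added example (not from the original notes): a batch-mode host-based log
# check. It parses syslog-style lines and applies four of the HIDS checks
# from the notes. The log lines, the working-hours window and the failure
# threshold are constructed for illustration.
import re
from collections import Counter

# Constructed sample log, modelled on Linux authentication log formats.
SAMPLE_LOG = """\
Mar 03 02:14:07 host1 sshd[1201]: Accepted password for alice from 203.0.113.7 port 51344 ssh2
Mar 03 02:14:09 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar 03 09:01:12 host1 sshd[1302]: Failed password for root from 198.51.100.23 port 4022 ssh2
Mar 03 09:01:15 host1 sshd[1302]: Failed password for root from 198.51.100.23 port 4022 ssh2
Mar 03 09:01:19 host1 sshd[1302]: Failed password for admin from 198.51.100.23 port 4023 ssh2
Mar 03 09:30:55 host1 useradd[1400]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup, shell=/bin/bash
Mar 03 10:02:01 host1 sshd[1500]: Accepted publickey for bob from 10.0.0.9 port 50001 ssh2
"""

WORK_HOURS = range(7, 20)   # assumed policy: logins between 07:00 and 19:59 are normal
FAILURE_THRESHOLD = 3       # assumed: this many failures from one source is suspicious

# timestamp, host, program (optional [pid]), message
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{2}) (?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def analyze(log_text):
    """Return (check name, detail) tuples in the order the events were logged."""
    alerts = []
    failures = Counter()   # failed logins per source address
    for ev in parse(log_text):
        hour, msg, prog = int(ev["hh"]), ev["msg"], ev["prog"].strip()
        if prog == "sshd" and msg.startswith("Accepted"):
            if hour not in WORK_HOURS:                       # login at odd hours
                alerts.append(("login at odd hour", f"{ev['hh']}:{ev['mm']} {msg}"))
        elif prog == "sshd" and msg.startswith("Failed password"):
            src = re.search(r"from (\S+)", msg).group(1)      # authentication failure
            failures[src] += 1
            if failures[src] == FAILURE_THRESHOLD:
                alerts.append(("repeated authentication failures", src))
        elif prog == "useradd" and "new user:" in msg:        # new user account
            alerts.append(("new user account", re.search(r"name=(\w+)", msg).group(1)))
        elif prog == "sudo" and "USER=root" in msg:           # privilege escalation
            who = msg.split(":")[0].strip()
            alerts.append(("privilege escalation", who))
    return alerts

if __name__ == "__main__":
    for check, detail in analyze(SAMPLE_LOG):
        print(f"{check}: {detail}")
```

The failure counter fires exactly once, when the threshold is reached, so a long brute-force run produces one alert rather than one per line; Bob's daytime key-based login produces nothing, which is the behaviour an operator wants from a baseline of normal activity.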
Figure: Components of a host-based IDS: traffic collector, analysis engine, signature database, user interface, critical files, log files, alarm storage and reports.
Advantages
Operating-system-specific and detailed signatures.
Examines data after it has been decrypted.
Very application specific.
Can determine whether or not an alarm may impact that specific system.
Disadvantages
Requires a process on every system to be watched.
High cost of ownership and maintenance.
Uses local system resources.
Very focused view; cannot relate to activity around it.
If logged locally, logs could be compromised or disabled.
Explain Network-Based IDS with a neat diagram?
A network-based IDS focuses on network traffic: the bits and bytes travelling along the cables and wires that
interconnect the systems.
A network IDS checks the network traffic as it passes and is able to analyze traffic according to protocol,
type, amount, source, destination, content, traffic already seen, etc.
Such analysis must occur quickly, and to be effective the IDS must be able to handle traffic at whatever speed the network
operates.
Network-based IDSs are generally deployed so that they can monitor traffic in and out of an organization's major links,
such as the connection to the Internet, remote offices, partners, etc.
Network-based IDSs look for certain activities such as:
Denial of service attacks
Port scans or sweeps
Malicious content in the data payload of a packet or packets
Vulnerability scanning
Trojans, viruses, or worms
Tunneling
Brute-force attacks.
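As an added example (not from these notes), the following Python code runs a simplified network-based analysis engine over constructed packet records: it detects port scans, brute-force attempts and SYN-flood style denial of service by counting connection attempts within a sliding time window, and matches packet payloads against a small signature database of the kind described under "Components of IDS". The thresholds, signatures and sample traffic are assumptions made for the example.

```python
# Added example (not from the original notes): a simplified network-based IDS
# analysis engine over constructed packet records. It counts connection
# attempts inside a sliding time window to detect port scans, brute-force
# attempts and SYN floods, and matches payloads against a small signature
# database. Thresholds, signatures and traffic are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    ts: float           # seconds since capture start
    src: str
    dst: str
    dport: int
    syn: bool           # TCP SYN: a new connection attempt
    payload: bytes = b""

# Assumed detection thresholds, all evaluated within WINDOW seconds.
WINDOW = 10.0
SCAN_PORTS = 10       # distinct destination ports from one source
BRUTE_ATTEMPTS = 5    # SYNs from one source to one (host, port)
FLOOD_SYNS = 50       # SYNs to one host from any sources

# Constructed signature database: (name, byte pattern to look for in payloads).
SIGNATURES = [
    ("sql-injection-union", b"UNION SELECT"),
    ("directory-traversal", b"../../"),
]

def recent(times, now):
    """Keep only timestamps that fall inside the window ending at `now`."""
    return [t for t in times if now - t <= WINDOW]

def analyze(packets):
    """Return a list of alerts; each counting detector fires once per offender."""
    alerts = []
    ports_by_src = defaultdict(dict)    # src -> {dport: last time seen}
    attempts = defaultdict(list)        # (src, dst, dport) -> SYN times
    syns_by_dst = defaultdict(list)     # dst -> SYN times
    fired = set()
    for p in sorted(packets, key=lambda x: x.ts):
        for name, pattern in SIGNATURES:            # content inspection
            if pattern in p.payload:
                alerts.append(("signature", name, p.src))
        if not p.syn:
            continue
        ports_by_src[p.src][p.dport] = p.ts         # port scan / sweep
        distinct = {d for d, t in ports_by_src[p.src].items() if p.ts - t <= WINDOW}
        if len(distinct) >= SCAN_PORTS and ("scan", p.src) not in fired:
            fired.add(("scan", p.src))
            alerts.append(("port scan", p.src, len(distinct)))
        key = (p.src, p.dst, p.dport)               # brute force on one service
        attempts[key] = recent(attempts[key], p.ts) + [p.ts]
        if len(attempts[key]) >= BRUTE_ATTEMPTS and ("brute", key) not in fired:
            fired.add(("brute", key))
            alerts.append(("brute force", p.src, p.dport))
        syns_by_dst[p.dst] = recent(syns_by_dst[p.dst], p.ts) + [p.ts]   # DoS
        if len(syns_by_dst[p.dst]) >= FLOOD_SYNS and ("flood", p.dst) not in fired:
            fired.add(("flood", p.dst))
            alerts.append(("syn flood", p.dst, len(syns_by_dst[p.dst])))
    return alerts

def sample_traffic():
    """Constructed capture: a scan, a brute-force run, a flood, one payload hit
    and one ordinary outbound connection."""
    pk = [Pkt(1.0 + i * 0.25, "198.51.100.9", "10.0.0.5", 1 + i, True) for i in range(12)]
    pk += [Pkt(20.0 + i, "203.0.113.4", "10.0.0.5", 22, True) for i in range(6)]
    pk += [Pkt(40.0 + i * 0.08, f"192.0.2.{i}", "10.0.0.8", 80, True) for i in range(60)]
    pk.append(Pkt(70.0, "203.0.113.77", "10.0.0.8", 80, False,
                  b"GET /item?id=1 UNION SELECT 1,2 HTTP/1.1"))
    pk.append(Pkt(71.0, "10.0.0.5", "198.51.100.20", 443, True))
    return pk

if __name__ == "__main__":
    for alert in analyze(sample_traffic()):
        print(alert)
```

The sliding window is what keeps the counters honest: the twelve scan SYNs against 10.0.0.5 have aged out by the time the brute-force run arrives, so they do not combine into a spurious flood alert, and the single outbound HTTPS connection at the end triggers nothing.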
The logical layout of a network-based IDS is shown in the following figure.
Figure: Components of a network IDS: network traffic collector, analysis engine, signature database, user interface, alarm storage and reports.
Advantages
Provides IDS coverage using fewer systems.
Lower cost for deployment, maintenance and upgrades.
Has visibility into all network traffic and can correlate attacks among multiple systems.
Disadvantages
Ineffective when traffic is encrypted.
Cannot see traffic that does not pass through it.
Must handle high volumes of traffic.
Does not know what activity is happening on the hosts.
What do you mean by honeypots? Explain?
Honeypots are an innovation in intrusion detection technology.
A honeypot is a computer system on the Internet which is specifically set up to attract and "trap" people (attackers) who are
attempting to penetrate other critical systems.
Honeypots are designed:
1. To purposely divert hackers from accessing critical systems.
2. To identify malicious activities performed over the Internet by attackers.
3. To engage the attacker for a longer time, so that they stay on the system long enough for administrators to respond.
The honeypot system is designed with sensitive monitors and event loggers, which detect accesses and
collect information about the attacker's activities.
There are two different kinds of honeypots, classified based on their deployment method:
1. Production Honeypot
Used by companies and corporations for the purpose of researching the aims of hackers as well as diverting and
mitigating the risk of attacks on the overall network.
2. Research Honeypot
Used by nonprofit organizations and educational institutions for the sole purpose of researching the motives and
tactics of the hacker community in targeting different networks.
Overall, honeypots are considered an effective method to track hacker behaviour and heighten the effectiveness
of computer security tools.
Figure: Honeypot deployment: Internet, router, firewall/gateway/IDS/IPS/log, switch, and honeypots (e.g. a Windows honeypot) attached to the switch.