E-Commerce Security: Viruses & Threats

The document discusses various security threats in e-commerce, including different types of computer viruses, hacking, phishing, and cybercrime. It also covers network security measures, encryption techniques, and the history of encryption, highlighting the importance of protecting sensitive data and maintaining confidentiality. Key concepts such as malware, denial of service attacks, and the evolution of cryptography are also addressed.
Uploaded by chandanap1313

Unit: 4

Security & Threats in E-Commerce


1. Virus: A virus is a computer program that replicates itself, spreads to other files, and renders them inoperative or malfunctioning. It can lead to a complete breakdown of operations. They are known as macro viruses.
Virus Type - WORM: A special type of computer program that acts as a carrier of viruses, carrying them from one machine to another through the internet.
Virus Type - TROJAN HORSE: A program that allows virus programs to enter a computer system, steal passwords and email IDs from the hard disk, and send them to another person. Trojans are also capable of sending bogus emails.
A computer virus is a program that can harm devices and files and infect them so that they are of no further use. When a virus program is executed, it replicates itself by modifying other computer programs and inserting its own code into them. This code infects a file or program, and if it spreads widely, it may ultimately crash the device.
The different types of computer viruses are:
Boot Sector Virus: A type of virus that infects the boot sector of floppy disks or the Master Boot Record (MBR) of hard disks. The boot sector comprises all the files required to start the operating system of the computer. The virus either overwrites the existing program or copies itself to another part of the disk.
Direct Action Virus: A virus that attaches itself directly to a .exe or .com file and enters the device when that file is executed is called a Direct-Action Virus. If it gets installed in memory, it keeps itself hidden. It is also known as a Non-Resident Virus.
Resident Virus: A virus that saves itself in the memory of the computer and then infects other files and programs even when its originating program is no longer running. This virus can easily infect other files because it is hidden in memory, and it is hard to remove from the system.
Multipartite Virus: A virus that attacks both the boot sector and executable files, posing a significant cyber threat.
Overwrite Virus: The overwrite virus completely deletes the existing program and replaces it with malicious code.
Polymorphic Virus: Spreads through spam and infected websites, modifying its code to avoid detection.
File Infector Virus: It first infects a single file and then spreads to others; it is commonly found in games and word processors.
Space Filler Virus: A rare type of virus which fills empty spaces in files, remaining undetected and not affecting file size.
Macro Virus: A virus written in the same language as software programs, often spread through email attachments.
2. Hacking: A hacker is an individual who intends to gain unauthorized access to computer systems with criminal intent; this is also known as 'cyber vandalism'.
3. Spoofing: The process of hiding one's identity using fake email addresses and redirected web links, disrupting business processes.
4. Sniffing: A special type of computer program that monitors and captures information traveling across the network. Initially, such programs were used to identify potential network problem spots, but they were later used maliciously by hackers to steal proprietary information, including e-mail messages, corporate information, and confidential business reports. Attackers may make confidential reports public, thereby affecting the privacy and confidentiality of the company.
5. Denial of Service (DoS): An incident in which a user or organization is denied the service they would normally expect to have. Hackers use this method to send a large number of automated requests to an e-commerce website; to the server, these appear to originate from genuine visitors. This does not result in theft or other security loss, but in loss of service due to network connectivity problems. It can also destroy programs and files in affected computer systems.
6. Phishing: A fraudulent practice used to acquire confidential information, and sometimes indirectly money, by posing as a trustworthy party. Phishing exists in different forms, such as misleading emails, man-in-the-middle attacks, URL obfuscation, malware, key loggers, screen grabbers, hijackers, web Trojans, IP address manipulation, system reconfiguration attacks, etc.
7. Malware: Typically any code or software program designed to infect, damage, or disrupt a system for malicious purposes. It is unwanted software installed on an internet user's computer without their knowledge or consent, resulting in the theft of sensitive personal and financial information.
8. Pharming: A fraudulent practice similar to phishing and malware. Here, the attackers install code or software programs on a server or personal computer that try to steal sensitive financial information. Such programs install or activate themselves on personal computers or other computers in a network when the user opens an email or an email attachment.
9. SQL Injection: One of the web attack mechanisms used by hackers to steal data from organizations. It takes advantage of improper coding of web applications that allows hackers to inject SQL commands into a login form. An attacker can read sensitive data from the database, modify database data, execute administration operations, and recover the content of a given file.
10. Cross Site Scripting (XSS): Targets scripts embedded in a page that are executed on the client side. This is due to a weakness in client-side scripting languages. It is a type of injection problem in which malicious scripts are injected into otherwise benign and trusted websites.
11. Key loggers: One of the major threats to user privacy, used to steal users' sensitive information. A key logger captures or records the keystrokes of a user working on a computer, enabling a malicious user to collect secured information such as passwords or PINs. This information can later be used for quick cash withdrawals and fraudulent money transactions.
Key Logger Types:
Software Key loggers: Unwanted software that infects the computer of an internet user without their knowledge or consent. The user unknowingly picks up this virus while opening an email, an email attachment, or a malicious website, resulting in the theft of sensitive personal and financial information.
Hardware Key loggers: Small hardware devices connected between the keyboard and the computer. They are not detectable by software on the computer and capture keystrokes directly, resulting in the theft of sensitive personal and financial information.
12. Man-in-the-Browser Attack (MitB): A growing concern for financial services. It infects the browser and manipulates bank account transactions automatically. It intercepts and decrypts the communication between the web browser and the destination web server and modifies the messages for fraudulent purposes.
13. Cookies: Small pieces of text stored on a client computer that contain sensitive information which is not encrypted. Anyone can read and interpret cookie data. Cookies do not directly harm the client machine but could still cause damage. Cookies placed by the web site being visited are called 'first-party cookies'; those placed by a different website are called 'third-party cookies'. A third-party cookie originates from a website other than the site being visited and generally accompanies advertisements or other content intended to track the responses of visitors who have already seen the ads on other sites.
14. Web Bugs: A third-party website places a tiny graphic on another site's webpage. When a site visitor loads the webpage, the web bug is delivered by the third-party site, which can then track the visitor's activity.
CYBER CRIME
Cybercrime is crime in the online environment. The internet is wide open to exploitation. Cybercrime is any illegal act that involves a computer, its system, or its application. Cyberspace is considered a type of community or massive neighborhood made up of networked computer users around the globe. Just as a traditional society has criminals, cyberspace has cybercriminals committing cybercrimes.
Computer crime poses a daunting task for law enforcement agencies because they
are highly technical crimes. Law enforcement agencies must have individuals
trained in computer science or computer forensics in order to properly investigate
computer crimes. Additionally, states must update and create legislation, which
prohibits computer crimes and outlines appropriate punishments for those crimes.
Computer crimes will likely become more frequent with the advent of further
technologies. It is important that civilians, law enforcement officials, and other
members of the criminal justice system are knowledgeable about computer
crimes in order to reduce the threat they pose.
Computer Crime
Computer crime can be considered any criminal (or unethical) activity facilitated
by or committed with computer and information technologies. As with crime in
general, the range of unethical and criminal activities is quite broad. All of the
following fall into the category of computer crime:
a) Stealing someone's password by watching them type it in.
b) Looking at someone's private files.
c) Stealing computer media and hardware (disks, hard drives, etc.).
d) Intercepting data.
e) Stealing information, money, or services.
f) Impersonating someone else on a computer system.
g) Creating or disseminating a computer virus.
h) Denying service by saturating a network.
i) Hacking a web site and replacing it with other materials.
Types of Cyber Crime
a) Hacking
Hacking is defined as entering a network, like the Internet, Intranet, LAN, or
WAN, without permission to access certain areas or data. Hackers are computer
experts who can breach privacy and confidential information. They can steal data,
merge it, and add incorrect information, leading to data loss and destruction. This
crime is defined in Section 66 of the Information Technology Act of 2000. The
punishment for hacking, as per Section 66(2), includes imprisonment for up to
three years, a fine up to two lakh rupees, or both.
b) Cracking: This refers to unauthorized access into a computer system via public telecommunication networks or a local area network (LAN).
c) Fraud on the Internet: Internet fraud is a white-collar crime that has grown alongside the internet itself. It involves fraudulent activities in which individuals or companies deceive others through the internet, often using investment schemes that appear credible.
d) Bulletin Boards: These are platforms where investor information is shared, but they can also be a source of fraud, leading to financial losses for those who rely on them.
e) Credit Card Fraud: This type of fraud is prevalent in e-commerce and involves issues such as undelivered goods or services, damaged or misrepresented items, auction scams, pyramid schemes, and multi-level marketing schemes.
f) Email Scams: These involve the use of emails to spread false information about companies or to promote bogus investment schemes.

Network Security:
Network security involves measures to protect the integrity, confidentiality, and availability of computer networks and the data transmitted over them. It includes strategies, technologies, and policies to prevent unauthorized access, secure data, and ensure smooth network functioning. Key components and practices include:
1. Firewalls: Security devices or software that monitor and control network traffic based on rules, acting as a barrier against unauthorized access and cyber threats.
2. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS): An IDS monitors for malicious activity, while an IPS actively prevents or blocks it, providing an additional layer of defense against security incidents.
3. Virtual Private Network (VPN): VPNs establish secure and encrypted connections over public networks, ensuring private communication between users or networks. VPNs enhance confidentiality and privacy, particularly when accessing sensitive information over untrusted networks.
4. Network Segmentation: Dividing a network into segments to limit the potential impact of a security breach and to control the flow of traffic. This reduces the attack surface and prevents lateral movement of attackers within the network.
5. Access Control Lists (ACLs): ACLs are rules or configurations applied to routers and switches to control the flow of traffic based on specified criteria. They enforce network security policies, restricting access to resources and minimizing the risk of unauthorized access.
6. Security Information and Event Management (SIEM): SIEM solutions collect and analyse log data from various devices within a network to identify and respond to security incidents, providing real-time insights into network activity, aiding threat detection, and facilitating incident response.
7. Encryption: Encryption transforms data into a secure format that can only be accessed with the appropriate decryption key, safeguarding sensitive information during transmission and storage and ensuring confidentiality.
ENCRYPTION
Encryption is a security technique used to protect sensitive data by encoding it in
such a way that only authorized parties can access and decipher it. It involves
converting plaintext information into ciphertext using mathematical algorithms
and cryptographic keys. Here are key aspects of encryption:
1. Encryption Process
Plaintext: The original, unencrypted data that needs to be protected.
Ciphertext: The encrypted data generated by applying an encryption algorithm to
the plaintext using an encryption key.
Encryption Algorithm: This is a set of rules or a mathematical function used to
convert plaintext into ciphertext. Common algorithms include AES, RSA, and
Triple DES.

Encryption Key: A unique piece of data used as input to the encryption algorithm.
Keys can be symmetric (same for encryption and decryption) or asymmetric
(public-private pair).
2. Symmetric Encryption:
Uses the same secret key for both encryption and decryption.
Requires secure sharing of the secret key between sender and receiver.
Efficient and fast, suitable for large amounts of data, but key management can be
challenging.
3. Asymmetric Encryption:
Uses a pair of keys: a public key for encryption and a private key for decryption.
The public key can be freely distributed, while the private key must be kept secret.
Enables secure key exchange and digital signatures.
Common algorithms include RSA, Diffie-Hellman, and ECC.
4. Applications of Encryption:
Data Protection: Protects data at rest and in transit from unauthorized access.
Secure Communication: Ensures confidentiality and privacy in communication
channels like email and messaging apps.
Secure Web Browsing: SSL and TLS protocols use encryption for secure
connections between web browsers and servers.
Digital Signatures: Encryption is used to create digital signatures, which verify
the authenticity and integrity of electronic documents, messages, and
transactions, ensuring they have not been tampered with or altered.
VPN and Secure Remote Access: Virtual Private Networks (VPNs) use
encryption to establish secure tunnels over public networks, allowing remote
users to access corporate networks and resources securely.
5. Strengths and Limitations:
Strengths:
Encryption provides strong protection against unauthorized access, interception,
and data breaches. It helps maintain confidentiality, integrity, and authenticity of
sensitive information.
Limitations: Encryption does not prevent all types of attacks, such as social engineering, malware infections, or insider threats. It can introduce computational overhead and performance impact, particularly for resource-constrained devices or high-volume data processing.

6. Key Management
Key management is a critical aspect of encryption, involving the generation,
storage, distribution, and protection of encryption keys. Proper key management
practices ensure the security and integrity of encrypted data and prevent
unauthorized access or misuse of encryption keys.
HISTORY OF ENCRYPTION
The history of encryption dates back thousands of years, evolving alongside the
need to protect sensitive information and communication from unauthorized
access or interception. Here is a brief overview of key developments in the history
of encryption:
1. Ancient Civilizations:
Encryption techniques have been used since ancient times to conceal messages
and protect information during communication.
Ancient civilizations, such as the Egyptians, Greeks, and Romans, employed
various substitution ciphers, such as the Caesar cipher, to encrypt messages by
replacing plaintext characters with different symbols or letters.
2. Classical Ciphers:
During the Middle Ages, classical ciphers, including transposition and
substitution ciphers, were commonly used for military and diplomatic
communication.
The Vigenère cipher, invented by Giovan Battista Bellaso in the 16th century,
introduced the concept of polyalphabetic substitution, where different alphabets
are used to encode plaintext characters based on a keyword.
3. Development of Cryptography:
The Renaissance period saw advancements in cryptography, with the publication
of influential works such as "The Code Book" by Leon Battista Alberti and
"Cryptomenysis Patefacta" by John Wallis.
In the 19th century, the development of frequency analysis techniques by
cryptanalysts, including Charles Babbage and Friedrich Kasiski, led to the
breaking of classical ciphers and the advancement of cryptanalysis.
4. The Enigma Machine:
During World War II, the Enigma machine, developed by the Germans, became
one of the most famous encryption devices used for military communication.
The Enigma machine encrypted messages using electromechanical rotors,
creating complex substitution ciphers that were thought to be unbreakable until
the efforts of cryptanalysts, including Alan Turing and the team at Bletchley Park,
led to its decryption.
5. Modern Cryptography:
The advent of computers and digital technologies in the 20th century
revolutionized cryptography, leading to the development of modern
cryptographic algorithms and protocols.
Symmetric encryption algorithms, such as the Data Encryption Standard (DES)
and Advanced Encryption Standard (AES), became widely adopted for secure
data encryption and protection.
Asymmetric encryption, introduced by Whitfield Diffie and Martin Hellman in
the 1970s, revolutionized cryptography by enabling secure key exchange and
digital signatures without requiring shared secret keys.
6. Public Key Cryptography:
Public key cryptography, based on mathematical principles such as modular arithmetic and the difficulty of factoring large prime numbers, paved the way for secure communication.
The RSA algorithm, developed by Ron Rivest, Adi Shamir, and Leonard Adleman in 1977, remains one of the most widely used asymmetric encryption algorithms for secure data transmission and digital signatures.
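A worked example of the asymmetric scheme described in section 3 (public key encrypts, private key decrypts) and of the digital signature use from section 4, using textbook RSA as in item 6. This is added illustration code, not part of the original notes: the two prime pairs are constructed and far too small for real use, and the scheme has no padding, so it shows the mathematics only; deployed RSA uses keys of 2048 bits or more with OAEP/PSS padding.

```python
import hashlib
from math import gcd


def keygen(p: int, q: int, e: int = 65537):
    """Build an RSA key pair from two primes. n = p*q is public; d is the
    private exponent, the modular inverse of e modulo (p-1)(q-1). Recovering
    d from (n, e) requires factoring n, which is what makes the scheme work."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)  # (public key, private key)


def encrypt(public_key, message: bytes) -> int:
    """Anyone holding the public key can encrypt: c = m^e mod n."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Only the private key holder can decrypt: m = c^d mod n."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(message: bytes, n: int) -> int:
    # Sign a hash of the message rather than the message itself, reduced
    # into the range of the modulus for this toy-sized key.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Signature: the private exponent applied to the message hash."""
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone with the public key checks that sig^e mod n equals the hash of
    the message they received; a changed message or a different signer fails."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


if __name__ == "__main__":
    # Constructed primes (not secure sizes); each party publishes n and e.
    alice_pub, alice_priv = keygen(1000000007, 998244353)
    order = b"pay 100"
    c = encrypt(alice_pub, order)          # anyone can encrypt to Alice
    print("decrypted by Alice:", decrypt(alice_priv, c))
    sig = sign(alice_priv, order)          # only Alice can sign as Alice
    print("valid signature:", verify(alice_pub, order, sig))
    print("tampered message:", verify(alice_pub, b"pay 900", sig))
```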
7. Modern Cryptographic Applications:
Cryptography plays a crucial role in modern digital communication,
cybersecurity, and information security.
It is used to secure online transactions, protect sensitive data, authenticate users,
ensure privacy in communication channels, and safeguard critical infrastructure
and systems from cyber threats.
COMPONENTS OF ENCRYPTION
Encryption involves several components working together to secure data and
communication. Here are the key components of encryption:
Plaintext: This is the original, unencrypted data that needs to be protected.
Plaintext can include text, files, messages, or any form of digital information.
Ciphertext: Ciphertext is the encrypted form of plaintext. It is produced by
applying an encryption algorithm to the plaintext using an encryption key.
Ciphertext appears as random or unintelligible data and cannot be understood
without decryption.
Encryption Algorithm: An encryption algorithm is a mathematical procedure or
set of rules used to transform plaintext into ciphertext. Encryption algorithms
come in various forms, such as symmetric encryption and asymmetric encryption.
Common encryption algorithms include AES (Advanced Encryption Standard),
RSA (Rivest-Shamir-Adleman), and DES (Data Encryption Standard).
Encryption Key: An encryption key is a piece of data used as input to the
encryption algorithm to control the encryption and decryption process. The
choice of encryption key determines the security and strength of the encryption.
Keys can be symmetric or asymmetric:
Symmetric Key: In symmetric encryption, the same secret key is used for both
encryption and decryption. The sender and receiver must share this secret key
securely.
Asymmetric Key Pair: Asymmetric encryption uses a pair of keys: a public key
for encryption and a private key for decryption. The public key can be freely
distributed, while the private key is kept secret.
Key Management: Key management involves generating, storing, distributing,
and protecting encryption keys. Proper key management practices are essential
for maintaining the security and integrity of encrypted data and preventing
unauthorized access or misuse of encryption keys.
Cryptographic Protocols: Cryptographic protocols are sets of rules and
procedures governing secure communication and data exchange. They define
how encryption and decryption are performed, how keys are exchanged and
authenticated, and how secure connections are established over networks.
Examples of cryptographic protocols include SSL/TLS (Secure Sockets
Layer/Transport Layer Security) for secure web browsing and SSH (Secure Shell)
for secure remote access.
Authentication: Encryption may be combined with authentication mechanisms
to verify the identity of communicating parties and ensure the integrity of
encrypted data. Authentication methods include digital signatures, certificates,
and shared secrets.
Secure Channels: Encryption is often used to establish secure communication
channels or tunnels over untrusted networks, such as the internet. Secure channels
protect data transmitted between parties from interception, eavesdropping, or
tampering.
Firewalls:
A firewall is a network security device, which can be hardware or software-based, that monitors incoming and outgoing network traffic. It either accepts, rejects, or drops traffic based on a defined set of security rules.
Firewalls operate with the following actions:
Accept: Allows the traffic to pass through.
Reject: Blocks the traffic and sends an "unreachable error" message in reply.
Drop: Blocks the traffic without sending any reply.
In other words, a firewall filters network traffic based on the security policies set up within an organization. At its most basic level, a firewall is the wall that separates a private internal network from the open Internet.
TYPES OF FIREWALLS
Firewalls can be categorized into several types based on their architecture,
functionality, and deployment characteristics. Here are the main types of
firewalls:
1. Packet Filtering Firewall:
Packet filtering firewalls operate at the network layer (Layer 3) of the OSI model.
They examine individual packets of data as they pass through the firewall and
make filtering decisions based on predetermined rules, such as source and
destination IP addresses, port numbers, and protocols.
Packet filtering firewalls are typically stateless, meaning they do not maintain
session information or context awareness.
2. Stateful Inspection Firewall:
Stateful inspection firewalls combine the functionality of packet filtering with the
ability to track the state of active network connections.
They maintain stateful information about established connections, such as TCP
handshake, packet sequence, and session state, to make informed decisions about
allowing or denying traffic.
Stateful inspection firewalls offer enhanced security and performance compared
to packet filtering firewalls by providing context-aware filtering and improved
protection against network-based attacks.
3. Application Layer Firewall (Proxy Firewall):
Application layer firewalls, also known as proxy firewalls, operate at the
application layer (Layer 7) of the OSI model.
They inspect network traffic at the application level, analyzing the payload of
packets to identify specific application protocols, behaviors, or signatures.
Proxy firewalls act as intermediaries between clients and servers, establishing separate connections for inbound and outbound traffic and providing advanced application-level filtering, authentication, and content inspection capabilities.
4. Next-Generation Firewall (NGFW):
Next-generation firewalls (NGFWs) incorporate advanced security features and
capabilities beyond traditional firewall functionalities. They combine stateful
inspection with deep packet inspection (DPI), intrusion detection and prevention
(IDS/IPS), application awareness, and advanced threat intelligence to provide
comprehensive network security. NGFWs offer granular control over
applications, users, and content, enabling organizations to enforce security
policies, detect and block sophisticated threats, and mitigate cyber risks
effectively.
5. Proxy Server Firewall:
Proxy server firewalls act as intermediaries between internal clients and external
servers, intercepting and filtering network traffic on behalf of clients. They
provide additional security and privacy by hiding internal network details,
modifying requests and responses, and caching content to improve performance.
Proxy server firewalls can be deployed for specific protocols or applications, such
as web proxies, email proxies, and FTP proxies, to enforce access controls,
content filtering, and security policies.
6. Hardware Firewall:
Hardware firewalls are standalone devices dedicated to performing firewall
functions, such as packet filtering, stateful inspection, and network address
translation (NAT). They are typically deployed at network boundaries, such as
perimeter gateways or network entry points, to protect entire networks or subnets
from external threats. Hardware firewalls offer high-performance packet
processing, scalability, and reliability, making them suitable for enterprise
networks, data centers, and network infrastructure environments.
7. Software Firewall:
Software firewalls are software-based applications or modules installed on
individual computers, servers, or network devices to provide localized firewall
protection.
They offer flexibility, ease of deployment, and cost-effectiveness compared to
hardware firewalls, making them suitable for small office/home office (SOHO)
environments, personal computers, and virtualized environments.
Software firewalls can be integrated with operating systems, security software
suites, or network management platforms to provide host-based firewall
protection and centralized management.
8. Cloud Firewall:
Cloud firewalls are virtualized firewall instances deployed in cloud computing
environments to protect cloud-based workloads, applications, and infrastructure.
They offer scalable, on-demand firewall protection for virtual machines,
containers, and cloud-native services deployed in public, private, or hybrid cloud
environments.
Cloud firewalls provide centralized security management, policy enforcement, and visibility across distributed cloud deployments, enabling organizations to secure dynamic and elastic cloud environments effectively.
Protecting a Web Server with a Firewall:
Protecting a web server with a firewall is an essential part of securing your online presence and ensuring the integrity, confidentiality and availability of your web-based services. Here is how you can use a firewall to protect your web server:
1. Perimeter Firewall Deployment:
Deploy a perimeter firewall at the network boundary between the internet and the
internal network or web server infrastructure.
Configure the firewall to filter incoming and outgoing traffic based on predefined
security rules and policies to control access to the web server.
2. Packet Filtering:
Implement packet filtering rules on the firewall to allow or deny traffic based on
source and destination IP addresses, port numbers, and protocols.
Allow inbound traffic only on necessary ports (e.g., HTTP port 80, HTTPS port
443) for web services and block all other unnecessary ports to minimize the attack
surface.
3. Stateful Inspection:
Enable stateful inspection on the firewall to maintain awareness of active network
connections and track the state of TCP sessions.
Stateful inspection allows the firewall to make informed decisions about allowing
or denying traffic based on established connections, preventing unauthorized
access and session hijacking attacks.
4. Application Layer Filtering:
Use an application layer firewall or a next-generation firewall (NGFW) with deep
packet inspection (DPI) capabilities to analyze web traffic at the application layer.
Apply application-specific filtering rules to identify and block malicious or
suspicious web traffic, such as SQL injection, cross-site scripting (XSS), and
other application-layer attacks.

5. Content Filtering:
Implement content filtering on the firewall to inspect and control the content of
web traffic based on predefined rules and policies. Block access to malicious
websites, URLs, domains, or content categories (e.g., malware, phishing, adult
content) to protect users from web-based threats and enforce acceptable use
policies.
6. Intrusion Detection and Prevention (IDS/IPS):
Deploy an intrusion detection and prevention system (IDS/IPS) in conjunction
with the firewall to detect and block known and emerging web-based threats.
Enable signature-based detection, anomaly detection, and protocol inspection
capabilities to identify and mitigate web application attacks, such as buffer
overflows, directory traversal, and HTTP-based attacks.
7. Web Application Firewall (WAF):
Consider deploying a dedicated web application firewall (WAF) to protect your
web server from targeted web application attacks and vulnerabilities.
WAFs provide advanced application-layer protection, including signature-based
filtering, behavioral analysis, and virtual patching, to defend against OWASP Top
10 threats and zero-day exploits.
8. Secure Remote Access:
If your web server requires remote administration or management access, restrict
remote access through the firewall to authorized IP addresses or VPN
connections.
Implement secure remote access controls, such as two-factor authentication
(2FA) and strong encryption protocols, to secure remote administrative access
and prevent unauthorized access attempts.
9. Logging and Monitoring:
Enable logging and monitoring features on the firewall to capture security events,
traffic activities, and firewall rule violations.
Regularly review firewall logs, generate security reports, and analyze traffic
patterns to detect anomalies, identify security incidents, and respond to emerging
threats in real-time.
10. Updates and Maintenance:
Keep the firewall firmware, software, and security signatures up to date with the
latest patches, updates, and threat intelligence feeds.
Perform regular security assessments, firewall rule reviews, and penetration tests
to evaluate the effectiveness of your firewall configuration and ensure compliance
with security best practices and industry standards.
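To make the logging and monitoring step concrete, here is an added example (it is not part of the original notes) that parses constructed iptables-style firewall log lines and flags source addresses whose dropped packets touched many distinct destination ports, one of the traffic patterns a log review looks for. The FW-DROP/FW-ACCEPT log prefixes, the addresses and the five-port threshold are constructed assumptions.

```python
"""Parse constructed netfilter-style firewall log lines and flag sources whose
dropped packets probed many distinct destination ports."""
import re
from collections import defaultdict

# Constructed sample log (not real traffic). The format mimics the kernel log
# lines produced by an iptables rule with the LOG target and a --log-prefix.
SAMPLE_LOG = """\
Mar  3 10:01:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22
Mar  3 10:01:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23
Mar  3 10:01:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=25
Mar  3 10:01:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=3306
Mar  3 10:01:04 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=8080
Mar  3 10:01:05 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443
Mar  3 10:01:06 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443
Mar  3 10:01:07 fw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=443
"""

LOG_RE = re.compile(
    r"(?P<prefix>FW-\w+): IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not a firewall line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    rec["spt"] = int(rec["spt"]) if rec["spt"] else None
    return rec

def dropped_ports_by_source(log_text):
    """Map each source address to the set of destination ports it was dropped on."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["prefix"] == "FW-DROP" and rec["dpt"] is not None:
            ports[rec["src"]].add(rec["dpt"])
    return ports

def find_port_scanners(log_text, threshold=5):
    """Sources whose dropped packets hit at least `threshold` distinct ports,
    with the sorted port list, so an analyst can see what was probed."""
    return {src: sorted(p) for src, p in dropped_ports_by_source(log_text).items()
            if len(p) >= threshold}

if __name__ == "__main__":
    print(find_port_scanners(SAMPLE_LOG))
```

Repeated drops against one port (198.51.100.7 above) are not flagged, which is deliberate: a host retrying a closed port looks different from a host sweeping many ports, and the threshold is the knob a team tunes against its own false-positive rate.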

Firewall and the security policy:


1. Harden and Properly Configure the Firewall
Most all-in-one firewall appliances ship with an operating system that has
already been hardened by the vendor. If deploying a software firewall solution,
ensure the host OS is patched and hardened first.
2. Plan Firewall Deployment
Firewalls are vital for applying zero trust security principles by monitoring and
controlling inbound and outbound access across network boundaries in a macro-
segmented network.
Consider if the firewall needs a dedicated management interface. Lights-out
Management and serial console access should only be accessible from dedicated,
secure networks.
3. Secure the Firewall
A firewall is a vital component of an organization's security infrastructure and
needs protection against exploitation. To secure the firewall, take the following
steps.
a) Disable insecure protocols like telnet and SNMP, or use a secure SNMP
configuration.
b) Schedule periodic backups of the configuration and database.
c) Enable auditing of system changes and send logs via secure syslog or another
method to an external, secured, central SIEM server or firewall management
solution for forensics and reporting.
d) Add a stealth rule in the firewall policy to hide the firewall from network scans.
e) Limit management access to specific hosts.
f) Firewalls are not immune to vulnerabilities. Check with the vendor to see if
there are any known vulnerabilities and security patches that fix the vulnerability.
4. Secure User Accounts
Account takeover is a common technique used by cyber threat actors. To secure
user accounts on your firewall, do the following:
a) Rename or change default accounts and passwords.
b) Require MFA and/or set a strong password policy (complex passwords with
upper and lower case letters, special characters, and numbers, 12 characters or
longer, prevent password reuse).
c) Use role-based access control (RBAC) for firewall admins. Delegate and limit
access to match the user's need for access (i.e., allow only read-only access for
auditors and create dedicated access roles and accounts for DevSecOps teams).
5. Lock Down Zone Access to Approved Traffic
The primary function of a firewall is to enforce and monitor access for network
segmentation.
Firewalls can inspect and control north/south traffic across a network boundary.
In this macro-segmentation use case, the zones are broad groups like external,
internal, DMZ, and guest Wi-Fi. They may also be business groups on separate
internal networks like data center, HR, and finance or a production floor in a
manufacturing plant that uses Industrial Control Systems (ICS).
6. Ensure Firewall Policy and Use Complies with Standards
Regulations have specific requirements for firewalls. Any security best practice
must comply with these requirements and may require adding additional security
controls to any deployed firewall. Example requirements include using virtual
private networks (VPNs) to encrypt data in transit, antivirus to prevent known
malware, and intrusion detection and prevention systems (IDS/IPS) to detect any
network intrusion attempts.
Additional PCI DSS requirements include:
A) Use anti-spoofing techniques to detect and block falsified source IP addresses
from entering the network, such as blocking inbound traffic on the external
interface from internal network addresses.
B) Do not disclose private IP addresses and routing information to unauthorized
parties, using Network Address Translation (NAT) and removing route
advertisements for private networks.
C) Every half year, review and clean up unnecessary, outdated, or incorrect
firewall rules, ensuring that all rules allow only authorized services and ports.
D) Encrypt the transmission of cardholder data across open, public networks.
7. To verify the policy and identify risk:
Firewall policies should be applied in a top-down order. Optimize them by
moving frequently hit rules higher in the inspection order.
Regularly inspect the policy to optimize firewall performance.
Perform regular penetration testing to identify any additional security measures
needed beyond the firewall to secure the organization.
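Steps 5 to 7 above (zone access, the PCI DSS anti-spoofing and rule clean-up requirements, and top-down policy order) can be checked mechanically. The following is an added example, not code from the original notes: a small first-match policy simulator that lists shadowed rules (ones an earlier rule already covers, so they never hit), flags any-any allows, and probes whether an internal source address arriving on the external interface would be accepted. The rule format, the addresses, the interface name "ext" and the policy itself are constructed for the example.

```python
"""Audit a small first-match firewall policy the way a rule review would:
simulate top-down evaluation, list shadowed rules, flag over-broad allows,
and test the anti-spoofing requirement. Policy, networks and interface
names are constructed for the example."""
import ipaddress

ANY = "any"

def rule(action, iface, src, dst, proto=ANY, dport=ANY):
    """One rule; src/dst are CIDR strings or ANY, dport is an int or ANY."""
    return {"action": action, "iface": iface,
            "src": ANY if src == ANY else ipaddress.ip_network(src),
            "dst": ANY if dst == ANY else ipaddress.ip_network(dst),
            "proto": proto, "dport": dport}

def packet(iface, src, dst, proto, dport):
    return {"iface": iface, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto, "dport": dport}

# Constructed policy for a DMZ web server (192.0.2.10) behind external interface "ext".
POLICY = [
    rule("allow", "ext", ANY, "192.0.2.10/32", "tcp", 443),              # 0 public HTTPS
    rule("allow", "ext", "198.51.100.0/24", "192.0.2.10/32", "tcp", 22),  # 1 partner SSH
    rule("allow", "ext", ANY, "192.0.2.10/32", "tcp", 443),              # 2 duplicate of 0
    rule("allow", "ext", ANY, ANY),                                       # 3 any-any allow
    rule("deny",  "ext", ANY, ANY),                                       # 4 clean-up deny
]
INTERNAL_NETS = ["10.0.0.0/8", "192.168.0.0/16"]

def _in(field, addr):
    return field == ANY or addr in field

def matches(r, p):
    return (r["iface"] == p["iface"] and _in(r["src"], p["src"]) and _in(r["dst"], p["dst"])
            and r["proto"] in (ANY, p["proto"]) and r["dport"] in (ANY, p["dport"]))

def evaluate(rules, p):
    """Top-down, first match wins; implicit deny if nothing matches."""
    for i, r in enumerate(rules):
        if matches(r, p):
            return r["action"], i
    return "deny", None

def _covers(outer, inner):
    """True if every packet matching `inner` would already match `outer`."""
    def net_covers(a, b):
        return a == ANY or (b != ANY and b.subnet_of(a))
    return (outer["iface"] == inner["iface"] and net_covers(outer["src"], inner["src"])
            and net_covers(outer["dst"], inner["dst"])
            and outer["proto"] in (ANY, inner["proto"])
            and outer["dport"] in (ANY, inner["dport"]))

def find_shadowed(rules):
    """Indices of rules that can never be hit because an earlier rule covers them."""
    return [j for j in range(len(rules)) if any(_covers(rules[i], rules[j]) for i in range(j))]

def find_over_broad_allows(rules):
    """Allow rules with no source, destination, protocol or port restriction."""
    return [i for i, r in enumerate(rules) if r["action"] == "allow"
            and all(r[k] == ANY for k in ("src", "dst", "proto", "dport"))]

def antispoof_violations(rules, internal_nets, ext_iface="ext", target="192.0.2.10"):
    """Packets carrying an internal source address that arrive on the external
    interface must be denied; report each internal net a rule would let through."""
    bad = []
    for cidr in internal_nets:
        probe = packet(ext_iface, str(ipaddress.ip_network(cidr)[1]), target, "tcp", 443)
        action, idx = evaluate(rules, probe)
        if action == "allow":
            bad.append((cidr, idx))
    return bad

# Corrected policy: explicit anti-spoofing denies first, no any-any allow.
FIXED_POLICY = ([rule("deny", "ext", cidr, ANY) for cidr in INTERNAL_NETS]
                + [POLICY[0], POLICY[1], POLICY[4]])

if __name__ == "__main__":
    print("shadowed:", find_shadowed(POLICY), "over-broad:", find_over_broad_allows(POLICY))
    print("anti-spoof violations:", antispoof_violations(POLICY, INTERNAL_NETS))
    print("after fix:", find_shadowed(FIXED_POLICY), antispoof_violations(FIXED_POLICY, INTERNAL_NETS))
```

Note that the spoofing probe is allowed by rule 0, not by the any-any rule: a perfectly reasonable "HTTPS from anywhere" rule admits forged internal addresses unless an anti-spoofing deny sits above it, which is why the fixed policy puts those denies first.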
NETWORK FIREWALLS
A network firewall is a security device or software that monitors, filters, and
controls incoming and outgoing network traffic based on predetermined security
rules. The primary purpose of a firewall is to establish a barrier between a trusted
internal network and untrusted external networks, such as the internet. Firewalls
play a crucial role in preventing unauthorized access, protecting against cyber
threats, and ensuring the security of the network infrastructure. Here are aspects
of network firewalls:
1. Packet Filtering
Firewalls use packet filtering to examine data packets and make decisions about
whether to allow or block them based on specific criteria, such as source and
destination IP addresses, port numbers, and protocol types.
2. Stateful Inspection
Stateful firewalls keep track of the state of active connections and make decisions
based on the context of the traffic. They understand the state of a communication
session, allowing for more intelligent and context-aware filtering.
3. Proxy Services
Some firewalls act as proxies, forwarding requests on behalf of clients. This can
enhance security by inspecting and filtering the content of the requests and
responses. Common proxy services include HTTP proxies and SOCKS proxies.
4. Network Address Translation (NAT)
Firewalls often use NAT to hide the internal IP addresses of devices from external
networks. NAT translates private IP addresses to a single public IP address,
providing an additional layer of security.

5. Application-Layer Filtering
Firewalls can perform filtering at the application layer, inspecting the content
of application-layer protocols such as HTTP, FTP, and DNS. This allows for
more granular control over specific types of traffic.
6. Virtual Private Network (VPN) Support
Firewalls may support VPNs, allowing secure communication over public
networks by encrypting data between connected devices. VPNs are commonly
used for remote access and secure communication between branch offices.
7. Intrusion Detection and Prevention Systems (IDPS)
Some advanced firewalls integrate intrusion detection and prevention
capabilities. These systems analyze network traffic for signs of malicious activity
and can take proactive measures to block or mitigate potential threats.
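The difference between packet filtering (item 1) and stateful inspection (item 2) is easiest to see in code. Below is an added example, not taken from the notes: a toy stateful firewall that records connections opened from the inside and admits outside traffic only when it belongs to a tracked connection or targets an explicitly published service. Packet 3 in the demo is the case a stateless "allow packets with ACK set" rule gets wrong. Interface names, addresses and the published service are constructed.

```python
"""Toy stateful packet filter: track connections started from the inside and
admit only their return traffic from the outside, plus new connections to
explicitly published services. Addresses and policy are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrives on: "inside" or "outside"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

def is_new_tcp(p):
    """A bare SYN opens a TCP connection; any other flag combination does not."""
    return p.proto != "tcp" or (p.syn and not p.ack)

class StatefulFirewall:
    def __init__(self, inbound_allow):
        self.inbound_allow = set(inbound_allow)   # (dst, dport) reachable from outside
        self.conntrack = set()                     # 5-tuples of connections we admitted
        self.log = []

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p):
        if self._key(p) in self.conntrack or self._reverse_key(p) in self.conntrack:
            decision = "ACCEPT"            # packet belongs to a tracked connection
        elif p.iface == "inside" and is_new_tcp(p):
            self.conntrack.add(self._key(p))
            decision = "ACCEPT"            # new outbound connection: remember it
        elif p.iface == "outside" and (p.dst, p.dport) in self.inbound_allow and is_new_tcp(p):
            self.conntrack.add(self._key(p))
            decision = "ACCEPT"            # new inbound connection to a published service
        else:
            decision = "DROP"              # unsolicited or mid-stream packet with no state
        self.log.append((decision, p))
        return decision

def demo():
    fw = StatefulFirewall(inbound_allow={("192.0.2.10", 443)})
    return [
        # 1. workstation opens TCP to an outside server
        fw.filter(Packet("inside", "tcp", "10.0.0.5", 40000, "198.51.100.20", 443, syn=True)),
        # 2. the server's SYN/ACK comes back: reverse tuple is tracked
        fw.filter(Packet("outside", "tcp", "198.51.100.20", 443, "10.0.0.5", 40000, syn=True, ack=True)),
        # 3. unsolicited ACK from elsewhere: no state, so dropped
        fw.filter(Packet("outside", "tcp", "198.51.100.99", 4444, "10.0.0.5", 40000, ack=True)),
        # 4. new connection from outside to the published web server
        fw.filter(Packet("outside", "tcp", "203.0.113.7", 50000, "192.0.2.10", 443, syn=True)),
        # 5. new connection from outside to an unpublished port on the same host
        fw.filter(Packet("outside", "tcp", "203.0.113.7", 50001, "192.0.2.10", 22, syn=True)),
    ]

if __name__ == "__main__":
    print(demo())
```

A real connection tracker also ages entries out and follows TCP state transitions (FIN, RST) so the table cannot grow without bound; this toy keeps entries forever, which is itself a resource-exhaustion risk a production firewall must handle.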

WORKING OF FIREWALLS
Firewalls control and monitor the traffic entering and leaving the network.
Data arrives at the network in the form of packets, and from a single packet it is
hard to tell whether it is safe for the network or not. This is what gives hackers
and intruders the chance to bombard networks with viruses, malware, spam, and
similar traffic; the firewall inspects each packet against its rules before letting it
through.
Benefits of Network Firewall
1. Monitoring and Analyzing Network Traffic: A network firewall monitors
and analyzes traffic by inspecting it to determine whether the packets
passing through the network are safe. By doing so, it protects the network
from malicious content that could harm the network.
2. Defense against hacking: Firewalls are crucial for network security in a
technologically connected society.
3. Virus attack prevention: Firewalls can prevent viruses originating from
sources like insecure websites and spam.
4. Enhanced security: Firewalls monitor the network to establish a secure
environment free from malware, viruses, and spam.
5. Increased privacy: By securing the network, firewalls enhance user
privacy.
The drawbacks of using a network firewall include:
1. Cost: Depending on the type, firewalls can be expensive, with hardware
firewalls generally costing more than software.
2. Restricted user access: The strict security measures of firewalls can limit user
access, which can be disadvantageous for large organizations.
3. Network slowdown: Firewalls monitor every data packet, which can slow
down network operations.
4. Continuous maintenance: Firewalls require regular updates and maintenance
to adapt to changes in networking technology and combat new viruses.
APPLICATION LAYER FIREWALLS
Application layer firewalls, also known as next-generation firewalls (NGFWs),
are advanced security devices that operate at the application layer (Layer 7) of
the OSI model. Unlike traditional network firewalls that primarily focus on
packet-level filtering and inspection, application layer firewalls provide deep
packet inspection (DPI) capabilities, allowing them to analyze and control traffic
based on the specific application protocols and contents.
Here are some key features and characteristics of application layer firewalls:
1. Deep Packet Inspection (DPI):
Application layer firewalls inspect the entire contents of network packets,
including application-layer data, payloads, and headers.
DPI enables the firewall to understand the context of network traffic and make
granular filtering and policy decisions based on application protocols and content.
2. Application Awareness:
Application layer firewalls have extensive knowledge of various application-
layer protocols, including HTTP, HTTPS, FTP, SMTP, DNS, and others.
They can identify and classify traffic based on specific applications and
application categories, allowing organizations to enforce policies tailored to
different types of applications.
3. Content Filtering and Control:
Application layer firewalls offer advanced content filtering capabilities, allowing
organizations to inspect and control the content of network traffic.
Administrators can create policies to block or allow specific content types, URLs,
file extensions, keywords, or patterns, helping mitigate risks associated with
malware, data loss, and compliance violations.
4. User Identification and Authentication:
Application layer firewalls support user identification and authentication
mechanisms, enabling organizations to enforce access controls based on user
identities and roles.
Users may be required to authenticate before accessing specific applications or
services, ensuring proper authorization and accountability for network activities.
5. Intrusion Detection and Prevention (IDPS):
Many application layer firewalls integrate intrusion detection and prevention
systems (IDPS) to detect and block network-based attacks targeting application-
layer vulnerabilities.
IDPS functionality helps organizations identify and respond to security threats in
real-time, including web application attacks, SQL injection, cross-site scripting
(XSS), and command injection.
6. Advanced Threat Prevention:
Application layer firewalls incorporate advanced threat prevention capabilities,
such as antivirus, anti-malware, sandboxing, and threat intelligence integration.
By combining signature-based detection, behavioral analysis, and threat
intelligence feeds, application layer firewalls can proactively identify and
mitigate known and emerging threats targeting application-layer protocols and
services.
7. Integration with Security Ecosystem:
Application layer firewalls integrate with other security solutions and ecosystem
components, such as security information and event management (SIEM)
platforms, endpoint protection solutions, and threat intelligence feeds.
Integration enables coordinated threat detection, response orchestration, and
centralized security management across the organization's security infrastructure.
8. Policy-based Controls:
Application layer firewalls allow organizations to define and enforce granular
security policies based on specific applications, users, groups, and content
attributes.
Administrators can create rules and policies to allow, deny, or restrict access to
applications, URLs, content categories, and user-generated content, providing
fine-grained control over network traffic and behaviour.
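Items 1, 3 and 5 above (deep packet inspection, content filtering and application-layer attack detection) come together in the kind of rule set a WAF runs over each HTTP request. The following is an added example, not code from the notes or from any product: it parses a raw request, URL-decodes the path, query and body (twice, so double-encoded payloads are seen in the clear), and matches them against detection signatures for SQL injection, cross-site scripting and directory traversal. The signatures and the sample requests are constructed and deliberately small.

```python
"""Application-layer inspection in the style of a WAF rule set: parse an HTTP
request, normalise (URL-decode) its path, query and body, and match them
against detection signatures. Signatures and sample requests are constructed."""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed signatures; real rule sets are far larger and more careful.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b[\s\S]*\bselect\b|'\s*or\s+\S+\s*=\s*\S+|;\s*drop\s+table)"),
    "xss": re.compile(r"(?i)(<\s*script|javascript:|\bon\w+\s*=)"),
    "traversal": re.compile(r"(\.\./|\.\.\\)"),
}
ALLOWED_METHODS = {"GET", "POST", "HEAD"}

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "path": parts.path, "query": parts.query,
            "headers": headers, "body": body}

def normalise(text):
    # Decode twice so double-encoded payloads (e.g. %252e) are inspected decoded.
    return unquote_plus(unquote_plus(text))

def inspect_request(raw):
    """Return ("ALLOW", None) or ("BLOCK", reason) for one raw request."""
    req = parse_request(raw)
    if req["method"] not in ALLOWED_METHODS:
        return ("BLOCK", "method-not-allowed")
    for field in ("path", "query", "body"):
        text = normalise(req[field])
        for name, sig in SIGNATURES.items():
            if sig.search(text):
                return ("BLOCK", f"{name} in {field}")
    return ("ALLOW", None)

# Constructed sample requests: one benign, the rest carrying textbook payloads.
SAMPLE_REQUESTS = {
    "benign": "GET /products?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "sqli": "GET /products?id=42'%20OR%201=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "xss": ("POST /comment HTTP/1.1\r\nHost: shop.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    "traversal": "GET /download?file=..%252F..%252Fetc%252Fpasswd HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "method": "TRACE / HTTP/1.1\r\nHost: shop.example\r\n\r\n",
}

def inspect_all():
    return {name: inspect_request(raw) for name, raw in SAMPLE_REQUESTS.items()}

if __name__ == "__main__":
    for name, verdict in inspect_all().items():
        print(f"{name:10} {verdict}")
```

The decoding step is the important part: without it the traversal request passes every signature. The flip side is false positives, for instance the `\bon\w+\s*=` pattern also fires on a harmless parameter named `online`, which is why production rule sets are tuned per application rather than applied blindly.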
Proxy Server:
A proxy server acts as an intermediary between client devices (such as computers
or smartphones) and the internet. It serves several purposes, including enhancing
security, privacy, and performance. Here are key aspects of a proxy server:
1. Proxy Server Functionality:
A proxy server forwards requests and responses between client devices and the
internet. When a client sends a request to access a resource, the request first goes
to the proxy server, which then fetches the resource on behalf of the client.
2. Anonymity and privacy:
Proxy servers can be used to enhance user privacy by acting as an intermediary
that hides the client's IP address from the destination server. This helps users
browse the internet more anonymously.
3. Access Control and Content Filtering:
Organizations often use proxy servers to control and filter internet access. Access
control policies can be implemented to restrict or allow access to specific
websites or content categories.
4. Caching:
Proxy servers can cache frequently accessed resources locally. When multiple
clients request the same resource, the proxy can serve it from its cache, reducing
the load on the internet and improving performance.
5. Security:
Proxy servers can enhance security by acting as a barrier between the internal
network and the internet. They can filter out malicious content, block access to
harmful websites, and provide an additional layer of defense against cyber threats.
6. Load Balancing:
In a corporate or organizational setting, proxy servers can be configured for load
balancing. This helps distribute incoming network traffic across multiple servers
to optimize resource utilization and improve overall performance.
7. Content Modification:
Some proxy servers allow content modification, where the proxy can alter the
content of web pages before delivering them to the client. This can include
compressing images or removing ads.
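Aspects 1, 3, 4 and 5 above (forwarding, access control and content filtering, caching, and keeping the client behind a barrier) can be shown in one small decision engine. This is an added example, not code from the notes or from any proxy product: the origin fetcher, the domain category list and the sample requests are constructed stand-ins, so nothing touches the real network, and the injectable clock lets the cache TTL be exercised deterministically.

```python
"""Forward proxy decision logic: category-based access control, response
caching with a TTL, and an audit trail of decisions. The origin fetcher, the
domain category list and the sample requests are constructed stand-ins."""
from urllib.parse import urlsplit

BLOCKED_CATEGORIES = {"malware", "phishing"}
# Constructed categorisation, standing in for a vendor URL-classification feed.
DOMAIN_CATEGORIES = {
    "shop.example": "shopping",
    "bad.example": "malware",
    "login-bank.example": "phishing",
}

class FakeOrigin:
    """Stand-in for the internet: counts fetches and records the headers it saw."""
    def __init__(self):
        self.fetches = 0
        self.seen_headers = []

    def fetch(self, url, headers):
        self.fetches += 1
        self.seen_headers.append(dict(headers))
        return f"content of {url}"

class ForwardProxy:
    def __init__(self, origin, clock, cache_ttl=60):
        self.origin = origin
        self.clock = clock              # callable returning the current time in seconds
        self.cache_ttl = cache_ttl
        self.cache = {}                 # url -> (expires_at, body)
        self.audit = []                 # (client_ip, url, decision, category)

    def request(self, client_ip, url, client_headers=None):
        domain = urlsplit(url).hostname or ""
        category = DOMAIN_CATEGORIES.get(domain, "uncategorised")
        if category in BLOCKED_CATEGORIES:
            self.audit.append((client_ip, url, "BLOCKED", category))
            return 403, "blocked by policy"
        now = self.clock()
        hit = self.cache.get(url)
        if hit and hit[0] > now:
            self.audit.append((client_ip, url, "CACHE_HIT", category))
            return 200, hit[1]
        # Only the proxy's own identity goes upstream; the client address is not added.
        upstream = dict(client_headers or {})
        upstream["Via"] = "1.1 corp-proxy"      # constructed proxy name
        body = self.origin.fetch(url, upstream)
        self.cache[url] = (now + self.cache_ttl, body)
        self.audit.append((client_ip, url, "FETCHED", category))
        return 200, body

def demo():
    origin = FakeOrigin()
    clock = [1000.0]
    proxy = ForwardProxy(origin, clock=lambda: clock[0], cache_ttl=60)
    codes = [
        proxy.request("10.0.0.5", "http://shop.example/catalog")[0],   # fetched from origin
        proxy.request("10.0.0.6", "http://shop.example/catalog")[0],   # served from cache
        proxy.request("10.0.0.5", "http://bad.example/dropper")[0],    # blocked by category
    ]
    clock[0] += 120                                                    # cache entry expires
    codes.append(proxy.request("10.0.0.5", "http://shop.example/catalog")[0])  # refetched
    return {"codes": codes,
            "origin_fetches": origin.fetches,
            "decisions": [entry[2] for entry in proxy.audit]}

if __name__ == "__main__":
    print(demo())
```

The audit list is the piece a security team actually uses: it records which client asked for which URL and why the proxy decided as it did, which is what makes the access-control policy reviewable after the fact.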
Types of Proxy Server:
Proxy servers come in different types, each designed for specific purposes related
to functionality, security, and network management. The common types are
described below:
1. Forward Proxy
Acts as an intermediary between client devices and the internet. Clients send
requests to the forward proxy, which then forwards these requests to the internet
on behalf of the clients.
Use Cases:
a) Enhances privacy: hides client IP addresses.
b) Implements content filtering and access control policies: manages and restricts
access to certain content.
c) Bandwidth optimization and caching: improves network efficiency and speed by
storing frequently accessed data.
2. Reverse Proxy
Sits between client devices and web servers. It handles requests from clients,
forwards them to the appropriate web servers, and then returns the servers'
responses to the clients.
Use Cases:
a) Load balancing to distribute incoming traffic across multiple servers.
b) SSL termination to handle encryption and decryption, improving server
security.
c) Web acceleration by caching and optimizing content.

3. Open Proxy
A proxy server that is accessible by any internet user. It does not require
authentication, allowing anyone to use it to access the internet.
Use Cases:
a) Limited use due to security risks.
b) Potential for misuse by malicious actors for various activities.

4. Transparent Proxy
Operates without requiring client-side configuration, and clients might not be
aware their requests are being forwarded through it.
Use cases:
a) Content filtering and access control in corporate networks.
b) Simplifying the user experience by eliminating the need for explicit client
configurations.
5. Anonymous Proxy:
Enhances user privacy by hiding the client's IP address from the destination
server.
Provides anonymity but may still reveal some information about the client.
Use cases:
Allows users to browse the internet more privately.
Useful for bypassing geo-restrictions on certain websites.

6. Distorting Proxy:
Similar to an anonymous proxy, but intentionally provides false information about
the client's IP address. Introduces inaccuracies to confuse tracking attempts.
Use cases:
a) Adds an additional layer of obfuscation for users who want to hide their identity.
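The transparent, anonymous and distorting types differ only in what the proxy tells the destination about the client, which is easiest to see as header handling. This is an added example, not from the notes: it builds the upstream headers each type sends, shows what the destination server can infer, and, from the server's side, shows the one rule that matters for logging and access decisions: a forwarded address is only evidence when it arrives from a proxy you operate. The Via and X-Forwarded-For headers are the conventional ones; the proxy, client and fake addresses are constructed.

```python
"""What a destination server learns about a client behind a transparent,
anonymous or distorting forward proxy, and how the server should decide
whether to trust a forwarded address. Addresses are constructed."""

PROXY_IP = "203.0.113.50"   # constructed address of the proxy itself

def outbound_headers(proxy_type, client_ip, base_headers=None):
    """Headers a proxy of the given type adds to the request it sends upstream."""
    h = dict(base_headers or {})
    if proxy_type == "transparent":
        # Identifies itself and passes the real client address straight through.
        h["Via"] = f"1.1 {PROXY_IP}"
        h["X-Forwarded-For"] = client_ip
    elif proxy_type == "anonymous":
        # Identifies itself as a proxy but withholds the client address.
        h["Via"] = f"1.1 {PROXY_IP}"
    elif proxy_type == "distorting":
        # Identifies itself but supplies a deliberately false client address.
        h["Via"] = f"1.1 {PROXY_IP}"
        h["X-Forwarded-For"] = "198.51.100.99"   # constructed fake address
    else:
        raise ValueError(f"unknown proxy type: {proxy_type}")
    return h

def origin_view(proxy_type, client_ip):
    """What the destination observes: its TCP peer is the proxy; the rest is headers."""
    h = outbound_headers(proxy_type, client_ip)
    claimed = h.get("X-Forwarded-For")
    return {"peer_ip": PROXY_IP,
            "knows_proxy_used": "Via" in h,
            "claimed_client": claimed,
            "real_client_revealed": claimed == client_ip}

def compare_all(client_ip="10.0.0.5"):
    return {t: origin_view(t, client_ip) for t in ("transparent", "anonymous", "distorting")}

def client_ip_for_logging(peer_ip, headers, trusted_proxies):
    """Server-side rule: honour X-Forwarded-For only when the TCP peer is a proxy
    you operate; from anyone else (including a distorting proxy) it is just a claim."""
    xff = headers.get("X-Forwarded-For")
    if xff and peer_ip in trusted_proxies:
        return xff.split(",")[0].strip()   # first hop is the original client
    return peer_ip

if __name__ == "__main__":
    for proxy_type, view in compare_all().items():
        print(f"{proxy_type:12} {view}")
```

The last function is the defender's takeaway from the whole taxonomy: a server that logs or rate-limits by X-Forwarded-For without checking which peer sent it lets any distorting proxy, or any client that sets the header itself, choose the address it is recorded as.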
