
OSI MODEL

Internet protocol suite

Application layer: BGP, DHCP, DNS, FTP, HTTP, SMTP, SNMP, SSH, Telnet, TLS/SSL, XMPP

Transport layer: TCP, UDP, DCCP, SCTP, RSVP

Internet layer: IP (IPv4, IPv6), ICMP, IGMP, IPsec

Link layer: ARP, NDP, Tunnels (L2TP), PPP, MAC (Ethernet, DSL, ISDN, FDDI)

Firewalls

Overview of Firewalls
As the name implies, a firewall provides secured access between two networks.
A firewall may be implemented as a standalone hardware device or as software on a client computer or a proxy server.
The two types are generally known as the hardware firewall and the software firewall.

What is a Firewall?
A choke point of control and monitoring
Interconnects networks with differing trust
Imposes restrictions on network services: only authorized traffic is allowed
Auditing and controlling access: can implement alarms for abnormal behavior

Hardware Firewall

What is it?
It is just a software firewall running on a dedicated piece of hardware or specialized device.
Basically, it is a barrier to keep destructive forces away from your property.
You can use a firewall to protect your home network and family from offensive Web sites and potential hackers.

Hardware Firewall (Cont.)


What it does
It is a hardware device that filters the information coming through the Internet connection into your private network or computer system.
If an incoming packet of information is flagged by the filters, it is not allowed through.

Hardware Firewall (Cont.)


An example

Hardware Firewall (Cont.)


Packet filtering: packets are analyzed against a set of filters.
Proxy service: information from the Internet is retrieved by the firewall and then sent to the requesting system, and vice versa.
Stateful inspection: compares certain key parts of the packet to a database of trusted information. Information traveling from the inside to the outside is monitored for specific defining characteristics; incoming information is then compared to these characteristics.

Hardware Firewall (Cont.)


What it protects you from:
Remote logins
Application backdoors
SMTP session hijacking
E-mail addresses
Spam
Denial of service
E-mail bombs (e-mail sent thousands of times until the mailbox is full)
Macros
Viruses

Software Firewall
What is it?
Also called an application-level firewall
A firewall that operates at the application layer of the OSI model
It filters packets at the network layer, operating between the data link layer and the network layer
It monitors the communication type (TCP, UDP, ICMP, etc.) as well as the origin of the packet, the destination port of the packet, and the application (program) the packet is coming from or headed to.

Software Firewall (Cont.)


How does a software firewall work?

Software Firewall (Cont.)


Benefits of using application firewalls:
allow a direct connection between client and host
ability to report to intrusion detection software
equipped with a certain level of logic
make intelligent decisions
can be configured to check for a known vulnerability
large amount of logging

Software Firewall (Cont.)


Benefits of application firewalls (Cont.)
easier to track when a potential vulnerability happens
protect against new vulnerabilities before they are found and exploited
ability to "understand" application-specific information structure
incoming or outgoing packets cannot access services for which there is no proxy

Software Firewall (Cont.)


Disadvantages of firewalls:
slow down network access dramatically
more susceptible to distributed denial of service (DDoS) attacks
not transparent to end users
require manual configuration of each client computer

Firewall Characteristics

Design goals:
1. All traffic from the inside to the outside must pass through the firewall (physically blocking all access to the local network except via the firewall).
2. Only authorized traffic (defined by the local security policy) will be allowed to pass.
3. The firewall itself is immune to penetration (use of trusted systems with secure operating systems).

Firewall Characteristics

Four General Technologies:
1. Service Control: determines the types of Internet services that can be accessed, inbound or outbound.
2. Direction Control: determines the direction in which particular service requests are allowed to flow.
3. User Control: controls access to a service according to which user is attempting to access it.
4. Behavior Control: controls how particular services are used (e.g. filtering e-mail).

Classification of Firewall
Characterized by the protocol level at which it operates:
Packet filtering
Circuit gateways
Application gateways

Firewalls: Packet Filters

Packet-Filtering-Router
Applies a set of rules to each incoming IP packet and then forwards or discards the packet.
Filters packets going in both directions.
The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header.
Two default policies: discard or forward.

Security & Performance of Packet Filters


IP address spoofing
  Fake source address to be trusted
  Add filters on the router to block
Tiny fragment attacks
  Split TCP header info over several tiny packets
  Either discard or reassemble before checking
Degradation depends on the number of rules applied at any point
  Order rules so that the most common traffic is dealt with first
  Correctness is more important than speed
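A worked version of the stateless packet filter described on these slides, added here as an example (it is not from the original deck): an ordered rule list with a default-deny policy, an anti-spoofing check for inside addresses arriving on the outside interface, and a tiny-fragment check. The interface names, the 192.168.1.0/24 inside network and the rules themselves are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # constructed inside network
MIN_FIRST_FRAGMENT = 40   # IPv4 header (20) + TCP header (20): what a filter needs to read ports and flags

@dataclass
class Packet:
    iface: str                    # "ext" (Internet side) or "int" (inside)
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # None for fragments that carry no transport header
    frag_offset: int = 0          # IP fragment offset; 0 for the first (or only) fragment
    length: int = 1500

# Ordered rule list, first match wins; the most common traffic (outbound from inside) comes first.
RULES = [
    {"action": "allow", "iface": "int"},                               # anything leaving the inside
    {"action": "allow", "iface": "ext", "proto": "tcp", "dport": 25},  # inbound mail to our SMTP server
    {"action": "allow", "iface": "ext", "proto": "tcp", "dport": 80},  # inbound web
    {"action": "deny",  "iface": "ext", "proto": "tcp", "dport": 23},  # explicitly no Telnet from outside
]
DEFAULT_POLICY = "deny"   # the safer of the slide's two default policies

def spoofed(pkt: Packet) -> bool:
    # A packet arriving from the Internet must never claim an inside source address
    return pkt.iface == "ext" and ipaddress.ip_address(pkt.src) in INTERNAL_NET

def tiny_fragment(pkt: Packet) -> bool:
    # First fragment too short to hold the TCP header: the ports would be in a later fragment
    return pkt.proto == "tcp" and pkt.frag_offset == 0 and pkt.length < MIN_FIRST_FRAGMENT

def matches(rule: dict, pkt: Packet) -> bool:
    return all(getattr(pkt, name) == value for name, value in rule.items() if name != "action")

def filter_packet(pkt: Packet, rules=RULES, default=DEFAULT_POLICY):
    """Return (verdict, reason): spoof and fragment checks first, then first matching rule, else default."""
    if spoofed(pkt):
        return "deny", "spoofed inside source on external interface"
    if tiny_fragment(pkt):
        return "deny", "tiny first fragment, TCP header incomplete"
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule["action"], f"rule {index}"
    return default, "default policy"

if __name__ == "__main__":
    # constructed sample packets: legitimate mail, a spoofed inside source, a tiny fragment, a later fragment
    for pkt in [Packet("ext", "203.0.113.5", "192.168.1.10", "tcp", dport=25),
                Packet("ext", "192.168.1.7", "192.168.1.10", "tcp", dport=80),
                Packet("ext", "203.0.113.5", "192.168.1.10", "tcp", dport=80, length=24),
                Packet("ext", "203.0.113.5", "192.168.1.10", "tcp", frag_offset=185)]:
        print(pkt.src, "->", pkt.dst, filter_packet(pkt))
```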

Port Numbering
TCP connection
  Server port is a number less than 1024
  Client port is a number between 1024 and 16383
Permanent assignment
  Ports <1024 are assigned permanently
  20, 21 for FTP
  23 for Telnet
  25 for SMTP (server)
  80 for HTTP
Variable use
  Ports >1024 must be available for a client to make any connection
  This presents a limitation for stateless packet filtering
  If a client wants to use port 2048, the firewall must allow incoming traffic on this port
Better: stateful filtering knows about outgoing requests
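The stateless-versus-stateful point above, as an added example that is not part of the original slides: the stateless rule must admit any inbound packet to a port above 1024, while the stateful filter admits only return traffic for a connection an inside host opened. Addresses and ports are constructed, and connection teardown is simplified to "forget the entry on FIN".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = inside host to Internet, "in" = Internet to inside host
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN: a new connection is being opened
    fin: bool = False   # TCP FIN: the connection is closing

def stateless_inbound_ok(pkt: Packet) -> bool:
    """The stateless rule the slide describes: any inbound packet to a port above 1024 must be let in."""
    return pkt.direction == "in" and pkt.dport > 1024

class StatefulFilter:
    """Remembers connections opened from the inside and admits only their return traffic."""
    def __init__(self):
        self.table = set()   # (inside host, inside port, outside host, outside port)

    def process(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn:
                self.table.add(key)          # outgoing request: remember it
            elif pkt.fin:
                self.table.discard(key)      # inside closed the connection (simplified teardown)
            return "allow"                   # this policy permits all outbound traffic
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reverse of the outbound tuple
        if key in self.table:
            if pkt.fin:
                self.table.discard(key)      # outside closed the connection (simplified teardown)
            return "allow"
        return "deny"    # unsolicited: no inside host asked for this

if __name__ == "__main__":
    fw = StatefulFilter()
    # constructed: inside client 192.168.1.20 opens port 2048 toward a web server
    fw.process(Packet("out", "192.168.1.20", 2048, "203.0.113.5", 80, syn=True))
    reply = Packet("in", "203.0.113.5", 80, "192.168.1.20", 2048)
    unsolicited = Packet("in", "198.51.100.9", 4444, "192.168.1.20", 2048)
    for p in (reply, unsolicited):
        print(p.src, "stateless:", stateless_inbound_ok(p), "stateful:", fw.process(p))
```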

Packet-Filtering-Router

Advantages:
1. Simplicity.
2. Transparency to users.
3. High speed.
Disadvantages:
1. Difficulty of setting up packet filter rules.
2. Lack of authentication.

Firewall Gateways
Firewall runs a set of proxy programs
  Proxies filter incoming and outgoing packets
  All incoming traffic is directed to the firewall
  All outgoing traffic appears to come from the firewall
Policy is embedded in the proxy programs
Two kinds of proxies
  Application-level gateways/proxies: tailored to HTTP, FTP, SMTP, etc.
  Circuit-level gateways/proxies: working at the TCP level

Firewalls: Application Level Gateway (or Proxy)

Application-Level Filtering
Has full access to the protocol
  user requests a service from the proxy
  proxy validates the request as legal
  then performs the request and returns the result to the user
Need separate proxies for each service
  e.g., SMTP (e-mail), NNTP (Net news), DNS (Domain Name System), NTP (Network Time Protocol)
  custom services are generally not supported

Application-Level-Gateway

Advantages:
1. Higher security than a packet filter.
2. Only need to secure a few allowable applications.
3. Easy to log and audit all incoming traffic.
Disadvantages:
Additional processing overhead on each connection (the gateway acts as a splice point).

Circuit Level Gateway

(Figure: a circuit-level gateway relaying between an outside host and outside connection and an inside host and inside connection, with IN and OUT legs on each side.)

Circuit Level Gateway


Stand-alone system or a specialized function performed by an application-level gateway.
Sets up two TCP connections.
The gateway typically relays TCP segments from one connection to the other without examining the contents.

Circuit Level Gateway


The security function consists of determining which connections are to be allowed.
Typical use is a situation in which the system administrator trusts the internal users.
An example is the SOCKS package.

Socket Secure (SOCKS) is an Internet protocol that routes network packets between a client and server through a proxy server. SOCKS5 additionally provides authentication so only authorized users may access a server. Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded.
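An added example (not from the slides or the SOCKS project) of the one security decision a circuit-level gateway makes: it parses the SOCKS5 greeting and CONNECT request as laid out in RFC 1928, requires username/password authentication, and answers "connection not allowed by ruleset" for any circuit outside a constructed allowlist. The relaying of TCP segments that follows a successful reply is omitted.

```python
import ipaddress
import struct

# SOCKS5 constants from RFC 1928 (method, command, address type and reply codes)
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_OK, REP_RULESET, REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x00, 0x02, 0x07, 0x08

# Constructed policy: the only security function of the gateway is which circuits it will relay
ALLOWED = {("203.0.113.10", 443), ("mail.example.test", 25)}

def choose_method(greeting: bytes) -> bytes:
    """Answer the client's VER NMETHODS METHODS greeting; insist on username/password authentication."""
    if len(greeting) < 2 or greeting[0] != 5:
        return bytes([5, NO_ACCEPTABLE])
    nmethods = greeting[1]
    methods = greeting[2:2 + nmethods]
    chosen = USERPASS if len(methods) == nmethods and USERPASS in methods else NO_ACCEPTABLE
    return bytes([5, chosen])

def parse_request(req: bytes):
    """Decode VER CMD RSV ATYP DST.ADDR DST.PORT into (cmd, host, port); host is None for an unknown ATYP."""
    if len(req) < 4:
        raise ValueError("request too short")
    ver, cmd, rsv, atyp = req[0], req[1], req[2], req[3]
    if ver != 5 or rsv != 0:
        raise ValueError("bad version or reserved byte")
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(req[4:20])), req[20:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]                                   # domain names are length-prefixed
        host, rest = req[5:5 + n].decode("ascii"), req[5 + n:]
    else:
        return cmd, None, None
    if len(rest) != 2:
        raise ValueError("bad address or port length")
    return cmd, host, struct.unpack("!H", rest)[0]   # port is 2 bytes, network order

def reply(rep: int) -> bytes:
    # BND.ADDR and BND.PORT are zeroed: this toy only decides, it does not open the relayed connection
    return bytes([5, rep, 0, ATYP_IPV4]) + bytes(6)

def handle_request(req: bytes) -> bytes:
    """Apply the allowlist to a CONNECT request and build the server's reply."""
    cmd, host, port = parse_request(req)
    if host is None:
        return reply(REP_ATYP_UNSUPPORTED)
    if cmd != CMD_CONNECT:
        return reply(REP_CMD_UNSUPPORTED)
    return reply(REP_OK if (host, port) in ALLOWED else REP_RULESET)

if __name__ == "__main__":
    # constructed client messages: a greeting offering no-auth and user/pass, then CONNECT 203.0.113.10:443
    print(choose_method(b"\x05\x02\x00\x02").hex())
    print(handle_request(b"\x05\x01\x00\x01" + bytes([203, 0, 113, 10]) + struct.pack("!H", 443)).hex())
```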

Firewalls Aren't Perfect
Useless against attacks from the inside
  an evildoer exists on the inside
  malicious code is executed on an internal machine
Organizations with greater insider threat: banks and the military
Protection must exist at each layer
  assess the risks of threats at every layer
Cannot protect against the transfer of all virus-infected programs or files, because of the huge range of operating systems and file types

Bastion Host
Highly secure host system
  runs circuit- or application-level gateways, or provides externally accessible services
  potentially exposed to "hostile" elements, hence is secured to withstand this
  hardened OS, essential services, extra authentication
  proxies are small, secure, independent, non-privileged
  may support 2 or more network connections
  may be trusted to enforce a policy of trusted separation between these network connections

Host-Based Firewalls
Software module used to secure an individual host
  available in many operating systems, or can be provided as an add-on package
  often used on servers
Advantages:
  can tailor filtering rules to the host environment
  protection is provided independent of topology
  provides an additional layer of protection

Firewall Configurations
Single-homed bastion host
Dual-homed bastion host
Screened-subnet firewall

What is a VPN?
A virtual private network (VPN) is a network that uses public means of transmission (the Internet) as its WAN link.

What is a VPN? (Cont.)
A VPN can be created by connecting offices and single users (including mobile users) to the nearest service provider's POP (Point of Presence) and using that service provider's backbone network, or even the Internet, as the tunnel between offices. (Tunneling is a protocol that allows for the secure movement of data from one network to another.)
Traffic that flows through the backbone is encrypted to prevent intruders from spying on or intercepting the data.


Who uses VPNs?
VPNs can be found in homes, workplaces, or anywhere else as long as an ISP (Internet Service Provider) is available.
VPNs allow company employees who travel often or who are outside their company headquarters to safely and securely connect to their company's intranet.

All 3 types of VPN


VPN Protocols
There are three main protocols that power the vast majority of VPNs:
PPTP
L2TP
IPsec
All three protocols emphasize encryption and authentication, preserving the integrity of data that may be sensitive and allowing clients/servers to establish an identity on the network.

VPN Protocols (In depth)
Point-to-point tunneling protocol (PPTP)
  PPTP is widely supported by Microsoft, as it is built into the various versions of the Windows OS
  PPTP initially had weak security features; however, Microsoft continues to improve its support
Layer Two tunneling protocol (L2TP)
  L2TP was the original competitor to PPTP and was implemented primarily in Cisco products
  L2TP is a combination of the best features of an older protocol, L2F (Layer 2 Forwarding), and PPTP
  L2TP exists at the data link layer (Layer 2) of the OSI model

VPN Protocols (continued)
Internet Protocol Security (IPSec) provides enhanced security features such as better encryption algorithms and more comprehensive authentication.
IPSec has two encryption modes: tunnel and transport. Tunnel mode encrypts the header and the payload of each packet, while transport mode only encrypts the payload. Only systems that are IPSec compliant can take advantage of this protocol.
IPSec can encrypt data between various devices, such as:
Router to router
Firewall to router
PC to router
PC to server

Security Topologies
Any network that is connected (directly or indirectly) to your organization, but is not controlled by your organization, represents a risk.
Firewalls deployed on the network edge enforce security policies and create choke points on network perimeters.
Security topologies include demilitarized zones (DMZs), extranets, and intranets.

Security Topologies (cont.)
The firewall must be the gateway for all communications between trusted, untrusted and unknown networks.
The firewall should selectively admit or deny data flows from other networks based on several criteria:
Type (protocol)
Source
Destination
Content

Security Zones
Three main security zones:
Trusted sites
Unclassified sites
Restricted sites
e.g. Internet Explorer, which includes 4 predefined zones.

Creating and designing security zones
Go to the Tools menu, click Internet Options and then click the Security tab.
Internet (medium)
Local intranet (LAN, IP, FQDN)
Trusted sites (low)
Restricted sites (medium)
Security settings: security level (high, medium, medium-low or low), Sites, Custom level, Default level

DMZ (Demilitarized Zone)
Used by a company to host its own Internet services without allowing unauthorized access to its private network
Sits between the Internet and internal networks
A line of defense, usually some combination of firewalls and bastion hosts
Traffic originating from it should be filtered

DMZ
Typically contains devices accessible to Internet traffic:
Web (HTTP) servers
FTP servers
SMTP (e-mail) servers
DNS servers
An optional, more secure approach than a simple firewall; may include a proxy server

DMZ Design Goals
Minimize the scope of damage
Protect sensitive data on the server
Detect the compromise as soon as possible
Minimize the effect of the compromise on other organizations
The bastion host is not able to initiate a session back into the private network. It can only forward packets that have already been requested.

DMZ Design Goals (Cont.)
A useful mechanism for meeting these goals is to add filtering of traffic initiated from the DMZ network toward the Internet. This impairs an attacker's ability to have a vulnerable host communicate with the attacker's host; it can
  keep the vulnerable host from being exploited altogether
  keep a compromised host from being used as a traffic-generating agent in distributed denial-of-service attacks.
The key is to limit traffic to only what is needed, and to drop what is not required, even if the traffic is not a direct threat to your internal network.

DMZ Design Goals (Cont.)
Filtering DMZ traffic would also identify traffic coming in from the DMZ interface of the firewall or router that appears to have a source IP address on a network other than the DMZ network number (spoofed traffic).
The firewall or router should be configured to initiate a log message or rule alert to notify the administrator.
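Detection logic for the last three DMZ slides (the bastion host must not initiate sessions into the private network, DMZ egress is limited to what is needed, and DMZ-interface traffic with a non-DMZ source is spoofed), added here as an example that is not from the original deck. The log line format, the 203.0.113.0/27 DMZ, the 10.0.0.0/8 internal network and the per-host egress allowlist are constructed.

```python
import ipaddress
import re

DMZ_NET = ipaddress.ip_network("203.0.113.0/27")      # constructed DMZ network number
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")     # constructed private network
# Constructed egress allowlist: what each DMZ host legitimately initiates toward the Internet
EGRESS_ALLOWED = {
    "203.0.113.10": {("udp", 53)},                    # web server: DNS lookups only
    "203.0.113.20": {("tcp", 25), ("udp", 53)},       # mail relay: outbound SMTP and DNS
}
# Constructed log format written by the firewall for traffic entering on an interface
LOG_RE = re.compile(r"iface=(\S+) src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")

def check_dmz_event(line: str):
    """Classify one DMZ-interface log line as 'spoofed', 'internal-target', 'egress-denied' or 'ok'.

    Returns None for lines that did not arrive on the DMZ interface (not this check's concern).
    """
    m = LOG_RE.search(line)
    if not m or m.group(1) != "dmz":
        return None
    src, dst = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
    proto, dport = m.group(4), int(m.group(5))
    if src not in DMZ_NET:
        return "spoofed"           # arrived on the DMZ interface but claims a non-DMZ source
    if dst in INTERNAL_NET:
        return "internal-target"   # a DMZ host may not initiate sessions back into the private network
    if (proto, dport) not in EGRESS_ALLOWED.get(str(src), set()):
        return "egress-denied"     # not on the "only what is needed" list, even if not a direct threat
    return "ok"

def alerts(lines):
    """Return the (verdict, line) pairs the administrator should be notified about."""
    flagged = []
    for line in lines:
        verdict = check_dmz_event(line)
        if verdict not in (None, "ok"):
            flagged.append((verdict, line))
    return flagged

SAMPLE_LOG = [   # constructed log lines
    "iface=dmz src=203.0.113.10 dst=198.51.100.53 proto=udp dport=53",
    "iface=dmz src=10.0.0.5 dst=198.51.100.7 proto=tcp dport=80",
    "iface=dmz src=203.0.113.20 dst=10.0.1.8 proto=tcp dport=445",
    "iface=dmz src=203.0.113.10 dst=198.51.100.9 proto=tcp dport=6667",
    "iface=ext src=198.51.100.9 dst=203.0.113.10 proto=tcp dport=80",
]

if __name__ == "__main__":
    for verdict, line in alerts(SAMPLE_LOG):
        print(f"ALERT {verdict}: {line}")
```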

Intranet
Typically a collection of all LANs inside the firewall (the campus network).
Either a network topology or an application (usually a Web portal) used as a single point of access to deliver services to employees.
Shares company information and computing resources among employees.
Allows access to the public Internet through firewalls that screen communications in both directions to maintain company security.

Extranet
A private network that uses Internet protocols and the public telecommunication system to provide various levels of accessibility to outsiders.
Requires security and privacy:
  firewall management
  issuance and use of digital certificates or other user authentication
  encryption of messages
  use of VPNs that tunnel through the public network

VLAN introduction
VLANs logically segment switched networks based on the functions, project teams, or applications of the organization, regardless of the physical location or connections to the network.
All workstations and servers used by a particular workgroup share the same VLAN, regardless of the physical connection or location.
A workstation in a VLAN group is restricted to communicating with file servers in the same VLAN group.
VLANs function by logically segmenting the network into different broadcast domains so that packets are only switched between ports that are designated for the same VLAN.
Routers in VLAN topologies provide broadcast filtering, security, and traffic flow management.
VLANs address scalability, security, and network management.
Switches may not bridge any traffic between VLANs, as this would violate the integrity of the VLAN broadcast domain.
Traffic should only be routed between VLANs.

Broadcast domains with VLANs and routers
A VLAN is a broadcast domain created by one or more switches.
Layer 3 routing allows the router to send packets to the three different broadcast domains.

VLAN operation
Each switch port could be assigned to a different VLAN.
Ports assigned to the same VLAN share broadcasts.
Ports that do not belong to that VLAN do not share these broadcasts.
Users attached to the same shared segment share the bandwidth of that segment.
Each additional user attached to the shared medium means less bandwidth and a fall in network performance.
VLANs offer more bandwidth to users than a shared network.
The default VLAN for every port in the switch is the management VLAN.
The management VLAN is always VLAN 1 and may not be deleted. All other ports on the switch may be reassigned to alternate VLANs.
Dynamic VLANs allow for membership based on the MAC address of the device connected to the switch port.
As a device enters the network, it queries a database within the switch for a VLAN membership.
In port-based or port-centric VLAN membership, the port is assigned to a specific VLAN membership independent of the user or system attached to the port.
All users of the same port must be in the same VLAN.

Benefits of VLANs
The key benefit of VLANs is that they permit the network administrator to organize the LAN logically instead of physically.
Performance
Formation of virtual workgroups
Simplified administration
Reduced cost (eliminates the need for expensive routers)
Security
Improved management

VLAN Limitations
Broadcast limitations
Device limitations
Port constraints

VLAN types
There are three basic VLAN memberships for determining and controlling how a packet gets assigned:
Port-based VLANs
MAC address based VLANs
Protocol based VLANs (e.g. protocol IP -> VLAN 1)
  Membership by IP subnet address (e.g. IP 23.2.24 -> VLAN 1)
Higher layer VLANs
The frame headers are encapsulated or modified to reflect a VLAN ID before the frame is sent over the link between switches.
Before forwarding to the destination device, the frame header is changed back to the original format.


Membership by Port
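An added example (not from the slides) of a toy switch that applies the three membership types above and tags frames with the VLAN ID on the link between switches: a broadcast is flooded only to ports of the same VLAN, is never bridged into another VLAN, and is untagged again before delivery. The precedence among MAC, protocol and port membership, the port numbers and the MAC addresses are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Frame:
    src_mac: str
    dst_mac: str                      # "ff:ff:ff:ff:ff:ff" for a broadcast
    protocol: str                     # e.g. "ip" or "ipx", used by protocol-based membership
    vlan_tag: Optional[int] = None    # VLAN ID, carried only on the link between switches

class Switch:
    """Toy switch: flooding reaches only ports of the same VLAN; nothing is bridged between VLANs."""
    def __init__(self, port_vlans: Dict[int, int], mac_vlans=None, proto_vlans=None, trunk_port=None):
        self.port_vlans = port_vlans           # port-based membership: access port -> VLAN
        self.mac_vlans = mac_vlans or {}       # dynamic membership: source MAC -> VLAN
        self.proto_vlans = proto_vlans or {}   # protocol-based membership: protocol -> VLAN
        self.trunk_port = trunk_port           # link to the next switch; frames are tagged here

    def vlan_of(self, in_port: int, frame: Frame) -> int:
        # Precedence is an assumption of this example: tag, then MAC, then protocol, then port
        if frame.vlan_tag is not None:
            return frame.vlan_tag                 # arrived already tagged from another switch
        if frame.src_mac in self.mac_vlans:
            return self.mac_vlans[frame.src_mac]
        if frame.protocol in self.proto_vlans:
            return self.proto_vlans[frame.protocol]
        return self.port_vlans[in_port]

    def forward(self, in_port: int, frame: Frame) -> Dict[int, Frame]:
        """Flood a broadcast: return {out_port: frame} for every access port in the same VLAN, plus the trunk."""
        vlan = self.vlan_of(in_port, frame)
        out = {}
        for port, port_vlan in self.port_vlans.items():
            if port != in_port and port_vlan == vlan:
                # header changed back to the original, untagged format before delivery
                out[port] = Frame(frame.src_mac, frame.dst_mac, frame.protocol)
        if self.trunk_port is not None and in_port != self.trunk_port:
            # header modified to carry the VLAN ID before the frame crosses to the other switch
            out[self.trunk_port] = Frame(frame.src_mac, frame.dst_mac, frame.protocol, vlan_tag=vlan)
        return out

if __name__ == "__main__":
    # constructed: ports 1-2 in VLAN 10, port 3 in VLAN 20, IPX traffic forced into VLAN 30, port 24 is the trunk
    sw = Switch({1: 10, 2: 10, 3: 20}, proto_vlans={"ipx": 30}, trunk_port=24)
    broadcast = Frame("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", "ip")
    print({port: f.vlan_tag for port, f in sw.forward(1, broadcast).items()})   # {2: None, 24: 10}
```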

Email Security

Electronic Mail
Sends text, pictures, videos and sounds.
Security is an extremely important issue.
An e-mail message has two portions: the content and the header (like the postal system).
The header is followed by the actual message contents.
Header fields include From, To, Subject and Date.

Threats to E-mail
Message interception (confidentiality)
Message interception (blocked delivery)
Message content modification
Message origin modification
Message content forgery (fake, dummy) by outsider
Message origin forgery by outsider
Message content forgery by recipient
Message origin forgery by recipient
Denial of message transmission

E-mail Threats
Viruses:
  Common threats; types: worm or Trojan
  Program code that replicates itself by being copied
  Come from an innocent-looking email or attachment
  Dangerous because they arrive in email from people you know
Spam:
  Billions sent every day
  Electronic junk mail or junk newsgroup postings; unsolicited email
  Real spam is generally email advertising for some product sent to a mailing list or newsgroup
  Besides wasting people's time with unwanted e-mail, spam also eats up a lot of network bandwidth

E-mail Threats
Phishing
The fraudulent (criminal, illegal) practice of sending emails purporting (seeming) to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers, online.
e.g. a simulated bank:
  directs you to a false site
  asks you to confirm your account information
  the false site looks like the real website

SMTP
Simple Mail Transfer Protocol
Request/response based

Fig: Email using SMTP protocol
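The request/response exchange of SMTP and the header/content split of a message, as an added example that is not from the slides: a minimal server-side session that answers each client command with a numeric response, enforces the HELO, MAIL, RCPT, DATA order, and splits the delivered message into its header fields (From, To, Subject, Date) and content, keeping the envelope beside them. The hostname and the client transcript are constructed.

```python
KNOWN = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "QUIT"}

def parse_message(lines):
    """Split message lines into the header (fields before the first blank line) and the content after it."""
    header, i = {}, 0
    while i < len(lines) and lines[i]:
        name, _, value = lines[i].partition(":")
        header[name.strip()] = value.strip()
        i += 1
    return header, "\n".join(lines[i + 1:])

def address(arg: str) -> str:
    # "FROM:<alice@example.test>" -> "alice@example.test"
    return arg.split(":", 1)[-1].strip().strip("<>")

class SmtpSession:
    """Server side of one SMTP session: every client request gets a response; command order is enforced."""
    def __init__(self, hostname="mail.example.test"):   # constructed hostname
        self.hostname = hostname
        self.state = "init"            # init -> greeted -> mail -> rcpt -> (message) -> greeted
        self.envelope = {"from": None, "to": []}
        self.data_lines = None         # a list while the client is sending the message, else None
        self.messages = []             # accepted messages: envelope plus parsed header and content

    def handle(self, line: str) -> str:
        if self.data_lines is not None:              # inside DATA: collect until a line holding only "."
            if line != ".":
                self.data_lines.append(line)
                return ""                            # the server is silent while the message is sent
            header, content = parse_message(self.data_lines)
            self.messages.append({"envelope": self.envelope, "header": header, "content": content})
            self.data_lines, self.state = None, "greeted"
            self.envelope = {"from": None, "to": []}
            return "250 OK: queued"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb not in KNOWN:
            return "500 Unknown command"
        if verb in ("HELO", "EHLO"):
            self.state = "greeted"
            return f"250 {self.hostname}"
        if verb == "QUIT":
            return "221 Bye"
        if verb == "MAIL" and self.state == "greeted":
            self.envelope = {"from": address(arg), "to": []}
            self.state = "mail"
            return "250 OK"
        if verb == "RCPT" and self.state in ("mail", "rcpt"):
            self.envelope["to"].append(address(arg))
            self.state = "rcpt"
            return "250 OK"
        if verb == "DATA" and self.state == "rcpt":
            self.data_lines = []
            return "354 End data with <CR><LF>.<CR><LF>"
        return "503 Bad sequence of commands"

def run_session(client_lines):
    """Feed a constructed client transcript through one session; return (request, response) pairs and the session."""
    session = SmtpSession()
    return [(line, session.handle(line)) for line in client_lines], session
```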
