
I will give a presentation about firewalls and IDS

1.1. Firewall.
A firewall is defined as a cybersecurity tool that monitors incoming and outgoing
network traffic and permits or blocks data packets based on a set of cybersecurity rules.

Firewalls are generally deployed to isolate network nodes from egress and ingress data
traffic or even specific applications. Firewalls operate by using software, hardware, or cloud-
based methods for safeguarding the network against any external attack. The primary
objective of a firewall is to block malicious traffic and data packets while allowing legitimate
traffic to pass through.

1.2. Key Components of a Firewall.

1.2.1. Network policy.
The design, installation, and use of a firewall in a network are largely influenced by two
levels of network policy — the higher-level policy and the lower-level policy.

- The higher-level policy is an issue-specific network access policy that defines
services that are allowed or explicitly denied from the restricted network, how
they would be used, and the conditions for exceptions to this policy.
- The lower-level policy discloses how the firewall will handle access restriction
and service filtration defined in the higher-level policy.
  - Service access policy
  - Firewall design policy

1.2.2. Advanced authentication.
Advanced authentication measures such as smartcards, authentication tokens, biometrics,
and software-based mechanisms are designed to tackle weak traditional passwords. While
the authentication techniques vary, they are similar in that the passwords generated by
advanced authentication devices cannot be reused by an attacker who has monitored a
connection. Given the problems posed by passwords on the internet, an internet-accessible
firewall that does not use or does not contain the hooks to use advanced authentication
may be regarded as irrelevant in the current setting.

Some of the more popular advanced authentication devices in use today are called one-time
password systems. A smartcard or authentication token, for example, generates a response
that the host system can use in place of a traditional password. Because the token or card
works in conjunction with software or hardware on the host, the generated response is
unique for every login. The result is a one-time password that, if monitored, cannot be
reused by an intruder to gain access to an account.
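As an added example (not part of the original presentation), the following Python models the one-time password scheme just described with the HMAC-based algorithm of RFC 4226: the token and the host share a secret and a counter, every login produces a different code, and a code captured on the wire is refused when replayed. The secret is the RFC 4226 test key used only as a sample; the class and function names are assumptions.

```python
import hmac
import hashlib
import struct

# RFC 4226 HOTP: the token and the host share a secret key and a counter.
# The counter advances on every login, so each generated code is unique.
# The secret is the RFC 4226 test key, used here only as a constructed sample.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an HMAC-based one-time password (RFC 4226)."""
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                     # dynamic truncation
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HostVerifier:
    """Host side: accepts a code only for a counter value not yet consumed."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret = secret
        self.counter = 0            # next counter value the host expects
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        # Try the expected counter and a small window of future values (the
        # token may have been pressed without a login). Never look backwards,
        # so a code seen by an eavesdropper is useless once the host moves on.
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


def demo_replay_rejected() -> tuple:
    """Show that a code observed on the wire does not work a second time."""
    host = HostVerifier(SHARED_SECRET)
    captured = hotp(SHARED_SECRET, 0)   # what a monitoring attacker would see
    first = host.verify(captured)       # legitimate login succeeds
    replay = host.verify(captured)      # same code again is refused
    return first, replay
```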
1.2.3. Packet filtering.
IP packet filtering is accomplished using a packet filtering router that filters packets as they
pass between the router’s interfaces. A packet-filtering router usually can filter IP packets
based on source IP address, destination IP address, TCP/UDP source port, or destination
port.

Not all packet filtering routers currently filter the source TCP/UDP port. However, more
vendors are starting to incorporate this capability. Some routers examine which of the
router’s network interfaces a packet arrived at and then use this as an additional filtering
criterion. 
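An added example, not from the original presentation: a minimal first-match-wins packet filter in Python that applies the criteria above (source and destination address, TCP/UDP source and destination port, and the interface the packet arrived on), with a constructed sample policy. The rule fields, interface names and addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed rule and packet formats for a first-match-wins packet-filtering
# router. Interface names and addresses in the sample policy are made up.

@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str = "any"              # "tcp", "udp" or "any"
    src: str = "0.0.0.0/0"          # source network in CIDR form
    dst: str = "0.0.0.0/0"          # destination network in CIDR form
    sport: Optional[int] = None     # None matches any source port
    dport: Optional[int] = None     # None matches any destination port
    in_iface: Optional[str] = None  # None matches any ingress interface

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    in_iface: str

def matches(rule: Rule, pkt: Packet) -> bool:
    # Every criterion that the rule sets must match the packet.
    return (
        rule.proto in ("any", pkt.proto)
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
        and rule.sport in (None, pkt.sport)
        and rule.dport in (None, pkt.dport)
        and rule.in_iface in (None, pkt.in_iface)
    )

def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; a packet matching no rule is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Sample policy: 10.0.0.0/8 is the internal network behind interface "inside".
RULES = [
    Rule("deny", src="10.0.0.0/8", in_iface="outside"),        # anti-spoofing
    Rule("permit", proto="tcp", dst="10.0.0.80/32", dport=80),  # public web
    Rule("permit", src="10.0.0.0/8", in_iface="inside"),        # outbound
]
```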

1.2.4. Application gateways.

To counter the weaknesses associated with packet filtering routers, firewalls need to use
software applications to forward and filter connections for services such as TELNET and FTP.
Such an application is referred to as a proxy service, while the host running the proxy service
is referred to as an application gateway.

1.3. Usage and advantages in a network.

1.3.1. Usage.

- Software-based applications
Software-based applications involve securing data by using any type of firewall installed on a
local device rather than a separate piece of hardware (or a cloud server). The benefit of such
a software-based firewall is that it’s highly useful for creating defense in depth by isolating
individual network endpoints from one another. However, maintaining individual software
firewalls on different devices can be difficult and time-consuming. Furthermore, not every
device on a network may be compatible with a single software firewall, which may mean
having to use several different software firewalls from different vendors to cover every node
or device.

- Hardware-based applications
Hardware firewalls use a physical appliance that acts as a traffic router to intercept data
packets and traffic requests before they’re connected to the network’s servers. Physical
appliance-based firewalls like this excel at perimeter security by making sure malicious
traffic from outside the network is intercepted before the company’s network endpoints are
exposed to risk. The major weakness of a hardware-based firewall, however, is that it is
often easy for insider attacks to bypass them. Also, the actual capabilities of a hardware
firewall may vary depending on the vendor manufacturing it; some may have a more limited
capacity to handle simultaneous connections than others.

- Cloud-based applications
Whenever a cloud solution is used to deliver a firewall, it can be called a cloud firewall or
firewall-as-a-service (FaaS). Cloud firewalls are analogous to proxy firewalls, where a cloud
server is often used in a proxy firewall setup. The advantage of having cloud-based firewalls
is that they are very easy to scale with any organization. As the needs grow, one can add
additional capacity to the cloud server to filter larger traffic loads. Cloud firewalls provide
perimeter security to network architecture.

1.3.2. Advantages.
- Block spyware
In today's data-driven world, stopping spyware from gaining access to a system is of
paramount importance. As systems become more sophisticated and robust, the number of
criminals trying to gain access to them also increases. One of the most common ways
attackers gain access is by employing spyware and malware: software programs designed to
infiltrate systems, control computers, and steal sensitive or critical data. Firewalls serve as
an important blockade against such malicious programs.

- Stop virus attacks
A virus attack can shut down an enterprise's digital operations faster and harder than
expected. As threats continue to evolve and grow in complexity, it is vital that defenses
are in place to keep systems healthy and running. One of the most visible benefits of
firewalls is controlling the system's entry points and stopping virus attacks. The cost of
damage from a virus attack on any system can be immeasurably high, depending on the
type of virus.

- Maintain privacy
Another benefit of employing a firewall is the promotion of privacy. By proactively working
to keep your data and your customers' data safe, you build an environment of privacy that
your clients can trust. No one likes their data stolen, especially when it is known that steps
could have been taken to prevent the intrusion.

- Network traffic monitoring
All of the benefits of firewall security start with the ability to monitor network traffic. Data
coming in and out of your systems creates opportunities for threats to compromise your
operations. By monitoring and analyzing network traffic, firewalls leverage pre-established
rules and filters to keep the systems protected. With a well-trained IT team, an enterprise
can manage customized protection levels based on what is seen as coming in and out
through the firewall.

- Prevent hacking
Most businesses today run digital operations, which invites more thieves and bad actors
into the picture. With the rise of data theft and of criminals holding systems hostage,
firewalls have become even more important, as they prevent hackers from gaining
unauthorized access to data, emails, systems, and more. A firewall can stop a hacker
completely or deter them into choosing an easier target.

1.4. How firewalls provide security.

- Backdoors.
While certain applications are designed to be accessed remotely, others may have bugs that
give potential hackers a “backdoor,” or a hidden way to access and exploit the program for
malicious purposes. Some operating systems may also contain bugs that provide backdoors
for skilled hackers to manipulate to their own benefit.

- Denial of service.
This increasingly popular type of cyberattack can slow or crash a server. Hackers utilize this
method by requesting to connect to the server, which sends an acknowledgment and
attempts to establish a connection. However, as part of the attack, the server will not be
able to locate the system that initiated the request. Flooding a server with these one-sided
session requests allows a hacker to slow down server performance or take it offline entirely.
While there are ways firewalls can be used to identify and protect against certain forms of
denial of service attacks, they tend to be easily fooled and are usually ineffective. For this
reason, it’s important to have a variety of security measures in place to protect your
network from different types of attacks.

- Macros.
Macros are scripts that applications can run to streamline a series of complicated
procedures into one executable rule. Should a hacker gain access to your customers'
devices, they can run their own macros within the applications. This can have drastic effects,
ranging from data loss to system failure. These executable fragments can also be embedded
in data attempting to enter your network, which firewalls can help identify and discard.

- Remote logins.
Remote logins can vary in severity, but always refer to someone connecting to and
controlling your computer. They can be a useful technique for allowing IT professionals to
quickly update something on a specific device without being physically present—but if
performed by bad actors, they can be used to access sensitive files or even execute
unwanted programs.

- Spam.
While most spam is harmless, some spam can also be incredibly malicious. Spam often will
include links—which should absolutely never be clicked! By following links in spam mail,
users may accept cookies onto their systems that create backdoor functionality for hackers.
It is important that your customers receive cybersecurity awareness training in order to
reduce vulnerabilities from within their network.

- Viruses.
Viruses are small programs that replicate themselves from computer to computer, allowing
them to spread between devices and across networks. The threat posed by some viruses
can be relatively small, but others are capable of doing more damage—such as erasing your
customers’ data. Some firewalls include virus protection, but using a firewall alongside
antivirus software is a smarter and more secure choice.

1.5. Diagram: an example of how a firewall works.

1.6. IDS.
An intrusion detection system (IDS) is a system that monitors network traffic for suspicious
activity and alerts when such activity is discovered. While anomaly detection and reporting
are the primary functions, some intrusion detection systems are capable of taking actions
when malicious activity or anomalous traffic is detected, including blocking traffic sent from
suspicious Internet Protocol (IP) addresses.

An IDS can be contrasted with an intrusion prevention system (IPS), which monitors network
packets for potentially damaging network traffic, like an IDS, but has the primary goal of
preventing threats once detected, as opposed to primarily detecting and recording threats.

- Usage
Intrusion detection systems are used to detect anomalies with the aim of catching
hackers before they do real damage to a network. They can be either network- or host-
based. A host-based intrusion detection system is installed on the client computer, while
a network-based intrusion detection system resides on the network.

Intrusion detection systems work by either looking for signatures of known attacks or
deviations from normal activity. These deviations or anomalies are pushed up the stack
and examined at the protocol and application layer. They can effectively detect events
such as Christmas tree scans and domain name system (DNS) poisonings.
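An added example, not from the original presentation: signature-style detection of a Christmas tree scan (TCP packets with the FIN, PSH and URG flags all set) over constructed packet records, reporting sources that probe many distinct ports. The record format and the port threshold are assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed packet record format (an assumption): (src_ip, dst_ip, dst_port, flags)
# where flags is a string of TCP flag letters: S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST.
Record = Tuple[str, str, int, str]

XMAS_FLAGS = {"F", "P", "U"}


def is_xmas(flags: str) -> bool:
    """Signature: FIN, PSH and URG set together with no SYN or ACK.

    No normal TCP stack emits this combination, so a single packet is
    already suspicious; a scanner uses it to provoke RSTs from closed ports.
    """
    f = set(flags)
    return XMAS_FLAGS <= f and not (f & {"S", "A"})


def detect_xmas_scans(packets: Iterable[Record], min_ports: int = 5) -> Dict[str, List[int]]:
    """Group Christmas tree packets by source and report sources that touched
    at least min_ports distinct destination ports (a scan rather than a stray)."""
    ports = defaultdict(set)
    for src, _dst, dport, flags in packets:
        if is_xmas(flags):
            ports[src].add(dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample traffic: one scanner sweeping six ports, one normal
# client doing a handshake and a FIN/ACK close, and one stray xmas packet.
SAMPLE: List[Record] = [
    ("198.51.100.7", "10.0.0.80", p, "FPU") for p in (21, 22, 23, 25, 80, 443)
] + [
    ("10.0.0.5", "10.0.0.80", 80, "S"),
    ("10.0.0.5", "10.0.0.80", 80, "A"),
    ("10.0.0.5", "10.0.0.80", 80, "FA"),
    ("203.0.113.2", "10.0.0.80", 443, "FPU"),
]
```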

An IDS may be implemented as a software application running on customer hardware or
as a network security appliance. Cloud-based intrusion detection systems are also
available to protect data and systems in cloud deployments.

- Diagrams

1.7. The potential impact (Threat-Risk) of a firewall and IDS if they are incorrectly configured in a network.

1.7.1. The potential impact (Threat-Risk) of a firewall.
Network firewalls are not easy to update. Keeping rules up to date when environments
and applications are dynamic and complex is almost impossible.

Because of this challenge, firewall policy is often behind the current status of your
applications and data. This means you are increasing risk in your data center until you
manage to manually set the rules. Moreover, those rules may well become obsolete
again almost immediately, so you can never truly stem the issue of growing risk.

At the same time, companies have to deal with compliance mandates and governance,
which are just as strict on the cloud environments as on-premises environments. While
the increased agility of a hybrid cloud ecosystem is helpful for streamlining business
processes, the speed of change has caused many organizations to fall badly short of
compliance requirements.

It’s especially difficult to get full visibility into hybrid cloud environments – and without
visibility, you can easily fall prey to blind spots resulting from misconfigurations. Take
the Capital One breach, for example, where hackers could exfiltrate “data through a
‘misconfiguration’ of a firewall on a web application. That allowed the hacker to
communicate with the server where Capital One was storing its information and,
eventually, obtain customer files.” The result was the loss of the personal data of more
than 100 million people, including tens of millions of credit card applications.

Some of the most common firewall misconfigurations:

- EC2 instances:
Configuring security groups incorrectly can lead to unnecessary risk. AWS itself reports
that “Among the most egregious were AWS Security Groups configured to leave SSH
wide open to the Internet in 73 percent of the companies analysed.” Any approach that
relies on IP addresses that constantly change is going to be error-prone.

- VPC access:
Of course, your business doesn’t want anyone on the internet to be able to access your
VPCs. That said, this is a common mistake. Many businesses use ACLs to manage the
problem, but it can be time-consuming and leave blind spots.

- Services permissions:
It often happens that unnecessary services are left running on the firewall, opening up
enterprises to risk and broadening the attack surface. When devices are configured from
the start with the principle of zero-trust and least privilege, this removes that risk. It also
ensures that devices can only do the specific function you need them for.

- Inconsistent authentication:
Enterprises often have networks that work across multiple geographies and locations, as
well as different environments. Consistent authentication across these different places is
a cornerstone of good firewall hygiene. If some requirements are weaker than others,
the misalignment creates vulnerable areas of the enterprise that can be leveraged like
an unlocked door. The result is that your business will be open to attacks.
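An added example, not from the original presentation, for the EC2 security group item above: a Python audit over a constructed sample in the shape of "aws ec2 describe-security-groups" output that flags every ingress rule exposing SSH (TCP/22) to the whole Internet. The group ids, names and CIDRs are made up.

```python
import json
from typing import List, Tuple

# Constructed sample shaped like `aws ec2 describe-security-groups` JSON output.
# Group ids, names and address ranges are made up for this example.
SAMPLE_JSON = """
{"SecurityGroups": [
  {"GroupId": "sg-0000example1", "GroupName": "bastion",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0000example2", "GroupName": "web",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0000example3", "GroupName": "legacy",
   "IpPermissions": [
     {"IpProtocol": "-1",
      "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}
"""

WORLD = {"0.0.0.0/0", "::/0"}   # "anyone on the Internet" in IPv4 and IPv6

def rule_covers_port(perm: dict, port: int) -> bool:
    """True if this ingress permission admits TCP traffic to the given port."""
    if perm.get("IpProtocol") == "-1":   # all protocols and all ports
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def world_open_ranges(perm: dict) -> List[str]:
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]

def find_ssh_open_to_world(describe_output: str, port: int = 22) -> List[Tuple[str, str]]:
    """Return (group id, world CIDR) for every rule exposing `port` to everyone."""
    findings = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if rule_covers_port(perm, port):
                for cidr in world_open_ranges(perm):
                    findings.append((sg["GroupId"], cidr))
    return findings
```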

1.7.2. The potential impact (Threat-Risk) of IDS.

- May cause false alarms if the configuration is not correct.
- The ability to analyze encrypted traffic is relatively low.
- System deployment and operation costs are relatively large.
