
Chapter 5 - Security Mechanisms

Firewall
What is a Firewall?
A firewall is a network security device that observes and filters incoming and outgoing network
traffic according to the security policies defined by an organization. Essentially, it acts as a
protective wall between a private internal network and the public Internet. Firewalls secure a
computer network by preventing unauthorized access to it. A firewall can be a hardware or
software unit that filters the incoming and outgoing traffic of a private network according to a
set of rules, in order to spot and prevent cyber attacks. Firewalls are used in enterprise and
personal settings and are a vital component of network security. Most operating systems have a
basic built-in firewall. However, using a third-party firewall application provides better protection.
Types of Firewall
A firewall can either be software or hardware. Software firewalls are programs installed on
each computer, and they regulate network traffic through applications and port numbers.
Meanwhile, hardware firewalls are equipment installed between the gateway and your
network. Additionally, a firewall delivered by a cloud solution is called a cloud firewall.
There are multiple types of firewalls based on their traffic filtering methods, structure, and
functionality. A few of the types of firewalls are:
• Proxy Service Firewall: This type of firewall protects the network by filtering
messages at the application layer. For a specific application, a proxy firewall serves as
the gateway from one network to another.
• Stateful Inspection: Such a firewall permits or blocks network traffic based on state,
port, and protocol. Here, it decides filtering based on administrator-defined rules and
context.
• Next-Generation Firewall: According to Gartner, Inc.’s definition, the next-generation
firewall is a deep-packet inspection firewall that adds application-level inspection,
intrusion prevention, and information from outside the firewall to go beyond
port/protocol inspection and blocking.
• Unified Threat Management (UTM) Firewall: A UTM device generally integrates
the capabilities of a stateful inspection firewall, intrusion prevention, and antivirus in a
loosely linked manner. It may include additional services and, in many cases, cloud
management. UTMs are designed to be simple and easy to use.
• Threat-Focused NGFW: These firewalls provide advanced threat detection and
mitigation. With network and endpoint event correlation, they may detect evasive or
suspicious behavior.
How does a firewall work?
As mentioned previously, firewalls filter the network traffic within a private network. A firewall
determines which traffic should be allowed or restricted based on a set of rules. Think of
the firewall as a gatekeeper at the computer's entry point that only allows trusted sources, or
IP addresses, to enter a network. A firewall admits only the incoming traffic that it has been
configured to accept. It distinguishes between good and malicious traffic and either allows or
blocks specific data packets based on pre-established security rules. These rules are based on
several aspects indicated by the packet data, like their source, destination, content, and so on.
Firewalls block traffic coming from suspicious sources to prevent cyber attacks. For example, the
image depicted below shows how a firewall allows good traffic to pass to the user's private network.

Fig: Firewall allowing Good Traffic


However, in the example below, the firewall blocks malicious traffic from entering the private
network, thereby protecting the user’s network from being susceptible to a cyber attack.

Fig: Firewall blocking Bad Traffic


This way, a firewall carries out quick assessments to detect malware and other suspicious
activities.

Key Uses of Firewalls


Firewalls can be used in corporate as well as consumer settings.

• Firewalls can be integrated with a security information and event management (SIEM)
strategy in modern organizations, and are installed at the network perimeter of
organizations to guard against external threats as well as insider threats.
• Firewalls can perform logging and audit functions, identifying patterns so that rules
can be improved and updated to defend against immediate threats.
• Firewalls can be used for a home network, Digital Subscriber Line (DSL), or cable
modem having static IP addresses. Firewalls can easily filter traffic and can signal the
user about intrusions.
• They are also used for antivirus applications.
• When vendors discover new threats or patches, the firewalls update the rule sets to
resolve the vendor issues.
• In home devices, we can set restrictions using hardware/firmware firewalls.
Proxy Server
What is a Proxy Server?
A proxy server acts as a gateway between the user and the internet. It's an intermediary server
separating end users from the websites they browse. Proxy servers provide varying levels of
functionality, security, and privacy depending on use case, needs, or company policy. When
network users use a proxy server, internet traffic flows through the proxy server on its way to
the address they requested. The response then comes back through that same proxy server (there
are exceptions to this rule), and then the proxy server forwards the data received from the
website to the intended user.
How Does a Proxy Server Operate?
Every computer on the internet needs to have a unique Internet Protocol (IP) address. Think
of this IP address as the street address of the user's computer. Just as the post office knows
to deliver mail to the user's street address, the internet knows how to send the correct data to
the correct computer by the IP address.

A proxy server is basically a computer on the internet with its own IP address that your
computer knows. When you send a web request, your request goes to the proxy server first.
The proxy server then makes your web request on your behalf, collects the response from the
web server, and forwards you the web page data so you can see the page in your browser. When
the proxy server forwards your web requests, it can make changes to the data you send and still
get you the information that you expect to see. For example:
• A proxy server can change your IP address, so the web server doesn’t know exactly
where you are in the world.
• It can encrypt your data, so your data is unreadable in transit.
• And lastly, a proxy server can block access to certain web pages, based on IP address.

Why do Network Users Use a Proxy Server?


There are several reasons organizations and individuals use a proxy server.
• To control internet usage of employees and children: Organizations and parents set
up proxy servers to control and monitor how their employees or kids use the internet.
Most organizations don’t want you looking at specific websites on company time, and
they can configure the proxy server to deny access to specific sites, instead of
redirecting you with a nice note asking you to refrain from looking at said sites on the
company network. They can also monitor and log all web requests, so even though they
might not block the site, they know how much time you spend cyber loafing.
• Bandwidth savings and improved speeds: Organizations can also get better overall
network performance with a good proxy server. Proxy servers can cache (save a copy
of the website locally) popular websites – so when you ask for www.ambou.edu.et, the
proxy server will check to see if it has the most recent copy of the site, and then send
you the saved copy. What this means is that when hundreds of people hit
www.ambou.edu.et at the same time from the same proxy server, the proxy server only
sends one request to ambou.edu.et. This saves bandwidth for the company and improves
the network performance.
• Privacy benefits: Individuals and organizations alike use proxy servers to browse the
internet more privately. Some proxy servers will change the IP address and other
identifying information the web request contains. This means the destination server
doesn’t know who actually made the original request, which helps keep your personal
information and browsing habits more private.
• Improved security: Proxy servers provide security benefits on top of the privacy
benefits. You can configure your proxy server to encrypt your web requests to keep
prying eyes from reading your transactions. You can also prevent known malware sites
from any access through the proxy server. Additionally, organizations can couple their
proxy server with a Virtual Private Network (VPN), so remote users always access the
internet through the company proxy. A VPN is a direct connection to the company
network that companies provide to external or remote users. By using a VPN, the
company can control and verify that their users have access to the resources (email,
internal data) they need, while also providing a secure connection for the user to protect
the company data.
• Get access to blocked resources: Proxy servers allow users to circumvent content
restrictions imposed by companies or governments. Is the local sportsball team’s game
blacked out online? Log into a proxy server on the other side of the country and watch
from there. The proxy server makes it look like you are in California, but you actually
live in North Carolina. Several governments around the world closely monitor and
restrict access to the internet, and proxy servers offer their citizens access to an
uncensored internet.

Types of Proxy Servers


• Transparent Proxy: A transparent proxy tells websites that it is a proxy server and it
will still pass along your IP address, identifying you to the webserver. Businesses,
public libraries, and schools often use transparent proxies for content filtering: they’re
easy to set up both client and server-side.
• Anonymous Proxy: An anonymous proxy will identify itself as a proxy, but it won’t
pass your IP address to the website – this helps prevent identity theft and keep your
browsing habits private. They can also prevent a website from serving you targeted
marketing content based on your location. For example, if CNN.com knows you live in
Raleigh, NC, they will show you news stories they feel are relevant to Raleigh, NC.
Browsing anonymously will prevent a website from using some ad targeting
techniques, but is not a 100% guarantee.
• Distorting proxy: A distorting proxy server passes along a false IP address for you
while identifying itself as a proxy. This serves similar purposes as the anonymous
proxy, but by passing a false IP address, you can appear to be from a different location
to get around content restrictions.
• High Anonymity proxy: High Anonymity proxy servers periodically change the IP
address they present to the web server, making it very difficult to keep track of what
traffic belongs to whom. High anonymity proxies, like the Tor network, are the most
private and secure way to read the internet.

Intrusion Detection System (IDS)/Intrusion Prevention System (IPS)


An intrusion detection system (IDS) monitors traffic on a network, analyzes that traffic for
signatures matching known attacks, and alerts users when something suspicious happens.
In the meantime, the traffic keeps flowing. An intrusion prevention system (IPS) also
monitors traffic. But when something unusual happens, the traffic stops altogether until you
investigate and decide to open the floodgates again.

IDS vs. IPS: Differences & Similarities
Let's examine how they're alike and what sets them apart. Both systems can:
• Monitor: After setup, these programs can look over traffic within parameters you
specify, and they will work until you turn them off.
• Alert: Both programs will send a notification to those you specify when a problem has
been spotted.
• Learn: Both can use machine learning to understand patterns and emerging threats.
• Log: Both will keep records of attacks and responses, so you can adjust your protections
accordingly.

But they differ due to:


• Response: An IDS is passive, while an IPS is an active control system. You must take
action after an IDS alerts you, as your system is still under attack.
• Protection: Arguably, an IDS offers less help when you're under threat. You must figure
out what to do, when to do it, and how to clean up the mess. An IPS does all of this for
you.
• False positives: If an IDS gives you an alert about something that isn't troublesome at
all, you're the only one inconvenienced. If an IPS shuts down traffic, many people could
be impacted.
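
The response and false-positive differences above can be seen by running one signature engine in both modes. This is an added example, not part of the original chapter; the two signatures and the four requests are constructed, and the last request is deliberately benign so that it triggers a false positive.

```python
# Added example (not from the original chapter): one signature engine run
# passively (IDS) and inline (IPS). Signatures and requests are constructed.
import re

SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-keyword": re.compile(r"\bunion\s+select\b", re.IGNORECASE),
}

def inspect(request: str):
    """Return the names of all signatures that match the request."""
    return [name for name, rx in SIGNATURES.items() if rx.search(request)]

def process(requests, mode: str):
    """'ids': alert, but forward everything. 'ips': alert and drop matches."""
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    alerts, forwarded, dropped = [], [], []
    for req in requests:
        hits = inspect(req)
        if hits:
            alerts.append((req, hits))
        if hits and mode == "ips":
            dropped.append(req)      # inline device: traffic stops here
        else:
            forwarded.append(req)    # passive device: traffic keeps flowing
    return alerts, forwarded, dropped

TRAFFIC = [
    "GET /index.html",
    "GET /download?file=../../etc/passwd",
    "GET /search?q=1 UNION SELECT name FROM users",
    "GET /docs?q=how to write a union select query",  # benign: false positive
]
```

Both modes raise the same three alerts. In IDS mode all four requests still reach the server, while in IPS mode the benign documentation search is dropped along with the two suspicious requests.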

IDS & IPS Working Together


Many companies avoid the IDS vs. IPS problem by deploying both solutions to protect their
assets and servers.

Virtual Private Networking (VPN)


A VPN makes it possible to establish a protected network connection when using public
networks. VPNs encrypt an organization’s internet traffic and disguise the user’s online
identity. This makes it more difficult for third parties to track activities online and steal
data. The encryption takes place in real time.

How does a VPN work?


A VPN hides the user's IP address by letting the network redirect it through a specially
configured remote server run by a VPN host. This means that if a user surfs online with a VPN,
the VPN server becomes the source of the user’s data. This means the Internet Service Provider
(ISP) and other third parties cannot see which websites a user visits or what data the user sends
and receives online. A VPN works like a filter that turns all your data into "gibberish". Even if
someone were to get their hands on your data, it would be useless.

Benefits of VPN
A VPN connection disguises user data traffic online and protects it from external access.
Unencrypted data can be viewed by anyone who has network access and wants to see it. With
a VPN, hackers and cyber criminals can’t decipher this data.
• Secure encryption: To read the data, you need an encryption key. Without one, it
would take millions of years for a computer to decipher the code in the event of a brute
force attack. With the help of a VPN, your online activities are hidden even on public
networks.
• Disguising your whereabouts: VPN servers essentially act as your proxies on the
internet. Because the demographic location data comes from a server in another
country, your actual location cannot be determined. In addition, most VPN services do
not store logs of your activities. Some providers, on the other hand, record your
behavior, but do not pass this information on to third parties. This means that any
potential record of your user behavior remains permanently hidden.
• Access to regional content: Regional web content is not always accessible from
everywhere. Services and websites often contain content that can only be accessed from
certain parts of the world. Standard connections use local servers in the country to
determine your location. This means that you cannot access content at home while
traveling, and you cannot access international content from home. With VPN location
spoofing, you can switch to a server in another country and effectively “change” your
location.
• Secure data transfer: If you work remotely, you may need to access important files on
your company’s network. For security reasons, this kind of information requires a
secure connection. To gain access to the network, a VPN connection is often required.
VPN services connect to private servers and use encryption methods to reduce the risk
of data leakage.

What should a good VPN do?
You should rely on your VPN to perform one or more tasks. The VPN itself should also be
protected against compromise. These are the features you should expect from a comprehensive
VPN solution:
• Encryption of your IP address: The primary job of a VPN is to hide your IP address
from your ISP and other third parties. This allows you to send and receive information
online without the risk of anyone but you and the VPN provider seeing it.
• Encryption of protocols: A VPN should also prevent you from leaving traces, for
example, in the form of your internet history, search history and cookies. The encryption
of cookies is especially important because it prevents third parties from gaining access
to confidential information such as personal data, financial information and other
content on websites.
• Kill switch: If your VPN connection is suddenly interrupted, your secure connection
will also be interrupted. A good VPN can detect this sudden downtime and terminate
preselected programs, reducing the likelihood that data is compromised.
• Two-factor authentication: By using a variety of authentication methods, a strong
VPN checks everyone who tries to log in. For example, you might be prompted to enter
a password, after which a code is sent to your mobile device. This makes it difficult for
uninvited third parties to access your secure connection.
