
Chapter 4

Computer Security Technology and Intrusion Detection
18 Marks
Contents
• Firewalls
  – Need for a firewall
  – Characteristics
  – Limitations
  – Types of firewalls: hardware, software, packet filter, proxy server, hybrid, application gateway, circuit level gateway
  – Implementing a firewall
Firewall
• A dedicated appliance (hardware) or software.
• Stands between a trusted and an untrusted network, inspecting all traffic passing between them.
• A choke point of control and monitoring.
• Imposes restrictions on network services: only authorized traffic is allowed.
• Provides NAT and usage monitoring.
• Implements VPNs using IPsec.
Perimeter Defense
A firewall is said to provide “perimeter security” because it sits on the outer boundary, or perimeter, of a network. The network boundary is the point at which one network connects to another.

Firewall
[Figure: firewall at the network perimeter]
What is a Firewall?
• A firewall acts as a security gateway between two networks.
• Usually between trusted and untrusted networks (such as between a corporate network and the Internet).
[Figure: Internet – Corporate Network Gateway – Corporate Site]
What is a Firewall?
• A firewall acts as a security gateway between two networks.
• Tracks and controls network communications.
• Decides whether to pass, reject, encrypt, or log communications (access control).
[Figure: the gateway between the Internet and the Corporate Site, labelled “Allow traffic to Internet” and “Block traffic from Internet”]
Need for Firewall
The need arises from the evolution of an organization's information systems:
• Centralized data processing system, with a central mainframe supporting a number of directly connected terminals.
• LANs interconnecting PCs and terminals to each other and to the mainframe.
• Enterprise-wide network, consisting of multiple, geographically distributed networks interconnected by a wide area network (WAN).
• Internet connectivity, in which the various premises networks all hook into the Internet and may or may not also be connected by a private WAN.
Need for Firewall
• Prevent attacks from untrusted networks.
• Protect the integrity of critical information.
• Preserve customer and partner confidence.
Design Principle
• Users in an organization need Internet access.
• Internet access also enables the outside world to connect to and interact with local network assets.
• This creates a threat to the organization.
• A firewall is inserted between the local network and the Internet to establish a controlled link.
• The aim of this boundary is to protect the local network from Internet-based attacks.
Design Goals
• All traffic must pass through the firewall, whether from inside to outside or vice versa.
• This is achieved by physically blocking all access to the local network except via the firewall.
• Only authorized traffic, as defined by the local security policy, will be allowed to pass.
• The firewall itself is immune to penetration.
Techniques that firewalls use to control access
• Service control: determines the types of Internet services that can be accessed.
  – Filters traffic on the basis of IP address, protocol, or port number.
• Direction control: determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.
• User control: controls access to a service according to which user is attempting to access it.
• Behavior control: controls how particular services are used.
Capabilities of a firewall
• Defines a single choke point that keeps unauthorized users out of the protected network.
• Provides a location for monitoring security-related events.
• Is a convenient platform for several Internet functions that are not security related (e.g. NAT).
• Can serve as the platform for IPsec.
Firewalls must have the following attributes
• All communication traffic must pass through it.
• Permits only traffic that is authorized.
• Can withstand attacks upon itself.
• Protects a local system or network of systems from network-based threats.
• Working closely with a router program, examines each network packet to determine whether to forward it towards its destination.
Limitations
• A firewall cannot protect against attacks that bypass the firewall.
• A firewall does not protect against internal threats.
• A laptop, PDA, or portable storage device may be used and infected outside the corporate network, and then attached and used internally.
• A firewall cannot protect against the transfer of virus-infected programs or files.
• It cannot guard against wireless communications.
Types of Firewall
• Software firewall
• Hardware firewall
• Packet filtering firewall
• Proxy server
• Hybrid
• Application level gateway
• Circuit level gateway
Software firewall
• A software firewall is a program (or set of programs) installed on a computer.
• A host-based firewall is a software module used to secure an individual host.
• A common location for such firewalls is a server.
• It runs on a single computer (personal firewall).
• Prevents unauthorized access to the computer through the network.
• Allows configuration of trusted zones.
• Software firewalls depend on the user's decisions.
Hardware firewall
• A hardware firewall is a device which stands between trusted and untrusted networks.
• More complex than a software firewall.
• Contains software (an OS) running on dedicated hardware.
• The OS of a hardware firewall is small in size but very difficult to attack.
• It can handle and filter more traffic.
• It can also act as a router or VPN endpoint.
Packet Filtering Firewall
• Simplest, fastest firewall component.
• Examines each IP packet in isolation (no context) and permits or denies it according to rules.
• Restricts access to services (ports).
• The router is typically configured to filter packets going to and from the internal network.
• Filtering rules are based on information contained in a packet.
• Works at the network layer.
Packet Filtering Firewall
Fields used in filtering rules:
• Source IP address: the IP address of the system that originates the IP packet.
• Destination IP address: the IP address of the system the IP packet is trying to reach.
• Source and destination transport-level address: the transport-level (e.g. TCP or UDP) port number.
• IP protocol field: defines the transport protocol.
• Interface: which interface of the router the packet came from or is destined for.
Packet Filtering Firewall
• Packets examined at the network layer.
• Useful “first line” of defense; commonly deployed on routers.
• Simple accept or reject decision model.
• No awareness of higher protocol layers.
[Figure: OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) on either side of a packet filtering router placed between the Internet and the private network; the filter operates at the Network layer]
Packet Filtering Firewall
Advantages
• Simplicity
• Transparency to the users
• High speed
Disadvantages
• Lack of authentication
• Difficulty of setting up packet filtering rules
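The rule model described on the preceding slides, as an added example that is not part of the original deck: a stateless filter that judges each packet on the header fields listed (direction standing in for the router interface, protocol, addresses, destination port), first match wins with an implicit default deny. It also shows the two weaknesses the slides name: a misordered rule set lets a spoofed packet through, and with no context the filter cannot recognise a reply to an outbound connection. All addresses, rules and packets are constructed sample values.

```python
# Added example (not from the original deck): a stateless packet filter.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str               # "in" (from Internet) or "out" (to Internet)
    protocol: str                # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    direction: str = "any"
    protocol: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.protocol in ("any", p.protocol)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


DEFAULT_DENY = Rule("deny")


def decide(rules: List[Rule], p: Packet) -> Tuple[str, Rule]:
    """Return (action, rule that fired). No connection state is kept, so a
    reply to an outbound connection is judged purely on its own headers."""
    for r in rules:
        if r.matches(p):
            return r.action, r
    return DEFAULT_DENY.action, DEFAULT_DENY


INTERNAL = "10.0.0.0/8"                 # constructed internal address range
MAIL_HOST = "10.0.0.5/32"               # constructed mail server

# Anti-spoofing: an internal source address must never arrive from outside.
ANTI_SPOOF = Rule("deny", direction="in", src=INTERNAL)
# Inbound SMTP is allowed, but only to the mail host.
INBOUND_SMTP = Rule("permit", direction="in", protocol="tcp", dst=MAIL_HOST, dport=25)
# Internal hosts may browse the web.
OUTBOUND_WEB = [Rule("permit", direction="out", protocol="tcp", src=INTERNAL, dport=port)
                for port in (80, 443)]

# Correct order: the anti-spoofing deny must precede any inbound permit.
GOOD_RULES = [ANTI_SPOOF, INBOUND_SMTP, *OUTBOUND_WEB]
# The same rules with the permit listed first: the spoofed packet gets through.
BAD_RULES = [INBOUND_SMTP, ANTI_SPOOF, *OUTBOUND_WEB]

if __name__ == "__main__":
    spoofed = Packet("in", "tcp", "10.0.0.9", "10.0.0.5", 25)
    print("spoofed inbound SMTP, good order:", decide(GOOD_RULES, spoofed)[0])
    print("spoofed inbound SMTP, bad order: ", decide(BAD_RULES, spoofed)[0])
```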
Proxy Server
• An important part of web architecture.
• Reduces the load on servers.
• Acts as a gateway to and from the Internet.
• An intermediary program that acts as both a server and a client for the purpose of making requests on behalf of other clients.
• Two forms of proxy servers: nontransparent and transparent.
  – A nontransparent proxy is visible to the user: the user configures the browser to contact the proxy instead of the original server.
Proxy Server
• A transparent proxy needs no change to the client configuration.
• Examines all TCP connections that pass through it.
• Requests are serviced internally or by passing them, with possible translation, on to other servers.
• A proxy must interpret and, if necessary, rewrite a request message before forwarding it.
• Proxies are often used as client-side portals through network firewalls.
• Clients connect to the proxy server when they make a request for resources located on the Internet.
• Also known as an application gateway.
Proxy Server
• The proxy server gets the resource and returns it to the client.
• Since only one IP address is presented to the Internet, the proxy server effectively hides the internal network.
• The proxy server is the only computer in the network attached to both the internal and external networks.
[Figure: client 111.222.3.4 behind proxy 222.111.123.234, which fetches from web servers (MSBTE, YouTube, FB) on its behalf]
Application Level Gateway
• Also known as a proxy server.
• It acts like a proxy and decides about the flow of application-level traffic.
• The user contacts the application level gateway using a TCP/IP application, such as FTP or HTTP.
• The application level gateway asks the user for the remote host with which the user wants to set up a connection for communication.
Application Level Gateway
• When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host.
• If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall.
• The gateway can also be configured to support only specific features of an application.
• Application level gateways tend to be more secure than packet filtering.
Firewalls - Application Level Gateway (or Proxy)
• Has an application-specific gateway / proxy.
• Has full access to the protocol.
• The user requests a service from the proxy.
• The proxy validates the request as legal.
• It then actions the request and returns the result to the user.
• Can log / audit traffic at the application level.
• Needs a separate proxy for each service.
Application Gateway or Proxy
• Packets examined at the application layer.
• Application/content filtering possible: prevent FTP “put” commands, for example.
• Modest performance.
• Scalability limited.
[Figure: OSI stacks on either side of the gateway; the proxy operates at the Application layer]
Advantages
• Higher security than packet filtering.
• Only needs to scrutinize a few allowable applications.
• Easy to log and audit all incoming traffic.
Disadvantage
• Additional overhead on each connection.
Circuit Level Gateway
• A stand-alone system or a specialized function performed by an application level gateway.
• Does not permit an end-to-end TCP connection.
• The gateway sets up two TCP connections:
  – one between itself and a TCP user on an inner host, and
  – one between itself and a TCP user on an outside host.
• Imposes security by limiting which such connections are allowed.

Circuit Level Gateways
[Figure: circuit level gateway relaying between the two TCP connections]
Circuit Level Gateway
• Once a circuit is created, it usually relays traffic without examining contents.
• Typically used when internal users are trusted, by allowing general outbound connections.
• SOCKS (a protocol) is commonly used for this.
Implementing Firewall
Three types of firewall configuration:
1. Screened host firewall, single-homed bastion
2. Screened host firewall, dual-homed bastion
3. Screened subnet firewall
Bastion Host
• A highly secure host system that serves as a platform for an application-level or circuit-level gateway.
• The host hardware platform executes a secure version of its operating system, making it a trusted system.
• Only services that the network administrator considers essential are installed on the bastion host (e.g. Telnet, DNS, FTP, and user authentication).
Single-Homed Bastion
• Consists of two systems: a packet-filtering router and a bastion host. The router is configured so that:
  – for traffic from the Internet, only IP packets destined for the bastion host are allowed in;
  – for traffic from the internal network, only IP packets from the bastion host are allowed out.
• The bastion host performs authentication and proxy functions.

Single-Homed Bastion
[Figure: Internet – packet-filtering router – bastion host – internal network]
Dual-Homed Bastion Host
• Direct connections between internal hosts and the packet filter are avoided.
• The packet filter connects only to the application gateway.
• The application gateway has a separate connection to the internal hosts.

Dual-Homed Bastion Host
[Figure: Internet – packet-filtering router – dual-homed bastion host – internal network]
Screened Subnet Firewall
• There are now three levels of defense to thwart intruders.
• The outside router advertises only the existence of the screened subnet to the Internet; therefore, the internal network is invisible to the Internet.
• Similarly, the inside router advertises only the existence of the screened subnet to the internal network; therefore, the systems on the inside network cannot construct direct routes to the Internet.

Screened Subnet Firewall
[Figure: Internet – outside router – screened subnet with bastion host – inside router – internal network]
Network Address Translation (NAT)
[Figure: Corporate LAN with internal IP addresses 192.172.1.1-192.172.1.254 behind a NAT device with public IP address 219.22.165.1 facing the Internet]
• Converts a network's illegal (non-routable) IP addresses to legal or public IP addresses.
• Hides the true addresses of individual hosts, protecting them from attack.
• Allows more devices to be connected to the network.
Firewall Deployment
• Corporate Network Gateway
  – Protects the internal network from Internet attack.
  – Most common deployment point.
[Figure: Internet – Corporate Network Gateway – Corporate Site, with a Demilitarized Zone (DMZ) holding the public servers and a separate Human Resources network]
Firewall Deployment
• Corporate Network Gateway
• Internal Segment Gateway
  – Protects sensitive segments (Finance, HR, Product Development).
  – Provides a second layer of defense.
  – Ensures protection against internal attacks and misuse.
[Figure: as before, with an Internal Segment Gateway in front of the Human Resources network; the DMZ holds the publicly-accessible servers]
Firewall Deployment
• Corporate Network Gateway
• Internal Segment Gateway
• Server-Based Firewall
  – Protects individual application servers.
  – Protects the files on that server.
[Figure: as before, with a server-based firewall on the SAP server inside the corporate site]
Summary
• Firewall
• Limitations
• Firewall types
  – Packet filtering firewall
  – Application level gateway
  – Circuit level gateway
• Firewall configuration
Virtual Private Network

Virtual Private Network (VPN)
• Uses the public telecommunication infrastructure to provide remote offices with secure access to their organization's network.
• A VPN is a mechanism employing encryption, authentication and integrity protection.
• A public network can thus be used as a private network.
• A VPN can connect distant networks of an organization.
• A VPN is a mechanism to create a private network over a public network.

Virtual Private Network (VPN)
[Figure: VPN overview]
VPN between two private networks
[Figure: Network 1 – Firewall 1 – Internet – Firewall 2 – Network 2, with a VPN tunnel between the two firewalls]
• Suppose an organization has two networks, Network 1 and Network 2, which are physically separate; two firewalls are set up for encryption and decryption.
• The figure shows Network 1 connecting to the Internet through Firewall 1 and Network 2 through Firewall 2.
• The two firewalls are virtually connected to each other over the Internet with the help of a VPN tunnel between them.
• The transmission between the two networks takes the following steps:
1. Assume that Network 1's host X wants to send a packet to Network 2's host Y.
2. Host X creates the packet, inserting its own IP address as the source address and the IP address of host Y as the destination address.
   [Source X | Destination Y | Other headers & actual data]
3. This packet reaches Firewall 1, which adds a new IP header to the packet: it sets the source IP address of the outer packet to its own IP address and the destination IP address to the IP address of Firewall 2.
   • Firewall 1 also performs encryption and authentication.
   [X | Y | Other headers & actual data]  becomes  [F1 | F2 | (X | Y | Other headers & actual data)]
   (the encryption and authentication applied depend on the VPN settings)
4. The packet reaches Firewall 2 over the Internet. Firewall 2 discards the outer header and performs the appropriate decryption. This yields the original packet that was created by host X, and Firewall 2 delivers it to host Y.
   [F1 | F2 | (X | Y | Other headers & actual data)]  becomes  [X | Y | Other headers & actual data]
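The four steps above carried out on real IPv4 headers, as an added example that is not part of the original deck: host X's packet is encrypted and authenticated by Firewall 1, wrapped in an outer header F1 -> F2, and unwrapped, checked and delivered by Firewall 2. The keystream cipher built from HMAC-SHA256 stands in for the real cipher a VPN would use; the shared key and all addresses are constructed sample values.

```python
# Added example (not from the original deck): firewall-to-firewall VPN tunnel.
import hmac
import struct
from hashlib import sha256
from ipaddress import ip_address, ip_network

PROTO_TCP, PROTO_ESP = 6, 50          # IP protocol numbers (50 = IPsec ESP payload)


def _checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); a bad header checksum is rejected."""
    if len(pkt) < 20 or _checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header")
    return str(ip_address(pkt[12:16])), str(ip_address(pkt[16:20])), pkt[9], pkt[20:]


class TunnelFirewall:
    """One tunnel endpoint; `inside` is the network it protects (constructed key)."""

    def __init__(self, own_ip: str, peer_ip: str, inside: str, key: bytes):
        self.ip, self.peer, self.key = own_ip, peer_ip, key
        self.inside, self.seq, self.seen = ip_network(inside), 0, set()

    def _crypt(self, sender: str, seq: int, data: bytes) -> bytes:
        # Keystream bound to sender and sequence number so no two packets
        # (in either direction) ever reuse it; XOR both encrypts and decrypts.
        ks = b"".join(hmac.new(self.key, ip_address(sender).packed + struct.pack("!II", seq, i),
                               sha256).digest() for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, ks))

    def encapsulate(self, inner: bytes) -> bytes:
        """Firewall 1's job: encrypt, authenticate, add the F1 -> F2 outer header."""
        self.seq += 1
        body = struct.pack("!I", self.seq) + self._crypt(self.ip, self.seq, inner)
        tag = hmac.new(self.key, ip_address(self.ip).packed + body, sha256).digest()
        return build_ipv4(self.ip, self.peer, PROTO_ESP, body + tag)

    def decapsulate(self, pkt: bytes) -> bytes:
        """Firewall 2's job: check, strip the outer header, decrypt, deliver."""
        src, dst, proto, payload = parse_ipv4(pkt)
        if (src, dst, proto) != (self.peer, self.ip, PROTO_ESP):
            raise ValueError("not a tunnel packet from our peer")
        body, tag = payload[:-32], payload[-32:]
        expect = hmac.new(self.key, ip_address(src).packed + body, sha256).digest()
        if not hmac.compare_digest(expect, tag):
            raise ValueError("authentication failed: forged or modified in transit")
        seq = struct.unpack("!I", body[:4])[0]
        if seq in self.seen:
            raise ValueError("replayed packet")
        self.seen.add(seq)
        inner = self._crypt(src, seq, body[4:])
        if ip_address(parse_ipv4(inner)[1]) not in self.inside:
            raise ValueError("inner packet is not for the protected network")
        return inner
```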
VPN Protocols
• PPTP (Point-to-Point Tunneling Protocol)
  – Used on Windows NT systems.
  – It mainly supports VPN connectivity between a single user and a LAN, rather than between two LANs.
PPTP
• The Point-to-Point Tunneling Protocol (PPTP) makes this possible.
• Created by Microsoft.
• Widely used.
[Figure: remote user – Access Concentrator – RAS]
PPTP
• PPTP operation
  – The user dials into the local PPTP access concentrator host.
  – The user sends the access concentrator a PPP frame within an IP packet.
[Figure: packet from the user to the Access Concentrator, then on to the RAS]
PPTP
• PPTP operation
  – The access concentrator places the incoming IP packet within another IP packet.
  – It sends the encapsulated packet to the distant RAS.
[Figure: Access Concentrator – encapsulated packet – RAS]
PPTP
• PPTP operation
  – The distant RAS removes the original packet.
  – It treats the packet as if it came in over a local telephone line.
  – It deals with the PPP frame within the packet.
[Figure: RAS receiving the original IP packet]
PPTP
• PPTP encapsulation
  – The access concentrator receives the original IP packet, which has the destination IP address of the access concentrator.
  – It adds a new IP header with the IP address of the RAS.
  – It adds an enhanced generic routing encapsulation (GRE) header for security.
[Figure: New IP Header | Enhanced GRE Header | Original IP Packet]
PPTP
• PPTP tunneling
  – Encapsulating an IP packet within another packet to send it through a network is called tunneling.
  – This is how tunnel mode works in IPsec (discussed earlier in the module).
[Figure: tunnel from the Access Concentrator to the RAS]
VPN Protocols
• L2TP (Layer 2 Tunneling Protocol)
  – Developed by the IETF.
  – An improvement over PPTP.
  – L2TP is considered a secure open standard for VPNs.
  – It works for both combinations: user-to-LAN and LAN-to-LAN.
VPN Protocols
• IPSec
  – Designed to provide a secure communication channel between two devices.
  – It provides confidentiality, data authentication, data integrity and protection from replay.
Kerberos

Kerberos
• Kerberos is an authentication service developed at MIT.
• Kerberos addresses the problem:
  – Servers need to be able to restrict access to authorized users and to authenticate requests.
  – A workstation cannot be trusted to identify its users.
• Threats
  – A user gains access to a particular workstation and pretends to be another user operating from that workstation.
  – A user may alter a workstation's address.
  – A user may eavesdrop on exchanges and use a replay attack.
Kerberos
• Kerberos is a network authentication protocol.
• It is designed to provide strong authentication for client/server applications using secret-key cryptography.
• It provides a centralized authentication server whose function is to authenticate users to servers and servers to users.
Kerberos
Characteristics
• It is secure: it never sends a password unless it is encrypted.
• Only a single login is required per session.
• Credentials defined at login are passed between resources without the need for additional logins.
• Uses a KDC (Key Distribution Center). The KDC is aware of all systems in the network and is trusted by all of them.
• It performs mutual authentication.
Kerberos
• Kerberos introduces the concept of a Ticket Granting Server (TGS).
• A client has to receive a ticket to use a service.
• A ticket is a time-limited cryptographic message which gives access to a server.
• Kerberos requires an Authentication Server (AS) to verify clients.
• The client authenticates itself to the AS, which forwards the username to the KDC.
• The KDC issues a TGT (ticket granting ticket) which is time-stamped, encrypted using the user's password, and sent to the user's workstation.
Kerberos Key Distribution Center
[Figure: the user workstation exchanges KRB_AS_REQ (1) / KRB_AS_REP (2) with the Authentication Server (AS) and KRB_TGS_REQ (3) / KRB_TGS_REP (4) with the Ticket Granting Server (TGS), then contacts the Server once per service session (6)]
1. The workstation sends a message to the authentication server requesting a ticket granting ticket (TGT).
2. The AS verifies the user's access rights and creates a TGT and a session key. The AS encrypts the result using a key derived from the user's password and sends the encrypted result to the user's workstation.
   – The user decrypts it using the password.
3. The workstation sends a request to the TG server containing the client name, realm name (domain), and a timestamp.
   – The user proves his identity by sending an authenticator encrypted with the session key.
4. The TGS decrypts the ticket and authenticator, verifies the request, and creates a ticket for the requested server.
   – The ticket contains the client name, and optionally the IP address, realm name and ticket timestamp.
   – The TGS returns the ticket to the workstation.
5. The client application sends a service request to the server containing the ticket.
   – The service authenticates the request by decrypting the session key. The server verifies that the ticket and authenticator match and then grants access to the service.
6. If mutual authentication is required, then the server will reply with a server authentication message.
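The six steps above simulated end to end, as an added example that is not part of the original deck: the AS reply that only the password can open, the TGT and service ticket that only the TGS and the service can read, the timestamped authenticator with its replay cache, and the server's mutual-authentication reply. The seal/unseal pair (HMAC-SHA256 keystream plus HMAC tag) stands in for Kerberos's real encryption types and PBKDF2 for its string-to-key function; the realm, names, passwords and keys are constructed values.

```python
# Added example (not from the original deck): Kerberos AS/TGS/AP exchanges.
import hmac, json, os, time
from hashlib import pbkdf2_hmac, sha256

LIFETIME, SKEW = 8 * 3600, 300          # ticket lifetime, allowed clock skew (s)

def _ks(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + bytes([i]), sha256).digest()
                    for i in range(n // 32 + 1))

def seal(key: bytes, obj: dict) -> bytes:
    """nonce || ciphertext || tag over a JSON object; only `key` can open it."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, sha256).digest(), tag):
        raise PermissionError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def user_key(password: str, realm: str) -> bytes:
    return pbkdf2_hmac("sha256", password.encode(), realm.encode(), 10_000)

def new_ticket(key: bytes, cname: str) -> tuple:
    # Fresh session key plus a time-limited ticket sealed under the server's key.
    sk = os.urandom(16).hex()
    return sk, seal(key, {"cname": cname, "key": sk, "expires": time.time() + LIFETIME})

def verify(key: bytes, ticket: bytes, auth: bytes, replays: set) -> tuple:
    """Ticket/authenticator check shared by the TGS and by every service."""
    t = unseal(key, ticket)                       # only the key owner can read it
    if t["expires"] < time.time():
        raise PermissionError("ticket expired")
    a = unseal(bytes.fromhex(t["key"]), auth)     # proves the client holds the session key
    if a["cname"] != t["cname"] or abs(a["ts"] - time.time()) > SKEW:
        raise PermissionError("authenticator does not match ticket")
    if (t["cname"], a["ts"]) in replays:
        raise PermissionError("replayed authenticator")
    replays.add((t["cname"], a["ts"]))
    return t, a

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one."""
    def __init__(self, realm: str, users: dict, services: dict):
        self.realm, self.svc_keys, self.tgs_key = realm, services, os.urandom(32)
        self.user_keys = {u: user_key(p, realm) for u, p in users.items()}
        self.replays = set()

    def as_exchange(self, cname: str) -> tuple:           # steps 1-2 (KRB_AS_REQ/REP)
        sk, tgt = new_ticket(self.tgs_key, cname)
        return tgt, seal(self.user_keys[cname], {"key": sk})   # readable only with the password

    def tgs_exchange(self, tgt: bytes, auth: bytes, service: str) -> bytes:  # steps 3-4
        t, _ = verify(self.tgs_key, tgt, auth, self.replays)
        sk, ticket = new_ticket(self.svc_keys[service], t["cname"])
        return seal(bytes.fromhex(t["key"]), {"key": sk, "ticket": ticket.hex()})

class Service:
    def __init__(self, key: bytes):
        self.key, self.replays = key, set()

    def ap_exchange(self, ticket: bytes, auth: bytes) -> tuple:   # steps 5-6
        t, a = verify(self.key, ticket, auth, self.replays)
        return t["cname"], seal(bytes.fromhex(t["key"]), {"ts": a["ts"]})  # mutual auth

def login(kdc: KDC, cname: str, password: str, svc_name: str, svc: Service) -> tuple:
    """Workstation side of the whole exchange; returns (mutually authenticated, ticket, auth)."""
    tgt, enc = kdc.as_exchange(cname)
    k_tgs = bytes.fromhex(unseal(user_key(password, kdc.realm), enc)["key"])  # wrong pw fails
    tgs_auth = seal(k_tgs, {"cname": cname, "ts": time.time()})
    rep = unseal(k_tgs, kdc.tgs_exchange(tgt, tgs_auth, svc_name))
    k_svc, ticket = bytes.fromhex(rep["key"]), bytes.fromhex(rep["ticket"])
    ts = time.time()
    auth = seal(k_svc, {"cname": cname, "ts": ts})
    who, ap_rep = svc.ap_exchange(ticket, auth)
    return who == cname and unseal(k_svc, ap_rep)["ts"] == ts, ticket, auth
```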
Security Topologies

Security Topology
• A logical map that depicts the interconnectivity between security devices, the networks that are protected by those security devices, and the security domains that host these networks.
• Security topologies serve as a foundation to create IPsec VPNs on the network and to configure firewall policies on security devices.
Security Zones
• A way to classify websites into different security categories.
• Internet Explorer includes five predefined zones: Internet, Local Intranet, Trusted Sites, Restricted Sites and My Computer.
• Trusted Sites: this zone is for sites that you trust.
• Unclassified sites: this zone is for sites that you haven't classified or are not sure of.
• Restricted Sites: this zone is for sites that you don't trust and want to restrict.
Key aspects of creating and designing security zones
• Internet Zone
  – Contains websites that are not on your computer or on the local intranet.
  – The default security level is Medium.
Local Intranet Zone
• Contains all network connections that were established by a Universal Naming Convention (UNC) path.
• Websites that bypass the proxy server or have names that do not include periods.
• Not assigned to either the Restricted or Trusted Sites zone.
• The default security level for the Local Intranet zone is set to Medium or Medium-Low.
Trusted Sites Zone
• Contains websites that you trust as safe.
• For websites in the Trusted zone, it is believed that files you download or run from the website will not damage your computer or data.
• By default, no websites are assigned to the Trusted zone.
• The security level is set to Low.
Restricted Sites Zone
• Contains websites that you do not trust.
• For websites in the Restricted zone, it is believed that files you download or run from the website may damage your computer or data.
• By default, there are no websites in the Restricted zone.
• The security level is set to High.
• The default security level is Medium.
DMZ (Demilitarized Zone)
• A computer host or small network inserted as a ‘neutral zone’ between a company's private network and the outside public network.
• Prevents outside users from getting direct access to a server.
• A DMZ is an optional and more secure approach to a firewall.
• Effectively acts as a proxy server as well.

[Figure: DMZ placed between the Internet and the private network]
DMZ
• A separate computer in the network receives requests from users within the private network for access to websites or other companies' public networks.
• It can only forward the packets that have already been requested.
• Users of the public network outside the company can access only the DMZ host.
Internet
• A network that can be used to transfer emails, files, financial records, remote access, etc.
• The Internet is not a single network.
• It is a series of interconnected networks.
• Such a large mesh allows the user an infinite ability to communicate between different systems.
• Everyone can have access to this network.
• Since it is difficult to impose security policies on it, it is considered an untrusted system.
Intranet
• A private network that is contained within an enterprise.
• It may consist of many interlinked LANs and also use leased lines in a WAN.
• An intranet includes connections through one or more gateway computers to the Internet.
• Its main purpose is to share company information and computing resources among employees.

Intranet
• Uses TCP/IP, HTTP, and other Internet protocols.
• Looks like a private version of the Internet.
• With tunneling, companies can send private messages through public networks.
• Users within the intranet access the public Internet through firewall servers.
• When part of an intranet is made accessible to customers, partners or others outside the company, that part becomes an extranet.
Virtual LAN (VLAN)
• In a traditional LAN, workstations are connected to each other using a hub.
• These devices propagate incoming data throughout the network.
• This leads to the problem of collisions.
• To prevent collisions, bridges and switches can be used, because they do not forward collisions.
• They still allow broadcasts to reach every user in the network.
• The area within which broadcasts and multicasts are confined is called a broadcast domain, or LAN.
Virtual LAN (VLAN)
• VLANs allow a LAN to be locally segmented into different broadcast domains.
• I.e. a single switch forms multiple broadcast domains.
• This is a logical segmentation, not a physical one.
• All VLANs over a single switch operate in parallel.

[Fig. VLAN: one switch/bridge hosting VLAN 1, VLAN 2, VLAN 3 and VLAN 4]
Advantages of VLAN
1. Performance
   • In a network, a high percentage of traffic is broadcast and multicast.
   • VLANs reduce the need to send traffic to unnecessary destinations.
2. Formation of virtual workgroups
3. Simplified administration
4. Security
Types of VLAN
• Layer 1 VLAN: membership by port
  – Membership in a VLAN can be based on the ports that belong to the VLAN.
  – The disadvantage of this is that it does not allow user mobility.

Port | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8
VLAN | 1 | 1 | 3 | 3 | 2 | 2 | 4 | 4
Types of VLAN
• Layer 2 VLAN: membership by MAC address
  – Membership is based on the MAC address of the workstation.
  – The switch tracks which VLAN each MAC address belongs to.
  – If a workstation is moved or its port is changed, there is no need to reconfigure the VLAN.
  – The disadvantage is that membership must be assigned initially; in a network with thousands of users this is not an easy task.
VLAN Types
• Layer 2 VLAN: membership by protocol
  – This method is based on the protocol field.
  – Protocols are assigned to different ports.
  – E.g. IP protocol traffic is assigned to port 1 and other traffic to some other port.
VLAN Types
• Layer 2 VLAN: membership by IP address subnet
  – This method is based on the IP address subnet.

IP Address      | Subnet mask
192.168.1.100   | 255.255.255.128
192.168.1.100   | 255.255.255.128
117.240.248.129 | 255.255.255.240
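The VLAN membership methods above (by port, by MAC address, by IP subnet), as an added example that is not part of the original deck: a switch model that classifies each frame into a VLAN, learns where members sit, and floods broadcasts only to that VLAN's ports. It also shows the mobility difference the slides note: a host moved to another port changes VLAN under port-based membership but keeps its VLAN under MAC-based membership. The port table is the one from the slides; the MAC addresses, subnets and frames are constructed.

```python
# Added example (not from the original deck): VLAN membership and flooding.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

PORT_VLAN = {1: 1, 2: 1, 3: 3, 4: 3, 5: 2, 6: 2, 7: 4, 8: 4}      # slide table
MAC_VLAN = {"00:11:22:33:44:01": 1, "00:11:22:33:44:02": 2,
            "00:11:22:33:44:03": 2}                                # constructed
SUBNET_VLAN = {ip_network("192.168.1.0/25"): 1,                   # mask 255.255.255.128
               ip_network("117.240.248.128/28"): 2}               # mask 255.255.255.240
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    in_port: int
    src_mac: str
    dst_mac: str = BROADCAST
    src_ip: Optional[str] = None      # needed only for subnet-based membership


class VlanSwitch:
    def __init__(self, method: str):
        self.method = method
        self.members = {v: set() for v in (1, 2, 3, 4)}    # VLAN -> ports seen in it
        if method == "port":                                # static: all ports known up front
            for port, v in PORT_VLAN.items():
                self.members[v].add(port)
        self.fdb = {}                                        # (VLAN, MAC) -> port

    def vlan_of(self, f: Frame) -> Optional[int]:
        if self.method == "port":
            return PORT_VLAN.get(f.in_port)
        if self.method == "mac":
            return MAC_VLAN.get(f.src_mac)
        if self.method == "subnet" and f.src_ip is not None:
            return next((v for net, v in SUBNET_VLAN.items()
                         if ip_address(f.src_ip) in net), None)
        return None

    def forward(self, f: Frame) -> List[int]:
        """Ports the frame is sent out of; [] when it is dropped."""
        v = self.vlan_of(f)
        if v is None:
            return []                                    # not a member of any VLAN
        self.members[v].add(f.in_port)                   # this port now hosts VLAN v
        self.fdb[(v, f.src_mac)] = f.in_port             # learn the source
        out = self.fdb.get((v, f.dst_mac))
        if out is not None and out != f.in_port:
            return [out]                                 # known unicast within the VLAN
        return sorted(self.members[v] - {f.in_port})     # broadcast/unknown: flood VLAN only
```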
Summary
• VPN: a way to create a private network over a public one
• VPN protocols: PPTP, L2TP, IPSec
• Kerberos
• Security topologies
• Security zones: Internet, Intranet, Trusted Sites and Restricted Sites
• DMZ
• Virtual LAN