Network Security

by
Prof. Krishna Samdani
Contents
▸ Filtering Services

▸ Firewalls and its type

▸ DMZ

▸ NAT

▸ IDS and IPS

▸ SIEM

2
1
Filtering
Services
Filtering Services
▸ Filtering services play a crucial role in enhancing network security by
controlling and monitoring the flow of data within a network.
▸ Various filtering services are employed to protect against cyber threats,
manage network resources, and enforce policies.

4
Types of Filtering services
▸ Firewall – Examines the content and make the decision based on the traffic.
▸ Intrusion Prevention System – Monitor network and/or system activities for
malicious exploits or security policy violations and take action to block or prevent
those activities.
▸ Antivirus and Antimalware Filters – Scan files and network traffic for known
patterns or signatures of malicious software and prevent them from entering the
network.
▸ Web Content Filtering – Control and restrict access to certain websites or content
categories based on predefined policies. This helps prevent users from accessing
malicious or inappropriate content.
5
Types of Filtering services
▸ Email Filtering – Scan email content and attachments for malicious code, phishing
attempts, or spam. Email filtering helps prevent the delivery of malicious content
through email.
▸ DNS Filtering – Block access to malicious websites by filtering DNS requests. DNS
filtering can prevent users from accessing known malicious domains or websites.
▸ Application Layer Filtering – Control or block specific applications or services at
the application layer. This can include filtering instant messaging, peer-to-peer file
sharing, or other applications that may pose security risks.

6
Types of Filtering services
▸ Virtual Private Network Filtering – Manage and control access to VPN
connections to ensure secure and authorized remote access to the network.
▸ Data Loss Prevention – Monitor and control the transfer of sensitive data within
the network to prevent unauthorized access or data leakage.
▸ Packet Filtering – Examines packets of data and makes decisions to allow or block
the transmission based on predefined rules.
▸ Behavioral Analysis – Analyze the behavior of network traffic and detect
anomalies or patterns indicative of potential security threats.

7
2
Firewall and
its type
Firewalls
▸ A firewall is a type of cybersecurity tool that is used to filter traffic on a
network. Firewalls can be used to separate network nodes from external
traffic sources, internal traffic sources, or even specific applications.
Firewalls can be software, hardware, or cloud-based, with each type of
firewall having its own unique pros and cons.

▸ The primary goal of a firewall is to block malicious traffic requests and data
packets while allowing legitimate traffic through.

9
Firewall types - Packet Filtering
▸ As the most “basic” and oldest type of firewall architecture, packet-filtering firewalls basically
create a checkpoint at a traffic router or switch. The firewall performs a simple check of the data
packets coming through the router—inspecting information such as the destination and
origination IP address, packet type, port number, and other surface-level information without
opening up the packet to inspect its contents.

▸ If the information packet doesn’t pass the inspection, it is dropped.

▸ The good thing about these firewalls is that they aren’t very resource-intensive. This means they
don’t have a huge impact on system performance and are relatively simple. However, they’re also
relatively easy to bypass compared to firewalls with more robust inspection capabilities.

10
Firewall types - Circuit Level Gateways

▸ As another simplistic firewall type that is meant to quickly and easily approve or deny traffic
without consuming significant computing resources, circuit-level gateways work by verifying the
transmission control protocol (TCP) handshake. This TCP handshake check is designed to make
sure that the session the packet is from is legitimate.

▸ While extremely resource-efficient, these firewalls do not check the packet itself. So, if a packet
held malware, but had the right TCP handshake, it would pass right through. This is why circuit-
level gateways are not enough to protect your business by themselves.

11
 Firewall types - Stateful Inspection

▸ These firewalls combine both packet inspection technology and TCP handshake
verification to create a level of protection greater than either of the previous two
architectures could provide alone.

▸ However, these firewalls do put more of a strain on computing resources as well. This
may slow down the transfer of legitimate packets compared to the other solutions

12
Firewall types - Proxy
▸ Proxy firewalls operate at the application layer to filter incoming traffic between your network and
the traffic source—hence, the name “application-level gateway.” These firewalls are delivered via a
cloud-based solution or another proxy device. Rather than letting traffic connect directly, the proxy
firewall first establishes a connection to the source of the traffic and inspects the incoming data
packet.
▸ This check is similar to the stateful inspection firewall in that it looks at both the packet and at the
TCP handshake protocol. However, proxy firewalls may also perform deep-layer packet inspections,
checking the actual contents of the information packet to verify that it contains no malware.
▸ Once the check is complete, and the packet is approved to connect to the destination, the proxy
sends it off. This creates an extra layer of separation between the “client” (the system where the
packet originated) and the individual devices on your network—obscuring them to create additional
anonymity and protection for your network.
▸ If there’s one drawback to proxy firewalls, it’s that they can create significant slowdown because of
the extra steps in the data packet transferal process.
13
Firewall types - Next Generation
▸ Many of the most recently-released firewall products are being touted as “next-generation”
architectures. However, there is not as much consensus on what makes a firewall truly next-gen.

▸ Some common features of next-generation firewall architectures include deep-packet inspection

(checking the actual contents of the data packet), TCP handshake checks, and surface-level packet
inspection. Next-generation firewalls may include other technologies as well, such as intrusion
prevention systems (IPSs) that work to automatically stop attacks against your network.

▸ The issue is that there is no one definition of a next-generation firewall, so it’s important to verify
what specific capabilities such firewalls have before investing in one.
14
Firewall types - Software
▸ Software firewalls include any type of firewall that is installed on a local device rather
than a separate piece of hardware (or a cloud server). The big benefit of a software
firewall is that it's highly useful for creating defense in depth by isolating individual
network endpoints from one another.

▸ However, maintaining individual software firewalls on different devices can be difficult

and time-consuming. Furthermore, not every device on a network may be compatible
with a single software firewall, which may mean having to use several different
software firewalls to cover every asset.

15
Firewall types - Hardware
▸ Hardware firewalls use a physical appliance that acts in a manner similar to a traffic router to
intercept data packets and traffic requests before they're connected to the network's servers.
Physical appliance-based firewalls like this excel at perimeter security by making sure malicious
traffic from outside the network is intercepted before the company's network endpoints are exposed
to risk.

▸ The major weakness of a hardware-based firewall, however, is that it is often easy for insider
attacks to bypass them. Also, the actual capabilities of a hardware firewall may vary depending on
the manufacturer—some may have a more limited capacity to handle simultaneous connections
than others.

16
Firewall types - Cloud
▸ Whenever a cloud solution is used to deliver a firewall, it can be called a cloud firewall,
or firewall-as-a-service (FaaS). Cloud firewalls are considered synonymous with proxy
firewalls by many, since a cloud server is often used in a proxy firewall setup (though
the proxy doesn't necessarily have to be on the cloud, it frequently is).

▸ The big benefit of having cloud-based firewalls is that they are very easy to scale with
your organization. As your needs grow, you can add additional capacity to the cloud
server to filter larger traffic loads. Cloud firewalls, like hardware firewalls, excel at
perimeter security.

17
3
Demilitarized
Zone
Demilitarized Zone (DMZ)
▸ DMZ Network stands for the demilitarized zone it is a perimeter network that protects
along with adding an extra layer of security to an organization’s internal local-area
network from untrusted traffic present in the network. DMZ is a subnetwork that
works between what is called private networks and public internet.

19
Key Characteristics and Components
▸ Servers and Services – The DMZ typically hosts servers and services that need to be accessible from
the internet. Examples include web servers, email servers, and public-facing applications.

▸ Firewalls – Firewalls are used to separate the DMZ from both the internal network and the
internet. Two firewalls are often employed in a DMZ configuration: one facing the internet (external
firewall) and another facing the internal network (internal firewall). This is known as a "sandwich"
or "dual firewall" configuration.

▸ Security Policies - The firewalls are configured with specific security policies to control the traffic
flowing between the internal network, the DMZ, and the internet. Access control rules are
established to permit or deny traffic based on predefined criteria.

20
Key Characteristics and Components
▸ Perimeter Security - The DMZ acts as a perimeter security layer, helping to prevent direct access to
internal resources. Even if a server in the DMZ is compromised, it provides an additional barrier
before an attacker can reach critical internal systems.

▸ Intrusion Detection/ Prevention Systems (IDS/IPS) - IDS/IPS devices may be deployed within the
DMZ to monitor and analyze network traffic for potential security threats. They can detect and
respond to suspicious activities in real-time.

▸ Proxy Servers - Proxy servers in the DMZ can be used to forward requests from external users to
internal servers, adding an extra layer of security by hiding the internal network structure.

▸ Public-Facing Services - Any services hosted in the DMZ that are meant to be publicly accessible
should be carefully configured and regularly updated to mitigate potential security vulnerabilities.
21
 Network
Address
4
Translation
(NAT)
Network Address Translation (NAT)
▸ Network Address Translation (NAT) - is a technique used in networking to map private IP
addresses within a local network to a single public IP address or a small pool of public IP addresses.
NAT enables multiple devices within a private network to share a common public IP address when
communicating with external networks like the Internet. This provides a level of security by hiding
internal network structures and conserves public IP address space.

▸ Purpose of NAT

▹ Address Conservation

▹ Security

▹ IPV4 Address Exhaustion Mitigation

23
 Types of Network Address
Translation (NAT)
▸ Static (NAT) - A one-to-one mapping where a private IP address is permanently mapped to a
specific public IP address. Static NAT is often used for servers or devices that need to be
consistently accessible from the external network.

▸ Dynamic (NAT) - Maps private IP addresses to a pool of public IP addresses dynamically. As

devices within the private network initiate communication, they are assigned an available public IP
address from the pool.

▸ Overloading (NAT Overload or PAT - Port Address Translation) - Maps multiple private IP
addresses to a single public IP address but uses different source ports to distinguish between
connections. This allows many internal devices to share a single public IP address.

24
 Types of Network Address
Translation (NAT)
▸ NAT64 - Facilitates communication between IPv6-only and IPv4-only devices by translating IPv6
addresses to IPv4 addresses and vice versa. NAT64 is used to bridge the gap between IPv4 and IPv6
networks.

▸ NAT-PT (Network Address Translation - Protocol Translation) - A more comprehensive approach

that not only translates addresses but also handles protocol translation between IPv6 and IPv4.
NAT-PT has been largely deprecated in favor of other transition mechanisms.

25
 Components of Network Address
Translation (NAT)
▸ Inside Local Address - The private IP address assigned to a device within the local network.

▸ Inside Global Address - The public IP address assigned to a device within the local network after
translation.

▸ Outside Local Address - The private IP address of a device in the external network (e.g., the
Internet) before translation.

▸ Outside Global Address - The public IP address of a device in the external network after translation.

26
Network Address Translation (NAT)
Consideration and Challenges Inside Local Address

▸ Port Exhaustion - In NAT Overload (PAT), the limited number of source ports can be exhausted
under heavy usage, leading to performance issues.

▸ Application Compatibilities - Some applications may encounter issues when used across NAT,
especially if they embed IP addresses in the application data.

▸ Complex Configurations - Large-scale networks with complex applications may require careful
configuration and management of NAT rules.

▸ IPv6 Transition - As the transition to IPv6 progresses, NAT may become less prevalent, and direct
end-to-end connectivity could be favored.

27
5
IDS/ IPS and
its Types
Intrusion Detection System & its
Types
▸ An intrusion occurs when an attacker attempts to gain entry into or disrupt the normal operations
of an information system, almost always with the intent to do harm.

▸ Intrusion detection consists of procedures and systems that identify system intrusions.

▸ Intrusion reaction encompasses the actions an organization takes when an intrusion is detected.

▸ Intrusion correction activities finalize the restoration of operations to a normal state and seek to
identify the source and method of the intrusion in order to ensure that the same type of attack
cannot occur again—thus reinitiating intrusion prevention.

29
Intrusion Detection System & its
Types
▸ Host-based IDS (HIDS) - Monitors and analyzes activities on individual hosts or devices within a
network. It focuses on detecting suspicious behavior at the host level, such as unauthorized access
or changes to system files.

▸ Network-based IDS (NIDS) - Examines network traffic and identifies suspicious patterns or
anomalies. NIDS is deployed at strategic points within the network to monitor traffic and detect
potential threats.

▸ Signature-based IDS - Relies on a database of predefined signatures or patterns associated with

known threats. It compares network or system activity against these signatures to identify and alert
on known attacks.

30
Intrusion Detection System & its
Types
▸ Anomaly-based IDS - Learns the baseline behavior of the network or system and triggers alerts
when deviations from the normal behavior are detected. Anomaly-based IDS is effective in
detecting new and unknown threats.

▸ Heuristic-based IDS - Uses predefined rules and algorithms to identify patterns or behaviors that
may indicate potential security incidents. Heuristic-based IDS combines aspects of both signature-
based and anomaly-based detection.

▸ Behavior-based IDS - Analyzes the behavior of users, applications, or systems to detect abnormal
activities that may indicate a security threat. This approach focuses on deviations from expected
behavior.

31
Intrusion Prevention System & its
Types
▸ Intrusion prevention consists of activities that deter an intrusion. Some important
intrusion prevention activities are writing and implementing good enterprise
information security policy, planning and executing effective information security
programs, installing and testing technology-based information security
countermeasures (such as firewalls and intrusion detection systems), and conducting
and measuring the effectiveness of employee training and awareness activities.

32
Intrusion Prevention System & its
Types
▸ Host-based IPS (HIPS) - Operates on individual hosts or devices to prevent malicious activities at
the host level. HIPS can enforce security policies and respond to threats on the specific host where it
is deployed.

▸ Network-based IPS (NIPS) - Monitors network traffic in real-time and actively blocks or prevents
malicious activities. NIPS is positioned inline on the network and can take immediate action to stop
or mitigate threats.

▸ Signature-based IPS - Uses predefined signatures to identify known threats and takes action to
prevent their execution. Signature-based IPS is effective for blocking well-known attack patterns.

33
Intrusion Prevention System & its
Types
▸ Anomaly-based IPS - Analyzes deviations from normal behavior and takes proactive measures to
prevent potential threats. Anomaly-based IPS can dynamically adapt to changing attack patterns.

▸ Inline IPS - Operates directly in the network traffic path and can block or allow traffic in real-time.
Inline IPS is positioned strategically to provide immediate response to security threats.

▸ Passive IPS - Monitors network or system activities passively and generates alerts but does not take
direct action to block or prevent threats. Passive IPS can provide insights into potential security
incidents without disrupting normal operations.

▸ Behavior-based IPS - Analyzes the behavior of users, applications, or systems and takes action to
prevent abnormal activities. Behavior-based IPS focuses on proactively stopping threats based on
observed behaviors.
34
 Security
Information
5 and Event
Management
(SIEM)
 Security Information and Event
Management
▸ SIEM, which stands for Security Information and Event Management, is a
comprehensive approach to managing and analyzing security events within an
information technology (IT) environment. SIEM systems collect and aggregate log data
generated throughout the organization's technology infrastructure, from host systems
and applications to network and security devices. The primary goal of SIEM is to
provide a centralized platform for real-time analysis of security alerts and events,
aiding in the detection of security incidents.

36
 Security Information and Event
Management
Components of SIEM

▸ Data Collection - SIEM systems collect log and event data from various sources across the IT
environment, such as firewalls, intrusion detection/prevention systems, servers, endpoints, and
applications.

▸ Log Management - SIEM platforms store and manage log data in a centralized repository. Logs are
indexed and normalized for easy searching and analysis.

▸ Normalization and Correlation Engine - Normalization standardizes log data from different
sources, making it consistent and understandable. The correlation engine identifies patterns and
relationships between seemingly unrelated events to detect potential security incidents.

37
 Security Information and Event
Management
Components of SIEM

▸ Alerting and Notification - SIEM systems generate alerts and notifications based on predefined
rules and correlation logic. Security analysts are notified of potential security incidents that require
investigation.

▸ Dashboards and Reporting - SIEM solutions provide dashboards and reporting tools to present
summarized and detailed information about security events, trends, and incidents. Customizable
dashboards help security teams monitor key metrics.

▸ Incident Response - SIEM facilitates incident response by providing tools for investigation,
forensics, and tracking the lifecycle of security incidents. It helps security teams understand the
nature and scope of incidents and take appropriate actions. 38
 Security Information and Event
Management
Components of SIEM

▸ User and Entity Behavior Analytics (UEBA) - Some SIEM systems incorporate UEBA capabilities
to detect abnormal behavior patterns that may indicate insider threats or compromised accounts.

▸ Compliance Management - SIEM platforms assist in meeting regulatory compliance requirements

by providing reports and audit trails. They help organizations demonstrate adherence to security
policies and standards.

39
 Security Information and Event
Management
Workflow of SIEM

▸ Data Collection - Log and event data is collected from various sources, including security devices,
servers, applications, and network infrastructure.

▸ Normalization - Raw log data is normalized to a consistent format, making it easier to analyze and
correlate events across different sources.

▸ Correlation - Correlation engines analyze normalized data to identify patterns and relationships
between events. This helps in detecting complex security incidents.

▸ Alerting - Alerts are generated based on predefined rules and correlation logic. Security teams are
notified of potential security incidents.
40
 Security Information and Event
Management
Workflow of SIEM

▸ Investigation - Security analysts investigate alerts, using dashboards, reports, and analysis tools to
understand the context and severity of the incidents.

▸ Incident Response - Based on the investigation, security teams initiate incident response
procedures to contain, eradicate, and recover from security incidents.

▸ Reporting - SIEM platforms provide detailed reports and dashboards for ongoing monitoring,
compliance reporting, and management visibility.

41
 Class Participation/
Question Class Activity

42
Study Materials
▸ Matt Bishop,“ Introduction to Computer Security ”, Pearson Education,
2005.
▸ K Gaves, CEH: Official Ethical Hacker Review Guide version 8 and above
▸ Allen Harper, Gray Hacking the Ethical Hacker’s Handbook, McGraw Hill
Education, 5th Edition, 2018.
▸ Few other online references.

Note: PPT are for Reference only, NOT as a Study Material

43
Thanks for Your Attention !!!
Any questions?
krishna.samdani@nmims.edu

Mobile- 9920407045

Seating – 401 Faculty Area SBMP Phase-2

44