
Assignment

Topic: Firewalls and Intrusion Prevention System


GROUP # 3
NAME ROLL NO.
Rida Fatima 5040
Nadra 5014
Mirza Rashid 5021
Ashan Raza 5060
Asim 5020
Hussnain Asif 5041
Submitted by : Group #3
Submitted to: Mam Samreen Arshad
What is a firewall?
A firewall is a network security device that monitors incoming and
outgoing network traffic and permits or blocks data packets based on
a set of security rules. Its purpose is to establish a barrier between
your internal network and incoming traffic from external sources
(such as the internet) in order to block malicious traffic like viruses
and hackers.
How does a firewall work?
Firewalls carefully analyze incoming traffic based on pre-
established rules and filter traffic coming from unsecured or
suspicious sources to prevent attacks. Firewalls guard traffic at
a computer’s entry point, called ports, which is where
information is exchanged with external devices.
For example:
“Source address 172.18.1.1 is allowed to reach destination
172.18.2.1 over port 22.”
Think of IP addresses as houses, and port numbers as
rooms within the house. Only trusted people (source
addresses) are allowed to enter the house (destination
address) at all—then it’s further filtered so that people
within the house are only allowed to access certain rooms
(destination ports), depending on whether they're the owner, a
child, or a guest. The owner is allowed into any room (any
port), while children and guests are allowed into a certain
set of rooms (specific ports).
Types of firewalls

According to their structure, there are two types of firewalls:

• Software firewalls
• Hardware firewalls
Software firewalls:
A software firewall is a program installed on each computer and
regulates traffic through port numbers and applications.
Hardware firewalls:
A hardware (physical) firewall is a piece of equipment installed
between your network and gateway.
Types of firewalls explained
Firewalls can either be software or hardware, though it’s best to have both.
A software firewall is a program installed on each computer and regulates
traffic through port numbers and applications, while a physical firewall is a
piece of equipment installed between your network and gateway.

Packet-filtering firewalls, the most common type of firewall, examine
packets and prohibit them from passing through if they don’t match an
established security rule set. This type of firewall checks the packet’s source
and destination IP addresses. If a packet's addresses match those of an “allowed”
rule on the firewall, then it is trusted to enter the network.
Rules of Firewall
• ALLOW:
It allows the flow of traffic automatically because it has been
deemed
• BLOCK:
It blocks traffic that is dangerous for your
computer.
• ASK:
It always asks the user whether the traffic
is allowed to pass or not.
Packet-filtering firewalls are divided into two categories: stateful and
stateless. Stateless firewalls examine packets independently of one another
and lack context, making them easy targets for hackers. In contrast, stateful
firewalls remember information about previously passed packets and are
considered much more secure.
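
The difference between stateless and stateful filtering, as an added example (not part of the original assignment) built on the rule quoted earlier. The client port numbers, the TCP flag strings and the simplified connection table are constructed for illustration; real stateful firewalls also track TCP state and timeouts.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags: "S" (SYN), "SA" (SYN+ACK), "A" (ACK)

CLIENT, SERVER, SSH = "172.18.1.1", "172.18.2.1", 22

def stateless_allow(p: Packet) -> bool:
    """Each packet is judged alone against static header rules."""
    # Rule from the text: the client may reach the server on port 22.
    if p.src == CLIENT and p.dst == SERVER and p.dport == SSH:
        return True
    # Replies must get back, so a stateless filter needs a mirror rule keyed
    # on source port 22. It cannot tell a genuine reply from a stray packet.
    if p.src == SERVER and p.dst == CLIENT and p.sport == SSH:
        return True
    return False

class StatefulFilter:
    """Remembers connections the client opened and admits only their replies."""
    def __init__(self):
        self.table = set()  # (client_ip, client_port, server_ip, server_port)

    def allow(self, p: Packet) -> bool:
        if p.src == CLIENT and p.dst == SERVER and p.dport == SSH:
            if p.flags == "S":  # new connection: record it
                self.table.add((p.src, p.sport, p.dst, p.dport))
                return True
            return (p.src, p.sport, p.dst, p.dport) in self.table
        # Reverse direction: allowed only if it matches a tracked connection.
        return (p.dst, p.dport, p.src, p.sport) in self.table

def demo():
    # Constructed sample packets
    syn = Packet(CLIENT, 50000, SERVER, SSH, "S")
    reply = Packet(SERVER, SSH, CLIENT, 50000, "SA")
    unsolicited = Packet(SERVER, SSH, CLIENT, 50001, "A")  # no SYN preceded it
    fw = StatefulFilter()
    stateful = [fw.allow(p) for p in (syn, reply, unsolicited)]
    stateless = [stateless_allow(p) for p in (syn, reply, unsolicited)]
    return stateless, stateful
```

Both filters pass the connection and its reply; only the stateful filter rejects the third packet, because no tracked connection matches it.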
While packet-filtering firewalls can be effective, they ultimately provide very
basic protection and can be very limited—for example, they can't determine if
the contents of the request that's being sent will adversely affect the
application it's reaching. If a malicious request that was allowed from a trusted
source address would result in, say, the deletion of a database, the firewall
would have no way of knowing that. Next-generation firewalls and proxy
firewalls are more equipped to detect such threats.
Next-generation firewalls (NGFW) 
Next-generation firewalls (NGFW) combine traditional
firewall technology with additional functionality, such as
encrypted traffic inspection, intrusion prevention
systems, anti-virus, and more. Most notably, they include
deep packet inspection (DPI). While basic firewalls only
look at packet headers, deep packet inspection examines
the data within the packet itself, enabling users to more
effectively identify, categorize, or stop packets with
malicious data.
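
Header-only filtering next to payload inspection, as an added example (not part of the original assignment) using the trusted-source scenario described above. The port number, the single signature and the sample requests are constructed assumptions; real NGFW rule sets are far larger and work on reassembled, decrypted streams.

```python
import re
from urllib.parse import unquote_plus

TRUSTED_SRC, APP_PORT = "172.18.1.1", 8080  # constructed values

# Assumed, illustrative signature for requests that would delete data.
SIGNATURES = {
    "sql-destructive": re.compile(r"\b(drop|truncate)\s+(database|table)\b", re.I),
}

def header_filter(pkt: dict) -> str:
    """Basic packet filter: sees only addresses and ports."""
    ok = pkt["src"] == TRUSTED_SRC and pkt["dport"] == APP_PORT
    return "ALLOW" if ok else "BLOCK"

def deep_inspect(pkt: dict) -> tuple:
    """Header check first, then scan the decoded payload against signatures."""
    if header_filter(pkt) == "BLOCK":
        return "BLOCK", "header-rule"
    # Decode URL-encoding so 'DROP%20TABLE' and 'drop+table' are both seen.
    text = unquote_plus(pkt["payload"].decode("utf-8", errors="replace"))
    for name, rx in SIGNATURES.items():
        if rx.search(text):
            return "BLOCK", name
    return "ALLOW", None

# Constructed sample traffic: same trusted source, same allowed port.
BENIGN = {"src": TRUSTED_SRC, "dport": APP_PORT,
          "payload": b"GET /report?q=select+name+from+users HTTP/1.1\r\n\r\n"}
HARMFUL = {"src": TRUSTED_SRC, "dport": APP_PORT,
           "payload": b"GET /report?q=1%3B%20DROP%20TABLE%20users HTTP/1.1\r\n\r\n"}

def demo():
    return [(header_filter(p), deep_inspect(p)) for p in (BENIGN, HARMFUL)]
```

The header filter allows both requests because their headers are identical; only the payload scan separates them.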
Proxy firewalls
Proxy firewalls filter network traffic at the application level. Unlike basic
firewalls, the proxy acts as an intermediary between two end
systems. The client must send a request to the firewall, where
it is evaluated against a set of security rules and then
permitted or blocked. Most notably, proxy firewalls monitor
traffic for layer 7 protocols such as HTTP and FTP, and use both
stateful and deep packet inspection to detect malicious traffic.
Network address translation (NAT) firewalls
Network address translation (NAT) firewalls allow multiple devices with
independent network addresses to connect to the internet using a single
IP address, keeping individual IP addresses hidden. As a result, attackers
scanning a network for IP addresses can't capture specific details,
providing greater security against attacks. NAT firewalls are similar to
proxy firewalls in that they act as an intermediary between a group of
computers and outside traffic.
Stateful multilayer inspection (SMLI) firewalls
Stateful multilayer inspection (SMLI) firewalls filter packets at
the network, transport, and application layers, comparing them
against known trusted packets. Like NGFW firewalls, SMLI firewalls also
examine the entire packet and only allow it to pass if it
passes each layer individually. These firewalls examine packets to
determine the state of the communication (thus the name) to
ensure all initiated communication is only taking place with
trusted sources.
Intrusion Prevention System (IPS)

• Intrusion Prevention System is also known as Intrusion
Detection and Prevention System. It is a network security
application that monitors network or system activities for
malicious activity. Major functions of intrusion prevention
systems are to identify malicious activity, collect information
about this activity, report it and attempt to block or stop it.
• Intrusion prevention systems are considered an
extension of Intrusion Detection Systems (IDS) because
both IPS and IDS monitor network traffic and system
activities for malicious activity.
IPS typically record information related to observed events, notify
security administrators of important observed events and produce reports.
Many IPS can also respond to a detected threat by attempting to prevent it
from succeeding. They use various response techniques, which involve
the IPS stopping the attack itself, changing the security environment or
changing the attack’s content. 
Classification of Intrusion Prevention System (IPS):
Intrusion Prevention System (IPS) is classified into 4 types:

1. Network-based intrusion prevention system (NIPS):
It monitors the entire network for suspicious traffic by analyzing protocol activity.

2. Wireless intrusion prevention system (WIPS):
It monitors a wireless network for suspicious traffic by analyzing wireless
networking protocols.

3. Network behavior analysis (NBA):
It examines network traffic to identify threats that generate unusual traffic flows,
such as distributed denial of service attacks, specific forms of malware and policy
violations.

4. Host-based intrusion prevention system (HIPS):
It is an inbuilt software package which monitors a single host for suspicious activity
by scanning events that occur within that host.
Why is an intrusion prevention system important?

There are several reasons why an IPS is a key part of any enterprise
security system. A modern network has many access points and deals with
a high volume of traffic, making manual monitoring and response an
unrealistic option. (This is particularly true when it comes to cloud
security, where a highly connected environment can mean an expanded
attack surface and thus greater vulnerability to threats.) In addition, the
threats that enterprise security systems face are growing ever more
numerous and sophisticated. The automated capabilities of an IPS are vital
in this situation, allowing an enterprise to respond to threats quickly
without placing a strain on IT teams. As part of an enterprise’s security
infrastructure, an IPS is a crucial way to help prevent some of the most
serious and sophisticated attacks.
What are the benefits of an intrusion prevention system?

An IPS works in tandem with other security solutions, and it can identify threats
that those other solutions can’t. This is particularly true of systems that use
anomaly-based detection. It also provides superior application security thanks to
a high level of application awareness.
• Increased efficiency for other security controls: Because an IPS filters out
malicious traffic before it reaches other security devices and controls, it reduces
the workload for those controls and allows them to perform more efficiently.
• Time savings: Since an IPS is largely automated, it requires less of a time
investment from IT teams.
• Compliance: An IPS fulfills many of the compliance requirements set forth by
PCI DSS, HIPAA, and others. It also provides valuable auditing data.
• Customization: An IPS can be set up with customized security policies to provide
security controls specific to the enterprise that uses it.
