
Firewalls and IDS

What is a Firewall
 A firewall is a network security device that monitors
incoming and outgoing network traffic and permits or blocks
data packets based on a set of security rules.
 It acts as a barrier between your internal network and
traffic arriving from external sources (such as the internet), in
order to block malicious traffic such as attacker connections and malware.
 Firewalls analyze traffic against pre-established rules and
filter traffic coming from unsecured or suspicious sources to
prevent attacks.
Firewalls
 Think of IP addresses as houses, and port numbers as rooms
within the house. Only trusted people (source addresses) are
allowed to enter the house (destination address) at all; then
it is further filtered so that people within the house are only
allowed to access certain rooms (destination ports), depending
on whether they are the owner, a child, or a guest. The owner is
allowed into any room (any port), while children and guests are
allowed into a certain set of rooms (specific ports).
Firewalls
Types of firewalls
 Firewalls can be either software or hardware, though it is best to have both.
A software firewall is a program installed on each computer that regulates
traffic by port number and application, while a hardware (physical) firewall is a
piece of equipment installed between your network and its gateway.
 Types of firewalls by inspection method:
Packet filter
Application gateway (proxy server)
Packet filter firewalls
 Packet-filtering firewalls allow or block packets based mostly
on criteria such as source and/or destination IP address,
protocol, source and/or destination port number, and other
fields in the IP header.
 The decision can also be based on fields outside the IP header,
such as the TCP or UDP port numbers carried in the transport header.
 A packet filter rule has two parts:
 Selection criteria: the condition, matched against packet
fields, that is used for decision making.
 Action field: the action to be taken if an IP packet meets the
selection criteria. The action is either block (deny) or permit
(allow) the packet across the firewall.
Packet filter firewalls
 Packet filtering is generally accomplished by
configuring Access Control Lists (ACLs) on routers or
switches. An ACL is an ordered table of packet filter rules.
 As traffic enters or exits an interface, the firewall applies
the ACL from top to bottom to each packet: the first rule whose
criteria match decides whether the individual packet is permitted
or denied, and a packet that matches no rule is dropped by the
implicit deny at the end of the list.
Packet filter firewalls
 Packet-filtering firewalls, the most common type of
firewall, examine packets and prohibit them from
passing through if they do not match an established
security rule set. This type of firewall checks the
packet's source and destination IP addresses and ports. If a
packet matches an "allowed" rule on the
firewall, it is trusted to enter the network.
 Packet-filtering firewalls are divided into two
categories: stateful and stateless.
Packet filter firewalls
 A stateless firewall is a rigid tool. It looks at each
packet in isolation and allows it if it meets the criteria, even if it is
not part of any established ongoing communication.
 Hence such firewalls have been replaced by stateful
firewalls in modern networks. A stateful firewall keeps a table of
open connections and permits an inbound packet only if a rule allows it
or it belongs to a connection that was already tracked. This offers a
more in-depth inspection method than the ACL-only packet inspection of
stateless firewalls.
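The rule structure above (selection criteria plus an action), top-to-bottom first-match evaluation with an implicit deny, and the difference between a stateless and a stateful filter, shown as an added example that is not part of the original slides. The Packet and Rule types, the address ranges and the sample traffic are constructed for illustration; a real stateful firewall additionally checks TCP flags and expires idle entries, which this toy omits.

```python
"""Packet filter rules: stateless ACL (first match wins, implicit deny)
versus a stateful filter that tracks connections opened from inside.
Added example with constructed rules and traffic; not a real firewall."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    sport: int    # source port
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    """One ACL entry: selection criteria plus an action. None means 'any'."""
    action: str                  # "permit" or "deny"
    proto: Optional[str] = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


def stateless_filter(acl: List[Rule], p: Packet) -> str:
    """Apply the ACL top to bottom; the first matching rule decides.
    A packet that matches no rule is dropped (implicit deny)."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


INSIDE = "10.0.0.0/8"   # constructed internal address range

# Inbound ACL for a *stateless* filter. Because it cannot tell a web reply
# from an unsolicited packet, it has to permit anything with source port 80
# to let browsing work, which is the hole exploited in compare() below.
STATELESS_INBOUND = [
    Rule("permit", "tcp", dst=INSIDE, sport=80),          # "web replies"
    Rule("permit", "tcp", dst="10.0.0.5/32", dport=25),   # mail server
    Rule("deny"),                                         # explicit catch-all
]

# Inbound ACL for the stateful filter: only the service we actually expose.
STATEFUL_INBOUND = [Rule("permit", "tcp", dst="10.0.0.5/32", dport=25)]


class StatefulFilter:
    """Records flows opened from inside; inbound packets pass only if they
    belong to a tracked flow or match an explicit inbound rule."""

    def __init__(self, inbound_acl: List[Rule]):
        self.inbound_acl = inbound_acl
        self.flows = set()   # (proto, src, sport, dst, dport)

    def outbound(self, p: Packet) -> str:
        if ip_address(p.src) not in ip_network(INSIDE):
            return "deny"
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return "permit"

    def inbound(self, p: Packet) -> str:
        reply_of = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reply_of in self.flows:
            return "permit"   # part of an established connection
        return stateless_filter(self.inbound_acl, p)


def compare() -> dict:
    """Run the same inbound traffic through both filters."""
    sf = StatefulFilter(STATEFUL_INBOUND)
    # A client inside opens a web connection; the stateful filter records it.
    sf.outbound(Packet("10.0.0.20", "203.0.113.80", "tcp", 51000, 80))

    inbound = {
        "web reply":     Packet("203.0.113.80", "10.0.0.20", "tcp", 80, 51000),
        "fake sport 80": Packet("198.51.100.7", "10.0.0.20", "tcp", 80, 22),
        "mail":          Packet("198.51.100.9", "10.0.0.5", "tcp", 40000, 25),
        "telnet":        Packet("198.51.100.9", "10.0.0.5", "tcp", 40000, 23),
    }
    return {name: (stateless_filter(STATELESS_INBOUND, p), sf.inbound(p))
            for name, p in inbound.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:14s} stateless={stateless:6s} stateful={stateful}")
```

The "fake sport 80" case is the point of the comparison: an attacker who sets the source port to 80 on a connection attempt to SSH gets through the stateless ACL, because that ACL had to open source port 80 for web replies, while the stateful filter denies it because no inside host ever opened that flow.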
Application Gateways

 An application-level gateway intercepts incoming and
outgoing packets, runs proxies that copy and forward
information across the gateway, and functions as a proxy
server, preventing any direct connection between a
trusted server or client and an untrusted host.
 The proxies are application specific (one per protocol, such as
HTTP or SMTP). They filter traffic at the application layer of the
OSI model, on fields such as methods, hostnames and commands that a
packet filter never sees.
Application gateway
 Application gateway (proxy server)
[Diagram: Internet -> firewall -> proxy system -> firewall -> internal network]
What is Intrusion Detection
 Intrusions are activities that violate the security
policy of a system.
 Intrusion Detection is the process used to identify
intrusions.
 Intrusion: attempting to break into or misuse your
system.
 Intruders may be from outside the network or
legitimate users of the network.
 An intrusion can be a physical, system or remote intrusion.
Types of Intruders
 Masquerader: a user with no authority to use the system who
penetrates the system's access controls to exploit a legitimate user's account.
 Misfeasor: a legitimate user who either
accesses data, programs or resources for which access is not authorized
(e.g. a user who has been denied the internet facility on the system),
or is authorized but misuses the privileges (e.g. a user who
leaks secret information to an outside party).
 Clandestine user: a user who seizes supervisory (administrative) control of the
system and uses it to evade auditing and access controls or to
suppress audit collection.
Intrusion Detection Systems
 Different ways of classifying an IDS
By where the data is collected:
◦ network based
◦ host based
By how it detects:
◦ signature based (misuse detection)
◦ anomaly detection
Network Based
 Monitors the traffic on individual networks or subnets by
continuously analyzing the traffic and comparing it with
the known attacks in its library.
 Monitors, captures and analyzes the network traffic.
 Analysis is done by matching the traffic against the library of
known attacks.
 If an attack is detected, an alert is sent to the system
administrator.
 Placed at important points in the network (such as a mirror port
or inline at a network boundary) so that it can keep an eye on the
traffic travelling to and from the different devices on the network.
Network Based
 A filter is usually applied to determine which traffic
will be discarded or passed on to the attack recognition
module. This helps to filter out known benign
traffic.
 Analysis is very hard to keep up when traffic on the network is
high.
Host based
 Installed on an individual host or device on the network.
 Analyzes the traffic to and from that device only, together with
local sources such as system logs and file integrity, and alerts
the admin if suspicious activity is detected.
 It can detect, for example, that a system file was modified or
deleted by a suspicious activity.
Signature based
 Network or system information is scanned for
known attacks.
 The data is analyzed and compared with the signatures
of known attacks.
 In case of a match, an alert is issued.
 Cannot identify new attacks, and a known attack that is encoded
differently from its signature is missed unless the traffic is
normalized before matching.
Anomaly based
 It regularly monitors the network traffic and compares
it with a statistical model of normal behavior (a baseline).
 A deviation from regular behavior is flagged.
 In case of any anomaly or discrepancy, the
administrator is alerted.
 The advantage of this system is that it can detect new and unique
attacks; the cost is false positives when legitimate behavior
drifts from the baseline.
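The signature-based and anomaly-based approaches from the last two slides, run over the same records, as an added example that is not part of the original slides. The signatures, the training baseline and the access-log records are constructed for illustration and are not drawn from any real IDS ruleset; the single feature modelled (request length) is deliberately simple so that both the detection of a novel attack and the false positive are visible.

```python
"""Signature-based versus anomaly-based detection run over the same
constructed web-server requests. Added example; the signatures, baseline
and records are made up for illustration and are not a real IDS ruleset."""
import re
import statistics
from typing import List, Tuple
from urllib.parse import unquote

Record = Tuple[str, str]   # (source IP, request path) from an access log

# Constructed baseline of normal requests used to train the anomaly model.
TRAINING: List[str] = [
    "/index.html", "/about.html", "/css/site.css", "/js/app.js",
    "/images/logo.png", "/login", "/login?user=alice", "/search?q=firewall",
    "/search?q=intrusion+detection", "/docs/ids.html", "/contact",
    "/products/item?id=42",
]

# Constructed live traffic to analyze.
LIVE: List[Record] = [
    ("203.0.113.10", "/index.html"),
    ("203.0.113.11", "/login?user=a'%20or%201=1"),          # known SQLi pattern
    ("203.0.113.12", "/%2e%2e/%2e%2e/etc/passwd"),           # URL-encoded traversal
    ("203.0.113.13", "/search?q=" + "A" * 900),              # novel oversized request
    ("203.0.113.14", "/search?q=how+to+configure+a+stateful+packet+filtering+firewall+for+a+small+office"),
]

# Signatures of known attacks (constructed, deliberately simple).
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s*'?\w+'?\s*=\s*'?\w+", re.I)),
    ("path-traversal", re.compile(r"(\.\./){2,}")),
]


def signature_detect(records: List[Record]) -> List[Tuple[str, str]]:
    """Misuse detection: normalize encoding, then match known patterns."""
    alerts = []
    for src, path in records:
        decoded = unquote(path)   # %2e%2e -> .. ; without this the traversal signature is evaded
        for name, pattern in SIGNATURES:
            if pattern.search(decoded):
                alerts.append((src, name))
    return alerts


class AnomalyDetector:
    """Statistical model of one feature (request length); flags deviations."""

    def __init__(self, training: List[str], threshold: float = 3.0):
        lengths = [len(p) for p in training]
        self.mean = statistics.mean(lengths)
        self.stdev = statistics.pstdev(lengths) or 1.0
        self.threshold = threshold   # z-score beyond which a request is anomalous

    def score(self, path: str) -> float:
        return (len(path) - self.mean) / self.stdev

    def detect(self, records: List[Record]) -> List[Tuple[str, float]]:
        return [(src, round(self.score(p), 1)) for src, p in records
                if abs(self.score(p)) > self.threshold]


def run() -> Tuple[List[Tuple[str, str]], List[Tuple[str, float]]]:
    return signature_detect(LIVE), AnomalyDetector(TRAINING).detect(LIVE)


if __name__ == "__main__":
    sig, ano = run()
    print("signature alerts:", sig)   # known attacks only; misses the oversized request
    print("anomaly alerts:  ", ano)   # catches the novel request, but also the long benign search
```

The two outputs show the trade-off the slides describe: the signature detector flags the SQL injection and the traversal (the latter only because the path was decoded first) and says nothing about the 900-byte request it has no signature for; the anomaly detector flags that request but also the long legitimate search from 203.0.113.14, and it does not notice the short SQL injection at all.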
THANK YOU