
UNIT 5

1: What is an Access Control List?


An Access Control List (ACL) is an ordered list of rules that a router, switch or
firewall evaluates against each packet flowing in or out of an interface, in
order to decide whether the packet is permitted or denied.

ACLs match on packet header fields (addresses, protocol, ports), not on user
credentials: a packet that matches a permit entry is forwarded, a packet that
matches a deny entry is dropped, and a packet that matches no entry at all is
dropped by the implicit deny at the end of the list.

A network ACL is therefore a set of rules that either allow or deny traffic into
or out of a computer environment.

An ACL is similar to a guest list at a private club: only those on the list are
admitted, and everyone else is turned away.

Functions of an Access Control List

Controlling network traffic flow

• An ACL applied to an interface decides, packet by packet, which traffic is
allowed to enter or leave the network through that interface.
• By dropping traffic that has no business on a segment (for example, inbound
packets that claim an internal source address), it keeps unwanted packets from
reaching the hosts behind it.
• This can reduce the impact of DoS/DDoS attacks, in which attackers flood a
connection with a high volume of packets, by discarding traffic from blocked
sources or to blocked ports at the network edge. It cannot help once the
upstream link itself is saturated.

Better network performance

Network engineers can restrict an interface to the traffic that actually needs
to cross it (for example, local traffic only), which reduces the load on the
devices behind it.

Providing an adequate standard of security

• The primary goal of an ACL is to secure the network: the administrator
decides which sources and destinations are permitted and which are refused.
• You can permit or deny packets by user (on devices that tie ACLs to
authentication), by source or destination network, or by any packet that
matches a specific test such as a protocol and port.
• ACLs used to be the sole method of implementing firewalls; there are now a
variety of choices, such as stateful and next-generation firewalls.
• ACLs are still used by businesses in conjunction with other technologies such
as VPNs.

Components of an Access Control List

ACLs are implemented similarly across most routing platforms, and there are
certain standard configuration rules.

Remember that an ACL is an ordered group of entries. Each entry, whether the
list has one or many, is intended to accomplish a certain task, such as
permitting or blocking a particular kind of traffic, or everything.

When creating an ACL entry, you will need some information:

Sequence Number

Identifies the entry within the ACL and fixes the order in which entries are
evaluated. The first matching entry wins, so the order matters.

ACL Name

ACLs are identified by a name or a number. Some routers allow a mix of letters
and numbers rather than only a number; named ACLs are easier to read and can be
edited entry by entry.

Network Protocol

Permit or deny a protocol such as IP, TCP, UDP, ICMP, IPX or NetBIOS. Standard
ACLs match the whole IP protocol suite; extended ACLs match a specific protocol.

Statement

Permit or deny traffic from a certain source, matched on the address and its
wildcard mask. Some routers, like Cisco, automatically add an implicit deny
statement at the end of each ACL, so any packet that matches no entry is
dropped.

Source and Destination

A single IP address (host), an address range expressed with a wildcard mask or
CIDR prefix, or all addresses (any) can be specified as the source or, in an
extended ACL, the destination.

Remark

Some devices allow you to add comments to an ACL, which is useful for recording
why an entry exists.

Log

Some devices can write a log message whenever a packet matches an entry marked
for logging, which is useful for verifying a rule and for spotting probing.

Access Control List Types

There are four different types of ACLs, each with a different use: standard,
extended, dynamic and reflexive.

• Standard ACL

These access lists filter on the source IP address only. They either permit or
deny the whole IP protocol suite from that source and make no distinction
between traffic types such as TCP, UDP or ICMP. Cisco routers recognise the
numbers 1-99 and 1300-1999 as standard ACLs, and the address specified is
treated as the source address. Because they see only the source, standard ACLs
are best applied close to the destination.

• Extended ACL

These ACLs can match on the protocol, the source IP, the destination IP, the
source port and the destination port, so we can specify exactly which IP traffic
should be allowed or denied. Their number ranges are 100-199 and 2000-2699.
Because they identify traffic precisely, extended ACLs are best applied close to
the source.

• Dynamic ACL

Dynamic ACLs combine Telnet, extended ACLs and authentication. This kind of
ACL, commonly referred to as "Lock and Key", opens access for a limited time
period. Such lists only provide access to a resource after the user has first
authenticated to the router over Telnet; the router then inserts a temporary
permit entry for that user's source address.

• Reflexive ACL

• Reflexive ACLs are also known as IP session ACLs. They use upper-layer
session information (addresses and ports) to filter traffic.
• They permit inbound return traffic only for sessions that were started from
inside the network, and block unsolicited inbound traffic.
• When the router sees an outbound packet that matches the reflexive entry, it
creates a temporary inbound entry with the source and destination swapped; the
entry is removed when the session ends or times out.
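The following is an added example, not part of the original notes: a small Python evaluator for the kind of entries described in the Components and Types sections above. It applies wildcard-mask matching, top-down first-match evaluation and the implicit deny, and it contrasts a standard ACL (source only) with an extended ACL (protocol, destination and port). The addresses, ports and ACL numbers are assumed for illustration; the extended list corresponds to what `access-list 110 permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 443` and the two entries after it would express in IOS.

```python
import ipaddress

# Added example (not from the notes): a minimal evaluator for Cisco-style ACL
# entries. Each entry carries a sequence number, a permit/deny action, a
# protocol, a source and (for extended ACLs) a destination written as
# "host A.B.C.D", "any" or "A.B.C.D WILDCARD", an optional destination port
# and a log flag. Evaluation is top-down, first-match, with an implicit deny.

WORD = 0xFFFFFFFF

def parse_address(spec):
    """Return (address, wildcard) as 32-bit ints for an ACL address field."""
    spec = spec.strip()
    if spec == "any":
        return 0, WORD
    if spec.startswith("host "):
        return int(ipaddress.IPv4Address(spec[5:].strip())), 0
    addr, wild = spec.split()
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))

def address_matches(ip, spec):
    """Wildcard mask semantics: a 1 bit means 'don't care', a 0 bit must match."""
    addr, wild = parse_address(spec)
    care = ~wild & WORD
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def make_entry(seq, action, proto, src, dst="any", dport=None, log=False):
    """One access-list entry; a standard ACL entry uses only proto='ip' and src."""
    return {"seq": seq, "action": action, "proto": proto, "src": src,
            "dst": dst, "dport": dport, "log": log}

def evaluate(acl, packet):
    """Return (action, seq, logged) for the first matching entry, or the implicit deny."""
    for entry in sorted(acl, key=lambda e: e["seq"]):
        if entry["proto"] != "ip" and entry["proto"] != packet["proto"]:
            continue
        if not address_matches(packet["src"], entry["src"]):
            continue
        if not address_matches(packet["dst"], entry["dst"]):
            continue
        if entry["dport"] is not None and entry["dport"] != packet.get("dport"):
            continue
        return entry["action"], entry["seq"], entry["log"]
    return "deny", None, False   # implicit deny: no entry matched

# Constructed sample lists (addresses and ports are assumed, not from the notes).
# Standard ACL 10: permit the 192.168.1.0/24 LAN; everything else hits the implicit deny.
STANDARD_ACL_10 = [make_entry(10, "permit", "ip", "192.168.1.0 0.0.0.255")]

# Extended ACL 110: let the LAN reach one web server on 443, log any other
# attempt to reach that server, and allow all remaining IP traffic.
EXTENDED_ACL_110 = [
    make_entry(10, "permit", "tcp", "192.168.1.0 0.0.0.255", "host 203.0.113.10", dport=443),
    make_entry(20, "deny", "ip", "any", "host 203.0.113.10", log=True),
    make_entry(30, "permit", "ip", "any", "any"),
]

def https_from_lan():
    return evaluate(EXTENDED_ACL_110, {"proto": "tcp", "src": "192.168.1.25",
                                      "dst": "203.0.113.10", "dport": 443})

def ssh_from_lan():
    # Same server, wrong port: falls past seq 10 and is caught and logged by seq 20.
    return evaluate(EXTENDED_ACL_110, {"proto": "tcp", "src": "192.168.1.25",
                                      "dst": "203.0.113.10", "dport": 22})

def dns_elsewhere():
    return evaluate(EXTENDED_ACL_110, {"proto": "udp", "src": "10.9.9.9",
                                      "dst": "198.51.100.53", "dport": 53})

def outsider_on_standard_acl():
    # Standard ACL: only the source is inspected, and no entry matches 10.0.0.7.
    return evaluate(STANDARD_ACL_10, {"proto": "tcp", "src": "10.0.0.7",
                                     "dst": "192.168.1.1", "dport": 80})

if __name__ == "__main__":
    for name, fn in [("https", https_from_lan), ("ssh", ssh_from_lan),
                     ("dns", dns_elsewhere), ("outsider", outsider_on_standard_acl)]:
        print(name, fn())
```

Note how the order of the entries decides the outcome: if the `permit ip any any` entry were given sequence 15 instead of 30, the deny-and-log entry would never be reached, and every packet to the server would be permitted. That is the check to make whenever an ACL is edited.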

2: What is the Cisco ASA?

The ASA in Cisco ASA stands for Adaptive Security Appliance.

In brief, the Cisco ASA is a security device that combines firewall, antivirus,
intrusion prevention and virtual private network (VPN) capabilities in one
appliance. It provides proactive threat defense that stops attacks before they
spread through the network.

An ASA is valuable and flexible in that it can be used as a security solution
for both small and large networks.

The Cisco ASA 5500 series is Cisco's follow-up to the Cisco PIX 500 series
firewall. The ASA is not just a pure hardware firewall: because it bundles
firewall, antivirus, intrusion prevention and VPN functions, the Cisco ASA is
the whole package, so to speak.

Beyond being a firewall, the Cisco ASA can do the following and more:

• antivirus
• antispam
• IDS/IPS engine
• VPN device
• SSL device
• content inspection

What are the advantages of Cisco ASA?

• Helps organizations increase capacity and improve performance through
high-performance, multi-site, multi-node clustering.
• Delivers high availability for applications that require high resiliency.
• Provides collaboration between physical and virtual devices.
• Meets the unique needs of both the network and the data center.

What are the modes of the Cisco ASA firewall?

The Cisco ASA firewall can operate either in Routed Firewall Mode (the default)
or in Transparent Firewall Mode. In routed mode the ASA is a Layer 3 hop with a
different IP subnet on each interface. In transparent mode the appliance
bridges the same Layer 3 subnet between its inside and outside ports, with each
interface sitting in a different Layer 2 VLAN, so it can be inserted into a
network without readdressing it.
Features of the Adaptive Security Appliance (ASA)
The ASA is a Cisco security device that performs basic firewall functions
together with VPN, antivirus and many other features. Some of the features of
the ASA are:
1. Packet filtering
Packet filtering filters incoming or outgoing packets on the basis of the rules
in the ACL applied to the interface. The ACL consists of permit and deny
conditions evaluated top-down; as soon as the traffic matches a rule, that rule
is applied and no further rules are consulted.
2. Stateful filtering
By default, the ASA tracks the state of every connection that is initiated from
a higher security level interface towards a lower security level interface. If
a device on the higher level (say, inside, level 100) opens a TCP or UDP session
to a device on the lower level (say, outside, level 0), the session is recorded
in the state table (source and destination IP addresses, ports and protocol),
and the reply traffic is allowed back through even though no ACL permits
inbound traffic; the inside device can therefore telnet to the outside device.
Unsolicited traffic from the lower level to the higher level is dropped because
no matching state exists. Stateful inspection is enabled by default.
3. Routing support
The ASA supports static routes, a default route and dynamic routing protocols
such as EIGRP, OSPF and RIP.
Transparent firewall
The ASA can operate in two modes:
Routed mode: the ASA acts like a Layer 3 device (a router hop) and needs a
different IP address (and therefore a different subnet) on each interface.
Transparent mode: the ASA operates at Layer 2 and bridges the inside and
outside interfaces; only a single IP address is needed, for management of the
ASA itself.
4. AAA support
The ASA supports AAA (authentication, authorization and accounting) services
using either its local database or an external server such as Cisco ACS
(Access Control Server).
5. VPN support
The ASA supports VPN connections, allowing remote users, branches and partners
to reach corporate network resources through encrypted channels. It supports
IPsec site-to-site and remote-access VPNs and SSL VPNs, including the AnyConnect
client, ensuring secure connections and data privacy.
6. Centralized management
ASA devices can be managed centrally through Cisco Security Manager (CSM) or
individually through the Cisco Adaptive Security Device Manager (ASDM), which
provides a unified interface for configuration, monitoring and troubleshooting.
Centralized management simplifies operations and provides greater visibility
and control over the security devices.
7. VPN load balancing
This is a Cisco proprietary feature of the ASA: VPN clients can be distributed
across multiple ASA units at the same time.
8. Stateful failover
The ASA supports high availability using a pair of ASA devices. If one of the
ASAs goes down, the other takes over without interrupting traffic. When
stateful failover is enabled, the active unit continuously passes connection
state information to the standby unit, so after a failover the same connection
information is available on the new active unit and established sessions
survive.
9. Clustering
The ASA lets us configure multiple ASA devices as a single logical device. The
cluster can consist of up to 8 units. This gives higher throughput and at the
same time provides redundancy.
10. Advanced Malware Protection (AMP)
The ASA supports next-generation firewall features that provide advanced
malware protection in a single device, combining the classic firewall features
with NGFW features.
11. Modular Policy Framework (MPF)
MPF is used to define policies for different traffic flows. It lets the ASA
apply advanced features such as QoS, policing and prioritisation to selected
traffic. To use MPF we define a class-map to identify the type of traffic, a
policy-map to specify what action should be taken (such as prioritise or
inspect), and a service-policy to specify where (which interface, or globally)
the policy is applied.
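The following is an added example, not Cisco's code and not part of the original notes: a toy Python model of the default stateful behaviour described under "Stateful filtering" above, which is also what a reflexive ACL implements on a router. Interfaces carry a security level; a new connection is allowed only from a higher level to a lower one and is recorded in a state table; traffic from the lower side is accepted only as a reply to a recorded connection. The interface names, levels, networks and traffic are all assumed. A real ASA also honours ACLs that explicitly permit inbound traffic and checks TCP sequence numbers on replies; both are omitted here.

```python
import ipaddress

# Added example (toy model, not Cisco's implementation): ASA-style security
# levels plus a connection state table. All interface values are assumed.

INTERFACES = {
    "inside":  {"level": 100, "network": ipaddress.ip_network("10.1.1.0/24")},
    "dmz":     {"level": 50,  "network": ipaddress.ip_network("172.16.5.0/24")},
    "outside": {"level": 0,   "network": ipaddress.ip_network("0.0.0.0/0")},
}

class StatefulFirewall:
    def __init__(self, interfaces):
        self.interfaces = interfaces
        self.state = set()          # recorded connections as 5-tuples

    def egress_interface(self, dst):
        """Most specific interface network containing dst; outside is the catch-all."""
        addr = ipaddress.ip_address(dst)
        candidates = [(i["network"].prefixlen, name)
                      for name, i in self.interfaces.items() if addr in i["network"]]
        return max(candidates)[1]

    def process(self, ingress, pkt):
        """Return one of: permit-new, permit-existing, permit-reply, deny."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if reverse in self.state:
            if pkt.get("fin"):           # connection teardown removes the entry
                self.state.discard(reverse)
            return "permit-reply"
        if key in self.state:
            if pkt.get("fin"):
                self.state.discard(key)
            return "permit-existing"
        egress = self.egress_interface(pkt["dst"])
        if self.interfaces[ingress]["level"] > self.interfaces[egress]["level"]:
            self.state.add(key)          # higher to lower: allowed and remembered
            return "permit-new"
        return "deny"                    # lower to higher with no state: dropped

def run_scenario():
    """Constructed traffic sequence; returns the list of decisions in order."""
    fw = StatefulFirewall(INTERFACES)
    telnet_out = {"proto": "tcp", "src": "10.1.1.10", "sport": 40000,
                  "dst": "203.0.113.5", "dport": 23}
    telnet_back = {"proto": "tcp", "src": "203.0.113.5", "sport": 23,
                   "dst": "10.1.1.10", "dport": 40000}
    unsolicited = {"proto": "tcp", "src": "198.51.100.7", "sport": 5555,
                   "dst": "10.1.1.10", "dport": 22}
    dmz_to_inside = {"proto": "tcp", "src": "172.16.5.20", "sport": 5000,
                     "dst": "10.1.1.10", "dport": 445}
    inside_to_dmz = {"proto": "tcp", "src": "10.1.1.10", "sport": 5001,
                     "dst": "172.16.5.20", "dport": 80}
    return [
        fw.process("inside", telnet_out),                    # permit-new (100 -> 0)
        fw.process("outside", telnet_back),                  # permit-reply
        fw.process("outside", unsolicited),                  # deny: no state, 0 -> 100
        fw.process("dmz", dmz_to_inside),                    # deny: 50 -> 100
        fw.process("inside", inside_to_dmz),                 # permit-new (100 -> 50)
        fw.process("outside", dict(telnet_back, fin=True)),  # permit-reply, state removed
        fw.process("outside", telnet_back),                  # deny: session is gone
    ]

if __name__ == "__main__":
    print(run_scenario())
```

The last two steps show why state has a lifetime: once the session is torn down (or, on a real appliance, times out), a packet that would have been a valid reply a moment earlier is dropped again.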

Models in the ASA 5500 series

• Cisco ASA 5505
• Cisco ASA 5510
• Cisco ASA 5520
• Cisco ASA 5525-X
• Cisco ASA 5540
• Cisco ASA 5550
• Cisco ASA 5580-20
• Cisco ASA 5580-40
Features of ASA
• Provides unified communications, VPN, and IPS integration.
• Enhances performance and expands capacity for enterprises by
utilising high-performance, multi-site, multi-node clustering.
• Provides high availability for applications that need high resilience.
• Allows physical and virtual devices to work together.
• Satisfies the particular requirements of the data centre and the
network.
• Uses identity-based firewall technology and Cisco TrustSec security
group tags to provide context awareness.
• Allows per-context dynamic routing and site-to-site VPN.

3: Routers
Routers are used to transmit data packets between different networks. They are
hardware devices placed at the gateway between two connected networks. For
example, if we want to connect our LAN to our ISP, we use a router; through the
router we connect our network to the internet.

Working of Routers
A router reads the destination IP address of each packet and looks it up in its
routing table, which lists the known destination networks and, for each, the
next hop (the next router) and the outgoing interface. It then forwards the
packet to that next hop, and each router along the path repeats the process
until the packet reaches the router directly connected to the destination
network. If several routes match the destination address, the router chooses
the most specific one (the longest matching prefix) and, among routes of equal
length, the one with the lowest cost or metric. If the routing table contains
no matching entry, the packet is sent along the default route (to the default
gateway), and if there is no default route either, the packet is dropped.
Most routers have several ports so that they can connect different devices to
the internet simultaneously. Generally, the ISP (Internet service provider)
provides the home router and assigns its external address, which is a public IP
address; whenever we use the internet from one of our devices, the outside
world sees that public address. Using network address translation (NAT), the
router keeps our private IP addresses hidden. Our laptop, TV media box, desktop
and network copier each have a different private IP address; if they did not,
the router would be unable to tell which device made a request and could not
return the reply to it.
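The following is an added example, not part of the original notes: the lookup the "Working of Routers" paragraph describes, run in Python over a constructed routing table. It picks the longest matching prefix, breaks ties on metric, falls back to the default route, and drops the packet when no route matches. The prefixes, next hops, interface names and metrics are assumed.

```python
import ipaddress

# Added example (not from the notes): longest-prefix-match lookup over a
# constructed routing table. Each route is (prefix, next hop, outgoing
# interface, metric); a next hop of None means the network is directly
# connected. All values are assumed for illustration.

ROUTING_TABLE = [
    ("192.168.1.0/24", None,           "eth0", 0),    # directly connected LAN
    ("10.0.0.0/8",     "10.255.255.1", "eth1", 110),  # learned via OSPF
    ("10.1.0.0/16",    "10.1.255.1",   "eth2", 110),  # more specific route into 10.1/16
    ("10.1.0.0/16",    "10.1.255.2",   "eth2", 120),  # same prefix, worse metric (RIP)
    ("0.0.0.0/0",      "203.0.113.1",  "eth3", 1),    # default route towards the ISP
]

def lookup(table, dst):
    """Return the chosen (prefix, next_hop, iface), or None when the packet must be dropped."""
    best = None
    for prefix, next_hop, iface, metric in table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) not in net:
            continue
        # Longest prefix wins; on equal length the lower metric wins.
        if best is None or (net.prefixlen, -metric) > (best[0].prefixlen, -best[3]):
            best = (net, next_hop, iface, metric)
    if best is None:
        return None
    return (str(best[0]), best[1], best[2])

def forward(table, dst):
    """Describe the forwarding decision for one destination address."""
    route = lookup(table, dst)
    if route is None:
        return "drop"
    prefix, next_hop, iface = route
    if next_hop is None:
        return f"deliver directly on {iface}"
    return f"send to {next_hop} via {iface}"

def without_default(table):
    """The same table with the default route removed, to show the drop case."""
    return [r for r in table if r[0] != "0.0.0.0/0"]

if __name__ == "__main__":
    for dst in ("10.1.2.3", "10.2.0.1", "192.168.1.9", "8.8.8.8"):
        print(dst, "->", forward(ROUTING_TABLE, dst))
    print("8.8.8.8 with no default route ->", forward(without_default(ROUTING_TABLE), "8.8.8.8"))
```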

Importance of Routers

The following are some reasons routers matter:

o Ethernet is the most commonly used network technology, but there are others,
such as Token Ring and ATM. Each encapsulates data in its own frame format, so
devices on different network types cannot communicate directly. A router strips
the incoming frame and re-encapsulates the packet for the outgoing network, so
that hosts on different network types can exchange packets.
o Routers prevent broadcast storms. Without a router, a broadcast would reach
every port of every device and be processed by every device; with a large
number of broadcasts across the whole network, chaos can occur. A router
sub-divides the network into several smaller networks (broadcast domains)
connected through the router, and it does not forward broadcasts between
subnets.
Security features of Routers
The following are some security features of a router:

o Unauthorized access can be prevented by password-protecting the network and
the router's own administrative interfaces.
o A securely configured router reduces the risk of malware reaching internal
hosts, for example by blocking inbound connections that no internal device
requested.
o Secured routers help protect sensitive data, for instance by keeping internal
addresses hidden and by carrying VPN traffic.
o Sophisticated routers can provide additional protection against DoS attacks,
for example through rate limiting and access lists.

Firewall
The name comes from the physical firewall that blocks a fire from spreading
between sections of a building. A network firewall sets a barrier between the
internet and a LAN (local area network). Its purpose is to protect our private
LAN and to stop important data from leaking out. Without firewall capability, a
router would blindly pass traffic between the two networks; a firewall monitors
the traffic and blocks whatever is not authorized to go in or out.
A network firewall separates the internet from the LAN. Within the LAN, it can
also segment ordinary data from important data, so that an intrusion in one
segment does not spread to the other. Your rule set determines which threats
the firewall blocks: by blocking, it keeps outside users out of your private
network. If you need to allow remote access from others to your network, create
a Demilitarized Zone (DMZ): a separate network segment, between the internet
and the internal LAN, that holds the publicly reachable servers, so that a
compromise of one of those servers does not give direct access to the internal
network. Most firewalls provide a DMZ option. Some firewalls also offer virus
protection, but it is still recommended to install anti-virus on every
computer.
Working of a Network Firewall
Some hardware firewalls allow you to define blocking rules by protocol, such as
UDP (User Datagram Protocol) or TCP (Transmission Control Protocol), by port, or
by IP address. This lets you block unwanted IP addresses and unwanted ports.
Another type of firewall is defined by software applications and services. Such
a firewall acts like a proxy server, which terminates the client's connection
and opens its own connection to the destination, interconnecting the two
separate networks. The combination of a software firewall and a hardware
firewall is more efficient and safer.

Importance of Firewalls
o Using a firewall, you can protect your home computer. If you have more than
one computer, protect the whole network with a hardware firewall. If you are
using a public computer, follow the policy of the network administrator.
o A firewall is designed to protect the organization from cyber-attacks. Many
internal programs that are potentially exploitable can be shielded from danger
by limiting the traffic that crosses the boundary of the network to authorized
traffic only.
o A firewall provides a clear boundary between the outside and the inside of
your network. A firewall solution provides filtering, ensuring that users
inside your network can access external services easily while preventing
external computers from connecting to your internal computers unless the
connection meets specific access requirements.

Security features of a firewall

o A hardware firewall is used to detect suspicious traffic.
o Using the hardware firewall, data packets that look suspicious can be blocked.
o A next-generation firewall (NGFW) that analyses content can detect data
leakage.
o A firewall provides a secure network within which multiple persons can
interact, for example in online video games.
o A firewall helps protect your private information, such as online banking
credentials and social security numbers.

4: What Is an Intrusion Detection and Prevention System?
An intrusion detection and prevention system (IDPS) is a system that monitors a
network and scans it for possible threats in order to alert the administrator
and prevent potential attacks.

A firewall is the go-to solution for keeping unwanted and suspicious traffic
from flowing into a system. It is tempting to think that firewalls are 100%
foolproof and that no malicious traffic can seep into the network.
Cybercriminals, however, constantly evolve their techniques to bypass security
measures, and a packet-filtering firewall that permits port 80 cannot tell a
legitimate request from an attack carried inside one. This is where an
intrusion detection and prevention system comes to the rescue. While a
firewall regulates what gets in, the IDPS inspects what flows through the
system. It often sits right behind the firewall, working in tandem with it.
An intrusion detection and prevention system is like the baggage and security
check at an airport. A ticket or boarding pass is required to enter the airport
(the firewall), and once inside, passengers are not allowed to board their
flights until the necessary security checks have been made (the IDPS). An
intrusion detection system (IDS) only monitors and alerts on bad traffic or
policy violations. It is the predecessor of the intrusion prevention system
(IPS), also known as an intrusion detection and prevention system. Besides
monitoring and alerting, the IPS also works to prevent possible incidents with
automated courses of action.
Basic functions of an IDPS
An intrusion detection and prevention system offers the following features:

• Guards technology infrastructure and sensitive data: No system exists in a
silo, particularly in the current era of data-driven businesses. Data is
constantly flowing through the network, so the easiest way to attack or gain
access to a system is to hide within that data. The IDS part of the system is
reactive, alerting security staff to such possible incidents. The IPS part of
the system is proactive, allowing security teams to block attacks that could
cause financial and reputational damage.
• Reviews existing user and security policies: Every security-driven
organization has its own set of user policies and access policies for its
applications and systems. These policies considerably reduce the attack surface
by granting access to critical resources only to a few trusted user groups and
systems. Continuous monitoring by an IDPS lets administrators spot holes in
these policy frameworks right away, and lets them tweak policies and test the
result for security and efficiency.
• Gathers information about network resources: An IDS/IPS also gives the
security team a bird's-eye view of the traffic flowing through its networks.
This helps them keep track of network resources, allowing them to adjust a
system in case of traffic overload or under-use of servers.
• Helps meet compliance regulations: Businesses in every industry vertical are
increasingly regulated to ensure consumer data privacy and security. Deploying
an intrusion detection and prevention system is often one of the first steps
toward fulfilling these mandates.
An IDPS works by scanning traffic and processes for harmful patterns, comparing
system files against known-good copies, and monitoring user behaviour and
system activity for deviations from normal. An IPS can prevent incidents itself
(by dropping packets or resetting connections) or by instructing web
application firewalls and traffic filtering solutions to block the offending
traffic.
Types of IDPS
Organizations can consider four types of intrusion detection and prevention
system, based on the kind of deployment they are looking for.

• Network-based intrusion prevention system (NIPS): Network-based intrusion
prevention systems monitor entire networks or network segments for malicious
traffic, usually by analysing protocol activity. If the protocol activity
matches an entry in a database of known attacks, the corresponding traffic is
not allowed through. NIPS are usually deployed at network boundaries, behind
firewalls, routers and remote access servers.
• Wireless intrusion prevention system (WIPS): Wireless intrusion prevention
systems monitor wireless networks by analysing wireless-networking-specific
protocols (for example 802.11 management frames). While WIPS are valuable
within the range of an organization's wireless network, they do not analyse
higher-layer protocols such as the transmission control protocol (TCP).
Wireless intrusion prevention systems are deployed within the wireless network
and in areas that are susceptible to unauthorized wireless networking, such as
rogue access points.
• Network behavior analysis (NBA) system: While NIPS analyse deviations in
protocol activity, network behavior analysis systems identify threats by
checking for unusual traffic patterns. Such patterns are generally the result
of policy violations, malware-generated traffic, or distributed denial of
service (DDoS) attacks. NBA systems are deployed in an organization's internal
networks and at points where traffic flows between internal and external
networks.
• Host-based intrusion prevention system (HIPS): Host-based intrusion
prevention systems differ from the rest in that each is deployed on a single
host. These hosts are typically critical servers holding important data, or
publicly accessible servers that could become gateways to internal systems. The
HIPS monitors the traffic flowing in and out of that particular host together
with its running processes, system logs, application activity and
configuration changes.
Summary: IDPS type, where it is deployed, and the activity it detects

Network-based
Deployed in: network boundaries, behind firewalls, routers and remote access
servers
Activity detected: network, transport and application TCP/IP layer activity

Wireless
Deployed in: within the wireless network
Activity detected: wireless protocol activity, unauthorized WLAN use

NBA
Deployed in: internal networks, and at points where traffic flows between
internal and external networks
Activity detected: network, transport and application TCP/IP layer activity
with protocol-level anomalies

Host-based
Deployed in: individual hosts, such as critical servers or publicly accessible
servers
Activity detected: host application and operating system (OS) activity;
network, transport and application TCP/IP layer activity

Detection-level functionalities of an IDPS

1: Threshold monitoring

The first step of threshold monitoring consists of setting accepted levels for
each user, application and system behaviour (for example, failed logins per
minute or bytes transferred per hour); an alert is raised when a measurement
crosses its threshold.
2: Profiling
Intrusion detection and prevention systems offer two types of profiling: user
profiling and resource profiling.

User profiling involves monitoring whether a user with a particular role or in
a particular user group only generates traffic that is allowed for that role.
For example, only a DevOps user may access the cloud server hosting
applications, and a programmer may only access data in a sandbox server
environment.

Resource profiling measures how each system, host and application consumes and
generates data. An application whose workload suddenly increases might indicate
malicious behaviour.

Prevention-level functionalities of an IDPS
1. Stopping the attack
Otherwise known as 'banishment vigilance', intrusion prevention systems stop
incidents before they take effect. This is done by blocking users or traffic
originating from a particular IP address, or by terminating or resetting the
offending network connection.
2. Security environment changes
This involves changing security configurations to prevent further attacks. An
example is the IPS reconfiguring the firewall to block a particular IP address.
3. Attack content modification
Malicious content can be introduced into a system in various forms. One way of
making such content benign is to remove the offending segments, for example
stripping a malicious attachment from an e-mail while delivering the rest.

Techniques of IDPS
1. Signature-based detection
A signature is a specific pattern in the payload, anything from a particular
sequence of bytes to the length of a field. Most known malware and attacks
carry their own identifiable signature. Another example of a signature is
something as simple as the name of the attachment in a malicious e-mail.
Signature detection is precise for known attacks but cannot detect an attack
for which no signature exists yet.
2. Anomaly-based detection
Anomaly detection builds on threshold monitoring and profiling. The 'normal'
behaviour of users, hosts, systems and applications is configured or learned,
and any deviation from this norm is flagged as an anomaly. For example, if an
e-mail account generates hundreds of e-mails within a few hours, the chances
are high that the account has been hacked. Anomaly detection can catch novel
attacks but produces more false positives than signature matching.
3. Stateful protocol analysis
Anomaly detection uses host- or network-specific profiles to determine
suspicious activity. Stateful protocol analysis goes one step further and uses
vendor-independent definitions of each protocol's states to check whether a
session deviates from how the protocol is supposed to behave.
For example, in the file transfer protocol (FTP) an unauthenticated session
should only see login commands (USER, PASS); once the session is authenticated,
users can list, retrieve, create or modify files according to their
permissions. A RETR command arriving before authentication is therefore a
protocol violation.
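The following is an added example, not part of the original notes: the three detection techniques above, together with the threshold monitoring they build on, run in Python over constructed sample data. The byte signatures, the mail log, the per-hour threshold and the FTP command sequence are all assumed for illustration, and the FTP state machine is simplified to the login states the text describes.

```python
import re
from collections import Counter

# Added example (not from the notes): signature matching, threshold-based
# anomaly detection and stateful protocol analysis over constructed data.

# 1. Signature-based: byte patterns looked for in a payload (assumed patterns).
SIGNATURES = {
    "windows-command-shell": b"cmd.exe /c",
    "double-extension-attachment": b'filename="invoice.pdf.exe"',
}

def signature_scan(payload):
    """Return the names of every signature whose byte pattern occurs in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]

# 2. Anomaly-based: per-account e-mail volume per hour against a threshold.
# Constructed log: bob sends 120 messages in one hour, alice sends two in total.
MAIL_LOG = "\n".join(
    [f"2024-03-01T10:{m:02d}:00 from=bob@example.com to=u{m}@example.net" for m in range(60)]
    + [f"2024-03-01T10:{m:02d}:30 from=bob@example.com to=v{m}@example.net" for m in range(60)]
    + ["2024-03-01T10:15:00 from=alice@example.com to=carol@example.net",
       "2024-03-01T11:40:00 from=alice@example.com to=dave@example.net"]
)
LOG_LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d):\d\d:\d\d from=(\S+)")

def anomaly_scan(log, per_hour_threshold):
    """Return accounts that sent more than the threshold in any one-hour bucket."""
    counts = Counter()
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if m:
            hour, account = m.groups()
            counts[(account, hour)] += 1
    return sorted({acct for (acct, _), n in counts.items() if n > per_hour_threshold})

# 3. Stateful protocol analysis: which FTP commands are legal in which state.
FTP_ALLOWED = {
    "need-user": {"USER", "QUIT"},
    "need-pass": {"PASS", "QUIT"},
    "logged-in": {"LIST", "RETR", "STOR", "CWD", "PWD", "DELE", "QUIT"},
}

def ftp_stateful_check(commands):
    """Walk a command sequence through the FTP login state machine; return violations."""
    state = "need-user"
    violations = []
    for index, line in enumerate(commands):
        verb = line.split()[0].upper()
        if verb not in FTP_ALLOWED[state]:
            violations.append((index, line, state))   # command out of state
            continue
        if verb == "USER":
            state = "need-pass"
        elif verb == "PASS":
            state = "logged-in"   # simplification: the server accepts the password
    return violations

if __name__ == "__main__":
    print(signature_scan(b"GET /search?q=cmd.exe /c whoami HTTP/1.1"))
    print(anomaly_scan(MAIL_LOG, 100))
    print(ftp_stateful_check(["USER bob", "RETR secret.txt", "PASS hunter2", "RETR secret.txt"]))
```

The three functions fail in different ways, which is why real systems combine them: the signature scan misses a command shell spelled with different casing, the anomaly scan flags any legitimate bulk mailing above the threshold, and the protocol check says nothing about what is inside a file that a logged-in user legitimately retrieves.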

5: Host-Based vs Network-Based Intrusion Detection System (IDS)
What Is a Host-Based IDS?
A host-based IDS is a type of IDS that monitors a single device for suspicious
or malicious activity: its processes, files, logs and configuration, and the
network traffic that enters or leaves that device. It is installed locally on
endpoints such as servers and workstations. You can install a host-based IDS on
your computer; after configuring it, it will monitor the computer on which it
is installed and the traffic reaching that computer, but not the rest of your
business's network.

What Is a Network-Based IDS?

A network-based IDS is a type of IDS that exclusively monitors network traffic.
Most IDSs can be classified as either host-based or network-based.
Network-based IDSs live up to their name: they monitor network traffic and do
not monitor the computers or devices themselves. They scan data packets, often
from a mirror port or a network tap, checking them for signs of suspicious or
malicious activity.

Differences Between Host-Based and Network-Based IDSs
Host-based IDSs and network-based IDSs are both capable of identifying cyber
threats, but they are two different types of IDS. Network-based IDSs are more
commonly deployed at the network perimeter, because one sensor covers many
hosts; host-based IDSs are deployed on the hosts themselves.
Both types can detect suspicious or malicious activity in network traffic (a
host-based IDS only for the traffic of its own host). Only host-based IDSs,
though, can also monitor what happens on the computer itself, including
activity in encrypted traffic after the host has decrypted it and attacks that
never cross the network. For greater protection, the two are best used
together.
Network-based IDSs, on the other hand, are typically easier to set up: you
install one sensor at a point through which the traffic passes. Installing a
host-based IDS requires an agent on every monitored host and a bit more work.
If this is your first time using an IDS, you may want to start with a
network-based IDS for this reason.
In Conclusion
You shouldn't assume that all IDSs are the same. There are host-based IDSs and
there are network-based IDSs. Host-based IDSs are designed to monitor a host
and its own traffic, whereas network-based IDSs are designed to monitor network
traffic only. There are other nuances between these IDSs, so you should learn
the differences between them to determine which IDS type, or which combination,
is right for your business's cybersecurity needs.

What are network-based and host-based IDSs and IPSs?
A network-based IPS or IDS is a device or software application that scans
traffic passing through the network. A host-based IPS or IDS is a piece of
software installed directly onto a device that scans that computer for
malicious behaviour.
What is a network-based intrusion prevention system?

A network-based intrusion prevention system (NIPS) is installed at strategic
points to monitor all network traffic and scan for threats. A host intrusion
prevention system (HIPS) is installed on an endpoint and looks at the
inbound/outbound traffic of that machine only.

6: Web Filtering
Web Filtering definition
Web filtering software is used to control which websites an end user is able to
access. It compares the requested content and its source against a set of rules
in order to decide whether or not to allow it.

Internet content such as spyware, viruses, and material deemed improper for the
workplace can be blocked by implementing a web filtering policy for an
organization. Filtering unsuitable content from the internet can help employees
work more efficiently, limit legal exposure, and safeguard a company's network
from outside attacks.
In addition to its primary filtering function, a web filtering system may
include many additional features. Notable ones include the ability to report on
traffic, soft blocking that shows a warning before denying access, and an
override feature that lets administrators unblock a web page.

How does it work?

Hardware or software content filters are commonly part of a firewall. Content
filtering can also refer to a company's network-wide acceptable-use rules for
its information systems. Office internet content filters block distractions
such as social channels, and web content filtering sets the rules and patterns
that identify hazardous sites.
The content filter uses established rules to sort sites, by features such as
objects in images or text strings such as keywords, into categories like adult,
gambling, gaming, sports and so on. Sites that match a blocked category are
blocked and flagged as undesirable.
Web content screening can protect children from unsuitable content, but
filtering in the workplace is also becoming vital. DNS filtering blocks sites
by refusing to resolve their domain names (or by answering with a sinkhole
address), so that the client never reaches the site's IP address. Such sites
include productivity drains like social media, gambling and pornographic
content, as well as sites known to serve malware.
The Importance of Web Filtering
It is a great tool for anyone worried about using the internet securely, as it
can block access to malicious sites and other threats. Employees' online
activity can be supervised and filtered to enforce IT policies and avoid data
leaks.
Any breach of a company's privacy, no matter how minor, will have negative
consequences. In the United States, CIPA (the Children's Internet Protection
Act) mandates filtering for schools and libraries that receive certain federal
funding, on pain of losing those funds.
Web filters can block access to harmful websites that could infect a user's
machine with malware. Even at a micro level, web categorization lets
organizations keep employees from reaching distracting or otherwise
inappropriate sites.

Web Filtering Types


Web filtering serves several purposes, but solutions differ in how they determine what
material is allowed. Web filters can be described as:

• Allow Listing
An allow list names the sites a person, machine, or application may visit. Any web
traffic to an unlisted destination is discarded, which restricts site access.

• Block Listing
Block lists are the opposite of allow lists: they name forbidden sites instead of
allowed ones. A block list checks all traffic and drops traffic to destinations on the
list. This method is used to stop phishing sites, drive-by malware downloads, and
objectionable material.

• Content Filtering
This approach allows or blocks traffic based on a web page's content. An organization
can, for example, filter explicit material online; if the policy is breached, the site is
blocked. This filtering method lets a company block malicious or unacceptable sites that
are not yet known.
URL filtering systems implement their rules differently depending on the filter type and
where it sits. These processing techniques are applied in several ways:

• DNS Filtering
DNS is the Internet's phone book, translating domain names like google.com into the IP
addresses computers use to route data. DNS filtering permits or refuses DNS requests
based on policy.

• URL Filtering
URLs are web page addresses. URL filtering inspects the URL of each web request and
decides, based on policy, whether it is allowed.

• Content Filtering
This analyzes a web page's content and blocks responses that violate policy, typically
as part of a cloud-based web filtering service.
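The allow-list, block-list, DNS, URL and content filtering techniques listed above, combined into one small policy engine so their order of evaluation and their different visibility into a request can be seen. This is an added example, not code from the notes; every domain, URL prefix, keyword category and sample request in it is constructed.

```python
"""Toy web filter (added example) applying the policy types from the notes:
allow listing, block listing, DNS (domain) filtering, URL filtering and
content filtering. All rules and requests below are constructed."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Request:
    url: str
    body: str = ""   # page text; only a content filter on the response path sees it


# Constructed policy. A domain rule also covers its subdomains, as a DNS
# filter would, since www.phish.example is resolved through phish.example.
ALLOW_DOMAINS = {"intranet.example"}
BLOCK_DOMAINS = {"phish.example"}
BLOCK_URL_PREFIXES = ("/casino", "/download/exe")
CONTENT_CATEGORIES = {"gambling": {"poker", "roulette"}, "adult": {"xxx"}}
BLOCKED_CATEGORIES = {"gambling", "adult"}


def domain_matches(host: str, domains: set) -> bool:
    """DNS-style match: 'phish.example' also matches 'www.phish.example'."""
    return any(host == d or host.endswith("." + d) for d in domains)


def categorize(text: str) -> set:
    """Content filtering: map keywords found in the page text to categories."""
    words = set(text.lower().split())
    return {cat for cat, kws in CONTENT_CATEGORIES.items() if words & kws}


def decide(req: Request, mode: str = "blocklist") -> tuple:
    """Return (allowed, reason) for one request under the chosen mode.
    Note: for TLS traffic a network filter sees only the host name, so the
    DNS check still works while the URL and content checks need the page."""
    parsed = urlparse(req.url)
    host = parsed.hostname or ""
    if mode == "allowlist":                 # unlisted destinations are discarded
        ok = domain_matches(host, ALLOW_DOMAINS)
        return ok, ("allow-list" if ok else "not-on-allow-list")
    if domain_matches(host, BLOCK_DOMAINS):         # DNS filtering
        return False, "dns-block"
    if parsed.path.startswith(BLOCK_URL_PREFIXES):  # URL filtering
        return False, "url-block"
    hit = categorize(req.body) & BLOCKED_CATEGORIES  # content filtering
    if hit:
        return False, "content:" + ",".join(sorted(hit))
    return True, "default-allow"
```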

Benefits of Web Filtering


It can help your institution in several ways.

1. Reducing Malware Infection


You can defend your data and users before harmful payloads arrive by restricting
access to known malicious sites. Web filtering reduces malware alerts and endpoint
maintenance.
Current URL filtering technologies effectively block harmful applications. Firewalls
with online URL filtering can examine web pages for hazards in addition to blocking
domains.

2. Protecting Minors from Unwanted Content


URL content filtering protects minors from pornographic and violent material, which is
its main value. In today's fast-paced world, parents may not always be present to
monitor their children's browsing or know every site to block. URL filtering in a
firewall gives comprehensive control over what is accessible without relying on
per-user or administrative rules.

3. Protection From Exploit-Kits


As network security improves, hackers are finding new ways to break in. Exploit kits
take advantage of web browser vulnerabilities, often via browser extensions and plugins.
Mistakenly visiting a malicious site can trigger an exploit kit that exploits browser or
operating system vulnerabilities, allowing attackers to download malware, hijack
sessions and credentials, and more. Content filters can detect exploit kits and prevent
payload downloads.

4. Improving Staff Productivity


Social media is a tremendous time-waster and productivity killer, and restricting it
boosts productivity, although several sectors do need social media expertise. In those
industries, online shopping and streaming sites are the productivity drain instead, and
there is no reason for employees to watch movies while working. In addition to blocking
distracting websites, it is important to avoid downloading malicious files, opening
strange emails, and responding to unknown contacts.

5. Network Bandwidth Efficiency


Non-work internet use drains network bandwidth. Limiting these sites improves
network bandwidth efficiency and speeds. To achieve network bandwidth efficiency,
you might educate your employees on the benefits of a continuously fast network or
place restrictions on bandwidth-hogging video streaming websites like YouTube.

6. Regulatory Compliance

Monitoring worker web usage helps prevent internet-related mishaps. Posting hateful,
bigoted, or obscene content on blogs or social media, cyberbullying, or downloading
copyright-protected material could result in liability. With the world becoming so polarized,
you must always defend your firm and brand by carefully controlling the information you and
your workers let in or send out.

7: Security Incident Response Team


What is the security incident response team?
Definition: Group of individuals usually consisting of Security Analysts organized to
develop, recommend, and coordinate immediate mitigation actions for containment,
eradication, and recovery resulting from computer security incidents.
Types of CSIRT
Distributed CSIRT
A distributed CSIRT unit consists of several independent teams collaborating
and sharing incident response responsibilities. It is typically managed by a
coordinating team that distributes responsibilities and resources according to
the unique needs of each project.

Coordinating CSIRT
A coordinating CSIRT manages other, typically subordinate CSIRT units,
coordinating incident response activities, workflows, and information flow
among distributed teams. Typically, a coordinating CSIRT does not provide
independent incident response services. Rather, it ensures resources and
activities are effectively distributed between disparate teams.

Hybrid CSIRT
A hybrid CSIRT consists of a centralized full-time unit and distributed units
employing subject matter experts (SMEs). Typically, SMEs participate in incident
response activities ad-hoc—as needed during specific events. This model
employs a central CSIRT unit to detect a potential event and analyze it to
determine the appropriate response. Next, the relevant distributed CSIRT
experts are asked to assist in incident response activities.

CSIRT/SOC Hybrid
A CSIRT/SOC Hybrid model puts the security operations center (SOC)
responsible for receiving all security alerts, reports, and alarms that indicate
potential incidents. The CSIRT is activated only if the SOC requires help with
additional analysis. The SOC performs incident detection and passes incidents
to the CSIRT, acting as a front end for the CSIRT.

Outsourced CSIRT
An outsourced CSIRT helps organizations that lack the staff or resources
required to build an in-house incident response team. This model typically
supplements an internal team with external contractors or outsources CSIRT
services and tasks on-demand, like digital forensics.

What is the importance of incident response?


Incident response (IR) is the process by which an organization handles a data
breach or cyberattack. It is an effort to quickly identify an attack, minimize its effects,
contain damage, and remediate the cause to reduce the risk of future incidents.

What is the main function of the security incident response team?


The CSIRT is responsible for identifying and controlling the incidents, notifying
designated CSIRT responders, and reporting findings to management.
Advantages
They may assist in identifying vulnerabilities in the organization's
systems and providing recommendations for improving security
posture. The incident response team is responsible for coordinating
and executing the organization's response to security incidents.

8: Honeypot

What is Honeypot?
A honeypot is a network-attached system used as a trap for cyber-attackers, so that
defenders can detect and study the tricks and types of attacks hackers use. It acts as a
plausible target on the internet and informs defenders of any unauthorized attempt to
reach the information system.
Honeypots are mostly used by large companies and organizations involved in
cybersecurity. They help cybersecurity researchers learn about the different types of
attacks used by attackers. It is suspected that even cybercriminals use honeypots to
decoy researchers and spread misinformation.
The cost of a honeypot is generally high because it requires specialized skills and
resources to build a system that appears to expose an organization's resources while
still preventing attacks from reaching the back end or any production system.
A honeynet is a combination of two or more honeypots on a network.
Types of Honeypot:

Honeypots are classified based on their deployment and the involvement of the intruder.
Based on their deployment, honeypots are divided into:
1. Research honeypots: These are used by researchers to analyze
hacker attacks and develop different ways to prevent these
attacks.
2. Production honeypots: Production honeypots are deployed in
production networks alongside the real servers. These honeypots act
as a front-end trap for attackers, containing false information and
giving administrators time to fix any vulnerability in the actual
system.
Based on interaction, honeypots are classified into:
1. Low interaction honeypots: Low interaction honeypots give the
hacker very little insight into, and control over, the network. They
simulate only the services that attackers request most frequently.
The main operating system is not involved in a low interaction
system, so it is less risky. They require very few resources and are
easy to deploy. Their only disadvantage is that experienced hackers
can easily identify these honeypots and avoid them.
2. Medium interaction honeypots: Medium interaction honeypots
allow the hacker more activity than low interaction honeypots. They
anticipate certain activities and are designed to give responses
beyond what a low-interaction honeypot would give.
3. High interaction honeypots: A high interaction honeypot offers a
large number of services and activities to the hacker, wasting the
hacker's time while trying to gather complete information about
them. These honeypots involve a real operating system and are
therefore comparatively risky if a hacker identifies the honeypot.
High interaction honeypots are also very costly and complex to
implement, but they provide extensive information about hackers.
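A minimal low-interaction honeypot of the kind described above: it emulates only a fake login prompt, involves no real operating-system service, never grants access, and records every attempt as a structured event a defender can forward to a SIEM. This is an added example, not code from the notes; the listen address, banner and the "user:password" line format are assumptions.

```python
"""Minimal low-interaction honeypot (added example): emulates only a fake
login prompt, never grants access, and logs every attempt as JSON."""
import json
import socketserver
from datetime import datetime, timezone

BANNER = b"login: "           # constructed banner of the emulated service
LISTEN = ("127.0.0.1", 2323)  # assumed; a real deployment uses an exposed port


def parse_attempt(raw: bytes) -> tuple:
    """Split one 'user:password' line sent by the client (constructed format)."""
    text = raw.decode("utf-8", errors="replace").strip()
    user, _, password = text.partition(":")
    return user, password


def record_event(src_ip: str, src_port: int, raw: bytes) -> dict:
    """Build the record defenders want: who, when, and what was tried.
    No code path ever sets granted=True; a honeypot only observes."""
    user, password = parse_attempt(raw)
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src": f"{src_ip}:{src_port}",
        "user": user,
        "password": password,   # attacker-supplied; useful research data
        "granted": False,
    }


class FakeLoginHandler(socketserver.StreamRequestHandler):
    """One client session: send the banner, read one line, log it, refuse."""

    def handle(self):
        self.wfile.write(BANNER)
        line = self.rfile.readline(256)   # cap input; nothing is executed
        if line:
            event = record_event(self.client_address[0],
                                 self.client_address[1], line)
            print(json.dumps(event))      # forward to a SIEM in practice
        self.wfile.write(b"Login incorrect\n")


if __name__ == "__main__":
    # Any connection here is suspicious by definition: no legitimate user
    # has a reason to reach this service, so every event is worth alerting on.
    with socketserver.TCPServer(LISTEN, FakeLoginHandler) as server:
        server.serve_forever()
```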

Advantages of honeypot:

1. Acts as a rich source of information and helps collect real-time data.
2. Identifies malicious activity even if encryption is used.
3. Wastes hackers’ time and resources.
4. Improves security.

Disadvantages of honeypot:

1. Being distinguishable from production systems, it can be easily identified by
experienced attackers.
2. Having a narrow field of view, it can only identify direct attacks.
3. A honeypot once attacked can be used to attack other systems.
4. Fingerprinting (an attacker can identify the true identity of a honeypot).
