Chapter 7

Chapter seven discusses system security, including Windows Security, operating system security, and the basics of system security such as confidentiality, integrity, and availability. It also covers various types of malware, threats, and attacks, as well as application security and the importance of securing APIs. Additionally, it explains boot loader security, TCP wrappers, iptables firewall configurations, and the concept of packet filtering firewalls.

Uploaded by atinasianegash

Chapter Seven

7. System security

System security encompasses a set of practices and measures designed to protect computer
systems, networks, and data from unauthorized access, misuse, and potential threats. Let’s
explore different aspects of system security:

1. Windows Security:

o In the Windows operating system, Windows Security is the built-in antivirus and
security suite.

o It provides essential protection against malware, viruses, and other threats.

o When you get a new Windows 10 device, the antivirus protection that comes
pre-installed is your default security app. However, you can use Windows
Security instead.

o To use Windows Security, uninstall other antivirus programs, and it will
automatically turn on. You may need to restart your device.

2. Operating System Security:

o Windows 11 and Windows 10 offer fundamental chip-to-cloud protection for your
system and information.

o Key features include:

 Virus and Threat Protection: Guarding against malicious software.

 Network Security: Protecting network communication.

 Encryption and Data Protection: Safeguarding sensitive data.

 Security and Privacy: Ensuring privacy settings are robust.

3. Basics of System Security:

o Confidentiality: Keeping information private and accessible only to authorized
users.

o Integrity: Ensuring data remains accurate and unaltered.

o Availability: Making sure systems and services are available when needed.

o Security requirements are commonly rated at three levels (low, medium, high),
whether for an individual or for an organization.

o Threats and Attacks: Understanding various threats (e.g., malware, phishing) and
how they compromise system security.

Malware, short for malicious software, refers to any intrusive software developed by
cybercriminals (often called hackers) to steal data and damage or destroy computers and
computer systems. Common examples of malware include:
1. Viruses: These malicious programs attach themselves to legitimate files and spread when
those files are executed. Viruses can corrupt or delete data and disrupt system operations.
2. Worms: Worms are self-replicating programs that spread across networks without user
intervention. They exploit vulnerabilities to infect other devices.
3. Trojan Viruses (Trojans): Disguised as legitimate software, Trojans trick users into
installing them. Once inside, they can steal sensitive information, create backdoors, or
launch attacks.
4. Spyware: Spyware secretly monitors a user’s activities, capturing keystrokes, browsing
history, and personal information. It often aims to steal sensitive data.
5. Adware: Adware displays unwanted advertisements, often in the form of pop-ups. While
not as harmful as other malware, it can be annoying and intrusive.
6. Ransomware: Ransomware encrypts files on a victim’s system, rendering them
inaccessible. The attacker demands a ransom for decryption.

Malware can infiltrate devices without users’ knowledge, causing damage, privacy breaches, and
financial losses. Protecting against malware involves using security software, keeping systems
updated, and practicing safe online behavior.

Threats and attacks are two crucial concepts in the realm of security. Let’s delve into their
meanings and differences:
1. Threats:
o A threat refers to a potential security violation that might exploit the vulnerability of a
system or asset.
o These threats can originate from various sources, including accidental events,
environmental factors (such as natural disasters), human negligence, or human failures.
o Different types of security threats include:
 Interruption: Disrupting the normal functioning of a system or service.
 Interception: Unauthorized access to sensitive information during transmission.
 Fabrication: Creating or altering data to deceive or cause harm.
 Modification: Unauthorized changes to data or system configurations.
o There are different categories of threats:
 Unstructured Threats: Typically executed by inexperienced individuals using
readily available hacking tools. Even if executed for testing purposes, they can cause
significant damage to a company.
 Structured Threats: Involve organized attempts to breach specific networks or
organizations. These threats come from highly motivated and technically proficient
hackers.
 External Threats: Originate from individuals or organizations external to a company.
They gain unauthorized access to computer systems and networks, often via the
Internet or dial-up connections.
 Internal Threats: Arise due to authorized network access, whether through server
accounts or physical access within the organization.
2. Attacks:
o An attack is a deliberate unauthorized action taken against a system or asset.
o Attacks can be classified into two main types:
 Active Attacks: Aim to manipulate system resources or impact their operation.
Examples include altering data, disrupting services, or gaining unauthorized access.
 Passive Attacks: Aim to extract sensitive information from a system without directly
affecting its resources. These attacks focus on eavesdropping or monitoring.

o Primary classes of attacks include:

 Reconnaissance: Gathering information about a target system or network.


 Denial of Service (DoS) and Distributed Denial of Service (DDoS): Overwhelming
system resources to the point where it cannot respond to legitimate service requests.
 Worms, Viruses, and Trojan Horses: Malicious software that can infiltrate and
harm systems.

In summary, a threat represents a potential risk, while an attack is the intentional act that causes
actual damage to a system or asset.

o Viruses: Malicious software that can infect files and spread.

o Breaches: Unauthorized access to sensitive data or systems.

Remember, maintaining robust system security is crucial to protect your digital assets and
maintain a safe computing environment.

7.1. Overview of application security and login security

Let’s delve into an overview of application security and explore its significance:

1. What is Application Security?

o Application security aims to protect software application code and data against cyber
threats. It involves safeguarding applications during all phases of development, including
design, development, and deployment.

o Here are some key practices to promote application security throughout the software
development lifecycle (SDLC):

 Introduce security standards and tools during design and development phases.

 Implement security procedures and systems to protect applications in production environments.

 Use strong authentication for sensitive or mission-critical applications.

 Employ security systems like firewalls, web application firewalls (WAF), and intrusion
prevention systems (IPS).

2. Web Application Security:


o Web applications run on web servers and are accessible via the Internet. They often handle
sensitive customer data.

o Despite improvements (such as HTTPS), web applications remain vulnerable. The OWASP
Top 10 lists common vulnerabilities.

o Solutions like web application firewalls (WAF) help detect and block application-layer attacks.

3. API Security:

o APIs (Application Programming Interfaces) are crucial for modern microservices
applications. They allow data sharing and access to software functionality.

o Insecure APIs can lead to major data breaches and business disruptions.

o Common API security weaknesses include weak authentication, data exposure, and lack of
rate limiting.

o Specialized tools exist to identify vulnerabilities in APIs and secure them in production.

Remember, robust application security is essential to protect against cyber threats and maintain
the integrity of your software systems!

7.2. Boot loader security (LILO and GRUB)

Let’s delve into the differences between LILO and GRUB boot loaders:

1. LILO (Linux Loader):

o Interface and Simplicity:

 LILO has a simpler interface and is easier to understand.

o Bootstrap Process:

 During the bootstrap process, LILO locates the kernel by essentially pointing to
the first logical sector of the kernel file.

o Functionality:

 LILO only supports Linux as an operating system.


 It loads itself into a space that fits on the Master Boot Record (MBR).

o Advantages:

 Simplicity and straightforwardness.

 Robustness (still used by some distributions like Slackware).

2. GRUB (GRand Unified Bootloader):

o Feature-Rich and Complex:

 GRUB is more feature-rich and handles odd configurations better.

 It has an interactive command interface.

o Bootstrap Process:

 GRUB is more filesystem-aware and can locate a kernel file without specifying a
logical sector.

 It has two stages: stage 1 (usually loaded from the MBR) and stage 2 (loaded
from /boot along with its configuration).

o Functionality:

 GRUB supports a wide range of operating systems, including Windows, Linux,
UNIX, macOS, BSD, and Solaris.

 It can even boot from a network.

o Advantages:

 Flexibility and adaptability.

 Handles edge cases better.

In summary, while LILO is straightforward and robust, GRUB offers more features and broader
OS support. Most modern systems use GRUB due to its versatility and reliability.

7.3. TCP wrappers configuration

Let’s explore TCP Wrappers and their configuration:

1. What Are TCP Wrappers?

o TCP Wrappers are a set of tools that control access to network services based on
the client’s IP address or hostname.

o They act as a protective layer, allowing or denying connections to services based
on predefined rules.

2. Configuration Files:

o TCP Wrappers reference two files, commonly known as hosts access files:

 /etc/hosts.allow: Contains rules specifying which clients are allowed to connect
to specific services.

 /etc/hosts.deny: Contains rules specifying which clients are denied access to services.

o When a TCP-wrapped service receives a client request, it follows these steps:

 It checks /etc/hosts.allow sequentially for a matching rule. If found, it allows the connection.

 If no match is found in hosts.allow, it checks /etc/hosts.deny. If a matching rule
exists, it denies the connection.

 If neither file contains a rule for the service, access is granted.

3. Important Points:

o Rules in hosts.allow take precedence over those in hosts.deny.

o Rules are read from top to bottom, and the first matching rule for a service is applied.

o If no rules exist for a service in either file, access is granted.

o Changes to these files take effect immediately without restarting network services.

o Ensure that the last line of each file ends with a newline character to avoid errors.

4. Formatting Access Rules:

o Both hosts.allow and hosts.deny follow the same format:


 Each rule must be on its own line.

 Blank lines or lines starting with a hash (#) are ignored.

 Basic rule format: <daemon list> : <client list> [: <options>]

 <daemon list>: Comma-separated process names (not service names) or the ALL wildcard.

 <client list>: Comma-separated hostnames, IP addresses, special patterns, or wildcards.

 Operators such as EXCEPT can be used for flexibility.

Remember that TCP Wrappers provide an additional layer of security for network
services. Properly configuring these files helps control access effectively.
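To make the lookup order and the rule format above concrete, here is an added example (not code from the page and not part of TCP Wrappers itself) that re-implements the decision procedure over two constructed hosts access files: hosts.allow is searched first, then hosts.deny, and a request matched by neither is granted. It supports the ALL wildcard, exact addresses and hostnames, the trailing-dot IP prefix and leading-dot domain suffix patterns, the net/mask form, and the EXCEPT operator; the optional third field (options such as spawn or twist) is ignored, and the sample addresses, daemon names and hostnames are constructed for the demonstration.

```python
"""Simulator of the TCP Wrappers hosts_access decision (hosts.allow, then hosts.deny).

Added example: it re-implements the documented lookup order and a subset of the
rule grammar so the decision can be checked offline. Real hosts_access also knows
KNOWN, UNKNOWN, LOCAL, PARANOID and @netgroup patterns, which are omitted here."""
import ipaddress

# Constructed sample files, not copied from any real host.
HOSTS_ALLOW = """\
# sshd reachable from the office LAN and one admin box
sshd : 192.168.1.0/255.255.255.0, 10.0.0.7
# vsftpd for the whole .example.com domain, except one host
vsftpd : .example.com EXCEPT bad.example.com
"""

HOSTS_DENY = """\
# default-deny for every wrapped daemon
ALL : ALL
"""


def parse_rules(text):
    """Return (daemon_list, client_list_text) per rule; blank lines and '#' comments are skipped.

    Splitting on ':' assumes IPv4 literals only; the options field, if any, is dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = [d.strip() for d in fields[0].split(",")]
        rules.append((daemons, fields[1]))
    return rules


def _match_pattern(pattern, ip, hostname):
    """One client pattern, following the hosts_access(5) conventions."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # leading dot: hostname suffix
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):              # trailing dot: address prefix
        return ip.startswith(pattern)
    if "/" in pattern:                     # net/mask form
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern == ip or pattern == hostname


def _match_list(list_text, ip, hostname):
    """Comma-separated patterns; 'A EXCEPT B' matches A unless B also matches."""
    if " EXCEPT " in list_text:
        included, excluded = list_text.split(" EXCEPT ", 1)
        return _match_list(included, ip, hostname) and not _match_list(excluded, ip, hostname)
    return any(_match_pattern(p.strip(), ip, hostname) for p in list_text.split(","))


def hosts_access(daemon, ip, hostname=None, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """'allow' or 'deny': first match in hosts.allow allows, else first match in
    hosts.deny denies, else access is granted."""
    def first_match(rules):
        for daemons, clients in rules:
            if (daemon in daemons or "ALL" in daemons) and _match_list(clients, ip, hostname):
                return True
        return False

    if first_match(parse_rules(allow_text)):
        return "allow"
    if first_match(parse_rules(deny_text)):
        return "deny"
    return "allow"
```

Calling `hosts_access("in.telnetd", "192.168.1.25")` returns "deny" because the ALL : ALL line in hosts.deny catches every daemon that hosts.allow does not mention, while the same call with an empty deny file returns "allow", which is the "no rules in either file" case the section warns about.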

7.4. iptables firewalling: preliminaries

Let’s dive into the preliminaries of iptables firewalling:

1. What Is Iptables?

o Iptables is a powerful firewall program for Linux.

o It monitors network traffic to and from your server using tables.

o Each table contains chains, which are ordered lists of rules that filter incoming and
outgoing data packets.

2. How Iptables Works:

o Network traffic consists of packets.

o Iptables identifies these packets and then applies a set of rules to decide what to
do with them.

o Key components:

 Tables: Group related rules by purpose. Each table contains several chains.

 Chains: Ordered lists of rules. When a packet arrives, iptables processes it
through the chain until it finds a match.


 Rules: Statements that dictate how to handle packets (e.g., block, forward,
or accept).

 Targets: Decisions on what to do with a packet (accept, drop, or reject).

3. Default Tables in Iptables:

o Filter Table:

 Most frequently used. Acts as a bouncer for network traffic.

 Default chains:

 Input: Controls packets received by the server.

 Output: Manages outbound traffic.

 Forward: Governs routed packets.

o Network Address Translation (NAT) Table:

 Contains rules for altering packet destinations or sources.

 Chains:

 Prerouting: Processes packets as soon as they arrive, before routing.

 Output: Similar to the output chain in the filter table.

 Postrouting: Allows changes to packets after leaving the output
chain.

o Mangle Table:

 Adjusts IP header properties.

 Chains: Prerouting, Postrouting, Output, Input, Forward.

o Raw Table:

 Exempts packets from connection tracking.


Remember, iptables provides essential security for your server workloads. Proper configuration
is crucial to safeguard against cyber attacks.

7.5. Iptables scenarios

Let’s explore some scenarios related to iptables, the powerful firewall for Linux:

1. Filtering Network Traffic:

o Imagine you want to allow incoming SSH connections (port 22) but block all
other traffic. You can achieve this using iptables rules:

    # Allow SSH (port 22)
    sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    # Block everything else
    sudo iptables -A INPUT -j DROP

o This ensures that only SSH traffic is allowed, and all other packets are dropped.

2. Port Forwarding with NAT:

o Suppose you have an internal web server (port 80) that you want to expose to the
internet. You can use NAT to forward external requests to your server:

    # Enable IP forwarding in the kernel
    sudo sysctl net.ipv4.ip_forward=1
    # Set up port forwarding (external port 8080 to internal port 80)
    sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination <internal_IP>:80
    # Let the forwarded packets pass the FORWARD chain
    sudo iptables -A FORWARD -p tcp --dport 80 -d <internal_IP> -j ACCEPT

3. Rate Limiting:

o To prevent abuse or DoS attacks, you can limit the rate of incoming connections:

    # Allow only 5 new SSH connections per minute
    sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 5/min -j ACCEPT
    # Drop new SSH connections that exceed the limit
    sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP

4. Logging Dropped Packets:

o Sometimes it’s useful to log dropped packets for troubleshooting:

    # Log dropped packets (before the DROP rule)
    sudo iptables -A INPUT -j LOG --log-prefix "Dropped packet: "

Remember that iptables provides fine-grained control over network traffic. Always test your
rules thoroughly and consider security implications when configuring your firewall.
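The chain, rule and target model from 7.4 and scenarios 1, 3 and 4 above can be exercised without root or a kernel. The following is an added example, not code from the page or from the netfilter project: a small Python model of an INPUT chain in which rules are tried in order, ACCEPT and DROP terminate processing, LOG does not, and the limit match is a token bucket refilled at the configured rate with the default burst of 5. The conntrack state of each packet (NEW, ESTABLISHED, RELATED) is assumed to be already attached, as the real connection tracker would do; it is not computed here. The model shows two things a practitioner wants to check before deploying scenario 1: with only "accept port 22, drop the rest", replies to the server's own outbound connections are dropped unless an ESTABLISHED,RELATED rule precedes the DROP, and a LOG rule appended after the final DROP is never reached.

```python
"""Toy model of an iptables INPUT chain: ordered rules, terminating (ACCEPT, DROP)
and non-terminating (LOG) targets, the conntrack state match and the limit match.
Added example; it mirrors the scenarios on this page so their ordering can be
checked offline. It is not netfilter code and ignores tables other than filter."""
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int]        # destination port (None for icmp)
    ctstate: str                # "NEW", "ESTABLISHED" or "RELATED" (assumed: label conntrack attached)
    time: float = 0.0           # arrival time in seconds, consumed by the limit match


class Limit:
    """Token bucket behind '-m limit --limit N/min --limit-burst B' (B defaults to 5)."""

    def __init__(self, per_minute: int, burst: int = 5):
        self.per_minute, self.burst = per_minute, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        # refill in proportion to elapsed time, capped at the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.per_minute / 60.0)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Rule:
    target: str                          # ACCEPT, DROP or LOG
    proto: Optional[str] = None          # -p
    dport: Optional[int] = None          # --dport
    ctstate: Optional[Set[str]] = None   # -m conntrack --ctstate
    limit: Optional[Limit] = None        # -m limit
    log_prefix: str = ""                 # --log-prefix

    def matches(self, pkt: Packet) -> bool:
        # short-circuit order matters: the limit bucket is charged only when the
        # earlier matches succeeded, as in iptables
        return ((self.proto is None or pkt.proto == self.proto)
                and (self.dport is None or pkt.dport == self.dport)
                and (self.ctstate is None or pkt.ctstate in self.ctstate)
                and (self.limit is None or self.limit.allow(pkt.time)))


class Chain:
    """First matching terminating rule decides; otherwise the chain policy applies."""

    def __init__(self, policy: str = "ACCEPT"):
        self.rules, self.policy, self.log = [], policy, []

    def append(self, rule: Rule) -> None:     # same as iptables -A
        self.rules.append(rule)

    def process(self, pkt: Packet) -> str:
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.target == "LOG":          # non-terminating: record, then keep going
                self.log.append(f"{rule.log_prefix}proto={pkt.proto} dport={pkt.dport}")
                continue
            return rule.target
        return self.policy


def scenario_ssh_only() -> Chain:
    """Scenario 1 exactly as written: accept port 22, then DROP everything else."""
    chain = Chain()
    chain.append(Rule("ACCEPT", proto="tcp", dport=22))
    chain.append(Rule("DROP"))
    return chain


def scenario_ssh_only_stateful(log_before_drop: bool = True) -> Chain:
    """Scenario 1 plus an ESTABLISHED,RELATED rule so replies to the server's own
    outbound connections survive, and scenario 4's LOG rule either before the
    final DROP (correct) or after it (unreachable, to show the ordering pitfall)."""
    chain = Chain()
    chain.append(Rule("ACCEPT", ctstate={"ESTABLISHED", "RELATED"}))
    chain.append(Rule("ACCEPT", proto="tcp", dport=22))
    log_rule = Rule("LOG", log_prefix="Dropped packet: ")
    if log_before_drop:
        chain.append(log_rule)
    chain.append(Rule("DROP"))
    if not log_before_drop:
        chain.append(log_rule)              # never evaluated: DROP above is terminating
    return chain


def scenario_rate_limited_ssh(per_minute: int = 5) -> Chain:
    """Scenario 3: a burst of 5 NEW SSH connections, then one more every 12 seconds."""
    chain = Chain()
    chain.append(Rule("ACCEPT", proto="tcp", dport=22, ctstate={"NEW"}, limit=Limit(per_minute)))
    chain.append(Rule("DROP", proto="tcp", dport=22, ctstate={"NEW"}))
    return chain
```

Feeding a constructed reply packet such as `Packet("tcp", 51514, "ESTABLISHED")` to `scenario_ssh_only()` yields DROP, while `scenario_ssh_only_stateful()` yields ACCEPT; seven NEW SSH packets at time 0 through `scenario_rate_limited_ssh()` give five ACCEPTs and two DROPs, and one more is admitted once 12 seconds have passed.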

7.5.1. Packet filtering


What is Packet Filtering Firewall?

A packet filtering firewall is the most basic type of firewall that controls data flow to and from a
network. It is a network security solution that allows network packets to move across between
networks and controls their flow using a set of user-defined rules, IP addresses, ports, and
protocols. Packets are routed through the packet filtering firewall only if they match predefined
filtering rules; otherwise, they are declined.

The main benefits of packet filtering firewalls are that they are fast, cheap, and effective. The
static packet filter has no discernible influence on speed, and its low processing requirements
made it an appealing alternative from the start when compared to other firewalls that slowed
responsiveness. Higher-level firewalls, on the other hand, provide outstanding performance. The
security they provide, however, is rudimentary. They are unable to protect against malicious data
packets arriving from trusted source IPs because they lack the necessary packet inspection
capability. Also, because they are stateless, they are vulnerable to source routing and tiny
fragmentation attacks. Another disadvantage of packet filtering firewalls is the difficulty in
configuring and managing access control lists. Despite their shortcomings, packet filtering
firewalls paved the way for today's firewalls, which provide better and deeper security.

We will cover the following topics:

 How Does Packet Filtering Firewall Work?

 What is Packet Filtering Used For?

 What Are The Types Of Packet Filtering?

 What are the Advantages and Drawbacks of Packet Filtering Firewall?

 How much does a Packet Filtering Firewall Cost?

 What is Packet Filtering Firewall Example?

 Comparison of Packet Filtering Firewalls with other firewall types, such as Proxy
Firewalls, and Stateful Inspection Firewalls

How Does Packet Filtering Firewall Work?

On packet-switched networks, packets are structured data units. Because these networks break
down communications into little bits, or packets, and transport them independently across the
network, they can be fault-tolerant. Packets are reordered when they pass through the firewall
and arrive at their destination in order to show their information accurately. Packet switching,
when done effectively, maximizes network channel capacity, reduces transmission latency, and
improves communication efficacy. Two significant components can be found in packets:

 Headers: Packet headers are used to send data to the correct destination. They contain
elements of the internet protocol (IP), addressing, and any other information needed to
deliver the packets to their destination.

 Payloads: Within the packet, the payload is the user data. This is the data that is
attempting to reach its destination.

Packet filtering firewall permits or denies network packets based on the following specifications:


 Source IP address: The address from which the packet is being sent.
 Destination IP address: The destination address of the packet.

 Protocol: The session and application protocols that are used to transfer data (TCP, UDP,
ICMP).

 Ports: Source and destination ports, ICMP types, and codes.

 Flags: Flags in the TCP header, such as whether the packet is a connect request.

 Direction: Incoming or outgoing.

 Interface: Which physical interface (NIC) the packet is traversing.

It examines access control lists (ACLs) to separate packets based on upper-layer protocol ID,
source and destination port numbers, source and destination IP addresses, and packet
transmission route. The firewall looks for information in the IP, TCP, or UDP headers and then
decides whether to allow or block the packet based on the ACL. Also, after comparing the
information with the ACL, the firewall can allow fragment-type packets.

The packets' passing is totally dependent on the packet filtering firewall's choice. It filters
packets based on the security rules configured into the firewall. Firewall administrators create
packet filtering firewall rules to prevent packet transmission and only allow packets that match
specific IP addresses or ports. They can create rules that allow just packets intended for their IT
services to pass through while rejecting all others.

Figure 1. How packet filtering firewall works


What is Packet Filtering Used For?


Controlling and monitoring network data to assure its validity and compliance is a key role of
packet filtering firewalls. The performance of your systems may be improved, valuable assets
can be protected, and operations can flow smoothly if you have functional network security.

In most cases, packet filtering is an effective defense against attacks from computers outside of
an internal network (LAN). Packet filtering is considered a conventional and cost-effective
method of security because most routing devices have incorporated filtering capabilities.

Only packet filtering firewalls, and only when put in specific areas in your network, can provide
certain protections. It's strongly advised to reject all packets with internal source addresses - that
is, packets that pretend to be originating from internal machines but are actually coming in from
the outside - because such packets are frequently used in IP spoofing attacks. An attacker
pretends to be coming from an inside machine in such attacks. This type of decision can only be
made in a filtering firewall at the network's perimeter. Only a filtering firewall in the boundary
can recognize such a packet by examining the source IP address and determining whether the
packet originated on the internal network or on the external. This type of source address fraud is
depicted in Figure 2.

Figure 2. Blocking IP address spoofing attack by packet filtering firewall

Typically, packet-filtering firewalls are employed in the following scenarios:


 When security regulations may be fully applied in a packet filter without the need
for authentication: Packet-filtering firewalls can also be used to limit internal access
between subnets and departments when authentication isn't required. In this case, you're
concerned about restricting your users' access to specific internal resources; you're less
concerned about sophisticated hacking attempts.

 As the first line of defense: Many businesses utilize packet-filtering firewalls as their
first line of defense, with a fully functional firewall offering extra security.

 In SOHO networks with a low-security need and a limited budget: Packet-filtering
firewalls are used by many SOHO networks due to their ease of use and low cost when
compared to other types of firewalls. SOHOs are looking for basic security at an
affordable price. Packet-filtering firewalls do not provide total protection for SOHOs, but
they do give at least a basic level of defense against a wide range of cyberattacks.

What Are The Types of Packet Filtering?

There are four types of packet filtering listed below:

 Dynamic packet filtering firewall

 Static packet filtering firewall

 Stateless packet filtering firewall

 Stateful packet filtering firewall

We will briefly explain each type of packet filtering firewall in the following sections.

1. Dynamic Packet Filtering Firewall

This form of firewall is smarter because rules can be adjusted dynamically depending on the
situation, and ports are only open for a limited time before closing. Because administrators may
establish customizable parameters and automate certain procedures, dynamic packet filtering
firewalls are more flexible than static firewalls. Dynamic packet filtering is especially beneficial
for protocols that dynamically allocate ports, such as the File Transfer Protocol (FTP). If you
wish to give outside users secure access to an FTP server inside the company firewall, you need
to think about the following:

 The FTP server must keep Port 21 (the FTP control port) open at all times so that it may
"listen" for connection attempts from outside clients. This can be accomplished with a
static filtering rule.

 Only when data will be transferred to or downloaded from the FTP server should Port 20
(the FTP data port) be opened. With static filtering, this port would have to be left open
all the time, potentially opening the door to hacking efforts. This port can be opened at
the start of an FTP session and then closed at the end of the session thanks to dynamic
filtering.

 To create an FTP connection with the client, the FTP server assigns the client two port
numbers, one for control and one for data transfer, from 1024 to 65,535 at random.
Because these ports are assigned at random, there is no way to know which ports above
1024 the firewall must be able to open. If you use static filtering, you'll have to leave all
ports above 1024 open all the time if you wish to allow FTP access through the firewall,
which is a serious security concern. However, with dynamic filtering, you can configure
firewall rules to read the packets issued by the server, dynamically open the two
randomly assigned ports to allow a session to be opened, monitor the flow of packets to
ensure that an unauthorized user does not attempt to hijack the session, and close the
randomly assigned ports when the FTP session ends.

2. Static Packet Filtering Firewall


This form of firewall requires human configuration, with the connection between the external
and internal networks remaining open or closed at all times unless manually modified.
Administrators can configure rules and manage ports, access control lists (ACLs), and IP
addresses with these firewall types. They're usually straightforward and practical, making them a
good fit for tiny applications and home or small-business networks that don't have a lot of
requirements.

Figure 3. Static and Dynamic Packet Filtering for FTP

3. Stateless Packet Filtering Firewall

Stateless packet filtering firewalls are the most common and well-known type of firewall. While
they're becoming less widespread, they nevertheless serve a purpose for home internet users or
service providers who deploy low-power customer-premises equipment (CPE). If users want to
depart from default security settings, they must typically manually set up firewalls. Different
ports and apps might pass through the packet filter thanks to manual setups.

4. Stateful Packet Filtering Firewall

It employs a preset table to keep a secure connection, and packets pass through in the order that
the filter rules allow. Stateful firewalls, unlike stateless packet filtering solutions, track active
connections using current extensions such as transmission control protocol (TCP) and user
datagram protocol (UDP) streams. Stateful firewalls can better distinguish between genuine and
malicious traffic or packets by detecting the context of incoming traffic and data packets. New
connections must typically introduce themselves to the firewall before being included in the list
of authorized connections.
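The difference between a stateless and a stateful packet filter, and the perimeter anti-spoofing rule from Figure 2, can be shown on a handful of packets. The following is an added example, not code from the page or from any firewall product: a first-match ACL evaluator over the header fields listed earlier (source and destination address, protocol, ports, direction, interface), run once as a stateless filter and once as a stateful filter that adds a connection table. The network 192.168.1.0/24, the interface names eth0 (outside) and eth1 (inside), and all packets are constructed for the demonstration. The policy is deliberately small: LAN clients may open HTTPS connections outward, nothing may be initiated from outside, and any packet arriving on the outside interface with an internal source address is rejected. Because the stateless filter must open the reply leg by hand (inbound, source port 443), it also admits an unrelated inbound packet that merely carries source port 443; the stateful filter admits only replies to connections it has already seen, which is the "rules for both sides of the conversation" limitation the next section describes.

```python
"""Stateless versus stateful packet filtering on a perimeter firewall.
Added example, not from the page or from any product: a small ACL evaluator
matching on the header fields a packet filter sees, plus, for the stateful
variant, a table of allowed connections keyed by 5-tuple."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

INTERNAL_NET = "192.168.1.0/24"   # constructed: the protected LAN behind the firewall


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from the Internet) or "out" (leaving the LAN)
    iface: str       # interface the packet arrived on: "eth0" outside, "eth1" inside (assumed names)
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class Rule:
    action: str                    # "allow" or "deny"
    direction: Optional[str] = None
    iface: Optional[str] = None
    src: Optional[str] = None      # CIDR
    dst: Optional[str] = None      # CIDR
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.iface is None or self.iface == p.iface)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.proto is None or self.proto == p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


class StatelessFilter:
    """Each packet is judged on its own headers; first matching rule wins, default deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"


class StatefulFilter(StatelessFilter):
    """Same ACL for packets that open a connection; later packets of an allowed
    connection, in either direction, are admitted from the connection table."""

    def __init__(self, rules: List[Rule]):
        super().__init__(rules)
        self.connections = set()    # 5-tuples of connections the ACL has allowed

    def decide(self, p: Packet) -> str:
        forward = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if forward in self.connections or reverse in self.connections:
            return "allow"          # part of a tracked conversation: no ACL lookup needed
        verdict = super().decide(p)
        if verdict == "allow":
            self.connections.add(forward)
        return verdict


# Policy: LAN clients may browse HTTPS sites; nothing is initiated from outside.
STATELESS_RULES = [
    Rule("deny", direction="in", iface="eth0", src=INTERNAL_NET),  # Figure 2: internal source seen outside is spoofed
    Rule("allow", direction="out", proto="tcp", dport=443),        # client -> HTTPS server
    Rule("allow", direction="in", proto="tcp", sport=443),         # reply leg, opened by hand
]
STATEFUL_RULES = STATELESS_RULES[:2]   # the connection table replaces the reply rule

# Constructed traffic using documentation address ranges (198.51.100.0/24, 203.0.113.0/24).
TRAFFIC = [
    ("spoofed_internal_source", Packet("in", "eth0", "192.168.1.10", "192.168.1.20", "tcp", 40000, 445)),
    ("client_to_https", Packet("out", "eth1", "192.168.1.10", "203.0.113.5", "tcp", 51000, 443)),
    ("https_reply", Packet("in", "eth0", "203.0.113.5", "192.168.1.10", "tcp", 443, 51000)),
    ("unrelated_inbound_from_port_443", Packet("in", "eth0", "198.51.100.9", "192.168.1.10", "tcp", 443, 3389)),
]


def run_comparison() -> dict:
    """Run the same packet sequence through both filters; returns name -> (stateless, stateful)."""
    stateless, stateful = StatelessFilter(STATELESS_RULES), StatefulFilter(STATEFUL_RULES)
    return {name: (stateless.decide(p), stateful.decide(p)) for name, p in TRAFFIC}
```

`run_comparison()` returns the same verdict from both filters for the first three packets (deny, allow, allow) and differs only on the last one, which the stateless filter allows and the stateful filter denies; a fresh `StatefulFilter` that has not seen the outbound connection denies the reply as well, which is what "new connections must introduce themselves to the firewall" means in practice.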

What are the Advantages of Packet Filtering Firewall?


Packet filtering is a powerful security technique against intrusions from external networks. It's
also a conventional and cost-efficient method of defense because most routing devices include
built-in filtering capabilities, eliminating the need for a separate firewall device. The following
are some of the most notable benefits of a packet filtering firewall that make it widely accepted
around the world:

 Highly effective and quick: The packet filtering router operates swiftly and effectively,
accepting or rejecting packets based on destination and source ports and addresses.
Because the decisions made by packet-filtering firewalls are not based on much
reasoning, they are extremely rapid. They don't conduct any internal traffic inspections.
They also don't store any state information. All traffic that will flow through the firewall
must use manually opened ports. Other firewalls, on the other hand, use more
time-consuming methods, and the performance overheads of most other firewalls are higher
than those of packet filtering firewalls.

 Transparency: Packet filtering is transparent to users since it functions autonomously
without the requirement for user awareness or collaboration. Users will not be informed
about packet transmission until something has been rejected. Other firewalls, on the other
hand, necessitate custom software, client machine setup, and user training or procedures.
Packet filtering firewalls are thus user-friendly and simple to implement.

 Cost-efficient: Packet filtering has the distinct advantage of cost-efficiency by requiring
only one filtering router to secure the internal network. In widely used hardware and
software routing devices, packet filtering capabilities are built-in. Furthermore, most
websites now have packet filtering capabilities built into their routers, making this
strategy the most cost-effective.

 Easy-to-use: Packet filtering is an enticing choice because of its price and ease of usage.
With this security strategy, a single screening router may defend an entire network. Users
don't require a lot of information, training, or help to utilize firewalls because they won't
notice packet transfer unless it's rejected.

What are the Disadvantages of Packet Filtering Firewall?

Packet filtering has various advantages, but it also has some drawbacks. The following are some
of the downsides of a packet filtering firewall:

 Less Secure: The most significant disadvantage of packet filtering is that it is dependent
on IP address and port number rather than context or application information. Therefore,
they are not thought to be highly secure. This is due to the fact that they will forward any
traffic traveling via an authorized IP/port. The packet filter does not check the full packet,
allowing an attacker to place harmful commands in headers that aren't examined or in the
payload itself. As a result, malicious communication may be sent, but it will not be banned
as long as it is on an allowed port.

 Lack of Logging: The packet filter may lack logging capabilities, making it problematic
for a business that must adhere to compliance and reporting requirements.

 Stateless Firewall: Another significant shortcoming of packet filtering is that it is
fundamentally stateless, which means it monitors each packet independently without
taking into account the established connection or previous packets that have passed
through it. As a result, the ability of these firewalls to protect against advanced threats and
attacks is severely limited.

 Vulnerable to Address Spoofing: Because it just looks at the packet headers, packet
filtering does not guard against IP spoofing. Attackers can use basic spoofing techniques
to get through the static packet filter, which can't distinguish the difference between a real
and a fake address.

 Difficult to Manage: Packet filtering firewalls are not a perfect solution for many
networks because it can be difficult or time-consuming to build in highly wanted filters.
Packet filter gets unmanageable in bigger installations since packet-filtering rules are
checked in sequential order, necessitating caution when entering rules into the rule base.
Finally, because the static packet filter is stateless, the administrator must set up rules for
both sides of the conversation. Managing and configuring ACLs can be challenging at
times.

 Some protocols are incompatible with packet filtering: Even with flawless packet
filtering implementations, some protocols are simply not well suited to packet filtering
security. The Berkeley "r" commands (rcp, rlogin, rdist, rsh, etc.) and RPC-based
protocols like NFS and NIS/YP are examples of such protocols.

 Some policies are difficult to enforce with standard packet filtering firewalls: Packets,
for example, indicate the host from which they originated, but not the user. As a result,
you won't be able to impose limitations on specific users. Similarly, packets specify which
port they're going to but not which application they're going to; when enforcing limits on
higher-level protocols, you do so by port number, trusting that no other protocol is using
that port. Insiders with nefarious motives can easily sabotage such control.

How much does a Packet Filtering Firewall Cost?

Among all types of firewalls, packet filtering firewalls are the most cost-effective. Almost all
routers have packet filtering capabilities built-in as well. You can also set up your own packet
filtering firewall for free on an outdated PC. OPNsense, pfSense software, IPFire, and ClearOS
are just a few of the open-source firewalls freely available for home and small business
networks. Without spending any money, you may easily and rapidly activate the UFW packet
filtering firewall on your Ubuntu-based router or FirewallD on your CentOS-based router.

What is Packet Filtering Firewall Example?

Each TCP/IP packet contains the source/destination IP addresses and source/destination port
number, which packet filters act on. You can create packet filtering rules that only allow access
to IP addresses that are recognizable and well-known while blocking access to all unknown or
unrecognized IP addresses.

You may, for example, allow access only from known, established IP addresses; permitting only
those addresses implicitly prevents access from all unknown or unrecognized IP addresses.

You may, for example, restrict outsiders' access to port 443 by denying access to IP addresses or
ports. Because most HTTPS servers use port 443, this effectively blocks all external access to the
HTTPS server.
According to a CERT report, using packet filtering techniques to allow only permitted and
known network traffic to the greatest extent possible is the most useful.

Here is a real-world packet filtering implementation scenario:


We assume that the company offers WWW, FTP, and Telnet services accessible from the Internet.
The internal network of a corporation is connected to the router's Serial 3/1/9/1:2, and internal
users access the Internet via the router's GigabitEthernet 3/1/1. The company's internal subnet is
129.1.1.0, with internal FTP server addresses of 129.1.1.1, Telnet server addresses of 129.1.1.2,
internal WWW server addresses of 129.1.1.3, and the company's public address of 20.1.1.1. The
router's NAT feature is turned on, allowing hosts on the internal network to access the Internet
and external hosts to access the internal servers.

The company wishes to achieve the following goal by utilizing the firewall feature: only
particular users on external networks are granted access to internal servers, and only specific
hosts on the internal network are allowed to access external networks.

Assume that a certain external user's IP address is 20.3.3.3.

Figure 4. Packet filtering topology example

Packet filtering may be implemented on the router by following the steps given below:

1. Create advanced ACL 3001 by running the following command.

   [Router] acl number 3001

2. Configure rules to permit specific hosts to access external networks and permit internal servers
to access external networks by running the following commands.

   [Router-acl-adv-3001] rule permit ip source 129.1.1.1 0
   [Router-acl-adv-3001] rule permit ip source 129.1.1.2 0
   [Router-acl-adv-3001] rule permit ip source 129.1.1.3 0
   [Router-acl-adv-3001] rule permit ip source 129.1.1.4 0

3. Configure a rule to prohibit all other IP packets from passing the firewall by running the
following commands.

   [Router-acl-adv-3001] rule deny ip
   [Router-acl-adv-3001] quit

4. Create advanced ACL 3002 by running the following command.

   [Router] acl number 3002

5. Configure a rule to allow a specific external user to access internal servers by running the
following command.

   [Router-acl-adv-3002] rule permit tcp source 20.3.3.3 0 destination 129.1.1.0 0.0.0.255

6. Configure a rule to permit specific data (only packets of which the port number is greater
than 1024) to get access to the internal network, then deny everything else, by running the
following commands.

   [Router-acl-adv-3002] rule permit tcp destination 20.1.1.1 0 destination-port gt 1024
   [Router-acl-adv-3002] rule deny ip
   [Router-acl-adv-3002] quit

7. Apply ACL 3001 to filter packets that come in through GigabitEthernet 3/1/1 by running the
following commands.

   [Router] interface gigabitEthernet 3/1/1
   [Router-GigabitEthernet3/1/1] firewall packet-filter 3001 inbound
   [Router-GigabitEthernet3/1/1] quit

8. Apply ACL 3002 to filter packets that come in through Serial 3/1/9/1:2 by running the
following commands.

   [Router] interface serial 3/1/9/1:2
   [Router-Serial3/1/9/1:2] firewall packet-filter 3002 inbound

As another example, let us assume you wish to build a simple Linux-based packet-filtering
firewall. For the two IP subnets, you have two network interface cards installed and configured.
Between the network interfaces, packet forwarding is enabled. You have a Linux-based router. If
this is your principal firewall between your internal network and the Internet, you might wish to
accept only internal www connections and refuse everything else. It's possible that
your ipchains configuration looks like this:

ipchains -A int-ext -p tcp --dport www -j ACCEPT
ipchains -A int-ext -j REJECT

The first line adds the ability to accept and pass connections on port 80 (www) from the internal
to the external interface. It's a part of the int-ext chain (sometimes this is referred to as the access
control list).

The second line is a catch-all. All other packets are rejected.

Although this is a very simplistic example, it shows a few issues. A packet must first be
expressly declared in order to pass. Second, having a "catchall" rule that rejects all packets that
aren't specifically authorized is a smart idea.
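Both the router ACLs in the scenario above and the ipchains chain apply their rules in order, with the first match deciding and a closing catch-all deny. The following Python model is an added example, not part of the original chapter and not any vendor's software: it encodes ACL 3001 and ACL 3002 from the scenario in a first-match evaluator and runs constructed packets through it. The Rule and Packet classes and any addresses not taken from the scenario are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of a stateless, first-match packet filter. Rule mirrors the
# "rule permit/deny <proto> source <ip> <wildcard> destination <ip> <wildcard>
# destination-port gt <n>" lines above; Rule, Packet and the sample packets are
# assumptions for this example (the page's "0" wildcard is written 0.0.0.0 here).

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    action: str                                  # "permit" or "deny"
    proto: str = "ip"                            # "ip" matches every protocol
    src: Optional[Tuple[str, str]] = None        # (address, wildcard); None = any
    dst: Optional[Tuple[str, str]] = None
    dport_gt: Optional[int] = None               # destination-port gt <n>

def wildcard_match(addr: str, spec: Optional[Tuple[str, str]]) -> bool:
    """Wildcard mask semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    if spec is None:
        return True
    base, wild = (int(ipaddress.ip_address(x)) for x in spec)
    return ((int(ipaddress.ip_address(addr)) ^ base) & ~wild & 0xFFFFFFFF) == 0

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport_gt is not None and pkt.dport <= rule.dport_gt:
        return False
    return wildcard_match(pkt.src, rule.src) and wildcard_match(pkt.dst, rule.dst)

def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Rules are checked in sequential order and the first match decides; a packet
    that matches nothing is denied, as the closing 'rule deny ip' above makes explicit."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# ACL 3001: only the four listed internal hosts may pass outward.
ACL_3001 = [Rule("permit", src=(ip, "0.0.0.0"))
            for ip in ("129.1.1.1", "129.1.1.2", "129.1.1.3", "129.1.1.4")] + [Rule("deny")]

# ACL 3002: external user 20.3.3.3 may reach the internal subnet, and TCP to the
# public address 20.1.1.1 on a port above 1024 may pass; everything else is denied.
ACL_3002 = [
    Rule("permit", "tcp", src=("20.3.3.3", "0.0.0.0"), dst=("129.1.1.0", "0.0.0.255")),
    Rule("permit", "tcp", dst=("20.1.1.1", "0.0.0.0"), dport_gt=1024),
    Rule("deny"),
]

if __name__ == "__main__":
    # The filter judges only header fields: a packet merely claiming source 20.3.3.3
    # is permitted exactly like the real one (the address-spoofing weakness listed above).
    for acl, pkt in [
        (ACL_3002, Packet("tcp", "20.3.3.3", "129.1.1.2", 23)),   # permitted user -> Telnet
        (ACL_3002, Packet("tcp", "20.4.4.4", "129.1.1.2", 23)),   # unknown outsider
        (ACL_3002, Packet("tcp", "20.4.4.4", "20.1.1.1", 8080)),  # high port to public addr
        (ACL_3002, Packet("tcp", "20.4.4.4", "20.1.1.1", 80)),    # 80 is not > 1024
        (ACL_3001, Packet("tcp", "129.1.1.5", "8.8.8.8", 443)),   # host not in the list
    ]:
        print(pkt, "->", evaluate(acl, pkt))
```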

What is the Difference Between Proxy Firewall And Packet Filtering Firewall?

Packet-filtering firewalls run at the network layer (layer 3) of the OSI model as a router and do
not distinguish between application protocols. Proxy firewalls, on the other hand, provide proxy
services for internal users by monitoring/controlling outgoing internal packets and regulating
incoming external network traffic.

Proxy firewalls, unlike packet filtering firewalls, do not route packets; instead, they accept a
connection on one network interface and establish a corresponding connection on another. A
Proxy server acts as a bridge between hosts on different networks, keeping track of the state and
sequencing of TCP connections.

Proxy firewalls look at packets more thoroughly than packet filtering firewalls, recognizing the
type of data being sent (HTTP or FTP, for example). They operate at a higher level in the protocol
stack than packet-filtering firewalls, giving them greater options for accessibility monitoring and
management. An application gateway functions as a distributor when dispatching messages from
internal clients to the outside world, changing the source identification of the client packets.

In applications that forward and filter connections for services like Telnet and FTP, proxy
firewalls have solved some of the flaws inherent with packet-filtering devices. Packet-filtering
and proxy firewalls, on the other hand, do not have to be employed separately. When proxy
firewalls and packet-filtering devices are used together, they can provide greater flexibility and
security than if they were used separately. A web server that utilizes a packet-filtering firewall to
deny all incoming Telnet and FTP connections and redirects them to an application gateway is an
example of this. The source IP address of incoming Telnet and FTP packets can be authenticated
and logged using an application gateway, and if the information in the packets passes the proxy
firewall's acceptance criteria, a proxy is created and a connection between the gateway and the
selected internal host is allowed. Only those connections for which a proxy has been created will
be allowed through the application gateway. This type of firewall system allows only trusted
services to pass through to the enterprise's internal systems and prohibits untrusted services from
passing through without the security administrators' monitoring and control.

Packet-filtering devices are, on average, faster than application gateways, but they lack the
security that most proxy services provide.

Because proxy firewalls are more complicated than packet-filtering firewalls, the additional
computing resources and cost of operating such a system should be considered when determining
organizations' firewall requirements. For all of the concurrent sessions in use on a network, the
host may need to support hundreds to thousands of proxy processes, depending on the
requirements. As with other business decisions, the higher the level of performance required, the
higher the expenses associated with achieving that level of performance.

Proxy firewalls have the following advantages: they prevent direct connections between internal
and external hosts; they frequently provide user and group-level authentication, and they may
analyze specific application commands within the payload component of data packets. Proxy
firewalls have the disadvantages of being slower than packet filtering firewalls, not being
transparent to users, and requiring each application to have its own dedicated proxy firewall
policy/processing module.
Packet filter                                        Application-level
---------------------------------------------------  ---------------------------------------------------
Simplest                                             Even more complex
Filters based on connection rules                    Filters based on behavior or proxies
Auditing is difficult                                Activity can be audited
Low impact on network performance                    High impact on network performance
Network topology cannot be hidden from the attacker  Network topology can be hidden from the attacker
Transparent to user                                  Not transparent to the user
Sees only addresses and service protocol type        Sees full data portion of a packet

What is the Difference Between Packet Filtering Firewall And Stateful Inspection Firewall?

Stateful inspection is a method that does a more in-depth analysis of the information contained in
packets, with subsequent filtering decisions based on what the firewall "learned" from previously
analyzed packets.

Stateful packet inspection firewalls work in the same way as packet filtering firewalls, except
they can keep track of traffic at a more detailed level. A stateful firewall can watch the traffic
over a specific connection, which is normally specified by the source/destination IP addresses,
the ports, and the previously existing network traffic, whereas a packet filtering firewall can only
examine each packet in isolation. A stateful firewall uses a state table to keep track of the
connection state and will only allow traffic that is part of a new or existing connection through.
Therefore, stateful firewalls provide more advanced security than packet-filtering firewalls by
making filtering decisions based on both packet content and past packet history.

Most stateful firewalls can also act as packet filtering firewalls, with the two types of filtering
being combined. This form of firewall, for example, can detect and track traffic relating to a
specific user-initiated connection to a Web site and can determine when the connection has been
closed and no further traffic should be present.

What is the Difference Between Packet Filtering Firewall And Circuit-Level Firewall?

Circuit-level firewalls are similar to proxy firewalls, only they don't need to know what kind of
data is being sent. SOCKS servers, for example, can operate as circuit-level firewalls. "SOCKS"
is a protocol that allows a server to accept requests from a client on a private network and send
them over the Internet. Sockets are used by SOCKS to keep track of individual connections.

While packet filtering firewalls are stateless, stateful inspection or dynamic packet filtering is
performed by circuit-level gateways to make filtering decisions. Stateful inspection is a circuit-
level gateway function that provides more robust screening than packet-filtering devices by using
both packet content and previous packet history to make filtering judgments.

Circuit-level gateways, like proxy firewalls, can be set up to specify advanced accessibility
decision-making and offer increased security monitoring capabilities over packet-filtering
firewalls. Like packet-filtering firewalls, however, they still rely on a well-laid-out core routing
structure.

7.5.2. Port-forwarding/redirection and NAT/IP masquerading

Let's look at the concepts of port forwarding, redirection, and NAT (Network Address
Translation), also called IP masquerading.

1. Port Forwarding:

o Port forwarding allows you to selectively direct incoming network traffic from a specific
port to a designated internal computer within your local network.

o Here’s how it works:

 You configure your router to associate an external port number with an internal IP
address and port.

 When an external device initiates a connection to that specific port, the router
forwards the traffic to the corresponding internal computer.

 This is commonly used for services like web servers (HTTP on port 80) or gaming
(specific game ports).

o In essence, port forwarding ensures that incoming traffic reaches the right destination
within your network.

2. IP Masquerading (NAT):

o IP masquerading (also known as Network Address Translation) serves two primary
purposes:

 Conserving IPv4 Addresses: When IPv4 addresses became scarce, masquerading
allowed multiple internal machines to share a smaller pool of public IP addresses.

 Security Measure: It provides a layer of security by allowing internal machines to
access the internet through a single public IP address.

o How it works:

 All machines within your internal network appear to have the same set of public
addresses.

 When an internal host wants to establish an outbound connection, it gets assigned
an IP address and port from the pool.

 The machine doing the masquerading modifies the source IP address of each packet
so that replies are routed back to it.

 Essentially, it allows private IP addresses to access the internet via the
masquerading machine.

o Note that if there’s only one public address, it’s more accurately called PAT (Port
Address Translation).

3. Firewall:

o A firewall filters traffic between networks (e.g., internal network and the internet).

o It inspects connection requests and flowing traffic, denying or modifying traffic based
on rules.

o Firewalls are often combined with both port forwarding and masquerading.

In summary:

 Port forwarding directs specific external port traffic to internal computers.

 IP masquerading (NAT) allows private IP addresses to access the internet via a shared
public address.

 Firewalls enhance security by filtering and managing network traffic.
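An added example, not from the original chapter: a small Python model of the masquerading router and port-forwarding behaviour summarized above. Its translation table doubles as the state table that the stateful-inspection comparison earlier in the chapter relies on, which is why unsolicited inbound packets are dropped. The Router class, the packet layout and all addresses (documentation ranges) are constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed example: one public address shared by the whole internal network
# (PAT, as the note above puts it) plus a single port-forwarding entry. The
# Router class, the Packet layout and every address below are assumptions made
# for this example; 203.0.113.x and 198.51.100.x are documentation ranges.

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Router:
    def __init__(self, public_ip: str, forwards: dict, first_port: int = 40000):
        self.public_ip = public_ip
        self.forwards = forwards          # {external port: (internal ip, internal port)}
        self.next_port = first_port       # next unused public port for outbound flows
        # Translation (state) table: public port -> (int ip, int port, remote ip, remote port)
        self.table: dict = {}
        self.dropped: list = []

    def outbound(self, pkt: Packet) -> Packet:
        """Internal -> Internet: rewrite the source to the shared public address.
        Each internal-socket/remote-socket pair gets its own public port, which is
        what lets the reply be mapped back to the right internal host."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for pub_port, entry in self.table.items():
            if entry == key:              # existing flow: reuse its public port
                break
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = key
        return replace(pkt, src=self.public_ip, sport=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> internal: only a reply to a tracked flow or a packet to a
        forwarded port is let in; anything else is dropped (the security benefit)."""
        if pkt.dst != self.public_ip:
            self.dropped.append(pkt)
            return None
        entry = self.table.get(pkt.dport)
        if entry and entry[2:] == (pkt.src, pkt.sport):
            # Reply to an outbound connection: undo the translation.
            return replace(pkt, dst=entry[0], dport=entry[1])
        if pkt.dport in self.forwards:
            # Port forwarding: unsolicited connection to a published internal service.
            in_ip, in_port = self.forwards[pkt.dport]
            return replace(pkt, dst=in_ip, dport=in_port)
        self.dropped.append(pkt)          # no state and no forward rule
        return None

if __name__ == "__main__":
    r = Router("203.0.113.10", {80: ("192.168.1.20", 8080)})
    out = r.outbound(Packet("192.168.1.5", 51000, "198.51.100.7", 443))
    print("translated:", out)
    print("reply:", r.inbound(Packet("198.51.100.7", 443, "203.0.113.10", out.sport)))
    print("forwarded:", r.inbound(Packet("198.51.100.9", 3333, "203.0.113.10", 80)))
    print("dropped:", r.inbound(Packet("198.51.100.9", 3333, "203.0.113.10", 22)))
```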


7.6. Packet processing model

Let's look at the concepts of packet processing, which plays a crucial role in digital
communication networks. As data traverses various network elements, packet processing
algorithms come into play. Here are the key points:

1. Control Plane vs. Data Plane:

o Packet processing algorithms fall into two broad categories:

 Control Information Processing: This involves handling control information within
packets. It ensures safe and efficient packet transfer from origin to destination.

 Payload (Data Content) Processing: Here, the focus is on the actual data content
(payload) of the packet. Content-specific transformations or actions occur based on this
payload.

o Within network devices (such as routers, switches, and terminals), the packet processing
subsystem manages the traversal of the multi-layered network or protocol stack—from the
lower physical and network layers up to the application layer.

2. History of Packet Processing:

o The history of packet processing is intertwined with the development of the Internet and
packet switching:

 1960s: Early research into packet switching.

 1969: The first two nodes of ARPANET (the precursor to the internet) were connected,
with email as a new application.

 1973: Packet-switched voice connections over ARPANET using Network Voice Protocol (NVP).

 1974: Specification of Transmission Control Protocol (TCP).

 1981: Standardization of IP and TCP.

 1991: Release of the World Wide Web (WWW) by CERN.

 1998: Publication of IPv6 specifications.

3. OSI Model and Layered Approach:

o The OSI (Open Systems Interconnection) Model provides a 7-layer framework describing
how a network operating system works.

o Benefits of a layered model include modularity (changing one layer without affecting
others) and understanding network behavior.

o The layers include:

   1. Physical Layer: Deals with physical transmission of bits.
   2. Data Link Layer: Manages data frames and error detection.
   3. Network Layer: Handles routing and addressing.
   4. Transport Layer: Ensures reliable data transfer.
   5. Session Layer: Establishes, maintains, and terminates connections.
   6. Presentation Layer: Translates data formats.
   7. Application Layer: Provides network services to applications.

4. Deep Packet Inspection (DPI):

o DPI technologies separate specific traffic types by looking inside the data payload of
packets.

o Pattern matching algorithms identify packet contents, enabling actions based on
content.

o DPI is used for security, quality of service (QoS), and application-specific processing.

In summary, packet processing is the backbone of network communication, ensuring efficient
data transfer and content-specific actions.
7.7. Intrusion Detection and Mandatory Access Control with LIDS

Let's explore the concepts of Intrusion Detection and Mandatory Access Control (MAC)
using the Linux Intrusion Detection System (LIDS).

1. Linux Intrusion Detection System (LIDS):

o LIDS was a patch for the Linux kernel and associated administrative tools.

o Its primary goal was to enhance kernel security by implementing mandatory access control.

o When LIDS was active:

 All system network administration operations, chosen file access, capability use,
raw device, memory, and I/O access could be restricted—even for the root user.

 You could define which programs could access specific files.

 LIDS extended the system capabilities bounding set to control the entire system
and added network and filesystem security features to the kernel.

 Fine-tuning security protections online, hiding sensitive processes, and
receiving security alerts through the network were possible.

o LIDS supported Linux kernels 2.4 and 2.6.

o It was released under the terms of the GNU General Public License (GPL).

2. Mandatory Access Control (MAC):

o MAC is a security model that enforces access controls based on predefined rules.

o Unlike discretionary access control (DAC), where users have control over their own
objects, MAC imposes restrictions regardless of user discretion.

o LIDS implemented MAC by:

 Controlling access to system resources (files, devices, etc.) based on policies.

 Ensuring that even privileged users (like root) adhere to these policies.

o Other well-known MAC solutions include SELinux and AppArmor.

o SELinux, developed by the U.S. National Security Agency (NSA), is widely used for
enforcing access controls in Linux systems.

In summary, LIDS provided an additional layer of security by enforcing mandatory access
controls within the Linux kernel. Although it’s no longer actively maintained, its concepts remain
relevant in the broader field of system security.
