
Unit-5

Firewall & Intrusion


Computer Intrusions
• Computer Intrusions refer to unauthorized access or breach of a computer system, network, or device.

• This can involve exploiting vulnerabilities, bypassing security measures, or using malicious techniques to gain access.

• Intrusions can compromise sensitive data, disrupt operations, and lead to significant financial and reputational damage.

• 💻 Types of Computer Intrusions

• Hacking: unauthorized access gained by exploiting weaknesses in software, configuration or credentials.
• Phishing: deceptive emails or messages used to steal credentials or deliver malware.
• Malware Infections: viruses, worms, ransomware and Trojans that infiltrate systems.
• Brute Force Attacks: automated guessing of passwords or keys.
• SQL Injection (SQLi): inserting malicious SQL statements through input fields so that the database executes them.
• Denial-of-Service (DoS) and Distributed DoS (DDoS) Attacks: overloading systems with traffic to make them unavailable.
• Man-in-the-Middle (MitM) Attacks: intercepting, and possibly altering, communication between two parties.
Introduction of Firewall

• A firewall is a network security device, hardware or software, that monitors all incoming and outgoing traffic
and, based on a defined set of security rules, accepts, rejects or drops each packet or connection.
• It acts as a barrier between a trusted internal network and untrusted external networks (e.g., the internet);
only traffic that actually crosses that boundary can be controlled by it.

• Accept : allow the traffic.

• Reject : block the traffic and tell the sender (an ICMP "destination unreachable" message, or a TCP RST for TCP).
Legitimate clients fail fast, but the reply also confirms to a scanner that a filter exists.
• Drop : block the traffic silently, with no reply. Scanners have to wait for timeouts, but a misconfigured rule is
also harder for legitimate users to diagnose.
Characteristics of a Firewall
Traffic Filtering:
Firewalls inspect and filter packets based on rules such as IP addresses, ports, protocols, and content.
They allow or block traffic according to configured policies.

Packet Inspection:
Stateless Firewalls: inspect each packet independently, using only the headers of that packet.
Stateful Firewalls: keep a table of active connections and allow packets that belong to a connection already
admitted by the rules (e.g., replies to an outbound request), so the rules need only describe who may open a
connection.

Access Control:
Firewalls define access control policies, determining which devices or users can access specific resources.
They block unauthorized access attempts.

Logging and Monitoring:


Firewalls keep logs of traffic, which helps in detecting suspicious activity and troubleshooting.
Real-time monitoring allows administrators to identify intrusion attempts.
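To make the stateless/stateful distinction above concrete, here is an added example that is not part of the original slides: a toy packet filter in Python. The internal network prefix 10.0.0.0/24, the published HTTPS service, the telnet reject rule and the sample packets are assumptions constructed for the example; nothing touches a real interface.

```python
"""Added example (not from the original slides): a toy packet filter that
contrasts stateless rules with a stateful connection table.  Packets and
addresses are constructed in memory; 10.0.0.0/24 as the "internal" side and
the documentation addresses outside it are assumptions of the example."""
from dataclasses import dataclass

ACCEPT, REJECT, DROP = "ACCEPT", "REJECT", "DROP"
INTERNAL_PREFIX = "10.0.0."          # assumed trusted network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False                # TCP SYN set: a new connection attempt
    ack: bool = False


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def direction(pkt: Packet) -> str:
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return "outbound"
    if not is_internal(pkt.src) and is_internal(pkt.dst):
        return "inbound"
    return "other"


def stateless_filter(pkt: Packet) -> str:
    """Each packet is judged on its own headers.  To let replies to outbound
    connections back in, the rule set has to open every high port inbound,
    which is the 'no context' weakness the slides describe."""
    d = direction(pkt)
    if d == "outbound":
        return ACCEPT
    if d == "inbound" and pkt.proto == "tcp":
        if pkt.dport == 443:
            return ACCEPT            # published HTTPS service
        if pkt.dport == 23:
            return REJECT            # telnet: refuse and tell the sender (RST)
        if pkt.dport > 1023:
            return ACCEPT            # the "return traffic" hole
    return DROP                      # default deny, silently


class StatefulFilter:
    """Remembers connections the policy admitted and lets their packets
    through in both directions; anything else is judged as a new flow."""

    def __init__(self) -> None:
        self.conntrack = set()       # admitted flows keyed by 4-tuple

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conntrack or rev in self.conntrack:
            return ACCEPT            # established flow, either direction
        new_conn = pkt.proto == "tcp" and pkt.syn and not pkt.ack
        d = direction(pkt)
        if d == "outbound" and new_conn:
            self.conntrack.add(fwd)
            return ACCEPT
        if d == "inbound" and new_conn and pkt.dport == 443:
            self.conntrack.add(fwd)
            return ACCEPT
        if d == "inbound" and pkt.dport == 23:
            return REJECT
        return DROP                  # unsolicited packet, no matching connection


def demo() -> dict:
    """Three constructed packets: a client opening HTTPS outbound, the
    server's SYN/ACK reply, and an unsolicited inbound SYN to a high port."""
    client_syn = Packet("10.0.0.7", 51000, "203.0.113.5", 443, syn=True)
    server_synack = Packet("203.0.113.5", 443, "10.0.0.7", 51000, syn=True, ack=True)
    unsolicited = Packet("198.51.100.9", 4444, "10.0.0.7", 51001, syn=True)
    sf = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in (client_syn, server_synack, unsolicited)],
        "stateful": [sf.filter(p) for p in (client_syn, server_synack, unsolicited)],
    }


if __name__ == "__main__":
    print(demo())
```

The stateless filter accepts the attacker's unsolicited SYN to port 51001 because it cannot tell a reply from a new inbound connection; the stateful filter drops it because no admitted connection matches, while still passing the server's reply to the client's connection.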
types of firewalls

1. Packet filtering firewall


Packet filtering firewalls operate inline at junction points where devices such as routers and
switches do their work; on a router the filter is an access control list (ACL) applied to an interface.

The filter itself does not make routing decisions; it compares each packet received to
a set of established criteria, such as the allowed IP addresses, protocol, port number and
other fields of the packet headers.

Packets that fail the criteria are not forwarded: they are dropped (or rejected) at the filter.

Packet filtering firewall advantages

A single device can filter traffic for the entire network.

Extremely fast and efficient in scanning traffic.


Inexpensive.

Minimal effect on other resources, network performance and end-user experience.

Packet filtering firewall disadvantages

Because filtering is based entirely on header fields (addresses, protocol, ports, flags), packet filtering
lacks the connection and application context that informs other types of firewalls.

Doesn't check the payload, and the header fields it does check can be spoofed by the sender.

Not an ideal option for every network.

Access control lists can be difficult to set up and manage, and rule-ordering mistakes are a common
source of unintended openings.


Packet filtering might not provide the level of security necessary for every use case,
but there are situations in which this low-cost firewall is a solid option.

For small or budget-constrained organizations, packet filtering provides a basic level


of security that offers protection against known threats.

Larger enterprises can also use packet filtering as part of a layered defense to
screen potentially harmful traffic between internal departments.

2. Circuit-level gateway

Using another relatively quick way to identify malicious content, circuit-level gateways work at the session
layer: they monitor TCP handshakes and other session-initiation messages between the local and remote hosts
to determine whether the session being initiated is legitimate, meaning whether the endpoints and the
requested service are permitted by policy. Once a session is approved, the gateway relays its packets
without looking inside them. A SOCKS proxy is the classic example.

They don't inspect the packet payloads themselves, however.


Circuit-level gateway advantages

•They only process requested transactions; all other traffic is rejected.

•Easy to set up and manage.

•Low cost and minimal impact on end-user experience.

Circuit-level gateway disadvantages

•If they aren't used in conjunction with other security technology, circuit-level gateways offer no protection against
data leakage from devices within the firewall.

•No application layer monitoring.

•Requires ongoing updates to keep rules current.

While circuit-level gateways provide a higher level of security than packet filtering firewalls, organizations should
use them in conjunction with other systems.

For example, circuit-level gateways are typically used alongside application-level gateways. This strategy
combines attributes of packet- and circuit-level gateway firewalls with content filtering.
3. Application-level gateway
This kind of device -- technically a proxy and sometimes referred to as a proxy firewall -- functions as the only
entry point to and exit point from the network.

Application-level gateways filter packets not only according to the service for which they are intended -- as
specified by the destination port -- but also by other characteristics, such as the HTTP request string.

While gateways that filter at the application layer provide considerable data security, they can
dramatically affect network performance and can be challenging to manage.

Application-level gateway advantages


Examines all communications between outside sources and devices behind the firewall, checking not just
address, port and TCP header information, but the content itself before it lets any traffic pass through the proxy.

Provides fine-grained security controls that can, for example, allow access to a website but restrict which pages
on that site the user can open.

Hides internal hosts: connections to the outside are originated by the proxy, so external servers see only the
proxy's address, not the client's.

Application-level gateway disadvantages

Can inhibit network performance.

Costlier than some other firewall options.


Requires a high degree of effort to derive the maximum benefit from the gateway.

Doesn't work with all network protocols.

Application-level firewalls are best used to protect enterprise resources from web application threats. They block
access to harmful sites and prevent sensitive information from being leaked from within the firewall. They can,
however, introduce a delay in communications.
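The request-string filtering described above, as an added example in Python that is not code from the slides or from any particular proxy product. The policy (two hypothetical hosts with allowed path prefixes), the allowed methods and the sample requests are all constructed for the example; a real gateway would also terminate TLS and inspect responses.

```python
"""Added example, not code from the slides: the request-level checks an
application-level gateway (HTTP proxy) can make because it parses the
request, which a packet filter looking only at ports cannot.  The hosts,
paths and requests are constructed for the example."""
from urllib.parse import urlsplit

# Per-host policy (hypothetical hosts): which path prefixes a client may open.
POLICY = {
    "intranet.example.com": ["/wiki/", "/hr/forms/"],
    "www.example.org": ["/"],
}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_REQUEST_LINE = 8192


def parse_request(raw: bytes):
    """Return (method, target, headers); raise ValueError if malformed."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    if len(lines[0]) > MAX_REQUEST_LINE:
        raise ValueError("request line too long")
    parts = lines[0].decode("ascii").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.decode("ascii").partition(":")
        if not sep:
            raise ValueError("malformed header")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def gateway_decision(raw: bytes):
    """Proxy policy: parse, then allow only known methods, hosts and paths."""
    try:
        method, target, headers = parse_request(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return "BLOCK", f"unparseable request: {exc}"
    if method not in ALLOWED_METHODS:
        return "BLOCK", f"method {method} not permitted"
    # Clients send proxies an absolute URL; origin-form requests rely on Host.
    if not target.startswith(("http://", "https://")):
        target = "//" + headers.get("host", "") + target
    url = urlsplit(target)
    host = url.hostname or ""
    prefixes = POLICY.get(host)
    if prefixes is None:
        return "BLOCK", f"host {host!r} not in policy"
    path = url.path or "/"
    if ".." in path.split("/"):
        return "BLOCK", "dot-segments in path"     # urlsplit does not normalise them
    if not any(path.startswith(p) for p in prefixes):
        return "BLOCK", f"path {path} not permitted on {host}"
    return "ALLOW", f"{method} {host}{path}"


SAMPLE_REQUESTS = [   # constructed
    b"GET /wiki/Home HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n",
    b"GET /admin/users HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n",
    b"GET /wiki/../hr/payroll.csv HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n",
    b"CONNECT 198.51.100.9:4444 HTTP/1.1\r\n\r\n",
    b"GET http://www.example.org/news HTTP/1.1\r\n\r\n",
    b"\x16\x03\x01 not http at all",
]


def demo() -> list:
    return [gateway_decision(r)[0] for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, demo()):
        print(verdict, req[:40])
```

Note what a port-based filter would have done with the same six requests: all of them arrive on the proxy port, so it would have allowed every one, including the CONNECT tunnel to an arbitrary host and the non-HTTP bytes.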
Firewall Architectures

1. Dual-homed gateway / host


A dual-homed host firewall is a type of firewall architecture that uses a single computer (the dual-homed host) with two
network interfaces, one connected to the external network (e.g., the internet) and the other to the internal network.

IP forwarding is disabled on the host, so packets are never routed from one interface to the other; every connection
must be relayed by a proxy service running on the host, which is what forces all traffic through the firewall.

A dual-homed host is therefore an application-level (proxy) firewall that protects trusted networks (e.g., a corporate
network) from malicious traffic.

It mediates all connections from untrusted networks (like the internet) and acts as the first line of defense. Because
it is a single host it is also a single point of failure: if the host is compromised, or forwarding is accidentally
enabled, the two networks are joined directly.

In practice the term "dual-homed host" is used for any gateway, firewall or proxy host that has interfaces on both an
untrusted and a trusted network.
How a dual-homed host works

A dual-homed host is a firewall system with two network interfaces (NICs).

This system sits between an untrusted network and a trusted network to ensure secure access.

The dual-homed host is connected to the untrusted network (e.g., the internet) and the trusted network (e.g., internal) at the
same time.

With a dual-homed host, IP packets are not directly routed from an untrusted network to the trusted network.

The systems inside the firewall and outside the firewall (on the internet) can communicate with the dual-homed host, but
they can't communicate directly with each other: users either go through a proxy service on the host or log in to the
host itself.
2. Screened Host Architecture

A screened host firewall is a firewall architecture that uses a bastion host to filter and monitor traffic between an
internal network and an external network (typically the internet).

It provides an additional layer of security: a screening (packet filtering) router faces the external network and the
bastion host sits on the internal network behind it; the router forwards permitted inbound traffic only to the bastion host.

Bastion Host: A highly secured and hardened system that acts as a gateway between external and internal
networks.

Packet Filtering Router: Positioned between the external network and the bastion host to filter traffic based on
predefined rules.

Internal Network: Protected behind the bastion host to prevent direct access from external threats.
How It Works

The packet filtering router allows only certain types of traffic to reach the bastion host, and nothing from outside to
reach any other internal system directly.

The bastion host further inspects and proxies the allowed traffic before forwarding it to the internal network.

Any unauthorized traffic is blocked at the router or the bastion host.

Because the bastion host sits on the internal network itself, compromising it (or the single router) exposes the internal
network directly; the screened subnet architecture below removes that weakness by putting the bastion host on its own
network.


3. Screened Subnet Architecture (DMZ Architecture)

The Screened Subnet Firewall Architecture, also known as DMZ (Demilitarized Zone) Architecture, is a firewall setup that
provides an additional layer of security by creating an isolated network (DMZ) between the internal network and the external
network (internet).

This setup protects sensitive internal resources while allowing controlled access to public-facing services like web servers and
email servers.

Architecture Overview

A screened subnet architecture uses two firewalls to create a DMZ:

External Firewall (Internet-facing)


Filters incoming traffic from the internet.
Allows only specific traffic (e.g., HTTP, HTTPS, SMTP) to enter the DMZ.

Internal Firewall (Internal Network-facing)


Filters traffic between the DMZ and internal network.
Prevents unauthorized access to sensitive internal systems.
DMZ (Demilitarized Zone)
A buffer zone that hosts public services (e.g., web servers, mail servers, DNS servers).
Accessible from the internet, but traffic between the DMZ and internal network is strictly controlled.

🔹 How It Works

External Users → DMZ


External users can access public-facing services (e.g., a web server) in the DMZ.
The external firewall ensures that only permitted traffic (e.g., HTTP, HTTPS) reaches the DMZ.

DMZ → Internal Network


The internal firewall prevents unauthorized traffic from reaching the private network.
Only approved connections (e.g., the web server to an internal database, on the database port only) are allowed; a
compromised DMZ host must not be able to reach anything else inside.

Internal Users → DMZ & Internet


Internal users may access both DMZ services and the internet.
The internal firewall enforces security policies to block threats.
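The three flow cases above (internet to DMZ, DMZ to internal, internal outward), as an added example in Python that is not part of the original slides. The zone layout is an assumption: 192.168.100.0/24 is the DMZ, 10.0.0.0/8 the internal network, documentation addresses in 203.0.113.0/24 stand in for the internet, and the web server and database hosts are hypothetical. The rule sets model the two firewalls as first-match lists with an implicit default deny.

```python
"""Added example (not from the slides): the two rule sets of a screened
subnet, evaluated for a handful of flows.  Address ranges and hosts are
assumptions of the example, not taken from any real deployment."""
import ipaddress

ZONES = {
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}
WEB_SERVER = ipaddress.ip_address("192.168.100.10")   # public web tier, in the DMZ
DB_SERVER = ipaddress.ip_address("10.0.5.20")         # database, internal


def zone_of(ip) -> str:
    ip = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if ip in net), "internet")


def web_to_db(src, dst) -> bool:
    return src == WEB_SERVER and dst == DB_SERVER


# Rule: (src_zone, dst_zone, allowed dports or None for any, host check or None, action)
EXTERNAL_FW = [   # between the internet and the DMZ
    ("internet", "dmz", {80, 443}, None, "allow"),
    ("dmz", "internet", {53, 80, 443}, None, "allow"),      # DNS, updates
    ("internal", "internet", {80, 443}, None, "allow"),     # users browsing out
    ("internet", "internal", None, None, "deny"),            # never forwarded inside
]
INTERNAL_FW = [   # between the DMZ and the internal network
    ("dmz", "internal", {5432}, web_to_db, "allow"),         # web tier -> DB only
    ("internal", "dmz", {22, 443}, None, "allow"),           # admins and users
    ("internal", "internet", {80, 443}, None, "allow"),
]


def evaluate(rules, src, dst, dport) -> str:
    """First matching rule wins; no match means the implicit default deny."""
    sz, dz = zone_of(src), zone_of(dst)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s, d, ports, check, action in rules:
        if s != sz or d != dz:
            continue
        if ports is not None and dport not in ports:
            continue
        if check is not None and not check(src_ip, dst_ip):
            continue
        return action
    return "deny"


def flow_verdict(src, dst, dport) -> str:
    """A flow must be allowed by every firewall on its path.  Flows touching
    the internet cross the external firewall, flows touching the internal
    network cross the internal one, internet<->internal crosses both."""
    zones = {zone_of(src), zone_of(dst)}
    path = []
    if "internet" in zones:
        path.append(EXTERNAL_FW)
    if "internal" in zones:
        path.append(INTERNAL_FW)
    if not path:                      # dmz -> dmz: no firewall in between
        return "allow"
    return "allow" if all(evaluate(fw, src, dst, dport) == "allow" for fw in path) else "deny"


def demo() -> dict:
    flows = {   # constructed
        "internet->web:443": ("203.0.113.50", "192.168.100.10", 443),
        "internet->internal smb": ("203.0.113.50", "10.0.5.20", 445),
        "web->db:5432": ("192.168.100.10", "10.0.5.20", 5432),
        "web->db ssh": ("192.168.100.10", "10.0.5.20", 22),
        "other dmz host->db:5432": ("192.168.100.11", "10.0.5.20", 5432),
        "user->internet:443": ("10.0.0.7", "203.0.113.50", 443),
    }
    return {name: flow_verdict(*f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:5}  {name}")
```

The two denied DMZ-to-internal flows are the point of the internal firewall: a compromised web server can still talk to the database on its one port, but cannot SSH inside, and a second DMZ host that is not the web server cannot reach the database at all.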
Benefits of a Firewall
1.Network Security – Firewalls act as a barrier between trusted internal networks and untrusted external networks (e.g., the
internet), blocking unauthorized access.

2.Traffic Monitoring and Control – They regulate inbound and outbound traffic based on predefined security rules.

3.Protection Against Malware and Cyberattacks – Firewalls help prevent unauthorized access, DoS (Denial of Service) attacks,
and malware infiltration.

4.Access Control – They enforce security policies by restricting access to certain applications, websites, or services.

5.Logging and Monitoring – Firewalls provide logs of network activities, helping in forensic analysis and threat detection.

6.VPN Support – Many firewalls support Virtual Private Networks (VPNs) to secure remote access.

7.Data Loss Prevention – They help prevent sensitive data from being transmitted outside the network.
Limitations of a Firewall
1.Cannot Prevent Insider Threats – Firewalls do not stop malicious activities from authorized users within the network.

2.Limited Protection Against Zero-Day Attacks – New or unknown threats may bypass firewall defenses.

3.No Protection Against Social Engineering – Firewalls cannot stop phishing attacks, email fraud, or human-based
manipulation tactics.

4.Performance Overhead – High-security configurations may slow down network performance.

5.Complex Configuration – Misconfigurations can create vulnerabilities, allowing unauthorized access.

6.Cannot Inspect Encrypted Traffic – Firewalls cannot analyze the content of encrypted (e.g., TLS) sessions unless they
terminate or intercept them, so malware carried inside an encrypted session passes any content check.

7.Cost of Implementation – Enterprise-grade firewalls can be expensive in terms of hardware, software, and maintenance.
Trusted Systems in Network
Security
• Trusted Systems are systems designed and built specifically to enforce a security policy.
• Safety is ensured by protecting the system against malicious software and third-party intruders.
• A trusted system allows only verified users to access the computer system, and only within the rights granted
to them.
• A trusted system provides security at different levels and based on different parameters, typically through a
reference monitor: a component that mediates every access to every object, is tamper-proof, and is small
enough to be verified.
Importance of Trusted System:
• Identity Verification: Trusted systems ensure that only verified users are given
access. The verification process takes place that each user is identified
uniquely.
• Safety Maintained: Trusted system ensures that safety is maintained by
preventing direct access to confidential information.
• Limiting Access: Permissions and access that are absolutely necessary are
granted for users. Unwanted rules and permissions are avoided.
• Preventing Malicious Activities: Trusted systems have a mechanism in place to
detect and prevent malicious activities such as hacking attempts and
unauthorized access.
• Ensuring Compliance: Trusted systems help organizations to comply with
various regulations and standards such as HIPAA, PCI-DSS, and SOX by providing
a secure environment for sensitive information.
Password Management in Cyber
Security
• In technical terms, a password is a series of letters, numbers or symbols that you must type into a computer
or computer system in order to be able to use it.

• A password is a secret the user knows ("something you know"): the system challenges the user for it and
compares the response against a stored verifier. It is the simplest form of authentication.
Password Management:

• Since passwords are meant to keep files and data secret and safe from unauthorized access,
• password management refers to the practices, rules and standards that one must follow (or at least try to)
in order to choose a good, strong password,
• along with how passwords are stored and handled over their lifetime.
Issues Related to Managing
Passwords:
• Login spoofing
• Sniffing attack
• Brute force attack
• Shoulder surfing attack
• Data breach
Methods to Manage Password:
• Strong and long passwords: a minimum length of 8 to 12 characters, and at least three different character sets
(uppercase characters, lowercase characters, numbers, symbols). Length matters more than mixing classes: a long
passphrase resists guessing better than a short "complex" string, and candidate passwords should also be checked
against lists of known-breached passwords.
• Password Hashing: passwords should never be stored in plain text or reversibly encrypted. Store a salted hash
produced by a slow function designed for passwords (Argon2, bcrypt, scrypt or PBKDF2). If the stored verifiers are
stolen, an attacker still has to guess each password individually.
• Multi-factor Authentication (MFA): requiring a second factor (an authenticator app, a hardware key, or at least a
one-time code sent to a phone) in addition to the password, so that a stolen password alone is not enough to log in.
Security questions and SMS codes are the weakest of these options.
• Make the password pass the test: check a candidate password with a strength checker and against a breached-password
list before accepting it. Never paste a real password into a third-party web page; use an offline checker or a
service that lets you query by hash prefix.
• Updating passwords: it has long been advised, or even made mandatory, to change passwords every 60 or 90 days.
Current guidance (NIST SP 800-63B) is to change a password when there is evidence of compromise rather than on a
fixed schedule, because forced rotation pushes users toward predictable variations of the old password.
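Password storage and the policy check from the list above, as an added example in Python that is not code from the slides. It uses PBKDF2-HMAC-SHA256 from the standard library with a random salt and a constant-time comparison; the iteration count follows OWASP's current recommendation, and the breached-password set is a constructed stand-in for a real breach corpus.

```python
"""Added example (not code from the slides): password storage with a salted,
slow key-derivation function and a verifier that compares in constant time,
plus a policy check of the kind the slide describes.  BREACHED is a
constructed stand-in for a real breach corpus."""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000          # OWASP guidance for PBKDF2-HMAC-SHA256 at time of writing
BREACHED = {"password", "Password1!", "Welcome123", "qwerty123"}   # constructed


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$hash' so the parameters travel
    with the verifier and can be raised later without breaking old records."""
    salt = secrets.token_bytes(16)                       # fresh per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare without early exit."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations), dklen=32
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def password_problems(password: str, min_length: int = 12) -> list:
    """Policy check: length, three of four character classes, not known-breached.
    Returns an empty list when the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() and not c.isspace() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if password in BREACHED:
        problems.append("appears in a breach list")
    return problems


if __name__ == "__main__":
    record = hash_password("correct horse battery staple 9!")
    print(record)
    print(verify_password("correct horse battery staple 9!", record))   # True
    print(password_problems("Password1!"))
```

Two things to notice: the same password hashed twice yields two different records because the salt is random, which defeats precomputed tables, and the iteration count lives in the record, so it can be raised for new passwords without invalidating old ones.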
Access control
Access control is a security mechanism that regulates who or what can view or use resources in a computing environment. It
ensures that only authorized users or systems can access specific data, applications, networks, or physical spaces.

Types of Access Control

1.Discretionary Access Control (DAC) – The owner of the resource decides who gets access. Example: File permissions in
Windows/Linux.

2.Mandatory Access Control (MAC) – Access is controlled by a central authority based on security classifications. Example:
Military systems.

3.Role-Based Access Control (RBAC) – Access is granted based on roles assigned to users. Example: A database admin has
more privileges than a regular user.

4.Attribute-Based Access Control (ABAC) – Access decisions are based on attributes of the user, the resource and the
environment. Example: a system allowing access only from the office IP range during business hours.
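The four models above answering the same question ("may this user perform this action on this resource?"), as an added example in Python that is not part of the original slides. The users, roles, labels, ACLs and the office address range 10.0.0.0/8 are constructed for the example; the MAC rule follows the Bell-LaPadula "no read-up, no write-down" convention.

```python
"""Added example, not part of the slides: one access request evaluated under
DAC, MAC, RBAC and ABAC.  All users, resources, labels and the network
context are constructed for the example."""
import ipaddress
from datetime import datetime

LEVELS = ["public", "confidential", "secret"]           # MAC lattice, low to high
ROLE_PERMS = {"dba": {"read", "write", "admin"}, "analyst": {"read"}}
USERS = {
    "alice": {"roles": {"dba"}, "dept": "it", "clearance": "secret"},
    "bob": {"roles": {"analyst"}, "dept": "finance", "clearance": "confidential"},
    "eve": {"roles": set(), "dept": "sales", "clearance": "public"},
}
RESOURCES = {
    "prod_db": {"owner": "alice", "acl": {"bob": {"read"}}, "label": "secret", "dept": "it"},
    "q3_report": {"owner": "bob", "acl": {}, "label": "confidential", "dept": "finance"},
}
OFFICE_NET = ipaddress.ip_network("10.0.0.0/8")          # assumed office range


def dac_allows(user, action, res) -> bool:
    """DAC: the owner has every right and hands out others through the ACL."""
    r = RESOURCES[res]
    return user == r["owner"] or action in r["acl"].get(user, set())


def mac_allows(user, action, res) -> bool:
    """MAC (Bell-LaPadula): no read-up, no write-down; labels are set centrally,
    so even the owner cannot override them."""
    clearance = LEVELS.index(USERS[user]["clearance"])
    label = LEVELS.index(RESOURCES[res]["label"])
    return clearance >= label if action == "read" else clearance <= label


def rbac_allows(user, action, res) -> bool:
    """RBAC: rights attach to roles, never to the user directly."""
    return any(action in ROLE_PERMS.get(role, set()) for role in USERS[user]["roles"])


def abac_allows(user, action, res, ctx) -> bool:
    """ABAC: subject, object and environment attributes evaluated together:
    same department, from the office network, during business hours."""
    same_dept = USERS[user]["dept"] == RESOURCES[res]["dept"]
    in_office = ipaddress.ip_address(ctx["src_ip"]) in OFFICE_NET
    business_hours = 8 <= ctx["time"].hour < 18
    return same_dept and in_office and business_hours


def decide(user, action, res, ctx) -> dict:
    return {
        "DAC": dac_allows(user, action, res),
        "MAC": mac_allows(user, action, res),
        "RBAC": rbac_allows(user, action, res),
        "ABAC": abac_allows(user, action, res, ctx),
    }


def demo() -> dict:
    office = {"src_ip": "10.0.3.4", "time": datetime(2024, 3, 5, 10, 0)}      # constructed
    home_night = {"src_ip": "203.0.113.7", "time": datetime(2024, 3, 5, 22, 30)}
    return {
        "bob reads prod_db from office": decide("bob", "read", "prod_db", office),
        "alice writes prod_db from home": decide("alice", "write", "prod_db", home_night),
        "eve reads q3_report from office": decide("eve", "read", "q3_report", office),
    }


if __name__ == "__main__":
    for request, verdicts in demo().items():
        print(request, verdicts)
```

The first case shows why the models are not interchangeable: Alice, as owner, has granted Bob read access (DAC says yes) and Bob's analyst role carries "read" (RBAC says yes), yet the central label says a confidential-cleared user may not read a secret object (MAC says no), and ABAC refuses because Bob is not in the owning department.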
Objectives of Access Control
Access control aims to protect resources from unauthorized access and misuse. The key objectives include:

1.Confidentiality – Ensures that sensitive data and resources are accessible only to authorized users.

2.Integrity – Prevents unauthorized modification or tampering with data.

3.Availability – Ensures that authorized users can access resources when needed.

4.Identification & Authentication – Verifies the identity of users before granting access.

5.Authorization – Grants permissions based on user roles, attributes, or security policies.

6.Accountability & Auditability – Tracks user activities and access attempts for monitoring and compliance.

7.Least Privilege Enforcement – Restricts access to the minimum required for users to perform their tasks.
Intrusion Detection System (IDS)

An Intrusion Detection System (IDS) is a security mechanism designed to detect unauthorized access, malicious activities, or
policy violations within a network or system.

It monitors and analyzes network traffic or system behavior, compares it with known threat signatures and with what is
normal for that environment, and sends alerts to IT and security teams when it detects a security risk. An IDS detects
and reports; it does not block. An inline device that also blocks is an intrusion prevention system (IPS).
Firewall vs. IDS

Firewall: hardware and/or software that functions in a networked environment to block unauthorized access while
permitting authorized communications.
IDS: a software or hardware device installed on the network (NIDS) or on a host (HIDS) to detect and report intrusion
attempts.

Firewall: can block unauthorized access to the network (a watchman standing at the gate can stop a thief).
IDS: can only report an intrusion; it cannot block it (a CCTV camera can alert about a thief but cannot stop him).

Firewall: cannot detect security breaches in traffic that does not pass through it (the gateman watches only the front
gate; he is not aware of wall-jumpers).
IDS: collects information from many system and network sources (hosts, internal segments), so it can see activity that
never crosses the perimeter.

Firewall: a packet filter does not inspect the content of permitted traffic (the gateman never suspects an employee of
the company); only an application-level gateway looks at payloads.
IDS: inspects the content and behavior of the traffic and hosts it monitors across the whole network.

Firewall: enforces its rules automatically; nobody has to act on each decision (though the rule set itself still needs
administration).
IDS: an administrator is needed to triage and respond to the alerts it raises.

Firewall: the most visible part of the network to an outsider, hence the first thing to be attacked (the gateman will be
the first person attacked by a thief!).
IDS: hard to spot in a network, especially in stealth mode, where the monitoring interface has no IP address and only
listens.
Types of Intrusion Detection Systems (IDS) :

1. Network-based Intrusion Detection System (NIDS)

Definition:
A Network-based IDS (NIDS) monitors and analyzes network traffic in real time to detect malicious activity. It
inspects packet flows and matches them against known attack signatures or anomalous behavior patterns.

How It Works:
Placed at critical points in the network, such as between a firewall and internal systems, usually fed a copy of the
traffic from a switch SPAN (mirror) port or a network tap so that it does not sit in the forwarding path.

Examines network packets using deep packet inspection (DPI).

Uses signature-based detection (matching known attack patterns) and anomaly-based detection (identifying
deviations from normal traffic patterns).

Generates alerts when it detects suspicious activity.


2. Host-based Intrusion Detection System (HIDS)

Definition:
A Host-based IDS (HIDS) is installed on individual devices (hosts) to monitor and analyze system activity, including file
integrity, system logs, and process behavior.

How It Works:
•Installed on endpoints such as servers, desktops, or critical infrastructure devices.

•Monitors system logs, file integrity, running processes, and kernel activities.

•Uses signature-based detection to detect malware and behavior-based analysis to identify unusual system behavior.

•Provides alerts or logs incidents for security teams to investigate.


3. Hybrid Intrusion Detection System (Hybrid IDS)

Definition:

A Hybrid IDS combines both Network-based IDS (NIDS) and Host-based IDS (HIDS) to provide comprehensive security by
monitoring both network traffic and host activity.

How It Works:

•Deploys NIDS to inspect network traffic for suspicious activity.

•Uses HIDS on critical endpoints to monitor system logs, file integrity, and user activity.

•Correlates data from both NIDS and HIDS for improved threat detection and reduced false positives.
Detection Methods in Intrusion Detection Systems (IDS)

Anomaly-based Detection

Definition:

Anomaly-based detection (or behavior-based detection) uses statistical models, machine learning, or artificial intelligence to
identify deviations from normal system or network behavior.

How It Works:

IDS learns normal behavior by analyzing historical data.

When a significant deviation occurs, it triggers an alert.

This method does not rely on predefined attack patterns but instead flags any unusual behavior.

Example:

A normal user logs in from the same IP address daily. Suddenly, an attempt is made from a foreign country at 3 AM →
Anomaly detected!
A web server usually handles 50 requests per second. Suddenly, it receives 10,000 requests per second → Possible DDoS
attack detected.

Signature-based Detection

Definition:
Signature-based detection (also called pattern-matching detection) compares network traffic, system activity, or log data
against a database of known attack signatures (predefined patterns of malicious behavior). If a match is found, an alert is
triggered.

How It Works:

Security researchers collect and store attack patterns (signatures) in a database.

IDS scans incoming data and compares it to stored attack signatures.

If a match is found, the IDS raises an alert.

Example:

A SQL injection attack follows a predictable pattern (e.g., ' OR 1=1 -- inside a request parameter). If an IDS sees
such a string in a request, it flags it as an attack.
A malware infection may involve a known sequence of system calls or a known file hash. If detected, the IDS alerts
administrators.
Heuristic-based Detection

Definition:
Heuristic-based detection uses rule-based algorithms to identify suspicious behavior that deviates from normal patterns. It
is similar to anomaly detection but relies on predefined rules rather than learning from data.

How It Works:

•Security experts create rules that define suspicious behavior.

•The IDS compares observed activities against these rules.

•If an activity matches a rule, an alert is triggered.

Example:

•Rule 1: If a single user account fails to log in 10 times in 5 minutes, raise an alert → Possible brute-force attack.

•Rule 2: If a process modifies system files without user authorization → Possible rootkit attack.
Misuse-based Detection

Definition:
Misuse-based detection focuses on detecting known attack patterns and system misuse behaviors. It is a combination of
signature-based detection and rule-based heuristics.

How It Works:

•IDS maintains a database of known attack patterns and misuse rules.

•It monitors system activity and compares it with predefined misuse patterns.

•If a match is found, an alert is raised.

Example:

•An employee accessing restricted files repeatedly without permission → Possible insider threat.

•A hacker trying to exploit an old vulnerability in a web application → IDS flags it as an attack.
