5 CSF

The document discusses the importance of firewalls and Intrusion Prevention Systems (IPS) in network security, detailing their functions, roles, positions, advantages, and limitations. It outlines various types of firewalls, including packet filtering, stateful inspection, application-level gateways, and circuit-level gateways, along with their characteristics and access policies. Additionally, it emphasizes the need for firewalls in modern organizations due to the necessity of internet connectivity and the evolution of information systems.

UNIT V

INTRUSION PREVENTION

Firewalls and Intrusion Prevention Systems: Need for Firewalls – Firewall Characteristics and Access
Policy – Types of Firewalls – Firewall Basing – Firewall Location and Configurations – Intrusion
Prevention Systems – Example Unified Threat Management Products.

5.1 FIREWALLS AND INTRUSION PREVENTION SYSTEMS

Firewalls can be an effective means of protecting a local system or network of systems from network-
based security threats while at the same time affording access to the outside world via wide area
networks and the Internet.

1. Firewalls

Function
Firewalls control network traffic by filtering incoming and outgoing packets based on rulesets. These
rules often involve IP addresses, ports, protocols, and applications.

Role
They act as a gatekeeper, preventing unauthorized access to the network and protecting it from
external threats.

Position
Typically placed at the network's perimeter, acting as the first line of defense.

Limitations
While effective at blocking known threats, firewalls may not be able to detect sophisticated attacks that
exploit vulnerabilities or come from inside the network.

2. Intrusion Prevention Systems (IPS)

Function
IPSs monitor network traffic in real-time, analyzing packets for malicious patterns and behaviors.

Role
They detect and prevent attacks by actively blocking or dropping suspicious traffic.

Position
Can be placed behind the firewall, acting as a second line of defense.

Advantages
IPSs can identify and block a wider range of threats, including those that might bypass a firewall, and
they can also adapt to new threats through signature updates and anomaly detection.

Limitations
IPSs can generate false positives, requiring careful configuration and tuning to minimize disruptions.

Key differences between firewalls and intrusion prevention systems

Feature    | Firewall                                  | IPS
Function   | Traffic control and filtering             | Threat detection and prevention
Action     | Blocks or allows traffic based on rules   | Blocks, drops, or alerts on suspicious traffic
Position   | Usually at the network perimeter          | Often behind the firewall
Focus      | Preventing unauthorized access            | Identifying and blocking malicious activity

5.2 NEED FOR FIREWALLS

Information systems in corporations, government agencies, and other organizations have undergone a
steady evolution. The following are notable developments:

• Centralized data processing system, with a central mainframe supporting a number of directly
connected terminals.

• Local area networks (LANs) interconnecting PCs and terminals to each other and the
mainframe.

• Premises network, consisting of a number of LANs, interconnecting PCs, servers, and perhaps
a mainframe or two.

• Enterprise-wide network, consisting of multiple, geographically distributed premises networks
interconnected by a private wide area network (WAN).

• Internet connectivity, in which the various premises networks all hook into the Internet and may
or may not also be connected by a private WAN.

Internet connectivity is no longer optional for organizations. The information and services available are
essential to the organization. Moreover, individual users within the organization want and need Internet
access, and if this is not provided via their LAN, they could use a wireless broadband capability from
their PC to an Internet service provider (ISP). The firewall, then, provides an additional layer of
defense, insulating the internal systems from external networks. This follows the classic military
doctrine of “defense in depth,” which is just as applicable to IT security.

5.3 FIREWALL CHARACTERISTICS AND ACCESS POLICY

Design goals for a firewall

1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by
physically blocking all access to the local network except via the firewall. Various configurations are
possible, as explained later in this chapter.

2. Only authorized traffic, as defined by the local security policy, will be allowed to pass. Various
types of firewalls are used, which implement various types of security policies, as explained later in this
chapter.

3. The firewall itself is immune to penetration. This implies the use of a hardened system with a
secured operating system. Trusted computer systems are suitable for hosting a firewall and often
required in government applications.

The main characteristics of firewalls revolve around their ability to filter and control network traffic
based on predefined security rules. They act as a barrier between a trusted internal network and an
untrusted external network, like the internet, to prevent unauthorized access and protect against
cyberattacks and data breaches.

Here are some key characteristics of firewalls:

• Traffic filtering: Firewalls examine incoming and outgoing network traffic and decide whether to
allow or block it based on predefined rules. These rules can consider factors like source and
destination IP addresses, port numbers, protocols, and the content of the data packets.

• Access control: Firewalls regulate which applications, services, and devices can access the
network, protecting sensitive resources. This allows organizations to define granular access
policies.

• Threat prevention: Many firewalls can detect and prevent various threats, including viruses,
malware, and suspicious behaviour. They can identify and block malicious traffic before it can
infiltrate the network.

• Network Address Translation (NAT): Firewalls can hide or translate internal client or server IP
addresses to a public IP address, protecting the private network from direct exposure to external
threats.

• Logging and monitoring: Firewalls record events and network activity, which administrators can use
to identify patterns, improve rule sets, and respond to threats.

• Various protection levels: Firewalls offer different levels of protection, depending on the type and
configuration. For instance, packet-filtering firewalls primarily focus on basic packet analysis, while
stateful inspection firewalls track the state of connections for more context-aware
filtering. Application-level gateways delve deeper into inspecting the actual content of data being
transmitted.

• Flexibility and scalability: Firewalls can be configured to adapt to the specific requirements of
different networks and systems. They can also be scaled to accommodate increasing network
traffic and evolving security needs.

• User identification and access management: Next-generation firewalls (NGFWs) can implement
security policies based on user identity, enabling more granular access control and consistent
security protocols regardless of user location or device.

• Cloud integration: Modern firewalls integrate with cloud environments, offering comprehensive
security for cloud applications and workloads.

• Advanced threat defence: NGFWs incorporate advanced features like deep packet inspection,
intrusion prevention systems (IPS), application awareness, and threat intelligence to combat
sophisticated threats.

• Task automation and threat prioritization: Firewalls can automate workflows and security tasks,
improving efficiency and enabling faster responses to critical threats.

Access policy

Firewall access policies are the set of rules that dictate how a firewall handles incoming and outgoing
network traffic. They define which connections are allowed and which are blocked, based on factors
such as:

• Source and Destination IP Addresses: Determining the origin and destination of network traffic.

• Ports: Identifying the specific application or service using the connection.

• Protocols: Specifying the communication protocol (e.g., TCP, UDP, ICMP).

• Applications: Controlling access based on the specific application (e.g., web browser, email client)
trying to access resources.

• User Identity or Group: Granting or denying access based on individual user accounts or groups,
implementing the principle of least privilege.

5.4 TYPES OF FIREWALLS

A firewall can monitor network traffic at a number of levels, from low-level network packets, either
individually or as part of a flow, to all traffic within a transport connection, up to inspecting details of
application protocols. The choice of which level is appropriate is determined by the desired firewall
access policy.

Fig 5.1 Types of Firewall

It can operate as a positive filter, allowing only packets that meet specific criteria to pass, or as a
negative filter, rejecting any packet that meets certain criteria. The criteria implement the access policy
for the firewall, which we discussed in the previous section. Depending on the type of firewall, it may
examine one or more protocol headers in each packet, the payload of each packet, or the pattern
generated by a sequence of packets. In this section, we look at the principal types of firewalls.

1. Packet Filtering Firewall
2. Stateful Inspection Firewalls
3. Application-Level Gateway
4. Circuit-Level Gateway

Packet Filtering Firewall
A packet filtering firewall controls network access by monitoring outgoing and incoming packets and
allowing or stopping them based on source and destination IP address, protocol, and ports.
It analyses traffic at the transport layer, but mainly uses information from the first three OSI layers.
Packet filters treat each packet in isolation: they have no ability to tell whether a packet is part of an
existing stream of traffic, so they can only allow or deny a packet on the basis of its own headers.
A packet filtering firewall maintains a filtering table that decides whether each packet will be
forwarded or discarded.
Given the filtering table, packets are filtered according to the following rules:

Fig 5.2 Packet Filtering Firewall

Incoming packets from network 192.168.21.0 are blocked.
Incoming packets destined for the internal TELNET server (port 23) are blocked.
Incoming packets destined for host 192.168.21.3 are blocked.
All well-known services to the network 192.168.21.0 are allowed.
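The following Python model is an added example, not code from the original text, that evaluates the four rules above as a first-match filtering table against constructed packets. The /24 mask for network 192.168.21.0, "well-known services" meaning ports 1-1023, the rule permitting outbound traffic and the final default-deny rule are assumptions, and the Packet and Rule types are made up for this illustration. It also shows why the first rule matters: a packet arriving from outside that claims an internal source address must be spoofed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: the only header fields a stateless filter looks at."""
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # destination port (0 for ICMP)
    direction: str  # "in" = arriving from outside, "out" = leaving the protected LAN


@dataclass(frozen=True)
class Rule:
    """One row of the filtering table. A None field means 'match anything'."""
    action: str                         # "allow" or "deny"
    direction: str = "any"
    src_net: Optional[str] = None       # CIDR the source address must fall in
    dst_net: Optional[str] = None       # CIDR the destination address must fall in
    dst_port: Optional[int] = None      # exact destination port
    dst_port_max: Optional[int] = None  # destination port must be in 1..dst_port_max
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "any" and pkt.direction != self.direction:
            return False
        if self.src_net and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.dst_port is not None and pkt.dport != self.dst_port:
            return False
        if self.dst_port_max is not None and not 0 < pkt.dport <= self.dst_port_max:
            return False
        return True


# The four rules from the text, in order: rules are tried top-down and the first match
# decides. Assumptions: internal network 192.168.21.0/24, well-known services = ports
# 1-1023, outbound traffic permitted, everything else denied.
FILTER_TABLE: List[Rule] = [
    # An inbound packet claiming an internal source address is spoofed.
    Rule("deny", "in", src_net="192.168.21.0/24",
         comment="incoming packets from network 192.168.21.0 are blocked"),
    Rule("deny", "in", dst_port=23,
         comment="incoming packets to the internal TELNET server are blocked"),
    Rule("deny", "in", dst_net="192.168.21.3/32",
         comment="incoming packets to host 192.168.21.3 are blocked"),
    Rule("allow", "in", dst_net="192.168.21.0/24", dst_port_max=1023,
         comment="well-known services on network 192.168.21.0 are allowed"),
    Rule("allow", "out", comment="assumed: outbound traffic is permitted"),
    Rule("deny", comment="default deny"),
]


def filter_packet(pkt: Packet, table: List[Rule] = FILTER_TABLE) -> Tuple[str, str]:
    """Return (action, reason) for a single packet, judged in isolation."""
    for rule in table:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "no rule matched"


# Constructed sample traffic as seen at the external interface.
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "192.168.21.10", "tcp", 80, "in"),     # web request: allowed
    Packet("192.168.21.7", "192.168.21.10", "tcp", 80, "in"),    # spoofed internal source
    Packet("203.0.113.5", "192.168.21.10", "tcp", 23, "in"),     # telnet: blocked
    Packet("203.0.113.5", "192.168.21.3", "tcp", 80, "in"),      # protected host: blocked
    Packet("203.0.113.5", "192.168.21.10", "tcp", 8080, "in"),   # not well-known: default deny
    Packet("192.168.21.10", "203.0.113.5", "tcp", 443, "out"),   # outbound: allowed
]


def filter_all(packets: List[Packet]) -> List[str]:
    """Actions for a list of packets, in order."""
    return [filter_packet(p)[0] for p in packets]


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        action, why = filter_packet(pkt)
        print(f"{action:5} {pkt.src:>14} -> {pkt.dst}:{pkt.dport} ({why})")
```

Note that the table has no way to recognise that the 8080 reply to a connection an internal host opened belongs to an existing session; every packet is judged on its own headers, which is exactly the limitation the next section addresses.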
Advantages
• A single device can filter traffic for the entire network.

• Extremely fast and efficient in scanning traffic.

• Inexpensive.

• Minimal effect on other resources, network performance and end-user experience.

Disadvantages
• Because traffic filtering is based entirely on IP address or port information, packet filtering lacks
broader context that informs other types of firewalls.
• Doesn't check the payload and can be easily spoofed.

• Not an ideal option for every network.

• Access control lists can be difficult to set up and manage.

Stateful Inspection Firewalls

Stateful firewalls (which perform stateful packet inspection) are able to determine the connection state
of a packet, unlike packet filtering firewalls, which makes them more efficient.

A stateful firewall keeps track of the state of network connections travelling across it, such as TCP
streams.

So the filtering decisions are based not only on the defined rules, but also on the packet's history in the
state table.
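The following Python model is an added example, not code from the original text, of the state table a stateful firewall keeps. It records TCP connections opened from inside the LAN and admits inbound packets only when they match an existing entry. The TcpPacket type, the policy that only internal hosts may open connections, and the simplified SYN_SENT / ESTABLISHED / CLOSING state machine are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class TcpPacket:
    """Constructed TCP packet summary with the fields a state table is keyed on."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}
    direction: str          # "out" = leaving the protected LAN, "in" = arriving from outside


ConnKey = Tuple[str, int, str, int]   # (initiator ip, initiator port, responder ip, responder port)


class StatefulFirewall:
    """Admits inbound packets only when they belong to a connection opened from inside.

    Policy assumption for this example: new TCP connections may only be initiated by
    internal hosts; everything arriving from outside must match an existing entry.
    """

    def __init__(self) -> None:
        self.table: Dict[ConnKey, str] = {}

    @staticmethod
    def _forward(pkt: TcpPacket) -> ConnKey:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse(pkt: TcpPacket) -> ConnKey:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt: TcpPacket) -> str:
        fwd, rev = self._forward(pkt), self._reverse(pkt)

        # A bare SYN leaving the LAN opens a new entry in the state table.
        if pkt.direction == "out" and pkt.flags == {"SYN"} and fwd not in self.table:
            self.table[fwd] = "SYN_SENT"
            return "allow"

        # Otherwise the packet must match an entry in either direction.
        if fwd in self.table:
            key = fwd
        elif rev in self.table:
            key = rev
        else:
            return "drop"   # unsolicited: no history, even if the ACK bit happens to be set

        state = self.table[key]
        if "RST" in pkt.flags:
            del self.table[key]                     # abort tears the entry down immediately
        elif "FIN" in pkt.flags:
            if state == "CLOSING":
                del self.table[key]                 # second FIN completes the close
            else:
                self.table[key] = "CLOSING"
        elif state == "SYN_SENT" and key == rev and pkt.flags == {"SYN", "ACK"}:
            self.table[key] = "ESTABLISHED"         # responder accepted the handshake
        return "allow"

    def run(self, packets: List[TcpPacket]) -> List[str]:
        return [self.process(p) for p in packets]


F = frozenset
# Constructed packet sequence: a normal client connection from the LAN to an outside
# web server, interleaved with two inbound packets that no internal host asked for.
SAMPLE_STREAM = [
    TcpPacket("192.168.21.10", 40001, "203.0.113.5", 80, F({"SYN"}), "out"),
    TcpPacket("203.0.113.5", 80, "192.168.21.10", 40001, F({"SYN", "ACK"}), "in"),
    TcpPacket("192.168.21.10", 40001, "203.0.113.5", 80, F({"ACK"}), "out"),
    TcpPacket("203.0.113.5", 80, "192.168.21.10", 40001, F({"ACK"}), "in"),       # reply data
    TcpPacket("203.0.113.9", 80, "192.168.21.10", 40002, F({"ACK"}), "in"),       # ACK set, no state
    TcpPacket("198.51.100.7", 51000, "192.168.21.10", 23, F({"SYN"}), "in"),      # unsolicited SYN
    TcpPacket("192.168.21.10", 40001, "203.0.113.5", 80, F({"FIN", "ACK"}), "out"),
    TcpPacket("203.0.113.5", 80, "192.168.21.10", 40001, F({"FIN", "ACK"}), "in"),
]


def demo() -> Tuple[List[str], int]:
    """Verdict per packet, plus the number of entries left once the connection has closed."""
    fw = StatefulFirewall()
    decisions = fw.run(SAMPLE_STREAM)
    return decisions, len(fw.table)


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_STREAM, demo()[0]):
        print(f"{verdict:5} {pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {sorted(pkt.flags)}")
```

The fifth packet is the instructive one: a stateless filter that admits inbound packets "with the ACK bit set" as established traffic would pass it, while the state table rejects it because no internal host ever opened that connection.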

Fig 5.3 Stateful Inspection Firewalls

Advantages

• Monitors the entire session for the state of the connection, while also checking IP addresses and
payloads for more thorough security.

• Offers a high degree of control over what content is let in or out of the network.

• Does not need to open numerous ports to allow traffic in or out.

• Delivers substantive logging capabilities.

Disadvantages

• Resource-intensive and interferes with the speed of network communications.

• More expensive than other firewall options.

• Doesn't provide authentication capabilities to validate that traffic sources aren't spoofed.

Application-Level Gateway

An application layer firewall can inspect and filter packets at any OSI layer, up to the application layer.
It has the ability to block specific content and to recognize when certain applications and protocols
(such as HTTP and FTP) are being misused. In other words, application layer firewalls are hosts that run
proxy servers. A proxy firewall prevents any direct connection between the two sides of the firewall;
every packet has to pass through the proxy.

Advantages

• Examines all communications between outside sources and devices behind the firewall, checking
not just address, port and TCP header information, but the content itself before it lets any traffic
pass through the proxy.

• Provides fine-grained security controls that can, for example, allow access to a website but restrict
which pages on that site the user can open.

• Protects user anonymity.

Disadvantages

• Can inhibit network performance.

• Costlier than some other firewall options.

• Requires a high degree of effort to derive the maximum benefit from the gateway.

• Doesn't work with all network protocols.

Circuit-Level Gateway

This works at the session layer of the OSI model. It allows two Transmission Control Protocol (TCP)
connections to be set up simultaneously. It can allow data packets to flow without using much
computing power. These firewalls are ineffective in that they do not inspect data packets; if malware is
present in a data packet, they will permit it to pass provided that the TCP connections are established
properly.

5.5 FIREWALL BASING

"Firewall Basing" refers to the strategies and considerations involved in deploying and configuring
firewalls within a network's security architecture. A key concept related to firewall basing is the bastion
host.

A bastion host is a specially hardened computer system designed to withstand attacks. It acts as a
critical strong point in the network's security, often serving as a platform for application-level or
circuit-level gateways (like proxy servers). These hosts are typically placed either on the outside of a firewall
or within a demilitarized zone (DMZ), and they are configured with minimal services to reduce their
attack surface. Their primary purpose is to control and monitor secure access to internal networks from
untrusted external networks, such as the internet.

Here are some key characteristics and aspects of firewall basing, especially concerning bastion hosts:

Hardened Systems: Bastion hosts run secure versions of their operating systems, with only essential
services installed (e.g., proxy applications for DNS, FTP, HTTP, SMTP). This minimizes vulnerabilities.

Layered Security: Firewalls and bastion hosts work together to create a layered defense system.
While firewalls block unwanted traffic based on rules, bastion hosts provide controlled and
authenticated access for authorized users.

Placement: Bastion hosts can be placed in various configurations:

o Single-Bastion Inline: A single fortified server sits between untrusted networks (like the
internet) and internal assets.

o Dual-Bastion Inline: Two bastion hosts are used, with the first facing the internet for basic
security tasks (like packet inspection and firewall filtering), and the second facing internal
network devices.

o Within a DMZ: Bastion hosts are commonly located in a DMZ, which is a segment of
the network that acts as a buffer zone between the internal trusted network and the
external untrusted network.

Access Control: Bastion hosts enforce strict access control policies, often requiring multiple
authentication factors and checking user credentials against secure directories. They frequently act as
secure proxy gateways for SSH (Secure Shell) or RDP (Remote Desktop Protocol) connections,
encrypting data passing through.

Logging and Monitoring: Every action on a bastion host is meticulously logged and monitored for
suspicious activity, enabling security teams to identify and respond to potential threats quickly.

Purpose: Bastion hosts are used for:

o Secure remote access for administrators (often as "jump servers").

o Authentication gateways.

o Alternatives to VPNs for specific access control.

o Secure file transfers.

o Intrusion detection.

Firewall basing involves strategically deploying firewalls and specialized systems like bastion hosts to
create robust security perimeters, control network traffic, and provide secure access points while
minimizing the risk of unauthorized intrusions.

5.6 FIREWALL LOCATION AND CONFIGURATIONS

A firewall is positioned to provide a protective barrier between an external (potentially
untrusted) source of traffic and an internal network. With that general principle in mind, a
security administrator must decide on the location and on the number of firewalls needed. In
this section, we look at some common options.

DMZ Networks
An external firewall is placed at the edge of a local or enterprise network, just inside the boundary
router that connects to the Internet or some wide area network (WAN). One or more internal firewalls
protect the bulk of the enterprise network. Between these two types of firewalls are one or more
networked devices in a region referred to as a DMZ (demilitarized zone) network. Systems that are
externally accessible but need some protections are usually located on DMZ networks. Typically, the
systems in the DMZ require or foster external connectivity, such as a corporate Web site, an e-mail
server, or a DNS (domain name system) server.
The external firewall provides a measure of access control and protection for the DMZ systems
consistent with their need for external connectivity. The external firewall also provides a basic level of
protection for the remainder of the enterprise network.
In this type of configuration, internal firewalls serve three purposes:

1. The internal firewall adds more stringent filtering capability, compared to the external firewall, in
order to protect enterprise servers and workstations from external attack.

2. The internal firewall provides two-way protection with respect to the DMZ. First, the internal firewall
protects the remainder of the network from attacks launched from DMZ systems. Such attacks might
originate from worms, rootkits, bots, or other malware lodged in a DMZ system. Second, an internal
firewall can protect the DMZ systems from attack from the internal protected network.

3. Multiple internal firewalls can be used to protect portions of the internal network from each other.
Fig 5.4 shows a configuration in which the internal servers are protected from internal workstations
and vice versa. It also illustrates the common practice of placing the DMZ on a different network
interface on the external firewall from that used to access the internal networks.

Fig 5.4 Example of Firewall Configuration

Virtual Private Networks

In today's distributed computing environment, the virtual private network (VPN) offers an attractive
solution to network managers. In essence, a VPN consists of a set of computers that
interconnect by means of a relatively unsecure network and that make use of encryption and special
protocols to provide security.

Fig 5.5 A VPN Security Scenario

This is a typical scenario of IPSec usage. An organization maintains LANs at dispersed locations.
Nonsecure IP traffic is used on each LAN. For traffic off site, through some sort of private or public
WAN, IPSec protocols are used. These protocols operate in networking devices, such as a router or
firewall, that connect each LAN to the outside world. The IPSec networking device will typically encrypt
and compress all traffic going into the WAN and decrypt and uncompress traffic coming from the WAN;
authentication may also be provided. These operations are transparent to workstations and servers
on the LAN. Secure transmission is also possible with individual users who dial into the WAN. Such
user workstations must implement the IPSec protocols to provide security. They must also implement
high levels of host security, as they are directly connected to the wider Internet. This makes them an
attractive target for attackers attempting to access the corporate network.

Distributed Firewalls

A distributed firewall configuration involves stand-alone firewall devices plus host-based firewalls
working together under a central administrative control. Fig 5.6 suggests a distributed firewall
configuration. Administrators can configure host-resident firewalls on hundreds of servers and
workstations as well as configure personal firewalls on local and remote user systems.

Summary of Firewall Locations and Topologies

We can now summarize by defining a spectrum of firewall locations and topologies. The following
alternatives can be identified:

Host-resident firewall: This category includes personal firewall software and firewall software on
servers. Such firewalls can be used alone or as part of an in-depth firewall deployment.

Fig 5.6 Example Distributed Firewall Configuration
Screening router: A single router between internal and external networks with stateless or full packet
filtering. This arrangement is typical for small office/home office (SOHO) applications.

Single bastion inline: A single firewall device between an internal and external router. The firewall may
implement stateful filters and/or application proxies. This is the typical firewall appliance configuration
for small to medium-sized organizations.

Single bastion T: Similar to single bastion inline but has a third network interface on the bastion to a DMZ
where externally visible servers are placed. Again, this is a common appliance configuration for
medium to large organizations.

Double bastion inline: The figure illustrates this configuration, where the DMZ is sandwiched between
bastion firewalls. This configuration is common for large businesses and government organizations.

Double bastion T: The figure illustrates this configuration. The DMZ is on a separate network interface on
the bastion firewall. This configuration is also common for large businesses and government
organizations and may be required.

Distributed firewall configuration: This configuration is used by some large businesses and
government organizations.

5.7 INTRUSION PREVENTION SYSTEMS

Intrusion Prevention System is also known as Intrusion Detection and Prevention System. It is a
network security application that monitors network or system activities for malicious activity. Major
functions of intrusion prevention systems are to identify malicious activity, collect information about this
activity, report it and attempt to block or stop it.

Working of IPS

An IPS works by analyzing network traffic in real-time and comparing it against known attack patterns
and signatures. When the system detects suspicious traffic, it blocks it from entering the network.

Types of IPS

There are two main types of IPS:

1. Network-Based IPS: A Network-Based IPS is installed at the network perimeter and monitors all
traffic that enters and exits the network.

2. Host-Based IPS: A Host-Based IPS is installed on individual hosts and monitors the traffic that goes
in and out of that host.

Need for an IPS

An IPS is an essential tool for network security. Here are some reasons why:

Protection Against Known and Unknown Threats: An IPS can block known threats and also detect and
block unknown threats that haven't been seen before.

Real-Time Protection: An IPS can detect and block malicious traffic in real-time, preventing attacks
from doing any damage.

Compliance Requirements: Many industries have regulations that require the use of an IPS to protect
sensitive information and prevent data breaches.

Cost-Effective: An IPS is a cost-effective way to protect your network compared to the cost of dealing
with the aftermath of a security breach.

Increased Network Visibility: An IPS provides increased network visibility, allowing you to see what's
happening on your network and identify potential security risks.

Classification of Intrusion Prevention Systems (IPS): An Intrusion Prevention System (IPS) is classified
into four types:

1. Network-based intrusion prevention systems (NIPS)

A network-based intrusion prevention system (NIPS) monitors inbound and outbound traffic to devices
across the network, inspecting individual packets for suspicious activity. NIPS monitors are placed at
strategic points in the network. They often sit immediately behind firewalls at the network perimeter so
they can stop malicious traffic from breaking through. A NIPS may also be placed inside the network to
monitor traffic to and from key assets, like critical data centers or devices.

It is in essence an inline NIDS with the authority to modify or discard packets and tear down TCP
connections. As with a NIDS, a NIPS makes use of techniques such as signature/heuristic detection
and anomaly detection.

Among the techniques used in a NIPS but not commonly found in a firewall is flow data protection. This
requires that the application payload in a sequence of packets be reassembled. The IPS device applies
filters to the full content of the flow every time a new packet for the flow arrives. When a flow is
determined to be malicious, the latest and all subsequent packets belonging to the suspect flow are
dropped.

In terms of the general methods used by a NIPS device to identify malicious packets, the following are
typical:

Pattern matching: Scans incoming packets for specific byte sequences (the signature) stored in a
database of known attacks.

Stateful matching: Scans for attack signatures in the context of a traffic stream rather than individual
packets.

Protocol anomaly: Looks for deviation from standards set forth in RFCs.

Traffic anomaly: Watches for unusual traffic activities, such as a flood of UDP packets or a new service
appearing on the network.

Statistical anomaly: Develops baselines of normal traffic activity and throughput, and alerts on
deviations from those baselines.
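The following Python model is an added example, not code from the original text or any IPS product, that works through four of the methods just listed together with the flow data protection described above: per-packet pattern matching, stateful matching over a reassembled flow (with the flow dropped from the first flagged packet onwards), a UDP-flood traffic anomaly counter, and a statistical baseline of throughput samples. It also serves the signature-based and statistical anomaly-based detection methods described later in this section. The signature database, the marker string it contains, the flood threshold, the k-sigma rule and all packets are constructed for the illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet: flow identity plus application payload."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes


FlowKey = Tuple[str, str, str, int]

# Constructed signature database. The byte string is a made-up marker standing in
# for a real attack signature; the value is the alert name.
SIGNATURES: Dict[bytes, str] = {b"EVIL-MARKER-1": "constructed-test-signature"}


def flow_key(pkt: Packet) -> FlowKey:
    return (pkt.src, pkt.dst, pkt.proto, pkt.dport)


def per_packet_matches(pkt: Packet) -> List[str]:
    """Pattern matching: look for signatures inside one packet only."""
    return [name for sig, name in SIGNATURES.items() if sig in pkt.payload]


class NetworkIps:
    """Stateful matching with flow data protection: the payloads of a flow are reassembled
    and re-scanned on every new packet; once a flow is judged malicious, that packet and
    every later packet of the flow are dropped."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, bytes] = defaultdict(bytes)
        self.blocked: Set[FlowKey] = set()

    def inspect(self, pkt: Packet) -> Tuple[str, str]:
        key = flow_key(pkt)
        if key in self.blocked:
            return "drop", "flow already flagged"
        self.flows[key] += pkt.payload
        hits = [name for sig, name in SIGNATURES.items() if sig in self.flows[key]]
        if hits:
            self.blocked.add(key)
            return "drop", "stateful match: " + hits[0]
        return "forward", "clean"


def udp_flood_sources(packets: List[Packet], threshold: int) -> Dict[str, int]:
    """Traffic anomaly: sources that sent at least `threshold` UDP packets in the window."""
    counts = Counter(p.src for p in packets if p.proto == "udp")
    return {src: n for src, n in counts.items() if n >= threshold}


class StatisticalBaseline:
    """Statistical anomaly: alert when a throughput sample lies more than k standard
    deviations from the mean of the learned baseline."""

    def __init__(self, samples: List[float], k: float = 3.0) -> None:
        self.mu = mean(samples)
        self.sigma = pstdev(samples)
        self.k = k

    def is_anomalous(self, value: float) -> bool:
        if self.sigma == 0:                      # flat baseline: any change is a deviation
            return value != self.mu
        return abs(value - self.mu) > self.k * self.sigma


# Constructed flow in which the signature straddles a packet boundary, followed by a
# further packet of the same flow and an unrelated clean flow.
SPLIT_FLOW = [
    Packet("198.51.100.7", "192.168.21.10", "tcp", 80, b"GET /x?q=EVIL-MAR"),
    Packet("198.51.100.7", "192.168.21.10", "tcp", 80, b"KER-1 HTTP/1.1\r\n"),
    Packet("198.51.100.7", "192.168.21.10", "tcp", 80, b"Host: example\r\n\r\n"),
    Packet("203.0.113.5", "192.168.21.10", "tcp", 80, b"GET / HTTP/1.1\r\n\r\n"),
]


def compare_methods() -> Tuple[List[int], List[str]]:
    """Per-packet signature hits for each packet versus the verdicts of the flow-reassembling IPS."""
    ips = NetworkIps()
    return ([len(per_packet_matches(p)) for p in SPLIT_FLOW],
            [ips.inspect(p)[0] for p in SPLIT_FLOW])


if __name__ == "__main__":
    print(compare_methods())
    flood = [Packet("198.51.100.7", "192.168.21.10", "udp", 53, b"x")] * 6
    print(udp_flood_sources(flood + [Packet("203.0.113.5", "192.168.21.10", "udp", 53, b"x")], 5))
    base = StatisticalBaseline([100, 110, 95, 105, 90])
    print(base.is_anomalous(130), base.is_anomalous(115))
```

Per-packet matching never sees the marker because it is split across two packets; the reassembled flow catches it on the second packet, and the third packet of that flow is dropped without further inspection, which is the "latest and all subsequent packets" behaviour the text describes.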

1. The server forwards its information to a protected environment, where the potential malware may
be sandboxed for analysis and testing.

2. The protected system tests the suspicious software against an appropriately instrumented version
of the targeted application to identify the vulnerability.

3. The protected system generates one or more software patches and tests these.

4. If the patch is not susceptible to the infection and does not compromise the application’s
functionality, the system sends the patch to the application host to update the targeted
application.

2. Host-based intrusion prevention systems (HIPS)

A host-based intrusion prevention system (HIPS) is installed on a specific endpoint, like a laptop or
server, and monitors only traffic to and from that device. HIPS are usually used in conjunction with
NIPS to add extra security to vital assets. HIPS can also block malicious activity from a compromised
network node, like ransomware spreading from an infected device.

A host-based IPS (HIPS) can make use of either signature/heuristic or anomaly detection techniques to
identify attacks. In the former case, the focus is on the specific content of application network traffic, or
of sequences of system calls, looking for patterns that have been identified as malicious. In the case of
anomaly detection, the IPS is looking for behavior patterns that indicate malware. Examples of the
types of malicious behavior addressed by a HIPS include the following:

Modification of system resources: Rootkits, Trojan horses, and backdoors operate by changing system
resources, such as libraries, directories, registry settings, and user accounts.
Privilege-escalation exploits: These attacks attempt to give ordinary users root access.

Access to e-mail contact list: Many worms spread by mailing a copy of themselves to addresses in the
local system's e-mail address book.
Directory traversal: A directory traversal vulnerability in a Web server allows the hacker to access files
outside the range of what a server application user would normally need to access.

The following are areas for which a HIPS typically offers desktop protection:

• System calls
• File system access
• System registry settings
• Host input/output
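The following Python model is an added example, not code from the original text or any HIPS product, of behaviour rules of the kind a HIPS applies to host events: modification of protected system resources, a privilege-escalation attempt, and a directory traversal request reaching a web server. The HostEvent type, the protected path prefixes, the trusted package-manager processes, the document root and the whole event stream are constructed for this illustration; a real product would draw these from its policy and sensors.

```python
import posixpath
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import unquote


@dataclass(frozen=True)
class HostEvent:
    """Constructed host event as a HIPS sensor might report it."""
    pid: int
    uid: int            # uid of the calling process
    comm: str           # process name
    syscall: str        # "open", "setuid" or "http_request" (an application-level event)
    args: Tuple         # event-specific arguments


# Assumed system resources whose modification a HIPS would treat as suspicious.
PROTECTED_PREFIXES = ("/etc/", "/lib/", "/usr/lib/", "/boot/", "/usr/bin/")
# Assumed processes that are allowed to write there (package managers).
TRUSTED_WRITERS = {"dpkg", "apt", "rpm"}
WEBROOT = "/var/www/html"       # assumed document root of the protected web server


def is_directory_traversal(webroot: str, requested: str) -> bool:
    """True when the requested path, after decoding and normalisation, escapes the webroot."""
    decoded = unquote(unquote(requested))            # undo single and double URL encoding
    full = posixpath.normpath(posixpath.join(webroot, decoded.lstrip("/")))
    root = webroot.rstrip("/")
    return not (full == root or full.startswith(root + "/"))


def check_event(ev: HostEvent) -> List[str]:
    """Apply the HIPS behaviour rules to one event and return the alerts raised."""
    alerts: List[str] = []
    if ev.syscall == "open":
        path, mode = ev.args
        writing = any(c in mode for c in "wa+")
        if writing and path.startswith(PROTECTED_PREFIXES) and ev.comm not in TRUSTED_WRITERS:
            alerts.append(f"modification of system resource {path} by {ev.comm} (pid {ev.pid})")
    elif ev.syscall == "setuid":
        (target_uid,) = ev.args
        # Heuristic: an unprivileged process asking for uid 0. A deployed HIPS would also
        # exempt known setuid helpers; that policy detail is omitted here.
        if ev.uid != 0 and target_uid == 0:
            alerts.append(f"privilege escalation attempt: uid {ev.uid} -> 0 by {ev.comm} (pid {ev.pid})")
    elif ev.syscall == "http_request":
        (path,) = ev.args
        if is_directory_traversal(WEBROOT, path):
            alerts.append(f"directory traversal in request {path!r} handled by {ev.comm} (pid {ev.pid})")
    return alerts


# Constructed event stream: ordinary activity mixed with the behaviours the text lists.
SAMPLE_EVENTS = [
    HostEvent(1201, 1000, "editor", "open", ("/home/alice/notes.txt", "w")),
    HostEvent(1202, 1000, "editor", "open", ("/etc/ld.so.preload", "w")),
    HostEvent(1203, 0, "dpkg", "open", ("/usr/lib/libz.so.1", "w")),
    HostEvent(1204, 1000, "shell", "setuid", (0,)),
    HostEvent(1205, 33, "httpd", "http_request", ("/index.html",)),
    HostEvent(1206, 33, "httpd", "http_request", ("/images/../../../etc/passwd",)),
    HostEvent(1207, 33, "httpd", "http_request", ("/%252e%252e/%252e%252e/etc/shadow",)),
]


def scan(events: List[HostEvent]) -> List[Tuple[int, str]]:
    """Return (pid, alert) pairs for every alert raised over the event stream."""
    return [(ev.pid, a) for ev in events for a in check_event(ev)]


if __name__ == "__main__":
    for pid, alert in scan(SAMPLE_EVENTS):
        print(pid, alert)
```

The traversal check normalises the decoded path before comparing it with the document root, so both the plain and the double-encoded request are caught, while the package manager's write to /usr/lib and the user's write to their own home directory raise nothing.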

3. Network behavior analysis (NBA):
It examines network traffic to identify threats that generate unusual traffic flows, such as distributed
denial of service attacks, specific forms of malware and policy violations.

4. Host-based intrusion prevention system (HIPS):
It is a software package installed on a single host that watches for suspicious activity by scanning
events that occur within that host.

Detection Method of Intrusion Prevention System (IPS):

Signature-based detection:
A signature-based IDS examines packets in the network and compares them with pre-built,
predetermined attack patterns known as signatures.

Statistical anomaly-based detection:
An anomaly-based IDS monitors network traffic and compares it against an established baseline. The
baseline identifies what is normal for that network and which protocols are used. However, it may
raise false alarms if the baselines are not intelligently configured.

Stateful protocol analysis detection:
This IDS method recognizes divergence from protocol standards by comparing observed events with
pre-built profiles of generally accepted definitions of benign activity.

5.8 EXAMPLE UNIFIED THREAT MANAGEMENT PRODUCTS

Unified Threat Management (UTM) is an all-in-one security mechanism that integrates various features
and operations of security into one appliance. Composed of several security technologies, such as the
firewall, IDPS, antivirus/antimalware, content/spam filter, and VPN support, among others, UTM strives
to enhance the efficiency of managing security technologies.

Desired Features of a Unified Threat Manager

• Firewall: A firewall is required to filter the inbound and outbound traffic in the system based on the set
security parameters.

• Intrusion Detection and Prevention Systems (IDPS): monitor the traffic to the network to detect
suspicious behavior or threats potentially afoot and deal with interruptions.

• Antivirus and Antimalware: prevents viruses, worms, trojans, and other malware by detecting and
eliminating the malicious software.

• Content Filtering: Web and content filtering protect users from such things as obscene and risky
websites and material.

• Spam filtering: This technique identifies and removes spam emails, thereby reducing potential
phishing scams and strengthening email protection.

Benefits

Simplified Management: Security operations are easier to coordinate, monitor and track when they are
managed centrally.

Integrated Protection: Converged, all-in-one security covers multiple protection components, such as
intrusion prevention, firewalling, and antivirus, in a single appliance.

Decreased Complexity: Reduces the burden of managing multiple systems and streamlines security
processes.

Enhanced Visibility: Provides comprehensive analysis and detailed reports on the security status of the
network for better understanding.

Improved Security: Coordinates a single line of defence against many threats, including malware,
phishing, and unauthorized access.

| Feature | Next-Generation Firewalls (NGFWs) | Unified Threat Management (UTM) |
|---|---|---|
| Primary Focus | Advanced threat prevention and control | Comprehensive, all-in-one security management |
| Threat Detection | Deep packet inspection, application awareness | Basic threat detection integrated with other features |
| Layer 7 Control | Detailed application-level control and visibility | Limited application control and visibility |
| Intrusion Prevention | Advanced intrusion prevention and detection | Integrated intrusion detection and prevention |
| Content Filtering | Detailed content filtering, including SSL inspection | Basic content and web filtering |
| User Identity | Strong user and device identity integration | User identity management may be basic |

Examples of UTM products and their key features:

o Barracuda CloudGen Firewall
Offers comprehensive security features, including firewall, VPN, intrusion detection and prevention,
antivirus, and web filtering.

o Check Point Next Generation Firewall (NGFW)
Provides advanced threat prevention, application control, and threat intelligence features.

o Cisco Meraki Threat Protection
A cloud-managed solution with features like firewall, intrusion detection and prevention, and web
content filtering.

o Fortinet NGFW
Known for its high performance and comprehensive security capabilities, including firewall, VPN,
application control, and intrusion prevention.

o Juniper NGFW
Offers a range of security features, including firewall, VPN, threat intelligence, and advanced threat
detection.

PART – A

1. What is the primary purpose of a firewall?
A) To store data securely
B) To monitor physical access
C) To filter and control network traffic
D) To compress network packets
2. Which of the following is an example of a Unified Threat Management (UTM) product?
A) Windows Defender
B) Cisco Meraki MX
C) SQL Server
D) Adobe Acrobat
3. Which statement best describes a stateful firewall?
A) It blocks all incoming packets by default.
B) It filters traffic based only on MAC address.
C) It monitors the state of active connections.
D) It only protects against phishing attacks.
4. Why is access policy important in a firewall configuration?
A) It reduces internet speed.
B) It helps install applications.
C) It determines rules for traffic filtering.
D) It encrypts all outgoing data.
5. You are deploying a firewall for a small business. Which type of firewall would be most appropriate if
you need application-level inspection?
A) Packet-filtering firewall
B) Circuit-level gateway
C) Proxy firewall
D) Stateless firewall
6. A company wants to deploy a firewall at the network perimeter. Which configuration is most
suitable?
A) Placing it on an individual host only
B) Placing it within the internal LAN
C) Placing it between the internal network and external network
D) Placing it behind all routers and switches
7. What is the key difference between a firewall and an intrusion prevention system (IPS)?
A) Firewalls are software-only; IPS is hardware-only
B) Firewalls encrypt data; IPS decrypts data
C) Firewalls filter traffic; IPS detects and prevents threats
D) Firewalls block spam; IPS blocks websites
8. Which combination of firewall types provides both filtering and session tracking?
A) Packet-filtering and proxy
B) Stateless and circuit-level
C) Stateful and application-layer
D) VPN and stateless
9. What type of firewall inspects traffic at the application layer?
A) Packet-filtering firewall
B) Stateful firewall
C) Proxy firewall
D) Circuit-level gateway
10. An intrusion prevention system (IPS) focuses on:
A) Detecting attacks after they occur
B) Proactively blocking attacks
C) Only monitoring network traffic
D) Encrypting data packets

PART – B

1. Define a firewall. List any two basic functions of a firewall.
2. Explain the importance of access policies in firewall configuration. How do they influence network
security?
3. List and explain any four key characteristics of a firewall.
4. What is an access policy in firewall configuration? Why is it important?
5. Explain the concept of firewall basing. What are the types of firewall basing?
6. List and explain any two common firewall configurations used in networks.
7. What is an Intrusion Prevention System (IPS)? How does it differ from a firewall?
8. Write a short note on the working of Intrusion Prevention Systems (IPS).
9. Give any four examples of Unified Threat Management (UTM) products and list two features of any
one.
10. Show the characteristics of firewalls. List the types of firewalls. (Nov/Dec 2024)

PART – C & D

1. Define a firewall. Explain in detail the need for firewalls in network security. Discuss the key
characteristics and the role of access policies in firewalls.

2. Explain the fundamental differences in how a traditional packet-filtering firewall, a stateful inspection
firewall, and an application-level gateway (proxy firewall) operate. Discuss the security advantages
each type offers over the preceding one.

3. Compare and contrast Firewalls and Intrusion Prevention Systems (IPS) in terms of functionality,
placement, and effectiveness. Evaluate which combination would best protect an enterprise
network and why.

4. Describe the different types of firewalls and their configurations. (Nov/Dec 2024)

5. Illustrate how IPS integrates with firewalls to enhance security. (Nov/Dec 2024)
