Network Defense tools
Mr. Rameez Raja, Cyber Security Trainer
Computer Science & Engineering – Cyber Security
CHAPTER-3
Network Defense tools
What is a Firewall?
A firewall is a network security device that monitors and
controls incoming and outgoing network traffic based on
predetermined security rules. The primary goal is to
establish a barrier between a trusted internal network and
untrusted external networks, such as the internet.
How Firewalls Work
Key Functions of Firewalls:
1. Packet Filtering:
Firewalls inspect individual data packets and make decisions
about whether to allow or block them based on pre-defined rules.
2. Stateful Inspection:
Stateful inspection, also known as dynamic packet filtering,
keeps track of the state of active connections and makes
decisions based on the context of the traffic.
3. Proxying:
Proxies act as intermediaries between internal and external
systems. They can enhance security by filtering and forwarding
requests and responses.
4. Network Address Translation (NAT):
Firewalls often use NAT to modify network address information
in packet headers while in transit, helping conceal internal IP
addresses.
5. Virtual Private Network (VPN) Support:
Firewalls can facilitate secure communication over the internet
by supporting VPNs, which encrypt data as it travels between
networks.
6. Logging and Auditing:
Firewalls maintain logs of network traffic and security events,
allowing administrators to monitor and analyze activity for
security purposes.
1. Packet Filtering Firewalls
Packet Filtering Firewalls are a type of network security
mechanism that operates at the network layer of the OSI (Open
Systems Interconnection) model. They are designed to control
and monitor the flow of data packets based on predetermined
rules or criteria. The primary purpose of packet filtering is to
permit or deny the transmission of packets based on specific
attributes such as source and destination IP addresses, source
and destination port numbers, and the protocol type.
How packet filtering works
Parameters for filtering
1. Packet Inspection:
   1. Packet filtering firewalls inspect individual packets of data as they pass through the network.
   2. Each packet is examined based on specific criteria defined by rules.
2. Rule-Based Filtering:
   1. Packet filtering is rule-based, where administrators define rules to dictate which packets are allowed and which are denied.
   2. Rules are typically based on attributes such as source and destination IP addresses, source and destination port numbers, and the protocol type.
3. Filtering Criteria:
   1. Source IP Address: The IP address of the sender or originator of the packet.
   2. Destination IP Address: The IP address of the intended recipient of the packet.
   3. Source and Destination Port Numbers: Identify the specific application or service using the port numbers.
   4. Protocol Type: Specifies the communication protocol (e.g., TCP, UDP, ICMP).
4. Access Control Lists (ACLs):
   1. Rules are often implemented using Access Control Lists (ACLs), which are lists of rules that define what kind of traffic is allowed or denied.
   2. ACLs can be configured to permit or deny traffic based on the defined criteria.
5. Stateless Filtering:
   1. Packet filtering is often stateless, meaning that each packet is evaluated independently of previous or subsequent packets.
   2. Stateless filtering is efficient but may have limitations in handling dynamic connections and complex protocols.
6. Default Policies:
   1. Packet filtering firewalls have default policies that specify the action to be taken if a packet does not match any explicitly defined rules.
   2. Common default policies include "allow all" (permit all traffic unless explicitly denied) or "deny all" (deny all traffic unless explicitly allowed).
7. Stateful Inspection (Optional):
   1. Some packet filtering firewalls incorporate stateful inspection for enhanced security.
   2. Stateful inspection maintains a table of active connections and makes decisions based on the context of the traffic, considering the state of the connection.
   3. This allows firewalls to understand the state of a connection (e.g., whether it is part of an established session) and make more informed decisions.
8. Logging and Auditing:
   1. Packet filtering firewalls often include logging and auditing capabilities to record information about allowed and denied traffic.
   2. Logs can be reviewed for security analysis, troubleshooting, and compliance purposes.
9. Network Address Translation (NAT):
   1. Some packet filtering firewalls may include Network Address Translation (NAT) capabilities, allowing them to modify source or destination IP addresses in the packet headers.
10. Packet Filtering Firewall Deployment:
   1. Packet filtering firewalls can be deployed at the perimeter of a network to control traffic entering and leaving the network.
   2. They can also be used within internal networks to segment and control traffic between different segments.
2. Stateful Multi-Layer Inspection (SMLI)
Stateful Multi-Layer Inspection (SMLI) is an advanced security
approach that combines stateful inspection with multiple layers of
analysis to provide a more comprehensive and effective means of
protecting computer networks. This approach goes beyond
traditional packet filtering and stateless inspection to consider the
context and content of network traffic. The detailed concept of
Stateful Multi-Layer Inspection is explained on the next slide.
Stateful Multi-Layer Inspection (SMLI)
1. Stateful Inspection:
   1. Connection Tracking: Stateful inspection involves tracking the state of active connections and making decisions based on the context of the traffic.
   2. Session Awareness: It understands the state of network connections and can differentiate between new connection requests and established sessions.
2. Multi-Layer Inspection:
   1. Network Layer: Analyzes traffic at the network layer (Layer 3), considering source and destination IP addresses, as well as protocol types (e.g., TCP, UDP).
   2. Transport Layer: Examines transport layer information, such as source and destination port numbers, to identify the specific application or service.
   3. Application Layer: Goes beyond the network and transport layers to inspect the actual content of the data payload at the application layer (Layer 7). This allows the firewall to understand the context and nature of the traffic, including the applications being used.
Working of Stateful Inspection
1. Stateful inspection tracks communication packets over a period of
time and examines both incoming and outgoing packets.
2. The firewall follows outgoing packets that request specific types of
incoming packets and authorizes incoming packets to pass through as
long as they constitute a valid response.
3. A stateful firewall monitors all sessions and verifies all packets,
although the method it uses can vary depending on the firewall
technology and the communication protocol being used.
For example, when the protocol is TCP, the firewall captures a packet's
state and context information and compares it to the existing session
data.
4. If a matching entry already exists, the packet is allowed through
the firewall.
5. If no match is found, the packet must undergo certain policy
checks. If the packet meets the policy requirements, the firewall
assumes that it is for a new connection and stores the session data
in the appropriate tables. It then permits the packet to pass.
6. If the packet does not match the policy conditions, the packet is
rejected.
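The ACL-driven filter from the Parameters for filtering section (first-match rules on addresses, ports and protocol with a default policy) and steps 4 to 6 above, as an added Python example that is not part of the original slides; the policy, the addresses and the session-table key are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Packet attributes and ACL rule fields are the ones the slides list; in a
# rule, None means "any" and src/dst are CIDR prefixes (constructed example).
Packet = namedtuple("Packet", "proto src sport dst dport")
Rule = namedtuple("Rule", "action proto src dst dport", defaults=(None,) * 4)

def in_net(addr, cidr):
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def rule_matches(r, p):
    return ((r.proto is None or r.proto == p.proto) and in_net(p.src, r.src)
            and in_net(p.dst, r.dst) and (r.dport is None or r.dport == p.dport))

def stateless_filter(acl, p, default="deny"):
    """Stateless packet filter: first matching ACL entry wins, else the default policy."""
    for r in acl:
        if rule_matches(r, p):
            return r.action
    return default

class StatefulFirewall:
    """Stateful inspection: a session table consulted before the same ACL."""
    def __init__(self, acl, default="deny"):
        self.acl, self.default, self.sessions = acl, default, set()

    def filter(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.sessions or rev in self.sessions:
            return "allow"                          # step 4: part of a known session
        if stateless_filter(self.acl, p, self.default) == "allow":
            self.sessions.add(fwd)                  # step 5: new connection, remember it
            return "allow"
        return "deny"                               # step 6: fails the policy check

# Constructed policy: internal hosts (10.0.0.0/8) may open HTTPS anywhere; default deny.
ACL = [Rule("allow", proto="tcp", src="10.0.0.0/8", dport=443)]
OUT = Packet("tcp", "10.0.0.5", 51000, "203.0.113.10", 443)          # client request
BACK = Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 51000)         # server's reply
UNSOLICITED = Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 51001)  # no prior request

def compare():
    """Same ACL through both engines: the stateless filter drops the legitimate
    reply; the stateful one passes it and still drops the unsolicited packet."""
    fw = StatefulFirewall(ACL)
    flows = (OUT, BACK, UNSOLICITED)
    return [stateless_filter(ACL, p) for p in flows], [fw.filter(p) for p in flows]
```

The stateless engine could only pass the reply by adding a rule that admits inbound traffic to every ephemeral port, which is the limitation with dynamic connections noted under Stateless Filtering.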
Benefits of Stateful inspection
1. Reduced traffic flow
2. High-level protection
3. Consumes significant system resources
4. Provides extensive logging capabilities
3. Stateless firewall
A Stateless Firewall is a network security device that filters and
controls network traffic based solely on the predefined rules and
criteria, without considering the context or state of the connections.
Unlike Stateful Firewalls, which maintain a table of active
connections and make decisions based on the state of each
connection, Stateless Firewalls treat each packet in isolation.
1. Packet-Level Filtering:
   1. Stateless Firewalls operate at the network layer (Layer 3) of the OSI model and inspect individual packets of data.
   2. Filtering decisions are based on specific attributes of each packet, such as source and destination IP addresses, source and destination port numbers, and protocol type (e.g., TCP, UDP, ICMP).
2. Rule-Based Filtering:
   1. Administrators define rules that dictate which packets are allowed and which are denied.
   2. Rules are typically based on static criteria, such as IP addresses and port numbers, without considering the state of connections.
3. No Connection Tracking:
   1. Unlike Stateful Firewalls, Stateless Firewalls do not maintain a table of active connections or sessions.
   2. Each packet is evaluated independently of previous or subsequent packets.
4. Efficiency:
   1. Stateless Firewalls are generally more efficient than Stateful Firewalls in terms of processing speed because they don't have to keep track of connection states.
   2. This makes them suitable for high-speed networks and environments where minimal latency is crucial.
Benefits of Stateless firewall
1. Less complex
2. Easy to implement
3. Fast performance delivery
4. Performs effectively in heavy traffic situations
4. Application-level gateway (Proxy firewall)
An application-level gateway, also called a proxy firewall, is used to protect data at the
application level. It protects against attackers on the internet by not disclosing the
internal computer's identity (IP address). Proxy firewalls analyze the context and content of
data packets and compare them to a set of previously defined rules using stateful and
deep packet inspection. They either permit or reject a packet based on the outcome.
Because this firewall checks the payload of received data packets, it is much slower
than a packet-filtering firewall.
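An added Python example, not from the original slides, contrasting the port-only decision of a packet filter with an application-level gateway that parses the HTTP payload on port 80, applies a content rule, and forwards from its own address; the allowed-host list, the proxy address and both sample payloads are constructed for the illustration.

```python
import re

# Constructed samples of two payloads sent to TCP port 80: a well-formed HTTP
# request, and a TLS-record-like byte stream (not HTTP) pushed over the same port.
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
NOT_HTTP = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32
# Hypothetical content policy and gateway address for this example.
ALLOWED_HOSTS = {"www.example.com"}
PROXY_ADDR = "198.51.100.1"
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) (/\S*) HTTP/1\.[01]$")

def packet_filter(dport):
    """Packet-filter view: anything to port 80 is 'web traffic'; payload unseen."""
    return "allow" if dport == 80 else "deny"

def parse_http_request(payload):
    """Return (method, path, headers) or None if the payload is not an HTTP request."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None                                 # no end of headers: not HTTP
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        return None                                 # malformed request line
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None                             # malformed header
        headers[name.strip().lower()] = value.strip()
    return m.group(1).decode(), m.group(2).decode(), headers

def proxy_gateway(client_ip, dport, payload):
    """Application-level gateway: decide on the parsed content and, when allowed,
    forward the request from the proxy's own address so client_ip is not disclosed."""
    if dport != 80:
        return "deny", None
    req = parse_http_request(payload)
    if req is None:
        return "deny", None                         # right port, wrong protocol
    _method, _path, headers = req
    host = headers.get(b"host", b"").decode(errors="replace")
    if host not in ALLOWED_HOSTS:
        return "deny", None
    # The server sees PROXY_ADDR as the source, never client_ip.
    return "allow", PROXY_ADDR
```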
Benefits of Application-level gateways
• Safest firewall
• Deep packet inspection
• Significant slowdowns
• Safeguard resource identity and location
5. Circuit-level gateway
A circuit-level gateway validates established Transmission Control Protocol (TCP)
connections. These firewalls typically operate at the session layer of the OSI model,
verifying Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
connections and sessions. These firewalls are implemented as security software or as
pre-installed firewalls. Like packet filtering firewalls, these firewalls do not examine
the actual data packet but observe the information about the transaction.
Benefits of Circuit-level gateway
• Simple and inexpensive
• A single form of protection is insufficient
• Setup and management are simple
6. Next-Generation Firewall (NGFW)
The most common type of firewall available today is the Next-Generation Firewall
(NGFW), which provides higher security levels than packet-filtering and stateful
inspection firewalls. An NGFW is a deep-packet inspection firewall with additional
features such as application awareness and control, integrated intrusion prevention,
advanced network visibility, and cloud-delivered threat intelligence. This type
of firewall is typically defined as a security device that combines the features and
functionalities of multiple firewalls. An NGFW monitors the entire data transaction,
including packet headers, contents, and sources.
Benefits of Next-Generation Firewall
• Block malware
• Recognizing Advanced Persistent Threats (APTs)
• Less expensive
• Financially beneficial
7. Cloud firewall
A Cloud firewall, also known as FaaS (firewall-as-a-service), is a firewall that is
designed using a cloud solution for network protection. Third-party vendors typically
manage and operate cloud firewalls on the internet, and they are configured based on
the requirements. Today, most businesses use cloud firewalls to protect their private
networks or overall cloud infrastructure.
Benefits of Cloud firewall
• Unified security policy
• Flexible deployment
• Simplified deployment and maintenance
• Improved scalability
• Automatic updates
Comparison Table: Types of Firewall