Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh
• Worldwide enterprise losses caused by a single, simple email virus, MyDoom, come to $22.6 billion.
• On top of that comes the negative social impact on these enterprises, which is worth a trillion dollars.
• Enterprises now communicate freely beyond their boundaries.
• The trade-off is that they have to pass through dangerous avenues to reach each other.
• A properly designed and implemented security policy is an absolute requirement for all types of enterprises.
• A solid approach to network security ensures not only the security of your network, but also your overall network reliability, resiliency, business continuity and business productivity.
• The most basic, fundamental type of firewall is called a packet filter.
• Packet filter firewalls are essentially routing devices that include access control functionality for system addresses and communication sessions.
• The access control functionality of a packet filter firewall is governed by a set of directives collectively referred to as a ruleset.
• Packet filters operate at Layer 3 (Network) of the OSI model.
• This basic functionality is designed to provide network access control based upon several pieces of information contained in a network packet:
• The source address of the packet, i.e., the Layer 3 address of the device the network packet originated from (an IP address such as 192.168.1.1).
• The destination address of the packet, i.e., the Layer 3 address of the device the network packet is trying to reach (e.g., 192.168.1.2).
• The type of traffic, i.e., the specific protocol.
• Characteristics of the Layer 4 communications sessions: the source and destination ports of the sessions.
• Information pertaining to the interface, i.e., the source and destination interface.
• Packet filter firewalls have two main strengths: speed and flexibility.
• Since packet filters do not usually examine data above Layer 3 of the OSI model, they can operate very quickly.
• Since most modern network protocols can be accommodated using Layer 3 and below, packet filter firewalls can be used to secure nearly any type of network communication or protocol.
• They are able to block denial-of-service and related attacks, which makes them ideal for placement at the outermost boundary with an untrusted network.
• Packet filter routers are thus also called boundary routers.
• Packet filter firewalls cannot prevent attacks that employ application-specific vulnerabilities or functions.
• For example, a packet filter firewall cannot block specific application commands; if a packet filter firewall allows a given application, all functions available within that application will be permitted.
• The logging functionality present in packet filter firewalls is limited.
• Packet filter logs normally contain the same information used to make access control decisions (source address, destination address, and traffic type).
• Packet filter firewalls do not support advanced user authentication schemes.
• This limitation is mostly due to the lack of upper-layer functionality in the firewall.
• Packet filter firewalls are vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack, such as network layer address spoofing.
• Packet filter firewalls cannot detect a network packet in which the OSI Layer 3 addressing information has been altered.
• Packet filter firewalls are susceptible to security breaches caused by improper configurations.
• It is easy to accidentally configure a packet filter firewall to allow traffic types, sources, and destinations that should be denied based upon an organization's information security policy.
• Packet filter firewalls are very suitable for high-speed environments where logging and user authentication with network resources are not important.
• Most SOHO (Small Office Home Office) firewall appliances and default operating system firewalls are packet filter firewalls.
• The firewall passes the packet through the firewall as requested.
• This is subject to whatever logging capabilities may or may not be in place.
• The firewall drops the packet without passing it through the firewall.
• Once the packet is dropped, an error message is returned to the source system.
• This action may or may not generate log entries, depending on the firewall's ruleset configuration.
• The firewall not only drops the packet, but also does not return an error message to the source system.
• This particular action is used to implement the "black hole" methodology, in which a firewall does not reveal its presence to an outsider.
• This action may or may not generate log entries.
• Stateful inspection firewalls are packet filters that incorporate added awareness of the OSI model data at Layer 4.
• When a TCP (connection-oriented transport) application creates a session with a remote host system, a port is also created on the source system for the purpose of receiving network traffic from the destination system.
• According to the TCP specifications, this client source port will be some number greater than 1023 and less than 16384.
• According to convention, the destination port on the remote host will likely be a "low-numbered" port, less than 1024. This will be 25 for SMTP, for example.
• Packet filter firewalls must permit inbound network traffic on all of these "high-numbered" ports for connection-oriented transport to occur, i.e., return packets from the destination system.
• Opening this many ports creates an immense risk of intrusion by unauthorized users who may employ a variety of techniques to abuse the expected conventions.
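
The ruleset, the three actions and the high-port problem described above, modelled as an added example that is not part of the original slides: the same constructed packets are run through a stateless packet filter, which needs an inbound high-port rule, and a stateful filter, which tracks sessions instead. The class names, the sample addresses outside 192.168.1.x and the no-telnet rule are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The three actions from the slides: pass, drop with an error, drop silently.
ACCEPT, DENY, DISCARD = "accept", "deny", "discard"
INSIDE = "192.168.1.0/24"   # assumed internal network
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str            # interface the packet arrived on
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str
    in_iface: str
    src_net: str
    dst_net: str
    proto: str
    dports: range

    def matches(self, p: Packet) -> bool:
        return (p.in_iface == self.in_iface and p.proto == self.proto
                and ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and p.dport in self.dports)


class PacketFilter:
    """Stateless filter: first matching rule wins, unmatched traffic is discarded."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return DISCARD


class StatefulFilter(PacketFilter):
    """Adds a table of sessions opened from inside (no flag/timeout tracking)."""

    def __init__(self, rules):
        super().__init__(rules)
        self.sessions = set()

    def decide(self, p: Packet) -> str:
        # Return traffic is the exact mirror image of a tracked session.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.sessions:
            return ACCEPT
        action = super().decide(p)
        if action == ACCEPT and p.in_iface == "inside":
            self.sessions.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return action


NO_TELNET = Rule(DENY, "inside", INSIDE, ANY, "tcp", range(23, 24))
OUT_SMTP = Rule(ACCEPT, "inside", INSIDE, ANY, "tcp", range(25, 26))
# The rule a stateless filter needs so that replies can come back in;
# the port range follows the slide (greater than 1023, less than 16384).
HIGH_PORTS_IN = Rule(ACCEPT, "outside", ANY, INSIDE, "tcp", range(1024, 16384))

# Constructed sample packets (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLES = {
    "outbound_smtp": Packet("192.168.1.1", 5000, "203.0.113.25", 25, "inside"),
    "smtp_reply": Packet("203.0.113.25", 25, "192.168.1.1", 5000, "outside"),
    "unsolicited": Packet("198.51.100.7", 40000, "192.168.1.2", 8080, "outside"),
    "outbound_telnet": Packet("192.168.1.1", 5001, "203.0.113.25", 23, "inside"),
}


def compare():
    """Run the same packets, in order, through both firewall types."""
    firewalls = {
        "stateless": PacketFilter([NO_TELNET, OUT_SMTP, HIGH_PORTS_IN]),
        "stateful": StatefulFilter([NO_TELNET, OUT_SMTP]),
    }
    return {name: {label: fw.decide(pkt) for label, pkt in SAMPLES.items()}
            for name, fw in firewalls.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

Both filters pass the SMTP session and its reply, but only the stateless one accepts the unsolicited inbound packet to a high port, because its return-traffic rule cannot tell a reply from a new connection.
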
• Each individual application proxy, also referred to as a proxy agent, interfaces directly with the firewall access control ruleset.
• It determines whether a given piece of network traffic should be permitted to transit the firewall.
• In addition to the ruleset, each proxy agent has the ability to require authentication of each individual network user.
• This user authentication can take many forms, including the following:
1. User ID and Password Authentication,
2. Hardware or Software Token Authentication,
3. Source Address Authentication, and
4. Biometric Authentication.
• Application-proxy gateway firewalls usually have more extensive logging capabilities.
• They are able to examine the entire network packet rather than just the network addresses and ports.
• They enable enterprise security policy to be enforced with an authentication mechanism.
• They are less vulnerable to address spoofing attacks.
• The firewall is forced to spend quite a bit of time reading and interpreting each packet.
• For this reason, application-proxy gateway firewalls are not generally well suited to high-bandwidth or real-time applications.
• Another disadvantage is that application-proxy gateway firewalls tend to be limited in terms of support for new network applications and protocols.
• Mixing packet filtering/stateful inspection with application gateway proxy firewalls
• The most common firewall environment implementation is known as a DMZ, or DeMilitarized Zone network.
• A DMZ network is created out of a network connecting two firewalls.
• When two or more firewalls exist in an environment, the networks connecting the firewalls can be DMZ networks.
• This configuration subjects the firewall to an increased risk of service degradation during a denial-of-service (DoS) attack aimed at servers located on the DMZ.
• In a standard DMZ network configuration, a denial-of-service attack against a DMZ-attached resource such as a web server will likely impact only that target resource.
• A virtual private network is constructed on top of existing network media and protocols by using additional protocols and, usually, encryption.
• Virtual private networks are used to provide secure network links across networks that are not trusted.
• Virtual private network technology is increasingly used in the area of providing remote user access to organizational networks via the global Internet.
• By using virtual private network technology, an organization purchases a single connection to the global Internet, and that connection is used to allow remote users access into otherwise private networks and resources.
• This single Internet connection can also be used to provide many other types of services. As a result, this mechanism is considered to be cost-effective.
• On the protocol level, there are several possible choices for a modern virtual private network.
• The first, and perhaps the most commonly used at present, is a set of protocols known as IPSec.
• The IPSec standards consist of IPv6 security features ported over to IPv4.
• Other current VPN protocols include PPTP, a Microsoft standard, and L2TP.
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 

L3 defense

  • 1. Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh
  • 2. Worldwide enterprise losses from the simple MyDoom email virus alone are $22.6 billion, plus a negative social impact on these enterprises that is worth a trillion dollars. Enterprises are now freely communicating beyond boundaries. The trade-off is that they have to pass through dangerous avenues to reach each other.
  • 3. A properly designed and implemented security policy is an absolute requirement for all types of enterprises. A solid approach to network security ensures not only the security of your network, but also your overall network reliability, resiliency, business continuity and business productivity.
  • 5. The most basic, fundamental type of firewall is called a packet filter. Packet filter firewalls are essentially routing devices that include access control functionality for system addresses and communication sessions. The access control functionality of a packet filter firewall is governed by a set of directives collectively referred to as a ruleset.
  • 6. Packet filters operate at Layer 3 (Network) of the OSI model. This basic functionality is designed to provide network access control based upon several pieces of information contained in a network packet. The source address of the packet: the L3 address of the device the network packet originated from (an IP address such as 192.168.1.1).
  • 7. The destination address of the packet: the L3 address of the device the network packet is trying to reach (e.g., 192.168.1.2). The type of traffic, i.e., the specific protocol. Characteristics of the Layer 4 communications sessions: source and destination ports of the sessions. Information pertaining to the interface, i.e., source and destination interface.
  • 8. Packet filter firewalls have two main strengths: speed and flexibility. Since packet filters do not usually examine data above Layer 3 of the OSI model, they can operate very quickly. Since most modern network protocols can be accommodated using Layer 3 and below, packet filter firewalls can be used to secure nearly any type of network communication or protocol.
  • 9. They are able to block denial-of-service and related attacks, which makes them ideal for placement at the outermost boundary with an untrusted network. Packet filter routers are thus also called Boundary Routers.
  • 11. Packet filter firewalls cannot prevent attacks that employ application-specific vulnerabilities or functions. For example, a packet filter firewall cannot block specific application commands; if a packet filter firewall allows a given application, all functions available within that application will be permitted.
  • 12. The logging functionality present in packet filter firewalls is limited. Packet filter logs normally contain the same information used to make access control decisions (source address, destination address, and traffic type).
  • 13. Packet filter firewalls do not support advanced user authentication schemes. This limitation is mostly due to the lack of upper-layer functionality in the firewall.
  • 14. Packet filter firewalls are vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack, such as network layer address spoofing. Packet filter firewalls cannot detect a network packet in which the OSI Layer 3 addressing information has been altered.
  • 15. Packet filter firewalls are susceptible to security breaches caused by improper configurations. It is easy to accidentally configure a packet filter firewall to allow traffic types, sources, and destinations that should be denied based upon an organization's information security policy.
  • 16. Packet filter firewalls are very suitable for high-speed environments where logging and user authentication with network resources are not important. Most SOHO (Small Office Home Office) firewall appliances and default operating system firewalls are packet filter firewalls.
  • 18. The firewall passes the packet through the firewall as requested, subject to whatever logging capabilities may or may not be in place.
  • 19. The firewall drops the packet, without passing it through the firewall. Once the packet is dropped, an error message is returned to the source system. This may or may not generate log entries, depending on the firewall's ruleset configuration.
  • 20. The firewall not only drops the packet, but it does not return an error message to the source system. This particular action is used to implement the "black hole" methodology, in which a firewall does not reveal its presence to an outsider. This may or may not generate log entries.
  • 21. Stateful inspection firewalls are packet filters that incorporate added awareness of the OSI model data at Layer 4. When a TCP (connection-oriented transport) application creates a session with a remote host system, a port is also created on the source system for the purpose of receiving network traffic from the destination system.
  • 22. According to the TCP specifications, this client source port will be some number greater than 1023 and less than 16384. According to convention, the destination port on the remote host will likely be a "low-numbered" port, less than 1024. This will be 25 for SMTP, for example.
  • 23. Packet filter firewalls must permit inbound network traffic on all of these "high-numbered" ports for connection-oriented transport to occur, i.e., return packets from the destination system. Opening this many ports creates an immense risk of intrusion by unauthorized users who may employ a variety of techniques to abuse the expected conventions.
  • 25. Each individual application-proxy, also referred to as a proxy agent, interfaces directly with the firewall access control ruleset to determine whether a given piece of network traffic should be permitted to transit the firewall. In addition to the ruleset, each proxy agent has the ability to require authentication of each individual network user.
  • 26. This user authentication can take many forms, including the following: 1. User ID and Password Authentication, 2. Hardware or Software Token Authentication, 3. Source Address Authentication, and 4. Biometric Authentication.
  • 27. Application-proxy gateway firewalls usually have more extensive logging capabilities. They are able to examine the entire network packet rather than just the network addresses and ports. They enable enterprise security policy with an authentication mechanism. They are less vulnerable to address spoofing attacks.
  • 28. The firewall is forced to spend quite a bit of time reading and interpreting each packet. For this reason, application-proxy gateway firewalls are not generally well suited to high-bandwidth or real-time applications. Another disadvantage is that application-proxy gateway firewalls tend to be limited in terms of support for new network applications and protocols.
  • 30. Mixing packet filtering/stateful inspection with application gateway proxy firewalls.
  • 31. The most common firewall environment implementation is known as a DMZ, or DeMilitarized Zone network. A DMZ network is created out of a network connecting two firewalls: when two or more firewalls exist in an environment, the networks connecting the firewalls can be DMZ networks.
  • 34. This configuration subjects the firewall to an increased risk of service degradation during a denial-of-service (DoS) attack aimed at servers located on the DMZ. In a standard DMZ network configuration, a denial-of-service attack against a DMZ-attached resource such as a web server will likely impact only that target resource.
  • 35. A virtual private network is constructed on top of existing network media and protocols by using additional protocols and, usually, encryption. Virtual private networks are used to provide secure network links across networks that are not trusted.
  • 36. Virtual private network technology is increasingly used to provide remote user access to organizational networks via the global Internet. By using virtual private network technology, an organization purchases a single connection to the global Internet, and that connection is used to allow remote users access into otherwise private networks and resources.
  • 37. This single Internet connection can also be used to provide many other types of services. As a result, this mechanism is considered to be cost-effective.
  • 39. On the protocol level, there are several possible choices for a modern virtual private network. The first, and perhaps the most commonly used at present, is a set of protocols known as IPSec. The IPSec standards consist of IPv6 security features ported over to IPv4. Other current VPN protocols include PPTP, a Microsoft standard, and L2TP.
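
The return-traffic problem from slides 21 to 23, as an added example that is not part of the original slides: a stateless packet filter has to pass every inbound packet aimed at a high-numbered port, while a stateful filter passes only replies to sessions it saw leave the network. The class names, the "pass"/"discard" action names, the addresses and the 1024-65535 port range are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str    # "pass" or "discard" (names assumed for this example)
    src: str       # source network in CIDR form
    dst: str       # destination network in CIDR form
    dports: range  # destination ports the rule covers
    def matches(self, p):
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and p.dport in self.dports)

def packet_filter(rules, pkt):
    """Stateless first-match lookup; anything unmatched is discarded."""
    return next((r.action for r in rules if r.matches(pkt)), "discard")

class StatefulFilter:
    """Packet filter that also remembers sessions opened from the inside."""
    def __init__(self, outbound_rules):
        self.outbound_rules = outbound_rules
        self.sessions = set()

    def outbound(self, pkt):
        action = packet_filter(self.outbound_rules, pkt)
        if action == "pass":
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action
    def inbound(self, pkt):
        # A reply is a recorded session with both endpoints swapped.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "pass" if key in self.sessions else "discard"

# Constructed sample data: inside network, rulesets and three TCP packets.
INSIDE, ANY = "192.168.1.0/24", "0.0.0.0/0"
STATELESS_INBOUND = [Rule("pass", ANY, INSIDE, range(1024, 65536))]
OUTBOUND = [Rule("pass", INSIDE, ANY, range(25, 26))]  # SMTP only
SMTP_OUT = Packet("192.168.1.10", 12000, "203.0.113.25", 25)
SMTP_REPLY = Packet("203.0.113.25", 25, "192.168.1.10", 12000)
UNSOLICITED = Packet("198.51.100.7", 31000, "192.168.1.10", 12001)

if __name__ == "__main__":
    fw = StatefulFilter(OUTBOUND)
    fw.outbound(SMTP_OUT)
    for name, pkt in (("reply", SMTP_REPLY), ("unsolicited", UNSOLICITED)):
        print(name, packet_filter(STATELESS_INBOUND, pkt), fw.inbound(pkt))
```

The stateless ruleset gives the same verdict for the genuine SMTP reply and for the packet nobody asked for; only the session table tells them apart.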