___________________________________________________________________
ASSIGNMENT 2
TEB 2193: INFORMATION ASSURANCE & SECURITY
SEPTEMBER 2020
___________________________________________________________________
PREPARED BY:
FATIN NASUHA BINTI ABDUL RAZAK (18002908)
ASIHVINI GOVINDA PILAY (16002163)
EUNIZIA ARGENTINA MATINE (17006413)
IFFAT MOHAMAD JEHAN ZAIB (16004742)
SELVANAYAGI MANOGARAN (19000012)
TOPIC: COMPARATIVE ANALYSIS OF DIFFERENT TYPES OF FIREWALL
SYSTEMS/TECHNIQUES
LECTURER:
MADAM NAZLEENI SAMIHA BT HARON
CONTENT
1. Introduction
2. Analysis
2.0 Cloud firewall
2.1 Detecting DNS tunneling using machine learning
2.2 Packet filter
2.3 Comparison of hardware, software and virtual firewalls
3. Conclusion
4. Reference
Introduction
A firewall is a protective boundary layer that protects a server by monitoring and
filtering incoming and outgoing network traffic. It applies a particular set of rules
that determine whether specified network traffic is blocked or allowed. Firewall
systems can be classified into hardware and software systems, and within each class
there are a number of firewall options. Firewalls play an important role as the first
line of defence against unauthorized entry in network security. The features and
functionality of firewalls have gone through various advancements: a firewall not only
protects the network but also closely examines individual packets of data traffic and
runs tests on them to establish whether they are safe. One of the first-generation
firewalls was the packet filtering firewall, which controls network access by
filtering and monitoring incoming and outgoing data packets. Packet filter firewalls
approach each packet individually, but they are limited to allowing or denying the
packet and lack the ability to identify whether the data packet is part of an existing
traffic stream.
There are several known firewall techniques, which vary in functionality and
specialty as each technique addresses the limitations and advancements of the others.
The firewall techniques discussed are Cloud Firewalls, Next-Generation Firewalls
(NGFW) and Circuit-Level Gateways.
2.0 Analysis 1 - Cloud Firewall
Different types of firewalls provide many ways to deliver security. Firewall
security is no longer limited to individual computers or devices but also covers cloud
services that need protection. The firewalls considered here are Cloud Firewalls,
Next-Generation Firewalls (NGFW) and Circuit-Level Gateways.
A Cloud Firewall is a software-based firewall deployed in the cloud and built to
control and manage access between cloud networks, including preventing cyber-attacks
targeted at cloud resources. There are two types of Cloud Firewalls: the
Software-as-a-Service (SaaS) firewall and the cloud-based Next-Generation Firewall.
The SaaS firewall's purpose is to protect an organization's network and its users from
within the cloud; other names for it include Security-as-a-Service (SECaaS) and
Firewall-as-a-Service (FWaaS). The cloud-based Next-Generation Firewall is a service
deployed within a virtual data centre. It exists on a virtual server and manages
incoming and outgoing traffic from cloud-based applications.
A Next-Generation Firewall (NGFW) is a third-generation firewall that combines
the functions of a traditional firewall with network device filtering mechanisms. Its
capabilities include Deep Packet Inspection (DPI), an Intrusion Prevention System
(IPS), TLS/SSL encrypted traffic inspection, website filtering, bandwidth management,
antivirus inspection and third-party identity management integration. NGFWs offer
more control over device security and a more thorough inspection capability.
A Circuit-Level Gateway is a simple firewall that operates at the session layer
of the OSI model. The session layer sits between the application and transport
layers, so the firewall monitors TCP handshakes between packets to determine whether
a requested session is legitimate. With a Circuit-Level Gateway, the internal network
is protected because it is concealed from external traffic, which helps ward off
unwanted parties attempting forbidden access to the network.
There are significant differences between these firewall types. For example,
the difference between a Cloud Firewall and an NGFW is that an NGFW has newer
technologies available to it, such as an Intrusion Prevention System (IPS), Deep
Packet Inspection (DPI) and application control. A Cloud Firewall may have NGFW
capabilities, while a physical device firewall may be an NGFW without being a Cloud
Firewall. As for the differences between an NGFW and a Circuit-Level Gateway, a
Circuit-Level Gateway operates on only one layer of the OSI model, whereas an NGFW
inspects many layers of the OSI model to maximize inspection and security.
2.1 Analysis 2 - Detecting DNS Tunneling using Machine Learning
DNS tunneling is a misuse of DNS. DNS is an essential protocol that plays a vital
role in web browsing and email: it allows applications to use names such as
example.com instead of a hard-to-remember IP address. DNS tunneling hijacks the
protocol to use it as a covert communications channel or a means of data
exfiltration, and it is a broadly overlooked security threat.
Various DNS tunneling detection methods have been proposed, and they can be
classified into two key groups: traffic analysis and payload analysis. The first class
examines the traffic as a whole, where important features may be found such as the
amount of DNS traffic, the number of hostnames per domain, the location and the
domain history. The second class evaluates the payload of a single request in order
to extract features such as domain length, number of bytes and content.
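The two feature classes described above can be made concrete with a small feature extractor. The following Python code is an added example written for this report, not code from any of the cited studies: it computes payload features for each query name (length, label count, longest label, character entropy and digit ratio) and traffic features per registered domain (distinct hostnames and total query bytes), then combines them with a rule-based score. The query names, the thresholds and the two-label registered-domain split are constructed assumptions; a real deployment would feed these features to a trained classifier such as the SVM, NB and J48 classifiers this section compares, and would use a public-suffix list.

```python
"""Feature extraction for DNS tunneling detection (added example, not from the report).

Payload analysis: features of a single query name.
Traffic analysis: features aggregated per registered domain.
All query names below are constructed samples, not real traffic.
"""
from __future__ import annotations
import math
from collections import Counter, defaultdict

# Constructed sample of DNS query names as seen at a resolver.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "cdn.example.com",
    "www.wikipedia.org",
    # Long, high-entropy labels under one domain: the shape a tunnel produces.
    "a7f3c9e1b2d4f6a8c0e2b4d6f8a0c2e4.t1.tunnel-sample.net",
    "b8e4d0f2c3e5a7b9d1f3a5c7e9b1d3f5.t1.tunnel-sample.net",
    "c9f5e1a3d4f6b8c0e2a4b6d8f0c2e4a6.t1.tunnel-sample.net",
    "d0a6f2b4e5a7c9d1f3b5c7e9a1d3f5b7.t1.tunnel-sample.net",
]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded data scores high, words score low."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name: str) -> str:
    """Last two labels (assumption: no public-suffix list, so 'x.co.uk' is mis-split)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def payload_features(name: str) -> dict:
    """Per-query features (payload analysis)."""
    labels = name.lower().rstrip(".").split(".")
    subdomain = ".".join(labels[:-2])
    return {
        "length": len(name),
        "label_count": len(labels),
        "longest_label": max(len(label) for label in labels),
        "entropy": round(shannon_entropy(subdomain), 3),
        "digit_ratio": round(sum(ch.isdigit() for ch in subdomain)
                             / max(len(subdomain), 1), 3),
    }


def traffic_features(queries: list[str]) -> dict:
    """Per-domain aggregates (traffic analysis): hostnames seen and bytes queried."""
    hosts = defaultdict(set)
    total_bytes = Counter()
    for q in queries:
        d = registered_domain(q)
        hosts[d].add(q.lower())
        total_bytes[d] += len(q)
    return {d: {"hostnames": len(hosts[d]), "query_bytes": total_bytes[d]} for d in hosts}


def score_query(name: str, per_domain: dict) -> int:
    """Rule-based score combining both feature classes; thresholds are illustrative."""
    pf = payload_features(name)
    tf = per_domain[registered_domain(name)]
    score = 0
    score += pf["longest_label"] > 30      # a single very long label
    score += pf["entropy"] > 3.5           # subdomain looks like encoded data
    score += pf["digit_ratio"] > 0.3       # many digits, unlike a hostname
    # many distinct, long hostnames under one domain (traffic-level signal)
    score += tf["hostnames"] > 3 and tf["query_bytes"] / tf["hostnames"] > 40
    return score


def flag_suspicious(queries: list[str], threshold: int = 3) -> list[str]:
    """Return the queries whose combined score reaches the threshold."""
    per_domain = traffic_features(queries)
    return [q for q in queries if score_query(q, per_domain) >= threshold]


if __name__ == "__main__":
    for q in flag_suspicious(SAMPLE_QUERIES):
        print("suspicious:", q, payload_features(q))
```

Run as a script it prints the four constructed tunnel-shaped names and their payload features; the example.com and wikipedia.org names score zero on every rule.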
Based on the literature, detecting DNS tunnelling using a Machine Learning
Technique (MLT) is one of the best methods available. This analysis compares three
machine learning techniques: SVM, NB and J48. The classifiers can be described as
follows:
i. J48 - has a flowchart-like tree structure. Each node of the tree represents a
test on an attribute value, each branch represents the outcome of the test, and the
leaves represent classes. The core characteristic of J48 is the rule-based design of
the classifier, which transforms attribute values into rules that distinguish
occurrences of DNS tunnelling.
ii. NB (Naive Bayes) - the occurrence of each individual feature is considered in
relation to the class labels (i.e. tunnelling or legitimate). The main strength of NB
lies in its ability to treat the presence or absence of a particular feature
independently of the others.
iii. Support Vector Machine (SVM) - performs classification by dividing the data
space into multiple class labels using a hyperplane. The hyperplane is treated as a
margin that should be optimally identified, and an accurate adjustment of the
hyperplane leads to accurate classification.
There are a few comparisons to be made among the techniques that use a Machine
Learning Technique (MLT) to detect DNS tunneling:
The first technique uses MLT with two classifiers, Decision Tree (DT) and Random
Forest (RF), trained on encrypted flows by conducting a statistical analysis of the
inner protocol. The analysis aims to identify the packet sizes and the inter-arrival
delays of the packets in the flow.
The second technique presents an approach based on the SVM classifier. The
suggested solution uses the statistical features of the DNS queries and answers,
examining the content of the queries and responses in order to recognize malicious
data concealed within legitimate DNS. An extension of this method uses the same
classifier but takes advantage of different features related to payload analysis,
namely the inter-arrival times and the packet sizes of the protocol messages.
The third technique uses an RF classifier. Its features consist of the number of
answers given in the response, the time between two consecutive packets for a
specific domain, and the time between two consecutive responses for a specific
domain.
The fourth technique uses two approaches, Principal Component Analysis (PCA) and
Mutual Information (MI). These methods analyse the repeated occurrence of a specific
pattern in order to detect tunneling. In addition, the proposed feature extraction
methods have been combined with KNN classification, which has shown good efficiency
in profiling traffic over the lifetime of a DNS tunnel. Building on this, the
proposed method uses a predictive approach based on an average entropy distribution.
The last technique compared in this analysis detects DNS tunneling within mobile
networks. It uses a traditional SVM classifier with a number of features, such as the
source, destination and duration of queries, to identify tunneling.
Based on the different techniques identified, as a security analyst, I would
prefer that this company use the SVM method for detecting tunneling with a machine
learning technique, to secure the company's data and network perimeter. A benchmark
dataset for DNS tunneling was used in the experiment in order to facilitate the
comparison. Results showed that SVM outperformed the other classifiers by achieving
the highest f-measure, which is 83%.
2.2 Analysis 3 - Packet Filter
A firewall's primary role is filtering, but firewalls can also perform auditing.
More than that, a firewall can look at an entire packet's contents, including the
data area, whereas a router is concerned only with source and destination MAC and IP
addresses. There are three main types of firewall: packet filters, application
gateways and stateful inspection firewalls.
First, packet filters. A packet filter is the simplest form of firewall. A packet
filter firewall evaluates every IP packet that attempts to traverse the firewall
against its access control list (ACL). If the packet is permitted, it is passed
through; if not, the packet filter can either silently drop the packet or send back
an ICMP error response. Packet filters only look at five things: the source and
destination IP addresses, the source and destination ports, and the protocol, such as
UDP or TCP.
Next, application gateways. An application gateway actually looks at the
application-layer data. Single-application gateways are often called proxies, such as
an SMTP proxy that understands the SMTP protocol. These examine the data being sent
and verify that the particular protocol is being used correctly. As long as the
protocol is obeyed, the proxy shuttles the commands from the client to the server.
The application gateway must understand the protocol and process both sides of the
conversation.
Besides these, there is stateful inspection. Stateful inspection monitors the
active connections on a network and uses the information about those connections to
determine which network packets should be allowed through the firewall. It keeps
track of each connection and constantly checks whether it is still valid.
Even though these are the main types of firewall, they differ in various
aspects, which is why not everyone uses the same firewall all the time: each is
suited to particular uses based on its functions, not only its definition.
A packet filter is all about simplicity and speed. Because of this, packet
filtering can be enabled on routers, eliminating the need for a dedicated firewall.
Despite its simplicity and speed, it also has problems: packet filters generally do
not look deeply enough into the packet to have any idea what is actually being sent.
A packet filter that allows access to port 25, the Simple Mail Transfer Protocol
(SMTP) port, would never know if some other protocol was used on that port. For
example, a user on one system might run his Secure Shell daemon on that port, knowing
that the traffic would be allowed by the packet filter, and be able to SSH through
the firewall against policy. Packet filters encounter another problem: they cannot
properly handle protocols that rely on multiple dynamic connections. For example, in
FTP, whenever data is transferred between the hosts, such as files or LIST output, a
separate connection is established. You would need an ACL that allows these data
connections through for FTP to work; however, packet filters do not read the FTP
command channel to know when such an ACL rule should be applied.
Compared to packet filters, application gateways are a much more CPU-intensive
process. However, this also gives them a greater measure of security. You will not be
able to run the SSH-over-port-25 trick described earlier when an application gateway
is in the way, because it will realize that SMTP is not in use. Furthermore, because
an application gateway understands the protocols in use, it is able to support
complex protocols such as FTP that create dynamic data channels for each file
transfer. A problem arises with protocols that are not directly understood by the
application gateway but that must still be allowed to traverse the firewall. SSH and
HTTPS are two simple examples, because they are encrypted end to end and an
application gateway cannot read the traffic actually being sent. In these scenarios,
there is usually a way to configure the firewall to allow the appropriate packets to
pass without interference from the firewall. It can be difficult to integrate
application gateways into standard routing hardware because of the processing
overhead. Some newer high-end routers are able to function as application gateways,
but they need plenty of CPU power for satisfactory performance.
Stateful inspection, also known as dynamic packet filtering, takes the basic
principles of packet filtering and adds the concept of state, so that the firewall
considers packets in the context of earlier packets. For example, it records each
packet it sees in an internal table, and in many implementations it will only allow
TCP packets that match an existing conversation to be forwarded to the network. This
has a number of advantages over simpler packet filtering: it is possible to build
firewall rules for protocols that cannot be correctly controlled by packet filtering,
and more complete control of traffic is possible. There is a risk, however, that
vulnerabilities in individual protocol decoders could permit an attacker to gain
control over the firewall; this concern highlights the need to keep firewall software
updated. Some of these firewalls also increase the possibility that individual hosts
can be tricked into soliciting outside connections. This risk can only be totally
eliminated by auditing the host software, and some firewalls can be defeated in this
way simply by viewing a web page. Equally, there are some disadvantages to this
approach: the implementation is necessarily more complex and therefore more likely to
contain errors, and it requires a device with more memory and a more powerful CPU for
a given traffic load, as data has to be stored about each and every traffic flow seen
over a period of time.
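To make the three behaviours discussed in this section concrete (the stateless 5-tuple filter, the SSH-over-port-25 trick it cannot see, and stateful inspection that only forwards TCP packets matching a recorded conversation), here is an added Python example written for this report; it is not code from any firewall product or from the cited sources. The packets, the ACL, the connection table and the SMTP greeting check are all constructed simplifications: real firewalls match addresses with CIDR masks, age out state entries, and parse the protocol fully rather than checking one banner line.

```python
"""Stateless packet filter vs stateful inspection vs a minimal application-layer
check. Added example, not from the report; no real sockets are used."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag: start of a new connection
    ack: bool = False
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str = "any"
    src: str = "any"            # address prefix such as "10.0.0." or "any" (simplified)
    dst: str = "any"
    dport: int | None = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and (self.src == "any" or p.src.startswith(self.src))
                and (self.dst == "any" or p.dst.startswith(self.dst))
                and (self.dport is None or self.dport == p.dport))


# Constructed ACL: internal LAN 10.0.0.x, mail server 10.0.0.25, default deny.
ACL = [
    Rule("allow", "tcp", dst="10.0.0.25", dport=25),   # inbound SMTP to the mail server
    Rule("allow", "tcp", src="10.0.0."),               # LAN hosts may connect outwards
    Rule("deny"),
]


def stateless_filter(p: Packet, acl: list[Rule] = ACL) -> str:
    """Packet filter: the first rule matching the 5-tuple decides; nothing else is seen."""
    for r in acl:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: the ACL is consulted only for new connections (SYN).
    Any later packet is allowed only if it belongs to a recorded conversation."""

    def __init__(self, acl: list[Rule] = ACL):
        self.acl = acl
        self.table: set[tuple] = set()    # recorded 5-tuples of accepted connections

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Packet) -> str:
        if self._key(p) in self.table or self._reverse(p) in self.table:
            return "allow"                 # either direction of a known conversation
        if p.proto == "tcp" and p.syn and not p.ack:
            verdict = stateless_filter(p, self.acl)
            if verdict == "allow":
                self.table.add(self._key(p))   # remember the new connection
            return verdict
        return "deny"                      # mid-stream packet with no matching state


def smtp_gateway_check(p: Packet) -> str:
    """Minimal application-layer check an SMTP proxy makes on the server's first line:
    an SMTP greeting starts with '220'; anything else on port 25 (for example an SSH
    banner) is refused even though the 5-tuple is permitted by the ACL."""
    if p.sport != 25 or not p.payload:
        return "allow"                     # not a server reply on 25; nothing to inspect
    first_line = p.payload.split(b"\r\n", 1)[0]
    return "allow" if first_line.startswith(b"220") else "deny"


def demo() -> dict:
    """Run the three checks over constructed packets and return the verdicts."""
    client_syn = Packet("tcp", "203.0.113.5", 40000, "10.0.0.25", 25, syn=True)
    stray_ack = Packet("tcp", "203.0.113.9", 40001, "10.0.0.25", 25, ack=True)
    smtp_banner = Packet("tcp", "10.0.0.25", 25, "203.0.113.5", 40000, ack=True,
                         payload=b"220 mail.example.test ESMTP\r\n")
    ssh_banner = Packet("tcp", "10.0.0.25", 25, "203.0.113.5", 40000, ack=True,
                        payload=b"SSH-2.0-OpenSSH_8.2\r\n")
    fw = StatefulFirewall()
    return {
        "stateless_syn": stateless_filter(client_syn),    # allow
        "stateless_stray": stateless_filter(stray_ack),   # allow: the 5-tuple looks fine
        "stateful_syn": fw.decide(client_syn),            # allow, and recorded
        "stateful_stray": fw.decide(stray_ack),           # deny: no known conversation
        "stateful_reply": fw.decide(smtp_banner),         # allow: reverse of recorded key
        "gateway_smtp": smtp_gateway_check(smtp_banner),  # allow
        "gateway_ssh": smtp_gateway_check(ssh_banner),    # deny: not SMTP on port 25
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The stray ACK shows the difference the report describes: the stateless filter passes it because the 5-tuple matches the SMTP rule, while the stateful firewall drops it because no SYN for that conversation was ever recorded. The banner check shows why an application gateway defeats the SSH-on-port-25 trick that a packet filter cannot see.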
In conclusion, each firewall type has its own advantages and disadvantages. One
firewall may be applicable in one situation but not in another. When implementing a
firewall solution, an organization needs to evaluate the advantages and disadvantages
of each firewall technology and apply the best solution to meet the organization's
security requirements.
2.3 Analysis 4 - Hardware, Software and Virtual Firewalls
Firewalls protect a trusted network from an untrusted network. They are
classified as hardware firewalls, software firewalls or virtual firewalls. These three
types differ in where they sit in the network, and each has advantages and
disadvantages, which are discussed below.
Software firewalls include any type of firewall that is installed on a local device
rather than on a separate piece of hardware (or a cloud server). The big benefit of a
software firewall is that it is highly useful for creating defence in depth by
isolating individual network endpoints from one another.
However, maintaining individual software firewalls on different devices can be difficult
and time-consuming. Furthermore, not every device on a network may be compatible
with a single software firewall, which may mean having to use several different
software firewalls to cover every asset.
Hardware firewalls use a physical appliance that acts in a manner similar to a
traffic router to intercept data packets and traffic requests before they're connected to
the network's servers. Physical appliance-based firewalls like this excel at perimeter
security by making sure malicious traffic from outside the network is intercepted before
the company's network endpoints are exposed to risk.
The major weakness of a hardware-based firewall, however, is that it is often easy for
insider attacks to bypass them. Also, the actual capabilities of a hardware firewall may
vary depending on the manufacturer—some may have a more limited capacity to
handle simultaneous connections than others, for example.
Whenever a cloud solution is used to deliver a firewall, it can be called a cloud
firewall, a virtual firewall or firewall-as-a-service (FWaaS). Cloud firewalls are
considered synonymous with proxy firewalls by many, since a cloud server is often used
in a proxy firewall setup (although the proxy does not have to be in the cloud, it
frequently is).
The big benefit of cloud-based firewalls is that they are very easy to scale within
the organization. As its needs grow, additional capacity can be added to the cloud
server to filter larger traffic loads. Cloud firewalls, like hardware firewalls, excel
at perimeter security.
The hardware firewall is a stand-alone network device. It has dedicated
components, and the resources it possesses are optimally tailored for correct and
rapid operation. When selecting a specific model of hardware firewall, the
manufacturer's technical documentation should be carefully analysed. An important
feature of hardware firewalls is that they do not depend on third-party software.
A software firewall is typically represented by a server with two network
interfaces and a special application responsible for functions such as packet
filtering, NAT or proxying. It controls network traffic using interfaces configured
in bridge mode: all packets passing from one subnet to the other are filtered
according to the rules written by the administrator. Software firewalls do not have
dedicated resources; they use the resources of the operating system on which they are
installed and cannot operate independently of it. Software firewalls are very
flexible and can be extended with additional modules, although their configuration is
considerably more difficult since the majority of programs have only a textual
interface. An advantage of the software firewall is that many free versions are
available on the Internet.
Virtual machines run in an environment monitored by the hypervisor. When
multiple machines run within a single virtual environment, a virtual network
including all the physical network elements (routers, switches and firewalls) is
created. A virtual firewall is responsible for the security of communication between
virtual hosts, and also for communication between the physical and virtual networks.
Some virtual firewalls integrate additional network features such as VPN or QoS.
Virtual firewalls do not have dedicated hardware resources but use the resources
provided by the virtualization layer. The advantage of such solutions is the
flexibility to change the hardware parameters of each machine.
In conclusion, there is no single best firewall type. The point is to choose the
one that fits the user's needs and criteria.
Conclusion
In conclusion, from the firewall techniques observed and discussed, namely the
cloud firewall, detecting DNS tunneling using machine learning, the packet filter,
and the comparison between hardware, software and virtual firewalls, it is evident
that each firewall has its own advantages and disadvantages. One firewall may be
applicable in one situation but not in another. When implementing a firewall
solution, an organization needs to evaluate the advantages and disadvantages of each
firewall technology and apply the best solution to meet the organization's security
requirements. Each firewall has its own unique strengths and suits specific criteria
of the system, so analysing the options and implementing the appropriate firewall is
the best way to select a proper firewall technique.
Reference
Firewalls: hardware vs software. Retrieved from https://www.techadvisory.org/2017/03/firewalls-hardware-vs-software/
Processing Time Comparison of a Hardware-Based Firewall and its Virtualized Counterpart. Retrieved from https://www.informatik.uni-wuerzburg.de/comnet/team/mitarbeiter/nicholas-gray/?tx_extbibsonomycsl_publicationlist%5BuserName%5D=uniwue_info3&tx_extbibsonomycsl_publicationlist%5BintraHash%5D=ee5cd30a11582eea5e48913738995002&tx_extbibsonomycsl_publicationlist%5BfileName%5D=firewall_author.pdf&tx_extbibsonomycsl_publicationlist%5Baction%5D=download&tx_extbibsonomycsl_publicationlist%5Bcontroller%5D=Document&cHash=e336f89299130d889a5b021296eb44e3
Analysis of Performance and Efficiency of Hardware and Software Firewalls. Retrieved from https://www.researchgate.net/publication/322857184_Analysis_of_Performance_and_Efficiency_of_Hardware_and_Software_Firewalls/fulltext/5a732bb5458515512076d0cd/Analysis-of-Performance-and-Efficiency-of-Hardware-and-Software-Firewalls.pdf?origin=publication_detail
Circuit-Level Gateway. Retrieved from https://en.wikipedia.org/wiki/Circuit-level_gateway#:~:text=A%20circuit%2Dlevel%20gateway%20is,a%20requested%20session%20is%20legitimate.
Cloud Firewalls. Retrieved from https://www.barracuda.com/glossary/cloud-firewall#:~:text=Cloud%20Firewalls%20are%20software%2Dbased,sit%20within%20online%20application%20environments.
Next-Generation Firewall. Retrieved from https://en.wikipedia.org/wiki/Next-generation_firewall
What is a Cloud Firewall? | Firewall as a Service. Retrieved from https://www.cloudflare.com/learning/cloud/what-is-a-cloud-firewall/
What is Network Security? (2020). Retrieved 8 December 2020, from https://www.forcepoint.com/cyber-edu/network-security#:~:text=Network%20security%20is%20a%20broad,both%20software%20and%20hardware%20technologies.
http://www.ripublication.com/ijaer17/ijaerv12n22_137.pdf