7 Firewall

The document discusses network security, focusing on firewalls and VPNs as essential mechanisms for protecting internal networks from external threats. It outlines various types of firewalls, their characteristics, and configurations, emphasizing the importance of secure setups like bastion hosts and demilitarized zones (DMZ). Additionally, it introduces IPSec for secure communications and highlights its functionalities, including authentication and confidentiality.


Network Security, Firewall & VPN
INTRODUCTION
 Network security mechanisms are a key aspect of the Internet
 They are used extensively in real life
 A firewall is a technology widely used by organizations to protect the internal network from outside attack
Why is a firewall needed?
 A private network may consist of different platforms with diverse operating systems and applications running on them.
 Many of these applications were designed and developed for an ideal environment, without considering the possibility that bad guys exist.
 Most corporate networks are not designed for security.
 Hence it is essential to deploy a firewall to protect the vulnerable infrastructure of an enterprise.
Types of attack from the corporation's viewpoint
 At a broad level there are two types of attack:
 Leaking of valuable information and confidential data from inside the network
 Danger of an outside element (e.g. a virus) entering the corporate network to create havoc
Firewall
 A network firewall protects a computer network from unauthorized access. Network firewalls may be hardware devices, software programs, or a combination of the two.
 A firewall has a set of rules which are applied to each packet. The rules decide whether a packet can pass or whether it is discarded.
 Usually a firewall is placed between a network that is trusted and one that is less trusted. When a large network needs to be protected, the firewall software often runs on dedicated hardware which does nothing else.
Figure: A firewall protects a number of computers on a LAN against unauthorized access.
Firewall Characteristics
 Technically a firewall is a specialized version of a router
 All traffic from outside to inside and vice versa must pass through the firewall; this is achieved by physically blocking all access to the local network except via the firewall
 Only traffic authorized by the local security policy is allowed to pass
 The firewall itself must be strong enough that attacks on it are useless; it runs on a hardened, trusted system with a secured operating system
Firewall Characteristics
Some general techniques that firewalls use to control access are as follows.
 Service control: Determines the types of Internet services that can be accessed, inbound or outbound. The firewall may filter traffic on the basis of IP address and TCP port number.
 Direction control: Determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.
 User control: Controls access to a service according to which user is attempting to access it. This is usually applied to inside users. For incoming traffic from outside the firewall, a secure authentication technology such as IPSec is required.
 Behavior control: Controls how particular services are used. For example, it may enable external access to only a portion of the information on a local Web server.
Types of Firewall
 Packet Filters
 Application Gateways
Packet Filter
 It applies a set of rules to each packet and, based on the outcome, decides to either forward or discard the packet
 Also called a screening router / screening filter
 Implementation involves a router configured to filter packets going in either direction
 Filtering rules are based on fields in the IP and TCP/UDP headers (source and destination IP address, protocol, source and destination port) and on the interface the packet arrived on
Packet Filter
A packet filter performs 3 main functions:
 Receive each packet as it arrives
 Pass or discard the packet following a set of rules based on the contents of the IP and TCP/UDP headers. If a rule matches, the action of that rule decides
 If no rule matches, take the default action. The default can be to accept all packets (default = forward) or to discard all packets (default = discard); the latter is the more conservative policy
Packet Filter
Figure: Algorithm of packet filtering
Advantages of Packet Filter
 It is simple
 Users need not be aware of the presence of the packet filter (it is transparent)
 They are very fast in operation
Disadvantages of Packet Filter
 Difficulty in setting up packet filter rules correctly
 No authentication of users; decisions are based only on header fields, which can be forged
Types of attack on Packet Filter
1. IP address spoofing: An intruder from outside sends a packet whose source IP address is an internal address, hoping it will be accepted as internal traffic. Countermeasure: discard any packet with an inside source address that arrives on the external interface.
2. Source routing attack: The attacker specifies the route a packet must take, in the belief that the packet filter can be fooled into bypassing its checks. Countermeasure: discard all packets that carry the source-routing option.
3. Tiny fragment attack: Packets must be fragmented when they exceed the MTU. The attacker uses very small fragments so that the TCP header is split across fragments, hoping the packet filter only checks the first fragment and passes the rest. Countermeasure: require the first fragment to contain the whole transport header, and discard fragments with offset 1.
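The following is an added example, not code from the original slides: a small stateless packet filter in the style of a screening router. It applies an ordered rule list with a default policy, and before consulting the rules it applies the three countermeasures above (anti-spoofing on the external interface, rejection of source-routed packets, and a tiny-fragment check). The internal network 192.168.1.0/24, the interface names "ext"/"int", the rule set and the sample packets are all constructed for illustration.

```python
# Added example (not from the original slides): a stateless packet filter.
# INTERNAL_NET, interface names, RULES and the sample packets are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed internal LAN
MIN_FIRST_FRAG = {"tcp": 20, "udp": 8}                   # bytes needed for the transport header


@dataclass
class Packet:
    iface: str                    # "ext" = arrived from the Internet, "int" = from the LAN
    src: str
    dst: str
    proto: str                    # "tcp" / "udp" / "icmp"
    dport: Optional[int] = None   # None when the transport header is not present
    frag_offset: int = 0          # IP fragment offset in 8-byte units
    payload_len: int = 1000       # bytes after the IP header
    more_fragments: bool = False  # IP MF flag
    source_routed: bool = False   # IP source-routing option present


@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    iface: Optional[str] = None
    src: Optional[str] = None     # CIDR
    dst: Optional[str] = None     # CIDR
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # a field left as None is a wildcard
        return all([
            self.iface is None or self.iface == p.iface,
            self.src is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src),
            self.dst is None or ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst),
            self.proto is None or self.proto == p.proto,
            self.dport is None or self.dport == p.dport,
        ])


def sanity_checks(p: Packet) -> Optional[str]:
    """Countermeasures to the three attacks on packet filters; None = passes."""
    # 1. IP spoofing: an internal source address must never arrive from outside
    if p.iface == "ext" and ipaddress.ip_address(p.src) in INTERNAL_NET:
        return "deny: spoofed internal source address on external interface"
    # 2. Source routing: never honour attacker-chosen routes
    if p.source_routed:
        return "deny: source-routed packet"
    # 3. Tiny fragments: offset 1 overlaps the transport header, and a first
    #    fragment that cannot hold the whole header hides the port from us
    if p.frag_offset == 1:
        return "deny: fragment offset 1 (tiny fragment attack)"
    if (p.frag_offset == 0 and p.more_fragments
            and p.payload_len < MIN_FIRST_FRAG.get(p.proto, 0)):
        return "deny: first fragment too small to hold the transport header"
    return None


def filter_packet(rules, p: Packet, default: str = "deny") -> str:
    reason = sanity_checks(p)
    if reason:
        return reason
    for r in rules:               # first matching rule wins
        if r.matches(p):
            return r.action
    return default                # no rule matched: apply the default policy


# Constructed rule set: inbound mail to one host, inbound web to another,
# telnet from outside is never allowed, anything outbound from the LAN is fine.
RULES = [
    Rule("allow", iface="ext", dst="192.168.1.10/32", proto="tcp", dport=25),
    Rule("allow", iface="ext", dst="192.168.1.20/32", proto="tcp", dport=80),
    Rule("deny",  iface="ext", proto="tcp", dport=23),
    Rule("allow", iface="int", src="192.168.1.0/24"),
]

if __name__ == "__main__":
    samples = [
        Packet("ext", "203.0.113.5", "192.168.1.10", "tcp", 25),
        Packet("ext", "203.0.113.5", "192.168.1.10", "tcp", 23),
        Packet("ext", "192.168.1.77", "192.168.1.10", "tcp", 25),              # spoofed
        Packet("ext", "203.0.113.5", "192.168.1.20", "tcp", 80, frag_offset=1),
        Packet("int", "192.168.1.33", "203.0.113.5", "tcp", 443),
    ]
    for s in samples:
        print(s.iface, s.src, "->", s.dst, s.proto, s.dport, "=>", filter_packet(RULES, s))
```

Note that the order of the rules matters: a "deny telnet" rule placed after a broad allow would never be reached, which is exactly the kind of mistake behind the "difficulty in setting up rules correctly" disadvantage.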
Dynamic Packet Filter
 An advanced type of packet filter
 Also called a stateful packet filter (stateful inspection firewall)
 It examines packets based on the current state of the connections through the network
 For example, allowing an incoming packet only if it is a response to an outgoing TCP connection that has already passed through the firewall
 It has to maintain a table of currently open connections (the state table), updated from the outgoing packets, in order to apply this rule
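The following is an added example, not code from the original slides: a minimal stateful filter for TCP. An outbound SYN creates an entry in the connection table; inbound packets are admitted only if they belong to an entry, and an inbound SYN (a connection attempt from outside) is dropped because no entry exists for it. The addresses, ports and flag strings are constructed for illustration, and teardown is simplified to forgetting the connection on the first FIN or RST.

```python
# Added example (not from the original slides): a dynamic (stateful) packet
# filter for TCP.  Sample addresses/ports are constructed; teardown is simplified.
from dataclasses import dataclass


@dataclass(frozen=True)
class Tcp:
    direction: str   # "out" (LAN -> Internet) or "in" (Internet -> LAN)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # any of "S" (SYN), "A" (ACK), "F" (FIN), "R" (RST)


class StatefulFilter:
    """Admit inbound TCP only for connections that the inside opened."""

    def __init__(self):
        self.table = {}   # (inside ip, inside port, outside ip, outside port) -> state

    @staticmethod
    def key(p: Tcp):
        # normalise so that both directions of one connection share a key
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def process(self, p: Tcp) -> str:
        k = self.key(p)
        state = self.table.get(k)
        if state is None:
            # only an outbound SYN may create an entry; an inbound SYN or any
            # packet for an unknown connection is dropped
            if p.direction == "out" and "S" in p.flags and "A" not in p.flags:
                self.table[k] = "SYN_SENT"
                return "allow"
            return "deny"
        if p.direction == "in" and state == "SYN_SENT":
            if "S" in p.flags and "A" in p.flags:
                self.table[k] = "ESTABLISHED"
            else:
                return "deny"   # before the handshake completes only a SYN/ACK is expected
        if "R" in p.flags or "F" in p.flags:
            del self.table[k]   # simplified teardown; real trackers wait for both FINs
        return "allow"

    def open_connections(self) -> int:
        return len(self.table)


if __name__ == "__main__":
    fw = StatefulFilter()
    for pkt in [
        Tcp("out", "192.168.1.33", 40000, "203.0.113.5", 443, "S"),
        Tcp("in", "203.0.113.5", 443, "192.168.1.33", 40000, "SA"),
        Tcp("out", "192.168.1.33", 40000, "203.0.113.5", 443, "A"),
        Tcp("in", "198.51.100.9", 443, "192.168.1.33", 40000, "A"),   # not ours
        Tcp("in", "203.0.113.5", 12345, "192.168.1.10", 22, "S"),     # inbound SYN
    ]:
        print(pkt.direction, pkt.src, pkt.sport, "->", pkt.dst, pkt.dport, pkt.flags, "=>", fw.process(pkt))
```

A stateless filter would have to allow all inbound packets with the ACK bit set to let replies through; the state table removes that hole, at the cost of memory per connection, which is why real implementations also expire idle entries.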
Dynamic Packet Filter
Bastion Host
It is a system identified by the firewall administrator as a critical strong point in the network's security, and it serves as a platform for application-level as well as circuit-level gateways.
Characteristics:
 The bastion host hardware platform executes a secure version of its operating system, making it a trusted system
 Only the services that the network administrator considers essential are installed on the bastion host; typically proxy applications for DNS, FTP, TELNET, SMTP, etc.
 The bastion host may require additional authentication before a user is allowed access to the proxy services
 Each proxy runs as a non-privileged user in a private and secured directory on the bastion host
Bastion Host
 Each proxy is configured to support only a subset of the standard application's command set and to allow access only to specific host systems
 Each proxy maintains detailed audit information by logging all traffic, each connection and the duration of each connection
 Each proxy module is a very small software package designed specifically for network security; because of its simplicity it is easy to check for security flaws
 Each proxy is independent of the other proxies on the bastion host; if one is discovered to be faulty it can be uninstalled without affecting the operation of the other proxy applications
 A proxy generally performs no disk access other than reading its initial configuration file, making it difficult for an intruder to install Trojan horse sniffers or other dangerous files on the bastion host
Application Gateway
 Also called a proxy server, as it acts like a proxy and decides about the flow of application-level traffic
 An internal user contacts the application gateway using a TCP/IP application such as TELNET or FTP
 The application gateway asks the user for the remote host with which the user needs to connect. It also asks for a user id and password
 The user provides the id and password
 The application gateway accesses the remote host on behalf of the user and relays the application data between the two connections
 From here on the application gateway acts as a proxy for the actual end user
 The application gateway is service specific, e.g. FTP, TELNET, SMTP or HTTP; a service for which no proxy is installed cannot pass through it
Application Gateway
Circuit-level Gateway
 A circuit-level gateway can be a standalone system or a specialized function performed by an application-level gateway for certain applications.
 It does not allow an end-to-end TCP connection; instead the gateway sets up two TCP connections, one between itself and the inside user and one between itself and the outside host.
 Once the two TCP connections are established, the gateway relays TCP segments from one connection to the other without examining the contents.
 The security function consists of determining which connections will be allowed and which are to be disallowed.
Circuit -level Gateway
Network Address Translation
 NAT works by using one set of addresses for communication on the Internet and a separate set of addresses for communication on the private network.
 IANA set aside three ranges of IP addresses (RFC 1918) for communication on internal networks; these are not routable on the public Internet:
Class A addresses: 10.0.0.0 – 10.255.255.255
Class B addresses: 172.16.0.0 – 172.31.255.255
Class C addresses: 192.168.0.0 – 192.168.255.255
 The firewall performs translation of an internal address to an external IP address and vice versa to facilitate communication between the private and the public network.
 NAT affords some degree of security by preventing direct communication with internal hosts: an outside host cannot initiate a connection to a private address, since no translation entry exists for it. This is not a substitute for filtering, but it hides the internal addressing. NAT also allows the use of the same IP addresses in different private networks, prolonging the life expectancy of IPv4 on the Internet.
 Without NAT the supply of IPv4 addresses would have been exhausted long ago.
Firewall Configuration
 Screened host firewall, single-homed bastion
 Screened host firewall, dual-homed bastion
 Screened subnet firewall
Single-homed bastion
 Here the firewall setup consists of 2 parts: a packet-filtering router and an application gateway (the bastion host).
 The packet filter ensures that incoming traffic (from the Internet to the corporate network) is allowed only if it is destined for the application gateway.
 It also ensures that outgoing traffic is allowed only if it originates from the application gateway.
 The application gateway performs authentication and proxy functions.
 This configuration increases the security of the network and gives the network administrator more flexibility to define granular security policies.
 The problem is that the internal hosts are connected to the packet filter as well as to the application gateway; if the packet filter is compromised, traffic can flow directly between the Internet and the internal hosts, bypassing the gateway.
Screened host firewall, Single –homed bastion
Dual-homed bastion
 To overcome the drawback of the screened host firewall, single-homed bastion configuration, the screened host firewall, dual-homed bastion configuration is introduced.
 Direct connection between the internal hosts and the packet filter is avoided.
 The packet filter connects only to the application gateway, and the application gateway has a separate internal interface connecting it to the internal hosts.
 Even if the packet filter is attacked successfully, only the application gateway is visible to the attacker; the internal hosts are protected.
Screened host firewall, Dual –homed bastion
Screened subnet firewall
 This configuration offers the highest security among the possible firewall configurations.
 It is an improvement over the previous scheme.
 Here two packet filters are used: one between the Internet and the application gateway, another between the application gateway and the internal users. The subnet between the two routers forms an isolated subnetwork.
 Hence there are three levels of security for the attacker to break through.
 The attacker needs to break into the two packet filters and the application gateway to reach the internal users, hence it is more secure than the other configurations.
Screened subnet firewall
Demilitarized Zone
 Firewalls can be arranged to form a DMZ; this is required only when some servers also need to be accessed by the outside world.
 Here the firewall has at least three network interfaces: one connects to the internal network, the second connects to the external public network, and the third connects to the public servers (which form the DMZ network).
 Here access to any service can be restricted, so if only the web server needs to be accessed from outside, then only that traffic is allowed into the DMZ and all other traffic is blocked.
 As the internal network is not directly connected to the DMZ, a compromised DMZ server still does not give the attacker direct access to the internal network.
Figure: DMZ. The firewall has three interfaces: the Internet, the internal private network, and the demilitarized zone (DMZ).
Limitations of a Firewall
The main limitations of a firewall system are given below:
 A firewall cannot protect against attacks that bypass the firewall. Many organizations buy expensive firewalls but neglect the numerous other back doors into their network, such as dial-in modems.
 A firewall does not protect against internal threats from traitors. An attacker may be able to break into the network by completely bypassing the firewall if he can find a "helpful" insider who can be fooled into giving access to a modem pool.
 Firewalls can't protect against tunneling over most application protocols. For example, a firewall cannot protect against the transfer of virus-infected programs or files.
IPSec applications
 Secure branch office connectivity over the Internet: A company can build a secure VPN over the Internet.
 Secure remote access over the Internet: reduces travel and dial-in charges for employees.
 Establishing extranet and intranet connectivity with partners: ensures security, authenticity and confidentiality of communication with other organizations.
 Enhancing electronic commerce security: even where Web and e-commerce applications have their own security protocols, the use of IPSec enhances that security.
Benefits of IPSec
 When IPSec is implemented in a firewall or a router, it provides strong security that can be applied to all traffic crossing the perimeter.
 IPSec in a firewall is resistant to bypass: all traffic from outside must use IP, and the firewall is the only entry point from the Internet into the organization.
 IPSec is below the transport layer and hence transparent to applications; there is no need to change software when IPSec is implemented in the firewall or router.
 IPSec can be transparent to end users, hence there is no need to train users or to manage keys on a per-user basis.
 It can provide security for individual users too (e.g. off-site workers).
IPSec
 IPSec encrypts and seals the transport and application layer data during transmission
 It also provides integrity protection for the Internet layer
 The Internet (IP) header is not encrypted like the other layers; it is handled by a different procedure, since the outer header must stay readable for routers to forward the packet
 The sender and the receiver see IPSec as another layer in the TCP/IP protocol stack
Figure: Conceptual IPSec positioning in the TCP/IP protocol stack
IPSec Basic concepts
 IPSec uses IP headers known as extension headers and offers two main services:
a) authentication b) confidentiality
 The two extension headers are
1) Authentication Header (AH)
2) Encapsulating Security Payload (ESP)
IPSec Protocols
 Authentication Header (AH)
 Encapsulating Security Payload (ESP)
Authentication Header
 This protocol provides data integrity, data origin authentication and an optional anti-replay service for IP datagrams
 Data integrity ensures that the data is not tampered with in transit; authentication ensures that IP spoofing attacks are defeated, since an attacker without the key cannot produce a valid AH
 AH is a header in an IP packet which contains a cryptographic checksum (the Integrity Check Value, ICV) over the contents of the packet
 The AH is simply inserted between the IP header and any subsequent packet contents
 No changes are required to the data contents of the packet; hence all the security resides in the contents of the AH
 AH is based on a MAC (message authentication code, e.g. HMAC), where the two communicating parties share a secret key used to compute and verify the MAC
Encapsulating Security Payload
 This protocol provides data confidentiality (and, optionally, integrity and authentication)
 ESP defines a new header to be inserted into the IP packet
 ESP processing also includes transformation of the protected data into an unreadable, encrypted format
 Generally, when both are applied, ESP will be inside AH: AH authenticates the already-encrypted ESP packet
 Encryption precedes authentication: the sender encrypts first and then computes the MAC over the ciphertext
 On reception of an IP packet that was processed by IPSec, the receiver first processes the AH to see whether the contents are in order; only then does it look up the key and algorithm associated with the SA and decrypt the payload
AH & ESP modes of operation
 Tunnel Mode
 Transport Mode
Tunnel Mode
 Here an encrypted tunnel is established between two security gateways (or a gateway and a host), and the tunnel carries the transmission
Implementation of Tunnel Mode
 Here there are two sets of IP headers: internal and external
 The internal IP header (encrypted) contains the original source and destination addresses (X & Y)
 The external IP header contains the source and destination IP addresses of the proxies / security gateways (P1 & P2)
 In this mode IPSec protects the entire IP datagram: it takes an IP datagram, adds the IPSec header and trailer and encrypts the whole thing
 It then adds the new IP header to this encrypted datagram
 This mode is used between two routers, a host and a router, or a router and a host
 It is typically not used between two hosts; transport mode serves that case
IPSec Tunnel Mode
Implementation of Transport Mode
 Here it doesn't hide the actual source and destination addresses; they are visible in plain text while in transit
 IPSec takes the transport layer payload, adds the IPSec header and trailer, encrypts the whole thing and then adds the original IP header
 The IP header is not encrypted
 This mode is used for host-to-host encryption
 The sending host uses IPSec to authenticate and encrypt the transport layer payload, and the receiver verifies and decrypts it
IPSec Transport Mode
Internet Key Exchange protocol (IKE)
 Used for key management procedures
 It is used to negotiate the cryptographic algorithms to be used later by AH & ESP
 This is the initial phase of IPSec, where algorithms and keys are decided
 After this phase the AH & ESP protocols take over
Security association
The output of the IKE phase is a Security Association (SA), which is an agreement between the communicating parties regarding
 the IPSec protocol (AH or ESP) and version in use
 the mode of operation (tunnel or transport)
 the cryptographic algorithms
 the cryptographic keys
 the lifetime of the keys
 The principal objective of IKE is to establish an SA between two parties, after which the major protocols (AH, ESP) make use of it for their operation
Security association
 An SA is simplex, i.e. unidirectional; hence two SAs are needed per two-way communication
 For two communicating parties using both AH & ESP, 4 SAs would be required
 A standard storage area must be allocated at each end for storing SA information; this is called the Security Association Database (SAD), which is defined and used by IPSec
 The SAD contains the active SA entries, looked up by the SPI carried in the AH or ESP header
Dealing with replay attack
 In a replay attack the attacker obtains a copy of an authenticated packet and later sends it to the receiver, possibly many times, to flood or confuse the destination
 Hence AH (and ESP) contains a field called the sequence number
 Whenever a sender sends a packet to the same receiver over the same SA it increments the value of the sequence number by 1, and this number must not wrap around from 2^32 - 1 to 0
Dealing with replay attack - sender side
 On establishing a new SA the sender initializes the sequence number to zero and increments it each time a packet is sent over the SA, so the first packet carries 1
 If anti-replay is enabled then the counter must not cycle past 2^32 - 1 back to 0
 On reaching the limit 2^32 - 1 the SA is terminated and a new SA is negotiated with a new key; otherwise multiple packets would be received with the same sequence number value
Dealing with replay attack - receiver side
 The receiver maintains a sliding window of size W, with a default of W = 64, where the right edge of the window represents the highest sequence number N received so far for a valid packet
 For any sequence number from (N - W + 1) to N that has been correctly received, the corresponding slot in the window is marked; otherwise it is unmarked
Dealing with replay attack - receiver side ..contd
When a packet is received:
 If the received packet falls within the window and is new, the MAC is checked. If the packet is authenticated, the corresponding slot is marked
 If the received packet is to the right of the window and is new, the MAC is checked; if the packet is authenticated, the window is advanced so that this sequence number becomes the right edge of the window, and the slot is marked
 If the received packet is to the left of the window, or authentication fails, the packet is discarded ** (and the event may be logged)
** this action thwarts the replay attack
Figure: Receiver's sliding window, W = 8. The slots from N-W+1 to N are marked if a valid packet with that sequence number has been received, and unmarked if a valid packet has not yet been received.
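The following is an added example, not code from the original slides: the receiver-side anti-replay check described above, implemented as a W-bit bitmap where bit i stands for sequence number N - i. Whether a packet's MAC verifies is passed in as a boolean by the caller, since the MAC itself is computed by AH or ESP; the sample sequence numbers and the small window W = 8 are constructed for illustration.

```python
# Added example (not from the original slides): receiver anti-replay window.
# mac_ok stands in for the AH/ESP MAC check; sequence numbers are constructed.

class AntiReplayWindow:
    def __init__(self, w: int = 64):
        self.w = w
        self.n = 0          # highest sequence number accepted so far (right edge)
        self.bitmap = 0     # bit i set  =>  sequence number n - i was received

    def check(self, seq: int, mac_ok: bool) -> str:
        """Return 'accept' or a rejection reason; state changes only on accept."""
        if seq == 0:
            return "reject: sequence number 0 is never valid"
        if seq > self.n:                           # right of the window: new
            if not mac_ok:
                return "reject: bad MAC"
            shift = seq - self.n
            if shift >= self.w:
                self.bitmap = 0                    # jumped past the whole window
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.w) - 1)
            self.bitmap |= 1                       # mark the new right edge
            self.n = seq
            return "accept"
        if seq <= self.n - self.w:                 # left of the window
            return "reject: too old (left of window)"
        bit = 1 << (self.n - seq)                  # inside the window
        if self.bitmap & bit:
            return "reject: replay (already received)"   # rejected before any MAC work
        if not mac_ok:
            return "reject: bad MAC"
        self.bitmap |= bit                         # new and authentic: mark the slot
        return "accept"

    def marked(self) -> list:
        """Sequence numbers currently marked in the window, for inspection."""
        return [self.n - i for i in range(self.w) if self.bitmap >> i & 1]


if __name__ == "__main__":
    win = AntiReplayWindow(w=8)
    for seq, ok in [(1, True), (3, True), (2, True), (2, True), (20, True), (12, True), (13, True), (14, False)]:
        print(f"seq={seq:2d} mac_ok={ok!s:5} -> {win.check(seq, ok)}  window N={win.n} marked={win.marked()}")
```

A replayed packet that is still inside the window is rejected by the bitmap without verifying its MAC; a replay that is older than the window is rejected by the left-edge test. Both save the receiver the MAC computation, which is the point of doing the window test first.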
Modes of operation
Both AH & ESP work in tunnel and transport mode
AH transport Mode
Before applying AH:
[IP Header][TCP Header][Original data]
After applying AH:
[IP Header][AH][TCP Header][Original data]
 In transport mode the position of AH is between the original IP header and the original TCP header of the IP packet
 The ICV in the AH covers the whole packet except the mutable IP header fields (e.g. TTL, header checksum), which are treated as zero when the MAC is computed since routers change them in transit
AH tunnel Mode
Before applying AH:
[IP Header][TCP Header][Original data]
After applying AH:
[New IP Header][AH][Original IP Header][TCP Header][Original data]
 In tunnel mode the entire original IP packet is authenticated, and the AH is inserted between the new outer IP header and the original inner IP header; the inner IP header contains the original source and destination addresses and the outer new IP header contains the addresses of the firewalls or routers
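The following is an added example, not code from the original slides: building and verifying the AH Integrity Check Value for the transport and tunnel layouts shown above. The MAC is HMAC-SHA256 truncated to 96 bits; the key, SPI, addresses and TCP segment are constructed. Only a minimal IPv4 header is modelled, and TTL and header checksum stand in for the set of mutable fields that are zeroed before the ICV is computed (a real implementation also treats TOS, flags and options specially).

```python
# Added example (not from the original slides): AH ICV computation in
# transport and tunnel mode.  KEY, SPI, addresses and payload are constructed;
# only TTL and checksum are modelled as mutable fields.
import hashlib
import hmac
import ipaddress
import struct

KEY = b"\x11" * 32           # constructed SA key
SPI = 0x1000                 # constructed Security Parameter Index
AH_PROTO = 51
ICV_LEN = 12                 # 96-bit truncated HMAC-SHA256


def ip_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64, cksum: int = 0) -> bytes:
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, cksum,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def zero_mutable(ip_hdr: bytes) -> bytes:
    """TTL (byte 8) and header checksum (bytes 10-11) change in transit; zero them."""
    return ip_hdr[:8] + b"\x00" + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:]


def ah_header(next_header: int, seq: int, icv: bytes) -> bytes:
    payload_len = (12 + len(icv)) // 4 - 2          # AH length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_header, payload_len, 0, SPI, seq) + icv


def compute_icv(ip_hdr: bytes, next_header: int, seq: int, rest: bytes) -> bytes:
    # the MAC covers the packet with mutable fields and the ICV field itself set to zero
    data = zero_mutable(ip_hdr) + ah_header(next_header, seq, b"\x00" * ICV_LEN) + rest
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def apply_ah_transport(src: str, dst: str, tcp_segment: bytes, seq: int) -> bytes:
    hdr = ip_header(src, dst, AH_PROTO, 20 + 12 + ICV_LEN + len(tcp_segment))
    icv = compute_icv(hdr, 6, seq, tcp_segment)                  # next header 6 = TCP
    return hdr + ah_header(6, seq, icv) + tcp_segment


def apply_ah_tunnel(gw_src: str, gw_dst: str, inner_packet: bytes, seq: int) -> bytes:
    outer = ip_header(gw_src, gw_dst, AH_PROTO, 20 + 12 + ICV_LEN + len(inner_packet))
    icv = compute_icv(outer, 4, seq, inner_packet)               # next header 4 = IP-in-IP
    return outer + ah_header(4, seq, icv) + inner_packet


def verify_ah(packet: bytes) -> bool:
    ip_hdr, ah = packet[:20], packet[20:]
    next_header, _, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    icv, rest = ah[12:12 + ICV_LEN], ah[12 + ICV_LEN:]
    if spi != SPI:
        return False
    return hmac.compare_digest(icv, compute_icv(ip_hdr, next_header, seq, rest))


def decrement_ttl(packet: bytes) -> bytes:
    """What a router does in transit: TTL - 1 and a new checksum (dummy value here)."""
    return packet[:8] + bytes([packet[8] - 1]) + packet[9:10] + b"\xab\xcd" + packet[12:]


if __name__ == "__main__":
    seg = bytes(20) + b"hello"                                   # constructed TCP segment
    pkt = apply_ah_transport("192.168.1.33", "203.0.113.5", seg, 1)
    print("transport verifies:", verify_ah(pkt), "after a router hop:", verify_ah(decrement_ttl(pkt)))
    inner = ip_header("192.168.1.33", "10.0.0.7", 6, 20 + len(seg)) + seg
    tun = apply_ah_tunnel("203.0.113.1", "198.51.100.1", inner, 7)
    print("tunnel verifies:", verify_ah(tun), "next header:", tun[20])
```

The zeroing of mutable fields is what lets the packet survive routers that decrement the TTL; it is also why AH cannot pass through a NAT, since the source address is covered by the ICV and NAT rewrites it.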
ESP Transport Mode
Before applying ESP:
[IP header][TCP header][Original data]
After applying ESP:
[Original IP header][ESP Header][TCP header][Original data][ESP trailer][ESP auth]
  encrypted: TCP header, Original data, ESP trailer
  authenticated: ESP Header through ESP trailer
ESP Transport Mode
 Used to encrypt and optionally authenticate the data carried by IP
 The ESP header (SPI and sequence number) is inserted into the IP packet immediately before the transport layer header (TCP / UDP)
 The ESP trailer (padding, pad length, next header) is added after the transport layer payload
 If authentication is used then the ESP authentication data field is added after the ESP trailer
 The entire transport layer segment along with the ESP trailer is encrypted
 The entire ciphertext along with the ESP header is authenticated
ESP Transport Mode Operation
1) The ciphertext (CT) is ready for transmission at the sender's end, with the original IP header in the clear
2) The packet is routed to the destination; intermediate routers look at the IP header but cannot read the CT
3) At the receiver's end the IP header is examined and the remaining portion is authenticated and decrypted to get the plaintext (PT)
ESP Tunnel Mode
Before applying ESP:
[IP header][TCP header][Original data]
After applying ESP:
[New IP header][ESP Header][Original IP header][TCP header][Original data][ESP trailer][ESP auth]
  encrypted: Original IP header, TCP header, Original data, ESP trailer
  authenticated: ESP Header through ESP trailer
ESP Tunnel Mode
 Used to encrypt the entire IP packet
 The ESP header is prefixed to the packet and then the packet along with the ESP trailer is encrypted
 Since the original IP header, which contains the destination address and intermediate routing information, is now encrypted, the packet can't be transmitted as it is
 A new outer IP header is added which contains the information required for routing (the addresses of the two security gateways)
ESP Tunnel Mode Operation
1) At the sender's end the sender prepares an inner IP packet with the destination address of the internal destination host
2) The outer packet is routed to the destination firewall; intermediate routers see only the outer header
3) At the receiver's end the destination firewall processes the outer IP packet and any extension headers, recovers the plaintext from the CT, and forwards the inner packet to the actual destination
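The following is an added example, not code from the original slides: ESP encapsulation and decapsulation in both transport and tunnel mode, following the layouts above and the encrypt-then-authenticate order from the ESP slide (the receiver verifies the ICV before decrypting anything). So that it runs with the Python standard library alone, the cipher is a keystream generated with HMAC-SHA256 in counter mode; this is a stand-in for the AES-CBC or AES-GCM transform a real ESP SA would negotiate, not a real ESP algorithm. Keys, SPI, addresses and the sample segment are constructed, and only a minimal IPv4 header is modelled.

```python
# Added example (not from the original slides): ESP transport and tunnel
# mode with encrypt-then-MAC.  The keystream cipher is a stand-in for AES;
# keys, SPI, addresses and payload are constructed.
import hashlib
import hmac
import ipaddress
import os
import struct

ENC_KEY = b"\x22" * 32          # constructed SA encryption key
AUTH_KEY = b"\x33" * 32         # constructed SA authentication key
SPI = 0x2000
ESP_PROTO = 50
IV_LEN, ICV_LEN, BLOCK = 8, 12, 4   # pad the plaintext+trailer to a 4-byte boundary


def ip_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def keystream_xor(iv: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with HMAC-SHA256(ENC_KEY, iv || counter) blocks. Not AES."""
    stream = b"".join(hmac.new(ENC_KEY, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
                      for ctr in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_encapsulate(payload: bytes, next_header: int, seq: int, iv: bytes = None) -> bytes:
    """ESP header | IV | encrypt(payload | padding | pad len | next header) | ICV"""
    iv = iv or os.urandom(IV_LEN)
    pad_len = (-(len(payload) + 2)) % BLOCK
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    header = struct.pack("!II", SPI, seq)
    ciphertext = keystream_xor(iv, payload + trailer)                     # encrypt first ...
    icv = hmac.new(AUTH_KEY, header + iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]  # ... then MAC
    return header + iv + ciphertext + icv


def esp_decapsulate(esp: bytes):
    """Verify the ICV before touching the ciphertext. Returns (next_header, payload) or None."""
    header, iv = esp[:8], esp[8:8 + IV_LEN]
    ciphertext, icv = esp[8 + IV_LEN:-ICV_LEN], esp[-ICV_LEN:]
    spi, _seq = struct.unpack("!II", header)
    expected = hmac.new(AUTH_KEY, header + iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if spi != SPI or not hmac.compare_digest(icv, expected):
        return None                                                       # discard, do not decrypt
    plain = keystream_xor(iv, ciphertext)
    pad_len, next_header = plain[-2], plain[-1]
    return next_header, plain[:len(plain) - 2 - pad_len]


def esp_transport(src: str, dst: str, tcp_segment: bytes, seq: int) -> bytes:
    esp = esp_encapsulate(tcp_segment, 6, seq)                            # next header 6 = TCP
    return ip_header(src, dst, ESP_PROTO, 20 + len(esp)) + esp


def esp_tunnel(gw_src: str, gw_dst: str, inner_packet: bytes, seq: int) -> bytes:
    esp = esp_encapsulate(inner_packet, 4, seq)                           # next header 4 = IP-in-IP
    return ip_header(gw_src, gw_dst, ESP_PROTO, 20 + len(esp)) + esp


def receive(packet: bytes):
    """Strip the (outer) IP header and decapsulate; in tunnel mode the result is the inner packet."""
    if packet[9] != ESP_PROTO:
        return None
    return esp_decapsulate(packet[20:])


if __name__ == "__main__":
    seg = bytes(20) + b"secret data"                                       # constructed TCP segment
    print("transport:", receive(esp_transport("192.168.1.33", "203.0.113.5", seg, 1)))
    inner = ip_header("192.168.1.33", "10.0.0.7", 6, 20 + len(seg)) + seg
    tun = esp_tunnel("203.0.113.1", "198.51.100.1", inner, 5)
    print("tunnel returns inner packet:", receive(tun) == (4, inner))
```

In tunnel mode the "next header" value 4 tells the receiving gateway that what it decrypted is a complete IP packet to be forwarded, which is the VPN case; in transport mode the value 6 hands the payload to TCP on the same host.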
IPSec Key management
• There is another component apart from AH & ESP, key management, without which IPSec can't exist
• It consists of two aspects: a) key determination b) key distribution. Four keys are needed for two-way communication using both AH & ESP (transmit and receive keys for each protocol)
• The default automated key management protocol for IPSec is ISAKMP/Oakley (IKE)
Diffie-Hellman
Advantages: a) creation of a secret key only when it is required
b) no pre-existing infrastructure needed
Disadvantages: a) no mechanism for authentication of the parties
b) vulnerable to man-in-the-middle attack
c) involves a lot of mathematical processing (modular exponentiation); an attacker can take advantage of this by sending many hoax Diffie-Hellman requests to a host with forged source addresses, making the host do unnecessary computing. This is called a congestion / clogging attack
Oakley
 Refined version of the Diffie-Hellman key exchange protocol
 Designed to retain the advantages of Diffie-Hellman and remove its drawbacks
Features:
a) Defeats replay attacks (nonces)
b) Implements cookies to defeat the clogging attack
c) Enables exchange of Diffie-Hellman public key values (and negotiation of the DH group)
d) Provides an authentication mechanism to thwart man-in-the-middle attacks
Oakley
 Oakley employs nonces to ensure against replay attacks; a nonce is a locally generated pseudorandom number that is included in a message and must be reflected back by the other party
Authentication methods used by Oakley are
a) Digital signatures: generation of a message digest (a hash of the exchange parameters and identities) and its signing with the sender's private key
b) Public key encryption: encryption of some information (e.g. identities and nonces) with the recipient's public key
c) Symmetric key encryption: a key derived by some out-of-band mechanism is used to authenticate the exchange
Oakley
Oakley provides a number of message types, e.g. the aggressive key exchange, consisting of three messages exchanged between two parties X & Y
Message 1: X sends a cookie and X's public Diffie-Hellman value, and X signs this block with its private key
Message 2: On receiving this message Y verifies X's signature and sends an acknowledgement to X containing the cookie sent by X. Y also sends its own cookie and its public Diffie-Hellman value, and signs this block with its private key
Message 3: After receiving message 2, X verifies it with Y's public key and sends a message to Y acknowledging the reception of Y's public value; both sides can now compute the shared secret
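The following is an added example, not code from the original slides: it shows the two Diffie-Hellman weaknesses listed above and the cookie defence. The first function carries out a man-in-the-middle attack on an unauthenticated exchange, where Mallory substitutes her own public value in both directions and ends up sharing a key with each side. The second part is a responder that, in the style of the Oakley/ISAKMP cookie, refuses to perform any modular exponentiation until the initiator has reflected a cookie bound to its source address, so forged-source clogging requests cost the responder only an HMAC. The group is the 1024-bit MODP group from RFC 2409 (Oakley group 2), transcribed here for illustration; the cookie secret, identities and addresses are constructed. The signature-based authentication of the real aggressive exchange is not modelled.

```python
# Added example (not from the original slides): DH man-in-the-middle and the
# cookie defence against clogging.  Group 2 prime transcribed from RFC 2409;
# cookie secret, identities and addresses are constructed.
import hashlib
import hmac
import secrets

P = int("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split().__str__().replace("'", "").replace(",", "").replace(" ", "").strip("[]"), 16)
G = 2


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    return pow(peer_pub, priv, P)


def mitm_demo() -> bool:
    """Unauthenticated DH: Mallory swaps in her own public value both ways and
    ends up holding one key shared with Alice and another shared with Bob."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()
    k_alice = dh_shared(a_priv, m_pub)          # Alice believes m_pub came from Bob
    k_bob = dh_shared(b_priv, m_pub)            # Bob believes m_pub came from Alice
    mallory_with_alice = dh_shared(m_priv, a_pub)
    mallory_with_bob = dh_shared(m_priv, b_pub)
    return k_alice == mallory_with_alice and k_bob == mallory_with_bob and k_alice != k_bob


COOKIE_SECRET = secrets.token_bytes(32)         # responder-local secret, rotated periodically


def make_cookie(src_ip: str, dst_ip: str) -> bytes:
    """Stateless cookie bound to the address pair; cheap to compute and to check."""
    return hmac.new(COOKIE_SECRET, f"{src_ip}|{dst_ip}".encode(), hashlib.sha256).digest()[:8]


class Responder:
    def __init__(self, ip: str):
        self.ip = ip
        self.exponentiations = 0                # counts the expensive work actually done

    def handle(self, src_ip: str, cookie: bytes, peer_pub: int):
        """A request without a valid cookie gets a cookie back and no DH work.
        Only a party that really receives traffic at src_ip can reflect it."""
        expected = make_cookie(src_ip, self.ip)
        if not hmac.compare_digest(cookie, expected):
            return ("cookie", expected)
        self.exponentiations += 1
        priv, pub = dh_keypair()
        return ("pub", pub, dh_shared(priv, peer_pub))


if __name__ == "__main__":
    print("MITM succeeds against unauthenticated DH:", mitm_demo())
    r = Responder("203.0.113.1")
    _, junk_pub = dh_keypair()
    for i in range(100):                        # clogging attempt from spoofed sources
        r.handle(f"198.51.100.{i}", b"\x00" * 8, junk_pub)
    print("exponentiations after 100 spoofed requests:", r.exponentiations)
    i_priv, i_pub = dh_keypair()
    kind, cookie = r.handle("192.0.2.7", b"", i_pub)        # honest initiator, first contact
    kind, r_pub, r_key = r.handle("192.0.2.7", cookie, i_pub)
    print("honest exchange agrees:", dh_shared(i_priv, r_pub) == r_key, "exponentiations:", r.exponentiations)
```

The cookie does not authenticate anyone; it only proves reachability of the claimed source address, which is exactly what a clogging attacker using forged sources lacks. Defeating the man-in-the-middle still requires one of the Oakley authentication methods on the exchanged values.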
VPN
 A private network is made up of computers owned by a single organization which share information with one another, e.g. LAN, MAN, WAN
 A firewall separates a private network from a public network
 A VPN is a mechanism employing encryption, authentication and integrity protection that enables a public network to be used like a private network
 It combines the advantages of public and private networks
 It can connect distant networks of an organization or allow a mobile user to remotely access a private network
VPN
 It is a mechanism for simulating a private network over a public network where the connections are temporary and there are no actual physical connections; the "connection" is made up of packets
VPN Architecture
Two firewalls are virtually connected to each other over the Internet by a VPN tunnel connecting them
How does a VPN work
For sending a packet from host X in net 1 to host Y in net 2:
 X creates the packet, inserts its own IP address as the source and the IP address of host Y as the destination, and sends it.
 When the packet reaches firewall 1, the firewall encrypts and authenticates the original packet and adds its own outer header, with its own IP address as the source and the IP address of firewall 2 as the destination, and sends the modified packet (this is IPSec tunnel mode).
How does a VPN work
 On reaching the 2nd firewall, the firewall strips the outer header, verifies the authentication and performs the necessary decryption.
 It then looks into the packet, realizes that it is meant for host Y, and delivers it to Y.
Figure: Original packet: source address X, destination address Y, other headers & actual data.
Figure: How a VPN works. Firewall 1 changes the packet content: the original packet [X, Y, other headers & actual data] is encrypted and authenticated according to the settings and wrapped in additional headers [source F1, destination F2]. Firewall 2 retrieves the original packet content [X, Y, other headers & actual data].
