Chapter 6: Network Security
and Public Key Infrastructure
Prajwal Gautam
6.1 Overview of Network Security
• Network Security is the process of taking preventive measures to
protect the underlying networking infrastructure from unauthorized
access, misuse, modification or destruction.
• This can include a variety of measures such as firewall, intrusion
detection and prevention system, encryption and secure protocols.
• The goal of network security is to ensure the confidentiality, integrity
and availability of data and resources.
• It is an essential part of an organization’s overall security strategy and is
becoming increasingly important as more and more organizations rely
on digital systems and networks to conduct business.
• Network security typically consists of three different controls. Here is
a brief description of those three types of network security.
i. Physical Network Security: Physical security controls are designed to
prevent unauthorized personnel from gaining physical access to
network components such as routers, cabling cupboards and so on.
ii. Technical Network Security: Technical security controls protect data
that is stored on the network or which is in transit across, into or out
of the network.
iii. Administrative Network Security: Administrative security controls
consist of security policies and processes that control user behavior,
including how users are authenticated, their level of access and also
how IT staff members implement changes to the infrastructure.
6.2 Digital Certificates
• Digital Certificates are a type of digital document used to certify the
identity of an individual or organization and to provide proof of
ownership of a public key.
• They are issued by a trusted third party known as a Certificate
Authority (CA), and are verified using the CA’s digital signature.
• A digital certificate contains information about the certificate holder,
such as their name, address and public key, as well as the digital
signature of issuing CA.
• Digital Certificates are used in a variety of applications to provide
secure communication, authentication, and to prove the identity of
the parties involved.
• Example: SSL/TLS, Email, VPNs.
X.509 Certificates
• X.509 is a standard defining the format of public key certificates.
• An X.509 certificate is a digital certificate that uses the widely
accepted international X.509 Public Key Infrastructure (PKI) standard
to verify that a public key belongs to the hostname/domain,
organization or individual named within the certificate.
• X.509 Certificate is used to provide a secure method of identifying
and authenticating entities and resources on a network.
• An X.509 certificate can be used to establish an SSL/TLS connection
between a web server and a client.
Certificate Life Cycle Management
• It is the process of managing the entire lifecycle of digital certificates,
from initial issuance, through ongoing management, to eventual
revocation or expiration of the certificate.
• Proper CLM ensures security, compliance, and smooth operations in
an organization's Public Key Infrastructure (PKI).
• Many organizations use a Managed Public Key Infrastructure (MPKI)
initiative to reduce the strain.
• However, much of the MPKI initiative still involves resource-intensive
tasks.
Stages of Certificate Life Cycle Management:
• Certificate Issuance: Issuing the certificate after verifying the
identity of the holder.
• Certificate Management: Ongoing management of the certificate,
including renewal, revocation and monitoring for expiration.
• Certificate Revocation: Revoking a certificate before its
expiration for various reasons, such as a compromised private key.
• Certificate Expiration: Replacing the certificate once it has expired,
as it is no longer valid.
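The stages above map onto a simple inventory check. The following Python is an added example (not from the slides): it classifies constructed certificate records into the lifecycle stages and names the management action each stage calls for. The 30-day renewal window, the hostnames and the dates are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy value (not from the slides): start renewal 30 days before expiry.
RENEWAL_WINDOW = timedelta(days=30)


@dataclass
class CertRecord:
    """One inventory entry: subject, validity window (notBefore/notAfter) and
    whether the issuing CA has revoked the certificate."""
    subject: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False


def lifecycle_state(cert: CertRecord, now: datetime) -> str:
    """Map a certificate to the lifecycle stage it is in at time `now`."""
    if cert.revoked:
        return "revoked"         # revoked before expiry (e.g. private key compromise)
    if now < cert.not_before:
        return "not_yet_valid"   # issued, but the validity period has not started
    if now > cert.not_after:
        return "expired"         # no longer valid; must be replaced
    if cert.not_after - now <= RENEWAL_WINDOW:
        return "expiring_soon"   # still valid, renewal should be triggered now
    return "valid"


# The management action each stage calls for.
ACTIONS = {
    "valid": "monitor",
    "expiring_soon": "renew before expiry",
    "expired": "replace immediately",
    "revoked": "replace and rotate the key",
    "not_yet_valid": "check issuance date / system clock",
}


def plan_actions(inventory, now):
    """Return {subject: (stage, action)} for a whole inventory."""
    plan = {}
    for cert in inventory:
        stage = lifecycle_state(cert, now)
        plan[cert.subject] = (stage, ACTIONS[stage])
    return plan


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample inventory (hostnames and dates are made up for the example).
SAMPLE_NOW = utc(2024, 6, 1)
SAMPLE_INVENTORY = [
    CertRecord("www.example.test", utc(2023, 7, 1), utc(2024, 7, 1)),
    CertRecord("vpn.example.test", utc(2023, 1, 1), utc(2024, 1, 1)),
    CertRecord("mail.example.test", utc(2024, 1, 1), utc(2025, 1, 1), revoked=True),
    CertRecord("api.example.test", utc(2024, 1, 1), utc(2025, 1, 1)),
]

if __name__ == "__main__":
    for subject, (stage, action) in plan_actions(SAMPLE_INVENTORY, SAMPLE_NOW).items():
        print(f"{subject:20} {stage:14} -> {action}")
```

In a real deployment the records would be filled from the certificates themselves (notBefore/notAfter) and from the CA's revocation information rather than typed in.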
6.3 PKI Trust Models
• The public key infrastructure (PKI) is defined as the set of hardware,
software, people, policies and procedures needed to create, manage,
store, distribute, and revoke digital certificates based on asymmetric
cryptography.
• Public Key Infrastructure (PKI) is also a framework that manages
digital keys and certificates to ensure secure communication and
authentication over networks.
• The principal objective of developing a PKI is to enable secure,
convenient and efficient acquisition of public keys.
• It follows asymmetric key cryptography, i.e., it uses two keys, public and
private: one for encryption and the other for decryption.
• It is made up of:
1. Certificates: Represent the authentication token.
2. Certificate Authority: Holds the decision on subject authentication.
3. Registration Authority: Accepts and processes certificate signing
requests on behalf of end users.
4. Lightweight Directory Access Protocol (LDAP): A directory that
holds publicly available certificate information.
PKIX (Public Key Infrastructure X.509)
• The PKIX Working Group was established in the fall of 1995 with the
goal of developing Internet standards to support X.509-based Public
Key Infrastructures (PKIs).
• Initially PKIX pursued this goal by profiling X.509 standards developed
by the CCITT (Consultative Committee for International Telephony
and Telegraphy) (later the ITU-T).
• Later, PKIX initiated the development of standards that are not
profiles of ITU-T (The International Telecommunication Union
Telecommunication Standardization Sector) work, but rather are
independent initiatives designed to address X.509-based PKI needs in
the Internet.
The elements of PKIX are:
1. End entity: A generic term used to denote end users, devices (e.g.,
servers, routers), or any other entity that can be identified in the
subject field of a public key certificate. End entities typically consume
and/or support PKI-related services.
2. Certification authority (CA): The issuer of certificates and (usually)
certificate revocation lists (CRLs). It may also support a variety of
administrative functions, although these are often delegated to one
or more Registration Authorities.
3. Registration authority (RA): An optional component that can
assume a number of administrative functions from the CA. The RA
is often associated with the end entity registration process but
can assist in a number of other areas as well.
4. CRL issuer: An optional component that a CA can delegate to
publish CRLs (certificate revocation lists).
5. Repository: A generic term used to denote any method for storing
certificates and CRLs so that they can be retrieved by end entities.
PKIX Management Functions
PKIX identifies a number of management functions that potentially
need to be supported by management protocols. These are indicated
in the previous figure and include the following:
• Registration: This is the process whereby a user first makes itself known to a
CA (directly or through an RA), prior to that CA issuing a certificate or
certificates for that user. Registration begins the process of enrolling in a PKI.
Registration usually involves some offline or online procedure for mutual
authentication. Typically, the end entity is issued one or more shared secret
keys used for subsequent authentication.
• Initialization: Before a client system can operate securely, it is
necessary to install key materials that have the appropriate
relationship with keys stored elsewhere in the infrastructure. For
example, the client needs to be securely initialized with the public key
and other assured information of the trusted CA(s), to be used in
validating certificate paths.
• Certification: This is the process in which a CA issues a certificate for
a user’s public key, returns that certificate to the user’s client system,
and/or posts that certificate in a repository.
• Key pair recovery: Key pair recovery allows end entities to restore
their encryption/decryption key pair from an authorized key backup
facility (typically, the CA that issued the end entity’s certificate).
• Key pair update: All key pairs need to be updated regularly
(i.e., replaced with a new key pair) and new certificates issued.
Update is required when the certificate lifetime expires and as a
result of certificate revocation.
• Revocation request: An authorized person advises a CA of an
abnormal situation requiring certificate revocation. Reasons for
revocation include private key compromise, change in affiliation, and
name change.
• Cross certification: Two CAs exchange information used in
establishing a cross-certificate. A cross-certificate is a certificate
issued by one CA to another CA that contains a CA signature key used
for issuing certificates.
6.4 Email Security: Pretty Good Privacy (PGP)
• Email security refers to the measures taken to protect email
communication from unauthorized access, use, disclosure, disruption,
modification or destruction.
• Electronic communication has made it easy to intercept and read
messages.
• So encryption of emails and other forms of communication is vital for
security, confidentiality and privacy for everyone.
• This is where PGP comes in, and why PGP is popular today.
• In fact, PGP is one of the most popular encryption and digital signature
schemes for personal communication.
Pretty Good Privacy (PGP)
• PGP is an open-source, freely available software program used for
data encryption and decryption, and provides cryptographic privacy
and authentication for data communication.
• It is often used for signing, encrypting and decrypting texts, emails, files
and directories to increase the security of email communication.
• PGP is regarded as strong encryption which is impossible to crack in the
near future.
Operations of PGP
The actual operation of PGP is based on five services:
1. Authentication:
• PGP authentication is done through the use of a digital signature.
• A hash code of the message is created using SHA-1.
• The hash code is encrypted using DSS or RSA with the sender’s private
key and included with the message.
• The receiver uses RSA with the sender’s public key to decrypt and
recover the hash code.
• The receiver generates a new hash code for the message and compares
it with the decrypted hash code.
• If the two match, the message is accepted as authentic.
2. Confidentiality
• PGP provides confidentiality through the use of symmetric block
encryption. A message is encrypted using CAST-128, IDEA or 3DES
with a one-time session key generated by the sender.
• The session key is encrypted using RSA with the recipient’s public key
and included with the message.
• The receiver uses RSA with its private key to decrypt and recover the
session key.
• The session key is used to decrypt the message.
3. Compression
• PGP compresses the message after applying the signature but before
encryption.
• This has the benefit of saving space both for email transmission and for
file storage.
• Message encryption is applied after compression to strengthen
cryptographic security.
4. Email Compatibility
• The scheme used for email compatibility is radix-64 conversion.
• To provide transparency for email applications, an encrypted message
may be converted to an ASCII string using radix-64 conversion. The use
of radix-64 expands a message by 33%.
5. Segmentation
• PGP automatically subdivides a message that is too long into segments
that are small enough to send via email.
• The segmentation is done after all of the other processing, including the
radix-64 conversion.
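As an added example, not part of the original slides, the Python below runs a message through the five services in the order described: sign with SHA-1 and the sender's private key, compress, encrypt under a one-time session key that is wrapped with the recipient's public key, radix-64 encode, and segment; the receiving side reverses the steps and rejects a message whose signature does not verify. It assumes textbook RSA with 256-bit keys generated at run time in place of real RSA/DSS, and a SHA-256 keystream in place of CAST-128/IDEA/3DES, so the ordering and the 33% radix-64 expansion can be observed without a PGP library.

```python
import base64
import hashlib
import random
import zlib


def is_probable_prime(n, rounds=20):
    """Miller-Rabin test (toy key generation; real PGP keys are far larger)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keypair(bits=256):
    """Textbook RSA: returns ((e, n), (d, n)). A 256-bit n holds a 160-bit SHA-1
    digest or a 128-bit session key as one unpadded block (illustration only)."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this means gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)


def session_cipher(key, data):
    """Stand-in for CAST-128/IDEA/3DES: XOR with a SHA-256 counter keystream.
    The same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def pgp_send(message, sender_priv, recipient_pub, segment_size=64):
    """Apply the five PGP services in the order the slides describe."""
    d, n = sender_priv
    e, rn = recipient_pub
    # 1. Authentication: SHA-1 digest "encrypted" with the sender's private key.
    digest = int.from_bytes(hashlib.sha1(message).digest(), "big")
    signature = pow(digest, d, n).to_bytes(32, "big")
    # 3. Compression: after signing, before encryption.
    compressed = zlib.compress(signature + message)
    # 2. Confidentiality: one-time session key, wrapped with the recipient's public key.
    session_key = random.getrandbits(128).to_bytes(16, "big")
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, rn).to_bytes(32, "big")
    body = wrapped_key + session_cipher(session_key, compressed)
    # 4. Email compatibility: radix-64 (base64) armor.
    armored = base64.b64encode(body)
    # 5. Segmentation: last, after radix-64 conversion.
    return [armored[i:i + segment_size] for i in range(0, len(armored), segment_size)]


def pgp_receive(segments, recipient_priv, sender_pub):
    """Reverse the steps; raises ValueError when the signature does not verify."""
    d, rn = recipient_priv
    e, n = sender_pub
    body = base64.b64decode(b"".join(segments))                      # reassemble, un-armor
    session_key = pow(int.from_bytes(body[:32], "big"), d, rn).to_bytes(16, "big")
    plain = zlib.decompress(session_cipher(session_key, body[32:]))  # decrypt, decompress
    signature, message = plain[:32], plain[32:]
    recovered = pow(int.from_bytes(signature, "big"), e, n)          # "decrypt" with public key
    if recovered != int.from_bytes(hashlib.sha1(message).digest(), "big"):
        raise ValueError("signature does not verify: message is not authentic")
    return message


def radix64_expansion(data):
    """Ratio of radix-64 output to input length: about 1.33, i.e. 33% growth."""
    return len(base64.b64encode(data)) / len(data)


if __name__ == "__main__":
    alice_pub, alice_priv = rsa_keypair()
    bob_pub, bob_priv = rsa_keypair()
    segs = pgp_send(b"Constructed sample message for the PGP pipeline.", alice_priv, bob_pub)
    print(len(segs), "segment(s):", pgp_receive(segs, bob_priv, alice_pub))
```

The order matters: the signature covers the plaintext, compression runs on the signed text so that encryption sees less redundancy, and segmentation is applied to the armored text so that the receiver only has to concatenate the segments before decoding.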
6.5 Secure Socket Layer (SSL) and Transport Layer Security (TLS)
• Secure Socket Layer is an Internet protocol for the secure exchange of
information between a web browser and a web server.
• SSL encrypts the link between a web server and a browser, which
ensures that all data passed between them remains private and free
from attack.
• SSL uses a combination of public key and symmetric key encryption to
secure data transmission.
• When a user connects to a website using SSL, the website’s SSL
certificate is sent to the user’s browser. Once the browser has verified
that the certificate is valid, the browser and the website establish an
SSL session, during which all data transferred between the browser
and the website is encrypted.
SSL Architecture
• SSL is designed to make use of TCP to provide a reliable end-to-end secure
service.
• SSL is not a single protocol but rather two layers of protocols, as illustrated in
Figure below.
• The SSL Record Protocol provides basic security services to various higher
layer protocols. In particular, the Hypertext Transfer Protocol (HTTP), which
provides the transfer service for Web client/server interaction, can operate on
top of SSL.
• Three higher-layer protocols are defined as part of SSL: the Handshake
Protocol, the Change Cipher Spec Protocol, and the Alert Protocol.
• These SSL-specific protocols are used in the management of SSL exchanges.
Two important SSL concepts are the SSL session and the SSL connection, which
are defined in the specification as follows.
• Connection: A connection is a transport (in the OSI layering model definition)
that provides a suitable type of service. For SSL, such connections are
peer-to-peer relationships. The connections are transient (lasting for a short
time). Every connection is associated with one session.
• Session: An SSL session is an association between a client and a server.
Sessions are created by the Handshake Protocol. Sessions define a set of
cryptographic security parameters which can be shared among multiple
connections. Sessions are used to avoid the expensive negotiation of new
security parameters for each connection.
SSL Session State
A session state is defined by the following parameters.
• Session identifier: An arbitrary byte sequence chosen by the server to
identify an active or resumable session state.
• Peer certificate: An X.509v3 certificate of the peer. This element of the state
may be null.
• Compression method: The algorithm used to compress data prior to
encryption.
• Cipher spec: Specifies the bulk data encryption algorithm (such as null, AES,
etc.) and a hash algorithm (such as MD5 or SHA-1) used for MAC calculation. It
also defines cryptographic attributes such as the hash_size.
• Master secret: 48-byte secret shared between the client and server.
• Is resumable: A flag indicating whether the session can be used to initiate
new connections.
SSL Connection State
A connection state is defined by the following parameters.
• Server and client random: Byte sequences that are chosen by the server and
client for each connection.
• Server write MAC secret: The secret key used in MAC operations on data sent
by the server.
• Client write MAC secret: The secret key used in MAC operations on data sent
by the client.
• Server write key: The secret encryption key for data encrypted by the server
and decrypted by the client.
• Client write key: The symmetric encryption key for data encrypted by the
client and decrypted by the server.
• Initialization vectors: When a block cipher in CBC mode is used, an
initialization vector (IV) is maintained for each key. This field is first
initialized by the SSL Handshake Protocol. Thereafter, the final
ciphertext block from each record is preserved for use as the IV with
the following record.
• Sequence numbers: Each party maintains separate sequence
numbers for transmitted and received messages for each
connection. When a party sends or receives a change cipher spec
message, the appropriate sequence number is set to zero. Sequence
numbers may not exceed 2^64 – 1.
SSL Record Protocol
• The SSL Record Protocol provides two services for SSL connections:
• Confidentiality: The Handshake Protocol defines a shared secret key
that is used for conventional encryption of SSL payloads.
• Message Integrity: The Handshake Protocol also defines a shared
secret key that is used to form a message authentication code (MAC).
• The Record Protocol takes an application message to be
transmitted, fragments the data into manageable blocks, optionally
compresses the data, applies a MAC, encrypts, adds a header, and transmits
the resulting unit in a TCP segment. Received data are decrypted, verified,
decompressed, and reassembled before being delivered to higher-level users.
SSL Record Protocol Operations
• The first step is fragmentation. Each upper-layer message is fragmented into
blocks of 2^14 bytes (16384 bytes) or less.
• Next, compression is optionally applied. Compression must be lossless and
may not increase the content length by more than 1024 bytes.
• The next step in processing is to compute a message authentication code
over the compressed data. For this purpose, a shared secret key is used.
• Next, the compressed message plus the MAC are encrypted using symmetric
encryption. Encryption may not increase the content length by more than
1024 bytes, so that the total length may not exceed 2^14 + 2048.
The final step of SSL Record Protocol processing is to prepare a header
consisting of the following fields:
• Content Type (8 bits): The higher-layer protocol used to process the enclosed
fragment.
• Major Version (8 bits): Indicates the major version of SSL in use. For SSLv3, the
value is 3.
• Minor Version (8 bits): Indicates the minor version in use. For SSLv3, the value is
0.
• Compressed Length (16 bits): The length in bytes of the plaintext fragment
(or compressed fragment if compression is used). The maximum value is
2^14 + 2048.
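The fragmentation, compression, MAC, encryption and header steps described above, carried through end to end as an added example (this is not code from the slides). HMAC-SHA1 stands in for the SSLv3 MAC construction and a SHA-256 keystream for the bulk cipher; the keys and the messages are constructed. The receive side shows why the per-connection sequence number matters: a tampered or replayed record fails the MAC check, which is the condition a bad_record_mac alert reports.

```python
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 2 ** 14              # 16384-byte plaintext fragments
MAX_COMPRESSED = MAX_FRAGMENT + 1024
MAX_CIPHERTEXT = MAX_FRAGMENT + 2048
VERSION = (3, 0)                    # SSLv3: major 3, minor 0
CT_ALERT, CT_HANDSHAKE, CT_APPLICATION_DATA = 21, 22, 23
MAC_LEN = 20                        # SHA-1 MAC


class RecordState:
    """Per-direction connection state: MAC secret, write key, sequence number."""
    def __init__(self, mac_secret, write_key, compress=False):
        self.mac_secret, self.write_key, self.compress = mac_secret, write_key, compress
        self.seq = 0                # set to zero on change_cipher_spec; must stay below 2**64


def stream_xor(key, seq, data):
    """Stand-in bulk cipher: SHA-256 keystream bound to the write key and record sequence number."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + struct.pack(">QI", seq, i)).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


def record_mac(state, content_type, data):
    """MAC over sequence number, content type and the (compressed) fragment."""
    return hmac.new(state.mac_secret, struct.pack(">QB", state.seq, content_type) + data,
                    hashlib.sha1).digest()


def protect(state, content_type, message):
    """Sender: fragment -> compress -> MAC -> encrypt -> header. Returns a list of records."""
    records = []
    for i in range(0, len(message), MAX_FRAGMENT):
        fragment = message[i:i + MAX_FRAGMENT]
        compressed = zlib.compress(fragment) if state.compress else fragment
        if len(compressed) > MAX_COMPRESSED:
            raise ValueError("compression grew the fragment by more than 1024 bytes")
        ciphertext = stream_xor(state.write_key, state.seq,
                                compressed + record_mac(state, content_type, compressed))
        if len(ciphertext) > MAX_CIPHERTEXT:
            raise ValueError("record exceeds 2^14 + 2048 bytes")
        header = struct.pack(">BBBH", content_type, VERSION[0], VERSION[1], len(ciphertext))
        records.append(header + ciphertext)
        state.seq += 1
    return records


def unprotect(state, records):
    """Receiver: parse header, decrypt, verify MAC, decompress, reassemble.
    Raises ValueError named after the SSL alert a real peer would send."""
    out = bytearray()
    for record in records:
        content_type, major, minor, length = struct.unpack(">BBBH", record[:5])
        body = record[5:]
        if (major, minor) != VERSION or len(body) != length or length > MAX_CIPHERTEXT:
            raise ValueError("illegal_parameter: bad record header")
        plain = stream_xor(state.write_key, state.seq, body)
        compressed, mac = plain[:-MAC_LEN], plain[-MAC_LEN:]
        if not hmac.compare_digest(mac, record_mac(state, content_type, compressed)):
            raise ValueError("bad_record_mac")     # tampering, or a replay with the wrong seq
        out += zlib.decompress(compressed) if state.compress else compressed
        state.seq += 1
    return bytes(out)


def receive(state, records):
    """Report ("ok", data) or ("fatal", alert_name), as the Alert Protocol would."""
    try:
        return "ok", unprotect(state, records)
    except ValueError as err:
        return "fatal", str(err).split(":")[0]


if __name__ == "__main__":
    sender = RecordState(b"constructed-mac-secret", b"constructed-write-key")
    receiver = RecordState(b"constructed-mac-secret", b"constructed-write-key")
    recs = protect(sender, CT_APPLICATION_DATA, b"A" * 40000)
    print(len(recs), "records;", receive(receiver, recs)[0])
```

Because the sequence number is an input to both the MAC and (here) the keystream, the receiver never has to keep a list of records it has already seen: a replayed record simply arrives under the wrong sequence number and fails verification.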
Change Cipher Spec Protocol
• The Change Cipher Spec Protocol is one of the three SSL-specific
protocols that use the SSL Record Protocol, and it is the simplest.
• This protocol consists of a single message which consists of a single
byte with the value 1.
• The sole purpose of this message is to cause the pending state to be
copied into the current state, which updates the cipher suite to be
used on this connection.
Alert Protocol
• The Alert Protocol is used to convey SSL-related alerts to the peer
entity.
• As with other applications that use SSL, alert messages are compressed
and encrypted, as specified by the current state.
• Each message in this protocol consists of two bytes, as in the previous
figure.
• The first byte takes the value warning (1) or fatal (2) to convey the
severity of the message.
• If the level is fatal, SSL immediately terminates the connection.
• The second byte contains a code that indicates the specific alert.
• Messages for fatal alerts:
• unexpected_message: An inappropriate message was received.
• bad_record_mac: An incorrect MAC was received.
• decompression_failure: The decompression function received improper input
(e.g., unable to decompress, or decompressed to greater than the maximum
allowable length).
• handshake_failure: Sender was unable to negotiate an acceptable set of
security parameters given the options available.
• illegal_parameter: A field in a handshake message was out of range or
inconsistent with other fields.
The remaining alerts are the following:
• close_notify: Notifies the recipient that the sender will not send any more
messages on this connection. Each party is required to send a close_notify
alert before closing the write side of a connection.
• no_certificate: May be sent in response to a certificate request if no
appropriate certificate is available.
• bad_certificate: A received certificate was corrupt (e.g., contained a
signature that did not verify).
• unsupported_certificate: The type of the received certificate is not
supported.
• certificate_revoked: A certificate has been revoked by its signer.
• certificate_expired: A certificate has expired.
• certificate_unknown: Some other unspecified issue arose in processing the
certificate, rendering it unacceptable.
SSL Handshake Protocol
• The most complex part of SSL is the Handshake Protocol.
• This protocol allows the server and client to authenticate each other
and to negotiate an encryption and MAC algorithm and cryptographic
keys to be used to protect data sent in an SSL record.
• The Handshake Protocol is used before any application data is
transmitted.
• The Handshake Protocol consists of a series of messages exchanged
by client and server. All of these have the format shown in Figure
below.
• Each message has three fields:
• Type (1 byte): Indicates one of 10 messages. Table 16.2 lists the
defined message types.
• Length (3 bytes): The length of the message in bytes.
• Content (>= 0 bytes): The parameters associated with this
message; these are listed in the table below:
SSL handshake
Phase 1: Establish Security Capabilities: This phase is used by the
client to initiate a logical connection and to establish the security
capabilities that will be associated with it.
• This phase comprises the exchange of two messages: client_hello and
server_hello.
• client_hello contains the list of cryptographic algorithms supported
by the client, in decreasing order of preference.
• server_hello contains the selected Cipher Specification (CipherSpec)
and a new session_id.
• The CipherSpec contains fields like:
• Cipher Algorithm (DES, 3DES, RC2, and RC4)
• MAC algorithm (based on MD5, SHA-1)
• Public-key algorithm (RSA)
• Both messages carry a “nonce” (a random value) to prevent replay attacks.
SSL Handshake Phases
Phase 1
Phase 2: Server Authentication and Key Exchange:
The server begins this phase by sending its certificate if it needs to be
authenticated.
• Server sends the chosen cipher suite.
• Server may request a client certificate. Usually this is not done.
• Server signals the end of its part of the exchange with server_hello_done.
Phase 2
Phase 3: Client Authentication and Key Exchange: The client should
verify that the server provided a valid certificate (if required) and check
that the server_hello parameters are acceptable.
•  Client sends its certificate, only if requested by the server.
• It also sends the Pre-master Secret (PMS) encrypted with the
server’s public key.
• The client also sends a certificate_verify message if it sent a certificate,
to prove that it holds the private key associated with that certificate.
Basically, the client signs a hash of the previous messages.
Phase 3
Phase 4 Finish: This phase completes the setting up of a secure
connection. The client sends a change_cipher_spec message and
copies the pending CipherSpec into the current CipherSpec.
Phase 4
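An added example (not from the slides) of the handshake message format and of the phase ordering: messages are framed as a 1-byte type, a 3-byte length and the content; a small state machine accepts only the message order that Phases 1 to 4 allow and rejects anything else, which is the condition behind an unexpected_message alert. The type codes are the SSLv3/TLS values; the hello contents, cipher suite numbers and certificate bytes are constructed placeholders, and the change_cipher_spec message is left out because it belongs to a separate protocol, not to the Handshake Protocol.

```python
import os

# Handshake message type codes (SSLv3/TLS values for the ten messages in the slides' table).
HELLO_REQUEST, CLIENT_HELLO, SERVER_HELLO = 0, 1, 2
CERTIFICATE, SERVER_KEY_EXCHANGE, CERTIFICATE_REQUEST, SERVER_HELLO_DONE = 11, 12, 13, 14
CERTIFICATE_VERIFY, CLIENT_KEY_EXCHANGE, FINISHED = 15, 16, 20


def encode_handshake(msg_type, content=b""):
    """Type (1 byte) + Length (3 bytes, big-endian) + Content."""
    if not 0 <= len(content) < 1 << 24:
        raise ValueError("content does not fit in a 3-byte length")
    return bytes([msg_type]) + len(content).to_bytes(3, "big") + content


def decode_handshakes(data):
    """Parse back-to-back handshake messages into (type, content) pairs."""
    messages, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated handshake header")
        msg_type = data[pos]
        length = int.from_bytes(data[pos + 1:pos + 4], "big")
        content = data[pos + 4:pos + 4 + length]
        if len(content) != length:
            raise ValueError("truncated handshake content")
        messages.append((msg_type, content))
        pos += 4 + length
    return messages


def hello_body(cipher_suites, session_id=b""):
    """Constructed hello content: version, 32-byte random (the nonce that defeats replay),
    session_id, and a list of 2-byte cipher suite codes in preference order."""
    suites = b"".join(s.to_bytes(2, "big") for s in cipher_suites)
    return (bytes([3, 0]) + os.urandom(32) + bytes([len(session_id)]) + session_id
            + len(suites).to_bytes(2, "big") + suites)


# Allowed message order by phase (RSA key exchange, client certificate optional):
#   phase 1: client_hello, server_hello
#   phase 2: certificate, [certificate_request], server_hello_done
#   phase 3: [certificate], client_key_exchange, [certificate_verify]
#   phase 4: finished (client), finished (server)
TRANSITIONS = {
    "start":                      {CLIENT_HELLO: "p1_client_hello"},
    "p1_client_hello":            {SERVER_HELLO: "p1_complete"},
    "p1_complete":                {CERTIFICATE: "p2_certificate"},
    "p2_certificate":             {CERTIFICATE_REQUEST: "p2_cert_request",
                                   SERVER_HELLO_DONE: "p2_complete"},
    "p2_cert_request":            {SERVER_HELLO_DONE: "p2_complete_cert_requested"},
    "p2_complete":                {CLIENT_KEY_EXCHANGE: "p3_complete"},
    "p2_complete_cert_requested": {CERTIFICATE: "p3_client_cert"},
    "p3_client_cert":             {CLIENT_KEY_EXCHANGE: "p3_key_exchange"},
    "p3_key_exchange":            {CERTIFICATE_VERIFY: "p3_complete"},
    "p3_complete":                {FINISHED: "p4_client_finished"},
    "p4_client_finished":         {FINISHED: "established"},
}


def check_handshake_order(messages):
    """Walk the phase state machine; return the final state, or raise on an out-of-order
    message (a real peer answers that with an unexpected_message fatal alert)."""
    state = "start"
    for msg_type, _ in messages:
        nxt = TRANSITIONS.get(state, {}).get(msg_type)
        if nxt is None:
            raise ValueError(f"unexpected_message: type {msg_type} while in state {state}")
        state = nxt
    return state


def handshake_outcome(data):
    """Decode a raw transcript and report ('ok', final_state) or ('fatal', reason)."""
    try:
        return "ok", check_handshake_order(decode_handshakes(data))
    except ValueError as err:
        return "fatal", str(err).split(":")[0]


if __name__ == "__main__":
    transcript = b"".join([
        encode_handshake(CLIENT_HELLO, hello_body([0x002F, 0x000A])),
        encode_handshake(SERVER_HELLO, hello_body([0x002F], session_id=b"\x01" * 8)),
        encode_handshake(CERTIFICATE, b"<constructed server certificate>"),
        encode_handshake(SERVER_HELLO_DONE),
        encode_handshake(CLIENT_KEY_EXCHANGE, b"<pre-master secret encrypted to server key>"),
        encode_handshake(FINISHED, b"<client verify_data>"),
        encode_handshake(FINISHED, b"<server verify_data>"),
    ])
    print(handshake_outcome(transcript))
```

The state machine is deliberately strict: a finished message that arrives before the client_key_exchange, or a certificate that was never requested, is rejected rather than silently accepted, which is the behaviour a robust implementation needs against malformed or out-of-order handshakes.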
Transport Layer Security
• The TLS protocol is the Internet Engineering Task Force (IETF)
standard version of the SSL protocol.
• The protocol allows client-server applications to communicate across a
network in a way designed to prevent eavesdropping and tampering.
• It ensures privacy between communicating applications and their use
on the Internet.
• Following are the additional features of TLS:
i. Interoperability: Ability to exchange TLS parameters by either party, with no
need for one party to know the other’s TLS implementation details.
ii. Expandability: To plan for future expansions and accommodation of new
protocols.
6.6 IP Security (IPSec)
• IPSec is an Internet Engineering Task Force (IETF) standard suite of
protocols between two communication points across the IP network
that provides data authentication, integrity, and confidentiality.
• It also defines the encrypted, decrypted and authenticated packets.
• Although it was designed to run in the new version of IP, IPv6, it
also runs successfully over the older IPv4.
• IPSec can be used to protect data flows between a pair of hosts
(host to host), between a pair of security gateways (network to
network), or between a security gateway and a host (network to
host).
IP Security (IPSec) Document Format
• Architecture: Covers the general concepts, security requirement
definitions and mechanisms defining IPSec technology.
• Encapsulating Security Payload (ESP): Covers the packet format and
general issues related to the use of ESP for packet encryption and
optional authentication.
• Authentication Header (AH): Covers the packet format and general
issues related to the use of AH for packet authentication.
• Encryption algorithm: A set of documents that describe how various
authentication algorithms are used for AH and the authentication option
of ESP.
• Domain of Interpretation (DOI): Contains the values needed for
the other documents to relate to each other.
• Key Management: Documents that describe key management
schemes.
IPSec Services in Network Layer
• Access Control: to prevent unauthorized access to resources.
• Connectionless integrity: to give an assurance that the traffic
received has not been modified in any way.
• Confidentiality: to ensure that Internet traffic is not examined by
non-authorized parties. This requires all IP datagrams to have their
data field (TCP, UDP, ICMP, or any other datagram data field segment)
encrypted.
• Authentication: particularly source authentication, so that when a
destination host receives an IP datagram with a particular IP source
address, it is possible to be sure that the IP datagram was indeed
generated by the host with that source IP address. This prevents
spoofed addresses.
• Replay Protection: to guarantee that each packet exchanged between
two parties is different.
Authentication Header (AH)
• The AH protocol provides source authentication and data integrity but not
confidentiality.
• This is done by a source that wants to send a datagram first establishing a
Security Association (SA), through which the source can send the datagram.
• A source datagram includes an AH inserted between the original IP header
and the datagram data to shield the data field, which is now encapsulated as a
standard IP datagram.
• Upon receipt of the IP datagram, the destination host notices the AH and
processes it using the AH protocol.
• Intermediate hosts such as routers, however, do their usual job of examining
every datagram for the destination IP address and then forwarding it on.
Encapsulating Security Payload (ESP)
• Unlike the AH protocol, the ESP protocol provides source authentication,
data integrity, and confidentiality. This has made ESP the most
commonly used IPSec header.
• Similar to AH, ESP begins with the source host establishing an SA which it
uses to send secure datagrams to the destination.
• Datagrams are secured by ESP by surrounding the original IP
datagram with new header and trailer fields, all encapsulated into
a new IP datagram. Confidentiality is provided by DES-CBC
encryption.
• Next to the ESP trailer field on the datagram is the ESP Authentication
Data field.
Security Associations
• In order to perform the security services that IPSec provides, IPSec
must get as much information as possible on the security
arrangement of the two communicating hosts. Such security
arrangements are called security associations (SAs).
• A security association is a unidirectional security arrangement
defining a set of items and procedures that must be shared between
the two communicating entities in order to protect the
communication process.
IPSec Operation Modes
1. Transport mode
• Only the payload or data of the original IP packet is protected in
transport mode.
• The protected payload is then encapsulated by the IPSec headers and
trailers while the original IP header remains intact and is not protected
by IPSec.
2. Tunnel mode
• The entire original IP packet is protected in tunnel mode.
• The packet is then encapsulated by the IPSec header and trailers.
• Finally a new IP header is prefixed to the packet specifying the IPSec
endpoints as the source and destination.
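Transport versus tunnel mode, together with the unidirectional SA and the anti-replay window that gives IPSec its replay protection, as an added example that is not code from the slides. A SHA-256 keystream stands in for DES-CBC, a truncated HMAC for the ESP Authentication Data, and the IPv4 headers are minimal constructed ones with the checksum left at zero; the addresses, SPI and keys are made up for the example.

```python
import hashlib
import hmac
import struct

TCP, IPIP, ESP = 6, 4, 50   # IP protocol numbers
ICV_LEN = 12                # truncated HMAC used as the ESP Authentication Data


def ip4(dotted):
    """'10.0.0.5' -> 4 raw address bytes."""
    return bytes(int(x) for x in dotted.split("."))


def ip_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at zero for the example)."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)


def make_packet(src, dst, proto, payload):
    return ip_header(ip4(src), ip4(dst), proto, len(payload)) + payload


class SecurityAssociation:
    """Unidirectional SA: SPI, keys, outbound sequence counter, inbound anti-replay window.
    Bit i of `seen` records whether sequence number (highest - i) has been received."""

    def __init__(self, spi, auth_key, enc_key, window=64):
        self.spi, self.auth_key, self.enc_key, self.window = spi, auth_key, enc_key, window
        self.seq_out, self.highest, self.seen = 0, 0, 0

    def accept_seq(self, seq):
        """True (and recorded) if seq is new and inside the window; False for replays or stale."""
        if seq == 0:
            return False
        if seq > self.highest:                         # slide the window forward
            self.seen = ((self.seen << (seq - self.highest)) & ((1 << self.window) - 1)) | 1
            self.highest = seq
            return True
        behind = self.highest - seq
        if behind >= self.window or (self.seen >> behind) & 1:
            return False                               # too old, or already seen
        self.seen |= 1 << behind
        return True


def stream_xor(key, seq, data):
    """Stand-in for the DES-CBC encryption named on the slide: SHA-256 keystream XOR."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + struct.pack(">II", seq, i)).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


def esp_protect(sa, packet, mode, gw_src=None, gw_dst=None):
    """Wrap an IPv4 packet in ESP header, trailer and ICV, in transport or tunnel mode."""
    sa.seq_out += 1
    if mode == "transport":                  # protect payload only; original header stays outside
        outer_src, outer_dst = packet[12:16], packet[16:20]
        inner, next_header = packet[20:], packet[9]
    else:                                    # tunnel: protect whole packet; new header names gateways
        outer_src, outer_dst = ip4(gw_src), ip4(gw_dst)
        inner, next_header = packet, IPIP
    pad_len = (-(len(inner) + 2)) % 4        # ESP trailer = padding, pad length, next header
    trailer = bytes(pad_len) + bytes([pad_len, next_header])
    esp_header = struct.pack(">II", sa.spi, sa.seq_out)
    encrypted = stream_xor(sa.enc_key, sa.seq_out, inner + trailer)
    icv = hmac.new(sa.auth_key, esp_header + encrypted, hashlib.sha256).digest()[:ICV_LEN]
    body = esp_header + encrypted + icv
    return ip_header(outer_src, outer_dst, ESP, len(body)) + body


def esp_unprotect(sa, packet):
    """Check ICV, then anti-replay, then decrypt; return the original packet or raise ValueError."""
    if packet[9] != ESP:
        raise ValueError("not an ESP packet")
    body = packet[20:]
    spi, seq = struct.unpack(">II", body[:8])
    if spi != sa.spi:
        raise ValueError("unknown SPI")
    encrypted, icv = body[8:-ICV_LEN], body[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body[:8] + encrypted, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch")
    if not sa.accept_seq(seq):
        raise ValueError("replayed or stale sequence number")
    plain = stream_xor(sa.enc_key, seq, encrypted)
    pad_len, next_header = plain[-2], plain[-1]
    inner = plain[:len(plain) - 2 - pad_len]
    if next_header == IPIP:                  # tunnel mode: inner is the whole original packet
        return inner
    header = bytearray(packet[:20])          # transport mode: restore protocol and total length
    header[9] = next_header
    struct.pack_into(">H", header, 2, 20 + len(inner))
    return bytes(header) + inner


if __name__ == "__main__":
    sa_out = SecurityAssociation(0x1001, b"constructed-auth-key", b"constructed-enc-key")
    sa_in = SecurityAssociation(0x1001, b"constructed-auth-key", b"constructed-enc-key")
    pkt = make_packet("10.0.0.5", "10.0.1.7", TCP, b"constructed TCP segment")
    tunneled = esp_protect(sa_out, pkt, "tunnel", "192.0.2.1", "198.51.100.1")
    print(len(pkt), "->", len(tunneled), "bytes; recovered:", esp_unprotect(sa_in, tunneled) == pkt)
```

In tunnel mode the outer header carries only the gateway addresses, so an observer between the gateways does not see the inner hosts; in transport mode the original addresses stay visible and only the payload is protected. The ICV is checked before the sequence number so that an attacker cannot move the window by injecting packets with large, unauthenticated sequence numbers.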
6.7 Firewalls and their Types
• A firewall forms a barrier through which the traffic going in each
direction must pass.
• A firewall security policy dictates which traffic is authorized to pass in
each direction.
• A firewall may be designed to operate as a filter at the level of IP
packets, or may operate at a higher protocol layer.
• Network firewalls are typically hardware- or software-based
appliances that sit on the network and control traffic at the network
layer (layer 3 in the OSI model).
• Firewalls can be used to control access to a network, block certain
types of traffic, and monitor and log traffic passing through the
firewall.
• By definition a “firewall” is a tool that provides a filter of both
incoming and outgoing packets.
• Most firewalls perform two basic security functions:
• Packet filtering based on an accept-or-deny policy that is itself based on
the rules of the security policy.
• Application proxy gateways that provide services to the inside users and
at the same time protect each individual host from the bad outside
users.
Firewall Characteristics
• A firewall defines a single choke point that keeps unauthorized users
out of the protected network, prohibits potentially vulnerable
services from entering or leaving the network, and provides
protection from various kinds of IP spoofing and routing attacks.
• A firewall provides a location for monitoring security-related events.
• A firewall is a convenient platform for several Internet functions that
are not security related, such as NAT (Network Address Translation)
and Internet usage audits or logs.
• A firewall can serve as the platform for IPSec to implement virtual
private networks (VPNs).
Limitations of Firewall
• The firewall cannot protect against attacks that bypass the firewall.
Internal systems may have dial-out capability to connect to an ISP. An
internal LAN may support a modem pool that provides dial-in
capability for traveling employees and telecommuters.
• The firewall may not protect fully against internal threats, such as a
disgruntled employee or an employee who unwittingly cooperates
with an external attacker.
• A laptop, PDA, or portable storage device may be used and infected
outside the corporate network, and then attached and used
internally.
• An improperly secured wireless LAN may be accessed from outside
the organization. An internal firewall that separates portions of an
enterprise network cannot guard against wireless communications
between local systems on different sides of the internal firewall.
Types of Firewall
1. Packet Filtering Firewall:
• Packet filtering firewalls are normally deployed on the routers which
connect the internal network to the Internet.
• They can only be implemented at the network layer of the OSI model.
• Packet filtering works on the basis of rules defined by Access Control
Lists (ACLs).
• They check the packets and screen them against the rules defined by
the network administrator in the ACLs.
• If a packet does not meet the criteria, it is dropped and the logs are
updated with this information.
• Administrators can create their ACLs on the basis of addresses, protocols
and packet attributes.
Fig: Packet filtering firewall
2. Circuit Level Gateway Firewalls
• Circuit level gateways are deployed at the session layer of the OSI
model and they monitor sessions such as the TCP three-way handshake to
see whether a requested connection is legitimate or not.
• The major screening happens before the connection is established. Information
sent to a computer outside the network through a circuit level
gateway appears to have originated from the gateway. This helps in
creating a stealth cover for the private network from outsiders.
• One advantage of a circuit level gateway is that it is comparatively inexpensive
and provides anonymity to the private network.
• One disadvantage of a circuit level gateway is that it does not filter
individual packets.
Fig : Circuit-level Proxy firewall
3. Application Level Gateway Firewalls
• Application level gateways work at the application layer of the OSI
model and provide protection for a specific application layer protocol.
• A proxy server is the best example of an application level gateway
firewall.
• An application level gateway works only for the protocols for which
it is configured.
• Application level firewalls can also be configured as caching servers,
which in turn increases network performance and makes it easier to
log traffic.
Fig : Application proxy firewall
4. Stateful Multilayer Inspection Firewalls
• Stateful multilayer inspection firewalls are a combination of all the
firewalls that we have studied till now.
• They can filter packets at the network layer using ACLs, check for
legitimate sessions at the session layer, and also evaluate
packets at the application layer.
• A stateful multilayer inspection firewall can work in a transparent
mode, allowing direct connections between the client and the server,
which was earlier not possible.
• Stateful multilayer inspection firewalls can also implement algorithms
and complex security models which are protocol specific, making the
connections and data transfer more secure.
Fig : Stateful inspection firewall
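Packet filtering and stateful inspection side by side, as an added example rather than code from the slides, covering both the packet filtering firewall (ACL rules, drop and log) and the stateful inspection firewall described above: an ACL evaluated first-match with implicit deny and drop logging, and on top of it a connection table that follows the TCP three-way handshake so that only replies to sessions the inside opened are accepted. The addresses, ports and policy are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp", "icmp"
    sport: int
    dport: int
    flags: str = ""  # TCP flags: "S" (SYN), "SA" (SYN-ACK), "A" (ACK)


@dataclass
class Rule:
    """One ACL entry; 'any' / None fields are wildcards."""
    action: str                # "accept" or "deny"
    src: str = "any"           # CIDR
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None


def rule_matches(rule, p):
    return ((rule.src == "any" or ipaddress.ip_address(p.src) in ipaddress.ip_network(rule.src))
            and (rule.dst == "any" or ipaddress.ip_address(p.dst) in ipaddress.ip_network(rule.dst))
            and rule.proto in ("any", p.proto)
            and rule.dport in (None, p.dport))


def packet_filter(acl, p, log):
    """Packet filtering firewall: first matching ACL rule wins, unmatched packets are
    dropped (implicit deny), and every drop is logged."""
    for rule in acl:
        if rule_matches(rule, p):
            if rule.action == "deny":
                log.append(f"DROP {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} (deny rule)")
            return rule.action
    log.append(f"DROP {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} (no matching rule)")
    return "deny"


class StatefulFirewall:
    """Stateful inspection: the ACL is consulted only for a new connection (TCP SYN); after
    that a connection table follows the three-way handshake, so replies are accepted only
    for sessions the table knows and unsolicited SYN-ACK / ACK packets are dropped."""

    def __init__(self, acl):
        self.acl, self.table, self.log = acl, {}, []

    def process(self, p):
        if p.proto != "tcp":
            return packet_filter(self.acl, p, self.log)
        fwd = (p.src, p.sport, p.dst, p.dport)        # originator -> responder
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:                         # packet from the originator
            state, key = self.table[fwd], fwd
        elif rev in self.table:                       # packet from the responder
            state, key = self.table[rev], rev
        else:                                         # no session yet
            if p.flags != "S":
                self.log.append(f"DROP tcp {p.src}:{p.sport} -> {p.dst}:{p.dport} (no session)")
                return "deny"
            verdict = packet_filter(self.acl, p, self.log)
            if verdict == "accept":
                self.table[fwd] = "SYN_SENT"
            return verdict
        if state == "SYN_SENT" and key == rev and p.flags == "SA":
            self.table[key] = "SYN_RECEIVED"           # responder answered the SYN
        elif state == "SYN_RECEIVED" and key == fwd and p.flags == "A":
            self.table[key] = "ESTABLISHED"            # originator completed the handshake
        elif state != "ESTABLISHED":
            self.log.append(f"DROP tcp {p.src}:{p.sport} -> {p.dst}:{p.dport} (handshake violation)")
            return "deny"
        return "accept"


# Constructed policy: inside hosts may open HTTPS outbound; telnet is explicitly denied.
SAMPLE_ACL = [
    Rule("deny", proto="tcp", dport=23),
    Rule("accept", src="10.0.0.0/8", proto="tcp", dport=443),
]

SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "203.0.113.10", "tcp", 40000, 443, "S"),   # inside opens HTTPS
    Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 40000, "SA"),  # server replies
    Packet("10.0.0.5", "203.0.113.10", "tcp", 40000, 443, "A"),   # handshake completes
    Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 40000, "A"),   # server data: allowed by state
    Packet("198.51.100.9", "10.0.0.5", "tcp", 5555, 22, "S"),     # outside SYN to SSH: no rule
    Packet("198.51.100.9", "10.0.0.5", "tcp", 443, 40001, "SA"),  # unsolicited SYN-ACK
    Packet("10.0.0.5", "203.0.113.10", "tcp", 40002, 23, "S"),    # telnet: deny rule
]


def run_scenario(fw, packets):
    """Return the verdict for each packet, in order."""
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    fw = StatefulFirewall(SAMPLE_ACL)
    for p, v in zip(SAMPLE_TRAFFIC, run_scenario(fw, SAMPLE_TRAFFIC)):
        print(f"{v:6} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags}")
    print(*fw.log, sep="\n")
```

The difference between the two layers is visible in the sixth packet: a plain ACL can only judge it by addresses and ports, whereas the stateful table knows that no inside host ever sent a SYN to that peer, so the SYN-ACK is dropped and logged.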
Demilitarized Zone (DMZ)
• The portion of the network that separates the purely internal network from the
external network, and allows control of access to some trusted systems
inside the corporate perimeter, is called the DMZ network.
• If DMZ systems are breached, internal systems are still safe, and different
types of checks can be performed at the boundary between the internal and DMZ
networks and at the boundary between the DMZ and the Internet.
• Internet or some wide area network (WAN). One or more internal
firewalls protect the bulk of the enterprise network.
• Systems that are externally accessible but need some protections are
usually located on DMZ networks.
Advantages of Firewall
• They can stop incoming requests to inherently insecure services, e.g.
you can disallow rlogin, or RPC (Remote Procedure Call) services such
as NFS(Network File System).
• They can control access to services.
• They are more cost effective than securing each host on the
corporate network since there are often only one or a few firewall
systems to concentrate on.
Disadvantages of Firewall
• They are a central point for attack, and if an intruder breaks through
the firewall they may have unlimited access to the corporate
network.
• They may restrict legitimate users from accessing valuable services,
for example, corporate users may not be let out onto the Web, or
when working away from home a corporate user may not have full
access to the organization's network.
• They do not protect against back door attacks.
Assignment
• PKI vs Kerberos differences.
• PGP vs PEM
• Next Gen Firewall