
Network Defense tools

Prof. Rameez Raja


Cyber security trainer
CHAPTER-3

Network Defense tools
Network defense tools play a crucial role in protecting computer networks from various cyber
threats and attacks. These tools help organizations monitor, detect, and respond to security
incidents, ensuring the integrity, confidentiality, and availability of their network resources.

Example:
• Antivirus and Anti-malware Software (McAfee, Windows Defender).
• Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) (Snort, Suricata, Cisco Firepower).
• Firewalls (Cisco ASA, Palo Alto Networks, pfSense).
• Virtual Private Network (VPN) (OpenVPN, Cisco AnyConnect, Palo Alto GlobalProtect).
What is a Firewall?

• Firewalls act as a barrier between a trusted internal network and untrusted external networks, controlling the flow of network traffic based on predetermined security rules.

• A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules, making the network more secure and reliable.

How Do Firewalls Work?
Key Functions of Firewalls:

1. Packet Filtering:
Firewalls inspect individual data packets and decide whether to allow or block them based on pre-defined rules.

2. Stateful Inspection:
Stateful inspection, also known as dynamic packet filtering, keeps track of the state of active connections and makes decisions based on the context of the traffic.

3. Proxying:
Proxies act as intermediaries between internal and external systems. They can enhance security by filtering and forwarding requests and responses.

4. Network Address Translation (NAT):
Firewalls often use NAT to modify network address information in packet headers while in transit, helping conceal internal IP addresses. Example: A firewall with a proxy server may receive an HTTP request from an internal user, then forward that request to the internet on behalf of the user, masking the user's internal IP address.

5. Virtual Private Network (VPN) Support:
Firewalls can facilitate secure communication over the internet by supporting VPNs, which encrypt data as it travels between networks.
Example: Allowing employees to connect securely to the corporate network from remote locations using VPN protocols like IPsec or SSL/TLS.

6. Logging and Auditing:
Firewalls maintain logs of network traffic and security events, allowing administrators to monitor and analyze activity for security purposes.
Types of Firewall
1. Packet Filtering Firewalls

Definition: Packet filtering firewalls operate at the network layer (Layer 3) of the OSI model. They examine each packet of data entering or leaving the network and decide whether to allow or block it based on predefined rules.

Uses: Packet filtering is often used to control access based on IP addresses, protocols, and port numbers.

Example: iptables on Linux is a popular packet filtering firewall.

Parameters for filtering
1. Packet Inspection:
• Packet filtering firewalls inspect individual packets of data as they pass through the network.
• Each packet is examined based on specific criteria defined by rules.
2. Rule-Based Filtering:
• Packet filtering is rule-based, where administrators define rules to dictate which packets are allowed and which are denied.
• Rules are typically based on attributes such as source and destination IP addresses, source and destination port numbers, and the protocol type.
3. Filtering Criteria:
• Source IP Address: The IP address of the sender or originator of the packet.
• Destination IP Address: The IP address of the intended recipient of the packet.
• Source and Destination Port Numbers: Identify the specific application or service using the port numbers.
• Protocol Type: Specifies the communication protocol (e.g., TCP, UDP, ICMP).
4. Access Control Lists (ACLs):
• Rules are often implemented using Access Control Lists (ACLs), which are lists of rules that define what kind of traffic is allowed or denied.
• ACLs can be configured to permit or deny traffic based on the defined criteria.
2. Stateful Multi-Layer Inspection (SMLI)

Stateful Multi-Layer Inspection (SMLI) is an advanced security approach that combines stateful inspection with multiple layers of analysis to provide a more comprehensive and effective means of protecting computer networks. This approach goes beyond traditional packet filtering and stateless inspection to consider the context and content of network traffic. The detailed concept of Stateful Multi-Layer Inspection is given below.

Example: Cisco ASA, Fortinet FortiGate.

Stateful Multi-Layer Inspection (SMLI)
1. Stateful Inspection:
• Connection Tracking: Stateful inspection involves tracking the state of active connections and making decisions based on the context of the traffic.
• Session Awareness: It understands the state of network connections and can differentiate between new connection requests and established sessions.
2. Multi-Layer Inspection:
• Network Layer: Analyzes traffic at the network layer (Layer 3), considering source and destination IP addresses, as well as protocol types (e.g., TCP, UDP).
• Transport Layer: Examines transport layer information, such as source and destination port numbers, to identify the specific application or service.
• Application Layer: Goes beyond the network and transport layers to inspect the actual content of the data payload at the application layer (Layer 7). This allows the firewall to understand the context and nature of the traffic, including the applications being used.
Working of Stateful Inspection

1. Stateful inspection monitors communication packets over a period of time and examines both incoming and outgoing packets.

2. The firewall tracks outgoing packets that request specific kinds of incoming packets and authorizes those incoming packets to pass as long as they constitute a valid response.

3. A stateful firewall monitors all sessions and verifies all packets, although the method it uses can vary depending on the firewall technology and the communication protocol in use.

4. For example, when the protocol is TCP, the firewall captures a packet's state and context information and compares it to the existing session data.

5. If a matching entry already exists, the packet is allowed to pass through the firewall.

6. If no match is found, the packet must undergo certain policy checks. If the packet meets the policy requirements, the firewall assumes that it belongs to a new connection and stores the session data in the appropriate tables. It then permits the packet to pass.

7. If the packet does not match the policy conditions, the packet is rejected.
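To tie the ACL criteria listed under "Parameters for filtering" to steps 4-7 above, here is an added Python simulation (not from the slides or any vendor's product) of a stateless ACL and a stateful firewall that consults its session table before falling back to that ACL. The subnet, addresses and ports are constructed sample values; the point it shows is that return traffic for a connection the inside host opened is allowed by the stateful engine but dropped by the same ACL evaluated statelessly.

```python
from ipaddress import ip_address, ip_network

# Packets are constructed 5-tuples: (src_ip, src_port, dst_ip, dst_port, proto).
# A rule is a dict of the filtering criteria from the slides; a missing key means "any".
def rule_matches(rule, pkt):
    src_ip, src_port, dst_ip, dst_port, proto = pkt
    return (("src" not in rule or ip_address(src_ip) in ip_network(rule["src"]))
            and ("dst" not in rule or ip_address(dst_ip) in ip_network(rule["dst"]))
            and ("dst_port" not in rule or dst_port == rule["dst_port"])
            and ("proto" not in rule or proto == rule["proto"]))

def stateless_decision(acl, pkt):
    """Stateless ACL: each packet judged alone, first match wins, implicit deny at the end."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "deny"

class StatefulFirewall:
    """Steps 4-7 of the slides: session-table lookup first, policy check only for new flows."""
    def __init__(self, acl):
        self.acl = acl
        self.sessions = set()  # session table keyed by the 5-tuple of the initiating packet

    def decision(self, pkt):
        src_ip, src_port, dst_ip, dst_port, proto = pkt
        reverse = (dst_ip, dst_port, src_ip, src_port, proto)
        if pkt in self.sessions or reverse in self.sessions:  # step 5: known session, either direction
            return "allow"
        if stateless_decision(self.acl, pkt) == "allow":        # step 6: policy check for a new flow
            self.sessions.add(pkt)                              # record the new session
            return "allow"
        return "deny"                                           # step 7: no session, no policy match

# Constructed policy: hosts in 10.0.0.0/24 may open HTTPS outbound; nothing else is permitted.
ACL = [{"action": "allow", "src": "10.0.0.0/24", "dst_port": 443, "proto": "tcp"}]

def demo():
    outbound = ("10.0.0.5", 51234, "203.0.113.10", 443, "tcp")
    reply = ("203.0.113.10", 443, "10.0.0.5", 51234, "tcp")
    unsolicited = ("203.0.113.10", 443, "10.0.0.5", 60000, "tcp")
    fw = StatefulFirewall(ACL)
    return {
        "stateless_reply": stateless_decision(ACL, reply),   # deny: the ACL has no rule for return traffic
        "stateful_outbound": fw.decision(outbound),          # allow: policy match, session stored
        "stateful_reply": fw.decision(reply),                # allow: matches the stored session
        "stateful_unsolicited": fw.decision(unsolicited),    # deny: no session and no policy match
    }
```

Calling demo() returns the four decisions; a real stateless deployment would need an extra rule admitting inbound packets to all ephemeral ports to get the reply through, which is exactly the exposure stateful tracking avoids.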
3. Stateless firewall

A Stateless Firewall is a network security device that filters and controls network traffic based solely on predefined rules and criteria, without considering the context or state of the connections. Unlike Stateful Firewalls, which maintain a table of active connections and make decisions based on the state of each connection, Stateless Firewalls treat each packet in isolation.

Example: Cisco IOS Access Control Lists (ACLs)

Stateless firewall
1. Packet-Level Filtering:
• Stateless Firewalls operate at the network layer (Layer 3) of the OSI model and inspect individual packets of data.
• Filtering decisions are based on specific attributes of each packet, such as source and destination IP addresses, source and destination port numbers, and protocol type (e.g., TCP, UDP, ICMP).
2. Rule-Based Filtering:
• Administrators define rules that dictate which packets are allowed and which are denied.
• Rules are typically based on static criteria, such as IP addresses and port numbers, without considering the state of connections.
3. No Connection Tracking:
• Unlike Stateful Firewalls, Stateless Firewalls do not maintain a table of active connections or sessions.
• Each packet is evaluated independently of previous or subsequent packets.
4. Efficiency:
• Stateless Firewalls are generally more efficient than Stateful Firewalls in terms of processing speed because they don't have to keep track of connection states.
• This makes them suitable for high-speed networks and environments where minimal latency is crucial.
4. Application-level gateway (Proxy firewall)
An Application Layer Gateway (ALG) firewall, also known as a proxy firewall, operates at the application layer (Layer 7) of the OSI model. Unlike traditional firewalls that work at lower layers and filter traffic based on IP addresses and port numbers, ALG firewalls understand specific application protocols and can make decisions based on the content of the data being transmitted. ALG firewalls act as intermediaries between clients and servers, providing enhanced security features.
Example: Squid Proxy Server.

Benefits of Application-level gateways
• Safest firewall
• Deep packet inspection
• Significant slowdowns
• Safeguard resource identity and location
5. Circuit-level gateway

A Circuit-Level Gateway (CLG) is a type of firewall that operates at the session layer (Layer 5) of the OSI model. Unlike stateful firewalls or application layer gateways that inspect and filter packets at higher layers, circuit-level gateways focus on controlling sessions and connections at a more basic level. The primary function of a circuit-level gateway is to determine whether a given communication session is allowed based on network-level information.
Example: Microsoft Forefront Threat Management Gateway (TMG)

Benefits of Circuit-level gateway
• Simple and inexpensive
• A single form of protection is insufficient
• Setup and management are simple
6. Cloud firewall
A cloud firewall is a network security solution that is specifically designed to protect cloud-based resources and applications. It serves as a barrier between an organization's infrastructure hosted in the cloud and external threats, such as unauthorized access, malicious attacks, and data breaches. Cloud firewalls provide security for virtualized environments and are often an integral part of cloud security strategies.
Example: AWS WAF, Azure Firewall, Google Cloud Armor, Cloudflare Firewall

Benefits of Cloud firewall
• Unified security policy
• Flexible deployment
• Simplified deployment and maintenance
• Improved scalability
• Automatic updates
7. Next-Generation Firewall (NGFW)
The most common type of firewall available today is the Next-Generation Firewall (NGFW), which provides higher security levels than packet-filtering and stateful inspection firewalls. An NGFW is a deep-packet inspection firewall with additional features such as application awareness and control, integrated intrusion prevention, advanced network visibility, and cloud-delivered threat intelligence. This type of firewall is typically defined as a security device that combines the features and functionalities of multiple firewalls.
Example: Palo Alto NGFW, Cisco Firepower NGFW, Fortinet FortiGate.

Benefits of Next-Generation Firewall
• Block malware
• Recognizing Advanced Persistent Threats (APTs)
• Financially beneficial
Comparison of firewall types

| Feature | Packet Filtering Firewall | Stateful Inspection Firewall | Proxy (Application Layer) Firewall | Circuit-Level Gateway Firewall | Next-Generation Firewall (NGFW) | Cloud Firewall |
|---|---|---|---|---|---|---|
| Layer of Operation | Network/Transport | Network/Transport | Application | Session | Network/Transport/Application | Network/Transport |
| Decision Basis | IP addresses, ports, protocols | Context of connections | Application content | Session state | Application awareness, user identity awareness | IP addresses, ports, protocols |
| Granularity of Control | Low | Medium | High | Low | High | Medium to High |
| Functionality | Filtering at packet level | Filtering and context-aware protection | Application-level filtering | Session-level filtering | Advanced threat protection | Cloud resource protection |
| Examples | iptables, pfSense | Cisco ASA, Check Point | Squid Proxy Server | Microsoft Forefront TMG | Palo Alto Networks, Cisco Firepower | AWS WAF, Azure Firewall, GCP Cloud Armor |
www.paruluniversity.ac.in