
Module 5


Intruders
The most common threat to a system is an attack by an intruder. Intruders are often
loosely called hackers, but the term covers anyone who gains or misuses access without
authorization, from skilled attackers with a deep understanding of the target technology
to opportunists running borrowed tools. Intruders breach the confidentiality of users and
systems, typically aiming to steal credentials and confidential information. The stolen
data is then used directly or sold to third parties, which misuse it for their own
financial or professional gain.

Types of Intruders

Intruders are commonly divided into three categories:

• Masquerader: an individual who is not authorized to use the system but penetrates
its access controls, typically by using a legitimate user's stolen or guessed
credentials, to exploit that user's account and data. Masqueraders are usually
outsiders; they have no direct access of their own, so their first step is to obtain
someone else's, and their aim is to steal data or information.

• Misfeasor: a legitimate user who accesses data, programs or resources for which
that access is not authorized, or who is authorized for such access but misuses the
privilege. Misfeasors are insiders: they already have a valid account and direct
access to the system, and the attack consists of abusing that access, for example to
copy confidential data.

• Clandestine User: an individual who seizes supervisory (administrative) control of
the system and uses it to evade auditing and access controls, or to suppress audit
collection altogether, so that the intrusion leaves no trace. A clandestine user can
be either an insider or an outsider, with direct or indirect access accordingly; what
distinguishes the category is that the attacker operates with administrative power and
hides the activity from the logs that would otherwise reveal it.
Intrusion Detection
An intrusion detection system (IDS) observes network traffic or host activity for signs
of malicious behaviour or policy violations and raises an alert when it sees them. It is
software (sometimes packaged as an appliance) that monitors a network or system; each
suspected violation is recorded, either centrally through a SIEM system or as a
notification to an administrator. An IDS is a detective control: it watches for
unauthorized activity by outsiders and insiders alike, but on its own it does not block
anything (the inline variant that does is an intrusion prevention system, IPS).
Formulated as a learning problem, the intrusion detector's task is to build a predictive
model (i.e. a classifier) capable of distinguishing between 'bad connections'
(intrusions/attacks) and 'good' (normal) connections.

How does an IDS work?


• An IDS (Intrusion Detection System) monitors traffic on a network (NIDS) or
activity on a host (HIDS) to detect suspicious activity.
• It analyzes the data flowing through the network, or the host's logs, processes
and files, looking for patterns and signs of abnormal behaviour.
• The IDS compares the observed activity to a set of predefined rules and patterns
(signatures) and/or to a baseline of normal behaviour to identify anything that
might indicate an attack or intrusion.
• If the IDS detects something that matches a rule or deviates from the baseline, it
sends an alert to the system administrator or to a SIEM.
• The administrator can then investigate the alert and take action to contain the
intrusion and prevent further damage; an IPS can take some of these actions
(dropping the traffic) automatically.

Classification of Intrusion Detection System

IDS are classified into 5 types:

• Network Intrusion Detection System (NIDS): a NIDS is set up at a planned point
within the network, typically fed by a SPAN/mirror port or a network TAP, to examine
traffic from all devices on that segment. It observes the traffic passing through the
subnet and matches it against a collection of known attack signatures and, optionally,
a baseline of normal behaviour. Once an attack is identified or abnormal behaviour is
observed, an alert is sent to the administrator. A typical example is deploying a NIDS
on the subnet where the firewalls are located, to see whether someone is probing or
attempting to bypass the firewall. Note that a NIDS cannot inspect the contents of
encrypted (TLS) traffic unless it sits behind a point where the traffic is decrypted.

• Host Intrusion Detection System (HIDS): a HIDS runs on an individual host or device
on the network. It monitors the packets entering and leaving that device only, together
with local logs, processes and files, and alerts the administrator if suspicious or
malicious activity is detected. A common HIDS technique is file integrity monitoring:
the agent takes a snapshot (cryptographic hashes) of critical system files and compares
it with the previous snapshot; if a critical file has been modified, added or deleted,
an alert is sent to the administrator to investigate. HIDS is well suited to
mission-critical machines whose configuration is not expected to change.

• Protocol-based Intrusion Detection System (PIDS): a PIDS is a system or agent that
sits at the front end of a server and monitors and interprets the protocol spoken
between a user/device and that server. The typical use is protecting a web server by
monitoring the HTTP stream. Because HTTPS encrypts the stream, the PIDS must be placed
where it can see the plaintext, i.e. at or behind the point where TLS is terminated and
before the request reaches the web application layer.

• Application Protocol-based Intrusion Detection System (APIDS): an APIDS is a system
or agent that generally resides within a group of servers. It identifies intrusions by
monitoring and interpreting the communication on application-specific protocols. For
example, it might monitor the SQL protocol between the middleware and the database in a
web application and flag queries that do not look like the application's own.

• Hybrid Intrusion Detection System: a hybrid IDS combines two or more of the
approaches above. Host agent or system data is combined with network information to
build a more complete view of the environment, which makes it more effective than any
single approach at the cost of more components to deploy and correlate. Prelude is an
example of a hybrid IDS.

Benefits of IDS
• Detects malicious activity: an IDS can detect suspicious activity and alert the
system administrator before significant damage is done, provided someone acts on the
alert.
• Visibility into network behaviour: the same telemetry that reveals attacks also
reveals misconfigurations and noisy or misbehaving hosts, which can then be addressed
to improve network health.
• Compliance requirements: an IDS helps meet compliance requirements that call for
monitoring of network activity and for audit reports.
• Provides insights: IDS logs and alerts give valuable insight into network traffic,
which can be used to identify weaknesses and improve network security.

Detection Method of IDS

1. Signature-based Method: a signature-based IDS detects attacks by matching traffic
or files against specific patterns: byte sequences, strings, regular expressions over
packet payloads or request paths, or a known malicious instruction sequence used by a
piece of malware. These patterns are called signatures. Signature-based detection
reliably recognizes attacks whose signature already exists in the rule set and produces
few false positives, but it cannot detect new attacks or new malware variants whose
signature is not yet known, and it can be evaded by encoding or otherwise reshaping
the attack so that the signature no longer matches.
2. Anomaly-based Method: anomaly-based IDS was introduced to detect unknown attacks,
since new malware is developed faster than signatures can be written. An anomaly-based
IDS uses statistics or machine learning to build a model of trusted (normal) activity;
everything observed is compared with that model, and activity that does not fit it is
flagged as suspicious. This generalizes better than signature matching, as the model
can be trained for the specific applications and hardware in use, but it produces more
false positives, it needs a clean training period (an attacker active during training
becomes part of 'normal'), and an alert only says that something is unusual, not what
the attack is.
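Both detection methods side by side, as an added example that is not part of the original notes: a small signature engine (regular expressions over URL-decoded request paths) and a rate-based anomaly detector (per-source request counts compared against a mean + 3 standard deviations threshold learned from a training window) run over constructed web-server access-log lines. The log lines, IP addresses and signature rules are all made up for the example.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Common-log-format parser; only the client IP and request path are used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Signature rules: patterns of known attacks, applied to the URL-decoded path
# so that percent-encoding (..%2F..%2F) does not evade them.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-union": re.compile(r"union\s+select", re.IGNORECASE),
    "sensitive-file": re.compile(r"/etc/passwd"),
}


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])
    return rec


def signature_alerts(lines):
    """Return (ip, signature-name, decoded path) for every matching request."""
    alerts = []
    for rec in filter(None, map(parse, lines)):
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append((rec["ip"], name, rec["path"]))
    return alerts


def requests_per_ip(lines):
    return Counter(rec["ip"] for rec in filter(None, map(parse, lines)))


def learn_threshold(training_lines, k=3.0):
    """Anomaly baseline: mean + k standard deviations of per-IP request counts."""
    counts = list(requests_per_ip(training_lines).values())
    return statistics.fmean(counts) + k * statistics.pstdev(counts)


def anomaly_alerts(lines, threshold):
    """Flag sources whose request count exceeds the learned threshold."""
    return [(ip, "rate-anomaly", n)
            for ip, n in requests_per_ip(lines).items() if n > threshold]


def make_lines(ip, path, n=1):
    """Constructed sample log lines (not captured traffic)."""
    return [f'{ip} - - [10/Oct/2023:13:55:{i:02d} +0000] "GET {path} HTTP/1.1" 200 512'
            for i in range(n)]


# Training window: quiet, benign traffic used to learn what "normal" looks like.
TRAINING = (make_lines("10.0.0.5", "/index.html", 3) + make_lines("10.0.0.6", "/about", 4)
            + make_lines("10.0.0.7", "/", 2) + make_lines("10.0.0.8", "/contact", 3))

# Live window: benign traffic plus two signature hits and one noisy source.
LIVE = (make_lines("10.0.0.5", "/index.html", 3)
        + make_lines("198.51.100.7", "/download?file=..%2F..%2Fetc%2Fpasswd")
        + make_lines("203.0.113.9", "/search?q=1%20UNION%20SELECT%20password%20FROM%20users")
        + make_lines("192.0.2.44", "/login", 30))   # brute-force-like burst


def run():
    threshold = learn_threshold(TRAINING)
    return signature_alerts(LIVE), anomaly_alerts(LIVE, threshold)


if __name__ == "__main__":
    sigs, anoms = run()
    for alert in sigs + anoms:
        print("ALERT", alert)
```

Note what each engine misses: the login burst from 192.0.2.44 matches no signature and is caught only by the rate baseline, while the two injection attempts are single requests that no rate model would notice. Remove the unquote() call and the traversal signature stops firing, which is exactly the encoding-evasion caveat above.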

Comparison of IDS with Firewalls

An IDS and a firewall are both network security controls, but they play different
roles. A firewall is a preventive control: it restricts access between networks
according to a policy in order to stop intrusions from happening, and because it looks
at traffic crossing the boundary, an attack that stays inside the network does not
trigger it. An IDS is a detective control: it recognizes a suspected intrusion once it
is under way or has happened and then raises an alarm. The two complement each other,
and an IPS sits between them, detecting like an IDS and blocking like a firewall.

Password Protection
Password protection aims to create a secure barrier between your sensitive data and
potential cyber threats. It’s like a bouncer for your online accounts that keeps
unauthorized users out by implementing policies, processes, and technologies that make
passwords and authentication methods more secure.
• Password protection helps protect your data from bad actors by detecting and
blocking known weak passwords, passwords that have appeared in breaches, and weak
terms specific to your organization (the company name, product names). Passwords are
the most common means of authentication, but they only work if they are hard to
guess and kept confidential.
• Password security policies are rules created to increase password security by
encouraging users to create strong passwords and then store and use them properly.
Passwords should be at least 12 characters long (longer passphrases are better),
should not be a dictionary word, a reused password or a memorable path on the
keyboard or keypad, and should not be shared between accounts; mixing uppercase and
lowercase letters, digits and punctuation adds strength, but length matters more.
• Passwords must also be protected when stored and in transit. Stored passwords
should never be kept in plaintext or in reversible encryption; they should be hashed
with a deliberately slow, salted password hashing function (bcrypt, scrypt, Argon2 or
PBKDF2), so that a stolen password database cannot simply be decrypted. In transit
over the network, passwords are protected by TLS. Implementing two-factor
(multi-factor) authentication is also good practice, since it limits the damage a
stolen password can do.
• Password managers help prevent credential-related compromises by securely storing
and managing credentials for online and offline accounts, and by generating a unique
random password for each site. Reputable password managers encrypt the vault with
strong authenticated encryption (typically AES-256) under a key derived from the
user's master password. This means that if a password manager company is breached,
which has happened, the attacker obtains only encrypted vaults and cannot read the
stored passwords unless a master password is weak enough to be guessed.
When done right, password protection can effectively deter hackers and prevent various
forms of data breaches.

Why Is Password Security Important?


Password security is crucial for several reasons that impact both our personal and
professional lives. It’s a foundational component integral in protecting private
information and data that can be devastating if accessed by the wrong people.

• Passwords are the first defense against cybercriminals and their unauthorized
access to your accounts, devices, and files. Resilient, hard-to-crack passwords
protect critical data from bad actors and malicious software.
• Passwords protect our stored account data, and a strong password provides
essential protection from financial fraud and identity theft.

Password Selection Strategies


Four basic techniques are in use:-

• User education
• Computer-generated passwords
• Reactive password checking
• Proactive password checking

1. User education: users can be told the importance of using hard-to-guess passwords
and can be provided with guidelines for selecting strong passwords. Many users will
simply ignore the guidelines. Others may not be good judges of what is a strong
password. For example, many users believe that reversing a word or capitalizing the
last letter makes a password unguessable, whereas password crackers try exactly those
transformations.

2. Computer-generated passwords: if the passwords are quite random in nature, users
will not be able to remember them. Even if the password is pronounceable, the user may
have difficulty remembering it and so be tempted to write it down. In general,
computer-generated password schemes have a history of poor acceptance by users (a
password manager, which both generates and stores the random password, is the modern
answer to this problem).

3. A reactive password checking strategy is one in which the system periodically runs
its own password cracker to find guessable passwords. The system cancels any
passwords that are guessed and notifies the user. This tactic has a number of drawbacks.
First, it is resource intensive if the job is done right. Because a determined opponent
who is able to steal a password file can devote full CPU time to the task for hours or
even days, an effective reactive password checker is at a distinct disadvantage.
Furthermore, any existing passwords remain vulnerable until the reactive password
checker finds them.
4. The most promising approach to improved password security is a proactive password
checker. In this scheme, a user is allowed to select his or her own password. However,
at the time of selection, the system checks to see if the password is allowable and, if
not, rejects it. Such checkers are based on the philosophy that, with sufficient guidance
from the system, users can select memorable passwords from a fairly large password
space that are not likely to be guessed in a dictionary attack.
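A proactive password checker of the kind described in point 4, as an added example (not code from the original notes): the candidate is rejected for a list of reasons, and it deliberately catches the two user tricks mentioned in point 1, reversing a word and leet substitutions, by normalizing the password and checking the dictionary against both the normalized string and its reverse. The dictionary, keyboard rows and thresholds are the example's own small stand-ins; a real checker loads a full cracking dictionary and breach list.

```python
import re
import string

# Constructed blacklist; a real deployment loads a large cracking dictionary
# and known-breach lists rather than these nine words.
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon",
                "qwerty", "football", "iloveyou", "admin"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "abcdefghijklmnopqrstuvwxyz"]
# Undo the usual leet substitutions before the dictionary check: 0->o, 1->l, ...
LEET = str.maketrans("0134578@$", "oleastbas")
MIN_LENGTH = 12


def _letters(pw):
    """Lower-case, undo leet substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def _has_keyboard_walk(pw, n=4):
    """True if any n-character window is a run along a keyboard row or the alphabet."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(s[i:i + n] in seq for i in range(len(s) - n + 1)):
                return True
    return False


def check_password(pw):
    """Return the list of reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if sum(classes) < 3:
        reasons.append("fewer than three character classes")
    if re.search(r"(.)\1{3}", pw):
        reasons.append("a character repeated four or more times")
    if _has_keyboard_walk(pw):
        reasons.append("contains a keyboard or alphabet sequence")
    core = _letters(pw)
    for word in sorted(COMMON_WORDS):
        # Check the reversed string too: 'drowssaP123!' is still 'password'.
        if len(word) >= 5 and (word in core or word in core[::-1]):
            reasons.append(f"contains dictionary word '{word}' "
                           "(possibly reversed or leet-substituted)")
    return reasons


if __name__ == "__main__":
    for candidate in ["Password1!", "drowssaP123!", "qwertyuiop12",
                      "Tr0ub4dor&3-Stapler-Chair"]:
        verdict = check_password(candidate)
        print(candidate, "->", "accepted" if not verdict else "; ".join(verdict))
```

The composition rules follow the policy stated in these notes; current NIST SP 800-63B guidance drops mandatory composition rules in favour of length and screening against breached-password lists, which is the dictionary check here with a much larger list.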

Malwares – Malicious Software

Malware is software that gets into a system without the user's consent, typically
with the intention of stealing private and confidential data such as bank details and
passwords; it may also generate annoying pop-up ads and change system settings.
Malware gets into a system through various means:
1. Bundled with free downloads.
2. Clicking on a suspicious link.
3. Opening mail or attachments from a malicious source.
4. Visiting malicious websites (drive-by downloads that exploit an unpatched browser).
5. Exploitation of systems that are not kept updated, including an out-of-date
antivirus that cannot recognize current threats.

Types:

1. Virus
2. Worm
3. Logic Bomb
4. Trojan/Backdoor
5. Rootkit
6. Advanced Persistent Threat
7. Spyware and Adware

What is computer virus:

A computer virus is a malicious program that self-replicates by copying itself into
another program: it spreads by inserting its code into other executable code or
documents, so that running the infected host runs the virus. It may also damage the
system or destroy or erase data files. The purpose of creating a computer virus is to
infect vulnerable systems, gain administrative control and steal sensitive user data.
Virus authors prey on users by tricking them into running infected files.
Symptoms:
• Letters look as if they are falling to the bottom of the screen (a classic payload).
• The computer system becomes slow.
• The amount of available free memory shrinks.
• The hard disk runs out of space.
• The computer does not boot.

Types of Computer Virus:


These are explained as follows.
1. Parasitic (file infector) –
These infect executables (.COM or .EXE files, where execution starts at the first
instruction). Propagated by attaching itself to a particular file or program.
Generally resides at the start (prepending) or at the end (appending) of the file,
with the entry point patched so the virus runs first, e.g. Jerusalem.
2. Boot Sector –
Spread with infected floppy disks or USB drives used to boot computers. During
system boot, the boot sector virus is loaded into main memory before the operating
system, and its payload may destroy data stored on the hard disk, e.g. Polyboot,
Disk Killer, Stoned, AntiEXE.
3. Polymorphic –
Changes its own code with each infection while creating multiple copies, so that no
two copies share a fixed byte pattern; this makes it difficult for signature-based
antivirus to detect, e.g. Involutionary, Cascade, Evil, Virus 101, Stimulate.
Three major parts: the encrypted virus body, a decryption routine that varies from
infection to infection, and a mutation engine that generates the variations.
Multipartite viruses are a separate category: they use more than one propagation
method, for example infecting both boot sectors and files.
4. Memory Resident –
Installs code in the computer's memory and stays active while the OS runs, infecting
files as they are opened, e.g. Randex, CMJ, Meve.
5. Stealth –
Hides the traces of its infection: it intercepts system calls so that an infected
file appears to have its original size and contents, and it modifies itself, which
makes it difficult to detect, e.g. Frodo, Joshi, Whale.
6. Macro –
Associated with application software such as Word and Excel. When the infected
document is opened, the macro virus is loaded and executed by the application and
its payload may destroy data stored on the hard disk. Because it is attached to
documents, it spreads only with those infected documents, e.g. DMV, Melissa, Relax,
Nuclear, Word Concept.
7. Hybrids –
Features of several virus types are combined, e.g. Happy99 (e-mail worm/virus).
Worm:
A worm is a self-replicating program that spreads across a network on its own,
without attaching itself to a host file, by exploiting vulnerabilities or abusing
services on other machines. The replication traffic and the copies it makes can clog
networks and systems so that their operation is slowed down or stopped, and the worm
may carry a further payload.
Worms are classified by how they propagate:
1. Email worm – spreads as an attachment or link in forged e-mail messages.
2. Instant messaging worm – spreads via instant messaging applications, using their
file-transfer or link features.
3. Internet worm – scans the network for systems running a vulnerable OS service and
exploits it directly.
4. Internet Relay Chat (IRC) worm – spreads by sending infected files or links over
IRC channels.
Payloads carried by worms include deleting or encrypting files, installing a backdoor
and turning the machine into a zombie (bot). A few 'worms with good intent' have been
written that download and apply patches; they are still unauthorized code running on
other people's machines and generate the same network load.

Logic Bomb:
A logic bomb is a destructive piece of code that performs an action when a certain
condition occurs. It is hidden in the program's code and executes only when the
specific trigger condition is met, such as a date or a particular user being removed
from the payroll, e.g. the Jerusalem virus's Friday-the-13th payload.

Script Virus:
Commonly found script viruses are written using Visual Basic Scripting Edition (VBS)
or JavaScript and run through the scripting host or the browser.

Trojan / Backdoor:

A Trojan horse is a destructive program that pretends to be something useful, such as
a computer game or an application. Unlike a virus or a worm, it does not replicate
itself; it relies on the user to run it. Once executed, it damages or takes control of
the system; Trojans commonly come with monitoring tools, keyloggers and a backdoor for
remote access, and some stay dormant until a specific event occurs. They are hidden
with packers, crypters and wrappers, which makes them harder for antivirus to detect.
Removal may require manual cleanup, and a firewall that blocks the Trojan's outbound
connections is a useful precaution.

Rootkits:
A collection of tools that allow an attacker to keep control of a compromised system.
• Used to hide evidence of the attacker's presence and to give them backdoor access.
• Can contain log cleaners to remove traces of the attacker.
• Can be divided into:
– Application or file rootkits (user mode): replace system binaries, e.g. ls, ps or
netstat on a Linux system, with versions that hide the attacker's files and
processes.
– Kernel rootkits: target the OS kernel, typically loaded as a loadable kernel
module (LKM) on Linux or a driver on Windows, and so can hide from every
user-mode tool.
• Gain control of the infected machine by:
– DLL injection: injecting a malicious DLL (dynamic link library) into running
processes.
– Direct kernel object manipulation (DKOM): modifying kernel data structures
directly, e.g. unlinking a process from the process list, so the trusted part of
the OS itself reports false information.
– Hooking: changing an application's or the kernel's execution flow by replacing
function pointers or system call table entries.
Advanced Persistent Threat:
Created by well-funded, organized groups, including nation-state actors, with the aim
of compromising government and commercial entities and staying inside the target for a
long time, e.g. Flame, which was used for reconnaissance and information gathering on
infected systems.

Spyware and Adware:

Normally installed along with free software downloads. Spyware spies on the end user;
adware attempts to redirect the user to specific sites and shows pop-up ads. Their
main tasks are behavioural surveillance and advertising, and they slow down the system.

Macro Viruses
A macro virus is malicious code written in an application's macro language and embedded
in a document or template, so that a series of actions starts automatically when the
document is opened. It operates like a normal macro and often installs itself in place
of an existing macro (or in the global template, so that every new document is infected).

KEY TAKEAWAYS

• A macro virus is malware that automatically triggers a series of application
functions, often with harmful effect.
• In addition to wreaking havoc on a system, macro viruses are programmed to replicate
and spread themselves in order to infect other systems.
• Macro viruses most often spread online via deceptive web links or as e-mail
attachments.
• Antivirus software is typically good at detecting and removing known macro viruses
before they can do harm, and modern Office versions block macros in documents
downloaded from the Internet by default.

Understanding Macro Viruses

Macro viruses usually arrive from the Internet and infiltrate programs already installed
on a person's computer. To fully understand what a macro virus is, it is important to
first understand what a "macro" is:

A macro is a series of commands that automatically triggers a specific function within
a software program. Macros can be installed in programs such as Microsoft Word in order
to perform complex tasks that the program would otherwise be unable to do
automatically. For example, a company can use a macro to automatically insert its
letterhead or pre-designed tables into Microsoft Word page templates, or to use custom
page formats that aren't available in the program by itself.
Macro viruses are encoded with the ability to spread, much like the way a virus infects
a person, replicates itself and spreads to other people. A macro virus can replicate
and install material on a computer without the user's knowledge or consent. If it
spreads through e-mail, it often automatically sends itself to everyone in the user's
address book.

How Does a Macro Virus Infect a Computer?

Macro viruses usually arrive from the Internet, often in spam e-mail, and infiltrate
programs installed on a person's computer, such as Microsoft Office, by imitating a
benign macro. They often take the place of pre-installed macros and are activated when
the regular macro is executed, or by an auto-run macro that fires when the document is
opened, and they can keep operating without the user's knowledge. The automatic actions
they trigger can range from adding text uncontrollably to a document to sending spam
messages to people in the user's address book.

How to Prevent a Macro Viruses

Most antivirus software packages today are designed to find and remove existing macro
viruses on a computer and to prevent new ones from taking root. However, not all macro
viruses are detected by antivirus software, and not all antivirus products are alike.
It is important to keep antivirus software up to date, and equally important to be
careful about what you download or open from the Internet: keep macros disabled unless
a document genuinely needs them, and never click "Enable Content" in a document you
did not expect to receive.

For example, you should not open an attachment in an e-mail sent from an address you
don't know. E-mail spam can be easy to identify, but it can also use tricks to make a
person think the content is legitimate.
Antivirus
In computer systems, the security of data is always a major concern, because attackers
(commonly called hackers) try to steal or damage users' personal data using viruses,
worms, Trojans and other malware. Software developed to protect computer systems from
these threats is known as antivirus software.

What is Antivirus Software?


Antivirus software (computer protection software) is a program or set of programs
created to search for, detect, prevent and remove viruses and other malicious software
that can harm your system. Other harmful software such as worms, adware and Trojans can
also be detected and removed by antivirus. It is designed as a proactive layer of
security, preventing threats from entering your computer and causing issues. Most
antivirus software operates in the background once installed, providing real-time
protection by scanning files as they are written or executed.

Three of the most common threats it is expected to deal with are:

1. Malware (viruses, worms, Trojans, ransomware)
2. Spyware and adware
3. Phishing (malicious attachments and links, which many suites scan in mail and web
traffic)

How Antivirus Works?

Antivirus software works by comparing your computer's applications and files to a
database of known malware. Because attackers are continually creating and distributing
new malware, antivirus also checks systems for the presence of new or undiscovered
threats using heuristics and behaviour monitoring. The antivirus checks files,
programs and applications going in and out of your computer against its database to
identify matches; identical or similar matches are quarantined, scanned further and
removed. The signature database must be updated frequently, which is why out-of-date
antivirus offers little protection.
Most antivirus programs employ these four types of detection techniques:

• Signature detection: files brought into the system are scanned for byte patterns or
hashes that match known malicious files.
• Specific detection: looks for one particular known piece of malware by its exact
signature.
• Generic detection: looks for known parts or types of malware, or patterns shared by
a family of malware derived from a common code base, so that new variants of a known
family are caught.
• Heuristic detection: looks for unknown infections by spotting suspicious file
structures or behaviour (for example code that modifies other executables or hooks
system calls), at the cost of some false positives.

Examples of Antivirus Software


Antivirus software is available in two forms:
(i) Free: free antivirus software provides basic virus protection.
(ii) Paid: commercial antivirus software provides more extensive protection and
support.

The following are some commonly used antivirus products:

1. Bitdefender: Bitdefender Total Security is a comprehensive security suite that
protects against viruses and other malware. This user-friendly antivirus software is
available for the four major operating systems and for smart-home devices, and it also
includes a VPN (free with a daily limit of 200 MB), parental controls, webcam
protection, a password manager, etc. The suite is reasonably priced, covers up to five
devices and provides continuous real-time protection.
2. Avast: Avast offers a free antivirus. All you have to do to obtain protection for
your computer, e-mail, downloads and instant messages in the free version is register
(for free) once a year. It includes a heuristics engine that enables it to detect
viruses that are not yet in its signature database.
3. Panda: it can detect viruses, Trojans, spyware, adware, worms and other malware at
the same level as other antivirus products. Its distinguishing feature is cloud-based
scanning: much of the analysis is offloaded to the vendor's cloud, so a scan consumes
few of your computer's resources and the machine continues to function normally.
Benefits of Antivirus Software

• Spam and malicious advertisements are blocked: malware frequently spreads through
pop-up advertising and spam websites. Antivirus blocks known malicious advertisements
and websites, denying them access to your computer.
• Virus protection and transmission prevention: it identifies any possible infection
and then attempts to eliminate it before the file spreads to other machines.
• Hackers and data thieves are hindered: antivirus performs regular checks for
hacking tools, backdoors and suspicious network activity on the system. This raises
the bar for an attacker, although no antivirus offers complete security against a
determined one.
• Protection against removable devices: antivirus scans removable devices (USB
drives, external disks) for viruses, reducing the chance that a virus is transferred
between machines.
• Restricted website access to improve web security: antivirus can block access to
known-malicious or phishing websites, so that you only visit sites that are
considered safe and non-harmful to your computer.
• Password protection: many antivirus suites bundle a password manager, which you
should consider using for added security.

Disadvantages of Antivirus programs

• Slows down the system: antivirus programs consume resources such as RAM, CPU and
disk I/O, especially during full scans. As a result, the computer's overall speed may
be noticeably reduced.
• Pop-up advertisements: unlike commercial antivirus applications, free antivirus
must make money in some way, and one approach is advertising. These advertisements
often degrade the user experience by popping up repeatedly.
• Security holes: when security flaws exist in the operating system or networking
software, malware can exploit them and defeat antivirus protection; antivirus is not
a substitute for patching. The antivirus software itself is also ineffective unless
the user keeps both its engine and its signature database updated.
Firewalls

Characteristics of Firewall

Firewalls are a crucial component of any organization's cybersecurity strategy. As
the primary defense against external threats, firewalls employ a variety of techniques
to control and monitor incoming and outgoing network traffic. This section covers the
core characteristics of firewalls and the capabilities of modern firewalls.

What is a Firewall?

A firewall is a network security device or software application that monitors and
controls network traffic based on a defined set of security rules. Firewalls act as a
barrier between your internal network and external networks, such as the Internet.
They allow or block traffic based on factors like the protocol, port, source IP
address, destination IP address and more.

The primary functions of a firewall include:

▪ Filtering traffic to allow or block access based on source, destination, protocol, port, etc. This
prevents unauthorized access and stops malicious traffic.
▪ Obscuring information about your network and systems from the outside world. Combined with
network address translation (NAT), a firewall hides your internal IP addresses, and blocked ports
reveal nothing about the services behind them.
▪ Providing a single point of control for security between networks. All traffic must pass
through the firewall, allowing consolidated control and security policy enforcement.
▪ Logging traffic details for analysis and detecting network-based attacks. Firewall logs provide
visibility into who is accessing your network and what they are trying to do.

By carefully configuring the firewall rule set, network administrators can selectively
allow or block traffic and create a tightly controlled access policy for their
networks. This provides robust protection from many types of external cyber threats,
though not from attacks carried inside allowed traffic (a phishing e-mail, an exploit
sent over an open web port) or from threats that originate inside the network.

How Does a Firewall Work?


Firewalls use one or more filtering methods to control traffic. The most common
techniques include:
Packet filtering:- With packet filtering firewalls, traffic is examined at the network
and transport layers and allowed or blocked based on source/destination IP addresses,
protocol and port numbers. This doesn't inspect the packet contents beyond the headers,
and each packet is judged on its own.
Stateful inspection:- Stateful firewalls not only examine individual packets but also
track connections by remembering the state of each network connection. This allows
them to tell legitimate return packets for an existing connection apart from
unsolicited traffic, so return traffic need not be opened up by a separate rule.
Application-level gateway (Proxy server):- This type of firewall examines contents at
the application layer, not just the network layer. The firewall terminates the client's
connection and opens its own connection to the destination, receiving and analyzing the
actual data before relaying it. This provides deep inspection capabilities at the cost
of throughput and of needing to understand each protocol.

Next generation firewall (NGFW):- NGFWs combine traditional firewall capabilities like
packet filtering and stateful inspection with deeper traffic analysis techniques,
including application identification and intrusion detection and prevention. They can
detect and block sophisticated application-layer attacks that simple packet filters
would miss.
Firewalls use a clearly defined rule set to examine traffic and make allow/deny
decisions about access; rules are evaluated in order and the first match decides. A
properly configured firewall takes a "deny all" stance by default, so anything not
explicitly allowed by a rule is blocked and administrators must explicitly allow the
specific types of traffic that are required. (Some products ship with permissive
defaults, so the default policy should be checked rather than assumed.)

The firewall rule set is based on factors like:


▪ Source and destination IP addresses
▪ Network protocols (TCP, UDP, ICMP, etc.)
▪ Port numbers
▪ Applications
▪ User identity
▪ Geographic location
▪ Time of day
▪ And many others
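The packet-filtering and stateful-inspection behaviour described above, as an added example that is not code from the original notes or from any firewall product: a first-match rule evaluator with a default-deny policy, and a stateful wrapper that records each allowed flow's 5-tuple so that its return traffic passes without an explicit inbound rule. The network layout, addresses (documentation ranges) and rules are constructed for the example, and the connection table never expires entries, which a real engine would do.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (entering the protected network) or "out"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    direction: str
    proto: str
    src: str         # CIDR
    dst: str         # CIDR
    dport: Optional[int] = None   # None = any destination port


# Constructed policy for an assumed 10.0.0.0/8 internal network.
RULES = [
    Rule("allow", "in",  "tcp", "10.10.0.0/24", "10.0.0.0/8", 22),     # SSH from admin VLAN only
    Rule("allow", "in",  "tcp", "0.0.0.0/0",    "10.0.0.5/32", 443),   # public HTTPS to one host
    Rule("allow", "out", "tcp", "10.0.0.0/8",   "0.0.0.0/0", 443),     # outbound HTTPS
    Rule("allow", "out", "udp", "10.0.0.0/8",   "10.0.0.53/32", 53),   # DNS to internal resolver
]


def matches(rule, pkt):
    return (rule.direction == pkt.direction and rule.proto == pkt.proto
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def stateless_filter(pkt, rules=RULES):
    """Packet filter: first matching rule wins, otherwise default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Adds a connection table so replies to allowed flows pass without a rule."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.table = set()   # allowed 5-tuples (proto, src, sport, dst, dport)

    def filter(self, pkt):
        five = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if five in self.table or reverse in self.table:
            return "allow"            # belongs to an established connection
        verdict = stateless_filter(pkt, self.rules)
        if verdict == "allow":
            self.table.add(five)      # remember the flow for its return traffic
        return verdict


def demo():
    """Constructed packets showing where stateless and stateful filtering differ."""
    fw = StatefulFirewall()
    results = {}
    results["ssh_from_internet"] = fw.filter(Packet("in", "tcp", "203.0.113.9", 51000, "10.0.0.5", 22))
    results["ssh_from_admin"] = fw.filter(Packet("in", "tcp", "10.10.0.7", 51001, "10.0.0.5", 22))
    results["https_out"] = fw.filter(Packet("out", "tcp", "10.0.0.20", 40000, "198.51.100.10", 443))
    reply = Packet("in", "tcp", "198.51.100.10", 443, "10.0.0.20", 40000)
    results["https_reply_stateful"] = fw.filter(reply)
    results["https_reply_stateless"] = stateless_filter(reply)
    results["unsolicited_from_443"] = fw.filter(Packet("in", "tcp", "198.51.100.1", 443, "10.0.0.21", 40001))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The last two packets are the point: the reply from port 443 is identical to the stateless filter, which has to deny it (or open all high ports to any source claiming port 443, which is how old packet filters were abused), while the stateful firewall allows it because it saw the outbound SYN, and still denies an unsolicited packet from port 443 to a different host.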

Types of Firewalls
There are several classifications of firewalls based on where they are deployed and
how they filter traffic:

Network-Based Firewalls

Packet filtering firewall – A packet filtering firewall examines traffic at the
network layer (layer 3 of the OSI model, plus the transport-layer port numbers) and
allows or blocks packets based on source/destination IP addresses, protocols and port
numbers. As noted above, this doesn't inspect the actual packet contents beyond the
headers. Packet filtering provides high performance but a coarse level of security,
since it cannot relate a packet to the connection it belongs to.

Stateful inspection firewall – Stateful firewalls monitor connections and remember


session states to differentiate legitimate traffic from suspicious packets. This
provides additional protection over simple packet filters by analyzing connections
rather than just individual packets. Popular stateful firewall options include Cisco
ASA and Palo Alto Networks.
Next generation firewall (NGFW) – As discussed earlier, NGFWs combine
traditional firewall capabilities with deeper traffic analysis techniques for detecting
sophisticated threats at the application layer. In addition to inspecting packet
headers, NGFWs examine packet contents to block attacks like malware downloads,
exploit payloads, and infected file attachments. Leading NGFW vendors include
Check Point, Fortinet, and Barracuda.

Web application firewall (WAF) – A WAF is designed specifically to protect web
applications and APIs by analyzing HTTP/S traffic. WAFs detect and block common
attacks against web apps like cross-site scripting (XSS), SQL injection, command
injection, and more. WAFs can be implemented as dedicated hardware, virtual
appliances, cloud services, or modules in application delivery controllers.

Host-Based Firewalls
The firewall solutions above focus on network perimeter security. Host-based
firewalls secure individual hosts or endpoints:
▪ Windows Firewall – The built-in firewall included with Microsoft Windows provides stateful
packet filtering to monitor traffic in and out of the host computer.
▪ Linux iptables – Netfilter/iptables provides host-based firewall capabilities for Linux operating
systems. Tables of security rules can filter traffic and masquerade internal IP addresses.
▪ Third-party firewalls – Endpoint security suites from vendors like Symantec, McAfee, and
Trend Micro include host firewall components to control traffic at the endpoint level.

Cloud Firewalls
Major cloud platforms offer managed firewall services including:
▪ Amazon Web Services (AWS) security groups – Virtual firewalls can control traffic in and out
of AWS resources like EC2 instances and VPCs.
▪ Microsoft Azure firewall – Azure firewall policies secure virtual networks with stateful packet
filtering, intrusion detection, and identity-based controls.
▪ Google Cloud firewall – Cloud firewall rules manage connections between resources like VMs,
serverless applications, and services.

These integrate natively with other cloud security controls.

Key Characteristics of Firewalls

There are several core features common to most firewall implementations:

1. Traffic Filtering
The primary function of any firewall is filtering incoming and outgoing
network traffic based on a defined policy. As traffic passes through the firewall,
each packet is examined and matched to the criteria in the ruleset to determine
whether it should be allowed or blocked.
Sophisticated firewalls can filter on various packet attributes like IP address,
protocol, port number, and even application or website category. Traffic
filtering enables administrators to control what types of connections are
permitted for enhanced security.

2. Access Control
Firewalls govern access between network zones by allowing specific types of
traffic to pass while explicitly denying all other traffic. For example, a firewall can
be configured to allow only web traffic on port 80/443 between a private network
and the internet.
By default, everything else incoming or outgoing would be denied –
controlling external access to the network. Firewalls grant access based on
protocol, IP address range, subnet, and other criteria.

3. Network Segmentation
Internal firewalls can subdivide large private networks into smaller segments.
This provides perimeter security for the intranet, restricting lateral movement
between departments, branches, etc. Network segmentation contains threats and
limits the impact of breaches.

4. Security Logging & Monitoring
Modern firewalls provide robust logging capabilities, recording network
events like blocked connections or policy violations. Logging and reporting enable
administrators to monitor activity, analyze trends, and be alerted about suspicious
traffic.

5. Stateful Inspection
Stateful inspection firewalls maintain context about active connections,
allowing return traffic for established sessions while dropping other packets that
don’t match any approved flows. This dynamic filtering provides better protection
compared to static packet filtering.
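The following added example (not code from the module) models in a few dozen lines the behaviour described under Types of Firewalls and in characteristics 1, 2, 4 and 5 above: a default-deny rule set implementing the "allow only web traffic on port 80/443 from the private network to the internet" policy, a session table that admits return traffic for established flows, and a log of denied packets. The network ranges, addresses and packets are constructed for illustration.

```python
# Added example (not from the module): a toy default-deny packet filter with
# stateful connection tracking, modelling the policy "allow only web traffic on
# port 80/443 from the private network to the internet". Addresses and rules
# are constructed for illustration.
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src dst proto sport dport")
PRIVATE = ip_network("10.0.0.0/8")      # assumed internal network
ANY = ip_network("0.0.0.0/0")

# Allow rules as (protocol, source net, destination net, destination port).
# Anything not matched is dropped: the "deny all" default stance.
ALLOW_RULES = [
    ("tcp", PRIVATE, ANY, 80),
    ("tcp", PRIVATE, ANY, 443),
]

def matches_rule(p):
    """Stateless check: does this single packet match an allow rule?"""
    return any(p.proto == proto and ip_address(p.src) in src_net
               and ip_address(p.dst) in dst_net and p.dport == port
               for proto, src_net, dst_net, port in ALLOW_RULES)

class StatefulFirewall:
    def __init__(self):
        self.sessions = set()   # approved flows as (src, sport, dst, dport)
        self.log = []           # denied packets, for logging & monitoring

    def filter(self, p):
        flow = (p.src, p.sport, p.dst, p.dport)
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "ALLOW"      # return traffic of an established session
        if matches_rule(p):
            self.sessions.add(flow)   # new session permitted by policy
            return "ALLOW"
        self.log.append(f"DENY {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return "DENY"

def run_demo():
    """Run four constructed packets through the filter; returns (verdicts, log)."""
    fw = StatefulFirewall()
    pkts = [
        Packet("10.0.0.5", "203.0.113.10", "tcp", 51000, 443),  # outbound HTTPS
        Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 51000),  # its reply
        Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 51001),  # unsolicited, sport 443
        Packet("10.0.0.5", "203.0.113.10", "tcp", 51002, 23),   # outbound telnet
    ]
    return [fw.filter(p) for p in pkts], fw.log
```

A stateless filter that admitted replies by allowing any inbound packet with source port 443 would also pass the third packet; the session table is what lets the stateful filter tell a genuine reply from an unsolicited one.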

6. SSL/SSH Inspection
Many firewalls can decrypt outbound encrypted traffic, scan its contents, and
then re-encrypt before forwarding permitted connections. Decryption defeats
threats trying to conceal malicious payloads within encrypted tunnels.

The Critical Role of Firewalls

Firewalls deliver a crucial set of capabilities for securing private networks:


▪ Defending against external attacks by allowing only safe, approved traffic flows.
▪ Containing threats and stopping lateral movement between network segments.
▪ Providing visibility through robust logging and reporting.
▪ Shielding devices with weak security postures.
▪ Enabling policy enforcement based on users, groups, applications, and content.
