Network Security Firewalls - Network Security

What are Network Security Firewalls?

Almost every medium and large organization has a presence on the internet and an organizational network connected to it. Partitioning the network at the boundary between the outside internet and the internal network is essential for network security. The internal network (intranet) is sometimes called the "trusted" side and the outside internet the "untrusted" side.

Types of Firewall

A firewall is a network device that isolates an organization's internal network from the larger outside network or internet. It can be a hardware, software, or combined system that prevents unauthorized access to or from the internal network.

All data packets entering or leaving the internal network pass through the firewall, which examines each packet and blocks those that do not meet the specified security criteria.

Network Security – Firewalls

Deploying a firewall at the network boundary concentrates security enforcement at a single point. It is analogous to locking an apartment at the entrance rather than at every door inside.

A firewall is considered an important element in achieving network security for the following reasons −

  • Internal network and hosts are unlikely to be properly secured.
  • The internet is a dangerous place with criminals, users from competing companies, disgruntled ex-employees, spies from unfriendly countries, vandals, etc.
  • To prevent an attacker from launching denial of service attacks on network resources.
  • To prevent illegal modification of, or access to, internal data by an outside attacker.

Firewalls are classified into three basic types −

  • Packet filter (stateless and stateful)
  • Application-level gateway
  • Circuit-level gateway

These three categories, however, are not mutually exclusive. Modern firewalls combine capabilities that may place them in more than one of the three categories.


Stateless and Stateful Packet Filtering Firewall

In this type of firewall deployment, the internal network is connected to the external network/internet through a router firewall. The firewall inspects and filters data packet by packet.

Packet-filtering firewalls permit or block packets usually based on criteria such as source and/or destination IP addresses, protocol, source and/or destination port numbers, and various other parameters in the IP header.

The decision can also be based on elements other than IP header fields, such as the ICMP message type or the TCP SYN and ACK bits.

A packet filter rule has two parts −

  • Selection Criteria − used as the condition and pattern match for decision making.
  • Action Field − specifies the action to be taken if an IP packet meets the selection criteria. The action can be either block (deny) or permit (allow) the packet across the firewall.

Packet filtering is usually done by configuring Access Control Lists (ACLs) on routers or switches. An ACL is a table of packet filter rules.

As traffic enters or exits an interface, the firewall applies the ACL from top to bottom to each packet, stops at the first rule whose criteria match, and permits or denies the packet according to that rule. Because the first match wins, rule order matters, and a packet that matches no rule is dropped by the implicit deny that normally ends an ACL.


A stateless firewall is a rigid device. It looks at each packet in isolation and permits it if it meets the criteria, even if it is not part of any established ongoing communication.

Hence, such firewalls have been replaced by stateful firewalls in modern networks. This type of firewall adds an inspection technique on top of the purely ACL-based packet inspection of stateless firewalls.

A stateful firewall monitors the connection setup and teardown process to keep a check on connections at the TCP/IP level. This allows it to track connection state and determine which hosts have open, legitimate connections at any given point in time.

It references the rule base only when a new connection is requested. Packets belonging to existing connections are checked against the firewall's state table of open connections, and the decision to allow or block is taken from that table. This saves time and adds security as well: no packet is allowed across the firewall unless it belongs to an already established connection or is itself permitted to open a new one. The firewall can also time out inactive connections and thereafter refuse packets for them. Note that UDP and ICMP have no connection setup to observe, so for those protocols the "state" is a timer started by the first permitted packet rather than a handshake that has been seen.
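The difference between the two filtering modes above, as an added example that is not part of the original page: a small Python model in which the same ACL is evaluated statelessly (top to bottom, first match wins, implicit deny) and by a stateful engine that consults the ACL only for connection-opening packets and otherwise relies on its state table with an idle timeout. The addresses, the rule set and the packets are constructed for the example; the `established` rule stands in for the ACL keyword of the same name that matches any TCP segment with the ACK bit set.

```python
"""Toy model of a stateless ACL and a stateful connection table (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False          # TCP flags; ignored for other protocols
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str = "any"
    src: str = "any"           # exact host or "any" (real ACLs take prefixes)
    dst: str = "any"
    dport: Optional[int] = None
    established: bool = False  # like the ACL keyword "established": ACK bit set

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def stateless_filter(acl, p: Packet) -> str:
    """Top to bottom, first match wins; no match means the implicit deny at the end."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Consults the ACL only for connection-opening packets; every later packet
    is decided by the state table, which is expired on an idle timer."""
    IDLE_TIMEOUT = 300.0       # seconds (constructed value for the example)

    def __init__(self, acl):
        self.acl = acl
        self.table = {}        # 5-tuple of the initiating direction -> last seen

    @staticmethod
    def _key(p: Packet, reverse: bool = False):
        return ((p.proto, p.dst, p.dport, p.src, p.sport) if reverse
                else (p.proto, p.src, p.sport, p.dst, p.dport))

    def handle(self, p: Packet, now: float) -> str:
        self.table = {k: t for k, t in self.table.items()
                      if now - t <= self.IDLE_TIMEOUT}
        for key in (self._key(p), self._key(p, reverse=True)):
            if key in self.table:           # known connection, either direction
                self.table[key] = now
                return "permit"
        # Only a bare SYN may open TCP state. UDP and ICMP have no handshake,
        # so their first permitted packet creates timer-based pseudo-state.
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "deny"                   # unsolicited mid-stream segment
        if stateless_filter(self.acl, p) == "permit":
            self.table[self._key(p)] = now
            return "permit"
        return "deny"


def demo() -> dict:
    """Run constructed packets through both models; returns name -> (stateless, stateful)."""
    acl = [
        Rule("permit", proto="tcp", dst="192.0.2.10", dport=80),  # public web server
        Rule("permit", proto="tcp", established=True),            # "return traffic"
    ]                                                             # implicit deny follows
    fw = StatefulFirewall(acl)
    flows = [
        # a client opens a connection to the web server
        ("client_syn", Packet("tcp", "198.51.100.7", 40000, "192.0.2.10", 80, syn=True), 0.0),
        # the server's SYN/ACK back to that client
        ("server_synack", Packet("tcp", "192.0.2.10", 80, "198.51.100.7", 40000, syn=True, ack=True), 1.0),
        # attacker-crafted ACK segment aimed at an internal SSH port, no prior SYN
        ("crafted_ack", Packet("tcp", "198.51.100.7", 40001, "192.0.2.20", 22, ack=True), 2.0),
        # data on the web connection long after it went idle
        ("stale_data", Packet("tcp", "198.51.100.7", 40000, "192.0.2.10", 80, ack=True), 2000.0),
    ]
    return {name: (stateless_filter(acl, p), fw.handle(p, t)) for name, p, t in flows}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:14s} stateless={verdicts[0]:6s} stateful={verdicts[1]}")
```

The crafted ACK segment is the case that separates the two models: a stateless ACL has to admit ACK-flagged segments so that replies can come back, and therefore also admits an attacker's unsolicited ACK segment to port 22, while the stateful engine denies it because no matching entry exists. The stateful engine also stops admitting a connection once the idle timer has expired it, which the stateless ACL cannot do.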

Application Gateways

An application-level gateway acts as a relay node for application-level traffic. It intercepts incoming and outgoing packets, runs proxies that copy and forward data across the gateway, and functions as a proxy server, preventing any direct connection between a trusted server or client and an untrusted host.

The proxies are application specific. They can filter packets at the application layer of the OSI model.

Application-Specific Proxies


An application-specific proxy accepts only packets generated by the particular application it is designed to copy, forward, and filter. For example, only a Telnet proxy can copy, forward, and filter Telnet traffic.

If a network relies solely on an application-level gateway, incoming and outgoing packets cannot reach services that have no proxy configured. For example, if a gateway runs FTP and Telnet proxies, only packets generated by those services can pass through the firewall. All other services are blocked.

Application-level Filtering

An application-level proxy gateway examines and filters individual packets, rather than simply copying them and blindly forwarding them across the gateway. Application-specific proxies check each packet that passes through the gateway, verifying the contents of the packet up through the application layer. These proxies can filter specific types of commands or data in the application protocols.

Application gateways can prevent specific actions from being performed. For example, the gateway can be configured to stop users from performing the FTP put command (STOR on the wire). This prevents modification of the data stored on the server by an attacker.
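The FTP put restriction just described, as an added example that is not from the original page: a Python filter for the client side of the FTP control channel, of the kind an application-specific proxy would apply before relaying a command to the real server. The command lists, the reply texts and the sample session are constructed for the example; the verbs themselves (STOR, DELE, RETR, and so on) are the standard FTP commands.

```python
"""Command filter for an FTP application-level proxy (added example)."""
import re

# Commands the proxy relays. Anything not listed is refused, including commands
# the proxy does not understand: an application proxy forwards only what it can
# parse and verify.
READ_ONLY_COMMANDS = {"USER", "PASS", "SYST", "TYPE", "PWD", "CWD", "PASV",
                      "PORT", "LIST", "NLST", "SIZE", "RETR", "NOOP", "QUIT"}
# Commands that change data on the server; the "FTP put" of the text is STOR.
WRITE_COMMANDS = {"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD", "SITE"}

_CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$")


def inspect_command(line: str) -> tuple:
    """Classify one client line of the control channel.
    Returns ("forward", line_to_relay) or ("reject", reply_sent_by_proxy)."""
    raw = line.rstrip("\r\n")
    if not raw.isascii() or not raw.isprintable():
        # An embedded CR/LF or control byte could smuggle a second command past
        # a proxy that only inspects the first verb, so the whole line is refused.
        return ("reject", "500 Syntax error, command unrecognized.")
    m = _CMD_RE.match(raw)
    if not m:
        return ("reject", "500 Syntax error, command unrecognized.")
    verb, arg = m.group(1).upper(), m.group(2) or ""
    if verb in WRITE_COMMANDS:
        return ("reject", f"550 {verb} not permitted through this gateway.")
    if verb not in READ_ONLY_COMMANDS:
        return ("reject", "502 Command not implemented.")
    if verb == "CWD" and ".." in arg.split("/"):
        # Arguments can be policed too, not only verbs.
        return ("reject", "550 Path traversal not permitted.")
    return ("forward", raw)


def proxy_session(client_lines):
    """Run a client session through the filter. Returns the lines that would be
    relayed to the real server and the replies the proxy answered by itself."""
    forwarded, proxy_replies = [], []
    for line in client_lines:
        verdict, text = inspect_command(line)
        (forwarded if verdict == "forward" else proxy_replies).append(text)
    return forwarded, proxy_replies


SAMPLE_SESSION = [               # constructed client input, not a real capture
    "USER anonymous\r\n",
    "PASS guest@example.org\r\n",
    "CWD pub\r\n",
    "LIST\r\n",
    "RETR README\r\n",
    "STOR backdoor.php\r\n",     # the "put" the gateway must block
    "DELE README\r\n",
    "CWD ../../etc\r\n",
    "XPWN\r\n",                  # no proxy logic for this verb, so it never crosses
    "QUIT\r\n",
]

if __name__ == "__main__":
    relayed, answered = proxy_session(SAMPLE_SESSION)
    print("relayed to server:", relayed)
    print("answered by proxy:", answered)
```

Because the proxy answers rejected commands itself, the real server never sees STOR, DELE or the traversal attempt, and an unknown verb is dropped rather than passed through on the assumption that the server will reject it.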


Although application-level gateways may be transparent, many implementations require user authentication before users can access an untrusted network, which reduces real transparency. Authentication can differ depending on whether the user is from the internal network or from the internet. For the internal network, a simple list of IP addresses can be allowed to connect to outside applications, but from the internet side strong authentication must be carried out.

An application gateway terminates two separate TCP connections (client ↔ proxy and proxy ↔ server) and relays the application data between them in both directions.

For outbound packets, the gateway may also replace the source IP address with its own IP address. This technique is called Network Address Translation (NAT). It ensures that internal IP addresses are not exposed to the internet.

Circuit-level Gateway

The circuit-level gateway is an intermediate solution between the packet filter and the application gateway. It runs at the transport layer and can therefore act as a proxy for any application.

Like an application gateway, the circuit-level gateway also does not allow an end-to-end TCP connection across the gateway. It sets up two TCP connections and relays the TCP segments from one network to the other. However, it does not examine the application data as an application gateway does. Therefore it is sometimes called a "pipe proxy".


SOCKS (RFC 1928) is a circuit-level gateway. It is a networking proxy mechanism that enables hosts on one side of a SOCKS server to gain full access to hosts on the other side without requiring direct IP reachability. The client connects to the SOCKS server on the firewall, negotiates the authentication method to be used, and authenticates with the selected method.

The client then sends a connection relay request to the SOCKS server, containing the desired destination IP address and transport port. The server accepts the request after checking that the client meets the basic filtering criteria. Then, on behalf of the client, the gateway opens a connection to the requested untrusted host and closely monitors the TCP handshake that follows.

The SOCKS server informs the client of the outcome and, in case of success, begins relaying data between the two connections. Circuit-level gateways are used when the organization trusts the internal users and does not need to inspect the contents or application data sent to the internet.
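The SOCKS exchange described above, as an added example (not code from the original page): both sides' messages in the RFC 1928 format, the gateway's method selection, and the destination-only check a circuit-level gateway performs before relaying. The ruleset (`example_policy`), the internal prefix and the destinations are constructed for the example; the gateway never looks at application data, which is the point of a circuit-level design. The username/password sub-negotiation itself (RFC 1929) is outside this example.

```python
"""SOCKS5 (RFC 1928) exchange: client message builders, gateway-side parsing
and the destination-only ruleset of a circuit-level gateway (added example)."""
import ipaddress
import struct

VER = 0x05
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS, REP_GENERAL_FAILURE, REP_NOT_ALLOWED = 0x00, 0x01, 0x02
REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x07, 0x08
INTERNAL = ipaddress.ip_network("10.0.0.0/8")    # constructed address plan


def client_greeting(methods) -> bytes:
    """Client -> gateway: VER | NMETHODS | METHODS"""
    return bytes([VER, len(methods), *methods])


def client_connect_request(host: str, port: int) -> bytes:
    """Client -> gateway: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT"""
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    except ValueError:                           # not an IP literal: domain form
        name = host.encode("idna")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)


def select_method(greeting: bytes, server_prefs) -> bytes:
    """Gateway -> client: VER | METHOD, the gateway's most preferred method that
    the client also offered, or 0xFF so the client closes the connection."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        return bytes([VER, METHOD_NONE_ACCEPTABLE])
    for m in server_prefs:
        if m in greeting[2:]:
            return bytes([VER, m])
    return bytes([VER, METHOD_NONE_ACCEPTABLE])


def parse_request(req: bytes):
    """Decode a request into (cmd, host, port); ValueError on malformed input."""
    if len(req) < 4 or req[0] != VER or req[2] != 0x00:
        raise ValueError("bad header")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(req[4:20])), req[20:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        raise ValueError("address type")
    if len(rest) != 2:
        raise ValueError("bad port")
    return cmd, host, struct.unpack("!H", rest)[0]


def gateway_reply(rep: int, bind_ip: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """Gateway -> client: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT"""
    return (bytes([VER, rep, 0x00, ATYP_IPV4])
            + ipaddress.IPv4Address(bind_ip).packed + struct.pack("!H", bind_port))


def example_policy(host: str, port: int) -> bool:
    """Constructed ruleset: web ports only, never back into the internal network.
    A domain name passes here; a real gateway must resolve it and re-check."""
    if port not in (80, 443):
        return False
    try:
        return ipaddress.ip_address(host) not in INTERNAL
    except ValueError:
        return True


def handle_request(req: bytes, policy) -> tuple:
    """Filter on the requested destination only, never on application data.
    Returns (reply bytes, (host, port) to relay to, or None if refused)."""
    try:
        cmd, host, port = parse_request(req)
    except ValueError as exc:
        rep = REP_ATYP_UNSUPPORTED if str(exc) == "address type" else REP_GENERAL_FAILURE
        return gateway_reply(rep), None
    if cmd != CMD_CONNECT:
        return gateway_reply(REP_CMD_UNSUPPORTED), None
    if not policy(host, port):
        return gateway_reply(REP_NOT_ALLOWED), None
    # A real gateway would open the outbound connection here and report the
    # address it bound; the bound address below is a constructed placeholder.
    return gateway_reply(REP_SUCCESS, "192.0.2.1", 54321), (host, port)


def demo() -> dict:
    """Walk the exchange for constructed destinations; returns the REP codes."""
    chosen = select_method(client_greeting([METHOD_NO_AUTH, METHOD_USERPASS]),
                           server_prefs=[METHOD_USERPASS])
    out = {"method": chosen[1]}
    for name, (host, port) in {"web": ("198.51.100.80", 443),
                               "internal_ssh": ("10.0.0.5", 22),
                               "by_name": ("example.com", 80)}.items():
        reply, target = handle_request(client_connect_request(host, port), example_policy)
        out[name] = (reply[1], target)
    return out
```

The reply code in the second byte is what the client acts on: 0x00 means the gateway has opened the relay, 0x02 that the ruleset refused the destination, and 0x07 or 0x08 that the command or address type is unsupported. Note that the gateway's check runs on the address the client named; if that is a domain name, the check must be repeated on the resolved address, otherwise a name that resolves to an internal host slips past the ruleset.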

Firewall Deployment with DMZ

A firewall is a mechanism used to control network traffic "into" and "out of" an organizational internal network. In most cases these systems have two network interfaces, one for the external network such as the internet and the other for the internal side.

The firewall can tightly control what is allowed to traverse from one side to the other. An organization that wishes to provide external access to its web server can restrict all traffic arriving at the firewall except for port 80 (the standard HTTP port). All other traffic such as mail, FTP, SNMP, etc. is not allowed across the firewall into the internal network. An example of a simple firewall is shown in the following diagram.


In the above simple deployment, although all other access from outside is blocked, an attacker can reach not only the web server but also any other host on the internal network that has left port 80 open, by accident or otherwise.

Hence, the problem most organizations face is how to allow legitimate access to public services such as web, FTP, and e-mail while preserving tight security of the internal network. The typical approach is to deploy firewalls so as to create a demilitarized zone (DMZ) in the network.

In this setup (illustrated in the following diagram), two firewalls are deployed: one between the external network and the DMZ, and another between the DMZ and the internal network. All public servers are placed in the DMZ.

With this setup, it is possible to have firewall rules which allow public access to the public servers while the inner firewall restricts all incoming connections. With the DMZ, the public servers are given adequate protection instead of being placed directly on the external network. The inner firewall should also restrict connections that the DMZ hosts themselves initiate into the internal network, allowing only the specific flows a public server needs (for example the web server reaching its database), since a compromised public server is the most likely starting point for an attack on the internal network.
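The two deployments described above, as an added example that is not part of the original page: a Python model of the single-firewall policy and of the DMZ policy, run over the same constructed flows, including the "internal host with port 80 open" case and a lateral move from a compromised web server. The address plan, the web and database servers and the flows are assumptions made for the example.

```python
"""Single-firewall versus DMZ deployment over the same flows (added example)."""
import ipaddress

# Constructed address plan: the DMZ holds the public servers, the internal
# network everything else; anything outside both is treated as the internet.
DMZ = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
WEB_SERVER, DB_SERVER = "192.0.2.10", "10.0.1.20"


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr in DMZ:
        return "dmz"
    if addr in INTERNAL:
        return "internal"
    return "internet"


def single_firewall(src: str, dst: str, dport: int) -> str:
    """One firewall, two interfaces: the web server and every other host share
    the inside, so the 'allow port 80' rule reaches all of them."""
    if zone_of(src) != "internet":
        return "permit"                       # outbound traffic is trusted
    return "permit" if dport == 80 else "deny"


def dmz_design(src: str, dst: str, dport: int) -> str:
    """Outer firewall guards internet->DMZ, inner firewall guards DMZ->internal."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == "internet":
        # Outer firewall: only the published service on the published host.
        return "permit" if (dst, dport) == (WEB_SERVER, 80) else "deny"
    if src_zone == "dmz" and dst_zone == "internal":
        # Inner firewall: a compromised DMZ host gets exactly the flows it needs
        # (here the web server's database connection) and nothing else.
        return "permit" if (src, dst, dport) == (WEB_SERVER, DB_SERVER, 5432) else "deny"
    # Internal hosts may reach the DMZ and the internet; DMZ hosts may reach the
    # internet (often restricted further in practice to limit call-backs).
    return "permit"


SAMPLE_FLOWS = {                               # (src, dst, dport), constructed
    "public_web":        ("203.0.113.9", WEB_SERVER, 80),
    "stray_port80_host": ("203.0.113.9", "10.0.5.7", 80),  # internal host with 80 open
    "direct_ssh":        ("203.0.113.9", DB_SERVER, 22),
    "web_to_db":         (WEB_SERVER, DB_SERVER, 5432),
    "web_to_fileserver": (WEB_SERVER, "10.0.1.30", 445),   # lateral move after compromise
    "staff_browsing":    ("10.0.3.4", "203.0.113.9", 443),
}


def compare(flows=SAMPLE_FLOWS) -> dict:
    """name -> (verdict of single-firewall design, verdict of DMZ design)"""
    return {name: (single_firewall(*f), dmz_design(*f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (single, dmz) in compare().items():
        print(f"{name:18s} single={single:6s} dmz={dmz}")
```

Two rows are the ones that matter: the stray internal host with port 80 open is reachable from the internet in the single-firewall design but not in the DMZ design, and a web server that has been compromised can reach the internal file server in the first design but only its own database in the second.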


Intrusion Detection / Prevention system

Packet filtering firewalls operate on rules regarding TCP/UDP/IP headers only. They do not try to establish correlation checks among different sessions.

Intrusion Detection/Prevention Systems (IDS/IPS) perform Deep Packet Inspection (DPI) by looking at the packet contents, for example checking character strings in a packet against a database of known virus and attack strings.

Application gateways do examine packet contents, but only for specific applications, and they do not look for suspicious data in the packet. An IDS/IPS looks for suspicious data contained in packets and attempts to observe correlation among multiple packets to identify attacks such as port scanning, network mapping, and denial of service.

Difference Between IDS and IPS

IDS and IPS are similar in detecting anomalies in the network. An IDS is a "visibility" tool whereas an IPS is considered a "control" tool.

Intrusion Detection Systems sit off to the side of the network, monitoring traffic at many different points, and provide visibility into the security state of the network. When the IDS reports an anomaly, corrective actions are initiated by the network administrator or by other devices on the network.

Intrusion Prevention Systems are like firewalls: they sit in-line between networks and control the traffic going through them. An IPS enforces a specific policy on detecting an anomaly in the network traffic; typically it drops the offending packets or blocks the offending session or source until the administrator addresses the anomaly. Because it is in-line, a false positive on an IPS blocks legitimate traffic, whereas on an IDS it only raises an alert.


Types of IDS

There are two basic types of IDS.

  • Signature-based IDS
    • It needs a database of known attacks with their signatures.
    • A signature is defined by the types and order of packets characterizing a particular attack.
    • The problem with this type of IDS is that only known attacks can be detected. It can also raise a false alarm, which happens when a normal packet stream matches the signature of an attack.
    • A well-known public open-source IDS example is Snort.

  • Anomaly-based IDS
    • This type of IDS builds a profile of the traffic pattern of normal network operation.
    • During detection, it looks for traffic patterns that are statistically unusual, for example an unusual ICMP load or an exponential increase in port scans.
    • Detection of any unusual traffic pattern generates the alarm.
    • The main challenge in this type of IDS deployment is the difficulty of distinguishing between normal traffic and unusual traffic.
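The two detection approaches, as an added example that is not from the original page: a signature matcher over packet payloads and an anomaly detector that correlates packets from one source to spot a port scan, run over a constructed packet log. The log, the signatures and the thresholds are constructed for the example and are not Snort rules; the log deliberately includes a benign request that matches a signature (the false alarm mentioned above) and a scan slow enough to stay under the anomaly threshold.

```python
"""Signature-based and anomaly-based detection over a constructed packet log
(added example)."""
from collections import defaultdict

# Constructed packets: (timestamp, src, dst, dport, payload). Not a real capture.
PACKETS = [
    (0.0, "203.0.113.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    (0.4, "203.0.113.5", "192.0.2.10", 80, b"GET /cgi-bin/t.cgi?cmd=/bin/sh HTTP/1.1\r\n"),
    # fast port sweep: eight ports on one host within a second
    (1.0, "198.51.100.9", "192.0.2.10", 21, b""),
    (1.1, "198.51.100.9", "192.0.2.10", 22, b""),
    (1.2, "198.51.100.9", "192.0.2.10", 23, b""),
    (1.3, "198.51.100.9", "192.0.2.10", 25, b""),
    (1.4, "198.51.100.9", "192.0.2.10", 80, b""),
    (1.5, "198.51.100.9", "192.0.2.10", 110, b""),
    (1.6, "198.51.100.9", "192.0.2.10", 143, b""),
    (1.7, "198.51.100.9", "192.0.2.10", 443, b""),
    # slow sweep: one port every ten seconds
    (10.0, "198.51.100.22", "192.0.2.10", 21, b""),
    (20.0, "198.51.100.22", "192.0.2.10", 22, b""),
    (30.0, "198.51.100.22", "192.0.2.10", 23, b""),
    (40.0, "198.51.100.22", "192.0.2.10", 25, b""),
    (50.0, "198.51.100.22", "192.0.2.10", 80, b""),
    (60.0, "198.51.100.22", "192.0.2.10", 110, b""),
    # benign request that happens to contain an attack string
    (70.0, "203.0.113.77", "192.0.2.10", 80, b"GET /blog/cmd=/bin/sh-injection.html HTTP/1.1\r\n"),
]

# (name, destination port or None for any, byte pattern). Constructed for the
# example; real signature sets are far richer than a fixed byte string.
SIGNATURES = [
    ("cgi-command-injection", 80, b"cmd=/bin/sh"),
    ("passwd-file-request", None, b"/etc/passwd"),
]


def signature_detect(packets, signatures=SIGNATURES):
    """Match each packet in isolation against the known-attack strings."""
    alerts = []
    for ts, src, _dst, dport, payload in packets:
        for name, port, pattern in signatures:
            if (port is None or port == dport) and pattern in payload:
                alerts.append((ts, src, name))
    return alerts


def port_scan_detect(packets, window=5.0, threshold=5):
    """Correlate across packets: a source touching more than `threshold`
    distinct ports on one host within `window` seconds is reported once."""
    recent = defaultdict(list)          # (src, dst) -> [(ts, dport), ...]
    alerts, reported = [], set()
    for ts, src, dst, dport, _payload in sorted(packets, key=lambda p: p[0]):
        key = (src, dst)
        recent[key] = [(t, p) for t, p in recent[key] if ts - t <= window]
        recent[key].append((ts, dport))
        if key not in reported and len({p for _, p in recent[key]}) > threshold:
            reported.add(key)
            alerts.append((ts, src, "port-scan"))
    return alerts


def run_ids(packets=PACKETS) -> dict:
    """Both detectors over the same log: {"signature": [...], "anomaly": [...]}"""
    return {"signature": signature_detect(packets),
            "anomaly": port_scan_detect(packets)}


if __name__ == "__main__":
    for kind, alerts in run_ids().items():
        for ts, src, what in alerts:
            print(f"[{kind}] t={ts:5.1f} src={src:14s} {what}")
```

The signature detector fires on the real injection attempt and on the benign blog request alike, because it sees only one packet at a time and one byte string; that second alert is the false alarm the text describes. The anomaly detector reports the fast sweep once, after the sixth distinct port, and never reports the slow sweep, which stays below the threshold inside any five-second window: widening the window catches it, at the cost of more state per source and more false alarms from chatty legitimate clients.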


In this chapter, we discussed the various mechanisms employed for network access control. The approach to network security through access control is technically different from implementing security controls at the individual network layers discussed in the earlier chapters of this tutorial. However, although the methods of implementation are different, they are complementary to each other.

Network access control comprises two major components: user authentication and network boundary protection. RADIUS is a popular mechanism for providing central authentication in the network.

A firewall provides network boundary protection by separating an internal network from the public internet. Firewalls can operate at different layers of the network protocol stack. An IDS/IPS makes it possible to monitor anomalies in network traffic, detect attacks, and take preventive action against them.

All rights reserved © 2018 Wisdom IT Services India Pvt. Ltd
