ASSISTANT PROFESSOR
READ ALL THE NOTES CHAPTER WISE
SUBJECT NAME:- MJ–15 (Th):- INFORMATION SECURITY
FOR B. Sc. IT.
SEM 6 F.Y.U.G.P.
Copyright © by Dr. Ajay kumar pathak
B. Sc. IT. SEMESTER 6 NOTES BASED ON NEP
SUBJECT : MJ–15 (Th): INFORMATION SECURITY
(To be selected by the students from)
UNIT 4 (UNIT NAME):- NETWORK ACCESS CONTROL AND FIREWALLS
Objective: The objective of this course is to provide students with a comprehensive understanding of network security concepts and techniques. The course aims to develop students' skills in identifying network vulnerabilities, implementing security measures, and ensuring the confidentiality, integrity, and availability of networked systems.
Learning Outcome:- After completion of this course, a student will be able to–
· Understand the principles and concepts of network security.
· Identify potential security threats and vulnerabilities in networked systems.
· Implement security measures to protect network infrastructure.
· Apply encryption and authentication techniques to secure network communication.
· Analyze and respond to security incidents in networked environments.
INTERNAL MARKS :- 25 (NO PRACTICAL IN THE MJ 15(INFORMATION SECURITY ))
End Semester Examination (ESE) : 75 Marks
-: NOTES READ FROM HERE :-
UNIT- 4 :- NETWORK ACCESS CONTROL AND FIREWALLS
INTRODUCTION TO NETWORK ACCESS CONTROL AND FIREWALLS:-
INTRODUCTION TO NETWORK ACCESS CONTROL:-
Network Access Control (NAC) is the set of policies and mechanisms that decide which users and devices may connect to a network, and what they may reach once connected. NAC also applies to data that travels over the network, and the resources it helps to secure may be physical (as in the case of hardware routers or servers) or software-defined, virtual resources (such as a software firewall or a virtual machine).
How does Network Access Control work?:-
NAC works by setting rules about who and what can access your network.
i. Authentication:- Before anyone or anything connects to the network, NAC checks their identity. This could mean entering a password, using a fingerprint, a digital certificate, or multi-factor authentication (MFA).
ii. Authorization:- Once verified, NAC decides what they're allowed to access based on policies, including their role, device security, location, or time of day.
iii. Device compliance checks:- NAC makes sure every device is safe, with updated antivirus, security patches, and encrypted storage. If something's off, access is limited or blocked.
iv. Policy enforcement:- NAC uses tools like VLANs (Virtual Local Area Networks), firewall rules, and segmentation to control access. It can even adjust permissions on the fly if risks pop up.
v. Continuous monitoring and threat detection:- NAC doesn't stop after login. It keeps watching for red flags like strange logins, big file transfers, or suspicious behavior, and can cut off access instantly if needed.
vi. Integration with your security environment:- NAC works with your existing SIEM (Security Information and Event Management), EDR (Endpoint Detection and Response), IAM (Identity and Access Management), and firewalls to help your security team stay one step ahead.
vii. Access management:- Personal and guest devices get limited access in isolated zones so they can't touch critical systems.
viii. Automated remediation:- If NAC finds a risky or non-compliant device, it can act right away, including quarantining it, asking for updates, or alerting IT.
Types of Network Access Control:-
There are primarily two kinds of network access control:
(1) Pre-admission:- This type of Network Access Control occurs before users are granted access. Any user who wants to access the network needs to make a request and can only enter once their credentials are verified. Pre-admission control is the safer starting point, since it grants access only to devices and users that can be authenticated and that pass a posture check.
How It Works:- The user tries to connect to the network, and NAC checks: username and password; antivirus installed?; operating system updated? If everything is OK → full access. If not → blocked or limited access.
Example:- Imagine a student trying to connect a laptop to the college Wi-Fi. The system checks: Is this student registered? Is antivirus installed? Is Windows updated? If yes → internet allowed. If no → access denied. This is called pre-admission control.
(2) Post-admission:- Post-admission Network Access Control applies after a device or user is already on the network, for example when they try to enter a new or different area of the network to which they have not yet been granted access. To get authorization, the user or device must verify its identity again, and the device keeps being checked after it has connected. Even after allowing access, NAC keeps monitoring. If a virus is detected, suspicious activity is seen, or malware starts spreading, then the device is isolated and its access is removed.
Example:- A device connects successfully in the morning. Later it downloads malware and starts sending spam emails. NAC detects the abnormal behavior, moves the device to a quarantine network and blocks its access. This is post-admission control.
Advantages of Network Access Control:-
i. Stronger security:- Blocks unauthorized users and risky devices before they ever connect.
ii. Built-in compliance:- Makes sure every device follows security rules, helping you stay in line with standards like GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), and PCI DSS (Payment Card Industry Data Security Standard).
iii. Smaller attack surface:- Limits access and stops threats from spreading through the network.
iv. Zero Trust friendly:- Always verifies users and devices, not just at login, but continuously.
v. Smart threat response:- Automatically spots and isolates devices that aren't safe.
vi. Full network visibility:- Lets IT teams see every connected device and what it's doing.
vii. Better performance:- Cuts out junk traffic and rogue devices, keeping things running smoothly.
viii. Easy on users:- Keeps access simple for trusted users while staying strict on security.
ix. Faster incident response:- Works with tools like SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) to speed up investigations and fixes.
x. Ready to scale:- Works across on-premises, cloud, and hybrid networks, built for modern IT.
Disadvantages of Network Access Control (NAC):-
(i) Limited visibility for IoT devices:- NAC has low visibility and control over IoT devices or endpoints without specific user identities. Such devices usually cannot run a NAC agent, so they can only be profiled by what they look like on the wire.
(ii) Limited internal threat protection:- NAC on its own does not protect against threats that originate within the network, such as insider attacks or a device that was compliant at admission and is compromised later, unless it is paired with continuous monitoring.
(iii) Compatibility issues:- NAC solutions may not function effectively if they are incompatible with existing security tools or infrastructure within the organization.
What are Network Access Control
Mechanisms?:-
Access Control Mechanisms refer to the
techniques and processes used to control and manage access to resources within
a system. They play a crucial role in ensuring the security and integrity of
sensitive data and information.
Access Control Mechanisms determine who
can access what resources, under what conditions, and with what level of
privileges. They are designed to prevent unauthorized access, protect against
data breaches, and enforce security policies.
Network Access Control Mechanisms: the AAA Model:-
When workers move from offices to public Wi-Fi and from laptops to mobile devices, several risks appear: unsecured devices can transmit malware to network resources, user credentials may be stolen and used to steal data, and unauthorized users may roam freely across network assets, putting them at risk.
That is a lot of risk. NAC helps to address these issues through what is known as the AAA model. This model comprises three processes: authentication, authorization, and accounting.
(1) Authentication:- NAC systems verify the identity of every user and device connecting to a network, either through client software on the endpoint or through the switch or access point (for example with IEEE 802.1X). Verification measures usually include usernames and passwords, but they can also include MAC address checks and digital certificates. MAC addresses are trivially spoofed, so a MAC-based allowlist on its own is weak and is normally reserved for devices (printers, IoT) that cannot do anything stronger. The aim is to identify every user and device at the network edge before establishing a connection.
(2) Authorization:- The next step in NAC is determining access levels for users and devices. NAC solutions apply various criteria when deciding which resources to make available. For instance, the NAC system may give groups of users similar privileges; alternatively, each individual may have specific permissions for their role. NAC solutions may also restrict access by time of day, service, or network type. In-depth filtering like this makes it easier to block illegitimate access requests.
(3) Accounting:- NAC systems keep a record of every access request and its outcome. This information is used in security auditing and makes connected devices visible to security managers at all times.
NAC systems monitor network activity to ensure that users follow security policies. If users violate security policies, the access control software may revoke their privileges and quarantine the user's device. Agents installed on endpoints can monitor the device continuously, blocking connections when violations occur.
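The AAA loop above, together with the pre-admission and post-admission types described earlier, as an added worked example in Python (not code from these notes or from any NAC product). The user store, VLAN numbers, posture fields and monitoring events are constructed for illustration; a real deployment would take identity from RADIUS/802.1X or certificates and posture from an endpoint agent rather than from a dictionary.

```python
"""Toy NAC policy engine (added example, not code from the notes).

Walks the AAA loop: authenticate the user, authorise the device into a
VLAN from its role and posture (pre-admission), write an accounting
record, and re-evaluate on a monitoring event (post-admission).
"""
from dataclasses import dataclass
from typing import Optional

# Constructed user store: username -> (password, role). Plain text only
# because this is a toy; never store credentials like this in practice.
USERS = {"alice": ("s3cret", "staff"), "bob": ("hunter2", "student")}
VLAN_STAFF, VLAN_STUDENT, VLAN_GUEST, VLAN_QUARANTINE = 10, 20, 30, 99
SEVERE_EVENTS = {"malware_detected", "spam_burst", "lateral_scan"}

AUDIT_LOG: list = []          # accounting records, newest last


@dataclass
class Posture:
    antivirus_running: bool
    patched: bool
    disk_encrypted: bool


@dataclass
class Device:
    mac: str
    user: Optional[str]       # None = no credentials offered (guest)
    password: Optional[str]
    posture: Posture


@dataclass
class Decision:
    vlan: Optional[int]       # None = connection refused
    reason: str


def authenticate(dev):
    """Return the user's role on a valid password, else None."""
    entry = USERS.get(dev.user or "")
    if entry is None or entry[0] != dev.password:
        return None
    return entry[1]


def authorise(role, posture):
    """Pre-admission: map (role, posture) to a VLAN or quarantine."""
    if not (posture.antivirus_running and posture.patched):
        return Decision(VLAN_QUARANTINE, "posture check failed")
    if role == "staff" and not posture.disk_encrypted:
        return Decision(VLAN_QUARANTINE, "staff device lacks disk encryption")
    vlan = VLAN_STAFF if role == "staff" else VLAN_STUDENT
    return Decision(vlan, f"compliant {role} device")


def admit(dev):
    """Full pre-admission flow with an accounting record."""
    if dev.user is None:
        decision = Decision(VLAN_GUEST, "no credentials: isolated guest zone")
    else:
        role = authenticate(dev)
        decision = (Decision(None, "authentication failed")
                    if role is None else authorise(role, dev.posture))
    AUDIT_LOG.append({"mac": dev.mac, "user": dev.user,
                      "vlan": decision.vlan, "reason": decision.reason})
    return decision


def on_monitoring_event(dev, current, event):
    """Post-admission: a severe alert revokes access on the fly."""
    if event in SEVERE_EVENTS:
        current = Decision(VLAN_QUARANTINE, f"{event}: moved to quarantine")
    AUDIT_LOG.append({"mac": dev.mac, "event": event, "vlan": current.vlan})
    return current


if __name__ == "__main__":
    laptop = Device("aa:bb:cc:00:00:01", "alice", "s3cret",
                    Posture(True, True, True))
    d = admit(laptop)
    print(d)                                    # Decision(vlan=10, ...)
    d = on_monitoring_event(laptop, d, "spam_burst")
    print(d)                                    # Decision(vlan=99, ...)
    print(AUDIT_LOG)
```

Run it directly to see a compliant staff laptop land in VLAN 10, be quarantined after a spam burst, and leave two accounting records behind. Note that a failed password yields a refused connection (`vlan` of `None`) rather than guest access: credentials that were offered and rejected are a different signal from no credentials at all.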
NETWORK FIREWALLS:-
A firewall is
the first line of defense that monitors incoming and outgoing traffic and
decides to allow or block specific traffic based on a defined set of security
rules.
A network
firewall is a critical security device or software that monitors and controls
network traffic based on predetermined rules. It acts as a barrier between
trusted internal networks and untrusted external networks, such as the
internet.
Firewalls play
a vital role in protecting computer networks by filtering traffic, controlling
access, segmenting networks, and logging activities. They examine data packets
entering or leaving the network, deciding whether to allow or block them based
on set policies. This helps prevent unauthorized access, malware infections,
and data breaches.
Modern
firewalls can be updated and configured to address new challenges posed by
continuously evolving cyber threats, making them adaptable and indispensable
components of a comprehensive cyber security strategy.
How network firewalls work in a computer network:-
(1) Traffic filtering:- This process involves examining data packets entering or leaving the network and deciding whether to allow or block them based on predefined security policies. Firewalls use the following filtering techniques to achieve this:
(2) IP address filtering:- The firewall checks the source and destination IP addresses of incoming and outgoing packets. It compares these addresses against a list of allowed or blocked IPs, determining whether to permit or deny the traffic.
(3) Packet filtering:- This technique examines the IP addresses and other information in the packet header, such as port numbers, protocols, and packet types (for example TCP flags). This provides more granular control over network traffic, enabling or blocking specific services or applications, but each packet is still judged on its own.
(4) Stateful inspection:- This process tracks the state of network connections. It maintains a state table to remember the context of each communication session, enabling it to make more informed decisions about incoming packets based on their relationship to previous traffic; for example, a reply from a web server is admitted only because an inside host opened that connection first.
(5) Application-layer filtering:- Usually implemented with deep packet inspection, application-layer filtering examines the actual content of the data packets rather than just their headers. This enables the firewall to identify and block specific applications or protocols, regardless of their port. It only works on traffic the firewall can read, so encrypted sessions need TLS interception first.
(6) Intrusion detection and prevention:- Many modern firewalls also incorporate intrusion detection and prevention systems (IDS/IPS), which identify and respond to potential security threats in real time. They may also include features like virtual private network (VPN) support for secure remote access and network address translation (NAT) to hide internal network addresses from external view.
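To make the difference between the filtering layers concrete, here is an added Python example of a toy stateful packet filter (not code from the notes or from any firewall product). The trusted LAN, blocklist, admin range and allowed ports are constructed, and all addresses are from the RFC 5737 documentation ranges.

```python
"""Toy stateful packet filter (added example, not code from the notes).

Applies the layers described above to constructed packets: an IP
blocklist, header-based rules for new connections, a state table that
admits only replies to flows the inside opened, and default deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.168.1.0/24")              # trusted LAN (constructed)
BLOCKED_SOURCES = [ip_network("203.0.113.0/24")]   # IP-address filter list
ADMIN_NET = ip_network("198.51.100.0/24")          # only source allowed to SSH in
# Header-level rules for NEW connections: (direction, protocol, dst port)
ALLOW_NEW = {
    ("out", "tcp", 80), ("out", "tcp", 443), ("out", "udp", 53),
    ("in", "tcp", 22),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP: True only on the segment that opens a connection


class StatefulFirewall:
    def __init__(self):
        self.state = set()   # keys of flows that were allowed to start

    @staticmethod
    def _direction(pkt):
        return "out" if ip_address(pkt.src) in INSIDE else "in"

    @staticmethod
    def _flow_key(pkt, direction):
        # Normalised (proto, inside host, inside port, outside host, outside
        # port) so a reply maps to the same key as the packet that opened it.
        if direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt):
        """Return 'ACCEPT:<why>' or 'DROP:<why>' for one packet."""
        src = ip_address(pkt.src)
        # 1. IP-address filtering
        if any(src in net for net in BLOCKED_SOURCES):
            return "DROP:blocked-source"
        direction = self._direction(pkt)
        key = self._flow_key(pkt, direction)
        # 2. Stateful inspection: does it belong to a flow we already admitted?
        if key in self.state:
            return "ACCEPT:established"
        # A TCP segment with no state and no SYN is not opening anything
        # (this is what defeats ACK scans that slip past stateless filters).
        if pkt.proto == "tcp" and not pkt.syn:
            return "DROP:no-state"
        # 3. Packet filtering on header fields for new connections; inbound
        #    services are additionally restricted to the admin range.
        if (direction, pkt.proto, pkt.dport) in ALLOW_NEW:
            if direction == "in" and src not in ADMIN_NET:
                return "DROP:admin-port-restricted"
            self.state.add(key)
            return "ACCEPT:new"
        # 4. Default deny
        return "DROP:default"


if __name__ == "__main__":
    fw = StatefulFirewall()
    print(fw.filter(Packet("192.168.1.10", "192.0.2.80", "tcp", 50000, 443, syn=True)))
    print(fw.filter(Packet("192.0.2.80", "192.168.1.10", "tcp", 443, 50000)))
    print(fw.filter(Packet("192.0.2.7", "192.168.1.10", "tcp", 80, 50001)))
```

The `DROP:no-state` branch is the stateful-versus-stateless difference in one line: a stateless packet filter with a rule "allow tcp from source port 80" would pass the unsolicited segment from 192.0.2.7, while this filter drops it because no inside host ever opened that session.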
Types
of firewalls:-
(1) Packet-filtering firewall:- This is the most basic type of network
security firewall that examines incoming and outgoing network traffic based on
predefined parameters. It inspects packet headers, including source and
destination IP addresses, port numbers, and protocols. Packet-filtering
firewalls are fast and efficient but cannot understand the context of
connections or inspect packet contents.
(2) Stateful inspection firewall:- An evolution of packet filtering,
stateful inspection firewalls maintain awareness of the state of network
connections. They track the state of sessions and make decisions based on
predefined rules and the context of the traffic. This allows for more
intelligent filtering decisions and better protection against certain types of
attacks.
(3) Proxy firewall:- Also known as application-level
gateways, proxy firewalls act as intermediaries between internal and external
networks. They terminate incoming connections and establish new ones to the
destination, effectively hiding the internal network. Proxy firewalls can
perform deep packet inspection and provide content filtering, making them more
secure but potentially slower than other types of firewalls.
(4) Web application firewall (WAF):- WAFs are specifically designed to protect web applications from common web-based attacks; AWS WAF is one example. They inspect HTTP traffic and can detect and block threats like SQL injection, cross-site scripting (XSS), and other application-layer attacks. WAFs are crucial for protecting web-facing assets and ensuring compliance with data protection standards, but they are a compensating control: the application itself still has to validate its input.
(5) Unified threat management (UTM) firewall:- UTM firewalls combine multiple security features into a single appliance. They typically include traditional firewall capabilities along with intrusion prevention, antivirus, content filtering, and sometimes VPN functionality. UTM appliances give small- to medium-sized organizations comprehensive protection in one box, at the cost of some throughput when every feature is enabled, although modern platforms have become significantly more efficient.
(6) Next-gen firewall (NGFW):- An NGFW is a cutting-edge firewall
technology that incorporates features of traditional firewalls with advanced
capabilities. It provides deep packet inspection, application-level filtering,
and intrusion prevention, all within a platform that can integrate with threat
intelligence feeds. NGFWs often include features like user identity management
and SSL/TLS inspection.
Advantages
of Network Firewalls:-
These are the most common network firewall benefits:
(1) Enhance specialized effectiveness:- Firewalls excel at a narrow set of security tasks, such as filtering network traffic, enforcing access controls, and identifying malicious activity, using established rules and criteria.
(2) Ensure high speed and data throughput:- They process data quickly, reducing the impact of filtering on network performance and promoting more efficient communication across networks.
(3) Enable rapid installation and setup:- They can be deployed and configured rapidly, allowing enterprises to implement strong security measures while maintaining business continuity with little inconvenience.
(4) Protect against external threats:- They prevent unwanted connection attempts from outside the company and reduce the exposure of internal services and login endpoints to malicious actors, protecting network integrity and privacy.
(5) Defend against viruses and malware:- They serve as a first barrier against internet-borne threats by analyzing incoming and outgoing traffic and blocking potentially hazardous content before it enters the network.
(6) Manage network performance:- They help monitor and maintain overall network performance and availability by filtering out unnecessary or dangerous traffic.
(7) Secure cloud storage:- Cloud firewalls and security groups stop unauthorized access to sensitive data stored remotely, improving overall data security and regulatory compliance.
Disadvantages
of Network Firewalls:-
(1) Occasionally fail to block complex attacks:- A plain firewall lacks defense against advanced attacks that target applications or ride inside legitimate web traffic, leaving those exposed to exploitation.
(2) Can be misled by manipulated headers:- Vulnerable to attacks that manipulate packet headers (spoofed source addresses, fragmentation tricks) to avoid firewall defenses, potentially allowing unauthorized access.
(3) Have restricted capacity:- May struggle with high traffic volumes, which limits usefulness in larger or busier networks and impedes smooth operation.
(4) Require large investment:- Cost additional expenses for expert consulting, licensing and deployment, making budget allocation difficult.
(5) Remain vulnerable to malware attacks:- Need extra security measures against advanced malware that evades firewall defenses, for example malware carried inside encrypted or explicitly allowed traffic.
(6) Restrict user access:- Limiting network access per user may slow down legitimate work and tempt users into workarounds that complicate network management.
HOW
TO CONFIGURE FIREWALLS: STEP-BY-STEP GUIDE TO FIREWALL CONFIGURATION:-
(1) Blocking Traffic by Default:- Start from a default-deny policy that allows only necessary connections. This doesn't mean you'll have issues with internal access; it means every permitted flow has been stated explicitly. A big benefit of this configuration is that it closes unknown pathways, while those who need access don't run into any issues. It is an important aspect of reducing the attack surface, but it also demands a thorough understanding of what your internal traffic needs are, and in the long term it needs consistent review to remain a security posture you can rely on.
(2) IP Restrictions:- Another aspect of keeping network access in line is IP restrictions. It's understandable that certain IP addresses will need access, but this should come with a few restrictions: inbound access to exposed services (administrative ports above all) is limited to approved source ranges, and outbound traffic is limited to approved destinations only.
Taking this stand reduces exposure to scanning and to some DDoS (Distributed Denial of Service, a malicious cyberattack that disrupts normal traffic to a targeted server) traffic, although volumetric DDoS has to be absorbed upstream of the firewall. Overall, you want to reduce network exposure without leaving authorized users in the dark. This is another area that'll require maintenance, especially if you're dealing with remote or dynamic IPs.
(3) Managing Open Ports:- You only want the most essential ports open for your daily business operations. Take this one step further by assigning specific ports to help restrict access. On the other end of this, always close or disable ports that aren't in use anymore. With most modern firewall appliances, this is easier than ever to achieve through their dashboard management.
(4) Intrusion Detection and Prevention Systems (IDS/IPS):- If you aren't already familiar, intrusion detection and prevention systems are a big benefit of next-gen firewall hardware. Where IPS can help with blocking malicious traffic, IDS works to keep your team alert to suspicious activity on the network.
It's a combined approach that's proactive, while also giving you control over the situation with incident response. Another upside to this approach to configuration is that it helps a lot with regulatory compliance in the long run.
(5) Principle of Least Privilege (PoLP):- This goes hand in hand with zero trust architecture (the "never trust, always verify" model, in which no user or device is trusted by virtue of its network location), but it's important to understand the individual benefits of PoLP. Putting this into place ensures users are only able to access the parts of the network that are vital to their specific roles. If a user or account is compromised, PoLP limits the damage potential. For a more comprehensive stand here, make sure to combine this with identity and access management controls.
(6) Logging and Continuous Monitoring:- This is a given for anyone who’s dealt
with firewall configuration and management before. Logging and continuous
monitoring are crucial for things like incident investigation and forensic
analysis of your traffic. You can make this easier for yourself through
real-time alerts and reviewing log information on a regular basis. It’s a
crucial component to keeping a bird’s-eye view of your network.
(7) Regular Firmware Updates and Testing:- Even with the rising prevalence of
automation within firewall tech, it’s important you stay on top of regular
firmware updates. You don’t want any potential weaknesses sticking around for
very long, and regular penetration testing can help with that as well. Handling
consistent reviews of your firmware and testing your defenses helps you stay
one step ahead of any potential issues. Preventing exploitation of outdated
software and your network as a whole demands a proactive strategy.
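Steps (1), (2), (3) and (6) above can be checked mechanically. The following added Python example (not from the notes or from any vendor) lints a vendor-neutral rule list for those steps and shows a weak rule set beside a hardened one; the rule format, port lists, admin range and both rule sets are constructed for illustration.

```python
"""Firewall rule-set linter (added example, not code from the notes).

Checks: default deny, no any/any accept, admin ports reachable only from
a named admin range, only approved ports open, stale ports (no observed
traffic) reported, and a logged catch-all drop at the end.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
APPROVED_PORTS = {80, 443}                  # business services open to all
ADMIN_PORTS = {22, 3389}                    # must be limited to ADMIN_NET
ADMIN_NET = ip_network("198.51.100.0/24")   # constructed jump-host range


@dataclass(frozen=True)
class Rule:
    action: str             # "accept" or "drop"
    src: str                # source CIDR
    dport: Optional[int]    # None = any port
    log: bool = False


@dataclass(frozen=True)
class RuleSet:
    default_policy: str     # what happens when no rule matches
    rules: tuple


def audit(rs, observed_ports=None):
    """Return a list of findings; an empty list means the rule set passes."""
    findings = []
    if rs.default_policy != "drop":
        findings.append("default policy is not drop (step 1)")
    for i, r in enumerate(rs.rules, 1):
        if r.action != "accept":
            continue
        src = ip_network(r.src)
        if src == ANY and r.dport is None:
            findings.append(f"rule {i}: accept any/any defeats default deny (step 1)")
            continue
        if r.dport in ADMIN_PORTS and not src.subnet_of(ADMIN_NET):
            findings.append(f"rule {i}: admin port {r.dport} open to {r.src} (step 2)")
        if r.dport is not None and r.dport not in APPROVED_PORTS | ADMIN_PORTS:
            findings.append(f"rule {i}: port {r.dport} is not on the approved list (step 3)")
        if observed_ports is not None and r.dport is not None \
                and r.dport not in observed_ports:
            findings.append(f"rule {i}: port {r.dport} has seen no traffic; close it (step 3)")
    last = rs.rules[-1] if rs.rules else None
    if rs.default_policy == "drop" and not (last and last.action == "drop" and last.log):
        findings.append("final catch-all drop is missing or not logged (step 6)")
    return findings


# Weak set: permit-by-default, wide-open SSH, an unapproved service.
WEAK = RuleSet("accept", (
    Rule("accept", "0.0.0.0/0", None),
    Rule("accept", "0.0.0.0/0", 22),
    Rule("accept", "0.0.0.0/0", 8080),
))
# Hardened set: default deny, SSH only from the admin range, web open, logged drop.
HARDENED = RuleSet("drop", (
    Rule("accept", "198.51.100.0/24", 22),
    Rule("accept", "0.0.0.0/0", 443),
    Rule("accept", "0.0.0.0/0", 80),
    Rule("drop", "0.0.0.0/0", None, log=True),
))

if __name__ == "__main__":
    for name, rs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(rs, observed_ports={22, 443}) or ["OK"])
```

Translate the same checks to your own platform by exporting its rule base into this shape and feeding it to `audit`; the optional `observed_ports` argument, meant to be filled from flow logs, is what turns "close ports that aren't in use anymore" from advice into a finding.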
INTRUSION
DETECTION AND PREVENTION SYSTEMS (IDPS):-
An Intrusion Detection and Prevention System, or IDPS, is designed to help you identify and stop security threats within your network. It monitors your network traffic and system activities, looking for anything that appears out of place or harmful. When a threat is detected, it alerts your team and, in many cases, takes immediate action to block the danger.
The system
focuses on two main tasks, detecting potential threats and preventing them from
causing harm. Detection is continuously analyzing traffic and behavior,
comparing what it sees to known attack patterns or baseline activities.
Prevention is
when the system identifies a threat, it acts automatically by blocking harmful
traffic, severing unauthorized connections, or adjusting security settings to
close off a potential entry point. These actions reduce the time an attacker
has to exploit a weakness, limiting the damage they can do.
So, an IDPS not
only provides visibility into your network’s activity but also helps to stop
threats before they escalate into serious incidents.
IDPS are
somewhat like having a security guard for your digital infrastructure: they
don't sleep, they don't doze off, and they are always watching.
There are two main components:-
(i) Intrusion Detection System (IDS): It identifies suspicious activities and raises alerts. An IDS usually sits out of band, fed by a mirror (SPAN) port or a network tap, so it can only observe and report.
(ii) Intrusion Prevention System (IPS): This system detects and prevents the attack from occurring. An IPS sits inline in the traffic path, which is what lets it drop packets, but also means a false positive blocks legitimate traffic and a failure can take the link down.
While IDS behaves like a camera which raises an alarm, IPS behaves like a security guard who immediately locks the door.
How
Does IDPS Work?:-
IDPS operates by performing continuous traffic monitoring and intelligent traffic analysis. The following steps describe how it functions:-
(1) Traffic Monitoring:- IPS (Intrusion
Prevention Systems) continuously monitors incoming and outgoing network traffic,
examining data packets as they traverse the network.
(2) Packet Inspection:- It performs deep
packet inspection, which involves examining the content of each data packet,
including the header and payload. This thorough inspection allows the IPS to
analyze the behavior and characteristics of the traffic.
(3) Signature-Based Detection:- One of the
primary methods an IPS uses is signature-based detection. It compares the
characteristics of the data packets to a database of known attack signatures
associated with malware, viruses, or other malicious activities. If a match is
found, the IPS can block or log the malicious traffic.
(4) Anomaly-Based Detection:- Some IPS employ anomaly-based detection. They establish a baseline of what is considered normal network behavior. If the IPS detects traffic that deviates significantly from this baseline, it may flag it as suspicious.
(5) Traffic Blocking:- When the IPS
identifies potentially malicious traffic based on its analysis, it can take
various actions to protect the network. These actions may include blocking
malicious traffic, dropping packets, or rerouting traffic to a quarantine area
for further analysis.
(6) Alerting and Reporting:- The IPS usually
generates alerts to notify network administrators of detected threats or
suspicious activities. These alerts provide information about the threat's
nature, the traffic's source and destination, and the action taken by the IPS.
Network administrators can then investigate and respond to the alerts.
(7) Integration with Other Security Tools:-
IPS often works in conjunction with other security technologies to provide
layered security defenses.
(8) Continuous Updates:- To effectively
protect against new and evolving threats, IPS databases of attack signatures
and anomaly detection models need to be regularly updated. These updates ensure
that the IPS can recognize the latest threats.
TYPES OF IDPS:-
(1) NETWORK-BASED IDPS (INTRUSION DETECTION AND PREVENTION SYSTEMS)
(2) HOST-BASED IDPS
The two types differ in where they are deployed; the detection methods (3) and prevention actions (4) below apply to both:
(3) DETECTION METHODS
(4) PREVENTION ACTIONS
(1) NETWORK-BASED IDPS:- Network-based IDPS (NIPS) is a type of IDPS installed at specific points within a network to monitor all of that network's traffic and scan for threats. The NIPS often does this by analyzing activity and matching it against a database of known attacks, maintained by the vendor and tuned by the security team. If the activity matches a known threat in the database, it is not allowed to proceed through the network. A NIPS is often deployed at the boundaries of networks, such as on routers or edge devices, behind firewalls, and at network remote access points.
There
are 2 subcategories of NIPS:-
(a) Wireless intrusion prevention systems
(WIPS):- Monitor wireless networks for the presence of access points
and unrecognized devices by analyzing the network's radio
frequencies. WIPS are deployed in wireless networks and in places that are exposed
to unauthorized wireless access.
(b) Network behavior analysis (NBA):-
systems check network traffic for unusual patterns of activity. For
example, in a DISTRIBUTED DENIAL OF SERVICE attack (DDOS), thousands of
requests are sent to the network to overcome it. Any of these requests alone
might look valid, but together illustrate a problem. NBA systems often
reinforce a more standard NIPS in an organization’s internal networks.
(2) HOST-BASED IDPS:- Host-based IDPS (HIPS) (Host-based Intrusion Prevention System) are deployed on a single host—often a key server with critical data—or public servers that are gateways to an organization’s internal network. A HIPS specifically monitors traffic flow on its host system. HIPS are generally set to detect host operating system activity and internet protocol suite (TCP/IP) activity.
(3) DETECTION METHODS:- Once in place, an IDPS uses a variety of techniques to identify threats. These techniques broadly fall into 3 categories:-
(a) Signature-based threat detection matches monitored activity to a database filled with signatures (a unique pattern or identifier) of previously identified threats. While this method is good at detecting well-known threats, novel threats will go undetected, and a signature can be evaded by changing the pattern (encoding, fragmentation) unless the IDPS normalizes traffic before matching.
(b) Anomaly-based threat detection compares observed network activity against a baseline of normal activity learned over time. If the observed activity differs enough from the baseline, the threat triggers action. While this detection method captures novel threats, it also creates more false positives than signature-based threat detection.
(c) Protocol-based (or policy-based) threat detection is similar to signature-based threat detection, but it uses a set of profiles, defined by the organization, describing how each protocol is allowed to behave, and blocks any activity that violates those profiles. The profiles must be manually configured by a security expert.
(4) PREVENTION ACTIONS:- Once the IDPS detects a perceived
threat, it can take several courses of action—depending on how it’s set up and
the type of threat detected. Common preventative actions against attacks are
to:-
(a) Alert administrators:- In this most basic type of response, the IDPS alerts human security administrators, much like an intrusion detection system would. Alerts like this are created when an automatic action might not be appropriate, or when the system is unsure whether there is a false positive.
(b) Banish the source:- When the IDPS takes this action, it stops incidents before they have a chance to occur by blocking traffic or flagged users from a threatening IP address. A common example is blocking an IP address that has failed a password check too many times.
(c) Change the security environment:- Similar to banishing the source, this technique has the IDPS change the security setup of the network to prevent the threat from gaining access. An example of this response would be reconfiguring a firewall.
(d) Modify the attack content:- This technique involves automatically altering the content of the attack. For example, if a suspicious email is flagged, the IDPS would remove any part of the email that might carry content malicious to the network, such as email attachments.
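The detection methods and prevention actions above, as an added Python example (not code from the notes or from any IDPS product) run over constructed web-server log lines: signature matching on the decoded request path, a policy rule on HTTP methods, banishment of a source that fails login too often, and anomaly detection against a request-rate baseline learned from a separate window. The log format, addresses, signatures and thresholds are all made up for illustration.

```python
"""Mini IDPS over constructed log lines (added example, not from the notes).

Per-event inline checks (signature, policy, brute-force banishment) plus a
windowed anomaly scan against a learned per-source request-count baseline.
"""
import re
from collections import Counter
from statistics import mean, pstdev
from urllib.parse import unquote

# Signature database (constructed): name -> pattern over the decoded path.
SIGNATURES = {
    "path-traversal": re.compile(r"(\.\./){2,}"),
    "sql-injection": re.compile(r"union\s+select|or\s+1=1", re.I),
    "xss": re.compile(r"<script", re.I),
}
ALLOWED_METHODS = {"GET", "POST"}   # protocol/policy rule
FAILED_LOGIN_BAN = 5                # 401s on /login before banishment
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")   # "ip method path status"


def parse(line):
    """Parse one constructed log line; decode the path so encoded payloads match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, method, path, status = m.groups()
    return {"ip": ip, "method": method, "path": unquote(path), "status": int(status)}


class Idps:
    def __init__(self, z=3.0):
        self.z = z
        self.alerts = []         # (ip, reason): the "alert administrators" action
        self.blocked = set()     # banished sources
        self.failed = Counter()  # failed logins per source
        self.threshold = None    # learned request-count ceiling per window

    def learn_baseline(self, records):
        """Anomaly detection: learn normal per-source request counts."""
        counts = list(Counter(r["ip"] for r in records).values())
        self.threshold = mean(counts) + self.z * pstdev(counts)
        return self.threshold

    def inspect(self, rec):
        """Inline (IPS) checks on one event: returns 'accept' or 'drop'."""
        ip = rec["ip"]
        if ip in self.blocked:
            return "drop"
        for name, pat in SIGNATURES.items():        # signature-based
            if pat.search(rec["path"]):
                self.alerts.append((ip, "signature:" + name))
                return "drop"
        if rec["method"] not in ALLOWED_METHODS:    # protocol/policy-based
            self.alerts.append((ip, "policy:method-" + rec["method"]))
            return "drop"
        if rec["path"].startswith("/login") and rec["status"] == 401:
            self.failed[ip] += 1
            if self.failed[ip] >= FAILED_LOGIN_BAN:  # banish the source
                self.blocked.add(ip)
                self.alerts.append((ip, "banished:brute-force"))
                return "drop"
        return "accept"

    def anomaly_scan(self, records):
        """Windowed anomaly check against the learned baseline."""
        if self.threshold is None:
            raise RuntimeError("call learn_baseline() first")
        counts = Counter(r["ip"] for r in records)
        flagged = [ip for ip, c in counts.items() if c > self.threshold]
        self.alerts.extend((ip, "anomaly:request-rate") for ip in flagged)
        return flagged


def run(idps, lines):
    """Parse a window of lines, inspect each inline, then scan for anomalies."""
    records = [r for r in map(parse, lines) if r]
    verdicts = [idps.inspect(r) for r in records]
    return verdicts, idps.anomaly_scan(records)


# Constructed traffic. Baseline window: ten ordinary clients, 2-5 requests each.
BASELINE = [f"198.51.100.{i} GET /index.html 200"
            for i, n in enumerate([3, 4, 3, 5, 2, 4, 3, 4, 3, 4], start=1)
            for _ in range(n)]
# Live window: a normal client, two attack strings, a forbidden method,
# a brute-forcer and a request flood.
LIVE = (["198.51.100.10 GET /index.html 200",
         "198.51.100.11 GET /../../../etc/passwd 404",
         "198.51.100.12 GET /search?q=1%20or%201=1 200",
         "198.51.100.13 TRACE / 405"]
        + ["203.0.113.5 POST /login 401"] * 6
        + [f"192.0.2.99 GET /page{i} 200" for i in range(60)])

if __name__ == "__main__":
    idps = Idps()
    idps.learn_baseline([r for r in map(parse, BASELINE) if r])
    verdicts, flagged = run(idps, LIVE)
    print(Counter(verdicts), flagged)
    for alert in idps.alerts:
        print(alert)
```

Note the `unquote` in `parse`: without it the `or 1=1` signature misses `q=1%20or%201=1`, which is exactly the encoding evasion a signature engine has to normalize away. The anomaly threshold comes from a separate baseline window, so the scan does not learn the attacker's own flood as "normal".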
Benefits
of an IDPS:-
(i) Scan activity and respond to threats
without human intervention:- Although
complex threats often require human intervention, an IDPS enables methodical
and rapid response to simpler threats, and it can flag complex threats for
human intervention more rapidly. As a result, security teams can respond to
threats before they do damage, and they are able to handle increasing numbers
of threats.
(ii) Find threats that might slip through:- An IDPS—especially if it’s using anomaly-based
detection—can flag threats that human security experts might miss.
(iii) Enforce user and security policies
continuously:- The rule-based nature of an IDPS means that threat detection is
applied in a consistent way.
(iv) Meet compliance requirements:- The use of an IDPS means that fewer humans have to interact with private data, which is a regulatory requirement in many industries.
Challenges
of Implementing An Intrusion Detection System OR An Intrusion Prevention
System:-
i. High volume of alerts:- Intrusion detection and prevention systems tend to generate a substantial number of alerts, many of which may be false positives. Monitoring and correctly responding to these alerts can be resource-intensive.
ii. Resource intensity:- Using and sustaining intrusion detection and prevention systems involves considerable resources: not only hardware and software, but also skilled security staff who are familiar with the organization's internal networks.
iii. Encrypted traffic:- An IDPS cannot inspect the payload of TLS-encrypted sessions, so attacks inside them go unseen unless traffic is decrypted at an interception point, which brings its own cost, privacy and key-management concerns.
iv. Integration with existing systems:- Integration with other systems and infrastructure can be difficult.
THE
END UNIT 4 (NETWORK ACCESS CONTROL AND FIREWALLS )
