This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
A computer network, is referred to as a network, it is aÂ harvestÂ of computers andÂ instrumentsÂ interconnected viaÂ communication channels that enables communications among users andÂ permitsÂ users toÂ allocated resources. Networks may be classified according to a wideÂ rangeÂ of characteristics. A computer network permitsÂ sharing of resources andÂ knowledgeÂ among interconnected devices.
Fig1:Block diagram of computer network
Computer networks can be classified according to the hardware and software engineering that is accustomed to interconnect the individual devices in the network, such as optical fiber, Ethernet, wireless LAN.
Functional relationship (network architecture)
Computer networks may be classified according to the functional relationships which exist among the elements of the network, e.g., active networking, client-server and peer-to-peer architecture.
Computer networks may be classified according to the network topology upon which the network isÂ grounded,Â such as bus network, star network, ring network,Â meshÂ network. Network topology is the coordinationÂ byÂ whichÂ toolsÂ in the network areÂ organizedÂ in theirÂ rationalÂ family membersÂ to one another, independent of physical arrangement. EvenÂ if networked computers are physically placed in a linear arrangement and areÂ joinedÂ combinedÂ to a hub, the network has a star topology,Â alternativelyÂ a bus topology. In this regard the visual and operationalÂ aspectsÂ of a network are distinct. Networks may be classifiedÂ groundedÂ on theÂ processÂ ofÂ knowledgeÂ adaptedÂ toÂ carryÂ the data; these include digital and analog networks.
Fig2. Mesh topology
Fig3. Star Topology
Fig4. Ring topology
What is a firewall?
A firewall is a component of a computer system or network that is arranged to avoid unauthorized access where letting agent communications. It is a implement or set of tools that is configured to sanction or turn down network transmissions grounded upon a set of administers and other criteria.
Firewalls can be implemented in either hardware or software, or a combination of two. Firewalls are commonly adapted to prevent unauthorized Internet users from accessing private networks joined combined to the Internet, especially intranets. All messages entering or withdrawing the intranet surpass through the firewall, which inspects each outcome and prevents those that do not find the specified protection criteria.
There are several types of firewall techniques:
Packet filter: Packet filtering checks each packet that is passing through the network and accepts or refuses it based on particular IP addresses that is user defined. Although difficult to configure, it is effective and mostly transparent to its users. It is vulnerable toÂ Internet Protocol spoofing.
Fig6. Packet filters
This type of packet filtering pays no heed to if a packet is part of an older stream of traffic (i.e. it stores no information on connection "state"). Instead, it filters each packet based only on information containedÂ in the packet itselfÂ .
TCP and UDP protocols consists most communication over the net, and because TCP and UDP traffic by convention usesÂ well known portsÂ for some types of traffic, a "stateless" packet filter can differentiate between, and hence control, those types of traffic (such as web browsing, remote printing, email transmission, file transfer), untill the machines on each side of the packet filter are both using the same non-standard ports.
Packet filtering firewalls work mainly on the initial three layers of the OSI reference model, which means most of the work is done in between the network and physical layers, with a little bit of peeking into the transport layer to find out source and destination port numbers. When a packet originates from the sender and filters through a firewall, the device finds matches to any of the packet filtering rules that are configured in the firewall and removes or rejects the packet accordingly. When the packet goes through the firewall, it checks the packet on a protocol/port number basis (GSS).
Application gateway: Applies security mechanisms to some applications, such asÂ FTPÂ server. This is effective, but can degrade the performance
Fig7.OSI reference model
The benefit ofÂ application layer filteringÂ is that it can "understand" applications and protocols and it can also detect if an unwanted protocol is sneaking through on aÂ non-standard portÂ or if a protocol is being used in any harmful way.
An application firewall more secure and reliable as compared to packet filter firewalls as it works on all 7 layers of theÂ OSI reference model, from the application to the physical layer. This is similar to a packet filter firewall but here it also filters information on the basis of content.
In 2009/2010 the focus of the best comprehensive firewall security vendors turned to expanding the list of applications such firewalls are aware of now covering hundreds and in some cases thousands of applications which can be identified automatically. Many of these applications can not only be blocked or allowed but copied by the more advanced firewall products to allow only certain functionally enabling network security administrations to give users functionality without enabling unnecessary vulnerabilities. As a consequence these advanced versions of the "Second Generation" firewalls are being referred to as "Next Generation" and bypass the "Third Generation" firewall. It is expected that due to malicious communications this trend will have to continue to enable organizations to be truly secure.
Third generation: "stateful" filters
Fig8. Stateful filter
Third-generation firewalls, in addition to what first- and second-generation look for, regard placement of each packet within the packet series. This technology is generally referred to as a stateful packet inspectionÂ as it maintains records of all connections going through the firewall and is able to determine whether a packet is the start of a new connection, a part of an existing connection, or is anÂ invalid packet. Though there is still a set of defined rules in such a firewall, the state of a connection can itself be one of the criteria which trigger specific rules.
This type of firewall can actually be exploited by certainÂ Denial-of-service attacksÂ which can fill the connections with illegitimate connections.
Circuit-level gateway: Applies security mechanisms when aÂ TCPÂ orÂ UDPÂ connection is established. Once the connection has been done, packets can go between the hosts without checking further.
Fig8. Stateful filter
Third-generation firewalls, in addition to what first- and second-generation look for, regard placement of each packet within the packet series. This technology is referred to as a stateful packet inspectionÂ as it maintains records of all connections going through the firewall and is able to determine whether a packet is the start of a new connection, a part of an existing connection, or is anÂ invalid packet. Though there is still a set of static rules in such a firewall, the state of a connection can itself be one of the criteria which trigger specific rules.
This type of firewall can actually be abused by someÂ Denial-of-service attacksÂ which can fill the connection tables with false connections.
Checks all messages entering and leaving the network. The proxy server hides the right network addresses.
InÂ computer networks, aÂ proxy serverÂ is aÂ server that acts as an intermediary for requests fromÂ clientsÂ seeking resources from other servers. A client connects to the proxy server, asking for some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server processes the request according to its filtering rules. For example, it may filter traffic byÂ IP address. If the request is passed by the filter, the proxy provides the resource by connecting to the relevant server and requesting the service on behalf of the client. A proxy server may alter the client's request or the server's response, and sometimes it may pass the request without contacting the specified server. In this case, it 'caches' responses from the remote server, and sends back subsequent requests for the same content directly.
Types of proxy
A forward proxy taking requests from an internal network and forwarding them to the Internet.
Forward proxies are proxies where the client server names the target server to connect to. Forward proxies are able to get from a wide range of sources.
The terms "forward proxy" and "forwarding proxy" are a general description of behavior (forwarding traffic) and hence ambiguous. Except for Reverse proxy, the types of proxies described on this article are more specialized sub-types of the general forward proxy concepts.
An open proxy forwarding requests from and to anywhere on the Internet.
An open proxy is a forward proxy server that is accessible by any Internet user.Â Gordon Lyon estimates there are "hundreds of thousands" of open proxies on the Internet.Â AnÂ anonymous open proxyÂ allows users to conceal theirÂ IP address while browsing the Web or using other Internet services.
A reverse proxy taking requests from the Internet and forwarding them to servers in an internal network. Those making requests connect to the proxy and may not be aware of the internal network.
AÂ reverse proxyÂ is a proxy server that appears to clients to be an ordinary server. Requests are forwarded to one or more origin servers which handle the request. The response is returned as if it came directly from the proxy server.
Reverse proxies are installed in the neighborhood of one or more web servers. All traffic coming from the Internet and with a destination of one of the web servers goes through the proxy server. The use of "reverse" originates in its counterpart "forward proxy" since the reverse proxy sits closer to the web server and serves only a restricted set of websites.
There are several reasons for installing reverse proxy servers:
Encryption / SSL acceleration: when secure web sites are created, the SSL encryption is often not done by the web server itself, but by a reverse proxy that is equipped with SSL acceleration hardware. SeeÂ Secure Sockets Layer. Furthermore, a host can provide a single "SSL proxy" to provide SSL encryption for an arbitrary number of hosts; removing the need for a separate SSL Server Certificate for each host, with the downside that all hosts behind the SSL proxy have to share a common DNS name or IP address for SSL connections. This problem can partly be overcome by using theÂ SubjectAltNameÂ feature ofÂ X.509Â certificates.
Load balancing: the reverse proxy can distribute the load to several web servers, each web server serving its own application area. In such a case, the reverse proxy may need to rewrite the URLs in each web page (translation from externally known URLs to the internal locations).
Serve/cache static content: A reverse proxy can offload the web servers by caching static content like pictures and other static graphical content.
Compression: the proxy server can optimize and compress the content to speed up the load time.
Spoon feeding: reduces resource usage caused by slow clients on the web servers by caching the content the web server sent and slowly "spoon feeding" it to the client. This especially benefits dynamically generated pages.
Security: the proxy server is an additional layer of defense and can protect against some OS and Web Server specific attacks. However, it does not provide any protection to attacks against the web application or service itself, which is generally considered the larger threat.
Extranet Publishing: a reverse proxy server facing the Internet can be used to communicate to a firewalled server internal to an organization, providing extranet access to some functions while keeping the servers behind the firewalls. If used in this way, security measures should be considered to protect the rest of your infrastructure in case this server is compromised, as its web application is exposed to attack from the Internet.
AÂ virtual private networkÂ (VPN) is aÂ computer networkÂ that uses a public telecommunication infrastructure such as theÂ InternetÂ to provide remote offices or individual users with secure access to their organization's network. It aims to avoid an expensive system of owned or leased lines that can be used by only one organization.
ItÂ encapsulatesÂ data transfersÂ between two or moreÂ networked devicesÂ which are not on the sameÂ private networkÂ so as to keep the transferred data private from other devices on one or more interveningÂ localÂ orÂ wide area networks. There are many different classifications, implementations, and uses for VPNs.
This simply means that people who shouldn't use your computer services are able to connect and use them. For example, people outside your company might try to connect to your company accounting machine or to your network file server. There are various ways to avoid this attack by carefully specifying who can gain access through these services. You can prevent network access to all except the intended users.
Exploitation of known weaknesses:
Some programs and network services were not originally designed with strong security in mind and are inherently vulnerable to attack. The BSD remote services (rlogin, rexec, etc.) are an example. The best way to protect yourself against this type of attack is to disable any vulnerable services or find alternatives. With Open Source, it is sometimes possible to repair the weaknesses in the software.
Denial of service: Denial of service attacks cause the service or program to cease functioning or prevent others from making use of the service or program. These may be performed at the network layer by sending carefully crafted and malicious datagram's that cause network connections to fail. They may also be performed at the application layer, where carefully crafted application commands are given to a program that cause it to become extremely busy or stop functioning. Preventing suspicious network traffic from reaching your hosts and preventing suspicious program commands and requests are the best ways of minimizing the risk of a denial of service attack. It's useful to know the details of the attack method, so you should educate yourself about each new attack as it gets publicized.
Spoofing: This type of attack causes a host or application to mimic the actions of another. Typically the attacker pretends to be an innocent host by following IP addresses in network packets. For example, a well-documented exploit of the BSD rlogin service can use this method to mimic a TCP connection from another host by guessing TCP sequence numbers. To protect against this type of attack, verify the authenticity of datagram's and commands. Prevent datagram routing with invalid source addresses. Introduce unpredictability into connection control mechanisms, such as TCP sequence numbers and the allocation of dynamic port addresses.
Eavesdropping: This is the simplest type of attack. A host is configured to "listen" to and capture data not belonging to it. Carefully written eavesdropping programs can take usernames and passwords from user login network connections. Broadcast networks like Ethernet are especially vulnerable to this type of attack
Here are a few examples of firewalls :-
These firewalls can be affected by the above vulnerabilities.
One way how a firewall/web filter can be bypassed is by using VPN.
As studied above we can VPN to some external network and use that network.
So we can bypass the firewall by doing VPN to a remote network and using its default gateway.
Below are the precise steps how to setup a VPN server, Client, AD and LB configurations.
Complete VPN Configuration
Below is the complete procedure on how to setup VPN server and client side
Note:- Windows XP and Windows 7 both have the capability to act as VPN servers
VPN Server Configuration
Open Network connections and follow the belowÂ :-
Click next on the welcome page
Select the options highlighted in the below snagsÂ :-
Once you have followed the steps above you are done with the server side configuration.
VPN Client Configuration
Below snags show the client side configuration
Once the above steps are followed the client side is also setup
The work is still not over
Port needs to be forwarded from the modem/LB etc
Follow the instructions below to get it rollingÂ :-
Dial in Rights on AD
The final step is to give the user permissions to VPN
First RDP to the AD
Open Active Directory
Find the user and go in properties
Follow the snag it once the above is doneÂ :-
The best firewall:-
According to the first hand experience we found Untangle to be the best firewall as it is free and has a host of functions too.
Below is a screenshot of the untangle dashboard:-
Fig14. Untangle dashboard
Our aim was to explain what a firewall is and expose a few vulnerabilities in it. We have studied how a firewall works, it's architecture, types of firewalls and vulnerabilities. We have thus compared the firewalls on various parameters and have concluded that Untangle is the best firewall with reference to the features and cost of it.