Operating Systems and

Computer Security
Network and Transport Security Protocols
Internet Protocol Security
Internet Protocol Security (IPSec) is a framework to
open standards for ensuring secure private
communications over private IP networks.
Based on standards developed by Internet Engineering
Task Force (IETF), IPSec ensures confidentiality,
integrity, and authenticity of data communication
across a public IP network.
IPSec is a necessary component of a standard-based,
flexible solution for deploying a network-wide security
policy
 SMTP HTTP NNTP
Network Security

TCP

IP/IPSec

SMTP HTTP NNTP

TCP

SSL
Transport Security
IP
IP Security Architecture
IPSec is a combination of several security technologies
to protect the confidentiality, integrity, and
authenticity of IP packets.
There are no any extra cost for implementation and
management when using IPSec instead of ordinary IP
packets. They also can easily routed through any IP
network.
IPSec Services
IP layer based security is provided as secure protocols,
determining algorithms, services, and cryptographic
keys.
Access control
Connectionless integrity (detection of IP packet itself)
Authentication of Data origin
Rejection of replayed packets (partial sequence
integrity)
Confidentiality (encryption)
Limited traffic-flow confidentiality
 Authentication Header
Next Header Payload Length Reserved

Security Parameters Index (SPI)

Sequence Number

Authentication Data (variable length)

Integrity Check Value Calculation, a truncated version of a message authentication

code (MAC), is calculated by a MAC algorithm. IPSec requires that all
implementations support at least HMAC-MD5 and HMAC-SHA1 hashes to guarantee
minimal interoperability, an IPSec implementation must support at least these
schemes
Transport and Tunnel Modes
Authentication Header services can be employed in
two ways: Transport mode or Tunnel mode
In transport mode, the AH applies only to host
implementations and provides protection for upper-
layer protocols in addition to selected IP header fields.

Original IP Header TCP Data

Original IP Header AH TCP Data

In tunnel mode, the AH can be employed in either
host or security gateways. When AH is implemented in
a security gateway (to protect transit traffic), tunnel
mode must be used.

New IP Header Original IP Header AH TCP Data

Network Security
Firewall
Firewalls
A firewall provides a secondary protection when
antivirus fails,
A firewall refers to a network device which blocks certain
kinds of network traffic, forming a barrier between a
trusted and an untrusted network. It is analogous to a
physical firewall in the sense that firewall security
attempts to block the spread of computer attacks.
A firewall is software or hardware that checks information that comes from the
Internet or from a network. Then, the firewall either blocks the information or
lets the information pass through to your computer. Whether information is
blocked or passed through depends on your firewall settings. A firewall can help
prevent malicious software (such as worms) from gaining access to your
computer through a network or the Internet. A firewall can also help stop your
computer from sending malicious software to other computers.
Role of Firewall
A firewall management program can be configured one of two basic ways:
A default-deny policy. The firewall administrator lists the allowed network
services, and everything else is denied.
A default-allow policy. The firewall administrator lists network services which
are not allowed, and everything else is accepted.

A default-deny approach to firewall security is by far the more secure, but due to the
difficulty in configuring and managing a network in that fashion, many networks
instead use the default-allow approach.

Assume for the moment that your firewall management program utilizes a default-
deny policy, and you only have certain services enabled that you want people to be
able to use from the Internet. For example, you have a web server which you want
the general public to be able to access. What happens next depends on what kind of
firewall security you have.
Packet filtering firewall
This type of firewall has a list of firewall security rules
which can block traffic based on IP protocol, IP
address and/or port number.

Under this firewall management program, all web traffic will

be allowed, including web-based attacks. In this situation,
you need to have intrusion prevention, in addition to firewall
security, in order to differentiate between good web traffic
(simple web requests from people browsing your website)
and bad web traffic (people attacking your website).
Packet filtering firewall
A packet filtering firewall has no way to tell the
difference of some special events. An additional
problem with packet filtering firewalls which are not
tasteful is that the firewall can't tell the difference
between a legitimate return packet and a packet which
pretends to be from an established connection, which
means your firewall management system
configuration will have to allow both kinds of packets
into the network.
Stateful firewall
This is similar to a packet filtering firewall, but it is more
intelligent about keeping track of active connections,
so you can define firewall management rules such as
"only allow packets into the network that are part of an
already established outbound connection." You have
solved the established connection issue described
above, but you still can't tell the difference between
"good" and "bad" web traffic. You need intrusion
prevention to detect and block web attacks.
Packet inspection firewall
An application firewall actually examines the data in the packet,
and can therefore look at application layer attacks. This kind of
firewall security is similar to intrusion prevention technology, and,
therefore, may be able to provide some of the same functionality.

There are three caveats(warnings), however: first, for some vendors, the
definition of "deep" extends to some particular depth in the packet and
does not necessarily examine the entire packet. This can result in missing
some kinds of attacks.
Second, depending on the hardware, a firewall may not have adequate
processing power to handle the deep packet inspection for your network.
Be sure to ask questions about how much bandwidth it can handle while
performing such inspection. And finally, embedded firewall management
technology may not have the flexibility to handle all attacks.
Application-aware firewall
Similar to deep packet inspection, except that the firewall
understands certain protocols and can parse them, so that
signatures or rules can specifically address certain fields in
the protocol.

The flexibility of this approach to computer firewall protection is great and

permits the signatures or rules to be both specific and comprehensive.
There are no specific drawbacks to this approach to firewall security as
generally it will yield improvements over a standard "deep packet
inspection" approach. However, some actual attacks may be overlooked
(false negatives) because the firewall security parsing routines are not
robust enough to handle variations in real-world traffic.
Proxy firewall
An application proxy acts as an intermediary for certain application traffic
(such as HTTP, or web, traffic), intercepting all requests and validating
them before passing them along. Again, an application proxy firewall is
similar to certain kinds of intrusion prevention. The implementation of a
full application proxy is, however, quite difficult, and each proxy can only
handle one protocol (e.g. web or incoming email).
For an application proxy firewall to be effective as computer firewall
protection, it has to be able to understand the protocol completely and to
enforce blocking on violations of the protocol. Because implementations
of the protocol being examined often do not follow a protocol correctly, or
because implementers add their own extensions to a protocol, this can
result in the proxy blocking valid traffic ( false positives). Because of these
kinds of problems, end users will often not enable these technologies.

http://www.secureworks.com/research/articles/other_articles/firewall-security/