
2009

Douglas
Tochukwu
Chukwu
BITE STUDENT NO:
35953

[FIREWALLS & INTRUSION DETECTION SYSTEM]
[INTERNET SECURITY (COURSE WORK)] December 11, 2009

INTRODUCTION:.....................................................................................................3
2.0. FIREWALLS......................................................................................................4
Definition/Function:................................................................................................4
2.2. First Generation – Packet Filters:.................................................................5
2.3. Second Generation – Application Layer:.........................................................5
Third Generation – “stateful” filters:......................................................................5
Subsequent Development:.....................................................................................6
Types:.................................................................................................................... 6
INTRUSION DETECTION SYSTEM (IDS):.................................................................7
3.1. Definition........................................................................................................ 7
3.2. The Key Compelling Reasons To Acquire and Use IDSs.........................................7
3.3.0. Major types of IDSs......................................................................................8
3.3.1. Process model for intrusion detection systems:...........................................8
3.3.1.1 Information Sources: .................................................................................8
3.3.1.2 Analysis:.................................................................................................... 8
3.3.1.3 Response:..................................................................................................8
3.4.0. Type of Intrusion Detection System:............................................................9
3.4.1. Host-Based IDS (HIDS):................................................................................9
3.4.2. Network-Based IDS (NIDS)...........................................................................9
3.4.3. Application-Based IDS (APIDS)...................................................................10
3.4.4. Protocol-Based IDS (PIDS)..........................................................................11
CONCLUSION: .................................................................................................... 11
5.0. REFERENCES:...............................................................................................11

© 07/11/2009 The key security of internet prevention from intruders



INTRODUCTION:
The idea of a wall to keep out intruders dates back thousands of years. For just a brief example, over ten decades ago the Chinese built the Great Wall as protection from neighbouring northern tribes. The term “Firewall” was in use by Lightoler as early as [1764] to describe walls which separated the part of a building that is prone to fire (e.g. a kitchen).
In this project I will rest my ideas on the concept of a firewall in a more modern setting: computer networks. The predecessors to firewalls for network security were the routers used in the late 1980s to separate networks from one another. A network which wasn’t configured properly caused problems on its own side of the router but was largely isolated from the network on the other side; firewalls improved on this.
The Intrusion Detection System (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating and/or disabling a computer system, mainly through a network such as the internet. It is used to detect several types of malicious behaviour that can compromise the security and trust of a computer system. To throw more light on my explanation of ‘an IDS’: an IDS can be composed of several sensors which generate security events, and a console to monitor events and intruders.


2.0. FIREWALLS
• Definitions/function
• First Generation - Packet Filters
• Second Generation - Application Layer
• Third Generation – “Stateful” Filters
• Subsequent Development
• Types.

Definition/Function:
Firewalls are network devices that enforce an organisation’s security policy, often through a protective component called a proxy. Proxies are programs that receive traffic destined for another computer system; they may also require user authentication, and they then verify that the user is allowed to connect to the destination before connecting to the destination server on the user’s behalf.
Firewalls can be grouped into several techniques, which can be explained in terms of the layer at which each works: packet filters, application gateways, circuit-level gateways and proxy servers.
A firewall is a dedicated appliance, or software running on a computer system, that inspects the network traffic passing through it and denies or permits passage based on a rule set. It is normally placed between a protected and an unprotected network. (ACM Journal Name, Vol. V, No. N, Month 20YY)


2.2. First Generation – Packet Filters:

The first filter system, known as the packet filter firewall, was developed in 1988 by Digital Equipment Corporation (DEC).
A packet filter is responsible for inspecting packets, the units in which data is transferred between computers on the internet. Most importantly, Bill Cheswick and Steve Bellovin stated: “packet filters pay no attention to whether a packet is part of an existing stream of traffic (it stores no information on connection ‘state’)”. Instead, it filters each packet based only on information contained in the packet itself. (Bill Cheswick, System development, pp. 111, 1990)

2.3. Second Generation – Application Layer:

An application layer firewall is a computer networking firewall that is also known as a proxy-based firewall. It is usually implemented on a single computer or as a stand-alone piece of hardware, and it works at the application layer of the TCP/IP stack. (Bill Cheswick, System development, pp. 112, 1990)

Third Generation – “stateful” filters:

A stateful filter firewall is any firewall that performs stateful packet inspection (SPI), keeping track of the network connections (such as TCP streams and UDP communication) travelling across it. From 1989 to 1990 Dave Presotto, Janardan Sharma and Kshitij Nigam developed the third generation of firewalls, which is widely known as the circuit-level firewall. I think the trigger-specific rule of the third generation is to help prevent attacks which take advantage of an existing connection. (Bill Cheswick, System development, pp. 114, 1990)
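The difference between the first and third generations described above is easiest to see side by side. The following script is an added example, not code from the coursework or from any real firewall: it runs the same three constructed packets through a stateless filter (each packet judged on its own header) and a stateful one (a connection table remembers flows the inside opened). The packet fields, the rule format, the 10.0.0.0/24 “internal” prefix and the addresses are all assumptions made for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Only the header fields a packet filter looks at (constructed, simplified)."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    """A single filter rule; None means 'match any value'."""
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


INTERNAL_PREFIX = "10.0.0."   # assumed: addresses on the protected side


def stateless_filter(rules: list, p: Packet) -> str:
    """First-generation behaviour: each packet judged on its own header only,
    first matching rule wins, default deny when nothing matches."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFilter:
    """Third-generation behaviour: the same rule list plus a table of the
    connections the protected side has already opened."""

    def __init__(self, rules: list):
        self.rules = rules
        self.conns = set()   # (src, sport, dst, dport, proto) of allowed outbound flows

    def decide(self, p: Packet) -> str:
        # A reply to a flow already in the table is allowed without a rule lookup.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.conns:
            return "allow"
        action = stateless_filter(self.rules, p)
        # Remember outbound flows the rules allowed so their replies can return.
        if action == "allow" and p.src.startswith(INTERNAL_PREFIX):
            self.conns.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return action


def demo() -> dict:
    """Run the same three constructed packets through both filters."""
    packets = [
        ("outbound", Packet("10.0.0.5", "198.51.100.7", 40000, 80)),  # inside host opens a web connection
        ("reply", Packet("198.51.100.7", "10.0.0.5", 80, 40000)),     # the web server's answer
        ("unsolicited", Packet("203.0.113.9", "10.0.0.5", 80, 22)),   # nobody inside asked for this
    ]
    # Stateless: with no connection state, the only way to let web replies back
    # in is a rule admitting every packet whose source port is 80.
    stateless_rules = [Rule("allow", proto="tcp", dport=80),
                       Rule("allow", proto="tcp", sport=80)]
    stateless = {name: stateless_filter(stateless_rules, p) for name, p in packets}
    # Stateful: only the outbound rule is needed; replies ride on the table.
    sf = StatefulFilter([Rule("allow", proto="tcp", dport=80)])
    stateful = {name: sf.decide(p) for name, p in packets}
    return {"stateless": stateless, "stateful": stateful}


if __name__ == "__main__":
    for mode, verdicts in demo().items():
        print(mode, verdicts)
```

The stateless filter admits the unsolicited packet because its header alone satisfies the “source port 80” rule; the stateful filter denies it because no inside host opened that flow, which is exactly the connection-state information the Cheswick and Bellovin quotation says a packet filter lacks.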

Subsequent Development:
This technique was developed by Bob Braden and Annette DeSchon at the University of Southern California in 1992. The product is known as “Visas”, the first system to have a visual integration interface with colours and icons. It also improved on the other techniques, and the deep packet inspection functionality of modern firewalls that grew from it can be shared with an Intrusion Prevention System (IPS). (Bill Cheswick, System development, pp. 117, 1990)

Types:
There are several classifications of firewall depending on where the communication is taking place. Below are the four important types of firewall/packet filter:
• Network layer and packet filters
• Application-layer
• Proxies
• Network address translation


INTRUSION DETECTION SYSTEM (IDS):

3.1. Definition
“Intrusion detection systems (IDSs) are software or hardware systems that automate the process of monitoring the events occurring in a computer system or network, analyzing them for signs of security problems (intrusions)”. Intrusions can also be viewed as attempts to compromise the confidentiality, integrity or availability of a computer or network, or to bypass its security mechanisms. ()

3.2. The Key Compelling Reasons To Acquire and Use IDSs
• To prevent problem behaviours by increasing the perceived risk of discovery and punishment for those who would attack or otherwise abuse the system.
• To detect attacks and other security violations not prevented by other security measures.
• To detect and deal with the preamble to attacks (commonly experienced as network probes and other “doorknob rattling” activities).
• To document the existing threat to an organization.
• To act as quality control for security design and administration, especially of large and complex enterprises.
• To provide useful information about intrusions that do take place, allowing improved diagnosis, recovery, and correction of causative factors.


3.3.0. Major types of IDSs

There are several types of intrusion detection system available today, and they are characterized by different monitoring and analysis approaches. These approaches can be described in terms of a generic process model for intrusion detection systems.

3.3.1. Process model for intrusion detection systems:
An intrusion detection system is divided into three fundamental functional components, which are:

3.3.1.1 Information Sources:

There are different sources of event information used to determine whether an intrusion has taken place. These sources can be drawn from different levels of the system, with network, host and application monitoring the most common.

3.3.1.2 Analysis:
The part of the intrusion detection system that actually organizes and makes sense of the events derived from the information sources, deciding when those events indicate that intrusions are occurring or have already taken place. The most common analysis approaches are misuse detection and anomaly detection.

3.3.1.3 Response:
The response is the set of actions taken once the system detects an intrusion. These actions are typically grouped into active and passive measures, with active measures involving some automated intervention on the part of the system and passive measures involving reporting what the intrusion detection system found.
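The three components of the process model (information source, analysis, response) and the two analysis approaches named in 3.3.1.2 can be shown in one small script. This is an added example written for this page, not code from the coursework or from any IDS product. The log lines are constructed syslog-style records embedded in the script, the two signatures and the failed-login baseline are invented for the demonstration, and “active” response is modelled as adding the source address to a block list while “passive” response only produces a report entry.

```python
import re
from collections import Counter

# Information source: constructed host log lines (not from any real system).
LOG_LINES = [
    "Dec 11 09:00:01 host sshd[1201]: Accepted password for alice from 10.0.0.5 port 51000 ssh2",
] + [
    f"Dec 11 09:00:{7 + i:02d} host sshd[{1202 + i}]: Failed password for root "
    f"from 203.0.113.9 port {4000 + i} ssh2"
    for i in range(6)
] + [
    "Dec 11 09:00:30 host sshd[1209]: Failed password for bob from 10.0.0.8 port 51010 ssh2",
    "Dec 11 09:01:00 host httpd[77]: GET /index.html 200 from 198.51.100.7",
    "Dec 11 09:01:02 host httpd[77]: GET /cgi-bin/../../etc/passwd 404 from 198.51.100.7",
]

# Misuse detection: signatures of known-bad activity, each with a response class.
# (Invented patterns; group 1 of each regex captures the source address.)
SIGNATURES = [
    ("ssh-root-password-attempt", re.compile(r"Failed password for root from (\S+)"), "passive"),
    ("http-path-traversal", re.compile(r"GET \S*\.\./\S* \d{3} from (\S+)"), "active"),
]

# Anomaly detection: how many failed logins per source count as normal
# within the window (a constructed baseline, not a measured one).
FAILED_LOGIN = re.compile(r"Failed password for \S+ from (\S+)")
FAILED_LOGIN_BASELINE = 5


def analyse(lines):
    """Analysis component: turn raw events into alerts by both approaches."""
    alerts = []
    failures = Counter()
    for line in lines:
        # Misuse detection: one alert per signature match.
        for name, pattern, response in SIGNATURES:
            m = pattern.search(line)
            if m:
                alerts.append({"kind": "misuse", "name": name,
                               "source": m.group(1), "response": response})
        # Anomaly detection: count failed logins per source.
        m = FAILED_LOGIN.search(line)
        if m:
            failures[m.group(1)] += 1
    for source, count in failures.items():
        if count > FAILED_LOGIN_BASELINE:
            alerts.append({"kind": "anomaly", "name": "failed-logins-above-baseline",
                           "source": source, "response": "active"})
    return alerts


def respond(alerts):
    """Response component: active alerts go to a block list (automated
    intervention), passive ones are only reported for a human to act on."""
    blocked = set()
    report = []
    for a in alerts:
        if a["response"] == "active":
            blocked.add(a["source"])
        report.append(f"{a['kind']}/{a['name']} from {a['source']}: {a['response']}")
    return blocked, report


if __name__ == "__main__":
    blocked, report = respond(analyse(LOG_LINES))
    print("\n".join(report))
    print("blocked:", sorted(blocked))
```

Note that the six failed root logins from one source raise both kinds of alert: each line matches a signature (misuse detection, known pattern), and the count over the window exceeds the baseline (anomaly detection, deviation from normal), while bob’s single failure raises nothing. A system that acted on the block list by terminating the connection would be the intrusion prevention system the conclusion mentions.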

3.4.0. Types of Intrusion Detection System:

Traditionally, there are just three general types of IDS; four are listed here.
I. Host-Based intrusion detection system (HIDS).
II. Network-Based intrusion detection system (NIDS).
III. Application-Based intrusion detection system (APIDS).
IV. Protocol-Based intrusion detection system (PIDS).

3.4.1. Host-Based IDS (HIDS):

HIDSs operate on information collected from within an individual computer system. HIDSs can “see” the outcome of an attempted attack, as they can directly access and monitor the data files and the system itself. They normally utilize information sources of two types: operating system audit trails and system logs. An example is OSSEC.
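Because a HIDS can read the host’s own files directly, one thing it can do that a network sensor cannot is detect that a file changed after the fact. The following file-integrity check is an added example written for this page; it is not OSSEC’s code and not part of the coursework. It records a SHA-256 digest of every file under a directory as a baseline, then reports files that were modified, added or removed. The directory tree and the edits made to it are constructed inside a temporary directory so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(baseline: dict, current: dict) -> dict:
    """Report what differs between the baseline and a later snapshot."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Build a constructed tree, take a baseline, change it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)

        # Constructed changes standing in for whatever happened on the host:
        # one file edited, one deleted, one that was not there before.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\n"
            "newuser:x:1001:1001::/home/newuser:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "newfile.conf").write_text("option = 1\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for change, files in demo().items():
        print(f"{change}: {files}")
```

In practice the baseline would be stored somewhere the monitored host cannot rewrite it, and the check would be scheduled or triggered from an audit trail; otherwise whoever can change the files can also change the record of what they should look like.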

3.4.2. Network-Based IDS (NIDS).

The majority of commercial intrusion detection systems are network based. These are systems that operate on network data flows: they detect attacks by capturing and analyzing network packets, listening on a network segment or switch, and monitoring the network traffic affecting multiple hosts. They consist of a set of single-purpose sensors or hosts placed at various points in a network. An example is Snort.


3.4.3. Application-Based IDS (APIDS).

APIDSs are a subset of host-based IDSs that analyze the events transpiring in a software application. They mostly use application transaction log files, and consist of a system or agent that would typically sit within a group of servers, monitoring and analyzing the communication on application-specific protocols. An example of where one is used is a web server with a database. (Denning, Dorothy E., "An Intrusion Detection Model," Proceedings of the Seventh IEEE Symposium on Security and Privacy, May 1986, pages 119-131)


3.4.4. Protocol-Based IDS (PIDS).

It also consists of a system or agent, like the application-based IDS; it sits at the front end of a server, monitoring and analyzing the communication protocol between the server and a connected device. It is used, for example, to monitor the HTTPS protocol stream for a web server. (Barbara, Daniel, Couto, Julia, Jajodia, Sushil, Popyack, Leonard, and Wu, Ningning, "ADAM: Detecting Intrusions by Data Mining," Proceedings of the IEEE Workshop on Information Assurance.)

CONCLUSION:
Though they both relate to network security, an intrusion
detection system (IDS) differs from a firewall in that a firewall
looks outwardly for intrusions in order to stop them from
happening. Firewalls limit access between networks to prevent
intrusion and do not signal an attack from inside the network.
An IDS evaluates a suspected intrusion once it has taken place
and signals an alarm. An IDS also watches for attacks that
originate from within a system. This is traditionally achieved by
examining network communications, identifying heuristics and
patterns (often known as signatures) of common computer
attacks, and taking action to alert operators. A system that
terminates connections is called an intrusion prevention
system.

5.0. REFERENCES:
2.0. ACM Journal Name, Vol. V, No. N, Month 20YY.
2.1. Bill Cheswick, System development, pp. 104, 1990.
3.0. Denning, Dorothy E., "An Intrusion Detection Model," Proceedings of the Seventh IEEE Symposium on Security and Privacy, May 1986, pages 119-131.
3.1. Lunt, Teresa F., "IDES: An Intelligent System for Detecting Intruders," Proceedings of the Symposium on Computer Security; Threats, and Countermeasures; Rome, Italy, November 22-23, 1990, pages 110-121.
3.2. Barbara, Daniel, Couto, Julia, Jajodia, Sushil, Popyack, Leonard, and Wu, Ningning, "ADAM: Detecting Intrusions by Data Mining," Proceedings of the IEEE Workshop on Information Assurance.
