Evolution of Network Security

The birth of the Internet, forged in a collaborative military and academic environment, carried an implicit trust among its users. However, the foundational Internet Protocol (IP) and standard applications like DNS, FTP, SMTP, and HTTP were conceived without security considerations, exposing the digital realm to unforeseen vulnerabilities.

Fast-forward to the present, and the Internet, powered by the same insecure IP, stands at the forefront of global connectivity. Despite its indispensable role, the core technologies and long-standing services at the heart of the Internet have seen limited security enhancements. This stagnation, coupled with the Internet’s exponential growth and diverse user base, has opened the floodgates to a surge in online threats, ranging from cybercrime and espionage to extortion.

Recognizing the urgency prompted by the escalating value of data and the surging wave of cyber threats, the networking industry has risen to the challenge. A plethora of security devices and software solutions have been crafted, forming a formidable arsenal designed to counteract the evolving challenges posed by a dynamic and unpredictable online environment.

We can cite three important phases as a kickstart to network security:
1. Packet Filtering Era
2. Session Inspection Era
3. Application Control Era

Packet Filtering Era

While these eras represent a simplified framework, it’s crucial to recognize that network security is an ongoing, dynamic evolution. Advancements in technology and changes in the threat landscape continue to shape the strategies and tools employed in securing networks. Understanding the characteristics and driving forces behind each era provides valuable insights into the evolving nature of network security.

Implementation of Packet Filtering Device:

Introduce a device tasked with scrutinizing each packet it receives, determining adherence to the predefined “allow through” criteria.

The criteria examined by packet filters to make decisions are encapsulated in the “5-Tuple,” which includes:

· Source IP Address
· Destination IP Address
· IP Protocol Type
· Source Port Number
· Destination Port Number

From a distance or close up, distinguishing between good and bad packets is challenging. The advent of packet filtering marked an essential step in securing networks, allowing for selective passage of legitimate data while impeding potential threats based on specified criteria.
The IP Protocol Type is a number that gives some indication of the type of communication the packet is involved in. Examples of IP protocol type are:

· TCP
· UDP
· ICMP
· Signaling Protocols
· VPN Protocols

By enforcing these criteria, packet filters enforce a stringent access control policy, mitigating the risk of unauthorized or potentially harmful packets entering or leaving the network. This approach aligns with the overarching goal of allowing only the necessary and legitimate traffic to traverse the network perimeter.

This firewalling approach demonstrated certain advantages:

1. Identification of Clearly Malicious Traffic: Effectively filtered out clearly malicious traffic, such as incoming sessions to unusual TCP port numbers
2. Simplicity in Understanding and Implementation: Simple to understand and implement, making it accessible for a broad range of users and adaptable for hardware devices.
3. Hardware Acceleration: As the logic was straightforward, it could be easily realized in hardware devices, ensuring accelerated performance.

However, it also exhibited significant shortcomings:
1. Ineffectiveness Against Denial of Service (DoS) Attacks
2. Challenges with FTP Handling
3. Limited Session Awareness
4. Inability to Detect Deep Packet Attack

Session Inspection Era

The majority of data communication involves conversations, either dialogues or monologues. Packet Filtering can be likened to examining each individual word of a conversation in isolation, determining whether they belong to a legitimate exchange. The subsequent advancement in firewall development shifted towards tracking the progress of entire conversations, or “sessions.” Referred to as “Stateful Inspection,” these firewalls maintain awareness of the state of the sessions passing through them.

TCP proves particularly well-suited to session tracking. A TCP session initiates with the “3-way handshake,” utilizing specific flags in the TCP header to signal a request to start a session and an agreement to that request. Stateful Inspection represents an evolution beyond isolated packet scrutiny, enabling firewalls to comprehend the context of complete conversations and improve the accuracy of distinguishing between legitimate and malicious activities.

Similarly, concluding a TCP session involves a distinct “goodbye” handshake where the “FIN” flag signals the closure. Within a TCP session, packets include “Sequence” and “Acknowledgement” counters, indicating the exchanged data’s perceived progress. These counters aid in detecting lost data, enabling participants to request the retransmission of missing packets.

These factors justify a firewall’s active tracking of TCP session states, enabling it to:

1. Selective Packet Allowance
2. Hijack Detection
3. DoS Attack Recognition
4. Identification of Subtle Attacks
5. NAT Application
6. Network Scanning Detection

While TCP is highly session-oriented, extending session tracking to other protocols like UDP, ICMP, and IPSEC allows the firewall to recognize existing sessions and identify scanning attempts and other malicious activities.

Session-oriented firewalling represents a significant advancement over simple packet filtering. However, certain security breaches, like the HTTP GET Flood attack, may elude standard Stateful Inspection firewalls. Attacks of this nature, requiring knowledge of higher-layer protocol syntax such as HTTP, fall beyond the typical firewall’s scope.

Proxy firewalls

A competing session-aware technology to Stateful Inspection is the Proxy Firewall. Unlike traditional firewalls that merely pass packets through, a Proxy operates as a dual end-point. It responds to the TCP connection from the initiator and establishes another, independent session to the other participant. Essentially, it engages in separate conversations with the two endpoints, serving as an intermediary — relaying messages between them but preventing direct communication.

This approach offers several advantages:

1. Involvement in Higher Network Layers: The Proxy operates in the higher network layers of the conversation, enabling it to better detect invalid or malicious behavior at these upper layers.

2.Enhanced Logging Capability: The Proxy can log more detailed information about the upper layers of the conversations, providing a comprehensive audit trail for potential later investigations.

By actively participating in the communication process, a Proxy Firewall adds an additional layer of scrutiny, enhancing its ability to identify and mitigate security threats at a more granular level. This approach aligns with the evolving nature of cyber threats, where attacks often involve sophisticated tactics at higher protocol layers.

The Proxy Firewall, while offering certain advantages, comes with notable disadvantages:
1.Latency Addition
2. Emulation Complexity
3. Vulnerability to Hacking
4. Incomplete Security Coverage

Application Control

Application Control is a key innovation in modern firewalls, shifting focus from content delivery to managing a diverse range of Internet applications. Internet is now an extensive Application Server hosting interactive applications, transforming our online interactions.

Significance:

• Web 2.0 Impact: Web-based services have diversified for both business and personal use, making it crucial for organizations to control application usage.
• Paradigm Shift: TCP/UDP port-based categorization is outdated; Next-Generation Firewalls focus on identifying the application generating a dataflow.

Key Aspects:

• User Awareness: Application Control operates in a user-aware manner, acknowledging varying user rights within an organization.
• Granular Control: Firewalls not only allow or deny communication but also control specific features within applications based on business rules.

Advantages:

• Dynamic Control: Enables organizations to dictate how applications are used, who uses them, and what features are accessible.
• User-Specific Policies: Recognizes different user rights, allowing tailored access to features within applications.
• Single-Pass Security Scanning: Utilizes sophisticated hardware-accelerated content filtering for efficient, high-speed security checks.

Setbacks:

• Latency Concerns: Introducing latency is a drawback, particularly as Application Control involves deep inspection of dataflows.
• Emulation Challenges: Keeping up with evolving web services and creating emulations for new applications is a complex and ongoing task.
• Potential Target: Application Proxies can become targets for hacking, as security flaws in their service emulations may be exploited.

Other Methods Including :

• Sandboxing — Sandboxing is a cybersecurity practice where you run code or open files in a safe, isolated environment on a host machine that mimics end-user operating environments. Sandboxing observes the files or code as they are opened and looks for malicious behavior to prevent threats from getting on the network. For example malware in files such as PDF, Microsoft Word, Excel and PowerPoint can be safely detected and blocked before the files reach an unsuspecting end user.
• Zero Trust Network Access (ZTNA) — The zero trust security model states that a user should only have the access and permissions that they require to fulfill their role. This is a very different approach from that provided by traditional security solutions, like VPNs, that grant a user full access to the target network. Zero trust network access (ZTNA) also known as software-defined perimeter (SDP) solutions permits granular access to an organization’s applications from users who require that access to perform their duties.
• Remote Access VPN — Remote access VPN provides remote and secure access to a company network to individual hosts or clients, such as telecommuters, mobile users, and extranet consumers. Each host typically has VPN client software loaded or uses a web-based client. Privacy and integrity of sensitive information is ensured through multi-factor authentication, endpoint compliance scanning, and encryption of all transmitted data.

As we reflect on the evolution of Internet security, from its trusting origins to the complex, interconnected landscape of today, one truth stands clear: the journey is ongoing. From the rudimentary packet filtering to the nuanced application control, each phase has been a response to the challenges posed by an ever-expanding and evolving digital realm.

In our pursuit of a secure digital future, the importance of staying ahead, adapting, and fortifying our defenses cannot be overstated. As technologies advance and new threats emerge, our collective responsibility is to continue the journey, embracing innovation, and safeguarding the integrity of the digital world.

Team Members:
Ojas Ketkar
Pranav Joshi
Akash Ingle
Atharva Jayappa