Intrusion Detection System (IDS) - PowerPoint PPT Presentation

Title: Lab 12A: Intrusion Detection System (IDS)
Author: shlam
Last modified by: UTCC
Created Date: 11/11/2002 3:30:48 AM
Slides: 85
Provided by: shl54
Learn more at: http://elearning2.utcc.ac.th

Transcript and Presenter's Notes

1
Intrusion Detection System (IDS)
  • Outline
  • Host-based IDS: Tripwire
  • Network IDS: Snort
  • How to defeat an IDS

2
Intrusion Detection System (IDS)
  • Host-based IDS: Tripwire
  • Tripwire is a very popular system integrity
    checker: a utility that compares properties of
    designated files and directories against
    information stored in a previously generated
    database. Any change to these files is flagged
    and logged, including files that were added or
    deleted, with optional email and pager reporting.
    Support files (databases, reports, etc.) are
    cryptographically signed, so an intruder cannot
    quietly edit the baseline to hide a change.

3
Intrusion Detection System (IDS)
  • Host-based IDS: Tripwire
  • Lab 7: install Tripwire to monitor the integrity
    of the files on your hosts
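
The Tripwire lab is about detecting changes against a signed baseline. The following is an added example (my code, not Tripwire's) of that mechanism: it snapshots a directory tree, HMAC-signs the resulting database, then reports added, deleted and modified files and refuses a baseline whose signature no longer verifies. The HMAC key and the temporary file tree are assumptions constructed for the demo; Tripwire's own database format and key handling differ.

```python
"""Tripwire-style file integrity check: baseline, signed database, re-check.
Added example; it is not Tripwire's code and uses a simplified scheme."""
import hashlib
import hmac
import json
import os
import stat
import tempfile

# Assumption: the database is authenticated with an HMAC key that is kept
# off the monitored host (Tripwire signs its database and policy with its
# own site/local key scheme; the idea is the same).
DB_KEY = b"assumed-key-stored-off-host"


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record digest, size and permission bits of every regular file under root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and specials are out of scope here
            rel = os.path.relpath(full, root)
            db[rel] = {"sha256": file_digest(full),
                       "size": st.st_size,
                       "mode": st.st_mode & 0o7777}
    return db


def sign_db(db):
    """Serialize the database and append an HMAC tag over the serialization."""
    payload = json.dumps(db, sort_keys=True).encode()
    tag = hmac.new(DB_KEY, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"\n" + tag


def load_db(blob):
    """Verify the tag before trusting the baseline; a forged baseline hides changes."""
    payload, tag = blob.rsplit(b"\n", 1)
    expected = hmac.new(DB_KEY, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity database has been tampered with")
    return json.loads(payload)


def compare(baseline, current):
    """Report added, deleted and changed paths relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "deleted": deleted, "changed": changed}


def demo():
    """Constructed scenario in a temporary tree: baseline, tamper, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "etc"))
        for rel, data in (("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n"),
                          ("etc/hosts", b"127.0.0.1 localhost\n"),
                          ("bin_login", b"\x7fELF original binary")):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        signed = sign_db(snapshot(root))

        # Intruder: adds a uid-0 account, removes hosts, drops a backdoor.
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"evil:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(root, "etc/hosts"))
        with open(os.path.join(root, "backdoor.sh"), "wb") as f:
            f.write(b"#!/bin/sh\n")

        report = compare(load_db(signed), snapshot(root))

        # The same intruder editing the stored baseline (here: a whitespace
        # change to the JSON) invalidates the HMAC, so load_db rejects it.
        forged = signed.replace(b'"size": ', b'"size":  ', 1)
        try:
            load_db(forged)
            report["db_tamper_detected"] = False
        except ValueError:
            report["db_tamper_detected"] = True
        return report


if __name__ == "__main__":
    print(demo())
```

The check only catches what the baseline covers and only if the baseline itself is trusted, which is why the database and its key must live somewhere the intruder cannot write.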

4
Intrusion Detection System (IDS)
  • Network IDS: Snort
  • Snort is a lightweight network intrusion
    detection system, capable of performing
    real-time traffic analysis and packet logging on
    IP networks. It can perform protocol analysis and
    content searching/matching, and can be used to
    detect a variety of attacks and probes, such as
    buffer overflows, stealth port scans, CGI
    attacks, SMB probes, OS fingerprinting attempts,
    and much more.

5
Intrusion Detection System (IDS)
  • Network IDS: Snort
  • Snort uses a flexible rules language to
    describe traffic that it should collect or pass,
    as well as a detection engine that utilizes a
    modular plugin architecture. Snort has a
    real-time alerting capability as well,
    incorporating alerting mechanisms for syslog, a
    user-specified file, a UNIX socket, or WinPopup
    messages to Windows clients using Samba's
    smbclient.

6
Intrusion Detection System (IDS)
  • Network IDS: Snort
  • Snort has three primary uses. It can be used as
    a straight packet sniffer like tcpdump(1), a
    packet logger (useful for network traffic
    debugging, etc), or as a full blown network
    intrusion detection system.

7
Intrusion Detection System (IDS)
  • Network IDS: Snort
  • Snort is a very flexible tool. You can customize
    the rulesets to suit your needs. We have only
    given you a very simple introduction in this
    workshop. For more details on writing rules, you
    should go to http://www.snort.org/docs/writing_rules/

8
Intrusion Detection System (IDS)
  • Network IDS: Snort
  • Lab 7: install Snort on your host and use the
    Nessus network scanner to test your Snort IDS

9
Intrusion Detection System (IDS)
  • How to defeat a Network IDS
  • Insertion Attack
  • Insert packets that the end-point server will
    ignore but that the IDS accepts as valid. An
    attacker can use insertion attacks to defeat
    signature analysis, allowing her to slip attacks
    past an IDS.

10
Intrusion Detection System (IDS)
  • How to defeat a Network IDS
  • Insertion Attack
  • E.g. the signature of the phf CGI attack may be
    something like "GET /cgi-bin/phf?". We may
    insert extra packets such that the IDS sees the
    request as
  • "GET /cgi-bin/pleasedontdetecttthisforme?"
    while the end-point server still reads it as
  • "GET /cgi-bin/phf?"

11
Intrusion Detection System (IDS)
  • How to defeat a Network IDS
  • Insertion Attack

12
Intrusion Detection System (IDS)
  • How to defeat a Network IDS
  • Insertion Attack
  • Techniques
  • Using invalid sequence numbers. Most IDS do not
    check sequence numbers. Packets with invalid
    sequence numbers are rejected by the end-point
    server but may be accepted by such an IDS.

13
Intrusion Detection System (IDS)
  • How to defeat a Network IDS
  • Insertion Attack
  • Techniques
  • Using incorrect TCP checksums. Most IDS do not
    verify TCP checksums. Packets with an incorrect
    checksum are rejected by the end-point server but
    may be accepted by such an IDS.

14
Intrusion Detection System (IDS)
  • How to defeat a Network IDS
  • Insertion Attack
  • Techniques
  • Using incorrect TCP checksum

15
Intrusion Detection System (IDS)
  • How to defeat a Network IDS
  • Insertion Attack
  • Techniques
  • Using a short TTL. If the IDS sits on the network
    many hops away from the end-point servers,
    packets with a short TTL will be dropped before
    they reach the end-point servers. We can tune the
    TTL of the inserted packets so that they pass the
    IDS but expire before reaching the end-point
    servers.

16
Intrusion Detection System (IDS)
  • How to defeat a Network IDS
  • Insertion Attack
  • Techniques
  • Using short TTL
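
The three insertion techniques above (bad sequence numbers, bad checksums, short TTL) all rely on the IDS accepting a segment that the end host will reject. The following added example (not from the slides) models that gap: the IDS tap is assumed to sit three router hops in front of the server, and the segment stream, the signature and the junk bytes are constructed for the demo. The naive IDS view never matches the phf signature while the server's view does, and enabling checksum verification alone is not enough as long as the TTL trick is available.

```python
"""Model of an insertion attack on a network IDS (added example, not from the
slides). Segments carry the attributes the attack abuses; the end host drops
what a real TCP/IP stack would drop, a naive IDS does not."""
import re
from dataclasses import dataclass

# Signature the slide quotes for the phf CGI attack.
SIGNATURE = re.compile(rb"GET /cgi-bin/phf\?")

# Assumption: the IDS tap is 3 router hops in front of the server, so a
# packet leaving the tap with TTL <= 3 is discarded before it arrives.
HOPS_TO_SERVER = 3


@dataclass
class Segment:
    seq: int           # sequence number of the first payload byte
    data: bytes
    ttl: int           # IP TTL as observed at the IDS tap
    checksum_ok: bool  # whether the TCP checksum verifies


def host_view(segments, hops_from_ids=HOPS_TO_SERVER, isn=0):
    """What the server's TCP stack delivers to the application: segments with
    a bad checksum or an expired TTL never count; surviving bytes are placed
    by sequence number (first copy of a byte wins) and read out contiguously."""
    buf = {}
    for s in segments:
        if not s.checksum_ok or s.ttl <= hops_from_ids:
            continue
        for i, byte in enumerate(s.data):
            buf.setdefault(s.seq + i, byte)
    out = bytearray()
    seq = isn
    while seq in buf:
        out.append(buf[seq])
        seq += 1
    return bytes(out)


def ids_view(segments, verify_checksum=False, hops_to_server=None):
    """What the IDS reconstructs. With the defaults it behaves like the IDS
    the slides describe: every segment it sees is appended in arrival order,
    with no checksum or TTL check. The two options add the checks that defeat
    the corresponding insertion technique."""
    out = b""
    for s in segments:
        if verify_checksum and not s.checksum_ok:
            continue
        if hops_to_server is not None and s.ttl <= hops_to_server:
            continue
        out += s.data
    return out


def detected(stream):
    return SIGNATURE.search(stream) is not None


# Constructed attack stream: the real request is split so that junk segments
# can be inserted between its pieces. Junk is either checksum-corrupted or
# given a TTL that expires one hop before the server.
ATTACK = [
    Segment(0, b"GET /cgi-bin/p", ttl=64, checksum_ok=True),
    Segment(14, b"leasedontdetectt", ttl=64, checksum_ok=False),  # inserted
    Segment(14, b"h", ttl=64, checksum_ok=True),
    Segment(15, b"is", ttl=HOPS_TO_SERVER, checksum_ok=True),    # inserted
    Segment(15, b"f", ttl=64, checksum_ok=True),
    Segment(16, b"orme", ttl=64, checksum_ok=False),             # inserted
    Segment(16, b"?", ttl=64, checksum_ok=True),
]

if __name__ == "__main__":
    print("server sees :", host_view(ATTACK), detected(host_view(ATTACK)))
    print("naive IDS   :", ids_view(ATTACK), detected(ids_view(ATTACK)))
    print("checksum IDS:", ids_view(ATTACK, verify_checksum=True))
    print("full IDS    :", ids_view(ATTACK, True, HOPS_TO_SERVER))
```

The TTL check is the awkward one: the IDS can only apply it if it knows how many hops separate it from each protected host, which is why insertion is hard to rule out completely from a passive tap.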

17
Intrusion Detection System (IDS)
  • How to defeat a Network IDS
  • Evasion Attack
  • An end-system can accept a packet that an IDS
    rejects. An IDS that mistakenly rejects such a
    packet misses its contents entirely.
  • E.g. the packets of "GET /cgi-bin/phf?" may
    show up as "GET /gin/f" in the IDS's view

18
Intrusion Detection System (IDS)
  • How to defeat a Network IDS
  • Evasion Attack

19
Intrusion Detection System (IDS)
  • How to defeat a Network IDS
  • Evasion Attack
  • Techniques
  • Some IDS can only keep track of one connection
    per host/port pair at a time. Flood the target
    port with SYN packets for non-existent
    connections first, so that such an IDS is busy
    tracking bogus connections and ignores our real
    connection afterwards.

20
Intrusion Detection System (IDS)
  • How to defeat a Network IDS
  • Evasion Attack
  • Techniques
  • IP Fragmentation
  • Sending fragments out of order. Some IDS assume
    that fragments arrive in order and simply
    reassemble the data as soon as the fragment
    marked as final arrives. Sending fragments out
    of order may fool these IDS.

21
Intrusion Detection System (IDS)
  • How to defeat a Network IDS
  • Evasion Attack
  • Techniques
  • Sending overlapping fragments. The IDS and the
    end-point server may handle overlapping fragments
    differently. If the IDS does not resolve overlaps
    in a manner consistent with the systems it
    watches, it may, given a stream of fragments,
    reassemble a completely different packet than an
    end system in receipt of the same fragments.

22
Firewall
  • Outline
  • Variations on Firewall Architecture
  • Setting up network layer Firewalls
  • Firewall log
  • Setting private network with NAT

23
Firewall
  • Firewall
  • In brief, a firewall is typically the first line
    of defense for any Internet-connected network.
    What a firewall does and how it behaves depends
    on what level it operates on. (Those familiar
    with the OSI model will understand this.)
    Firewalls generally operate at the network layer
    (IP), or the application layer, such as HTTP
    proxies.

24
Firewall
  • Firewall

25
Lab 12B Firewall
  • Firewall
  • Those firewalls at the network layer are often
    called screening routers. A screening router
    examines the IP header on each incoming (and
    possibly outgoing) datagram and determines
    whether or not it should pass. It makes this
    determination by comparing key fields such as the
    source and destination addresses to the policy
    set by the administrator. Most screening routers
    will also examine the packet at the next layer
    (the transport layer), which allows you to create
    policies based on TCP or UDP port, or ICMP type
    and code.

26
Firewall
  • Firewall
  • Firewalls at the application layer are called
    gateways or proxies, and are designed to
    understand protocols at this level, such as HTTP
    or telnet. Application gateways are useful
    because they can offer very high level control
    over traffic, and so they are in some ways more
    secure than screening routers. For example, an
    application gateway may choose to filter all HTTP
    POST commands. Most importantly, gateways can
    maintain logging specific to application layer
    protocols. A paranoid (and privacy-ignorant)
    company may choose to have all mail pass through
    a gateway to log the To, From, and Subject fields
    of the header, for instance.

27
Firewall
  • Variations on Firewall Architecture
  • Single layer firewall architecture
  • Two layer firewall architecture
  • Merged interior and exterior firewall
    architecture
  • Two layer firewall architecture with two internal
    networks
  • Two layer firewall architecture with merged
    bastion host and exterior firewall

28
Firewall
  • Bastion host
  • A system exposed to the Internet that is
    expected to come under thorough attack. The term
    contrasts those hosts that are inside a
    firewall's protection.
  • DMZ (Demilitarized Zone)
  • In firewalls, a DMZ is an area that is mostly
    public to the Internet. This is where a company's
    web, e-mail, and DNS servers are located. A DMZ
    often has some limited protection, but since it
    is very exposed to the Internet, the assumption
    is that the machines in the zone will eventually
    be compromised. Therefore, the machines often
    have as little connectivity to the private
    network as any other machine on the Internet.

29
Firewall
  • Type A Single layer firewall architecture

30
Lab 12B Firewall
  • Type B Two layer firewall architecture

31
Firewall
  • Type C Merged interior and exterior firewall
    architecture

32
Firewall
  • Type D: Two layer firewall architecture with two
    internal networks

33
Firewall
  • Type E Two layer firewall architecture with
    merged bastion host and exterior firewall

34
Firewall
  • Lab 8: Deploy a firewall on your host using ipchains

35
Firewall
  • Linux firewall log
  • All the traffic going through the firewall is
    part of a connection. A connection consists of
    the pair of IP addresses that are talking to each
    other, as well as a pair of port numbers. The
    destination port number often indicates the type
    of service being connected to. When a firewall
    blocks a connection, it saves the destination
    port number (among other fields) to its logfile.

36
Firewall
  • Linux firewall log
  • Here is an example:
  • Packet log: input DENY eth0 PROTO=17
    192.168.2.1:53 192.168.1.1:1025 L=34 S=0x00 I=18
    F=0x0000 T=254
  • 'input' is the chain which contained the rule
    which matched the packet, causing the log
    message.
  • 'DENY' is what the rule said to do to the packet.
    If this is '-' then the rule didn't affect the
    packet at all (an accounting rule).
  • 'eth0' is the interface name. Because this was
    the input chain, it means that the packet came in
    on 'eth0'.
  • 'PROTO=17' means that the packet was protocol 17.
    A list of protocol numbers is given in
    '/etc/protocols'. The most common are 1 (ICMP), 6
    (TCP) and 17 (UDP).

37
Firewall
  • Linux firewall log
  • '192.168.2.1' means that the packet's source IP
    address was 192.168.2.1.
  • ':53' means that the source port was port 53.
    Looking in '/etc/services' shows that this is the
    'domain' port (i.e. this is probably a DNS
    reply). For UDP and TCP, this number is the
    source port. For ICMP, it's the ICMP type. For
    others, it will be 65535.
  • '192.168.1.1' is the destination IP address.

38
Firewall
  • Linux firewall log
  • ':1025' means that the destination port was 1025.
    For UDP and TCP, this number is the destination
    port. For ICMP, it's the ICMP code. For others,
    it will be 65535.
  • 'L=34' means that the packet was a total of 34
    bytes long.
  • 'S=0x00' is the Type of Service field (divide by
    4 to get the Type of Service value as used by
    ipchains).
  • 'I=18' is the IP ID.

39
Firewall
  • Linux firewall log
  • 'F=0x0000' is the 16-bit fragment offset plus
    flags. A value starting with '0x4' or '0x5' means
    that the Don't Fragment bit is set. '0x2' or
    '0x3' means the More Fragments bit is set:
    expect more fragments after this. The rest of the
    number is the offset of this fragment, divided by
    8.

40
Firewall
  • Linux firewall log
  • 'T=254' is the Time To Live of the packet. One is
    subtracted from this value for every hop; it
    commonly starts at 64, 128 or 255 at the sender.
  • '(#5)': there may be a final number in brackets
    on more recent kernels (perhaps after 2.2.9).
    This is the rule number which caused the packet
    log.

41
Firewall
  • Linux firewall log
  • Here is another example:
  • Feb 26 11:15:56 iegatea0 kernel: Packet log:
    input DENY eth0 PROTO=6 200.223.111.242:1956
    137.189.97.67:25 L=60 S=0x60 I=59731 F=0x4000
    T=42 SYN (#77)
  • The TCP SYN packet of an SMTP (port 25) access
    to the host 137.189.97.67 from the host
    200.223.111.242, client port 1956, was blocked by
    ipchains rule 77.
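
An added example (my code, not part of the slides or the ipchains documentation) that parses the two log lines explained above into their fields, including the Don't Fragment and More Fragments bits hidden in the 'F=' value, the 'divide by 4' Type of Service value, the TCP flag words and the rule number in brackets:

```python
"""Parser for ipchains 'Packet log:' lines (added example, not from the slides
or the ipchains documentation). It decodes the fields the slides explain."""
import re

# Subset of /etc/protocols; the full table lives on the host.
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?P<flags>(?: [A-Z]+)*)(?: \(#(?P<rule>\d+)\))?"
)


def parse_ipchains_log(line):
    """Return the decoded fields of one log line, or None if it is not one.
    Any syslog prefix (timestamp, host, 'kernel:') is skipped."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = int(m["proto"])
    frag = int(m["frag"], 16)
    tos = int(m["tos"], 16)
    return {
        "chain": m["chain"],
        "target": m["target"],
        "iface": m["iface"],
        "proto": PROTOCOLS.get(proto, str(proto)),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "length": int(m["length"]),
        "tos_ipchains": tos >> 2,            # the slide's 'divide by 4'
        "ipid": int(m["ipid"]),
        "df": bool(frag & 0x4000),           # Don't Fragment bit
        "mf": bool(frag & 0x2000),           # More Fragments bit
        "frag_offset": (frag & 0x1FFF) * 8,  # offset field is in 8-byte units
        "ttl": int(m["ttl"]),
        "flags": m["flags"].split(),
        "rule": int(m["rule"]) if m["rule"] else None,
    }


def summarize(line):
    """One-line reading of a log entry, in the style of the slide's explanation."""
    r = parse_ipchains_log(line)
    if r is None:
        return None
    kind = r["proto"].upper() + (" " + "/".join(r["flags"]) if r["flags"] else "")
    rule = f" by rule {r['rule']}" if r["rule"] is not None else ""
    return (f"{kind} from {r['src']}:{r['sport']} to {r['dst']}:{r['dport']} "
            f"{r['target']} on chain {r['chain']}{rule}")


# The two lines from the slides, with their punctuation restored.
LINE1 = ("Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025 "
         "L=34 S=0x00 I=18 F=0x0000 T=254")
LINE2 = ("Feb 26 11:15:56 iegatea0 kernel: Packet log: input DENY eth0 PROTO=6 "
         "200.223.111.242:1956 137.189.97.67:25 L=60 S=0x60 I=59731 F=0x4000 "
         "T=42 SYN (#77)")

if __name__ == "__main__":
    for line in (LINE1, LINE2):
        print(summarize(line))
```

Feeding the parser a whole kernel log and grouping on (src, dport) is the quickest way to spot the port scans and SMTP relay probes the slides talk about.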

42
Firewall
  • Linux firewall log
  • Port numbers are divided into three ranges
  • The Well Known Ports are those from 0 through
    1023. These are tightly bound to services, and
    usually traffic on this port clearly indicates
    the protocol for that service. For example, port
    80 virtually always indicates HTTP traffic.
  • The Registered Ports are those from 1024 through
    49151. These are loosely bound to services, which
    means that while there are numerous services
    "bound" to these ports, these ports are likewise
    used for many other purposes. For example, most
    systems start handing out dynamic ports starting
    around 1024.

43
Firewall
  • Linux firewall log
  • Port numbers are divided into three ranges
  • The Dynamic and/or Private Ports are those from
    49152 through 65535. In theory, no service should
    be assigned to these ports.
  • In reality, machines start assigning "dynamic"
    ports starting at 1024. We also see strangeness,
    such as Sun starting their RPC ports at 32768.
  • For a complete list of port assignments, refer
    to
  • http://www.iana.org/assignments/port-numbers

44
Firewall
  • Setting up a private network with IP Masquerade
  • IP Masquerade is a networking function in Linux
    similar to the one-to-many (1:many) NAT (Network
    Address Translation) found in many commercial
    firewalls and network routers.

45
Firewall
  • Setting up a private network with IP Masquerade
  • MASQ allows a set of machines to invisibly
    access the Internet via the MASQ gateway. To
    other machines on the Internet, the outgoing
    traffic will appear to be from the IP MASQ Linux
    server itself. In addition to the added
    functionality, IP Masquerade provides the
    foundation to create a HEAVILY secured networking
    environment. With a well built firewall, breaking
    the security of a well configured masquerading
    system and internal LAN should be considerably
    difficult to accomplish.

46
Firewall
  • Setting up a private network with IP Masquerade

47
Firewall
  • Setting up a private network with IP Masquerade
  • E.g.
  • /sbin/ipchains -A forward -s 192.168.0.0/16 -j
    MASQ
  • This rule masquerades all clients in the private
    network 192.168.0.0/16 behind the Linux
    masquerading gateway

48
Firewall
  • Setting up a private network with iptables NAT
  • Linux iptables provides two different types of
    NAT: Source NAT (SNAT) and Destination NAT
    (DNAT).
  • Source NAT is when you alter the source address
    of the first packet, i.e. you are changing where
    the connection is coming from. Masquerading is a
    specialized form of SNAT.
  • Destination NAT is when you alter the destination
    address of the first packet, i.e. you are changing
    where the connection is going to. Port
    forwarding, load sharing, and transparent
    proxying are all forms of DNAT.

49
Firewall
  • Setting up a private network with iptables NAT
  • Example of source NAT
  • Change source addresses to 1.2.3.4.
  • iptables -t nat -A POSTROUTING -o eth0 -j SNAT
    --to 1.2.3.4
  • Example of destination NAT
  • Change destination addresses to 5.6.7.8
  • iptables -t nat -A PREROUTING -i eth1 -j DNAT
    --to 5.6.7.8

50
Network Address Translation (NAT)
  • Diagram: Client 10.42.6.9 -> NAT -> Server; on
    the outside the client's traffic appears to come
    from 35.9.20.20
  • (Linux calls it masquerading)

51
NAT Pro/Con
  • Pro
  • Enforces control over outbound connections
  • Dynamic translation is more restrictive: the
    changing mapping increases attack difficulty
  • Conceals internal configuration
  • Con
  • Dynamic translation requires maintaining state
    (how long to keep connection open?)
  • Interferes with some encryption schemes
  • Dynamic translation interferes with logging
  • Dynamic translation of ports can interfere with
    filtering
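
The pros and cons above follow from the translation table a masquerading gateway keeps. The following added example (not the Linux kernel's code) simulates that table: the public address comes from the diagram on slide 50, while the idle timeout, the port allocation order and the client and server addresses are assumptions constructed for the demo. It shows outbound connections creating state, replies being untranslated only when they match the remembered remote endpoint, unsolicited inbound packets being dropped, and idle state expiring.

```python
"""Stateful one-to-many NAT (Linux masquerading) as a translation table
(added example, not the kernel's implementation). It shows what the pro/con
slide means by enforcing outbound control, concealing the internal network,
and having to keep per-connection state with a timeout."""
from dataclasses import dataclass

PUBLIC_IP = "35.9.20.20"   # the gateway's outside address, as in the slide's diagram
IDLE_TIMEOUT = 60          # assumption: seconds before an idle mapping is expired


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Masquerader:
    def __init__(self, public_ip=PUBLIC_IP, first_port=1024, timeout=IDLE_TIMEOUT):
        self.public_ip = public_ip
        self.next_port = first_port
        self.timeout = timeout
        self.by_flow = {}   # (src, sport, dst, dport, proto) -> public port
        self.by_port = {}   # public port -> [flow key, last activity time]

    def _expire(self, now):
        for port, (flow, seen) in list(self.by_port.items()):
            if now - seen > self.timeout:
                del self.by_port[port]
                del self.by_flow[flow]

    def _allocate(self):
        # Assumption: public ports are handed out sequentially; no wrap-around.
        while self.next_port in self.by_port:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt, now):
        """Internal -> Internet: rewrite the source to the public address and a
        gateway-chosen port, remembering the flow so replies can be undone."""
        self._expire(now)
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        port = self.by_flow.get(flow)
        if port is None:
            port = self._allocate()
            self.by_flow[flow] = port
            self.by_port[port] = [flow, now]
        self.by_port[port][1] = now
        return Packet(self.public_ip, port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt, now):
        """Internet -> internal: only a reply that matches a live mapping and
        comes from the same remote endpoint is translated; anything else is
        dropped, so no internal host is reachable unless it opened the flow."""
        self._expire(now)
        entry = self.by_port.get(pkt.dport)
        if entry is None or pkt.dst != self.public_ip:
            return None
        src, sport, dst, dport, proto = entry[0]
        if (pkt.src, pkt.sport, pkt.proto) != (dst, dport, proto):
            return None
        entry[1] = now
        return Packet(pkt.src, pkt.sport, src, sport, proto)


def demo():
    """Constructed traffic: two RFC 1918 clients reach a web server
    (example.com's address), a third party probes the mapped port, and a
    reply arrives after the mapping has idled out."""
    nat = Masquerader()
    out1 = nat.outbound(Packet("10.42.6.9", 40000, "93.184.216.34", 80), now=0)
    out2 = nat.outbound(Packet("10.42.6.10", 40000, "93.184.216.34", 80), now=0)
    reply1 = nat.inbound(Packet("93.184.216.34", 80, PUBLIC_IP, out1.sport), now=1)
    probe = nat.inbound(Packet("198.51.100.7", 4444, PUBLIC_IP, out1.sport), now=2)
    late = nat.inbound(Packet("93.184.216.34", 80, PUBLIC_IP, out1.sport), now=100)
    return {"out1": out1, "out2": out2, "reply1": reply1, "probe": probe, "late": late}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt)
```

Both clients used local port 40000, yet the outside world sees 35.9.20.20:1024 and 35.9.20.20:1025; that is the "conceals internal configuration" pro and the "interferes with logging" con in one picture, since an external log entry can only be attributed by joining it against the gateway's own mapping table for that moment.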

52
Firewall
  • Diagram: the firewall stands between your network
    and the evil hackers
53
  • Firewalls mitigate risk
  • Block many threats
  • They have vulnerabilities

54
  • Firewalls can be your connection to the Internet.
    As a prerequisite to this course you already
    know about networking, but it is worthwhile to
    look at the interface to the Internet with
    respect to security.

55
Typical Network Stack
  • Application Layer (FTP, HTTP, SSH, etc.)
  • Transport Layer (TCP, UDP; ICMP is usually
    grouped here although it rides directly on IP)
  • Internet Layer (IP)
  • Network Access Layer (Ethernet, FDDI, etc.)
  • (If you have a Novell or AppleShare network, the
    IP layer will be different.)
  • (Carrier pigeon network layer: RFC 1149, dated
    1 April 1990, defines IP over avian carriers.)

56
Packet Organization
  • Each layer's packet organization has a header and
    a data field.
  • Each layer treats the information it gets from
    the layer above it as data, i.e. every layer
    adds its own header.

57
Encapsulation
  • Application (FTP, HTTP, ...): data
  • Transport (TCP, UDP, ...): header + application
    data
  • Internet (IP): header + transport segment
  • Network (Ethernet): header + IP packet

58
Ethernet Layer
  • Header
  • Packet Type, e.g. IP
  • Source Address
  • Original source or last router on path
  • Destination Address
  • Final destination or next router
  • May be multicast or broadcast
  • Addresses are Media Access Control (MAC)
  • Data is an IP packet

59
IP Layer
  • Header
  • IP Source Address, e.g. 35.9.20.20
  • IP Destination Address
  • IP Protocol Type, e.g. TCP, UDP, ICMP
  • Data: TCP segment (or UDP, etc.)
  • Fragmentation: if (network max packet size < IP
    packet size) split the data into multiple packets
    (fragments)

60
TCP Layer
  • Header
  • TCP Source Port (2-bytes)
  • TCP Destination Port
  • TCP flags designate the packet type:
  • ACK, SYN, etc.
  • Data: application data, e.g. FTP data

61
Multicast or Broadcast Source
  • Legitimate use: a DHCP request is sent from the
    unspecified address 0.0.0.0 to the broadcast
    address, since the client doesn't have a valid
    address yet
  • Illegitimate use: sending a packet with a
    broadcast source to a single destination will
    prompt a broadcast reply, letting you use the
    destination as a broadcast amplifier
  • Since DHCP isn't external (normally), block
    packets with a broadcast source at the border

62
IP Fragmentation
  • Prevent fragmentation with path MTU discovery
  • Maximum Transmission Unit (MTU)
  • Send the message with Don't Fragment set
  • If (error returned), decrease the size; else
    increase the size

63
Packet Filters Fragmentation
  • Solution: packet-filter only the first fragment
    and let non-first fragments through. If you drop
    the first, a higher-level protocol (TCP) will
    invalidate the rest.
  • Problem 1: the destination holds the non-first
    fragments waiting for the missing one (until a
    timeout), resulting in denial of service!

64
Packet Filter Fragmentation
  • Problem 2: an attacker carefully constructs
    overlapping fragments so that non-first fragments
    contain useful information. Overlapping fragments
    may be reassembled into invalid packets, causing
    the OS to crash.

65
Packet Filter Fragmentation
  • Problem 3: an attacker can get data to otherwise
    blocked ports by placing valid TCP headers in
    non-first fragments, which slip through.

66
Packet Filter Fragmentation
  • Solutions
  • Fragment reassembly before filtering
  • Time consuming
  • Reject all non-first fragments
  • May reject otherwise good connections, but they
    will retransmit.
  • Increased use of path MTU discovery is reducing
    fragmentation
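
The fragment problems above (slides 63 to 66) and the IDS evasion slides 20 and 21 share one root cause: the box in the middle and the end host may reassemble the same fragments differently. The following added example (my code, not the slides') reassembles a constructed fragment stream under two overlap policies and with the fragments arriving out of order. The request text and the policy names 'first' and 'last' are illustrative; which policy a given real stack follows has to be established by testing it, not assumed.

```python
"""IP fragment reassembly under different overlap policies (added example; the
code is mine, not the slides'). The same fragments produce different datagrams
depending on whether earlier or later data wins an overlap."""
from dataclasses import dataclass


@dataclass
class Fragment:
    offset: int   # byte offset in the original datagram; on the wire a multiple of 8
    data: bytes
    more: bool    # IP 'More Fragments' flag; False on the final fragment


def reassemble(fragments, policy):
    """Reassemble once every byte up to the end marked by the final fragment
    is present, regardless of arrival order. policy 'first': the byte from the
    fragment that arrived first wins an overlap; 'last': later data overwrites.
    Returns None while the datagram is still incomplete."""
    buf, total = {}, None
    for f in fragments:
        if f.offset % 8:
            raise ValueError("fragment offsets are in 8-byte units")
        for i, byte in enumerate(f.data):
            if policy == "first":
                buf.setdefault(f.offset + i, byte)
            elif policy == "last":
                buf[f.offset + i] = byte
            else:
                raise ValueError(policy)
        if not f.more:
            total = f.offset + len(f.data)
    if total is None or any(i not in buf for i in range(total)):
        return None
    return bytes(buf[i] for i in range(total))


def naive_on_final(fragments):
    """The shortcut slide 20 describes: concatenate in arrival order and hand
    the result over as soon as the fragment marked final has been seen."""
    out = b""
    for f in fragments:
        out += f.data
        if not f.more:
            return out
    return None


def contains_attack(datagram):
    return datagram is not None and b"/cgi-bin/phf" in datagram


# Constructed stream: the final fragment is sent first (out of order) and the
# second 8-byte block is sent twice, a benign copy first, the attack copy last.
ARRIVAL = [
    Fragment(16, b"? HTTP/1.0", more=False),
    Fragment(0, b"GET /cgi", more=True),
    Fragment(8, b"-bin/foo", more=True),
    Fragment(8, b"-bin/phf", more=True),
]

if __name__ == "__main__":
    for pol in ("first", "last"):
        print(pol, reassemble(ARRIVAL, pol))
    print("naive", naive_on_final(ARRIVAL))
```

A monitor that favors first-arriving data sees a request for /cgi-bin/foo, a host that favors the latest data executes /cgi-bin/phf, and the monitor that reassembles on the first final fragment sees neither. Normalizing fragments before filtering (the first solution listed above) removes the ambiguity at the cost of holding state for every partially received datagram.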

67
TCP
  • TCP is reliable because it guarantees to the
    application layer that it will
  • Provide data in the order it was sent
  • Provide all data sent
  • Not provide duplicates
  • It will kill a connection before violating any
    of these.

68
Blocking TCP
  • To block a TCP connection, simply block the
    first packet.
  • The first packet is unique: ACK is not set
    (only SYN)
  • It is the start-of-connection packet
  • Can enforce a policy of only allowing connections
    to external servers, i.e. deny external
    connection requests to internal servers

69
TCP Flags
  • Common TCP flags
  • ACK (acknowledgement)
  • SYN (synchronize)
  • RST (reset)
  • FIN (finish)
  • The 3-way handshake uses SYN and ACK
  • RST and FIN are used to close connections

70
TCP Flags
  • Firewalls use ACK and RST
  • A missing ACK flag identifies the first packet of
    a connection
  • RST tells the peer to shut up, without providing
    a useful error message

71
TCP Sequence Numbers
  • Sequence numbers allow reconstruction of correct
    order of packets
  • Supposed to begin with a random number, but often
    is not random: vulnerability!
  • How to hijack a TCP connection?

72
Hijacking a TCP Connection
  • Attacker needs:
  • Ability to forge TCP/IP packets.
  • Initial sequence number
  • Knowledge that a TCP connection has started (but
    not the ability to see it)
  • When the TCP connection started
  • Ability to redirect responses to you OR continue
    the conversation without responses to you while
    achieving your goal
  • Thought to be too hard, but exists in the wild.

73
UDP
  • Since UDP does not guarantee reliability there is
    no uniquely identifiable first packet

74
ICMP
  • Examples
  • Echo Request, sent by ping
  • Echo Reply
  • Time exceeded (really hops exceeded)
  • Destination unreachable
  • Redirect (router redirected a packet and is
    telling the sender that a better way exists)

75
ICMP
  • Destination Unreachable has codes to indicate
    the reason
  • The relevant one is
  • Fragmentation Needed and Don't Fragment was set
  • used for path MTU discovery
  • Desirable to drop all other unreachable replies,
    since they provide useful information to
    scanners.
  • Most firewalls do not allow discrimination on
    ICMP reason.

76
ICMP Attacks
  • ICMP packets should be very small; large ones
    indicate a problem, so filter out large ones.
  • For example, echo packets allow padding which
    could carry data. Not useful for breaking in,
    but could be used as a covert channel to keep
    contact with a compromised site.

77
IP over IP
  • Encapsulating IP over IP
  • Encrypted traffic
  • Mobile IP (movement with a fixed IP)
  • Burying (tunnelling) another protocol
  • Multicast over non-supporting networks
  • IPv6 over IPv4
  • VPN: virtual private networks
  • Problem: the firewall cannot see the actual IP
    packet (encrypted) or may not look at it

78
Low-level attacks
  • Port scanning
  • Send SYN without ACK: receive SYN/ACK if the port
    is open, RST if it is closed
  • Send FIN
  • all flags on: Christmas tree (lights it up)
  • all flags off: null
  • Either can crash a weak TCP/IP stack

79
Low-level Attacks
  • IP Spoofing. Apparent problem: the reply is not
    sent to the attacker. But:
  • Attacker can intercept the reply
  • Attacker doesn't care to see it (e.g. DoS)
  • Attacker doesn't want the reply: a smurf attack
    directs the responses at the victim (the spoofed
    source) while multiplying them by sending to a
    broadcast address

80
Packet Filtering Pro/Con
  • Pro
  • One filter can protect an entire network
  • Simple filtering is efficient
  • Widely available
  • Con
  • Not perfect: hard to configure and test
  • Reduces router performance
  • Some security policies cannot be enforced, e.g.
    block a user

81
Three main categories of firewalls
  • Network layer firewalls. An example would be
    iptables.
  • Application layer firewalls. An example would be
    TCP Wrappers.
  • Application firewalls. An example would be
    restricting ftp services through /etc/ftpaccess
    file

82
Network layer firewalls
  • operate at a (relatively) low level of the TCP/IP
    protocol stack as IP-packet filters, not allowing
    packets to pass through the firewall unless they
    match the rules. The firewall administrator may
    define the rules or default built-in rules may
    apply (as in some inflexible firewall systems).
  • A more permissive setup could allow any packet to
    pass the filter as long as it does not match one
    or more "negative-rules", or "deny rules". Today
    network firewalls are built into most computer
    operating systems and network appliances.
  • Modern firewalls can filter traffic based on many
    packet attributes like source IP address, source
    port, destination IP address or port, destination
    service like WWW or FTP. They can filter based on
    protocols, TTL values, netblock of originator,
    domain name of the source, and many other
    attributes.

83
Application-layer firewalls
  • work on the application level of the TCP/IP stack
    (i.e., all browser traffic, or all telnet or ftp
    traffic), and may intercept all packets traveling
    to or from an application. They block other
    packets (usually dropping them without
    acknowledgement to the sender). In principle,
    application firewalls can prevent all unwanted
    outside traffic from reaching protected machines.
  • By inspecting all packets for improper content,
    firewalls can even prevent the spread of the
    likes of viruses. In practice, however, this
    becomes so complex and so difficult to attempt
    (given the variety of applications and the
    diversity of content each may allow in its packet
    traffic) that comprehensive firewall design does
    not generally attempt this approach.
  • The XML firewall exemplifies a more recent kind
    of application-layer firewall.

84
A proxy device
  • (running either on dedicated hardware or as
    software on a general-purpose machine) may act as
    a firewall by responding to input packets
    (connection requests, for example) in the manner
    of an application, whilst blocking other packets.
  • Proxies make tampering with an internal system
    from the external network more difficult and
    misuse of one internal system would not
    necessarily cause a security breach exploitable
    from outside the firewall (as long as the
    application proxy remains intact and properly
    configured). Conversely, intruders may hijack a
    publicly-reachable system and use it as a proxy
    for their own purposes the proxy then
    masquerades as that system to other internal
    machines. While use of internal address spaces
    enhances security, crackers may still employ
    methods such as IP spoofing to attempt to pass
    packets to a target network.