Wednesday, June 5, 2019
Functional Relationship Network Architecture
A computer network is a collection of computers and devices interconnected by communication channels that enable communication among users and allow users to share resources. Networks may be classified according to a wide range of characteristics. A computer network permits sharing of resources and information among interconnected devices.

Fig1. Block diagram of computer network

Connection method
Computer networks can be classified according to the hardware and software technology that is used to interconnect the individual devices in the network, such as optical fiber, Ethernet or wireless LAN.

Functional relationship (network architecture)
Computer networks may be classified according to the functional relationships which exist among the elements of the network, e.g., active networking, client-server and peer-to-peer architecture.

Network topology
Computer networks may be classified according to the network topology upon which the network is based, such as bus network, star network, ring network or mesh network. Network topology is the arrangement by which devices in the network are organized in their logical relations to one another, independent of physical arrangement. Even if networked computers are physically placed in a linear arrangement and are connected to a hub, the network has a star topology, rather than a bus topology. In this respect the visual and operational aspects of a network are distinct. Networks may also be classified based on the method used to carry the data; these include digital and analog networks.

Fig2. Mesh topology
Fig3. Star topology
Fig4. Ring topology

What is a firewall?

Fig5. Firewall

A firewall is a component of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices that is configured to permit or deny network transmissions based upon a set of rules and other criteria. Firewalls can be implemented in either hardware or software, or a combination of both. Firewalls are commonly used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which inspects each message and blocks those that do not meet the specified security criteria. There are several types of firewall techniques:

Packet filter
Packet filtering inspects each packet that is passing through the network and accepts or rejects it based on user-defined rules, in particular on IP addresses. Although difficult to configure, it is effective and mostly transparent to its users. It is vulnerable to IP spoofing.

Fig6. Packet filters

This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (i.e. it stores no information on connection state). Instead, it filters each packet based only on information contained in the packet itself. The TCP and UDP protocols make up most communication over the Internet, and because TCP and UDP traffic by convention uses well-known ports for particular types of traffic, a stateless packet filter can distinguish between, and hence control, those types of traffic (such as web browsing, remote printing, email transmission, file transfer), unless the machines on each side of the packet filter are both using the same non-standard ports.

Packet filtering firewalls work mainly on the first three layers of the OSI reference model, which means most of the work is done between the network and physical layers, with a little bit of peeking into the transport layer to find out source and destination port numbers. When a packet originates from the sender and passes through a firewall, the device checks it against the packet filtering rules that are configured in the firewall and drops or rejects the packet accordingly. When the packet goes through the firewall, it checks the packet on a protocol/port number basis (GSS).

Application gateway
Applies security mechanisms to specific applications, such as FTP hosts. This is effective, but can degrade performance.

Fig7. OSI reference model

The benefit of application layer filtering is that it can understand applications and protocols, and it can also detect if an unwanted protocol is sneaking through on a non-standard port or if a protocol is being used in any harmful way. An application firewall is more secure and reliable than a packet filter firewall, as it works on all 7 layers of the OSI reference model, from the application to the physical layer.
This is similar to a packet filter firewall, but here it also filters information on the basis of content. In 2009/2010 the focus of the most comprehensive firewall security vendors turned to expanding the list of applications such firewalls are aware of, now covering hundreds and in some cases thousands of applications which can be identified automatically. Many of these applications can not only be blocked or allowed but manipulated by the more advanced firewall products to allow only certain functionality, enabling network security administrators to give users functionality without enabling unnecessary vulnerabilities. As a consequence these advanced versions of the second generation firewalls are being referred to as Next Generation and surpass the third generation firewall. It is expected that due to malicious communications this trend will have to continue to enable organizations to be truly secure.

Third generation stateful filters

Fig8. Stateful filter

Third-generation firewalls, in addition to what first- and second-generation firewalls look for, regard the placement of each packet within the packet series. This technology is generally referred to as stateful packet inspection, as it maintains records of all connections going through the firewall and is able to determine whether a packet is the start of a new connection, a part of an existing connection, or an invalid packet. Though there is still a set of defined rules in such a firewall, the state of a connection can itself be one of the criteria which trigger specific rules. This type of firewall can actually be exploited by certain Denial-of-service attacks which can fill the connection tables with illegitimate connections.

Circuit-level gateway
Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
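As an added illustration (not code from the original post), the two filter types described above side by side: a stateless rule matcher that decides from header fields alone, and a stateful tracker that records connections, classifies each packet as new, existing or invalid, and bounds its connection table so a flood of unfinished handshakes cannot fill it. The addresses, rules and packets are constructed sample values.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed TCP packet summary: flags is the set of TCP flags, e.g. {"SYN"}.
Packet = namedtuple("Packet", "src dst sport dport flags", defaults=[frozenset()])
# Stateless rule: CIDR source/destination and optional ports; None matches any port.
Rule = namedtuple("Rule", "action src dst sport dport",
                  defaults=["0.0.0.0/0", "0.0.0.0/0", None, None])

def rule_matches(r, p):
    """Decided from the packet's own header fields only, no memory of earlier packets."""
    return (ip_address(p.src) in ip_network(r.src)
            and ip_address(p.dst) in ip_network(r.dst)
            and r.sport in (None, p.sport) and r.dport in (None, p.dport))

def stateless_filter(rules, p, default="drop"):
    """First matching rule wins; unmatched packets get the default policy."""
    return next((r.action for r in rules if rule_matches(r, p)), default)

# Constructed rule set protecting 192.0.2.0/24: inbound web to one host, outbound mail,
# and a rule for SMTP replies that also admits any packet whose source port is 25,
# since a stateless filter cannot tell a genuine reply from an unrelated packet.
RULES = [Rule("accept", dst="192.0.2.10/32", dport=80),
         Rule("accept", src="192.0.2.0/24", dport=25),
         Rule("accept", dst="192.0.2.0/24", sport=25)]

class StatefulFilter:
    """Admits replies by remembering connections instead of opening ports to everyone."""
    def __init__(self, allowed_dports, max_entries=1000, half_open_timeout=30.0):
        self.allowed_dports = set(allowed_dports)   # services clients may open
        self.max_entries = max_entries              # connection table capacity
        self.half_open_timeout = half_open_timeout  # seconds a half-open entry lives
        self.table = {}                             # 4-tuple -> (state, last seen)

    def inspect(self, p, now):
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        k = fwd if fwd in self.table else rev if rev in self.table else None
        if k is not None:                            # part of a known connection
            if p.flags & {"FIN", "RST"}:
                del self.table[k]                    # closing: forget the record
            elif "ACK" in p.flags:
                self.table[k] = ("ESTABLISHED", now) # handshake completed
            return "accept"
        if p.flags == {"SYN"} and p.dport in self.allowed_dports:
            # Evict stale half-open entries first so a flood of unfinished handshakes
            # cannot pin the table; the timeout is the usual defence against this.
            for key in [k for k, (st, t) in self.table.items()
                        if st == "SYN_SENT" and now - t > self.half_open_timeout]:
                del self.table[key]
            if len(self.table) >= self.max_entries:
                return "drop"                        # table full: the exhaustion case
            self.table[fwd] = ("SYN_SENT", now)      # start of a new connection
            return "accept"
        return "invalid"                             # neither new nor part of a connection
```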
Proxy servers
Checks all messages entering and leaving the network. The proxy server hides the true network addresses.

Fig9. Proxy server

In computer networks, a proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, asking for some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server processes the request according to its filtering rules. For example, it may filter traffic by IP address. If the request is passed by the filter, the proxy provides the resource by connecting to the relevant server and requesting the service on behalf of the client. A proxy server may alter the client's request or the server's response, and sometimes it may serve the request without contacting the specified server. In this case, it caches responses from the remote server, and answers subsequent requests for the same content directly.

Types of proxy

Forward proxies

Fig10. Forward proxies

A forward proxy takes requests from an internal network and forwards them to the Internet. Forward proxies are proxies where the client names the target server to connect to. Forward proxies are able to retrieve from a wide range of sources. The terms "forward proxy" and "forwarding proxy" are a general description of behavior (forwarding traffic) and hence ambiguous. Except for reverse proxies, the types of proxies described in this article are more specialized sub-types of the general forward proxy concept.

Open proxies

Fig11. Open proxies

An open proxy forwards requests from and to anywhere on the Internet. An open proxy is a forward proxy server that is accessible by any Internet user. Gordon Lyon estimates there are hundreds of thousands of open proxies on the Internet. An anonymous open proxy allows users to conceal their IP address while browsing the web or using other Internet services.

Reverse proxies

Fig12. Reverse proxies

A reverse proxy takes requests from the Internet and forwards them to servers in an internal network. Those making requests connect to the proxy and may not be aware of the internal network. A reverse proxy is a proxy server that appears to clients to be an ordinary server. Requests are forwarded to one or more origin servers which handle the request. The response is returned as if it came directly from the proxy server. Reverse proxies are installed in the neighborhood of one or more web servers. All traffic coming from the Internet and with a destination of one of the web servers goes through the proxy server. The use of "reverse" originates in its counterpart "forward proxy", since the reverse proxy sits closer to the web server and serves only a restricted set of websites. There are several reasons for installing reverse proxy servers:

Encryption / SSL acceleration: when secure web sites are created, the SSL encryption is often not done by the web server itself, but by a reverse proxy that is equipped with SSL acceleration hardware. See Secure Sockets Layer. Furthermore, a host can provide a single SSL proxy to provide SSL encryption for an arbitrary number of hosts, removing the need for a separate SSL server certificate for each host, with the downside that all hosts behind the SSL proxy have to share a common DNS name or IP address for SSL connections. This problem can partly be overcome by using the SubjectAltName feature of X.509 certificates.

Load balancing: the reverse proxy can distribute the load to several web servers, each web server serving its own application area. In such a case, the reverse proxy may need to rewrite the URLs in each web page (translation from externally known URLs to the internal locations).

Serve/cache static content: a reverse proxy can offload the web servers by caching static content like pictures and other static graphical content.

Compression: the proxy server can optimize and compress the content to speed up the load time.

Spoon feeding: reduces resource usage caused by slow clients on the web servers by caching the content the web server sent and slowly spoon feeding it to the client. This especially benefits dynamically generated pages.

Security: the proxy server is an additional layer of defense and can protect against some OS and web server specific attacks. However, it does not provide any protection from attacks against the web application or service itself, which is generally considered the larger threat.

Extranet publishing: a reverse proxy server facing the Internet can be used to communicate to a firewalled server internal to an organization, providing extranet access to some functions while keeping the servers behind the firewalls.
If used in this way, security measures should be considered to protect the rest of your infrastructure in case this server is compromised, as its web application is exposed to attack from the Internet.

VPN

A virtual private network (VPN) is a computer network that uses a public telecommunication infrastructure such as the Internet to provide remote offices or individual users with secure access to their organization's network. It aims to avoid an expensive system of owned or leased lines that can be used by only one organization. It encapsulates data transfers between two or more networked devices which are not on the same private network so as to keep the transferred data private from other devices on one or more intervening local or wide area networks. There are many different classifications, implementations, and uses for VPNs.

Fig13. VPN

Vulnerabilities

Unauthorized access
This simply means that people who shouldn't use your computer services are able to connect and use them. For example, people outside your company might try to connect to your company accounting machine or to your network file server. There are various ways to avoid this attack by carefully specifying who can gain access through these services. You can prevent network access to all but the intended users.

Exploitation of known weaknesses
Some programs and network services were not originally designed with strong security in mind and are inherently vulnerable to attack. The BSD remote services (rlogin, rexec, etc.) are an example. The best way to protect yourself against this type of attack is to disable any vulnerable services or find alternatives. With Open Source, it is sometimes possible to repair the weaknesses in the software.

Denial of service
Denial of service attacks cause the service or program to cease operation or prevent others from making use of the service or program. These may be performed at the network layer by sending carefully crafted and malicious datagrams that cause network connections to fail. They may also be performed at the application layer, where carefully crafted application commands are given to a program that cause it to become extremely busy or stop functioning. Preventing suspicious network traffic from reaching your hosts and preventing suspicious program commands and requests are the best ways of minimizing the risk of a denial of service attack. It's useful to know the details of the attack method, so you should educate yourself about each new attack as it gets publicized.

Spoofing
This type of attack causes a host or application to mimic the actions of another. Typically the attacker pretends to be an innocent host by forging IP addresses in network packets. For example, a well-documented exploit of the BSD rlogin service can use this method to mimic a TCP connection from another host by guessing TCP sequence numbers. To protect against this type of attack, verify the authenticity of datagrams and commands. Prevent datagram routing with invalid source addresses. Introduce unpredictability into connection control mechanisms, such as TCP sequence numbers and the allocation of dynamic port addresses.

Eavesdropping
This is the simplest type of attack. A host is configured to listen to and capture data not belonging to it. Carefully written eavesdropping programs can take usernames and passwords from user login network connections. Broadcast networks like Ethernet are especially vulnerable to this type of attack.

Here are a few examples of firewalls:
Untangle
Fortiguard
Netnanny
Websense
ClearOS

These firewalls can be affected by the above vulnerabilities. One way a firewall/web filter can be bypassed is by using a VPN. As studied above, we can VPN to some external network and use that network. So we can bypass the firewall by doing VPN to a remote network and using its default gateway. Below are the precise steps on how to set up the VPN server, client, AD and LB configurations.

Complete VPN setup

Below is the step-by-step procedure on how to set up the VPN server and client side.
Note: Windows XP and Windows 7 both have the capability to act as VPN servers.

VPN Server Configuration
Open Network Connections and follow the below:
Click Next on the welcome page.
Select the options highlighted in the snaps below.
Once you have followed the steps above you are done with the server side configuration.

VPN Client Configuration
The snaps below show the client side configuration.
Once the above steps are followed the client side is also set up. The work is still not over.

Port Forward
The port needs to be forwarded from the modem/LB etc. Follow the instructions below to get it rolling.

Dial-in Rights on AD
The final step is to give the user permissions to VPN:
First RDP to the AD.
Login.
Open Active Directory.
Find the user and go into Properties.
Follow the snap below once the above is done.

The best firewall
According to first-hand experience we found Untangle to be the best firewall, as it is free and has a host of functions too. Below is a screenshot of the Untangle dashboard.

Fig14. Untangle dashboard

Conclusion
Our aim was to explain what a firewall is and expose a few vulnerabilities in it. We have studied how a firewall works, its architecture, types of firewalls and vulnerabilities. We have then compared the firewalls on several parameters and have concluded that Untangle is the best firewall with reference to its features and cost.