Lecture 2 part2.pdf
Princess Nourah Bint Abdulrahman University
System Security: Lecture 2 Part2
Security Policies and Plans
Dr Tahani Aljohani

INFORMATION SECURITY POLICY BASICS

Information security policy is the general term referring to any document that conveys an element of the security program in order to enforce organizational security goals and objectives.

Information Security Policy (1)

Information security policies are the highest level of information security policy sets. These policies are approved and issued by the senior management of the organization as their expectations for the overall security program, system controls, and user behavior. Information security policies are mandatory in that all information systems and users are expected to conform to the policy statements.

An example policy statement may read: “The organization shall ensure that all information systems implement authentication with sufficient strength of mechanism for their intended use.”

Information Security Policy (2)

Key characteristics of information security policies include:
- Overarching guidance: They establish the overall direction for the organization's security program.
- Mandated compliance: All systems and users are expected to adhere to the policies.
- Senior management approval: Policies are typically approved by top-level executives.

Four Levels of Information Security Policies

Organizational Level: These policies provide a high-level overview of the organization's commitment to information security and define its overall security goals and objectives. Examples include:
- General security policy
- Data classification policy
- Risk management policy

Security Program Level: These policies outline the specific measures and processes that the organization will implement to achieve its security goals.
Examples include:
- Incident response policy
- Business continuity plan
- Access control policy

User Level: These policies govern the behavior of individuals within the organization and establish rules for using information systems and data. Examples include:
- Acceptable use policy
- Password policy
- Social media policy

System Level: These policies focus on the technical aspects of information security and provide guidelines for managing systems and networks. Examples include:
- Network security policy
- Firewall policy
- Encryption policy

Information security standards

Information security standards are specific rules or guidelines that must be followed to achieve the objectives outlined in information security policies. They provide a more granular level of detail than policies, specifying the exact procedures, technologies, or practices that need to be implemented.

An example standard statement may read: “The organization shall ensure that for password-based authentication, all information systems enforce the following minimum parameter settings: (a) password complexity—8 characters with both numeric and alphabetic characters, (b) password lifetime—60 days maximum, 1 day minimum, (c) password reuse—6 generations.”

Key characteristics of information security standards:
- Detailed requirements: Standards provide specific instructions or specifications.
- Policy-based: They are derived from and support overarching policies. For example, the information security policy document “System Protection Policy” would have a corresponding information security standard document “System Protection Standard.”
- Mandatory compliance: Organizations must adhere to standards to ensure compliance with policies.
Examples of information security standards:
- Password complexity standards: Specify minimum requirements for passwords, such as length, character types, and frequency of changes.
- Data encryption standards: Define the encryption algorithms and key management practices that must be used to protect sensitive data.
- Access control standards: Outline the rules and procedures for granting and revoking access to information systems and data.

Information security Guidelines

- Refinement of policies: Guidelines provide more specific instructions on how to achieve the security goals outlined in policies.
- Non-mandatory: Unlike standards, which are mandatory, guidelines are optional. They suggest ways to improve security but are not strictly required.
- Methods, techniques, and devices: Guidelines offer recommendations for specific tools, strategies, and technologies that can enhance security.
- Approval process: While guidelines can be formally approved by senior management, they often don't require the same level of approval as policies or standards.
- Subject matter experts: Sometimes, security professionals can create and share guidelines without formal approval.

Cloud Security Guidelines
- Data privacy: Suggest best practices for protecting sensitive data stored in the cloud.
- Access control: Recommend measures for controlling access to cloud resources.
- Data backup and recovery: Suggest guidelines for backing up and recovering data stored in the cloud.

Mobile Device Security Guidelines
- Device management: Recommend using mobile device management (MDM) tools to enforce security policies.
- Data encryption: Suggest encrypting sensitive data on mobile devices.
- App store security: Recommend guidelines for selecting and using secure mobile apps.
Information security Baselines

Information security baselines (also called benchmarks) are mandatory minimum-security controls for a selected area or application. They are also a refinement of security requirements in the information security policies, but they are used for devices, applications, or other areas where a number of settings, parameters, and activities are related to the effectiveness of a security control.

An example guideline statement may read: when deploying a browser within the production environment, organizations shall implement the associated United States Government Configuration Baseline (USGCB) for the browser. The USGCB is a configuration baseline for various operating information systems and applications and covers security settings and parameters for the specific application.

- Settings and parameters: Baselines often involve numerous specific configurations to address known vulnerabilities.
- Vulnerability updates: Baselines need to be regularly updated as new vulnerabilities are discovered.
- Organizational resources: Many organizations lack the resources to maintain up-to-date baselines.
- External organizations: Organizations often rely on external sources like NIST, CIS, and security product vendors for baseline creation and maintenance.

In summary, information security baselines are a set of specific security requirements that are designed to address known vulnerabilities in applications or systems. They are often complex, requiring extensive knowledge and resources to maintain. Many organizations rely on external experts to create and update baselines to ensure that their security measures are effective and up-to-date.

Information security Procedures

Information security procedures are step-by-step instructions for the implementation of security controls or processes dictated in the information security policies, standards, guidelines, or baselines.
They are also a refinement of security requirements in the information security policies, but they provide the “how” and the “who.” For example, an information security procedure in support of an account management/account initialization policy or standard would provide detailed instructions and screenshots for how an account would be created, assigned rights, and communicated to the user.

Examples of procedures:
- Incident response procedures: Outline the steps to be taken in the event of a security incident.
- Password management procedures: Specify the rules and procedures for creating, storing, and changing passwords.
- Access control procedures: Define the processes for granting and revoking access to information systems and data.

The Importance of Documenting Procedures

Documenting procedures is crucial for several reasons:
- Clarity and Consistency: Documentation provides a clear and consistent approach to tasks, ensuring that everyone involved understands their roles and responsibilities.
- Efficiency: Well-documented procedures can streamline processes, reducing errors and improving efficiency.
- Compliance: Documentation helps organizations demonstrate compliance with regulations and industry standards.
- Knowledge Transfer: Procedures serve as a valuable resource for training new employees or for reference during audits.
- Collaboration: Documentation facilitates collaboration among different departments and roles involved in a process.

Examples of Information Security Policy Types Using a File System (Policies)

- General Security Policy: States that all files on the file system must be encrypted at rest and in transit.
- Access Control Policy: Defines the roles and permissions for accessing files on the file system. For example, administrators may have full access, while regular users may only have read-only access.
- Data Classification Policy: Specifies different levels of sensitivity for files (e.g., confidential, internal, public) and determines who can access each level.

Examples of Information Security Policy Types Using a File System (Standards)

- Password Complexity Standard: Requires passwords for file system access to be at least 12 characters long, containing a combination of uppercase and lowercase letters, numbers, and symbols.
- Data Retention Standard: Defines the retention periods for different types of files on the file system. For example, financial records may need to be retained for seven years.

Examples of Information Security Policy Types Using a File System (Procedures)

- Incident Response Procedure: Outlines the steps to be taken if a file system is compromised, such as isolating the affected system, notifying relevant parties, and restoring data.
- Backup and Recovery Procedure: Specifies the frequency and method for backing up files on the file system, as well as the process for recovering data in case of a loss.

Examples of Information Security Policy Types Using a File System (Baselines)

- File System Configuration Baseline: Defines the minimum security settings for the file system, such as disabling guest accounts, enabling auditing, and setting appropriate permissions.
- Antivirus Baseline: Specifies the minimum antivirus software requirements for the file system, including signature updates and scanning frequency.

Examples of Information Security Policy Types Using a File System (Guidelines)

- Best Practices for File Sharing: Recommends using secure protocols (e.g., FTPS, SFTP) for sharing files over a network.
- Data Encryption Guidelines: Suggests using strong encryption algorithms and appropriate key management practices.

Exercise

Write information security policies for a cloud application.
Information Security Plans: An Overview

Security Plans: physical security, firewalls, data encryption, backups, Access Control Lists (ACL), detecting security issues.

Firewalls

A firewall can monitor network traffic at a number of levels, from low-level network packets, either individually or as part of a flow, to all traffic within a transport connection, up to inspecting details of application protocols. The choice of which level is appropriate is determined by the desired firewall access policy.

It can operate as a positive filter, allowing only packets that meet specific criteria to pass, or as a negative filter, rejecting any packet that meets certain criteria. The criteria implement the access policy for the firewall. Depending on the type of firewall, it may examine one or more protocol headers in each packet, the payload of each packet, or the pattern generated by a sequence of packets.

Packet Filtering Firewall

A packet filtering firewall applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet. The firewall is typically configured to filter packets going in both directions (from and to the internal network). Filtering rules are based on information contained in a network packet:
- Source IP address: The IP address of the system that originated the IP packet (e.g., 192.178.1.1).
- Destination IP address: The IP address of the system the IP packet is trying to reach (e.g., 192.168.1.2).
- Source and destination transport-level address: The transport-level (e.g., TCP or UDP) port number, which defines applications such as SNMP or TELNET.
- IP protocol field: Defines the transport protocol.
- Interface: For a firewall with three or more ports, which interface of the firewall the packet came from or which interface of the firewall the packet is destined for.
The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header. If there is a match to one of the rules, that rule is invoked to determine whether to forward or discard the packet. If there is no match to any rule, then a default action is taken. Two default policies are possible:
- Default = discard.
- Default = forward.

The default discard policy is more conservative. Initially, everything is blocked, and services must be added on a case-by-case basis. This is the policy likely to be preferred by businesses and government organizations. The default forward policy increases ease of use for end users but provides reduced security. This policy may be used by generally more open organizations, such as universities.

Table 9.1 is a simplified example of a rule set for SMTP traffic. The goal is to allow inbound and outbound email traffic but to block all other traffic. The intent of each rule is:
1. Inbound mail from an external source is allowed (port 25 is for SMTP incoming).
2. This rule is intended to allow a response to an inbound SMTP connection.
3. Outbound mail to an external source is allowed.
4. This rule is intended to allow a response to an inbound SMTP connection.
5. This is an explicit statement of the default policy. All rule sets include this rule implicitly as the last rule.

There are several problems with this rule set.
Rule 4 allows external traffic to any destination port above 1023. As an example of an exploit of this rule, an external attacker can open a connection from the attacker’s port 5150 to an internal Web proxy server on port 8080. This is supposed to be forbidden and could allow an attack on the server. To counter this attack, the firewall rule set can be configured with a source port field for each row. For rules 2 and 4, the source port is set to 25; for rules 1 and 3, the source port is set to >1023.

Real-World Firewall Scenario: Protecting a Small Business Network

Scenario: A small business, "Tech Solutions," has a network consisting of several computers, servers, and a printer. They have a public-facing website and allow remote access for employees.

Security Concerns:
- Malware and Viruses: The internet is full of malicious software that could compromise the network.
- Unauthorized Access: Hackers could attempt to gain access to the network and steal sensitive data.
- Denial of Service (DoS) Attacks: Malicious actors could flood the network with traffic, making it inaccessible.

Firewall Solution: To mitigate these risks, Tech Solutions deploys a firewall at the network's gateway. The firewall is configured with the following rules:
- HTTP and HTTPS traffic to the web server on ports 80 and 443.
- Remote desktop protocol (RDP) traffic to specific servers on port 3389 for authorized employees.
- All other traffic from the internet.
- All traffic from the internal network to the internet.

Advantages and Disadvantages of Packet filter firewall

One advantage of a packet filtering firewall is its simplicity. Also, packet filters typically are transparent to users and are very fast.

Because packet filter firewalls do not examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities or functions.
Because of the limited information available to the firewall, the logging functionality present in packet filter firewalls is limited. Packet filter logs normally contain the same information used to make access control decisions (source address, destination address, and traffic type).

Packet filter firewalls are generally vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack, such as network layer address spoofing.

Due to the small number of variables used in access control decisions, packet filter firewalls are susceptible to security breaches caused by improper configurations. In other words, it is easy to accidentally configure a packet filter firewall to allow traffic types, sources, and destinations that should be denied based on an organization’s information security policy.

Some of the attacks that can be made on packet filtering firewalls and the appropriate countermeasures are the following:
- IP address spoofing.
- Source routing attacks.
- Tiny fragment attacks.

▎Advantages and disadvantages of packet filtering firewalls

▎Advantages:
1. Simplicity:
- Packet filtering firewalls are easy to understand and configure, which makes them a common choice for many organizations.
2. Transparency and speed:
- The firewalls operate transparently to users and do not significantly affect network performance. They process packets quickly without needing to inspect upper-layer data.
3. Simple logs:
- Packet filter logs usually contain useful information such as the source address, the destination address, and the traffic type, which helps in making access control decisions.

▎Disadvantages:
1. No inspection of upper-layer data:
- The firewalls do not inspect upper-layer data (such as the application layer), which leaves them unable to prevent attacks that exploit application-specific vulnerabilities.
2. Incorrect configuration:
- It is easy to configure the firewall incorrectly, which may allow unwanted traffic or sources and destinations that should be blocked according to the information security policy.
3. Vulnerable to attacks:
- Packet filtering firewalls are vulnerable to attacks that exploit problems in the TCP/IP protocol specification, such as network address spoofing (IP spoofing).
4. Limited information:
- Because few variables are used in access control decisions, the information available to the firewall is limited, which affects the effectiveness of the logging function.
5. Vulnerable to security breaches:
- Incorrect configurations can lead to security holes, since the small number of variables makes it easy to exploit mistakes.

▎Possible attacks against packet filtering firewalls:
1. IP address spoofing:
- The attacker can change their IP address so that it appears to be one of the trusted devices on the network.
2. Source routing attacks:
- The attacker can use incorrect routing techniques to bypass the firewall.
3. Tiny fragment attacks:
- These involve sending very small packets to bypass packet inspection mechanisms.

▎Countermeasures:
- Update configurations regularly: make sure the firewall settings are in line with the security policy.
- Use other types of firewalls: such as stateful firewalls, which inspect the connection state.
- Enable detailed logs: to analyze traffic and detect suspicious activity.

▎Summary:
Packet filtering firewalls offer many advantages in terms of simplicity and speed, but they come with a set of disadvantages that must be taken into account when designing a network security architecture.

Stateful Inspection Firewalls

Traditional packet filters make decisions based on individual packets, lacking context about the overall communication. Many applications, like SMTP, follow a client-server model. SMTP uses a TCP connection between a client and server. The server port is typically 25, while the client port is randomly assigned. Packet filters can't analyze the entire conversation between a client and server. They might miss attacks that exploit application-specific vulnerabilities.
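The SMTP rule set from the packet filtering slides, evaluated packet by packet, first without and then with the source port field the lecture proposes. This is an added example, not code from the lecture: Table 9.1 is not reproduced on the page, so the rule columns are reconstructed from the stated intent of each rule, and the internal range, the addresses and every name in the code are constructed assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.1.0/24")  # assumed internal range (constructed)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    number: int
    direction: str   # "in", "out" or "either"
    proto: str       # "tcp" or "any"
    sport: str       # "any", "25" or ">1023"
    dport: str
    action: str      # "permit" or "deny"

def port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)

def direction_of(pkt: Packet) -> str:
    """'in' when an external host talks to an internal one, 'out' for the reverse."""
    src_internal = ip_address(pkt.src) in INTERNAL
    dst_internal = ip_address(pkt.dst) in INTERNAL
    if dst_internal and not src_internal:
        return "in"
    if src_internal and not dst_internal:
        return "out"
    return "other"

def evaluate(rules, pkt):
    """Walk the list top to bottom; the first matching rule decides."""
    direction = direction_of(pkt)
    for rule in rules:
        if rule.direction not in ("either", direction):
            continue
        if rule.proto not in ("any", pkt.proto):
            continue
        if port_matches(rule.sport, pkt.sport) and port_matches(rule.dport, pkt.dport):
            return rule.number, rule.action
    return None, "deny"  # default = discard when nothing matches

# Rule set as the slides describe it: no source port column yet.
ORIGINAL = [
    Rule(1, "in", "tcp", "any", "25", "permit"),      # inbound mail
    Rule(2, "out", "tcp", "any", ">1023", "permit"),  # replies leaving the mail server
    Rule(3, "out", "tcp", "any", "25", "permit"),     # outbound mail
    Rule(4, "in", "tcp", "any", ">1023", "permit"),   # inbound to any port above 1023
    Rule(5, "either", "any", "any", "any", "deny"),   # explicit default
]

def add_source_ports(rules):
    """The countermeasure: source port 25 on rules 2 and 4, >1023 on rules 1 and 3."""
    wanted = {1: ">1023", 2: "25", 3: ">1023", 4: "25"}
    return [replace(r, sport=wanted.get(r.number, r.sport)) for r in rules]

HARDENED = add_source_ports(ORIGINAL)

# Constructed sample packets (documentation address ranges).
PROXY_PROBE = Packet("203.0.113.7", "192.168.1.20", "tcp", 5150, 8080)
INBOUND_MAIL = Packet("203.0.113.7", "192.168.1.2", "tcp", 40000, 25)
OUTBOUND_MAIL = Packet("192.168.1.2", "203.0.113.25", "tcp", 40001, 25)
MAIL_REPLY = Packet("203.0.113.25", "192.168.1.2", "tcp", 25, 40001)

if __name__ == "__main__":
    samples = [("probe to proxy", PROXY_PROBE), ("inbound mail", INBOUND_MAIL),
               ("outbound mail", OUTBOUND_MAIL), ("reply to outbound mail", MAIL_REPLY)]
    for name, pkt in samples:
        print(f"{name:24} original={evaluate(ORIGINAL, pkt)} "
              f"hardened={evaluate(HARDENED, pkt)}")
```

The connection from port 5150 to the proxy on 8080 is permitted by rule 4 in the original set and falls through to the default deny once the source port column is added, while the mail flows keep matching the same rules.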
When a device within the network initiates a TCP connection (e.g., a web browser requesting a webpage), the firewall records the connection details (source IP, destination IP, source port, destination port). The firewall creates an entry in its directory for this outbound connection. Now, when any incoming TCP packet arrives at a high-numbered port, the firewall checks its directory.

If the packet matches an existing entry (e.g., the source IP and port match an established outbound connection), it is allowed. If there's no matching entry, the incoming packet is likely considered unauthorized and is blocked.

Stateful vs. Packet Filtering: Stateful packet inspection firewalls go beyond packet filtering by tracking TCP connection information.

Additional Information: They record details like TCP sequence numbers to prevent attacks like session hijacking.

Application-Level Inspection: Some stateful firewalls examine limited application data for protocols like FTP, IM, and SIPS to identify related connections.

▎Stateful Inspection Firewalls

▎Traditional packet inspection:
- Individual decisions: Traditional firewalls analyze each packet separately, which means they do not take into account the overall context of the communication between devices.
- Client-server model: Many applications, such as SMTP (Simple Mail Transfer Protocol), rely on the client-server model. In this model, the client sends requests to the server over a TCP connection.
- Port numbers: SMTP usually uses port 25 for the server, while a random port is assigned to the client.

▎Limitations:
- Inability to analyze the whole conversation: Traditional firewalls cannot analyze the complete conversation between the client and the server, which makes them liable to miss attacks that exploit particular vulnerabilities in applications.
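The connection directory described in the stateful inspection slides, as an added example that is not code from the lecture. The internal range, the idle timeout, the handling of RST, the rule that low ports stay under a static filter with only port 25 open, and all names are assumptions made for illustration; the sample segments are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.1.0/24")  # assumed internal range (constructed)
IDLE_TIMEOUT = 300                        # seconds before an entry expires (assumption)

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "A"   # TCP flags as letters: S=SYN, A=ACK, R=RST

def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL

class StatefulFilter:
    def __init__(self):
        # (internal ip, internal port, external ip, external port) -> last time seen
        self.directory = {}

    def check(self, seg: Segment, now: float) -> str:
        """Return 'permit' or 'deny' for one TCP segment observed at time `now`."""
        if is_internal(seg.src) and not is_internal(seg.dst):
            return self._outbound(seg, now)
        if is_internal(seg.dst) and not is_internal(seg.src):
            return self._inbound(seg, now)
        return "deny"

    def _outbound(self, seg, now):
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.flags == "S" or key in self.directory:
            self.directory[key] = now       # record or refresh the connection
        if "R" in seg.flags:
            self.directory.pop(key, None)   # a reset closes the connection
        return "permit"                     # outbound traffic is allowed

    def _inbound(self, seg, now):
        if seg.dport <= 1023:
            # Low ports stay under the static rules; only inbound SMTP is open here.
            return "permit" if seg.dport == 25 else "deny"
        key = (seg.dst, seg.dport, seg.src, seg.sport)
        last_seen = self.directory.get(key)
        if last_seen is None:
            return "deny"                   # no outbound connection to match
        if now - last_seen > IDLE_TIMEOUT:
            del self.directory[key]         # a stale entry no longer authorises replies
            return "deny"
        if "R" in seg.flags:
            del self.directory[key]
        else:
            self.directory[key] = now
        return "permit"

def run_sample():
    """Replay a constructed sequence of segments and collect the verdicts."""
    fw = StatefulFilter()
    client, server = "192.168.1.10", "203.0.113.25"
    trace = [
        (0, Segment(client, 40001, server, 25, "S")),    # client opens SMTP
        (1, Segment(server, 25, client, 40001, "SA")),   # reply matches the entry
        (2, Segment("203.0.113.7", 5150, "192.168.1.20", 8080, "S")),  # no entry
        (3, Segment(server, 25, client, 40002, "A")),    # port never used by client
        (400, Segment(server, 25, client, 40001, "A")),  # entry has expired
    ]
    return [fw.check(seg, t) for t, seg in trace]

if __name__ == "__main__":
    print(run_sample())
```

Only the segment that mirrors the recorded 4-tuple within the timeout is let in on a high port; everything else arriving there is dropped regardless of its source port.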
▎Stateful inspection firewalls:
- Recording connection details: When a device inside the network initiates a TCP connection (such as a web browser requesting a web page), the firewall records the connection details, such as:
  - Source IP address
  - Destination IP address
  - Source port
  - Destination port
- Creating a directory entry: An entry for this outbound connection is created in the firewall's directory.

▎How it works:
1. Checking incoming packets: When an incoming TCP packet arrives at a high-numbered port, the firewall checks the directory.
2. Matching against existing entries: If the packet matches an existing entry (such as the IP address and port matching an established outbound connection), it is allowed in.
3. Rejecting when there is no match: If there is no match, the packet is considered unauthorized and is blocked.

▎Differences between stateful inspection and traditional inspection:
- Tracking information: Stateful inspection firewalls go beyond traditional inspection by tracking TCP connection information, which gives them the ability to understand the full context of the communication.

▎Additional information:
- Additional details: These firewalls record details such as TCP sequence numbers to prevent attacks such as session hijacking.
- Application-level inspection: Some stateful inspection firewalls examine limited application data for protocols such as FTP, IM and SIPS to identify related connections.

▎Summary:
Stateful inspection firewalls provide a higher level of security than traditional packet inspection, since they track connections and record the details needed to better protect the network from potential attacks.

Application-Level Gateway

An application-level gateway, or application proxy, acts as a middleman between a user's device and a remote application. It intercepts and relays application-level traffic, providing additional security and functionality. The gateway acts as a go-between for applications like Telnet or FTP. It receives traffic from the user, processes it, and forwards it to the intended destination.

Imagine a company using an application-level gateway to control access to its email server.
The gateway might require users to authenticate using a corporate username and password. It could also be configured to block attachments of certain file types (e.g., executable files) to prevent malware from entering the network.

- User Connects: The user initiates a connection to the gateway using a TCP/IP application (e.g., Telnet, FTP).
- Authentication: The gateway prompts the user for authentication credentials (e.g., username, password).
- Authentication Verification: The gateway verifies the credentials against a centralized authentication server or database.
- Connection Establishment: If the credentials are valid, the gateway establishes a connection to the remote application.
- Traffic Relay: The gateway acts as a proxy, forwarding TCP segments containing application data between the user and the remote application.

Filtering and Control: The gateway can apply various security measures, such as:
- Filtering: Blocking specific types of traffic or content.
- Encryption: Encrypting data to protect it from eavesdropping.
- Rate Limiting: Limiting the rate of data transfer to prevent DoS attacks.

Reference

“Computer Security: Principles and Practice”, 1/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention Systems”.