MINI PROJECT REPORT - 2006
Submitted by:
AMRITA SHANKAR
ANJU P ALIAS
SATHU G RAJAN
VIDYA RADHAKRISHNAN
We present the design and implementation of the FIREWALL, which features high scalability, a variety of scanning methods, easy deployment and extension, distribution of intelligence and compatibility with existing network management systems. It implements a distributed architecture that consists of entities at various levels, such as sensors, collectors and analyzers. Collectors gather the audit data and analyzers inspect them for intrusive behavior. Collectors are composed of a controller and a number of sensors. The sensors are lightweight processes that perform the actual data collection. The gathered data is stored in a data repository and is transmitted to the analyzers through the SNMP protocol. The IDS MIB contains the audit data as well as the sensors' configuration information. The CPU load is divided among the nodes of the system and audit information is aggregated as it moves from lower-level entities to higher-level ones. The controller itself performs a preliminary analysis of the data, based on elementary rules specified in the MIB. The analyzers consist of a communications module, a data repository, a rule base, a network topology base, an inference engine and a visualization module. The system can currently detect UDP or TCP packet flooding, TCP and UDP port scanning, attempts to retrieve various system files containing sensitive information, unauthorized zone transfers,
2. REQUIREMENT ANALYSIS
2.1. LANGUAGE REQUIREMENTS
2.2. FEATURES OF VB.NET
2.3.1. HARDWARE SPECIFICATION
2.3.2. SOFTWARE SPECIFICATION
4.1. PACKET MONITORING FORM
4.2. PACKET SNIFFING FORM
CONCLUSION
BIBLIOGRAPHY AND WEBLIOGRAPHY
SREE NARAYANA GURUKULAM COLLEGE OF ENGINEERING, KADAYIRUPPU
The project "Firewall" can be used as a server-side or client-side application; in this context it is used by the system administrator for surveying the systems on the network that are presently connected and vulnerable to attack.
Firewall is a software application that watches the traffic between the server and host machine and examines it against patterns of suspicious activity. Typical port scanner software requires a separate installation and a highly specific, dedicated system to watch packets traveling across a single network segment. Such a system only monitors the network segment it is installed on.
All firewall systems which were tested were found to be susceptible to packet spoofing, which tricks the server into thinking packets have come from a trusted host, or into using its intrusion-detection countermeasures to cut connectivity to legitimate sites.
Detection is done mainly by sending packets (requests) and collecting responses from client machines about the packets, thereby getting a detailed report about the port to which the packet was sent across the network. When one machine sends its request, the request is encapsulated in an 'IP packet'. The 'IP packet' consists of two parts, i.e. a header and a data part. The header part consists of all information about the data, i.e. the 'Source IP Address' and 'Destination IP Address', the send time and checksums. This can be used for analyzing data integrity.
The 'TCP/IP Protocol Suite' is responsible for converting low-level network frames into packets and segments. TCP is an independent, general-purpose protocol. Since TCP makes very few assumptions about the underlying network, it is possible to use it over a single network such as an Ethernet as well as over a complex internet. It is a communication protocol. A connection consists of a virtual circuit between two application programs. TCP defines an end point to be a pair of integers (host, port).
It defines various protocols; they are TCP, UDP, ICMP and IGMP.
TCP
TCP is a connection-oriented reliable protocol. When sniffing the details of a packet based on the 'TCP' protocol, the application lists the following details of the packet:
Source IP, Destination IP, Source Port, Destination Port, Sequence, Acknowledgement
UDP
UDP is a connectionless unreliable protocol. When sniffing the details of a packet based on the 'UDP' protocol, the application lists the following details of the packet:
Source IP, Destination IP, Source Port, Destination Port, Length
ICMP
When sniffing the details of a packet based on the 'ICMP' protocol, the application lists the following details of the packet:
Source IP, Destination IP, Source Port, Destination Port
IGMP
When sniffing the details of a packet based on the 'IGMP' protocol, the application lists the following details of the packet:
Source IP, Destination IP, Source Port, Destination Port
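To show what the fields listed above look like inside a real packet, here is an added example (not code from the original project, which is written in VB.NET) that decodes constructed IPv4/TCP/UDP/ICMP packets with Python's struct module and recomputes the header checksum mentioned in the introduction as the integrity check; the helper names and sample addresses are assumptions.

```python
import struct
import socket
from typing import Any, Dict

# Protocol numbers from the IPv4 header; names are those the report's sniffer uses.
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the IPv4 header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_packet(raw: bytes) -> Dict[str, Any]:
    """Decode the IPv4 header and the transport fields the sniffer lists per protocol."""
    (ver_ihl, _tos, total_len, _ident, _flags, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "src_ip": socket.inet_ntoa(src),
        "dst_ip": socket.inet_ntoa(dst),
        "ttl": ttl,
        "length": total_len,
        # Recomputing the checksum over an intact header yields 0: the integrity check.
        "header_ok": ipv4_checksum(raw[:ihl]) == 0,
    }
    payload = raw[ihl:total_len]
    if proto == 6:     # TCP: ports plus sequence and acknowledgement numbers
        sport, dport, seq, ack = struct.unpack("!HHII", payload[:12])
        info.update(src_port=sport, dst_port=dport, seq=seq, ack=ack)
    elif proto == 17:  # UDP: ports plus the UDP length field
        sport, dport, ulen = struct.unpack("!HHH", payload[:6])
        info.update(src_port=sport, dst_port=dport, udp_length=ulen)
    elif proto == 1:   # ICMP carries no ports; type and code identify the message
        icmp_type, icmp_code = struct.unpack("!BB", payload[:2])
        info.update(icmp_type=icmp_type, icmp_code=icmp_code)
    return info

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Assemble a constructed IPv4 packet with a valid header checksum (test data only)."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

# Constructed samples: a TCP segment to FTP (port 21), a UDP datagram to DNS, an ICMP echo.
TCP_SAMPLE = build_ipv4("192.168.1.10", "192.168.1.1", 6,
                        struct.pack("!HHIIBBHHH", 40000, 21, 1000, 0, 0x50, 0x02, 65535, 0, 0))
UDP_SAMPLE = build_ipv4("10.0.0.5", "10.0.0.1", 17, struct.pack("!HHHH", 5353, 53, 8, 0))
ICMP_SAMPLE = build_ipv4("10.0.0.5", "10.0.0.1", 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1))

if __name__ == "__main__":
    for pkt in (TCP_SAMPLE, UDP_SAMPLE, ICMP_SAMPLE):
        print(parse_packet(pkt))
```

Flipping any header byte (for example the TTL at offset 8) makes header_ok false, which is how a corrupted header is caught.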
Firewall policies must be realistic and reflect the level of security in the entire network. For a firewall to work, it must be a part of a consistent overall organizational security architecture. A firewall cannot replace security-consciousness on the part of your users.
A firewall is software/hardware which functions in a networked environment to prevent unauthorized access. Its goal is to provide controlled connectivity between the Internet and the internal network. This is achieved by enforcing a security policy. The essence of a firewall is that it implements an access control policy. A firewall is a system or group of systems that enforces an access control policy between two or more networks.
TYPES OF FIREWALLS
There are three basic types of firewalls depending on:
-> Whether the communication is being done between a single node and the network, or between two or more networks.
-> Whether the communication is intercepted at the network layer, or at the application layer.
-> Whether the communication state is being tracked at the firewall or not.
-> NETWORKING FIREWALLS - normally running on a dedicated network device or computer positioned on the boundary of two or more networks or DMZs (demilitarized zones). Such a firewall filters all traffic entering or leaving the connected networks.
-> PERSONAL FIREWALLS - a software application which normally filters traffic entering or leaving a single computer.
NETWORK LAYER FIREWALLS
Network layer firewalls operate at a (relatively) low level of the TCP/IP protocol stack as IP packet filters. They do not allow packets to pass through the firewall unless they match the rules. The firewall administrator may define the rules. In some inflexible firewall systems, default built-in rules are applied. Another way is to allow any packet to pass the filter as long as it does not match one or more "negative rules" or "deny rules". Today network firewalls are built into most computer operating systems and network appliances.
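An added example, not part of the original report, of the two rule styles described above: a small first-match packet filter that runs either with a default-deny policy (packets pass only when an allow rule matches) or with a default-allow policy and explicit deny rules; the Rule fields, addresses and ports are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Rule:
    """One filter rule; a None field matches anything (field names are assumptions)."""
    action: str                        # "allow" or "deny"
    proto: Optional[str] = None        # "TCP", "UDP", "ICMP", ...
    src: Optional[str] = None          # CIDR network the source must lie in
    dst: Optional[str] = None          # CIDR network the destination must lie in
    dst_ports: Optional[range] = None  # destination port range

    def matches(self, pkt: Dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.src is not None and \
                ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and \
                ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.dst_ports is not None and pkt.get("dst_port") not in self.dst_ports:
            return False
        return True

def filter_packet(rules: List[Rule], pkt: Dict, default: str) -> str:
    """First matching rule decides; otherwise the default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Style 1: nothing passes unless a rule allows it (default deny).
ALLOW_LIST = [
    Rule("allow", proto="TCP", dst="192.168.1.0/24", dst_ports=range(80, 81)),
    Rule("allow", proto="TCP", dst="192.168.1.0/24", dst_ports=range(443, 444)),
]

# Style 2: everything passes unless a "negative rule" denies it (default allow).
DENY_LIST = [
    Rule("deny", proto="TCP", dst_ports=range(23, 24)),  # block telnet
    Rule("deny", proto="ICMP"),                          # block all ICMP
]

# Constructed sample packets (not captured traffic).
HTTP = {"proto": "TCP", "src": "203.0.113.7", "dst": "192.168.1.10", "dst_port": 80}
TELNET = {"proto": "TCP", "src": "203.0.113.7", "dst": "192.168.1.10", "dst_port": 23}
PING = {"proto": "ICMP", "src": "203.0.113.7", "dst": "192.168.1.10"}
DNS = {"proto": "UDP", "src": "203.0.113.7", "dst": "192.168.1.10", "dst_port": 53}

if __name__ == "__main__":
    for name, pkt in (("HTTP", HTTP), ("TELNET", TELNET), ("PING", PING), ("DNS", DNS)):
        print(name, "default-deny:", filter_packet(ALLOW_LIST, pkt, "deny"),
              "default-allow:", filter_packet(DENY_LIST, pkt, "allow"))
```

Note how the DNS packet is dropped under the allow-list but passes under the deny-list: the default policy, not the rules alone, decides what happens to traffic nobody thought about.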
APPLICATION LAYER FIREWALLS
Application-layer firewalls work on the application level of the TCP/IP stack. They may intercept all packets traveling to or from an application. They block other packets, usually dropping them without acknowledgement to the sender. In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.
For a packet of information to be received by a computer across the Internet, the packet must include a port number. This identifies the network service required to receive the packet. For example, if a computer is running an FTP network application, it can receive packets containing the FTP port number. If no FTP network application is running, the computer cannot receive FTP packets.
All network applications are assigned a port number. FTP uses port 21, TELNET uses port 23 and so on. There are a total of 64000 ports. A computer receiving a packet must determine which application uses the port number or service. If there is a network service running that can receive the packet, the computer can receive information on that port. A common first step to gaining access to a computer is to run a port scanning program against the computer. The port scanner attempts to communicate with the computer through each communications port and reports back the ports that receive information. Knowing which ports receive information lets an intruder know which network service can be used to access the computer.
Considering the nature and complexity of the project, it must be implemented in a language that has the following characteristics:
1. Automatic memory management - The CLR provides the garbage collection feature for managing the lifetime of an object.
2. Standard Type System - The CLR provides a formal specification called the common type system (CTS). The CTS is an important part of the support provided by the CLR for cross-language integration because it provides a type system that is common across all languages.
3. Language Interoperability - Language interoperability is the ability of an application to use code written in different programming languages. It helps maximize code reuse.
4. Platform Independence - When you compile a program developed in a language that targets the CLR, the compiler translates the code into an intermediate language.
5. Security Management - The traditional operating system security model provides permissions to access resources, memory and data based on user accounts. This approach is useful in the context of applications that are installed from physical media such as a CD-ROM.
6. Type Safety - This feature ensures that objects are always accessed in compatible ways. Therefore the CLR will prohibit code from assigning a 10-byte value to an object that occupies 8 bytes.
1. VB.NET is a powerful, robust object-oriented language and comes bundled with a rich set of namespaces in the .NET Framework from Microsoft.
2. Inheritance - It is possible to create a base class in any language and inherit its properties in a derived class created using another language. This feature provides the advantage of code reusability across languages.
3. Overloading - It allows multiple implementations of a method.
4. Overriding - It provides a new implementation of an inherited member in a derived class.
5. Structured Exception Handling - It supports exception handling that consists of protected blocks of code and filters for possible exceptions that can be raised by the program.
6. Multithreading - It provides full support for creating multithreaded applications.
With VISUAL BASIC .NET and the new auto-download deployment, Windows-based applications can be installed and executed simply by pointing a Web browser to a
More Robust Code
VISUAL BASIC .NET delivers the feature most requested by existing Visual Basic developers: fewer bugs in the code they write. Features in the new Visual Studio .NET IDE, such as the real-time background compiler and the task list, keep Visual Basic developers up to date on any coding errors as they occur, enabling quick and effective error resolution. Enhancements to the Visual Basic language, such as strict type checking and structured exception handling, enable developers to write code that is more robust, maintainable, and less prone to run-time errors.
Powerful Windows-based Applications
Visual Basic .NET is the most productive tool for constructing powerful Microsoft Windows - based applications.
Complete, Direct Access to the Platform
VISUAL BASIC .NET provides complete, direct access to the Microsoft .NET Framework, enabling Visual Basic developers to quickly access the registry, event log, performance counters, and file system.
Simplified Component Creation
VISUAL BASIC .NET brings RAD to component development. Developers can use non-visual toolbox and Server Explorer components to easily incorporate resources and performance counters into their applications without writing a single line of code.
Enhanced Control Creation
VISUAL BASIC .NET provides unprecedented flexibility in building customized user controls. Developers can easily extend pre-existing user controls and Windows Forms controls, as well as design their own controls that generate custom user interfaces.
Integrated Reporting with Crystal Reports
Upgrading to Visual Studio .NET Professional Edition provides Visual Basic developers with the power of Crystal Reports directly within the IDE. Crystal Reports delivers the most productive, integrated, and RAD experience for creating highly graphical and interactive relational data reports. These reports can be generated for the entire array of VISUAL BASIC .NET application types, including Windows, Web and mobile applications.
Easy Web-based Application Development
VISUAL BASIC .NET delivers "Visual Basic for the Web". Using new Web Forms, we can easily build true thin-client Web-based applications that intelligently render on any browser and on any platform. Web Forms deliver the RAD programming experience of Visual Basic 6.0 forms with the full power of VISUAL BASIC .NET rather than limited scripting capacity.
Requirements vary for different combinations of components within Visual Studio .NET 2003. Review the table below to determine the minimum system requirements for running Visual Studio .NET 2003.
Processor : Pentium 4
RAM : 256 GB
Hard disk : 10 GB or above
Development tools : Microsoft Visual Studio 2003
Operating system : Windows 2000, Windows XP
System design deals with the user-interactive part of the Firewall. The Firewall project consists of 3 phases. They are:
1. Packet monitoring
2. Alerting
3. Packet sniffing
The packet monitoring phase deals with checking the data coming from one computer to another computer. Data transfer takes place in the form of small packets. These packets are captured and monitored in this phase.
The alerting phase consists of checking all the packets coming from other computers for intruders; if any intruder is detected, an alert message is flashed to the user.
Packet sniffing deals with revealing the properties of a packet if the user wants to see them. These phases are displayed in two forms:
1. Packet monitoring form
2. Packet sniffing form
Packet: in computer communications, the basic unit of data carried over a network such as the Internet. A message to be transferred over the network is broken up into small units, or packets, by the sending computer. The packets, which travel independently of one another, are tagged with the sender's address, the destination address, and other pertinent information, including data about any errors introduced during the transfer. When the packets arrive at the receiving computer, they are reassembled.
Transfer through the Internet
All information is transmitted across the Internet in small units of data called packets. Software on the sending computer divides a large document into packets for transmission; software on the receiving computer regroups the packets into the original document. Similar to a postcard, each packet has two parts: a packet header specifying the computer to which the packet should be delivered, and a packet payload containing the data being sent. The header also specifies how the data in the packet should be combined with data in other packets by recording which piece of a document is in the packet.
A series of rules known as computer communication protocols specify how packet headers are formed and how packets are processed. The set of protocols used for the Internet is named TCP/IP after the two most important protocols in the set: the Transmission Control Protocol and the Internet Protocol. Hardware devices that connect networks in the Internet are called IP routers because they follow the IP protocol when forwarding packets. A router examines the header in each packet that arrives to determine the packet's destination. The router either delivers the packet to the destination computer across a local network or forwards the packet to another router that is closer to the final destination. Thus, a packet travels from router to router as it passes through the Internet.
TCP/IP protocols enable the Internet to automatically detect and correct transmission problems. For example, if any network or device fails, the protocols detect the failure and automatically find an alternative path for packets to avoid the malfunction. Protocol software also ensures that data arrives complete and intact. If any packets are lost or damaged, protocol software on the receiving computer requests that the source resend them. Only when the data has arrived correctly does the protocol software make it available to the receiving application program, and therefore to the user.
To be connected to the Internet, a computer must be assigned a unique number, known as its IP (Internet Protocol) address. Each packet sent over the Internet contains the IP address of the computer to which it is being sent. Internet routers use the address to determine how to route the packet. Users almost never need to enter or view IP addresses. Instead, to make it easier for users, each computer is also assigned a domain name; software automatically translates domain names into IP addresses.
Client/Server Architecture
Internet applications, such as the Web, are based on the concept of client/server architecture. In a client/server architecture some applications act as information providers (servers), while other applications act as information receivers (clients). The client/server architecture is not one-to-one. That is, a single client can access many different servers, and a single server can be accessed by a number of clients. Usually, a user runs an application, such as a Web browser, that contacts one server at a time to obtain information. Because it only needs to access one server at a time, client software can run on almost any computer, including small handheld devices such as personal organizers and cellular telephones (these devices are called Web appliances). To supply information to others, a computer must run a server application. Although server software can run on any computer, most companies choose large, powerful computers to run server software because the company expects many clients to be in contact with the server at any given time. A faster computer enables the server to return information with less delay.
The alerting phase deals with the user-interactive part of the firewall. Its purpose is to make the user aware of an incoming intruder. It gives the user an alert box saying that there is an intruder who is trying to hack the data without the prior knowledge of the user or administrator. This phase also deals with unauthorized access to a computer, that is, preventing unauthorized access to the computer.
In the initial phase, we scan the packets of data coming from other computers. Here the packets are checked for any intruder based on their IP address. A set of valid IP addresses is compared with the incoming IP addresses. Mismatching addresses are considered to belong to an intruder. An alerting message is displayed on the window to inform the user about the intruder.
A common method of attack involves imitating the address of a trusted host in order to gain access to protected resources. When an attacker spoofs an IP address to crack into a protected network, we can detect the IP spoofing by monitoring the packets. If a packet on the external interface has both the source and destination address in the local domain, then alert the user that someone is tampering with the system.
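The two alert conditions of this phase, as an added Python example that is not the project's own VB.NET code: incoming packets are checked against the set of valid addresses, and a packet seen on the external interface whose source and destination both lie in the local domain raises a spoofing alert; the network, the address set and the packet records are constructed assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed assumptions: the protected LAN and the administrator's list of known hosts.
LOCAL_DOMAIN = ipaddress.ip_network("192.168.1.0/24")
VALID_HOSTS = {"192.168.1.10", "192.168.1.20", "203.0.113.7"}

def check_packet(pkt: Dict, local=LOCAL_DOMAIN, valid=VALID_HOSTS) -> List[str]:
    """Return the alert messages raised by one packet record (empty list if none)."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    alerts = []
    # Spoof rule from the text: traffic between two local addresses never enters from
    # outside, so such a packet on the external interface means tampering.
    if pkt["iface"] == "external" and src in local and dst in local:
        alerts.append(f"IP spoofing suspected: {src} -> {dst} arrived on the external interface")
    # Valid-address rule: a source missing from the administrator's list is an intruder.
    if str(src) not in valid:
        alerts.append(f"intruder: unknown source address {src}")
    return alerts

def monitor(packets: List[Dict]) -> List[str]:
    """Run the alerting phase over a batch of packet records, tagging each alert with its index."""
    out = []
    for i, pkt in enumerate(packets):
        for msg in check_packet(pkt):
            out.append(f"packet {i}: {msg}")
    return out

# Constructed sample of monitored packets (not captured traffic).
SAMPLE = [
    {"iface": "internal", "src": "192.168.1.10", "dst": "192.168.1.20", "proto": "TCP"},  # normal LAN traffic
    {"iface": "external", "src": "203.0.113.7", "dst": "192.168.1.10", "proto": "TCP"},   # known outside host
    {"iface": "external", "src": "192.168.1.99", "dst": "192.168.1.10", "proto": "TCP"},  # spoofed local source
    {"iface": "external", "src": "198.51.100.4", "dst": "192.168.1.10", "proto": "UDP"},  # unknown host
]

if __name__ == "__main__":
    for line in monitor(SAMPLE):
        print(line)
```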
Sniffing involves observing and gathering compromising information about network traffic in a passive way. Any node on a non-switched Ethernet can do this. Sometimes network problems require a sniffer to find out which packets are hitting a system. It helps to solve network problems, especially if a source or destination address is already known.
The firewall does not prevent people from sniffing the external network, however. The firewall keeps external people from breaking into the internal network; this effectively prevents external people from running sniffers on the internal network.
Sniffing the packets individually from the monitored packets gives all the necessary information about the selected packet. The information includes packet delay, time to live, source address, destination address, etc.
PACKET MONITORING FORM
This form monitors all the packets transferred across the network. Along with the destination address and source address of the monitored packets, the time of sending, protocol and length of the packets are also noted.
PACKET SNIFFING FORM
This form displays the properties of a sniffed packet. The packet's destination address, source address, throughput, time to live, etc. are captured via sniffing.
The Firewall project is a comprehensive effort towards real-time network applications. It effectively detects the packets sent through a network, and each packet is rejected or accepted as desired.
The package we've prepared cannot be said to be perfect, but we've put in the best of our efforts to make this project foolproof. We welcome all those who can offer valuable suggestions and contributions to this package to make the project industry-quality software.
Before we conclude, once again we thank all those who have helped us bring about this endeavor.