The application defense needs more awareness of the content of the payload.
Circuit Proxy Firewall (CPF)
This type of firewall operates as a relaying agent that sits between the external and internal hosts (Stephen, 2004). The whole idea is to protect the network's internal hosts from direct exposure to the outside environment.
The CPF firewall operates by accepting requests from the internal hosts to establish connections to the external world. It then destroys the device's initial IP address as well as the network-layer header.
The payload is then encapsulated in a new header with its own unique IP address and sent to the outside servers. It is worth noting that the CPF requires some form of authentication prior to establishing the connection. CPFs are capable of supporting a very large number of protocols since they do not have to comprehend the application-level protocols.
Disadvantages of CPF
They are sources of system vulnerability since they can never provide adequate defense for the system against certain application-level attacks. They are also prone to passing malicious content, because they allow it through without any form of filtering.
Application Proxy Firewall (APF)
The APFs are application-level gateways that operate on the seventh layer of the OSI model. Just like the CPF, the APF operates as an intermediary between the external and internal hosts (Panko, 2004).
The APF firewall is aware of the application level. Therefore, it is capable of inspecting the application level commands as well as appropriately discarding the malformed commands.
Disadvantage
The main disadvantage of this system is that there is a need for a separate application proxy to be written for each type of application that is being proxied.
Additionally, the specific application must be appropriately decoded.
Additionally, the specific application must be appropriately modified in order to operate with the APF. The APF system is also never efficient against malware.
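An added example, not part of the original essay, that contrasts the two relays described above: the circuit proxy swaps the header and forwards the payload untouched, while the application proxy needs a per-protocol grammar and discards commands that do not parse. The addresses, the simplified SMTP-style grammar and the sample payload are constructed assumptions.

```python
import re
from dataclasses import dataclass

PROXY_IP = "203.0.113.10"  # constructed address of the proxy's external interface

@dataclass
class Packet:
    src_ip: str      # network-layer source as seen by the receiver
    dst_ip: str
    payload: bytes   # application-level data

def circuit_proxy(pkt, authenticated):
    """CPF: require authentication, replace the header, relay the payload untouched."""
    if not authenticated:
        return None
    return Packet(PROXY_IP, pkt.dst_ip, pkt.payload)

# The APF needs a grammar per proxied application. This one covers a few
# SMTP-style command lines only (simplified assumption; no DATA body handling).
COMMAND = re.compile(
    rb"(?:HELO|EHLO) [\x21-\x7e]+"
    rb"|(?:MAIL FROM|RCPT TO):<[\x21-\x7e]*>"
    rb"|DATA|QUIT|RSET|NOOP"
)

def application_proxy(pkt, authenticated):
    """APF: same relay, but every command is parsed and malformed ones are discarded."""
    if not authenticated:
        return None, []
    kept, dropped = [], []
    for line in pkt.payload.split(b"\r\n"):
        if line:
            (kept if COMMAND.fullmatch(line) else dropped).append(line)
    relayed = Packet(PROXY_IP, pkt.dst_ip, b"".join(l + b"\r\n" for l in kept))
    return relayed, dropped

# Constructed sample: four well-formed commands and one carrying raw control bytes.
SAMPLE = Packet("10.0.0.7", "198.51.100.25",
    b"HELO client.example\r\nMAIL FROM:<a@example.org>\r\n"
    b"XDEBUG \x00\x01raw\r\nRCPT TO:<b@example.net>\r\nQUIT\r\n")

if __name__ == "__main__":
    print(circuit_proxy(SAMPLE, True))      # payload identical to the input
    print(application_proxy(SAMPLE, True))  # malformed line reported as dropped
```

Supporting a second application through the APF would mean writing a second grammar, which is the per-application cost noted under its disadvantage.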
Network Address Translation (NAT)
Network Address Translation (NAT) is an IETF standard (Egevang & Francis, 1994) which allows a local area network (LAN) to modify the port numbers and network IP addresses in datagram packet headers for the sake of remapping one address space onto another. The main advantage of the NAT system is that it provides a solution to scalability problems when there is a limit on the number of IP addresses that are allowed to provide access. In terms of security, the NAT system can be regarded as a device which hides the internal private addresses of a given network from outsiders, enforcing control on outbound connections while restricting incoming traffic.
Disadvantages
NAT is noted to be less effective since it can never provide adequate defense against malformed packets, malware and application-level attacks.
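An added example, not part of the original essay, showing the header rewriting and inbound restriction described above as a small port-translating NAT table. The class name, addresses, starting port and the per-peer inbound filter are constructed assumptions; real devices differ in how strictly they filter inbound traffic.

```python
from dataclasses import dataclass, replace
from itertools import count

@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes

class Nat:
    """Port-translating NAT: private hosts share one public address."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = count(first_port)
        self.out_map = {}   # (private ip, private port) -> public port
        self.back_map = {}  # public port -> (private ip, private port)
        self.peers = set()  # (public port, remote ip, remote port) contacted from inside

    def outbound(self, d):
        """Rewrite the source to the public address and remember the flow."""
        key = (d.src_ip, d.src_port)
        if key not in self.out_map:
            port = next(self._next_port)
            self.out_map[key] = port
            self.back_map[port] = key
        port = self.out_map[key]
        self.peers.add((port, d.dst_ip, d.dst_port))
        return replace(d, src_ip=self.public_ip, src_port=port)

    def inbound(self, d):
        """Translate replies back; drop anything no inside host asked for."""
        if d.dst_ip != self.public_ip:
            return None
        if (d.dst_port, d.src_ip, d.src_port) not in self.peers:
            return None
        ip, port = self.back_map[d.dst_port]
        # Only the header changes: the payload is forwarded uninspected.
        return replace(d, dst_ip=ip, dst_port=port)

if __name__ == "__main__":
    nat = Nat("198.51.100.1")  # constructed public address
    print(nat.outbound(Datagram("192.168.1.10", 51000, "203.0.113.5", 443, b"hi")))
    print(nat.inbound(Datagram("203.0.113.5", 443, "198.51.100.1", 40000, b"ok")))
    print(nat.inbound(Datagram("203.0.113.9", 443, "198.51.100.1", 40000, b"x")))
```

The reply from the contacted server is translated back to the private host, the datagram from an uncontacted address is dropped, and in neither case is the payload examined.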
Virtual Private Network (VPN)
A Virtual Private Network (VPN) (RFC 2764, 2000) is a method of connecting to a private network via a tunnel which rides on the backbone of a public network like the internet. A Virtual Private Network (VPN) can employ authenticated links in order to ensure that the only authorized entities (hosts) are the ones that successfully connect to the resources located on the private network.
It can also employ encryption techniques in order to ensure that the confidentiality of the data being transmitted is maintained. The Virtual Private Network can be configured at different network layers using different network protocols.
The two protocols that this paper focuses on are SSL/TLS and IPSec. These are the security protocols used at layers 3 and 4 of the VPN.
IPSec
IPSec is regarded as the de facto standard used for network security (Kent & Atkinson, 1998). It is the framework used to provide a number of network security services, which include:
Access control
Authentication of data origin
Anti-replay integrity, as well as
Data confidentiality.
Disadvantages of IPSec
The disadvantage of IPSec is that it is extremely difficult to control its usage on a per-user basis on a multiuser machine, since it is implemented at the network layer.
At the same time, the cryptographic algorithms of IPSec have been noted to add overhead to the application and network traffic. There is therefore a need for a hardware accelerator. It is worth noting that IPSec can mitigate some DoS attacks. It is however...