
Host Based Firewall
Anti Virus Software
Anti Spam Software

Host Based Firewall
A firewall is a software or hardware-based network security system that controls incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on an applied rule set.

A firewall can help prevent hackers or malicious software (such as worms) from gaining access to your computer through a network or the Internet. A firewall can also help stop your computer from sending malicious software to other computers.

A host-based firewall is a piece of software running on a single host that can restrict incoming and outgoing network activity for that host only. It can prevent a host from becoming infected and stop infected hosts from spreading malware to other hosts.
Network traffic flowing in and out of your
computer can be categorized as shown in the
following diagram.
Firewalls operate at different layers to use different criteria to restrict traffic. The lowest layer at which a firewall can work is layer three. In the OSI model this is the network layer; in TCP/IP it is the Internet Protocol layer. This layer is concerned with routing packets to their destination.

Firewalls that operate at the transport layer know a little more about a packet, and are able to grant or deny access depending on more sophisticated criteria. At the application level, firewalls know a great deal about what is going on and can be very selective in granting access.
Types of Firewalls
The two main firewall types are:

Network perimeter firewalls, located at the network's perimeter.

Host-based firewalls, located on individual hosts within the network.
Network perimeter firewalls
Network firewalls are the ones located at the boundary between the internal network and external networks such as the Internet. Such products are either hardware-based, software-based, or a combination of both.

Network perimeter firewalls cannot provide protection for traffic generated inside a trusted network. For this reason, host-based firewalls running on individual computers are needed. Host-based firewalls, for example, protect a host from unauthorized access and attack.
Host based firewall
Host-based firewalls are software firewalls installed on each individual system. Depending on the software you choose, a host-based firewall can offer features beyond those of network firewalls:

Protecting your computer from spyware (a component of some free software that tracks your Web browsing habits) and Trojan horses (a program that claims to do one thing, but does another, malicious thing, such as recording your passwords).
Incorporating antivirus software.
Intrusion prevention software capabilities.
Suppressing Web browser pop-up windows.
Blocking cookies.
Identifying potential privacy issues within Web pages and e-mails.
Host-based firewalls for servers typically use rule sets similar to those of network firewalls. Some host-based firewalls for desktops and laptops also use similar rule sets, but most allow or deny activity based on lists of applications.

Example: Windows Firewall with Advanced Security. In addition to blocking unwanted incoming traffic, you can configure Windows Firewall with Advanced Security to block specific types of outgoing traffic as well.

Popular host-based firewall products include ZoneAlarm, Tiny Personal Firewall, Agnitum Outpost Firewall, Kerio Personal Firewall, and Internet Security Systems BlackICE PC Protection.
Evolution of Firewalls
Packet filters
Circuit level Gateways
Proxy server/Application layer
Stateful Filter
Packet Filter
Packet filters inspect each packet. If a packet does not meet the filtering rules, it is either rejected or dropped.

A packet filter sees each packet in isolation and thus has no way to determine if a packet is part of an existing connection or an isolated malicious packet.

It filters packets based only on information in the header.
Circuit Level Gateways
A circuit level gateway works at the session layer of the OSI reference model. It monitors the TCP handshaking between packets to determine whether a requested session is legitimate, and decides whether a requested session is valid.

Used to hide information about the network.

This technique is also called Network Address Translation, where the private IP addresses originating from the different clients inside the network are all mapped to the public IP address available through the internet service provider and then sent to the outside world (Internet).

This way, the packets are tagged with only the public IP address (firewall level) and the internal private IP addresses
Application Level Firewalls
Application level firewalls decide whether to drop a packet or send it through based on the application information available in the packet.

They do this by setting up various proxies on a single firewall for different applications. Both the client and the server connect to these proxies instead of connecting directly to each other, so any suspicious data or connections are dropped by these proxies.

Application level gateways, also called proxies, are similar to circuit-level gateways except that they are application specific. They can filter packets at the application layer of the OSI model.

Incoming or outgoing packets cannot access services for which there is no proxy. In plain terms, an application level gateway that is configured to be a web proxy will not allow any ftp, gopher,
Stateful Firewall
A stateful firewall keeps track of the state of network connections (such as TCP streams or UDP communication) and is able to hold significant attributes of each connection in memory.

This allows it to keep track of state information and determine which systems have open, authorized connections at any given point in time. It only references the rule base when a new connection is requested.

This data is stored in dynamic state tables and evaluated, so that filtering decisions are based not only on administrator-defined rules, but also on context that has been built by previous connections as well as previous packets belonging to the same connection.
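The difference between the packet filter described earlier (each packet judged in isolation) and the stateful firewall above (rule base consulted only for new connections, then a state table) is easiest to see on a short packet trace. The following is an added simulation, not code from the slides: the addresses, ports and packets are constructed, and the "reply" rule in the stateless filter stands in for the kind of blanket header rule a stateless device needs in order to admit return traffic.

```python
"""Stateless packet filter vs. stateful filter on a constructed packet trace.
No real sockets are involved; packets are plain records."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (from the protected host)
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

HOST = "10.0.0.5"              # constructed address of the protected host
ALLOWED_INBOUND_PORTS = {80}   # constructed policy: the host only offers a web service

def stateless_filter(pkt: Packet) -> bool:
    """Judge each packet in isolation from header fields only.
    Because the filter cannot remember what the host sent out, replies to the host's
    own connections must be admitted by a blanket rule ("inbound from source port 80
    with ACK set"), and any packet can claim to satisfy that rule."""
    if pkt.direction == "out":
        return True
    if pkt.dport in ALLOWED_INBOUND_PORTS:
        return True
    if pkt.sport == 80 and pkt.ack:   # crude 'reply' rule, trivially imitated
        return True
    return False

class StatefulFilter:
    """Consult the rule base only when a new connection is opened; afterwards admit
    packets only if they match an entry in the state table."""
    def __init__(self):
        self.table = set()   # entries: (local_ip, local_port, remote_ip, remote_port)

    def _key(self, pkt: Packet):
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def check(self, pkt: Packet) -> bool:
        key = self._key(pkt)
        if key in self.table:          # existing connection: no rule lookup needed
            return True
        # new connection: this is the only place the rule base is consulted
        if pkt.direction == "out" and pkt.syn:
            self.table.add(key)
            return True
        if pkt.direction == "in" and pkt.syn and pkt.dport in ALLOWED_INBOUND_PORTS:
            self.table.add(key)
            return True
        return False

def run_scenario():
    """Return (stateless verdicts, stateful verdicts) for a constructed trace."""
    trace = [
        Packet("out", HOST, 51000, "203.0.113.9", 80, syn=True),    # host opens a web connection
        Packet("in", "203.0.113.9", 80, HOST, 51000, ack=True),      # legitimate reply to it
        Packet("in", "198.51.100.7", 80, HOST, 3389, ack=True),      # unsolicited packet dressed as a reply
        Packet("in", "198.51.100.7", 40000, HOST, 80, syn=True),     # client reaching the web service
    ]
    sf = StatefulFilter()
    stateless = [stateless_filter(p) for p in trace]
    stateful = [sf.check(p) for p in trace]
    return stateless, stateful

if __name__ == "__main__":
    print(run_scenario())
```

The third packet is the point of the slide: the stateless filter accepts it because its header matches the reply rule, while the stateful filter drops it because no entry in the state table was ever created for it.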
Iptables
Iptables is a powerful firewall built into the Linux kernel. When you install Ubuntu, iptables is there, but it allows all traffic by default.

Let's assume that we want to block all incoming traffic, except for traffic coming in on 2 common ports: 22 for SSH and 80 for web traffic. We proceed by allowing all traffic on the designated ports with the following commands:

Let's make a rule to block all of the remaining traffic
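As an added example (not the commands from the slides), the policy just described can be generated and then audited from an `iptables -S INPUT` listing. The generator also adds the loopback and ESTABLISHED,RELATED rules that a practitioner would put ahead of the default DROP, since without them replies to the host's own outbound connections are dropped too. The sample listing is constructed; nothing here executes iptables.

```python
"""Build the iptables commands for 'allow 22 and 80, drop the rest' and audit a
captured `iptables -S INPUT` listing against that intent."""
import shlex

def build_rules(tcp_ports):
    """Return the iptables commands, in order, for a default-deny INPUT chain."""
    cmds = [
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port in tcp_ports:
        cmds.append(f"iptables -A INPUT -p tcp --dport {port} -j ACCEPT")
    cmds.append("iptables -P INPUT DROP")   # chain policy: block all remaining traffic
    return cmds

def audit_input_chain(listing, tcp_ports):
    """Check an `iptables -S INPUT` listing (one rule per line) against the intended
    port list. Returns a list of findings; an empty list means the chain matches."""
    findings = []
    policy = None
    accepted_ports = set()
    has_established = False
    for line in listing.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
        if "--dport" in tok and tok[-1] == "ACCEPT":
            accepted_ports.add(int(tok[tok.index("--dport") + 1]))
        if "--ctstate" in tok and "ESTABLISHED" in tok[tok.index("--ctstate") + 1]:
            has_established = True
    if policy != "DROP":
        findings.append(f"INPUT policy is {policy}, expected DROP")
    if not has_established:
        findings.append("no ESTABLISHED,RELATED rule: replies to outbound connections would be dropped")
    for p in sorted(accepted_ports - set(tcp_ports)):
        findings.append(f"port {p} accepted but not in the intended list")
    for p in sorted(set(tcp_ports) - accepted_ports):
        findings.append(f"port {p} intended but not accepted")
    return findings

# constructed sample of `iptables -S INPUT` on a host where someone also opened 8080
SAMPLE_LISTING = """-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
"""

if __name__ == "__main__":
    for cmd in build_rules([22, 80]):
        print(cmd)
    print(audit_input_chain(SAMPLE_LISTING, [22, 80]))
```

On a real host the listing comes from `sudo iptables -S INPUT`; the audit is useful after the fact because the default policy and the conntrack rule are the two things most often forgotten when rules are typed by hand.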


Anti-Virus Software
What is Anti-virus Software?

A program that locates malicious software installed on a computer. It blocks the installation of unwanted programs, disables them and removes them.

Antivirus software is the equivalent of penicillin in the computer world. Like penicillin, antivirus applications act as a guard over your system, scanning incoming files and applications, quarantining or cleaning up unwanted viruses looking to cause harm to your system.

Antivirus software is considered to be an aid that detects, fixes and even prevents viruses and worms from spreading to your computer as well as to connected computers.
Why is antivirus software an issue?
Some antivirus software can considerably reduce performance.
There should not be more than one antivirus software package installed on a single computer at any given time.
It is sometimes necessary to temporarily disable virus protection when installing major updates.
Some argue that antivirus software often delivers more pain than value to end users.
Types of Anti-virus Software

There are different types of antivirus software for different computers.
Some are designed for personal computers; some are for servers and others for enterprises.
There are mainly two types of antivirus software: specific and generic.
Specific Approach
Specific scanning is also called signature detection.
The application scans files to look for known viruses matching definitions in a virus dictionary.
When the antivirus looks at a file it refers to a dictionary of known viruses and matches a piece of code (specific patterns of bytes) from the new file to the dictionary.
Specific Approach (cont.)
After recognizing the malicious software the antivirus software can take one of the following actions:
(1) attempt to repair the file by removing the virus itself from the file
(2) quarantine the file
(3) delete the file completely.
Specific Approach (cont.)

However, specific scanning is not always reliable because virus authors are creating new ways of disguising their viruses so that the antivirus software does not match the virus signature to the virus dictionary.
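The three slides above (dictionary matching, the repair/quarantine/delete actions, and why disguised copies slip past) can be shown in one small scanner. This is an added example, not code from the slides or from any product: the signatures are constructed byte patterns, not real malware signatures, the sample files live in memory, and the XOR "disguise" is a stand-in for the re-encoding tricks the slide refers to.

```python
"""Minimal signature ('specific approach') scanner with the three slide actions,
plus a demonstration of why exact byte matching fails on a disguised copy."""

# constructed virus dictionary: name -> byte pattern that identifies the sample
SIGNATURES = {
    "Demo.Marker.A": b"CONSTRUCTED-SIGNATURE-0001",
    "Demo.Marker.B": b"\xde\xad\xbe\xef\x00\x01",
}

def scan(data: bytes):
    """Return the names of all dictionary entries whose pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]

def act(data: bytes, matches, policy="repair"):
    """Apply one of the slide's actions to a file with the given matches.
    Returns (action_taken, resulting_bytes):
      repair     - strip the matched pattern and keep the rest of the file
      quarantine - keep the bytes unchanged but mark the file as isolated
      delete     - discard the file entirely"""
    if not matches:
        return ("clean", data)
    if policy == "repair":
        cleaned = data
        for name in matches:
            cleaned = cleaned.replace(SIGNATURES[name], b"")
        return ("repaired", cleaned)
    if policy == "quarantine":
        return ("quarantined", data)
    return ("deleted", b"")

def disguise(data: bytes, key: int = 0x5A) -> bytes:
    """Constructed 'disguise': XOR every byte with a constant. The content is
    recoverable (applying it twice restores the original) but the dictionary
    pattern no longer appears verbatim, so scan() finds nothing."""
    return bytes(b ^ key for b in data)

# constructed sample file contents
INFECTED = b"hello world " + SIGNATURES["Demo.Marker.A"] + b" trailing data"
CLEAN = b"just a plain text file"

if __name__ == "__main__":
    print(scan(INFECTED))                  # ['Demo.Marker.A']
    print(act(INFECTED, scan(INFECTED)))   # ('repaired', b'hello world  trailing data')
    print(scan(disguise(INFECTED)))        # [] : exact-match signature defeated
```

The last line is the reliability problem of the specific approach in miniature: the disguised file carries the same payload, yet the dictionary has no entry for its new byte sequence until researchers catalogue it, which is the gap the generic approach on the next slide tries to cover.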
Generic Approach
Generic scanning is also referred to as the suspicious behavior approach.
Generic scanning is used when new viruses appear.
In this method the software does not look for a specific signature but instead monitors the behavior of all applications.
Generic Approach (cont.)
There, researchers examine it, determine its signature, name and catalogue it, and release antivirus software to stop its spread.
If the virus never reappears the vendors categorize the virus as dormant.
Some of the Best Known Anti-virus Software
Popular Anti-virus Software
BitDefender
This year's best defense against computer viruses, spyware, hackers and spam is an antivirus program called BitDefender.
It has a user-friendly interface that scans all existing files on your computer, all incoming and outgoing emails, and even IM transfers.
Features include privacy protection and web scanning for internet use. A year's subscription is about $24.99.
Norton Anti Virus
The most widely used software is Norton Antivirus (NAV).
Since its release in 1990, over 100 million people around the world have used it.
It's a free program, but in order to receive live updates a valid subscription is needed.
A yearly subscription is only $29.99.
McAfee Virus Scan
McAfee Virus Scan is another popular antivirus program.
It's designed for home and home-office use.
It's used specifically on a Microsoft Windows platform.
The 2007 edition includes a number of features including on-access file sharing, inbound and outbound firewall protection, and daily definition updates.
Anti Spam Software
Email's hidden dangers
Some internet users are blissfully unaware of the chaos and destruction that a simple email can cause. Spam email and other unwanted messages can deliver multiple threats to a user's inbox.
The most common types of email threats that a person will likely encounter are:
1. Email Attachments: Most people have attached a word processing document to an email. Friends, coworkers and other associates usually have no qualms opening an email attachment from someone they know. The cybercriminal and malicious hacker will exploit this environment of trust. This method of transmission is how many viruses and worms spread around the world so quickly. Frequently an email message contains a small note that attempts to sway the user into opening the attached file. Once clicked, the malware installs itself on the unsuspecting user's computer. Once loaded, the virus or worm attacks the user's contact list and proceeds to email itself out to all the addresses in the victim's own address book.
2. Key loggers: One of the biggest threats contained in an email attachment is a key logger. Once the installation is complete, the app logs every keystroke a user makes. The gathered information can include sensitive personal information such as usernames, passwords, account IDs and more. Users who perform online banking activities, or use the internet to shop, are at high risk.
3. Phishing Attacks: Spam filter software can help a user fight back against phishing attacks. A hacker or cybercriminal implements a phishing attack using HTML spam email. The email looks like it originates from the user's bank, a social network account, or other legitimate entity. However, the mail is fraudulent.
What is spam?
Spam is any kind of email that you don't want and that you didn't sign up to receive.
Spam email and other unsolicited messages are unwanted. These types of email can contain attachments, deceiving images and viruses, degrading network bandwidth and consuming unnecessary processing power.
Some spam is annoying but harmless, but some might be part of an identity theft scam or other kind of fraud.
You can get spam in instant messages, text messages, and on your social networking sites.
Ways to tell if an email is spam
If It Ends Up In Your Spam Folder: Unless you accidentally categorized legitimate emails as spam, you can be pretty sure that all the emails you need will appear in your inbox. You must deal with emails in the spam folder on a case-by-case basis to determine whether they're legitimate or pushing garbage into your inbox.
Look at the Email Address: Legitimate companies send emails through a server based on their company website (for example, support@microsoft.com). If you see a long string of numbers in front of the @ sign or the name of a free email service before the .com (or any other domain), you need to question the legitimacy of the email in question.
Look at the Content: Keep an eye out for emails that say you need to do something right at that second or within a certain number of hours. Also, be wary of any emails that include links. Most companies tell you what to do, but they never direct you to where to do it with a link. Finally, rampant grammatical and spelling errors within the body of an email are good signs that it's spam.

If It Asks for Personal Information: If you get an email that asks you for any personal information, no matter how legitimate it might seem, delete it right away. Personal information is only meant to be entered in secure, encrypted forms, not emails where anyone and everyone can get their hands on your information.

Look at the Greeting: When you receive a genuine email, the sender addresses you directly, using either your first or last name. If you receive an email where they refer to you as a Valued Customer or as a member of some company, it's spam.
What does spam look like?
What Does Spam Filter Software Do?
Spam filter software can help a user create a solid wall of defense that only lets wanted emails into their inbox.
For the email recipient, spam is easily recognized. However, the receiver of spam loses countless hours manually deleting the intrusive messages from their inbox. Spam filter software can help mitigate this overwhelming chore and can reduce the amount of junk mail delivered to a user's inbox.
Spam is dangerous to both the computer and its users. Junk mail can contain viruses, keyloggers, phishing attacks and more. These types of malware can compromise a user's sensitive private data by capturing bank account information, usernames and passwords. Spam blocker applications can assist a user in preventing these types of PC contaminations.

No spam filter software is 100% effective. Despite this limitation, spam filter software can assist parents in blocking email that contains pornography and other questionable content.
What to Look for in Spam Filter Software?

1. The spam filter software you pick should support multiple email clients and webmail service providers.
2. It is important to choose spam filter software that meets your needs and fits into the services and applications you use.
3. Blocking/Filtering
Reliably blocking and filtering spam is the most valuable feature of any spam filter software.
The best spam filtering software has both black and white lists, sensitivity settings, community-based filtering, challenge and response techniques, and quarantine settings. Additional features to evaluate are blocking by IP address, server, email address, and country code.
Community-based filtering: People who observe the kind of spam messages that they receive would be able to classify similar spam mails into communities. It is a common observation that spam mail can be classified into various communities such as online pharmacies, mortgages, vacation offers, porn mails etc.
Challenge-response techniques: A challenge-response system is a program that replies to an e-mail message from an unknown sender by subjecting the sender to a test (CAPTCHA) designed to differentiate humans from automated senders. When a message is received, the system sends a reply that includes a URL linking the user to a Web site. At the Web site, the user is asked to perform some task that, while easy for a human, is beyond the capabilities of an automated spamming program. Once a sender has passed the test, the sender is added to the recipient's whitelist of permitted senders, who won't have to prove themselves each time they send a message.
Quarantine settings: Incoming messages filtered as spam or otherwise diverted from delivery to a user can be placed in a quarantine where administrators can go to review and manage them. There they can:
Review and safely open quarantined messages for analysis.
Find messages based on sender, subject, or content (virus-infected messages as well).
Deliver legitimate messages to the user.
Deliver messages you want to review further to your own administrator account.
Delete messages.
Users with the appropriate User Access permissions can view and manage their own quarantined messages.
4. Rules:
The spam filter software should give the user the ability to edit predefined rule settings as well as to create new rules. The best spam filter software can adapt to meet the needs of the user, not the other way around.
5. Protection:
Spam blocker apps should have the capability of protecting multiple user accounts with a single installation.
Moreover, the spam blocker must protect the user from email that contains worms, viruses, Trojans, attachments with embedded keyloggers and other malware.
Additionally, robust spam filter software can identify HTML email that contains phishing attacks designed to garner a user's sensitive personal information.
6. Compatibility
When selecting a spam blocker, one needs to evaluate whether the spam filtering software they select is compatible with their current email client or webmail service provider. Common supported email clients include Thunderbird, Outlook, Outlook Express and other POP3/SMTP applications. The spam filtering software should also support several webmail service providers like Gmail, Yahoo, Hotmail and others.
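The challenge-response exchange described under item 3 involves two parties: the recipient's filter, which holds the message and sends back a challenge, and the unknown sender, who must come back with proof of having passed the test. The following walk-through is an added example, not code from the slides or from any of the products named on this page. It assumes the test result is reported back with a token from the challenge URL, and signs that token with an HMAC so the filter can verify it belongs to the sender who was challenged; all addresses and the secret are constructed.

```python
"""Challenge-response whitelisting: hold mail from unknown senders, challenge them,
and whitelist only after a valid token comes back."""
import hashlib
import hmac
import secrets

class ChallengeResponseFilter:
    def __init__(self, secret: bytes):
        self.secret = secret       # server-side key for signing challenge tokens
        self.whitelist = set()     # senders who have passed the test
        self.held = {}             # token -> (sender, message) awaiting proof

    def _token(self, sender: str, nonce: str) -> str:
        """Token = nonce plus an HMAC over (sender, nonce); a token for one sender
        cannot be reused by another because the sender is part of what is signed."""
        mac = hmac.new(self.secret, f"{sender}|{nonce}".encode(), hashlib.sha256).hexdigest()
        return f"{nonce}.{mac}"

    def receive(self, sender: str, message: str):
        """Recipient side. Whitelisted senders are delivered straight away; anyone else
        gets a challenge and the message is held back."""
        if sender in self.whitelist:
            return ("deliver", message)
        token = self._token(sender, secrets.token_hex(8))
        self.held[token] = (sender, message)
        return ("challenge",
                f"Please visit https://verify.example.invalid/?t={token} to confirm you are human.")

    def confirm(self, sender: str, token: str):
        """Recipient side, called when the sender completes the test with the token.
        Verifies the token was issued to this sender, whitelists them and releases the mail."""
        nonce, _, _ = token.partition(".")
        expected = self._token(sender, nonce)
        if not hmac.compare_digest(expected, token) or token not in self.held:
            return ("rejected", None)
        held_sender, message = self.held.pop(token)
        self.whitelist.add(held_sender)
        return ("deliver", message)

def exchange():
    """Both sides' messages for a constructed unknown sender, plus one misuse attempt."""
    f = ChallengeResponseFilter(secret=b"constructed-server-secret")
    first = f.receive("alice@example.invalid", "Hi, are we still meeting Friday?")
    token = first[1].split("t=")[1].split(" ")[0]      # what Alice sees in the challenge URL
    # an automated sender never visits the URL, so nothing has been delivered yet;
    # a token presented by a different address than the one challenged is refused
    forged = f.confirm("mallory@example.invalid", token)
    released = f.confirm("alice@example.invalid", token)  # Alice passes the test
    second = f.receive("alice@example.invalid", "Bringing the slides.")  # now whitelisted
    return first[0], forged[0], released, second

if __name__ == "__main__":
    print(exchange())
```

The `held` table is what makes the "one challenge per sender, then never again" behaviour on the slide work: once the token is consumed the sender is in the whitelist and later mail is delivered without a lookup against the challenge state.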
How Anti Spam Software Works
Blacklist:
One of the primary anti-spam methods is known as blacklisting. This software identifies the IP address of the spam sender, and then communicates with the Internet Service Provider of the sender and instructs the ISP to block mail from that IP address to your email account.
Spam Votes:
Spam voting software works through the participation of users. When you receive email you have the option of classifying it as spam, usually by pushing a button which says, unsurprisingly, "spam". Once enough people classify a piece of mail or an IP as spam, it falls in trust until ultimately it becomes completely blocked from addresses.
Profiling:
Profiling involves learning the common characteristics of spammers and spam mail. The software looks for things like bugs, invalid message IDs and other traits and uses these characteristics to evaluate incoming pieces of mail. Each piece of mail is then given a score depending upon how it fares against these criteria. The user is then given the option of how high or how low to set the bar with regard to which emails are let in.
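The checks listed earlier under "Ways to tell if an email is spam" (digits before the @, a free mail domain used by a supposed company, urgency wording, links, requests for personal information, a generic greeting) are exactly the kind of traits a profiling filter scores. The block below is an added example, not code from the slides or from any product named here: it turns those checks into weighted heuristics, sums a score, and lets the threshold play the role of the "bar" the user sets. Weights, regexes and the two sample messages are constructed.

```python
"""Profiling-style spam scorer built from the heuristics listed on the slides."""
import re

FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}   # services named on the slides
URGENCY = re.compile(r"\b(immediately|within \d+ hours?|right now|act now)\b", re.I)
PERSONAL_INFO = re.compile(r"\b(password|account number|ssn|social security)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*(dear )?(valued customer|customer|member|user)\b", re.I | re.M)
LINK = re.compile(r"https?://", re.I)

def profile(sender, body, claimed_company=None):
    """Return (score, reasons). Each heuristic that fires adds its weight; the
    weights are constructed for illustration and would be tuned on real mail."""
    score, reasons = 0, []
    local, _, domain = sender.lower().rpartition("@")
    if re.search(r"\d{6,}", local):
        score += 2; reasons.append("long digit string before @")
    if domain in FREE_MAIL_DOMAINS and claimed_company:
        score += 2; reasons.append("free mail service used by a supposed company")
    if URGENCY.search(body):
        score += 1; reasons.append("urgency wording")
    if LINK.search(body):
        score += 1; reasons.append("contains a link")
    if PERSONAL_INFO.search(body):
        score += 3; reasons.append("asks for personal information")
    if GENERIC_GREETING.search(body):
        score += 1; reasons.append("generic greeting")
    return score, reasons

def is_spam(sender, body, claimed_company=None, threshold=4):
    """The threshold is the user's 'bar': lower it to catch more, at the cost of
    more legitimate mail being held back."""
    score, _ = profile(sender, body, claimed_company)
    return score >= threshold

# constructed sample messages
PHISH = ("alerts938271@gmail.com",
         "Dear Valued Customer,\nYour account will be locked within 24 hours. "
         "Confirm your password at http://example.invalid/login")
LEGIT = ("support@microsoft.com",
         "Hi Dana,\nYour ticket has been updated. Reply to this message if you have questions.")

if __name__ == "__main__":
    print(profile(*PHISH, claimed_company="Example Bank"))
    print(profile(*LEGIT))
```

Scoring rather than hard blocking is what distinguishes profiling from the simple rules-based blockers criticised later on this page: a single fired heuristic (a link in an otherwise normal message) stays below the bar, while several together cross it.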
Bayesian Filtering:
The most promising spam blocking software follows no rules. Rather, it constantly learns new techniques to fight spam by scanning the mail you've read and comparing it to the mail that you have rejected. This highly sophisticated software uses the data that it gleans from thousands of users to identify which items are spam and which are not. It then has the capability to adjust its standards to your particular preferences. Over time, it becomes adept at sending you only the emails that you want, and blocking the emails that you do not. E.g. mailBee.NET antispam.
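The "follows no rules" claim above is concrete in a naive Bayes classifier: it is trained on mail the user kept and mail the user rejected, and its only "rules" are the word frequencies it learned. The following is an added example, not code from the slides or from mailBee.NET: a small Bayesian filter with add-one smoothing, trained on a constructed corpus of eight short messages.

```python
"""Naive Bayes spam filter trained on kept vs. rejected mail (constructed corpus)."""
import math
import re
from collections import Counter

WORD = re.compile(r"[a-z']+")

def tokenize(text):
    return WORD.findall(text.lower())

class BayesFilter:
    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}   # messages containing each word
        self.docs = {"spam": 0, "ham": 0}

    def train(self, text, label):
        """Learn from one message the user read ('ham') or rejected ('spam')."""
        self.docs[label] += 1
        self.counts[label].update(set(tokenize(text)))   # count presence per message

    def spam_probability(self, text):
        """P(spam | words) by naive Bayes with add-one (Laplace) smoothing, in log space
        to avoid underflow. Words never seen in training carry no evidence."""
        vocab = set(self.counts["spam"]) | set(self.counts["ham"])
        total = self.docs["spam"] + self.docs["ham"]
        logp = {}
        for label in ("spam", "ham"):
            lp = math.log(self.docs[label] / total)        # prior
            for w in set(tokenize(text)):
                if w not in vocab:
                    continue
                lp += math.log((self.counts[label][w] + 1) / (self.docs[label] + 2))
            logp[label] = lp
        m = max(logp.values())
        p_spam = math.exp(logp["spam"] - m)
        p_ham = math.exp(logp["ham"] - m)
        return p_spam / (p_spam + p_ham)

    def is_spam(self, text, threshold=0.5):
        return self.spam_probability(text) >= threshold

def build_filter():
    """Train on a constructed corpus: mail the user rejected vs. mail the user read."""
    f = BayesFilter()
    spam = ["cheap pharmacy pills online discount", "discount mortgage offer apply now",
            "free vacation offer click now", "online pills cheap offer"]
    ham = ["meeting notes for the project review", "lunch tomorrow with the team",
           "project budget review attached", "notes from the team meeting"]
    for t in spam:
        f.train(t, "spam")
    for t in ham:
        f.train(t, "ham")
    return f

if __name__ == "__main__":
    f = build_filter()
    print(f.spam_probability("cheap pills discount offer"))
    print(f.spam_probability("project meeting notes"))
```

Because training continues as the user keeps reading and rejecting, the filter's standards drift towards that user's own mail, which is the "adjust its standards to your particular preferences" behaviour the slide describes; the price is that it knows nothing about words it has never seen, so a brand-new vocabulary scores exactly at the prior.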
Examples of spam filters
SPAMfighter Pro
Cloudmark DesktopOne Pro
Although SPAMfighter Pro and Cloudmark DesktopOne Pro are similar, each handles the user's ability to manage and create black and white lists differently. In most instances, the spam blocker's whitelist consists of a user's known contacts such as family, friends, coworkers and other legitimate email addresses. The spam filter software always allows email messages from whitelisted senders. Conversely, the app always blocks email messages from spam senders entered into the spam blocker's blacklist.
MailWasher Pro 2010
ChoiceMail One
iHateSpam
CleanMail Home
Spam Bully
Why do spam filters fail?
A challenge-response filter basically will not allow an e-mail message from someone who has not been pre-approved. When a message arrives from a new sender, a spam filter using this method automatically replies to the sender asking them to validate themselves.
Rules-based systems simply look for key words or phrases in the message and block it when matches are found. Simple rules-based spam blockers are very poor at filtering out spam. They will often block a legitimate message and also let through a good percentage of the actual spam.
Black lists usually list the physical IP address (Internet Protocol Address) of where a message has come from. An e-mail server using spam-filtering software can then check each message against the black list as it arrives.
The problem is that these lists are based on reports by end users, so a spammer may well get a few thousand (or even a million) messages sent out before he is listed on a black list. Spammers often send their e-mail out through different addresses; they even sometimes use hacked networks to send out through other people's machines (and addresses), which can then lead to legitimate people being black listed.
The main problem is that these black lists do take time to update, and until they are updated the spammer's message will get through the filter.
Thank you
