Network Security: Firewalls, IDS/IPS, VPN, PKI and SIEM
Stateful and NGFW firewalls, Snort and Suricata IDS, IPSec AH/ESP, TLS 1.2/1.3 cipher suites, IPSec and WireGuard VPNs, Kerberos and Indian PKI, SIEM and the CERT-In 2022 Direction.
Network security in enterprise and forensic contexts is a layered architecture built from complementary controls: stateful and next-generation firewalls filter traffic at the perimeter; intrusion detection and prevention systems inspect the flows that pass; IPSec and TLS encrypt data in transit at the network and transport layers respectively; public-key infrastructure authenticates the identities involved; and a SIEM correlates log output from every layer into actionable detections. India's CERT-In Direction of April 2022 binds this architecture to a compliance baseline that mandates 180-day log retention and 6-hour incident reporting for covered entities, including VPN providers who must maintain five years of subscriber KYC.
Network security is not a product list. It is a layered architecture where each layer fails differently and each layer's logs feed the next. A packet that survives the perimeter firewall is inspected by the intrusion detection system. A flow that the IDS approves is encrypted end-to-end by TLS. A user session inside that TLS is authenticated by Kerberos or by an X.509 certificate from a public-key infrastructure. Every event from every layer is shipped to a SIEM, where correlation rules and threat-intel feeds turn the noise into incidents. An examiner who works any single layer in isolation will lose the case at the seam.
Key takeaways
- Network security is a layered architecture where each layer fails differently: a packet that survives the perimeter firewall is then inspected by the IDS, authenticated through PKI, and logged to a SIEM.
- An IDS sits off the data path on a SPAN or TAP port and observes a copy of traffic, while an IPS sits inline and can block, meaning only the IPS introduces latency risk.
- The Indian CCA under MeitY licenses every CA that can issue a legally valid Digital Signature Certificate, anchoring the national PKI to IT Act 2000 provisions.
- The CERT-In Direction 2022 mandates 180-day log retention for service providers and VPNs, creating a minimum forensic window that SIEM deployments must be sized to cover.
- TLS combines an asymmetric handshake with AES-GCM bulk encryption, so an examiner reading a TLS session in a packet capture must understand both layers to reconstruct the evidence correctly.
This topic covers the network-security architecture a forensic examiner must know in working detail: firewall types from packet filter to NGFW, IDS and IPS deployment, IPSec and TLS as they appear on the wire, the VPN families used in Indian enterprise and consumer settings under the CERT-In Direction 2022, the Indian Public Key Infrastructure governed by the Controller of Certifying Authorities, and SIEM patterns including the 180-day log-retention mandate. Cross-links run to live packet capture, networking fundamentals and network attacks.
By the end of this topic you will be able to:
- Distinguish packet-filter, stateful, application-proxy, NGFW and WAF firewalls by their state-tracking and application-awareness capabilities, and identify the deployment context appropriate to each.
- Explain the architectural difference between IDS and IPS deployment (SPAN/TAP versus inline), and compare Snort, Suricata and Zeek by detection model, output format and forensic use case.
- Describe IPSec AH and ESP in transport and tunnel mode, the IKEv2 negotiation sequence, and how TLS 1.3 differs from TLS 1.2 in handshake structure, cipher-suite selection and forward-secrecy guarantees.
- Identify the CERT-In Direction 2022 obligations for VPN providers and service operators, and explain the SIEM hot/warm/cold storage architecture needed to satisfy the 180-day retention window.
- Trace a PKI certificate chain from leaf to root, explain CRL and OCSP stapling, and identify the Indian CCA-licensed certifying authorities whose Class 3 DSCs carry legal validity under IT Act 2000.
- Stateful firewall: A firewall that tracks the state of TCP connections in a connection table and permits return traffic of an established flow without re-evaluating ACLs. Standard since the 1990s; the baseline for any production perimeter.
- NGFW: Next-generation firewall, meaning stateful packet inspection plus application identification, integrated IPS, TLS inspection and user-identity awareness. Palo Alto, Fortinet, Check Point and Cisco Firepower are the dominant vendors.
- IDS vs IPS: An intrusion detection system observes copied traffic and alerts. An intrusion prevention system sits inline on the data path and blocks. Snort and Suricata operate as either; Zeek (formerly Bro) is a flow-analysis engine that is detection-only.
- IPSec AH and ESP: Authentication Header provides integrity and origin authentication only. Encapsulating Security Payload provides confidentiality plus optional integrity. Almost all modern IPSec deployments use ESP; AH-only is rare.
- Kerberos: An MIT-designed authentication protocol using a Key Distribution Centre, ticket-granting tickets and service tickets. The backbone of Active Directory authentication. Replay-protected via timestamps and a 5-minute clock skew tolerance.
- CERT-In Direction April 2022: Indian government directive under IT Act Section 70B(6) that requires service providers, data centres, intermediaries and VPN providers to maintain logs for 180 days, report covered incidents within 6 hours, and (for VPN providers) retain 5 years of subscriber KYC.
Firewalls: packet filter to NGFW
A packet filter inspects each packet against an access control list of source IP, destination IP, source port, destination port and protocol. The DEC SEAL (Secure External Access Link, first sold in 1991 and shipped in 1992) was an application-layer proxy firewall, not a packet filter; the Cisco IOS access lists of the early 1990s are the canonical packet-filter example. They are stateless: the firewall does not know that packet 2 is part of the same conversation as packet 1, so the operator must write a return-path rule for every outbound rule. Stateless filters are still appropriate at very high speeds (BGP-edge ACLs, DDoS scrubbing fronts) where state tracking is too expensive.
Stateful packet inspection, introduced commercially by Check Point FireWall-1 in 1994, tracks the TCP state machine. The firewall sees the SYN, records the 5-tuple plus initial sequence number in a connection table, and permits the matching SYN-ACK and subsequent ACKed segments without re-evaluating the rule base. For UDP, which has no connection state in the protocol, the firewall uses idle timers as a proxy for state. SPI is the baseline for every production perimeter.
Application-layer firewalls, also called proxy firewalls, terminate the connection at the firewall, parse the application protocol (HTTP, SMTP, FTP), and reconstruct a new connection to the destination. The 1990s WinGate and the Squid HTTP proxy are the classic examples. The cost is latency and per-protocol code; the gain is full visibility into the application payload.
Next-generation firewalls combine SPI, application identification (App-ID in Palo Alto, FortiGuard in Fortinet), integrated IPS signatures, TLS inspection (the firewall acts as a controlled man-in-the-middle with a trusted-by-endpoint CA), user-identity mapping from Active Directory or LDAP, and threat-intel-fed URL and IP reputation. Web Application Firewalls are a specialised subset focused on HTTP and HTTPS at Layer 7, with rule sets like the OWASP ModSecurity Core Rule Set, AWS WAF managed rules, or Cloudflare's managed rule packs.
| Class | State tracking | App awareness | TLS inspection | Typical placement |
|---|---|---|---|---|
| Packet filter | No | No | No | Router edge ACL, DDoS scrubbing |
| Stateful (SPI) | Yes | No | No | Branch perimeter, internal segmentation |
| Application proxy | Yes | Yes (per protocol) | Terminates | Legacy SMTP / HTTP gateways |
| NGFW | Yes | Yes | Optional, in-firewall MITM | Internet perimeter, data centre edge |
| WAF | Per-request | HTTP / HTTPS only | Terminates | In front of web application |
The Indian anchor is the public-sector NGFW rollout under the MeitY-driven secure perimeter standards. RBI's master directions on Cyber Security for banks require NGFW deployment at internet-facing perimeters with logged TLS inspection where legally permissible. CERT-In's 2024 perimeter advisory for state DCs named Palo Alto PA-Series, Fortinet FortiGate and Check Point Quantum as conformant choices. A state SFSL examining a bank breach in 2024 found that the perimeter NGFW had logged the initial command-and-control beacon under the App-ID tor two weeks before the data exfiltration, but no SIEM correlation rule fired because the alert tier was set to informational.

IDS and IPS: Snort, Suricata, Zeek
An IDS sits off the data path, typically on a SPAN or TAP port, and observes a copy of network traffic. Detection latency is irrelevant because the IDS is not blocking; the IDS produces alerts that humans or SOAR workflows act on. An IPS sits inline on the data path and either passes or drops each packet in real time. The functional engine is often the same software (Snort and Suricata both support inline mode); the deployment is what makes it an IDS or IPS.
Snort, written by Martin Roesch in 1998, is the original and still widely deployed. Its rule syntax is the de facto teaching standard. A Snort rule looks like `alert tcp any any -> $HOME_NET 445 (msg:"SMB exploit attempt"; content:"|FF|SMB"; sid:1000001; rev:1;)`. The rule header is action, protocol, source, port, direction, destination, port. The options are content matches, regex, flow state and metadata. Subscribed rule sets from Cisco Talos (formerly VRT) and Emerging Threats keep the corpus current.
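To make the header/option structure concrete, here is an added example (not Snort code, and not from the original page) that parses the rule quoted above into its header fields and decoded `content` patterns, then evaluates it against constructed SMB1 and SMB2 payloads. It assumes a hypothetical `HOME_NET` of 10.0.0.0/8 and handles only the common keywords, not negation, port lists, `pcre` or `flow`.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the rule quoted above, plus the variable a snort.conf would define.
SAMPLE_RULE = ('alert tcp any any -> $HOME_NET 445 '
               '(msg:"SMB exploit attempt"; content:"|FF|SMB"; sid:1000001; rev:1;)')
VARIABLES = {'HOME_NET': '10.0.0.0/8'}

# Header: action proto src sport direction dst dport, then the option body in parentheses.
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)
# Option: keyword, optional ":value" (a quoted value may contain ';'), terminated by ';'.
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

@dataclass
class SnortRule:
    action: str
    proto: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: dict = field(default_factory=dict)
    contents: list = field(default_factory=list)   # decoded content patterns, as bytes

def decode_content(value: str) -> bytes:
    """Snort content syntax: text outside |...| is literal, text inside is hex bytes."""
    out = bytearray()
    for i, part in enumerate(value.split('|')):
        out += part.encode('latin-1') if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

def parse_rule(text: str) -> SnortRule:
    """Parse header and options. Subset only: no '!' negation, port lists, pcre or flow keywords."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError('not a Snort rule')
    rule = SnortRule(*m.groups()[:7])
    for key, val in OPTION_RE.findall(m.group(8)):
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        rule.options[key] = val
        if key == 'content':
            rule.contents.append(decode_content(val))
    return rule

def addr_matches(spec: str, ip: str, variables: dict) -> bool:
    """'any', a $VARIABLE, or a [comma,list] of CIDRs or hosts."""
    if spec == 'any':
        return True
    if spec.startswith('$'):
        spec = variables[spec[1:]]
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False)
               for n in spec.strip('[]').split(','))

def port_matches(spec: str, port: int) -> bool:
    return spec == 'any' or int(spec) == port

def rule_matches(rule: SnortRule, proto: str, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int, payload: bytes, variables: dict) -> bool:
    """Header fields first, then every content pattern must occur somewhere in the payload."""
    return (rule.proto == proto
            and addr_matches(rule.src, src_ip, variables) and port_matches(rule.src_port, src_port)
            and addr_matches(rule.dst, dst_ip, variables) and port_matches(rule.dst_port, dst_port)
            and all(pattern in payload for pattern in rule.contents))

# Constructed payloads: an SMB1 negotiate (NetBIOS length, then 0xFF 'SMB') and an SMB2 header (0xFE 'SMB').
SMB1_PAYLOAD = b'\x00\x00\x00\x2f\xffSMBr\x00\x00\x00\x00'
SMB2_PAYLOAD = b'\x00\x00\x00\x40\xfeSMB@\x00\x00\x00'
```

The SMB2 payload shows why a content match on `|FF|SMB` says nothing about SMB2 traffic: a rule fires on exactly the bytes it names and nothing else.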
Suricata, first released in 2010, is the modern multi-threaded reimplementation with broad rule compatibility with Snort plus protocol-aware logging, file extraction and JSON output via the EVE format. The EVE JSON stream is the standard input to a SIEM. Zeek, originally Bro, is a different model entirely: instead of pattern-matching, Zeek scripts produce structured flow logs (conn.log, http.log, dns.log, ssl.log, x509.log, files.log) that an analyst queries. Zeek is detection by query, not detection by signature.
| Tool | Model | Mode | Output | Use case |
|---|---|---|---|---|
| Snort 3 | Signature | IDS / IPS | alert log, PCAP | Classical signature detection, inline blocking |
| Suricata | Signature plus protocol | IDS / IPS | EVE JSON, PCAP, extracted files | SIEM-fed detection, multi-threaded high speed |
| Zeek (Bro) | Flow analysis | Detection only | structured logs per protocol | Threat hunting, retrospective analysis |
| OSSEC / Wazuh | Host-based | Detection | agent JSON to manager | HIDS: file integrity, log monitoring |
The HIDS versus NIDS split matters for placement and for the kind of evidence each produces. A NIDS sees what crosses the wire and is blind to encrypted payloads (unless TLS is terminated upstream). A HIDS sees process executions, file changes, login events and local logs on the endpoint, and is blind to traffic the host did not generate. OSSEC and its modern fork Wazuh are the dominant open-source HIDS agents, integrating with file integrity monitoring (which directories are monitored, what change triggered the alert), rootkit detection, and a manager that ships events to a SIEM.
Signature-based detection finds what you have already seen elsewhere. Anomaly-based detection (statistical baselines, machine-learning flow classifiers) finds deviations from learned normal. Anomaly detection has a higher false-positive cost and a higher operator-skill ceiling, which is why most Indian enterprise SOC teams run signature-driven Suricata or NGFW IPS as the primary engine and reserve anomaly detection (Darktrace, ExtraHop, in-house Zeek scripts) for the threat-hunting layer.
IPSec and TLS on the wire
IPSec operates at Layer 3. It protects entire IP datagrams (transport mode protects the payload; tunnel mode wraps the whole original packet inside a new outer IP header). Authentication Header is the older choice and provides integrity plus origin authentication, computed across the IP header and payload. AH does not provide confidentiality. Encapsulating Security Payload is the standard choice and provides confidentiality (with an optional integrity tag) over the payload only (transport) or the inner packet (tunnel). Almost all modern deployments use ESP.
Key exchange in IPSec is Internet Key Exchange. IKEv1 (RFC 2409, 1998) is the legacy version with main mode and aggressive mode; aggressive mode is deprecated because it leaks the PSK hash in the clear. IKEv2 (RFC 7296, 2014) is the modern version with simpler state, EAP integration, and built-in NAT traversal. IKEv2 negotiates the SA parameters and the keying material; ESP carries the data once the SA is up.

TLS operates at Layer 4 and above. Where IPSec wraps the IP packet, TLS wraps the application stream over a TCP connection (or a QUIC stream over UDP). TLS 1.0 (1999) and TLS 1.1 (2006) are deprecated and removed from modern browsers since 2020; they fell to BEAST and to known weaknesses in their MAC-then-encrypt construction with RC4 and CBC ciphers. SSL 3.0 (1996) fell to POODLE in 2014. TLS 1.2 (2008) remains widely supported and secure when configured with AEAD cipher suites (AES-GCM, ChaCha20-Poly1305) and modern key exchange (ECDHE).
TLS 1.3 (2018) is a near-rewrite. The handshake is a single round-trip in most cases (1-RTT, with 0-RTT for resumed sessions). All non-AEAD ciphers and all RSA key exchange are removed. Forward secrecy is mandatory. The cipher-suite namespace is reduced from over a hundred TLS 1.2 suites to five: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256 and TLS_AES_128_CCM_8_SHA256. A cipher-suite string like TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is unambiguously TLS 1.2 because TLS 1.3 strings have a different structure.
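An added example (my code, not from the page) that applies the naming rule above: it classifies a cipher-suite string by version structure, checks whether the key exchange is ephemeral and the cipher AEAD, and audits a constructed server list the way a reviewer of a capture or configuration would.

```python
import re

# The five TLS 1.3 suites named above: AEAD cipher plus HKDF hash only; no key-exchange or
# signature component, because TLS 1.3 negotiates those separately and always ephemerally.
TLS13_SUITES = {
    'TLS_AES_128_GCM_SHA256', 'TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256',
    'TLS_AES_128_CCM_SHA256', 'TLS_AES_128_CCM_8_SHA256',
}
# Name structure used by TLS 1.2 and earlier, never by TLS 1.3:
# TLS_<key exchange and auth>_WITH_<bulk cipher>_<hash or MAC>
TLS12_NAME = re.compile(r'^TLS_(?P<kex>.+?)_WITH_(?P<bulk>.+)$')
AEAD_MARKERS = ('GCM', 'CCM', 'POLY1305')

def classify_suite(name: str) -> dict:
    """Read a cipher-suite name as it appears in a ServerHello or a server config: which protocol
    structure it has, whether the key exchange is ephemeral, whether the cipher is AEAD."""
    name = name.strip()
    if name in TLS13_SUITES:
        return {'suite': name, 'version': '1.3', 'kex': 'ephemeral (EC)DHE, negotiated separately',
                'bulk': name[4:], 'forward_secrecy': True, 'aead': True, 'issues': []}
    m = TLS12_NAME.match(name)
    if not m:
        raise ValueError(f'unrecognised cipher-suite name: {name}')
    kex, bulk = m.group('kex'), m.group('bulk')
    issues = []
    forward_secrecy = kex.startswith(('ECDHE', 'DHE'))   # ephemeral DH; RSA, DH and ECDH are static
    if not forward_secrecy:
        issues.append('no forward secrecy (static key exchange)')
    aead = any(marker in bulk for marker in AEAD_MARKERS)
    if not aead:
        issues.append('non-AEAD cipher (CBC MAC-then-encrypt or stream cipher)')
    if 'anon' in kex.lower():
        issues.append('unauthenticated key exchange')
    if 'NULL' in bulk or 'EXPORT' in name:
        issues.append('null or export-grade cipher')
    if 'RC4' in bulk or '3DES' in bulk or 'DES' in bulk.split('_'):
        issues.append('legacy cipher (RC4, 3DES or DES)')
    return {'suite': name, 'version': '1.2', 'kex': kex, 'bulk': bulk,
            'forward_secrecy': forward_secrecy, 'aead': aead, 'issues': issues}

def acceptable(name: str) -> bool:
    """A suite passes if it is TLS 1.3, or TLS 1.2 with ECDHE/DHE key exchange and an AEAD cipher."""
    return not classify_suite(name)['issues']

def audit_offer(names) -> dict:
    """Given a configured or offered list, return the suites to remove with the reasons."""
    return {n: classify_suite(n)['issues'] for n in names if not acceptable(n)}

# Constructed sample list, the mixture often found in an older server configuration.
SAMPLE_OFFER = [
    'TLS_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_RC4_128_SHA',
]
```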
Certificate validation in TLS chains from the server's leaf certificate through one or more intermediates to a trusted root. Revocation is checked via Certificate Revocation Lists (long, slow, downloaded periodically) or Online Certificate Status Protocol (per-cert query at handshake time, with OCSP stapling allowing the server to attach a recent OCSP response so the client does not have to contact the CA at all). OCSP stapling is the modern default and is what an examiner expects to see in a clean TLS 1.3 capture.
VPNs and the CERT-In Direction
Site-to-site VPNs are typically IPSec ESP in tunnel mode between two gateway routers or firewalls. Cisco IOS, FortiGate, Palo Alto, Juniper SRX and pfSense all interop on IKEv2 plus ESP. Configuration is identical in shape: phase 1 (IKE SA) negotiation parameters, phase 2 (IPSec SA) parameters, traffic selectors that name the source and destination subnets, plus a pre-shared key or X.509 certificate.
Remote-access VPNs come in three families. IPSec remote access (Cisco's classic AnyConnect predecessor, strongSwan, Windows built-in IKEv2) uses IKEv2 with EAP for user authentication. OpenVPN, originally an open-source community project, runs over TCP or UDP on a single configurable port (often 1194 or 443), uses TLS for the control channel and a separate symmetric session key for the data channel. WireGuard, designed by Jason Donenfeld and added to the Linux kernel in 5.6 (March 2020), is a deliberately minimal protocol: a single Noise-IK handshake, ChaCha20-Poly1305 AEAD, no negotiation, fewer than 5000 lines of kernel code. WireGuard is the modern default for new deployments where both ends are under operator control.
SSL VPNs are TLS-terminated at the gateway: the client speaks TLS to a portal (Cisco AnyConnect, Pulse Connect Secure, Citrix Gateway, Fortinet SSL VPN) and the gateway proxies traffic into the corporate network. The advantage is that TLS on TCP 443 traverses any firewall that allows web browsing. The disadvantage is the proxy gateway becomes a high-value target; CVE-2019-11510 (Pulse), CVE-2020-3452 (Cisco ASA) and CVE-2023-27997 (Fortinet) all demonstrated the cost when the SSL VPN gateway is the attacker's entry point.
The Indian anchor in this section is the Direction itself. Every Indian enterprise SOC has a documented logging baseline that maps each system class (firewall, IDS, server, VPN concentrator, AD controller) to the events required to meet the 180-day retention. CERT-In Form A and Form B templates name the categories of incident that trigger the 6-hour reporting clock (data breaches, unauthorised access, ransomware, identity theft, DDoS, large-scale spam, intrusion into critical information infrastructure). Failing to report is itself an offence under IT Act Section 70B.
Authentication: Kerberos, LDAP, MFA, PKI
Password-only authentication has been considered insufficient on its own for production systems since at least the NIST SP 800-63 revisions of the mid-2010s. The replacements come in layers. Challenge-response protocols (CHAP, MS-CHAP-v2) avoid sending the password in the clear and prove possession to the server, but the captured exchange is offline-crackable; the eaphammer rogue-AP attack pattern from the wireless topic targets exactly this.
Kerberos is the dominant network authentication protocol on Windows networks because Active Directory is built on it. The Key Distribution Centre is the AD domain controller. A user authenticates once to the KDC and receives a Ticket Granting Ticket. To access a service (a file share, SQL server, web app on IIS), the user presents the TGT and asks the KDC for a service ticket scoped to that service's principal name. The service ticket is encrypted with the service account's long-term key. Replay protection is via timestamps and a clock-skew tolerance, which is why AD domains require their clocks aligned within 5 minutes; Kerberoasting and Pass-the-Ticket attacks exploit weaknesses in service-account keys and ticket lifetimes respectively.
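The timestamp check on its own only narrows a replay to the 5-minute window; RFC 4120 therefore also requires the service to keep a replay cache of authenticators seen inside that window. The following is an added example of the service-side logic (mine, not MIT's or Microsoft's code), simplified so the ticket is assumed already decrypted and times are Unix seconds; the error names are the RFC 4120 ones.

```python
# Kerberos (RFC 4120) default clock-skew tolerance; Active Directory enforces 5 minutes.
MAX_SKEW_SECONDS = 300

class ApReqValidator:
    """Service-side check of the AP-REQ authenticator, simplified: the ticket is assumed to have
    been decrypted with the service's long-term key already, so only the authenticator's
    (client, ctime, cusec) triple is examined. Two controls work together: the skew window bounds
    how long any authenticator is usable at all, and the replay cache rejects a second
    presentation of the same authenticator inside that window. Times are Unix seconds."""

    def __init__(self, skew: int = MAX_SKEW_SECONDS):
        self.skew = skew
        self.cache = {}   # (client, ctime, cusec) -> time first seen

    def _expire(self, now: int) -> None:
        # An entry older than the skew window can never be accepted again, so it can be dropped;
        # this keeps the cache bounded without weakening the replay check.
        self.cache = {k: seen for k, seen in self.cache.items() if now - seen <= self.skew}

    def check(self, client: str, ctime: int, cusec: int, now: int):
        """Return (accepted, kerberos_error_name_or_None)."""
        self._expire(now)
        if abs(now - ctime) > self.skew:
            return False, 'KRB_AP_ERR_SKEW'      # stale or future-dated beyond tolerance
        key = (client, ctime, cusec)
        if key in self.cache:
            return False, 'KRB_AP_ERR_REPEAT'    # same authenticator presented a second time
        self.cache[key] = now
        return True, None
```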
LDAP is the directory protocol Kerberos rides on top of in AD. Each user, group and computer is an object in the directory with a distinguished name (DN) that names the path through organisational units (`CN=ravi,OU=Mumbai,OU=Branches,DC=bank,DC=in`). The schema defines what attributes exist on each object class. `ldapsearch` is the standard query tool; the LDAP filter language (for example `(&(objectClass=user)(memberOf=CN=Admins,...))`) is the language an examiner uses to enumerate accounts during incident response.
- MFA factor 1: password. Something you know. Required, not sufficient. Subject to phishing, credential stuffing, password spraying.
- MFA factor 2: TOTP or HOTP. Something you have, as a software token. Google Authenticator, Authy, FreeOTP implement RFC 6238 TOTP. The shared seed is provisioned by QR scan; verification is a 6-digit code valid for 30 seconds.
- MFA factor 2 alternative: push. Duo Push, Microsoft Authenticator push. The user taps approve on a prompt. Faster than TOTP but vulnerable to MFA fatigue attacks where the attacker spams prompts until the user taps.
- MFA factor 2 stronger: FIDO2 / WebAuthn hardware. YubiKey, Feitian, Solokey. Public-key challenge bound to the relying party origin, phishing-resistant by construction. The recommended factor for high-value accounts.
PKI is the framework that makes asymmetric authentication usable at scale. A Certifying Authority (CA) signs subordinate intermediate CAs, which sign leaf certificates for users, servers and code-signing identities. The chain is validated by walking from the leaf back to a trusted root that the verifier already has installed. Revocation is via CRL or OCSP. The Indian anchor is the Controller of Certifying Authorities under MeitY, established under IT Act 2000 Section 17. The CCA issues licences to a small set of Indian CAs: eMudhra, Sify (operating as SafeScrypt CA), the National Informatics Centre's NICCA, Capricorn, Verasys (Vsign) and the Institute for Development and Research in Banking Technology's IDRBT. Class 2 and Class 3 Digital Signature Certificates issued by these CAs are what an Indian taxpayer or company director uses to sign income-tax returns, ROC filings and GST documents. Class 3 DSCs on hardware tokens (USB cryptographic tokens like ePass2003, mToken, ProxKey) are the practical implementation; private key extraction from a properly configured Class 3 token is computationally infeasible.
Segmentation, SIEM and the zero-trust shift
Network segmentation prevents a compromise in one zone from spreading laterally. Classical segmentation uses VLANs to separate broadcast domains and a DMZ to isolate internet-facing services from the internal LAN. The DMZ holds the public web server, mail relay and reverse-proxy gateway; a compromise of any of these reaches the internal network only through firewalled paths the DMZ-to-internal rules explicitly allow.
Micro-segmentation pushes the boundary down to the workload. Each VM, container or even process gets its own policy, enforced by a host-resident agent (Illumio, Guardicore Centra, VMware NSX). The 2014 Google BeyondCorp paper and the subsequent zero-trust movement reframed the perimeter entirely: no implicit trust from network location, every request authenticated and authorised at the application layer, device posture continuously evaluated. NIST SP 800-207 (2020) is the canonical zero-trust architecture document. Indian government adoption of zero-trust is uneven; MeitY's 2023 cybersecurity guidance for critical sector entities references the model without mandating it.
NAC is the older bridge between network identity and physical access. 802.1X port-based authentication requires every device that plugs into a switch port (or associates with a corporate Wi-Fi BSSID) to authenticate via EAP before the port carries any non-EAP traffic. Posture assessment extends this: a device that authenticates but has out-of-date AV signatures or missing patches is placed in a remediation VLAN. Cisco Identity Services Engine and Aruba ClearPass are the dominant NAC platforms in the Indian enterprise.
| SIEM platform | Origin | Indian presence | Typical deployment |
|---|---|---|---|
| Splunk Enterprise / Cloud | Splunk Inc, USA | Large BFSI, telecom | On-premises and cloud; high licence cost per indexed GB |
| IBM QRadar | IBM, USA | PSU banks, defence-adjacent | On-premises appliance, mature correlation engine |
| Microsoft Sentinel | Microsoft, USA | Azure-first Indian enterprises | Cloud-native, Log Analytics workspace backend |
| Elastic Stack (ELK) | Elastic NV, Netherlands | Mid-market, government | Open-source core; self-hosted is common |
| Wazuh | Wazuh Inc, USA | Small enterprise, MSSP | Open-source HIDS plus SIEM; ELK backend |
| Graylog | Graylog Inc, USA / Germany | Mid-market, education | Open-source core; Mongo plus OpenSearch backend |
SIEM workflow has three layers. Collection: log shippers (Filebeat, Fluentd, Splunk Universal Forwarder, Wazuh agent) carry events from firewalls, IDS, servers, AD, VPN concentrators and cloud audit logs into the SIEM. Normalisation: events are parsed into a common schema (Elastic Common Schema, Splunk CIM, OCSF) so a "failed login" looks the same regardless of source. Correlation: rules and queries fire detections, often expressed in Sigma rules that translate into the platform's native query language (SPL for Splunk, KQL for Sentinel, EQL for Elastic). Threat-intel integration enriches events with IoC matches from MISP, OTX or commercial feeds.
The 180-day retention from the CERT-In Direction is a SIEM problem in practice: indexed log volume at an Indian Tier-1 bank runs to tens of terabytes per day, so the SIEM design splits hot storage (fast search, 30 to 60 days) from warm/cold storage (slower search, 180+ days) on object storage with tiered policies. The cross-link to live packet capture and traffic analysis covers the packet-level side that feeds the network logs into this stack.
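The collection, normalisation and correlation layers above, as an added example (my code, not any SIEM vendor's): constructed Suricata EVE and NGFW records are normalised into a small ECS-style schema, a Sigma-style rule held as a dict is evaluated against them, and a second-stage threshold flags repeated matches from one source. The rule keys on the application rather than the vendor severity tier, which is the gap in the bank case described earlier in this topic. The NGFW JSON layout is a made-up vendor-neutral format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real vendor output): one Suricata EVE alert plus NGFW traffic
# records in a made-up vendor-neutral JSON. The tor records sit at the informational tier.
RAW_EVENTS = [
    ('suricata', '{"timestamp":"2024-05-01T10:00:00+0530","event_type":"alert","src_ip":"10.1.2.3",'
                 '"dest_ip":"198.51.100.7","dest_port":9001,"alert":{"signature":"ET POLICY Possible Tor connection","severity":3}}'),
    ('ngfw', '{"time":"2024-05-01T10:00:05+0530","src":"10.1.2.3","dst":"198.51.100.7","dport":9001,"app":"tor","sev":"informational"}'),
    ('ngfw', '{"time":"2024-05-01T10:10:05+0530","src":"10.1.2.3","dst":"198.51.100.7","dport":9001,"app":"tor","sev":"informational"}'),
    ('ngfw', '{"time":"2024-05-01T10:20:05+0530","src":"10.1.2.3","dst":"198.51.100.7","dport":9001,"app":"tor","sev":"informational"}'),
    ('ngfw', '{"time":"2024-05-01T10:21:00+0530","src":"10.1.2.9","dst":"203.0.113.10","dport":443,"app":"web-browsing","sev":"informational"}'),
]
TS_FORMAT = '%Y-%m-%dT%H:%M:%S%z'   # strptime's %z accepts the +0530 form that EVE emits

def normalise(source: str, raw: str) -> dict:
    """Map each source's native fields onto a small ECS-style schema, so rules are written once."""
    d = json.loads(raw)
    if source == 'suricata':
        return {'@timestamp': datetime.strptime(d['timestamp'], TS_FORMAT), 'event.provider': source,
                'source.ip': d['src_ip'], 'destination.ip': d['dest_ip'], 'destination.port': d['dest_port'],
                'rule.name': d['alert']['signature'], 'event.severity': str(d['alert']['severity']),
                'network.application': ''}
    if source == 'ngfw':
        return {'@timestamp': datetime.strptime(d['time'], TS_FORMAT), 'event.provider': source,
                'source.ip': d['src'], 'destination.ip': d['dst'], 'destination.port': d['dport'],
                'rule.name': '', 'event.severity': d['sev'], 'network.application': d['app']}
    raise ValueError(f'no parser for source {source}')

# Sigma-style rule held as a dict (same shape as the YAML). It keys on the application and the
# source network, deliberately not on the vendor's severity tier.
TOR_EGRESS_RULE = {
    'title': 'Tor application seen leaving the internal network',
    'detection': {'selection': {'network.application': 'tor', 'source.ip|startswith': '10.'},
                  'condition': 'selection'},
    'level': 'high',
}

def field_matches(event: dict, key: str, expected) -> bool:
    """Sigma field syntax: plain name means equality; '|contains' and '|startswith' modifiers."""
    name, _, modifier = key.partition('|')
    value, expected = str(event.get(name, '')).lower(), str(expected).lower()
    if modifier == 'contains':
        return expected in value
    if modifier == 'startswith':
        return value.startswith(expected)
    return value == expected

def sigma_matches(rule: dict, event: dict) -> bool:
    """Evaluator for rules whose condition is a single 'selection' (every field must match)."""
    return all(field_matches(event, k, v) for k, v in rule['detection']['selection'].items())

def beaconing_sources(events, rule, min_hits: int = 3, window_minutes: int = 60) -> dict:
    """Second stage: sources with at least min_hits rule matches inside one sliding window."""
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e['@timestamp']):
        if sigma_matches(rule, e):
            hits[e['source.ip']].append(e['@timestamp'])
    flagged = {}
    for src, times in hits.items():
        if any(times[i + min_hits - 1] - times[i] <= window for i in range(len(times) - min_hits + 1)):
            flagged[src] = len(times)
    return flagged

EVENTS = [normalise(src, raw) for src, raw in RAW_EVENTS]
```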
Frequently asked questions
Why do most Indian enterprises still run Snort or Suricata alongside an NGFW IPS?
Is OpenVPN or WireGuard the right choice for a new corporate VPN in 2026?
How does the CERT-In Direction affect a SaaS company hosting Indian users from servers outside India?
What does a Class 3 Digital Signature Certificate on an ePass2003 token actually protect?
Should an Indian SOC team prefer Splunk or open-source ELK for SIEM?
How does Kerberos prevent replay attacks?
What is the relationship between NAC and zero-trust?