In this manner, it makes network management and filtering much easier. Even though a SPF can protect the network infrastructure against certain attacks known to exploit weaknesses inherent in the various network-level protocols, it cannot provide protection at the application level. Application-level defense requires awareness of the content of the payload.
Circuit Proxy Firewall (CPF)
This type of firewall operates by acting as a relaying agent between the external and internal hosts (Stephen, 2004). The whole idea is to protect the network's internal hosts from direct exposure to the outside environment.
The CPF operates by accepting connection requests from internal hosts that want to reach the external world. It then discards the originating device's IP address as well as its network-layer header. The payload is encapsulated in a new header carrying the CPF's own IP address and is then sent on to the outside servers. It is worth noting that a CPF requires some form of authentication before establishing the connection. CPFs can support a very large number of protocols since they do not have to understand the application-level protocols.
Disadvantages of CPF
CPFs are a source of system vulnerability since they cannot provide adequate defense for the system against application-level attacks. They are also prone to passing malicious content through without any form of filtering.
Application Proxy Firewall (APF)
The APFs are application-level gateways that operate on the seventh layer of the OSI model. Just like the CPF, the APF operates as an intermediary between the external and internal hosts (Panko, 2004).
The APF is aware of the application level. It is therefore capable of inspecting application-level commands and discarding malformed ones.
The main disadvantage of this system is that a separate application proxy must be written for each type of application being proxied.
Additionally, the proxy must appropriately decode the specific application protocol, and the application itself must be modified in order to operate with the APF. The APF system is also not effective against malware.
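The contrast drawn above between a packet filter (header-only decisions) and an application proxy (command-aware decisions) can be shown in code. This is an added example, not code from the paper; the packet layout, the 5-tuple rule format, the mail-relay policy and the SMTP-like command set are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int      # destination TCP port
    payload: bytes  # application data carried in the segment

# Packet-filter rules: (action, source network, destination host, destination port).
# Hypothetical policy: internal hosts may reach the mail relay 192.0.2.10 on port 25.
FILTER_RULES = [("allow", "10.0.0.0/8", "192.0.2.10", 25)]

def packet_filter(pkt):
    """Header-only decision, as a packet filter makes it: 'allow' or 'drop'.
    The payload is never examined, so two packets with identical headers get
    the same verdict regardless of what they carry."""
    for action, src_net, dst_ip, dport in FILTER_RULES:
        if (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src_net)
                and pkt.dst == dst_ip and pkt.dport == dport):
            return action
    return "drop"   # default deny

# Application proxy for an SMTP-like protocol: it understands the command syntax.
SMTP_VERBS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"NOOP", b"QUIT"}
MAX_LINE = 512   # RFC 5321 limit on a command line, including the CRLF

def application_proxy(pkt):
    """Layer-7 decision: 'forward' a well-formed command, 'reject' anything else."""
    if packet_filter(pkt) != "allow":
        return "reject"                    # still subject to the network-level policy
    line = pkt.payload
    if len(line) > MAX_LINE or not line.endswith(b"\r\n"):
        return "reject"                    # oversize or unterminated command line
    verb = line[:-2].split(b" ", 1)[0].upper()
    if verb not in SMTP_VERBS:
        return "reject"                    # unknown command word
    return "forward"

# Constructed sample traffic: GOOD and BAD share the same 5-tuple, only the payload differs.
GOOD = Packet("10.1.2.3", "192.0.2.10", 25, b"EHLO client.example\r\n")
BAD = Packet("10.1.2.3", "192.0.2.10", 25, b"EHLO " + b"A" * 2000 + b"\r\n")
OUTSIDER = Packet("198.51.100.7", "192.0.2.10", 25, b"EHLO outside.example\r\n")
```

The packet filter returns the same verdict for GOOD and BAD because it only sees headers; the proxy rejects BAD because it parses the command line.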
Network Address Translation (NAT)
Network Address Translation (NAT) is an IETF standard (Egevang & Francis, 1994) which allows a local area network (LAN) to modify the IP addresses and port numbers in datagram packet headers in order to remap one address space onto another. The main advantage of a NAT system is that it provides a solution to scalability problems where the number of IP addresses available for providing access is limited. In terms of security, a NAT system can be regarded as a device which hides the internal private network addresses of a given network from outsiders, enforcing control over outbound connections while restricting incoming traffic.
NAT is noted to be less effective since it cannot provide adequate defense against malformed packets, malware and application-level attacks.
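The remapping and the inbound restriction described above can be illustrated with a minimal port-translating NAT table. This is an added example, not code from the paper; the packet fields, the mapping policy (a reply is accepted only from the peer that was contacted) and the addresses, taken from the RFC 5737 documentation ranges, are constructed.

```python
from dataclasses import dataclass, replace

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Nat:
    """Hypothetical NAT: rewrites internal source addresses to one public address
    and only lets inbound packets through when they match an existing mapping."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (internal ip, port, peer ip, peer port) -> public port
        self.back = {}   # public port -> (internal ip, port, peer ip, peer port)

    def outbound(self, pkt):
        """Translate an internal->external packet; a mapping is created on first use,
        so the internal address never appears on the public side."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.out.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt):
        """Translate an external->internal packet; None means there is no mapping
        for it (unsolicited, or from a different peer) and it is dropped."""
        key = self.back.get(pkt.dst_port)
        if key is None or (pkt.src_ip, pkt.src_port) != (key[2], key[3]):
            return None
        return replace(pkt, dst_ip=key[0], dst_port=key[1])
```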
Virtual Private Network (VPN)
A Virtual Private Network (VPN) (RFC 2764, 2000) is a method of connecting to a private network via a tunnel which rides on the backbone of a public network such as the Internet. A VPN can employ authenticated links in order to ensure that only authorized entities (hosts) successfully connect to the resources located on the private network.
It can also employ encryption techniques in order to ensure that the confidentiality of the data being transmitted is maintained. A VPN can be configured at different network layers using different network protocols.
The two protocols that this paper focuses on are IPSec and SSL/TLS, which are the security protocols used at layers 3 and 4 of the VPN.
IPSec is regarded as the de facto standard for network security (Kent & Atkinson, 1998). It is the framework used to provide a number of network security services, which include:
Authentication of data origin
Anti-replay integrity, as well as
Disadvantages of IPSec
The disadvantage of IPSec is that it is extremely difficult to control its usage on a per-user basis on a multiuser machine, since it is implemented at the network layer.
At the same time, the cryptographic algorithms of IPSec add overhead to the application and network traffic, so a hardware accelerator may be needed. It is worth noting that IPSec can mitigate some DoS attacks; it is not, however, effective in stopping all of them.
IPSec protects packets irrespective of the content they contain. This means that it cannot protect the network infrastructure against malicious content or malformed headers.
Transport Layer Security (TLS / SSL)
Secure Sockets Layer (SSL) has effectively been renamed by the IETF to Transport Layer Security (TLS) (Dierks & Rescorla, 2008). The TLS/SSL protocol provides security services such as confidentiality, integrity and authentication on top of the Transmission Control Protocol (TCP).
TLS must maintain a context for a given connection, a feature which is currently not implemented over UDP, since UDP maintains no connection context. The security mechanism used in this system is specific to the transport protocol, which implies that services such as key management may have to be duplicated for each transport protocol.
The other limitation of TLS is that applications need to be modified in order to request the security services that reside at the transport layer. Certain TLS configurations and applications can be successfully subjected to man-in-the-middle attacks.
Network Intrusion Detection System (NIDS)
A Network Intrusion Detection System (NIDS) can best be described as a packet sniffer system which passively inspects all inbound and outbound network traffic and issues a notification to the network administrators whenever it identifies patterns that appear suspicious and are indicative of an attack (Zhang, Li, Zheng, 2004).
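The passive inspect-and-alert behaviour described above, as an added example that is not part of the paper: one pass over a constructed two-way trace that never modifies or blocks a packet and only emits alerts. The trace format, the single payload signature and the port-scan threshold are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed trace: (timestamp, src_ip, dst_ip, dst_port, payload), both directions.
TRACE = [
    (0.0, "10.0.0.5", "198.51.100.2", 80, b"GET /index.html HTTP/1.1\r\n"),
    (0.1, "198.51.100.2", "10.0.0.5", 51000, b"HTTP/1.1 200 OK\r\n"),
    (1.0, "10.0.0.5", "198.51.100.2", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
] + [(2.0 + i * 0.01, "203.0.113.9", "10.0.0.5", 20 + i, b"") for i in range(20)]

SIGNATURES = {"path traversal pattern": b"/../"}   # content rule, matched per packet
SCAN_PORTS = 15      # distinct destination ports touched by one source ...
SCAN_WINDOW = 5.0    # ... within this many seconds counts as a port scan

def inspect(trace, signatures=SIGNATURES):
    """Passively walk the trace and return alerts as (timestamp, src, dst, reason).
    Nothing in the trace is altered or dropped; the sensor only observes."""
    alerts = []
    seen = defaultdict(list)   # src_ip -> [(timestamp, dst_port)], unbounded here
    flagged = set()            # sources already reported for scanning
    for ts, src, dst, dport, payload in trace:
        for name, pattern in signatures.items():        # stateless content match
            if pattern in payload:
                alerts.append((ts, src, dst, name))
        seen[src].append((ts, dport))                   # stateful port-scan pattern
        recent = {p for t, p in seen[src] if ts - t <= SCAN_WINDOW}
        if len(recent) >= SCAN_PORTS and src not in flagged:
            flagged.add(src)
            alerts.append((ts, src, dst, f"port scan: {len(recent)} ports"))
    return alerts
```

The content rule fires on a single packet, while the scan rule needs state across packets, which is why a NIDS keeps per-source history rather than judging each packet alone.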
The air gap architecture