Siksha Sarovar

Siksha Sarovar (sikshasarovar.com) is a free educational web application that helps students in India learn programming and prepare for academic and competitive exams. The platform offers structured coding courses (C, C++, Python, Java, HTML, CSS, PHP, Power BI, AI, Machine Learning, Data Science), complete university curriculum notes for BCA/MCA students with previous year question papers, Class 10 and Class 12 CBSE/HBSE school notes, and dedicated preparation material for SSC, UPSC, Banking, Railway and other government exams. Browsing the site is completely free and requires no account. Users may optionally sign in with Google solely to save their learning progress, quiz scores and personal preferences across devices.

Privacy Policy | Terms of Service | Contact Siksha Sarovar | About Siksha Sarovar

v4.0.9 · PWA
Siksha Sarovar logo
Siksha Sarovar
Your Learning Universe

Siksha Sarovar is a free e-learning platform for coding courses, BCA university notes and competitive exam preparation. Optional Google sign-in saves your learning progress across devices.

Initializing knowledge base…
Compiling modules 0%

Web Security, Firewalls, Email Security & Identity Management

Lesson 12 of 15 in the free Cyber Security notes on Siksha Sarovar, written by Rohit Jangra.

Web Security, Firewalls, Email Security & Identity Management

This lesson covers the practical application of security controls to protect web communications, email, and user identities — the three most critical communication channels in modern organizations. These topics bridge the theoretical cryptography from Lessons 9–11 with real-world deployment.

---

HTTP Security — From HTTP to HTTPS

HTTP (HyperText Transfer Protocol) is inherently insecure — all data is transmitted in plaintext, readable by any network observer. HTTPS adds TLS (Transport Layer Security) encryption over HTTP.

TLS Handshake Process (TLS 1.3 — simplified):

  1. ClientHello: Browser sends supported TLS versions, cipher suites, key share (ECDHE)
  2. ServerHello: Server selects cipher suite, responds with key share + certificate
  3. Certificate Verification: Browser verifies server certificate against trusted CA store
  4. Key Derivation: Both sides independently derive same session keys from ECDHE exchange
  5. Finished: Encrypted communication begins
HTTP Security FeatureWhat It DoesHeader / MechanismProtects Against
HTTPS / TLS 1.3Encrypts all HTTP trafficTLS handshake + certificateEavesdropping, MitM
HSTSForces HTTPS, prevents downgradeStrict-Transport-Security headerSSL stripping attacks
CSPControls which resources browser loadsContent-Security-Policy headerXSS, clickjacking
X-Frame-OptionsPrevents embedding in iframesX-Frame-Options: DENY/SAMEORIGINClickjacking
Certificate PinningHardcodes expected certificateIn app/browserMitM with rogue CA
CORSControls cross-origin requestsAccess-Control-Allow-Origin headerCross-origin data theft
SameSite CookiesPrevents cross-site cookie sendingCookie SameSite attributeCSRF attacks

---

Firewalls — Types and Operation

A firewall is a network security device (hardware or software) that monitors and controls incoming/outgoing network traffic based on predetermined security rules. It establishes a barrier between trusted internal networks and untrusted external networks.

Types of Firewalls:

Firewall TypeOSI LayerHow It FiltersSpeedState AwarenessModern Use
Packet FilteringLayer 3–4Source/dest IP, port, protocolVery FastStatelessRouter ACLs, basic perimeter
Stateful InspectionLayer 3–4Tracks TCP connection stateFastStatefulMost enterprise firewalls
Application Layer (Proxy)Layer 7Inspects application contentSlowerFullZscaler, Blue Coat proxies
Next-Gen Firewall (NGFW)Layer 3–7Deep packet inspection + IPS + App IDMediumFullPalo Alto, Fortinet, Check Point
Web Application Firewall (WAF)Layer 7 (HTTP)HTTP request analysis, OWASP rule setsMediumFullModSecurity, AWS WAF, Cloudflare
Host-based FirewallLayer 3–7 (on host)Per-host rulesFastVariesWindows Defender Firewall, iptables

DMZ (Demilitarized Zone) Architecture: A DMZ places publicly accessible servers (web, email, DNS) between two firewalls:

  • Outer Firewall: Separates internet from DMZ — allows only specific ports
  • Inner Firewall: Separates DMZ from internal network — strict rules
  • If a DMZ server is compromised, the attacker still cannot easily access internal systems

---

Email Security — SPF, DKIM, DMARC

Email was designed without security and is trivially forged. Modern email security uses three complementary DNS-based authentication mechanisms:

MechanismFull NameHow It WorksWhat It PreventsDNS Record Type
SPFSender Policy FrameworkLists IP addresses authorized to send email for a domainEmail spoofing (unauthorized senders)TXT record
DKIMDomainKeys Identified MailCryptographic signature on email headers/bodyContent tampering, forgeryTXT record (public key)
DMARCDomain-based Message Authentication, Reporting & ConformancePolicy that combines SPF + DKIM; specifies what to do with failuresPhishing, spoofingTXT record
S/MIMESecure/Multipurpose Internet Mail ExtensionsEnd-to-end encryption + digital signature using X.509 certificatesEavesdropping, forgery, non-repudiationClient-side configuration
PGP/GPGPretty Good PrivacyEnd-to-end encryption using web-of-trust key modelEavesdropping, forgeryClient-side key exchange

DMARC Policy Options:

  • p=none — Monitor only, take no action
  • p=quarantine — Send suspicious emails to spam/junk
  • p=reject — Reject emails failing DMARC checks (strongest protection)

---

Backup Strategies

Backups are a primary control against ransomware and data loss:

Backup TypeWhat It Backs UpTimeStorage NeededRecovery TimeBest Practice
Full BackupAll data, every backupLongLargeFastWeekly
IncrementalOnly changes since last backupShortSmallSlow (chain)Daily
DifferentialChanges since last full backupMediumMediumMediumDaily
Mirror BackupExact real-time copyContinuousSame as sourceInstantFor critical systems

3-2-1 Backup Rule: 3 copies of data, on 2 different media types, with 1 offsite (or cloud).

Exam Tip: Know the three email authentication mechanisms: SPF (who can send), DKIM (message signature), DMARC (policy for failures). Together they significantly reduce email phishing. Also remember: HSTS prevents SSL stripping attacks; CSP prevents XSS attacks via browser policy.

---

Identity Management and Authorization

Identity Management (IdM) is the discipline of managing digital identities (who users are) and their access to resources (what they can do).

Key Concepts:

ConceptDefinitionTechnologyExample
IdentityDigital representation of a person/systemLDAP, Active DirectoryUsername johndoe@company.com
AuthenticationProving you are who you claimPassword, MFA, biometricsGoogle login with 2FA
AuthorizationGranting access to resources based on identityRBAC, ABAC, ACLAdmin can delete, user can read
SSOSingle Sign-On — one login for multiple servicesSAML 2.0, OAuth 2.0, OIDCLogin with Google button
IAMIdentity and Access Management systemAWS IAM, Azure ADManaging cloud permissions
PAMPrivileged Access ManagementCyberArk, BeyondTrustControlling admin account access
FederationTrusting identities across organizationsSAML, WS-FederationUniversity accessing journal via SAML

Authorization Patterns:

PatternFull NameHow It WorksBest ForLimitation
DACDiscretionary Access ControlResource owner grants permissions to othersPersonal file systemsOwner can accidentally grant too much
MACMandatory Access ControlSystem enforces classification levels (Confidential, Secret)Military, governmentRigid, complex to manage
RBACRole-Based Access ControlPermissions assigned to roles; users assigned to rolesEnterprise systemsRole explosion problem
ABACAttribute-Based Access ControlPermissions based on attributes of user, resource, environmentFine-grained cloud IAMComplex policies
PBACPolicy-Based Access ControlCentralized policies combining RBAC + ABACLarge enterprisesRequires sophisticated policy engine

---

Study Deep: Web and Email Security

  1. HTTPS is not the same as safe: A green padlock (HTTPS) only means the connection is encrypted — it does NOT mean the website itself is legitimate or trustworthy. Phishing sites routinely use HTTPS certificates (Let's Encrypt provides free certificates to anyone). Users must check the actual domain name, not just the padlock icon.
  1. DMARC adoption is accelerating: Following high-profile BEC (Business Email Compromise) fraud, CISA issued a directive mandating DMARC for US federal agencies. As of 2023, only ~50% of Fortune 500 companies have DMARC at enforcement level (p=reject). Domains without DMARC can be trivially spoofed for phishing attacks.
  1. Zero Trust Identity (ZTI) replaces perimeter security: Traditional IAM assumed internal network users were trusted. Zero Trust Identity requires continuous re-authentication based on context: device posture, location, time, behavior risk score. Microsoft Conditional Access and Google BeyondCorp Enterprise implement ZTI — even internal requests go through the same security evaluation.
  1. OAuth 2.0 authorization code injection attacks: OAuth 2.0 enables "Login with Google/Facebook." Misconfigured OAuth implementations are vulnerable to authorization code injection, where an attacker substitutes a stolen authorization code for their own. PKCE (Proof Key for Code Exchange) mitigates this by binding the authorization request to the token exchange.
  1. Just-in-Time (JIT) privileged access: Rather than permanently assigning admin roles (standing privileges), JIT access grants elevated privileges only when needed, for a limited time, with approval workflow. CyberArk, BeyondTrust, and Azure AD PIM implement JIT. This dramatically reduces the risk from compromised admin accounts.