4.4 Securing Channels & Networks — SSL, TLS, VPN, Firewall, IDS/IPS
The encryption building blocks of Lesson 3 are assembled into channel security (SSL/TLS, VPN) and network protection (firewalls, IDS/IPS, antivirus).
1. SSL — Secure Sockets Layer (deprecated, replaced by TLS)
SSL (Netscape, 1994) was the first widely adopted protocol for securing channels over TCP. Versions: SSL 1.0 (never released), 2.0 (1995), 3.0 (1996).
All SSL versions are now deprecated due to vulnerabilities (BEAST, POODLE, etc.). Modern systems use TLS.
When people say "SSL" today, they almost always mean TLS. The terms are used interchangeably in casual conversation, but the protocol is TLS.
---
2. TLS — Transport Layer Security
TLS is the successor to SSL — IETF standard, RFC 2246 (1.0, 1999), 4346 (1.1, 2006), 5246 (1.2, 2008), 8446 (1.3, 2018).
| Version | Year | Status |
|---|---|---|
| TLS 1.0 | 1999 | Deprecated (2021) |
| TLS 1.1 | 2006 | Deprecated (2021) |
| TLS 1.2 | 2008 | Current standard (most-used) |
| TLS 1.3 | 2018 | Modern; faster, more secure |
---
How TLS Works — the Handshake
Step-by-step (TLS 1.2)
- ClientHello — client lists supported TLS versions, cipher suites, random nonce
- ServerHello — server picks version + cipher; sends its certificate (with public key) + nonce
- Certificate verification — client validates cert chain up to a trusted root CA
- Key exchange — client generates a pre-master secret, encrypts with server's public key
- Session key derivation — both sides derive session key from pre-master + nonces
- ChangeCipherSpec — both sides switch to symmetric encryption with session key
- Application data — HTTP messages encrypted
TLS 1.3 is faster (1-RTT handshake, vs 2-RTT in 1.2) and removes weak ciphers.
---
What TLS provides
A properly negotiated TLS connection delivers four security properties simultaneously. Confidentiality is achieved by symmetric encryption of the HTTP payload — once the handshake has agreed a session key, all data is encrypted with AES (or ChaCha20), so an eavesdropper sees only ciphertext. Integrity is enforced by a Message Authentication Code (HMAC in TLS 1.2, AEAD construction in TLS 1.3): any tampering with the ciphertext causes the MAC to fail and the connection is torn down. Authentication comes from the server's X.509 certificate — the client verifies the certificate's chain up to a trusted root CA, which proves the server is who it claims to be. Finally, modern TLS provides Forward Secrecy via ephemeral Diffie-Hellman key exchange: each session uses fresh keys that are not derivable from the server's long-term private key, so even if the server's private key is compromised in the future, past recorded sessions cannot be decrypted.
---
HTTPS = HTTP over TLS
Browser ──HTTPS (port 443)──► Web Server
│
└── HTTP layered on top of TLS-encrypted TCP
Visual indicators:
- 🔒 padlock in browser
- "https://" in URL
- "Connection is secure" in browser details
All modern e-commerce sites use HTTPS only. Plain HTTP is shown as "Not secure" by browsers since 2018.
---
Why TLS matters for e-commerce
| Without TLS | With TLS |
|---|---|
| Card number sniffable on public WiFi | Encrypted |
| Login credentials in plaintext | Encrypted |
| Session cookies stealable | Encrypted |
| MITM can inject malicious JS | Cert binding prevents it |
| Lower search ranking (Google penalises HTTP) | Better SEO |
| Browsers show "Not secure" warning | Padlock |
---
3. VPN — Virtual Private Network
A VPN creates an encrypted tunnel between two endpoints over a public network, making it appear as if they are on the same private network.
User's Device
│
▼
VPN Client (encrypts traffic)
│
▼
Public Internet (encrypted tunnel)
│
▼
VPN Server (decrypts, forwards)
│
▼
Destination
VPN protocols
| Protocol | Notes |
|---|---|
| OpenVPN | Open-source, very common |
| WireGuard | Modern, fast, simpler code |
| IPsec | Network-layer, used in enterprise |
| L2TP / IPsec | Tunnel + encryption |
| PPTP | Legacy, insecure |
| SSTP | Microsoft, TLS-based |
| IKEv2 | Fast reconnect, mobile-friendly |
Uses of VPN
| Use | Detail |
|---|---|
| Privacy | Hide IP from sites, hide traffic from ISP |
| Geo-bypass | Watch region-locked Netflix |
| Site-to-site | Connect two offices over Internet securely |
| Remote access | Employee at home connects to office network |
| Public WiFi safety | Encrypt all traffic on coffee shop WiFi |
| Censorship circumvention | Bypass national firewalls |
Commercial VPN providers
- NordVPN, ExpressVPN, Surfshark
- Mullvad, ProtonVPN (privacy-focused)
- Cloudflare WARP (free, basic)
India's VPN rules (2022)
CERT-In mandated VPN providers log user data for 5 years. Several major providers (NordVPN, ExpressVPN, Surfshark) exited Indian servers in response.
---
4. Firewall
A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on rules.
Types of firewalls
| Type | Operation | Layer |
|---|---|---|
| Packet-filtering | Decisions based on IP/port/protocol | Network layer (3-4) |
| Stateful inspection | Tracks connection state | Network + Transport (3-4) |
| Application-layer (proxy) | Inspects application data | Application (7) |
| Next-generation (NGFW) | Stateful + DPI + app-aware + IPS | All layers |
| Web Application Firewall (WAF) | HTTP-specific (OWASP Top 10) | Application |
| Cloud / virtual | Software-based, in cloud (AWS Security Group, Azure NSG) | Various |
Firewall placement
Internet ──► Firewall ──► DMZ ──► Internal firewall ──► Internal network
(web servers) (DB, internal apps)
Rules example
Allow: TCP/443 (HTTPS) from anywhere to web server
Allow: TCP/22 (SSH) from admin IP to web server
Deny: TCP/3306 (MySQL) from anywhere except app server
Deny: All other traffic
Web Application Firewall (WAF)
Specialised firewall for HTTP traffic. Protects against:
- SQL injection
- XSS
- CSRF
- Bot traffic
- Application-layer DDoS
- OWASP Top 10
WAF examples: AWS WAF, Cloudflare, F5, Imperva, Akamai Kona.
---
5. Proxy Servers
A proxy server sits between client and destination, forwarding requests.
Types
| Type | Purpose |
|---|---|
| Forward proxy | Hide client identity from server (corporate proxy filters web access) |
| Reverse proxy | Hide server identity from client (Nginx, Cloudflare) |
| Transparent proxy | Intercepts without client knowledge |
| Anonymous proxy | Hides client IP completely |
| Open / public proxy | Free to use; often unreliable / malicious |
| HTTP / HTTPS proxy | Specific to HTTP traffic |
| SOCKS proxy | Generic TCP proxy |
Proxy uses
- Caching — speed up repeated requests
- Content filtering — block social media at work
- Logging — track employee web usage
- Load balancing — distribute traffic
- Security — hide internal IPs
- Geo-spoofing — appear from another country
---
6. IDS and IPS
IDS (Intrusion Detection System) — monitors network/host for signs of attack and alerts (passive). IPS (Intrusion Prevention System) — monitors AND blocks attacks (active).
IDS / IPS types
| Type | Description |
|---|---|
| NIDS / NIPS | Network-based — sits on network segment |
| HIDS / HIPS | Host-based — on individual servers/endpoints |
| Signature-based | Detects known attack patterns |
| Anomaly-based | Detects deviations from baseline |
| Hybrid | Both |
IDS vs IPS — exam table
| Aspect | IDS | IPS |
|---|---|---|
| Action | Detects + alerts | Detects + blocks |
| Placement | Out-of-band (mirror port) | In-line |
| Latency added | None | Some |
| False positives | Bothersome but not harmful | Can block legit traffic |
| Configuration | Permissive | Strict |
| Risk | Misses some attacks | Blocks legitimate users |
Popular tools
| Tool | Category |
|---|---|
| Snort | NIDS, signature-based, open-source |
| Suricata | NIDS/NIPS, modern, multi-threaded |
| OSSEC | HIDS, open-source |
| Wazuh | HIDS + SIEM, open-source |
| CrowdStrike Falcon | EDR (host) |
| Palo Alto NGFW | NGFW + IPS |
| Cisco Firepower | NGFW + IPS |
---
7. Antivirus and Anti-Malware
Antivirus software detects and removes malicious software.
How antivirus works
| Technique | Description |
|---|---|
| Signature scanning | Match files against known malware signatures |
| Heuristic analysis | Detect suspicious behaviour, even novel |
| Sandboxing | Run suspicious file in isolated env, observe |
| Cloud lookup | Check file hash against cloud DB |
| Behaviour monitoring | Block suspicious actions in real-time |
| Machine learning | Classify files as good/bad |
Major antivirus products
| Product | Origin |
|---|---|
| Microsoft Defender | Built into Windows |
| Norton 360 | USA |
| McAfee | USA |
| Kaspersky | Russia (banned in some countries) |
| Bitdefender | Romania |
| Sophos | UK |
| Quick Heal | India-built |
| K7 Computing | India-built |
Anti-malware vs antivirus
The terminology has evolved as the threat landscape has. Antivirus historically meant software that detects and removes computer viruses — self-replicating programs that infected files; in modern usage the term loosely covers all desktop endpoint protection. Anti-malware is the more accurate umbrella term, covering viruses, worms, trojans, ransomware, spyware, adware, and rootkits — essentially anything malicious. EDR (Endpoint Detection and Response) is the modern generation of endpoint security: instead of relying on signatures, EDR (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint) continuously records what every process does and uses behaviour analysis plus machine learning to flag anomalies in real time. XDR (Extended Detection and Response) widens that lens beyond the endpoint — it correlates events from endpoints, network sensors, email gateways, and cloud workloads to detect attacks that span layers.
---
Defence-in-Depth
No single tool stops every attack. Defence-in-depth layers multiple controls:
┌─ Layer 1 — Physical Security ──────────────┐
│ ┌─ Layer 2 — Network Security ──────────┐ │
│ │ (Firewall, VPN, IDS/IPS) │ │
│ │ ┌─ Layer 3 — Host Security ────────┐ │ │
│ │ │ (Antivirus, HIDS, patching) │ │ │
│ │ │ ┌─ Layer 4 — Application Sec. ─┐ │ │ │
│ │ │ │ (Code review, WAF, SAST/DAST)│ │ │ │
│ │ │ │ ┌─ Layer 5 — Data Security ─┐│ │ │ │
│ │ │ │ │ (Encryption, DLP) ││ │ │ │
│ │ │ │ │ ┌─ Layer 6 — IAM ────────┐ ││ │ │ │
│ │ │ │ │ │ (MFA, RBAC, audit) │ ││ │ │ │
│ │ │ │ │ │ ┌─ Layer 7 — User ────┐│ ││ │ │ │
│ │ │ │ │ │ │ (Awareness training)││ ││ │ │ │
│ │ │ │ │ │ └─────────────────────┘│ ││ │ │ │
│ │ │ │ │ └────────────────────────┘ ││ │ │ │
│ │ │ │ └────────────────────────────┘│ │ │ │
│ │ │ └─────────────────────────────────┘ │ │
│ │ └────────────────────────────────────┘ │
│ └────────────────────────────────────────┘ │
└─────────────────────────────────────────────┘
A breach must penetrate every layer — much harder than breaking one.
---
Compliance Frameworks (recap)
| Framework | Focus |
|---|---|
| PCI-DSS | Card data |
| GDPR / DPDP Act | Personal data |
| ISO 27001 | ISMS |
| SOC 2 | Service organisation controls |
| HIPAA | Health data (US) |
| NIST CSF | Comprehensive cybersecurity framework |
A typical Indian e-commerce site needs: PCI-DSS (cards) + DPDP Act (personal data) + RBI guidelines (if handling payments).
---
Key Terms — Lesson 4.4
The terms below are the channel- and network-security vocabulary that every UNIT IV exam question expects you to deploy fluently.
SSL (Secure Sockets Layer) — The original protocol (Netscape, 1994) for securing channels over TCP. All SSL versions (1.0, 2.0, 3.0) are now deprecated due to known vulnerabilities — BEAST (2011), CRIME (2012), POODLE (2014). The term "SSL" survives in casual usage to mean "TLS"; the underlying protocol today is always TLS.
TLS (Transport Layer Security) — The IETF-standardised successor to SSL. Versions: TLS 1.0 (1999, deprecated 2021), 1.1 (2006, deprecated 2021), TLS 1.2 (2008, current widely-used), TLS 1.3 (2018, modern best practice). TLS 1.3 has a single round-trip handshake (vs two in 1.2), removes legacy weak ciphers, and is the standard for new deployments.
TLS Handshake — The initial negotiation between client and server that establishes a TLS session. Client sends supported versions and cipher suites; server picks one and sends its X.509 certificate; client verifies the certificate, generates a pre-master secret (or DH share), encrypts/agrees it; both derive a fresh symmetric session key from the secret plus client and server randoms; both switch to symmetric encryption. The handshake gives you authentication, key exchange, and the beginning of confidentiality in one short flow.
Cipher Suite — A named combination of algorithms used in a TLS connection — typically the key exchange algorithm (ECDHE, DHE, RSA), the authentication algorithm (RSA, ECDSA), the symmetric cipher (AES-GCM, ChaCha20-Poly1305), and the MAC/AEAD mode. A cipher suite name like TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 encodes all four. TLS 1.3 dramatically simplified the cipher-suite namespace.
Forward Secrecy (Perfect Forward Secrecy, PFS) — A property of modern TLS where each session uses fresh, ephemeral keys derived from an ephemeral Diffie-Hellman (ECDHE / DHE) exchange. If an attacker later compromises the server's long-term private key, they still cannot decrypt past sessions they had recorded — the session keys are gone forever once the session ends. PFS is achieved by using ECDHE/DHE key exchange (not static RSA).
HTTPS (HTTP Secure) — HTTP transported over a TLS-encrypted TCP connection, on the default port 443. Modern browsers mark non-HTTPS sites as "Not secure", search engines penalise them, and almost every modern API and payment gateway refuses to operate over plain HTTP. HTTPS is the universal baseline for any modern e-commerce site.
HSTS (HTTP Strict Transport Security) — An HTTP response header that tells the browser "always use HTTPS for this domain, never HTTP, for the next N seconds (or years)". HSTS defeats SSL-stripping attacks because the browser refuses to ever try HTTP for that domain again, even if a man-in-the-middle tries to downgrade.
X.509 Certificate — The format of digital certificates used in TLS (and elsewhere). An X.509 certificate binds a subject (e.g., the server's domain name) to a public key, with the binding signed by a trusted Certificate Authority. The TLS handshake includes the server's certificate so the client can authenticate the server.
Server Name Indication (SNI) — A TLS extension that lets the client tell the server which hostname it is trying to reach at the start of the handshake — necessary when multiple TLS sites share a single IP (almost universal today). Without SNI, the server would not know which certificate to present. Encrypted SNI / Encrypted ClientHello (ECH) is the modern further step that hides even the hostname from the network.
VPN (Virtual Private Network) — A technology that creates an encrypted tunnel between two endpoints over a public network, making it appear to applications and routers as if the endpoints are on the same private network. Used for site-to-site links (connecting two offices), remote access (employee from home), privacy (hiding traffic from ISP or public Wi-Fi), and circumvention of geo-restrictions.
OpenVPN — A widely-adopted open-source VPN protocol. OpenVPN runs over TLS in user space; it is highly portable and well-supported but has older-style performance overheads.
WireGuard — A modern, fast VPN protocol designed in 2016 by Jason Donenfeld. WireGuard uses a much smaller codebase than OpenVPN or IPsec (~4,000 lines), runs in the Linux kernel, uses modern primitives (Curve25519, ChaCha20-Poly1305), and reconnects nearly instantly when the network changes — making it ideal for mobile.
IPsec (Internet Protocol Security) — A suite of network-layer protocols (AH for authentication, ESP for encryption + auth, IKE for key exchange) that secures IP packets directly. IPsec is the enterprise default for site-to-site VPNs and is the underlying technology of L2TP/IPsec and IKEv2 remote-access VPNs.
Firewall — A network security device (hardware or software) that monitors and controls traffic crossing a boundary based on rules. Types include packet-filtering (decisions on IP/port/protocol), stateful inspection (also tracks connection state), application-layer proxy (inspects application data), next-generation firewall (NGFW — combines stateful + DPI + IPS + application-awareness), and web application firewall (WAF — HTTP-specific).
Stateful Inspection — A firewall technique that tracks the state of each connection (TCP handshake state, sequence numbers, established sessions) so that return traffic for an established connection is permitted automatically without a separate inbound rule. Stateful is the baseline modern firewall behaviour.
Next-Generation Firewall (NGFW) — A firewall that combines stateful inspection with deep packet inspection, application identification (recognising "this traffic is Skype" or "this is Dropbox"), and integrated IPS. Major NGFW vendors: Palo Alto Networks, Fortinet (FortiGate), Cisco Firepower, Check Point.
Web Application Firewall (WAF) — A firewall specialised for HTTP/HTTPS traffic. WAFs inspect request payloads and block patterns matching OWASP Top 10 attacks — SQL injection, XSS, CSRF, application-layer DDoS, malicious bots. Examples: AWS WAF, Cloudflare, Akamai Kona Site Defender, Imperva, F5.
DMZ (Demilitarised Zone) — A perimeter network between the public Internet and the internal network. Servers that must be Internet-accessible — web servers, mail relays, public APIs — live in the DMZ; sensitive systems (databases, internal apps) stay in the internal network. If a DMZ server is compromised, the attacker is still one firewall away from the crown jewels.
Proxy Server — A server that sits between client and destination, forwarding requests. A forward proxy hides the client from the server (corporate web filter, anonymising proxy). A reverse proxy hides the server from the client (Nginx, Cloudflare in front of an origin server) and adds load balancing, caching, and TLS termination. A transparent proxy intercepts traffic without the client knowing.
IDS (Intrusion Detection System) — A system that monitors network traffic or host activity for signs of attack and alerts an operator. IDS is passive — it watches and reports, it does not block. Variants: NIDS (network-based, sits on a span port), HIDS (host-based, runs on individual servers).
IPS (Intrusion Prevention System) — An in-line version of IDS that, in addition to detecting, actively blocks the offending traffic. IPS adds some latency and risks blocking legitimate traffic on false positives, but stops attacks at the boundary instead of merely alerting.
Signature-Based vs Anomaly-Based Detection — Two complementary detection strategies. Signature-based matches traffic against a database of known attack patterns (Snort/Suricata signatures, antivirus signatures) — accurate for known threats, blind to novel ones. Anomaly-based builds a baseline of "normal" behaviour and flags deviations — catches novel attacks but generates more false positives.
Snort / Suricata — The two leading open-source NIDS/NIPS engines. Snort (Cisco) is the classic, signature-based, single-threaded engine with a huge community ruleset. Suricata (Open Information Security Foundation) is the modern multi-threaded successor that also speaks Snort rules and adds protocol-aware logging.
EDR (Endpoint Detection and Response) — A modern generation of endpoint security that continuously records process, file, network, and registry activity on each endpoint, applies behaviour analysis and ML, and lets analysts hunt for threats and respond remotely. CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, and Carbon Black are leading EDRs.
XDR (Extended Detection and Response) — A broader correlation layer that ingests data from endpoints, network sensors, email gateways, identity providers, and cloud workloads, and uses that combined view to detect attacks that span multiple layers. XDR is essentially "EDR plus everything else."
Antivirus (AV) — Software that detects and removes malicious programs using signature scanning, heuristic analysis, sandboxing, cloud lookups, and behaviour monitoring. Examples: Microsoft Defender (built into Windows), Norton, McAfee, Kaspersky, Bitdefender, Sophos, Quick Heal and K7 Computing (India-built).
Defence in Depth — A security design principle: multiple layers of independent controls so that a single failure does not lead to total compromise. Typical layers (outermost to innermost): physical security, network security (firewall, VPN, IDS/IPS), host security (antivirus, patching), application security (code review, WAF, SAST/DAST), data security (encryption, DLP), identity (MFA, RBAC), and user awareness training. An attacker must breach every layer to reach the data.
Zero Trust Architecture — A modern security model that replaces the traditional perimeter ("inside = trusted, outside = untrusted") with "never trust, always verify". Every access request — even from inside the corporate network — is authenticated, authorised, and continuously evaluated. Pioneered by Google's BeyondCorp and now adopted by most large enterprises.
SIEM (Security Information and Event Management) — A platform that aggregates logs and security events from across the organisation (firewalls, IDS, servers, applications, cloud), correlates them, and surfaces alerts and dashboards to a Security Operations Centre. Splunk, IBM QRadar, Microsoft Sentinel, Elastic Security are leading SIEMs.
Penetration Testing (Pen Test) — A planned, authorised simulation of a real attack against the system, conducted by ethical hackers or a specialised firm. Pen tests find vulnerabilities before real attackers do. Indian e-commerce firms typically commission pen tests annually (and after major release) — sometimes mandated by RBI, PCI-DSS, or enterprise customers.
SOC (Security Operations Centre) — The team and the room where security alerts are triaged 24×7. SOCs operate the SIEM, respond to incidents, run threat-hunting exercises, and coordinate with engineering for remediation. Many companies outsource the SOC to a Managed Security Services Provider (MSSP).
---
Study deep
- TLS 1.3 is the standard for 2024. All major sites and browsers support it. TLS 1.2 still common (fallback). TLS 1.0 / 1.1 disabled. TLS 1.3 cuts handshake to 1-RTT — faster page loads.
- HTTPS is no longer optional. Google ranks HTTPS higher (since 2014). Chrome marks HTTP "Not secure" (since 2018). All payment systems and modern frameworks require HTTPS.
- NGFW + WAF + IPS together. Modern enterprise security uses Next-Gen Firewall (perimeter), Web Application Firewall (HTTP), and IPS (deep inspection) as a stack. Cloud equivalents: AWS Security Hub + AWS WAF + GuardDuty.
- Zero Trust replaces the perimeter model. Traditional firewalls assume "inside = trusted". Zero Trust says "never trust, always verify" — every request is authenticated and authorised, no matter the source. Google's BeyondCorp pioneered this.
- Indian context. RBI requires multi-factor for online payments. CERT-In requires log retention. DPDP Act 2023 mandates breach notification within 72 hours. Compliance is not optional; non-compliance carries financial and reputational risk.
PYQ pattern (very common): "What is SSL / TLS? Explain its working with diagram." — Define SSL → TLS evolution; diagram the handshake (5 steps); list properties (confidentiality, integrity, auth, forward secrecy); mention HTTPS as HTTP+TLS.
PYQ pattern: "What is a firewall? Explain its types." — Network security device; 5 types (packet-filter, stateful, app-proxy, NGFW, WAF); rule-based control; mention placement (perimeter, DMZ).
PYQ pattern: "Differentiate IDS and IPS." — IDS detects + alerts (out-of-band); IPS detects + blocks (in-line); 5 differences in a table; mention Snort, Suricata, OSSEC.
PYQ pattern: "What is a VPN? Explain its uses." — Encrypted tunnel; protocols (OpenVPN, WireGuard, IPsec); uses (privacy, geo-bypass, site-to-site, public WiFi, remote work); 2022 India CERT-In rules.