Siksha Sarovar

Siksha Sarovar (sikshasarovar.com) is a free educational web application that helps students in India learn programming and prepare for academic and competitive exams. The platform offers structured coding courses (C, C++, Python, Java, HTML, CSS, PHP, Power BI, AI, Machine Learning, Data Science), complete university curriculum notes for BCA/MCA students with previous year question papers, Class 10 and Class 12 CBSE/HBSE school notes, and dedicated preparation material for SSC, UPSC, Banking, Railway and other government exams. Browsing the site is completely free and requires no account. Users may optionally sign in with Google solely to save their learning progress, quiz scores and personal preferences across devices.

Privacy Policy | Terms of Service | Contact Siksha Sarovar | About Siksha Sarovar

v4.0.9 · PWA
Siksha Sarovar logo
Siksha Sarovar
Your Learning Universe

Siksha Sarovar is a free e-learning platform for coding courses, BCA university notes and competitive exam preparation. Optional Google sign-in saves your learning progress across devices.

Initializing knowledge base…
Compiling modules 0%

4.4 Securing Channels & Networks — SSL, TLS, VPN, Firewall, IDS/IPS

Lesson 21 of 21 in the free E-Commerce notes on Siksha Sarovar, written by Rohit Jangra.

4.4 Securing Channels & Networks — SSL, TLS, VPN, Firewall, IDS/IPS

The encryption building blocks of Lesson 3 are assembled into channel security (SSL/TLS, VPN) and network protection (firewalls, IDS/IPS, antivirus).

1. SSL — Secure Sockets Layer (deprecated, replaced by TLS)

SSL (Netscape, 1994) was the first widely adopted protocol for securing channels over TCP. Versions: SSL 1.0 (never released), 2.0 (1995), 3.0 (1996).

All SSL versions are now deprecated due to vulnerabilities (BEAST, POODLE, etc.). Modern systems use TLS.

When people say "SSL" today, they almost always mean TLS. The terms are used interchangeably in casual conversation, but the protocol is TLS.

---

2. TLS — Transport Layer Security

TLS is the successor to SSL — IETF standard, RFC 2246 (1.0, 1999), 4346 (1.1, 2006), 5246 (1.2, 2008), 8446 (1.3, 2018).

VersionYearStatus
TLS 1.01999Deprecated (2021)
TLS 1.12006Deprecated (2021)
TLS 1.22008Current standard (most-used)
TLS 1.32018Modern; faster, more secure

---

How TLS Works — the Handshake

Step-by-step (TLS 1.2)

  1. ClientHello — client lists supported TLS versions, cipher suites, random nonce
  2. ServerHello — server picks version + cipher; sends its certificate (with public key) + nonce
  3. Certificate verification — client validates cert chain up to a trusted root CA
  4. Key exchange — client generates a pre-master secret, encrypts with server's public key
  5. Session key derivation — both sides derive session key from pre-master + nonces
  6. ChangeCipherSpec — both sides switch to symmetric encryption with session key
  7. Application data — HTTP messages encrypted

TLS 1.3 is faster (1-RTT handshake, vs 2-RTT in 1.2) and removes weak ciphers.

---

What TLS provides

A properly negotiated TLS connection delivers four security properties simultaneously. Confidentiality is achieved by symmetric encryption of the HTTP payload — once the handshake has agreed a session key, all data is encrypted with AES (or ChaCha20), so an eavesdropper sees only ciphertext. Integrity is enforced by a Message Authentication Code (HMAC in TLS 1.2, AEAD construction in TLS 1.3): any tampering with the ciphertext causes the MAC to fail and the connection is torn down. Authentication comes from the server's X.509 certificate — the client verifies the certificate's chain up to a trusted root CA, which proves the server is who it claims to be. Finally, modern TLS provides Forward Secrecy via ephemeral Diffie-Hellman key exchange: each session uses fresh keys that are not derivable from the server's long-term private key, so even if the server's private key is compromised in the future, past recorded sessions cannot be decrypted.

---

HTTPS = HTTP over TLS

   Browser ──HTTPS (port 443)──► Web Server
              │
              └── HTTP layered on top of TLS-encrypted TCP

Visual indicators:

  • 🔒 padlock in browser
  • "https://" in URL
  • "Connection is secure" in browser details
All modern e-commerce sites use HTTPS only. Plain HTTP is shown as "Not secure" by browsers since 2018.

---

Why TLS matters for e-commerce

Without TLSWith TLS
Card number sniffable on public WiFiEncrypted
Login credentials in plaintextEncrypted
Session cookies stealableEncrypted
MITM can inject malicious JSCert binding prevents it
Lower search ranking (Google penalises HTTP)Better SEO
Browsers show "Not secure" warningPadlock

---

3. VPN — Virtual Private Network

A VPN creates an encrypted tunnel between two endpoints over a public network, making it appear as if they are on the same private network.

    User's Device
        │
        ▼
    VPN Client (encrypts traffic)
        │
        ▼
    Public Internet (encrypted tunnel)
        │
        ▼
    VPN Server (decrypts, forwards)
        │
        ▼
    Destination

VPN protocols

ProtocolNotes
OpenVPNOpen-source, very common
WireGuardModern, fast, simpler code
IPsecNetwork-layer, used in enterprise
L2TP / IPsecTunnel + encryption
PPTPLegacy, insecure
SSTPMicrosoft, TLS-based
IKEv2Fast reconnect, mobile-friendly

Uses of VPN

UseDetail
PrivacyHide IP from sites, hide traffic from ISP
Geo-bypassWatch region-locked Netflix
Site-to-siteConnect two offices over Internet securely
Remote accessEmployee at home connects to office network
Public WiFi safetyEncrypt all traffic on coffee shop WiFi
Censorship circumventionBypass national firewalls

Commercial VPN providers

  • NordVPN, ExpressVPN, Surfshark
  • Mullvad, ProtonVPN (privacy-focused)
  • Cloudflare WARP (free, basic)

India's VPN rules (2022)

CERT-In mandated VPN providers log user data for 5 years. Several major providers (NordVPN, ExpressVPN, Surfshark) exited Indian servers in response.

---

4. Firewall

A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on rules.

Types of firewalls

TypeOperationLayer
Packet-filteringDecisions based on IP/port/protocolNetwork layer (3-4)
Stateful inspectionTracks connection stateNetwork + Transport (3-4)
Application-layer (proxy)Inspects application dataApplication (7)
Next-generation (NGFW)Stateful + DPI + app-aware + IPSAll layers
Web Application Firewall (WAF)HTTP-specific (OWASP Top 10)Application
Cloud / virtualSoftware-based, in cloud (AWS Security Group, Azure NSG)Various

Firewall placement

   Internet ──► Firewall ──► DMZ ──► Internal firewall ──► Internal network
                          (web servers)               (DB, internal apps)

Rules example

Allow: TCP/443 (HTTPS) from anywhere to web server
Allow: TCP/22 (SSH) from admin IP to web server
Deny:  TCP/3306 (MySQL) from anywhere except app server
Deny:  All other traffic

Web Application Firewall (WAF)

Specialised firewall for HTTP traffic. Protects against:

  • SQL injection
  • XSS
  • CSRF
  • Bot traffic
  • Application-layer DDoS
  • OWASP Top 10

WAF examples: AWS WAF, Cloudflare, F5, Imperva, Akamai Kona.

---

5. Proxy Servers

A proxy server sits between client and destination, forwarding requests.

Types

TypePurpose
Forward proxyHide client identity from server (corporate proxy filters web access)
Reverse proxyHide server identity from client (Nginx, Cloudflare)
Transparent proxyIntercepts without client knowledge
Anonymous proxyHides client IP completely
Open / public proxyFree to use; often unreliable / malicious
HTTP / HTTPS proxySpecific to HTTP traffic
SOCKS proxyGeneric TCP proxy

Proxy uses

  • Caching — speed up repeated requests
  • Content filtering — block social media at work
  • Logging — track employee web usage
  • Load balancing — distribute traffic
  • Security — hide internal IPs
  • Geo-spoofing — appear from another country

---

6. IDS and IPS

IDS (Intrusion Detection System) — monitors network/host for signs of attack and alerts (passive). IPS (Intrusion Prevention System) — monitors AND blocks attacks (active).

IDS / IPS types

TypeDescription
NIDS / NIPSNetwork-based — sits on network segment
HIDS / HIPSHost-based — on individual servers/endpoints
Signature-basedDetects known attack patterns
Anomaly-basedDetects deviations from baseline
HybridBoth

IDS vs IPS — exam table

AspectIDSIPS
ActionDetects + alertsDetects + blocks
PlacementOut-of-band (mirror port)In-line
Latency addedNoneSome
False positivesBothersome but not harmfulCan block legit traffic
ConfigurationPermissiveStrict
RiskMisses some attacksBlocks legitimate users

Popular tools

ToolCategory
SnortNIDS, signature-based, open-source
SuricataNIDS/NIPS, modern, multi-threaded
OSSECHIDS, open-source
WazuhHIDS + SIEM, open-source
CrowdStrike FalconEDR (host)
Palo Alto NGFWNGFW + IPS
Cisco FirepowerNGFW + IPS

---

7. Antivirus and Anti-Malware

Antivirus software detects and removes malicious software.

How antivirus works

TechniqueDescription
Signature scanningMatch files against known malware signatures
Heuristic analysisDetect suspicious behaviour, even novel
SandboxingRun suspicious file in isolated env, observe
Cloud lookupCheck file hash against cloud DB
Behaviour monitoringBlock suspicious actions in real-time
Machine learningClassify files as good/bad

Major antivirus products

ProductOrigin
Microsoft DefenderBuilt into Windows
Norton 360USA
McAfeeUSA
KasperskyRussia (banned in some countries)
BitdefenderRomania
SophosUK
Quick HealIndia-built
K7 ComputingIndia-built

Anti-malware vs antivirus

The terminology has evolved as the threat landscape has. Antivirus historically meant software that detects and removes computer viruses — self-replicating programs that infected files; in modern usage the term loosely covers all desktop endpoint protection. Anti-malware is the more accurate umbrella term, covering viruses, worms, trojans, ransomware, spyware, adware, and rootkits — essentially anything malicious. EDR (Endpoint Detection and Response) is the modern generation of endpoint security: instead of relying on signatures, EDR (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint) continuously records what every process does and uses behaviour analysis plus machine learning to flag anomalies in real time. XDR (Extended Detection and Response) widens that lens beyond the endpoint — it correlates events from endpoints, network sensors, email gateways, and cloud workloads to detect attacks that span layers.

---

Defence-in-Depth

No single tool stops every attack. Defence-in-depth layers multiple controls:

   ┌─ Layer 1 — Physical Security ──────────────┐
   │ ┌─ Layer 2 — Network Security ──────────┐  │
   │ │ (Firewall, VPN, IDS/IPS)              │  │
   │ │ ┌─ Layer 3 — Host Security ────────┐  │  │
   │ │ │ (Antivirus, HIDS, patching)      │  │  │
   │ │ │ ┌─ Layer 4 — Application Sec. ─┐ │  │  │
   │ │ │ │ (Code review, WAF, SAST/DAST)│ │  │  │
   │ │ │ │ ┌─ Layer 5 — Data Security ─┐│ │  │  │
   │ │ │ │ │ (Encryption, DLP)          ││ │  │  │
   │ │ │ │ │ ┌─ Layer 6 — IAM ────────┐ ││ │  │  │
   │ │ │ │ │ │ (MFA, RBAC, audit)     │ ││ │  │  │
   │ │ │ │ │ │ ┌─ Layer 7 — User ────┐│ ││ │  │  │
   │ │ │ │ │ │ │ (Awareness training)││ ││ │  │  │
   │ │ │ │ │ │ └─────────────────────┘│ ││ │  │  │
   │ │ │ │ │ └────────────────────────┘ ││ │  │  │
   │ │ │ │ └────────────────────────────┘│ │  │  │
   │ │ │ └─────────────────────────────────┘ │  │
   │ │ └────────────────────────────────────┘  │
   │ └────────────────────────────────────────┘  │
   └─────────────────────────────────────────────┘

A breach must penetrate every layer — much harder than breaking one.

---

Compliance Frameworks (recap)

FrameworkFocus
PCI-DSSCard data
GDPR / DPDP ActPersonal data
ISO 27001ISMS
SOC 2Service organisation controls
HIPAAHealth data (US)
NIST CSFComprehensive cybersecurity framework

A typical Indian e-commerce site needs: PCI-DSS (cards) + DPDP Act (personal data) + RBI guidelines (if handling payments).

---

Key Terms — Lesson 4.4

The terms below are the channel- and network-security vocabulary that every UNIT IV exam question expects you to deploy fluently.

SSL (Secure Sockets Layer) — The original protocol (Netscape, 1994) for securing channels over TCP. All SSL versions (1.0, 2.0, 3.0) are now deprecated due to known vulnerabilities — BEAST (2011), CRIME (2012), POODLE (2014). The term "SSL" survives in casual usage to mean "TLS"; the underlying protocol today is always TLS.

TLS (Transport Layer Security) — The IETF-standardised successor to SSL. Versions: TLS 1.0 (1999, deprecated 2021), 1.1 (2006, deprecated 2021), TLS 1.2 (2008, current widely-used), TLS 1.3 (2018, modern best practice). TLS 1.3 has a single round-trip handshake (vs two in 1.2), removes legacy weak ciphers, and is the standard for new deployments.

TLS Handshake — The initial negotiation between client and server that establishes a TLS session. Client sends supported versions and cipher suites; server picks one and sends its X.509 certificate; client verifies the certificate, generates a pre-master secret (or DH share), encrypts/agrees it; both derive a fresh symmetric session key from the secret plus client and server randoms; both switch to symmetric encryption. The handshake gives you authentication, key exchange, and the beginning of confidentiality in one short flow.

Cipher Suite — A named combination of algorithms used in a TLS connection — typically the key exchange algorithm (ECDHE, DHE, RSA), the authentication algorithm (RSA, ECDSA), the symmetric cipher (AES-GCM, ChaCha20-Poly1305), and the MAC/AEAD mode. A cipher suite name like TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 encodes all four. TLS 1.3 dramatically simplified the cipher-suite namespace.

Forward Secrecy (Perfect Forward Secrecy, PFS) — A property of modern TLS where each session uses fresh, ephemeral keys derived from an ephemeral Diffie-Hellman (ECDHE / DHE) exchange. If an attacker later compromises the server's long-term private key, they still cannot decrypt past sessions they had recorded — the session keys are gone forever once the session ends. PFS is achieved by using ECDHE/DHE key exchange (not static RSA).

HTTPS (HTTP Secure) — HTTP transported over a TLS-encrypted TCP connection, on the default port 443. Modern browsers mark non-HTTPS sites as "Not secure", search engines penalise them, and almost every modern API and payment gateway refuses to operate over plain HTTP. HTTPS is the universal baseline for any modern e-commerce site.

HSTS (HTTP Strict Transport Security) — An HTTP response header that tells the browser "always use HTTPS for this domain, never HTTP, for the next N seconds (or years)". HSTS defeats SSL-stripping attacks because the browser refuses to ever try HTTP for that domain again, even if a man-in-the-middle tries to downgrade.

X.509 Certificate — The format of digital certificates used in TLS (and elsewhere). An X.509 certificate binds a subject (e.g., the server's domain name) to a public key, with the binding signed by a trusted Certificate Authority. The TLS handshake includes the server's certificate so the client can authenticate the server.

Server Name Indication (SNI) — A TLS extension that lets the client tell the server which hostname it is trying to reach at the start of the handshake — necessary when multiple TLS sites share a single IP (almost universal today). Without SNI, the server would not know which certificate to present. Encrypted SNI / Encrypted ClientHello (ECH) is the modern further step that hides even the hostname from the network.

VPN (Virtual Private Network) — A technology that creates an encrypted tunnel between two endpoints over a public network, making it appear to applications and routers as if the endpoints are on the same private network. Used for site-to-site links (connecting two offices), remote access (employee from home), privacy (hiding traffic from ISP or public Wi-Fi), and circumvention of geo-restrictions.

OpenVPN — A widely-adopted open-source VPN protocol. OpenVPN runs over TLS in user space; it is highly portable and well-supported but has older-style performance overheads.

WireGuard — A modern, fast VPN protocol designed in 2016 by Jason Donenfeld. WireGuard uses a much smaller codebase than OpenVPN or IPsec (~4,000 lines), runs in the Linux kernel, uses modern primitives (Curve25519, ChaCha20-Poly1305), and reconnects nearly instantly when the network changes — making it ideal for mobile.

IPsec (Internet Protocol Security) — A suite of network-layer protocols (AH for authentication, ESP for encryption + auth, IKE for key exchange) that secures IP packets directly. IPsec is the enterprise default for site-to-site VPNs and is the underlying technology of L2TP/IPsec and IKEv2 remote-access VPNs.

Firewall — A network security device (hardware or software) that monitors and controls traffic crossing a boundary based on rules. Types include packet-filtering (decisions on IP/port/protocol), stateful inspection (also tracks connection state), application-layer proxy (inspects application data), next-generation firewall (NGFW — combines stateful + DPI + IPS + application-awareness), and web application firewall (WAF — HTTP-specific).

Stateful Inspection — A firewall technique that tracks the state of each connection (TCP handshake state, sequence numbers, established sessions) so that return traffic for an established connection is permitted automatically without a separate inbound rule. Stateful is the baseline modern firewall behaviour.

Next-Generation Firewall (NGFW) — A firewall that combines stateful inspection with deep packet inspection, application identification (recognising "this traffic is Skype" or "this is Dropbox"), and integrated IPS. Major NGFW vendors: Palo Alto Networks, Fortinet (FortiGate), Cisco Firepower, Check Point.

Web Application Firewall (WAF) — A firewall specialised for HTTP/HTTPS traffic. WAFs inspect request payloads and block patterns matching OWASP Top 10 attacks — SQL injection, XSS, CSRF, application-layer DDoS, malicious bots. Examples: AWS WAF, Cloudflare, Akamai Kona Site Defender, Imperva, F5.

DMZ (Demilitarised Zone) — A perimeter network between the public Internet and the internal network. Servers that must be Internet-accessible — web servers, mail relays, public APIs — live in the DMZ; sensitive systems (databases, internal apps) stay in the internal network. If a DMZ server is compromised, the attacker is still one firewall away from the crown jewels.

Proxy Server — A server that sits between client and destination, forwarding requests. A forward proxy hides the client from the server (corporate web filter, anonymising proxy). A reverse proxy hides the server from the client (Nginx, Cloudflare in front of an origin server) and adds load balancing, caching, and TLS termination. A transparent proxy intercepts traffic without the client knowing.

IDS (Intrusion Detection System) — A system that monitors network traffic or host activity for signs of attack and alerts an operator. IDS is passive — it watches and reports, it does not block. Variants: NIDS (network-based, sits on a span port), HIDS (host-based, runs on individual servers).

IPS (Intrusion Prevention System) — An in-line version of IDS that, in addition to detecting, actively blocks the offending traffic. IPS adds some latency and risks blocking legitimate traffic on false positives, but stops attacks at the boundary instead of merely alerting.

Signature-Based vs Anomaly-Based Detection — Two complementary detection strategies. Signature-based matches traffic against a database of known attack patterns (Snort/Suricata signatures, antivirus signatures) — accurate for known threats, blind to novel ones. Anomaly-based builds a baseline of "normal" behaviour and flags deviations — catches novel attacks but generates more false positives.

Snort / Suricata — The two leading open-source NIDS/NIPS engines. Snort (Cisco) is the classic, signature-based, single-threaded engine with a huge community ruleset. Suricata (Open Information Security Foundation) is the modern multi-threaded successor that also speaks Snort rules and adds protocol-aware logging.

EDR (Endpoint Detection and Response) — A modern generation of endpoint security that continuously records process, file, network, and registry activity on each endpoint, applies behaviour analysis and ML, and lets analysts hunt for threats and respond remotely. CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, and Carbon Black are leading EDRs.

XDR (Extended Detection and Response) — A broader correlation layer that ingests data from endpoints, network sensors, email gateways, identity providers, and cloud workloads, and uses that combined view to detect attacks that span multiple layers. XDR is essentially "EDR plus everything else."

Antivirus (AV) — Software that detects and removes malicious programs using signature scanning, heuristic analysis, sandboxing, cloud lookups, and behaviour monitoring. Examples: Microsoft Defender (built into Windows), Norton, McAfee, Kaspersky, Bitdefender, Sophos, Quick Heal and K7 Computing (India-built).

Defence in Depth — A security design principle: multiple layers of independent controls so that a single failure does not lead to total compromise. Typical layers (outermost to innermost): physical security, network security (firewall, VPN, IDS/IPS), host security (antivirus, patching), application security (code review, WAF, SAST/DAST), data security (encryption, DLP), identity (MFA, RBAC), and user awareness training. An attacker must breach every layer to reach the data.

Zero Trust Architecture — A modern security model that replaces the traditional perimeter ("inside = trusted, outside = untrusted") with "never trust, always verify". Every access request — even from inside the corporate network — is authenticated, authorised, and continuously evaluated. Pioneered by Google's BeyondCorp and now adopted by most large enterprises.

SIEM (Security Information and Event Management) — A platform that aggregates logs and security events from across the organisation (firewalls, IDS, servers, applications, cloud), correlates them, and surfaces alerts and dashboards to a Security Operations Centre. Splunk, IBM QRadar, Microsoft Sentinel, Elastic Security are leading SIEMs.

Penetration Testing (Pen Test) — A planned, authorised simulation of a real attack against the system, conducted by ethical hackers or a specialised firm. Pen tests find vulnerabilities before real attackers do. Indian e-commerce firms typically commission pen tests annually (and after major release) — sometimes mandated by RBI, PCI-DSS, or enterprise customers.

SOC (Security Operations Centre) — The team and the room where security alerts are triaged 24×7. SOCs operate the SIEM, respond to incidents, run threat-hunting exercises, and coordinate with engineering for remediation. Many companies outsource the SOC to a Managed Security Services Provider (MSSP).

---

Study deep

  1. TLS 1.3 is the standard for 2024. All major sites and browsers support it. TLS 1.2 still common (fallback). TLS 1.0 / 1.1 disabled. TLS 1.3 cuts handshake to 1-RTT — faster page loads.
  1. HTTPS is no longer optional. Google ranks HTTPS higher (since 2014). Chrome marks HTTP "Not secure" (since 2018). All payment systems and modern frameworks require HTTPS.
  1. NGFW + WAF + IPS together. Modern enterprise security uses Next-Gen Firewall (perimeter), Web Application Firewall (HTTP), and IPS (deep inspection) as a stack. Cloud equivalents: AWS Security Hub + AWS WAF + GuardDuty.
  1. Zero Trust replaces the perimeter model. Traditional firewalls assume "inside = trusted". Zero Trust says "never trust, always verify" — every request is authenticated and authorised, no matter the source. Google's BeyondCorp pioneered this.
  1. Indian context. RBI requires multi-factor for online payments. CERT-In requires log retention. DPDP Act 2023 mandates breach notification within 72 hours. Compliance is not optional; non-compliance carries financial and reputational risk.
PYQ pattern (very common): "What is SSL / TLS? Explain its working with diagram." — Define SSL → TLS evolution; diagram the handshake (5 steps); list properties (confidentiality, integrity, auth, forward secrecy); mention HTTPS as HTTP+TLS.
PYQ pattern: "What is a firewall? Explain its types." — Network security device; 5 types (packet-filter, stateful, app-proxy, NGFW, WAF); rule-based control; mention placement (perimeter, DMZ).
PYQ pattern: "Differentiate IDS and IPS." — IDS detects + alerts (out-of-band); IPS detects + blocks (in-line); 5 differences in a table; mention Snort, Suricata, OSSEC.
PYQ pattern: "What is a VPN? Explain its uses." — Encrypted tunnel; protocols (OpenVPN, WireGuard, IPsec); uses (privacy, geo-bypass, site-to-site, public WiFi, remote work); 2022 India CERT-In rules.