Monday, September 30, 2019

Hunger in Haiti Essay

Abstract

Haiti is a small Caribbean country that has had a serious hunger problem for many years. Even in the 1980s, Haiti had advanced agriculture and hunger was far from this country. However, the local wars and conflicts of the 1990s changed this. Agriculture was disturbed and the hunger problem became more and more serious. It has been the key problem of Haitian development, so the Haitian government and the international community have taken many measures to improve the situation. The major international support came from the US and some EU countries. Plenty of data and reports show that the hungry population in Haiti has been reduced a lot. Haiti will most likely achieve the Millennium Development Goal pronounced in 2000 by 2015.

Hunger: the key problem in Haitian development

“Civilization as it is known today could not have evolved, nor can it survive, without an adequate food supply” (Borlaug, 1970). However, the hunger problem troubles a quarter of the world’s population even in these years. The problem of world hunger is serious and has affected economic development in many countries. It is common knowledge that food is the first necessity of people, but solving the problem of feeding a population of about 6.5 billion is a big challenge to the world. Lindsay (2008) reports that food is in short supply every year because there is not enough to satisfy people’s demand in the impoverished countries. However, food security is the basis of social development in the world. It is quite clear that a hungry country cannot make great efforts to develop its economy and improve the living standards of its people. For example, during the 3 years from 1959 to 1961, because of the food shortage, China was hesitating, virtually at a standstill, and there was little economic growth and not much of a rise in the standard of living.
Therefore, solving the hunger problem is vital for the world, but there are still many problems demanding prompt solution in world food supplies, especially in some less-developed nations like Haiti. The Millennium Development Goal (MDG) pronounced by the United Nations in 2000 called for the proportion of people who suffer from hunger to be halved by 2015. This paper will discuss Haiti’s struggle to reduce hunger and explain why this country can probably meet the MDG by 2015.

Although many developing countries experience hunger problems, Haiti’s food crisis shows the relationship between food and social stability. This country has suffered from an extremely serious food crisis in recent years. Plunkett (2000) reports that agriculture accounted for 30% of Haiti’s GDP, employing two thirds of Haitian people before the 1980s. However, after the armed conflicts between opposing Haitian political factions in the 1990s, agriculture was disrupted and hunger became both a rural and an urban phenomenon in Haiti. More than half of the total population suffered from hunger, and the percentage was higher in rural areas: about 65% of people living in the countryside did not have adequate food. Children were the population most hurt by this long-term and intractable problem. One in three Haitian children suffered malnutrition and one in eight died before the age of five as a result (Plunkett, 2000). It is shocking how serious the Haitian hunger problem was before the new century. Because of its food crisis, Haiti’s social stability has been severely affected. According to Gauthier (2008), riots have happened all over Haiti in past years and many people have died in hunger-related riots. Another report shows that a peaceful demonstration turned into a violent incident in Port-au-Prince, the capital city of Haiti (Chatterjee, 2008). Clearly, Haitian people have stored up discontent against their government due to food insecurity.
At the same time, unstable social order and anarchy gravely undermined Haiti’s economy, which came to a standstill. According to Plunkett (2000), the hunger problem caused a depression in the market and the closure of industrial and commercial enterprises that was prevalent in 1990s Haiti. The factors which caused this crisis are multiple, and it is necessary to analyze them before taking any measures to solve this problem and help Haiti achieve the MDG by 2015.

The long-term local wars at the end of the last century had unfavorable impacts on grain production in Haiti, so that the domestic supply of food fell short of demand. The decrease in rice production after the wars also directly lowered Haitian people’s income, so that more than three quarters of the rural population lived below the poverty line by 2000. There was a dramatic increase in the price of staple food, and this caused devaluation in Haiti. To a certain extent, Haitian people’s purchasing power decreases because of their remarkably small income and the high food price, so they cannot buy enough food (Gauthier, 2008). Chatterjee (2008) points out that cheap rice imported from the USA caused Haitian national rice production to plummet. Because of advanced agricultural technology, American rice has many advantages such as lower price and higher nutrition. Large food imports from the US in the 1990s after the Haitian civil wars helped people have more food but also limited national agricultural growth in Haiti. Besides these, according to Gauthier (2008), the increasing demand for food by local people and reductions in rice imports because of the funding burden in recent years are also factors that cannot be ignored.

In response to the challenges of the food crisis, the Haitian government has spared no effort since 2000 to help hungry people have enough to eat.
According to Gauthier (2008), Haiti’s new government supports the modernization of agricultural techniques and the restoration of agricultural production. The government has decided to open up more wasteland, and the newly reclaimed land is now bringing forth bountiful crops. In rural areas, the government offers relief grain to people who cannot afford enough food (Chatterjee, 2008). The Haitian government’s efforts are effective and have accomplished a lot, but the government is short of funds to support hungry people continually, so Haiti also takes vigorous action to promote international cooperation in food security. Chatterjee (2008) reports that Haiti has recently qualified for debt relief under the World Bank and International Monetary Fund’s Heavily Indebted Poor Country Initiative, and in the meantime many of Haiti’s creditor countries, especially some developed countries, are considering a compassionate discharge because of Haiti’s domestic food difficulties. Apparently, international aid programs from developed countries and NGOs are of extreme importance in helping Haiti’s government. According to Plunkett (2000) and Gauthier (2008), the Haitian food crisis has improved significantly in recent years: the hungry population had been reduced by 32% by 2007, and the good momentum is being maintained.

To meet the MDG by 2015, efforts should be continued to win aid programs from international organizations and developed countries to help Haitian people get adequate food in the following years. Some international organizations, such as the UN Food and Agriculture Organization, can coordinate the world’s food aid to Haiti. But Haiti cannot rely on foreign assistance and needs to become self-reliant in the future, so the UN peacekeepers should play a bigger role in the social stabilization of Haiti so that a stable political situation can help Haiti restore its native agricultural production. Self-sufficiency and self-reliance are the fundamental ways to eliminate the hunger problem in Haiti.
In conclusion, with the implementation of different measures, an optimistic estimate suggests that the MDG will be achieved by 2015 in Haiti. Ample food is a basic human right in this world. Nations all over the world should join hands to safeguard food security.

References

Borlaug, N. (1970). The green revolution, peace and humanity. Nobel Lectures. The Nobel Peace Prize Institute. Retrieved on November 12, 2008, from http://www.nobelprize.org/nobel_prizes/peace/laureates/1970/borlaug-lecture.html/

Chatterjee, P. (2008). Haiti’s forgotten emergency. The Lancet, 372(9639), pp. 615–618. Retrieved on November 12, 2008, from http://www.thelancet.com/journals/lancet/article/PIIS0140-6736(08)61259-3/

Gauthier, A. (2008). Food crisis in Haiti: exposing key problems in the process of stabilization. FRIDE Comment, 782(45), pp. 34–38. Retrieved on November 12, 2008, from PAIS International database.

Lindsay, R. (2008). Haiti on the ‘Death Plan’: Protesters decry high food prices and the savage cost of neoliberalism. The Nation, 286(21), pp. 22–24. Retrieved on November 12, 2008, from PAIS International database.

Plunkett, D. (2000). Food security in Haiti: A case study comparing the food security frameworks of the Haitian government, the European Commission and the U.S. Agency for International Development. Retrieved on November 12, 2008, from http://pdf.usaid.gov/pdf_docs/PNACH663.pdf/

Sunday, September 29, 2019

An Analysis of Pieter Brueghel’s Painting, Landscape with the Fall of Icarus And W.H. Auden’s Poem, Musee des Beaux Arts

Pieter Brueghel was a 16th century Renaissance painter whose paintings have allegorical meanings. His painting Landscape with the Fall of Icarus was his only subject taken from Greek mythology. While his contemporaries’ work focused more on religious subjects, Brueghel made his own mark by creating his own painting style; he was famous for his landscape paintings inhabited by peasants. His painting, which is rich in imagery, portrays the season of spring when Icarus fell into the sea: there is a farmer plowing the field, and the sea shore is busy with different activities. All these things come to life in Brueghel’s painting (www.pieter-bruegel-the-elder.org).

W. H. Auden’s poem Musee des Beaux Arts was written upon his visit to the Museum of Fine Arts in Brussels in 1938. His poem was influenced by Pieter Brueghel’s painting Landscape with the Fall of Icarus. For Auden, the poem reflected people’s indifference toward human suffering. The “miraculous birth” of a child was seen as insignificant, since the children went about “skating on a pond at the edge of the wood”, not mindful of the great occurrence, which Auden likened to the birth of Christ. While ordinary people could disregard such phenomenal events, Auden pointed out that the Old Masters concentrated on such themes, which were reflected in their art works (www.audensociety.org). It is also surprising that no one noticed the fall of Icarus into the sea; there was a splatter and an implication that Icarus was drowning, and yet no one cared. The farmer continued plowing his field, and the ship did not bother to stop and help Icarus; instead it continued to sail. Auden believed that in Brueghel’s painting, the fall of Icarus is parallel to the martyrdom of Christ. The Old Masters like Pieter Brueghel managed to create such great works of art to serve as a reminder of human suffering (www.audensociety.org).

Saturday, September 28, 2019

The Work and Tools of a Surveyor Essay

This very well depicts that the area is a hot spot, and opening a shop in this locality can be an added benefit. Since the proximity to upper parliament and market square is quite close, there is no doubt about the potential of the location. The external walls are constructed of bricks and concrete, and the roof is of concrete alone. The appeal of the building is unconventional and as a result reflects an element of antiquity to outsiders. The window frames look fragile and not well maintained, with defective glass panes.

The interior of the building was checked thoroughly in order to analyze the defects in construction. This would help in understanding the shortcomings which could negatively affect the potential of the property and give rise to excessive expenditure in future. Some areas were not accessible for inspection; apart from the roofs, to which access was not possible, the inspection took place from the basement to the second floor. A ladder was used for some areas of the ceilings to look for defects. At the time of evaluation the property was not occupied and was semi-furnished with well maintained carpets.

The building is not in very good condition and does not look well maintained. The doors have become weak and the flooring needs to be refurbished. Ceilings are in moderately good form, and the timber skirting of the walls needs some varnishing. The exterior of the building needs to be painted in order to retain a novel appearance. The window frame joints need some finishing, as the joints are visible. The window panes need to be painted, as they are fading and the wood is deteriorating and ageing. The lintel of the first floor main door is corroding and this can happen to other doors as well. The windows are single glazed and could be changed to double glazed if the expense allows. Some of the woodwork is in poor condition and the mastic showing around the frames is shrinking.
Bathrooms

Friday, September 27, 2019

Marketing Essay

8).”

The engagement

This engagement relates to the period during the second half of last year, when a distant relation of mine wanted me to help him in designing the marketing department and developing the marketing aspects of his start-up family restaurant. This relation of mine retired from the Royal Navy as a Chief Petty Officer. He approached me to help him in designing and developing the marketing aspects of his business. As I am a student of business studies, he thought I would be in a better position to guide him on the marketing aspects. According to him, the navy taught him everything about cooking and gave him enough exposure to culinary skills, managing production facilities and managing men, but he lacked seriously in marketing knowledge. He believed that if he started a restaurant, with his culinary skills and personnel management experience as the chief cook on a frigate, he would be able to do good business. On the flip side, he was sceptical that the different and highly competitive environment might make it very difficult for him in the formative days. He felt that some help in marketing would make him more confident. He was undecided about how to go about the whole thing. For me this was an opportunity to apply my lessons in marketing.

Defining Marketing

To gauge his understanding of marketing, I asked him to tell me what he knew about marketing. According to him, marketing includes such activities as selling, advertising, marketing research and so on. I explained to him that marketing is a way of doing business which starts with a focus on customer needs and expectations. I quoted the definition of the UK Chartered Institute of Marketing, which states: Marketing is the management process which identifies, anticipates, and supplies customer requirements efficiently and profitably. (Blythe, 2001, p. 11; cited by Schaefer, 2010, p. 8)

I explained to him that to begin with we have to understand what he visualises about his would-be customers, their likes and dislikes in respect of their food habits, decor and ambience. I continued that in addition to these factors, we need to know about their level of income to gauge their affordability, so that we can plan to meet their requirements both efficiently and profitably. With this information, we would then apply the marketing concepts.

Setting the orientation

I discussed with him the four types of orientation a business can have, namely (1) product orientation, (2) production orientation, (3) selling orientation and (4) marketing orientation. I advised that we develop a marketing orientation for the business, which in reality is an ‘outside-in’ approach, in contrast to the other three, which are inside-out approaches. Here, we had to start with a thorough assessment of the needs and expectations of buyers and then try to fulfil those needs and expectations in order to attract customers. I explained that in this perspective, he not only has to assume what his potential customers may want, but also has to find out what his customers would actually want. Accordingly, the business offering has to be

Thursday, September 26, 2019

The Titanic OR The Love Canal OR BP Deepwater Horizon Spill OR Fukushima Reactor Meltdown OR Wikileaks (Julian Assange) Essay

This implies that what is more important to consider for an individual is the fact that she or he as a person is a responsible, independently acting, and conscious being (existence), rather than the labels, stereotypes, definitions, roles, and other preconceived categories fitting the individual (essence) (Thomas 23). Basically, what this means is that the actual life of a person is what constitutes his or her true essence, instead of other arbitrarily attributable essences used by other people to define her or him. Therefore, going by existentialism, a human being, through his or her own consciousness, creates his or her own values, which determine a meaning for his or her life.

Though existentialism has its strong points, other approaches refute it. Although the existentialist approach can generally offer practical and useful solutions to psychological problems, it overemphasizes three different themes, namely meaninglessness, isolation and death. Proponents of this approach then place (Thomas 42). Existentialism, alongside the ethics arising out of it, can be an attractive package. The fact that in existentialism one creates his or her own actions shows that this approach can give a person a good moral baseline. However, it does not imply that it necessarily does so, as it has an assortment of beliefs and tenets but fails to involve a detailed code of ethics (Warnock 46). Each individual is left to work out the issue of ethics himself or herself, but within the tenets of the existential thought system. This gives an individual a lot of latitude to decide what is wrong and right. However, it is worth noting that some individuals may reach a spurious notion of what is right and wrong. This is one of the key weaknesses of this ethics. The second weakness is that existentialist ethics is tied up with other systems (Thomas 43). This way, it can lead those who adhere to it into wrongheaded decisions. Existential principles are entwined with established, detailed, and complex ethical systems (Thomas 25). The third weakness is that existentialism is hard for many people to interpret, the result of which is that few people end up using its principles as their ethical guidelines.

The Love Canal is the Niagara Falls chemical disaster (Brook 3). This town was arguably known not for what it was designed for, “love”, but for being the largest chemical disaster in North America. As existentialism would have it, William T. Love had envisioned creating a town near Niagara Falls which would run on hydroelectricity. His plan was that hydropower would be supplied to this town by running a canal from the upper Niagara River to the lower part of the river (Brook 5). Mr. Love’s plan was to turn this canal into a shipping route with a model city surrounding the canal. However, this did not happen, because the “Panic of 1893” caused the financiers of the project to pull out their money. Mr. Love went broke, which meant the end of the project (Brook 8). The aftermath of Mr. Love’

Wednesday, September 25, 2019

Organizational Culture of Ritz-Carlton Research Paper

Some organizations encourage their employees to be more innovative and to take more risks than other organizations.

The second characteristic of organizational culture is attention to detail. This characteristic explains the degree to which a corporation encourages its employees to be precise in their work and to pay close attention to details.

The third characteristic of organizational culture is outcome orientation. This characteristic explains the degree to which the management of a corporation focuses on outcomes, rather than on the processes that bring about the outcome.

The fourth characteristic of organizational culture is people orientation. This characteristic explains the degree to which the management of an organization focuses on the effect that the activities and decisions made by management will have on the people within the organization.

The fifth characteristic of organizational culture is team orientation. This characteristic explains the degree to which work activities within an organization are organized around teams, rather than individuals.

The sixth characteristic of organizational culture is aggressiveness. This characteristic explains the degree to which an organization encourages its employees to be aggressive or adventurous, and competitive.

The seventh characteristic of organizational culture is stability.

Tuesday, September 24, 2019

The play Lucky Spot Thesis

It is obvious from the beginning of the play that the prospect of success for a dance hall in a poor Southern town during the Depression, over the Christmas holidays, when people spend time with family, is unlikely. But it's Hooker's pipe dream that keeps him alive when he says, "Hey, look, it's Christmas Eve. People are so lonely out there you can smell it rotting on 'em. Here at The Lucky Spot we'll be selling hot music, fine dancing, and sweet solace of kind hearted women."

The stakes are raised even higher when Whitt Carmichael, a wealthy, well-dressed man in his thirties, comes to town and informs Hooker that the property he won from his relative has a lien on it, and unless he pays him three hundred and fifty dollars for it by January 1st, the property belongs to Carmichael. The prospect for success narrows even further when Lacey Rollins, 30ish with fading good looks, one of the taxi dancers Hooker hired to work at The Lucky Spot, emerges from the living quarters to inform the others that the rest of the dancers have fled on account of the news that Hooker's estranged wife, Sue Jack Tiller Hooker, has been released from prison early and is headed back there. Sue Jack's reputation precedes her, as she served time for throwing a woman over a second floor balcony when she found her in bed with her husband.

Monday, September 23, 2019

In what way did modernization change the political identity in modern Japan Essay

Historians have also stated that Japan was a country in which political oppression and dictatorship reigned, as citizens had no voice on political matters. In fact, those who dared to make any challenge had to bear the government’s wrath2. Nevertheless, this has changed tremendously, as Japan is today known as one of the top upholders of democratic freedoms. The objective of this paper is to discuss how modernization has changed the political identity of modern Japan.

The pace at which Japan has modernized itself has really taken many countries by surprise. It is reported that, like many other Asian countries, Japan retained its feudal system of government up to the mid 19th century, after which it made itself one of the greatest economic powers in Asia and beyond by the end of the 20th century. Nevertheless, as the country struggled to modernize its society, two historical conversions took place, which made Japan what it is today, according to Furuya. The Meiji Restoration of 1868 was the first conversion to take place in Japan; it is noted that since then, Japan abandoned its traditional way of doing things while promoting modernization and industrialization3. The second was the triumph of World War II, which is also historic as far as modernization of Japanese society is concerned. It is reported that after 1945, the GHQ reforms removed the old social systems as well as the national identity, an act rooted in the Meiji Restoration. As such, a post-war Japan was needed for the establishment of a democratic society and to rebuild its national identity, so as to see Japan become a more democratic country4. The Meiji Restoration is said to have contributed a lot with regard to how it helped mitigate the political threats that Japan faced from foreign countries.
It is reported that the Meiji leaders were aware of China’s fate and, therefore, appreciated that maintaining the status quo would lead to defeat and humiliation.5 These leaders were aware

Sunday, September 22, 2019

Ethics system table Essay

Consequence-Based Ethics

This ethics is also referred to as teleological ethics. It refers to the end results or outcomes of certain decisions. The acts determine what is ethical. What is viewed to be ethical is the action most likely to result in the best good or the action with the most significance. This action usually gives the best consequence.

Rights-Based Ethics

This is the ethics that outlines the privileges that an individual is entitled to. It is based on the ground of the categorical imperative, which views a person as a moral agent in relation to other people. The rights are treated as true and correct as they are approved by many people. However, it is difficult to determine which rights should be approved and which ones should be discarded.

Human Nature Ethics

Also referred to as humanistic ethics. These ethics emphasize doing what is right and best for society as a whole. This ethic, which mainly dominates ethical theory, is more clearly altruistic. It aims at virtue as well as social improvement rather than personal success. The ethics is concerned about everybody in society. People should not be afraid to lend a helping hand or to receive one.

Relativistic Ethics

This ethics is viewed as an inquiry into what is right or wrong through a critical review of people’s beliefs and practices. It however fails to recognize that some societies have better reasons for holding to their views than others. It raises important issues in that different cultural societies have different beliefs and are greatly influenced by culture. The ethics challenges people to explore belief systems that differ from their own and to find an explanation of why people hold their belief system.

Entitlement-Based Ethics

This is an ethic that views that you owe me because it’s my right to have everything that you have.
Virtue-Based Ethics

This ethic places less emphasis on the rules that people should follow and instead tries to find ways of teaching people good virtues such as generosity and kindness. These traits later help the person to make better decisions in life. It also emphasizes that people should know how to avoid bad virtues such as greed and hatred. These are viewed as hindrances to becoming a good person.

| Ethical Theory or System | Brief Definition | Other Names for Theory | Real-world Example | Workplace Example |
| --- | --- | --- | --- | --- |
| Duty-based Ethics | Regardless of consequences, certain moral principles are binding, focusing on duty rather than results, or moral obligation over what the individual would prefer to do (Trevino and Nelson, 2007, Ch. 4). | Deontology, pluralism, moral rights, rights-based, categorical imperative, golden rule | I believe people should be able to eat sand because it is the right thing to do. | It is my duty to follow through with instructions my boss gives me, even if I do not agree with the concept. It is my moral obligation to respect authority figures. |
| Consequence-based Ethics | What is viewed to be ethical is the action most likely to result in the best good or the action with the most significance. | Teleological ethics | I believe people should be able to eat sand because it is good for one’s health. | We ignore the consequence of telling the truth to the police as it may lead to the imprisonment and detention of another person. |
| Rights-based Ethics | The privileges that an individual is entitled to. | Society norms | I believe people should be able to eat sand if they want to because they are free to make the decision themselves. | In America it is so clear on the right of the people to choose their faith; therefore people in the USA have a right to choose their religion. |
| Human Nature Ethics | Emphasis on doing what is right and best for society as a whole. | Humanistic ethics | I believe that if sand is going to be eaten, it should be available for everyone to eat. | In an organization people should encourage teamwork as much as possible in order for it to run successfully. |
| Relativistic Ethics | Viewed as an inquiry into what is right or wrong through a critical review of people’s beliefs and practices. | Ethnocentric ethic | I believe I will eat sand because it is the standard meal for my community. | Every organization should be viewed as unique and different from others as it has its own practices and code of conduct. |
| Entitlement-based Ethics | Views that you owe me because it’s my right to have everything that you have. | | I believe people should be able to eat sand if they decide they want to, regardless of whether it is someone else’s sand. | A person may claim to be paid his salary by the company at the end of the month. |
| Virtue-based Ethics | Places less emphasis on the rules that people should follow and instead tries to find ways of teaching people good virtues such as generosity and kindness. | Character based ethic | I believe people should be able to eat sand if they like the taste of it. | The organization should teach people what is right or wrong and leave them to make good decisions later. |

Reference

Trevino, L., and Nelson, K. (2007). Managing business ethics: Straight talk about how to do it right. Hoboken: Wiley.

Saturday, September 21, 2019

E-Contracts and E-Signatures Essay

E-Contracts and E-Signatures Essay

I. Forming Contracts Online
Disputes arising from contracts entered into online concern the terms and assent to those terms.

A. Online Offers
Terms should be conspicuous and clearly spelled out. On a Web site, this can be done with a link to a separate page that contains the details. The text lists subjects that might be covered, including remedies, dispute settlement, payment, taxes, refund and return policies, disclaimers, and privacy policies. An online offer should also include a mechanism by which an offeree can affirmatively indicate assent (such as an “I agree” box to click on).

1. Click-On Agreements
A click-on agreement occurs when a buyer, completing a transaction on a computer, is required to indicate his or her assent to be bound by the terms of an offer by clicking on a button that says, for example, “I agree.” The terms may appear on a Web site through which a buyer is obtaining goods or services, or they may appear on a computer screen when software is loaded.

2. Shrink-Wrap Agreements
A shrink-wrap agreement is an agreement whose terms are expressed inside a box in which computer hardware or software is packaged. In most cases, the agreement is not between a seller and a buyer, but between a manufacturer and the user of the product. The terms generally concern warranties, remedies, and other issues associated with the use of the product.
• Courts often enforce shrink-wrap agreements, reasoning that the seller proposed an offer that the buyer accepted after an opportunity to read the terms. Also, it is more practical to enclose the full terms of a sale in a box.
• If a court finds that the buyer learned of the shrink-wrap terms after the parties entered into a contract, the court might conclude that those terms were proposals for additional terms, which were not part of the contract unless the buyer expressly agreed to them.

3. Browse-Wrap Terms
Browse-wrap terms, which can also occur in an online transaction, do not require a user to assent to the terms before going ahead with the deal. Offerors of these terms generally assert that they are binding without the user’s active consent. Critics argue that a user should at least be required to navigate past the terms before they should be considered binding.

II. E-Signatures
The text discusses how e-signatures are created and verified, and their legal effect.

A. E-Signature Technologies
The text discusses three common methods for creating e-signatures.

B. State Laws Governing E-Signatures
Most states have laws governing e-signatures, although the laws are not uniform. The Uniform Electronic Transactions Act (UETA), issued in 1999 and adopted by most states, was an attempt by the National Conference of Commissioners on Uniform State Laws (NCCUSL) to create more uniformity.

C. Federal Law on E-Signatures and E-Documents
In 2000, Congress enacted the Electronic Signatures in Global and National Commerce Act (E-SIGN Act) to provide that no contract, record, or signature may be “denied legal effect” solely because it is in an electronic form. Some documents are excluded, most notably documents governed by Articles 3, 4, and 9 of the UCC.

III. Partnering Agreements
Through a partnering agreement, a seller and a buyer agree in advance on the terms to apply in all transactions subsequently conducted electronically. These terms may include access and identification codes. A partnering agreement, like any contract, can prevent later disputes.

IV. The Uniform Electronic Transactions Act
The UETA, which is a draft of legislation suggested to the states by the National Conference of Commissioners on Uniform State Laws (NCCUSL) and the American Law Institute (ALI), removes barriers to e-commerce by giving the same legal effect to electronic records and signatures as to paper documents and signatures.

A. The Scope and Applicability of the UETA
The UETA applies only to e-records and e-signatures relating to a transaction (an interaction between two or more people relating to business, commercial, or governmental activities). The UETA does not apply to laws governing wills or testamentary trusts, the UCC (except Articles 2 and 2A), the UCITA, and other laws excluded by the states.

B. The Federal E-SIGN Act and the UETA
If a state enacts the UETA without modification, the E-SIGN Act does not preempt it. The E-SIGN Act does preempt modified versions of the UETA to the extent that they are inconsistent with the E-SIGN Act. Under the E-SIGN Act, states may enact alternative procedures or requirements for the use or acceptance of e-records or e-signatures if (1) those procedures or requirements are consistent with the E-SIGN Act, (2) the state’s procedures do not give greater legal effect to any specific type of technology, and (3) if the state adopts the alternative after the enactment of the E-SIGN Act, the state law must refer to the E-SIGN Act.

C. Highlights of the UETA
State versions may vary.
1. The Parties Must Agree to Conduct Transactions Electronically. This agreement may be implied by the circumstances and the parties’ conduct (for example, giving out a business card with an e-mail address on it). Consent may also be withdrawn.
2. Parties Can “Opt Out.” Parties can waive or vary any or all of the UETA, but the UETA applies in the absence of an agreement to the contrary.
3. Attribution. The effect of an e-record is determined from its context and circumstances. A person’s name is not necessary to give effect to an e-record, but if, for example, a person types his or her name at the bottom of an e-mail purchase order, that typing qualifies as a “signature” and is attributed to the person. Any relevant evidence can prove that an e-record or e-signature is, or is not, the act of the person. If issues arise relating to agency, authority, forgery, or contract formation, state laws other than the UETA apply.
4. Notarization. A document can be notarized by a notary’s e-signature.
5. The Effect of Errors. If the parties agree to a security procedure and one party does not detect an error because it did not follow the procedure, the conforming party can avoid the effect of the error [UETA 10]. If the parties do not agree on a security procedure, other state laws determine the effect of the mistake. To avoid the effect of an error, a party must (1) promptly notify the other of the error and of his or her intent not to be bound by it and (2) take reasonable steps to return any benefit or consideration received. If restitution cannot be made, the transaction may be unavoidable.
6. Timing. An e-record is sent when it is properly directed from the sender’s place of business to the intended recipient in a form readable by the recipient’s computer at the recipient’s place of business that has the closest relation to the transaction (or either party’s residence, if there is no place of business). Once an e-record leaves the sender’s control or comes under the recipient’s control, it is sent. An e-record is received when it enters the recipient’s processing system in a readable form, even if no person is aware of its receipt.

Friday, September 20, 2019

Technology for Network Security

2.0 CHAPTER TWO

2.1 INTRODUCTION
The ever-increasing need for information technology as a result of globalisation has brought about the need for better network security systems. The rate at which computer networks are expanding to accommodate higher bandwidth, unique storage demands and an increasing number of users cannot be overemphasised. As this demand grows daily, so do the threats associated with it: virus attacks, worm attacks, denial of service (DoS) and distributed denial of service (DDoS) attacks, and so on. This calls for swift security measures to address these threats in order to protect data reliability, integrity, availability and the other resources needed across the network. Generally, network security can be described as a way of protecting the integrity of a network by ensuring that unauthorised access, or threats of any form, are kept away from valuable information. As network architectures expand, tackling security becomes more and more complex, keeping network administrators on their toes to guard against the attacks that occur daily. Some of the malicious attacks are virus and worm attacks, denial of service attacks, IP spoofing, password cracking, Domain Name System (DNS) poisoning, etc. To combat these threats, many security elements have been designed, including firewalls, Virtual Private Networks (VPN), encryption and decryption, cryptography, Internet Protocol Security (IPSec), Triple Data Encryption Standard (3DES), Demilitarised Zones (DMZ), Secure Sockets Layer (SSL), etc.
This chapter starts by briefly discussing the Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP); it then discusses the Open Systems Interconnection (OSI) model and the protocols that operate at each layer of the model, network security elements, the background of firewalls, the types and features of firewalls and, lastly, network security tools.

2.2 A BRIEF DESCRIPTION OF TCP, IP, UDP AND ICMP

2.2.1 DEFINITION
Following the tremendous growth of the Internet, a global communication standard aimed at interconnecting heterogeneous networks, known as the TCP/IP protocol suite, was designed (Dunkels 2003; Global Knowledge 2007; Parziale et al 2006). The TCP/IP protocol suite is the core set of rules used by applications such as file transfer, e-mail and web page transfer between hosts across heterogeneous networks (Dunkels 2003; Parziale et al 2006). It is therefore necessary for a network administrator to have a good understanding of TCP/IP when configuring firewalls, as most policies are set to protect the internal network from attacks that use the TCP/IP protocols for communication (Noonan and Dobrawsky 2006). Many network attacks result from improper configuration and poor implementation of TCP/IP protocols, services and applications. TCP/IP makes use of protocols such as TCP, UDP, IP and ICMP to define the rules by which communication over the network takes place (Noonan and Dobrawsky 2006). Before these protocols are discussed, this thesis briefly looks at the theoretical Open Systems Interconnection (OSI) model (Simoneau 2006).
2.2.2 THE OSI MODEL
The OSI model is a standardised layered model defined by the International Organization for Standardization (ISO) which divides network communication into seven separate layers, each with its own functions, offering services to the layer immediately above it and using the services of the layer immediately below it (Parziale et al 2006; Simoneau 2006). The seven layers are the Application, Presentation, Session, Transport, Network, Data Link and Physical layers. The three lower layers (Network, Data Link and Physical) are largely hardware-oriented, while the four upper layers (Application, Presentation, Session and Transport) are implemented in software.
• Application Layer: the end-user interface that supports file transfer, web browsing, electronic mail, etc. This layer allows user interaction with the system.
• Presentation Layer: responsible for formatting the data to be sent across the network so that the receiving application can understand the message; in the model this is also where message encryption and decryption for security purposes are placed.
• Session Layer: responsible for dialogue and session control between systems.
• Transport Layer: provides end-to-end communication, reliable or unreliable, between end devices across the network. The two most used protocols in this layer are TCP and UDP.
• Network Layer: also known as the logical layer, responsible for logical addressing and packet delivery services. The protocol used in this layer is IP.
• Data Link Layer: responsible for framing units of information, error checking and physical addressing.
• Physical Layer: defines transmission medium requirements and connectors, and is responsible for the transmission of bits on the physical hardware (Parziale et al 2006; Simoneau 2006).
2.2.3 INTERNET PROTOCOL (IP)
IP is a connectionless protocol designed to deliver data between hosts across the network. IP delivery is unreliable (best effort), so reliable delivery between hosts depends on an upper-layer protocol such as TCP; IP itself is carried over link-layer protocols such as IEEE 802.2 and IEEE 802.3 (Noonan and Dobrawsky 2006).

2.2.4 TRANSMISSION CONTROL PROTOCOL (TCP)
TCP is a standard connection-oriented transport mechanism operating at the transport layer of the OSI model, described by Request for Comments (RFC) 793. TCP solves the unreliability of the network-layer protocol (IP) by making sure segments are reliably and accurately transmitted, recovering from errors and managing flow control between hosts across the network (Abie 2000; Noonan and Dobrawsky 2006; Simoneau 2006). TCP first creates a session between hosts by means of the TCP three-way handshake. The sending host sends a synchronise (SYN) segment to the receiving host; this is step one. The receiving host replies with an acknowledgement (ACK) combined with its own SYN, the SYN/ACK, which is step two. The sending host completes the handshake by responding with its own ACK segment, acknowledging the SYN/ACK, which is step three. Once this is complete, the hosts have established a virtual circuit through which data is transferred (Noonan and Dobrawsky 2006). As good as the three-way handshake is, it has a well-known shortcoming: the SYN flood attack. In this attack a destination host such as a server is flooded with SYN session requests from a malicious source host that never sends the final ACK, so every request stays half-open and occupies an entry in the server's connection queue. The result is a denial of service (DoS): the destination host's buffer fills up to the point where it can no longer accept requests from legitimate hosts and has no choice but to drop them (Noonan and Dobrawsky 2006).

2.2.5 USER DATAGRAM PROTOCOL (UDP)
UDP, unlike TCP, is a standard connectionless transport mechanism operating at the transport layer of the OSI model, described by RFC 768 (Noonan and Dobrawsky 2006; Simoneau 2006). When UDP is used to transfer packets between hosts, session initiation, retransmission of lost or damaged packets and acknowledgements are omitted, so delivery is not guaranteed (Sundararajan et al 2006; Postel 1980). UDP has low overhead because no session is set up between hosts before data transmission starts, which makes it best suited to small data transmissions (Noonan and Dobrawsky 2006).

2.2.6 INTERNET CONTROL MESSAGE PROTOCOL (ICMP)
ICMP is primarily designed to identify and report routing errors, delivery failures and delays on the network. It only reports errors and cannot correct them; correction is left to routing protocols or reliable protocols such as TCP (Noonan and Dobrawsky 2006; Dunkels 2003). The ping command uses ICMP's echo request and echo reply messages to check whether a host is responding to network traffic (Noonan and Dobrawsky 2006; Dunkels 2003).

2.3 OTHER NETWORK SECURITY ELEMENTS

2.3.1 VIRTUAL PRIVATE NETWORK (VPN)
A VPN is a network security element that uses the public network infrastructure while maintaining the confidentiality of information transferred between hosts over that public network (Bou 2007).
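The three-way handshake and the SYN flood described in section 2.2.4 above, as an added example that is not code from the thesis: a small Python model of a listening socket with a bounded half-open queue. An attacker that sends SYNs but never completes step three fills the backlog and a legitimate client's SYN is dropped; a per-source limit on half-open connections, the kind of rule a firewall policy can enforce, restores service. The backlog size, the per-source limit and the addresses are assumptions made for this example.

```python
"""Added example for section 2.2.4: a simulated TCP listener with a bounded
half-open queue, a SYN flood against it, and a per-source half-open limit as
mitigation. Not code from the thesis; all addresses, ports and sizes are
constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]   # (ip, port)


@dataclass
class Listener:
    """Server side of the handshake with a bounded SYN_RECEIVED (half-open) queue."""
    backlog: int                             # assumption: half-open slots the kernel keeps
    per_source_limit: Optional[int] = None   # assumption: firewall policy, max half-open per client IP
    half_open: Dict[Endpoint, str] = field(default_factory=dict)
    established: Set[Endpoint] = field(default_factory=set)
    dropped: int = 0

    def on_syn(self, client: Endpoint) -> str:
        """Step 1: a SYN arrives. Returns the server's reply, 'SYN/ACK' or 'DROP'."""
        if client in self.half_open or client in self.established:
            return "SYN/ACK"          # retransmitted SYN: nothing new to allocate
        if self.per_source_limit is not None:
            from_same_ip = sum(1 for ip, _ in self.half_open if ip == client[0])
            if from_same_ip >= self.per_source_limit:
                self.dropped += 1
                return "DROP"         # this source already holds its share of half-open slots
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return "DROP"             # backlog exhausted: the damage a SYN flood does
        self.half_open[client] = "SYN_RECEIVED"
        return "SYN/ACK"              # step 2: SYN/ACK sent, now waiting for the client's ACK

    def on_ack(self, client: Endpoint) -> bool:
        """Step 3: the client's ACK completes the handshake. True if a connection is established."""
        if self.half_open.pop(client, None) is None:
            return False              # ACK for a connection we were not waiting on
        self.established.add(client)
        return True


def run_scenario(per_source_limit: Optional[int]) -> Dict[str, object]:
    """Flood the listener from one attacker address that never sends the final ACK,
    then check whether a legitimate client can still complete its handshake."""
    srv = Listener(backlog=8, per_source_limit=per_source_limit)
    attacker = "198.51.100.7"                      # constructed attacker address
    for port in range(40000, 40020):               # 20 SYNs, no ACK ever follows
        srv.on_syn((attacker, port))
    legit: Endpoint = ("192.0.2.10", 51000)        # constructed legitimate client
    reply = srv.on_syn(legit)
    connected = reply == "SYN/ACK" and srv.on_ack(legit)
    return {"legit_connected": connected,
            "half_open": len(srv.half_open),
            "dropped": srv.dropped}


if __name__ == "__main__":
    print("no policy:         ", run_scenario(None))
    print("per-source limit 2:", run_scenario(2))
```

Without a policy the eight-slot backlog is entirely held by the attacker and the legitimate client is refused; with a per-source limit of two the attacker still gets its SYNs dropped but the legitimate client connects. Real kernels add timeouts and SYN cookies on top of this, which the model leaves out.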
A VPN provides these security features through encryption and tunnelling, and can be configured to support at least three models:
• Remote-access connection.
• Site-to-site (branch offices to the headquarters).
• Local area network internetworking (extranet connection between companies and their business partners) (Bou 2007).

2.3.2 VPN TECHNOLOGY
VPNs make use of several standard protocols to implement data authentication (identification of trusted parties) and encryption (scrambling of data) when using the public network to transfer data. These protocols include:
• Point-to-Point Tunneling Protocol (PPTP) [RFC 2637]
• Secure Sockets Layer / Transport Layer Security (SSL/TLS) [RFC 2246]
• Internet Protocol Security (IPSec) [RFC 2401]
• Layer 2 Tunneling Protocol (L2TP) [RFC 2661]

2.3.2.1 POINT-TO-POINT TUNNELING PROTOCOL (PPTP)
PPTP was designed to provide a means of transferring data over the public infrastructure with authentication and encryption support between hosts on the network. It operates at the data link layer of the OSI model and relies on user identification (ID) and password authentication for its security; Schneier and Mudge (1998) showed that this password-based authentication and the encryption derived from it are weak. PPTP does not replace the Point-to-Point Protocol (PPP); it describes a way of tunnelling PPP traffic using Generic Routing Encapsulation (GRE) (Bou 2007; Microsoft 1999; Schneier and Mudge 1998).

2.3.2.2 LAYER 2 TUNNELING PROTOCOL (L2TP)
L2TP is a connection-oriented protocol standard defined by RFC 2661 which merged the best features of PPTP and the Layer 2 Forwarding (L2F) protocol to create the new standard (Bou 2007; Townsley et al 1999). Like PPTP, L2TP operates at layer 2 of the OSI model. Tunnelling in L2TP is achieved through a series of encapsulations by protocols at different layers, for example UDP, IPSec, IP and data-link layer protocols; L2TP itself provides no encryption, so the tunnel's encryption is provided by IPSec (Bou 2007; Townsley et al 1999).
2.3.2.3 INTERNET PROTOCOL SECURITY (IPSEC) [RFC 2401]
IPSec is a standard protocol suite defined by RFC 2401 which is designed to protect the payload of IP packets on the paths between hosts, between security gateways (routers and firewalls), or between a security gateway and a host over an unprotected network (Bou 2007; Kent and Atkinson 1998). IPSec operates at the network layer of the OSI model. Among the security services it provides are authentication, connectionless integrity, encryption (confidentiality), access control, data origin authentication and rejection of replayed packets (Kent and Atkinson 1998).

2.3.2.4 SECURE SOCKETS LAYER (SSL) [RFC 2246]
SSL, whose standardised successor TLS 1.0 is defined by RFC 2246, is designed to provide a secure communication channel between hosts by encrypting their traffic, ensuring confidentiality, integrity and proper host authentication in order to defeat eavesdropping attacks on the network (Homin et al 2007; Oppliger et al 2008). SSL uses digital certificates and cryptography to enforce these security measures. SSL is a transport-layer security protocol that runs on top of TCP/IP, which handles the transport and routing of packets across the network; in OSI terms it sits between the application and transport layers and is used by applications to authenticate hosts (Homin et al 2007; Oppliger et al 2008; Dierks and Allen 1999).

2.4 FIREWALL BACKGROUND
The concept of a network firewall is to prevent unauthorised packets from entering a network by filtering all packets coming into it. The word firewall was not originally computer security vocabulary; it initially described a wall, of brick or mortar, built to stop fire spreading from one part of a building to another, or to slow the spread of fire and give time for remedial action (Komar et al 2003).
2.4.1 BRIEF HISTORY OF FIREWALLS
Firewalls as used in computing date back to the late 1980s, although according to Cisco the first packet filter firewalls appeared around 1985 in its Internetwork Operating System (IOS) router software (Cisco System 2004). In 1988, Jeff Mogul of DEC (Digital Equipment Corporation) published the first paper on firewalls. Between 1989 and 1990, two researchers at AT&T Bell Laboratories, Howard Trickey and Dave Presotto, initiated the second-generation firewall technology with their work on circuit relays, called circuit-level firewalls. The same two researchers also implemented the first working model of the third-generation design, application-layer firewalls, but unfortunately published no documents explaining their work and released no product. Around 1990 to 1991, several papers on third-generation firewalls were published; Marcus Ranum's work received the most attention in 1991 and took the form of bastion hosts running proxy services. Ranum's work quickly evolved into the first commercial product, Digital Equipment Corporation's SEAL (Cisco System 2004). About the same time, work started on the fourth-generation firewall, dynamic packet filtering, which did not become operational until 1994 when Check Point Software shipped a complete working implementation. In 1996, planning began on the fifth-generation design, the kernel proxy architecture, which became reality in 1997 when Cisco released the Cisco Centri Firewall, the first commercial implementation of that design (Cisco System 2004). Since then many vendors have designed and implemented various forms of firewall in both hardware and software, and research continues to improve firewall architectures to meet the ever-increasing challenges of network security.
2.5 DEFINITION
According to the British Computer Society (2008), firewalls are defence mechanisms that can be implemented in either hardware or software, and serve to prevent unauthorised access to computers and networks. Similarly, Subrata et al (2006) define a firewall as a combination of hardware and software used to implement a security policy governing the flow of network traffic between two or more networks. The firewall concept in computer security is similar to a firewall built within a building but differs in function: while the latter is designed for one task, fire prevention, a computer firewall is designed to prevent more than one kind of threat (Komar et al 2003), including:
• Denial of Service (DoS) attacks
• Virus attacks
• Worm attacks
• Hacking attacks, etc.

2.5.1 DENIAL OF SERVICE ATTACKS (DOS)
“Countering DoS attacks on web servers has become a very challenging problem” (Srivatsa et al 2006). A DoS attack aims to deny legitimate packets access to network resources. The attacker achieves this by running a program that floods the network, making resources such as main memory, network bandwidth and hard disk space unavailable for legitimate traffic. The SYN attack is a good example of a DoS attack, but it can be mitigated by good firewall policies for the secured network. A detailed firewall policy (iptables) is presented in chapter three of this thesis.

2.5.2 VIRUS AND WORM ATTACKS
Virus and worm attacks are a big security problem which can become pandemic in the twinkling of an eye, resulting in huge loss of information or system damage (Ford et al 2005; Cisco System 2004).
These two forms of attack can be programs designed to open up systems to allow information theft, or programs that replicate themselves once they get into a system until they crash it; some are programmed to generate traffic that floods the network, leading to DoS attacks. Therefore, security tools that can proactively detect possible attacks are required to secure the network. One such tool is a firewall with a good security policy configuration (Cisco System 2004). Generally speaking, any firewall implementation performs the following tasks:
• Manage and control network traffic
• Authenticate access
• Act as an intermediary
• Make internal resources available
• Record and report events

2.5.3 MANAGE AND CONTROL NETWORK TRAFFIC
The first thing a firewall does to secure a network is to check all traffic entering and leaving it. This is achieved by stopping each packet and analysing its source IP address, source port, destination IP address, destination port, IP protocol and other header information, in order to decide whether to accept or reject it. This action is called packet filtering and depends on the firewall configuration. The firewall can also track the connections between TCP/IP hosts, identifying each connection and the way the hosts communicate, to decide which connections should be permitted or discarded. This is achieved by maintaining a state table that records the state of every connection passing through the firewall, and is called stateful inspection (Noonan and Dobrawsky 2006).
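The packet filtering and stateful inspection described in section 2.5.3, as an added example that is not code from the thesis: a Python filter that first decides new connections on the 5-tuple with static rules and then keeps a state table so that reply traffic for a tracked connection is accepted while a stray SYN/ACK or ACK with no matching state is dropped. The rule set, the addresses and the sample packets are constructed for this example.

```python
"""Added example for section 2.5.3: a packet filter that decides on the 5-tuple
with static rules, plus a state table so that replies to tracked connections
are accepted and out-of-state packets are dropped (stateful inspection).
Not code from the thesis; addresses, ports and the rule set are constructed."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags: "S" = SYN, "SA" = SYN/ACK, "A" = ACK


class Rule(NamedTuple):
    action: str                      # "accept" or "drop"
    proto: Optional[str] = None      # None matches any protocol
    src: Optional[str] = None        # CIDR prefix; None matches any source
    dport: Optional[int] = None      # None matches any destination port


FlowKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: Dict[FlowKey, str] = {}   # tracked connections, keyed in the initiator's direction

    def _rule_verdict(self, p: Packet) -> Optional[str]:
        """First matching rule wins, as in most firewall rule sets."""
        for r in self.rules:
            if r.proto is not None and r.proto != p.proto:
                continue
            if r.src is not None and ip_address(p.src) not in ip_network(r.src):
                continue
            if r.dport is not None and r.dport != p.dport:
                continue
            return r.action
        return None

    def filter(self, p: Packet) -> str:
        """Return 'accept' or 'drop' for one packet, updating the state table."""
        forward: FlowKey = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse: FlowKey = (p.proto, p.dst, p.dport, p.src, p.sport)
        # 1. Reply direction of a tracked connection: accepted without consulting the rules.
        if reverse in self.state:
            if p.proto == "tcp" and self.state[reverse] == "SYN_SENT" and p.flags == "SA":
                self.state[reverse] = "ESTABLISHED"
            return "accept"
        # 2. Further packets in the initiator's direction of a tracked connection.
        if forward in self.state:
            return "accept"
        # 3. A new TCP connection must begin with a bare SYN; a stray SYN/ACK or ACK is out of state.
        if p.proto == "tcp" and p.flags != "S":
            return "drop"
        # 4. New connection: consult the static rules, default-deny.
        verdict = self._rule_verdict(p) or "drop"
        if verdict == "accept":
            self.state[forward] = "SYN_SENT" if p.proto == "tcp" else "UDP"
        return verdict


def demo() -> List[str]:
    """Constructed traffic through a policy that only lets inside hosts open HTTPS and DNS."""
    fw = StatefulFirewall([
        Rule("accept", proto="tcp", src="10.0.0.0/8", dport=443),
        Rule("accept", proto="udp", src="10.0.0.0/8", dport=53),
    ])
    packets = [
        Packet("tcp", "10.1.1.5", 50000, "203.0.113.20", 443, "S"),    # inside client opens HTTPS
        Packet("tcp", "203.0.113.20", 443, "10.1.1.5", 50000, "SA"),   # server's SYN/ACK: reply to a tracked flow
        Packet("tcp", "10.1.1.5", 50000, "203.0.113.20", 443, "A"),    # client's ACK completes the handshake
        Packet("tcp", "203.0.113.20", 443, "10.1.1.5", 50001, "SA"),   # unsolicited SYN/ACK: no matching state
        Packet("tcp", "203.0.113.20", 443, "10.1.1.5", 50002, "A"),    # ACK scan from outside: out of state
        Packet("udp", "10.1.1.5", 40000, "203.0.113.53", 53),          # DNS query out
        Packet("udp", "203.0.113.53", 53, "10.1.1.5", 40000),          # DNS reply in, matched by state
        Packet("tcp", "10.1.1.5", 50003, "203.0.113.20", 22, "S"),     # SSH is not in the policy
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A purely stateless filter would need an explicit rule allowing inbound packets from port 443 and 53 to any inside port, which is exactly what the ACK-scan and unsolicited SYN/ACK packets exploit; the state table lets those rules be dropped. A production implementation would also age entries out of the table.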
2.5.4 AUTHENTICATE ACCESS
When a firewall inspects a packet's source IP address, source port, destination IP address, destination port, IP protocol and other header information and filters it according to the defined security policy, that alone does not guarantee that the communication between the source and destination hosts is authorised: an attacker can spoof IP addresses and ports, defeating inspection based on address and port screening alone. To tackle this, firewalls implement authentication by a number of means, such as username and password (XAUTH), certificates and public keys, and pre-shared keys (PSKs). With XAUTH, the firewall asks the source host that is trying to initiate a connection to a host on the protected network for its username and password before allowing the connection to be established. Once the connection has been confirmed and authorised according to the defined security policy, the source host need not authenticate itself again for that connection (Noonan and Dobrawsky 2006). The second method uses certificates and public keys. Its advantage over XAUTH is that verification takes place without the source host having to supply a username and password. Implementing certificates and public keys requires the hosts on the protected network, the source host and the firewall to be configured with certificates and to use a properly configured public key infrastructure. This method is best suited to large network designs (Noonan and Dobrawsky 2006). Another good way of handling authentication on firewalls is to use pre-shared keys (PSKs).
PSKs are easier to implement than certificates and public keys; authentication still occurs without the source host's intervention, the difference being that the host is provisioned in advance with a predetermined key that is used in the verification procedure (Noonan and Dobrawsky 2006).

2.5.5 ACT AS AN INTERMEDIARY
When firewalls are configured to serve as an intermediary between a protected host and an external host, they function as an application proxy. In this setup the firewall impersonates the protected host: all packets destined for the protected host from the external host are delivered to the firewall, which appears to the external host to be the protected host. Once the firewall receives the packets, it inspects them to determine whether they are valid (e.g. a genuine HTTP request) before forwarding them to the protected host. This design completely blocks direct communication between the two hosts.

2.5.6 RECORD AND REPORT EVENTS
While it is good practice to put strong security policies in place to secure a network, it is equally important to record firewall events. Using the firewall to record and report events helps to investigate what kind of attack took place in situations where the firewall was unable to stop malicious packets that violated the access control policy of the protected network. The recorded events give the network administrator a clear understanding of the attack and can be used to troubleshoot the problem that has taken place. Network administrators use different logging methods, but syslog or a proprietary logging format are most common for firewalls. However, some malicious events need to be reported quickly so that immediate action can be taken before serious damage is done to the protected network.
Therefore firewalls also need an alarm mechanism, in addition to syslog or proprietary logging, for whenever the access control policy of the protected network is violated. Types of alarm supported by firewalls include console notification, Simple Network Management Protocol (SNMP) traps, paging notification and e-mail notification (Noonan and Dobrawsky 2006). Console notification is a warning message presented on the firewall console; its drawback is that the console must be monitored by the network administrator at all times so that action can be taken when an alarm is raised. SNMP notification sends traps to the network management system (NMS) monitoring the firewall. Paging notification delivers a page to the network administrator whenever the firewall encounters an event; the message can be alphanumeric or numeric depending on how the firewall is set up. E-mail notification is similar to paging, except that the firewall sends an e-mail to the configured address.

2.6 TYPES OF FIREWALLS
Following the firewall definition, firewalls are expected to perform key functions such as application proxying, Network Address Translation (NAT) and packet filtering.

2.6.1 APPLICATION PROXY
Also known as an application gateway, the application proxy acts as a connection agent between the protected network and the external network. Basically, the application proxy is a host on the protected network that is set up as a proxy server. As the name implies, it functions at the application layer of the Open Systems Interconnection (OSI) model and makes sure that all application requests from the secured network reach the external network through the proxy server, and that no packet passes from the external network to the secured network until the proxy has checked and confirmed it.
This type of firewall supports different protocols such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP) and Simple Mail Transfer Protocol (SMTP) (Noonan and Dobrawsky 2006; NetContinuum 2006).

2.6.2 NETWORK ADDRESS TRANSLATION (NAT)
NAT alters the IP addresses in packets, hiding the genuine addresses of hosts on the secured network by dynamically replacing them with different addresses (Cisco System 2008; Walberg 2007). When request packets are sent from a secured host through the gateway to an external host, NAT rewrites the source address to a different address. When the reply packets arrive at the gateway, NAT replaces the translated address with the genuine host address before forwarding them to the host (Walberg 2007). The role NAT plays in a secured network makes it difficult for an unauthorised party to learn:
• The number of hosts in the protected network
• The topology of the network
• The operating systems the hosts are running
• The type of host machines (Cisco System 2008)

2.6.3 PACKET FILTERING
“Firewalls and IPSec gateways have become major components in the current high speed Internet infrastructure to filter out undesired traffic and protect the integrity and confidentiality of critical traffic” (Hamed and Al-Shaer 2006). Packet filtering is based on the security rules laid down for a network or system. Filtering traffic is a big task that requires a comprehensive understanding of the network on which it is set up, and the defined policy must be kept up to date to handle new network attacks (Hamed and Al-Shaer 2006).

2.6.4 INTRUSION DETECTION SYSTEMS
Network penetration attacks are on the increase, with valuable information being stolen or damaged by attackers. Many security products have been developed to combat these attacks; two of them are Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS).
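The address rewriting described in section 2.6.2, as an added example that is not code from the thesis: a Python source NAT in which outbound packets from inside hosts leave with the gateway's public address and a translated port, replies are looked up in the translation table and restored to the inside host, and an unsolicited inbound packet matches nothing and is not delivered. The addresses, the port allocation scheme and the sample packets are assumptions made for this example.

```python
"""Added example for section 2.6.2: source NAT on a gateway. Outbound packets
from inside hosts leave with the gateway's public address and a fresh port;
replies are looked up in the translation table and restored to the inside
host, and unsolicited inbound packets match nothing. Not code from the thesis;
the addresses are documentation ranges chosen for this example."""
from typing import Dict, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class SourceNAT:
    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port           # assumption: translated ports handed out sequentially
        # (proto, inside_ip, inside_port, dst, dport) -> translated public port
        self.out_table: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, public_port, dst, dport) -> (inside_ip, inside_port)
        self.in_table: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def outbound(self, p: Packet) -> Packet:
        """Inside -> outside: rewrite the source to the public address and a translated port."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        port = self.out_table.get(key)
        if port is None:                      # first packet of this flow: allocate a mapping
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[(p.proto, port, p.dst, p.dport)] = (p.src, p.sport)
        return p._replace(src=self.public_ip, sport=port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Outside -> inside: restore the genuine inside address, or None if nobody asked for it."""
        inside = self.in_table.get((p.proto, p.dport, p.src, p.sport))
        if inside is None:
            return None                       # unsolicited: the inside topology stays hidden
        return p._replace(dst=inside[0], dport=inside[1])


def demo() -> Dict[str, object]:
    """Two inside hosts, both using source port 50000, reach the same web server;
    only the replies they asked for come back, each to the right host."""
    nat = SourceNAT(public_ip="198.51.100.1")
    a_out = nat.outbound(Packet("tcp", "10.0.0.11", 50000, "203.0.113.20", 443))
    b_out = nat.outbound(Packet("tcp", "10.0.0.12", 50000, "203.0.113.20", 443))
    a_again = nat.outbound(Packet("tcp", "10.0.0.11", 50000, "203.0.113.20", 443))  # same flow, same mapping
    reply_b = nat.inbound(Packet("tcp", "203.0.113.20", 443, "198.51.100.1", b_out.sport))
    stray = nat.inbound(Packet("tcp", "203.0.113.20", 443, "198.51.100.1", 2000))
    return {
        "a_public": (a_out.src, a_out.sport),
        "b_public": (b_out.src, b_out.sport),
        "mapping_stable": a_again.sport == a_out.sport,
        "reply_b_inside": (reply_b.dst, reply_b.dport) if reply_b else None,
        "stray_delivered": stray is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two inside hosts share a source port, which is why the gateway must translate ports as well as addresses; the external server only ever sees 198.51.100.1 and two ports, which is the hiding effect section 2.6.2 describes. Real implementations also expire mappings and, in the sequential scheme assumed here, the predictable ports would be a weakness worth randomising.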
IDS are software designed to monitor and analyse all activity (network traffic) on the network for suspicious events that may violate the defined network security policies (Scarfone and Mell 2007; Vignam et al 2003). IDS use a variety of methods to detect threats on the network; two of them are anomaly-based and signature-based detection.

2.6.4.1 ANOMALY-BASED IDS
An anomaly-based IDS monitors and compares network events against what is defined as normal network activity, represented by a profile, in order to detect any deviation from the normal. The profile may cover the bandwidth typically used, the protocols in use, etc.; once the IDS identifies a deviation in any of these, it notifies the network administrator, who then takes the necessary action to stop the intended attack (Scarfone and Mell 2007).

2.6.4.2 SIGNATURE-BASED IDS
A signature-based IDS monitors and compares packets on the network against a signature database of known malicious attacks or threats. This type of IDS is efficient at identifying already-known threats but ineffective at identifying new threats not yet in the signature database, leaving the network open to such attacks (Scarfone and Mell 2007).

2.6.5 INTRUSION PREVENTION SYSTEMS (IPS)
IPS are proactive security products, in software or hardware, used to identify malicious packets and prevent them from entering the network (Ierace et al 2005; Botwicz et al 2006). An IPS is another form of firewall, designed to detect irregularities in normal network traffic and to stop network attacks such as denial of service. It is capable of dropping malicious packets and disconnecting any connection suspected to be illegitimate before the traffic reaches the protected host.
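The two detection methods of section 2.6.4 and the inline action of section 2.6.5, as an added example that is not code from the thesis: a Python signature matcher and a simple anomaly detector run over constructed flow records, followed by the IPS-style verdict (a signature hit is dropped, an anomaly only raises an alert because the evidence is statistical). The signatures, the baseline profile, the tolerance and every flow in the sample are made up for this example; one benign request is included that happens to contain the traversal pattern, so the over-broad signature produces the false positive that the IPS discussion warns about.

```python
"""Added example for sections 2.6.4 and 2.6.5: a signature-based detector and a
simple anomaly-based detector run over constructed flow records, followed by the
IPS-style decision (drop on a signature hit, alert only on an anomaly). Not code
from the thesis; the signatures, the baseline profile and every flow below are
made up for the example."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes


# Constructed signatures: (name, destination port the pattern applies to, byte pattern).
SIGNATURES = [
    ("http-traversal", 80, re.compile(rb"\.\./")),
    ("http-sqli-tautology", 80, re.compile(rb"(?i)'\s*or\s+1\s*=\s*1")),
    ("ftp-port-command", 21, re.compile(rb"(?i)^PORT \d+(,\d+){5}")),
]

# Constructed "normal" profile: expected share of flows per destination port and
# the largest number of distinct destinations one source normally talks to.
BASELINE = {"port_share": {80: 0.70, 443: 0.25, 53: 0.05}, "max_fanout": 5}
SHARE_TOLERANCE = 0.20   # assumption: how far a port's share may exceed the baseline


def signature_alerts(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """(signature, src, dst) for every flow whose payload matches a known-bad pattern."""
    hits = []
    for f in flows:
        for name, port, pattern in SIGNATURES:
            if f.dport == port and pattern.search(f.payload):
                hits.append((name, f.src, f.dst))
    return hits


def anomaly_alerts(flows: List[Flow]) -> List[Tuple[str, object, object]]:
    """Deviations from the baseline: a port carrying far more traffic than usual,
    or one source fanning out to more destinations than the profile allows."""
    alerts: List[Tuple[str, object, object]] = []
    total = len(flows)
    for port, n in Counter(f.dport for f in flows).items():
        share = n / total
        if share > BASELINE["port_share"].get(port, 0.0) + SHARE_TOLERANCE:
            alerts.append(("unusual-port-share", port, round(share, 2)))
    fanout: Dict[str, set] = {}
    for f in flows:
        fanout.setdefault(f.src, set()).add(f.dst)
    for src, dsts in fanout.items():
        if len(dsts) > BASELINE["max_fanout"]:
            alerts.append(("scan-like-fanout", src, len(dsts)))
    return alerts


def ips_verdicts(flows: List[Flow]) -> Dict[str, str]:
    """Per source: 'drop' on a signature hit (known bad), 'alert' on an anomaly
    (statistical evidence only), otherwise 'pass'."""
    dropped = {src for _, src, _ in signature_alerts(flows)}
    suspicious = {str(subject) for kind, subject, _ in anomaly_alerts(flows) if kind == "scan-like-fanout"}
    return {f.src: "drop" if f.src in dropped else "alert" if f.src in suspicious else "pass"
            for f in flows}


def build_sample_flows() -> List[Flow]:
    """Constructed traffic: normal browsing and DNS, one real traversal attack, one
    benign request that happens to contain the traversal pattern, and a port scanner."""
    flows = [
        Flow("10.0.0.5", "203.0.113.10", 80, "tcp", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        Flow("10.0.0.5", "203.0.113.10", 80, "tcp", b"GET /news HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        Flow("10.0.0.5", "203.0.113.11", 443, "tcp", b"\x16\x03\x01"),          # TLS: opaque to the IDS
        Flow("10.0.0.5", "203.0.113.53", 53, "udp", b"\x12\x34\x01\x00"),
        Flow("198.51.100.7", "203.0.113.10", 80, "tcp", b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
        Flow("10.0.0.6", "203.0.113.10", 80, "tcp", b"POST /wiki HTTP/1.1\r\n\r\ntext=see ../notes"),
    ]
    for i in range(8):   # one source touching eight hosts on port 22
        flows.append(Flow("198.51.100.9", f"203.0.113.{100 + i}", 22, "tcp", b""))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print(signature_alerts(sample))
    print(anomaly_alerts(sample))
    print(ips_verdicts(sample))
```

The signature matcher catches the traversal attempt from 198.51.100.7 but also drops the harmless wiki post from 10.0.0.6, a false positive caused by a pattern that is too broad; the scanner at 198.51.100.9 carries no known-bad payload at all and is only visible to the anomaly detector, which is why an IPS that relies on signatures alone would pass it. Real engines reassemble streams and decode protocols before matching, which this example skips.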
Just like a typical firewall, IPS makes use of define rules in the system setup to determine the action to take on any traffic and this could be to allow or block the traffic. IPS makes use of stateful packet analysis to protect the network. Similarly, IPS is capable of performing signature matching, application protocol validation etc as a means of detecting attacks on the network (Ierace et al 2005). As good as IPS are, they also have t heir downsides as well. One of it is the problem of false positive and false negative. False positive is a situation where legitimate traffic is been identified to be malicious and thereby resulting to the IPS blocking such traffic on the network. False negative on the other hand is when malicious traffic is be identified by the IPS as legitimate traffic thereby allowing such traffic to pass through the IPS to the protected network (Ierace N et al 2005). 2.7 SOFTWARE AND HARDWARE FIREWALLS 2.7.1 SOFTWARE FIREWALLS Software-based firewalls are computers installed software for filtering packets (Permpootanalarp and Rujimethabhas 2001). These are programs setup either on personal computers or on network servers (Web servers and Email severs) operating system. Once the software is installed and proper security polices are defined, the systems (personal computers or servers) assume the role of a firewall. Software firewalls are second line of defence after hardware firewalls in situations where both are used for network security. Also software firewalls can be installed on different operating system such as, Windows Operating Systems, Mac operating system, Novel Netware, Linux Kernel, and UNIX Kernel etc. The function of these firewalls is, filtering distorted network traffic. There are several software firewall some of which include, Online Armor firewall, McAfee Personal Firewall, Zone Alarm, Norton Personal Firewall, Black Ice Defender, Sygate Personal Firewall, Panda Firewall, The DoorStop X Fi rewall etc (Lugo Parker 2005). 
Technology for Network Security

2.0 CHAPTER TWO

2.1 INTRODUCTION

The ever increasing need for information technology as a result of globalisation has brought about the need for a better network security system. It is without a doubt that the rate at which computer networks are expanding in this modern time to accommodate higher bandwidth, unique storage demands and an increasing number of users cannot be over-emphasised. As this demand grows on a daily basis, so do the threats associated with it, some of which are virus attacks, worm attacks, and denial of service or distributed denial of service attacks. Having this in mind calls for swift security measures to address these threats in order to protect data reliability, integrity, availability and other needed network resources across the network.
Generally, network security can simply be described as a way of protecting the integrity of a network by making sure that unauthorised access or threats of any form are restricted from reaching valuable information. As network architecture begins to expand, tackling the issue of security becomes more and more complex to handle, keeping network administrators on their toes to guard against the possible attacks that occur on a daily basis. Some of the malicious attacks are virus and worm attacks, denial of service attacks, IP spoofing, password cracking, Domain Name Server (DNS) poisoning etc. In an effort to combat these threats, many security elements have been designed to tackle these attacks on the network. Some of these include firewalls, Virtual Private Networks (VPN), encryption and decryption, cryptography, Internet Protocol Security (IPSec), Triple Data Encryption Standard (3DES), Demilitarised Zones (DMZ), Secure Sockets Layer (SSL) etc. This chapter starts by briefly discussing Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP), then discusses the Open Systems Interconnection (OSI) model and the protocols that operate at each layer of the model, network security elements, followed by the background of firewalls, types and features of firewalls and lastly, network security tools.

2.2 A BRIEF DESCRIPTION OF TCP, IP, UDP AND ICMP

2.2.1 DEFINITION

Following the tremendous achievement of the World Wide Web (internet), a global communication standard with the aim of interconnecting heterogeneous networks, known as the TCP/IP protocol suite, was designed (Dunkels 2003; Global Knowledge 2007; Parziale et al 2006). The TCP/IP protocol suite is the core set of rules used for application transfers such as file transfers, e-mail traffic and web page transfers between hosts across heterogeneous networks (Dunkels 2003; Parziale et al 2006).
Therefore, it becomes necessary for a network administrator to have a good understanding of TCP/IP when configuring firewalls, as most of the policies are set to protect the internal network from possible attacks that use the TCP/IP protocols for communication (Noonan and Dobrawsky 2006). Many network attack incidents are the result of improper configuration and poor implementation of TCP/IP protocols, services and applications. TCP/IP makes use of protocols such as TCP, UDP, IP, ICMP etc to define the rules of how communication over the network takes place (Noonan and Dobrawsky 2006). Before these protocols are discussed, this thesis briefly looks into the theoretical Open Systems Interconnection (OSI) model (Simoneau 2006).

2.2.2 THE OSI MODEL

The OSI model is a standardised layered model defined by the International Organization for Standardization (ISO) for network communication which divides network communication into seven separate layers, each individual layer having its own unique functions, offering services to the layer immediately above it and at the same time using the services of the layer immediately below it (Parziale et al 2006; Simoneau 2006). The seven layers are Application, Presentation, Session, Transport, Network, Data Link and Physical. The three lower layers (Network, Data Link and Physical) are basically hardware implementations while the four upper layers (Application, Presentation, Session and Transport) are software implementations.

Application Layer: This is the end user operating interface that supports file transfer, web browsing, electronic mail etc. This layer allows user interaction with the system.

Presentation Layer: This layer is responsible for formatting the data to be sent across the network so that the application can understand the message being sent; in addition it is responsible for message encryption and decryption for security purposes.
Session Layer: This layer is responsible for dialog and session control functions between systems.

Transport Layer: This layer provides end-to-end communication, which could be reliable or unreliable, between end devices across the network. The two most used protocols in this layer are TCP and UDP.

Network Layer: This layer is also known as the logical layer and is responsible for logical addressing for packet delivery services. The protocol used in this layer is IP.

Data Link Layer: This layer is responsible for framing of units of information, error checking and physical addressing.

Physical Layer: This layer defines transmission medium requirements and connectors and is responsible for the transmission of bits on the physical hardware (Parziale et al 2006; Simoneau 2006).

2.2.3 INTERNET PROTOCOL (IP)

IP is a connectionless protocol designed to deliver data between hosts across the network. IP data delivery is unreliable and therefore depends on upper layer protocols such as TCP or lower layer protocols like IEEE 802.2 and IEEE 802.3 for reliable data delivery between hosts on the network (Noonan and Dobrawsky 2006).

2.2.4 TRANSMISSION CONTROL PROTOCOL (TCP)

TCP is a standard connection-oriented transport mechanism that operates at the transport layer of the OSI model. It is described by Request for Comments (RFC) 793. TCP solves the unreliability problem of the network layer protocol (IP) by making sure packets are reliably and accurately transmitted, errors are recovered and flow control between hosts across the network is efficiently monitored (Abie 2000; Noonan and Dobrawsky 2006; Simoneau 2006). The primary objective of TCP is to create a session between hosts on the network, and this process is carried out by what is called the TCP three-way handshake. When using TCP for data transmission between hosts, the sending host will first of all send a synchronise (SYN) segment to the receiving host, which is the first step in the handshake.
The receiving host, on receiving the SYN segment, replies with an acknowledgement (ACK) together with its own SYN segment, and this forms the second part of the handshake. The final step of the handshake is then completed by the sending host responding with its own ACK segment to acknowledge acceptance of the SYN/ACK. Once this process is completed, the hosts have established a virtual circuit between themselves through which the data will be transferred (Noonan and Dobrawsky 2006). As good as the three-way handshake of TCP is, it also has its shortcomings, the most common one being the SYN flood attack. This form of attack occurs when the destination host, such as a server, is flooded with SYN session requests without receiving any ACK reply from the source host (malicious host) that initiated the SYN sessions. The result of this action is a DoS attack, as the destination host's buffer gets to a point where it can no longer take any requests from legitimate hosts and has no other choice than to drop such session requests (Noonan and Dobrawsky 2006).

2.2.5 USER DATAGRAM PROTOCOL (UDP)

UDP, unlike TCP, is a standard connectionless transport mechanism that operates at the transport layer of the OSI model. It is described by Request for Comments (RFC) 768 (Noonan and Dobrawsky 2006; Simoneau 2006). When using UDP to transfer packets between hosts, session initiation, retransmission of lost or damaged packets and acknowledgements are omitted; therefore, 100 percent packet delivery is not guaranteed (Sundararajan et al 2006; Postel 1980). UDP is designed with low overhead as it does not involve initiation of a session between hosts before data transmission starts. This protocol is best suited for small data transmissions (Noonan and Dobrawsky 2006).

2.2.6 INTERNET CONTROL MESSAGE PROTOCOL (ICMP)

ICMP is primarily designed to identify and report routing errors, delivery failures and delays on the network.
This protocol can only be used to report errors and cannot be used to make any correction of the identified errors; it depends on routing protocols or reliable protocols like TCP to handle the errors detected (Noonan and Dobrawsky 2006; Dunkels 2003). ICMP makes use of the echo mechanism called the Ping command. This command is used to check whether a host is replying to network traffic or not (Noonan and Dobrawsky 2006; Dunkels 2003).

2.3 OTHER NETWORK SECURITY ELEMENTS

2.3.1 VIRTUAL PRIVATE NETWORK (VPN)

A VPN is one of the network security elements that makes use of the public network infrastructure to securely maintain the confidentiality of information transferred between hosts over the public network (Bou 2007). A VPN provides these security features by making use of encryption and tunnelling techniques to protect such information, and it can be configured to support at least three models, which are:

Remote-access connection
Site-to-site (branch offices to the headquarters)
Local area network internetworking (extranet connection of companies with their business partners) (Bou 2007).

2.3.2 VPN TECHNOLOGY

VPNs make use of many standard protocols to implement data authentication (identification of trusted parties) and encryption (scrambling of data) when making use of the public network to transfer data. These protocols include:

Point-to-Point Tunneling Protocol (PPTP) [RFC 2637]
Secure Sockets Layer (SSL) [RFC 2246]
Internet Protocol Security (IPSec) [RFC 2401]
Layer 2 Tunneling Protocol (L2TP) [RFC 2661]

2.3.2.1 POINT-TO-POINT TUNNELING PROTOCOL (PPTP)

The design of PPTP provides a secure means of transferring data over the public infrastructure with authentication and encryption support between hosts on the network. This protocol operates at the data link layer of the OSI model and basically relies on user identification (ID) and password authentication for its security.
PPTP did not eliminate the Point-to-Point Protocol (PPP), but rather describes a better way of tunnelling PPP traffic by using Generic Routing Encapsulation (GRE) (Bou 2007; Microsoft 1999; Schneier and Mudge 1998).

2.3.2.2 LAYER 2 TUNNELING PROTOCOL (L2TP)

L2TP is a connection-oriented protocol standard defined by RFC 2661 which merged the best features of PPTP and the Layer 2 Forwarding (L2F) protocol to create the new standard (L2TP) (Bou 2007; Townsley et al 1999). Just like PPTP, L2TP operates at layer 2 of the OSI model. Tunnelling in L2TP is achieved through a series of data encapsulations by protocols at different layers. Examples are UDP, IPSec, IP and data link layer protocols, but the data encryption for the tunnel is provided by IPSec (Bou 2007; Townsley et al 1999).

2.3.2.3 INTERNET PROTOCOL SECURITY (IPSEC) [RFC 2401]

IPSec is a standard protocol defined by RFC 2401 which is designed to protect the payload of an IP packet and the paths between hosts, between security gateways (routers and firewalls), or between a security gateway and a host over an unprotected network (Bou 2007; Kent and Atkinson 1998). IPSec operates at the network layer of the OSI model. Some of the security services it provides are authentication, connectionless integrity, encryption, access control, data origin authentication, rejection of replayed packets, etc (Kent and Atkinson 1998).

2.3.2.4 SECURE SOCKETS LAYER (SSL) [RFC 2246]

SSL is a standard protocol defined by RFC 2246 which is designed to provide a secure communication tunnel between hosts by encrypting host communication over the network, to ensure packet confidentiality, integrity and proper host authentication, in order to eliminate eavesdropping attacks on the network (Homin et al 2007; Oppliger et al 2008). SSL makes use of security elements such as digital certificates and cryptography to enforce security measures over the network.
SSL is a transport layer security protocol that runs on top of TCP/IP, which manages the transport and routing of packets across the network. SSL is also deployed at the application layer of the OSI model to ensure host authentication (Homin et al 2007; Oppliger et al 2008; Dierks and Allen 1999).

2.4 FIREWALL BACKGROUND

The concept of a network firewall is to prevent unauthorised packets from gaining entry into a network by filtering all packets that are coming into that network. The word firewall was not originally computer security vocabulary, but was initially used to describe a wall, which could be brick or mortar, built to restrain fire from spreading from one part of a building to another or to reduce the spread of the fire in the building, giving some time for remedial actions to be taken (Komar et al 2003).

2.4.1 BRIEF HISTORY OF FIREWALLS

Firewalls as used in computing date as far back as the late 1980s, but the first set of firewalls came to light sometime in 1985, produced by Cisco's Internetwork Operating System (IOS) division and called the packet filter firewall (Cisco System 2004). In 1988, Jeff Mogul from DEC (Digital Equipment Corporation) published the first paper on firewalls. Between 1989 and 1990, two workers at AT&T Bell Laboratories, Howard Trickey and Dave Presotto, initiated the second generation firewall technology with their study of circuit relays, called the circuit level firewall. The two scientists also implemented the first working model of the third generation firewall design, called application layer firewalls. Sadly enough, there were no published documents explaining their work and no product was released to support it. Around the same years (1990-1991), different papers on third generation firewalls were published by researchers, but among them Marcus Ranum's work received the most attention in 1991 and took the form of bastion hosts running proxy services.
Ranum's work quickly evolved into the first commercial product, Digital Equipment Corporation's SEAL product (Cisco System 2004). About the same year, work started on the fourth generation firewall, called dynamic packet filtering, which was not operational until 1994 when Check Point Software rolled out a complete working model of the fourth generation firewall architecture. In 1996, plans began on the fifth generation firewall design called the Kernel Proxy architecture, which became reality in 1997 when Cisco released the Cisco Centri Firewall, the first proxy firewall produced for commercial use (Cisco System 2004). Since then many vendors have designed and implemented various forms of firewall in both hardware and software, and to date research is ongoing to improve firewall architecture to meet the ever increasing challenges of network security.

2.5 DEFINITION

According to the British Computer Society (2008), firewalls are defence mechanisms that can be implemented in either hardware or software, and serve to prevent unauthorised access to computers and networks. Similarly, Subrata et al (2006) defined a firewall as a combination of hardware and software used to implement a security policy governing the flow of network traffic between two or more networks. The concept of a firewall in computer systems security is similar to a firewall built within a building, but they differ in their functions. While the latter is purposely designed for only one task, which is fire prevention in a building, a computer system firewall is designed to prevent more than one threat (Komar et al 2003). These include the following:

Denial of Service attacks (DoS)
Virus attacks
Worm attacks
Hacking attacks etc

2.5.1 DENIAL OF SERVICE ATTACKS (DOS)

"Countering DoS attacks on web servers has become a very challenging problem" (Srivatsa et al 2006). This is an attack that is aimed at denying legitimate packets access to network resources.
The attacker achieves this by running a program that floods the network, making network resources such as main memory, network bandwidth and hard disk space unavailable for legitimate packets. The SYN attack is a good example of a DoS attack, but it can be prevented by implementing good firewall policies for the secured network. A detailed firewall policy (iptables) is presented in chapter three of this thesis.

2.5.2 VIRUS AND WORM ATTACKS

Virus and worm attacks are a big security problem which can become pandemic in the twinkling of an eye, resulting in possible huge loss of information or system damage (Ford et al 2005; Cisco System 2004). These two forms of attack can be programs designed to open up systems to allow information theft, or programs that replicate themselves once they get into a system until they crash the system, and some could be programmed to generate programs that flood the network, leading to DoS attacks. Therefore, security tools that can proactively detect possible attacks are required to secure the network. One such tool is a firewall with a good security policy configuration (Cisco System 2004). Generally speaking, any kind of firewall implementation will basically perform the following tasks:

Manage and control network traffic
Authenticate access
Act as an intermediary
Make internal resources available
Record and report events

2.5.3 MANAGE AND CONTROL NETWORK TRAFFIC

The first process undertaken by a firewall to secure a computer network is checking all the traffic coming into and leaving the network. This is achieved by stopping and analysing the packet's source IP address, source port, destination IP address, destination port, IP protocol, packet header information etc in order to decide what action to take on such packets, either to accept or reject the packet. This action is called packet filtering and it depends on the firewall configuration.
Likewise, the firewall can also make use of the connections between TCP/IP hosts, which are established for identification and to state the way the hosts will communicate with each other, to decide which connections should be permitted or discarded. This is achieved by maintaining a state table used to check the state of all the packets passing through the firewall. This is called stateful inspection (Noonan and Dobrawsky 2006).

2.5.4 AUTHENTICATE ACCESS

When a firewall inspects and analyses a packet's source IP address, source port, destination IP address, destination port, IP protocol, packet header information etc, and probably filters it based on the specified security procedure defined, it does not guarantee that the communication between the source host and destination host is authorised, in that hackers can manage to spoof the IP address and port, which defeats inspection and analysis based on IP and port screening. To tackle this pitfall over the network, an authentication rule is implemented in the firewall using a number of means such as the use of a username and password (xauth), certificates and public keys, and pre-shared keys (PSKs). In using the xauth authentication method, the firewall will request from the source host that is trying to initiate a connection with a host on the protected network its username and password before it will allow the connection between the protected network and the source host to be established. Once the connection has been confirmed and authorised by the security procedure defined, the source host need not authenticate itself again to make a connection (Noonan and Dobrawsky 2006). The second method is using certificates and public keys. The advantage of this method over xauth is that verification can take place without the source host having to supply its username and password for authentication.
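As an added illustration of the stateful inspection described in 2.5.3 and of the three-way handshake and SYN flood of 2.2.4 (example code written for this page, not taken from the cited sources), the following Python simulates a stateful filter: it admits only policy-permitted SYNs, walks each connection through the handshake in a state table, drops packets that match no table entry, caps half-open connections per protected server, and records every decision in a syslog-like line. The addresses, the two exposed services and the backlog limit of 3 are constructed values.

```python
"""Stateful packet filter (constructed example): tracks the TCP three-way
handshake per connection and caps half-open connections per server."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN"}


# Constructed policy: the (address, port) services the protected network exposes.
ALLOWED_SERVICES = {("10.0.0.5", 80), ("10.0.0.5", 443)}
HALF_OPEN_LIMIT = 3  # constructed backlog size per protected server


class StatefulFirewall:
    def __init__(self, allowed=ALLOWED_SERVICES, half_open_limit=HALF_OPEN_LIMIT):
        self.allowed = set(allowed)
        self.half_open_limit = half_open_limit
        # State table: (client, server) -> "SYN_SEEN" | "SYNACK_SEEN" | "ESTABLISHED"
        self.state = {}
        self.log = []  # one syslog-style record per decision (section 2.5.6)

    def _record(self, verdict, reason, p):
        self.log.append(f"fw: {verdict} {p.src}:{p.sport}->{p.dst}:{p.dport} "
                        f"flags={','.join(sorted(p.flags))} reason={reason}")
        return verdict

    def half_open(self, server_ip):
        """Connections to server_ip whose handshake has not completed."""
        return sum(1 for (_, s), st in self.state.items()
                   if s[0] == server_ip and st != "ESTABLISHED")

    def process(self, p):
        a, b = (p.src, p.sport), (p.dst, p.dport)  # sender, receiver
        if "SYN" in p.flags and "ACK" not in p.flags:
            # Step 1: a client opens a connection; the key is (client, server).
            if b not in self.allowed:
                return self._record("DROP", "policy", p)
            if self.half_open(p.dst) >= self.half_open_limit:
                return self._record("DROP", "syn-backlog-full", p)
            self.state[(a, b)] = "SYN_SEEN"
            return self._record("ACCEPT", "handshake-step1", p)
        if "SYN" in p.flags:
            # Step 2: SYN/ACK travels server->client, so the key is (b, a).
            if self.state.get((b, a)) == "SYN_SEEN":
                self.state[(b, a)] = "SYNACK_SEEN"
                return self._record("ACCEPT", "handshake-step2", p)
            return self._record("DROP", "no-state", p)
        # Everything else must match an existing entry in either direction.
        key = (a, b) if (a, b) in self.state else (b, a)
        st = self.state.get(key)
        if st is None:
            return self._record("DROP", "no-state", p)
        if "FIN" in p.flags:
            if st == "ESTABLISHED":
                del self.state[key]
                return self._record("ACCEPT", "close", p)
            return self._record("DROP", "fin-before-established", p)
        if st == "SYNACK_SEEN" and key == (a, b):
            # Step 3: the client's ACK completes the handshake.
            self.state[key] = "ESTABLISHED"
            return self._record("ACCEPT", "handshake-step3", p)
        if st == "ESTABLISHED":
            return self._record("ACCEPT", "established", p)
        return self._record("DROP", "out-of-order", p)


def run_handshake(fw, client_ip="203.0.113.7", sport=40000):
    """Complete handshake from a constructed client to the web server."""
    syn = Packet(client_ip, sport, "10.0.0.5", 80, frozenset({"SYN"}))
    synack = Packet("10.0.0.5", 80, client_ip, sport, frozenset({"SYN", "ACK"}))
    ack = Packet(client_ip, sport, "10.0.0.5", 80, frozenset({"ACK"}))
    return [fw.process(syn), fw.process(synack), fw.process(ack)]


def simulate_syn_flood(fw, n=5):
    """n constructed SYNs that never complete; the backlog cap drops the excess."""
    verdicts = []
    for i in range(n):
        syn = Packet(f"198.51.100.{i + 1}", 50000 + i, "10.0.0.5", 443, frozenset({"SYN"}))
        verdicts.append(fw.process(syn))
    return verdicts


if __name__ == "__main__":
    fw = StatefulFirewall()
    run_handshake(fw)
    simulate_syn_flood(fw)
    print("\n".join(fw.log))
```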
Implementation of certificates and public keys requires proper configuration of the hosts (protected network and the source host) and the firewall with certificates, and making sure that the protected network and the source host use a properly configured public key infrastructure. This security method is best for big network designs (Noonan and Dobrawsky 2006). Another good way of dealing with authentication issues with firewalls is by using pre-shared keys (PSKs). The implementation of PSKs is easy compared to certificates and public keys; although authentication still occurs without the source host's intervention, it makes use of an additional feature, which is providing the host with a predetermined key that is used for the verification procedure (Noonan and Dobrawsky 2006).

2.5.5 ACT AS AN INTERMEDIARY

When firewalls are configured to serve as an intermediary between a protected host and an external host, they simply function as an application proxy. The firewalls in this setup are configured to impersonate the protected host such that all packets destined for the protected host from the external host are delivered to the firewall, which appears to the external host as the protected host. Once the firewall receives the packets, it inspects them to determine whether each packet is valid (e.g. a genuine HTTP packet) or not before forwarding it to the protected host. This firewall design totally blocks direct communication between the hosts.

2.5.6 RECORD AND REPORT EVENTS

While it is good practice to put strong security policies in place to secure a network, it is equally important to record firewall events. Using firewalls to record and report events is a technique that can help to investigate what kind of attack took place in situations where the firewall is unable to stop malicious packets that violate the access control policy of the protected network.
Recording these events gives the network administrator a clear understanding of the attack and at the same time allows the recorded events to be used to troubleshoot the problem that has taken place. To record these events, network administrators make use of different methods, but syslog or proprietary logging formats are mostly used for firewalls. However, some malicious events need to be reported quickly so that immediate action can be taken before serious damage is done to the protected network. Therefore firewalls also need an alarm mechanism, in addition to the syslog or proprietary logging format, for whenever the access control policy of the protected network is violated. Some types of alarm supported by firewalls include console notification, Simple Network Management Protocol (SNMP) notification, paging notification, e-mail notification etc (Noonan and Dobrawsky 2006). Console notification is a warning message that is presented on the firewall console. The problem with this method of alarm is that the console needs to be monitored by the network administrator at all times so that necessary action can be taken when an alarm is generated. Simple Network Management Protocol (SNMP) notification is implemented to create traps which are transferred to the network management system (NMS) monitoring the firewall. Paging notification is set up on the firewall to deliver a page to the network administrator whenever the firewall encounters an event. The message could be alphanumeric or numeric depending on how the firewall is set up. E-mail notification is similar to paging notification, but in this case the firewall sends an e-mail to the proper address instead.

2.6 TYPES OF FIREWALLS

Going by the firewall definition, firewalls are expected to perform some key functions like application proxy, network address translation and packet filtering.

2.6.1 APPLICATION PROXY

This is also known as an application gateway, and it acts as a connection agent between the protected network and the external network.
Basically, the application proxy is a host on the protected network that is set up as a proxy server. Just as the name implies, the application proxy functions at the application layer of the Open Systems Interconnection (OSI) model and makes sure that all application requests from the secured network are communicated to the external network through the proxy server, and no packets pass from the external network to the secured network until the proxy checks and confirms the inbound packets. This firewall supports different types of protocols such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP) and Simple Mail Transfer Protocol (SMTP) (Noonan and Dobrawsky 2006; NetContinuum 2006).

2.6.2 NETWORK ADDRESS TRANSLATION (NAT)

NAT alters the IP addresses in hosts' packets by hiding the genuine IP addresses of the secured network hosts and dynamically replacing them with different IP addresses (Cisco System 2008; Walberg 2007). When request packets are sent from the secured host through the gateway to an external host, the source host address is modified to a different IP address by NAT. When the reply packets arrive at the gateway, NAT then replaces the modified address with the genuine host address before forwarding it to the host (Walberg 2007). The role played by NAT in a secured network system makes it difficult for an unauthorised party to know:

The number of hosts available in the protected network
The topology of the network
The operating systems the hosts are running
The type of host machine (Cisco System 2008).

2.6.3 PACKET FILTERING

"Firewalls and IPSec gateways have become major components in the current high speed Internet infrastructure to filter out undesired traffic and protect the integrity and confidentiality of critical traffic" (Hamed and Al-Shaer 2006). Packet filtering is based on the laid down security rules defined for a network or system.
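An added example (not from the cited sources) of the address rewriting described in 2.6.2: a minimal NAT translation table in Python that maps each private (host, port, destination) flow to a port on a single constructed public address, and translates a reply only when it matches an existing entry, so an unsolicited inbound packet is dropped and reveals nothing about the hosts behind the gateway. All addresses and the port range are constructed; the check that a reply comes from the external endpoint the flow was opened to is a deliberate choice for this example.

```python
"""NAT gateway (constructed example): rewrites the source of outbound packets
to one public address and maps replies back to the private host."""

PUBLIC_IP = "198.51.100.1"  # constructed public address of the gateway


class NatGateway:
    def __init__(self, public_ip=PUBLIC_IP, first_port=20000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private_ip, private_port, ext_ip, ext_port) -> public port
        self.outbound = {}
        # public port -> (private_ip, private_port, ext_ip, ext_port)
        self.inbound = {}

    def translate_out(self, pkt):
        """Rewrite an outbound packet; allocate a public port for a new flow."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return {"src": self.public_ip, "sport": self.outbound[key],
                "dst": pkt["dst"], "dport": pkt["dport"]}

    def translate_in(self, pkt):
        """Map a reply back to the private host, or None (drop) if no flow matches."""
        entry = self.inbound.get(pkt["dport"])
        if entry is None or pkt["src"] != entry[2] or pkt["sport"] != entry[3]:
            return None  # unsolicited or mismatched: internal hosts stay invisible
        private_ip, private_port, _, _ = entry
        return {"src": pkt["src"], "sport": pkt["sport"],
                "dst": private_ip, "dport": private_port}


def external_view(nat, packets):
    """Source addresses an outside observer sees for the given outbound packets."""
    return {nat.translate_out(p)["src"] for p in packets}


# Constructed outbound traffic from two private hosts to the same web server.
SAMPLE_OUTBOUND = [
    {"src": "192.168.1.10", "sport": 51000, "dst": "203.0.113.20", "dport": 80},
    {"src": "192.168.1.11", "sport": 51000, "dst": "203.0.113.20", "dport": 80},
]

if __name__ == "__main__":
    nat = NatGateway()
    for p in SAMPLE_OUTBOUND:
        print("out:", nat.translate_out(p))
    print("reply:", nat.translate_in({"src": "203.0.113.20", "sport": 80,
                                      "dst": PUBLIC_IP, "dport": 20001}))
    print("unsolicited:", nat.translate_in({"src": "203.0.113.99", "sport": 4444,
                                            "dst": PUBLIC_IP, "dport": 22}))
```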
Filtering traffic over the network is a big task that involves comprehensive understanding of the network on which it will be set up. This defined policy must always be updated in order to handle possible network attacks (Hamed and Al-Shaer 2006).

2.6.4 INTRUSION DETECTION SYSTEMS

Network penetration attacks are now on the increase as valuable information is being stolen or damaged by attackers. Many security products have been developed to combat these attacks. Two such products are Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS). IDS are software designed to purposely monitor and analyse all the activities (network traffic) on the network for any suspicious threats that may violate the defined network security policies (Scarfone and Mell 2007; Vignam et al 2003). There are a variety of methods IDS use to detect threats on the network; two of them are anomaly based IDS and signature based IDS.

2.6.4.1 ANOMALY BASED IDS

An anomaly based IDS is set up to monitor and compare network events against what is defined to be normal network activity, represented by a profile, in order to detect any deviation from the defined normal events. Some of the events compared are the amount of bandwidth used, the type of protocols etc, and once the IDS identifies a deviation in any of these events it notifies the network administrator, who then takes the necessary action to stop the intended attack (Scarfone and Mell 2007).

2.6.4.2 SIGNATURE BASED IDS

A signature based IDS is designed to monitor and compare packets on the network against a signature database of known malicious attacks or threats. This type of IDS is efficient at identifying already known threats but ineffective at identifying new threats which are not currently defined in the signature database, therefore giving way to network attacks (Scarfone and Mell 2007).

2.6.5 INTRUSION PREVENTION SYSTEMS (IPS)
IPS are proactive security products, which can be software or hardware, used to identify malicious packets and also to prevent such packets from gaining entry into the network (Ierace et al 2005; Botwicz et al 2006). An IPS is another form of firewall which is basically designed to detect irregularities in regular network traffic and likewise to stop possible network attacks such as denial of service attacks. They are capable of dropping malicious packets and disconnecting any connection suspected to be illegal before such traffic gets to the protected host. Just like a typical firewall, an IPS makes use of rules defined in the system setup to determine the action to take on any traffic, which could be to allow or block the traffic. An IPS makes use of stateful packet analysis to protect the network. Similarly, an IPS is capable of performing signature matching, application protocol validation etc as a means of detecting attacks on the network (Ierace et al 2005). As good as IPS are, they also have their downsides. One of them is the problem of false positives and false negatives. A false positive is a situation where legitimate traffic is identified as malicious, resulting in the IPS blocking such traffic on the network. A false negative, on the other hand, is when malicious traffic is identified by the IPS as legitimate traffic, thereby allowing such traffic to pass through the IPS to the protected network (Ierace et al 2005).

2.7 SOFTWARE AND HARDWARE FIREWALLS

2.7.1 SOFTWARE FIREWALLS

Software-based firewalls are computers with software installed for filtering packets (Permpootanalarp and Rujimethabhas 2001). These are programs set up on the operating system of either personal computers or network servers (web servers and e-mail servers). Once the software is installed and proper security policies are defined, the systems (personal computers or servers) assume the role of a firewall.
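To make the contrast between signature and anomaly based detection (2.6.4) and the false positive/false negative problem (2.6.5) concrete, the following added Python (constructed for this page, not from the cited works) runs both detectors over a handful of constructed flow records with known ground truth and tallies true/false positives and negatives for each. The signature database, the baseline profile built from the normal flows, and the 3-standard-deviation size threshold are all assumptions of the example.

```python
"""Signature and anomaly based detection over constructed flow records, scored
the way an IDS/IPS operator tracks false positives and false negatives."""
import re
from statistics import mean, pstdev

# Constructed signature database: name -> pattern matched against the payload.
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./\.\./"),
    "known-scanner": re.compile(r"BadScanner/1\.0"),
}

# Constructed flow records: (protocol, bytes, payload snippet, malicious?).
# The last field is ground truth used only to score the detectors.
BASELINE = [  # ordinary traffic from which the anomaly profile is learned
    ("tcp", 1200, "GET /index.html", False),
    ("tcp", 900, "GET /about.html", False),
    ("tcp", 1500, "POST /login", False),
    ("udp", 300, "dns query example.com", False),
    ("tcp", 1100, "GET /news", False),
    ("udp", 250, "dns query example.org", False),
]
TEST_TRAFFIC = [
    ("tcp", 1000, "GET /../../secret.cfg", True),          # matches a signature
    ("tcp", 800, "User-Agent: BadScanner/1.0", True),       # matches a signature
    ("tcp", 95000, "POST /upload unknown-payload", True),   # no signature, odd size
    ("icmp", 64, "echo request", True),                     # protocol not in profile
    ("tcp", 60000, "PUT /backup/nightly.tar", False),       # legitimate but large
    ("tcp", 1300, "GET /contact", False),
]


def signature_detect(record):
    """Names of signatures found in the payload (empty list = not flagged)."""
    payload = record[2]
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]


def build_profile(flows):
    """Normal-activity profile: protocols seen plus mean and deviation of flow size."""
    sizes = [nbytes for _, nbytes, _, _ in flows]
    return {"protocols": {proto for proto, *_ in flows},
            "mean": mean(sizes), "sd": pstdev(sizes)}


def anomaly_detect(record, profile, k=3.0):
    """Reasons the flow deviates from the profile (empty list = not flagged)."""
    proto, nbytes, _, _ = record
    reasons = []
    if proto not in profile["protocols"]:
        reasons.append("unknown-protocol")
    if nbytes > profile["mean"] + k * profile["sd"]:
        reasons.append("size-outlier")
    return reasons


def combined_detect(record, profile):
    """What an IPS running both methods would flag."""
    return signature_detect(record) + anomaly_detect(record, profile)


def score(detector, flows):
    """Tally tp/fp/fn/tn for a detector against flows with ground truth."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for rec in flows:
        flagged, truth = bool(detector(rec)), rec[3]
        if flagged and truth:
            counts["tp"] += 1
        elif flagged:
            counts["fp"] += 1   # legitimate traffic blocked (false positive)
        elif truth:
            counts["fn"] += 1   # malicious traffic let through (false negative)
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    print("signature:", score(signature_detect, TEST_TRAFFIC))
    print("anomaly:  ", score(lambda r: anomaly_detect(r, profile), TEST_TRAFFIC))
    print("combined: ", score(lambda r: combined_detect(r, profile), TEST_TRAFFIC))
```

The signature detector misses the two flows it has no pattern for, while the anomaly detector catches those but blocks the legitimate large backup; combining them removes the false negatives at the cost of keeping that false positive.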
Software firewalls are the second line of defence after hardware firewalls in situations where both are used for network security. Software firewalls can also be installed on different operating systems such as Windows operating systems, Mac operating system, Novell NetWare, Linux kernel and UNIX kernel etc. The function of these firewalls is filtering distorted network traffic. There are several software firewalls, some of which include Online Armor Firewall, McAfee Personal Firewall, ZoneAlarm, Norton Personal Firewall, BlackICE Defender, Sygate Personal Firewall, Panda Firewall, DoorStop X Firewall etc (Lugo and Parker 2005). When designing a software firewall two key things are considered. These are per-packet filtering and per-process filtering. The per-packet filter is designed to search for distorted packets, detect port scans and check whether packets are accepted into the protocol stack. In the same vein, the per-process filter is designed to check whether a process is allowed to begin a connection to the secured network or not (Lugo and Parker 2005). It should be noted that there are different implementations of firewalls. While some are built into the operating system, others are add-ons. Examples of built-in firewalls are Windows based and Linux based firewalls.

2.7.2 WINDOWS OPERATING SYSTEM BASED FIREWALL

In operating system design, security features are one important aspect that is greatly considered. This is a challenge the software giant (Microsoft) has always made sure they implement in their products. In the software industry, Mi