Learning Objectives

Upon completion of this material, you should be able to: Explain the role of physical design in the implementation of a comprehensive security program
Describe firewall technology and the various approaches to firewall implementation

Identify the various approaches to remote and dial-up access protectionthat is, how these connection methods can be controlled to assure confidentiality of information, and the authentication and authorization of users Explain content filtering technology Describe the technology that enables the use of virtual private networks
2

Introduction
Technical controls are essential in enforcing policy for many IT functions that do not involve direct human control Technical control solutions improve an organizations ability to balance making information readily available against increasing informations levels of confidentiality and integrity

Physical Design
The physical design process:
Selects technologies to support information security blueprint Identifies complete technical solutions based on these technologies, including deployment, operations, and maintenance elements, to improve security of environment

Designs physical security measures to support technical solution Prepares project plans for implementation phase that follows
4

Firewalls
Prevent specific types of information from moving between the outside world (untrusted network) and the inside world (trusted network) May be separate computer system; a software service running on existing router or server; or a separate network containing supporting devices

Processing Modes of Firewalls

Five processing modes that firewalls can be categorized by are:
Packet filtering Application gateways

Circuit gateways MAC layer firewalls Hybrids

Packet Filtering
Packet filtering firewalls examine header information of data packets
Most often based on combination of:
Internet Protocol (IP) source and destination address Direction (inbound or outbound) Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests

Simple firewall models enforce rules designed to prohibit packets with certain addresses or partial addresses

Packet Filtering (continued)

Three subsets of packet filtering firewalls:
Static filtering: requires that filtering rules governing how the firewall decides which packets are allowed and which are denied are developed and installed Dynamic filtering: allows firewall to react to emergent event and update or create rules to deal with event
Stateful inspection: firewalls that keep track of each network connection between internal and external systems using a state table
8

10

Application Gateways
Frequently installed on a dedicated computer; also known as a proxy server
Since proxy server is often placed in unsecured area of the network (e.g., DMZ), it is exposed to higher levels of risk from less trusted networks

Additional filtering routers can be implemented behind the proxy server, further protecting internal systems

11

Circuit Gateways
Circuit gateway firewall operates at transport layer Like filtering firewalls, do not usually look at data traffic flowing between two networks, but prevent direct connections between one network and another Accomplished by creating tunnels connecting specific processes or systems on each side of the firewall, and allow only authorized traffic in the tunnels

12

MAC Layer Firewalls

Designed to operate at the media access control layer of OSI network model
Able to consider specific host computers identity in its filtering decisions

MAC addresses of specific host computers are linked to access control list (ACL) entries that identify specific types of packets that can be sent to each host; all other traffic is blocked

13

14

Hybrid Firewalls
Combine elements of other types of firewalls; i.e., elements of packet filtering and proxy services, or of packet filtering and circuit gateways Alternately, may consist of two separate firewall devices; each a separate firewall system, but connected to work in tandem

15

Firewalls Categorized by Generation

First generation: static packet filtering firewalls Second generation: application-level firewalls or proxy servers
Third generation: stateful inspection firewalls Fourth generation: dynamic packet filtering firewalls; allow only packets with particular source, destination, and port addresses to enter Fifth generation: kernel proxies; specialized form working under kernel of Windows NT
16

Firewalls Categorized by Structure

Most firewalls are appliances: stand-alone, self-contained systems
Commercial-grade firewall system consists of firewall application software running on general-purpose computer

Small office/home office (SOHO) or residential-grade firewalls, aka broadband gateways or DSL/cable modem routers, connect users local area network or a specific computer system to Internetworking device
Residential-grade firewall software is installed directly on the users system
17

18

Software vs. Hardware: the SOHO Firewall Debate

Which firewall type should the residential user implement?
Where would you rather defend against a hacker? With the software option, hacker is inside your computer With the hardware device, even if hacker manages to crash firewall system, computer and information are still safely behind the now disabled connection

19

Firewall Architectures
Firewall devices can be configured in a number of network connection architectures

Configuration that works best depends on three factors:

Objectives of the network
Organizations ability to develop and implement architectures Budget available for function

Four common architectural implementations of firewalls: packet filtering routers, screened host firewalls, dual-homed firewalls, screened subnet firewalls

20

Packet Filtering Routers

Most organizations with Internet connection have a router serving as interface to Internet
Many of these routers can be configured to reject packets that organization does not allow into network Drawbacks include a lack of auditing and strong authentication

21

22

Screened Host Firewalls

Combines packet filtering router with separate, dedicated firewall such as an application proxy server
Allows router to prescreen packets to minimize traffic/load on internal proxy

Separate host is often referred to as bastion host; can be rich target for external attacks and should be very thoroughly secured

23

24

Dual-Homed Host Firewalls

Bastion host contains two network interface cards (NICs): one connected to external network, one connected to internal network Implementation of this architecture often makes use of network address translation (NAT), creating another barrier to intrusion from external attackers

25

26

Screened Subnet Firewalls (with DMZ)

Dominant architecture used today is the screened subnet firewall Commonly consists of two or more internal bastion hosts behind packet filtering router, with each host protecting trusted network:
Connections from outside (untrusted network) routed through external filtering router Connections from outside (untrusted network) are routed into and out of routing firewall to separate network segment known as DMZ Connections into trusted internal network allowed only from DMZ bastion host servers
27

Screened Subnet Firewalls (with DMZ) (continued)

Screened subnet performs two functions:
Protects DMZ systems and information from outside threats
Protects the internal networks by limiting how external connections can gain access to internal systems

Another facet of DMZs: extranets

28

29

Selecting the Right Firewall

When selecting firewall, consider a number of factors:
What firewall offers right balance between protection and cost for needs of organization?
Which features are included in base price and which are not?

Ease of setup and configuration? How accessible are staff technicians who can configure the firewall?
Can firewall adapt to organizations growing network?

Second most important issue is cost

30

Configuring and Managing Firewalls

Each firewall device must have own set of configuration rules regulating its actions
Firewall policy configuration is usually complex and difficult Configuring firewall policies is both an art and a science

When security rules conflict with the performance of business, security often loses
31

Best Practices for Firewalls

All traffic from trusted network is allowed out Firewall device never directly accessed from public network Simple Mail Transport Protocol (SMTP) data allowed to pass through firewall
Internet Control Message Protocol (ICMP) data denied

Telnet access to internal servers should be blocked When Web services offered outside firewall, HTTP traffic should be denied from reaching internal networks
32

Firewall Rules
Operate by examining data packets and performing comparison with predetermined logical rules
Logic based on set of guidelines most commonly referred to as firewall rules, rule base, or firewall logic Most firewalls use packet header information to determine whether specific packet should be allowed or denied

33

34

35

Content Filters
Software filternot a firewallthat allows administrators to restrict content access from within network
Essentially a set of scripts or programs restricting user access to certain networking protocols/Internet locations Primary focus to restrict internal access to external material

Most common content filters restrict users from accessing non-business Web sites or deny incoming span
36

Protecting Remote Connections

Installing Internetwork connections requires leased lines or other data channels; these connections are usually secured under requirements of formal service agreement When individuals seek to connect to organizations network, more flexible option must be provided Options such as virtual private networks (VPNs) have become more popular due to spread of Internet

37

Remote Access
Unsecured, dial-up connection points represent a substantial exposure to attack
Attacker can use device called a war dialer to locate connection points

War dialer: automatic phone-dialing program that dials every number in a configured range and records number if modem picks up Some technologies (RADIUS systems; TACACS; CHAP password systems) have improved authentication process
38

RADIUS, TACACS, and Diameter

Systems that authenticate user credentials for those trying to access an organizations network via dial-up Remote Authentication Dial-In User Service (RADIUS): centralizes management of user authentication system in a central RADIUS server
Diameter: emerging alternative derived from RADIUS

Terminal Access Controller Access Control System (TACACS): validates users credentials at centralized server (like RADIUS); based on client/server configuration
39

Principles of Information Security, 3rd Edition

40

Securing Authentication with Kerberos

Provides secure third-party authentication Uses symmetric key encryption to validate individual user to various network resources
Keeps database containing private keys of clients/servers Consists of three interacting services:
Authentication server (AS)

Key Distribution Center (KDC) Kerberos ticket granting service (TGS)

41

42

43

Sesame
Secure European System for Applications in a Multivendor Environment (SESAME); similar to Kerberos in that user is first authenticated to authentication server and receives token
Token then presented to privilege attribute server (instead of ticket granting service as in Kerberos) as proof of identity to gain privilege attribute certificate (PAC) Uses public key encryption; adds additional and more sophisticated access control features; more scalable encryption systems; improved manageability; auditing features; delegation of responsibility for allowing access
44

Virtual Private Networks (VPNs)

Private and secure network connection between systems; uses data communication capability of unsecured and public network Securely extends organizations internal network connections to remote locations beyond trusted network Three VPN technologies defined:
Trusted VPN Secure VPN

Hybrid VPN (combines trusted and secure)

45

Virtual Private Networks (VPNs) (continued)

VPN must accomplish:
Encapsulation of incoming and outgoing data Encryption of incoming and outgoing data
Authentication of remote computer and (perhaps) remote user as well

46

Transport Mode

Data within IP packet is encrypted, but header information is not

Allows user to establish secure link directly with remote host, encrypting only data contents of packet

Two popular uses:

End-to-end transport of encrypted data Remote access worker connects to office network over Internet by connecting to a VPN server on the perimeter

47

48

Tunnel Mode
Organization establishes two perimeter tunnel servers These servers act as encryption points, encrypting all traffic that will traverse unsecured network Primary benefit to this model is that an intercepted packet reveals nothing about true destination system Example of tunnel mode VPN: Microsofts Internet Security and Acceleration (ISA) Server
49

50

51

Summary
Firewall technology Various approaches to remote and dial-up access protection Content filtering technology
Virtual private networks

52