3 Lec

CC5052 Week 8

Protection Mechanisms
Learning Objectives
• Access control approaches, including authentication, authorization, and
biometric access controls.
• Firewalls and the common approaches to firewall implementation.
• Intrusion detection systems and the two strategies on which they are based.
• Current issues in dial-up access and protection.

Sphere of Security

Introduction
Focus: Protection Mechanisms
• Technical controls can be an important part of an information security
program. However, they must also be combined with sound policy and
education, training, and awareness efforts.

• Some of the most powerful and widely used technical security
mechanisms include:
• Access controls
• Firewalls
• Intrusion detection systems
• Anti-Malware
• Scanning and analysis tools
• Encryption
Access Control
• Access control encompasses two processes:
• Authentication: Confirming the identity of the entity accessing a logical or
physical area
• Authorization: Determining which actions that entity can perform in that
physical or logical area

• A successful access control approach, whether intended to control
physical access or logical access, always consists of both
authentication and authorization.
Authentication Mechanisms
• Types of authentication mechanism
• Something you know
• Something you have
• Something you are
• Something you produce

• Strong authentication uses at least two different authentication
mechanism types.
Something You Know
• This type verifies the user’s identity by means of a password,
passphrase, or other unique code
• A password is a private word or combination of characters that only
the user should know.
• A passphrase is a plain-language phrase, typically longer than a
password, from which a virtual password is derived.
• A good rule of thumb is to require that passwords be at least eight
characters long and contain at least one number and one special
character.
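The two ideas on these slides, a minimum password rule and strong authentication built from two different mechanism types, fit together in one small login routine. The code below is an added example, not part of the lecture slides: it checks the eight-character/digit/special-character rule of thumb, stores only a salted PBKDF2 digest of the password (something you know), and requires an RFC 6238 time-based one-time code from a token (something you have) before access is granted. The `enroll`/`authenticate` functions, the record layout and the 200,000-iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import struct
from typing import Optional, Tuple

# Rule of thumb from the slide: at least eight characters, one digit and one special character.
SPECIAL_CHARACTERS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|~`'\"")
PBKDF2_ITERATIONS = 200_000   # assumed work factor for this example
TOTP_STEP_SECONDS = 30


def password_meets_policy(password: str) -> bool:
    """Check the slide's minimum password rule (length, digit, special character)."""
    return (len(password) >= 8
            and any(ch.isdigit() for ch in password)
            and any(ch in SPECIAL_CHARACTERS for ch in password))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest so the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time (no early exit on mismatch)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def totp(secret: bytes, timestamp: int, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code: HOTP (RFC 4226) over the current 30-second step."""
    counter = struct.pack(">Q", timestamp // TOTP_STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate token clock drift."""
    return any(hmac.compare_digest(totp(secret, timestamp + k * TOTP_STEP_SECONDS).encode(),
                                   code.encode())
               for k in range(-window, window + 1))


def enroll(password: str) -> dict:
    """Create a user record: hashed password plus a fresh TOTP seed for the possession factor."""
    if not password_meets_policy(password):
        raise ValueError("password does not meet the minimum policy")
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest, "totp_secret": secrets.token_bytes(20)}


def authenticate(record: dict, password: str, code: str, timestamp: int) -> bool:
    """Strong authentication: the knowledge factor AND the possession factor must both pass."""
    password_ok = verify_password(password, record["salt"], record["digest"])
    code_ok = verify_totp(record["totp_secret"], code, timestamp)
    return password_ok and code_ok
```

`verify_password` is deliberately run even when the one-time code is wrong, so response time does not reveal which factor failed. The TOTP routine reproduces the RFC 6238 reference vectors (secret `12345678901234567890`, time 59 gives `287082`), which is a quick way to check any implementation of it.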

Something You Have
• This type makes use of something (a card, key, or token) that
the user or the system possesses
• One example is a dumb card (such as an ATM card) with magnetic
stripes.
• Another example is the smart card containing a processor.
• Another device often used is the cryptographic token, a processor in
a card that has a display.

Something You Are
• This type takes advantage of something inherent in the user that
is evaluated using biometrics.
• Most of the technologies that scan human characteristics convert
these images to obtain some form of minutiae—unique points of
reference that are digitized and stored in an encrypted format.

Something You Produce
• This type of authentication makes use of something the user
performs or produces.
• It includes technology related to signature recognition and voice
recognition.

Recognition Characteristics

Evaluating Biometrics
Biometric technologies are generally evaluated according to three
basic criteria:
• The False Reject Rate (FRR): The percentage of authorized users
who are denied access (Type I Error) – not a threat to security
• The False Accept Rate (FAR): The percentage of unauthorized users
who are allowed access (Type II Error) – serious breach of security
• The Crossover Error Rate (CER): The point at which the number of
false rejections equals the false acceptances – optimal outcome
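FRR, FAR and CER are easiest to understand as functions of the matcher's decision threshold. The block below is an added example, not from the slides: it uses constructed similarity scores for genuine users and impostors, computes both error rates at every threshold, locates the crossover, and also shows the security-first alternative of picking the lowest threshold whose FAR stays under a target. The score lists and the 0..100 scale are assumptions for the example.

```python
from typing import Iterable, List, Tuple

# Constructed matcher scores on a 0..100 similarity scale (higher = more like the enrolled template).
# Genuine: authorised users matched against their own template. Impostor: other people's attempts.
GENUINE_SCORES = [88, 91, 75, 82, 95, 79, 86, 90, 70, 84, 93, 77, 89, 81, 87, 92, 73, 85, 94, 80]
IMPOSTOR_SCORES = [42, 55, 61, 38, 70, 49, 66, 58, 45, 73, 52, 60, 47, 64, 40, 68, 51, 57, 44, 62]


def false_reject_rate(genuine: Iterable[int], threshold: int) -> float:
    """Type I error: fraction of authorised users whose score falls below the decision threshold."""
    genuine = list(genuine)
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor: Iterable[int], threshold: int) -> float:
    """Type II error: fraction of unauthorised attempts whose score reaches the decision threshold."""
    impostor = list(impostor)
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine, impostor, thresholds=range(0, 101)) -> List[Tuple[int, float, float]]:
    """(threshold, FRR, FAR) for every candidate threshold: FRR rises and FAR falls as it is raised."""
    return [(t, false_reject_rate(genuine, t), false_accept_rate(impostor, t)) for t in thresholds]


def crossover_error_rate(genuine, impostor) -> Tuple[int, float]:
    """Threshold at which FRR and FAR are closest, and the error rate there (the CER)."""
    t, frr, far = min(error_curve(genuine, impostor), key=lambda row: abs(row[1] - row[2]))
    return t, (frr + far) / 2


def threshold_for_max_far(genuine, impostor, max_far: float) -> Tuple[int, float, float]:
    """Lowest threshold whose FAR does not exceed max_far: the security-first way to tune a
    sensor, paid for with a higher FRR (more legitimate users turned away)."""
    for t, frr, far in error_curve(genuine, impostor):
        if far <= max_far:
            return t, frr, far
    raise ValueError("no threshold meets the FAR target")


if __name__ == "__main__":
    for t, frr, far in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, range(60, 86, 5)):
        print(f"threshold {t:3d}: FRR {frr:.2f}  FAR {far:.2f}")
    print("CER at threshold %d = %.2f" % crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

With these scores the two error curves cross near a threshold of 71 with a CER of 5%; demanding a FAR of zero pushes the threshold to 74 and doubles the FRR to 10%, which is the trade-off the slide's "serious breach" versus "not a threat" labels describe.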

Orders of Effectiveness and Acceptance

Managing Access Controls
• To properly manage access controls, an organization must have in
place a formal access control policy, which determines how
access rights are granted to entities and groups.

• This policy must include provisions for periodically reviewing all
access rights, granting access rights to new employees, changing
access rights when job roles change, and revoking access rights
as appropriate.
Authorization
In general, authorization can be handled by:
• Authorization for each authenticated user
The system performs an authentication process to verify the specific entity and
then grants access to resources for only that entity (complex and resource-
intensive).
• Authorization for members of a group
The system matches authenticated entities to a list of group memberships, and
then grants access to resources based on the group’s access rights (most
commonly used method).
• Authorization across multiple systems (‘single sign-on’)
A central authentication and authorization system verifies entity identity and
grants a set of credentials (also called authorization tickets) to the verified entity.

Firewalls
• In information security, a firewall is any device that prevents a specific type
of information from moving between two networks, often the outside,
known as the untrusted network (e.g., the Internet), and the inside, known
as the trusted network.

• The firewall may be a separate computer system, a service running on an
existing router or server, or a separate network containing a number of
supporting devices.
Firewall Architectures
• Four architectural implementations of firewalls are especially
common:
• Packet filtering routers
• Screened-host firewalls
• Dual-homed host firewalls
• Screened-subnet firewalls

Packet Filtering Firewall

Packet Filtering Routers
• Most organizations with an Internet connection use some form of router
between their internal networks and the external service provider.

• Many of these routers can be configured to block packets that the
organization does not allow into the network.
Screened-Host Firewall

Screened-Host Firewall Systems
• Screened-host firewall systems combine the packet filtering router with a
separate, dedicated firewall such as an application proxy server.
• The router is used to screen packets to minimize the network traffic and load on
the internal proxy.
• The application proxy examines an application layer protocol, such as HTTP, and
performs the proxy services.
• This separate and single host, which is often referred to as a bastion host,
represents a rich target for external attacks, and should be very thoroughly
secured.

Dual-Homed Host Firewall

Dual-Homed Host Firewalls
• In this configuration, the bastion host contains two network
interfaces: one that is connected to the external network, and
one that is connected to the internal network, requiring all traffic
to travel through the firewall to move between the internal and
external networks.
Screened Subnet (DMZ)

Screened-Subnet Firewalls
• The screened-subnet firewall consists of one or more internal bastion hosts
located behind a packet filtering router, with each host protecting the trusted
network. This makes the defenses harder to penetrate.

• One of the general models (in Figure 9-8) shows connections are routed as
follows:
• Connections from the outside or untrusted network are routed through an
external filtering router
• Connections from the outside or untrusted network are routed into—and then
out of—a routing firewall to the separate network segment known as the DMZ
• Connections into the trusted internal network are allowed only from the DMZ
bastion host servers

Firewall Best Practices
Some of the Best Practices for Firewall Use:
• All traffic from the trusted network is allowed out.
• The firewall device is never accessible directly from the public network.
• Simple Mail Transport Protocol (SMTP) data is allowed to pass through the firewall,
but should be routed to an SMTP gateway.
• All Internet Control Message Protocol (ICMP) data should be denied.
• Telnet (terminal emulation) access to all internal servers from the public networks
should be blocked.
• When Web services are offered outside the firewall, HTTP traffic should be handled
by some form of proxy access or DMZ architecture.
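The best practices above, together with the screened-subnet rule that only DMZ bastion hosts may open connections into the trusted network, can be written as an ordered packet-filter rule base. The code below is an added example, not from the slides or any firewall product: a first-match filter with an implicit default deny, evaluated against constructed packets. The address plan (a 10.0.0.0/8 trusted network, a 192.0.2.0/24 DMZ, and the gateway, proxy and firewall addresses) is assumed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple

# Constructed address plan (documentation ranges only).
TRUSTED_NET = ip_network("10.0.0.0/8")        # inside: the trusted network
DMZ_NET = ip_network("192.0.2.0/24")          # screened subnet holding the bastion hosts
FIREWALL_PUBLIC = ip_address("203.0.113.1")   # the firewall's own outside address
SMTP_GATEWAY = ip_address("192.0.2.25")       # mail gateway in the DMZ
WEB_PROXY = ip_address("192.0.2.80")          # HTTP proxy in the DMZ


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int = 0   # destination port; ignored for icmp


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    matches: Callable[[Packet], bool]


def _src(p: Packet):
    return ip_address(p.src)


def _dst(p: Packet):
    return ip_address(p.dst)


# First-match rule base encoding the slide's best practices; order matters.
RULES: List[Rule] = [
    Rule("deny all ICMP", "deny", lambda p: p.proto == "icmp"),
    Rule("firewall never reachable from the public network", "deny",
         lambda p: _dst(p) == FIREWALL_PUBLIC and _src(p) not in TRUSTED_NET),
    Rule("all traffic from the trusted network is allowed out", "allow",
         lambda p: _src(p) in TRUSTED_NET),
    Rule("block Telnet to internal servers from public networks", "deny",
         lambda p: p.proto == "tcp" and p.dport == 23 and _dst(p) in TRUSTED_NET),
    Rule("SMTP passes only to the SMTP gateway", "allow",
         lambda p: p.proto == "tcp" and p.dport == 25 and _dst(p) == SMTP_GATEWAY),
    Rule("HTTP/HTTPS handled by the DMZ proxy", "allow",
         lambda p: p.proto == "tcp" and p.dport in (80, 443) and _dst(p) == WEB_PROXY),
    Rule("only DMZ bastion hosts may connect into the trusted network", "allow",
         lambda p: _src(p) in DMZ_NET and _dst(p) in TRUSTED_NET),
]


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule, else the implicit default deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.name
    return "deny", "default deny"


if __name__ == "__main__":
    # Constructed sample packets: outside hosts use 198.51.100.0/24.
    samples = [
        Packet("198.51.100.7", "10.0.0.5", "icmp"),
        Packet("10.0.0.5", "198.51.100.7", "tcp", 443),
        Packet("198.51.100.7", "10.0.0.5", "tcp", 23),
        Packet("198.51.100.7", "192.0.2.25", "tcp", 25),
        Packet("198.51.100.7", "10.0.0.9", "tcp", 25),
        Packet("198.51.100.7", "203.0.113.1", "tcp", 22),
    ]
    for pkt in samples:
        print(pkt, "->", filter_packet(pkt))
```

Because the ICMP rule precedes the "trusted may go out" rule, even internal pings are dropped, which is exactly what the slide's blanket ICMP denial says; a site that wants outbound ping would reorder those two rules. The final default deny is what turns the list into a whitelist.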

Intrusion Detection Systems (IDSs)
• Information security intrusion detection systems (IDSs) work like burglar
alarms.

• With almost all IDSs, administrators can choose the alarm level.

• Many IDSs can be configured to notify administrators via e-mail and numerical
or text paging.

• Like firewall systems, IDSs require complex configurations to provide the level
of detection and response desired.

Intrusion Detection Systems (Cont.)
• Two system types:
• Network based to protect network information assets
• Host based to protect server or host information assets

• Two detection methods used:
• Signature based
• Statistical anomaly based
Intrusion Detection Systems (Cont.)

Host-Based IDS
• A host-based IDS works by configuring and classifying various
categories of systems and data files. Such systems:
• Monitor the access or altering of files on multiple systems
• Often provide only a few general levels of alert notification
• Unless the IDS is very precisely configured, mild actions can generate a
large volume of false alarms
• Easier to set up and administer than the network-based IDS due to the
more specific rules and restrictions that can be set.

Network-Based IDS
• Network-based IDSs monitor network traffic and, when a
predefined condition occurs, notify the appropriate
administrator. Such systems:
• Look for patterns of network traffic
• Must match known and unknown attack strategies against their
knowledge base to determine whether an attack has occurred
• Yield many more false-positive readings than host-based IDSs do,
because they are attempting to read the network activity pattern to
determine what is normal and what is not

Detection Methods: Signature-Based IDS
• A signature-based IDS or knowledge-based IDS examines data traffic for
something that matches the signatures, which comprise preconfigured,
predetermined attack patterns
• The problem with this approach is that the signatures must be continually
updated, as new attack strategies emerge
• A weakness of this method is the time frame over which attacks occur
• If attackers are slow and methodical, they may slip undetected through the
IDS, as their actions may not match a signature that includes factors based
on duration of the events

Detection Methods: Statistical Anomaly-Based IDS
• The statistical anomaly-based IDS (stat IDS) or behavior-based IDS
first collects data from normal traffic and establishes a baseline.
• It then periodically samples network activity, based on statistical
methods, and compares the samples to the baseline.
• When the activity falls outside the baseline parameters (known as
the clipping level), the IDS notifies the administrator.
• The advantage of this approach is that the system is able to detect
new types of attacks, because it looks for abnormal activity of any
type.
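The two detection methods on the previous slides behave very differently on the same input, and a small side-by-side makes the difference concrete. The block below is an added example, not from the slides or any IDS product. The signature half runs preconfigured patterns over constructed web-server log lines (URL-decoding them first, since the same attack can be written several ways); the anomaly half builds a baseline from constructed requests-per-minute counts, derives a clipping level of mean plus k standard deviations, and flags sampled windows that exceed it. The log lines, counts, pattern names and the default k of 3 are all assumptions for the example.

```python
import re
import statistics
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Signature-based detection: preconfigured, predetermined patterns of known bad requests.
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "script injection marker": re.compile(r"<script", re.IGNORECASE),
}

# Constructed web-server access-log lines (client, request line, status).
LOG_LINES = [
    '198.51.100.7 "GET /index.html HTTP/1.1" 200',
    '198.51.100.8 "GET /cgi-bin/../../etc/passwd HTTP/1.1" 404',
    '198.51.100.9 "GET /products?id=42 HTTP/1.1" 200',
    '198.51.100.10 "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200',
    '198.51.100.11 "GET /search?q=<script>alert(1)</script> HTTP/1.1" 200',
]


def signature_scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map log line index -> names of the signatures it matches, after URL-decoding the line."""
    hits: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        decoded = unquote(line)           # normalise so %2e%2e%2f and ../ are seen alike
        names = [name for name, pattern in SIGNATURES.items() if pattern.search(decoded)]
        if names:
            hits[i] = names
    return hits


# Statistical anomaly detection: requests per minute observed during normal operation (constructed).
BASELINE_REQUESTS_PER_MINUTE = [40, 42, 38, 45, 41, 39, 43, 44, 40, 38]


def build_baseline(samples: List[int]) -> Tuple[float, float]:
    """The baseline is summarised as (mean, sample standard deviation) of the normal-traffic counts."""
    return statistics.mean(samples), statistics.stdev(samples)


def clipping_level(baseline: Tuple[float, float], k: float = 3.0) -> float:
    """Activity above mean + k*stdev falls outside the baseline parameters and raises an alert."""
    mean, stdev = baseline
    return mean + k * stdev


def anomalous_windows(baseline: Tuple[float, float], samples: List[int], k: float = 3.0) -> List[Tuple[int, int]]:
    """(index, value) of each periodically sampled window that exceeds the clipping level."""
    level = clipping_level(baseline, k)
    return [(i, v) for i, v in enumerate(samples) if v > level]


if __name__ == "__main__":
    print("signature hits:", signature_scan(LOG_LINES))
    baseline = build_baseline(BASELINE_REQUESTS_PER_MINUTE)
    print("clipping level:", round(clipping_level(baseline), 2))
    print("anomalous windows:", anomalous_windows(baseline, [41, 44, 120, 39, 47, 60]))
```

Note what each half misses: the signature scanner has no opinion about the 120-request spike because no pattern describes it, and the anomaly detector never sees the traversal request because one extra request does not move the count. Lowering k (say to 2) catches the 47-request window as well, which illustrates the slide's point that the clipping level is a tuning decision between missed events and noise.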

Managing Intrusion Detection Systems
• IDSs must be configured using technical knowledge and adequate
business and security knowledge to differentiate between routine
circumstances and low, moderate, or severe threats.
• There must be response to an alert.
• A properly configured IDS can translate a security alert into different
types of notification.
• A poorly configured IDS may yield only noise.

RADIUS and TACACS
• RADIUS and TACACS are systems that authenticate the credentials of users who
are trying to access an organization’s network via a dial-up connection.

• Typical dial-up systems place the authentication of users on the system
connected to the modems.

• A Remote Authentication Dial-In User Service (RADIUS) system centralizes the
management of user authentication by placing the responsibility for
authenticating each user in the central RADIUS server.
RADIUS and TACACS
• When a Remote Access Server (RAS) receives a request for a network
connection from a dial-up client, it passes the request along with the user’s
credentials to the RADIUS server; RADIUS then validates the credentials

• The Terminal Access Controller Access Control System (TACACS) works
similarly and is based on a client/server configuration.
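The RAS-to-RADIUS exchange on these two slides can be shown end to end with both sides' messages. The block below is an added example, not from the slides or any RADIUS implementation: it builds an RFC 2865 Access-Request (User-Name plus the User-Password attribute hidden with the shared secret and a fresh Request Authenticator), lets a minimal server validate the credentials and answer with an Access-Accept or Access-Reject whose Response Authenticator is MD5 over the reply, the Request Authenticator and the secret, and has the RAS verify that reply before granting the connection. The shared secret, the user table (cleartext because PAP-style validation needs it) and the function names are assumptions for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3     # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                  # RFC 2865 attribute types
HEADER = struct.Struct("!BBH")                             # Code, Identifier, Length


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _attribute(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], _md5(secret, prev))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; trailing padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], _md5(secret, prev))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes, secret: bytes,
                         request_auth: Optional[bytes] = None) -> bytes:
    """RAS side: Access-Request carrying User-Name and the hidden User-Password."""
    request_auth = request_auth or os.urandom(16)      # fresh, unpredictable per request
    attrs = (_attribute(ATTR_USER_NAME, username)
             + _attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)))
    return HEADER.pack(ACCESS_REQUEST, identifier, HEADER.size + 16 + len(attrs)) + request_auth + attrs


def build_response(code: int, identifier: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = HEADER.pack(code, identifier, HEADER.size + 16 + len(attrs))
    return header + _md5(header, request_auth, attrs, secret) + attrs


def radius_server(packet: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Central RADIUS server: validate the credentials and answer Accept or Reject."""
    code, identifier, length = HEADER.unpack(packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return build_response(ACCESS_REJECT, identifier, request_auth, b"", secret)
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    expected = users.get(attrs[ATTR_USER_NAME])
    ok = expected is not None and hmac.compare_digest(password, expected)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, request_auth, b"", secret)


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """RAS side: the reply must echo the request Identifier and carry a valid Response Authenticator."""
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = _md5(header, request[4:20], attrs, secret)
    return response[1] == request[1] and hmac.compare_digest(expected, response_auth)


def authenticate_dial_up_user(identifier: int, username: bytes, password: bytes,
                              secret: bytes, users: Dict[bytes, bytes]) -> bool:
    """The exchange from the slide: RAS builds the request, server validates, RAS checks the reply."""
    request = build_access_request(identifier, username, password, secret)
    response = radius_server(request, secret, users)
    return verify_response(response, request, secret) and response[0] == ACCESS_ACCEPT
```

The Response Authenticator is what stops a host on the path from turning a Reject into an Accept: flipping the code byte changes the MD5 input, so the RAS's check fails. The RAS keeps the authentication decision off the modem-attached system, which is the centralisation the slide describes.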
Summary
• Access Controls
• Firewalls
• Intrusion Detection Systems

Any Questions?

Thank you