Transcript Document
Learning Objectives Upon completion of this material, you should be able to: Explain the role of physical design in the implementation of a comprehensive security program Describe firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up access protection—that is, how these connection methods can be controlled to assure confidentiality of information, and the authentication and authorization of users Explain content filtering technology Describe the technology that enables the use of virtual private networks Principles of Information Security, 3rd Edition 2 Introduction Information security is a discipline that relies on the synthesis of people, policy, education, training, awareness, procedures, and technology to improve the protection of an organization’s information assets. Technical solutions, properly implemented, can maintain the confidentiality, integrity, and availability of information in each of it’s three states( storage, transmission, and processing). Principles of Information Security, 3rd Edition 3 Physical Design The physical design process: Selects technologies to support information security blueprint Identifies complete technical solutions based on these technologies, including deployment, operations, and maintenance elements, to improve security of environment Designs physical security measures to support technical solution Prepares project plans for implementation phase that follows Principles of Information Security, 3rd Edition 4 Firewalls Prevent specific types of information from moving between the outside world (untrusted network) and the inside world (trusted network) May be separate computer system; a software service running on existing router or server; or a separate network containing supporting devices Principles of Information Security, 3rd Edition 5 Processing Modes of Firewalls There are five generally recognized generations of firewalls, which can be implemented in a wide variety of architectures. The following is a summary of the technical capabilities of each generation. Principles of Information Security, 3rd Edition 6 First Generation: Packet Filtering Firewalls Packet filtering firewalls examine header information of data packets. It scans network data packets looking for compliance with or violation of the rules of the firewall’s DB. It inspects packets at the network layer. If it finds a packet that matches a restriction it simply refuses to forward it. Principles of Information Security, 3rd Edition 7 First Generation: Packet Filtering Firewalls… Most often based on a combination of a following: Internet Protocol (IP) source and destination address Direction (inbound or outbound) Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests Simple firewall models enforce rules designed to prohibit packets with certain addresses or partial addresses. They accomplish this through ACLs (Access control Lists). Principles of Information Security, 3rd Edition 8 Principles of Information Security, 3rd Edition 9 Principles of Information Security, 3rd Edition 10 Principles of Information Security, 3rd Edition 11 Principles of Information Security, 3rd Edition 12 Second Generation: Application Firewall Frequently installed on a dedicated computer; also known as a proxy server Since proxy server is often placed in unsecured area of the network (e.g., DMZ (Data Management Zone)), it is exposed to higher levels of risk from less trusted networks Additional filtering routers can be implemented behind the proxy server, further protecting internal systems Principles of Information Security, 3rd Edition 13 Third Generation: Stateful inspection firewalls Keep track of each network connection established between internal and external systems using a state table. These tables track the state and context of each packet in the conversation, by recording which station sends the packet and when. Like first generation it performs packet filtering, but it takes it a step further. It can restrict incoming packets by denying access to packets that are responses to internal requests. If it receives an incoming packet that it cannot match in its state table, then it defaults to its ACL to determine whether to allow the packet to pass. Principles of Information Security, 3rd Edition 14 Third Generation: Stateful inspection firewalls… A minus: this can possible expose the system to DoS attack. A plus: these firewalls can track connectionless packet traffic such as UDP and remote procedure calls (RPC) traffic. Principles of Information Security, 3rd Edition 15 Fourth Generation: Dynamic packet filtering firewalls While static filtering such as first and third generation, allow entire sets of one type of packet to enter in response to authorized requests, a dynamic packet filtering firewall allows only a particular packet with a particular source, destination, and port number to enter through the firewall . It perform this based on the information contained in the packet header. Principles of Information Security, 3rd Edition 16 Fifth Generation: Kernel proxy kernel-based, multi-layer session evaluation technology that runs in the Windows NT Executive, which is the kernel mode of Windows NT. The Security Kernel component contains three major technologies: the Interceptor/Packet Analyzer, the Security Verification Engine, and Kernel Proxies. Figure 5-4 identifies the network packet flow within the Security Kernel. Principles of Information Security, 3rd Edition 17 Fifth Generation: Kernel proxy Principles of Information Security, 3rd Edition 18 Fifth Generation: Kernel proxy The Interceptor captures all network packets arriving at the firewall server. Once the Interceptor captures a network packet, it passes it to the Packet Analyzer. The Packet Analyzer recognizes the header information included with the network packets, prepares them to be looked at as a session by deriving signature data, and passes this derived signature data and the network packets to the Security Verification Engine. The SVEN receives this information and determines whether to drop the packet, map it to an existing session, or to create a new session. Then it enforces security policy as configured into the device In the final piece of the puzzle the kernel proxy performs its function of inspecting the actual network packets and enforcing security policies. Principles of Information Security, 3rd Edition 19 Firewall Architectures Firewall devices can be configured in a number of network connection architectures Configuration that works best depends on three factors: Objectives of the network Organization’s ability to develop and implement architectures Budget available for function Four common architectural implementations of firewalls: packet filtering routers, screened host firewalls, dual-homed firewalls, screened subnet firewalls Principles of Information Security, 3rd Edition 20 Packet Filtering Routers Most organizations with Internet connection have a router serving as interface to Internet Many of these routers can be configured to reject packets that organization does not allow into network Drawbacks include a lack of auditing and strong authentication. Also the complexity of the ACLs used to filter the packets can grow and degrade the network performance. Principles of Information Security, 3rd Edition 21 Principles of Information Security, 3rd Edition 22 Screened Host Firewalls Combines packet filtering router with separate, dedicated firewall such as an application proxy server Allows router to prescreen packets to minimize traffic/load on internal proxy Separate host is often referred to as bastion host; can be rich target for external attacks and should be very thoroughly secured Principles of Information Security, 3rd Edition 23 Principles of Information Security, 3rd Edition 24 Screened Host Firewalls There are some disadvantages to the screened host architecture. The major one is that if an attacker manages to break in to the bastion host, there is nothing left in the way of network security between the bastion host and the rest of the internal hosts. The router also presents a single point of failure; if the router is compromised, the entire network is available to an attacker. For this reason, the screened subnet architecture has become increasingly popular. Principles of Information Security, 3rd Edition 25 Dual-Homed Host Firewalls Bastion host contains two network interface cards (NICs): one connected to external network, one connected to internal network. With two NICs all the traffic must physically go through the firewall to move between the external and internal networks. Implementation of this architecture often makes use of network address translation (NAT), creating another barrier to intrusion from external attackers. Principles of Information Security, 3rd Edition 26 Principles of Information Security, 3rd Edition 27 Screened Subnet Firewalls (with DMZ) The screened subnet architecture adds an extra layer of security to the screened host architecture by adding a perimeter network that further isolates the internal network from the Internet. There are many variants of this architecture, the first general model consist of two filtering routers with one or more dual-homed bastion hosts between them. Principles of Information Security, 3rd Edition 28 The first general model Principles of Information Security, 3rd Edition 29 Screened Subnet Firewalls (with DMZ) (continued) The second general model consists of two or more internal bastion hosts behind packet filtering router, with each host protecting trusted network: Connections from outside (untrusted network) routed through external filtering router Connections from outside (untrusted network) are routed into and out of routing firewall to separate network segment known as DMZ Connections into trusted internal network allowed only from DMZ bastion host servers Principles of Information Security, 3rd Edition 30 Principles of Information Security, 3rd Edition 31 Screened Subnet Firewalls (with DMZ) (continued) The Screened subnet is an entire network segment that performs two functions: Protects DMZ systems and information from outside threats Protects the internal networks by limiting how external connections can gain access to internal systems Although extremely secure, the screened subnet can be expensive to implement and complex to configure and manage. Principles of Information Security, 3rd Edition 32 Selecting the Right Firewall When selecting firewall, consider a number of factors: What firewall offers right balance between protection and cost for needs of organization? Which features are included in base price and which are not? Ease of setup and configuration? How accessible are staff technicians who can configure the firewall? Can firewall adapt to organization’s growing network? Second most important issue is cost Principles of Information Security, 3rd Edition 33 Configuring and Managing Firewalls Each firewall device must have own set of configuration rules regulating its actions Firewall policy configuration is usually complex and difficult Configuring firewall policies is both an art and a science When security rules conflict with the performance of business, security often loses Principles of Information Security, 3rd Edition 34 Best Practices for Firewalls All traffic from trusted network is allowed out Firewall device never directly accessed from public network Simple Mail Transport Protocol (SMTP) data allowed to pass through firewall Internet Control Message Protocol (ICMP) data denied Telnet access to internal servers should be blocked When Web services offered outside firewall, HTTP traffic should be denied from reaching internal networks Principles of Information Security, 3rd Edition 35 Dial-up protection Unsecured, dial-up connection points represent a substantial exposure to attack. Attacker can use device called a war dialer to locate connection points. War dialer: automatic phone-dialing program that dials every number in a configured range and records number if modem picks up. Some technologies (RADIUS systems; TACACS; CHAP password systems) have improved authentication process. Principles of Information Security, 3rd Edition 36 RADIUS, TACACS, and Diameter Systems that authenticate user credentials for those trying to access an organization’s network via dial-up Remote Authentication Dial-In User Service (RADIUS): centralizes management of user authentication system in a central RADIUS server Diameter: emerging alternative derived from RADIUS Terminal Access Controller Access Control System (TACACS): validates user’s credentials at centralized server (like RADIUS); based on client/server configuration Principles of Information Security, 3rd Edition 37 Principles of Information Security, 3rd Edition 38 Virtual Private Networks (VPNs) Private and secure network connection between systems; uses data communication capability of unsecured and public network Securely extends organization’s internal network connections to remote locations beyond trusted network Three VPN technologies defined: Trusted VPN Secure VPN Hybrid VPN (combines trusted and secure) Principles of Information Security, 3rd Edition 39 Virtual Private Networks (VPNs) (continued) VPN must accomplish: Encapsulation of incoming and outgoing data Encryption of incoming and outgoing data Authentication of remote computer and (perhaps) remote user as well Principles of Information Security, 3rd Edition 40 Transport Mode Data within IP packet is encrypted, but header information is not Allows user to establish secure link directly with remote host, encrypting only data contents of packet Two popular uses: End-to-end transport of encrypted data Remote access worker connects to office network over Internet by connecting to a VPN server on the perimeter Principles of Information Security, 3rd Edition 41 Principles of Information Security, 3rd Edition 42 Tunnel Mode Organization establishes two perimeter tunnel servers These servers act as encryption points, encrypting all traffic that will traverse unsecured network Primary benefit to this model is that an intercepted packet reveals nothing about true destination system Example of tunnel mode VPN: Microsoft’s Internet Security and Acceleration (ISA) Server Principles of Information Security, 3rd Edition 43 Principles of Information Security, 3rd Edition 44 Principles of Information Security, 3rd Edition 45 Summary Firewall technology Various approaches to remote and dial-up access protection Content filtering technology Virtual private networks Principles of Information Security, 3rd Edition 46