Transcript Document
Learning Objectives
Upon completion of this material, you should be able to:
Explain the role of physical design in the implementation
of a comprehensive security program
Describe firewall technology and the various approaches
to firewall implementation
Identify the various approaches to remote and dial-up
access protection—that is, how these connection methods
can be controlled to assure confidentiality of information,
and the authentication and authorization of users
Explain content filtering technology
Describe the technology that enables the use of virtual
private networks
Principles of Information Security, 3rd Edition
2
Introduction
Information security is a discipline that relies on the
synthesis of people, policy, education, training, awareness,
procedures, and technology to improve the protection of an
organization’s information assets.
Technical solutions, properly implemented, can maintain
the confidentiality, integrity, and availability of information
in each of it’s three states( storage, transmission, and
processing).
Principles of Information Security, 3rd Edition
3
Physical Design
The physical design process:
Selects technologies to support information security blueprint
Identifies complete technical solutions based on these
technologies, including deployment, operations, and
maintenance elements, to improve security of environment
Designs physical security measures to support technical
solution
Prepares project plans for implementation phase that follows
Principles of Information Security, 3rd Edition
4
Firewalls
Prevent specific types of information from moving between
the outside world (untrusted network) and the inside world
(trusted network)
May be separate computer system; a software service
running on existing router or server; or a separate network
containing supporting devices
Principles of Information Security, 3rd Edition
5
Processing Modes of Firewalls
There are five generally recognized generations of
firewalls, which can be implemented in a wide variety of
architectures.
The following is a summary of the technical capabilities of
each generation.
Principles of Information Security, 3rd Edition
6
First Generation: Packet Filtering Firewalls
Packet filtering firewalls examine header information of
data packets.
It scans network data packets looking for compliance with
or violation of the rules of the firewall’s DB. It inspects
packets at the network layer. If it finds a packet that
matches a restriction it simply refuses to forward it.
Principles of Information Security, 3rd Edition
7
First Generation: Packet Filtering Firewalls…
Most often based on a combination of a following:
Internet Protocol (IP) source and destination address
Direction (inbound or outbound)
Transmission Control Protocol (TCP) or User Datagram
Protocol (UDP) source and destination port requests
Simple firewall models enforce rules designed to prohibit
packets with certain addresses or partial addresses. They
accomplish this through ACLs (Access control Lists).
Principles of Information Security, 3rd Edition
8
Principles of Information Security, 3rd Edition
9
Principles of Information Security, 3rd Edition
10
Principles of Information Security, 3rd Edition
11
Principles of Information Security, 3rd Edition
12
Second Generation: Application Firewall
Frequently installed on a dedicated computer; also known
as a proxy server
Since proxy server is often placed in unsecured area of the
network (e.g., DMZ (Data Management Zone)), it is
exposed to higher levels of risk from less trusted networks
Additional filtering routers can be implemented behind the
proxy server, further protecting internal systems
Principles of Information Security, 3rd Edition
13
Third Generation: Stateful inspection firewalls
Keep track of each network connection established between
internal and external systems using a state table.
These tables track the state and context of each packet in the
conversation, by recording which station sends the packet and
when.
Like first generation it performs packet filtering, but it takes it a
step further.
It can restrict incoming packets by denying access to packets that
are responses to internal requests. If it receives an incoming
packet that it cannot match in its state table, then it defaults to its
ACL to determine whether to allow the packet to pass.
Principles of Information Security, 3rd Edition
14
Third Generation: Stateful inspection firewalls…
A minus: this can possible expose the system to DoS
attack.
A plus: these firewalls can track connectionless packet
traffic such as UDP and remote procedure calls (RPC)
traffic.
Principles of Information Security, 3rd Edition
15
Fourth Generation: Dynamic packet filtering
firewalls
While static filtering such as first and third generation, allow
entire sets of one type of packet to enter in response to
authorized requests, a dynamic packet filtering firewall
allows only a particular packet with a particular source,
destination, and port number to enter through the firewall .
It perform this based on the information contained in the
packet header.
Principles of Information Security, 3rd Edition
16
Fifth Generation: Kernel proxy
kernel-based, multi-layer session evaluation technology
that runs in the Windows NT Executive, which is the kernel
mode of Windows NT.
The Security Kernel component contains three major
technologies: the Interceptor/Packet Analyzer, the Security
Verification Engine, and Kernel Proxies. Figure 5-4
identifies the network packet flow within the Security
Kernel.
Principles of Information Security, 3rd Edition
17
Fifth Generation: Kernel proxy
Principles of Information Security, 3rd Edition
18
Fifth Generation: Kernel proxy
The Interceptor captures all network packets arriving at the firewall server.
Once the Interceptor captures a network packet, it passes it to the Packet
Analyzer. The Packet Analyzer recognizes the header information included
with the network packets, prepares them to be looked at as a session by
deriving signature data, and passes this derived signature data and the
network packets to the Security Verification Engine.
The SVEN receives this information and determines whether to drop the
packet, map it to an existing session, or to create a new session. Then it
enforces security policy as configured into the device
In the final piece of the puzzle the kernel proxy performs its function of
inspecting the actual network packets and enforcing security policies.
Principles of Information Security, 3rd Edition
19
Firewall Architectures
Firewall devices can be configured in a number of network
connection architectures
Configuration that works best depends on three factors:
Objectives of the network
Organization’s ability to develop and implement architectures
Budget available for function
Four common architectural implementations of firewalls:
packet filtering routers, screened host firewalls, dual-homed
firewalls, screened subnet firewalls
Principles of Information Security, 3rd Edition
20
Packet Filtering Routers
Most organizations with Internet connection have a router
serving as interface to Internet
Many of these routers can be configured to reject packets
that organization does not allow into network
Drawbacks include a lack of auditing and strong
authentication.
Also the complexity of the ACLs used to filter the packets
can grow and degrade the network performance.
Principles of Information Security, 3rd Edition
21
Principles of Information Security, 3rd Edition
22
Screened Host Firewalls
Combines packet filtering router with separate, dedicated
firewall such as an application proxy server
Allows router to prescreen packets to minimize traffic/load
on internal proxy
Separate host is often referred to as bastion host; can be
rich target for external attacks and should be very
thoroughly secured
Principles of Information Security, 3rd Edition
23
Principles of Information Security, 3rd Edition
24
Screened Host Firewalls
There are some disadvantages to the screened host
architecture.
The major one is that if an attacker manages to break in to
the bastion host, there is nothing left in the way of network
security between the bastion host and the rest of the
internal hosts.
The router also presents a single point of failure; if the
router is compromised, the entire network is available to
an attacker. For this reason, the screened subnet
architecture has become increasingly popular.
Principles of Information Security, 3rd Edition
25
Dual-Homed Host Firewalls
Bastion host contains two network interface cards (NICs):
one connected to external network, one connected to
internal network.
With two NICs all the traffic must physically go through
the firewall to move between the external and internal
networks.
Implementation of this architecture often makes use of
network address translation (NAT), creating another
barrier to intrusion from external attackers.
Principles of Information Security, 3rd Edition
26
Principles of Information Security, 3rd Edition
27
Screened Subnet Firewalls (with DMZ)
The screened subnet architecture adds an extra layer of security to
the screened host architecture by adding a perimeter network that
further isolates the internal network from the Internet.
There are many variants of this architecture, the first general model
consist of two filtering routers with one or more dual-homed bastion
hosts between them.
Principles of Information Security, 3rd Edition
28
The first general model
Principles of Information Security, 3rd Edition
29
Screened Subnet Firewalls (with DMZ)
(continued)
The second general model consists of two or more internal
bastion hosts behind packet filtering router, with each host
protecting trusted network:
Connections from outside (untrusted network) routed
through external filtering router
Connections from outside (untrusted network) are
routed into and out of routing firewall to separate
network segment known as DMZ
Connections into trusted internal network allowed only
from DMZ bastion host servers
Principles of Information Security, 3rd Edition
30
Principles of Information Security, 3rd Edition
31
Screened Subnet Firewalls (with DMZ)
(continued)
The Screened subnet is an entire network segment that
performs two functions:
Protects DMZ systems and information from outside threats
Protects the internal networks by limiting how external
connections can gain access to internal systems
Although extremely secure, the screened subnet can be
expensive to implement and complex to configure and
manage.
Principles of Information Security, 3rd Edition
32
Selecting the Right Firewall
When selecting firewall, consider a number of factors:
What firewall offers right balance between protection and
cost for needs of organization?
Which features are included in base price and which are
not?
Ease of setup and configuration? How accessible are staff
technicians who can configure the firewall?
Can firewall adapt to organization’s growing network?
Second most important issue is cost
Principles of Information Security, 3rd Edition
33
Configuring and Managing Firewalls
Each firewall device must have own set of configuration
rules regulating its actions
Firewall policy configuration is usually complex and
difficult
Configuring firewall policies is both an art and a science
When security rules conflict with the performance of
business, security often loses
Principles of Information Security, 3rd Edition
34
Best Practices for Firewalls
All traffic from trusted network is allowed out
Firewall device never directly accessed from public network
Simple Mail Transport Protocol (SMTP) data allowed to
pass through firewall
Internet Control Message Protocol (ICMP) data denied
Telnet access to internal servers should be blocked
When Web services offered outside firewall, HTTP traffic
should be denied from reaching internal networks
Principles of Information Security, 3rd Edition
35
Dial-up protection
Unsecured, dial-up connection points represent a
substantial exposure to attack.
Attacker can use device called a war dialer to locate
connection points.
War dialer: automatic phone-dialing program that dials
every number in a configured range and records number if
modem picks up.
Some technologies (RADIUS systems; TACACS; CHAP
password systems) have improved authentication process.
Principles of Information Security, 3rd Edition
36
RADIUS, TACACS, and Diameter
Systems that authenticate user credentials for those trying
to access an organization’s network via dial-up
Remote Authentication Dial-In User Service (RADIUS):
centralizes management of user authentication system in a
central RADIUS server
Diameter: emerging alternative derived from RADIUS
Terminal Access Controller Access Control System
(TACACS): validates user’s credentials at centralized
server (like RADIUS); based on client/server configuration
Principles of Information Security, 3rd Edition
37
Principles of Information Security, 3rd Edition
38
Virtual Private Networks (VPNs)
Private and secure network connection between systems;
uses data communication capability of unsecured and
public network
Securely extends organization’s internal network
connections to remote locations beyond trusted network
Three VPN technologies defined:
Trusted VPN
Secure VPN
Hybrid VPN (combines trusted and secure)
Principles of Information Security, 3rd Edition
39
Virtual Private Networks (VPNs) (continued)
VPN must accomplish:
Encapsulation of incoming and outgoing data
Encryption of incoming and outgoing data
Authentication of remote computer and (perhaps) remote
user as well
Principles of Information Security, 3rd Edition
40
Transport Mode
Data within IP packet is encrypted, but header
information is not
Allows user to establish secure link directly with remote
host, encrypting only data contents of packet
Two popular uses:
End-to-end transport of encrypted data
Remote access worker connects to office network over
Internet by connecting to a VPN server on the perimeter
Principles of Information Security, 3rd Edition
41
Principles of Information Security, 3rd Edition
42
Tunnel Mode
Organization establishes two perimeter tunnel servers
These servers act as encryption points, encrypting all
traffic that will traverse unsecured network
Primary benefit to this model is that an intercepted packet
reveals nothing about true destination system
Example of tunnel mode VPN: Microsoft’s Internet
Security and Acceleration (ISA) Server
Principles of Information Security, 3rd Edition
43
Principles of Information Security, 3rd Edition
44
Principles of Information Security, 3rd Edition
45
Summary
Firewall technology
Various approaches to remote and dial-up access
protection
Content filtering technology
Virtual private networks
Principles of Information Security, 3rd Edition
46