9781111138219_ppt_ch06
TRANSCRIPT
![Page 1: 9781111138219_PPT_ch06](https://reader036.vdocuments.site/reader036/viewer/2022062317/5695cf2e1a28ab9b028cf372/html5/thumbnails/1.jpg)
7/23/2019 9781111138219_PPT_ch06
http://slidepdf.com/reader/full/9781111138219pptch06 1/63
Principles of Information Security, Fourth Edition
Chapter 6
Security Technology: Firewalls and VPNs
If you think technology can solve your security problems,
then you don’t understand the problems and you don’t
understand the technology.
BRUCE SCHNEIER, AMERICAN CRYPTOGRAPHER,
COMPUTER SECURITY SPECIALIST, AND WRITER

Learning Objectives
• Upon completion of this material, you should be able to:
– Recognize the important role of access control in computerized information systems, and identify and discuss widely-used authentication factors
– Describe firewall technology and the various approaches to firewall implementation
– Identify the various approaches to control remote and dial-up access by means of the authentication and authorization of users
Principles of Information Security, Fourth Edition 2

Learning Objectives (cont'd)
– Discuss content filtering technology
– Describe the technology that enables the use of virtual private networks

Introduction
• Technical controls are essential in enforcing policy for many IT functions that do not involve direct human control
• Technical control solutions improve an organization's ability to balance making information readily available against increasing information's levels of confidentiality and integrity

Access Control
• Access control: method by which systems determine whether and how to admit a user into a trusted area of the organization
• Mandatory access controls (MACs): use data classification schemes
• Nondiscretionary controls: strictly-enforced version of MACs that are managed by a central authority
• Discretionary access controls (DACs): implemented at the discretion or option of the data user

Identification
• Identification: mechanism whereby an unverified entity that seeks access to a resource proposes a label by which they are known to the system
• Supplicant: entity that seeks a resource
• Identifiers can be composite identifiers, concatenating elements (department codes, random numbers, or special characters) to make them unique
• Some organizations generate random numbers

Authentication
• Authentication: the process of validating a supplicant's purported identity
• Authentication factors
– Something a supplicant knows
• Password: a private word or combination of characters that only the user should know
• Passphrase: a series of characters, typically longer than a password, from which a virtual password is derived

Authentication (cont'd)
• Authentication factors (cont'd)
– Something a supplicant has
• Smart card: contains a computer chip that can verify and validate information
• Synchronous tokens
• Asynchronous tokens
– Something a supplicant is
• Relies upon individual characteristics
• Strong authentication

Authorization
• Authorization: the matching of an authenticated entity to a list of information assets and corresponding access levels
• Authorization can be handled in one of three ways
– Authorization for each authenticated user
– Authorization for members of a group
– Authorization across multiple systems
• Authorization tickets

Accountability
• Accountability (auditability): ensures that all actions on a system, authorized or unauthorized, can be attributed to an authenticated identity
• Most often accomplished by means of system logs and database journals, and the auditing of these records
• System logs record specific information
• Logs have many uses

Firewalls
• Prevent specific types of information from moving between the outside world (untrusted network) and the inside world (trusted network)
• May be:
– Separate computer system
– Software service running on existing router or server
– Separate network containing supporting devices

Firewalls Processing Modes
• Five processing modes by which firewalls can be categorized:
– Packet filtering
– Application gateways
– Circuit gateways
– MAC layer firewalls
– Hybrids

Firewalls Processing Modes (cont'd)
• Packet filtering firewalls examine header information of data packets
• Most often based on combination of:
– Internet Protocol (IP) source and destination address
– Direction (inbound or outbound)
– Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests
• Simple firewall models enforce rules designed to prohibit packets with certain addresses or partial addresses

Firewalls Processing Modes (cont'd)
• Three subsets of packet filtering firewalls:
– Static filtering: requires that filtering rules governing how the firewall decides which packets are allowed and which are denied are developed and installed
– Dynamic filtering: allows firewall to react to emergent event and update or create rules to deal with event
– Stateful inspection: firewalls that keep track of each network connection between internal and external systems using a state table

Figure 6-2 IP Packet Structure

Figure 6-3 TCP Packet Structure
Figure 6-4 UDP Datagram Structure

Table 6-1 Sample Firewall Rule and Format

Firewalls Processing Modes (cont'd)
• Application gateways
– Frequently installed on a dedicated computer; also known as a proxy server
– Since proxy server is often placed in unsecured area of the network (e.g., DMZ), it is exposed to higher levels of risk from less trusted networks
– Additional filtering routers can be implemented behind the proxy server, further protecting internal systems

Firewalls Processing Modes (cont'd)
• Circuit gateway firewall
– Operates at transport layer
– Like filtering firewalls, do not usually look at data traffic flowing between two networks, but prevent direct connections between one network and another
– Accomplished by creating tunnels connecting specific processes or systems on each side of the firewall, and allow only authorized traffic in the tunnels

Firewalls Processing Modes (cont'd)
• MAC layer firewalls
– Designed to operate at the media access control layer of OSI network model
– Able to consider specific host computer's identity in its filtering decisions
– MAC addresses of specific host computers are linked to access control list (ACL) entries that identify specific types of packets that can be sent to each host; all other traffic is blocked

Figure 6-6 Firewall Types and the OSI Model

Firewalls Processing Modes (cont'd)
• Hybrid firewalls
– Combine elements of other types of firewalls; i.e., elements of packet filtering and proxy services, or of packet filtering and circuit gateways
– Alternately, may consist of two separate firewall devices; each a separate firewall system, but connected to work in tandem

Firewalls Categorized by Generation
• First generation: static packet filtering firewalls
• Second generation: application-level firewalls or proxy servers
• Third generation: stateful inspection firewalls
• Fourth generation: dynamic packet filtering firewalls; allow only packets with particular source, destination, and port addresses to enter
• Fifth generation: kernel proxies; specialized form working under kernel of Windows NT

Table 6-2 State Table Entries

Firewalls Categorized by Structure
• Most firewalls are appliances: stand-alone, self-contained systems
• Commercial-grade firewall system
• Small office/home office (SOHO) firewall appliances
• Residential-grade firewall software

Figure 6-7 SOHO Firewall Devices

Software vs. Hardware: the SOHO Firewall Debate
• Which firewall type should the residential user implement?
• Where would you rather defend against a hacker?
• With the software option, hacker is inside your computer
• With the hardware device, even if hacker manages to crash firewall system, computer and information are still safely behind the now disabled connection

Firewall Architectures
• Firewall devices can be configured in a number of network connection architectures
• Best configuration depends on three factors:
– Objectives of the network
– Organization's ability to develop and implement architectures
– Budget available for function
• Four common architectural implementations of firewalls: packet filtering routers, screened host firewalls, dual-homed firewalls, screened subnet firewalls

Firewall Architectures (cont'd)
• Packet filtering routers
– Most organizations with Internet connection have a router serving as interface to Internet
– Many of these routers can be configured to reject packets that organization does not allow into network
– Drawbacks include a lack of auditing and strong authentication

Figure 6-5 Packet-Filtering Router

Firewall Architectures (cont'd)
• Screened host firewalls
– Combines packet filtering router with separate, dedicated firewall such as an application proxy server
– Allows router to prescreen packets to minimize traffic/load on internal proxy
– Separate host is often referred to as bastion host
• Can be rich target for external attacks and should be very thoroughly secured
• Also known as a sacrificial host

Figure 6-12 Screened Host Firewall

Firewall Architectures (cont'd)
• Dual-homed host firewalls
– Bastion host contains two network interface cards (NICs): one connected to external network, one connected to internal network
– Implementation of this architecture often makes use of network address translation (NAT), creating another barrier to intrusion from external attackers

Table 6-4 Reserved Nonroutable Address Ranges

Figure 6-13 Dual-Homed Host Firewall

Firewall Architectures (cont'd)
• Screened subnet firewall is the dominant architecture used today
• Commonly consists of two or more internal bastion hosts behind packet filtering router, with each host protecting trusted network:
– Connections from outside (untrusted network) routed through external filtering router
– Connections from outside (untrusted network) are routed into and out of routing firewall to separate network segment known as DMZ
– Connections into trusted internal network allowed only from DMZ bastion host servers

Firewall Architectures (cont'd)
• Screened subnet performs two functions:
– Protects DMZ systems and information from outside threats
– Protects the internal networks by limiting how external connections can gain access to internal systems
• Another facet of DMZs: extranets

Firewall Architectures (cont'd)
• SOCKS servers
– SOCKS is the protocol for handling TCP traffic via a proxy server
– A proprietary circuit-level proxy server that places special SOCKS client-side agents on each workstation
– A SOCKS system can require support and management resources beyond those of traditional firewalls

Figure 6-14 Screened Subnet (DMZ)

Selecting the Right Firewall
• When selecting firewall, consider a number of factors:
– What firewall offers right balance between protection and cost for needs of organization?
– Which features are included in base price and which are not?
– Ease of setup and configuration? How accessible are staff technicians who can configure the firewall?
– Can firewall adapt to organization's growing network?
• Second most important issue is cost

Configuring and Managing Firewalls
• Each firewall device must have its own set of configuration rules regulating its actions
• Firewall policy configuration is usually complex and difficult
• Configuring firewall policies is both an art and a science
• When security rules conflict with the performance of business, security often loses

Configuring and Managing Firewalls (cont'd)
• Best practices for firewalls
– All traffic from trusted network is allowed out
– Firewall device never directly accessed from public network
– Simple Mail Transport Protocol (SMTP) data allowed to pass through firewall
– Internet Control Message Protocol (ICMP) data denied
– Telnet access to internal servers should be blocked
– When Web services offered outside firewall, HTTP traffic should be denied from reaching internal networks

Configuring and Managing Firewalls (cont'd)
• Firewall rules
– Operate by examining data packets and performing comparison with predetermined logical rules
– Logic based on set of guidelines most commonly referred to as firewall rules, rule base, or firewall logic
– Most firewalls use packet header information to determine whether specific packet should be allowed or denied
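The chapter's rule model (header fields only, an ordered rule base, implicit deny when nothing matches) and its best-practice list can be turned into a small filter that actually runs. The Python below is an added example written for this page, not code from the textbook or its publisher. The topology is constructed (RFC 5737 documentation ranges on the public side, a mail bastion host in the DMZ, a 10.0.0.0/8 trusted LAN) and the rule order is an assumption; it also goes one step beyond the static best-practice list by adding the state table from the stateful-inspection slide, so that replies to connections the trusted side opened are admitted.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional

# Constructed topology (assumption): a trusted LAN, a DMZ holding one SMTP
# bastion host, and the firewall's own public address.
TRUSTED = ip_network("10.0.0.0/8")
DMZ = ip_network("192.0.2.0/24")
MAIL_SERVER = ip_network("192.0.2.25/32")
FIREWALL = ip_network("203.0.113.1/32")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    """Only the header fields the chapter says a packet filter examines."""
    direction: str   # "in" = arriving from the untrusted side, "out" = leaving the trusted side
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0   # ICMP carries no ports, so 0 stands in for it
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


# The slide's best-practice list as an ordered rule base: the first matching
# rule wins, and a packet that matches nothing is denied (implicit deny).
RULE_BASE = [
    Rule("deny", "in", ANY, FIREWALL, note="firewall is never directly accessed from the public network"),
    Rule("deny", "in", ANY, ANY, "icmp", note="inbound ICMP denied"),
    Rule("allow", "in", ANY, MAIL_SERVER, "tcp", 25, note="SMTP allowed through to the DMZ mail server"),
    Rule("deny", "in", ANY, TRUSTED, "tcp", 23, note="Telnet to internal servers blocked"),
    Rule("deny", "in", ANY, TRUSTED, "tcp", 80, note="HTTP must not reach the internal network"),
    Rule("allow", "out", TRUSTED, ANY, note="all traffic from the trusted network is allowed out"),
]


class StatefulFilter:
    """Static rule matching plus a state table (stateful inspection): replies
    to connections the trusted side opened are accepted without a rule."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # (proto, src, sport, dst, dport) of allowed outbound packets

    def check(self, p: Packet):
        """Return (action, reason) for one packet and update the state table."""
        if p.direction == "in" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return "allow", "state table: reply to an established outbound connection"
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow" and p.direction == "out":
                    self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return rule.action, rule.note
        return "deny", "implicit deny: no rule matched"


def demo():
    """Run constructed traffic through the filter; returns the decisions in order."""
    fw = StatefulFilter(RULE_BASE)
    traffic = [
        Packet("in", "tcp", "198.51.100.7", "203.0.113.1", 40000, 22),  # SSH to the firewall itself
        Packet("in", "icmp", "198.51.100.7", "10.1.1.5"),               # ping into the LAN
        Packet("in", "tcp", "198.51.100.7", "192.0.2.25", 40001, 25),   # mail delivery to the DMZ host
        Packet("in", "tcp", "198.51.100.7", "10.1.1.5", 40002, 23),     # Telnet into the LAN
        Packet("in", "tcp", "198.51.100.7", "10.1.1.5", 40003, 80),     # HTTP into the LAN
        Packet("out", "tcp", "10.1.1.5", "198.51.100.7", 50000, 443),   # a user browses out
        Packet("in", "tcp", "198.51.100.7", "10.1.1.5", 443, 50000),    # the reply to that request
        Packet("in", "tcp", "198.51.100.7", "10.1.1.5", 443, 50001),    # same server, no matching state
    ]
    return [fw.check(p)[0] for p in traffic]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Order matters: the ICMP deny sits near the top, yet an echo reply to a ping sent from the trusted side is still admitted, because the state table is consulted before the rule base. That is the difference between static filtering and stateful inspection the chapter draws; a real device additionally ages entries out of the state table and caps its size, which this illustration leaves out.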

Figure 6-15 Example Network Configuration

Table 6-5 Select Well-Known Port Numbers

Table 6-16 External Filtering Firewall Inbound Interface Rule Set

Table 6-17 External Filtering Firewall Outbound Interface Rule Set

Content Filters
• Software filter (not a firewall) that allows administrators to restrict content access from within network
• Essentially a set of scripts or programs restricting user access to certain networking protocols/Internet locations
• Primary focus to restrict internal access to external material
• Most common content filters restrict users from accessing non-business Web sites or deny incoming spam
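As an added example (not part of the slides or the textbook), here is a URL filter of the kind the slide describes, in Python: it classifies a requested URL against block-list categories and a business allow-list. The domain names and categories are constructed. The two points it makes that the slide does not are that matching must respect domain label boundaries, so a look-alike name registered separately does not inherit a block-list entry, and that a request whose host cannot be parsed should fail closed.

```python
from urllib.parse import urlsplit

# Constructed policy (assumption): block-list categories and a business
# allow-list that takes precedence over them. All names are made up.
BLOCKED = {
    "social-media": {"socialexample.com", "chatexample.net"},
    "gambling": {"betexample.org"},
}
ALLOWED = {"careers.socialexample.com"}


def hostname(url: str) -> str:
    """Host a request is for; proxies see bare hosts as well as full URLs."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""   # lower-cased, port already stripped
    return host.rstrip(".")


def within_domain(host: str, domain: str) -> bool:
    """True for the domain itself and its subdomains only. A plain endswith()
    would also match 'evil-socialexample.com', a different registration."""
    return host == domain or host.endswith("." + domain)


def classify(url: str):
    """Return (decision, reason) for one requested URL."""
    host = hostname(url)
    if not host:
        return "deny", "unparseable request"   # fail closed, not open
    if any(within_domain(host, d) for d in ALLOWED):
        return "allow", "allow-list"
    for category, domains in BLOCKED.items():
        if any(within_domain(host, d) for d in domains):
            return "deny", category
    return "allow", "uncategorised"


def filter_requests(urls):
    """Apply the policy to a batch of requests, e.g. replayed from a proxy log."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    sample = [   # constructed requests
        "https://www.socialexample.com/feed",
        "https://careers.socialexample.com/jobs",
        "http://evil-socialexample.com/",
        "betexample.org",
    ]
    for url, (decision, reason) in filter_requests(sample).items():
        print(f"{decision:5} {reason:14} {url}")
```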

Protecting Remote Connections
• Installing Internetwork connections requires leased lines or other data channels; these connections are usually secured under requirements of formal service agreement
• When individuals seek to connect to organization's network, more flexible option must be provided
• Options such as virtual private networks (VPNs) have become more popular due to spread of Internet

Remote Access
• Unsecured, dial-up connection points represent a substantial exposure to attack
• Attacker can use device called a war dialer to locate connection points
• War dialer: automatic phone-dialing program that dials every number in a configured range and records number if modem picks up
• Some technologies (RADIUS systems; TACACS; CHAP password systems) have improved authentication process

Remote Access (cont'd)
• RADIUS, TACACS, and Diameter
– Systems that authenticate user credentials for those trying to access an organization's network via dial-up
– Remote Authentication Dial-In User Service (RADIUS): centralizes management of user authentication system in a central RADIUS server
– Diameter: emerging alternative derived from RADIUS
– Terminal Access Controller Access Control System (TACACS): validates user's credentials at centralized server (like RADIUS); based on client/server configuration

Figure 6-16 RADIUS Configuration

Remote Access (cont'd)
• Securing authentication with Kerberos
– Provides secure third-party authentication
– Uses symmetric key encryption to validate individual user to various network resources
– Keeps database containing private keys of clients/servers
– Consists of three interacting services:
• Authentication server (AS)
• Key Distribution Center (KDC)
• Kerberos ticket granting service (TGS)

Figure 6-17 Kerberos Login

Figure 6-18 Kerberos Request for Services

Remote Access (cont'd)
• Sesame
– Secure European System for Applications in a Multivendor Environment (SESAME) is similar to Kerberos
• User is first authenticated to authentication server and receives token
• Token then presented to privilege attribute server as proof of identity to gain privilege attribute certificate
• Uses public key encryption; adds additional and more sophisticated access control features; more scalable encryption systems; improved manageability; auditing features; delegation of responsibility for allowing access

Virtual Private Networks (VPNs)
• Private and secure network connection between systems; uses data communication capability of unsecured and public network
• Securely extends organization's internal network connections to remote locations beyond trusted network
• Three VPN technologies defined:
– Trusted VPN
– Secure VPN
– Hybrid VPN (combines trusted and secure)

Virtual Private Networks (VPNs) (cont'd)
• VPN must accomplish:
– Encapsulation of incoming and outgoing data
– Encryption of incoming and outgoing data
– Authentication of remote computer and (perhaps) remote user as well

Virtual Private Networks (VPNs) (cont'd)
• Transport mode
– Data within IP packet is encrypted, but header information is not
– Allows user to establish secure link directly with remote host, encrypting only data contents of packet
– Two popular uses:
• End-to-end transport of encrypted data
• Remote access worker connects to office network over Internet by connecting to a VPN server on the perimeter

Figure 6-19 Transport Mode VPN

Virtual Private Networks (VPNs) (cont'd)
• Tunnel mode
– Organization establishes two perimeter tunnel servers
– These servers act as encryption points, encrypting all traffic that will traverse unsecured network
– Primary benefit to this model is that an intercepted packet reveals nothing about true destination system
– Example of tunnel mode VPN: Microsoft's Internet Security and Acceleration (ISA) Server
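To make the transport-mode and tunnel-mode slides concrete, and the three things a VPN must accomplish (encapsulation, encryption, authentication of the data), here is an added Python example written for this page, not code from the textbook or from any VPN product. It builds a minimal packet, protects it in each mode, and shows what an observer on the public network can read from the outer header in each case. The cipher is a stand-in built from HMAC-SHA256 (an HMAC keystream plus an encrypt-then-MAC tag) so that the example runs on the standard library alone; the addresses and the pre-shared key are constructed, and a real VPN would use IPsec ESP or TLS with a key negotiated by IKE or a handshake.

```python
import hashlib
import hmac
import os
from ipaddress import IPv4Address


# Toy authenticated encryption. Illustrative only: it stands in for the VPN's
# real cipher suite so the example needs nothing outside the standard library.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag: confidentiality plus integrity of the data."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # verify before decrypting
        raise ValueError("authentication failed: packet modified or forged")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


# A minimal "IP packet": 4-byte source, 4-byte destination, then the payload.
def build(src: str, dst: str, payload: bytes) -> bytes:
    return IPv4Address(src).packed + IPv4Address(dst).packed + payload


def header(pkt: bytes):
    return str(IPv4Address(pkt[:4])), str(IPv4Address(pkt[4:8]))


def transport_mode(pkt: bytes, key: bytes) -> bytes:
    """Header stays in the clear; only the payload is protected."""
    return pkt[:8] + seal(key, pkt[8:])


def transport_unwrap(wire: bytes, key: bytes) -> bytes:
    return wire[:8] + open_sealed(key, wire[8:])


def tunnel_mode(pkt: bytes, key: bytes, gw_src: str, gw_dst: str) -> bytes:
    """The whole original packet, header included, is protected and then
    encapsulated in a new header naming only the two tunnel servers."""
    return build(gw_src, gw_dst, seal(key, pkt))


def tunnel_unwrap(wire: bytes, key: bytes) -> bytes:
    return open_sealed(key, wire[8:])


def eavesdrop(wire: bytes):
    """What an observer on the public network learns: the outer header only."""
    return header(wire)


def tamper_detected(wire: bytes, key: bytes) -> bool:
    """Flip one ciphertext bit of a tunnel-mode packet; the receiver must reject it."""
    forged = bytearray(wire)
    forged[-40] ^= 0x01        # inside the ciphertext, just ahead of the 32-byte tag
    try:
        tunnel_unwrap(bytes(forged), key)
        return False
    except ValueError:
        return True


def demo():
    key = b"constructed-shared-key"   # assumption: agreed earlier by the endpoints
    original = build("10.1.1.5", "10.2.2.9", b"GET /payroll HTTP/1.1")
    transport = transport_mode(original, key)
    tunnel = tunnel_mode(original, key, "203.0.113.1", "198.51.100.1")
    return {
        "transport_visible": eavesdrop(transport),   # inner hosts exposed
        "tunnel_visible": eavesdrop(tunnel),         # only the tunnel servers
        "transport_recovered": transport_unwrap(transport, key) == original,
        "tunnel_recovered": tunnel_unwrap(tunnel, key) == original,
        "forgery_rejected": tamper_detected(tunnel, key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The transport-mode packet still names 10.1.1.5 and 10.2.2.9 on the wire, which is the slide's point that header information is not encrypted; the tunnel-mode packet names only the two perimeter servers, so an intercepted copy reveals nothing about the true destination. The tag check is what stops a modified packet from being silently accepted at the far end.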

Figure 6-20 Tunnel Mode VPN

Summary
• Firewalls
– Technology from packet filtering to dynamic stateful inspection
– Architectures vary with the needs of the network
• Various approaches to remote and dial-up access protection
– RADIUS and TACACS
• Content filtering technology
• Virtual private networks
– Encryption between networks over the Internet