9781111138219_ppt_ch06


Page 1: 9781111138219_PPT_ch06

7/23/2019 9781111138219_PPT_ch06

http://slidepdf.com/reader/full/9781111138219pptch06 1/63

Principles of Information Security, Fourth Edition

Chapter 6

Security Technology: Firewalls and VPNs

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.

BRUCE SCHNEIER, AMERICAN CRYPTOGRAPHER, COMPUTER SECURITY SPECIALIST, AND WRITER

Page 2: 9781111138219_PPT_ch06

Learning Objectives

• Upon completion of this material, you should be able to:

 – Recognize the important role of access control in computerized information systems, and identify and discuss widely-used authentication factors

 – Describe firewall technology and the various approaches to firewall implementation

 – Identify the various approaches to control remote and dial-up access by means of the authentication and authorization of users

Principles of Information Security, Fourth Edition 2

Page 3: 9781111138219_PPT_ch06

Learning Objectives (cont'd.)

 – Discuss content filtering technology

 – Describe the technology that enables the use of virtual private networks

Page 4: 9781111138219_PPT_ch06

Introduction

• Technical controls are essential in enforcing policy for many IT functions that do not involve direct human control

• Technical control solutions improve an organization's ability to balance making information readily available against increasing information's levels of confidentiality and integrity

Page 5: 9781111138219_PPT_ch06

Access Control

• Access control: method by which systems determine whether and how to admit a user into a trusted area of the organization

• Mandatory access controls (MACs): use data classification schemes

• Nondiscretionary controls: strictly-enforced version of MACs that are managed by a central authority

• Discretionary access controls (DACs): implemented at the discretion or option of the data user

Page 6: 9781111138219_PPT_ch06

Identification

• Identification: mechanism whereby an unverified entity that seeks access to a resource proposes a label by which they are known to the system

• Supplicant: entity that seeks a resource

• Identifiers can be composite identifiers, concatenating elements (department codes, random numbers, or special characters) to make them unique

• Some organizations generate random numbers

Page 7: 9781111138219_PPT_ch06

Authentication

• Authentication: the process of validating a supplicant's purported identity

• Authentication factors

 – Something a supplicant knows

• Password: a private word or combination of characters that only the user should know

• Passphrase: a series of characters, typically longer than a password, from which a virtual password is derived

Page 8: 9781111138219_PPT_ch06

Authentication (cont'd.)

• Authentication factors (cont'd.)

 – Something a supplicant has

• Smart card: contains a computer chip that can verify and validate information

• Synchronous tokens

• Asynchronous tokens

 – Something a supplicant is

• Relies upon individual characteristics

• Strong authentication

Page 9: 9781111138219_PPT_ch06

Authorization

• Authorization: the matching of an authenticated entity to a list of information assets and corresponding access levels

• Authorization can be handled in one of three ways

 – Authorization for each authenticated user

 – Authorization for members of a group

 – Authorization across multiple systems

• Authorization tickets

Page 10: 9781111138219_PPT_ch06

Accountability

• Accountability (auditability): ensures that all actions on a system, authorized or unauthorized, can be attributed to an authenticated identity

• Most often accomplished by means of system logs and database journals, and the auditing of these records

• System logs record specific information

• Logs have many uses

Page 11: 9781111138219_PPT_ch06

Firewalls

• Prevent specific types of information from moving between the outside world (untrusted network) and the inside world (trusted network)

• May be:

 – Separate computer system

 – Software service running on existing router or server

 – Separate network containing supporting devices

Page 12: 9781111138219_PPT_ch06

Firewalls Processing Modes

• Five processing modes by which firewalls can be categorized:

 – Packet filtering

 – Application gateways

 – Circuit gateways

 – MAC layer firewalls

 – Hybrids

Page 13: 9781111138219_PPT_ch06

Firewalls Processing Modes (cont'd.)

• Packet filtering firewalls examine header information of data packets

• Most often based on combination of:

 – Internet Protocol (IP) source and destination address

 – Direction (inbound or outbound)

 – Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests

• Simple firewall models enforce rules designed to prohibit packets with certain addresses or partial addresses

Page 14: 9781111138219_PPT_ch06

Firewalls Processing Modes (cont'd.)

• Three subsets of packet filtering firewalls:

 – Static filtering: requires that filtering rules governing how the firewall decides which packets are allowed and which are denied are developed and installed

 – Dynamic filtering: allows firewall to react to emergent event and update or create rules to deal with event

 – Stateful inspection: firewalls that keep track of each network connection between internal and external systems using a state table

Page 15: 9781111138219_PPT_ch06

Figure 6-2 IP Packet Structure

Page 16: 9781111138219_PPT_ch06

Figure 6-3 TCP Packet Structure

Figure 6-4 UDP Datagram Structure

Page 17: 9781111138219_PPT_ch06

Table 6-1 Sample Firewall Rule and Format

Page 18: 9781111138219_PPT_ch06

Firewalls Processing Modes (cont'd.)

• Application gateways

 – Frequently installed on a dedicated computer; also known as a proxy server

 – Since proxy server is often placed in unsecured area of the network (e.g., DMZ), it is exposed to higher levels of risk from less trusted networks

 – Additional filtering routers can be implemented behind the proxy server, further protecting internal systems

Page 19: 9781111138219_PPT_ch06

Firewalls Processing Modes (cont'd.)

• Circuit gateway firewall

 – Operates at transport layer

 – Like filtering firewalls, do not usually look at data traffic flowing between two networks, but prevent direct connections between one network and another

 – Accomplished by creating tunnels connecting specific processes or systems on each side of the firewall, and allow only authorized traffic in the tunnels

Page 20: 9781111138219_PPT_ch06

Firewalls Processing Modes (cont'd.)

• MAC layer firewalls

 – Designed to operate at the media access control layer of OSI network model

 – Able to consider specific host computer's identity in its filtering decisions

 – MAC addresses of specific host computers are linked to access control list (ACL) entries that identify specific types of packets that can be sent to each host; all other traffic is blocked

Page 21: 9781111138219_PPT_ch06

Figure 6-6 Firewall Types and the OSI Model

Page 22: 9781111138219_PPT_ch06

Firewalls Processing Modes (cont'd.)

• Hybrid firewalls

 – Combine elements of other types of firewalls; i.e., elements of packet filtering and proxy services, or of packet filtering and circuit gateways

 – Alternately, may consist of two separate firewall devices; each a separate firewall system, but connected to work in tandem

Page 23: 9781111138219_PPT_ch06

Firewalls Categorized by Generation

• First generation: static packet filtering firewalls

• Second generation: application-level firewalls or proxy servers

• Third generation: stateful inspection firewalls

• Fourth generation: dynamic packet filtering firewalls; allow only packets with particular source, destination, and port addresses to enter

• Fifth generation: kernel proxies; specialized form working under kernel of Windows NT

Page 24: 9781111138219_PPT_ch06

Table 6-2 State Table Entries

Page 25: 9781111138219_PPT_ch06

Firewalls Categorized by Structure

• Most firewalls are appliances: stand-alone, self-contained systems

• Commercial-grade firewall system

• Small office/home office (SOHO) firewall appliances

• Residential-grade firewall software

Page 26: 9781111138219_PPT_ch06

Figure 6-7 SOHO Firewall Devices

Page 27: 9781111138219_PPT_ch06

Software vs. Hardware: the SOHO Firewall Debate

• Which firewall type should the residential user implement?

• Where would you rather defend against a hacker?

• With the software option, hacker is inside your computer

• With the hardware device, even if hacker manages to crash firewall system, computer and information are still safely behind the now disabled connection

Page 28: 9781111138219_PPT_ch06

Firewall Architectures

• Firewall devices can be configured in a number of network connection architectures

• Best configuration depends on three factors:

 – Objectives of the network

 – Organization's ability to develop and implement architectures

 – Budget available for function

• Four common architectural implementations of firewalls: packet filtering routers, screened host firewalls, dual-homed firewalls, screened subnet firewalls

Page 29: 9781111138219_PPT_ch06

Firewall Architectures (cont'd.)

• Packet filtering routers

 – Most organizations with Internet connection have a router serving as interface to Internet

 – Many of these routers can be configured to reject packets that organization does not allow into network

 – Drawbacks include a lack of auditing and strong authentication

Page 30: 9781111138219_PPT_ch06

Figure 6-5 Packet-Filtering Router

Page 31: 9781111138219_PPT_ch06

Firewall Architectures (cont'd.)

• Screened host firewalls

 – Combines packet filtering router with separate, dedicated firewall such as an application proxy server

 – Allows router to prescreen packets to minimize traffic/load on internal proxy

 – Separate host is often referred to as bastion host

• Can be rich target for external attacks and should be very thoroughly secured

• Also known as a sacrificial host

Page 32: 9781111138219_PPT_ch06

Figure 6-12 Screened Host Firewall

Page 33: 9781111138219_PPT_ch06

Firewall Architectures (cont'd.)

• Dual-homed host firewalls

 – Bastion host contains two network interface cards (NICs): one connected to external network, one connected to internal network

 – Implementation of this architecture often makes use of network address translation (NAT), creating another barrier to intrusion from external attackers

Page 34: 9781111138219_PPT_ch06

Table 6-4 Reserved Nonroutable Address Ranges

Page 35: 9781111138219_PPT_ch06

Figure 6-13 Dual-Homed Host Firewall

Page 36: 9781111138219_PPT_ch06

Firewall Architectures (cont'd.)

• Screened subnet firewall is the dominant architecture used today

• Commonly consists of two or more internal bastion hosts behind packet filtering router, with each host protecting trusted network:

 – Connections from outside (untrusted network) routed through external filtering router

 – Connections from outside (untrusted network) are routed into and out of routing firewall to separate network segment known as DMZ

 – Connections into trusted internal network allowed only from DMZ bastion host servers

Page 37: 9781111138219_PPT_ch06

Firewall Architectures (cont'd.)

• Screened subnet performs two functions:

 – Protects DMZ systems and information from outside threats

 – Protects the internal networks by limiting how external connections can gain access to internal systems

• Another facet of DMZs: extranets

Page 38: 9781111138219_PPT_ch06

Firewall Architectures (cont'd.)

• SOCKS servers

 – SOCKS is the protocol for handling TCP traffic via a proxy server

 – A proprietary circuit-level proxy server that places special SOCKS client-side agents on each workstation

 – A SOCKS system can require support and management resources beyond those of traditional firewalls

Page 39: 9781111138219_PPT_ch06

Figure 6-14 Screened Subnet (DMZ)

Page 40: 9781111138219_PPT_ch06

Selecting the Right Firewall

• When selecting firewall, consider a number of factors:

 – What firewall offers right balance between protection and cost for needs of organization?

 – Which features are included in base price and which are not?

 – Ease of setup and configuration? How accessible are staff technicians who can configure the firewall?

 – Can firewall adapt to organization's growing network?

• Second most important issue is cost

Page 41: 9781111138219_PPT_ch06

Configuring and Managing Firewalls

• Each firewall device must have own set of configuration rules regulating its actions

• Firewall policy configuration is usually complex and difficult

• Configuring firewall policies is both an art and a science

• When security rules conflict with the performance of business, security often loses

Page 42: 9781111138219_PPT_ch06

Configuring and Managing Firewalls (cont'd.)

• Best practices for firewalls

 – All traffic from trusted network is allowed out

 – Firewall device never directly accessed from public network

 – Simple Mail Transport Protocol (SMTP) data allowed to pass through firewall

 – Internet Control Message Protocol (ICMP) data denied

 – Telnet access to internal servers should be blocked

 – When Web services offered outside firewall, HTTP traffic should be denied from reaching internal networks

Page 43: 9781111138219_PPT_ch06

Configuring and Managing Firewalls (cont'd.)

• Firewall rules

 – Operate by examining data packets and performing comparison with predetermined logical rules

 – Logic based on set of guidelines most commonly referred to as firewall rules, rule base, or firewall logic

 – Most firewalls use packet header information to determine whether specific packet should be allowed or denied
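As an added example (not from the slides or the textbook), the rule base described on this slide and the best practices of the previous one, combined with the state table from the stateful inspection slide, in Python: a first-match packet filter whose state table admits the reply half of any connection it has already allowed, with entries that expire. The trusted network, the firewall's interface addresses, the DMZ mail server and the 60-second entry lifetime are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample topology (not from the slides): trusted LAN, firewall interfaces, DMZ mail server.
TRUSTED = ip_network("192.168.1.0/24")
FIREWALL_ADDRS = {ip_address("203.0.113.1"), ip_address("192.168.1.1")}
MAIL_SERVER = {ip_address("192.168.2.25")}

@dataclass(frozen=True)
class Packet:              # the header fields a packet filter inspects
    direction: str         # "in" = arriving from the untrusted side, "out" = leaving
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass
class Rule:                # "*" matches anything
    action: str            # "allow" or "deny"
    direction: str = "*"
    proto: str = "*"
    src: object = "*"      # "*", an ip_network, or a set of ip_address values
    dst: object = "*"
    dport: object = "*"
    note: str = ""

    def matches(self, p):
        return (self.direction in ("*", p.direction)
                and self.proto in ("*", p.proto)
                and self.dport in ("*", p.dport)
                and (self.src == "*" or ip_address(p.src) in self.src)
                and (self.dst == "*" or ip_address(p.dst) in self.dst))

# The slide's best practices as a rule base: first match wins, and the
# final catch-all denies whatever no earlier rule permitted.
RULES = [
    Rule("deny", direction="in", dst=FIREWALL_ADDRS, note="firewall itself"),
    Rule("deny", proto="icmp", note="ICMP denied"),
    Rule("allow", direction="out", src=TRUSTED, note="trusted network out"),
    Rule("allow", direction="in", proto="tcp", dst=MAIL_SERVER, dport=25,
         note="SMTP to the DMZ mail server"),
    Rule("deny", direction="in", proto="tcp", dport=23, note="Telnet blocked"),
    Rule("deny", direction="in", proto="tcp", dst=TRUSTED, dport=80,
         note="HTTP must not reach internal hosts"),
    Rule("deny", note="default deny"),
]

class StatefulFirewall:
    """Rule base plus a state table, so the reply half of an allowed TCP/UDP connection is admitted."""

    def __init__(self, rules, ttl=60):
        # state maps (proto, src, sport, dst, dport) to the entry's expiry time
        self.rules, self.ttl, self.state = rules, ttl, {}

    def filter(self, p, now=0):
        """Return (decision, reason) for packet p seen at time `now` (seconds)."""
        self.state = {k: t for k, t in self.state.items() if t > now}
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if p.proto in ("tcp", "udp") and rev in self.state:
            self.state[rev] = now + self.ttl    # refresh the tracked entry
            return "allow", "established connection (state table)"
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow" and p.proto in ("tcp", "udp"):
                    self.state[fwd] = now + self.ttl
                return rule.action, rule.note
        return "deny", "no rule matched"

def demo():
    fw = StatefulFirewall(RULES)
    ext, lan, mail = "198.51.100.7", "192.168.1.10", "192.168.2.25"
    web_req = Packet("out", "tcp", lan, ext, 51000, 80)
    web_rep = Packet("in", "tcp", ext, lan, 80, 51000)
    return {
        "web_request": fw.filter(web_req, now=0)[0],
        "web_reply": fw.filter(web_rep, now=1)[0],      # admitted via state table
        "stale_reply": fw.filter(web_rep, now=200)[0],  # entry expired: denied
        "inbound_http": fw.filter(Packet("in", "tcp", ext, lan, 4000, 80))[0],
        "inbound_smtp": fw.filter(Packet("in", "tcp", ext, mail, 4001, 25))[0],
        "smtp_reply": fw.filter(Packet("out", "tcp", mail, ext, 25, 4001))[0],
        "ping_firewall": fw.filter(Packet("in", "icmp", ext, "203.0.113.1"))[0],
    }
```

The mail server's reply is the case that needs the state table: its DMZ address is not in the trusted network, so no outbound rule covers it.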

Page 44: 9781111138219_PPT_ch06

Figure 6-15 Example Network Configuration

Page 45: 9781111138219_PPT_ch06

Table 6-5 Select Well-Known Port Numbers

Page 46: 9781111138219_PPT_ch06

Table 6-16 External Filtering Firewall Inbound Interface Rule Set

Page 47: 9781111138219_PPT_ch06

Table 6-17 External Filtering Firewall Outbound Interface Rule Set

Page 48: 9781111138219_PPT_ch06

Content Filters

• Software filter (not a firewall) that allows administrators to restrict content access from within network

• Essentially a set of scripts or programs restricting user access to certain networking protocols/Internet locations

• Primary focus to restrict internal access to external material

• Most common content filters restrict users from accessing non-business Web sites or deny incoming spam

Page 49: 9781111138219_PPT_ch06

Protecting Remote Connections

• Installing Internetwork connections requires leased lines or other data channels; these connections are usually secured under requirements of formal service agreement

• When individuals seek to connect to organization's network, more flexible option must be provided

• Options such as virtual private networks (VPNs) have become more popular due to spread of Internet

Page 50: 9781111138219_PPT_ch06

Remote Access

• Unsecured, dial-up connection points represent a substantial exposure to attack

• Attacker can use device called a war dialer to locate connection points

• War dialer: automatic phone-dialing program that dials every number in a configured range and records number if modem picks up

• Some technologies (RADIUS systems; TACACS; CHAP password systems) have improved authentication process

Page 51: 9781111138219_PPT_ch06

Remote Access (cont'd.)

• RADIUS, TACACS, and Diameter

 – Systems that authenticate user credentials for those trying to access an organization's network via dial-up

 – Remote Authentication Dial-In User Service (RADIUS): centralizes management of user authentication system in a central RADIUS server

 – Diameter: emerging alternative derived from RADIUS

 – Terminal Access Controller Access Control System (TACACS): validates user's credentials at centralized server (like RADIUS); based on client/server configuration

Page 52: 9781111138219_PPT_ch06

Figure 6-16 RADIUS Configuration

Page 53: 9781111138219_PPT_ch06

Remote Access (cont'd.)

• Securing authentication with Kerberos

 – Provides secure third-party authentication

 – Uses symmetric key encryption to validate individual user to various network resources

 – Keeps database containing private keys of clients/servers

 – Consists of three interacting services:

• Authentication server (AS)

• Key Distribution Center (KDC)

• Kerberos ticket granting service (TGS)

Page 54: 9781111138219_PPT_ch06

Figure 6-17 Kerberos Login

Page 55: 9781111138219_PPT_ch06

Figure 6-18 Kerberos Request for Services

Page 56: 9781111138219_PPT_ch06

Remote Access (cont'd.)

• Sesame

 – Secure European System for Applications in a Multivendor Environment (SESAME) is similar to Kerberos

• User is first authenticated to authentication server and receives token

• Token then presented to privilege attribute server as proof of identity to gain privilege attribute certificate

• Uses public key encryption; adds additional and more sophisticated access control features; more scalable encryption systems; improved manageability; auditing features; delegation of responsibility for allowing access

Page 57: 9781111138219_PPT_ch06

Virtual Private Networks (VPNs)

• Private and secure network connection between systems; uses data communication capability of unsecured and public network

• Securely extends organization's internal network connections to remote locations beyond trusted network

• Three VPN technologies defined:

 – Trusted VPN

 – Secure VPN

 – Hybrid VPN (combines trusted and secure)

Page 58: 9781111138219_PPT_ch06

Virtual Private Networks (VPNs) (cont'd.)

• VPN must accomplish:

 – Encapsulation of incoming and outgoing data

 – Encryption of incoming and outgoing data

 – Authentication of remote computer and (perhaps) remote user as well

Page 59: 9781111138219_PPT_ch06

Virtual Private Networks (VPNs) (cont'd.)

• Transport mode

 – Data within IP packet is encrypted, but header information is not

 – Allows user to establish secure link directly with remote host, encrypting only data contents of packet

 – Two popular uses:

• End-to-end transport of encrypted data

• Remote access worker connects to office network over Internet by connecting to a VPN server on the perimeter

Page 60: 9781111138219_PPT_ch06

Figure 6-19 Transport Mode VPN

Page 61: 9781111138219_PPT_ch06

Virtual Private Networks (VPNs) (cont'd.)

• Tunnel mode

 – Organization establishes two perimeter tunnel servers

 – These servers act as encryption points, encrypting all traffic that will traverse unsecured network

 – Primary benefit to this model is that an intercepted packet reveals nothing about true destination system

 – Example of tunnel mode VPN: Microsoft's Internet Security and Acceleration (ISA) Server
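As an added example that is not part of the slides, transport mode (previous VPN slide) and tunnel mode (this slide) side by side in Python: a minimal IPv4 header is built with struct, and a passive observer's view of each packet shows the true endpoints in transport mode but only the two tunnel servers in tunnel mode. The addresses and shared key are constructed, and the SHA-256 keystream stands in for a real cipher purely for illustration.

```python
import hashlib
import struct
from ipaddress import IPv4Address

PROTO_TCP, PROTO_ESP = 6, 50   # IP protocol numbers for TCP and IPsec ESP

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher for illustration only: XOR with a SHA-256 counter
    keystream. A real VPN uses an authenticated cipher such as AES-GCM."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def ip_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (Figure 6-2 layout; checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def parse_header(pkt: bytes) -> dict:
    """What anyone on the path can read: the cleartext header fields."""
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(IPv4Address(f[8])), "dst": str(IPv4Address(f[9])),
            "proto": f[6], "payload": pkt[20:]}

def transport_mode(src, dst, data, key):
    """Encrypt only the payload; the original IP header stays in the clear."""
    enc = keystream_xor(key, data)
    return ip_header(src, dst, PROTO_ESP, len(enc)) + enc

def tunnel_mode(src, dst, data, key, gw_a, gw_b):
    """Encrypt the whole inner packet, header included, and wrap it in a new
    outer header addressed from one perimeter tunnel server to the other."""
    inner = ip_header(src, dst, PROTO_TCP, len(data)) + data
    enc = keystream_xor(key, inner)
    return ip_header(gw_a, gw_b, PROTO_ESP, len(enc)) + enc

def tunnel_receive(pkt, key):
    """Far tunnel server: strip the outer header, decrypt, recover the inner packet."""
    return parse_header(keystream_xor(key, parse_header(pkt)["payload"]))

def demo():
    # Constructed addresses: remote worker, internal server, two tunnel servers.
    worker, server = "198.51.100.20", "192.168.1.50"
    gw_a, gw_b = "203.0.113.1", "203.0.113.2"
    key, data = b"constructed-shared-key", b"GET /payroll HTTP/1.1"
    t = transport_mode(worker, server, data, key)
    u = tunnel_mode(worker, server, data, key, gw_a, gw_b)
    inner = tunnel_receive(u, key)
    th, uh = parse_header(t), parse_header(u)
    return {
        "transport_seen": (th["src"], th["dst"]),   # true endpoints exposed
        "tunnel_seen": (uh["src"], uh["dst"]),      # only the tunnel servers
        "payload_readable": data in t,              # False: data is encrypted
        "inner": (inner["src"], inner["dst"], inner["payload"]),
    }
```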

Page 62: 9781111138219_PPT_ch06

Figure 6-20 Tunnel Mode VPN

Page 63: 9781111138219_PPT_ch06

Summary

• Firewalls

 – Technology from packet filtering to dynamic stateful inspection

 – Architectures vary with the needs of the network

• Various approaches to remote and dial-up access protection

 – RADIUS and TACACS

• Content filtering technology

• Virtual private networks

 – Encryption between networks over the Internet