SlideShare a Scribd company logo

Whitman_Ch06.pptx

Download as PPTX, PDF
S
Siphamandla9

Security Technology

Technology
1 of 71
Principles of Information Security Sixth Edition Chapter 6 Security Technology: Access Controls, Firewalls and VPNs Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Learning Objectives (1 of 2) • Upon completion of this material, you should be able to: – Discuss the role of access control in information systems, and identify and discuss the four fundamental functions of access control systems – Define authentication and explain the three commonly used authentication factors – Describe firewall technologies and the various categories of firewalls
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Learning Objectives (2 of 2) – Discuss the various approaches to firewall implementation – Identify the various approaches to control remote and dial-up access by authenticating and authorizing users – Describe virtual private networks (VPNs) and discuss the technology that enables them
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Introduction • Technical controls are essential in enforcing policy for many IT functions that are not under direct human control. • Technical control solutions, when properly implemented, improve an organization’s ability to balance the objectives of making information readily available and preserving the information’s confidentiality and integrity.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Access Control (1 of 2) • Access control: A selective method by which systems specify who may use a particular resource and how they may use it. • Mandatory access controls (MACs): A required, structured data classification scheme that rates each collection of information as well as each user. • Discretionary access controls (DACs): Access controls that are implemented at the discretion or option of the data user. • Nondiscretionary controls: Access controls that are implemented by a central authority.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Access Controls (2 of 2) • In general, all access control approaches rely on the following four mechanisms, which represent the four fundamental functions of access control systems: – Identification: I am a user of the system. – Authentication: I can prove I’m a user of the system. – Authorization: Here’s what I can do with the system. – Accountability: You can track and monitor my use of the system.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-1 Access control approaches
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Identification • Identification: The access control mechanism that requires the validation and verification of an unauthenticated entity’s purported identity. • Identifiers can be composite identifiers, concatenating elements—department codes, random numbers, or special characters—to make them unique. • Most organizations use a single piece of unique information, such as a complete name or the user’s first initial and surname.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Authentication (1 of 2) • Authentication: The access control mechanism that requires the validation and verification of an unauthenticated entity’s purported identity. • Authentication factors – Something you know  Password: a private word or a combination of characters that only the user should know  Passphrase: a series of characters, typically longer than a password, from which a virtual password is derived
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Authentication (2 of 2) – Something you have  Dumb card: ID or ATM card with magnetic stripe  Smart card: contains a computer chip that can verify and validate information  Synchronous tokens  Asynchronous tokens – Something you are  Relies upon individual characteristics  Strong authentication
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Authorization • Authorization: The access control mechanism that represents the matching of an authenticated entity to a list of information assets and corresponding access levels. • Authorization can be handled in one of three ways: – Authorization for each authenticated user – Authorization for members of a group – Authorization across multiple systems • Authorization credentials, also called authorization tickets, are issued by an authenticator and are honored by many or all systems within the authentication domain.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Accountability • Accountability: The access control mechanism that ensures all actions on a system—authorized or unauthorized—can be attributed to an authenticated identity. Also known as auditability. • Accountability is most often accomplished by means of system logs and database journals, and the auditing of these records. • Systems logs record specific information. • Logs have many uses.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Biometrics • Approach based on the use of measurable human characteristics/traits to authenticate identity. • Only fingerprints, retina of eye, and iris of eye and DNA are considered truly unique. • Evaluated on false reject rate, false accept rate, and crossover error rate. • Highly reliable/effective biometric systems are often considered intrusive by users.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-5 Biometric recognition characteristics
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Table 6-1 Ranking of Biometric Effectiveness and Acceptance (1 of 2) Biometrics University Uniqueness Permanence Collectabilit y Performanc e Acceptabilit y Circumvention Face H L M H L H L Fadal Thermogra m H H L H M H H Fingerprint M H H M H M H Hand Geometry M M M H M M M Hand Vein M M M M M M H Eye: Iris H H H M H H H
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Table 6-1 Ranking of Biometric Effectiveness and Acceptance (2 of 2) Note: In the table, H = High, M = Medium, and L = Low. From multiple sources. Biometrics Universit y Uniquenes s Permanenc e Collectabilit y Performanc e Acceptabilit y Circumventio n Eye: Retina H H M L H L H DNA H H H L H L L Odor and Scent H H H L L M L Voice M L L M L H L Signature L L L H L H L Keystroke L L L M L M M Gait M L L H L H M
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Access Control Architecture Models (1 of 3) • Illustrate access control implementations and can help organizations quickly make improvements through adaptation. • Trusted computing base (TCB) – Part of TCSEC Rainbow Series – Used to enforce security policy (rules of system configuration) – Biggest challenges include covert channels  Storage channels  Timing channels
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Access Control Architecture Models (2 of 3) • ITSEC: An international set of criteria for evaluating computer systems – Compares Targets of Evaluation (ToE) to detailed security function specifications • The common criteria – Considered successor to both TCSEC and ITSEC • Bell-LaPadula confidentiality model – State machine reference model – Uses “no read up, no write down” principle
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Access Control Architecture Models (3 of 3) • Biba integrity model – Designed to prevent corruption of higher integrity entities – Based on “no write up, no read down” principle • Clark-Wilson integrity model – No changes by unauthorized subjects – No unauthorized changes by authorized subjects – Maintenance of internal and external consistency • Graham-Denning access control model – Composed of set of objects, set of subjects, and set of rights
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Firewalls • In information security, a combination of hardware and software that filters or prevents specific information from moving between the outside (untrusted) network and the inside (trusted) network. • May be: – Separate computer system – Software service running on existing router or server – Separate network containing supporting devices
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Firewalls Processing Modes • Processing modes by which firewalls can be categorized: – Packet filtering – Application layer proxy – MAC layer firewalls – Hybrids
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Packet-Filtering Firewalls (1 of 2) • Packet-filtering firewalls examine the header information of data packets. • Most often based on the combination of: – IP source and destination address – Direction (inbound or outbound) – Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests • Simple firewall models enforce rules designed to prohibit packets with certain addresses or partial addresses from passing through the device.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Packet-Filtering Firewalls (2 of 2) • Three subsets of packet-filtering firewalls: – Static filtering requires that filtering rules be developed and installed within the firewall – Dynamic filtering allows firewall to react to an emergent event and update or create rules to deal with that event – Stateful packet inspection (SPI) firewalls keep track of each network connection between internal and external systems using a state table
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-7 IP packet structure
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-8 TCP packet structure
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-9 UDP datagram structure
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-10 Packet-filtering router
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Table 6- 2 Sample Firewall Rule and Format Source Address Destination Address Service (e.g. HTTP, SMTP, FTP) Action (Allow or Deny) 172.16x.x 10.10.x.x Any Deny 192.168.x.x 10.10.10.25 HTTP Allow 192.168.0.1 10.10.10.10 FTP Allow
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Table 6-3 State Table Entries Source Address Source Port Destination Address Destination Port Time Remaining (in seconds) Total Time (in seconds) Protocol 192.168.2.5 1028 10.10.10.7 80 2,275 3,600 TCP
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Application Layer Proxy Firewall (1 of 3) • A device capable of functioning both as a firewall and an application layer proxy server. • Since proxy servers are often placed in unsecured area of the network (e.g., DMZ), they are exposed to higher levels of risk from less trusted networks. • Additional filtering routers can be implemented behind the proxy firewall, further protecting internal systems.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Firewall Processing Modes (2 of 3) • MAC layer firewalls – Designed to operate at media access control sublayer of network’s data link layer – Make filtering decisions based on specific host computer’s identity – MAC addresses of specific host computers are linked to access control list (ACL) entries that identify specific types of packets that can be sent to each host; all other traffic is blocked
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Firewall Processing Modes (3 of 3) • Hybrid firewalls – Combine elements of other types of firewalls, that is, elements of packet filtering and proxy services, or of packet filtering and circuit gateways – Alternately, may consist of two separate firewall devices; each a separate firewall system, but connected to work in tandem – Enables an organization to make security improvement without completely replacing existing firewalls – Include the Next Generation Firewall (NGFW) and Unified Threat Management (UTM) devices
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-11 Firewall types and protocol models
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Firewall Architectures (1 of 5) • Firewall devices can be configured in several network connection architectures. • Best configuration depends on three factors: – Objectives of the network – Organization’s ability to develop and implement architectures – Budget available for function • Three common architectural implementations of firewalls: single bastion hosts, screened host, and screened subnet (with DMZ).
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Firewall Architectures (2 of 5) • Single bastion hosts – Commonly referred to as sacrificial host, as it stands as sole defender on the network perimeter – Usually implemented as a dual-homed host, which contains two network interface cards (NICs): one that is connected to external network and one that is connected to internal network – Implementation of this architecture often makes use of network address translation (NAT), creating another barrier to intrusion from external attackers
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Firewall Architectures (3 of 5) • Screened host architecture – Combines packet-filtering router with a separate, dedicated firewall such as an application proxy server – Allows router to prescreen packets to minimize the traffic/load on internal proxy – Requires an external attack to compromise two separate systems before the attack can access internal data
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Firewall Architectures (4 of 5) • Screened subnet architecture (with DMZ) – Is the dominant architecture used today – Commonly consists of two or more internal firewalls behind packet-filtering router, with each protecting a trusted network:  Connections from outside or untrusted network are routed through external filtering router.  Connections from outside or untrusted network are routed into and out of routing firewall to separate the network segment known as DMZ.  Connections into trusted internal network are allowed only from DMZ bastion host servers.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Firewall Architectures (5 of 5) • Screened subnet performs two functions: – Protects DMZ systems and information from outside threats – Protects the internal networks by limiting how external connections can gain access to internal systems • Another facet of DMZs: creation of extranets
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Table 6-4 Reserved Nonroutable Address Ranges Classful Description Usable Addresses From To CIDR Mask Decimal Mask Class A or 24 Bit ̴̴ 16.5 million 10.0.0.0 10.255.255.255 /8 255.0.0.0 Class B or 20 Bit ̴̴ 1.05 million 172.16.0.0 172.31.255.255 /12 or /16 255.240.0.0 or 255.255.0.0 Class C or 16 Bit ̴̴ 65,500 192.168.0.0 192.168.255.255 /16 or /24 255.240.0.0 or 255.255.0.0 IPv6 Space ̴̴ 65,500 sets of 18.45 quintillion (18.45 X 1018) fc00:/7, where the first 7 digits are fixed (1111 1 10x), followed by a 10-digit organization ID, then 4 digits of subnet ID and 16 digits of host ID. ((F]]C or D] xx:xxxx:xxxx:yyy y:zzzz:zzzz:zzzz: zzzz). fc00:/7, where the first 7 digits are fixed (1111 1 10x), followed by a 10-digit organization ID, then 4 digits of subnet ID and 16 digits of host ID. ((F]]C or D] xx:xxxx:xxxx:yyy y:zzzz:zzzz:zzzz: zzzz). fc00:/7, where the first 7 digits are fixed (1111 1 10x), followed by a 10-digit organization ID, then 4 digits of subnet ID and 16 digits of host ID. ((F]]C or D] xx:xxxx:xxxx:yyy y:zzzz:zzzz:zzzz: zzzz). fc00:/7, where the first 7 digits are fixed (1111 1 10x), followed by a 10-digit organization ID, then 4 digits of subnet ID and 16 digits of host ID. ((F]]C or D] xx:xxxx:xxxx:yyy y:zzzz:zzzz:zzzz: zzzz). Note: that CIDR stands for classless inter- domain routing. Source: Internet Engineering Task Force, RFC 1466 (http://tools.ietf.orglhtmllrfc1466).18
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-16 Dual-homed bastion host firewall
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-17 Screened host architecture
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-18 Screened subnet (DMZ)
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-19 Example network configuration
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Selecting the Right Firewall (1 of 2) • When selecting the firewall, consider the following factors: – Which type of firewall technology offers the right balance between protection and cost for the needs of the organization? – What features are included in the base price? What features are available at extra cost? Are all cost factors known?
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Selecting the Right Firewall (2 of 2) – How easy is it to set up and configure the firewall? Does the organization have staff on hand that are trained to configure the firewall, or would the hiring of additional employees be required? – Can the firewall adapt to the growing network in the target organization? • Most important factor is provision of required protection • Second most important issue is cost
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Configuring and Managing Firewalls (1 of 4) • The organization must provide for the initial configuration and ongoing management of firewall(s) • Each firewall device must have its own set of configuration rules regulating its actions • Firewall policy configuration is usually complex and difficult • Configuring firewall policies is both an art and a science • When security rules conflict with the performance of business, security often loses
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Configuring and Managing Firewalls (2 of 4) • Best practices for firewalls – All traffic from the trusted network is allowed out. – Firewall device is never directly accessed from public network. – Simple Mail Transport Protocol (SMTP) data are allowed to pass through firewall. – Internet Control Message Protocol (ICMP) data are denied.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Configuring and Managing Firewalls (3 of 4) – Telnet access to internal servers should be blocked. – When Web services are offered outside the firewall, HTTP traffic should be blocked from reaching internal networks. – All data that are not verifiably authentic should be denied. • Firewall rules – Firewalls operate by examining data packets and performing comparison with predetermined logical rules.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Configuring and Managing Firewalls (4 of 4) – The logic is based on a set of guidelines most commonly referred to as firewall rules, rule base, or firewall logic. – Most firewalls use packet header information to determine whether a specific packet should be allowed or denied.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Table 6-5 Well – Known Port Numbers Port Number Protocol 7 Echo 20 File Transfer [Default Data] (FTP) 21 File Transfer [Control] (FTP) 23 Telnet 25 Simple Mail Transfer Protocol (SMTP) 53 Domain Name System (DNS) 80 Hypertext Transfer Protocol (HTTP) 110 Post Office Protocol version 3 (POP3) 161 Simple Network Management Protocol (SNMP)
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Table 6-16 External Filtering Firewall Inbound Interface Rule Set Rule # Source Address Source port Destination Address Destination Port Action 1 10.10.10.0 Any Any Any Deny 2 Any Any 10.10.10.1 Any Deny 3 Any Any 10.10.10.2 Any Deny 4 10.10.10.1 Any Any Any Deny 5 Any Any Any Any Deny 6 Any Any 10.10.10.0 >1023 Allow 7 Any Any 10.10.10.6 25 Allow 8 Any Any 10.10.10.0 7 Deny 9 Any Any 10.10.10.0 23 Deny 10 Any Any 10.10.10.4 80 Allow 11 Any Any Any Any Deny
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Table 6-16 External Filtering Firewall Outbound Interface Rule Set Rule # Source Address Source port Destination Address Destination Port Action 1 10.10.10.12 Any 10.10.10.0 Any Allow 2 Any Any 10.10.10.1 Any Deny 3 Any Any 10.10.10.2 Any Deny 4 10.10.10.1 Any Any Any Deny 5 10.10.10.2 Any Any Any Deny 6 10.10.10.0 Any Any Any Allow 7 Any Any Any Any Deny
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Content Filters • A software program or hardware/software appliance that allows administrators to restrict content that comes into or leaves a network • Essentially a set of scripts or programs restricting user access to certain networking protocols/Internet locations • Primary purpose to restrict internal access to external material • Most common content filters restrict users from accessing non-business Web sites or deny incoming spam
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Protecting Remote Connections • Installing Internetwork connections requires leased lines or other data channels; these connections are usually secured under the requirements of a formal service agreement. • When individuals seek to connect to an organization’s network, a more flexible option must be provided. • Options such as virtual private networks (VPNs) have become more popular due to the spread of Internet.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Remote Access (1 of 5) • Unsecured, dial-up connection points represent a substantial exposure to attack. • Attacker can use a device called a war dialer to locate the connection points. • War dialer: automatic phone-dialing program that dials every number in a configured range and records number if a modem picks up. • Some technologies (Kerberos; RADIUS systems; TACACS; CHAP password systems) have improved the authentication process.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Remote Access (2 of 5) • RADIUS, Diameter, and TACACS – Systems that authenticate user credentials for those trying to access an organization’s network via dial-up – Remote Authentication Dial-In User Service (RADIUS) centralizes responsibility for user authentication in a central RADIUS server – Diameter: emerging alternative derived from RADIUS – Terminal Access Controller Access Control System (TACACS) validates user’s credentials at centralized server (like RADIUS); based on client/server configuration
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Remote Access (3 of 5) • Kerberos – Provides secure third-party authentication – Uses symmetric key encryption to validate individual user to various network resources – Keeps database containing private keys of clients/servers – Consists of three interacting services:  Authentication server (AS)  Key Distribution Center (KDC)  Kerberos ticket granting service (TGS)
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Remote Access (4 of 5) • Kerberos – Provides secure third-party authentication – Uses symmetric key encryption to validate individual user to various network resources – Keeps database containing private keys of clients/servers – Consists of three interacting services:  Authentication server (AS)  Key Distribtion Center (KDC)  Kerberos ticket granting service (TGS)
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Remote Access (5 of 5) • SESAME – Secure European System for Applications in a Multivendor Environment (SESAME) is similar to Kerberos  User is first authenticated to authentication server and receives token  Token is then presented to a privilege attribute server as proof of identity to gain a privilege attribute certificate  Uses public key encryption, adds sophisticated access control features, more scalable encryption systems, improved manageability, auditing features, and options for delegation of responsibility for allowing access
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-20 RADIUS configuration 1. Remote worker dials NAS and submits username and password 2. NAS passes username and password to RADIUS server 3. RADIUS server approves or rejects request and provides access authorization 4. NAS provides access to authorized remote worker
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-21 Kerberos login (1 of 2)
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-21 Kerberos login (2 of 2) 1. User logs into client machine (c) 2. Client machine encrypts password to create client key (Kc) 3. Client machine sends clear request to Kerberos Authentication Server (AS) 4. Kerberos AS returns ticket consisting of: – Client/TGS session key for future communications between client and TGS [Kc,TGS], encrypted with the client's key – Ticket granting ticket (TGT). The TGT contains the client name, client address, ticket valid times, and the client/TGS session key, all encrypted in the TGS' private key
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-22 Kerberos request for services
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Virtual Private Networks (VPNs) (1 of 4) • Private and secure network connection between systems; uses data communication capability of unsecured and public network • Securely extends organization’s internal network connections to remote locations • Three VPN technologies defined: – Trusted VPN – Secure VPN – Hybrid VPN (combines trusted and secure)
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Virtual Private Networks (VPNs) (2 of 4) • VPN must accomplish: – Encapsulation of incoming and outgoing data – Encryption of incoming and outgoing data – Authentication of remote computer and perhaps remote user as well • In most common implementation, it allows the user to turn Internet into a private network
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Virtual Private Networks (VPNs) (3 of 4) • Transport mode – Data within IP packet are encrypted, but header information is not – Allows user to establish secure link directly with remote host, encrypting only data contents of packet – Two popular uses:  End-to-end transport of encrypted data  Remote access worker connects to an office network over Internet by connecting to a VPN server on the perimeter
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Virtual Private Networks (VPNs) (4 of 4) • Tunnel mode – Establishes two perimeter tunnel servers to encrypt all traffic that will traverse an unsecured network – Entire client package encrypted and added as data portion of packet from one tunneling server to another – Primary benefit to this model is that an intercepted packet reveals nothing about the true destination system – Example of tunnel mode VPN: Microsoft’s Internet Security and Acceleration (ISA) Server
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-23 Transport mode VPN
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-24 Tunnel mode VPN
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Summary (1 of 2) • Access control is a process by which systems determine if and how to admit a user into a trusted area of the organization. • All access control approaches rely on identification, authentication, authorization, and accountability. • A firewall is any device that prevents a specific type of information from moving between the outside network, known as the untrusted network, and the inside network, known as the trusted network. • Firewalls can be categorized into four groups: packet filtering, MAC layers, application gateways, and hybrid firewalls.
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Summary (2 of 2) • Packet-filtering firewalls can be implemented as static filtering, dynamic filtering, and stateful inspection firewalls. • The three common architectural implementations of firewalls are single bastion hosts, screened hosts, and screened subnets. • Dial-up protection mechanisms help secure organizations that use modems for remote connectivity. • VPNs enable remote offices and users to connect to private networks securely over public networks.

Recommended

Whitman_Ch05.pptx
Whitman_Ch05.pptxWhitman_Ch05.pptx
Whitman_Ch05.pptxSiphamandla9
 
Whitman_Ch02.pptx
Whitman_Ch02.pptxWhitman_Ch02.pptx
Whitman_Ch02.pptxSiphamandla9
 
Chapter 1 Introduction to Security
Chapter 1 Introduction to SecurityChapter 1 Introduction to Security
Chapter 1 Introduction to SecurityDr. Ahmed Al Zaidy
 
Whitman_Ch03.pptx
Whitman_Ch03.pptxWhitman_Ch03.pptx
Whitman_Ch03.pptxSiphamandla9
 
Chapter 6 Presentation
Chapter 6 PresentationChapter 6 Presentation
Chapter 6 PresentationAmy McMullin
 
Chapter2 the need to security
Chapter2 the need to securityChapter2 the need to security
Chapter2 the need to securityDhani Ahmad
 
Chapter 10 Mobile and Embedded Device Security
Chapter 10 Mobile and Embedded Device Security Chapter 10 Mobile and Embedded Device Security
Chapter 10 Mobile and Embedded Device Security Dr. Ahmed Al Zaidy
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standardsprimeteacher32
 

Recommended

Whitman_Ch05.pptx
Whitman_Ch05.pptxWhitman_Ch05.pptx
Whitman_Ch05.pptxSiphamandla9
 
Whitman_Ch02.pptx
Whitman_Ch02.pptxWhitman_Ch02.pptx
Whitman_Ch02.pptxSiphamandla9
 
Chapter 1 Introduction to Security
Chapter 1 Introduction to SecurityChapter 1 Introduction to Security
Chapter 1 Introduction to SecurityDr. Ahmed Al Zaidy
 
Whitman_Ch03.pptx
Whitman_Ch03.pptxWhitman_Ch03.pptx
Whitman_Ch03.pptxSiphamandla9
 
Chapter 6 Presentation
Chapter 6 PresentationChapter 6 Presentation
Chapter 6 PresentationAmy McMullin
 
Chapter2 the need to security
Chapter2 the need to securityChapter2 the need to security
Chapter2 the need to securityDhani Ahmad
 
Chapter 10 Mobile and Embedded Device Security
Chapter 10 Mobile and Embedded Device Security Chapter 10 Mobile and Embedded Device Security
Chapter 10 Mobile and Embedded Device Security Dr. Ahmed Al Zaidy
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standardsprimeteacher32
 
Chapter 2 Presentation
Chapter 2 PresentationChapter 2 Presentation
Chapter 2 PresentationAmy McMullin
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to CybersecurityKrutarth Vasavada
 
Access_Control_Systems_and_methodology
Access_Control_Systems_and_methodologyAccess_Control_Systems_and_methodology
Access_Control_Systems_and_methodologyArti Ambokar
 
Introduction to Information Security
Introduction to Information SecurityIntroduction to Information Security
Introduction to Information SecurityDr. Loganathan R
 
Chapter 9 Client and application Security
Chapter 9 Client and application SecurityChapter 9 Client and application Security
Chapter 9 Client and application SecurityDr. Ahmed Al Zaidy
 
The need for security
The need for securityThe need for security
The need for securityDhani Ahmad
 
Pranavi verma-cyber-security-ppt
Pranavi verma-cyber-security-pptPranavi verma-cyber-security-ppt
Pranavi verma-cyber-security-pptPranaviVerma
 
Information security
Information securityInformation security
Information securityLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
Information security and Attacks
Information security and AttacksInformation security and Attacks
Information security and AttacksSachin Darekar
 
Chapter 1 Presentation
Chapter 1 PresentationChapter 1 Presentation
Chapter 1 PresentationAmy McMullin
 
Information Assurance And Security - Chapter 2 - Lesson 3
Information Assurance And Security - Chapter 2 - Lesson 3Information Assurance And Security - Chapter 2 - Lesson 3
Information Assurance And Security - Chapter 2 - Lesson 3MLG College of Learning, Inc
 
Whitman_Ch04.pptx
Whitman_Ch04.pptxWhitman_Ch04.pptx
Whitman_Ch04.pptxSiphamandla9
 
Security tools
Security toolsSecurity tools
Security toolsarfan shahzad
 
Chapter 7 Presentation
Chapter 7 PresentationChapter 7 Presentation
Chapter 7 PresentationAmy McMullin
 
Information security
Information securityInformation security
Information securityavinashbalakrishnan2
 
Data Privacy & Security
Data Privacy & SecurityData Privacy & Security
Data Privacy & SecurityEryk Budi Pratama
 
Legal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information SecurityLegal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information SecurityGamentortc
 
Chapter 12 Access Management
Chapter 12 Access ManagementChapter 12 Access Management
Chapter 12 Access ManagementDr. Ahmed Al Zaidy
 
Chapter 5 Presentation
Chapter 5 PresentationChapter 5 Presentation
Chapter 5 PresentationAmy McMullin
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control PresentationWajahat Rajab
 
Chapter 15 Risk Mitigation
Chapter 15 Risk MitigationChapter 15 Risk Mitigation
Chapter 15 Risk MitigationDr. Ahmed Al Zaidy
 
Whitman_Ch12.pptx
Whitman_Ch12.pptxWhitman_Ch12.pptx
Whitman_Ch12.pptxSiphamandla9
 

More Related Content

What's hot

Chapter 2 Presentation
Chapter 2 PresentationChapter 2 Presentation
Chapter 2 PresentationAmy McMullin
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to CybersecurityKrutarth Vasavada
 
Access_Control_Systems_and_methodology
Access_Control_Systems_and_methodologyAccess_Control_Systems_and_methodology
Access_Control_Systems_and_methodologyArti Ambokar
 
Introduction to Information Security
Introduction to Information SecurityIntroduction to Information Security
Introduction to Information SecurityDr. Loganathan R
 
Chapter 9 Client and application Security
Chapter 9 Client and application SecurityChapter 9 Client and application Security
Chapter 9 Client and application SecurityDr. Ahmed Al Zaidy
 
The need for security
The need for securityThe need for security
The need for securityDhani Ahmad
 
Pranavi verma-cyber-security-ppt
Pranavi verma-cyber-security-pptPranavi verma-cyber-security-ppt
Pranavi verma-cyber-security-pptPranaviVerma
 
Information security and Attacks
Information security and AttacksInformation security and Attacks
Information security and AttacksSachin Darekar
 
Chapter 1 Presentation
Chapter 1 PresentationChapter 1 Presentation
Chapter 1 PresentationAmy McMullin
 
Information Assurance And Security - Chapter 2 - Lesson 3
Information Assurance And Security - Chapter 2 - Lesson 3Information Assurance And Security - Chapter 2 - Lesson 3
Information Assurance And Security - Chapter 2 - Lesson 3MLG College of Learning, Inc
 
Chapter 7 Presentation
Chapter 7 PresentationChapter 7 Presentation
Chapter 7 PresentationAmy McMullin
 
Legal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information SecurityLegal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information SecurityGamentortc
 
Chapter 5 Presentation
Chapter 5 PresentationChapter 5 Presentation
Chapter 5 PresentationAmy McMullin
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control PresentationWajahat Rajab
 

What's hot (20)

Chapter 2 Presentation
Chapter 2 PresentationChapter 2 Presentation
Chapter 2 Presentation
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
 
Access_Control_Systems_and_methodology
Access_Control_Systems_and_methodologyAccess_Control_Systems_and_methodology
Access_Control_Systems_and_methodology
 
Introduction to Information Security
Introduction to Information SecurityIntroduction to Information Security
Introduction to Information Security
 
Chapter 9 Client and application Security
Chapter 9 Client and application SecurityChapter 9 Client and application Security
Chapter 9 Client and application Security
 
The need for security
The need for securityThe need for security
The need for security
 
Pranavi verma-cyber-security-ppt
Pranavi verma-cyber-security-pptPranavi verma-cyber-security-ppt
Pranavi verma-cyber-security-ppt
 
Information security
Information securityInformation security
Information security
 
Information security and Attacks
Information security and AttacksInformation security and Attacks
Information security and Attacks
 
Chapter 1 Presentation
Chapter 1 PresentationChapter 1 Presentation
Chapter 1 Presentation
 
Information Assurance And Security - Chapter 2 - Lesson 3
Information Assurance And Security - Chapter 2 - Lesson 3Information Assurance And Security - Chapter 2 - Lesson 3
Information Assurance And Security - Chapter 2 - Lesson 3
 
Whitman_Ch04.pptx
Whitman_Ch04.pptxWhitman_Ch04.pptx
Whitman_Ch04.pptx
 
Security tools
Security toolsSecurity tools
Security tools
 
Chapter 7 Presentation
Chapter 7 PresentationChapter 7 Presentation
Chapter 7 Presentation
 
Information security
Information securityInformation security
Information security
 
Data Privacy & Security
Data Privacy & SecurityData Privacy & Security
Data Privacy & Security
 
Legal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information SecurityLegal, Ethical and professional issues in Information Security
Legal, Ethical and professional issues in Information Security
 
Chapter 12 Access Management
Chapter 12 Access ManagementChapter 12 Access Management
Chapter 12 Access Management
 
Chapter 5 Presentation
Chapter 5 PresentationChapter 5 Presentation
Chapter 5 Presentation
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control Presentation
 

Similar to Whitman_Ch06.pptx

Chapter 4 Advanced Cryptography and P K I
Chapter 4 Advanced Cryptography and P K IChapter 4 Advanced Cryptography and P K I
Chapter 4 Advanced Cryptography and P K IDr. Ahmed Al Zaidy
 
Chapter 13 Vulnerability Assessment and Data Security
Chapter 13 Vulnerability Assessment and Data SecurityChapter 13 Vulnerability Assessment and Data Security
Chapter 13 Vulnerability Assessment and Data SecurityDr. Ahmed Al Zaidy
 
Chapter 11 Authentication and Account Management
Chapter 11 Authentication and Account ManagementChapter 11 Authentication and Account Management
Chapter 11 Authentication and Account ManagementDr. Ahmed Al Zaidy
 
Chapter 6Network Security Devices, Design, and Technology
Chapter 6Network Security Devices, Design, and TechnologyChapter 6Network Security Devices, Design, and Technology
Chapter 6Network Security Devices, Design, and TechnologyDr. Ahmed Al Zaidy
 
Chapter 14 Business Continuity
Chapter 14 Business ContinuityChapter 14 Business Continuity
Chapter 14 Business ContinuityDr. Ahmed Al Zaidy
 
ITT450 Chapter 1.pptx
ITT450 Chapter 1.pptxITT450 Chapter 1.pptx
ITT450 Chapter 1.pptxAliffDarfriz
 
Digital Forensics_Lecture.pptx
Digital Forensics_Lecture.pptxDigital Forensics_Lecture.pptx
Digital Forensics_Lecture.pptxkhalifaAlMarzooqi3
 
Accounting Information System ch 01 ppt1
Accounting Information System ch 01 ppt1Accounting Information System ch 01 ppt1
Accounting Information System ch 01 ppt1Eloise Mae Hersane
 
Lecture 8- information technology slides
Lecture 8- information technology slidesLecture 8- information technology slides
Lecture 8- information technology slidesAiman Niazi
 
What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?ONE BCG
 

Similar to Whitman_Ch06.pptx (20)

Chapter 15 Risk Mitigation
Chapter 15 Risk MitigationChapter 15 Risk Mitigation
Chapter 15 Risk Mitigation
 
Whitman_Ch12.pptx
Whitman_Ch12.pptxWhitman_Ch12.pptx
Whitman_Ch12.pptx
 
Chapter 4 Advanced Cryptography and P K I
Chapter 4 Advanced Cryptography and P K IChapter 4 Advanced Cryptography and P K I
Chapter 4 Advanced Cryptography and P K I
 
Chapter 13 Vulnerability Assessment and Data Security
Chapter 13 Vulnerability Assessment and Data SecurityChapter 13 Vulnerability Assessment and Data Security
Chapter 13 Vulnerability Assessment and Data Security
 
Whitman_Ch11.pptx
Whitman_Ch11.pptxWhitman_Ch11.pptx
Whitman_Ch11.pptx
 
Chapter 11 Authentication and Account Management
Chapter 11 Authentication and Account ManagementChapter 11 Authentication and Account Management
Chapter 11 Authentication and Account Management
 
Chapter 6Network Security Devices, Design, and Technology
Chapter 6Network Security Devices, Design, and TechnologyChapter 6Network Security Devices, Design, and Technology
Chapter 6Network Security Devices, Design, and Technology
 
Chapter 14 Business Continuity
Chapter 14 Business ContinuityChapter 14 Business Continuity
Chapter 14 Business Continuity
 
Python Fundamentals
Python FundamentalsPython Fundamentals
Python Fundamentals
 
ITT450 Chapter 1.pptx
ITT450 Chapter 1.pptxITT450 Chapter 1.pptx
ITT450 Chapter 1.pptx
 
Chapter 3 Basic Cryptography
Chapter 3 Basic CryptographyChapter 3 Basic Cryptography
Chapter 3 Basic Cryptography
 
Digital Forensics_Lecture.pptx
Digital Forensics_Lecture.pptxDigital Forensics_Lecture.pptx
Digital Forensics_Lecture.pptx
 
Pp 16-new
Pp 16-newPp 16-new
Pp 16-new
 
ITEC 1010
ITEC 1010ITEC 1010
ITEC 1010
 
Accounting Information System ch 01 ppt1
Accounting Information System ch 01 ppt1Accounting Information System ch 01 ppt1
Accounting Information System ch 01 ppt1
 
Lecture 5.pptx
Lecture 5.pptxLecture 5.pptx
Lecture 5.pptx
 
Lecture 8- information technology slides
Lecture 8- information technology slidesLecture 8- information technology slides
Lecture 8- information technology slides
 
Whitman_Ch10.pptx
Whitman_Ch10.pptxWhitman_Ch10.pptx
Whitman_Ch10.pptx
 
What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 

Recently uploaded

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Recently uploaded (20)

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Whitman_Ch06.pptx

  • 1. Principles of Information Security Sixth Edition Chapter 6 Security Technology: Access Controls, Firewalls and VPNs Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
  • 2. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Learning Objectives (1 of 2) • Upon completion of this material, you should be able to: – Discuss the role of access control in information systems, and identify and discuss the four fundamental functions of access control systems – Define authentication and explain the three commonly used authentication factors – Describe firewall technologies and the various categories of firewalls
  • 3. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Learning Objectives (2 of 2) – Discuss the various approaches to firewall implementation – Identify the various approaches to control remote and dial-up access by authenticating and authorizing users – Describe virtual private networks (VPNs) and discuss the technology that enables them
  • 4. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Introduction • Technical controls are essential in enforcing policy for many IT functions that are not under direct human control. • Technical control solutions, when properly implemented, improve an organization’s ability to balance the objectives of making information readily available and preserving the information’s confidentiality and integrity.
  • 5. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Access Control (1 of 2) • Access control: A selective method by which systems specify who may use a particular resource and how they may use it. • Mandatory access controls (MACs): A required, structured data classification scheme that rates each collection of information as well as each user. • Discretionary access controls (DACs): Access controls that are implemented at the discretion or option of the data user. • Nondiscretionary controls: Access controls that are implemented by a central authority.
  • 6. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Access Controls (2 of 2) • In general, all access control approaches rely on the following four mechanisms, which represent the four fundamental functions of access control systems: – Identification: I am a user of the system. – Authentication: I can prove I’m a user of the system. – Authorization: Here’s what I can do with the system. – Accountability: You can track and monitor my use of the system.
  • 7. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-1 Access control approaches
  • 8. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Identification • Identification: The access control mechanism that requires the validation and verification of an unauthenticated entity’s purported identity. • Identifiers can be composite identifiers, concatenating elements—department codes, random numbers, or special characters—to make them unique. • Most organizations use a single piece of unique information, such as a complete name or the user’s first initial and surname.
  • 9. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Authentication (1 of 2) • Authentication: The access control mechanism that requires the validation and verification of an unauthenticated entity’s purported identity. • Authentication factors – Something you know  Password: a private word or a combination of characters that only the user should know  Passphrase: a series of characters, typically longer than a password, from which a virtual password is derived
  • 10. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Authentication (2 of 2) – Something you have  Dumb card: ID or ATM card with magnetic stripe  Smart card: contains a computer chip that can verify and validate information  Synchronous tokens  Asynchronous tokens – Something you are  Relies upon individual characteristics  Strong authentication
  • 11. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Authorization • Authorization: The access control mechanism that represents the matching of an authenticated entity to a list of information assets and corresponding access levels. • Authorization can be handled in one of three ways: – Authorization for each authenticated user – Authorization for members of a group – Authorization across multiple systems • Authorization credentials, also called authorization tickets, are issued by an authenticator and are honored by many or all systems within the authentication domain.
  • 12. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Accountability • Accountability: The access control mechanism that ensures all actions on a system—authorized or unauthorized—can be attributed to an authenticated identity. Also known as auditability. • Accountability is most often accomplished by means of system logs and database journals, and the auditing of these records. • Systems logs record specific information. • Logs have many uses.
  • 13. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Biometrics • Approach based on the use of measurable human characteristics/traits to authenticate identity. • Only fingerprints, retina of eye, and iris of eye and DNA are considered truly unique. • Evaluated on false reject rate, false accept rate, and crossover error rate. • Highly reliable/effective biometric systems are often considered intrusive by users.
  • 14. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-5 Biometric recognition characteristics
  • 15. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Table 6-1 Ranking of Biometric Effectiveness and Acceptance (1 of 2) Biometrics University Uniqueness Permanence Collectabilit y Performanc e Acceptabilit y Circumvention Face H L M H L H L Fadal Thermogra m H H L H M H H Fingerprint M H H M H M H Hand Geometry M M M H M M M Hand Vein M M M M M M H Eye: Iris H H H M H H H
  • 16. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Table 6-1 Ranking of Biometric Effectiveness and Acceptance (2 of 2) Note: In the table, H = High, M = Medium, and L = Low. From multiple sources. Biometrics Universit y Uniquenes s Permanenc e Collectabilit y Performanc e Acceptabilit y Circumventio n Eye: Retina H H M L H L H DNA H H H L H L L Odor and Scent H H H L L M L Voice M L L M L H L Signature L L L H L H L Keystroke L L L M L M M Gait M L L H L H M
  • 17. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Access Control Architecture Models (1 of 3) • Illustrate access control implementations and can help organizations quickly make improvements through adaptation. • Trusted computing base (TCB) – Part of TCSEC Rainbow Series – Used to enforce security policy (rules of system configuration) – Biggest challenges include covert channels  Storage channels  Timing channels
  • 18. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Access Control Architecture Models (2 of 3) • ITSEC: An international set of criteria for evaluating computer systems – Compares Targets of Evaluation (ToE) to detailed security function specifications • The common criteria – Considered successor to both TCSEC and ITSEC • Bell-LaPadula confidentiality model – State machine reference model – Uses “no read up, no write down” principle
  • 19. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Access Control Architecture Models (3 of 3) • Biba integrity model – Designed to prevent corruption of higher integrity entities – Based on “no write up, no read down” principle • Clark-Wilson integrity model – No changes by unauthorized subjects – No unauthorized changes by authorized subjects – Maintenance of internal and external consistency • Graham-Denning access control model – Composed of set of objects, set of subjects, and set of rights
  • 20. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Firewalls • In information security, a combination of hardware and software that filters or prevents specific information from moving between the outside (untrusted) network and the inside (trusted) network. • May be: – Separate computer system – Software service running on existing router or server – Separate network containing supporting devices
  • 21. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Firewalls Processing Modes • Processing modes by which firewalls can be categorized: – Packet filtering – Application layer proxy – MAC layer firewalls – Hybrids
  • 22. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Packet-Filtering Firewalls (1 of 2) • Packet-filtering firewalls examine the header information of data packets. • Most often based on the combination of: – IP source and destination address – Direction (inbound or outbound) – Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests • Simple firewall models enforce rules designed to prohibit packets with certain addresses or partial addresses from passing through the device.
  • 23. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Packet-Filtering Firewalls (2 of 2) • Three subsets of packet-filtering firewalls: – Static filtering requires that filtering rules be developed and installed within the firewall – Dynamic filtering allows firewall to react to an emergent event and update or create rules to deal with that event – Stateful packet inspection (SPI) firewalls keep track of each network connection between internal and external systems using a state table
  • 24. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-7 IP packet structure
  • 25. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-8 TCP packet structure
  • 26. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-9 UDP datagram structure
  • 27. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-10 Packet-filtering router
  • 28. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Table 6- 2 Sample Firewall Rule and Format Source Address Destination Address Service (e.g. HTTP, SMTP, FTP) Action (Allow or Deny) 172.16x.x 10.10.x.x Any Deny 192.168.x.x 10.10.10.25 HTTP Allow 192.168.0.1 10.10.10.10 FTP Allow
  • 29. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Table 6-3 State Table Entries Source Address Source Port Destination Address Destination Port Time Remaining (in seconds) Total Time (in seconds) Protocol 192.168.2.5 1028 10.10.10.7 80 2,275 3,600 TCP
  • 30. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Application Layer Proxy Firewall (1 of 3) • A device capable of functioning both as a firewall and an application layer proxy server. • Since proxy servers are often placed in unsecured area of the network (e.g., DMZ), they are exposed to higher levels of risk from less trusted networks. • Additional filtering routers can be implemented behind the proxy firewall, further protecting internal systems.
  • 31. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Firewall Processing Modes (2 of 3) • MAC layer firewalls – Designed to operate at media access control sublayer of network’s data link layer – Make filtering decisions based on specific host computer’s identity – MAC addresses of specific host computers are linked to access control list (ACL) entries that identify specific types of packets that can be sent to each host; all other traffic is blocked
  • 32. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Firewall Processing Modes (3 of 3) • Hybrid firewalls – Combine elements of other types of firewalls, that is, elements of packet filtering and proxy services, or of packet filtering and circuit gateways – Alternately, may consist of two separate firewall devices; each a separate firewall system, but connected to work in tandem – Enables an organization to make security improvement without completely replacing existing firewalls – Include the Next Generation Firewall (NGFW) and Unified Threat Management (UTM) devices
  • 33. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-11 Firewall types and protocol models
  • 34. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Firewall Architectures (1 of 5) • Firewall devices can be configured in several network connection architectures. • Best configuration depends on three factors: – Objectives of the network – Organization’s ability to develop and implement architectures – Budget available for function • Three common architectural implementations of firewalls: single bastion hosts, screened host, and screened subnet (with DMZ).
  • 35. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Firewall Architectures (2 of 5) • Single bastion hosts – Commonly referred to as sacrificial host, as it stands as sole defender on the network perimeter – Usually implemented as a dual-homed host, which contains two network interface cards (NICs): one that is connected to external network and one that is connected to internal network – Implementation of this architecture often makes use of network address translation (NAT), creating another barrier to intrusion from external attackers
  • 36. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Firewall Architectures (3 of 5) • Screened host architecture – Combines packet-filtering router with a separate, dedicated firewall such as an application proxy server – Allows router to prescreen packets to minimize the traffic/load on internal proxy – Requires an external attack to compromise two separate systems before the attack can access internal data
  • 37. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Firewall Architectures (4 of 5) • Screened subnet architecture (with DMZ) – Is the dominant architecture used today – Commonly consists of two or more internal firewalls behind packet-filtering router, with each protecting a trusted network:  Connections from outside or untrusted network are routed through external filtering router.  Connections from outside or untrusted network are routed into and out of routing firewall to separate the network segment known as DMZ.  Connections into trusted internal network are allowed only from DMZ bastion host servers.
  • 38. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Firewall Architectures (5 of 5) • Screened subnet performs two functions: – Protects DMZ systems and information from outside threats – Protects the internal networks by limiting how external connections can gain access to internal systems • Another facet of DMZs: creation of extranets
  • 39. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Table 6-4 Reserved Nonroutable Address Ranges Classful Description Usable Addresses From To CIDR Mask Decimal Mask Class A or 24 Bit ̴̴ 16.5 million 10.0.0.0 10.255.255.255 /8 255.0.0.0 Class B or 20 Bit ̴̴ 1.05 million 172.16.0.0 172.31.255.255 /12 or /16 255.240.0.0 or 255.255.0.0 Class C or 16 Bit ̴̴ 65,500 192.168.0.0 192.168.255.255 /16 or /24 255.240.0.0 or 255.255.0.0 IPv6 Space ̴̴ 65,500 sets of 18.45 quintillion (18.45 X 1018) fc00:/7, where the first 7 digits are fixed (1111 1 10x), followed by a 10-digit organization ID, then 4 digits of subnet ID and 16 digits of host ID. ((F]]C or D] xx:xxxx:xxxx:yyy y:zzzz:zzzz:zzzz: zzzz). fc00:/7, where the first 7 digits are fixed (1111 1 10x), followed by a 10-digit organization ID, then 4 digits of subnet ID and 16 digits of host ID. ((F]]C or D] xx:xxxx:xxxx:yyy y:zzzz:zzzz:zzzz: zzzz). fc00:/7, where the first 7 digits are fixed (1111 1 10x), followed by a 10-digit organization ID, then 4 digits of subnet ID and 16 digits of host ID. ((F]]C or D] xx:xxxx:xxxx:yyy y:zzzz:zzzz:zzzz: zzzz). fc00:/7, where the first 7 digits are fixed (1111 1 10x), followed by a 10-digit organization ID, then 4 digits of subnet ID and 16 digits of host ID. ((F]]C or D] xx:xxxx:xxxx:yyy y:zzzz:zzzz:zzzz: zzzz). Note: that CIDR stands for classless inter- domain routing. Source: Internet Engineering Task Force, RFC 1466 (http://tools.ietf.orglhtmllrfc1466).18
  • 40. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-16 Dual-homed bastion host firewall
  • 41. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-17 Screened host architecture
  • 42. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-18 Screened subnet (DMZ)
  • 43. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-19 Example network configuration
  • 44. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Selecting the Right Firewall (1 of 2) • When selecting the firewall, consider the following factors: – Which type of firewall technology offers the right balance between protection and cost for the needs of the organization? – What features are included in the base price? What features are available at extra cost? Are all cost factors known?
  • 45. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Selecting the Right Firewall (2 of 2) – How easy is it to set up and configure the firewall? Does the organization have staff on hand that are trained to configure the firewall, or would the hiring of additional employees be required? – Can the firewall adapt to the growing network in the target organization? • Most important factor is provision of required protection • Second most important issue is cost
  • 46. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Configuring and Managing Firewalls (1 of 4) • The organization must provide for the initial configuration and ongoing management of firewall(s) • Each firewall device must have its own set of configuration rules regulating its actions • Firewall policy configuration is usually complex and difficult • Configuring firewall policies is both an art and a science • When security rules conflict with the performance of business, security often loses
  • 47. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Configuring and Managing Firewalls (2 of 4) • Best practices for firewalls – All traffic from the trusted network is allowed out. – Firewall device is never directly accessed from public network. – Simple Mail Transport Protocol (SMTP) data are allowed to pass through firewall. – Internet Control Message Protocol (ICMP) data are denied.
  • 48. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Configuring and Managing Firewalls (3 of 4) – Telnet access to internal servers should be blocked. – When Web services are offered outside the firewall, HTTP traffic should be blocked from reaching internal networks. – All data that are not verifiably authentic should be denied. • Firewall rules – Firewalls operate by examining data packets and performing comparison with predetermined logical rules.
  • 49. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Configuring and Managing Firewalls (4 of 4) – The logic is based on a set of guidelines most commonly referred to as firewall rules, rule base, or firewall logic. – Most firewalls use packet header information to determine whether a specific packet should be allowed or denied.
  • 50. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Table 6-5 Well – Known Port Numbers Port Number Protocol 7 Echo 20 File Transfer [Default Data] (FTP) 21 File Transfer [Control] (FTP) 23 Telnet 25 Simple Mail Transfer Protocol (SMTP) 53 Domain Name System (DNS) 80 Hypertext Transfer Protocol (HTTP) 110 Post Office Protocol version 3 (POP3) 161 Simple Network Management Protocol (SNMP)
  • 51. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Table 6-16 External Filtering Firewall Inbound Interface Rule Set Rule # Source Address Source port Destination Address Destination Port Action 1 10.10.10.0 Any Any Any Deny 2 Any Any 10.10.10.1 Any Deny 3 Any Any 10.10.10.2 Any Deny 4 10.10.10.1 Any Any Any Deny 5 Any Any Any Any Deny 6 Any Any 10.10.10.0 >1023 Allow 7 Any Any 10.10.10.6 25 Allow 8 Any Any 10.10.10.0 7 Deny 9 Any Any 10.10.10.0 23 Deny 10 Any Any 10.10.10.4 80 Allow 11 Any Any Any Any Deny
  • 52. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Table 6-16 External Filtering Firewall Outbound Interface Rule Set Rule # Source Address Source port Destination Address Destination Port Action 1 10.10.10.12 Any 10.10.10.0 Any Allow 2 Any Any 10.10.10.1 Any Deny 3 Any Any 10.10.10.2 Any Deny 4 10.10.10.1 Any Any Any Deny 5 10.10.10.2 Any Any Any Deny 6 10.10.10.0 Any Any Any Allow 7 Any Any Any Any Deny
  • 53. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Content Filters • A software program or hardware/software appliance that allows administrators to restrict content that comes into or leaves a network • Essentially a set of scripts or programs restricting user access to certain networking protocols/Internet locations • Primary purpose to restrict internal access to external material • Most common content filters restrict users from accessing non-business Web sites or deny incoming spam
  • 54. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Protecting Remote Connections • Installing Internetwork connections requires leased lines or other data channels; these connections are usually secured under the requirements of a formal service agreement. • When individuals seek to connect to an organization’s network, a more flexible option must be provided. • Options such as virtual private networks (VPNs) have become more popular due to the spread of Internet.
  • 55. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Remote Access (1 of 5) • Unsecured, dial-up connection points represent a substantial exposure to attack. • Attacker can use a device called a war dialer to locate the connection points. • War dialer: automatic phone-dialing program that dials every number in a configured range and records number if a modem picks up. • Some technologies (Kerberos; RADIUS systems; TACACS; CHAP password systems) have improved the authentication process.
  • 56. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Remote Access (2 of 5) • RADIUS, Diameter, and TACACS – Systems that authenticate user credentials for those trying to access an organization’s network via dial-up – Remote Authentication Dial-In User Service (RADIUS) centralizes responsibility for user authentication in a central RADIUS server – Diameter: emerging alternative derived from RADIUS – Terminal Access Controller Access Control System (TACACS) validates user’s credentials at centralized server (like RADIUS); based on client/server configuration
  • 57. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Remote Access (3 of 5) • Kerberos – Provides secure third-party authentication – Uses symmetric key encryption to validate individual user to various network resources – Keeps database containing private keys of clients/servers – Consists of three interacting services:  Authentication server (AS)  Key Distribution Center (KDC)  Kerberos ticket granting service (TGS)
  • 58. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Remote Access (4 of 5) • Kerberos – Provides secure third-party authentication – Uses symmetric key encryption to validate individual user to various network resources – Keeps database containing private keys of clients/servers – Consists of three interacting services:  Authentication server (AS)  Key Distribtion Center (KDC)  Kerberos ticket granting service (TGS)
  • 59. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Remote Access (5 of 5) • SESAME – Secure European System for Applications in a Multivendor Environment (SESAME) is similar to Kerberos  User is first authenticated to authentication server and receives token  Token is then presented to a privilege attribute server as proof of identity to gain a privilege attribute certificate  Uses public key encryption, adds sophisticated access control features, more scalable encryption systems, improved manageability, auditing features, and options for delegation of responsibility for allowing access
  • 60. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-20 RADIUS configuration 1. Remote worker dials NAS and submits username and password 2. NAS passes username and password to RADIUS server 3. RADIUS server approves or rejects request and provides access authorization 4. NAS provides access to authorized remote worker
  • 61. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-21 Kerberos login (1 of 2)
  • 62. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-21 Kerberos login (2 of 2) 1. User logs into client machine (c) 2. Client machine encrypts password to create client key (Kc) 3. Client machine sends clear request to Kerberos Authentication Server (AS) 4. Kerberos AS returns ticket consisting of: – Client/TGS session key for future communications between client and TGS [Kc,TGS], encrypted with the client's key – Ticket granting ticket (TGT). The TGT contains the client name, client address, ticket valid times, and the client/TGS session key, all encrypted in the TGS' private key
  • 63. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-22 Kerberos request for services
  • 64. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Virtual Private Networks (VPNs) (1 of 4) • Private and secure network connection between systems; uses data communication capability of unsecured and public network • Securely extends organization’s internal network connections to remote locations • Three VPN technologies defined: – Trusted VPN – Secure VPN – Hybrid VPN (combines trusted and secure)
  • 65. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Virtual Private Networks (VPNs) (2 of 4) • VPN must accomplish: – Encapsulation of incoming and outgoing data – Encryption of incoming and outgoing data – Authentication of remote computer and perhaps remote user as well • In most common implementation, it allows the user to turn Internet into a private network
  • 66. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Virtual Private Networks (VPNs) (3 of 4) • Transport mode – Data within IP packet are encrypted, but header information is not – Allows user to establish secure link directly with remote host, encrypting only data contents of packet – Two popular uses:  End-to-end transport of encrypted data  Remote access worker connects to an office network over Internet by connecting to a VPN server on the perimeter
  • 67. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Virtual Private Networks (VPNs) (4 of 4) • Tunnel mode – Establishes two perimeter tunnel servers to encrypt all traffic that will traverse an unsecured network – Entire client package encrypted and added as data portion of packet from one tunneling server to another – Primary benefit to this model is that an intercepted packet reveals nothing about the true destination system – Example of tunnel mode VPN: Microsoft’s Internet Security and Acceleration (ISA) Server
  • 68. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-23 Transport mode VPN
  • 69. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Figure 6-24 Tunnel mode VPN
  • 70. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Summary (1 of 2) • Access control is a process by which systems determine if and how to admit a user into a trusted area of the organization. • All access control approaches rely on identification, authentication, authorization, and accountability. • A firewall is any device that prevents a specific type of information from moving between the outside network, known as the untrusted network, and the inside network, known as the trusted network. • Firewalls can be categorized into four groups: packet filtering, MAC layers, application gateways, and hybrid firewalls.
  • 71. Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Summary (2 of 2) • Packet-filtering firewalls can be implemented as static filtering, dynamic filtering, and stateful inspection firewalls. • The three common architectural implementations of firewalls are single bastion hosts, screened hosts, and screened subnets. • Dial-up protection mechanisms help secure organizations that use modems for remote connectivity. • VPNs enable remote offices and users to connect to private networks securely over public networks.

Editor's Notes

  1. Learning Objectives Upon completion of this material, you should be able to: Discuss the important role of access control in computer-based information systems, and identify and discuss widely-used authentication factors Describe firewall technology and the various approaches to firewall implementation Identify the various approaches to control remote and dial-up access by authenticating and authorizing users
  2. Introduction Technical controls are essential in enforcing policy for many IT functions not under direct human control When properly implemented, technical control solutions improve an organization’s ability to balance objectives of making information readily available and preserving information’s confidentiality and integrity
  3. Access Control Access control: method by which systems determine whether and how to admit a user into a trusted area of the organization Mandatory access controls (MACs): use data classification schemes Discretionary access controls (DACs): allows users to control and possibly provide access to information/resources at their disposal Nondiscretionary controls: strictly-enforced version of MACs that are managed by a central authority
  4. Identification Identification: mechanism whereby unverified entities seeking access to a resource (supplicants) provide a label by which they are known to the system Identifiers can be composite identifiers, concatenating elements -department codes, random numbers, or special characters- to make them unique Some organizations generate random numbers
  5. Authentication Authentication: the process of validating a supplicant’s purported identity Authentication factors Something a supplicant knows Password: a private word or combination of characters that only the user should know Passphrase: a series of characters, typically longer than a password, from which a virtual password is derived
  6. Authentication Authentication factors (cont’d.) Something a supplicant has Dumb card: ID or ATM card with magnetic stripe Smart card: contains a computer chip that can verify and validate information Synchronous tokens Asynchronous tokens Something a supplicant is Relies upon individual characteristics Strong authentication
  7. Authorization Authorization: the matching of an authenticated entity to a list of information assets and corresponding access levels Authorization can be handled in one of three ways Authorization for each authenticated user Authorization for members of a group Authorization across multiple systems Authorization tickets
  8. Accountability Accountability (auditability): ensures that all actions on a system—authorized or unauthorized—can be attributed to an authenticated identity Most often accomplished by means of system logs and database journals, and the auditing of these records Systems logs record specific information Logs have many uses
  9. Biometrics Approach based on use of measurable human characteristics/traits to authenticate identity Only fingerprints, retina of eye, and iris of eye considered truly unique Evaluated on false reject rate, false accept rate, and crossover error rate Highly reliable/effective biometric systems often considered intrusive by users
  10. Access Control Architecture Models Illustrate access control implementations, can help organizations quickly make improvements through adaptation Trusted computing base (TCB) Part of Rainbow Series Used to enforce security policy (rules of system configuration) Biggest challenges include covert channels Storage channels Timing channels
  11. Access Control Architecture Models ITSEC: international set of criteria for evaluating computer systems Compares Targets of Evaluation (ToE) to detailed security function specifications The Common Criteria Considered successor to both TCSEC and ITSEC Bell-LaPadula Confidentiality Model Model of an automated system able to manipulate its state or status over time Biba Integrity Model Based on “no write up, no read down” principle
  12. Access Control Architecture Models Clark-Wilson Integrity Model no changes by unauthorized subjects, no unauthorized changes by authorized subjects, maintenance of internal and external consistency Graham-Denning Access Control Model Composed of set of objects, set of subjects, and set of rights Harrison-Ruzzo-Ullman Model Defines method to allow changes to access rights and addition/removal of subjects/objects Brewer-Nash Model (Chinese Wall) Designed to prevent conflict of interest between two parties
  13. Firewalls Prevent specific types of information from moving between an untrusted network(the Internet) and a trusted network (organization’s internal network) May be: Separate computer system Software service running on existing router or server Separate network containing supporting devices
  14. Firewall Processing Modes Five processing modes by which firewalls can be categorized: Packet filtering Application gateways Circuit gateways MAC layer firewalls Hybrids
  15. Packet Filtering Firewalls Packet filtering firewalls examine header information of data packets Most often based on combination of: IP source and destination address Direction (inbound or outbound) Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests Simple firewall models enforce rules designed to prohibit packets with certain addresses or partial addresses from passing through device
  16. Packet-Filtering Firewalls (cont’d.) Three subsets of packet filtering firewalls: Static filtering: requires that filtering rules be developed and installed within the firewall Dynamic filtering: allows firewall to react to emergent event and update or create rules to deal with event Stateful inspection: firewalls that keep track of each network connection between internal and external systems using a state table
  17. Application Gateways Frequently installed on a dedicated computer; also known as a proxy server Since proxy server is often placed in unsecured area of the network (e.g., DMZ), it is exposed to higher levels of risk from less trusted networks Additional filtering routers can be implemented behind the proxy server, further protecting internal systems
  18. MAC Layer Firewalls MAC layer firewalls Designed to operate at media access control sublayer of network’s data link layer Make filtering decisions based on specific host computer’s identity MAC addresses of specific host computers are linked to access control list (ACL) entries that identify specific types of packets that can be sent to each host; all other traffic is blocked
  19. Hybrid Firewalls Hybrid firewalls Combine elements of other types of firewalls; i.e., elements of packet filtering and proxy services, or of packet filtering and circuit gateways Alternately, may consist of two separate firewall devices; each a separate firewall system, but connected to work in tandem Enables organization to make security improvement without completely replacing existing firewalls
  20. Dual-Homed Host Firewalls Bastion hosts Commonly referred to as sacrificial host, as it stands as sole defender on the network perimeter Contains two network interface cards (NICs): one connected to external network, one connected to internal network Implementation of this architecture often makes use of network address translation (NAT), creating another barrier to intrusion from external attackers
  21. Screened Subnet Firewalls (with DMZ) Screened subnet firewalls (with DMZ) Is the dominant architecture used today Commonly consists of two or more internal bastion hosts behind packet filtering router, with each host protecting trusted network: Connections from outside or untrusted network routed through external filtering router Connections from outside or untrusted network are routed into and out of routing firewall to separate network segment known as DMZ Connections into trusted internal network allowed only from DMZ bastion host servers
  22. Screened Subnet Firewalls (with DMZ) Screened subnet firewalls (with DMZ) Is the dominant architecture used today Commonly consists of two or more internal bastion hosts behind packet filtering router, with each host protecting trusted network: Connections from outside or untrusted network routed through external filtering router Connections from outside or untrusted network are routed into and out of routing firewall to separate network segment known as DMZ Connections into trusted internal network allowed only from DMZ bastion host servers
  23. Firewall Architectures (cont’d.) Screened subnet performs two functions: Protects DMZ systems and information from outside threats Protects the internal networks by limiting how external connections can gain access to internal systems Another facet of DMZs: extranets
  24. Selecting the Right Firewall When selecting firewall, consider a number of factors: What firewall technology offers right balance between protection and cost for needs of organization? Which features are included in base price and which are not? Ease of setup and configuration? How accessible are staff technicians who can configure the firewall? Can firewall adapt to organization’s growing network? Second most important issue is cost
  25. Configuring and Managing Firewalls Organization must provide for initial configuration and ongoing management of firewall(s) Each firewall device must have own set of configuration rules regulating its actions Firewall policy configuration is usually complex and difficult Configuring firewall policies is both an art and a science When security rules conflict with the performance of business, security often loses
  26. Best practices for firewalls All traffic from trusted network is allowed out Firewall device never directly accessed from public network Simple Mail Transport Protocol (SMTP) data allowed to pass through firewall Internet Control Message Protocol (ICMP) data denied Telnet access to internal servers should be blocked When Web services offered outside firewall, HTTP traffic should be blocked from reaching internal networks All data not verifiably authentic should be denied
  27. Firewall Rules Firewall rules Firewalls operate by examining data packets and performing comparison with predetermined logical rules Logic based on set of guidelines most commonly referred to as firewall rules, rule base, or firewall logic Most firewalls use packet header information to determine whether specific packet should be allowed or denied
  28. Note that the rule allowing responses to internal communications comes first (appearing in Table 6-16 as Rule #1), followed by the four rules prohibiting direct communications to or from the firewall (Rules #2 through 5 in Table 6-16). After this comes the rule stating that all outgoing internal communications are allowed, followed by the rules governing access to the SMTP server and denial of Ping, Telnet access, and access to the HTTP server. If heavy traffic to the HTTP server is expected, move the HTTP server rule closer to the top (for example, into the position of Rule #2), which would expedite rule processing for external communications. The final rule in Table 6-16 denies any other types of communications.
  29. Note the similarities and differences in the two rule sets. The internal filtering router/firewall rule set, shown in Table 6-17, has to both protect against traffic and allow traffic from the internal network (192.168.2.0). Most of the rules in Table 6-17 are similar to those in Table 6-16: allowing responses to internal communications (Rule #1); denying communications to/from the firewall itself (Rules #2 through 5); and allowing all outbound internal traffic (Rule #6). Note that there is no permissible traffic from the DMZ systems, except as in Rule #1. Why isn’t there a comparable rule for the 192.168.2.1 subnet? Because this is an unrouteable network, external communications are handled by the NAT server, which maps internal (192.168.2.0) addresses to external (10.10.10.0) addresses. This prevents a hacker from compromising one of the internal boxes and accessing the internal network with it. The exception is the proxy server (Rule #7 in Table 6-17), which should be very carefully configured. If the organization does not need the proxy server, as in cases where all externally accessible services are provided from machines in the DMZ, then Rule #7 is not needed. Note that there are no Ping and Telnet rules in Table 6-17. This is because the external firewall filters these external requests out. The last rule, Rule #8, provides cleanup.
  30. Content Filters Software filter—not a firewall—that allows administrators to restrict content access from within a network Essentially a set of scripts or programs restricting user access to certain networking protocols/Internet locations Primary purpose to restrict internal access to external material Most common content filters restrict users from accessing non-business Web sites or deny incoming spam
  31. Protecting Remote Connections Installing Internetwork connections requires leased lines or other data channels; these connections are usually secured under requirements of formal service agreement When individuals seek to connect to organization’s network, more flexible option must be provided Options such as virtual private networks (VPNs) have become more popular due to spread of Internet
  32. Dial-Up Unsecured, dial-up connection points represent a substantial exposure to attack Attacker can use device called a war dialer to locate connection points War dialer: automatic phone-dialing program that dials every number in a configured range and records number if modem picks up Some technologies (RADIUS systems; TACACS; CHAP password systems) have improved authentication process
  33. RADIUS, TACACS, and Diameter Systems that authenticate user credentials for those trying to access an organization’s network via dial-up Remote Authentication Dial-In User Service (RADIUS): centralizes responsibility for user authentication in a central RADIUS server Diameter: emerging alternative derived from RADIUS Terminal Access Controller Access Control System (TACACS): validates user’s credentials at centralized server (like RADIUS); based on client/server configuration
  34. Securing Authentication with Kerberos Kerberos Provides secure third-party authentication Uses symmetric key encryption to validate individual user to various network resources Keeps database containing private keys of clients/servers Consists of three interacting services: Authentication server (AS) Key Distribution Center (KDC) Kerberos ticket granting service (TGS)
  35. Securing Authentication with Kerberos Kerberos Provides secure third-party authentication Uses symmetric key encryption to validate individual user to various network resources Keeps database containing private keys of clients/servers Consists of three interacting services: Authentication server (AS) Key Distribution Center (KDC) Kerberos ticket granting service (TGS)
  36. SESAME Secure European System for Applications in a Multivendor Environment (SESAME) is similar to Kerberos User is first authenticated to authentication server and receives token Token then presented to privilege attribute server as proof of identity to gain privilege attribute certificate Uses public key encryption; adds sophisticated access control features; more scalable encryption systems; improved manageability; auditing features; and option for delegation of responsibility for allowing access
  37. Virtual Private Networks (VPNs) A VPN is a private and secure network connection between systems that uses the data communication capability of an unsecured and public network. VPNs are commonly used to extend securely an organization’s internal network connections to remote locations beyond the trusted network. The VPNC defines three VPN technologies: A trusted VPN, or VPN, uses leased circuits from a service provider and conducts packet switching over these leased circuits. Secure VPNs use security protocols and encrypt traffic transmitted across unsecured public networks like the Internet. A hybrid VPN combines the two, providing encrypted transmissions (as in secure VPN) over some or all of a trusted VPN network. A VPN that proposes to offer a secure and reliable capability while relying on public networks must address: Encapsulation of incoming and outgoing data, wherein the native protocol of the client is embedded within the frames of a protocol that can be routed over the public network, as well as be usable by the server network environment. Encryption of incoming and outgoing data to keep the data contents private while in transit over the public network but usable by the client and server computers and/or the local networks on both ends of the VPN connection. Authentication of the remote computer and, perhaps, the remote user as well. Authentication and the subsequent authorization of the user to perform specific actions are predicated on accurate and reliable identification of the remote system and/or user.
  38. Virtual Private Networks (VPNs) (continued) VPN must accomplish: Encapsulation of incoming and outgoing data Encryption of incoming and outgoing data Authentication of remote computer and perhaps remote user as well In most common implementation, allows user to turn Internet into a private network
  39. Transport Mode Transport mode Data within IP packet is encrypted, but header information is not Allows user to establish secure link directly with remote host, encrypting only data contents of packet Two popular uses: End-to-end transport of encrypted data Remote access worker connects to office network over Internet by connecting to a VPN server on the perimeter
  40. Tunnel mode Establishes two perimeter tunnel servers to encrypt all traffic that will traverse unsecured network Entire client package encrypted and added as data portion of packet from one tunneling server to another Primary benefit to this model is that an intercepted packet reveals nothing about true destination system Example of tunnel mode VPN: Microsoft’s Internet Security and Acceleration (ISA) Server