Principles of Information Security, Fifth Edition
Chapter 6: Security Technology: Firewalls and VPNs

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.
BRUCE SCHNEIER, AMERICAN CRYPTOGRAPHER, COMPUTER SECURITY SPECIALIST, AND WRITER

Lesson 2 – Application Layer Firewall
Learning Objectives
• Upon completion of this material, you should be able to:
– Discuss the important role of access control in computer-based information systems, and identify and discuss widely used authentication factors
– Describe firewall technology and the various approaches to firewall implementation
– Identify the various approaches to control remote and dial-up access by authenticating and authorizing users
Principles of Information Security, Fifth Edition 2
Learning Objectives (cont’d)
– Discuss content filtering technology
– Describe virtual private networks and discuss the technology that enables them
Application Layer Firewall
• Frequently installed on a dedicated computer; also known as a proxy server
• Since the proxy server is often placed in an unsecured area of the network (e.g., the DMZ), it is exposed to higher levels of risk from less trusted networks.
• Additional filtering routers can be implemented behind the proxy server, further protecting internal systems.
Firewall Processing Modes (cont’d)
• MAC layer firewalls
– Designed to operate at the media access control sublayer of the network’s data link layer
– Make filtering decisions based on a specific host computer’s identity
– MAC addresses of specific host computers are linked to access control list (ACL) entries that identify specific types of packets that can be sent to each host; all other traffic is blocked.
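The MAC-layer filtering described on this slide, as an added illustration (not the textbook's code): the filter parses the 14-byte Ethernet II header of each frame, reads the destination MAC address and EtherType (and, for IPv4, the IP protocol number), and consults a per-host ACL that lists which packet types may be delivered to each known host. Frames for hosts with no ACL entry, frames of an unlisted type, and malformed frames are all dropped. The ACL contents, MAC addresses and frames are constructed for the example.

```python
"""MAC-layer firewall filter (added example; ACL and frames are constructed)."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17

# Hypothetical ACL: destination MAC -> set of (ethertype, ip_protocol) pairs
# that may be delivered to that host. ip_protocol is None for non-IP frames.
MAC_ACL = {
    # a server that should only ever receive ARP and TCP
    "00:11:22:33:44:55": {(ETHERTYPE_ARP, None), (ETHERTYPE_IPV4, IPPROTO_TCP)},
    # a workstation that may also receive UDP and ICMP
    "66:77:88:99:aa:bb": {(ETHERTYPE_ARP, None), (ETHERTYPE_IPV4, IPPROTO_TCP),
                          (ETHERTYPE_IPV4, IPPROTO_UDP), (ETHERTYPE_IPV4, IPPROTO_ICMP)},
}


def mac_str(raw: bytes) -> str:
    """Render 6 raw bytes as colon-separated lower-case hex."""
    return ":".join(f"{b:02x}" for b in raw)


def classify_frame(frame: bytes):
    """Return (dst_mac, ethertype, ip_protocol); raise ValueError if malformed."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    ip_proto = None
    if ethertype == ETHERTYPE_IPV4:
        if len(frame) < 14 + 20:
            raise ValueError("truncated IPv4 header")
        ip_proto = frame[14 + 9]  # protocol field is byte 9 of the IPv4 header
    return mac_str(dst), ethertype, ip_proto


def mac_filter(frame: bytes, acl=MAC_ACL) -> str:
    """Return 'ALLOW' or 'DROP'. Malformed frames are dropped, never passed."""
    try:
        dst, ethertype, ip_proto = classify_frame(frame)
    except ValueError:
        return "DROP"
    allowed = acl.get(dst)  # hosts with no ACL entry receive nothing
    if allowed is None:
        return "DROP"
    return "ALLOW" if (ethertype, ip_proto) in allowed else "DROP"


def build_frame(dst_mac: str, ethertype: int, ip_proto=None) -> bytes:
    """Construct a minimal test frame (not a real capture) with the given header."""
    dst = bytes.fromhex(dst_mac.replace(":", ""))
    src = bytes.fromhex("0a0b0c0d0e0f")  # constructed source address
    hdr = struct.pack("!6s6sH", dst, src, ethertype)
    if ethertype == ETHERTYPE_IPV4:
        ipv4 = bytearray(20)
        ipv4[0] = 0x45  # version 4, header length 5 words
        ipv4[9] = ip_proto if ip_proto is not None else 0
        return hdr + bytes(ipv4)
    return hdr


if __name__ == "__main__":
    for label, frame in [
        ("TCP to server", build_frame("00:11:22:33:44:55", ETHERTYPE_IPV4, IPPROTO_TCP)),
        ("ICMP to server", build_frame("00:11:22:33:44:55", ETHERTYPE_IPV4, IPPROTO_ICMP)),
        ("ARP to unknown host", build_frame("de:ad:be:ef:00:01", ETHERTYPE_ARP)),
        ("truncated frame", b"\x00" * 10),
    ]:
        print(f"{label:22s} -> {mac_filter(frame)}")
```

The ACL binds policy to a NIC address rather than to a user or an authenticated identity, which is why the slides describe it as filtering on the host computer's identity; the example also shows the fail-closed choices a practitioner would want (unknown hosts and unparseable frames are dropped rather than passed).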
Firewall Processing Modes (cont’d)
• Hybrid firewalls
– Combine elements of other types of firewalls, that is, elements of packet filtering and proxy services, or of packet filtering and circuit gateways
– Alternatively, may consist of two separate firewall devices, each a separate firewall system, but connected to work in tandem
– Enables an organization to make security improvements without completely replacing existing firewalls
Firewall Architectures
• Firewall devices can be configured in several network connection architectures.
• Best configuration depends on three factors:
– Objectives of the network
– Organization’s ability to develop and implement architectures
– Budget available for function
• Four common architectural implementations of firewalls: packet-filtering routers, dual-homed firewalls (bastion hosts), screened host firewalls, screened subnet firewalls
Firewall Architectures (cont’d)
• Packet-filtering routers
– Most organizations with an Internet connection have a router at the boundary between internal networks and the external service provider.
– Many of these routers can be configured to reject packets that the organization does not allow into its network.
– Drawbacks include a lack of auditing and strong authentication.
Firewall Architectures (cont’d)
• Bastion hosts
– Commonly referred to as a sacrificial host, as it stands as sole defender on the network perimeter
– Contains two network interface cards (NICs): one connected to the external network, one connected to the internal network
– Implementation of this architecture often makes use of network address translation (NAT), creating another barrier to intrusion from external attackers.
Firewall Architectures (cont’d)
• Screened host firewalls
– Combines a packet-filtering router with a separate, dedicated firewall such as an application proxy server
– Allows the router to prescreen packets to minimize traffic/load on the internal proxy
– Requires an external attack to compromise two separate systems before the attack can access internal data
Firewall Architectures (cont’d)
• Screened subnet firewall (with DMZ)
– Is the dominant architecture used today
– Commonly consists of two or more internal bastion hosts behind a packet-filtering router, with each host protecting a trusted network:
• Connections from the outside or untrusted network are routed through the external filtering router.
• Connections from the outside or untrusted network are routed into and out of the routing firewall to the separate network segment known as the DMZ.
• Connections into the trusted internal network are allowed only from DMZ bastion host servers.
Firewall Architectures (cont’d)
• Screened subnet performs two functions:
– Protects DMZ systems and information from outside threats
– Protects the internal networks by limiting how external connections can gain access to internal systems
• Another facet of DMZs: extranets
Firewall Architectures (cont’d)
• SOCKS servers
– SOCKS is the protocol for handling TCP traffic via a proxy server.
– A proprietary circuit-level proxy server that places special SOCKS client-side agents on each workstation
– A SOCKS system can require support and management resources beyond those of traditional firewalls.
Selecting the Right Firewall
• When selecting the firewall, consider a number of factors:
– What firewall technology offers the right balance between protection and cost for the needs of the organization?
– Which features are included in the base price and which are not?
– How easy are setup and configuration? How accessible are staff technicians who can configure the firewall?
– Can the firewall adapt to the organization’s growing network?
• Second most important issue is cost.
Configuring and Managing Firewalls
• The organization must provide for the initial configuration and ongoing management of firewall(s).
• Each firewall device must have its own set of configuration rules regulating its actions.
• Firewall policy configuration is usually complex and difficult.
• Configuring firewall policies is both an art and a science.
• When security rules conflict with the performance of business, security often loses.
Configuring and Managing Firewalls (cont’d)
• Best practices for firewalls
– All traffic from the trusted network is allowed out.
– Firewall device is never directly accessed from the public network.
– Simple Mail Transport Protocol (SMTP) data are allowed to pass through the firewall.
– Internet Control Message Protocol (ICMP) data are denied.
– Telnet access to internal servers should be blocked.
– When Web services are offered outside the firewall, HTTP traffic should be blocked from reaching internal networks.
– All data not verifiably authentic should be denied.
Configuring and Managing Firewalls (cont’d)
• Firewall rules
– Firewalls operate by examining data packets and comparing them with predetermined logical rules.
– The logic is based on a set of guidelines most commonly referred to as firewall rules, rule base, or firewall logic.
– Most firewalls use packet header information to determine whether a specific packet should be allowed or denied.
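A rule base of the kind these slides describe, as an added example (not the textbook's code): header-based rules evaluated in order, first match wins, ending in a catch-all deny. The rules encode the best-practices list from the previous slide (trusted traffic allowed out, no direct public access to the firewall, SMTP passed, ICMP denied, Telnet to internal servers blocked, public HTTP kept out of the internal network, everything else denied) inside the screened-subnet layout from the architecture slides, where connections into the trusted network are allowed only from DMZ bastion hosts. The zones, firewall addresses and bastion addresses are constructed from documentation address ranges; the packets in the tests are constructed as well.

```python
"""Screened-subnet rule base (added example; address plan is constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan: anything outside these networks is "external".
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "trusted": ip_network("10.0.0.0/8"),
}
FIREWALL_ADDRS = frozenset({ip_address("198.51.100.1"),   # outside interface
                            ip_address("192.0.2.1"),      # DMZ interface
                            ip_address("10.0.0.1")})      # inside interface
WEB_BASTION = ip_address("192.0.2.10")
MAIL_BASTION = ip_address("192.0.2.25")
DMZ_BASTIONS = frozenset({WEB_BASTION, MAIL_BASTION})


def zone_of(addr) -> str:
    """Map an address to its zone; unknown space is treated as external."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    src_zone: Optional[str] = None
    dst_zone: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    src_in: Optional[frozenset] = None   # explicit source addresses
    dst_in: Optional[frozenset] = None   # explicit destination addresses

    def matches(self, pkt: Packet) -> bool:
        """A field set to None is a wildcard; every set field must match."""
        s, d = ip_address(pkt.src), ip_address(pkt.dst)
        return all([
            self.src_zone is None or zone_of(s) == self.src_zone,
            self.dst_zone is None or zone_of(d) == self.dst_zone,
            self.proto is None or pkt.proto == self.proto,
            self.dport is None or pkt.dport == self.dport,
            self.src_in is None or s in self.src_in,
            self.dst_in is None or d in self.dst_in,
        ])


# Order matters: the first matching rule decides, so denials that must
# override broad allows (ICMP, Telnet, access to the firewall) come first.
RULE_BASE = [
    Rule("firewall is never directly accessed from the public network", "deny",
         src_zone="external", dst_in=FIREWALL_ADDRS),
    Rule("ICMP is denied", "deny", proto="icmp"),
    Rule("Telnet to internal servers is blocked", "deny",
         dst_zone="trusted", proto="tcp", dport=23),
    Rule("all traffic from the trusted network is allowed out", "allow",
         src_zone="trusted"),
    Rule("SMTP may pass to the DMZ mail bastion", "allow",
         proto="tcp", dport=25, dst_in=frozenset({MAIL_BASTION})),
    Rule("public HTTP reaches only the DMZ web bastion", "allow",
         src_zone="external", proto="tcp", dport=80, dst_in=frozenset({WEB_BASTION})),
    Rule("only DMZ bastions may connect into the trusted network", "allow",
         src_in=DMZ_BASTIONS, dst_zone="trusted"),
    Rule("default: deny everything not explicitly authorized", "deny"),
]


def evaluate(pkt: Packet, rules=RULE_BASE):
    """Return (action, rule name) for the first rule that matches the packet."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    raise AssertionError("rule base must end with a catch-all rule")


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 80),   # public web request
        Packet("203.0.113.5", "10.0.0.5", "tcp", 80),     # HTTP aimed at inside
        Packet("203.0.113.5", "10.0.0.5", "tcp", 23),     # Telnet aimed at inside
        Packet("192.0.2.10", "10.0.0.5", "tcp", 5432),    # bastion to internal DB
        Packet("10.1.2.3", "203.0.113.5", "icmp"),        # ping from inside
    ]
    for p in samples:
        action, why = evaluate(p)
        print(f"{p.src:>13} -> {p.dst:<12} {p.proto}/{p.dport}: {action:5s} ({why})")
```

Because a packet that matches nothing falls through to the final deny, the rule base fails closed; the tests exercise that path with HTTP aimed straight at the internal network, which no allow rule covers even though HTTP to the DMZ bastion is permitted.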
Content Filters
• Software filter—not a firewall—that allows administrators to restrict content access from within a network
• Essentially a set of scripts or programs restricting user access to certain networking protocols/Internet locations
• Primary purpose is to restrict internal access to external material
• Most common content filters restrict users from accessing non-business Web sites or deny incoming spam.
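A small content filter of the kind the slide describes, added here as an example (not the textbook's code): a policy maps blocked domains to a category such as "non-business" or "spam", and a request is blocked when its host is one of those domains or a subdomain of one. The example shows two details a practitioner would want to get right: matching is done on label boundaries (an entry for `games.example` blocks `www.games.example` but not `notgames.example`), and the most specific entry wins, so an allow override for one subdomain of a blocked parent holds. The domain names and override are constructed for the example.

```python
"""Domain-based content filter (added example; policy entries are constructed)."""
from urllib.parse import urlsplit

# Constructed policy: blocked domain -> category.
BLOCKED_DOMAINS = {
    "games.example": "non-business",
    "social.example": "non-business",
    "spam-sender.example": "spam",
}
# Constructed exception: a subdomain of a blocked parent that stays reachable.
ALLOWED_OVERRIDES = {"hr.social.example"}


def normalise_host(url: str) -> str:
    """Extract the host, lower-case it and strip a trailing dot (FQDN form)."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def parent_domains(host: str):
    """Yield the host itself, then each parent domain, on label boundaries."""
    labels = host.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def check_request(url: str):
    """Return ('allow', None) or ('block', category) for a requested URL.

    Walks from the full host up to its parents; the first entry found (most
    specific) decides, so an override beneath a blocked parent takes effect.
    Requests whose host cannot be parsed are blocked rather than passed.
    """
    host = normalise_host(url)
    if not host:
        return "block", "unparseable"
    for candidate in parent_domains(host):
        if candidate in ALLOWED_OVERRIDES:
            return "allow", None
        category = BLOCKED_DOMAINS.get(candidate)
        if category is not None:
            return "block", category
    return "allow", None


if __name__ == "__main__":
    for url in ["https://www.games.example/play", "https://notgames.example/",
                "http://hr.social.example/policy", "http://social.example/",
                "http://mail.spam-sender.example./inbox", "not a url"]:
        print(f"{url:40s} -> {check_request(url)}")
```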
Protecting Remote Connections
• Installing internetwork connections requires leased lines or other data channels; these connections are usually secured under the requirements of a formal service agreement.
• When individuals seek to connect to an organization’s network, a more flexible option must be provided.
• Options such as virtual private networks (VPNs) have become more popular due to the spread of the Internet.

More Related Content

What's hot

Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
David Sweigert
 
Chapter 3 Presentation
Chapter 3 PresentationChapter 3 Presentation
Chapter 3 Presentation
Amy McMullin
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
Digital Bond
 
Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2
MLG College of Learning, Inc
 
60304756 whitman-ch01-1
60304756 whitman-ch01-160304756 whitman-ch01-1
60304756 whitman-ch01-1UDCNTT
 
CISSP - Chapter 3 - CPU Architecture
CISSP - Chapter 3 - CPU ArchitectureCISSP - Chapter 3 - CPU Architecture
CISSP - Chapter 3 - CPU Architecture
Karthikeyan Dhayalan
 
Information security and Attacks
Information security and AttacksInformation security and Attacks
Information security and Attacks
Sachin Darekar
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewall
Coder Tech
 
Cyber Threat Simulation Training
Cyber Threat Simulation TrainingCyber Threat Simulation Training
Cyber Threat Simulation Training
Bryan Len
 
Information Assurance And Security - Chapter 3 - Lesson 3
Information Assurance And Security - Chapter 3 - Lesson 3Information Assurance And Security - Chapter 3 - Lesson 3
Information Assurance And Security - Chapter 3 - Lesson 3
MLG College of Learning, Inc
 
Information security
Information security Information security
Information security
razendar79
 
CISSP - Chapter 4 - Network Topology
CISSP - Chapter 4 - Network TopologyCISSP - Chapter 4 - Network Topology
CISSP - Chapter 4 - Network Topology
Karthikeyan Dhayalan
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
CAS
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 -  Asset SecurityCISSP - Chapter 2 -  Asset Security
CISSP - Chapter 2 - Asset Security
Karthikeyan Dhayalan
 
Web application firewall
Web application firewallWeb application firewall
Web application firewall
Aju Thomas
 
Network Security
Network SecurityNetwork Security
Network Security
Manoj Singh
 
CISSP - Chapter 3 - Physical security
CISSP - Chapter 3  - Physical securityCISSP - Chapter 3  - Physical security
CISSP - Chapter 3 - Physical security
Karthikeyan Dhayalan
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access management
Vandana Verma
 
Information security.pptx
Information security.pptxInformation security.pptx

What's hot (20)

Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
Chapter 3 Presentation
Chapter 3 PresentationChapter 3 Presentation
Chapter 3 Presentation
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
 
Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2
 
60304756 whitman-ch01-1
60304756 whitman-ch01-160304756 whitman-ch01-1
60304756 whitman-ch01-1
 
CISSP - Chapter 3 - CPU Architecture
CISSP - Chapter 3 - CPU ArchitectureCISSP - Chapter 3 - CPU Architecture
CISSP - Chapter 3 - CPU Architecture
 
Information security and Attacks
Information security and AttacksInformation security and Attacks
Information security and Attacks
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewall
 
Cyber Threat Simulation Training
Cyber Threat Simulation TrainingCyber Threat Simulation Training
Cyber Threat Simulation Training
 
Information Assurance And Security - Chapter 3 - Lesson 3
Information Assurance And Security - Chapter 3 - Lesson 3Information Assurance And Security - Chapter 3 - Lesson 3
Information Assurance And Security - Chapter 3 - Lesson 3
 
Lesson 2 - IDPS
Lesson 2 - IDPSLesson 2 - IDPS
Lesson 2 - IDPS
 
Information security
Information security Information security
Information security
 
CISSP - Chapter 4 - Network Topology
CISSP - Chapter 4 - Network TopologyCISSP - Chapter 4 - Network Topology
CISSP - Chapter 4 - Network Topology
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 -  Asset SecurityCISSP - Chapter 2 -  Asset Security
CISSP - Chapter 2 - Asset Security
 
Web application firewall
Web application firewallWeb application firewall
Web application firewall
 
Network Security
Network SecurityNetwork Security
Network Security
 
CISSP - Chapter 3 - Physical security
CISSP - Chapter 3  - Physical securityCISSP - Chapter 3  - Physical security
CISSP - Chapter 3 - Physical security
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access management
 
Information security.pptx
Information security.pptxInformation security.pptx
Information security.pptx
 

Similar to Lessson 2 - Application Layer

Lessson 2
Lessson 2Lessson 2
Firewalls
FirewallsFirewalls
Firewalls
vaishnavi
 
Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [312-342...
Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [312-342...Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [312-342...
Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [312-342...
ams1ams11
 
firewall.ppt
firewall.pptfirewall.ppt
firewall.ppt
ssuser530a07
 
[9] Firewall.pdf
[9] Firewall.pdf[9] Firewall.pdf
[9] Firewall.pdf
lamtran367679
 
Firewall and its types and function
Firewall and its types and functionFirewall and its types and function
Firewall and its types and function
Nisarg Amin
 
Firewall
FirewallFirewall
Firewall
Naga Dinesh
 
Firewall ppt
Firewall pptFirewall ppt
Firewall.pdf
Firewall.pdfFirewall.pdf
Firewall.pdf
ImXaib
 
Firewall
FirewallFirewall
Firewall
FirewallFirewall
Firewall
Saurabh Chauhan
 
firewall.pdf
firewall.pdffirewall.pdf
firewall.pdf
Anand992498
 
CompTIA Security Plus Overview
CompTIA Security Plus OverviewCompTIA Security Plus Overview
CompTIA Security Plus Overview
Joseph Holbrook, Chief Learning Officer (CLO)
 
Seminar
SeminarSeminar
Network defenses
Network defensesNetwork defenses
Network defenses
G Prachi
 
Firewall ( Cyber Security)
Firewall ( Cyber Security)Firewall ( Cyber Security)
Firewall ( Cyber Security)
Jainam Shah
 
Introduction to firewalls
Introduction to firewallsIntroduction to firewalls
Introduction to firewalls
Divya Jyoti
 
Firewall ppt
Firewall pptFirewall ppt
Firewall ppt
Revanth71
 
Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters
Radhika Talaviya
 

Similar to Lessson 2 - Application Layer (20)

Lessson 2
Lessson 2Lessson 2
Lessson 2
 
Firewalls
FirewallsFirewalls
Firewalls
 
Divyanshu.pptx
Divyanshu.pptxDivyanshu.pptx
Divyanshu.pptx
 
Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [312-342...
Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [312-342...Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [312-342...
Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [312-342...
 
firewall.ppt
firewall.pptfirewall.ppt
firewall.ppt
 
[9] Firewall.pdf
[9] Firewall.pdf[9] Firewall.pdf
[9] Firewall.pdf
 
Firewall and its types and function
Firewall and its types and functionFirewall and its types and function
Firewall and its types and function
 
Firewall
FirewallFirewall
Firewall
 
Firewall ppt
Firewall pptFirewall ppt
Firewall ppt
 
Firewall.pdf
Firewall.pdfFirewall.pdf
Firewall.pdf
 
Firewall
FirewallFirewall
Firewall
 
Firewall
FirewallFirewall
Firewall
 
firewall.pdf
firewall.pdffirewall.pdf
firewall.pdf
 
CompTIA Security Plus Overview
CompTIA Security Plus OverviewCompTIA Security Plus Overview
CompTIA Security Plus Overview
 
Seminar
SeminarSeminar
Seminar
 
Network defenses
Network defensesNetwork defenses
Network defenses
 
Firewall ( Cyber Security)
Firewall ( Cyber Security)Firewall ( Cyber Security)
Firewall ( Cyber Security)
 
Introduction to firewalls
Introduction to firewallsIntroduction to firewalls
Introduction to firewalls
 
Firewall ppt
Firewall pptFirewall ppt
Firewall ppt
 
Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters
 

More from MLG College of Learning, Inc (20)

PC111.Lesson2
PC111.Lesson2PC111.Lesson2
PC111.Lesson2
 
PC111.Lesson1
PC111.Lesson1PC111.Lesson1
PC111.Lesson1
 
PC111-lesson1.pptx
PC111-lesson1.pptxPC111-lesson1.pptx
PC111-lesson1.pptx
 
PC LEESOON 6.pptx
PC LEESOON 6.pptxPC LEESOON 6.pptx
PC LEESOON 6.pptx
 
PC 106 PPT-09.pptx
PC 106 PPT-09.pptxPC 106 PPT-09.pptx
PC 106 PPT-09.pptx
 
PC 106 PPT-07
PC 106 PPT-07PC 106 PPT-07
PC 106 PPT-07
 
PC 106 PPT-01
PC 106 PPT-01PC 106 PPT-01
PC 106 PPT-01
 
PC 106 PPT-06
PC 106 PPT-06PC 106 PPT-06
PC 106 PPT-06
 
PC 106 PPT-05
PC 106 PPT-05PC 106 PPT-05
PC 106 PPT-05
 
PC 106 Slide 04
PC 106 Slide 04PC 106 Slide 04
PC 106 Slide 04
 
PC 106 Slide no.02
PC 106 Slide no.02PC 106 Slide no.02
PC 106 Slide no.02
 
pc-106-slide-3
pc-106-slide-3pc-106-slide-3
pc-106-slide-3
 
PC 106 Slide 2
PC 106 Slide 2PC 106 Slide 2
PC 106 Slide 2
 
PC 106 Slide 1.pptx
PC 106 Slide 1.pptxPC 106 Slide 1.pptx
PC 106 Slide 1.pptx
 
Db2 characteristics of db ms
Db2 characteristics of db msDb2 characteristics of db ms
Db2 characteristics of db ms
 
Db1 introduction
Db1 introductionDb1 introduction
Db1 introduction
 
Lesson 3.2
Lesson 3.2Lesson 3.2
Lesson 3.2
 
Lesson 3.1
Lesson 3.1Lesson 3.1
Lesson 3.1
 
Lesson 1.6
Lesson 1.6Lesson 1.6
Lesson 1.6
 
Lesson 3.2
Lesson 3.2Lesson 3.2
Lesson 3.2
 

Recently uploaded

Palestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptxPalestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptx
RaedMohamed3
 
Digital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and ResearchDigital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and Research
Vikramjit Singh
 
1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx
JosvitaDsouza2
 
Guidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th SemesterGuidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th Semester
Atul Kumar Singh
 
Additional Benefits for Employee Website.pdf
Additional Benefits for Employee Website.pdfAdditional Benefits for Employee Website.pdf
Additional Benefits for Employee Website.pdf
joachimlavalley1
 
The basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptxThe basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptx
heathfieldcps1
 
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup   New Member Orientation and Q&A (May 2024).pdfWelcome to TechSoup   New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
TechSoup
 
Home assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdfHome assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdf
Tamralipta Mahavidyalaya
 
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
EugeneSaldivar
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
DeeptiGupta154
 
special B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdfspecial B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdf
Special education needs
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
Delapenabediema
 
Instructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptxInstructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptx
Jheel Barad
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star   -  Saka Neela TaraOperation Blue Star   -  Saka Neela Tara
Operation Blue Star - Saka Neela Tara
Balvir Singh
 
Language Across the Curriculm LAC B.Ed.
Language Across the  Curriculm LAC B.Ed.Language Across the  Curriculm LAC B.Ed.
Language Across the Curriculm LAC B.Ed.
Atul Kumar Singh
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
Jisc
 
The geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideasThe geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideas
GeoBlogs
 
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
Nguyen Thanh Tu Collection
 
Polish students' mobility in the Czech Republic
Polish students' mobility in the Czech RepublicPolish students' mobility in the Czech Republic
Polish students' mobility in the Czech Republic
Anna Sz.
 
Supporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptxSupporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptx
Jisc
 

Recently uploaded (20)

Palestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptxPalestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptx
 
Digital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and ResearchDigital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and Research
 
1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx
 
Guidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th SemesterGuidance_and_Counselling.pdf B.Ed. 4th Semester
Guidance_and_Counselling.pdf B.Ed. 4th Semester
 
Additional Benefits for Employee Website.pdf
Additional Benefits for Employee Website.pdfAdditional Benefits for Employee Website.pdf
Additional Benefits for Employee Website.pdf
 
The basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptxThe basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptx
 
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup   New Member Orientation and Q&A (May 2024).pdfWelcome to TechSoup   New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
 
Home assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdfHome assignment II on Spectroscopy 2024 Answers.pdf
Home assignment II on Spectroscopy 2024 Answers.pdf
 
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
 
special B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdfspecial B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdf
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
 
Instructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptxInstructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptx
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star   -  Saka Neela TaraOperation Blue Star   -  Saka Neela Tara
Operation Blue Star - Saka Neela Tara
 
Language Across the Curriculm LAC B.Ed.
Language Across the  Curriculm LAC B.Ed.Language Across the  Curriculm LAC B.Ed.
Language Across the Curriculm LAC B.Ed.
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
 
The geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideasThe geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideas
 
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
 
Polish students' mobility in the Czech Republic
Polish students' mobility in the Czech RepublicPolish students' mobility in the Czech Republic
Polish students' mobility in the Czech Republic
 
Supporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptxSupporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptx
 

Lessson 2 - Application Layer

  • 1. Principles of Information Security, Fifth Edition Chapter 6 Security Technology: Firewalls and VPNs If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology. BRUCE SCHNEIER, AMERICAN CRYPTOGRAPHER, COMPUTER SECURITY SPECIALIST, AND WRITER Lesson 2 – Application Layer Firewall
  • 2. Learning Objectives • Upon completion of this material, you should be able to: – Discuss the important role of access control in computer-based information systems, and identify and discuss widely used authentication factors – Describe firewall technology and the various approaches to firewall implementation – Identify the various approaches to control remote and dial-up access by authenticating and authorizing users Principles of Information Security, Fifth Edition 2
  • 3. Learning Objectives (cont’d) – Discuss content filtering technology – Describe virtual private networks and discuss the technology that enables them Principles of Information Security, Fifth Edition 3
  • 4. Application Layer Firewall • Frequently installed on a dedicated computer; also known as a proxy server • Since proxy server is often placed in unsecured area of the network (e.g., DMZ), it is exposed to higher levels of risk from less trusted networks. • Additional filtering routers can be implemented behind the proxy server, further protecting internal systems. Principles of Information Security, Fifth Edition 4
  • 5. Firewall Processing Modes (cont’d) • MAC layer firewalls – Designed to operate at media access control sublayer of network’s data link layer – Make filtering decisions based on specific host computer’s identity – MAC addresses of specific host computers are linked to access control list (ACL) entries that identify specific types of packets that can be sent to each host; all other traffic is blocked. Principles of Information Security, Fifth Edition 5
  • 6. Principles of Information Security, Fifth Edition 6
  • 7. Firewall Processing Modes (cont’d) • Hybrid firewalls – Combine elements of other types of firewalls, that is, elements of packet filtering and proxy services, or of packet filtering and circuit gateways – Alternately, may consist of two separate firewall devices; each a separate firewall system, but connected to work in tandem – Enables an organization to make security improvement without completely replacing existing firewalls Principles of Information Security, Fifth Edition 7
  • 8. Firewall Architectures • Firewall devices can be configured in several network connection architectures. • Best configuration depends on three factors: – Objectives of the network – Organization’s ability to develop and implement architectures – Budget available for function • Four common architectural implementations of firewalls: packet-filtering routers, dual-homed firewalls (bastion hosts), screened host firewalls, screened subnet firewalls Principles of Information Security, Fifth Edition 8
  • 9. Firewall Architectures (cont’d) • Packet-filtering routers – Most organizations with Internet connection have a router at the boundary between internal networks and external service provider. – Many of these routers can be configured to reject packets that the organization does not allow into its network. – Drawbacks include a lack of auditing and strong authentication. Principles of Information Security, Fifth Edition 9
  • 10. Firewall Architectures (cont’d) • Bastion hosts – Commonly referred to as sacrificial host, as it stands as sole defender on the network perimeter – Contains two network interface cards (NICs): one connected to external network, one connected to internal network – Implementation of this architecture often makes use of network address translation (NAT), creating another barrier to intrusion from external attackers. Principles of Information Security, Fifth Edition 10
  • 13. Firewall Architectures (cont’d)
    • Screened host firewalls
      – Combines a packet-filtering router with a separate, dedicated firewall such as an application proxy server
      – Allows the router to prescreen packets to minimize traffic/load on the internal proxy
      – Requires an external attack to compromise two separate systems before the attack can access internal data
  • 15. Firewall Architectures (cont’d)
    • Screened subnet firewall (with DMZ)
      – Is the dominant architecture used today
      – Commonly consists of two or more internal bastion hosts behind a packet-filtering router, with each host protecting a trusted network:
        • Connections from the outside or untrusted network are routed through an external filtering router.
        • Connections from the outside or untrusted network are routed into and out of the routing firewall to the separate network segment known as the DMZ.
        • Connections into the trusted internal network are allowed only from the DMZ bastion host servers.
  • 18. Firewall Architectures (cont’d)
    • Screened subnet performs two functions:
      – Protects DMZ systems and information from outside threats
      – Protects the internal networks by limiting how external connections can gain access to internal systems
    • Another facet of DMZs: extranets
  • 19. Firewall Architectures (cont’d)
    • SOCKS servers
      – SOCKS is the protocol for handling TCP traffic via a proxy server.
      – A proprietary circuit-level proxy server that places special SOCKS client-side agents on each workstation
      – A SOCKS system can require support and management resources beyond those of traditional firewalls.
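An added example, not from the textbook, of the per-connection decision a circuit-level SOCKS server makes: it decodes a SOCKS5 CONNECT request (RFC 1928), applies a ruleset to the destination host and port only, never to the payload, and returns the reply code the client would see. The allowed destinations are a constructed policy.

```python
# Added example, not from the textbook: server side of a SOCKS5 CONNECT
# exchange (RFC 1928) behind a circuit-level ruleset. The decision uses only
# the destination host and port carried in the request, never the TCP payload.
import socket
import struct

ALLOWED = {("198.51.100.10", 443), ("www.example.org", 80)}   # constructed policy
REP_SUCCEEDED, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07


def build_connect(host: str, port: int) -> bytes:
    """Client side: VER=5 CMD=CONNECT(1) RSV=0 ATYP DST.ADDR DST.PORT."""
    try:
        addr = bytes([0x01]) + socket.inet_aton(host)        # ATYP 1: IPv4
    except OSError:
        name = host.encode("ascii")
        addr = bytes([0x03, len(name)]) + name               # ATYP 3: domain name
    return bytes([0x05, 0x01, 0x00]) + addr + struct.pack("!H", port)


def parse_request(req: bytes):
    """Server side: return (cmd, host, port) from one request message."""
    if len(req) < 4 or req[0] != 0x05:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = req[1], req[3]
    if atyp == 0x01:
        host, rest = socket.inet_ntoa(req[4:8]), req[8:]
    elif atyp == 0x03:
        n = req[4]
        host, rest = req[5:5 + n].decode("ascii"), req[5 + n:]
    else:
        raise ValueError("address type not supported")      # IPv6 left out here
    if len(rest) != 2:
        raise ValueError("truncated request or trailing bytes")
    return cmd, host, struct.unpack("!H", rest)[0]


def decide(req: bytes) -> int:
    """Return the REP code the server sends after applying the ruleset."""
    cmd, host, port = parse_request(req)
    if cmd != 0x01:                      # BIND / UDP ASSOCIATE are not offered
        return REP_CMD_UNSUPPORTED
    return REP_SUCCEEDED if (host, port) in ALLOWED else REP_NOT_ALLOWED


def reply(rep: int) -> bytes:
    """VER REP RSV ATYP=IPv4 BND.ADDR BND.PORT; bind fields are zero on refusal."""
    return bytes([0x05, rep, 0x00, 0x01]) + b"\x00" * 6
```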
  • 20. Selecting the Right Firewall
    • When selecting a firewall, consider a number of factors:
      – What firewall technology offers the right balance between protection and cost for the needs of the organization?
      – Which features are included in the base price and which are not?
      – How easy is it to set up and configure? How accessible are staff technicians who can configure the firewall?
      – Can the firewall adapt to the organization’s growing network?
    • The second most important issue is cost.
  • 21. Configuring and Managing Firewalls
    • The organization must provide for the initial configuration and ongoing management of firewall(s).
    • Each firewall device must have its own set of configuration rules regulating its actions.
    • Firewall policy configuration is usually complex and difficult.
    • Configuring firewall policies is both an art and a science.
    • When security rules conflict with the performance of business, security often loses.
  • 22. Configuring and Managing Firewalls (cont’d)
    • Best practices for firewalls
      – All traffic from the trusted network is allowed out.
      – The firewall device is never directly accessed from the public network.
      – Simple Mail Transport Protocol (SMTP) data are allowed to pass through the firewall.
      – Internet Control Message Protocol (ICMP) data are denied.
      – Telnet access to internal servers should be blocked.
      – When Web services are offered outside the firewall, HTTP traffic should be blocked from reaching internal networks.
      – All data not verifiably authentic should be denied.
  • 23. Configuring and Managing Firewalls (cont’d)
    • Firewall rules
      – Firewalls operate by examining data packets and comparing them with predetermined logical rules.
      – The logic is based on a set of guidelines most commonly referred to as firewall rules, rule base, or firewall logic.
      – Most firewalls use packet header information to determine whether a specific packet should be allowed or denied.
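An added example, not from the textbook, that turns the last slides into a working rule base: the screened subnet policy of slide 15 (inside reachable only from the DMZ bastion hosts), the best practices of slide 22, and the header-field, first-match evaluation of slide 23. All networks, server addresses and the firewall address are constructed for the example.

```python
# Added example, not from the textbook: a first-match packet-filter rule base
# encoding the slides' best practices for a screened subnet. Trusted network,
# DMZ, server and firewall addresses are constructed for this example.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

TRUSTED = ipaddress.ip_network("10.0.0.0/8")          # internal LAN (constructed)
DMZ = ipaddress.ip_network("192.168.100.0/24")        # bastion hosts (constructed)
FIREWALL = ipaddress.ip_network("203.0.113.1/32")     # the filter itself (constructed)
MAIL = ipaddress.ip_network("192.168.100.25/32")      # DMZ SMTP relay (constructed)
WEB = ipaddress.ip_network("192.168.100.80/32")       # DMZ Web server (constructed)
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str              # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]    # None matches every destination port
    action: str             # "allow" or "deny"
    note: str

# Order is the policy: the first rule whose fields all match decides, so the
# specific denies precede the broad allows and a deny-all closes the base.
RULE_BASE = [
    Rule(ANY, FIREWALL, "any", None, "deny", "firewall never accessed directly"),
    Rule(ANY, ANY, "icmp", None, "deny", "ICMP denied"),
    Rule(ANY, TRUSTED, "tcp", 23, "deny", "Telnet to internal servers blocked"),
    Rule(TRUSTED, ANY, "any", None, "allow", "all traffic from trusted network out"),
    Rule(ANY, MAIL, "tcp", 25, "allow", "SMTP passes through to the DMZ relay"),
    Rule(ANY, WEB, "tcp", 80, "allow", "Web service offered from the DMZ"),
    Rule(ANY, TRUSTED, "tcp", 80, "deny", "HTTP must not reach internal networks"),
    Rule(DMZ, TRUSTED, "tcp", None, "allow", "inside reachable only from DMZ bastions"),
    Rule(ANY, ANY, "any", None, "deny", "default: not verifiably allowed is denied"),
]

def evaluate(src: str, dst: str, proto: str, dport: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, note) of the first rule matching one packet's header fields."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in RULE_BASE:
        if s in r.src and d in r.dst and r.proto in ("any", proto) and r.dport in (None, dport):
            return r.action, r.note
    return "deny", "no rule matched"   # unreachable while the deny-all stays last

if __name__ == "__main__":
    print(evaluate("198.51.100.7", "10.0.0.5", "tcp", 80))   # outside HTTP to inside: deny
```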
  • 27. Content Filters
    • Software filter—not a firewall—that allows administrators to restrict content access from within a network
    • Essentially a set of scripts or programs restricting user access to certain networking protocols/Internet locations
    • Primary purpose is to restrict internal access to external material
    • Most common content filters restrict users from accessing non-business Web sites or deny incoming spam.
  • 28. Protecting Remote Connections
    • Installing internetwork connections requires leased lines or other data channels; these connections are usually secured under the requirements of a formal service agreement.
    • When individuals seek to connect to an organization’s network, a more flexible option must be provided.
    • Options such as virtual private networks (VPNs) have become more popular due to the spread of the Internet.