Unit 3:

Security Technologies: Firewalls & VPNs

Technical Control & Physical Design

Access Control
Mandatory access controls (MACs) - lattice-based access control Nondiscretionary controls - role-based Controls & task-based controls

Discretionary access controls (DACs)

all access control approaches rely on as the following mechanisms:

Identification Authentication Authorization Accountability

Firewalls
Firewalls can be categorized by processing mode, development era, or structure.

Firewall Processing Modes

packet-filtering firewalls, Application gateways, circuit gateways, MAC layer firewalls, and hybrids.

packet-filtering firewalls

 IP source and destination address Direction (inbound or outbound) Protocol (for firewalls capable of examining the IP protocol layer) Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests (for firewalls capable of examining the TCP/UPD layer)

 There are three subsets of packet-filtering firewalls: static filtering, dynamic filtering, and stateful inspection.

Application Gateways
The application firewall is also known as a proxy server since it runs special software that acts as a proxy for a service request.

Circuit Gateways
operates at the transport layer

Do prevent direct connections between one network and another.

Creating tunnels connecting specific processes or systems on each side of the firewall, and then allowing only authorized traffic,

MAC Layer Firewalls & Hybrid Firewalls

Firewalls Categorized by Generation

First generation firewalls are static packet-filtering firewalls Second generation firewalls are application-level firewalls or proxy servers

Third generation firewalls are stateful inspection firewalls,

Fourth generation firewalls, which are also known as dynamic packet-filtering firewalls,

Fifth generation firewalls include the kernel proxy,

Firewalls Categorized by Structure

Commercial-Grade Firewall Appliances Commercial-Grade Firewall Systems Small Office/Home Office (SOHO) Firewall Appliances Residential-Grade Firewall Software

Firewall Architectures
The configuration that works best for a particular organization depends on three factors: The objectives of the network,

the organizations ability to develop and implement the architectures, and

the budget available for the function.

common architectural implementations

Packet-filtering routers, Screened host firewalls, dual-homed firewalls, and Screened Subnet (DMZ)

Screened host firewalls,

Dual-Homed Host Firewall

Screened Subnet (DMZ)

SOCKS Servers
SOCKS is the protocol for handling TCP traffic via a proxy server.

place the filtering requirements on the individual workstation rather than on a single point of defense (and thus point of failure).

Selecting the Right Firewall

1. Which type of firewall technology offers the right balance between protection and cost for the needs of the organization? 2. What features are included in the base price? What features are available at extra cost? Are all cost factors known? 3. How easy is it to set up and configure the firewall? How accessible are the staff technicians who can competently configure the firewall? 4. Can the candidate firewall adapt to the growing network in the target organization?

Configuring and Managing Firewalls

Good policy and practice dictates that each firewall device the configuration of firewall policies can be complex and difficult.

syntax errors and logic errors

Configuring firewall policies is as much an art as it is a science.

organizations are much more willing to live with potential risk than certain failure.

Best Practices for Firewalls

All traffic from the trusted network is allowed out. This allows members of the organization to access the services they need. The firewall device is never directly accessible from the public network for configuration or management purposes. Only authorized firewall administrators access the device through secure authentication mechanisms, preferably via a method that is based on cryptographically strong authentication and uses two-factor access control techniques.

 Simple Mail Transport Protocol (SMTP) data is allowed to enter through the firewall, but is routed to a well-configured SMTP gateway to filter and route messaging traffic securely. All Internet Control Message Protocol (ICMP) data should be denied. Known as the ping service, ICMP is a common method for hacker reconnaissance and should be turned off to prevent snooping.

 Telnet (terminal emulation) access to all internal servers from the public networks should be blocked. At the very least, Telnet access to the organizations Domain Name System (DNS) server should be blocked to prevent illegal zone transfers and to prevent attackers from taking down the organizations entire network. If internal users need to access an organizations network from outside the firewall, the organization should enable them to use a Virtual Private Network (VPN) client or other secure system that provides a reasonable level of authentication.

 When Web services are offered outside the firewall, HTTP traffic should be blocked from internal networks through the use of some form of proxy access or DMZ architecture. That way, if any employees are running Web servers for internal use on their desktops, the services are invisible to the outside Internet.

All data that is not verifiably authentic should be denied

Firewall Rules
that which is not permitted is prohibited, - expressly permitted rules

External Filtering Firewall Outbound Interface Rule Set

Content Filters
A content filter is a software filtertechnically not a firewall reverse firewalls, content filter has two components: rating and filtering.

 The rating is like a set of firewall rules for Web sites and is common in residential content filters. The rating can be complex, with multiple access control settings for different levels of the organization, or it can be simple, with a basic allow/ deny scheme like that of a firewall.

The filtering is a method used to restrict specific access requests to the identified resources, which may be Web sites, servers, or whatever resources the content filter administrator configures.

Protecting Remote Connections

Remote Access

Remote Authentication Dial-In User Service (RADIUS)

Terminal Access Controller Access Control System (TACACS)

TACACS, - combines authentication and authorization services. Extended TACACS - separates the steps needed to authenticate. & keeps records for accountability,

TACACS+ - uses dynamic

passwords and incorporates two-factor authentication.

Kerberos

 uses symmetric key encryption to validate keeps a database containing the private keys of clients and servers also generates temporary session keys, which are private keys given to the two parties in a conversation.

Kerberos consists of three interacting services, all of which use a database library:
1. Authentication server (AS), which is a Kerberos server that authenticates clients and servers. 2. Key Distribution Center (KDC), which generates and issues session keys.

3. Kerberos ticket granting service (TGS), which provides tickets to clients who request services. In Kerberos a ticket is an identification card for a particular client that verifies to the server that the client is requesting services and that the client is a valid member of the Kerberos system and therefore authorized to receive services. The ticket consists of the clients name and network address, a ticket validation starting and ending time, and the session key, all encrypted in the private key of the server from which the client is requesting services.

Kerberos is based on the following principles:

The KDC knows the secret keys of all clients and servers on the network. The KDC initially exchanges information with the client and server by using these secret keys. Kerberos authenticates a client to a requested service on a server through TGS and by issuing temporary session keys for communications between the client and KDC, the server and KDC, and the client and server. Communications then take place between the client and server using these temporary session keys.

Secure European System for Applications in a Multivendor Environment (SESAME)

token is then presented to a privilege attribute server (instead of a ticket granting service as in Kerberos) SESAME uses public key encryption to distribute secret keys

 The SESAME technology offers sophisticated single sign-on with added distributed access control features and cryptographic protection of interchanged data. SESAME is similar to Kerberos, but has a lot of extensions to Kerberos. one important extension is it supports role based access control using PAS (Privilege Arribute Server)

http://www.cs.nyu.edu/~wanghua/course/security/final/present ation.html

virtual private network (VPN)

a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.

 Virtual Private Network Consortium (VPNC) defines three VPN technologies: Trusted VPNs,

secure VPNs, and

hybrid VPNs.

 Encapsulation of incoming and outgoing data, Encryption of incoming and outgoing data Authentication of the remote computer and, perhaps, the remote user as well.

Transport Mode

Tunnel Mode