"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."
Bruce Schneier, American cryptographer, computer security specialist, and writer

Introduction
§ Technical controls are essential in enforcing policy for many IT functions that do not involve direct human control
§ Technical control solutions improve an organization's ability to balance the objectives of making information readily available against increasing the information's levels of confidentiality and integrity

Principles of Information Security, 4th Edition

Access Control
§ Access control: the method by which systems determine whether and how to admit a user into a trusted area of the organization
§ Mandatory access controls (MACs): use data classification schemes
§ Nondiscretionary controls: a strictly enforced version of MACs that is managed by a central authority
§ Discretionary access controls (DACs): implemented at the discretion or option of the data user

Identification
§ Identification: the mechanism whereby an unverified entity that seeks access to a resource proposes a label by which it is known to the system
§ Supplicant: the entity that seeks a resource
§ Identifiers can be composite identifiers, concatenating elements (department codes, random numbers, or special characters) to make them unique
§ Some organizations generate random numbers

Authentication
§ Authentication: the process of validating a supplicant's purported identity
§ Authentication factors:
  § Something a supplicant knows
  § Something a supplicant has
  § Something a supplicant is

Authorization
§ Authorization: the matching of an authenticated entity to a list of information assets and corresponding access levels
§ Authorization can be handled in one of three ways:
  § Authorization for each authenticated user
  § Authorization for members of a group
  § Authorization across multiple systems
§ Authorization tickets

Accountability
§ Accountability (auditability): ensures that all actions on a system, authorized or unauthorized, can be attributed to an authenticated identity
§ Most often accomplished by means of system logs and database journals, and the auditing of these records
§ System logs record specific information
§ Logs have many uses

Firewalls
§ Prevent specific types of information from moving between the outside world (untrusted network) and the inside world (trusted network)
§ May be:
  § a separate computer system;
  § a software service running on an existing router or server;
  § a separate network containing supporting devices

Processing Modes of Firewalls
§ The five processing modes by which firewalls can be categorized are:
  § Packet filtering
  § Application gateways
  § Circuit gateways
  § MAC layer firewalls
  § Hybrids

Packet Filtering
§ Packet filtering firewalls examine the header information of data packets
§ Most often based on a combination of:
  § Internet Protocol (IP) source and destination address
  § Direction (inbound or outbound)
  § Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests
§ Simple firewall models enforce rules designed to prohibit packets with certain addresses or partial addresses

Packet Filtering (continued)
§ Three subsets of packet filtering firewalls:
  § Static filtering: requires that the filtering rules governing how the firewall decides which packets are allowed and which are denied are developed and installed
  § Dynamic filtering: allows the firewall to react to an emergent event and update or create rules to deal
with the event
  § Stateful inspection: firewalls that keep track of each network connection between internal and external systems using a state table

Application Gateways
§ Frequently installed on a dedicated computer; also known as a proxy server
§ Since the proxy server is often placed in an unsecured area of the network (e.g., the DMZ), it is exposed to higher levels of risk from less trusted networks
§ Additional filtering routers can be implemented behind the proxy server, further protecting internal systems

Circuit Gateways
§ A circuit gateway firewall operates at the transport layer
§ Prevents direct connections between one network and another
§ Accomplished by creating tunnels connecting specific processes or systems on each side of the firewall, and allowing only authorized traffic in the tunnels

MAC Layer Firewalls
§ Designed to operate at the media access control layer of the OSI network model
§ Able to consider a specific host computer's identity in its filtering decisions
§ MAC addresses of specific host computers are linked to access control list (ACL) entries that identify the specific types of packets that can be sent to each host; all other traffic is blocked

Hybrid Firewalls
§ Combine elements of other types of firewalls; i.e.,
elements of packet filtering and proxy services, or of packet filtering and circuit gateways
§ Alternately, may consist of two separate firewall devices, each a separate firewall system but connected to work in tandem

Firewalls Categorized by Generation
§ First generation: static packet filtering firewalls
§ Second generation: application-level firewalls or proxy servers
§ Third generation: stateful inspection firewalls
§ Fourth generation: dynamic packet filtering firewalls; allow only packets with particular source, destination, and port addresses to enter
§ Fifth generation: kernel proxies; a specialized form working under the kernel of Windows NT

Firewalls Categorized by Structure
§ Most firewalls are appliances: stand-alone, self-contained systems
§ A commercial-grade firewall system consists of firewall application software running on a general-purpose computer
§ Small office/home office (SOHO) or residential-grade firewalls, aka broadband gateways or DSL/cable modem routers, connect the user's local area network or a specific computer system to the internetworking device
§ Residential-grade firewall software is installed directly on the user's system

Firewall Architectures
§ Firewall devices can be configured in a number of network connection architectures
§ The configuration that works best depends on three factors:
  § Objectives of the network
  § Organization's ability to develop and implement architectures
  § Budget available for the function
§ Four common architectural implementations of firewalls: packet filtering routers, screened host firewalls, dual-homed firewalls, screened subnet firewalls

Packet Filtering Routers
§ Most organizations with an Internet connection have a router serving as the interface to the Internet
§ Many of these routers can be configured to reject packets that the organization
does not allow into the network
§ Drawbacks include a lack of auditing and strong authentication

Screened Host Firewalls
§ Combines a packet filtering router with a separate, dedicated firewall such as an application proxy server
§ Allows the router to prescreen packets to minimize traffic/load on the internal proxy
§ The separate host is often referred to as the bastion host; it can be a rich target for external attacks and should be very thoroughly secured

Dual-Homed Host Firewalls
§ The bastion host contains two network interface cards (NICs): one connected to the external network, one connected to the internal network
§ Implementation of this architecture often makes use of network address translation (NAT), creating another barrier to intrusion from external attackers

Screened Subnet Firewalls (with DMZ)
§ The dominant architecture used today is the screened subnet firewall
§ Commonly consists of two or more internal bastion hosts behind a packet filtering router, with each host protecting the trusted network:
  § Connections from outside (untrusted network) are routed through the external filtering router
  § Connections from outside (untrusted network) are routed into and out of the routing firewall to a separate network segment known as the DMZ
  § Connections into the trusted internal network are allowed only from the DMZ bastion host servers

Selecting the Right Firewall
§ When selecting a firewall, consider a number of factors:
  § What firewall offers the right balance between protection and cost for the needs of the organization?
  § Which features are included in the base price and which are not?
  § Ease of setup and configuration?
  § How accessible are the staff technicians who can configure the firewall?
  § Can the firewall adapt to the organization's growing

Best Practices for Firewalls
§ All traffic from the trusted network is allowed out
§ The firewall device is never directly accessed from the public network
§ Simple Mail Transport Protocol (SMTP) data is allowed to pass through the firewall
§ Internet Control Message Protocol (ICMP) data is denied
§ Telnet access to internal servers should be blocked
§ When Web services are offered outside the firewall,

Figure 6-15 Example Network Configuration (figure not reproduced)

Table 6-5 Select Well-Known Port Numbers (table not reproduced)

Table 6-16 External Filtering Firewall Inbound Interface Rule Set (table not reproduced)

Content Filters
§ A software filter, not a firewall, that allows administrators to restrict content access from within the network
§ Essentially a set of scripts or programs restricting user access to certain networking protocols/Internet locations
§ Primary focus is to restrict internal access to external material
§ Most common content filters restrict users from accessing non-business Web sites or deny

Protecting Remote Connections
§ Installing internetwork connections requires leased lines or other data channels; these connections are usually secured under the requirements of a formal service agreement
§ When individuals seek to connect to the organization's network, a more flexible option must be provided
§ Options such as virtual private networks (VPNs) have become more popular due to the spread of
the Internet

Remote Access
§ Unsecured, dial-up connection points represent a substantial exposure to attack
§ An attacker can use a device called a war dialer to locate connection points
§ War dialer: an automatic phone-dialing program that dials every number in a configured range and records the number if a modem picks up
§ Some technologies (RADIUS systems; TACACS; CHAP password systems) have improved the authentication process

Virtual Private Networks (VPNs)
§ A private and secure network connection between systems; uses the data communication capability of an unsecured and public network
§ Securely extends the organization's internal network connections to remote locations beyond the trusted network
§ Three VPN technologies are defined:
  § Trusted VPN
  § Secure VPN
  § Hybrid VPN (combines trusted and secure)

Transport Mode
§ Data within the IP packet is encrypted, but header information is not
§ Allows a user to establish a secure link directly with a remote host, encrypting only the data contents of the packet
§ Two popular uses:
  § End-to-end transport of encrypted data
  § A remote access worker connects to the office network over the Internet by connecting to a VPN server on the perimeter

Tunnel Mode
§ The organization establishes two perimeter tunnel servers
§ These servers act as encryption points, encrypting all traffic that will traverse the unsecured network
§ The primary benefit of this model is that an intercepted packet reveals nothing about the true destination system
§ Example of a tunnel mode VPN: Microsoft's
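Returning to the packet filtering, stateful inspection and best-practice slides above: an added example, not from the textbook, that turns the best-practice bullets (firewall never reached from outside, ICMP denied, Telnet to internal servers blocked, SMTP allowed) into a first-match inbound rule set, and then adds a state table so that replies to connections opened from the trusted network pass even though no static inbound rule permits them. The addresses, the rule order and the `Packet` type are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample topology (not from the textbook): 203.0.113.0/24 is the
# trusted network, .1 the firewall's public interface, .25 the DMZ SMTP host.
TRUSTED = ip_network("203.0.113.0/24")
FIREWALL = "203.0.113.1"
MAIL_HOST = "203.0.113.25"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int      # 0 for ICMP
    dport: int


def inbound_static(p: Packet) -> str:
    """First-match inbound rule set modelled on the 'Best Practices' bullets."""
    if p.dst == FIREWALL:                     # firewall never reached from outside
        return "deny"
    if p.proto == "icmp":                     # ICMP denied
        return "deny"
    if p.proto == "tcp" and p.dport == 23:    # Telnet to internal servers blocked
        return "deny"
    if p.proto == "tcp" and p.dport == 25 and p.dst == MAIL_HOST:
        return "allow"                        # SMTP allowed through, to the mail host only
    return "deny"                             # implicit final deny


class StatefulFirewall:
    """Static rules plus a state table: replies to flows the inside opened pass."""

    def __init__(self) -> None:
        self.state = set()   # entries: (in_host, in_port, out_host, out_port, proto)

    def outbound(self, p: Packet) -> str:
        if ip_address(p.src) not in TRUSTED:
            return "deny"                 # only the trusted side may originate traffic
        self.state.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return "allow"                    # all traffic from the trusted network allowed out

    def inbound(self, p: Packet) -> str:
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.state:
            return "allow"                # reply to a flow recorded in the state table
        return inbound_static(p)          # otherwise fall back to the static rule set
```

The same reply packet is dropped by `inbound_static` and accepted by `StatefulFirewall.inbound`, which is the difference the slides draw between static filtering and stateful inspection.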
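The transport-mode and tunnel-mode slides above describe which part of a packet is encrypted in each mode; this added example (not from the textbook) builds both encapsulations for a toy packet layout and shows what an interceptor on the unsecured network can read in each case. The hosts, the `src>dst>nonce|` layout and the HMAC-based keystream standing in for a real VPN cipher are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed hosts (not from the textbook): an inside workstation talking to a
# remote server through two perimeter tunnel servers, TUN_A (ours) and TUN_B (theirs).
INSIDE, REMOTE = "10.0.0.5", "192.0.2.9"
TUN_A, TUN_B = "203.0.113.1", "198.51.100.1"


def keystream_xor(key, nonce, data):
    """Illustrative HMAC-SHA256 counter-mode keystream so the example runs on the
    standard library; it stands in for the VPN's real packet cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def build(src, dst, nonce, payload):
    """Toy packet layout: cleartext header 'src>dst>nonce|' followed by the payload."""
    return f"{src}>{dst}>{nonce.hex()}|".encode() + payload


def header(packet):
    hdr, _, payload = packet.partition(b"|")
    src, dst, nonce = hdr.decode().split(">")
    return src, dst, bytes.fromhex(nonce), payload


def transport_mode(key, body):
    """Transport mode: the real header stays in the clear, only the data is encrypted."""
    nonce = os.urandom(8)
    return build(INSIDE, REMOTE, nonce, keystream_xor(key, nonce, body))


def tunnel_mode(key, body):
    """Tunnel mode: the whole original packet, header included, is encrypted and
    carried inside a new packet addressed between the two tunnel servers."""
    inner = build(INSIDE, REMOTE, b"", body)
    nonce = os.urandom(8)
    return build(TUN_A, TUN_B, nonce, keystream_xor(key, nonce, inner))


def observer_view(packet):
    """What an interceptor on the unsecured network learns from the packet."""
    src, dst, _, _ = header(packet)
    return src, dst


def tunnel_receive(key, packet):
    """TUN_B decrypts the outer payload and recovers the true inner packet."""
    _, _, nonce, payload = header(packet)
    src, dst, _, body = header(keystream_xor(key, nonce, payload))
    return src, dst, body
```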