What is a mechanism whereby an unverified entity called a supplicant that seeks access to a resource proposes a label by which they are known to the system?

If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology. BRUCE SCHNEIER, AMERICAN CRYPTOGRAPHER, COMPUTER SECURITY SPECIALIST, AND WRITER

Introduction § Technical controls are essential in enforcing policy for many IT functions that do not involve direct human control § Technical control solutions improve an organization’s ability to balance the objectives of making information readily available against increasing the information’s levels of confidentiality and integrity Principles of Information Security, 4 th Edition 2

Access Control § Access control: method by which systems determine whether and how to admit a user into a trusted area of the organization § Mandatory access controls (MACs): use data classification schemes § Nondiscretionary controls: strictly-enforced version of MACs that are managed by a central authority § Discretionary access controls (DACs): implemented at the discretion or option of the Principals dataof Information user Security, Fourth Edition 3

Identification § Identification: mechanism whereby an unverified entity that seeks access to a resource proposes a label by which they are known to the system § Supplicant: entity that seeks a resource § Identifiers can be composite identifiers, concatenating elements-department codes, random numbers, or special characters to make them unique § Some organizations generate random numbers Principals of Information Security, Fourth Edition 4

Authentication § Authentication: the process of validating a supplicant’s purported identity § Authentication factors § Something a supplicant knows § Something a supplicant has § Something a supplicant is Principals of Information Security, Fourth Edition 5

Authorization § Authorization: the matching of an authenticated entity to a list of information assets and corresponding access levels § Authorization can be handled in one of three ways § Authorization for each authenticated user § Authorization for members of a group § Authorization across multiple systems § Authorization tickets Principals of Information Security, Fourth Edition 6

Accountability § Accountability (auditability): ensures that all actions on a system—authorized or unauthorized —can be attributed to an authenticated identity § Most often accomplished by means of system logs and database journals, and the auditing of these records § Systems logs record specific information § Logs have many uses Principals of Information Security, Fourth Edition 7

Firewalls § Prevent specific types of information from moving between the outside world (untrusted network) and the inside world (trusted network) § May be § separate computer system; § software service running on existing router or server; § separate network containing supporting devices Principles of Information Security, 4 th Edition 8

Processing Modes of Firewalls § Five processing modes that firewalls can be categorized by are: § Packet filtering § Application gateways § Circuit gateways § MAC layer firewalls § Hybrids Principles of Information Security, 4 th Edition 9

Packet Filtering § Packet filtering firewalls examine header information of data packets § Most often based on combination of: § Internet Protocol (IP) source and destination address § Direction (inbound or outbound) § Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests § Simple firewall models enforce rules designed to prohibit packets with certain addresses or partial addresses Principles of Information Security, 4 th Edition 10

Principles of Information Security, 4 th Edition 11

Packet Filtering (continued) § Three subsets of packet filtering firewalls: § Static filtering: requires that filtering rules governing how the firewall decides which packets are allowed and which are denied are developed and installed § Dynamic filtering: allows firewall to react to emergent event and update or create rules to deal with event § Stateful inspection: firewalls that keep track of each network connection between internal and external using a state table Principles of Information systems Security, 4 th Edition 12

Application Gateways § Frequently installed on a dedicated computer; also known as a proxy server § Since proxy server is often placed in unsecured area of the network (e. g. , DMZ), it is exposed to higher levels of risk from less trusted networks § Additional filtering routers can be implemented behind the proxy server, further protecting internal systems Principles of Information Security, 4 th Edition 13

Circuit Gateways § Circuit gateway firewall operates at transport layer § Prevent direct connections between one network and another § Accomplished by creating tunnels connecting specific processes or systems on each side of the firewall, and allow only authorized traffic in the tunnels Principles of Information Security, 4 th Edition 14

MAC Layer Firewalls § Designed to operate at the media access control layer of OSI network model § Able to consider specific host computer’s identity in its filtering decisions § MAC addresses of specific host computers are linked to access control list (ACL) entries that identify specific types of packets that can be sent to each host; all other traffic is blocked Principles of Information Security, 4 th Edition 15

Principles of Information Security, 4 th Edition 16

Hybrid Firewalls § Combine elements of other types of firewalls; i. e. , elements of packet filtering and proxy services, or of packet filtering and circuit gateways § Alternately, may consist of two separate firewall devices; each a separate firewall system, but connected to work in tandem Principles of Information Security, 4 th Edition 17

Firewalls Categorized by Generation § First generation: static packet filtering firewalls § Second generation: application-level firewalls or proxy servers § Third generation: stateful inspection firewalls § Fourth generation: dynamic packet filtering firewalls; allow only packets with particular source, destination, and port addresses to enter § Fifth generation: kernel proxies; specialized form working under kernel of Windows NT Principles of Information Security, 4 th Edition 18

Firewalls Categorized by Structure § Most firewalls are appliances: stand-alone, selfcontained systems § Commercial-grade firewall system consists of firewall application software running on generalpurpose computer § Small office/home office (SOHO) or residentialgrade firewalls, aka broadband gateways or DSL/cable modem routers, connect user’s local area network or a specific computer system to Internetworking device § Residential-grade firewall software is installed directly on the user’s system Principles of Information Security, 4 th Edition 19

Firewall Architectures § Firewall devices can be configured in a number of network connection architectures § Configuration that works best depends on three factors: § Objectives of the network § Organization’s ability to develop and implement architectures § Budget available for function § Four common architectural implementations of firewalls: packet filtering routers, screened host firewalls, dual-homed firewalls, screened subnet Principles of Information Security, 4 th Edition 20

Packet Filtering Routers § Most organizations with Internet connection have a router serving as interface to Internet § Many of these routers can be configured to reject packets that organization does not allow into network § Drawbacks include a lack of auditing and strong authentication Principles of Information Security, 4 th Edition 21

Principles of Information Security, 4 th Edition 22

Screened Host Firewalls § Combines packet filtering router with separate, dedicated firewall such as an application proxy server § Allows router to prescreen packets to minimize traffic/load on internal proxy § Separate host is often referred to as bastion host; can be rich target for external attacks and should be very thoroughly secured Principles of Information Security, 4 th Edition 23

Principles of Information Security, 4 th Edition 24

Dual-Homed Host Firewalls § Bastion host contains two network interface cards (NICs): one connected to external network, one connected to internal network § Implementation of this architecture often makes use of network address translation (NAT), creating another barrier to intrusion from external attackers Principles of Information Security, 4 th Edition 25

Principles of Information Security, 4 th Edition 26

Screened Subnet Firewalls (with DMZ) § Dominant architecture used today is the screened subnet firewall § Commonly consists of two or more internal bastion hosts behind packet filtering router, with each host protecting trusted network: § Connections from outside (untrusted network) routed through external filtering router § Connections from outside (untrusted network) are routed into and out of routing firewall to separate network segment known as DMZ § Connections into trusted internal network allowed only from DMZ bastion host servers Principles of Information Security, 4 th Edition 27

Principles of Information Security, 4 th Edition 28

Selecting the Right Firewall § When selecting firewall, consider a number of factors: § What firewall offers right balance between protection and cost for needs of organization? § Which features are included in base price and which are not? § Ease of setup and configuration? How accessible are staff technicians who can configure the firewall? § Can firewall adapt to organization’s growing Principles of Information Security, 4 th Edition 29

Best Practices for Firewalls § All traffic from trusted network is allowed out § Firewall device never directly accessed from public network § Simple Mail Transport Protocol (SMTP) data allowed to pass through firewall § Internet Control Message Protocol (ICMP) data denied § Telnet access to internal servers should be blocked § When Web services are offered outside firewall, Principles of Information Security, 4 th Edition 30

Figure 6 -15 Example Network Configuration Principles of Information Security, Fourth Edition 31

Table 6 -5 Select Well-Known Port Numbers Principles of Information Security, Fourth Edition 32

Table 6 -16 External Filtering Firewall Inbound Interface Rule Set Principles of Information Security, Fourth Edition 33

Content Filters § Software filter—not a firewall—that allows administrators to restrict content access from within network § Essentially a set of scripts or programs restricting user access to certain networking protocols/Internet locations § Primary focus to restrict internal access to external material § Most common content filters restrict users from Principles of Information Security, 4 th Edition accessing non-business Web sites or deny 34

Protecting Remote Connections § Installing Internetwork connections requires leased lines or other data channels; these connections are usually secured under requirements of formal service agreement § When individuals seek to connect to organization’s network, more flexible option must be provided § Options such as virtual private networks (VPNs) have become more popular due to spread of. Security, Internet Principles of Information 4 th Edition 35

Remote Access § Unsecured, dial-up connection points represent a substantial exposure to attack § Attacker can use device called a war dialer to locate connection points § War dialer: automatic phone-dialing program that dials every number in a configured range and records number if modem picks up § Some technologies (RADIUS systems; TACACS; CHAP password systems) have improved authentication process Principles of Information Security, 4 th Edition 36

Virtual Private Networks (VPNs) § Private and secure network connection between systems; uses data communication capability of unsecured and public network § Securely extends organization’s internal network connections to remote locations beyond trusted network § Three VPN technologies defined: § Trusted VPN § Secure VPN § Hybrid VPN (combines trusted and secure) Principles of Information Security, 4 th Edition 37

Transport Mode § Data within IP packet is encrypted, but header information is not § Allows user to establish secure link directly with remote host, encrypting only data contents of packet § Two popular uses: § End-to-end transport of encrypted data § Remote access worker connects to office network over Internet by connecting to a VPN server on the perimeter Principles of Information Security, 4 th Edition 38

Principles of Information Security, 4 th Edition 39

Tunnel Mode § Organization establishes two perimeter tunnel servers § These servers act as encryption points, encrypting all traffic that will traverse unsecured network § Primary benefit to this model is that an intercepted packet reveals nothing about true destination system § Example of tunnel mode VPN: Microsoft’s Principles of Information Security, 4 th Edition 40

Principles of Information Security, 4 th Edition 41