Faculty of Computing and Informatics

Department of Computer Sciences

IT Systems Security
Firewalls and analysis tools

Mercy Chitauro
 Faculty of Computing and Informatics
Department of Computer Sciences

Outline
1. Firewalls
2. Wireless Network Security
3. Scanning and Analysis Tools
 Firewalls
• Firewalls in a building are intended to
inhibit the spread of fire from one part of
the building to another
 Firewall

https://sdinspect.com/health-and-safety/understanding-firewalls/
 What is a Firewall?
• A Firewall is a device that filters all traffic
between a protected ‘inside’ network
and a less trustworthy or ‘outside’
network.
• Usually runs on a dedicated device
• A firewall permits or blocks data flow
between two parts of a network
architecture.
 Firewall Default Behavior
• Default permit – that which is not
expressly forbidden is permitted
• Default deny – that which is not
expressly permitted is forbidden
 Firewalls ctd…
• Firewalls enforce predetermined rules
governing what traffic can flow
• A firewall implements a security policy – a
set of rules that determine what traffic can
or cannot pass through the firewall.
• A firewall is an example of a reference
monitor which means it has 3 characteristics
– Always invoked
– Tamperproof
– Small and simple enough for rigorous analysis
 Firewall as reference Monitor
• Firewall is always ‘invoked’
– Placement ensures that all traffic to be
controlled passes through the firewall
• Tamperproof
– Usually isolated
– Runs minimal OS services
• Small and simple enough for rigorous
analysis
– Functionality is very simple
 Types of Firewalls
• Packet Filtering Gateways or screening
routers
• Stateful inspection firewalls
• Application-level gateways or proxies
• Circuit level gateways
• Guards
• Personal firewalls
 Packet Filter

• Controls access on the

basis of packet address,
(src or dest) or specific
transport protocol
• Do see inside a packet
• Disadvantage – inspection
is too simplistic to perform
sophisticated filtering

Packet Filter
 Stateful Inspection

• Maintains state
information from one
packet to another in the
input stream
 Application Proxy Gateway
• Simulates the behavior of a
protected application on the inside
network, allowing only safe data
• Acts as a relay of application-level
traffic
• If the gateway does not implement
the proxy code for a specific
application, the service is not
supported and cannot be
forwarded across the firewall
• The gateway can be configured to
support only specific features of an
application that the network
administrator considers acceptable
while denying all other features
Proxy firewall
 Circuit-level Gateway

• A firewall that allows one

network to be an extension
of another one
• Layer 5
• Does not permit an end-to-
end TCP connection
• The security function
consists of determining
which connections will be
allowed Circuit level gateway
 Guard
• A sophisticated firewall
• Receives PDUs interprets them, and
emits different protocol data units that
achieve the same or modified result
• A guard can implement any
programmable set of conditions, even if
sophisticated
 Host-Based Firewall

• A software module used to secure an

individual host
• Is available in many operating systems or
can be provided as an add-on package
• Filters and restricts the flow of packets
Firewall Implementation
1. screening router

Screening
2. Firewall on a Separate LAN
3. Application Proxy
Demilitarised Zone (DMZ)
What Firewalls Can and Cannot Do
• Firewalls can protect an environment only if they control
the entire perimeter
• Firewalls do not protect data outside the perimeter
• Firewalls are the most visible part of an installation to the
outside, so they are an attractive target for attack
• Firewalls must be correctly configured, that configuration
must be updated as the environment changes, and firewall
activity reports must be reviewed periodically for evidence
of attempted or successful intrusion
• Firewalls exercise only minor control over the content
admitted to the inside, meaning that inaccurate or
malicious code must be controlled by means inside the
perimeter
 Firewall limitations
Cannot protect against
attacks that bypass the
firewall

May not protect fully against

A laptop, PDA, or portable
internal threats, such as a
storage device may be used
disgruntled employee or an
and infected outside the
corporate network, and then A Firewall employee who unwittingly
cooperates with an external
attached and used internally
attacker

Cannot guard against

wireless communications
between local systems on
different sides of the internal
firewall
 Exercise
• Choose from the list of events given below
instances where a firewall will not be able to
protect the system.
1. Internal employee escalating rights
2. A laptop infected outside and then plugged in
the system
3. A website that is not allowed to be accessed by
the system users
4. Attacks aiming for the firewall
5. VLAN 10 and VLAN 40 which should not share
files
Wireless Network Security
 Vulnerabilities in Wireless Networks
• Confidentiality – data signals sent in the
open
• Integrity – change content of communication
• Availability – rogue network communication
• Unauthorised Wi-Fi access
• Wi-Fi protocol weaknesses
– Picking up the beacon
– SSID in frames
– Association Issues
 Failed Countermeasure: WEP
• Wired equivalent privacy, or WEP, was
designed at the same time as the original
802.11 WiFi standards as the mechanism
for securing those communications
• Weaknesses in WEP were first identified
in 2001, four years after release
• More weaknesses were discovered over
the course of years, until any WEP-
encrypted communication could be
cracked in a matter of minutes
 How WEP Works
• Client and access point (AP) have a pre-
shared key
• AP sends a random number to the client,
which the client then encrypts using the key
and returns to the AP
• The AP decrypts the number using the key
and checks that it’s the same number to
authenticate the client
• Once the client is authenticated, the AP and
client communicate using messages
encrypted with the key
 WEP Weaknesses
• Weak encryption key
• WEP allows to be either 64- or 128-bit, but 24 of those bits
are reserved for initialization vectors (IV), thus reducing
effective key size to 40 or 140 bits
• Keys were either alphanumeric or hex phrases that users
typed in and were therefore vulnerable to dictionary
attacks
• Static key
• Since the key was just a value the user typed in at the client
and AP, and since users rarely changed those keys, one key
would be used for many months of communications
• Weak encryption process
• A 40-bit key can be brute forced easily. Flaws that were
eventually discovered in the RC4 encryption algorithm WEP
uses made the 104-bit keys easy to crack as well
 WEP Weaknesses (cont.)
• Weak encryption algorithm
• WEP used RC4 in a strange way (always a bad sign), which
resulted in a flaw that allowed attackers to decrypt large
portions of any WEP communication
• IV collisions
• There were only 16 million possible values of IV, which, in
practice, is not that many to cycle through for cracking. Also,
they were not as randomly selected as they should have been,
with some values being much more common than others
• Faulty integrity check
• WEP messages included a checksum to identify transmission
errors but did not use one that could address malicious
modification
• No authentication: Any client that knows the AP’s SSID and MAC
address is assumed to be legitimate
 WPA (WiFi Protected Access)
• WPA was designed in 2003 as a replacement for WEP
and was quickly followed in 2004 by WPA2, the
algorithm that remains the standard today
• Non-static encryption key
– WPA uses a hierarchy of keys: New keys are generated for
confidentiality and integrity of each session, and the
encryption key is automatically changed on each packet
– This way, the keys that are most important are used in
very few places and indirect ways, protecting them from
disclosure
• Authentication
– WPA allows authentication by password, token, or
certificate
 WPA (cont.)
• Strong encryption
– WPA adds support for AES, a much more reliably
strong encryption algorithm
• Integrity protection
– WPA includes a 64-bit cryptographic integrity check
• Session initiation
– WPA sessions begin with authentication and a four-
way handshake that results in separate keys for
encryption and integrity on both ends
• While there are some attacks against WPA, they
are either of very limited effectiveness or
require weak passwords
Scanning and Analysis Tools

By Alicia Coon
 Scanning and Analysis Tools

• Used to establish exactly where the

network needs securing
• Enable security administrators to see
what the attacker sees
• Identify vulnerabilities
 Analysis Tools
• Scanners
• Packet Sniffers
• Trap Tools
 Port Scanners
• Software that is capable of finding all of
the active computers, open ports, and
services on a network
• Example
– Nmap
 Vulnerability Scanners
• Are capable of scanning networks for
very detailed information
• Examples
– Nmap
– Nessus
 Packet Sniffers
• A network tool that collects and analyzes
copies of packets from a network
• Needs to be on the network that you
want to sniff
• Example
– Wireshark
 Trap Tools
• Trap
– Luring an attacker into the network
• Example
– Honeypot
 Honeypot
• An electronic decoy that is put on a
system’s network to trick an attacker into
thinking he/she has hacked into the
system
• Goal is to capture information about the
activity of the attacker
Honeypot Locations
 Summary
• A Firewall is a device that filters all traffic
between a protected ‘inside’ network
and a less trustworthy or ‘outside’
network.
• WPA was designed in 2003 as a
replacement for WEP and was quickly
followed in 2004 by WPA2, the algorithm
that remains the standard today
• Scanning tools used to establish exactly
where the network needs securing
 13 Storch Street T: +264 61 207 2258
Private Bag 13388 F: +264 61 207 9258
Windhoek E: [email protected]
NAMIBIA W: www.nust.na

Faculty of Computing and Informatics

Department of Computer Sciences

QUESTIONS?
 References for this Chapter
• Pfleeger, C. P., & Pfleeger, L. S. (2015).
Security in computing (5th ed.). New
Jersey, USA: Pearson Education Inc
• Whitman, M. E. & Mattord, H. J. (2014).
Management of information security (4th
ed.). Thomson Course Technology