Principles of Information Security,

Fifth Edition

Chapter 6
Security Technology: Firewalls and
VPNs
If you think technology can solve your security problems,
then you don’t understand the problems and you don’t
understand the technology.
BRUCE SCHNEIER, AMERICAN CRYPTOGRAPHER,
COMPUTER SECURITY SPECIALIST, AND WRITER
 Learning Objectives

• Upon completion of this material, you should be

able to:
– Discuss the important role of access control in
computer-based information systems, and identify
and discuss widely used authentication factors
– Describe firewall technology and the various
approaches to firewall implementation
– Identify the various approaches to control remote
and dial-up access by authenticating and authorizing
users

Principles of Information Security, Fifth Edition 2

 Learning Objectives (cont’d)
– Discuss content filtering technology
– Describe virtual private networks and discuss the
technology that enables them

Principles of Information Security, Fifth Edition 3

 Introduction

• Technical controls are essential in enforcing policy

for many IT functions not under direct human
control.
• When properly implemented, technical control
solutions improve an organization’s ability to
balance the objectives of making information
readily available and preserving information’s
confidentiality and integrity.

Principles of Information Security, Fifth Edition 4

 Access Control

• Access control: method by which systems

determine whether and how to admit a user into a
trusted area of the organization
• Mandatory access controls (MACs): use data
classification schemes
• Discretionary access controls (DACs): allow users
to control and possibly provide access to
information/resources at their disposal
• Nondiscretionary controls: strictly enforced version
of MACs that are managed by a central authority

Principles of Information Security, Fifth Edition 5

Principles of Information Security, Fifth Edition 6
 Identification

• Identification: mechanism whereby unverified

entities seeking access to a resource (supplicants)
provide a label by which they are known to the
system
• Identifiers can be composite identifiers,
concatenating elements—department codes,
random numbers, or special characters—to make
them unique.
• Some organizations generate random numbers.

Principles of Information Security, Fifth Edition 7

 Authentication

• Authentication: the process of validating a

supplicant’s purported identity
• Authentication factors
– Something a supplicant knows
• Password: a private word or a combination of
characters that only the user should know
• Passphrase: a series of characters, typically longer
than a password, from which a virtual password is
derived

Principles of Information Security, Fifth Edition 8

 Authentication (cont’d)

• Authentication factors (cont’d)

– Something a supplicant has
• Dumb card: ID or ATM card with magnetic stripe
• Smart card: contains a computer chip that can verify
and validate information
• Synchronous tokens
• Asynchronous tokens
– Something a supplicant is
• Relies upon individual characteristics
• Strong authentication

Principles of Information Security, Fifth Edition 9

 Authorization

• Authorization: the matching of an authenticated

entity to a list of information assets and
corresponding access levels
• Authorization can be handled in one of three ways:
– Authorization for each authenticated user
– Authorization for members of a group
– Authorization across multiple systems
• Authorization tickets

Principles of Information Security, Fifth Edition 10

 Accountability

• Accountability (auditability): ensures that all actions

on a system—authorized or unauthorized—can be
attributed to an authenticated identity
• Most often accomplished by means of system logs
and database journals, and the auditing of these
records
• Systems logs record specific information.
• Logs have many uses.

Principles of Information Security, Fifth Edition 11

 Biometrics

• Approach based on the use of measurable human

characteristics/traits to authenticate identity
• Only fingerprints, retina of eye, and iris of eye are
considered truly unique.
• Evaluated on false reject rate, false accept rate,
and crossover error rate
• Highly reliable/effective biometric systems are often
considered intrusive by users.

Principles of Information Security, Fifth Edition 12

Principles of Information Security, Fifth Edition 13
Principles of Information Security, Fifth Edition 14
 Access Control Architecture Models

• Illustrate access control implementations and can

help organizations quickly make improvements
through adaptation
• Trusted computing base (TCB)
– Part of TCSEC Rainbow Series
– Used to enforce security policy (rules of system
configuration)
– Biggest challenges include covert channels
• Storage channels
• Timing channels

Principles of Information Security, Fifth Edition 15

 Access Control Architecture Models
(cont’d)
• ITSEC: an international set of criteria for evaluating
computer systems
– Compares Targets of Evaluation (ToE) to detailed security
function specifications
• The Common Criteria
– Considered successor to both TCSEC and ITSEC
• Bell-LaPadula Confidentiality Model
– Model of an automated system able to manipulate its state or
status over time
• Biba Integrity Model
– Based on “no write up, no read down” principle

Principles of Information Security, Fifth Edition 16

 Access Control Architecture Models
(cont’d)
• Clark-Wilson Integrity Model
– No changes by unauthorized subjects
– No unauthorized changes by authorized subjects
– Maintenance of internal and external consistency
• Graham-Denning Access Control Model
– Composed of set of objects, set of subjects, and set of rights
• Harrison-Ruzzo-Ullman Model
– Defines method to allow changes to access rights and
addition/removal of subjects/objects
• Brewer-Nash Model (Chinese Wall)
– Designed to prevent conflict of interest between two
parties
Principles of Information Security, Fifth Edition 17
 Firewalls

• Prevent specific types of information from moving

between an untrusted network (the Internet) and a
trusted network (organization’s internal network)
• May be:
– Separate computer system
– Software service running on existing router or server
– Separate network containing supporting devices

Principles of Information Security, Fifth Edition 18

 Firewalls Processing Modes

• Five processing modes by which firewalls can be

categorized:
– Packet filtering
– Application gateways
– Circuit gateways
– MAC layer firewalls
– Hybrids

Principles of Information Security, Fifth Edition 19

 Packet-Filtering Firewalls

• Packet-filtering firewalls examine the header

information of data packets.
• Most often based on the combination of:
– IP source and destination address
– Direction (inbound or outbound)
– Transmission Control Protocol (TCP) or User
Datagram Protocol (UDP) source and destination
port requests
• Simple firewall models enforce rules designed to
prohibit packets with certain addresses or partial
addresses from passing through device.
Principles of Information Security, Fifth Edition 20
Principles of Information Security, Fifth Edition 21
Principles of Information Security, Fifth Edition 22
Principles of Information Security, Fifth Edition 23
Principles of Information Security, Fifth Edition 24
 Packet-Filtering Firewalls (cont’d)

• Three subsets of packet-filtering firewalls:

– Static filtering: requires that filtering rules be
developed and installed within the firewall
– Dynamic filtering: allows firewall to react to emergent
event and update or create rules to deal with event
– Stateful inspection: firewalls that keep track of each
network connection between internal and external
systems using a state table

Principles of Information Security, Fifth Edition 25

Principles of Information Security, Fifth Edition 26
 Application Layer Firewall

• Frequently installed on a dedicated computer; also

known as a proxy server
• Since proxy server is often placed in unsecured
area of the network (e.g., DMZ), it is exposed to
higher levels of risk from less trusted networks.
• Additional filtering routers can be implemented
behind the proxy server, further protecting internal
systems.

Principles of Information Security, Fifth Edition 27

 Firewall Processing Modes (cont’d)

• MAC layer firewalls

– Designed to operate at media access control
sublayer of network’s data link layer
– Make filtering decisions based on specific host
computer’s identity
– MAC addresses of specific host computers are
linked to access control list (ACL) entries that
identify specific types of packets that can be sent to
each host; all other traffic is blocked.

Principles of Information Security, Fifth Edition 28

Principles of Information Security, Fifth Edition 29
 Firewall Processing Modes (cont’d)

• Hybrid firewalls
– Combine elements of other types of firewalls, that is,
elements of packet filtering and proxy services, or of
packet filtering and circuit gateways
– Alternately, may consist of two separate firewall
devices; each a separate firewall system, but
connected to work in tandem
– Enables an organization to make security
improvement without completely replacing existing
firewalls

Principles of Information Security, Fifth Edition 30

 Firewall Architectures

• Firewall devices can be configured in several

network connection architectures.
• Best configuration depends on three factors:
– Objectives of the network
– Organization’s ability to develop and implement
architectures
– Budget available for function
• Four common architectural implementations of
firewalls: packet-filtering routers, dual-homed
firewalls (bastion hosts), screened host firewalls,
screened subnet firewalls
Principles of Information Security, Fifth Edition 31
 Firewall Architectures (cont’d)

• Packet-filtering routers
– Most organizations with Internet connection have a
router at the boundary between internal networks
and external service provider.
– Many of these routers can be configured to reject
packets that the organization does not allow into its
network.
– Drawbacks include a lack of auditing and strong
authentication.

Principles of Information Security, Fifth Edition 32

 Firewall Architectures (cont’d)

• Bastion hosts
– Commonly referred to as sacrificial host, as it stands
as sole defender on the network perimeter
– Contains two network interface cards (NICs): one
connected to external network, one connected to
internal network
– Implementation of this architecture often makes use
of network address translation (NAT), creating
another barrier to intrusion from external attackers.

Principles of Information Security, Fifth Edition 33

Principles of Information Security, Fifth Edition 34
Principles of Information Security, Fifth Edition 35
 Firewall Architectures (cont’d)

• Screened host firewalls

– Combines packet-filtering router with separate,
dedicated firewall such as an application proxy
server
– Allows router to prescreen packets to minimize
traffic/load on internal proxy
– Requires external attack to compromise two
separate systems before attack can access internal
data

Principles of Information Security, Fifth Edition 36

Principles of Information Security, Fifth Edition 37
 Firewall Architectures (cont’d)

• Screened subnet firewall (with DMZ)

– Is the dominant architecture used today
– Commonly consists of two or more internal bastion
hosts behind packet-filtering router, with each host
protecting a trusted network:
• Connections from outside or untrusted network are
routed through external filtering router.
• Connections from outside or untrusted network are
routed into and out of routing firewall to separate the
network segment known as DMZ.
• Connections into trusted internal network are allowed
only from DMZ bastion host servers.
Principles of Information Security, Fifth Edition 38
Principles of Information Security, Fifth Edition 39
Principles of Information Security, Fifth Edition 40
 Firewall Architectures (cont’d)

• Screened subnet performs two functions:

– Protects DMZ systems and information from outside
threats
– Protects the internal networks by limiting how
external connections can gain access to internal
systems
• Another facet of DMZs: extranets

Principles of Information Security, Fifth Edition 41

 Firewall Architectures (cont’d)

• SOCKS servers
– SOCKS is the protocol for handling TCP traffic via a
proxy server.
– A proprietary circuit-level proxy server that places
special SOCKS client-side agents on each
workstation
– A SOCKS system can require support and
management resources beyond those of traditional
firewalls.

Principles of Information Security, Fifth Edition 42

 Selecting the Right Firewall

• When selecting the firewall, consider a number of

factors:
– What firewall technology offers right balance between
protection and cost for the needs of organization?
– Which features are included in the base price and
which are not?
– Ease of setup and configuration? How accessible are
staff technicians who can configure the firewall?
– Can firewall adapt to organization’s growing network?
• Second most important issue is cost.

Principles of Information Security, Fifth Edition 43

 Configuring and Managing Firewalls

• The organization must provide for the initial

configuration and ongoing management of firewall(s).
• Each firewall device must have its own set of
configuration rules regulating its actions.
• Firewall policy configuration is usually complex and
difficult.
• Configuring firewall policies is both an art and a
science .
• When security rules conflict with the performance of
business, security often loses.
Principles of Information Security, Fifth Edition 44
 Configuring and Managing Firewalls
(cont’d)
• Best practices for firewalls
– All traffic from the trusted network is allowed out.
– Firewall device is never directly accessed from public
network.
– Simple Mail Transport Protocol (SMTP) data are allowed
to pass through firewall.
– Internet Control Message Protocol (ICMP) data are denied
– Telnet access to internal servers should be blocked.
– When Web services are offered outside the firewall, HTTP
traffic should be blocked from reaching internal networks.
– All data not verifiably authentic should be denied.
Principles of Information Security, Fifth Edition 45
 Configuring and Managing Firewalls
(cont’d)
• Firewall rules
– Firewalls operate by examining data packets and
performing comparison with predetermined logical
rules.
– The logic is based on a set of guidelines most
commonly referred to as firewall rules, rule base, or
firewall logic.
– Most firewalls use packet header information to
determine whether specific packet should be allowed
or denied.

Principles of Information Security, Fifth Edition 46

Principles of Information Security, Fifth Edition 47
Principles of Information Security, Fifth Edition 48
Principles of Information Security, Fifth Edition 49
 Content Filters

• Software filter—not a firewall—that allows

administrators to restrict content access from within a
network
• Essentially a set of scripts or programs restricting
user access to certain networking protocols/Internet
locations
• Primary purpose to restrict internal access to external
material
• Most common content filters restrict users from
accessing non-business Web sites or deny incoming
spam.
Principles of Information Security, Fifth Edition 50
 Protecting Remote Connections

• Installing Internetwork connections requires leased

lines or other data channels; these connections are
usually secured under the requirements of a formal
service agreement.
• When individuals seek to connect to an
organization’s network, a more flexible option must
be provided.
• Options such as virtual private networks (VPNs)
have become more popular due to the spread of
Internet.

Principles of Information Security, Fifth Edition 51

 Remote Access

• Unsecured, dial-up connection points represent a

substantial exposure to attack.
• Attacker can use a device called a war dialer to
locate the connection points.
• War dialer: automatic phone-dialing program that
dials every number in a configured range and
records number if modem picks up
• Some technologies (RADIUS systems; TACACS;
CHAP password systems) have improved the
authentication process.

Principles of Information Security, Fifth Edition 52

 Remote Access (cont’d)

• RADIUS, Diameter, and TACACS

– Systems that authenticate user credentials for those
trying to access an organization’s network via dial-up
– Remote Authentication Dial-In User Service
(RADIUS): centralizes responsibility for user
authentication in a central RADIUS server
– Diameter: emerging alternative derived from
RADIUS
– Terminal Access Controller Access Control System
(TACACS): validates user’s credentials at
centralized server (like RADIUS); based on
client/server configuration
Principles of Information Security, Fifth Edition 53
Principles of Information Security, Fifth Edition 54
 Remote Access (cont’d)

• Kerberos
– Provides secure third-party authentication
– Uses symmetric key encryption to validate individual
user to various network resources
– Keeps database containing private keys of
clients/servers
– Consists of three interacting services:
• Authentication server (AS)
• Key Distribution Center (KDC)
• Kerberos ticket granting service (TGS)

Principles of Information Security, Fifth Edition 55

Principles of Information Security, Fifth Edition 56
Principles of Information Security, Fifth Edition 57
 Remote Access (cont’d)

• SESAME
– Secure European System for Applications in a
Multivendor Environment (SESAME) is similar to
Kerberos.
• User is first authenticated to authentication server and
receives token.
• Token is then presented to a privilege attribute server
as proof of identity to gain privilege attribute certificate.
• Uses public key encryption; adds sophisticated access
control features; more scalable encryption systems;
improved manageability; auditing features; and options
for delegation of responsibility for allowing access
Principles of Information Security, Fifth Edition 58
 Virtual Private Networks (VPNs)

• Private and secure network connection between

systems; uses data communication capability of
unsecured and public network
• Securely extends organization’s internal network
connections to remote locations
• Three VPN technologies defined:
– Trusted VPN
– Secure VPN
– Hybrid VPN (combines trusted and secure)

Principles of Information Security, Fifth Edition 59

 Virtual Private Networks (VPNs)
(cont’d)
• VPN must accomplish:
– Encapsulation of incoming and outgoing data
– Encryption of incoming and outgoing data
– Authentication of remote computer and perhaps
remote user as well
• In most common implementation, it allows the user
to turn Internet into a private network.

Principles of Information Security, Fifth Edition 60

 Virtual Private Networks (VPNs)
(cont’d)
• Transport mode
– Data within IP packet is encrypted, but header
information is not.
– Allows user to establish secure link directly with
remote host, encrypting only data contents of packet
– Two popular uses:
• End-to-end transport of encrypted data
• Remote access worker connects to office network
over Internet by connecting to a VPN server on the
perimeter.

Principles of Information Security, Fifth Edition 61

Principles of Information Security, Fifth Edition 62
 Virtual Private Networks (VPNs)
(cont’d)
• Tunnel mode
– Establishes two perimeter tunnel servers to encrypt
all traffic that will traverse unsecured network
– Entire client package encrypted and added as data
portion of packet from one tunneling server to another
– Primary benefit to this model is that an intercepted
packet reveals nothing about the true destination
system.
– Example of tunnel mode VPN: Microsoft’s Internet
Security and Acceleration (ISA) Server

Principles of Information Security, Fifth Edition 63

Principles of Information Security, Fifth Edition 64
 Summary

• Firewall technology
• Various approaches to remote and dial-up access
protection
• Content filtering technology
• Virtual private networks

Principles of Information Security, Fifth Edition 65