Firewalls and VPN
Chapter 6
Introduction
Technical controls – essential
Enforcing policy for many IT functions
Not involve direct human control
Improve organization’s ability to balance
Availability vs. increasing information’s levels of confidentiality and integrity
Access Control
Method
Whether and how to admit a user
Into a trusted area of the organization
Achieved by policies, programs, & technologies
Must be mandatory, nondiscretionary, or discretionary
Access Control
Mandatory access control (MAC)
Use data classification schemes
Give users and data owners limited control over access
Data classification schemes
Each collection of information is rated
Each user is rated
May use matrix or authorization
Access control list
Access Control
Nondiscretionary controls
Managed by central authority
Role-based
Tied to the role a user performs
Task-based
Tied to a set of tasks user performs
Access Control
Discretionary access controls
Implemented at the option of the data user
Used by peer to peer networks
All controls rely on
Identification
Authentication
Authorization
Accountability
Access Control
Identification
Unverified entity – supplicant
Seek access to a resource by label
Label is called an identifier
Mapped to one & only one entity
Authentication
Something a supplicant knows
Something a supplicant has
Something a supplicant is
Access Control
Authorization
Matches supplicant to resource
Often uses access control matrix
Handled by 1 of 3 ways
Authorization for each authenticated users
Authorization for members of a group
Authorization across multiple systems
Access Control
Accountability
Known as auditability
All actions on a system can be attributed to an authenticated identity
System logs and database journals
Firewalls
Purpose
Prevent information from moving between the outside world and inside
world
Outside world – untrusted network
Inside world – trusted network
Processing Mode
Five major categories
Packet filtering
Application gateway
Circuit gateway
MAC layer
Hybrids
Most common use
Several of above
Packet Filtering
Filtering firewall
Examine header information & data packets
Installed on TCP/IP based network
Functions at the IP level
Drop a packet (deny)
Forward a packet (allow)
Action based on programmed rules
Examines each incoming packet
Filtering Packets
Inspect networks at the network layer
Packet matching restriction = deny movement
Restrictions most commonly implemented in
Filtering Packets
IP source and destination addresses
Direction (incoming or outgoing)
Protocol
Transmission Control Protocol (TCP) or User
Datagram Protocol (UD) source or destination
IP Packet
TCP/IP Packet
Source Port Destination Port
Sequence Number
Acknowledgement Number
Offset Reserve U A P R S F Window
d
Checksum Urgent Pinter
Options Padding
Data
Data
UDP Datagram Structure
Source Port Destination Port
Length Checksum
Data
Data
Data
Sample Firewall Rule Format
Source Destination Service Action
Address Address (Allow/Deny)
172.16.xx 10.10.x.x Any Deny
192.168.xx 10.10.10.25 HTTP Allow
192.168.0.1 10.10.10.10 FTP Allow
Packet Filtering Subsets
Static filtering
Requires rules to be developed and installed with firewall
Dynamic filtering
Allows only a particular packet with a particular source,
destination, and port address to enter
Packet Filtering Subsets
Stateful
Uses a state table
Tracks the state and context of each packet
Records which station sent what packet and when
Perform packet filtering but takes extra step
Can expedite responses to internal requests
Vulnerable to DOS attacks because of processing time
required
Application Gateway
Installed on dedicated computer
Used in conjunction with filtering router
Proxy server
Goes between external request and webpage
Resides in DMZ
Between trusted and untrusted network
Exposed to risk
Can place additional filtering routers behind
Restricted to a single application
Circuit Gateways
Operates at transport level
Authorization based on addresses
Don’t look at traffic between networks
Do prevent direct connections
Create tunnels between networks
Only allowed traffic can use tunnels
MAC Layer Firewalls
Designed to operate at media access sublayer
Able to consider specific host computer identity in filtering
Allows specific types of packets that are acceptable to each host
OSI Model
7 Application
Application Gateway
6 Presentation
5 Session
Circuit Gateway 4 Transport
Packet Filtering 3 Network
Mac Layer 2 Data
1 Physical
Hybrid Firewalls
Combine elements of other types of firewalls; i.e., elements of
packet filtering and proxy services, or of packet filtering and
circuit gateways
Alternately, may consist of two separate firewall devices; each a
separate firewall system, but are connected to work in tandem
Categorization by Development
Generation
First Generation
Static packet filtering
Simple networking devices
Filter packets according to their headers
Second Generation
Application level or proxy servers
Dedicated systems
Provides intermediate services for the requestors
Third Generation
Stateful
Uses state tables
Categorization by Development
Generation
Fourth Generation
Dynamic filtering
Particular packet with a particular source,
destination, and port address to enter
Fifth Generation
Kernel proxy
Works un the Windows NT Executive
Evaluates at multiple layers
Checks security as packet passes from one
level to another
Categorized by Structure
Commercial-Grade
State-alone
Combination of hardware and software
Many of features of stand alone computer
Firmware based instructions
Increase reliability and performance
Minimize likelihood of their being compromised
Customized software operating system
Can be periodically upgraded
Requires direct physical connection for changes
Extensive authentication and authorization
Rules stored in non-volatile memory
Categorized by Structure
Commercial-Grade Firewall Systems
Configured application software
Runs on general-purpose computer
Existing computer
Dedicated computer
Categorized by Structure
Small Office/Home Office (SOHO)
Broadband gateways or DSL/cable modem routers
First – stateful
Many newer one – packet filtering
Can be configured by use
Router devices with WAP and stackable LAN
switches
Some include intrusion detection
Categorized by Structure
Residential
Installed directly on user’s system
Many free version not fully functional
Limited protection
Software vs. Hardware: the SOHO
Firewall Debate
Which firewall type should the residential user implement?
Where would you rather defend against a hacker?
With the software option, hacker is inside your computer
With the hardware device, even if hacker manages to crash
firewall system, computer and information are still safely behind
the now disabled connection
Firewall Architectures
Sometimes the architecture is exclusive
Configuration decision
Objectives of the network
The org’s ability to develop and implement architecture
Budget
Firewall Architectures
Packet filtering routers
Lacks auditing and strong authentication
Can degrade network performance
Firewall Architectures
Screened Host firewall
Combines packet filtering router with dedicated
firewall – such as proxy server
Allows router to prescreen packets
Application proxy examines at application layer
Separate host – bastion or sacrificial host
Requires external attack to compromise 2
separate systems.
Firewall Architectures
Dual Homed Host
Two network interface cards
One connected to external network
One connected to internal network
Additional protection
All traffic must go through firewall to get to networks
Can translate between different protocols at different layers
Firewall Architectures
Screened Subnet Firewalls (with DMZ)
Dominant architecture used today
Provides DMZ
Common arrangement
2 or most hosts behind a packet filtering router
Each host protecting the trusted net
Untrusted network routed through filtering router
Come into a separate network segment
Connection into the trusted network only allowed through DMZ
Expensive to implement
Complex to configure and manage
Firewall Architectures
SOCS Servers
Protocol for handling TCP traffic through a proxy server
Proprietary circuit-level proxy server
Places special SOCS client-side agents on each workstation
General approach – place filtering requirements on individual
workstation
Selecting the Right Firewall
What firewall offers right balance between
protection and cost for needs of organization?
What features are included in base price and
which are not?
Ease of setup and configuration? How
accessible are staff technicians who can
configure the firewall?
Can firewall adapt to organization’s growing
network?
Selecting the Right Firewall
Most important factor
Extent to which the firewall design provides the required protection
Second most important factor
Cost
Configuring and Managing
Firewalls
Each firewall device must have own set of
configuration rules regulating its actions
Firewall policy configuration is usually
complex and difficult
Configuring firewall policies both an art and a
science
When security rules conflict with the
performance of business, security often loses
Best Practices for Firewalls
All traffic from trusted network is allowed out
Firewall device never directly accessed from
public network
Simple Mail Transport Protocol (SMTP) data
allowed to pass through firewall
Internet Control Message Protocol (ICMP)
data denied
Telnet access to internal servers should be
blocked
When Web services offered outside firewall,
HTTP traffic should be denied from reaching
internal networks
Firewall Rules
Operate by examining data packets and performing
comparison with predetermined logical rules
Logic based on set of guidelines most commonly
referred to as firewall rules, rule base, or firewall
logic
Most firewalls use packet header information to
determine whether specific packet should be
allowed or denied
Content Filters
Software filter—not a firewall—that allows
administrators to restrict content access from within
network
Essentially a set of scripts or programs restricting user
access to certain networking protocols/Internet locations
Primary focus to restrict internal access to external
material
Most common content filters restrict users from accessing
non-business Web sites or deny incoming span
Protecting Remote Connections
Installing internetwork connections requires leased lines or
other data channels; these connections usually secured
under requirements of formal service agreement
When individuals seek to connect to organization’s
network, more flexible option must be provided
Options such as Virtual Private Networks (VPNs) have
become more popular due to spread of Internet
Dial-Up
Unsecured, dial-up connection points represent a
substantial exposure to attack
Attacker can use device called a war dialer to
locate connection points
War dialer: automatic phone-dialing program
that dials every number in a configured range
and records number if modem picks up
Some technologies (RADIUS systems;
TACACS; CHAP password systems) have
improved authentication process
Protecting Remote Connections
VPN (Virtual Private Networks)
Authentication systems
RADIUS AND TACACS
Access control for dial-up
Kerberos
Symmetric key encryption to validate
Keeps a database containing the private keys
Both networks and clients have to register
Does the authentication based on database
Kerberos
Three interacting services
Authentication server
Key distribution center
Kerberos ticket granting service
Principles
KDC knows the secret keys of all clients and servers
KDC initially exchanges information with the client
and server by using the keys
Authenticates a client to a requested service by
issuing a temporary session key
Sesame
Secure European System for applications in
Multiple vendor Environment
Similar to Kerberos
User first authenticated to an authentication
server and receives a token
Token presented to a privilege attribute server
Get a privilege attribute certificate
Build on Kerberos model – addition and more
sophisticated access control features
VPN
Implementation of cryptographic technology
Private and secure network connection
Trusted VPN
Secure VPN
Hybrid VPN
Transport Mode
Data within IP packet is encrypted, but header
information is not
Allows user to establish secure link directly
with remote host, encrypting only data contents
of packet
Two popular uses:
End-to-end transport of encrypted data
Remote access worker connects to office network
over Internet by connecting to a VPN server on the
perimeter
Tunnel Mode
Organization establishes two perimeter tunnel
servers
These servers act as encryption points, encrypting
all traffic that will traverse unsecured network
Primary benefit to this model is that an intercepted
packet reveals nothing about true destination system
Example of tunnel mode VPN: Microsoft’s Internet
Security and Acceleration (ISA) Server