Upon Completion of This Chapter, You Should Be Able To

CH-6

SECURITY TECHNOLOGY: FIREWALLS AND VPNS

UPON COMPLETION OF THIS CHAPTER, YOU SHOULD BE ABLE TO:

• Recognize the important role of access control in computerized information systems, and identify and discuss widely-used authentication factors

• Describe firewall technology and the various approaches to firewall implementation

• Identify the various approaches to control remote and dial-up access by means of the authentication and authorization of users

• Describe the technology that enables the use of Virtual Private Networks


Terminologies
Access is the flow of information between a subject and an object.
A subject is an active entity that requests access to an object or the data
within an object.
A subject can be a user, program, or process that accesses an object to
accomplish a task.
When a program accesses a file, the program is the subject and the file is
the object.
An object is a passive entity that contains information.
An object can be a computer, database, file, computer program, directory,
or field contained in a table within a database.
When you look up information in a database, you are the active subject and
the database is the passive object.


ACCESS CONTROL
Access control is the method by which systems determine whether and how to admit a user into a trusted area of the organization.

Access control is achieved by means of a combination of policies, programs, and technologies.

Access controls can be:

• Mandatory access controls (MACs) use data classification schemes; they give users and data owners limited control over access to information resources.

In a data classification scheme, each collection of information is rated, and each user is rated to specify the level of information that user may access.

These ratings are often referred to as sensitivity levels, and they indicate the level of confidentiality the information requires.

ACCESS CONTROL

A variation of this form of access control is called lattice-based access control, in which users are assigned a matrix of authorizations for particular areas of access.

The lattice structure contains subjects and objects, and the boundaries associated with each pair are demarcated.

Lattice-based control specifies the level of access each subject has to each object.

With this type of control, the column of attributes associated with a particular object (such as a printer) is referred to as an access control list (ACL).

The row of attributes associated with a particular subject (such as a user) is referred to as a capabilities table.


• Nondiscretionary controls are a strictly-enforced version of MACs that are managed by a central authority in the organization and can be based on an individual’s role—role-based controls—or a specified set of tasks (subject or object-based)—task-based controls. Role-based controls are tied to the role a user performs in an organization, and task-based controls are tied to a particular assignment or responsibility.

• Discretionary access controls (DACs) are implemented at the discretion or option of the data user. The ability to share resources in a peer-to-peer configuration allows users to control and possibly provide access to information or resources at their disposal. The users can allow general, unrestricted access, or they can allow specific individuals or sets of individuals to access these resources.


For example, a user has a hard drive containing information to be shared with office coworkers. This user can elect to allow access to specific individuals by providing access, by name, in the share control function.

The figure shows an example of a discretionary access control from a peer-to-peer network using Microsoft Windows.


In general, all access control approaches rely on the following mechanisms:
• Identification
• Authentication
• Authorization
• Accountability

A. IDENTIFICATION
Identification is a mechanism whereby an unverified entity—called a supplicant—that seeks access to a resource proposes a label by which they are known to the system.

The label applied to the supplicant (or supplied by the supplicant) is called an identifier (ID), and must be mapped to one and only one entity within the security domain.


Some organizations use composite identifiers, concatenating elements—department codes, random numbers, or special characters—to make unique identifiers within the security domain.

Other organizations generate random IDs to protect the resources from potential attackers.

Most organizations use a single piece of unique information, such as a complete name or the user’s first initial and surname.

When issuing identification values to users, the following should be in place:
• Each value should be unique, for user accountability.
• A standard naming scheme should be followed.
• The value should be nondescriptive of the user’s position or tasks.
• The value should not be shared between users.

B. AUTHENTICATION
Authentication is the process of validating a supplicant’s purported identity.

There are three widely used authentication mechanisms, or authentication factors:

• Something a Supplicant Knows

This factor of authentication relies upon what the supplicant knows and can recall—for example, a password, passphrase, or other unique authentication code, such as a personal identification number (PIN).

• Something a Supplicant Has

This authentication factor relies upon something a supplicant has and can produce when necessary.


One example is dumb cards, such as ID cards or ATM cards with magnetic stripes containing the digital (and often encrypted) user PIN, against which the number a user inputs is compared. Other examples include smart cards and tokens.

• Something a Supplicant Is or Can Produce

This authentication factor relies upon individual characteristics, such as fingerprints, palm prints, hand topography, hand geometry, or retina and iris scans, or something a supplicant can produce on demand, such as voice patterns and signatures.

Some of these characteristics, known collectively as biometrics


Note: Certain critical logical or physical areas may require the use of strong authentication—at minimum two different authentication mechanisms drawn from two different factors of authentication, most often something you have and something you know.

For example, access to a bank’s ATM services requires a banking card plus a PIN. Such systems are called two-factor authentication, because two separate mechanisms are used.

C. AUTHORIZATION
Authorization is the matching of an authenticated entity to a list of information assets and corresponding access levels. This list is usually an ACL or access control matrix.


In general, authorization can be handled in one of three ways:

• Authorization for each authenticated user, in which the system performs an authentication process to verify each entity and then grants access to resources for only that entity.

• Authorization for members of a group, in which the system matches authenticated entities to a list of group memberships, and then grants access to resources based on the group’s access rights.

• Authorization across multiple systems, in which a central authentication and authorization system verifies entity identity and grants it a set of credentials.
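The access control matrix mentioned under authorization, as an added example that is not from the textbook: it derives an object's ACL (the column) and a subject's capabilities table (the row) from one matrix as in the lattice-based control described earlier, layers a sensitivity-level check on top as a MAC would, and resolves group membership for the "members of a group" authorization style. All subjects, objects, levels and rights are constructed.

```python
"""Access control matrix with ACL (column) and capabilities (row) views, plus a
mandatory sensitivity-level check and group-based authorization on top.
Added illustration; every subject, object, level and right below is constructed."""
from collections import defaultdict
from enum import IntEnum


class Level(IntEnum):
    """Sensitivity levels, ordered from least to most confidential."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


# MAC ratings (constructed): each user has a clearance, each object a classification
CLEARANCE = {"alice": Level.SECRET, "bob": Level.INTERNAL, "carol": Level.CONFIDENTIAL}
CLASSIFICATION = {"payroll.db": Level.CONFIDENTIAL, "memo.txt": Level.INTERNAL,
                  "printer1": Level.PUBLIC}
# Group memberships used for "authorization for members of a group" (constructed)
GROUPS = {"staff": {"alice", "bob", "carol"}, "finance": {"alice", "carol"}}


class AccessMatrix:
    """Rows are subjects (users or groups), columns are objects, cells hold rights."""

    def __init__(self):
        self._cells = defaultdict(set)

    def grant(self, subject, obj, *rights):
        self._cells[(subject, obj)].update(rights)

    def acl(self, obj):
        """Column view: the access control list attached to one object."""
        return {s: sorted(r) for (s, o), r in self._cells.items() if o == obj and r}

    def capabilities(self, subject):
        """Row view: the capabilities table of one subject."""
        return {o: sorted(r) for (s, o), r in self._cells.items() if s == subject and r}

    def dac_allows(self, user, obj, right):
        """Discretionary check: the user's own row or any row of a group the user is in."""
        subjects = [user] + [g for g, members in GROUPS.items() if user in members]
        return any(right in self._cells.get((s, obj), ()) for s in subjects)


def mac_allows(user, obj):
    """Mandatory check (assumed rule): a user may only reach information rated at or
    below their clearance, whatever the discretionary entries say."""
    return CLEARANCE[user] >= CLASSIFICATION[obj]


def check_access(matrix, user, obj, right):
    """Access is granted only when both the DAC entry and the MAC rule permit it."""
    return matrix.dac_allows(user, obj, right) and mac_allows(user, obj)


def build_demo_matrix():
    m = AccessMatrix()
    m.grant("alice", "payroll.db", "read", "write")
    m.grant("finance", "payroll.db", "read")   # group row: carol inherits read
    m.grant("staff", "memo.txt", "read")       # group row: everyone reads the memo
    m.grant("bob", "memo.txt", "write")
    m.grant("bob", "payroll.db", "read")       # DAC says yes, but bob's clearance is too low
    m.grant("staff", "printer1", "print")
    return m
```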


D. ACCOUNTABILITY
Accountability, also known as auditability, ensures that all actions on a system—authorized or unauthorized—can be attributed to an authenticated identity.

Accountability is most often accomplished by means of system logs and the auditing of these records.

System logs record specific information, such as failed access attempts and system modifications.

Logs have many uses, such as intrusion detection, determining the root cause of a system failure, or simply tracking the use of a particular resource.
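An added example (not from the textbook) of the auditing side of accountability: it parses constructed log lines, attributes each event to an identity, and flags repeated failed access attempts. The line format and the thresholds are assumptions made for the demo.

```python
"""Auditing system logs for accountability: every event is attributed to an
authenticated identity, and repeated failed access attempts are flagged.
Added illustration; the log lines, format and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a syslog-like layout (not from any real system)
SAMPLE_LOG = """\
2024-03-01T09:00:01 host1 auth: LOGIN_FAIL user=bob src=203.0.113.9
2024-03-01T09:00:07 host1 auth: LOGIN_FAIL user=bob src=203.0.113.9
2024-03-01T09:00:12 host1 auth: LOGIN_FAIL user=bob src=203.0.113.9
2024-03-01T09:00:20 host1 auth: LOGIN_OK user=alice src=10.10.10.5
2024-03-01T09:01:02 host1 config: MODIFY user=alice file=/etc/firewall.rules
2024-03-01T09:30:00 host1 auth: LOGIN_FAIL user=carol src=198.51.100.4
2024-03-01T10:45:00 host1 auth: LOGIN_FAIL user=carol src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<event>\w+) user=(?P<user>\S+)(?P<rest>.*)$")


def parse_log(text):
    """Turn each line into a record keyed by the identity it is attributed to."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed lines are skipped, not guessed at
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec.update(kv.split("=", 1) for kv in rec.pop("rest").split())
        records.append(rec)
    return records


def failed_login_bursts(records, threshold=3, window=timedelta(minutes=1)):
    """Flag (user, src) pairs with >= threshold LOGIN_FAIL events inside one window."""
    fails = defaultdict(list)
    for r in records:
        if r["event"] == "LOGIN_FAIL":
            fails[(r["user"], r["src"])].append(r["ts"])
    flagged = []
    for key, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(key)
                break
    return flagged


def modifications_by_user(records):
    """Attribute every MODIFY event to the identity that performed it."""
    out = defaultdict(list)
    for r in records:
        if r["event"] == "MODIFY":
            out[r["user"]].append(r["file"])
    return dict(out)
```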


FIREWALLS
A firewall in an information security program prevents specific types of information from moving between the outside world, known as the untrusted network (for example, the internet), and the inside world, known as the trusted network.

The firewall may be a separate computer system, a software service running on an existing router or server, or a separate network containing a number of supporting devices.

Firewalls can be categorized by processing mode, development era, or structure.

FIREWALL PROCESSING MODES

Firewalls fall into five major processing-mode categories: packet-filtering firewalls, application gateways, circuit gateways, MAC layer firewalls, and hybrids.

Hybrid firewalls use a combination of the other four modes, and in practice, most firewalls fall into this category, since most firewall implementations use multiple approaches.

The packet-filtering firewall, also simply called a filtering firewall, examines the header information of data packets that come into a network.

A packet-filtering firewall installed on a TCP/IP-based network typically functions at the IP level and determines whether to drop a packet (deny) or forward it to the next network connection (allow) based on the rules programmed into the firewall.

Packet-filtering firewalls examine every incoming packet header and can selectively filter packets based on header information such as destination address, source address, packet type, and other key information.


Filtering firewalls inspect packets at the network layer, or Layer 3, of the Open Systems Interconnect (OSI) model.

If the device finds a packet that matches a restriction, it stops the packet from traveling from one network to another.

The restrictions most commonly implemented in packet-filtering firewalls are based on a combination of the following:

• IP source and destination address
• Direction (inbound or outbound)
• Protocol (for firewalls capable of examining the IP protocol layer)
• Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests (for firewalls capable of examining the TCP/UDP layer)


The following figure shows how a packet-filtering router can be used as a simple firewall to filter data packets from inbound connections and allow outbound connections unrestricted access to the public network.

To better understand an address restriction scheme, consider the following table.


If an administrator were to configure a simple rule based on the content of the above table, any connection attempt made by an external computer or network device in the 192.168.x.x address range (192.168.0.0–192.168.255.255) is allowed.

There are three subsets of packet-filtering firewalls: static filtering, dynamic filtering, and stateful inspection.

Static filtering requires that the filtering rules be developed and installed with the firewall. The rules are created and sequenced either by a person directly editing the rule set, or by a person using a programmable interface to specify the rules and the sequence.

Any changes to the rules require human intervention. This type of filtering is common in network routers and gateways.


A dynamic filtering firewall can react to an emergent event and update or create rules to deal with that event.

While static filtering firewalls allow entire sets of one type of packet to enter in response to authorized requests, the dynamic packet-filtering firewall allows only a particular packet with a particular source, destination, and port address to enter.

Stateful inspection firewalls, also called stateful firewalls, keep track of each network connection between internal and external systems using a state table.

Whereas simple packet-filtering firewalls only allow or deny certain packets based on their address, a stateful firewall can expedite incoming packets that are responses to internal requests.


The following lists some important characteristics of a stateful-inspection firewall:

• Maintains a state table that tracks each and every communication channel
• Provides a high degree of security and does not introduce the performance hit that application proxy firewalls introduce
• Is scalable and transparent to users
• Provides data for tracking connectionless protocols such as UDP and ICMP
• Stores and updates the state and context of the data within the packets
• Is considered a third-generation firewall

A state table looks similar to a firewall rule set but has additional information, as shown in the following table.
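An added example (not the textbook's) that puts the packet-filter restrictions listed earlier, including the chapter's 192.168.x.x rule, beside a stateful state table: the static filter decides on header fields alone, while the stateful firewall also admits the reply to an outbound request it recorded, which the static rules alone would drop. The trusted network, rule set and packets are constructed.

```python
"""Static packet filtering beside stateful inspection. Added illustration, not
from the textbook; the trusted network, rule set and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str        # IP source address
    dst: str        # IP destination address
    proto: str      # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    direction: str  # "in" (arriving from the untrusted network) or "out"


@dataclass(frozen=True)
class Rule:
    direction: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str             # "*" matches any protocol
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"

    def matches(self, p):
        return (self.direction == p.direction
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and self.proto in ("*", p.proto)
                and self.dport in (None, p.dport))


ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.10.10.0/24")   # constructed trusted network

# Static rule set, first match wins; the final rule is the default deny.
RULES = [
    # the chapter's example: inbound connections from 192.168.x.x are allowed
    Rule("in", ipaddress.ip_network("192.168.0.0/16"), INTERNAL, "*", None, "allow"),
    Rule("in", ANY, INTERNAL, "tcp", 25, "allow"),   # inbound mail to internal hosts
    Rule("out", INTERNAL, ANY, "*", None, "allow"),  # outbound traffic unrestricted
    Rule("in", ANY, ANY, "*", None, "deny"),
]


def static_filter(p, rules=RULES):
    """Static filtering: header fields are compared with the rules, nothing else."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFirewall:
    """Same rules plus a state table of outbound requests, so the reply to an
    internal request is allowed in without needing an inbound rule of its own."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.state = set()   # entries: (src, sport, dst, dport, proto) seen outbound

    def decide(self, p):
        reply_of = (p.dst, p.dport, p.src, p.sport, p.proto)
        if p.direction == "in" and reply_of in self.state:
            return "allow"                     # matches an outstanding internal request
        action = static_filter(p, self.rules)
        if action == "allow" and p.direction == "out":
            self.state.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return action
```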

APPLICATION GATEWAYS
The application gateway, also known as an application-level firewall or application firewall, is frequently installed on a dedicated computer, separate from the filtering router, but is commonly used in conjunction with a filtering router.

The application firewall is also known as a proxy server since it runs special software that acts as a proxy for a service request.


The benefits from this type of implementation are significant. For one, the proxy server is placed in an unsecured area of the network so that it, rather than the Web server, is exposed to the higher levels of risk from the less trusted networks.

Additional filtering routers can be implemented behind the proxy server, limiting access to the more secure internal system, and thereby further protecting internal systems.

The primary disadvantage of application-level firewalls is that they are designed for one or a few specific protocols and cannot easily be reconfigured to protect against attacks on other protocols.


CIRCUIT GATEWAYS
The circuit gateway firewall operates at the transport layer. Again, connections are authorized based on addresses. Like filtering firewalls, circuit gateway firewalls do not usually look at traffic flowing between one network and another, but they do prevent direct connections between one network and another.

They accomplish this by creating tunnels connecting specific processes or systems on each side of the firewall, and then allowing only authorized traffic, such as a specific type of TCP connection for authorized users, in these tunnels.

MAC LAYER FIREWALLS

MAC layer firewalls are designed to operate at the media access control sublayer of the data link layer (Layer 2) of the OSI network model.

This enables these firewalls to consider the specific host computer’s identity, as represented by its MAC or network interface card (NIC) address, in its filtering decisions.

Thus, MAC layer firewalls link the addresses of specific host computers to ACL entries that identify the specific types of packets that can be sent to each host, and block all other traffic.

HYBRID FIREWALLS
Hybrid firewalls combine the elements of other types of firewalls.

An added advantage to the hybrid firewall approach is that it enables an organization to make a security improvement without completely replacing its existing firewalls.


FIREWALLS CATEGORIZED BY GENERATION

At present, there are five generally recognized generations of firewalls, and these generations can be implemented in a wide variety of architectures.

• First generation firewalls are static packet-filtering firewalls—that is, simple networking devices that filter packets according to their headers as the packets travel to and from the organization’s networks.
• Second generation firewalls are application-level firewalls or proxy servers—that is, dedicated systems that are separate from the filtering router and that provide intermediate services for requestors.
• Third generation firewalls are stateful inspection firewalls, which, as described previously, monitor network connections between internal and external systems using state tables.
• Fourth generation firewalls, which are also known as dynamic packet-filtering firewalls, allow only a particular packet with a particular source, destination, and port address to enter.

• Fifth generation firewalls include the kernel proxy, a specialized form that works under Windows NT Executive, which is the kernel of Windows NT.

This type of firewall evaluates packets at multiple layers of the protocol stack, by checking security in the kernel as data is passed up and down the stack.

FIREWALLS CATEGORIZED BY STRUCTURE (YOUR READING ASSIGNMENT)

PROTECTING REMOTE CONNECTIONS

REMOTE ACCESS
Before the Internet emerged, organizations created private networks and allowed individuals and other organizations to connect to them using dial-up or leased line connections.


These unsecured, dial-up connection points represent a substantial exposure to attack. An attacker who suspects that an organization has dial-up lines can use a device called a war dialer to locate the connection points.

A war dialer is an automatic phone-dialing program that dials every number in a configured range (e.g., 555-1000 to 555-2000), and checks to see if a person, answering machine, or modem picks up.

If a modem answers, the war dialer program makes a note of the number and then moves to the next target number. The attacker then attempts to hack into the network via the identified modem connection using a variety of techniques.

For the most part, simple username and password schemes are the only means of authentication. However, some technologies have improved the authentication process.


RADIUS, TACACS, AND DIAMETER
RADIUS and TACACS are systems that authenticate the credentials of users who are trying to access an organization’s network via a dial-up connection.

The Remote Authentication Dial-In User Service (RADIUS) system centralizes the management of user authentication by placing the responsibility for authenticating each user in the central RADIUS server.

When a remote access server (RAS) receives a request for a network connection from a dial-up client, it passes the request, along with the user’s credentials, to the RADIUS server.

RADIUS then validates the credentials and passes the resulting decision (accept or deny) back to the accepting remote access server.


The following figure shows the typical configuration of an RAS system.


The Diameter protocol defines the minimum requirements for a system that provides authentication, authorization, and accounting (AAA) services and can go beyond these basics and add commands and/or object attributes.

The Terminal Access Controller Access Control System (TACACS) is another remote access authorization system that is based on a client/server configuration.

Like RADIUS, it contains a centralized database, and it validates the user’s credentials at this TACACS server.

Two authentication systems can provide secure third-party authentication:

a. KERBEROS
Kerberos uses symmetric key encryption to validate an individual user to various network resources.

Kerberos keeps a database containing the private keys of clients and servers—in the case of a client, this key is simply the client’s encrypted password.

Network services running on servers in the network register with Kerberos, as do the clients that use those services.

The Kerberos system knows these private keys and can authenticate one network node (client or server) to another.

Typically a user logs into the network, is authenticated to the Kerberos system, and is then authenticated to other resources on the network by the Kerberos system itself.


Kerberos consists of three interacting services, all of which use a database library:
a. Authentication server (AS), which is a Kerberos server that authenticates clients and servers.
b. Key Distribution Center (KDC), which generates and issues session keys.
c. Kerberos ticket granting service (TGS), which provides tickets to clients who request services.

The ticket consists of:
• the client’s name and network address,
• a ticket validation starting and ending time, and
• the session key,
all encrypted in the private key of the server from which the client is requesting services.


Kerberos is based on the following principles:

• The KDC knows the secret keys of all clients and servers on the network.
• The KDC initially exchanges information with the client and server by using these secret keys.
• Kerberos authenticates a client to a requested service on a server through TGS and by issuing temporary session keys for communications between the client and KDC, the server and KDC, and the client and server.
• Communications then take place between the client and server using these temporary session keys.
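The AS login, TGS ticket issue and service-side check described above, as an added example that is not MIT Kerberos code: it builds tickets with exactly the fields listed earlier (client name and address, validity window, session key, sealed under the server's key) and checks them the way the principles describe. The KDC database, the password-to-key derivation and the toy seal/unseal cipher are constructed for the demo.

```python
"""Simplified Kerberos: AS login, TGS service-ticket issue, service access.
Added illustration, not MIT Kerberos code. 'seal'/'unseal' is a toy
encrypt-then-MAC built from SHA-256 for an offline demo, not a real cipher."""
import hashlib
import hmac
import json
import os
import time

def _keystream(key, nonce, n):
    blocks, i = b"", 0
    while len(blocks) < n:
        blocks += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return blocks[:n]

def seal(key, obj):
    """Encrypt a JSON-able object under a shared secret key and tag it (toy)."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def client_key(password):
    """A client's secret key is derived from its password (constructed derivation)."""
    return hashlib.sha256(b"krb-demo:" + password.encode()).digest()

# The KDC database: secret keys of every client and server on the network (constructed)
KDC_DB = {"alice": client_key("correct horse"), "tgs": os.urandom(32),
          "fileserver": os.urandom(32)}

def make_ticket(client, addr, server, lifetime, now):
    """A ticket carries the client's name and address, a validity window and a
    session key, sealed with the server's key so only that server can read it."""
    skey = os.urandom(32).hex()
    body = {"client": client, "addr": addr, "start": now, "end": now + lifetime, "skey": skey}
    return seal(KDC_DB[server], body), bytes.fromhex(skey)

def as_login(client, addr, now):
    """Authentication Server: issues a TGT; the reply is sealed under the client's
    own key, so only someone who knows the password can use it."""
    tgt, skey = make_ticket(client, addr, "tgs", 8 * 3600, now)
    return seal(KDC_DB[client], {"tgt": tgt.hex(), "skey": skey.hex()})

def tgs_request(tgt, authenticator, service, now):
    """Ticket Granting Service: opens the TGT with its own key, checks the
    authenticator under the client/TGS session key, then issues a service ticket."""
    t = unseal(KDC_DB["tgs"], tgt)
    a = unseal(bytes.fromhex(t["skey"]), authenticator)
    if not (t["start"] <= now <= t["end"]) or a["client"] != t["client"] or a["addr"] != t["addr"]:
        raise PermissionError("TGT expired or authenticator does not match")
    return make_ticket(t["client"], t["addr"], service, 3600, now)

def service_accepts(service, ticket, addr, now):
    """The server opens the ticket with its own key; returns the client name or None."""
    try:
        t = unseal(KDC_DB[service], ticket)
    except ValueError:
        return None
    return t["client"] if t["start"] <= now <= t["end"] and t["addr"] == addr else None

def password_opens_reply(password, reply):
    """True if the password-derived key opens an AS reply (the client's login step)."""
    try:
        unseal(client_key(password), reply)
        return True
    except ValueError:
        return False

def demo_login_and_access(password="correct horse", addr="10.0.0.5", now=None):
    """Full client flow; raises ValueError if the password cannot open the AS reply."""
    now = now or int(time.time())
    reply = unseal(client_key(password), as_login("alice", addr, now))
    tgt, ctgs = bytes.fromhex(reply["tgt"]), bytes.fromhex(reply["skey"])
    auth = seal(ctgs, {"client": "alice", "addr": addr, "ts": now})
    svc_ticket, _ = tgs_request(tgt, auth, "fileserver", now)
    return service_accepts("fileserver", svc_ticket, addr, now)
```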


The following figures illustrate this process: the first for login and the second for a service request. Kerberos may be obtained free of charge from MIT at http://web.mit.edu/Kerberos/


b. SESAME
The Secure European System for Applications in a Multivendor Environment (SESAME) is the result of a European research and development project partly funded by the European Commission. SESAME is similar to Kerberos in that the user is first authenticated to an authentication server and receives a token.

The token is then presented to a privilege attribute server (instead of a ticket granting service as in Kerberos) as proof of identity to gain a privilege attribute certificate (PAC).

The PAC is like the ticket in Kerberos; however, a PAC conforms to the standards of the European Computer Manufacturers Association (ECMA) and the International Organization for Standardization/International Telecommunications Union (ISO/ITU-T).


SESAME uses public key encryption to distribute secret keys.

SESAME also builds on the Kerberos model by adding additional and more sophisticated access control features, more scalable encryption systems, improved manageability, auditing features, and the option to delegate responsibility for allowing access.

VIRTUAL PRIVATE NETWORKS (VPNS)

A Virtual Private Network (VPN) is a private and secure network connection between systems that uses the data communication capability of an unsecured and public network. The Virtual Private Network Consortium (VPNC) (www.vpnc.org) defines a VPN as “a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.”


The VPNC defines three VPN technologies:

A. A TRUSTED VPN
Also known as a legacy VPN, a trusted VPN uses leased circuits from a service provider and conducts packet switching over these leased circuits.

The organization must trust the service provider, who provides contractual assurance that no one else is allowed to use these circuits and that the circuits are properly maintained and protected.

B. SECURE VPN
A secure VPN uses security protocols and encrypts traffic transmitted across unsecured public networks like the Internet.


C. A HYBRID VPN
A hybrid VPN combines the two, providing encrypted transmissions (as in a secure VPN) over some or all of a trusted VPN network.

A VPN that proposes to offer a secure and reliable capability while relying on public networks must accomplish the following, regardless of the specific technologies and protocols being used:

• Encapsulation of incoming and outgoing data, wherein the native protocol of the client is embedded within the frames of a protocol that can be routed over the public network and be usable by the server network environment.

• Encryption of incoming and outgoing data to keep the data contents private while in transit over the public network, but usable by the client and server computers and/or the local networks on both ends of the VPN connection.

• Authentication of the remote computer and, perhaps, the remote user as well.

There are a number of ways to implement a VPN. IPSec, the dominant protocol used in VPNs, uses either transport mode or tunnel mode.

In transport mode, the data within an IP packet is encrypted, but the header information is not. This allows the user to establish a secure link directly with the remote host, encrypting only the data contents of the packet.

The downside to this implementation is that packet eavesdroppers can still identify the destination system.


On the other hand, transport mode eliminates the need for special servers and tunneling software, and allows the end users to transmit traffic from anywhere.

The following figure illustrates the transport mode methods of implementing VPNs.


Tunnel mode establishes two perimeter tunnel servers that encrypt all traffic that will traverse an unsecured network.

In tunnel mode, the entire client packet is encrypted and added as the data portion of a packet addressed from one tunneling server to another. The receiving server decrypts the packet and sends it to the final address.

The primary benefit to this model is that an intercepted packet reveals nothing about the true destination system.
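Transport mode and tunnel mode side by side, as an added example that is not from the textbook: it shows what a packet eavesdropper learns in each case (the true destination host in transport mode, only the two tunnel servers in tunnel mode) and that both ends recover the original packet. The addresses, the wire format and the placeholder cipher are constructed.

```python
"""IPsec transport mode versus tunnel mode: what a packet eavesdropper on the
public network can learn in each. Added illustration with constructed addresses;
'_xor' is a placeholder standing in for the real ESP cipher, not IPsec code."""
from dataclasses import dataclass
from itertools import cycle


@dataclass
class IPPacket:
    src: str
    dst: str
    payload: bytes


CLIENT, SERVER = "198.51.100.7", "10.1.1.20"   # constructed end hosts
GW_A, GW_B = "203.0.113.1", "203.0.113.2"      # constructed perimeter tunnel servers
KEY = b"\x13\x37" * 8                            # constructed placeholder key


def _xor(key, data):
    """Placeholder only: repeating-key XOR so the demo runs offline; not a cipher."""
    return bytes(a ^ b for a, b in zip(data, cycle(key)))


def serialize(pkt):
    """Flatten header + data into bytes (a stand-in for the real IP wire format)."""
    return f"{pkt.src}>{pkt.dst}|".encode() + pkt.payload


def parse(raw):
    hdr, payload = raw.split(b"|", 1)
    src, dst = hdr.decode().split(">")
    return IPPacket(src, dst, payload)


def transport_mode_send(pkt, key):
    """Transport mode: only the data is encrypted; the IP header stays in the
    clear, so the true source and destination hosts remain visible."""
    return IPPacket(pkt.src, pkt.dst, _xor(key, pkt.payload))


def transport_mode_receive(pkt, key):
    return IPPacket(pkt.src, pkt.dst, _xor(key, pkt.payload))


def tunnel_mode_send(pkt, key, gw_out, gw_in):
    """Tunnel mode: the entire client packet, header included, is encrypted and
    carried as the data of a new packet addressed from one tunnel server to the other."""
    return IPPacket(gw_out, gw_in, _xor(key, serialize(pkt)))


def tunnel_mode_receive(outer, key):
    """The receiving tunnel server decrypts and forwards to the final address."""
    return parse(_xor(key, outer.payload))


def eavesdropper_view(pkt):
    """What a passive observer on the public network sees in one packet."""
    return {"src": pkt.src, "dst": pkt.dst, "request_readable": b"GET" in pkt.payload}


def compare_modes(payload=b"GET /payroll HTTP/1.1"):
    original = IPPacket(CLIENT, SERVER, payload)
    transport = transport_mode_send(original, KEY)
    outer = tunnel_mode_send(original, KEY, GW_A, GW_B)
    return {
        "cleartext": eavesdropper_view(original),
        "transport": eavesdropper_view(transport),
        "tunnel": eavesdropper_view(outer),
        "transport_roundtrip": transport_mode_receive(transport, KEY) == original,
        "tunnel_roundtrip": tunnel_mode_receive(outer, KEY) == original,
    }
```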


The following figure shows an example of tunnel mode VPN implementation.
