SEC3014 Part4c

The document discusses the topic of firewalls and Kerberos. It provides information on firewall design goals, techniques, capabilities, and limitations. It describes different types of firewalls including packet filtering firewalls, stateful firewalls, application-level gateways, and circuit-level gateways. It also covers user authentication principles.

NET3106 – Network Security

Lecturer:
Houshyar Honar Pajooh
Room Number : AE-3-28 (University Building - East)
Email: houshyarh@sunway.edu.my

Sunway University | NET3106 Network Security | Houshyar Honar Pajooh | Aug 2022
SENSITIVE
NET3106 – Network Security
WEEK (12)
Firewalls, Kerberos

Firewalls
• The firewall is an important complement to host-based security services
• Typically, a firewall is inserted between the premises network and the
Internet to establish a controlled link and to erect an outer security wall or
perimeter
• The aim of this perimeter is to protect the premises network from Internet-
based attacks and to provide a single choke point where security and
auditing can be imposed
• Firewalls are also deployed internal to the enterprise network to segregate
portions of the network
• The firewall provides an additional layer of defense, insulating internal
systems from external networks or other parts of the internal network
• This follows the classic military doctrine of “defense in depth,” which is just
as applicable to IT security
Firewall Design Goals
• All traffic from inside to outside, and vice versa, must pass
through the firewall. This is achieved by physically blocking all
access to the local network except via the firewall
• Only authorized traffic, as defined by the local security policy,
will be allowed to pass. Various types of firewalls are used,
which implement various types of security policies
• The firewall itself is immune to penetration. This implies the use
of a hardened system with a secured operating system (OS).
Trusted computer systems are suitable for hosting a firewall and
are often required in government applications
Firewall Techniques
• There are four techniques that firewalls use to control access and
enforce the site’s security policy
– Service control
▪ Determines the types of Internet services that can be
accessed, inbound or outbound
– Direction control
▪ Determines the direction in which particular service requests
may be initiated and allowed to flow through the firewall
– User control
▪ Controls access to a service according to which user is
attempting to access it
– Behavior control
▪ Controls how particular services are used
Firewall Capabilities
• The following capabilities are within the scope of a firewall:
– A firewall defines a single choke point that keeps
unauthorized users out of the protected network, prohibits
potentially vulnerable services from entering or leaving the
network, and provides protection from various kinds of IP
spoofing and routing attacks
– A firewall provides a location for monitoring security-related
events
– A firewall is a convenient platform for several Internet
functions that are not security related
– A firewall can serve as the platform for implementing virtual
private networks
Firewall Limitations
• Firewalls have their limitations, including the following:
– The firewall cannot protect against attacks that bypass the firewall.
Internal systems may have dial-out capability to connect to an ISP. An
internal LAN may support a modem pool that provides dial-in capability
for traveling employees and telecommuters
– The firewall may not protect fully against internal threats, such as a
disgruntled employee or an employee who unwittingly cooperates with
an external attacker
– An improperly secured wireless LAN may be accessed from outside the
organization. An internal firewall that separates portions of an
enterprise network cannot guard against wireless communications
between local systems on different sides of the internal firewall
– A laptop, smartphone, or portable storage device may be used and
infected outside the corporate network, and then connected and used
internally
Figure 21.1 Types of Firewalls
Figure 21.2 Packet-Filtering Example
Packet Filtering Firewalls
• Advantages:
– Simplicity
– Typically transparent to users
– Are very fast
• Weaknesses:
– They cannot prevent attacks that employ application-specific
vulnerabilities or functions
– The logging functionality present in packet filter firewalls is limited
– Most packet filter firewalls do not support advanced user
authentication schemes
– Packet filter firewalls are generally vulnerable to attacks and exploits
that take advantage of problems within the TCP/IP specification and
protocol stack
– Packet filter firewalls are susceptible to security breaches caused by
improper configurations
Attacks and Countermeasures (1 of 2)
• Some of the attacks that can be made on packet filtering firewalls and the
appropriate countermeasures are the following:
– IP address spoofing: The intruder transmits packets from the
outside with a source IP address field containing an address of
an internal host
▪ The countermeasure is to discard packets with an inside source
address if the packet arrives on an external interface. In fact, this
countermeasure is often implemented at the router external to the
firewall
– Source routing attacks: The source station specifies the route
that a packet should take as it crosses the Internet, in the hopes
that this will bypass security measures that do not analyze the
source routing information
▪ The countermeasure is to discard all packets that use this option
Attacks and Countermeasures (2 of 2)
– Tiny fragment attacks: The intruder uses the IP
fragmentation option to create extremely small
fragments and force the TCP header information into
a separate packet fragment
▪ A tiny fragment attack can be defeated by enforcing a
rule that the first fragment of a packet must contain a
predefined minimum amount of the transport header. If
the first fragment is rejected, the filter can remember
the packet and discard all subsequent fragments
Table 21.1 Example Stateful Firewall Connection State Table

Source Address   Source Port   Destination Address   Destination Port   Connection State
192.168.1.100    1030          210.9.88.29           80                 Established
192.168.1.102    1031          216.32.42.123         80                 Established
192.168.1.101    1033          173.66.32.122         25                 Established
192.168.1.106    1035          177.231.32.12         79                 Established
223.43.21.231    1990          192.168.1.6           80                 Established
219.22.123.32    2112          192.168.1.6           80                 Established
210.99.212.18    3321          192.168.1.6           80                 Established
24.102.32.23     1025          192.168.1.6           80                 Established
223.21.22.12     1046          192.168.1.6           80                 Established
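The countermeasures on the two "Attacks and Countermeasures" slides and the connection state table in Table 21.1 can be put together in one small filter. The following is an added example written for these notes, not code from the lecture or from any firewall product: a stateless rule set (anti-spoofing on the external interface, discard of source-routed packets, a minimum transport-header size for first fragments with memory of rejected packets) in front of a stateful lookup seeded with the rows of Table 21.1. The inside network 192.168.1.0/24, the allowed ports and the 20-byte minimum are constructed policy values, and a connection is recorded as "Established" on the first permitted SYN, which is a simplification of the real three-way-handshake tracking.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("192.168.1.0/24")   # protected premises network (constructed)
MIN_FIRST_FRAGMENT_TRANSPORT_BYTES = 20     # assumed policy value: one full TCP header
OUTBOUND_ALLOWED_PORTS = {25, 79, 80}       # services inside hosts may initiate (service control)
INBOUND_ALLOWED = {("192.168.1.6", 80)}     # the public web server seen in Table 21.1

# Rows of Table 21.1 as (source address, source port, destination address, destination port)
TABLE_21_1 = [
    ("192.168.1.100", 1030, "210.9.88.29", 80),
    ("192.168.1.102", 1031, "216.32.42.123", 80),
    ("192.168.1.101", 1033, "173.66.32.122", 25),
    ("192.168.1.106", 1035, "177.231.32.12", 79),
    ("223.43.21.231", 1990, "192.168.1.6", 80),
    ("219.22.123.32", 2112, "192.168.1.6", 80),
    ("210.99.212.18", 3321, "192.168.1.6", 80),
    ("24.102.32.23", 1025, "192.168.1.6", 80),
    ("223.21.22.12", 1046, "192.168.1.6", 80),
]


@dataclass
class Packet:
    iface: str                   # "external" or "internal": interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False            # TCP connection attempt
    source_routed: bool = False  # IP source-route option present
    fragment_offset: int = 0     # 0 for the first (or only) fragment
    transport_bytes: int = 20    # bytes of transport header carried by this fragment


class StatefulFilter:
    def __init__(self, established=()):
        # Connection state table: (initiator, port, responder, port) -> state
        self.state = {row: "Established" for row in established}
        self.rejected = set()    # (src, dst) of packets whose first fragment was rejected

    def decide(self, p: Packet) -> str:
        # 1. IP address spoofing: an inside source address must never arrive from outside.
        if p.iface == "external" and ip_address(p.src) in INSIDE_NET:
            return "DROP: inside source address on external interface"
        # 2. Source routing: discard every packet that carries the option.
        if p.source_routed:
            return "DROP: source-routed packet"
        # 3. Tiny fragments: the first fragment must carry the minimum transport header;
        #    remember the rejected packet and discard its later fragments as well.
        if p.fragment_offset == 0 and p.transport_bytes < MIN_FIRST_FRAGMENT_TRANSPORT_BYTES:
            self.rejected.add((p.src, p.dst))
            return "DROP: tiny first fragment"
        if p.fragment_offset > 0:
            if (p.src, p.dst) in self.rejected:
                return "DROP: fragment of a rejected packet"
            return "ACCEPT: continuation fragment"
        # 4. Stateful inspection: traffic of an established connection passes in either direction.
        if (p.src, p.sport, p.dst, p.dport) in self.state:
            return "ACCEPT: established (initiator -> responder)"
        if (p.dst, p.dport, p.src, p.sport) in self.state:
            return "ACCEPT: established (responder -> initiator)"
        # 5. New connections only via SYN, and only where service and direction policy allow.
        if not p.syn:
            return "DROP: no matching connection state"
        if p.iface == "internal" and p.dport in OUTBOUND_ALLOWED_PORTS:
            self.state[(p.src, p.sport, p.dst, p.dport)] = "Established"
            return "ACCEPT: new outbound connection recorded"
        if p.iface == "external" and (p.dst, p.dport) in INBOUND_ALLOWED:
            self.state[(p.src, p.sport, p.dst, p.dport)] = "Established"
            return "ACCEPT: new inbound connection recorded"
        return "DROP: policy does not allow this service in this direction"


def demo():
    """Five constructed packets exercising each rule against the Table 21.1 state."""
    fw = StatefulFilter(TABLE_21_1)
    return [
        fw.decide(Packet("external", "192.168.1.50", 4444, "192.168.1.6", 80, syn=True)),
        fw.decide(Packet("external", "210.9.88.29", 80, "192.168.1.100", 1030)),
        fw.decide(Packet("external", "8.8.8.8", 5555, "192.168.1.100", 1030)),
        fw.decide(Packet("external", "8.8.8.8", 5555, "192.168.1.6", 80, syn=True, transport_bytes=8)),
        fw.decide(Packet("external", "8.8.8.8", 5555, "192.168.1.6", 80, fragment_offset=1)),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The second packet in `demo` is the web server's reply to the first row of Table 21.1 and is accepted only because that row is in the state table; the third packet targets the same inside host and port but matches no entry, which is exactly the distinction a stateless packet filter cannot make.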
Application-Level Gateway
• Also called an application proxy
• Acts as a relay of application-level traffic
• Tend to be more secure than packet filters
– Rather than trying to deal with the numerous possible
combinations that are to be allowed and forbidden at the TCP
and IP level, the application-level gateway need only scrutinize
a few allowable applications
• A prime disadvantage of this type of gateway is the additional
processing overhead on each connection
– In effect, there are two spliced connections between the end
users, with the gateway at the splice point, and the gateway
must examine and forward all traffic in both directions
Circuit-Level Gateway
• A fourth type of firewall is the circuit-level gateway or circuit-
level proxy
• Can be a stand-alone system or it can be a specialized function
performed by an application-level gateway for certain
applications
• A circuit-level gateway does not permit an end-to-end TCP
connection
• The security function consists of determining which connections
will be allowed
• A typical use of circuit-level gateways is a situation in which the
system administrator trusts the internal users
Figure 21.3 Example Firewall Configuration
User Authentication
• The process of determining whether some user or some application or
process acting on behalf of a user is, in fact, who or what it declares itself to
be
• Authentication technology provides access control for systems by checking to
see if a user’s credentials match the credentials in a database of authorized
users or in a data authentication server
• Authentication enables organizations to keep their networks secure by
permitting only authenticated users (or processes) to access their protected
resources
• User authentication is distinct from message authentication
– Message authentication is a procedure that allows communicating
parties to verify that the contents of a received message have not been
altered and that the source is authentic
Authentication Principles (1 of 2)
• Digital identity:
– The unique representation of a subject engaged in an online
transaction
– The representation consists of an attribute or set of
attributes that uniquely describe a subject within a given
context of a digital service, but does not necessarily
uniquely identify the subject in all contexts
• Identity proofing:
– Establishes that a subject is who they claim to be to a stated
level of certitude
– This process involves collecting, validating, and verifying
information about a person
Authentication Principles (2 of 2)
• Digital authentication:
– The process of determining the validity of one or more
authenticators used to claim a digital identity
– Authentication establishes that a subject attempting to
access a digital service is in control of the technologies used
to authenticate
– Successful authentication provides reasonable risk-based
assurances that the subject accessing the service today is
the same as the subject that previously accessed the service
Figure 16.1 The NIST 800-63 Digital Identity Model
Table 16.1 Authentication Factors

Factor       Examples           Properties
Knowledge    User ID            Can be shared
             Password           Many passwords easy to guess
             PIN                Can be forgotten
Possession   Smart card         Can be shared
             Electronic badge   Can be duplicated (cloned)
             Electronic key     Can be lost or stolen
Inherence    Fingerprint        Not possible to share
             Face               False positives and false negatives possible
             Iris               Forging difficult
             Voice print
Figure 16.2 Multifactor Authentication
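To make the "credentials match the credentials in a database" check and the multifactor idea of Figure 16.2 concrete, here is an added example (written for these notes, not from the lecture or NIST 800-63) that combines a knowledge factor with a possession factor: the password is stored as a salted PBKDF2 hash and verified with a constant-time comparison, and the second factor is a time-based one-time code computed from a secret provisioned into the user's device. The HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238, so the published test vectors for the secret `12345678901234567890` apply; the enrolment record layout, the 30-second step, the one-step skew window and the last-used-counter replay guard are this example's own choices.

```python
import hashlib
import hmac
import os
import struct
import time


def enroll(password: str, totp_secret: bytes, iterations: int = 200_000) -> dict:
    """Constructed user record: salted PBKDF2 hash (knowledge) + device secret (possession)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest,
            "totp_secret": totp_secret, "last_counter": -1}


def verify_password(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])   # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(record: dict, code: str, at_time: float, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- window steps for clock drift; reject any reuse of a
    counter value that has already authenticated (timeliness: a captured code is worthless)."""
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if hmac.compare_digest(hotp(record["totp_secret"], candidate), code):
            if candidate <= record["last_counter"]:
                return False                     # replay of an already-used code
            record["last_counter"] = candidate
            return True
    return False


def authenticate(record: dict, password: str, code: str, at_time: float = None) -> bool:
    """Both factors are always evaluated so the outcome does not reveal which one failed."""
    at_time = time.time() if at_time is None else at_time
    password_ok = verify_password(record, password)
    code_ok = verify_totp(record, code, at_time)
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed demo user; the secret is the RFC 4226/6238 test-vector secret.
    user = enroll("correct horse battery", b"12345678901234567890")
    now = time.time()
    print("login:", authenticate(user, "correct horse battery", totp(user["totp_secret"], now), now))
```

The example sharpens the table's "Can be shared" row: a stolen password alone fails `authenticate`, and a one-time code observed in transit fails on the second presentation because its counter has already been consumed.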
Mutual Authentication (1 of 2)
• Protocols which enable communicating parties to satisfy themselves
mutually about each other’s identity and to exchange session keys

• Central to the problem of authenticated key exchange are two issues:


– Confidentiality
▪ Essential identification and session-key information must be
communicated in encrypted form
▪ This requires the prior existence of secret or public keys that can be
used for this purpose
– Timeliness
▪ Important because of the threat of message replays
▪ Such replays could allow an opponent to:
– compromise a session key
– successfully impersonate another party
– disrupt operations by presenting parties with messages that
appear genuine but are not
Kerberos
• Authentication service developed as part of Project Athena at MIT
• A workstation cannot be trusted to identify its users correctly to network
services
– A user may gain access to a particular workstation and pretend to be
another user operating from that workstation
– A user may alter the network address of a workstation so that the
requests sent from the altered workstation appear to come from the
impersonated workstation
– A user may eavesdrop on exchanges and use a replay attack to gain
entrance to a server or to disrupt operations
• Kerberos provides a centralized authentication server whose function is to
authenticate users to servers and servers to users
– Relies exclusively on symmetric encryption, making no use of public-key
encryption
Kerberos Requirements (1 of 2)
• The first published report on Kerberos listed the following
requirements:
• Secure
– A network eavesdropper should not be able to obtain the
necessary information to impersonate a user
• Reliable
– Should be highly reliable and should employ a distributed
server architecture with one system able to back up another
Kerberos Requirements (2 of 2)
• Transparent
– Ideally, the user should not be aware that authentication is
taking place beyond the requirement to enter a password
• Scalable
– The system should be capable of supporting large numbers
of clients and servers
Kerberos Version 4
• Makes use of DES to provide the authentication service
• Authentication server (AS)
– Knows the passwords of all users and stores these in a centralized database
– Shares a unique secret key with each server
• Ticket
– Created once the AS accepts the user as authentic; contains the user’s ID and
network address and the server’s ID
– Encrypted using the secret key shared by the AS and the server
• Ticket-granting server (TGS)
– Issues tickets to users who have been authenticated to AS
– Each time the user requires access to a new service the client applies to the TGS
using the ticket to authenticate itself
– The TGS then grants a ticket for the particular service
– The client saves each service-granting ticket and uses it to authenticate its user
to a server each time a particular service is requested
The Version 4 Authentication Dialogue
• The lifetime associated with the ticket-granting ticket creates a
problem:
– If the lifetime is very short (e.g., minutes), the user will be
repeatedly asked for a password
– If the lifetime is long (e.g., hours), then an opponent has a
greater opportunity for replay
• A network service (the TGS or an application service) must be
able to prove that the person using a ticket is the same person
to whom that ticket was issued
• Servers need to authenticate themselves to users
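The three requirements on this slide (a ticket lifetime long enough to avoid repeated password prompts but bounded against replay, proof that the presenter of a ticket is its owner, and authentication of the server back to the user) together with the confidentiality and timeliness issues of the "Mutual Authentication" slides are easiest to see in a running version of the six-message dialogue. The following is an added example written for these notes, not MIT's Kerberos code: it models the AS, the TGS and an application server V as functions sharing a constructed key database. DES is replaced by a toy authenticated cipher (HMAC-SHA256 keystream plus an HMAC tag) so the example has no dependencies; the user, server and address names, the 8-hour lifetime and the 300-second authenticator window are this example's assumptions.

```python
import hashlib
import hmac
import json
import os


# --- Toy authenticated symmetric cipher standing in for Kerberos v4's DES (assumption of this
# example): HMAC-SHA256 keystream XORed with the plaintext, plus an HMAC tag over the ciphertext.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]


def encrypt(key: bytes, obj) -> bytes:
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


# --- Constructed Kerberos database: K_c derived from the user's password; K_tgs and K_v are the
# secret keys the AS shares with each server. Lifetime and skew are assumptions of this example.
def key_from_password(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


KDB = {"alice": key_from_password("alice-pw"), "tgs": os.urandom(32), "mailsrv": os.urandom(32)}
AD_C = "192.168.1.100"     # client's network address (constructed)
LIFETIME = 8 * 3600        # ticket lifetime: long enough to avoid repeated password prompts
SKEW = 300                 # how old an authenticator may be before it is treated as a replay


# (1) C -> AS: ID_c || ID_tgs || TS1 (cleartext)
# (2) AS -> C: E(K_c, [K_c,tgs || ID_tgs || TS2 || Lifetime2 || Ticket_tgs])
def as_exchange(id_c: str, id_tgs: str, now: int) -> bytes:
    k_c_tgs = os.urandom(32)
    ticket_tgs = encrypt(KDB[id_tgs], {"key": k_c_tgs.hex(), "id_c": id_c, "ad_c": AD_C,
                                       "id_s": id_tgs, "ts": now, "lifetime": LIFETIME})
    return encrypt(KDB[id_c], {"key": k_c_tgs.hex(), "id_s": id_tgs, "ts": now,
                               "lifetime": LIFETIME, "ticket": ticket_tgs.hex()})


# Server-side check shared by the TGS and V: decrypt the ticket with the server's own key, then
# require an authenticator encrypted under the ticket's session key (only the ticket's owner has
# it), matching identity and address, and recent enough not to be a replayed capture.
def validate(server_key: bytes, ticket_blob: bytes, auth_blob: bytes, now: int, client_addr: str):
    t = decrypt(server_key, ticket_blob)
    if now > t["ts"] + t["lifetime"]:
        raise ValueError("ticket expired")
    k = bytes.fromhex(t["key"])
    a = decrypt(k, auth_blob)
    if (a["id_c"], a["ad_c"]) != (t["id_c"], t["ad_c"]) or client_addr != t["ad_c"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - a["ts"]) > SKEW:
        raise ValueError("stale authenticator (possible replay)")
    return t, k, a


# (3) C -> TGS: ID_v || Ticket_tgs || Authenticator_c
# (4) TGS -> C: E(K_c,tgs, [K_c,v || ID_v || TS4 || Ticket_v])
def tgs_exchange(id_v: str, ticket_tgs: bytes, auth: bytes, now: int, client_addr: str) -> bytes:
    t, k_c_tgs, _ = validate(KDB["tgs"], ticket_tgs, auth, now, client_addr)
    k_c_v = os.urandom(32)
    ticket_v = encrypt(KDB[id_v], {"key": k_c_v.hex(), "id_c": t["id_c"], "ad_c": t["ad_c"],
                                   "id_s": id_v, "ts": now, "lifetime": LIFETIME})
    return encrypt(k_c_tgs, {"key": k_c_v.hex(), "id_s": id_v, "ts": now, "ticket": ticket_v.hex()})


# (5) C -> V: Ticket_v || Authenticator_c
# (6) V -> C: E(K_c,v, [TS5 + 1]), which only a holder of K_v could produce: V is authenticated to C
def service_exchange(id_v: str, ticket_v: bytes, auth: bytes, now: int, client_addr: str) -> bytes:
    _, k_c_v, a = validate(KDB[id_v], ticket_v, auth, now, client_addr)
    return encrypt(k_c_v, {"ts_plus_1": a["ts"] + 1})


def client_login(id_c: str, password: str, id_v: str, now: int) -> bool:
    """Whole v4 dialogue from the client's side; True when V proved it knows K_c,v."""
    k_c = key_from_password(password)
    msg2 = decrypt(k_c, as_exchange(id_c, "tgs", now))            # wrong password -> ValueError
    k_c_tgs, ticket_tgs = bytes.fromhex(msg2["key"]), bytes.fromhex(msg2["ticket"])
    auth3 = encrypt(k_c_tgs, {"id_c": id_c, "ad_c": AD_C, "ts": now})
    msg4 = decrypt(k_c_tgs, tgs_exchange(id_v, ticket_tgs, auth3, now, AD_C))
    k_c_v, ticket_v = bytes.fromhex(msg4["key"]), bytes.fromhex(msg4["ticket"])
    auth5 = encrypt(k_c_v, {"id_c": id_c, "ad_c": AD_C, "ts": now})
    msg6 = decrypt(k_c_v, service_exchange(id_v, ticket_v, auth5, now, AD_C))
    return msg6["ts_plus_1"] == now + 1


if __name__ == "__main__":
    print("login ok:", client_login("alice", "alice-pw", "mailsrv", 1_700_000_000))
```

Note where each slide requirement lands: the password is never sent, it only unlocks message (2); the authenticator encrypted under the session key is what proves the presenter owns the ticket; the timestamp check in `validate` bounds how long a captured authenticator stays useful even though the ticket itself lives for hours; and message (6) is the server authenticating itself to the user.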
Table 16.2 Summary of Kerberos Version 4 Message Exchanges
Figure 16.3 Overview of Kerberos
Figure 16.4 Kerberos Exchanges
Kerberos Realms and Multiple Kerberi
• A full-service Kerberos environment consisting of a Kerberos
server, a number of clients, and a number of application servers
requires that:
– The Kerberos server must have the user ID and hashed
passwords of all participating users in its database; all users
are registered with the Kerberos server
– The Kerberos server must share a secret key with each
server; all servers are registered with the Kerberos server
– The Kerberos server in each interoperating realm shares a
secret key with the server in the other realm; the two
Kerberos servers are registered with each other
Kerberos Realm
• A set of managed nodes that share the same Kerberos database
• The database resides on the Kerberos master computer system,
which should be kept in a physically secure room
• A read-only copy of the Kerberos database might also reside on
other Kerberos computer systems
• All changes to the database must be made on the master
computer system
• Changing or accessing the contents of a Kerberos database
requires the Kerberos master password
Kerberos Principal
• A service or user that is known to the Kerberos system
• Identified by its principal name
• Three parts of a principal name:
– A service or user name
– An instance name
– A realm name
Figure 16.5 Request for Service in Another Realm
Differences Between Versions 4 and 5
• Version 5 is intended to address the limitations of version 4 in two
areas:
– Environmental shortcomings
▪ Encryption system dependence
▪ Internet protocol dependence
▪ Message byte ordering
▪ Ticket lifetime
▪ Authentication forwarding
▪ Interrealm authentication
– Technical deficiencies
▪ Double encryption
▪ PCBC encryption
▪ Session keys
▪ Password attacks
Table 16.3 Summary of Kerberos Version 5 Message Exchanges
Thank you Questions!!!
