IS Chap 6

Security Technology: Firewalls and VPNs
LEARNING OBJECTIVES

 Upon completion of this material, you should be able to:
 Recognize the important role of access control in computerized information
systems, and identify and discuss widely used authentication factors
 Describe firewall technology and the various approaches to firewall
implementation
 Identify the various approaches to control remote and dial-up access by
means of the authentication and authorization of users
 Discuss content filtering technology
 Describe the technology that enables the use of virtual private networks
Introduction

 Technical controls are essential in enforcing policy for the many IT functions
that are not under direct human control
 Technical control solutions, properly implemented, can improve an
organization’s ability to balance the often conflicting objectives of making
information readily and widely available and of preserving the information’s
confidentiality and integrity
Access Control

 Access control: a selective method by which systems specify who may use a
particular resource and how they may use it
 A combination of policies (who can do what), programs (software that enforces
these rules), and technologies (tools or systems that help enforce the rules)
 Mandatory access controls (MACs): use data classification schemes; they
give users and data owners limited control over access to information
resources
 Discretionary access controls (DACs): this type of control allows the user
to decide who can access the resources they control, such as files and folders
 For example, in a peer-to-peer network a user can choose to share files with
others if they want to
Access Control

 Nondiscretionary controls: access controls that are a strictly enforced
version of MACs, managed by a central authority in the organization
 Access is granted based on specific rules set by the organization
 Role-based controls: tied to the role a user performs in an
organization, such as "Manager" or "Employee." Each role has specific
access rights.
 Task-based controls: tied to a particular assignment or
responsibility assigned to the user. For example, someone assigned to
handle payroll might only have access to payroll data
Access Control

 Lattice-based access control: each user has a specific authorization level
for different types of information or resources.
 This level can be higher or lower, depending on the sensitivity of the
information and the user’s authorization.
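The lattice described above, as an added example (not code from the slides): a label is a sensitivity level plus a set of compartments, and one label "dominates" another only when it is at least as high on both axes, so some labels are incomparable. The read-down and write-up rules follow the standard Bell-LaPadula treatment of such a lattice, which the slides do not spell out; all levels, compartments and users are constructed for the demo.

```python
from dataclasses import dataclass, field

# Constructed ordering of sensitivity levels (higher number = more sensitive)
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

def dominates(a: Label, b: Label) -> bool:
    """True if label a sits at or above label b in the lattice:
    at least as high a level AND a superset of the compartments."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.compartments >= b.compartments

def can_read(subject: Label, obj: Label) -> bool:
    """Read-down: a subject may read objects its clearance dominates."""
    return dominates(subject, obj)

def can_write(subject: Label, obj: Label) -> bool:
    """Write-up only (Bell-LaPadula style): a subject may write to an object
    whose label dominates the subject's, so data never flows to a lower label."""
    return dominates(obj, subject)

def least_upper_bound(a: Label, b: Label) -> Label:
    """The lowest label that dominates both a and b, i.e. the clearance needed
    to read information combined from both sources."""
    top = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(top, a.compartments | b.compartments)

# Constructed subjects and objects
alice = Label("SECRET", frozenset({"PAYROLL"}))
bob = Label("CONFIDENTIAL", frozenset({"PAYROLL", "HR"}))
payroll_file = Label("CONFIDENTIAL", frozenset({"PAYROLL"}))
hr_file = Label("CONFIDENTIAL", frozenset({"HR"}))

if __name__ == "__main__":
    print(can_read(alice, payroll_file))   # True: SECRET/{PAYROLL} dominates CONFIDENTIAL/{PAYROLL}
    print(can_read(alice, hr_file))        # False: higher level, but alice lacks the HR compartment
    print(dominates(alice, bob), dominates(bob, alice))   # False False: incomparable labels
    print(least_upper_bound(alice, bob))   # SECRET with {PAYROLL, HR}
```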
Four Fundamental Functions of an Access Control System

 Identification:
 I am a user of the system. For example, entering a username or showing an
ID card lets the system know your identity.
 Authentication:
 I can prove I’m a user of the system, for example by entering a password,
scanning a fingerprint, or using a face recognition system.
 Authorization:
 Here’s what I can do with the system. For example, some users may have
permission to view files, while others can also edit or delete them.
 Accountability:
 Involves tracking and recording the actions you take in the system.
Access Control
Identification

 Identification in access control is the process where a user first tells the
system who they are. Before they can get access, the system needs to
check and confirm that the identity provided by the user is valid.
 Identifiers can be composite identifiers, concatenating elements such as
department codes, random numbers, or special characters to make them
unique
 Most organizations use a single piece of unique information, such as a
complete name or the user’s first initial and surname
Authentication

 Authentication is the process of proving that you are who you say you are
after you have identified yourself to the system. It’s like showing proof to
confirm your identity before the system lets you in.
 Authentication factors
 Something you know
 Password: a private word or a combination of characters that only the user should know
 scanning a fingerprint, or using a face recognition system
Authentication

 Something you have
 Dumb card: ID or ATM card with a magnetic stripe
 Smart card: contains a computer chip that can verify and validate information
 Synchronous tokens (time-based: generate a new code every 30 seconds, e.g. a mobile OTP)
 Asynchronous tokens (enter your username and password to verify it’s really
you)
 Something you are
 Relies upon individual characteristics
 Strong authentication
 Synchronous Tokens
Authorization

 Authorization is the process of determining what an
authenticated user can do within a system, such as with files,
databases, or applications. It ensures that only the right people
can see or change specific information.
 Authorization can be handled in one of three ways:
 Authorization for each authenticated user
 Authorization for members of a group
 Authorization across multiple systems
Accountability

 Accountability means being able to see and understand what actions
were taken in a system. If something goes wrong, you can find out
who was responsible because every action is linked to a specific user
 Accountability is most often accomplished by means of system logs
and database journals, and the auditing of these records.
 System logs record specific information.
Firewalls

 In information security, a firewall is a combination of hardware and software that filters or
prevents specific information from moving between the outside (untrusted)
network and the inside (trusted) network
 Ways to implement a firewall:
 Separate computer system: sometimes a dedicated computer is
used solely for filtering information. This system is focused on protecting the
network.
 Software service: software that runs on an existing router (the device that
connects your network to the Internet) or server. It checks the information without
needing additional hardware.
 Separate network: in some cases, there might be a whole separate network with
additional devices that work together to provide extra security.
Firewalls Processing Modes

 Processing modes by which firewalls can be categorized:
 Packet filtering
 Application layer/gateway
 MAC layer firewalls
 Hybrids
Packet-Filtering Firewalls
 Packet-filtering firewalls are like security guards that check the
"envelopes" of data packets before they enter or leave a network.
 Packet-filtering firewalls look at the header information of data
packets, which includes important details like:
 IP source and destination address. The firewall checks the source
address (where the packet is coming from) and the destination
address (where it’s going).
 Direction (inbound or outbound)
 Transmission Control Protocol (TCP) or User Datagram Protocol
(UDP) source and destination port requests
 Ports: allow data to enter or leave. The firewall checks the source
and destination ports, which are associated with specific services
or applications.
Three subsets of packet-filtering firewalls
 Static Filtering: means that the firewall uses a fixed set of rules that must be
created and set up in advance. These rules specify which types of traffic are allowed
or blocked.
 For example, if the firewall has a rule that blocks traffic from a specific IP address, it will
always enforce that rule until someone manually changes it. This type of filtering is
straightforward but does not adapt to new threats or changes in the network.
 Dynamic filtering: It allows the firewall to respond to real-time events and adjust its
rules accordingly.
 If the firewall detects unusual activity, like a sudden increase in traffic from a specific source,
it can automatically create new rules to block that traffic or allow it based on the situation.
This makes dynamic filtering more responsive to emerging threats.
 Stateful packet inspection (SPI) firewalls: keep track of each network
connection between internal and external systems using a state table
 How It Works: The firewall maintains a state table that records information about ongoing
connections, such as the source and destination IP addresses, port numbers, and the
connection status (e.g., established, closing). This allows the firewall to understand the
context of the traffic and make smarter decisions about allowing or blocking packets based
on whether they belong to an existing connection or are unsolicited.
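The difference between static filtering and stateful packet inspection, as an added example that is not code from the slides: both filters apply the same small rule base to the packet header, but the stateful one also keeps a state table of connections opened from the trusted side, so the web server's reply is admitted while an unsolicited inbound packet to the same port is dropped. Networks, hosts and rules are constructed for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TRUSTED_NET = ip_network("10.0.0.0/8")   # constructed internal (trusted) network

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    syn: bool = False        # TCP SYN without ACK: an attempt to open a connection

def direction(pkt: Packet) -> str:
    """Outbound if the packet leaves the trusted network, otherwise inbound."""
    return "outbound" if ip_address(pkt.src_ip) in TRUSTED_NET else "inbound"

# Static rule base: (direction, protocol, destination port or None for any, action).
# Rules are checked top to bottom; the first match wins; no match means deny.
RULES = [
    ("outbound", "tcp", None, "allow"),   # everything from the trusted network may leave
    ("inbound", "tcp", 25, "allow"),      # SMTP may come in to reach the mail server
]

def static_filter(pkt: Packet) -> str:
    """Static packet filtering: header fields against fixed rules, no memory."""
    for rule_dir, proto, port, action in RULES:
        if (direction(pkt) == rule_dir and pkt.proto == proto
                and (port is None or pkt.dst_port == port)):
            return action
    return "deny"                            # implicit deny

class StatefulFilter:
    """Stateful packet inspection: the same rules, plus a state table of
    connections so reply traffic for a connection opened from inside is admitted."""

    def __init__(self):
        # key: (internal ip, internal port, external ip, external port, proto)
        self.state_table: dict = {}

    def _key(self, pkt: Packet) -> tuple:
        if direction(pkt) == "outbound":
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)

    def filter(self, pkt: Packet) -> str:
        key = self._key(pkt)
        if key in self.state_table:          # belongs to a tracked connection
            return "allow"
        verdict = static_filter(pkt)         # unknown traffic: the rules decide
        if verdict == "allow" and pkt.syn:   # a newly permitted connection
            self.state_table[key] = "established"
        return verdict

# Constructed traffic: an internal client browses an external web server.
OUTBOUND_SYN = Packet("10.0.0.5", 51000, "203.0.113.5", 80, syn=True)
WEB_REPLY = Packet("203.0.113.5", 80, "10.0.0.5", 51000)
UNSOLICITED = Packet("198.51.100.9", 80, "10.0.0.5", 51000)

if __name__ == "__main__":
    spi = StatefulFilter()
    for pkt in (OUTBOUND_SYN, WEB_REPLY, UNSOLICITED):
        print(f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} "
              f"static={static_filter(pkt)} stateful={spi.filter(pkt)}")
```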
Packet-filtering router
Application Gateway

 Known as an application-level firewall or application firewall
 A security device that acts as a middleman between users and the
web server of an organization
 Receives external requests for web content
 Forwards the request to the internal web server on behalf of the client
 Returns requested pages to the client
 The proxy server sits in the DMZ (area in the network between trusted
internal systems and the outside Internet)
MAC Layer Firewalls

 A MAC layer firewall uses the unique MAC (hardware) address of each network
interface to make decisions about which network traffic to allow or block.
 The firewall knows the MAC address of each device connected to the network
 The firewall uses an Access Control List (ACL), which is like a set of rules.
The ACL specifies which types of data packets (like web requests, file
transfers, etc.) are allowed or blocked for each device based on its MAC
address.
 When data tries to enter or leave the network, the MAC layer firewall checks
the MAC address of the sender or receiver.
 If the packet matches the rules in the ACL (for example, a rule allowing web
requests to a specific MAC address), the firewall allows it.
 If it doesn’t match, the firewall blocks it
 Employee computers and guest devices
MAC Layer Firewalls
Hybrid Firewalls

 Hybrid firewalls combine features from different types of firewalls,
such as packet-filtering firewalls, proxy servers, and circuit
gateways
 They create a stronger and more flexible security setup
 The first firewall might be a packet-filtering firewall that checks
basic information in data packets (like IP addresses and ports) to
allow or block traffic based on predefined rules.
 If a packet is allowed, it passes to a proxy server, which performs
more in-depth inspection by acting as an intermediary between the
user and the main server
Example of a Hybrid

 A company with sensitive internal data on its servers and a lot of online
traffic:
 Packet-Filtering Firewall: This firewall checks the incoming data at
the network’s edge, allowing only traffic from specific, approved
sources and blocking anything suspicious.
 Proxy Server: Once the packet-filtering firewall has approved the
data, it sends the request to a proxy server. The proxy server further
checks the request by acting as a go-between; it connects to the
company’s web server on behalf of the external client, limiting direct
access to the company’s network.
 Secure Connection: Only after passing these checks can a user
access the requested data, keeping the company’s internal network
well-protected.
Hybrid Firewalls

 Increased security: multiple layers of security reduce the risk of
attacks.
 Upgrade flexibility: an organization can add a hybrid firewall setup
without replacing existing firewalls, allowing them to improve security
without major changes.
Firewall Architectures

 Firewall devices can be set up in different ways within a network
 The best configuration depends on three factors:
 Objectives of the network
 Organization’s ability to develop and implement architectures
 Budget available for the function
Firewall Architectures

 Three common architectural implementations of firewalls:
 Single bastion hosts
 Screened host
 Screened subnet (with DMZ)
Single bastion hosts

 Single bastion hosts
 Commonly referred to as a sacrificial host, as it stands as the sole defender on
the network perimeter
 Usually implemented as a dual-homed host, which contains two network
interface cards (NICs): one connected to the external network and one
connected to the internal network
 Implementation of this architecture often makes use of network address
translation (NAT), creating another barrier to intrusion from external
attackers
bastion hosts firewall
Screened host architecture

 Screened host architecture
 Combines a packet-filtering router with a separate, dedicated firewall such
as an application proxy server
 Allows the router to prescreen packets to minimize the traffic/load on the internal
proxy
 Requires an external attack to compromise two separate systems before
the attack can access internal data
Screened host architecture
Screened subnet architecture (with DMZ)

 Screened subnet architecture (with DMZ)
 Is the dominant architecture used today
 Commonly consists of two or more internal firewalls behind a packet-filtering
router, with each protecting a trusted network:
 Connections from the outside or untrusted network are routed through the external
filtering router.
 Connections from the outside or untrusted network are routed into and out of
a routing firewall to a separate network segment known as the DMZ.
 Connections into the trusted internal network are allowed only from DMZ bastion
host servers.
Screened subnet architecture (with DMZ)
 Screened subnet performs two functions:
 Protects DMZ systems and information from outside threats
 Protects the internal networks by limiting how external connections can
gain access to internal systems
 Another facet of DMZs: creation of extranets
Screened subnet (DMZ)
Selecting the Right Firewall

 When selecting the firewall, consider the following factors:
 Which type of firewall technology offers the right balance between
protection and cost for the needs of the organization?
 What features are included in the base price? What features are available
at extra cost? Are all cost factors known?
Selecting the Right Firewall

 How easy is it to set up and configure the firewall? Does the organization
have staff on hand that are trained to configure the firewall, or would the
hiring of additional employees be required?
 Can the firewall adapt to the growing network in the target organization?
 Most important factor is provision of required protection
 Second most important issue is cost
Configuring and Managing Firewalls
 The organization must provide for the initial configuration and
ongoing management of firewall(s)
 Each firewall device must have its own set of configuration rules
regulating its actions
 Firewall policy configuration is usually complex and difficult
 Configuring firewall policies is both an art and a science
 When security rules conflict with the performance of business,
security often loses
Configuring and Managing Firewalls
 Best practices for firewalls
 All traffic from the trusted network is allowed out.
 The firewall device is never directly accessed from the public network.
 Simple Mail Transfer Protocol (SMTP) data are allowed
to pass through the firewall.
Configuring and Managing Firewalls
 Telnet access to internal servers should be blocked.
 When Web services are offered outside the firewall, HTTP traffic should be
blocked from reaching internal networks.
 All data that are not verifiably authentic should be denied.
Configuring and Managing Firewalls
 Firewall rules
 Firewalls operate by examining data packets and performing comparison
with predetermined logical rules.
 The logic is based on a set of guidelines most commonly referred to as
firewall rules, rule base, or firewall logic.
 Most firewalls use packet header information to determine whether a
specific packet should be allowed or denied.
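The best practices listed above written out as a rule base, as an added example that is not code from the slides: rules are compared top to bottom against the packet header and the first match wins, which is why the narrow deny rules (no public access to the firewall, no Telnet or HTTP into the internal network) sit above the broad allows, and why everything that matches nothing falls through to an implicit deny. A small check for "shadowed" rules shows how a wrong ordering silently disables a rule. The address plan is constructed for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan
TRUSTED = ip_network("10.0.0.0/8")            # internal network
DMZ_MAIL = ip_network("192.0.2.25/32")        # mail server in the DMZ
DMZ_WEB = ip_network("192.0.2.80/32")         # public web server in the DMZ
FIREWALL = ip_network("203.0.113.1/32")       # the firewall's own address
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    name: str
    src: object                 # ip_network the source address must fall in
    dst: object                 # ip_network the destination address must fall in
    dst_port: Optional[int]     # None = any port
    action: str                 # "allow" or "deny"

    def matches(self, src, dst, dst_port) -> bool:
        return (src in self.src and dst in self.dst
                and (self.dst_port is None or self.dst_port == dst_port))

# Ordered rule base: first match wins; anything that falls through is denied
# because it is not verifiably permitted.
RULE_BASE = [
    Rule("firewall managed only from the trusted network", TRUSTED, FIREWALL, None, "allow"),
    Rule("no direct access to the firewall from the public network", ANY, FIREWALL, None, "deny"),
    Rule("Telnet to internal servers is blocked", ANY, TRUSTED, 23, "deny"),
    Rule("HTTP must not reach the internal network", ANY, TRUSTED, 80, "deny"),
    Rule("SMTP may pass through to the mail server", ANY, DMZ_MAIL, 25, "allow"),
    Rule("HTTP to the public web server in the DMZ", ANY, DMZ_WEB, 80, "allow"),
    Rule("all traffic from the trusted network is allowed out", TRUSTED, ANY, None, "allow"),
]

def evaluate(src: str, dst: str, dst_port: int, rule_base=RULE_BASE):
    """Return (action, name of the deciding rule); implicit deny if nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rule_base:
        if rule.matches(s, d, dst_port):
            return rule.action, rule.name
    return "deny", "implicit deny"

def shadowed_rules(rule_base=RULE_BASE):
    """Rules that can never fire because an earlier rule with the opposite
    action already covers everything they match (a common ordering mistake)."""
    found = []
    for i, later in enumerate(rule_base):
        for earlier in rule_base[:i]:
            if (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
                    and (earlier.dst_port is None or earlier.dst_port == later.dst_port)
                    and earlier.action != later.action):
                found.append((later.name, earlier.name))
                break
    return found

if __name__ == "__main__":
    for pkt in [("198.51.100.7", "203.0.113.1", 22), ("198.51.100.7", "10.0.0.10", 23),
                ("198.51.100.7", "192.0.2.25", 25), ("10.0.0.5", "198.51.100.7", 443),
                ("198.51.100.7", "10.0.0.10", 445)]:
        print(pkt, "->", evaluate(*pkt))
    print("shadowed:", shadowed_rules())
```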
Well-Known Port Numbers

Port Number   Protocol
7             Echo
20            File Transfer [Default Data] (FTP)
21            File Transfer [Control] (FTP)
23            Telnet
25            Simple Mail Transfer Protocol (SMTP)
53            Domain Name System (DNS)
80            Hypertext Transfer Protocol (HTTP)
110           Post Office Protocol version 3 (POP3)
161           Simple Network Management Protocol (SNMP)
Well-Known Port Numbers

 When you enter "https://example.com", your browser automatically
connects to port 443 (HTTPS) on the server hosting that website.
 If you try to upload a file to your website’s server, you might use an
FTP client, which connects to port 21 on the server.
 While browsing, your computer may also be using port 53 to
communicate with a DNS server to translate website names into IP
addresses.
Content Filters

 A software program or hardware/software appliance that allows
administrators to restrict content that comes into or leaves a network
 Essentially a set of scripts or programs restricting user access to
certain networking protocols/Internet locations
 Primary purpose is to restrict internal access to external material
 Most common content filters restrict users from accessing non-business
Web sites or deny incoming spam
Protecting Remote Connections

 Installing internetwork connections requires leased lines or other data
channels; these connections are usually secured under the
requirements of a formal service agreement.
 When individuals seek to connect to an organization’s network, a
more flexible option must be provided.
 Options such as virtual private networks (VPNs) have become more
popular due to the spread of the Internet.
Remote Access

 Unsecured dial-up connection points represent a substantial
exposure to attack.
 An attacker can use a device called a war dialer to locate the connection
points.
 A war dialer is a program that automatically calls every phone
number in a certain range. When it detects a modem answering, it
records the number. This helps attackers find possible entry points to
the network.
 Some technologies (Kerberos; RADIUS systems; TACACS; CHAP
password systems) have improved the authentication process.
Remote Access

 RADIUS (Remote Authentication Dial-In User Service):
 Centralizes the authentication process
 When a user tries to log in, their login request is sent to the RADIUS
server, which verifies their credentials (username and password) and
decides if they can access the network.
 If an employee is dialing in to access company resources, the RADIUS
server checks their username and password. If they’re correct, they’re
allowed in; if not, access is denied
 Diameter:
 A newer version of RADIUS, designed to be more flexible and secure.
 Used in some networks to improve upon RADIUS, especially in mobile and
Internet applications that need more advanced security features.
RADIUS configuration

1. Remote worker dials the NAS and submits username and
password
2. NAS passes username and password to the RADIUS server
3. RADIUS server approves or rejects the request and provides
access authorization
4. NAS provides access to the authorized remote worker
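The four-step NAS and RADIUS server exchange above, as an added example that is not code from the slides: it uses the RFC 2865 packet layout (a 20-byte header with code, identifier, length and a 16-byte authenticator, followed by type/length/value attributes), hides the User-Password under the shared secret as the RFC specifies, and has the NAS check the Response Authenticator so a forged Access-Accept is not trusted. The shared secret, user database and credentials are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # attribute types

def attribute(attr_type: int, value: bytes) -> bytes:
    """One type/length/value attribute; length covers the 2-byte header too."""
    return bytes([attr_type, len(value) + 2]) + value

def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs

def hide_password(password: str, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    p = password.encode()
    p = p.ljust(max(16, -(-len(p) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        block = bytes(a ^ b for a, b in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> str:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00").decode()

def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def nas_access_request(ident: int, username: str, password: str, secret: bytes):
    """Steps 1-2: the NAS wraps the dial-in user's credentials for the server."""
    request_auth = os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth)))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def radius_server_respond(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Step 3: verify the credentials and answer Access-Accept or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    user = attrs[USER_NAME].decode()
    ok = (code == ACCESS_REQUEST and user in user_db
          and user_db[user] == reveal_password(attrs[USER_PASSWORD], secret, request_auth))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()

def nas_accepts(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Step 4: grant access only for an Access-Accept whose authenticator verifies."""
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth) and response[0] == ACCESS_ACCEPT
```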
Remote Access

 TACACS (Terminal Access Controller Access Control System):
 Similar to RADIUS, TACACS also centralizes the authentication process.
 A user’s credentials are sent to a TACACS server, which verifies them. Like
RADIUS, it’s based on a client-server setup.
 If a company uses TACACS, an employee’s login request is verified by a
central server, ensuring only authorized people access the network.
 Separates authentication, authorization, and accounting into
different steps, allowing more flexibility in controlling what users can
do once authenticated.
Virtual Private Networks (VPNs)

 A private and secure network connection between systems; uses the data
communication capability of an unsecured and public network
 Securely extends an organization’s internal network connections to
remote locations
 Three VPN technologies defined:
 Trusted VPN (relies on a service provider to ensure a private, secure
connection)
 Secure VPN (uses encryption to protect the data as it travels through the
public network, adding a high level of security)
 Hybrid VPN (combines trusted and secure)
Virtual Private Networks (VPNs)

 A VPN must accomplish:
 Encapsulation of incoming and outgoing data
 Encryption of incoming and outgoing data
 Authentication of the remote computer and perhaps the remote user as well
 In the most common implementation, it allows the user to turn the Internet
into a private network
Virtual Private Networks (VPNs)

 Transport mode
 Data within IP packet are encrypted, but header information is not
 Allows user to establish secure link directly with remote host, encrypting
only data contents of packet
 Two popular uses:
 End-to-end transport of encrypted data
 Remote access worker connects to an office network over Internet by connecting
to a VPN server on the perimeter
Transport mode VPN
Virtual Private Networks (VPNs)

 Tunnel mode
 Establishes two perimeter tunnel servers to encrypt all traffic that will
traverse an unsecured network
 Entire client package encrypted and added as data portion of packet from
one tunneling server to another
 Primary benefit to this model is that an intercepted packet reveals nothing
about the true destination system
 Example of tunnel mode VPN: Microsoft’s Internet Security and
Acceleration (ISA) Server
Tunnel mode VPN
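What an on-path observer can read in transport mode versus tunnel mode, as an added example that is not code from the slides: both modes encrypt the data, but only tunnel mode also wraps the original IP header inside the encrypted part and puts the two tunnel servers' addresses on the outside. The cipher is a keyed SHA-256 keystream standing in for the real VPN cipher, and all hosts, keys and packet contents are constructed for the demo.

```python
import hashlib
import json

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHA-256 counter keystream. It is symmetric,
    so the same call decrypts. Not for production use; a real VPN uses an
    authenticated cipher and never reuses a nonce under one key."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)

def transport_mode(packet: dict, key: bytes, nonce: bytes) -> dict:
    """Encrypt only the data; the original IP header travels in the clear."""
    return {"src": packet["src"], "dst": packet["dst"],
            "data": keystream_xor(key, nonce, packet["data"].encode())}

def transport_decapsulate(wire: dict, key: bytes, nonce: bytes) -> dict:
    return {"src": wire["src"], "dst": wire["dst"],
            "data": keystream_xor(key, nonce, wire["data"]).decode()}

def tunnel_mode(packet: dict, key: bytes, nonce: bytes, server_a: str, server_b: str) -> dict:
    """Encrypt the whole original packet (header included) and carry it as the
    data portion of a new packet addressed from one tunnel server to the other."""
    inner = json.dumps(packet).encode()
    return {"src": server_a, "dst": server_b, "data": keystream_xor(key, nonce, inner)}

def tunnel_decapsulate(wire: dict, key: bytes, nonce: bytes) -> dict:
    return json.loads(keystream_xor(key, nonce, wire["data"]).decode())

def observer_view(wire: dict) -> dict:
    """Everything an interceptor learns without the key: outer addresses and size."""
    return {"src": wire["src"], "dst": wire["dst"], "bytes": len(wire["data"])}

# Constructed packet: an internal client in one office talks to a server in another.
ORIGINAL = {"src": "10.1.0.7", "dst": "10.2.0.20", "data": "GET /payroll HTTP/1.1"}
KEY, NONCE = b"constructed-demo-key", b"\x00" * 8
TUNNEL_A, TUNNEL_B = "203.0.113.10", "198.51.100.10"   # perimeter tunnel servers

if __name__ == "__main__":
    print("transport mode, observer sees:", observer_view(transport_mode(ORIGINAL, KEY, NONCE)))
    print("tunnel mode, observer sees:   ",
          observer_view(tunnel_mode(ORIGINAL, KEY, NONCE, TUNNEL_A, TUNNEL_B)))
```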
Summary

 Access control is a process by which systems determine if and how to
admit a user into a trusted area of the organization.
 All access control approaches rely on identification, authentication,
authorization, and accountability.
 A firewall is any device that prevents a specific type of information
from moving between the outside network, known as the untrusted
network, and the inside network, known as the trusted network.
 Firewalls can be categorized into four groups: packet filtering, MAC
layer, application gateways, and hybrid firewalls.
Summary

 Packet-filtering firewalls can be implemented as static filtering,
dynamic filtering, and stateful inspection firewalls.
 The three common architectural implementations of firewalls are
single bastion hosts, screened hosts, and screened subnets.
 Dial-up protection mechanisms help secure organizations that use
modems for remote connectivity.
 VPNs enable remote offices and users to connect to private networks
securely over public networks.
