Lecture6-Protection Mechanisms PDF


CC7178

Cyber Security Management

Lecture 6

Protection Mechanisms

CC7178 Cyber Security Management


Learning Objectives
– Understand access control approaches, including
authentication, authorization, and biometric access
controls.
– Define and identify the various types of firewalls
and the common approaches to firewall
implementation.
– Identify and describe the types of intrusion
detection systems and the two strategies on
which they are based.
– Discuss the current issues in dial-up access and
protection.



Introduction
Focus: Protection Mechanisms
• Technical controls can be an important part of an
information security program. However, they must
also be combined with sound policy and education,
training, and awareness efforts.
• Some of the most powerful and widely used
technical security mechanisms include:
• Access controls
• Firewalls
• Intrusion detection systems
• Dial-up protection
• Scanning and analysis tools*
• Encryption systems*



Sphere of Security



Access Control Devices
• Access control encompasses two processes:
– Authentication: Confirming the identity of the
entity accessing a logical or physical area
– Authorization: Determining which actions
that entity can perform in that physical or
logical area
• A successful access control approach, whether
intended to control physical access or logical
access, always consists of both authentication
and authorization.



Authentication Mechanisms
• Types of authentication mechanism
– Something you know
– Something you have
– Something you are
– Something you produce

• Strong authentication uses at least two different authentication mechanism types.



Something You Know
• This type verifies the user’s identity by means of
a password, passphrase, or other unique code
– A password is a private word or combination of
characters that only the user should know.
– A passphrase is a plain-language phrase,
typically longer than a password, from which a
virtual password is derived.
• A good rule of thumb is to require that
passwords be at least eight characters long and
contain at least one number and one special
character.



Weak, Strong, and Stronger
Passwords
Password            Strength of Password
Prowse              Weak
DavidProwse         Medium
|ocrian7            Strong
This1sV#ryS3cure    Very strong or “best”



Something You Have
• This type makes use of something (a card,
key, or token) that the user or the system
possesses
– One example is a dumb card (such as an ATM
card) with magnetic stripes.
– Another example is the smart card containing a
processor.
– Another device often used is the cryptographic
token, a processor in a card that has a display.



Something You Are
• This type takes advantage of something
inherent in the user that is evaluated using
biometrics.
• Most of the technologies that scan human
characteristics convert these images to obtain some
form of minutiae (small, unique points of reference)
that are digitized and stored in an encrypted format.



Something You Produce

• This type of authentication makes use of
something the user performs or produces.
• It includes technology related to signature
recognition and voice recognition.



Recognition Characteristics



Evaluating Biometrics
Biometric technologies are generally
evaluated according to three basic criteria:
– The false reject rate (FRR): the percentage of
authorized users who are denied access (Type I
Error) – not a threat to security
– The false accept rate (FAR): the percentage of
unauthorized users who are allowed access (Type
II Error) – serious breach of security
– The crossover error rate (CER): the point at
which the number of false rejections equals the
false acceptances – optimal outcome
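A worked calculation of the three criteria, added here as an example and not part of the lecture slides. The match scores are constructed for illustration, and frr(), far(), rate_table() and crossover() are this example's own helper names. It sweeps the acceptance threshold to show the trade-off between the two error types and then locates the crossover point:

```python
# Constructed match scores on a 0..100 scale (higher = closer to the enrolled template).
# These are illustrative numbers, not data from any real biometric system.
GENUINE = [92, 88, 95, 70, 85, 90, 78, 96, 83, 89]    # authorized users
IMPOSTOR = [30, 45, 55, 62, 40, 72, 35, 50, 66, 48]   # unauthorized users


def frr(threshold, genuine=GENUINE):
    """False reject rate (Type I error): percentage of authorized users whose
    score falls below the acceptance threshold and who are therefore denied."""
    return 100.0 * sum(s < threshold for s in genuine) / len(genuine)


def far(threshold, impostor=IMPOSTOR):
    """False accept rate (Type II error): percentage of unauthorized users whose
    score reaches the threshold and who are therefore let in."""
    return 100.0 * sum(s >= threshold for s in impostor) / len(impostor)


def rate_table(thresholds=range(60, 81, 5), genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FRR, FAR) rows showing the trade-off: raising the threshold
    lowers FAR (fewer impostors accepted) but raises FRR (more users rejected)."""
    return [(t, frr(t, genuine), far(t, impostor)) for t in thresholds]


def crossover(genuine=GENUINE, impostor=IMPOSTOR, thresholds=range(0, 101)):
    """Crossover error rate: the threshold at which FRR and FAR are (closest to)
    equal, returned as (threshold, FRR, FAR). Ties resolve to the lowest threshold."""
    best = min(thresholds,
               key=lambda t: (abs(frr(t, genuine) - far(t, impostor)), t))
    return best, frr(best, genuine), far(best, impostor)


if __name__ == "__main__":
    for t, r, a in rate_table():
        print(f"threshold {t:3d}: FRR {r:5.1f}%  FAR {a:5.1f}%")
    print("CER at threshold %d: FRR %.1f%%, FAR %.1f%%" % crossover())
```

With these constructed scores the two rates meet at a threshold of 71, where each is 10%. A deployment that tolerates inconvenience but not intrusion would set the threshold above the crossover, accepting a higher FRR in exchange for a lower FAR.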



Orders of Effectiveness and
Acceptance



Managing Access Controls
• To properly manage access controls, an
organization must have in place a formal access
control policy, which determines how access
rights are granted to entities and groups.
• This policy must include provisions for
periodically reviewing all access rights, granting
access rights to new employees, changing
access rights when job roles change, and
revoking access rights as appropriate.



Authorization
In general, authorization can be handled by:
– Authorization for each authenticated user
the system performs an authentication process to verify the
specific entity and then grants access to resources for only
that entity (complex and resource-intensive).
– Authorization for members of a group
the system matches authenticated entities to a list of group
memberships, and then grants access to resources based
on the group’s access rights (most commonly used
method).
– Authorization across multiple systems (‘single sign-on’)
a central authentication and authorization system verifies
entity identity and grants a set of credentials (also called
authorization tickets) to the verified entity.
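An added example (not from the slides) implementing the second and third models in code: group-based rights, the role-change and revocation steps from the access control policy slide, and a signed, expiring single sign-on ticket that relying systems verify without re-authenticating the user. The group names, rights, users, the ticket format and TICKET_SECRET are all constructed for this example:

```python
import binascii
import hashlib
import hmac
import json
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode

# --- Group-based authorization (the slide's "most commonly used method") ---
# Constructed sample data: rights are attached to groups, users are mapped to groups.
GROUP_RIGHTS = {
    "hr": {"payroll:read", "payroll:write"},
    "staff": {"intranet:read"},
    "netops": {"firewall:read", "firewall:write"},
}
USER_GROUPS = {
    "alice": {"hr", "staff"},
    "bob": {"staff"},
    "carol": {"netops", "staff"},
}


def effective_rights(user):
    """Union of the rights of every group the user belongs to."""
    rights = set()
    for group in USER_GROUPS.get(user, ()):
        rights |= GROUP_RIGHTS.get(group, set())
    return rights


def is_authorized(user, action):
    return action in effective_rights(user)


def change_role(user, new_groups):
    """Job-role change (slide 16): replace group memberships; rights follow the groups."""
    USER_GROUPS[user] = set(new_groups)


def revoke(user):
    """Revocation (slide 16): a user with no group memberships has no rights."""
    USER_GROUPS.pop(user, None)


# --- Single sign-on style "authorization ticket" (slide 17, third model) ---
# Hypothetical ticket format chosen for this example: base64(JSON claims) "." base64(HMAC-SHA256).
# The central system holds TICKET_SECRET; each relying system verifies tickets with it.
TICKET_SECRET = b"constructed-demo-secret"  # placeholder for the example, not a real secret


def issue_ticket(user, ttl_seconds=300, now=None):
    """Central system: after authenticating `user`, issue a signed, expiring ticket."""
    now = time.time() if now is None else now
    claims = {"sub": user, "groups": sorted(USER_GROUPS.get(user, ())), "exp": now + ttl_seconds}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(TICKET_SECRET, payload, hashlib.sha256).digest()
    return urlsafe_b64encode(payload).decode() + "." + urlsafe_b64encode(tag).decode()


def verify_ticket(ticket, now=None):
    """Relying system: return the claims if the tag is valid and the ticket is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = ticket.split(".", 1)
        payload = urlsafe_b64decode(payload_b64)
        tag = urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(TICKET_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims["exp"] < now:
        return None
    return claims


def ticket_authorizes(ticket, action, now=None):
    """A relying system decides from the ticket's group claims without re-authenticating."""
    claims = verify_ticket(ticket, now)
    if claims is None:
        return False
    return any(action in GROUP_RIGHTS.get(g, set()) for g in claims["groups"])


if __name__ == "__main__":
    print("alice payroll:write ->", is_authorized("alice", "payroll:write"))
    ticket = issue_ticket("carol", now=1000)
    print("carol firewall:write via ticket ->", ticket_authorizes(ticket, "firewall:write", now=1100))
```

Because rights hang off groups rather than individual users, a role change is a single membership update and revocation needs no per-resource clean-up; the ticket carries group claims so that each relying system can authorize locally, which is what makes the central model cheaper than per-user authorization on every system.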



Firewalls
• In information security, a firewall is any device
that prevents a specific type of information
from moving between two networks, often
the outside, known as the untrusted network
(e.g., the Internet), and the inside, known as the
trusted network.
• The firewall may be a separate computer
system, a service running on an existing router
or server, or a separate network containing a
number of supporting devices.



An illustration of where a firewall
would be located in a network



An illustration of where a firewall
would be located in a network



Firewall Architectures
• Four common architectural implementations of
firewalls:
– Packet filtering routers
– Screened-host firewalls
– Dual-homed host firewalls
– Screened-subnet firewalls



Packet Filtering Firewall



Packet Filtering Routers
• Most organizations with an Internet connection use
some form of router between their internal networks
and the external service provider.

• Many of these routers can be configured to block
packets that the organization does not allow into the
network.
• Such an architecture lacks auditing and strong
authentication, and the complexity of the access control
lists used to filter the packets can grow to a point that
degrades network performance.



Screened-Host Firewall



Screened-Host Firewall Systems
• Screened-host firewall systems combine the packet
filtering router with a separate, dedicated firewall such
as an application proxy server.
– The router is used to screen packets to minimize the
network traffic and load on the internal proxy.
– The application proxy examines an application layer
protocol, such as HTTP, and performs the proxy
services.
– This separate and single host, which is often
referred to as a bastion host, represents a rich target
for external attacks, and should be very thoroughly
secured.



Dual-Homed Host Firewall



Dual-Homed Host Firewalls
• In this configuration, the bastion host contains
two network interfaces: one that is connected
to the external network, and one that is
connected to the internal network, requiring all
traffic to travel through the firewall to move
between the internal and external networks.



Screened Subnet (DMZ)



Screened-Subnet Firewalls
• The screened-subnet firewall consists of one or more
internal bastion hosts located behind a packet filtering
router, with each host protecting the trusted network.
This makes the defenses harder to penetrate.
• One of the general models (in Figure 9-8) shows
connections are routed as follows:
– Connections from the outside or untrusted network
are routed through an external filtering router
– Connections from the outside or untrusted network
are routed into—and then out of—a routing firewall
to the separate network segment known as the DMZ
– Connections into the trusted internal network are
allowed only from the DMZ bastion host servers
Proxy Servers



Firewall Best Practices
Some of the Best Practices for Firewall Use:
– All traffic from the trusted network is allowed out.
– The firewall device is never accessible directly from
the public network.
– Simple Mail Transfer Protocol (SMTP) data is
allowed to pass through the firewall, but should be
routed to an SMTP gateway.
– All Internet Control Message Protocol (ICMP) data
should be denied.
– Telnet (terminal emulation) access to all internal
servers from the public networks should be blocked.
– When Web services are offered outside the firewall,
HTTP traffic should be handled by some form of
proxy access or DMZ architecture.
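The following is an added example, not part of the lecture, that turns the best-practice list above into an ordered packet-filter policy for the screened-subnet layout described on the preceding slides (untrusted network, DMZ holding the bastion hosts, trusted internal network). The addresses, the SMTP_GATEWAY and WEB_PROXY hosts, and the Packet and decide() names are constructed for this example:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the example (documentation ranges, not a real network):
TRUSTED = ip_network("10.0.0.0/8")          # internal, trusted network
DMZ = ip_network("192.0.2.0/24")            # screened subnet holding the bastion hosts
SMTP_GATEWAY = ip_address("192.0.2.25")     # bastion host that relays inbound mail
WEB_PROXY = ip_address("192.0.2.80")        # bastion host that fronts the web servers
FIREWALL_IFACES = {ip_address("198.51.100.1"), ip_address("192.0.2.1"), ip_address("10.0.0.1")}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # destination port; 0 for icmp


def zone(addr):
    a = ip_address(addr)
    if a in TRUSTED:
        return "trusted"
    if a in DMZ:
        return "dmz"
    return "untrusted"


def decide(pkt):
    """Return (verdict, rule_name). Rules are checked top-down, first match wins,
    and anything not explicitly allowed is denied."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    sz, dz = zone(src), zone(dst)

    def tcp_to(port):
        return pkt.proto == "tcp" and pkt.dport == port

    # 1. The firewall device is never accessible directly from the public network.
    if dst in FIREWALL_IFACES and sz == "untrusted":
        return "deny", "firewall-not-reachable-from-public"
    # 2. All ICMP is denied.
    if pkt.proto == "icmp":
        return "deny", "no-icmp"
    # 3. All traffic from the trusted network is allowed out.
    if sz == "trusted":
        return "allow", "trusted-out"
    # 4. Telnet to internal (trusted or DMZ) servers from the public network is blocked.
    if sz == "untrusted" and tcp_to(23):
        return "deny", "no-public-telnet"
    # 5. SMTP may pass, but only to the SMTP gateway in the DMZ.
    if sz == "untrusted" and tcp_to(25):
        return ("allow", "smtp-to-gateway") if dst == SMTP_GATEWAY else ("deny", "smtp-only-via-gateway")
    # 6. HTTP(S) from outside is handled by the proxy in the DMZ, never by internal hosts.
    if sz == "untrusted" and (tcp_to(80) or tcp_to(443)):
        return ("allow", "http-to-proxy") if dst == WEB_PROXY else ("deny", "http-only-via-dmz")
    # 7. Connections into the trusted network are allowed only from DMZ bastion hosts.
    if dz == "trusted":
        return ("allow", "dmz-to-trusted") if sz == "dmz" else ("deny", "no-direct-inbound")
    return "deny", "default-deny"


if __name__ == "__main__":
    samples = [
        Packet("10.1.2.3", "203.0.113.5", "tcp", 443),    # internal user browsing out
        Packet("203.0.113.5", "192.0.2.25", "tcp", 25),   # inbound mail to the gateway
        Packet("203.0.113.5", "10.0.0.25", "tcp", 25),    # inbound mail straight to an internal host
        Packet("203.0.113.5", "10.0.0.50", "tcp", 23),    # telnet from the Internet
        Packet("203.0.113.5", "10.0.0.7", "icmp"),        # ping from the Internet
        Packet("192.0.2.80", "10.0.0.9", "tcp", 8080),    # proxy reaching an internal web server
    ]
    for p in samples:
        print(p, "->", decide(p))
```

The rule order matters: the "firewall not reachable" and "no ICMP" rules sit above the blanket "trusted out" rule so that they cannot be bypassed, and the final default deny is what the packet-filtering slide's "block packets the organization does not allow" amounts to in practice. Each rule returns its name so that a log entry can record why a packet was dropped, which is the auditing the slide notes a bare router lacks.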



Intrusion Detection Systems (IDSs)
• Information security Intrusion Detection Systems
(IDSs) work like burglar alarms.
• With almost all IDSs, administrators can choose the
alarm level.
• Many IDSs can be configured to notify administrators
via e-mail and numerical or text paging.
• Like firewall systems, IDSs require complex
configurations to provide the level of detection and
response desired.



Intrusion Detection Systems (Cont.)
• Two system types:
– network based to protect network information
assets
– host based to protect server or host
information assets

• Two detection methods used:
– signature based
– statistical anomaly based



Intrusion Detection Systems (Cont.)



Host-Based IDS
• A host-based IDS works by configuring and
classifying various categories of systems and data
files. Such systems:
– monitor the access or altering of files on
multiple systems
– often provide only a few general levels of alert
notification
– can generate a large volume of false alarms from
mild actions unless the IDS is very precisely
configured
– are easier to set up and administer than a
network-based IDS due to the more specific
rules and restrictions that can be set.
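An added example, not from the slides, of the file-monitoring side of a host-based IDS: it hashes every file under a directory, compares a later snapshot against the baseline, and assigns one of a few alert levels according to the class of the file that changed. The class list and the sample file tree are constructed for this example:

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical file classes for this example; the alert level of a change depends on the
# class of the file it touched (the slide's "few general levels of alert notification").
CLASSES = [("etc/", "severe"), ("bin/", "severe"), ("data/", "moderate")]


def classify(relpath):
    for prefix, level in CLASSES:
        if relpath.startswith(prefix):
            return level
    return "low"


def snapshot(root):
    """Relative path -> SHA-256 hex digest for every regular file below root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """List of (event, path, level) for files added, removed or modified since the baseline."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            events.append(("removed", rel, classify(rel)))
        elif rel not in baseline:
            events.append(("added", rel, classify(rel)))
        elif baseline[rel] != current[rel]:
            events.append(("modified", rel, classify(rel)))
    return events


def demo():
    """Build a constructed file tree, baseline it, change it, and report the differences."""
    files = {
        "etc/passwd": b"root:x:0:0\n",
        "bin/ls": b"\x7fELF",
        "data/notes.txt": b"meeting notes",
        "tmp/cache": b"old",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        baseline = snapshot(root)
        # Changes made after the baseline was taken:
        (root / "etc/passwd").write_bytes(b"root:x:0:0\nextra:x:0:0\n")  # a second UID 0 account
        (root / "bin/nc").write_bytes(b"\x7fELF")                         # a new binary appeared
        (root / "data/notes.txt").unlink()                               # a document was deleted
        (root / "tmp/cache").write_bytes(b"new")                         # routine churn
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for event, path, level in demo():
        print(f"[{level:8s}] {event:8s} {path}")
```

The classification step is where the slide's "precisely configured" warning bites: without it every change in a scratch directory would be reported at the same level as an edit to the account database, which is the flood of false alarms the slide describes.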
Network-Based IDS
• Network-based IDSs monitor network traffic and,
when a predefined condition occurs, notify the
appropriate administrator. Such systems:
– look for patterns of network traffic
– must match known and unknown attack
strategies against their knowledge base to
determine whether an attack has occurred
– yield many more false-positive readings than
host-based IDSs do, because they are
attempting to read the network activity pattern to
determine what is normal and what is not
Signature-Based IDS
• A signature-based IDS or knowledge-based IDS
examines data traffic for something that matches the
signatures, which comprise preconfigured, predetermined
attack patterns
– The problem with this approach is that the signatures
must be continually updated, as new attack strategies
emerge
– A weakness of this method is the time frame over which
attacks occur
– If attackers are slow and methodical, they may slip
undetected through the IDS, as their actions may not
match a signature that includes factors based on duration
of the events



Statistical Anomaly-Based IDS
• The statistical anomaly-based IDS (stat IDS)
or behavior-based IDS first collects data from
normal traffic and establishes a baseline.
• It then periodically samples network activity,
based on statistical methods, and compares the
samples to the baseline.
• When the activity falls outside the baseline
parameters (known as the clipping level), the
IDS notifies the administrator.
• The advantage of this approach is that the
system is able to detect new types of attacks,
because it looks for abnormal activity of any
type.
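An added example, not from the slides, that runs both detection methods over the same constructed failed-login log: a signature with a duration factor (N failures from one source within a time window) and a statistical anomaly detector with a baseline and clipping level. Scenario 2 in the log is the signature slide's slow, methodical attacker and slips past the signature; scenario 3 matches no per-source signature but exceeds the clipping level. All log lines, the baseline counts and the thresholds are constructed:

```python
import re
from statistics import mean, pstdev

# Constructed syslog-like records: "<unix time> sshd: Failed password for <user> from <src>".
# Scenario 1 (t=1000..1004): five failures in five seconds from one source.
# Scenario 2 (t=4000..5200): five failures from one source spread over twenty minutes.
# Scenario 3 (t=9000..9003): one failure each from four different sources in four seconds.
LOG = """\
1000 sshd: Failed password for root from 203.0.113.9
1001 sshd: Failed password for root from 203.0.113.9
1002 sshd: Failed password for root from 203.0.113.9
1003 sshd: Failed password for root from 203.0.113.9
1004 sshd: Failed password for root from 203.0.113.9
4000 sshd: Failed password for admin from 198.51.100.7
4300 sshd: Failed password for admin from 198.51.100.7
4600 sshd: Failed password for admin from 198.51.100.7
4900 sshd: Failed password for admin from 198.51.100.7
5200 sshd: Failed password for admin from 198.51.100.7
9000 sshd: Failed password for alice from 203.0.113.20
9001 sshd: Failed password for bob from 203.0.113.21
9002 sshd: Failed password for carol from 203.0.113.22
9003 sshd: Failed password for dave from 203.0.113.23
"""

# Constructed baseline: failures per 10-minute bucket observed during normal operation.
NORMAL_BASELINE = [1, 0, 2, 1, 0, 1, 2, 1]

LINE_RE = re.compile(r"^(\d+) sshd: Failed password for (\S+) from (\S+)$")


def parse(log):
    """Return a list of (timestamp, user, src) for every failed-login line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3)))
    return events


def signature_alerts(events, count=5, window=60):
    """Signature: at least `count` failures from one source within `window` seconds.
    Returns the set of offending sources."""
    by_src = {}
    for ts, _user, src in events:
        by_src.setdefault(src, []).append(ts)
    alerts = set()
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - count + 1):
            if times[i + count - 1] - times[i] <= window:
                alerts.add(src)
                break
    return alerts


def failures_per_bucket(events, bucket=600):
    counts = {}
    for ts, _user, _src in events:
        counts[ts // bucket] = counts.get(ts // bucket, 0) + 1
    return counts


def clipping_level(baseline_counts, k=2.0):
    """Baseline mean plus k standard deviations: the level above which activity is abnormal."""
    return mean(baseline_counts) + k * pstdev(baseline_counts)


def anomaly_alerts(events, baseline_counts=NORMAL_BASELINE, bucket=600, k=2.0):
    """Statistical anomaly: buckets whose failure count exceeds the clipping level."""
    level = clipping_level(baseline_counts, k)
    return {b for b, n in failures_per_bucket(events, bucket).items() if n > level}


if __name__ == "__main__":
    events = parse(LOG)
    print("signature alerts (sources):", signature_alerts(events))
    print("clipping level: %.2f failures per 10 minutes" % clipping_level(NORMAL_BASELINE))
    print("anomaly alerts (bucket start times):", {b * 600 for b in anomaly_alerts(events)})
```

Widening the signature's window catches the slow attacker but at the price of more false positives, and the anomaly detector only reports scenario 3 because the spray is concentrated in one bucket; spread across a day it would sit inside the baseline. Both knobs are the configuration effort the "Managing Intrusion Detection Systems" slide refers to.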
Managing Intrusion Detection Systems
• IDSs must be configured using technical
knowledge and adequate business and security
knowledge to differentiate between routine
circumstances and low, moderate, or severe
threats.
• There must be response to an alert.
• A properly configured IDS can translate a
security alert into different types of notification.
• A poorly configured IDS may yield only noise.



Dial-Up Protection
• An attacker on an organization’s dial-up lines
can use a device called a war-dialer to locate
the connection points.
• Network connectivity using dial-up connections
is usually much simpler and less sophisticated
than Internet connections.
• For the most part, simple user name and
password schemes are the only means of
authentication.



RADIUS and TACACS
• RADIUS and TACACS are systems that authenticate
the credentials of users who are trying to access an
organization’s network via a dial-up connection.
• Typical dial-up systems place the authentication of
users on the system connected to the modems.
• A Remote Authentication Dial-In User Service
(RADIUS) system centralizes the management of user
authentication by placing the responsibility for
authenticating each user in the central RADIUS server
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml



RADIUS and TACACS
• When a Remote Access Server (RAS) receives a
request for a network connection from a dial-up client,
it passes the request along with the user’s credentials
to the RADIUS server; RADIUS then validates the
credentials
• The Terminal Access Controller Access Control
System (TACACS) works similarly and is based on a
client/server configuration
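An added example, not from the slides or the linked Cisco note, of the exchange described above: the RAS packages the dial-up user's name and password into a RADIUS Access-Request, the RADIUS server recovers and checks them and returns a signed Access-Accept or Access-Reject, and the RAS verifies the Response Authenticator before acting on the verdict. The packet layout, password hiding and response signature follow RFC 2865 as I know it rather than anything in the lecture; the shared secret, the user database and the NAS address are constructed placeholders:

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865); the values below are the standard ones.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Constructed example data: the shared secret and the user database are placeholders.
SHARED_SECRET = b"constructed-shared-secret"
USER_DB = {"alice": "correct horse battery"}


def _attr(atype, value):
    """Type-Length-Value encoding; Length counts the two header octets as well."""
    return bytes([atype, len(value) + 2]) + value


def _parse_attrs(blob):
    attrs, i = {}, 0
    while i + 2 <= len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute")
        attrs[atype] = blob[i + 2:i + alen]
        i += alen
    return attrs


def _hide_password(password, secret, req_auth):
    """RFC 2865 User-Password hiding: XOR 16-octet blocks with MD5(secret + previous block),
    seeded with the Request Authenticator; the password is NUL-padded to a block boundary."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(p), 16):
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def _reveal_password(blob, secret, req_auth):
    """Inverse of _hide_password; returns the password as bytes with the padding removed."""
    out, prev = b"", req_auth
    for i in range(0, len(blob), 16):
        out += bytes(x ^ y for x, y in zip(blob[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, nas_ip, secret, req_auth=None):
    """RAS side: package the dial-up user's credentials into an Access-Request."""
    req_auth = req_auth or os.urandom(16)  # Request Authenticator: 16 random octets
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, _hide_password(password, secret, req_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs


def _build_reply(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def radius_server_handle(packet, secret, user_db):
    """RADIUS server side: recover the password, check it, and return a signed verdict."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    user = attrs[USER_NAME].decode()
    supplied = _reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    expected = user_db.get(user, "").encode()
    ok = hmac.compare_digest(supplied, expected)  # constant-time comparison
    return _build_reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, b"", secret)


def ras_check_reply(reply, request, secret):
    """RAS side: accept the verdict only if the identifier and Response Authenticator match."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(reply[4:20], expected):
        return None  # a forged or mismatched reply is discarded
    return code


def dial_up_login(username, password, secret=SHARED_SECRET, user_db=USER_DB, nas_ip="192.0.2.10"):
    """Simulate RAS -> RADIUS server -> RAS for one connection request."""
    request = build_access_request(7, username, password, nas_ip, secret)
    reply = radius_server_handle(request, secret, user_db)
    return ras_check_reply(reply, request, secret) == ACCESS_ACCEPT


if __name__ == "__main__":
    print("alice, right password ->", dial_up_login("alice", "correct horse battery"))
    print("alice, wrong password ->", dial_up_login("alice", "not the password"))
```

The same shared secret hides the password on the way in and signs the verdict on the way back, so the centralization the slide describes rests entirely on that secret and on the path between the RAS and the server; the RAS checking the Response Authenticator is what stops a reply from anyone other than the real server being taken as an Access-Accept.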



RADIUS Configuration



Summary

• Introduction
• Access Controls
• Firewalls
• Intrusion Detection Systems
• Dial-Up Protection

