Chapter 5 Authentication

The document discusses the evolution of password systems, highlighting the shift from simple, easily guessable passwords to complex ones that incorporate various character types and multi-factor authentication for enhanced security. It addresses various password guessing techniques used by attackers, such as brute-force and dictionary attacks, and emphasizes the importance of strong password practices to mitigate these risks. Additionally, it covers the concept of password bias and suggests measures organizations can take to promote stronger password choices among users.


IT 321 – INFORMATION ASSURANCE AND SECURITY 2

CHAPTER V: AUTHENTICATION

INTRODUCTION
The password system has evolved over the years to enhance security and protect
sensitive information. Initially, passwords were simple and easily guessable, but as
technology advanced, so did the complexity of passwords. Today, password systems
often require a combination of uppercase and lowercase letters, numbers, and special
characters to create a strong password. Additionally, multi-factor authentication has
become more prevalent, adding an extra layer of security. This evolution in password
complexity helps protect against unauthorized access. Password guessing is a technique
used by attackers to gain unauthorized access to an account by attempting various
combinations of passwords. Attackers can use different methods, such as dictionary
attacks, brute-force attacks, or social engineering, to guess or crack passwords. To
combat password guessing attacks, it is crucial to choose strong passwords and enable
account lockouts after multiple failed login attempts. Attacks on password bias exploit the
tendency of users to choose certain types of passwords more frequently than others.
Attackers target commonly used passwords, making it easier for them to guess or crack
passwords.

LEARNING OUTCOME
At the end of the unit, the student should be able to:

• Define authentication factors
• Discuss the authentication threats and risks
• Define sniffing credentials
• Solve password search space
• Compute cracking speeds
• Identify biased choices and average attack space;
• Discuss token vulnerabilities; and
• Discuss the biometric vulnerabilities

LEARNING CONTENT

1. Evolution of the Password System
2. Password Guessing
3. Attacks on Password Bias
4. Authentication Tokens
5. Biometric Authentication
6. Firewall Rule Best Practices
7. Rule Methodology
8. Configuring Firewall Rules

I. Evolution of the Password System
1. The password system has evolved over the years to enhance security and protect
sensitive information. Initially, passwords were simple and easily guessable, such
as a person's name or a common word. However, as technology advanced, so did
the complexity of passwords. Today, password systems often require a
combination of uppercase and lowercase letters, numbers, and special characters
to create a strong password. Additionally, multi-factor authentication has become
more prevalent, where users need to provide additional verification, such as a
fingerprint or a unique code, to access their accounts.

Example: In the early days of computing, passwords were often short and easy to
remember, like "password" or "123456." However, as cyber threats increased, the need
for stronger passwords became evident. Nowadays, a strong password could look like
this: "R3$1st@nc3!#". This evolution in password complexity helps protect against
unauthorized access.

1. 1960s: The first password system was introduced at the Massachusetts Institute
of Technology (MIT) for the Compatible Time-Sharing System (CTSS). This
system allowed users to have their own set of files on a shared mainframe.
Passwords were used to secure these files and grant access to individual users.
2. 1970s-1980s: As computer systems became more prevalent, password systems
expanded. However, passwords during this time were often simple and easily
guessable, such as a person's name or a common word. The focus was more on
convenience rather than security.
3. 1990s: With the rise of the internet and increased connectivity, the importance of
strong passwords became evident. Users started to use longer passwords and
incorporate a mix of uppercase and lowercase letters, numbers, and special
characters to create more complex passwords.
4. Early 2000s: Password policies and best practices started to emerge, encouraging
users to regularly change their passwords and avoid using common words or
easily guessable information. This era also saw the introduction of password
complexity requirements enforced by organizations.
5. Mid-2000s: Multi-factor authentication (MFA) gained popularity as an additional
layer of security. MFA combines something the user knows (password) with
something the user has (e.g., a token or a unique code sent to a mobile device) to
verify their identity.
6. Present: The password system continues to evolve. Organizations are exploring
passwordless authentication methods, such as biometrics (fingerprint, facial
recognition, etc.), hardware tokens, or cryptographic keys. These methods provide
a more secure and user-friendly approach to authentication.

Example code:

using System;

public class PasswordSystem
{
    public static void Main(string[] args)
    {
        string password = GetPasswordFromUser();
        bool isPasswordStrong = CheckPasswordStrength(password);

        if (isPasswordStrong)
        {
            Console.WriteLine("Congratulations! Your password is strong and secure.");
        }
        else
        {
            Console.WriteLine("Your password is weak. Please choose a stronger password.");
        }
    }

    public static string GetPasswordFromUser()
    {
        Console.WriteLine("Enter your password:");
        // ReadLine returns null at end of input; treat that as an empty password
        return Console.ReadLine() ?? string.Empty;
    }

    public static bool CheckPasswordStrength(string password)
    {
        // Password strength criteria: minimum length plus one character from each class
        int minLength = 8;
        bool hasUppercase = false;
        bool hasLowercase = false;
        bool hasDigit = false;
        bool hasSpecialChar = false;

        // Check password length
        if (password.Length < minLength)
        {
            return false;
        }

        // Check for uppercase, lowercase, digit, and special character
        foreach (char c in password)
        {
            if (char.IsUpper(c))
            {
                hasUppercase = true;
            }
            else if (char.IsLower(c))
            {
                hasLowercase = true;
            }
            else if (char.IsDigit(c))
            {
                hasDigit = true;
            }
            else if (char.IsSymbol(c) || char.IsPunctuation(c))
            {
                hasSpecialChar = true;
            }
        }

        // Check if all criteria are met
        return hasUppercase && hasLowercase && hasDigit && hasSpecialChar;
    }
}

II. Password Guessing
Password guessing is a technique used by attackers to gain unauthorized access to an
account by attempting various combinations of passwords. Attackers can use different
methods, such as dictionary attacks (trying common words), brute-force attacks (trying
all possible combinations), or social engineering (guessing based on personal
information). To mitigate password-guessing attacks, choosing strong passwords and
enabling account lockouts after multiple failed login attempts is crucial.

Example: An attacker may attempt to compromise a user's account by guessing their
password using commonly exploited passwords such as "password," "123456," or
"qwerty." Additionally, they may leverage variations of the user's personal information,
including their name, birthdate, or even names of family members and pets, to increase
their chances of success. To safeguard against such password guessing attacks, users
are encouraged to adopt strong password practices, which include creating complex
passwords that consist of a mix of uppercase and lowercase letters, numbers, and special
characters, as well as ensuring that each password is unique for different accounts.
Utilizing password managers can also help users generate and store these complex
passwords securely.

Attackers employ different methods to guess passwords, including:

1. Brute-force attacks: In a brute-force attack, the attacker systematically tries all
possible combinations of characters until the correct password is found. This
method can be time-consuming and resource-intensive but can be effective if the
password is weak or short.
2. Dictionary Attacks: In a dictionary attack, the attacker uses a predefined list of
common words, phrases, or passwords to guess the password. The attacker tries
each word in the list as a potential password, often using variations or common
substitutions.
3. Social Engineering: Social engineering is a tactic used by attackers to gather
personal information about their targets in order to guess passwords. They may
exploit readily available details such as the target's name, birthdate, family
members' names, or other easily discoverable information to craft more convincing
password attempts. By manipulating this information, attackers can increase their
chances of breaching accounts and gaining unauthorized access. It's essential for
users to be aware of this threat and take steps to secure their personal information
to minimize the risk of social engineering attacks.

To mitigate password-guessing attacks, it is crucial to choose strong passwords and
follow best practices:

1. Use Strong and Unique Passwords: Create long, complex, and unique passwords
for each account. Avoid using common words, personal information, or easily
guessable patterns.
2. Enable Account Lockouts: Implement account lockouts after a certain number of
failed login attempts. This prevents attackers from repeatedly guessing passwords
and slows down their progress.
3. Two-factor Authentication (2FA): Require a second form of verification, such as a
unique code sent to the user's mobile device or generated by an authenticator app, in
addition to the password. A guessed or leaked password alone is then not enough to
gain access.

Example: To effectively defend against these password guessing attacks, users are
advised to implement strong password practices. This includes creating passwords that
are not only lengthy (ideally at least 12 to 16 characters) but also complex,
incorporating a mix of uppercase and lowercase letters, numerals, and special characters.
It is vital for users to ensure that each password is distinct and not reused across
different accounts, as this minimizes the risk of widespread breaches should one
password be compromised.

To facilitate the creation and management of these intricate passwords, utilizing
password managers is highly recommended. These tools can generate random, strong
passwords and securely store them, allowing users to access their accounts with ease
while providing an extra layer of protection against unauthorized access. By employing
these strategies, users can significantly enhance their security and safeguard their
personal information from potential attackers.
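The account-lockout and strong-password advice above, as an added Python example that is not part of the original handout: failed attempts are counted per account, the account is locked for a fixed window after MAX_ATTEMPTS failures, and the stored password is a salted PBKDF2 hash compared in constant time rather than a plaintext string. The in-memory account record, the limits and the iteration count are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

# Policy values assumed for this illustration.
MAX_ATTEMPTS = 5            # failed attempts allowed before the account is locked
LOCKOUT_SECONDS = 15 * 60   # lockout window
# OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations;
# a lower count is used here only so the demo runs quickly.
PBKDF2_ITERATIONS = 100_000


@dataclass
class Account:
    """Hypothetical in-memory account record."""
    salt: bytes
    pw_hash: bytes
    failed: int = 0            # consecutive failed attempts
    locked_until: float = 0.0  # unix time until which logins are refused


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def register(password: str) -> Account:
    salt = os.urandom(16)                      # per-account random salt
    return Account(salt=salt, pw_hash=hash_password(password, salt))


def login(acct: Account, password: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'locked' or 'bad'.

    The lock is checked before the password so a locked account gives the same
    answer for right and wrong guesses; a success resets the failure counter.
    """
    now = time.time() if now is None else now
    if now < acct.locked_until:
        return "locked"
    candidate = hash_password(password, acct.salt)
    if hmac.compare_digest(candidate, acct.pw_hash):   # constant-time compare
        acct.failed = 0
        return "ok"
    acct.failed += 1
    if acct.failed >= MAX_ATTEMPTS:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failed = 0
    return "bad"
```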
Example code:

using System;

public class PasswordGuessing
{
    public static void Main(string[] args)
    {
        // The actual password. Demo only: real code compares against a salted hash, not plaintext.
        string password = "myPassword123";
        int attempts = 3; // Maximum number of password attempts before lockout

        while (attempts > 0)
        {
            Console.WriteLine("Enter your password:");
            string userInput = Console.ReadLine() ?? string.Empty;

            if (userInput == password)
            {
                Console.WriteLine("Congratulations! You have successfully logged in.");
                break;
            }
            else
            {
                attempts--;
                Console.WriteLine($"Incorrect password. You have {attempts} attempts remaining.");
            }
        }

        if (attempts == 0)
        {
            Console.WriteLine("You have exceeded the maximum number of attempts. Please try again later.");
        }
    }
}

III. Attacks on Password Bias
3. Password bias refers to users' tendency to choose specific types of passwords
more frequently than others. Attackers can exploit this bias by focusing their efforts
on commonly used passwords, making it easier for them to guess or crack
passwords. To combat password bias attacks, it is essential to educate users
about the risks of using predictable passwords and enforce password policies that
encourage the use of strong and unique passwords.

Here are some examples of attacks on password bias and how to combat them:

1. Dictionary Attacks: Attackers employ precompiled lists of commonly utilized words and passwords
to attempt to guess user passwords. These lists frequently include widely used passwords such as
"123456," "password," or "qwerty." To mitigate the risk of dictionary attacks, users are advised to
eschew easily guessable passwords in favor of complex and unique combinations of characters.

2. Pattern-based Attacks: Attackers may exploit the predictability of password structures by targeting
specific patterns that are often employed in password creation, including sequences of numbers or
letters, such as "123456" or "abcdef." To safeguard against pattern-based attacks, users should avoid
predictable patterns and instead develop passwords that are both random and distinct.

3. Social Engineering: Attackers may utilize social engineering techniques to obtain information about
a user, enabling them to guess passwords based on personal details. Commonly targeted information
includes the user's name, birthdate, or other easily accessible data. Users are encouraged to exercise
caution when disclosing personal information online and to refrain from using such details within their
passwords.

To combat attacks on password bias, organizations can implement the following
measures:

• Password Complexity Requirements: It is essential to enforce robust password
policies that compel users to create strong and unique passwords. Such policies
should mandate the use of a diverse combination of uppercase and lowercase
letters, numbers, and special characters. These requirements not only enhance
security but also significantly reduce the likelihood of unauthorized access.
• Password Education and Awareness: To foster a culture of security awareness, it
is crucial to educate users about the inherent risks associated with predictable
passwords. Highlighting the potential dangers of weak password choices can
motivate individuals to prioritize password strength. Provide comprehensive
guidelines and best practices for effective password creation, and encourage users
to regularly update their passwords to maintain optimal security.
• Two-Factor Authentication (2FA): The implementation of two-factor authentication
serves as an indispensable additional layer of security. This method requires users
to provide a secondary form of verification, such as a unique code sent to their
mobile device or generated by an authenticator app, in conjunction with their
password. This dual verification process greatly enhances protection against
unauthorized access and strengthens overall system security.

By promoting password diversity and complexity, organizations can reduce the risk of
password bias attacks and enhance overall security.
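The brute-force and dictionary attacks of section II and the password-bias argument above, as an added Python example that is not part of the original handout: search_space and seconds_to_exhaust give the uniform-search cost for passwords shaped like the page's "password" versus "R3$1st@nc3!#", and biased_attack shows how a skewed distribution of user choices collapses the attacker's expected work (the "average attack space" from the learning outcomes). The guessing rate and the sample of 100 user passwords are constructed assumptions.

```python
from collections import Counter

# Character-class sizes used for the uniform search-space numbers.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32
MIXED = LOWER + UPPER + DIGITS + SYMBOLS       # 94 printable ASCII characters


def search_space(length: int, alphabet_size: int) -> int:
    """Candidates a brute-force attacker must cover for a uniformly chosen password."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given cracking speed."""
    return space / guesses_per_second


def expected_guesses_uniform(space: int) -> float:
    """Average attack space for a uniform choice: half the candidates on average."""
    return space / 2


# Constructed sample of 100 user-chosen passwords: a few popular choices dominate,
# the rest are unique. This skew is the bias the section describes.
SAMPLE = (["123456"] * 20 + ["password"] * 15 + ["qwerty"] * 10
          + ["abc123"] * 5 + [f"u{i}-Xk9!" for i in range(50)])


def biased_attack(sample, budget: int):
    """Attacker tries the most popular passwords first.

    Returns (fraction of accounts cracked within `budget` guesses,
             expected guesses per account = sum over ranks of rank * probability).
    """
    counts = Counter(sample)
    total = len(sample)
    ranked = [count for _, count in counts.most_common()]
    cracked = sum(ranked[:budget]) / total
    expected = sum((rank + 1) * count / total for rank, count in enumerate(ranked))
    return cracked, expected


if __name__ == "__main__":
    weak = search_space(8, LOWER)          # shape of "password"
    strong = search_space(12, MIXED)       # shape of "R3$1st@nc3!#"
    rate = 1e10                            # assumed offline guesses per second
    print(f"8 lowercase: {weak:,} candidates, {seconds_to_exhaust(weak, rate):.0f} s")
    print(f"12 mixed:    {strong:.3e} candidates, {seconds_to_exhaust(strong, rate):.3e} s")
    cracked, expected = biased_attack(SAMPLE, budget=3)
    print(f"biased users: 3 guesses crack {cracked:.0%}; expected {expected} guesses each")
```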
Example code:

using System;

public class PasswordSystem
{
    public static void Main(string[] args)
    {
        Console.WriteLine("Welcome to the Password System!");

        bool loggedIn = false;
        int attempts = 3;        // remaining login attempts before lockout
        string password = "";    // no password exists until option '2' creates one

        while (!loggedIn && attempts > 0)
        {
            Console.WriteLine("Enter '1' to log in or '2' to create a new password:");
            string userInput = Console.ReadLine() ?? string.Empty;

            if (userInput == "1")
            {
                if (password == "")
                {
                    Console.WriteLine("No password has been created yet. Choose '2' first.");
                    continue;
                }
                // attempts is passed by reference so the failed-attempt count really
                // decrements; with a by-value copy the lockout could never trigger.
                loggedIn = LogIn(password, ref attempts);
            }
            else if (userInput == "2")
            {
                password = CreatePassword();
                Console.WriteLine("Password created successfully!");
            }
            else
            {
                Console.WriteLine("Invalid input. Please try again.");
            }
        }

        if (attempts == 0)
        {
            Console.WriteLine("You have exceeded the maximum number of attempts. Please try again later.");
        }
    }

    public static bool LogIn(string password, ref int attempts)
    {
        Console.WriteLine("Enter your password:");
        string userInput = Console.ReadLine() ?? string.Empty;

        if (userInput == password)
        {
            Console.WriteLine("Congratulations! You have successfully logged in.");
            return true;
        }

        attempts--;
        Console.WriteLine($"Incorrect password. You have {attempts} attempts remaining.");
        return false;
    }

    public static string CreatePassword()
    {
        string password;

        // Keep asking until the password meets the strength criteria
        while (true)
        {
            Console.WriteLine("Enter a new password:");
            password = Console.ReadLine() ?? string.Empty;

            if (IsStrongPassword(password))
            {
                break;
            }
            Console.WriteLine("Weak password. Please choose a stronger password.");
        }

        return password;
    }

    public static bool IsStrongPassword(string password)
    {
        // Password strength criteria: minimum length plus one character from each class
        int minLength = 8;
        bool hasUppercase = false;
        bool hasLowercase = false;
        bool hasDigit = false;
        bool hasSpecialChar = false;

        // Check password length
        if (password.Length < minLength)
        {
            return false;
        }

        // Check for uppercase, lowercase, digit, and special character
        foreach (char c in password)
        {
            if (char.IsUpper(c))
            {
                hasUppercase = true;
            }
            else if (char.IsLower(c))
            {
                hasLowercase = true;
            }
            else if (char.IsDigit(c))
            {
                hasDigit = true;
            }
            else if (char.IsSymbol(c) || char.IsPunctuation(c))
            {
                hasSpecialChar = true;
            }
        }

        // Check if all criteria are met
        return hasUppercase && hasLowercase && hasDigit && hasSpecialChar;
    }
}

IV. Authentication Tokens
Authentication tokens are used to verify the identity of a user during the authentication
process. These tokens can be physical devices (e.g., smart cards or USB tokens) or
virtual tokens generated by software applications. Authentication tokens provide an
additional layer of security by requiring users to possess something physical or unique to
authenticate themselves.

Example: A common example of an authentication token is a One-Time Password (OTP)
generated by a mobile app or a hardware device. When logging into an account, the user
is prompted to enter the OTP, which is valid for a limited time. This adds an extra layer of
security as the attacker would need both the user's password and the OTP to gain access.

Authentication tokens can come in various forms, including:

1. Connected Tokens: These tokens are connected to a physical device, such as a
USB token or a smart card. The user inserts the token into a device or connects it
to a computer to verify their identity.
2. Contactless Tokens: These tokens use wireless technology, such as Near Field
Communication (NFC), to transmit authentication information without the need for
physical contact. Examples include contactless smart cards or mobile devices with
built-in NFC capabilities.
3. Disconnected Tokens: These tokens generate one-time passwords or
authentication codes that can be used without the need for a physical connection
to a device. Users typically enter the code manually during the authentication
process.

Authentication tokens offer several advantages, including:

• Enhanced Security: Tokens provide an additional layer of security beyond
passwords. Attackers would need both the token and the user's password to gain
unauthorized access.
• Convenience: Tokens can be easily carried or stored on a mobile device, making
them convenient for users to authenticate themselves without relying solely on
passwords.
• Time-Sensitive: Many authentication tokens, such as one-time passwords, are
time-sensitive and expire after a certain period. This adds an extra level of security
as the token becomes invalid after a specific timeframe.

It's important to note that the implementation and usage of authentication tokens may
vary depending on the specific system or application. Organizations can choose the type
of authentication token that best suits their security needs and user requirements.

Signing Algorithms

Signing algorithms are algorithms used to sign tokens issued for your application or API.
A signature is part of a JSON Web Token (JWT) and is used to verify that the sender of
the token is who it says it is and to ensure that the message wasn't changed along the
way.

You can select from the following signing algorithms:

• RS256 (RSA Signature with SHA-256): An asymmetric algorithm, which means
that there are two keys: one public key and one private key that must be kept
secret. Auth0 has the private key used to generate the signature, and the
consumer of the JWT retrieves a public key from the metadata endpoints provided
by Auth0 and uses it to validate the JWT signature.
• HS256 (HMAC with SHA-256): A symmetric algorithm, which means that there is
only one private key that must be kept secret, and it is shared between the two
parties. Since the same key is used both to generate the signature and to validate
it, care must be taken to ensure that the key is not compromised. This private key
(or secret) is created when you register your application (client secret) or API
(signing secret) and choose the HS256 signing algorithm.

The most secure practice, and our recommendation, is to use RS256 because:

• With RS256, you are sure that only the holder of the private key (Auth0) can sign
tokens, while anyone can check if the token is valid using the public key.
• With RS256, if the private key is compromised, you can implement key rotation
without having to re-deploy your application or API with the new secret (which you
would have to do if using HS256).

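The HS256/RS256 discussion above, as an added Python example that is not part of the original handout or of Auth0's code: a minimal HS256 signer and a verifier that fixes the expected algorithm itself instead of trusting the token's header, recomputes the HMAC over the exact bytes received, compares it in constant time and requires an unexpired "exp" claim. The secret and claims are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder; a real HS256 secret is random, at least 32 bytes, and kept
# out of source code.
SECRET = b"constructed-demo-secret-of-at-least-32-bytes"
EXPECTED_ALG = "HS256"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a compact JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
             for obj in (header, claims)]
    signing_input = ".".join(parts)
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is acceptable, else None.

    The algorithm is fixed by this verifier (EXPECTED_ALG), not read from the token,
    so a header announcing "none" or any other algorithm is rejected before the key
    is used. The MAC is recomputed over the received header.payload bytes and compared
    in constant time, and an integer "exp" claim in the future is mandatory.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
            return None
        expected = hmac.new(secret, f"{head_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:   # covers binascii.Error, JSONDecodeError and Unicode errors
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:
        return None
    return claims
```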

Example code:

using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public class AuthenticationTokens
{
    // HS256 shared secret used for both signing and verification.
    // HmacSha256 in Microsoft.IdentityModel requires at least 256 bits (32 bytes);
    // in real code load it from configuration or a secret store, never a constant.
    private const string SecretKey = "placeholder-secret-at-least-32-bytes-long-000";

    // The original decoded the secret with Convert.FromBase64String, which throws a
    // FormatException for a non-base64 string; the secret is used as UTF-8 bytes instead.
    private static SymmetricSecurityKey SigningKey =>
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SecretKey));

    public static void Main(string[] args)
    {
        // Generate a token
        string token = GenerateToken("user123");

        Console.WriteLine("Generated Token:");
        Console.WriteLine(token);
        Console.WriteLine();

        // Verify the token
        bool isValid = VerifyToken(token);

        if (isValid)
        {
            Console.WriteLine("Token is valid. User is authenticated.");
        }
        else
        {
            Console.WriteLine("Token is invalid. User is not authenticated.");
        }
    }

    public static string GenerateToken(string username)
    {
        // Create claims for the token
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, username)
        };

        // Create the token: one-hour lifetime, signed with HS256
        var tokenHandler = new JwtSecurityTokenHandler();
        var tokenDescriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(claims),
            Expires = DateTime.UtcNow.AddHours(1),
            SigningCredentials = new SigningCredentials(SigningKey, SecurityAlgorithms.HmacSha256)
        };
        var token = tokenHandler.CreateToken(tokenDescriptor);

        // Serialize the token to its compact string form
        return tokenHandler.WriteToken(token);
    }

    public static bool VerifyToken(string token)
    {
        try
        {
            var tokenHandler = new JwtSecurityTokenHandler();

            // Set token validation parameters
            var validationParameters = new TokenValidationParameters
            {
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = SigningKey,
                // Pin the accepted algorithm so a token whose header names another
                // algorithm is rejected instead of being negotiated from the token
                ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
                ValidateLifetime = true,    // reject expired tokens (library default, kept explicit)
                ValidateIssuer = false,     // demo only: production code sets ValidIssuer and
                ValidateAudience = false    // ValidAudience and validates both
            };

            // Validate the token; throws on a bad signature, expiry or malformed input
            tokenHandler.ValidateToken(token, validationParameters, out SecurityToken _);

            return true;
        }
        catch (Exception)
        {
            // Any validation failure is reported as an invalid token
            return false;
        }
    }
}

V. Biometric Authentication

5. Biometric authentication uses unique physical or behavioral characteristics of an
individual to verify their identity. This can include fingerprints, facial recognition, iris
scans, voice recognition, or even typing patterns. Biometric authentication
provides a high level of security as these characteristics are difficult to replicate.

Example: Many smartphones now offer fingerprint or facial recognition as a biometric
authentication method. Users can unlock their devices or authorize transactions by simply
using their fingerprint or face, making it convenient and secure.
Sources:

• NIST Special Publication 800-63B
• OWASP Authentication Cheat Sheet

Biometric authentication offers several advantages over traditional authentication
methods:

1. Enhanced Security: Biometric characteristics are unique to individuals, making it
difficult for unauthorized users to impersonate someone else. This adds an extra
layer of security to the authentication process.
2. Convenience: Biometric authentication eliminates the need to remember and enter
complex passwords. Users can simply use their biometric data, such as a
fingerprint or face, to authenticate themselves quickly and easily.
3. Non-Transferable: Biometric data is inherently tied to an individual and cannot be
easily transferred or shared. This reduces the risk of unauthorized access through
stolen or shared credentials.
4. User-Friendly: Biometric authentication is intuitive and user-friendly. Users are
already familiar with their own biometric characteristics, making it a natural and
seamless authentication method.
5. Scalability: Biometric authentication can be easily scaled across various devices
and applications. It can be integrated into smartphones, laptops, access control
systems, and other devices to provide consistent and secure authentication.

It's important to note that while biometric authentication offers significant advantages, it
also has limitations. Biometric data can be subject to privacy concerns, and there is a
possibility of false positives or false negatives in the authentication process.
Organizations implementing biometric authentication should carefully consider these
factors and ensure proper security measures are in place.
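The false-positive / false-negative caveat above, as an added Python example that is not part of the original handout: matcher scores are compared against a threshold, the false acceptance rate (impostors accepted, the security failure) and false rejection rate (genuine users rejected, the usability failure) are computed, and a threshold is chosen that keeps FAR within a limit. The score samples are constructed, not measurements from any real system.

```python
# Constructed matcher scores in [0, 1]; higher means "more similar to the enrolled template".
GENUINE = [0.92, 0.88, 0.95, 0.70, 0.81, 0.60, 0.97, 0.85, 0.78, 0.90]   # same person
IMPOSTOR = [0.10, 0.25, 0.40, 0.65, 0.30, 0.55, 0.20, 0.72, 0.15, 0.35]  # different person


def error_rates(genuine, impostor, threshold):
    """(FAR, FRR) at a threshold; a comparison is accepted when score >= threshold.

    FAR = fraction of impostor comparisons accepted (false positives).
    FRR = fraction of genuine comparisons rejected (false negatives).
    """
    far = sum(score >= threshold for score in impostor) / len(impostor)
    frr = sum(score < threshold for score in genuine) / len(genuine)
    return far, frr


def pick_threshold(genuine, impostor, max_far):
    """Lowest threshold whose FAR stays within max_far, returned with its (FAR, FRR).

    Scanning thresholds from low to high yields the most permissive setting that
    still meets the security target, i.e. the smallest FRR for that FAR; returns
    None if no threshold achieves it.
    """
    for t in sorted(set(genuine + impostor)):
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None


def sweep(genuine, impostor, thresholds):
    """Rows of (threshold, FAR, FRR) to show the trade-off: raising the threshold
    lowers FAR and raises FRR."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]
```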
Sources:

• TechTarget: What is biometric authentication?


• Heimdal Security: What Is Biometric Authentication? A Complete Overview
• Spiceworks: What Is Biometric Authentication? Definition, Benefits, and Tools
• Okta Blog: What Is Biometric Authentication? Biometrics Explained
• Frontegg: Biometric Authentication: 6 Types & 3 Ways to Integrate Biometrics

VI. Firewall Rule Best Practices

Firewall rules are essential for controlling incoming and outgoing network traffic
and ensuring the security of a network. Here are some best practices for
configuring firewall rules:

• Document and Label Rules: It is crucial to maintain proper documentation of
firewall rules, including their purpose and any associated policies. Labeling rules
can help in identifying and managing them effectively.
• Regularly Review and Update Rules: Firewall rules should be periodically reviewed
to ensure they are up to date and aligned with the organization's security
requirements. Remove any unnecessary or outdated rules to minimize potential
vulnerabilities.
• Group Rules by Function: Grouping firewall rules based on their function or
purpose can make management and troubleshooting more efficient. It allows for
easier identification and modification of specific rule sets.
• Implement Application-Level Control: Application-level control in firewall rules
provides granular control over specific applications or services. This helps in
preventing unauthorized access and reducing the attack surface.
• Limit Access to Management Interfaces: Restricting access to firewall
management interfaces to specific hosts or IP ranges adds an extra layer of
security. This prevents unauthorized individuals from tampering with firewall
configurations.

Example: Suppose you have a firewall protecting your organization's network. To ensure
the highest level of security, you document all firewall rules and regularly review them for
any updates or changes. You group the rules based on their function, such as web traffic,
email traffic, and database access. Additionally, you implement application-level control
to allow or block specific applications or services based on your organization's security
policies.

VII. Rule Methodology

This section explores firewall rule methodology: how firewalls use rules to control
network traffic, the different types of rules, and best practices for creating and
managing them.

Understanding Firewall Rules
Firewall rules are the core of a firewall's operation. They act as instructions that dictate
how the firewall should handle incoming and outgoing network traffic. These rules are
based on specific criteria, such as:

• Source and destination IP addresses: Identifying the origin and intended
recipient of the traffic.
• Ports: Specifying the communication channels used by applications.
• Protocols: Determining the communication language used (e.g., TCP, UDP,
ICMP).
• Services: Pinpointing the specific applications or services involved (e.g., HTTP,
FTP, SSH).

By evaluating each data packet against these rules, firewalls decide whether to allow or
block the traffic, ensuring only legitimate and authorized communication is permitted.
Types of Firewall Rules

Firewall rules can be categorized into several types, each serving a distinct purpose:

• Access Control Rules: These rules are the most fundamental, determining
which traffic is allowed to enter or exit a network. They are based on criteria like
IP addresses, ports, and protocols.
• Network Address Translation (NAT) Rules: NAT rules translate IP addresses
between private and public networks. This hides the internal addressing plan, but
NAT is not a filtering control: a port forward or an outbound NAT entry still needs a
matching firewall rule to decide whether the translated traffic is allowed.
• Stateful Packet Filtering: The firewall records each connection it allows in a
state table and permits the reply packets of that connection automatically. Rules
therefore only need to describe the packet that opens a connection, which is why
pfSense filters on the inbound side of each interface only.
• Application Level Gateways: Also known as proxies, these sit between the
internet and an internal network and operate at the application layer (layer 7 of
the OSI model), so they can inspect and filter the content of a protocol such as
HTTP rather than only its addresses and ports.
• Circuit Level Gateways: These operate at the session layer (layer 5 of the OSI
model). They validate TCP handshakes to ensure sessions are set up in a trusted
manner, without inspecting the application data that follows.

Firewall Rule Methodology in pfSense

pfSense, a popular open-source firewall software, utilizes a specific rule methodology. It
applies rules on a per-interface basis, always in the inbound direction. This means
traffic initiated from hosts connected to the LAN is filtered using the LAN interface rules,
while traffic from the internet is filtered using the WAN interface rules.

pfSense also incorporates floating rules, which can act on any interface in either the
inbound or outbound direction. However, outbound rules are typically not necessary
because filtering is already applied on the inbound direction of every interface.

Rule Processing Order

The order in which firewall rules are processed is crucial. In pfSense, rules are
processed in the following order:

1. Floating Rules: These rules are evaluated first and can affect traffic on any
interface.
2. Interface Group Rules: These rules apply to a collection of interfaces and are
processed after floating rules.
3. Interface Rules: These rules are specific to a particular interface and are
evaluated last.

Within each list the rules are read top to bottom and the first match wins, so a broad
rule placed above a narrower one silently makes the narrower rule unreachable. The
exception is floating rules without the Quick option, where the last match wins. Traffic
that matches no rule at all is dropped by the default deny on every interface.

Best Practices for Firewall Rules

To ensure optimal security and performance, it's vital to follow best practices when
creating and managing firewall rules:

• Document Firewall Rules: Clearly document the purpose, services affected,
users and hardware impacted, creation date, and expiration timeline for each
rule. This helps with maintenance and troubleshooting.
• Implement a Deny by Default Policy: Start with a policy that denies all traffic
unless explicitly allowed. This minimizes the risk of unknown threats entering the
network.
• Monitor Firewall Logs: Regularly review firewall logs to identify suspicious
activity, troubleshoot problems, and track traffic flow.
• Group Firewall Rules: Organize rules into groups based on similar
characteristics to simplify management and improve performance.
• Configure Application-Level Control: Restrict access to specific applications
and services to enhance security.
• Observe Traffic Before Allowing It: Before writing an allow rule, watch what the
network actually sends (in pfSense the default-deny drops appear under Status >
System Logs > Firewall) so the rule permits only the traffic that is needed.
• Implement Least-Privileged Access: Grant users only the minimum
permissions required for their tasks.
• Remove Redundant Rules: Regularly check for and remove unnecessary or
overlapping rules to avoid confusion and performance issues.
• Regularly Review Firewall Rules: Periodically review and update firewall rules
to address evolving threats and security policies.
• Restrict Outbound Traffic: Apply deny by default to outbound traffic as well and
allow only the destination ports clients genuinely need; an outbound allow-all lets
malware beacon to its command server and exfiltrate data on any port.
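The processing order and the review-oriented best practices above can be exercised in a small model. The following Python is an added example written for this module, not pfSense code: it evaluates a packet against floating, interface-group and interface rules in that order with first match winning and an implicit default deny, then audits the same rule base for shadowed rules, rules past their documented expiration date, and any/any allows. The rule names, addresses and dates are constructed; the model assumes floating rules carry the Quick option (without it pfSense applies last-match to floating rules) and checks only the packet that opens a connection, since the state table handles the replies.

```python
"""pfSense-style rule evaluation plus a static rule audit.

Added example for this module, not pfSense code. Assumes floating rules carry
the Quick option (first match wins everywhere) and looks only at the packet
that opens a connection. All rules, addresses and dates are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY_NET = "0.0.0.0/0"
ANY_PORT = (0, 65535)            # inclusive; ICMP packets are evaluated with port 0
REVIEW_DATE = date(2024, 6, 1)   # constructed date of the periodic rule review


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "pass" or "block"
    proto: str                           # "tcp", "udp", "icmp" or "any"
    src: str = ANY_NET
    dst: str = ANY_NET
    dport: Tuple[int, int] = ANY_PORT    # inclusive destination port range
    expires: Optional[date] = None       # the documented expiration timeline

    def matches(self, proto, src, dst, dport):
        """Does one connection-opening packet match this rule?"""
        return (self.proto in ("any", proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.dport[0] <= dport <= self.dport[1])

    def covers(self, other):
        """True if every packet `other` could match would already match self,
        i.e. `other` is unreachable when it sits below self."""
        return (self.proto in ("any", other.proto)
                and ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.dport[0] <= other.dport[0]
                and other.dport[1] <= self.dport[1])


@dataclass
class Ruleset:
    floating: list = field(default_factory=list)     # evaluated first, any interface
    groups: dict = field(default_factory=dict)       # name -> (member interfaces, rules)
    interfaces: dict = field(default_factory=dict)   # interface -> its own rules

    def ordered(self, iface):
        """Rules in pfSense evaluation order for traffic entering `iface`."""
        rules = list(self.floating)
        for members, group_rules in self.groups.values():
            if iface in members:
                rules.extend(group_rules)
        rules.extend(self.interfaces.get(iface, []))
        return rules

    def evaluate(self, iface, proto, src, dst, dport=0):
        """First match wins; no match falls through to the implicit default deny."""
        for rule in self.ordered(iface):
            if rule.matches(proto, src, dst, dport):
                return rule.action, rule.name
        return "block", "default deny"

    def audit(self, today):
        """Findings a periodic rule review should surface."""
        findings = []
        for iface, own_rules in self.interfaces.items():
            seen = []                      # everything evaluated before the current rule
            for rule in self.ordered(iface):
                if rule in own_rules:
                    shadow = next((e for e in seen if e.covers(rule)), None)
                    if shadow is not None:
                        findings.append(f"{iface}: '{rule.name}' can never match, "
                                        f"shadowed by '{shadow.name}'")
                seen.append(rule)
        every_rule = list(self.floating)
        for _members, group_rules in self.groups.values():
            every_rule.extend(group_rules)
        for own_rules in self.interfaces.values():
            every_rule.extend(own_rules)
        for rule in every_rule:
            if rule.expires is not None and rule.expires < today:
                findings.append(f"'{rule.name}' expired on {rule.expires.isoformat()}")
            if rule.action == "pass" and rule.proto == "any" and rule.src == ANY_NET \
                    and rule.dst == ANY_NET and rule.dport == ANY_PORT:
                findings.append(f"'{rule.name}' allows any/any, violating deny by default")
        return findings


def sample_ruleset():
    """Constructed rule base using the chapter's LAN (192.168.1.0/24) and server (10.0.0.2)."""
    return Ruleset(
        floating=[Rule("block-bad-range", "block", "any", src="192.0.2.0/24")],
        groups={"internal": (["lan", "dmz"], [
            Rule("dns-to-resolver", "pass", "udp", dst="10.0.0.53/32", dport=(53, 53))])},
        interfaces={
            "lan": [
                Rule("lan-ssh-to-server", "pass", "tcp", src="192.168.1.0/24",
                     dst="10.0.0.2/32", dport=(22, 22), expires=date(2024, 1, 31)),
                Rule("lan-https-out", "pass", "tcp", src="192.168.1.0/24", dport=(443, 443)),
                Rule("admin-ssh-to-server", "pass", "tcp", src="192.168.1.10/32",
                     dst="10.0.0.2/32", dport=(22, 22)),    # unreachable: covered above
            ],
            "wan": [Rule("wan-allow-all", "pass", "any")],  # the misconfiguration to catch
        })


if __name__ == "__main__":
    rs = sample_ruleset()
    for packet in [("lan", "tcp", "192.168.1.5", "10.0.0.2", 22),
                   ("lan", "tcp", "192.168.1.5", "198.51.100.8", 80),
                   ("wan", "tcp", "198.51.100.8", "192.168.1.5", 3389)]:
        print(packet, "->", rs.evaluate(*packet))
    for finding in rs.audit(REVIEW_DATE):
        print("AUDIT:", finding)
```

Running it shows the LAN SSH packet passing, the LAN HTTP packet falling through to the default deny, and the RDP packet from the internet being allowed by the any/any WAN rule; the audit then reports that rule, the expired SSH rule, and the admin rule that the broader LAN rule above it shadows. The shadow check is the one that saves time on a large legacy rule base: a rule that can never match is pure noise and a candidate for removal.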

VIII. Configuring firewall rules

This section shows how authentication is set up in pfSense for VPN (OpenVPN and IPsec)
and RADIUS, and how firewall rules are then written to control what authenticated clients
may reach.
Authentication Methods in pfSense

pfSense offers various methods to authenticate users and devices accessing the network. Here are
some common approaches:

• VPN: Virtual Private Networks (VPNs) provide a secure and encrypted tunnel between
the user's device and the network. They often incorporate authentication mechanisms like
username/password or certificates.
• RADIUS: Remote Authentication Dial-In User Service (RADIUS) is a centralized
authentication server that handles user authentication and authorization requests. It can be
integrated with pfSense to authenticate users accessing the network.
• IPsec: Internet Protocol Security (IPsec) is a suite of protocols that provides secure
communication over IP networks. It can be used for authentication and encryption,
ensuring only authorized users can access the network.

Configuring Firewall Rules for Authentication

Here's a step-by-step guide on how to configure firewall rules for authentication in pfSense:

1. VPN Authentication:
o OpenVPN:
▪ Navigate to VPN > OpenVPN in the pfSense web interface.
▪ Create a new OpenVPN server and configure its settings.
▪ Enable authentication using username/password or certificates.
▪ Create firewall rules on the OpenVPN interface to allow traffic from
authenticated users.
o IPsec:
▪ Navigate to VPN > IPsec in the pfSense web interface.
▪ Create a new IPsec tunnel and configure its settings.
▪ Enable authentication using pre-shared keys, certificates, or RADIUS.
▪ Create firewall rules on the IPsec interface to allow traffic from
authenticated users.
2. RADIUS Authentication:
o Configure RADIUS Server:
▪ Install and configure a RADIUS server (e.g., FreeRADIUS) on a separate
machine.
▪ Configure the RADIUS server to authenticate users against a database or
LDAP directory.
o Integrate RADIUS with pfSense:
▪ Navigate to System > User Manager > Authentication Servers in the pfSense
web interface and add a server of type RADIUS.
▪ Configure the RADIUS server settings, including its IP address, shared
secret, authentication port, and authentication protocol (for example PAP or
MS-CHAPv2).
▪ Select that server as the authentication backend of the service that fronts
the users, for example the OpenVPN server, IPsec mobile clients, or the
Captive Portal.
o Create Firewall Rules:
▪ Create firewall rules on the relevant interfaces (OpenVPN, IPsec, or the
interface running the Captive Portal) to allow traffic from authenticated users.
▪ Firewall rules themselves do not authenticate anyone: the service that
accepted the RADIUS result decides who gets an address on that interface,
and the rules then decide what those clients may reach.
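To make the RADIUS step concrete, here is an added Python example (not pfSense or FreeRADIUS code) of the exchange behind "IP address and shared secret": the client (the NAS role pfSense plays) builds an RFC 2865 Access-Request, hides the User-Password with MD5 keyed by the shared secret and the random Request Authenticator, the server recovers and checks the password, and the client verifies the Response Authenticator before trusting the verdict. The user name, password, shared secret and NAS address are all constructed.

```python
"""RFC 2865 RADIUS Access-Request / Access-Accept exchange.

Added example for this module, not pfSense or FreeRADIUS code. Both the NAS
side (what pfSense does when it asks a RADIUS server to check a user) and a
minimal server side are shown so the role of the shared secret is visible.
User name, password, secret and NAS address are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4      # attribute types


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: zero-pad to 16-byte blocks and XOR block i with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def unhide_password(hidden, secret, req_auth):
    """Server side of the same construction; strips the zero padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    """Type (1 byte), Length (1 byte, header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, username, password, secret, nas_ip):
    """Returns the packet plus the Request Authenticator the NAS must keep
    in order to validate the reply."""
    req_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def radius_server(packet, secret, users):
    """Minimal server: recover the password, compare it, answer Accept or Reject."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    password = unhide_password(attrs[USER_PASSWORD], secret, req_auth)
    ok = hmac.compare_digest(users.get(attrs[USER_NAME], b""), password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return (struct.pack("!BBH", code, ident, 20)
            + response_authenticator(code, ident, b"", req_auth, secret))


def verify_response(packet, req_auth, secret):
    """NAS side: recompute the Response Authenticator before trusting the verdict."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, ident, packet[20:length], req_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"              # constructed
    USERS = {b"alice": b"Correct-Horse-Battery-9"}     # constructed
    request, req_auth = build_access_request(7, b"alice", USERS[b"alice"], SECRET, "192.168.1.1")
    reply = radius_server(request, SECRET, USERS)
    print("reply code", reply[0], "authentic", verify_response(reply, req_auth, SECRET))
```

Everything protecting this exchange is the shared secret mixed into MD5: a wrong secret on either side makes the password decode to garbage and the Response Authenticator fail to verify, and the Access-Request itself carries no integrity check unless the Message-Authenticator attribute (RFC 2869, HMAC-MD5) is added; the 2024 Blast-RADIUS attack showed that an attacker in the path can forge the MD5-based Response Authenticator. Use a long random secret, keep the pfSense-to-RADIUS path on a protected network segment, and prefer RADIUS over TLS (RadSec, RFC 6614) where the server supports it.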

Additional Considerations

• Firewall Rule Order: Rules are matched top to bottom and the first match wins, so put
the specific allow rules for VPN or portal clients above any broader block or allow rule on
the same interface; otherwise the broader rule decides and the specific one never applies.
• Log Authentication Attempts: Enable logging for authentication rules to track
successful and failed attempts. This helps with troubleshooting and security monitoring.
• Two-Factor Authentication: Consider implementing two-factor authentication (2FA)
for enhanced security, requiring users to provide an additional authentication factor
beyond their password.
• Security Best Practices: Enforce password length and complexity and an account
lockout or rate limit against guessing, but avoid forced periodic password changes unless
a compromise is suspected; scheduled rotation pushes users toward predictable patterns
such as appending the season and year, the bias examined later in this chapter.

Activity

1. What is the purpose of a password system?
a) To control incoming and outgoing network traffic
b) To enhance security and protect sensitive information
c) To generate authentication tokens
d) To enforce firewall rules
2. Which decade saw the introduction of the first password system at MIT?
a) 1960s
b) 1970s
c) 1980s
d) 1990s
3. What is the main advantage of using biometric authentication?
a) Enhanced security
b) Convenience
c) Non-transferability
d) All of the above
4. Which type of attack involves systematically trying all possible combinations of characters to guess a password?
a) Dictionary attack
b) Brute force attack
c) Social engineering attack
d) Pattern-based attack
5. What is the purpose of grouping firewall rules by function?
a) To make management and troubleshooting more efficient
b) To restrict access to management interfaces
c) To implement application-level control
d) To enhance password security
6. Which signing algorithm is recommended for authentication tokens due to its enhanced security and key rotation capabilities?
a) RS256
b) HS256
c) RSA
d) HMAC
7. What is the main advantage of using multi-factor authentication?
a) Enhanced security
b) Convenience
c) Non-transferability
d) Scalability
8. Which type of attack targets specific patterns commonly used in passwords?
a) Dictionary attack
b) Brute force attack
c) Social engineering attack
d) Pattern-based attack
9. What is the purpose of authentication tokens?
a) To control incoming and outgoing network traffic
b) To enhance security and protect sensitive information
c) To generate firewall rules
d) To enforce password complexity requirements
10. Which decade saw the rise of the internet and increased connectivity, leading to the importance of strong passwords?
a) 1960s
b) 1970s
c) 1980s
d) 1990s
11. Which type of attack involves using precompiled lists of common words and passwords to guess user passwords?
a) Dictionary attack
b) Brute force attack
c) Social engineering attack
d) Pattern-based attack
12. What is the main advantage of implementing two-factor authentication (2FA)?
a) Enhanced security
b) Convenience
c) Non-transferability
d) Scalability
13. Which type of attack involves gathering personal information about the target to guess their password?
a) Dictionary attack
b) Brute force attack
c) Social engineering attack
d) Pattern-based attack
14. What is the purpose of implementing application-level control in firewall rules?
a) To make management and troubleshooting more efficient
b) To restrict access to management interfaces
c) To enhance password security
d) To provide granular control over specific applications or services
15. Which signing algorithm uses an asymmetric key pair consisting of a public key and a private key?
a) RS256
b) HS256
c) RSA
d) HMAC

Assessment Task

Choose two of the situations below, solve them, and draw an illustration for each situation you choose.

LAN network: 192.168.1.0/24 (all scenarios)

Server IP: 10.0.0.2 (all configurations); the Internet is the destination for outbound traffic

Situation:

1. You are responsible for configuring firewall rules on a pfSense router to enforce network
security policies. Your goal is to allow or block TCP, UDP, and ICMP traffic based on certain criteria.

Allow TCP Traffic from Specific Source to Destination:

o Action: ________________

o Protocol: ________________

o Source: ________________

o Destination: ________________

o Description: Allow TCP traffic from LAN to Server.

Block UDP Traffic from Any Source to Specific Destination Port:

o Action: ________________

o Protocol: ________________

o Source: ________________

o Destination: 203.0.113.5 (DNS Server IP)

o Destination Port Range: ________________

o Description: Block UDP traffic to DNS server.

Allow ICMP Ping Requests from Any Source to LAN Interface:

o Action: ________________

o Protocol: ________________

o Type: Echo Request (Ping)

o Source: ________________

Situation:

2. Your organization wants to enforce strict security measures by allowing only HTTPS traffic (TCP port 443)
to communicate with the internet through the pfSense firewall. All other outbound traffic should be blocked
to ensure that only secure web browsing is permitted

• Configure Outbound Rule to Allow TCP Port 443:

• Action: ________________

• Interface: ________________

• Address Family: IPv4 (or IPv6 if applicable)

• Protocol: ________________

• Source: ________________

• Destination: ________________

• Destination Port Range: ________________

• Description: Allow outbound HTTPS traffic to the internet.

Situation:

3. Your organization has two branch offices located in different cities, and you need to
establish a secure connection between them to facilitate seamless communication and data
transfer. You decide to set up a site-to-site VPN using pfSense firewalls installed at each branch
office.

• Configure Phase 1 (Main Office):

• Click on the "Add P1" button.

• Enter a unique Description for the Phase 1 entry.

• Key Exchange Version: ________________

• Internet Protocol: ________________

• Interface: WAN.

• Remote Gateway: Enter the public IP address of the branch office pfSense firewall.

• Authentication Method: Choose a suitable authentication method (e.g., Mutual PSK).

• Pre-Shared Key: ________________

• Encryption Algorithm: ________________

• Hash Algorithm: ________________

• DH Group: ________________

• Lifetime: Set an appropriate lifetime for the phase.

• Click on the "Save" button.

• Configure Phase 2 (Main Office):

• Under Phase 1, click on the "Add P2" button.

• Enter a Description for the Phase 2 entry.

• Mode: Select "Tunnel IPv4" (or IPv6 if applicable).

• Local Network: ________________

Criteria | Excellent (5) | Very Good (4) | Good (3) | Fair (2) | Poor (1) | Score

Accuracy and Completion
  Excellent (5): All configuration tasks are completed accurately and comprehensively.
  Very Good (4): Most configuration tasks are completed accurately with minor errors or oversights.
  Good (3): Some configuration tasks are completed but lack completeness or accuracy.
  Fair (2): Configuration tasks are incomplete or inaccurate, with many functionalities not properly configured.
  Poor (1): Configuration tasks are severely incomplete or inaccurate, with numerous critical functionalities missing or misconfigured.
  Score: ____

Complexity/Readability
  Excellent (5): Configuration settings are logically organized and well-documented, with clear explanations provided for each setup.
  Very Good (4): Configuration settings are mostly organized and documented, with explanations provided for most setups.
  Good (3): Configuration settings are somewhat organized and documented, but some explanations may be unclear or missing.
  Fair (2): Configuration settings lack organization and documentation, making it difficult to understand the setup.
  Poor (1): Configuration settings are chaotic and poorly documented, making it nearly impossible to understand the setup.
  Score: ____

Creativity
  Excellent (5): Configuration tasks demonstrate innovative approaches and creative problem-solving.
  Very Good (4): Configuration tasks show some creativity in problem-solving, with attempts to implement novel configurations.
  Good (3): Configuration tasks follow conventional approaches, with limited attempts to implement unique configurations.
  Fair (2): Configuration tasks lack creativity, relying solely on standard setups without attempting to innovate.
  Poor (1): Configuration tasks lack any semblance of creativity, with setups being overly simplistic and unimaginative.
  Score: ____

Perseverance
  Excellent (5): Configuration efforts show exceptional perseverance and dedication.
  Very Good (4): Configuration efforts demonstrate good perseverance, with challenges being addressed in a timely manner.
  Good (3): Configuration efforts show some perseverance, but challenges are not always addressed promptly.
  Fair (2): Configuration efforts lack perseverance, with challenges often left unresolved or ignored.
  Poor (1): Configuration efforts show a complete lack of perseverance, with challenges being quickly abandoned or ignored altogether.
  Score: ____

Other Comments/Observations:

Total Score: ____

References
• TechTarget. (n.d.). Authentication factor. Retrieved from TechTarget
• Atatus. (n.d.). Authentication Factor. Retrieved from Atatus
• StrongDM. (2021). Authentication Vulnerabilities. Retrieved from StrongDM
• LoginRadius. (n.d.). Authentication Vulnerabilities and Security. Retrieved from LoginRadius
• GeeksforGeeks. (n.d.). Sniffing of Login Credential or Password Capturing in Wireshark.
Retrieved from GeeksforGeeks
• HackerCoolMagazine. (n.d.). Password Sniffing Tutorial for Beginners. Retrieved from
HackerCoolMagazine
• Brainly. (n.d.). Password Search Space Calculation. Retrieved from Brainly
• LinkedIn. (2021). 14 Critical Authentication Vulnerabilities You Should Know. Retrieved from
LinkedIn
• FasterCapital. (n.d.). Token Problem: Token Security and Safeguarding Your Digital Assets.
Retrieved from FasterCapital
• TechVera. (2021). The Vulnerabilities of User Authentication Tokens and How to Protect
Your Organization. Retrieved from TechVera
• SpringerLink. (n.d.). Biometric Security Vulnerabilities. Retrieved from SpringerLink
• Software Tested. (2021). Biometric Security Vulnerabilities. Retrieved from Software Tested
• Innovatrics. (n.d.). Biometric Security. Retrieved from Innovatrics
• Mofiria. (n.d.). Vulnerability in Biometrics. Retrieved from Mofiria
• Intersec Expo. (n.d.). Biometric Vulnerabilities and Fixes. Retrieved from Intersec Expo

Write the answers on paper, take a picture of it, and submit it.
Reminder: I need the hard-copy paper, which will be submitted during our face-to-face meeting.

1. Evolution of the Password System

Scenario: A financial institution still uses 8-character passwords without multi-factor
authentication (MFA). After a breach, they migrate to passphrases (e.g.,
"PurpleTiger$JumpsHigh!") and later adopt FIDO2 security keys.
Question:

• Why are passphrases more secure than traditional passwords, and what risks remain if
MFA isn’t enforced?

2. Password Guessing

Scenario: An attacker uses credential stuffing (reusing leaked passwords from LinkedIn’s 2012
breach) to access employees’ Slack accounts at a tech startup.
Question:

• How can companies detect and prevent credential stuffing attacks?

3. Attacks on Password Bias

Scenario: Hackers exploit password patterns (e.g., "Summer2023!", "Winter2023!") in a
corporate environment where users change passwords quarterly.
Question:

• What policies can enforce truly random passwords without predictable biases?

4. Authentication Tokens

Scenario: A developer accidentally commits an OAuth token to a public GitHub repo, allowing
attackers to access Google Cloud resources.
Question:

• How should organizations monitor and revoke exposed tokens in real-time?

5. Biometric Authentication

Scenario: A deepfake voice recording bypasses a bank’s voice recognition system to authorize
a fraudulent wire transfer.
Question:

• What are the limitations of biometrics, and how can they be combined with other factors
for security?

6. Firewall Rule Best Practices

Scenario: A hospital’s firewall allows RDP (port 3389) from any IP to critical servers, leading
to a ransomware attack.
Question:

• Why is the principle of least privilege critical in firewall rules, and how would you fix
this misconfiguration?

7. Rule Methodology

Scenario: An e-commerce company’s firewall has 500+ legacy rules, slowing traffic and
creating shadow IT risks.
Question:

• What’s a structured approach to auditing and cleaning up obsolete firewall rules?

8. Configuring Firewall Rules

Scenario: A cloud engineer at a SaaS firm misconfigures an AWS Security Group, exposing a
customer database to the internet.
Question:

• How can infrastructure-as-code (e.g., Terraform) prevent firewall misconfigurations?
