SECURITY TECHNOLOGIES:
Access Controls, Firewalls and VPNs
Objectives
Upon completion of this material, you should be able to:
◦ Discuss the role of access control in information systems, and identify and discuss the four fundamental
functions of access control systems
◦ Define authentication and explain the three commonly used authentication factors
◦ Describe firewall technologies and the various categories of firewalls
◦ Discuss the various approaches to firewall implementation
◦ Identify the various approaches to control remote and dial-up access by authenticating and authorizing
users
◦ Describe virtual private networks (VPNs) and discuss the technology that enables them
Introduction
Technical controls are essential in enforcing policy for many IT functions that are not under
direct human control.
Technical control solutions, when properly implemented, improve an organization’s ability to
balance the objectives of making information readily available and preserving the information’s
confidentiality and integrity.
Access Control
Access control: A selective method by which systems specify who may use a particular resource and how
they may use it.
Mandatory access controls (MACs): A required, structured data classification scheme that rates each
collection of information as well as each user.
Discretionary access controls (DACs): Access controls that are implemented at the discretion or option of
the data user.
Nondiscretionary controls: Access controls that are implemented by a central authority.
In general, all access control approaches rely on the following four mechanisms, which represent the four
fundamental functions of access control systems:
◦ Identification: I am a user of the system.
◦ Authentication: I can prove I’m a user of the system.
◦ Authorization: Here’s what I can do with the system.
◦ Accountability: You can track and monitor my use of the system.
Access Control Approaches
Identification
Identification: The access control mechanism that requires the validation and verification of an
unauthenticated entity’s purported identity.
Identifiers can be composite identifiers, concatenating elements—department codes, random
numbers, or special characters—to make them unique.
Most organizations use a single piece of unique information, such as a complete name or the
user’s first initial and surname.
Authentication
Authentication: The access control mechanism that requires the validation and verification of an
unauthenticated entity’s purported identity.
Authentication factors
◦ Something you know
  ◦ Password: a private word or a combination of characters that only the user should know
  ◦ Passphrase: a series of characters, typically longer than a password, from which a virtual password is derived
◦ Something you have
  ◦ Dumb card: ID or ATM card with magnetic stripe
  ◦ Smart card: contains a computer chip that can verify and validate information
  ◦ Synchronous tokens
  ◦ Asynchronous tokens
◦ Something you are
  ◦ Relies upon individual characteristics
  ◦ Strong authentication
Authorization
Authorization: The access control mechanism that represents the matching of an
authenticated entity to a list of information assets and corresponding access levels.
Authorization can be handled in one of three ways:
◦ Authorization for each authenticated user
◦ Authorization for members of a group
◦ Authorization across multiple systems
Authorization credentials, also called authorization tickets, are issued by an
authenticator and are honored by many or all systems within the authentication
domain.
Accountability
Accountability: The access control mechanism that ensures all actions on a system—authorized
or unauthorized—can be attributed to an authenticated identity. Also known as auditability.
Accountability is most often accomplished by means of system logs and database journals, and
the auditing of these records.
System logs record specific information. Logs have many uses.
Biometrics
Approach based on the use of measurable human characteristics/traits to authenticate identity.
Only fingerprints, the retina of the eye, the iris of the eye, and DNA are considered truly unique.
Evaluated on false reject rate, false accept rate, and crossover error rate.
Highly reliable/effective biometric systems are often considered intrusive by users.
(Figure: Biometric recognition characteristics)
Firewalls
A firewall is an integrated collection of security measures designed to prevent unauthorized
electronic access to a networked computer system.
A network firewall is similar to firewalls in building construction, because in both cases they are
intended to isolate one "network" or "compartment" from another.
In information security, a firewall is a combination of hardware and software that filters or
prevents specific information from moving between the outside (untrusted) network and the
inside (trusted) network.
May be:
◦ Separate computer system
◦ Software service running on existing router or server
◦ Separate network containing supporting devices
Firewall Policies
To protect private networks and individual machines from the dangers of the greater Internet, a
firewall can be employed to filter incoming or outgoing traffic based on a predefined set of rules
called firewall policies.
(Figure: firewall policies applied at the firewall between the trusted internal network and the untrusted Internet)
Policy Actions
Packets flowing through a firewall can have one of three outcomes:
◦ Accepted: permitted through the firewall
◦ Dropped: not allowed through, with no indication of failure
◦ Rejected: not allowed through, accompanied by an attempt to inform the source that the packet was rejected
Policies used by the firewall to handle packets are based on several properties of the packets being inspected, such as:
◦ the protocol used (TCP or UDP)
◦ the source and destination IP addresses
◦ the source and destination ports
◦ the application-level payload of the packet (e.g., whether it contains a virus)
Blacklists and Whitelists
Two fundamental approaches to creating firewall policies (or rulesets)
Blacklist approach (default-allow)
◦ All packets are allowed through except those that fit the rules defined specifically in a blacklist.
◦ Pros: flexible in ensuring that service to the internal network is not disrupted by the firewall
◦ Cons: unexpected forms of malicious traffic could go through
Whitelist approach (default-deny)
◦ Packets are dropped or rejected unless they are specifically allowed by the firewall
◦ Pros: A safer approach to defining a firewall ruleset
◦ Cons: must consider all possible legitimate traffic in rulesets
Firewalls Processing Modes
Processing modes by which firewalls can be categorized:
◦ Packet filtering
◦ Application layer proxy
◦ MAC layer firewalls
◦ Hybrids
Packet-Filtering Firewalls
Packet-filtering firewalls examine the header information of data packets
Most often based on the combination of:
◦ IP source and destination address
◦ Direction (inbound or outbound)
◦ Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port
requests
Simple firewall models enforce rules designed to prohibit packets with certain addresses or
partial addresses from passing through the device.
Packet-Filtering Firewall
Firewall Types
•Packet filters (stateless)
– If a packet matches the packet filter's set of rules, the packet filter will drop or accept it
•"Stateful" filters
– Maintain records of all connections passing through and can determine whether a packet is the start of a new connection, part of an existing connection, or an invalid packet
•Application layer
– Works like a proxy: it can "understand" certain applications and protocols
– May inspect the contents of the traffic, blocking what it views as inappropriate content (e.g., websites, viruses, vulnerabilities, ...)
Stateless Firewalls
A stateless firewall doesn't maintain any remembered context (or "state") with respect to the packets it is processing. Instead, it treats each packet attempting to travel through it in isolation, without considering packets that it has processed previously.
(Figure: a client on the trusted internal network completes a TCP handshake with a server across a stateless firewall. SYN: Seq = x, Port=80. SYN-ACK: Seq = y, Ack = x + 1. ACK: Seq = x + 1, Ack = y + 1. Firewall rules: Allow outbound SYN packets, destination port=80; Allow inbound SYN-ACK packets, source port=80.)
Stateless Restrictions
Stateless firewalls may have to be fairly restrictive in order to prevent most attacks.
(Figure: an attacker's inbound SYN, Seq = y, Port=80, is blocked before it reaches the client on the trusted internal network. Firewall rules: Allow outbound SYN packets, destination port=80; Drop inbound SYN packets; Allow inbound SYN-ACK packets, source port=80.)
Stateful Firewalls
Stateful firewalls can tell when packets are part of legitimate sessions originating within a
trusted network.
Stateful firewalls maintain tables containing information on each active connection, including
the IP addresses, ports, and sequence numbers of packets.
Using these tables, stateful firewalls can allow only inbound TCP packets that are in response to
a connection initiated from within the internal network.
Stateful Firewall
Allow only requested TCP connections:
TCP-based connections are easy to check
◦ TCP SYN packet
UDP-based traffic is not so clear
◦ There is no UDP connection set up
◦ Treat a UDP session as started when a legitimate UDP packet is allowed through the firewall (such as from inside to outside)
◦ Session is defined by (source IP, source port, dest IP, dest port)
(Figure: the client on the trusted internal network completes a TCP handshake with the server (SYN: Seq = x, Port=80; SYN-ACK: Seq = y, Ack = x + 1; ACK: Seq = x + 1, Ack = y + 1) under the rule "Allow outbound TCP sessions, destination port=80". The firewall state table records the established TCP session (128.34.78.55, 76.120.54.101). An attacker's unsolicited inbound SYN-ACK, Seq = y, Port=80, matches no entry in the state table and is blocked.)
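To make the difference between the stateless and stateful slides above concrete, here is an added Python example (not from the deck or its textbook) that runs the same packets through the slide's stateless rules and through a minimal state table. The addresses 128.34.78.55 and 76.120.54.101 are the slide's; the attacker address, the ephemeral ports and the UDP packets are constructed.

```python
from dataclasses import dataclass

# Addresses from the deck's state-table slide; the attacker address and the
# port numbers other than 80 and 53 are constructed for this example.
CLIENT = "128.34.78.55"     # host on the trusted internal network
SERVER = "76.120.54.101"    # web server on the untrusted Internet
ATTACKER = "203.0.113.9"    # constructed (RFC 5737 documentation range)


@dataclass(frozen=True)
class Packet:
    direction: str                  # "out" = trusted -> Internet, "in" = Internet -> trusted
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


def stateless_filter(pkt: Packet) -> str:
    """The 'Stateless Restrictions' rules: every packet is judged on its own."""
    if pkt.proto != "tcp":
        return "drop"
    if pkt.direction == "out" and pkt.dport == 80:
        return "accept"  # outbound SYN (and the rest of the client's side)
    if pkt.direction == "in" and "SYN" in pkt.flags and "ACK" not in pkt.flags:
        return "drop"    # unsolicited inbound connection attempt
    if pkt.direction == "in" and pkt.sport == 80:
        return "accept"  # looks like a reply; nothing checks that anyone asked
    return "drop"        # default deny


class StatefulFilter:
    """Tracks sessions keyed by (internal IP, internal port, remote IP, remote port)."""

    def __init__(self) -> None:
        self.table: dict = {}

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        # Inbound replies are mapped onto the 4-tuple of the outbound request.
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> str:
        key = self._key(pkt)
        state = self.table.get(key)
        if pkt.proto == "tcp":
            # Slide rule: "Allow outbound TCP sessions, destination port=80".
            if pkt.direction == "out" and pkt.flags == {"SYN"} and pkt.dport == 80:
                self.table[key] = "SYN_SENT"
                return "accept"
            if state is None:
                return "drop"  # no state-table entry: nobody inside asked for this
            if pkt.direction == "in" and pkt.flags == {"SYN", "ACK"} and state == "SYN_SENT":
                self.table[key] = "SYN_RECEIVED"
                return "accept"
            if pkt.direction == "out" and pkt.flags == {"ACK"} and state == "SYN_RECEIVED":
                self.table[key] = "ESTABLISHED"
                return "accept"
            return "accept" if state == "ESTABLISHED" else "drop"
        if pkt.proto == "udp":
            # No handshake exists, so an allowed outbound datagram starts a pseudo-session.
            if pkt.direction == "out":
                self.table[key] = "UDP_SESSION"
                return "accept"
            return "accept" if state == "UDP_SESSION" else "drop"
        return "drop"


def run_scenarios() -> dict:
    """Runs the slide's handshake plus attacker packets through both filters."""
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    handshake = [
        Packet("out", "tcp", CLIENT, 40000, SERVER, 80, syn),
        Packet("in", "tcp", SERVER, 80, CLIENT, 40000, synack),
        Packet("out", "tcp", CLIENT, 40000, SERVER, 80, ack),
    ]
    attacker_syn = Packet("in", "tcp", ATTACKER, 5555, CLIENT, 80, syn)
    attacker_synack = Packet("in", "tcp", ATTACKER, 80, CLIENT, 40001, synack)  # forged reply
    udp = [
        Packet("out", "udp", CLIENT, 50000, SERVER, 53),   # e.g. a DNS query
        Packet("in", "udp", SERVER, 53, CLIENT, 50000),    # its reply
        Packet("in", "udp", ATTACKER, 53, CLIENT, 50000),  # unsolicited datagram
    ]
    sf = StatefulFilter()
    return {
        "stateless_handshake": [stateless_filter(p) for p in handshake],
        "stateless_attacker_syn": stateless_filter(attacker_syn),
        "stateless_attacker_synack": stateless_filter(attacker_synack),
        "stateful_handshake": [sf.filter(p) for p in handshake],
        "stateful_attacker_syn": sf.filter(attacker_syn),
        "stateful_attacker_synack": sf.filter(attacker_synack),
        "stateful_udp": [sf.filter(p) for p in udp],
    }
```

The forged SYN-ACK from source port 80 passes the stateless rules but is dropped by the state table, which is exactly the case the stateful slide's diagram marks as blocked.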
Application-level Firewall
A device capable of functioning both as a firewall and an application layer proxy server.
Since proxy servers are often placed in an unsecured area of the network (e.g., the DMZ), they are exposed to higher levels of risk from less trusted networks.
Additional filtering routers can be implemented behind the proxy firewall, further protecting
internal systems.
Application-level Firewall
Filters packets on application data as well as on IP/TCP/UDP fields.
Example: allow select internal users to telnet outside.
1. Require all telnet users to telnet through the gateway.
2. For authorized users, the gateway sets up a telnet connection to the destination host. The gateway relays data between the 2 connections.
3. The router filter blocks all telnet connections not originating from the gateway.
(Figure: host-to-gateway session; gateway-to-remote host session; application gateway; router and filter)
Example: block user access to known porn websites
◦ Check if the Web URL is in a "black-list"
MAC layer Firewalls
◦ Designed to operate at media access control sublayer of network’s data link layer
◦ Make filtering decisions based on specific host computer’s identity
◦ MAC addresses of specific host computers are linked to access control list (ACL)
entries that identify specific types of packets that can be sent to each host; all other
traffic is blocked
Hybrid Firewalls
◦ Combine elements of other types of firewalls, that is, elements of packet filtering and proxy
services, or of packet filtering and circuit gateways
◦ Alternately, may consist of two separate firewall devices; each a separate firewall system, but
connected to work in tandem
◦ Enables an organization to make security improvements without completely replacing existing firewalls
◦ Include the Next Generation Firewall (NGFW) and Unified Threat Management (UTM) devices
Firewall Types and Protocol Models
Tunnels
The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a
TCP connection, he can often see the complete contents of the payloads in this session.
One way to prevent such eavesdropping without changing the software performing the
communication is to use a tunneling protocol.
In such a protocol, the communication between a client and server is automatically encrypted,
so that useful eavesdropping is infeasible.
Tunneling Prevents Eavesdropping
Packets sent over the Internet are automatically encrypted.
(Figure: client and server communicate over TCP/IP across the untrusted Internet; the tunneling protocol does end-to-end encryption and decryption, so payloads are encrypted while in transit.)
Secure Shell (SSH)
A secure interactive command session:
The client connects to the server via a TCP session.
The client and server exchange information on administrative details, such as supported encryption methods and their protocol version, each choosing a set of protocols that the other supports.
◦ Example: check the ssh client software to see which are supported.
The client and server initiate a secret-key exchange to establish a shared secret session key, which is used to encrypt their communication (but not for authentication). This session key is used in conjunction with a chosen block cipher (typically AES, 3DES) to encrypt all further communications.
The server sends the client a list of acceptable forms of authentication, which the client will try in sequence.
◦ Password-based authentication
◦ Public-key authentication method
  ◦ Client sends the server its public key
  ◦ The server then checks if this key is stored in its list of authorized keys. If so, the server encrypts a challenge using the client's public key and sends it to the client
  ◦ The client decrypts the challenge with its private key and responds to the server, proving its identity
(Slide annotation: Digital signature)
Content Filters
A software program or hardware/software appliance that allows administrators to restrict
content that comes into or leaves a network
Essentially a set of scripts or programs restricting user access to certain networking
protocols/Internet locations
Primary purpose to restrict internal access to external material
Most common content filters restrict users from accessing non-business Web sites or deny
incoming spam
Protecting Remote Connections
Installing internetwork connections requires leased lines or other data channels; these connections are usually secured under the requirements of a formal service agreement.
When individuals seek to connect to an organization's network, a more flexible option must be provided.
Options such as virtual private networks (VPNs) have become more popular due to the spread of the Internet.
Virtual Private Network (VPN)
Virtual private networking (VPN) is a technology that allows private networks to be safely
extended over long physical distances by making use of a public network, such as the Internet, as a
means of transport.
VPN provides guarantees of data confidentiality, integrity, and authentication, despite the use of
an untrusted network for transmission.
Private and secure network connection between systems; uses data communication capability of
unsecured and public network
Securely extends organization’s internal network connections to remote locations
Three VPN technologies defined:
◦ Trusted VPN
◦ Secure VPN
◦ Hybrid VPN (combines trusted and secure)
VPN Transport Mode
◦ Data within the IP packet are encrypted, but header information is not; this allows a user to establish a secure link directly with a remote host, encrypting only the data contents of the packet
◦ Two popular uses:
  ◦ End-to-end transport of encrypted data
  ◦ A remote-access worker connects to an office network over the Internet by connecting to a VPN server on the perimeter
VPN Tunnel Mode
◦ Establishes two perimeter tunnel servers to encrypt all traffic that will traverse an unsecured network
◦ The entire client packet is encrypted and added as the data portion of a packet sent from one tunneling server to another
◦ The primary benefit of this model is that an intercepted packet reveals nothing about the true destination system
◦ Example of a tunnel mode VPN: Microsoft's Internet Security and Acceleration (ISA) Server
Intrusion Detection System (IDS)
Introduction
Intrusion
◦ Actions aimed at compromising the security of the target (confidentiality,
integrity, availability of computing/networking resources)
Intrusion detection
◦ The identification through intrusion signatures and report of intrusion activities
Intrusion prevention
◦ The process of both detecting intrusion activities and managing automatic
responsive actions throughout the network
IDS Components
The IDS manager compiles data from the IDS sensors to determine if an intrusion has occurred. If the IDS manager detects an intrusion, then it sounds an alarm.
(Figure: IDS sensors attached to the routers and firewall between the untrusted Internet and the internal network report to the IDS manager.)
Alarms can be sounded (positive) or not (negative).
Possible Alarm Outcomes
                      Intrusion Attack                       No Intrusion Attack
Alarm Sounded         True Positive                          False Positive (bad: rejects normal activity)
No Alarm Sounded      False Negative (bad: misses the attack) True Negative
Types of Intrusion Detection Systems
Rule-Based Intrusion Detection
◦ Rules and signatures identify the types of actions that match certain known profiles for an intrusion
attack
◦ Alarm raised can indicate what attack triggers the alarm
◦ Problem: Cannot deal with unknown attacks
Statistical Intrusion Detection
◦ Statistical representation (profile) of the typical ways that a user acts or a host is used
◦ Determine when a user or host is acting in highly unusual, anomalous ways.
◦ Alarm when a user or host deviates significantly from the stored profile for that person or machine
◦ Problem: High false positive rate, cannot tell which attack triggers the alarm
Port Scanning
Purpose: Attackers need to know where a potential target is
TCP scan: use an OS system call to check if a TCP connection can be set up to a target machine on any port
◦ Example scanner: nmap
◦ See how nmap works on the department eustis machine!
SYN scan: a low-level TCP program sends out a SYN packet without intent to finish the TCP connection setup
◦ On receiving SYN/ACK, it issues a RST packet to terminate
Port Scanning
Two port scanning modes:
◦ Vertical scan: target numerous destination ports on a single host (e.g., nmap)
◦ Horizontal scan: target the same port on many target hosts, effectively looking for a specific vulnerability
  ◦ E.g., a worm
  ◦ E.g., an attacker conducting reconnaissance before the real attack
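As an added detection example (not from the deck or its textbook), the two scan modes above can be told apart in perimeter flow records by counting distinct destination ports per (source, destination) pair for vertical scans and distinct destination hosts per (source, port) pair for horizontal scans. The flow records and the thresholds are constructed assumptions; lowering a threshold raises the false-positive rate in the alarm-outcome terms used under IDS.

```python
from collections import defaultdict

# Constructed perimeter flow records (not from the deck): one tuple per inbound
# TCP SYN seen by a sensor, as (src_ip, dst_ip, dst_port). All addresses are
# from RFC 5737 documentation ranges or private space.
FLOWS = [
    # Vertical scan: one external host probes many ports on one internal host.
    *[("198.51.100.7", "10.0.0.5", p) for p in (22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080)],
    # Horizontal scan: one external host probes port 445 on many internal hosts.
    *[("203.0.113.9", f"10.0.0.{i}", 445) for i in range(1, 9)],
    # Ordinary traffic: repeated HTTPS connections to the web server.
    ("192.0.2.3", "10.0.0.5", 443),
    ("192.0.2.3", "10.0.0.5", 443),
]


def detect_vertical(flows, min_ports=5):
    """(src, dst) pairs where src touched at least min_ports distinct ports on dst."""
    ports = defaultdict(set)
    for src, dst, dport in flows:
        ports[(src, dst)].add(dport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def detect_horizontal(flows, min_hosts=5):
    """(src, dport) pairs where src touched the same port on at least min_hosts hosts."""
    hosts = defaultdict(set)
    for src, dst, dport in flows:
        hosts[(src, dport)].add(dst)
    return {pair: sorted(h) for pair, h in hosts.items() if len(h) >= min_hosts}


def scan_report(flows, min_ports=5, min_hosts=5):
    """One alarm line per detected scan; the thresholds set the false-positive trade-off."""
    alarms = []
    for (src, dst), ports in detect_vertical(flows, min_ports).items():
        alarms.append(f"vertical scan: {src} -> {dst} on {len(ports)} ports")
    for (src, dport), hosts in detect_horizontal(flows, min_hosts).items():
        alarms.append(f"horizontal scan: {src} -> {len(hosts)} hosts on port {dport}")
    return alarms
```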
Reference
Whitman, M. & Mattord, H. (2018). Principles of Information Security, 6th Edition.
Thank You

Security Technologys: Access Control, Firewall, VPN

  • 1.
  • 2.
    Objectives Upon completion ofthis material, you should be able to: ◦ Discuss the role of access control in information systems, and identify and discuss the four fundamental functions of access control systems ◦ Define authentication and explain the three commonly used authentication factors ◦ Describe firewall technologies and the various categories of firewalls ◦ Discuss the various approaches to firewall implementation ◦ Identify the various approaches to control remote and dial-up access by authenticating and authorizing users ◦ Describe virtual private networks (VPNs) and discuss the technology that enables them
  • 3.
    Introduction Technical controls areessential in enforcing policy for many IT functions that are not under direct human control. Technical control solutions, when properly implemented, improve an organization’s ability to balance the objectives of making information readily available and preserving the information’s confidentiality and integrity.
  • 4.
    Access Control Access control:A selective method by which systems specify who may use a particular resource and how they may use it. Mandatory access controls (MACs): A required, structured data classification scheme that rates each collection of information as well as each user. Discretionary access controls (DACs): Access controls that are implemented at the discretion or option of the data user. Nondiscretionary controls: Access controls that are implemented by a central authority. In general, all access control approaches rely on the following four mechanisms, which represent the four fundamental functions of access control systems: ◦ Identification: I am a user of the system. ◦ Authentication: I can prove I’m a user of the system. ◦ Authorization: Here’s what I can do with the system. ◦ Accountability: You can track and monitor my use of the system.
  • 5.
  • 6.
    Identification Identification: The accesscontrol mechanism that requires the validation and verification of an unauthenticated entity’s purported identity. Identifiers can be composite identifiers, concatenating elements—department codes, random numbers, or special characters—to make them unique. Most organizations use a single piece of unique information, such as a complete name or the user’s first initial and surname.
  • 7.
    Authentication Authentication: The accesscontrol mechanism that requires the validation and verification of an unauthenticated entity’s purported identity. Authentication factors ◦ Something you know ◦ ◦ Password: a private word or a combination of characters that only the user should know Passphrase: a series of characters, typically longer than a password, from which a virtual password is derived ◦ Something you have ◦ ◦ ◦ ◦ Dumb card: ID or ATM card with magnetic stripe Smart card: contains a computer chip that can verify and validate information Synchronous tokens Asynchronous tokens ◦ Something you are ◦ ◦ Relies upon individual characteristics Strong authentication
  • 8.
    Authorization Authorization: The accesscontrol mechanism that represents the matching of an authenticated entity to a list of information assets and corresponding access levels. Authorization can be handled in one of three ways: ◦ Authorization for each authenticated user ◦ Authorization for members of a group ◦ Authorization across multiple systems Authorization credentials, also called authorization tickets, are issued by an authenticator and are honored by many or all systems within the authentication domain.
  • 9.
    Accountability Accountability: The accesscontrol mechanism that ensures all actions on a system—authorized or unauthorized—can be attributed to an authenticated identity. Also known as auditability. Accountability is most often accomplished by means of system logs and database journals, and the auditing of these records. Systems logs record specific information. Logs have many uses
  • 10.
    Biometrics Approach based onthe use of measurable human characteristics/traits to authenticate identity. Only fingerprints, retina of eye, and iris of eye and DNA are considered truly unique. Evaluated on false reject rate, false accept rate, and crossover error rate. Highly reliable/effective biometric systems are often considered intrusive by users. Biometric recognition characteristics
  • 11.
  • 12.
    A firewall isan integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system. A network firewall is similar to firewalls in building construction, because in both cases they are intended to isolate one "network" or "compartment" from another. In information security, a firewall is a combination of hardware and software that filters or prevents specific information from moving between the outside (untrusted) network and the inside (trusted) network. May be: ◦ Separate computer system ◦ Software service running on existing router or server ◦ Separate network containing supporting devices
  • 13.
    Firewall Policies To protectprivate networks and individual machines from the dangers of the greater Internet, a firewall can be employed to filter incoming or outgoing traffic based on a predefined set of rules called firewall policies. Trusted internal network Firewall Firewall policies Untrusted Internet
  • 14.
    Policy Actions Packets flowingthrough a firewall can have one of three outcomes: ◦ ◦ ◦ Accepted: permitted through the firewall Dropped: not allowed through with no indication of failure Rejected: not allowed through, accompanied by an attempt to inform the source that the packet was rejected Policies used by the firewall to handle packets are based on several properties of the packets being inspected, including the protocol used, such as: ◦ TCP or UDP ◦ the source and destination IP addresses ◦ the source and destination ports ◦ the application-level payload of the packet (e.g., whether it contains a virus).
  • 15.
    Blacklists and Whitelists Twofundamental approaches to creating firewall policies (or rulesets) Blacklist approach (default-allow) ◦ All packets are allowed through except those that fit the rules defined specifically in a blacklist. ◦ Pros: flexible in ensuring that service to the internal network is not disrupted by the firewall ◦ Cons: unexpected forms of malicious traffic could go through Whitelist approach (default-deny) ◦ Packets are dropped or rejected unless they are specifically allowed by the firewall ◦ Pros: A safer approach to defining a firewall ruleset ◦ Cons: must consider all possible legitimate traffic in rulesets
  • 16.
    Firewalls Processing Modes Processingmodes by which firewalls can be categorized: ◦ Packet filtering ◦ Application layer proxy ◦ MAC layer firewalls ◦ Hybrids
  • 17.
    Packet-Filtering Firewalls Packet-filtering firewallsexamine the header information of data packets Most often based on the combination of: ◦ IP source and destination address ◦ Direction (inbound or outbound) ◦ Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests Simple firewall models enforce rules designed to prohibit packets with certain addresses or partial addresses from passing through the device.
  • 18.
  • 19.
    Firewall Types •Packet filters(stateless) – If a packet matches the packet filter's set of rules, the packet filter will drop or accept it •"Stateful" filters – it maintains records of all connections passing through it and can determine if a packet is either the start of a new connection, a part of an existing connection, or is an invalid packet. •Application layer – It works like a proxy it can “understand” certain applications and protocols. – It may inspect the contents of the traffic, blocking what it views as inappropriate content (i.e. websites, viruses, vulnerabilities, ...)
  • 20.
    Stateless Firewalls A statelessfirewall doesn’t maintain any remembered context (or “state”) with respect to the packets it is processing. Instead, it treats each packet attempting to travel through it in isolation without considering packets that it has processed previously. Trusted internal network SYN Seq = x Port=80 SYN-ACK Seq = y Ack = x + 1 ACK Seq = x + 1 Ack = y + 1 Client Firewall Allow outbound SYN packets, destination port=80 Allow inbound SYN-ACK packets, source port=80 Server
  • 21.
    Stateless Restrictions Stateless firewallsmay have to be fairly restrictive in order to prevent most attacks. Trusted internal network SYN Seq = y Port=80 Allow outbound SYN packets, destination port=80 Drop inbound SYN packets, Allow inbound SYN-ACK packets, source port=80 Client Attacker (blocked) Firewall
  • 22.
    Stateful Firewalls Stateful firewallscan tell when packets are part of legitimate sessions originating within a trusted network. Stateful firewalls maintain tables containing information on each active connection, including the IP addresses, ports, and sequence numbers of packets. Using these tables, stateful firewalls can allow only inbound TCP packets that are in response to a connection initiated from within the internal network.
  • 23.
    Stateful Firewall Allow onlyrequested TCP connections: TCP-based connections are easy to check ◦ TCP SYN packet UDP-based traffic is not so clear ◦ There is no UDP connection set up ◦ Treat a UDP session starts when a legitimate UDP packet is allowed through the firewall (such as from inside to outside) ◦ Session is defined by (source IP, source port, dest IP, dest port) SYN Seq = x Port=80 SYN-ACK Seq = y Ack = x + 1 ACK Seq = x + 1 Ack = y + 1 Allow outbound TCP sessions, destination port=80 Client SYN-ACK Seq = y Port=80 Attacker Trusted internal network (blocked) Established TCP session: (128.34.78.55, 76.120.54.101) 128.34.78.55 76.120.54.101 Firewall state table Server Firewall
  • 24.
    Application-level Firewall A devicecapable of functioning both as a firewall and an application layer proxy server. Since proxy servers are often placed in unsecured area of the network (e.g., DMZ), they are exposed to higher levels of risk from less trusted networks. Additional filtering routers can be implemented behind the proxy firewall, further protecting internal systems.
  • 25.
    Application-level Firewall Filters packetson application data as well as on IP/TCP/UDP fields. Example: allow select internal users to telnet outside. 7-25 host-to-gateway session gateway-to-remote host session application gateway router and filter  Example: block user access to know porn websites  Check if the Web URL is in a “black-list” 1. Require all telnet users to telnet through gateway. 2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections 3. Router filter blocks all telnet connections not originating from gateway.
  • 26.
    MAC layer Firewalls ◦Designed to operate at media access control sublayer of network’s data link layer ◦ Make filtering decisions based on specific host computer’s identity ◦ MAC addresses of specific host computers are linked to access control list (ACL) entries that identify specific types of packets that can be sent to each host; all other traffic is blocked
  • 27.
    Hybrid Firewalls ◦ Combineelements of other types of firewalls, that is, elements of packet filtering and proxy services, or of packet filtering and circuit gateways ◦ Alternately, may consist of two separate firewall devices; each a separate firewall system, but connected to work in tandem ◦ Enables an organization to make security improvement without completely replacing existing firewalls ◦ Include the Next Generation Firewall (NGFW) and Unified Threat Management (UTM) devices
  • 28.
    Firewall Types andProtocol Models
  • 29.
  • 30.
    Tunnels The contents ofTCP packets are not normally encrypted, so if someone is eavesdropping on a TCP connection, he can often see the complete contents of the payloads in this session. One way to prevent such eavesdropping without changing the software performing the communication is to use a tunneling protocol. In such a protocol, the communication between a client and server is automatically encrypted, so that useful eavesdropping is infeasible.
  • 31.
    Tunneling Prevents Eavesdropping Packetssent over the Internet are automatically encrypted. Client Server Tunneling protocol (does end-t o - end encryption and decryption) Payloads are encrypted here TCP/IP TCP/IP Untrusted Internet
  • 32.
    Secure Shell (SSH) Asecure interactive command session: The client connects to the server via a TCP session. The client and server exchange information on administrative details, such as supported encryption methods and their protocol version, each choosing a set of protocols that the other supports. ◦ Example: check ssh client software to see what are supported. The client and server initiate a secret-key exchange to establish a shared secret session key, which is used to encrypt their communication (but not for authentication). This session key is used in conjunction with a chosen block cipher (typically AES, 3DES) to encrypt all further communications The server sends the client a list of acceptable forms of authentication, which the client will try in sequence. ◦ Password based authentication ◦ Public-key authentication method ◦ ◦ ◦ Client sends the server its public key The server then checks if this key is stored in its list of authorized keys. If so, the server encrypts a challenge using the client’s public key and sends it to the client The client decrypts the challenge with its private key and responds to the server, proving its identity
  • 33.
  • 34.
  • 35.
Content Filters
A content filter is a software program or hardware/software appliance that allows administrators to restrict the content that comes into or leaves a network. Essentially it is a set of scripts or programs that restricts user access to certain networking protocols or Internet locations. Its primary purpose is to restrict internal access to external material; the most common content filters block users from accessing non-business Web sites or deny incoming spam.
Protecting Remote Connections
Installing internetwork connections requires leased lines or other data channels; these connections are usually secured under the requirements of a formal service agreement. When individuals seek to connect to an organization's network, a more flexible option must be provided. Options such as virtual private networks (VPNs) have become more popular with the spread of the Internet.
VPN
Virtual private networking (VPN) is a technology that allows private networks to be safely extended over long physical distances by using a public network, such as the Internet, as a means of transport. A VPN provides data confidentiality, integrity, and authentication despite the use of an untrusted network for transmission.
◦ Private and secure network connection between systems; uses the data communication capability of an unsecured, public network
◦ Securely extends an organization's internal network connections to remote locations
◦ Three VPN technologies are defined:
  ◦ Trusted VPN
  ◦ Secure VPN
  ◦ Hybrid VPN (combines trusted and secure)
VPN Transport Mode
◦ The data within the IP packet are encrypted, but the IP header is not; this lets a user establish a secure link directly with a remote host, encrypting only the data contents of each packet. Because the original header stays in the clear, an eavesdropper still learns the true source and destination addresses.
◦ Two popular uses:
  ◦ End-to-end transport of encrypted data
  ◦ A remote-access worker connects to an office network over the Internet by connecting to a VPN server on the perimeter
VPN Tunnel Mode
◦ Establishes two perimeter tunnel servers that encrypt all traffic that will traverse an unsecured network
◦ The entire client packet, header included, is encrypted and carried as the data portion of a new packet sent from one tunneling server to the other
◦ The primary benefit of this model is that an intercepted packet reveals nothing about the true destination system; the only addresses visible on the unsecured network are those of the two tunnel servers
◦ Example of a tunnel-mode VPN: Microsoft's Internet Security and Acceleration (ISA) Server
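The practical difference between the two modes is what an eavesdropper on the untrusted network can still read from the outer header. The following is an added illustration, not code from the slides or from the Whitman and Mattord textbook: a simplified IPv4-like header (source, destination, protocol, length) stands in for a real IP/ESP encoding, and a demonstration encrypt-then-MAC construction built from HMAC-SHA256 stands in for the AES-based suite a real VPN negotiates. The addresses (10.0.0.x hosts, 203.0.113.1 and 198.51.100.1 as gateways), the key and the payload are constructed for the example.

```python
"""Transport mode vs tunnel mode: what a passive observer still learns.

Added example, not from the page. Simplified header, demonstration cipher.
"""
import hashlib
import hmac
import os
import struct

HDR = struct.Struct("!4s4sBH")  # src addr, dst addr, protocol, payload length
PROTO_TCP = 6
PROTO_ESP = 50  # the real IP protocol number for ESP; here only a marker
NONCE_LEN, TAG_LEN = 12, 32


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_packet(src, dst, proto, payload):
    return HDR.pack(ip_bytes(src), ip_bytes(dst), proto, len(payload)) + payload


def parse_header(pkt):
    src, dst, proto, length = HDR.unpack_from(pkt)
    return ip_str(src), ip_str(dst), proto, length


def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a demonstration PRF stream, NOT a production cipher.
    blocks, ctr = [], 0
    while sum(len(b) for b in blocks) < n:
        blocks.append(hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:n]


def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: packet modified in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def transport_mode(key, pkt):
    """Transport mode: the original header stays in the clear, only the payload is sealed."""
    src, dst, proto, _ = parse_header(pkt)
    inner = bytes([proto]) + pkt[HDR.size:]  # carry the real protocol inside the ciphertext
    return build_packet(src, dst, PROTO_ESP, seal(key, inner))


def transport_decap(key, pkt):
    src, dst, _, _ = parse_header(pkt)
    inner = unseal(key, pkt[HDR.size:])
    return build_packet(src, dst, inner[0], inner[1:])


def tunnel_mode(key, pkt, gw_src, gw_dst):
    """Tunnel mode: the whole original packet is sealed inside a gateway-to-gateway packet."""
    return build_packet(gw_src, gw_dst, PROTO_ESP, seal(key, pkt))


def tunnel_decap(key, pkt):
    return unseal(key, pkt[HDR.size:])


def eavesdropper_view(pkt):
    """What a passive observer on the untrusted network learns from the outer header."""
    src, dst, proto, _ = parse_header(pkt)
    return {"src": src, "dst": dst, "proto": proto}


def tamper_detected(key, pkt):
    """Flip one ciphertext bit and confirm the receiving gateway refuses the packet."""
    bad = bytearray(pkt)
    bad[HDR.size + NONCE_LEN] ^= 0x01
    try:
        tunnel_decap(key, bytes(bad))
    except ValueError:
        return True
    return False


# Constructed sample: one session key and one inner packet (not real traffic).
KEY = hashlib.sha256(b"demo session key").digest()
ORIGINAL = build_packet("10.0.0.5", "10.0.0.20", PROTO_TCP, b"GET /payroll HTTP/1.1")

if __name__ == "__main__":
    t = transport_mode(KEY, ORIGINAL)
    u = tunnel_mode(KEY, ORIGINAL, "203.0.113.1", "198.51.100.1")
    print("transport mode, sniffer sees:", eavesdropper_view(t))
    print("tunnel mode, sniffer sees:   ", eavesdropper_view(u))
    print("round trip ok:", transport_decap(KEY, t) == ORIGINAL == tunnel_decap(KEY, u))
```

Run it and compare the two `eavesdropper_view` lines: in transport mode the sniffer still sees 10.0.0.5 talking to 10.0.0.20, while in tunnel mode it sees only the two gateway addresses. The MAC check in `unseal` is what gives the integrity guarantee the VPN slide promises; without it an attacker on the path could flip ciphertext bits undetected.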
Introduction
Intrusion
◦ Actions aimed at compromising the security of the target (the confidentiality, integrity, or availability of computing/networking resources)
Intrusion detection
◦ The identification of intrusion activities (by matching intrusion signatures or by spotting anomalous behaviour) and the reporting of them
Intrusion prevention
◦ The process of both detecting intrusion activities and managing automatic responsive actions throughout the network
IDS Components
The IDS manager compiles data from the IDS sensors to determine whether an intrusion has occurred. If the IDS manager detects an intrusion, it sounds an alarm.

[Figure: IDS deployment. The Untrusted Internet connects through a router and a firewall to the internal routers; IDS sensors sit on the network segments and report to the IDS Manager.]
Possible Alarm Outcomes
An alarm can be sounded (positive) or not sounded (negative), and an intrusion attack may or may not actually be under way:

                      Intrusion Attack                       No Intrusion Attack
  Alarm Sounded       True Positive                          False Positive (bad: rejects normal activity)
  No Alarm Sounded    False Negative (bad: misses the attack) True Negative
Types of Intrusion Detection Systems
Rule-Based Intrusion Detection
◦ Rules and signatures identify the types of actions that match known profiles of an intrusion attack
◦ The alarm raised can indicate which attack triggered it
◦ Problem: cannot deal with unknown attacks
Statistical Intrusion Detection
◦ Builds a statistical representation (profile) of the typical ways a user acts or a host is used
◦ Determines when a user or host is acting in highly unusual, anomalous ways
◦ Raises an alarm when a user or host deviates significantly from the stored profile for that person or machine
◦ Problem: high false positive rate, and cannot tell which attack triggered the alarm
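To see both detector types and the alarm-outcome table in action, here is an added example, not code from the slides or the textbook: a rule-based detector with three constructed signatures and a statistical detector with a constructed per-host request-rate profile are run over a constructed web access log whose entries are labelled as attack or benign, and each detector's alarms are tallied into TP / FP / FN / TN. The log entries, the signatures, the baseline counts and the z-score threshold of 3 are all assumptions made for the demonstration.

```python
"""Rule-based vs statistical intrusion detection, scored with the alarm-outcome table.

Added example, not from the page. All log data, signatures and profiles are constructed.
"""
import re
import statistics
from collections import Counter

# Constructed access log: (source host, request line, labelled as attack?)
LOG = (
    [("10.1.1.7", "GET " + p, False) for p in ("/index.html", "/about.html", "/contact.html")]
    + [("10.1.1.9", "GET /login?user=admin'%20OR%20'1'='1", True),
       ("10.1.1.9", "GET /../../etc/passwd", True),
       ("10.1.1.12", "GET /cgi-bin/ping?host=;cat%20/etc/shadow", True)]
    # Scanner probing for admin panels: each request on its own looks harmless.
    + [("10.1.1.33", "GET " + p, True) for p in (
        "/admin/", "/phpmyadmin/", "/wp-login.php", "/.env",
        "/.git/config", "/backup.zip", "/server-status", "/manager/html")]
    # Busy but legitimate shopper.
    + [("10.1.1.50", "GET " + p, False) for p in (
        "/index.html", "/products", "/products/1", "/products/2", "/cart", "/checkout", "/orders")]
    # Traversal hidden with URL encoding: evades the plain '../' signature.
    + [("10.1.1.60", "GET /download?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd", True)]
)

# Rule-based: known attack patterns (constructed and deliberately simple).
SIGNATURES = {
    "sql-injection": re.compile(r"'(?:%20|\s)*or(?:%20|\s)*'?1'?\s*=", re.I),
    "path-traversal": re.compile(r"\.\./"),
    "command-injection": re.compile(r"[;|`]\s*(?:cat|ls|id|wget|curl)\b", re.I),
}

# Statistical: requests per host observed during a quiet baseline period (constructed).
BASELINE = [3, 4, 2, 5, 3, 4, 3, 4]


def rule_based(request):
    """Name of the first signature that matches, or None. Can say *which* attack it saw."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(request):
            return name
    return None


def build_profile(counts):
    return statistics.mean(counts), statistics.pstdev(counts)


def statistical(log, profile, z_threshold=3.0):
    """Hosts whose request count exceeds the profile by more than z_threshold sigmas.
    Flags what is unusual, but cannot say what the attack is."""
    mean, sd = profile
    per_host = Counter(host for host, _, _ in log)
    return {host for host, n in per_host.items() if (n - mean) / sd > z_threshold}


def score(alarms, labels):
    """Tally the alarm-outcome table: (alarm?, attack?) -> TP / FP / FN / TN."""
    names = {(True, True): "TP", (True, False): "FP", (False, True): "FN", (False, False): "TN"}
    tally = Counter(names[(a, l)] for a, l in zip(alarms, labels))
    return {k: tally.get(k, 0) for k in ("TP", "FP", "FN", "TN")}


def evaluate(log=LOG, baseline=BASELINE):
    labels = [attack for _, _, attack in log]
    rule_alarms = [rule_based(req) is not None for _, req, _ in log]
    noisy_hosts = statistical(log, build_profile(baseline))
    stat_alarms = [host in noisy_hosts for host, _, _ in log]
    return {"rule_based": score(rule_alarms, labels), "statistical": score(stat_alarms, labels)}


if __name__ == "__main__":
    for detector, table in evaluate().items():
        print(f"{detector:12s} {table}")
```

The tallies show each slide's "Problem" line concretely: the rule-based detector never raises a false alarm and names the attack it matched, but misses the scanner and the encoded traversal (nine false negatives) because no signature covers them; the statistical detector catches the scanner's eight requests purely from the host's abnormal rate, but also fires on the busy shopper (seven false positives) and still misses the low-volume attacks.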
Port Scanning
Purpose: attackers need to know where a potential target is and which services it exposes.
◦ TCP (connect) scan: use the OS socket calls to check whether a TCP connection can be set up to the target machine on each port of interest. Because the full three-way handshake completes, the attempt is visible to the application listening on the port and is typically logged.
  ◦ Example scanner: nmap (nmap -sT performs a connect scan)
  ◦ See how nmap works on the department eustis machine!
◦ SYN scan: a low-level TCP program sends out a SYN packet without intending to finish the TCP connection setup. On receiving SYN/ACK (port open) it issues a RST packet to tear the half-open connection down; a RST in reply means the port is closed. Crafting raw SYN packets requires raw-socket privileges (root or administrator); nmap -sS performs this scan.
Port Scanning
Two port-scanning modes:
◦ Vertical scan: target numerous destination ports on a single host (e.g., a default nmap scan of one host); typical of an attacker conducting reconnaissance before the real attack
◦ Horizontal scan: target the same port on many hosts, effectively looking for a specific vulnerability (e.g., a worm searching for hosts that run a vulnerable service)
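From the defender's side, the two modes and the two scan techniques above leave different footprints in connection records. The following is an added example, not code from the slides or the textbook: given flow records of the form (source, destination, destination port, handshake result), it labels each source as a vertical or horizontal scanner by its fan-out, and as a half-open (SYN) or connect scanner by whether the handshakes to open ports completed or were reset. The records are constructed (roughly what `nmap -sS 10.0.0.5` and `nmap -sT -p 445 10.0.0.0/24` would leave behind); the `min_targets` threshold of 10 is an assumption.

```python
"""Classify port-scan behaviour from connection records.

Added example, not from the page. Flow records are constructed; in practice they
would come from firewall logs, NetFlow or a packet capture.
Each record is (src, dst, dport, result), where result is one of
  'syn-rst'  target answered SYN/ACK and the source replied RST (half-open scan)
  'connect'  the full three-way handshake completed
  'closed'   the target answered with RST (port closed)
"""
from collections import defaultdict


def sample_flows():
    """Constructed flow records (not a real capture)."""
    flows = []
    # Vertical half-open scan: one source, one target, many ports.
    open_on_target = {22, 80, 443}
    for port in (21, 22, 23, 25, 80, 110, 143, 443, 3306, 8080):
        flows.append(("198.51.100.7", "10.0.0.5", port,
                      "syn-rst" if port in open_on_target else "closed"))
    # Horizontal connect scan: one source, many targets, one port (445/SMB).
    for i in range(1, 13):
        flows.append(("198.51.100.9", f"10.0.0.{i}", 445,
                      "connect" if i in (3, 7, 11) else "closed"))
    # Ordinary client: a few completed connections to a few services.
    flows += [("10.0.0.50", "10.0.0.5", 443, "connect"),
              ("10.0.0.50", "10.0.0.5", 443, "connect"),
              ("10.0.0.50", "10.0.0.6", 80, "connect")]
    return flows


def classify_sources(flows, min_targets=10):
    """Return {src: (mode, technique)} for sources whose fan-out looks like a scan.

    mode:      'vertical' (many ports on few hosts) or 'horizontal' (one port on many hosts)
    technique: 'syn' if open ports were mostly answered with RST after SYN/ACK,
               'connect' if the handshakes completed, 'unknown' if no open port was hit
    """
    by_src = defaultdict(list)
    for src, dst, dport, result in flows:
        by_src[src].append((dst, dport, result))
    verdicts = {}
    for src, recs in by_src.items():
        hosts = {dst for dst, _, _ in recs}
        ports = {dport for _, dport, _ in recs}
        if len(ports) >= min_targets and len(ports) > len(hosts):
            mode = "vertical"
        elif len(hosts) >= min_targets and len(hosts) > len(ports):
            mode = "horizontal"
        else:
            continue  # fan-out too small to call it a scan
        opens = [r for _, _, r in recs if r != "closed"]
        if not opens:
            technique = "unknown"
        else:
            technique = "syn" if opens.count("syn-rst") * 2 > len(opens) else "connect"
        verdicts[src] = (mode, technique)
    return verdicts


if __name__ == "__main__":
    for src, (mode, technique) in classify_sources(sample_flows()).items():
        print(f"{src:15s} {mode:10s} {technique}")
```

The fan-out test is what separates a scan from a busy client: the shopper in the sample touches two hosts on two ports and is left alone. A real detector would also window the records in time, since a slow scan spread over hours keeps its per-window fan-out under any fixed threshold.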
Reference
Whitman, M. & Mattord, H. (2018). Principles of Information Security, 6th Edition.