Security Policy Project Thesis
REGIS UNIVERSITY
Academic Research Network Security Policy
Project Thesis
By:
Madhu Akkihebbal Networking Team, SEAD-2005A MSCIT Program
Project Advisor: Daniel Likarish
June 28, 2005
Madhu Akkihebbal 1
Certificate of Authorship
I hereby certify that all material presented in this paper is a result of my own research
from various sources such as white papers, research papers, product materials, and
presentation articles.
All the reference material has been listed in the section 'Bibliography', and I am
thankful to the various authors and subject matter experts for sharing their findings and
knowledge through their papers and other publications.
Name: Madhu Akkihebbal    Signature: ____________    Date: ____________
Acknowledgements
First, I would like to fervently thank My Lord & Almighty for giving me the strength to take up this Masters Degree course and complete it.
My wife, Sumana Madhu - your encouragement and support enabled me to pursue this program.
My 7-year-old son, Shashank Madhu – you cooperated throughout the course and cheered me towards completion. I owe you a big one!
My parents, Mangala and AnanthRamiah Akkihebbal - your blessings and sacrifice helped me reach my goal in life.
My Advisor, Dan Likarish – your timely guidance and support helped me in this project work.
Advisor Approval Page
Regis University, School for Professional Studies, MSCIT Program
Student’s Name: ___________________________
Professional Project Title: ____________________
Advisor’s Declaration: I have advised this student through the Professional Project Process and approve of the final document as acceptable to be submitted as fulfillment of requirements for the MSC 696A, 696B and 696C courses. The student has received project approval from Advisory Board and has followed due process in the completion of the project and subsequent documentation.
ADVISOR
Name Signature Date
Project Paper Revision History
Version 1.0 Draft A, submitted 27 March 2005: Initial Draft for Review
Version 2.0, submitted 18 May 2005:
- Updated with comments from Dan
- Modified the title of the project paper to reflect the research focus: Security Policy
- Added a section on the evaluation of Cisco PIX 501 (Appendix B)
- Added a section on 'Brief History of Firewall Implementations in the RU ARN'
Version 3.0, submitted 04 June 2005, revised 18 June to 27 June 2005:
- Security Policy Framework introduced.
- Added new sections related to Security Policy.
- Paper Finalization.
Table Of Contents:
Project Thesis .......................................... 1
Certificate of Authorship ............................... 2
Acknowledgements ........................................ 3
Advisor Approval Page ................................... 4
Project Paper Revision History .......................... 5
Abstract ................................................ 8
Security Requirements ................................... 9
The Background: ARN Network Elements ................... 10
Firewalls in the Security Apparatus .................... 10
Firewall Basics ........................................ 11
    Packet Filter Firewalls ............................ 12
    Stateful Inspection Firewalls ...................... 13
    Application-Proxy Gateway Firewalls ................ 14
    Dedicated Proxy Servers ............................ 15
    Hybrid Firewall Technologies ....................... 15
    Network Address Translation ........................ 16
    Virtual Private Networks ........................... 16
    Intrusion Detection Systems ........................ 17
Guidelines To Build RU ARN Firewall Environment ........ 19
RU ARN Security Policy -- The Framework ................ 21
ARN Security Policy: The Details ....................... 26
    Policy Document .................................... 26
    ARN User Awareness and Education ................... 26
    Policy Enforcement ................................. 27
    Physical Security .................................. 27
    Legitimate Users and Threat Perceptions ............ 27
    High Availability of Systems and Services .......... 28
    Layered Security: Defense-in-Depth ................. 31
    ARN User Responsibility ............................ 32
    ARN Security: Future Considerations ................ 33
Brief History of Firewall Implementations in the RU ARN  38
    Selection of Firewalls ............................. 39
SonicWALL Firewalls .................................... 39
Acronyms ............................................... 44
Bibliography ........................................... 45
Appendix A ............................................. 48
    An Evaluation of CISCO PIX 501 ..................... 48
List Of Figures
Figure 1. The OSI Model ................................ 12
Figure 2. A VPN / Firewall Server in the Network ....... 17
Figure 3. High Level ARN Architecture Diagram .......... 42
Figure 4. ARN Architecture Diagram with PIX 501 ........ 43
List Of Tables
Table 1. Components of Security Policy ................. 20
Abstract
Regis University Networking Lab Practicum 2005A is a continuation of the practicum
work from the previous years. New teams have taken up the positions in order to
continue the research, design and implementation. The Networking group has a specific
mandate, of which Firewall implementation is a critical component.
Firewalls are computer security facilities used to control or restrict network connectivity;
they are used to enforce a security policy, and are typically placed between networks with
different security needs. However, it is critical to note that firewalls by themselves do
not guarantee complete network and data security. Additional mechanisms must be
employed along with Firewalls.
This paper highlights the expectations and a high-level plan to achieve those goals.
During the course of the project, its scope has extended: the paper discusses the
ARN Security Policy Framework in general, some concrete ideas for pursuing
implementation of the policy in the near term, and some details on firewalls.
Action points for future consideration are also covered.
Security Requirements
RU ARN serves a growing academic community. It is vital for Regis’ daily activities.
Thus, security is one of the foremost concerns being addressed as part of the Networking
team activities in the SEAD program.
Apart from threats like viruses, crackers, hackers and intruders, and attacks like
Denial of Service (DoS), it is also important to guard against "Passive Information
Gathering". This is reconnaissance built from unintentional information leakage (public
DNS records, web pages, documentation, job postings and the like), and the perpetrator
may never directly come in contact with ARN servers. Depending upon the source of the
leakage, the information may reveal the components used within the ARN physical
infrastructure, the management processes in place, or the operational personnel
organization structure. The extent of such leakage can be measured with "Penetration
Testing" (also called pentesting), whose active probing phase is a part of ethical
hacking and is required to evaluate an organization's current security status. Note the
asymmetry: active probing is easily identified in the firewall and IDS log files,
whereas passive gathering leaves no trace in them, which is why limiting what ARN
publishes about itself is the primary control against it.
NOTE: It is important to understand that ARN is physically separate from Regis Net that
stores all confidential and student information.
ARN may want to adopt such proactive techniques at some point after the current
plans for network implementation are in place. For the moment, the primary objective of
this project is to come up with a security policy framework that is relevant for ARN users
and environment, along with a special focus on the new SonicWALL firewall.
The Background: ARN Network Elements
The following sections give a technical introduction to the various network elements of
ARN such as firewalls, VPN, IDS, etc.
Firewalls in the Security Apparatus
As per one school of thought, firewalls are among the most important security
considerations in the network security area, the other essential security features being
Secure Sockets Layer (SSL) with encryption, antivirus software, smart cards with one-
time passwords, Java security mechanisms (a relatively newer approach) and the new
Intrusion Prevention Systems. Still, network security continues to attract academic
research interest as well as industry and government funding, mainly due to
ever-changing security requirements and continuous improvements in proven
technologies. The latest threats include (but are not limited to) adware, malware and
spyware. These kinds of software usually get installed on PCs without the knowledge of
the users. They can collect personal information, cause more pop-ups and/or create a
profile of browsing habits, log keystrokes, and send the data to a remote server. They
can also damage the system or cause unwanted network traffic.
As more nodes are connected via the Internet, attacks on network protocols and host
vulnerabilities have also increased, and firewalls have emerged as an effective
countermeasure.
For the SEAD purpose, SonicWALL firewall products have been chosen to replace
and supplement the existing firewall mechanisms in the RU ARN. It is important to note
that firewalls alone do not secure a network. We looked at a few emerging threats
above, and some of them (spyware reporting to a remote server over ordinary outbound
HTTP, for instance) pass through a perimeter firewall as permitted traffic. In order to
secure RU ARN, we must adopt "Defense-in-Depth" as a policy such that the risk is
managed with multiple defensive strategies.
Firewall Basics
Before we embark on evaluating steps to implement a reliable security policy for
ARN, let us briefly explore some of the basic firewall types. Basic firewalls operate
on a small number of OSI layers [refer to Figure 1]; more advanced firewalls cover
more layers. Firewalls capable of examining a larger number of layers are more thorough
and effective. Additional layer coverage also increases the configuration granularity
available in the firewall, and layer awareness allows the firewall to accommodate
advanced applications and protocols. Increasing the layers a firewall can examine also
allows the firewall to provide services that are very user-oriented, such as user
authentication. The following diagram provides a high-level view of the 7 layers of the
OSI model as they are used in this discussion.
Figure 1: The OSI Model
7. Application [HTTP, FTP, DNS, e-mail, Web applications]
6. Presentation [data encoding; encryption is commonly modelled here]
5. Session [session establishment and teardown]
4. Transport [TCP, UDP; port numbers such as 23 (telnet) and 80 (HTTP)]
3. Network [IP v4 and v6]
2. Data Link [SLIP, PPP, Ethernet]
1. Physical [Coax, RS-232, CAT-5]
Modern firewalls operate at four of these layers: Layers 2, 3, 4 and 7. The following
discussion describes the various types of firewalls and their merits.
discussion describes the various types of firewalls and their merits.
Packet Filter Firewalls
The most basic, fundamental type of firewall is called a packet filter. Packet filter
firewalls are essentially routing devices that include access control functionality for
system addresses and communication sessions [Ref.: Wack, J., Cutler, K. & Pole, J [6]].
The access control functionality of a packet filter firewall is governed by a set of
directives collectively referred to as a rule set. A packet filter decides on the Layer 2
and Layer 3 header fields of each packet in isolation (addresses and protocol type),
keeping no record of the connection a packet belongs to. Due to the nature of the
functionality offered, packet filter firewalls have some limitations, such as:
- The logs offer no useful information other than source address, destination
address, and traffic type.
- No support for advanced user-authentication schemes.
- Vulnerable to attacks and exploits that take advantage of problems within the
TCP/IP specification and protocol stack, such as network layer address spoofing.
- Susceptible to security breaches caused by improper configurations.
Stateful Inspection Firewalls
Stateful inspection firewalls are packet filters that incorporate added awareness of the
OSI model data at Layer 4 [Ref.: Wack, J., Cutler, K. & Pole, J [6]]. Stateful inspection
evolved from the need to accommodate certain features of the TCP/IP protocol suite that
make firewall deployment difficult. When a TCP (connection-oriented transport)
application opens a session with a remote host system, the source system allocates a port
for the purpose of receiving the return traffic from the destination system. This client
source port is an ephemeral port above 1023; the exact range depends on the operating
system (the IANA dynamic range is 49152 to 65535). A stateless packet filter can only
admit those replies by opening every high-numbered port on the inside to external
access. The stateful inspection solution is more secure because the firewall records
each outbound connection in a state table and admits an inbound packet only when it
matches an existing entry, tracking client ports individually rather than opening all
high-numbered ports for external access.
In essence, stateful inspection firewalls add Layer 4 awareness to the standard packet
filter architecture. Stateful inspection firewalls share the strengths and weaknesses of
packet filter firewalls, but due to the state table implementation, stateful inspection
firewalls are generally considered to be more secure than packet filter firewalls.
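The difference between opening all high-numbered ports and tracking client ports individually can be shown in code. The following Python is an added example; it is not code from this thesis, from SonicWALL or from the NIST publication. The rule syntax, the assumed internal range 10.0.0.0/8 and the three packets are constructed. The stateless rule set has to admit any inbound packet to a high port on an inside host, so an unsolicited probe to the client's port passes; the stateful filter keeps only the outbound rule, records the connection it opened and admits nothing else.

```python
"""Stateless packet filtering versus stateful inspection, simulated.

Added example for this thesis; not SonicWALL code and not from NIST SP 800-41.
The rule syntax, the assumed internal range 10.0.0.0/8 and the packets are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")      # assumed ARN internal address range

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False                  # True for the packet that opens a TCP connection

@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    direction: str                     # "out" (inside to Internet) or "in"
    src: str                           # CIDR; "0.0.0.0/0" means any
    dst: str
    dports: range                      # destination port range

def direction(p):
    return "out" if ip_address(p.src) in INSIDE else "in"

def first_match(rules, p, default="deny"):
    """Sequential first-match evaluation with a default-deny policy."""
    for r in rules:
        if (r.direction == direction(p)
                and ip_address(p.src) in ip_network(r.src)
                and ip_address(p.dst) in ip_network(r.dst)
                and p.dport in r.dports):
            return r.action
    return default

# A stateless filter sees each packet on its own. To let the replies to
# outbound web sessions back in, it has to open every high port on every
# inside host to the whole Internet (second rule).
STATELESS_RULES = [
    Rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0", range(80, 81)),
    Rule("allow", "in", "0.0.0.0/0", "10.0.0.0/8", range(1024, 65536)),
]

# A stateful filter needs only the outbound rule; replies are admitted
# because the outbound connection was recorded in the state table.
STATEFUL_RULES = [Rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0", range(80, 81))]

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.table = set()             # (client, client_port, server, server_port)

    def check(self, p):
        if (p.dst, p.dport, p.src, p.sport) in self.table:
            return "allow"             # reply to a connection opened from inside
        if not p.syn:
            return "deny"              # neither a reply nor a connection attempt
        verdict = first_match(self.rules, p)
        if verdict == "allow":
            self.table.add((p.src, p.sport, p.dst, p.dport))
        return verdict

def demo():
    """Verdicts for a web request, its reply, and an unsolicited probe to the
    same client port, under both filters."""
    request = Packet("10.1.2.3", 3456, "203.0.113.10", 80, syn=True)
    reply = Packet("203.0.113.10", 80, "10.1.2.3", 3456)
    probe = Packet("198.51.100.7", 40000, "10.1.2.3", 3456, syn=True)
    sf = StatefulFilter(STATEFUL_RULES)
    return {
        "stateless": tuple(first_match(STATELESS_RULES, p) for p in (request, reply, probe)),
        "stateful": tuple(sf.check(p) for p in (request, reply, probe)),
    }

if __name__ == "__main__":
    print(demo())
```

The stateless filter returns allow for all three packets, including the probe, because its second rule is the price of letting replies through; the stateful filter allows the request and its reply and denies the probe, which matches no state-table entry and no inbound rule.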
Application-Proxy Gateway Firewalls
Application-Proxy Gateway firewalls are advanced firewalls that combine lower layer
access control with upper layer (Layer 7, Application Layer) functionality [Ref.: Wack,
J., Cutler, K. & Pole, J [6]].
Application-proxy gateway firewalls do not require a Layer 3 (Network Layer) route
between the inside and outside interfaces of the firewall; the firewall software performs
the routing. In the event the application-proxy gateway software ceases to function, the
firewall system is unable to pass network packets through the firewall system. All
network packets that traverse the firewall must do so under software (application-proxy)
control.
Application-proxy gateway firewalls have numerous advantages over packet filter
firewalls and stateful inspection packet filter firewalls. First, application-proxy gateway
firewalls usually have more extensive logging capabilities due to the firewall being able
to examine the entire network packet rather than just the network addresses and ports.
Another advantage is that application-proxy gateway firewalls allow security
administrators to enforce whatever type of user authentication is deemed appropriate for a
given enterprise infrastructure. Application-proxy gateways are capable of authenticating
users directly, as opposed to packet filter firewalls and stateful inspection packet filter
firewalls which normally authenticate users based on the network layer address of the
system they reside on. Finally, given that application-proxy gateway firewalls are not
simply Layer 3 devices, they can be made less vulnerable to address spoofing attacks.
Dedicated Proxy Servers
Dedicated proxy servers differ from application-proxy gateway firewalls in that they
retain proxy control of traffic but they do not contain firewall capability. They are
typically deployed behind traditional firewall platforms for this reason. In typical use, a
main firewall might accept inbound traffic; determine which application is being targeted,
and then hand off the traffic to the appropriate proxy server, e.g., an email proxy server.
The proxy server typically would perform filtering or logging operations on the traffic
and then forward it to internal systems.
Hybrid Firewall Technologies
Recent advances in network infrastructure engineering and information security have
caused a blurring of the lines that differentiate the various firewall platforms discussed
earlier. As a result of these advances, firewall products currently incorporate functionality
from several different classifications of firewall platforms. For example, many
Application-Proxy Gateway firewall vendors have implemented basic packet filter
functionality in order to provide better support for UDP (User Datagram) based
applications. Likewise, many packet filter or stateful inspection packet filter firewall
vendors have implemented basic application-proxy functionality to offset some of the
weaknesses associated with their firewall platform. In most cases, packet filter or stateful
inspection packet filter firewall vendors implement application proxies to provide
improved network traffic logging and user authentication in their firewalls.
Network Address Translation
Network Address Translation (NAT) technology was developed in response to two
major issues in network engineering and security. First, network address translation is an
effective tool for hiding the network-addressing scheme present behind a firewall
environment. In essence, network address translation allows an organization to deploy an
addressing scheme of its choosing behind a firewall, while still maintaining the ability to
connect to external resources through the firewall. Second, the depletion of the IPv4
address space has caused organizations to number internal hosts from the private
(non-routable) address blocks reserved by RFC 1918 (10.0.0.0/8, 172.16.0.0/12 and
192.168.0.0/16) and to use NAT to map them onto a smaller set of public addresses.
Hiding addresses is not access control, however: NAT complements the filtering rules of
a firewall rather than replacing them.
Virtual Private Networks
Another valuable use for firewalls and firewall environments is the construction of
Virtual Private Networks (VPNs). A virtual private network is constructed on top of
existing network media and protocols by using additional protocols and, usually,
encryption. If the VPN is encrypted, it can be used as an extension of the inner, protected
network. The remote endpoint then inherits the trust of the inside network, so its own
state (patching, antivirus, who else is using it) matters as much as the tunnel itself.
In most cases, virtual private networks are used to provide secure network links across
networks that are not trusted. For example, virtual private network technology is
increasingly used to provide remote user access to organizational networks
via the global Internet.
Fig. 2: A VPN / Firewall Appliance in the Network [Diagram reproduced from Page 24 of Bibliography item 6 - NIST Publication]
Intrusion Detection Systems
Intrusion Detection Systems (IDS) are designed to notify and in some cases prevent
unauthorized access to a networked system or resource. Many intrusion detection systems
are also capable of interacting with firewalls in order to bring a reactive element to the
provision of network security services. Firewalls that interact with intrusion detection
systems are capable of responding to perceived remote threats automatically, without the
delays associated with a human response. For example, if an intrusion detection system
detects a denial-of-service attack in progress, it can instruct certain firewalls to
automatically block the source of the attack (albeit, false positives responses can occur).
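The active probing mentioned under Security Requirements (visible in firewall and IDS log files) and the IDS-to-firewall reaction described above, including its false-positive problem, can be demonstrated on firewall log lines. The following Python is an added example, not part of the thesis and not SonicWALL, NetIQ or OPNET code; the log line format, the addresses and the allowlist naming an "authorised scanner" are constructed assumptions. It parses the constructed lines, flags any source that touches many distinct ports on one host within a short window, and turns the detections into block decisions while exempting known-good sources, so that an automatic response does not knock out the lab's own scanner.

```python
"""Port-scan detection over firewall log lines with an allowlist to limit
false-positive blocking.

Added example for this thesis; not SonicWALL, NetIQ or OPNET code. The log
line format, addresses and allowlist below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> fw <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>drop|allow) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445]

def _line(ts, action, src, sport, dst, dport):
    return f"{ts} fw {action} tcp {src}:{sport} -> {dst}:{dport}"

# Constructed sample: an outside host sweeps ten ports on 10.1.2.3 within
# five seconds; the lab's own authorised scanner does the same an hour later;
# one ordinary client opens two connections minutes apart; one line is junk.
SAMPLE_LOG = "\n".join(
    [_line(f"2005-06-20T10:00:{i // 2:02d}", "drop", "198.51.100.7", 40000 + i, "10.1.2.3", p)
     for i, p in enumerate(SCAN_PORTS)]
    + [_line(f"2005-06-20T11:00:{i // 2:02d}", "drop", "203.0.113.5", 50000 + i, "10.1.2.3", p)
       for i, p in enumerate(SCAN_PORTS)]
    + [_line("2005-06-20T10:00:30", "allow", "192.0.2.9", 51000, "10.1.2.3", 80),
       _line("2005-06-20T10:05:00", "drop", "192.0.2.9", 51001, "10.1.2.3", 8080),
       "this line is deliberately malformed and must be skipped"]
)

ALLOWLIST = {"203.0.113.5"}   # assumed: the ARN's own vulnerability scanner

def parse(log):
    """Return (timestamp, src, dst, dport) tuples; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events

def detect_scans(events, threshold=8, window=timedelta(seconds=60)):
    """Map each scanning source to the largest number of distinct destination
    ports it touched on a single host within any `window`-long period."""
    per_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        per_pair[(src, dst)].append((ts, dport))
    hits = {}
    for (src, dst), evs in per_pair.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1            # slide the window forward in time
            distinct = len({p for _, p in evs[start:end + 1]})
            if distinct >= threshold:
                hits[src] = max(hits.get(src, 0), distinct)
    return hits

def block_decisions(hits, allowlist=ALLOWLIST):
    """Turn detections into firewall actions. Allowlisted sources are reported
    but not blocked; this is where a false positive is kept from doing harm."""
    return {src: ("report only" if src in allowlist else "block") for src in hits}

if __name__ == "__main__":
    found = detect_scans(parse(SAMPLE_LOG))
    for src, action in block_decisions(found).items():
        print(f"{src}: {found[src]} distinct ports -> {action}")
```

The threshold and window are the tuning knobs: set too low, ordinary clients that open a handful of connections would be blocked; the allowlist handles the sources that legitimately look like scanners no matter how the threshold is set.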
RU ARN has planned to use NETIQ and OPNET (also for modeling and simulation)
products to help in monitoring the network and logging. These are on-going concurrent
projects taken up by other teams; readers are referred to the appropriate documentation
for more details in this regard.
Guidelines To Build RU ARN Firewall Environment
Let us look at a high-level approach to planning and implementing firewalls for ARN. For
starters, the National Institute of Standards and Technology recommends the following rules of thumb:
- Keep it simple
- Use devices as they were intended to be used
- Create defense in depth
- Pay attention to internal threats as well
Based on this, the immediate and on-going objectives for Firewall team are:
1. A clearly defined ARN Security Policy Framework
2. Evaluation and deeper understanding of SonicWALL Firewall products
3. Research and document the dependencies and configuration based on the VPN
components
4. Definition of Firewall controlled network elements and details of configuration and
policies
5. Implementation of Firewall / VPN / IDS entities, etc.
6. Firewall maintenance / upgrade / update plan
7. Documentation and Configuration Management of all phases – configuration, policies,
procedures, upgrades, implementation, etc.
The above form a subset of the security policy requirements. Further details are shown in the
following sections. Different teams of SEAD program handle these tasks on an on-going basis,
upon recommendation of Dan Likarish, Project Lead and Advisor.
RU ARN Security Policy -- The Framework
Foremost importance must be given to the security policy: create a high-level management
policy statement, conduct a systematic analysis of organization assets and business goals,
examine risks, develop an implementation strategy and a crisis management plan, and identify
the security management team that will enforce the policy.
The ARN security policy will be revised and adopted over the next few months; appropriate
documentation will be created and distributed to all stakeholders. This thesis sets the initial tone
for a formal ARN security policy. It is expected that subsequent SEAD projects will work on
implementing the security policy and also update the policy as and when required.
Let us explore the components of a security policy. The table below lists the details
expected in formulating, adopting, implementing and enforcing a formal security policy.
Table 1: Components of ARN Security Policy
Component: Comments
Objectives: What does the ARN business need; what data exists; Regis' rights to systems, data and network.
Security Policy Team: Who are the key team members? IT, security experts, administrators, H.R., Finance, Legal, and top management.
Implementation: Who is responsible to implement it? What is required to implement it and what is the duration? What is acceptable network behavior? What problems arise and how to deal with them?
Communication/Documentation: Details of the policy and implementation. Actions and names assigned to the actions. Command hierarchy. Critical response scenarios.
Education: Train all stakeholders about the policy. Educate the security team and related positions about the policy and the reasoning behind it. Define acceptable behavior, crisis management, change management, and revision policy.
Enforcement: Assign names to actions. Constant monitoring and reporting. Disaster management and recovery. Root cause analysis and accountability.
Review: Living document. Needs and conditions constantly change. Policy must meet new technical challenges and dangers. Review and update regularly.
Generally speaking, a security policy may have to consider many factors, and for a network of
the magnitude of ARN it can easily become an overhead in itself. It is therefore critical to scope the
policy such that the focus is not lost. In summary, the ARN security policy requirements can be
listed as follows:
- Serve as a policy document for the overall ARN security
- Educate the users about the security requirements
- Enforcement of the security policy: people responsible and the steps involved
- Review of ARN status every 6 months against the backdrop of the security policy
- Physical security
- Identify legitimate users (student, teaching community and administration staff) and
allow their access to intended services
- Maintain a virus (and worm, et al.) free network
- Prevent access to hackers, crackers and intruders
- Network/Systems Administration: maintain high availability of all systems and services
- Use of various perimeter and network-wide security measures such as firewalls, IDS, etc.
- Incident response plan: who are the people responsible to act in case of a threat or an
emergency, and what are the necessary actions to be taken by them
- Disaster recovery plan: key steps to be taken by ARN authorities in order to recover
from an incident and ensure critical services for business continuity
- Defense-in-Depth approach for maximum security
- Network configuration management, authorized changes and updates
- Use a DMZ in order to keep critical services from being directly accessible from the
external network
- EULA: no hacking and not trained for hacking
- Consequences of willful compromise of ARN security and threat-mongering
- Future considerations: penetration testing, ethical hacking and Intrusion Prevention
Systems (IPS)
- Constantly evaluate the security policy and modify as necessary
Policy design and specification is more of an art than a science. At the outset, it is expected
that ARN’s current security policies will provide the initial groundwork to enable us to prove
that SonicWall (chosen firewall for ARN) can perform as per the legacy requirements. Later, the
expansion of SonicWall’s abilities will be combined with a revision of the security/firewall
policies.
It must be noted that policy management is a sensitive area, and we must watch for policy
anomalies. For instance, the ordering of filtering rules in a security policy is crucial in determining
the effective firewall policy, because the packet filtering process matches each packet sequentially
against the filtering rules until a match is found. If the filtering rules are independent (completely
disjoint), the ordering of the rules is insignificant. However, it is very common to have filtering rules that
are inter-related. In this case, if the relative rule ordering is not carefully assigned, some rules may
always be screened (shadowed) by other rules, producing an incorrect security policy and action. Moreover,
when a large number of filtering rules exists in a policy, the possibility of writing conflicting or redundant
rules is relatively high. A firewall policy anomaly is defined as the existence of two or more different
filtering rules that match the same packet.
In general, a firewall policy must address the following:
- Access Control
- Assurance: configuration and policy documents
- Availability
- Logging
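The rule-ordering and anomaly problem described above can be checked mechanically before a rule set is loaded. The following Python is an added example; it is not from the thesis and not any firewall vendor's tooling, and the rule syntax and the five sample rules are constructed. It evaluates a packet against a rule set by sequential first match, reports rules that are shadowed (fully covered by an earlier rule with the opposite action, so they never fire) or redundant (fully covered by an earlier rule with the same action), and applies one possible repair, moving each shadowed exception ahead of the rule that hides it.

```python
"""First-match rule evaluation and detection of shadowed or redundant rules.

Added example for this thesis, not vendor tooling. The rule syntax and the
sample rule set are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "allow" or "deny"
    src: str           # CIDR; "0.0.0.0/0" means any
    dst: str
    ports: tuple       # inclusive (low, high) destination port range

def matches(rule, src, dst, port):
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.ports[0] <= port <= rule.ports[1])

def first_match(rules, src, dst, port, default="deny"):
    """Sequential evaluation: the first matching rule decides the packet."""
    for rule in rules:
        if matches(rule, src, dst, port):
            return rule.action
    return default

def covers(outer, inner):
    """True when every packet matching `inner` also matches `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])

def find_anomalies(rules):
    """Return (rule, kind, earlier_rule) for each rule an earlier rule makes
    unreachable: 'shadowed' if the actions differ, 'redundant' if they agree."""
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, kind, earlier.name))
                break      # the first covering rule already decides the packet
    return findings

# Constructed sample. R2 was meant to carve a lab subnet out of R1 but is
# placed after it; R4 was meant to expose one server but sits after a
# catch-all deny; R5 merely repeats part of R3.
RULES = [
    Rule("R1", "allow", "10.0.0.0/8",  "0.0.0.0/0",   (80, 80)),
    Rule("R2", "deny",  "10.1.0.0/16", "0.0.0.0/0",   (80, 80)),
    Rule("R3", "deny",  "0.0.0.0/0",   "10.0.0.0/8",  (1, 65535)),
    Rule("R4", "allow", "0.0.0.0/0",   "10.2.0.5/32", (443, 443)),
    Rule("R5", "deny",  "0.0.0.0/0",   "10.0.0.0/8",  (1, 1023)),
]

def fixed_order(rules):
    """One repair for the sample: move each shadowed rule ahead of the rule
    that shadows it, so the specific exception is evaluated first."""
    order = list(rules)
    for name, kind, blocker in find_anomalies(rules):
        if kind == "shadowed":
            rule = next(r for r in order if r.name == name)
            order.remove(rule)
            order.insert(next(i for i, r in enumerate(order) if r.name == blocker), rule)
    return order

if __name__ == "__main__":
    for finding in find_anomalies(RULES):
        print("%s is %s by %s" % finding)
    print(first_match(RULES, "10.1.5.5", "203.0.113.10", 80))               # R2 never fires
    print(first_match(fixed_order(RULES), "10.1.5.5", "203.0.113.10", 80))  # R2 now decides
```

Shadowing is the dangerous case because the administrator believes a rule is in force when it is not; redundancy only wastes evaluation time and clutters the policy, but it is worth reporting because a later edit to the covering rule silently changes what the redundant rule was supposed to guarantee.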
ARN Security Policy: The Details
Policy Document
This document serves as a preliminary version of the ARN security policy. ARN
management must review and approve it before it is considered an official policy. Having said
that, future SEAD projects have enough scope to pick up some of the action items pointed out in
this document. While some of the concepts noted here (e.g., pen testing, IPS) may not be high
on the ARN priority list, other details such as a formal firewall policy, incident response,
disaster recovery, formal authorities in the ARN hierarchy, legal policies, user awareness and
education, change management, etc. should be addressed as a priority.
ARN User Awareness and Education
ARN security and high-availability is very important to the users and Regis University
business and educational services. In this situation, it is necessary to reach out to all the users
and educate them about the various risks to ARN and how we can all help to maintain secure
network and services.
Since the majority of ARN users will be the student community, appropriate measures must be
taken to educate them and other users of the need to adopt and follow security procedures
strictly. The EULA is another way that some of the security measures will be conveyed to the
users. Announcements on the ARN website, e-mail, etc. may be used to inform users about the rules
and regulations of using ARN. The same channels may be used to convey any major policy changes.
Policy Enforcement
ARN management supervises enforcement of the security policy. This is an ongoing activity that
helps keep up ARN security. Network and system administrators, consultants, students and
staff, that is, all ARN users, are responsible for following the regulations. Policy is enforced
through technical controls such as firewall ACLs, VPN policies, restrictions on data and system
access, password rules and configuration management, and through the consequences defined for
willful violations.
Physical Security
It is critical that ARN physical security is maintained along with network and information
security. Physical resources and assets are key to the business. All the technology-based
controls discussed in this document can be circumvented if an attacker gains physical access to
the devices of concern.
ARN shall take appropriate steps to safeguard the systems and devices such that only
authorized personnel and users can physically access the systems. Secure computer rooms, door
locks, identification badges and smart cards, electronic monitoring are some of the techniques
that ARN may apply to ensure physical security.
Legitimate Users and Threat Perceptions
Threats emanate from various sources. It could be a result of human error or failure.
Deliberate acts such as trespass, information extortion, sabotage, vandalism, theft, espionage
should be guarded against. Obsolete technology cannot help in maintaining network and
information security. There are forces of nature such as fire, flood, earthquake, typhoon, and
electrostatic discharge, which could cause havoc. Attacks take advantage of vulnerabilities to
compromise a controlled system. Some examples of attacks include malicious code, hoaxes,
password crack, brute force, Denial-of-Service (DoS), spoofing, spam, mail bombing, phishing,
sniffers, buffer overflow, timing attack, and social engineering based attacks.
Since ARN users connect from different parts of the world, it is critical to identify legitimate
users. ARN shall use a Single Sign-On (SSO) technique, whereby a single act of user
authentication and authorization permits a user to access all computers and systems where he
has access permission, without the need to enter multiple passwords. Single sign-on reduces
human error, a major component of systems failure, and is therefore highly desirable but difficult
to implement. It also concentrates risk: one compromised credential opens every system the
user may reach, so the SSO credential store and its password rules deserve the strongest
protection. In future, ARN may consider the use of biometric identification systems.
Firewalls and VPNs help keep unwanted, unauthorized traffic out, and an IDS raises an alarm
when suspicious traffic gets through anyway. It is equally important to keep up with the
technology; a simple example is staying up to date on virus definitions. Any number of
regulations and devices will not help if the network and systems fall behind constantly
improving technology.
High Availability of Systems and Services
In order to guarantee high availability of services to the users, network administrators and
managers strive to maintain the network. Most network management architectures use the same
basic structure and set of relationships. End stations (managed devices), such as computer
systems and other network devices, run software that enables them to send alerts when they
recognize problems (for example, when one or more user-determined thresholds are exceeded).
Upon receiving these alerts, management entities are programmed to react by executing one,
several, or a group of actions, including operator notification, event logging, system shutdown,
and automatic attempts at system repair.
Some of the popular network management protocols include the Simple Network
Management Protocol (SNMP) and Common Management Information Protocol (CMIP).
Management proxies are entities that provide management information on behalf of other
entities.
ARN has adopted various measures for network management, and some of the ongoing
projects contribute towards that. These would also bring some standardization to the
approach to network management. For instance, ISO has contributed a great deal to network
management standardization. Its network management model is the primary means for
understanding the major functions of network management systems. The model covers five
conceptual areas (fault, configuration, accounting, performance and security management,
often abbreviated FCAPS):
Performance Management -
Helps measure and make available various aspects of network performance so that
internetwork performance can be maintained at an acceptable level. Examples of performance
variables include network throughput, user response times and line utilization. Data is
gathered and analyzed to determine baseline levels; from that baseline, thresholds are set so
that any deviation beyond them calls for attention. From a security standpoint the same
thresholds are an early warning: a sudden jump in line utilization or response time is often the
first visible sign of a DoS attack or a worm outbreak.
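The threshold mechanism described under network management above and in the performance management paragraph, as an added example that is not part of the thesis: it derives a baseline from observed utilization samples, sets a three-sigma threshold, requires two consecutive breaches before alerting (so one noisy poll does not page anyone), and attaches the management actions the text lists (event logging, operator notification, automatic repair). All samples, the link name "dtc-uplink" and the action names are constructed.

```python
"""Baseline-and-threshold monitoring for one performance variable.
Added example (not from the thesis); all sample data is constructed."""
import statistics
from dataclasses import dataclass, field

# Constructed history of five-minute line-utilisation samples (percent) for an
# assumed WAN link, "dtc-uplink", taken during normal operation. A management
# station would normally obtain these by polling SNMP counters.
BASELINE_SAMPLES = [31, 28, 35, 33, 30, 29, 34, 32, 36, 30, 27, 33]

# Constructed samples for the period under analysis; the spike at the end is
# the kind of deviation that should reach an operator.
LIVE_SAMPLES = [32, 34, 31, 58, 61, 97, 99, 98]

# Reactions the text lists for a management entity; severities map onto them.
ACTIONS = {
    "warning": ["log_event", "notify_operator"],
    "critical": ["log_event", "notify_operator", "attempt_automatic_repair"],
}


@dataclass
class Baseline:
    mean: float
    stdev: float
    k: float = 3.0  # alert when a sample exceeds mean + k * stdev

    @property
    def upper(self) -> float:
        # Utilisation is a percentage, so the threshold never exceeds 100.
        return min(100.0, self.mean + self.k * self.stdev)


def build_baseline(samples, k=3.0) -> Baseline:
    """Derive the threshold from observed normal traffic rather than a guess."""
    return Baseline(statistics.mean(samples), statistics.pstdev(samples), k)


@dataclass
class Alert:
    sample_index: int
    value: float
    severity: str
    actions: list = field(default_factory=list)


def evaluate(samples, baseline: Baseline, consecutive: int = 2, critical_at: float = 95.0):
    """Return one Alert per sample above the threshold, but only once the
    threshold has been breached `consecutive` polls in a row, so a single
    noisy sample does not page anyone."""
    alerts, run = [], 0
    for i, value in enumerate(samples):
        if value <= baseline.upper:
            run = 0
            continue
        run += 1
        if run < consecutive:
            continue
        severity = "critical" if value >= critical_at else "warning"
        alerts.append(Alert(i, value, severity, list(ACTIONS[severity])))
    return alerts


def monitor(link="dtc-uplink"):
    """Run the constructed scenario and return (link, alerts)."""
    baseline = build_baseline(BASELINE_SAMPLES)
    return link, evaluate(LIVE_SAMPLES, baseline)


if __name__ == "__main__":
    link, alerts = monitor()
    for a in alerts:
        print(f"{link} sample {a.sample_index}: {a.value}% {a.severity} -> {a.actions}")
```

The baseline must come from a period known to be clean; a baseline that already contains an attack quietly raises the threshold and hides the next one.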
Configuration Management -
It is about monitoring network and system configuration information so that the effects of
various versions of hardware and software elements on network operation can be tracked and
managed.
A system may have layered applications or different software components, each with its own
version or release number. Documents have their own version (revision) numbers. Users of
documents, software and policies are usually expected to work with the latest approved
versions. Some ARN users use a SharePoint website for part of this configuration management.
It is critical for ARN to identify and manage the network components and applications that
will undergo version changes and updates. For each such change, an authorization structure
must be in place. All changes, big or small, to hardware, software or other ARN resources
must be approved by ARN management and/or a delegated authority, and the approved
configuration should be recorded so that an unauthorized change can be detected by
comparison against it.
Accounting Management -
It deals with the measurement of network utilization parameters so that individual or group
usage of the network can be regulated appropriately. It minimizes network problems and
maximizes the fairness of network access across all users. One example is the NetIQ product
used by ARN, which can integrate log files from network elements such as firewalls.
Fault Management -
It helps detect, log, notify users of, and in some cases automatically fix network problems to
keep the network running effectively. In order to discover problems and find faults, it is
necessary to identify vulnerabilities, in both security and non-security information systems.
Penetration testing is usually employed to identify such vulnerabilities and problems. The
other aspect of this area is to monitor and resolve user complaints. Help-desk applications
help minimize the effort needed to resolve issues, for example by learning from past cases, and
also reveal the trend of the problems.
ARN uses Track-It software as its help-desk solution.
Security Management -
Security Management is a technique to control access to network resources according to local
guidelines so that the network is secure and sensitive information is not accessed or modified by
unauthorized people. Access to information is controlled on a "need-to-access" or
"need-to-know" basis, which is achieved by partitioning network resources into authorized and
unauthorized areas. Security management systems identify the sensitive network resources
(including systems and data) and maintain the mappings between those resources and the sets
of users permitted to reach them. It must be reiterated that ARN is physically separate from
Regis Net and thus no student data is maintained by ARN. Additionally, ARN marks off the
De-Militarized Zone (DMZ) and the secure zone (SZ) using firewalls.
Layered Security: Defense-in-Depth
Defense-in-Depth (DiD) is the principle of layering network and data security controls so that
no single control failing exposes the whole network. Shown below are some of the usual
methods of technical security. ARN already uses some of these devices and techniques; others
may be considered in future.
Firewalls – Perimeter security / Access Control Lists (ACL) / Content filters
IDS – Passive monitoring of the network / Alarm on detecting an intrusion
IPS – Combines the blocking of a firewall with the detection of an IDS to stop intrusions inline
Encryption – Confidentiality and privacy of information in transit
Software patches and updates – Prevent known issues and problems from being exploited
Regulation – Users must conform to network and system access policies
PKI schemes – Reliable authentication and accountability
Passwords and other authentication mechanisms – Individual authentication
VPNs – Secure access to the internal network from remote places
Honey pots and honey nets – Lure attackers into a look-alike environment in order to detect
and study them; launching a counter-attack from there is not advisable, since it may itself be
unlawful and exposes ARN to retaliation
Ethical hacking – The organization learns of its own vulnerabilities and loopholes by attacking
itself, solely to find potential problems and fix them
Backup / Replication – Data assets must be backed up regularly and/or maintained at
different sites using replication or mirroring. This preserves data availability in case of
physical destruction of the premises, provided the copies are kept off site and restoration is
tested periodically.
ARN User Responsibility
All ARN users (students on campus, students online, the teaching community,
administrators, management, consultants, etc.) are bound by the prime duty to understand
and adopt ARN security principles. ARN users must realize the value of a secure ARN
network. In order to maintain a high level of productivity through high availability of services,
it is important that ARN functions with as few problems as possible.
Users must understand the security principles and regulations. If there are doubts or
concerns, they must immediately escalate them to ARN management, which has the final say
in matters of ARN security. Users must be vigilant and work with security consciousness.
Details such as individual passwords must be kept secret.
The End-User License Agreement (EULA) states that ARN users will not carry out any type
of hacking activity against the ARN. They must also certify that they have had no training in
hacking. The EULA also stresses the consequences for any user involved in untoward activities
that affect ARN in any way: such users will be prosecuted under the applicable law and
cyber-regulations, and their association with ARN and Regis University in general will be in
jeopardy.
Users must be familiar with the ARN command hierarchy in order to handle any crisis in
the network, and must be willing to convey any information they have in case of foul play
involving the network.
ARN Security: Future Considerations
ARN must initially focus on adopting the security policy as an official document. There are
quite a few areas that the SEAD community can pick up as follow-up projects related to the
security policy and this thesis. Here is a list of areas that need future attention; ARN
management shall prioritize them.
1. Expand the security policy to bring more detail into the areas of –
ARN Architecture Management
Various Firewall Policies and Rule Sets
VPN Usage Policies
IDS Policies
Router Configuration Policies
DMZ Policies
Mail and Other Server Usage Policies
Remote User Policies
Policies for Campus-Based Students
Standard Authentication Procedures
Fault Management – Track-It, etc.
Accounting and Auditing Management – OPNET
Performance Management – NetIQ, etc.
Configuration Management – SharePoint, etc.
NOTE: The last four items above are being covered by current SEAD activities.
2. Establish a formal ARN Security Team. This team will be directly answerable to ARN
management. This team will maintain/upgrade the security policy, educate and create
awareness among users, identify people responsible for key activities – system
administration, network configuration, configuration management, etc.
This team also deals with the important task of overseeing the implementation and
enforcement of the security policy.
3. There is a need for a "crisis management" team. This team may be part of the ARN
security team. It will act when there is an attack or some other kind of threat to the ARN. The
team will have the authority to take the steps necessary to restore ARN network health and
keep up business continuity. This team will devise and communicate the following plans –
Incident Response Plan
Disaster Recovery Plan
Business Continuity Plan
4. Explore the possibilities of implementing Intrusion Prevention Systems (IPS) in ARN.
5. Another example of new-generation network security devices is Cisco's Adaptive Threat
Defense, the next phase of Cisco's "Self-Defending Network" concept [13]. Cisco describes it as
minimizing network security risk by dynamically addressing threats at multiple layers,
enabling tighter control of network traffic, endpoints, users and applications, with the stated
aim of protecting every packet and flow on the network. The portfolio includes new intrusion
prevention, application firewall, SSL VPN and endpoint security products that could deliver
advanced protection of mission-critical resources.
6. Ensure that all ARN hardware and network device assets are being used in the right way.
For instance, if there are some Cisco PIX 501 devices lying around, they must be put to use so
that all assets are put to best use.
7. ARN may consider using biometric identification systems.
8. In order to create a robust, secure ARN, it may be necessary to conduct proactive tests for
the vulnerabilities and weaknesses of ARN. This is termed penetration testing, also called
ethical hacking. ARN stands to gain a lot from conducting such tests in a controlled manner,
from an external attacker's perspective, under written authorization from ARN management
with an agreed scope and schedule so that the tests are not mistaken for real attacks.
9. Ensure that ARN security policy is updated on a regular basis or as the need arises. All
relevant users must be made aware of the updates and must follow the changes.
10. In future, when ARN achieves stability, ARN Management may consider the option of
ARN / Regis Network participating in the Abilene Network. Abilene is an Internet2
high-performance backbone network that enables the development of advanced Internet
applications and the deployment of leading-edge network services to Internet2 universities and
research labs across the country. The network has become the most advanced native IP
backbone network available to universities participating in Internet2. Abilene supports the
development of applications such as virtual laboratories, digital libraries, distance education
and tele-immersion, as well as the advanced networking capabilities that are the focus of
Internet2. Abilene complements and peers with other high-performance research networks in
the U.S. and internationally [14]. Participating in the Abilene project gives research work at
Regis a technological edge and brings the best of the Internet2 and IPv6 world (including
network bandwidth, high speed and a higher level of security).
Brief History of Firewall Implementations in the RU ARN
The Cisco PIX 501 was used in ARN in the initial years, when it provided DHCP service and
NAT at certain locations (mainly DTC). The PIX is not effective in front of a server farm, and
historically it has been very complex to configure and manage at DTC. Though it provided
packet filtering, NAT and routing for the internal lab, it is said to have had many problems.
In this situation, Jeff Brown, a SEAD student (2003-2004), decided to implement an
OpenBSD-based firewall for the DTC campus. At that time, this firewall was also necessary to
stop the DoS attacks that occurred frequently. For the record, apart from a functional
OpenBSD-based firewall, Jeff also implemented an IPSec-based VPN between the DTC, ALC
and ILB campuses.
The plan is to replace the OpenBSD firewall with SonicWALL TZ 170 and PRO 3060 units at
the ARN production centers, which is the focus of the current SEAD-Networking group. At the
same time, since the Cisco PIX 501 is not being used to best advantage, efforts are focused on
using it for VPN access. Note that the ARN VPN implementation itself is beyond the scope of
this thesis.
Selection of Firewalls
The selection of a firewall for RU ARN depends on the firewall's ability to meet the
following criteria:
Protocols
Hardware and Operating Systems
Management Interfaces
User Authentication
Encryption
Firewall Validation
Services
For RU ARN, SonicWALL firewalls have been chosen based on an evaluation of their
characteristics and offerings against the above criteria.
SonicWALL Firewalls
In one product evaluation, SonicWALL is described as follows: "It looks like a small black
router, but is in fact a little firewall with NAT & state based filtering that can also defend
against SYN flooding, Ping of death, IP spoofing and filter ActiveX, Java and cookies. (It is)
Configured via a Web browser".
The SonicWALL Firewall products chosen for the SEAD are – SonicWALL Pro 3060 and TZ
170. These are working in tandem with the VPN products in ARN.
While VPNs are an effective remote access solution, they are not complete on their own, nor
do they secure the Internet access they ride over. A firewall protects against Internet-based
theft, destruction or modification of data by examining all data passing from the Internet or
WAN to the LAN.
As we saw earlier in this document, firewalls in general use various techniques to carry out
these operations:
1. NAT (Network Address Translation)
2. Proxy
3. Stateful or "active" inspection
SonicWALL firewalls employ stateful packet inspection to protect against DoS attacks, IP
spoofing and other TCP/IP-borne attacks: the firewall admits a packet from the Internet only
when it belongs to a connection it has already seen opened from the protected side (or is
addressed to a service deliberately published), drops packets whose source address does not
belong on the interface they arrive on, and caps the number of half-open TCP connections so
that a SYN flood cannot exhaust its state table.
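Here is the stateful inspection behaviour just described, as an added example that is neither SonicWALL's nor the thesis's code. It keeps a session table keyed by the connection 4-tuple, admits outside traffic only for sessions already in the table or for SYNs to an explicitly published service, rejects packets carrying an inside source address on the outside interface (IP spoofing), and limits half-open connections per published service (SYN flood). The inside network 10.1.0.0/16, the published web server 10.1.5.10, the client hosts and the packet sequence are constructed, and the DMZ and secure zone are simplified to a single protected side.

```python
"""A stateful packet inspection engine in miniature. Added example; not
SonicWALL or thesis code. Networks, hosts and packets are constructed."""
import ipaddress
from dataclasses import dataclass

INSIDE_NET = ipaddress.ip_network("10.1.0.0/16")  # assumed protected side


@dataclass(frozen=True)
class Packet:
    iface: str   # "inside" or "outside": the interface the packet arrives on
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # TCP flags as letters: "S" SYN, "SA" SYN/ACK, "A" ACK


class StatefulFirewall:
    def __init__(self, published, max_embryonic=3):
        # Services on the protected side that outside hosts may connect to.
        self.published = set(published)
        # Cap on half-open connections per published service (SYN flood guard).
        self.max_embryonic = max_embryonic
        # Session table: (initiator ip, port, responder ip, port) -> state
        self.table = {}
        self.log = []

    def _deny(self, pkt, why):
        self.log.append(f"DENY {pkt.iface} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} ({why})")
        return False

    def _session(self, pkt):
        """Find the session this packet belongs to, in either direction."""
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.table:
            return forward
        if reverse in self.table:
            return reverse
        return None

    def _half_open(self, dst, dport):
        return sum(1 for (_, _, d, p), state in self.table.items()
                   if state == "embryonic" and (d, p) == (dst, dport))

    def process(self, pkt):
        """Return True if the packet is forwarded, False if dropped."""
        src = ipaddress.ip_address(pkt.src)
        # Anti-spoofing: a source address must belong on the interface it
        # arrives on, whatever the rest of the packet looks like.
        if pkt.iface == "outside" and src in INSIDE_NET:
            return self._deny(pkt, "inside address arriving on outside interface")
        if pkt.iface == "inside" and src not in INSIDE_NET:
            return self._deny(pkt, "non-inside address arriving on inside interface")

        key = self._session(pkt)
        if key is not None:
            # Part of a known session. The initiator's bare ACK completes the
            # three-way handshake and moves the session out of the embryonic set.
            if self.table[key] == "embryonic" and pkt.flags == "A" and key[0] == pkt.src:
                self.table[key] = "established"
            return True

        # Only a fresh SYN may open a session; anything else without state is dropped.
        if pkt.flags != "S":
            return self._deny(pkt, "no matching session")
        if pkt.iface == "outside":
            if (pkt.dst, pkt.dport) not in self.published:
                return self._deny(pkt, "not a published service")
            if self._half_open(pkt.dst, pkt.dport) >= self.max_embryonic:
                return self._deny(pkt, "embryonic limit reached, possible SYN flood")
        self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = "embryonic"
        return True


def run_scenario():
    """Constructed traffic: a normal outbound session, an unsolicited probe,
    a spoofed packet and a burst of SYNs at the published web server."""
    fw = StatefulFirewall(published={("10.1.5.10", 80)}, max_embryonic=2)
    verdicts = [
        fw.process(Packet("inside", "10.1.2.20", "198.51.100.7", 40000, 443, "S")),
        fw.process(Packet("outside", "198.51.100.7", "10.1.2.20", 443, 40000, "SA")),
        fw.process(Packet("inside", "10.1.2.20", "198.51.100.7", 40000, 443, "A")),
        fw.process(Packet("outside", "203.0.113.9", "10.1.2.20", 5555, 40000, "S")),
        fw.process(Packet("outside", "10.1.2.30", "10.1.5.10", 1234, 80, "S")),
    ]
    for i in range(3):  # third SYN exceeds the half-open cap of two
        verdicts.append(fw.process(Packet("outside", f"203.0.113.{10 + i}", "10.1.5.10", 50000 + i, 80, "S")))
    return fw, verdicts


if __name__ == "__main__":
    fw, verdicts = run_scenario()
    print(verdicts)
    print("\n".join(fw.log))
```

A real engine also ages embryonic sessions out after a timeout, which is what actually frees the table during a sustained flood; the cap here only stops the table from growing without bound.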
All SonicWALL firewall products can be set up and administered over a web-based interface.
They can also be managed remotely using SonicWALL's Global Management Console.
According to SonicWALL's product literature, the SonicWALL PRO 3060, part of the PRO
Series Internet Security Platform, delivers complete business continuity for even the most
complex networks. Powered by SonicWALL's next-generation SonicOS operating system and its
deep packet inspection architecture, the PRO 3060 provides integrated gateway anti-virus,
anti-spyware, intrusion prevention and anti-spam capabilities for real-time protection against
today's dynamic threats.
The SonicWALL TZ 170, part of the TZ 170 Series, is described as a total security platform
for home, small, remote and branch office deployments. With integrated support for
SonicWALL's Gateway Anti-Virus, Anti-Spyware and Intrusion Prevention Service, the
TZ 170 delivers real-time protection against viruses, spyware, worms, Trojans and other
malicious threats. The TZ 170 also combines built-in anti-spam protection and support for
SonicWALL's Content Filtering Service to provide enhanced productivity and network
utilization.
The following diagram depicts the high level architecture involving firewalls and VPN.
Figure 3: High Level ARN Architecture Diagram (diagram not reproduced in this text; labels
preserved from the figure: VPN, CSD, SW TZ170, CS, ALC, DTC, ILB, FCSW, FW Pro3060)
Figure 4: ARN Architecture Diagram Showing PIX 501 Usage With VPN (diagram not
reproduced in this text; labels preserved from the figure: VPN, CSD, SW TZ170, CS, ALC, DTC,
ILB, FCSW, FW Pro3060, PIX 501, Computer, SNAPIX501, VPN)
Acronyms
ACL Access Control List
ARN Advanced Research Network
DoS Denial of Service
DHCP Dynamic Host Configuration Protocol
DMZ De-Militarized Zone
EULA End-User License Agreement
HTTP Hyper Text Transfer Protocol
IDS Intrusion Detection System
IPS Intrusion Prevention System
NAT Network Address Translation
RU Regis University
SSL Secure Sockets Layer
SSO Single Sign-On
SZ Secure Zone
TCP/IP Transmission Control Protocol/Internet Protocol
UDP User Datagram Protocol
VPN Virtual Private Network
Bibliography
1. Virtual Private Networks for Small and Medium Organizations. Retrieved February 15, 2005,
from https://partners.mysonicwall.com/WhitePaper/DownloadCenter/WhitePapers.asp
2. Protecting and Connecting the Distributed Organization – A Comprehensive Security and
VPN Strategy. Retrieved February 15, 2005, from
https://partners.mysonicwall.com/WhitePaper/DownloadCenter/WhitePapers.asp
3. Ollmann, G. (2004, January). Passive Information Gathering. Retrieved February 20, from
http://offlinehbpl.hbpl.co.uk/misc/mcs/whitepapers/PassiveInformationGathering.pdf
4. Gong, L. & Sandhu, R. (2000, November-December). What Makes Security Technologies
Relevant? Retrieved February 22, 2005, from
http://www.list.gmu.edu/misc_pubs/editorials/00895014.pdf
5. Bennett, T. (1998). Auditing Firewalls: A Practical Guide. Retrieved March 2, 2005, from
http://www.itsecurity.com/papers/p5.htm
6. Wack, J., Cutler, K. & Pole, J. (2002, January). Guidelines on Firewalls and Firewall Policy
(NIST Special Publication 800-41). Retrieved March 20, from
http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf
7. Mastering Internet Security for Competitive Advantage. Retrieved February 25, 2005, from
http://www.sun.com/executives/sunjournal/v1n2/feature2.html
8. Al-Shaer, S.E. & Hamed, H.H. Design and Implementation of Firewall Policy Advisor Tools.
Retrieved March 3, 2005, from
http://facweb.cs.depaul.edu/research/TechReports/TR04-011.pdf
9. Cooper, P.S. (1996, February). Network Security Management With Firewalls (DOE
Information Security Conference Presentations). Retrieved March 6, 2005, from
http://doe-is.llnl.gov/ConferenceProceedings/DOECompSec96/firewall.pdf
10. IT Security Cookbook (2002, January). Retrieved March 10, 2005, from
http://www.boran.com/security/it12-firewall.html
11. Cisco PIX Firewall and VPN Configuration Guide, Version 6.2. Retrieved April 25, 2005,
from
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb729.html#wp1032843
12. Network Management Basics (2002, February). Retrieved June 2, 2005, from
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/nmbasics.htm#xtocid6
13. Cisco Self-Defending Network. Retrieved June 6, 2005, from
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns413/networking_solutions_package.html
14. Abilene Network. Retrieved June 15, 2005, from
http://abilene.internet2.edu/about/index.html
15. Whitman, M.E. & Mattord, H.J. (2005). Principles of Information Security (2nd ed.).
Thomson Course Technology.
Appendix A
An Evaluation of CISCO PIX 501
ARN has invested in the Cisco PIX 501 in the past. While this device has been used on some
campuses (DTC) for packet filtering and similar duties, there were some issues. An
OpenBSD-based firewall replaced the PIX 501 more than a year ago, and ARN production
centers will be supported by SonicWALL firewalls this year. The idea is to re-deploy the Cisco
PIX 501 for some other use, say VPN access.
The following description focuses on the abilities and features of the Cisco PIX 501. Some of
the discussion is excerpted from the product literature available on the Cisco website [11].
PIX 501 as a DHCP Server:
The DHCP server within the PIX Firewall is typically used in a SOHO environment with a
PIX 501 or PIX 506 unit. Connected to the PIX Firewall are PC clients and other network
devices (DHCP clients) that establish network connections, either insecure (unencrypted) or
secure (encrypted using IPSec), to access an enterprise or corporate network. As a DHCP
server, the PIX Firewall provides network configuration parameters to those clients.
With firewall software version 6.1 or higher, the PIX 501 can serve up to 128 DHCP client
addresses (with a 50-user license).
PIX 501 as a DHCP Client
DHCP client support within the PIX Firewall is designed for use in a small office, home
office (SOHO) environment where the PIX Firewall is directly connected to a DSL or cable
modem that supports the DHCP server function.
With the DHCP client feature enabled, the PIX Firewall acts as a DHCP client, allowing the
server to configure its outside interface with an IP address, subnet mask and, optionally, a
default route. Use of the DHCP client feature to acquire an IP address from a generic DHCP
server is not supported, and the PIX Firewall DHCP client does not support failover
configurations.
PIX 501 Support for VoIP Terminals and Phones
In a small enterprise environment, Cisco CallManager may control Cisco IP phones. In such
an environment, the PIX Firewall DHCP server can support specialized functions:
Cisco IP phones download their configuration from a TFTP server. The PIX 501 can answer
a DHCP option 150 request with the IP addresses of a list of TFTP servers.
The PIX 501 can also serve DHCP option 66, defined in RFC 2132 (DHCP Options and
BOOTP Vendor Extensions), which gives the IP address or host name of a single TFTP
server.
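The two options just described, as an added example that is neither Cisco's nor the thesis's code: a builder that serializes a DHCP option block (RFC 2132 framing: magic cookie, then code/length/value triples, then the end marker) carrying option 66 and option 150, and a parser that reads it back without running past a truncated option, which is the classic bug in naive TLV parsers. The TFTP server name "tftp.arn.example", the addresses 10.1.5.20 and 10.1.5.21, and the choice to prefer option 150 over option 66 when both are present are this example's assumptions, not facts from the page.

```python
"""Build and parse the DHCP option block (RFC 2132) a server such as the PIX
sends to Cisco IP phones: option 66 (TFTP server name) and option 150
(a list of TFTP server addresses). Added example; not PIX or thesis code.
Addresses and host names are constructed."""
import ipaddress

MAGIC_COOKIE = bytes([0x63, 0x82, 0x53, 0x63])
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_TFTP_NAME, OPT_TFTP_ADDRS = 53, 66, 150


def build_options(entries):
    """Serialize (code, payload) pairs into an option block: magic cookie in
    front, code/length/value triples, end marker behind."""
    out = bytearray(MAGIC_COOKIE)
    for code, payload in entries:
        if not 0 < code < 255 or len(payload) > 255:
            raise ValueError(f"option {code} cannot be encoded")
        out += bytes([code, len(payload)]) + payload
    out.append(OPT_END)
    return bytes(out)


def parse_options(block):
    """Return {code: payload}. Stops at the end marker, skips pad bytes and
    rejects a truncated option instead of silently reading a short payload."""
    if block[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(block):
        code = block[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(block):
            raise ValueError("option header truncated")
        length = block[i + 1]
        payload = block[i + 2 : i + 2 + length]
        if len(payload) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = payload  # a later duplicate overwrites an earlier one
        i += 2 + length
    raise ValueError("option block has no end marker")


def tftp_servers(opts):
    """Resolve the TFTP servers a phone should try. Option 150 carries one or
    more IPv4 addresses; option 66 carries a single name. Preferring 150 over
    66 is this example's assumption about the client, not a protocol rule."""
    if OPT_TFTP_ADDRS in opts:
        raw = opts[OPT_TFTP_ADDRS]
        if not raw or len(raw) % 4 != 0:
            raise ValueError("option 150 must hold whole IPv4 addresses")
        return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]
    if OPT_TFTP_NAME in opts:
        return [opts[OPT_TFTP_NAME].decode("ascii")]
    return []


# Constructed DHCPOFFER option block as the PIX might send it to a phone.
OFFER = build_options([
    (OPT_MSG_TYPE, bytes([2])),                                     # DHCPOFFER
    (OPT_TFTP_NAME, b"tftp.arn.example"),                           # option 66
    (OPT_TFTP_ADDRS, ipaddress.IPv4Address("10.1.5.20").packed
                     + ipaddress.IPv4Address("10.1.5.21").packed),  # option 150
])

if __name__ == "__main__":
    print(tftp_servers(parse_options(OFFER)))
```

Because a phone trusts whatever TFTP server DHCP names, a rogue DHCP server on the voice VLAN can redirect every phone's configuration download; the PIX being the only DHCP server on that segment is part of what makes the feature safe to use.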
PIX 501 as Easy VPN Remote Device
PIX Firewall version 6.2 lets you use PIX Firewall as an Easy VPN Remote device when
connecting to an Easy VPN Server, such as a Cisco VPN 3000 Concentrator or a PIX Firewall.
This functionality, sometimes called a "hardware client," allows the PIX Firewall to establish a
VPN tunnel to the Easy VPN Server. Hosts running on the LAN behind the PIX Firewall can
connect through the Easy VPN Server without individually running any VPN client software.
We need to explore whether this functionality also works in RU ARN with a VPN server that
is not a Cisco product.
It can act in two modes:
Client mode – In this mode, VPN connections are initiated by traffic, so resources are
only used on demand. In client mode, the PIX Firewall applies Network Address
Translation (NAT) to all IP addresses of clients connected to its inside (higher security)
interface, so the hosts behind it appear to the VPN server as a single address. To use this
mode, you must also enable the DHCP server on the inside interface.
Network extension mode – In this mode, VPN connections are kept open even when not
required for transmitting traffic. This option does not apply NAT to any IP addresses of
clients on the inside (higher security) interface of the PIX Firewall, so the inside network is
reachable by its own addresses from the other end of the tunnel.
PIX 501 with Improved ACL Feature
TurboACL is a feature introduced with PIX Firewall version 6.2 that improves the average
search time for access control lists containing a large number of entries. It causes the PIX
Firewall to compile lookup tables for ACLs, which speeds up searching of long ACLs.
One can enable this feature for the entire PIX Firewall and then disable it for specific ACLs,
or enable it only for specific ACLs. For short ACLs, TurboACL does not improve performance:
a TurboACL search, no matter how short the ACL, takes about the same time as a regular
search of an ACL of twelve to eighteen entries. For this reason, even when enabled, the
TurboACL feature is only applied to ACLs with nineteen or more entries. Compilation changes
only the speed of the lookup, not its result; the first matching entry in list order still decides.
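The two lookup strategies just contrasted, as an added example that is neither Cisco's nor the thesis's code: a linear first-match scan over an access list, and a compiled form in the spirit of TurboACL that pre-indexes entries by destination port and merges the candidates back into list order, so that the verdicts are identical. The access list (anti-spoofing denies first, published services next, an explicit final deny), the address ranges and the test packets are constructed, and the real TurboACL tables are not public; this index only illustrates the idea.

```python
"""First-match ACL lookup two ways: a linear scan, and a compiled index that
narrows the candidates by destination port before matching. Added example;
not Cisco or thesis code. The ACL and the packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One access control entry. dport None means any port."""
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "icmp" or "ip" (any)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None

    def matches(self, proto, src, dst, dport):
        return ((self.proto == "ip" or self.proto == proto)
                and src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


def ace(action, proto, src, dst, dport=None):
    return Ace(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


ANY = "0.0.0.0/0"
# Constructed ACL for an outside interface: anti-spoofing first, then the
# published services, then an explicit final deny.
ACL = [
    ace("deny",   "ip",  "10.1.0.0/16", ANY),                      # inside range must not arrive from outside
    ace("deny",   "ip",  "127.0.0.0/8", ANY),
    ace("permit", "tcp", ANY, "10.1.5.10/32", 80),
    ace("permit", "tcp", ANY, "10.1.5.10/32", 443),
    ace("permit", "udp", ANY, "10.1.5.53/32", 53),
    ace("permit", "tcp", "203.0.113.0/24", "10.1.5.22/32", 22),  # assumed management range
    ace("deny",   "ip",  ANY, ANY),
]


def linear_lookup(acl, proto, src, dst, dport):
    """Walk the list in order; the first matching entry decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, entry in enumerate(acl):
        if entry.matches(proto, s, d, dport):
            return entry.action, index
    return "deny", None  # implicit deny when nothing matched


class CompiledAcl:
    """Bucket entries by destination port; wildcard-port entries join every
    lookup. Entries keep their original index, so choosing the lowest matching
    index reproduces first-match semantics exactly."""

    def __init__(self, acl):
        self.wild = [(i, e) for i, e in enumerate(acl) if e.dport is None]
        self.by_port = {}
        for i, e in enumerate(acl):
            if e.dport is not None:
                self.by_port.setdefault(e.dport, []).append((i, e))

    def lookup(self, proto, src, dst, dport):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        candidates = sorted(self.wild + self.by_port.get(dport, []), key=lambda t: t[0])
        for index, entry in candidates:
            if entry.matches(proto, s, d, dport):
                return entry.action, index
        return "deny", None


def check_equivalence(acl, packets):
    """Run both engines over the packets; return (linear verdicts, all_agree)."""
    compiled = CompiledAcl(acl)
    verdicts, agree = [], True
    for packet in packets:
        lin, comp = linear_lookup(acl, *packet), compiled.lookup(*packet)
        agree = agree and lin == comp
        verdicts.append(lin)
    return verdicts, agree


# Constructed packets as (proto, src, dst, dport).
PACKETS = [
    ("tcp", "198.51.100.7", "10.1.5.10", 80),   # web from the Internet: permit, entry 2
    ("tcp", "10.1.2.30",    "10.1.5.10", 80),   # spoofed inside source: deny, entry 0
    ("tcp", "198.51.100.7", "10.1.5.22", 22),   # ssh from outside the range: deny, entry 6
    ("tcp", "203.0.113.5",  "10.1.5.22", 22),   # ssh from the management range: permit, entry 5
    ("udp", "198.51.100.7", "10.1.5.53", 53),   # dns: permit, entry 4
    ("tcp", "198.51.100.7", "10.1.5.53", 53),   # dns over tcp not published: deny, entry 6
]

if __name__ == "__main__":
    print(check_equivalence(ACL, PACKETS))
```

The constructed list has seven entries, so a PIX would not compile it at all under the nineteen-entry cutoff; the point is the equivalence check, which is exactly what an auditor should run after any ACL optimization or migration between firewall products.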