7/29/2019 Unit 3 Info Sec.pptx
1/72
Unit 3: Security Technologies: Firewalls
Technical Control & Physical De
Access Control
Mandatory access controls (MACs) - lattice-based access control
Nondiscretionary controls - role-based controls & task-based controls
Discretionary access controls (DACs)
All access control approaches rely on the following mechanisms:
Identification
Authentication
Authorization
Accountability
Firewalls
Firewalls can be categorized by processing mode, development era, or structure.
Firewall Processing Modes
Packet-filtering firewalls,
Application gateways,
Circuit gateways,
MAC layer firewalls, and
Hybrids.
Packet-Filtering Firewalls
IP source and destination address
Direction (inbound or outbound)
Protocol (for firewalls capable of examining the IP protocol layer)
Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests (for firewalls capable of examining the TCP/UDP layer)
There are three subsets of packet-filtering firewalls:
static filtering,
dynamic filtering, and
stateful inspection.
Application Gateways
The application firewall is also known as a proxy server since it runs special software that acts as a proxy for a service request.
Circuit Gateways
Operates at the transport layer.
Prevents direct connections between one network and another.
Creates tunnels connecting specific processes or systems on each side of the firewall, and then allows only authorized traffic.
MAC Layer Firewalls & Hybrid Firewalls
Firewalls Categorized by Generation
First generation firewalls are static packet-filtering firewalls.
Second generation firewalls are application-level firewalls or proxy servers.
Third generation firewalls are stateful inspection firewalls.
Fourth generation firewalls are also known as dynamic packet-filtering firewalls.
Fifth generation firewalls include the kernel proxy.
Firewalls Categorized by Structure
Commercial-Grade Firewall Appliances
Commercial-Grade Firewall Systems
Small Office/Home Office (SOHO) Firewall Appliances
Residential-Grade Firewall Software
Firewall Architectures
The configuration that works best for a particular organization depends on three factors:
The objectives of the network,
the organization's ability to develop and implement the architectures, and
the budget available for the function.
Common architectural implementations:
Packet-filtering routers,
Screened host firewalls,
Dual-homed firewalls, and
Screened subnet (DMZ)
Screened Host Firewalls
Dual-Homed Host Firewall
Screened Subnet (DMZ)
SOCKS Servers
SOCKS is the protocol for handling TCP traffic via a proxy.
Places the filtering requirements on the individual workstation rather than on a single point of defense (and thus a single point of failure).
Selecting the Right Firewall
1. Which type of firewall technology offers the right balance between protection and cost for the needs of the organization?
2. What features are included in the base price? What features are available at extra cost? Are all cost factors known?
3. How easy is it to set up and configure the firewall? How accessible are the staff technicians who can competently configure the firewall?
4. Can the candidate firewall adapt to the growing network of the target organization?
Configuring and Managing Firewalls
Good policy and practice dictates that each firewall device
The configuration of firewall policies can be complex and difficult.
Syntax errors and logic errors
Configuring firewall policies is as much an art as it is a science.
Organizations are much more willing to live with potential risk than certain failure.
Best Practices for Firewalls
All traffic from the trusted network is allowed out. This allows members of the organization to access the services they need.
The firewall device is never directly accessible from the public network for configuration or management purposes.
Only authorized firewall administrators access the device through secure authentication mechanisms, preferably a method that is based on cryptographically strong authentication and uses two-factor access control techniques.
Simple Mail Transport Protocol (SMTP) data is allowed to pass through the firewall, but is routed to a well-configured SMTP gateway to filter and route messaging traffic securely.
All Internet Control Message Protocol (ICMP) data should be denied. Known as the ping service, ICMP is a common method for hacker reconnaissance and should be turned off to prevent snooping.
Telnet (terminal emulation) access to all internal servers from public networks should be blocked. At the very least, Telnet access to the organization's Domain Name System (DNS) servers should be blocked to prevent illegal zone transfers and to prevent attackers from taking down the organization's entire network.
If internal users need to access an organization's network from outside the firewall, the organization should enable them to use a Virtual Private Network (VPN) client or other secure system that provides a reasonable level of authentication.
When Web services are offered outside the firewall, HTTP should be blocked from internal networks through the use of some form of proxy access or DMZ architecture. That way, if employees are running Web servers for internal use on their desktops, the services are invisible to the outside Internet.
All data that is not verifiably authentic should be denied.
Firewall Rules
That which is not permitted is prohibited: traffic passes only under expressly permitted rules.
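As an added example (not from the slides), the packet-filter criteria listed earlier (source and destination address, direction, protocol, ports) and the best-practice rules above are evaluated top-down under the "that which is not permitted is prohibited" principle. The network addresses and the rule ordering are constructed assumptions, not an organization's real rule set.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed sample addressing (not from the slides): trusted LAN and DMZ hosts.
TRUSTED = ip_network("10.0.0.0/8")
SMTP_GATEWAY = ip_network("192.168.2.25/32")   # well-configured SMTP gateway in the DMZ
DMZ_WEB = ip_network("192.168.2.80/32")        # public Web server in the DMZ
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str             # "inbound" (public -> internal) or "outbound"
    protocol: str              # "tcp", "udp" or "icmp"
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    direction: str             # "inbound", "outbound" or "any"
    protocol: str              # "tcp", "udp", "icmp" or "any"
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    dport: Optional[int] = None   # None matches every destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.protocol in ("any", p.protocol)
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))

# Rule set encoding the slides' best practices; evaluated top-down, first match wins.
RULES = [
    Rule("deny", "any", "icmp"),                                   # all ICMP denied
    Rule("deny", "inbound", "tcp", dport=23),                      # no Telnet from public networks
    Rule("allow", "inbound", "tcp", dst=SMTP_GATEWAY, dport=25),   # SMTP only via the gateway
    Rule("allow", "inbound", "tcp", dst=DMZ_WEB, dport=80),        # HTTP only to the DMZ server
    Rule("allow", "outbound", "any", src=TRUSTED),                 # trusted network allowed out
]

def decide(p: Packet, rules=RULES) -> str:
    """Return the first matching rule's action; anything not expressly permitted is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"   # implicit default deny: covers the firewall's own address, internal Web servers, etc.
```

Placing the outbound allow above the ICMP deny silently permits outbound pings, which is the kind of rule-ordering logic error the configuration slide warns about.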
External Filtering Firewall Outbound Interface Rule Set
Content Filters
A content filter is a software filter, technically not a firewall.
Also known as reverse firewalls.
A content filter has two components: rating and filtering.
The rating is like a set of firewall rules for Web sites and is common in residential content filters. The rating can be complex, with multiple access control settings for different levels of the organization, or it can be simple, with a basic allow/deny scheme like that of a firewall.
The filtering is a method used to restrict specific access requests to the identified resources, which may be Web sites, servers, or whatever resources the content filter administrator configures.
Protecting Remote Connections
Remote Access
Remote Authentication Dial-In User Service (RADIUS)
Terminal Access Controller Access Control System (TACACS)
TACACS - combines authentication and authorization.
Extended TACACS - separates the steps needed to authenticate, and keeps records for accountability.
TACACS+ - uses dynamic passwords and incorporates two-factor authentication.
Kerberos
Uses symmetric key encryption to validate
Keeps a database containing the private keys of clients
Also generates temporary session keys, which are private to the two parties in a conversation.
Kerberos consists of three interacting services, all of which use a database library:
1. Authentication server (AS), which is a Kerberos server that authenticates clients and servers.
2. Key Distribution Center (KDC), which generates and issues keys.
3. Kerberos ticket granting service (TGS), which provides tickets to clients who request services. In Kerberos a ticket is an identification card for a particular client that verifies to the server that the client is requesting services and that the client is a valid member of the Kerberos system and therefore authorized to receive services. The ticket consists of the client's name and network address, a ticket validation starting and ending time, and the session key, all encrypted in the private key of the server from which the client is requesting services.
Kerberos is based on the following principles:
The KDC knows the secret keys of all clients and servers on the network.
The KDC initially exchanges information with the client and server by using these secret keys.
Kerberos authenticates a client to a requested service on a server through TGS and by issuing temporary session keys for communications between the client and KDC, the server and KDC, and the client and server.
Communications then take place between the client and server using these temporary session keys.
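As an added example (not from the slides or from any Kerberos implementation), the ticket structure and principles above modelled in Python: the KDC holds every principal's key, seals a ticket (client name, address, validity window, session key) under the server's key, and hands the session key to the client under the client's own key, so only the server can open the ticket. The HMAC-SHA256 keystream seal is a stand-in for Kerberos' real encryption types, and all principal names and keys are constructed.

```python
import hashlib, hmac, json, os, time

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC stand-in for Kerberos' symmetric encryption: HMAC-SHA256 keystream + tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("not encrypted under this key")   # e.g. the client trying to read its own ticket
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Holds every principal's secret key and plays the TGS role: mints session keys and tickets."""
    def __init__(self, keys: dict):
        self.keys = keys     # constructed key database: principal name -> secret key

    def ticket_request(self, client: str, addr: str, server: str, lifetime=300, now=None):
        now = int(time.time()) if now is None else now
        session_key = os.urandom(32).hex()     # temporary key private to this client and server
        ticket = {"client": client, "addr": addr, "start": now, "end": now + lifetime,
                  "session_key": session_key}
        # Ticket sealed under the server's key; the client receives the session key under its own key.
        return (seal(self.keys[server], ticket),
                seal(self.keys[client], {"server": server, "session_key": session_key}))

def server_accepts(server_key: bytes, ticket: bytes, peer_addr: str, now=None) -> bytes:
    """Server side: open the ticket with its own key, check window and address, return the session key."""
    t = unseal(server_key, ticket)
    now = int(time.time()) if now is None else now
    if not (t["start"] <= now <= t["end"]) or t["addr"] != peer_addr:
        raise PermissionError("ticket expired or presented from another address")
    return bytes.fromhex(t["session_key"])
```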
Secure European System for Applications in a Multivendor Environment (SESAME)
The token is then presented to a privilege attribute server (instead of a ticket granting service as in Kerberos).
SESAME uses public key encryption to distribute secret keys.
The SESAME technology offers sophisticated single sign-on, added distributed access control features and cryptographic protection of interchanged data.
SESAME is similar to Kerberos, but has a lot of extensions to Kerberos. One important extension is that it supports role-based access control using a PAS (Privilege Attribute Server).
http://www.cs.nyu.edu/~wanghua/course/security/final/presentation.html
Virtual Private Network (VPN)
A private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.
The Virtual Private Network Consortium (VPNC) defines three VPN technologies:
Trusted VPNs,
Secure VPNs, and
Hybrid VPNs.
Encapsulation of incoming and outgoing data,
Encryption of incoming and outgoing data, and
Authentication of the remote computer and, perhaps, the user as well.
Transport Mode
Tunnel Mode