Chapter 6

Security Technology: Firewalls and

VPNs
If you think technology can solve your security problems,
then you don’t understand the problems and you don’t
understand the technology.
BRUCE SCHNEIER, AMERICAN CRYPTOGRAPHER,
COMPUTER SECURITY SPECIALIST, AND WRITER
 Learning Objectives

• Upon completion of this material, you should be

able to:
– Recognize the important role of access control in
computerized information systems, and identify and
discuss widely-used authentication factors
– Describe firewall technology and the various
approaches to firewall implementation
– Identify the various approaches to control remote
and dial-up access by means of the authentication
and authorization of users

Abdul K Mustafa, Fall 2017

 Learning Objectives (cont’d.)
– Discuss content filtering technology
– Describe the technology that enables the use of
virtual private networks

Abdul K Mustafa, Fall 2017

 Introduction

• Technical controls are essential in enforcing policy

for many IT functions that do not involve direct
human control
• Technical control solutions improve an
organization’s ability to balance making information
readily available against increasing information’s
levels of confidentiality and integrity

Abdul K Mustafa, Fall 2017

 Access Control

• Access control: method by which systems

determine whether and how to admit a user into a
trusted area of the organization
• Mandatory access controls (MACs): use data
classification schemes
• Nondiscretionary controls: strictly-enforced version
of MACs that are managed by a central authority
• Discretionary access controls (DACs): implemented
at the discretion or option of the data user

Abdul K Mustafa, Fall 2017

 Access Control

Abdul K Mustafa, Fall 2017

 Access Control -DAC

Abdul K Mustafa, Fall 2017

 Access Control Mechanism

• Identification
• Authentication
• Authorization
• Accountability

Abdul K Mustafa, Fall 2017

 Identification

• Identification: mechanism whereby an unverified

entity that seeks access to a resource proposes a
label by which they are known to the system
• Supplicant: entity that seeks a resource
• Identifiers can be composite identifiers,
concatenating elements-department codes,
random numbers, or special characters to make
them unique
• Some organizations generate random numbers

Abdul K Mustafa, Fall 2017

 Authentication

• Authentication: the process of validating a

supplicant’s purported identity
• Authentication factors
– Something a supplicant knows
• Password: a private word or combination of characters
that only the user should know
• Passphrase: a series of characters, typically longer
than a password, from which a virtual password is
derived

Abdul K Mustafa, Fall 2017

 Authentication (cont’d.)

• Authentication factors (cont’d.)

– Something a supplicant has
• Smart card: contains a computer chip that can verify
and validate information
• Synchronous tokens
• Asynchronous tokens
– Something a supplicant is
• Relies upon individual characteristics
• Strong authentication

Abdul K Mustafa, Fall 2017

 Authorization

• Authorization: the matching of an authenticated

entity to a list of information assets and
corresponding access levels
• Authorization can be handled in one of three ways
– Authorization for each authenticated user
– Authorization for members of a group
– Authorization across multiple systems
• Authorization tickets

Abdul K Mustafa, Fall 2017

 Accountability

• Accountability (auditability): ensures that all actions

on a system—authorized or unauthorized—can be
attributed to an authenticated identity
• Most often accomplished by means of system logs
and database journals, and the auditing of these
records
• Systems logs record specific information
• Logs have many uses

Abdul K Mustafa, Fall 2017

 Biometric Access Control

• Based on the use of some measurable human

characteristic or trait to authenticate the identity of
a proposed systems user (a supplicant)
• Relies upon recognition
• Includes fingerprint comparison, palm print
comparison, hand geometry, facial recognition
using a photographic id card or digital camera,
retinal print, iris pattern
• Characteristics considered truly unique:
fingerprints, retina of the eye, iris of the eye

Abdul K Mustafa, Fall 2017

 Figure 6-5 Biometric Recognition Characteristics
Abdul K Mustafa, Fall 2017
 Effectiveness of Biometrics

• Biometric technologies evaluated on three basic

criteria:
– False reject rate: the rejection of legitimate users
– False accept rate: the acceptance of unknown users
– Crossover error rate (CER): the point where false
reject and false accept rates cross when graphed
• CER of 1 percent is much superior than CER of 5
percent

Abdul K Mustafa, Fall 2017

 Acceptability of Biometrics

• Balance must be struck between how acceptable

security system is to users and its effectiveness in
maintaining security
• Many biometric systems that are highly reliable and
effective are considered intrusive
• As a result, many information security
professionals, in an effort to avoid confrontation
and possible user boycott of biometric controls,
don’t implement them
• More effectiveness results in less acceptance

Abdul K Mustafa, Fall 2017

 Table 6-1 Ranking of Biometric Effectiveness and Acceptance
H=High, M=Medium, L=Low
Reproduced from The ‘123’ of Biometric Technology, 2003, by Yun,
Yau Wei22

Abdul K Mustafa, Fall 2017

 Access Control Architecture Models

• Trusted Computing Base (TCB)

– Trusted Computer System Evaluation Criteria
(TCSEC) is an older DoD standard
– Reference Monitor manages access controls
• Bell-LaPadula Confidentiality model
– Do not allow information to be moved from higher
level to lower level
• Biba Integrity Model
• Clark-Wilson integrity model
• Brewer-Nash Model (Chinese Wall)
Abdul K Mustafa, Fall 2017
 The TCSEC Rainbow series

Abdul K Mustafa, Fall 2017

 Firewalls

• Prevent specific types of information from moving

between the outside world (untrusted network) and
the inside world (trusted network)
• May be:
– Separate computer system
– Software service running on existing router or server
– Separate network containing supporting devices

Abdul K Mustafa, Fall 2017

 Firewalls Processing Modes

• Five processing modes by which firewalls can be

categorized:
– Packet filtering
– Application gateways
– Circuit gateways
– MAC layer firewalls
– Hybrids

Abdul K Mustafa, Fall 2017

 Firewalls Processing Modes (cont’d.)

• Packet filtering firewalls examine header

information of data packets
• Most often based on combination of:
– Internet Protocol (IP) source and destination address
– Direction (inbound or outbound)
– Transmission Control Protocol (TCP) or User
Datagram Protocol (UDP) source and destination
port requests
• Simple firewall models enforce rules designed to
prohibit packets with certain addresses or partial
addresses
Abdul K Mustafa, Fall 2017
 Firewalls Processing Modes (cont’d.)

• Three subsets of packet filtering firewalls:

– Static filtering: requires that filtering rules governing
how the firewall decides which packets are allowed
and which are denied are developed and installed
– Dynamic filtering: allows firewall to react to emergent
event and update or create rules to deal with event
– Stateful inspection: firewalls that keep track of each
network connection between internal and external
systems using a state table

Abdul K Mustafa, Fall 2017

 Figure 6-7 IP Packet Structure
Abdul K Mustafa, Fall 2017
 Figure 6-8 TCP Packet Structure

Figure 6-9 UDP Datagram Structure

Abdul K Mustafa, Fall 2017
 Table 6-2 Sample Firewall Rule and Format

Abdul K Mustafa, Fall 2017

 Table 6-3 State Table Entries

Abdul K Mustafa, Fall 2017

 Firewalls Processing Modes (cont’d.)

• Application gateways
– Frequently installed on a dedicated computer; also
known as a proxy server
– Since proxy server is often placed in unsecured area
of the network (e.g., DMZ), it is exposed to higher
levels of risk from less trusted networks
– Additional filtering routers can be implemented
behind the proxy server, further protecting internal
systems

Abdul K Mustafa, Fall 2017

 Firewalls Processing Modes (cont’d.)

• Circuit gateway firewall

– Operates at transport layer
– Like filtering firewalls, do not usually look at data
traffic flowing between two networks, but prevent
direct connections between one network and
another
– Accomplished by creating tunnels connecting
specific processes or systems on each side of the
firewall, and allow only authorized traffic in the
tunnels

Abdul K Mustafa, Fall 2017

 Firewalls Processing Modes (cont’d.)

• MAC layer firewalls

– Designed to operate at the media access control
layer of OSI network model
– Able to consider specific host computer’s identity in
its filtering decisions
– MAC addresses of specific host computers are
linked to access control list (ACL) entries that
identify specific types of packets that can be sent to
each host; all other traffic is blocked

Abdul K Mustafa, Fall 2017

 Figure 6-11 Firewall Types and the OSI Model

Abdul K Mustafa, Fall 2017

 Firewalls Processing Modes (cont’d.)

• Hybrid firewalls
– Combine elements of other types of firewalls; i.e.,
elements of packet filtering and proxy services, or of
packet filtering and circuit gateways
– Alternately, may consist of two separate firewall
devices; each a separate firewall system, but
connected to work in tandem

Abdul K Mustafa, Fall 2017

 Firewalls Categorized by Generation

• First generation: static packet filtering firewalls

• Second generation: application-level firewalls or
proxy servers
• Third generation: stateful inspection firewalls
• Fourth generation: dynamic packet filtering
firewalls; allow only packets with particular source,
destination, and port addresses to enter
• Fifth generation: kernel proxies; specialized form
working under kernel of Windows NT

Abdul K Mustafa, Fall 2017

 Firewalls Categorized by Structure

• Most firewalls are appliances: stand-alone, self-

contained systems
• Commercial-grade firewall system
• Small office/home office (SOHO) firewall
appliances
• Residential-grade firewall software

Abdul K Mustafa, Fall 2017

 Figure SOHO Firewall Devices
Abdul K Mustafa, Fall 2017
 Software vs. Hardware: the SOHO
Firewall Debate
• Which firewall type should the residential user
implement?
• Where would you rather defend against a hacker?
• With the software option, hacker is inside your
computer
• With the hardware device, even if hacker manages
to crash firewall system, computer and information
are still safely behind the now disabled connection

Abdul K Mustafa, Fall 2017

 Firewall Architectures

• Firewall devices can be configured in a number of

network connection architectures
• Best configuration depends on three factors:
– Objectives of the network
– Organization’s ability to develop and implement
architectures
– Budget available for function
• Four common architectural implementations of
firewalls: packet filtering routers, screened host
firewalls, dual-homed firewalls, screened
subnet firewalls
Abdul K Mustafa, Fall 2017
 Firewall Architectures (cont’d.)

• Packet filtering routers

– Most organizations with Internet connection have a
router serving as interface to Internet
– Many of these routers can be configured to reject
packets that organization does not allow into
network
– Drawbacks include a lack of auditing and strong
authentication

Abdul K Mustafa, Fall 2017

 Figure 6-10 Packet-Filtering Router

Abdul K Mustafa, Fall 2017

 Firewall Architectures (cont’d.)

• Screened host firewalls, Bastion Hosts

– Combines packet filtering router with separate,
dedicated firewall such as an application proxy
server
– Allows router to prescreen packets to minimize
traffic/load on internal proxy
– Separate host is often referred to as bastion host
• Can be rich target for external attacks and should be
very thoroughly secured
• Also known as a sacrificial host

Abdul K Mustafa, Fall 2017

 Firewall Architectures (cont’d.)

• Dual-homed host firewalls

– Bastion host contains two network interface cards
(NICs): one connected to external network, one
connected to internal network
– Implementation of this architecture often makes use
of network address translation (NAT), creating
another barrier to intrusion from external attackers

Abdul K Mustafa, Fall 2017

 Figure 6-17 Screened Host Firewall

Abdul K Mustafa, Fall 2017

 Table 6-4 Reserved Nonroutable Address Ranges

Abdul K Mustafa, Fall 2017

 Figure 6-16 Dual-Homed Host Firewall

Abdul K Mustafa, Fall 2017

 Firewall Architectures (cont’d.)
• Screened subnet firewall is the dominant
architecture used today
• Commonly consists of two or more internal bastion
hosts behind packet filtering router, with each host
protecting trusted network:
– Connections from outside (untrusted network) routed
through external filtering router
– Connections from outside (untrusted network) are
routed into and out of routing firewall to separate
network segment known as DMZ
– Connections into trusted internal network allowed
only from DMZ bastion host servers
Abdul K Mustafa, Fall 2017
 Firewall Architectures (cont’d.)

• Screened subnet performs two functions:

– Protects DMZ systems and information from outside
threats
– Protects the internal networks by limiting how
external connections can gain access to internal
systems
• Another facet of DMZs: extranets

Abdul K Mustafa, Fall 2017

 Firewall Architectures (cont’d.)

• SOCKS servers
– SOCKS is the protocol for handling TCP traffic via a
proxy server
– A proprietary circuit-level proxy server that places
special SOCKS client-side agents on each
workstation
– A SOCKS system can require support and
management resources beyond those of traditional
firewalls

Abdul K Mustafa, Fall 2017

 Figure 6-14 Screened Subnet (DMZ)

Abdul K Mustafa, Fall 2017

 Selecting the Right Firewall

• When selecting firewall, consider a number of

factors:
– What firewall offers right balance between protection
and cost for needs of organization?
– Which features are included in base price and which
are not?
– Ease of setup and configuration? How accessible
are staff technicians who can configure the firewall?
– Can firewall adapt to organization’s growing
network?
• Second most important issue is cost
Abdul K Mustafa, Fall 2017
 Configuring and Managing Firewalls

• Each firewall device must have own set of

configuration rules regulating its actions
• Firewall policy configuration is usually complex and
difficult
• Configuring firewall policies is both an art and a
science
• When security rules conflict with the performance
of business, security often loses

Abdul K Mustafa, Fall 2017

 Configuring and Managing Firewalls
(cont’d.)
• Best practices for firewalls
– All traffic from trusted network is allowed out
– Firewall device never directly accessed from public
network
– Simple Mail Transport Protocol (SMTP) data allowed
to pass through firewall
– Internet Control Message Protocol (ICMP) data
denied
– Telnet access to internal servers should be blocked
– When Web services offered outside firewall, HTTP
traffic should be denied from reaching internal
networks
Abdul K Mustafa, Fall 2017
 Configuring and Managing Firewalls
(cont’d.)
• Firewall rules
– Operate by examining data packets and performing
comparison with predetermined logical rules
– Logic based on set of guidelines most commonly
referred to as firewall rules, rule base, or firewall
logic
– Most firewalls use packet header information to
determine whether specific packet should be allowed
or denied

Abdul K Mustafa, Fall 2017

 Figure 6-15 Example Network Configuration

Abdul K Mustafa, Fall 2017

 Table 6-5 Select Well-Known Port Numbers

Abdul K Mustafa, Fall 2017

 Table 6-16 External Filtering Firewall Inbound Interface Rule Set

Abdul K Mustafa, Fall 2017

 Table 6-17 External Filtering Firewall Outbound Interface Rule Set

Abdul K Mustafa, Fall 2017

 Content Filters

• Software filter—not a firewall—that allows

administrators to restrict content access from within
network
• Essentially a set of scripts or programs restricting
user access to certain networking
protocols/Internet locations
• Primary focus to restrict internal access to external
material
• Most common content filters restrict users from
accessing non-business Web sites or deny
incoming span
Abdul K Mustafa, Fall 2017
 Protecting Remote Connections

• Installing Internetwork connections requires leased

lines or other data channels; these connections are
usually secured under requirements of formal
service agreement
• When individuals seek to connect to organization’s
network, more flexible option must be provided
• Options such as virtual private networks (VPNs)
have become more popular due to spread of
Internet

Abdul K Mustafa, Fall 2017

 Remote Access

• Unsecured, dial-up connection points represent a

substantial exposure to attack
• Attacker can use device called a war dialer to
locate connection points
• War dialer: automatic phone-dialing program that
dials every number in a configured range and
records number if modem picks up
• Some technologies (RADIUS systems; TACACS;
CHAP password systems) have improved
authentication process

Abdul K Mustafa, Fall 2017

 Remote Access (cont’d.)

• RADIUS, TACACS, and Diameter

– Systems that authenticate user credentials for those
trying to access an organization’s network via dial-up
– Remote Authentication Dial-In User Service
(RADIUS): centralizes management of user
authentication system in a central RADIUS server
– Diameter: emerging alternative derived from
RADIUS
– Terminal Access Controller Access Control System
(TACACS): validates user’s credentials at
centralized server (like RADIUS); based on
client/server configuration
Abdul K Mustafa, Fall 2017
 Figure 6-16 RADIUS Configuration

Abdul K Mustafa, Fall 2017

 Remote Access (cont’d.)

• Securing authentication with Kerberos

– Provides secure third-party authentication
– Uses symmetric key encryption to validate individual
user to various network resources
– Keeps database containing private keys of
clients/servers
– Consists of three interacting services:
• Authentication server (AS)
• Key Distribution Center (KDC)
• Kerberos ticket granting service (TGS)

Abdul K Mustafa, Fall 2017

 Figure 6-17 Kerberos Login

Abdul K Mustafa, Fall 2017

 Figure 6-18 Kerberos Request for Services

Abdul K Mustafa, Fall 2017

 Remote Access (cont’d.)

• Sesame
– Secure European System for Applications in a
Multivendor Environment (SESAME) is similar to
Kerberos
• User is first authenticated to authentication server and
receives token
• Token then presented to privilege attribute server as
proof of identity to gain privilege attribute certificate
• Uses public key encryption; adds additional and more
sophisticated access control features; more scalable
encryption systems; improved manageability; auditing
features; delegation of responsibility for allowing
access
Abdul K Mustafa, Fall 2017
 Virtual Private Networks (VPNs)

• Private and secure network connection between

systems; uses data communication capability of
unsecured and public network
• Securely extends organization’s internal network
connections to remote locations beyond trusted
network
• Three VPN technologies defined:
– Trusted VPN
– Secure VPN
– Hybrid VPN (combines trusted and secure)

Abdul K Mustafa, Fall 2017

 Virtual Private Networks (VPNs)
(cont’d.)
• VPN must accomplish:
– Encapsulation of incoming and outgoing data
– Encryption of incoming and outgoing data
– Authentication of remote computer and (perhaps)
remote user as well

Abdul K Mustafa, Fall 2017

 Virtual Private Networks (VPNs)
(cont’d.)
• Transport mode
– Data within IP packet is encrypted, but header
information is not
– Allows user to establish secure link directly with
remote host, encrypting only data contents of packet
– Two popular uses:
• End-to-end transport of encrypted data
• Remote access worker connects to office network
over Internet by connecting to a VPN server on the
perimeter

Abdul K Mustafa, Fall 2017

 Figure 6-19 Transport Mode VPN

Abdul K Mustafa, Fall 2017

 Virtual Private Networks (VPNs)
(cont’d.)
• Tunnel mode
– Organization establishes two perimeter tunnel
servers
– These servers act as encryption points, encrypting
all traffic that will traverse unsecured network
– Primary benefit to this model is that an intercepted
packet reveals nothing about true destination system
– Example of tunnel mode VPN: Microsoft’s Internet
Security and Acceleration (ISA) Server

Abdul K Mustafa, Fall 2017

 Figure 6-20 Tunnel Mode VPN

Abdul K Mustafa, Fall 2017

 Summary

• Firewalls
– Technology from packet filtering to dynamic stateful
inspection
– Architectures vary with the needs of the network
• Various approaches to remote and dial-up access
protection
– RADIUS and TACACS
• Content filtering technology
• Virtual private networks
– Encryption between networks over the Internet
Abdul K Mustafa, Fall 2017