IA 124: Introduction to IT Security
             VPN & FIREWALL
     Instructor: Minja, Godbless (Assistant Lecturer)
                                 VPN
• Stands for Virtual Private Network
  – An encrypted connection over the Internet from a device to a
    network (or from one network to another).
  – The encrypted connection helps ensure that sensitive data is
    transmitted safely.
     • It prevents unauthorized parties from eavesdropping on or
       tampering with the traffic in transit, and allows the user to
       work remotely.
     • VPN technology is widely used in corporate environments – banks,
       telecommunication companies, government institutions, …
     • Scenario:
        – Imagine an organization with offices across a country, a
          continent or the world. Instead of building its own private
          network between the offices, it connects the offices/branches
          over the public Internet – a VPN is the usual secure solution.
                           VPN
• Traffic on the virtual network is sent securely by
  establishing an encrypted connection across the
  Internet known as a tunnel.
  – VPN traffic from a device such as a computer, tablet, or
    smartphone is encrypted as it travels through this
    tunnel.
     • Offsite employees can then use the virtual network to access
       the corporate network.
                               VPN
• Types of VPN – Two types:
  – Remote access
     • This securely connects a single device outside the corporate office
       to the corporate network.
        – These devices are known as endpoints and may be laptops, tablets,
          or smartphones.
        – Think of remote access as computer to network.
  – Site-to-site
     • This connects the corporate (HQ) office to branch offices
       over the Internet, through a VPN gateway at each site.
        – Site-to-site VPNs are used when distance makes it impractical to
          have direct network connections between these offices.
        – Think of site-to-site access as network to network.
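Here is an added example (not code from the lecture slides) of what a site-to-site tunnel endpoint does with each packet: the HQ gateway takes a packet addressed from one private host to another, encrypts it together with its private addresses, attaches an authentication tag, and sends the result as a packet between the two gateways' public addresses; the branch gateway verifies the tag before decrypting and releasing the inner packet onto its own network. The gateway addresses, the shared keys and the inner packet are constructed for the illustration, and HMAC-SHA256 in counter mode stands in for the authenticated cipher a real VPN (IPsec ESP, WireGuard) would use:

```python
"""Tunnel endpoints for a site-to-site VPN: the gateway wraps each private
packet in an encrypted, authenticated packet addressed to the peer gateway."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # IP address as text, e.g. "10.0.0.5"
    dst: str
    payload: bytes


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (a stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class TunnelEndpoint:
    """One VPN gateway; both ends of a tunnel share enc_key and mac_key."""

    NONCE_LEN = 12
    TAG_LEN = 32

    def __init__(self, local_gw: str, peer_gw: str, enc_key: bytes, mac_key: bytes):
        self.local_gw, self.peer_gw = local_gw, peer_gw
        self.enc_key, self.mac_key = enc_key, mac_key

    def encapsulate(self, inner: Packet) -> Packet:
        """Inner (private) packet -> outer packet between the two gateways."""
        plaintext = b"|".join([inner.src.encode(), inner.dst.encode(), inner.payload])
        nonce = os.urandom(self.NONCE_LEN)
        ciphertext = _xor(plaintext, _keystream(self.enc_key, nonce, len(plaintext)))
        tag = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
        return Packet(self.local_gw, self.peer_gw, nonce + ciphertext + tag)

    def decapsulate(self, outer: Packet) -> Optional[Packet]:
        """Check the tag before touching the ciphertext; None means 'drop it'."""
        if outer.src != self.peer_gw or outer.dst != self.local_gw:
            return None
        body = outer.payload
        if len(body) < self.NONCE_LEN + self.TAG_LEN:
            return None
        nonce = body[:self.NONCE_LEN]
        ciphertext = body[self.NONCE_LEN:-self.TAG_LEN]
        tag = body[-self.TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                     # forged, or modified in transit
        plaintext = _xor(ciphertext, _keystream(self.enc_key, nonce, len(ciphertext)))
        fields = plaintext.split(b"|", 2)
        if len(fields) != 3:
            return None
        return Packet(fields[0].decode(), fields[1].decode(), fields[2])


def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    """HQ gateway sends one inner packet to the branch; a tampered copy is tried too."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)   # constructed shared keys
    hq = TunnelEndpoint("203.0.113.1", "198.51.100.7", enc_key, mac_key)
    branch = TunnelEndpoint("198.51.100.7", "203.0.113.1", enc_key, mac_key)
    inner = Packet("10.0.0.5", "10.1.0.9", b"GET /payroll HTTP/1.1")
    outer = hq.encapsulate(inner)                        # what the Internet sees
    # Flip one bit inside the ciphertext region (after the 12-byte nonce).
    flipped = outer.payload[:20] + bytes([outer.payload[20] ^ 0x01]) + outer.payload[21:]
    tampered = Packet(outer.src, outer.dst, flipped)
    return outer, branch.decapsulate(outer), branch.decapsulate(tampered)


if __name__ == "__main__":
    outer, recovered, rejected = demo()
    print("on the wire:", outer.src, "->", outer.dst, len(outer.payload), "opaque bytes")
    print("at the branch:", recovered)
    print("tampered copy:", rejected)
```

The points worth checking: the packet seen on the Internet carries only the two gateway addresses and opaque bytes (the private 10.x addresses travel inside the ciphertext), and a single flipped bit is rejected by the tag check before any decryption happens. Left out for brevity are replay protection (real protocols number their packets) and the key exchange that establishes enc_key and mac_key.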
                              Firewall
• Most organizations require a network to perform
  their operations/tasks:
     • A network within a branch, and links to other branches
     • An Internet connection
     • Clients/customers/business partners also need access to the
       organization's remotely accessible electronic services.
  – As a result an Internet connection is not optional for most
    organizations.
     • Examples of such organizations:
        –   Government institutions, agencies, ministries, … other offices
        –   Banks – branches
        –   Telecom companies – zones/branches
        –   Other businesses
                          Firewall
• Whilst the Internet allows organizations to perform
  their tasks better, it also enables the outside
  world to reach these organizations.
  – This poses a threat to these organizations.
     • As a result a means to protect the organizations is needed.
                             Firewall
• Possible approach:
  – One can aim to implement strong security features on
    all machines on the local network.
     • But this becomes more challenging if the network consists of
       hundreds or thousands of computers running various OSs
       (Windows, macOS and Linux).
        – What if a security flaw is discovered in one of the OSs?
           » Fixing the issue on every machine is costly – a resource-intensive approach.
                • It takes time and other resources to fix the issue everywhere.
           » This approach is difficult, though possible.
                • It is necessary if only host-based security is used.
                         Firewall
• Alternative approach (more effective):
  – The use of a firewall
     • Widely accepted alternative
     • Can also be used to complement host-based security.
• The firewall
  – It is inserted between the premises (trusted) network
    and the Internet (untrusted) to establish a controlled
    link and to create an outer security wall or perimeter.
  – Goal:
     • Protect the premises network from Internet-based attacks
       and to provide a single choke point where security and
       auditing can be imposed.
                        Firewall
• The firewall may be a single computer system or a
  set of two or more systems that cooperate to
  perform the firewall function.
  – It provides an additional layer of defence, insulating the
    internal systems from external networks.
                  Before Firewalls
• Before the existence of dedicated firewalls, network security
  was performed using Access Control Lists (ACLs).
  – ACLs resided on routers.
  – ACLs are rules that determine whether network access
    should be granted or denied to specific IP addresses.
     • But an ACL cannot determine the nature of the packets it is blocking
       (it sees addresses, not the application data).
     • Also, an ACL alone does not have the capacity to keep threats
       out of the network.
     • Hence, the firewall was introduced.
                What is a firewall?
• Is software or hardware that checks information
  coming from the Internet or a network, and then
  either blocks it or allows it to pass through to a
  computer or network, depending on the configured
  rules.
  – It defines a single choke point of control and
    monitoring that keeps unauthorized users out of the
    protected network.
     • It isolates the organization’s internal network from other networks
       like the Internet, allowing some packets to pass while
       blocking others.
             What is a firewall?
– The firewall can permit, deny, or redirect the flow of
  data.
                      Firewalls
• For firewalls to work effectively:
  – All traffic between the internal and external networks
    must flow through the firewall – this gives us a single
    point of control.
  – It must be properly configured, managed, and audited.
• NOTE:
  – Firewalls implement and enforce a security policy
    for communication between networks.
  – The earliest firewalls were simply routers.
              Firewall Design Goals
• Below are the firewall design goals:
  – All traffic from inside to outside, and vice versa, must
    pass through the firewall.
     • This is achieved by physically blocking all access to the local
       network except via the firewall.
        – The firewall is used as the gate into and out of the local network.
  – Only authorized traffic, as defined by the local security
    policy, will be allowed to pass.
     • Various types of firewalls are used, which implement various
       types of security policies.
                 Firewall Design Goals
• NOTE:
  – A critical component in the planning and implementation
    of a firewall is specifying a suitable access policy.
     • This lists the types of traffic allowed to pass the firewall
       including:
          –   (IP) Address ranges
          –   Protocols
          –   Applications
          –   Content types
     • The policy should be developed from an organization’s
       information security risk assessment and policy.
     Firewall Filtering Characteristics
• A firewall can filter traffic based on a number of
  characteristics, including:
  – IP Address and Protocol Values
  – Application Protocol
  – User Identity
  – Network Activity
    Firewall Filtering Characteristics
• IP Address and Protocol Values
  – Controls access based on source or destination address
    and port numbers (which identify the service: 80 for HTTP, 443
    for HTTPS, 21 for FTP, …), direction of flow (inbound or outbound)
    and other network- and transport-layer characteristics.
  – This is typically used by packet filter and stateful
    inspection firewalls.
  – It is usually used to limit access to specific services.
     Firewall Filtering Characteristics
• Application Protocol
  – Controls access based on authorized application protocol
    data.
     • Used by application level gateway that relays and monitors the
       exchange of information for specific application protocol such as
       checking SMTP email for spam, or HTTP web requests to
       authorized sites only.
• User Identity
  – Controls access based on user identity, usually for inside
    users.
• Network Activity
  – Controls access based on considerations such as the time of the
    request or the rate of requests.
     • E.g. only during business hours, or rate limiting to detect
       scanning attempts or other suspicious patterns.
                   Firewall Scope
• The following capabilities are within the scope of
  firewalls:
  – A firewall defines a single choke point.
     • It attempts to keep unauthorized users out of the protected
       network, prohibit potentially vulnerable services from
       entering or leaving the network, and provide protection from
       various kinds of security attacks.
     • The use of a single choke point simplifies security
       management because security capabilities are consolidated
       on a single system or set of systems.
  – A firewall provides a location for monitoring security-
    related events.
     • Audits and alarms can be implemented on the firewall
       system.
                   Firewall Scope
• The following capabilities are within the scope of
  firewalls: Continued…
  – A firewall is a convenient platform for several Internet
    functions that are not security related.
     • These include a network address translator, which maps local
       addresses to Internet addresses, and a network management
       function that audits or logs Internet usage.
                 Firewall Limitations
• Firewalls have their limitations, including the
  following:
   – The firewall cannot protect against attacks that bypass the
     firewall.
      • A host that connects to an ISP (the Internet) directly – by dial-up
        modem, or today by a mobile hotspot – bypasses the firewall, so its
        traffic is neither filtered nor logged.
   – The firewall may not protect fully against internal threats.
      • Such as a disgruntled employee, or an employee who unwittingly
        cooperates with an external attacker.
      • Poor management of passwords.
   – A laptop, PDA, or portable storage device may be used and
     infected outside the corporate network and then attached
     and used internally.
      • This can result in malware (viruses, worms, …) infecting the local
        network regardless of the presence of the firewall, because the
        infection never crosses the perimeter.
                Types of Firewall
• Common types of firewalls:
  – Packet filtering firewall
  – Circuit level gateway
  – Application level gateway
  – Stateful Inspection Firewall
                  Types of Firewall
• Common types of firewalls: Cont…
  – Packet filtering firewall
     • This performs a simple check of each packet passing through the
       router, inspecting header fields such as the source and destination
       IP addresses, the protocol and the port numbers, without opening
       up the packet to inspect its contents.
        – Each packet is judged on its own: the filter keeps no memory of
          earlier packets, so it cannot tell a reply from an unsolicited packet.
     • They are not resource intensive.
        – They have little impact on performance and are relatively simple.
                   Types of Firewall
• Common types of firewalls: Cont…
  – Circuit level gateway
     • Works by verifying the transmission control protocol (TCP)
       handshake.
        – This TCP handshake check is designed to make sure that the session
          the packet is from is legitimate.
        – Similar to packet filtering firewalls, they are resource efficient too.
        – NOTE:
            » They do not check the packet itself.
                 • So, if a packet held malware, but had the right TCP
                    handshake, it would pass right through.
                      • This is why circuit-level gateways are not enough to
                        protect your business by themselves.
                  Types of Firewall
• Common types of firewalls: Cont…
  – Stateful Inspection Firewall
     • These firewalls combine both packet inspection technology
       and TCP handshake verification to create a level of protection
       greater than either of the previous two architectures could
       provide alone.
     • However, these firewalls do put more of a strain on
       computing resources as well. This may slow down the transfer
       of legitimate packets compared to the other solutions.
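The circuit-level gateway and stateful inspection firewall descriptions above, as one added example (not from the slides): a connection table keyed on the inside host's 4-tuple, created only by an outbound SYN and advanced by the handshake flags, so that inbound segments are admitted only when they belong to a connection an inside host opened. The addresses, ports and the segment trace are constructed for the illustration:

```python
"""Stateful inspection: a connection table keyed on the 4-tuple and driven by
the TCP handshake flags; inbound segments are allowed only when they belong
to a connection an inside host opened."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits


@dataclass(frozen=True)
class Segment:
    direction: str   # "out" = premises -> Internet, "in" = Internet -> premises
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


Key = Tuple[str, int, str, int]   # (inside host, its port, outside host, its port)


class StatefulFirewall:
    def __init__(self) -> None:
        self.table: Dict[Key, str] = {}

    @staticmethod
    def _key(seg: Segment) -> Key:
        """Orient the tuple from the inside host so both directions share one entry."""
        if seg.direction == "out":
            return (seg.src, seg.sport, seg.dst, seg.dport)
        return (seg.dst, seg.dport, seg.src, seg.sport)

    def process(self, seg: Segment) -> str:
        key = self._key(seg)
        state = self.table.get(key)

        if state is None:
            # Only an outbound SYN from the premises may create state.
            if seg.direction == "out" and seg.flags == SYN:
                self.table[key] = "SYN_SENT"
                return "allow"
            # Unsolicited inbound SYN, a bare-ACK probe, or a stray outbound segment.
            return "deny"

        if seg.flags & RST:
            del self.table[key]
            return "allow"
        if seg.flags & FIN:
            self.table[key] = "CLOSING"          # real firewalls also time this out
            return "allow"

        if state == "SYN_SENT":
            if seg.direction == "in" and seg.flags == SYN | ACK:
                self.table[key] = "SYN_RECV"
                return "allow"
            if seg.direction == "out" and seg.flags == SYN:
                return "allow"                   # client retransmitting its SYN
            return "deny"
        if state == "SYN_RECV":
            if seg.direction == "out" and seg.flags & ACK:
                self.table[key] = "ESTABLISHED"
                return "allow"
            return "deny"
        return "allow"   # ESTABLISHED or CLOSING: data on a connection we watched open


TRACE: List[Tuple[str, Segment]] = [   # constructed segments, in arrival order
    ("client_syn",      Segment("out", "192.0.2.33", 51000, "203.0.113.9", 443, SYN)),
    ("server_synack",   Segment("in",  "203.0.113.9", 443, "192.0.2.33", 51000, SYN | ACK)),
    ("client_ack",      Segment("out", "192.0.2.33", 51000, "203.0.113.9", 443, ACK)),
    ("server_data",     Segment("in",  "203.0.113.9", 443, "192.0.2.33", 51000, ACK)),
    ("unsolicited_syn", Segment("in",  "198.51.100.66", 40000, "192.0.2.33", 445, SYN)),
    ("ack_probe",       Segment("in",  "198.51.100.66", 40000, "192.0.2.33", 445, ACK)),
    ("forged_reply",    Segment("in",  "198.51.100.66", 443, "192.0.2.33", 51000, ACK)),
    ("server_fin",      Segment("in",  "203.0.113.9", 443, "192.0.2.33", 51000, FIN | ACK)),
]


def run_trace() -> Dict[str, str]:
    fw = StatefulFirewall()
    return {name: fw.process(seg) for name, seg in TRACE}


if __name__ == "__main__":
    for name, verdict in run_trace().items():
        print(f"{name:16} {verdict}")
```

The trace shows the handshake being allowed step by step, an unsolicited inbound SYN to 445 denied, a bare ACK probe (which a stateless rule that treats the ACK bit as "established" would pass) denied, and a forged reply from the wrong source denied. It also shows the limitation the slides give for circuit-level gateways: server_data is allowed purely because the handshake was seen; nothing here looks at the bytes it carries.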
                    Types of Firewall
• Common types of firewalls: Cont…
  – Application (proxy) level gateway
     • These operate at the application layer to filter traffic
       between your network and the other party – hence the
       name “application-level gateway”.
     • Rather than letting the client and the server connect directly, the
       gateway terminates the client's connection itself, inspects the
       request, and opens a separate connection to the destination on the
       client's behalf; only traffic it has parsed and approved is relayed.
     • This check goes beyond the stateful inspection firewall: in addition to
       the packet headers and the TCP handshake, it understands the
       application protocol being carried.
         – Proxy firewalls can therefore perform deep packet inspection,
           checking the actual contents of the data (e.g. a file being
           uploaded or downloaded) for malware or policy violations.
         – Their main drawback is that they can create significant slowdown
           because of the extra steps in processing each request, and a
           separate proxy is needed for each application protocol.
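An added example (not part of the lecture) of the application-level gateway behaviour described above, for HTTP: the gateway parses the client's request itself, enforces a method allowlist, permits only authorized sites, matches the body against a signature list, and then forwards a request it builds rather than the client's raw bytes. The authorized sites, the signature list (the EICAR test string, the standard harmless anti-virus test pattern, stands in for real malware signatures) and the sample requests are constructed:

```python
"""Application-level (proxy) gateway for HTTP: the gateway parses the request
itself and forwards only what the policy understands and allows."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

AUTHORIZED_SITES = {"intranet.example", "www.example.org"}   # constructed policy
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
MAX_BODY = 1_000_000
# Constructed signature list; EICAR is the standard harmless AV test pattern.
SIGNATURES = [b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"]
# Headers that concern only the client<->proxy hop and must not be relayed.
HOP_BY_HOP = {"connection", "proxy-connection", "keep-alive", "te", "trailer",
              "transfer-encoding", "upgrade", "proxy-authorization"}


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_request(raw: bytes) -> Request:
    """Parse one HTTP/1.x request strictly; anything odd raises ValueError."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of header block")
    lines = head.decode("ascii").split("\r\n")          # non-ASCII -> UnicodeDecodeError
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    req = Request(parts[0], parts[1], parts[2])
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line")
        req.headers[name.lower()] = value.strip()
    length_text = req.headers.get("content-length", "0")
    if not length_text.isdigit():
        raise ValueError("bad Content-Length")
    if int(length_text) != len(body):
        # Short: incomplete request. Long: trailing bytes that could be a second,
        # smuggled request; neither is forwarded.
        raise ValueError("body length does not match Content-Length")
    req.body = body
    return req


def inspect(raw: bytes) -> Tuple[str, str]:
    """Return ("allow", request the gateway forwards) or ("deny", reason)."""
    try:
        req = parse_request(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return "deny", f"unparseable request: {exc}"
    if req.method not in ALLOWED_METHODS:
        return "deny", f"method {req.method} not permitted"
    host = req.headers.get("host", "").split(":")[0].lower()
    if host not in AUTHORIZED_SITES:
        return "deny", f"host {host!r} is not an authorized site"
    if len(req.body) > MAX_BODY:
        return "deny", "body exceeds size limit"
    for sig in SIGNATURES:
        if sig in req.body:
            return "deny", "body matches a malware signature"
    # The gateway never relays the client's bytes; it emits its own request,
    # keeping only the headers meant for the origin server.
    out = [f"{req.method} {req.target} {req.version}"]
    out += [f"{k}: {v}" for k, v in req.headers.items() if k not in HOP_BY_HOP]
    out.append("Via: 1.1 app-gateway")
    return "allow", "\r\n".join(out) + "\r\n\r\n" + req.body.decode("latin-1")


EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SAMPLES: Dict[str, bytes] = {   # constructed requests
    "allowed_get": b"GET /news HTTP/1.1\r\nHost: www.example.org\r\nProxy-Connection: keep-alive\r\n\r\n",
    "unauthorized_site": b"GET / HTTP/1.1\r\nHost: evil.example\r\n\r\n",
    "bad_method": b"DELETE /records HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    "malware_upload": (b"POST /upload HTTP/1.1\r\nHost: intranet.example\r\n"
                       + b"Content-Length: %d\r\n\r\n" % len(EICAR) + EICAR),
    "smuggled_extra": b"POST /a HTTP/1.1\r\nHost: intranet.example\r\nContent-Length: 2\r\n\r\nabGET /b HTTP/1.1\r\n",
    "not_http": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1",   # looks like a TLS record, not HTTP
}


def run_samples() -> Dict[str, str]:
    return {name: inspect(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} {inspect(raw)}")
```

Because the gateway re-emits only what it parsed, oddities such as extra bytes after the declared body (smuggled_extra) or a non-HTTP byte stream arriving on the web port (not_http) never reach the origin server, and the hop-by-hop Proxy-Connection header is dropped from the forwarded request. This parsing and rebuilding is the "extra steps in processing" the slides name as the proxy's cost.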
END