
WEEK 6

SECURITY TECHNOLOGY:
FIREWALLS AND VPNs

IAS102 - INFORMATION ASSURANCE AND SECURITY


• Discuss access control
• Understand how firewalls work
• Understand virtual private networks

IAS102 – INFORMATION ASSURANCE AND SECURITY 2


WEEK 6 – SECURITY TECHNOLOGY: FIREWALLS AND VPNs

Access Control
• Access control is the method by which a system determines whether and how to admit a user into a trusted area of the organization.
• It is achieved by means of a combination of policies, programs and technologies.
• It can be mandatory, non-discretionary or discretionary.


Access Control
• Mandatory access control (MAC)
  • Uses data classification schemes; users and data owners have limited control over information resources.
• Nondiscretionary control
  • A strictly enforced version of MAC that is managed by a central authority in the organization and can be based on an individual's role.
• Discretionary access control
  • Implemented at the discretion or option of the data user.


Access Control
(Figure: an example of discretionary access control on a peer-to-peer network using Microsoft Windows)
• In general, all access control approaches rely on the following mechanisms:
  • Identification
  • Authentication
  • Authorization
  • Accountability


Access Control
Identification
• Identification is the mechanism whereby an unverified entity, called a supplicant, that seeks access to a resource proposes a label by which it is known to the system.
• Identifier (ID): the label applied to the supplicant or supplied by the supplicant.


Access Control
Authentication
• Authentication is the process of validating a supplicant's purported identity.
• Three widely used authentication mechanisms, or authentication factors:
  • Something a supplicant knows
  • Something a supplicant has
  • Something a supplicant is


Access Control
Authorization
• Authorization is the matching of an authenticated entity to a list of information assets and the corresponding access levels.
• It can be handled in one of three ways:
  • Authorization for each authenticated user
  • Authorization for members of a group
  • Authorization across multiple systems


Access Control
Accountability
• Accountability, also known as auditability, ensures that all actions on a system, authorized or unauthorized, can be attributed to an authenticated identity.
• It is accomplished by means of system logs, database journals and the auditing of these records.


Firewall
• A firewall in information technology prevents specific types of information from moving between the outside world, known as the untrusted network, and the inside world, known as the trusted network.


Firewall
Firewall Processing Modes
• Firewalls fall into five major processing-mode categories:
  • Packet-filtering firewalls
  • Application gateways
  • Circuit gateways
  • MAC layer firewalls
  • Hybrids



Firewall
Packet-Filtering Firewall
(Figure: the structure of an IPv4 packet)
• A technique used to control network access by monitoring outgoing and incoming packets and allowing them to pass or halting them based on the source and destination Internet Protocol addresses, protocols and ports.
• It examines incoming packet headers and filters based on header information such as:
  • Destination address
  • Source address
  • Packet type
  • Other key information


Firewall
Packet-Filtering Firewall
• The restrictions most commonly implemented are based on a combination of the following:
  • IP source and destination address
  • Direction
  • Protocol
  • TCP or UDP source and destination port requests


Firewall
Packet-Filtering Firewalls
• Three subsets of packet-filtering firewalls:
  • Static filtering: allows entire sets of one type of packet to enter in response to authorized requests.
  • Dynamic filtering: allows only particular packets with a particular source, destination and port address to enter.
  • Stateful inspection: also called stateful firewalls; can expedite incoming packets that are responses to internal requests.


Firewall
Application Gateways
• Also known as application-level firewalls, application firewalls or proxy servers.
• Frequently installed on a dedicated computer, separate from the filtering router, but commonly used in conjunction with a filtering router.
• A demilitarized zone (DMZ) is an area between a trusted network and an untrusted network.

Firewall
Circuit Gateway
• Circuit gateways do not usually look at the traffic flowing between one network and another, but they do prevent direct connections between one network and another.


Firewall
MAC Layer Firewall
• MAC layer firewalls link the addresses of specific host computers to ACL entries that identify the specific types of packets that can be sent to each host, and block all other traffic.
Figure 6-6 shows where in the OSI model each of the firewall processing modes inspects data.


Firewall
Hybrid Firewalls
• Combine the elements of other types of firewalls:
  • Packet filtering and proxy server
  • Packet filtering and circuit gateway
• A hybrid may consist of two separate firewall devices, each a separate firewall system, connected so that they work in tandem.


Firewall
Firewall Architecture
• All firewall devices can be configured in a number of network connection architectures.
• Three factors determine the configuration that works best:
  • The objectives of the network
  • The organization's ability to develop and implement the architecture
  • The budget available for the function
• Four common architectural implementations:
  • Packet-filtering routers
  • Screened host firewalls
  • Dual-homed firewalls
  • Screened subnet firewalls


Firewall
Firewall Rules
• Firewall rules examine the control information in individual packets and either block or allow those packets based on the rules that are defined.
• Rules are assigned directly to computers or to policies that are in turn assigned to a computer or a collection of computers.
• Firewall rules operate on the principle of "that which is not permitted is prohibited".
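Added here as a worked example, not taken from the original slides: a small Python packet filter that applies the restriction criteria from the packet-filtering slides (direction, protocol, source/destination address, destination port) as static rules evaluated in order, keeps a state table so that replies to internal requests are expedited as in stateful inspection, and otherwise applies the default-deny principle stated above. All rules, addresses and packets are constructed for the demonstration.

```python
import ipaddress
from collections import namedtuple

# direction is "in" (untrusted -> trusted) or "out" (trusted -> untrusted); a Rule's src/dst are CIDR networks
Packet = namedtuple("Packet", "direction proto src sport dst dport")
Rule = namedtuple("Rule", "action direction proto src dst dport")   # dport None matches any port

def matches(rule, p):
    """Static filtering criteria: direction, protocol, source/destination address, destination port."""
    return (rule.direction == p.direction and rule.proto == p.proto
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == p.dport))

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # (src, sport, dst, dport, proto) of outbound flows the rules permitted

    def decide(self, p):
        # Stateful inspection: an inbound packet answering a tracked internal request is expedited
        if p.direction == "in" and (p.dst, p.dport, p.src, p.sport, p.proto) in self.state:
            return "allow"
        for rule in self.rules:                    # first matching static rule wins
            if matches(rule, p):
                if rule.action == "allow" and p.direction == "out":
                    self.state.add((p.src, p.sport, p.dst, p.dport, p.proto))
                return rule.action
        return "deny"   # default deny: that which is not permitted is prohibited

def demo():
    """Constructed rule set and traffic; returns the decision for each packet in order."""
    fw = StatefulFilter([
        Rule("allow", "out", "tcp", "10.0.0.0/8", "0.0.0.0/0", 443),   # internal hosts may browse HTTPS
        Rule("allow", "in", "tcp", "0.0.0.0/0", "10.0.0.5/32", 25),    # anyone may reach the mail server
    ])
    return [fw.decide(p) for p in (
        Packet("out", "tcp", "10.0.0.7", 51000, "203.0.113.9", 443),   # request from inside
        Packet("in", "tcp", "203.0.113.9", 443, "10.0.0.7", 51000),    # its reply: allowed by the state table
        Packet("in", "tcp", "203.0.113.9", 443, "10.0.0.8", 51000),    # unsolicited "reply": no state, no rule
        Packet("in", "tcp", "198.51.100.4", 40000, "10.0.0.5", 25),    # SMTP to the mail server
        Packet("in", "tcp", "198.51.100.4", 40000, "10.0.0.5", 22),    # SSH is not permitted, so prohibited
    )]
```

Note that the third packet is refused even though it looks like a reply: without a tracked outbound flow there is nothing for the state table to match, so only the static rules and the default apply.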

Firewall
Content Filters
• A content filter is a software filter that allows administrators to restrict access to content from within a network.
• A set of programs that restricts users:
  • From accessing networking protocols and Internet locations
  • From receiving general types or specific examples of Internet content
• Also called reverse firewalls: they restrict internal access to external material.
• Two components:
  • Rating
  • Filtering


Protecting Remote Connections
Remote Access
• Organizations created private networks and allowed individuals and other organizations to connect to them using dial-up or leased-line connections.
• War dialer
  • An automatic phone-dialing program that dials every number in a configured range and checks to see whether a person, an answering machine or a modem picks up.
• Technologies that improved the authentication process:
  • RADIUS, TACACS and Diameter
  • Securing authentication with Kerberos
  • SESAME

Protecting Remote Connections
Virtual Private Networks (VPNs)
• Virtual private networks are implementations of cryptographic technology.
• A VPN is a private and secure network connection between systems.
• The VPNC defines three VPN technologies:
  • Trusted VPNs
  • Secure VPNs
  • Hybrid VPNs


Protecting Remote Connections
Virtual Private Networks (VPNs)
• Trusted VPN
  • Also known as a legacy VPN
  • Uses leased circuits from a service provider and conducts packet switching
• Secure VPN
  • Uses security protocols and encrypts traffic transmitted across unsecured public networks like the Internet
• Hybrid VPN
  • Combines the two, providing encrypted transmission over some or all of a trusted VPN network


Protecting Remote Connections
Virtual Private Networks (VPNs)
• A VPN that proposes to offer a secure and reliable capability while relying on public networks must accomplish the following:
  • Encapsulation
  • Encryption
  • Authentication


Protecting Remote Connections
Virtual Private Networks (VPNs)
• Transport mode
  • The data within the IP packet is encrypted, but the header information is not.
  • Two popular uses of transport mode VPNs:
    • End-to-end transport of encrypted data: two end users communicate directly, encrypting and decrypting their communication.
    • A remote-access worker or teleworker connects to an office network over the Internet by connecting to the VPN.
Figure 6-19 illustrates the transport mode methods of implementing VPNs.

Protecting Remote Connections
Virtual Private Networks (VPNs)
• Tunnel mode
  • Establishes two perimeter tunnel servers that encrypt all traffic that will traverse an unsecured network.
  • An intercepted packet reveals nothing about the true destination system.
Figure 6-20 shows an example of a tunnel mode VPN implementation.
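Added example, not part of the original slides: a Python model of the three VPN requirements (encapsulation, encryption, authentication) that protects the same packet in transport mode and in tunnel mode and shows what an interceptor can read from each. The addresses, key and payload are constructed, and the SHA-256 keystream is a stand-in for the authenticated ciphers (such as AES-GCM) a real IPsec ESP tunnel would use.

```python
import hashlib
import hmac
import struct

def ipv4_header(src, dst, proto=6):
    """Minimal 20-byte IPv4 header; length and checksum left zero since only the addresses matter here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def keystream(key, n):
    # Stand-in stream cipher (SHA-256 in counter mode) so the example runs on the standard library;
    # a real VPN uses an authenticated cipher such as AES-GCM inside IPsec ESP
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor_crypt(key, data):
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))   # same call encrypts and decrypts

def protect(key, mode, inner, tunnel_src=None, tunnel_dst=None):
    """Encapsulate, encrypt and authenticate one packet; returns the bytes an observer sees on the wire."""
    if mode == "transport":
        clear, body = inner[:20], inner[20:]            # original header stays readable, payload is hidden
    elif mode == "tunnel":                               # whole inner packet hidden behind the tunnel servers' header
        clear, body = ipv4_header(tunnel_src, tunnel_dst, proto=50), inner   # 50 = ESP
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    ciphertext = xor_crypt(key, body)
    tag = hmac.new(key, clear + ciphertext, hashlib.sha256).digest()   # encrypt-then-MAC
    return clear + ciphertext + tag

def visible_addresses(wire):
    """What an interceptor learns from the unencrypted outer header."""
    src, dst = struct.unpack("!4s4s", wire[12:20])
    return ".".join(map(str, src)), ".".join(map(str, dst))

def unprotect(key, wire):
    """Verify the tag, then decrypt; returns the payload (transport) or the inner packet (tunnel)."""
    clear, ciphertext, tag = wire[:20], wire[20:-32], wire[-32:]
    expected = hmac.new(key, clear + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: packet altered or not from the peer")
    return xor_crypt(key, ciphertext)

# Constructed sample: host 10.1.1.5 sends to 10.2.2.8; the tunnel servers sit at 198.51.100.1 and 203.0.113.1
KEY = b"constructed-demo-key"
INNER = ipv4_header("10.1.1.5", "10.2.2.8") + b"GET / HTTP/1.1"
TRANSPORT_WIRE = protect(KEY, "transport", INNER)
TUNNEL_WIRE = protect(KEY, "tunnel", INNER, "198.51.100.1", "203.0.113.1")
```

In transport mode `visible_addresses` still returns the real end hosts; in tunnel mode it returns only the two tunnel servers, which is the property the slide above describes.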


Protecting Remote Connections
• The process is straightforward:
  • First, connect to the Internet through an ISP or a direct network connection.
  • Second, establish the link with the remote VPN server.
Figure 6-21 shows the connection screen used to configure the VPN link.
