6: Security Technology 1

Technical controls

essential in enforcing policy for many IT functions that do not involve direct human control

Technical control solutions

improve an organization's ability to balance making information readily available against increasing information's levels of confidentiality and integrity

Access control

method by which systems determine whether and how to admit a user into a trusted area of the organization

Mandatory access controls (MACs)

use data classification schemes

Nondiscretionary controls

strictly-enforced version of MACs that are managed by a central authority

Discretionary access controls (DACs)

implemented at the discretion or option of the data user

Identification

mechanism whereby an unverified entity that seeks access to a resource proposes a label by which they are known to the system

Supplicant

entity that seeks a resource

Identifiers

can be composite identifiers, concatenating elements-department codes, random numbers, or special characters to make them unique

Authentication

the process of validating a supplicant's purported identity

Authentication factors

Something a supplicant knows, Something a supplicant has, Something a supplicant is

Password

a private word or combination of characters that only the user should know

Passphrase

a series of characters, typically longer than a password, from which a virtual password is derived

Smart card

contains a computer chip that can verify and validate information

Something a supplicant has

Smart card, Synchronous tokens, Asynchronous tokens

Something a supplicant is

Relies upon individual characteristics, Strong authentication

Authorization

the matching of an authenticated entity to a list of information assets and corresponding access levels

Authorization tickets

used to handle authorization

Accountability (auditability)

ensures that all actions on a system—authorized or unauthorized—can be attributed to an authenticated identity

Systems logs

record specific information

Firewalls

Prevent specific types of information from moving between the outside world (untrusted network) and the inside world (trusted network)

Five processing modes by which firewalls can be categorized

Packet filtering, Application gateways, Circuit gateways, MAC layer firewalls, Hybrids

Packet filtering firewalls

examine header information of data packets

Simple firewall models

enforce rules designed to prohibit packets with certain addresses or partial addresses

Three subsets of packet filtering firewalls

Static filtering, Dynamic filtering, Stateful inspection

Static filtering

requires that filtering rules governing how the firewall decides which packets are allowed and which are denied are developed and installed

Dynamic filtering

allows firewall to react to emergent event and update or create rules to deal with event

Stateful inspection

firewalls that keep track of each network connection between internal and external systems using a state table

Application gateways

Frequently installed on a dedicated computer; also known as a proxy server

Proxy server exposure

Since proxy server is often placed in unsecured area of the network (e.g., DMZ), it is exposed to higher levels of risk from less trusted networks

Additional filtering routers

can be implemented behind the proxy server, further protecting internal systems

Circuit gateway firewall

Operates at transport layer

Circuit gateway function

Like filtering firewalls, do not usually look at data traffic flowing between two networks, but prevent direct connections between one network and another

Circuit gateway accomplishment

Accomplished by creating tunnels connecting specific processes or systems on each side of the firewall, and allow only authorized traffic in the tunnels

MAC layer firewalls

Designed to operate at the media access control layer of OSI network model

MAC layer firewalls capability

Able to consider specific host computer's identity in its filtering decisions

MAC addresses of specific host computers

are linked to access control list (ACL) entries that identify specific types of packets that can be sent to each host; all other traffic is blocked

Hybrid firewalls

Combine elements of other types of firewalls; i.e., elements of packet filtering and proxy services, or of packet filtering and circuit gateways;

Hybrid firewalls

Alternately, may consist of two separate firewall devices; each a separate firewall system, but connected to work in tandem

First generation

static packet filtering firewalls

Second generation

application-level firewalls or proxy servers

Third generation

stateful inspection firewalls

Fourth generation

dynamic packet filtering firewalls; allow only packets with particular source, destination, and port addresses to enter

Fifth generation

kernel proxies; specialized form working under kernel of Windows NT

Firewall categories by structure

Commercial-grade firewall system, Small office/home office (SOHO) firewall appliances, Residential-grade firewall software

Firewall devices

can be configured in a number of network connection architectures

Packet filtering routers

Most organizations with Internet connection have a router serving as interface to Internet;

Packet filtering routers

Many of these routers can be configured to reject packets that organization does not allow into network;

Packet filtering routers

Drawbacks include a lack of auditing and strong authentication

Screened host firewalls

Combines packet filtering router with separate, dedicated firewall such as an application proxy server;

Screened host firewalls

Allows router to prescreen packets to minimize traffic/load on internal proxy

Bastion host

Separate host often referred to as a --

Bastion host

can be rich target for external attacks and should be very thoroughly secured

Bastion host

Also known as a sacrificial host

Dual-homed host firewalls

Bastion host contains two network interface cards (NICs): one connected to external network, one connected to internal network;

Dual-homed host firewalls

Implementation of this architecture often makes use of network address translation (NAT), creating another barrier to intrusion from external attackers

Screened subnet firewall

the dominant architecture used today; Commonly consists of two or more internal bastion hosts behind packet filtering router, with each host protecting trusted network

Another facet of DMZs

extranets

SOCKS servers

SOCKS is the protocol for handling TCP traffic via a proxy server

SOCKS servers

A proprietary circuit-level proxy server that places special SOCKS client-side agents on each workstation;

SOCKS system

A -- can require support and management resources beyond those of traditional firewalls

Second most important issue in selecting a firewall

cost

Content Filters

Software filter—not a firewall—that allows administrators to restrict content access from within network;

Content Filters

Essentially a set of scripts or programs restricting user access to certain networking protocols/Internet locations

Content Filters

Primary focus to restrict internal access to external material;

Content Filters

Most common -- restrict users from accessing non-business Web sites or deny incoming span

Internetwork connections

Installing requires leased lines or other data channels; these connections are usually secured under requirements of formal service agreement

virtual private networks (VPNs)

Options such as -- have become more popular due to spread of Internet

Remote Access

Unsecured, dial-up connection points represent a substantial exposure to attack

war dialer

Attacker can use device called a -- to locate connection points

War dialer

automatic phone-dialing program that dials every number in a configured range and records number if modem picks up

RADIUS, TACACS, and Diameter

Systems that authenticate user credentials for those trying to access an organization's network via dial-up

Remote Authentication Dial-In User Service (RADIUS)

centralizes management of user authentication system in a central RADIUS server

Diameter

emerging alternative derived from RADIUS

Terminal Access Controller Access Control System (TACACS)

validates user's credentials at centralized server (like RADIUS); based on client/server configuration

Sesame meaning

Secure European System for Applications in a Multivendor Environment (SESAME)

Sesame

User is first authenticated to authentication server and receives token

Token then presented to privilege attribute server as proof of identity to gain privilege attribute certificate

Uses public key encryption; adds additional and more sophisticated access control features; more scalable encryption systems; improved manageability; auditing features; delegation of responsibility for allowing access

Virtual Private Networks (VPNs)

Private and secure network connection between systems; uses data communication capability of unsecured and public network;

Virtual Private Networks (VPNs)

Securely extends organization's internal network connections to remote locations beyond trusted network

Tunnel mode

Organization establishes two perimeter tunnel servers; These servers act as encryption points, encrypting all traffic that will traverse unsecured network; Primary benefit to this model is that an intercepted packet reveals nothing about true destination system

Example of tunnel mode VPN

Microsoft's Internet Security and Acceleration (ISA) Server

Firewalls

Technology from packet filtering to dynamic stateful inspection; Architectures vary with the needs of the network

Virtual private networks

Encryption between networks over the Internet