Ch 6 - Security Technology: Firewalls and VPNs Flashcards

1
Q

Story Time

Beg. Chapter

A

Kelvin Urich - scheduled to present a plan for the Internet connection architecture to Charlie Moody and the IT planning staff in 2 weeks

Without this plan they cannot start costing the project or planning for deployment

Laverne Nguyen (architecture team) - no consensus on the 2 design alternatives presented by the consultant:

  1. Screened subnet with bastion hosts
  2. Screened subnet with proxy servers

Miller Harrison (contractor brought in to help with the project) - seems to be in disagreement and pouting.

Ends with Kelvin calling a meeting with the consultant for the next day to make the decision

2
Q

Learning Objectives

A
  1. Recognize the important role of access control in computerized information systems, and identify and discuss commonly used authentication factors
  2. Describe firewall technology and the various approaches to its implementation
  3. Identify the various approaches to control remote and dial-up access by means of the authentication and authorization of users
  4. Discuss content filtering technology
  5. Describe the technology that enables the use of VPNs (virtual private networks).
3
Q

Access Control

A

is the method by which systems determine whether and how to admit a user into a trusted area of the organization.

Examples of a trusted area: a physically restricted area such as a computer room, or an information system.

How is access control achieved? Via a combination of policies, programs, and technologies.

Access controls can be: mandatory, nondiscretionary, or discretionary

4
Q

Mandatory access controls (MACs)

A

use data classification schemes, giving users and data owners limited controls over access to information resources.

How does a data classification scheme work?

Information is rated by sensitivity and each user is assigned the level of information that they may access

5
Q

Lattice-based access control

A

a form of access control in which users are assigned a matrix of authorizations for particular areas of access.

It relies on:

Access Control List (ACL) - a column of the matrix: the attributes of a particular object (e.g., a printer), listing which subjects may access it and how

Capabilities Table - a row of the matrix: the attributes associated with a particular subject, listing which objects that subject may access and how
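The following is an added example (not from the flashcards or the textbook they summarize) that builds the matrix described above from a lattice of labels, then shows that an ACL is one column of that matrix and a capabilities table is one row. The lattice used here is the common one formed by a sensitivity level plus a set of compartments, with "subject dominates object" as the access rule; that rule, the level names, and all subjects and objects are assumptions made for the example.

```python
"""Lattice-based access control: labels -> access matrix -> ACL / capabilities.

A label is (level, compartments). Subject S may read object O when S's level
is at least O's level AND S holds every compartment O carries. That dominance
relation is the lattice ordering; the access matrix is derived from it, so the
same decision can be read off either by column (ACL) or by row (capabilities).
"""
from dataclasses import dataclass

# Assumed ordering of sensitivity levels (low -> high).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice ordering: higher-or-equal level and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


# Constructed subjects (users with clearances) and objects (classified assets).
SUBJECTS = {
    "alice": Label("secret", frozenset({"hr", "finance"})),
    "bob": Label("confidential", frozenset({"finance"})),
    "carol": Label("internal"),
}
OBJECTS = {
    "payroll.xlsx": Label("confidential", frozenset({"hr", "finance"})),
    "budget.pdf": Label("confidential", frozenset({"finance"})),
    "handbook.txt": Label("internal"),
    "printer": Label("public"),
}


def can_read(subject: str, obj: str) -> bool:
    """Single decision straight from the lattice, no matrix needed."""
    return SUBJECTS[subject].dominates(OBJECTS[obj])


def access_matrix(subjects=SUBJECTS, objects=OBJECTS):
    """Rows are subjects, columns are objects; True means read is permitted."""
    return {s: {o: sl.dominates(ol) for o, ol in objects.items()}
            for s, sl in subjects.items()}


def acl(obj: str, matrix=None):
    """Column view: the subjects permitted to access this one object."""
    if matrix is None:
        matrix = access_matrix()
    return sorted(s for s, row in matrix.items() if row[obj])


def capabilities(subject: str, matrix=None):
    """Row view: the objects this one subject is permitted to access."""
    if matrix is None:
        matrix = access_matrix()
    return sorted(o for o, allowed in matrix[subject].items() if allowed)


if __name__ == "__main__":
    m = access_matrix()
    for s in SUBJECTS:
        print(f"{s:6} capabilities: {capabilities(s, m)}")
    for o in OBJECTS:
        print(f"{o:13} ACL: {acl(o, m)}")
```

Note that bob is denied payroll.xlsx even though his level (confidential) equals the file's level: the lattice also requires every compartment, and he lacks "hr". That is the property a plain level-only scheme cannot express.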

6
Q

Nondiscretionary Controls

A

a strictly enforced version of MACs that is managed by a central authority in the organization.

Can be role-based controls (tied to the user's role) or task-based controls (tied to the task being performed)

7
Q

Discretionary access controls (DACs)

A

implemented at the discretion or option of the data user.

8
Q

Authentication

A

process of validating a supplicant’s purported identity

9
Q

3 widely used authentication mechanisms (factors):

A
  1. Something the supplicant knows
  2. Something a supplicant has
  3. Something a supplicant is
10
Q

Something a supplicant knows?

A
  1. password
  2. passphrase
11
Q

Something a supplicant has?

A
  1. dumb cards (e.g., ATM cards)
  2. smart cards
  3. synchronous tokens
  4. asynchronous tokens
12
Q

Something a supplicant is or can produce (biometrics)?

A
  1. fingerprints, palm prints, hand topography
  2. iris scans, voice patterns
  3. signatures

13
Q

authorization

A

the matching of an authenticated entity to a list of information assets and corresponding access levels

14
Q

accountability or auditability

A

ensures that all actions on a system, authorized or otherwise, can be attributed to an authenticated identity

15
Q

Firewalls

A

prevents specific types of information from moving between the outside world, known as the untrusted network, and the inside world, known as the trusted network.

Firewalls can be categorized by: processing mode, development era (generation), or structure

16
Q

Firewall processing mode categories

A
  1. Packet-filtering firewalls
  2. Application gateways
  3. Circuit gateways
  4. MAC layer firewalls
  5. Hybrids - use a combination of the previous four; most firewalls fall into this category
17
Q

Packet-filtering firewalls

A

Packet-filtering firewalls examine the header of every incoming packet and can selectively filter packets based on header information such as destination address, source address, packet type, and other key fields. They do not examine the packet's contents.

18
Q

Packet-filtering Firewalls Types

A
  1. Static - rules are fixed in advance and applied to every packet in isolation
  2. Dynamic - the firewall can adjust its rules in response to traffic it sees
  3. Stateful - tracks the state of each connection and admits only traffic belonging to a known connection (more thorough, more processing required)
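To make the difference between the three types concrete, here is an added example (not from the flashcards) that runs the same constructed traffic through a static filter and a stateful one. The addresses, ports and rules are assumptions for the example. The static filter must open every high port to let replies back in, which also lets an unsolicited probe through; the stateful filter opens a return path only for a connection that the inside initiated, which is also the core of what a dynamic filter does when it adjusts its rules on the fly.

```python
"""Static vs stateful packet filtering on constructed traffic.

Each Packet is the header fields a packet filter sees: addresses, ports and
TCP flags. Neither filter looks at payload. The static filter decides from
the header alone; the stateful filter keeps a connection table.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


INSIDE_PREFIX = "10.0.0."          # assumed trusted-network range


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def static_filter(pkt: Packet) -> str:
    """Static rules, header only, default deny.

    Outbound is allowed. Inbound must be allowed to every ephemeral port
    (>= 1024) because the filter has no memory of which replies are expected.
    """
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return "allow"
    if not is_inside(pkt.src) and is_inside(pkt.dst):
        return "allow" if pkt.dport >= 1024 else "deny"
    return "deny"


class StatefulFilter:
    """Remembers connections opened from inside; admits only their replies."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port)
        self.table = set()

    def decide(self, pkt: Packet) -> str:
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            if pkt.syn and not pkt.ack:            # new outbound connection
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if not is_inside(pkt.src) and is_inside(pkt.dst):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            # Only a reply (ACK set) to a tracked connection gets in.
            return "allow" if key in self.table and pkt.ack else "deny"
        return "deny"


# Constructed traffic: an internal client opens a web connection, the server
# replies, then an outside host probes an internal RDP port it was never asked to.
TRAFFIC = [
    Packet("10.0.0.7", 51000, "203.0.113.5", 443, syn=True),
    Packet("203.0.113.5", 443, "10.0.0.7", 51000, syn=True, ack=True),
    Packet("198.51.100.9", 4444, "10.0.0.7", 3389, syn=True),
]


def compare(traffic=TRAFFIC):
    """Return the verdict each filter gives for each packet, in order."""
    stateful = StatefulFilter()
    return {
        "static": [static_filter(p) for p in traffic],
        "stateful": [stateful.decide(p) for p in traffic],
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

The third packet is the one that matters: the static filter admits it because 3389 is above 1024, while the stateful filter rejects it because no inside host ever opened a connection to 198.51.100.9.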
19
Q

Application Gateways - application-level firewall - application firewall

A

is frequently installed on a dedicated computer, separate from the filtering router, but is commonly used in conjunction with a filtering router. The application firewall is also known as a proxy server since it runs special software that acts as a proxy for a service request.

20
Q

Circuit Gateways Firewall

A

operates at the transport layer.

Connections are authorized based on addresses. Like filtering firewalls, circuit gateway firewalls do not usually look at the content of traffic flowing between one network and another, but they do prevent direct connections between the two networks. They accomplish this by creating tunnels connecting specific processes or systems on each side of the firewall, and then allowing only authorized traffic, such as a specific type of TCP connection for authorized users, in these tunnels.

21
Q

MAC Layer Firewalls

A

Operate at the media access control sublayer of the data link layer (Layer 2). MAC layer firewalls link the addresses of specific host computers to ACL entries that identify the specific types of packets that can be sent to each host, and block all other traffic.

22
Q

Firewall processing inspection location

A
23
Q

Firewalls by generation

First - Fifth

A
  1. static packet-filtering firewalls
  2. application-level firewalls or proxy servers
  3. stateful inspection firewalls
  4. dynamic packet-filtering firewalls
  5. kernel proxy firewalls - a specialized form that works under the Windows NT Executive (the Windows NT kernel); evaluates packets at multiple layers of the protocol stack
24
Q

Firewalls Categorized by Structure

A
  1. Commercial-grade firewall appliances
  2. Commercial-grade firewall systems
  3. Small office/Home office (SOHO) Firewall appliances
  4. Residential-Grade Firewall Software
25
Q

Firewall Architectures

A
  1. Packet-filtering routers
  2. Screened-host firewalls
  3. Dual-Homed firewalls
  4. Screened subnet firewalls
26
Q

Packet Filtering Routers

A

Most organizations with an Internet connection have some form of a router at the boundary between the organization’s internal networks and the external service provider. Many of these routers can be configured to reject packets that the organization does not want to allow into the network

27
Q

Screened Host Firewalls

A

Screened host firewalls combine the packet-filtering router with a separate, dedicated firewall, such as an application proxy server.

Bastion Host - the separate host/proxy server; the sole defender on the network perimeter; sometimes called a sacrificial host

28
Q

Dual-Homed Host Firewalls

A

When this architectural approach is used, the bastion host contains two NICs (network interface cards) rather than one, as in the screened host configuration. One NIC is connected to the external network and one to the internal network, providing an additional layer of protection. With two NICs, all traffic must physically pass through the firewall to move between the internal and external networks.

29
Q

Screened Subnet Firewalls (with DMZ)

A

The dominant architecture used today is the screened subnet firewall. The architecture of a screened subnet firewall provides a DMZ. The DMZ can be a dedicated port on the firewall device linking a single bastion host, or it can be connected to a screened subnet

Until recently, servers providing services through an untrusted network were commonly placed in the DMZ. Examples of these include Web servers, file transfer protocol (FTP) servers, and certain database servers. More recent strategies using proxy servers have provided much more secure solutions

30
Q

4 Questions to consider to select the right firewall

A
  1. Which type of firewall technology offers the right balance between protection and cost for the needs of the organization?
  2. What features are included in the base price? What features are available at extra cost? Are all cost factors known?
  3. How easy is it to set up and configure the firewall? How accessible are the staff technicians who can competently configure the firewall?
  4. Can the candidate firewall adapt to the growing network in the target organization?
31
Q

VPNs must:

A
  1. Encapsulate - wrap the protected packet inside another packet for transit
  2. Encrypt - keep the protected data unreadable to eavesdroppers on the untrusted network
  3. Authenticate - verify the identity of the peer and the integrity of each packet
32
Q

VPNs Transport Mode and Tunnel Mode

A

Transport Mode

In transport mode, the data within an IP packet is encrypted, but the header information is not. This allows the user to establish a secure link directly with the remote host, encrypting only the data contents of the packet. The downside to this implementation is that packet eavesdroppers can still identify the destination system. Once an attacker knows the destination, he or she may be able to compromise one of the end nodes and acquire the packet information from it

Tunnel Mode

Tunnel mode establishes two perimeter tunnel servers that encrypt all traffic that will traverse an unsecured network. In tunnel mode, the entire client packet is encrypted and added as the data portion of a packet addressed from one tunneling server to another. The receiving server decrypts the packet and sends it to the final address. The primary benefit to this model is that an intercepted packet reveals nothing about the true destination system