Lecture 6.5 Flashcards
Technical controls – ?
Identify
Firewalls and VPN
essential
Enforcing policy for many ?
Identify
Firewalls and VPN
IT functions
Not involve direct ?
Identify
Firewalls and VPN
human control
Improve organization’s ability to ?
Identify
Firewalls and VPN
balance
?
Use data classification schemes
Identify
Firewalls and VPN - Access Control
Mandatory access control (MAC)
?
Give users and data owners limited control over access
Identify
Firewalls and VPN - Access Control
Mandatory access control (MAC)
?
Each collection of information is rated
Identify
Firewalls and VPN - Access Control
Data classification schemes
?
Each user is rated
Identify
Firewalls and VPN - Access Control
Data classification schemes
?
May use matrix or authorization
Identify
Firewalls and VPN - Access Control
Data classification schemes
?
Managed by central authority
Identify
Firewalls and VPN - Access Control
Nondiscretionary controls
?
Tied to the role a user performs
Identify
Firewalls and VPN - Access Control
Role-based
?
Tied to a set of tasks user performs
Identify
Firewalls and VPN - Access Control
Task-based
?
Implemented at the option of the data user
Identify
Firewalls and VPN - Access Control
Discretionary access controls
?
Used by peer to peer networks
Identify
Firewalls and VPN - Access Control
Discretionary access controls
? ?? ??? ????
(4) All controls rely on
Enumerate
Firewalls and VPN - Access Control
- Identification
- Authentication
- Authorization
- Accountability
Unverified entity – ?
Identify
Firewalls and VPN - Access Control - Identification
supplicant
Seek access to a resource by ?
Identify
Firewalls and VPN - Access Control - Identification
label
?
is called an identifier
Identify
Firewalls and VPN - Access Control - Identification
Label
Mapped to one & only one ?
Identify
Firewalls and VPN - Access Control - Identification
entity
Authentication:
* Something a supplicant ?
* Something a supplicant ??
* Something a supplicant ???
Identify
Firewalls and VPN - Access Control - Authentication
- knows
- has
- is
Matches supplicant to ?
Identify
Firewalls and VPN - Access Control - Authorization
resource
Often uses access control ?
Identify
Firewalls and VPN - Access Control - Authorization
matrix
(3) Handled by 1 of 3 ways
Enumerate
Firewalls and VPN - Access Control - Authorization
- Authorization for each authenticated user
- Authorization for members of a group
- Authorization across multiple systems
Accountability known as ?
Identify
Firewalls and VPN - Access Control - Accountability
auditability
All actions on a system can be attributed to an authenticated ?
Identify
Firewalls and VPN - Access Control - Accountability
identity
System logs and ?
Identify
Firewalls and VPN - Access Control - Accountability
database journals
Prevent information from moving between the ? and ??
Identify
Firewalls and VPN - Firewalls - Purpose
- outside world
- inside world
?
untrusted network
Identify
Firewalls and VPN - Firewalls - Purpose
Outside world
?
trusted network
Identify
Firewalls and VPN - Firewalls - Purpose
Inside world
?
Five major categories
Enumerate
Firewalls and VPN - Processing Mode
- Packet filtering
- Application gateway
- Circuit gateway
- MAC layer
- Hybrids
?
Filtering firewall
Identify
Firewalls and VPN
Packet Filtering
?
Examine header information & data packets
Identify
Firewalls and VPN
Packet Filtering
? ?? ??? ???? ?????
(5) Installed on TCP/IP based network
Enumerate
Firewalls and VPN - Packet Filtering
- Functions at the IP level
- Drop a packet (deny)
- Forward a packet (allow)
- Action based on programmed rules
- Examines each incoming packet
Inspect networks at the ?
Identify
Firewalls and VPN - Filtering Packets
network layer
Packet matching restriction = ?
Identify
Firewalls and VPN - Filtering Packets
deny movement
? ?? ??? ????
(4) Restrictions most commonly implemented in Filtering Packets
Enumerate
Firewalls and VPN - Filtering Packets
- IP source and destination addresses
- Direction (incoming or outgoing)
- Protocol
- Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source or destination
?
Requires rules to be developed and installed with firewall
Identify
Firewalls and VPN - Packet Filtering Subsets
Static filtering
?
Allows only a particular packet with a particular source, destination, and port address to enter
Identify
Firewalls and VPN - Packet Filtering Subsets
Dynamic filtering
?
Uses a state table
Identify
Firewalls and VPN - Packet Filtering Subsets
Stateful
?
Tracks the state and context of each packet
Identify
Firewalls and VPN - Packet Filtering Subsets
Stateful
?
Records which station sent what packet and when
Identify
Firewalls and VPN - Packet Filtering Subsets
Stateful
?
Performs packet filtering but takes an extra step
Identify
Firewalls and VPN - Packet Filtering Subsets
Stateful
?
Can expedite responses to internal requests
Identify
Firewalls and VPN - Packet Filtering Subsets
Stateful
?
Vulnerable to DoS attacks because of the processing time required
Identify
Firewalls and VPN - Packet Filtering Subsets
Stateful
?
Installed on dedicated computer
Identify
Firewalls and VPN
Application Gateway
?
Used in conjunction with filtering router
Identify
Firewalls and VPN
Application Gateway
?
Goes between external request and webpage
Identify
Firewalls and VPN - Application Gateway
Proxy server
?
Between trusted and untrusted network
Identify
Firewalls and VPN - Application Gateway - 1/4 ?
Resides in DMZ
?
Exposed to risk
Identify
Firewalls and VPN - Application Gateway - 2/4 ?
Resides in DMZ
?
Can place additional filtering routers behind
Identify
Firewalls and VPN - Application Gateway - 3/4 ?
Resides in DMZ
?
Restricted to a single application
Identify
Firewalls and VPN - Application Gateway - 4/4 ?
Resides in DMZ
?
Operates at transport level
Identify
Firewalls and VPN - 1/6 ?
Circuit Gateways
?
Authorization based on addresses
Identify
Firewalls and VPN - 2/6 ?
Circuit Gateways
?
Don’t look at traffic between networks
Identify
Firewalls and VPN - 3/6 ?
Circuit Gateways
?
Do prevent direct connections
Identify
Firewalls and VPN - 4/6 ?
Circuit Gateways
?
Create tunnels between networks
Identify
Firewalls and VPN - 5/6 ?
Circuit Gateways
?
Only allowed traffic can use tunnels
Identify
Firewalls and VPN - 6/6 ?
Circuit Gateways
?
Designed to operate at media access sublayer
Identify
Firewalls and VPN - 1/3 ?
MAC Layer Firewalls
?
Able to consider specific host computer identity in filtering
Identify
Firewalls and VPN - 2/3 ?
MAC Layer Firewalls
?
Allows specific types of packets that are acceptable to each host
Identify
Firewalls and VPN - 3/3 ?
MAC Layer Firewalls
? ?? ??? ???? ????? ?????? ???????
(7) OSI Model
Enumerate
Firewalls and VPN
- Physical
- Data Link
- Network
- Transport
- Session
- Presentation
- Application
?
Combine elements of other types of firewalls; i.e., elements of packet filtering and proxy services, or of packet filtering and circuit gateways
Identify
Firewalls and VPN - 1/2 ?
Hybrid Firewalls
?
Alternately, may consist of two separate firewall devices; each a separate firewall system, but are connected to work in tandem
Identify
Firewalls and VPN - 2/2 ?
Hybrid Firewalls
?
Static packet filtering
Identify
Firewalls and VPN - Categorization by Development Generation - 1/3 ?
First Generation
?
Simple networking devices
Identify
Firewalls and VPN - Categorization by Development Generation - 2/3 ?
First Generation
?
Filter packets according to their headers
Identify
Firewalls and VPN - Categorization by Development Generation - 3/3 ?
First Generation
?
Application level or proxy servers
Identify
Firewalls and VPN - Categorization by Development Generation - 1/3 ?
Second Generation
?
Dedicated systems
Identify
Firewalls and VPN - Categorization by Development Generation - 2/3 ?
Second Generation
?
Provides intermediate services for the requestors
Identify
Firewalls and VPN - Categorization by Development Generation - 3/3 ?
Second Generation
?
Stateful
Identify
Firewalls and VPN - Categorization by Development Generation - 1/2 ?
Third Generation
?
Uses state tables
Identify
Firewalls and VPN - Categorization by Development Generation - 2/2 ?
Third Generation
?
Dynamic filtering
Identify
Firewalls and VPN - Categorization by Development Generation - 1/2 ?
Fourth Generation
?
Particular packet with a particular source, destination, and port address to enter
Identify
Firewalls and VPN - Categorization by Development Generation - 2/2 ?
Fourth Generation
?
Kernel proxy
Identify
Firewalls and VPN - Categorization by Development Generation - 1/4 ?
Fifth Generation
?
Works in the Windows NT Executive
Identify
Firewalls and VPN - Categorization by Development Generation - 2/4 ?
Fifth Generation
?
Evaluates at multiple layers
Identify
Firewalls and VPN - Categorization by Development Generation - 3/4 ?
Fifth Generation
?
Checks security as packet passes from one level to another
Identify
Firewalls and VPN - Categorization by Development Generation - 4/4 ?
Fifth Generation
?
Stand-alone
Identify
Firewalls and VPN - Categorized by Structure - 1/3 ?
Commercial-Grade
?
Combination of hardware and software
Identify
Firewalls and VPN - Categorized by Structure - 2/3 ?
Commercial-Grade
?
Many of the features of a stand-alone computer
Identify
Firewalls and VPN - Categorized by Structure - 3/3 ?
Commercial-Grade
?
Configured application software
Identify
Firewalls and VPN - Categorized by Structure - 1/2 ?
Commercial-Grade Firewall Systems
?
Runs on general-purpose computer
Identify
Firewalls and VPN - Categorized by Structure - 2/2 ?
Commercial-Grade Firewall Systems
? ??
(2) Runs on general-purpose computer
Enumerate
Firewalls and VPN - Categorized by Structure - Runs on general-purpose computer
- Existing computer
- Dedicated computer
?
Broadband gateways or DSL/cable modem routers
Identify
Firewalls and VPN - Categorized by Structure - 1/6 ?
Small Office/Home Office (SOHO)
?
First – stateful
Identify
Firewalls and VPN - Categorized by Structure - 2/6 ?
Small Office/Home Office (SOHO)
?
Many newer ones – packet filtering
Identify
Firewalls and VPN - Categorized by Structure - 3/6 ?
Small Office/Home Office (SOHO)
?
Can be configured by user
Identify
Firewalls and VPN - Categorized by Structure - 4/6 ?
Small Office/Home Office (SOHO)
?
Router devices with WAP and stackable LAN switches
Identify
Firewalls and VPN - Categorized by Structure - 5/6 ?
Small Office/Home Office (SOHO)
?
Some include intrusion detection
Identify
Firewalls and VPN - Categorized by Structure - 6/6 ?
Small Office/Home Office (SOHO)
?
Installed directly on user’s system
Identify
Firewalls and VPN - Categorized by Structure - 1/3 ?
Residential
?
Many free versions not fully functional
Identify
Firewalls and VPN - Categorized by Structure - 2/3 ?
Residential
?
Limited protection
Identify
Firewalls and VPN - Categorized by Structure - 3/3 ?
Residential
?
Lacks auditing and strong authentication
Identify
Firewalls and VPN - Firewall Architectures - 1/2 ?
Packet filtering routers
?
Can degrade network performance
Identify
Firewalls and VPN - Firewall Architectures - 2/2 ?
Packet filtering routers
?
Combines packet filtering router with dedicated firewall – such as proxy server
Identify
Firewalls and VPN - Firewall Architectures - 1/3 ?
Screened Host firewall
?
- Allows router to prescreen packets
- Application proxy examines at application layer
Identify
Firewalls and VPN - Firewall Architectures - 2/3 ?
Screened Host firewall
?
- Separate host – bastion or sacrificial host
- Requires external attack to compromise 2 separate systems.
Identify
Firewalls and VPN - Firewall Architectures - 3/3 ?
Screened Host firewall
?
Two network interface cards
Identify
Firewalls and VPN - Firewall Architectures
Dual Homed Host
?
- Dominant architecture used today
- Provides DMZ
Identify
Firewalls and VPN - Firewall Architectures
Screened Subnet Firewalls (with DMZ)
?
Protocol for handling TCP traffic through a proxy server
Identify
Firewalls and VPN - Firewall Architectures - 1/3 ?
SOCKS Servers
?
Proprietary circuit-level proxy server
Identify
Firewalls and VPN - Firewall Architectures - 2/3 ?
SOCKS Servers
?
Places special SOCKS client-side agents on each workstation
Identify
Firewalls and VPN - Firewall Architectures - 3/3 ?
SOCKS Servers
?
Extent to which the firewall design provides the required protection
Identify
Firewalls and VPN - Selecting the Right Firewall
Most important factor
?
Cost
Identify
Firewalls and VPN - Selecting the Right Firewall
Second most important factor
?
Software filter—not a firewall—that allows administrators to restrict content access from within network
Identify
Firewalls and VPN - 1/4 ?
Content Filters
?
Essentially a set of scripts or programs restricting user access to certain networking protocols/Internet locations
Identify
Firewalls and VPN - 2/4 ?
Content Filters
?
Primary focus to restrict internal access to external material
Identify
Firewalls and VPN - 3/4 ?
Content Filters
?
Most common content filters restrict users from accessing non-business Web sites or deny incoming spam
Identify
Firewalls and VPN - 4/4 ?
Content Filters
?
Installing internetwork connections requires leased lines or other data channels; these connections are usually secured under the requirements of a formal service agreement
Identify
Firewalls and VPN
Protecting Remote Connections
?
Unsecured, dial-up connection points represent a substantial exposure to attack
Identify
Firewalls and VPN - Protecting Remote Connections
Dial-Up
?
Automatic phone-dialing program that dials every number in a configured range and records the number if a modem picks up
Identify
Firewalls and VPN - Protecting Remote Connections - Dial-Up
War dialer
? ??
(2) Authentication Systems
Enumerate
Firewalls and VPN - Protecting Remote Connections - Authentication systems
- RADIUS and TACACS
- Kerberos
?
Access control for dial-up
Identify
Firewalls and VPN - Protecting Remote Connections - 1/2 Authentication systems
RADIUS and TACACS
?
- Symmetric key encryption to validate
- Keeps a database containing the private keys
Identify
Firewalls and VPN - Protecting Remote Connections - 2/2 Authentication systems 1/2 ?
Kerberos
?
- Both networks and clients have to register
- Does the authentication based on database
Identify
Firewalls and VPN - Protecting Remote Connections - 2/2 Authentication systems 2/2 ?
Kerberos
?
- Secure European System for Applications in a Multi-vendor Environment
- Similar to Kerberos
Identify
Firewalls and VPN - Protecting Remote Connections
SESAME
?
Implementation of cryptographic technology
Identify
Firewalls and VPN - Protecting Remote Connections
VPN
? ?? ???
(3) Private and secure network connection
Enumerate
Firewalls and VPN - Protecting Remote Connections - VPN
- Trusted VPN
- Secure VPN
- Hybrid VPN
?
Data within IP packet is encrypted, but header information is not
Identify
Firewalls and VPN - 1/2 ?
Transport Mode
?
Allows user to establish secure link directly with remote host, encrypting only data contents of packet
Identify
Firewalls and VPN - 2/2 ?
Transport Mode
?
Organization establishes two perimeter tunnel servers
Identify
Firewalls and VPN - 1/3 ?
Tunnel Mode
?
These servers act as encryption points, encrypting all traffic that will traverse the unsecured network
Identify
Firewalls and VPN - 2/3 ?
Tunnel Mode
?
Primary benefit of this model is that an intercepted packet reveals nothing about the true destination system
Identify
Firewalls and VPN - 3/3 ?
Tunnel Mode