CSS 111 - Introduction to Information System Security

Chapter 6, Security Technology: Firewalls and VPNs; Chapter 7, Security Technology: Intrusion Detection and Prevention Systems, and other Security Tools

Objectives:

This lesson discusses several technology tools used to secure networks. Objectives important to this lesson:

  1. Identify different technologies in relation to network, data, and application security
  2. Access control, access control models
  3. Authentication
  4. Credentials
  5. Authentication models
  6. Identify types of firewall, intrusion detection, dial-up, and networking analysis tools
  7. Identify types of encryption, cryptography, and trap-and-trace technology.

Concepts:

Chapter 6

The text begins with the topic of access control. This chapter uses what may be a familiar meaning, allowing, restricting, and denying access to resources.

Before we begin, there is a distinction between authorization and access you need to understand. Authorization is permission, and access is means. Authorization means we allow someone to do something. Access means someone can get at an asset. Other than that, a bit more vocabulary will help you understand the first terms in the chapter:

  • owner - A person responsible for the integrity and security of an asset. This may be a management role instead of a technical role.
  • custodian - A person who maintains the security of a system, perhaps by adding and removing access by user accounts. (This role is also called an administrator.)
  • end user - A person who uses the asset, such as reading a file, opening a web page, or printing some data from a database, but who is not allowed to change access rights to the asset. This concept is also called a subject in some texts.
  • subject - a user, or a process acting for a user, that performs operations on objects (assets)
  • supplicant - the text also uses this word as a synonym for "requester"; it is not used in common discussion unless you are a rather pedantic member of the attendant mathematical priesthood

Page 246 introduces three access control methods. You should know something about each of them:

  • Mandatory Access Control (MAC) - the most restrictive model; the owner defines a security policy, the custodian implements it, and the end users cannot change it; this may be implemented by setting a security level for each asset and granting authorization to users by assigning them to a level
  • Nondiscretionary controls come in two types
    • Role Based Access Control (RBAC) - access is granted to roles (groups) defined on the system; end users are assigned to roles so they can access the assets needed for their jobs; the text uses Windows Server 2008 as an example of a system that can use this model
    • Task Based Access Control (TBAC) - may be the most complex model; rules can change which role a user is assigned to, based on the task the user is performing, changing the level of access the user has
  • Discretionary Access Control (DAC) - least restrictive model; subjects (end users) can own objects, and have total control over them (like a SharePoint web server system); end users must set and maintain security for their assets, which most people will do badly; processes run by end users inherit their permission levels
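As an added example (not from the text), here are the three models as small Python decision functions applied to the same constructed request: a file called payroll.xlsx, users alice, bob and carol, and a custodian account called root. The point to watch is who is allowed to change the rules in each model.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Security levels for the MAC model, lowest to highest (constructed for this example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


class MandatoryAC:
    """MAC: the custodian labels objects and clears subjects; end users
    cannot alter either. A read is allowed only if the subject's clearance
    is at least the object's level."""

    def __init__(self, custodian: str):
        self.custodian = custodian
        self.clearance: dict[str, str] = {}
        self.labels: dict[str, str] = {}

    def set_label(self, actor: str, obj: str, level: str) -> bool:
        if actor != self.custodian:          # end users cannot relabel assets
            return False
        self.labels[obj] = level
        return True

    def set_clearance(self, actor: str, subject: str, level: str) -> bool:
        if actor != self.custodian:
            return False
        self.clearance[subject] = level
        return True

    def allowed(self, subject: str, obj: str) -> bool:
        if subject not in self.clearance or obj not in self.labels:
            return False                      # unlabeled assets are never readable
        return LEVELS[self.clearance[subject]] >= LEVELS[self.labels[obj]]


class RoleBasedAC:
    """RBAC: permissions attach to roles; users receive the roles their job needs."""

    def __init__(self):
        self.role_perms: dict[str, set[tuple[str, str]]] = {}
        self.user_roles: dict[str, set[str]] = {}

    def grant_role(self, role: str, op: str, obj: str) -> None:
        self.role_perms.setdefault(role, set()).add((op, obj))

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def allowed(self, user: str, op: str, obj: str) -> bool:
        return any((op, obj) in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, set()))


@dataclass
class DacObject:
    owner: str
    acl: dict[str, set[str]] = field(default_factory=dict)   # subject -> operations


class DiscretionaryAC:
    """DAC: the subject who owns an object controls it completely and may grant
    others access. A process inherits the rights of the user who runs it, so it
    is checked under that user's name."""

    def __init__(self):
        self.objects: dict[str, DacObject] = {}

    def create(self, owner: str, obj: str) -> None:
        self.objects[obj] = DacObject(owner)

    def grant(self, actor: str, obj: str, subject: str, op: str) -> bool:
        o = self.objects.get(obj)
        if o is None or actor != o.owner:     # only the owner may change rights
            return False
        o.acl.setdefault(subject, set()).add(op)
        return True

    def allowed(self, subject: str, op: str, obj: str) -> bool:
        o = self.objects.get(obj)
        if o is None:
            return False
        return subject == o.owner or op in o.acl.get(subject, set())
```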

The text tells us that users must first identify themselves to a system, but identification is pointless without authentication. Identification is simply entering a user name. Authentication is one of three key elements to security:

  • authentication - confirmation of identity
  • authorization - granting permissions that are linked to the user's account
  • accounting, accountability, auditing - tracking what the user does

[Image of a SecurID device]

Most security is based on one or more of three types of things: something you have (like a key or an ID card), something you know (like a PIN or a password), or something you are (like a fingerprint).

When a person logs in from a standard workstation in a normal environment, one level of protection, like an ID and password pair, may be secure enough.

For a situation that is more vulnerable, like logging in from a remote location through a public data network, two levels may be required, such as a user name-password pair along with a one-time password from a security device (that may require a PIN as well). You see the layers? My password (something I know) is no good unless I use the one-time key from the device (something I have), which is no good unless I know the PIN that proves I am allowed to use the device (something else I have to know). The one-time password shown in the image on the right, by the way, is only good for one minute. After that minute, a new six-digit code will be generated.

The text abruptly jumps to the topic of firewalls, which we are told may be classified three different ways:

  • by their processing type
  • by their evolutional generation
  • by the way they are implemented (structure).

Firewalls by Processing type:

1. Packet-filtering firewalls

Traffic on a network is broken into packets, smaller message units. Each packet must hold at least two addresses: that of the sender and that of the recipient. A packet-filtering firewall will hold a database of rules that tell it what to do with packets. Often the rules are based on the addresses mentioned above and the protocol (network rules) the packet is being sent under. The rules may include all three ideas, such as the three rules shown at the top of page 253.

  • The first rule says if the packet is from any address on the 172.16.0.0 network (172.16.x.x) and being sent to any address on the 10.10.0.0 network, using any protocol (Any), drop the packet (Deny). The x characters are used as wildcards on some firewalls, as the text mentions later. Other firewalls might use zeros instead, so you need to know the syntax for the firewall you are configuring.
  • The second rule says if the packet is from any address on the 192.168.0.0 network (192.168.x.x) and being sent to the specific address 10.10.10.25 (10.10.10.25), using the HTTP protocol (HTTP is hypertext transfer protocol), let that packet through (Allow). This tells me that 10.10.10.25 is the address of a web server on that network, because HTTP is for web pages.
  • The third rule says if the source address is specifically 192.168.0.1 (192.168.0.1) and the destination address is specifically 10.10.10.10, and the protocol is FTP (FTP is file transfer protocol), then let the packet through (Allow).

Packet filtering firewalls come in three types.

  • static - a system administrator sets the rules for the firewall
  • dynamic - the firewall sets some rules for itself, such as dropping packets from an address that is sending many bad packets
  • stateful - packets sent by an attacker often are sent to a port that the attacker has guessed is open; a stateful firewall denies packets sent to any port unless a connection to that port has already been negotiated; this kind of checking puts more processing overhead on the firewall
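An added example, not from the text: the three rules from page 253 as a first-match filter that accepts both wildcard syntaxes the notes mention (x octets and trailing zero octets), plus a connection table implementing the stateful check just described, so an inbound packet to a port is accepted only if an inside host already opened that connection (or a static rule explicitly allows it). The hosts 10.10.10.50 and 203.0.113.9 and the port numbers are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "HTTP", "FTP", ...
    sport: int       # source port
    dport: int       # destination port


@dataclass(frozen=True)
class Rule:
    src: str         # "172.16.x.x", "10.10.0.0", "192.168.0.1" or "Any"
    dst: str
    proto: str       # "Any" or a protocol name
    action: str      # "Allow" or "Deny"


def _address_matches(pattern: str, addr: str) -> bool:
    """Dotted-pattern match for both wildcard syntaxes in the notes: 'x'
    octets, or trailing zero octets (10.10.0.0 means 10.10.x.x). A zero that
    is followed by a non-zero octet, as in 192.168.0.1, is literal."""
    if pattern.lower() == "any":
        return True
    p, a = pattern.lower().split("."), addr.split(".")
    if len(p) != 4 or len(a) != 4:
        return False
    n = 4
    while n > 0 and p[n - 1] in ("x", "0"):   # strip the trailing wildcard run
        n -= 1
    return p[:n] == a[:n]


def evaluate(rules: list[Rule], pkt: Packet, default: str = "Deny") -> str:
    """First matching rule wins; if no rule matches, apply the default action."""
    for r in rules:
        if (_address_matches(r.src, pkt.src) and _address_matches(r.dst, pkt.dst)
                and r.proto.lower() in ("any", pkt.proto.lower())):
            return r.action
    return default


class StatefulFilter:
    """Static rules plus a connection table. Outbound traffic from the trusted
    network is allowed by default (the page 268 advice). An inbound packet is
    accepted if it answers a connection an inside host already opened;
    otherwise it falls back to the static table, whose default is Deny."""

    def __init__(self, rules: list[Rule]):
        self.rules = rules
        self.connections: set[tuple[str, int, str, int, str]] = set()

    def outbound(self, pkt: Packet) -> str:
        verdict = evaluate(self.rules, pkt, default="Allow")
        if verdict == "Allow":     # remember the (inside, outside) endpoints
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return verdict

    def inbound(self, pkt: Packet) -> str:
        # A reply has the endpoints of the recorded outbound packet swapped.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.connections:
            return "Allow"
        return evaluate(self.rules, pkt, default="Deny")


# The three rules at the top of page 253, as the notes paraphrase them.
PAGE_253_RULES = [
    Rule("172.16.x.x", "10.10.0.0", "Any", "Deny"),
    Rule("192.168.x.x", "10.10.10.25", "HTTP", "Allow"),
    Rule("192.168.0.1", "10.10.10.10", "FTP", "Allow"),
]
```

A packet from the outside aimed at a guessed port (51001 in the test below) is dropped even though the neighbouring port 51000 is open, which is the behaviour the stateful bullet describes.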

2. Application gateway firewalls

To understand this one and the next two, I have to explain the ISO-OSI Network Model. In fact, it will help you to understand all of these processing types. The ISO-Open Systems Interconnect networking model has seven layers that describe what happens to a packet as it is prepared to be sent out on a network, and what happens when that packet is received by the machine that is meant to act on it.

Packets leaving a device start at the top layer of the model (Application, layer 7) and are processed down the stack to the bottom layer (Physical, layer 1). Packets being received by a device arrive at the Physical layer, and are handed off to each successive layer until they are received by an application at layer 7.

The chart below shows the seven layers of the ISO-OSI model, the firewall types associated with several layers, and a summary of the many things that happen on each layer. Do you need to know all the material in the third column? Not for this lesson, but eventually you will.

So, what's an application gateway? The text tells us that a proxy server, discussed in the last lesson, is an example of an application gateway. It acts as an intermediary between a requester and a more protected device. The text tells us that it is probably dedicated to one application, then confuses the issue by listing five protocols. The protocols listed correspond to particular services on a network, whose functions live on layer 7: FTP is for file service, Telnet is for remote sessions, HTTP is for web pages, SMTP is for mail service, and SNMP is for managing a network. The proxy server can make the connection, and can examine the data for allowable content. For example, a business may set up a proxy server that runs an application to prevent staff from accessing particular kinds of web sites, such as gambling, gaming, or sports sites.

Application (layer 7) - application gateways live here
  • Network Services
    • File services
    • Print services
    • Message services
    • Application services
    • Database services
  • Service Advertisement - how services become known
  • Service Use - how services are obtained

Presentation (layer 6)
  • Translation - bit translation, byte translation, character code translation, file translation
  • Encryption - cipher, private key or public key

Session (layer 5)
  • Dialog Control - simplex, half-duplex and duplex
  • Session Administration - connection establishment, data transfer and connection release

Transport (layer 4) - circuit gateways live here
  • Address/name Resolution
  • Addressing
  • Segment Development - breaking large messages into segments, combining small messages into segments
  • Connection Services

Network (layer 3) - packet filtering firewalls live here
  • Addressing - network addresses. 2 methods:
    • Logical Network
    • Service
  • Switching - route creation for packets, messages and circuits. 3 methods:
    • Packet switching
    • Message switching
    • Circuit switching
  • Route Discovery - finding a route. 2 methods:
    • Distance vector
    • Link-state
  • Route Selection - choosing a route. 2 methods:
    • Static
    • Dynamic
  • Connection Services - flow control, error control and packet sequence control. 3 methods:
    • Network-layer flow control
    • Error control
    • Packet sequence control

Data link (layer 2) - MAC layer firewalls live here
  • MAC sublayer
    • Logical Topology - 2 methods:
      • Bus
      • Ring
    • Media Access - 3 methods:
      • Contention
      • Token Passing
      • Polling
    • Addressing - 1 method:
      • Physical Device Address - the MAC address
  • LLC sublayer
    • Transmission Synchronization - 3 methods:
      • Synchronous
      • Asynchronous
      • Isochronous
    • Connection Services - 3 methods:
      • Unacknowledged Connectionless
      • Connection Oriented
      • Acknowledged Connectionless

Physical (layer 1) - no firewall lives here: no addresses on this layer
  • Connection Type - 2 methods:
    • Point-to-Point
    • Multipoint
  • Physical Topology - 5 methods:
    • Bus
    • Ring
    • Star
    • Mesh
    • Cellular
  • Digital Signaling - 2 methods:
    • Current State
    • State Transition
  • Analog Signaling - 2 methods:
    • Current State
    • State Transition
  • Bit Synchronization - 2 methods:
    • Synchronous
    • Asynchronous
  • Bandwidth Usage - 2 methods:
    • Baseband
    • Broadband
  • Multiplexing - 3 methods:
    • Frequency Division
    • Time Division
    • Statistical Time Division

3. Circuit gateways

According to our text, this firewall lives on the transport layer, which is associated with guaranteed delivery of packets. Other than that, the explanation in the text is very unclear. The explanation at the PCStats web site is clearer. It explains that the function of the circuit gateway is less analytical than the proxy server, but that it does serve as an intermediary as well, making sure that only requested data is returned to the requester. It will not examine the data for content.

4. MAC layer firewalls

The MAC sublayer of the ISO-OSI Data Link layer is concerned with MAC addresses, the hard coded addresses that are generally burned into network cards when they are manufactured. This kind of firewall will check the MAC address of a requester to determine whether the device being used to make the connection is authorized to access the data in question. This would be useful in situations where devices are placed in lobbies for customers who are allowed to browse a catalog, but not allowed to place orders that would affect inventory.

5. Hybrids - the fifth processing firewall type combines features of the other four.

Firewalls by Generation type

  • First generation - static packet filtering
  • Second generation - application level
  • Third generation - stateful inspection
  • Fourth generation - dynamic packet filtering
  • Fifth generation - examines packets at several layers

Firewalls by Structure

  • Commercial appliances - runs on a custom operating system, on a dedicated device
  • Commercial systems - a software solution that runs on a computer that may or may not be dedicated
  • Small Office/Home Office (SOHO) appliances - the device may actually be a cable modem or DSL modem; it may also include router and WAP services, and may include intrusion protection
  • Residential (consumer) software - typically a combination of anti-virus, firewall, and intrusion detection software; should be run on all devices that connect to a home network

Note that none of the firewall solutions discussed will protect a network from user error. You can still trigger an incident by following a link to a malware site that is not forbidden, by running a Trojan or a worm, or by any other action that a user is allowed to take.

Let's move ahead to page 268, where the text discusses some advice for configuring firewalls.

  • All traffic from the trusted network (our network) is allowed out. Gee, I hope we aren't infected by another worm.
  • Firewalls are not configurable from the public facing part of the network. This makes sense: we should manage our best protection devices from inside the network, to remove the possibility that a hacker could modify the firewall's rules.
  • Mail traffic sent by SMTP is sent to a mail gateway. Some may be allowed, some denied, but all should be examined by a dedicated device.
  • All ICMP (ping) packets from outside our network should be denied. This is not always done in practice. You should try to ping a few public web servers to see if it works in our classroom.
  • Telnet requests from the outside should be blocked. This technology is not often used any more, but it is a potential hack that could be used to control our servers.
  • Public facing web servers should be in a DMZ, should use the secure form of HTTP (HTTPS), and should block requests made on them to contact our trusted network assets.
  • Deny traffic that has not been authenticated.

The text discusses some rules that could be set on most firewalls. It notes that a typical approach to firewall rules is to decide what is allowed, write rules allowing those things, and then deny everything else. An alternative is to write rules for everything you want to deny, then allow everything else. Note that the examples on page 276 show a rule database that contains a mixture of rules that allow and deny packets, as is probably the most common approach. The section on firewall rules is pretty extensive, and a bit beyond what we want for this course, so we will continue to the next item.

Page 277 discusses content filters, which are typically used to prevent your users from accessing websites that are deemed unacceptable by your organization. A company policy that directs staff not to access such sites on company time, company equipment, or company network would be a necessary first step. The text mentions NetNanny and SurfControl, two name-brand products in the field. There are other products that do similar things, and most of them are offered on a subscription basis. Your administrators download periodic updates to your proxy servers on a regular basis, which will keep your staff from accessing known sites that feature objectionable content. As you might imagine, staff who conduct investigations of violations of related policies would need to be able to access websites without restriction.

The next section of this chapter discusses protecting your network when users connect to it by means other than your LAN jacks. There is a good bit of discussion about connecting over a dial-up connection, and the technologies that are used to support that, but this is very dated. Is there anyone who would connect to a system by plain old telephone service (POTS) when the Internet is available in so many ways? For historical reference, it can't hurt to know this material. Or if you should find yourself transported to a location with phones, without Internet access, with affordable telephone costs, and with the need to connect to your home network, be aware of RADIUS, TACACS, and Diameter.

The section on Virtual Private Networks (page 282) is more current. The text points out that a VPN is called that because it provides a private connection even though it passes through a public carrier. How? The text discusses three ways:

  • trusted VPN - uses leased data lines from a data vendor that are guaranteed to be separate from the rest of their network; obviously this is expensive and not an option if you do not trust the vendor
  • secure VPN - uses security technology and encryption to make your traffic meaningless to eavesdroppers
  • hybrid VPN - uses both of the methods above, typically over several hops to the target network (What's a hop? Every time our signals pass across another router, that's a hop.)

The text describes more technology that is used in VPN connections, but it is not necessary for the scope of this class.

Assignment 1: Chapter 6 and more CBA

  1. Review Questions for chapter 6 are on page 287. Answer numbers 1, 5, 8, 11, 16, and 19.

  2. Return to chapter 4, page 169. You should have your answers from Exercise 3 by now. Use that information and do Exercise 5.

    Continuing with Exercise 5, review the chapter and calculate the CBA for each row in the table.
    The formula requires the ALE values from this exercise, the ALE values from exercise 3, and the ACS for each line.

    CBA = ALE (without the safeguard) - ALE (with the safeguard) - ACS of this safeguard

Chapter 7

Chapter 7 begins with material about intrusion detection and more security tools. The introduction to the chapter effectively sets the mood for the topics: an employee has been discharged, he is angry, and he is plotting revenge against the company. Has the company applied enough security to guard against his attack?

The text has some definitions on page 293. Too many, actually. Let's look at a few:

  • intrusion - someone tries to access or disrupt a system
  • intrusion detection - if a product only does detection, it will notice an attempted or actual intrusion, and will probably tell someone; a detection system does not take action against the intrusion
  • intrusion reaction - if a product reacts to intrusions, it attempts to stop them, contain them, or minimize their effects
  • intrusion prevention - if a product acts to prevent intrusion, it probably does detection as well; I am sometimes notified by my security suite that an attempted intrusion has been detected and stopped, which is what you want such a system to do

When you are researching products in this category, you should be careful to note what the product actually does. If it is marketed as an intrusion detection system, don't expect it to prevent or stop intrusions. As the text says, an intrusion detection and prevention system (IDPS) would be preferable to a system that only performed one of those functions.

The text asks the question "Why use an IDPS?" Well, which would you rather see on your screen, a message that says an attack has just been stopped without damage, or a (insert your favorite emblem of disaster)? There are some reasons on page 295 that go a bit farther:

  • If employees know about an IDPS, they may be less likely to go postal on your network.
  • Detection of events will tell you when your other layers of security are not working.
  • Dealing with probes that are used before an attack may serve to present that "walled city" Sun Tzu wrote about.
  • An IDPS keeps a log of events, which can be analyzed for current threats and for trends.

As mentioned in another chapter, an IDPS may be installed on a computer or a network appliance and allowed to sniff all the packets that pass by. This sort of network-based IDPS may need to be duplicated in various parts of your network, since it has to watch every packet that goes by, and it will not see any packets that are not passed to the network segment it lives on.

The second major option for an IDPS is a host-based IDPS. This kind of system can detect changes on the host where it is installed that do not depend on network traffic. On the other hand, it needs to be installed on every host you intend to protect. In a home network, this is not a large burden, but in a commercial setting it can be a lot of work. A convincing argument may be that the antivirus program provided as part of your home contract with a cable provider probably includes this feature. If you are installing Norton 360, for example, you are already installing a system to watch for intrusions as well as to watch for viruses.

Other security measures are discussed, starting on page 325. You should be familiar with these terms, know what they do, and know why you will probably not use them:

  • honeypot - The usual explanation of this metaphor is Winnie the Pooh getting stuck in a jar of honey. The idea is to put a fake, attractive looking, unprotected resource on your network that will attract the attention of a hacker looking for assets to steal, destroy, or otherwise vandalize. The honeypot system should include an IDPS element that notes the intrusion and sets off alarms, but does not actually stop it. One of the tricks here is that the honeypot system must be attractive: it must look like a real asset ready to be attacked. Ideally, it should be something that will take the attacker a significant amount of time to exploit, so that your security staff have time to react.
  • honeynet - A more extensive collection of honeypots on a subnet may be called a honeynet.
  • padded cell - Another variation, this one is a honeypot that presents a challenge to the hacker. In this regard, it is more credible to the hacker. If the resource was real and valuable, why would it not be protected? Of course, if it is too well protected, why should the attacker break into the padded cell instead of one of your real assets?
  • trap-and-trace - Taking this concept to the next level, if we have detected an intruder, why not figure out who and where the attacker is? Well, the reason not to do it is to avoid the cost of the lawsuit that will follow.

The text discusses the ideas of entrapment and enticement that could be part of lawsuits brought against your company, and which apply to all the items in this list. Be aware of the concepts and accept the idea that you will do better without most of this.

The text moves on to discuss tools that analyze networks on page 328. We have already discussed intrusion detection and prevention tools and firewalls. The authors suggest vulnerability scanners, log analyzers (application log, security log, system log), and packet sniffers. They describe preliminary processes that a would-be attacker might use in gathering information about a target on pages 328 and 329. Common early practices are examining web resources and using social engineering. I have placed a pdf file on our BlackBoard site under week 4 that discusses a social engineering competition. You should read this file for ideas about closing gaps in your company's security.

The text discusses particular kinds of network tools useful to people looking for vulnerabilities, starting on page 332.

  • port scanners - The text recommends Nmap. This sort of utility looks for devices on a network, and scans them for open ports. In this case, a port is not a physical thing waiting for a plug. It is a service running on a computer that is identified by a number which stands for a place in that computer's memory. A service of this sort may run at a port whose number is commonly used (like 80 for HTTP, or 25 for SMTP) or it may run at any port number specified by the person or process that started it. A Wikipedia page with lots of port numbers and their commonly associated services can be seen here. If a port is open, it can receive requests, and possibly commands from an attacker.
  • firewall analysis tools - The text explains one way that Nmap can be used to determine if a machine is live beyond a firewall. It also discusses Firewalk and HPING, two other tools that can help an attacker determine what a firewall is allowing to pass.
  • operating system detection tools - The only tool mentioned by the text is XProbe, which sends ICMP packets to computers and checks their responses against a list of responses from machines with known operating systems. Why do you want to know the OS of a computer? To exploit known vulnerabilities or protect against such exploits.
  • vulnerability scanners - The text recommends Nessus, a free program that does everything we have discussed so far, as well as having other features. It is effective for scanning a network that is using over-the-counter software. To scan a network with custom or in-house-developed software, it recommends a "fuzzy" scanner called SPIKE. It features a proxy server that sounds like a good tool for a man in the middle attack, as well as being a tool to test the stability of your own web servers and sites. These are both active scanners, which send traffic into a network to test it.
    The text mentions two passive scanners, which only watch the traffic that is already being sent through a network. The two products mentioned are Passive Vulnerability Scanner (PVS) and RNA.
  • packet sniffers - A more formal term is network protocol analyzer. The text lists three products. Sniffer is one you have to buy, Snort is an open source product, and Wireshark is freeware. Take the authors' description of the legal requirements for using this sort of software as a warning. Do not use them unless all three of the tests on page 337 are met:
    • You must be using this on a network your organization owns.
    • You must have been authorized by the network owners to do this.
    • You must be doing this with the knowledge and consent of the content owners.
    As you might imagine, it is rather difficult to pass all three of these tests.
  • wireless security tools - In passing, the text informs you that the IEEE standard that applies to wireless networking is 802.11. The text mentions several wireless tools that were named as good choices in 2006. As I type this, it is now 2014. Let's update the list for this year as an assignment.

The chapter ends with a discussion of using biometric authentication as a means of stopping intrusions. The text discusses them for three pages, ending with the observation that many people do not use these methods because of user confrontation and refusal to use them. They are not 100% reliable, as the text explains.

Assignment 2: Chapter 7

  1. Read the list of wireless oriented security tools that starts on page 339. Note also the source of the authors' list for those tools.
  2. Conduct a web search for a more recent list of wireless diagnostic tools. Make sure that it is from an authoritative source.
  3. Submit your list of tools, specifying what they are good for. Cite your source, the publication date of the material, and explain why you think this is a valid source for this assignment.