Firewalls (9)

  • 8/10/2019 Firewalls (9)

    1/16

    Firewalls and Security

    Ngoc Nguyen

  • 2/16

    Facts of Internet system vulnerability

    Recent denial-of-service attacks on Amazon, eBay, Yahoo, etc.

    31% of key Internet hosts were wide open to potential attackers.

    65% of companies reported security breaches in the three years from 1997 to 1999.

  • 3/16

    Typical security approaches

    Access Control

    Cryptography

    Intrusion detection systems

    Firewalls

  • 4/16

    Traditional firewalls consist of 3 main architectures:

    Screening routers.

    Proxy servers.

    Stateful inspectors.

  • 5/16

    Screening Routers

    The router screens the information, allowing only approved information to pass through.

    Requirements continually change, with more addresses needing to be added to the allowable address lists.

    Screening routers have no user-level authentication: they decide on addresses and ports in the packet header, not on who actually sent the packet.

    As a result, spoofing, i.e. crafting a packet so that it looks like an authorized and legal one, breaches the firewall.
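The allow-list decision and the spoofing weakness from this slide, as an added example (this is not code from the slides or from the author). The networks, hosts and rules are constructed from RFC 5737 documentation ranges; the interface-aware ingress check at the end is an addition that goes beyond the slide.

```python
"""Toy screening router: an allow-list on addresses and ports only.

Added example, not code from the slides. The networks, hosts and rules below
are constructed (RFC 5737 documentation ranges); the interface-aware
anti-spoofing check at the end goes beyond the slide.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str       # source IP address as written in the IP header
    dst: str       # destination IP address
    dport: int     # destination TCP/UDP port
    in_iface: str  # interface the packet arrived on: "inside" or "outside"


INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed: the protected LAN
MAIL_SERVER = ipaddress.ip_network("192.0.2.10/32")
WEB_SERVER = ipaddress.ip_network("192.0.2.11/32")

# (source network, destination network, destination port). Anything not
# matched falls through to the default deny. This is the maintenance burden
# the slide mentions: every new partner network means another entry here.
ALLOW_RULES = [
    (INTERNAL_NET, MAIL_SERVER, 25),                             # LAN may send mail
    (ipaddress.ip_network("198.51.100.0/24"), MAIL_SERVER, 25),  # partner network may relay mail
    (ipaddress.ip_network("0.0.0.0/0"), WEB_SERVER, 80),         # anyone may reach the web server
]


def screen(pkt: Packet, rules=ALLOW_RULES) -> str:
    """Screening-router decision: 'allow' if any rule matches, else 'deny'.

    The only evidence examined is the header. The router cannot tell whether
    the source address is genuine, which is the spoofing weakness.
    """
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for src_net, dst_net, port in rules:
        if src in src_net and dst in dst_net and pkt.dport == port:
            return "allow"
    return "deny"


def screen_with_ingress_check(pkt: Packet, rules=ALLOW_RULES) -> str:
    """Same filter plus ingress filtering (an addition beyond the slide):
    a packet arriving on the outside interface must not carry an inside
    source address, because no genuine inside host is out there.
    """
    if pkt.in_iface == "outside" and ipaddress.ip_address(pkt.src) in INTERNAL_NET:
        return "deny"
    return screen(pkt, rules)


if __name__ == "__main__":
    genuine = Packet("192.0.2.50", "192.0.2.10", 25, "inside")
    outsider = Packet("203.0.113.9", "192.0.2.10", 25, "outside")
    spoofed = Packet("192.0.2.50", "192.0.2.10", 25, "outside")          # forged inside source
    partner_spoof = Packet("198.51.100.7", "192.0.2.10", 25, "outside")  # forged partner source
    for name, pkt in [("genuine", genuine), ("outsider", outsider),
                      ("spoofed", spoofed), ("partner_spoof", partner_spoof)]:
        print(f"{name:14} screen={screen(pkt):5} ingress_check={screen_with_ingress_check(pkt)}")
```

The forged inside address is accepted by `screen` and rejected only by the ingress check; the forged partner address is accepted by both, because nothing in a header proves who sent it. That residual gap is what user-level authentication at a proxy is meant to close.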

  • 6/16

    Proxy Servers

    Employ user-level authentication.

    Provide logging and accounting information (useful for detecting intrusions and intrusion attempts).
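What user-level authentication and per-user accounting look like at a proxy, as an added example (not code from the slides or the author). The user table, salt, credentials and request bytes are constructed for the demo; the header format is the standard HTTP Basic scheme.

```python
"""Toy authenticating proxy front end: user-level authentication plus a
per-request log record. Added example, not code from the slides; the user
table, salt and request bytes are constructed for the demo.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional

# In practice use a random per-user salt from os.urandom; fixed here so the demo is deterministic.
SALT = b"constructed-demo-salt"
ITERATIONS = 100_000


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


USERS = {"alice": hash_password("correct horse battery")}   # constructed user table


def basic_credentials(user: str, password: str) -> str:
    """Build the value of a Proxy-Authorization header (HTTP Basic scheme)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_request(raw: bytes):
    """Split an HTTP/1.1 request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def authenticate(headers) -> Optional[str]:
    """Return the user name if Proxy-Authorization carries valid Basic credentials."""
    scheme, _, encoded = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(encoded, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    stored = USERS.get(user)
    candidate = hash_password(password)  # computed even for unknown users: same work either way
    if stored is not None and hmac.compare_digest(stored, candidate):
        return user
    return None


def handle(raw: bytes, client_ip: str, now: Optional[datetime] = None):
    """Decide on one request. Returns (status, log_line).

    407 tells the client to authenticate; the log line ties the request to a
    user name, which is the accounting information a screening router lacks.
    """
    method, target, headers = parse_request(raw)
    user = authenticate(headers)
    ts = (now or datetime.now(timezone.utc)).isoformat()
    status = 200 if user else 407
    log_line = f"{ts} client={client_ip} user={user or '-'} {method} {target} status={status}"
    return status, log_line


def build_request(target: str, auth: Optional[str] = None) -> bytes:
    """Constructed CONNECT request as a client would send it to the proxy."""
    lines = [f"CONNECT {target} HTTP/1.1", f"Host: {target}"]
    if auth:
        lines.append(f"Proxy-Authorization: {auth}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


if __name__ == "__main__":
    ok = build_request("mail.example.net:993", basic_credentials("alice", "correct horse battery"))
    bad = build_request("mail.example.net:993", basic_credentials("alice", "wrong"))
    anon = build_request("mail.example.net:993")
    for req in (ok, bad, anon):
        print(handle(req, "192.0.2.50"))
```

Every log line names the authenticated user (or `-`), so an intrusion attempt shows up as a run of 407s against one account from one client, which is the detection value the slide refers to.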

  • 7/16

    Stateful Inspectors

    Inspect packets to verify the application, user, and transport method, and to investigate the possibility of harmful viruses hiding in audio or video packets.

    The inspection application must be continually updated to recognize new viruses or intrusive applets.

    Strictly speaking, stateful inspection means tracking each connection's state so that only packets belonging to a legitimately opened connection are passed; the content scanning described here is a separate, signature-driven layer that runs on top of that state tracking.
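Both layers of the slide in one place, as an added example (not code from the slides or the author): a connection table that admits only traffic belonging to a connection an inside host opened, and a payload scan whose signature list has to be updated before it catches anything new. Addresses are RFC 5737 documentation ranges and the signatures are constructed strings, not real malware patterns.

```python
"""Toy stateful inspector: a connection table plus a payload signature scan.

Added example, not code from the slides. Addresses are RFC 5737 documentation
ranges and the signatures are constructed strings, not real malware patterns.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # TCP flags as letters: "S", "SA", "A", "PA", "FA", "R"
    payload: bytes = b""


class StatefulInspector:
    def __init__(self, inside_net: str, signatures):
        self.inside = ipaddress.ip_network(inside_net)
        self.signatures = list(signatures)
        self.table = {}   # (client ip, client port, server ip, server port) -> state

    def update_signatures(self, new_signatures):
        """The slide's point: the engine only recognizes what its last update taught it."""
        self.signatures.extend(new_signatures)

    def _scan(self, payload: bytes):
        return next((sig for sig in self.signatures if sig in payload), None)

    def inspect(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)   # key if pkt flows client -> server
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # key if pkt flows server -> client
        # 1. Only inside hosts may open connections; an inbound SYN has no state and is dropped.
        if pkt.flags == "S":
            if ipaddress.ip_address(pkt.src) in self.inside:
                self.table[fwd] = "SYN_SENT"
                return "allow"
            return "deny:no-state"
        # 2. The server's SYN-ACK completes the handshake of a connection we saw opened.
        if pkt.flags == "SA" and self.table.get(rev) == "SYN_SENT":
            self.table[rev] = "ESTABLISHED"
            return "allow"
        # 3. Anything else must belong to an established connection, in either direction.
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is None or self.table[key] != "ESTABLISHED":
            return "deny:no-state"
        if "F" in pkt.flags or "R" in pkt.flags:
            del self.table[key]           # connection closing: forget it
            return "allow"
        # 4. Content check: a known signature in the payload ends the connection.
        hit = self._scan(pkt.payload)
        if hit is not None:
            del self.table[key]
            return "deny:signature:" + hit.decode()
        return "allow"


if __name__ == "__main__":
    insp = StatefulInspector("192.0.2.0/24", [b"CONSTRUCTED-SIG-1"])
    client, server = ("192.0.2.50", 40000), ("203.0.113.20", 80)
    syn = Packet(*client, *server, "S")
    synack = Packet(*server, *client, "SA")
    request = Packet(*client, *server, "PA", b"GET /clip.mp4 HTTP/1.1\r\n")
    video = Packet(*server, *client, "PA", b"\x00\x00\x01\xba" + b"CONSTRUCTED-SIG-2")
    for p in (syn, synack, request, video):
        print(insp.inspect(p))                         # allow, four times: SIG-2 is not known yet
    insp.update_signatures([b"CONSTRUCTED-SIG-2"])
    print(insp.inspect(video))                         # deny:signature:CONSTRUCTED-SIG-2
    print(insp.inspect(request))                       # deny:no-state: connection torn down
    print(insp.inspect(Packet("203.0.113.99", 5555, "192.0.2.50", 22, "S")))  # deny:no-state
```

The video payload passes on the first try and is blocked only after the signature update, which is the slide's "must be continually updated" caveat in running form; the unsolicited inbound SYN is dropped purely on state, without any content check.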

  • 8/16

    Two approaches to enhance Internet security:

    Encryption and firewalls.

    Proactive Identification Model (PAIM).

  • 9/16

    Encryption can provide firewall protection in several ways:

    By encrypting passwords and authentication procedures, eavesdroppers are not able to copy passwords for later use in spoofing the system.

    Without the correct key, any encrypted data sent by an intruder would translate into unintelligible random characters and therefore have no meaning to the receiving system, i.e., no harmful viruses or programs can be inserted into the host system. This holds only if the receiving system also authenticates each message (for example with a MAC) and discards anything that fails the check: with a bare stream cipher an intruder can flip bits in a legitimate encrypted message and change its meaning without knowing the key.

    Any intruder reading corporate data on an open network would not be able to gather any intelligence.
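The three claims above, checked in code, as an added example (not code from the slides or the author). The stream cipher is a toy built from a SHA-256 keystream for illustration only; the keys, nonce and messages are constructed. It shows what an eavesdropper sees, what a wrong key yields, and why the "no meaning to the receiving system" claim needs a MAC to be true.

```python
"""Encrypt-then-MAC demo for the three claims above. Added example, not code
from the slides; the toy stream cipher (SHA-256 keystream) is for illustration
only, and the keys, nonce and messages are constructed.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR with the keystream is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """nonce || ciphertext || HMAC tag computed over nonce and ciphertext."""
    nonce = nonce or os.urandom(NONCE_LEN)
    ct = stream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify first, decrypt second: forged or modified input is rejected whole."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed; message discarded before decryption")
    return stream_xor(enc_key, nonce, ct)


def decrypt_unauthenticated(enc_key: bytes, blob: bytes) -> bytes:
    """What a receiver that only decrypts (no MAC check) would see."""
    return stream_xor(enc_key, blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN])


def flip_plaintext(blob: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Intruder's move without any key: XOR the ciphertext with old ^ new so
    the decrypted plaintext reads `new` where it used to read `old`."""
    out = bytearray(blob)
    for i, (o, n) in enumerate(zip(old, new)):
        out[NONCE_LEN + offset + i] ^= o ^ n
    return bytes(out)


if __name__ == "__main__":
    enc_key, mac_key = b"E" * 32, b"M" * 32            # constructed; use os.urandom(32) for real keys
    order = b"user=alice;amount=0100"
    blob = seal(enc_key, mac_key, order)
    print("eavesdropper sees no password bytes:", b"alice" not in blob)
    print("wrong key gives garbage:", decrypt_unauthenticated(b"X" * 32, blob) != order)
    forged = flip_plaintext(blob, 18, b"0100", b"9900")   # 18 == len(b"user=alice;amount=")
    print("decrypt-only receiver sees:", decrypt_unauthenticated(enc_key, forged))
    try:
        open_sealed(enc_key, mac_key, forged)
    except ValueError as err:
        print("authenticated receiver:", err)
```

The first two claims hold as stated. The third holds for `open_sealed` but not for `decrypt_unauthenticated`: the intruder never learns the key, yet the decrypt-only receiver reads `amount=9900`, which is perfectly meaningful. Real deployments get the same guarantee from an AEAD mode rather than a hand-built encrypt-then-MAC.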


  • 11/16

    Proactive Identification Model (PAIM)

    "As long as the hacker is not creating any hazardous situation or destroying anything, seasoned investigators will tell you that it is much more beneficial to watch the hacker over time and collect as much data as possible to develop a good case for the arrest and prosecution of the hacker in the courts." (Hancock 2002)

  • 12/16

    PAIM consists of 3 components:

    Firewall: has an audit log used to record both authorized and unauthorized accesses to the network.

    Operating system: has user profiles and audit logs. User profiles and audit logs are controls which provide information on the user's or hacker's actions. These controls are used to construct two graphs.

    Fuzzy engine: processes the information obtained from the firewall and the operating system in real time.

  • 13/16

    PAIM (cont.)

    The fuzzy engine computes two graphs, template and user action. The template graph represents the typical actions of a user (hacker) when carrying out the eight steps of a generic hacking methodology. The user action graph represents the actual actions of the user (hacker) on the system.


  • 15/16

    PAIM's operations

    Maps the template and user action graphs onto each other to determine whether a user (hacker) is performing a hacking attempt: a match between the two graphs indicates an attempt.

    Sends an alert message about the hacking attempt to the information security officer at the security workstation.

    Collects data from the hacker's actions for later use in court prosecution.
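The three PAIM components and the graph matching from slides 12 to 15, as one added example (not the model's own code, which the slides do not show). The eight stage names stand in for the slides' unnamed "eight steps", the log formats and classification rules are assumptions, the alert threshold is an assumption, and the log lines are constructed.

```python
"""Toy PAIM-style fuzzy engine over firewall and operating-system audit logs.

Added example, not the model's own code. The stage names stand in for the
slides' unnamed "eight steps", the log formats, rules and threshold are
assumptions, and the log lines are constructed.
"""
import re

# Template graph: expected stage order. Hypothetical labels; the slides do not list the steps.
TEMPLATE = ["footprint", "scan", "enumerate", "gain_access",
            "escalate", "install_tools", "expand", "cover_tracks"]

FW_RE = re.compile(r"fw \S+ (ACCEPT|DENY) src=(\S+) dst=\S+ dport=(\d+)")   # assumed firewall log format
OS_RE = re.compile(r"os \S+ user=(\S+) (\S+)(?: (\S+))?")                   # assumed OS audit format
SCAN_THRESHOLD = 3   # distinct denied ports from one source before we call it a scan


class StageClassifier:
    """Maps one audit-log line to a methodology stage (or None). Rules are assumptions."""

    def __init__(self):
        self.denied_ports = {}   # source address -> set of denied destination ports

    def classify(self, line: str):
        fw = FW_RE.match(line)
        if fw:
            action, src, port = fw.groups()
            if action == "DENY":
                ports = self.denied_ports.setdefault(src, set())
                ports.add(int(port))
                if len(ports) >= SCAN_THRESHOLD:
                    return "scan"
            return None
        osm = OS_RE.match(line)
        if osm:
            user, event, arg = osm.groups()
            if event == "LOGIN_OK":
                return "gain_access"
            if event == "EXEC" and arg in ("/usr/bin/sudo", "/usr/bin/su"):
                return "escalate"
            if event == "EXEC" and arg in ("/usr/bin/wget", "/usr/bin/curl"):
                return "install_tools"
            if event == "FILE_DELETE" and arg.startswith("/var/log/"):
                return "cover_tracks"
        return None


def user_action_graph(lines):
    """Observed stage sequence plus the supporting log lines (the evidence kept for prosecution)."""
    clf = StageClassifier()
    stages, evidence = [], []
    for line in lines:
        stage = clf.classify(line)
        if stage is None:
            continue
        evidence.append((stage, line))
        if not stages or stages[-1] != stage:   # collapse repeats into one graph node
            stages.append(stage)
    return stages, evidence


def lcs_length(a, b):
    """Longest common subsequence: template steps observed in the template's order."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b):
            cur.append(prev[j] + 1 if x == y else max(prev[j + 1], cur[j]))
        prev = cur
    return prev[-1]


def match_score(actions, template=TEMPLATE):
    """Fuzzy degree of match between the two graphs, in [0, 1]."""
    return lcs_length(template, actions) / len(template)


def evaluate(lines, threshold=0.5):
    """Returns (score, alert, evidence); alert is what goes to the security officer's workstation."""
    actions, evidence = user_action_graph(lines)
    score = match_score(actions)
    return score, score >= threshold, evidence


ATTACK_LOG = [   # constructed: one source scans, logs in, escalates, fetches tools, wipes a log
    "fw 10:00:05 DENY src=203.0.113.7 dst=192.0.2.10 dport=21",
    "fw 10:00:05 DENY src=203.0.113.7 dst=192.0.2.10 dport=23",
    "fw 10:00:06 DENY src=203.0.113.7 dst=192.0.2.10 dport=25",
    "fw 10:00:06 DENY src=203.0.113.7 dst=192.0.2.10 dport=110",
    "fw 10:00:07 ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=22",
    "os 10:00:09 user=guest LOGIN_OK from=203.0.113.7",
    "os 10:00:45 user=guest EXEC /usr/bin/sudo",
    "os 10:01:10 user=root EXEC /usr/bin/wget",
    "os 10:02:00 user=root FILE_DELETE /var/log/auth.log",
]
BENIGN_LOG = [   # constructed: an ordinary session that happens to use wget
    "fw 09:00:01 ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=22",
    "os 09:00:03 user=alice LOGIN_OK from=198.51.100.4",
    "os 09:00:10 user=alice EXEC /usr/bin/ls",
    "os 09:00:30 user=alice EXEC /usr/bin/wget",
    "os 09:05:00 user=alice LOGOUT",
]

if __name__ == "__main__":
    for name, log in (("attack", ATTACK_LOG), ("benign", BENIGN_LOG)):
        score, alert, evidence = evaluate(log)
        print(f"{name}: score={score:.3f} alert={alert} evidence_lines={len(evidence)}")
```

No single event in the attack log is decisive (a login, a sudo, a wget and a log deletion each occur in ordinary administration); the alert comes from their order matching the template, which is the point of comparing graphs rather than counting events. The benign session scores 0.25 and stays below the threshold even though it shares two stages.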
