Firewalls & VPNS(Edit)2

  • 7/31/2019 Firewalls & VPNS(Edit)2

    1/55

    Security Technology: Firewalls & VPNS


    FIREWALLS (Contd)

    Firewalls can be packet filtering, stateful packet filtering, proxy, or application level.

    A firewall can be a single device or a firewall subnet, which consists of multiple firewalls creating a buffer between the outside and inside networks. Thus, firewalls can be used to create security perimeters.

    A firewall is an information security program which is similar to a building's firewall in that it prevents specific types of information from moving between the outside world, known as the untrusted network (e.g. the Internet), and the inside world, known as the trusted network.


    Places Where Firewalls Are Used

    In commercial and residential construction, firewalls are concrete or masonry walls that run from the basement through the roof, to prevent fire from jumping from one section of the building to another.

    In aircraft and automobiles, a firewall is an insulated metal barrier that keeps the hot and dangerous moving parts of the motor separate from the inflammable interior where the passengers sit.


    Different Types Of Firewalls

    Packet Filtering Firewalls: Also called filtering firewalls, examine the header information of data packets that come into a network.

    Stateful Inspection Firewalls: Also called stateful firewalls, keep track of each network connection between internal and external systems using a state table.

    Application-Level Firewalls: Frequently installed on a dedicated computer, separate from the filtering router, but commonly used in conjunction with a filtering router. Also known as a proxy server.


    Different Types Of Firewalls (Contd)

    Circuit Gateway Firewalls: Operate at the transport layer. Again, connections are authorized based on addresses. Like filtering firewalls, circuit gateway firewalls do not usually look at traffic flowing between one network and another, but they do prevent direct connections between one network and another.

    MAC Layer Firewalls: Designed to operate at the media access control sub-layer of the data link layer (Layer 2) of the OSI model. This enables these firewalls to consider the specific host computer's identity, as represented by its MAC or Network Interface Card (NIC) address, in their filtering decisions.
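The two slides above describe three filtering behaviours in prose: a static packet filter that judges each header on its own, a stateful filter that consults a state table, and a MAC layer filter that keys on the NIC address. The following Python model, added here as an example and not part of the slides, runs the same constructed traffic through all three so the difference shows up in the verdicts. Every IP address, port and MAC address below is made up for the example, and the rule set (inside hosts may connect out; outsiders may reach only port 80) is an assumption.

```python
# Added example, not from the slides: a toy model of static packet filtering,
# stateful inspection and MAC layer filtering. Packets are dicts of header
# fields; every address, port and MAC below is constructed for the example.

TRUSTED_PREFIX = "192.168.1."      # assumed inside (trusted) network
PUBLIC_SERVICE_PORT = 80           # assumed service the outside may reach


def pkt(src_ip, src_port, dst_ip, dst_port, direction, src_mac=None):
    """Header fields a filter inspects. direction is 'in' (arriving from the
    untrusted network) or 'out' (leaving the trusted network)."""
    return {"src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip,
            "dst_port": dst_port, "direction": direction, "src_mac": src_mac}


# --- Static packet filtering (first generation): header fields only -------
def static_filter(p):
    """Decide on this packet alone; no memory of earlier packets."""
    if p["direction"] == "out" and p["src_ip"].startswith(TRUSTED_PREFIX):
        return "allow"
    if p["direction"] == "in" and p["dst_port"] == PUBLIC_SERVICE_PORT:
        return "allow"
    return "deny"   # default deny


# --- Stateful inspection (third generation): a state table ----------------
class StatefulFirewall:
    def __init__(self):
        # state table: connections that originated inside, keyed by 4-tuple
        self.state = set()

    def decide(self, p):
        if p["direction"] == "out":
            verdict = static_filter(p)
            if verdict == "allow":
                self.state.add((p["src_ip"], p["src_port"],
                                p["dst_ip"], p["dst_port"]))
            return verdict
        # Inbound: a reply to a tracked connection is the reverse 4-tuple
        reverse = (p["dst_ip"], p["dst_port"], p["src_ip"], p["src_port"])
        if reverse in self.state:
            return "allow"
        return static_filter(p)   # otherwise the static rules apply


# --- MAC layer filtering: identity of the host's NIC ----------------------
ALLOWED_MACS = {"02:00:00:aa:bb:01"}   # constructed, locally administered


def mac_layer_filter(p):
    return "allow" if p["src_mac"] in ALLOWED_MACS else "deny"


def demo():
    """Run the same traffic through each filter and return the verdicts."""
    fw = StatefulFirewall()
    # inside client opens a connection to an outside HTTPS server
    request = pkt("192.168.1.20", 51000, "203.0.113.9", 443, "out")
    # the server's reply comes back to the ephemeral port 51000
    reply = pkt("203.0.113.9", 443, "192.168.1.20", 51000, "in")
    # an unsolicited inbound packet aimed at the same ephemeral port
    unsolicited = pkt("198.51.100.7", 4444, "192.168.1.20", 51000, "in")
    # inbound to the public web port, which the static rule accepts
    web = pkt("198.51.100.7", 40000, "192.168.1.10", 80, "in")
    known = pkt("192.168.1.20", 1, "192.168.1.1", 22, "out", "02:00:00:aa:bb:01")
    unknown = pkt("192.168.1.21", 1, "192.168.1.1", 22, "out", "02:00:00:aa:bb:99")
    return {
        "static_reply": static_filter(reply),           # deny: no memory of the request
        "stateful_request": fw.decide(request),         # allow, and recorded in the table
        "stateful_reply": fw.decide(reply),             # allow: matches a tracked connection
        "stateful_unsolicited": fw.decide(unsolicited), # deny: nothing in the state table
        "stateful_web": fw.decide(web),                 # allow via the static rule
        "mac_known": mac_layer_filter(known),           # allow: NIC on the list
        "mac_unknown": mac_layer_filter(unknown),       # deny: NIC not on the list
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The reply packet is the instructive case: the static filter has to deny it, because a return packet to an ephemeral port looks no different from an unsolicited one, while the stateful filter allows it because it remembers the outbound request. The MAC layer filter ignores IP headers entirely and decides purely on which NIC sent the frame.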


    Different Types Of Firewalls (Contd)

    Hybrid Firewalls: Hybrid firewalls combine the elements of other types of firewalls, that is, the elements of packet filtering and proxy services, or of packet filtering and circuit gateways. A hybrid firewall system may actually consist of two separate firewall devices; each is a separate firewall system, but they are connected so that they work in tandem. An advantage to the hybrid firewall approach is that it enables an organization to make a security improvement without completely replacing its existing firewalls.


    Firewalls Categorized By Generation

    First Generation: Firewalls are static packet filtering firewalls; that is, simple networking devices that filter packets according to their headers as the packets travel to and from the organization's networks.

    Second Generation: Firewalls are application-level firewalls or proxy servers; that is, dedicated systems that are separate from the filtering router and that provide intermediate services for requestors.


    Firewalls Categorized By Generation (Contd)

    Third Generation: Firewalls are stateful inspection firewalls, which, as described previously, monitor network connections between internal and external systems using state tables.

    Fourth Generation: Firewalls, which are also known as dynamic packet filtering firewalls, allow only a particular packet with a particular source, destination, and port address to enter.


    Firewalls Categorized By Generation (Contd)

    Fifth Generation: Firewalls are the kernel proxy, a specialized form that works under the Windows NT Executive, which is the kernel of Windows NT. This type of firewall evaluates packets at multiple layers of the protocol stack, by checking security in the kernel as data is passed up and down the stack.


    Firewalls Categorized By Structure

    Commercial-Grade Firewall Appliances

    Commercial-Grade Firewall Systems

    Small Office/Home Office (SOHO) Firewall Appliances

    Residential-Grade Firewall Software


    Firewall Architectures

    The following make up the architectural structure of firewalls:

    Packet Filtering Routers

    Screened Host Firewalls

    Dual-Homed Host Firewalls

    Screened Subnet Firewalls (With DMZ)


    Screened Host Firewall Diagram


    Dual-Homed Host Firewall Diagram


    Screened Subnet (DMZ) Diagram


    Questions to ask when choosing a Firewall

    What type of firewall technology offers the right balance between protection and cost for the needs of the organization?

    What features are included in the base price? What features are available at extra cost? Are all cost factors known?

    How easy is it to set up and configure the firewall? How accessible are the staff technicians who can competently configure the firewall?


    The most important factor is, of course, the extent to which the firewall design provides the required protection. The second most important factor is cost. Cost may keep a certain make, model, or type out of reach. As with all security decisions, certain compromises may be necessary in order to provide a viable solution under the budgetary constraints stipulated by management.


    Types of Networks

    There are two types of networks:

    1. An untrusted network: this is usually the Internet

    2. A trusted network, which is one in which the user is not exposed to viruses and spam.


    Upon completion of this chapter, you should be able to:

    Define risk management and its role in the organization

    Begin using risk management techniques to identify and prioritize risk factors for information assets

    Assess risk based on the likelihood of adverse events and the effects on information assets when events occur

    Begin to document the results of risk identification

    Management of Information Security 22


    Information security departments are created primarily to manage IT risk

    Managing risk is one of the key responsibilities of every manager within the organization

    In any well-developed risk management program, two formal processes are at work:

    Risk identification and assessment

    Risk control


    This means identifying, examining, and understanding information and how it is processed, stored, and transmitted

    Armed with this knowledge, then initiate an in-depth risk management program

    Risk management is a process, which means the safeguards and controls that are devised and implemented are not install-and-forget devices


    This means identifying, examining, and understanding the threats facing the organization's information assets

    Managers must be prepared to fully identify those threats that pose risks to the organization and the security of its information assets

    Risk management is the process of assessing the risks to an organization's information and determining how those risks can be controlled or mitigated


    Risk identification begins with the process of self-examination

    Managers identify the organization's information assets, classify them into useful groups, and prioritize them by their overall importance


    Identify information assets, including people, procedures, data and information, software, hardware, and networking elements

    Should be done without pre-judging the value of each asset

    Values will be assigned later in the process


    Whether automated or manual, the inventory process requires a certain amount of planning

    Determine which attributes of each of these information assets should be tracked

    Will depend on the needs of the organization and its risk management efforts


    When deciding which attributes to track for each information asset, consider the following list of potential attributes:

    Name

    IP address

    MAC address

    Asset type

    Serial number

    Manufacturer name

    Manufacturer's model or part number

    Software version, update revision, or FCO number

    Physical location

    Logical location

    Controlling entity


    Responsibility for identifying, describing, and evaluating these information assets should be assigned to managers who possess the necessary knowledge, experience, and judgment

    As these assets are identified, they should be recorded via a reliable data-handling process like the one used for hardware


    People

    Position name/number/ID

    Supervisor name/number/ID

    Security clearance level

    Special skills

    Procedures

    Description

    Intended purpose

    Software/hardware/networking elements to which it is tied

    Location where it is stored for reference

    Location where it is stored for update purposes


    Data

    Classification

    Owner/creator/manager

    Size of data structure

    Data structure used

    Online or offline

    Location

    Backup procedures

    Once the initial inventory is assembled, determine whether its asset categories are meaningful

    Inventory should also reflect the sensitivity and security priority assigned to each information asset

    A classification scheme categorizes these information assets based on their sensitivity and security needs


    Each of these categories designates the level of protection needed for a particular information asset

    Some asset types, such as personnel, may require an alternative classification scheme that would identify the clearance needed to use the asset type

    Classification categories must be comprehensive and mutually exclusive


    As each information asset is identified, categorized, and classified, assign a relative value

    Relative values are comparative judgments made to ensure that the most valuable information assets are given the highest priority, for example:

    Which information asset is the most critical to the success of the organization?

    Which information asset generates the most revenue?

    Which information asset generates the highest profitability?

    Which information asset is the most expensive to replace?

    Which information asset is the most expensive to protect?


    The final step in the risk identification process is to list the assets in order of importance

    Can be achieved by using a weighted factor analysis worksheet


    Data owners must classify information assets for which they are responsible and review the classifications periodically

    Example:

    Public

    For official use only

    Sensitive

    Classified

    The U.S. military classification scheme relies on a more complex categorization system than the schemes of most corporations

    Uses a five-level classification scheme as defined in Executive Order 12958:

    Unclassified Data

    Sensitive But Unclassified (SBU) Data

    Confidential Data

    Secret Data

    Top Secret Data

    Managing an information asset includes considering the storage, distribution, portability, and destruction of that information asset

    An information asset that has a classification designation other than unclassified or public:

    Must be clearly marked as such


    To maintain confidentiality of classified documents, managers can implement a clean desk policy

    When copies of classified information are no longer valuable or too many copies exist, care should be taken to destroy them properly to discourage dumpster diving


    Any organization typically faces a wide variety of threats

    If you assume that every threat can and will attack every information asset, then the project scope becomes too complex

    To make the process less unwieldy, each step in the threat identification and vulnerability identification processes is managed separately and then coordinated


    Each threat presents a unique challenge to information security

    Must be handled with specific controls that directly address the particular threat and the threat agent's attack strategy

    Before threats can be assessed in the risk identification process, each threat must be further examined to determine its potential to affect the targeted information asset


    Once you have identified the information assets of the organization and documented some threat assessment criteria, you can begin to review every information asset for each threat

    Leads to creation of a list of vulnerabilities that remain potential risks to the organization

    Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset

    At the end of the risk identification process, a list of assets and their vulnerabilities has been developed

    This list serves as the starting point for the next step in the risk


    The goal at this point is to create a method to evaluate the relative risk of each listed vulnerability


    Likelihood is the overall rating, often a numerical value on a defined scale (such as 0.1 to 1.0), of the probability that a specific vulnerability will be exploited

    Using the information documented during the risk identification process, you can assign weighted scores based on the value of each information asset, i.e. 1-100, low-med-high, etc.
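Two of the slides above leave the arithmetic implicit: the weighted factor analysis worksheet that lists assets in order of importance, and the likelihood rating (0.1 to 1.0) combined with a weighted asset score (1-100) to rate each listed vulnerability. The Python below is an added example, not the slides' own material, that carries both steps through on constructed data. The criteria, weights, scores and likelihoods are all made up; the convention that criterion weights sum to 1.0 and the rating formula (likelihood multiplied by the asset's weighted score) are assumptions of this example.

```python
# Added example, not part of the slides. Step 1 ranks information assets with a
# weighted factor analysis worksheet; step 2 rates each listed vulnerability by
# multiplying the likelihood of exploitation (0.1 to 1.0 scale, as on the slide)
# by the asset's weighted score. Assets, criteria, weights and likelihoods are
# constructed for the example.

# Criteria and their weights. Weights summing to 1.0 is a worksheet convention
# assumed here, so that a weighted score stays on the same 1-100 scale as the inputs.
CRITERIA_WEIGHTS = {
    "critical_to_success": 0.4,
    "revenue_generated": 0.3,
    "cost_to_replace": 0.3,
}

# Each asset is scored 1-100 against every criterion (constructed scores).
ASSETS = {
    "customer_database": {"critical_to_success": 100, "revenue_generated": 90, "cost_to_replace": 80},
    "public_web_server": {"critical_to_success": 70, "revenue_generated": 60, "cost_to_replace": 40},
    "internal_wiki":     {"critical_to_success": 30, "revenue_generated": 10, "cost_to_replace": 20},
}

# Vulnerabilities from risk identification with an estimated likelihood that each
# will be exploited (0.1 = very unlikely, 1.0 = near certain). Constructed.
VULNERABILITIES = [
    ("customer_database", "unpatched database service", 0.5),
    ("public_web_server", "web application input not validated", 0.8),
    ("internal_wiki", "default administrator password", 0.3),
]


def weighted_score(scores, weights=CRITERIA_WEIGHTS):
    """Weighted factor analysis: sum of score x weight over all criteria."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("criterion weights must sum to 1.0")
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"asset not scored against: {sorted(missing)}")
    return sum(scores[c] * w for c, w in weights.items())


def rank_assets(assets=ASSETS):
    """Return (asset, weighted score) pairs, most important first."""
    scored = [(name, round(weighted_score(s), 1)) for name, s in assets.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def rate_risks(vulns=VULNERABILITIES, assets=ASSETS):
    """Risk rating = likelihood x asset weighted score (formula assumed here).
    Returns (asset, vulnerability, rating) sorted from highest risk down."""
    values = dict(rank_assets(assets))
    rated = []
    for asset, vuln, likelihood in vulns:
        if not 0.1 <= likelihood <= 1.0:
            raise ValueError(f"likelihood for {vuln!r} is off the 0.1-1.0 scale")
        rated.append((asset, vuln, round(likelihood * values[asset], 1)))
    return sorted(rated, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    print("Assets by importance:")
    for name, score in rank_assets():
        print(f"  {name:20s} {score:6.1f}")
    print("Vulnerabilities by risk rating:")
    for asset, vuln, rating in rate_risks():
        print(f"  {rating:6.1f}  {asset:20s} {vuln}")
```

The ordering is the point of the worksheet: the customer database is the most valuable asset (91.0 against 58.0 and 21.0), yet the web server's vulnerability rates slightly higher (46.4 against 45.5) because its likelihood of exploitation is higher. Ranking assets alone would have put the effort in a different place than ranking the vulnerabilities does.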


    To be effective, the likelihood values must be assigned by asking:

    Which threats present a danger to this organization's assets in the given environment?

    Which threats represent the most danger to the organization's information?

    How much would it cost to recover from a successful attack?

    Which threats would require the greatest expenditure to prevent?

    Which of the aforementioned questions is the most important to the protection of information from threats within this organization?


    It is not possible to know everything about every vulnerability

    The degree to which a current control can reduce risk is also subject to estimation error

    Uncertainty is an estimate made by the manager using judgment and experience


    Access controls specifically address admission of a user into a trusted area of the organization

    These areas can include information systems, physically restricted areas such as computer rooms, and even the organization in its entirety

    Access controls usually consist of a


    Mandatory Access Controls (MACs):

    Required

    Structured and coordinated with a data classification scheme

    When implemented, users and data owners have limited control over their access to information resources

    Use a data classification scheme that rates each collection of information
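To show what "coordinated with a data classification scheme" means in practice, here is an added Python example (not from the slides) that drives a mandatory access check from the five-level scheme listed earlier in the deck. The decision rule, that a subject may read an object only when its clearance level is at least the object's classification level, is the assumption this example makes about MAC; the users, their clearances and the documents are constructed. Note that no user or data owner appears in the decision at all, which is the "limited control" the slide refers to.

```python
# Added example, not part of the slides: a mandatory access control check driven
# by the five-level classification scheme listed earlier in the deck. The rule
# (clearance rank must be at least the document's classification rank) is an
# assumption of this example; users, clearances and documents are constructed.

LEVELS = ["Unclassified", "Sensitive But Unclassified",
          "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}   # lowest to highest

# Clearance held by each subject (constructed).
CLEARANCES = {"alice": "Secret", "bob": "Confidential", "carol": "Unclassified"}

# Each collection of information rated by the classification scheme (constructed).
DOCUMENTS = {
    "press_release": "Unclassified",
    "vendor_contract": "Sensitive But Unclassified",
    "incident_report": "Confidential",
    "network_design": "Secret",
    "source_list": "Top Secret",
}


def mac_allows(subject, document, clearances=CLEARANCES, documents=DOCUMENTS):
    """Mandatory rule: the subject's clearance rank must dominate the
    document's classification rank. Unknown subject, document or level
    means deny; neither the user nor the data owner can change the result."""
    try:
        return RANK[clearances[subject]] >= RANK[documents[document]]
    except KeyError:
        return False


def readable_by(subject, clearances=CLEARANCES, documents=DOCUMENTS):
    """Every document the mandatory rule lets this subject read, sorted by name."""
    return sorted(d for d in documents
                  if mac_allows(subject, d, clearances, documents))


def minimum_clearance_for(document, documents=DOCUMENTS):
    """The lowest clearance level that satisfies the rule for this document."""
    return documents[document]


if __name__ == "__main__":
    for who in CLEARANCES:
        print(f"{who:6s} ({CLEARANCES[who]:26s}) may read: {', '.join(readable_by(who))}")
    print("network_design requires at least:", minimum_clearance_for("network_design"))
```

Because the check compares ranks rather than names, adding a classification level or re-rating a document changes the outcome everywhere at once, which is the administrative advantage the slide's "structured and coordinated" phrasing points at.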


    In lattice-based access controls, users are assigned a matrix of authorizations for particular areas of access

    The matrix contains subjects and objects

    The boundaries associated with each subject/object pair are clearly demarcated

    With this type of control, the column of attributes associated with a particular object is called an access control list (ACL)

    The row of attributes associated with a particular subject is a capabilities table
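The column/row distinction on the slide above is easiest to see with the matrix written down. The Python below is an added example, not part of the slides: it holds one access matrix of subjects against objects, derives an access control list as a column and a capabilities table as a row, and checks that the two views never disagree, which is what "clearly demarcated" boundaries amount to. The subjects, objects and rights are constructed.

```python
# Added example, not part of the slides: an access matrix of subjects (rows)
# against objects (columns). The column for an object is its access control
# list; the row for a subject is its capabilities table. All names constructed.

# matrix[subject][object] = set of rights; an absent entry means no access.
MATRIX = {
    "alice":      {"payroll.db": {"read", "write"}, "audit.log": {"read"}},
    "bob":        {"web_root": {"read", "write"}},
    "svc_backup": {"payroll.db": {"read"}, "web_root": {"read"}, "audit.log": {"read"}},
}


def access_control_list(obj, matrix=MATRIX):
    """Column of the matrix: which subjects may do what to this object."""
    acl = {}
    for subject, row in matrix.items():
        rights = row.get(obj)
        if rights:
            acl[subject] = sorted(rights)
    return acl


def capabilities_table(subject, matrix=MATRIX):
    """Row of the matrix: everything this subject may do, by object."""
    return {obj: sorted(rights)
            for obj, rights in matrix.get(subject, {}).items() if rights}


def is_permitted(subject, obj, right, matrix=MATRIX):
    """The cell at (subject, object) decides; anything missing is denied."""
    return right in matrix.get(subject, {}).get(obj, set())


def views_consistent(matrix=MATRIX):
    """Both views are projections of the same matrix, so for every
    subject/object pair the ACL entry and the capability entry must agree."""
    objects = {obj for row in matrix.values() for obj in row}
    for subject in matrix:
        caps = capabilities_table(subject, matrix)
        for obj in objects:
            if access_control_list(obj, matrix).get(subject, []) != caps.get(obj, []):
                return False
    return True


if __name__ == "__main__":
    print("ACL for payroll.db:", access_control_list("payroll.db"))
    print("Capabilities of svc_backup:", capabilities_table("svc_backup"))
    print("bob may read payroll.db:", is_permitted("bob", "payroll.db", "read"))
    print("views consistent:", views_consistent())
```

The two views answer different operational questions from the same data: an ACL answers "who can touch this object?" (useful when reviewing or revoking access to one resource), while a capabilities table answers "what can this subject reach?" (useful when a subject's account is reviewed or removed).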


    Nondiscretionary controls are determined by a central authority in the organization

    Can be based on roles (called role-based controls) or on a specified set of tasks (called task-based controls)

    Task-based controls can, in turn, be based on lists maintained on subjects or objects

    Role-based controls are tied to the role that a particular user performs in an organization, whereas task-based controls are tied to a particular assignment or responsibility


    Discretionary Access Controls (DACs) are implemented at the discretion or option of the data user

    The ability to share resources in a peer-to-peer configuration allows users to control and possibly provide access to information or resources at their disposal

    The users can allow general, unrestricted access, or they can allow specific individuals or sets of individuals to access these resources


    The goal of the risk management process:

    Identify information assets and their vulnerabilities

    Rank them according to the need for protection

    In preparing this list, a wealth of factual information about the assets and the threats they face is collected

    Also, information about the controls that are already in place is collected


    Introduction

    Risk Management

    Risk Identification

    Risk Assessment

    Documenting the Results of Risk Assessment