Learning Objectives

Upon completion of this material, you should be able to:

 Explain the role of physical design in the implementation
of a comprehensive security program
 Describe firewall technology and the various approaches
to firewall implementation
 Identify the various approaches to remote and dial-up
access protection—that is, how these connection methods
can be controlled to assure confidentiality of information,
and the authentication and authorization of users
 Explain content filtering technology
 Describe the technology that enables the use of virtual
private networks
Principles of Information Security, 3rd Edition 2
 Introduction
 Technical controls are essential in enforcing policy for
many IT functions that do not involve direct human control
 Technical control solutions improve an organization’s ability
to balance making information readily available against
increasing information’s levels of confidentiality and
integrity

Principles of Information Security, 3rd Edition 3

 Physical Design
 The physical design process:

 Selects technologies to support information security blueprint

 Identifies complete technical solutions based on these

technologies, including deployment, operations, and
maintenance elements, to improve security of environment

 Designs physical security measures to support technical

solution

 Prepares project plans for implementation phase that follows

Principles of Information Security, 3rd Edition 4

 Firewalls

 Prevent specific types of information from moving between

the outside world (untrusted network) and the inside world
(trusted network)
 May be separate computer system; a software service
running on existing router or server; or a separate network
containing supporting devices

Principles of Information Security, 3rd Edition 5

 Processing Modes of Firewalls

 Five processing modes that firewalls can be categorized

by are:
 Packet filtering
 Application gateways
 Circuit gateways
 MAC layer firewalls
 Hybrids

Principles of Information Security, 3rd Edition 6

 Packet Filtering

 Packet filtering firewalls examine header information of data

packets
 Most often based on combination of:
 Internet Protocol (IP) source and destination address
 Direction (inbound or outbound)
 Transmission Control Protocol (TCP) or User Datagram
Protocol (UDP) source and destination port requests
 Simple firewall models enforce rules designed to prohibit
packets with certain addresses or partial addresses

Principles of Information Security, 3rd Edition 7

 Packet Filtering (continued)

 Three subsets of packet filtering firewalls:

 Static filtering: requires that filtering rules governing how the
firewall decides which packets are allowed and which are
denied are developed and installed
 Dynamic filtering: allows firewall to react to emergent event
and update or create rules to deal with event
 Stateful inspection: firewalls that keep track of each network
connection between internal and external systems using a
state table

Principles of Information Security, 3rd Edition 8

Principles of Information Security, 3rd Edition 9
Principles of Information Security, 3rd Edition 10
Principles of Information Security, 3rd Edition 11
Principles of Information Security, 3rd Edition 12
 Application Gateways

 Frequently installed on a dedicated computer; also known

as a proxy server
 Since proxy server is often placed in unsecured area of the
network (e.g., DMZ), it is exposed to higher levels of risk
from less trusted networks
 Additional filtering routers can be implemented behind the
proxy server, further protecting internal systems

Principles of Information Security, 3rd Edition 13

 Circuit Gateways

 Circuit gateway firewall operates at transport layer

 Like filtering firewalls, do not usually look at data traffic
flowing between two networks, but prevent direct
connections between one network and another
 Accomplished by creating tunnels connecting specific
processes or systems on each side of the firewall, and
allow only authorized traffic in the tunnels

Principles of Information Security, 3rd Edition 14

 MAC Layer Firewalls

 Designed to operate at the media access control layer of

OSI network model
 Able to consider specific host computer’s identity in its
filtering decisions
 MAC addresses of specific host computers are linked to
access control list (ACL) entries that identify specific types
of packets that can be sent to each host; all other traffic is
blocked

Principles of Information Security, 3rd Edition 15

Principles of Information Security, 3rd Edition 16
 Hybrid Firewalls

 Combine elements of other types of firewalls; i.e., elements

of packet filtering and proxy services, or of packet filtering
and circuit gateways
 Alternately, may consist of two separate firewall devices;
each a separate firewall system, but connected to work in
tandem

Principles of Information Security, 3rd Edition 17

Firewalls Categorized by Generation

 First generation: static packet filtering firewalls

 Second generation: application-level firewalls or proxy
servers
 Third generation: stateful inspection firewalls
 Fourth generation: dynamic packet filtering firewalls; allow
only packets with particular source, destination, and port
addresses to enter
 Fifth generation: kernel proxies; specialized form working
under kernel of Windows NT

Principles of Information Security, 3rd Edition 18

 Firewalls Categorized by Structure
 Most firewalls are appliances: stand-alone, self-contained
systems
 Commercial-grade firewall system consists of firewall
application software running on general-purpose computer
 Small office/home office (SOHO) or residential-grade
firewalls, aka broadband gateways or DSL/cable modem
routers, connect user’s local area network or a specific
computer system to Internetworking device
 Residential-grade firewall software is installed directly on
the user’s system

Principles of Information Security, 3rd Edition 19

 Firewall Architectures
 Firewall devices can be configured in a number of network
connection architectures
 Configuration that works best depends on three factors:
 Objectives of the network
 Organization’s ability to develop and implement architectures
 Budget available for function
 Four common architectural implementations of firewalls:
packet filtering routers, screened host firewalls, dual-homed
firewalls, screened subnet firewalls

Principles of Information Security, 3rd Edition 22

 Packet Filtering Routers

 Most organizations with Internet connection have a router

serving as interface to Internet

 Many of these routers can be configured to reject packets

that organization does not allow into network

 Drawbacks include a lack of auditing and strong

authentication

Principles of Information Security, 3rd Edition 23

Principles of Information Security, 3rd Edition 24
 Screened Host Firewalls

 Combines packet filtering router with separate, dedicated

firewall such as an application proxy server
 Allows router to prescreen packets to minimize traffic/load
on internal proxy
 Separate host is often referred to as bastion host; can be
rich target for external attacks and should be very
thoroughly secured

Principles of Information Security, 3rd Edition 25

Principles of Information Security, 3rd Edition 26
 Dual-Homed Host Firewalls

 Bastion host contains two network interface cards (NICs):

one connected to external network, one connected to
internal network

 Implementation of this architecture often makes use of

network address translation (NAT), creating another
barrier to intrusion from external attackers

Principles of Information Security, 3rd Edition 27

Principles of Information Security, 3rd Edition 28
Principles of Information Security, 3rd Edition 29
 Screened Subnet Firewalls (with DMZ)
 Dominant architecture used today is the screened subnet
firewall
 Commonly consists of two or more internal bastion hosts
behind packet filtering router, with each host protecting
trusted network:
 Connections from outside (untrusted network) routed
through external filtering router
 Connections from outside (untrusted network) are routed into
and out of routing firewall to separate network segment
known as DMZ
 Connections into trusted internal network allowed only from
DMZ bastion host servers

Principles of Information Security, 3rd Edition 30

 Screened Subnet Firewalls (with DMZ)
(continued)
 Screened subnet performs two functions:

 Protects DMZ systems and information from outside threats

 Protects the internal networks by limiting how external

connections can gain access to internal systems

 Another facet of DMZs: extranets

Principles of Information Security, 3rd Edition 31

Principles of Information Security, 3rd Edition 32
 Selecting the Right Firewall

 When selecting firewall, consider a number of factors:

 What firewall offers right balance between protection and cost
for needs of organization?
 Which features are included in base price and which are not?
 Ease of setup and configuration? How accessible are staff
technicians who can configure the firewall?
 Can firewall adapt to organization’s growing network?

 Second most important issue is cost

Principles of Information Security, 3rd Edition 33

 Configuring and Managing Firewalls

 Each firewall device must have own set of configuration

rules regulating its actions

 Firewall policy configuration is usually complex and

difficult

 Configuring firewall policies is both an art and a science

 When security rules conflict with the performance of

business, security often loses

Principles of Information Security, 3rd Edition 34

 Best Practices for Firewalls
 All traffic from trusted network is allowed out
 Firewall device never directly accessed from public network
 Simple Mail Transport Protocol (SMTP) data allowed to
pass through firewall
 Internet Control Message Protocol (ICMP) data denied
 Telnet access to internal servers should be blocked
 When Web services offered outside firewall, HTTP traffic
should be denied from reaching internal networks

Principles of Information Security, 3rd Edition 35

 Firewall Rules

 Operate by examining data packets and performing

comparison with predetermined logical rules

 Logic based on set of guidelines most commonly referred

to as firewall rules, rule base, or firewall logic

 Most firewalls use packet header information to

determine whether specific packet should be allowed or
denied

Principles of Information Security, 3rd Edition 36

Principles of Information Security, 3rd Edition 37
Principles of Information Security, 3rd Edition 38
Principles of Information Security, 3rd Edition 39
Principles of Information Security, 3rd Edition 40
Principles of Information Security, 3rd Edition 41
Principles of Information Security, 3rd Edition 42
Principles of Information Security, 3rd Edition 43
Principles of Information Security, 3rd Edition 44
Principles of Information Security, 3rd Edition 45
 Content Filters

 Software filter—not a firewall—that allows administrators

to restrict content access from within network

 Essentially a set of scripts or programs restricting user

access to certain networking protocols/Internet locations

 Primary focus to restrict internal access to external

material

 Most common content filters restrict users from accessing

non-business Web sites or deny incoming span

Principles of Information Security, 3rd Edition 46

 Protecting Remote Connections
 Installing Internetwork connections requires leased lines
or other data channels; these connections are usually
secured under requirements of formal service agreement

 When individuals seek to connect to organization’s

network, more flexible option must be provided

 Virtual Private Networks (VPNs) have become very

popular

Principles of Information Security, 3rd Edition 47

 Virtual Private Networks (VPNs)

 Private and secure network connection between systems;

uses data communication capability of unsecured and
public network
 Securely extends organization’s internal network
connections to remote locations beyond trusted network
 Three VPN technologies defined:
 Trusted VPN
 Secure VPN
 Hybrid VPN (combines trusted and secure)

Principles of Information Security, 3rd Edition 55

 Virtual Private Networks (VPNs) (continued)

 VPN must accomplish:

 Encapsulation of incoming and outgoing data

 Encryption of incoming and outgoing data

 Authentication of remote computer and (perhaps) remote

user as well

Principles of Information Security, 3rd Edition 56

 Transport Mode

 Data within IP packet is encrypted, but header

information is not
 Allows user to establish secure link directly with remote
host, encrypting only data contents of packet
 Two popular uses:
 End-to-end transport of encrypted data
 Remote access worker connects to office network over
Internet by connecting to a VPN server on the perimeter

Principles of Information Security, 3rd Edition 57

Principles of Information Security, 3rd Edition 58
 Tunnel Mode

 Organization establishes two perimeter tunnel servers

 These servers act as encryption points, encrypting all

traffic that will traverse unsecured network

 Primary benefit to this model is that an intercepted packet

reveals nothing about true destination system

 Example of tunnel mode VPN: Microsoft’s Internet

Security and Acceleration (ISA) Server

Principles of Information Security, 3rd Edition 59

Principles of Information Security, 3rd Edition 60
 Summary

 Firewall technology

 Various approaches to remote and dial-up access

protection

 Content filtering technology

 Virtual private networks

Principles of Information Security, 3rd Edition 62