firewalls & vpns(edit)2
TRANSCRIPT
-
7/31/2019 Firewalls & VPNS(Edit)2
1/55
Security Technology: Firewalls & VPNs
-
FIREWALLS (Contd)
Firewalls can be packet filtering, stateful packet filtering, proxy, or application level.
A firewall can be a single device or a firewall subnet, which consists of multiple firewalls creating a buffer between the outside and inside networks. Thus, firewalls can be used to create security perimeters.
A firewall is an information security control, a device or a program, which is similar to a building's firewall in that it prevents specific types of information from moving between the outside world, known as the untrusted network (e.g. the Internet), and the inside world, known as the trusted network.
-
FIREWALLS (Contd)
-
Places Where Firewalls Are Used
In commercial and residential construction, firewalls are concrete or masonry walls that run from the basement through the roof, to prevent fire from jumping from one section of the building to another.
In aircraft and automobiles, a firewall is an insulated metal barrier that keeps the hot and dangerous moving parts of the motor separate from the flammable interior where the passengers sit.
-
Different Types Of Firewalls
Packet Filtering Firewalls: Also called filtering firewalls, examine the header information (addresses, protocol, and port numbers) of data packets that come into a network and accept or drop each packet on that basis alone.
Stateful Inspection Firewalls: Also called stateful firewalls, keep track of each network connection between internal and external systems using a state table, so that a packet is judged as part of a known connection rather than in isolation.
Application-Level Firewalls: Frequently installed on a dedicated computer, separate from the filtering router, but commonly used in conjunction with a filtering router. Also known as a proxy server.
-
Different Types Of Firewalls(Contd)
Circuit Gateway Firewalls: Operate at the transport layer. Again, connections are authorized based on addresses. Like filtering firewalls, circuit gateway firewalls do not usually look at the traffic flowing between one network and another, but they do prevent direct connections between one network and another.
MAC Layer Firewalls: Designed to operate at the media access control sub-layer of the data link layer (Layer 2) of the OSI model. This enables these firewalls to consider the specific host computer's identity, as represented by its MAC or Network Interface Card (NIC) address, in their filtering decisions.
-
Different Types Of Firewalls(Contd)
Hybrid Firewalls: Hybrid firewalls combine the elements of other types of firewalls, that is, the elements of packet filtering and proxy services, or of packet filtering and circuit gateways. A hybrid firewall system may actually consist of two separate firewall devices; each is a separate firewall system, but they are connected so that they work in tandem. An advantage of the hybrid firewall approach is that it enables an organization to make a security improvement without completely replacing its existing firewalls.
-
Firewalls Categorized By Generation
First Generation: Firewalls are static packet filtering firewalls, that is, simple networking devices that filter packets according to their headers as the packets travel to and from the organization's networks.
Second Generation: Firewalls are application-level firewalls or proxy servers, that is, dedicated systems that are separate from the filtering router and that provide intermediate services for requestors.
-
Firewalls Categorized By Generation(Contd)
Third Generation: Firewalls are stateful inspection firewalls, which, as described previously, monitor network connections between internal and external systems using state tables.
Fourth Generation: Firewalls, which are also known as dynamic packet filtering firewalls, allow only a particular packet with a particular source, destination, and port address to enter; the permitting rule is created in response to the traffic seen rather than configured statically.
-
Firewalls Categorized By Generation(Contd)
Fifth Generation: Firewalls are the kernel proxy, a specialized form that works under the Windows NT Executive, which is the kernel of Windows NT. This type of firewall evaluates packets at multiple layers of the protocol stack, by checking security in the kernel as data is passed up and down the stack.
-
Firewalls Categorized By Structure
Commercial-Grade Firewall Appliances
Commercial-Grade Firewall Systems
Small Office/Home Office (SOHO) Firewall Appliances
Residential-Grade Firewall Software
-
Firewall Architectures
The following make up the architectural structure of firewalls:
Packet Filtering Routers
Screened Host Firewalls
Dual-Homed Host Firewalls
Screened Subnet Firewalls (With DMZ)
-
Screened Host Firewall Diagram
-
Dual-Homed Host Firewall Diagram
-
Screened Subnet (DMZ) Diagram
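The difference between a static packet filter and a stateful inspection firewall, and the way a screened subnet rule set keeps the outside, the DMZ and the inside apart, as an added example in Python that is not part of the original slides. The zones, addresses, ports, packets and the rule set are constructed for illustration: the filter evaluates rules top down with an implicit deny, and the stateful firewall adds a table of connections it has already authorised.

```python
"""Static packet filter vs stateful inspection over a screened-subnet rule set.
Added example, not from the original slides: zones, addresses, ports, packets and
rules are all constructed. Outside may reach only the DMZ web server on TCP/443,
inside may initiate anywhere, and the DMZ never initiates towards the inside."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DMZ = ip_network("192.0.2.0/24")    # screened subnet (documentation range)
INSIDE = ip_network("10.0.0.0/8")   # trusted network; anything else is "outside"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP flag on a connection-opening packet
    ack: bool = False   # TCP flag on every packet after the first


def zone(addr: str) -> str:
    a = ip_address(addr)
    return "inside" if a in INSIDE else "dmz" if a in DMZ else "outside"


@dataclass(frozen=True)
class Rule:
    src_zone: str             # zone name or "any"
    dst_zone: str
    proto: Optional[str]      # None = any protocol
    dport: Optional[int]      # None = any destination port
    action: str               # "allow" or "deny"
    ack_only: bool = False    # match only non-SYN packets that carry ACK

    def matches(self, p: Packet) -> bool:
        return (self.src_zone in ("any", zone(p.src))
                and self.dst_zone in ("any", zone(p.dst))
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and (not self.ack_only or (p.ack and not p.syn)))


# Evaluated top down, first match wins, implicit deny at the end.
SCREENED_SUBNET_RULES = [
    Rule("outside", "dmz", "tcp", 443, "allow"),   # the published web service only
    Rule("inside", "any", None, None, "allow"),    # trusted hosts may initiate
    Rule("dmz", "inside", None, None, "deny"),     # a compromised DMZ host stays out
]


def static_filter(p: Packet, trust_ack_flag: bool = False) -> str:
    """First-generation filter: header fields only, no memory of connections.
    Replies to inside-initiated sessions can only be admitted by a rule that
    trusts the ACK flag, which any sender can set."""
    rules = list(SCREENED_SUBNET_RULES)
    if trust_ack_flag:
        rules.insert(0, Rule("outside", "inside", "tcp", None, "allow", ack_only=True))
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFirewall:
    """Third-generation filter: rules judge new connections; a state table admits
    the packets of connections that were already authorised."""

    def __init__(self) -> None:
        self.state: set = set()   # (src, sport, dst, dport, proto) of open flows

    def decide(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if key in self.state or reverse in self.state:
            return "allow"           # established flow, either direction
        if p.proto == "tcp" and not p.syn:
            return "deny"            # mid-stream TCP packet with no state
        action = static_filter(p)    # new connection: consult the rule set
        if action == "allow":
            self.state.add(key)
        return action


def run_scenarios() -> dict:
    """Constructed packets; each value lists the static then the stateful decision."""
    client_to_web = Packet("203.0.113.5", "192.0.2.10", "tcp", 40000, 443, syn=True)
    inside_out = Packet("10.1.1.20", "198.51.100.7", "tcp", 50000, 443, syn=True)
    reply_in = Packet("198.51.100.7", "10.1.1.20", "tcp", 443, 50000, ack=True)
    ack_probe = Packet("203.0.113.9", "10.1.1.20", "tcp", 443, 3389, ack=True)
    dmz_to_inside = Packet("192.0.2.10", "10.1.1.20", "tcp", 51000, 445, syn=True)
    fw = StatefulFirewall()
    return {
        "client_to_web": (static_filter(client_to_web), fw.decide(client_to_web)),
        "inside_out": (static_filter(inside_out), fw.decide(inside_out)),
        "reply_in": (static_filter(reply_in), static_filter(reply_in, True), fw.decide(reply_in)),
        "ack_probe": (static_filter(ack_probe, True), fw.decide(ack_probe)),
        "dmz_to_inside": (static_filter(dmz_to_inside), fw.decide(dmz_to_inside)),
    }


if __name__ == "__main__":
    for name, decisions in run_scenarios().items():
        print(f"{name:14s} {decisions}")
```

Compare the reply_in and ack_probe rows when it runs: the static filter drops the reply to the inside-initiated session unless it is given a rule that trusts the ACK flag, and that same rule then admits an attacker's ACK-flagged probe to an internal host on port 3389. The stateful firewall admits the genuine reply because its reverse 5-tuple is in the state table, and drops the probe because nothing in the table matches it.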
-
Questions to ask when choosing a Firewall
What type of firewall technology offers the right balance between protection and cost for the needs of the organization?
What features are included in the base price? What features are available at extra cost? Are all cost factors known?
How easy is it to set up and configure the firewall? How accessible are the staff technicians who can competently configure the firewall?
-
The most important factor is, of course, the extent to which the firewall design provides the required protection. The second most important factor is cost. Cost may keep a certain make, model, or type out of reach. As with all security decisions, certain compromises may be necessary in order to provide a viable solution under the budgetary constraints stipulated by management.
-
Types of Networks
From a firewall's point of view there are two types of networks:
1. An untrusted network: this is usually the Internet.
2. A trusted network: the organization's own inside network, which is meant to keep its users shielded from threats such as viruses and spam.
-
Upon completion of this chapter, you should be able to:
Define risk management and its role in the organization
Begin using risk management techniques to identify and prioritize risk factors for information assets
Assess risk based on the likelihood of adverse events and the effects on information assets when events occur
Begin to document the results of risk identification
Management of Information Security 22
-
Information security departments are created primarily to manage IT risk
Managing risk is one of the key responsibilities of every manager within the organization
In any well-developed risk management program, two formal processes are at work:
Risk identification and assessment
Risk control
-
This means identifying, examining and understanding information and how it is processed, stored, and transmitted
Armed with this knowledge, then initiate an in-depth risk management program
Risk management is a process, which means the safeguards and controls that are devised and implemented are not install-and-forget devices
-
This means identifying, examining, and understanding the threats facing the organization's information assets
Managers must be prepared to fully identify those threats that pose risks to the organization and the security of its information assets
Risk management is the process of assessing the risks to an organization's information and determining how those risks can be controlled or mitigated
-
Risk identification begins with the process of self-examination
Managers identify the organization's information assets, classify them into useful groups, and prioritize them by their overall importance
-
Identify information assets, including people, procedures, data and information, software, hardware, and networking elements
Should be done without pre-judging the value of each asset
Values will be assigned later in the process
-
-
Whether automated or manual, the inventory process requires a certain amount of planning
Determine which attributes of each of these information assets should be tracked
Will depend on the needs of the organization and its risk management efforts
-
When deciding which attributes to track for each information asset, consider the following list of potential attributes:
Name
IP address
MAC address
Asset type
Serial number
Manufacturer name
Manufacturer's model or part number
Software version, update revision, or FCO number
Physical location
Logical location
Controlling entity
-
Responsibility for identifying, describing, and evaluating these information assets should be assigned to managers who possess the necessary knowledge, experience, and judgment
As these assets are identified, they should be recorded via a reliable data-handling process like the one used for hardware
-
People
Position name/number/ID
Supervisor name/number/ID
Security clearance level
Special skills
Procedures
Description
Intended purpose
Software/hardware/networking elements to which it is tied
Location where it is stored for reference
Location where it is stored for update purposes
-
Data
Classification
Owner/creator/manager
Size of data structure
Data structure used
Online or offline
Location
Backup procedures
-
Once the initial inventory is assembled, determine whether its asset categories are meaningful
Inventory should also reflect the sensitivity and security priority assigned to each information asset
A classification scheme categorizes these information assets based on their sensitivity and security needs
-
Each of these categories designates the level of protection needed for a particular information asset
Some asset types, such as personnel, may require an alternative classification scheme that would identify the clearance needed to use the asset type
Classification categories must be comprehensive and mutually exclusive
-
As each information asset is identified, categorized, and classified, assign a relative value
Relative values are comparative judgments made to ensure that the most valuable information assets are given the highest priority, for example:
Which information asset is the most critical to the success of the organization?
Which information asset generates the most revenue?
Which information asset generates the highest profitability?
Which information asset is the most expensive to replace?
Which information asset is the most expensive to protect?
-
The final step in the risk identification process is to list the assets in order of importance
Can be achieved by using a weighted factor analysis worksheet
-
Data owners must classify information assets for which they are responsible and review the classifications periodically
Example:
Public
For official use only
Sensitive
Classified
-
The U.S. military classification scheme relies on a more complex categorization system than the schemes of most corporations
Uses a five-level scheme, in which the three classified levels (Confidential, Secret, Top Secret) are the ones defined in Executive Order 12958:
Unclassified Data
Sensitive But Unclassified (SBU) Data
Confidential Data
Secret Data
Top Secret Data
-
Managing an information asset includes considering the storage, distribution, portability, and destruction of that information asset
Information asset that has a classification designation other than unclassified or public:
Must be clearly marked as such
-
To maintain confidentiality of classified documents, managers can implement a clean desk policy
When copies of classified information are no longer valuable or too many copies exist, care should be taken to destroy them properly to discourage dumpster diving
-
Any organization typically faces a wide variety of threats
If you assume that every threat can and will attack every information asset, then the project scope becomes too complex
To make the process less unwieldy, each step in the threat identification and vulnerability identification processes is managed separately and then coordinated
-
Each threat presents a unique challenge to information security
Must be handled with specific controls that directly address the particular threat and the threat agent's attack strategy
Before threats can be assessed in the risk identification process, each threat must be further examined to determine its potential to affect the targeted information asset
-
Once you have identified the information assets of the organization and documented some threat assessment criteria, you can begin to review every information asset for each threat
This leads to the creation of a list of vulnerabilities that remain potential risks to the organization
Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset
At the end of the risk identification process, a list of assets and their vulnerabilities has been developed
This list serves as the starting point for the next step in the risk
-
The goal at this point is to create a method to evaluate the relative risk of each listed vulnerability
-
Likelihood is the overall rating, often a numerical value on a defined scale (such as 0.1 to 1.0), of the probability that a specific vulnerability will be exploited
Using the information documented during the risk identification process, you can assign weighted scores based on the value of each information asset, e.g. 1-100, low/medium/high, etc.
-
To be effective, the likelihood values must be assigned by asking:
Which threats present a danger to this organization's assets in the given environment?
Which threats represent the most danger to the organization's information?
How much would it cost to recover from a successful attack?
Which threats would require the greatest expenditure to prevent?
Which of the aforementioned questions is the most important to the protection of information from threats within this organization?
-
It is not possible to know everything about every vulnerability
The degree to which a current control can reduce risk is also subject to estimation error
Uncertainty is an estimate made by the manager using judgment and experience
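A weighted factor analysis worksheet for asset value, followed by a relative risk rating of each identified vulnerability, as an added example in Python that is not from the original slides. The ranking criteria are the five questions the slides list; the weights, assets, scores, likelihoods, control effectiveness and uncertainty values are constructed. The slides name asset value, likelihood, the risk a current control removes, and uncertainty as the inputs but give no formula; the way they are combined here (value times likelihood, reduced by the share of risk current controls remove, increased by the estimation uncertainty) is an assumption.

```python
"""Weighted factor analysis and relative risk rating of vulnerabilities.
Added example, not from the original slides. All assets, weights, scores,
likelihoods, control effectiveness and uncertainty values are constructed.
The rating formula is an assumption: the slides name the four factors but
give no formula for combining them."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The five ranking questions from the slides, with constructed weights (sum 100).
CRITERIA_WEIGHTS: Dict[str, float] = {
    "critical_to_success": 30,
    "generates_revenue": 20,
    "profitability": 15,
    "replacement_cost": 15,
    "protection_cost": 20,
}


@dataclass
class Asset:
    name: str
    scores: Dict[str, float]   # 0.0-1.0 per criterion, as judged by the asset owner

    def weighted_value(self) -> float:
        """Weighted factor analysis: score x weight, summed, on a 0-100 scale."""
        if abs(sum(CRITERIA_WEIGHTS.values()) - 100) > 1e-9:
            raise ValueError("criteria weights must sum to 100")
        total = 0.0
        for criterion, weight in CRITERIA_WEIGHTS.items():
            score = self.scores[criterion]            # KeyError if a criterion is missing
            if not 0.0 <= score <= 1.0:
                raise ValueError(f"{self.name}: score for {criterion} must be 0-1")
            total += score * weight
        return total


@dataclass
class Vulnerability:
    asset: str
    description: str
    likelihood: float        # 0.1-1.0, probability the vulnerability is exploited
    control_effect: float    # 0.0-1.0, share of the risk current controls remove
    uncertainty: float       # 0.0-1.0, how unsure the estimator is of the above


def risk_rating(asset_value: float, v: Vulnerability) -> float:
    """Assumed formula: value x likelihood, less what current controls remove,
    plus a margin for the uncertainty of the estimate."""
    if not 0.1 <= v.likelihood <= 1.0:
        raise ValueError(f"{v.description}: likelihood must be 0.1-1.0")
    for name, x in (("control_effect", v.control_effect), ("uncertainty", v.uncertainty)):
        if not 0.0 <= x <= 1.0:
            raise ValueError(f"{v.description}: {name} must be 0-1")
    return asset_value * v.likelihood * (1.0 - v.control_effect + v.uncertainty)


def rank_vulnerabilities(assets: List[Asset],
                         vulns: List[Vulnerability]) -> List[Tuple[str, str, float]]:
    """Return (asset, vulnerability, rating) sorted from highest to lowest risk."""
    values = {a.name: a.weighted_value() for a in assets}
    rated = [(v.asset, v.description, round(risk_rating(values[v.asset], v), 2))
             for v in vulns]                          # KeyError for an unknown asset
    return sorted(rated, key=lambda r: r[2], reverse=True)


def sample_ranking() -> List[Tuple[str, str, float]]:
    """Constructed inventory: three assets, four identified vulnerabilities."""
    assets = [
        Asset("customer database", {"critical_to_success": 1.0, "generates_revenue": 0.8,
                                    "profitability": 0.8, "replacement_cost": 0.9,
                                    "protection_cost": 0.6}),
        Asset("public web server", {"critical_to_success": 0.7, "generates_revenue": 0.9,
                                    "profitability": 0.6, "replacement_cost": 0.3,
                                    "protection_cost": 0.5}),
        Asset("marketing file share", {"critical_to_success": 0.2, "generates_revenue": 0.1,
                                       "profitability": 0.1, "replacement_cost": 0.2,
                                       "protection_cost": 0.3}),
    ]
    vulns = [
        Vulnerability("customer database", "SQL injection in customer portal", 0.5, 0.5, 0.1),
        Vulnerability("public web server", "unpatched TLS library", 0.8, 0.2, 0.2),
        Vulnerability("customer database", "unencrypted backup tapes off site", 0.2, 0.0, 0.3),
        Vulnerability("marketing file share", "guest accounts have write access", 0.9, 0.1, 0.1),
    ]
    return rank_vulnerabilities(assets, vulns)


if __name__ == "__main__":
    for asset, vuln, rating in sample_ranking():
        print(f"{rating:6.2f}  {asset:22s} {vuln}")
```

The point the ranking makes is that the most valuable asset does not automatically carry the top risk: the web server's unpatched library outranks the database's SQL injection because its likelihood is higher and the existing controls remove less of the risk, and the order would change again if the uncertainty margins were revised.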
-
Access controls specifically address admission of a user into a trusted area of the organization
These areas can include information systems, physically restricted areas such as computer rooms, and even the organization in its entirety
Access controls usually consist of a
-
Mandatory Access Controls (MACs):
Required
Structured and coordinated with a data classification scheme
When implemented, users and data owners have limited control over their access to information resources
Use a data classification scheme that rates each collection of information
-
In lattice-based access controls, users are assigned a matrix of authorizations for particular areas of access
Matrix contains subjects and objects
The boundaries associated with each subject/object pair are clearly demarcated
With this type of control, the column of attributes associated with a particular object is called an access control list (ACL)
The row of attributes associated with a particular subject is a capabilities table
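The access matrix with its columns (ACLs) and rows (capability tables), combined with the mandatory check against a data classification scheme described on the previous slide, as an added example in Python that is not part of the original slides. The subjects, objects, clearances, classifications and matrix entries are constructed; the five levels are the ones listed earlier for the U.S. military scheme, and applying a single "clearance at or above classification" test to every right is a simplification assumed here.

```python
"""Access matrix, ACLs, capability tables and a mandatory classification check.
Added example, not from the original slides. Subjects, objects, clearances,
classifications and matrix entries are constructed. Treating "clearance at or
above classification" as the mandatory test for every right is a simplification."""
from typing import Dict, FrozenSet, Set, Tuple

LEVELS = ["Unclassified", "Sensitive But Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {level: i for i, level in enumerate(LEVELS)}


def dominates(clearance: str, classification: str) -> bool:
    """True when a clearance is at or above a classification in the lattice."""
    return RANK[clearance] >= RANK[classification]


class AccessMatrix:
    """Rows are subjects, columns are objects, cells are sets of rights."""

    def __init__(self) -> None:
        self._cells: Dict[Tuple[str, str], Set[str]] = {}

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        self._cells.setdefault((subject, obj), set()).update(rights)

    def acl(self, obj: str) -> Dict[str, FrozenSet[str]]:
        """One column: every subject holding rights on this object (an ACL)."""
        return {s: frozenset(r) for (s, o), r in self._cells.items() if o == obj}

    def capabilities(self, subject: str) -> Dict[str, FrozenSet[str]]:
        """One row: every object this subject holds rights on (a capability table)."""
        return {o: frozenset(r) for (s, o), r in self._cells.items() if s == subject}

    def permits(self, subject: str, obj: str, right: str) -> bool:
        return right in self._cells.get((subject, obj), set())


class MandatoryPolicy:
    """A request passes only if the matrix grants it AND the labels allow it."""

    def __init__(self, matrix: AccessMatrix, clearances: Dict[str, str],
                 classifications: Dict[str, str]) -> None:
        self.matrix = matrix
        self.clearances = clearances            # subject -> clearance level
        self.classifications = classifications  # object -> classification level

    def check(self, subject: str, obj: str, right: str) -> bool:
        if not self.matrix.permits(subject, obj, right):
            return False
        return dominates(self.clearances[subject], self.classifications[obj])


def build_sample() -> MandatoryPolicy:
    """Constructed organisation: three subjects, three objects."""
    m = AccessMatrix()
    m.grant("alice", "payroll.db", "read", "write")
    m.grant("alice", "press_release.txt", "read")
    m.grant("bob", "payroll.db", "read")             # granted, but see bob's clearance
    m.grant("bob", "press_release.txt", "read", "write")
    for obj in ("payroll.db", "press_release.txt", "war_plan.doc"):
        m.grant("svc_backup", obj, "read")
    clearances = {"alice": "Secret", "bob": "Confidential", "svc_backup": "Top Secret"}
    classifications = {"payroll.db": "Secret", "press_release.txt": "Unclassified",
                       "war_plan.doc": "Top Secret"}
    return MandatoryPolicy(m, clearances, classifications)


if __name__ == "__main__":
    p = build_sample()
    print("ACL for payroll.db:", p.matrix.acl("payroll.db"))
    print("Capabilities of bob:", p.matrix.capabilities("bob"))
    for s, o, r in [("alice", "payroll.db", "write"), ("bob", "payroll.db", "read"),
                    ("svc_backup", "war_plan.doc", "read"), ("alice", "war_plan.doc", "read")]:
        print(f"{s} {r} {o}: {'allowed' if p.check(s, o, r) else 'denied'}")
```

The bob / payroll.db case is the one to notice: the matrix grants him read, which a discretionary check alone would honour, but the mandatory check refuses it because his Confidential clearance does not dominate the object's Secret classification. The same matrix yields the ACL by reading down a column and the capability table by reading across a row.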
-
Nondiscretionary controls are determined by a central authority in the organization
Can be based on roles (called role-based controls) or on a specified set of tasks (called task-based controls)
Task-based controls can, in turn, be based on lists maintained on subjects or objects
Role-based controls are tied to the role that a particular user performs in an organization, whereas task-based controls are tied to a particular assignment or responsibility
-
Discretionary Access Controls (DACs) are implemented at the discretion or option of the data user
The ability to share resources in a peer-to-peer configuration allows users to control and possibly provide access to information or resources at their disposal
The users can allow general, unrestricted access, or they can allow specific individuals or sets of individuals to access these resources
-
The goal of the risk management process:
Identify information assets and their vulnerabilities
Rank them according to the need for protection
In preparing this list, a wealth of factual information about the assets and the threats they face is collected
Also, information about the controls that are already in place is collected
-
Introduction
Risk Management
Risk Identification
Risk Assessment
Documenting the Results of Risk Assessment