unit 3 info sec.pptx

Upload: ersourabh13

Post on 14-Apr-2018

Category: Documents

TRANSCRIPT

7/29/2019 Unit 3 Info Sec.pptx

Slide 1/72: Unit 3: Security Technologies: Firewalls

Slide 2/72: Technical Control & Physical De

Slide 3/72: Access Control
- Mandatory access controls (MACs): lattice-based access control
- Nondiscretionary controls: role-based controls & task-based controls
- Discretionary access controls (DACs)
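The three access-control families on this slide, reduced to one decision function each over constructed sample data. This is an added example, not material from the slide deck: the lattice is the usual (level, category set) order; the "write" branch applies the standard no-write-down rule, which goes beyond the slide's one-line description of MAC; the role table, user list and ACL are made up for the demonstration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """Security label = (sensitivity level, set of compartments/categories)."""
    level: Level
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice partial order: higher-or-equal level AND a superset of categories.
        # Two labels can be incomparable (neither dominates); that is what makes it a lattice.
        return self.level >= other.level and self.categories >= other.categories


def mac_permits(clearance: Label, classification: Label, op: str) -> bool:
    """Lattice-based MAC decision. Neither subject nor owner can change the outcome;
    labels are assigned by the system.
    read  -> subject clearance must dominate the object label (no read up)
    write -> object label must dominate the subject clearance (no write down;
             this *-property rule is an assumption beyond the slide's wording)"""
    if op == "read":
        return clearance.dominates(classification)
    if op == "write":
        return classification.dominates(clearance)
    raise ValueError(f"unknown operation {op!r}")


# Nondiscretionary, role-based control: permissions attach to roles, users are given roles.
ROLE_PERMISSIONS = {  # constructed sample policy
    "analyst": {("report", "read")},
    "editor": {("report", "read"), ("report", "write")},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"editor"}, "carol": set()}


def rbac_permits(user: str, obj: str, op: str) -> bool:
    return any((obj, op) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


class DacObject:
    """Discretionary control: the owner decides, and may delegate, who can do what."""

    def __init__(self, owner: str):
        self.owner = owner
        self.acl = {owner: {"read", "write", "grant"}}

    def grant(self, granter: str, grantee: str, ops: set) -> bool:
        # Only a principal holding the 'grant' right may extend the ACL.
        if "grant" not in self.acl.get(granter, set()):
            return False
        self.acl.setdefault(grantee, set()).update(ops)
        return True

    def permits(self, user: str, op: str) -> bool:
        return op in self.acl.get(user, set())
```

The contrast to notice: under MAC a SECRET/{crypto} clearance cannot read a SECRET/{nuclear} object even though the levels are equal, because the category sets are incomparable; under RBAC the decision never mentions the user directly, only the roles; under DAC the owner's grant is what opens access, and a grantee without the grant right cannot pass it on.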

Slide 5/72: All access control approaches rely on the following mechanisms:
- Identification
- Authentication
- Authorization
- Accountability

Slide 6/72: Firewalls
Firewalls can be categorized by processing mode, development era, or structure.

Slide 7/72: Firewall Processing Modes
- packet-filtering firewalls,
- application gateways,
- circuit gateways,
- MAC layer firewalls, and
- hybrids.

Slide 8/72: Packet-filtering firewalls

Slide 9/72:
- IP source and destination address
- Direction (inbound or outbound)
- Protocol (for firewalls capable of examining the IP protocol layer)
- Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests (for firewalls capable of examining the TCP/UDP layer)

Slide 10/72: There are three subsets of packet-filtering firewalls:
- static filtering,
- dynamic filtering, and
- stateful inspection.

Slide 11/72: Application Gateways
The application firewall is also known as a proxy server since it runs special software that acts as a proxy for a service request.

Slide 12/72: Circuit Gateways
- operates at the transport layer
- does prevent direct connections between one network and another,
- creating tunnels connecting specific processes or systems on each side of the firewall, and then allowing only authorized traffic.

Slide 13/72: MAC Layer Firewalls & Hybrid Firewalls

Slide 16/72: Firewalls Categorized by Generation
- First generation firewalls are static packet-filtering firewalls.
- Second generation firewalls are application-level firewalls or proxy servers.
- Third generation firewalls are stateful inspection firewalls.
- Fourth generation firewalls, which are also known as dynamic packet-filtering firewalls.
- Fifth generation firewalls include the kernel proxy.

Slide 17/72: Firewalls Categorized by Structure
- Commercial-Grade Firewall Appliances
- Commercial-Grade Firewall Systems
- Small Office/Home Office (SOHO) Firewall Appliances
- Residential-Grade Firewall Software

Slide 18/72: Firewall Architectures
The configuration that works best for a particular organization depends on three factors:
- the objectives of the network,
- the organization's ability to develop and implement the architectures, and
- the budget available for the function.

Slide 19/72: Common architectural implementations
- Packet-filtering routers,
- Screened host firewalls,
- Dual-homed firewalls, and
- Screened subnet (DMZ)

Slide 20/72: Screened host firewalls

Slide 21/72: Dual-Homed Host Firewall

Slide 22/72: Screened Subnet (DMZ)

Slide 23/72: SOCKS Servers
- SOCKS is the protocol for handling TCP traffic via a proxy server.
- It places the filtering requirements on the individual workstation rather than on a single point of defense (and thus point of failure).

Slide 24/72: Selecting the Right Firewall
1. Which type of firewall technology offers the right balance between protection and cost for the needs of the organization?
2. What features are included in the base price? What features are available at extra cost? Are all cost factors known?
3. How easy is it to set up and configure the firewall? How accessible are the staff technicians who can competently configure the firewall?
4. Can the candidate firewall adapt to the growing network of the target organization?

Slide 25/72: Configuring and Managing Firewalls
- Good policy and practice dictates that each firewall device
- The configuration of firewall policies can be complex and difficult.
- Syntax errors and logic errors
- Configuring firewall policies is as much an art as it is a science.

Slide 26/72:
Organizations are much more willing to live with potential risk than certain failure.

Slide 27/72: Best Practices for Firewalls
- All traffic from the trusted network is allowed out. This allows members of the organization to access the services they need.
- The firewall device is never directly accessible from the public network for configuration or management purposes.
- Only authorized firewall administrators access the device through secure authentication mechanisms, preferably a method that is based on cryptographically strong authentication and uses two-factor access control techniques.

Slide 28/72:
- Simple Mail Transport Protocol (SMTP) data is allowed to pass through the firewall, but is routed to a well-configured SMTP gateway to filter and route messaging traffic securely.
- All Internet Control Message Protocol (ICMP) data should be denied. Known as the ping service, ICMP is a common method for hacker reconnaissance and should be turned off to prevent snooping.

Slide 29/72:
- Telnet (terminal emulation) access to all internal servers from public networks should be blocked. At the very least, Telnet access to the organization's Domain Name System (DNS) server should be blocked to prevent illegal zone transfers and to prevent attackers from taking down the organization's entire network.
- If internal users need to access an organization's network from outside the firewall, the organization should enable them to use a Virtual Private Network (VPN) client or other secure system that provides a reasonable level of authentication.

Slide 30/72:
- When Web services are offered outside the firewall, HTTP traffic should be blocked from internal networks through the use of some form of proxy access or DMZ architecture. That way, if employees are running Web servers for internal use on their desktops, the services are invisible to the outside Internet.
- All data that is not verifiably authentic should be denied.

Slide 31/72: Firewall Rules
- "That which is not permitted is prohibited": only expressly permitted traffic passes the rules.
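A packet-filtering rule set that puts slides 9 and 27 to 31 together: rules match on the header fields a packet filter can see (addresses, direction, protocol, port), are evaluated first-match, and end in an implicit deny so that anything not expressly permitted is prohibited. This is an added example written for this transcript, not code from the slides or from any firewall product; the addresses (10.0.0.0/8 as the trusted network, 10.0.0.25 as the mail gateway, 203.0.113.1 as the firewall's public interface) are constructed, and the rules are a plain reading of the best practices on slides 28 to 30.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample topology (not from the slides).
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")
SMTP_GATEWAY = ipaddress.ip_network("10.0.0.25/32")
FIREWALL_ADDR = ipaddress.ip_network("203.0.113.1/32")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Packet:
    """The header fields a packet filter can act on (slide 9)."""
    src: str
    dst: str
    direction: str            # "in" (arriving from the public side) or "out"
    protocol: str             # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                               # "allow" or "deny"
    direction: Optional[str] = None           # None matches either direction
    protocol: Optional[str] = None            # None matches any protocol
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dport: Optional[int] = None               # None matches any destination port
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.protocol is None or self.protocol == p.protocol)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))


# Static rule set encoding the best practices of slides 27-30; order matters, first match wins.
RULES = [
    Rule("deny", protocol="icmp", note="ICMP denied: no ping-based reconnaissance"),
    Rule("deny", direction="in", dst=FIREWALL_ADDR, note="firewall not manageable from public net"),
    Rule("deny", direction="in", protocol="tcp", dport=23, note="Telnet from public networks blocked"),
    Rule("allow", direction="in", protocol="tcp", dport=25, dst=SMTP_GATEWAY,
         note="SMTP only to the hardened mail gateway"),
    Rule("allow", direction="out", src=TRUSTED_NET, note="trusted network allowed out"),
]


def evaluate(p: Packet, rules=RULES) -> tuple:
    """First-match evaluation with an implicit final deny:
    'that which is not permitted is prohibited' (slide 31)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    return "deny", "default deny: no rule expressly permits this traffic"


if __name__ == "__main__":
    for pkt in [Packet("10.1.2.3", "198.51.100.7", "out", "tcp", 443),
                Packet("198.51.100.7", "10.0.0.25", "in", "tcp", 25),
                Packet("198.51.100.7", "10.0.0.26", "in", "tcp", 25),
                Packet("10.1.2.3", "198.51.100.7", "out", "icmp")]:
        print(pkt, "->", evaluate(pkt))
```

Two things the slides say in words show up directly in the results: SMTP to any host other than the gateway falls through to the default deny even though port 25 is "allowed", and an outbound ping from the trusted network is dropped because the ICMP deny sits above the general allow-out rule. Swapping those two rules would silently change the policy, which is the kind of logic error slide 25 warns about.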

Slides 33/72 and 34/72: External Filtering Firewall Outbound Interface Rule Set

Slide 35/72: Content Filters
- A content filter is a software filter, technically not a firewall.
- Also known as reverse firewalls.
- A content filter has two components: rating and filtering.

Slide 36/72:
- The rating is like a set of firewall rules for Web sites and is common in residential content filters. The rating can be complex, with multiple access control settings for different levels of the organization, or it can be simple, with a basic allow/deny scheme like that of a firewall.
- The filtering is a method used to restrict specific access requests to the identified resources, which may be Web sites, servers, or whatever resources the content filter administrator configures.

Slide 39/72: Protecting Remote Connections

Slide 40/72: Remote Access

Slides 44/72 and 45/72: Remote Authentication Dial-In User Service (RADIUS)

Slides 46/72 and 47/72: Terminal Access Controller Access Control System (TACACS)
- TACACS combines authentication and authorization.
- Extended TACACS separates the steps needed to authenticate, and keeps records for accountability.
- TACACS+ uses dynamic passwords and incorporates two-factor authentication.

Slide 49/72: Kerberos

Slide 50/72: Kerberos
- uses symmetric key encryption to validate
- keeps a database containing the private keys of clients and servers
- also generates temporary session keys, which are private to the two parties in a conversation.

Slide 51/72: Kerberos consists of three interacting services, all of which use a database library:
1. Authentication server (AS), which is a Kerberos server that authenticates clients and servers.
2. Key Distribution Center (KDC), which generates and issues session keys.
3. Kerberos ticket granting service (TGS), which provides tickets to clients who request services. In Kerberos a ticket is an identification card for a particular client that verifies to the server that the client is requesting services and that the client is a valid member of the Kerberos system and therefore authorized to receive services. The ticket consists of the client's name and network address, a ticket validation starting and ending time, and the session key, all encrypted in the private key of the server from which the client is requesting services.

Slides 52/72 and 53/72: Kerberos is based on the following principles:
- The KDC knows the secret keys of all clients and servers on the network.
- The KDC initially exchanges information with the client and server by using these secret keys.
- Kerberos authenticates a client to a requested service on a server through TGS and by issuing temporary session keys for communications between the client and KDC, the server and KDC, and the client and server.
- Communications then take place between the client and server using these temporary session keys.
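The exchange described on slides 50 to 53, carried through in code as an added example (this is not code from the slides or from any Kerberos implementation). It assumes a KDC that holds every principal's secret key and plays both AS and TGS, a ticket laid out as slide 51 describes (client name and address, start and end time, session key, all sealed under the target service's key), and a toy authenticated stream cipher built from SHA-256 and HMAC as a stand-in for a real symmetric cipher such as AES. Principal names, keys and the address 10.0.0.7 are constructed; the real protocol also carries nonces, realms, pre-authentication and an optional mutual-authentication reply, all omitted here.

```python
import hashlib
import hmac
import json
import os
import time


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (keystream = SHA-256(key || nonce || counter)); a stand-in for a
    real symmetric cipher, used only so the ticket structure below is runnable."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON dict under a symmetric key: nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ct = _xor_stream(key, nonce, json.dumps(obj, sort_keys=True).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor_stream(key, nonce, ct))


def _check_authenticator(ticket: dict, authenticator: bytes) -> dict:
    """The ticket holder must prove it knows the session key (it sealed the authenticator
    with it), name the same client, and present the ticket inside its validity window."""
    auth = open_sealed(bytes.fromhex(ticket["session_key"]), authenticator)
    now = int(time.time())
    if auth["client"] != ticket["client"] or not ticket["start"] <= now <= ticket["end"]:
        raise ValueError("authenticator does not match ticket, or ticket expired")
    return auth


class KDC:
    """Knows every principal's secret key (slide 53) and plays both AS and TGS."""
    TGS = "krbtgt"

    def __init__(self, secrets: dict, lifetime: int = 300):
        self.secrets = secrets          # principal name -> secret key
        self.lifetime = lifetime        # ticket validity in seconds

    def _ticket(self, client, addr, service, session_key) -> bytes:
        # Ticket contents per slide 51, sealed under the *service's* key: only that
        # service can read it, and the client cannot alter it.
        now = int(time.time())
        return seal(self.secrets[service], {"client": client, "addr": addr, "start": now,
                                            "end": now + self.lifetime,
                                            "session_key": session_key.hex()})

    def as_exchange(self, client: str, addr: str) -> bytes:
        """AS: the reply is sealed under the client's own key, so only the genuine client
        can recover the client<->TGS session key and the ticket-granting ticket (TGT)."""
        sk = os.urandom(32)
        tgt = self._ticket(client, addr, self.TGS, sk)
        return seal(self.secrets[client], {"session_key": sk.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> bytes:
        """TGS: validate the TGT, then issue a service ticket plus client<->service key."""
        t = open_sealed(self.secrets[self.TGS], tgt)
        _check_authenticator(t, authenticator)
        sk = os.urandom(32)
        ticket = self._ticket(t["client"], t["addr"], service, sk)
        return seal(bytes.fromhex(t["session_key"]), {"session_key": sk.hex(),
                                                      "ticket": ticket.hex()})


class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def accept(self, ticket: bytes, authenticator: bytes) -> str:
        """The server never contacts the KDC: a ticket it can open with its own key is
        the proof that the KDC vouched for this client (slide 53, last principle)."""
        t = open_sealed(self.key, ticket)
        _check_authenticator(t, authenticator)
        return t["client"]


def client_login(kdc: KDC, client: str, client_key: bytes, addr: str, service: Service) -> str:
    """Full flow AS -> TGS -> service; returns the client name the service accepted."""
    r1 = open_sealed(client_key, kdc.as_exchange(client, addr))
    tgs_key, tgt = bytes.fromhex(r1["session_key"]), bytes.fromhex(r1["tgt"])
    r2 = open_sealed(tgs_key, kdc.tgs_exchange(
        tgt, seal(tgs_key, {"client": client, "ts": int(time.time())}), service.name))
    svc_key, ticket = bytes.fromhex(r2["session_key"]), bytes.fromhex(r2["ticket"])
    return service.accept(ticket, seal(svc_key, {"client": client, "ts": int(time.time())}))
```

The point the code makes concrete is that the client's long-term key is used exactly once, to open the AS reply; everything afterwards runs on short-lived session keys, and the service trusts the ticket because it is sealed under a key only the service and the KDC hold. A client presenting the wrong long-term key cannot even read the first reply, and a ticket whose tag fails verification is rejected before its contents are looked at.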

Slide 57/72: Secure European System for Applications in a Multivendor Environment (SESAME)
- The token is then presented to a privilege attribute server (instead of a ticket granting service as in Kerberos).
- SESAME uses public key encryption to distribute secret keys.

Slide 59/72:
- The SESAME technology offers sophisticated single sign-on with added distributed access control features and cryptographic protection of interchanged data.
- SESAME is similar to Kerberos, but has a lot of extensions to Kerberos. One important extension is that it supports role-based access control using PAS (Privilege Attribute Server).

http://www.cs.nyu.edu/~wanghua/course/security/final/presentation.html
Slide 60/72: Virtual private network (VPN)

Slide 61/72: A private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.

Slide 62/72: The Virtual Private Network Consortium (VPNC) defines three VPN technologies:
- Trusted VPNs,
- secure VPNs, and
- hybrid VPNs.

Slide 65/72:
- Encapsulation of incoming and outgoing data,
- Encryption of incoming and outgoing data,
- Authentication of the remote computer and, perhaps, the user as well.

Slides 67/72 and 68/72: Transport Mode

Slide 70/72: Tunnel Mode