
Security Technology
Information Assurance Security 2
OUTLINE
1. Access Control
   1. Identification
   2. Authentication
   3. Authorization
   4. Accountability
2. Firewalls
   1. Firewall Processing Models
   2. Firewalls Categorized by Generation
   3. Firewalls Categorized by Structure
   4. Firewall Architecture
   5. Selecting the Right Firewall
   6. Configuring and Managing Firewalls
   7. Content Filters
3. Protecting Remote Connections
   1. Remote Access
   2. Virtual Private Networks
INTRODUCTION

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”

- BRUCE SCHNEIER, AMERICAN CRYPTOGRAPHER, COMPUTER SECURITY SPECIALIST, AND WRITER
01 ACCESS CONTROL
ACCESS CONTROL

Access control is the method by which systems determine whether and how to admit
a user into a trusted area of the organization—that is, information systems, restricted
areas such as computer rooms, and the entire physical location.
ACCESS CONTROL

Access Control Approaches
ACCESS CONTROL

● Discretionary access controls (DACs) provide the ability to share resources in a peer-to-peer configuration that allows users to control and possibly provide access to information or resources at their disposal.
ACCESS CONTROL

● Nondiscretionary access controls (NDACs) are managed by a central authority in the organization.
● A form of nondiscretionary access controls is called lattice-based access
control (LBAC), in which users are assigned a matrix of authorizations for
particular areas of access.
● Some lattice-based controls are tied to a person’s duties and responsibilities;
such controls include role-based access controls (RBACs) and task-based access
controls (TBACs).
MANDATORY ACCESS CONTROLS (MACs)

● Mandatory access controls (MACs) are also a form of lattice-based, nondiscretionary access controls that use data classification schemes; they give users and data owners limited control over access to information resources.
ATTRIBUTE-BASED ACCESS CONTROLS (ABACs)

“There are characteristics or attributes of a subject such as name, date of birth, home address, training record, and job function that may, either individually or when combined, comprise a unique identity that distinguishes that person from all others. These characteristics are often called subject attributes.”

● An ABAC system simply uses one of these attributes to regulate access to a particular set of data.
ACCESS CONTROL MECHANISMS

In general, all access control approaches rely on the following four mechanisms,
which represent the four fundamental functions of access control systems:
● Identification: I am a user of the system.
● Authentication: I can prove I’m a user of the system.
● Authorization: Here’s what I can do with the system.
● Accountability: You can track and monitor my use of the system.
IDENTIFICATION

● Identification is a mechanism whereby unverified or unauthenticated entities who seek access to a resource provide a label by which they are known to the system.
● This label is called an identifier (ID), and it must be mapped to one and only one
entity within the security domain.
AUTHENTICATION

● Authentication is the process of validating an unauthenticated entity’s purported identity.

There are three widely used authentication mechanisms, or authentication factors:

● Something you know
● Something you have
● Something you are
AUTHENTICATION – Something You Know

● This factor of authentication relies on what the unverified user or system knows
and can recall
○ Password
○ Passphrase
○ Other unique authentication code such as a personal identification number
(PIN)
AUTHENTICATION – Something You Know – Password

● A password is a private word or combination of characters that only the user should know.
AUTHENTICATION – Something You Know – Passphrase

● A passphrase is a series of characters that is typically longer than a password and can be used to derive a virtual password.
AUTHENTICATION – Something You Have

● This authentication factor relies on something an unverified user or system has and can produce when necessary.

○ Dumb cards (ID cards or ATM cards)

○ The smart card contains a computer chip that can verify and validate several pieces of information instead of just a PIN.

○ Token – a card or key fob with a computer chip and an LCD that shows a computer-generated number used to support remote login authentication.
AUTHENTICATION – Something You Have - Tokens

● Tokens are synchronous or asynchronous.

○ Synchronous tokens are synchronized with a server; both the server and the token use the same time or a time-based database to generate a number that must be entered during the user login phase.

○ Asynchronous tokens don’t require that the server and tokens maintain the
same time setting.
AUTHENTICATION – Something You Are or Can Produce

● This authentication factor relies on individual characteristics, such as fingerprints, palm prints, hand topography, hand geometry, or retina and iris scans, or something an unverified user can produce on demand, such as voice patterns, signatures, or keyboard kinetic measurements.

○ Biometrics
AUTHORIZATION

● Authorization is the matching of an authenticated entity to a list of information assets and corresponding access levels. This list is usually an ACL or access control matrix.
AUTHORIZATION

In general, authorization can be handled in one of three ways:

1. Authorization for each authenticated user
2. Authorization for members of a group
3. Authorization across multiple systems
AUTHORIZATION

● Authorization credentials, which are also called authorization tickets, are issued
by an authenticator and are honored by many or all systems within the
authentication domain (single sign-on (SSO) or reduced sign-on).
ACCOUNTABILITY

● Accountability, also known as auditability, ensures that all actions on a system—authorized or unauthorized—can be attributed to an authenticated identity.
● Accountability is most often accomplished by means of system logs, database
journals, and the auditing of these records.
ACCOUNTABILITY – System Logs

● System logs record specific information, such as failed access attempts and system modifications.
● Logs have many uses, such as intrusion detection, determining the root cause of
a system failure, or simply tracking the use of a particular resource.
BIOMETRIC ACCESS CONTROL

● Biometric access control relies on recognition—the same thing you rely on to identify friends, family, and other people you know.
● The use of biometric-based authentication is expected to have a significant
impact in the future as technical and ethical issues are resolved with the
technology.
BIOMETRIC ACCESS CONTROL

Biometric authentication technologies include the following:

● Fingerprint comparison of the unauthenticated person’s actual fingerprint to a
stored fingerprint
● Palm print comparison of the unauthenticated person’s actual palm print to a
stored palm print
● Hand geometry comparison of the unauthenticated person’s actual hand to a
stored measurement
● Facial recognition using a photographic ID card, in which a human security
guard compares the unauthenticated person’s face to a photo
BIOMETRIC ACCESS CONTROL

Biometric authentication technologies include the following (continued):

● Facial recognition using a digital camera, in which an unauthenticated person’s
face is compared to a stored image
● Retinal print comparison of the unauthenticated person’s actual retina to a stored
image
● Iris pattern comparison of the unauthenticated person’s actual iris to a stored
image
BIOMETRIC ACCESS CONTROL

Among all possible biometrics, only three human characteristics are usually
considered truly unique:
● Fingerprints
● Retina of the eye (blood vessel pattern)
● Iris of the eye (random pattern of features found in the iris, including freckles,
pits, striations, vasculature, coronas, and crypts)
BIOMETRIC ACCESS CONTROL

● Most of the technologies that scan human characteristics convert these images to
some form of minutiae.
● Signature and voice recognition technologies are also considered to be biometric
access control measures.
EFFECTIVENESS OF BIOMETRICS

Biometric technologies are evaluated on three basic criteria:

● false reject rate
● false accept rate
● crossover error rate
FALSE REJECT RATE

● The false reject rate is the percentage of authorized users who are denied access.
● It describes the number of legitimate users who are denied access because of a failure in the biometric device.
● This failure is known as a Type I error.
FALSE ACCEPT RATE

● The false accept rate is the percentage of unauthorized users who are granted access.
● It conversely describes the number of unauthorized users who somehow are granted access to a restricted system or area, usually because of a failure in the biometric device.
● This failure is known as a Type II error and is unacceptable to security professionals.
CROSSOVER ERROR RATE (CER)

● The crossover error rate (CER) is the level at which the number of false rejections equals the number of false acceptances.
● The CER, the point at which the false reject and false accept rates intersect, is possibly the most common and important overall measure of accuracy for a biometric system.
ACCEPTABILITY OF BIOMETRICS

● a balance must be struck between a security system’s acceptability to users and how effective it is in maintaining security.
ACCESS CONTROL ARCHITECTURE MODELS

● Security access control architecture models, which are often referred to simply
as architecture models, illustrate access control implementations and can help
organizations quickly make improvements through adaptation.
TCSEC’s TRUSTED COMPUTING BASE

● The Trusted Computer System Evaluation Criteria (TCSEC) is an older DoD standard that defines the criteria for assessing the access controls in a computer system.
INFORMATION TECHNOLOGY SYSTEM EVALUATION CRITERIA

● The Information Technology System Evaluation Criteria (ITSEC), an international set of criteria for evaluating computer systems, is very similar to TCSEC.
● Under ITSEC, Targets of Evaluation (ToE) are compared to detailed security
function specifications, resulting in an assessment of systems functionality
and comprehensive penetration testing.
THE COMMON CRITERIA

● The Common Criteria for Information Technology Security Evaluation, often called the Common Criteria or just CC, is an international standard (ISO/IEC 15408) for computer security certification.
● It is widely considered the successor to both TCSEC and ITSEC in that it
reconciles some differences between the various other standards.
● CC seeks the widest possible mutual recognition of secure IT products.
● The CC process assures that the specification, implementation, and
evaluation of computer security products are performed in a rigorous and
standard manner.
CC TERMINOLOGIES

● Target of Evaluation (ToE): The system being evaluated
● Protection Profile (PP): User-generated specification for security
requirements
● Security Target (ST): Document describing the ToE’s security properties
● Security Functional Requirements (SFRs): Catalog of a product’s security
functions
● Evaluation Assurance Levels (EALs): The rating or grading of a ToE after
evaluation
EAL is typically rated on the following scale:

● EAL1: Functionally Tested: Confidence in operation against nonserious threats
● EAL2: Structurally Tested: More confidence required but comparable with
good business practices
● EAL3: Methodically Tested and Checked: Moderate level of security
assurance
● EAL4: Methodically Designed, Tested, and Reviewed: Rigorous level of
security assurance but still economically feasible without specialized
development
EAL is typically rated on the following scale:

● EAL5: Semiformally Designed and Tested: Certification requires specialized development above standard commercial products
● EAL6: Semiformally Verified Design and Tested: Specifically designed security ToE
● EAL7: Formally Verified Design and Tested: Developed for extremely high-risk situations or for high-value systems.
BELL-LAPADULA CONFIDENTIALITY MODEL

● The Bell-LaPadula (BLP) confidentiality model is a “state machine reference model”—in other words, a model of an automated system that is able to manipulate its state or status over time.
BIBA INTEGRITY MODEL

● The Biba integrity model is similar to BLP.
● It is based on the premise that higher levels of integrity are more worthy of
trust than lower ones.
● The intent is to provide access controls to ensure that objects or subjects
cannot have less integrity as a result of read/write operations.
● The Biba model assigns integrity levels to subjects and objects using two
properties: the simple integrity (read) property and the integrity * property
(write).
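The read and write rules of the two models side by side, as an added example that is not from the slides (the four-level lattice and the subjects and objects are constructed; the same ordering is reused as Biba's integrity lattice so the models can be compared):

```python
"""Read and write checks under the Bell-LaPadula and Biba properties.

Added example, not from the slides. The four-level lattice and the subjects
and objects are constructed; the same ordering serves as the integrity
lattice for Biba so the two models can be compared side by side.
"""
from dataclasses import dataclass

# Constructed lattice, lowest to highest.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

@dataclass(frozen=True)
class Entity:
    name: str
    level: str  # key of LEVELS: clearance for a subject, label for an object

def blp_can_read(subject: Entity, obj: Entity) -> bool:
    """BLP simple security property (no read up)."""
    return LEVELS[subject.level] >= LEVELS[obj.level]

def blp_can_write(subject: Entity, obj: Entity) -> bool:
    """BLP *-property (no write down): writing below your level could leak."""
    return LEVELS[subject.level] <= LEVELS[obj.level]

def biba_can_read(subject: Entity, obj: Entity) -> bool:
    """Biba simple integrity property (no read down): don't trust low data."""
    return LEVELS[obj.level] >= LEVELS[subject.level]

def biba_can_write(subject: Entity, obj: Entity) -> bool:
    """Biba integrity *-property (no write up): don't contaminate high data."""
    return LEVELS[subject.level] >= LEVELS[obj.level]

CHECKS = {
    ("blp", "read"): blp_can_read,
    ("blp", "write"): blp_can_write,
    ("biba", "read"): biba_can_read,
    ("biba", "write"): biba_can_write,
}

def decide(model: str, op: str, subject: Entity, obj: Entity) -> bool:
    """Reference-monitor style decision for one (model, operation) pair."""
    return CHECKS[(model, op)](subject, obj)

if __name__ == "__main__":
    alice = Entity("alice", "secret")
    memo = Entity("memo", "confidential")
    plan = Entity("plan", "top_secret")
    for model in ("blp", "biba"):
        for op in ("read", "write"):
            for obj in (memo, plan):
                verdict = "allow" if decide(model, op, alice, obj) else "deny"
                print(f"{model:4} {op:5} {alice.name} -> {obj.name}: {verdict}")
```

Each Biba verdict is the mirror of the BLP verdict for the same pair: BLP blocks information flowing downward to protect confidentiality, Biba blocks it flowing upward to protect integrity.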
CLARK-WILSON INTEGRITY MODEL

● The Clark-Wilson integrity model, which is built upon principles of change control rather than integrity levels, was designed for the commercial environment. The model’s change control principles are:

○ No changes by unauthorized subjects

○ No unauthorized changes by authorized subjects

○ The maintenance of internal and external consistency

CLARK-WILSON INTEGRITY MODEL

The elements of the Clark-Wilson model are:

● Constrained data item (CDI): Data item with protected integrity
● Unconstrained data item: Data not controlled by Clark-Wilson; nonvalidated
input or any output
● Integrity verification procedure (IVP): Procedure that scans data and
confirms its integrity
● Transformation procedure (TP): Procedure that only allows changes to a
constrained data item
GRAHAM-DENNING ACCESS CONTROL MODEL

● The Graham-Denning access control model has three parts: a set of objects, a
set of subjects, and a set of rights.

○ The subjects are composed of two things: a process and a domain.

○ The domain is the set of constraints that control how subjects may
access objects.

○ The set of rights governs how subjects may manipulate the passive
objects.
GRAHAM-DENNING ACCESS CONTROL MODEL

The eight primitive protection rights are:

1. Create object
2. Create subject
3. Delete object
4. Delete subject
5. Read access right
6. Grant access right
7. Delete access right
8. Transfer access right
HARRISON-RUZZO-ULLMAN MODEL

● The Harrison-Ruzzo-Ullman (HRU) model defines a method to allow changes to access rights and the addition and removal of subjects and objects, a process that the Bell-LaPadula model does not allow.
HARRISON-RUZZO-ULLMAN MODEL

HRU is built on an access control matrix and includes a set of generic rights and
a specific set of commands. These include:
● Create subject/create object
● Enter right X into
● Delete right X from
● Destroy subject/destroy object
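The access control matrix and the primitive operations listed above, with two commands built from them in HRU's condition-then-primitives form, as an added example that is not from the slides (the subjects, objects, rights and the two commands are constructed):

```python
"""Access control matrix with the HRU primitive operations and two commands.

Added example, not from the slides; subjects, objects, rights and the two
commands are constructed. HRU itself fixes only the primitives and the
condition-then-primitives shape of a command.
"""
from typing import Dict, Set

class AccessMatrix:
    """Rows are subjects, columns are objects, each cell is a set of rights."""

    def __init__(self) -> None:
        self._cells: Dict[str, Dict[str, Set[str]]] = {}
        self._objects: Set[str] = set()

    # HRU primitive operations
    def create_subject(self, s: str) -> None:
        self._cells.setdefault(s, {})
        self._objects.add(s)  # in HRU every subject is also an object

    def create_object(self, o: str) -> None:
        self._objects.add(o)

    def enter_right(self, r: str, s: str, o: str) -> None:
        if s not in self._cells or o not in self._objects:
            raise KeyError("unknown subject or object")
        self._cells[s].setdefault(o, set()).add(r)

    def delete_right(self, r: str, s: str, o: str) -> None:
        self._cells.get(s, {}).get(o, set()).discard(r)

    def destroy_object(self, o: str) -> None:
        self._objects.discard(o)
        for row in self._cells.values():
            row.pop(o, None)  # the whole column goes with the object

    def destroy_subject(self, s: str) -> None:
        self._cells.pop(s, None)  # drop the row ...
        self.destroy_object(s)    # ... and the column

    def has_right(self, r: str, s: str, o: str) -> bool:
        return r in self._cells.get(s, {}).get(o, set())

    # Commands: a condition on the matrix, then primitive operations
    def create_file(self, owner: str, o: str) -> None:
        """create object o; enter 'own' into (owner, o)."""
        self.create_object(o)
        self.enter_right("own", owner, o)

    def grant(self, granter: str, r: str, grantee: str, o: str) -> None:
        """if 'own' in (granter, o) then enter r into (grantee, o)."""
        if not self.has_right("own", granter, o):
            raise PermissionError(f"{granter} does not own {o}")
        self.enter_right(r, grantee, o)

if __name__ == "__main__":
    m = AccessMatrix()
    for s in ("alice", "bob"):
        m.create_subject(s)
    m.create_file("alice", "report.txt")
    m.grant("alice", "read", "bob", "report.txt")
    print("bob can read:", m.has_right("read", "bob", "report.txt"))
    m.destroy_object("report.txt")
    print("after destroy:", m.has_right("read", "bob", "report.txt"))
```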
BREWER-NASH MODEL (CHINESE WALL)

● The Brewer-Nash model, commonly known as a Chinese Wall, is designed to prevent a conflict of interest between two parties.
02 FIREWALLS
FIREWALL: A SIMPLE ANALOGY
FIREWALLS

● A firewall in an information security program is similar to a building’s firewall in that it prevents specific types of information from moving between two different levels of networks, such as an untrusted network like the Internet and a trusted network like the organization’s internal network.
● A firewall is an access control device that looks at the IP packet, compares
with policy rules and decides whether to allow, deny or take some other
action on the packet.
FIREWALL PROCESSING MODES

Firewalls fall into several major categories of processing modes:

● packet-filtering firewalls
● application layer proxy firewalls
● media access control layer firewalls
● hybrids
PACKET-FILTERING FIREWALLS

● The packet-filtering firewall examines the header information of data packets that come into a network.
PACKET-FILTERING FIREWALLS

● Packet-filtering firewalls scan network data packets looking for compliance with the rules of the firewall’s database or violations of those rules.
● Filtering firewalls inspect packets at the network layer, or Layer 3, of the
Open Systems Interconnect (OSI) model, which represents the seven layers
of networking processes.
PACKET-FILTERING FIREWALLS

The restrictions most commonly implemented in packet-filtering firewalls are based on a combination of the following:
● IP source and destination address
● Direction (inbound or outbound)
● Protocol, for firewalls capable of examining the IP protocol layer
● Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests, for firewalls capable of examining the TCP/UDP layer
PACKET-FILTERING FIREWALLS

The three subsets of packet-filtering firewalls are

● static packet filtering,
● dynamic packet filtering
● stateful packet inspection (SPI).
PACKET-FILTERING FIREWALLS

Dynamic packet-filtering firewall

● can react to an emergent event and update or create rules to deal with that event.
● The reaction can be:

○ Positive - as in allowing an internal user to engage in a specific activity upon request,

○ Negative - as in dropping all packets from a particular address when an increased presence of a particular type of malformed packet is detected
PACKET-FILTERING FIREWALLS

Static packet-filtering firewall

● A static packet-filtering firewall allows entire sets of one type of packet to enter in response to authorized requests, whereas dynamic packet filtering allows only a particular packet with a particular source, destination, and port address to enter.
PACKET-FILTERING FIREWALLS

Stateful Packet Inspection (SPI) firewall

● An SPI firewall keeps track of each network connection between internal and external systems using a state table.
● A state table tracks the state and context of each packet in the conversation by recording which station sent what packet and when.
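The static rule fields listed on the earlier slide combined with a state table that admits only replies to recorded outbound connections, as an added example that is not from the slides (addresses, ports, the rule set and the packets are all constructed):

```python
"""Static packet-filter rules plus a stateful-inspection state table.

Added example, not from the slides; rules, addresses, ports and packets are
constructed. The state table admits only replies to allowed outbound flows.
"""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (arriving from the untrusted network) or "out"
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # CIDR; "0.0.0.0/0" matches any address
    dst: str
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.dport in (None, p.dport))

class StatefulFilter:
    """Replies to recorded outbound flows pass on the state table; otherwise the first matching rule wins and anything unmatched is denied."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        # entries: (proto, internal ip, internal port, external ip, external port)
        self.state: Set[Tuple[str, str, int, str, int]] = set()

    def decide(self, p: Packet) -> str:
        if p.direction == "in" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return "allow(established)"
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow" and p.direction == "out":
                    self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return rule.action
        return "deny"

RULES = [  # constructed policy
    Rule("allow", "out", "tcp", "10.0.0.0/8", "0.0.0.0/0", 443),  # HTTPS from inside
    Rule("allow", "in", "tcp", "0.0.0.0/0", "10.0.0.5/32", 25),   # SMTP to the mail host
]

def scenario() -> List[str]:
    fw = StatefulFilter(RULES)
    packets = [  # constructed traffic, processed in order
        Packet("out", "tcp", "10.0.0.7", 51000, "203.0.113.10", 443),
        Packet("in", "tcp", "203.0.113.10", 443, "10.0.0.7", 51000),  # genuine reply
        Packet("in", "tcp", "198.51.100.9", 443, "10.0.0.7", 51000),  # no matching flow
        Packet("in", "tcp", "198.51.100.9", 40000, "10.0.0.5", 25),
        Packet("out", "udp", "10.0.0.7", 5353, "203.0.113.10", 53),
    ]
    return [fw.decide(p) for p in packets]
```

The third packet is the case a purely static filter cannot express: it looks like a reply on port 443, but no internal host opened that conversation, so the state table does not admit it.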
APPLICATION LAYER PROXY FIREWALLS

● The application layer proxy firewall, also known as an application firewall, is frequently installed on a dedicated computer separate from the filtering router, but it is commonly used in conjunction with a filtering router.
● The application firewall is also known as a proxy server (or reverse proxy)
because it can be configured to run special software that acts as a proxy for a
service request.
MEDIA ACCESS CONTROL LAYER FIREWALLS

● Media Access Control layer firewalls make filtering decisions based on the
specific host computer’s identity, as represented by its media access control
(MAC) or network interface card (NIC) address, which operates at the data
link layer of the OSI model or the subnet layer of the TCP/IP model.
MEDIA ACCESS CONTROL LAYER FIREWALLS
HYBRID FIREWALLS

● Hybrid firewalls combine the elements of other types of firewalls—that is, the elements of packet filtering, application layer proxy, and media access control layer firewalls.
● A hybrid firewall system may actually consist of two separate firewall
devices; each is a separate firewall system, but they are connected so that
they work in tandem.
HYBRID FIREWALL TYPES

● Unified Threat Management (UTM)

○ These devices are categorized by their ability to perform the work of an SPI firewall, network intrusion detection and prevention system, content filter, spam filter, and malware scanner and filter.
HYBRID FIREWALL TYPES

● Next Generation Firewall (NextGen or NGFW)

○ Similar to UTM devices, NextGen firewalls combine traditional firewall functions with other network security functions, such as deep packet inspection, IDPSs, and the ability to decrypt encrypted traffic.
RESIDENTIAL VS COMMERCIAL FIREWALLS

● When selecting a firewall, size does matter. CPU size and capability,
memory, and drive space are system factors that need to be scaled depending
on the amount of traffic that will be processed by the firewall device.
● The most common categories of firewalls are commercial-grade and small
office/home office (SOHO).
● Most commercial-grade firewalls are dedicated appliances.
FIREWALL ARCHITECTURES

● All firewall devices can be configured in several network connection architectures.
● The configuration that works best for a particular organization depends on three factors:

○ the objectives of the network

○ the organization’s ability to develop and implement the architectures

○ the budget available for the function

FIREWALL ARCHITECTURES

Three architectural implementations of firewalls are especially common:

● single bastion hosts,
● screened host firewalls,
● screened subnet firewalls
SINGLE BASTION HOSTS

● The next option in firewall architecture is a single firewall that provides protection behind the organization’s router.
SINGLE BASTION HOSTS

● Any system, router, or firewall that is exposed to the untrusted network can
be referred to as a bastion host.
● The bastion host is sometimes referred to as a sacrificial host because it
stands alone on the network perimeter.
SINGLE BASTION HOSTS

● The bastion host is usually implemented as a dual-homed host because it contains two network interfaces: one that is connected to the external network and one that is connected to the internal network.
● All traffic must go through the device to move between the internal and
external networks.
SCREENED HOST ARCHITECTURE

● A screened host architecture combines the packet-filtering router with a separate, dedicated firewall, such as an application proxy server, which retrieves information on behalf of other system users and often caches copies of Web pages and other needed information on its internal drives to speed up access.
SCREENED SUBNET ARCHITECTURE (WITH DMZ)

● The dominant architecture today is the screened subnet used with a DMZ.
● The DMZ can be a dedicated port on the firewall device linking a single
bastion host, or it can be connected to a screened subnet.