
Access Controls, Firewalls and VPNs
Objectives
Upon completion of this material, you should be able to:
◦ Discuss the role of access control in information systems, and identify and discuss the four fundamental
functions of access control systems
◦ Define authentication and explain the three commonly used authentication factors
◦ Describe firewall technologies and the various categories of firewalls
◦ Discuss the various approaches to firewall implementation
◦ Identify the various approaches to control remote and dial-up access by authenticating and authorizing
users
◦ Describe virtual private networks (VPNs) and discuss the technology that enables them
Introduction
Technical controls are essential in enforcing policy for many IT functions that are not under
direct human control.
Technical control solutions, when properly implemented, improve an organization’s ability to
balance the objectives of making information readily available and preserving the information’s
confidentiality and integrity.
Access Control
Access control: A selective method by which systems specify who may use a particular resource and how
they may use it.
Mandatory access controls (MACs): A required, structured data classification scheme that rates each
collection of information as well as each user.
Discretionary access controls (DACs): Access controls that are implemented at the discretion or option of
the data user.
Nondiscretionary controls: Access controls that are implemented by a central authority.
In general, all access control approaches rely on the following four mechanisms, which represent the four
fundamental functions of access control systems:
◦ Identification: I am a user of the system.
◦ Authentication: I can prove I’m a user of the system.
◦ Authorization: Here’s what I can do with the system.
◦ Accountability: You can track and monitor my use of the system.
Access Control Approaches
Identification
Identification: The access control mechanism that requires the validation and verification of an
unauthenticated entity’s purported identity.
Identifiers can be composite identifiers, concatenating elements—department codes, random
numbers, or special characters—to make them unique.
Most organizations use a single piece of unique information, such as a complete name or the
user’s first initial and surname.
Authentication
Authentication: The access control mechanism that requires the validation and verification of an
unauthenticated entity’s purported identity.
Authentication factors
◦ Something you know
◦ Password: a private word or a combination of characters that only the user should know
◦ Passphrase: a series of characters, typically longer than a password, from which a virtual password is derived
◦ Something you have
◦ Dumb card: ID or ATM card with magnetic stripe
◦ Smart card: contains a computer chip that can verify and validate information
◦ Synchronous tokens
◦ Asynchronous tokens
◦ Something you are
◦ Relies upon individual characteristics
◦ Strong authentication
Authorization
Authorization: The access control mechanism that represents the matching of an
authenticated entity to a list of information assets and corresponding access levels.
Authorization can be handled in one of three ways:
◦ Authorization for each authenticated user
◦ Authorization for members of a group
◦ Authorization across multiple systems
Authorization credentials, also called authorization tickets, are issued by an
authenticator and are honored by many or all systems within the authentication
domain.
Accountability
Accountability: The access control mechanism that ensures all actions on a system—authorized
or unauthorized—can be attributed to an authenticated identity. Also known as auditability.
Accountability is most often accomplished by means of system logs and database journals, and
the auditing of these records.
System logs record specific information.
Logs have many uses.
Biometrics
An approach based on the use of measurable human characteristics/traits to authenticate identity.
Only fingerprints, the retina of the eye, the iris of the eye, and DNA are considered truly unique.
Evaluated on false reject rate, false accept rate, and crossover error rate.
Highly reliable/effective biometric systems are often considered intrusive by users.

[Figure: biometric recognition characteristics]
Firewalls
A firewall is an integrated collection of security measures designed to prevent unauthorized
electronic access to a networked computer system.
A network firewall is similar to firewalls in building construction, because in both cases they are
intended to isolate one "network" or "compartment" from another.
In information security, a firewall is a combination of hardware and software that filters or
prevents specific information from moving between the outside (untrusted) network and the
inside (trusted) network.
May be:
◦ Separate computer system
◦ Software service running on existing router or server
◦ Separate network containing supporting devices
Firewall Policies
To protect private networks and individual machines from the dangers of the greater Internet, a
firewall can be employed to filter incoming or outgoing traffic based on a predefined set of rules
called firewall policies.
[Figure: firewall policies applied at the firewall between the trusted internal network and the untrusted Internet]
Policy Actions
Packets flowing through a firewall can have one of three outcomes:
◦ Accepted: permitted through the firewall
◦ Dropped: not allowed through with no indication of failure
◦ Rejected: not allowed through, accompanied by an attempt to inform the source that the packet was
rejected

Policies used by the firewall to handle packets are based on several properties of the packets
being inspected, including:
◦ the protocol used, such as TCP or UDP
◦ the source and destination IP addresses
◦ the source and destination ports
◦ the application-level payload of the packet (e.g., whether it contains a virus).
Blacklists and Whitelists
Two fundamental approaches to creating firewall policies (or rulesets):
Blacklist approach (default-allow)
◦ All packets are allowed through except those that fit the rules defined specifically in a blacklist.
◦ Pros: flexible in ensuring that service to the internal network is not disrupted by the firewall
◦ Cons: unexpected forms of malicious traffic could go through

Whitelist approach (default-deny)


◦ Packets are dropped or rejected unless they are specifically allowed by the firewall
◦ Pros: A safer approach to defining a firewall ruleset
◦ Cons: must consider all possible legitimate traffic in rulesets
Firewall Processing Modes
Processing modes by which firewalls can be categorized:
◦ Packet filtering
◦ Application layer proxy
◦ MAC layer firewalls
◦ Hybrids
Packet-Filtering Firewalls
Packet-filtering firewalls examine the header information of data packets.
Most often based on the combination of:
◦ IP source and destination address
◦ Direction (inbound or outbound)
◦ Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests

Simple firewall models enforce rules designed to prohibit packets with certain addresses or
partial addresses from passing through the device.
Packet-Filtering Firewall
Firewall Types
•Packet filters (stateless)
– If a packet matches the packet filter's set of rules, the packet filter will drop or accept it
•"Stateful" filters
– Maintain records of all connections passing through them and can determine if a packet is
the start of a new connection, part of an existing connection, or an invalid packet
•Application layer
– Works like a proxy: it can "understand" certain applications and protocols
– May inspect the contents of the traffic, blocking what it views as inappropriate content (e.g.,
websites, viruses, vulnerabilities, ...)
Stateless Firewalls
A stateless firewall doesn’t maintain any remembered context (or “state”) with respect to the
packets it is processing. Instead, it treats each packet attempting to travel through it in isolation
without considering packets that it has processed previously.
[Figure: a client on the trusted internal network completes the TCP three-way handshake with a server through a stateless firewall: SYN (Seq = x, Port=80), SYN-ACK (Seq = y, Ack = x + 1), ACK (Seq = x + 1, Ack = y + 1)]
Firewall rules:
◦ Allow outbound SYN packets, destination port=80
◦ Allow inbound SYN-ACK packets, source port=80
Stateless Restrictions
Stateless firewalls may have to be fairly restrictive in order to prevent most attacks.

[Figure: an attacker's SYN packet (Seq = y, Port=80) aimed at a client on the trusted internal network is blocked at the stateless firewall]
Firewall rules:
◦ Allow outbound SYN packets, destination port=80
◦ Drop inbound SYN packets
◦ Allow inbound SYN-ACK packets, source port=80
Stateful Firewalls
Stateful firewalls can tell when packets are part of legitimate sessions originating within a
trusted network.
Stateful firewalls maintain tables containing information on each active connection, including
the IP addresses, ports, and sequence numbers of packets.
Using these tables, stateful firewalls can allow only inbound TCP packets that are in response to
a connection initiated from within the internal network.
Stateful Firewall
Allow only requested TCP connections:
◦ TCP-based connections are easy to check
  ◦ TCP SYN packet
◦ UDP-based traffic is not so clear
  ◦ There is no UDP connection set up
  ◦ Treat a UDP session as starting when a legitimate UDP packet is allowed through the firewall (such as from inside to outside)
  ◦ Session is defined by (source IP, source port, dest IP, dest port)
[Figure: client 128.34.78.55 on the trusted internal network completes a TCP handshake with server 76.120.54.101 on port 80 (SYN Seq = x; SYN-ACK Seq = y, Ack = x + 1; ACK Seq = x + 1, Ack = y + 1); an attacker's unsolicited SYN-ACK (Seq = y, Port=80) is blocked. Firewall rule: Allow outbound TCP sessions, destination port=80. Firewall state table: Established TCP session: (128.34.78.55, 76.120.54.101)]
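As an added illustration (not from the slides), the following Python simulation contrasts the stateless rules shown earlier with a stateful filter that keeps the state table described here: it enforces a default-deny (whitelist) policy, opens TCP sessions only on an outbound SYN, opens UDP sessions on the first allowed outbound packet, and replays the diagram's scenario including the attacker's unsolicited SYN-ACK. The Packet and StatefulFirewall names, the 128.34.78.0/24 internal prefix and the attacker and DNS addresses are assumptions of the example; sequence-number tracking is omitted.

```python
from dataclasses import dataclass, field

# Constructed: the trusted internal network is 128.34.78.0/24, which contains
# the client address 128.34.78.55 used in the slides' diagram.
INTERNAL_PREFIX = "128.34.78."


@dataclass(frozen=True)
class Packet:
    proto: str                      # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def stateless_process(pkt):
    """The slides' stateless rules, with no memory of earlier packets: allow
    outbound TCP to destination port 80, drop inbound SYNs, allow inbound TCP
    from source port 80. Everything else, UDP included, is dropped (default deny)."""
    if pkt.proto != "TCP":
        return "DROP"
    if is_internal(pkt.src_ip) and not is_internal(pkt.dst_ip):      # outbound
        return "ACCEPT" if pkt.dst_port == 80 else "DROP"
    if is_internal(pkt.dst_ip) and not is_internal(pkt.src_ip):      # inbound
        if pkt.flags == {"SYN"}:
            return "DROP"                    # inbound connection attempt
        return "ACCEPT" if pkt.src_port == 80 else "DROP"
    return "DROP"


@dataclass
class StatefulFirewall:
    # Whitelist of destination ports a new outbound session may open, per protocol.
    allowed_outbound: dict = field(default_factory=lambda: {"TCP": {80}, "UDP": {53}})
    # State table: the slides' (src IP, src port, dst IP, dst port) as seen from
    # the inside, plus the protocol so TCP and UDP entries never collide.
    state: set = field(default_factory=set)

    def process(self, pkt):
        """Return "ACCEPT" or "DROP" for one packet, updating the state table."""
        if is_internal(pkt.src_ip) and not is_internal(pkt.dst_ip):  # outbound
            key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if key in self.state:
                return "ACCEPT"              # later packet of an allowed session
            if pkt.dst_port not in self.allowed_outbound.get(pkt.proto, set()):
                return "DROP"                # port is not on the whitelist
            if pkt.proto == "TCP" and pkt.flags != {"SYN"}:
                return "DROP"                # a TCP session must begin with a SYN
            self.state.add(key)              # UDP: first allowed packet opens the session
            return "ACCEPT"
        if is_internal(pkt.dst_ip) and not is_internal(pkt.src_ip):  # inbound
            reply_key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            return "ACCEPT" if reply_key in self.state else "DROP"   # replies only
        return "DROP"                        # does not cross the perimeter


def replay_scenario():
    """Replay the slides' diagram through both filters: the client opens a TCP
    session to the server on port 80, an attacker sends an unsolicited SYN-ACK
    from source port 80 and a SYN to port 80, then a UDP DNS query and reply
    pass. Returns (stateless, stateful) decisions per packet."""
    client, server = "128.34.78.55", "76.120.54.101"   # addresses from the slides
    attacker, dns = "203.0.113.7", "192.0.2.53"         # constructed (RFC 5737 ranges)
    packets = [
        Packet("TCP", client, 40000, server, 80, frozenset({"SYN"})),
        Packet("TCP", server, 80, client, 40000, frozenset({"SYN", "ACK"})),
        Packet("TCP", client, 40000, server, 80, frozenset({"ACK"})),
        Packet("TCP", attacker, 80, client, 40000, frozenset({"SYN", "ACK"})),  # forged reply
        Packet("TCP", attacker, 4444, client, 80, frozenset({"SYN"})),          # inbound SYN
        Packet("UDP", client, 5353, dns, 53),
        Packet("UDP", dns, 53, client, 5353),
    ]
    fw = StatefulFirewall()
    return [(stateless_process(p), fw.process(p)) for p in packets]
```

The fourth packet is the point of the exercise: the stateless rules accept the attacker's forged SYN-ACK because it comes from source port 80, while the stateful filter drops it because no matching session exists in its table.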
Application-level Firewall
A device capable of functioning both as a firewall and an application layer proxy server.
Since proxy servers are often placed in an unsecured area of the network (e.g., DMZ), they are
exposed to higher levels of risk from less trusted networks.
Additional filtering routers can be implemented behind the proxy firewall, further protecting
internal systems.
Application-level Firewall
Filters packets on application data as well as on IP/TCP/UDP fields.
[Figure: a host-to-gateway session runs from the internal host to the application gateway, and a gateway-to-remote-host session runs from the gateway out through the router and filter]
Example: allow select internal users to telnet outside.
1. Require all telnet users to telnet through the gateway.
2. For authorized users, the gateway sets up a telnet connection to the destination host. The gateway relays data between the two connections.
3. The router filter blocks all telnet connections not originating from the gateway.
Example: block user access to known porn websites.
◦ Check if the Web URL is in a "black-list".
MAC Layer Firewalls
◦ Designed to operate at the media access control sublayer of the network's data link layer
◦ Make filtering decisions based on a specific host computer's identity
◦ MAC addresses of specific host computers are linked to access control list (ACL) entries that
identify the specific types of packets that can be sent to each host; all other traffic is blocked
Hybrid Firewalls
◦ Combine elements of other types of firewalls, that is, elements of packet filtering and proxy
services, or of packet filtering and circuit gateways
◦ Alternately, may consist of two separate firewall devices, each a separate firewall system but
connected to work in tandem
◦ Enable an organization to make security improvements without completely replacing existing
firewalls
◦ Hybrids include Next Generation Firewall (NGFW) and Unified Threat Management (UTM) devices
Firewall Types and Protocol Models
Firewall Architectures
Firewall devices can be configured in several network connection architectures.
The best configuration depends on three factors:
◦ Objectives of the network
◦ Organization’s ability to develop and implement architectures
◦ Budget available for function

Three common architectural implementations of firewalls:
1. Single bastion hosts
2. Screened host
3. Screened subnet (with DMZ)
Single Bastion Hosts
◦ Commonly referred to as a sacrificial host, as it stands as the sole defender on the network perimeter
◦ Usually implemented as a dual-homed host, which contains two network interface cards (NICs): one
that is connected to the external network and one that is connected to the internal network
◦ Implementation of this architecture often makes use of network address translation (NAT), creating
another barrier to intrusion from external attackers
Screened Subnet Architecture (with DMZ)
◦ Is the dominant architecture used today
◦ Commonly consists of two or more internal firewalls behind a packet-filtering router, with each
protecting a trusted network:
  ◦ Connections from the outside or untrusted network are routed through the external filtering router.
  ◦ Connections from the outside or untrusted network are routed into and out of the routing firewall
to the separate network segment known as the DMZ.
  ◦ Connections into the trusted internal network are allowed only from DMZ bastion host servers.
Screened Subnet Architecture (with DMZ)
The screened subnet performs two functions:
◦ Protects DMZ systems and information from outside threats
◦ Protects the internal networks by limiting how external connections can gain access to internal systems

Another facet of DMZs: the creation of extranets
Selecting the right Firewall
1. The most important factor is provision of the required protection
2. The second most important issue is cost
◦ How easy is it to set up and configure the firewall? Does the organization have staff on hand who
are trained to configure the firewall, or would the hiring of additional employees be required?
◦ Can the firewall adapt to the growing network in the target organization?
Configuring and Managing Firewalls
•The organization must provide for the initial configuration and ongoing management of
firewall(s)
•Each firewall device must have its own set of configuration rules regulating its actions
•Firewall policy configuration is usually complex and difficult
•Configuring firewall policies is both an art and a science
•When security rules conflict with the performance of business, security often loses
Configuring and Managing Firewalls
Best Practices
◦ All traffic from the trusted network is allowed out.
◦ The firewall device is never directly accessed from the public network.
◦ Simple Mail Transport Protocol (SMTP) data are allowed to pass through the firewall.
◦ Internet Control Message Protocol (ICMP) data are denied.
◦ Telnet access to internal servers should be blocked.
◦ When Web services are offered outside the firewall, HTTP traffic should be blocked from reaching
internal networks.
◦ All data that are not verifiably authentic should be denied.

Firewall rules
◦ Firewalls operate by examining data packets and performing comparison with predetermined logical
rules
Firewall on Windows and Linux
On Linux, iptables is used to provide the firewall function: http://en.wikipedia.org/wiki/Iptables
On Windows, use "Control Panel" > "Windows Firewall".
Tunnels
The contents of TCP packets are not normally encrypted, so someone eavesdropping on a TCP
connection can often see the complete contents of the payloads in that session.
One way to prevent such eavesdropping without changing the software performing the
communication is to use a tunneling protocol.
In such a protocol, the communication between a client and server is automatically encrypted,
so that useful eavesdropping is infeasible.
Tunneling Prevents Eavesdropping
Packets sent over the Internet are automatically encrypted.
[Figure: the client and server speak TCP/IP across the untrusted Internet through a tunneling protocol that does end-to-end encryption and decryption; the payloads are encrypted on the Internet segment]

Secure Shell (SSH)
A secure interactive command session:
The client connects to the server via a TCP session.
The client and server exchange information on administrative details, such as supported encryption methods
and their protocol version, each choosing a set of protocols that the other supports.
◦ Example: check the ssh client software to see which algorithms are supported.

The client and server initiate a secret-key exchange to establish a shared secret session key, which is used to
encrypt their communication (but not for authentication). This session key is used in conjunction with a
chosen block cipher (typically AES, 3DES) to encrypt all further communications.
The server sends the client a list of acceptable forms of authentication, which the client will try in
sequence.
◦ Password-based authentication
◦ Public-key authentication method
  ◦ The client sends the server its public key
  ◦ The server then checks if this key is stored in its list of authorized keys. If so, the server encrypts a
challenge using the client's public key and sends it to the client
  ◦ The client decrypts the challenge with its private key and responds to the server, proving its identity
IPSec
IPSec defines a set of protocols to provide confidentiality and authenticity for IP packets.
Authentication Header (AH)
◦ Provides connectionless integrity and data origin authentication for IP datagrams
◦ Provides protection against replay attacks
◦ No confidentiality (packets are still unencrypted)

Encapsulating Security Payload (ESP)
◦ Provides confidentiality, data-origin authentication, connectionless integrity, and limited traffic-flow
confidentiality
◦ Port numbers are encrypted, which poses a challenge for NAT

http://en.wikipedia.org/wiki/IPsec
Content Filters
A software program or hardware/software appliance that allows administrators to restrict
content that comes into or leaves a network.
Essentially a set of scripts or programs restricting user access to certain networking
protocols/Internet locations.
The primary purpose is to restrict internal access to external material.
The most common content filters restrict users from accessing non-business Web sites or deny
incoming spam.
Protecting Remote Connections
Installing internetwork connections requires leased lines or other data channels; these
connections are usually secured under the requirements of a formal service agreement.
When individuals seek to connect to an organization's network, a more flexible option must be
provided.
Options such as virtual private networks (VPNs) have become more popular due to the spread of
the Internet.
Remote Access
Unsecured dial-up connection points represent a substantial exposure to attack.
An attacker can use a device called a war dialer to locate the connection points.
War dialer: an automatic phone-dialing program that dials every number in a configured range and
records the number if a modem picks up.
Some technologies that have improved the authentication process:
1. Kerberos
2. RADIUS systems
3. TACACS
4. CHAP password systems
Kerberos
◦ Provides secure third-party authentication
◦ Uses symmetric key encryption to validate an individual user to various network resources
◦ Keeps a database containing the private keys of clients/servers
◦ Consists of three interacting services:
  ◦ Authentication server (AS)
  ◦ Key Distribution Center (KDC)
  ◦ Kerberos ticket granting service (TGS)
Kerberos Login
1. User logs into client machine (c)
2. Client machine encrypts password to create client key (Kc)
3. Client machine sends clear request to Kerberos Authentication Server (AS)
4. Kerberos AS returns ticket consisting of:
◦ Client/TGS session key for future communications between client and TGS [Kc,TGS], encrypted with
the client's key
◦ Ticket granting ticket (TGT). The TGT contains the client name, client address, ticket valid times, and
the client/TGS session key, all encrypted in the TGS' private key
Kerberos request for services
RADIUS, Diameter, and TACACS
Remote Authentication Dial-In User Service (RADIUS) centralizes responsibility for user
authentication in a central RADIUS server.
Diameter: an emerging alternative derived from RADIUS.
Terminal Access Controller Access Control System (TACACS) validates a user's credentials at a
centralized server (like RADIUS); based on a client/server configuration.
RADIUS Configuration
1. Remote worker dials NAS and submits username and password
2. NAS passes username and password to RADIUS server
3. RADIUS server approves or rejects request and provides access authorization
4. NAS provides access to authorized remote worker
SESAME
Secure European System for Applications in a Multivendor Environment (SESAME) is
similar to Kerberos.
◦ The user is first authenticated to the authentication server and receives a token
◦ The token is then presented to a privilege attribute server as proof of identity to
gain a privilege attribute certificate
◦ Uses public key encryption; adds sophisticated access control features, more
scalable encryption systems, improved manageability, auditing features, and
options for delegation of responsibility for allowing access
Virtual Private Network (VPN)
VPN
Virtual private networking (VPN) is a technology that allows private networks to be safely
extended over long physical distances by making use of a public network, such as the Internet, as a
means of transport.
A VPN provides guarantees of data confidentiality, integrity, and authentication, despite the use of
an untrusted network for transmission.
A private and secure network connection between systems; uses the data communication capability of
an unsecured and public network.
Securely extends an organization's internal network connections to remote locations.
Three VPN technologies defined:
◦ Trusted VPN
◦ Secure VPN
◦ Hybrid VPN (combines trusted and secure)
VPN Transport Mode
◦ Data within the IP packet are encrypted, but the header information is not; this allows a user to
establish a secure link directly with a remote host, encrypting only the data contents of the packet
◦ Two popular uses:
  ◦ End-to-end transport of encrypted data
  ◦ A remote-access worker connects to an office network over the Internet by connecting to a
VPN server on the perimeter
VPN Tunnel Mode
◦ Establishes two perimeter tunnel servers to encrypt all traffic that will traverse an
unsecured network
◦ Entire client package encrypted and added as data portion of packet from one
tunneling server to another
◦ Primary benefit to this model is that an intercepted packet reveals nothing about
the true destination system
◦ Example of tunnel mode VPN: Microsoft's Internet Security and Acceleration (ISA) Server
Intrusion Detection System (IDS)
Introduction
Intrusion
◦ Actions aimed at compromising the security of the target (confidentiality,
integrity, availability of computing/networking resources)
Intrusion detection
◦ The identification, through intrusion signatures, and reporting of intrusion activities
Intrusion prevention
◦ The process of both detecting intrusion activities and managing automatic
responsive actions throughout the network
IDS Components
IDS manager compiles data from the IDS sensors to determine if an intrusion has
occurred. If an IDS manager detects an intrusion, then it sounds an alarm.
[Figure: an IDS manager collecting from IDS sensors placed on the router segments on either side of the firewall, between the untrusted Internet and the internal network]
Possible Alarm Outcomes
Alarms can be sounded (positive) or not (negative).

                      Intrusion attack                      No intrusion attack
Alarm sounded         True positive                         False positive (bad: rejects normal)
No alarm sounded      False negative (bad: misses attack)   True negative

The Base-Rate Fallacy
The true-positive rate is in conflict with the false-negative rate.
◦ There is a trade-off

If # of intrusions << # of all events, the effectiveness of an intrusion detection system can be
reduced.
In particular, the effectiveness of some IDSs can be misinterpreted due to a statistical error
known as the base-rate fallacy.
This type of error occurs when the probability of some conditional event is assessed without
considering the “base rate” of that event.
The Base-Rate Fallacy
Suppose an IDS has a 1% false positive rate and a 1% false negative rate. Suppose further that:
◦ An intrusion detection system generates 1,000,100 log entries.
◦ Only 100 of the 1,000,100 entries correspond to actual malicious events.

Among the 100 malicious events, 99 will be detected as malicious, which means we have 1 false
negative.
Among the 1,000,000 benign events, 10,000 will be mistakenly identified as malicious. That is,
we have 10,000 false positives!
Thus, there will be 10,099 alarms sounded, 10,000 of which are false alarms. That means the false
alarm rate is roughly 99%!
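The slides' arithmetic, generalized as an added example (not from the slides): alarm_breakdown reproduces the 10,099 alarms, p_intrusion_given_alarm applies Bayes' rule to show why 1% error rates do not mean 99% of alarms are real, and fp_rate_for_precision inverts that rule to show how small the false-positive rate must be at this base rate before most alarms are genuine. The function names are the example's own.

```python
def alarm_breakdown(n_events, n_malicious, fp_rate, fn_rate):
    """Expected confusion-matrix counts for an IDS with the given false-positive
    and false-negative rates over n_events, of which n_malicious are attacks."""
    n_benign = n_events - n_malicious
    tp = round(n_malicious * (1 - fn_rate))   # attacks that raise an alarm
    fn = n_malicious - tp                     # attacks that slip through
    fp = round(n_benign * fp_rate)            # benign events that raise an alarm
    tn = n_benign - fp
    return {"tp": tp, "fn": fn, "fp": fp, "tn": tn, "alarms": tp + fp}


def false_alarm_fraction(n_events, n_malicious, fp_rate, fn_rate):
    """Share of sounded alarms that are false: fp / (tp + fp)."""
    b = alarm_breakdown(n_events, n_malicious, fp_rate, fn_rate)
    return b["fp"] / b["alarms"] if b["alarms"] else 0.0


def p_intrusion_given_alarm(base_rate, fp_rate, fn_rate):
    """Bayes' rule, which the base-rate fallacy ignores:
    P(I | A) = P(A | I) P(I) / (P(A | I) P(I) + P(A | not I) P(not I)),
    with P(A | I) = 1 - fn_rate and P(A | not I) = fp_rate."""
    tpr = 1.0 - fn_rate
    p_alarm = tpr * base_rate + fp_rate * (1.0 - base_rate)
    return tpr * base_rate / p_alarm


def fp_rate_for_precision(base_rate, fn_rate, target):
    """Invert the formula above: the false-positive rate at which a fraction
    `target` of alarms would be real intrusions, for a given base rate."""
    tpr = 1.0 - fn_rate
    return tpr * base_rate * (1.0 - target) / (target * (1.0 - base_rate))


if __name__ == "__main__":
    n_events, n_malicious = 1_000_100, 100        # the slides' numbers
    print(alarm_breakdown(n_events, n_malicious, 0.01, 0.01))
    print(f"false alarm fraction: {false_alarm_fraction(n_events, n_malicious, 0.01, 0.01):.4f}")
    base = n_malicious / n_events
    print(f"P(intrusion | alarm): {p_intrusion_given_alarm(base, 0.01, 0.01):.4f}")
    print(f"fp rate needed for half the alarms to be real: {fp_rate_for_precision(base, 0.01, 0.5):.2e}")
```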
Types of Intrusion Detection Systems
Rule-Based Intrusion Detection
◦ Rules and signatures identify the types of actions that match certain known profiles for an intrusion
attack
◦ Alarm raised can indicate what attack triggers the alarm
◦ Problem: Cannot deal with unknown attacks

Statistical Intrusion Detection


◦ Statistical representation (profile) of the typical ways that a user acts or a host is used
◦ Determine when a user or host is acting in highly unusual, anomalous ways.
◦ Alarm when a user or host deviates significantly from the stored profile for that person or machine
◦ Problem: High false positive rate, cannot tell which attack triggers the alarm
Port Scanning
Purpose: attackers need to know where a potential target is.
TCP scan: uses an OS system call to check whether a TCP connection can be set up to a target machine on
any port
◦ Example scanner: nmap
◦ See how nmap works on the department eustis machine!

SYN scan: a low-level TCP program sends out a SYN packet without intent to finish the TCP
connection setup
◦ On receiving SYN/ACK, it issues a RST packet to terminate
Port Scanning
Two port scanning modes:
◦ Vertical scan: target numerous destination ports on a single host (e.g., nmap)
◦ Horizontal scan: target the same port on many target hosts, effectively looking for a specific vulnerability
  ◦ E.g., a worm
  ◦ E.g., an attacker conducting reconnaissance before the real attack
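From the defender's side, as an added example that is not part of the slides: a detector for the two scan modes above, run over constructed log lines written in the style of netfilter (iptables) kernel log entries. A vertical scan shows up as one source touching many ports on one host, a horizontal scan as one source touching one port on many hosts; the thresholds, sample addresses and function names are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of netfilter (iptables) kernel log
# entries; only the SRC=, DST= and DPT= fields are used below.
VERTICAL = [f"IN=eth0 SRC=203.0.113.9 DST=128.34.78.55 PROTO=TCP SPT=51000 DPT={p} SYN"
            for p in (21, 22, 23, 25, 80, 110, 143, 443, 3389, 8080)]
HORIZONTAL = [f"IN=eth0 SRC=203.0.113.10 DST=128.34.78.{h} PROTO=TCP SPT=44321 DPT=445 SYN"
              for h in range(10, 30)]
ORDINARY = ["IN=eth0 SRC=198.51.100.4 DST=128.34.78.55 PROTO=TCP SPT=60000 DPT=80 SYN",
            "IN=eth0 SRC=198.51.100.4 DST=128.34.78.55 PROTO=TCP SPT=60001 DPT=443 SYN"]
SAMPLE_LOG = "\n".join(VERTICAL + HORIZONTAL + ORDINARY)

LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")


def parse_connections(log_text):
    """Return (src, dst, dport) for every line carrying SRC=, DST= and DPT= fields."""
    connections = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            connections.append((m.group(1), m.group(2), int(m.group(3))))
    return connections


def detect_scans(connections, port_threshold=8, host_threshold=10):
    """Classify sources by the slides' two scan modes. Returns (vertical, horizontal):
      vertical   = {(src, dst): distinct destination ports probed on that host}
      horizontal = {(src, dport): distinct hosts probed on that port}
    The thresholds are constructed defaults; tune them to the network's normal traffic."""
    ports_per_pair = defaultdict(set)        # (src, dst)   -> {dport, ...}
    hosts_per_src_port = defaultdict(set)    # (src, dport) -> {dst, ...}
    for src, dst, dport in connections:
        ports_per_pair[(src, dst)].add(dport)
        hosts_per_src_port[(src, dport)].add(dst)
    vertical = {k: len(v) for k, v in ports_per_pair.items() if len(v) >= port_threshold}
    horizontal = {k: len(v) for k, v in hosts_per_src_port.items()
                  if len(v) >= host_threshold}
    return vertical, horizontal


if __name__ == "__main__":
    vertical, horizontal = detect_scans(parse_connections(SAMPLE_LOG))
    for (src, dst), n in vertical.items():
        print(f"vertical scan: {src} probed {n} ports on {dst}")
    for (src, dport), n in horizontal.items():
        print(f"horizontal scan: {src} probed port {dport} on {n} hosts")
```

The ordinary client that opened ports 80 and 443 on one host stays below both thresholds and is not reported.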
End of Lesson
