Oluwatosin Oguntola Firewalls

Firewall Security systems Perimeter security for networks Internal separation of critical data Device installed at the point where network connections enter a site Organizations typically deploy a deny-all methodology The flip-side is the accept-all methodology

General features

Block access to particular sites on the internet Limit traffic to relevant addresses and ports Prevent certain users from accessing certain servers or services Monitor communication between an internal and external network Can be extended to protect against viruses and OS exploitation attacks

Types Router Packet filtering Application firewall systems Stateful inspection

Router Packet Filtering Firewalls First generation firewalls Here, a screening router examines packet header travelling between the internet and corporate network Packet headers have information in them such as the IP of sender and receiver and port numbers. Based on this, the router knows what kind of internet service e.g. Web based or ftp is being used to send the data. And using this information can prevent certain packets from being sent between the internet and corporate network

Very simple and stable Performs at the network layer of the OSI Simplicity is also a disadvantage as it’s very vulnerable to attacks from improperly configured filters Also, if a single packet filtering router is compromised, every system on the private network may be compromised Packet Filtering Firewalls – adv.

IP Spoofing; Attacker fakes the IP address of either an internal network host or a trusted network host Source routing specification; Defining the route the packets would take and to bypass the firewall rule. To do this, one must know IP address, subnet mask and default gateway settings at the firewall routing station. Attacks against packet filtering.

Miniature fragment attack; The attacker fragments the IP packet into smaller ones and pushes it through the firewall hoping that the first of the sequence would be examined and the others bypassed. Attacks against packet filtering.

Application Level Firewalls Application and Circuit level firewalls Provide greater protection capabilities Where packet filtering allows direct flow of packets between internal and external systems, A&C firewalls allow information to flow but not the direct exchange of packets Both work at the application layer of the OSI Application level gateway analyzes packets through a set of proxies – one for each service

Application Level Firewalls Circuit level are generally more efficient Both employ the concept of bastion hosting – heavily fortified and having a single host handling incoming requests thus making it easier to maintain security and track attacks. Pretty much like a fuse. Application level firewalls are set up as proxies Advantages include; hiding the internal network. Disadvantages are poor performance and scalability as internet usage grows

Stateful Inspection Firewalls Keeps track of destination IP address of each packet that leaves the organizations network When a message is received, it references what was sent to confirm it is a response Advantages are; control the flow of IP traffic by matching information contained in the headers of connection-oriented or connectionless IP packets at the transport layer Disadvantages include being difficult to administer

Firewall implementations

Firewall issues Creates a false sense of security Misconfigured firewalls may allow unknown and dangerous services to pass freely Policies may not be appropriately applied and reviewed Can be circumvented through the use of modems which connect users directly to ISPs As most operate at network layer, they cannot stop application based attacks

Firewall platforms Hardware based firewalls provide better performance and minimal system overload Software based firewalls are more flexible and scalable although they are slower and have significant overload Appliance type firewalls are faster and easier to recover being that they are hardened operating system based.

Intrusion detection systems Works in conjunction with firewalls by monitoring network usage anomalies. Notifies an administrator of perceived threats

Categories of IDS Network Based – identify attacks within the monitored network and issue warnings to the operator. Can be placed between the internet and firewall or between the firewall and corporate network. It is not a substitute for a firewall, but complements the firewall.

Categories of IDS Host Based – configured for a specific environment and to monitor internal resources. They can detect the modification of an executable program, deletion of files and issue a warning when a privileged command is being run.

Components of an IDS Signature based – protect against detected intrusion patterns and the patterns they detect are stored in the form of signatures. Statistical based – need a comprehensive definition of the known and expected behaviour of systems. Neural networks – monitors the general patterns of activity and traffic on a network and creates a database. Similar to statistical but has a self-learning functionality.

Features Intrusion detection Evidence collection on intrusive activity Automated response Security policy Interfaces with system tools Security policy management

Limitations An IDS can’t help with the ffg weaknesses; Policy definition weaknesses Application level vulnerabilities Back-doors into applications Weaknesses in Identification and Authentication schemes

Intrusion Prevention Systems Closely related to IDS Not only detect, but also prevent Helps in limiting damage done to systems that are attacked Must be properly configured and tuned to be effective Threshold settings too high or low will lead to limited effectiveness Could be subject to fake attacks which leaves them dysfunctional.

Examples of Firewall Implementations Screened-host firewall: this uses a packet filtering router and a bastion host i.e. Implementing network layer as well as application level security. This means that an intruder would have to penetrate 2 separate systems before reaching the private network.bastion host It’s configured thus:

Bastion Host A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily due to its location and purpose, which is either on the outside of the firewall or in the DMZ and usually involves access from untrusted networks or computers proxy serverfirewallDMZ

Screened Host Bastion host connected to the private network with a packet filtering router between the internet and the bastion host. Router filtering rules allow inbound traffic to access only the bastion which blocks access to internal systems

Examples of Firewall Implmtns Dual-homed Firewall: firewall system that has 2 or more network interfaces for the separate networks they are facing – it is a more restrictive form of a screened-host firewall in which a dual homed bastion host is configured with one interface established for information servers and another for the private network

Examples of Firewall Implmtns DMZ or screened subnet firewall: uses 2 packet filtering routers and a bastion host, it creates the most secure firewall system. The DMZ acts as a small isolated network for an organization’s public servers, bastion host information servers and modem pools. key benefits are – intruder must penetrate 3 separate devices and private network addresses are not disclosed to the internet plus internal systems do not have direct access to the www

Honeypots and Honeynets Software application that pretends to be an unfortunate server on the internet and not setup actively to prevent breakins. Rather acts a decoy to lure hackers and is more valuable when targeted.

Types of honeypots High-interaction – Give hackers a real environment to attack Low-interaction – Emulate production environments and as such provide limited information. An IDS triggers a virtual alarm when an attacker breaches security of any networked computer.

Some Terms Data Owner – generally managers and directors responsible for using the information to run and control the business. Security responsibilities include; Authorizing access Ensuring access rules are updated when personnel changes occur Regularly reviewing access rules for their data

Some Terms Data Custodians – responsible for storing and safeguarding the data and include ITS personnel such as systems analysts and computer operators Security Admin – provides adequate physical and logical security for IS programs, data and equipment New Users – Pg 370

Some Terms Data Users – including the internal and external users. Their access level should be authorized by a and restricted/monitored by a