Access Controls, Firewalls and VPNs
Objectives
Upon completion of this material, you should be able to:
◦ Discuss the role of access control in information systems, and identify and discuss the four fundamental functions of access control systems
◦ Define authentication and explain the three commonly used authentication factors
◦ Describe firewall technologies and the various categories of firewalls
◦ Discuss the various approaches to firewall implementation
◦ Identify the various approaches to control remote and dial-up access by authenticating and authorizing users
◦ Describe virtual private networks (VPNs) and discuss the technology that enables them
Introduction
Technical controls are essential in enforcing policy for many IT functions that are not under
direct human control.
Technical control solutions, when properly implemented, improve an organization’s ability to
balance the objectives of making information readily available and preserving the information’s
confidentiality and integrity.
Access Control
Access control: A selective method by which systems specify who may use a particular resource and how
they may use it.
Mandatory access controls (MACs): A required, structured data classification scheme that rates each
collection of information as well as each user.
Discretionary access controls (DACs): Access controls that are implemented at the discretion or option of
the data user.
Nondiscretionary controls: Access controls that are implemented by a central authority.
In general, all access control approaches rely on the following four mechanisms, which represent the four
fundamental functions of access control systems:
◦ Identification: I am a user of the system.
◦ Authentication: I can prove I’m a user of the system.
◦ Authorization: Here’s what I can do with the system.
◦ Accountability: You can track and monitor my use of the system.
Access Control Approaches
Identification
Identification: The access control mechanism whereby an unverified or unauthenticated entity that seeks access to a resource provides a label (an identifier) by which it is known to the system.
Identifiers can be composite identifiers, concatenating elements—department codes, random
numbers, or special characters—to make them unique.
Most organizations use a single piece of unique information, such as a complete name or the
user’s first initial and surname.
Authentication
Authentication: The access control mechanism that requires the validation and verification of an
unauthenticated entity’s purported identity.
Authentication factors
◦ Something you know
  ◦ Password: a private word or a combination of characters that only the user should know
  ◦ Passphrase: a series of characters, typically longer than a password, from which a virtual password is derived
◦ Something you have
  ◦ Dumb card: ID or ATM card with magnetic stripe
  ◦ Smart card: contains a computer chip that can verify and validate information
  ◦ Synchronous tokens
  ◦ Asynchronous tokens
◦ Something you are
  ◦ Relies upon individual characteristics
◦ Strong authentication
Authorization
Authorization: The access control mechanism that represents the matching of an
authenticated entity to a list of information assets and corresponding access levels.
Authorization can be handled in one of three ways:
◦ Authorization for each authenticated user
◦ Authorization for members of a group
◦ Authorization across multiple systems
Authorization credentials, also called authorization tickets, are issued by an
authenticator and are honored by many or all systems within the authentication
domain.
Accountability
Accountability: The access control mechanism that ensures all actions on a system—authorized
or unauthorized—can be attributed to an authenticated identity. Also known as auditability.
Accountability is most often accomplished by means of system logs and database journals, and
the auditing of these records.
System logs record specific information about actions taken on the system.
Logs have many uses.
Biometrics
Approach based on the use of measurable human characteristics/traits to authenticate identity.
Only fingerprints, the retina of the eye, the iris of the eye, and DNA are considered truly unique.
Evaluated on false reject rate, false accept rate, and crossover error rate.
Highly reliable/effective biometric systems are often considered intrusive by users.
Firewall policies
[Figure: a firewall placed between the untrusted Internet and the internal network]
Policy Actions
Packets flowing through a firewall can have one of three outcomes:
◦ Accepted: permitted through the firewall
◦ Dropped: not allowed through with no indication of failure
◦ Rejected: not allowed through, accompanied by an attempt to inform the source that the packet was
rejected
Policies used by the firewall to handle packets are based on several properties of the packets being inspected, including:
◦ the transport protocol used (TCP or UDP)
◦ the source and destination IP addresses
◦ the source and destination ports
◦ the application-level payload of the packet (e.g., whether it contains a virus)
Blacklists and Whitelists
Two fundamental approaches to creating firewall policies (or rulesets)
Blacklist approach (default-allow)
◦ All packets are allowed through except those that fit the rules defined specifically in a blacklist.
◦ Pros: flexible in ensuring that service to the internal network is not disrupted by the firewall
◦ Cons: unexpected forms of malicious traffic could go through
Simple firewall models enforce rules designed to prohibit packets with certain addresses or
partial addresses from passing through the device.
Packet-Filtering Firewall
Firewall Types
• Packet filters (stateless)
  – If a packet matches the packet filter's set of rules, the packet filter will drop or accept it
• "Stateful" filters
  – Maintain records of all connections passing through them and can determine whether a packet is the start of a new connection, part of an existing connection, or an invalid packet
• Application layer
  – Works like a proxy: it can "understand" certain applications and protocols
  – May inspect the contents of the traffic, blocking what it views as inappropriate content (e.g., websites, viruses, vulnerabilities, ...)
Stateless Firewalls
A stateless firewall doesn’t maintain any remembered context (or “state”) with respect to the
packets it is processing. Instead, it treats each packet attempting to travel through it in isolation
without considering packets that it has processed previously.
[Figure: TCP three-way handshake between a client and a server on the trusted internal network, passing through the firewall: SYN (Seq = x, Port = 80); SYN-ACK (Seq = y, Ack = x + 1); ACK (Seq = x + 1, Ack = y + 1). A second panel shows an attacker sending a packet with Seq = y, Ack = x + 1 to port 80, and the firewall checking it; the client is labelled "blocked".]
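The stateless/stateful distinction above, as an added example that is not part of the original lecture. The addresses, ports and the "inbound ACK means established" rule are constructed assumptions; the stateful tracker below follows the handshake and drops an inbound ACK that belongs to no connection it has seen, while the stateless rule accepts it because it judges every packet in isolation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST"}

INSIDE = "10.0.0."  # constructed prefix for the trusted internal network

def stateless_filter(pkt):
    """Stateless rule set: allow all outbound traffic and any inbound packet
    carrying ACK (a common 'established' heuristic). No memory of past packets."""
    if pkt.src.startswith(INSIDE) or "ACK" in pkt.flags:
        return "ACCEPT"
    return "DROP"

class StatefulFilter:
    """Tracks connections opened from inside; inbound packets are accepted only
    if they belong to a tracked connection in the right state. A real tracker
    would also validate sequence/acknowledgement numbers (omitted here)."""
    def __init__(self):
        self.table = {}  # (inside ip, port, outside ip, port) -> state

    def check(self, pkt):
        if pkt.src.startswith(INSIDE):  # outbound: record connection state
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == {"SYN"}:
                self.table[key] = "SYN_SENT"
            elif key in self.table and "ACK" in pkt.flags:
                self.table[key] = "ESTABLISHED"
            return "ACCEPT"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # inbound: look up
        state = self.table.get(key)
        if state == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
            return "ACCEPT"
        if state == "ESTABLISHED" and "ACK" in pkt.flags:
            return "ACCEPT"
        return "DROP"

def demo():
    """Handshake from an inside client, then a forged ACK from an outside host."""
    client, server, attacker = "10.0.0.5", "192.0.2.10", "203.0.113.9"
    packets = [
        Packet(client, server, 40000, 80, frozenset({"SYN"})),
        Packet(server, client, 80, 40000, frozenset({"SYN", "ACK"})),
        Packet(client, server, 40000, 80, frozenset({"ACK"})),
        Packet(attacker, client, 80, 40000, frozenset({"ACK"})),  # not a tracked flow
    ]
    sf = StatefulFilter()
    return [stateless_filter(p) for p in packets], [sf.check(p) for p in packets]
```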
Application-level Firewall
[Figure: an application-level firewall splits the connection into a host-to-gateway session and a gateway-to-host session]
MAC layer Firewalls
◦ Designed to operate at media access control sublayer of network’s data link layer
◦ Make filtering decisions based on specific host computer’s identity
◦ MAC addresses of specific host computers are linked to access control list (ACL)
entries that identify specific types of packets that can be sent to each host; all other
traffic is blocked
Hybrid Firewalls
◦ Combine elements of other types of firewalls, that is, elements of packet filtering and proxy
services, or of packet filtering and circuit gateways
◦ Alternately, may consist of two separate firewall devices; each a separate firewall system, but
connected to work in tandem
◦ Enables an organization to make security improvement without completely replacing existing
firewalls
◦ Include the Next Generation Firewall (NGFW) and Unified Threat Management (UTM) devices
Firewall Types and Protocol Models
Firewall Architectures
Firewall devices can be configured in several network connection architectures.
Best configuration depends on three factors:
◦ Objectives of the network
◦ Organization’s ability to develop and implement architectures
◦ Budget available for function
Firewall rules
◦ Firewalls operate by examining data packets and performing comparison with predetermined logical
rules
Firewall on Windows and Linux
On Linux, iptables is used to provide the firewall function (http://en.wikipedia.org/wiki/Iptables).
On Windows, use Control Panel, then Windows Firewall.
Tunnels
The contents of TCP packets are not normally encrypted, so someone eavesdropping on a TCP connection can often see the complete contents of the payloads in that session.
One way to prevent such eavesdropping without changing the software performing the
communication is to use a tunneling protocol.
In such a protocol, the communication between a client and server is automatically encrypted,
so that useful eavesdropping is infeasible.
Tunneling Prevents Eavesdropping
[Figure: client and server communicate over TCP/IP across the untrusted Internet; the tunneling protocol performs end-to-end encryption and decryption, so packets sent over the Internet are automatically encrypted.]
The client and server initiate a secret-key exchange to establish a shared secret session key, which is used to encrypt their communication (but not for authentication). This session key is used in conjunction with a chosen block cipher (typically AES or 3DES) to encrypt all further communications.
The server sends the client a list of acceptable forms of authentication, which the client will try in sequence:
◦ Password-based authentication
◦ Public-key authentication method
  ◦ The client sends the server its public key
  ◦ The server then checks whether this key is stored in its list of authorized keys. If so, the server encrypts a challenge using the client's public key and sends it to the client
  ◦ The client decrypts the challenge with its private key and responds to the server, proving its identity
IPSec
IPSec defines a set of protocols to provide confidentiality and authenticity for IP packets
Authentication Header (AH)
◦ provide connectionless integrity and data origin authentication for IP datagrams
◦ provides protection against replay attacks
◦ No confidentiality (packets are still unencrypted)
http://en.wikipedia.org/wiki/IPsec
Content Filters
A software program or hardware/software appliance that allows administrators to restrict content that comes into or leaves a network.
Essentially a set of scripts or programs restricting user access to certain networking
protocols/Internet locations
Primary purpose to restrict internal access to external material
Most common content filters restrict users from accessing non-business Web sites or deny
incoming spam
Protecting Remote Connections
Installing Internetwork connections requires leased lines or other data channels; these
connections are usually secured under the requirements of a formal service agreement.
When individuals seek to connect to an organization’s network, a more flexible option must be
provided.
Options such as virtual private networks (VPNs) have become more popular due to the spread of the Internet.
Remote Access
Unsecured, dial-up connection points represent a substantial exposure to attack.
Attacker can use a device called a war dialer to locate the connection points.
War dialer: automatic phone-dialing program that dials every number in a configured range and
records number if a modem picks up.
Some technologies that have improved the authentication process.
1. Kerberos
2. RADIUS systems
3. TACACS
4. CHAP password systems
Kerberos
◦ Provides secure third-party authentication
◦ Uses symmetric key encryption to validate individual users to various network resources
◦ Keeps a database containing the private keys of clients/servers
◦ Consists of three interacting services:
  ◦ Authentication server (AS)
  ◦ Key Distribution Center (KDC)
  ◦ Kerberos ticket granting service (TGS)
Kerberos Login
1. User logs into client machine (c)
2. Client machine encrypts password to create client key (Kc)
3. Client machine sends clear request to Kerberos Authentication Server (AS)
4. Kerberos AS returns ticket consisting of:
  ◦ Client/TGS session key for future communications between client and TGS [Kc,TGS], encrypted with the client's key
  ◦ Ticket granting ticket (TGT). The TGT contains the client name, client address, ticket valid times, and the client/TGS session key, all encrypted in the TGS' private key
Kerberos request for services
RADIUS, Diameter, and TACACS
RADIUS: Remote Authentication Dial-In User Service centralizes responsibility for user authentication in a central RADIUS server.
Diameter: an emerging alternative derived from RADIUS.
TACACS: Terminal Access Controller Access Control System validates a user's credentials at a centralized server (like RADIUS); based on a client/server configuration.
RADIUS Configuration
[Figure: several routers acting as RADIUS clients of a central RADIUS server]
Possible Alarm Outcomes
Alarms can be sounded (positive) or not (negative).
[Table: alarm sounded / not sounded versus intrusion attack / no intrusion attack; an alarm sounded when there is no intrusion attack is a bad outcome (it rejects normal activity).]
If # of intrusions << # of all events, the effectiveness of an intrusion detection system can be
reduced.
In particular, the effectiveness of some IDSs can be misinterpreted due to a statistical error
known as the base-rate fallacy.
This type of error occurs when the probability of some conditional event is assessed without
considering the “base rate” of that event.
The Base-Rate Fallacy
Suppose an IDS has 1% chance of false positives, and 1% of false negatives. Suppose further…
◦ An intrusion detection system generates 1,000,100 log entries.
◦ Only 100 of the 1,000,100 entries correspond to actual malicious events.
Among the 100 malicious events, 99 will be detected as malicious, which means we have 1 false
negative.
Among the 1,000,000 benign events, 10,000 will be mistakenly identified as malicious. That is,
we have 10,000 false positives!
Thus, there will be 10,099 alarms sounded, 10,000 of which are false alarms. That means the false alarm rate is roughly 99%!
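The arithmetic above, worked as a function so the share of false alarms can be recomputed for other base rates (added example, not part of the original lecture; the function and parameter names are my own):

```python
def alarm_stats(total_events, malicious, fp_rate, fn_rate):
    """Counts an IDS produces given its error rates and the base rate of intrusions."""
    benign = total_events - malicious
    true_positives = round(malicious * (1 - fn_rate))  # intrusions caught
    false_negatives = malicious - true_positives        # intrusions missed
    false_positives = round(benign * fp_rate)           # benign events flagged
    alarms = true_positives + false_positives
    return {
        "alarms": alarms,
        "false_positives": false_positives,
        "false_negatives": false_negatives,
        # share of alarms that are false, i.e. P(no intrusion | alarm)
        "false_alarm_rate": false_positives / alarms if alarms else 0.0,
    }

def false_alarm_rate(fp_rate, fn_rate, base_rate):
    """Bayes' rule: P(benign | alarm) = fpr(1-b) / (fpr(1-b) + (1-fnr) b),
    where b is the base rate of intrusions among all events."""
    alarms_from_benign = fp_rate * (1 - base_rate)
    alarms_from_attacks = (1 - fn_rate) * base_rate
    return alarms_from_benign / (alarms_from_benign + alarms_from_attacks)

# Lecture figures: 1,000,100 events, 100 malicious, 1% FP and 1% FN rates.
LECTURE = alarm_stats(1_000_100, 100, 0.01, 0.01)
```

With the same 1% error rates, false_alarm_rate drops to 1% only when half of all events are intrusions, which shows that the error rates alone say little about how trustworthy an alarm is.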
Types of Intrusion Detection Systems
Rule-Based Intrusion Detection
◦ Rules and signatures identify the types of actions that match certain known profiles for an intrusion
attack
◦ Alarm raised can indicate what attack triggers the alarm
◦ Problem: Cannot deal with unknown attacks
SYN scan: low-level TCP program that sends out SYN packets without intent to finish the TCP connection setup
◦ On receiving a SYN/ACK, it issues a RST packet to terminate
Port Scanning
Two port scanning modes:
◦ Vertical scan: target numerous destination ports on a single host (e.g., nmap)
◦ Horizontal scan: target the same port on many target hosts, effectively looking for a specific vulnerability
  ◦ E.g., a worm
  ◦ E.g., an attacker conducting reconnaissance before the real attack
End of Lesson