Guide to Firewalls and Vpns Chapter 1 Review Questions

CSS 111 - Introduction to Information System Security

Chapter 6, Security Technology: Firewalls and VPNs; Chapter 7, Security Technology: Intrusion Detection and Prevention Systems, and other Security Tools

Objectives:

This lesson discusses several engineering science tools used to secure networks. Objectives important to this lesson:

1. Identify different technologies in relation to network, information, and application security
2. Access command, access command models
3. Authentication
4. Credentials
5. Authentication models
6. Place types of firewall, intrusion detection, dial-up, and networking analysis tools
7. Identify types of encryption, cryptography, and trap-and-trace technology.

Concepts:

Chapter 6

The text begins with the topic of admission control. This chapter uses what may be a familiar meaning, allowing, restricting, and denying access to resources.

Earlier we begin, there is a distinction between authorization and admission you lot need to empathize. Potency is permission, and admission is means. Dominance means nosotros permit someone to do something. Access ways someone can get at an asset. Other than that, a bit more than vocabulary will help you sympathise the starting time terms in the chapter:

• possessor - A person responsible for the integrity and security of an asset. This may be a management role instead of a technical role.
  
• custodian - A person who maintains the security of a system, possibly past calculation and removing access by user accounts. (This office is also chosen an administrator.)
• end user - A person who uses the asset, such as reading a file, opening a spider web page, or press some data from a database, but who is non allowed to change access rights to the asset. This concept is besides called a subject in some texts.
• subjects (users or processes interim for users) perform operations on objects (assets)
• supplicant - the text also users this word equally a synonym for "requester"; it is not used in mutual discussion unless you are a rather pedantic member of the attendant mathematical priesthood

Folio 246 introduces 3 access control methods. You should know something about each of them:

• Mandatory Access Control (MAC) - the most restrictive model; the owner defines a security policy, the custodian implements it, and the finish users cannot modify it; this may exist implemented past setting a security level for each asset and granting authority to users by assigning them to a level
  
• Nondiscretionary controls come in two types
  
• Function Based Access Control (RBAC) - access is granted to roles (groups) defined on the systems, cease users are assigned to roles so they can access assets needed for their jobs; the text uses Windows Server 2008 as an instance of a system that tin can employ this model
• Task Based Access Control (TBAC) - may be the nearly complex model; rules can change which role a user is assigned to, based on the task the user is performing, changing the level of access the user has
• Discretionary Admission Control (DAC) - least restrictive model; subjects (finish users) can own objects, and have total control over them (like a SharePoint web server organisation); end users must set up and maintain security for their assets, which most people will exercise badly; processes run by stop users inherit their permission levels

The text tells u.s.a. that users must commencement identify themselves to a system, but identification is pointless without authentication. Identification is simply entering a user proper name. Authentication is one of three cardinal elements to security:

• authentication - confirmation of identity
• authorization - granting permissions that are linked to the user's business relationship
• accounting, accountability, auditing - tracking what the user does

Most security is based on one or more of 3 types of things: something you lot have (like a key or an ID carte), something you know (like a PIN or a countersign), or something you lot are (like a fingerprint).

When a person logs in from a standard workstation in a normal environment, one level of protection, like an ID and password pair, may be secure enough.

For a state of affairs that is more than vulnerable, like logging in from a remote location through a public information network, 2 levels may be required, such every bit a user name-password pair along with a one-fourth dimension password from a security device (that may require a PIN as well). You see the layers? My password (something I know) is no practiced unless I employ the one-time key from the device (something I have), which is no good unless I know the PIN that proves I am allowed to use the device (something else I have to know). The one-time countersign shown in the paradigm on the right, past the mode, is but good for i minute. Afterwards that minute, a new 6 numeral code volition be generated.

The text abruptly jumps to the topic of firewalls, which we are told may be classified iii dissimilar ways:

• by their processing type
• by their evolutional generation
• past the way they are implemented (structure).
  

Firewalls by Processing type:

i. Packet-filtering firewalls

Traffic on a network is cleaved into packets, smaller message units. Each packet must hold at least two addresses: that of the sender and that of the recipient. A parcel-filtering firewall will hold a database of rules that tell information technology what to do with packets. Frequently the rules are based on the addresses mentioned to a higher place and the protocol (network rules) the packet is being sent under. The rules may include all 3 ideas, such equally the three rules shown at the top of page 253.

• The kickoff dominion says if the package is from any accost on the 172.16.0.0 network (172.16.10.x) and being sent to whatever accost on the 10.10.0.0 network, using any protocol (Any), drop the bundle (Deny). The 10 characters are used as wildcards on some firewalls, equally the text mentions later. Other firewalls might use zeros instead, then you need to know the syntax for the firewall you are configuring.
  
• The second rule says if the bundle is from any address on the 192.168.0.0 network (192.168.x.10) and existence sent to the specific address 10.10.10.25 (10.ten.ten.25), using the HTTP protocol (HTTP is hypertext transfer protocol), let that packet through (Allow). This tells me that x.10.10.25 is the accost of a web server on that network, because HTTP is for web pages.
• The 3rd rule says if the source accost is specifically 192.168.0.ane (192.168.0.i) and the destination accost is specifically 10.10.10.10, and the protocol is FTP (FTP is file transfer protocol), then allow the packet through (Allow).
  

Bundle filtering firewalls come in three types.

• static - a system ambassador sets the rules for the firewall
  
• dynamic - the firewall sets some rules for itself, such as dropping packets from an address that is sending many bad packets
  
• stateful - packets sent by an assailant often are sent to a port that the attacker has guessed is open; a stateful firewall denies packets sent to any port unless a connexion to that port has already been negotiated; this kind of checking puts more processing overhead on the firewall
  

2. Application gateway firewalls

To sympathize this one and the next ii, I have to explain the ISO-OSI Network Model. In fact, it volition assistance you to understand all of these processing types. The ISO-Open Systems Interconnect networking model has seven layers that describe what happens to a packet as it is prepared to exist sent out on a network, and what happens when that packet is received by the automobile that is meant to human action on it.

Packets leaving a device start at the tiptop layer of the model (Awarding, layer vii) and are processed downwardly to stack to the bottom layer (Concrete, layer 1). Packets existence received past a device arrive at the Concrete layer, and are handed off to each successive layer until they are received by an application at layer vii.

The chart below shows the seven layers of the ISO-OSI model, the firewall types associated with several layers, and a summary of the many things that happen on each layer. Do you demand to know all the material in the third column? Not for this lesson, but somewhen you will.

So, what'southward an application gateway? The text tells u.s. that a proxy server, discussed in the final lesson, is an example of an application gateway. It acts as an intermediary between a requester and a more protected device. The text tells us that it is probably dedicated to i awarding, so confuses the result by listing five protocols. The protocols listed correspond to particular services on a network, whose functions live on layer 7: FTP is for file service, Telnet is for remote sessions, HTTP is for web pages, SMTP is for mail service, and SNMP is for managing a network. The proxy server can make the connection, and can examine the data for allowable content. For example, a business may ready a proxy server that runs an application to prevent staff from accessing particular kinds of web sites, such as gambling, gaming, or sports sites.

Firewall?	Layer name	Topics & Methods
application gateways live here	Application (layer vii)	Network Services File services Impress services Message services Application services Database services Service Advertising - how services become known Service Utilise - how services are obtained
	Presentation (layer half dozen)	Translation - bit translation, byte translation, character lawmaking translation, file translation Encryption - cipher, private central or public fundamental
	Session (layer v)	Dialog Control - simplex, half-duplex and duplex Session Administration - connexion institution, data transfer and connexion release
excursion gateways live here	Transport (layer 4)	Address/proper noun Resolution Addressing Segment Development - breaking large messages into segments, combining small letters into segments Connectedness Services
packet filtering firewalls live hither	Network (layer 3)	Addressing - network addresses. 2 methods: Logical Network Service Switching - route cosmos for packets, messages and circuits. 3 methods: Package switching Message switching Circuit switching Road Discovery - finding a road. 2 methods: Distance vector Link-state Road Selection - choosing a road. two methods: Static Dynamic Connection Services - flow control, error control and packet sequence command. iii methods: Network-layer flow control Error control Bundle sequence command
MAC layer firewalls live here	Data link (layer 2)	MAC sublayer Logical Topology - two methods: Bus Band Media Access - 3 methods: Contention Token Passing Polling Addressing - 1 method: Physical Device Address - the MAC accost LLC sublayer Transmission Synchronization - iii methods: Synchronous Asynchronous Isochronous Connectedness Services - 3 methods: Unacknowledged Connectionless Connection Oriented Acknowledged Connectionless
no firewall lives hither: no addresses on this layer	Physical (layer 1)	Connection Type - two methods: Indicate-to-Point Multipoint Concrete Topology - 5 methods: Bus Band Star Mesh Cellular Digital Signaling - ii methods: Current State State Transition Analog Signaling - ii methods: Current State Country Transition Bit Synchronization - 2 methods: Synchronous Asynchronous Bandwidth Usage - two methods: Baseband Broadband Multiplexing - 3 methods: Frequency Partitioning Fourth dimension Division Statistical Time Division

iii. Excursion gateways

According to our text, this firewall lives on the ship layer, which is associated with guaranteed commitment of packets, Other than that, the explanation in the text is very unclear. The explanation at the PCStats web site is clearer. Information technology explains that the function of the circuit gateway is less analytical than the proxy server, but that it does serve as an intermediary also, making sure that only requested data is returned to the requester. It will not examine the information for content.

4. MAC layer firewalls

The MAC sublayer of the ISO-OSI Data Link layer is concerned with MAC addresses, the hard coded addresses that are generally burned into network cards when they are manufactured. This kind of firewall will check the MAC accost of a requester to decide whether the device existence used to brand the connexion is authorized to access the data in question. This would be useful in situations where devices are placed in lobbies for customers who are immune to scan a catalog, but not allowed to place orders that would affect inventory.

5. Hybrids - the fifth processing firewall blazon combines features of the other four.

Firewalls by Generation type

• First generation - static bundle filtering
  
• 2nd generation - awarding level
  
• 3rd generation - stateful inspection
  
• Fourth generation - dynamic packet filtering
  
• Fifth generation - examines packets at several layers
  

Firewalls past Structure

• Commercial appliances - runs on a custom operating system, on a dedicated device
  
• Commercial systems - a software solution that runs on a figurer that may or may not be dedicated
  
• Small Office - Home Function appliances - device may actually exist a cable modem, or DSL modem, may also include router and WAP services, may include intrusion protection
  
• Residential (consumer) software - typically a combination of anti-virus, firewall, intrusion detection software; should be run on all devices that connect to a dwelling house network
  

Notation that none of the firewall solutions discussed volition protect a network from user error. Y'all can still trigger an incident by following a link to a malware site that is not forbidden, past running a Trojan or a worm, or past whatsoever other action that a user is allowed to take.

Let's move ahead to page 268, where the text discusses some advice for configuring firewalls.

• All traffic from the trusted network (our network) is allowed out. Gee, I promise we aren't infected past another worm.
• Firewalls are not configurable from the public facing part of the network. This makes sense: we should manage our best protection devices from within the network, to remove the possibility that a hacker could modify the firewall's rules.
• Post traffic sent by SMTP is sent to a mail gateway. Some may be allowed, some denied, merely all should exist examined by a dedicated device.
• All ICMP (ping) packets from outside our network should be denied. This is not always done in exercise. You should effort to ping a few public web serves to see if it works in our classroom.
• Telnet requests from the outside should be blocked. This engineering is non frequently used any more than, but it is a potential hack that could be used to control our servers.
• Public facing web servers should be in a DMZ, should utilize the secure form of HTTP (HTTPS), and should block requests fabricated on them to contact our trusted network assets.
• Deny traffic that has non been authenticated.
  

The text discusses some rules that could be ready on most firewalls. It notes that a typical approach to firewall rules is to decide what is allowed, write rules assuasive those things, and then deny everything else. An alternative is to write rules for everything you want to deny, then allow everything else. Annotation that the examples on page 276 testify a dominion database that contains a mixture of rules that let and deny packets, equally is probably the nigh common approach. The section on firewall rules is pretty extensive, and a bit beyond what we want for this course, so we will continue to the next item.

Page 277 discusses content filters, which are typically used to prevent your users from accessing websites that are accounted unacceptable by your organization. A company policy that directs staff not to access such sites on company time, visitor equipment, or company network would exist a necessary first step. The text mentions NetNanny and SurfControl, two proper name-brand products in the field. At that place are other products that practice similar things, and most of them are offered on a subscription basis. Your administrators download periodic updates to your proxy servers on a regular footing, which will keep your staff from accessing known sites that feature objectionable content. As you lot might imagine, staff who conduct investigations of violations of related policies would need to be able to access websites without restriction.

The adjacent department of this chapter discusses protecting your network when users connect to your network by other ways than your LAN jacks. At that place is a good bit of discussion about connecting over a dial-up connection, and the technologies that are used to support that, but this is very dated. Is in that location anyone who would connect to a system by plain quondam phone service (POTS) when the Net is bachelor in so many ways? For historical reference, it can't hurt to know this cloth. Or if y'all should observe yourself transported to a location with phones, without Internet access, with affordable telephone costs, and with the need to connect to your domicile network, be enlightened of RADIUS, TACACS, and Diameter.

The department on Virtual Private Networks (page 282) is more current. The text points out that a VPN is called that considering information technology provides a private connexion even though it passes through a public carrier. How? The text discusses iii means:

• trusted VPN - uses leased data lines from a data vendor that are guaranteed to be separate from the residuum of their network; obviously this is expensive and not an option if you exercise not trust the vendor
• secure VPN - uses security technology and encryption to make your traffic meaningless to eavesdroppers
• hybrid VPN - uses both of the methods above, typically over several hops to the target network (What's a hop? Every time our signals pass across another router, that's a hop.)

The text describes more than engineering that is used in VPN connections, but it is not necessary for the scope of this course.

Assignment 1: Chapter vi and more CBA

1. Review Questions for chapter six are on page 287. Answer numbers 1, five, viii, 11, xvi, and 19.
2. Return to chapter four, page 169, You should have your answers from Exercise 3 by at present. Employ that information and practise Exercise v.

   Continuing with Exercise 5, review the chapter and calculate the CBA for each row in the table.
   The formula requires the ALE values from this exercise, the ALE values from exercise 3, and the ACS for each line.

   CBA = ALE (without the safeguard) - ALE (with the safeguard) - ACS of this safeguard

Affiliate vii

Chapter 7 begins with fabric about intrusion detection and more security tools. The introduction to the chapter effectively sets the mood for the topics: an employee has been discharged, he is angry, and he is plotting revenge against the company. Has the company applied enough security to baby-sit against his attack?

The text has some definitions on page 293. Likewise many, really. Let'southward wait at a few:

• intrusion - someone tries to access or disrupt a organisation
• intrusion detection - if a product but does detection, it will notice an attempted or bodily intrusion, and volition probably tell someone; a detection organisation does not take action against the intrusion
• intrusion reaction - if a product reacts to intrusions, it attempts to stop them, contain them, or minimize their effects
• intrusion prevention - if a product acts to prevent intrusion, it probably does detection as well; I am sometimes notified past my security suite that an attempted intrusion has been detected and stopped, which is what you lot want such a system to exercise

When yous are researching products in this category, you should be careful to note what the product actually does. If it is marketed equally an intrusion detection arrangement, don't wait it to preclude or stop intrusions. Equally the text says, an intrusion detection and prevention system (IDPS) would be preferable to a system that but performed one of those functions.

The text asks the question "Why use an IDPS?" Well, which would you lot rather see on your screen, a message that says an assail has just been stopped without impairment, or a  (insert your favorite emblem of disaster)? At that place are some reasons on page 295 that go a bit further:

• If employees know near an IDPS, they may be less likely to go postal on your network.
• Detection of events will tell you lot when your other layers of security are non working.
• Dealing with probes that are used before an attack may serve to present that "walled city" Sun Tzu wrote almost.
• An IDPS keeps a log of events, which can be analyzed for current threats and for trends.

As mentioned in another affiliate, an IDPS may be installed on a estimator or a network apparatus and allowed to sniff all the packets that pass past. This sort of network-based IDPS may need to be duplicated in various parts of your network, since it has to watch every bundle that goes by, and it volition not run across any packets that are not passed to the network segment information technology lives on.

The second major option for an IDPS is a host-based IDPS. This kind of organization can detect changes on the host where it is installed that practise not depend on network traffic. On the other hand, it needs to be installed on every host you intend to protect. In a habitation network, this is not a big brunt, just in a commercial setting information technology can be a lot of work. A convincing statement may be that the antivirus plan provided as part of your home contract with a cable provider probably includes this feature. If you are installing Norton 360, for example, yous are already installing a organization to watch for intrusions also as to watch for viruses.

Other security measures are discussed, starting on folio 325. You lot should be familiar with these terms, know what they do, and know why you will probably non use them:

• honeypot - The usual explanation of this metaphor is Winnie the Pooh getting stuck in a jar of love. The idea is to put a fake, attractive looking, unprotected resource on your network that will attract the attention of a hacker looking for avails to steal, destroy, or otherwise vandalize. The honeypot system should include an IDPS element that notes the intrusion and sets off alarms, only does not actually finish it. I of the tricks hither is that the honeypot organisation must be bonny: it must look like a real asset gear up to be attacked. Ideally, it should be something that volition accept the attacker a meaning amount of time to exploit, so that your security staff have time to react.
  
• honeynet - A more than extensive drove of honeypots on a subnet may be chosen a honeynet.
  
• padded cell - Some other variation, this 1 is a honeypot that presents a challenge to the hacker. In this regard, information technology is more apparent to the hacker. If the resource was real and valuable, why would it not exist protected? Of course, if it is too well protected, why should the aggressor break into the padded jail cell instead of one of your real assets?
• trap-and-trace - Taking this concept to the next level, if nosotros have detected an intruder, why not figure out who and where the attacker is? Well, the reason non to practise it is to avert the cost of the lawsuit that will follow.
  

The text discusses the ideas of entrapment and enticement that could exist part of lawsuits brought against your company, and which utilise to all the items in this list. Be aware of the concepts and accept the idea that you will do better without most of this.

The text moves on to hash out tools that clarify networks on page 328. Nosotros have already discussed intrusion detection and prevention tools and firewalls. The authors advise vulnerability scanners, log analyzers (application log, security log,system log), and packet sniffers. They depict preliminary processes that a would-be aggressor might use in gathering information about a target on pages 328 and 329. Common early practices are examining web resource and using social engineering. I accept placed a pdf file on our BlackBoard site under week 4 that discusses a social engineering competition. You should read this file for ideas most closing gaps in your company's security.

The text discusses detail kinds of network tools useful to people looking for vulnerabilities, starting on page 332.

• port scanners - The text recommends Nmap. This sort of utility looks for devices on a network, and scans them for open up ports. In this case, a port is non a physical thing waiting for a plug. It is a service running on a computer that is identified by a number which stands for a place in that computer's retentivity. A service of this sort may run at a port whose number is ordinarily used (like 80 for HTTP, or 25 for SMTP) or information technology may run at whatever port number specified by the person or process that started it. A Wikipedia folio with lots of port numbers and their commonly associated services can be seen here. If a port is open, it can receive requests, and possibly commands from an attacker.
  
• firewall analysis tools - The text explains i mode that Nmap can be used to determine if a machine is live beyond a firewall. It too discusses Firewalk and HPING, 2 other tools that can help an attacker determine what a firewall is assuasive to pass.
  
• operating organization detection tools - The only tool mentioned by the text is XProbe, which sends ICMP packets to computers and checks their responses confronting a list of responses from machines with known operating systems. Why do yous desire to know the OS of a reckoner? To exploit known vulnerabilities or protect against such exploits.
  
• vulnerability scanners - The text recommends Nessus, a complimentary plan that does everything we have discussed so far, every bit well every bit having other features. It is effective for scanning a network that is using over the counter software. To browse a network with custom or in-house-adult software, it recommends a "fuzzy" scanner chosen Spike. It features a proxy server that sounds similar a skillful tool for a human in the center set on, as well as being a tool to test the stability of your own web servers and sites. These are both agile scanners, that send traffic into a network to examination it.
  The text mentions two passive scanners, that only lookout the traffic that is already being sent through a network. The two products mentioned are Passive Vulnerability Scanner (PVS) and RNA.
  
• bundle sniffers - A more formal term is network protocol analyzer. The text lists three products. Sniffer is one yous have to buy, Snort is an open source production, and Wireshark is freeware. Have the authors' description of the legal requirements for using this sort of software equally a warning. Do not use them unless all three of the tests on page 337 are met:
• You must be using this on a network your organization owns.
• You must have been authorized past the network owners to do this.
• You must exist doing this with the knowledge and consent of the content owners.
As you might imagine, it is rather difficult to pass all three of these tests.
• wireless security tools- In passing, the text informs you that the IEEE standard that applies to wireless networking is 802.eleven.The text mentions several wireless tools that were named as good choices in 2006. As I type this, it is at present 2014. Allow's update the list for this yr as an consignment.
  

The chapter ends with a discussion of using biometric hallmark equally a means of stopping intrusions. The text discusses them for three pages, ending with the ascertainment that many people practise not use these methods because of user confrontation and refusal to apply them. They are non 100% reliable, every bit the text explains.

Assignment 2: Affiliate 7

1. Read the list of wireless oriented security tools that starts on page 339. Note also the source of the authors' list for those tools.
   
2. Conduct a web search for a more recent listing of wireless diagnostic tools. Make sure that it is from an authoritative source.
3. Submit your listing of tools, specifying what they are skillful for. Cite your source, the publication date of the material, and explain why you lot recollect this is a valid source for this consignment.
   

nugenthincycle.blogspot.com

Source: https://stevevincent.info/CSS111_2014_4.htm

Share this post