Emmalee Jones, X433_001 Final
COMPSCI X433-001 Fundamentals of Data Communications and Networking
UC Berkeley Online Learning, Technology & Information Management

Firewalls and Computer Security

Table of Contents
Introduction
History of Firewalls
How Firewalls Work
Packet Filters
Stateful Packet Filters
Circuit Level Gateways
Proxy Servers
Application Gateways
Next Generation Firewalls
Conclusion
References

Introduction

When I was growing up, I saw a Sandra Bullock film called "The Net" in which a computer programmer got mixed up in a cyber-terrorist plot (IMDb, 1995). The terrorists were able to erase Sandra Bullock's existence through backdoor entrances into every kind of database that held information about her. I thought the movie was good, but I was not sure how realistic the facts supporting the plot were. Well, after a year of headlines featuring Edward Snowden, the NSA whistleblower who released information about NSA data mining of many corporate databases, including email and Facebook; Target and other stores being hacked for bank card information; and the latest cyber-threat, Heartbleed, the OpenSSL flaw that leaves most institutions vulnerable, maybe the movie was not that farfetched (Finkle, 2014). Computer security is a concern for everyone, especially those who are supposed to keep the networks of their companies safe. One aspect of computer system security is network firewalls. This paper will discuss how firewalls, from basic home devices to corporate networks, function, and evaluate how effective they are. The paper will also discuss what recent developments are available that may help in the fight to keep networks secure.

History of Firewalls

The term "firewall" was first coined in 1764 and referred to a wall that would provide a barrier to keep a fire from spreading from its source to the rest of the building (Ingram/Forrest, 2002). A computer firewall is similar in that it attempts to provide a barrier between a computer system and the Internet. The computer firewall is also used to slow down attacks on the computer system from malicious programs such as viruses and worms, as well as other types of attacks. However, a computer firewall differs from a firewall in a building in that a computer firewall must let some things through in order for the computer system to communicate with other computer systems. It can be compared to a semipermeable membrane within a cell wall (Burn A Brain, 2008). A cell needs to let nutrients in, but also keep harmful items out. A computer firewall must let communication in and out without allowing harm to the computer system.

In the infancy of the computer age, computer systems were closed systems and did not communicate with other computers (Montecino, 2010). Most computer systems had proprietary operating systems, reel-to-reel tapes, and punched cards (Montecino, 2010). The computers were expensive and the owners wanted to be able to use them as much as they could. Standardization of operating systems and data input developed as companies became more proficient at building computers, and with the invention of transistor-based technology in the 1960s (Montecino, 2010). Communication methods were invented to allow use of the computers all the time, and to allow communication between computers. One of the first communication methods developed was the Advanced Research Projects Agency Network (ARPANET). It was one of the world's first operational packet switching networks, built for military use (Mohamed, 2010). This led to the development of the Internet (Mohamed, 2010).

As computer systems became more standard and open through networks and floppy disks, the first malicious computer software soon appeared, and it has continued to appear since (Zetter, 2009). To protect computer systems from malicious software, new software and hardware were developed as firewalls (Ingram/Forrest, 2002). Multiple groups claim to have developed the first firewall, but most security experts agree that Jeff Mogul, Brian Reid, and Paul Vixie originated the idea with a gateway developed at Digital Equipment (Higgins, 2008). Initial firewalls were developed as part of the communication equipment, as routers. Routers were used as a firewall between communication devices, acting like a barrier. The first firewalls performed packet filtering (Ingram/Forrest, 2002). As new threats in the form of malicious software increased, so did additional firewall methods to combat them (Ingram/Forrest, 2002). Firewalls added new features such as proxy servers, stateful packet filters, circuit level gateways, and application gateways (Ingram/Forrest, 2002).

The difficult task for network security experts is to stay one step ahead of the hackers trying to access their systems. This is true whether the target is government, including the military, or corporations, educational institutions, and personal computers, including desktops, laptops, phones, and gaming systems. The years 2013 and 2014 have not been very kind to network security experts. There have been internal threats, the most notorious being Edward Snowden, who worked for the NSA, and external threats such as the hacking of Target's customer credit card data and, most recently, Heartbleed (Finkle, 2014). Heartbleed affected almost every computer system in ways that most people do not even realize. Patches had to be distributed and installed for the affected version of OpenSSL in every application that used that version of the open source software. For instance, Juniper Virtual Private Network, which most know as a version of VPN, had to be updated to keep computer systems safe (Finkle, 2014).

How Firewalls Work

The computer industry has standardized to become more efficient and cost effective (Montecino, 2010). The computer industry has expanded to include many mechanical devices that we use in our daily lives. For instance, cars run on computers for electronic ignition, antilock brakes, cruise control, and remote door and trunk openers. Other devices run by a computer include a toaster, a refrigerator, a greeting card, and a Blu-ray player. Many of these devices that use computer chips have an operating system and programs to make them work, and many of them can have their software updated through a firmware update. Most of these devices used to be closed systems, but now most are Internet aware and run the risk of being hacked. The computer industry has standardized on two main operating systems, Microsoft Windows and UNIX, with Linux being a variant of UNIX (Computer, 2014). Apple iOS uses a variant of UNIX, and the Android operating system is a variant of Linux. This makes it easier to create new products, but it also provides the same framework to anyone trying to break into these computer systems. Because this standardization makes it faster to bring a product to market, this is viewed as an acceptable risk. Companies do not have to start from scratch; instead they use existing computer technology to create a new product.

These standards provide patterns that allow for repeatable results. This is the goal of most products: actions can be repeated upon user request. This is no different for the data communication industry, where the patterns allow for repeatable results. All the standards in the data communication industry can be broken down into binary patterns of zeroes and ones that allow for repeatable results. These are the same standards and patterns that hackers use to try to access or subvert a computer system, and they are also the same standards and patterns that are used to develop firewalls to protect a computer system. The more patterns a firewall can check for, the harder it is for a hacker to gain access to a computer system and subvert it.

Firewalls are computer software applications that either run on a computing device, like a desktop or laptop, or run on specifically designed hardware that is tuned for its specific tasks. Most laptops and desktops run some form of firewall if they connect to the Internet. Many of these products are available as part of the operating system or as open source software. The unsettling thing is that, as users of this kind of software, we rely on the companies or people who provide it to have tested it properly. In most cases we would not know how to create or independently perform a test to see if it is working correctly. This has come to light with the Heartbleed debacle. Those who made the change to the OpenSSL software did not properly test the change before it was offered to all companies and users. This illustrates that the companies we rely on may not test properly either. In this case, the testing should have been done through proper regression testing, where any change to software, especially very important software such as OpenSSL, requires a full retest of the software.

For home use, new software and hardware are available that provide high levels of security in newer modem/routers. An example of this is the CenturyLink C1000A from Actiontec, which provides many of the features of an expensive firewall, such as stateful packet inspection, denial of service protection, intrusion detection, and WPA and WEP wireless encryption (Actiontec, 2014). Home users used to have only one computer linked to a dial-up connection, but then came higher speed connections that brought modems that allowed multiple devices to be connected. These now need to be protected.

Corporations and institutions need a higher level of firewall capability. These companies and institutions need security to protect company data and the personal data that they have access to. This includes college transcripts, FICO scores, bank accounts, Social Security numbers, accounts receivable balances, private product information, medical information, traffic light controls, control tower information for planes, military equipment including drones and missiles, and spacecraft. Many of these processes used to be paper-based or were within closed systems that could not be easily subverted. Society in general needs to feel that this information is protected to ensure stability. Everyone wants the assurance that their 401K electronic data will not be at risk from computer hackers or internal employees. The level of firewall support at one of these institutions needs to be tied to the risk associated with the compromise of the data. If a home modem/router has the latest firewall features, those features at a minimum should be present at all these institutions as well. This would include packet filters, stateful packet filters, proxy servers, circuit level gateways, and application gateways, as illustrated in the following diagram:

Illustration 1: Firewall Illustration (Thendral, 2010)

Packet Filters

Packet filters were the initial firewall for networks. Digital Equipment Corporation (DEC) created one of the first filters. Packet filters check packets to make sure that they follow the filtering rules. Any packet that does not match the rules is dropped or rejected; a rejection automatically sends an error message back to the sender. This blocks any packets that look like transmission problems, but also any possible malicious software that does not follow the communication standard for a packet of the transmission protocol. Most communication coming over the Internet uses the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) protocols (Chapman, 1992). Packet filtering works with the first three layers of the OSI reference model and the first two of the TCP/IP model, as illustrated in the following diagram:

Illustration 2: OSI Levels (PCUserinfo, 2014)

Packet filtering checks incoming data against rules that describe patterns the program looks for. It may check for certain addresses or ports in order to block things, such as blocking telnet and allowing only SSH communication (Chapman, 1992). This is done mostly by checking the source and destination IP addresses. Packet filtering was good technology in the 1980s and beyond because it was very fast to run and easy to set up (Miessler, 2014). It is still a mainstay in firewalls today. There are two ways of handling rules for the filtering: first, allow all traffic unless a rule blocks it, and second, deny all traffic unless a rule permits it. Denying all traffic by default is safer but requires a considerable amount of work and maintenance (Thakur, 2014). Some of the issues with packet filter firewalls are that they are susceptible to IP spoofing, they lack state awareness, and their rules can be difficult to create (Thakur, 2014). They are also limited in that they only check each packet as an individual piece of information; they do not compare it against other packets to get a bigger picture of the communication.
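The following is an added example, not code from the paper or from any product it names: a toy stateless packet filter beside a toy stateful one, run over constructed packets, to show the lack of state awareness described above and the connection table that the Stateful Packet Filters section below describes. All addresses, ports, and the rule set are made-up assumptions.

```python
# Added example, not from the paper: a toy stateless packet filter beside a
# toy stateful one, over constructed packets (all addresses are made up).
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    sport: int  # source port
    dport: int  # destination port
    syn: bool   # TCP SYN flag (set on a new connection attempt)
    ack: bool   # TCP ACK flag

INSIDE = "10.0.0."     # constructed internal network prefix
WEB_PORTS = {80, 443}  # the only services the rule set permits

def direction(p):
    return "out" if p.src.startswith(INSIDE) else "in"

def stateless_allow(p):
    """Packet filter: judge each packet on its own header fields. To let web
    replies back in it must admit any inbound packet with source port 80/443."""
    if direction(p) == "out":
        return p.dport in WEB_PORTS
    return p.sport in WEB_PORTS  # anyone can set this port, so this is weak

class StatefulFilter:
    """Stateful filter: admit inbound packets only as replies to tracked connections."""

    def __init__(self):
        self.table = set()  # tracked (src, sport, dst, dport) tuples

    def allow(self, p):
        if direction(p) == "out":
            if p.dport not in WEB_PORTS:
                return False
            if p.syn and not p.ack:  # inside opens a new connection
                self.table.add((p.src, p.sport, p.dst, p.dport))
            return True
        return (p.dst, p.dport, p.src, p.sport) in self.table

# Constructed traffic: a client opens HTTPS, the server replies, then an
# outsider sends an unsolicited packet that merely claims source port 443.
TRAFFIC = [
    Packet("10.0.0.7", "203.0.113.5", 51000, 443, syn=True, ack=False),
    Packet("203.0.113.5", "10.0.0.7", 443, 51000, syn=True, ack=True),
    Packet("198.51.100.9", "10.0.0.7", 443, 51001, syn=True, ack=True),
]

def run_stateless(packets=TRAFFIC):
    return [stateless_allow(p) for p in packets]  # forged packet gets through

def run_stateful(packets=TRAFFIC):
    fw = StatefulFilter()
    return [fw.allow(p) for p in packets]  # only the genuine reply is admitted
```

The stateless filter admits the third packet because its header alone looks like a web reply; the stateful filter rejects it because no inside host opened that connection.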
Stateful Packet Filters

Stateful packet filters, or circuit level gateways, were the next generation of firewall technology after packet filters. Stateful firewall technology was developed in 1989 at AT&T Bell Laboratories (Cisco, 2014). Stateful packet filters read multiple packets and compare them to see if the packets belong together. This helps to prevent the "denial of service" attack on a computer site, where the site is flooded with erroneous packets (Cisco, 2014). Stateful packet filters work at Layer 4 and Layer 3 of the OSI diagram in Illustration 2. Stateful filters are easy to set up and run, with little overhead on the network (Cisco, 2014). Because stateful filters operate only at the network layer, they examine only IP and TCP headers. The issues with stateful packet filters are the same as with packet filters, except for the awareness of connection state (Thakur, 2014).

Circuit Level Gateways

Circuit level gateways check whether the transport layer connection is valid (Allison, 2014). This is performed at the transport layer of the OSI diagram in Illustration 2. The check is done against a table of valid connections and is completed before the connection is made. Circuit level gateways act as a proxy, concealing the network from external view. Circuit level gateways are relatively inexpensive but do not look at the packets themselves. A circuit level gateway is like a packet filter, but with the addition of verifying the proper TCP handshake and the session information used in the creation of the connection (Thakur, 2014).

Proxy Servers

Proxy servers mask the internal addresses of the company's or institution's internal network, lending protection. Simple proxy servers are not application aware, but they rewrite all addresses. There is some security in using a proxy because it keeps information about the internal network from leaving the internal network. Issues with proxy servers include slowing down the communication between the external and internal systems and being a possible bottleneck for communication (Thakur, 2014).

Application Gateways

This is the most sophisticated of the firewalls and provides the best protection. An application gateway acts as a proxy between the internal network and the external network, hiding the internal addresses and names. It differs from a circuit level gateway in that its proxies are specific to the applications, and the proxies examine the packet contents, which can be used to filter at the application layer of the OSI levels in Illustration 2. See an example of an application gateway in the following illustration:

Illustration 3: Application Gateway (Oracle, 2013)

Some of the advantages of application gateways are state awareness of services, strong application proxying, a buffer against overrun attacks, better logging of incoming and outgoing traffic, and the highest level of security (Thakur, 2014). The disadvantages are the complexity of setting this gateway up and the tuning that must be done to make sure the gateway does not become a bottleneck (Thakur, 2014).

Next Generation Firewalls

The next step in firewalls is called the "next generation" firewall. Current next generation firewalls are being developed to do what is called "deep packet inspection" (Breeden, 2014). Deep packet inspection looks at application patterns and tries to stop intrusions by understanding those patterns. Hackers use some sort of pattern to intrude into a network, then an application and, eventually, the database (Breeden, 2014). This development will not be easy because it can put the network security specialist at odds with the application developer. It will increase the time it takes to develop application software because the developer will have to help the network analyst understand the application patterns. If the two groups do not work together, there will be times when the application appears not to work, but in reality it is just the firewall not using the right pattern and, thus, blocking legitimate users of the application. If the firewall product has the ability to learn the patterns, that could help shorten the time needed to establish the rules.

Conclusion

Network security will continue to be a hot issue as long as hackers continue to break into computer systems. Many companies and institutions do not have the resources to protect their computer systems properly. As cloud capabilities continue to improve, it would not be unusual to see many smaller companies and institutions move their applications to cloud-based technology to take advantage of network security expertise that they cannot afford to maintain (Violino, 2014). Also, as computers continue to become more powerful, 128-bit encryption will not be enough to protect private communications. Encryption will have to improve to a new level (Jeff, 2013). In addition, companies and institutions will have to add additional layers of security to protect their most vital assets. Firewalls will be just one part of that security. Companies and institutions might add encryption at rest for critical data, so that even if the network is breached the data will still have some form of protection (EMC, 2014).