
Information Privacy and Security

Topic 07:
Firewalls and Network Security

Computer Networks
- A computer network is a set of communications channels that interconnects computing devices and enables them to exchange data electronically
- The simplest network connects a single client to a single server:

- More typically, networks interconnect many clients and many servers

- Basic terminology:
  - Node
    - A single, conceptual computing device connected to the network
  - Host
    - The actual physical computing device involved in a node
  - Link
    - A connection between two hosts
Network Vulnerabilities
- Several characteristics make networks vulnerable to attack, including:
  1. Anonymity
  2. Many points of attack
  3. Resource and workload sharing
  4. System complexity
  5. Unknown boundary
Port Scanning
- A port scanner is a software program that is designed to examine one or more IP addresses and record which ports are open and which known vulnerabilities are present
- A network administrator or security analyst can use a port scanner to evaluate the strengths and weaknesses of a network
- An attacker can also use a port scanner to assess how or at which point to attack a network
- High-quality port scanners are freely available to both white-hats and black-hats alike!
Segmenting Networks
- One way of controlling threats from port scanners is to implement a segmented network architecture
- In a segmented network, many hosts belong to protected sub-networks that are not directly visible to the outside world
Firewalls
- A firewall is a device (hardware, software, or both) that is designed to:
  - Prevent unauthorized outside users from accessing a network or workstation
  - Prevent inside users from transmitting sensitive information or accessing unsecured resources
- A firewall protects a local network (or sub-network) from the outside global network
- Firewalls work by inspecting each inbound or outbound packet and determining whether it should be blocked or allowed to pass through
- Firewalls keep “bad things” out, but can also be used to keep sensitive data in
- Properly implemented firewalls can reduce or eliminate many network threats
Firewall Security Policies
- A firewall security policy is a set of rules that a firewall relies upon to determine which traffic should be allowed to pass through a network boundary
- Examples of firewall security policy rules:
  - Block all access from the outside, allow all access to the outside
  - Allow access from the outside:
    - Only for certain activities
    - Only for certain sub-networks, hosts, applications, or users
- Firewalls may have a default security policy:
  - Default permit
    - Anything that is not expressly prohibited is allowed
  - Default deny
    - Anything that is not expressly allowed is denied
OSI Reference Model
- The OSI reference model is a layered network communications protocol
- Each successively higher layer utilizes an abstract view of the layer directly below it
- Each lower layer fully encapsulates the higher layer above it
- The OSI model is a conceptual model (it was never actually implemented on a wide scale)
- The model shows all of the activities required for inter-computer communication

  Layer  Name          Activity
  7      Application   User-level data are generated
  6      Presentation  Standardized data appearance
  5      Session       Logical connection among parts
  4      Transport     Error checking and correction, ensuring reliable data flow
  3      Network       Handles addressing, determines how to route data
  2      Data Link     Divides data into blocks, ensuring reliable data transfer and delivery
  1      Physical      Actual communication across physical medium, electrical signaling

- How to remember the OSI layers in order: “Please Do Not Touch Steve’s Pet Alligator”
  - Maps to “Physical, Data link, Network, Transport, Session, Presentation, Application”
Packet Filtering Gateways
- A packet filtering gateway (or screening router) is a type of firewall that regulates network boundary access by:
  - Examining the source and/or destination IP address for each packet
  - Examining the type of transport protocol for each packet (e.g., HTTP, FTP, telnet, etc.)
  - Port filtering
- Packets that are not acceptable in light of the firewall’s security policy are discarded
- Packet filtering gateways are the simplest and often most effective type of firewall
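A small packet filter, written here as an added example (it is not code from the slides), that puts the security-policy slide and the screening-router slide together: rules match source/destination address, transport protocol and destination port, the first matching rule wins, and an unmatched packet falls through to a default-permit or default-deny policy. The internal network, the web server address and the rule set are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # transport protocol: "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # source network (CIDR); any address by default
    dst: str = "0.0.0.0/0"       # destination network (CIDR)
    proto: Optional[str] = None  # None matches any transport protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


def decide(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """Screening-router logic: the first rule that matches the packet wins;
    a packet that matches no rule gets the default policy ("allow" or "deny")."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Constructed policy: the protected network is 10.0.0.0/8 and 10.0.1.10 is a
# public web server.  Outsiders may reach only that host, only on TCP ports
# 80 and 443; inside hosts may send anywhere ("allow all access to the
# outside").  Anything else is decided by the default policy.
INTERNAL = "10.0.0.0/8"
POLICY = [
    Rule("allow", dst="10.0.1.10/32", proto="tcp", dport=80),
    Rule("allow", dst="10.0.1.10/32", proto="tcp", dport=443),
    Rule("allow", src=INTERNAL),
]

if __name__ == "__main__":
    probe = Packet("203.0.113.9", "10.0.2.5", "tcp", 23)  # outsider -> internal telnet
    for default in ("deny", "allow"):
        print(f"default {default}: {decide(POLICY, probe, default=default)}")
```

The same telnet packet is dropped under default deny and passed under default permit, which is why the slides list the default policy as part of the rule set.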
Packet Filtering Gateway (diagram)
Stateful Inspection Firewalls
- Unlike a packet filtering gateway, a stateful inspection firewall considers the state or context of the packets that it evaluates
- Stateful inspection firewalls “remember” the network activities of hosts
- The goal of a stateful inspection firewall is to identify hosts that represent a threat by accumulating evidence against them
- If the negative evidence against a host exceeds a threshold established by the firewall’s security policy, the host can be blocked
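An added example (not from the slides) of the evidence-accumulation idea, written from the defender's side and also covering the port-scanning slide: the inspector keeps per-host state across packets, scores refused connections and the probing of further ports as negative evidence (the pattern a port scan leaves in a firewall log), and once a host crosses the policy threshold it drops even packets that a stateless rule would have allowed. The weights, the threshold and the connection log are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed firewall connection log: (source IP, destination port, result).
# "refused" means the destination host had no service listening on that port.
EVENTS: List[Tuple[str, int, str]] = [
    ("203.0.113.5", 80, "accepted"),    # ordinary web client
    ("198.51.100.7", 21, "refused"),
    ("198.51.100.7", 22, "refused"),
    ("203.0.113.5", 443, "accepted"),
    ("198.51.100.7", 23, "refused"),    # third refused port from the same host
    ("198.51.100.7", 80, "accepted"),   # a stateless filter would let this through
    ("203.0.113.5", 80, "accepted"),
]


class StatefulInspector:
    """Accumulates negative evidence per source host and blocks the host once
    the total reaches the threshold set by the security policy."""

    # Policy weights (constructed): a refused connection is strong evidence;
    # each further distinct port probed by the same host adds a little more.
    WEIGHTS = {"refused": 3, "accepted": 0}
    NEW_PORT_PENALTY = 1

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.evidence: Dict[str, int] = defaultdict(int)
        self.ports_seen: Dict[str, Set[int]] = defaultdict(set)
        self.blocked: Set[str] = set()

    def observe(self, src: str, dport: int, result: str) -> str:
        if src in self.blocked:
            return "drop"                 # state remembered from earlier packets
        score = self.WEIGHTS.get(result, 0)
        if dport not in self.ports_seen[src]:
            if self.ports_seen[src]:      # not this host's first port
                score += self.NEW_PORT_PENALTY
            self.ports_seen[src].add(dport)
        self.evidence[src] += score
        if self.evidence[src] >= self.threshold:
            self.blocked.add(src)
            return "block"
        return "pass"


def run(events: List[Tuple[str, int, str]], threshold: int = 10) -> Tuple[List[str], Set[str]]:
    """Replay a log through the inspector; returns per-event decisions and blocked hosts."""
    inspector = StatefulInspector(threshold)
    return [inspector.observe(*event) for event in events], inspector.blocked
```

With the constructed log, 198.51.100.7 reaches the threshold on its third refused port and its later, otherwise acceptable, packet to port 80 is dropped, while the web client that only ever connects to ports 80 and 443 is never blocked.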
Stateful Inspection Firewall (diagram)
Application Proxy Gateways
- An application proxy gateway (or bastion host) is a type of firewall that runs pseudo-applications which mimic the proper behavior of real applications
  - These pseudo-applications examine the contents of the packets traveling between applications inside the network boundary and application users outside of the network boundary
- The application proxy gateway can filter out unacceptable protocol commands or other malformed commands while they are in transit between an application and a user
  - Command filtering is bidirectional
Application Proxy Gateway (diagram)
Circuit-Level Gateways
- A circuit-level gateway is a type of firewall that enables one network to become a virtual extension of another network
- Incoming / outgoing packets are examined to determine whether they are being sent to / received from the target network
  - If so, packets are decrypted or encrypted as necessary
  - If not, packets are routed through the “normal” firewall
- Circuit-level gateways can be used to implement virtual private networks (VPNs)
Circuit-Level Gateway (diagram)
Guard Firewalls
- A guard is an advanced type of firewall that examines the contents of packets while they are in transit across the network boundary
  - The guard can modify the contents of packets or drop packets altogether
- Guards are conceptually similar to application proxy firewalls, but are much more sophisticated
  - A guard can be programmed to perform any sort of packet filtering, scanning, or modification that is deemed necessary
Personal Firewalls
- In contrast to a firewall that is implemented as a separate hardware device, a personal firewall is a firewall that is implemented as a software program
- Personal firewalls are installed on computing devices and inspect inbound or outbound network traffic to determine whether it should be blocked or allowed to pass through
- Personal firewalls can be used to protect home computers and other personal computing devices from outside attackers, viruses, and other types of malware
Encryption and Network Security
- Encryption is the most powerful single tool for protecting network security. Network encryption techniques include:
  - Link encryption
  - End-to-end encryption
  - Virtual private networks (VPNs)
  - Secure shell (SSH) encryption
  - Transport Layer Security (TLS)
  - IP security protocol (IPSec)
  - Signed code
  - Encrypted email
Six Truths about Firewalls
1. Firewalls can protect an environment only if they control the entire perimeter
2. Firewalls do not protect data outside of the perimeter
3. From the outside, firewalls are the most visible component of a network, and are hence attractive targets for attack
4. Firewalls must be properly configured, and their configuration settings must be periodically evaluated and updated
5. Firewall systems should not contain any tools that could help an attacker who penetrates the firewall in subsequent exploits
6. Firewalls exert only narrow control over the content that they allow to cross the network boundary
Network Address Translation
- Hosts inside of a network boundary often expose their IP addresses to the outside world in order to enable communication
  - A clever attacker can use the IP addresses of the hosts in a network to infer the network’s topological layout and architecture
- A firewall can implement network address translation (NAT) in order to hide the structure of an internal network from the outside world
  - The IP addresses of packets originating from an internal host are replaced with the IP address of the firewall as they leave the network
    - External hosts thus send replies to the firewall’s IP address, rather than to the IP address of the internal host
  - The IP addresses of incoming packets are similarly translated back into the internal host’s real IP address
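The translation described on this slide, as an added example that is not part of the slides: the firewall keeps a table mapping each internal (address, port) pair to a port on its own public address, rewrites the source of outbound packets, rewrites the destination of the matching replies, and drops inbound packets for which no mapping exists, so the internal addresses never appear outside. The addresses and port numbers are constructed documentation values.

```python
from itertools import count
from typing import Dict, Optional, Tuple

Packet = Dict[str, object]   # keys: src, sport, dst, dport


class NatFirewall:
    """Port-based NAT kept by the firewall.  Every outbound packet leaves with
    the firewall's public address; a reply is forwarded inside only if it
    matches a mapping that an earlier outbound packet created."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = count(first_port)
        # (internal ip, internal port, remote ip, remote port) -> public port
        self._out: Dict[Tuple[object, ...], int] = {}
        # public port -> (internal ip, internal port)
        self._in: Dict[object, Tuple[object, object]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        pub_port = self._out.get(key)
        if pub_port is None:                      # first packet of this flow
            pub_port = next(self._next_port)
            self._out[key] = pub_port
            self._in[pub_port] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.public_ip, "sport": pub_port}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt["dst"] != self.public_ip:
            return None
        target = self._in.get(pkt["dport"])
        if target is None:
            return None                           # unsolicited: no mapping, dropped
        internal_ip, internal_port = target
        return {**pkt, "dst": internal_ip, "dport": internal_port}


def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    """Constructed flow: internal host 10.0.0.5 talks to 198.51.100.20:443
    through a firewall whose public address is 203.0.113.1."""
    nat = NatFirewall("203.0.113.1")
    out = nat.outbound({"src": "10.0.0.5", "sport": 51000,
                        "dst": "198.51.100.20", "dport": 443})
    reply = nat.inbound({"src": "198.51.100.20", "sport": 443,
                         "dst": "203.0.113.1", "dport": out["sport"]})
    stray = nat.inbound({"src": "198.51.100.99", "sport": 4444,
                         "dst": "203.0.113.1", "dport": 40001})
    return out, reply, stray
```

The stray packet shows the hiding effect from the slide: an outside host that was never contacted cannot reach an internal address, because the only addresses it can name are the firewall's own and no table entry exists for it.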
Network Address Translation (diagram)
Establishing a Network Security Perimeter
- The goal of network architecture design and implementing firewalls should be to establish a security perimeter which surrounds and protects internal information assets
  - A properly designed network security perimeter will minimize the number of outside points of attack
- Additional security perimeters can be established around internal sub-networks in order to further strengthen security
  - Analogous to a city with multiple layers of gates and walls
  - Less valuable assets should be kept closer to the outer network boundary, while more valuable assets should be protected by multiple rings of network security
Multiple Network Security Perimeters (diagram)