Chapter 6 Firewall and VPN
What is a supplicant?
An entity that seeks a resource.
Circuit gateway firewall mode
Operates at the session layer to prevent direct connections between one network and another. Accomplished by creating tunnels connecting specific processes or systems on each side of the firewall, and allowing only authorized traffic in the tunnels.
Tunnel mode VPN
The organization establishes two perimeter tunnel servers. These servers act as encryption points, encrypting all traffic that will traverse the unsecured network. The primary benefit of this model is that an intercepted packet reveals nothing about the true destination system. Example of a tunnel mode VPN: Microsoft's Internet Security and Acceleration (ISA) Server.
What are the four common architectural implementations of firewalls?
Packet filtering routers, screened host firewalls (bastion host), dual-homed firewalls and screened subnet firewalls (DMZ).
What are the five processing modes for categorizing firewalls?
Packet filtering, application gateways, circuit gateways, MAC layer firewalls.
What is packet filtering firewall mode?
Firewall that examines the header information of data packets. A simple firewall model enforces rules designed to prohibit packets with certain addresses or partial addresses.
What is identification?
A mechanism whereby an unverified entity that seeks access to a resource proposes a label by which it is known to the system.
What are three ways Authorization can be handled?
Authorization for each authenticated user. Authorization for members of a group. Authorization across multiple systems.
Dual-homed host firewalls
The bastion host contains two network interface cards (NICs): one connected to the external network, one connected to the internal network. Implementation of this architecture often makes use of network address translation (NAT), creating another barrier to intrusion from external attackers.
Hybrid firewall mode
Combines elements of other types of firewalls, i.e., elements of packet filtering and proxy services, or of packet filtering and circuit gateways. Alternately, may consist of two separate firewall devices, each a separate firewall system, but connected to work in tandem.
Screened host firewall architecture
Combines a packet filtering router with a separate, dedicated firewall such as an application proxy server. Allows the router to prescreen packets to minimize traffic/load on the internal proxy. The separate host is often referred to as a bastion host. It can be a rich target for external attacks and should be very thoroughly secured. Also known as a sacrificial host.
MAC layer firewall mode
Designed to operate at the media access control layer of the OSI network model. Able to consider a specific host computer's identity in its filtering decisions. MAC addresses of specific host computers are linked to access control list (ACL) entries that identify specific types of packets that can be sent to each host; all other traffic is blocked.
Application gateway firewall mode
Frequently installed on a dedicated computer; also known as a proxy server. Web servers can avoid direct user traffic: proxy servers access web servers on behalf of external clients. Since the proxy server is often placed in an unsecured area of the network (e.g., the DMZ), it is exposed to higher levels of risk from less trusted networks.
What is a firewall?
Prevents specific types of information from moving between the outside world (untrusted network) and the inside world (trusted network). May be a separate computer, a software service running on an existing router or server, or a separate network containing supporting devices.
Virtual Private Networks (VPNs)
A private and secure network connection between systems; uses the data communication capability of an unsecured and public network. Securely extends an organization's internal network connections to remote locations beyond the trusted network.
Screened subnet architecture performs two functions:
Protects DMZ systems and information from outside threats. Protects the internal networks by limiting how external connections can gain access to internal systems.
Packet filtering router architecture
Routers can be configured to reject packets that the organization does not allow into the network. Drawbacks include a lack of auditing and strong authentication, complex ACLs, and degraded network performance.
What are the three subsets of packet filtering firewalls?
Static filtering, Dynamic filtering and stateful inspection.
What are authentication factors?
Something the supplicant knows: passwords and passphrases. Something the supplicant has: a smart card, synchronous tokens, or asynchronous tokens. Something the supplicant is: relies upon individual characteristics. Strong authentication combines more than one of these factors.
Authorization
The matching of an authenticated entity to a list of information assets and corresponding access levels.
Authentication
The process of validating a supplicant's purported identity.
Accountability (auditability)
This ensures that all actions on a system, authorized or unauthorized, can be attributed to an authenticated identity.
Transport mode VPN
Data within the IP packet is encrypted, but header information is not. Allows a user to establish a secure link directly with a remote host, encrypting only the data contents of the packet. Two popular uses: end-to-end transport of encrypted data; a remote-access worker connects to the office network over the Internet by connecting to a VPN server on the perimeter.
What are the two modes for VPN?
Transport mode and tunnel mode.
Three VPN technologies
Trusted VPN, secure VPN, and hybrid VPN (combines trusted and secure).
What are ways to keep accountability?
Usually accomplished by means of system logs and database journals, and the auditing of these records.
What are identifiers for a supplicant?
Composite identifiers, concatenating elements (department codes, random numbers, or special characters or numbers) to make them unique.
Screened subnet firewall architecture
The dominant architecture used today. Commonly consists of two or more internal bastion hosts behind a packet filtering router, with each host protecting the trusted network. Connections from outside (untrusted network) are routed through an external filtering router. Connections from outside (untrusted network) are routed into and out of the routing firewall to a separate network segment known as the DMZ. Connections into the trusted internal network are allowed only from the DMZ bastion host servers.