Access Controls, Firewalls, and VPNs

SECURITY TECHNOLOGY: MODULE 8
Learning Objectives

• Upon completion of this material, you should be able to:

• Discuss the role of access control in information systems, and identify and discuss the four fundamental functions of access control systems

• Define authentication and explain the three commonly used authentication factors

• Describe firewall technologies and the various categories of firewalls

• Define virtual private networks (VPNs) and discuss the technology that enables them

• Identify and describe the categories and models of intrusion detection and prevention systems
Access Control

• Access control: A selective method by which systems specify who may use a particular resource and how they may use it.

• Mandatory access controls (MACs): A required, structured data classification scheme that rates each collection of information as well as each user.

• Discretionary access controls (DACs): Access controls that are implemented at the discretion or option of the data user.

• Nondiscretionary controls: Access controls that are implemented by a central authority.
Access Controls cont.

• In general, all access control approaches rely on the following four mechanisms, which represent the four fundamental functions of access control systems:

• Identification: I am a user of the system.

• Authentication: I can prove I’m a user of the system.

• Authorization: Here’s what I can do with the system.

• Accountability: You can track and monitor my use of the system.
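A small model of the four functions and of the MAC/DAC distinction, added here as an illustration and not taken from the slides. The user names, the 0..3 rating scale, the "clearance must be at least the classification" MAC rule and the ACL layout are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class User:
    name: str        # identification: the identity the subject claims
    clearance: int   # MAC: rating assigned to the user (constructed 0..3 scale)
    salt: bytes
    pw_hash: bytes

def make_user(name: str, clearance: int, password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(name, clearance, salt, _hash_pw(password, salt))

def authenticate(user: User, password: str) -> bool:
    # "Something you know": constant-time comparison against the stored hash
    return hmac.compare_digest(user.pw_hash, _hash_pw(password, user.salt))

@dataclass
class Resource:
    name: str
    classification: int                      # MAC: rating of the information
    acl: dict = field(default_factory=dict)  # DAC: owner-granted {user: {ops}}

AUDIT: list = []  # accountability: every authorization decision is recorded

def authorize(user: User, res: Resource, op: str) -> bool:
    # MAC rule assumed here: the user's clearance must be at least the
    # resource's classification; the owner's ACL alone can never override it.
    mac_ok = user.clearance >= res.classification
    # DAC rule: the owner's ACL must grant this operation to this user.
    dac_ok = op in res.acl.get(user.name, set())
    decision = mac_ok and dac_ok
    AUDIT.append((user.name, res.name, op, decision))
    return decision

def demo() -> tuple:
    alice = make_user("alice", 2, "correct horse")
    payroll = Resource("payroll.xlsx", 3, {"alice": {"read"}})
    memo = Resource("memo.txt", 1, {"alice": {"read", "write"}})
    assert authenticate(alice, "correct horse")
    assert not authenticate(alice, "wrong password")
    return (authorize(alice, payroll, "read"),   # False: MAC denies (2 < 3)
            authorize(alice, memo, "write"),     # True: both checks pass
            authorize(alice, memo, "delete"))    # False: DAC never granted it
```

Note that the ACL entry for payroll.xlsx is not enough on its own: the mandatory check runs first and the decision is logged either way.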


Authentication

• Authentication: The access control mechanism that requires the validation and verification of an unauthenticated entity’s purported identity.

• Authentication factors:

• Something you know

• Password: a private word or a combination of characters that only the user should know.

• Passphrase: a series of characters, typically longer than a password, from which a virtual password is derived.

Authentication cont.

• Something you have

• Dumb card: ID or ATM card with magnetic stripe

• Smart card: contains a computer chip that can verify and validate information

• Synchronous tokens

• Asynchronous tokens

• Something you are

• Relies upon individual characteristics

• Strong authentication
Firewalls

• In information security, a combination of hardware and software that filters or prevents specific information from moving between the outside (untrusted) network and the inside (trusted) network.

• May be:

• Separate computer system.

• Software service running on existing router or server.

• Separate network containing supporting devices.

Packet-Filtering Firewalls

• Packet-filtering firewalls examine the header information of data packets.

• Most often based on the combination of:

• IP source and destination address.

• Direction (inbound or outbound).

• Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests.

• Simple firewall models enforce rules designed to prohibit packets with certain addresses or partial addresses from passing through the device.
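A packet filter that decides on exactly the header fields listed above (addresses, direction, protocol and port), written as an added example and not taken from the slides. The rule set, the assumption that 10.0.0.0/8 is the trusted inside network and 203.0.113.10 a public web server, and the first-match/default-deny semantics are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str        # IP source address
    dst: str        # IP destination address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port requested
    direction: str  # "in" (from the untrusted side) or "out" (from the trusted side)

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str        # "in", "out" or "any"
    src: str              # CIDR; a prefix such as 10.0.0.0/8 is a "partial address"
    dst: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))

# Constructed rule set. First match wins; anything unmatched is denied.
RULES = [
    Rule("deny",  "in",  "10.0.0.0/8", "0.0.0.0/0",       "any", None),  # inside addresses never arrive from outside
    Rule("allow", "in",  "0.0.0.0/0",  "203.0.113.10/32", "tcp", 443),   # HTTPS to the public web server
    Rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0",       "udp", 53),    # outbound DNS
    Rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0",       "tcp", 443),   # outbound HTTPS
]

def filter_packet(p: Packet, rules=RULES) -> str:
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"  # default deny: no rule matched

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "203.0.113.10", "tcp", 443, "in"),
                Packet("10.1.2.3", "203.0.113.10", "tcp", 443, "in"),
                Packet("198.51.100.7", "203.0.113.10", "tcp", 22, "in")):
        print(pkt, "->", filter_packet(pkt))
```

The first rule shows the "partial address" idea from the slide: a packet claiming an inside source address but arriving inbound is dropped before any allow rule is considered.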
Application Layer Proxy Firewall

• A device capable of functioning both as a firewall and an application layer proxy server.

• Since proxy servers are often placed in an unsecured area of the network (e.g., DMZ), they are exposed to higher levels of risk from less trusted networks.

• Additional filtering routers can be implemented behind the proxy firewall, further protecting internal systems.
MAC Layer Firewalls

• MAC layer firewalls

• Designed to operate at the media access control sublayer of the network’s data link layer.

• Make filtering decisions based on a specific host computer’s identity.

• MAC addresses of specific host computers are linked to access control list (ACL) entries that identify specific types of packets that can be sent to each host; all other traffic is blocked.
Hybrid Firewalls

• Hybrid firewalls

• Combine elements of other types of firewalls, that is, elements of packet filtering and proxy services, or of packet filtering and circuit gateways.

• Alternately, may consist of two separate firewall devices; each a separate firewall system, but connected to work in tandem.

• Enables an organization to make security improvements without completely replacing existing firewalls.

• Include the Next Generation Firewall (NGFW) and Unified Threat Management (UTM) devices.
Selecting the Right Firewall

• When selecting the firewall, consider the following factors:

• Which type of firewall technology offers the right balance between protection and cost for the needs of the organization?

• What features are included in the base price? What features are available at extra cost? Are all cost factors known?

• How easy is it to set up and configure the firewall? Does the organization have staff on hand that are trained to configure the firewall, or would the hiring of additional employees be required?

• Can the firewall adapt to the growing network in the target organization?

• The most important factor is provision of the required protection.

• The second most important issue is cost.


Virtual Private Networks (VPNs)

• Private and secure network connection between systems; uses the data communication capability of an unsecured and public network.

• Securely extends an organization’s internal network connections to remote locations.

• Three VPN technologies defined:

• Trusted VPN

• Secure VPN

• Hybrid VPN (combines trusted and secure)

Virtual Private Networks (VPNs) cont.

• VPN must accomplish:

• Encapsulation of incoming and outgoing data

• Encryption of incoming and outgoing data

• Authentication of the remote computer and perhaps the remote user as well

• In the most common implementation, it allows the user to turn the Internet into a private network.
Intrusion Detection and Prevention Systems

• An intrusion occurs when an attacker attempts to gain entry into or disrupt the normal operations of an organization’s information systems.

• Intrusion prevention consists of activities that deter an intrusion.

• Intrusion detection consists of procedures and systems that identify system intrusions.

• Intrusion reaction encompasses actions an organization undertakes when an intrusion event is detected.

Intrusion Detection and Prevention Systems cont.

• Intrusion correction activities complete the restoration of operations to a normal state and seek to identify the source and method of the intrusion.

• Intrusion detection systems detect a violation of their configuration and activate an alarm.

• Many IDPSs enable administrators to configure systems to notify them directly of trouble via e-mail or pagers.

• Systems can also be configured to notify an external security service organization of a “break-in.”
Types of IDPSs

• Network-based IDPS (NIDPS)

• Resides on a computer or an appliance connected to a segment of an organization’s network; looks for indications of attacks

• When examining packets, an NIDPS looks for attack patterns within network traffic

• Installed at a specific place in the network where it can monitor traffic going into and out of a particular network segment

• To determine whether an attack has occurred/is under way, compares measured activity to known signatures in its knowledge base
Types of IDPSs cont.

• Wireless NIDPS

• Monitors and analyses wireless network traffic

• Issues associated with it include physical security, sensor range, access point (AP) and wireless switch locations, wired network connections, and cost

• Network behaviour analysis systems

• Identify problems related to the flow of traffic

• Types of events commonly detected include denial-of-service (DoS) attacks, scanning, worms, unexpected application services, and policy violations

• Offer intrusion prevention capabilities that are passive, inline, or both passive and inline
Types of IDPSs cont.

• Host-based IDPS (HIDPS)

• Resides on a particular computer or server (host) and monitors activity only on that system

• Benchmarks and monitors the status of key system files and detects when an intruder creates, modifies, or deletes files

• Advantage over NIDPS: can access encrypted information traveling over the network and make decisions about potential/actual attacks

• Most HIDPSs work on the principle of configuration or change management
IDPS Detection Methods

• Signature-based detection (or knowledge-based detection or misuse detection)

• Examines network traffic in search of patterns that match known signatures

• Widely used because many attacks have clear and distinct signatures

• Problem with this approach is that new attack patterns must continually be added to the IDPS’s database of signatures.
IDPS Detection Methods cont.

• Anomaly-based detection (or behaviour-based detection)

• Anomaly-based detection collects statistical summaries by observing traffic known to be normal

• When measured activity is outside the baseline parameters or clipping level, the IDPS sends an alert to the administrator

• IDPS can detect new types of attacks

• Requires much more overhead and processing capacity than signature-based detection

• May generate many false positives
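The two detection methods just described (signature-based on the previous slide, anomaly-based with a baseline and clipping level on this one) run over constructed access-log lines, as an added example that is not part of the slides. The log format, the two signatures and the "mean plus three standard deviations" clipping level are assumptions made for the illustration.

```python
import re
import statistics
from collections import Counter

# Constructed access-log lines ("<source> <method> <path> <status>"), not from
# the slides. NORMAL is traffic known to be benign; OBSERVED is the same
# traffic plus one noisy scanner and two single malicious requests.
NORMAL = [f"10.0.0.{h} GET /page{i}.html 200"
          for h, n in enumerate((2, 3, 3, 4, 3), start=1) for i in range(n)]
OBSERVED = NORMAL + [f"198.51.100.9 GET /admin{i}.php 404" for i in range(25)] + [
    "198.51.100.9 GET /login.php?user=admin'%20OR%20'1'='1 200",
    "203.0.113.4 GET /../../etc/passwd 404",
]

# Signature-based: patterns of known attacks (constructed, deliberately simple).
SIGNATURES = {
    "sql_tautology": re.compile(r"'(?:\s|%20)*OR(?:\s|%20)*'", re.I),
    "path_traversal": re.compile(r"\.\./"),
}

def signature_alerts(lines):
    # Each line is compared against every known signature; an attack with no
    # signature in the table is simply not seen by this method.
    alerts = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append((name, line.split()[0]))
    return alerts

def baseline(normal_lines):
    # Statistical summary of traffic known to be normal: requests per source.
    values = list(Counter(line.split()[0] for line in normal_lines).values())
    return statistics.mean(values), statistics.pstdev(values)

def anomaly_alerts(lines, mean, stdev, k=3.0):
    # Clipping level: any source more than k standard deviations above the
    # baseline is reported, whether or not a signature exists for what it did.
    clip = mean + k * stdev
    counts = Counter(line.split()[0] for line in lines)
    return [(src, n) for src, n in counts.items() if n > clip]

if __name__ == "__main__":
    print(signature_alerts(OBSERVED))
    print(anomaly_alerts(OBSERVED, *baseline(NORMAL)))
```

The scanner is caught only by the anomaly method (no signature matches its requests), while the single traversal request is caught only by a signature, which is the trade-off the two slides describe.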


IDPS Detection Methods cont.

• Stateful protocol analysis

• SPA: process of comparing known normal/benign protocol profiles against observed traffic

• Stores and uses relevant data detected in a session to identify intrusions involving multiple requests/responses; allows the IDPS to better detect specialized, multisession attacks (also called deep packet inspection)

• Drawbacks: analytical complexity, heavy processing overhead, may fail to detect an intrusion unless the protocol violates fundamental behaviour, may interfere with normal operations of the protocol
IDPS Detection Methods cont.

• Log file monitors

• Log file monitor (LFM) is similar to NIDPS

• Reviews log files generated by servers, network devices, and even other IDPSs for patterns and signatures

• Patterns that signify an attack may be much easier to identify when the entire network and its systems are viewed as a whole

• Requires considerable resources since it involves the collection, movement, storage, and analysis of large quantities of log data
Summary

• Access control is a process by which systems determine if and how to admit a user into a trusted area of the organization.

• All access control approaches rely on identification, authentication, authorization, and accountability.

• A firewall is any device that prevents a specific type of information from moving between the outside network, known as the untrusted network, and the inside network, known as the trusted network.

• Firewalls can be categorized into four groups: packet filtering, MAC layer, application gateways, and hybrid firewalls.
Summary cont.

• VPNs enable remote offices and users to connect to private networks securely over public networks.

• An intrusion detection and prevention system (IDPS) detects a violation of its configuration and activates an alarm.

• Selecting IDPS products that best fit an organization’s needs is challenging and complex.
CREATED BY

KRISTEN HOFF
