Firewalls and Security

Ngoc Nguyen

Facts of Internet Systems

vulnerability
Recent denial-of-service attacks on
Amazon, eBay, Yahoo, etc.
31% of key Internet hosts were wide open
to potential attackers.
65% of companies reported security
breaches in three year from 1997 to 1999.

Typical security approaches

Access Control
Cryptography
Intrusion detection systems
Firewalls

Traditional firewalls consist of 3

main architectures
Screening routers.
Proxy servers.
Stateful inspectors.

Screening Routers
Router screens the information, allowing only
approved information to pass through.
Requirements of continually change with more
addresses required to be added to the allowable
address lists.
Dont have user-level authentication protection.
As a result, spoofing which means a packet looks
like an authorized and legal one breaches the
firewall.

Proxy Servers
Employ user-level authentication.
Provide logging and accounting information
( good for detecting intrusions and intrusion
attempts).

Stateful Inspectors
Inspect packets to verify application, user,
and transportation method to investigate the
possibility of harmful viruses hiding in
audio or video packets.
Application must be continually updated to
recognize new viruses or intrusive applets.

Two approaches to enhance

Internet security
Encryption and Firewalls.
Proactive Identification Model (PAIM).

Encryption can provide firewall

protection in several ways:
By encrypting passwords and authentication
procedures, eavesdroppers are not able to copy
passwords for later use in spoofing the system.
Without the correct key, any encrypted data sent
by an intruder would translate into unintelligible
random characters and therefore have no meaning
to the receiving system, i.e., no harmful viruses or
programs can be inserted into the host system.
Any intruder reading corporate data being on an
open network would not be able to gather any
intelligence.

Proactive Identification Model

(PAIM)
As long as the hacker is not creating any
hazardous situation or destroying anything,
seasoned investigators will tell you that it is
much more beneficial to watch the hacker
over time and collect as much data as
possible to develop a good case for the
arrest and prosecution of the hacker in the
courts. (Hancock 2002)

PAIM consists of 3 components

Firewall: has an audit log used to log both
authorized and unauthorized accessing of the
network.
Operating system: has user profiles and audit logs.
User profiles and audit logs are controls which
will provide information on the users or hackers
action. These controls will be used to construct
two graphs.
Fuzzy engine: process information obtained from
the firewall and the operating system in real-time.

PAIM (cont.)
The fuzzy engine will compute two graphs,
template and user action. Then template
graph represents typical actions of a user
(hacker) when carrying out eight steps of
generic hacking methodology. User action
graph represents actual actions of the user
(hacker) on the system.

PAIMs operations
Maps two template and user action graphs to
determine whether a user (hacker) is performing a
hacking attempt if there is a match between two
graphs.
Sends alert message on hacking attempt to the
information security officer at the security
working station.
Collects data from the hackers action for later use
in court prosecution.