
SECURITY DEVICES AND TECHNOLOGIES
CHAPTER 3

OBJECTIVES:
Apply end protection and management
Plan network protection
Understand firewalls
Firewalls using Microsoft Windows Server and Open Source Software

OBJ #1
END PROTECTION AND MANAGEMENT
Host and server based security
PC management

HOST & SERVER BASED SECURITY: COMPONENTS & TECHNOLOGIES

Device Hardening
Personal Firewall
Antivirus Software
Operating System Patches
Intrusion Detection and Prevention

DEVICE HARDENING
Device hardening is the most basic control used to protect data
and systems.
The purpose of device hardening is to eliminate as many security
risks as possible.
It consists of:
timely application of patches
careful configuration of system components
removing the most fundamental security vulnerabilities.

Supported by a well-designed and actively managed patch
management process, proper device configuration is the most
effective method of repelling exploits.

PERSONAL FIREWALL
A personal firewall is an application which
controls network traffic to and from a computer,
permitting or denying communications based on
a security policy.
Examples of personal firewalls are ZoneAlarm,
Outpost and Comodo.

ANTIVIRUS SOFTWARE
Antivirus software is used to prevent, detect, and
remove malware, including computer viruses,
worms, and trojan horses.
Examples: Kaspersky, Norton, Panda.

OPERATING SYSTEM PATCHES
A patch is a piece of software designed to fix
problems with, or update, a computer program or
its supporting data.
This includes fixing security vulnerabilities and
other bugs, and improving usability or
performance.

INTRUSION DETECTION & PREVENTION
An intrusion detection system (IDS) is software
that automates the intrusion detection process.
An intrusion prevention system (IPS) is software
that has all the capabilities of an intrusion
detection system and can also attempt to stop
possible incidents.
IDPSs are primarily focused on identifying
possible incidents.

PC MANAGEMENT
Desktop Inventory and maintenance
Update Anti-virus definitions
Update HIDS and HIPS signatures

FIVE TIPS FOR DESKTOP INVENTORY MANAGEMENT
1. Know what you have
which PCs exist
where they are located
who their primary users are

2. Know when changes occur
software is installed or removed
hardware configurations are adjusted

3. Measure utilization
understand how the PCs are being used

4. Plan changes
plan in advance for disposals
acquisitions
network-wide upgrades

5. Financials
keep track of warranties
maintenance contracts
software licenses

OBJ #2
PLAN NETWORK PROTECTION
Network based security components and
technologies
Security architecture

NETWORK BASED SECURITY COMPONENTS AND TECHNOLOGIES

Appliance-based Firewalls
Server-based Firewalls
Network-based Intrusion Detection Systems
Virtual Private Network
Trust and Identity

SECURITY ARCHITECTURE
SAFE model
PDIOO

SAFE MODEL
SAFE has SIX security goals:
1. Security and attack mitigation based on policy
2. Security implementation throughout the
infrastructure
3. Secure management and reporting
4. Authentication and authorization of users and
administrators to critical network resources
5. Intrusion detection for critical resources and
subnets
6. Support for emerging networked applications

[Diagram: SAFE model]

PDIOO
PLAN
DESIGN
IMPLEMENT
OPERATE
OPTIMIZE

OBJ #3
UNDERSTAND FIREWALLS
Firewall Architecture
Types of Firewall
Technologies employed in building firewalls

INTRODUCTION OF FIREWALL

Program placed at the network gateway server
Device that provides secure connectivity between networks
(internal/external; varying levels of trust)
Used to implement and enforce a security policy for communication
between networks
Separates the local network from the Internet

[Diagram: trusted hosts and networks (intranet) sit behind the firewall and
router; the DMZ (demilitarized zone) holds the publicly accessible servers
and networks]

Firewall used to:
Protect private network applications and services on the internal
network from unauthorized traffic and from the public network.
Restrict the access of hosts on the private network to the services
of the public network.
Support network address translation (NAT), which allows the use of
private IP addresses and the sharing of a single Internet connection.

What a firewall cannot do:
Cannot defend against attacks that do not go through
the firewall.
Cannot tell a security administrator when the firewall
rules are inadequate.
Not a monitoring tool.

FIREWALL ARCHITECTURE

Screened Host
Two Routers with One Firewall
DMZ Screened Subnet
Multi-Firewall DMZ
Two Firewalls, One DMZ
Two Firewalls, Two DMZ
Screening Router
Dual-Homed Host

Screened Host
Functions similarly to the dual-homed gateway and
bastion host.
Requires two network connections using two
interfaces.
Router -> performs packet filtering.
Installing an application gateway or a proxy
server can increase security.

[Diagram: Screened Host]

Two Routers with One Firewall
Two routers are located on both sides of the
screened host, which acts as the firewall.
External router -> performs initial and static
filtering.
Internal router -> routes the traffic to its
destination computers in the secure LAN.

[Diagram: Two Routers with One Firewall]

DMZ Screened Subnet
The DMZ is a network residing external to the
internal network and is connected to a firewall.
The firewall within the DMZ screened subnet
setup is also known as a three-pronged or tri-homed firewall.

[Diagram: DMZ Screened Subnet]

DMZ Screened Subnet
Advantages
The firewall needs only one set of configuration rules.
Lower cost

Disadvantages
Controlling traffic in both directions requires the rules
to be complicated.
Performance: bottleneck.

Multi-Firewall DMZ
The use of firewalls between the LANs and the
Internet is mandatory.
Problem:
Increasing security -> decreases the speed of the
network.

Solution:
Multiple firewalls

Two Firewalls, One DMZ
One firewall controls the traffic flow between the
DMZ and the Internet, and the other regulates
traffic flow between the secured LAN and the
DMZ.
The second firewall also acts as a failover firewall: if
the first fails, the second provides backup
and uninterrupted service to the enterprise
network.

[Diagram: Two Firewalls, One DMZ]

Two Firewalls, One DMZ
Advantages:
Traffic in three networks can be regulated

Disadvantages:
Working with more than one firewall raises issues
such as support for NAT, Kerberos, IPsec, etc.

Two Firewalls, Two DMZ
An increase in the number of firewalls increases
the complexity but makes DMZ deployment
flexible.
Enables separate DMZs for different
parts of the network -> allows load balancing of
traffic.
The two firewalls are compatible models, to
enable backup.

[Diagram: Two Firewalls, Two DMZ]

Screening Router
Simplest way to provide security.
Installs a router that performs packet filtering
between the client systems and the Internet.
The router defines the path of the data flow
through its interfaces using ACLs.

[Diagram: Screening Router]

Dual-Homed Host
A dual-homed host is a personal computer that connects
to the network with security provided by a firewall.
The PC has additional security through the configuration
of firewalls between the operating system and the NIC.
Limitations:
Problems with the PC weaken the security provided by the
firewalls.
Cannot resist password-breaking attempts because
the PC has only a single layer of protection.

[Diagram: Dual-Homed Host]

TYPES OF FIREWALL

IP Packet Filter Firewall
Circuit-Level Gateways
Network level Firewall
Application level Firewall

IP PACKET FILTER FIREWALL
Allows a custom set of rules to be created to either
discard or accept traffic over a network connection.
Packet filters usually permit or deny network
traffic based on:
the source and destination addresses
protocol: TCP, UDP or ICMP
source and destination ports
TCP header flags, e.g. whether the packet is a connection request
direction of the packet: inbound / outbound
which physical interface the packet is traversing

IP PACKET FILTER FIREWALL
IP packet filters are stateless - they do not
remember the packets that were previously
processed.
More vulnerable to spoofing of source IP
addresses, and the acknowledgement bit in the
packet header can be easily forged by intruders.

NETWORK LEVEL FIREWALL
Operates at the network level.
Inspects the packet header and filters traffic
based on:
IP address (source / destination) / port /
services
protocols
domain name sources

By default built into many network devices such as
routers.

[Diagram: Network Level Firewall]

CIRCUIT-LEVEL GATEWAYS
Works at the session layer in the OSI model, which means that
more information is required before packets are allowed or denied.
It monitors TCP handshaking between packets to determine
whether a requested session is legitimate (genuine/legal).
Access is determined based on: address, DNS domain name, or
DNS username.
Special client software must be installed on the workstation.
Circuit-level gateways can bridge different network
protocols, for example, IPX to IP.
The username is checked and granted (decided/approved) access
before the connection to the router is established.
Disadvantage: does not filter the individual packets.

[Diagram: Circuit-Level Gateways]

APPLICATION LEVEL FIREWALL
Also known as proxies
Application specific
Able to filter at the application layer.

[Diagram: Application Level Firewall]

TECHNOLOGIES EMPLOYED IN BUILDING FIREWALLS
Static packet filtering
Dynamic packet filtering
Proxy

STATIC PACKET FILTERING
Also known as Stateless Packet Filtering
It can totally block the transfer of data packets
from a subnet to other networks.
Filters based on:
IP header information.
TCP/UDP port number in use.
Fragmentation flags like ACK and SYN
Filtering suspicious inbound packets.

Difficult to configure but easy to execute

DYNAMIC PACKET FILTERING
Also known as Stateful Packet Filtering.
Maintains a record defining the status of each
connection.
Tracking of a TCP connection begins with the
three-way handshake (SYN, SYN/ACK and ACK),
continues at each TCP transmission, and ends
with the last packet being transmitted.
Along with the rule base, it keeps a state
table that records all active connections.
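The two filtering technologies described on these slides (the stateless IP packet filter, with its forged-ACK weakness, and the stateful filter with its state table), as an added example that is not part of the original deck: a toy stateless filter beside a toy stateful one, run over a constructed TCP exchange. The packet layout, the 10.0.0.0/8 internal prefix and all addresses are constructed for the demonstration.

```python
# Added example, not from the original slides: a toy stateless filter beside a
# toy stateful one, run over a constructed TCP exchange. The stateless rule that
# trusts the ACK bit ("established traffic") passes a forged inbound packet;
# the state table built from the three-way handshake rejects it.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport flags direction")  # direction: "in"/"out"

def is_inside(ip):
    return ip.startswith("10.")  # constructed internal prefix 10.0.0.0/8

def stateless_filter(pkt):
    # Static rules, no memory: allow anything outbound from the LAN and any
    # inbound packet carrying ACK, the classic 'established' heuristic.
    if pkt.direction == "out" and is_inside(pkt.src):
        return "ACCEPT"
    if pkt.direction == "in" and "ACK" in pkt.flags:
        return "ACCEPT"
    return "DROP"

class StatefulFilter:
    # Rule base plus a state table keyed by the connection's two endpoints.
    def __init__(self):
        self.state = {}
    def check(self, pkt):
        key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
        st = self.state.get(key)
        if st is None:  # no entry: only a new outbound SYN from the LAN may create one
            if pkt.direction == "out" and is_inside(pkt.src) and pkt.flags == {"SYN"}:
                self.state[key] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"  # unsolicited packet, e.g. a forged ACK
        if st == "SYN_SENT" and pkt.direction == "in" and pkt.flags == {"SYN", "ACK"}:
            self.state[key] = "SYN_RECEIVED"
        elif st == "SYN_RECEIVED" and pkt.direction == "out" and pkt.flags == {"ACK"}:
            self.state[key] = "ESTABLISHED"
        elif st != "ESTABLISHED":
            return "DROP"  # handshake step out of order
        return "ACCEPT"

def run_exchange():
    # Constructed traffic: a legitimate handshake, then a forged inbound ACK.
    web, client, bogus = "203.0.113.10", "10.0.0.5", "198.51.100.7"
    pkts = [
        Packet(client, web, 40000, 80, frozenset({"SYN"}), "out"),
        Packet(web, client, 80, 40000, frozenset({"SYN", "ACK"}), "in"),
        Packet(client, web, 40000, 80, frozenset({"ACK"}), "out"),
        Packet(bogus, client, 443, 40000, frozenset({"ACK"}), "in"),  # forged
    ]
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.check(p)) for p in pkts]
```

Only the last packet separates the two: the stateless filter returns ACCEPT for it because the ACK bit is set, while the stateful filter returns DROP because no state entry was ever created by an outbound SYN.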

PROXY SERVER
Works as a shield, protecting and hiding the
computer from the outside network.
Increases the performance of the network.

[Diagram: Proxy Server]

PROXY SERVER
An internal host requests a website.
The request enters the proxy server, which examines the header
and packet content against the rule base.
The server reconstructs the data packet with a different source
IP address.
The proxy server transmits the packet to the target address,
which conceals the actual end user who made the request.
When a data packet is returned, it is again sent to the proxy
server to be checked against the rule base.
The returned packet is reconstructed by the proxy server
and is sent to the source computer.
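The six proxy steps above, as an added example that is not the deck's own code: a toy forward proxy in Python. The rule base, the proxy's public address 203.0.113.1 and the host names are constructed; dropping a reply that matches no pending request is an assumption for the demonstration, not something the slides state.

```python
# Added example, not from the original slides: a toy forward proxy that walks the
# six steps above. Rule base, addresses and the blocked-word check are constructed
# for the demonstration; PROXY_IP is an assumed public address for the proxy.
from collections import namedtuple
Packet = namedtuple("Packet", "src dst payload")
PROXY_IP = "203.0.113.1"            # constructed public address of the proxy
BLOCKED_HOSTS = {"bad.example"}     # constructed rule base: destination hosts
BLOCKED_WORDS = {"passwd"}          # constructed rule base: payload content

class ProxyServer:
    def __init__(self):
        self.pending = {}    # proxy-side port -> (internal host, original destination)
        self.next_port = 50000

    def rule_base_allows(self, pkt):
        # Steps 2 and 5: header (hosts) and content are checked on both the
        # outbound request and the returned reply.
        if pkt.dst in BLOCKED_HOSTS or pkt.src in BLOCKED_HOSTS:
            return False
        return not any(word in pkt.payload for word in BLOCKED_WORDS)

    def handle_request(self, pkt):
        # Steps 1-4: the internal host's request is inspected, then rebuilt with
        # the proxy's own address so the real requester is hidden from the target.
        if not self.rule_base_allows(pkt):
            return None
        port = self.next_port
        self.next_port += 1
        self.pending[port] = (pkt.src, pkt.dst)
        return Packet(f"{PROXY_IP}:{port}", pkt.dst, pkt.payload)

    def handle_response(self, pkt):
        # Steps 5-6: a reply addressed to the proxy is re-checked and rebuilt
        # for the internal host that originally asked for it.
        try:
            port = int(pkt.dst.split(":")[1])
        except (IndexError, ValueError):
            return None
        entry = self.pending.pop(port, None)
        if entry is None or entry[1] != pkt.src or not self.rule_base_allows(pkt):
            return None      # nobody asked for this, or the rule base rejects it
        return Packet(pkt.src, entry[0], pkt.payload)

def demo():
    # Constructed traffic: an allowed request and its reply, a blocked request,
    # and a reply that matches no pending request.
    proxy = ProxyServer()
    out = proxy.handle_request(Packet("10.0.0.5", "www.example", "GET /index.html"))
    back = proxy.handle_response(Packet("www.example", out.src, "200 OK <html>"))
    denied = proxy.handle_request(Packet("10.0.0.5", "bad.example", "GET /"))
    stray = proxy.handle_response(Packet("198.51.100.7", f"{PROXY_IP}:50000", "hi"))
    return out, back, denied, stray
```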

Proxy Server vs Packet Filtering

Proxy Server                                      | Packet Filtering
--------------------------------------------------|--------------------------------------------------
Also known as application proxies                 | Also known as screening
Scans entire data packets                         | Scans only packet headers
Unsolicited data packets are reconstructed        | Unsolicited data packets are discarded
by the server                                     |
Proxy server acts as a mediator between the       | Packet filter resides in the kernel and examines
Internet and internal hosts                       | every packet traversing to and from the Internet
Server failure ceases all network                 | If a packet filter fails, all packets are
communication                                     | redirected to the internal host
