AS V
see attached.
AS5.docx
Your organization has had a firewall in place for the past 4 years. The organization has not experienced any substantial attacks, but the chief information officer (CIO) wants you to investigate at least three viable firewall options for future consideration. Please explain your thoughts and approach for this activity. You will want to identify things organizations deem important when selecting a new firewall vendor, if necessary.
Textbook
Boyle, R. J., & Panko, R. R. (2020). Corporate Computer Security (5th ed.). Pearson Education (US). https://online.vitalsource.com/books/9780135823354
UnitV1.pdf
SEC 3302, Advanced IS Security 1
Course Learning Outcomes for Unit V

Upon completion of this unit, students should be able to:

1. Analyze access controls used to secure information systems (IS).
   1.1 Assess the effectiveness of an intrusion detection system (IDS).
   1.2 Explain the use of a firewall.
4. Evaluate the use of auditing tools.
   4.1 Identify information that can be discovered during an IS audit.
   4.2 Discuss common types and uses of auditing tools.
Required Unit Resources

Chapter 6: Firewalls

In order to access the following resource, click the link below. You can access the transcript for the video by clicking on the three dots below the video on the right, then clicking “Open transcript.”

Professor Messer. (2021). Firewalls - SY0-601 CompTIA Security+ : 3.3 [Video]. YouTube. https://www.youtube.com/watch?v=qLb2ioDBofg

Unit Lesson
Firewall Security

In our last lesson, we covered the transmission of data across the organization. As we found, data transmission consists of constant transactions associated with each functional area of an organization. Firewalls apply a test to each incoming packet known as the pass/deny decision: if the packet is a provable attack packet, the firewall drops it, but if it is a good packet, it is allowed to pass. This summary is, of course, a very simplified rendition of a very nuanced process with many moving parts. For security, it is important that outgoing as well as incoming packets be filtered. Why? Consider the possibility that something malicious has infiltrated the packets. We would not want that malicious code to be passed along to its intended destination. Filtering incoming and outgoing packets is known as ingress and egress filtering, respectively. Because a firewall allows any packet to pass that is not a provable attack packet, some malicious code will occasionally get through. Therefore, we need to harden the targets, or make them less attractive by making them more difficult to access. Essentially, hardening refers to layered measures that tighten security. Networks, systems, firewalls, and hardware can all be hardened in various ways.
UNIT V STUDY GUIDE Firewalls
Firewalls provide protection for data on systems and computers, and they make it more difficult for hackers to access the data or insert malware into computers. Scanning, such as is being done by the man in the photo above, is one way of ensuring that malware does not make it into your computer and cause issues with your data. (Rawpixelimages, n.d.)

Firewall Overload

Earlier in the course, we reviewed denial-of-service (DoS) attacks. As we found, a DoS attack overloads the network from outside, which can halt operations. You can imagine that the system and network are in good shape on Sunday; then employees start complaining on Monday that database errors are displayed when they try to open a form. It then gets worse, to the point that users can no longer log in to the system. At this time, the network and database have reached capacity and are overloaded. This raises an interesting problem related to the concept of firewall capacity. A company must carefully consider how much firewall capacity it will require, with an eye toward the inevitable increase in traffic as the firm grows. In addition to normal traffic, firewall administrators will discover new threats and develop new filtering rules as time passes, and these additional rules increase the processing work per packet. Further, attacks will increase traffic, and the firewall must be able to accommodate the surge without becoming overwhelmed. It should be clear already that firewall issues must be carefully managed. It is a mistake to focus solely on any one area at the expense of the others, because that can lead to weaknesses in the areas that have been neglected.

Firewall Filtering Methods

Filtering is a blanket term for a variety of different methods of examining packets. The textbook discusses the most common filtering methods:
• stateful packet inspection filtering,
• static packet filtering,
• network address translation,
• application proxy filtering,
• intrusion prevention system filtering, and
• antivirus filtering.
While we will discuss some of these methods in the remainder of this lesson, it is important to read Chapter 6 in your textbook to understand all of these filtering methods in detail.
Also keep in mind that, while almost all main border firewalls use stateful packet inspection (SPI) as their primary inspection mechanism, some of the other filtering mechanisms featured in the chapter reading are used as supplements (Boyle & Panko, 2021).

The most common filtering mechanism used by main border firewalls in modern corporations is stateful packet inspection (SPI). Whereas other filtering mechanisms may look at a single packet and try to diagnose whether it is a bad packet, SPI looks at the state of the connection as a whole. Think of it as an ongoing conversation between two computers using a program. At any given time, a connection is in one of several states, such as the connection-opening state or the ongoing-communication state. The firewall examines the connection and its current state to determine which application is sending the packet, what the packet is attempting to accomplish, and which rules apply to the interaction. Some packets try to open a connection, while others attempt to use an already approved connection. Many different conditions and firewall rules determine whether a packet is allowed to be transmitted. Many of these conditions are covered in Chapter 6 of your textbook, which is this unit’s required reading.

Access Control List (ACL)

Another important concept in firewall security is the ACL. The default behavior of SPI firewalls protects the system during connection-opening attempts, yet there will always be exceptions where the default behavior must be superseded. This is where the ACL comes into play. For example, some website monitoring software has blacklists and whitelists. A blacklist automatically blocks a website, while a whitelist automatically allows a website through. For instance, your company may block (blacklist) all Internet Protocol (IP) addresses that are based in China. However, you may want to evaluate the software of a company based in China. If so, the software company gives you an IP address that you need to connect to in order to download their software. The network administrator can add that specific IP address to the whitelist. Most organizations have an approval process for adding an IP address to the whitelist, and often the approval is only temporary. Along the same lines, ACLs contain rules that are exceptions to the normal firewall rules. For example, your general rule may be to deny external connection-opening requests, while the ACL provides a rule that such a connection is allowed if a specific port is involved.

Network Address Translation (NAT)

The filtering methods we are looking at in this unit each have a different way of making the pass/deny decision for the packets they encounter. In contrast, NAT does not actually filter packets, yet it still provides good protection, usually as a secondary measure. NAT adds another layer of protection when attackers attempt to gather information about a corporate network. Often this gathering expedition uses a tool known as a sniffer. The sniffer is placed outside the corporate network and attempts to gather IP addresses and port information. After gaining this information, the attacker can send attack packets to those addresses and port numbers. One benefit of using NAT is its ability to hide an internal network’s IP addresses and network design, which reduces the risk of outsiders gaining that information and using it to access the network (Dubrawsky, 2010). The graphic below shows a systematic approach to gathering the IP address, mapping the IP address, and then translating the group of devices.
(Yangliy, 2009)
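The connection-state and ACL behavior described in the SPI and ACL sections above, as an added example that is not from the textbook or this study guide: a small simulation of an SPI border firewall whose default is to let internal hosts open connections and to deny external connection-opening requests, with an ACL that allows one inbound port and a whitelisted exception to a blacklisted address range. All addresses, ports and prefixes are constructed.

```python
from collections import namedtuple

# Constructed: the corporate internal network prefix and a minimal packet header.
INTERNAL_PREFIX = "10.0.0."
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port syn ack", defaults=(False,))


class SpiFirewall:
    """Main border firewall: SPI for ongoing traffic, ACL exceptions for connection opening."""

    def __init__(self, allowed_inbound_ports, blacklist_prefixes, whitelist_ips):
        self.allowed_inbound_ports = set(allowed_inbound_ports)  # ACL: external opens to these ports pass
        self.blacklist_prefixes = set(blacklist_prefixes)        # ACL: outbound destinations to deny
        self.whitelist_ips = set(whitelist_ips)                  # ACL: exceptions to the blacklist
        self.connections = set()                                 # state table of approved connections

    @staticmethod
    def _key(pkt):
        # Both directions of one conversation map to the same state-table entry.
        return tuple(sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)]))

    def decide(self, pkt):
        """The pass/deny decision for one packet."""
        key = self._key(pkt)
        if not (pkt.syn and not pkt.ack):
            # Ongoing traffic (data, SYN/ACK replies) passes only on an approved connection.
            return "pass" if key in self.connections else "deny"
        if pkt.src_ip.startswith(INTERNAL_PREFIX):
            # Outbound open: allowed by default unless blacklisted and not whitelisted.
            blacklisted = any(pkt.dst_ip.startswith(p) for p in self.blacklist_prefixes)
            if blacklisted and pkt.dst_ip not in self.whitelist_ips:
                return "deny"
        elif pkt.dst_port not in self.allowed_inbound_ports:
            # External open: denied by default; the ACL allows specific ports only.
            return "deny"
        self.connections.add(key)  # remember the approved connection for later packets
        return "pass"


def demo_spi():
    """Runs constructed traffic through the firewall and returns the decisions in order."""
    fw = SpiFirewall({443}, {"203.0.113."}, {"203.0.113.7"})
    packets = [
        Packet("198.51.100.5", 40000, "10.0.0.20", 22, syn=True),             # external open to SSH
        Packet("198.51.100.5", 40001, "10.0.0.20", 443, syn=True),            # external open to HTTPS
        Packet("10.0.0.20", 443, "198.51.100.5", 40001, syn=True, ack=True),  # handshake reply
        Packet("198.51.100.9", 5555, "10.0.0.20", 443, syn=False),            # data with no state
        Packet("10.0.0.15", 50000, "203.0.113.10", 443, syn=True),            # outbound to blacklist
        Packet("10.0.0.15", 50001, "203.0.113.7", 443, syn=True),             # whitelisted exception
    ]
    return [fw.decide(p) for p in packets]
```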
NAT works by replacing the port information and IP addresses with bogus information. While that may sound satisfying enough, it brings up a question: how will a returning response packet know where to go? The answer is that NAT keeps a translation table in which the original information and the bogus information are stored together.

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)

Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are very important tools for the information technology (IT) network security administrator. An IDS monitors network traffic, or packets, looking for anything suspicious. This is important because, as we discussed, firewalls only stop provable attack packets. Logging suspicious activities that get past the firewall is a good way to provide some additional security. Security professionals can configure which activity is serious enough to prompt an alert to someone, and these rules can be adjusted as needed.
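The translation table described in the NAT section above, as an added example that is not from the textbook or this study guide: a source-NAT simulation that rewrites outbound headers to a public address and a port chosen by the NAT box, stores the mapping, and reverses it for the reply. Unsolicited packets that match no entry are dropped. The public address, internal addresses and ports are constructed.

```python
import itertools


class Nat:
    """Source NAT for a border device: outbound packets leave with the public address and a
    port chosen by the NAT box; the translation table reverses the mapping for replies."""

    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.table = {}     # public port -> (internal ip, internal port, remote ip, remote port)
        self._reverse = {}  # the same mapping keyed the other way round

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outbound header; returns (src_ip, src_port, dst_ip, dst_port) as sent out."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        public_port = self._reverse.get(flow)
        if public_port is None:              # first packet of this flow: allocate a table entry
            public_port = next(self._ports)
            self.table[public_port] = flow
            self._reverse[flow] = public_port
        return (self.public_ip, public_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Undo the rewrite for a reply; returns the internal header, or None to drop the
        packet when no entry matches (unsolicited packets from outside go nowhere)."""
        entry = self.table.get(dst_port)
        if dst_ip != self.public_ip or entry is None:
            return None
        int_ip, int_port, remote_ip, remote_port = entry
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None                      # reply did not come from the host that was contacted
        return (src_ip, src_port, int_ip, int_port)


def demo_nat():
    """Two internal hosts using the same source port, plus an unsolicited packet. Constructed."""
    nat = Nat("198.51.100.1")
    a = nat.outbound("10.0.0.5", 51000, "93.184.216.34", 80)
    b = nat.outbound("10.0.0.6", 51000, "93.184.216.34", 80)
    reply_a = nat.inbound("93.184.216.34", 80, "198.51.100.1", a[1])
    reply_b = nat.inbound("93.184.216.34", 80, "198.51.100.1", b[1])
    stray = nat.inbound("203.0.113.9", 4444, "198.51.100.1", a[1])
    return a, b, reply_a, reply_b, stray
```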
Graphic depiction of a host-based intrusion detection system (adapted from Rkouere, 2016)

The figure above shows the network of the internet, firewall, and devices. The IDS monitors the transactions that flow past the firewall and notifies the IT group of suspicious activity. So, what is the difference between a firewall and an IDS? A firewall drops a packet that is deemed to be an attack packet. An IDS identifies suspicious packets, which may or may not be actual attack packets. Firewalls have logs as well, but an IDS is a more developed tool. One problem for an IDS is that there is a lot of information coming across the network. As a security professional, you want the right amount of information, neither too much nor too little. Second, an IDS can generate a lot of false positives, and security personnel may start to tune them out after a while. Furthermore, an IDS can be labor-intensive in terms of processing; multiple tools monitoring your networks and systems can result in latency and lag. IPS filtering is an extension of the IDS tools. An advantage of an IPS is that it actually stops some attacks rather than just generating alarms. The IPS acts like a firewall in that it drops attack packets. The IPS will also limit suspicious traffic, so that DoS attacks are less likely to occur. Different packages have different capabilities. Some IPS tools can block certain logins under certain conditions; in other words, a login may have to wait a certain amount of time before it can be attempted again. This is effective because thieves generally look for easy targets. Give them too much grief, and they will go elsewhere. It is also helpful to note that there are many different types of firewall architectures and ways to set up firewalls. The choice really depends on your business and its needs.
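The IDS versus IPS distinction above, as an added example that is not from the textbook or this study guide: one monitor that, in IDS mode, only records an alert when a source exceeds a threshold of failed logins inside a sliding window, and, in IPS mode, also blocks that source until a lockout period expires. The event stream, threshold, window and lockout values are constructed.

```python
from collections import defaultdict

# Constructed sample events: (seconds since start, source IP, event type).
SAMPLE_EVENTS = [
    (0, "203.0.113.9", "login_failed"),
    (5, "203.0.113.9", "login_failed"),
    (8, "10.0.0.7", "login_ok"),
    (9, "203.0.113.9", "login_failed"),
    (12, "203.0.113.9", "login_failed"),  # fourth failure within 60 s
    (20, "203.0.113.9", "login_ok"),      # falls inside the IPS lockout window
    (200, "203.0.113.9", "login_ok"),     # lockout has expired
]


class LoginMonitor:
    """IDS mode (prevent=False) only records alerts; IPS mode (prevent=True) also blocks
    the source until the lockout expires, so it must wait before trying again."""

    def __init__(self, threshold=4, window=60, lockout=120, prevent=False):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.prevent = prevent
        self.failures = defaultdict(list)  # source -> timestamps of recent failures
        self.locked_until = {}             # source -> time the lockout ends
        self.alerts = []                   # (time, source, message)

    def process(self, ts, src, event):
        """Return 'allow' or 'block' for one event."""
        if self.prevent and ts < self.locked_until.get(src, -1):
            return "block"
        if event != "login_failed":
            return "allow"
        # Keep only failures inside the sliding window, then add this one.
        recent = [t for t in self.failures[src] if ts - t <= self.window] + [ts]
        self.failures[src] = recent
        if len(recent) >= self.threshold:
            self.alerts.append((ts, src, f"{len(recent)} failed logins in {self.window}s"))
            if self.prevent:
                self.locked_until[src] = ts + self.lockout
                self.failures[src] = []    # start counting afresh after the lockout
                return "block"
        return "allow"


def run_monitor(events, prevent):
    """Feed the events through a monitor; returns (decisions, alerts)."""
    mon = LoginMonitor(prevent=prevent)
    return [mon.process(*e) for e in events], mon.alerts
```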
Demilitarized Zones (DMZ)

A popular tactic is to set up a DMZ, which is a subnet that houses all of your outwardly facing servers. Outwardly facing means that they must be accessible from outside the network. Part of firewall management involves strategically planning how to configure your firewall so that it meets the needs of your business and your systems. Sufficient policies have to be developed to guide an adequate security implementation. A good security policy might be to require that any external HTTP connections go through the DMZ.
Adapted from DMZ Network Diagram, by S. Viento, 2007, Wikimedia Commons (https://commons.wikimedia.org/wiki/File:DMZ_network_diagram_2.png). In public domain.
As you can see in the figure above, traffic from the internet, including email transactions, passes through the firewall before being relayed to the internal computers and devices. Therefore, because of these entry points, it is extremely important to have a secured and up-to-date firewall configuration.
Wrapping Up

Firewalls guard site networks and can be utilized to provide a great deal of protection. While they traditionally provided ingress filtering to stop attack packets, they also provide egress filtering to prevent outgoing attacks. Many filtering mechanisms are utilized when setting up a firewall, such as SPI, ACLs, NAT, IDSs, and IPSs, each of which has different capabilities. Businesses setting up firewall security need to assess their systems and determine what will best protect them from attacks.
References

Boyle, R. J., & Panko, R. R. (2021). Corporate computer security (5th ed.). Pearson. https://online.vitalsource.com/#/books/9780135823354

Dubrawsky, I. (2010). Networking. In C. Walls (Ed.), Embedded software (2nd ed., pp. 287–335). https://www.sciencedirect.com/science/article/pii/B9780124158221000088

Rawpixelimages. (n.d.). Data file protection firewall malware removal concept (ID 79513723) [Photograph]. Dreamstime. https://www.dreamstime.com/stock-photo-data-file-protection-firewall-malware-removal-concept-people-using-image79513723

Rkouere. (2016, January 5). Host based intrusion detection system [Graphic]. Wikimedia Commons. https://commons.wikimedia.org/wiki/File:Host_based_intrusion_detection_system.png

Viento, S. (2007). DMZ network diagram 2 [Graphic]. Wikimedia Commons. https://commons.wikimedia.org/wiki/File:DMZ_network_diagram_2.png

Yangliy. (2009, May 1). Network address translation (file 2) [Graphic]. Wikimedia Commons. https://commons.wikimedia.org/wiki/File:Network_Address_Translation_(file2).jpg