Network Security | CISSP For Dummies

Network security is implemented with various technologies including firewalls, virtual private networks (VPNs), intrusion detection systems (IDSes), and remote access authentication mechanisms.

Firewalls

A firewall controls traffic flow between a trusted network (such as a corporate LAN) and an untrusted or public network (such as the Internet). A firewall can comprise hardware, software, or a combination of both hardware and software. The CISSP candidate must understand the various types of firewalls and common firewall architectures.

Firewall types

Currently, the three basic classifications of firewalls are packet-filtering, circuit-level gateway, and application-level gateway.

Instant Answer Three basic types of firewalls are packet-filtering, circuit-level gateway, and application-level gateway.

Packet-filtering

A packet-filtering firewall (or screening router) is one of the most basic (and inexpensive) types of firewalls and is ideally suited for a low-risk environment. A packet-filtering firewall permits or denies traffic based solely on the TCP, UDP, ICMP, and IP headers of the individual packets. It examines the traffic direction (inbound or outbound), the source and destination IP address, and the source and destination TCP or UDP port numbers. This information is compared with predefined rules that have been configured in an access control list (ACL) to determine whether a packet should be permitted or denied. A packet-filtering firewall typically operates at the Network or Transport layer of the OSI model. Some advantages of a packet-filtering firewall are that

It’s inexpensive (can be implemented as a router ACL).
It’s fast and flexible.
It is transparent to users.

Disadvantages of packet-filtering firewalls are that

Access decisions are based only on address and port information.
It has no protection from IP or DNS address spoofing.
It doesn’t support strong user authentication.
Configuring and maintaining ACLs can be difficult.
Logging information may be limited.

A more advanced variation of the packet-filtering firewall is the dynamic packet-filtering firewall. This type of firewall supports dynamic modification of the firewall rule base by using context-based access control (CBAC) or reflexive ACLs, for example.

Circuit-level gateway

A circuit-level gateway controls access by maintaining state information about established connections. When a permitted connection is established between two hosts, a tunnel or virtual circuit is created for the session, thus allowing packets to flow freely between the two hosts without the need for further inspecting individual packets. This type of firewall operates at the Session Layer of the OSI model.

Advantages of this type of firewall include

Speed. (After a connection is established, individual packets aren’t analyzed.)
Support for many protocols.
Easy maintenance.

Disadvantages of this type of firewall include

Dependence on trustworthiness of the communicating users or hosts. (After a connection is established, individual packets aren’t analyzed.)
Limited logging information about individual data packets is available after the initial connection is established.

A stateful inspection firewall is a type of circuit-level gateway that captures data packets at the Network Layer and then queues and analyzes (examines state and context) these packets at the upper layers of the OSI model.

Application-level gateway

An application-level (or Application Layer) gateway operates at the Application Layer of the OSI model, processing data packets for specific IP applications. This type of firewall is generally considered the most secure and is commonly implemented as a proxy server. In a proxy server, no direct communication between two hosts is permitted. Instead, data packets are intercepted by the proxy server, which analyzes the packet’s contents and if permitted by the firewall rules, sends a copy of the original packet to the intended host.

Advantages of this type of firewall include

Data packets aren’t transmitted directly to communicating hosts, thereby masking the internal network’s design and preventing direct access to services on internal hosts.
It can be used to implement strong user authentication in applications.

Disadvantages of this type of firewall include

It reduces network performance because every packet must be passed up to the Application Layer of the OSI model to be analyzed.
It must be tailored to specific applications. (This can be difficult to maintain or update for new or changing protocols.)

Firewall architectures

The basic firewall types that we discuss in the previous sections may be implemented in a firewall architecture as we describe in the following sections. The four basic types of firewall architectures are screening router, dual-homed gateway, screened-host gateway, and screened-subnet.

Screening router

A screening router is the most basic type of firewall architecture employed. An external router is placed between the untrusted and trusted networks, and a security policy is implemented by using ACLs. Although a router functions as a choke point between a trusted and untrusted network, an attacker - after being granted access to a host on the trusted network - may potentially be able to compromise the entire network.

Advantages of a screening router architecture include that it’s

Completely transparent
Relatively simple and inexpensive

Disadvantages of the screening router architecture include that it

Is difficult to configure and maintain
May have difficulty handling certain traffic
Has limited or no logging available
Uses no user authentication
Is difficult to mask the internal network structure
Has a single point of failure
Doesn’t truly implement a firewall choke-point strategy

Still, using a screening router architecture is better than using nothing.

Dual-homed gateways

Another common firewall architecture is the dual-homed gateway. A dual-homed gateway (or bastion host) is a system with two network interfaces (NICs) that sits between an untrusted and trusted network. A bastion host is a general term often used to refer to proxies, gateways, firewalls, or any server that provides applications or services directly to an untrusted network. Because it’s often the target of attackers, a bastion host is sometimes referred to as a sacrificial lamb.

However, this term is misleading because a bastion host is typically a hardened system employing robust security mechanisms. A dual-homed gateway is often connected to the untrusted network via an external screening router. The dual-homed gateway functions as a proxy server for the trusted network and may be configured to require user authentication. A dual-homed gateway offers a more fail-safe operation than screening routers because by default, data isn’t normally forwarded across the two interfaces. Advantages of the dual-homed gateway architecture include

It operates in a fail-safe mode.
Internal network structure is masked.

Disadvantages of the dual-homed gateway architecture include

Its use may inconvenience users.
Proxies may not be available for some services.
Its use may cause slower network performance.

Screened-host gateways

A screened-host gateway architecture employs an external screening router and an internal bastion host. The screening router is configured so that the bastion host is the only host accessible from the untrusted network (such as the Internet). The bastion host provides any required Web services to the untrusted network, such as HTTP and FTP, as permitted by the security policy. Connections to the Internet from the trusted network are routed via an application proxy on the bastion host or directly through the screening router.

Here are some of the advantages of the screened-host gateway:

It provides distributed security between two devices.
It has transparent outbound access.
It has restricted inbound access.

Here are some disadvantages of the screened-host gateway:

It’s considered less secure because the screening router can bypass the bastion host for certain trusted services.
Masking the internal network structure is difficult.
It can have multiple single points of failure (router or bastion host).

Screened-subnet

The screened-subnet is perhaps the most secure of the currently designed firewall architectures. The screened-subnet employs an external screening router, a dual-homed (or multi-homed) host, and a second internal screening router. This implements the concept of a network DMZ (or demilitarized zone). Publicly available services are placed on bastion hosts in the DMZ.

Advantages of the screened-subnet architecture include that

It’s transparent to end users.
It’s flexible.
Internal network structure can be masked.
It provides defense in depth instead of relying on a single device to provide security for the entire network.

Disadvantages of a screened-subnet architecture include that it

Is more expensive than other firewall architectures
Is more difficult to configure and maintain
Can be more difficult to troubleshoot

Virtual Private Networks (VPNs)

A Virtual Private Network (VPN) creates a secure tunnel over a public network, such as the Internet. Either encrypting or encapsulating the data as it’s transmitted across the VPN creates a secure tunnel. The two ends of a VPN are commonly implemented by using one of the following methods:

Client-to-VPN Concentrator (or Device)
Client-to-Firewall
Firewall-to-Firewall
Router-to-Router

Common VPN protocol standards include Point-to-Point Tunneling Protocol (PPTP), Layer 2 Forwarding Protocol (L2F), Layer 2 Tunneling Protocol
(L2TP), Internet Protocol Security (IPSec), and Secure Sockets Layer (SSL).

Point-to-Point Tunneling Protocol (PPTP)

The Point-to-Point Tunneling Protocol (PPTP) was developed by Microsoft to enable the Point-to-Point Protocol (PPP) to be tunneled through a public network. PPTP uses native PPP authentication and encryption services (such as PAP, CHAP, EAP), which we discuss later in the section “RAS.” It’s commonly used for secure dial-up connections using Microsoft Win9x or NT/2000 clients. PPTP operates at the Data Link Layer of the OSI model and is designed for individual client-server connections.

Layer 2 Forwarding Protocol (L2F)

The Layer 2 Forwarding Protocol (L2F) was developed by Cisco and provides similar functionality as PPTP. As its name implies, L2F operates at the Data Link Layer of the OSI model and permits tunneling of Layer 2 WAN protocols such as HDLC and SLIP.

Layer 2 Tunneling Protocol (L2TP)

The Layer 2 Tunneling Protocol (L2TP) is an IETF standard that combines Microsoft (and others) PPTP and Cisco L2F protocols. Like PPTP and L2F, L2TP operates at the Data Link Layer of the OSI model to create secure VPN connections for individual client-server connections. The L2TP addresses the following end-user requirements:

Transparency: Requires no additional software.
Robust authentication: Supports PPP authentication protocols, Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System (TACACS), smart cards, and one-time passwords.
Local addressing: The VPN entities, rather than the ISP, assign IP addresses.
Authorization: Authorization is managed by the VPN server-side similar to direct dial-up connections.
Accounting: Both the ISP and user perform Accounting.

IPSec

Internet Protocol Security (IPSec) is an IETF open standard for VPNs that operates at the Network Layer of the OSI model. It’s the most popular and robust VPN protocol in use today. IPSec ensures confidentiality, integrity, and authenticity by using Layer 3 encryption and authentication to provide an end-to-end solution. IPSec operates in two modes:

Transport mode: Only the data is encrypted.
Tunnel mode: The entire packet is encrypted.

The two main protocols used in IPSec are

Authentication Header (AH): Provides integrity, authentication, and non-repudiation
Encapsulating Security Payload (ESP): Provides confidentiality (encryption) and limited authentication

Each pair of hosts communicating in an IPSec session must establish a security association.

A security association (SA) is a one-way connection between two communicating parties; thus, two SAs are required for each pair of communicating hosts. Additionally, each SA only supports a single protocol (AH or ESP). Therefore, if both an AH and ESP are used between two communicating hosts, a total of four SAs is required. An SA has three parameters that uniquely identify it in an IPSec session:

Security Parameter Index (SPI): The SPI is a 32-bit string used by the receiving station to differentiate between SAs terminating on that station. The SPI is located within the AH or ESP header.
Destination IP address: The destination address could be the end station or an intermediate gateway or firewall, but must be a unicast address.
Security Protocol ID: The Security Protocol ID must be either an AH or ESP association.

Key management is provided in IPSec by using the Internet Key Exchange (IKE). IKE is actually a combination of three complementary protocols: the Internet Security Association and Key Management Protocol (ISAKMP), the Secure Key Exchange Mechanism (SKEME), and the Oakley Key Exchange Protocol. IKE operates in three modes: Main Mode, Aggressive Mode, and Quick Mode.

SSL

The Secure Sockets Layer (SSL) protocol (discussed in greater detail in Chapter 8) operates at the Transport Layer of the OSI model. SSL VPNs have rapidly gained widespread popularity and acceptance in recent years due to their ease of use and low cost. An SSL VPN requires no special client hardware or software (other than a Web browser) and little or no client configuration. SSL VPNs provide secure access to Web-enabled applications and thus are somewhat more granular in control - a user is granted access to a specific application rather than to the entire private network. This can also be considered a limitation of SSL VPNs; not all applications will work over an SSL VPN and many convenient network functions (file and print sharing) may not be available over an SSL VPN.

Intrusion detection and prevention systems (IDS and IPS)

Intrusion detection is defined as real-time monitoring and analysis of network activity and data for potential vulnerabilities and attacks in progress. One major limitation of current IDS technologies is the requirement to filter false alarms lest the operator (system or security administrator) be overwhelmed with data. Intrusion detection systems (IDS) are classified in many different ways including active and passive, network-based and host-based, and knowledge-based and behavior-based.

Active and passive IDS

An active IDS (now more commonly known as an intrusion prevention system - IPS) is a system that’s configured to automatically block suspected attacks in progress without any intervention required by an operator. IPS has the advantage of providing real-time corrective action in response to an attack but has many disadvantages as well. An IPS must be placed in-line along a network boundary; thus, the IPS itself is susceptible to attack. Also, if false alarms and legitimate traffic haven’t been properly identified and filtered, authorized users and applications may be improperly denied access. Finally, the IPS itself may be used to effect a Denial of Service (DoS) attack by intentionally flooding the system with alarms that cause it to block connections until no connections or bandwidth are available.

A passive IDS is a system that’s configured to only monitor and analyze network traffic activity and alert an operator to potential vulnerabilities and attacks. It’s not capable of performing any protective or corrective functions on its own. The major advantages of passive IDS are that these systems can be easily and rapidly deployed and are not normally susceptible to attack themselves.

Network-based and host-based IDS

A network-based IDS usually consists of a network appliance (or sensor) with a Network Interface Card (NIC) operating in promiscuous mode and a separate management interface. The IDS is placed along a network segment or boundary and monitors all traffic on that segment.

A host-based IDS requires small programs (or agents) to be installed on individual systems to be monitored. The agents monitor the operating system and write data to log files and/or trigger alarms. A host-based IDS can only monitor the individual host systems on which the agents are installed; it doesn’t monitor the entire network.

Knowledge-based and behavior-based IDS

A knowledge-based (or signature-based) IDS references a database of previous attack profiles and known system vulnerabilities to identify active intrusion attempts. Knowledge-based IDS is currently more common than behavior-based IDS. Advantages of knowledge-based systems include

It has lower false alarm rates than behavior-based IDS.
Alarms are more standardized and more easily understood than behavior-based IDS.

Disadvantages of knowledge-based systems include

Signature database must be continually updated and maintained.
New, unique, or original attacks may not be detected or may be improperly classified.

A behavior-based (or statistical anomaly-based) IDS references a baseline or learned pattern of normal system activity to identify active intrusion attempts. Deviations from this baseline or pattern cause an alarm to be triggered. Advantages of behavior-based systems include that they

Dynamically adapt to new, unique, or original attacks
Are less dependent on identifying specific operating system vulnerabilities

Disadvantages of behavior-based systems include

Higher false alarm rates than knowledge-based IDS
Usage patterns that may change often and may not be static enough to implement an effective behavior-based IDS

Remote access

Remote access is provided through various technologies (such as cable modems and wireless devices) and protocols (such as asynchronous dial-up, ISDN, xDSL), as we discuss in the earlier section “WAN technologies and protocols.”

Remote access security is provided through various methods and technologies as we describe in the following sections.

Remote access security methods

Remote access security methods include restricted allowed addresses, caller ID, and callback.

Restricted address

The restricted address method restricts access to the network based on allowed IP addresses, essentially performing rudimentary node authentication but not user authentication.

Caller ID

The caller ID method restricts access to the network based on allowed phone numbers, thus performing a slightly more secure form of node authentication because phone numbers are more difficult to spoof than IP addresses. However, this method can be difficult to administer for road warriors that routinely travel to different cities.

Callback

The callback method restricts access to the network by requiring a remote user to first authenticate to the remote access service (RAS) server. The RAS server then disconnects and calls the user back at a preconfigured phone number. Like caller ID, this method can be difficult to administer for road warriors.

Instant Answer One limitation of callback is that it can be easily defeated by using call forwarding.

Remote access security technologies

Remote access security technologies include RAS servers that utilize various authentication protocols associated with PPP, RADIUS, and TACACS.

RAS

Remote access service (RAS) servers utilize the Point-to-Point Protocol (PPP) to encapsulate IP packets and establish dial-in connections over serial and ISDN links. PPP incorporates the following three authentication protocols:

PAP: The Password Authentication Protocol (PAP) uses a two-way hand-shake to authenticate a peer to a server when a link is initially established. PAP transmits passwords in clear text and provides no protection from replay or brute force attacks.
CHAP: The Challenge Handshake Protocol (CHAP) uses a three-way handshake to authenticate both a peer and server when a link is initially established and, optionally, at regular intervals throughout the session. CHAP requires both the peer and server to be preconfigured with a shared secret that must be stored in plain text. The peer uses the secret to calculate the response to a server challenge by using an MD5 one-way hash function. MS-CHAP, a Microsoft enhancement to CHAP, allows the shared secret to be stored in an encrypted form.
EAP: The Extensible Authentication Protocol (EAP) adds flexibility to

PPP authentication by implementing various authentication mechanisms including MD5-challenge, S/Key, generic token card, digital certificates, and so on. EAP is implemented in many wireless networks.

RADIUS

The Remote Authentication Dial-In User Service (RADIUS) protocol is an open-source, UDP-based client-server protocol. Defined in RFC 2058 and RFC 2059, RADIUS provides authentication and accountability. A user provides username/password information to a RADIUS client by using PAP or CHAP.

The RADIUS client encrypts the password and sends the username and encrypted password to the RADIUS server for authentication. Note: Passwords exchanged between the RADIUS client and RADIUS server are encrypted, but passwords exchanged between the PC client and the RADIUS client are not necessarily encrypted @md if using PAP authentication, for example. However, if the PC client happens to also be the RADIUS client, all password exchanges are encrypted regardless of the authentication protocol being used.

Diameter

The Diameter protocol is the next-generation RADIUS protocol. Diameter overcomes several RADIUS shortcomings. For instance, it uses TCP rather than UDP, supports IPSec or TLS, and larger address space. Diameter is defined by RFC 3588.

TACACS

The Terminal Access Controller Access Control System (TACACS) is a UDP-based access control protocol, originally developed for the MILNET, which provides authentication, authorization, and accountability (AAA). The original TACACS protocol has been significantly enhanced, primarily by Cisco, as XTACACS (no longer used) and TACACS+ (the most common implementation of TACACS). TACACS+ is TCP-based (port 49) and supports practically any authentication mechanism (PAP, CHAP, MS-CHAP, EAP, token cards, Kerberos, and so on). The basic operation of TACACS+ is similar to RADIUS, including the caveat about encrypted passwords between client and server. The major advantages of TACACS+ are its wide support of various authentication mechanisms and granular control of authorization parameters.