Module 6 Security Technology: Access Controls, Firewalls, and VPNs PDF


Michael E. Whitman and Herbert J. Mattord


Summary

This document provides an overview of security technology, focusing on access controls, firewalls, and VPNs. It covers module objectives, introduces access controls, and details different access control approaches. The content appears as a module from a textbook on information security.

Full Transcript


Module 6 Security Technology: Access Controls, Firewalls, and VPNs
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

Slide 1: Module Objectives
Upon completion of this material, you should be able to do the following:
8.1 Discuss the role of access control in information systems, and identify and discuss the four fundamental functions of access control systems.
8.2 Define authentication and explain the three commonly used authentication factors.
8.3 Describe firewall technologies and the various categories of firewalls.
8.4 Explain the various approaches to firewall implementation.
8.5 Identify the various approaches to control remote and dial-up access by authenticating and authorizing users.
8.6 Describe virtual private networks (VPNs) and discuss the technology that enables them.

Slide 2: Introduction to Access Controls
Technical controls are essential in enforcing policy for many IT functions not under direct human control. When properly implemented, technical control solutions improve an organization's ability to balance the objectives of making information readily available and preserving information's confidentiality and integrity.
To understand access controls, you must first understand that they are focused on the permissions or privileges that a subject (user or system) has on an object (resource), including if, when, and from where a subject may access an object, and especially how the subject may use that object.

Slide 3: Access Control (1 of 2)
Access control is the selective method by which systems specify who may use a particular resource and how they may use it.
− Mandatory access controls (MACs) are a required, structured data classification scheme that rates each collection of information as well as each user.
− Discretionary access controls (DACs) are access controls implemented at the discretion or option of the data user.
− Nondiscretionary controls are access controls implemented by a central authority.

Slide 4: Access Control (2 of 2)
A form of nondiscretionary access control is called lattice-based access control (LBAC), in which users are assigned a matrix of authorizations for particular areas of access.
Some lattice-based controls are tied to a person's duties and responsibilities; such controls include role-based access controls (RBACs), associated with the duties a user performs in an organization, and task-based access controls (TBACs), which are tied to a particular chore or responsibility.
Attribute-based access controls (ABACs) are an access control approach whereby the organization specifies the use of objects (resources) based on some attribute of the user or system.

Slide 5: Access Control Approaches
(figure only)
Slide 6: Access Controls
In general, all access control approaches rely on the following four mechanisms, which represent the four fundamental functions of access control systems:
− Identification: I am a user of the system.
− Authentication: I can prove I'm a user of the system.
− Authorization: Here's what I can do with the system.
− Accountability: You can track and monitor my use of the system.

Slide 7: Identification
Identification is the access control mechanism that requires the validation and verification of an unauthenticated entity's purported identity.
Identifiers can be composite identifiers, concatenating elements (department codes, random numbers, or special characters) to make them unique.
Most organizations use a single piece of unique information, such as a complete name or the user's first initial and surname.

Slide 8: Authentication
Authentication is the access control mechanism that requires the validation and verification of an unauthenticated entity's claimed identity.
Authentication factors are as follows:
− Something you know. (DOB, place of birth, SSN, …)
− Something you have. (password)
− Something you are.

Slide 9: Authorization
Authorization is the access control mechanism that represents the matching of an authenticated entity to a list of information assets and corresponding access levels.
Authorization can be handled in one of three ways:
− Authorization for each authenticated user.
− Authorization for members of a group.
− Authorization across multiple systems.
Authorization credentials, also called authorization tickets, are issued by an authenticator and are honored by many or all systems within the authentication domain.

Slide 10: Accountability
Accountability, also known as auditability, is the access control mechanism that ensures all actions on a system, authorized or unauthorized, can be attributed to an authenticated identity.
It is most often accomplished by means of system logs and database journals, and the auditing of these records. System logs record specific information, and logs have many uses.

Slide 11: Biometrics
− An approach based on the use of measurable human characteristics or traits to authenticate identity.
− Only fingerprints, the retina of the eye, the iris of the eye, and DNA are considered truly unique.
− Evaluated on false reject rate, false accept rate, and crossover error rate.
− Highly reliable and effective biometric systems are often considered intrusive by users.
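As an added illustration (not from the textbook) of the three rates on the Biometrics slide, the block below computes the false accept rate and false reject rate at a given acceptance threshold and sweeps thresholds to locate the crossover error rate; the genuine and impostor match scores are constructed.

```python
"""Finding the crossover error rate (CER) of a biometric matcher.

Added example, not from the textbook. The genuine and impostor match scores
are constructed; a real system would collect them from enrollment trials.
"""
from typing import Sequence, Tuple

# Constructed similarity scores in [0, 1]: higher means a closer match.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.83, 0.67, 0.90, 0.78, 0.86, 0.60]
IMPOSTOR = [0.12, 0.35, 0.41, 0.58, 0.22, 0.65, 0.30, 0.48, 0.19, 0.70]


def far_frr(genuine: Sequence[float], impostor: Sequence[float],
            threshold: float) -> Tuple[float, float]:
    """Error rates when the system accepts any score >= threshold.

    FAR (false accept rate): share of impostor attempts that get in.
    FRR (false reject rate): share of genuine attempts turned away.
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover_error_rate(genuine: Sequence[float], impostor: Sequence[float],
                         steps: int = 1000) -> Tuple[float, float]:
    """Sweep the threshold and return (threshold, CER).

    Raising the threshold lowers FAR and raises FRR, so the two curves cross
    once; the CER is the error rate at the threshold where they meet (or come
    closest, given discrete sample scores).
    """
    scores = list(genuine) + list(impostor)
    lo, hi = min(scores), max(scores)
    best_gap, best_t, best_rate = None, None, None
    for i in range(steps + 1):
        t = lo + (hi - lo) * i / steps
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_gap, best_t, best_rate = gap, t, (far + frr) / 2
    return best_t, best_rate


if __name__ == "__main__":
    for t in (0.5, 0.65, 0.9):
        print(f"threshold {t:.2f}: FAR/FRR = {far_frr(GENUINE, IMPOSTOR, t)}")
    print("crossover (threshold, CER) =", crossover_error_rate(GENUINE, IMPOSTOR))
```

A lower CER means a more accurate matcher; moving the threshold away from the crossover trades one error type for the other rather than removing error.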
Slide 12: Biometric Recognition Characteristics
(figure only)

Slide 13: Ranking of Biometric Effectiveness and Acceptance (1 of 2)
Biometrics | Universality | Uniqueness | Permanence | Collectability | Performance | Acceptability | Circumvention
Face | H | L | M | H | L | H | L
Face Thermogram | H | H | L | H | M | H | H
Fingerprint | M | H | H | M | H | M | H
Hand Geometry | M | M | M | H | M | M | M
Hand Vein | M | M | M | M | M | M | H
Eye: Iris | H | H | H | M | H | H | H
Eye: Retina | H | H | M | L | H | L | H

Slide 14: Ranking of Biometric Effectiveness and Acceptance (2 of 2)
Biometrics | Universality | Uniqueness | Permanence | Collectability | Performance | Acceptability | Circumvention
DNA | H | H | H | L | H | L | L
Odor & Scent | H | H | H | L | L | M | L
Voice | M | L | L | M | L | H | L
Signature | L | L | L | H | L | H | L
Keystroke | L | L | L | M | L | M | M
Gait | M | L | L | H | L | H | N

Slide 15: Knowledge Check Activity 1
The effectiveness of biometric-based controls is measured with the _____, where the rate of false rejections equals the rate of false acceptances.
a. simultaneous effectiveness ratio
b. cutover error rate
c. crossover error rate
d. crossover measure ratio

Slide 16: Knowledge Check Activity 1: Answer
Answer: c. crossover error rate
The crossover error rate (CER), the point at which false reject and false accept rates intersect, is possibly the most common and important overall measure of accuracy for a biometric system.

Slide 17: Access Control Architecture Models (1 of 3)
Architecture models illustrate access control implementations and can help organizations quickly make improvements through adaptation.
TCSEC's Trusted Computing Base (TCB)
− Part of the DoD Rainbow Series, pre-2005.
− Used to enforce security policy (rules of system configuration).
− Biggest challenges include covert channels:
  ▪ Storage channels
  ▪ Timing channels

Slide 18: Access Control Architecture Models (2 of 3)
ITSEC is an international set of criteria for evaluating computer systems.
− Compares Targets of Evaluation (ToE) to detailed security function specifications.
The Common Criteria
− Considered the successor to both TCSEC and ITSEC.
Bell-LaPadula Confidentiality Model
− State machine reference model.
− Uses the "no read up, no write down" principle.
Biba Integrity Model
− Designed to prevent corruption of higher-integrity entities.
− Based on the "no write up, no read down" principle.
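As an added illustration (not from the textbook) of the Bell-LaPadula and Biba rules on the slide above, the block below expresses both as comparisons of labels in a small lattice (a level plus a set of need-to-know categories, as in the lattice-based controls of Slide 4); the level names and the "NUC" category are constructed.

```python
"""Bell-LaPadula (confidentiality) and Biba (integrity) checks over a lattice.

Added example, not from the textbook. Level names and categories are
constructed for illustration.
"""
from dataclasses import dataclass

# Constructed total order of levels, low to high. The same order is reused
# as an integrity scale for the Biba checks.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """A lattice label: a level plus a set of need-to-know categories."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high AND categories a superset.

        Two labels can be incomparable (e.g. Top Secret with no categories
        versus Secret {NUC}); then neither dominates the other.
        """
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula: no read up, no write down.

    read  -> subject label must dominate the object (simple security property)
    write -> object label must dominate the subject (*-property)
    """
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba: no read down, no write up (the dual of Bell-LaPadula).

    read  -> object integrity must dominate the subject (simple integrity)
    write -> subject integrity must dominate the object (*-integrity)
    """
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")


def allows_both(subject, obj, op: str) -> bool:
    """A system enforcing both models: subject and obj are
    (confidentiality_label, integrity_label) pairs and both checks must pass."""
    return blp_allows(subject[0], obj[0], op) and biba_allows(subject[1], obj[1], op)


if __name__ == "__main__":
    analyst = Label("Secret", frozenset({"NUC"}))
    report = Label("Confidential", frozenset({"NUC"}))
    print("analyst reads report:", blp_allows(analyst, report, "read"))    # True
    print("analyst writes report:", blp_allows(analyst, report, "write"))  # False
```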
Slide 19: Access Control Architecture Models (3 of 3)
Clark-Wilson Integrity Model
− No changes by unauthorized subjects.
− No unauthorized changes by authorized subjects.
− Maintenance of internal and external consistency.
Graham-Denning Access Control Model
− Composed of a set of objects, a set of subjects, and a set of rights.
Harrison-Ruzzo-Ullman Model
− Defines a method to allow changes to access rights and the addition/removal of subjects/objects.
Brewer-Nash Model (Chinese Wall)
− Designed to prevent conflict of interest between two parties.

Slide 20: Firewall Technologies
In information security, a firewall is the combination of hardware and software that filters or prevents specific information from moving between the untrusted network (outside) and the trusted network (inside). It may be any of the following:
− A separate computer system.
− A software service running on an existing router or server.
− A separate network containing supporting devices.

Slide 21: Firewall Processing Modes
− Packet filtering: by data packet header information.
− Application-layer proxy: by higher-layer protocols; can include cache services.
− MAC layer firewalls: by MAC address.
− Hybrids: by a combination of the above.

Slide 22: Packet-Filtering Firewalls (1 of 2)
Packet-filtering firewalls examine the header information of data packets. Filtering is most often based on a combination of the following:
− IP source and destination address.
− Direction (inbound or outbound).
− Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests.
Simple firewall models enforce rules designed to prohibit packets with certain addresses or partial addresses from passing through the device.

Slide 23: IP Packet Structure
(figure only)

Slide 24: TCP Packet Structure
(figure only)

Slide 25: UDP Packet Structure
(figure only)

Slide 26: Packet-Filtering Router
(figure only)
Slide 27: Sample Firewall Rules and Format
Source Address | Destination Address | Service (e.g., HTTP, SMTP, FTP) | Action (Allow or Deny)
172.16.x.x | 10.10.x.x | Any | Deny
192.168.x.x | 10.10.10.25 | HTTP | Allow
192.168.0.1 | 10.10.10.10 | FTP | Allow

Slide 28: Packet-Filtering Firewalls (2 of 2)
Three subsets of packet-filtering firewalls are as follows:
− Static filtering requires that filtering rules be developed and installed within the firewall.
− Dynamic filtering allows the firewall to react to an emergent event and update or create rules to deal with that event.
− Stateful packet inspection (SPI) firewalls keep track of each network connection between internal and external systems using a state table.

Slide 29: State Table Entries
Source Address | Source Port | Destination Address | Destination Port | Time Remaining (in Seconds) | Total Time (in Seconds) | Protocol
192.168.2.5 | 1028 | 10.10.10.7 | 80 | 2725 | 3600 | TCP

Slide 30: Application Layer Proxy Firewall
A device capable of functioning both as a firewall and as an application layer proxy server.
Since proxy servers are often placed in unsecured areas of the network (e.g., the DMZ), they are exposed to higher levels of risk from less trusted networks.
Additional filtering routers can be implemented behind the proxy firewall, further protecting internal systems.

Slide 31: MAC Layer Firewalls
− Designed to operate at the media access control sublayer of a network's data link layer.
− Make filtering decisions based on a specific host computer's identity.
− MAC addresses of specific host computers are linked to access control list (ACL) entries that identify the specific types of packets that can be sent to each host. All other traffic is blocked.

Slide 32: Firewall Types and Protocol Levels
(figure only)

Slide 33: Knowledge Check Activity 2
_____ inspection firewalls keep track of each network connection between internal and external systems.
a. Static
b. Dynamic
c. Stateful
d. Stateless

Slide 34: Knowledge Check Activity 2: Answer
Answer: c. Stateful
Stateful inspection firewalls keep track of each network connection between internal and external systems using a state table. A state table tracks the state and context of each packet in the conversation by recording which station sent what packet and when.
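As an added illustration (not from the textbook) of the state table on Slide 29 and the stateful inspection answer above, the block below keeps one row per tracked connection, admits inbound packets only as the reply half of a connection the inside opened, and expires rows when their time remaining reaches zero. The clock is an explicit integer of seconds and the packets are constructed.

```python
"""Stateful packet inspection: a minimal state table.

Added example, not from the textbook. The clock is passed in explicitly
(seconds) so the behaviour is deterministic; packets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    protocol: str = "TCP"


@dataclass
class StateEntry:
    """One row of the state table; the columns follow the slide."""
    src: str
    sport: int
    dst: str
    dport: int
    total_time: int   # seconds a row lives without seeing traffic
    last_seen: int    # clock value of the most recent packet on this row
    protocol: str

    def time_remaining(self, now: int) -> int:
        return max(0, self.total_time - (now - self.last_seen))


Key = Tuple[str, int, str, int, str]


class StateTable:
    def __init__(self, total_time: int = 3600):
        self.total_time = total_time
        self.entries: Dict[Key, StateEntry] = {}

    @staticmethod
    def _key(src: str, sport: int, dst: str, dport: int, proto: str) -> Key:
        return (src, sport, dst, dport, proto)

    def outbound(self, pkt: Packet, now: int) -> str:
        """Trusted -> untrusted: record (or refresh) the connection and allow it."""
        self.expire(now)
        k = self._key(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.protocol)
        entry = self.entries.get(k)
        if entry is None:
            self.entries[k] = StateEntry(pkt.src, pkt.sport, pkt.dst, pkt.dport,
                                         self.total_time, now, pkt.protocol)
        else:
            entry.last_seen = now
        return "Allow"

    def inbound(self, pkt: Packet, now: int) -> str:
        """Untrusted -> trusted: allowed only as the reply to a tracked connection."""
        self.expire(now)
        # The reply to (src:sport -> dst:dport) arrives as (dst:dport -> src:sport).
        k = self._key(pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.protocol)
        entry = self.entries.get(k)
        if entry is None:
            return "Deny"          # unsolicited: no context in which to allow it
        entry.last_seen = now      # matching traffic refreshes the idle timer
        return "Allow"

    def expire(self, now: int) -> int:
        """Drop rows whose time remaining has reached zero; return how many."""
        dead = [k for k, e in self.entries.items() if e.time_remaining(now) == 0]
        for k in dead:
            del self.entries[k]
        return len(dead)

    def time_remaining(self, pkt: Packet, now: int) -> Optional[int]:
        """Time remaining for the row opened by pkt, or None if not tracked."""
        k = self._key(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.protocol)
        entry = self.entries.get(k)
        return None if entry is None else entry.time_remaining(now)


if __name__ == "__main__":
    table = StateTable(total_time=3600)
    table.outbound(Packet("192.168.2.5", 1028, "10.10.10.7", 80), now=0)
    # 875 s later the row shows 2725 s remaining, as in the slide's example.
    print(table.time_remaining(Packet("192.168.2.5", 1028, "10.10.10.7", 80), now=875))
```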
Slide 35: Hybrid Firewalls
− Combine elements of other types of firewalls, that is, elements of packet filtering and proxy services, or of packet filtering and circuit gateways.
− Alternately, may consist of two separate firewall devices, each a separate firewall system, but connected to work in tandem.
− Enable an organization to make security improvements without completely replacing existing firewalls.
− Include Next Generation Firewall (NGFW) and Unified Threat Management (UTM) devices.

Slide 36: Firewall Architectures
Firewall devices can be configured in several network connection architectures. The best configuration depends on three factors:
− Objectives of the network.
− The organization's ability to develop and implement architectures.
− Budget available for the function.
Four common architectural implementations of firewalls: Single Bastion Hosts, Screened Host, and Screened Subnet (with demilitarized zone (DMZ)).

Slide 37: Single Bastion Hosts
− Commonly referred to as a sacrificial host, as it stands as the sole defender on the network perimeter.
− Usually implemented as a dual-homed host, which contains two network interface cards (NICs), one connected to the external network and one connected to the internal network.
− Implementation of this architecture often makes use of network address translation (NAT), creating another barrier to intrusion from external attackers.

Slide 38: Reserved Non-Routable Address Range
Classful Description | Usable Addresses | From | To | CIDR Mask | Decimal Mask
Class A or 24-bit | ~16.5 million | 10.0.0.0 | 10.255.255.255 | /8 | 255.0.0.0
Class B or 20-bit | ~1.05 million | 172.16.0.0 | 172.31.255.255 | /12 or /16 | 255.240.0.0 or 255.255.0.0
Class C or 16-bit | ~65,500 | 192.168.0.0 | 192.168.255.255 | /16 or /24 | 255.255.0.0 or 255.255.255.0
IPv6 Space | ~65,500 sets of 18.45 quintillion (18.45 × 10^18) | fc00::/7, where the first 7 digits are fixed (1111 110x), followed by a 10-digit organization ID, then 4 digits of subnet ID and 16 digits of host ID ([F][C or D]xx:xxxx:xxxx:yyyy:zzzz:zzzz:zzzz:zzzz) | | |

Slide 39: Dual-Homed Bastion Host Firewall Architecture
(figure only)

Slide 40: Screened Host Architecture
− Combines a packet-filtering router with a separate, dedicated firewall such as an application proxy server.
− Allows the router to prescreen packets to minimize traffic/load on the internal proxy.
− Requires an external attack to compromise two separate systems before the attack can access internal data.
Slide 41: Screened Host Firewall Architecture
(figure only)

Slide 42: Screened Subnet Architecture (with DMZ)
The dominant architecture used today. It commonly consists of two or more internal firewalls behind a packet-filtering router, with each protecting a trusted network:
− Connections from the outside or untrusted network are routed through the external filtering router.
− Connections from the outside or untrusted network are routed into and out of a routing firewall to the separate network segment known as the DMZ.
− Connections into the trusted internal network are allowed only from the DMZ bastion host servers.

Slide 43: Screened Subnet Firewall Architecture with DMZ
(figure only)

Slide 44: Second Example of Screened Subnet with DMZ
(figure only)

Slide 45: Screened Subnet Architecture (with DMZ)
The screened subnet performs two functions:
− Protects DMZ systems and information from outside threats.
− Protects the internal networks by limiting how external connections can gain access to internal systems.
Another facet of DMZs is the creation of extranets.

Slide 46: Selecting the Right Firewall
When selecting a firewall, consider a number of factors:
1. Which type of firewall technology offers the right balance between protection and cost for the needs of the organization?
2. What features are included in the base price? What features are available at extra cost? Are all cost factors known?
3. How easy is it to set up and configure the firewall? Does the organization have staff on hand who are trained to configure the firewall, or would the hiring of additional employees be required?
4. Can the firewall adapt to the growing network in the target organization?
The most important factor is provision of the required protection. The second most important issue is cost.

Slide 47: Configuring and Managing Firewalls
− The organization must provide for the initial configuration and ongoing management of its firewall(s).
− Each firewall device must have its own set of configuration rules regulating its actions.
− Firewall policy configuration is usually complex and difficult; configuring firewall policies is both an art and a science.
− When security rules conflict with the performance of business, security often loses.

Slide 48: Best Practices for Firewalls
− All traffic from the trusted network is allowed out.
− The firewall device is never directly accessed from the public network.
− Simple Mail Transport Protocol (SMTP) data are allowed to pass through the firewall but must go to the SMTP server.
− Internet Control Message Protocol (ICMP) data are denied.
− Telnet access to internal servers should be blocked from the public network.
− When Web services are offered outside the firewall, HTTP traffic should be blocked from reaching internal networks by using a DMZ or proxy access.
− All data not verifiably authentic should be denied.

Slide 49: Firewall Rules
Firewalls operate by examining data packets and performing comparisons with predetermined logical rules. The logic is based on a set of guidelines most commonly referred to as firewall rules, the rule base, or firewall logic. Most firewalls use packet header information to determine whether specific packets should be allowed or denied.

Slide 50: Well-Known Port Numbers
Port Number | Protocol
7 | Echo
20 | File Transfer [Default Data] (FTP)
21 | File Transfer [Control] (FTP)
23 | Telnet
25 | Simple Mail Transfer Protocol (SMTP)
53 | Domain Name System (DNS)
80 | Hypertext Transfer Protocol (HTTP)
110 | Post Office Protocol version 3 (POP3)
123 | Network Time Protocol (NTP)
161 | Simple Network Management Protocol (SNMP)
443 | Hypertext Transfer Protocol Secure (HTTPS)

Slide 51: Rule Set 1
Source Address | Source Port | Destination Address | Destination Port | Action
Any | Any | 10.10.10.0 | >1023 | Allow

Slide 52: Rule Set 2
Source Address | Source Port | Destination Address | Destination Port | Action
Any | Any | 10.10.10.1 | Any | Deny
Any | Any | 10.10.10.2 | Any | Deny
10.10.10.1 | Any | Any | Any | Deny
10.10.10.2 | Any | Any | Any | Deny

Slide 53: Rule Set 3
Source Address | Source Port | Destination Address | Destination Port | Action
10.10.10.0 | Any | Any | Any | Allow

Slide 54: Rule Set 4
Source Address | Source Port | Destination Address | Destination Port | Action
Any | Any | 10.10.10.0 | 25 | Allow

Slide 55: Rule Set 5
Source Address | Source Port | Destination Address | Destination Port | Action
10.10.10.0 | Any | Any | 7 | Allow
Any | Any | 10.10.10.0 | 7 | Deny
Rule Set 6

Source Address   Source Port   Destination Address   Destination Port   Action
10.10.10.0       Any           10.10.10.0            23                 Allow
Any              Any           10.10.10.0            23                 Deny

Rule Set 7a

Source Address   Source Port   Destination Address   Destination Port   Action
Any              Any           10.10.10.4            80                 Allow

Rule Set 7b

Source Address   Source Port   Destination Address   Destination Port   Action
Any              Any           10.10.10.5            80                 Allow

Rule Set 7c

Source Address   Source Port   Destination Address   Destination Port   Action
10.10.10.5       Any           10.10.10.8            80                 Allow

Rule Set 8

Source Address   Source Port   Destination Address   Destination Port   Action
Any              Any           Any                   Any                Deny

External Filtering Firewall Inbound Interface Rule Set

Rule #   Source Address   Source Port   Destination Address   Destination Port   Action
1        10.10.10.0       Any           Any                   Any                Deny
2        Any              Any           10.10.10.1            Any                Deny
3        Any              Any           10.10.10.2            Any                Deny
4        10.10.10.1       Any           Any                   Any                Deny
5        10.10.10.2       Any           Any                   Any                Deny
6        Any              Any           10.10.10.0            >1023              Allow
7        Any              Any           10.10.10.6            25                 Allow
8        Any              Any           10.10.10.0            7                  Deny
9        Any              Any           10.10.10.0            23                 Deny
10       Any              Any           10.10.10.4            80                 Allow
11       Any              Any           Any                   Any                Deny

External Filtering Firewall Outbound Interface Rule Set

Rule #   Source Address   Source Port   Destination Address   Destination Port   Action
1        10.10.10.12      Any           10.10.10.0            Any                Allow
2        Any              Any           10.10.10.1            Any                Deny
3        Any              Any           10.10.10.2            Any                Deny
4        10.10.10.1       Any           Any                   Any                Deny
5        10.10.10.2       Any           Any                   Any                Deny
6        10.10.10.0       Any           Any                   Any                Allow
7        Any              Any           Any                   Any                Deny

Internal Filtering Firewall Inbound Interface Rule Set

Rule #   Source Address   Source Port   Destination Address   Destination Port   Action
1        Any              Any           10.10.10.3            Any                Deny
2        Any              Any           10.10.10.7            Any                Deny
3        10.10.10.3       Any           Any                   Any                Deny
4        10.10.10.7       Any           Any                   Any                Deny
5        Any              Any           10.10.10.0            >1023              Allow
6        10.10.10.5       Any           10.10.10.8            Any                Allow
7        Any              Any           Any                   Any                Deny
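To make the top-to-bottom, first-match ordering of these rule sets concrete, here is an added Python example (not the textbook's code) that evaluates the External Filtering Firewall Inbound Interface rule set against constructed sample packets. It assumes that a ".0" address such as 10.10.10.0 stands for the whole /24 network and that ">1023" means ports 1024 and above.

```python
"""First-match evaluation of the external firewall's inbound rule set (added example,
not the textbook's code). Assumptions: an address ending in .0 such as 10.10.10.0
stands for the whole /24 network, ">1023" means ports 1024 and above, and rules are
checked top to bottom with the first match deciding."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

class Rule(NamedTuple):
    number: int
    src: str     # "Any", a host address, or a .0 network address
    sport: str   # "Any", an exact port, or ">1023"
    dst: str
    dport: str
    action: str  # "Allow" or "Deny"

class Packet(NamedTuple):  # the header fields a packet filter examines
    src: str
    sport: int
    dst: str
    dport: int

# External filtering firewall, inbound interface, as listed on the slide.
EXTERNAL_INBOUND: List[Rule] = [
    Rule(1, "10.10.10.0", "Any", "Any", "Any", "Deny"),     # outside packet claiming an inside source
    Rule(2, "Any", "Any", "10.10.10.1", "Any", "Deny"),     # nothing may reach the firewall itself
    Rule(3, "Any", "Any", "10.10.10.2", "Any", "Deny"),
    Rule(4, "10.10.10.1", "Any", "Any", "Any", "Deny"),
    Rule(5, "10.10.10.2", "Any", "Any", "Any", "Deny"),
    Rule(6, "Any", "Any", "10.10.10.0", ">1023", "Allow"),  # replies to inside-initiated sessions
    Rule(7, "Any", "Any", "10.10.10.6", "25", "Allow"),     # SMTP to the mail server
    Rule(8, "Any", "Any", "10.10.10.0", "7", "Deny"),       # echo
    Rule(9, "Any", "Any", "10.10.10.0", "23", "Deny"),      # Telnet
    Rule(10, "Any", "Any", "10.10.10.4", "80", "Allow"),    # HTTP to the web server
    Rule(11, "Any", "Any", "Any", "Any", "Deny"),           # cleanup rule: deny everything else
]

def addr_matches(spec: str, addr: str) -> bool:
    if spec == "Any":
        return True
    if spec.split(".")[-1] == "0":  # assumption: a .0 address means the whole /24
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec + "/24")
    return addr == spec

def port_matches(spec: str, port: int) -> bool:
    if spec == "Any":
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, rule number) for the first rule the packet matches.
    Order matters: rule 2 denies traffic to 10.10.10.1 on ports that rule 6 would allow."""
    for r in rules:
        if (addr_matches(r.src, pkt.src) and port_matches(r.sport, pkt.sport)
                and addr_matches(r.dst, pkt.dst) and port_matches(r.dport, pkt.dport)):
            return r.action, r.number
    return "Deny", None  # no explicit match: default deny

if __name__ == "__main__":
    # Constructed sample packets arriving on the outside interface.
    for p in [Packet("203.0.113.10", 40000, "10.10.10.4", 80),   # web: Allow by rule 10
              Packet("10.10.10.50", 40000, "10.10.10.4", 80),    # spoofed source: Deny by rule 1
              Packet("203.0.113.10", 40000, "10.10.10.1", 5000)]:  # to firewall: Deny by rule 2
        print(p, "->", evaluate(EXTERNAL_INBOUND, p))
```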
Internal Filtering Firewall Outbound Interface Rule Set

Rule #   Source Address   Source Port   Destination Address   Destination Port   Action
1        Any              Any           10.10.10.3            Any                Deny
2        Any              Any           192.168.2.1           Any                Deny
3        10.10.10.3       Any           Any                   Any                Deny
4        192.168.2.1      Any           Any                   Any                Deny
5        Any              Any           192.168.2.0           >1023              Allow
6        192.168.2.0      Any           Any                   Any                Allow
7        Any              Any           Any                   Any                Deny

Content Filters

A software program or hardware/software appliance that allows administrators to restrict content that comes into or leaves a network. Essentially a set of scripts or programs restricting user access to certain networking protocols or Internet locations. Its primary purpose is to restrict internal access to external material. The most common content filters restrict users from accessing non-business Web sites or deny incoming spam.

Protecting Remote Connections

Installing internetwork connections requires leased lines or other data channels; these connections are usually secured under the requirements of a formal service agreement. When individuals seek to connect to an organization’s network, a more flexible option must be provided. Options such as virtual private networks (VPNs) have become more popular due to the spread of the Internet.
Remote Access

Unsecured dial-up connection points represent a substantial exposure to attack. An attacker can use a device called a war dialer to locate dial-up connection points. A war dialer is an automatic phone-dialing program that dials every number in a configured range and records the number if a modem picks up. Some technologies (Kerberos, RADIUS systems, TACACS, CHAP password systems) have improved the authentication process.

RADIUS, Diameter, and TACACS

Systems that authenticate user credentials for those trying to access an organization’s network via dial-up. Remote Authentication Dial-In User Service (RADIUS) centralizes responsibility for user authentication in a central RADIUS server. Diameter is an emerging alternative derived from RADIUS. Terminal Access Controller Access Control System (TACACS) validates a user’s credentials at a centralized server (like RADIUS), based on a client/server configuration.

RADIUS Configuration (figure)

Kerberos

Provides secure third-party authentication. Uses symmetric key encryption to validate individual users to various network resources. Keeps a database containing the private keys of clients and servers. Consists of three interacting services:
− Authentication server (AS).
− Key Distribution Center (KDC).
− Kerberos ticket granting service (TGS).

Kerberos Login (figure)

Kerberos Request for Services (figure)

SESAME

Secure European System for Applications in a Multivendor Environment (SESAME) is similar to Kerberos.
− The user is first authenticated to an authentication server and receives a token.
− The token is then presented to a privilege attribute server as proof of identity to gain a privilege attribute certificate.
− Uses public key encryption; adds sophisticated access control features; more scalable encryption systems; improved manageability; auditing features; and options for delegation of responsibility for allowing access.

Virtual Private Networks (VPNs) (1 of 2)

A private and secure network connection between systems that uses the data communication capability of an unsecured and public network. Securely extends an organization’s internal network connections to remote locations. The three VPN technologies defined are as follows:
− Trusted VPN.
− Secure VPN.
− Hybrid VPN (combines trusted and secure).

Virtual Private Networks (VPNs) (2 of 2)

A VPN must accomplish the following:
− Encapsulation of incoming and outgoing data.
− Encryption of incoming and outgoing data.
− Authentication of the remote computer and perhaps the remote user as well.
In the most common implementation, it allows the user to turn the Internet into a private network.

Transport Mode VPNs

Data within the IP packet is encrypted, but the header information is not. Allows the user to establish a secure link directly with the remote host, encrypting only the data contents of the packet. Two popular uses are as follows:
− End-to-end transport of encrypted data.
− A remote access worker connects to the office network over the Internet by connecting to a VPN server on the perimeter.

Transport Mode VPN (figure)

Tunnel Mode VPNs

Establishes two perimeter tunnel servers to encrypt all traffic that will traverse unsecured networks. The entire client package is encrypted and added as the data portion of a packet from one tunneling server to another. The primary benefit of this model is that an intercepted packet reveals nothing about the true destination system.
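The difference between the two modes is easiest to see from the eavesdropper's side. The following added Python example (not the textbook's code) models a packet as a dict, encrypts it once in transport mode and once in tunnel mode between two constructed tunnel-server addresses, and reports what an observer on the unsecured network can learn from each; the cipher is a toy HMAC-based keystream used only so the demo runs offline, not a real VPN cipher.

```python
"""What an on-path observer learns from a transport-mode versus a tunnel-mode VPN
packet. Added example, not the textbook's code. Packets are dicts rather than real
IP headers, and the "cipher" is a toy HMAC-SHA256 keystream so the demo runs offline;
a real VPN uses IPsec or TLS ciphers. All addresses and keys are constructed samples."""
import hashlib
import hmac
import json
from typing import Dict

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with HMAC(key, counter) blocks. Symmetric, so the
    same call decrypts. Demonstration only, not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)

def transport_mode(key: bytes, inner: Dict) -> Dict:
    """Transport mode: only the data is encrypted; the original header stays in clear."""
    return {"src": inner["src"], "dst": inner["dst"],
            "payload": toy_encrypt(key, inner["payload"])}

def tunnel_mode(key: bytes, inner: Dict, tunnel_src: str, tunnel_dst: str) -> Dict:
    """Tunnel mode: the entire inner packet (header and data) becomes the encrypted
    data portion of a new packet addressed between the two tunnel servers."""
    inner_bytes = json.dumps({**inner, "payload": inner["payload"].decode()}).encode()
    return {"src": tunnel_src, "dst": tunnel_dst,
            "payload": toy_encrypt(key, inner_bytes)}

def tunnel_unwrap(key: bytes, outer: Dict) -> Dict:
    """The receiving tunnel server recovers the original packet to forward it inside."""
    inner = json.loads(toy_encrypt(key, outer["payload"]))
    inner["payload"] = inner["payload"].encode()
    return inner

def observer_view(pkt: Dict, true_dst: str, secret: bytes) -> Dict:
    """Everything a packet eavesdropper on the unsecured network can learn."""
    exposed = pkt["dst"] == true_dst or true_dst.encode() in pkt["payload"]
    return {"src": pkt["src"], "dst": pkt["dst"],
            "true_destination_exposed": exposed, "data_readable": secret in pkt["payload"]}

if __name__ == "__main__":
    key = b"constructed-shared-key"
    inner = {"src": "192.168.2.25", "dst": "10.10.10.8",  # remote worker -> internal host
             "payload": b"GET /payroll HTTP/1.1"}
    t = transport_mode(key, inner)
    u = tunnel_mode(key, inner, "203.0.113.5", "198.51.100.9")  # tunnel server endpoints
    print("transport:", observer_view(t, "10.10.10.8", b"payroll"))
    print("tunnel:   ", observer_view(u, "10.10.10.8", b"payroll"))
    assert tunnel_unwrap(key, u) == inner
```

In transport mode the observer cannot read the data but still sees 10.10.10.8 as the destination; in tunnel mode only the two tunnel-server addresses are visible.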
An example of a tunnel mode VPN is Microsoft’s Internet Security and Acceleration (ISA) Server.

Tunnel Mode VPN (figure)

Knowledge Check Activity 3

In _____ mode, the data within an IP packet is encrypted, but the header information is not.
a. tunnel
b. transport
c. public
d. symmetric

Knowledge Check Activity 3: Answer

In _____ mode, the data within an IP packet is encrypted, but the header information is not.
a. tunnel
b. transport
c. public
d. symmetric
Answer: c. transport
In transport mode, the data within an IP packet is encrypted, but the header information is not. This allows the user to establish a secure link directly with the remote host, encrypting only the data contents of the packet. The downside of this implementation is that packet eavesdroppers can still identify the destination system.

Remote Access in the Age of COVID-19

During the COVID-19 pandemic, the need to remotely access information and the corresponding need to secure and support remote communications took on a new significance.
Organizations that never thought about allowing employees to work remotely found themselves forced to revisit their entire approach to the issue. Many organizations succeeded in implementing remote access, using VPNs or other mechanisms to enable employees to access needed information and keep their businesses afloat. Many businesses may yet fail as they struggle to engage customers, employ their workers, and earn a profit. The organizations that remain after the pandemic has subsided will have learned a painful but valuable lesson about enabling remote work.

Summary (1 of 4)

Access control is a process by which systems determine if and how to admit a user into a trusted area of the organization. Mandatory access controls offer users and data owners little or no control over access to information resources. MACs are often associated with a data classification scheme in which each collection of information is rated with a sensitivity level. This type of control is sometimes called lattice-based access control. Nondiscretionary access controls are strictly enforced versions of MACs that are managed by a central authority, whereas discretionary access controls are implemented at the discretion or option of the data user. All access control approaches rely on identification, authentication, authorization, and accountability.

Summary (2 of 4)

Authentication is the process of validating an unauthenticated entity’s purported identity. The three widely used types of authentication factors are something a person knows, something a person has, and something a person is or can produce. Strong authentication requires a minimum of two authentication mechanisms drawn from two different authentication factors. Biometrics is the use of a person’s physiological characteristics to provide authentication for system access. Security access control architecture models illustrate access control implementations and can help organizations quickly make improvements through adaptation. Some models, like the trusted computing base, ITSEC, and the Common Criteria, are evaluation models used to demonstrate the evolution of trusted system assessment. Models such as Bell–LaPadula and Biba ensure that information is protected by controlling the access of one part of a system on another.

Summary (3 of 4)

A firewall is any device that prevents a specific type of information from moving between the outside network, known as the untrusted network, and the inside network, known as the trusted network. Firewalls can be categorized into four groups: packet filtering, MAC layers, application gateways, and hybrid firewalls. Packet-filtering firewalls can be implemented as static filtering, dynamic filtering, and stateful packet inspection firewalls. The three common architectural implementations of firewalls are single bastion hosts, screened hosts, and screened subnets.

Summary (4 of 4)

Firewalls operate by evaluating data packet contents against logical rules. This logical set is most commonly referred to as firewall rules, a rule base, or firewall logic. Content filtering can improve security and assist organizations in improving the manageability of their technology. Dial-up protection mechanisms help secure organizations that use modems for remote connectivity. Kerberos and SESAME are authentication systems that add security to this technology. Virtual private networks enable remote offices and users to connect to private networks securely over public networks.

Self-Assessment

Now that you have learned about firewalls, what do you believe to be the true value of the firewall to a larger organization? What do you think of the ongoing discussion about the deperimeterization of the network (see page 331 of your textbook)? If this turns out to be a watershed development, how will it affect the move to ‘zero trust architecture’ (as described on page 304)?