The document discusses various aspects of physical security and risk mitigation through firewall technologies. It defines firewalls as hardware and software solutions that control network traffic between public and private networks by allowing, denying, or encrypting packets. It describes different types of firewalls, such as network layer firewalls that use access control lists and stateful packet inspection, as well as application layer firewalls that can inspect application layer protocols. The document also discusses firewall features like demilitarized zones, proxy services, and intrusion detection and prevention systems that can further enhance network security.
15 Physical Security and Risk
Physical Security and Risk
By Fanuel Vasco Nyirenda
Content
• Using hardware and software security devices
• Defining firewalls
• Firewall technologies
• Firewalls at the application layer vs network layer
• Scanning services and other firewall features
• Intrusion Detection and Prevention systems
• VPN concentrators
• Understanding problems affecting device security

Using hardware and software security devices
• most security technology solutions are a combination of both software and hardware
• e.g. software embedded within a hardware ROM chip to make the software harder to attack
• includes some combination of internal and perimeter routers plus firewall devices
• internal routers provide security by screening traffic to the more vulnerable parts of a corporate network through a wide array of strategic access lists
[Figure: A secured network]
• the DMZ can use global Internet addresses or private addresses, depending on how you configure your firewall; it holds the HTTP, DNS, email, and other Internet-type corporate servers that outside users want to access
• the DMZ creates a security zone that allows public traffic but is isolated from the company's private network

Defining firewalls
• usually a combination of hardware and software
• the hardware part can be a router, a computer, or a dedicated piece of hardware called a black box that has two NICs, one connecting to the public side and the other to the private side
• the software part is configured to control how the firewall works, scrutinizing each incoming and outgoing packet and rejecting any suspicious ones
• can allow, permit, deny, encrypt, decrypt, and proxy all traffic between the public and private parts of a network, or between different security domains, or zones, on a private network
• can be placed on top of an existing OS or be self-contained
• most have default-deny, allowing only specified network connections

Defining firewalls
• Network-Based Firewalls – protect a company's private network from public networks
  • a combination of hardware and software designed to protect an entire network of computers instead of just one system
  • SOHO networks use less sophisticated firewalls that still provide all of the functionality of an enterprise firewall; these devices may be easier to configure and can still be deployed safely
• Host-Based Firewalls – a software implementation on your personal computer
  • current Windows client OSs have Windows Firewall, which is a great example of a host-based solution
  • aren't as secure as a separate hardware-based solution

Firewall technologies
• differ in the way they restrict information flow
• Access Control Lists – lists of conditions that categorize packets, acting as the first line of defense for any network that's connected to the Internet
  • are packet filters that packets are compared against, categorized by, and then acted on accordingly as directed
  • determine, by IP address, which machines are allowed to use the router and in what direction
  • filter unwanted packets when you're implementing security policies
  • ACLs help mitigate:
    • IP address spoofing, inbound
    • IP address spoofing, outbound
    • Denial of service (DoS) TCP SYN attacks
    • DoS Smurf attacks
  • control which networks will or won't be advertised when applied to dynamic routing protocols instead of interfaces
  • categorize and queue packets for QoS-requiring applications, and control the types of traffic that can activate a pricey backup link
  • applied to either inbound or outbound traffic on any interface

Firewall technologies
• rules by which packets are processed:
  • a packet is always compared with each line of the ACL in sequential order
  • it is compared with subsequent lines of the list until a match is made
  • an implicit "deny" at the end of each ACL discards a packet that doesn't match the condition on any of the lines in the ACL
• main types of ACLs:
  • Standard ACLs – use the source IP address in an IP packet as the condition test, permitting or denying an entire suite of protocols without distinguishing between any of the myriad types of IP traffic like web, Telnet, UDP
  • Extended ACLs – evaluate source and destination IP addresses, the protocol field in the Network layer header, and the port number in the Transport layer header
    • enforce highly specific network traffic control conditions
• ACLs must be applied to an interface as well as to a specific traffic direction:
  • Inbound ACLs – packets are processed through the ACL before being routed to the outbound interface
    • denied packets are discarded before the routing process is complete
  • Outbound ACLs – packets are routed to the outbound interface and then processed through the ACL before being queued
• rules to live by when configuring ACLs on interfaces from the Internet into your production network:
  • Deny any addresses from your internal networks
  • Deny any local host addresses (127.0.0.0/8)
  • Deny any reserved private addresses
  • Deny any addresses in the IP multicast address range (224.0.0.0/4)

Firewall technologies
• Port Security – enforces security at Layer 2 (MAC addresses) by defining a set of addresses that are allowed to access a port where a sensitive device is located
  • sets unused ports to be available only to a preconfigured set of MAC addresses, preventing unauthorized persons from connecting to a secured switch port
• Demilitarized Zone – a network segment that isn't public or local but halfway between the two
  • a standard DMZ setup has two or three network cards: to the Internet, to the network segment where the commonly targeted servers exist, and to your intranet
  • remember to administer your DMZ; permit and deny the ports you want
• Protocol Switching – involves using multiple communication protocols, masking the most vulnerable one.
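The sequential first-match evaluation, the implicit deny, and the "rules to live by" for an Internet-facing inbound ACL described on the ACL slides above, as an added worked example in Python. This is not code from the slides; the `Packet`, `AclEntry`, `evaluate` and `internet_edge_acl` names are mine, and the addresses (documentation ranges) are constructed.

```python
"""Added example (not from the slides): how a packet filter walks an ACL.

Each packet is compared with the ACL lines in order, the first match decides,
and a packet that matches nothing hits the implicit deny at the end.
The sample addresses below are constructed (documentation ranges)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    action: str                          # "permit" or "deny"
    src: IPv4Network                     # a standard ACL tests only this field
    dst: Optional[IPv4Network] = None    # extended-ACL fields; None means "any"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every field the line specifies must match for the line to apply."""
        if ip_address(pkt.src) not in self.src:
            return False
        if self.dst is not None and ip_address(pkt.dst) not in self.dst:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(acl: list[AclEntry], pkt: Packet) -> tuple[str, Optional[int]]:
    """Sequential first-match evaluation. Returns (action, line index),
    or ("deny", None) when the implicit deny at the end discards the packet."""
    for index, entry in enumerate(acl):
        if entry.matches(pkt):
            return entry.action, index
    return "deny", None


ANY = ip_network("0.0.0.0/0")


def internet_edge_acl(internal_nets: list[str], web_server: str) -> list[AclEntry]:
    """Inbound ACL for the Internet-facing interface, built from the slide's
    'rules to live by': deny packets claiming to come from your own networks,
    from loopback (127.0.0.0/8), from the reserved private ranges and from the
    multicast range (224.0.0.0/4) before permitting the services you expose."""
    acl = [AclEntry("deny", ip_network(net)) for net in internal_nets]
    acl += [AclEntry("deny", ip_network(net)) for net in (
        "127.0.0.0/8",                                    # local host addresses
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
        "224.0.0.0/4",                                    # IP multicast
    )]
    # Only the published web server, only HTTPS/HTTP; everything else falls
    # through to the implicit deny.
    server = ip_network(web_server + "/32")
    acl.append(AclEntry("permit", ANY, server, "tcp", 443))
    acl.append(AclEntry("permit", ANY, server, "tcp", 80))
    return acl


if __name__ == "__main__":
    acl = internet_edge_acl(["203.0.113.0/24"], "203.0.113.10")
    for pkt in (Packet("198.51.100.7", "203.0.113.10", "tcp", 443),   # legitimate
                Packet("203.0.113.50", "203.0.113.10", "tcp", 443),   # spoofed internal source
                Packet("10.1.2.3", "203.0.113.10", "tcp", 443),       # private source
                Packet("198.51.100.7", "203.0.113.10", "tcp", 22)):   # unpublished port
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, evaluate(acl, pkt))
```

The order of the deny lines matters only among themselves for logging (a spoofed 10.0.0.0/8 source hits line 2, not line 1), but every deny must precede the permits: a permit placed first would match before the anti-spoofing checks are ever reached.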
  Protocol-switching methods include:
  • using a protocol other than TCP/IP on the internal network inside the firewall, like IPX
  • using TCP/IP on the internal network and a different protocol like IPX in a dead zone between the internal network and the Internet
• Dynamic Packet Filtering – the ability of a router or a firewall to discard packets that don't meet the right criteria
  • ensures that the packets they forward match sessions initiated on their private side
  • a dynamic state list or state table keeps track of all communication sessions between stations inside and outside the firewall
  • only packets for valid and current sessions are allowed to pass

Firewall technologies
• Proxy Services – separate packets from internal hosts and external hosts on behalf of the whole network
  • take a client's request, examine it, break it down, and create a new packet requesting information from the external server
  • the exchange occurs between applications at the Application layer of the OSI model
  • dissect a packet to scrutinize for invalid data at each and every layer of the OSI model: packet header, content, and attachments for viruses
  • degrade overall performance by checking state lists
• types of proxy servers include:
  • IP Proxy – hides the internal network IP addresses by exchanging its IP address for the address of any requesting station
    • also called Network Address Translation (NAT) proxies
  • Web (HTTP) Proxy – handles HTTP requests on behalf of the sending workstation
    • the workstation's browser sends the request to the proxy server, which changes the From address to its own and sends it to the Internet web server
    • a proxy cache server caches a copy of the page locally and delivers it to requesting clients locally, thereby speeding up web surfing for commonly accessed pages
  • FTP Proxy – uploads and downloads files from a server on behalf of a workstation
    • operates in a fashion similar to a web proxy and can filter out undesirable content
  • SMTP Proxy – handles Internet email
    • packet contents and mail can be automatically searched, with material that is not considered secure being blocked
[Figure: Firewall with a DMZ]
[Figure: Protocol switching with and without a dead zone]
[Figure: Hacker denied by a dynamic state list]
[Figure: A packet going to a proxy]

Firewalls at the application layer vs network layer
• the first firewalls operated at the Network layer and were called packet-filter firewalls
• there are two types of Network layer firewalls: stateful and stateless
• stateless – a basic packet filter that doesn't examine whether a packet is stand-alone or part of a bigger message stream
  • has no idea whether a packet is legitimate or a rogue packet trying to sneak by
  • susceptible to various DoS attacks and IP spoofing
  • uses less memory and is best used on an internal network where security threats are lower and there are few restrictions
• stateful – keeps track of the various data streams passing through it
  • prevents network attacks that exploit existing connections, or DoS attacks
  • uses the TCP three-way handshake
  • logs established connections in the state table
  • tends to be a bit slower at establishing connections and faster after the connection is established, via stateful packet inspection

Application Layer Firewalls
• more powerful than stateful and stateless firewalls
• they inspect data in the IP header and read data at the Application layer, letting them know which application layer protocols are in use, such as HTTP, FTP, SMTP
• they are slower because they read more information
• allow setting up proxy rules for multiple applications on the same firewall
• also handle complex protocols such as H.323, used for VoIP

Scanning services and other firewall features
Default scanning settings (mail):
Category   Protocol        Function
Mail       SMTP and POP3   Scans all scannable files in an email
Mail       SMTP and POP3   Rejects all messages larger than 15MB
Mail       SMTP            Rejects messages addressed to more than 100 recipients
Mail       SMTP            Cleans emails or attachments containing malware, and attaches a notification that the malware was deleted
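The dynamic state list from the "Firewall technologies" slide and the stateless-versus-stateful contrast from the "Firewalls at the application layer vs network layer" slide above, as an added worked example in Python (not code from the slides). It puts a stateless "established" rule next to a state-table filter on a constructed TCP exchange; the `Segment`, `stateless_allow`, `StatefulFilter` and `run_exchange` names and all addresses are mine.

```python
"""Added example (not from the slides): a dynamic state table beside a
stateless 'established' rule, run over a constructed TCP exchange.

The stateless rule lets in any packet that carries the ACK flag, so it cannot
tell a server's reply from a forged packet. The stateful filter only passes
inbound packets that belong to a session the inside host opened with a
three-way handshake and that is recorded in the state table."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def stateless_allow(seg: Segment, direction: str) -> bool:
    """Packet-filter rule 'permit tcp any any established': outbound is free,
    inbound is accepted whenever ACK is set. No memory of any session."""
    return direction == "out" or "ACK" in seg.flags


class StatefulFilter:
    """Tracks sessions initiated on the private side; inbound packets must
    match a current entry in the state table or they are dropped."""

    def __init__(self) -> None:
        self.table: dict[tuple, str] = {}   # session key -> state

    @staticmethod
    def _key(seg: Segment, direction: str) -> tuple:
        # Normalise so both directions of one session share an entry,
        # keyed as (inside host, inside port, outside host, outside port).
        if direction == "out":
            return (seg.src, seg.sport, seg.dst, seg.dport)
        return (seg.dst, seg.dport, seg.src, seg.sport)

    def allow(self, seg: Segment, direction: str) -> bool:
        key = self._key(seg, direction)
        state = self.table.get(key)
        f = seg.flags
        if "RST" in f and state is not None:        # tear down a known session
            del self.table[key]
            return True
        if direction == "out":
            if state is None:                       # a new session must start with SYN
                if f == {"SYN"}:
                    self.table[key] = "SYN_SENT"
                    return True
                return False
            if state == "SYN_RECEIVED" and "ACK" in f:
                self.table[key] = "ESTABLISHED"     # handshake complete
                return True
            return state == "ESTABLISHED"
        if state is None:                           # inbound with no entry: unsolicited
            return False
        if state == "SYN_SENT" and f == {"SYN", "ACK"}:
            self.table[key] = "SYN_RECEIVED"
            return True
        return state == "ESTABLISHED"


def run_exchange(fw: StatefulFilter) -> list[tuple[str, bool, bool]]:
    """Constructed exchange: inside host 192.168.1.10 opens a session to
    198.51.100.20:443, then an outside host sends a forged ACK and a fresh SYN.
    Returns (label, stateless decision, stateful decision) per packet."""
    inside, outside, rogue = "192.168.1.10", "198.51.100.20", "198.51.100.99"
    steps = [
        ("syn out",       "out", Segment(inside, 40000, outside, 443, frozenset({"SYN"}))),
        ("syn-ack in",    "in",  Segment(outside, 443, inside, 40000, frozenset({"SYN", "ACK"}))),
        ("ack out",       "out", Segment(inside, 40000, outside, 443, frozenset({"ACK"}))),
        ("data in",       "in",  Segment(outside, 443, inside, 40000, frozenset({"ACK"}))),
        ("forged ack in", "in",  Segment(rogue, 443, inside, 40000, frozenset({"ACK"}))),
        ("rogue syn in",  "in",  Segment(rogue, 51234, inside, 22, frozenset({"SYN"}))),
    ]
    return [(label, stateless_allow(seg, d), fw.allow(seg, d)) for label, d, seg in steps]


if __name__ == "__main__":
    for label, stateless, stateful in run_exchange(StatefulFilter()):
        print(f"{label:14} stateless={stateless!s:5} stateful={stateful}")
```

The fifth packet is the one the slide's figure "Hacker denied by a dynamic state list" is about: it has the right inside address and port and a set ACK flag, so the stateless rule passes it, but no session with that outside host was ever opened from inside, so the state table rejects it.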
Default scanning settings (web):
Category   Protocol        Function
Web        HTTP            Scans all file downloads
Web        HTTP            Scans web mail sites for AOL, MSN, Google, and Yahoo!
Web        FTP             Scans all file transfers
Web        HTTP and FTP    Skips scanning of files larger than 50MB; can also enable deferred scanning
Web        HTTP and FTP    Cleans files in which malware is detected; deletes files that cannot be cleaned

Content Filtering
• means blocking data based on the content of the data rather than the source of the data
• commonly used to filter email and website access
• used to protect against hateful material or pornography
• also important in places like schools
• ways to filter content:
  • Attachment (such as EXE files)
  • Bayesian
  • Content-encoding
  • Email headers
  • Language
  • Phrases
  • Proximity of words to each other
  • URLs
• Signature Identification – uses signatures to identify a virus and remove it
  • network attacks have signatures as well, e.g. a router getting hit by large numbers of SYN requests; an inundation of SYN traffic is the signature of a SYN flood
• Context Awareness – takes into consideration the context in which traffic is arriving at the firewall
  • can detect different applications, users, and devices, not just IP addresses
  • tracks how applications are used across a range of devices, e.g. tracks and/or prevents the posting or sharing of videos on Facebook using an iPhone, PC, or other device
  • enables companies to enforce policies, like not allowing a specific group of employees to access games on iPads
• Virtual Wire vs Routed – a virtual wire is when the firewall is connected between a trusted and an untrusted section of a network
  • virtual wire firewall interfaces do not need IP addresses
  • security zones are defined on the physical interfaces of the virtual wire pair, and neither routing nor switching is done, only deep packet inspection and enforcement of firewall policy
• Zones – individual areas of the network that are configured with a specific trust level
  • firewalls regulate the flow of traffic between zones
  • the higher the trust level, the less scrutiny you place on data coming from a computer in that zone
  • Internet Explorer deals with four zones, each configured with a different security level: Internet, Local Intranet, Trusted Sites, and Restricted Sites
  • IE has three default security levels for the Internet: High, Medium, and Low, with "High" meaning low trust
  • the security level can be customized to specify behavior for .NET Framework components, ActiveX controls and plug-ins, downloads, scripting, user authentication, and several other options
[Figure: Virtual wire]
[Figure: Internet Options Security tab]
[Figure: Custom security settings]

Intrusion Detection and Prevention systems
• an IDS performs detective work
• an IDS is an auditing tool that tracks network activities in order to see if someone has been trespassing
• sometimes combined with firewalls
• uses two ways to detect attacks or intrusions: signature-based or misuse-detection IDS, and anomaly-detection IDS
  • misuse-detection (MD-IDS) – works by looking for fingerprints indicating strange or abusive use of the network
  • anomaly-detection (AD-IDS) – watches for anything out of the ordinary, discovering fingerprints where there shouldn't be any
    • learns by keeping track of and building a history of network activities, establishing norms against which unusual activity is compared
• has three elements, on the same device or implemented on multiple devices:
  • sensors – detect events
  • console – to control and configure the sensors and monitor events
  • database – records the events
[Figure: MD-IDS system in action]

Common types of IDS implementations
• Network-Based IDS – a device attached to the network via a machine like a switch or directly via a tap
  • capable of attaching to the network both outside and inside the firewall
• an IDS responds to an intrusion either passively or actively
  • passive responses include:
    • Logging – records information, which is used to stop future attacks of the same type
    • Notification – sends an alert to one or more administrators
    • Shunning – ignores the attack
  • active responses include:
    • Changing Network Configuration – closes the port either temporarily or permanently
      • may close out legitimate traffic
    • Terminating Sessions – forces all sessions to close and restart; delays legitimate traffic
    • Deceiving the Attacker – tricks the bad guy into thinking their attack is really working when it's not
      • the system logs information about the attack and the methods used
      • uses a honeypot or a group of servers (called a honeynet) to which the hacker is directed, to keep their interest longer

Common types of IDS implementations
• Host-Based IDS – runs on one computer to detect abnormalities on that system alone by monitoring applications, system logs, and event logs
  • typically implemented on servers
• Protocol-Based IDS – monitors traffic for one protocol on one server
• Application Protocol-Based IDS – monitors traffic for a group of servers running the same application, such as SQL
• Hybrid IDS – combines one or more IDS technologies
[Figure: IDS connected to the network]
[Figure: Honeypot]

Vulnerability Scanners
• determine if security holes exist in the network
• Nessus – a proprietary scanning program that requires a commercial license
  • normally executed from the command line because it's included in batch files to automate its operation on a schedule
  • output is reported in formats such as plain text, HTML, and XML
  • operates by performing a port scan, identifying such weaknesses as:
    • Unsecured access to sensitive data on a system
    • Misconfigurations like open mail relay and missing patches
    • Password issues such as the use of default passwords, common passwords, and blank passwords on system accounts
• NMAP (Network Mapper) – originally intended simply to identify devices on the network for the purpose of creating a network diagram
  • performs port scanning
  • identifies versions of network services in operation on the network
  • identifies operating systems
  • can be used from the command line as well as with web-based interfaces to be controlled remotely

Unified Threat Management (UTM)
• UTM devices perform multiple security functions within the same appliance:
  • Network firewalling
  • Network intrusion prevention
  • Gateway antivirus
  • Gateway anti-spam
  • VPN
  • Content filtering
  • Load balancing
  • Data leak prevention
  • On-appliance reporting
• has the advantage that administering multiple systems is no longer necessary
• creates a single point of failure

VPN concentrators
• create remote access for virtual private networks, either for users logging in remotely or for a large site-to-site VPN
• allow higher data throughput and provide encryption using IPsec or SSL
• Cisco VPN concentrators support from 100 users up to 10,000 simultaneous remote-access connections
• support authentication via Microsoft's Active Directory; Kerberos; Remote Authentication Dial In User Service (RADIUS); Rivest, Shamir, and Adleman (RSA); and digital certificates
• provide a built-in authentication server that allows implementation of ACLs
[Figure: VPN concentrator in a network]

Understanding problems affecting device security
• includes physical security and the corresponding logical security structures, restricting access, and which types of protocols are to be used on your network and which are not

Physical Security
• Physical Barriers – keep unauthorized people from physically getting to your equipment
  • a multiple-barrier system could have a perimeter security system controlling access to the building, a secured door to the computer room, and a security door to the server room
• Security Zones – involves segmenting physical access to the computers, requiring RFID badges in order for employees to be allowed access to buildings
  • may need a safety clearance and/or certification before access to computers is granted
• Mantraps – a series of two doors with a small room between them
  • the user is authenticated at the first door and then allowed into the room
  • a guard visually identifies the person, and then they are allowed through the second door
• Network Closets – store infrastructure devices and should be locked as securely as the server room, through mechanisms such as cipher doors or proximity locks

Physical Security
• Video Monitoring – enables visual monitoring of an area 24 hours a day
  • common deployment options include IP cameras and CCTV systems
  • IP cameras – used both for surveillance of the facility and for facilitating collaboration
  • CCTV systems – analog closed-circuit television (CCTV) cameras record directly to a medium such as video tape or a hard drive
• Door Access Controls – used to prevent physical access to important infrastructure devices
• Proximity Readers/Key Fob – door controls that read a card from a short distance and are used to control access to sensitive rooms
  • provide a log of all entries and exits
  • the card contains the user information required to authenticate and authorize user entry to a room
  • a key fob is a small hardware device with built-in authentication mechanisms for controlling access to network services and information
  • can support multifactor authentication

Physical Security
• Biometrics – operate using characteristic factors [something that you are (fingerprint, iris scan)] and behavioral factors [something that you do (signature analysis)]
  • dual-factor authentication requires two factors to be tested, while multi-factor tests more than two factors, characteristics or behaviours
  • present issues of false positives and false negatives: a user that should not be allowed access being allowed access, and an authorized individual being denied passage by mistake
• Keypad/Cypher Locks – require a user to know a key code
  • the lock can have a set time for opening the door as well as a battery standby system
  • has three types of alarm systems: indicating the door is breached, revealing someone tried to guess the code, and indicating that entry was made under duress/pressure/force
• Security Guard – offers flexibility in reacting to whatever occurs
  • must be trained with a response to every conceivable eventuality
  • can use discriminating judgment in a situation, which an automated system cannot
[Figure: A three-layer security model]
[Figure: Mantrap]

Logical Security Configurations
• achieved by having a solid firewall and an IDS or IPS
[Figure: Network divided into security zones]
[Figure: Routers dividing a network into security zones]

Risk-Related Concepts
• Disaster Recovery – a disaster is an emergency that goes beyond the normal response of resources, caused by:
  • Technological disasters (device failures)
  • Manmade disasters (arson, terrorism, sabotage)
  • Natural disasters (hurricanes, floods, earthquakes)
  • the severity of financial and reputational damage is determined by the time taken to recover from the disaster
  • a properly designed disaster recovery plan (DRP) minimizes the effect of a disaster
  • the DRP is implemented when an emergency occurs and includes the steps to restore functions and systems so the organization can resume normal operations
  • the DRP's goal is to prevent property damage and prevent loss of life
• Business Continuity – deals with identifying the impact of any disaster and ensuring that a viable recovery plan for each function and system is implemented
  • ensures that mission-critical systems are recovered first and luxuries as time allows
  • a business impact analysis is a document in which the impact each system has on the ability of the organization to stay operational is determined
  • lists the critical and necessary business functions, their resource dependencies, and their level of criticality to the overall organization

Risk-Related Concepts
• Battery Backups/UPS – supply power from a battery backup when a loss of power is detected
  • provide power long enough to either shut the system down gracefully or turn on a power generator
• First Responders – the first person to discover a data breach or other security incident
• Data Breach – a risk that the organization should always be prepared to address

Risk-Related Concepts
• End User Awareness and Training – users should be trained in how to respond to every eventuality
  • the following teams should be assembled and trained before a disaster:
    • Damage assessment team
    • Legal team
    • Media relations team
    • Recovery team
    • Relocation team
    • Restoration team
    • Salvage team
    • Security team
  • a tabletop exercise is an informal brainstorming session that encourages participation from business leaders and other key employees; the participants agree on a particular disaster scenario upon which they will focus
• Single Point of Failure – all single points of failure should be identified
  • the process identifies critical assets and nodes, and is followed by providing redundancy

Risk-Related Concepts
• Critical Nodes – individual or grouped systems without which the organization cannot operate
  • dictate the need for redundancy
• Critical Assets – need to be identified, and an action plan developed that recognizes their importance
• Redundancy – is when a secondary component, system, or device takes over when the primary unit of a mission-critical system fails
  • systems include redundant servers, redundant routers, redundant internal hardware, and even redundant backbones
  • Redundant Array of Independent Disks (RAID) is a technology that allows for automatic recovery from a hard drive failure in a system
  • RAID forms are:
    • RAID-0 (disk striping) – writes the data across multiple drives; it does not provide fault tolerance
    • RAID-1 (mirroring) – uses two disks and writes a copy of the data to both disks, providing fault tolerance in the case of a single drive failure
    • RAID-5 (striped with parity) – requires at least three drives; writes the data across all drives, and then parity information is also written across all drives
[Figure: RAID-0, RAID-1, RAID-5]

Risk-Related Concepts
• Adherence to Standards and Policies – policies and standards communicate to employees the behavior expected from them in various situations
• Vulnerability Scanning – scans designed to identify any existing security vulnerabilities
  • a scanner probes for security weaknesses including misconfigurations, out-of-date software, missing patches, and open ports
  • Nessus is an example of a proprietary vulnerability scanner
• Penetration Testing – simulates an attack on a system, network, or application to discover security holes that may have gone unnoticed
  • strategies for testing include:
    • Blind Test – the testing team is provided with limited knowledge of the network systems and devices, using publicly available information (requires more effort by the testing team)
    • Double-Blind Test – like a blind test, except the organization's security team does not know that an attack is coming
    • Target Test – both the testing and the organization's security teams are given maximum information about the network and the type of test that will occur
[Figure: Nessus window (vulnerability scanner)]
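The RAID-5 "striped with parity" layout from the Redundancy slide above, carried through as an added worked example in Python (not code from the slides). It stripes a payload across three or more drives with rotating parity, then drops one drive and rebuilds its blocks from the XOR of the survivors; the block size, function names (`raid5_write`, `raid5_read`, `parity_drive_for`) and payload are my own choices.

```python
"""Added example (not from the slides): why RAID-5 survives a single drive
failure and how a lost block is rebuilt.

Data is striped across all drives and a parity block rotates through them
(the slide's "striped with parity"). Parity is the XOR of the other blocks in
the stripe, so any one missing block, data or parity, is the XOR of the
survivors. The drive layout and sample payload are constructed."""
from __future__ import annotations
from typing import Optional

BLOCK = 4  # bytes per block; tiny so a stripe is easy to inspect


def xor_blocks(blocks: list[bytes]) -> bytes:
    out = bytes(BLOCK)
    for b in blocks:
        out = bytes(x ^ y for x, y in zip(out, b))
    return out


def parity_drive_for(stripe: int, ndrives: int) -> int:
    """Rotate the parity block one drive to the left on each stripe so that
    no single drive becomes the parity bottleneck."""
    return (ndrives - 1 - stripe) % ndrives


def raid5_write(data: bytes, ndrives: int) -> list[list[bytes]]:
    """Return drives[drive][stripe]; each stripe holds ndrives-1 data blocks
    plus one parity block. Short payloads are zero-padded to a whole stripe."""
    if ndrives < 3:
        raise ValueError("RAID-5 requires at least three drives")
    per_stripe = (ndrives - 1) * BLOCK
    nstripes = -(-len(data) // per_stripe)              # ceiling division
    data = data.ljust(nstripes * per_stripe, b"\0")
    drives: list[list[bytes]] = [[] for _ in range(ndrives)]
    for s in range(nstripes):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i:i + BLOCK] for i in range(0, per_stripe, BLOCK)]
        parity = parity_drive_for(s, ndrives)
        next_block = iter(blocks)
        for d in range(ndrives):
            drives[d].append(xor_blocks(blocks) if d == parity else next(next_block))
    return drives


def raid5_read(drives: list[Optional[list[bytes]]], length: int) -> bytes:
    """Reassemble `length` bytes. A failed drive is passed as None; each of its
    blocks is rebuilt as the XOR of the surviving blocks in that stripe."""
    ndrives = len(drives)
    failed = [i for i, d in enumerate(drives) if d is None]
    if len(failed) > 1:
        raise ValueError("RAID-5 tolerates only a single drive failure")
    nstripes = len(next(d for d in drives if d is not None))
    out = bytearray()
    for s in range(nstripes):
        stripe = [None if d is None else d[s] for d in drives]
        if failed:
            stripe[failed[0]] = xor_blocks([b for b in stripe if b is not None])
        parity = parity_drive_for(s, ndrives)
        for d in range(ndrives):
            if d != parity:
                out += stripe[d]
    return bytes(out[:length])


if __name__ == "__main__":
    payload = b"The quick brown fox jumps over the lazy dog"
    drives = raid5_write(payload, 3)
    drives[1] = None                                    # simulate losing drive 1
    print(raid5_read(drives, len(payload)) == payload)  # rebuilt from parity
```

The second `ValueError` is the slide's limit in code form: with two drives missing, each stripe lacks two of its blocks and one XOR equation cannot recover both, which is why a second failure before the rebuild completes loses data.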
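The two IDS detection methods from the "Intrusion Detection and Prevention systems" slide, applied to the SYN-flood signature named on the "Content Filtering" slide (large numbers of SYN requests arriving at one host), as an added example in Python that is not part of the original slides. It runs a misuse-detection rule and an anomaly-detection baseline over constructed connection-log lines; the log format, thresholds and the `syn_counts`, `signature_alerts`, `anomaly_alerts` and `analyze` names are mine.

```python
"""Added example (not from the slides): a signature (MD-IDS) check and an
anomaly (AD-IDS) check for a SYN flood, run over constructed log lines.

Signature: a destination receiving many bare SYNs in one second from many
sources matches the SYN-flood fingerprint. Anomaly: the per-second SYN rate
is compared with a baseline learned from earlier, normal traffic."""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Optional

# Constructed log format: "<ISO time> <src>:<sport> > <dst>:<dport> <flags>"
LINE = re.compile(r"^(\S+) (\S+):(\d+) > (\S+):(\d+) (\S+)$")


def parse(line: str) -> Optional[dict]:
    m = LINE.match(line)
    if not m:
        return None                     # unparseable line: skip, do not crash the sensor
    return {"ts": datetime.fromisoformat(m.group(1)), "src": m.group(2),
            "dst": m.group(4), "dport": int(m.group(5)), "flags": m.group(6)}


def syn_counts(lines: list[str]) -> dict:
    """(dst, second) -> [bare-SYN count, set of source addresses]."""
    counts: dict = defaultdict(lambda: [0, set()])
    for line in lines:
        r = parse(line)
        if r and r["flags"] == "S":     # "S" alone = connection request, no ACK
            key = (r["dst"], r["ts"].replace(microsecond=0))
            counts[key][0] += 1
            counts[key][1].add(r["src"])
    return counts


def signature_alerts(counts: dict, min_syns: int = 20, min_sources: int = 10) -> list:
    """MD-IDS: a fixed fingerprint. Returns (dst, second, syns, distinct sources)."""
    return [(dst, ts.isoformat(), n, len(srcs))
            for (dst, ts), (n, srcs) in sorted(counts.items())
            if n >= min_syns and len(srcs) >= min_sources]


def anomaly_alerts(counts: dict, train_until: datetime, k: float = 3.0) -> list:
    """AD-IDS: learn each destination's normal SYN rate from the seconds before
    train_until, then flag later seconds above mean + k*stddev (with a floor
    of mean + 5 so a perfectly regular baseline does not alert on noise)."""
    history: dict = defaultdict(list)
    for (dst, ts), (n, _) in counts.items():
        if ts < train_until:
            history[dst].append(n)
    alerts = []
    for (dst, ts), (n, _) in sorted(counts.items()):
        if ts < train_until or dst not in history:
            continue
        base = history[dst]
        threshold = max(mean(base) + k * pstdev(base), mean(base) + 5)
        if n > threshold:
            alerts.append((dst, ts.isoformat(), n, threshold))
    return alerts


def analyze(lines: list[str], train_until_iso: str) -> dict:
    counts = syn_counts(lines)
    return {"signature": signature_alerts(counts),
            "anomaly": anomaly_alerts(counts, datetime.fromisoformat(train_until_iso))}


def build_sample_log() -> list[str]:
    """Constructed traffic: ten seconds of ordinary connections (three per
    second, each SYN followed by an ACK), then one second in which 40
    different sources each send a bare SYN to the web server."""
    lines = []
    for sec in range(10):
        for i in range(3):
            src = f"198.51.100.{sec * 3 + i + 1}"
            lines.append(f"2024-03-01T09:00:{sec:02d} {src}:{50000 + i} > 203.0.113.10:443 S")
            lines.append(f"2024-03-01T09:00:{sec:02d} {src}:{50000 + i} > 203.0.113.10:443 A")
    for i in range(40):
        lines.append(f"2024-03-01T09:00:10 192.0.2.{i + 1}:{40000 + i} > 203.0.113.10:443 S")
    return lines


if __name__ == "__main__":
    print(analyze(build_sample_log(), "2024-03-01T09:00:10"))
```

The signature rule needs no history but only fires on the pattern it was written for; the anomaly rule catches a burst of any shape but depends on the training window being clean, which is the AD-IDS trade-off the slide describes.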