Network Security

Network security is implemented with various technologies, including firewalls, intrusion detection systems (IDSs) and intrusion prevention systems (IPSs), remote access authentication mechanisms, and Virtual Private Networks (VPNs).

Tip: Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are sometimes referred to as intrusion detection and prevention systems (IDPS).

Firewalls

A firewall controls traffic flow between a trusted network (such as a corporate LAN) and an untrusted or public network (such as the Internet). A firewall can comprise hardware, software, or a combination of both hardware and software. The CISSP candidate must understand the various types of firewalls and common firewall architectures.

Firewall types

Three basic classifications of firewalls have been established: packet-filtering, circuit-level gateway, and application-level gateway.

Instant answer: Three basic types of firewalls are packet-filtering, circuit-level gateway, and application-level gateway.

Packet-filtering

A packet-filtering firewall (or screening router), one of the most basic (and inexpensive) types of firewalls, is ideally suited for a low-risk environment. A packet-filtering firewall permits or denies traffic based solely on the TCP, UDP, ICMP, and IP headers of the individual packets. It examines the traffic direction (inbound or outbound), the source and destination IP addresses, and the source and destination TCP or UDP port numbers. This information is compared with predefined rules that have been configured in an access control list (ACL) to determine whether a packet should be permitted or denied. A packet-filtering firewall typically operates at the Network Layer or Transport Layer of the OSI model. Some advantages of a packet-filtering firewall are that

• It’s inexpensive. (It can be implemented as a router ACL, which is free — the ACL, not the router!)

• It’s fast and flexible.

• It’s transparent to users.

Disadvantages of packet-filtering firewalls are that

• Access decisions are based only on address and port information, rather than more sophisticated information such as context or application.

• It has no protection from IP or DNS address spoofing (forged addresses).

• It doesn’t support strong user authentication.

• Configuring and maintaining ACLs can be difficult.

• Logging information may be limited.

A more advanced variation of the packet-filtering firewall is the dynamic packet-filtering firewall. This type of firewall supports dynamic modification of the firewall rule base by using context-based access control (CBAC) or reflexive ACLs — both of which create dynamic access list rules for individual sessions as they are established. For example, an ACL might be automatically created to allow a user working from the corporate network (inside the firewall) to connect to an FTP server outside the firewall in order to upload and download files between her PC and the FTP server. When the file transfer is completed, the ACL is automatically deleted from the firewall.
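As an added illustration (not code from the book), the toy packet filter below shows static ACL rules that match on direction, protocol, addresses and ports, plus a reflexive entry that is created when a permitted outbound FTP control session starts and deleted again when it ends. The addresses, rule fields and the demo() function are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" (arriving from the untrusted side) or "out"
    proto: str                  # "tcp", "udp" or "icmp"
    src: str                    # source IP address
    dst: str                    # destination IP address
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    direction: str
    proto: str
    src: str                    # CIDR block, e.g. "10.0.0.0/8"
    dst: str                    # CIDR block; "0.0.0.0/0" means any
    dport: Optional[int] = None  # None matches any port
    sport: Optional[int] = None
    reflect: bool = False       # on a permit, open a mirror entry for the reply path

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction and p.proto == self.proto
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or p.dport == self.dport)
                and (self.sport is None or p.sport == self.sport))


def mirror_of(p: Packet) -> Rule:
    # The reply path of an outbound session: from the server's address and port
    # back to the client's address and port, inbound, this protocol only.
    return Rule("permit", "in", p.proto, f"{p.dst}/32", f"{p.src}/32",
                dport=p.sport, sport=p.dport)


class PacketFilter:
    def __init__(self, static_rules: List[Rule]):
        self.static = static_rules
        self.dynamic: List[Rule] = []   # per-session entries created at runtime

    def decide(self, p: Packet) -> str:
        # Session entries are checked before the static ACL; first match wins and
        # a packet that matches nothing is implicitly denied.
        for rule in self.dynamic + self.static:
            if rule.matches(p):
                if rule.action == "permit" and rule.reflect and mirror_of(p) not in self.dynamic:
                    self.dynamic.append(mirror_of(p))
                return rule.action
        return "deny"

    def close_session(self, p: Packet) -> None:
        # Called when the session ends; the reply-path entry is deleted again.
        self.dynamic = [r for r in self.dynamic if r != mirror_of(p)]


def demo() -> dict:
    # Static ACL: inside users may open FTP control connections (tcp/21) to any
    # outside host. No inbound traffic is permitted statically.
    fw = PacketFilter([
        Rule("permit", "out", "tcp", "10.0.0.0/8", "0.0.0.0/0", dport=21, reflect=True),
    ])
    request = Packet("out", "tcp", "10.0.0.5", "203.0.113.7", sport=40000, dport=21)
    reply = Packet("in", "tcp", "203.0.113.7", "10.0.0.5", sport=21, dport=40000)
    probe = Packet("in", "tcp", "203.0.113.7", "10.0.0.5", sport=21, dport=22)
    results = {"reply_before_session": fw.decide(reply)}    # deny: no session yet
    results["request"] = fw.decide(request)                  # permit; mirror entry added
    results["reply_during_session"] = fw.decide(reply)       # permit via mirror entry
    results["probe_during_session"] = fw.decide(probe)       # deny: not the mirrored session
    fw.close_session(request)
    results["reply_after_close"] = fw.decide(reply)          # deny: entry removed
    return results
```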

Circuit-level gateway

A circuit-level gateway controls access by maintaining state information about established connections. When a permitted connection is established between two hosts, a tunnel (or virtual circuit) is created for the session, allowing packets to flow freely between the two hosts without the need for further inspection of individual packets. This type of firewall operates at the Session Layer (Layer 5) of the OSI model.

Advantages of this type of firewall include

• Speed (After a connection is established, individual packets aren’t analyzed.)

• Support for many protocols

• Easy maintenance

Disadvantages of this type of firewall include

• Dependence on the trustworthiness of the communicating users or hosts. (After a connection is established, individual packets aren’t analyzed.)

• Limited logging information about individual data packets is available after the initial connection is established.

A stateful inspection firewall is a type of circuit-level gateway that captures data packets at the Network Layer and then queues and analyzes (examines the state and context of) these packets at the upper layers of the OSI model.

Application-level gateway

An application-level (or Application Layer) gateway operates at the Application Layer of the OSI model, processing data packets for specific IP applications. This type of firewall is generally considered the most secure and is commonly implemented as a proxy server. In a proxy server, no direct communication between two hosts is permitted. Instead, data packets are intercepted by the proxy server, which analyzes the packet’s contents and — if permitted by the firewall rules — sends a copy of the original packet to the intended host.

Advantages of this type of firewall include

• Data packets aren’t transmitted directly to communicating hosts, a tactic that masks the internal network’s design and prevents direct access to services on internal hosts.

• It can be used to implement strong user authentication in applications.

Disadvantages of this type of firewall include

• It reduces network performance because every packet must be passed up to the Application Layer of the OSI model to be analyzed.

• It must be tailored to specific applications. (Such customization can be difficult to maintain or update for new or changing protocols.)

Firewall architectures

The basic firewall types that we discuss in the preceding sections may be implemented by using one of the firewall architectures described in the following sections. The four basic types of firewall architectures are screening router, dual-homed gateway, screened-host gateway, and screened-subnet.

Screening router

A screening router is the most basic type of firewall architecture employed. An external router is placed between the untrusted and trusted networks, and a security policy is implemented by using ACLs. Although a router functions as a choke point between a trusted network and an untrusted network, an attacker — after gaining access to a host on the trusted network — may potentially be able to compromise the entire network.

Advantages of a screening router architecture include these:

• It’s completely transparent.

• It’s relatively simple to use and inexpensive.

Disadvantages of the screening router architecture include these:

• It may have difficulty handling certain traffic.

• It has limited or no logging available.

• It doesn’t employ user authentication.

• It makes masking the internal network structure difficult.

• It has a single point of failure.

• It doesn’t truly implement a firewall choke-point strategy because it isn’t truly a firewall or a choke-point — it’s a router that passes traffic between two networks (the “private” and “public” network).

Still, using a screening router architecture is better than using nothing.

Dual-homed gateways

Another common firewall architecture is the dual-homed gateway. A dual-homed gateway (or bastion host) is a system that has two network interfaces (NICs) and sits between an untrusted network and a trusted network. A bastion host is a general term often used to refer to proxies, gateways, firewalls, or any server that provides applications or services directly to an untrusted network. Because it’s often the target of attackers, a bastion host is sometimes referred to as a sacrificial lamb.

However, this term is misleading because a bastion host is typically a hardened system that employs robust security mechanisms. A dual-homed gateway is often connected to the untrusted network via an external screening router. The dual-homed gateway functions as a proxy server for the trusted network and may be configured to require user authentication. A dual-homed gateway offers a more fail-safe operation than a screening router does because, by default, data isn’t normally forwarded across the two interfaces. Advantages of the dual-homed gateway architecture include

• It operates in a fail-safe mode — if it fails, it allows no access, rather than allowing full access for everyone.

• Internal network structure is masked.

Disadvantages of the dual-homed gateway architecture include

• Its use may inconvenience users by requiring them to authenticate to a proxy server or by introducing latency in the network.

• Proxies may not be available for some services.

• Its use may cause slower network performance.

Screened-host gateways

A screened-host gateway architecture employs an external screening router and an internal bastion host. The screening router is configured so that the bastion host is the only host accessible from the untrusted network (such as the Internet). The bastion host provides any required web services to the untrusted network, such as HTTP and FTP, as permitted by the security policy. Connections to the Internet from the trusted network are routed via an application proxy on the bastion host or directly through the screening router.

Here are some of the advantages of the screened-host gateway:

• It provides distributed security between two devices, rather than relying on a single device to perform all security functions.

• It has transparent outbound access.

• It has restricted inbound access.

Here are some disadvantages of the screened-host gateway:

• It’s considered less secure because the screening router can bypass the bastion host for certain trusted services.

• Masking the internal network structure is difficult.

• It can have multiple single points of failure (on the router or bastion host).

Screened-subnet

The screened-subnet is perhaps the most secure of the currently designed firewall architectures. The screened-subnet employs an external screening router, a dual-homed (or multi-homed) host, and a second internal screening router. This implements the concept of a network DMZ (or demilitarized zone). Publicly available services are placed on bastion hosts in the DMZ.

Advantages of the screened-subnet architecture include these:

• It’s transparent to end-users.

• It’s flexible.

• Internal network structure can be masked.

• It provides defense in depth instead of relying on a single device to provide security for the entire network.

Disadvantages of a screened-subnet architecture, compared to other firewall architectures, include these:

• It’s more expensive.

• It’s more difficult to configure and maintain.

• It can be more difficult to troubleshoot.

Intrusion detection and prevention systems (IDSs, IPSs, and IDPSs)

Intrusion detection is defined as real-time monitoring and analysis of network activity and data for potential vulnerabilities and attacks in progress. One major limitation of current intrusion-detection-system (IDS) technologies is the requirement to filter false alarms to prevent the operator (the system or security administrator) from being overwhelmed with data. IDSs are classified in many different ways, including active and passive, network-based and host-based, and knowledge-based and behavior-based.

Active and passive IDS

Commonly known as an intrusion prevention system (IPS) or as an intrusion detection and prevention system (IDPS), an active IDS is a system that’s configured to automatically block suspected attacks in progress without requiring any intervention by an operator. IPS has the advantage of providing real-time corrective action in response to an attack, but it has many disadvantages as well. An IPS must be placed inline along a network boundary; thus the IPS itself is susceptible to attack. Also, if false alarms and legitimate traffic haven’t been properly identified and filtered, authorized users and applications may be improperly denied access. Finally, the IPS itself may be used to effect a Denial of Service (DoS) attack, which involves intentionally flooding the system with alarms that cause it to block connections until no connection or bandwidth is available.

A passive IDS is a system that’s configured to monitor and analyze network traffic activity and alert an operator to potential vulnerabilities and attacks. It can’t perform any protective or corrective functions on its own. The major advantages of passive IDS are that these systems can be easily and rapidly deployed and aren’t normally susceptible to attack themselves.

Network-based and host-based IDS

A network-based IDS usually consists of a network appliance (or sensor) that includes a Network Interface Card (NIC) operating in Promiscuous mode (meaning it listens to, or “sniffs,” all traffic on the network, not just traffic addressed to a specific host) and a separate management interface. The IDS is placed along a network segment or boundary, and it monitors all traffic on that segment.

A host-based IDS requires small programs (or agents) to be installed on the individual systems that are to be monitored. The agents monitor the operating system and write data to log files and/or trigger alarms. A host-based IDS can monitor only the individual host systems on which the agents are installed; it doesn’t monitor the entire network.

Knowledge-based and behavior-based IDS

A knowledge-based (or signature-based) IDS references a database of previous attack profiles and known system vulnerabilities to identify active intrusion attempts. Knowledge-based IDSs are currently more common than behavior-based IDSs. Advantages of knowledge-based systems include

• They have lower false-alarm rates than behavior-based IDSs.

• Alarms are more standardized and more easily understood than behavior-based IDS alarms.

Disadvantages of knowledge-based systems include

• The signature database must be continually updated and maintained.

• New, unique, or original attacks may not be detected or may be improperly classified.

A behavior-based (or statistical anomaly-based) IDS references a baseline or learned pattern of normal system activity to identify active intrusion attempts. Deviations from this baseline or pattern cause an alarm to be triggered. Advantages of behavior-based systems include that they

• Dynamically adapt to new, unique, or original attacks.

• Are less dependent on identifying specific operating system vulnerabilities than knowledge-based IDSs are.

Disadvantages of behavior-based systems include

• Higher false alarm rates than knowledge-based IDSs.

• Difficulty with legitimate usage patterns that change often and therefore never settle into a baseline stable enough for an effective behavior-based IDS.
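As an added example (constructed for this section, not from the book), the two engines below run over the same sample access-log lines: the signature engine matches known attack patterns and names them, while the behavior engine learns a requests-per-client baseline and flags deviations, catching a probe that no signature knows but also a busy legitimate user (a false alarm). The log lines, signature patterns and threshold rule are assumptions.

```python
import re
from collections import Counter
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Constructed access-log lines, "<client ip> <method> <path> <status>"; not real traffic.
BASELINE_LOG = [                       # a quiet period used to learn what "normal" looks like
    "10.0.0.11 GET /index.html 200", "10.0.0.11 GET /about.html 200",
    "10.0.0.11 GET /contact.html 200",
    "10.0.0.12 GET /index.html 200", "10.0.0.12 GET /login?user=bob 200",
    "10.0.0.13 GET /index.html 200", "10.0.0.13 GET /news.html 200",
    "10.0.0.13 GET /about.html 200", "10.0.0.13 GET /contact.html 200",
    "10.0.0.14 GET /index.html 200", "10.0.0.14 GET /news.html 200",
    "10.0.0.14 GET /about.html 200",
]
LIVE_LOG = [
    "10.0.0.11 GET /index.html 200", "10.0.0.11 GET /about.html 200",
    "10.0.0.11 GET /contact.html 200",
    "10.0.0.12 GET /login?user=bob 200",
    "10.0.0.12 GET /login?user=bob'+OR+'1'='1 500",        # known SQL tautology pattern
    "10.0.0.13 GET /cgi-bin/../../etc/passwd 404",         # known traversal pattern
    # 10.0.0.20 probes for files that do not exist: nothing in the signature
    # database matches, but its request volume is far above the learned baseline
    "10.0.0.20 GET /admin 404", "10.0.0.20 GET /backup.zip 404",
    "10.0.0.20 GET /old/ 404", "10.0.0.20 GET /test/ 404",
    "10.0.0.20 GET /config.bak 404", "10.0.0.20 GET /db.sql 404",
    "10.0.0.20 GET /staging/ 404", "10.0.0.20 GET /dev/ 404",
    # 10.0.0.21 is a legitimately busy user; the anomaly engine raises a false alarm
    "10.0.0.21 GET /index.html 200", "10.0.0.21 GET /news.html 200",
    "10.0.0.21 GET /about.html 200", "10.0.0.21 GET /contact.html 200",
    "10.0.0.21 GET /products.html 200", "10.0.0.21 GET /support.html 200",
    "10.0.0.21 GET /faq.html 200",
]

# Knowledge-based engine: a (tiny) database of known attack profiles.
SIGNATURES = {
    "sql-tautology": re.compile(r"'(\s|\+|%20)*(or|and)(\s|\+|%20)*'?\d", re.I),
    "path-traversal": re.compile(r"\.\./"),
}


def parse(lines: List[str]) -> List[Tuple[str, str, str, int]]:
    rows = []
    for line in lines:
        ip, method, path, status = line.split()
        rows.append((ip, method, path, int(status)))
    return rows


def signature_alerts(lines: List[str]) -> List[Tuple[str, str]]:
    # Each hit names the matching signature, so the alarm is easy to interpret.
    alerts = []
    for ip, _, path, _ in parse(lines):
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((ip, name))
    return alerts


def learn_threshold(lines: List[str]) -> float:
    # Behavior-based engine: learn requests-per-client from the baseline period and
    # treat anything beyond mean + 3 standard deviations as a deviation.
    counts = list(Counter(row[0] for row in parse(lines)).values())
    return mean(counts) + 3 * pstdev(counts)


def anomaly_alerts(lines: List[str], threshold: float) -> Set[str]:
    # The alarm only says "this client is unusual", not what it did.
    counts = Counter(row[0] for row in parse(lines))
    return {ip for ip, n in counts.items() if n > threshold}


def run_ids() -> Dict[str, object]:
    threshold = learn_threshold(BASELINE_LOG)
    return {"signature": signature_alerts(LIVE_LOG),
            "anomaly": sorted(anomaly_alerts(LIVE_LOG, threshold))}
```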

Remote access

Remote access is provided through various technologies (such as cable modems and wireless devices) and protocols (such as asynchronous dial-up, ISDN, and xDSL), which we discuss in the section “WAN technologies and protocols,” earlier in this chapter.

Remote access security is provided through various methods and technologies, which we describe in the following sections.

Remote access security methods

Remote access security methods include restricted allowed addresses, caller ID, and callback.

• Restricted address: The restricted address method restricts access to the network based on allowed IP addresses, essentially performing rudimentary node authentication, but not user authentication.

• Caller ID: The caller ID method restricts access to the network based on allowed phone numbers, thus performing a slightly more secure form of node authentication because phone numbers are more difficult to spoof than IP addresses. However, this method can be difficult to administer for road warriors that routinely travel to different cities.

• Callback: The callback method restricts access to the network by requiring a remote user to first authenticate to the remote access service (RAS) server. The RAS server then disconnects and calls the user back at a preconfigured phone number. As with caller ID, this method can be difficult to administer for road warriors.

Instant answer: One limitation of callback is that it can be easily defeated by using call forwarding.

Remote access security technologies

Remote access security technologies include RAS servers that utilize various authentication protocols associated with PPP, RADIUS, and TACACS.

• RAS: Remote access service (RAS) servers utilize the Point-to-Point Protocol (PPP) to encapsulate IP packets and establish dial-in connections over serial and ISDN links. PPP incorporates the following three authentication protocols:

PAP: The Password Authentication Protocol (PAP) uses a two-way handshake to authenticate a peer to a server when a link is initially established. PAP transmits passwords in cleartext and provides no protection from replay or brute-force attacks.

CHAP: The Challenge Handshake Protocol (CHAP) uses a three-way handshake to authenticate both a peer and a server when a link is initially established and, optionally, at regular intervals throughout the session. CHAP requires both the peer and the server to be preconfigured with a shared secret that must be stored in cleartext. The peer uses the secret to calculate the response to a server challenge by using an MD5 one-way hash function. MS-CHAP, a Microsoft enhancement to CHAP, allows the shared secret to be stored in an encrypted form.

EAP: The Extensible Authentication Protocol (EAP) adds flexibility to PPP authentication by implementing various authentication mechanisms, including MD5-challenge, S/Key, generic token card, digital certificates, and so on. EAP is implemented in many wireless networks.

Cross-reference: See Chapters 4 and 8 for more on tokens and digital certificates.

• RADIUS: The Remote Authentication Dial-In User Service (RADIUS) protocol is an open-source, UDP-based, client-server protocol, which provides authentication and accountability. A user provides username/password information to a RADIUS client by using PAP or CHAP.

The RADIUS client encrypts the password and sends the username and encrypted password to the RADIUS server for authentication.

Note: Passwords exchanged between the RADIUS client and the RADIUS server are encrypted, but passwords exchanged between the PC client and the RADIUS client aren’t necessarily encrypted — if using PAP authentication, for example. However, if the PC client happens to also be the RADIUS client, all password exchanges are encrypted, regardless of the authentication protocol being used.

Cross-reference: See Chapter 4 for more information about RADIUS.

• Diameter: The Diameter protocol is the next-generation RADIUS protocol. Diameter overcomes several RADIUS shortcomings. For instance, it uses TCP rather than UDP, supports IPSec or TLS, and has a larger address space than RADIUS.

Cross-reference: See Chapter 4 for more on Diameter.

• TACACS: The Terminal Access Controller Access Control System (TACACS) is a UDP-based access control protocol (originally developed for the MILNET), which provides authentication, authorization, and accountability (AAA). The original TACACS protocol has been significantly enhanced, primarily by Cisco, as XTACACS (no longer used) and TACACS+ (the most common implementation of TACACS). TACACS+ is TCP-based (port 49) and supports practically any authentication mechanism (PAP, CHAP, MS-CHAP, EAP, token cards, Kerberos, and so on). The basic operation of TACACS+ is similar to RADIUS, including the caveat about encrypted passwords between client and server. The major advantages of TACACS+ are its wide support of various authentication mechanisms and granular control of authorization parameters.

Cross-reference: See Chapter 4 for a more complete discussion of TACACS.
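The PAP/CHAP difference described under RAS above, as an added example (not code from the book): a CHAP exchange in which the secret itself never crosses the link and each challenge is accepted only once, so a captured response cannot be replayed the way a PAP password could. The peer and authenticator names, secrets and the demo() function are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict

# CHAP response as defined in RFC 1994: MD5(Identifier || secret || Challenge).


@dataclass(frozen=True)
class Challenge:
    identifier: int        # 8-bit packet identifier; the response must echo it
    value: bytes           # random challenge chosen by the authenticator
    name: str              # authenticator's name


@dataclass(frozen=True)
class Response:
    identifier: int
    value: bytes           # 16-byte MD5 digest
    name: str              # peer's name, used to look up its secret


def chap_digest(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Server side. The shared secrets must be held in cleartext, as the text notes."""

    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets
        self.next_id = 0
        self.pending: Dict[int, bytes] = {}   # identifier -> challenge awaiting a response

    def challenge(self) -> Challenge:
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        self.pending[ident] = os.urandom(16)
        return Challenge(ident, self.pending[ident], "nas1")

    def verify(self, resp: Response) -> bool:
        # A challenge is accepted once, so a captured response cannot be replayed.
        challenge = self.pending.pop(resp.identifier, None)
        secret = self.secrets.get(resp.name)
        if challenge is None or secret is None:
            return False
        expected = chap_digest(resp.identifier, secret, challenge)
        return hmac.compare_digest(expected, resp.value)


class Peer:
    """Client side. Never sends the secret itself, only the digest."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, ch: Challenge) -> Response:
        return Response(ch.identifier, chap_digest(ch.identifier, self.secret, ch.value), self.name)


def demo() -> Dict[str, bool]:
    server = Authenticator({"alice": b"correct horse"})
    alice = Peer("alice", b"correct horse")
    impostor = Peer("alice", b"wrong guess")      # knows the name, not the secret
    first = alice.respond(server.challenge())
    results = {"initial_login": server.verify(first)}
    results["replayed_response"] = server.verify(first)            # same packet again
    results["wrong_secret"] = server.verify(impostor.respond(server.challenge()))
    results["periodic_rechallenge"] = server.verify(alice.respond(server.challenge()))
    return results
```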

Virtual Private Networks (VPNs)

A Virtual Private Network (VPN) creates a secure tunnel over a public network, such as the Internet. The tunnel is created by encrypting or encapsulating the data as it’s transmitted across the VPN. The two ends of a VPN are commonly implemented by using one of the following methods:

• Client-to-VPN-Concentrator (or Device)

• Client-to-Firewall

• Firewall-to-Firewall

• Router-to-Router

Common VPN protocol standards include Point-to-Point Tunneling Protocol (PPTP), Layer 2 Forwarding Protocol (L2F), Layer 2 Tunneling Protocol (L2TP), Internet Protocol Security (IPSec), and Secure Sockets Layer (SSL).

Point-to-Point Tunneling Protocol (PPTP)

The Point-to-Point Tunneling Protocol (PPTP) was developed by Microsoft to enable the Point-to-Point Protocol (PPP) to be tunneled through a public network. PPTP uses native PPP authentication and encryption services (such as PAP, CHAP, and EAP), which we discuss in the section “RAS,” earlier in this chapter. PPTP is commonly used for secure dial-up connections, using Microsoft Win9x or NT/2000 clients. PPTP operates at the Data Link Layer (Layer 2) of the OSI model and is designed for individual client-server connections.

Layer 2 Forwarding Protocol (L2F)

The Layer 2 Forwarding Protocol (L2F) was developed by Cisco and provides similar functionality to PPTP. As its name implies, L2F operates at the Data Link Layer of the OSI model and permits tunneling of Layer 2 WAN protocols such as HDLC and SLIP.

Layer 2 Tunneling Protocol (L2TP)

The Layer 2 Tunneling Protocol (L2TP) is an IETF standard that combines Microsoft (and others’) PPTP and Cisco L2F protocols. Like PPTP and L2F, L2TP operates at the Data Link Layer of the OSI model to create secure VPN connections for individual client-server connections. L2TP addresses the following end-user requirements:

• Transparency: Requires no additional software.

• Robust authentication: Supports PPP authentication protocols, Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System (TACACS), smart cards, and one-time passwords.

• Local addressing: The VPN entities, rather than the ISP, assign IP addresses.

• Authorization: Authorization is managed by the VPN server-side, similar to direct dial-up connections.

• Accounting: Both the ISP and the user perform AAA accounting.

IPSec

Internet Protocol Security (IPSec) is an IETF open standard for VPNs that operates at the Network Layer (Layer 3) of the OSI model. It’s the most popular and robust VPN protocol in use today. IPSec ensures confidentiality, integrity, and authenticity by using Layer 3 encryption and authentication to provide an end-to-end solution. IPSec operates in two modes:

• Transport mode: Only the data is encrypted.

• Tunnel mode: The entire packet is encrypted.

The two main protocols used in IPSec are

• Authentication Header (AH): Provides integrity, authentication, and non-repudiation

• Encapsulating Security Payload (ESP): Provides confidentiality (encryption) and limited authentication

Each pair of hosts communicating in an IPSec session must establish a security association.

A security association (SA) is a one-way connection between two communicating parties; thus, two SAs are required for each pair of communicating hosts. Additionally, each SA supports only a single protocol (AH or ESP). Therefore, using both an AH and an ESP between two communicating hosts will require a total of four SAs. An SA has three parameters that uniquely identify it in an IPSec session:

• Security Parameter Index (SPI): The SPI is a 32-bit string used by the receiving station to differentiate between SAs terminating on that station. The SPI is located within the AH or ESP header.

• Destination IP address: The destination address could be the end station or an intermediate gateway or firewall, but it must be a unicast address.

• Security Protocol ID: The Security Protocol ID must be either an AH or ESP association.

Key management is provided in IPSec by using the Internet Key Exchange (IKE). IKE is actually a combination of three complementary protocols: the Internet Security Association and Key Management Protocol (ISAKMP), the Secure Key Exchange Mechanism (SKEME), and the Oakley Key Exchange Protocol.

SSL

The Secure Sockets Layer (SSL) protocol (discussed in greater detail in Chapter 8) operates at the Transport Layer (Layer 4) of the OSI model. SSL VPNs have rapidly gained widespread popularity and acceptance in recent years because of their ease of use and low cost. An SSL VPN requires no special client hardware or software (other than a web browser), and little or no client configuration. SSL VPNs provide secure access to web-enabled applications and thus are somewhat more granular in control — a user is granted access to a specific application, rather than to the entire private network. This granularity can also be considered a limitation of SSL VPNs; not all applications will work over an SSL VPN, and many convenient network functions (file and print sharing) may not be available over an SSL VPN.
