Firewall Security Measures - Essay Example

Summary
This paper deals with security measures in information technology. Layers 3 and 4 of the OSI model use packet filtering as a firewall security measure, with the IP addresses in the packets, and also the ports, used to decide which sessions are admitted and which are dropped. …

Extract of sample "Firewall Security Measures"

1a Layers 3 and 4 of the OSI model use packet filtering as a firewall security measure: the IP addresses in the packets, and also the ports, are used to decide which sessions are admitted and which are dropped. OSI layer 7, the application layer, on the other hand uses the packet itself as the data on which to filter sessions, and applies application-specific filtering, for example for FTP.

1b It is good practice, whenever we install a new system, to test it in order to know whether it works as seamlessly as we expect. Firewalls are no exception to this rule. We have to test a firewall to know whether it really functions to protect our system from intruders. One good option for testing a firewall is to hire a third-party penetration tester, who will also test the whole network for vulnerabilities. It is best for the company to establish a contract with the penetration tester, both for data protection and to cover any violation of law that the penetration tester may commit through misunderstanding. Penetration testing should cover both types of test, namely black box penetration testing and white box penetration testing. In black box penetration testing we simulate a real attack, in which only the IP address of the company is known. In white box penetration testing, on the other hand, the tester is provided with valuable information about the system, such as the operating system used, the type of network, the server configuration details, and the firewall itself. This will best bring out the different vulnerabilities of the company's network. If we are unable to hire a third-party penetration tester, we can still do the testing on our own. One thing we need to examine is which open ports the firewall currently allows. We can use nmap to scan for open ports in our system, or use another third-party, commercial or freeware port scanner.
This scanner will determine the open port(s) that hackers may use to intrude into the system. Thus we will know which ports are supposed to be open and which need to be blocked (some ports need to be open since they are used by the system, e.g. port 80 for a web server). We can also use traceroute to determine whether a certain unit within the network is traceable from outside the firewall of the whole network. The firewall should not allow intruders to learn anything (e.g. an IP address) about any unit inside the network, nor that packets are moving around our systems. The firewall should serve as front-end security that provides “invisibility” to all the units within its perimeter. The next step is to ping each unit in the network. For large-scale ping requests we may use a third-party ping application such as MegaPing. The idea of the ping is to determine whether an IP address is active, that is, whether a unit with that IP address is visible or exists. The firewall should also provide a security measure for ping, deciding whether or not to allow such requests to be processed. Pings are sometimes used by hackers to find out at random whether a unit exists, and if it does, attacks follow. Likewise, the firewall should not allow ping requests from outside the perimeter to reach a unit inside the network. Units inside are invisible to units outside the firewall perimeter.

1c To ensure the continuing effectiveness of the firewall, regular random firewall testing should be done, since attack patterns change constantly. In addition, the test must first be authorized, and the administrators not notified, to ensure that normal operations continue at the time of the test. This ensures that the security flaws in the existing configuration are identified.

1d The packet filter is the simplest type of firewall and operates on the network layer of the OSI model.
Packet filtering works on a set of rules stored as a rulebase, which determines which packets are allowed within a session and which addresses are allowed to take part in the communication. If the rulebase by default does not permit any session, all packets are dropped from the communication. The information used in packet filtering is as follows:
- The source address of the packet (its Layer 3 address) and the destination address of the packet (also a Layer 3 address).
- The type of traffic, or the specific network protocol (i.e. Ethernet).
- Possibly some information about the Layer 4 communication sessions (which is why packet filtering is sometimes considered to operate at layers 3 and 4 of the OSI model).

Stateful inspection, on the other hand, is just a superset of the packet filter. It employs the same method by which packet filtering works, with the addition of storing the state of the session. For example, if a session between 192.168.1.100:1023 and 210.9.88.29:80 was stored with “established” as its state, then the next time this session takes place it will automatically be allowed. This provides a faster mechanism for filtering incoming and outgoing sessions between server and host system. A stateful inspection firewall also operates at layers 3 and 4, plus layer 7 of the OSI model, which is evident in how stateful inspection considers applications within the application layer. One difference between stateful inspection and packet filtering is that stateful inspection is useful or applicable only in a TCP/IP infrastructure.

The application-proxy gateway is a more advanced type of firewall that operates on the application layer in combination with the lower layers. The difference between this firewall and the two previous ones is that it does require the layer 3 route of incoming and outgoing packets. The application proxy is a software-controlled firewall, in which each packet passes under software control.
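
The rulebase and the session table from answer 1d, written out as an added example that is not part of the original essay: a stateless filter and a stateful firewall share one rulebase and judge the essay's session 192.168.1.100:1023 to 210.9.88.29:80, its reply, and an unsolicited packet. The class names, the rule set and the port-3389 packet are assumptions made for the illustration, which goes slightly beyond the text by also showing the reply rule a stateless filter would need.

```python
# Added illustration (not from the essay): a stateless rulebase next to a
# stateful firewall that reuses it. Class and field names are hypothetical.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "drop"
    src_net: str                  # Layer 3 source, CIDR notation
    dst_net: str                  # Layer 3 destination, CIDR notation
    sport: Optional[int] = None   # Layer 4 ports; None matches any port
    dport: Optional[int] = None
    proto: str = "tcp"

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


class PacketFilter:
    """Stateless filter: first matching rule wins, no match means drop."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "drop"


class StatefulFirewall(PacketFilter):
    """Same rulebase, plus a table of sessions it has already admitted."""

    def __init__(self, rules):
        super().__init__(rules)
        self.established = set()

    @staticmethod
    def _session(p: Packet):
        # Direction-independent key: a reply maps to the same session.
        return (p.proto, frozenset([(p.src, p.sport), (p.dst, p.dport)]))

    def decide(self, p: Packet) -> str:
        if self._session(p) in self.established:
            return "allow"                     # known session, rulebase skipped
        action = super().decide(p)
        if action == "allow":
            self.established.add(self._session(p))
        return action


# Rulebase: inside hosts may open web sessions; everything else is dropped.
RULEBASE = [Rule("allow", "192.168.1.0/24", "0.0.0.0/0", dport=80)]
# Extra rule a stateless filter needs so that web replies can come back in.
REPLY_RULE = Rule("allow", "0.0.0.0/0", "192.168.1.0/24", sport=80)

OUTBOUND = Packet("192.168.1.100", 1023, "210.9.88.29", 80)   # essay's session
REPLY = Packet("210.9.88.29", 80, "192.168.1.100", 1023)
UNSOLICITED = Packet("210.9.88.29", 80, "192.168.1.100", 3389)  # constructed


def compare():
    firewalls = {
        "stateless": PacketFilter(RULEBASE),
        "stateless+reply-rule": PacketFilter(RULEBASE + [REPLY_RULE]),
        "stateful": StatefulFirewall(RULEBASE),
    }
    return {name: [fw.decide(p) for p in (OUTBOUND, REPLY, UNSOLICITED)]
            for name, fw in firewalls.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:22} {verdicts}")
```

The stateless filter either drops the legitimate reply or, once the reply rule is added, admits any packet that claims source port 80; the stateful firewall admits only the reply that belongs to a session it has already allowed.
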
Being a software-controlled firewall, it provides additional features such as username and password authentication, source address authentication, hardware or software token authentication and, sometimes, biometric authentication.

2a
i. 193.63.48.1
ii. Rendered inapplicable, because the ftp application is not supported by NAT
iii. 193.63.48.2
iv. 193.63.48.1

2b

2c The address translation would be configured as dynamic and overloaded. The clients in the internal network will be translated to the available registered IP addresses, and since the company has only eight registered addresses, multiple clients will use the same registered IP address with the addition of their assigned port addresses; this allows a single IP address to be used by multiple clients.

2d i) The advantage of placing the VPN server outside the internal network is that the full capacity of the VPN server is realized. Placing the VPN on one of the internal hosts would defeat its purpose. Being outside the internal network enables the VPN to protect it with its firewall and other security features and to connect it to other networks on the internet.

2d ii) Having the IDS at point B will reduce its capability to detect intrusions, since the IDS will only detect intrusions in the network which could otherwise be prevented by the firewall and VPN after it. If it is placed at point A, the IDS can detect intrusions in the internal network, signifying a breach in the firewall or VPN.

3a One problem with an FTP application arises from the NAT translation that occurs within the firewall, and from the ports it uses. Some FTP applications are not supported by NAT in the firewall.
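
Answers 2c and 3a together, as an added example that is not part of the original essay: dynamic NAT with overload maps several inside clients onto a pool of eight public addresses by port, and an active-mode FTP PORT command shows why FTP needs the NAT to rewrite the payload as well as the headers. The pool 203.0.113.1-8, the 192.168.16.x clients and all class and function names are constructed for the illustration.

```python
# Added illustration (not from the essay): dynamic NAT with overload, and why
# an active-mode FTP PORT command breaks unless the NAT also rewrites it.
# All names and addresses are constructed for the example.
import re

PUBLIC_POOL = [f"203.0.113.{n}" for n in range(1, 9)]   # eight registered IPs


class OverloadNat:
    def __init__(self, pool, first_port=1024, last_port=65535):
        self.pool = list(pool)
        self.first_port = first_port
        self.ports_per_ip = last_port - first_port + 1
        self.outbound = {}   # (inside ip, port) -> (public ip, port)
        self.inbound = {}    # (public ip, port) -> (inside ip, port)

    def translate(self, inside_ip, inside_port):
        """Map an inside endpoint to a public one, reusing existing entries."""
        key = (inside_ip, inside_port)
        if key not in self.outbound:
            n = len(self.outbound)
            if n >= self.ports_per_ip * len(self.pool):
                raise RuntimeError("NAT pool exhausted")
            # Use up the ports of one public address before taking the next.
            public = (self.pool[n // self.ports_per_ip],
                      self.first_port + n % self.ports_per_ip)
            self.outbound[key] = public
            self.inbound[public] = key
        return self.outbound[key]

    def untranslate(self, public_ip, public_port):
        """Return the inside endpoint for return traffic, or None (drop)."""
        return self.inbound.get((public_ip, public_port))


PORT_RE = re.compile(
    r"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_port(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if malformed."""
    m = PORT_RE.fullmatch(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def format_port(ip, port):
    return "PORT {},{},{}".format(ip.replace(".", ","), port >> 8, port & 0xFF)


def rewrite_port(nat, line):
    """What an FTP-aware NAT does: translate the endpoint inside the payload."""
    endpoint = parse_port(line)
    if endpoint is None:
        return line                      # not a PORT command, pass through
    return format_port(*nat.translate(*endpoint))


def demo():
    nat = OverloadNat(PUBLIC_POOL)
    # Three inside clients using the same source port share one public address.
    shared = [nat.translate(f"192.168.16.{h}", 1025) for h in (2, 3, 4)]
    # The client at .2 asks the FTP server to connect back to 192.168.16.2:5001.
    client_cmd = "PORT 192,168,16,2,19,137"
    header_only = client_cmd             # header-only NAT leaves payload as is
    return shared, header_only, rewrite_port(nat, client_cmd)


if __name__ == "__main__":
    print(demo())
```

With header-only translation the server is still told to connect to 192.168.16.2, a private address it cannot reach; the rewritten command advertises the public endpoint that the NAT has mapped back to the client.
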
3b
TCP 192.168.16.2 192.168.16.200 ESTABLISHED
TCP 192.168.16.2 192.168.16.200 LISTENING
TCP 192.168.16.2 192.168.16.201 LISTENING
TCP 192.168.16.2 192.168.16.201 ESTABLISHED

3c Denial-of-Service, or DoS, is an attack used by hackers to make a company's server system inoperable by requesting so many operations that the server succumbs to exhaustion and halts. DoS attacks are hard to counter because the hacker uses seemingly valid addresses that our firewall recognizes. This is called IP spoofing: deceiving our server with requests from a valid address which is in fact spoofed by the hacker through random generation. Most companies, especially those heavily dependent on e-commerce, give in to blackmail so that the hacker stops the attack and the server is put back in operation.

4a A secret key is usually used in symmetric-key signatures, in which a user chooses a secret key to encrypt the message. Then a mediator, whom everyone trusts, decrypts the message and relays it to the actual recipient. One disadvantage of symmetric-key encryption is that it requires sharing of the secret key, so each person must trust the other to guard the pair's secret key. This leads to another disadvantage: it is impractical in large companies, since the number of secret keys is the number of combinations of pairs in the company. In public-key cryptography, users require two keys: a public key, published so that the public can use it to encrypt messages to be sent to A, and a private key, which A uses to decrypt the messages. One advantage of this is the elimination of a shared secret key. Another is that it can establish message relay between two entities without requiring both to share the same key.

4b Nmap is a utility that is used to scan for open ports on a system.
This can help an administrator check which ports are currently vulnerable to attack. However, the same utility can be a nightmare for an administrator and a sweet dream for hackers. Hackers rely on nmap beforehand to scan for ports through which they can peep in. Because of this, nmap has also become a utility for hackers. Thus, in order to prevent such vulnerability detection by hackers, nmap activity is monitored by an Intrusion Detection System. The IDS determines whether a program is sending a packet to each port on the system, and then blocks each packet in order to deny the requests. This helps the system to be discreet about the ports it uses to communicate with other systems.

4c The perimeter firewall has become weak because hacking patterns change dynamically. A deeper and more collaborative firewall solution should be deployed for a more secure system. Filtering at the perimeter alone has proved to be weak due to the fact that there are many false packets that are not allowed by the firewall system. This is a motion to change the way we implement security: not only to use a perimeter firewall, but also to use a more sophisticated network-hiding solution within the network.

5a IP spoofing is a step of an attack that exploits the trust relationship between clients and server. Since firewalls examine IP addresses for legitimacy, a hacker tries to deceive firewalls by spoofing the addresses that are sent to them. If the address spoofed by the hacker is listed among the trusted addresses of the firewall, then it is possible to establish a session between the hacker and a unit inside the firewall perimeter. Spoofing is also used for DoS attacks, since the only concern of the attacker is to consume the bandwidth and resources of the victim, and so the attacker need not worry about completing a handshake and transaction.
Spoofing different addresses also helps prolong the attack and makes the connection hard to trace and block, since it comes from different and changing addresses.

5b A hybrid attack is a password cracking attack that uses a combination of dictionary words and numerical characters to generate passwords in order to penetrate password-authenticated systems. In the case of the break-in to the display at the football match, this was probably due to a weak password used by the administrator who operates the display, so that hackers easily gained access to the display control by using a hybrid attack.

5c There are different forms of phishing currently used by hackers in today’s Internet era. According to the document entitled “The Phishing Guide” by Gunter Ollman, Professional Services Director of Next Generation Security Software (NGS) – Insight Security Research, or NISR, there are three main forms of attack: (1) social engineering factors, (2) phishing message delivery, and (3) phishing attack vectors. These strategies can be further outlined as follows:

1. Social Engineering Factors
2. Phishing Message Delivery
   2.1. Email and Spam
   2.2. Web-based Delivery
   2.3. IRC and Instant Messaging
   2.4. Trojaned Hosts
3. Phishing Attack Vectors
   3.1. Man-in-the-Middle attacks
   3.2. URL Obfuscation attacks
   3.3. Cross-site scripting attacks
   3.4. Preset Session attacks
   3.5. Observing Customer Data
   3.6. Client-side vulnerability exploitation

The trends of successful phishing attacks may be a mixture of the above-mentioned strategies. For example, in the empirical study of Jagatic, et al. (2005), the researchers formed a social network map of university students in order to create a forged phishing email appearing to be from a friend. They found that 72% of the users responded to the email, which was actually meant for phishing.
Another successful form of phishing that is in trend today is the URL obfuscation attack, in which phishers simply change the actual URL or address. In another study, conducted by Dhamija, et al. (2006), the Bank of West (www.bankofwest) was obfuscated as www.bankofvvest.com (double ‘v’ instead of single ‘w’). The rogue site of Bank of West appears to be the legitimate site by showing an exact replica of it. Because of the deceptions practised by these attackers, law enforcement agencies are very much concerned, specifically about personal data privacy. Phishing is in fact identity theft, which is unlawful. Not only law enforcement agencies are concerned with this issue, but also the company or service provider itself, because some clients lose their trust in the company. Gunter has presented different countermeasures against phishing in his article. Some of these are already in effect at different firms to avoid possible phishing attacks on their clients. One of these methods is customer awareness of the webpages themselves. This lets the client be aggressive in securing his privacy in online transactions. Another strategy is email personalization, such as using “Dear Mr. Smith” instead of “Our valued customer”, so that links in unsolicited emails are not activated. Likewise, following the suggestion of Braekow and Urbas, banks should monitor their clients' transactions, such as locations and amounts (e.g. a transaction in another location with a withdrawal down to zero balance seems suspicious). Banks may employ quotas on withdrawals. These are only some of the features that a firm may implement in a website that solicits personal data. These firms must deploy such features in the server-side architecture of their online transactions.

6 The first stage of internet hacking is to select an address and determine by means of ping whether this address is currently active.
Then nslookup may help identify what type of operating system the target has. Determining the operating system used helps them create scripts based on that operating system (e.g. VBScript for Microsoft Windows). Sending different packets may help establish the connection between firewalls. Also, using Trojan attacks, these hackers run scripts that give them control over the target computer.

7a Telnet and ftp are no longer considered suitable for remote administration because these sessions are mainly not supported by NAT. Thus, most remote administration uses ssh to access computers remotely.

7b Denial-of-Service, or DoS, is an attack used by hackers to make a company's server system inoperable by requesting so many operations that the server succumbs to exhaustion and halts. DoS attacks are hard to counter because the hacker uses seemingly valid addresses that our firewall recognizes. This is called IP spoofing: deceiving our server with requests from a valid address which is in fact spoofed by the hacker through random generation. Most companies, especially those heavily dependent on e-commerce, give in to blackmail so that the hacker stops the attack and the server is put back in operation.

7c In terms of security, the only existing solution for data and transaction validity is cryptography. There are many existing algorithms currently deployed on different e-commerce sites. Examples are RSA and the biometric keys used to authenticate sessions.

8a Under the existing legal framework for digital crimes, only a few cases are actually prosecuted. This is mainly due to the framework that the Internet relies upon. It is totally untraceable who commits the attack, because the Internet covers a global scope with billions of internet users.
Likewise, the protocols that exist today, and other security measures themselves, hinder traceability of the attacker. Another reason is the differing regional laws on digital crime that exist today. Some attackers reside in a region where law against digital crime is weakly enforced, and thus avoid the law enforced by the region where the victim is located.

8b One rule for the school to follow is to have a subnet for their purchased connection so that the addressing can accommodate more computers within their network. Likewise, based on RFC 2827, the school should employ measures against IP source address spoofing in order to avoid denial of service attacks. Standard IPv4 should also be used in addressing their computers, in conformance with RFC 3330.

8c Another firewall configuration that may be applied is support for virtual local area networks, which provide more manageable chunks of networked computers. Support for an IDS, or Intrusion Detection System, would also help provide a better configuration for attack defence.

8d Unstructured threats are threats posed by untalented and inexperienced hackers who are motivated merely by curiosity about what they can see. Attacks made by unstructured threats are simply concerned with viewing other people's data or sometimes settings and configurations. Structured threats, on the other hand, are committed by experienced hackers who act with calculation and have technical knowledge of the system design. These threats can penetrate deeper into the victim’s system, and can repeat the offence any time they want. They therefore call for greater precaution on the part of the system administrator, since these attackers do not simply want to view your system data but may also want to destroy your system.
9a In order to create an IPSec tunnel, we have to specify the transport virtual router, even when it is the default:

    interface tunnel ipsec:Aottawa2boston transport-virtual-router default

Then specify the IP address of the tunnel interface using ip address, and specify both the local and peer endpoints using tunnel -identity subnet . Lastly, specify the interfaces for both the source and destination addresses.

9b Host-to-host VPN, also called transport mode VPN, consists of two hosts or peers connected by a ‘public’ network. NAT is not needed in this type of VPN. Network-to-network, or tunnel mode, VPN on the other hand requires at least two networks, and a gateway is used for NAT to hide the private addresses of the private networks. Conflicts between IP addresses are also eliminated. The gateway of each network in a tunnel mode VPN is considered to be a peer, and is connected to the ‘public’ network over which the VPN is implemented. Network-to-network VPN makes it convenient to secure traffic between network sites without any accommodation on workstations or servers.

9c The virus may be detected by the IDS, since its use of ping, sending a packet 1 second after each packet sent, may seem malicious to the system. In conjunction with Vulnerability Assessment Scanning, the virus is detected through the ports used by the IRC message sent to the chat server.

References:

Braekow, Oliver and Urbas, Eytan. “Keep Phishers away from your pond”. Retrieved from https://www.cyberguard.com/news_room/webinars/keeppishers.pdf, May 28, 2006.

Dhamija, Rachna, et al. “Why Phishing Works”. Retrieved from http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf, May 28, 2006.

Jakobsson, Markus. “Modeling and Preventing Phishing Attacks”. Retrieved from www.informatics.indiana.edu/markus/papers/phishing_jakobsson.pdf, May 28, 2006.

Johnson, Christopher. “Linux 2.6 Kernel IPSec VPN”. Retrieved from http://network.gouldacademy.org/randomfiles/linux_workshop04/dirigo.net/linux_2.6_ipsec_vpns.pdf, May 28, 2006.

Ollman, Gunter. “The Phishing Guide: Understanding and Preventing Phishing Attacks”. Retrieved from http://www.ngssoftware.com/papers/NISR-WP-Phishing.pdf, May 28, 2006.

Tanenbaum, Andrew S. Computer Networks, 4th ed. Pearson Education (Asia) Pte. Ltd, Jurong, Singapore. 2003.

Wack, John, et al. “Guide to Firewall Selection and Policy Recommendations”. Retrieved from http://www.securitymanagement.com/library/Nist_firewall0102.pdf, May 28, 2006.

Zeltser, Lenny, et al. “Inside Network Perimeter Security: Stateful Firewalls”. Retrieved from http://www.quepublishing.com, May 28, 2006.
(“Firewall Security Measures Essay Example | Topics and Well Written Essays - 3250 words”, n.d.)
Retrieved from https://studentshare.org/information-technology/1537034-firewall-security-measures