Firewalls and Security - PowerPoint PPT Presentation

Slides: 17
Provided by: NGOC4
Learn more at: http://www.cs.sjsu.edu

Transcript and Presenter's Notes


1
Firewalls and Security
  • Ngoc Nguyen

2
Facts of Internet Systems vulnerability
  • Recent denial-of-service attacks on Amazon, eBay,
    Yahoo, etc.
  • 31% of key Internet hosts were wide open to
    potential attackers.
  • 65% of companies reported security breaches in
    the three years from 1997 to 1999.

3
Typical security approaches
  • Access Control
  • Cryptography
  • Intrusion detection systems
  • Firewalls

4
Traditional firewalls consist of 3 main
architectures
  • Screening routers.
  • Proxy servers.
  • Stateful inspectors.

5
Screening Routers
  • Router screens the information, allowing only
    approved information to pass through.
  • Requirements continually change, with more
    addresses having to be added to the allowable
    address lists.
  • Don't have user-level authentication protection.
    As a result, spoofing (a packet made to look
    like an authorized and legal one) breaches the
    firewall.

6
Proxy Servers
  • Employ user-level authentication.
  • Provide logging and accounting information (good
    for detecting intrusions and intrusion attempts).

7
Stateful Inspectors
  • Inspect packets to verify application, user, and
    transportation method to investigate the
    possibility of harmful viruses hiding in audio or
    video packets.
  • Application must be continually updated to
    recognize new viruses or intrusive applets.

8
Two approaches to enhance Internet security
  • Encryption and Firewalls.
  • Proactive Identification Model (PAIM).

9
Encryption can provide firewall protection in
several ways
  • By encrypting passwords and authentication
    procedures, eavesdroppers are not able to copy
    passwords for later use in spoofing the system.
  • Without the correct key, any encrypted data sent
    by an intruder would translate into
    unintelligible random characters and therefore
    have no meaning to the receiving system, i.e., no
    harmful viruses or programs can be inserted into
    the host system.
  • Any intruder reading corporate data sent over an
    open network would not be able to gather any
    intelligence.

10
(No Transcript)
11
Proactive Identification Model (PAIM)
  • As long as the hacker is not creating any
    hazardous situation or destroying anything,
    seasoned investigators will tell you that it is
    much more beneficial to watch the hacker over
    time and collect as much data as possible to
    develop a good case for the arrest and
    prosecution of the hacker in the courts.
    (Hancock 2002)

12
PAIM consists of 3 components
  • The firewall has an audit log used to log both
    authorized and unauthorized access to the
    network.
  • The operating system has user profiles and audit
    logs. User profiles and audit logs are controls
    which provide information on the user's or
    hacker's actions. These controls are used to
    construct two graphs.
  • The fuzzy engine processes information obtained
    from the firewall and the operating system in
    real time.

13
PAIM (cont.)
  • The fuzzy engine computes two graphs: template
    and user action. The template graph represents
    the typical actions of a user (hacker) when
    carrying out the eight steps of a generic hacking
    methodology. The user action graph represents the
    actual actions of the user (hacker) on the system.

14
(No Transcript)
15
PAIM's operations
  • Maps the template and user action graphs against
    each other. A match between the two graphs
    indicates that a user (hacker) is performing a
    hacking attempt.
  • Sends alert message on hacking attempt to the
    information security officer at the security
    working station.
  • Collects data from the hacker's actions for later
    use in court prosecution.
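
An added example, not from the slides or from the PAIM authors: a minimal sketch of the template versus user action graph comparison described on slides 12 to 15, run over constructed audit-log records. The eight stage names, the event-to-stage mapping, the edge-overlap score and the 0.5 threshold are all assumptions, since the slides do not specify the stages or how the fuzzy engine scores a match.

```python
from collections import defaultdict

# Assumed stage names: the slides mention eight steps but do not list them.
STAGES = ["footprint", "scan", "enumerate", "gain_access",
          "escalate", "pilfer", "cover_tracks", "backdoor"]
# Template graph: directed edges between consecutive stages.
TEMPLATE = set(zip(STAGES, STAGES[1:]))

# Hypothetical mapping from audit-log event types to stages.
EVENT_STAGE = {
    "dns_zone_query": "footprint", "port_sweep": "scan",
    "account_listing": "enumerate", "login_after_failures": "gain_access",
    "privilege_change": "escalate", "bulk_file_read": "pilfer",
    "log_cleared": "cover_tracks", "new_service_installed": "backdoor",
}

# Constructed sample records: (time, source log, user, event type).
AUDIT_LOG = [
    (1, "firewall", "guest7", "port_sweep"),
    (2, "os", "alice", "file_open"),
    (3, "os", "guest7", "account_listing"),
    (4, "os", "guest7", "login_after_failures"),
    (5, "os", "alice", "privilege_change"),
    (6, "os", "guest7", "privilege_change"),
    (7, "os", "guest7", "bulk_file_read"),
    (8, "os", "alice", "file_open"),
]

def user_action_graphs(records):
    """Build one user action graph (set of stage-to-stage edges) per user."""
    last, graphs = {}, defaultdict(set)
    for _, _, user, event in sorted(records):
        stage = EVENT_STAGE.get(event)
        if stage is None:
            continue  # ordinary activity that the template does not model
        if user in last and last[user] != stage:
            graphs[user].add((last[user], stage))
        last[user] = stage
    return dict(graphs)

def match_degree(graph):
    """Degree of match in [0, 1]: share of template edges the user followed."""
    return len(graph & TEMPLATE) / len(TEMPLATE)

def alerts(records, threshold=0.5):
    """Users whose action graph matches the template at or above threshold."""
    scores = {u: match_degree(g) for u, g in user_action_graphs(records).items()}
    return {u: round(s, 2) for u, s in scores.items() if s >= threshold}

if __name__ == "__main__":
    print(alerts(AUDIT_LOG))
```

A single privileged action, such as alice's, produces no edge and therefore no alert; only a sequence of stages that follows the template raises the score.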

16
(No Transcript)