
electronic commerce Second edition


Presentation Transcript


  1. electronic commerce Second edition Marilyn Greenstein Miklos Vasarhelyi

  2. Chapter 11 Firewalls

  3. Firewalls • Firewalls Defined • TCP/IP and Open Systems Interconnect • Components and Typical Functionality of Firewalls • Personal Firewalls • Network Topology and Demilitarized Zones • Securing the Firewall • Factors to Consider in Firewall Design • In-House Solutions versus Commercial Security Software • Limitations of the Security Prevention Provided by Firewalls • Implications for the Accounting Profession

  4. What are firewalls? Firewalls are a system, or a group of systems, that enforces an access control policy between two networks. Firewalls should have the following characteristics: • All traffic in either direction should be tested by the firewall. • Only authorized traffic as defined by the local security policy is allowed to pass through it. • The firewall system is immune to penetration. (Cheswick and Bellovin, 1994) From the 2000 CSI/FBI study: • 58% of companies had security incidents from outside perpetrators. • 59% reported that their Internet connection was a frequent point of attack. • 78% reported the use of firewalls.

  5. Transmission Control Protocol/Internet Protocol (TCP/IP) The TCP/IP stack includes: • Physical/Network layer • IP layer • Transport layer • Application layer TCP/IP stack involves interfaces with hardware, operating systems and applications.

  6. TCP/IP Stack: Physical/Network Layer • Physical/Network layer • Accepts packets and transmits them over the network, mapping each computer’s network interface card (NIC) to a programmed IP address. • Physical networking protocols include Ethernet, Token Ring, Fiber Distributed Data Interface, etc. • Logical networking protocols include Address Resolution Protocol and Reverse Address Resolution Protocol.

  7. TCP/IP Stack: IP Layer • IP layer • Routes packets across the network, choosing the fastest path • Protocols include Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), Interior Gateway Routing Protocol (IGRP), etc.

  8. TCP/IP Stack: Transport Layer • Transport layer • Manages the virtual session between the two computers: receives packets, organizes them, and sends acknowledgements (ACK) back to the sender, asking for any lost packets. • Manages the transmission/reception of User Datagram Protocol (UDP) packets

  9. TCP/IP Stack: Application Layer • Application layer • Manages the networking applications, formatting data for transmission on the network • For example, Universal Resource Locators (URL) hyperlinks involve HTTP and HTML protocols

  10. Figure 11-1 TCP/IP and OSI models • TCP/IP stack (top to bottom): Application, Transport, Internet (IP), Network Interface • OSI model (top to bottom): Application, Presentation, Session, Transport, Network, Data Link, Physical

  11. What are the inherent security risks of the Internet? • TCP hijacking • IP spoofing • Network sniffing Businesses need to examine the security procedures used by their Internet Service Providers (ISPs).

  12. What are the categories of firewalls? • Static firewalls • Default permit • Default deny • Dynamic firewalls • Allow both permit and deny to be established for a given time period • Requires more maintenance • Provides more flexibility

  13. What are the components of firewalls? • Chokes • Limit the flow of packets between networks • Decision to pass or block depends on the rules set up by the firewall administrator • Gates • Control point for external connection • Similar to gateway server. • Proxy servers • Take the place of other servers to allow access authorization testing.

  14. Figure 11-2 Gates, chokes, and default deny filtering • Incoming packets: TELNET, FTP, SMTP, HTTP • Choke and gate apply default deny application-level filtering • Rule: deny everything except FTP and TELNET • Rejected packets: SMTP, HTTP • Packets reaching the corporate internal network: FTP, TELNET

  15. Firewalls: Typical Functionality • Packet filtering: chokes and gates • Network address translation • Graphical administration • Application-level proxies • Stateful inspection • Virtual private networks • Real-time auditing and monitoring

  16. Packet Filtering Packet filtering can be performed by a router, a firewall, or both. • Transport Level Filtering: Routers • Verifies authorization for the destination network or host addresses and destination transport connection point • Granularity is the level of detailed filtering provided • Proxies are used to control network traffic at application level. • Traffic filtering is also available at the IP and transport layers.

  17. Figure: TCP/IP layers and filtering • Application layer: HTTP (desired program) • Transport layer: TCP or UDP (provides the connection) • Network layer: IP (locates destination IP address & routes message) • Link layer: Ethernet (physical devices) • Application-based filtering: firewall • Packet filtering: routers

  18. What is IP Spoofing? • IP spoofing occurs when an attacker disguises his or her originating host server or router as that of another host or router. • Filtering rules that deny external network packets that originate from internal addresses are preventative controls • Audit logs are detective controls
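The filtering rule from slide 18 combined with the default deny rule of Figure 11-2, as an added example that is not part of the original presentation. The internal network range, the port numbers for FTP and TELNET, and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

# Assumed (constructed) addressing for the corporate internal network.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Figure 11-2 rule: deny everything except FTP (21) and TELNET (23).
PERMITTED_TCP_PORTS = {21: "FTP", 23: "TELNET"}

audit_log = []  # detective control: every decision is recorded


def filter_inbound(src_ip, dst_ip, dst_port):
    """Decide on a packet arriving on the external interface."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src in INTERNAL_NET:
        # Preventative control: an internal source address cannot
        # legitimately arrive from the external network.
        verdict, reason = "DENY", "spoofed internal source"
    elif dst not in INTERNAL_NET:
        verdict, reason = "DENY", "destination not internal"
    elif dst_port in PERMITTED_TCP_PORTS:
        verdict, reason = "PERMIT", PERMITTED_TCP_PORTS[dst_port]
    else:
        verdict, reason = "DENY", "default deny"
    audit_log.append((verdict, reason, src_ip, dst_ip, dst_port))
    return verdict


def spoof_attempts():
    """Audit-log entries that record a spoofed source address."""
    return [e for e in audit_log if e[1] == "spoofed internal source"]


# Constructed sample packets: (source, destination, destination port)
SAMPLE = [
    ("203.0.113.7", "10.1.2.3", 21),   # external FTP
    ("203.0.113.7", "10.1.2.3", 25),   # SMTP, not on the permit list
    ("10.9.9.9", "10.1.2.3", 23),      # claims an internal source
    ("198.51.100.4", "10.1.2.3", 23),  # external TELNET
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt, filter_inbound(*pkt))
    print("spoof attempts logged:", len(spoof_attempts()))
```

The spoofing check runs before the permit list, so a packet with a forged internal source is rejected even when it targets a permitted service.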

  19. Network Address Translation • Corporations save money on IP addressing costs by reassigning temporary Internet-unique IP addresses to outgoing sessions. • This method protects external parties from learning about internal network structures.

  20. Application Level Proxies • Redundant services that test the request before performing it • May require the user to authenticate themselves before the packets are analyzed. • Proxy server then establishes a session with desired web address and requests the same file(s) as the user request. • Firewall tests for viruses, and risky Java applets before passing the information to the user.

  21. Stateful Inspection • Compares each packet to a state table • Tracks inbound/outbound connections; authorized connections are recorded in a state table • Subsequent, identical connections are allowed without repeated authorization processes • Virus scanning and Java program scanning are more difficult than with application level proxies.
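A minimal state table showing the behaviour slide 21 describes, as an added example that is not part of the original presentation. The permitted outbound ports, the idle timeout and the sample addresses are assumptions; the timeout goes slightly beyond the slide to show how an entry stops being trusted.

```python
import time

ALLOWED_OUTBOUND_PORTS = {80, 443}  # assumed rule base for new connections
IDLE_TIMEOUT = 300                  # assumed idle lifetime of an entry, seconds


class StateTable:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.entries = {}     # connection key -> time last seen
        self.rule_checks = 0  # times the rule base had to be consulted

    @staticmethod
    def _key(proto, a_ip, a_port, b_ip, b_port):
        # Same key for both directions of one connection.
        return (proto,) + tuple(sorted([(a_ip, a_port), (b_ip, b_port)]))

    def _live(self, key):
        seen = self.entries.get(key)
        if seen is not None and self.clock() - seen > IDLE_TIMEOUT:
            del self.entries[key]  # expired: must be authorized again
            seen = None
        return seen is not None

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        key = self._key(proto, src_ip, src_port, dst_ip, dst_port)
        if not self._live(key):
            self.rule_checks += 1  # first packet: full authorization
            if dst_port not in ALLOWED_OUTBOUND_PORTS:
                return "DENY"
        self.entries[key] = self.clock()
        return "PERMIT"

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        key = self._key(proto, src_ip, src_port, dst_ip, dst_port)
        if not self._live(key):
            return "DENY"  # no matching state: unsolicited traffic
        self.entries[key] = self.clock()
        return "PERMIT"


if __name__ == "__main__":
    fw = StateTable()
    conn = ("tcp", "10.0.0.5", 40000, "198.51.100.9", 80)   # constructed
    reply = ("tcp", "198.51.100.9", 80, "10.0.0.5", 40000)  # constructed
    print(fw.inbound(*reply), fw.outbound(*conn), fw.inbound(*reply))
```

The same reply packet is denied before the outbound connection exists and permitted afterwards, and `rule_checks` stays at one however many later packets of that connection pass.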

  22. Virtual Private Networks (VPNs) • Create a secure “tunnel” through untrusted networks. • Usually requires the download of client software to the remote user’s machine. • Connection is secured and authenticated through encrypted messages. • Lower cost when compared to leased, private lines. • Standard and Poor’s example

  23. Real-Time Monitoring and Intrusion Detection Systems • Provide robust auditing and monitoring capabilities • Can send emergency signals to the firewall administrator when a pre-determined threshold of denied access attempts occurs. • Denied requests are logged and analyzed. • Intrusion detection systems (IDS) focus on identifying outsider scanning of ports. • 50% of companies currently use IDS devices.
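The threshold alert from slide 23 run over a firewall log, as an added example that is not part of the original presentation. The log format, the threshold of five denials, the 60-second window and the log lines themselves are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

THRESHOLD = 5  # assumed: denied attempts from one source that raise an alert
WINDOW = 60    # assumed: sliding window in seconds

# Constructed log lines in an assumed format: "<epoch> <verdict> <src> <port>"
SAMPLE_LOG = [
    "100 DENY 203.0.113.50 22",
    "101 DENY 203.0.113.50 25",
    "102 PERMIT 198.51.100.7 21",
    "103 DENY 203.0.113.50 80",
    "110 DENY 198.51.100.7 25",
    "120 DENY 203.0.113.50 110",
    "125 DENY 203.0.113.50 139",
    "200 DENY 198.51.100.7 25",
    "300 DENY 198.51.100.7 25",
    "400 DENY 198.51.100.7 25",
    "500 DENY 198.51.100.7 25",
]


def parse(line):
    ts, verdict, src, port = line.split()
    return int(ts), verdict, src, int(port)


def find_alerts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {source: alert} for sources that reach the denial threshold."""
    recent = defaultdict(deque)  # source -> (timestamp, port) of recent denials
    alerts = {}
    for line in lines:
        ts, verdict, src, port = parse(line)
        if verdict != "DENY":
            continue
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:
            q.popleft()  # forget denials that fell out of the window
        if len(q) >= threshold and src not in alerts:
            # Many distinct ports in one window suggests port scanning.
            ports = sorted({p for _, p in q})
            alerts[src] = {"at": ts, "denied": len(q), "ports": ports}
    return alerts


if __name__ == "__main__":
    for src, alert in find_alerts(SAMPLE_LOG).items():
        print("ALERT", src, alert)
```

The second source is denied five times as well, but spread over several minutes, so it never crosses the threshold inside one window.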

  24. Personal Firewalls • Free firewalls: • Zonealarm.com • Sygate at zdnet.com • Personal firewall functionality: • Programmable times for denying Internet access • Port probing monitors with reports • Ability to deny services from remote users • Tracking of all Internet connections • Ability to filter out requests stemming from denial of services and Trojan horse-type attacks

  25. Network Topology Network Topology refers to the physical architecture of a network system. Server firewalls should not be the ONLY filtering control between internal and external networks. Router filtering should also be utilized. Network topology affects network performance.

  26. Figure labels: Internet • Router • Ethernet segments • Firewall system • Router • Corporate internal network

  27. What is a Demilitarized Zone (DMZ)? A DMZ is a sub network that is located between the internal system and the external network. DMZs increase the cost of the firewall system and slow the processing time. • Access is controlled but not prevented by firewall technology. • Can lie between two firewalls • Can lie off of a separate segment from one firewall • Can also function as e-Commerce servers, Web servers, FTP servers, etc. • Traffic that originates from the DMZ and is destined for internal systems should be limited and controlled.

  28. Figure labels: Internet • Filter - Internet Access Router • Gateway Systems • Demilitarized Zone • Filter - Bastion Host • Corporate internal network

  29. Securing the Firewall - Policy • Network Security Access Policy - A high-level policy of network security • services allowed must be defined as well as how they may be used • processes that must be taken to make changes to rule bases must be determined • processes for acceptable exceptions to policy and supporting documentation necessary must be determined • Firewall Design Policy - addresses how the denied services will be restricted and how the allowed services will be permitted

  30. Securing the Firewall Firewall Security should include the following: • Firewall Policy • Firewall Administration • Firewall Services • Internal firewalls • Authentication – individual-level controls • Operating system controls

  31. EXAMPLES • Computer Resources Security Policy • Floppy disk and hard drive back-up • Shredding of printed, unclaimed, sensitive documents • Virus scanning software • General Rule: Deny access to a specific host computer from internal addresses • Exception: Allow selected internal users using strong authentication devices to access this system next Wednesday from 2 - 4 PM • Network Service Access Policy • How will e-mail requests be directed to a specific e-mail site? • How will FTP PUT commands be restricted? • Firewall Design Policy

  32. Securing the Firewall: Policy Generation The order of policy formation is important • Start with the computer resources policies • Then design network service access policies, clearly stating the procedures for exceptions to be qualified and authorized. • Then design firewall policies: how denied services will be restricted; how permitted services will be allowed

  33. Securing the Firewall - Administration • The 1998 CSI/FBI study reported mismanagement as the number 1 reason for firewall breaches: 93% due to firewall weakness and mismanagement • Rule-bases should be periodically reviewed • Administration procedures should be documented and followed. • The number of administrator accounts should be limited and one-time passwords used

  34. Securing the Firewall Services • Only approved vendor software should be used • Unnecessary and potentially dangerous services should not be used: • TELNET and FTP: allow remote users to login • Use strong passwords that are linked to specific terminals/locations with encrypted storage and transmission • Use proxy FTP servers, and DMZs • Monitor connection attempts • Finger Services Authorization and Use Logs: • Deny/block access to these files

  35. Securing the Firewall: Internal Firewalls • Internal network topography can include a backbone supporting several subsystems that need their own firewalls. • This modulation of subsystems effectively limits the total areas that are compromised when hackers access one area. • Internal networks protect against internal threats

  36. Securing the Firewall: Operating System Controls • User and group settings • File and directory permissions • Remote file system access • Operating system initialization files • Scheduling of jobs • Other core operating system settings • Trusting relationships • Networking services monitor

  37. Firewall Design Factors • Deny Capability - The firewall should be able to support a “deny all services, except those specifically permitted” policy. • Filtering - The ability to judiciously and dynamically employ filtering techniques, such as permit or deny services, for each host system is crucial to a good firewall design. • Security Policy - Developing a security policy is a precursor to designing and implementing effective firewalls.

  38. Firewall Design Factors - (cont.) • Dynamic - Networking environments are fluid and the firewall design should allow agility. • Authentication - The firewall design should utilize strong authentication devices and be continually updated to incorporate the most advanced and feasible authentication devices that emerge. • Flexible Filtering - The firewall should employ a flexible IP filtering language that can filter on as many attributes as is deemed necessary: source and destination transport connections, IP addresses, and inbound and outbound interfaces.

  39. Firewall Design Factors - (cont.) • Recognize Dangerous Services - It should identify such services and either disable them for outside users or use proxy services in DMZs to reduce exposure from such services. • Filter Dial-in Access - It should be able to filter dial-in access and limit access ports. • Audit Logs - It should log traffic and suspicious activity and should display it in an easy to understand format. • Current Version - It should have the most secure version of the operating system installed, with any known patches to known problems installed as well.

  40. Firewall Design Factors - (cont.) • Good Documentation - The firewall development process should be implemented in a fashion that provides checkpoints and a verifiable log of actions taken during its development, implementation, and maintenance.

  41. Choosing a Firewall Vendor: In-house Solutions vs. Commercial Security Software • The reputation of the vendor. Request references! • Does the software meet the requirements in the network service access policy/firewall design policy? • Does the vendor have 24 hour, 365 days a year support? How reliable is this support? • Does the vendor provide training? • How promptly does this vendor release updates/patches? Do they provide support for installing security patches? • How does this software fit in with future networking expansion plans?

  42. Limitations of Security Provided by Firewalls • Firewalls are just one component of security • Firewalls are continually changing • Firewalls can only protect a firm from the type of attacks the firm has included in their policies and rules. • Firewall users need to be aware of risks associated with attached files • Humans may over-rely on their firewall capabilities - this is dangerous!

  43. Implications for the Accounting Profession New opportunities exist in the areas of: • Penetration Testing and Risk Exposure • Provider of Network Solutions • Forensic Accounting • Intrusions Investigation
