Firewall basics

Blocks dangerous communications from spreading across network, either from outside into a network or within the network.
Can be dedicated hardware, part of router or integrated with OS.
Compares addressing and protocol information of datagram to rules setup in firewall’s software.
If datagram comes from a hacker and the rules say block unknown then the firewall rejects datagram silently or closes the connection.
Advanced firewalls can block traffic based on type of application e.g. media players or BitTorrent clients.

Personal firewalls

Often installed as part of OS.
Only protects computer (and attached devices) it is installed on.
Useful for mobile computers connecting to various networks.

Other firewalls

Firewall software can be downloaded for free or purchased.
Should only one firewall at a time to prevent degradation of system performance.
Should always have one firewall running.

VPN basics

Virtual Private Network – private network across untrusted network such as the internet. Uses include:

• Securely connect isolated LANs across internet
• Allow mobile users to across corporate network via the internet
• Control access within intranet environment

Implemented using dedicated hardware and software.
VPN client – installed on device & responsible for connecting to the VPN to send & receive information securely.
VPN server – part of dedicated network device on perimeter of organisation’s network. Server software authenticates users and routes traffic.
VPN software creates secure tunnel between VPN client and VPN server across any network. Information transmitted is encrypted.

Securing the tunnels

Encryption – usually performed by client and server software.
Authenticity and integrity – methods used to ensure authenticity:

• Hashes
• Digital signatures
• Message Authentication Codes (MACs)
  • Appended to messages, act as authenticator.
  • Similar to digital signature but has is encrypted and decrypted using same secret key (symmetric encryption)

VPN protocols – three main forms in use:

• PPTP (Point to Point Tunnelling Protocol)
  • Limited to 255 connections per server
  • PPTP standard did not adopt common form of authentication or encryption
  • Sometimes resulted in incompatible software
  • Replaced by L2TP
• L2TP (Layer 2 Tunnelling Prototol)
  • Adaptation of L2F VPN protocol
  • Combines features of PPTP and L2TP
• IPSec (Internet Protocol Security)
  • Most widely supported protocol
  • Uses well-know and trusted technologies

Security risks of VPN

• Security of remote machines
  • Remote machine attaching to corporate network may be misused by another user, may be infected by a virus of malware
  • Must be secure – up to date patches, antivirus software etc
• Security of VPN implementation
  • Errors in implementation of protocols may present security risks by hackers
  • Incorrect design of VPN solution may introduce security vulnerabilities
• Security of interoperation
  • Using various providers of software and hardware may result in problems
• Security of network availability
  • Internet cannot guarantee delivery of information

Intrusion Detection System (IDS)

Usually dedicated hardware or software divided into two types by their responsibilities:

• Network Intrusion Detection System (NIDS)
  • Monitors data passing over network
• Host Intrusion Detection System (HIDS)
  • Monitors data to & from a computer

IDS can support a network firewall.
Firewall should be closed to all traffic except that know to organisation e.g. web, email, FTP.
IDS can then scan traffic passing through firewall for potential attacks with NIDS. A HIDS can also be used to check for threats from within such as malware on an infected computer.
Intrusion detection is passive – monitors and informs.
Can also be reactive, can inform admins as well as attempt to stop intrusion by blocking further packets being sent from source IP. Also referred to as Intrusion Prevention or Protection Systems (IPS).
Weaknesses

• Can be too sensitive – falsely reporting intrusions caused by misconfiguration or buggy software
• Not sensitive enough – slow proceeding attacks, low traffic generation
• Signature IDS – relies on supplier to issue regular updates

How an IDS works in practise

Use one of two techniques:

• Anomaly detection
  • Requires model of normal network behaviour of users and applications
  • Assumption of attack is that behaviour is not normal
  • Detects unknown attacks by looking for patterns that deviate from normal
  • Disadvantage that some legitimate activity could be flagged as suspicious
• Misuse detection
  • Requires set of attack patterns or signatures to compare against network activity
  • Mis-match between users’ activities and one of the signatures, system will flag an attack
  • Minimises flagging of legitimate user activity
  • Disadvantage – only able to identify attack against know signature

Honeypots

Isolated website, computer or network resource used for deflect attacks in order to study them.
Can be used to record activity and study behaviour.

Resources

http://eandt.theiet.org/magazine/2013/08/cyber-securitys-new-hard-line.cfm