Information Security Management
CSE3502
Module – 1: Information Security Devices
• Identity and Access Management (IAM)
• Networks (Wired And Wireless) Devices
• Endpoints/Edge Devices
• Storage Devices
• Servers, Infrastructure Devices (e.g. Routers, Firewall Services)
• Computer Assets, Storage Networks
• Content management, IDS/IPS
Identifying Unauthorized Devices
• Asset management
Most organizations today use some form of asset management.
The challenge with rogue devices is that they are not part of the
management framework.
The greater the number of unmanaged systems, the greater the risk to the
network.
Identify Assets
• On-access or real-time detection
• On-demand or scheduled detection
Asset Inventory Tool
• Automated asset inventory discovery tool – build a
preliminary asset inventory of systems connected to
an organization’s public and private network(s).
• Active tools – scan through network address ranges
• Passive tools – identify hosts by analysing their
traffic; these should be employed as well
• DHCP server logging – utilize a system that uses the
DHCP lease information to improve the asset inventory
and help detect unknown systems
Asset Inventory Tool (Cont.)
• All equipment acquisitions should automatically update the inventory
system
• Maintain an asset inventory of all systems connected to the network and
the network devices themselves
• The inventory should include every system that has an Internet Protocol
(IP) address on the network
• The asset inventory created must also include data on whether the device is
a portable and/or personal device
• Make sure that asset inventory database is properly protected and a copy
stored in a secure location.
• In addition to an inventory of hardware, organizations should develop an
inventory of information assets that identifies their critical information.
• A department and individual responsible for each information asset should be
identified, recorded, and tracked.
• Further to the asset inventory tool the organisation needs to:
– Deploy network level authentication via 802.1x to limit and control which
devices can be connected to the network.
– Deploy network access control (NAC) to monitor authorized systems so if
attacks occur, the impact can be remediated by moving the untrusted system to
a virtual local area network that has minimal access.
– Create separate VLANs for BYOD (bring your own device) systems or other
untrusted devices.
– Utilize client certificates to validate and authenticate systems prior to
connecting to the private network.
• Mapping of asset attributes and owner-to-MAC address can be stored in a free or
commercial database management system.
• Use tools to pull information from network assets such as switches and routers
regarding the machines connected to the network.
• Effective organizations configure free or commercial network scanning tools to
perform network sweeps on a regular basis
• The asset inventory database and alerting system must be able to identify the
location, department, and other details of where authorized and unauthorized
devices are plugged into the network.
• To evaluate the implementation of Control on a periodic basis, the evaluation
team
– will connect hardened test systems to at least 10 locations on the network, including
a selection of subnets associated with demilitarized zones (DMZs), workstations,
and servers. Two of the systems must be included in the asset inventory database,
while the other systems are not.
– must verify that the systems generate an alert or e-mail notice regarding the newly
connected systems within 24 hours of the test machines being connected to the
network.
– must verify that the system provides details of the location of all the test machines
connected to the network.
– must verify that the system provides information about the asset owner.
– must verify that the test systems are automatically isolated from the production
network within one hour of initial notification and that an e-mail or alert indicating
the isolation has been generated.
– must verify that the connected test systems are isolated from production systems.
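The DHCP-logging check and the inventory comparison described above can be expressed as a small script. The following Python is an added example, not part of the lecture material: it parses constructed DHCP lease lines, flags every MAC address that is absent from the asset inventory, and attaches the switch port the address was last seen on, so that the alert carries the location and owner information the evaluation team expects. The inventory, the MAC-to-port map, the hostnames and all addresses are constructed sample values.

```python
"""Flag unmanaged devices by comparing DHCP leases with the asset inventory.

Added example; the inventory, switch-port map and log lines are constructed.
"""
import re
from dataclasses import dataclass

# Constructed asset inventory, keyed by MAC address (lower case).
INVENTORY = {
    "aa:bb:cc:00:00:01": {"owner": "Finance / J. Doe", "location": "Building A, floor 2"},
    "aa:bb:cc:00:00:02": {"owner": "IT / file server", "location": "Server room"},
}

# Constructed MAC -> switch port map, as pulled from the switches' MAC tables.
SWITCH_PORT_BY_MAC = {
    "aa:bb:cc:00:00:01": "sw-a2 Gi1/0/7",
    "aa:bb:cc:00:00:02": "sw-core Gi1/0/1",
    "de:ad:be:ef:00:99": "sw-a2 Gi1/0/12",
}

# Constructed DHCP server log excerpt in ISC dhcpd syslog style.
DHCP_LOG = """\
Mar  3 08:01:12 dhcp1 dhcpd: DHCPACK on 10.0.2.15 to aa:bb:cc:00:00:01 (finance-pc7) via eth0
Mar  3 08:03:40 dhcp1 dhcpd: DHCPACK on 10.0.2.16 to de:ad:be:ef:00:99 (android-3f2a) via eth0
Mar  3 08:05:02 dhcp1 dhcpd: DHCPDISCOVER from 02:42:ac:11:00:02 via eth1
Mar  3 08:05:03 dhcp1 dhcpd: DHCPACK on 10.0.9.7 to 02:42:ac:11:00:02 via eth1
"""

# Only DHCPACK lines represent a granted lease; the hostname is optional.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)


@dataclass
class Alert:
    mac: str
    ip: str
    hostname: str
    port: str          # where the device is plugged in, or "unknown"


def parse_leases(log: str) -> dict:
    """Return {mac: (ip, hostname)} for every granted lease in the log."""
    leases = {}
    for line in log.splitlines():
        m = LEASE_RE.search(line)
        if m:
            leases[m["mac"].lower()] = (m["ip"], m["host"] or "?")
    return leases


def find_unmanaged(log: str, inventory: dict, port_map: dict) -> list:
    """Alert on every leased MAC address that is absent from the inventory."""
    alerts = []
    for mac, (ip, host) in parse_leases(log).items():
        if mac not in inventory:
            alerts.append(Alert(mac, ip, host, port_map.get(mac, "unknown")))
    return alerts


def quarantine_actions(alerts: list) -> list:
    """Ports a NAC system would move to the restricted VLAN; a MAC with no
    known port needs a manual trace and is reported separately."""
    return [(a.port, "move to quarantine VLAN") if a.port != "unknown"
            else (a.mac, "locate manually") for a in alerts]


if __name__ == "__main__":
    for a in find_unmanaged(DHCP_LOG, INVENTORY, SWITCH_PORT_BY_MAC):
        print(f"UNMANAGED {a.mac} ip={a.ip} host={a.hostname} port={a.port}")
```

The DHCPDISCOVER line is deliberately ignored: a discover does not prove the device obtained an address, whereas the DHCPACK does. The second unmanaged device has no entry in the port map, which is the case the evaluation criteria above are meant to catch, since an alert without a location cannot be acted on within the one-hour isolation window.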
1.2. Testing the Traffic Filtering Devices
• Traffic filtering – to reduce security threats, organisations
use various devices, technologies and techniques
• To improve the efficiency of filtering and increase the level of
security in its network, an institution/organisation should apply
the following recommendations:
– Define traffic-filtering rules
– Select a traffic-filtering technology
– Implement defined rules
– Maintain all the components of the solution
Understanding Firewalls
Packet-filtering functionality
(stateless firewall)
• A packet filter enables the implementation of control of access to
resources by deciding whether a packet should be allowed to pass,
based on the information contained in the IP packet header.
• Does not analyse the content of the packet (unlike a content
filter), nor does it attempt to determine the sessions to which
individual packets belong, based on the information contained in the
TCP or UDP header, and therefore it does not make any further
decisions in that regard.
• For this reason, the process is also known as stateless packet
inspection
• Stateless firewall devices analyse each packet individually and filter
them based on the information contained in Layers 3 and 4 of the
OSI reference model
Packet Filters
Filtering Decision is made based on the following information:
• source IP address
• destination IP address
• protocol
• source port number
• destination port number
The advantages of applying packet filters:
• simple implementation
• supported by most routers, so there is no need to invest in new equipment and software
• rarely cause bottlenecks in the area of their application, even at high speeds in Gigabit
networks.
The disadvantages of applying packet filters:
• vulnerability to IP spoofing attacks
• vulnerability to attacks that exploit problems within the TCP/IP specification and the protocol
stack
• problems with filtering packets that are fragmented (causing interoperability
problems and non-functioning VPN connections)
• no support for the dynamic filtering of services that negotiate the ports to be
used during the communication (e.g., passive FTP).
Stateful packet inspection
• Improves the packet filtering process by monitoring the state of each
connection established through a firewall device.
• It is known that the TCP protocol allows two-way communication and
that TCP traffic is characterized by three phases: establishing the
connection, data transfer, and terminating the connection.
• The state table contains all currently active connections, with the
following information for each:
– source IP address;
– destination IP address;
– source port number;
– destination port number;
– TCP sequence numbers;
– TCP flag values.
Advantages of applying stateful firewall devices:
– a higher level of protection compared to stateless firewall devices (greater efficiency
and more detailed traffic analysis)
– detection of IP spoofing and DoS attacks
– more log information compared to packet filters
Disadvantages of applying stateful firewall devices:
– no protection against application layer attacks
– performance degradation of the router on which they are deployed (this depends on the
size of the network and other services run on the router)
– not all of them provide support for UDP, GRE and IPSEC protocols, treating them in
the same way as stateless firewall devices
– no support for user authentication
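The difference between the Packet Filters section and the stateful inspection just described is easiest to see in code. The following Python is an added example, not code from the lecture or from any firewall product: it implements a stateless 5-tuple rule check and a stateful inspector that keeps the state table described above, then runs the same three constructed packets through both. The rule set, the addresses (documentation ranges) and the packets are all constructed. The point it shows is that a stateless filter needs a standing rule to admit the server's replies, and that rule also admits an unsolicited packet that merely uses source port 80, whereas the stateful inspector admits return traffic only for a session an inside host actually opened.

```python
"""Stateless 5-tuple filtering next to stateful inspection with a state table.

Added example; the rules and packets are constructed, not a real firewall's.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flags carried by the packet


@dataclass
class Rule:
    """One access-list entry; 'any' matches everything for that field."""
    action: str                      # "allow" or "deny"
    src: str = "any"                 # CIDR network or "any"
    dst: str = "any"
    proto: str = "any"
    sport: object = "any"            # port number or "any"
    dport: object = "any"

    def matches(self, p: Packet) -> bool:
        def in_net(addr, net):
            return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return (in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and self.proto in ("any", p.proto)
                and self.sport in ("any", p.sport)
                and self.dport in ("any", p.dport))


def stateless_filter(rules, p: Packet) -> str:
    """Layer 3/4 header check only: first matching rule wins, default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFirewall:
    """Tracks connections so return traffic is allowed only for sessions that
    an inside host actually opened."""

    def __init__(self, rules):
        self.rules = rules
        self.table = {}              # 5-tuple -> connection state

    def inspect(self, p: Packet) -> str:
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        reverse = (p.dst, p.src, p.proto, p.dport, p.sport)
        for k in (key, reverse):
            if k in self.table:
                if p.flags & {"FIN", "RST"}:
                    del self.table[k]          # connection is closing
                elif "SYN" in p.flags and "ACK" in p.flags:
                    self.table[k] = "ESTABLISHED"
                return "allow"
        # Not in the table: only a fresh TCP SYN (or a UDP datagram) may open a
        # session, and only if the rule set permits that direction.
        if p.proto == "tcp" and p.flags != {"SYN"}:
            return "deny"
        if stateless_filter(self.rules, p) == "allow":
            self.table[key] = "SYN_SENT" if p.proto == "tcp" else "UDP"
            return "allow"
        return "deny"


INSIDE = "10.0.0.0/8"
# Stateless: a second rule must let the web server's replies back in, and that
# rule also admits any unsolicited packet that merely uses source port 80.
STATELESS_RULES = [
    Rule("allow", src=INSIDE, proto="tcp", dport=80),
    Rule("allow", dst=INSIDE, proto="tcp", sport=80),
]
# Stateful: only the outbound direction needs a rule; replies come from the table.
STATEFUL_RULES = [Rule("allow", src=INSIDE, proto="tcp", dport=80)]

SYN = Packet("10.0.1.5", "203.0.113.10", "tcp", 50000, 80, frozenset({"SYN"}))
SYN_ACK = Packet("203.0.113.10", "10.0.1.5", "tcp", 80, 50000, frozenset({"SYN", "ACK"}))
UNSOLICITED = Packet("203.0.113.99", "10.0.1.5", "tcp", 80, 445, frozenset({"ACK"}))


def run_demo() -> dict:
    """Verdicts of both filters for the handshake plus one unsolicited packet."""
    fw = StatefulFirewall(STATEFUL_RULES)
    return {
        "stateless": [stateless_filter(STATELESS_RULES, p) for p in (SYN, SYN_ACK, UNSOLICITED)],
        "stateful": [fw.inspect(p) for p in (SYN, SYN_ACK, UNSOLICITED)],
    }


if __name__ == "__main__":
    print(run_demo())
```

The stateless verdicts are allow, allow, allow; the stateful verdicts are allow, allow, deny. The state table here also explains the "more log information" advantage above: every entry records which inside host opened which session, something a per-packet filter never knows.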
Deep Packet Inspection - DPI
• The improved version, called stateful protocol analysis (also known as DPI),
analyses data on the application layer.
• DPI devices include Application Firewalls, Application Proxy Gateways and Proxy servers.
• Unlike stateful firewall devices that filter traffic based on the data on layers 3, 4
and 5 of the OSI reference model, these devices also enable traffic filtering
based on the information on the application layer of the OSI reference model
(Layer 7).
Application Firewall (AF)
• AF devices perform a stateful protocol analysis of the
application layer.
• Support numerous common protocols, such as HTTP, SQL, e-
mail service (SMTP, POP3 and IMAP), VoIP and XML.
• Stateful protocol analysis relies on predefined profiles of
acceptable operating modes for the selected protocol
• Problems may arise if there is a conflict between the operating
mode of a specific protocol, which is defined on the AF
device, and the way in which the protocol is implemented in the
specific version of the application or of the operating systems used in
the network
Stateful Protocol Analysis
• determine whether an e-mail message contains a type of attachment that is
not allowed (e.g., exec files);
• determine whether instant messaging is used via an HTTP port;
• block the connection through which an unwanted command is executed (e.g.,
an FTP put command on the FTP server);
• block access to a page with unwanted active content (e.g., Java);
• identify an irregular sequence of commands exchanged in the
communication between two hosts
• enable the verification of individual commands and the minimum and
maximum length of appropriate command-line arguments
• The main disadvantage of the method of stateful protocol analysis is the
intensive resource use of AF devices.
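The list above describes what stateful protocol analysis does in general terms; the following Python is an added example (not part of the lecture, and not any AF product's code) that shows a minimal version of it for the FTP control channel. The protocol profile, the policy that refuses the STOR ("put") command, the argument-length bounds and the session transcripts are all constructed. The analyser tracks the login sequence as a state machine, so a data-transfer command sent before USER/PASS is reported as an irregular command sequence, and it checks every argument against the profile's minimum and maximum length.

```python
"""Stateful protocol analysis of an FTP control channel.

Added example; the protocol profile and session transcripts are constructed.
"""

# Acceptable-use profile for a subset of FTP: command -> (min, max) argument length.
FTP_PROFILE = {
    "USER": (1, 64), "PASS": (1, 64), "CWD": (1, 255), "PWD": (0, 0),
    "LIST": (0, 255), "RETR": (1, 255), "STOR": (1, 255), "TYPE": (1, 1),
    "QUIT": (0, 0),
}
# Commands the policy refuses even though the protocol allows them (STOR = "put").
BLOCKED_BY_POLICY = {"STOR"}
# Which commands are legal before the login sequence has completed.
EXPECTED_BEFORE_LOGIN = {"NEED_USER": {"USER", "QUIT"}, "NEED_PASS": {"PASS", "QUIT"}}


def check_command(state: str, line: str):
    """Return (new_state, verdict, reason) for one client command."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb not in FTP_PROFILE:
        return state, "block", f"unknown command {verb}"
    lo, hi = FTP_PROFILE[verb]
    if not lo <= len(arg) <= hi:
        return state, "block", f"{verb} argument length {len(arg)} outside {lo}-{hi}"
    expected = EXPECTED_BEFORE_LOGIN.get(state)
    if expected is not None and verb not in expected:
        return state, "block", f"{verb} is out of sequence in state {state}"
    if verb in BLOCKED_BY_POLICY:
        return state, "block", f"{verb} refused by policy"
    # Legal command: advance the session state machine.
    if verb == "USER":
        state = "NEED_PASS"
    elif verb == "PASS":
        state = "LOGGED_IN"
    elif verb == "QUIT":
        state = "CLOSED"
    return state, "allow", ""


def analyse_session(lines):
    """Run every command of one session through the analyser in order."""
    state, results = "NEED_USER", []
    for line in lines:
        state, verdict, reason = check_command(state, line)
        results.append((line.split(" ")[0].upper(), verdict, reason))
        if state == "CLOSED":
            break
    return results


# Constructed transcripts of the client side of two sessions.
NORMAL_SESSION = ["USER alice", "PASS s3cret", "CWD /reports", "RETR q1.pdf",
                  "STOR upload.exe", "PWD", "LIST " + "A" * 300, "XFOO bar"]
OUT_OF_ORDER = ["RETR secret.txt", "USER", "USER bob"]


if __name__ == "__main__":
    for name, session in (("normal", NORMAL_SESSION), ("out-of-order", OUT_OF_ORDER)):
        for verb, verdict, reason in analyse_session(session):
            print(f"{name:12} {verb:5} {verdict:5} {reason}")
```

In the first transcript the login, directory change and download pass, the upload is refused by policy, the oversized LIST argument and the unknown XFOO command are blocked; in the second, RETR before login is blocked as out of sequence and USER with an empty argument is blocked by the minimum length. The conflict mentioned above between a device's protocol profile and a particular client implementation is visible here too: a client that legitimately sends a command outside this profile would be blocked until the profile is adjusted.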
Application Proxy Gateway (APG)
• APG devices also perform an analysis of the traffic flow on the
application layer.
• APG devices contain proxy agents or “intermediaries” in the
communication between two end hosts. In this way, they prevent
direct communication between them
• Based on the filtering rules defined on the APG device, proxy
agents decide whether network traffic will be allowed or not.
• Traffic-filtering decisions can also be made based on the
information contained in the header of an application-layer message
or even based on the content conveyed by that message.
• Proxy agents can require user authentication.
• There are also APG devices with the capability of packet
decryption, analysis and re-encryption, before a packet is forwarded
to the destination host.
APG Device Deficiencies
• APG devices require a significantly greater utilisation of resources
• As a result, APG devices are not suitable for filtering real-time
applications.
• Another deficiency of these devices is the limitation in the number of
services that can be filtered through them.
• APG devices do not always support the filtering of new applications
or protocols.
• Due to their price, APG devices are commonly used for protecting data
centres or other networks containing publicly available servers that are
of high importance to an organisation.
• In order to reduce the load on APG devices and achieve greater
efficiency, modern networks more frequently use dedicated proxy
servers.
Dedicated Proxy (DP) Server
• Dedicated Proxy (DP) servers also have a role as “intermediaries” in the
communication between two hosts, although their traffic-filtering
capabilities are significantly lower.
• They are intended for the analysis of the operation of specific services and
protocols (e.g., HTTP or SMTP).
• Due to their limited traffic-filtering capabilities, DP devices are deployed
behind firewall devices in the network architecture.
• Their main function is to perform specialised filtering of a specific type
of traffic (based on a limited set of parameters) and carry out the logging
operation.
• The execution of these specific activities significantly reduces the load
on the firewall device itself, which is located in front of the DP server.
• The most widely used devices of this type are Web Proxy servers.
[Figure: WAF, Application Gateway and Dedicated Proxy]
Solutions Combining Traffic Filtering with
Other Technologies
1. NAT (Network Address Translation)
• NAT is a technology that enables devices that use private
IP addresses to communicate with devices on the Internet.
• This technology translates private IP addresses, which can
be used by devices within a Local Area Network (LAN),
into publicly available Internet addresses.
• There are three types of NAT translations:
– Dynamic NAT
– Static NAT and
– Port Address Translation (PAT).
Static NAT
• Static NAT implies a translation of just the IP address, where the
post-translation IP addresses are explicitly defined.
Dynamic NAT
• A multitude of hosts with private IP addresses can share an
equal or smaller number of public IP addresses.
PAT
• Many-to-one (or one-to-many): many private addresses share a single
public address, with individual connections distinguished by port number.
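The three translation types can be demonstrated with a small translation table. The following Python is an added example, not lecture code and not modelled on any vendor's implementation: one NatBox object holds a static mapping, a dynamic pool and a PAT address, translates outbound connections and reverses the mapping for inbound replies. For illustration it falls through static, then dynamic, then PAT for the same hosts, which goes beyond the text; a real device applies one translation type per policy. All addresses are constructed documentation ranges.

```python
"""Static NAT, dynamic NAT and PAT translations in one illustrative NAT box.

Added example; addresses are constructed documentation ranges, and a real
device applies one translation type per policy rather than falling through
all three as this class does.
"""


class NatBox:
    def __init__(self, static=None, pool=None, pat_address=None):
        self.static = dict(static or {})     # private -> public, fixed one-to-one
        self.pool = list(pool or [])         # free public addresses for dynamic NAT
        self.dynamic = {}                    # private -> public, assigned on demand
        self.pat_address = pat_address       # single public address shared by PAT
        self.pat_table = {}                  # (private_ip, private_port) -> public_port
        self.next_port = 40000               # next free port on the PAT address

    def translate(self, private_ip, private_port):
        """Outbound: return (public_ip, public_port, type) for a private endpoint."""
        if private_ip in self.static:
            return self.static[private_ip], private_port, "static"
        if private_ip not in self.dynamic and self.pool:
            self.dynamic[private_ip] = self.pool.pop(0)   # take a pool address
        if private_ip in self.dynamic:
            return self.dynamic[private_ip], private_port, "dynamic"
        if self.pat_address is None:
            raise RuntimeError("dynamic pool exhausted and PAT not configured")
        key = (private_ip, private_port)
        if key not in self.pat_table:                     # new session: new port
            self.pat_table[key] = self.next_port
            self.next_port += 1
        return self.pat_address, self.pat_table[key], "pat"

    def untranslate(self, public_ip, public_port):
        """Inbound reply: map a public endpoint back to the private host, or None."""
        for priv, pub in list(self.static.items()) + list(self.dynamic.items()):
            if pub == public_ip:
                return priv, public_port        # address-only NAT keeps the port
        if public_ip == self.pat_address:
            for (priv_ip, priv_port), pub_port in self.pat_table.items():
                if pub_port == public_port:
                    return priv_ip, priv_port
        return None   # no mapping: an unsolicited inbound packet is dropped


def run_demo():
    """Five outbound translations followed by two inbound lookups."""
    nat = NatBox(static={"10.0.0.10": "198.51.100.10"},
                 pool=["198.51.100.20"],
                 pat_address="198.51.100.1")
    out = [nat.translate("10.0.0.10", 5555),    # static entry
           nat.translate("10.0.0.21", 5000),    # takes the only pool address
           nat.translate("10.0.0.22", 5000),    # pool empty: falls back to PAT
           nat.translate("10.0.0.23", 5000),    # same private port, different public port
           nat.translate("10.0.0.22", 5000)]    # existing PAT session reused
    back = [nat.untranslate("198.51.100.1", 40001), nat.untranslate("198.51.100.1", 9999)]
    return out, back


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The last inbound lookup returns None: with PAT there is no entry for that port, so the packet cannot be delivered to any inside host, which is why NAT is often described as giving a side effect of inbound filtering even though it is not a firewall.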
2. VPN (Virtual Private Network)
• VPN (Virtual Private Network) technology is used to increase the security of
data transfer through a network infrastructure that does not provide a
sufficient degree of data security.
• It enables the encryption and decryption of network traffic between external
networks and an internal, protected network.
• VPN functionality - available on firewall devices or implemented on VPN
servers that are placed behind firewall devices in the network architecture.
• For VPN-encrypted traffic, the firewall device cannot perform an inspection,
access control or logging of the network traffic, and therefore cannot scan it
for certain security threats.
• The VPN service requires the application of certain filtering rules on the
firewall device in order to enable its uninterrupted operation.
• Special attention should always be paid to making sure that the appropriate
protocols and the TCP/UDP services that are necessary for the functioning of
the chosen VPN solution are supported.
VPN Architectures
3. IDP (Intrusion Detection and Prevention)
• Network Intrusion Detection (ID)
– based on monitoring the operation of computer systems or networks and
analysing the processes they perform, which can point to certain incidents.
• Network Intrusion Prevention (IP)
– process of detecting network intrusion events, but also includes the
process of preventing and blocking detected or potential network
incidents.
• Network Intrusion Detection and Prevention systems (IDP)
– based on identifying potential incidents
– logging information about them
– attempting to prevent them
– alerting the administrators responsible for security
– identifying problems concerning the adopted security policies
– documenting existing security threats
– discouraging individuals from violating security rules
– IDP systems use various incident detection methods
Primary Classes of Detection Methodology
1. Signature-based detection – threats that are already known
2. Anomaly-based detection – changes in behavior
3. Detection based on stateful protocol analysis
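The first two detection classes can be demonstrated on the same input. The following Python is an added example, not part of the lecture and not any IDP product's logic: it runs two constructed signatures and one anomaly rule over constructed web-server access log lines. Signature detection matches request strings against patterns for known misuse; anomaly detection first learns the highest per-minute request count of any source in a quiet training window, then alerts when a source in the analysed window exceeds three times that baseline. The log format, the signatures, the threshold factor and all addresses are constructed choices. Stateful protocol analysis, the third class, is the same technique shown earlier for the FTP control channel.

```python
"""Signature-based and anomaly-based detection over web-server access logs.

Added example; the signatures, baseline and log lines are all constructed.
"""
import re
from collections import Counter

# Common Log Format without the referrer/user-agent fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Signature-based: patterns for known, already-described misuse.
SIGNATURES = [
    ("directory traversal in request path", re.compile(r"\.\./")),
    ("request for a sensitive system file", re.compile(r"/etc/passwd")),
]


def fmt(ip, time, path, status=200):
    """Build one constructed log line."""
    return f'{ip} - - [03/Mar/2024:{time} +0000] "GET {path} HTTP/1.1" {status} 512'


# Quiet training traffic used to learn what normal request rates look like.
TRAINING_LOG = ([fmt("10.0.1.5", f"10:00:{i:02d}", "/index.html") for i in range(4)]
                + [fmt("10.0.1.9", f"10:00:{i:02d}", "/news.html") for i in range(4)])

# Traffic under analysis: two signature hits plus one source that hammers the server.
ANALYSED_LOG = ([
    fmt("10.0.1.5", "10:05:01", "/index.html"),
    fmt("203.0.113.8", "10:05:02", "/download?file=../../config.ini", 404),
    fmt("203.0.113.8", "10:05:03", "/cgi-bin/view?p=/etc/passwd", 404),
] + [fmt("198.51.100.77", f"10:05:{i:02d}", "/index.html") for i in range(10, 25)])


def parse(lines):
    """Yield (ip, minute, request) for every line the regex understands."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["ts"][:17], m["req"]   # "03/Mar/2024:10:05" is the minute


def signature_alerts(lines):
    """Class 1: one alert per (request, signature) match."""
    alerts = []
    for ip, _, req in parse(lines):
        for name, pattern in SIGNATURES:
            if pattern.search(req):
                alerts.append(("signature", ip, name))
    return alerts


def requests_per_minute(lines):
    return Counter((ip, minute) for ip, minute, _ in parse(lines))


def anomaly_alerts(lines, training, factor=3):
    """Class 2: alert when a source's per-minute request count exceeds
    factor x the highest per-minute count seen in the training window."""
    baseline = max(requests_per_minute(training).values(), default=1)
    alerts = []
    for (ip, minute), n in requests_per_minute(lines).items():
        if n > factor * baseline:
            alerts.append(("anomaly", ip, f"{n} requests in minute {minute} (baseline {baseline})"))
    return alerts


def detect(lines, training):
    return signature_alerts(lines) + anomaly_alerts(lines, training)


if __name__ == "__main__":
    for method, ip, detail in detect(ANALYSED_LOG, TRAINING_LOG):
        print(f"{method:9} {ip:15} {detail}")
```

Running it gives two signature alerts for 203.0.113.8 and one anomaly alert for 198.51.100.77, whose fifteen requests in one minute exceed the learned baseline of four by more than the factor. The two classes complement each other: the traversal requests are too few to be an anomaly, and the burst of ordinary index requests matches no signature.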
Intrusion Detection System
Configuring Secure Content Management
Content Management
• The advent of Web 2.0 technologies and the proliferation of file sharing protocols, data
sharing portals, media streaming, etc. used by employees expand the attack surface of an
organization. They create enormous opportunities for external threats to exploit
weaknesses.
• Allowing inbound and outbound connections — i.e. giving employees access to
initiate or receive traffic — creates employee productivity issues. It also
contributes to bandwidth problems, as connections to public or media streaming
sites consume an organization’s network bandwidth.
• While allowing legitimate traffic, organizations may not want their employees to
indulge in the different forms of entertainment and attractions available online, which
can lead to security threats, data leakage and productivity issues.
• Security has been evolving to address these challenges through a set of practices
and technical solutions under a category which can broadly be classified as ‘Secure
Content Management’ (SCM).
The Importance of Secure Content Management
Unrestricted Access - The Risks include:
• Impacted employee productivity
• Liability Exposure
• Hacker Attacks and Privacy Violations
How Secure Content Management Works
• Securing content starts with controlling access to certain Web sites based
on predetermined criteria.
– At a basic level, user access to Internet content is controlled using the
URL address or the URL content category.
– Basic content management solutions can also examine the way the
content is delivered, such as through Java applets or ActiveX scripts,
and determine access permissions accordingly.
• More advanced content management solutions also provide the ability to
block applications such as instant messaging and peer-to-peer services.
Site Blocking Versus Content Monitoring
Site Blocking
• Uses list-based or URL-based filters to identify and block certain Web sites.
• Some solutions rely on white lists that allow access to only those sites that
appear on the list. Ex: a retail store might create a white list containing only
the company’s Web site, shipping Web sites and supplier Web sites.
• Other solutions use black lists, which permit access to all sites except those on
the black list. The black list approach is preferable for businesses whose
employees need less restrictive Internet access.
Content Monitoring
• Uses a keyword-blocking approach that compares the keyboard data to a
user-defined library of words and phrases.
• When a match to one of the blocked words or phrases is detected, the solution
filters or blocks the data, or in some cases even closes the application.
• The problem with this approach is that it can inadvertently block legitimate
pages based on the fact that they contain one or more targeted keywords.
Site Blocking
• Effectiveness and manageability of site blocking depends on a
number of factors:
– Database size
– Update frequency
– Category organization
• A general limitation of site blocking is that it focuses
exclusively on HTTP-based Web traffic.
• It does not block instant messaging, e-mail attachments,
peer-to-peer applications and other applications that could
contain security threats.
• With a black list approach, the database of Web sites is
organized into categories, such as “violence” or “drugs,” and
network administrators can selectively block categories.
Content Monitoring
• Armed with this information, advanced content monitoring solutions can
more accurately assess Web sites and consequently more accurately
control blocking.
• Another valuable advantage of content monitoring is the ability to monitor
and filter content not only from Web sites, but also chat rooms, instant
messaging, e-mail attachments and Windows applications.
• More advanced content monitoring solutions not only examine the
individual words on the page, but also evaluate context and other data
such as HTML tags.
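The Site Blocking versus Content Monitoring comparison and the context-aware monitoring described in this last section can be put side by side in code. The following Python is an added example, not part of the lecture and not any SCM product's logic: it implements white-list and black-list site blocking over a constructed URL category database, a plain keyword monitor, and a context-aware monitor that parses the HTML and weighs a phrase found in the page title three times higher than a mention in the body. The two constructed pages show the false positive the text warns about: a news article that merely quotes a blocked phrase is blocked by the keyword monitor but allowed by the context-aware one. The hostnames (reserved .test domain), the category database, the phrase library, the weighting and the threshold are all constructed.

```python
"""Site blocking (URL lists and categories) beside keyword content monitoring,
and a context-aware variant that weighs where a keyword appears.

Added example; the category database, phrase library, hostnames and pages are
all constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed URL category database, as a site-blocking product would ship.
CATEGORY_DB = {
    "casino-example.test": "gambling",
    "news-example.test": "news",
    "supplier-example.test": "business",
}

# Constructed keyword library for content monitoring.
BLOCKED_PHRASES = ["free bet", "jackpot"]


def site_blocking(url, mode, site_list, blocked_categories=()):
    """White-list mode allows only listed hosts; black-list mode denies listed
    hosts and any host whose category is blocked."""
    host = urlparse(url).hostname or ""
    if mode == "whitelist":
        return "allow" if host in site_list else "block"
    if host in site_list or CATEGORY_DB.get(host) in blocked_categories:
        return "block"
    return "allow"


class _PageText(HTMLParser):
    """Separate the <title> text from the rest of the visible text."""
    def __init__(self):
        super().__init__()
        self.title, self.body, self._in_title = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        (self.title if self._in_title else self.body).append(data)


def keyword_monitor(html):
    """Plain keyword blocking: any listed phrase anywhere on the page blocks it."""
    text = html.lower()
    hits = [p for p in BLOCKED_PHRASES if p in text]
    return ("block" if hits else "allow", hits)


def context_monitor(html, threshold=4):
    """Weigh phrases in the title three times higher than body mentions, so a
    page that merely mentions a phrase once is not blocked."""
    parser = _PageText()
    parser.feed(html)
    title = " ".join(parser.title).lower()
    body = " ".join(parser.body).lower()
    score = (sum(3 for p in BLOCKED_PHRASES if p in title)
             + sum(body.count(p) for p in BLOCKED_PHRASES))
    return ("block" if score >= threshold else "allow", score)


# Constructed pages: one that the policy targets, one that only reports on it.
GAMBLING_PAGE = """<html><head><title>Jackpot Palace - free bet today</title></head>
<body><h1>Claim your free bet</h1><p>Hit the jackpot now. Another jackpot is waiting.</p>
</body></html>"""

NEWS_PAGE = """<html><head><title>Regulator fines betting operator</title></head>
<body><p>The regulator fined the operator over misleading 'free bet' adverts.</p>
</body></html>"""


if __name__ == "__main__":
    print("whitelist:", site_blocking("https://news-example.test/", "whitelist", {"supplier-example.test"}))
    print("blacklist:", site_blocking("https://casino-example.test/", "blacklist", set(), {"gambling"}))
    for name, page in (("gambling", GAMBLING_PAGE), ("news", NEWS_PAGE)):
        print(name, "keyword:", keyword_monitor(page), "context:", context_monitor(page))
```

The keyword monitor blocks both pages; the context-aware monitor scores the gambling page 9 (two phrases in the title plus three body mentions) and the news page 1, so only the first is blocked. Site blocking, by contrast, never looks at the page at all: it decides from the host name and its category, which is why it cannot see instant messaging or e-mail attachments.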