Firewalls and Network Security - Information Security Lesson #7 of 12

Captions
Good day, everyone. This is Dr. Soper here, and today I'll be discussing the seventh topic in our series of lessons on information privacy and security, with today's topic focusing on firewalls and network security.

Before we proceed with our examination of firewalls and network security, I would first like to take a few moments to discuss some basic concepts and terms associated with computer networks. Broadly speaking, a computer network is a set of communications channels that interconnects computing devices and enables them to exchange data electronically. In the simplest form of a network, a single client is connected to a single server, where a client is a computing device that uses or consumes resources that are made available over a network, while a server is a computing device that provides resources or services to other devices over a network. The true power of computer networks emerges when many computing devices are able to communicate with each other, and for this reason networks are typically characterized by many different clients being connected to many different servers.

When discussing computer security in the context of networks, several other terms besides client and server are commonly used to describe different parts of a network. First among these terms is a node, which refers to a single conceptual computing device that is connected to the network. The next common term is a host, which refers to the actual physical computing device which resides at a node. A node is therefore more of a logical concept, while a host is more of a physical concept. It is important to note that computers are not the only possible hosts; other physical devices that are connected to the network, such as routers and so forth, are also considered to be hosts. Finally, we have the term link, which refers to a connection between two hosts. As with the term node, the term link is more of a logical, abstract concept, since in reality there are many different methods and communications media through which two hosts might be interconnected.

Networks have become increasingly popular over the past several decades because they afford many advantages. For example, networks enable resource sharing, which allows common resources such as shared printers to be used efficiently. Networks also enable a computational workload to be distributed across multiple machines, and can also deliver increased computational reliability insofar as a well-designed network can provide redundancy for many network resources. Finally, networks provide for easy expandability and scalability: as its computational workload increases, an organization can often simply add additional nodes to the network in order to handle the increased demand for computational resources.

Although networks provide many different advantages, networks also have several characteristics that make them vulnerable to attacks by malicious parties. The first of these characteristics is anonymity: in a networked environment, an attacker does not need to be in physical contact with an information system in order to attack it. Second, a networked environment can potentially expose many different points of attack. From a security perspective, a network is only as strong as its weakest link, and weak access controls on a single node can expose the entire network to risk. Third, networks allow computational resources and workload to be shared, and this means that more users have access to computational assets, thus exposing those assets to greater risk. Fourth, network architecture is often complex. Since networks are intrinsically more complex than standalone systems, there is a greater chance that a security vulnerability will be overlooked in a networked environment. Finally, networks often have unknown boundaries. Since the boundary of a network can change dynamically, it is often difficult to ensure that the entire network is secure. This is especially true in wireless networks, where unknown nodes can join and leave the network on an ad-hoc basis.

Port scanning is an activity that can be both a blessing and a curse from the perspective of network security. Broadly speaking, a port scanner is a software program that is designed to examine the hosts which reside at one or more IP addresses and record which ports are open on each host, along with which known vulnerabilities are present. For a network administrator or a security analyst, port scanners can be extremely valuable in that they provide a useful way of identifying and evaluating the strengths and weaknesses of a network. Unfortunately, the same port scanner information that can be used by a network administrator or a security analyst to evaluate the security of a network can also be used by a malicious party in order to identify network weaknesses or to assess how or at which point to attack a network. High-quality port scanner software is freely available to both white hats and black hats alike, and as with so many other tools that human beings have created, port scanners can be used for good or can be used to cause harm, depending upon the goal of the person who is wielding the tool.

One of the most useful strategies that a network designer can employ in order to control threats from port scanners is to implement a segmented network architecture. The general idea with network segmentation is to subdivide the various hosts on a network into a series of protected sub-networks, or subnets. Traffic that is travelling to or from any of the nodes on a subnet is then routed to or from the outside world through a single host, or if necessary through a small number of hosts. Since most of the hosts on the network belong to protected subnets, using a segmented network architecture ensures that those hosts are not directly visible to the outside world. Instead, the only components of the network that are directly visible from the outside are the small number of hosts (ideally just one host) through which traffic for all of the protected subnets is being routed. In this way, the network exposes the fewest points of attack possible to the outside world, thus improving overall security and allowing network security personnel to concentrate their efforts.

Firewalls are an absolutely indispensable tool in the battle to secure computer networks. A firewall is a hardware or software device, or sometimes a combination of the two, that is designed to prevent unauthorized outside traffic from crossing the network boundary or accessing hosts on the network. It is critical to understand that firewalls can also be used to prevent users inside the network from transmitting sensitive information beyond the network boundary or accessing unsecured or unauthorized resources over the network. From a broader point of view, the purpose of a firewall is to protect and isolate a local network or subnet from an outside network. A firewall works by inspecting each inbound or outbound data packet and determining whether those packets should be discarded, modified, or allowed to pass through in their current form. Put another way, firewalls are designed to keep bad things out of a local network or subnet while simultaneously keeping valuable or sensitive data from escaping to the outside world. What constitutes a bad thing, or valuable or sensitive data, is determined by the organization that operates the firewall and is formally defined using a firewall security policy. When properly implemented, firewalls can be extremely effective in reducing or eliminating many network threats.

The foundation of a successful firewall implementation is not only the firewall itself but also the security policy which guides and regulates the way in which the firewall will behave. A firewall security policy is a set of rules that a firewall relies upon to determine which traffic should be allowed to pass through a network boundary. A network boundary, then, might be a border between subnets within an organization, or it might define the boundary between an organization's computer networks and those of the outside world. Security policies for modern firewalls are almost infinitely configurable in order to accommodate the specific circumstances or needs that an organization may have. A simple example of a firewall security policy might be for the firewall to block all access from the outside while allowing all access to the outside. A slightly more sophisticated security policy might allow access from the outside only for certain predefined activities, or only for traffic being sent to certain subnets, hosts, applications, users, or so forth. Further, a firewall may have a default security policy. One example of a default security policy is known as a default permit, wherein anything that is not expressly prohibited is allowed. From an information security perspective, a much more desirable default firewall security policy would be a default deny, in which anything that is not expressly allowed is denied.

One way of helping us to better understand how firewalls operate within the milieu of network communications is to consider the OSI reference model. The OSI reference model defines a layered network communications protocol which describes all of the tasks necessary for computers to communicate over a network, ranging from very low-level tasks such as electrical signaling to very high-level tasks such as formatting information for human consumption. The OSI model consists of seven different layers, with each successively higher layer utilizing an abstract view of the layer directly below it. Put another way, the details of how lower layers actually work are hidden from higher layers. Conversely, each lower layer fully encapsulates the higher layer above it. Visually, the encapsulation of successively higher layers by lower layers within the OSI model is similar to Russian matryoshka dolls. The OSI model itself is a conceptual model; that is, it was never actually implemented on a wide scale. Nevertheless, the model allows us to see all of the activities required for inter-computer communication.

The lowest layer in the OSI protocol stack is the physical layer, and it is at this layer that the actual communication of information across a physical medium, such as a copper wire, occurs. The second layer in the OSI protocol stack is the data link layer, which is responsible for dividing data into blocks and for ensuring reliable data transfer and delivery across the network. The third layer is the network layer, and it is at this layer that host addressing and data routing are handled. Above the network layer we have the transport layer, which is responsible for error checking and correction and for ensuring reliable data flow. The fifth layer in the OSI protocol stack is the session layer, which is responsible for handling and controlling the connections between computing devices. Next we have the presentation layer, which handles issues associated with the appearance of data by translating between network data formats and application data formats. Finally, the seventh layer in the OSI protocol stack is the application layer, and it is within this layer that application programs communicate with and use network resources. One useful way of remembering the OSI layers in order is through the sentence "Please Do Not Touch Steve's Pet Alligator," which maps directly to Physical, Data Link, Network, Transport, Session, Presentation, and Application.

Now that we know about all of the various activities that are required in order for computers to communicate with each other, we are better equipped to understand how firewalls fit into the broader picture of network communication. Namely, firewalls operate at the network and transport layers, that is, layers three and four within the OSI reference model.

A packet filtering gateway, which is also sometimes referred to as a screening router, is a relatively simple type of firewall. Packet filtering gateways regulate network boundary access either by examining the source and destination IP addresses for each packet or by examining the type of transport protocol for each packet, examples of which might include HTTP, FTP, telnet, and so forth. Since many of these communications protocols are assigned to standard port numbers, packet filtering gateways can often filter data simply by considering the ports to which data are being directed. Regardless of whether a packet filtering gateway is examining IP addresses or port numbers, packets that are deemed to be unacceptable in light of the firewall's security policy will be filtered out or discarded. For example, a security policy might be established which allows HTTP traffic to pass through the network boundary while telnet traffic is blocked or discarded. Note that packet filtering gateways are the simplest type of firewall, but they are also commonly the most effective type of firewall.

Unlike a packet filtering gateway, a stateful inspection firewall operates by considering the state or context of the packets that it evaluates. One way of thinking about this activity is that stateful inspection firewalls remember, at least for a brief period of time, the network activities of the hosts associated with the packets that the firewall is examining. The underlying goal of a stateful inspection firewall in performing these activities is to try to identify hosts that represent a threat by accumulating evidence against them. If the negative evidence that has been accumulated against a particular host exceeds a threshold that has been established by the firewall's security policy, then the stateful inspection firewall may block all traffic directed to or from the offending host. As an example, imagine that an outside host begins transmitting a series of requests to an organization's network which, in rapid succession, inquire into whether certain ports are open on a specific machine. The first request, for example, might check whether port one is open, the second request might check whether port two is open, the third request might check whether port three is open, and so forth. Because a stateful inspection firewall maintains a memory of the activities of different hosts, it may identify this series of requests as an attempt by the outside host to conduct a port scanning attack. Once the number of port inquiries from the same host exceeds an established threshold value, the stateful inspection firewall can then block or discard all future requests from the outside host.

An application proxy gateway, which is sometimes known as a bastion host, is a type of firewall that runs pseudo-applications which mimic the proper behavior of real applications. One of the primary motivations underlying the use of application proxy gateways is that many application programs do not properly implement established communications protocols, and may therefore generate incorrectly formatted requests, or may behave in a dangerous or unexpected manner if they receive an improperly formatted request. The pseudo-applications on the application proxy gateway can examine the actual contents of data packets travelling across a network boundary, and in so doing can filter out unacceptable protocol commands or other malformed commands while they are in transit. Note that such command filtering is bi-directional; that is, an application proxy gateway can filter both incoming and outgoing traffic. As an example, an outside attacker might intentionally send a large number of improperly formatted HTTP requests to an organization's web server. If the web server's HTTP processing software is not sufficiently well designed to handle these improperly formatted requests, then the server may crash or behave in an otherwise unexpected manner. By filtering out or reformatting the improperly formatted HTTP requests before they reach the web server, the application proxy gateway can prevent the server from crashing or exhibiting unexpected behavior.

A circuit level gateway is a type of firewall that enables one network to be virtually connected to, or become a virtual extension of, another network. A circuit level gateway works by examining incoming and outgoing packets in order to determine whether those packets are being sent to or received from the target network, with the source and destination IP addresses of each packet typically being used to make this determination. Packets that are identified as being sent to or received from the target network will be encrypted or decrypted as necessary, with the purpose of this encryption being to make a secure end-to-end connection between the two networks. Packets that are not being sent to or received from the target network will be routed through the organization's normal firewall for appropriate further processing. Note that circuit level gateways can be used to implement virtual private networks, or VPNs. As an example of a circuit level gateway, imagine that an organization has two offices located in two different cities and wants to connect the office networks together to improve efficiency. The local network for each office will have been assigned a subnet address. To create an extended network that interconnects the two office networks, each location could implement a circuit level gateway using the other location's subnet address. In this way, any network traffic that is being sent from one office to the other will be automatically encrypted and decrypted at the boundary of each office's local network, thus ensuring that the traffic will be secured as it travels across network links that are not under the organization's control.

A guard is an advanced type of firewall that examines the contents of data packets while they are in transit across a network boundary. Based upon what it discovers inside of the packets that it examines, a guard firewall might modify the contents or addresses of the packets, allow the packets to pass through the network boundary without modification, or drop the packets altogether. Guard firewalls are conceptually similar to application proxy firewalls insofar as both types of firewalls are designed to examine the contents of data packets rather than simply examining their source or destination IP addresses or port numbers. Despite the similarity, guard firewalls are much more sophisticated than application proxy firewalls. Unlike other types of firewalls that rely upon comparatively simple rules to guide their behavior, a guard is almost infinitely configurable and can be programmed to perform any sort of packet filtering, scanning, or modification that is deemed necessary.

In contrast to a firewall that is implemented as a separate hardware device, a personal firewall is a type of firewall that is implemented in the form of a software program. In the modern era, many personal computing devices are continually connected to networks that are beyond the control of the users or owners of those computing devices. It is often not reasonable or cost-effective in these situations for an individual to purchase and configure a separate hardware-based firewall device, especially in the context of mobile computing, where an individual might regularly join and use many different wireless networks. To provide a layer of protection against the outside world, personal firewall software can be installed on computing devices for the purpose of inspecting inbound and outbound network traffic and determining whether it should be blocked, modified, or allowed to pass through. When properly configured, personal firewalls can be used to protect home computers and other network-connected computing devices from outside attackers, viruses, and other malware. To remain effective, however, such software-based firewalls must be updated on a regular basis.

Encryption is the single most powerful tool for protecting data while they are in transit over a network. Many different tools and techniques have therefore been developed which utilize encryption in the context of network communications. First among these is link encryption. In link encryption, data are encrypted just before they are transmitted over a communications link and are decrypted immediately after arrival. As opposed to link encryption, in end-to-end encryption data are encrypted at the highest levels of the network protocol stack. This ensures that data remain protected even if they must travel through several intermediary hosts before reaching their final destination. In a virtual private network, or VPN, communications between a network and a remote host (that is, a host that is located outside of the firewall) are encrypted, thus establishing virtual link encryption between the host and the network. Further, system administrators and other advanced users might rely upon secure shell, or SSH, encryption to provide an encrypted and authenticated path between a remote host and the system shell or operating system command interpreter. In the context of Internet technologies, Transport Layer Security, or TLS, and its predecessor Secure Sockets Layer, or SSL, can be used to provide server and client authentication and to allow for an encrypted communications channel to be established between a server and the client. TLS is currently the most widely used secure communications protocol on the Internet. An emerging network security protocol is the IP security protocol, or IPsec. This protocol is part of IP version 6 and defines a standard method for handling encrypted network data at the Internet Protocol layer. In the signed code paradigm, a party uses a digital signature to sign code transmitted over the network that is intended to be run on a client machine. If the signing party is trustworthy, then the signed code is presumed to come from an authentic, trustworthy source. Finally, we have encrypted email, in which email messages are encrypted to protect the confidentiality of their content while they are in transit over the network. By default, email messages are not encrypted and could therefore potentially be read by all of the hosts through which they pass en route to their recipients.

A large amount of misinformation about firewall technologies has been circulating for quite some time, and for that reason I would like to take a moment to highlight six truths about firewalls. First, firewalls can protect a local network environment only if they control the entire perimeter of the network. If traffic is able to enter or exit the network in any way without passing through a firewall, then the entire network is exposed. Second, firewalls do not protect data that are outside of the network perimeter. Once data have traveled beyond the boundary of the network, they are no longer under the control or protection of the firewall. Third, as viewed from the outside, firewalls are the most visible component of a network and are hence attractive targets for attack. In a well-designed network architecture, firewalls are often the only visible hosts that can be seen by a malicious party who is outside of the network; in these situations, the firewall thus represents the only point of attack. Fourth, firewalls must be properly configured, and their configuration settings must be periodically evaluated and updated. Network security is a constantly evolving domain, and firewalls must be actively maintained in order to handle new threats and security concerns as they arise. Fifth, firewall systems should not contain any tools that could help an attacker carry out subsequent exploits if she is able to penetrate the firewall. For this reason, software tools such as compilers, linkers, and so forth should not be installed on firewall devices. Finally, firewalls generally exert only a limited degree of control over the content that they allow to cross the network boundary. Other means of verifying and enforcing the accuracy and correctness of data must therefore be used inside the network perimeter.

Hosts inside of a network boundary often expose their IP addresses to the outside world in order to enable communication with external hosts. Unfortunately, clever malicious parties can use the IP addresses of the hosts on a network in order to infer the network's topological layout and architecture. A firewall can implement network address translation, or NAT, in order to hide the topology or structure of an internal network from the outside world. When network address translation is properly implemented, the IP address of packets originating from an internal host is replaced with the IP address of the firewall as the packets leave the network. External hosts will thus send replies to the firewall's IP address rather than to the IP address of the internal host itself. The IP address of incoming packets will then be similarly translated by the firewall back into the internal host's real IP address. In this way, the real IP address of the internal host is never exposed or made visible to the outside world.

The big-picture goal of network architecture design and implementing firewalls should be to establish a security perimeter which surrounds and protects internal information assets. This concept is analogous to building a wall around a castle: the wall serves not only as a means of keeping marauders away, but also as a means of keeping valuable assets, such as children and animals, from leaving the castle grounds without permission. A properly designed network security perimeter should also minimize the number of outside points of attack. Continuing our previous example, it would be much easier to defend a castle that has just one gate than it would be to defend a castle with many gates. Another useful strategy is to establish multiple security perimeters around internal subnets in order to further strengthen security. This would be analogous to a castle or a fortress that employs multiple layers of gates and walls. When using this approach, less valuable assets should be kept closer to the outer network boundary, while more valuable assets should be protected by multiple rings of network security. In this way, even if the outer defenses are breached, one or more strong barriers will still remain between the malicious intruders and an organization's most valuable information assets.

Well, my friends, thus ends our overview of firewalls and network security. I hope that you learned something interesting in this lesson, and until next time, have a great day.
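The packet filtering policy the lecture describes (HTTP allowed across the boundary, telnet discarded) and the difference between a default permit and a default deny, as an added Python example that is not part of the lecture. The Packet and Rule fields, the first-match PacketFilter class and the sample traffic are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Constructed view of just the header fields a packet filtering gateway looks at."""
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    dst_port: int
    direction: str    # "in" = arriving from outside, "out" = leaving the network


@dataclass(frozen=True)
class Rule:
    """One line of a firewall security policy; a field left as None matches anything."""
    action: str                        # "allow" or "deny"
    direction: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    src_prefix: Optional[str] = None   # crude prefix match, e.g. "10.0.0."

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.proto is None or self.proto == p.proto)
                and (self.dst_port is None or self.dst_port == p.dst_port)
                and (self.src_prefix is None or p.src_ip.startswith(self.src_prefix)))


class PacketFilter:
    """First matching rule wins; `default` is the verdict when no rule matches."""

    def __init__(self, rules: List[Rule], default: str):
        self.rules = list(rules)
        self.default = default

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default


# Constructed policy from the lecture: HTTP may cross the boundary, telnet may not.
POLICY = [
    Rule("allow", proto="tcp", dst_port=80),
    Rule("deny", proto="tcp", dst_port=23),
]

# Constructed sample traffic (documentation address ranges, not real hosts).
TRAFFIC = [
    Packet("203.0.113.7", "192.0.2.10", "tcp", 80, "in"),     # outside -> web server
    Packet("203.0.113.7", "192.0.2.10", "tcp", 23, "in"),     # outside -> telnet
    Packet("203.0.113.7", "192.0.2.10", "tcp", 3389, "in"),   # outside -> RDP, no rule
    Packet("192.0.2.10", "198.51.100.5", "tcp", 443, "out"),  # inside -> HTTPS, no rule
]


def verdicts(default: str) -> List[str]:
    """Run the sample traffic through the policy with the given default verdict."""
    fw = PacketFilter(POLICY, default)
    return [fw.decide(p) for p in TRAFFIC]


def compare_defaults() -> dict:
    """Same rules, same packets: only the default policy differs."""
    return {"default permit": verdicts("allow"), "default deny": verdicts("deny")}


if __name__ == "__main__":
    for name, results in compare_defaults().items():
        print(name)
        for p, v in zip(TRAFFIC, results):
            print(f"  {p.direction:>3} {p.proto}/{p.dst_port:<5} from {p.src_ip:<13} -> {v}")
```

The two packets no rule mentions (RDP inbound, HTTPS outbound) are what separates the policies: default permit lets both through, default deny drops both until someone writes an explicit rule.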
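The stateful inspection scenario from the lecture (an outside host asking about port one, port two, port three and so on until a threshold is exceeded, after which everything from that host is discarded), as an added Python example, not code from the lecture. The sliding evidence window, the threshold of five distinct ports and the sample traffic are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet view: who sent it, which port it asks about, and when."""
    src_ip: str
    dst_ip: str
    dst_port: int
    ts: float          # arrival time in seconds


class StatefulInspector:
    """Remembers, per outside host, which distinct ports it probed inside a time window.
    A host whose count of distinct probed ports exceeds the policy threshold is blocked,
    and every later packet from it is dropped."""

    def __init__(self, threshold: int, window: float):
        self.threshold = threshold    # assumed policy value: distinct ports tolerated
        self.window = window          # how long evidence is remembered, in seconds
        self.history: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
        self.blocked: Set[str] = set()
        self.alerts: List[str] = []

    def inspect(self, p: Packet) -> str:
        if p.src_ip in self.blocked:
            return "drop"                               # offending host stays blocked
        hist = self.history[p.src_ip]
        hist.append((p.ts, p.dst_port))
        # forget evidence older than the window before counting
        hist[:] = [(t, port) for t, port in hist if p.ts - t <= self.window]
        distinct_ports = {port for _, port in hist}
        if len(distinct_ports) > self.threshold:
            self.blocked.add(p.src_ip)
            self.alerts.append(f"{p.src_ip} probed {len(distinct_ports)} distinct ports on "
                               f"{p.dst_ip} within {self.window:.0f}s: blocking host")
            return "drop"
        return "allow"


def simulate() -> dict:
    """Constructed traffic: one outside host walks ports 1, 2, 3, ... while a normal
    client repeatedly contacts the web server on port 80."""
    fw = StatefulInspector(threshold=5, window=10.0)
    scanner = [Packet("203.0.113.7", "192.0.2.10", port, 0.1 * port) for port in range(1, 21)]
    client = [Packet("198.51.100.5", "192.0.2.10", 80, 0.5 * i) for i in range(20)]
    return {
        "scanner": [fw.inspect(p) for p in scanner],
        "client": [fw.inspect(p) for p in client],
        "alerts": fw.alerts,
    }


if __name__ == "__main__":
    result = simulate()
    print("scanner:", " ".join(v[0] for v in result["scanner"]))
    print("client: ", " ".join(v[0] for v in result["client"]))
    for line in result["alerts"]:
        print(line)
```

Counting distinct ports rather than raw packets is what keeps the legitimate client, which sends many packets to one port, from tripping the same threshold.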
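The network address translation behaviour described near the end of the lecture (outbound packets leave with the firewall's address, replies come back to the firewall and are translated to the internal host), as an added Python example that is not part of the lecture. It goes slightly beyond the text, as real NAT gateways do: the firewall also rewrites the source port and keeps a translation table so that replies for several internal hosts can be told apart, and it translates an inbound packet only if it comes from the peer that the internal host contacted. All addresses and ports are constructed.

```python
from dataclasses import dataclass, replace
from itertools import count
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed IP/TCP header view: only the addressing fields NAT rewrites."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    """Rewrites outbound packets to carry the firewall's public address and maps replies
    back to the internal host. Assumption beyond the lecture: a per-connection public
    port tells internal hosts apart, and only the contacted peer may answer on it."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        # (int_ip, int_port, ext_ip, ext_port) -> public port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # public port -> (int_ip, int_port, ext_ip, ext_port)
        self.inbound: Dict[int, Tuple[str, int, str, int]] = {}

    def egress(self, p: Packet) -> Packet:
        """Internal host -> outside: hide the real source address behind the firewall."""
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if key not in self.outbound:
            pub = next(self._ports)
            self.outbound[key] = pub
            self.inbound[pub] = key
        return replace(p, src_ip=self.public_ip, src_port=self.outbound[key])

    def ingress(self, p: Packet) -> Optional[Packet]:
        """Outside -> firewall: translate back only if it answers a mapped connection."""
        entry = self.inbound.get(p.dst_port)
        if p.dst_ip != self.public_ip or entry is None:
            return None                      # no mapping: nothing internal is exposed
        int_ip, int_port, ext_ip, ext_port = entry
        if (p.src_ip, p.src_port) != (ext_ip, ext_port):
            return None                      # a different outside host guessing the port
        return replace(p, dst_ip=int_ip, dst_port=int_port)


def demo() -> dict:
    """Constructed exchange: two internal hosts fetch the same outside web server."""
    fw = NatFirewall("203.0.113.1")
    out_a = fw.egress(Packet("10.0.0.5", 51000, "198.51.100.5", 80))
    out_b = fw.egress(Packet("10.0.0.6", 51000, "198.51.100.5", 80))
    # the server replies to what it saw: the firewall's address and translated port
    reply_b = fw.ingress(Packet("198.51.100.5", 80, out_b.src_ip, out_b.src_port))
    # an unrelated outside host trying the same public port, and an unmapped port
    probe = fw.ingress(Packet("203.0.113.9", 4444, "203.0.113.1", out_a.src_port))
    unsolicited = fw.ingress(Packet("203.0.113.9", 4444, "203.0.113.1", 22))
    return {"out_a": out_a, "out_b": out_b, "reply_b": reply_b,
            "probe": probe, "unsolicited": unsolicited}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:<11} {pkt}")
```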
Info
Channel: Dr. Daniel Soper
Views: 420,901
Keywords: Firewall (Software Genre), Information Security (Software Genre), Network Security (Organization Sector), port scanning, firewall security policies, OSI Model (Literature Subject), packet filtering, stateful inspection, application proxies, Computer Security (Industry), circuit gateway, personal firewall
Id: XEqnE_sDzSk
Length: 34min 41sec (2081 seconds)
Published: Tue Oct 22 2013