Question


Assume that you are working as IT Security head in RLCare hospital. Your hospital has 90 employees in two departments which are IP and OP.

B3.1

Assume that you are working as IT Security head in RLCare hospital. Your hospital has 90 employees in two departments which are IP and OP. The hospital had no firewall to secure its network, and the entire hospital is in two LANs, one for each department, both connected separately to the Internet. However, RLCare hospital has one application proxy for the FTP protocol. RLCare hospital has a server that holds all the patient records from the IP and OP departments. As per the government rule, the utmost security is to be provided to patient records maintained in the hospital.

You have to create a proposal to submit to RLCare hospital management for purchasing three new firewalls with 15000 OMR. In the proposal you have to design/draw the new network architecture for the company for improving security with firewalls. Mention the advantages of each design component and its importance in improving the security of the company. Also, if possible, in your design give a higher level of security to the server with the available firewalls.

Note: You can assume the type of firewalls that you need for your design. Mention your assumptions clearly in the answer.


B3.2

Estimate the impact of a backdoor on the choke point security strategy. How can you prevent backdoors in your company?


B3.3

Develop a real example case to show the importance of scalability while selecting a firewall product for your company.


Solutions

Expert Solution

B3.1:- Proposal to RLCare hospital:
Hello, I am a worker of the IT security department of your hospital. As we know, we have very poor security systems; as per the govt rule we have to increase our network security.
To improve security in our network we have to use three new best firewalls for protecting our data.
So I am here mentioning some firewalls which we have to use in our security network.
1:-Packet filtering firewall
Packet filtering firewalls operate inline at junction points where devices such as routers and switches do their work. However, these firewalls don't route packets, but rather they compare each packet received to a set of established criteria -- such as the allowed IP addresses, packet type, port number and other aspects of the packet protocol headers. Packets that are flagged as troublesome are, generally speaking, unceremoniously dropped -- that is, they are not forwarded and, thus, cease to exist.

2:-Circuit-level gateway
Using another relatively quick way to identify malicious content, circuit-level gateways monitor TCP handshakes and other network protocol session initiation messages across the network as they are established between the local and remote hosts to determine whether the session being initiated is legitimate -- whether the remote system is considered trusted. They don't inspect the packets themselves, however.

3:-Stateful inspection firewall
State-aware devices, on the other hand, not only examine each packet, but also keep track of whether or not that packet is part of an established TCP or other network session. This offers more security than either packet filtering or circuit monitoring alone but exacts a greater toll on network performance.
A further variant of stateful inspection is the multilayer inspection firewall, which considers the flow of transactions in process across multiple protocol layers of the seven-layer Open Systems Interconnection (OSI) model.

Now the question arises: What are the benefits of firewall security?

Having a personal firewall can quell the jitters you might have about your computer getting attacked. An Internet connection, especially an always-on type like broadband, is the entry point for hackers who want to get to your computer. A firewall polices your connection and is an essential tool in a basic computer security arsenal, along with an anti-virus tool. The book “Network Security First-Step” likens a firewall to an Internet border security officer because of its role in disallowing the wrong things from entering your computer from a network or the Internet.

Monitors Traffic
A firewall monitors all of the traffic entering your computer network. A two-way firewall does double duty and monitors the traffic exiting your network as well. Information is sent over networks in packets. Those packets are what the firewall investigates to determine if there’s something they contain that's potentially hazardous to your network’s security. Even you as the sender could transmit something bad, without knowing it, which is why it’s important to have a firewall police the contents.

Blocks Trojans
A firewall helps block Trojan horses. These types of intruders latch onto your computer files, and then when you send out a file, they go along for the ride to do more damage at the destination. Trojans are especially dangerous because they silently transmit what they uncover about you to a Web server. You’re oblivious to their presence until strange things start happening to your computer. A firewall blocks them from the outset, before they have a chance to infect your computer.

Stops Hackers
Having a firewall keeps hackers out of your network. Without firewall security, a hacker could get a hold of your computer and make it a part of what’s called a botnet, which is a large group of computers used to conduct illicit activity, such as spreading viruses. While hackers represent an extreme group, individuals who you may not suspect, such as neighbors, can also take advantage of an open Internet connection you may have. A firewall prevents such peeping-tom intrusions.

Stops Keyloggers
Having firewall security will reduce the risk of keyloggers monitoring you. A keylogger is spyware software that cybercriminals try to put on your computer so they can target your keystrokes. After they can identify what you're typing in and where, they can use that information to do the same thing. This knowledge can help them log in to your private online accounts.

B3.2:-

Choke Point
A choke point is a single point through which all incoming and outgoing network traffic is funnelled. As all traffic passes through a choke point it is the natural place to focus monitoring and control efforts such as Internet firewalls. It is also the natural place at which to break the connection with the external network if necessary.

Choke points are often criticised as an all-eggs-in-one-basket solution. This concern can be addressed by building some redundancy into the choke point. The key point is that the choke point provides control.

The largest threat to a choke point strategy is if an attacker is able to bypass the choke point. As firewalls generally act as choke points this is a significant issue, especially given the ease with which SLIP or PPP connections to Internet Service Providers can be established.

As choke points can experience high levels of network traffic it is important to ensure that there is sufficient bandwidth available at the choke point to prevent a network traffic bottleneck. Any monitoring and logging software should also be able to cope with the level of network traffic.

Impact of backdoor attacks on security:-
In the today’s business environment, companies must do everything in their power to prevent network breaches. With attacks coming from nearly all sides, it can sometimes be difficult to ensure that every vector and point of entry is protected.

Recently, there has been an increase in backdoor attacks. Here, we’ll take a look at just what a backdoor attack entails, what makes them such a dangerous risk factor and how enterprises can protect themselves.

The basics of a backdoor attack
According to Trend Micro’s report, “Backdoor Use in Targeted Attacks,” applications that allow for remote access to computers – known as backdoors – are often used for targeted attacks. In these types of breaches, hackers leverage backdoor programs to access the victim’s network. The benefit of this attack vector is that the backdoor itself can help cybercriminals break into the infrastructure without being discovered.

“Often initially used in the second (point of entry) or third (command-and-control [C&C]) stage of the targeted attack process, backdoors enable threat actors to gain command and control of their target network,” report authors Dove Chiu, Shih-Hao Weng and Joseph Chiu wrote. “In fact, research reveals that many of the backdoors used in targeted attacks have been especially designed with the ability to bypass any kind of intrusion detection system (IDS).”

Intrusion strategies in backdoor attacks
Backdoors not only provide a disguised point of entry for hackers, but can also offer a number of strategies for intrusion. Trend Micro’s report noted that these include:

Port binding: Utilized before firewalls were commonplace, port binding involves specific information configurations to reveal where and how messages are transmitted and delivered within the network.
Connect-back: Once firewalls were put in place on many networks, hackers began using the connect-back approach, where backdoors are leveraged to connect the targeted systems to cybercriminals’ C&C server systems. This also allows for a reverse connection from the servers to the victim platform through ports not under firewall protection.
Connect availability use: This strategy involves the use of several malware samples to not only breach the network, but remain there undetected for long periods of time. This extends the window hackers have to steal sensitive data from the target. The first malware, or “first-line backdoor,” serves as a platform to download the second sample, the “second-line backdoor,” which performs the actual theft of information.
Legitimate platform abuse: The report noted that abusing legitimate platforms has become more common, especially as hackers must now work harder to side-step security systems. Within this strategy, cybercriminals abuse a valid platform – like a blog, for example – and utilize it for the storage of C&C server data.
These are just a few attack strategies that can be carried out with backdoors. Trend Micro noted that other approaches include common services protocol or file header abuse, protocol or port listening, custom DNS lookup use and port reuse.

In addition, Tripwire noted that software isn’t the only system that can have a backdoor. Hardware components including authentication tokens, network appliances, surveillance systems and certain communication infrastructure devices can also have malicious backdoors that allow for cybercriminal intrusion.

B3.3:-

How to Build a Massively Scalable Next-Generation Firewall
Seven measures of scalability, and how to use them to evaluate NGFWs

If you’re an IT or security manager working in a government agency, here’s something you need to know: If you are using non-scalable appliances and they max out, administrators will typically turn off security functions, opening up the network to increased risks of malware and attacks. You probably don’t want to be the one explaining why the network was not protected with a scalable next-generation firewall.

In addition to advanced protection, massively scalable next-generation firewalls deliver many other benefits, particularly to government agencies concerned about maximum performance/protection and the ability to get new users up and running quickly. One next-generation firewall can replace multiple firewall and intrusion systems, lowering hardware costs and operating expenses. A massively scalable next-generation firewall can inspect very large files at near “wire speed” to enhance employee productivity. What do you need to know about building a massively scalable next-generation firewall? Here’s how to get started.

Scalable is not just big or fast. When it comes to advanced technologies like Next-Generation Firewalls, you can’t rely on a single measure like “Mbps for stateful packet inspection” to tell you how a security appliance will perform under real-world conditions.

In this paper, we will discuss seven measures of performance and scalability, and how you can use them to select a Next-Generation Firewall. We will also outline the kind of technical innovations needed to produce a massively scalable Next-Generation Firewall, and take a quick look at results from a benchmark test comparing some of the leading examples.

Why Scalability Is Important
Better Security: Traditional firewalls scan packet headers and apply rules to forward or block the packets. Next-Generation Firewalls do far more work: They inspect packet payloads, apply advanced malware detection and intrusion prevention techniques, perform content filtering, decrypt Secure Sockets Layer (SSL) traffic, control application traffic, and prevent employees from using non-business Web applications. These activities greatly improve security, but they require much more processing power. When non-scalable appliances “max out,” administrators typically turn off some security functions. This opens up the network to malware and attacks.

Lower Costs: One enterprise Next-Generation Firewall can replace multiple firewall and intrusion prevention systems. This consolidation reduces hardware and software license expenses, as well as deployment and administration costs.

Higher productivity: When utilization rises, most Next-Generation Firewalls are forced to buffer network packets and inspect them in memory. This slows network performance and hurts employee productivity. A massively scalable Next-Generation Firewall can inspect even very large files at near “wire speed,” so employee productivity is not affected.

Seven Measures of Performance and Scalability, and When to Use Them
Performance and scalability cannot be boiled down to a single measure for Next-Generation Firewalls. The following are seven measures to use when selecting the right solution for your environment. These measures are often (although not always) available in vendor data sheets and in the reports of independent benchmark tests.

1. Performance with stateful packet inspection.
Firewalls that perform stateful packet inspection inspect packet headers, track the state of network connections (such as TCP streams), and apply rules to block or forward packets. Maximum throughput with stateful packet inspection, measured in Mbps or Gbps, was a meaningful measure of performance for traditional stateful packet inspection firewalls. However, it doesn’t reflect the workload of Next-Generation Firewalls with their extra security capabilities. It should be given very little weight unless an appliance is going to be used in an environment with minimal security requirements.

2. Performance with deep packet inspection.
Deep packet inspection (DPI) involves inspecting the application content or “payload” of network packets, as well as the headers. Most of the extra security capabilities of Next-Generation Firewalls, such as malware detection, intrusion prevention, SSL decryption, content filtering and application control, are based on DPI. Maximum throughput with deep packet inspection, measured in Mbps or Gbps, is a much more meaningful indicator of Next-Generation Firewall performance than throughput with stateful packet inspection.

3. New connections per second.
In enterprise environments, millions of connections are created and dropped every minute. New connections per second measures the ability of a firewall to promptly handle new user traffic. In some ways, it is analogous to measuring acceleration: If many remote users log in at once, can the appliance pick up speed and handle them right away, or will it stall and slow down network performance? New connections per second is an important measure to consider if you have a large number of network users, particularly if they connect and log out frequently. Be aware, however, that some vendors publish connections-per-second statistics with DPI turned off. That test setting does not simulate real-world conditions.

4. Simultaneous connections with DPI enabled.
Maximum number of simultaneous connections, measured in thousands or millions, represents the number of network sessions that the Next-Generation Firewall can handle at peak times. Obviously, this is an important measure for large enterprises with large numbers of network users. Again, beware of vendors that publish measurements of connections with DPI turned off.

5. Performance with SSL decryption.
SSL traffic is widely used by banks, online retailers and cybercriminals to shield Web traffic from inspection. The ability to decrypt, scan and reassemble SSL-encrypted packets is one of the key security advantages of Next-Generation Firewalls, but it is very resource-intensive. If you have SSL traffic crossing your network boundary, then SSL decryption performance, measured in Mbps or Gbps, is a key metric for understanding how the Next-Generation Firewall will behave under real-world conditions. A related metric is how many simultaneous connections can be decrypted and inspected.

6. Latency with DPI enabled.
Firewalls with proxy-based designs can have high throughput but still force users to wait for large files to be buffered in memory, inspected and reassembled. So latency with DPI enabled, measured in milliseconds, is an important measure for anticipating how firewall performance will or won’t affect end-user productivity. It is particularly important for application response times when large files are transmitted.

7. Maximum file size.
Many firewalls place a limit on the size of files they can inspect — typically 100 MB. This is because they need to buffer files in memory but don’t have enough memory to handle large files. Therefore, these files must either be quarantined, which is bad for end-user productivity, or passed through without inspection, which is bad for security. The file-size limit is particularly important if you have users who receive or send large files such as zip files, audio and video files, ISO images, and CAD/CAM design files.
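As an added illustration, not part of the question or of the expert's answer, the Python model below shows the default-deny, stateful-inspection behaviour the B3.1 answer describes, applied to the firewall that would screen the patient-records server in the RLCare design, and logs every decision the way a choke point (B3.2) is meant to be monitored. The addresses, the rule set and the use of port 443 for the records application and port 21 for the FTP proxy are assumptions constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing for the proposed design (constructed for this example).
IP_LAN = ip_network("10.1.0.0/16")           # inpatient department LAN
OP_LAN = ip_network("10.2.0.0/16")           # outpatient department LAN
RECORDS_SERVER = ip_network("10.9.0.10/32")  # patient-records server
FTP_PROXY = ip_network("10.9.0.20/32")       # the hospital's FTP application proxy

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False  # True only for the packet that opens a new TCP session

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: tuple    # networks the source may come from
    dst: object   # network the destination must fall inside
    dport: int    # 0 matches any destination port
    note: str

    def matches(self, pkt: Packet) -> bool:
        return (any(ip_address(pkt.src) in net for net in self.src)
                and ip_address(pkt.dst) in self.dst
                and (self.dport == 0 or self.dport == pkt.dport))

# First match wins; anything that matches nothing is denied by default.
SERVER_FW_RULES = [
    Rule("allow", (IP_LAN, OP_LAN), RECORDS_SERVER, 443, "departments to records app over HTTPS"),
    Rule("allow", (IP_LAN, OP_LAN), FTP_PROXY, 21, "FTP only through the application proxy"),
    Rule("deny", (ip_network("0.0.0.0/0"),), RECORDS_SERVER, 0, "no other path to patient records"),
]

class StatefulFilter:
    """Rules decide session-opening packets; later packets of an admitted session pass
    by state; all else is denied. Each decision is logged (the firewall is the choke point)."""

    def __init__(self, rules):
        self.rules, self.sessions, self.log = rules, set(), []  # sessions: 5-tuples

    def _decide(self, pkt: Packet):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if fwd in self.sessions or rev in self.sessions:
            return "allow", "part of an admitted session"
        if not pkt.syn:  # a stateless filter trusting the ACK flag would pass this
            return "deny", "reply with no matching session state"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.sessions.add(fwd)
                return rule.action, rule.note
        return "deny", "default deny"

    def filter(self, pkt: Packet) -> str:
        action, reason = self._decide(pkt)
        self.log.append((action, pkt.src, pkt.dst, pkt.dport, reason))
        return action

def demo():
    """Push a constructed traffic sample through the server-segment firewall."""
    fw = StatefulFilter(SERVER_FW_RULES)
    results = {
        "ip_lan_https": fw.filter(Packet("10.1.4.20", "10.9.0.10", 51000, 443, syn=True)),
        "server_reply": fw.filter(Packet("10.9.0.10", "10.1.4.20", 443, 51000)),
        "internet_to_server": fw.filter(Packet("203.0.113.5", "10.9.0.10", 40000, 443, syn=True)),
        "spoofed_reply": fw.filter(Packet("203.0.113.5", "10.1.4.20", 443, 51000)),
        "op_lan_ftp_direct": fw.filter(Packet("10.2.7.9", "10.9.0.10", 52000, 21, syn=True)),
        "op_lan_ftp_via_proxy": fw.filter(Packet("10.2.7.9", "10.9.0.20", 52001, 21, syn=True)),
    }
    return results, fw.log
```

The `spoofed_reply` case is the one a plain packet filter gets wrong: it looks like a server reply but belongs to no session the firewall admitted, so the stateful device drops it and the log records why.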

