In: Computer Science
B3.1
Assume that you are working as IT Security head in RLCare hospital. Your hospital has 90 employees in two departments, IP and OP. The hospital had no firewall to secure its network; the entire hospital is in two LANs, one per department, and both are connected separately to the internet. However, RLCare hospital has one application proxy for the FTP protocol. RLCare hospital has a server that holds all the patient records from the IP and OP departments. As per the government rule, utmost security is to be provided to patient records maintained in the hospital.
You have to create a proposal to submit to RLCare hospital management for purchasing three new firewalls with 15000 OMR. In the proposal you have to design/draw the new network architecture for the company for improving security with firewalls. Mention the advantages of each design component and its importance in improving the security of the company. Also, if possible, in your design give a higher level of security to the server with the available firewalls.
Note: You can assume the type of firewalls that you need for your design. Mention your assumption clearly in the answer.
B3.2
Estimate the impact of a backdoor on the choke point security strategy. How can you prevent backdoors in your company?
B3.3
Develop a real example case to show the importance of scalability while selecting firewall product for your company.
B3.1:- Proposal to RLCare hospital:
Hello, I am a worker in the IT security department of your hospital. As we know, we have very poor security systems; as per the government rule we have to increase our network security.
To improve security in our network we have to use three new best firewalls for protecting our data.
So I am here to mention some firewalls which we have to use in our security network.
1:-Packet filtering firewall
Packet filtering firewalls operate inline at junction points where devices such as routers and switches do their work. However, these firewalls don't route packets, but rather they compare each packet received to a set of established criteria -- such as the allowed IP addresses, packet type, port number and other aspects of the packet protocol headers. Packets that are flagged as troublesome are, generally speaking, unceremoniously dropped -- that is, they are not forwarded and, thus, cease to exist.
2:-Circuit-level gateway
Using another relatively quick way to identify malicious content, circuit-level gateways monitor TCP handshakes and other network protocol session initiation messages across the network as they are established between the local and remote hosts to determine whether the session being initiated is legitimate -- whether the remote system is considered trusted. They don't inspect the packets themselves, however.
3:-Stateful inspection firewall
State-aware devices, on the other hand, not only examine each packet, but also keep track of whether or not that packet is part of an established TCP or other network session. This offers more security than either packet filtering or circuit monitoring alone but exacts a greater toll on network performance.
A further variant of stateful inspection is the multilayer inspection firewall, which considers the flow of transactions in process across multiple protocol layers of the seven-layer Open Systems Interconnection (OSI) model.
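To make the difference between the first and third firewall types concrete, here is an added simulation written for this answer (it is not code from the original page or from any firewall vendor). The department LAN ranges 10.0.1.0/24 and 10.0.2.0/24, the records server address 10.0.3.10, the outside host 203.0.113.5 and the tiny rule language are all assumptions made for the example. The stateless filter judges every packet by its headers alone, so to let server replies back to the workstations it needs a rule that admits any TCP packet carrying ACK; the stateful firewall instead remembers connections it saw opened and drops anything that does not belong to one.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str                           # "tcp" or "udp"
    flags: FrozenSet[str] = frozenset()  # TCP flags, e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                           # "allow" or "deny"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    dport: Optional[int] = None
    proto: Optional[str] = None
    flags_required: FrozenSet[str] = frozenset()

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dport is None or self.dport == p.dport)
                and (self.proto is None or self.proto == p.proto)
                and self.flags_required <= p.flags)


class PacketFilter:
    """Stateless packet filter: each packet is judged on its own headers.
    The first matching rule wins; default deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"


class StatefulFirewall(PacketFilter):
    """Stateful inspection: the rule set is consulted only when a new TCP
    connection is opened (SYN). Later packets pass only if they belong to a
    connection recorded in the state table."""

    def __init__(self, rules: List[Rule]):
        super().__init__(rules)
        self.table: Set[Tuple[str, int, str, int, str]] = set()

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        if fwd in self.table or rev in self.table:
            return "allow"            # belongs to a session we saw opened
        if p.proto == "tcp" and "SYN" not in p.flags:
            return "deny"             # not a new connection and no state: drop
        action = super().decide(p)
        if action == "allow":
            self.table.add(fwd)       # remember the session for its replies
        return action


# Constructed addressing (assumption, not from the question): IP LAN 10.0.1.0/24,
# OP LAN 10.0.2.0/24, patient-records server 10.0.3.10.
SERVER = "10.0.3.10/32"
ACCESS_RULES = [
    Rule("allow", "10.0.1.0/24", SERVER, dport=443, proto="tcp"),
    Rule("allow", "10.0.2.0/24", SERVER, dport=443, proto="tcp"),
]
# A stateless filter cannot recognise replies, so it needs an extra rule that
# lets any TCP packet carrying ACK through. That rule is its weakness.
STATELESS_RULES = ACCESS_RULES + [Rule("allow", proto="tcp", flags_required=frozenset({"ACK"}))]


def run_scenario() -> dict:
    """Decisions of both firewall types for four constructed packets."""
    stateless = PacketFilter(STATELESS_RULES)
    stateful = StatefulFirewall(ACCESS_RULES)
    packets = {
        "workstation_opens_https": Packet("10.0.1.20", "10.0.3.10", 40000, 443, "tcp", frozenset({"SYN"})),
        "server_reply": Packet("10.0.3.10", "10.0.1.20", 443, 40000, "tcp", frozenset({"ACK"})),
        "unsolicited_ack_from_internet": Packet("203.0.113.5", "10.0.3.10", 5555, 22, "tcp", frozenset({"ACK"})),
        "workstation_ftp_to_server": Packet("10.0.1.20", "10.0.3.10", 40001, 21, "tcp", frozenset({"SYN"})),
    }
    return {name: {"stateless": stateless.decide(p), "stateful": stateful.decide(p)}
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:32s} stateless={verdict['stateless']:5s} stateful={verdict['stateful']}")
```

The third packet is the point of the exercise: an unsolicited packet from the Internet aimed at the server gets through the stateless filter because it carries ACK, while the stateful firewall drops it because no matching connection was ever opened. That is the reason the design should place the patient-records server behind the stateful inspection firewall and use the plain packet filter only at the department LAN edges.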
Now the question arises: what are the benefits of firewall security?
Having a personal firewall can quell the jitters you might have about your computer getting attacked. An Internet connection, especially an always-on type like broadband, is the entry point for hackers who want to get to your computer. A firewall polices your connection and is an essential tool in a basic computer security arsenal, along with an anti-virus tool. The book “Network Security First-Step” likens a firewall to an Internet border security officer because of its role in disallowing the wrong things from entering your computer from a network or the Internet.
Monitors Traffic
A firewall monitors all of the traffic entering your computer network. A two-way firewall does double duty and monitors the traffic exiting your network as well. Information is sent over networks in packets. Those packets are what the firewall investigates to determine if there’s something they contain that's potentially hazardous to your network’s security. Even you as the sender could transmit something bad, without knowing it, which is why it’s important to have a firewall police the contents.
Blocks Trojans
A firewall helps block Trojan horses. These types of intruders latch onto your computer files, and then when you send out a file, they go along for the ride to do more damage at the destination. Trojans are especially dangerous because they silently transmit what they uncover about you to a Web server. You’re oblivious to their presence until strange things start happening to your computer. A firewall blocks them from the outset, before they have a chance to infect your computer.
Stops Hackers
Having a firewall keeps hackers out of your network. Without firewall security, a hacker could get a hold of your computer and make it a part of what’s called a botnet, which is a large group of computers used to conduct illicit activity, such as spreading viruses. While hackers represent an extreme group, individuals who you may not suspect, such as neighbors, can also take advantage of an open Internet connection you may have. A firewall prevents such peeping-tom intrusions.
Stops Keyloggers
Having firewall security will reduce the risk of keyloggers monitoring you. A keylogger is spyware software that cybercriminals try to put on your computer so they can target your keystrokes. After they can identify what you're typing in and where, they can use that information to do the same thing. This knowledge can help them log in to your private online accounts.
B3.2:-
Choke Point
A choke point is a single point through which all incoming and outgoing network traffic is funnelled. As all traffic passes through a choke point it is the natural place to focus monitoring and control efforts such as Internet firewalls. It is also the natural place at which to break the connection with the external network if necessary.
Choke points are often criticised as an all-eggs-in-one-basket solution. This concern can be addressed by building some redundancy into the choke point. The key point is that the choke point provides control.
The largest threat to a choke point strategy is if an attacker is able to bypass the choke point. As Firewalls generally act as choke points this is a significant issue, especially given the ease with which SLIP(1) or PPP(2) connections to Internet Service providers can be established.
As choke points can experience high levels of network traffic it is important to ensure that there is sufficient bandwidth available at the choke point to prevent a network traffic bottleneck. Any monitoring and logging software should also be able to cope with the level of network traffic.
Impact of backdoor attacks on security:-
In today’s business environment, companies must do everything in their power to prevent network breaches. With attacks coming from nearly all sides, it can sometimes be difficult to ensure that every vector and point of entry is protected.
Recently, there has been an increase in backdoor attacks. Here, we’ll take a look at just what a backdoor attack entails, what makes them such a dangerous risk factor and how enterprises can protect themselves.
The basics of a backdoor attack
According to Trend Micro’s report, “Backdoor Use in Targeted Attacks,” applications that allow for remote access to computers – known as backdoors – are often used for targeted attacks. In these types of breaches, hackers leverage backdoor programs to access the victim’s network. The benefit of this attack vector is that the backdoor itself can help cybercriminals break into the infrastructure without being discovered.
“Often initially used in the second (point of entry) or third (command-and-control [C&C]) stage of the targeted attack process, backdoors enable threat actors to gain command and control of their target network,” report authors Dove Chiu, Shih-Hao Weng and Joseph Chiu wrote. “In fact, research reveals that many of the backdoors used in targeted attacks have been especially designed with the ability to bypass any kind of intrusion detection system (IDS).”
Intrusion strategies in backdoor attacks
Backdoors not only provide a disguised point of entry for hackers, but can also offer a number of strategies for intrusion. Trend Micro’s report noted that these include:
Port binding: Utilized before firewalls were commonplace, port binding involves specific information configurations to reveal where and how messages are transmitted and delivered within the network.
Connect-back: Once firewalls were put in place on many networks, hackers began using the connect-back approach, where backdoors are leveraged to connect the targeted systems to cybercriminals’ C&C server systems. This also allows for a reverse connection from the servers to the victim platform through ports not under firewall protection.
Connect availability use: This strategy involves the use of several malware samples to not only breach the network, but remain there undetected for long periods of time. This extends the window hackers have to steal sensitive data from the target. The first malware, or “first-line backdoor,” serves as a platform to download the second sample, the “second-line backdoor,” which performs the actual theft of information.
Legitimate platform abuse: The report noted that abusing legitimate platforms has become more common especially as hackers must now work harder to side-step security systems. Within this strategy, cybercriminals abuse a valid platform – like a blog, for example – and utilize it for the storage of C&C server data.
These are just a few attack strategies that can be carried out with backdoors. Trend Micro noted that other approaches include common services protocol or file header abuse, protocol or port listening, custom DNS lookup use and port reuse.
In addition, Tripwire noted that software isn’t the only system that can have a backdoor. Hardware components including authentication tokens, network appliances, surveillance systems and certain communication infrastructure devices can also have malicious backdoors that allow for cybercriminal intrusion.
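The connect-back strategy above is where the choke point earns its keep: because all outbound traffic from both LANs must pass through the firewall, its connection log is the one place where a backdoor's regular calls home to a C&C server, and its use of a port outside the egress policy, become visible. The following Python is an added example written for this answer (not code from Trend Micro's report or from any product). The log line format, the addresses, the timestamps and the thresholds are constructed assumptions; a real firewall's log fields would need their own regular expression.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed outbound-connection log from the choke-point firewall (not real data).
# Assumed format: <ISO timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
2024-05-01T09:00:00 ALLOW tcp 10.0.2.15:51000 -> 198.51.100.7:8443
2024-05-01T09:01:12 ALLOW tcp 10.0.1.20:40001 -> 93.184.216.34:443
2024-05-01T09:03:40 ALLOW tcp 10.0.1.20:40002 -> 93.184.216.34:443
2024-05-01T09:05:00 ALLOW tcp 10.0.2.15:51001 -> 198.51.100.7:8443
2024-05-01T09:09:05 ALLOW tcp 10.0.1.20:40003 -> 93.184.216.34:443
2024-05-01T09:10:00 ALLOW tcp 10.0.2.15:51002 -> 198.51.100.7:8443
2024-05-01T09:12:30 ALLOW tcp 10.0.3.10:38000 -> 198.51.100.9:443
2024-05-01T09:15:00 ALLOW tcp 10.0.2.15:51003 -> 198.51.100.7:8443
2024-05-01T09:20:00 ALLOW tcp 10.0.2.15:51004 -> 198.51.100.7:8443
2024-05-01T09:30:22 ALLOW tcp 10.0.1.20:40004 -> 93.184.216.34:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_log(text: str) -> List[dict]:
    """Parse the assumed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        events.append(e)
    return events


def find_beacons(text: str, min_hits: int = 4, max_cv: float = 0.1) -> List[Tuple[str, str, int, int, float]]:
    """Flag (src, dst, dport) flows that reconnect at a near-constant interval.
    A connect-back backdoor polls its C&C server on a timer, which shows up as a
    very low coefficient of variation of the inter-connection gaps. Ordinary
    browsing to the same site has irregular gaps and is not flagged."""
    flows: Dict[Tuple[str, str, int], List[datetime]] = defaultdict(list)
    for e in parse_log(text):
        flows[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    hits = []
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 0.0
        if cv <= max_cv:
            hits.append((*key, len(times), round(avg, 1)))
    return hits


def find_unexpected_ports(text: str, allowed=frozenset({80, 443})) -> List[Tuple[str, str, int]]:
    """Outbound connections to destination ports the egress policy should not permit.
    A choke point only helps if the policy behind it is restrictive; anything
    outside the allow-list deserves a look."""
    seen = set()
    for e in parse_log(text):
        if e["dport"] not in allowed:
            seen.add((e["src"], e["dst"], e["dport"]))
    return sorted(seen)


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print("possible beacon (src, dst, port, hits, mean gap s):", b)
    for u in find_unexpected_ports(SAMPLE_LOG):
        print("egress to port outside policy:", u)
```

On the constructed log the OP workstation 10.0.2.15 is flagged twice: it contacts 198.51.100.7 exactly every 300 seconds, and it does so on port 8443, which the egress policy does not list. The IP workstation's four connections to a web site have irregular gaps and are left alone. Neither check is possible if a host has its own path to the Internet around the choke point, which is the bypass risk the choke point discussion above describes.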
B3.3:-
How to Build a Massively Scalable Next-Generation Firewall
Seven measures of scalability, and how to use them to evaluate NGFWs
If you’re an IT or security manager working in a government agency, here’s something you need to know: If you are using non-scalable appliances and they max out, administrators will typically turn off security functions, opening up the network to increased risks of malware and attacks. You probably don’t want to be the one explaining why the network was not protected with a scalable next-generation firewall.
In addition to advanced protection, massively scalable next-generation firewalls deliver many other benefits, particularly to government agencies concerned about maximum performance/protection and the ability to get new users up and running quickly. One next-generation firewall can replace multiple firewall and intrusion systems, lowering hardware costs and operating expenses. A massively scalable next-generation firewall can inspect very large files at near “wire speed” to enhance employee productivity. What do you need to know about building a massively scalable next-generation firewall? Here’s how to get started.
Scalable is not just big or fast. When it comes to advanced technologies like Next-Generation Firewalls, you can’t rely on a single measure like “Mbps for stateful packet inspection” to tell you how a security appliance will perform under real-world conditions.
In this paper, we will discuss seven measures of performance and scalability, and how you can use them to select a Next-Generation Firewall. We will also outline the kind of technical innovations needed to produce a massively scalable Next-Generation Firewall, and take a quick look at results from a benchmark test comparing some of the leading examples.
Why Scalability Is Important
Better Security: Traditional firewalls scan packet headers and apply rules to forward or block the packets. Next-Generation Firewalls do far more work: They inspect packet payloads, apply advanced malware detection and intrusion prevention techniques, perform content filtering, decrypt Secure Sockets Layer (SSL) traffic, control application traffic, and prevent employees from using non-business Web applications.
These activities greatly improve security, but they require much more processing power. When non-scalable appliances “max out,” administrators typically turn off some security functions.1 This opens up the network to malware and attacks.
Lower Costs: One enterprise Next-Generation Firewall can replace multiple firewall and intrusion prevention systems. This consolidation reduces hardware and software license expenses, as well as deployment and administration costs.
Higher productivity: When utilization rises, most Next-Generation Firewalls are forced to buffer network packets and inspect them in memory. This slows network performance and hurts employee productivity. A massively scalable Next-Generation Firewall can inspect even very large files at near “wire speed,” so employee productivity is not affected.
Seven Measures of Performance and Scalability, and When to Use Them
Performance and scalability cannot be boiled down to a single measure for Next-Generation Firewalls. The following are seven measures to use when selecting the right solution for your environment. These measures are often (although not always) available in vendor data sheets and in the reports of independent benchmark tests.
1. Performance with stateful packet inspection.
Firewalls that perform stateful packet inspection inspect packet headers, track the state of network connections (such as TCP streams), and apply rules to block or forward packets. Maximum throughput with stateful packet inspection, measured in Mbps or Gbps, was a meaningful measure of performance for traditional stateful packet inspection firewalls. However, it doesn’t reflect the workload of Next-Generation Firewalls with their extra security capabilities. It should be given very little weight unless an appliance is going to be used in an environment with minimal security requirements.
2. Performance with deep packet inspection.
Deep packet inspection (DPI) involves inspecting the application content or “payload” of network packets, as well as the headers. Most of the extra security capabilities of Next-Generation Firewalls, such as malware detection, intrusion prevention, SSL decryption, content filtering and application control, are based on DPI. Maximum throughput with deep packet inspection, measured in Mbps or Gbps, is a much more meaningful indicator of Next-Generation Firewall performance than throughput with stateful packet inspection.
3. New connections per second.
In enterprise environments, millions of connections are created and dropped every minute. New connections per second measures the ability of a firewall to promptly handle new user traffic. In some ways, it is analogous to measuring acceleration: If many remote users log in at once, can the appliance pick up speed and handle them right away, or will it stall and slow down network performance?
New connections per second is an important measure to consider if you have a large number of network users, particularly if they connect and log out frequently. Be aware, however, that some vendors publish connections-per-second statistics with DPI turned off. That test setting does not simulate real-world conditions.
4. Simultaneous connections with DPI enabled.
Maximum number of simultaneous connections, measured in thousands or millions, represents the number of network sessions that the Next-Generation Firewall can handle at peak times. Obviously, this is an important measure for large enterprises with large numbers of network users. Again, beware of vendors that publish measurements of connections with DPI turned off.
5. Performance with SSL decryption.
SSL traffic is widely used by banks, online retailers and cybercriminals to shield Web traffic from inspection. The ability to decrypt, scan and reassemble SSL-encrypted packets is one of the key security advantages of Next-Generation Firewalls, but it is very resource-intensive. If you have SSL traffic crossing your network boundary, then SSL decryption performance, measured in Mbps or Gbps, is a key metric for understanding how the Next-Generation Firewall will behave under real-world conditions. A related metric is how many simultaneous connections can be decrypted and inspected.
6. Latency with DPI enabled.
Firewalls with proxy-based designs can have high throughput but still force users to wait for large files to be buffered in memory, inspected and reassembled. So latency with DPI enabled, measured in milliseconds, is an important measure for anticipating how firewall performance will or won’t affect end-user productivity. It is particularly important for application response times when large files are transmitted.
7. Maximum file size.
Many firewalls place a limit on the size of files they can inspect — typically 100 MB. This is because they need to buffer files in memory but don’t have enough memory to handle large files. Therefore, these files must either be quarantined, which is bad for end-user productivity, or passed through without inspection, which is bad for security.
The file-size limit is particularly important if you have users who receive or send large files such as zip files, audio and video files, ISO images, and CAD/CAM design files.
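To turn the seven measures into a concrete purchasing decision for the hospital in B3.1, here is an added worked example written for this answer (not code from the paper above or from any vendor). It estimates the figures a site will need from a simple profile and then checks hypothetical data-sheet numbers against them, discarding any appliance whose numbers were published with DPI turned off, as the paper warns. The growth rate, per-user traffic, login-storm parameters, latency limit and the three appliances FW-A, FW-B and FW-C are all constructed assumptions; stateful-inspection throughput is recorded but given no weight, following measure 1.

```python
import math
from typing import Dict, List


def required_capacity(users: int, years: int = 3, growth: float = 0.20,
                      mbps_per_user: float = 2.0, sessions_per_user: int = 40,
                      login_fraction: float = 0.5, login_window_s: int = 60,
                      conns_per_login: int = 20, largest_file_mb: int = 500,
                      max_latency_ms: float = 5.0, headroom: float = 1.5) -> Dict[str, float]:
    """Turn a site profile into minimum figures for the measures listed above.
    Every rate is for traffic with DPI enabled, because that is the real workload.
    All parameter defaults are constructed assumptions for the example."""
    future_users = math.ceil(users * (1 + growth) ** years)   # size for growth, not today
    return {
        "future_users": future_users,
        "dpi_throughput_mbps": math.ceil(future_users * mbps_per_user * headroom),
        # login storm: a fraction of users log in inside one window, each opening several connections
        "new_conns_per_sec": math.ceil(future_users * login_fraction * conns_per_login / login_window_s * headroom),
        "concurrent_conns": math.ceil(future_users * sessions_per_user * headroom),
        "max_file_mb": largest_file_mb,
        "dpi_latency_ms": max_latency_ms,
    }


# Constructed data-sheet figures for three hypothetical appliances (not real products).
CANDIDATES = {
    "FW-A": {"spi_throughput_mbps": 2000, "dpi_throughput_mbps": 400, "new_conns_per_sec": 5000,
             "concurrent_conns": 100_000, "max_file_mb": 100, "dpi_latency_ms": 3.0, "dpi_on_in_tests": True},
    "FW-B": {"spi_throughput_mbps": 10000, "dpi_throughput_mbps": 2000, "new_conns_per_sec": 20000,
             "concurrent_conns": 500_000, "max_file_mb": 1024, "dpi_latency_ms": 2.0, "dpi_on_in_tests": False},
    "FW-C": {"spi_throughput_mbps": 4000, "dpi_throughput_mbps": 1000, "new_conns_per_sec": 10000,
             "concurrent_conns": 250_000, "max_file_mb": 1024, "dpi_latency_ms": 4.0, "dpi_on_in_tests": True},
}

HIGHER_IS_BETTER = ["dpi_throughput_mbps", "new_conns_per_sec", "concurrent_conns", "max_file_mb"]
LOWER_IS_BETTER = ["dpi_latency_ms"]


def evaluate(candidates: dict, req: Dict[str, float]) -> Dict[str, List[str]]:
    """Per appliance, list the measures it fails (empty list = meets every requirement).
    Figures published with DPI off are treated as unverified rather than as passes."""
    verdicts = {}
    for name, spec in candidates.items():
        failures = []
        if not spec["dpi_on_in_tests"]:
            failures.append("figures measured with DPI off (request a DPI-on benchmark)")
        else:
            for m in HIGHER_IS_BETTER:
                if spec[m] < req[m]:
                    failures.append(f"{m}: {spec[m]} < required {req[m]}")
            for m in LOWER_IS_BETTER:
                if spec[m] > req[m]:
                    failures.append(f"{m}: {spec[m]} > allowed {req[m]}")
        verdicts[name] = failures
    return verdicts


def shortlist(candidates: dict, req: Dict[str, float]) -> List[str]:
    """Appliances with no failed measure."""
    return [n for n, f in evaluate(candidates, req).items() if not f]


if __name__ == "__main__":
    req = required_capacity(users=90)   # the 90-employee hospital from B3.1
    print("requirements:", req)
    for name, fails in evaluate(CANDIDATES, req).items():
        print(name, "OK" if not fails else fails)
    print("shortlist:", shortlist(CANDIDATES, req))
```

For the 90-user hospital the profile grows to 156 users over three years and needs about 468 Mbps of DPI throughput, 39 new connections per second and 9,360 concurrent connections. FW-A has the highest stateful-inspection number of the two honest data sheets yet fails on DPI throughput and on its 100 MB file limit, which is exactly the trap measure 1 warns about; FW-B is set aside until the vendor supplies figures with DPI on; FW-C is the only one that passes. Changing the growth or per-user assumptions and rerunning is the "real example case" the question asks for: the shortlist changes as the site scales, not as the data sheet headline changes.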