Security Architecture - 001
MIS 5214 - Section 001 - David Lanter
February 13, 2020 by David Lanter 30 Comments
Joseph Nguyen says
February 16, 2020 at 12:13 am
One of the most interesting topics; it can provide very good defense in depth and a first line against threats when combining: main border firewall (Stateful Packet Inspection or SPI), screening border routers, application proxy firewalls (HTTP or SMTP), antivirus, IDS/IPS, internal firewall (static packet filtering) and individual host firewalls (clients and servers).
Good management should include good documentation of policies/rules, procedures, separation of duties, log alerts, maintenance contracts, and SLAs.
Junjie Han says
February 18, 2020 at 8:36 pm
You have made a clear list of firewall categories and mentioned information management for firewalls. The primary function of a firewall is isolation.
I’ll add a few firewall Settings for maintaining the system.
1. Record firewall rules and add comments to explain special rules.
2. Check firewall rules regularly and optimize firewall performance.
3. Organize firewall rules to maximize speed. Placing the most commonly used rules at the top and moving the less used rules to the bottom helps speed up the firewall.
4. Osmosis test to check the health status of rules.
5. Conduct regular automatic security audits. A security audit is a manual or systemically measurable technical assessment of a firewall. Since it consists of a combination of manual and automated tasks, the results of these tasks must be periodically reviewed and documented.
Zeynep Sahin says
February 16, 2020 at 3:32 am
One of the key points that I learned from this chapter is that there are various types of firewalls which can be divided into categories depending on their method of operation and their structure. The six types of firewalls are stateful packet inspection filtering, static packet-filtering firewalls, network address translation, application proxy filtering, intrusion prevention system filtering, and antivirus filtering. Although all types of firewalls are used to prevent many attacks, it is important to know that Stateful Packet Inspection (SPI) is used as the primary prevention mechanism by most main border firewalls, and the other types of filtering mechanisms are used as supplements to SPI. Moreover, stateful packet inspection not only offers more security than either packet filtering method but also balances network performance.
February 16, 2020 at 8:17 pm
Great analysis, Zeynep.
May we also note that SPI is beginning to be challenged by a new type of filtering, which is called intrusion prevention system (IPS) filtering. Intrusion prevention system’s filtering method is capable of detecting and stopping attacks that are more sophisticated than earlier forms of filtering, including SPI, could address.
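The connection-table behaviour that the two comments above attribute to SPI, as an added example that is not code from the textbook or from anyone in this thread: a tiny stateful filter that records connections opened from the inside, passes only inbound packets that match one of them, drops unsolicited inbound packets (the probe case), and fails closed when its table is full (the overload case raised further down the thread). The `Packet` layout, the `10.0.0.` internal prefix, and all addresses and ports are constructed for illustration.

```python
"""Toy stateful packet inspection (SPI) filter.

Added example (not from the textbook or the thread above). Models the
connection table a border firewall keeps: a connection opened from the
inside is recorded, replies that match it are passed, and inbound packets
that match nothing are dropped. It also drops new connections once the
table is full, so an overloaded filter fails closed instead of open.
Addresses, ports and the Packet layout are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    flags: str = ""             # "SYN", "SYN-ACK", "ACK", "FIN", "RST" or ""
    direction: str = "ingress"  # "ingress" (from the Internet) or "egress"


class StatefulFirewall:
    def __init__(self, internal_prefix="10.0.0.", max_connections=1000):
        self.internal_prefix = internal_prefix   # hypothetical internal range
        self.max_connections = max_connections
        # Entries are (inside_ip, inside_port, outside_ip, outside_port, proto).
        self.connections = set()
        self.log = []

    def _is_internal(self, ip):
        return ip.startswith(self.internal_prefix)

    def handle(self, pkt):
        """Return "pass" or "drop" for one packet and update the table."""
        if pkt.direction == "egress":
            if not self._is_internal(pkt.src_ip):
                # Spoofed source: an egress packet must come from inside.
                self.log.append(f"DROP egress with outside source {pkt.src_ip}")
                return "drop"
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
            if key not in self.connections:
                if len(self.connections) >= self.max_connections:
                    # Table full: fail closed rather than let traffic through.
                    self.log.append(f"DROP overload, new flow {key}")
                    return "drop"
                if pkt.proto != "tcp" or pkt.flags == "SYN":
                    self.connections.add(key)   # UDP: first packet opens the flow
                else:
                    self.log.append(f"DROP egress tcp without SYN {key}")
                    return "drop"
            elif pkt.flags in ("FIN", "RST"):
                self.connections.discard(key)   # simplistic teardown
            return "pass"

        # Ingress: pass only if it is the reverse of a known connection.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if key in self.connections:
            if pkt.flags in ("FIN", "RST"):
                self.connections.discard(key)
            return "pass"
        self.log.append(
            f"DROP unsolicited {pkt.proto} {pkt.src_ip}:{pkt.src_port} "
            f"-> {pkt.dst_ip}:{pkt.dst_port} flags={pkt.flags or '-'}")
        return "drop"


def demo():
    """Constructed traffic: one web session, a probe, and an overload."""
    fw = StatefulFirewall(max_connections=1)
    verdicts = []
    # Inside host opens HTTPS to an outside server and the reply comes back.
    verdicts.append(fw.handle(Packet("10.0.0.5", 40000, "198.51.100.7", 443,
                                     flags="SYN", direction="egress")))
    verdicts.append(fw.handle(Packet("198.51.100.7", 443, "10.0.0.5", 40000,
                                     flags="SYN-ACK")))
    # Outside scanner probes SSH on the inside host: no table entry, dropped.
    verdicts.append(fw.handle(Packet("192.0.2.9", 5555, "10.0.0.5", 22, flags="SYN")))
    # A second new flow while the (tiny) table is full is dropped, not passed.
    verdicts.append(fw.handle(Packet("10.0.0.6", 40001, "198.51.100.7", 443,
                                     flags="SYN", direction="egress")))
    return verdicts, fw.log


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The point to take from the toy: the verdict for an inbound packet depends on state the firewall built from earlier outbound packets, not on the packet alone, which is what a static packet filter cannot do. A production SPI engine also tracks TCP sequence numbers, times out idle entries and handles related flows (FTP data channels, ICMP errors); none of that is modelled here.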
Percy Jacob Rwandarugali says
February 16, 2020 at 12:26 pm
In this reading, it was enlightening to me that firewalls can self-destruct if flooded with packets; for instance, as mentioned in the book, if a firewall becomes overloaded with traffic, it will drop packets it cannot process. By doing this, it creates a self-inflicted denial-of-service attack against the firm. Therefore, it is critical for firms to purchase firewalls with sufficient processing power to handle the traffic they will have to examine. I also learned that there are two types of firewalls: there is the border firewall, which sits at the boundary between the corporate site and the external internet, and an internal firewall that filters traffic passing between different parts of the site's internal network. Network packets coming into the network from the internet are called ingress packets while those going out are called egress packets.
Natalie Dorely says
February 16, 2020 at 5:46 pm
This is amazing, as I was not aware of the possibility of firewalls self-destructing through an overflow of packets. It’s interesting how even when something is meant to serve a good purpose, it’s still important to know how to mitigate the risk of something going wrong with that defense system as well.
Sarah Puffen says
February 18, 2020 at 11:37 am
I thought this was interesting as well. At first when I read that a firewall self-destructing is considered a fail-safe I was initially perplexed, but it does make sense. Too much force applied to a network causing it to drop everything is much better than force being applied and letting everything flood through. However, ideally we would like to avoid ever having to experience a network using a fail-safe in this way.
February 19, 2020 at 12:53 pm
I like your perspective on this, especially when you point out that "Too much force applied to a network causing it to drop everything is much better than force being applied and letting everything flood through."
I believe this would call for security engineers to procure a firewall sufficient to manage their traffic to avoid self-destruction.
Imran Jordan Kharabsheh says
February 16, 2020 at 12:44 pm
As I was reading through chapter 6 of the "Corporate Computer Security" textbook, which emphasized the characteristics, appropriate circumstances for implementation, and the function of firewalls, I learned a great deal regarding the architectures that organizations implement in order to have multiple layers of security leading up to internal servers. Among the more interesting aspects of the multi-homed architecture demonstrated in the textbook that I wished to learn more about was the Demilitarized Zone (DMZ). From what I gathered, the DMZ serves the function of being an additional layer of security and the bridge between external connections coming from the internet and internal resources. The DMZ is the only part of the network architecture that can be directly accessed by external users over the internet, hosting the organization's public-facing application servers and the DNS servers (which are each protected by their own proxy firewalls). While some of the applications placed in the DMZ might have direct access to sensitive servers on the internal network, that access is strictly controlled and limited upon implementation.
Akshay Shendarkar says
February 16, 2020 at 9:23 pm
You have summarized well the advantages a multi-homed firewall brings by creating different zones, one of which is the DMZ. The greatest advantage of this feature is that firewall admins can set up policies where traffic coming from the internet is allowed to enter only those systems which fall under the DMZ. Not only does it add another layer of security, but also, in case there is a cyber attack, it is limited to one particular zone or system. Further supporting the DMZ are application-based firewalls on every server, which filter traffic on the basis of the services being provided by the server. The only downside is that the configurations can become extremely complex when certain servers which fall in the DMZ need to access IT components which fall in zones other than the DMZ.
Alexander Reichart-Anderson says
February 18, 2020 at 11:38 am
Hi Imran, I am pleased to know that another student finds the firewall structure fascinating and interesting along with me! I always look at MIS in terms of an architect. MIS should be looked at like this because of how information assets, security measures, and users fit into the overall bigger picture. Firewalls specifically come into play under the security measures. My curiosity takes over when I investigate which types of firewalls should go where and how firewall placement could have up and downstream effects for all stakeholders.
February 19, 2020 at 12:41 pm
As you mention in your post, "the DMZ serves the function of being an additional layer of security and the bridge between external connections coming from the internet to internal resources."
Additionally, I think you can place a firewall between the DMZ for an extra layer of security in case you have highly sensitive/classified data.
Numneung Koedkietpong says
February 16, 2020 at 1:52 pm
This chapter is about firewalls. The chapter provides information about various types of firewalls and how they work differently. One key point that I took from this chapter is firewall management. Although organizations can use firewalls to protect against and detect cyber-attacks, it is important to consider defining firewall policies and putting safeguard controls in place related to firewalls, such as firewall hardening, testing firewall configuration, firewall change management and restricting authorization. Additionally, reviewing logs is another key point for detecting suspicious traffic patterns. To summarize, there are three main steps: planning, implementation, and monitoring.
February 16, 2020 at 8:46 pm
Good point, Num.
A key idea to be remembered is that firewalls and antivirus filtering services work together closely. Example: when a packet arrives at a firewall, the firewall will check its policy rule base, and if the rule for this type of object is to pass the object to an antivirus server, the firewall will do so. This will enable the server to examine the object and search for worms, trojan horses, spam, phishing, rootkits, malicious scripts, and other malware. The object is returned to the firewall to be passed on after filtering, or the antivirus server passes on the object to the receiver by itself.
February 16, 2020 at 5:42 pm
A key takeaway that I found interesting from this chapter is that there are different types of firewalls that all function differently. Even though the main purpose of firewalls is to help mitigate risks and prevent threats from infecting the system, each type of firewall functions differently. Honestly, this was not something I was aware of before, as I thought there was one type of firewall that served a general purpose. This is great because a variety of firewalls allows a myriad of opportunities for outside threats to not successfully break through, as the firewalls are tailored to fight against many different attacks.
Peiran Liu says
February 18, 2020 at 12:09 pm
Thank you for pointing out the different types of firewalls. With different firewalls, companies can defend against different types of attacks. A general-purpose firewall could also work, but it will cost more and might not be as secure as a single-purpose firewall.
February 19, 2020 at 12:47 pm
I had the same thought about firewalls as well; it was surprising for me when I read it.
Notably, there are also different firewall architectures that can be used for different purposes within the network, for instance: bastion hosts, dual-homed firewall, screened host and screened subnet.
February 16, 2020 at 8:14 pm
A key fact to be remembered in this chapter is about Unified Threat Management.
Unified Threat Management can be described as an approach to information security where a single hardware or software application provides multiple security functions like intrusion prevention, network firewall, gateway anti-virus, application layer firewall and control, deep packet inspection, web proxy and content filtering, email filtering, data loss prevention, VPN, network tarpit. UTM simplifies information security management by providing a single management and reporting point for the security administrator rather than managing multiple products from different vendors.
However, UTM introduces a single point of failure within IT infrastructure. Also, the UTM approach may go against one of the basic information assurance/security approaches of defense in depth which provides multiple security products with different security management techniques.
February 16, 2020 at 9:39 pm
You have rightly pointed out the various security functionalities provided by UTM devices. However, there are several shortcomings apart from being a single point of failure. In the practical world, even though UTM devices are capable of multiple tasks, most vendors of these devices will excel in one while falling short in other functionalities. Also, considering the amount of processing a UTM does for every packet across multiple inspections, not only does it suffer low performance during phases of heavy traffic, but it also causes delays or even packet drops. Despite these shortcomings they are still popular, as they are used in conjunction with border firewalls to reduce the load on the main firewall as well as provide a means for defense in depth.
February 16, 2020 at 9:32 pm
This chapter gave a very detailed explanation of the various uses, services and features as well as the evolution of the firewall in the IT security world. This was exemplified by the article detailing the latest Windows host-based firewall. This firewall not only provides different layers of security depending upon which network the user is connected to, but also provides a feature where the user gets multiple security options depending upon his location, e.g. coffee shop, home, office environment. This firewall also provides integration with Active Directory services; hence management of the firewall policy can be done by the security administrator for one centralized group under which this user falls. Not only does it provide centralized management of policies, custom groups can be created for specific users for whom specific security rules need to be set. This greatly reduces manual labor, as users don't need to be given individual security policies. These latest features go on to show the evolution in firewall technology from its primitive days when its main function was to perform only packet filtering.
February 17, 2020 at 3:14 am
I agree with your point regarding the differences and advantages of host-based firewalls over network-based firewalls. I just wanted to add a few features of host-based firewalls. Traditional network-based firewalls are hardware based, but host-based firewalls are software based; a network firewall doesn't know about the vulnerabilities on a machine, and a host-based firewall is best for providing security for the end system's OS. However, host-based firewalls alone may not be enough for larger networks; in this case, both host- and network-based firewalls should be implemented to meet the security requirement.
Christopher James Lukens says
February 16, 2020 at 9:54 pm
One section of chapter six that I find important is firewall management. Without proper firewall management, firewalls seem like they are effective but in reality aren't necessarily stopping certain attacks and aren't as effective as they could be. Proper firewall management starts back at the policy level to define how the engineers should implement the firewall to ensure proper usage. Each policy gets translated into an access control list rule that correlates back to the defined policy. After the firewall is configured there needs to be firewall testing to make sure the firewall is blocking the correct traffic and no vulnerabilities are left exposed. After testing is done, firewall logs need to be monitored and analyzed to make sure the administrator is aware of the traffic and no anomalies occur undetected.
February 17, 2020 at 3:26 am
You made good points regarding firewall management. While firewalls are used to prevent security breaches, if they aren't configured and used properly, they may become a major vulnerability for a network system. In addition to your points, policy auditing, patching and updates, maintenance activities, and rule updates should also be performed regularly to ensure the firewall is operating effectively as network usage increases and new features are added.
February 16, 2020 at 10:43 pm
The firewall passes any unprovable packets. This means that suspicious packets may also pass through the firewall. This is a weakness of the firewall and requires special attention. In egress filtering, the firewall filters packets leaving the network. This prevents the reply to the probe packet from leaving the network. The egress filter may even prevent employees and compromised hosts from sending documents containing the company's intellectual property out of the company. Egress filter: run an access control list on the firewall to block all outgoing traffic, and then allow only traffic that is permitted by the company's security policy.
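The egress rule base just described (deny everything outbound, then permit only what policy allows), together with the rule-ordering advice in Junjie Han's comment near the top of the thread (hot rules first, rules checked for health), as an added example that is not code from the textbook or from anyone in this thread. It evaluates a first-match ACL with an implicit deny, keeps a per-rule hit counter for ordering and audit, and detects shadowed rules, i.e. a rule that can never fire because an earlier, broader rule always matches first. The `Rule` class, the `10.0.0.0/8` site, the mail-relay address and every rule comment are constructed for illustration.

```python
"""Toy first-match access control list (ACL) for an egress filter.

Added example (not from the textbook or the thread above). It shows the
default-deny egress rule base (block all outbound traffic, then permit
only what policy allows), the first-match evaluation that makes rule
order matter, and a check for shadowed rules that can never fire.
Addresses, ports and rule comments are constructed for illustration.
"""
import ipaddress

ANY = "any"


class Rule:
    def __init__(self, action, src=ANY, dst=ANY, proto=ANY, dport=ANY, comment=""):
        assert action in ("permit", "deny")
        self.action = action
        self.src = None if src == ANY else ipaddress.ip_network(src)
        self.dst = None if dst == ANY else ipaddress.ip_network(dst)
        self.proto = proto
        self.dport = dport
        self.comment = comment      # documents why the rule exists
        self.hits = 0               # hit counter for ordering and audit

    def matches(self, pkt):
        if self.src is not None and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.proto != ANY and self.proto != pkt["proto"]:
            return False
        if self.dport != ANY and self.dport != pkt.get("dport"):
            return False
        return True

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        def net_covers(mine, theirs):
            if mine is None:
                return True
            if theirs is None:
                return False
            return theirs.subnet_of(mine)
        return (net_covers(self.src, other.src)
                and net_covers(self.dst, other.dst)
                and (self.proto == ANY or self.proto == other.proto)
                and (self.dport == ANY or self.dport == other.dport))


def evaluate(rules, pkt):
    """First match wins; anything unmatched hits the implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            rule.hits += 1
            return rule.action, rule.comment
    return "deny", "implicit deny (nothing permitted this flow)"


def shadowed(rules):
    """Return (shadowed_comment, shadowing_comment) pairs for dead rules."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if earlier.covers(later):
                found.append((later.comment, earlier.comment))
                break
    return found


def build_egress_policy():
    """Constructed egress rule base for a hypothetical 10.0.0.0/8 site."""
    return [
        Rule("deny", src="10.0.0.0/8", dst="192.0.2.0/24",
             comment="never talk to the blocked range"),
        Rule("permit", src="10.0.0.0/8", proto="tcp", dport=443,
             comment="HTTPS out (hottest rule, kept near the top)"),
        Rule("permit", src="10.0.1.25/32", proto="tcp", dport=25,
             comment="only the mail relay may send SMTP"),
        # Everything else, e.g. a workstation sending SMTP or a reply to an
        # outside probe, falls through to the implicit deny.
    ]


if __name__ == "__main__":
    policy = build_egress_policy()
    pkt = {"src": "10.0.0.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 25}
    print(evaluate(policy, pkt))          # workstation SMTP: ('deny', 'implicit deny ...')
    print("shadowed:", shadowed(policy))  # []
```

Two practical notes. The deny for the blocked range sits above the HTTPS permit on purpose: swap them and the deny is shadowed for port 443, which `shadowed()` reports. Reordering rules by hit count, as the speed advice suggests, is only safe between rules whose match sets are disjoint; run the shadow check again after every reorder.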
February 16, 2020 at 11:52 pm
While going through Chapter Six of Boyle and Panko on Firewalls, I was intrigued by the overall complexity and diversity of firewalls. There are several types of firewalls with different capabilities and specifications. The one aspect that truly pulled me in was packet filtering and inspecting. Firewalls examine and inspect the "packets" of files, data, and information that cross their boundary. This is a very necessary and important feature to ensure the security of those information assets and their users. The security of firewalls follows many different standards including encryption and password protection.
February 18, 2020 at 12:55 am
I enjoyed reading through your thoughts on what you found most intriguing from chapter 6 of the Corporate Computer Security textbook, as it helped generalize some of the major concepts that were covered. Going off of what you said, I found that among the more interesting ways that firewalls examine and inspect the data passing through them is ingress and egress filtering. It's also important to note that organizations often place various specialized firewalls leading into all of their network resources.
February 16, 2020 at 11:58 pm
One key takeaway from this chapter is that efficient planning and constant management is the only way to have an effective firewall. Policies must be defined, and implementation (and vulnerability testing) can be determined based off a given policy. A crucial aspect of understanding the threat environment is reading the firewall logs to find any unusual patterns in traffic. This should be done at least daily, if not a couple times a day, by the firewall admin in order to successfully maintain the firewall and keep up with any new threats.
February 17, 2020 at 10:57 am
I agree with you. Firewall policy is very important to consider as the first step in implementing it. In this way, it helps to configure the firewall settings appropriately. Also, reviewing firewall logs is another good point for detecting malicious traffic and learning the pattern of attacks.
February 17, 2020 at 12:09 am
One key point I want to mention is NAT, network address translation. Network address translation is a method of remapping one IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. It is a way to provide companies more IP addresses to use. In companies, besides giving more IP addresses, a NAT firewall can also provide protection when hackers from the outside try to track back to the user by using the IP address. When the hacker traces to the company's IP address, the NAT firewall will block it and the user will be safe.
February 18, 2020 at 11:45 am
I think Network Address Translation has potential issues with security and congestion too. Thousands of people can still surf behind one public IP address behind the enterprise firewall, but it would deny the enterprise visibility regarding the experience of their users.
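The header rewriting that the two NAT comments above describe, as an added example that is not code from the textbook or from anyone in this thread: a toy source NAT (port address translation) that maps each inside address/port to the router's single public address and a fresh public port, rewrites replies back, drops inbound packets with no mapping, and drops new outbound flows once its port pool is exhausted (the congestion case). The `NatRouter` class and all addresses are constructed (RFC 1918 space inside, RFC 5737 documentation ranges outside).

```python
"""Toy source NAT (port address translation) on a border router.

Added example (not from the textbook or the thread above). Outbound
packets get their private source address and port rewritten to the
router's one public address and a fresh public port; the mapping is
stored so inbound replies can be rewritten back; inbound packets with
no mapping are dropped, which is why an outside host cannot address a
private host directly. Addresses are constructed (RFC 1918 inside,
RFC 5737 documentation ranges outside).
"""


class NatRouter:
    def __init__(self, public_ip, first_port=49152, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        # (public_port, proto) -> (private_ip, private_port)
        self.table = {}
        # (private_ip, private_port, proto) -> public_port
        self.reverse = {}
        self.log = []

    def outbound(self, pkt):
        """Rewrite an inside->outside packet; None means dropped."""
        key = (pkt["src"], pkt["sport"], pkt["proto"])
        pub_port = self.reverse.get(key)
        if pub_port is None:
            if self.next_port > self.last_port:
                # Port pool exhausted: the congestion case from the comment.
                self.log.append(f"DROP no free public port for {key}")
                return None
            pub_port = self.next_port
            self.next_port += 1
            self.table[(pub_port, pkt["proto"])] = (pkt["src"], pkt["sport"])
            self.reverse[key] = pub_port
        return {**pkt, "src": self.public_ip, "sport": pub_port}

    def inbound(self, pkt):
        """Rewrite an outside->inside packet; None means dropped."""
        if pkt["dst"] != self.public_ip:
            return None
        entry = self.table.get((pkt["dport"], pkt["proto"]))
        if entry is None:
            self.log.append(
                f"DROP unsolicited {pkt['src']}:{pkt['sport']} -> :{pkt['dport']}")
            return None
        priv_ip, priv_port = entry
        return {**pkt, "dst": priv_ip, "dport": priv_port}


def demo():
    """Constructed flows: a web fetch, its reply, and an outside probe."""
    nat = NatRouter("203.0.113.1", first_port=50000, last_port=50001)
    out = nat.outbound({"src": "10.0.0.5", "sport": 40000,
                        "dst": "198.51.100.7", "dport": 80, "proto": "tcp"})
    back = nat.inbound({"src": "198.51.100.7", "sport": 80,
                        "dst": "203.0.113.1", "dport": out["sport"], "proto": "tcp"})
    probe = nat.inbound({"src": "192.0.2.9", "sport": 4444,
                         "dst": "203.0.113.1", "dport": 22, "proto": "tcp"})
    return out, back, probe, nat


if __name__ == "__main__":
    out, back, probe, nat = demo()
    print("outbound rewritten to", out["src"], out["sport"])
    print("reply delivered to", back["dst"], back["dport"])
    print("probe result:", probe, "|", nat.log)
```

Caveat worth keeping in mind when reading the comment above: this mapping is keyed only on the public port, so any outside host that guesses an in-use port reaches the inside host; a real translator also keys on the remote endpoint and expires idle entries, and even then NAT hides addresses rather than enforcing policy, so it complements, and does not replace, the stateful filter.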