
SEC 3302, Advanced IS Security 1

Course Learning Outcomes for Unit V

Upon completion of this unit, students should be able to:

1. Analyze access controls used to secure information systems (IS).
1.1 Assess the effectiveness of an intrusion detection system (IDS).
1.2 Explain the use of a firewall.

4. Evaluate the use of auditing tools.

4.1 Identify information that can be discovered during an IS audit.
4.2 Discuss common types and uses of auditing tools.

Required Unit Resources

Chapter 6: Firewalls

In order to access the following resource, click the link below. You can access the transcript for the video by
clicking on the three dots below the video on the right, then clicking “Open transcript.”

Professor Messer. (2021). Firewalls – SY0-601 CompTIA Security+ : 3.3 [Video]. YouTube.

https://www.youtube.com/watch?v=qLb2ioDBofg

Unit Lesson

Firewall Security

In our last lesson, we covered the transmission of data across the organization. As we found, there are
constant transactions associated with each functional area of an organization. A firewall applies a test to
each incoming packet known as the pass/deny decision: if the packet is a provable attack packet, the firewall
drops it; otherwise it is allowed to pass. This summary is, of course, a very simplified rendition of a
nuanced process with many moving parts.

For security, outgoing as well as incoming packets must be filtered. Why? Consider the possibility that
something malicious has infiltrated the network and is sending packets out. We would not want that malicious
traffic to be passed along to its intended destination. Filtering incoming packets is known as ingress
filtering, and filtering outgoing packets is known as egress filtering.

Because a firewall will pass along any packet that is not considered a provable attack packet, some
malicious code may get through occasionally. Therefore, we need to harden the targets, making them less
attractive by making them more difficult to access. Essentially, hardening refers to layered measures that
tighten security. Networks, systems, firewalls, and hardware can all be hardened in various ways.

UNIT V STUDY GUIDE
Firewalls


Firewalls provide protection for data on systems and computers, and they make it more difficult for
hackers to access the data or insert malware into computers. Scanning, such as is being done by the man in
the photo above, is one way of ensuring that malware does not make it into your computer and cause issues
with your data.

(Rawpixelimages, n.d.)

Firewall Overload

Earlier in the course, we reviewed denial-of-service (DoS) attacks. As we found, a DoS attack occurs when
the network becomes overloaded due to outside attacks, which can halt operations. You can imagine that the
system and network are in good shape on Sunday; then on Monday employees start complaining that database
errors are displaying when they try to open a form. It then gets worse, to the point that users can no
longer log in to the system. At this point, the network and database have reached capacity and are
overloaded.

This raises an interesting problem related to the concept of firewall capacity. A company must carefully
consider how much firewall capacity it will require, with an eye toward inevitable increases in traffic as the
firm grows. In addition to normal traffic, firewall administrators will discover new threats and develop new
filtering rules as time passes. Processing work per packet will increase because of these additional rules.
Further, attacks will increase traffic, and the firewall must be able to accommodate the surge without
becoming overwhelmed.

It should be clear already that firewall issues must be carefully managed. It is a mistake to solely focus
on any one area at the expense of the others because that can lead to weaknesses in areas that have
been neglected.

Firewall Filtering Methods

Filtering is a blanket term for a variety of different methods of examining packets. The textbook discusses the
most common filtering methods:

• stateful packet inspection filtering,
• static packet filtering,
• network address translation,
• application proxy filtering,
• intrusion prevention system filtering, and
• antivirus filtering.

While we will discuss some of these methods in the remainder of this lesson, it is important to read Chapter 6
in your textbook to understand all of these filtering methods in detail.

Also keep in mind that, while almost all main border firewalls use stateful packet inspection (SPI) as their
primary inspection mechanism, some of the other filtering mechanisms featured in the chapter reading are
used as supplements (Boyle & Panko, 2021).

The most common filtering mechanism used by main border firewalls in modern corporations is stateful
packet inspection (SPI). Whereas other filtering mechanisms may look at a single packet and try to diagnose
if it is a bad packet, SPI will look at the state of the connection as a whole. Let’s think of it as a constant
conversation between two computers utilizing a program.

At any given time, a connection is in one of several states, such as the opening state or the ongoing
communication state. The firewall examines the connection and its current state to determine which
application is sending the packet, what the packet is attempting to accomplish, and which rules apply to
the interaction.

Some packets try to open a connection, while others attempt to use an approved connection. There are many
different conditions and firewall rules which need to be met that will determine if the packet is okay to be
transmitted or not. Many of these conditions are covered in Chapter 6 of your textbook, which is this unit’s
required reading.

Access Control List (ACL)

Another important concept in firewall security is the ACL. The default behavior of SPI firewalls will protect the
system during connection-opening attempts, yet there will always be some exceptions to the rule where
default behavior must be superseded. This is where the ACL will come into play.

For example, some website monitoring software has blacklists and whitelists. Blacklists will automatically
block a website, while whitelists will automatically allow a website through. For instance, your company may
block (blacklist) all Internet Protocol (IP) addresses that are based in China. However, you may want to
evaluate the software of a company based in China. If so, the software company gives you an IP address that
you need to connect to in order to download their software. The network administrator can add the specific IP
address to the whitelist. Most organizations have an approval process for adding an IP address to the
whitelist. Many times, the approval is only temporary.

Along this same line, ACLs have rules that are exceptions to normal firewall rules. As an example, your
general rule may be to deny external connection-opening requests. The ACL may provide a rule that the
connection will be allowed if a specific port is involved.
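The SPI connection-state logic and the ACL port exception described above, as an added illustration that is not part of the study guide or its textbook. It assumes a constructed internal network prefix of "10." and constructed documentation-range addresses; connection-opening packets are modelled by a single `syn` flag.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A TCP packet reduced to the fields a stateful firewall keys on."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool  # True for a connection-opening packet (TCP SYN)


class SpiFirewall:
    """Toy stateful packet inspection firewall with an ACL for exceptions.

    Default policy: internal hosts may open connections outward; external
    connection-opening attempts are denied unless the ACL allows the port.
    """

    def __init__(self, internal_prefix, acl_allowed_ports=()):
        self.internal_prefix = internal_prefix       # e.g. "10." (constructed)
        self.acl_allowed_ports = set(acl_allowed_ports)
        self.connections = set()                     # approved open connections

    def _is_internal(self, ip):
        return ip.startswith(self.internal_prefix)

    def decide(self, pkt):
        """Return "pass" or "drop" for one packet, updating connection state."""
        forward = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # Ongoing state: either direction of an approved connection passes.
        if forward in self.connections or reverse in self.connections:
            return "pass"
        # Not connection-opening and not in the table: nothing approved it.
        if not pkt.syn:
            return "drop"
        # Opening state: internal hosts may initiate by default.
        if self._is_internal(pkt.src_ip):
            self.connections.add(forward)
            return "pass"
        # External opening attempt: allowed only by an ACL port exception.
        if pkt.dst_port in self.acl_allowed_ports:
            self.connections.add(forward)
            return "pass"
        return "drop"
```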

Network Address Translation (NAT)

The filtering methods we are looking at in this unit each have a different way of making the pass/deny
decision for the packets they encounter. In contrast, the NAT method does not actually filter packets, yet it
still provides good protection, usually as a secondary measure.

NAT provides another layer of protection where attackers attempt to gather information about a corporate
network. Many times, this gathering expedition uses a tool known as a sniffer. The sniffer is placed outside
the corporate network and attempts to gather IP addresses and port information. After gaining this information,
the attacker can send attack packets to those addresses and port numbers. One benefit of using NAT is its
ability to hide an internal network's IP addresses and network design, which reduces the risk of outsiders
gaining that information and using it to access the network (Dubrawsky, 2010). The graphic below shows a
systematic approach: gather the IP address, map the IP address, and then translate the group of devices.

(Yangliy, 2009)

NAT works by replacing the internal source IP address and port number in outgoing packets with substitute
(external) values. While that may sound satisfying enough, it raises a question: how will a returning response
packet know where to go? The answer is that NAT keeps a translation table in which the original and substitute
information are stored, so each response can be mapped back to the internal host that sent the request.
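The translation table just described, as an added illustration that is not part of the study guide. It assumes a constructed public address for the NAT device and constructed internal hosts; note that a reply with no matching table entry has nowhere to go, which is the protective side effect the lesson mentions.

```python
class Nat:
    """Toy port-based NAT: rewrites outbound source addresses and keeps a
    translation table so that replies can be routed back to the right host."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip          # constructed address of the NAT device
        self.next_port = first_port
        # (internal_ip, internal_port, dst_ip, dst_port) -> public source port
        self.table = {}
        # (public_port, remote_ip, remote_port) -> (internal_ip, internal_port)
        self.reverse = {}

    def outbound(self, pkt):
        """Translate a packet leaving the internal network; pkt is a dict."""
        key = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
        if key not in self.table:
            public_port = self.next_port
            self.next_port += 1
            self.table[key] = public_port
            self.reverse[(public_port, pkt["dst_ip"], pkt["dst_port"])] = (
                pkt["src_ip"], pkt["src_port"])
        # The outside world only ever sees the NAT device's address and port.
        return {**pkt, "src_ip": self.public_ip, "src_port": self.table[key]}

    def inbound(self, pkt):
        """Translate a reply arriving from outside, or return None when no
        internal host asked for it (unsolicited packets have no table entry)."""
        key = (pkt["dst_port"], pkt["src_ip"], pkt["src_port"])
        if key not in self.reverse:
            return None
        internal_ip, internal_port = self.reverse[key]
        return {**pkt, "dst_ip": internal_ip, "dst_port": internal_port}
```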

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)

Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are very important tools for the
information technology (IT) network security administrator. An IDS monitors network traffic, that is, packets,
looking for anything suspicious. This is important because, as we discussed, firewalls will only stop provable
attack packets. Logging suspicious activities that get past the firewall is a good way to provide some
additional security. Security professionals can configure which activity is serious enough to prompt an alert
to someone. These rules can be adjusted as needed.


Graphic depiction of a host-based intrusion detection system

(adapted from Rkouere, 2016)

The figure above shows the internet, the firewall, and the devices on the network. The IDS monitors the
transactions that flow past the firewall and notifies the IT group of suspicious activity.

So, what is the difference between a firewall and an IDS? A firewall drops a packet that is deemed to be an
attack packet. An IDS identifies suspicious packets, which may or may not be actual attack packets. Firewalls
keep logs as well, but an IDS is a more fully developed tool for this purpose.

One problem for an IDS is that there is a lot of information coming across the network. As a security
professional, you want the right amount of information—not too much or too little. Secondly, an IDS can
generate a lot of false positives, and security personnel may start to tune them out after a while. Furthermore,
an IDS can be labor-intensive in terms of processing. Multiple tools monitoring your networks and systems
can result in latency and lag.

IPS filtering is an extension of the IDS tools. An advantage of IPS is that it will actually stop some attacks,
rather than just generating alarms. The IPS acts like a firewall in that it will drop attack packets. The IPS
will also limit suspicious traffic; this way, DoS attacks are less likely to occur. Different packages have
different capabilities.

Some IPS tools can block certain logins under certain conditions. In other words, a login attempt may have
to wait a certain amount of time before it can be tried again. This is effective because thieves generally
look for easy targets. Give them too much grief, and they will go elsewhere. It is also helpful to note that
there are many different types of firewall architectures and ways to set up firewalls. The choice really
depends on your business and its needs.
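The login-blocking behaviour described above, as an added illustration that is not part of the study guide. It runs over a constructed authentication log (the line format is invented for this example) and shows the tuning knobs, threshold and window, that the IDS false-positive discussion refers to.

```python
import re
from collections import defaultdict, deque

# Constructed sample log: "<epoch> <FAIL|OK> user=<name> src=<ip>".
SAMPLE_LOG = [
    "100 FAIL user=alice src=203.0.113.9",
    "110 FAIL user=alice src=203.0.113.9",
    "120 FAIL user=alice src=203.0.113.9",
    "130 OK user=alice src=203.0.113.9",
    "200 FAIL user=bob src=198.51.100.4",
    "500 OK user=alice src=203.0.113.9",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")


def apply_login_policy(lines, threshold=3, window=60, lockout=300):
    """Decide, per login event, whether an IPS would let it through.

    After `threshold` failures from one source within `window` seconds, the
    source is locked out for `lockout` seconds; attempts in that period are
    rejected even if the credentials are correct. Returns (ts, src, decision).
    """
    recent_failures = defaultdict(deque)   # src -> timestamps of recent FAILs
    blocked_until = {}                      # src -> epoch when lockout expires
    decisions = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                        # malformed line: skip, do not guess
        ts, src = int(m["ts"]), m["src"]
        if ts < blocked_until.get(src, 0):
            decisions.append((ts, src, "blocked"))
            continue
        if m["result"] == "FAIL":
            q = recent_failures[src]
            q.append(ts)
            while q and ts - q[0] > window:  # forget failures outside the window
                q.popleft()
            if len(q) >= threshold:
                blocked_until[src] = ts + lockout
                q.clear()
                decisions.append((ts, src, "lockout"))
                continue
        decisions.append((ts, src, "allowed"))
    return decisions
```

Raising `threshold` or shrinking `window` trades fewer false lockouts for slower reaction, which is the same tuning trade-off the IDS discussion describes.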


Demilitarized Zones (DMZ)

A popular tactic is to set up a DMZ, which is a subnet that houses all of your outwardly facing servers.
Outwardly facing means that they must be reachable from outside the network.

Part of firewall management involves strategically planning how to configure your firewall so that it meets the
needs of your business and your systems. Sufficient policies have to be developed to guide an adequate
security implementation. A good security policy might be to require that any external HTTP connections have
to go through the DMZ.

Adapted from DMZ Network Diagram, by S. Viento, 2007, Wikimedia Commons
(https://commons.wikimedia.org/wiki/File:DMZ_network_diagram_2.png). In public domain.

As you can see in the figure above, web and email traffic from the internet arrives at the firewall before
being relayed to the internal computers and devices. Therefore, it is extremely important to have a secured
and up-to-date firewall configuration at these entry points.

Wrapping Up

Firewalls guard site networks and can be utilized to provide a great deal of protection. While they traditionally
provided ingress filtering to stop attack packets, they also provide egress filtering to prevent outgoing
attacks. Many filtering mechanisms are utilized when setting up a firewall, such as SPI, ACLs, NAT, IDSs, and
IPSs, each of which has different capabilities. Businesses setting up firewall security need to assess their
systems and determine what will best protect them from attacks.

References

Boyle, R. J., & Panko, R. R. (2021). Corporate computer security (5th ed.). Pearson.
https://online.vitalsource.com/#/books/9780135823354

Dubrawsky, I. (2010). Networking. In C. Walls (Ed.), Embedded software (2nd ed., pp. 287–335).
https://www.sciencedirect.com/science/article/pii/B9780124158221000088


Rawpixelimages. (n.d.). Data file protection firewall malware removal concept (ID 79513723) [Photograph].
Dreamstime. https://www.dreamstime.com/stock-photo-data-file-protection-firewall-malware-removal-concept-people-using-image79513723

Rkouere. (2016, January 5). Host based intrusion detection system [Graphic]. Wikimedia Commons.
https://commons.wikimedia.org/wiki/File:Host_based_intrusion_detection_system.png

Viento, S. (2007). DMZ network diagram 2 [Graphic]. Wikimedia Commons.
https://commons.wikimedia.org/wiki/File:DMZ_network_diagram_2.png

Yangliy. (2009, May 1). Network address translation (file 2) [Graphic]. Wikimedia Commons.
https://commons.wikimedia.org/wiki/File:Network_Address_Translation_(file2).jpg
