Abstract - Regis Universityacademic.regis.edu/cias/ia/madhu_ARN_Security_Policy... · Web view......

Security Policy Project Thesis

REGIS UNIVERSITY

Academic Research Network Security Policy

Project Thesis

By:

Madhu Akkihebbal Networking Team, SEAD-2005A MSCIT Program

Project Advisor: Daniel Likarish

June 28, 2005

Madhu Akkihebbal 1


Certificate of Authorship

I, hereby certify that all matter presented in this paper are a result of my own research

from various sources such as white papers, research papers, product materials, and

presentation articles.

All the reference material has been listed in the section ‘Bibliography’ and I am

thankful to various authors and subject matter experts for sharing their findings and

knowledge through their papers and other publications.

Madhu AkkihebbalName Signature Date

Madhu Akkihebbal 2


Acknowledgements

First, I would like to fervently thank My Lord & Almighty for giving me the strength to take up this Masters Degree course and complete it.

My wife, Sumana Madhu - your encouragement and support enabled me to pursue this program.

My 7-year-old son, Shashank Madhu – you cooperated throughout the course and cheered me towards completion. I owe you a big one!

My parents, Mangala and AnanthRamiah Akkihebbal - your blessings and sacrifice helped me reach my goal in life.

My Advisor, Dan Likarish – your timely guidance and support helped me in this project work.

Madhu Akkihebbal 3


Advisor Approval Page

Regis UniversitySchool for Professional StudiesMSCIT Program

Student’s Name: ___________________________

Professional Project Title: ____________________

Advisor’s Declaration: I have advised this student through the Professional Project Process and approve of the final document as acceptable to be submitted as fulfillment of requirements for the MSC 696A, 696B and 696C courses. The student has received project approval from Advisory Board and has followed due process in the completion of the project and subsequent documentation.

ADVISOR

Name Signature Date

Madhu Akkihebbal 4


Project Paper Revision HistoryVersion Submitted On Comments1.0 Draft A 27 March 2005 Initial Draft for Review2.0 18 May 2005 -Updated with comments

from Dan-Modified the title of the project paper to reflect the research focus – Security Policy-Added a section on the evaluation of Cisco PIX 501 (Appendix B)-Added a section on ‘Brief History of Firewall Implementations in the RU ARN’

3.0 04 June 2005

18 June – 27 June 2005

- Security Policy Framework introduced.

- Added new sections related to Security Policy.

- Paper Finalization.

Table Of Contents:

Madhu Akkihebbal 5


Project Thesis..................................................................................................1Certificate of Authorship.................................................................................2Acknowledgements.........................................................................................3Advisor Approval Page...................................................................................4Project Paper Revision History.......................................................................5Abstract...........................................................................................................8

Security Requirements................................................................................9The Background: ARN Network Elements...................................................10Firewalls in the Security Apparatus..............................................................10

Firewall Basics..........................................................................................11Packet Filter Firewalls...........................................................................12Stateful Inspection Firewalls.................................................................13Application-Proxy Gateway Firewalls..................................................14Dedicated Proxy Servers.......................................................................15Hybrid Firewall Technologies...............................................................15Network Address Translation...............................................................16Virtual Private Networks.......................................................................16Intrusion Detection Systems.................................................................17

Guidelines To Build RU ARN Firewall Environment..............................19RU ARN Security Policy -- The Framework...............................................21

ARN Security Policy: The Details...........................................................26Policy Document...................................................................................26ARN User Awareness and Education...................................................26Policy Enforcement...............................................................................27Physical Security...................................................................................27Legitimate Users and Threat Perceptions.............................................27High Availability of Systems and Services...........................................28Layered Security: Defense-in-Depth.....................................................31ARN User Responsibility......................................................................32ARN Security: Future Considerations..................................................33

Brief History of Firewall Implementations in the RU ARN.....................38Selection of Firewalls............................................................................39

SonicWALL Firewalls..............................................................................39Acronyms..................................................................................................44Bibliography..............................................................................................45Appendix A...............................................................................................48

An Evaluation of CISCO PIX 501........................................................48

List Of Figures

Madhu Akkihebbal 6


Figure 1. The OSI Model…………………………………………………12Figure 2. A VPN / Firewall Server in the Network …..………………… 17 Figure 3. High Level ARN Architecture Diagram ………………………42Figure 4. ARN Architecture Diagram with PIX 501 ……………………43 List of Tables

Table 1. Components of Security Policy…………………………………20

Madhu Akkihebbal 7


Abstract

Regis University Networking Lab Practicum 2005A is a continuation of the practicum

work from the previous years. New teams have taken up the positions in order to

continue the research, design and implementation. The Networking group has a specific

mandate, of which Firewall implementation is a critical component.

Firewalls are computer security facilities used to control or restrict network connectivity;

they are used to enforce a security policy, and are typically placed between networks with

different security needs. However, it is critical to note that firewalls by themselves do

not guarantee complete network and data security. Additional mechanisms must be

employed along with Firewalls.

This paper highlights the expectations and a high-level plan to achieve those goals.

During the course of the project, its scope has extended such that the paper shall discuss

ARN Security Policy Framework in general and some concrete ideas to pursue

implementation of the policy in the near term, along with some details on firewalls. Also,

some action points for future consideration are also covered.

Madhu Akkihebbal 8


Security Requirements

RU ARN serves a growing academic community. It is vital for Regis’ daily activities.

Thus, security is one of the foremost concerns being addressed as part of the Networking

team activities in the SEAD program.

Apart from the threats like viruses, crackers, hackers, intruders, and attacks like

Denial of Service (DOS), it is also important to guard against “Passive Information

Gathering”. This is caused by unintentional information leakage and the perpetrator may

not ever directly come in contact with ARN servers. Depending upon the source of this

leakage, the information may lead to the components used within the ARN physical

infrastructure, the management processes in place, or the operational personnel

organization structure. Such types of passive information gathering can be addressed via

methods like “Penetration Testing”. It is also called as pentesting or active probing. This

is also a part of ethical hacking, which is required to evaluate an organization’s current

security status. Such activities and results related to active probing are easily identified

with the firewall and IDS log files.

NOTE: It is important to understand that ARN is physically separate from Regis Net that

stores all confidential and student information.

ARN may want to adopt such proactive techniques at some point after the current

plans for network implementation are in place. For the moment, primary objective of this

project is to come up with a security policy framework that is relevant for ARN users and

environment, along with a special focus on the new SonicWALL firewall.

Madhu Akkihebbal 9


The Background: ARN Network Elements

The next section deals with technical introduction of various network elements of

ARN such as firewalls, VPN, IDS, etc.

Firewalls in the Security Apparatus

As per one school of thought, Firewalls are one among the most important security

considerations in the network security area. The other essential security features being

Secure Sockets Layer (SSL) with encryption, Antivirus software, Smart cards with one-

time passwords, Java security mechanisms (relatively newer approach) and the new

Intrusion Prevention Systems. Still, the fact is that network security continues to attract

academic research interest, as well industry and government funding. That is mainly due

to ever changing security requirements and continuous improvements in proven

technologies. Latest threats include (but not limited to) Adware, Malware and Spyware.

These kinds of software usually get installed on PCs without the knowledge of the users.

They can collect personal information, cause more pop-ups and/or create a profile of

browsing habits, log the keystrokes, and send it to a remote server. They can also

damage the system or cause unwanted network traffic.

As more nodes are connected via the Internet, attacks on network protocols and host

machines vulnerabilities also increased, and firewalls emerged as effective

countermeasure.

For the SEAD purpose, SonicWALL Firewall products have been chosen to replace

and supplement the existing firewall mechanisms in the RU ARN. It is important to note

that firewalls alone do not help secure any network. We looked at few emerging threats

Madhu Akkihebbal 10


above; in order to secure RU ARN, we must adopt a “Defense-in-Depth” as a policy such

that the risk is managed with multiple defensive strategies.

Firewall Basics

Before we embark on evaluating steps to implement a reliable security policy for

ARN, let us briefly explore some of the basic firewall types. Basic firewalls will operate

on a smaller number of layers [OSI layers, refer Figure [1]]; more advanced firewalls will

cover more number of layers. Evidently, firewalls capable of examining a larger number

of layers are more thorough and effective. Additional layer coverage also increases the

configuration granularity present in the firewall; while layer awareness allows the

firewall to accommodate advanced applications and protocols. Increasing the layers a

firewall can examine also allows the firewall to provide services that are very user-

oriented, such as user authentication. The following diagram provides a high-level view

of the 7 layers of OSI model, which is being addressed in this discussion.

Madhu Akkihebbal 11


Figure 1: The OSI Model

Modern firewalls operate upon the 4 layers such as layer 2, 3, 4 and 7. The following

discussion describes the various types of firewalls and their merits.

Packet Filter Firewalls

The most basic, fundamental type of firewall is called a packet filter. Packet filter

firewalls are essentially routing devices that include access control functionality for

system addresses and communication sessions [Ref.: Wack, J., Cutler, K. & Pole, J [6]].

The access control functionality of a packet filter firewall is governed by a set of

directives collectively referred to as a rule set. They address only layers 2 and 3. Due to

Madhu Akkihebbal 12

7. Application [E-mail, Web Apps]

6. Presentation[HTTP, FTP, DNS]

5. Session[Ports 23 and 80]

4. Transport[UDP, TCP]

3. Network[IP V4 and V6]

2. Data Link[SLIP, PPP]

1. Physical[Coax, RS-232, CAT-5]


the nature of the functionality offered, packet filter firewalls have some limitations such

as –

The logs offer no useful information other than source address, destination

address, and traffic type.

No support for advanced user-authentication schemes.

Vulnerable to attacks and exploits that take advantage of problems within the

TCP/IP specification and protocol stack, such as network layer address spoofing.

Packet filter firewalls are susceptible to security breaches caused by improper

configurations.

Stateful Inspection Firewalls

Stateful inspection firewalls are packet filters that incorporate added awareness of the

OSI model data at Layer 4 [Ref.: Wack, J., Cutler, K. & Pole, J [6]]. Stateful inspection

evolved from the need to accommodate certain features of the TCP/IP protocol suite that

make firewall deployment difficult. When a TCP (connection-oriented transport)

application creates a session with a remote host system, a port is also created on the

source system for the purpose of receiving network traffic from the destination system.

According to the TCP specifications, this client source port will be some number greater

than 1023 and less than 16384. The stateful inspection solution is more secure because

the firewall tracks client ports individually rather than opening all high-numbered ports

for external access.

Madhu Akkihebbal 13


In essence, stateful inspection firewalls add Layer 4 awareness to the standard packet

filter architecture. Stateful inspection firewalls share the strengths and weaknesses of

packet filter firewalls, but due to the state table implementation, stateful inspection

firewalls are generally considered to be more secure than packet filter firewalls.

Application-Proxy Gateway Firewalls

Application-Proxy Gateway firewalls are advanced firewalls that combine lower layer

access control with upper layer (Layer 7, Application Layer) functionality [Ref.: Wack,

J., Cutler, K. & Pole, J [6]].

Application-proxy gateway firewalls do not require a Layer 3 (Network Layer) route

between the inside and outside interfaces of the firewall; the firewall software performs

the routing. In the event the application-proxy gateway software ceases to function, the

firewall system is unable to pass network packets through the firewall system. All

network packets that traverse the firewall must do so under software (application-proxy)

control.

Application-proxy gateway firewalls have numerous advantages over packet filter

firewalls and stateful inspection packet filter firewalls. First, application-proxy gateway

firewalls usually have more extensive logging capabilities due to the firewall being able

to examine the entire network packet rather than just the network addresses and ports.

Another advantage is that application-proxy gateway firewalls allow security

administrators to enforce whatever type of user authentication is deemed appropriate for a

Madhu Akkihebbal 14


given enterprise infrastructure. Application-proxy gateways are capable of authenticating

users directly, as opposed to packet filter firewalls and stateful inspection packet filter

firewalls which normally authenticate users based on the network layer address of the

system they reside on. Finally, given that application-proxy gateway firewalls are not

simply Layer 3 devices, they can be made less vulnerable to address spoofing attacks.

Dedicated Proxy Servers

Dedicated proxy servers differ from application-proxy gateway firewalls in that they

retain proxy control of traffic but they do not contain firewall capability. They are

typically deployed behind traditional firewall platforms for this reason. In typical use, a

main firewall might accept inbound traffic; determine which application is being targeted,

and then hand off the traffic to the appropriate proxy server, e.g., an email proxy server.

The proxy server typically would perform filtering or logging operations on the traffic

and then forward it to internal systems.

Hybrid Firewall Technologies

Recent advances in network infrastructure engineering and information security have

caused a blurring of the lines that differentiate the various firewall platforms discussed

earlier. As a result of these advances, firewall products currently incorporate functionality

from several different classifications of firewall platforms. For example, many

Application-Proxy Gateway firewall vendors have implemented basic packet filter

functionality in order to provide better support for UDP (User Datagram) based

applications. Likewise, many packet filter or stateful inspection packet filter firewall

Madhu Akkihebbal 15


vendors have implemented basic application-proxy functionality to offset some of the

weaknesses associated with their firewall platform. In most cases, packet filter or stateful

inspection packet filter firewall vendors implement application proxies to provide

improved network traffic logging and user authentication in their firewalls.

Network Address Translation

Network Address Translation (NAT) technology was developed in response to two

major issues in network engineering and security. First, network address translation is an

effective tool for hiding the network-addressing schema present behind a firewall

environment. In essence, network address translation allows an organization to deploy an

addressing schema of its choosing behind a firewall, while still maintaining the ability to

connect to external resources through the firewall. Second, the depletion of the IP

address space has caused some organizations to use NAT for mapping non-routable IP

addresses to a smaller set of legal addresses, according to RFC 1918.

Virtual Private Networks

Another valuable use for firewalls and firewall environments is the construction of

Virtual Private Networks (VPNs). A virtual private network is constructed on top of

existing network media and protocols by using additional protocols and usually,

encryption. If the VPN is encrypted, it can be used as an extension of the inner, protected

network.

In most cases, virtual private networks are used to provide secure network links across

networks that are not trusted. For example, virtual private network technology is

Madhu Akkihebbal 16


increasingly used in the area of providing remote user access to organizational networks

via the global Internet.

Fig. 2: A VPN / Firewall Appliance in the Network [Diagram reproduced from Page 24 of Bibliography item 6 - NIST Publication]

Intrusion Detection Systems

Intrusion Detection Systems (IDS) are designed to notify and in some cases prevent

unauthorized access to a networked system or resource. Many intrusion detection systems

are also capable of interacting with firewalls in order to bring a reactive element to the

provision of network security services. Firewalls that interact with intrusion detection

systems are capable of responding to perceived remote threats automatically, without the

delays associated with a human response. For example, if an intrusion detection system

detects a denial-of-service attack in progress, it can instruct certain firewalls to

automatically block the source of the attack (albeit, false positives responses can occur).

Madhu Akkihebbal 17


RU ARN has planned to use NETIQ and OPNET (also for modeling and simulation)

products to help in monitoring the network and logging. These are on-going concurrent

projects taken up by other teams; readers are referred to the appropriate documentation

for more details in this regard.

Madhu Akkihebbal 18


Guidelines To Build RU ARN Firewall Environment

Let us look at a high-level approach to planning and implementing firewalls for ARN. For

starters, National Institute of Standards and Technology recommends following thumb rules -

Keep it simple

Use devices as they were intended to be used

Create Defense in Depth

Pay attention to internal threats as well

Based on this, the immediate and on-going objectives for Firewall team are:

1. A clearly defined ARN Security Policy Framework

2. Evaluation and deeper understanding of SonicWALL Firewall products

3. Research and document the dependencies and configuration based on the VPN

components

4. Definition of Firewall controlled network elements and details of configuration and

policies

5. Implementation of Firewall / VPN / IDS entities, etc.

6. Firewall maintenance / upgrade / update plan

7. Documentation and Configuration Management of all phases – configuration, policies,

procedures, upgrades, implementation, etc.

The above form a subset of the security policy requirements. Further details are shown in the

following sections. Different teams of SEAD program handle these tasks on an on-going basis,

upon recommendation of Dan Likarish, Project Lead and Advisor.

Madhu Akkihebbal 19


This page intentionally left blank.

Madhu Akkihebbal 20


RU ARN Security Policy -- The Framework

Foremost importance must be given to the security policy - creating a high-level management

policy statement, conduct a systematic analysis of organization assets and business goals,

examine risks, develop an implementation strategy, crisis management plan, identify security

management team that will enforce the policy.

The ARN Security policy will be revised and adopted over the next few months; appropriate

documentation will be created and distributed to all stakeholders. This thesis sets the initial tone

for a formal ARN security policy. It is expected that subsequent SEAD projects would work on

implementing the security policy and also update the policy as and when required.

Let us explore the components of a security policy. The table below deals with a set of details

expected in formulating, adopting, implanting and enforcing a formal security policy.

Table 1: Components of ARN Security Policy

Component Comments

Objectives What does ARN business need; what data exists; Regis’ rights to systems, data and network

Security Policy Team Who are the key team members? IT, Security experts, Administrators, H.R., Finance, Legal, and Top Management.

Implementation Who are responsible to implement it? What is required to implement it and what is the duration? What is acceptable network behavior? What problems arise and how to deal with them?

Communication/Documentation Details of the policy and implementation. Actions and names assigned to the actions. Command hierarchy.

Madhu Akkihebbal 21


Critical responses scenarios.Education Train all stakeholders about the policy.

Educate the security team and related positions about the policy and the reasoning behind it.Define acceptable behavior, crisis management, change management, and revision policy.

Enforcement Assign names to action. Constant monitoring and reporting.Disaster management and recovery.Root cause analysis and accountability.

Review Living document.Needs and conditions constantly change. Policy must meet new technical challenges and dangers. Review and update regularly.

Generally speaking, security policy may have to consider various factors and for a network of

the magnitude of ARN, it may easily become an overhead of sorts. But, it is critical to scope the

policy such that the focus is not lost. In summary, ARN security policy requirements can be in

listed as following –

Serve as a policy document for the overall ARN security

Educate the users about the security requirements

Enforcement of the security policy – people responsible and the steps involved

Review of ARN status every 6 months against the backdrop of security policy

Physical security

Identify legitimate users (student, teaching community and administration staff) and

allow their access to intended services

Maintain a virus (and worms, et al) free network

Prevent access to hackers, crackers and intruders

Network/Systems Administration - maintain high availability of all systems and services

Madhu Akkihebbal 22


Use of various perimeter and network wide security measures such as firewalls, IDS, etc.

Incident response plan – who are the people responsible to act in case of a threat or an

emergency, what are the necessary actions to be taken by them

Disaster recovery plan – key steps to be taken by ARN authorities in order to recover

from an incident and ensure critical services for business continuity

Defense-in-Depth approach for maximum security

Network configuration management, authorized changes and updates

Use DMZ in order to reduce critical services from being directly accessible from the

external network

EULA – no hacking and not trained for hacking

Consequences of willful compromise of ARN security and threat-mongering

Future considerations – penetration testing, ethical hacking and Intrusion Prevention

Systems (IPS)

Constantly evaluate the security policy and modify as necessary

Policy design and specification is more of an art than a science. At the outset, it is expected

that ARN’s current security policies will provide the initial groundwork to enable us to prove

that SonicWall (chosen firewall for ARN) can perform as per the legacy requirements. Later, the

expansion of SonicWall’s abilities will be combined with a revision of the security/firewall

policies.

It must be noted that policy management is a sensitive area. We must care for the policy

anomalies. For instance, the ordering of filtering rules in a security policy is very crucial in determining

the firewall policy because the firewall packet filtering process is performed by sequentially matching the

Madhu Akkihebbal 23


packet against filtering rules until a match is found. If filtering rules are independent (or completely

disjoint), the ordering of the rules is insignificant. However, it is very common to have filtering rules that

are inter-related. In this case, if the relative rule ordering is not carefully assigned, some rules may be

always screened by other rules producing an incorrect security policy and action. Moreover, when large

number of filtering rules exists in a policy, the possibility of writing conflicting or redundant rules is

relatively high. A firewall policy anomaly is defined as the existence if two or more different filtering

rules that match the same packet.

In general, firewall policy must address following –

Access Control

Assurance – Configuration and policy documents

Availability

Logging


Madhu Akkihebbal 24


ARN Security Policy: The Details

Policy Document

Madhu Akkihebbal 25


This document serves as a preliminary version of ARN security policy. Basically, ARN

management must review and approve this to be considered as an official policy. Having said

that, future SEAD projects have enough scope to pick up some of the action items pointed out in

this document. While some of the concepts noted here (e.g., pen testing, IPS) may not be high

on the ARN priority list, some other details such as formal firewall policy, incident response,

disaster recovery, formal authorities in the ARN hierarchy, legal policies, user awareness and

education, change management, etc. should be addressed on a priority.

ARN User Awareness and Education

ARN security and high-availability is very important to the users and Regis University

business and educational services. In this situation, it is necessary to reach out to all the users

and educate them about the various risks to ARN and how we can all help to maintain secure

network and services.

Since majority of ARN users would be the student community, appropriate measures must be

taken up to educate them and other users of the need to adopt and follow security procedures

very strictly. EULA is another way that some of the security measures will be conveyed to the

users. Propaganda on ARN website, e-mail, etc may be adopted to inform users about the rules

and regulations of using ARN. The same may be used to convey any major policy changes.

Policy Enforcement

ARN management supervises enforcement of security policy. This is an ongoing activity that

helps keep up the ARN security. Network and System administrators, consultants, students and

Madhu Akkihebbal 26


staff – all ARN users are responsible to follow the regulations. Policy can be enforced using

software applications such as firewall ACL, VPN policies, regulations on data and system

access, password rules, configuration management, etc.

Physical Security

It is critical that ARN physical security is maintained along with network and information

security. Physical resources and assets are key to the business. All the technology-based

controls discussed in this document can be circumvented if an attacker gains physical access to

the devices of concern.

ARN shall take appropriate steps to safeguard the systems and devices such that only

authorized personnel and users can physically access the systems. Secure computer rooms, door

locks, identification badges and smart cards, electronic monitoring are some of the techniques

that ARN may apply to ensure physical security.

Legitimate Users and Threat Perceptions

Threats emanate from various sources. It could be a result of human error or failure.

Deliberate acts such as trespass, information extortion, sabotage, vandalism, theft, espionage

should be guarded against. Obsolete technology cannot help in maintaining network and

information security. There are forces of nature such as fire, flood, earthquake, typhoon, and

electrostatic discharge, which could cause havoc. Attacks take advantage of vulnerabilities to

compromise a controlled system. Some examples of attacks include malicious code, hoaxes,

password crack, brute force, Denial-of-Service (DoS), spoofing, spam, mail bombing, phishing,

sniffers, buffer overflow, timing attack, and social engineering based attacks.

Madhu Akkihebbal 27


Since ARN users connect from different parts of the world, it is critical to identify legitimate

users. ARN shall use Single Sign-On (SSO) technique, whereby a single action of user

authentication and authorization can permit a user to access all computers and systems where he

has access permission, without the need to enter multiple passwords. Single sign-on reduces

human error, a major component of systems failure and is therefore highly desirable but difficult

to implement. In future, ARN may consider the use of biometric identification systems.

Techniques such as firewalls, VPNs, and IDS help prevent unwanted, unauthorized traffic. It

is equally important to keep up with the technology. A simple example would be to stay up to

date on the virus definitions. Any number of regulations and devices will not help if the network

and systems are not keeping up with constantly improving technology.

High Availability of Systems and Services

In order to guarantee high availability of services to the users, network administrators and

managers strive to maintain the network. Most network management architectures use the same

basic structure and set of relationships. End stations (managed devices), such as computer

systems and other network devices, run software that enables them to send alerts when they

recognize problems (for example, when one or more user-determined thresholds are exceeded).

Upon receiving these alerts, management entities are programmed to react by executing one,

several, or a group of actions, including operator notification, event logging, system shutdown,

and automatic attempts at system repair.

Some of the popular network management protocols include the Simple Network

Management Protocol (SNMP) and Common Management Information Protocol (CMIP).

Madhu Akkihebbal 28


Management proxies are entities that provide management information on behalf of other

entities.

ARN has adopted various measures for network management and some of the ongoing

projects contribute towards that. These would also bring some level of standardization in the

approach to network management. For instance, ISO has contributed a great deal to network

standardization. Its network management model is the primary means for understanding the

major functions of network management systems. This model covers five conceptual areas:

Performance Management -

Helps measure and make available various aspects of network performance so that

internetwork performance can be maintained at an acceptable level. Some examples of

performance variables include network throughput, user response times, and line utilization.

Data is gathered, and analyzed to determine baseline levels; based on this data, right threshold is

set so that any deviation would require attention.

Configuration Management -

It is about monitoring network and system configuration information, so that the effects of

various versions of hardware and software elements on network operation can be tracked and

managed.

A system may have layered applications or different software components, each of them have

their own version or release numbers. Documents have their own version (revision) numbers.

Users of the document / software and policies are usually expected to work with the latest

approved versions. Some of the ARN users use SharePoint website for some of the

configuration management.

Madhu Akkihebbal 29


It is critical for ARN to identify and manage the network components and applications that

will undergo version changes, and updates. For each of this change, an authorization structure

must be put in place. All changes, big or small, that would apply any to hardware/software or

other ARN resources must be approved by ARN management and / or delegated authority.

Accounting Management - It deals with measurement of network utilization parameters so that individual or group using

on the network can be regulated appropriately. It minimizes network problems and maximizes

the fairness of network access across all users. One example is the NetIQ product used by ARN,

which can integrate, log files from network elements, such as firewalls, etc.

Fault Management -

It helps detect, log, notify users of, and in some cases, automatically fix network problems to

keep the network running effectively. In order to discover problems and find faults, it is

necessary to identify the vulnerabilities. This may be related to both security and non-security

information systems. Usually, penetration testing is employed to identify such vulnerabilities

and problems. Other aspect of this technique is to monitor and resolve user complaints.

Techniques such as help-desk applications help minimize efforts needed to resolve issues such as

learning from past experiences. It also helps understand trend of the problems.

ARN uses Track-It software as a help-desk solution.

Security Management -

Security Management is a technique to control access to network resources according to local

guidelines so that the network is secure and sensitive information is not accessed or modified by

unauthorized people. Access to information is controlled on a "need-to-access" or "need-to-

Madhu Akkihebbal 30


know" basis. Partitioning network resources into authorized and unauthorized areas does this.

Security systems that help manage sensitive network resources (including systems and data)

and determine mappings between sensitive network resources and user sets. It must be

reiterated that ARN is physically separate from Regis Net and thus there is no student data

maintained by ARN. Additionally, ARN marks the De-Militarized Zone (DMZ) and secure zone

(SZ) using firewalls, etc.

Layered Security: Defense-in-Depth

Defense-in-Depth (DiD) principles are based on the principles of layering network and data

security. Shown below are some of the usual methods of technical security. ARN already uses

some of these devices and techniques. Others may be considered in future.

Firewalls – Perimeter security / Access Control Lists (ACL) / Content Filters

IDS – Passive monitoring of network / Alarm in case of intrusion detection

IPS – Combine the actions of firewall and IDS to prevent intrusions

Encryption – Security and privacy of information transferred

Software patches and updates – Helps prevent known issues and problems

Regulation – Users must conform to network and system access policies

PKI schemes – Reliable authentication and accountability schemes

Passwords, and other authentication mechanisms – Individual authentication schemes

Madhu Akkihebbal 31


VPNs – Secure internal network that is accessible from remote places

Honey pots and Honey nets – Lure hackers and threat-mongers into a look-alike

environment in order to trap them or launch a counter-attack

Ethical hacking – Organization learns of its vulnerabilities and loopholes by initiating

hacking on its own that is only to look for potential problems and fix them

Backup / Replication – Data assets must be backed up regularly and/or must be

maintained in different sites using replication or mirroring techniques. This helps in data

availability in case of physical destruction of premises.

ARN User Responsibility

All ARN users (students based in the campus, students online, teaching community,

administrators, management, consultants, etc.) are bound by the prime duty to understand,

and adopt ARN security principles. ARN users must realize the value of a secure ARN

network. In order to maintain high level of productivity through high-availability of services,

it is important that ARN functions with as less problems as possible.

Users must understand the security principles and regulations. If there are doubts and

concerns, they must immediately escalate it to the ARN management. ARN management

reserves the final say in the matters of ARN security. Users must be vigilant and work with

security consciousness. Details such as individual passwords must be kept secret.

End-User License Agreement (EULA) indicates that ARN users are not going to carry out

any type of hacking activity against the ARN. Also, they must certify that they have had no

Madhu Akkihebbal 32


training in hacking. EULA also stresses the consequences of any user involving in untoward

activities that affect ARN in any way. Such user(s) will be prosecuted as per the law and

cyber-regulations. Also, their association with ARN and Regis University in general will be

in jeopardy.

Users must be familiar with the ARN command hierarchy in order to handle any crisis in

the network. Users must be willing to convey any information they know in case of a foul

play with regards to the network.

ARN Security: Future Considerations

ARN must initially focus on adopting the security policy as an official document. There are

quiet a few areas that SEAD community can pick up as follow up projects related to the security

policy and the thesis. Here is a list of areas that needs future attention. ARN management shall

prioritize the future considerations.

1. Expand the security policy to bring more details into the areas of –

ARN Architecture Management

Various Firewalls Policies and Rule Sets

VPN Usage Policies

IDS Policies

Router Configuration Policies

DMZ Policies

Mail and Other Server Usage Policies

Remote Users Policies

Madhu Akkihebbal 33


Policies for Campus Based Students

Standard Authentication Procedures

Fault Management – TrackIt, etc.

Accounting and Auditing Management - OPNET

Performance Management – NetIQ, etc.

Configuration Management – Sharepoint, etc.

NOTE: The last 4 items above are being covered by current SEAD activities.

2. Establish a formal ARN Security Team. This team will be directly answerable to ARN

management. This team will maintain/upgrade the security policy, educate and create

awareness among users, identify people responsible for key activities – system

administration, network configuration, configuration management, etc.

This team also deals with the important task of overseeing the implementation and

enforcement of the security policy.

3. There is a need for a “crisis management” team. This team may be part of the ARN

security team. It will act when there is an attack or some kind of threat to the ARN. The

team will have the authority to take necessary steps to ensure ARN network health is

restored and keep up business continuity. This team will device and communicate the

following plans –

Incident response plan

Disaster Recovery Plan

Business Continuity Plan

4. Explore the possibilities of implementing Intrusion Prevention Systems (IPS) in ARN.

Madhu Akkihebbal 34


5. Another example of new-generation network security devices is Cisco’s Adaptive

Threat Defense. It is the next phase of Cisco’s concept of “Self Defending Network”.

It is said to help to further minimize network security risks by dynamically addressing

threats at multiple layers, enabling tighter control of network traffic, endpoints, users,

and applications. Supposedly, it aims to protect every packet and its flow on a network.

This security portfolio includes devices such as New Intrusion Prevention, Application

Firewall, SSL VPN, and Endpoint Security innovations that could deliver advanced

protection of mission-critical resources.

6. Ensure that all ARN hardware and network devices assets are being used in the right way.

For instance, if there are some Cisco PIX 501 devices lying around, they must be used so

that all assets are put into best use.

7. ARN may consider using biometric identification systems.

8. In order to create a robust, secure ARN; it may be necessary to conduct proactive tests for

the vulnerabilities and weaknesses of ARN. This is termed as penetration testing also

called as ethical hacking. ARN stands to gain a lot if they conduct such test in a

controlled manner, from an external attacker’s perspective.

9. Ensure that ARN security policy is updated on a regular basis or as the need arises. All

relevant users must be made aware of the updates and must follow the changes.

10. In future, when ARN achieves stability, ARN Management may consider the option of

ARN / Regis Network participating in the Abilene Network. Abilene Network is an

Internet2 high-performance backbone network that enables the development of

advanced Internet applications and the deployment of leading-edge network services to

Internet2 universities and research labs across the country. The network has become the

Madhu Akkihebbal 35


most advanced native IP backbone network available to universities participating in

Internet2. The Abilene Network supports the development of applications such as virtual

laboratories, digital libraries, distance education and tele-immersion, as well as the

advanced networking capabilities that are the focus of Internet2. Abilene complements

and peers with other high-performance research networks in the U.S. and internationally

[14]. Participating in Abilene project gives a technological edge for Research work at

Regis as well bring the best of the Internet2 and IPV6 world (including network

bandwidth, high-speed and higher level of security).

Madhu Akkihebbal 36



Madhu Akkihebbal 37


Brief History of Firewall Implementations in the RU ARN

Cisco PIX 501 has been used in ARN in the initial years. In the initial years, PIX 501 has

offered certain service in terms of DHCP service and NAT at certain locations (mainly DTC).

Since PIX is not effective to work with a server farm and also historically it has been very

complex to configure and manage at DTC. Though it provided certain functionalities like packet

filtering, NAT and routing to internal lab, it is said to have many problems.

In this situation, Jeff Brown, a SEAD student (2003-2004) decided to implement an Open-

BSD based firewall for the DTC campus. At that time, this firewall was also necessary to

prevent DoS attacks that occurred frequently. For the record, apart from a functional OpenBSD

based firewall, Jeff also implemented an IPSec based VPN between DTC, ALC, and ILB

campuses.

The plan is to replace OpenBSD firewall using Sonic WALL TZ170 and 3060 at the ARN

production centers, which is the focus of current SEAD-Networking group. At the same time,

since Cisco PIX 501 is not being used in the best way, efforts are focused on towards using it for

VPN access. Note that the discussion of ARN VPN implementation itself is beyond the scope of

this thesis.

Madhu Akkihebbal 38


Selection of Firewalls

The selection of a firewall for RU ARN is dependent on the firewall’s ability to meet the

following criterion:

Protocols

Hardware and Operating Systems

Management Interfaces

User Authentication

Encryption

Firewall Validation

Services

For the purpose of RU ARN, SonicWall firewalls have been chosen based on an evaluation of

its characteristics and offerings in the backdrop of the above.

SonicWALL Firewalls

In one of the product evaluations, SonicWall is described as – “It looks like a small black router,

but is in fact a little firewall with NAT & state based filtering that can also defend against SYN

flooding, Ping of death, IP spoofing and filter ActiveX, Java and cookies. (It is) Configured via a

Web browser”.

The SonicWALL Firewall products chosen for the SEAD are – SonicWALL Pro 3060 and TZ

170. These are working in tandem with the VPN products in ARN.

Madhu Akkihebbal 39


While VPNs are effective remote access solution, it is not complete nor does it provide

symbiotic Internet access security. A firewall protects against Internet based theft, destruction or

modification of data by examining all data passing from Internet or WAN to the LAN.

As we saw earlier in this document, in general, firewalls use various techniques to carry out

the operations:

1. NAT (Network Address Translation)

2. Proxy

3. Stateful or "Active Inspection"

SonicWALL firewalls employ Stateful Packet Inspection technique to protect against DoS

attacks, IP spoofing, and other TCP/IP borne attacks.

All SonicWALL Firewall products can be setup and administered over a web-based interface.

Also, they can be managed remotely using SonicWALL’s Global Management Console.

The SonicWALL PRO 3060, part of SonicWALL's PRO Series Internet Security Platform,

delivers complete business continuity for even the most complex networks. Powered by

SonicWALL's next-generation SonicOS operating system and powerful deep packet inspection

architecture, the PRO 3060 provides integrated gateway anti-virus, anti-spy ware, intrusion

prevention and anti-spam capabilities for real-time protection against today's dynamic threats.

The SonicWALL TZ 170, part of SonicWALL's TZ 170 Series, is the ultimate total security

platform for home, small, remote and branch office deployments. With integrated support for

SonicWALL's Gateway Anti-Virus, Anti-Spy ware and Intrusion Prevention Service, the

Madhu Akkihebbal 40


TZ 170 delivers real-time protection against viruses, spy ware, worms, Trojans and other

malicious threats. The TZ 170 also combines built-in anti-spam protection and support for

SonicWALL's Content Filtering Service to provide enhanced productivity and network

utilization.

The following diagram depicts the high level architecture involving firewalls and VPN.

Madhu Akkihebbal 41


VPN

CSD

SW TZ170 CS

ALC

DTC

ILB

FCSW FW Pro3060

Figure 3: High Level ARN Architecture Diagram

Madhu Akkihebbal 42


VPN

CSD

SW TZ170 CS

ALC

DTC

ILB

FCSW FW Pro3060

PIX 501

Computer

SNAPIX501

VPN

Figure 4: ARN Architecture Diagram Showing PIX 501 Usage With VPN

Madhu Akkihebbal 43


AcronymsACL Access Control ListARN Advanced Research NetworkDoS Denial of ServiceDHCP Dynamic Host Configuration ProtocolDMZ De-Militarized ZoneEULA End-User License AgreementHTTP Hyper Text Transfer ProtocolIDS Intrusion Detection SystemIPS Intrusion Prevention SystemNAT Network Address TranslationRU Regis UniversitySSL Secure Sockets LayerSSO Single Sign-OnSZ Secure ZoneTCP/IP Transmission Control Protocol/Internet ProtocolUDP User Datagram ProtocolVPN Virtual Private Network

Madhu Akkihebbal 44


Bibliography

1. Virtual Private Networks for Small and Medium Organizations. Retrieved February 15, 2005,

from https://partners.mysonicwall.com/WhitePaper/DownloadCenter/WhitePapers.asp

2. Protecting and Connecting the Distributed Organization – A Comprehensive Security and

VPN Strategy. Retrieved February 15, 2005, from

https://partners.mysonicwall.com/WhitePaper/DownloadCenter/WhitePapers.asp

3. Ollmann, G. (2004, January). Passive Information Gathering. Retrieved February 20, from

http://offlinehbpl.hbpl.co.uk/misc/mcs/whitepapers/PassiveInformationGathering.pdf

4. Gong, L. & Sandhu, R. (November-December 2000). What Makes Security Technologies

Relevant? Retrieved February 22, 2005 from

http://www.list.gmu.edu/misc_pubs/editorials/00895014.pdf

5. Bennett, T. (1998). Auditing Firewalls: A Practical Guide. Retrieved March 02,

2005 from http://www.itsecurity.com/papers/p5.htm

6. Wack, J., Cutler, K. & Pole, J. (January 2002). Guidelines on Firewalls and Firewall Policy

[NIST Publication]. Retrieved on March 20 from

http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf

7. Mastering Internet Security for Competitive Advantage. Retrieved on February 25, 2005

Madhu Akkihebbal 45

http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf

http://www.itsecurity.com/papers/p5.htm

http://www.list.gmu.edu/misc_pubs/editorials/00895014.pdf

http://offlinehbpl.hbpl.co.uk/misc/mcs/whitepapers/PassiveInformationGathering.pdf




from http://www.sun.com/executives/sunjournal/v1n2/feature2.html

8. Al-Shaer, S.E. & Hamed, H.H. Design and Implementation of Firewall Policy Advisor Tools.

Retrieved on March 3, 2005 from

http://facweb.cs.depaul.edu/research/TechReports/TR04-011.pdf

9. Cooper, P.S. (February 1996). Network Security Management With Firewalls [DOE

Information Security Conference Presentations]. Retrieved on March 6 2005 from

http://doe-is.llnl.gov/ConferenceProceedings/DOECompSec96/firewall.pdf

10. IT Security Cookbook. (January 2002). Retrieved on March 10, 2005 from

http://www.boran.com/security/it12-firewall.html

11. Cisco PIX Firewall and VPN Configuration Guide, Version 6.2. Retrieved on April 25, 2005

from

http://www.cisco.com/en/US/products/sw/secursw/ps2120/

products_configuration _ guide_chapter09186a00800eb729.html#wp1032843

12. Network Management Basics (February 2002). Retrieved on June 2, 2005 from

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/nmbasics.htm#xtocid6

Madhu Akkihebbal 46

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/nmbasics.htm#xtocid6

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb729.html#wp1032843

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb729.html#wp1032843

http://www.boran.com/security/it12-firewall.html

http://doe-is.llnl.gov/ConferenceProceedings/DOECompSec96/firewall.pdf

http://facweb.cs.depaul.edu/research/TechReports/TR04-011.pdf

http://www.sun.com/executives/sunjournal/v1n2/feature2.html


13. Cisco Self-Defending Network. Retrieved on June 6, 2005 from

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns413/networking_solutions_packag

e.html

14. Abilene Network. Retrieved on June 15, 2005 from

http://abilene.internet2.edu/about/index.html

15. Whitman, M.E, & Mattord. Principles of Information Security. Second Edition. 2005.

Thomson Course Technology.

Madhu Akkihebbal 47

http://abilene.internet2.edu/about/index.html

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns413/networking_solutions_package.html

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns413/networking_solutions_package.html


Appendix A

An Evaluation of CISCO PIX 501

ARN has invested in Cisco PIX 501 in the past. While this device has been used in some

campuses (DTC) for packet filtering, etc., there were some issues. OpenBSD based firewall

replaced PIX 501 more than a year ago. Also, ARN production centers will be supported by

Sonic WALL firewalls this year. The idea is to be able to re-deploy Cisco PIX 501 for some

other use, say VPN access.

The following description focuses on the abilities and features of Cisco PIX 501 device. Some

of the following discussion are excerpts from the product literature available on the Cisco

website.

PIX 501 as a DHCP Server:

The DHCP server within the PIX Firewall is typically used within a SOHO environment with

a PIX 501 or PIX 506 unit. Connecting to the PIX Firewall are PC clients and other network

devices (DHCP clients) that establish network connections that are either insecure (unencrypted)

or secure (encrypted using IPSec) to access an enterprise or corporate network. As a DHCP

server, the PIX Firewall provides network configuration parameters to the DHCP clients through

the use of DHCP.

Using the firewall 6.1 version or higher, PIX 501 can handle up to a maximum number of 128

DHCP Client Addresses (with a 50-user license).

PIX 501 as a DHCP Client

DHCP client support within the PIX Firewall is designed for use within a small office, home

office (SOHO) environment using a PIX Firewall that is directly connected to a DSL or cable

Madhu Akkihebbal 48


modem that supports the DHCP server function.

With the DHCP client feature enabled on a PIX Firewall, the PIX Firewall functions as a

DHCP client to a DHCP server allowing the server to configure the outside interface with an IP

address, subnet mask, and optionally a default route. Use of the DHCP client feature to acquire

an IP address from a generic DHCP server is not supported. Also, the PIX Firewall DHCP client

does not support failover configurations.

PIX 501 Support for VoIP Terminals and Phones

In a small enterprise environment, Cisco CallManager may control Cisco IP phones. In such

an environment, PIX Firewall DHCP server can supports specialized functions such as:

Cisco IP Phones download their configuration from a TFTP server. PIX 501 can handle

DHCP option 150 request and provide the IP addresses of a list of TFTP servers

PIX 501 can also handle DHCP option 66, defined in RFC 2132 (DHCP Options and

BOOTP Vendor Extensions), gives the IP address or the host name of a single TFTP

server.

PIX 501 as Easy VPN Remote Device

PIX Firewall version 6.2 lets you use PIX Firewall as an Easy VPN Remote device when

connecting to an Easy VPN Server, such as a Cisco VPN 3000 Concentrator or a PIX Firewall.

This functionality, sometimes called a "hardware client," allows the PIX Firewall to establish a

VPN tunnel to the Easy VPN Server. Hosts running on the LAN behind the PIX Firewall can

connect through the Easy VPN Server without individually running any VPN client software.

We need to explore if this functionality is also good to work in RU ARN with a VPN server that

Madhu Akkihebbal 49


is not a Cisco product.

In can act in two modes:

Client mode—In this mode, VPN connections are initiated by traffic, so resources are

only used on demand. In client mode, the PIX Firewall applies Network Address

Translation (NAT) to all IP addresses of clients connected to the inside (higher security)

interface of the PIX Firewall. To use this mode, you must also enable the DHCP server

on the inside interface.

Network extension mode—In this mode, VPN connections are kept open even when not

required for transmitting traffic. This option does not apply NAT to any IP addresses of

clients on the inside (higher security) interface of the PIX Firewall.

PIX 501 with Improved ACL Feature

TurboACL is a feature introduced with PIX Firewall version 6.2 that improves the average

search time for access control lists containing a large number of entries. The TurboACL feature

causes the PIX Firewall to compile tables for ACLs and this improves searching of long ACLs.

One can enable this feature for the entire PIX Firewall and then disable it for specific ACLs,

or enable it only for specific ACLs. For short ACLs, TurboACL does not improve performance.

A TurboACL search, no matter how short the ACL, requires about the same amount of time as a

regular ACL search of from twelve to eighteen entries. For this reason, even when enabled, the

TurboACL feature is only applied to ACLs with nineteen or more entries.

Madhu Akkihebbal 50

Abstract - Regis Universityacademic.regis.edu/cias/ia/madhu_ARN_Security_Policy... · Web view......

Documents

Transcript of Abstract - Regis Universityacademic.regis.edu/cias/ia/madhu_ARN_Security_Policy... · Web view......