Session Number: 9

1
Internet Supply Chain Management ECT 581
Winter 2003
Session Number 9

• Session Date March 4, 2003
• Session Outline
• Administrative Items
• Session Topics
• Firewalls, VPNs Other Security Considerations
  (continued)

2
Additional VPN Considerations What is protocol
tunneling?

• A technique for connecting two networks via a
  third, while totally isolating the connected
  traffic from other traffic in the third network.
• Tunneling works by encapsulating a network
  protocol within packets carried by the second
  network.
• In a tunnel, the data being transferred is
  encrypted and then encapsulated in IP packets.
• The encryption prevents any intercepted packets
  from being understood, thus protecting the
  senders and the recipients identity.
• A VPN is a tunnel over a shared network
  infrastructure such as the Internet.

3
Additional VPN Considerations Protocol Tunneling

• Microsoft has derived PPTP as built-in feature
  in NT Win9X products.
• Layer 2 Tunneling Protocol (L2TP) is an emerging
  standard for tunneling private data over public
  networks.
• L2TP is a built-in feature in 2000 XP server
  products.

4
3 Basic Methods for Creating VPNs

• Network to network.
• Host to network.
• Dial-up ISP to network.

5
Risks of Implementing a VPN

• Security - major issue is determining how much
  security is enough. Any data passing over public
  networks is vulnerable to being viewed and
  modified.
• Availability - at times connections can go down
  and varying availability can cause big problems
  for companies requiring constant communication.
• Reliability - on the private network there is no
  contention from other networks, and reliability
  can be planned for on the Internet, packets are
  constantly being dropped or corrupted.
• Manageability - once a packet traverses from an
  ISP to the Internet backbone, visibility is lost
  if packet visibility is lost, it is difficult to
  locate network problems and provide solutions.
• The most crucial portion of a VPN is the data
  security architecture.

6
Firewalls

• Typically, firewall software is used to protect
  corporate LAN resources with responsibility for
• encrypting messages, and
• encapsulating IP traffic prior to routing.
• Also, a separate network (commonly referred to
  as the demilitarized zone or DMZ is placed
  between Internet router and firewall.
• Some firewall vendors enable integration of the
  DMZ and the firewall.

7
Firewall Architectures (reprise)

• First consideration in designing a firewall is
  to meet the requirements set out in the security
  policy.
• May include port filtering, application
  filtering, and user-based restrictions.
• Firewalls also need to provide a system for
  logging that can be used to monitor the activity
  of internal and external users and intruders.
• A good security rule of thumb is to minimize the
  number of access to points to the private
  network.

8
Firewalls Architecture Strategies
Basic firewall architectures include

• A packet filtering router or host computer.
• A dual-homed gateway.
• A screened host.
• A screen subnet.

9
Firewalls Architecture Strategies (continued)
Two basic components used to construct a
firewall

• A packet filter.
• An application proxy server.

10
Firewalls Architecture Strategies (continued)

• An Internet firewall is most often installed at
  the point where your internal network connects to
  the Internet.
• Any connections to other organizations should
  also go through a firewall. This will protect the
  internal network from the other organization's
  employees and any unwanted users that are also on
  their network.
• By not installing a firewall between your
  network and the other organization's network, you
  are trusting the other organization's network
  security.

11
Firewalls Architecture Strategies (continued)
What can a firewall do?

• A firewall can limit exposure by restricting
  access to services and by partitioning the
  network.
• By disallowing many services (i.e. inbound RPC,
  Telnet and FTP), you can limit the amount of
  damage an intruder can cause.
• By creating a perimeter network for WWW, DNS and
  E-mail servers, you can limit potential damage to
  just the systems in the perimeter network.

12
Firewalls Architecture Strategies (continued)
What can't a firewall do?

• A firewall cannot protect against completely new
  threats. Firewalls are designed to protect
  against known threats. If a new bug is discovered
  or an unanticipated type of attack is used, an
  intruder could compromise your systems.
• Firewalls also cannot protect against attacks
  that go around the firewall, such as social
  engineering attacks and modems on the internal
  network.
• Firewalls also have difficulty controlling
  viruses. Some firewalls can be configured to
  examine MIME and FTP packets, but this
  substantially increases latency.
• Firewalls cannot provide services for non-IP
  network protocols. They are strictly IP-based,
  and can only provide services for protocols
  encapsulated in IP.
• The most difficult part of firewall maintenance
  is keeping the system up to date.

13
A Few Firewall Product Options

• Border Network Technologies - BorderWare
• Checkpoint Software - Firewall-1
• Trusted Information Systems (TIS) - Gauntlet
  Internet Firewall
• Cisco Systems Cisco Secure PIX Firewall

14
PKI - Public Key Infrastructure
PKI purpose establish trust among clients.

• PKI integrates cryptography.
• PKI employs 2-key cryptography system.
• Both key asymmetric (i.e., completely
  different).
• Yet 2 key pair works together to encrypt/decrypt
  info.
• One key public, other key private/secret.
• PKI enables digital signatures.
• Digital signature aids in authentication
  process.
• Senders message is translated into PK encrypted
  hash total.
• Encrypted hash total is sent with the message.
• Recipient decrypts message with senders public
  key deciphers hash.
• Message transmission completed when hash
  totals match (i.e. non-repudiation).

15
PKI - Public Key Infrastructure (continued)
Four Parts in a PKI

• Certificate Authority.
• A directory service.
• Services (businesses/enterprises offering
  services).
• Business users.

16
PKI - Public Key Infrastructure (continued)

• PKI includes cryptographic keys and certificate
  management system.
• PKI function includes
• generation distribution of key pairs.
• publication of public keys.
• ensure that private keys are kept secure.
• ensure that the key holder is who the party
  purports to be.
• PKI Chain of Trust.
• Made up of one or more Certification Authorities
  (CA).
• Each CA digitally signs each certificate makes
  them available in public directories.
• Encrypted hash total is sent with the message.
• Any client of the PKI can access any other
  published key.
• Hierarchy of CAs includes
• Policy approval authority
• Issuing authority.
• Registration authority.
• Authentication authority.

17
PKI - Public Key Infrastructure (continued)
PKI a necessary Ecommerce component.

• Virtual marketplace is growing much faster than
  its physical counterpart.
• Traditional market practices and controls are
  challenged.
• Non-repudiation is essential to conducting
  business via the internet.
• Traditional methods of signing agreements,
  orders, etc. must be produced electronically.
• PKI provides the means for enabling
  non-repudiation.
• Asymmetric encryption (using private keys
  together w/ certificates)
• enables user identification over electronic
  networks.
• enables private communication.
• provides for means to sign electronic docs.
• Administration of certificates keys provided
  for through PKI.

18
Next Session Highlights

• Trends Anticipated Developments
• Exchange system demonstrations.