Access Control
Mandatory access controls (MACs) - lattice-based access control
Nondiscretionary controls - role-based controls and task-based controls
Firewalls
Firewalls can be categorized by processing mode, development era, or structure.
Packet-Filtering Firewalls
Packet-filtering firewalls make their decisions on the following header fields:
IP source and destination address
Direction (inbound or outbound)
Protocol (for firewalls capable of examining the IP protocol layer)
Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests (for firewalls capable of examining the TCP/UDP layer)
There are three subsets of packet-filtering firewalls: static filtering, dynamic filtering, and stateful inspection.
Application Gateways
The application firewall is also known as a proxy server since it runs special software that acts as a proxy for a service request.
Circuit Gateways
Circuit gateways operate at the transport layer. They create tunnels connecting specific processes or systems on each side of the firewall, and then allow only authorized traffic through those tunnels.
Firewall Architectures
The configuration that works best for a particular organization depends on three factors: The objectives of the network,
SOCKS Servers
SOCKS is the protocol for handling TCP traffic via a proxy server.
SOCKS servers place the filtering requirements on the individual workstation rather than on a single point of defense (and thus a single point of failure).
Organizations are much more willing to live with potential risk than with certain failure.
Simple Mail Transport Protocol (SMTP) data is allowed to enter through the firewall, but is routed to a well-configured SMTP gateway to filter and route messaging traffic securely. All Internet Control Message Protocol (ICMP) data should be denied. Known as the ping service, ICMP is a common method for hacker reconnaissance and should be turned off to prevent snooping.
Telnet (terminal emulation) access to all internal servers from the public networks should be blocked. At the very least, Telnet access to the organization's Domain Name System (DNS) server should be blocked to prevent illegal zone transfers and to prevent attackers from taking down the organization's entire network. If internal users need to access the organization's network from outside the firewall, the organization should enable them to use a Virtual Private Network (VPN) client or another secure system that provides a reasonable level of authentication.
When Web services are offered outside the firewall, HTTP traffic should be blocked from internal networks through the use of some form of proxy access or DMZ architecture. That way, if any employees are running Web servers for internal use on their desktops, the services are invisible to the outside Internet.
Firewall Rules
Firewall rule sets follow the principle "that which is not permitted is prohibited": traffic passes only when an expressly permitted rule matches it, and everything else is denied.
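As an added example (not from the original notes), the following Python rule engine applies the header fields listed above and the SMTP, ICMP, Telnet, DNS and HTTP rules to constructed packets, with the default-deny rule last; the addresses and host roles are assumed values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed addresses for the example network (assumptions, not from the notes).
SMTP_GATEWAY = "10.0.1.25"   # well-configured SMTP gateway that receives inbound mail
WEB_PROXY = "10.0.1.80"      # the only internal host permitted to send HTTP outbound


@dataclass(frozen=True)
class Packet:
    src: str                   # IP source address
    dst: str                   # IP destination address
    direction: str             # "inbound" or "outbound"
    protocol: str              # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


# Ordered rule table: (description, match criteria, action). The first matching
# rule decides, so the catch-all "deny" must remain the last entry.
RULES = [
    ("deny all ICMP (ping reconnaissance)",
     {"protocol": "icmp"}, "deny"),
    ("inbound SMTP allowed only to the SMTP gateway",
     {"direction": "inbound", "protocol": "tcp", "dst_port": 25, "dst": SMTP_GATEWAY}, "allow"),
    ("block inbound Telnet to internal servers",
     {"direction": "inbound", "protocol": "tcp", "dst_port": 23}, "deny"),
    ("block inbound TCP/53 (zone transfers) to the DNS server",
     {"direction": "inbound", "protocol": "tcp", "dst_port": 53}, "deny"),
    ("outbound HTTP allowed only from the proxy",
     {"direction": "outbound", "protocol": "tcp", "dst_port": 80, "src": WEB_PROXY}, "allow"),
    ("default: that which is not permitted is prohibited",
     {}, "deny"),
]


def evaluate(pkt: Packet) -> Tuple[str, str]:
    """Walk the rule table top-down; return (action, description of the matching rule)."""
    for desc, criteria, action in RULES:
        if all(getattr(pkt, field) == value for field, value in criteria.items()):
            return action, desc
    raise RuntimeError("rule table must end with a catch-all rule")


if __name__ == "__main__":
    for p in [Packet("203.0.113.7", SMTP_GATEWAY, "inbound", "tcp", 25),
              Packet("203.0.113.7", "10.0.2.10", "inbound", "tcp", 25),
              Packet("10.0.2.10", "198.51.100.9", "outbound", "tcp", 80)]:
        print(p, "->", evaluate(p))
```

This is the static-filtering subset only; dynamic filtering and stateful inspection would additionally track connection state before consulting the table.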
Content Filters
A content filter is a software filter, technically not a firewall, that is sometimes called a reverse firewall. A content filter has two components: rating and filtering.
The rating is like a set of firewall rules for Web sites and is common in residential content filters. The rating can be complex, with multiple access control settings for different levels of the organization, or it can be simple, with a basic allow/deny scheme like that of a firewall.
The filtering is a method used to restrict specific access requests to the identified resources, which may be Web sites, servers, or whatever resources the content filter administrator configures.
Remote Access
Kerberos
Kerberos uses symmetric key encryption for validation. It keeps a database containing the private keys of clients and servers, and it also generates temporary session keys, which are private keys given to the two parties in a conversation.
Kerberos consists of three interacting services, all of which use a database library:
1. Authentication server (AS), which is a Kerberos server that authenticates clients and servers.
2. Key Distribution Center (KDC), which generates and issues session keys.
3. Kerberos ticket granting service (TGS), which provides tickets to clients who request services.
In Kerberos a ticket is an identification card for a particular client that verifies to the server that the client is requesting services and that the client is a valid member of the Kerberos system and therefore authorized to receive services. The ticket consists of the client's name and network address, a ticket validation starting and ending time, and the session key, all encrypted in the private key of the server from which the client is requesting services.
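As an added example (not from the original notes), this Python sketch shows a TGS sealing the ticket fields just listed in the server's private key and the server validating them on receipt; the HMAC-based keystream and tag stand in for the symmetric cipher Kerberos actually uses and are an assumption, as are the sample names, addresses and keys.

```python
import hashlib
import hmac
import json
import os
from typing import Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stand-in for a symmetric cipher: HMAC-SHA256 run in counter mode."""
    out = b""
    for ctr in range(0, length, 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key: bytes, payload: bytes) -> bytes:
    """Encrypt-then-MAC the payload under key; output is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting: a wrong server key or an altered ticket is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ticket tag invalid: wrong server key or tampered ticket")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def issue_ticket(server_key: bytes, client: str, address: str,
                 session_key: bytes, now: int, lifetime: int) -> bytes:
    """TGS side: the ticket fields from the notes, sealed in the target server's private key."""
    fields = {"client": client, "address": address,
              "start": now, "end": now + lifetime, "session_key": session_key.hex()}
    return seal(server_key, json.dumps(fields).encode())


def accept_ticket(server_key: bytes, ticket: bytes,
                  peer_address: str, now: int) -> Tuple[str, bytes]:
    """Server side: unseal, then enforce the validity window and the client's network address."""
    f = json.loads(unseal(server_key, ticket))
    if not f["start"] <= now <= f["end"]:
        raise ValueError("ticket presented outside its validity window")
    if f["address"] != peer_address:
        raise ValueError("ticket presented from a different network address")
    return f["client"], bytes.fromhex(f["session_key"])
```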
The SESAME technology offers sophisticated single sign-on with added distributed access control features and cryptographic protection of interchanged data. SESAME is similar to Kerberos but adds many extensions to it; one important extension is support for role-based access control using a PAS (Privilege Attribute Server).
http://www.cs.nyu.edu/~wanghua/course/security/final/presentation.html
A Virtual Private Network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.
Virtual Private Network Consortium (VPNC) defines three VPN technologies: Trusted VPNs,
Encapsulation of incoming and outgoing data
Encryption of incoming and outgoing data
Authentication of the remote computer and, perhaps, the remote user as well
Transport Mode
Tunnel Mode