Home | | Information Security | Security Technology

Chapter: Information Security : Physical Design

Security Technology

A successful organization should have multiple layers of security in place: Physical security, Personal security, Operations security, Communications security, Network security, Information security

Security Technology


1. What is Security?


quality or state of being secure—to be free from danger”


A successful organization should have multiple layers of security in place:


Physical security


Personal security


Operations security


Communications security


Network security


Information security




Physical Design


Physical design of an information security program is made up of two parts:

Security technologies

Physical security



Physical design process:


- Identifies complete technical solutions based on these technologies (deployment, operations and maintenance elements)


-   Design physical security measures to support the technical solution.


2. Firewalls

 A software or hardware component that restricts network communication between two computers or networks.


-   In buildings, a firewall is a fireproof wall that restricts the spread of a fire.

-   Network firewall prevents threats from spreading from one network to another


Prevent specific types of information from moving between the outside world (untrusted networks) and the inside world (trusted networks)


ü The firewall may be a separate computer system, a software servic e running on an existing router all serve r, or a separate network containing a number of supporting devices.


Internet Firewalls

1 What Firewalls do


Protects the resources of an internal network.

Restrict external access.


Log Network activities.


          Intrusion detection




Act as intermediary


Centralized Security Management


Carefully administer one firewall to control internet traffic of many machines.


Internal machines can be administered with less care.



2 Types of Firewalls (General)


Firewalls types can be categorized depending on:


The Function or methodology the firewall use


Whether the communication is being done between a single node and the network, or between two or more networks.


Whether the communication state is being tracked at the firewall or not.


With regard to the scope of filtered communications the done between a single node and the network, or between two or more networks there exist :


Personal Firewalls, a software application which normally filters traffic entering or leaving a single computer.


Network firewalls, normally running on a dedicated network device or computer positioned on the boundary of two or more networks.


3 Firewall categorization methods


The Function or methodology the firewall use


Five processing modes that firewalls can be categorized by are :


·     packet filtering

·     application gateways


·     circuit gateways


·     MAC layer firewalls


·     hybrids


3.1.Packet filtering:

 examine the header information of data packets that come into a network.


a packet filtering firewall installed on TCP/IP based network and determine wether to drop a packet or forward it to the next network connection based on the rules programmed in the firewall.


Packet filtering firewalls scan network data packets looking for violation of the rules of the firewalls database.


Filtering firewall inspect packets on at the network layers.


If the device finds a packet that matches a restriction it stops the packet from traveling from network to another.


filters packet-by-packet, decides to Accept/Deny/Discard packet based on certain/configurable criteria – Filter Rule sets.


Typically stateless: do not keep a table of the connection state of the various traffic that flows through them


Not dynamic enough to be considered true firewalls.


Usually located at the boundary of a network.


Their main strength points: Speed and Flexibility.


There are three subsets of packet filtering firewalls:

 static filtering


dynamic filtering


stateful inspection


static filtering:


requires that the filtering rules coverning how the firewall decides which packets are allowed and which are denied.



ü This type of filtering is common in network routers and gateways.


2. Dynamic filtering


allows the firewall to create rules to deal with event.


This reaction could be positive as in allowing an internal user to engage in a specific activity upon request or negative as in dropping all packets from a particular address


3. Stateful inspection


keep track of each network connection between internal and external systems using a state table.


A state table tracks the state and context of each packet in the conversation by recording which station send , what packet and when.


More complex than their constituent component firewalls


Nearly all modern firewalls in the market today are staful




Stateful Inspection Firewalls


Basic Weaknesses Associated w ith Packet Filters\ Statful


They cannot pre vent attacks that employ application-specific vulnerabilities or functions.


Logging function ality present in packet filter firewalls is limited


-Most packet filter firewalls do not support advanced user authent ication schemes.


Vulnerable to attacks and exploits that take advantage of pro blems within the TCP/IP specification and protocol stack, such as network layer ad dress spoofing.


Susceptible to sec urity breaches caused by improper configurations.



One packet filter can protect an entire network


Efficient (require s little CPU)


Supported by mosst routers



Difficult to config ure correctly


Must consider rule set in its entirety

Difficult to test co mpletely

Performance penalty for complex rulesets

Stateful packet filtering much more expensive


Enforces ACLs at layer 3 + 4, without knowing any application details


Packet Filtering Firewalls


The original firewall


Works at the network level of the OSI




Applies packet filters based on access




Source IP address


Destination IP address


Application or protocol


Source port number


Destination port number


Packet Filtering Firewalls



Application gateways:

is also known as proxy server since it runs special software that acts as a proxy for a service request.

One common example of proxy server is a firewall that blocks or requests for and responses to request for web pages and services from the internal computers of an organization.

The primary disadvantag e of application level firewalls is that they ar e designed for a specific protocols and c annot easily be reconfigured to protect against attacks in other protocols.

Application firewalls work at the application layer.

Filters packets on application data as well as on IP/TCP/UDP fields.

The interaction is controlled at the application layer

A proxy server is an application that mediates traffic between two network segments.

With the proxy acting a s mediator, the source and destination system s never actually“connect”.

Filtering Hostile Code: Proxies can analyze the payload of a packet o f data and make decision as to whether thiis packet should be passed or dropped.

4.Circuit gateways:

operates at the transport layer.


Connections are authorized based on addresses , they prevent direct connections between network and another.


They accomplish this prevention by creating channels connecting specific systems on each side of the firewall and then allow only authorized traffic.


relays two TCP connections (session layer)


imposes security by limiting which such connections are allowed


once created usually relays traffic without examining contents


Monitor handshaking between packets to decide whether the traffic is legitimate


typically used when trust internal users by allowing general outbound connections


SOCKS commonly used for this


Circuit Level Firewalls Example



4.MAC layer firewalls:


ü design to operate at the media access control layer.


Using this approach the MAC addresses of specific host computers are linked to ACL entries that identify the specific types of packets that can be send to each host and all other traffic is blocked.

 5.Hybrids firewalls:


companied the elements of other types of firewalls , example the elements of packet filtering and proxy services, or a packet filtering and circuit gateways.


That means a hybrids firewalls may actually of two separate firewall devices; each is a separate firewall system, but they are connected so that they work together.


Types of Firewalls


Finally, Types depending on whether the firewalls keeps track of the state of network connections or treats each packet in isolation, two additional categories of firewalls exist:


Stateful firewall


Stateless firewall


Stateful firewall


keeps track of the state of network connections (such as TCP streams) traveling across it.

 Stateful firewall is able to hold in memory significant attributes of each connection, from start to finish. These attributes, which are collectively known as the state of the connection, may include such details as the IP addresses and ports involved in the connection and the sequence numbers of the packets traversing the connection.


Stateless firewall


Treats each network frame (Packet) in isolation. Such a firewall has no way of knowing if any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet.


The classic example is the File Transfer Protocol, because by design it opens new connections to random ports.


Advantages of a Firewall


Stop incoming calls to insecure services


such as rlogin and NFS


Control access to other services


Control the spread of viruses


Cost Effective


More secure than securing every




Disadvantages of a Firewall


Central point of attack


Restrict legitimate use of the Internet


Bottleneck for performance


Does not protect the ‘back door’


Cannot always protect against




Cannot prevent insider attacks



Study Material, Lecturing Notes, Assignment, Reference, Wiki description explanation, brief detail
Information Security : Physical Design : Security Technology |

Privacy Policy, Terms and Conditions, DMCA Policy and Compliant

Copyright © 2018-2024 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.