
Think about a firewall and a virtual private network (VPN). As more systems go cloud-based, do you think the need for firewalls will increase or decrease their dependency on VPNs? Why, or why not?

Course Textbook

Whitman, M. E., & Mattord, H. J. (2022). Principles of information security (7th ed.). Cengage Learning. https://online.vitalsource.com/#/books/9780357506561

SEC 3301, Security Application Development 1

Course Learning Outcomes for Unit V

Upon completion of this unit, students should be able to:

3. Explain the best practices for securing an application and database.
   3.1 Explain how to secure hardware and software through access controls.
   3.2 Examine which network traffic should be filtered using firewalls and VPNs.

Required Unit Resources

Module 8: Security Technology: Access Controls, Firewalls, and VPNs

Unit Lesson

The main goal for information security is to secure the network, which brings together the hardware, software, and people within the organization. The how, who, what, where, when, and why are established through a thorough investigation and evaluation of which assets need to be protected and who is authorized to access the data in the information system. Not everyone needs access to all information assets; this is especially true for managers at the different levels of the organization. In the previous unit, you learned about risk management; the goal here is to bring those risks down to an authorized, acceptable level. Within the planning process of the strategic development, the chief information security officer (CISO) must determine who is authorized, what access level is granted, and what hardware asset is assigned. This is the first step in the protection of all technology infrastructures in the organization.

There are several access control enablers that system administrators are authorized to use to grant end users access to the hardware and software entrusted to them. Four basic access controls are within the grasp of the system administrator. These access control enablers are described below (Whitman & Mattord, 2022).

1. Discretionary access controls (DAC): The user is in control of determining who is allowed to share resources within a peer-to-peer network. The user can provide temporary or permanent access to other users to the shared resources.

2. Nondiscretionary access controls (NDAC): Users who share the same interest are authorized access to information resources as a group rather than individually.

3. Mandatory access controls (MAC): Data is labeled under a classification scheme, and users are given access according to that classification, so users have limited control over the information in the resources.

4. Attribute-based access control (ABAC): This is a new approach developed by the National Institute of Standards and Technology (NIST) that utilizes attributes such as name, address, zip code, and age to determine what information is authorized to be released to the user.

Four access control functions ensure that you are an authorized user to access the needed resources within the organization. The four access control functions are briefly described below (Whitman & Mattord, 2022).

1. Identification: You are the authorized user of the system.
2. Authentication: You have proof to access the use of the system (something you know, something you have, and something you are).
3. Authorization: You have certain access within the system.
4. Accountability: Management can track and monitor your use of the system.

UNIT V STUDY GUIDE Implementing Security through Access Controls


Biometric access control is dependent on recognition, and there are different biometric authentication technologies, which are shown below (Whitman & Mattord, 2022).

1. Fingerprint comparison of the supplicant’s actual fingerprint to a stored fingerprint
2. Palm print comparison of the supplicant’s actual palm print to a stored palm print
3. Hand geometry comparison of the supplicant’s actual hand to a stored measurement
4. Facial recognition using a photographic ID card, in which a human security guard compares the supplicant’s face to a photo
5. Facial recognition using a digital camera, in which a supplicant’s face is compared to a stored image
6. Retinal print comparison of the supplicant’s actual retina to a stored image
7. Iris pattern comparison of the supplicant’s actual iris to a stored image

These forms of access control functions deal with human access control measures. The nonhuman access control is either hardware, software, or both, depending on the desired security controls for the information assets. Firewalls in software- or hardware-based networks, routers, and intrusion detection and prevention systems (IDPS) provide the hardware asset protection within the information technology (IT) infrastructure. The rest of this lesson will concentrate on these hardware protection devices.

Typically, when speaking of biometrics, four human characteristics are generally considered unique. Two of the characteristics have to do with the eyes: the retina and the iris. The other two are fingerprints and DNA. Other types of biometrics are also in use, but they are all evaluated on three basic criteria: false reject rate, false accept rate, and crossover error rate (CER). Many exceptionally reliable biometric systems are considered obtrusive by users, which works against their acceptance and, in turn, against their effectiveness as a security control. The goal for both effectiveness and acceptability is to find a balance between providing the requisite level of security and minimizing authentic users’ frustration. The table below shows both the acceptability and effectiveness of general biometric capabilities in terms of (H) high rating, (M) medium rating, and (L) low rating.
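To make the three evaluation criteria concrete, here is an added worked example (it is not from the textbook or the course materials) that computes the false accept rate (FAR), the false reject rate (FRR), and the crossover error rate for a biometric matcher across a sweep of decision thresholds. The genuine and impostor score lists are constructed values for illustration, not measurements from any real system, and the function names are this example's own:

```python
from typing import List, Tuple

# Constructed matcher scores on a 0-100 similarity scale for one hypothetical
# biometric system. "Genuine" scores come from the enrolled user presenting
# their own biometric; "impostor" scores come from other people. These numbers
# are made up to illustrate the trade-off, not measured from a real device.
GENUINE = [92, 88, 85, 81, 79, 76, 74, 70, 66, 60]
IMPOSTOR = [20, 28, 35, 41, 48, 55, 62, 68, 72, 77]


def false_accept_rate(impostor: List[int], threshold: int) -> float:
    # Impostors whose score reaches the threshold are wrongly accepted.
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def false_reject_rate(genuine: List[int], threshold: int) -> float:
    # Genuine users whose score falls below the threshold are wrongly rejected.
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def crossover_error_rate(genuine: List[int], impostor: List[int],
                         lo: int = 0, hi: int = 100) -> Tuple[int, float]:
    # Sweep every integer threshold; the CER is the error rate at the threshold
    # where FAR and FRR meet (ties resolved toward the lowest threshold).
    best_t, best_gap, best_rate = lo, float("inf"), 1.0
    for t in range(lo, hi + 1):
        far = false_accept_rate(impostor, t)
        frr = false_reject_rate(genuine, t)
        gap = abs(far - frr)
        if gap < best_gap:
            best_t, best_gap, best_rate = t, gap, (far + frr) / 2
    return best_t, best_rate


def threshold_for_max_far(impostor: List[int], max_far: float,
                          lo: int = 0, hi: int = 100) -> int:
    # Security-first tuning: the lowest threshold that keeps FAR at or below
    # the target. The price is paid in FRR, i.e. user frustration.
    for t in range(lo, hi + 1):
        if false_accept_rate(impostor, t) <= max_far:
            return t
    return hi


if __name__ == "__main__":
    t, cer = crossover_error_rate(GENUINE, IMPOSTOR)
    print(f"CER {cer:.2f} at threshold {t}")
    strict = threshold_for_max_far(IMPOSTOR, 0.0)
    print(f"FAR 0 needs threshold {strict}, FRR becomes "
          f"{false_reject_rate(GENUINE, strict):.2f}")
```

With these constructed scores the two error curves cross at a threshold of 69, where both FAR and FRR are 0.2. Pushing the threshold to 78 eliminates false accepts entirely but rejects half of the genuine users, which is exactly the acceptability cost the lesson describes for highly effective but obtrusive systems.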

Biometrics        Universality  Uniqueness  Permanence  Collectability  Performance  Acceptability  Circumvention
Face              H             L           M           H               L            H              L
Face Thermogram   H             H           L           H               M            H              H
Fingerprint       M             H           H           M               H            M              H
Hand Geometry     M             M           M           H               M            M              M
Hand Vein         M             M           M           M               M            M              H
Eye: Iris         H             H           H           M               H            H              H
Eye: Retina       H             H           M           L               H            L              H
DNA               H             H           H           L               H            L              L
Odor & Scent      H             H           H           L               L            M              L
Voice             M             L           L           M               L            H              L
Signature         L             L           L           H               L            H              L
Keystroke         L             L           L           M               L            M              M
Gait              M             L           L           H               L            H              M

Figure 1. Ranking of Biometric Effectiveness and Acceptance (Whitman & Mattord, 2022)

Security access control architecture models such as the Trusted Computer System Evaluation Criteria (TCSEC), Biba, and zero trust architecture (ZTA) all evaluate access controls and can help organizations quickly make improvements through adaptation. TCSEC relies on a trusted computing base (TCB) for a security policy to be enforceable. Biba is based on the premise that higher levels of integrity are more worthy of trust than lower ones, and ZTA focuses on authentication of users, assets, and resources. These three, as well as others listed by the textbook authors, are all focused on security access control (Whitman & Mattord, 2022).
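The access control enablers listed earlier (DAC, NDAC, MAC, ABAC), the four access control functions, and the Biba integrity rule just described can all be combined in a single decision point. The following is an added example written for this lesson, not code from the textbook or any product; the subjects, resources, labels and attribute policy are constructed, and the class and function names are this example's own. The Biba rules are implemented as "no read down, no write up", which follows from the premise that higher integrity levels are more trustworthy:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# MAC classification scheme (constructed): higher number = more sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Subject:
    name: str                      # identification
    clearance: str                 # MAC clearance label
    integrity: int                 # Biba integrity level (higher = more trusted)
    groups: Set[str] = field(default_factory=set)          # NDAC group membership
    attrs: Dict[str, str] = field(default_factory=dict)    # ABAC attributes


@dataclass
class Resource:
    name: str
    owner: str                     # DAC: the owner decides who else may access
    classification: str            # MAC label
    integrity: int                 # Biba integrity level
    acl: Set[str] = field(default_factory=set)             # DAC grants by owner
    groups: Set[str] = field(default_factory=set)          # NDAC groups allowed
    abac_policy: Dict[str, str] = field(default_factory=dict)  # required attrs


def dac_allows(s: Subject, r: Resource) -> bool:
    # Discretionary: owner always passes; others need an ACL entry from the owner.
    return s.name == r.owner or s.name in r.acl


def ndac_allows(s: Subject, r: Resource) -> bool:
    # Nondiscretionary: access granted to a group, not a person. No groups on the
    # resource means it imposes no group restriction.
    return not r.groups or bool(s.groups & r.groups)


def mac_allows(s: Subject, r: Resource) -> bool:
    # Mandatory: the subject's clearance must dominate the classification.
    return LEVELS[s.clearance] >= LEVELS[r.classification]


def biba_allows(s: Subject, r: Resource, action: str) -> bool:
    # Biba integrity: only read data of equal or higher integrity (no read down),
    # only write data of equal or lower integrity (no write up).
    if action == "read":
        return r.integrity >= s.integrity
    if action == "write":
        return r.integrity <= s.integrity
    return False


def abac_allows(s: Subject, r: Resource) -> bool:
    # Attribute-based: every attribute the resource policy names must match.
    return all(s.attrs.get(k) == v for k, v in r.abac_policy.items())


class ReferenceMonitor:
    """Authorization decision point that also records an audit trail
    (the accountability function)."""

    def __init__(self) -> None:
        self.audit: List[Tuple[str, str, str, bool, List[str]]] = []

    def decide(self, s: Subject, r: Resource, action: str) -> Tuple[bool, List[str]]:
        checks = {
            "dac": dac_allows(s, r),
            "ndac": ndac_allows(s, r),
            "mac": mac_allows(s, r),
            "biba": biba_allows(s, r, action),
            "abac": abac_allows(s, r),
        }
        denied_by = [name for name, ok in checks.items() if not ok]
        allowed = not denied_by
        # Accountability: who tried what, on which resource, and which control said no.
        self.audit.append((s.name, r.name, action, allowed, denied_by))
        return allowed, denied_by


# Constructed sample principals and resources.
ALICE = Subject("alice", "secret", 2, {"finance"}, {"dept": "finance"})
CAROL = Subject("carol", "internal", 3, {"hr"}, {"dept": "hr"})
PAYROLL = Resource("payroll", "bob", "confidential", 2, acl={"alice"},
                   groups={"finance"}, abac_policy={"dept": "finance"})
SCRATCH = Resource("scratch", "alice", "public", 0)   # low-integrity scratch file

if __name__ == "__main__":
    rm = ReferenceMonitor()
    for subj, res, act in [(ALICE, PAYROLL, "read"), (CAROL, PAYROLL, "read"),
                           (ALICE, SCRATCH, "read"), (ALICE, SCRATCH, "write")]:
        print(subj.name, act, res.name, rm.decide(subj, res, act))
```

Note how the low-integrity scratch file is writable by alice but not readable by her under Biba: it is her own file (DAC passes) and far below her clearance (MAC passes), yet reading untrusted data would let it influence a higher-integrity subject. Each decision is appended to the audit list so that management can review who was denied and by which control.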


The Information Technology System Evaluation Criteria (ITSEC) is much like the TCSEC. The ITSEC is an international set of criteria for evaluating computer systems, focused on targets of evaluation (ToE). A ToE is compared against detailed security function specifications that describe the system's functionality, and it is subjected to penetration testing assessments.

Firewalls have been around for a long time; no one knows when or from where the term originated. However, we know this about a firewall: it prevents a fire from breaching the wall. As an example, a firewall between two buildings prevents a fire from jumping to the next building, and a firewall in a car separates the passengers from the engine heat, fumes, gases, and other components. In simple terms, a firewall prevents unwanted information from entering the network but allows authorized information to move freely in or out through the firewall. Firewalls are classified into the categories listed below.

• Packet-filtering firewalls examine the header information of the packet.
• Application layer proxy firewalls protect the web server.
• Media access control (MAC) layer firewalls operate at the Layer 2 (data link) level of the open-source interface.
• Hybrids contain a combination of the firewalls mentioned above.

Most organizations utilize packet-filtering firewalls, which control network access by monitoring incoming and outgoing information or data packets. This type of firewall compares each packet against a set of predefined rules and policies. When a packet reaches the firewall, the packet is either accepted or not accepted based on those rules and policies. The packet filter checks the source and destination Internet Protocol (IP) addresses, and if both addresses match a permitting rule, the packet is passed. Note that packet filters also look at the User Datagram Protocol (UDP) as well as the Transmission Control Protocol (TCP). There are three sub-elements of packet-filtering firewalls, which are listed below.

1. Static packet filtering requires rules to be developed and installed in the firewall.
2. Dynamic packet filtering requires a unique packet with a unique source, destination, and port address to be granted access.
3. Stateful packet inspection can accelerate incoming packets that contain a response to requests made from inside the network (Whitman & Mattord, 2022).

Application layer proxy firewalls are commonly known as proxy servers or reverse proxy servers. As the name implies, these firewalls look at the application layer headers. Their use makes it possible to operate web servers, to allow or deny connections from inside the network out to the internet, and to permit or deny connections from the internet into the network. The proxy server utilizes a registered domain uniform resource locator (URL), which protects or masks the identity of the web server. The basic proxy configuration has two network interfaces, one for end-user connections and the other to access websites from the internet. The application layer proxy firewall is frequently found in the unsecured area of a network called the demilitarized zone (DMZ) (Whitman & Mattord, 2022).

MAC layer firewalls allow or deny connections on the user’s computer by the unique identity of the media access card or network interface card (NIC). This should not be confused with the mandatory access controls mentioned in previous paragraphs. The MAC layer operates within the open-source interface Layer 1, which is physical, and Layer 2, which is the data link.
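The difference between static packet filtering and stateful packet inspection is easiest to see in code. The following is an added example written for this lesson, not code from the textbook or from any firewall product; the rule base, addresses and packets are constructed, and the class and field names are this example's own. The static path walks an ordered rule list (first match wins, default deny); the stateful path remembers each allowed outbound flow so that the matching reply can be accepted without a separate inbound rule:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the internet) or "out" (from the internal network)
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in", "out" or "any"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # CIDR of permitted sources
    dst: str                     # CIDR of permitted destinations
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        # Header-only inspection: direction, protocol, addresses and port.
        return (
            self.direction in ("any", p.direction)
            and self.proto in ("any", p.proto)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (self.dport is None or self.dport == p.dport)
        )


# Constructed static rule base; first match wins and the last rule is the default deny.
RULES: List[Rule] = [
    Rule("allow", "out", "any", "10.0.0.0/8", "0.0.0.0/0"),        # internal hosts may initiate
    Rule("allow", "in", "tcp", "0.0.0.0/0", "10.0.0.5/32", 443),   # public HTTPS to DMZ web server
    Rule("deny", "any", "any", "0.0.0.0/0", "0.0.0.0/0"),          # default deny
]

FlowKey = Tuple[str, str, int, str, int]


class PacketFilter:
    def __init__(self, rules: List[Rule], stateful: bool = True) -> None:
        self.rules = rules
        self.stateful = stateful
        self.state: Dict[FlowKey, bool] = {}   # established outbound flows

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p: Packet) -> FlowKey:
        # A reply to an outbound flow has source and destination swapped.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> Tuple[str, str]:
        # Stateful fast path: inbound packets that answer a remembered outbound
        # flow pass without walking the rule list.
        if self.stateful and p.direction == "in" and self._reply_key(p) in self.state:
            return "allow", "established"
        for index, rule in enumerate(self.rules):
            if rule.matches(p):
                if rule.action == "allow" and p.direction == "out":
                    self.state[self._key(p)] = True   # remember the flow for its reply
                return rule.action, f"rule:{index}"
        return "deny", "no-match"


# Constructed sample traffic.
DNS_QUERY = Packet("out", "udp", "10.0.0.20", 51000, "203.0.113.10", 53)
DNS_REPLY = Packet("in", "udp", "203.0.113.10", 53, "10.0.0.20", 51000)
HTTPS_IN = Packet("in", "tcp", "198.51.100.7", 40000, "10.0.0.5", 443)
UNSOLICITED_IN = Packet("in", "tcp", "198.51.100.7", 4444, "10.0.0.20", 22)

if __name__ == "__main__":
    for stateful in (False, True):
        fw = PacketFilter(RULES, stateful=stateful)
        print("stateful" if stateful else "static")
        for pkt in (DNS_QUERY, DNS_REPLY, HTTPS_IN, UNSOLICITED_IN):
            print("  ", pkt.direction, pkt.proto, pkt.src, "->", pkt.dst, fw.filter(pkt))
```

With the static filter alone, the DNS reply is dropped by the default-deny rule even though the internal host asked for it; an administrator would have to add a broad inbound rule to let replies through. The stateful filter accepts the same reply because it matches a flow in the state table, while the unsolicited inbound connection still hits the default deny.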

Reference

Whitman, M. E., & Mattord, H. J. (2022). Principles of information security (7th ed.). Cengage Learning.


Suggested Unit Resources

In order to access the following resources, click the links below.

The following PowerPoint presentation will summarize and reinforce the information from Module 8 in your textbook.

Module 8 PowerPoint presentation (PDF version of the Module 8 PowerPoint presentation)

Below is a video on firewalls located in the Films on Demand database within the CSU Online Library.

NewsHour Productions (Producer). (2003). Internet "tsunami warning," firewalls, and other protection programs (Segment 2 of 2) [Video]. In Computer worms and viruses. Films on Demand. https://libraryresources.columbiasouthern.edu/login?auth=CAS&url=https://fod.infobase.com/PortalPlaylists.aspx?wID=273866&xtid=33538&loid=23951

To view a transcript of this video, click on the “Transcript” tab near the top right corner of the page.

Learning Activities (Nongraded)

Nongraded Learning Activities are provided to aid students in their course of study. You do not have to submit them. If you have questions, contact your instructor for further guidance and information.

Research Online

Conducting your own research to further your learning and understanding can help you become a stronger student and can help you to see what areas interest you. Additionally, you may find resources that can help you complete your assignments. Consider searching the Academic OneFile database of the CSU Online Library using the following phrase: “computer access controls, firewalls, biometrics, and TCSEC.” Please note: When searching, remove the commas and capitalization, and use the top search box with "Subject" selected from the dropdown. Once the results generate, use these search options to refine the results: “Peer Reviewed Journals” and "Custom Date Range" between 2022 and the present to ensure that articles are scholarly and less than 5 years old. Then, select and read two articles.

Access the Academic OneFile database.

Check Your Knowledge

Answer the questions for the Module 8 Review Questions and Exercises. These questions will help you assess whether or not you have mastered the unit content. Can you answer them without looking back in the textbook?

Answers for Module 8 Review Questions and Exercises
