Thursday, December 2, 2010

“Are Firewalls or Virtual Private Networks enough for Information Security?”

Nov 27, 2010.

 “Are Firewalls or Virtual Private Networks enough for Information Security?”
Today, “Security” is at top priority from any perspective. It may be concerned with the national security after 9/11 or it may be the threats we are facing with the increase in our dependability on the internet network as a means to get connected with each other. Since, information is easily accessed and distributed with the help of internet; we tend to depend on it more than anything else. Every individual and organization is connected with the internet to perform their day to day work. Since, we would be on the same network “internet” when we are connected; the private data an individual or an organization possesses has a great risk to be compromised.  Therefore, we need to have our information secured that may affect an individual, an organization or the whole nation and the national security.
A grim picture of the nation's cyber security could be presented by a report ordered by President Obama which was released in May 2009. It says, “The architecture of the Nation's digital infrastructure, based largely upon the Internet, is not secure or resilient”. The report concludes. “Without major advances in the security of these systems or significant change in how they are constructed or operated, it is doubtful that the United States can protect itself from the growing threat of cybercrime and state-sponsored intrusions and operations” (The White House). Hence, more money should be invested by Government on Research and Development (R & D) of new technology and infrastructures where information security is the number one priority.  
According to Committee on National Security (CNSS), Information Security is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information (Whiteman, Michael E). Information security could be implemented by planning for security, creating Information Security Policies, maintaining Physical Security, securing technology as Firewalls, Virtual Private Networks (VPNs), Intrusion Detection Tools, Access Control, Cryptography etc and constantly maintaining the information security demands. Among these, let us figure out how important Firewalls and VPNs are for confidentiality, integrity and availability of information (Whiteman, Michael E).
A Firewall may be a separate computer system, a software service running on an existing router or server, or a separate network containing a number of supporting devices that prevents specific types of information from moving between the outside world, known as the untrusted network (for example, the Internet), and the inside world, known as the trusted network (Whiteman, Michael E). Companies need to define their Network Security Policy before they can install Firewall as it contains the set of rules which allows certain traffic to enter the company and others which they would block as according to the Security Policy rules (Firewalls and Virtual Private Networks, Page 186). Hence, Firewalls filters network traffic according to the Security Policy of the company. 
According to processing mode of the Firewalls, it can be classified in to three basic categories: Packet Filters, Proxy Servers and Stateful Packet Filters. Packet Filter Firewalls inspects each packet for user-defined filtering rules to determine whether to pass or block it. It makes decisions based on Network Layer and Transport Layer and they are least secure of all Firewalls because the ports and addresses could be spoofed and the hacker could be granted an access to the network once the connection is established (Firewalls and Virtual Private Networks, Page 187).
Proxy Servers, on the other hand is an application that redirects user’s requests to the actual services based on an organization’s Security Policy and all the communications between a user and the actual server occurs through the Proxy Server (Firewalls and Virtual Private Networks, Page 188).  Application Gateway is a proxy server that provides access control at application layer and is able to examine traffic in detail; it is considered the most secure type of Firewall. It can provide IP address hiding functionality from trusted network to the outer world and minimizes the probability of hackers getting in to our network. Circuit-Level Gateways, which operates on transport layer, is a proxy server that validates Transfer Control Protocol (TCP) and User Datagram Protocol (UDP) sessions before allowing a connection or circuit through Firewall (Firewalls and Virtual Private Networks, Page 188). It is not as secured as an Application Gateway because once a connection is established in transport layer; any application can run across that connection.
(Source: Firewalls and Virtual Private Networks, Page 187)
Stateful Packet Filters keep track of each network connection between internal and external systems using a state table. When a Stateful Packet filtering gateway receives a data packet, it checks the packet against the known state of the session and if it deviates from the expected session state, the gateway blocks the rest of the session. The vulnerability of this type of Firewall is that it could slower the Firewall and eventually the network connection, if there is Denial-of-service (DoS) and Distributed Denial-of-Service (DDoS) attacks from the hackers and probably freeze the firewall and the network (Whiteman, Michael E.).
Firewall Architecture is the manner in which firewall components are arranged to provide effective security. We can setup Dual-Homed Host Firewall, Screened Host Firewall or Screened Subnet Firewall, also called Demilitarized Zone (DMZ) for the confidentiality, integrity and availability of the information, according to our needs.
A Web Application Firewall (WAF) is designed to protect Web applications against common attacks such as Cross-Site Scripting and SQL injection. WAF can detect whether an application is not behaving the way it was designed to, and it enables us to write specific rules to prevent that kind of attack from reoccurring (Brandel Wed). They are designed specifically to protect the web applications rather than focusing mainly on the network.
Although, we discussed many Firewalls that could protect our information from being compromised, John Arquilla, a professor of defense analysis at the Naval Post Graduate School in Monterey, California, sees security with Firewall, differently. He says “As any good hacker will tell you, there are no Firewalls. The master hackers walk through these Firewalls the way you and I walk through a room. So our level of security is very poor. We're a vastly under-encrypted society and military. The only way to provide some reasonable modicum of security is to recognize that the bad guys will always get in, and so you have to encrypt, encrypt, encrypt so that they don't know what they have when they do get in”. According to Arquilla, only about 10 percent of network traffic - both on civilian and military networks - is currently being encrypted. “It is the single issue of greatest importance that gets the least attention” (Marshall, Patrick). Therefore, we need to encrypt the data and even if the hackers enter our system, they would not be able to get the information out of the data they would have an access.
More importantly, upcoming research and scientific breakthrough on Position-Based Quantum Cryptography could even more help confidentiality, integrity and availability of information. “There is a lot of need for position-based cryptography," says Prof. Rafail Ostrovsky, a computer scientist and researcher at University of California, Los Angeles (UCLA). "The new discovery here is how to exchange a key relying on quantum physics” (Messmer, Ellen). Quantum Cryptography makes use of quantum systems to do cryptographic tasks and it is almost impossible to disprove a mathematical equation, unless there is an error. If it could be implemented in any practical use then it would solve a lot of security issues from the broad perspective (Messmer, Ellen). Therefore, Government should also invest money on research and development so that, new security technologies that have potential, as Quantum Cryptography could come up in speed and reduce loss of money in trillions of dollars due to information being compromised. Investment on research and development could have a serious positive impact on our economy as well.
Let us again come back to the technologies we have and implementing daily. The next security technology we have is Virtual Private Networks (VPNs). Unlike Private Networks, Virtual Private Networks provides a secure connection between senders over a public non-secured network such as the internet. A secured connection is generally associated with the private networks. It uses data encryption to prevent unauthorized users from accessing data. It uses tunneling process to transport the encrypted data across the internet (Firewalls and Virtual Private Networks). There are four tunneling protocols used to establish VPNs: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Forwarding (L2F), Layer 2 Tunneling Protocol (L2TP) and IP Security (IPSec) Protocol Suit. L2TP, operates at the data link layer. PPTP was developed by Microsoft and a group of network equipment vendors including Ascend Communications and 3Com. L2F is a proprietary protocol that was developed by Cisco Systems.
Although, VPNs are cost effective there are flaws on the tunneling protocol we use to create them. Security researchers have reported that Microsoft PPTP has a number of weaknesses that could allow someone to compromise the very security it is intended to provide. These weaknesses could allow an attacker to discover the password you use to connect to the VPN server (your OIT Windows password), and to decrypt your traffic as it crosses the network between your VPN client and the VPN server (The Office of Information Technology, Princeton University). Common VPN flaws are VPN fingerprinting, insecure storage of authentication credentials by VPN clients, username enumeration vulnerabilities, offline password cracking, man-in-the-middle attacks, lack of account lockouts, poor default configurations, poor guidance and documentation (Hills, Roy). As a normal user, we believe that creating VPNs for the organization adds security but, the fact is that we are not. We need to constantly upgrade our knowledge about security and take appropriate actions.
Recently, a new VPN flaw was identified that can expose user’s IP address behind the VPN. This is a serious problem. The problem is being reported by researchers for the VPNs that uses Microsoft’s PPTP protocol over (Internet Protocol Version 6) IPv6, the newest version of the core Internet Protocol. Organizations, governments and enterprises are slowly getting off IPv6 and going back to IPv4. Researchers identified this flaw but it is likely that we are unaware of so many flaws which the hackers are silently taking the advantage off. Therefore, VPNs may serve as a means of security but, it is not the end in itself for the confidentiality, integrity and availability of information.
Finally, I would like to put a light on the fact that either putting up firewalls or creating a Virtual Private Networks (VPNs) doesn’t ensure the security of information. Security, on the first hand, is a continuous process and needs to be considered a top priority by any individual, organization or the whole nation for the national security. I believe more and more courses on “Information Security” should be taught on Colleges and Universities and every organization should seriously take security as one of the department apart from the IT Department. As we go more advanced in technology, more security issues are likely to be evolved and we need to be prepared to be able to tackle them. Security Awareness is very important which could lead towards good security practices in our daily lives. I always believed that we should follow our intuitions and instincts before doing something or before taking any actions while using technological devices. If every individual is aware of security and uses their knowledge in everyday life then the organization is more likely to be secured. If every people know what they are doing then most of the security problems would be solved. Most of the systems are hacked because the level of security education of some individuals is not up to the mark and the whole organization or system gets compromised. Therefore, every individuals need to constantly practice Information Security and make Information Security, their way of life for the confidentiality, integrity and availability of the information.

Works Cited:
Brandel Wed, By Mary. "Web App Firewalls: How to Evaluate, Buy and Implement" 10 June 2009. Web. 02 Dec. 2010. <>.

"Firewalls and Virtual Private Networks." 185-207. Web. 1 Dec. 2010. <>. This is the PDF format of a book found online on Google: Type "Firewalls and Virtual Private Networks" to get the online version of the book.

Fisher, Dennis. "New VPN Flaw Can Expose Users' IP Addresses | Threatpost." Threatpost | The First Stop for Security News. 21 June 2010. Web. 02 Dec. 2010. <>.

Hills, Roy. "Common VPN Security Flaws." 25 Jan. 2005. Web. 02 Dec. 2010. <>.

Marshall, Patrick. "Cybersecurity." CQ Researcher 20.8 (2010): 169-192. CQ Researcher. Web. 2 Dec. 2010. <>.

Messmer, Ellen. "Position-based Quantum Cryptography: A Scientific Breakthrough?" Network World. 03 Aug. 2010. Web. 02 Dec. 2010. <>.

The Office of Information Technology, Princeton University. "OIT PPTP VPN Service." OIT Network Systems. 29 July 2010. Web. 02 Dec. 2010. <>.

The White House. "Cyberspace Policy Review." Cyberspace Policy Review. The White House, May 2009. Web. 27 Nov. 2010. <>.

Whiteman, Michael E., and Herbert J. Mattord. Principles of Information Security. Third ed. Book.