PIV Systems – Threat Environment

Thursday, February 5th, 2009

The PIV System is defined to enhance security and trust in identity credentials, but no practical system can guarantee perfect security. This section discusses known technical threats to PIV authentication mechanisms, especially the CHUID authentication mechanism.

Methods of attack are described in general terms, and this is not an exhaustive list of possible attacks. Attackers often succeed by exploiting overlooked or newly [..]

Computer Security – Definitions

Wednesday, February 4th, 2009

Application-Proxy Gateway Firewall: An advanced firewall that combines lower layer access control with upper layer functionality, and includes a proxy agent that acts as an intermediary between two hosts that wish to communicate with each other.

Boundary Router: A router located at the organization’s boundary with an untrusted external network. In the context of this document, a boundary router is configured to be a packet filter firewall.

Circuit-Level Gateway: A form of [..]

Firewall planning | General Recommendations

Wednesday, February 4th, 2009

The following recommendations for firewall planning and implementation will help administrators plan for firewall placement and implement their firewall policies:

  • Placement and Deployment
    • Place a packet-filtering firewall at the edge of each discrete network in the organization.[..]

Firewalls | Deploy and Manage

Wednesday, February 4th, 2009

Deploy
Once testing is complete and all issues have been resolved, the next phase of the firewall planning and implementation model is deployment, which should be done in accordance with organization policies.

Before deploying the firewall, administrators should notify users or owners of potentially affected systems of the planned deployment, and instruct them who to notify if they encounter any problems. Any changes required to other equipment, such as changing default routes, should [..]

Firewall Planning

Wednesday, February 4th, 2009

The planning phase for choosing and implementing a firewall can begin only after an organization has determined that a firewall is needed to enforce the organization’s security policy. This typically occurs following a risk assessment of the overall system.

A risk assessment includes:

  • the identification of threats and vulnerabilities in the information system;
  • the potential impact or magnitude of harm that a loss of confidentiality, integrity, or availability would have on the [..]

Firewalls | Policies Based on Applications

Wednesday, February 4th, 2009

Most early firewall work involved simply blocking unwanted or suspicious traffic at the network boundary. Inbound application proxies take a different approach—they let traffic destined for a particular server into the network, but capture that traffic in a server that processes it like a port-based firewall.

The application proxy approach provides an additional layer of security for incoming traffic by validating some of the traffic before it reaches the desired [..]

TCP and UDP, ICMP and IPSEC PROTOCOLS

Wednesday, February 4th, 2009

TCP and UDP

TCP and UDP are used by applications. An application server typically listens at a fixed TCP or UDP port, while application clients typically use any of a wide range of ports—and as with other aspects of firewall rulesets, deny by default policies should be used for incoming TCP and UDP traffic.

Less stringent policies are generally used for outgoing TCP and UDP traffic because most organizations permit their users [..]

Firewall policies | IP Addresses and Characteristics

Wednesday, February 4th, 2009

Firewall policies should only permit appropriate source and destination IP addresses to be used. Specific recommendations for IP addresses include:

  • Traffic with invalid source or destination addresses should always be blocked, regardless of the firewall location. Examples of relatively common invalid IPv4 addresses are 127.0.0.1 (also known as the localhost address) and 0.0.0.0 (interpreted by some operating systems as a localhost or a broadcast address). These have no legitimate use on [..]

Architecture with Multiple Layers of Firewalls

Wednesday, February 4th, 2009

There is no limitation on where a firewall can be placed in a network. While firewalls should be at the edge of a logical network boundary, creating an “inside” and “outside” on either side of the firewall, a network administrator may wish to have additional boundaries within the network and deploy additional firewalls to establish such boundaries.

The use of multiple layers of firewalls is quite common to provide defense-in-depth. For [..]

Network Layouts with Firewalls

Wednesday, February 4th, 2009

The figure below shows a typical network layout with a hardware firewall device acting as a router. The unprotected side of the firewall connects to the single path labeled “WAN,” and the protected side connects to three paths labeled “LAN1,” “LAN2,” and “LAN3.” The firewall acts as a router for traffic between the Wide Area Network (WAN) path and [..]

Copyright © 2008 Home Automation - JAEC - All the rights reserved