1 of 20

C H A P T E R 6

Security Technology

Firewalls • VPNs • IDPS • Cryptographic Tools • Physical Security

Principles of Information Security, 6th Edition | Whitman & Mattord

2 of 20

Learning Objectives

1. Understand firewall types: packet filtering, stateful inspection, application-layer, and NGFW

2. Describe firewall architectures: dual-homed, screened host, screened subnet (DMZ)

3. Explain IDPS types (NIDPS vs HIDPS) and detection methods (signature vs anomaly)

4. Understand VPN transport vs. tunnel modes and protocols: IPSec, SSL, L2TP, PPTP

5. Describe IPSec components: AH (auth only), ESP (encrypt+auth), IKE (key exchange)

6. Explain cryptographic email tools: S/MIME (PKI) and PGP (web of trust)

7. Understand WAF, content filtering, NAC, honeypots, and vulnerability scanners

8. Identify physical security technologies: access control, environmental systems

Chapter 6: Security Technology

Objectives

3 of 20

Security Technology — Defense in Depth Layers

Physical

Locks, mantraps, CCTV, badge readers, HVAC, UPS

Perimeter

Firewalls, DMZ, screening routers, IDS/IPS

Host

HIDS, endpoint AV, OS hardening, log management

Application

WAF, content filtering, web proxy, input validation

Data

Encryption (TLS/IPSec), DLP, access controls, PGP

Technology alone cannot secure an organization — combine with administrative controls (policies, training) and physical controls

Chapter 6: Security Technology

Overview

4 of 20

Firewall Types by Processing Mode

OSI 3–4

Packet Filtering

✓ Fastest; low overhead; built into routers

✗ Stateless; no payload inspection; spoofable

OSI 3–4

Stateful Inspection (SPI)

✓ Tracks connection state table; allows return traffic

✗ No application-layer content inspection

OSI 7

Application / Proxy

✓ Full payload inspection; detects SQLi, XSS

✗ Slowest; protocol-specific; visible to users

OSI 5

Circuit-Level Gateway

✓ Validates TCP handshake; faster than proxy

✗ No payload inspection after connection established

All OSI

Next-Gen Firewall (NGFW)

✓ App ID + user awareness + IPS + SSL inspection

✗ Complex; expensive; processing overhead

Rule base evaluated TOP-TO-BOTTOM — first matching rule wins. Implicit DENY ALL at bottom is best practice.

Chapter 6: Security Technology

Firewall Types

5 of 20

Firewall Architectures — DMZ Design

INTERNET

(Untrusted)

OUTER

FIREWALL

DMZ

Web Server

Mail Relay

DNS Server

INNER

FIREWALL

INTERNAL

NETWORK

(Trusted)

Dual-Homed

One FW, two NICs (external + internal). IP forwarding disabled.

Screened Host

Screening router + bastion host. Two layers of protection.

Screened Subnet

Two firewalls creating a DMZ. BEST PRACTICE architecture.

★ Bastion Host = hardened server in DMZ; stripped of unnecessary services; most likely to be attacked.

Chapter 6: Security Technology

Firewall Architecture

6 of 20

Intrusion Detection & Prevention Systems (IDPS)

IDS — Intrusion Detection System

PASSIVE — detects and alerts only

Does NOT block traffic automatically

Out-of-band: receives copy of traffic

Generates alert for analyst review

Lower risk of disrupting legitimate traffic

Suitable where false positive risk is high

IPS — Intrusion Prevention System

ACTIVE — detects and blocks in real time

INLINE — sits directly in traffic path

Can drop packets, reset connections, block IPs

Automated response; no analyst delay

Risk: false positives block legitimate traffic

Suitable for high-confidence signature rules

★ False Negative (missed attack) is MORE dangerous than False Positive (false alarm) in security contexts.

Chapter 6: Security Technology

IDS vs IPS

7 of 20

NIDPS vs HIDPS — Detection Methods

Network-Based IDPS (NIDPS)

Monitors network segment traffic

Centralized; no host performance impact

Cannot inspect encrypted traffic

NIDS = passive; NIPS = inline blocking

Host-Based IDPS (HIDPS)

Installed on individual endpoints

Monitors system calls, files, registry, logs

Can inspect encrypted traffic (post-decrypt)

Detects insider threats; must deploy on each host

Signature-Based

Matches known attack patterns from database. Low false positives. CANNOT detect zero-days. Must update signatures continuously.

Anomaly-Based

Detects deviations from learned baseline. CAN detect zero-days and novel attacks. Higher false positive rate. Needs learning period.

Specification-Based

Rules define normal behavior for protocols. Lower false positive than anomaly-based. Requires manual specification effort.

Chapter 6: Security Technology

IDPS Types & Detection

8 of 20

Virtual Private Networks (VPNs)

VPN MODES

TRANSPORT MODE

IP Header

(visible)

Payload (ENCRYPTED)

Encrypts PAYLOAD ONLY — original IP header visible. Used for host-to-host VPN.

TUNNEL MODE

New IP Header

ENCRYPTED (orig header + payload)

Encrypts ENTIRE original packet — new header added. Used for site-to-site VPN. Original IPs hidden.

Site-to-Site VPN

IPSec tunnel — permanently connects two office networks

Remote Access VPN

SSL/TLS or IPSec — employees connecting from home

Extranet VPN

Connect partner / supplier / customer networks securely

Clientless SSL VPN

Browser-based HTTPS portal — no client install required

Chapter 6: Security Technology

VPN Modes

9 of 20

IPSec Protocol Suite

AH — Authentication Header

PROVIDES:

✓ Data integrity (hash of packet)

✓ Data origin authentication

✓ Anti-replay protection

DOES NOT PROVIDE:

✗ Confidentiality (NO encryption)

Authenticates ENTIRE IP packet including outer header

ESP — Encapsulating Security Payload

PROVIDES:

✓ Confidentiality (encryption)

✓ Data integrity

✓ Data origin authentication

DOES NOT PROVIDE:

✗ Does not protect outer IP header in transport mode

Most commonly used IPSec protocol — provides both encryption and auth

IKE — Internet Key Exchange

PROVIDES:

✓ Negotiates Security Associations (SAs)

✓ Manages cryptographic keys

✓ Uses UDP port 500

DOES NOT PROVIDE:

✗ Not directly used for data protection

SA = one-way logical connection defining algorithms and keys. Two SAs needed per tunnel.

Chapter 6: Security Technology

IPSec

10 of 20

Secure Protocol Reference — Ports & Functions

Protocol

Port

Secures

Replaces / Notes

HTTPS

443/TCP

HTTP web traffic

HTTP (80)

SSH

22/TCP

Remote admin + SFTP

Telnet (23)

SFTP

22/TCP

File transfer

FTP (21)

FTPS

990/TCP

File transfer over TLS

FTP (21)

SMTPS

465/587

Email submission

SMTP (25)

IMAPS

993/TCP

Email retrieval

IMAP (143)

POP3S

995/TCP

Email retrieval

POP3 (110)

LDAPS

636/TCP

Directory services

LDAP (389)

SNMPv3

161-162/UDP

Net device mgmt

SNMPv1/v2

TLS 1.0 and 1.1 are DEPRECATED (RFC 8996) — use TLS 1.2 minimum; TLS 1.3 preferred. PPTP is WEAK — avoid.

Chapter 6: Security Technology

Secure Protocols

11 of 20

Cryptographic Email — S/MIME vs PGP

S/MIME

Trust Model:

Hierarchical PKI — Certificate Authorities

Certificate:

X.509 certificates

Enterprise Use:

Standard in corporate environments

Built Into:

Outlook, Apple Mail, Thunderbird

Standards:

IETF RFC 5751

Provides:

Confidentiality, Integrity, Authentication, Non-repudiation

PGP / OpenPGP

Trust Model:

Web of Trust — decentralized, peer validation

Certificate:

PGP key pairs (public/private)

Common Use:

Individual, open-source, tech communities

Tools:

GPG (GNU Privacy Guard), Enigmail

Standards:

IETF RFC 4880 (OpenPGP)

Provides:

Confidentiality, Integrity, Authentication, Non-repudiation

Chapter 6: Security Technology

S/MIME & PGP

12 of 20

WAF, Content Filtering & Web Security

Web Application Firewall (WAF)

Protects web apps from OWASP Top 10 attacks

⚠ SQL Injection (SQLi)

⚠ Cross-Site Scripting (XSS)

⚠ Cross-Site Request Forgery (CSRF)

⚠ Broken authentication / sessions

⚠ Security misconfiguration

Deployment modes: Transparent inline | Reverse proxy (most common) | Out-of-band (monitor only)

URL / Content Filtering

Blocks websites by category (adult, gambling, malware, social media). Enforces AUP. Can inspect decrypted HTTPS.

Web Proxy Server

Intermediary for client web requests. Caches content, filters URLs, logs activity, scans downloads. Forward proxy = client-to-Internet.

Network Access Control (NAC)

Pre-admission: checks patch level, AV status before granting access. Post-admission: continuous monitoring. Non-compliant → quarantine.

Honeypot / Honeynet

Decoy systems attracting attackers. Any traffic = suspicious. Honeynets simulate full networks. Legal: must isolate from production.

Chapter 6: Security Technology

WAF & Web Security

13 of 20

Vulnerability Scanning & Penetration Testing

COMMON SECURITY ASSESSMENT TOOLS

Nmap

Port Scanner

Discovers open ports, services, OS. TCP SYN/Connect, UDP scans.

Nessus / Qualys

Vulnerability Scanner

Finds known CVEs, misconfigs, default creds, missing patches.

OWASP ZAP / Nikto

Web App Scanner

Tests for OWASP Top 10: SQLi, XSS, CSRF in web applications.

Wireshark

Network Sniffer

Captures and analyzes network packets in real time or from pcap file.

John / Hashcat

Password Auditor

Cracks password hashes — tests for weak passwords in the environment.

Metasploit

Exploitation Framework

Tests exploitability of identified vulnerabilities in pen testing.

ALL scanning and penetration testing requires WRITTEN AUTHORIZATION. Unauthorized testing violates CFAA and similar laws.

Chapter 6: Security Technology

Scanning & Pen Testing

14 of 20

Physical Security Technologies

ACCESS CONTROL

ENVIRONMENTAL CONTROLS

Know

PIN / Keypad:

Numeric code — easily shared or observed; weakest factor

Have

Smart Card / RFID:

Embedded chip or contactless card; can be lost/cloned

Are

Biometric:

Fingerprint, iris, facial — highest assurance; difficult to transfer

Phys

Mantrap (Air Lock):

Two-door entry requiring ID between; prevents tailgating

Phys

Cable Lock:

Kensington lock — deters opportunistic laptop theft

Phys

Faraday Cage:

Blocks EM signals — prevents wireless eavesdropping / TEMPEST

HVAC

Maintains 64–80°F and 40–55% humidity. Prevents hardware failure, static discharge, and condensation damage.

UPS (Uninterruptible Power Supply)

Battery backup for brief outages + clean power (no spikes/sags). Critical for servers and network equipment.

Fire Suppression

Clean agent systems (FM-200, Inergen) preferred for electronics — suppresses fire without water damage.

Power Distribution

Redundant power feeds, PDUs, generators. N+1 or 2N redundancy standards for data centers.

Chapter 6: Security Technology

Physical Security

15 of 20

IDPS Evaluation — True/False Positives & Negatives

TRUE POSITIVE

IDPS correctly identifies an actual attack as malicious

DESIRED — Alert is valid. Attack detected.

Analyst investigates and responds to real threat

TRUE NEGATIVE

IDPS correctly identifies legitimate traffic as benign

DESIRED — No false alarm. Normal traffic flows.

No action needed; system working correctly

FALSE POSITIVE

IDPS incorrectly flags legitimate traffic as an attack

NUISANCE — Alert fatigue; wasted analyst time

Excessive false positives cause analysts to ignore alerts

FALSE NEGATIVE

IDPS fails to detect an actual attack

⚠ MOST DANGEROUS — Attack succeeds undetected

Security breach occurs without detection or response

Chapter 6: Security Technology

Detection Accuracy

16 of 20

VPN Protocols Comparison

IPSec

Layer 3

Transport & Tunnel

★★★★★

Industry standard for site-to-site. Uses IKE for key exchange. AH + ESP.

SSL/TLS

Layer 4–7

Tunnel (clientless)

★★★★★

Remote access via browser. HTTPS-based. No client required. TLS 1.3 preferred.

L2TP/IPSec

Layer 2

Tunnel

★★★★☆

L2TP creates tunnel; IPSec encrypts. Widely supported. Slightly slower than pure IPSec.

OpenVPN

Layer 3–7

Tunnel

★★★★★

Open-source. SSL/TLS key exchange. UDP 1194 default. Cross-platform. Highly configurable.

PPTP

Layer 2

Tunnel

★☆☆☆☆

⚠ WEAK — legacy Microsoft. MS-CHAPv2 vulnerabilities. AVOID in production.

Protocol

Layer

Mode

Strength

Notes

Chapter 6: Security Technology

VPN Protocols

17 of 20

Security Monitoring Technologies

SIEM

Security Information & Event Management

Aggregates logs from all security devices into a centralized platform. Correlates events across sources. Detects attack patterns spanning multiple systems. Examples: Splunk, IBM QRadar, Microsoft Sentinel.

Network Flow Analysis

NetFlow / sFlow / IPFIX

Analyzes metadata about network connections (who talked to whom, when, how much) without capturing full packets. Detects anomalous traffic patterns, data exfiltration, and C2 communications.

Threat Intelligence

CTI Feeds & STIX/TAXII

External feeds of indicators of compromise (IoCs): malicious IPs, domains, file hashes. Integrated into firewalls, SIEM, and IDPS. STIX/TAXII are standard formats for sharing threat intelligence.

Vulnerability Management

Continuous Assessment Program

Regular automated scanning (Nessus, Qualys) combined with patch management and risk-based remediation prioritization. CVE/CVSS scoring guides remediation priority.

Log Management

Centralized Log Collection & Retention

Collects, normalizes, and stores logs from servers, firewalls, endpoints. Required for forensic investigation and regulatory compliance (HIPAA, PCI DSS, SOX). Retention: typically 1–7 years.

Endpoint Detection & Response (EDR)

Next-gen endpoint security

Continuous monitoring of endpoint activity. Behavioral analytics detect malware, ransomware, and fileless attacks. Records telemetry for threat hunting and forensic investigation. Examples: CrowdStrike, Carbon Black.

Chapter 6: Security Technology

Security Monitoring

18 of 20

Quick Reference — Key Concepts & Distinctions

Packet Filtering vs Stateful Inspection

Packet filtering: stateless, headers only, Layer 3–4. Stateful: tracks connection state table, allows return traffic.

IDS vs IPS

IDS = passive (detect+alert, out-of-band). IPS = active inline (detect+block). Both together = IDPS.

Transport Mode vs Tunnel Mode

Transport: encrypts payload only, original IP header visible. Tunnel: encrypts entire original packet, new header added (site-to-site).

IPSec AH vs ESP

AH: authentication + integrity only (NO encryption). ESP: encryption + authentication + integrity. ESP is more commonly used.

S/MIME vs PGP

S/MIME: X.509 PKI certificates, enterprise email clients. PGP: web of trust model, GPG implementation, open-source use.

False Positive vs False Negative

False positive = legitimate traffic flagged as attack (alert fatigue). False negative = attack missed entirely (MOST DANGEROUS).

WAF vs NGFW

WAF protects web apps specifically (HTTP/S, OWASP Top 10). NGFW is general-purpose with app awareness. WAF = deeper web protection.

VA vs Penetration Test

VA: finds and reports vulnerabilities (no exploitation). Pen test: actively exploits to demonstrate impact. Both require written auth.

Chapter 6: Security Technology

Key Distinctions

19 of 20

Exam Tips & Common Question Areas

1

Firewall OSI layers: Packet Filter = 3–4 | Stateful = 3–4 | Application/Proxy = 7 | Circuit-Level = 5 | NGFW = all layers

2

DMZ = screened subnet = two firewalls. Zone order: Internet (untrusted) → Outer FW → DMZ (public servers) → Inner FW → Internal (trusted)

3

IDS passive (out-of-band, alerts only). IPS active inline (blocks traffic). False Negative = MOST DANGEROUS (attack undetected)

4

IPSec: AH = auth/integrity ONLY (no encryption). ESP = encryption + auth. IKE = key exchange, UDP 500. Tunnel mode = site-to-site VPN

5

Transport mode = encrypts payload, original IP header visible. Tunnel mode = encrypts entire original packet, new IP header added

6

S/MIME = X.509 PKI, enterprise email. PGP = web of trust, GPG. Both provide: confidentiality, integrity, authentication, non-repudiation

7

PPTP = WEAK (avoid). L2TP needs IPSec for encryption. TLS 1.0/1.1 deprecated. Honeypot must be isolated; any traffic to it is suspicious.

8

Pen testing and scanning require WRITTEN AUTHORIZATION. Unauthorized scanning violates Computer Fraud & Abuse Act (CFAA).

Chapter 6: Security Technology

Exam Tips

20 of 20

Chapter 6 Summary — Key Takeaways

1

Firewalls filter traffic by rule base (top-to-bottom, first match wins, implicit deny all). Types: Packet Filter (L3–4) → Stateful (L3–4) → Application Proxy (L7) → NGFW (all).

2

Best-practice architecture = Screened Subnet (DMZ): Internet → Outer FW → DMZ (public servers) → Inner FW → Internal. Bastion hosts sit in DMZ.

3

IDPS: IDS = passive (alert only); IPS = active inline (blocks). NIDPS = network segment; HIDPS = per host. False Negative = most dangerous (attack missed).

4

Detection: Signature-based (known attacks, low FP, no zero-days); Anomaly-based (zero-days, higher FP, needs baseline learning period).

5

VPN Modes: Transport (payload only encrypted) vs Tunnel (entire packet encrypted, used for site-to-site). IPSec AH = auth only; ESP = encrypt+auth.

6

Secure protocols: HTTPS=443, SSH=22, SFTP=22, SMTPS=465/587, IMAPS=993. TLS 1.0/1.1 deprecated. PPTP = WEAK. L2TP needs IPSec.

7

S/MIME = X.509 PKI, enterprise email. PGP = web of trust, GPG. Both provide CIA + non-repudiation for email.

8

All scanning/pen testing requires written authorization (CFAA). Honeypots must be isolated. Physical controls: mantrap, biometrics, UPS, HVAC, clean-agent fire suppression.

Principles of Information Security, 6th Edition | Whitman & Mattord | Chapter 6: Security Technology