C H A P T E R 6
Security Technology
Firewalls • VPNs • IDPS • Cryptographic Tools • Physical Security
Principles of Information Security, 6th Edition | Whitman & Mattord
Learning Objectives
1. Understand firewall types: packet filtering, stateful inspection, application-layer, and NGFW
2. Describe firewall architectures: dual-homed, screened host, screened subnet (DMZ)
3. Explain IDPS types (NIDPS vs HIDPS) and detection methods (signature vs anomaly)
4. Understand VPN transport vs. tunnel modes and protocols: IPSec, SSL, L2TP, PPTP
5. Describe IPSec components: AH (auth only), ESP (encrypt+auth), IKE (key exchange)
6. Explain cryptographic email tools: S/MIME (PKI) and PGP (web of trust)
7. Understand WAF, content filtering, NAC, honeypots, and vulnerability scanners
8. Identify physical security technologies: access control, environmental systems
Chapter 6: Security Technology
Objectives
Security Technology — Defense in Depth Layers
Physical
Locks, mantraps, CCTV, badge readers, HVAC, UPS
Perimeter
Firewalls, DMZ, screening routers, IDS/IPS
Host
HIDS, endpoint AV, OS hardening, log management
Application
WAF, content filtering, web proxy, input validation
Data
Encryption (TLS/IPSec), DLP, access controls, PGP
Technology alone cannot secure an organization — combine with administrative controls (policies, training) and physical controls
Chapter 6: Security Technology
Overview
Firewall Types by Processing Mode
OSI 3–4
Packet Filtering
✓ Fastest; low overhead; built into routers
✗ Stateless; no payload inspection; spoofable
OSI 3–4
Stateful Inspection (SPI)
✓ Tracks connection state table; allows return traffic
✗ No application-layer content inspection
OSI 7
Application / Proxy
✓ Full payload inspection; detects SQLi, XSS
✗ Slowest; protocol-specific; visible to users
OSI 5
Circuit-Level Gateway
✓ Validates TCP handshake; faster than proxy
✗ No payload inspection after connection established
All OSI
Next-Gen Firewall (NGFW)
✓ App ID + user awareness + IPS + SSL inspection
✗ Complex; expensive; processing overhead
Rule base evaluated TOP-TO-BOTTOM — first matching rule wins. Implicit DENY ALL at bottom is best practice.
Chapter 6: Security Technology
Firewall Types
Firewall Architectures — DMZ Design
INTERNET
(Untrusted)
OUTER
FIREWALL
DMZ
Web Server
Mail Relay
DNS Server
INNER
FIREWALL
INTERNAL
NETWORK
(Trusted)
Dual-Homed
One FW, two NICs (external + internal). IP forwarding disabled.
Screened Host
Screening router + bastion host. Two layers of protection.
Screened Subnet
Two firewalls creating a DMZ. BEST PRACTICE architecture.
★ Bastion Host = hardened server in DMZ; stripped of unnecessary services; most likely to be attacked.
Chapter 6: Security Technology
Firewall Architecture
Intrusion Detection & Prevention Systems (IDPS)
IDS — Intrusion Detection System
PASSIVE — detects and alerts only
Does NOT block traffic automatically
Out-of-band: receives copy of traffic
Generates alert for analyst review
Lower risk of disrupting legitimate traffic
Suitable where false positive risk is high
IPS — Intrusion Prevention System
ACTIVE — detects and blocks in real time
INLINE — sits directly in traffic path
Can drop packets, reset connections, block IPs
Automated response; no analyst delay
Risk: false positives block legitimate traffic
Suitable for high-confidence signature rules
★ False Negative (missed attack) is MORE dangerous than False Positive (false alarm) in security contexts.
Chapter 6: Security Technology
IDS vs IPS
NIDPS vs HIDPS — Detection Methods
Network-Based IDPS (NIDPS)
Monitors network segment traffic
Centralized; no host performance impact
Cannot inspect encrypted traffic
NIDS = passive; NIPS = inline blocking
Host-Based IDPS (HIDPS)
Installed on individual endpoints
Monitors system calls, files, registry, logs
Can inspect encrypted traffic (post-decrypt)
Detects insider threats; must deploy on each host
Signature-Based
Matches known attack patterns from database. Low false positives. CANNOT detect zero-days. Must update signatures continuously.
Anomaly-Based
Detects deviations from learned baseline. CAN detect zero-days and novel attacks. Higher false positive rate. Needs learning period.
Specification-Based
Rules define normal behavior for protocols. Lower false positive than anomaly-based. Requires manual specification effort.
Chapter 6: Security Technology
IDPS Types & Detection
Virtual Private Networks (VPNs)
VPN MODES
TRANSPORT MODE
IP Header
(visible)
Payload (ENCRYPTED)
Encrypts PAYLOAD ONLY — original IP header visible. Used for host-to-host VPN.
TUNNEL MODE
New IP Header
ENCRYPTED (orig header + payload)
Encrypts ENTIRE original packet — new header added. Used for site-to-site VPN. Original IPs hidden.
Site-to-Site VPN
IPSec tunnel — permanently connects two office networks
Remote Access VPN
SSL/TLS or IPSec — employees connecting from home
Extranet VPN
Connect partner / supplier / customer networks securely
Clientless SSL VPN
Browser-based HTTPS portal — no client install required
Chapter 6: Security Technology
VPN Modes
IPSec Protocol Suite
AH — Authentication Header
PROVIDES:
✓ Data integrity (hash of packet)
✓ Data origin authentication
✓ Anti-replay protection
DOES NOT PROVIDE:
✗ Confidentiality (NO encryption)
Authenticates ENTIRE IP packet including outer header
ESP — Encapsulating Security Payload
PROVIDES:
✓ Confidentiality (encryption)
✓ Data integrity
✓ Data origin authentication
DOES NOT PROVIDE:
✗ Does not protect outer IP header in transport mode
Most commonly used IPSec protocol — provides both encryption and auth
IKE — Internet Key Exchange
PROVIDES:
✓ Negotiates Security Associations (SAs)
✓ Manages cryptographic keys
✓ Uses UDP port 500
DOES NOT PROVIDE:
✗ Not directly used for data protection
SA = one-way logical connection defining algorithms and keys. Two SAs needed per tunnel.
Chapter 6: Security Technology
IPSec
Secure Protocol Reference — Ports & Functions
Protocol
Port
Secures
Replaces / Notes
HTTPS
443/TCP
HTTP web traffic
HTTP (80)
SSH
22/TCP
Remote admin + SFTP
Telnet (23)
SFTP
22/TCP
File transfer
FTP (21)
FTPS
990/TCP
File transfer over TLS
FTP (21)
SMTPS
465/587
Email submission
SMTP (25)
IMAPS
993/TCP
Email retrieval
IMAP (143)
POP3S
995/TCP
Email retrieval
POP3 (110)
LDAPS
636/TCP
Directory services
LDAP (389)
SNMPv3
161-162/UDP
Net device mgmt
SNMPv1/v2
TLS 1.0 and 1.1 are DEPRECATED (RFC 8996) — use TLS 1.2 minimum; TLS 1.3 preferred. PPTP is WEAK — avoid.
Chapter 6: Security Technology
Secure Protocols
Cryptographic Email — S/MIME vs PGP
S/MIME
Trust Model:
Hierarchical PKI — Certificate Authorities
Certificate:
X.509 certificates
Enterprise Use:
Standard in corporate environments
Built Into:
Outlook, Apple Mail, Thunderbird
Standards:
IETF RFC 5751
Provides:
Confidentiality, Integrity, Authentication, Non-repudiation
PGP / OpenPGP
Trust Model:
Web of Trust — decentralized, peer validation
Certificate:
PGP key pairs (public/private)
Common Use:
Individual, open-source, tech communities
Tools:
GPG (GNU Privacy Guard), Enigmail
Standards:
IETF RFC 4880 (OpenPGP)
Provides:
Confidentiality, Integrity, Authentication, Non-repudiation
Chapter 6: Security Technology
S/MIME & PGP
WAF, Content Filtering & Web Security
Web Application Firewall (WAF)
Protects web apps from OWASP Top 10 attacks
⚠ SQL Injection (SQLi)
⚠ Cross-Site Scripting (XSS)
⚠ Cross-Site Request Forgery (CSRF)
⚠ Broken authentication / sessions
⚠ Security misconfiguration
Deployment modes: Transparent inline | Reverse proxy (most common) | Out-of-band (monitor only)
URL / Content Filtering
Blocks websites by category (adult, gambling, malware, social media). Enforces AUP. Can inspect decrypted HTTPS.
Web Proxy Server
Intermediary for client web requests. Caches content, filters URLs, logs activity, scans downloads. Forward proxy = client-to-Internet.
Network Access Control (NAC)
Pre-admission: checks patch level, AV status before granting access. Post-admission: continuous monitoring. Non-compliant → quarantine.
Honeypot / Honeynet
Decoy systems attracting attackers. Any traffic = suspicious. Honeynets simulate full networks. Legal: must isolate from production.
Chapter 6: Security Technology
WAF & Web Security
Vulnerability Scanning & Penetration Testing
COMMON SECURITY ASSESSMENT TOOLS
Nmap
Port Scanner
Discovers open ports, services, OS. TCP SYN/Connect, UDP scans.
Nessus / Qualys
Vulnerability Scanner
Finds known CVEs, misconfigs, default creds, missing patches.
OWASP ZAP / Nikto
Web App Scanner
Tests for OWASP Top 10: SQLi, XSS, CSRF in web applications.
Wireshark
Network Sniffer
Captures and analyzes network packets in real time or from pcap file.
John / Hashcat
Password Auditor
Cracks password hashes — tests for weak passwords in the environment.
Metasploit
Exploitation Framework
Tests exploitability of identified vulnerabilities in pen testing.
ALL scanning and penetration testing requires WRITTEN AUTHORIZATION. Unauthorized testing violates CFAA and similar laws.
Chapter 6: Security Technology
Scanning & Pen Testing
Physical Security Technologies
ACCESS CONTROL
ENVIRONMENTAL CONTROLS
Know
PIN / Keypad:
Numeric code — easily shared or observed; weakest factor
Have
Smart Card / RFID:
Embedded chip or contactless card; can be lost/cloned
Are
Biometric:
Fingerprint, iris, facial — highest assurance; difficult to transfer
Phys
Mantrap (Air Lock):
Two-door entry requiring ID between; prevents tailgating
Phys
Cable Lock:
Kensington lock — deters opportunistic laptop theft
Phys
Faraday Cage:
Blocks EM signals — prevents wireless eavesdropping / TEMPEST
HVAC
Maintains 64–80°F and 40–55% humidity. Prevents hardware failure, static discharge, and condensation damage.
UPS (Uninterruptible Power Supply)
Battery backup for brief outages + clean power (no spikes/sags). Critical for servers and network equipment.
Fire Suppression
Clean agent systems (FM-200, Inergen) preferred for electronics — suppresses fire without water damage.
Power Distribution
Redundant power feeds, PDUs, generators. N+1 or 2N redundancy standards for data centers.
Chapter 6: Security Technology
Physical Security
IDPS Evaluation — True/False Positives & Negatives
TRUE POSITIVE
IDPS correctly identifies an actual attack as malicious
DESIRED — Alert is valid. Attack detected.
Analyst investigates and responds to real threat
TRUE NEGATIVE
IDPS correctly identifies legitimate traffic as benign
DESIRED — No false alarm. Normal traffic flows.
No action needed; system working correctly
FALSE POSITIVE
IDPS incorrectly flags legitimate traffic as an attack
NUISANCE — Alert fatigue; wasted analyst time
Excessive false positives cause analysts to ignore alerts
FALSE NEGATIVE
IDPS fails to detect an actual attack
⚠ MOST DANGEROUS — Attack succeeds undetected
Security breach occurs without detection or response
Chapter 6: Security Technology
Detection Accuracy
VPN Protocols Comparison
IPSec
Layer 3
Transport & Tunnel
★★★★★
Industry standard for site-to-site. Uses IKE for key exchange. AH + ESP.
SSL/TLS
Layer 4–7
Tunnel (clientless)
★★★★★
Remote access via browser. HTTPS-based. No client required. TLS 1.3 preferred.
L2TP/IPSec
Layer 2
Tunnel
★★★★☆
L2TP creates tunnel; IPSec encrypts. Widely supported. Slightly slower than pure IPSec.
OpenVPN
Layer 3–7
Tunnel
★★★★★
Open-source. SSL/TLS key exchange. UDP 1194 default. Cross-platform. Highly configurable.
PPTP
Layer 2
Tunnel
★☆☆☆☆
⚠ WEAK — legacy Microsoft. MS-CHAPv2 vulnerabilities. AVOID in production.
Protocol
Layer
Mode
Strength
Notes
Chapter 6: Security Technology
VPN Protocols
Security Monitoring Technologies
SIEM
Security Information & Event Management
Aggregates logs from all security devices into a centralized platform. Correlates events across sources. Detects attack patterns spanning multiple systems. Examples: Splunk, IBM QRadar, Microsoft Sentinel.
Network Flow Analysis
NetFlow / sFlow / IPFIX
Analyzes metadata about network connections (who talked to whom, when, how much) without capturing full packets. Detects anomalous traffic patterns, data exfiltration, and C2 communications.
Threat Intelligence
CTI Feeds & STIX/TAXII
External feeds of indicators of compromise (IoCs): malicious IPs, domains, file hashes. Integrated into firewalls, SIEM, and IDPS. STIX/TAXII are standard formats for sharing threat intelligence.
Vulnerability Management
Continuous Assessment Program
Regular automated scanning (Nessus, Qualys) combined with patch management and risk-based remediation prioritization. CVE/CVSS scoring guides remediation priority.
Log Management
Centralized Log Collection & Retention
Collects, normalizes, and stores logs from servers, firewalls, endpoints. Required for forensic investigation and regulatory compliance (HIPAA, PCI DSS, SOX). Retention: typically 1–7 years.
Endpoint Detection & Response (EDR)
Next-gen endpoint security
Continuous monitoring of endpoint activity. Behavioral analytics detect malware, ransomware, and fileless attacks. Records telemetry for threat hunting and forensic investigation. Examples: CrowdStrike, Carbon Black.
Chapter 6: Security Technology
Security Monitoring
Quick Reference — Key Concepts & Distinctions
Packet Filtering vs Stateful Inspection
Packet filtering: stateless, headers only, Layer 3–4. Stateful: tracks connection state table, allows return traffic.
IDS vs IPS
IDS = passive (detect+alert, out-of-band). IPS = active inline (detect+block). Both together = IDPS.
Transport Mode vs Tunnel Mode
Transport: encrypts payload only, original IP header visible. Tunnel: encrypts entire original packet, new header added (site-to-site).
IPSec AH vs ESP
AH: authentication + integrity only (NO encryption). ESP: encryption + authentication + integrity. ESP is more commonly used.
S/MIME vs PGP
S/MIME: X.509 PKI certificates, enterprise email clients. PGP: web of trust model, GPG implementation, open-source use.
False Positive vs False Negative
False positive = legitimate traffic flagged as attack (alert fatigue). False negative = attack missed entirely (MOST DANGEROUS).
WAF vs NGFW
WAF protects web apps specifically (HTTP/S, OWASP Top 10). NGFW is general-purpose with app awareness. WAF = deeper web protection.
VA vs Penetration Test
VA: finds and reports vulnerabilities (no exploitation). Pen test: actively exploits to demonstrate impact. Both require written auth.
Chapter 6: Security Technology
Key Distinctions
Exam Tips & Common Question Areas
1
Firewall OSI layers: Packet Filter = 3–4 | Stateful = 3–4 | Application/Proxy = 7 | Circuit-Level = 5 | NGFW = all layers
2
DMZ = screened subnet = two firewalls. Zone order: Internet (untrusted) → Outer FW → DMZ (public servers) → Inner FW → Internal (trusted)
3
IDS passive (out-of-band, alerts only). IPS active inline (blocks traffic). False Negative = MOST DANGEROUS (attack undetected)
4
IPSec: AH = auth/integrity ONLY (no encryption). ESP = encryption + auth. IKE = key exchange, UDP 500. Tunnel mode = site-to-site VPN
5
Transport mode = encrypts payload, original IP header visible. Tunnel mode = encrypts entire original packet, new IP header added
6
S/MIME = X.509 PKI, enterprise email. PGP = web of trust, GPG. Both provide: confidentiality, integrity, authentication, non-repudiation
7
PPTP = WEAK (avoid). L2TP needs IPSec for encryption. TLS 1.0/1.1 deprecated. Honeypot must be isolated; any traffic to it is suspicious.
8
Pen testing and scanning require WRITTEN AUTHORIZATION. Unauthorized scanning violates Computer Fraud & Abuse Act (CFAA).
Chapter 6: Security Technology
Exam Tips
Chapter 6 Summary — Key Takeaways
1
Firewalls filter traffic by rule base (top-to-bottom, first match wins, implicit deny all). Types: Packet Filter (L3–4) → Stateful (L3–4) → Application Proxy (L7) → NGFW (all).
2
Best-practice architecture = Screened Subnet (DMZ): Internet → Outer FW → DMZ (public servers) → Inner FW → Internal. Bastion hosts sit in DMZ.
3
IDPS: IDS = passive (alert only); IPS = active inline (blocks). NIDPS = network segment; HIDPS = per host. False Negative = most dangerous (attack missed).
4
Detection: Signature-based (known attacks, low FP, no zero-days); Anomaly-based (zero-days, higher FP, needs baseline learning period).
5
VPN Modes: Transport (payload only encrypted) vs Tunnel (entire packet encrypted, used for site-to-site). IPSec AH = auth only; ESP = encrypt+auth.
6
Secure protocols: HTTPS=443, SSH=22, SFTP=22, SMTPS=465/587, IMAPS=993. TLS 1.0/1.1 deprecated. PPTP = WEAK. L2TP needs IPSec.
7
S/MIME = X.509 PKI, enterprise email. PGP = web of trust, GPG. Both provide CIA + non-repudiation for email.
8
All scanning/pen testing requires written authorization (CFAA). Honeypots must be isolated. Physical controls: mantrap, biometrics, UPS, HVAC, clean-agent fire suppression.
Principles of Information Security, 6th Edition | Whitman & Mattord | Chapter 6: Security Technology