Cameron McDuffie

Information Security

As an undergraduate Integrated Information Technology student, I have had the opportunity to take many technology classes, undergo multiple research projects, and work as a full time IT Manager at the College of Engineering and Computing. Two key experiences, ITEC 445 and my first semester of cybersecurity research, showed me the constantly increasing need for cybersecurity, as well as mitigation strategies for said need. Our everyday lives are becoming more and more reliant on Information Technology, and this need creates the field of Information Security. My in-class and out-of-class experiences greatly enhanced my knowledge on the concept of Information Security, which is what my research has focused on and why I chose to pursue the GLD Pathway of Research.

As an Integrated Information Technology major, I am required to take multiple hardware and networking classes. ITEC 445, Advanced Networking, is the second-level networking course in the ITEC range of classes. For the second half of the semester, we were taught various security concepts in virtual labs using Palo Alto Next Generation Firewalls (NGFWs). Palo Alto is a networking and security company that manufactures NGFWs. In short, legacy firewalls are network appliances that block all traffic by default, unlike a router, which allows all traffic by default. These legacy security appliances can filter traffic up to layer three of the Open Systems Interconnection (OSI) model, as shown below. [Fig. 1] NGFWs, on the other hand, can not only filter traffic at all layers but inspect encrypted traffic as well. Think of legacy firewalls as regular phones, and NGFWs as smartphones.

Figure 1. The OSI Model. At Layer 3, Protocol Data Units are 'Packets'

The concepts that we learned in class covered initial configuration, interface configuration, security and NAT policies, App-ID filtering, Content-ID filtering, and URL filtering. Initial and interface configuration included remotely accessing the NGFW's console, setting up interfaces (virtual Ethernet connections), zones (public, private, DMZ), and a basic router to forward local traffic on a class C network. Security and NAT policies included filtering traffic based on IP address, Network Address Translation (NAT) for access to external networks, and basic forwarding policies from zone to zone. App-ID filtering, Content-ID filtering, and URL filtering were all ways to filter traffic based on various aspects, such as an application group, known malware from Palo Alto's database, and URLs (e.g., Twitter.com). The topology and zones can be seen in the image below. [Fig. 2]

Figure 2. Lab Topology used in ITEC 445. NGFW located at the center of 4 zones behind the external router (203.0.113.1).

Dr. Crichigno is an ITT professor who regularly receives funding from the Office of Naval Research for various cybersecurity projects. I was offered a position to do research under him during the semester that I was enrolled in ITEC 445. My project partner and I were assigned the topic of SYN Attack Prevention using Palo Alto NGFWs. This was a great opportunity, as it would utilize a very similar environment that I was already using in my class at the time.

TCP SYN attacks are "Denial of Service" (DoS) attacks. A denial-of-service attack is an attack on any machine that functions as a server, with the intent of bringing down the service that it provides, hence the name. A TCP SYN attack uses the 'SYN' flag of the TCP 3-way handshake, which is normally sent at the beginning of a TCP connection, as seen below. [Fig. 3]

I say normally because the initial SYN is supposed to be sent so that a 'SYN-ACK', or acknowledgement, can be sent as a reply from the server to establish the connection. In a TCP SYN attack the attacker floods a server with SYN packets, preventing most, if not all, legitimate traffic from getting through to the server. A more effective version of this attack is known as a Distributed Denial of Service (DDoS) TCP SYN attack. In a standard DoS attack the attacker is (usually) overloading a server's connection from a single source, for example one IP address. In a DDoS attack, the attacker is doing the same, but from multiple sources, for example thousands of spoofed IP addresses.

Figure 3. The three way handshake of a TCP connection consisting of SYN, SYN-ACK, and ACK.

Our solution to this issue was using "SYN Cookies." This solution tells the firewall to send a cookie with every SYN-ACK packet instead of holding a half-open connection for each SYN it sees. When the third handshake packet is sent back to the server, it is checked for the cookie. If the cookie is not present, the packet is dropped; only packets carrying a valid cookie are allowed to complete the connection. This was implemented in a profile that was then applied to a traffic policy, as seen below. [Fig. 4]
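The handshake and SYN flood described in the previous paragraphs and the SYN cookie mechanism in this one, as an added in-memory model (my own illustration, not code from the course, the research project, or Palo Alto). It models a classic listener that reserves a backlog slot for every SYN beside a listener that encodes a cookie in the SYN-ACK's sequence number and keeps no state until the final ACK validates. The cookie layout (a 5-bit time counter plus a 27-bit truncated HMAC), the `BACKLOG_LIMIT`, `WINDOW` and `SECRET` values, the listener classes, and the addresses (documentation ranges) are all constructed assumptions rather than any vendor's exact scheme; no real packets are sent.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed model: "segments" are plain Python values, no sockets are involved.
MASK32 = 0xFFFFFFFF
BACKLOG_LIMIT = 8        # assumed tiny half-open backlog so exhaustion is visible
WINDOW = 64              # assumed seconds per cookie time-counter tick
SECRET = b"constructed-secret-for-the-example"   # assumed per-server secret


@dataclass
class StatefulListener:
    """Classic TCP listener: every SYN reserves a backlog slot until its ACK arrives."""
    half_open: dict = field(default_factory=dict)
    established: set = field(default_factory=set)
    dropped_syns: int = 0

    def on_syn(self, src, client_seq):
        if len(self.half_open) >= BACKLOG_LIMIT:
            self.dropped_syns += 1       # backlog full: this SYN gets no SYN-ACK
            return None
        isn = 1000 + len(self.half_open)  # toy initial sequence number
        self.half_open[src] = isn
        return ("SYN-ACK", isn, (client_seq + 1) & MASK32)

    def on_ack(self, src, client_seq, ack):
        isn = self.half_open.pop(src, None)
        if isn is not None and ack == (isn + 1) & MASK32:
            self.established.add(src)
            return True
        return False


def _counter(now):
    return int(now // WINDOW) & 0x1F          # 5-bit time counter


def _mac27(src, client_seq, t):
    # Truncated HMAC over the tuple that identifies this handshake attempt.
    msg = f"{src[0]}:{src[1]}:{client_seq}:{t}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x07FFFFFF


def make_cookie(src, client_seq, now):
    """Cookie = 5-bit counter in the top bits, 27-bit MAC below (fits a 32-bit ISN)."""
    t = _counter(now)
    return (t << 27) | _mac27(src, client_seq, t)


def verify_cookie(src, client_seq, cookie, now):
    """Accept only cookies from the current or previous counter tick with a valid MAC."""
    t = cookie >> 27
    current = _counter(now)
    if t not in (current, (current - 1) & 0x1F):
        return False                          # stale: too old to be a live handshake
    expected = _mac27(src, client_seq, t).to_bytes(4, "big")
    return hmac.compare_digest((cookie & 0x07FFFFFF).to_bytes(4, "big"), expected)


@dataclass
class CookieListener:
    """SYN-cookie listener: keeps no per-connection state until the ACK validates."""
    established: set = field(default_factory=set)
    now: float = 0.0          # injectable clock so expiry can be shown deterministically

    def on_syn(self, src, client_seq):
        # Nothing is stored: the cookie itself is the ISN carried in the SYN-ACK.
        return ("SYN-ACK", make_cookie(src, client_seq, self.now), (client_seq + 1) & MASK32)

    def on_ack(self, src, client_seq, ack):
        # The ACK number is cookie + 1; the client's original ISN is seq - 1.
        cookie = (ack - 1) & MASK32
        if verify_cookie(src, (client_seq - 1) & MASK32, cookie, self.now):
            self.established.add(src)
            return True
        return False


def simulate_flood(listener, flood_count=50):
    """Constructed scenario: flood_count SYNs from spoofed sources that never complete
    the handshake, followed by one legitimate client. Returns True if the legitimate
    client reaches ESTABLISHED."""
    for i in range(flood_count):
        listener.on_syn(("192.0.2.%d" % (i % 254 + 1), 40000 + i), 500 + i)
    legit = ("198.51.100.7", 51515)
    reply = listener.on_syn(legit, 7777)
    if reply is None:
        return False                      # backlog exhausted: the SYN was dropped
    _, server_isn, _ = reply
    # Third handshake segment: client seq advances by one, ack = server ISN + 1.
    return listener.on_ack(legit, 7778, (server_isn + 1) & MASK32)


if __name__ == "__main__":
    print("stateful listener, legitimate client connected:", simulate_flood(StatefulListener()))
    print("SYN-cookie listener, legitimate client connected:", simulate_flood(CookieListener()))
```

Running the two scenarios shows the difference the firewall profile makes: the stateful listener's eight slots fill with half-open entries and the legitimate client's SYN is dropped, while the cookie listener answers every SYN without storing anything and still admits the client whose ACK carries a valid cookie. The `verify_cookie` check also rejects a forged or altered ACK number and a cookie older than two counter ticks, which is what stops stale SYN-ACKs from being replayed to open connections later.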

Figure 4. The protection profile applied to a traffic policy, with the default rates accepted in accordance with SYN cookies.

The greatest takeaway from both experiences was learning about the constant cyber threat that organizations and businesses face every day. These groups have become so reliant on technology that cyber crimes are just as damaging as, if not worse than, physical crimes. Take your bank account, for example. This number is simply a record in a database, along with thousands of other people's accounts. If someone gains access to the system containing this database, chances are your money is compromised. Thieves are always looking to steal from others, just as hackers are always attempting to break into websites, databases, servers, etc. Information Security is the sector of IT that addresses these issues. My GLD pathway of Research has helped me to better understand Information Security and has prepared me to apply these concepts in the future.