As an undergraduate Integrated Information Technology student, I have had the opportunity to take many technology classes,
undergo multiple research projects, and work as a full time IT Manager at the College of Engineering and Computing. Two key experiences,
ITEC 445 and my first semester of cybersecurity research, showed me the constantly increasing need for cybersecurity, as well as
mitigation strategies for said need. Our everyday lives are becoming more and more reliant on Information Technology, and this
need creates the field of Information Security. My in-class and out-of-class experiences greatly enhanced my knowledge on the concept of Information
Security, which is what my research has focused on and why I chose to pursue the GLD Pathway of Research.
As an Integrated Information Technology major, I am required to take multiple hardware and networking classes.
ITEC 445, Advanced Networking, is the second-level networking course in the ITEC range of classes. For the second
half of the semester, we were taught various security concepts in virtual labs using Palo Alto Next Generation
Firewalls (NGFWs). Palo Alto is a networking and security company that manufactures NGFWs. In short, a firewall
is a network appliance that blocks all traffic by default, unlike a router, which forwards all traffic by default.
Legacy firewalls filter traffic using the headers at layers three and four of the Open Systems Interconnection (OSI) model,
that is, on IP addresses, protocols and ports, as shown below. [Fig. 1] NGFWs, on the other hand, can filter traffic
using information from every layer, including the application itself, and can inspect encrypted traffic as well,
provided the firewall is configured to decrypt it (typically by acting as a TLS proxy whose certificate the clients trust).
Think of legacy firewalls as regular phones, and NGFWs as smartphones.
The concepts that we learned in class covered initial configuration, interface configuration, security and NAT policies,
App-ID filtering, Content-ID filtering, and URL filtering. Initial and interface configuration included remotely
accessing the NGFW's console, setting up interfaces (virtual Ethernet connections), zones (for example public, private and DMZ),
and basic routing to forward local traffic on a class C (/24) network. Security and NAT policies included filtering
traffic based on IP address, Network Address Translation (NAT) for access to external networks, and basic forwarding
policies from zone to zone. App-ID filtering, Content-ID filtering and URL filtering were all ways to filter traffic
based on other aspects, such as the application or application group, known malware signatures in Palo Alto's database,
and URLs (e.g. Twitter.com). The topology and zones can be seen in the image below. [Fig. 2]
Dr. Crichigno is an ITT professor who regularly receives funding from the Office of Naval Research for
various cybersecurity projects. I was offered a position to do research under him during the semester
that I was enrolled in ITEC 445. My project partner and I were assigned the topic of SYN Attack Prevention
using Palo Alto NGFWs. This was a great opportunity, as it would utilize a very similar environment that I
was already using in my class at the time.
TCP SYN attacks, also called SYN floods, are a form of Denial of Service (DoS) attack. A denial-of-service attack
targets a machine that functions as a server, with the intent of making the service it provides unavailable to
legitimate users, hence "denial of service." A TCP SYN attack abuses the SYN flag of the TCP three-way handshake,
which is normally sent at the beginning of a TCP connection, as seen below. [Fig. 3]
I say normally because the SYN is supposed to be sent so that the server replies with a SYN-ACK (synchronize-acknowledge)
and the client completes the handshake with an ACK. The server has to remember every connection it has half-opened,
usually in a fixed-size backlog, until that final ACK arrives. In a TCP SYN attack the attacker floods a server with
SYN packets, often from spoofed source addresses, and never completes the handshakes; the backlog fills with
half-open connections and most, if not all, legitimate connection attempts are dropped. A more effective version of
this attack is the Distributed Denial of Service (DDoS) TCP SYN attack. In a standard DoS attack the attacker is
(usually) overloading a server from a single source, for example one IP address, which is comparatively easy to
block. In a DDoS attack the attacker does the same from many sources at once, for example thousands of compromised
machines, each of which can also spoof its source addresses, so there is no single address to block.
Our solution to this issue was to use "SYN cookies." With SYN cookies enabled, the firewall answers each SYN on the
server's behalf but stores no half-open state: instead it encodes a cookie (a keyed hash of the connection's addresses
and ports, plus a coarse timestamp) into the initial sequence number of the SYN-ACK. When the third handshake packet
(the ACK) comes back, its acknowledgement number is checked against the cookie. If it does not verify, the packet
is dropped; if it does, the firewall knows a real client completed the handshake and only then passes the connection
on to the server. Spoofed SYNs therefore cost the firewall nothing beyond sending a SYN-ACK. This was implemented in
a profile that was then applied to a traffic policy, as seen below. [Fig. 4]
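To make the difference between the two handshakes concrete, the following is an added simulation written for this page; it is not the firewall's implementation or code from the research project. It runs a constructed SYN flood from spoofed sources against two listeners: a classic stateful one with a small backlog, and a stateless one that encodes a SYN cookie in the SYN-ACK's initial sequence number. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash) follows Bernstein's original scheme; the HMAC-SHA256 hash, the MSS table, the fixed demo secret and the addresses are all assumptions made for the example.

```python
"""Simulated TCP three-way handshake under a SYN flood, with and without SYN cookies (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF
MSS_TABLE = [536, 1220, 1460, 4312]   # MSS values a cookie can encode (assumed table)


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: str      # "SYN", "SYN-ACK" or "ACK"


class StatefulServer:
    """Classic listener: every SYN allocates a half-open backlog entry until an ACK completes it."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}           # (client ip, client port) -> our ISN
        self.established = set()
        self.dropped_syns = 0

    def on_segment(self, seg):
        key = (seg.src, seg.sport)
        if seg.flags == "SYN":
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1     # backlog exhausted: legitimate SYNs are lost too
                return None
            isn = int.from_bytes(os.urandom(4), "big")
            self.half_open[key] = isn
            return Segment(seg.dst, seg.dport, seg.src, seg.sport, isn, (seg.seq + 1) & MASK32, "SYN-ACK")
        if seg.flags == "ACK":
            isn = self.half_open.pop(key, None)
            if isn is not None and seg.ack == (isn + 1) & MASK32:
                self.established.add(key)
        return None


class SynCookieServer:
    """Stateless listener: the SYN-ACK's ISN *is* the cookie, so nothing is stored per SYN."""

    def __init__(self, secret, max_age=2):
        self.secret = secret
        self.max_age = max_age        # cookies older than this many ticks are refused
        self.tick = 0                 # coarse clock, advanced by the caller
        self.established = set()
        self.rejected_acks = 0

    def _hash24(self, srv_ip, srv_port, cli_ip, cli_port, client_isn, t):
        msg = f"{srv_ip}:{srv_port}:{cli_ip}:{cli_port}:{client_isn}:{t}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def _cookie(self, srv_ip, srv_port, cli_ip, cli_port, client_isn, t, mss_idx):
        t &= 0x1F   # only 5 bits of the clock travel in the cookie
        return (t << 27) | ((mss_idx & 0x7) << 24) | self._hash24(srv_ip, srv_port, cli_ip, cli_port, client_isn, t)

    def on_segment(self, seg, mss=1460):
        key = (seg.src, seg.sport)
        if seg.flags == "SYN":
            mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
            isn = self._cookie(seg.dst, seg.dport, seg.src, seg.sport, seg.seq, self.tick, mss_idx)
            return Segment(seg.dst, seg.dport, seg.src, seg.sport, isn, (seg.seq + 1) & MASK32, "SYN-ACK")
        if seg.flags == "ACK":
            cookie = (seg.ack - 1) & MASK32          # client acks ISN + 1, so ISN (the cookie) = ack - 1
            t = cookie >> 27
            client_isn = (seg.seq - 1) & MASK32      # the ACK carries client ISN + 1
            age = (self.tick - t) & 0x1F
            expected = self._hash24(seg.dst, seg.dport, seg.src, seg.sport, client_isn, t)
            if age <= self.max_age and (cookie & 0xFFFFFF) == expected:
                self.established.add(key)   # MSS recoverable as MSS_TABLE[(cookie >> 24) & 7]
            else:
                self.rejected_acks += 1
        return None


def run_flood(n_spoofed, backlog=64):
    """Flood both servers with n_spoofed unanswered SYNs, then run one legitimate handshake and one forged ACK.
    Returns (stateful_established, cookie_established, forged_ack_rejected)."""
    server_ip, server_port = "10.0.0.10", 443
    stateful = StatefulServer(backlog)
    cookied = SynCookieServer(b"demo-secret-not-for-production")   # constructed, fixed for reproducibility

    for i in range(n_spoofed):   # constructed attack traffic: spoofed sources never answer the SYN-ACK
        syn = Segment(f"198.51.100.{i % 250 + 1}", 1024 + i, server_ip, server_port, i, 0, "SYN")
        stateful.on_segment(syn)
        cookied.on_segment(syn)

    cli_ip, cli_port, cli_isn = "192.0.2.7", 51000, 0x1A2B3C4D    # legitimate client
    syn = Segment(cli_ip, cli_port, server_ip, server_port, cli_isn, 0, "SYN")
    sa1, sa2 = stateful.on_segment(syn), cookied.on_segment(syn)
    if sa1 is not None:
        stateful.on_segment(Segment(cli_ip, cli_port, server_ip, server_port, cli_isn + 1, (sa1.seq + 1) & MASK32, "ACK"))
    cookied.on_segment(Segment(cli_ip, cli_port, server_ip, server_port, cli_isn + 1, (sa2.seq + 1) & MASK32, "ACK"))

    # Attacker sends a bare ACK with a guessed cookie; its time field (0xDEADBEEE >> 27 = 27) is stale, so it fails.
    cookied.on_segment(Segment("203.0.113.9", 4000, server_ip, server_port, 1, 0xDEADBEEF, "ACK"))

    return ((cli_ip, cli_port) in stateful.established,
            (cli_ip, cli_port) in cookied.established,
            cookied.rejected_acks == 1)


if __name__ == "__main__":
    print(run_flood(1000, backlog=64))   # stateful server loses the real client; cookie server does not
```

The point the simulation makes is that the cookie server's memory use is independent of the number of SYNs it receives, which is why the firewall can absorb the flood on the server's behalf. The price is the one the text hints at: because no state is kept, only what fits in 32 bits of sequence number (here a clock, an MSS index and a hash) survives the handshake, and the hash must be keyed so an attacker cannot forge the third packet.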
The greatest takeaway from both experiences was learning about the constant cyber threat that organizations
and businesses face every day. These groups have become so reliant on technology that cyber crimes can be just as damaging as,
if not worse than, physical crimes. Take your bank account, for example. Your balance is simply a record in a
database, alongside thousands of other people's accounts. If someone gains access to the system containing that database,
chances are your money is at risk. Thieves are always looking to steal from others, just as hackers are always attempting
to break into websites, databases, servers, etc. Information Security is the sector of IT that addresses these issues. My GLD
pathway of Research has helped me to better understand Information Security and prepared me to apply these concepts in the future.