1
Defining Network Security
Security is prevention of unwanted information transfer
• What are the components?
– Physical Security
– Operational Security
– Human Factors
– Protocols
2
Areas for Protection
• Privacy
• Data Integrity
• Authentication/Access Control
• Denial of Service
3
Regulations and Standards
• Computer Crime Laws
• Encryption
• Government as “Big Brother”
4
Security
Threat, Value and Cost Tradeoffs
• Identify the Threats
• Set a Value on Information
• Add up the Costs (to secure)
Cost < Value * Threat
5
Threats
• Hackers/Crackers (“Joyriders”)
• Criminals (Thieves)
• Rogue Programs (Viruses, Worms)
• Internal Personnel
• System Failures
6
Network Threats
• IP Address spoofing attacks
• TCP SYN Flood attacks
• Random port scanning of internal systems
• Snooping of network traffic
• SMTP Buffer overrun attacks
7
Network Threats (cont.)
• SMTP backdoor command attacks
• Information leakage attacks via finger, echo, ping, and traceroute commands
• Attacks via download of Java and ActiveX scripts
• TCP Session Hijacking
• TCP Sequence Number Prediction Attacks
8
Threat, Value and Cost Tradeoffs
• Operations Security
• Host Security
• Firewalls
• Cryptography: Encryption/Authentication
• Monitoring/Audit Trails
9
Host Security
• Security versus Performance & Functionality
• Unix, Windows NT, MVS, etc.
• PCs
• “Security Through Obscurity”
10
Host Security (cont.)
• Programs
• Configuration
• Regression Testing
11
Network Security
• Traffic Control
• Not a replacement for Host-based mechanisms
• Firewalls and Monitoring, Encryption
• Choke Points & Performance
12
Access Control
• Host-based:
– Passwords, etc.
– Directory Rights
– Access Control Lists
– Superusers
• Network-based:
– Address Based
– Filters
– Encryption
– Path Selection
13
Network Security and Privacy
• Protecting data from being read by unauthorized persons.
• Preventing unauthorized persons from inserting and deleting messages.
• Verifying the sender of each message.
• Allowing electronic signatures on documents.
14
FIREWALLS
• Protect against attacks
• Access Control
• Authentication
• Logging
• Notifications
15
Types of Firewalls
• Packet Filters – Network Layer
• Stateful Packet Filters – Network Layer
• Circuit-Level Gateways – Session Layer
• Application Gateways – Application Layer
[Figure: the OSI layer stack (Application, Presentation, Session, Transport, Network, Data Link, Physical) shown beside the firewall types]
16
Packet Level
• Sometimes part of router
• TAMU “Drawbridge”
[Figure: Campus network – Router/Drawbridge – ROTW]
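The two network-layer firewall types on the "Types of Firewalls" slide differ in one thing: whether the filter remembers earlier packets. The following is an added example, not code from the slides or from Drawbridge, that evaluates a small DMZ-style policy first statelessly and then with connection tracking. All addresses are constructed (the DMZ uses the 192.0.2.0/24 documentation range) and the policy is an assumption made for the example.

```python
# Added example (not from the slide deck): a packet filter evaluating a
# DMZ-style policy, first statelessly and then with connection tracking.
# Addresses are constructed; the DMZ uses the 192.0.2.0/24 documentation range.
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTRANET = ip_network("10.0.0.0/8")      # company network behind the firewall
WEB_SERVER = ip_address("192.0.2.10")    # public web server placed in the DMZ


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool   # SYN set
    ack: bool   # ACK set; SYN without ACK is a new connection attempt


def stateless_decide(pkt: Packet) -> str:
    """Network-layer packet filter: looks only at this packet's header."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if dst == WEB_SERVER and pkt.dport == 80:
        return "allow"                      # anyone may reach the DMZ web server
    if src in INTRANET:
        return "allow"                      # inside hosts may initiate outbound
    if pkt.ack:
        # Classic stateless rule: admit anything with ACK set, on the theory
        # that only the first packet of a connection lacks it. The filter has
        # no way to tell a genuine reply from a packet that merely sets ACK.
        return "allow"
    return "deny"


class StatefulFilter:
    """Stateful packet filter: admits inbound packets only when they belong to
    a connection that was opened from the inside (or to the DMZ web server)."""

    def __init__(self) -> None:
        self.connections: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.connections or reverse in self.connections:
            return "allow"                  # part of a tracked connection
        if pkt.syn and not pkt.ack:         # new connection attempt
            src, dst = ip_address(pkt.src), ip_address(pkt.dst)
            if (dst == WEB_SERVER and pkt.dport == 80) or src in INTRANET:
                self.connections.add(forward)
                return "allow"
        return "deny"


def compare_filters() -> dict[str, tuple[str, str]]:
    """Runs three constructed packets through both filters and returns
    {name: (stateless decision, stateful decision)}."""
    fw = StatefulFilter()
    outbound = Packet("10.0.0.7", "203.0.113.5", 50000, 443, syn=True, ack=False)
    reply = Packet("203.0.113.5", "10.0.0.7", 443, 50000, syn=True, ack=True)
    # Inbound packet to an internal host with ACK set that answers no
    # connection anyone inside opened.
    stray_ack = Packet("203.0.113.5", "10.0.0.7", 40000, 22, syn=False, ack=True)
    results = {}
    for name, pkt in [("outbound", outbound), ("reply", reply), ("stray_ack", stray_ack)]:
        results[name] = (stateless_decide(pkt), fw.decide(pkt))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in compare_filters().items():
        print(f"{name:10s} stateless={stateless:5s} stateful={stateful}")
```

The stray ACK is the case that separates the two types: the stateless filter must trust the ACK flag to let replies back in, while the stateful filter only admits packets that match a connection it saw opened from the inside or to the published DMZ service.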
17
Circuit Level
• Dedicated Host
• Socket Interfaces
[Figure: Local network – FW – ROTW]
18
Application Level
• Needs a dedicated host
• Special Software most everywhere
[Figure: telnet client – Firewall – ROTW]
19
Firewall Installation Issues
[Figure: DNS, FTP, Web and Mail servers behind a Router attached to the INTERNET]
20
Firewall Installation Issues
• DNS Problems
• Web Server
• FTP Server
• Mail Server
• Mobile Users
• Performance
21
Address Transparency
• Need to make some addresses visible to external hosts.
• Firewall lets external hosts connect as if firewall was not there.
• Firewall still performs authentication
22
Network Address Translation
[Figure: internal network 10.0.0.0 – Firewall/Gateway – Internet; public address block 128.194.103.0]
23
Network Address Translation
[Figure: Host A (internal host running ftp) – Gateway Host (proxy ftp, gw control) – Host B (external host running ftpd); each stack shows TCP / IP / Data Link / Hardware, with the datagrams labelled Datagram A–GW on the inside and Datagram A–B on the outside]
24
IP Packet Handling
• Disables IP Packet Forwarding
• Cannot function as an insecure router
• e.g. ping packets will not be passed
• Fail Safe rather than Fail Open
• Only access is through proxies
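The two Network Address Translation slides and the IP Packet Handling slide describe the same gateway from two sides: outbound flows are rewritten to the public address, and anything inbound that answers no inside-initiated flow is dropped rather than forwarded. The following is an added example, not the product's code, of a toy NAT/PAT gateway doing both. The public host address 128.194.103.1 is a constructed address inside the 128.194.103.0 block the slide shows; the inside and outside hosts are constructed too.

```python
# Added example (not the product's code): a toy NAT/PAT gateway of the kind the
# slides' diagrams sketch. Inside hosts use 10.0.0.0/8; the gateway's single
# public address 128.194.103.1 is a constructed host in the 128.194.103.0 block.
# Inbound datagrams that match no inside-initiated flow are dropped, which is
# the fail-safe behaviour of the IP Packet Handling slide.
from __future__ import annotations

from dataclasses import dataclass, replace
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._ports = count(first_port)
        # One public port per (inside src, sport, outside dst, dport) flow.
        self.by_flow: dict[tuple[str, int, str, int], int] = {}
        self.by_port: dict[int, tuple[str, int, str, int]] = {}

    def egress(self, dg: Datagram) -> Datagram:
        """Inside -> outside: rewrite the source to the public address and a
        gateway-chosen port, remembering the mapping for the reply."""
        flow = (dg.src, dg.sport, dg.dst, dg.dport)
        port = self.by_flow.get(flow)
        if port is None:
            port = next(self._ports)
            self.by_flow[flow] = port
            self.by_port[port] = flow
        return replace(dg, src=self.public_ip, sport=port)

    def ingress(self, dg: Datagram) -> Optional[Datagram]:
        """Outside -> inside: translate back only if the datagram answers a
        flow an inside host opened; otherwise return None (drop)."""
        if dg.dst != self.public_ip:
            return None
        flow = self.by_port.get(dg.dport)
        if flow is None:
            return None                      # nobody inside asked for this
        in_src, in_sport, out_dst, out_dport = flow
        if (dg.src, dg.sport) != (out_dst, out_dport):
            return None                      # right port, wrong peer
        return replace(dg, dst=in_src, dport=in_sport)


def demo() -> dict[str, Optional[Datagram]]:
    """One outbound request, its reply, and two inbound datagrams that match
    nothing the inside asked for."""
    gw = NatGateway("128.194.103.1")
    request = Datagram("10.0.0.5", 51000, "203.0.113.9", 80)
    outbound = gw.egress(request)
    reply = gw.ingress(Datagram("203.0.113.9", 80, "128.194.103.1", outbound.sport))
    unsolicited = gw.ingress(Datagram("203.0.113.9", 80, "128.194.103.1", 40001))
    wrong_peer = gw.ingress(Datagram("198.51.100.7", 80, "128.194.103.1", outbound.sport))
    return {"outbound": outbound, "reply": reply,
            "unsolicited": unsolicited, "wrong_peer": wrong_peer}


if __name__ == "__main__":
    for name, dg in demo().items():
        print(f"{name:12s} {dg if dg is not None else 'dropped'}")
```

Keying the translation table on the full four-tuple (rather than only the inside source) means an outside host cannot reach an inside host through a mapped port unless it is the very peer that host contacted; the "fail safe rather than fail open" default is simply that `ingress` returns None whenever the table says nothing.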
25
DNS Proxy Security
[Figure: finance.xyz.com, sales.xyz.com and marketing.xyz.com behind the Eagle Gateway (eagle.xyz.com) running DNSd, with an External DNS Server on the INTERNET]
26
Virtual Private Tunnels
[Figure: “Hello” is Encapsulated, Authenticated and Encrypted into ciphertext that crosses the INTERNET, then Decapsulated, Authenticated and Decrypted at the far end]
Creates a “Virtual Private Network”
27
VPN Secure Tunnels
• Two types of Tunnels supported
– SwIPe and IPsec tunnels
• Encryption
– DES, triple DES and RC2
• Secret key used for authentication and encryption
• Trusted hosts are allowed to use the tunnel on both ends
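The two tunnel slides name the steps (encapsulate, authenticate, encrypt, and their inverse) without showing them. The following is an added example, not SwIPe or IPsec code and not the product's, of one tunnel endpoint performing those steps with the Python standard library only. It is an illustrative construction: the cipher is HMAC-SHA256 used as a PRF in counter mode (a stream cipher), the MAC is HMAC-SHA256 over the outer header and ciphertext (encrypt-then-MAC), and the one shared secret is split into separate cipher and MAC subkeys. The tunnel addresses and the secret are constructed.

```python
# Added example (not SwIPe or IPsec code, and not the product's): one tunnel
# endpoint doing the slide's three steps, encapsulate, authenticate, encrypt,
# and their inverse. Illustrative construction with the standard library only:
# the cipher is HMAC-SHA256 as a PRF in counter mode (keyed separately from
# the MAC), the MAC is HMAC-SHA256 over header plus ciphertext (encrypt-then-
# MAC). Tunnel addresses and the shared secret are constructed.
from __future__ import annotations

import hashlib
import hmac
import socket
import struct
from typing import Optional

HEADER = struct.Struct(">4s4sQ")    # outer header: tunnel src, tunnel dst, sequence no.
TAG_LEN = 32


def derive_keys(secret: bytes) -> tuple[bytes, bytes]:
    """Key separation: the one shared secret yields independent cipher and
    MAC subkeys, so the MAC key never doubles as the encryption key."""
    enc = hmac.new(secret, b"tunnel encryption", hashlib.sha256).digest()
    mac = hmac.new(secret, b"tunnel authentication", hashlib.sha256).digest()
    return enc, mac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode. The nonce is the outer header, which differs per
    packet (sequence number) and per direction (src/dst), so no keystream
    is ever reused under one key."""
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class TunnelEndpoint:
    def __init__(self, secret: bytes, local_ip: str, peer_ip: str) -> None:
        self.enc_key, self.mac_key = derive_keys(secret)
        self.local = socket.inet_aton(local_ip)
        self.peer = socket.inet_aton(peer_ip)   # the one trusted host at the far end
        self.send_seq = 0
        self.recv_seq = 0                       # highest sequence number accepted

    def encapsulate(self, inner: bytes) -> bytes:
        """inner datagram -> outer header | ciphertext | tag"""
        self.send_seq += 1
        header = HEADER.pack(self.local, self.peer, self.send_seq)       # encapsulate
        ciphertext = xor(inner, keystream(self.enc_key, header, len(inner)))  # encrypt
        tag = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()  # authenticate
        return header + ciphertext + tag

    def decapsulate(self, wire: bytes) -> Optional[bytes]:
        """Returns the inner datagram, or None if the packet fails
        authentication, comes from the wrong host, or is a replay."""
        if len(wire) < HEADER.size + TAG_LEN:
            return None
        header, ciphertext, tag = (wire[:HEADER.size],
                                   wire[HEADER.size:-TAG_LEN], wire[-TAG_LEN:])
        expected = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                      # authenticate before decrypting
        src, dst, seq = HEADER.unpack(header)
        if src != self.peer or dst != self.local:
            return None                      # only the trusted peer may use the tunnel
        if seq <= self.recv_seq:
            return None                      # replayed or reordered packet
        self.recv_seq = seq
        return xor(ciphertext, keystream(self.enc_key, header, len(ciphertext)))  # decrypt


def demo() -> dict[str, Optional[bytes]]:
    """Two endpoints sharing one secret; one packet delivered, then the same
    packet replayed, then a copy with one ciphertext bit flipped."""
    secret = b"constructed shared secret, not a real key"
    a = TunnelEndpoint(secret, "198.51.100.1", "203.0.113.1")
    b = TunnelEndpoint(secret, "203.0.113.1", "198.51.100.1")
    wire = a.encapsulate(b"Hello")
    tampered = wire[:HEADER.size] + bytes([wire[HEADER.size] ^ 0x01]) + wire[HEADER.size + 1:]
    return {
        "ciphertext": wire[HEADER.size:-TAG_LEN],   # what the INTERNET sees
        "received": b.decapsulate(wire),
        "replayed": b.decapsulate(wire),
        "tampered": b.decapsulate(tampered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:10s} {value!r}")
```

The receiver checks the tag before it touches the ciphertext, checks the outer addresses against its configured peer (the slide's "trusted hosts on both ends"), and rejects sequence numbers it has already seen; a production tunnel would use an AEAD cipher and IPsec's anti-replay window rather than this strict ordering.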
28
Designing DMZ’s
[Figure: INTERNET – Screening Router – DMZ (Web, FTP) – Company Intranet]
29
Firewall Design Project
[Figure: design project diagram with labels Wide Area Router, Dallas, Raptor Remote, Hawk Console, INTERNET, Mail Server, San Jose, Raptor Eagle, File Server, Internet Router]
30
Monitoring
• Many tools exist for capturing network traffic.
• Other tools can analyze captured traffic for “bad” things.
• Few tools are real-time.
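The Monitoring slide separates capture from analysis. The following is an added example, not from the slides, of the second half: an offline analyser that reads a constructed capture summary and flags two of the threats from the Network Threats slides, random port scanning and TCP SYN floods. The log format, the addresses and the thresholds are all assumptions made for this example.

```python
# Added example (not from the slide deck): an offline analyser that reads a
# constructed capture summary and flags two of the network threats listed
# earlier in the deck, port scans and TCP SYN floods. Log format, addresses
# and thresholds are all assumptions made for this example.
from __future__ import annotations

from collections import defaultdict
from typing import NamedTuple


class Event(NamedTuple):
    t: float
    src: str
    dst: str
    dport: int
    flags: str    # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


# Constructed sample: one host sweeps ten ports on 10.0.0.7, one normal
# handshake to an outside web server, then fifty SYNs from fifty different
# sources to 10.0.0.8:80 that are never completed.
SAMPLE_LOG = "\n".join(
    ["# time src dst dport flags"]
    + [f"100.{i} 203.0.113.5 10.0.0.7 {p} S"
       for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389])]
    + ["101.0 10.0.0.9 203.0.113.20 443 S",
       "101.1 203.0.113.20 10.0.0.9 51234 SA",
       "101.2 10.0.0.9 203.0.113.20 443 A"]
    + [f"200.{i:02d} 198.51.100.{i} 10.0.0.8 80 S" for i in range(1, 51)]
)


def parse(log: str) -> list[Event]:
    events = []
    for line in log.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, src, dst, dport, flags = line.split()
        events.append(Event(float(t), src, dst, int(dport), flags))
    return events


def find_port_scans(events: list[Event], window: float = 5.0,
                    threshold: int = 8) -> set[tuple[str, str]]:
    """(src, dst) pairs where src sent SYNs to >= threshold distinct ports
    of dst inside any window of `window` seconds."""
    syns: dict[tuple[str, str], list[tuple[float, int]]] = defaultdict(list)
    for e in events:
        if e.flags == "S":
            syns[(e.src, e.dst)].append((e.t, e.dport))
    scans = set()
    for pair, hits in syns.items():
        hits.sort()
        for t0, _ in hits:
            ports = {p for t, p in hits if t0 <= t <= t0 + window}
            if len(ports) >= threshold:
                scans.add(pair)
                break
    return scans


def find_syn_floods(events: list[Event], timeout: float = 3.0,
                    threshold: int = 30) -> set[tuple[str, int]]:
    """(dst, dport) services with >= threshold half-open handshakes: SYNs not
    followed by an ACK from the same source within `timeout` seconds."""
    acks: dict[tuple[str, str, int], list[float]] = defaultdict(list)
    for e in events:
        if e.flags == "A":
            acks[(e.src, e.dst, e.dport)].append(e.t)
    half_open: dict[tuple[str, int], int] = defaultdict(int)
    for e in events:
        if e.flags != "S":
            continue
        completed = any(e.t < t <= e.t + timeout
                        for t in acks.get((e.src, e.dst, e.dport), []))
        if not completed:
            half_open[(e.dst, e.dport)] += 1
    return {svc for svc, n in half_open.items() if n >= threshold}


def analyze(log: str) -> dict[str, set]:
    events = parse(log)
    return {"port_scans": find_port_scans(events),
            "syn_floods": find_syn_floods(events)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, sorted(hits))
```

Both detectors key on what the threat leaves behind in the capture: a scan is one source touching many ports of one host in a short window, a SYN flood is many handshakes to one service that never complete. Run after the fact over a capture file this is exactly the "analyze captured traffic for bad things" the slide describes; doing the same over a live feed with a sliding window is what makes a tool real-time.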
31
Summary
• Security must be comprehensive to be effective.
• Remember threat, value, cost when implementing a system.
• Security is achievable, but never 100%.
• Make your system fault tolerant.