Network Security
• At this point, we are looking to secure all of the computers in "our" network from outside and inside attack.
– If a machine is compromised, we would like to avoid it compromising the rest of the network, or at least contain/minimize the damage.
Where to start?
• First internal security, by looking at the computers
– What category do they fall into?
• personal, business workstation, server, sensitive systems.
– That determines which computers need access to other computers (i.e. servers to workstations, etc.).
– From there we can isolate computers on our network from each other
• limiting access and limiting damage
Layer security pieces
• Once the "computers" are sorted, then layer the security to maximize protection.
– Firewalls on top (and where needed for more security)
– Filtering with routers, so parts of the internal network that don't need to "talk" to each other, don't.
– IDS and monitoring to make sure attempts to breach security are not successful.
VLANS in summary
• VLANs combine shared hubs, switching, routing, and network management
– Remove physical boundaries on switches
– Better control of broadcast domains
• VLANs are invisible to end users
• Offer significant cost and performance benefits in switched LANs
– Better use of switches
– Easy to add or move network stations
– Tighten security
Routers
• Packet routing, forwarding and filtering, and VLANs
– Once a set of computers is classified, they can go into VLANs.
– The router can be configured so that packets can't be routed between two VLANs
– Or packets can be forwarded between the VLANs as needed.
• Newer routers can also route based on the type of packet as well (ICMP, TCP, UDP, etc.).
Proxy
• Proxy servers
– Allow a client to access a server through an intermediate computer.
• The proxy server is secured and it accepts requests for access to a server (or even the internet), then makes the request to the server.
• The proxy server is allowed to talk to the server, while the client is not allowed to talk to the server directly.
– Many firewalls with NAT work as a type of proxy.
Firewall
• Definition: A system that cannot be broken into.
– It monitors traffic, and "protects" the computer.
• Configured so that only certain inbound and outbound ports are "open"
• i.e. blocking port 6000 means that nothing can remotely talk to that port and the computer can't use that port to talk to a remote machine.
– Can be configured for only outbound or only inbound as well.
Firewall Categories
• Packet filtering gateway
– Simple firewall, works like router filtering, but at a higher OSI layer.
• Stateful inspection firewalls
– Maintain more information about network connections
• Personal firewalls (software firewalls)
– Normally on users' computers
Network firewalls
• Packet filtering
– Not only IP addresses like routers, but ports and types of packets, such as allowing only TCP, while blocking UDP and all ICMP packets.
– NFS packets are blocked, but not ssh packets.
• Firewalls may provide Network Address Translation (NAT)
• May provide zones of security
– Unrestricted access, protected zones (called DMZs) and no access.
Stateful
• Included in most high end firewalls and many personal firewalls as well.
– Since each packet of data has no context
• the packet may be fragmented as well.
– It's difficult to figure out what a packet of data is doing. Is it an attack?
• A classic attack is to fragment a packet, so it's hard to detect an attack signature.
• Also remember packets may arrive in any order; the receiving computer (with TCP) will order them correctly.
• So a stateful firewall will track the sequence of packets in order to "thwart" this type of attack.
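To make the difference between the packet-filter rules above (TCP only, NFS blocked, ssh allowed, DMZ vs. workstation zones) and stateful tracking concrete, here is a small Python simulation added as an example; it is not code from the lecture, and the addresses, ports and packet sequence are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True = TCP SYN opening a new connection

# Static rules in the spirit of the lecture's packet filter: only TCP is
# allowed (UDP and all ICMP are dropped), NFS (2049) is blocked, ssh is not.
ALLOWED_PROTOS = {"tcp"}
BLOCKED_PORTS = {2049}
DMZ_SERVICES = {"203.0.113.10": {22, 80}}   # constructed DMZ host
WORKSTATIONS = {"192.168.1.20"}             # constructed protected zone

class StatefulFirewall:
    def __init__(self):
        self.conntrack = set()  # (client, cport, server, sport) seen so far
    def filter(self, pkt: Packet) -> str:
        if pkt.proto not in ALLOWED_PROTOS or pkt.dport in BLOCKED_PORTS:
            return "DROP"
        # Reply belonging to a connection we already tracked: state says OK.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "ACCEPT"
        # New outbound connection from a workstation: remember it.
        if pkt.syn and pkt.src in WORKSTATIONS:
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # New inbound connection, but only to a published DMZ service.
        if pkt.syn and pkt.dport in DMZ_SERVICES.get(pkt.dst, set()):
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Unsolicited inbound, or a mid-stream packet with no tracked
        # connection: a stateless port filter alone could not tell these apart.
        return "DROP"

SAMPLE = [  # constructed packet sequence, in arrival order
    Packet("tcp", "192.168.1.20", 40000, "198.51.100.5", 80, syn=True),  # ws -> web
    Packet("tcp", "198.51.100.5", 80, "192.168.1.20", 40000),            # web reply
    Packet("tcp", "198.51.100.9", 4444, "192.168.1.20", 40000),          # forged reply
    Packet("tcp", "198.51.100.9", 4444, "192.168.1.20", 22, syn=True),   # inbound to ws
    Packet("tcp", "198.51.100.9", 4444, "203.0.113.10", 80, syn=True),   # DMZ web
    Packet("tcp", "198.51.100.9", 4444, "203.0.113.10", 2049, syn=True), # NFS
    Packet("udp", "198.51.100.9", 4444, "203.0.113.10", 53),             # UDP
]

def run_sample():
    fw = StatefulFirewall()
    return [fw.filter(p) for p in SAMPLE]
```

Only the real reply to the workstation's own connection is accepted; the forged reply to the same port, which a pure port filter would have to let through, is dropped because no tracked connection matches it.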
Software firewalls
• Good for personal computers
– Limited by the O/S and what the computer is doing
– Provide little protection from DoS attacks.
• Very good for adding more protection to a single machine, in conjunction with an upstream hardware firewall.
• For department or enterprise firewalls
– A computer (or several computers) is tasked as a firewall and does nothing else.
• Many security experts recommend using a hardware firewall appliance with software firewalls whenever possible.
Why use firewalls?
• Three aspects referred to as the CIA: Confidentiality, Integrity, and Availability
– Confidentiality: protect data/information you want private.
– Integrity: Make sure data/computer has not been tampered with
– Availability: So a remote attack does not bring down the computer.
Zones of Security
• Firewalls can be configured for zones of security.
– An area where there is no protection
• for personal/home computers
– An area where machines can be accessed from the internet, but only on certain ports (called DMZ)
• for web, ftp, DNS, VPN servers, etc.
– An area where there is no inbound access
• For workstations etc. No one needs to access them from the internet.
– An area where there is no inbound and outbound access
• "Sensitive" computers
Zones of Security (2)
• Each zone can be configured with the necessary security
• Each zone can also be protected from other zones.
– A server zone: Allow no inbound access from the internet, no inbound traffic from the unprotected zone and the DMZ, but all connections from workstations.
NAT
• Network Address Translation
– The internal computers have 10.x.x.x or 192.168.x.x IP numbers
– When a packet is sent from a computer to the "internet", the firewall receives the packet, changes the packet to its own address, then sends it to the internet and waits for a response
• Also changes the source port number as well.
– When a response is received, the firewall forwards the packet on to the computer.
• NAT can be a separate appliance or used in other devices (including routers and firewalls)
NAT
• Since the firewall acts as the go-between, the internal computer is protected.
• A side effect is that you only need a limited number of real IP numbers, while using the 10.x.x.x IP set for the internal network.
• The firewall is configured to have real IP numbers on machines accessed from the outside, such as web servers.
NAT issues
• NAT works great if all network applications follow the OSI model standards.
– Of course there are many apps that don't.
– Example: FTP
• The IP and port number are in the layer 7 data of the packet. Big problem.
– FTP has two modes, active and passive.
• In passive mode, which is for firewalls, the server sends its IP number and a port number for the client to make a connection for file transfers.
– Since the IP number and port are in the layer 7 data, the NAT must read and change the IP and port number the "world" sees.
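The two NAT slides and the FTP problem above can be shown in one small Python model, added here as an example (not from the lecture): layer 3/4 translation of source address and port, forwarding of the response, dropping of unmapped inbound packets, and the layer 7 rewrite of an FTP passive-mode reply from a server behind the NAT. The public address, private addresses, ports and the 227 reply are constructed.

```python
import re

PUBLIC_IP = "203.0.113.10"   # the firewall's one real address (constructed)
# FTP passive-mode reply: "227 ... (h1,h2,h3,h4,p1,p2)", port = p1*256 + p2
PASV_RE = re.compile(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

class Nat:
    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}     # (inside_ip, inside_port) -> public port
        self.reverse = {}   # public port -> (inside_ip, inside_port)
    def _map(self, inside_ip, inside_port):
        # Allocate (or reuse) a public source port for an inside socket.
        key = (inside_ip, inside_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return self.table[key]
    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        # Layer 3/4: private source becomes the public IP plus a mapped port.
        return (self.public_ip, self._map(src_ip, src_port), dst_ip, dst_port)
    def inbound(self, src_ip, src_port, dst_port):
        # A packet from outside is forwarded only if its destination port was
        # mapped; anything unsolicited has no entry and is dropped (None).
        key = self.reverse.get(dst_port)
        return None if key is None else (src_ip, src_port, key[0], key[1])
    def alg_pasv(self, reply):
        # Layer 7: an FTP server behind the NAT announces its private address
        # and data port; rewrite them to the public view and pre-map the port.
        m = PASV_RE.search(reply)
        if not m:
            return reply
        f = m.groups()
        priv_ip = ".".join(f[:4])
        priv_port = int(f[4]) * 256 + int(f[5])
        pub_port = self._map(priv_ip, priv_port)
        pub_ip = self.public_ip.replace(".", ",")
        return f"227 Entering Passive Mode ({pub_ip},{pub_port // 256},{pub_port % 256})"

def demo():
    nat = Nat()
    out = nat.outbound("192.168.1.20", 51000, "198.51.100.5", 80)  # ws -> web
    back = nat.inbound("198.51.100.5", 80, out[1])      # reply goes to the ws
    stray = nat.inbound("198.51.100.9", 1234, 55555)    # unmapped: dropped
    pasv = nat.alg_pasv("227 Entering Passive Mode (10,0,0,5,15,160)")
    data = nat.inbound("198.51.100.5", 52000, 40001)    # client's data connection
    return out, back, stray, pasv, data
```

Without the alg_pasv rewrite the client on the internet would try to connect to 10.0.0.5:4000, an address it cannot reach, which is exactly the failure the slide describes.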
What Firewalls can’t do
• Don't protect data outside the perimeter
• Don't protect against computer-to-computer attacks inside of the firewall, except between zones.
– If it doesn't pass through the firewall, then it can't offer any protection.
• Don't necessarily protect open ports.
– If port 80 is open to the outside world, then the firewall can't protect it against every attack.
• Some attacks will look like normal traffic.
• And firewalls themselves are also targets of attacks.
Example web site security
SOURCE: INTERSHOP
How are web sites constructed?
[Figure: multi-tier web site. Tier 1; Tier 2: Server; Tier 3: Applications; Tier 4: Database]
VPN
• VPN: virtual private network
– A method to provide a secure connection between two networks over an insecure line
– A VPN client connects to the VPN server. All networking from the client is directed to the server, which acts as the network gateway.
• So your network traffic is behind the firewall and you can access everything like normal.
VPN (2)
• A VPN client connects to the VPN server.
– All networking from the client is directed to the server, which acts as the network gateway.
• So the client functions as if it was behind the firewall and could access everything like normal.
– Example
• An employee goes on a business trip and connects to an unsecured network. They connect to the VPN server (via the client) and now have a secure connection to "work" over the unsecured network.
VPN Issues
• Split tunneling
– Traffic to the "protected" network goes through the VPN connection
– Everything else goes out the default route
– Much more efficient but not as secure.
• When a user is working from, say, a hotel and VPNs to campus/office
– Only traffic to the campus goes over the VPN
– So now if there is an attacker in the hotel, they can attack the laptop and then have direct access into the campus/office via the compromised laptop.
• Remember VPN servers are deployed behind the firewall.
• In the VPN lecture, we look at how the VPN's encrypted tunnel is created using either IPSEC or SSL/TLS.
• Then other defensive measures can be used in conjunction with firewalls
– IDS/NIPS
– Smoke and mirrors defenses