
Network Security Technologies


Page 1: Network Security Technologies

Network Security Technologies

CS490 - Security in Computing

Copyright © 2005 by Scott Orr and the Trustees of Indiana University

Page 2: Network Security Technologies

References

Security in Computing, 3rd Ed., Chapter 7 (pgs. 457-479)

Page 3: Network Security Technologies

Section Overview

Firewall Components
Firewall Architectures
Network Intrusion Systems
Honeypots

Page 4: Network Security Technologies

Internet Firewalls

[Diagram: Internet, DMZ, Internal Network]

Page 5: Network Security Technologies

Firewall Benefits

Host Service Protection
Host Access Control
Centralized Point of Security
Enhanced Privacy
Increased Audit Logging
Policy Enforcement

Page 6: Network Security Technologies

Implementation Issues

Service Restrictions
Allowed Service Vulnerabilities
User Backdoors
Insider Attacks
Viruses
Network Throughput to/from Internet
Single Point of Failure

Page 7: Network Security Technologies

Firewall Components

Network Policy
Advanced Authentication
Packet Filtering
Application Gateways

Page 8: Network Security Technologies

Network Policy

Service Access Policy
  Extension of Site Security Policy
  Which services are allowed to/from which hosts
  Who is authorized to change policy

Firewall Design Policy
  How Service Access Policy is implemented
  Either…
    Permit any service unless it is expressly denied
    Deny any service unless it is expressly permitted

Page 9: Network Security Technologies

Advanced Authentication

Using one-time password techniques to allow access via certain services

[Diagram: Internet, Internal Network; unauthenticated vs. authenticated access]

Page 10: Network Security Technologies

Packet Filtering Routers

Allowing/Restricting access based on:
  IP Addresses (source/destination)
  Protocol (TCP/UDP/ICMP)
  TCP/UDP Ports (source/destination)
  ICMP Message Type
  Packet Size
  Router Interface/Direction

Single and multiple addresses/ports per entry

Screening Routers

Page 11: Network Security Technologies

Packet Filtering Options

Send the packet
Reject the packet
Drop the packet
Log information about the packet
Notify administrator (set off an alarm)
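As an added example (not from the slides), a small first-match packet filter in Python: it evaluates the criteria of slide 10 against a constructed rule set and returns one of the actions of slide 11, with the default action standing in for the firewall design policy of slide 8 (deny unless expressly permitted, or permit unless expressly denied). The packet fields, rule syntax, addresses and ports are all constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:                        # constructed summary of the fields slide 10 lists
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    size: int = 64
    iface: str = "external"          # interface the packet arrived on

@dataclass(frozen=True)
class Rule:
    action: str                      # "accept", "reject" or "drop"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dports: frozenset = frozenset()  # empty set matches any destination port
    icmp_type: Optional[int] = None
    max_size: Optional[int] = None
    iface: Optional[str] = None
    log: bool = False
    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or p.proto == self.proto)
                and (not self.dports or p.dport in self.dports)
                and (self.icmp_type is None or p.icmp_type == self.icmp_type)
                and (self.max_size is None or p.size <= self.max_size)
                and (self.iface is None or p.iface == self.iface))

def filter_packet(rules, p: Packet, default: str = "drop"):
    """First matching rule decides; `default` is the design policy: "drop" =
    deny unless expressly permitted, "accept" = permit unless expressly denied."""
    for r in rules:
        if r.matches(p):
            return r.action, r.log
    return default, True    # always log what fell through: no rule anticipated it

# Constructed rule set for a deny-unless-permitted screening router.
RULES = [
    Rule("drop", src="192.168.0.0/16", iface="external", log=True),  # internal range from outside
    Rule("accept", dst="192.168.1.10/32", proto="tcp", dports=frozenset({25, 80})),
    Rule("accept", proto="icmp", icmp_type=0),              # echo replies only
    Rule("reject", proto="tcp", dports=frozenset({113})),   # ident: reject so clients fail fast
]
```

Switching `default` to "accept" turns the same rule set into a permit-unless-denied policy, which is why the fall-through case is always logged.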

Page 12: Network Security Technologies

Packet Filtering Weaknesses

Hard to configure
Hard to test
The more complex the rules, the more performance might be impacted
No Advanced Authentication support

Page 13: Network Security Technologies

Application Gateways

Service components allowed/denied based on rule set
Each packet repackaged after examination
Information hiding
Robust authentication and logging

Page 14: Network Security Technologies

Application GW Weaknesses

Scalability
  Each service requires its own proxy
  Difficult to manage connectionless protocols
Performance
  Each packet gets repackaged
OS/Service Bugs

Page 15: Network Security Technologies

Circuit Gateways

Similar to Application Gateway
No packet processing done at the gateway

Page 16: Network Security Technologies

Stateful Multi-Layer Inspection

Inspects raw packets
Inspection engine intercepts packet at the OSI Network Layer
Context Aware
Creates a virtual state for connectionless protocols

Source: Checkpoint Software Technologies Ltd.

Page 17: Network Security Technologies

Firewall Architectures

Single Device
  Screening Router
  Dual-Homed Host
Multi-Device
  Screened Host
  Screened Subnet
  Split-Screened Subnet

Page 18: Network Security Technologies

Screening Router

[Diagram: Internet, Screening Router, Internal Network]

Page 19: Network Security Technologies

Dual-Homed Gateway

[Diagram: Internet, Proxy Server (dual-homed), Internal Network; Info Server]

Page 20: Network Security Technologies

Network Address Translation

Not specifically for security (RFC 1918)
Hides internal network configuration
1 to 1 allocation
  Static
  Dynamic
IP Masquerading
  Many internal addresses using 1 external address
  Only internal hosts can initiate a connection
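Slide 16's virtual state for connectionless protocols and slide 20's rule that only internal hosts can initiate both come down to a table of tracked flows. As an added example (not from the slides or from Checkpoint), a Python IP masquerader for UDP: it allocates one external port per internal flow, translates replies only while a matching entry is live, and ages entries out. The external address, port range and idle timeout are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

EXTERNAL_IP = "203.0.113.7"   # constructed: the one address the outside sees
IDLE_TIMEOUT = 30.0           # seconds an unused UDP flow stays in the table

@dataclass
class Datagram:               # constructed: just the addressing fields
    src: str
    sport: int
    dst: str
    dport: int

class Masquerader:
    """Many internal addresses behind one external address. An outbound
    datagram creates a table entry (the 'virtual state' a stateful engine
    keeps for connectionless UDP); an inbound datagram is translated only
    if it matches a live entry, so outside hosts cannot initiate."""
    def __init__(self, first_port: int = 40000):
        self.next_port = first_port
        # external port -> (internal ip, internal port, peer ip, peer port, last seen)
        self.table: Dict[int, Tuple[str, int, str, int, float]] = {}
        self.by_flow: Dict[Tuple[str, int, str, int], int] = {}

    def outbound(self, d: Datagram, now: float) -> Datagram:
        flow = (d.src, d.sport, d.dst, d.dport)
        port = self.by_flow.get(flow)
        if port is None:                      # new flow: allocate an external port
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
        self.table[port] = (d.src, d.sport, d.dst, d.dport, now)
        return Datagram(EXTERNAL_IP, port, d.dst, d.dport)

    def inbound(self, d: Datagram, now: float) -> Optional[Datagram]:
        entry = self.table.get(d.dport) if d.dst == EXTERNAL_IP else None
        if entry is None:
            return None                       # no state: unsolicited, dropped
        src, sport, peer, pport, seen = entry
        if now - seen > IDLE_TIMEOUT:         # state aged out: forget it
            del self.table[d.dport]
            del self.by_flow[(src, sport, peer, pport)]
            return None
        if (d.src, d.sport) != (peer, pport):
            return None                       # reply must come from the host we sent to
        self.table[d.dport] = (src, sport, peer, pport, now)
        return Datagram(d.src, d.sport, src, sport)
```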

Page 21: Network Security Technologies

Screened Host

[Diagram: Internet, Screening Router, Internal Network with Bastion Host and Internet Server]

Page 22: Network Security Technologies

Screened Subnet

[Diagram: Internet, Screening Router, subnet with Bastion Host and Internet Server, Screening Router, Internal Network]

Page 23: Network Security Technologies

Split Screened Subnet

[Diagram: Internet, Screening Router, Internet Server, Dual-Homed Proxy, Intranet Server, Screening Router, Internal Network]

Page 24: Network Security Technologies

Network Intrusion Detection

[Diagram: Internet, Screening Router, Dual-Homed Proxy, Screening Router, Internal Network; Sensors and Analysis Station]

Page 25: Network Security Technologies

IDS Analysis

Knowledge based (attack signatures)
  Port Scans
  Denial of Service
  Known Service Attacks
  Spoofing
  Content
Behavioral based
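The port-scan signature of the knowledge-based approach, as an added example (not from the slides): Python detection logic run over constructed firewall log lines in a made-up key=value format. The threshold and window values are assumptions, and the comments note how they trade off the false positives and false negatives of slide 26.

```python
import re
from collections import defaultdict, deque

# Constructed firewall log lines in a made-up key=value format; one outside
# host sweeps several ports quickly, one inside host uses a few services slowly.
LOG = """\
t=100 src=198.51.100.7 dst=192.168.1.10 proto=tcp dport=21 action=drop
t=101 src=198.51.100.7 dst=192.168.1.10 proto=tcp dport=22 action=drop
t=101 src=198.51.100.7 dst=192.168.1.10 proto=tcp dport=23 action=drop
t=102 src=198.51.100.7 dst=192.168.1.10 proto=tcp dport=25 action=accept
t=103 src=198.51.100.7 dst=192.168.1.10 proto=tcp dport=80 action=accept
t=104 src=198.51.100.7 dst=192.168.1.10 proto=tcp dport=110 action=drop
t=105 src=10.0.0.4 dst=192.168.1.10 proto=tcp dport=80 action=accept
t=700 src=10.0.0.4 dst=192.168.1.10 proto=tcp dport=443 action=accept
t=1400 src=10.0.0.4 dst=192.168.1.10 proto=tcp dport=25 action=accept
"""

LINE = re.compile(r"t=(\d+) src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+) action=(\w+)")

def parse(log):
    """Yield (time, src, dst, proto, dport, action); skip lines that do not match."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            t, src, dst, proto, dport, action = m.groups()
            yield int(t), src, dst, proto, int(dport), action

def detect_port_scans(log, threshold=5, window=60):
    """Knowledge-based signature: one source touches >= `threshold` distinct
    destination ports on one host within `window` seconds. Accepted and
    dropped packets both count, since a scan hits open ports too. Returns
    [(time, src, dst, sorted_ports)], one alert per (src, dst) pair."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (time, dport)
    alerted, alerts = set(), []
    for t, src, dst, _proto, dport, _action in parse(log):
        key = (src, dst)
        q = recent[key]
        q.append((t, dport))
        while q and t - q[0][0] > window:   # slide the window forward
            q.popleft()
        ports = {p for _, p in q}
        # Threshold and window trade false positives against false negatives:
        # too low flags a busy legitimate client, too high misses a slow scan.
        if len(ports) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((t, src, dst, sorted(ports)))
    return alerts
```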

Page 26: Network Security Technologies

IDS Weaknesses

Very young technology
False Positives
False Negatives
Scalability

Page 27: Network Security Technologies

Honeypots

Sacrificial host used to lure attackers
Simulates a vulnerable system
Used to study attacker techniques
  Firewall/IDS traffic logs
  System logs
  File Integrity Checker logs
  Keystroke capturing

Early Case – “Berferd”