Network Security Technologies
Presentation Transcript

  • Network Security Technologies CS490 - Security in Computing Copyright © 2005 by Scott Orr and the Trustees of Indiana University
  • References
    • Security in Computing, 3rd Ed.
      • Chapter 7 (pgs. 457-479)
  • Section Overview
    • Firewall Components
    • Firewall Architectures
    • Network Intrusion Systems
    • Honeypots
  • Internet Firewalls (diagram: Internet, DMZ, Internal Network)
  • Firewall Benefits
    • Host Service Protection
    • Host Access Control
    • Centralized Point of Security
    • Enhanced Privacy
    • Increased Audit Logging
    • Policy Enforcement
  • Implementation Issues
    • Service Restrictions
    • Allowed Service Vulnerabilities
    • User Backdoors
    • Insider Attacks
    • Viruses
    • Network Throughput to/from Internet
    • Single Point of Failure
  • Firewall Components
    • Network Policy
    • Advanced Authentication
    • Packet Filtering
    • Application Gateways
  • Network Policy
    • Service Access Policy
      • Extension of Site Security Policy
      • Which services are allowed to/from which hosts
      • Who is authorized to change policy
    • Firewall Design Policy
      • How Service Access Policy is implemented
      • Either…
        • Permit any service unless it is expressly denied
        • Deny any service unless it is expressly permitted
  • Advanced Authentication: using one-time password techniques to allow access via certain services (diagram: unauthenticated and authenticated paths between the Internet and the Internal Network)
  • Packet Filtering Routers
    • Allowing/Restricting access based on:
      • IP Addresses (source/destination)
      • Protocol (TCP/UDP/ICMP)
      • TCP/UDP Ports (source/destination)
      • ICMP Message Type
      • Packet Size
      • Router Interface/Direction
    • Single and multiple addresses/ports per entry
    • Screening Routers
  • Packet Filtering Options
    • Send the packet
    • Reject the packet
    • Drop the packet
    • Log information about the packet
    • Notify administrator (set off an alarm)
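As an added example (not part of the slides), the following toy screening router ties the last two slides together: rules match on the fields listed under Packet Filtering Routers, take the actions listed under Packet Filtering Options, and the implicit last rule implements the "deny any service unless it is expressly permitted" design policy. The addresses (internal net 10.0.0.0/8, DMZ web server 192.0.2.10) and the rule set are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    direction: str                   # "in" = from the Internet, "out" = from the internal net
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[int] = None  # ICMP message type

@dataclass(frozen=True)
class Rule:
    action: str                      # "send", "reject" (tell the sender) or "drop" (silent)
    src: str = "0.0.0.0/0"           # CIDR prefixes; a single host is a /32
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None      # None in any field below means "match anything"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    direction: Optional[str] = None
    log: bool = False                # "log information about the packet"
    alarm: bool = False              # "notify administrator"
    def matches(self, p: Packet) -> bool:
        if (ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src)
                or ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst)):
            return False
        return all(want is None or want == have for want, have in (
            (self.proto, p.proto), (self.dport, p.dport),
            (self.icmp_type, p.icmp_type), (self.direction, p.direction)))

DEFAULT_DENY = Rule("drop", log=True)  # implicit last rule: deny unless expressly permitted

def filter_packet(rules, p: Packet, log: list) -> str:
    """First matching rule wins; returns its action and records a log line if asked."""
    for rule in [*rules, DEFAULT_DENY]:
        if rule.matches(p):
            if rule.log or rule.alarm:
                log.append(f"{'ALARM ' if rule.alarm else ''}{rule.action} {p.direction} "
                           f"{p.proto} {p.src}->{p.dst}:{p.dport}")
            return rule.action

RULES = [  # constructed rule set; order matters, anti-spoofing must come before the allow rules
    Rule("drop", src="10.0.0.0/8", direction="in", log=True),  # inbound with internal source: spoofed
    Rule("send", dst="192.0.2.10/32", proto="tcp", dport=80, direction="in"),
    Rule("reject", proto="tcp", dport=23, direction="in", log=True, alarm=True),  # telnet
    Rule("send", src="10.0.0.0/8", direction="out"),  # internal hosts may reach anything outside
]
```

Swapping the first two rules would let a packet forged with an internal source address reach the web server, which is why "hard to configure" and "hard to test" appear on the weaknesses slide that follows.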
  • Packet Filtering Weaknesses
    • Hard to configure
    • Hard to test
    • The more complex the rules, the greater the performance impact
    • No Advanced Authentication support
  • Application Gateways
    • Service components allowed/denied based on rule set
    • Each packet repackaged after examination
    • Information hiding
    • Robust authentication and logging
  • Application GW Weaknesses
    • Scalability
      • Each service requires its own proxy
    • Difficult to manage Connectionless Protocols
    • Performance
      • Each packet gets repackaged
    • OS/Service Bugs
  • Circuit Gateways
    • Similar to Application Gateway
    • No packet processing done at the gateway
  • Stateful Multi-Layer Inspection
    • Inspects raw packets
      • Inspection engine intercepts packet at the OSI Network Layer
    • Context Aware
    • Creates a virtual state for connectionless protocols
    Source: Checkpoint Software Technologies Ltd.
  • Firewall Architectures
    • Single Device
      • Screening Router
      • Dual-Homed Host
    • Multi-Device
      • Screened Host
      • Screened Subnet
      • Split-Screened Subnet
  • Screening Router (diagram: Internet, Screening Router, Internal Network)
  • Dual-Homed Gateway (diagram: Internet, Proxy Server, Info Server, Internal Network)
  • Network Address Translation
    • Not specifically for security (RFC 1918)
    • Hides internal network configuration
    • 1 to 1 allocation
      • Static
      • Dynamic
    • IP Masquerading
      • Many internal addresses using 1 external address
      • Only internal hosts can initiate a connection
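As an added example (not from the slides), this toy IP masquerading table shows why many internal hosts can share one external address and why only internal hosts can initiate connections: an inbound packet is forwarded only when it answers a mapping that an outbound packet created, so nothing about the internal addressing is reachable from outside. The external address 198.51.100.1 and the internal hosts are constructed values.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

class Masquerade:
    """Many-to-one NAT: every internal host appears as the router's single external address."""
    def __init__(self, external_ip: str, first_port: int = 1024):
        self.external_ip = external_ip
        self.next_port = first_port  # next free external port to hand out
        self.outbound = {}           # (internal src, sport, dst, dport) -> external port
        self.inbound = {}            # external port -> (internal src, sport, dst, dport)

    def translate_out(self, f: Flow) -> Flow:
        """Internal host initiates: rewrite the source to the external address and a mapped port."""
        key = (f.src, f.sport, f.dst, f.dport)
        if key not in self.outbound:          # new connection: allocate a mapping
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return replace(f, src=self.external_ip, sport=self.outbound[key])

    def translate_in(self, f: Flow) -> Optional[Flow]:
        """Packet from the Internet: forward only if it answers an existing mapping, else drop."""
        key = self.inbound.get(f.dport)
        if key is None or (key[2], key[3]) != (f.src, f.sport):
            return None  # unsolicited, or from a different peer than the one the host contacted
        internal_src, internal_sport, _, _ = key
        return replace(f, dst=internal_src, dport=internal_sport)
```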
  • Screened Host (diagram: Internet, Screening Router, Bastion Host, Internet Server, Internal Network)
  • Screened Subnet (diagram: Internet, Screening Router, Bastion Host, Internet Server, Screening Router, Internal Network)
  • Split Screened Subnet (diagram: Internet, Screening Router, Internet Server, Dual-Homed Proxy, Screening Router, Intranet Server, Internal Network)
  • Network Intrusion Detection (diagram: Internet, Screening Router, Dual-Homed Proxy, Screening Router, Internal Network, with Sensors and an Analysis Station)
  • IDS Analysis
    • Knowledge based (attack signatures)
      • Port Scans
      • Denial of Service
      • Known Service Attacks
      • Spoofing
      • Content
    • Behavioral based
  • IDS Weaknesses
    • Very young technology
    • False Positives
    • False Negatives
    • Scalability
  • Honeypots
    • Sacrificial host used to lure attackers
    • Simulates a vulnerable system
    • Used to study attacker techniques
      • Firewall/IDS traffic logs
      • System logs
      • File Integrity Checker logs
      • Keystroke capturing
    • Early Case: “Berferd”