Network Security Technologies

  1. Network Security Technologies
     CS490 - Security in Computing
     Copyright © 2005 by Scott Orr and the Trustees of Indiana University
  2. References
     - Security in Computing, 3rd Ed.
       - Chapter 7 (pgs. 457-479)
  3. Section Overview
     - Firewall Components
     - Firewall Architectures
     - Network Intrusion Systems
     - Honeypots
  4. Internet Firewalls (diagram: Internet, DMZ, Internal Network)
  5. Firewall Benefits
     - Host Service Protection
     - Host Access Control
     - Centralized Point of Security
     - Enhanced Privacy
     - Increased Audit Logging
     - Policy Enforcement
  6. Implementation Issues
     - Service Restrictions
     - Allowed Service Vulnerabilities
     - User Backdoors
     - Insider Attacks
     - Viruses
     - Network Throughput to/from Internet
     - Single Point of Failure
  7. Firewall Components
     - Network Policy
     - Advanced Authentication
     - Packet Filtering
     - Application Gateways
  8. Network Policy
     - Service Access Policy
       - Extension of Site Security Policy
       - Which services are allowed to/from which hosts
       - Who is authorized to change policy
     - Firewall Design Policy
       - How Service Access Policy is implemented
       - Either…
         - Permit any service unless it is expressly denied
         - Deny any service unless it is expressly permitted
  9. Advanced Authentication (diagram: Internet, Internal Network; unauthenticated vs. authenticated access)
     - Using one-time password techniques to allow access via certain services
  10. Packet Filtering Routers
     - Allowing/Restricting access based on:
       - IP Addresses (source/destination)
       - Protocol (TCP/UDP/ICMP)
       - TCP/UDP Ports (source/destination)
       - ICMP Message Type
       - Packet Size
       - Router Interface/Direction
     - Single and multiple addresses/ports per entry
     - Screening Routers
  11. Packet Filtering Options
     - Send the packet
     - Reject the packet
     - Drop the packet
     - Log information about the packet
     - Notify administrator (set off an alarm)
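The filtering criteria of slide 10, the actions of slide 11 and the two design policies of slide 8 fit together in one small rule engine. The following is an added example written for this transcript, not code from the slides or the course: a toy screening router whose rules match on source/destination address (CIDR), protocol, source/destination ports, ICMP type, size and interface/direction, and whose default policy is either "deny unless expressly permitted" or "permit unless expressly denied". All addresses (TEST-NET ranges), ports and rule names are constructed.

```python
# Added example (not code from the slides): a toy screening router with a
# first-match rule list and a configurable default policy.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: int = 0          # TCP/UDP source port (0 for ICMP)
    dport: int = 0          # TCP/UDP destination port (0 for ICMP)
    icmp_type: int = -1     # ICMP message type, -1 when not ICMP
    size: int = 64          # packet size in bytes
    iface: str = "ext"      # router interface the packet arrived on
    direction: str = "in"   # "in" (toward the internal net) or "out"


@dataclass
class Rule:
    action: str                       # "accept", "reject" or "drop" (slide 11)
    name: str = ""
    log: bool = False                 # log information about the packet
    alarm: bool = False               # notify the administrator
    src: Optional[str] = None         # CIDR, e.g. "203.0.113.0/24"; None = any
    dst: Optional[str] = None
    proto: Optional[str] = None
    sports: frozenset = frozenset()   # several ports per entry; empty = any
    dports: frozenset = frozenset()
    icmp_types: frozenset = frozenset()
    max_size: Optional[int] = None
    iface: Optional[str] = None
    direction: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return all((
            self.src is None or ip_address(p.src) in ip_network(self.src),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst),
            self.proto is None or self.proto == p.proto,
            not self.sports or p.sport in self.sports,
            not self.dports or p.dport in self.dports,
            not self.icmp_types or p.icmp_type in self.icmp_types,
            self.max_size is None or p.size <= self.max_size,
            self.iface is None or self.iface == p.iface,
            self.direction is None or self.direction == p.direction,
        ))


class ScreeningRouter:
    """First matching rule wins. Default 'deny' drops whatever no rule
    permits; default 'permit' forwards whatever no rule denies (slide 8)."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules, self.default = rules, default
        self.log: List[str] = []      # logged packets
        self.alarms: List[str] = []   # administrator notifications

    def filter(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                if rule.log or rule.alarm:
                    entry = (f"{rule.name or 'rule'}: {rule.action} {p.proto} "
                             f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
                    self.log.append(entry)
                    if rule.alarm:
                        self.alarms.append(entry)
                return rule.action
        return "accept" if self.default == "permit" else "drop"


# Constructed policy: DMZ web server 192.0.2.10 and DNS server 192.0.2.53.
SAMPLE_RULES = [
    Rule("drop", name="blocklist", log=True, alarm=True, src="203.0.113.0/24", direction="in"),
    Rule("accept", name="web", proto="tcp", dst="192.0.2.10/32", dports=frozenset({80, 443}), direction="in"),
    Rule("accept", name="dns", proto="udp", dst="192.0.2.53/32", dports=frozenset({53}), direction="in"),
    Rule("reject", name="no-ping", log=True, proto="icmp", icmp_types=frozenset({8}), direction="in"),
]


def demo() -> dict:
    # Same rule set under both design policies; only the unmatched SSH packet differs.
    web = Packet("198.51.100.7", "192.0.2.10", "tcp", sport=40000, dport=443)
    ssh = Packet("198.51.100.7", "192.0.2.10", "tcp", sport=40001, dport=22)
    ping = Packet("198.51.100.7", "192.0.2.10", "icmp", icmp_type=8)
    bad = Packet("203.0.113.9", "192.0.2.10", "tcp", sport=5555, dport=80)
    deny = ScreeningRouter(SAMPLE_RULES, default="deny")
    permit = ScreeningRouter(SAMPLE_RULES, default="permit")
    return {
        "web_deny": deny.filter(web),        # web rule matches
        "ssh_deny": deny.filter(ssh),        # no rule: default deny drops
        "ssh_permit": permit.filter(ssh),    # no rule: default permit forwards
        "ping": deny.filter(ping),           # rejected and logged
        "blocklisted": deny.filter(bad),     # blocklist is ordered before web
        "alarms": len(deny.alarms),
        "log_entries": len(deny.log),
    }
```

Rule order matters as much as the default policy: the blocklist entry only wins over the web entry because it is evaluated first, which is one reason slide 12 calls these rule sets hard to configure and hard to test.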
  12. Packet Filtering Weaknesses
     - Hard to configure
     - Hard to test
     - The more complex the rules, the more performance may be affected
     - No Advanced Authentication support
  13. Application Gateways
     - Service components allowed/denied based on rule set
     - Each packet repackaged after examination
     - Information hiding
     - Robust authentication and logging
  14. Application GW Weaknesses
     - Scalability
       - Each service requires its own proxy
     - Difficult to manage Connectionless Protocols
     - Performance
       - Each packet gets repackaged
     - OS/Service Bugs
  15. Circuit Gateways
     - Similar to Application Gateway
     - No packet processing done at the gateway
  16. Stateful Multi-Layer Inspection
     - Inspects raw packets
       - Inspection engine intercepts packet at the OSI Network Layer
     - Context Aware
     - Creates a virtual state for connectionless protocols
     Source: Checkpoint Software Technologies Ltd.
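The "virtual state for connectionless protocols" on slide 16 is what lets a stateful firewall admit a DNS answer without leaving an inbound UDP port permanently open, which a stateless packet filter cannot do. The following is an added example for this transcript, not code from the slides, the course or Check Point: an outbound packet records the 5-tuple of the expected reply with an expiry time, an inbound packet is admitted only if it matches a live entry, and an inbound TCP SYN without a matching entry is dropped regardless. Timeouts, addresses and the flag encoding ("S", "A", "F", "R") are constructed choices.

```python
# Added example (not from the slides or Check Point): a minimal stateful
# inspection table that gives UDP a short-lived pseudo-connection.
from typing import Dict, Tuple

Flow = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


class StatefulInspector:
    def __init__(self, udp_timeout: float = 30.0, tcp_timeout: float = 3600.0):
        self.udp_timeout = udp_timeout
        self.tcp_timeout = tcp_timeout
        # Keyed by the *reply* tuple we expect to see arriving from outside.
        self.table: Dict[Flow, float] = {}

    def _timeout(self, proto: str) -> float:
        return self.tcp_timeout if proto == "tcp" else self.udp_timeout

    def _expire(self, now: float) -> None:
        for key in [k for k, exp in self.table.items() if exp <= now]:
            del self.table[key]

    def outbound(self, proto: str, src: str, sport: int, dst: str, dport: int,
                 now: float, flags: str = "") -> str:
        """Internal host -> Internet: allowed, and the reply tuple is recorded."""
        self._expire(now)
        reply = (proto, dst, dport, src, sport)
        if proto == "tcp" and ("F" in flags or "R" in flags):
            self.table.pop(reply, None)          # connection torn down
        else:
            self.table[reply] = now + self._timeout(proto)
        return "accept"

    def inbound(self, proto: str, src: str, sport: int, dst: str, dport: int,
                now: float, flags: str = "") -> str:
        """Internet -> internal host: allowed only as a reply to tracked state."""
        self._expire(now)
        key = (proto, src, sport, dst, dport)
        if proto == "tcp" and "S" in flags and "A" not in flags:
            return "drop"                        # unsolicited connection attempt
        if key not in self.table:
            return "drop"                        # no matching state
        self.table[key] = now + self._timeout(proto)   # refresh on activity
        return "accept"


def demo() -> dict:
    """Constructed DNS exchange: query out at t=0, answer in at t=1, then a
    reply from the wrong port, an unsolicited datagram and a late reply."""
    fw = StatefulInspector(udp_timeout=30.0)
    client, resolver = "10.0.0.5", "192.0.2.53"
    fw.outbound("udp", client, 51000, resolver, 53, now=0.0)
    return {
        "reply": fw.inbound("udp", resolver, 53, client, 51000, now=1.0),
        "wrong_port": fw.inbound("udp", resolver, 53, client, 51001, now=1.0),
        "unsolicited": fw.inbound("udp", "198.51.100.9", 53, client, 51000, now=2.0),
        "late_reply": fw.inbound("udp", resolver, 53, client, 51000, now=40.0),
        "tcp_syn_in": fw.inbound("tcp", "198.51.100.9", 4444, client, 22, now=2.0, flags="S"),
    }
```

The state table is also the cost of the approach: every tracked flow consumes memory until it expires, so the UDP timeout trades usability (slow resolvers) against exposure and table size.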
  17. Firewall Architectures
     - Single Device
       - Screening Router
       - Dual-Homed Host
     - Multi-Device
       - Screened Host
       - Screened Subnet
       - Split-Screened Subnet
  18. Screening Router (diagram: Internet, Screening Router, Internal Network)
  19. Dual-Homed Gateway (diagram: Internet, Proxy Server, Info Server, Internal Network)
  20. Network Address Translation
     - Not specifically for security (RFC 1918)
     - Hides internal network configuration
     - 1 to 1 allocation
       - Static
       - Dynamic
     - IP Masquerading
       - Many internal addresses using 1 external address
       - Only internal hosts can initiate a connection
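Slide 20 lists two different translation modes, and the security property "only internal hosts can initiate a connection" belongs to only one of them. The following is an added example for this transcript, not code from the slides or the course: a toy NAT box that does static 1-to-1 allocation for a listed host (inbound traffic to its external address is translated straight through) and IP masquerading for everyone else, where several internal hosts share one external address and are told apart by a translated source port. An inbound packet that matches no masquerade entry is dropped, which is why outside hosts cannot open connections to masqueraded machines. Addresses and the starting port are constructed.

```python
# Added example (not from the slides): static 1-to-1 NAT plus IP masquerading.
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]
Header = Tuple[str, int, str, int]   # (src, sport, dst, dport)


class NatBox:
    def __init__(self, masq_ip: str, static: Optional[Dict[str, str]] = None,
                 first_port: int = 40000):
        self.masq_ip = masq_ip                       # shared external address
        self.static = dict(static or {})             # internal -> external, 1 to 1
        self.static_rev = {v: k for k, v in self.static.items()}
        self.next_port = first_port
        # Masquerade state: (int_ip, int_port, remote_ip, remote_port) -> ext_port
        self.out_map: Dict[Tuple[str, int, str, int], int] = {}
        #                  (ext_port, remote_ip, remote_port) -> (int_ip, int_port)
        self.in_map: Dict[Tuple[int, str, int], Endpoint] = {}

    def translate_out(self, src: str, sport: int, dst: str, dport: int) -> Header:
        """Rewrite the source of an internal -> Internet packet."""
        if src in self.static:
            return (self.static[src], sport, dst, dport)
        key = (src, sport, dst, dport)
        if key not in self.out_map:                  # first packet of this flow
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(port, dst, dport)] = (src, sport)
        return (self.masq_ip, self.out_map[key], dst, dport)

    def translate_in(self, src: str, sport: int, dst: str, dport: int) -> Optional[Header]:
        """Rewrite the destination of an Internet -> internal packet; None means drop."""
        if dst in self.static_rev:                   # static host is reachable from outside
            return (src, sport, self.static_rev[dst], dport)
        if dst == self.masq_ip:
            inside = self.in_map.get((dport, src, sport))
            if inside is not None:
                return (src, sport, inside[0], inside[1])
        return None                                  # no state: unsolicited, dropped


def demo() -> dict:
    nat = NatBox(masq_ip="198.51.100.1", static={"10.0.0.80": "198.51.100.80"})
    remote = ("192.0.2.20", 80)
    a = nat.translate_out("10.0.0.5", 50000, *remote)
    b = nat.translate_out("10.0.0.6", 50000, *remote)   # same inside port, other host
    a_again = nat.translate_out("10.0.0.5", 50000, *remote)
    return {
        "a_ext_port": a[1],
        "b_ext_port": b[1],
        "a_reused": a_again == a,
        "reply_to_b": nat.translate_in(remote[0], remote[1], "198.51.100.1", b[1]),
        "unsolicited": nat.translate_in("203.0.113.4", 3333, "198.51.100.1", 40002),
        "static_in": nat.translate_in("203.0.113.4", 3333, "198.51.100.80", 443),
    }
```

The contrast in `demo()` is the point of the slide: the statically mapped host is as exposed as if it had a public address, while the masqueraded hosts are reachable only through state their own outbound traffic created.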
  21. Screened Host (diagram: Internet, Screening Router, Bastion Host, Internet Server, Internal Network)
  22. Screened Subnet (diagram: Internet, Screening Router, Bastion Host, Internet Server, Screening Router, Internal Network)
  23. Split Screened Subnet (diagram: Internet, Screening Router, Dual-Homed Proxy, Internet Server, Screening Router, Intranet Server, Internal Network)
  24. Network Intrusion Detection (diagram: Internet, Screening Router, Dual-Homed Proxy, Screening Router, Internal Network; Sensors reporting to an Analysis Station)
  25. IDS Analysis
     - Knowledge based (attack signatures)
       - Port Scans
       - Denial of Service
       - Known Service Attacks
       - Spoofing
       - Content
     - Behavioral based
  26. IDS Weaknesses
     - Very young technology
     - False Positives
     - False Negatives
     - Scalability
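A knowledge-based signature for the first item on slide 25 (port scans) is small enough to show in full, and running it at several thresholds makes the false positives and false negatives of slide 26 concrete. The following is an added example for this transcript, not code from the slides or the course: it parses constructed firewall log lines (the format, timestamps and hosts are all made up for the example), keeps a sliding window of destination ports per source/destination pair, and raises one alert per source that touches at least `min_ports` distinct ports within `window_s` seconds.

```python
# Added example (not from the slides): a port-scan signature over constructed
# firewall log lines, swept across thresholds to show the detection trade-off.
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterator, List, Set

# Constructed log: 203.0.113.7 probes eight ports in four seconds;
# 198.51.100.4 is an ordinary client touching three services.
SAMPLE_LOG = """\
2005-03-01T10:00:00 DROP tcp 203.0.113.7:41000 -> 192.0.2.10:21
2005-03-01T10:00:00 DROP tcp 203.0.113.7:41001 -> 192.0.2.10:22
2005-03-01T10:00:01 DROP tcp 203.0.113.7:41002 -> 192.0.2.10:23
2005-03-01T10:00:01 DROP tcp 203.0.113.7:41003 -> 192.0.2.10:25
2005-03-01T10:00:02 ACCEPT tcp 198.51.100.4:50200 -> 192.0.2.10:80
2005-03-01T10:00:02 DROP tcp 203.0.113.7:41004 -> 192.0.2.10:110
2005-03-01T10:00:02 DROP tcp 203.0.113.7:41005 -> 192.0.2.10:143
2005-03-01T10:00:03 ACCEPT tcp 198.51.100.4:50201 -> 192.0.2.10:443
2005-03-01T10:00:03 DROP tcp 203.0.113.7:41006 -> 192.0.2.10:445
2005-03-01T10:00:03 DROP tcp 203.0.113.7:41007 -> 192.0.2.10:3389
2005-03-01T10:00:04 ACCEPT tcp 198.51.100.4:50202 -> 192.0.2.10:22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse(log: str) -> Iterator[dict]:
    """Yield one event per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["dport"] = int(ev["dport"])
            yield ev


def detect_port_scans(log: str, window_s: float = 10.0, min_ports: int = 5) -> List[str]:
    """Signature: one source hitting >= min_ports distinct ports on one host
    within window_s seconds. Each offending source is reported once."""
    recent: Dict[tuple, deque] = defaultdict(deque)   # (src, dst) -> (ts, dport)
    alerted: Set[str] = set()
    for ev in parse(log):
        q = recent[(ev["src"], ev["dst"])]
        q.append((ev["ts"], ev["dport"]))
        while q and (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()                                # slide the window
        if len({p for _, p in q}) >= min_ports:
            alerted.add(ev["src"])
    return sorted(alerted)


def threshold_sweep(log: str) -> Dict[int, List[str]]:
    """The same signature at three thresholds: too low flags the ordinary
    client (false positive), too high misses the scanner (false negative)."""
    return {n: detect_port_scans(log, min_ports=n) for n in (3, 5, 10)}
```

With `min_ports=3` the ordinary client is reported alongside the scanner, with `min_ports=10` neither is, and only the middle setting gets this constructed log right; on real traffic the right value depends on the site, which is the tuning burden behind both weaknesses on slide 26.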
  27. Honeypots
     - Sacrificial host used to lure attackers
     - Simulates a vulnerable system
     - Used to study attacker techniques
       - Firewall/IDS traffic logs
       - System logs
       - File Integrity Checker logs
       - Keystroke capturing
     - Early Case – “Berferd”
