Successfully reported this slideshow.
Your SlideShare is downloading. ×
Upcoming SlideShare
Loading in …3

Check these out next

1 of 52 Ad

More Related Content

Slideshows for you (20)


Recently uploaded (20)


  1. 1. Network Security and Hacking Techniques DAY-4
  2. 2. Firewalls We are here Visible IP Address Internal Network PC Servers Linux and windows Host Application Servers Like IDS,Sniffers
  3. 3. What this paper covers? <ul><li>Why you need a firewall? </li></ul><ul><li>What is firewall? </li></ul><ul><li>How does a network firewall interact with OSI and TCP/IP Network models? </li></ul><ul><li>Different types of firewall. </li></ul><ul><li>Different firewall architectures. </li></ul><ul><li>What kind of firewall is best for what infrastructure. </li></ul>
  4. 4. Introduction <ul><li>Benefits of Internet </li></ul><ul><ul><li>Better Communication </li></ul></ul><ul><ul><li>Remote Access </li></ul></ul><ul><ul><li>Immense source of information </li></ul></ul><ul><ul><li>Boosting the efficiency of buisnesses </li></ul></ul><ul><li>Network security a major concern. </li></ul>
  5. 5. Why you need a firewall? <ul><li>What happens when you connect to the Internet? </li></ul><ul><ul><ul><li>Your network becomes part of Internet. </li></ul></ul></ul><ul><ul><ul><li>Possibility of attack by thieves and vandals. </li></ul></ul></ul><ul><li>How do you protect confidential information from those who do not explicitly need to access it? </li></ul><ul><li>How do you protect your network and its resources from malicious users and accidents that originate outside of your network? </li></ul>
  6. 6. Types of Attacks <ul><li>Network Packet sniffers </li></ul><ul><li>IP Spoofing </li></ul><ul><li>Password Attacks </li></ul><ul><li>Distribution of sensitive information to external resources. </li></ul><ul><li>Man-in-the-middle attacks </li></ul><ul><li>Denial of Service Attacks </li></ul><ul><li>Application layer attacks </li></ul>
  7. 7. What is Firewall?
  8. 8. Computer with firewall software
  9. 9. Basic Purpose of a Firewall <ul><li>It blocks incoming data that might contain a hacker attack. </li></ul><ul><li>It hides information about the network by making it seem that all outgoing traffic originates from the firewall rather than the network. This is called Network Address Translation (NAT). </li></ul><ul><li>It screens outgoing traffic to limit Internet use and/or access to remote sites. </li></ul>
  10. 10. Other Features of Firewall <ul><li>Content Filtering </li></ul><ul><li>Virtual Private Networks </li></ul><ul><li>Antivirus Protection </li></ul><ul><li>Demilitarized Zone Firewalls </li></ul>
  11. 11. What can't a firewall do? <ul><li>They cannot provide complete security </li></ul><ul><li>T hey can do nothing to guard against insider threats. </li></ul><ul><li>Employee misconduct or carelessness cannot be controlled by firewalls. </li></ul><ul><li>Policies involving the use and misuse of passwords and user accounts must be strictly enforced. </li></ul>
  12. 12. How does a network firewall interact with OSI and TCP/IP Network models? <ul><li>Network Firewalls operate at different layers to use different criteria to restrict traffic. </li></ul><ul><li>The lowest layer at which a firewall can work is layer three. </li></ul><ul><li>The higher up in the stack layer at which an architecture examines packets, the greater the level of protection the architecture provides, since more information is available upon which to base decisions. </li></ul>
  13. 13. Types of Firewall <ul><li>Static Packet Filter </li></ul><ul><li>Dynamic (stateful) packet filter </li></ul><ul><li>Circuit level Gateway </li></ul><ul><li>Application level Gateway </li></ul><ul><li>Stateful Multilayer Inspection Firewall </li></ul>
  14. 14. Static Packet Filter
  15. 15. Static Packet Filter(contd.) <ul><li>Advantages </li></ul><ul><ul><li>Low cost – now included with many operating systems. </li></ul></ul><ul><li>Disadvantages </li></ul><ul><ul><li>Filters are difficult to configure </li></ul></ul><ul><ul><li>Static packet filter is not state aware . </li></ul></ul><ul><ul><li>Static packet filter does not examine the complete packet. </li></ul></ul>
  16. 16. Dynamic (stateful) packet filter <ul><li>State awareness </li></ul><ul><li>Aware of the difference between a new and an established connection. </li></ul><ul><li>Advantage: </li></ul><ul><ul><ul><li>State awareness provides measurable performance benefit. </li></ul></ul></ul><ul><li>Disadvantage: </li></ul><ul><ul><ul><li>Susceptible to IP spoofing. </li></ul></ul></ul><ul><ul><ul><li>Only provides for a low level of protection. </li></ul></ul></ul>
  17. 17. Circuit Level Gateway
  18. 18. Circuit Level Gateway(contd.) <ul><li>Advantages: </li></ul><ul><ul><li>Information passed to a remote computer through a circuit level gateway appears to have originated from the gateway. This is useful for hiding information about protected networks. </li></ul></ul><ul><ul><li>Higher level of security than a static or dynamic (stateful) packet filter. </li></ul></ul><ul><li>Disadvantage: </li></ul><ul><ul><li>A circuit level gateway cannot examine the data content of the packets it relays between a trusted network and an untrusted network. The potential exists to slip harmful packets through a circuit level gateway to a server behind the firewall. </li></ul></ul>
  19. 19. Application Level Gateway
  20. 20. Application Level Gateway(contd.) <ul><li>Advantages: </li></ul><ul><ul><li>Filter application specific commands such as http: post and get, etc. </li></ul></ul><ul><ul><li>Inspect the complete packet. </li></ul></ul><ul><ul><li>Highest level of security. </li></ul></ul><ul><li>Disadvantages: </li></ul><ul><ul><li>Vendors must keep up with new protocols. A common complaint of application level gateway users is lack of timely vendor support for new protocols. </li></ul></ul><ul><ul><li>Must be written securely. </li></ul></ul>
  21. 21. Stateful Multilayer Inspection Firewall
  22. 22. Stateful Multilayer Inspection Firewall(contd.) <ul><li>Advantages: </li></ul><ul><ul><li>Does not break the client server model. </li></ul></ul><ul><ul><li>Offer a high level of security. </li></ul></ul><ul><li>Disadvantages: </li></ul><ul><ul><li>The failure to break the client server model creates an unacceptable security risk as the hacker has a direct connection to the protected server. </li></ul></ul><ul><ul><li>They are expensive. </li></ul></ul><ul><ul><li>Due to their complexity are potentially less secure than simpler types of firewalls if not administered by highly competent personnel. </li></ul></ul>
  23. 23. Dual-Homed Host Architecture
  24. 24. Screened Host Architecture
  25. 25. Screened Subnet Architecture
  26. 26. Conclusion <ul><li>Keeping your software patched and running updated antivirus software are very important pieces, but having a firewall block incoming connections in the first place is definitely a wise idea as well. </li></ul><ul><li>No one security solution will solve everything. </li></ul><ul><li>The more lines of defense you have in place, the harder it is for hackers to get in and the safer you will be. </li></ul>
  27. 27. Firewalls <ul><li>Questions </li></ul>
  28. 28. What is Intrusion Detection <ul><li>Intrusion detection systems (IDSs) are designed for detecting, blocking and reporting unauthorized activity in computer networks. </li></ul><ul><li>“ The life expectancy of a default installation of Linux Red Hat 6.2 server is estimated to be less than 72 hours.” </li></ul><ul><li>“ The fastest compromise happened in 15 minutes (including scanning, probing and attacking)” </li></ul><ul><li>“ Netbios scans affecting Windows computers were executed with the average of 17 per day” </li></ul><ul><li>(source: Honeynet Project ) </li></ul>
  29. 29. Motivation for Intrusion Detection Unauthorized Use of Computer Systems Within Last 12 Months (source Indian ISP’s Study)
  30. 30. Definitions <ul><li>Intrusion </li></ul><ul><ul><li>A set of actions aimed to compromise the security goals, namely </li></ul></ul><ul><ul><ul><li>Integrity, confidentiality, or availability, of a computing and networking resource </li></ul></ul></ul><ul><li>Intrusion detection </li></ul><ul><ul><li>The process of identifying and responding to intrusion activities </li></ul></ul>
  31. 31. Why Is Intrusion Detection Necessary? Prevent Detect React/ Survive Security principles: layered mechanisms
  32. 32. Different Types of IDSs <ul><li>Application based </li></ul><ul><li>Host based </li></ul><ul><li>Network based. </li></ul>
  33. 33. Different Types of IDSs <ul><li>Application IDS </li></ul><ul><ul><li>Watch application logs </li></ul></ul><ul><ul><li>Watch user actions </li></ul></ul><ul><ul><li>Stop attacks targeted against an application </li></ul></ul><ul><li>Advantages </li></ul><ul><ul><li>Encrypted data can be read </li></ul></ul><ul><li>Problems </li></ul><ul><ul><li>Positioned too high in the attack chain (the attacks reach the application) </li></ul></ul>
  34. 34. Different Types of IDSs <ul><li>Host IDS </li></ul><ul><ul><li>Watch kernel operations </li></ul></ul><ul><ul><li>Watch network interface </li></ul></ul><ul><ul><li>Stop illegal system operations </li></ul></ul><ul><ul><li>Drop attack packets at network driver </li></ul></ul><ul><li>Advantages </li></ul><ul><ul><li>Encrypted data can be read </li></ul></ul><ul><ul><li>Each host contributes to the detection process </li></ul></ul><ul><li>Problems </li></ul><ul><ul><li>Positioned too high in the attack chain (the attacks reach the network driver) </li></ul></ul>
  35. 35. Different Types of IDSs <ul><li>Network IDS </li></ul><ul><ul><li>Watch network traffic </li></ul></ul><ul><ul><li>Watch active services and servers </li></ul></ul><ul><ul><li>Report and possibly stop network level attacks </li></ul></ul><ul><li>Advantages </li></ul><ul><ul><li>Attacks can be stopped early enough (before they reach the hosts or applications) </li></ul></ul><ul><ul><li>Attack information from different subnets can be correlated </li></ul></ul><ul><li>Problems </li></ul><ul><ul><li>Encrypted data cannot be read </li></ul></ul><ul><ul><li>Annoyances to normal traffic if for some reason normal traffic is dropped </li></ul></ul>
  36. 36. An Adaptive IDS Architecture FW Quick and dirty Real-time IDS Best-effort in real-time Backend IDS Thorough and slow (scenario/trend) Dynamic Cost-sensitive Decision Making Detection Models
  37. 37. Different Ways to put IDS on network <ul><li>HUB </li></ul>
  38. 38. Different Ways to put IDS on network <ul><li>TAP </li></ul>
  39. 39. Circuit Diagrams of Taping 100Mb Ethernet Switch
  40. 40. Circuit Diagrams of Taping 1Gb Ethernet Switch
  41. 41. Circuit Diagrams of Taping 1Gb Ethernet Switch
  42. 42. SNORT <ul><li>Open Source </li></ul><ul><li>Just about any platform(Including windows) </li></ul><ul><li>Many plugins and external modules. </li></ul><ul><li>Frequent rules updates. </li></ul>
  43. 43. Snort Plugins <ul><li>Databases </li></ul><ul><ul><li>mySQL </li></ul></ul><ul><ul><li>Oracle </li></ul></ul><ul><ul><li>Postgresql </li></ul></ul><ul><ul><li>unixODBC </li></ul></ul><ul><li>Spade (Statistical Packet Anomaly Detection engine) </li></ul><ul><li>FlexResp (Session response/closing) </li></ul><ul><li>XML output </li></ul><ul><li>TCP streams (stream single-byte reassembly) </li></ul>
  44. 44. Snort Add-ons <ul><li>Acid(Analysis Console for Intrusion Detection) - PHP </li></ul><ul><li>Guardian – IPCHAINS rules modifier.(Girr – remover) </li></ul><ul><li>SnortSnarf - HTML </li></ul><ul><li>Snortlog – syslog </li></ul><ul><li>“ Ruleset retreive” – automatic rules updater. </li></ul><ul><li>Snorticus – central multi-sensor manager – shell </li></ul><ul><li>LogSnorter – Syslog > snort SQL database information adder. </li></ul><ul><li>+ a few win32 bits and pieces. </li></ul>
  45. 45. Acid + Snort <ul><li>Acid is a Cert project. </li></ul><ul><li>Pretty simple PHP3 to mySQL </li></ul><ul><li>Quite customizable. </li></ul><ul><li>Simple GUI for casual browsing. </li></ul>
  46. 46. Snort Web Access - ACID <ul><li>Main Console </li></ul>
  47. 47. Snort Web Access - ACID
  48. 48. Snort Web Access - ACID <ul><li>Securityfocus </li></ul><ul><li>Whitehats </li></ul><ul><li>CVE </li></ul>
  49. 49. Snort Web Access - ACID <ul><li>Rule details </li></ul>
  50. 50. Snort Web Access - ACID <ul><li>Incident details </li></ul>
  51. 51. Snort Web Access - ACID <ul><li>Incident details </li></ul>
  52. 52. END