SlideShare a Scribd company logo

Ch06-NetworkSecurity2-firewall-tunneling-IDS.ppt

Download as PPT, PDF
G
gocokir267

Azure Firewall

Internet
1 of 31
CIS3360: Security in Computing Chapter 6 : Network Security II - Firewall, Tunneling, Intrusion Detection Cliff Zou Spring 2012
Firewall 2
Firewalls  A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.  A network firewall is similar to firewalls in building construction, because in both cases they are intended to isolate one "network" or "compartment" from another. 3
Firewall Policies  To protect private networks and individual machines from the dangers of the greater Internet, a firewall can be employed to filter incoming or outgoing traffic based on a predefined set of rules called firewall policies. 4 Trusted internal network Firewall policies Untrusted Internet
Policy Actions  Packets flowing through a firewall can have one of three outcomes:  Accepted: permitted through the firewall  Dropped: not allowed through with no indication of failure  Rejected: not allowed through, accompanied by an attempt to inform the source that the packet was rejected  Policies used by the firewall to handle packets are based on several properties of the packets being inspected, including the protocol used, such as:  TCP or UDP  the source and destination IP addresses  the source and destination ports  the application-level payload of the packet (e.g., whether it contains a virus). 5
Blacklists and White Lists  Two fundamental approaches to creating firewall policies (or rulesets)  Blacklist approach (default-allow)  All packets are allowed through except those that fit the rules defined specifically in a blacklist.  Pros: flexible in ensuring that service to the internal network is not disrupted by the firewall  Cons: unexpected forms of malicious traffic could go through  Whitelist approach (default-deny)  Packets are dropped or rejected unless they are specifically allowed by the firewall  Pros: A safer approach to defining a firewall ruleset  Cons: must consider all possible legitimate traffic in rulesets 6
Firewall Types • packet filters (stateless) – If a packet matches the packet filter's set of rules, the packet filter will drop or accept it • "stateful" filters – it maintains records of all connections passing through it and can determine if a packet is either the start of a new connection, a part of an existing connection, or is an invalid packet. • application layer – It works like a proxy it can “understand” certain applications and protocols. – It may inspect the contents of the traffic, blocking what it views as inappropriate content (i.e. websites, viruses, vulnerabilities, ...) 7
Stateless Firewalls  A stateless firewall doesn’t maintain any remembered context (or “state”) with respect to the packets it is processing. Instead, it treats each packet attempting to travel through it in isolation without considering packets that it has processed previously. 8 Trusted internal network SYN Seq = x Port=80 SYN-ACK Seq = y Ack = x + 1 ACK Seq = x + 1 Ack = y + 1 Allow outbound SYN packets, destination port=80 Allow inbound SYN-ACK packets, source port=80 Client Server Firewall
Stateless Restrictions  Stateless firewalls may have to be fairly restrictive in order to prevent most attacks. 9 Trusted internal network SYN Seq = y Port=80 Allow outbound SYN packets, destination port=80 Drop inbound SYN packets, Allow inbound SYN-ACK packets, source port=80 Client Attacker (blocked) Firewall
Statefull Firewalls  Stateful firewalls can tell when packets are part of legitimate sessions originating within a trusted network.  Stateful firewalls maintain tables containing information on each active connection, including the IP addresses, ports, and sequence numbers of packets.  Using these tables, stateful firewalls can allow only inbound TCP packets that are in response to a connection initiated from within the internal network. 10
Statefull Firewall Example  Allow only requested TCP connections: 11 Trusted internal network SYN Seq = x Port=80 SYN-ACK Seq = y Ack = x + 1 ACK Seq = x + 1 Ack = y + 1 Allow outbound TCP sessions, destination port=80 Client SYN-ACK Seq = y Port=80 Attacker (blocked) Established TCP session: (128.34.78.55, 76.120.54.101) 128.34.78.55 76.120.54.101 Firewall state table Server Firewall
 TCP-based connections are easy to check  TCP SYN packet  UDP-based traffic is not so clear  There is no UDP connection set up  Treat a UDP session starts when a legitimate UDP packet is allowed through the firewall (such as from inside to outside)  Session is defined by (source IP, source port, dest IP, dest port) 12
Network Security 7-13 Application-level Firewall  Filters packets on application data as well as on IP/TCP/UDP fields.  Example: allow select internal users to telnet outside. host-to-gateway session gateway-to-remote host session application gateway router and filter 1. Require all telnet users to telnet through gateway. 2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections 3. Router filter blocks all telnet connections not originating from gateway. r Example: block user access to know porn websites m Check if the Web URL is in a “black-list”
Firewall on Windows and Linux  On Linux, Iptables is used to provide firewall function  http://en.wikipedia.org/wiki/I ptables 14  On Windows, use “control panel” “Windows Firewall”
Tunnels  The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a TCP connection, he can often see the complete contents of the payloads in this session.  One way to prevent such eavesdropping without changing the software performing the communication is to use a tunneling protocol.  In such a protocol, the communication between a client and server is automatically encrypted, so that useful eavesdropping is infeasible. 15
Tunneling Prevents Eavesdropping  Packets sent over the Internet are automatically encrypted. 16 Server Client Tunneling protocol (does end-to-end encryption and decryption) Payloads are encrypted here TCP/IP TCP/IP Untrusted Internet
Secure Shell (SSH)  A secure interactive command session:  The client connects to the server via a TCP session.  The client and server exchange information on administrative details, such as supported encryption methods and their protocol version, each choosing a set of protocols that the other supports.  Example: check ssh client software to see what are supported.  The client and server initiate a secret-key exchange to establish a shared secret session key, which is used to encrypt their communication (but not for authentication). This session key is used in conjunction with a chosen block cipher (typically AES, 3DES) to encrypt all further communications. 17
 The server sends the client a list of acceptable forms of authentication, which the client will try in sequence.  Password based authentication  Public-key authentication method  Client sends the server its public key  The server then checks if this key is stored in its list of authorized keys. If so, the server encrypts a challenge using the client’s public key and sends it to the client  The client decrypts the challenge with its private key and responds to the server, proving its identity 18
IPSec  IPSec defines a set of protocols to provide confidentiality and authenticity for IP packets  Authentication Header (AH)  provide connectionless integrity and data origin authentication for IP datagrams  provides protection against replay attacks  No confidentiality (packets are still unencrypted)  Encapsulating Security Payload (ESP)  provide confidentiality, data-origin authentication, connectionless integrity, and limited traffic-flow confidentiality.  Port numbers are encrypted, poses challenge for NAT  http://en.wikipedia.org/wiki/IPsec 19
20 Digital signature
21
Virtual Private Networking (VPN)  Virtual private networking (VPN) is a technology that allows private networks to be safely extended over long physical distances by making use of a public network, such as the Internet, as a means of transport.  VPN provides guarantees of data confidentiality, integrity, and authentication, despite the use of an untrusted network for transmission.  There are two primary types of VPNs, remote access VPN and site-to-site VPN. 22
Types of VPNs  Remote access VPNs allow authorized clients to access a private network that is referred to as an intranet.  E.g., UCF VPN. Computer has internal IP when connected.  Set up a VPN endpoint, network access server (NAS)  Clients install VPN client software on their machines.  Site-to-site VPN solutions are designed to provide a secure bridge between two or more physically distant networks.  Before VPN, organizations wishing to safely bridge their private networks purchased expensive leased lines to directly connect their intranets with cabling. 23
Intrusion Detection Systems  Intrusion  Actions aimed at compromising the security of the target (confidentiality, integrity, availability of computing/networking resources)  Intrusion detection  The identification through intrusion signatures and report of intrusion activities  Intrusion prevention  The process of both detecting intrusion activities and managing automatic responsive actions throughout the network 24
IDS Components  IDS manager compiles data from the IDS sensors to determine if an intrusion has occurred.  If an IDS manager detects an intrusion, then it sounds an alarm. 25 Untrusted Internet IDS Manager IDS Sensor router router router IDS Sensor Firewall
Possible Alarm Outcomes  Alarms can be sounded (positive) or not (negative) 26 Intrusion Attack No Intrusion Attack Alarm Sounded No Alarm Sounded True Positive False Positive True Negative False Negative Bad (miss attack) Bad (reject normal)
The Base-Rate Fallacy  true-positive rate is conflict with false-negative rate.  There is a trade-off  If # of intrusions << # of all events, the effectiveness of an intrusion detection system can be reduced.  In particular, the effectiveness of some IDSs can be misinterpreted due to a statistical error known as the base-rate fallacy.  This type of error occurs when the probability of some conditional event is assessed without considering the “base rate” of that event. 27
Base-Rate Fallacy Example  Suppose an IDS has 1% chance of false positives, and 1% of false negatives. Suppose further…  An intrusion detection system generates 1,000,100 log entries.  Only 100 of the 1,000,100 entries correspond to actual malicious events.  Among the 100 malicious events, 99 will be detected as malicious, which means we have 1 false negative.  Among the 1,000,000 benign events, 10,000 will be mistakenly identified as malicious. That is, we have 10,000 false positives!  Thus, there will be 10,099 alarms sounded, 10,000 of which are false alarms. That means false alarm rate is roughly 99%! 28
Types of Intrusion Detection Systems  Rule-Based Intrusion Detection  Rules and signatures identify the types of actions that match certain known profiles for an intrusion attack  Alarm raised can indicate what attack triggers the alarm  Problem: Cannot deal with unknown attacks  Statistical Intrusion Detection  Statistical representation (profile) of the typical ways that a user acts or a host is used  Determine when a user or host is acting in highly unusual, anomalous ways.  Alarm when a user or host deviates significantly from the stored profile for that person or machine  Problem: High false positive rate, cannot tell which attack triggers the alarm 29
Port Scanning  Purpose: Attackers need to know where a potential target is  TCP scan: use OS system call to check if TCP connection can be set up on a target machine on any port  Example scanner: nmap  See how nmap works on department eustis machine!  SYN scan: low-level TCP program to send out SYN packet without intent to finish the TCP connection setup  On receiving SYN/ACK, issues a RST packet to terminate 30
Port Scanning  Two port scanning mode:  Vertical scan: target numerous destination ports on a singular host (e.g., nmap)  Horizontal scan: target the same port on many target hosts, effectively looking for a specific vulnerability  E.g., worm  E.g., attacker conduct reconnaissance before real attack 31

Recommended

Chapter_Five[1].ppt
Chapter_Five[1].pptChapter_Five[1].ppt
Chapter_Five[1].pptBachaSirata
 
Firewalls (6)
Firewalls (6)Firewalls (6)
Firewalls (6)Bhargu Bhargavi
 
Firewall and It's Types
Firewall and It's TypesFirewall and It's Types
Firewall and It's TypesHem Pokhrel
 
IT8005_EC_Unit_III_Securing_Communication_Channels
IT8005_EC_Unit_III_Securing_Communication_ChannelsIT8005_EC_Unit_III_Securing_Communication_Channels
IT8005_EC_Unit_III_Securing_Communication_ChannelsPalani Kumar
 
Firewalls
FirewallsFirewalls
FirewallsDeevena Dayaal
 
Network security
Network securityNetwork security
Network securitySidiq Dwi Laksana
 
WT - Firewall & Proxy Server
WT - Firewall & Proxy ServerWT - Firewall & Proxy Server
WT - Firewall & Proxy Servervinay arora
 
firewalls.ppt
firewalls.pptfirewalls.ppt
firewalls.pptRaj Kumar
 

Recommended

Chapter_Five[1].ppt
Chapter_Five[1].pptChapter_Five[1].ppt
Chapter_Five[1].pptBachaSirata
 
Firewalls (6)
Firewalls (6)Firewalls (6)
Firewalls (6)Bhargu Bhargavi
 
Firewall and It's Types
Firewall and It's TypesFirewall and It's Types
Firewall and It's TypesHem Pokhrel
 
IT8005_EC_Unit_III_Securing_Communication_Channels
IT8005_EC_Unit_III_Securing_Communication_ChannelsIT8005_EC_Unit_III_Securing_Communication_Channels
IT8005_EC_Unit_III_Securing_Communication_ChannelsPalani Kumar
 
Firewalls
FirewallsFirewalls
FirewallsDeevena Dayaal
 
Network security
Network securityNetwork security
Network securitySidiq Dwi Laksana
 
WT - Firewall & Proxy Server
WT - Firewall & Proxy ServerWT - Firewall & Proxy Server
WT - Firewall & Proxy Servervinay arora
 
firewalls.ppt
firewalls.pptfirewalls.ppt
firewalls.pptRaj Kumar
 
Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Radhika Talaviya
 
Introduction to Cyber security module - III
Introduction to Cyber security module - IIIIntroduction to Cyber security module - III
Introduction to Cyber security module - IIITAMBEMAHENDRA1
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2sweta dargad
 
Firewalls and packet filters
Firewalls and packet filtersFirewalls and packet filters
Firewalls and packet filtersMOHIT AGARWAL
 
WLAN:VPN Security
WLAN:VPN SecurityWLAN:VPN Security
WLAN:VPN Security@zenafaris91
 
A firewall is a network security device.
A firewall is a network security device.A firewall is a network security device.
A firewall is a network security device.abidhassan225
 
Firewalls
FirewallsFirewalls
FirewallsUniversity of Central Punjab
 
Firewalls by Puneet Bawa
Firewalls by Puneet BawaFirewalls by Puneet Bawa
Firewalls by Puneet BawaPuneet Bawa
 
FIREWALL
FIREWALLFIREWALL
FIREWALLswati463221
 
Network Security_Dr Shivashankar_Module 5.pdf
Network Security_Dr Shivashankar_Module 5.pdfNetwork Security_Dr Shivashankar_Module 5.pdf
Network Security_Dr Shivashankar_Module 5.pdfDr. Shivashankar
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewallCoder Tech
 
Firewall configuration
Firewall configurationFirewall configuration
Firewall configurationNutan Kumar Panda
 
Firewall
FirewallFirewall
Firewallthinkahead.net
 
Insights of vpn
Insights of vpnInsights of vpn
Insights of vpnHarshika Rana
 
Firewall
Firewall Firewall
Firewall Amuthavalli Nachiyar
 
Firewall protection
Firewall protectionFirewall protection
Firewall protectionVC Infotech
 
Firewall
FirewallFirewall
FirewallKenny2012
 
Ch05 Network Defenses
Ch05 Network DefensesCh05 Network Defenses
Ch05 Network DefensesInformation Technology
 
firrewall and intrusion prevention system.pptx
firrewall and intrusion prevention system.pptxfirrewall and intrusion prevention system.pptx
firrewall and intrusion prevention system.pptxfatimagull32
 
CN. Presentation for submitting project term pptx
CN. Presentation for submitting project term pptxCN. Presentation for submitting project term pptx
CN. Presentation for submitting project term pptxsaad504633
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 

More Related Content

Similar to Ch06-NetworkSecurity2-firewall-tunneling-IDS.ppt

Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Radhika Talaviya
 
Introduction to Cyber security module - III
Introduction to Cyber security module - IIIIntroduction to Cyber security module - III
Introduction to Cyber security module - IIITAMBEMAHENDRA1
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2sweta dargad
 
Firewalls and packet filters
Firewalls and packet filtersFirewalls and packet filters
Firewalls and packet filtersMOHIT AGARWAL
 
A firewall is a network security device.
A firewall is a network security device.A firewall is a network security device.
A firewall is a network security device.abidhassan225
 
Firewalls by Puneet Bawa
Firewalls by Puneet BawaFirewalls by Puneet Bawa
Firewalls by Puneet BawaPuneet Bawa
 
Network Security_Dr Shivashankar_Module 5.pdf
Network Security_Dr Shivashankar_Module 5.pdfNetwork Security_Dr Shivashankar_Module 5.pdf
Network Security_Dr Shivashankar_Module 5.pdfDr. Shivashankar
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewallCoder Tech
 
Firewall protection
Firewall protectionFirewall protection
Firewall protectionVC Infotech
 
firrewall and intrusion prevention system.pptx
firrewall and intrusion prevention system.pptxfirrewall and intrusion prevention system.pptx
firrewall and intrusion prevention system.pptxfatimagull32
 
CN. Presentation for submitting project term pptx
CN. Presentation for submitting project term pptxCN. Presentation for submitting project term pptx
CN. Presentation for submitting project term pptxsaad504633
 

Similar to Ch06-NetworkSecurity2-firewall-tunneling-IDS.ppt (20)

Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters Cyber Security - Firewall and Packet Filters
Cyber Security - Firewall and Packet Filters
 
Introduction to Cyber security module - III
Introduction to Cyber security module - IIIIntroduction to Cyber security module - III
Introduction to Cyber security module - III
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2
 
Firewalls and packet filters
Firewalls and packet filtersFirewalls and packet filters
Firewalls and packet filters
 
WLAN:VPN Security
WLAN:VPN SecurityWLAN:VPN Security
WLAN:VPN Security
 
A firewall is a network security device.
A firewall is a network security device.A firewall is a network security device.
A firewall is a network security device.
 
Firewalls
FirewallsFirewalls
Firewalls
 
Firewalls by Puneet Bawa
Firewalls by Puneet BawaFirewalls by Puneet Bawa
Firewalls by Puneet Bawa
 
FIREWALL
FIREWALLFIREWALL
FIREWALL
 
Network Security_Dr Shivashankar_Module 5.pdf
Network Security_Dr Shivashankar_Module 5.pdfNetwork Security_Dr Shivashankar_Module 5.pdf
Network Security_Dr Shivashankar_Module 5.pdf
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewall
 
Firewall configuration
Firewall configurationFirewall configuration
Firewall configuration
 
Firewall
FirewallFirewall
Firewall
 
Insights of vpn
Insights of vpnInsights of vpn
Insights of vpn
 
Firewall
Firewall Firewall
Firewall
 
Firewall protection
Firewall protectionFirewall protection
Firewall protection
 
Firewall
FirewallFirewall
Firewall
 
Ch05 Network Defenses
Ch05 Network DefensesCh05 Network Defenses
Ch05 Network Defenses
 
firrewall and intrusion prevention system.pptx
firrewall and intrusion prevention system.pptxfirrewall and intrusion prevention system.pptx
firrewall and intrusion prevention system.pptx
 
CN. Presentation for submitting project term pptx
CN. Presentation for submitting project term pptxCN. Presentation for submitting project term pptx
CN. Presentation for submitting project term pptx
 

Recently uploaded

Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Standkumarajju5765
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 

Recently uploaded (20)

Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 

Ch06-NetworkSecurity2-firewall-tunneling-IDS.ppt

  • 1. CIS3360: Security in Computing Chapter 6 : Network Security II - Firewall, Tunneling, Intrusion Detection Cliff Zou Spring 2012
  • 3. Firewalls  A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.  A network firewall is similar to firewalls in building construction, because in both cases they are intended to isolate one "network" or "compartment" from another. 3
  • 4. Firewall Policies  To protect private networks and individual machines from the dangers of the greater Internet, a firewall can be employed to filter incoming or outgoing traffic based on a predefined set of rules called firewall policies. 4 Trusted internal network Firewall policies Untrusted Internet
  • 5. Policy Actions  Packets flowing through a firewall can have one of three outcomes:  Accepted: permitted through the firewall  Dropped: not allowed through with no indication of failure  Rejected: not allowed through, accompanied by an attempt to inform the source that the packet was rejected  Policies used by the firewall to handle packets are based on several properties of the packets being inspected, including the protocol used, such as:  TCP or UDP  the source and destination IP addresses  the source and destination ports  the application-level payload of the packet (e.g., whether it contains a virus). 5
  • 6. Blacklists and White Lists  Two fundamental approaches to creating firewall policies (or rulesets)  Blacklist approach (default-allow)  All packets are allowed through except those that fit the rules defined specifically in a blacklist.  Pros: flexible in ensuring that service to the internal network is not disrupted by the firewall  Cons: unexpected forms of malicious traffic could go through  Whitelist approach (default-deny)  Packets are dropped or rejected unless they are specifically allowed by the firewall  Pros: A safer approach to defining a firewall ruleset  Cons: must consider all possible legitimate traffic in rulesets 6
  • 7. Firewall Types • packet filters (stateless) – If a packet matches the packet filter's set of rules, the packet filter will drop or accept it • "stateful" filters – it maintains records of all connections passing through it and can determine if a packet is either the start of a new connection, a part of an existing connection, or is an invalid packet. • application layer – It works like a proxy it can “understand” certain applications and protocols. – It may inspect the contents of the traffic, blocking what it views as inappropriate content (i.e. websites, viruses, vulnerabilities, ...) 7
  • 8. Stateless Firewalls  A stateless firewall doesn’t maintain any remembered context (or “state”) with respect to the packets it is processing. Instead, it treats each packet attempting to travel through it in isolation without considering packets that it has processed previously. 8 Trusted internal network SYN Seq = x Port=80 SYN-ACK Seq = y Ack = x + 1 ACK Seq = x + 1 Ack = y + 1 Allow outbound SYN packets, destination port=80 Allow inbound SYN-ACK packets, source port=80 Client Server Firewall
  • 9. Stateless Restrictions  Stateless firewalls may have to be fairly restrictive in order to prevent most attacks. 9 Trusted internal network SYN Seq = y Port=80 Allow outbound SYN packets, destination port=80 Drop inbound SYN packets, Allow inbound SYN-ACK packets, source port=80 Client Attacker (blocked) Firewall
  • 10. Statefull Firewalls  Stateful firewalls can tell when packets are part of legitimate sessions originating within a trusted network.  Stateful firewalls maintain tables containing information on each active connection, including the IP addresses, ports, and sequence numbers of packets.  Using these tables, stateful firewalls can allow only inbound TCP packets that are in response to a connection initiated from within the internal network. 10
  • 11. Statefull Firewall Example  Allow only requested TCP connections: 11 Trusted internal network SYN Seq = x Port=80 SYN-ACK Seq = y Ack = x + 1 ACK Seq = x + 1 Ack = y + 1 Allow outbound TCP sessions, destination port=80 Client SYN-ACK Seq = y Port=80 Attacker (blocked) Established TCP session: (128.34.78.55, 76.120.54.101) 128.34.78.55 76.120.54.101 Firewall state table Server Firewall
  • 12.  TCP-based connections are easy to check  TCP SYN packet  UDP-based traffic is not so clear  There is no UDP connection set up  Treat a UDP session starts when a legitimate UDP packet is allowed through the firewall (such as from inside to outside)  Session is defined by (source IP, source port, dest IP, dest port) 12
  • 13. Network Security 7-13 Application-level Firewall  Filters packets on application data as well as on IP/TCP/UDP fields.  Example: allow select internal users to telnet outside. host-to-gateway session gateway-to-remote host session application gateway router and filter 1. Require all telnet users to telnet through gateway. 2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections 3. Router filter blocks all telnet connections not originating from gateway. r Example: block user access to know porn websites m Check if the Web URL is in a “black-list”
  • 14. Firewall on Windows and Linux  On Linux, Iptables is used to provide firewall function  http://en.wikipedia.org/wiki/I ptables 14  On Windows, use “control panel” “Windows Firewall”
  • 15. Tunnels  The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a TCP connection, he can often see the complete contents of the payloads in this session.  One way to prevent such eavesdropping without changing the software performing the communication is to use a tunneling protocol.  In such a protocol, the communication between a client and server is automatically encrypted, so that useful eavesdropping is infeasible. 15
  • 16. Tunneling Prevents Eavesdropping  Packets sent over the Internet are automatically encrypted. 16 Server Client Tunneling protocol (does end-to-end encryption and decryption) Payloads are encrypted here TCP/IP TCP/IP Untrusted Internet
  • 17. Secure Shell (SSH)  A secure interactive command session:  The client connects to the server via a TCP session.  The client and server exchange information on administrative details, such as supported encryption methods and their protocol version, each choosing a set of protocols that the other supports.  Example: check ssh client software to see what are supported.  The client and server initiate a secret-key exchange to establish a shared secret session key, which is used to encrypt their communication (but not for authentication). This session key is used in conjunction with a chosen block cipher (typically AES, 3DES) to encrypt all further communications. 17
  • 18.  The server sends the client a list of acceptable forms of authentication, which the client will try in sequence.  Password based authentication  Public-key authentication method  Client sends the server its public key  The server then checks if this key is stored in its list of authorized keys. If so, the server encrypts a challenge using the client’s public key and sends it to the client  The client decrypts the challenge with its private key and responds to the server, proving its identity 18
  • 19. IPSec  IPSec defines a set of protocols to provide confidentiality and authenticity for IP packets  Authentication Header (AH)  provide connectionless integrity and data origin authentication for IP datagrams  provides protection against replay attacks  No confidentiality (packets are still unencrypted)  Encapsulating Security Payload (ESP)  provide confidentiality, data-origin authentication, connectionless integrity, and limited traffic-flow confidentiality.  Port numbers are encrypted, poses challenge for NAT  http://en.wikipedia.org/wiki/IPsec 19
  • 21. 21
  • 22. Virtual Private Networking (VPN)  Virtual private networking (VPN) is a technology that allows private networks to be safely extended over long physical distances by making use of a public network, such as the Internet, as a means of transport.  VPN provides guarantees of data confidentiality, integrity, and authentication, despite the use of an untrusted network for transmission.  There are two primary types of VPNs, remote access VPN and site-to-site VPN. 22
  • 23. Types of VPNs  Remote access VPNs allow authorized clients to access a private network that is referred to as an intranet.  E.g., UCF VPN. Computer has internal IP when connected.  Set up a VPN endpoint, network access server (NAS)  Clients install VPN client software on their machines.  Site-to-site VPN solutions are designed to provide a secure bridge between two or more physically distant networks.  Before VPN, organizations wishing to safely bridge their private networks purchased expensive leased lines to directly connect their intranets with cabling. 23
  • 24. Intrusion Detection Systems  Intrusion  Actions aimed at compromising the security of the target (confidentiality, integrity, availability of computing/networking resources)  Intrusion detection  The identification through intrusion signatures and report of intrusion activities  Intrusion prevention  The process of both detecting intrusion activities and managing automatic responsive actions throughout the network 24
  • 25. IDS Components  IDS manager compiles data from the IDS sensors to determine if an intrusion has occurred.  If an IDS manager detects an intrusion, then it sounds an alarm. 25 Untrusted Internet IDS Manager IDS Sensor router router router IDS Sensor Firewall
  • 26. Possible Alarm Outcomes  Alarms can be sounded (positive) or not (negative) 26 Intrusion Attack No Intrusion Attack Alarm Sounded No Alarm Sounded True Positive False Positive True Negative False Negative Bad (miss attack) Bad (reject normal)
  • 27. The Base-Rate Fallacy  true-positive rate is conflict with false-negative rate.  There is a trade-off  If # of intrusions << # of all events, the effectiveness of an intrusion detection system can be reduced.  In particular, the effectiveness of some IDSs can be misinterpreted due to a statistical error known as the base-rate fallacy.  This type of error occurs when the probability of some conditional event is assessed without considering the “base rate” of that event. 27
  • 28. Base-Rate Fallacy Example  Suppose an IDS has 1% chance of false positives, and 1% of false negatives. Suppose further…  An intrusion detection system generates 1,000,100 log entries.  Only 100 of the 1,000,100 entries correspond to actual malicious events.  Among the 100 malicious events, 99 will be detected as malicious, which means we have 1 false negative.  Among the 1,000,000 benign events, 10,000 will be mistakenly identified as malicious. That is, we have 10,000 false positives!  Thus, there will be 10,099 alarms sounded, 10,000 of which are false alarms. That means false alarm rate is roughly 99%! 28
  • 29. Types of Intrusion Detection Systems  Rule-Based Intrusion Detection  Rules and signatures identify the types of actions that match certain known profiles for an intrusion attack  Alarm raised can indicate what attack triggers the alarm  Problem: Cannot deal with unknown attacks  Statistical Intrusion Detection  Statistical representation (profile) of the typical ways that a user acts or a host is used  Determine when a user or host is acting in highly unusual, anomalous ways.  Alarm when a user or host deviates significantly from the stored profile for that person or machine  Problem: High false positive rate, cannot tell which attack triggers the alarm 29
  • 30. Port Scanning  Purpose: Attackers need to know where a potential target is  TCP scan: use OS system call to check if TCP connection can be set up on a target machine on any port  Example scanner: nmap  See how nmap works on department eustis machine!  SYN scan: low-level TCP program to send out SYN packet without intent to finish the TCP connection setup  On receiving SYN/ACK, issues a RST packet to terminate 30
  • 31. Port Scanning  Two port scanning mode:  Vertical scan: target numerous destination ports on a singular host (e.g., nmap)  Horizontal scan: target the same port on many target hosts, effectively looking for a specific vulnerability  E.g., worm  E.g., attacker conduct reconnaissance before real attack 31