What is a Firewall?
- A computer system between the internal network and the rest of the Internet
- A single computer or a set of computers that cooperate to perform the firewall function
- Protects the internal network from Internet-based attacks
- A single choke point at which to impose security and auditing

Design Goals
- All traffic from inside to outside, or outside to inside, must pass through the firewall (configuration)
- Only authorized traffic, as defined by the security policy, is allowed to pass
- The firewall itself is secure

Packet Filters
- Apply rules to each incoming IP packet and then forward or discard the packet
- Rules are based on information contained in the packet: source IP address, destination IP address, source and destination transport-level address (port), IP protocol field, arriving interface
- Default policy: discard or forward

Packet Filtering Examples
Stateful Packet Filter
- Problem: high-numbered (client) port numbers are assigned dynamically, so a static rule that opens them could be exploited
- Solution: remember the established connections and admit only the replies that belong to them
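As an added example (not from the slides), a small Python model of the two preceding slides: a first-match rule list with a default-discard policy, plus a connection table so replies to admitted outbound flows are forwarded without a static rule for the dynamic client port. Addresses, interfaces and rules are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "inside" or "outside"
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int

# Rule tuple: (action, arriving interface, source network, destination network,
# protocol, destination port). "*" matches anything. First match wins.
RULES = [
    ("forward", "inside",  "10.0.0.0/8", "0.0.0.0/0",    "tcp", 80),   # outbound HTTP
    ("forward", "inside",  "10.0.0.0/8", "0.0.0.0/0",    "tcp", 443),  # outbound HTTPS
    ("forward", "outside", "0.0.0.0/0",  "10.0.0.25/32", "tcp", 25),   # inbound SMTP to mail host
]

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.conns = set()   # flows already admitted: (src, sport, dst, dport, proto)

    def _static_match(self, p):
        """Stateless check: walk the rule list; the default policy is discard."""
        for action, iface, src_net, dst_net, proto, dport in self.rules:
            if iface != "*" and iface != p.iface:
                continue
            if ipaddress.ip_address(p.src) not in ipaddress.ip_network(src_net):
                continue
            if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(dst_net):
                continue
            if proto != "*" and proto != p.proto:
                continue
            if dport != "*" and dport != p.dport:
                continue
            return action
        return "discard"

    def filter(self, p):
        # Stateful check first: a reply to a flow admitted earlier is forwarded
        # even though no static rule opens its high-numbered client port.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.conns:
            return "forward"
        action = self._static_match(p)
        if action == "forward":
            self.conns.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return action
```

An unsolicited packet from the Internet to a high port is discarded, while the reply to a flow the filter has seen leave is forwarded.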
Application-Level Gateway
- Bastion host, proxy server
- Supports specific applications and specific features
- More secure, easy to log and audit
- Additional processing overhead

Encrypted Tunnels
What a Firewall Can't Do
- Cannot protect against internal threats
- Cannot protect against attacks that bypass the firewall
- Cannot protect against the transfer of virus-infected programs or files

Why Do We Need an IDS?
- IDS: Intrusion Detection System
- Second line of defense: prevention, detection, recovery
- Motivation:
  - Detect an attack: the sooner an attack is detected, the less damage is done and the more quickly recovery can be achieved
  - An effective IDS can serve as a deterrent, so acting to prevent intrusions
  - An IDS collects information about intrusion techniques that can be used to strengthen the intrusion prevention facility

Intrusion Detection Approaches
- Rule-based (misuse) detection
  - Attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder
  - Define improper behavior, or an attack signature, for known attacks
  - False negative rate is high
- Anomaly detection
  - Collect data relating to the behavior of legitimate users over a period of time, then apply statistical tests to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior
  - Define normal, or expected, behavior; use a threshold or profile to detect abnormal behavior; can be used for unknown attacks
  - False positive rate is high

Intrusion Examples
- Spam coming from a machine in your network
- Packets with forged source addresses
- A machine trying to contact a known bad service, such as an IRC channel that's being used to control a botnet
- Multiple failed login attempts
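As an added example (not part of the slides), both detection approaches applied to the "multiple failed login attempts" case: a misuse rule that fires on a fixed signature (N failures from one source within a window), and an anomaly detector that compares an observed count against a statistical baseline of normal activity. The log lines and the baseline are constructed for the demonstration.

```python
import re
import statistics
from collections import defaultdict

# Constructed sshd-style log lines for the demonstration (not from a real host).
LOG = """\
Mar  3 10:00:01 gw sshd[101]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar  3 10:00:03 gw sshd[102]: Failed password for root from 198.51.100.9 port 40002 ssh2
Mar  3 10:00:05 gw sshd[103]: Failed password for admin from 198.51.100.9 port 40003 ssh2
Mar  3 10:00:07 gw sshd[104]: Failed password for admin from 198.51.100.9 port 40004 ssh2
Mar  3 10:00:09 gw sshd[105]: Failed password for test from 198.51.100.9 port 40005 ssh2
Mar  3 10:01:30 gw sshd[106]: Failed password for alice from 10.0.0.5 port 50001 ssh2
Mar  3 10:01:45 gw sshd[107]: Accepted password for alice from 10.0.0.5 port 50001 ssh2
"""
FAILED = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for \S+ from (\S+) port")

def failed_logins(log):
    """Yield (seconds since midnight, source address) for each failed login."""
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            h, mi, s, src = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + int(s), src

def failed_count(log):
    return sum(1 for _ in failed_logins(log))

def misuse_detect(log, threshold=5, window=60):
    """Rule-based: alert on any source with >= threshold failures within `window` seconds.
    Catches the known pattern, but an attacker who stays under the threshold is missed."""
    recent = defaultdict(list)
    alerts = set()
    for t, src in failed_logins(log):
        recent[src] = [x for x in recent[src] if t - x < window] + [t]
        if len(recent[src]) >= threshold:
            alerts.add(src)
    return alerts

def anomaly_detect(baseline, observed, k=3.0):
    """Anomaly-based: flag a count more than k standard deviations above the baseline mean.
    Needs no signature, but a legitimately busy hour will also trip it."""
    mean, sd = statistics.mean(baseline), statistics.pstdev(baseline)
    return observed > mean + k * sd

# Constructed baseline: failed logins per hour seen during a normal week.
BASELINE = [2, 1, 3, 2, 0, 1, 2, 1]
```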
Attacks on Rule-Based IDS
- Insertion attack
  - Goal: evade detection by the NIDS
  - Approach: insert certain packets that will be seen by the NIDS but not by the destination host, so that the attack signature is garbled at the NIDS

Evasion Attack
- Goal: evade detection by the NIDS
- Approach: construct certain packets that will not be seen by the NIDS but will be seen by the destination host, so that the attack signature is garbled at the NIDS

Denial-of-Service Attacks
DoS Attacks
- An explicit attempt by attackers to prevent legitimate users of a service from using that service
- Overpowering the victim: small resource consumption on the attacker's side, larger resource consumption on the victim's side
- Brute force: flooding by a large number of attackers
- Concealing the attacker's identity: forged source addresses
- Examples: one-packet kill, land attack, TCP SYN flooding attack, smurf attack, WinFreeze, Loki, TFN, Trinoo, Stacheldraht
- Firewalls can help protect against DoS attacks by keeping nuisance traffic off your network, but cannot eliminate IP-spoofed packets

One-Packet Kill
- Exploits a software vulnerability or bug by sending a single packet that causes a system to crash
- For example, sending a packet to port 427 of a Windows 98 system running the Novell Intranet Client will cause the blue screen of death

Land Attack
- Exploits a flaw in some IP stack implementations by sending a forged packet with the source address the same as the destination address, which causes the operating system to crash

Smurf Attack
WinFreeze
- Uses a large number of ICMP redirect messages to keep the victim host busy updating its routing table, achieving DoS

Loki
- A Loki server is installed on a compromised machine, listening for ICMP traffic
- The attacker sends ICMP echo requests to the Loki server, which transfers data in ICMP echo replies
- An implementation of tunneling, where data is transmitted secretly across a network by hiding it in traffic that normally does not carry a payload
- Used as a backdoor into a Unix system after root access has been compromised

Distributed DoS
- Increases the resources available for offense
- Makes it harder to trace the attacker
- A typical DDoS architecture: the attacker operates from a console, communicating with a group of masters. Each master controls a group of daemons, which actually launch the attacks. Masters and daemons are compromised machines on which the attack software is installed.

Trinoo
- Communication means: TCP and UDP
- Attacks: UDP floods to random ports of the victim

Why Not TCP Flooding?
- UDP does not have flow control, so the attacker can send at the highest rate that its network connection allows
- If the attacker has a faster Internet link than the victim, the attacker can congest the victim's Internet connection

Tribe Flood Network (TFN)
- Communication means: ICMP echo reply
- Attacks: UDP flood, TCP SYN flood, ICMP echo flood

TFN2K
- First DDoS program on Windows
- Communication means: encrypted traffic over TCP, UDP, or ICMP with no identifying ports
- Attacks: UDP flood, TCP SYN flood, ICMP echo flood

Stacheldraht
- Combination of Trinoo and TFN
- Communication means: encrypted traffic over TCP or ICMP echo reply
- Attacks: UDP flood, TCP SYN flood, ICMP echo flood

Client Puzzle
- The server makes each client solve a puzzle before committing resources, so the victim can exhaust the attacker's resources instead of its own
- Can prevent spam and DoS attacks
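As an added example (not from the slides), a hash-based client puzzle in Python: the server derives a nonce statelessly from a secret, the client address and a time slot; the client must find x such that SHA-256(nonce || x) begins with k zero bits, which costs it about 2^k hash evaluations, while the server verifies any candidate with one HMAC and one hash. The secret, address and time slot are constructed values.

```python
import hashlib
import hmac

def make_puzzle(server_secret, client_addr, timeslot, k):
    """Server side: derive a per-client, per-timeslot nonce from a secret so that
    no state is kept for unsolved puzzles. The puzzle is (nonce, k)."""
    msg = f"{client_addr}|{timeslot}".encode()
    nonce = hmac.new(server_secret, msg, hashlib.sha256).digest()[:16]
    return nonce, k

def leading_zero_bits(digest):
    """Number of zero bits at the front of a byte string."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve_puzzle(nonce, k):
    """Client side: brute-force search; expected cost about 2**k SHA-256 calls.
    This is the work the attacker must pay for every connection it opens."""
    x = 0
    while True:
        h = hashlib.sha256(nonce + x.to_bytes(8, "big")).digest()
        if leading_zero_bits(h) >= k:
            return x
        x += 1

def verify_solution(server_secret, client_addr, timeslot, k, x):
    """Server side: constant, cheap work regardless of k. The nonce is recomputed,
    so a solution for another client or time slot does not verify here."""
    nonce, _ = make_puzzle(server_secret, client_addr, timeslot, k)
    h = hashlib.sha256(nonce + x.to_bytes(8, "big")).digest()
    return leading_zero_bits(h) >= k
```

Raising k under load (and dropping it again when the flood subsides) is how a server tunes the cost it imposes on clients.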
Anti-Address Spoofing
- Ingress filtering: an edge router filters packets with source addresses not belonging to the network
- Requires wide deployment to be effective
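As an added example (not from the slides), the checks an edge router would apply under ingress filtering (BCP 38 / RFC 2827), with the land-attack check from the earlier slide folded in: packets leaving the customer network must carry a customer source, packets arriving from the Internet must not, and a packet whose source equals its destination is never forwarded. The customer prefix and addresses are constructed.

```python
import ipaddress

class EdgeRouter:
    """Anti-spoofing checks at the boundary between a customer network and the
    Internet. 'outbound' packets arrive from the customer side, 'inbound' from
    the Internet side."""

    def __init__(self, customer_prefix):
        self.customer = ipaddress.ip_network(customer_prefix)

    def check(self, direction, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s == d:
            return "drop: source equals destination (land attack)"
        if s.is_loopback or s.is_multicast or s.is_unspecified:
            return "drop: impossible source address"
        if direction == "outbound" and s not in self.customer:
            # Ingress filtering: a host in this network cannot legitimately
            # originate packets with a foreign source address.
            return "drop: source not in customer prefix"
        if direction == "inbound" and s in self.customer:
            # Mirror image: the Internet cannot legitimately deliver packets
            # claiming to come from our own addresses.
            return "drop: internal source arriving from outside"
        return "forward"

def audit(router, packets):
    """Apply the checks to (direction, src, dst) triples and tally the verdicts."""
    tally = {}
    for direction, src, dst in packets:
        verdict = router.check(direction, src, dst)
        tally[verdict] = tally.get(verdict, 0) + 1
    return tally
```

The slide's caveat holds here too: this router only stops spoofing that originates inside its own customer prefix, which is why the scheme needs wide deployment.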
Route-Based Distributed Packet Filtering
- A router drops a packet if the packet is received on an adjacent link that is not on any routing path from the packet's source to the packet's destination

IP Traceback in Flooding Attacks
IP Traceback
- Fit traceback information (distance, edge fragment, path identifier) into the IP header

Path Identifier
- Encode the path information in the packet header and allow the victim to filter the attack packets
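As an added illustration (not from the slides) of the "distance" and "edge" fields listed above, a simulation of probabilistic edge marking in the style of Savage et al.: each router overwrites the mark with probability p, otherwise completes the edge and increments the distance, and the victim chains the collected edges back toward the attacker. Whole router names stand in for the address fragments a real scheme would pack into the IP header; the path and probability are constructed.

```python
import random

def mark_packet(path, p, rng):
    """One packet crosses the routers in `path` (path[0] nearest the attacker,
    path[-1] adjacent to the victim). A router starts a new edge with
    probability p; otherwise it completes a fresh edge and bumps the distance."""
    start, end, dist = None, None, 0
    for router in path:
        if rng.random() < p:
            start, end, dist = router, None, 0
        elif start is not None:
            if dist == 0:
                end = router
            dist += 1
    return None if start is None else (start, end, dist)

def simulate(path, p, packets, seed=1):
    """Marks carried by `packets` flood packets along one attack path."""
    rng = random.Random(seed)
    return [mark_packet(path, p, rng) for _ in range(packets)]

def reconstruct_path(marks):
    """Victim side: group edges by distance and chain them outward. An edge whose
    'end' is None terminates at the victim itself. Stops at the first distance
    with no unique continuing edge (the flood was too short, or marks conflict)."""
    by_dist = {}
    for m in marks:
        if m is not None:
            by_dist.setdefault(m[2], set()).add((m[0], m[1]))
    path, current = [], None
    for d in range(len(by_dist)):
        candidates = [e for e in by_dist.get(d, ()) if e[1] == current]
        if len(candidates) != 1:
            break
        current = candidates[0][0]
        path.append(current)
    return path[::-1]

PATH = ["R1", "R2", "R3", "R4", "R5"]   # constructed attack path, R5 next to the victim
```

A packet marked at a far router is overwritten by each later router with probability p, so distant edges arrive rarely and reconstruction needs the volume a flood itself provides.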
Perimeter-Based Defense
- Rate limiting is pushed directly to the edge routers
- Rate limiting with AIMD
- Rate limiting with IP traceback