COSC4377. Chapter 8 roadmap



Similar documents
Chapter 8 Network Security

Chapter 8 Security Pt 2

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

VLAN und MPLS, Firewall und NAT,

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Public Key Infrastructure in idrac

Chapter 6: Network Access Control

Chapter 8 Network Security

Firewalls. Ahmad Almulhem March 10, 2012

CS5008: Internet Computing

Network Security in Practice

Lecture 23: Firewalls

FIREWALLS & CBAC. philip.heimer@hh.se

Overview of Network Security

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Introduction of Intrusion Detection Systems

FIREWALL AND NAT Lecture 7a

Firewalls. Chapter 3

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

SonicOS 5.9 / / 6.2 Log Events Reference Guide with Enhanced Logging

Cryptography and network security

Firewalls, IDS and IPS

Solution of Exercise Sheet 5

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Firewalls. Network Security. Firewalls Defined. Firewalls

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Chapter 9 Firewalls and Intrusion Prevention Systems

Security Technology White Paper

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Content Distribution Networks (CDN)

Introduction to Firewalls Open Source Security Tools for Information Technology Professionals

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

Computer Security: Principles and Practice

Proxy Server, Network Address Translator, Firewall. Proxy Server

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

IP Filter/Firewall Setup

Computer Security DD2395

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

INTRODUCTION TO FIREWALL SECURITY

Computer Networks. Secure Systems

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Cornerstones of Security

Chapter 8 Network Security. Slides adapted from the book and Tomas Olovsson

CMPT 471 Networking II

Firewall Firewall August, 2003

Chapter 15. Firewalls, IDS and IPS

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

CSCI Firewalls and Packet Filtering

Security vulnerabilities in the Internet and possible solutions

Network Security Fundamentals

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Cisco Configuring Commonly Used IP ACLs

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Firewall Defaults and Some Basic Rules

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

Firewall Design Principles Firewall Characteristics Types of Firewalls

Chapter 11 Cloud Application Development

Securizarea Calculatoarelor și a Rețelelor 13. Implementarea tehnologiei firewall CBAC pentru protejarea rețelei

Firewalls, Tunnels, and Network Intrusion Detection

Stateful Firewalls. Hank and Foo

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

OS/390 Firewall Technology Overview

A S B

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

CIT 480: Securing Computer Systems. Firewalls

What is a DoS attack?

Networks: IP and TCP. Internet Protocol

Network Security CS 192

Firewalls (IPTABLES)

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Post-Class Quiz: Telecommunication & Network Security Domain

CSCE 465 Computer & Network Security

Internetwork Expert s CCNA Security Bootcamp. IOS Firewall Feature Set. Firewall Design Overview

Protecting and controlling Virtual LANs by Linux router-firewall

ΕΠΛ 674: Εργαστήριο 5 Firewalls

SonicOS 5.9 One Touch Configuration Guide

Transcription:

Lecture 28 Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing e mail 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7 Securing wireless LANs 8.8 Operational security: firewalls and IDS 1

Firewalls firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others administered network trusted good guys firewall public Internet untrusted bad guys Firewalls: why prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no res left for real connections prevent illegal modification/access of internal data e.g., attacker replaces CIA s homepage with something else allow only authorized access to inside network set of authenticated users/hosts three types of firewalls: stateless packet filters stateful packet filters application gateways 2

Stateless packet filtering Should arriving packet be allowed in? Departing packet let out? internal network connected to Internet via router firewall router filters packet by packet, decision to forward/drop packet based on: IP, ination IP TCP/UDP and ination numbers ICMP message type TCP SYN and ACK bits Stateless packet filtering: example example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either or = 23 result: all incoming, outgoing UDP flows and telnet connections are blocked example 2: block inbound TCP segments with ACK=0. result: prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside. 3

Stateless packet filtering: more examples Policy No outside Web access. No incoming TCP connections, except those for institution s public Web server only. Prevent Web-radios from eating up the available bandwidth. Prevent your network from being used for a smurf DoS attack. Prevent your network from being tracerouted Firewall Setting Drop all outgoing packets to any IP, 80 Drop all incoming TCP SYN packets to any IP except 130.207.244.203, 80 Drop all incoming UDP packets - except DNS and router broadcasts. Drop all ICMP packets going to a broadcast (e.g. 130.207.255.255). Drop all outgoing ICMP TTL expired traffic Access Control Lists ACL: table of rules, applied top to bottom to incoming packets: (action, condition) pairs action protocol any allow TCP > 1023 80 allow TCP 80 > 1023 ACK allow UDP > 1023 53 --- allow UDP 53 > 1023 ---- deny all all all all all all flag bit 4

Stateful packet filtering stateless packet filter: heavy handed tool admits packets that make no sense, e.g., = 80, ACK bit set, even though no TCP connection established: action protocol flag bit allow TCP 80 > 1023 ACK stateful packet filter: track status of every TCP connection track connection setup (SYN), teardown (FIN): determine whether incoming, outgoing packets makes sense timeout inactive connections at firewall: no longer admit packets Stateful packet filtering ACL augmented to indicate need to check connection state table before admitting packet action allow allow proto TCP > 1023 80 flag bit any check conxion TCP 80 > 1023 ACK x allow UDP > 1023 53 --- allow UDP 53 > 1023 ---- x deny all all all all all all 5

Application gateways filters packets on application data as well as on IP/TCP/UDP fields. example: allow select internal users to telnet outside. host-to-gateway telnet session application gateway gateway-to-remote host telnet session router and filter 1. require all telnet users to telnet through gateway. 2. for authorized users, gateway sets up telnet connection to host. Gateway relays data between 2 connections 3. router filter blocks all telnet connections not originating from gateway. Application gateways filter packets on application data as well as on IP/TCP/UDP fields. example: allow select internal users to telnet outside host-to-gateway telnet session application gateway router and filter gateway-to-remote host telnet session 1. require all telnet users to telnet through gateway. 2. for authorized users, gateway sets up telnet connection to host. Gateway relays data between 2 connections 3. router filter blocks all telnet connections not originating from gateway. 6

Limitations of firewalls, gateways IP spoofing: router can t know if data really comes from claimed if multiple app s. need special treatment, each has own app. gateway client software must know how to contact gateway. e.g., must set IP of proxy in Web browser filters often use all or nothing policy for UDP tradeoff: degree of communication with outside world, level of security many highly protected sites still suffer from attacks Intrusion detection systems packet filtering: operates on TCP/IP headers only no correlation check among sessions IDS: intrusion detection system deep packet inspection: look at packet contents (e.g., check character strings in packet against database of known virus, attack strings) examine correlation among multiple packets scanning network mapping DoS attack 7

Intrusion detection systems multiple IDSs: different types of checking at different locations firewall internal network Internet IDS sensors Web DNS server FTP server server demilitarized zone Network Security (summary) basic techniques... cryptography (symmetric and public) message integrity end point authentication. used in many different security scenarios secure email secure trans (SSL) IP sec 802.11 operational security: firewalls and IDS 8

Certificate: Data: Version: 1 (0x0) Serial Number: 7829 (0x1e95) Signature Algorithm: md5withrsaencryption Sample Certificate Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailAddress=server certs@thawte.com Validity Not Before: Jul 9 16:04:02 1998 GMT Not After : Jul 9 16:04:02 1999 GMT Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=www.freesoft.org/emailAddress=baccala@freesoft.org Subject Public Key Info: Public Key Algorithm: rsaencryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb: 33:35:19:d5:0c:64:b9:3d:41:b2:96:fc:f3:31:e1: 66:36:d0:8e:56:12:44:ba:75:eb:e8:1c:9c:5b:66: 70:33:52:14:c9:ec:4f:91:51:70:39:de:53:85:17: 16:94:6e:ee:f4:d5:6f:d5:ca:b3:47:5e:1b:0c:7b: c5:cc:2b:6b:c1:90:c3:16:31:0d:bf:7a:c7:47:77: 8f:a0:21:c7:4c:d0:16:65:00:c1:0f:d7:b8:80:e3: d2:75:6b:c1:ea:9e:5c:5c:ea:7d:c1:a1:10:bc:b8: e8:35:1c:9e:27:52:7e:41:8f Exponent: 65537 (0x10001) Signature Algorithm: md5withrsaencryption 93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:5d:9d: 92:2e:4a:1b:8b:ac:7d:99:17:5d:cd:19:f6:ad:ef:63:2f:92: ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:9c:67: d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:41:72: 0d:19:aa:ad:dd:9a:df:ab:97:50:65:f5:5e:85:a6:ef:19:d1: 5a:de:9d:ea:63:cd:cb:cc:6d:5d:01:85:b5:6d:c8:f3:d9:f7: 8f:0e:fc:ba:1f:34:e9:96:6e:6c:cf:f2:ef:9b:bf:de:b5:22: 68:9f http://en.wikipedia.org/wiki/x.509 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information