Network Security in Practice



Similar documents
Chapter 8 Security Pt 2

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Chapter 8 Network Security

CS5008: Internet Computing

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

VLAN und MPLS, Firewall und NAT,

Firewalls. Ahmad Almulhem March 10, 2012

COSC4377. Chapter 8 roadmap

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Solution of Exercise Sheet 5

Content Distribution Networks (CDN)

Lecture 23: Firewalls

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Security vulnerabilities in the Internet and possible solutions

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Chapter 6: Network Access Control

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

Kick starting science...

CS155: Computer and Network Security

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

CMPT 471 Networking II

CSCI 454/554 Computer and Network Security. Topic 8.1 IPsec

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

SECURITY ADVISORY FROM PATTON ELECTRONICS

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

FIREWALL AND NAT Lecture 7a

What is a DoS attack?

Protocol Security Where?

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Attack Lab: Attacks on TCP/IP Protocols

Overview. Firewall Security. Perimeter Security Devices. Routers

co Characterizing and Tracing Packet Floods Using Cisco R

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

Introduction to Computer Security

Introduction to Computer Security

A S B

Introduction to Firewalls Open Source Security Tools for Information Technology Professionals

Denial Of Service. Types of attacks

Safeguards Against Denial of Service Attacks for IP Phones

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Denial of Service Attacks

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Firewall Design Principles Firewall Characteristics Types of Firewalls

Secure Software Programming and Vulnerability Analysis

Network Security. by David G. Messerschmitt. Secure and Insecure Authentication. Security Flaws in Public Servers. Firewalls and Packet Filtering

Cryptography and network security

Slide 1 Introduction cnds@napier 1 Lecture 6 (Network Layer)

Firewalls, Tunnels, and Network Intrusion Detection

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address

Chapter 7: Network security

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Distributed Denial of Service Attack Tools

Firewall Implementation

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

Lecture 6: Network Attacks II. Course Admin

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

CSE331: Introduction to Networks and Security. Lecture 32 Fall 2004

What is network security?

Sitefinity Security and Best Practices

This Lecture. The Internet and Sockets. The Start If everyone just sends a small packet of data, they can all use the line at the same.

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Denial of Service. Tom Chen SMU

Network Instruments white paper

FIREWALLS & CBAC. philip.heimer@hh.se

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

A Research Study on Packet Sniffing Tool TCPDUMP

Firewalls P+S Linux Router & Firewall 2013

INTRUSION DETECTION SYSTEMS and Network Security

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Firewalls. Chapter 3

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski

Security Awareness. Wireless Network Security

Project Overview and Setup. CS155: Computer and Network Security. Project Overview. Goals of the assignment. Setup (2) Setup

- Basic Router Security -

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Security: Focus of Control. Authentication

Firewalls and Intrusion Detection

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Proxy Server, Network Address Translator, Firewall. Proxy Server

Transcription:

Network Security in Practice Practices of Network Security ccess control: firewalls ttacks and counter measures Security protocol case studies Kai Shen 12/8/2014 CSC 257/457 - Fall 2014 1 12/8/2014 CSC 257/457 - Fall 2014 2 ccess Control: Firewalls firewall isolates organization s internal network from the public Internet through filtering, allowing some data to pass, blocking others. Network layer Packet Filtering Should arriving packet be allowed in? Departing packet let out? internal network firewall public Internet Firewall is built into the edge router connected to the Internet Router filters packet by packet, decision to forward/drop packet based on: Source IP address, destination IP address CP/UDP source and destination port numbers CP flags ( and CK bits) 12/8/2014 CSC 257/457 - Fall 2014 3 12/8/2014 CSC 257/457 - Fall 2014 4 1

Policies in Network layer Packet Filtering Example 1: blocking all incoming CP datagrams with dest port = 80 No external clients can access internal Web servers. Example 2: blocking all CP datagrams with source or dest port = 23, except for those with source or dest IP = 128.151.67.155 (a particular internal machine) ll incoming and outgoing telnet connections have to go through a telnet gateway. Example 3: blocking all incoming CP datagrams with CK bit set to 0 Prevents external clients from initiating CP connections with internal clients, but allows internal clients to connect to outside. More on Network layer Packet Filtering dvantage: transparent to network applications incurring little extra overhead/latency Limitation: relying only on IP/CP/UDP header info not flexible enough, e.g., firewall can know the IP of the source, but not the user 12/8/2014 CSC 257/457 - Fall 2014 5 12/8/2014 CSC 257/457 - Fall 2014 6 pplication layer Gateways ccess control according to application layer information. Example: allow selected internal users to telnet outside. host-to-gateway telnet session gateway-to-remote host telnet session application gateway router and filter Practices of Network Security ccess control: firewalls network layer firewall application layer firewall ttacks and countermeasures Security protocol case studies 1. Router filter blocks all telnet connections not originating from gateway require all telnet users to telnet through gateway. 2. For authorized users, gateway sets up telnet connection to dest host. 12/8/2014 CSC 257/457 - Fall 2014 7 12/8/2014 CSC 257/457 - Fall 2014 8 2

Network Security hreat: Mapping Network Security hreat: Packet Sniffing efore attacking: scout the area find out what services are implemented on network ry to determine what host addresses are valid on the network Port scanning: try to establish CP connection to each port in sequence (see what happens) Record traffic entering network Look for suspicious activity (e.g., IP addresses, ports being scanned sequentially) Promiscuous NIC reads all packets passing by a broadcast media (e.g. shared link Ethernet, WiFi) Can read all unencrypted data (e.g. passwords) src: dest: payload Checks periodically if host interface in promiscuous mode. One host per segment of broadcast media (switched Ethernet) Encrypt all packets. 12/8/2014 CSC 257/457 - Fall 2014 9 12/8/2014 CSC 257/457 - Fall 2014 10 Network Security hreat: IP Spoofing with root privilege, one can generate raw IP packets with any value into IP source address field receiver can t tell if source is spoofed e.g.: pretends to be authentication src: dest: payload ingress filtering routers should not forward outgoing packets with invalid source addresses 12/8/2014 CSC 257/457 - Fall 2014 11 Network Security hreat: Cross Site Scripting Cross site scripting: duped to run script unintended by the original site most significant vulnerability for web applications today Examples: attacker supplies attack string (including HML tag and JavaScript code) as msg to msg board FOOR; a user who trusts FOOR views msgs and his/her browser would run attack JavaScript search engine FOOR displays the input search keywords in the return page; attacker prepares a search query with attack string; a user who trusts FOOR clicks the search attacker embeds attack strings in machine names Countermeasures? Careful input checking. Dependence tracking through tainting. 12/8/2014 CSC 257/457 - Fall 2014 12 3

Network Security hreat: Denial of service ttack flooding: attacker establishes many bogus CP connections, flood of maliciously generated packets swamp receiver Resource use at victim; resource use by the attacker Distributed DOS (DDOS): multiple coordinated sources swamp receiver e.g., and remote host attack Countermeasures? Countermeasure 1: Packet Filtering Filtering out attack packets: attack packets carry spoofed IP addresses hard to filter based on IP address if filtering out all packets, then no good connections if filtering out some packets, throw out good and bad connections 12/8/2014 CSC 257/457 - Fall 2014 13 12/8/2014 CSC 257/457 - Fall 2014 14 Countermeasure 2: race ack Countermeasure 3: Delayed Processing DoS victim Delayed processing or resource allocation: connection request client server race back to flood source: attack packets with spoofed IPs trace back through network statistics sources are most likely innocent, compromised machines ttacker Data structure allocation and initialization at receipt of real data request, not at receipt of first What if attacker sends, waits for CK, and then sends some dummy data? 12/8/2014 CSC 257/457 - Fall 2014 15 12/8/2014 CSC 257/457 - Fall 2014 16 4

Stateless CP Disclaimer Stateless CP [Shieh et al. NSDI 2005]: server side maintains no state about CP connections advantage: CP connections only require temporary space during packet processing state for a CP connection: receive buffer send buffer various control parameters and network statistics how to avoid maintaining such state at server side? timeout management for continuation state is a bit tricky Parts of the lecture slides contain original work of James Kurose, Larry Peterson, and Keith Ross. he slides are intended for the sole purpose of instruction of computer networks at the University of Rochester. ll copyrighted materials belong to their original owner(s). also useful for transparent server fail over/migration/load balancing 12/8/2014 CSC 257/457 - Fall 2014 17 12/8/2014 CSC 257/457 - Fall 2014 18 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information