Chapter 9 Firewalls and Intrusion Prevention Systems



Similar documents
CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Computer Security: Principles and Practice

Computer Security DD2395

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Computer Security DD2395

ACS-3921/ Computer Security And Privacy Lecture Note 8 October 28 th 2015 Chapter 9 Firewalls and Intrusion Prevention Systems

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Firewalls CSCI 454/554

IPv6 Firewalls. ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok. Last updated 17 th May 2016

Firewalls. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Firewalls. Characteristics.

Firewalls. Contents. ITS335: IT Security. Firewall Characteristics. Types of Firewalls. Firewall Locations. Summary

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010

Proxy Server, Network Address Translator, Firewall. Proxy Server

What would you like to protect?

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Agenda. Understanding of Firewall s definition and Categorization. Understanding of Firewall s Deployment Architectures

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Firewalls. Ahmad Almulhem March 10, 2012

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Lecture slides for Computer Security: Principles and Practice, 2/e, by William Stallings and Lawrie Brown, Chapter 9 Firewalls and Intrusion

Firewalls (IPTABLES)

Chapter 20. Firewalls

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Firewall Design Principles Firewall Characteristics Types of Firewalls

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Security Technology: Firewalls and VPNs

Introduction of Intrusion Detection Systems

Security threats and network. Software firewall. Hardware firewall. Firewalls

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

Firewall Configuration. Firewall Configuration. Solution Firewall Principles

Firewalls, Tunnels, and Network Intrusion Detection

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

CSCI Firewalls and Packet Filtering

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

How To Protect Your Network From Attack From Outside From Inside And Outside

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Lecture 23: Firewalls

FIREWALLS CHAPTER The Need for Firewalls Firewall Characteristics Types of Firewalls

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Firewalls. Chien-Chung Shen

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

INTRODUCTION TO FIREWALL SECURITY

INTRUSION DETECTION SYSTEMS and Network Security

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Internet Security Firewalls

CMPT 471 Networking II

Cryptography and network security

CSCE 465 Computer & Network Security

Proxy firewalls.

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Firewalls. Chapter 3

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Chapter 6: Network Access Control

Firewalls. Mahalingam Ramkumar

Fig : Packet Filtering

Intranet, Extranet, Firewall

12. Firewalls Content

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

Training Course on Network Administration

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000

Guideline on Firewall

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Firewall Environments. Name

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

Networking for Caribbean Development

Chapter 8 Security Pt 2

Overview. Firewall Security. Perimeter Security Devices. Routers

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Chapter 15. Firewalls, IDS and IPS

Intrusion Detection Systems

8. Firewall Design & Implementation

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Network Access Security. Lesson 10

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Network Instruments white paper

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Application Firewalls

COORDINATED THREAT CONTROL

Architecture Overview

Firewall Design Principles

13 Ways Through A Firewall

Lesson 5: Network perimeter security

FIREWALLS & CBAC. philip.heimer@hh.se

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Information Technology Career Cluster Introduction to Cybersecurity Course Number:

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Transcription:

Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish a controlled link Can be a single computer system or a set of two or more systems working together Used as a perimeter defense Single choke point to impose security and auditing Insulates the internal systems from external networks 1

Design goals All traffic from inside to outside, and vice versa, must pass through the Only authorized traffic as defined by the local security policy will be allowed to pass The itself is immune to penetration Firewall Access Policy A critical component in the planning and implementation of a is specifying a suitable access policy o This lists the types of traffic authorized to pass through the o Includes address ranges, protocols, applications and content types This policy should be developed from the organization s information security risk assessment and policy Should be developed from a broad specification of which traffic types the organization needs to support o Then refined to detail the filter elements which can then be implemented within an appropriate topology Firewall Filter Characteristics Characteristics that a access policy could use to filter traffic include: IP address and protocol values protocol User identity activity This type of filtering is used by packet filter and stateful inspection s Typically used to limit access to specific services This type of filtering is used by an applicationlevel gateway that relays and monitors the exchange of information for specific application protocols Typically for inside users who identify themselves using some form of secure authentication technology Controls access based on considerations such as the time or request, rate of requests, or other activity patterns 2

Defines a single choke point Provides a location for monitoring security events Convenient platform for several functions that are not security related Can serve as the platform for IPSec Cannot protect against attacks bypassing May not protect fully against internal threats Improperly secured wireless LAN can be accessed from outside the organization Laptop, PDA, or portable storage device may be infected outside the corporate network then used internally Internal (protected) network (e.g. enterprise network) Firewall External (untrusted) network (e.g. ) (a) General model End-to-end End-to-end End-to-end End-to-end Transport Transport access access Physical State info Physical (b) Packet filtering (c) Stateful inspection proxy Circuit-level proxy Internal External Internal External Transport Transport Transport Transport access access access access Physical Physical Physical Physical (d) proxy (e) Circuit-level proxy Figure 9.1 Types of Firewalls Packet Filtering Firewall Applies rules to each incoming and outgoing IP packet o Typically a list of rules based on matches in the IP or TCP header o Forwards or discards the packet based on rules match Filtering rules are based on information contained in a network packet Source IP address Destination IP address Source and destination -level address IP protocol field Interface Two default policies: o Discard - prohibit unless expressly permitted More conservative, controlled, visible to users o Forward - permit unless expressly prohibited Easier to manage and use but less secure 3

Packet Filter Advantages And Weaknesses Advantages o Simplicity o Typically transparent to users and are very fast Weaknesses o Cannot prevent attacks that employ application specific vulnerabilities or functions o Limited logging functionality o Do not support advanced user authentication o Vulnerable to attacks on TCP/IP protocol bugs o Improper configuration can lead to breaches Stateful Inspection Firewall Tightens rules for TCP traffic by creating a directory of outbound TCP s There is an entry for each currently established Packet filter allows incoming traffic to high numbered ports only for those packets that fit the profile of one of the entries in this directory Reviews packet information but also records information about TCP s Keeps track of TCP sequence numbers to prevent attacks that depend on the sequence number Inspects data for protocols like FTP, IM and SIPS commands 4

Table 9.2 Example Stateful Firewall Connection State Table -Level Gateway Also called an application proxy Acts as a relay of application-level traffic User contacts gateway using a TCP/IP application User is authenticated Gateway contacts application on remote host and relays TCP segments between and user Must have proxy code for each application May restrict application features supported Tend to be more secure than packet filters Disadvantage is the additional processing overhead on each Circuit level proxy Circuit-Level Gateway Sets up two TCP s, one between itself and a TCP user on an inner host and one on an outside host Relays TCP segments from one to the other without examining contents Security function consists of determining which s will be allowed Typically used when inside users are trusted May use application-level gateway inbound and circuitlevel gateway outbound Lower overheads 5

SOCKS Circuit-Level Gateway SOCKS v5 defined in RFC1928 Designed to provide a framework for client- applications in TCP/UDP domains to conveniently and securely use the services of a network Client application contacts SOCKS, authenticates, sends relay request Server evaluates and either establishes or denies the SOCKS-ified client applications SOCKS client library SOCKS Components Bastion Hosts System identified as a critical strong point in the network s security Serves as a platform for an application-level or circuit-level gateway Common characteristics: Runs secure O/S, only essential services May require user authentication to access proxy or host Each proxy can restrict features, hosts accessed Each proxy is small, simple, checked for security Each proxy is independent, non-privileged Limited disk use, hence read-only code Host-Based Firewalls Used to secure an individual host Available in operating systems or can be provided as an add-on package Filter and restrict packet flows Common location is a Advantages: Filtering rules can be tailored to the host environment Protection is provided independent of topology Provides an additional layer of protection 6

IPSec Header 10/27/2015 Personal Firewall Controls traffic between a personal computer or workstation and the or enterprise network For both home or corporate use Typically is a software module on a personal computer Can be housed in a router that connects all of the home computers to a DSL, cable modem, or other interface Typically much less complex than -based or standalone s Primary role is to deny unauthorized remote access May also monitor outgoing traffic to detect and block worms and malware activity Boundary router Internal DMZ network External Web (s) Email DNS LAN switch Internal protected network Internal and database s LAN switch Workstations Figure 9.2 Example Firewall Configuration User system with IPSec IP IPSec Header Header Secure IP Payload Public () or Private Secure IP Payload IP Header IPSec Header Secure IP Payload Ethernet switch IP Header IP Payload IP Header Ethernet switch IP Header IP Payload Firewall with IPSec Firewall with IPSec Figure 9.3 A VPN Security Scenario 7

Remote users External DMZ network Boundary router Internal DMZ network Web (s) External LAN switch Web (s) Email DNS Internal protected network Internal LAN switch and database s host-resident Workstations Figure 9.4 Example Distributed Firewall Configuration Firewall Topologies Host-resident Screening router Single bastion inline Single bastion T Includes personal software and software on s Single router between internal and external networks with stateless or full packet filtering Single device between an internal and external router Has a third network interface on bastion to a DMZ where externally visible s are placed Double bastion inline DMZ is sandwiched between bastion s Double bastion T Distributed configuration DMZ is on a separate network interface on the bastion Used by large businesses and government organizations Intrusion Prevention Systems (IPS) Also known as Intrusion Detection and Prevention System (IDPS) Is an extension of an IDS that includes the capability to attempt to block or prevent detected malicious activity Can be host-based, network-based, or distributed/hybrid Can use anomaly detection to identify behavior that is not that of legitimate users, or signature/heuristic detection to identify known malicious behavior can block traffic as a does, but makes use of the types of algorithms developed for IDSs to determine when to do so 8

Host-Based IPS (HIPS) Can make use of either signature/heuristic or anomaly detection techniques to identify attacks Signature: focus is on the specific content of application network traffic, or of sequences of system calls, looking for patterns that have been identified as malicious Anomaly: IPS is looking for behavior patterns that indicate malware Examples of the types of malicious behavior addressed by a HIPS include: Modification of system resources Privilege-escalation exploits Buffer-overflow exploits Access to e-mail contact list Directory traversal HIPS Capability can be tailored to the specific platform A set of general purpose tools may be used for a desktop or system Some packages are designed to protect specific types of s, such as Web s and database s In this case the HIPS looks for particular application attacks Can use a sandbox approach Sandboxes are especially suited to mobile code such as Java applets and scripting languages HIPS quarantines such code in an isolated system area then runs the code and monitors its behavior Areas for which a HIPS typically offers desktop protection: System calls File system access System registry settings Host input/output The Role of HIPS Many industry obs see the enterprise endpoint, including desktop and laptop systems, as now the main target for hackers and criminals Thus security vendors are focusing more on developing endpoint security products Traditionally, endpoint security has been provided by a collection of distinct products, such as antivirus, antispyware, antispam, and personal s Approach is an effort to provide an integrated, singleproduct suite of functions Advantages of the integrated HIPS approach are that the various tools work closely together, threat prevention is more comprehensive, and management is easier A prudent approach is to use HIPS as one element in a defense-in-depth strategy that involves network-level devices, such as either s or network-based IPSs 9

-Based IPS (NIPS) Inline NIDS with the authority to modify or discard packets and tear down TCP s Makes use of signature/heuristic detection and anomaly detection May provide flow data protection Requires that the application payload in a sequence of packets be reassembled Methods used to identify malicious packets: Pattern matching Stateful matching Protocol anomaly Traffic anomaly Statistical anomaly Digital Immune System Comprehensive defense against malicious behavior caused by malware Developed by IBM and refined by Symantec Motivation for this development includes the rising threat of -based malware, the increasing speed of its propagation provided by the, and the need to acquire a global view of the situation Success depends on the ability of the malware analysis system to detect new and innovative malware strains Enterprise network Firewall sensor 1. Malware scans or infection attempts Correlation 2. Notifications Passive sensor Honeypot 3. Forward features 1. Malware execution 6. update Remote sensor Sandboxed environment 4. Vulnerability testing and identification Hypothesis testing and analysis 5. Possible fix generation Patch generation Instrumented applications Figure 9.5 Placement of Worm Monitors 10

Snort Inline Enables Snort to function as an intrusion prevention system Includes a replace option which allows the Snort user to modify packets rather than drop them Useful for a honeypot implementation Attackers see the failure but cannot figure out why it occurred Drop Snort rejects a packet based on the options defined in the rule and logs the result Reject Packet is rejected and result is logged and an error message is returned Sdrop Packet is rejected but not logged Raw incoming traffic Routing module VPN module Fir ewall module Antivirus engine IDS engine IPS engine Data analysis engine Web filtering module Heuristic scan engine Anomaly detection Activity inspection engine Logging and reporting module Antispam module VPN module Bandwidth shaping module Clean contr olled traffic Figur e 9.6 Unified Threat Management Appliance (based on [JAME06]) Table 9.3 Sidewinder G2 Security Appliance Attack Protections Summary Transport Level Examples (Table can be found on page 328 in textbook) 11

Table 9.4 Sidewinder G2 Security Appliance Attack Protections Summary - Level Examples (page 1 of 2) (Table can be found on pages 329-330 in textbook) Table 9.4 Sidewinder G2 Security Appliance Attack Protections Summary Level Examples (page 2 of 2) (Table can be found on pages 329-330 In textbook) Summary The need for s Firewall characteristics and access policy Types of s o Packet filtering o Stateful inspection s o -level gateway o Circuit-level gateway Firewall basing o Bastion host o Host-based s o Personal Firewall location and configurations o DMZ networks o Virtual private networks o Distributed s o Firewall locations and topologies Intrusion prevention systems o Host-based IPS o -based IPS o Distributed or hybrid IPS o Snort inline Example: Unified Threat Management Products 12

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information