Firewalls and intrusion detection systems



Similar documents
CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Introduction of Intrusion Detection Systems

Chapter 9 Firewalls and Intrusion Prevention Systems

NETWORK SECURITY (W/LAB) Course Syllabus

INTRODUCTION TO FIREWALL SECURITY

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Firewalls and Intrusion Detection

Firewalls. Ahmad Almulhem March 10, 2012

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Security threats and network. Software firewall. Hardware firewall. Firewalls

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Computer Security: Principles and Practice

Securizarea Calculatoarelor și a Rețelelor 13. Implementarea tehnologiei firewall CBAC pentru protejarea rețelei

Computer Security DD2395

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Security Technology: Firewalls and VPNs

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

Firewalls, Tunnels, and Network Intrusion Detection

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

What would you like to protect?

Overview. Firewall Security. Perimeter Security Devices. Routers

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Firewalls P+S Linux Router & Firewall 2013

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010

IPv6 Firewalls. ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok. Last updated 17 th May 2016

INTRUSION DETECTION SYSTEMS and Network Security

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Intrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com

Computer Security DD2395

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

ΕΠΛ 674: Εργαστήριο 5 Firewalls

PROFESSIONAL SECURITY SYSTEMS

FIREWALLS & CBAC. philip.heimer@hh.se

Firewall Cracking and Security By: Lukasz Majowicz Dr. Stefan Robila 12/15/08

Intrusion Detection Systems

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

How To Protect Your Network From Attack

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

74% 96 Action Items. Compliance

Securing end devices

Firewalls and System Protection

CSCI 4250/6250 Fall 2015 Computer and Networks Security

A Survey of IP Traceback Mechanisms to overcome Denial-of-Service Attacks

Ficha técnica de curso Código: IFCAD111

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Internet Security Firewalls

Lecture 23: Firewalls

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

8. Firewall Design & Implementation

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Agenda. Understanding of Firewall s definition and Categorization. Understanding of Firewall s Deployment Architectures

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

How To Protect Your Network From Attack From Outside From Inside And Outside

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Firewalls. Chapter 3

VPN Lesson 2: VPN Implementation. Summary

IDS / IPS. James E. Thiel S.W.A.T.

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

CS5008: Internet Computing

Networking for Caribbean Development

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

Network Security and Firewall 1

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Network Defense Tools

BlackRidge Technology Transport Access Control: Overview

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

Firewalls & Intrusion Detection

NEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

March

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

CSCI Firewalls and Packet Filtering

CMPT 471 Networking II

VPN. Date: 4/15/2004 By: Heena Patel

Firewalls. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Firewalls. Characteristics.

Firewalls. Contents. ITS335: IT Security. Firewall Characteristics. Types of Firewalls. Firewall Locations. Summary

Architecture Overview

Transcription:

Firewalls and intrusion detection systems Markus Peuhkuri 2005-03-22 Lecture topics Firewalls Security model with firewalls Intrusion detection systems Intrusion prevention systems How to prevent and detect attacks What is a firewall Divides network into two (or more) parts with different security policy internal network engineering accounting: the other network must not be less secure that the other one. They just have different security policies or different assets to protect. internal network public servers building automation VoIP surveillance system Enforces security policy allowed traffic prohibited traffic Refer to IPsec security policy database (SPD): traffic is bypassed, discarded, or bypassed as protected. May have additional roles, such as VPN endpoint Firewall types Packet-filtering makes decision based only packet fields router ACL (access control list) TCP implicit state: for example to disallow incoming connections, firewall will drop any packet that has SYN flag set but no ACK and allows any packet with SYN+ACK. difficult with UDP, also some other TCP-based protocols such as FTP in active mode, where server establishes connection to client. Stateful keeps track on connections maintains connection state single point of failure has to have some timeout mechanism as the state space is limited. Some attacks may exhaust state space. random disconnections 1

possible to accept related connections: for some protocols this needs application gateway. Application gateway interpret connection on application level checks if application traffic is valid protects from simple port changes may provide payload inspection to detect malicious payload proxy servers call-out in-line (transparent) Address-translation between internal numbering and external addresses using NAPT provides same as prohibiting incoming TCP internal topology can be hidden Host-based or software firewalls add on application security completes application security and access control possibly user- and application-level control Hybrid use combination of different types for performance check start of connection with application gateway, switch to stateful filtering better performance as bulk of traffic is handled by fast path. Firewall topologies private network bastion host server bastion host DMZ modem / WLAN server bastion host server Building firewall rules Defining default policy everything not prohibited is allowed router ACL enumerate vulnerable services and protect them everything not allowed is prohibited enumerate needed and safe services and allow them both policies need continuous updating There should be one rule for one packet multiple overlapping rules 2

order of rules matters performance issues: hardware-based routers/firewalls can handle certain number of rules without significant performance penalty. For software-based firewalls order of rules does matter. Possibility to oversight High-level languages not solution Deploying multiple firewalls Helps to limit the impact of attack Protection by diversity on other hand, multiple systems to update Designing rules even more complicated What firewall protects and what not Protects from known, vulnerable protocols static network configuration Does not protect for / from executable/active content malicious insider loopholes: modems, WLAN, mobile networks carry-in attacks such as notebooks, mass storage new attacks most DoS attacks May result hard perimeter, mellow inside failure to update internal systems selecting insecure protocols and applications Security in organisation 3

How secure are firewalls Common Vulnerabilities and Exposures: 110 matches on firewall Check Point FireWall-1 34 entries Cisco 13 entries Juniper 1 entry Linux 6 Symantec 17 WatchGuard 11 entries More features (VPN, virus checks, QoS protection) more code more bugs more vulnerabilities Intrusion Detection Systems How to make sure that firewall is not leaking How to detect internal attacks IDS is designed to detect, identify, and report malicious activity IDS can be located different places application host network Application and host IDS Application instrumented to identify abnormal actions high level of abstraction user actions monitored policy violations application log analysis access to encrypted data may not protect application flaws Host instrumented reference monitor actions by user and application host log analysis Log analysis best on separate host provides after-the-fact analysis vulnerable to network attacks 4

Network IDS Monitors traffic best done with signal splitters Large volume of data low level of abstraction encrypted traffic problematic Mostly misuse detection recorded patterns of misuse (signatures) frequent updates (like virus scanners) alert tcp $EXTERNAL_NET any -> $HOME_NET 22 ( msg:"exploit ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; ) Anomaly detection detecting differences to normal threshold detection statistical profile rule-based detection learning system Large number of alerts 3700 alerts from corporate network per day 48 should be studied in detail 2 warrant an action IDS in large network One should monitor every link very expensive Select important links full census on those Do random sampling on other links if one samples every 512th packet not a big increase in traffic large problems notified immediately Honeypots A false system similar to production system all access illegal any accessing is potential intruder Used as part of IDS a connection results monitoring How to keep attacker from telling difference from real system should be not too weak should have real data and traffic if virtual host, should not be visible 5

IDS reaction too slow IDS identifies attack analysis may not be real-time corrective actions may take time Epidemic security problem may be instant [4] System can be scanned, attacked, and compromised in a minute or less Need for automation Intrusion Prevention Systems (IPS) IDS with automatic response Suffers from large number of false alerts A firewall with automatic ACL update Virus scanners are host-based IPS Still at early stages does not stop vendors from marketing... Traffic traceback Problem: where incoming attack traffic originates Source IP cannot be trusted sender can put it to any address ingress filtering not deployed universally Should not need additional hardware or load on routers Scalability problems, few proposals [1, 2, 3] Security in Ad-hoc networks Ad-hoc networks interesting topic self-building topology extending network coverage Must rely on other hosts no central authority, block lists no trusted core network routing done by devices Public key-based per-packet authentication too heavy modern PC throughput few ten kbit/s How to communicate trustfulness? 6

Challenges in All-IP world Large number of non-technical users the --:-- generation rightful ignorance: I want to watch movies fixing security problems does not match to my idea of relaxing. Service provider responsibility Multi-vendor environment Summary Firewall and IDS are good tools Must know their limitations Future challenges accurate detection of malicious activity security in ubiquitous computing trust in autonomous systems Easter holiday 2005-03-29, no lecture References [1] Stefan Savage, David Wetherall, Anna Karlin, and Tom Anderson. Practical network support for IP traceback. In Proceedings of the 2000 ACM SIGCOMM Conference, August 2000. An early version of the paper appeared as techreport UW-CSE-00-02-01 available at: http://www.cs.washington.edu/homes/savage/traceback.html. [2] Alex C. Snoeren, Craig Partridge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Stephen T. Kent, and W. Timothy Strayer. Hash-Based IP traceback. In Roch Guerin, editor, Proceedings of the ACM SIGCOMM 2001 Conference (SIGCOMM-01), volume 31, 4 of Computer Communication Review, pages 3 14, New York, August 27 31 2001. ACM Press. [3] Alex C. Snoeren, Craig Partridge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Beverly Schwartz, Stephen T. Kent, and W. Timothy Strayer. Single-packet ip traceback. IEEE/ACM Trans. Netw., 10(6):721 734, 2002. [4] Stuart Staniford, Vern Paxson, and Nicholas Weaver. How to 0wn the internet in your spare time. In Proceedings of the 11th USENIX Security Symposium (Security 02). To be appear. URL:http://www.cs.berkeley.edu/~nweaver/cdc.web/. 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information