Chapter 31 Network Security

Similar documents
Network Security. Raj Jain. The Ohio State University. Columbus, OH Raj Jain 31-1

Virtual Private Networks

12. Firewalls Content

Network Security Concepts: Review

How To Protect Your Network From Attack

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Internet Security Firewalls

Security in Computer Networks

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Internet Security Firewalls

Distributed Systems. Firewalls: Defending the Network. Paul Krzyzanowski

CMPT 471 Networking II

Chapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

Cornerstones of Security

Firewall Design Principles Firewall Characteristics Types of Firewalls

Chapter 32 Internet Security

Firewalls and System Protection

CIT 480: Securing Computer Systems. Firewalls

Security vulnerabilities in the Internet and possible solutions

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

ICTTEN8195B Evaluate and apply network security

Cryptography and network security CNET4523

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Department of Computer & Information Sciences. CSCI-445: Computer and Network Security Syllabus

Proxy Server, Network Address Translator, Firewall. Proxy Server

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

What would you like to protect?

CIT 480: Securing Computer Systems. Firewalls

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Protocol Specification & Design. The Internet and its Protocols. Course Outline (trivia) Introduction to the Subject Teaching Methods

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

Security Technology: Firewalls and VPNs

Packet filtering and other firewall functions

Network Security Topologies. Chapter 11

NETWORK ADMINISTRATION AND SECURITY

Network Security. Internet Firewalls. Chapter 13. Network Security (WS 2002): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

z/os Firewall Technology Overview

How To Protect Your Data From Attack

21.4 Network Address Translation (NAT) NAT concept

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Intranet, Extranet, Firewall

Internet infrastructure. Prof. dr. ir. André Mariën

ΕΠΛ 674: Εργαστήριο 5 Firewalls

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli

Part III-b. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Chapter 10. Network Security

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

Introduction to Computer Security

NETWORK SECURITY. Farooq Ashraf. Department of Computer Engineering King Fahd University of Petroleum and Minerals Dhahran 31261, Saudi Arabia

Firewalls. Ahmad Almulhem March 10, 2012

Raptor Firewall Products

SOFTWARE ENGINEERING 4C03. Computer Networks & Computer Security. Network Firewall

NETWORK SECURITY (W/LAB) Course Syllabus

Measurement of the Usage of Several Secure Internet Protocols from Internet Traces

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Internet Firewalls and Security. A Technology Overview

Firewalls CSCI 454/554

CSCI Firewalls and Packet Filtering

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

IP Security. Ola Flygt Växjö University, Sweden

Firewalls. Mahalingam Ramkumar

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶

ABSTRACT CHAPTER I. Preliminary Background

Introduction to Computer Security

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Chapter 12 Supporting Network Address Translation (NAT)

Network Security. Chapter 13. Internet Firewalls. Network Security (WS 07/08): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Network Security. by David G. Messerschmitt. Secure and Insecure Authentication. Security Flaws in Public Servers. Firewalls and Packet Filtering

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT

IPV6 vs. SSL comparing Apples with Oranges

Lecture 23: Firewalls

Compter Networks Chapter 9: Network Security

CS155 - Firewalls. Simon Cooper <sc@sgi.com> CS155 Firewalls 22 May 2003

Computer Security: Principles and Practice

Steelcape Product Overview and Functional Description

1. Cyber Security. White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network

Firewalls and Virtual Private Networks

Chapter 20. Firewalls

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Computer Security DD2395

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

CS5008: Internet Computing

Guideline on Firewall

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Michal Ludvig, SUSE Labs, 01/30/2004, Secure networking, 1

Network Security and Firewall 1

Transcription:

Chapter 31 Network Security Columbus, OH 43210 Jain@CIS.Ohio-State.Edu http://www.cis.ohio-state.edu/~jain/ 31-1

Overview Security Aspects Secret Key and Public Key Encryption Firewalls: Packet Filter, Bastion Host, Perimeter Nets Variations of firewalls Proxy servers 31-2

Security Aspects Data Integrity: Received = sent? Data Availability: Legal users should be able to use. Ping continuously No useful work gets done. Data Confidentiality and Privacy: No snooping or wiretapping Authentication: You are who you say you are. A student at Dartmouth posing as a professor canceled the exam. Authorization = Access Control: Only authorized users get to the data 31-3

Secret Key Encryption Encrypted_Message = Encrypt(Key, Message) Message = Decrypt(Key, Encrypted_Message) Example: Encrypt = division 433 = 48 R 1 (using divisor of 9) Text Ciphertext Key Ciphertext Text 31-4

Public Key Encryption Invented in 1975 by Diffie and Hellman Encrypted_Message = Encrypt(Key1, Message) Message = Decrypt(Key2, Encrypted_Message) Key1 Text Ciphertext Key2 Ciphertext Text 31-5

Public Key Encryption: Example RSA: Encrypted_Message = m 3 mod 187 Message = Encrypted_Message 107 mod 187 Key1 = <3,187>, Key2 = <107,187> Message = 5 Encrypted Message = 5 3 = 125 Message = 125 107 mod 187 = 125 (64+32+8+2+1) mod 187 = (125 64 mod 187)(125 32 mod 187)... (125 2 mod 187)(125) = 5 31-6

Public Key (Cont) One key is private and the other is public Message = Decrypt(Public_Key, Encrypt(Private_Key, Message)) Message = Decrypt(Private_Key, Encrypt(Public_Key, Message)) 31-7

Digital Signature Encrypted_Message = Encrypt(Private_Key, Message) Message = Decrypt(Public_Key, Encrypted_Message) Authentic Private Key Text Signed text Public Key Signed text Text 31-8

User 1 to User 2: Confidentiality Encrypted_Message = Encrypt(Public_Key2, Encrypt(Private_Key1, Message)) Message = Decrypt(Public_Key1, Decrypt(Private_Key2, Encrypted_Message) Authentic and Private Your Public Key My Private Key Message 31-9

Simple Firewall: Packet Filter Internet Internal net Example: Only email gets in/out ftp to/from nodes x, y, z, etc. Problem: Filter is accessible to outside world 31-10

Filter Table: Example Interface Source Dest Prot. Src Port Dest Port 2 * * TCP * 21 2 * * TCP * 23 1 128.5.*.* * TCP * 25 2 * * UDP * 43 2 * * UDP * 69 2 * * TCP * 79 31-11

Bastion Host Internet R1 Bastion Host R2 Internal net Bastions overlook critical areas of defense, usually having stronger walls Inside users need a mechanism to get outside services Inside users log on the Bastion Host and use outside services. Later they pull the results inside. 31-12

Bastion Host (Cont) Perimeter Network: Outside snoopers cannot see internal traffic even if they break in the firewall (Router 2) Also known as "Stub network" 31-13

Screened Host Architecture Internet Firewall Bastion Host Router Internal Net 31-14

Screened subnet Architecture Internet Bastion Host Exterior Router Interior Router Firewall Perimeter Network Internal Net 31-15

Multiple Bastion Hosts Internet FTP Bastion Host Exterior Router Interior Router SMTP/DNS Bastion Host Firewall Perimeter Network Internal Net 31-16

Merged Interior and Exterior Routers Internet FTP Bastion Host Firewall Exterior Router Perimeter Network Internal Net 31-17

Merged Bastion Host and Exterior Router Also known as a dual-homed gateway Internet Firewall Bastion Host/ Exterior Router Interior Router Perimeter Network Internal Net 31-18

Dual-Homed Host Architecture Internet Firewall Dual-Homed Host Internal Net 31-19

Merged Bastion Host and Interior Router (Not Recommended) Internet Firewall Exterior Router Bastion Host/ Interior Router Perimeter Network Internal Net 31-20

Multiple Interior Routers Internet Bastion Host Interior Router Exterior Router Firewall Perimeter Network Interior Router Internal Net 31-21

Multiple Internal Networks Internet Bastion Host Exterior Router Interior Router Firewall Perimeter Network Internal Nets 31-22

Multiple Internal Networks with a Bastion Host Backbone Internet Exterior Router Interior Router Firewall Perimeter Network Router Backbone Router Internal Nets 31-23

Multiple Exterior Routers Internet Supplier Network Bastion Host Exterior Router Exterior Router Firewall Interior Router Perimeter Network Internal Net 31-24

Multiple Perimeter Networks Internet Firewall Bastion Host Exterior Router Supplier Network Firewall Exterior Router Bastion Host Perimeter Net Interior Router Interior Router Internal Net 31-25

Proxy Client Proxy Server Proxy Servers Dual- Homed Host Specialized server programs on bastion host Take user's request and forward them to real servers Take server's responses and forward them to users Enforce site security policy May refuse certain requests. Also known as application-level gateways With special "Proxy client" programs, proxy servers are almost transparent 31-26 Internet Real Server

What Firewalls Can't Do Can't protect against malicious insiders Can't protect against connections that do not go through it, e.g., dial up Can't protect completely new threats Can't protect against viruses 31-27

Security Mechanisms on The Internet Kerberos Privacy Enhanced Mail (PEM) Pretty Good Privacy (PGP) MD5 31-28

Summary Integrity, Availability, Authentication, Confidentiality Private Key and Public Key encryption Packet filter, Bastion node, perimeter network, internal and external routers 31-29

Read Chapter 31 Homework Submit answer to Exercise 31.3 31-30

References D. B. Chapman and E. D. Zwicky, Building Internet Firewalls, O Reilly & Associates, 1995 D. E. Comer, Internetworking with TCP/IP, Vol. 1, 3rd Ed, Prentice Hall, 1995, Chapter 28. C. Kaufman, R. Perlman, M. Speciner, Network Security, Prentice-Hall, 1995. Coast Security Project at Purdue University http://www.cs.purdue.edu/coast/coast.html 31-31

Security: RFCs [RFC1848] S. Crocker, N. Freed, J. Galvin, S. Murphy, "MIME Object Security Services", 10/03/1995, 48 pages. [RFC1847] J. Galvin, S. Murphy, S. Crocker, N. Freed, "Security Multiparts for MIME: Multipart/Signed and Multipart/Encrypted", 10/03/1995, 11 pages. [RFC1108] S. Kent, "U.S. Department of Defense Security Options for the Internet Protocol", 11/27/1991, 17 pages. [RFC1244] P. Holbrook, J. Reynolds, "Site Security Handbook", 07/23/1991, 101 pages. (FYI 8) [RFC1352] J. Davin, J. Galvin, K. McCloghrie, "SNMP Security Protocols", 07/06/1992, 41 pages. [RFC1446] J. Galvin, K. McCloghrie, "Security Protocols for version 2 of the Simple Network Management Protocol (SNMPv2)", 05/03/1993, 51 pages. 31-32

[RFC1455] D. Eastlake, III, "Physical Link Security Type of Service", 05/26/1993, 6 pages. [RFC1457] R. Housley, "Security Label Framework for the Internet", 05/26/1993, 14 pages. [RFC1472] F. Kastenholz, "The Definitions of Managed Objects for the Security Protocols of the Point-to-Point Protocol", 06/08/1993, 11 pages. [RFC1507] C. Kaufman, "DASS - Distributed Authentication Security Service", 09/10/1993, 119 pages. [RFC1509] J. Wray, "Generic Security Service API : C-bindings", 09/10/1993, 48 pages. [RFC1535] E. Gavron, "A Security Problem and Proposed Correction With Widely Deployed DNS Software", 10/06/1993, 5 pages. [RFC1636] I. Architecture Board, R. Braden, D. Clark, S. Crocker, C. Huitema, "Report of IAB Workshop on Security in the Internet Architecture - February 8-10, 1994", 06/09/1994, 52 pages. [RFC1675] S. Bellovin, "Security Concerns for IPng", 08/08/1994, 4 pages. [RFC1750] D. Eastlake, S. Crocker, J. Schiller, "Randomness Recommendations for Security", 12/29/1994, 25 pages. 31-33

[RFC1824] H. Danisch, "The Exponential Security System TESS: An Identity-Based Cryptographic Protocol for Authenticated Key-Exchange (E.I.S.S.-Report 1995/4)", 08/11/1995, 21 pages. [RFC1825] R. Atkinson, "Security Architecture for the Internet Protocol", 08/09/1995, 22 pages. [RFC1827] R. Atkinson, "IP Encapsulating Security Payload (ESP)", 08/09/1995, 12 pages. [RFC1858] P. Ziemba, D. Reed, P. Traina, "Security Considerations for IP Fragment Filtering", 10/25/1995, 10 pages. [RFC1910] G. Waters, "User-based Security Model for SNMPv2", 02/28/1996, 44 pages. [RFC2015] M. Elkins, "MIME Security with Pretty Good Privacy (PGP)", 10/14/1996, 8 pages. [RFC2065] D. Eastlake, C. Kaufman, "Domain Name System Security Extensions", 01/03/1997, 41 pages. (Updates RFC1034) [RFC2078] J. Linn, "Generic Security Service Application Program Interface, Version 2", 01/10/1997, 85 pages. 31-34

[RFC2084] G. Bossert, S. Cooper, W. Drummond, "Considerations for Web Transaction Security", 01/22/1997, 6 pages. 31-35

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information