Network Security: Firewall, VPN, IDS/IPS, SIEM

Similar documents
How To Connect Log Files To A Log File On A Network With A Network Device (Network) On A Computer Or Network (Network Or Network) On Your Network (For A Network)

Firewalls. Outlines: By: Arash Habibi Lashkari July Network Security 06

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

INTRODUCTION TO FIREWALL SECURITY

SIEM FOR BEGINNERS. Or: Everything You Wanted to Know About Log Management But were Afraid to Ask

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

IPv6 Firewalls. ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok. Last updated 17 th May 2016

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Introduction of Intrusion Detection Systems

Firewalls. Ahmad Almulhem March 10, 2012

CMPT 471 Networking II

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewalls. Chapter 3

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Firewall Security. Presented by: Daminda Perera

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

FIREWALL AND NAT Lecture 7a

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Overview. Firewall Security. Perimeter Security Devices. Routers

8. Firewall Design & Implementation

INTRUSION DETECTION SYSTEMS and Network Security

Firewalls, Tunnels, and Network Intrusion Detection

How To Protect Your Network From Attack From Outside From Inside And Outside

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Secure Network Design: Designing a DMZ & VPN

Chapter 9 Firewalls and Intrusion Prevention Systems

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Security Technology: Firewalls and VPNs

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Chapter 15. Firewalls, IDS and IPS

Firewalls. Chien-Chung Shen

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Maruleng Local Municipality

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Lecture 23: Firewalls

Network Security Topologies. Chapter 11

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Cisco PIX vs. Checkpoint Firewall

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

FIREWALLS & CBAC. philip.heimer@hh.se

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

CS155 - Firewalls. Simon Cooper <sc@sgi.com> CS155 Firewalls 22 May 2003

Development of a Network Intrusion Detection System

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Network Defense Tools

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Fuzzy Network Profiling for Intrusion Detection

SonicWALL PCI 1.1 Implementation Guide

Firewalls, IDS and IPS

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Achieving PCI-Compliance through Cyberoam

Firewall Firewall August, 2003

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

Enabling Security Operations with RSA envision. August, 2009

Stateful Inspection Technology

Firewall Environments. Name

Information Technology Policy

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

74% 96 Action Items. Compliance

Cisco Configuring Commonly Used IP ACLs

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

Basics of Internet Security

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Determine if the expectations/goals/strategies of the firewall have been identified and are sound.

Computer Security: Principles and Practice

Chapter 20. Firewalls

FIREWALL POLICY November 2006 TNS POL - 008

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Chapter 8 Security Pt 2

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Bridging the gap between COTS tool alerting and raw data analysis

Firewalls and System Protection

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Fig : Packet Filtering

Performance Evaluation of Intrusion Detection Systems

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Guideline on Auditing and Log Management

Level 3 Public Use. Information Technology. Log/Event Management Guidelines

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Transcription:

Network Security: Firewall, VPN, IDS/IPS, SIEM Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr 1

What is a Firewall? A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer 2

What is a Firewall? A firewall : Acts as a security gateway between two networks Tracks and controls network communications Decides whether to pass, reject, encrypt, or log communications (Access Control) Internet Block Allow traffic Traffic from to Internet Corporate Site 3

Hardware vs. Software Firewalls Hardware Firewalls Protect an entire network Implemented on the router level Usually more expensive, harder to configure Software Firewalls Protect a single computer Usually less expensive, easier to configure 4

Evolution of Firewalls Stateful Inspection Application Proxy Packet Filter Stage of Evolution 5

Packet Filter Packets examined at the network layer Useful first line of defense - commonly deployed on routers Simple accept or reject decision model No awareness of higher protocol layers Applications Presentations Sessions Transport Network Data Link Physical Applications Presentations Sessions Transport Network Data Link Physical Applications Presentations Sessions Transport Network Data Link Physical 6

Packet Filter Simplest of components Uses transport-layer information only IP Source Address, Destination Address Protocol/Next Header (TCP, UDP, ICMP, etc) TCP or UDP source & destination ports TCP Flags (SYN, ACK, FIN, RST, PSH, etc) ICMP message type Examples DNS uses port 53 No incoming port 53 packets except known trusted servers 7

How to Configure a Packet Filter Start with a security policy Specify allowable packets in terms of logical expressions on packet fields Rewrite expressions in syntax supported by your vendor General rules - least privilege All that is not expressly permitted is prohibited If you do not need it, eliminate it 8

Packet Filter Configuration - 1 Every ruleset is followed by an implicit rule reading like this. action src port dest port flags comment block * * * * * default Suppose we want to allow inbound mail (SMTP, port 25) but only to our gateway machine. Also suppose that mail from some particular site SPIGOT is to be blocked. 9

Packet Filter Configuration - 2 action src port dest por t flags comment block SPIGOT * * * * We don t trust these site allow * * OUR-GW 25 * Connection to our SMTP port Example 2: Now suppose that we want to implement the policy any inside host can send mail to the outside. 10

Packet Filter Configuration - 3 action src port dest por t flags comment allow * * * 25 * Connection to outside SMTP port This solution allows calls from any port on an inside machine, and will direct them to port 25 on an outside machine. So why is it wrong? 11

Packet Filter Configuration - 4 Our defined restriction is based solely on the destination s port number. With this rule, an enemy can access any internal machines on port 25 from an outside machine. What can be a better solution? 12

Packet Filter Configuration - 5 action src port dest por t flags comment allow {our hosts} * * 25 * Connection to outside SMTP port allow * 25 * * ACK SMTP replies The first rule restricts that only inside machines can access to outside machines on port 25. In second rule, the ACK signifies that the packet is part of an ongoing conversation. Packets without ACK are connection establishment messages, which are only permited from internal hosts by the first rule. With the second rule, outside hosts can send back packets to inside hosts on port 25. 13

Application Gateway or Proxy Packets examined at the application layer Application/Content filtering possible - prevent FTP put commands, for example Modest performance Scalability limited Applications Presentations Sessions Transport Network Data Link Physical Applications Presentations Sessions Transport Network Data Link Physical Applications Presentations Sessions Transport Network Data Link Physical 14

Stateful Inspection Packets Inspected between data link layer and network layer in the OS kernel State tables are created to maintain connection context Invented by Check Point Applications Applications Presentations Sessions Transport Network Data Link Physical Presentations Sessions Transport Network Data Link Physical Applications Presentations Sessions Transport Network Data Link Physical INSPECT Engine Dynamic State Dynamic Tables State Dynamic Tables State Tables 15

Network Address Translation (NAT) 192.172.1.1-192.172.1.254 Internal IP Addresses Corporate LAN 219.22.165.1 Internet Public IP Address(es) Converts a network s illegal IP addresses to legal or public IP addresses Hides the true addresses of individual hosts, protecting them from attack Allows more devices to be connected to the network 16

Firewall Deployment Corporate Network Gateway Internal Segment Gateway Protect sensitive segments (Finance, HR, Product Development) Provide second layer of defense Ensure protection against internal attacks and misuse Internet Corporate Site Human Resources Network Public Servers Demilitarized Zone (Publicly-accessible servers) Internal Segment Gateway 17

What is a VPN? A VPN is a private connection over an open network A VPN includes authentication and encryption to protect data integrity and confidentiality VPN Internet Acme Corp Acme Site Corp 1 VPN Acme Corp Site 2 18

Types of VPNs Remote Access VPN Provides access to internal corporate network over the Internet Reduces long distance, modem bank, and technical support costs PAP,CHAP,RADIUS Corporate Site Internet 19

Types of VPNs Corporate Site Remote Access VPN Site-to-Site VPN Connects multiple offices over Internet Reduces dependencies on frame relay and leased lines Internet Branch Office 20

Types of VPNs Remote Access VPN Site-to-Site VPN Extranet VPN Provides business partners access to critical information (leads, sales tools, etc) Reduces transaction and operational costs Internet Corporate Site Partner #2 Partner #1 21

Types of VPNs Remote Access VPN Site-to-Site VPN Extranet VPN Client/Server VPN Protects sensitive internal communications LAN clients Database Server Internet LAN clients with sensitive data 22

Overview of IDS/IPS Intrusion A set of actions aimed at compromising the security goals (confidentiality, integrity, availability of a computing/networking resource) Intrusion detection The process of identifying and responding to intrusion activities Intrusion prevention The process of both detecting intrusion activities and managing responsive actions throughout the network. 23

Overview of IDS/IPS Intrusion detection system (IDS) A system that performs automatically the process of intrusion detection. Intrusion prevention system (IPS) A system that has an ambition to both detect intrusions and manage responsive actions. Technically, an IPS contains an IDS and combines it with preventive measures (firewall, antivirus, vulnerability assessment) that are often implemented in hardware. 24

Components of Intrusion Detection System system activities are observable Audit Data Preprocessor Audit Records Detection Models Decision Table Activity Data Detection Engine Alarms Decision Engine Action/Report normal and intrusive activities have distinct evidence 25

Intrusion Detection Approaches Modeling Features: evidences extracted from audit data Analysis approach: piecing the evidences together Misuse detection (a.k.a. signature-based) Anomaly detection (a.k.a. statistical-based) Deployment: Network-based or Host-based Network based: monitor network traffic Host based: monitor computer processes 26

Security Information and Event Management (SIEM) LMS - Log Management System a system that collects and store Log Files (from Operating Systems, Applications, etc) from multiple hosts and systems into a single location, allowing centralized access to logs instead of accessing them from each system individually. SLM /SEM Security Log/Event Management an LMS, but marketed towards security analysts instead of system administrators. SEM is about highlighting log entries as more significant to security than others. SIM Security Information Management - an Asset Management system, but with features to incorporate security information too. Hosts may have vulnerability reports listed in their summaries, Intrusion Detection and AntiVirus alerts may be shown mapped to the systems involved. SEC - Security Event Correlation To a particular piece of software, three failed login attempts to the same user account from three different clients, are just three lines in their logfile. To an analyst, that is a peculiar sequence of events worthy of investigation, and Log Correlation (looking for patterns in log files) is a way to raise alerts when these things happen. SIEM Security Information and Event Management SIEM is the All of the Above option, and as the above technologies become merged into single products, became the generalized term for managing information generated from security controls and infrastructure. We ll use the term SIEM for the rest of this presentation 27

Background on Network Components Router Switch (L2 & L3) Servers (Application, Database, etc.) Firewall Demilitarized Zone (DMZ) Virtual Private Network IPS/IDS 28

Defense in Depth 29

Typical Corporate Environment 30

Log Management Log management (LM) comprises an approach to dealing with large volumes of computer-generated log messages (also known as audit records, audit trails, event-logs, etc.). LM covers log collection, centralized aggregation, long-term retention, log analysis (in real-time and in bulk after storage) as well as log search and reporting. 31

Log Management 32

Log Management Challenges Analyzing Logs for Relevant Security Intelligence Centralizing Log Collection Meeting IT Compliance Requirements Conducting Effective Root Cause Analysis Making Log Data More Meaningful Tracking Suspicious User Behavior 33

Introduction to SIEM The term Security Information Event Management (SIEM), coined by Mark Nicolett and Amrit Williams of Gartner in 2005. Describes the product capabilities of gathering, analyzing and presenting information from network and security devices; identity and access management applications; vulnerability management and policy compliance tools; operating system, database and application logs; and external threat data. Security Information and Event Management (SIEM) is a term for software and products services combining security information management (SIM) and security event manager (SEM). 34

Key Objectives Identify threats and possible breaches Collect audit logs for security and compliance Conduct investigations and provide evidence 35

SIEM vs LM Functionality Security Information and Event Management (SIEM) Log collection Collect security relevant logs + context data Log preprocessing Parsing, normalization, categorization, enrichment Log Management (LM) Collect all logs Indexing, parsing or none Log retention Retail parsed and normalized data Retain raw log data Reporting Security focused reporting Broad use reporting Analysis Alerting and notification Other features Correlation, threat scoring, event prioritization Advanced security focused reporting Incident management, analyst workflow, context analysis, etc. Full text analysis, tagging Simple alerting on all logs High scalability of collection and storage 36

A SIEM Scenario

SIEM Process Flow Data Collection Extract Intelligent Information Add Value Presentation Dashboards & Reports 38

Typical Working of an SIEM Solution 39

SIEM Architecture System Inputs Event Data Operating Systems Applications Devices Databases Contextual Data Vulnerability Scans User Information Asset Information Threat Intelligence Data Collection Normalization SIEM Correlation Logic/Rules Aggregation System Outputs Analysis Reports Real Time Monitoring 40

Typical Features of SIEM 41

Context 42

Adding Context Examples of context Add geo-location information Get information from DNS servers Get User details(full Name, Job Title& Description) Add context aids in identifying Access from foreign locations Suspect data transfer 43

How a Log File is Generated in your Network

The Beauty of Log Correlation Log Correlation is the difference between: 14:10 7/4/20110 User BRoberts Successful Auth to 10.100.52.105 from 10.10.8.22 and An Account belonging to Marketing connected to an Engineering System from an office desktop, on a day when nobody should be in the office

Why is SIEM Necessary? Rise in data breaches due to internal and external threats Attackers are smart and traditional security tools just don t suffice Mitigate sophisticated cyber-attacks Manage increasing volumes of logs from multiple sources Meet stringent compliance requirements 46

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information