Chapter 8 Network Security



Similar documents
FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Chapter 8 Security Pt 2

COSC4377. Chapter 8 roadmap

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

VLAN und MPLS, Firewall und NAT,

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Chapter 6: Network Access Control

Firewall Tutorial. KAIST Dept. of EECS NC Lab.

Chapter 8 Network Security

The International Conference for High Performance Computing, Networking, Storage and Analysis

Firewalls. Ahmad Almulhem March 10, 2012

CS5008: Internet Computing

Network Security in Practice

Network Security - Aecessary Job Description

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Lecture 23: Firewalls

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Overview of Network Security

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

FIREWALLS & CBAC. philip.heimer@hh.se

Firewalls. Chapter 3

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Security Technology White Paper

Introduction of Intrusion Detection Systems

Firewalls, IDS and IPS

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Cryptography and network security

ΕΠΛ 674: Εργαστήριο 5 Firewalls

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

TCP/IP Performance over Wireless Networks

IP Filter/Firewall Setup

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Firewalls. Network Security. Firewalls Defined. Firewalls

Solution of Exercise Sheet 5

Firewall Firewall August, 2003

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Networks: IP and TCP. Internet Protocol

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

FIREWALL AND NAT Lecture 7a

INTRODUCTION TO FIREWALL SECURITY

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

Introduction to Firewalls Open Source Security Tools for Information Technology Professionals

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

1. Firewall Configuration

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Proxy Server, Network Address Translator, Firewall. Proxy Server

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

SonicOS 5.9 / / 6.2 Log Events Reference Guide with Enhanced Logging

Content Distribution Networks (CDN)

CMPT 471 Networking II

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

SonicOS 5.9 One Touch Configuration Guide

CIT 480: Securing Computer Systems. Firewalls

CSCI Firewalls and Packet Filtering

Deployment of Snort IDS in SIP based VoIP environments

Firewall Defaults and Some Basic Rules

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Chapter 9 Firewalls and Intrusion Prevention Systems

Stateful Firewalls. Hank and Foo

Outline (Network Security Challenge)

A S B

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

About Firewall Protection

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Chapter 11 Cloud Application Development

Firewall. User Manual

Internet Ideal: Simple Network Model

Denial of Service Attacks

What is a DoS attack?

Chapter 15. Firewalls, IDS and IPS

CIT 480: Securing Computer Systems. Firewalls

Firewalls. configuring a sophisticated GNU/Linux firewall involves understanding

Post-Class Quiz: Telecommunication & Network Security Domain

Lectures 1 and 2 INFS 766/INFT 865. Internet Security Protocols. Lectures 1 and 2 Firewalls and Their Limitations. Prof. Ravi Sandhu REFERENCE BOOKS

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Cisco Configuring Commonly Used IP ACLs

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Protecting and controlling Virtual LANs by Linux router-firewall

Chapter 4 Firewall Protection and Content Filtering

Security vulnerabilities in the Internet and possible solutions

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Packet filtering and other firewall functions

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Computer Security: Principles and Practice

DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE

Networking for Caribbean Development

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Transcription:

[Computer networking, 5 th ed., Kurose] Chapter 8 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 84Securing 8.4 e-mail 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7 Securing wireless LANs 8.8 Operational security: firewalls and IDS 38 Firewalls firewall isolates organization s internal net from larger Internet, ing some packets to pass, blocking others. administered network public Internet firewall 39

Firewalls: Why prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no res left for real connections prevent illegal modification/access of internal data. e.g., attacker replaces CIA s homepage with something else only authorized access to inside network (set of authenticated users/hosts) three types of firewalls: stateless t packet filters stateful packet filters application gateways 40 Stateless packet filtering Should arriving packet be ed in? Departing packet let out? mwc internal network connected to Internet via router firewall router filters packet-by-packet, decision to forward/drop packet based on: IP, ination IP TCP/UDP and ination numbers ICMP message type TCP flag bits: SYN, ACK bits 41

Stateless packet filtering: example example 1: block incoming and outgoing g datagrams with IP protocol field = 17 and with either or = 23. all incoming, outgoing UDP flows and telnet connections are blocked. example 2: Block inbound TCP segments with ACK=0. prevents external clients from making TCP connections with internal clients, but s internal clients to connect to outside. 42 Stateless packet filtering: more examples Policy No outside Web access. No incoming TCP connections, except those for institution s public Web server only. Prevent Web-radios from eating up the available bandwidth. Prevent your network from being used for a smurf DoS attack. Prevent your network from being tracerouted Firewall Setting Drop all outgoing packets to any IP, 80 Drop all incoming TCP SYN packets to any IP except 130.207.244.203, 80 Drop all incoming UDP packets - except DNS and router broadcasts. Drop all ICMP packets going to a broadcast (eg 130.207.255.255). Drop all outgoing ICMP TTL expired traffic 43

Access Control Lists ACL: table of rules, applied top to bottom to incoming packets: (action, condition) pairs action 22/16 protocol flag bit TCP > 1023 80 any TCP 80 > 1023 ACK UDP > 1023 53 --- 22/16 UDP 53 > 1023 ---- deny all all all all all all 44 Stateful packet filtering stateless packet filter: heavy-handed tool admits packets that make no sense, e.g., = 80, ACK bit set, even though no TCP connection established: action protocol flag bit TCP 80 > 1023 ACK stateful packet filter: track status of every TCP connection track connection setup (SYN), teardown (FIN): can determine whether incoming, i outgoing packets makes sense timeout inactive connections at firewall: no longer admit packets 45

Stateful packet filtering ACL augmented to indicate need to check connection state table before admitting packet action 22/16 proto TCP > 1023 80 flag bit any check conxion TCP 80 > 1023 ACK x UDP > 1023 53 --- UDP 53 > 1023 ---- x deny all all all all all all 46 Application gateways filters packets on application data as well as on IP/TCP/UDP fields. example: select internal users to telnet outside. host-to-gateway telnet session application gateway gateway-to-remote to host telnet session router and filter Firewall consisting of an app. gateway and a filter 1. require all telnet users to telnet through gateway. 2. for authorized users, gateway sets up telnet connection to host. Gateway relays data between 2 connections 3. router filter blocks all telnet connections not originating from gateway. 47

Limitations of firewalls and gateways IP spoofing: router can t know if data really comes from claimed if multiple app s. need special treatment, each has own app. gateway. client software must know how to contact gateway. e.g., must set IP of proxy in Web browser filters often use all or nothing policy for UDP. tradeoff: degree of communication with outside world, level of security many highly protected sites still suffer from attacks. 48 Intrusion detection systems packet filtering: operates on TCP/IP headers only no correlation check among sessions IDS: intrusion detection system deep packet inspection: look at packet contents (e.g., check character strings in packet against database of known virus, attack strings) s) examine correlation among multiple packets scanning network mapping DoS attack TCP stack scan 49

Intrusion detection systems multiple IDSs may be used: different types of checking at different locations internal network application gateway firewall Internet high-security region IDS sensors Web server FTP server lower-security region DNS server demilitarized zone 50 Intrusion detection systems mwc signature-based IDS: compares each sniffed packet with the signatures in database requires previous knowledge of the attack blind to new attacks every packet must be compared with an extensive collection of signatures anomaly-based IDS: creates a traffic profile as it observes traffic in normal operation. looks for packet streams that are statistically unusual e.g., inordinate percentage of ICMP packets, sudden exponential growth in scans and ping sweeps. challenging g problem to distinguish between normal traffic and statistically unusual traffic 51

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information