How To Protect Your Network From Attack


Department of Computer Science, Institute for System Architecture, Chair for Computer Networks
Internet Services & Protocols: Internet (In)Security
Dr.-Ing. Stephan Groß, Room: INF 3099, E-Mail: stephan.gross@tu-dresden.de

Why is security crucial for the Internet?
- Internet = network of networks
- Wide-spread use of the Internet for the transport of sensitive information, e.g. online banking, e-commerce, e-government
- Problem: the Internet's roots lie in the academic world and the free exchange of information
  - If at all, security was only a secondary design goal
  - The basic Internet protocols suffer from severe security holes

Today's Agenda
- What is to be protected? Protection goals
- Against what to protect? Threats and fundamental problems of the Internet
- How to protect? Firewalls, Virtual Private Networks (VPN), secure e-mail, intrusion detection

Basic Protection Goals
- Confidentiality: information is only known to entitled users.
- Integrity (data integrity): information is correct, complete and up to date, or the fact that it is not is recognizable.
- Authenticity: the quality or condition of being authentic, trustworthy, or genuine.
- Availability: information is accessible where and when it is used by entitled users.

Security Threats against IP Networks
- Address spoofing: attacks authenticity, integrity and availability
  - Attacker sends IP packets with a forged source address
  - Problem: no authentication of IP addresses
  - Objective: impersonation, denial of service, circumventing access control
- Sniffing: attacks confidentiality
  - Everyone within a subnet can listen to the whole network communication
- Routing attacks: attack confidentiality and availability
  - Loose Source Routing to specify a packet's route

Fundamental Security Problems in IP (or at least IPv4)
- Authentication based on IP addresses
- No protection of integrity
- No protection of confidentiality
- No protection against malicious attacks against availability
IPv4 alone is by no means usable for security-critical applications!

One goal, several defence lines
  Application layer    Proxies & secure applications; secure programming, OS security
  Transport layer      SSL/TLS
  Network layer        IPSec, packet filter
  Link layer
  Physical layer
The assumptions made imply the weakest link!

One goal, several ways of defence
- Prevention: do not allow an attacker to succeed! E.g. confidentiality cannot be restored!
- Monitoring: security is not a tool but a process! How well is your protection performing?
- Reaction: recover from an attack; respond to an attack

Exemplary approaches for protecting your networks
- Prevention: firewalls, Virtual Private Networks, secure e-mail
- Monitoring: intrusion detection systems

Firewall: What is an Internet Firewall?
- Restricts people to entering at a carefully controlled point
- Restricts people to leaving at a carefully controlled point
- A firewall is a component or set of components that restricts access between a protected network and the Internet, or between other sets of networks.

Firewall: What Can a Firewall Do?
- A firewall is a focus for security decisions
- A firewall can enforce security policy
- A firewall can log Internet activity
- A firewall limits your exposure
What a Firewall Can't Do:
- A firewall can't protect against malicious insiders
- A firewall can't protect against connections that don't go through it
- A firewall can't protect against completely new threats
- A firewall can't protect against viruses

Some Firewall Definitions
- Bastion host: a computer system that must be highly secured because it is exposed to the Internet and thus vulnerable to attack.
- Dual-homed host: a general-purpose computer system that has at least two network interfaces (or "homes").
- Perimeter network: a network added between a protected network and an external network, in order to provide an additional layer of security. A perimeter network is sometimes called a DMZ, which stands for De-Militarized Zone.
- Packet filtering: the action a device takes to selectively control the flow of data to and from a network. Packet filters allow or block packets, usually while routing them from one network to another (most often from the Internet to an internal network, and vice versa).
- Proxy server: a program that deals with external servers on behalf of internal clients.

Packet Filtering
- Filtering is based on IP header information
- Pros and cons:
  - Cheap and easy
  - Depends on the authenticity and integrity of the IP header, which IP itself does not guarantee
  - Stateless filtering versus dynamically assigned port numbers (FTP, H.323, ...)
  - Severe performance issues of dynamic filtering

Proxy Services
- Also known as application-level gateways
- Control application-level data flows
- Pros and cons:
  - Intrusion detection using stateful inspection
  - Accounting
  - Performance issues
  - Dedicated proxy for each service

Firewall Architectures
- Dual-homed host
  - Isolating network segments (no routing/forwarding)
  - Based on a bastion host (proxy + packet filter)
  - Scalability issues and single point of failure
- Screened host
  - Bastion host connected to the internal network
  - Additional packet filter (critical component)
  - Circumvent the proxy for specific applications: more flexibility (but also more risks)

Firewall Architectures (continued)
- Screened subnet
  - Today's state of the art
  - Additional network segment for exposed systems, isolated from both the internal and the external network
  - Hides the internal network structure from external view
  - Circumvent the proxy for specific applications, but do not allow access to the interior from the exterior network
  - Good balance between flexibility and security
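As an added example (not from the lecture), the screened-subnet policy from this slide and the header-based packet filtering from the earlier slide expressed as a stateless filter in Python, including an ingress check against the address spoofing described under "Security Threats". The address ranges, interface names, exposed ports and the Packet structure are constructed assumptions.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed address plan for the screened subnet (assumption, not from the slides).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # interior network
DMZ = ipaddress.ip_network("192.0.2.0/24")        # perimeter network (DMZ)
EXPOSED_DMZ_PORTS = {80, 443}                     # services the DMZ offers outside

@dataclass(frozen=True)
class Packet:
    iface: str      # interface it arrived on: "ext", "dmz" or "int"
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    syn_only: bool  # TCP SYN without ACK, i.e. a connection-opening segment

def zone(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    return "int" if ip in INTERNAL else "dmz" if ip in DMZ else "ext"

def filter_packet(p: Packet) -> tuple[str, str]:
    """Stateless screened-subnet policy; the verdict uses header fields only."""
    # Ingress check against address spoofing: the source address must belong
    # to the zone attached to the interface the packet arrived on.
    if zone(p.src) != p.iface:
        return "drop", "spoofed source address"
    s, d = p.iface, zone(p.dst)
    if s == "ext" and d == "int":
        return "drop", "exterior must never reach the interior"
    if s == "ext" and d == "dmz":
        if p.syn_only:
            if p.proto == "tcp" and p.dport in EXPOSED_DMZ_PORTS:
                return "accept", "connection to an exposed DMZ service"
            return "drop", "DMZ service not exposed"
        # A stateless filter cannot tell a genuine reply from an unsolicited
        # non-SYN segment, so it has to let these through: the limitation
        # that dynamic (stateful) filtering removes at a performance cost.
        return "accept", "non-SYN segment, assumed reply"
    if s == "dmz" and d == "int" and p.syn_only:
        return "drop", "DMZ host must not open connections into the interior"
    if s in ("int", "dmz"):
        return "accept", "initiated from inside or a reply"
    return "drop", "default deny"

if __name__ == "__main__":
    for pkt in (Packet("ext", "203.0.113.7", "192.0.2.10", "tcp", 80, True),
                Packet("ext", "10.1.2.3", "192.0.2.10", "tcp", 80, True),
                Packet("dmz", "192.0.2.10", "10.1.2.3", "tcp", 445, True)):
        print(pkt.iface, pkt.src, "->", pkt.dst, filter_packet(pkt))
```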

Problems with Firewalls
- Complexity: expert knowledge necessary for the definition of security policies, configuration and administration
- Open standard ports, e.g. 80: increasing dissemination of web services
- Tunnelling
- Mobile devices
- Multimedia applications

Virtual Private Networks (VPNs)
Network infrastructure to transparently connect private networks over a public transport network like the Internet

VPN Characteristics
- Interconnection of (physically) secured private networks using tunnelling techniques
  - Company headquarters and branch office
  - Business partners
  - Mobile worker
  - Telecommuter
- Extends geographic connectivity
- Connection completely transparent for the end user
  - Appears to be a separate physical network, but is not
  - VPN maintains addressing and routing
  - VPN has to enforce local security restrictions
- Reduces operational costs versus traditional WAN and RAS
- Shows a good economy of scale

Types of VPNs
- Site-to-site: connecting two local networks
  - VPN gateway (aka concentrator)
- Site-to-end: connecting a single host with a local network
  - VPN client software connecting to a VPN gateway
  - Also used to secure WLAN
- Secure VPNs use cryptographic protocols to provide confidentiality, authentication, and message integrity, e.g. L2TP, PPTP, IPSec, SSL
- Trusted VPNs do not use cryptographic tunnelling; they rely on the security of a single provider's network to protect the traffic, e.g. BGP/MPLS VPN [RFC 2547bis]

BGP/MPLS VPN Network Components
- Customer Edge (CE) device: provides customer access to the service provider network over a data link to one or more PE routers
- Provider Edge (PE) device: exchanges routing information with CE routers using static routing, RIP, OSPF or EBGP
- Provider (P) device: any router in the provider's network that does not attach to CE devices

Secure VPNs

Secure Email
- Public key encryption and signatures -> confidentiality & non-repudiation
- Certificates to verify a key's authenticity
- Secure / Multipurpose Internet Mail Extensions (S/MIME)
  - X.509: hierarchical public key infrastructure
  - Certificates issued by certification authorities (CA)
- OpenPGP (Pretty Good Privacy)
  - Distributed public key infrastructure
  - Certificates within a web of trust

Intrusion Detection Systems
- Used to monitor (networked) systems
- Check so-called audit data for indications of an attack
- Classification based on audit source:
  - Host IDS: locally generated data by applications & operating system, e.g. log files, system calls, ...
  - Network IDS: analysis of ongoing network traffic, e.g. network protocol analysis
- Classification based on analysis approach:
  - Anomaly-based: deviation from normal use
  - Misuse-based: detection of known attack patterns
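As an added example (not from the lecture), the two analysis approaches of a host IDS run over a few constructed syslog-style authentication lines: misuse-based detection with signatures of known patterns, and anomaly-based detection that only compares failed-login counts against a learned baseline. The log lines, signature names and the baseline value are constructed assumptions.

```python
import re
from collections import Counter

# Constructed host audit data in syslog style; not taken from the lecture.
AUDIT_LOG = """\
Oct 12 10:00:01 srv sshd[811]: Accepted publickey for alice from 10.1.2.3 port 50112
Oct 12 10:00:05 srv sshd[812]: Failed password for root from 203.0.113.9 port 41022
Oct 12 10:00:06 srv sshd[813]: Failed password for root from 203.0.113.9 port 41023
Oct 12 10:00:07 srv sshd[814]: Failed password for admin from 203.0.113.9 port 41024
Oct 12 10:00:08 srv sshd[815]: Failed password for invalid user test from 203.0.113.9 port 41025
Oct 12 10:00:09 srv sshd[816]: Failed password for invalid user guest from 203.0.113.9 port 41026
Oct 12 10:00:20 srv sshd[817]: Failed password for bob from 10.1.2.4 port 50200
Oct 12 10:00:25 srv sshd[818]: Accepted password for bob from 10.1.2.4 port 50201
"""

# Misuse-based detection: signatures of known attack patterns (constructed names).
SIGNATURES = {
    "root-password-attempt": re.compile(r"Failed password for root from (\S+)"),
    "invalid-user-probe": re.compile(r"Failed password for invalid user \S+ from (\S+)"),
}

def misuse_detect(log: str) -> list:
    """Return (signature, source) for every audit line matching a known pattern.
    Only attacks that have a signature can be found this way."""
    hits = []
    for line in log.splitlines():
        for name, pattern in SIGNATURES.items():
            m = pattern.search(line)
            if m:
                hits.append((name, m.group(1)))
    return hits

# Anomaly-based detection: a model of normal use instead of attack knowledge.
FAILED = re.compile(r"Failed password for .* from (\S+)")

def anomaly_detect(log: str, baseline_per_source: float, factor: float = 3.0) -> dict:
    """Flag sources whose failed-login count exceeds factor x the normal rate
    learned earlier (baseline_per_source). Unknown attacks can be caught, at
    the price of false alarms when legitimate use deviates from the model."""
    counts = Counter(m.group(1) for m in map(FAILED.search, log.splitlines()) if m)
    return {src: n for src, n in counts.items() if n > factor * baseline_per_source}

if __name__ == "__main__":
    print(misuse_detect(AUDIT_LOG))
    print(anomaly_detect(AUDIT_LOG, baseline_per_source=1.0))
```

Note that the admin login failure is invisible to the signatures but counts toward the anomaly score, which is the complementary coverage the two approaches give.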

General IDS Architecture
(Diagram: components are the monitored system, an agent, a director and a notifier inside the intrusion detection system, and the user; the labelled flows are audit data, event, alarm, notification, configuration and reconfiguration.)
The concrete system architecture can be either centralised or distributed.

Conclusion
- Common IPv4 without any amendments is known to be vulnerable.
- Security is essential for the proliferation of Internet services.
- Security must be considered when designing new services.
- Security is not a product but a process!
- Different stakeholders may have different security requirements: multilateral security