Coursehero >> New York >> Hofstra >> SESS 07

Course Hero has millions of student submitted documents similar to the one below including study guides, homework solutions, papers, exam answer keys and textbook solutions.

Security Network Firewalls 04/19/06 Hofstra University Network Security Course, CSC290A 1 Just because you're paranoid, doesn't mean they're not out to get you! - Anonymous 04/19/06 Hofstra University Network Security Course, CSC290A 2 Firewalls Make It To The Movies 04/19/06 Hofstra University Network Security Course, CSC290A 3 Why Firewalls? Internet connectivity is no longer an option for most corporations The Internet allows you access to worldwide resources, but... ...the Internet also allows the world to try and access your resources This is a grave risk to most organizations Hofstra University Network Security Course, CSC290A 04/19/06 4 Why Firewalls? A firewall is inserted between the premises network and the Internet Establishes a perimeter Provides a choke point where security and audits can be imposed Single computer system or a set of systems can perform the firewall function 04/19/06 Hofstra University Network Security Course, CSC290A 5 Good Fences Make Good Neighbors Robert Frost, "Mending Wall" 04/19/06 Hofstra University Network Security Course, CSC290A 6 Design Goals All traffic, from inside to outside and vice versa, must pass through the firewall Only authorized traffic (defined by the security policy) is allowed to flow Firewall is immune to penetration uses a trusted system 04/19/06 Hofstra University Network Security Course, CSC290A 7 Access Control Techniques Service Control types of Internet service accessed inbound and outbound Direction Control direction in which particular services may be initiated User Control access to a service is controlled according to users Behavior Control controls how particular services are used 04/19/06 Hofstra University Network Security Course, CSC290A 8 Scope of Firewalls Single choke point - to protect vulnerable services from various kinds of attack (spoofing, DOS) Singular monitoring point location for monitoring, auditing and event triggering 04/19/06 Hofstra University Network Security Course, CSC290A 9 Scope of Firewalls Platform for non-security functions can be used for network address translation and network management Platform for IPSec implements VPN via tunnel mode 04/19/06 Hofstra University Network Security Course, CSC290A 10 Limitations of Firewalls Cannot protect against attack that bypasses the firewall bypass attack Does not protect against internal threats Cannot protect against the transfer of virus-infected programs 04/19/06 Hofstra University Network Security Course, CSC290A 11 CERT/CC Incidents Reported 04/19/06 Hofstra University Network Security Course, CSC290A 12 Types of Firewalls Packet Filtering Router Application Level Gateway Circuit Level Gateway 04/19/06 Hofstra University Network Security Course, CSC290A 13 Packet Filtering OSI Layers Addressed 04/19/06 Hofstra University Network Security Course, CSC290A 14 Packet Filtering Router Applies a set of rules to each incoming IP packet and forwards or discards the packet Filters packets in both directions 04/19/06 Hofstra University Network Security Course, CSC290A 15 Packet Filtering Router Rules based on source and destination address and port number List of rules looking for a match If no match, default action is taken 04/19/06 Hofstra University Network Security Course, CSC290A 16 Packet Filtering Router Two default policies: default = discard: That which is not expressly permitted is prohibited default = forward: That which is not expressly prohibited is permitted 04/19/06 Hofstra University Network Security Course, CSC290A 17 Packet Filtering Rules action block allow ourhost * OUR GW port * 25 theirhost SPIGOT * port * * comment we don't trust these guys connection to our SMTP port Inbound mail is allowed (port 25), but only to a gateway host Everything from SPIGOT is blocked 04/19/06 Hofstra University Network Security Course, CSC290A 18 Packet Filtering Rules action block ourhost * port * theirhost * port * comment default This is the default policy It is usually the last rule This rule drops everything 04/19/06 Hofstra University Network Security Course, CSC290A 19 Packet Filtering Rules action allow ourhost * port * theirhost * port 25 comment Connection to their SMTP port Inside host can send mail to the outside Some other application could be linked to port 25 Attacker could gain access through port 25 04/19/06 Hofstra University Network Security Course, CSC290A 20 Packet Filtering Rules action allow allow src our hosts * port * 25 dest * * port 25 * ACK flags comment connection to their SMTP port their replies This improves on the last situation Internal hosts can access SMTP anywhere ACKs from any SMTP server are permitted 04/19/06 Hofstra University Network Security Course, CSC290A 21 Packet Filtering Rules action allow allow allow src our hosts * * port * * * dest * * * port * * >1024 ACK flags comment outgoing calls replies to our calls Traffic to nonservers This handles FTP connections Two connections are used: one for control and the other for data transfer; different port numbers (20,21) Outgoing calls use a higher number port (above 1023) 04/19/06 Hofstra University Network Security Course, CSC290A 22 Packet Filtering Advantage: simple, transparent and very fast Disadvantage: difficulty in setting up rules correctly and authentication 04/19/06 Hofstra University Network Security Course, CSC290A 23 Packet Filtering Attacks IP address spoofing packets from the outside have internal addresses in their source IP address field Source routing attacks route of packet is specified to bypass security measures Tiny fragment attack designed to circumvent filtering rules that depend on TCP header information 04/19/06 Hofstra University Network Security Course, CSC290A 24 Real Life Example 04/19/06 Hofstra University Network Security Course, CSC290A 25 Real Life Example 04/19/06 Hofstra University Network Security Course, CSC290A 26 Stateful Inspection Layers Addressed By Stateful Inspection 04/19/06 Hofstra University Network Security Course, CSC290A 27 Stateful Inspection Inbound connections are above port 1023 Solve this problem by creating a directory of outbound TCP connections, along with each session's corresponding highnumbered client port State Table - used to validate any inbound traffic. 04/19/06 Hofstra University Network Security Course, CSC290A 28 Stateful Inspection More secure because the firewall tracks client ports individually rather than opening all highnumbered ports for external access. Adds Layer 4 awareness to the standard packet filter architecture. Useful or applicable only within TCP/IP network infrastructures Superset of packet filter firewall functionality 04/19/06 Hofstra University Network Security Course, CSC290A 29 Application Level Gateway 04/19/06 Hofstra University Network Security Course, CSC290A 30 Application Gateway Firewalls Layers Addressed by ApplicationProxy Gateway Firewalls 04/19/06 Hofstra University Network Security Course, CSC290A 31 Application Level Gateway Acts as a relay of application level traffic Also called a proxy User contacts gateway for TELNET to remote host, user is authenticated, then gateway contacts remote host and relays info between two end points 04/19/06 Hofstra University Network Security Course, CSC290A 32 Application Level Gateway If proxy code for application is not supported, no forwarding of packets Can examine the packets to ensure the security of the application full packet awareness Very easy to log since entire packet seen Disadvantage: additional processing overhead for each connection increase load 04/19/06 Hofstra University Network Security Course, CSC290A 33 Circuit-Level Gateway 04/19/06 Hofstra University Network Security Course, CSC290A 34 Circuit Level Gateway Does not permit an end-to-end TCP connection Sets up two TCP connections one between itself and a TCP user on the inside and one between itself and a TCP user on the outside Relays TCP segments from one connection to the other without examining the contents 04/19/06 Hofstra University Network Security Course, CSC290A 35 Circuit Level Gateway Security function (implements policy) determines which connections will be allowed Used where internal users are trusted for all outbound services Often combined with a proxy for inbound services 04/19/06 Hofstra University Network Security Course, CSC290A 36 Circuit Level Gateway SOCKS package V5 RFC 1928 Shim between application and transport layers Uses port 1080 Requires SOCKS-ified client Disadvantage: some implementations require a special client 04/19/06 Hofstra University Network Security Course, CSC290A 37 Dedicated Proxy Servers 04/19/06 Hofstra University Network Security Course, CSC290A 38 Hybrid Firewalls "blurring of lines" that differentiate types of firewalls Application proxy gateway firewall vendors have implemented basic packet filter functionality in order to provide better support for UDP based applications Stateful inspection packet filter firewall vendors have implemented application basic proxy functionality to offset some of the weaknesses associated with packet filtering 04/19/06 Hofstra University Network Security Course, CSC290A 39 Schematic of a Firewall Filter Filter Inside Gateway(s) Outside Demilitarized Zone (DMZ) 04/19/06 Hofstra University Network Security Course, CSC290A 40 Bastion Host Exposed gateway is called the bastion host Sits in the DMZ Usually a platform for an application or circuit level gateway Hardened, trusted system Only essential services 04/19/06 Hofstra University Network Security Course, CSC290A 41 Bastion Host Allows access only to specific hosts Maintains detailed audit information by logging all traffic Choke point for discovering and terminating intruder attacks Each proxy is a small, highly secure network software package that is a subset of the general application 04/19/06 Hofstra University Network Security Course, CSC290A 42 Bastion Host Proxies on bastion host are independent of each other No disk access other that to read initial configuration Proxies run as non-privileged users Limited access to bastion host 04/19/06 Hofstra University Network Security Course, CSC290A 43 Bastion Host, SingleHomed 04/19/06 Hofstra University Network Security Course, CSC290A 44 Bastion Host, Single-Homed Two systems: packet filtering router and bastion host For traffic from the Internet, only IP packets destined for the bastion host are allowed For traffic from the internal network, only relayed packets from the bastion host are allowed out 04/19/06 Hofstra University Network Security Course, CSC290A 45 Bastion Host, Single-Homed Bastion host performs authentication Implements both packet level and application level filtering Intruder penetrates two separate systems before internal network is compromised May contain a public information server What happens if this is compromised? Hofstra University Network Security Course, CSC290A 04/19/06 46 Bastion Host, Dual-Homed 04/19/06 Hofstra University Network Security Course, CSC290A 47 Bastion Host, Dual-homed Bastion host second defense layer Internal network is completely isolated Packet forwarding is turned off More secure 04/19/06 Hofstra University Network Security Course, CSC290A 48 Screened Subnet 04/19/06 Hofstra University Network Security Course, CSC290A 49 Screened Subnet Most secure Isolated subnet with bastion host between two packet filtering routers Traffic across screened subnet is blocked Three layers of defense Internal network is invisible to the Internet 04/19/06 Hofstra University Network Security Course, CSC290A 50 Typical DMZ Clients E 250 Internet ns1 Primary DNS Server FAQ39 U 10 Frac/T3 RTR Frac/T3 RTR external network .10 .11 Secondary ns2 DNS Server FAQ38 U 10 Packet Filtering Routers BGP-4 (fwinet .22) .20 fw1 .21 fw2 web web DMZ database nas internal network fw3 fw4 Internal Network 04/19/06 Hofstra University Network Security Course, CSC290A 51 DMZ Building Guidelines Keep It Simple - KISS principle - the more simple the firewall solution, the more secure and more manageable Use Devices as They Were Intended to Be Used don't make switches into firewalls Create Defense in Depth use layers, routers and servers for defense Pay Attention to Internal Threats "crown jewels" go behind internal firewall adage: "all rules are meant to be broken" 04/19/06 Hofstra University Network Security Course, CSC290A 52 Taming the DNS Need two DNS servers Don't want to reveal internal names and addresses Internal network has an isolated, pseudo-root DNS Forwards requests to the external DNS "Split DNS" or "Split Brain" 04/19/06 Hofstra University Network Security Course, CSC290A 53 Taming the DNS 04/19/06 Hofstra University Network Security Course, CSC290A 54 Network Address Translation Solves address depletion problems with IPv4 RFC 2663 IP Network Address Translator Terminology and Considerations, 1996 Gateways to disparate networks Hides internal addresses Port Address Translation (PAT) a variation using ports 04/19/06 Hofstra University Network Security Course, CSC290A 55 Secure Shell (SSH) Eliminates "Crunchy Cookie" DMZ Everything is encrypted Used for system administration and remote access SSH2 www.ssh.com 04/19/06 Hofstra University Network Security Course, CSC290A 56 VPN's Another Type of Firewall Connecting remote users across the Internet Connecting offices across Internet 04/19/06 Hofstra University Network Security Course, CSC290A 57 Other Types Of Firewalls Host Based Firewalls comes with some operating systems (LINUX, WIN/XP) ipfilter is a popular one http://coombs.anu.edu.au/~avalon/ Avoids Crunchy Cookie Syndrome hard and crunchy on the outside, soft and chewy on the inside 04/19/06 Hofstra University Network Security Course, CSC290A 58 Other Types Of Firewalls Personal Firewalls Appliances personal firewall appliances are designed to protect small networks such as networks that might be found in home offices (NB: This is not an endorsement of any product) Provide: print server, shared broadband use, firewall, DHCP server and NAT 04/19/06 Hofstra University Network Security Course, CSC290A 59 Network Security Trusted Systems 04/19/06 Hofstra University Network Security Course, CSC290A 60 Access Matrix General model of access control: Subject entity capable of accessing objects (user = process= subject) Object anything to which access is controlled (files, programs, memory) Access right way in which an object is accessed by a subject (read, write, exe) 04/19/06 Hofstra University Network Security Course, CSC290A 61 Access Matrix 04/19/06 Hofstra University Network Security Course, CSC290A 62 Access Control List decomposed by columns decomposed by rows "compability ticket" 04/19/06 Hofstra University Network Security Course, CSC290A 63 Concept of Trusted Systems We've been concerned with protecting a message from active or passive attack by given user Different requirement is to protect data or resources on the basis of security levels (unclassified, confidential, secret and top secret) Hofstra University Network Security Course, CSC290A 04/19/06 64 Concept of Trusted Systems Multilevel security subject at a high level may not convey information to a subject at a lower or non-comparable level unless that flow accurately reflects the will of an authorized user No read up: Subject can only read an object of less or equal security level No write down: Subject can only write into an object of greater or equal security level 04/19/06 Hofstra University Network Security Course, CSC290A 65 Reference Monitor 04/19/06 Hofstra University Network Security Course, CSC290A 66 Reference Monitor Reference monitor is a controlling element in hardware and OS Enforces the security rules in the security kernel database (no read up, no write down) 04/19/06 Hofstra University Network Security Course, CSC290A 67 Trusted System Properties Complete mediation security rules enforced on every access Isolation reference monitor and database are protected from unauthorized modification Verifiability reference monitor's correctness must be mathematically provable 04/19/06 Hofstra University Network Security Course, CSC290A 68 Trojan Horse Defense Alice installs trojan horse program and gives Bob write only permission 04/19/06 Hofstra University Network Security Course, CSC290A 69 Trojan Horse Defense Alice induces Bob to invoke the trojan horse. Program detects it is being executed by Bob, reads the sensitive character string and writes it into Alice's backpocket file 04/19/06 Hofstra University Network Security Course, CSC290A 70 Trojan Horse Defense Two security levels are assigned, sensitive(higher) and public. Bob's stuff is sensitive and Alice's stuff is public. 04/19/06 Hofstra University Network Security Course, CSC290A 71 Trojan Horse Defense If Bob invokes the trojan horse program, that program acquires Bob's security and is able to read the character string. However, when the program attempts to store the string, the no write down policy is invoked 04/19/06 Hofstra University Network Security Course, CSC290A 72 A classic in the field published in 1994. Know for its "bombs" which indicated a serious risk 04/19/06 Hofstra University Network Security Course, CSC290A 73 Important URLs Evolution of the Firewall Industry - Discusses different architectures and their differences, how packets are processed, and provides a timeline of the evolution http://csrc.nist.gov/publications/nistpubs/800-41/sp8 NIST Guidelines On Firewalls and Firewall Policy Trusted Computing Group Vendor group involved in developing and promoting trusted computer standards 04/19/06 Hofstra University Network Security Course, CSC290A 74 Homework Read Chapter Ten Read "An Evening With Berferd" notice the techniques used (traces, protocols, etc.) Do not attempt this at home 04/19/06 Hofstra University Network Security Course, CSC290A 75 Remember Hans Brinker... 04/19/06 Hofstra University Network Security Course, CSC290A 76

Find millions of documents here - Study Guides, Homework Solutions, Papers, Exam Answer Keys and more. Course Hero has millions of course related materials that will enable you to learn better, faster and get an A in all your courses.
Below is a small sample set of documents: