Firewalls and Application Level Gateways (ALGs) / Tunnel Hunter (presentation transcript)

 Firewalls and Application Level Gateways (ALGs)
 Usually configured to protect from at least two types of attack
▪ Control which sites local users connect to
▪ (Try to) limit attacks coming from the Internet
 Firewalls check TCP ports and destination addresses
 ALGs verify that the nature of the traffic crossing the network boundary conforms to the security policies and is not malicious

 Tunneling techniques
 Disguise one application-layer protocol as another one
 Make security policies ineffective and can lead to a dangerous illusion of security
 Can be based on the DNS, HTTP or SSH protocols

 Packets are encoded at the application layer so that they conform to specific allowed protocol(s).
 Most commonly, three protocols are used to tunnel Internet traffic: DNS, HTTP, SSH.

 DNS Tunneling
 Exploits the way regular DNS requests for a given domain are forwarded
 Powerful technique, since DNS is rarely blocked
 Can rarely achieve throughputs higher than a few kb/s due to the mechanism's complexity, and is therefore rarely used

 HTTP Tunneling
 The packets of the tunneled flow are encoded so that they can be incorporated in one or more regular, semantically valid HTTP sessions
 SSH Tunneling
 SSH tunneling is also known as port forwarding
▪ Deep-packet-inspection techniques become useless because the data is encrypted
▪ Therefore, today's ALGs let any protocol be tunneled through SSH
▪ That makes SSH tunneling a very powerful technique

 The two SSH authentication phases (host authentication and user authentication) are not used by possible tunnels:
 The host authentication is not encrypted, therefore its packets can easily be identified and discarded.
 The user authentication is encrypted, therefore it is difficult to know when it ends and the actual data exchange begins.

 Definition: automatic (machine) recognition, description, classification, and grouping of patterns according to specific features.
 If the information about how to group the data into classes is known before examining the data, the approach is called supervised; otherwise it is called unsupervised.
 The goal of a pattern recognition technique is to represent each element as a pattern and to assign the pattern to the class that best describes it.

 Stages in a pattern recognition problem
▪ Data collection
▪ Feature selection or feature extraction
▪ Definition of patterns and classes
▪ Definition and application of the discrimination procedure
▪ Assessment and interpretation of results

 Class description... revisited
 Once classes have been identified, a training set T_s(ω_i) can be created for every class ω_i
 A thorough inspection of T_s can lead to an analytical model describing the corresponding class
 Then, a decision function f has to be determined, with input the observed data x and output a prediction of the class that generated it: ω(x) = f(x)

 Tunnel Hunter aims at detecting tunneling activities over the HTTP and SSH protocols
 Focuses on building an accurate description of legitimate traffic
 Builds on known pattern recognition techniques

 Building patterns and classes (1/2)
 The features are gathered directly from the legitimate flows composing the TCP session
 A TCP flow is represented by a pattern which takes into account:
▪ the packet size s_i
▪ the inter-arrival time Δt between two consecutive packets
▪ the number r of packets (from the start of the flow) that are used for the measurement

 Building patterns and classes (2/2)
 Class model: the concept of protocol fingerprint
▪ A protocol may be used for N different purposes
▪ Issue: how many classes does one have to consider?
▪ Two approaches to the issue:
1. Train the classifier with flows from a single target class (one-class classifier)
2. New classes composed of outlier flows are added to the analysis (multi-class classifier)

 One-class tunnel detection algorithm
 Algorithm definition: the decision function
▪ App = the application-layer protocol that is examined
▪ ω_t = the acceptance region ("legitimate" use of App)
▪ ω_r = the rejection region (complementary to ω_t)
▪ Given an unknown flow F, the algorithm compares its pattern representation with the fingerprint (for ω_t and ω_r) and returns an index of (dis-)similarity (anomaly score)

 Tunnel Hunter can perform better if it is provided with more knowledge about the nature of the traffic.
 Multi-class classification adds an outlier class ω_o, which can reduce the number of cases where the uncertainty could let through a packet that should have been rejected.
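The slides above describe the pipeline but show no code, so here is an added Python example (not the Tunnel Hunter authors' code, and not part of the original presentation) that walks through it end to end: a flow becomes a pattern of r = 5 (packet size, inter-arrival time) cells, a training set T_s yields a per-class fingerprint, an anomaly score compares an unknown flow with a fingerprint, and the one-class (ω_t / ω_r) and multi-class (with an outlier class ω_o) decision functions act on that score. The bin edges, the add-one smoothing, the negative-log-likelihood score, the threshold rule and every sample flow are assumptions of this example; the paper's actual fingerprint model and its captured traffic are not reproduced here.

```python
import math
from collections import Counter

# Pattern parameters (hypothetical choices, not the paper's): the first R packets of a
# TCP flow form its pattern, each packet described by a (size bin, inter-arrival bin) cell.
R = 5
SIZE_EDGES = (128, 512, 1024)        # 4 size bins over the [40, 1500] byte range
DT_MIN_EXP, DT_MAX_EXP = -7, 3       # log10 bins over the [1e-7, 1e3] s range
N_CELLS = (len(SIZE_EDGES) + 1) * (DT_MAX_EXP - DT_MIN_EXP + 1)


def size_bin(size):
    """Index of the size bin a packet of `size` bytes falls into."""
    return sum(1 for edge in SIZE_EDGES if size >= edge)


def dt_bin(dt):
    """Order of magnitude of an inter-arrival time, clamped to the observed range."""
    exp = math.floor(math.log10(dt)) if dt > 0 else DT_MIN_EXP
    return max(DT_MIN_EXP, min(DT_MAX_EXP, exp))


def pattern(flow):
    """Represent a flow (list of (size, dt) per packet) as R (size bin, dt bin) cells."""
    return [(size_bin(s), dt_bin(dt)) for s, dt in flow[:R]]


def fingerprint(training_flows):
    """Class fingerprint: per packet position, how often each cell occurred in T_s."""
    counts = [Counter() for _ in range(R)]
    for flow in training_flows:
        for i, cell in enumerate(pattern(flow)):
            counts[i][cell] += 1
    return {"counts": counts, "total": len(training_flows)}


def anomaly_score(fp, flow):
    """Dissimilarity between a flow and a fingerprint: mean negative log-probability of
    the flow's cells, with add-one smoothing so unseen cells are unlikely, not impossible."""
    nll = 0.0
    for i, cell in enumerate(pattern(flow)):
        p = (fp["counts"][i][cell] + 1) / (fp["total"] + N_CELLS)
        nll -= math.log(p)
    return nll / R


def one_class_threshold(fp, training_flows, margin=0.5):
    """Acceptance threshold for omega_t: worst training score plus a tolerance margin."""
    return max(anomaly_score(fp, f) for f in training_flows) + margin


def one_class_decide(fp, threshold, flow):
    """One-class classifier: accept (omega_t) or reject (omega_r) an unknown flow."""
    return "accept" if anomaly_score(fp, flow) <= threshold else "reject"


def multi_class_decide(fps, flow):
    """Multi-class classifier: assign the flow to the class whose fingerprint fits it best.
    `fps` maps class names (including an outlier class omega_o) to fingerprints."""
    return min(fps, key=lambda name: anomaly_score(fps[name], flow))


# Constructed sample flows (not captured traffic). Legitimate HTTP: a request of a few
# hundred bytes followed by a burst of full-size response segments with sub-ms gaps.
LEGIT_HTTP = [
    [(380, 0.001), (1500, 0.030), (1500, 0.0004), (1500, 0.0005), (1500, 0.0003)],
    [(420, 0.002), (1500, 0.045), (1500, 0.0006), (1500, 0.0004), (1500, 0.0005)],
    [(350, 0.001), (1200, 0.025), (1500, 0.0003), (1500, 0.0007), (1500, 0.0004)],
    [(460, 0.003), (1500, 0.060), (1500, 0.0005), (1500, 0.0005), (1500, 0.0006)],
]
# Constructed POP3-over-HTTP tunnel: small command/reply packets about 0.1-0.3 s apart.
TUNNELED = [
    [(70, 0.001), (90, 0.150), (80, 0.200), (95, 0.180), (110, 0.160)],
    [(65, 0.002), (85, 0.120), (90, 0.250), (80, 0.140), (100, 0.210)],
    [(75, 0.001), (95, 0.300), (85, 0.170), (90, 0.190), (105, 0.130)],
]
NEW_LEGIT = [(410, 0.002), (1500, 0.035), (1500, 0.0005), (1500, 0.0004), (1500, 0.0005)]
NEW_TUNNEL = [(68, 0.001), (88, 0.160), (92, 0.220), (84, 0.150), (101, 0.170)]
# A flow that opens like HTTP and then degenerates into a tunnel-like exchange.
MIXED = [(400, 0.002), (1500, 0.040), (90, 0.150), (85, 0.200), (95, 0.180)]


def demo():
    """Run both classifiers over the constructed flows; returns name -> (one-class, multi-class)."""
    http_fp = fingerprint(LEGIT_HTTP)
    threshold = one_class_threshold(http_fp, LEGIT_HTTP)
    fps = {"http": http_fp, "outlier": fingerprint(TUNNELED)}
    return {
        name: (one_class_decide(http_fp, threshold, flow), multi_class_decide(fps, flow))
        for name, flow in (("legit", NEW_LEGIT), ("tunnel", NEW_TUNNEL), ("mixed", MIXED))
    }


if __name__ == "__main__":
    for name, (one, multi) in demo().items():
        print(f"{name:7s} one-class: {one:7s} multi-class: {multi}")
```

Running it accepts the new legitimate flow and rejects both the tunneled and the mixed flow; the multi-class variant labels the latter two as outliers. The mixed flow is the interesting case: its first two cells fit the HTTP fingerprint, so a one-class score with a looser margin could wave it through, whereas a fingerprint for the outlier class gives the three tunnel-like cells a better explanation than the HTTP class does, which is the extra knowledge the slide refers to.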

 Experiments are for HTTP and SSH
 Run on a 100Base-TX link
 Packet size s range: [40, 1500] bytes
 Inter-arrival time Δt range: [10^-7, 10^3] s

 The HTTP case (1/2)
 20,000 flows used for gathering the training sets T_s and T″_s
 About 17,000 tunneled sessions were collected, divided among four protocols: POP3, SMTP, CHAT, P2P
 At the same time, about 15,000 non-tunneled sessions were collected in order to check whether the classifier lets legitimate HTTP traffic pass

 The HTTP case (2/2)

 The SSH case (1/2)
 4,000 flows used for gathering the training sets T_s and T″_s
 About 10,000 tunneled sessions were collected, divided among four protocols: POP3, SMTP, CHAT, P2P
 At the same time, about 600 interactive sessions and about 1,700 bulk-transfer sessions were collected in order to check whether the classifier lets legitimate SSH/SCP traffic pass

 The SSH case (2/2)

 State A results (same as in one-class algorithm)

 State B results

 State C results

 Tunnel Hunter problems
 If an SSH tunnel is initially used for remote administration and then for tunneling other protocols:
▪ The first state is legitimate, and the classifier will label the session as authorized
 Sensitive to packet-size and timing value manipulation

 Tunnel Hunter can successfully recognize whenever a generic application protocol is tunneled on top of HTTP or SSH
 Increasing the knowledge of the system can significantly improve its performance
 The experimental results are very promising
▪ Virtually no legitimate traffic is blocked
▪ The vast majority of tunneled traffic is blocked
▪ Completeness near 100% (exactly 100% for HTTP)

 Tunnel Hunter can be used to improve existing ALGs
▪ By augmenting their ability to recognize tunneled traffic
 The model can be improved
▪ By introducing new variables and studying the role of the existing variables more closely in order to produce stronger fingerprints

Questions?