Presentation is loading. Please wait.

Presentation is loading. Please wait.

@Yuan Xue Announcement Homework 4 graded Homework 5 due next Tuesday Online class evaluation Final Poster Time Tentative: Monday.

Published byJayson Nash Modified over 8 years ago

Similar presentations

Presentation on theme: "@Yuan Xue Announcement Homework 4 graded Homework 5 due next Tuesday Online class evaluation Final Poster Time Tentative: Monday."— Presentation transcript:

1 @Yuan Xue (yuan.xue@vanderbilt.edu) Announcement Homework 4 graded Homework 5 due next Tuesday Online class evaluation Final Poster Time Tentative: Monday Dec 12 3-5pm

2 @Yuan Xue (yuan.xue@vanderbilt.edu) Firewall Yuan Xue

3 @Yuan Xue (yuan.xue@vanderbilt.edu) What is Firewall? Design goals All traffic from inside to outside and vice versa must pass through the firewall A single checking point that keeps unauthorized traffic (i.e., worm) out of the protected network Internet

4 @Yuan Xue (yuan.xue@vanderbilt.edu) How it functions? Technique Control access via security policy Types Packet filter router Application-level gateway Stateful filter vs. stateless filter Personal firewall

5 @Yuan Xue (yuan.xue@vanderbilt.edu) Packet-Filtering Router Applies a set of rules to each incoming IP packet Decides forwarding or discarding the packet Only examine the header, do not “ see inside ” a packet Pros & Cons Simple No application-specific protection Internet HTTP Telnet 129.10.10.1 209.10.10.1

6 @Yuan Xue (yuan.xue@vanderbilt.edu) Packet-Filtering Router Filtering rules Src/dest IP address; src/dest port; protocol field; etc. Default  Discard vs. forward actionInternal host address Internal portExternal host address External portfunction block**192.10.*.**Block all packets from 192.10.*.* actionInternal host address Internal portExternal host address External portfunction allow129.10.10.325**Allow inbound mail to 129.10.10.3

7 @Yuan Xue (yuan.xue@vanderbilt.edu) Packet-Filtering Router The dangerous services finger (port 79) telnet (port 23) ftp (port 21) rlogin (port 513) ICMP Internet finger Telnet ftp rlogin

8 @Yuan Xue (yuan.xue@vanderbilt.edu) Stateful Inspection Firewall Maintains state information from one packet to another in the input stream Tightens up the rules for TCP traffic Source addressSource portDestination addressDestination portState 192.10.10.163321216.10.18.12380established

9 @Yuan Xue (yuan.xue@vanderbilt.edu) Application-level gateway Application level proxy/gateway Relay of application traffic Run pseudoapplications Looks to the inside as if it is the outside connection Looks to the outside as if it is the inside Pros & Cons Processing overhead Diverse functionality Internet SMTP HTTP FTP TELNET

10 @Yuan Xue (yuan.xue@vanderbilt.edu) Web Application Firewall A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked.Cross-site Scripting (XSS)SQL Injection References: http://www.owasp.org/index.php/Web_Application_Firewall http://projects.webappsec.org/Web-Application-Firewall-Evaluation- Criteria http://projects.webappsec.org/Web-Application-Firewall-Evaluation- Criteria

11 @Yuan Xue (yuan.xue@vanderbilt.edu) Deployment Considerations Performance Security of firewall itself Runs on minimized OS  non-firewall functions should not be done on the same machine Network Topology Internet SMTP HTTP FTP TELNET Packet filter Application gateway

12 @Yuan Xue (yuan.xue@vanderbilt.edu) Personal Firewall An application that runs on a personal computer to block unwanted traffic Product ZoneAlarm  www.zonelabs.com BlackICE Defender  blackice.iss.net Tiny Personal Firewall  www.tinysoftware.com Norton Personal Firewall  www.symantec.com www.symantec.com Windows XP

13 @Yuan Xue (yuan.xue@vanderbilt.edu) Demo of Windows personal firewall

14 @Yuan Xue (yuan.xue@vanderbilt.edu) Benefit & Limitation Benefit Provides a location for monitoring security-related events Provides a platform for security-related functions: NAT, IPSec Limitations Attacks that bypass firewall Internal threats Performance Usability vs. security

15 @Yuan Xue (yuan.xue@vanderbilt.edu) Intrusion Detection System Yuan Xue

16 @Yuan Xue (yuan.xue@vanderbilt.edu) Background What is Intrusion An intrusion can be defined as any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource. [Heady R. 1990] Three classes of intruder  Masquerader – illegitimate user penetrates the system using a legitimate user ’ s account  Misfeasor – legitimate user misuses his/her privileges, accessing resources that is not authorized  Clandestine user -- privileged user uses supervisory control to suppress audit control

17 @Yuan Xue (yuan.xue@vanderbilt.edu) Background What is Intrusion Detection System An Intrusion Detection System (IDS) must identify, preferably in real time, unauthorized use, misuse and abuse of computer systems It is a reactive, rather than proactive, form of system defense. Classification Misuse intrusion detection vs. Anomaly intrusion detection  Misuse intrusion detection -- detect attacks on known weak points of a system.  Anomaly intrusion detection -- detect by building up a profile of the system being monitored and detecting significant deviations from this profile. Host-based detection vs. Network-based detection

18 @Yuan Xue (yuan.xue@vanderbilt.edu) History Conventional approach to system security: Authentication, Access control and Authorization. In 1980, James Anderson first proposed that audit trails should be used to monitor threats. In 1987, Dorothy Denning presented an abstract model of an Intrusion Detection System. In 1988, IDES (Intrusion Detection Expert System) – host-based IDS is developed. In 1990, Network Security Monitor is developed – network-based IDS is developed. In 1994, Mark Crosbie and Gene Spafford suggested the use of autonomous agents in order to improve the scalability, maintainability, efficiency and fault tolerance of an IDS.

19 @Yuan Xue (yuan.xue@vanderbilt.edu) Structure of IDS Data collection system Data reduction system Classifier Alerting system Data collection System Call Data reduction Audit Files Agent Manager Agent I Agent III Agent II Agent IV Alerting System Classifier

20 @Yuan Xue (yuan.xue@vanderbilt.edu) Data Collection and Reduction Data source Audit files  system audit files: messages,xferlog,syslog,sulog,.bash_ history...  application audit files: Web server log files, …. System Call Audit record [Denning 87] Subject, Action, Object, Exception, Resource usage, Time stamp User operation  elementary actions COPY GAME.EXE to /usr/GAME.EXE SmithexecCOPY.EXE0CPU = 000021058721678 SmithreadGAME.EXE0RECORDS = 11058721679 SmithexecCOPY.EXEWrite-violRECORDS = 01058721680

21 @Yuan Xue (yuan.xue@vanderbilt.edu) Misuse intrusion detection Use patterns of well-known attacks or weak spots of the system to match and identify intrusions Perform pattern matching Used in the environment where a rule can be recognized. Example  Misuse Intrusion Detection (Purdue) using Patten Matching  USTAT, a real-time IDS (UCSB) using State Transition Analysis  IDES using rule - based expert system

22 @Yuan Xue (yuan.xue@vanderbilt.edu)

23 Password guessing Port scan

24 @Yuan Xue (yuan.xue@vanderbilt.edu) Anomaly Intrusion Detection Establish normal usage profiles Observe deviation from the normal usage patterns Example profiles: loginfrequency, locationfrequency, UseofCPU,UseofIO, ExecutionFrequencyFileReadFails 、 FileWriteFails Metrics Mean and standard deviation Multivariate Markov process Time Series Approaches Data Mining Approaches Neural Networks Colored-petri-net Further reading: Outside the Closed World: On Using Machine Learning For Network Intrusion Detection Outside the Closed World: On Using Machine Learning For Network Intrusion Detection

25 @Yuan Xue (yuan.xue@vanderbilt.edu)

26 Distributed IDS

27 @Yuan Xue (yuan.xue@vanderbilt.edu) Honey Pot Honeypots are closely monitored network decoys Distract adversaries from more valuable machines on a network Provide early warning about new attack and exploitation trends Example Honeypot can simulate one or more network services that you designate on your computer's ports.

28 @Yuan Xue (yuan.xue@vanderbilt.edu) Product http://www.snort.org/ Snort ® is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. http://www.dshield.org/ A distributed intrusion detection system, or a distributed firewall system. an attempt to collect data about cracker activity from all over the internet. This data will be cataloged and summarized. It can be used to discover trends in activity and prepare better firewall rules. Right now, the system is tailored to simple packet filters. As firewall systems that produce easy to parse packet filter logs are now available for most operating systems, this data can be submitted and used without much effort. NFR Security Inc. NFR Security provides a comprehensive, integrated intrusion detection system that protects networks and hosts from known/unknown attacks, misuse, abuse and anomalies. http://www.nfr.com http://www.nfr.com Real Secure by ISS http://www.iss.net/products_services/enterprise_protection/

29 @Yuan Xue (yuan.xue@vanderbilt.edu) Demo of Snort

30 @Yuan Xue (yuan.xue@vanderbilt.edu) Reference Intrusion detection FAQ http://www.sans.org/resources/idfaq/ Purdue Information Security Center http://www.cerias.purdue.edu/ http://www.cert.org/ http://www.first.org/

Download ppt "@Yuan Xue Announcement Homework 4 graded Homework 5 due next Tuesday Online class evaluation Final Poster Time Tentative: Monday."

Similar presentations

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.
Firewalls 2014.04.07 Uyanga Tserengombo

Firewalls Uyanga Tserengombo
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Winter 20021 CMPE 155 Week 7. Winter 20022 Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.

Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.
Fall 2008CS 334: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for.

Fall 2008CS 334: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for.
Lecture 14 Firewalls modified from slides of Lawrie Brown.

Lecture 14 Firewalls modified from slides of Lawrie Brown.
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
—On War, Carl Von Clausewitz

—On War, Carl Von Clausewitz
Chapter 11 Firewalls.

Chapter 11 Firewalls.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey

Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

Similar presentations

Ads by Google