
COMP3123 Internet Security Richard Henson University of Worcester November 2011.


Slide 2: COMP3123 Internet Security, Richard Henson, University of Worcester, November 2011

Slide 3: Week 6: Securing a LAN connected to the Internet against Attack
Objectives:
- Explain what a Firewall is, why it is needed, and why users find it frustrating…
- Explain what a Proxy Service is, and why it can be a more flexible solution than a firewall
- Relate the principles of IP and TCP port filtering to the challenge posed by threats to LAN server security from the Internet

Slide 4: Unsecured LAN-Internet Connection via Router
[Diagram: Internal Network <-> ROUTER (no packet filtering) <-> INTERNET/EXTERNAL NETWORK]

Slide 5: An Unsecured LAN-Internet Connection via Router
[Diagram: the router passes data through unchanged; each side of the router shows only Layers 1, 2 and 3]

Slide 6: An Unsecured LAN-Internet Connection via Router
- Routers only process data up to OSI level 3
  - even with full user authentication on network services…
    - outgoing IP packets are untouched unless IP filtering is used
  - BUT IP filtering will slow down packet flow…
- Also…
  - a request by a LAN client for Internet data across a router reveals the client IP address
    - this is a desired effect…
    - the “local” IP address must be recorded on the remote server
    - the remote server picks up the required data and returns it via the router and server to the local IP address
  - problem: this could be intercepted, and future data to that IP address may not be so harmless…

Slide 7: An Unsecured LAN-Internet Connection via Router
- Another problem: the wrath of IANA
  - the IP address awarding and controlling body
  - big penalties if ANY internal LAN IP address conflicts with an existing Internet IP address they have allocated…
- If local clients have direct access to the Internet and their addresses can be allocated locally, this COULD happen
  - Safeguard:
    - use DHCP (Dynamic Host Configuration Protocol)
    - allocate client IP addresses from within a fixed range allocated to that domain by IANA

Slide 8: A LAN-Internet connection via Gateway
[Diagram: Internal Network (e.g. Novell IPX/SPX) <-> GATEWAY (packet conversion) <-> INTERNET/EXTERNAL NETWORK (e.g. TCP/IP)]

Slide 9: A LAN-Internet connection via Gateway
- At a gateway, processing goes up the protocol stack:
  - to at least level 4
  - possibly right up to level 7
- Because local packets can be converted into other formats:
  - the remote network therefore does not have direct access to the local machine
  - IP packets are only recreated at the desktop
  - local client IP addresses therefore do not need to comply with IANA allocations

Slide 10: Creating a “Secure Site”?
- To put it bluntly, a secure site is a LAN that provides formidable obstacles to potential hackers
  - keep a physical barrier between the local server and the Internet
- The physical barrier is linked through an intermediate computer called a Firewall or Proxy Server
  - may place unnecessary restrictions on access
  - security could be provided at one of the seven layers of the TCP/IP stack

Slide 11: Security Architecture & Secure Sites
- This includes all aspects of security controls
  - can be imposed on internal users through group policy objects
  - external attempts to hack cannot be controlled in this way, because the attackers are not authorised users
- What about external threats?
  - need to focus on external data and on security controls to deal with it…

Slide 12: The Firewall…
[Diagram: Internal Network <-> Firewall <-> INTERNET/EXTERNAL NETWORK; TCP/IP out, no data in…]

Slide 13: Using a Firewall to secure Routed Connections
- Completely separate local network data from Internet data using a physical barrier:
  - Firewall (robust but inflexible)
  - Proxy Server (flexible)
- Either solution will have a similar safeguarding effect to using a gateway:
  - client IP addresses will not interact with the Internet
  - therefore they do not need to be IANA approved
  - but it makes good sense to use DHCP anyway…

Slide 14: What is a Firewall?
- “A set of components that restricts access between a protected network and the Internet”
  - therefore divides a potential internetwork into internal and external components:
    - Internal Network
      - under consideration from a security point of view
      - kept logically separate from the Internet
    - External Network
      - generally assumed to be the Internet, or a network that cannot be secured

Slide 15: A Firewall should…
- Protect the network from:
  - TCP/IP attacks, probes and scans
  - denial of service attacks
  - malicious code such as viruses, worms and trojans
- Provide, depending upon the security policy and the type of firewall used:
  - Network Address Translation (NAT)
  - authentication or encryption services
  - web filtering
- To do this, it must be appropriately configured…

Slide 16: The Screening Router
[Diagram: Screening Router, with blocked services marked X]

Slide 17: Screening Routers
- Every IP packet contains:
  - IP address of source
  - IP address of destination
  - source and destination TCP port(s)
  - protocol being used (e.g. FTP, SMTP, etc.)
- A router simply routes the packet towards its destination address
- A screening router:
  - scrutinises whole packet headers
  - decides what to do with the packet

Slide 18: The Screening Router
- Packets are checked individually
  - therefore requires more processing power than a standard router
- Once a packet has been scrutinised, the screening router can take one of three actions:
  - block the packet
  - forward it to the intended destination
  - forward it to another destination
- IP addresses on the internal network can therefore be “protected” from external packets with a particular source address
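The screening-router decision described on slides 17 and 18, as an added example that is not part of the original presentation: each rule matches on the header fields listed (source, destination, protocol, port) and yields one of the three actions; the policy, the 192.168.10.0/24 LAN and the DMZ address 192.168.20.5 are constructed assumptions, and the rules are meant for packets arriving from the external side.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed packet header: the fields a screening router inspects.
@dataclass
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # transport protocol, "tcp" or "udp"
    dport: int    # destination port

@dataclass
class Rule:
    action: str                        # "block", "forward" or "redirect"
    src: Optional[str] = None          # CIDR prefix; None matches any source
    dst: Optional[str] = None          # CIDR prefix; None matches any destination
    proto: Optional[str] = None
    dport: Optional[int] = None
    redirect_to: Optional[str] = None  # replacement destination for "redirect"

    def matches(self, p: Packet) -> bool:
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto and p.proto != self.proto:
            return False
        return self.dport is None or p.dport == self.dport

def screen(p: Packet, rules) -> tuple:
    """First matching rule wins; anything unmatched is blocked (default deny).
    Returns (action, destination the packet is sent on to, or None if blocked)."""
    for r in rules:
        if r.matches(p):
            if r.action == "block":
                return ("block", None)
            return (r.action, r.redirect_to if r.action == "redirect" else p.dst)
    return ("block", None)

# Hypothetical policy for packets arriving from the external side of a LAN on
# 192.168.10.0/24, with the FTP server on a DMZ host (all addresses constructed).
POLICY = [
    Rule("block", src="192.168.10.0/24"),                                # outside packet claiming an inside source
    Rule("redirect", proto="tcp", dport=21, redirect_to="192.168.20.5"),  # FTP goes only to the DMZ server
    Rule("forward", proto="tcp", dport=80, dst="192.168.10.80/32"),       # HTTP only to the web server
    Rule("block", proto="tcp", dport=23),                                 # Telnet never from outside
]
```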

Slide 19: The Proxy Server…
[Diagram: Internal Network sends a request to the proxy server (firewall with proxy service), which in turn contacts the real server]

Slide 20: The Proxy Server
- A firewall that offers a client-server “proxy” service
  - allows the firewall to act as an intermediate party between the Internet and local network services:
    - intercepts user (client) requests for services such as FTP
    - decides whether or not to forward them to the true server
- The effect is that the internal and external computers talk to the proxy service rather than directly to each other

Slide 21: Proxy Service (continued)
- The user on either side of the firewall is presented with the illusion that they are talking to a real server
  - in fact they are both dealing with a proxy
- So if an outside user tries to “hack” into the network server…
  - the actual internal network architecture is hidden
- A proxy server can be programmed to block certain requests, sites and actions, e.g.:
  - blocking certain WWW sites
  - preventing FTP downloads

Slide 22: DMZ (Demilitarized Zone)
- Beyond the firewall but not yet through the Internet Router/Gateway…
- A router normally stops incoming Internet traffic from getting onto your network
  - unless the traffic is in response to one of your computers
  - or when using port forwarding
- Alternatively…
  - incoming traffic can go to one computer on your network by establishing a "Default DMZ Server" (a humorous reference to "Demilitarized Zone")
  - avoids having to figure out what ports an Internet application wants
    - all ports are open for that computer…

Slide 23: Bastion Host
- Acts as a firewall, and also runs the proxy and other services
- Main or only point of contact between users of an internal network and the external network
- Must be highly secured because it is vulnerable to attack
- External logins to the Bastion Host must not be allowed, as user accounts represent an easy way to attack networks…

Slide 24: Dual Homed Host
- Based on a dual homed computer (2+ interfaces)
- Does NOT allow through routing of packets
- Communication through the DHH occurs as follows:
  - via proxies
  - users log in to the DHH
- However:
  - logging users in to the DHH will create further security problems…
  - not all Internet services can be proxied, for technical reasons

Slide 25: Dual-homed Host with proxy services
[Diagram: internal network <-> Dual Homed Host (the firewall, running proxy services) <-> INTERNET]

Slide 26: Screened Host
- Uses a screening router
  - can block certain types of service
- Routes packets to the internal bastion only
  - may act as a proxy for services
- Disadvantage:
  - if the internal bastion is hacked into
  - then other computers on the internal network can easily be accessed

Slide 27: Screened Host
[Diagram: INTERNET <-> Screening Router (blocked services marked X) <-> Bastion Host (proxy services); together these form the firewall]

Slide 28: Typical Types of External Attacks - 1
- Exhaustive
  - “brute force” attacks using all possible combinations of passwords to gain access
- Inference
  - taking educated guesses at passwords, based on information gleaned
- TOC/TOU (Time of check / time of use)
  1. use of a “sniffer” to capture log-on data
  2. (later) using the captured data and IP address in an attempt to impersonate the original user/client

Slide 29: Typical Types of External Attacks - 2
- Three other types of attack that firewalls should be configured to protect against:
  - denial of service (DoS) attacks
  - distributed denial of service (DDoS) attacks
  - IP spoofing (pretence that the data is coming from a “safe” source IP address)

Slide 30: Firewalls and TCP, UDP ports
- Remember this model?
[Diagram: TELNET, FTP, SMTP, NFS, DNS and SNMP sit above TCP and UDP, which in turn sit above IP]

Slide 31: TCP ports that may be open to attack
- TCP and UDP ports
  - both important features of TCP/IP
  - provide logical links for passing data between the transport layer and an application layer service
- Usually defined by an RFC (remember those?)
- Examples:
  - FTP: port 21
  - Telnet: port 23
  - SMTP: port 25
  - DNS: port 53
  - HTTP: port 80
  - POP3: port 110
- Problem…
  - what if the service isn’t being used?…

Slide 32: Blocking TCP ports with a Firewall
- Very many TCP and UDP ports:
  - 0 - 1023 are tightly bound to application services
  - 1024 - 49151 are more loosely bound to services
  - 49152 - 65535 are private, or “dynamic”
- In practice, any port over 1023 could be assigned dynamically to a service…
- One of the more useful features of a firewall is that ports can be configured, and therefore data flow can be monitored and controlled

Slide 33: Blocking TCP ports with a Firewall
- Generally, TCP ports should be:
  - EITHER open for a service (e.g. HTTP on port 80)
  - OR… blocked if there is no service, to stop opportunists
- But if the firewall only allows “official services”, this can cause problems for legitimate users
  - e.g. if port 25 is blocked, email data cannot be sent

Slide 34: Protecting Against TCP/IP Attacks, Probes and Scans
- The TCP/IP protocol stack has been largely unchanged since the early 1980s:
  - more than enough time for hackers to discover its weaknesses
  - attacks often come through a particular TCP port

Slide 35: TCP Port 21: FTP (File Transfer Protocol)
- FTP servers are excellent
  - BUT by their very nature they open up very big security holes
  - those that allow anonymous logins are used:
    - to launch attacks on the server itself, by connecting to the C: drive and downloading viruses or overwriting/deleting files
    - to store pirated files and programs
- Precaution:
  - configure FTP servers NOT to accept anonymous logins
  - only allow access to port 21 through the firewall to that particular server

Slide 36: Making Effective use of the DMZ
- Even better alternative for port 21 security:
  - place the FTP server on a perimeter network, or "DMZ", of the firewall
- A DMZ is used to segregate inherently insecure servers that require a higher degree of network access from the rest of your network
  - an FTP server on a DMZ that has been compromised will then not be able to be used to attack the rest of the network
  - of course, if there is no FTP server, a DMZ might not be necessary…

Slide 37: TCP Port 23: Telnet
- Telnet is really good for providing access to servers and other devices
  - accessing a server via Telnet is very much like being physically located at the server console
- Protecting against Telnet is simple:
  - block ALL access to port 23 from the outside
  - block perimeter networks to the inside
- Protecting internal servers from attack from the inside:
  - configure them to accept Telnet connections from very few sources
  - or block port 23 completely…

Slide 38: TCP Port 25: SMTP
- Email programs are large, complex and accessible…
  - therefore an easy target…
  - Buffer overrun:
    - an attacker enters more characters (perhaps including executable code) into an email field (e.g. To:) than the email server expects
      - an error could be generated
      - hackers could gain access to the server and the network
  - SPAM attack:
    - the protocol design allows a message to go directly from the originator's email server to the recipient's email server
    - it can ALSO be relayed by one or more mail servers in the middle
    - BUT… this is routinely abused by spammers
      - who forward a message to thousands of unwilling recipients

Slide 39: Port 25 SMTP: solution…
- Buffer overrun:
  - Solution: put the server on a perimeter network
- Spam attack:
  - Solution: DISABLE the relaying facility…

Slide 40: TCP and UDP Port 53: DNS (Domain Name Service)
- One of the core protocols of the Internet
  - without it, domain name to IP address translation would not exist
- PROBLEMS: if a site hosts DNS, attackers will try to:
  - modify DNS entries
  - download a copy of your DNS records (a process called zone transfer)

Slide 41: Port 53 DNS: Solution…
- Solution:
  - configure the firewall to accept connections from the outside to TCP port 53 only from your secondary DNS server
    - the one downstream from you, e.g. your ISP
  - consider creating two DNS servers: one on your perimeter network, the other on the internal network:
    - the perimeter DNS will answer queries from the outside
    - the internal DNS will respond to all internal lookups
    - configure a stateful inspection firewall to allow replies to the internal DNS server, but deny connections being initiated from it
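The split-DNS policy on this slide as a stateful inspection check, added here as an example and not taken from the presentation: the firewall remembers flows the internal DNS server starts and admits only their replies, refuses new inbound connections to it, and lets TCP port 53 on the perimeter DNS be reached only by the secondary DNS server. The three addresses are constructed assumptions.

```python
# Constructed addresses for the three roles on the slide.
INTERNAL_DNS = "192.168.10.53"   # resolver on the internal network
PERIMETER_DNS = "198.51.100.53"  # authoritative server on the perimeter network (DMZ)
SECONDARY_DNS = "203.0.113.2"    # downstream secondary (e.g. at the ISP) allowed to do zone transfers

class StatefulFirewall:
    def __init__(self):
        # 5-tuples (proto, src, sport, dst, dport) of flows initiated from the inside.
        self.sessions = set()

    def outbound(self, proto, src, sport, dst, dport):
        """Packet leaving the internal network: record the flow so its reply can come back."""
        self.sessions.add((proto, src, sport, dst, dport))
        return "allow"

    def inbound(self, proto, src, sport, dst, dport):
        """Packet arriving from outside: allow only replies, or the explicitly permitted services."""
        # 1. A reply to a flow the inside started: the reversed 5-tuple is in the state table.
        if (proto, dst, dport, src, sport) in self.sessions:
            return "allow"
        # 2. Anything else aimed at the internal DNS is a connection initiated from outside: deny.
        if dst == INTERNAL_DNS:
            return "deny"
        # 3. TCP port 53 on the perimeter DNS (zone transfer) only from the secondary server.
        if dst == PERIMETER_DNS and proto == "tcp" and dport == 53:
            return "allow" if src == SECONDARY_DNS else "deny"
        # 4. Ordinary UDP queries from anywhere may reach the perimeter DNS; it answers the outside.
        if dst == PERIMETER_DNS and proto == "udp" and dport == 53:
            return "allow"
        return "deny"
```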

Slide 42: TCP Port 79: Finger
- A service that enumerates all the services you have available on your network servers:
  - an invaluable tool in probing or scanning a network prior to an attack!
- To deny all this information about network services to would-be attackers, just block port 79…

Slide 43: TCP Ports 109-110: POP (Post Office Protocol)
- POP is easy to use…
  - but sadly it has a number of insecurities
- The most insecure version is POP3, which runs on port 110
  - if the email server requires POP3, block all access to port 110 except to that server
  - if POP3 is not used, block port 110 entirely…

Slide 44: TCP Ports 135 and 137: NetBIOS
- The Microsoft Windows protocol used for file and print sharing
  - the last thing you probably want is for users on the Internet to connect to your servers' files and printers!
- Block NetBIOS. Period!

Slide 45: UDP Port 161: SNMP
- SNMP is important for remote management of network devices:
  - but it also poses inherent security risks
  - it stores configuration and performance parameters in a database that is then accessible via the network…
- If the network is open to the Internet, hackers can gain a large amount of very valuable information about the network…
- So… if SNMP is used:
  - allow access to port 161 from the internal network only
  - otherwise, block it entirely

Slide 46: Denial of Service (DoS) Attacks
- An attempt to harm a network by flooding it with traffic so that network devices are overwhelmed and unable to provide services.
- One of the primary DoS attacks uses Ping, an ICMP (Internet Control Message Protocol) service:
  - sends a brief request to a remote computer asking it to echo back its IP address

Slide 47: “Ping” Attacks
- Dubbed the "Ping of Death"
- Two forms:
  - the attacker deliberately creates a very large ping packet and then transmits it to a victim
    - ICMP can't deal with large packets
    - the receiving computer is unable to accept delivery and crashes or hangs
  - an attacker sends thousands of ping requests to a victim so that its processor time is taken up answering ping requests, preventing the processor from responding to other, legitimate requests
- Protection:
  - block ICMP echo requests and replies
  - ensure there is a rule blocking "outgoing time exceeded" and "unreachable" messages

Slide 48: Distributed Denial of Service Attacks / IP Spoofing
- Related:
  - a DDoS attack has occurred when attackers gain access to a wide number of PCs and then use them to launch a coordinated attack against a victim
    - often relies on home computers, since they are less frequently protected (worms and viruses can also be used)
  - if IP spoofing is used, attackers can gain access to a PC within a protected network by obtaining its IP address and then using it in packet headers

Slide 49: Protection against DDoS & IP Spoofing
- Block traffic coming into the network that contains IP addresses from the internal network…
- In addition, block the following private, illegal and unroutable addresses:
  - Illegal/unroutable:
    - 255.255.255.255, 27.0.0.0, 240.0.0.0 and 0.0.0.0
  - “Private” addresses useful for NAT or proxy servers (RFC 1918):
    - 10.0.0.0-10.255.255.255
    - 172.16.0.0-172.31.255.255
    - 192.168.0.0-192.168.255.255
- Finally, keep anti-virus software up to date, and firewall software patched and up to date
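The ingress anti-spoofing check from this slide applied to source addresses, as an added example rather than the presentation's own material: it blocks packets arriving on the external interface whose source claims to be the internal LAN, an RFC 1918 range, or an unroutable address. The 192.168.10.0/24 LAN and the log lines are constructed; the slide's 0.0.0.0, 240.0.0.0 and 255.255.255.255 entries are taken as whole blocks (0.0.0.0/8 and 240.0.0.0/4, which includes the broadcast address) and the loopback block is added, both as assumptions about the slide's intent.

```python
import ipaddress

# Constructed: the prefix used inside the protected LAN.
INTERNAL = [ipaddress.ip_network("192.168.10.0/24")]

# RFC 1918 private ranges, as listed on the slide.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Unroutable sources: the unspecified, loopback and reserved blocks (assumption: the
# slide's single addresses stand for these whole blocks; 255.255.255.255 lies in 240.0.0.0/4).
UNROUTABLE = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "240.0.0.0/4")]

def ingress_verdict(src: str) -> str:
    """Verdict for a packet arriving on the external interface, judged by its source address."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "block: malformed source"
    if any(addr in n for n in INTERNAL):
        return "block: claims internal source"   # outside packet pretending to be one of ours
    if any(addr in n for n in PRIVATE):
        return "block: RFC 1918 source"          # never a valid source on the Internet side
    if any(addr in n for n in UNROUTABLE):
        return "block: unroutable source"
    return "allow"

# Constructed sample of "src -> dst" entries, as an external interface might log them.
SAMPLE = """203.0.113.9 -> 192.168.10.80
192.168.10.5 -> 192.168.10.80
10.1.2.3 -> 192.168.10.80
127.0.0.1 -> 192.168.10.80
255.255.255.255 -> 192.168.10.80
not-an-address -> 192.168.10.80"""

def filter_log(text: str):
    """Return [(src, verdict)] for each 'src -> dst' line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split(" -> ")
        if len(parts) != 2:
            continue
        out.append((parts[0], ingress_verdict(parts[0])))
    return out
```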

