Richard Henson University of Worcester November 2017

1 Richard Henson University of Worcester November 2017
COMP3371 Cyber Security
Richard Henson, University of Worcester, November 2017

2 Week 5: Securing LAN data using Firewalls, VPNs, etc.
Objectives:
- Relate Internet security issues to the TCP/IP protocol stack
- Explain the principles of firewalls and firewalling TCP ports
- Explain what a Proxy Service is, and why it can be a more flexible solution than a firewall
- Explain Internet security solutions that use the principles of a VPN

3 Security and the OSI layers
Simplified TCP/IP model…
- Levels 5/6/7 combined as the application layer
- Level 4: transport
- Levels 1/2/3 combined as the network layer
[Diagram: application layer (HTTP, FTP, HTTPS, NFS, DNS, SNMP) over transport (TCP, UDP) over network (IP)]

4 Vulnerabilities (Technical)
These are the gaps in defences, usually caused ultimately by dodgy software or poor software configuration. For example:
- a TCP port left open on the firewall
- an unpatched operating system
- a badly set up web server that doesn’t use https properly

5 TCP/IP Vulnerabilities
- TCP (Transport Control Protocol) and IP (Internet Protocol) only make up part (layers 3 & 4) of the seven layers
  - upper layers interface with TCP to produce the screen display
  - lower layers are required to interface with IP to create/convert electrical signals
- Each layer interface represents a potential security problem (!)
[Diagram: stack of screen / TCP / IP / hardware]

6 Threats
- None of the previous examples would be cause for concern if there were no hackers
- In practice, hackers would:
  - use bots to detect open ports
  - use scanning software to detect old/unpatched operating systems
  - use web tools to find incorrect https setups

7 Managing Technical Vulnerabilities
- Requires skilled people with time to do this important job!
  - need time… time is money
  - may need equipment/software… money
  - the job is never done; need a budget!
- Organisations are recommended to put an information security management system (ISMS) in place, and get information assurance certification

8 More Organisational Vulnerabilities
Apart from software… people (!)
- could be working inside the organisation boundary
  - maybe on the Intranet?
  - maybe on
- Could be accessing resources through the firewall (i.e. Extranet)
  - using username/password in a hotel lobby

9 Intranet
- Misunderstood concept…
  - achieved by organisations using http(s) to share data internally in a www-compatible format
  - security maintained through:
    - user authentication
    - data transmission system
  - many still call a protected file structure on its own an Intranet… (incorrect!)
- Implemented as EITHER:
  - a single LAN (domain) with a web server
  - several interconnected LANs (trusted domains) covering a larger geographic area

10 Extranet
- Extension of an Intranet to cover selected trusted “links” outside the network boundary
  - e.g. to registered customers and business partners
  - e.g. to employees working “in the field”
- public Internet used for transmission, with TLS & SSL
- requires authentication to gain access (https)
- Can provide secure TCP/IP access to:
  - paid research
  - current inventories
  - internal databases
  - any information that is private and not published for everyone

11 Issues in creating an Extranet
- Public networks…
  - security handled through appropriate use of secure authentication & transmission technologies…
- If using the Internet…
  - client-server web applications across different sites
  - BUT security issues need resolving
  - Could use a VPN (Virtual Private Network)
- Private leased lines between sites
  - do not need to use http, etc.
  - more secure, but expensive (BALANCE)

12 Securing Authentication through Extranets
- Connected Windows networks? Use Kerberos authentication… ?
- VPN?
- BUT… STILL need several TCP ports for authentication when establishing a session…
- Solution: meticulous firewall configuration allows the relevant ports to be opened only for “trusted” hosts

13 Unsecured LAN-Internet Connection: Router Only
[Diagram: Internet/external network → router (packet navigation, no filtering) → internal network]

14 An Unsecured LAN-Internet Connection via Router
- Data passes through unchanged
- Routed by routing protocol & IP address tables
[Diagram: router connecting the two sides at layers 3, 2 and 1]

15 The Internet generally uses IP - HOW can packets be secured?
2017: more than a billion hosts!

16 Securing the Extranet (using OSI levels 1-3)
Problem: the IP protocol sends packets off in different directions according to:
- destination IP address
- routing data
- packets can be intercepted/redirected by a MITM attack
Solution: VPN…
- controls the path of packets
- only routed through the IP addresses of secure servers

17 VPNs (Virtual Private Networks)
Two-pronged defence:
- physically keeping the data away from unsecured servers…
  - several protocols available for sending packets along a pre-defined route
- data encapsulated and encrypted so it appears to travel as if on a point-to-point link, but is still secure even if intercepted
Result: a secure system with pre-determined pathways for all packets

18 VPNs: OSI levels 1-3: restricted use of the Physical Internet
[Diagram: the physical Internet with the VPN path shown in green]

19 Principles of VPN protocols
- The tunnel: where the private data is encapsulated (or “wrapped”)
- The VPN connection interfaces: where the private data is encrypted before entering the tunnel (and decrypted on leaving it)

20 Principles of VPN protocols
- To emulate a point-to-point link: data encapsulated with a header
  - provides routing information
  - allows packets to traverse the shared public network to their endpoint
- To emulate a private link: data encrypted for confidentiality
  - Any packets intercepted on the shared public network are indecipherable without the encryption keys…

21 Using a VPN as part of an Extranet

22 Using a VPN for point-to-point

23 Using a VPN to connect a remote computer to a Secured Network

24 Potential weakness of the VPN
- Once the data is encrypted and in the tunnel it is very secure
- BUT watch for gaps… if any part of that journey is outside the tunnel…
  - e.g. the network path to an outsourced VPN provider
  - scope for security breaches

25 VPN-related protocols offering even greater Internet security
Two possibilities are available for creating a secure VPN:
- Layer 3: IPsec – fixed point routing protocol
- Layer 2 “tunnelling” protocols encapsulate the data within other data before converting it to binary data:
  - PPTP (Point-to-Point Tunnelling Protocol)
  - L2TP (Layer 2 Tunnelling Protocol)

26 IPsec
- First VPN system defined by IETF RFC 2401
- uses ESP (encapsulating security protocol) at the IP packet level
- IPsec provides security services at the IP layer by:
  - enabling a system to select the required security protocols (ESP possible with a number of encryption protocols)
  - determining the algorithm(s) to use for the chosen service(s)
  - putting in place any cryptographic keys required to provide the requested services

27 More about IPSec in practice
- Depends on PKI for authentication
- both ends must be IPsec compliant, but not the various network systems that may be between them…
- Can therefore be used to protect paths between:
  - a pair of hosts
  - a pair of security gateways
  - a security gateway and a host
- Can work with IPv4 and IPv6
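Added example, not from the slides or from any IPsec implementation: an ESP-style tunnel in Go that shows the encapsulation and encryption principles of slides 19, 20 and 26 (a clear SPI/sequence header, an AES-GCM protected inner packet, and an anti-replay check on the sequence number). It assumes the key has already been shared out of band; real IPsec negotiates it with IKE, and each direction of a tunnel is a separate SA with its own key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// SA is one direction of an ESP-style security association: a key agreed out
// of band (IKE with PKI in real IPsec) and the SPI that names it on the wire.
type SA struct {
	aead cipher.AEAD
	spi  uint32
	seq  uint32 // sender: last seq sent; receiver: highest seq accepted
}

func NewSA(key []byte, spi uint32) (*SA, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key shared by both ends
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &SA{aead: aead, spi: spi}, err
}

// Encapsulate emits the clear 8-byte header (SPI, seq) followed by AES-GCM(inner),
// with the header as additional authenticated data and nonce = 0000 || SPI || seq.
func (s *SA) Encapsulate(inner []byte) []byte {
	s.seq++ // must never repeat under this key: nonce uniqueness depends on it
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr, s.spi)
	binary.BigEndian.PutUint32(hdr[4:], s.seq)
	return s.aead.Seal(append([]byte(nil), hdr...), append(make([]byte, 4), hdr...), inner, hdr)
}

// Decapsulate checks length, SPI and anti-replay (seq must increase), then authenticates and decrypts.
func (s *SA) Decapsulate(outer []byte) ([]byte, error) {
	if len(outer) < 8+s.aead.Overhead() || binary.BigEndian.Uint32(outer) != s.spi {
		return nil, errors.New("truncated packet or unknown SPI")
	}
	if binary.BigEndian.Uint32(outer[4:]) <= s.seq {
		return nil, errors.New("replayed sequence number")
	}
	inner, err := s.aead.Open(nil, append(make([]byte, 4), outer[:8]...), outer[8:], outer[:8])
	if err == nil { // advance anti-replay state only after the tag verifies
		s.seq = binary.BigEndian.Uint32(outer[4:])
	}
	return inner, err
}
```

An observer on the public path sees only the SPI and sequence number; the inner packet is opaque, and a replayed, truncated or altered packet is dropped at the receiving gateway.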

28 Layer 2 Security: PPTP, L2TP
- Microsoft: PPTP
- Cisco: L2F (Layer 2 Forwarding)
- Combined to create L2TP; IPsec optional
- Advantages of L2TP:
  - can use PPP authentication and access controls (PAP and CHAP!)
  - uses NCP to handle remote address assignment for the remote client
  - no IPsec, no overhead of reliance on PKI

29 Server v “End-point” security
- Servers (with Internet access)
- End-points (user devices)
Strategies:
- Good security at the network-Internet interface (firewall etc. by TCP port)
- Good security at the user end (secure applications & operating systems)

30 Securing Sharing of Data through Extranets
One solution: the Extranet client uses the web server & browser for user interaction
- secure level 7 application layer www protocols developed
  - https: ensures that pages are only available to authenticated users
  - ssh (secure shell): secure download of files
- secure level 4 transport (TLS) protocol to restrict use of IP navigation to only include secure sites
- relevant firewall ports need to be opened
  - Port 22 if SSH data
  - Port 443 if TCP data sent using http-s (secure http)
  - Port 1723 if data sent as packets using VPN (later…)

31 Secure level 4-7 protocols
Applications that connect through TCP (some use UDP)
- e.g. SSH
  - SSH: University of Helsinki, secure file transfer
  - enhanced SSH-2 (RFC 4252, in 2006)
  - uses TCP port 22
  - runs on a variety of platforms
  - uses the PKI including digital certificates
- e.g. DNS (servers)
  - uses UDP port 53
  - used to connect Internet servers

32 Unsecured LAN-Internet Connection via Router?
- Security nightmare… (?) especially if the router has an easily guessable password!
- Another problem: wrath of IANA
  - IP address awarding & controlling body
  - big penalties
- safeguard: use DHCP (Dynamic Host Configuration Protocol)
  - allocate client IPs from within a fixed range allocated for that purpose by IANA

33 Creating a “Secure Site”?
To put it bluntly, a secure site is a LAN that…
- provides formidable obstacles to potential hackers
- keeps a physical barrier between the local server and the Internet
  - use of an “intermediary” computer: Firewall or Proxy Server
- Restrictions on access
  - security provided by encryption/authentication between levels 4 & 7

34 OSI layer 4-7 security (Stage 1)
Simple Firewall…
- packet filtering by header IP address
  - fooled by “IP spoofing”
- TCP port filtering: data associated with blocked ports is filtered out
  - the TCP port is also held in the packet header

35 Unsecured LAN-Internet Connection: Firewall
[Diagram: Internet/external network → firewall (packet filtering) → internal network]

36 Firewall Configuration
- Blocks data via the TCP port (logical) used by each application protocol that connects to TCP
  - all ports blocked… no data gets through
- Configuration
  - which ports to block
  - as well as which IP addresses to block…
  - auditing of packets for dodgy content

37 Susceptible TCP & UDP ports
Hackers use these to get inside firewalls etc. Essential to know the important ones:
- 20, 21: ftp
- 22: ssh
- 23: telnet
- 25: smtp
- 53 (UDP): dns
- 60: tftp
- 80: http
- 88: Kerberos
- 110: pop
- 135: smb
- 161 (UDP): snmp
- 389: Ldap
- 443: https
- Ldap/SSL
- NetBIOS
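Added example, not from the slides: a stateless packet filter in Go that applies the default-deny, first-match policy described in slides 34 to 37 and opens ports only for trusted hosts as slide 12 recommends. The policy, the network ranges and the audit-line format are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// Packet holds the header fields a stateless filter can inspect (slide 34).
type Packet struct {
	SrcIP   net.IP
	Proto   string // "tcp" or "udp"
	DstPort int
}

// Rule is one policy line; SrcNet "" matches any source, DstPort 0 any port.
type Rule struct {
	Action  string // "allow" or "deny"
	SrcNet  string // CIDR of the trusted hosts a port is opened for (slide 12)
	Proto   string
	DstPort int
}

func (r Rule) matches(p Packet) bool {
	if r.SrcNet != "" {
		if _, n, err := net.ParseCIDR(r.SrcNet); err != nil || !n.Contains(p.SrcIP) {
			return false
		}
	}
	return r.Proto == p.Proto && (r.DstPort == 0 || r.DstPort == p.DstPort)
}

// Filter is first-match with default deny (no rules: nothing gets through) and
// returns the verdict plus an audit line for the firewall log (slide 36).
func Filter(rules []Rule, p Packet) (bool, string) {
	for i, r := range rules {
		if r.matches(p) {
			return r.Action == "allow", fmt.Sprintf("rule %d %s %s/%d from %s", i, r.Action, p.Proto, p.DstPort, p.SrcIP)
		}
	}
	return false, fmt.Sprintf("default deny %s/%d from %s", p.Proto, p.DstPort, p.SrcIP)
}

// ExtranetPolicy (constructed): https open to all, ssh and the PPTP control
// port only from a trusted partner network, telnet refused outright.
var ExtranetPolicy = []Rule{
	{"deny", "", "tcp", 23},
	{"allow", "", "tcp", 443},
	{"allow", "203.0.113.0/24", "tcp", 22},
	{"allow", "203.0.113.0/24", "tcp", 1723},
}
```

With this policy an ssh request from an unknown Internet host falls through to the default deny, while the same request from the partner range is allowed and logged.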

38 An Unsecured LAN-Internet Connection via Firewall
- IP filtering slows down packet flow…
  - may not be necessary? risk?
- Other potential issue…
  - a request by a LAN client for Internet data across a router reveals the client IP address
    - generally a desired effect…. the “local” IP address must be recorded on the remote server
    - the remote server picks up the required data & returns it via the router and server to the local IP address
  - problem: could be intercepted, and future data to that IP address may not be so harmless…

39 A LAN-Internet connection via Gateway
[Diagram: Internet/external network (e.g. TCP/IP) → gateway (packet conversion) → internal network (local protocol)]

40 A LAN-Internet connection via Gateway
- At a gateway, processing can be at higher OSI levels: up to the application layer (!)
- Local packets converted into other formats…
  - the remote network does not have direct access to the local machine
  - IP packets only recreated at the desktop
  - local client IP addresses therefore do not need to comply with IANA allocations

41 A LAN-Internet connection via Proxy Server
[Diagram: Internet/external network (e.g. TCP/IP) → proxy server (local IP addresses) → internal network (local protocol)]

42 The Proxy Server
Acts like a Gateway in some respects:
- provides a physical block between external and internal networks
- but completely isolates internal/external IP addresses
- Still uses the same protocol (e.g. TCP/IP); can cache web pages for improved performance

43 That’s all! Thanks for staying with it! 
