1 Chapter 10: Data Centre and Network Security
Objectives:
* Proxies and Gateways
* Firewalls
* Virtual Private Network (VPN)
* Security issues

2 Proxies and gateways
[Figure: two diagrams of information direction. Top: Client → Gateway → Internet → Destination server. Bottom: Client → Proxy → Internet → Destination server.]
A gateway is a network point that acts as an entrance to another network. A proxy server acts as a go-between for requests from clients seeking resources and the servers that hold them. A client connects to the proxy server and requests some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server evaluates the request according to its filtering rules and, if allowed, passes the request on to the appropriate server; the destination only ever sees a connection from the proxy. A computer acting as a gateway node is often also acting as a proxy server and a firewall.

3 Packet filter router or Firewall
[Figure: a packet-filter router/firewall between the Internet and Net 1 / Net 2. Allowable outgoing IP addresses: 146.176.151.10, 146.176.151.112, 146.176.155.122. Allowable incoming IP addresses: 55.65.100.10, 192.54.192.3.]
A firewall is an integrated collection of security measures designed to prevent unauthorized access to an intranet. It is also a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all traffic between different security domains based upon a set of rules and other criteria.

4 Application-level firewall
[Figure: Client → application-level firewall containing one proxy per protocol, Proxy (FTP) and Proxy (HTTP) → network connection → External systems.]
Each protocol is handled by its own proxy, so only requests that the proxy understands and accepts are re-originated on the external side.

5 Application-level firewall (dual-firewall gateway)
[Figure: Internet → Firewall A → Gateway → Firewall B → Net 1 / Net 2. Firewall A only accepts data packets addressed to the gateway; Firewall B only accepts data packets addressed to the gateway.]
No packet can travel directly between the Internet and the internal networks: every connection terminates on the gateway and is re-originated by its proxies.
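The request evaluation that slides 2, 4 and 5 describe, as an added example that is not part of the original slides: the decision logic of an HTTP proxy inside an application-level firewall. The proxy parses the request line, works out the real destination (absolute-form targets for plain HTTP, CONNECT host:port for TLS tunnels) and checks it against a policy of allowed methods, hosts and ports. The policy table and the sample requests are constructed assumptions.

```python
"""Application-level (proxy) filtering of HTTP requests.

Added example, not from the original slides. The policy table, host names
and sample requests are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed policy: what internal clients may ask the proxy to reach.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"www.example.com", "downloads.example.org"}
ALLOWED_PORTS = {80, 443}


def parse_request_line(raw: bytes):
    """Parse the first line of an HTTP/1.x request: METHOD SP target SP version."""
    line = raw.split(b"\r\n", 1)[0].decode("ascii")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    return parts[0], parts[1], parts[2]


def destination(method: str, target: str):
    """Return (host, port) the request is really trying to reach.

    A forward proxy sees absolute-form targets (GET http://host/path) and
    CONNECT host:port for TLS tunnels; origin-form (/path) is rejected.
    """
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        if not host or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        return host.lower(), int(port)
    u = urlsplit(target)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError("target must be an absolute http(s) URL")
    # u.hostname ignores userinfo, so http://allowed@evil/ resolves to evil
    return u.hostname.lower(), u.port or (443 if u.scheme == "https" else 80)


def evaluate(raw_request: bytes) -> tuple[bool, str]:
    """Decide whether the proxy should forward this request (default: refuse)."""
    try:
        method, target, _ = parse_request_line(raw_request)
        host, port = destination(method, target)
    except ValueError as e:          # UnicodeDecodeError is a ValueError too
        return False, f"reject: {e}"
    if method != "CONNECT" and method not in ALLOWED_METHODS:
        return False, f"reject: method {method} not allowed"
    if host not in ALLOWED_HOSTS:
        return False, f"reject: host {host} not on allow-list"
    if port not in ALLOWED_PORTS:
        return False, f"reject: port {port} not allowed"
    return True, f"forward to {host}:{port}"
```

Note that the destination is taken from the parsed host name, not from a substring search over the raw target: a target such as http://www.example.com@evil.example.net/ contains an allowed name but actually addresses evil.example.net, and a proxy that matched on the raw string would forward it.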

6 Ring-fenced firewall
[Figure: a single external connection to the Internet through a router and firewall; Site 1, Site 2 and Site 3 each sit behind their own firewall, with audit monitors on the internal links.]

7 Filtering routers (Firewalls)
[Figure: the firewall inspects the IP and TCP/UDP headers of INCOMING and OUTGOING packets and marks each as Allowed or Disallowed; monitoring software at Site 1, Site 2 and Site 3 collects the results.]
Header fields a filtering router matches on:
* Source IP address
* Destination IP address
* Source port
* Destination port
* Protocol (TCP/UDP)

8 Encryption tunnels or Virtual Private Network (VPN)
[Figure: an intranet over the Internet. Net 1 and Net 2 behind one firewall, Net 3 and Net 4 behind another, joined across the Internet by routers with encryption/decryption.]

9 Encryption tunnels
[Figure: INFO → ENCR (encrypted data) → INFO, with a public key / private key pair at each end.]
The user's public key is used to encrypt data; the user's private key is used to decrypt it. In practice the public key is used only to protect a freshly generated symmetric session key, and that session key encrypts the bulk traffic, because public-key operations are far too slow for the data itself.
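The tunnel on slides 8 and 9 worked through as an added example, not code from the original slides: the sender wraps a random session key with the receiver's public key, encrypts the data with that session key, and the receiver unwraps it with the private key. The RSA modulus is built from two small Mersenne primes (2^31-1 and 2^61-1) with no padding, and the keystream is HMAC-SHA256 in counter mode standing in for a real cipher such as AES-GCM; the key sizes, the message and the nonce length are all assumptions for illustration, and the construction is a toy, not something to deploy.

```python
"""Public-key protected encryption tunnel (hybrid encryption).

Added example, not from the original slides. Textbook RSA with tiny Mersenne
primes and no padding (insecure, for illustration only); HMAC-SHA256 counter
mode stands in for a real symmetric cipher. All sizes are assumptions.
"""
import hashlib
import hmac
import secrets

P, Q = (1 << 31) - 1, (1 << 61) - 1   # both prime; a ~92-bit modulus is a toy
E = 65537                             # public exponent, coprime to (P-1)(Q-1)


def rsa_keypair():
    """Return (public, private) = ((n, e), (n, d))."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)               # modular inverse (Python 3.8+)
    return (n, E), (n, d)


def keystream(session_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: concatenated HMAC(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(session_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def tunnel_encrypt(peer_public, plaintext: bytes):
    """Sender side: wrap a fresh 64-bit session key with the peer's public key,
    then encrypt the data under the session key. Returns (wrapped, nonce, ct)."""
    n, e = peer_public
    session_key = secrets.token_bytes(8)      # as an integer this is < 2**64 < n
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    nonce = secrets.token_bytes(8)
    ks = keystream(session_key, nonce, len(plaintext))
    return wrapped, nonce, bytes(a ^ b for a, b in zip(plaintext, ks))


def tunnel_decrypt(private, wrapped: int, nonce: bytes, ciphertext: bytes) -> bytes:
    """Receiver side: recover the session key with the private key, then decrypt."""
    n, d = private
    session_key = pow(wrapped, d, n).to_bytes(8, "big")
    ks = keystream(session_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))
```

Two things a real VPN adds that this block deliberately leaves out: integrity (an attacker can flip bits in the XOR ciphertext undetected, which is why real tunnels use an AEAD mode or a separate MAC) and peer authentication (the sender must know the public key really belongs to the other site, which IKE and TLS solve with certificates or pre-shared keys).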

10 Virtual Private Network (VPN)
A typical VPN might have a main LAN at the corporate headquarters of a company, other LANs at remote offices or facilities, and individual users connecting from out in the field. Basically, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as a leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee.

11 Security risks
1. Data protection. This is typically where sensitive or commercially important information is kept. It might include information databases, design files or source code files. One method of reducing this risk is to encrypt important files with a password and/or some form of data encryption.
2. Software protection. This involves protecting all the software packages from damage or from being misconfigured. A misconfigured software package can cause as much damage as a physical attack on a system, because it can take a long time to find the problem.
3. Physical system protection. This involves protecting systems from intruders who might physically attack the systems. Normally, important systems are locked in rooms and then within locked rack-mounted cabinets.
4. Transmission protection. This involves a hacker tampering with a transmission connection. It might involve tapping into a network connection or total disconnection. Tapping can be made harder by many methods, including using optical fibres, which are difficult to tap crudely (it would typically involve sawing through a cable with hundreds of fibres, each of which would have to be reconnected as it was originally); clip-on bend couplers can nevertheless tap a fibre without cutting it, so encrypting the traffic remains the real protection. Underground cables can avoid total disconnection, or its damage can be reduced by having redundant paths (such as different connections to the Internet).

12 Security issues: hacking methods
IP spoofing. The hacker forges packets carrying the source address of an authorized host, and uses that address to pass address-based access checks.
Packet sniffing. Listens to TCP/IP traffic passing on the network, capturing anything sent unencrypted.
Password attack. The hacker runs programs which determine the password of a user. Once into the system the hacker can then move on to other, more trusted, users.
Session hijacking attacks. The hacker taps into a conversation between two computers. A remote trusted user could start the conversation, but the hacker could continue it.
Shared library attacks.
Social engineering attacks. Typically the hacker uses social methods to determine a user's password.
Technological vulnerability attack. The hacker attacks a vulnerable part of the system, such as rebooting the computer, spreading viruses, etc.
Trust-access attacks. The hacker adds their system to one of the trusted systems, and can then get full administrator privileges.

13 Best practices for high-security networks
1. BAN EXTERNAL CONNECTIONS. In a highly secure network, all external traffic should go through a strong firewall. There should be no other external connections on the network. If possible, telephone lines should be monitored to stop data being transferred over them without going through the firewall.
2. SECURE ACCESS TO RESOURCES. Typically users must use swipe cards, or some biometric technique, to gain access to a restricted domain.
3. VIRUS PROTECTION. All computers which access the Internet should be well protected against malicious programs and viruses.
4. FIREWALLS USED BETWEEN DOMAINS. Internal hackers can be as big a problem as external hackers. Thus firewalls should be used between domains to limit access.
5. BASE AUTHENTICATION ON MAC ADDRESSES. Network addresses do not offer good authentication of a user, as they can be easily spoofed. A slightly stronger check is the MAC address of the computer, which is intended to be unique to the interface. Note, however, that a MAC address can also be changed in software with a single command, so at best it identifies a machine on the local segment against casual misuse; it is not a substitute for authenticating the user.
6. MONITORING OF LOG EVENTS. All the important security-related events should be monitored within each domain. If possible they should be recorded over a long period of time. Software should be used to try to determine incorrect usage.

14 Intrusion Detection System (IDS)
Intrusion detection is an important part of a solid network security strategy, especially for administrators who implement the best practice of defense in depth. It provides monitoring of network resources to detect intrusions and attacks that were not stopped by the preventative techniques. For many reasons, it is impossible for firewalls to prevent all attacks: a firewall passes the traffic its policy allows, and an attack carried inside allowed traffic (a malicious request to a published web server, for instance) goes straight through.


16 Intrusion detection approaches
Anomaly detection:
* A baseline is defined to describe the normal state of the network or host
* Any activity outside the baseline is considered to be an attack, so the false-positive rate depends on how well the baseline captures legitimate variation

17 Signature detection:
* Also known as misuse detection
* The IDS analyzes the information it gathers and compares it to a database of known attacks, which are identified by their individual signatures
The signature detection method is good at detecting known attacks. Signatures enable the IDS to detect an attack without any knowledge of normal traffic on the given network, but also require that a signature be created and entered into the sensor's database, so a new or deliberately obfuscated attack is missed until a signature exists for it.
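Both approaches from slides 16 and 17 run over the same constructed web-server access log, as an added example that is not part of the original slides. Signature detection matches each request against two known-attack patterns (a SQL-injection tautology and directory traversal) after URL-decoding it; anomaly detection counts requests per source per minute and flags any source that exceeds an assumed baseline. The signatures, the baseline of 20 requests per minute and every log line are constructed for the example.

```python
"""Signature and anomaly detection run over web-server log lines.

Added example, not from the original slides. The two signatures, the
per-minute baseline and every log line are constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache common-log-format lines: normal browsing, two attack
# requests from 203.0.113.9, then a 30-request burst from 198.51.100.7
# inside a single minute.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /about.html HTTP/1.1" 200 1180',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /login.php?user=admin%27%20OR%20%271%27=%271 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /images/..%2F..%2Fetc/passwd HTTP/1.1" 404 209',
] + [
    f'198.51.100.7 - - [10/Oct/2023:13:56:{s:02d} +0000] "GET /p{s} HTTP/1.1" 404 209'
    for s in range(30)
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Signature database: name -> pattern applied to the URL-decoded request target.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s*'", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def parse(line: str):
    """Split one log line into its fields, or None if it is not in the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_alerts(lines):
    """Misuse detection: match each decoded request against known-attack patterns."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        decoded = unquote(rec["target"])   # decode first, or %27 / %2F evade the match
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                alerts.append((rec["src"], name, rec["target"]))
    return alerts


def anomaly_alerts(lines, baseline_per_minute=20):
    """Anomaly detection: flag any source exceeding the assumed normal request rate."""
    per_minute = Counter()
    for line in lines:
        rec = parse(line)
        if rec is not None:
            per_minute[(rec["src"], rec["ts"][:17])] += 1   # key: source and minute
    return sorted(
        (src, minute, n)
        for (src, minute), n in per_minute.items()
        if n > baseline_per_minute
    )
```

The two detectors catch different things: the burst from 198.51.100.7 carries no known-attack string and is only visible to the rate baseline, while the two requests from 203.0.113.9 are well within normal volume and are only caught by the signatures. Decoding before matching matters in the same way for a real sensor as it does here: both attack requests arrive percent-encoded, and a signature applied to the raw target would see neither.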

18 Protected system
There are primarily two types of intrusion detection systems on the market today: those that are host-based and those that are network-based.

19 Host-based IDS
* Used to protect a critical network server
* The host-based IDS agent uses resources on the host server (disk space, memory, and processor time)
* Analyzes the logs of the operating system and applications
* Monitors file checksums to identify changes

20 Network-based IDS
* Monitors activity on one or more network segments, while host-based IDS are software agents that reside on the protected system
* A NIDS analyzes all passing traffic
* NIDS sensors usually have two network connections: one that only sniffs passing traffic (typically left without an IP address so the sensor cannot be addressed from the monitored segment), and a management interface used to send data such as alerts to a centralized management system

21 NIDS architecture
Place IDS sensors strategically to defend the most valuable assets. Typical locations of IDS sensors:
– Just inside the firewall
– On the DMZ
– On the server farm segment
– On network segments connecting mainframe or midrange hosts

22 Firewalls
Basic packet filtering on:
– Protocol type
– IP address
– TCP/UDP port
– Source routing information (packets carrying a source-route option are normally dropped outright, since they let the sender dictate the path and bypass routing-based controls)
Access control lists (ACLs): rules built according to organizational policy that define who can access which portions of the network.
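The packet filter of slides 3, 7 and 22 as an added example that is not part of the original slides: a stateless ACL evaluated first match wins with a default deny. The allowed addresses are the ones shown on slide 3 (146.176.151.10, 146.176.151.112 and 146.176.155.122 outgoing; 55.65.100.10 and 192.54.192.3 incoming); the internal prefix 146.176.0.0/16, the choice of an internal web server on TCP/80 as the inbound service, and the sample packets are assumptions.

```python
"""Stateless packet-filter (ACL) evaluation: first match wins, default deny.

Added example, not from the original slides. The allowed addresses come
from slide 3; the internal prefix, the inbound service and the sample
packets are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_PORT = range(0, 65536)


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out", relative to the protected network
    proto: str                # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    source_routed: bool = False   # IP source-route option present


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: range = ANY_PORT
    dport: range = ANY_PORT

    def matches(self, p: Packet) -> bool:
        return (
            self.direction in ("any", p.direction)
            and self.proto in ("any", p.proto)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and p.sport in self.sport
            and p.dport in self.dport
        )


INTERNAL = "146.176.0.0/16"   # assumed prefix covering Net 1 and Net 2

ACL = [
    # Anti-spoofing: nothing arriving from outside may claim an internal source.
    Rule("deny", direction="in", src=INTERNAL),
    # Only three internal hosts may initiate connections to the Internet (slide 3).
    Rule("allow", direction="out", src="146.176.151.10/32"),
    Rule("allow", direction="out", src="146.176.151.112/32"),
    Rule("allow", direction="out", src="146.176.155.122/32"),
    # Only two external hosts may reach the (assumed) internal web server on TCP/80.
    Rule("allow", direction="in", proto="tcp", src="55.65.100.10/32",
         dst="146.176.151.10/32", dport=range(80, 81)),
    Rule("allow", direction="in", proto="tcp", src="192.54.192.3/32",
         dst="146.176.151.10/32", dport=range(80, 81)),
]


def filter_packet(p: Packet, acl=ACL) -> tuple[str, str]:
    """Return (action, reason). Source-routed packets never reach the ACL."""
    if p.source_routed:
        return "deny", "source-routed packet"
    for i, rule in enumerate(acl):
        if rule.matches(p):
            return rule.action, f"rule {i}"
    return "deny", "default deny"
```

Rule order matters: the anti-spoofing deny sits first so that an external packet forged with 146.176.151.112 as its source is dropped before the allow rules are consulted. Being stateless, a filter like this cannot tell a reply to an outbound connection from an unsolicited inbound packet; that is the gap stateful firewalls close by tracking connections, and it is why the inbound rules here have to name the service explicitly.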

23 Demilitarized zone (DMZ)
* Area set aside for servers that are publicly accessible or have lower security requirements
* Sits between the Internet and the internal network's line of defense


25 Network IDS reactions: shunning or blocking
The sensor dynamically adds a deny rule on the firewall or router for the offending source address. Because the decision is keyed on a source address, an attacker can send spoofed packets to get legitimate addresses shunned, so shun entries should be time-limited and never applied to critical peers.

26 Network IDS reactions: TCP resets
The sensor forges TCP RST segments to both ends of the suspect connection to tear it down. This works only for TCP, and the packet that triggered the alert has usually already reached its target, so a reset limits what follows rather than preventing the first exchange.

