
Day 19. Security Tools Firewalls –Host Based –Network based IDS/IPS –Host Based –Network based –Signature based detection –Anomaly based detection Anti.




1 Day 19

2 Security Tools
Firewalls
–Host Based
–Network based
IDS/IPS
–Host Based
–Network based
–Signature based detection
–Anomaly based detection
Anti Virus, Anti Spyware, Anti-spam
Forensic tools
Authentication tools
Encryption Tools

3 What is a firewall
A firewall is a choke point where network traffic can be permitted or denied.
–A set of rules (Access Control List/Policy list) is used to determine what to allow.
For example:
–A machine is a web server (HTTP only)
–Everyone in the world should be able to connect to the web server on port 80 TCP
–All other ports should be blocked by a firewall. This prevents unintended services from being exposed and lessens the overall likelihood that the server would be compromised.
–If nobody should ever use this server as a workstation, you could also limit outbound traffic from this machine
  »Helpful for preventing the machine from being used to attack other machines

4 Network based Firewalls
A network firewall is a network device which acts like a router, but has a set of policies it enforces in addition to routing.
–Sometimes this device is the router
  Most high end routers support ACLs, for example:
  access-list 101 permit tcp any host 100.1.1.1 eq 80
–Sometimes the device is actually a separate firewall:
  Juniper, Checkpoint, Sonicwall, etc.

5 Host based firewalls
Sometimes the firewall is built into the OS of the machine it is protecting
–Windows
  Windows Firewall
  BlackICE Firewall
–Unix
  iptables
  ipchains
  IPF

6 Should I use host or network based?
How many machines do you have?
–If you are protecting 2 machines, host based will probably work fine.
–If you had to install host based on 500 computers, it might have been easier to install a network firewall.
Who has access to the machines?
–If the machines are publicly accessible, what stops a malicious person from disabling the firewall?
–Network based firewalls are typically more difficult to disable.
What do you want your machine spending its time on?
–If a machine is a webserver you want it spending its time on serving web pages, not denying traffic; that is probably best done by a network device.

7 Packet Filter Firewalls
Each time you receive a packet, check:
–Who sent it
–Where is it going
–What port did it come from and what is it destined for
–When did it arrive
–What TCP/IP flags are set in the header
–Is it part of an established connection or the start of a new one
Based on the current set of policies, either allow or deny this packet.
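As an added example (not part of the slides), here is a toy stateful packet filter that applies the web-server policy of slide 3 to the per-packet checks of slide 7. Packets, rules, the `PacketFilter` class and the client addresses are all constructed for illustration; only the server address 100.1.1.1 is taken from the deck's own access-list example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp", "udp" or "icmp"
    flags: str = ""     # TCP flags as letters, e.g. "S" = SYN, "A" = ACK

@dataclass
class Rule:
    action: str         # "permit" or "deny"
    direction: str      # "in" (towards the server) or "out" (from it)
    proto: str = "any"
    dport: int = 0      # 0 matches any destination port

SERVER = "100.1.1.1"    # address reused from the slide-4 access-list example
# The slide-3 policy as an ordered rule list; the first matching rule wins.
POLICY = [
    Rule("permit", "in", "tcp", 80),   # the whole world may reach the web server
    Rule("deny", "in"),                # no other inbound service is exposed
    Rule("deny", "out"),               # a web server never starts connections
]

class PacketFilter:
    def __init__(self, rules):
        self.rules = rules
        self.established = set()   # connections a permit rule has admitted

    @staticmethod
    def conn_key(p, direction):
        """Replies travel the other way, so flip them onto the request's key."""
        if direction == "in":
            return (p.src, p.sport, p.dst, p.dport, p.proto)
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def filter(self, p, direction):
        """Apply the slide-7 checks to one packet: 'permit' or 'deny'."""
        key = self.conn_key(p, direction)
        if key in self.established:              # part of an established connection
            return "permit"
        if p.proto == "tcp" and "S" not in p.flags:
            return "deny"                        # mid-stream TCP we never admitted
        for r in self.rules:                     # a new connection: consult policy
            if r.direction != direction or r.proto not in ("any", p.proto):
                continue
            if r.dport not in (0, p.dport):
                continue
            if r.action == "permit":
                self.established.add(key)
            return r.action
        return "deny"                            # implicit deny at end of list
```

The reply to an admitted request is permitted only because the filter remembers the connection; the same SYN-ACK arriving with no tracked state would be dropped.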

8 Proxy based firewalls
When a machine attempts to establish a connection, intercept it.
When the client attempts to connect to the server, the firewall acts like a server to the client.
Next the firewall creates a separate connection to the server (thus acting like a client).
Now the firewall acts like a traffic cop between the client and server by deciding how much of the traffic to pass between them.
(Diagram: Client <-> Firewall <-> Server)

9 Proxy vs. Packet Filter
A Proxy based firewall can do much more intelligent filtering because it understands what is being said between the client and the server.
–For example, a proxy can alter HTML pages or e-mails (for example, stripping out sensitive information, or adding a signature/disclaimer to the end of each message)
A packet filter is much more limited because it only understands the headers of the packets, not the data in them.

10 Intrusion Detection System
One of the most basic security principles is to know when you've been compromised.
–Worst case is you were compromised and don't even know it, because more info can be stolen, or more damage can be done.
In the real world it's obvious, but with complex computers it's less obvious.
IDS systems are designed to help you track intrusions and identify how they were done.

11 File Integrity Checkers
One way to know if your system has been compromised is to know if any files on your system were changed without your knowledge.
–Hackers frequently install software on compromised machines to give them a guaranteed way back in, or to do their bidding (send email, attack someone else)
–File integrity monitors hash all the files on your system periodically and notify you of any changes.
  Tripwire, GFI LANguard, etc.

12 Network based IDS
Network based IDSs typically monitor all packets coming into/out of your network looking for "interesting patterns".
–Interesting patterns are defined by a set of signatures which either a company or the internet community develop based on previous intrusions.
–When a pattern is noticed it logs it, or possibly notifies someone (pager, email, phone)
–E.g. Snort, ISS RealSecure, etc.

13 Logs/Event Viewer
A frequently overlooked but critical security tool is logs.
–Most things which happen on your computer are logged
  Windows: Event Viewer
  Unix/Mac: Logs
–Allow for analysis of what is going on on your computer
–Gives you an audit trail after a compromise to see how it was done, and thus prevent it from happening again.
Of course this assumes the logs aren't erased by the attacker.

14 Intrusion Prevention Systems
A sort of combination of IDS and Firewall.
–The smarts of an IDS with the ability to block traffic like a firewall.
–Think about it as a firewall which can build its own policies based on what's happening to it.
–E.g. You suddenly see a spike of ICMP (ping) traffic from a single address; perhaps after a few thousand packets you should think about stopping it, so the IPS might build a rule to block it.

15 IDS/IPS False Positive problem
One of the biggest problems with IPS is the signatures.
If a popular virus happens to send the string "BLABLA" in an HTTP message to distribute itself, then any webpage with "BLABLA" in it will appear to be an attack.
False positives are frustrating and counter-productive.
Worse yet: your IPS may decide that the attack must be stopped and build a firewall rule to block it.
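An added example (not from the slides) that puts slides 14 and 15 together in one toy IPS: a per-source ICMP threshold that builds its own block rule, and a content signature for the slide's "BLABLA" string. All traffic and addresses are constructed; the last event is a legitimate web page that merely contains the string, which is enough for the IPS to block a site nobody attacked.

```python
from collections import Counter

class ToyIPS:
    def __init__(self, signatures, icmp_threshold, auto_block=True):
        self.signatures = signatures          # {rule name: byte string to look for}
        self.icmp_threshold = icmp_threshold  # pings from one source before reacting
        self.auto_block = auto_block          # True = IPS mode, False = IDS (alert only)
        self.icmp_counts = Counter()
        self.alerts = []                      # (source, rule name) pairs
        self.blocked = set()                  # firewall rules the IPS built itself

    def _react(self, src, rule):
        self.alerts.append((src, rule))
        if self.auto_block:
            self.blocked.add(src)             # "builds a firewall rule to block it"

    def inspect(self, src, proto, payload=b""):
        """Return 'drop' if src is already blocked, otherwise inspect and 'pass'."""
        if src in self.blocked:
            return "drop"
        if proto == "icmp":                   # slide 14: spike of pings from one address
            self.icmp_counts[src] += 1
            if self.icmp_counts[src] > self.icmp_threshold:
                self._react(src, "icmp flood")
        for rule, pattern in self.signatures.items():   # slide 15: content signatures
            if pattern in payload:
                self._react(src, rule)
        return "pass"

def demo():
    """Constructed traffic: a ping burst, a request carrying the signature string,
    and a legitimate web page that merely contains the same string."""
    ips = ToyIPS({"bla-worm": b"BLABLA"}, icmp_threshold=3)
    for _ in range(5):
        ips.inspect("198.51.100.7", "icmp")
    ips.inspect("203.0.113.4", "tcp", b"GET /?BLABLA HTTP/1.1\r\n")
    # The false positive: an ordinary server's page happens to contain BLABLA,
    # so the IPS now blocks a site nobody attacked.
    ips.inspect("192.0.2.10", "tcp", b"HTTP/1.1 200 OK\r\n\r\n<p>BLABLA is a band</p>")
    return ips
```

Running the same signature with `auto_block=False` raises the alert but leaves the web server reachable, which is why low-confidence signatures are usually kept in alert-only mode until they have been tuned.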

16 Anomaly based detection
Another approach which is being worked on is to watch what is normal and then look for things which are abnormal.
–E.g. You use your computer at Clayton from 7:30PM-8:45PM Monday and Wednesday. If your computer is at Clayton on Friday night at 3am, maybe something is up.
Very difficult to get correct; requires lots more work to get right.
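As an added example (not from the slides), a first cut at the anomaly detector this slide sketches: learn which (weekday, hour) slots a user is normally active in from past logon times, then flag new logons outside that profile. The history, the host name and the dates are constructed to mirror the slide's Monday/Wednesday evening habit; the `slack_hours` knob is there to show why getting this right is hard.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

def learn_profile(timestamps, slack_hours=1):
    """Set of (weekday, hour) slots seen in training, widened by slack_hours on
    either side so a session that runs a little late is not an alert.
    Weekday 0 is Monday, as in datetime.weekday()."""
    profile = set()
    for ts in timestamps:
        t = datetime.strptime(ts, FMT)
        for h in range(t.hour - slack_hours, t.hour + slack_hours + 1):
            profile.add((t.weekday(), h % 24))
    return profile

def find_anomalies(profile, events):
    """Return the (timestamp, host) events whose slot was never seen in training."""
    flagged = []
    for ts, host in events:
        t = datetime.strptime(ts, FMT)
        if (t.weekday(), t.hour) not in profile:
            flagged.append((ts, host))
    return flagged

# Constructed history: the slide's habit of using the Clayton machine on
# Monday and Wednesday evenings, 7:30 to 8:45 PM, for three weeks.
HISTORY = [
    "2024-09-02 19:30", "2024-09-04 19:35",   # Mon, Wed
    "2024-09-09 19:40", "2024-09-11 19:31",
    "2024-09-16 19:45", "2024-09-18 19:33",
]

# Constructed new logons: two ordinary ones and the slide's "Friday night at 3am"
# (which is Saturday by the calendar).
NEW_EVENTS = [
    ("2024-09-23 19:32", "clayton-lab-07"),   # Monday evening, normal
    ("2024-09-25 20:40", "clayton-lab-07"),   # Wednesday, a bit late, still normal
    ("2024-09-28 03:00", "clayton-lab-07"),   # 3 AM at the weekend: "maybe something is up"
]

if __name__ == "__main__":
    profile = learn_profile(HISTORY)
    for ts, host in find_anomalies(profile, NEW_EVENTS):
        print(f"anomalous logon: {host} at {ts}")
```

With `slack_hours=0` the 8:40 PM Wednesday session is also flagged, and with a wide slack the 3 AM logon eventually stops being one: the baseline's tolerance decides between false positives and missed intrusions.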

17 Viruses, Spies
Anti-Virus
–Specialized form of IDS.
–Looks for patterns in files on your hard drive.
–Once one is found, assume it is a virus and remove it
  Quarantine it, or delete it at the user's request
Anti-Spyware
–Look for software which may get installed without your knowledge
  E.g. Here is a free screensaver; you also get something which monitors all web pages you go to for opportunities to send you ads

18 VPN
Virtual Private Networks
–Allow users into your private network from across the internet securely.
–VPNs are based on encryption.
  All traffic leaving the client is encrypted by software on their end.
  That encrypted traffic is routed across the internet.
  The other end decrypts the resulting traffic and routes it on the private network.
Traffic is typically encrypted with symmetric cryptography such as AES or Triple DES.
Keys are typically exchanged either manually or automatically via IKE.

