Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Security7-1 Firewalls isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others. firewall.

Published byJulia Hart Modified over 9 years ago

Similar presentations

Presentation on theme: "Network Security7-1 Firewalls isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others. firewall."— Presentation transcript:

1 Network Security7-1 Firewalls isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others. firewall

2 Network Security7-2 Firewalls: Why Prevent denial of service attacks: m Denial-of-Service (DoS) attack: Send many fake requests to congest link or consume server resource (CPU, memory) m SYN flooding: attacker sends many SYNs to victim; victim has to allocate connection resource; victim has no resource left for real connection requests any more. Usually with spoofed source IP address Prevent illegal modification/access of internal data. m e.g., attacker replaces CIA’s homepage with something else

3 Network Security7-3 Firewalls: Why Allow only authorized access to inside network m Set of authenticated users m Set of authorized IP addresses Two types of firewalls: m application-level Checking application level data m packet-filtering Checking TCP or IP packets only

4 Network Security7-4 Packet Filtering r internal network connected to Internet via router firewall r router filters packet-by-packet, decision to forward/drop packet based on: m source IP address, destination IP address m TCP/UDP source and destination port numbers m ICMP message type m TCP SYN and ACK bits Should arriving packet be allowed in? Departing packet let out?

5 Network Security7-5 Packet Filtering r Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. m All incoming and outgoing UDP flows and telnet connections are blocked. r Example 2: Block inbound TCP segments with SYN=1. m Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside. Example of Windows XP service pack 2 firewall

6 Network Security7-6 Application gateways r Filters packets on application data as well as on IP/TCP/UDP fields. r Example: allow select internal users to telnet outside. host-to-gateway telnet session gateway-to-remote host telnet session application gateway router and filter 1. Require all telnet users to telnet through gateway. 2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections 3. Router filter blocks all telnet connections not originating from gateway. r Example: block user access to know porn websites m Check if the Web URL is in a “black-list”

7 Network Security7-7 Limitations of firewalls and gateways r IP spoofing: router can’t know if data “really” comes from claimed source m SYN flood attack m UDP traffic r client software must know how to contact application gateway. m e.g., must set IP address of proxy in Web browser r Speed constraint on high-bandwidth link m Application-level firewall is time consuming r filters often use all or nothing policy for UDP m Usually most incoming UDP ports are blocked m The trouble caused to real-time Internet video

8 Network Security7-8 Limitations of firewalls and gateways r tradeoff: degree of communication with outside world, level of security r Trend --- remote office m Blurred boundary between inside outside m Employee laptop threat r many highly protected sites still suffer from attacks

9 Network Security7-9 Internet security threats Mapping: m before attacking: “case the joint” – find out what services are implemented on network  Use ping to determine what hosts have addresses on network m Port-scanning: try to establish TCP connection to each port in sequence (see what happens) m nmap (http://www.insecure.org/nmap/) mapper: “network exploration and security auditing” Countermeasures?

10 Network Security7-10 Internet security threats Mapping: countermeasures m record traffic entering network m look for suspicious activity (IP addresses, pots being scanned sequentially) m Firewall to block incoming TCP/SYN to ports or computers not providing the services m Block ping traffic

11 Network Security7-11 Internet security threats Packet sniffing: m broadcast media m promiscuous NIC reads all packets passing by m can read all unencrypted data (e.g. passwords) m e.g.: C sniffs B’s packets A B C src:B dest:A payload Countermeasures?

12 Network Security7-12 Internet security threats Packet sniffing: countermeasures m all hosts in orgnization run software that checks periodically if host interface in promiscuous mode. m one host per segment of broadcast media (switched Ethernet at hub) A B C src:B dest:A payload

13 Network Security7-13 Internet security threats IP Spoofing: m can generate “raw” IP packets directly from application, putting any value into IP source address field m receiver can’t tell if source is spoofed m e.g.: C pretends to be B A B C src:B dest:A payload Countermeasures?

14 Network Security7-14 Internet security threats IP Spoofing: egress filtering m routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router’s network) m great, but egress filtering can not be mandated for all networks A B C src:B dest:A payload

15 Network Security7-15 Internet security threats Denial of service (DOS): m flood of maliciously generated packets “swamp” receiver m Distributed DOS (DDOS): multiple coordinated sources swamp receiver m e.g., C and remote host SYN-attack A A B C SYN Countermeasures?

16 Network Security7-16 Internet security threats Denial of service (DOS): countermeasures m filter out flooded packets (e.g., SYN) before reaaching host Cooperation with source routers Detect spoofed SYN based on TTL values m traceback to source of floods (most likely an innocent, compromised machine) A B C SYN

17 Network Security7-17 Secure e-mail (suppose K + B known) Alice:  generates random symmetric private key, K S.  encrypts message with K S (for efficiency)  also encrypts K S with Bob’s public key.  sends both K S (m) and K B (K S ) to Bob.  Alice wants to send confidential e-mail, m, to Bob. K S ( ). K B ( ). + + K S (m ) K B (K S ) + m KSKS KBKB + Internet KSKS

18 Network Security7-18 Secure e-mail (suppose K + B known) Bob:  uses his private key to decrypt and recover K S  uses K S to decrypt K S (m) to recover m  Alice wants to send confidential e-mail, m, to Bob. K S ( ). K B ( ). + + - K S (m ) K B (K S ) + m KSKS KSKS KBKB + Internet K S ( ). K B ( ). - KBKB - KSKS m K S (m ) K B (K S ) +

19 Network Security7-19 Secure e-mail (continued) Alice wants to provide sender authentication message integrity. Alice digitally signs message. sends both message (in the clear) and digital signature. H( ). K A ( ). - + - H(m ) K A (H(m)) - m KAKA - Internet m K A ( ). + KAKA + K A (H(m)) - m H( ). H(m ) compare

20 Network Security7-20 Secure e-mail (continued) Alice wants to provide secrecy, sender authentication, message integrity. Alice uses three keys: her private key, Bob’s public key, newly created symmetric key H( ). K A ( ). - + K A (H(m)) - m KAKA - m K S ( ). K B ( ). + + K B (K S ) + KSKS KBKB + Internet KSKS

21 Network Security7-21 Pretty good privacy (PGP) r Internet e-mail encryption scheme, de-facto standard. r uses symmetric key cryptography, public key cryptography, hash function, and digital signature as described. r provides secrecy, sender authentication, integrity. r inventor, Phil Zimmerman, was target of 3-year federal investigation. ---BEGIN PGP SIGNED MESSAGE--- Hash: SHA1 Bob:My husband is out of town tonight.Passionately yours, Alice ---BEGIN PGP SIGNATURE--- Version: PGP 5.0 Charset: noconv yhHJRHhGJGhgg/12EpJ+lo8gE4vB3mqJ hFEvZP9t6n7G6m5Gw2 ---END PGP SIGNATURE--- A PGP signed message:

22 Network Security7-22 Secure sockets layer (SSL) r transport layer security to any TCP- based app using SSL services. r used between Web browsers, servers for e-commerce (https). r security services: m server authentication m data encryption m client authentication (optional) r server authentication: m SSL-enabled browser includes public keys for trusted CAs. m Browser requests server certificate, issued by trusted CA. m Browser uses CA’s public key to extract server’s public key from certificate. r check your browser’s security menu to see its trusted CAs.

23 Network Security7-23 SSL (continued) Encrypted SSL session: r Browser generates symmetric session key, encrypts it with server’s public key, sends encrypted key to server. r Using private key, server decrypts session key. r Browser, server know session key m All data sent into TCP socket (by client or server) encrypted with session key. r SSL: basis of IETF Transport Layer Security (TLS). r SSL can be used for non-Web applications, e.g., IMAP. r Client authentication can be done with client certificates. m Not widely used since too many clients

24 Network Security7-24 How SSL works? K B + Client Server B time Three-way handshake Request server certificate K - CA (K + B ) K + B (K A-B ) K A-B (m) Symmetric session key Certificate from CA

25 Network Security7-25 IPsec: Network Layer Security r Network-layer secrecy: m sending host encrypts the data in IP datagram m Applicable toTCP and UDP segments; ICMP and SNMP messages. m IP header in clear text, the other is in encrypted text r Network-layer authentication m destination host can authenticate source IP address m Also use a similar public key authority for public key distribution

26 Network Security7-26 IEEE 802.11 security r Packet sniffing is unavoidable r War-driving: drive around Bay area, see what 802.11 networks available? m More than 9000 accessible from public roadways m 85% use no encryption/authentication m packet-sniffing and various attacks easy! r Wired Equivalent Privacy (WEP): authentication as in protocol ap4.0 (require shared symmetric key) m host requests authentication from access point m access point sends 128 bit nonce m host encrypts nonce using shared symmetric key m access point decrypts nonce, authenticates host

27 Network Security7-27 802.11 WEP Security Concern r 40 bits in encryption is too short r RC4 is not properly used in 802.11 r A more sure protocol is just standardized, 802.11i

28 Network Security7-28 Internet Worm propagation r Find new targets m IP random scanning Compromise targets  Exploit vulnerability Newly infected join infection army

29 Network Security7-29 Worm Infection Incidents r Code Red (Jul. 2001) : 360,000 infected in 14 hours  Slammer (Jan. 2003) : 75,000 infected in 10 minutes Congested parts of Internet (ATMs down … )  Blaster (Aug. 2003) : 150,000 ~ 8 million infected DDOS attack (shut down domain windowsupdate.com ) r Witty (Mar. 2004) : 12,000 infected in half an hour Attack vulnerability in ISS security products r Sasser (May 2004) : 500,000 infected within two days Infection faster than human response !

30 Network Security7-30 Email Virus and Attacks r Email Viruses: m Executable code in email attachment m Social engineering trick to fool users to click attachment Sender is your friend (faked email header information) Email appears to come from security, failed report, etc r Infection procedure: m Set up SMTP engine m Find all email addresses to send email to Avoid some email domains

31 Network Security7-31 Email Spam r You know how easy to fake sender info r Money is the driving force m Sending millions of spam email costs pennies m Using many compromised machines sending spam r Defense is not perfect m Most email servers have spam filters Check your cs.ucf email header! m Email users do not tolerate false alarms m 10% going through will be good enough for spammers!

32 Network Security7-32 Honeypot and HoneyNet r Honeypot: A honeypot is a fictitious vulnerable IT system used for the purpose of being attacked, probed, exploited and compromised m Attract attack m Analyze attacking code, attacking behavior m Find out how to defend r HoneyNet: a network (physical/virtual) of honeypots m Covering a large number of IP addresses m Monitor more attacking incidents

33 Network Security7-33 New Attack Trend --- Botnet r Botnet: a network of infected hosts controlled by an attacker  Each host is installed with “ bot ” m Hosts can be compromised by any mechansims Email, worm scan, network share, malicious web … m Attacks: DDoS (extortion), spam, phishing, ads abuse, new attack bot controller attacker bot

Download ppt "Network Security7-1 Firewalls isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others. firewall."

Similar presentations

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
Security in Networks (Part 2) CPSC 363 Computer Networks Ellen Walker Hiram College (Includes figures from Computer Networking by Kurose & Ross, © Addison.

Security in Networks (Part 2) CPSC 363 Computer Networks Ellen Walker Hiram College (Includes figures from Computer Networking by Kurose & Ross, © Addison.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.

McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.
PGP Overview 2004/11/30 Information-Center meeting peterkim.

PGP Overview 2004/11/30 Information-Center meeting peterkim.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Lecture 25 Secure Communications CPE 401 / 601 Computer Network Systems slides are modified from Jim Kurose & Keith Ross and Dave Hollinger.

Lecture 25 Secure Communications CPE 401 / 601 Computer Network Systems slides are modified from Jim Kurose & Keith Ross and Dave Hollinger.
7: Network Security1 Chapter 7: Network security Foundations: r what is security? r cryptography r authentication r message integrity Security in practice:

7: Network Security1 Chapter 7: Network security Foundations: r what is security? r cryptography r authentication r message integrity Security in practice:
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
1 Network Security What is network security? Principles of cryptography Authentication Access control: firewalls Attacks and counter measures.

1 Network Security What is network security? Principles of cryptography Authentication Access control: firewalls Attacks and counter measures.
Chapter 7: Network Security

Chapter 7: Network Security
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.

8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
8: Network Security8-1 22 – Integrity, Firewalls.

8: Network Security – Integrity, Firewalls.
Network Security7-1 Network Security 1. What is network security 2. Principles of cryptography 3. Authentication 4. Integrity 5. Key Distribution and certification.

Network Security7-1 Network Security 1. What is network security 2. Principles of cryptography 3. Authentication 4. Integrity 5. Key Distribution and certification.
Review and Announcement r Ethernet m Ethernet CSMA/CD algorithm r Hubs, bridges, and switches m Hub: physical layer Can’t interconnect 10BaseT & 100BaseT.

Review and Announcement r Ethernet m Ethernet CSMA/CD algorithm r Hubs, bridges, and switches m Hub: physical layer Can’t interconnect 10BaseT & 100BaseT.
Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.

Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

Similar presentations

Ads by Google