Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 13 Page 1 CS 136, Spring 2009 Network Security: Firewalls continued, VPNS, Honeypots CS 136 Computer Security Peter Reiher May 14, 2009.

Published byCaitlin Harris Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 13 Page 1 CS 136, Spring 2009 Network Security: Firewalls continued, VPNS, Honeypots CS 136 Computer Security Peter Reiher May 14, 2009."— Presentation transcript:

1 Lecture 13 Page 1 CS 136, Spring 2009 Network Security: Firewalls continued, VPNS, Honeypots CS 136 Computer Security Peter Reiher May 14, 2009

2 Lecture 13 Page 2 CS 136, Spring 2009 Outline More on firewalls –Network access control Virtual private networks Honeypots and honeynets

3 Lecture 13 Page 3 CS 136, Spring 2009 Firewall Configuration and Administration Again, the firewall is the point of attack for intruders Thus, it must be extraordinarily secure How do you achieve that level of security?

4 Lecture 13 Page 4 CS 136, Spring 2009 Firewall Location Clearly, between you and the bad guys But you may have some very different types of machines/functionalities Sometimes makes sense to divide your network into segments –Most typically, less secure public network and more secure internal network –Using separate firewalls

5 Lecture 13 Page 5 CS 136, Spring 2009 Firewalls and DMZs A standard way to configure multiple firewalls for a single organization Used when organization runs machines with different openness needs –And security requirements Basically, use firewalls to divide your network into segments

6 Lecture 13 Page 6 CS 136, Spring 2009 A Typical DMZ Organization Your production LAN Your web server The Internet Firewall set up to protect your LAN Firewall set up to protect your web server DMZ

7 Lecture 13 Page 7 CS 136, Spring 2009 Firewall Hardening Devote a special machine only to firewall duties Alter OS operations on that machine –To allow only firewall activities –And to close known vulnerabilities Strictly limit access to the machine –Both login and remote execution

8 Lecture 13 Page 8 CS 136, Spring 2009 Firewalls and Logging The firewall is the point of attack for intruders Logging activities there is thus vital The more logging, the better Should log what the firewall allows And what it denies Tricky to avoid information overload

9 Lecture 13 Page 9 CS 136, Spring 2009 Keep Your Firewall Current New vulnerabilities are discovered all the time Must update your firewall to fix them Even more important, sometimes you have to open doors temporarily –Make sure you shut them again later Can automate some updates to firewalls How about getting rid of old stuff?

10 Lecture 13 Page 10 CS 136, Spring 2009 Closing the Back Doors Firewall security is based on assumption that all traffic goes through the firewall So be careful with: –Modem connections –Wireless connections –Portable computers Put a firewall at every entry point to your network And make sure all your firewalls are up to date

11 Lecture 13 Page 11 CS 136, Spring 2009 What About Portable Computers? Local Café BobCarolXavierAlice

12 Lecture 13 Page 12 CS 136, Spring 2009 Now Bob Goes To Work... Bob’s Office Worker Bob

13 Lecture 13 Page 13 CS 136, Spring 2009 How To Handle This Problem? Essentially quarantine the portable computer until it’s safe Don’t permit connection to wireless access point until you’re satisfied that the portable is safe UCLA did it first with QED Now very common in Cisco, Microsoft, and other companies’ products –Network access control

14 Lecture 13 Page 14 CS 136, Spring 2009 Microsoft Network Access Protection In recent Microsoft OS platforms –Vista, XP service pack 3,Server 2008 Allows administrators to specify policies governing machines on network Automatically checks “health” of machines –If non-compliant, can provide updates Can limit access until compliant Highly configurable and customizable

15 Lecture 13 Page 15 CS 136, Spring 2009 How To Tell When It’s Safe? Local network needs to examine the quarantined device Looking for evidence of worms, viruses, etc. If any are found, require decontamination before allowing the portable machine access

16 Lecture 13 Page 16 CS 136, Spring 2009 Single Machine Firewalls Instead of separate machine protecting network, A machine puts software between the outside world and the rest of machine Under its own control To protect itself Available on most modern systems

17 Lecture 13 Page 17 CS 136, Spring 2009 Pros and Cons of Individual Firewalls +Customized to particular machine +Under machine owner’s control +Provides defense in depth −Only protects that machine −Less likely to be properly configured Generally considered a good idea

18 Lecture 13 Page 18 CS 136, Spring 2009 Virtual Private Networks VPNs What if your company has more than one office? And they’re far apart? –Like on opposite coasts of the US How can you have secure cooperation between them?

19 Lecture 13 Page 19 CS 136, Spring 2009 Leased Line Solutions Lease private lines from some telephone company The phone company ensures that your lines cannot be tapped –To the extent you trust in phone company security Can be expensive and limiting

20 Lecture 13 Page 20 CS 136, Spring 2009 Another Solution Communicate via the Internet –Getting full connectivity, bandwidth, reliability, etc. –At a lower price, too But how do you keep the traffic secure? Encrypt everything!

21 Lecture 13 Page 21 CS 136, Spring 2009 Encryption and Virtual Private Networks Use encryption to convert a shared line to a private line Set up a firewall at each installation’s network Set up shared encryption keys between the firewalls Encrypt all traffic using those keys

22 Lecture 13 Page 22 CS 136, Spring 2009 Actual Use of Encryption in VPNs VPNs run over the Internet Internet routers can’t handle fully encrypted packets Obviously, VPN packets aren’t entirely encrypted They are encrypted in a tunnel mode

23 Lecture 13 Page 23 CS 136, Spring 2009 Is This Solution Feasible? A VPN can be half the cost of leased lines (or less) And give the owner more direct control over the line’s security Ease of use improving –Often based on IPsec

24 Lecture 13 Page 24 CS 136, Spring 2009 Key Management and VPNs All security of the VPN relies on key secrecy How do you communicate the key? –In early implementations, manually –Modern VPNs use IKE or proprietary key servers How often do you change the key? –IKE allows frequent changes

25 Lecture 13 Page 25 CS 136, Spring 2009 VPNs and Firewalls VPN encryption is typically done between firewall machines –VPN often integrated into firewall product Do I need the firewall for anything else? Probably, since I still need to allow non-VPN traffic in and out Need firewall “inside” VPN –Since VPN traffic encrypted –Including stuff like IP addresses and ports –“Inside” means “later in same box” usually

26 Lecture 13 Page 26 CS 136, Spring 2009 VPNs and Portable Computing Increasingly, workers connect to offices remotely –While on travel –Or when working from home VPNs offer secure solution Typically software in portable computer Usually needs to be pre-configured

27 Lecture 13 Page 27 CS 136, Spring 2009 VPN Deployment Issues Desirable not to have to pre-deploy VPN software –Clients get access from any machine Possible by using downloaded code –Connect to server, download VPN applet, away you go –Often done via web browser –Leveraging existing SSL code –Authentication via user ID/password Issue of compromised user machine

28 Lecture 13 Page 28 CS 136, Spring 2009 VPN Products VPNs are big business Many products are available Some for basic VPN service Some for specialized use –Such as networked meetings –Or providing remote system administration and debugging

29 Lecture 13 Page 29 CS 136, Spring 2009 Juniper Secure Access 700 A hardware VPN Uses SSL Accessible via web browser –Which avoids some pre-deployment costs –Downloads code using browser extensibility Does various security checks on client machine before allowing access

30 Lecture 13 Page 30 CS 136, Spring 2009 Citrix GoToMeeting Service provided through Citrix web servers Connects many meeting participants via a custom VPN –Care taken that Citrix doesn’t have VPN key Basic interface through web browser

31 Lecture 13 Page 31 CS 136, Spring 2009 Honeypots and Honeynets A honeypot is a machine set up to attract attackers Classic use is to learn more about attackers Ongoing research on using honeypots as part of a system’s defenses

32 Lecture 13 Page 32 CS 136, Spring 2009 Setting Up A Honeypot Usually a machine dedicated to this purpose Probably easier to find and compromise than your real machines But has lots of software watching what’s happening on it Providing early warning of attacks

33 Lecture 13 Page 33 CS 136, Spring 2009 What Have Honeypots Been Used For? To study attackers’ common practices There are lengthy traces of what attackers do when they compromise a honeypot machine Not clear these traces actually provided much we didn’t already know

34 Lecture 13 Page 34 CS 136, Spring 2009 Can a Honeypot Contribute to Defense? Perhaps can serve as an early warning system –Assuming that attacker hits the honeypot first –And that you know it’s happened If you can detect it’s happened there, why not everywhere?

35 Lecture 13 Page 35 CS 136, Spring 2009 Honeynets A collection of honeypots on a single network –Maybe on a single machine with multiple addresses –Perhaps using virtualization techniques Typically, no other machines are on the network Since whole network is phony, all incoming traffic is probably attack traffic

36 Lecture 13 Page 36 CS 136, Spring 2009 What Can You Do With Honeynets? Similar things to what can be done with honeypots (at network level) Also good for tracking the spread of worms –Worm code typically knocks on their door repeatedly Main tool for detecting and tracking botnets Has given evidence on prevalence of DDoS attacks –Through backscatter –Based on attacker using IP spoofing

37 Lecture 13 Page 37 CS 136, Spring 2009 Backscatter Some attacks are based on massive spoofing of IP addresses –Particularly distributed denial of service attacks Packets are typically reasonably well formed If target gets them, it will reply to them This can be helpful

38 Lecture 13 Page 38 CS 136, Spring 2009 Backscatter In Action 117.15.202.74 95.113.27.1256.29.138.2 FAKE! What does the target do with this packet? It probably sends a reply 56.29.138.295.113.27.12 To the forged address! 95.113.27.12 56.29.138.295.113.27.12 What if this machine is a honeypot?

39 Lecture 13 Page 39 CS 136, Spring 2009 So What? The honeypot knows it didn’t ask for this response So it must have resulted from spoofing Which means the source of the packet is under attack With sufficient cleverness, you can figure out a lot more

40 Lecture 13 Page 40 CS 136, Spring 2009 What Can Backscatter Tell Us? Who’s being attacked For how long With what sorts of packets Even estimates of the volume of attack

41 Lecture 13 Page 41 CS 136, Spring 2009 How Do We Deduce This Stuff? Who’s being attacked –Whoever sends us reply packets For how long –How long do we see their replies? With what sorts of packets –What kind of reply? Even estimates of the volume of attack –This is trickier

42 Lecture 13 Page 42 CS 136, Spring 2009 Estimating Attack Volumes Assume the attacker uses random spoofing –He chooses spoofed addresses purely randomly Your honeynet owns some set of addresses –Perhaps 256 of them Your addresses will be spoofed proportionally to all others –Allowing you to calculate how many total packets were sent

43 Lecture 13 Page 43 CS 136, Spring 2009 Complicating Factors in This Calculation Not all spoofed packets delivered –It’s a denial of service attack, after all Not all delivered packets responded to Not all responses delivered Attackers don’t always spoof at random

44 Lecture 13 Page 44 CS 136, Spring 2009 Do You Need A Honeypot? Not in the same way you need a firewall Only worthwhile if you have a security administrator spending a lot of time watching things Or if your job is keeping up to date on hacker activity More something that someone needs to be doing –Particularly, security experts who care about the overall state of the network world

45 Lecture 13 Page 45 CS 136, Spring 2009 So, You Want a Honeypot? If you decide you want to run one, what do you do? Could buy a commercial product –E.g., NeuralIQ Event Horizon Could build your own Could look for open source stuff

46 Lecture 13 Page 46 CS 136, Spring 2009 The Honeynet Project A non-profit organization dedicated to improving Internet security Many activities related to honeynets –White papers based on information gained from honeynets –Tools to run honeypots and honeynets www.honeynet.org

Download ppt "Lecture 13 Page 1 CS 136, Spring 2009 Network Security: Firewalls continued, VPNS, Honeypots CS 136 Computer Security Peter Reiher May 14, 2009."

Similar presentations

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.

Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
OAAIS Enterprise Information Security Security Awareness, Training & Education (SATE) Program or 415.514-3333 UCSF Campus VPN.

OAAIS Enterprise Information Security Security Awareness, Training & Education (SATE) Program or UCSF Campus VPN.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
CS682 – Network Management and Security Session 7.

CS682 – Network Management and Security Session 7.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Network Security Peter Behrens Seth Elschlager. Computer Security Preventing unauthorized use of your network and information within that network. Preventing.

Network Security Peter Behrens Seth Elschlager. Computer Security Preventing unauthorized use of your network and information within that network. Preventing.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.

Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.
Day 19. Security Tools Firewalls –Host Based –Network based IDS/IPS –Host Based –Network based –Signature based detection –Anomaly based detection Anti.

Day 19. Security Tools Firewalls –Host Based –Network based IDS/IPS –Host Based –Network based –Signature based detection –Anomaly based detection Anti.

Similar presentations

Ads by Google