Slide 1: Network Security Technologies
CS490 - Security in Computing
Copyright © 2005 by Scott Orr and the Trustees of Indiana University
Slide 2: References
- Security in Computing, 3rd Ed., Chapter 7 (pgs. 457-479)
Slide 3: Section Overview
- Firewall Components
- Firewall Architectures
- Network Intrusion Systems
- Honeypots
Slide 4: Internet Firewalls
[Diagram labels: Internet, DMZ, Internal Network]
Slide 5: Firewall Benefits
- Host Service Protection
- Host Access Control
- Centralized Point of Security
- Enhanced Privacy
- Increased Audit Logging
- Policy Enforcement
Slide 6: Implementation Issues
- Service Restrictions
- Allowed Service Vulnerabilities
- User Backdoors
- Insider Attacks
- Viruses
- Network Throughput to/from Internet
- Single Point of Failure
Slide 7: Firewall Components
- Network Policy
- Advanced Authentication
- Packet Filtering
- Application Gateways
Slide 8: Network Policy
- Service Access Policy
  - Extension of Site Security Policy
  - Which services are allowed to/from which hosts
  - Who is authorized to change policy
- Firewall Design Policy
  - How Service Access Policy is implemented
  - Either…
    - Permit any service unless it is expressly denied
    - Deny any service unless it is expressly permitted
Slide 9: Advanced Authentication
- Using one-time password techniques to allow access via certain services
[Diagram labels: Unauthenticated, Authenticated, Internet, Internal Network]
Slide 10: Packet Filtering Routers
- Allowing/Restricting access based on:
  - IP Addresses (source/destination)
  - Protocol (TCP/UDP/ICMP)
  - TCP/UDP Ports (source/destination)
  - ICMP Message Type
  - Packet Size
  - Router Interface/Direction
- Single and multiple addresses/ports per entry
- Screening Routers
Slide 11: Packet Filtering Options
- Send the packet
- Reject the packet
- Drop the packet
- Log information about the packet
- Notify administrator (set off an alarm)
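As an added example (not from the slides or the textbook), a minimal packet filter in Python that matches on the criteria of slide 10, returns the actions of slide 11 and takes its default from one of the two design policies of slide 8. The packet model, the 192.0.2.0/24 and 203.0.113.0/24 addresses and the rule set are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
@dataclass(frozen=True)
class Packet:                   # constructed model: the header fields slide 10 names as criteria
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None
    size: int = 64
    iface: str = "ext"          # router interface the packet arrived on ("ext" or "int")
@dataclass(frozen=True)
class Rule:
    action: str                         # "send", "reject" or "drop" (slide 11)
    src: str = "0.0.0.0/0"              # any source unless narrowed
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dports: frozenset = frozenset()     # empty means any destination port
    icmp_types: frozenset = frozenset() # empty means any ICMP message type
    max_size: Optional[int] = None
    iface: Optional[str] = None
    log: bool = False                   # also record the match ("Log information", slide 11)
    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (not self.dports or p.dport in self.dports)
                and (not self.icmp_types or p.icmp_type in self.icmp_types)
                and (self.max_size is None or p.size <= self.max_size)
                and (self.iface is None or self.iface == p.iface))

def filter_packet(rules, packet, default="drop", log=None):
    """First match wins. `default` is the slide-8 design policy: "drop" = deny unless
    expressly permitted, "send" = permit unless expressly denied."""
    for rule in rules:
        if rule.matches(packet):
            if rule.log and log is not None:
                log.append(f"{rule.action} {packet.proto} {packet.src}:{packet.sport} -> {packet.dst}:{packet.dport}")
            return rule.action
    return default
# Constructed rule set for a screening router: permit SMTP and HTTP to the DMZ server,
# permit ICMP echo replies, log and reject inbound telnet; anything else hits `default`.
RULES = [
    Rule("send", dst="192.0.2.10/32", proto="tcp", dports=frozenset({25, 80}), iface="ext"),
    Rule("send", proto="icmp", icmp_types=frozenset({0}), iface="ext"),
    Rule("reject", proto="tcp", dports=frozenset({23}), iface="ext", log=True),
]
```

The same rule set behaves very differently under the two defaults: with `default="send"` an unlisted service such as SSH passes, with `default="drop"` it does not, which is the whole point of the "deny unless expressly permitted" policy.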
Slide 12: Packet Filtering Weaknesses
- Hard to configure
- Hard to test
- The more complex the rules, the more performance may be impacted
- No Advanced Authentication support
Slide 13: Application Gateways
- Service components allowed/denied based on rule set
- Each packet repackaged after examination
- Information hiding
- Robust authentication and logging
Slide 14: Application GW Weaknesses
- Scalability
  - Each service requires its own proxy
  - Difficult to manage Connectionless Protocols
- Performance
  - Each packet gets repackaged
- OS/Service Bugs
Slide 15: Circuit Gateways
- Similar to Application Gateway
- No packet processing done at the gateway
Slide 16: Stateful Multi-Layer Inspection
- Inspects raw packets
- Inspection engine intercepts packet at the OSI Network Layer
- Context Aware
- Creates a virtual state for connectionless protocols
Source: Checkpoint Software Technologies Ltd.
Slide 17: Firewall Architectures
- Single Device
  - Screening Router
  - Dual-Homed Host
- Multi-Device
  - Screened Host
  - Screened Subnet
  - Split-Screened Subnet
Slide 18: Screening Router
[Diagram labels: Internet, Internal Network, Screening Router]
Slide 19: Dual-Homed Gateway
[Diagram labels: Internet, Internal Network, Proxy Server, Info Server]
Slide 20: Network Address Translation
- Not specifically for security (RFC 1918)
- Hides internal network configuration
- 1 to 1 allocation
  - Static
  - Dynamic
- IP Masquerading
  - Many internal addresses using 1 external address
  - Only internal hosts can initiate a connection
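Added example, not from the slides: a simulation of IP masquerading that shows why many internal hosts can share one external address and why only internal hosts can initiate a connection. EXTERNAL_IP, the 10.0.0.0/8 internal range, the port allocator and the Flow fields are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EXTERNAL_IP = "198.51.100.1"    # constructed: the gateway's single public address

@dataclass(frozen=True)
class Flow:                     # one direction of a TCP/UDP conversation
    src: str
    sport: int
    dst: str
    dport: int

class Masquerader:
    """Many-to-one NAT (IP masquerading): every internal connection is rewritten to
    EXTERNAL_IP plus a unique port. The table that makes the reverse rewrite possible
    is created only by outbound traffic, which is why only internal hosts can initiate."""

    def __init__(self, internal_net: str, first_port: int = 40000):
        self.net = ip_network(internal_net)
        self.next_port = first_port
        self.out_map = {}   # (src, sport, dst, dport) -> allocated external port
        self.in_map = {}    # (external port, remote ip, remote port) -> (src, sport)

    def outbound(self, f: Flow) -> Flow:
        """Internal host -> Internet: allocate (or reuse) a mapping, rewrite the source."""
        if ip_address(f.src) not in self.net:
            raise ValueError(f"{f.src} is not an internal address")
        key = (f.src, f.sport, f.dst, f.dport)
        if key not in self.out_map:
            port, self.next_port = self.next_port, self.next_port + 1
            self.out_map[key] = port
            self.in_map[(port, f.dst, f.dport)] = (f.src, f.sport)
        return Flow(EXTERNAL_IP, self.out_map[key], f.dst, f.dport)

    def inbound(self, f: Flow):
        """Internet -> gateway: rewrite back to the internal host, or None (drop) when no
        internal host opened this conversation. Internal addresses are never reachable."""
        if f.dst != EXTERNAL_IP:
            return None                     # addressed to an internal host directly: undeliverable
        entry = self.in_map.get((f.dport, f.src, f.sport))
        if entry is None:
            return None                     # unsolicited: no internal host started this
        src, sport = entry
        return Flow(f.src, f.sport, src, sport)
```

The "hides internal network configuration" bullet falls out of the same table: the Internet side only ever sees EXTERNAL_IP and an allocated port, never 10.x.x.x addresses.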
Slide 21: Screened Host
[Diagram labels: Internet, Internal Network, Bastion Host, Internet Server, Screening Router]
Slide 22: Screened Subnet
[Diagram labels: Internet, Internal Network, Bastion Host, Internet Server, Screening Router (two)]
Slide 23: Split Screened Subnet
[Diagram labels: Internet, Internal Network, Dual-Homed Proxy, Internet Server, Screening Router (two), Intranet Server]
Slide 24: Network Intrusion Detection
[Diagram labels: Internet, Internal Network, Dual-Homed Proxy, Screening Router (two), Analysis Station, Sensors]
Slide 25: IDS Analysis
- Knowledge based (attack signatures)
  - Port Scans
  - Denial of Service
  - Known Service Attacks
  - Spoofing
  - Content
- Behavioral based
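Added example, not from the slides: knowledge-based analysis run over constructed screening-router log lines for two of the signature classes listed, port scans and spoofing. The log format, the 10.0.0.0/8 internal range and the thresholds are assumptions; the log lines are constructed sample data, not real traffic.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")      # constructed: the site's internal address range
# Constructed log format: "<time> <iface> <proto> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(r"^(?P<t>\d+) (?P<iface>\w+) (?P<proto>\w+) "
                  r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse(line):
    m = LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for k in ("t", "sport", "dport"):
        rec[k] = int(rec[k])
    return rec

def detect(lines, scan_ports=5, window=10):
    """Knowledge-based analysis: two attack signatures from slide 25 applied to firewall
    traffic logs. Returns (signature, source address, time) per alert, once per source."""
    alerts, flagged = [], set()
    hits = defaultdict(list)                  # src -> [(time, dport), ...]
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                          # unparsable line: skip it, never crash the sensor
        src, now = rec["src"], rec["t"]
        # Spoofing signature: a packet claiming an internal source arrives on the Internet side.
        if rec["iface"] == "ext" and ip_address(src) in INTERNAL and ("spoof", src) not in flagged:
            flagged.add(("spoof", src))
            alerts.append(("spoof", src, now))
        # Port-scan signature: one source touches >= scan_ports distinct ports within `window`.
        hits[src].append((now, rec["dport"]))
        recent = {p for t, p in hits[src] if now - t <= window}
        if len(recent) >= scan_ports and ("portscan", src) not in flagged:
            flagged.add(("portscan", src))
            alerts.append(("portscan", src, now))
    return alerts
SAMPLE_LOG = [   # constructed sample, not real traffic
    "100 ext tcp 203.0.113.9:40001 -> 192.0.2.10:21",
    "101 ext tcp 203.0.113.9:40002 -> 192.0.2.10:22",
    "102 ext tcp 203.0.113.9:40003 -> 192.0.2.10:23",
    "103 ext tcp 203.0.113.9:40004 -> 192.0.2.10:25",
    "104 ext tcp 203.0.113.9:40005 -> 192.0.2.10:80",
    "150 ext tcp 10.1.1.5:5555 -> 192.0.2.10:80",
    "160 ext tcp 198.51.100.4:33000 -> 192.0.2.10:80",
    "this line is corrupt",
]
```

Raising `scan_ports` trades false positives for false negatives (slide 26): at a threshold of 6 the same five-port probe is no longer reported.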
Slide 26: IDS Weaknesses
- Very young technology
- False Positives
- False Negatives
- Scalability
Slide 27: Honeypots
- Sacrificial host used to lure attackers
- Simulates a vulnerable system
- Used to study attacker techniques
  - Firewall/IDS traffic logs
  - System logs
  - File Integrity Checker logs
  - Keystroke capturing
- Early Case – “Berferd”