Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Security Technologies CS490 - Security in Computing Copyright © 2005 by Scott Orr and the Trustees of Indiana University.

Published byMalcolm Mathews Modified over 9 years ago

Similar presentations

Presentation on theme: "Network Security Technologies CS490 - Security in Computing Copyright © 2005 by Scott Orr and the Trustees of Indiana University."— Presentation transcript:

1 Network Security Technologies CS490 - Security in Computing Copyright © 2005 by Scott Orr and the Trustees of Indiana University

2 References Security in Computing, 3 rd Ed. Security in Computing, 3 rd Ed. Chapter 7 (pgs. 457-479) Chapter 7 (pgs. 457-479)

3 Section Overview Firewall Components Firewall Components Firewall Architectures Firewall Architectures Network Intrusion Systems Network Intrusion Systems Honeypots Honeypots

4 Internet Firewalls DMZ Internet InternalNetwork

5 Firewall Benefits Host Service Protection Host Service Protection Host Access Control Host Access Control Centralized Point of Security Centralized Point of Security Enhanced Privacy Enhanced Privacy Increased Audit Logging Increased Audit Logging Policy Enforcement Policy Enforcement

6 Implementation Issues Service Restrictions Service Restrictions Allowed Service Vulnerabilities Allowed Service Vulnerabilities User Backdoors User Backdoors Insider Attacks Insider Attacks Viruses Viruses Network Throughput to/from Internet Network Throughput to/from Internet Single Point of Failure Single Point of Failure

7 Firewall Components Network Policy Network Policy Advanced Authentication Advanced Authentication Packet Filtering Packet Filtering Application Gateways Application Gateways

8 Network Policy Service Access Policy Service Access Policy Extension of Site Security Policy Extension of Site Security Policy Which services are allowed to/from which hosts Which services are allowed to/from which hosts Who is authorized to change policy Who is authorized to change policy Firewall Design Policy Firewall Design Policy How Service Access Policy is implemented How Service Access Policy is implemented Either… Either… Permit any service unless it is expressly denied Permit any service unless it is expressly denied Deny any service unless it is expressly permitted Deny any service unless it is expressly permitted

9 Advanced Authentication UnauthenticatedAuthenticated Using one-time password techniques to allow access via certain services Internet Internal Network

10 Packet Filtering Routers Allowing/Restricting access based on: IP Addresses (source/destination) IP Addresses (source/destination) Protocol (TCP/UDP/ICMP) Protocol (TCP/UDP/ICMP) TCP/UDP Ports (source/destination) TCP/UDP Ports (source/destination) ICMP Message Type ICMP Message Type Packet Size Packet Size Router Interface/Direction Router Interface/Direction Single and multiple addresses/ports per entry Single and multiple addresses/ports per entry Screening Routers Screening Routers

11 Packet Filtering Options Send the packet Send the packet Reject the packet Reject the packet Drop the packet Drop the packet Log information about the packet Log information about the packet Notify administrator (set off an alarm) Notify administrator (set off an alarm)

12 Packet Filtering Weaknesses Hard to configure Hard to configure Hard to test Hard to test More complex the rules, more performance might be impacted More complex the rules, more performance might be impacted No Advanced Authentication support No Advanced Authentication support

13 Application Gateways Service components allowed/denied based on rule set Service components allowed/denied based on rule set Each packet repackaged after examination Each packet repackaged after examination Information hiding Information hiding Robust authentication and logging Robust authentication and logging

14 Application GW Weaknesses Scalability Scalability Each service requires it’s own proxy Each service requires it’s own proxy Difficult to manage Connectionless Protocols Difficult to manage Connectionless Protocols Performance Performance Each packet gets repackaged Each packet gets repackaged OS/Service Bugs OS/Service Bugs

15 Circuit Gateways Similar to Application Gateway Similar to Application Gateway No packet processing done at the gateway No packet processing done at the gateway

16 Stateful Multi-Layer Inspection Inspects raw packets Inspects raw packets Inspection engine intercepts packet at the OSI Network Layer Inspection engine intercepts packet at the OSI Network Layer Context Aware Context Aware Creates a virtual state for connectionless protocols Creates a virtual state for connectionless protocols Source: Checkpoint Software Checkpoint SoftwareCheckpoint Software Technologies Ltd. Technologies Ltd.

17 Firewall Architectures Single Device Single Device Screening Router Screening Router Dual-Homed Host Dual-Homed Host Multi-Device Multi-Device Screened Host Screened Host Screened Subnet Screened Subnet Split-Screened Subnet Split-Screened Subnet

18 Screening Router Internet InternalNetwork ScreeningRouter

19 Dual-Homed Gateway Internet InternalNetwork ProxyServer InfoServer

20 Network Address Translation Not specifically for security (RFC 1918) Not specifically for security (RFC 1918)RFC 1918RFC 1918 Hides internal network configuration Hides internal network configuration 1 to 1 allocation 1 to 1 allocation Static Static Dynamic Dynamic IP Masquerading IP Masquerading Many internal addresses using 1 external address Many internal addresses using 1 external address Only internal hosts can initiate a connection Only internal hosts can initiate a connection

21 Screened Host Internet InternalNetwork BastionHost InternetServer ScreeningRouter

22 Screened Subnet Internet InternalNetwork BastionHost InternetServer ScreeningRouter ScreeningRouter

23 Split Screened Subnet Internet InternalNetwork Dual-HomedProxy InternetServer ScreeningRouter ScreeningRouter IntranetServer

24 Network Intrusion Detection Internet InternalNetwork Dual-HomedProxy ScreeningRouter ScreeningRouter AnalysisStation Sensors

25 IDS Analysis Knowledge based (attack signatures) Knowledge based (attack signatures) Port Scans Port Scans Denial of Service Denial of Service Known Service Attacks Known Service Attacks Spoofing Spoofing Content Content Behavioral based Behavioral based

26 IDS Weaknesses Very young technology Very young technology False Positives False Positives False Negatives False Negatives Scalability Scalability

27 Honeypots Sacrificial host used to lure attackers Sacrificial host used to lure attackers Simulates a vulnerable system Simulates a vulnerable system Used to study attacker techniques Used to study attacker techniques Firewall/IDS traffic logs Firewall/IDS traffic logs System logs System logs File Integrity Checker logs File Integrity Checker logs Keystroke capturing Keystroke capturing Early Case – “Berferd” Early Case – “Berferd”Berferd

Download ppt "Network Security Technologies CS490 - Security in Computing Copyright © 2005 by Scott Orr and the Trustees of Indiana University."

Similar presentations

Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Firewalls 2014.04.07 Uyanga Tserengombo

Firewalls Uyanga Tserengombo
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
5-Network Defenses Dr. John P. Abraham Professor UTPA.

5-Network Defenses Dr. John P. Abraham Professor UTPA.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
Lecture 14 Firewalls modified from slides of Lawrie Brown.

Lecture 14 Firewalls modified from slides of Lawrie Brown.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Firewall Configuration Strategies

Firewall Configuration Strategies
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Chapter 10 Firewalls. Introduction seen evolution of information systems now everyone want to be on the Internet and to interconnect networks has persistent.

Chapter 10 Firewalls. Introduction seen evolution of information systems now everyone want to be on the Internet and to interconnect networks has persistent.
Firewall Raghunathan Srinivasan October 30, 2007 CSE 466/598 Computer Systems Security.

Firewall Raghunathan Srinivasan October 30, 2007 CSE 466/598 Computer Systems Security.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Firewall Slides by John Rouda

Firewall Slides by John Rouda

Similar presentations

Ads by Google