CSE 565 Computer Security Fall 2018

Similar documents
CSC Network Security

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

COMPUTER NETWORK SECURITY

Why Firewalls? Firewall Characteristics

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Spring 2010 CS419. Computer Security. Vinod Ganapathy Lecture 14. Chapters 6 and 9 Intrusion Detection and Prevention

Chapter 9. Firewalls

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 8 roadmap. Network Security

CyberP3i Course Module Series

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

Network Control, Con t

Internet Security: Firewall

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

Network Security. Thierry Sans

4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare

Broadcast Infrastructure Cybersecurity - Part 2

Information Systems Security

Network Security Terms. Based on slides from gursimrandhillon.files.wordpress.com

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

Agenda of today s lecture. Firewalls in General Hardware Firewalls Software Firewalls Building a Firewall

Firewalls, Tunnels, and Network Intrusion Detection

Unit 4: Firewalls (I)

Computer Security and Privacy

Network Security: Firewalls. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

Network Security: Firewall, VPN, IDS/IPS, SIEM

Indicate whether the statement is true or false.

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Intranets 4/4/17. IP numbers and Hosts. Dynamic Host Configuration Protocol. Dynamic Host Configuration Protocol. CSC362, Information Security

Application Firewalls

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

10 Defense Mechanisms

CHAPTER 8 FIREWALLS. Firewall Design Principles

SYN Flood Attack Protection Technology White Paper

Network Security Fundamentals

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

ASA/PIX Security Appliance

Firewalls, IDS and IPS. MIS5214 Midterm Study Support Materials

CSCE 813 Internet Security Network Access Control

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

DMZ Networks Virtual Private Networks Distributed Firewalls Summary of Firewall Locations and Topologies

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

CSC 474/574 Information Systems Security

CSC 4900 Computer Networks: Security Protocols (2)

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Internet Security Firewalls

Protection of Communication Infrastructures

Contents at a Glance

Network Defenses 21 JANUARY KAMI VANIEA 1

CISNTWK-440. Chapter 5 Network Defenses

Cisco IPS AIM Deployment, Benefits, and Capabilities

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Network Interconnection

HP High-End Firewalls

Sirindhorn International Institute of Technology Thammasat University

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Implementing Firewall Technologies

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

Security Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings)

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Firewall and IDS/IPS. What is a firewall?

CE Advanced Network Security

Computer Network Vulnerabilities

What is a firewall? Firewall and IDS/IPS. Firewall design. Ingress vs. Egress firewall. The security index

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

COSC 301 Network Management

CSCI 680: Computer & Network Security

IPv4 Firewall Rule configuration on Cisco SA540 Security Appliance

Network Defenses KAMI VANIEA 1

Simple and Powerful Security for PCI DSS

CS 161 Computer Security

Internet Protocol and Transmission Control Protocol

Network Defenses 21 JANUARY KAMI VANIEA 1

HikCentral V1.3 for Windows Hardening Guide

CSE 565 Computer Security Fall 2018

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

Firewalls. Firewall. means of protecting a local system or network of systems from network-based security threats creates a perimeter of defense

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

Securing CS-MARS C H A P T E R

CS Computer and Network Security: Firewalls

Attack Prevention Technology White Paper

Introduction TELE 301. Routers. Firewalls. Gateways. Sample Large Network

The DNS. Application Proxies. Circuit Gateways. Personal and Distributed Firewalls The Problems with Firewalls

Exam : SCNS_EN. Title : SCNS SCNS Tactical Perimeter Defense. Version : Demo

SE 4C03 Winter Final Examination Answer Key. Instructor: William M. Farmer

2. INTRUDER DETECTION SYSTEMS

Overview of Firewalls. CSC 474 Network Security. Outline. Firewalls. Intrusion Detection System (IDS)

Introduction to Security

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

CS 161 Computer Security

Module: Firewalls. Professor Patrick McDaniel Fall CSE543 - Introduction to Computer and Network Security

Topexam. 一番権威的な IT 認定試験ウェブサイト 最も新たな国際 IT 認定試験問題集

HikCentral V.1.1.x for Windows Hardening Guide

Computer Security. 12. Firewalls & VPNs. Paul Krzyzanowski. Rutgers University. Spring 2018

Firewalls. Content. Location of firewalls Design of firewalls. Definitions. Forwarding. Gateways, routers, firewalls.

20-CS Cyber Defense Overview Fall, Network Basics

HP High-End Firewalls

Transcription:

CSE 565 Computer Security Fall 2018 Lecture 20: Intrusion Prevention Department of Computer Science and Engineering University at Buffalo 1

Lecture Overview Firewalls purpose types locations Network perimeter security Defense in depth 2

Firewalls A firewall is security software that filters out unwanted or potentially dangerous traffic a firewall can be used to protect a network from the outside world external network (e.g., Internet) is considered to be untrusted firewall is used to implement and enforce a security policy it serves as a single protection point for entire enterprise security management becomes easier filtering can be done in both directions (with different rules) External network Firewall Internal network 3

Firewalls What can we expect from a firewall? singe point that blocks unauthorized users from the protected network and simplifies security management monitoring and reporting of security-related events implementation of virtual private networks by means of IPsec, tunneling convenient place for integration of other functions for network management A firewall does not protect against attacks that don t go through the firewall e.g., wireless connections, internal attacks, external devices connected directly to the internal machines/network 4

Firewalls Where can a firewall reside? on a router on a dedicated machine personal firewall on a host software that protects a single host rather than a network e.g., Windows firewall, iptables in Linux, etc. typically is configured to block most incoming traffic, but some applications can be let through can be bypassed/disabled if host is compromised A firewall must be immune to penetration ideally, it should run on a hardened system with a secured OS 5

Firewalls Types of firewalls packet filtering simplest kind of firewall router has a list of access control rules router checks each received packet against security rules to decide whether to forward or drop it each rule specifies which packets it applies to based on a packet s header fields can specify source and destination IP addresses, port numbers, protocol names, or wild cards actions areallow ordrop ACTION PTRCL SRC:PT DEST:PT 6

Firewalls Packet filtering (cont.) list of rules is examined one-by-one first matching rules determines how packet will be handled if no match is found, the default option can be to allow or drop if the default option is drop, it is more noticeable to users additional rules are added over time this option, however, is preferred from security management point of view 7

Packet Filtering Policies based on IP header fields a TCP or UDP service is specified by machine s IP address and port number e.g., web serverengineering.buffalo.edu is at 128.205.201.56 port 80 identify each service with triplet(addr, prot, port) addr is machine s IP address (a.b.c.d/[mask]) prot is TCP/UDP protocol identifier port is the port number example: all official web servers are located on subnet 12.34.56.x add (12.34.56.0/24, TCP, 80) to allowed list 8

Packet Filtering Let s examine a sample ruleset drop TCP *:* -> *:23 allow * *:* -> *:* what does it do? is this ruleset satisfactory? there is no notion of a connection, inbound vs outbound connections inbound and output packets to port 23 are dropped default allow policy is undesirable 9

Packet Filtering Another example assume that we want to allow inbound connections to web server 12.34.56.78 on port 80 all outbound connections nothing else we create the following ruleset allow TCP *:* -> 12.34.56.78:80 allow TCP (our-hosts):* -> *:* drop * *:* -> *:* there are problems with it TCP connections are bidirectional, data have to be able to go both ways 10

Packet Filtering Recall that TCP handshake is 3-way send SYN, receive SYN-ACK, send ACK, then send data with ACK Assume that we have the above ruleset and inside host connects to external machine on port 25 (mail) initial packets get through (using rule 2) SYN-ACK is dropped (fails the first two rules, matches the last) We need to distinguish between two types of inbound packets allow inbound packets associated with an outbound connection disallow inbound packets associated with an inbound connection 11

Packet Filtering We use TCP feature to make this distinction ACK bit is set on all packets except the first one recipients discard any TCP packet with ACK bit if it is not associated with existing TCP connection Revised ruleset allow TCP *:* -> 12.34.56.78:80 allow TCP (our-hosts):* -> *:* allow TCP *:* -> (our-hosts):* (if ACK bit set) drop * *:* -> *:* rules 1 and 2 permit inbound connections to 12.34.56.78 port 80 rules 2 and 3 allow outbound connections to any port 12

Packet Filtering Let s see how our firewall stops packets attacker wants to exploit finger service vulnerability (TCP port 79) attempt 1: attacker sends SYN packet to internal machine packet doesn t have ACK bit set, so firewall rule drops it attempt 2: attacker sends SYN-ACK packet to internal machine firewall permits the packets, but then it is dropped by TCP stack (i.e., ACK bit set, but it is not part of existing connection) We can customize the ruleset to let any types of packets through according to the policy Does it mean we done now? how about spoofed addresses? 13

Packet Filtering Suppose attacker can spoof source IP address and performs the following attack suppose 12.34.56.77 is internal host attacker sends spoofed TCP SYN packet from address 12.34.56.77 to another internal machine on port 79 rule 2 in the ruleset allows the packet target machine replies with SYN-ACK packet to 12.34.56.77 and waits for ACK (to finish handshake) attacker sends spoofed ACK packet attacker sends data packet(s) 14

Packet Filtering Attack above allows connections to internal hosts it violates our security policy it allows attacker to exploit security vulnerabilities in internal machines one difficulty: attacker has to guess initial sequence number set by target in SYN-ACK packet to 12.34.56.77 attacker doesn t see the response packet, but guessing might not be difficult What do we do now? solve this by taking the interface a packet is coming from into consideration mark a packet with interface id and incorporate ids into the rules 15

Packet Filtering New ruleset internal interface isin, external interfaceout allow TCP *:*/out -> 12.34.56.78:80/in allow TCP *:*/in -> *:*/out allow TCP *:*/out -> *:*/in (if ACK bit set) drop * *:* -> *:* this allows inbound packets only to 12.34.56.78:80 (rule 1) or if ACK bit set (rule 3) all other inbound packets are dropped Simple modification cleanly defeats IP spoofing threat it simplifies ruleset administration (no need to hardcode internal hosts) 16

Other Types of Firewalls Stateless packet filtering has its limitations small fragment attacks TCP header can be split among several tiny IP packets the hope is to circumvent filtering rules based on TCP fields the easiest solution is to drop all packets that don t contain enough information in the first fragment inability to recognize connections most traffic is two-way inability to examine upper-layer data and prevent application-specific attacks inability to support advanced user authentication 17

Other Types of Firewalls Stateful packet inspection packet decision is made in the context of a connection if packet is a new connection, check against security policy if packet is part of existing connection, find it in the state table and update the table this can be viewed as packet filtering with rules dynamically updated Example connection state table source address source port dest address dest port conn state 219.22.123.32 2112 124.33.44.5 80 established 124.33.44.129 1030 132.65.89.2 80 established 124.33.44.7 1035 190.3.15.4 25 established 18

Other Types of Firewalls Application layer firewalls (or proxy firewalls) is used as a relay for connections: Client Proxy Server understands specific applications limited versions of applications are available proxy impersonates both sides of a connection tends to be more secure than simple packet filters (can block application-specific attacks, can support authentication) is resource-intensive (i.e., one process per connection) certain proxies (e.g., HTTP) may cache data (e.g., web pages) 19

Firewall Location Firewall location firewall can be placed at different locations within network multiple firewalls can be used It is very common to have a firewall at the boundary of the entire network Subnets (especially with sensitive information and services) might have additional firewall(s) Finally, individual hosts might run firewall elements 20

Network Perimeter Security We often want to have fortified boundary of our network The idea is to secure a small number of entry points into the network similar concept is used in airports Tools we can use border router the last router you control before untrusted network (i.e., Internet) firewall a chokepoint device that decides what traffic is allowed intrusion detection systems an alarm system that detects malicious events and alerts administrators 21

Network Perimeter Security Tools we can use (cont.) intrusion prevention system inline IDS provides automatic defense without administrators involvement demilitarized zone (DMZ) small network providing public services not as well protected as the rest of the network there is often a firewall between DMZ and Internet there is also a firewall between DMZ and internal network 22

Network Perimeter Security Firewall configuration with DMZ switch internal firewall switch external firewall border router Cisco 7000 SERIES CiscoSystems Workgroup Switch Workgroup Switch Catalyst CiscoSystems Catalyst CiscoSystems web server Internet workstations email server servers protected network DNS server DMZ network untruster users and networks 23

Network Perimeter Security Tools we can use (cont.) virtual private network (VPN) protected network session formed across unprotected channel such as Internet hosts that connect through a VPN are part of the trusted network a secure tunnel can be formed using IPsec a user who is away from her network encrypts her connections and forwards them across internet firewall at the boundary of home network decrypts traffic user gets to use internal resources as she was on the internal network 24

Network Perimeter Security Illustration of VPN switch Workgroup Switch CiscoSystems Catalyst firewall with IPsec border router Cisco 7000 SERIES CiscoSystems workstations Internet servers user with IPsec 25

Defense in Depth Defense in depth security strategy that consists of layers of defense placed at various points in the enterprise addresses vulnerabilities in all of technology, personnel, and operations of a system Defense in depth components perimeter static packet filter, stateful firewall, proxy firewall, IDS and IPS, VPN device internal network ingress and egress filtering on every router, internal firewalls, IDS sensors 26

Defense in Depth Defense in depth components (cont.) individual hosts host-centric firewalls anti-virus software configuration management audit human factor user education training appropriate privilege assignment 27

Conclusions Now we have the global picture of network and systems protection anti-virus software intrusion detection systems intrusion prevention systems firewalls audit training 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback