Applied IT Security. System Security. Dr. Stephan Spitz. 6 Firewalls & IDS.


Applied IT Security, System Security. Dr. Stephan Spitz, Stephan.Spitz@de.gi-de.com

Course overview (today's topic: Firewalls and Intrusion Detection Systems):
- Overview & Basics
- System Security
- Network Protocols and the Internet
- Operating Systems and Applications
- Operating System Security
- Security Threats on Networks
- Firewalls and Intrusion Detection Systems (today)
- Applied Cryptography
- Device Security
- Public Key Infrastructures
- Authentication Protocols
- Encryption and Digital Signatures in Topical Applications
- Smart Cards, Secure Microprocessors and Crypto Libraries
- Security Certification
- The Future of IT Security

Overview: Firewalls and IDS
- Firewall appliance: concepts and limitations
- Integration in networks
- Overview of firewall products
- Firewall components: static and dynamic IP filtering; TCP/UDP relays and SOCKS; application gateways and proxies; address translation (NAT and IGD)
- Intrusion Detection Systems: IDS/IPS functionality; IDS integration with firewalls

Firewall Concepts
Simplest concept: a single firewall with an IP filter and a proxy for certain application protocols.
The IP filter checks each IP packet, i.e.:
- the type of packet (TCP, UDP, ICMP, ...)
- the IP addresses of sender and receiver
- the port numbers (TCP, UDP) of sender and receiver
- the flags in the TCP header
The proxy checks the data on the application level (mail, WWW, etc.).

Firewall Limitations
- Firewalls can have security holes in their own OS.
- A misconfiguration of the firewall is not unlikely.
- Proxy: application-level protocols in particular are complex and sometimes have security holes, so the proxy that parses them can be attacked itself.
- Attacks do not necessarily come from the Internet; internal users can also be responsible for attacks, and a perimeter firewall does not see traffic that stays inside the LAN.
- A single firewall is a single point of failure.

Firewall Integration (1)
[Figure: LAN, firewall (CheckPoint FireWall-1 or Cisco PIX), a demilitarized zone (DMZ) containing the WWW server and the SMTP server, and the Internet.]

Firewall Integration (2)
[Figure: a two-router design with the firewall in the middle. Router 1 connects to the Internet (outside addresses 140.252.90.254 and 140.252.90.185). The "Transfer NET" between Router 1 and the FW is 140.252.90.240/28 (max. 14 IPs; FW NIC 1 at 140.252.90.241, Router 1 at 140.252.90.238 and 140.252.90.225 on the adjacent nets). The DMZ hangs off the FW as 140.252.90.184/29 (max. 6 IPs) and holds the WWW server 140.252.90.189 and the SMTP server 140.252.90.190. The "Intersystem NET" 140.252.90.224/28 (max. 14 IPs) connects the FW to Router 2 (10.10.60.1 on the LAN side), behind which lie the LAN (e.g. 172.25.250.30) and the FW management station 10.10.60.5.]

Firewall Products

Firewall               | Type                                                | Advantages (+) / Disadvantages (-)
CheckPoint FireWall-1  | Unix software firewall                              | + many features (communication between several firewalls, VPN & PKI integration, attachment modules); - complex configuration
Cisco PIX              | high-end hardware firewall                          | + the well-known PIX configuration syntax; - supports less functionality than FireWall-1
Cisco hardware router  | router configured as an IP filter (IOS access lists, similar to the PIX syntax) | + reuses existing equipment; - only filter functionality, no application gateway
Hardened Linux         | Linux kernel configured as an IP filter (ipfwadm)   | + cheap, simple firewall; - only filter functionality, no application gateway

(ipfwadm belongs to the Linux 2.0 kernels of the time; it was succeeded by ipchains and later iptables/nftables, which add stateful filtering.)

Static IP Filtering
[Figure: the Internet is reached via FastEthernet 0/0 (ACL "incoming" applied), the internal network with the mail server 140.252.90.190 via FastEthernet 0/1 (ACL "outgoing" applied); the example peer is the mail server of yahoo.de.]
Stateless filtering via fixed incoming/outgoing ACLs. Static filter rules (Cisco IOS extended ACL syntax):

    Router(config)# ip access-list extended outgoing
    Router(config-ext-nacl)# permit tcp host 140.252.90.190 any eq smtp
    Router(config)# interface FastEthernet 0/1
    Router(config-if)# ip access-group outgoing in

    Router(config)# ip access-list extended incoming
    Router(config-ext-nacl)# permit tcp any eq smtp host 140.252.90.190 gt 1023 established
    Router(config)# interface FastEthernet 0/0
    Router(config-if)# ip access-group incoming in

The keyword established only checks that the ACK or RST bit is set in the TCP header; the router keeps no memory of which connections the mail server actually opened, so any inbound segment from port 25 with ACK set to a port above 1023 is accepted. Fragmentation attacks are still possible with static filtering: if the TCP header is split across fragments (tiny or overlapping fragments), the filter cannot see the ports and flags it is supposed to check.

Dynamic IP Filtering
Stateful filtering via one reflexive ACL and a dynamically updated table. Example dynamic filter rule (Cisco IOS reflexive ACL syntax; the outbound entry carries reflect, the inbound list evaluates the resulting temporary entries):

    Router(config)# ip access-list extended outgoing
    Router(config-ext-nacl)# permit tcp host 140.252.90.190 any eq 25 reflect mailtraffic
    Router(config)# ip access-list extended incoming
    Router(config-ext-nacl)# evaluate mailtraffic

When the mail server opens a connection, a temporary table entry is created containing the following information:

ID | Protocol | Source IP      | Source Port | Dest. IP       | Dest. Port
1  | TCP      | 140.252.90.190 | 2456        | 213.165.64.100 | 25

Only packets matching the reverse of this entry (from 213.165.64.100 port 25 to 140.252.90.190 port 2456) are accepted inbound.
Problem: how long should the table entry be kept, i.e. what timeout value (a lost connection vs. an application that is legitimately idle)?

Advantages of Dynamic IP Filtering
- Only one filter rule per connection is necessary; no extra rule for the response packets is needed.
- Response packets are only accepted on the exact source port of the connection, so no broad port ranges need to be opened (relevant for RPC services with variable ports).
- Response packets are only accepted while the connection is active; afterwards they are discarded (the FIN flag in TCP signals the end of the connection).
- After a configured timeout the entry is removed from the temporary table.
- But the FTP/RPC problem remains: these protocols negotiate further ports inside the application data, which a pure IP filter does not see.
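The difference between the static ACL with established and the reflexive table, and the FTP/RPC limitation that remains, can be made concrete with a small filter simulator. The following is an added example and not code from the slides or from any vendor: the packet model, the internal host 140.252.90.190 and the remote addresses are constructed, and the reflexive filter is a simplification of Cisco's behaviour (it drops the entry on the first FIN or RST instead of waiting for both sides to finish).

```python
from collections import namedtuple

# Constructed packet model: only the header fields the ACLs look at.
# flags is a set of TCP flag names, e.g. {"SYN"} or {"ACK"}.
Packet = namedtuple("Packet", "proto src sport dst dport flags")

MAIL_SERVER = "140.252.90.190"   # internal mail server from the slide topology
ANY = "any"

def eq(n):
    return lambda port: port == n

def gt(n):
    return lambda port: port > n

def any_port(port):
    return True

# One extended-ACL entry: action, protocol, source, source-port predicate,
# destination, destination-port predicate and the 'established' keyword.
Rule = namedtuple("Rule", "action proto src sport dst dport established")

# The two static ACLs from the slide, transcribed as data.
ACL_OUTGOING = [Rule("permit", "tcp", MAIL_SERVER, any_port, ANY, eq(25), False)]
ACL_INCOMING = [Rule("permit", "tcp", ANY, eq(25), MAIL_SERVER, gt(1023), True)]

def static_filter(acl, p):
    """Cisco-style evaluation: first matching entry wins, implicit deny at the end."""
    for r in acl:
        if (r.proto == p.proto
                and r.src in (ANY, p.src) and r.dst in (ANY, p.dst)
                and r.sport(p.sport) and r.dport(p.dport)
                # 'established' only tests for ACK or RST; there is no memory of
                # whether the inside host ever opened this connection.
                and (not r.established or p.flags & {"ACK", "RST"})):
            return r.action == "permit"
    return False

class ReflexiveFilter:
    """Simplified reflexive ACL: an outbound match creates a mirrored, time-limited entry."""
    def __init__(self, timeout=300):
        self.timeout = timeout
        self.table = {}   # mirrored (proto, src, sport, dst, dport) -> expiry time

    def outbound(self, p, now):
        # permit tcp host MAIL_SERVER any eq 25 reflect mailtraffic
        if p.proto == "tcp" and p.src == MAIL_SERVER and p.dport == 25:
            key = (p.proto, p.dst, p.dport, p.src, p.sport)   # the reply direction
            if p.flags & {"FIN", "RST"}:
                self.table.pop(key, None)   # simplification: IOS waits for both FINs
            else:
                self.table[key] = now + self.timeout
            return True
        return False

    def inbound(self, p, now):
        # evaluate mailtraffic: accept only packets that belong to a live entry
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        expiry = self.table.get(key)
        if expiry is None or expiry < now:
            self.table.pop(key, None)   # unknown or timed out
            return False
        if p.flags & {"FIN", "RST"}:
            del self.table[key]         # connection end closes the hole
        return True

def run_scenarios():
    """Same packets through both filters; returns a dict of verdicts (True = permitted)."""
    remote, attacker, inside_host = "213.165.64.100", "198.51.100.9", "140.252.90.189"
    results = {}
    # 1. ACK "scan": source port 25, ACK set, aimed at an unrelated high port.
    scan = Packet("tcp", attacker, 25, MAIL_SERVER, 3389, {"ACK"})
    results["static_ack_scan"] = static_filter(ACL_INCOMING, scan)   # slips through
    fw = ReflexiveFilter(timeout=300)
    results["stateful_ack_scan"] = fw.inbound(scan, now=0)           # no entry: dropped
    # 2. Real mail session: the outbound SYN creates the entry, the reply matches it.
    fw.outbound(Packet("tcp", MAIL_SERVER, 2456, remote, 25, {"SYN"}), now=0)
    results["stateful_reply"] = fw.inbound(
        Packet("tcp", remote, 25, MAIL_SERVER, 2456, {"SYN", "ACK"}), now=1)
    # 3. FIN from the remote side removes the entry; later packets are dropped.
    fw.inbound(Packet("tcp", remote, 25, MAIL_SERVER, 2456, {"FIN", "ACK"}), now=2)
    results["after_fin"] = fw.inbound(
        Packet("tcp", remote, 25, MAIL_SERVER, 2456, {"ACK"}), now=3)
    # 4. Idle timeout: an entry created at t=0 is gone at t=301.
    fw.outbound(Packet("tcp", MAIL_SERVER, 2457, remote, 25, {"SYN"}), now=0)
    results["after_timeout"] = fw.inbound(
        Packet("tcp", remote, 25, MAIL_SERVER, 2457, {"ACK"}), now=301)
    # 5. The FTP/RPC problem: an active-FTP data connection opened by the remote side
    #    (port 20 -> port announced inside the control channel) has no entry.
    results["ftp_data"] = fw.inbound(
        Packet("tcp", remote, 20, inside_host, 3000, {"SYN"}), now=5)
    return results

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} {'permit' if verdict else 'deny'}")
```

Scenario 1 is the practical reason to prefer the reflexive form: the static rule cannot tell a reply from a forged ACK segment, so it lets a scanner probe every port above 1023 on the mail server. Scenario 5 shows what neither form fixes, which is what stateful inspection below addresses.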

Stateful Inspection
IP filtering does not address the problem of data analysis on the application level. This is necessary because some protocols specify the port for the answer on the application level, e.g.:
- RPC calls as used in Sun's NFS (Network File System), where the port is obtained from the portmapper
- a port for data is negotiated over the control-flow port of the FTP protocol
Stateful inspection means looking deeper into the traffic to make additional decisions based on application-level information, e.g. knowledge of the portmapper protocol for RPCs.
Stateful inspection opens smaller "holes" through which traffic can pass: instead of permitting any program to send TCP traffic on port 80, it is ensured that the packets belong to an existing HTTP session.
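What "looking deeper" means for FTP can be shown with the application-level helper an inspection engine runs over the control channel: it parses the PORT command and the 227 passive-mode reply and opens exactly one pinhole for the data connection they announce. This is an added example, not code from the slides or from any firewall product; the client and server addresses in the usage are constructed, and the checks that the announced address must be the client's own (for PORT) or the server's own (for PASV) are the hardening a practitioner would add, not something the slide states.

```python
import re
from collections import namedtuple

# The dynamic filter entry the inspection engine opens for one data connection.
# sport None means "any source port".
Pinhole = namedtuple("Pinhole", "proto src sport dst dport")

# FTP carries addresses as six decimals h1,h2,h3,h4,p1,p2 (RFC 959); port = p1*256 + p2.
_PORT_CMD = re.compile(rb"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_PASV_REPLY = re.compile(rb"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def _decode_hostport(groups):
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in FTP address")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def inspect_ftp_control(line, client_ip, server_ip):
    """Inspect one line of the FTP control channel between client_ip and server_ip:21.

    Returns the Pinhole to open, or None if the line announces no data connection.
    Raises ValueError for announcements the filter should refuse (and log).
    """
    line = line.rstrip(b"\r\n")
    m = _PORT_CMD.match(line)
    if m:
        ip, port = _decode_hostport(m.groups())
        # Active mode: the server will connect from port 20 to the announced address.
        # Accept only the client's own address; anything else is an FTP bounce that
        # would turn the pinhole into a way to reach a third host.
        if ip != client_ip:
            raise ValueError(f"PORT address {ip} is not the client {client_ip}")
        if port <= 1023:
            raise ValueError(f"PORT port {port} is a privileged port")
        return Pinhole("tcp", server_ip, 20, ip, port)
    m = _PASV_REPLY.match(line)
    if m:
        ip, port = _decode_hostport(m.groups())
        # Passive mode: the client will connect to the address the server announced.
        if ip != server_ip:
            raise ValueError(f"PASV address {ip} is not the server {server_ip}")
        if port <= 1023:
            raise ValueError(f"PASV port {port} is a privileged port")
        return Pinhole("tcp", client_ip, None, ip, port)
    return None   # USER, PASS, RETR, ... open nothing

if __name__ == "__main__":
    # Constructed session: internal client 172.25.250.30 talking to an external server.
    client, server = "172.25.250.30", "213.165.64.100"
    for raw in (b"USER anonymous\r\n",
                b"PORT 172,25,250,30,11,184\r\n",
                b"227 Entering Passive Mode (213,165,64,100,195,80).\r\n",
                b"PORT 140,252,90,189,0,25\r\n"):
        try:
            print(raw.strip(), "->", inspect_ftp_control(raw, client, server))
        except ValueError as err:
            print(raw.strip(), "-> REJECT:", err)
```

The pinhole must be tied to the session that created it and removed with it, exactly like the reflexive entries above. When the client sits behind NAT, the address in PORT is its private one, so the same engine must also rewrite the command; that is the reason FTP needs an application-level gateway and not only a filter.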

TCP/UDP Relays and SOCKS
Relays are small server programs that listen on a certain port and, on demand, open a connection to a predefined target computer and copy the bytes in both directions; a SOCKS server does the same, but the target is named by the client inside the SOCKS protocol (RFC 1928) instead of being fixed.
[Figure: Computer X connects to the relay computer, which has a fixed forwarding table and connects on its behalf to the target computer across the Internet.]
Typical application: Domain Name replication from an internal to an external name server.
Still no security on the application level; only the network level is addressed, because the relay does not interpret the data it copies.
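A minimal TCP relay of this kind, with a fixed forwarding table, looks as follows. This is an added example and not code from the slides; the echo server standing in for the target computer and the loopback addresses are constructed so the block runs offline, and the forwarding table is keyed by the relay's listening port as an illustration of "predefined target".

```python
import socket
import threading

# Constructed forwarding table: relay listening port -> (target host, target port).
# The relay never looks at the bytes it copies; that is the whole point and the whole limitation.
FORWARDING_TABLE = {}

def _pump(src, dst):
    """Copy bytes from src to dst until src signals end-of-stream, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def relay_one(listener):
    """Accept one client on listener and relay it to the target from the table."""
    target = FORWARDING_TABLE[listener.getsockname()[1]]
    client, _ = listener.accept()
    upstream = socket.create_connection(target)
    pumps = [threading.Thread(target=_pump, args=(client, upstream), daemon=True),
             threading.Thread(target=_pump, args=(upstream, client), daemon=True)]
    for t in pumps:
        t.start()
    for t in pumps:
        t.join()
    client.close()
    upstream.close()

def _echo_once(server):
    """Constructed stand-in for the target computer: echoes one connection back."""
    conn, _ = server.accept()
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)

def _listen():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))   # ephemeral port on loopback
    s.listen(1)
    return s

def demo(payload=b"HELO relay.example\r\n"):
    """Send payload through the relay to the echo target and return what comes back."""
    target = _listen()
    threading.Thread(target=_echo_once, args=(target,), daemon=True).start()
    listener = _listen()
    FORWARDING_TABLE[listener.getsockname()[1]] = target.getsockname()
    threading.Thread(target=relay_one, args=(listener,), daemon=True).start()
    with socket.create_connection(listener.getsockname()) as c:
        c.settimeout(10)
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)   # tell the relay we are done sending
        chunks = []
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    target.close()
    listener.close()
    return b"".join(chunks)

if __name__ == "__main__":
    print(demo())
```

Because the relay forwards the half-close as well, a client that has sent everything still receives the complete answer; what it can never do is reject a malformed or malicious command, since it has no notion of the protocol being carried.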

Application Gateways / Proxies
Application gateways (proxies) process data on the application level, independently of the IP packets that carried it.
[Figure: Computer X sends an HTTP request to the Internet proxy; the proxy issues its own HTTP request to the Internet, receives the HTTP response and passes an HTTP response back to Computer X.]
- Complete separation of both sides of the network: no packet crosses the proxy, so the proxy has to implement the communication protocol itself (HTTP, SMTP, RPC, etc.).
- Many proxies can additionally cache data, e.g. WWW pages, for performance reasons.
- Proxies often require user authentication.

Network Address Translation (NAT)
The Internet gateway translates the IP addresses, statically or dynamically: internal IP (+ port) <-> Internet IP.
[Figure: Computer X with an internal IP address behind the Internet gateway, which has a real Internet IP address.]
Internal addresses (which are not routed in the Internet, RFC 1918):
- 10.0.0.0 - 10.255.255.255 (10/8)
- 172.16.0.0 - 172.31.255.255 (172.16/12)
- 192.168.0.0 - 192.168.255.255 (192.168/16)
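Dynamic NAT with port translation (NAPT, the form that lets many internal hosts share one Internet address) keeps a translation table much like the reflexive filter's. The following is an added example, not code from the slides or from any product: the public address 140.252.90.185 is taken from the topology figure, the internal hosts and the remote web server are constructed, and the sequential port allocation is a deliberate simplification (real implementations randomize it).

```python
import ipaddress
from collections import namedtuple

# Private ranges from RFC 1918, as listed on the slide.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

# Constructed packet model: only the addresses and ports that NAT rewrites.
Packet = namedtuple("Packet", "proto src sport dst dport")

class Napt:
    """Dynamic NAT with port translation: many internal hosts behind one public IP."""
    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.next_port, self.last_port = first_port, last_port
        self.out = {}    # (proto, int_ip, int_port, remote_ip, remote_port) -> public port
        self.back = {}   # (proto, public port, remote_ip, remote_port) -> (int_ip, int_port)

    def _allocate_port(self):
        if self.next_port > self.last_port:
            raise RuntimeError("NAT port pool exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def translate_outbound(self, p):
        """Rewrite an internal->Internet packet, creating the mapping if it is new."""
        if not is_rfc1918(p.src):
            raise ValueError(f"{p.src} is not an internal address")
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        port = self.out.get(key)
        if port is None:
            port = self._allocate_port()
            self.out[key] = port
            self.back[(p.proto, port, p.dst, p.dport)] = (p.src, p.sport)
        return p._replace(src=self.public_ip, sport=port)

    def translate_inbound(self, p):
        """Rewrite an Internet->internal packet, or return None (drop) without a mapping."""
        inner = self.back.get((p.proto, p.dport, p.src, p.sport))
        if inner is None:
            return None   # unsolicited: no inside host asked for this
        return p._replace(dst=inner[0], dport=inner[1])

def demo():
    """Two inside hosts using the same source port, a reply, and a stray inbound packet."""
    nat = Napt("140.252.90.185")
    a = Packet("tcp", "10.10.60.20", 40000, "213.165.64.100", 80)
    b = Packet("tcp", "10.10.60.21", 40000, "213.165.64.100", 80)   # same sport as a
    out_a, out_b = nat.translate_outbound(a), nat.translate_outbound(b)
    reply_a = Packet("tcp", "213.165.64.100", 80, out_a.src, out_a.sport)
    stray = Packet("tcp", "198.51.100.9", 4444, nat.public_ip, 1031)
    return {"out_a": out_a, "out_b": out_b,
            "reply_a": nat.translate_inbound(reply_a),
            "stray": nat.translate_inbound(stray),
            "again_a": nat.translate_outbound(a)}

if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:8s} {pkt}")
```

The two inside hosts collide on source port 40000, which is why the translation must include ports and not just addresses; the stray packet is dropped for the same reason a reflexive filter drops it, so NAT gives a filtering side effect, but only for traffic that goes through the table, and it is no substitute for a firewall rule set.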

IDS Functionality
How can an attack be identified by an Intrusion Detection System?
- Log file analysis (host-based IDS)
- Network traffic analysis (network-based IDS)
- Network traffic analysis in a segment based on statically configured constraints (static IDS)
- Certain attacks (Ping of Death, SYN flood, etc.) can be identified by their unique network fingerprint
- Another possibility is the detection of deviations from normal network traffic with heuristic analysis over a (long) period of time
- Some IDS respond actively and use the same techniques as an attacker (IP spoofing, TCP sequence number guessing), e.g. to inject forged resets into a suspicious connection or to find out more about its source
- An IDS can have a significant impact on network performance

Structure of an IDS (Example: Snort)
- Snort tries to detect an attack by pattern matching, i.e. known attack patterns (signatures) are stored in a rule database, e.g. for a port scan or an ICMP probe.
- Snort analyses packets according to sender and receiver IPs, source and destination ports, TCP flags, and the payload (string matching).
- Snort reports an attack via syslog, SMB messages or Unix sockets.
- An attack is recorded in log files or in a SQL database; the ACID or SnortSnarf plug-ins provide a graphical user interface.
- An IDS can err in two directions: false positives (benign traffic reported as an attack) and false negatives (an attack that matches no pattern).
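The three detection styles the two slides above describe (fingerprint of a known attack, signature string matching, and a threshold over traffic behaviour) can be run over a handful of packets to see both error directions. This is an added example and not Snort or any code from the slides: the rule shape is a simplification of a Snort rule (protocol, destination port, content string), the thresholds are constructed, and the traffic sample is constructed to contain one true positive of each kind, one false positive and one false negative.

```python
from collections import defaultdict, namedtuple

# Constructed packet model with the fields the detectors below need.
# flags: set of TCP flag names; frag_offset: IP fragment offset in 8-byte units.
Packet = namedtuple("Packet", "ts proto src dst sport dport flags frag_offset length payload")

# Snort-like content signatures (simplified rule shape, not Snort rule syntax).
SIGNATURES = [
    {"sid": 1, "proto": "tcp", "dport": 80, "content": b"/etc/passwd",
     "msg": "WEB-MISC /etc/passwd access"},
    {"sid": 2, "proto": "tcp", "dport": 25, "content": b"VRFY ",
     "msg": "SMTP VRFY user enumeration"},
]

def signature_alerts(p):
    """Pattern matching: header fields plus a literal string search in the payload."""
    return [s["msg"] for s in SIGNATURES
            if s["proto"] == p.proto and s["dport"] == p.dport and s["content"] in p.payload]

def ping_of_death(p):
    """Fingerprint: an ICMP fragment whose end lies beyond the 65535-byte IP maximum."""
    return p.proto == "icmp" and p.frag_offset * 8 + p.length > 65535

class PortScanDetector:
    """Alert once when a source sends SYNs to more than max_ports distinct ports within window seconds."""
    def __init__(self, max_ports=10, window=5.0):
        self.max_ports, self.window = max_ports, window
        self.seen = defaultdict(list)   # src -> [(ts, (dst, dport)), ...]
        self.alerted = set()

    def observe(self, p):
        if p.proto != "tcp" or "SYN" not in p.flags or "ACK" in p.flags:
            return None
        hist = self.seen[p.src]
        hist.append((p.ts, (p.dst, p.dport)))
        hist[:] = [(t, tgt) for t, tgt in hist if p.ts - t <= self.window]
        if len({tgt for _, tgt in hist}) > self.max_ports and p.src not in self.alerted:
            self.alerted.add(p.src)
            return f"portscan from {p.src}"
        return None

def analyse(packets):
    """Run all detectors over a packet list; returns [(timestamp, message), ...]."""
    scanner = PortScanDetector()
    alerts = []
    for p in packets:
        alerts.extend((p.ts, msg) for msg in signature_alerts(p))
        if ping_of_death(p):
            alerts.append((p.ts, f"ping of death from {p.src}"))
        msg = scanner.observe(p)
        if msg:
            alerts.append((p.ts, msg))
    return alerts

def sample_traffic():
    """Constructed traffic against the DMZ web server 140.252.90.189."""
    web, scanner, reader = "140.252.90.189", "198.51.100.9", "203.0.113.5"
    pkts = [Packet(100 + i * 0.25, "tcp", scanner, web, 40000 + i, 1 + i, {"SYN"}, 0, 60, b"")
            for i in range(12)]                                   # port scan, 12 ports in 3 s
    pkts += [
        # true positive: path traversal to /etc/passwd
        Packet(110.0, "tcp", scanner, web, 41000, 80, {"ACK", "PSH"}, 0, 300,
               b"GET /cgi-bin/view?f=../../etc/passwd HTTP/1.0\r\n"),
        # false positive: a forum post that merely mentions the file name
        Packet(111.0, "tcp", reader, web, 51000, 80, {"ACK", "PSH"}, 0, 400,
               b"POST /forum/post HTTP/1.0\r\n\r\nbody=Why /etc/passwd is world-readable"),
        # true positive: ICMP fragment placed past the end of a maximum-size datagram
        Packet(112.0, "icmp", scanner, web, 0, 0, set(), 8189, 40, b""),
        # false negative: the same traversal, URL-encoded, misses the literal signature
        Packet(113.0, "tcp", scanner, web, 41001, 80, {"ACK", "PSH"}, 0, 300,
               b"GET /cgi-bin/view?f=../../etc/%70asswd HTTP/1.0\r\n"),
    ]
    return pkts

if __name__ == "__main__":
    for ts, msg in analyse(sample_traffic()):
        print(f"{ts:7.2f}  {msg}")
```

The forum post and the encoded request show the two failure modes side by side: a literal signature fires on benign text that happens to contain the string and misses the same attack after trivial encoding, which is why real engines normalise URLs before matching and why the tuning of rules is a large part of operating an IDS.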

IDS and Firewall Integration (1)
[Figure: LAN - Firewall 1 - Firewall 2 - Internet. Intrusion Detection System 1 sits on the LAN side for internal network protection, e.g. against viruses and worms; Intrusion Detection System 2 sits between the firewalls for the detection of external attacks.]

IDS and Firewall Integration (2)
- An IDS traces the complete progress of an attack, unlike a firewall, which only decides per packet or per connection.
- An IDS can try to find out more about the attacker than the firewall and try to apply countermeasures.
- An IDS can act inside the LAN, whereas a firewall acts only on segment borders.
- An IDS can support a firewall with extra logging information.
- Certain IDS work closely with a firewall and can even change its configuration, which gives higher flexibility regarding application protocols. Caveat: when an IDS blocks sources automatically, an attacker can spoof the source address of a "detected" attack to make the firewall block legitimate addresses.
- Example: ISS RealSecure is designed to protect and interact with CheckPoint's FireWall-1.