Firewalls, Tunnels, and Network Intrusion Detection

Similar documents
CIT 480: Securing Computer Systems

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

VPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

CSC 4900 Computer Networks: Security Protocols (2)

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

IPSec. Overview. Overview. Levente Buttyán

Sample excerpt. Virtual Private Networks. Contents

CSC Network Security

Service Managed Gateway TM. Configuring IPSec VPN

The IPsec protocols. Overview

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

IP Security. Have a range of application specific security mechanisms

CSC 6575: Internet Security Fall 2017

CTS2134 Introduction to Networking. Module 08: Network Security

Network Security. Thierry Sans

CSCE 715: Network Systems Security

IPV6 SIMPLE SECURITY CAPABILITIES.

Network Security Fundamentals

Virtual Private Network

Internet Protocol and Transmission Control Protocol

Virtual Private Networks (VPN)

IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

Virtual Private Networks

Configuring VPN from Proventia M Series Appliance to NetScreen Systems

IPsec NAT Transparency

iii PPTP... 7 L2TP/IPsec... 7 Pre-shared keys (L2TP/IPsec)... 8 X.509 certificates (L2TP/IPsec)... 8 IPsec Architecture... 11

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

IP Security IK2218/EP2120

Cryptography and Network Security. Sixth Edition by William Stallings

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

Secure channel, VPN and IPsec. stole some slides from Merike Kaeo

Virtual Private Networks.

Chapter 6/8. IP Security

Module 9. Configuring IPsec. Contents:

CSE 565 Computer Security Fall 2018

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

Network Encryption 3 4/20/17

Network Security: IPsec. Tuomas Aura

VPN Ports and LAN-to-LAN Tunnels

Internet security and privacy

IS-2150/TEL-2810 Introduction to Computer Security Quiz 2 Thursday, Dec 14, 2006

Security Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings)

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

Intranets 4/4/17. IP numbers and Hosts. Dynamic Host Configuration Protocol. Dynamic Host Configuration Protocol. CSC362, Information Security

INTERNET PROTOCOL SECURITY (IPSEC) GUIDE.

IPsec NAT Transparency

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Advanced Security and Mobile Networks

Chapter 11 The IPSec Security Architecture for the Internet Protocol

DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

Chapter 8 roadmap. Network Security

Configuring Security for VPNs with IPsec

HC-711 Q&As. HCNA-CBSN (Constructing Basic Security Network) - CHS. Pass Huawei HC-711 Exam with 100% Guarantee

VPN, IPsec and TLS. stole slides from Merike Kaeo apricot2017 1

(2½ hours) Total Marks: 75

Chapter 9. Firewalls

Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Manual Key Configuration for Two SonicWALLs

Introduction to IPsec. Charlie Kaufman

Lecture 9: Network Level Security IPSec

Computer Security. 12. Firewalls & VPNs. Paul Krzyzanowski. Rutgers University. Spring 2018

VPN Overview. VPN Types

Network Control, Con t

Virtual Private Network. Network User Guide. Issue 05 Date

Network Security 2. Module 4 Configure Site-to-Site VPN Using Pre-Shared Keys

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide

The IPSec Security Architecture for the Internet Protocol

Active Directory in Networks Segmented by Firewalls

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

VPN Option Guide for Site-to-Site VPNs

Lecture 12 Page 1. Lecture 12 Page 3

Fundamentals of Network Security v1.1 Scope and Sequence

Networking Security SPRING 2018: GANG WANG

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

School of Computer Sciences Universiti Sains Malaysia Pulau Pinang

Configuration of an IPSec VPN Server on RV130 and RV130W

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

Virtual Private Cloud. User Guide. Issue 03 Date

Network Security: IPsec. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Configuring IPsec and ISAKMP

Virtual Private Networks

Define information security Define security as process, not point product.

4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare

CSE543 Computer and Network Security Module: Network Security

COMPUTER NETWORK SECURITY

Networking interview questions

The EN-4000 in Virtual Private Networks

Integrating WX WAN Optimization with Netscreen Firewall/VPN

Network Security and Cryptography. December Sample Exam Marking Scheme

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

Transcription:

Firewalls, Tunnels, and Network Intrusion Detection 1

Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system. A network firewall is similar to firewalls in building construction, because in both cases they are intended to isolate one "network" or "compartment" from another. 2

Firewall Policies To protect private networks and individual machines from the dangers of the greater Internet, a firewall can be employed to filter incoming or outgoing traffic based on a predefined set of rules called firewall policies. Firewall policies Trusted internal network Untrusted Internet 3

Policy Actions Packets flowing through a firewall can have one of three outcomes: Accepted: permitted through the firewall Dropped: not allowed through with no indication of failure Rejected: not allowed through, accompanied by an attempt to inform the source that the packet was rejected Policies used by the firewall to handle packets are based on several properties of the packets being inspected, including the protocol used, such as: TCP or UDP the source and destination IP addresses the source and destination ports the application level payload of the packet (e.g., whether it contains a virus). 4

Blacklists and White Lists There are two fundamental approaches to creating firewall policies (or rulesets) to effectively minimize vulnerability to the outside world while maintaining the desired functionality for the machines in the trusted internal network (or individual computer). Blacklist approach All packets are allowed through except those that fit the rules defined specifically in a blacklist. This type of configuration is more flexible in ensuring that service to the internal network is not disrupted by the firewall, but is naïve from a security perspective in that it assumes the network administrator can enumerate all of the properties of malicious traffic. Whitelist approach A safer approach to defining a firewall ruleset is the default deny policy, in which packets are dropped or rejected unless they are specifically allowed by the firewall. 5

Firewall Types packet filters (stateless) If a packet matches the packet filter's set of rules, the packet filter will drop or accept it "stateful" filters it maintains records of all connections passing through it and can determine if a packet is either the start of a new connection, a part of an existing connection, or is an invalid packet. application layer It works like a proxy it can understand certain applications and protocols. It may inspect the contents of the traffic, blocking what it views as inappropriate content (i.e. websites, viruses, vulnerabilities,...) 6

Stateless Firewalls A stateless firewall doesn t maintain any remembered context (or state ) with respect to the packets it is processing. Instead, it treats each packet attempting to travel through it in isolation without considering packets that it has processed previously. SYN Seq = x Port=80 Client SYN-ACK Seq = y Ack = x + 1 Trusted internal network ACK Seq = x + 1 Ack = y + 1 Firewall Server Allow outbound SYN packets, destination port=80 Allow inbound SYN-ACK packets, source port=80 7

Stateless Restrictions Stateless firewalls may have to be fairly restrictive in order to prevent most attacks. Client (blocked) SYN Seq = y Port=80 Attacker Trusted internal network Firewall Allow outbound SYN packets, destination port=80 Drop inbound SYN packets, Allow inbound SYN-ACK packets, source port=80 8

Statefull Firewalls Stateful firewalls can tell when packets are part of legitimate sessions originating within a trusted network. Stateful firewalls maintain tables containing information on each active connection, including the IP addresses, ports, and sequence numbers of packets. Using these tables, stateful firewalls can allow only inbound TCP packets that are in response to a connection initiated from within the internal network. 9

Statefull Firewall Example Allow only requested TCP connections: 76.120.54.101 128.34.78.55 SYN Seq = x Port=80 Server Client SYN-ACK Seq = y Ack = x + 1 Trusted internal network ACK Seq = x + 1 Ack = y + 1 (blocked) SYN-ACK Seq = y Port=80 Attacker Allow outbound TCP sessions, destination port=80 Firewall Established TCP session: (128.34.78.55, 76.120.54.101) Firewall state table 10

Tunnels The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a TCP connection, he can often see the complete contents of the payloads in this session. One way to prevent such eavesdropping without changing the software performing the communication is to use a tunneling protocol. In such a protocol, the communication between a client and server is automatically encrypted, so that useful eavesdropping is infeasible. 11

Tunneling Prevents Eavesdropping Packets sent over the Internet are automatically encrypted. Client Tunneling protocol (does end-to-end encryption and decryption) Server TCP/IP Untrusted Internet TCP/IP Payloads are encrypted here 12

A secure interactive command session: Secure Shell (SSH) 1. The client connects to the server via a TCP session. 2. The client and server exchange information on administrative details, such as supported encryption methods and their protocol version, each choosing a set of protocols that the other supports. 3. The client and server initiate a secret key exchange to establish a shared secret session key, which is used to encrypt their communication (but not for authentication). 4. This session key is used in conjunction with a chosen block cipher (typically AES, 3DES) to encrypt all further communications. 13

SSH 1- Client and server establish a TCP session 2- Client and server exchange information (e.g. encryption, protocol version) 3- Secret key exchange protocol and establish a shared key 4- negotiate for authentication type 4.1 Client send a public key 4.2 server send a challenge E Pk (RN) 4.3 client decrypt the challenge D Pr (E Pk (RN)) 4.4 client send the challenge (RN) Encrypted data (e.g. 3DES or AES)

SSH 4. The server sends the client a list of acceptable forms of authentication, which the client will try in sequence. The most common mechanism is to use a password or the following public key authentication method: a) If public key authentication is the selected mechanism, the client sends the server its public key. b) The server then checks if this key is stored in its list of authorized keys. If so, the server encrypts a challenge using the client s public key and sends it to the client. c) The client decrypts the challenge with its private key and responds to the server, proving its identity. 5. Once authentication has been successfully completed, the server lets the client access appropriate resources, such as a command prompt. 15

IPSec IPSec defines a set of protocols to provide confidentiality and authenticity for IP packets Each protocol can operate in one of two modes, transport mode or tunnel mode. In transport mode, additional IPsec header information is inserted before the data of the original packet, and only the payload of the packet is encrypted or authenticated. In tunnel mode, a new packet is constructed with IPsec header information, and the entire original packet, including its header, is encapsulated as the payload of the new packet. 16

IPSEC The two parties must first set up a set of security associations (SAs) SAs contains encryption keys and encryption algorithms, and other parameters 1- Client and server established SAs (SPI1) in + IP (SPI2) in +IP (SPI3) in +IP (SPI4) in +IP SA1 SA2 SA3 SA4 SADB(inbound) (SPI1) in + IP (SPI2) in +IP (SPI3) in +IP (SPI4) in +IP SA1 SA2 SA3 SA4 Inbound (SPI1) out +IP (SPI2) out +IP (SPI3) out +IP (SPI4)out+IP SA1 SA2 SA3 SA4 SADB(outbound) (SPI1) out +IP (SPI2) out +IP (SPI3) out +IP (SPI4)out+IP SA1 SA2 SA3 SA4 outbound

Internet Key Exchange (IKE) IPSEC use the IKE protocol to handle the negotiation of Sas SAs includes hash function, encryption algorithm, and authentication methods 1- client and server execute the IKE 2- client and server established a shared key 3- client and server exchanged encrypted E k (SAs) 18

IPSEC The Authentication Header (AH) The Authentication header protocol is used to authenticate the IP header, and provide data integrity. Data is not encrypted 19

Components of the Authentication Header AH contains SPI a randomly initialized sequence number AH contains Integrity check value (ICV) ICV is computed using MAC based applying SHA 256 hash function on packet information (IP header and payload) that do not change during routing. AH do not support NAT. Because the source IP address is part of AH header. 20

The Encapsulating security protocol (ESP) ESP provide data confidentiality by encrypting the packet payload ESP encapsulate its payload by adding a header and a trailer ESP use block cipher (AES, 3DES, or Blowfish) ESP authenticate the payload and ESP header and not the IP header 21

ESP header 22

Virtual Private Networking (VPN) Virtual private networking (VPN)allows private networks to be safely extended over long physical distances by making use of a public network VPN provides guarantees of data confidentiality, integrity, and authentication, despite the use of an untrusted network for transmission. There are two primary types of VPNs, remote access VPN and site to site VPN. 23

Types of VPNs Remote access VPNs allow authorized clients to access a private network that is referred to as an intranet. To accomplish this, the organization sets up a VPN endpoint, known as a network access server, or NAS. Point to point tunneling protocol (PPTP) Layer 2 tunneling protocol (L2TP) 24

VPN (site to site) Site to site VPN solutions are designed to provide a secure bridge between two or more physically distant networks. Before VPN, organizations wishing to safely bridge their private networks purchased expensive leased lines to directly connect their intranets with cabling. 25

Risk from allowing tunneling VPN can be used to bypass firewall polices VPN can be used for information leakage attacks It can be used as wrapper for forbidden protocol An insider can establish a tunnel to external VPN server and use the external VPN server to route traffic to the target. 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback