Operational Security. Speaking Frankly The Internet is not a very safe place. A sense of false security... Firewalls*


Transcription:

Operational Security: Firewalls and Intrusion Detection. CS242 Computer Networks.

Speaking Frankly. The Internet is not a very safe place. From our network administrator's point of view, the world divides into two camps: Us - good; able to access local resources; and Them - suspicious; access must be carefully scrutinized and perhaps restricted.

Department of Computer Science, Wellesley College. Firewalls 25-2

Firewalls*. A sense of false security... In theory, only authorized traffic, as defined by local security policy, is allowed to pass.

[Figure: administered network (trusted, "good guys") | firewall | public Internet (untrusted, "bad guys")]

Of course the firewall itself is a device connected to the network. It had better be carefully designed and installed or else we are only fooling ourselves.

*A firewall isolates an organization's internal network from the larger Internet, allowing some packets to pass, blocking others.

Firewalls come in three flavors: traditional (stateless) packet filters, stateful filters, and application gateways. Traditional packet filters examine each datagram in isolation at the point of entry/exit: the internal network is connected to the Internet via a router firewall which filters packet-by-packet. Stateful filters track TCP connections, and use this knowledge to make filtering decisions. Application gateways are application-specific servers through which all application data must pass.

Filtering decisions are typically based on: IP source or destination address; protocol type in the IP datagram field; TCP or UDP source and destination port; TCP flags (SYN, ACK, etc.); ICMP message type.

Policy decisions

Policy: No outside Web access.
Firewall setting: Drop all outgoing packets to any IP address, port 80.

Policy: No incoming TCP connections, except those for the institution's public Web server only.
Firewall setting: Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80.

Policy: Prevent Web-radios from eating up the available bandwidth.
Firewall setting: Drop all incoming UDP packets - except DNS and router broadcasts.

Policy: Prevent your network from being used for a smurf DoS attack.
Firewall setting: Drop all ICMP packets going to a broadcast address (e.g. 130.207.255.255).

Policy: Prevent your network from being tracerouted.
Firewall setting: Drop all outgoing ICMP TTL expired traffic.

We could get tricky and base our policy on a combination of addresses and port numbers. For example, our router could filter all Telnet datagrams (port 23) except those going to and coming from a list of specific IP addresses. This allows Telnet connections to and from hosts on the allowed list. However,...
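The policy table above maps each policy statement to one drop rule. The Python below is an added example, not code from the Wellesley slides: it encodes the five firewall settings as predicates over a small packet record and applies them first-match to constructed sample packets, so the effect of each rule on real-looking traffic can be checked. The address block 130.207.0.0/16, the reading of "router broadcasts" as UDP sent to the network's broadcast address, and the sample outside addresses (198.51.100.0/24, a documentation range) are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumption (not stated on the slides): the institution's address block is
# 130.207.0.0/16, chosen because the slides name the public Web server
# 130.207.244.203 and the broadcast address 130.207.255.255.
INTERNAL_NET = ipaddress.ip_network("130.207.0.0/16")
PUBLIC_WEB_SERVER = ipaddress.ip_address("130.207.244.203")
ICMP_TIME_EXCEEDED = 11   # the "TTL expired" ICMP type that traceroute depends on


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False          # TCP flag bits
    ack: bool = False
    icmp_type: int = 0

    @property
    def outgoing(self) -> bool:
        return ipaddress.ip_address(self.src) in INTERNAL_NET

    @property
    def incoming(self) -> bool:
        return not self.outgoing

    @property
    def to_broadcast(self) -> bool:
        return ipaddress.ip_address(self.dst) == INTERNAL_NET.broadcast_address


# Each policy line from the slide becomes one predicate: True means "drop".
def no_outside_web(p: Packet) -> bool:
    return p.outgoing and p.proto == "tcp" and p.dport == 80


def no_incoming_connections(p: Packet) -> bool:
    # A new inbound connection is a SYN without ACK; only the public Web server may take one.
    new_conn = p.incoming and p.proto == "tcp" and p.syn and not p.ack
    to_web_server = ipaddress.ip_address(p.dst) == PUBLIC_WEB_SERVER and p.dport == 80
    return new_conn and not to_web_server


def no_web_radios(p: Packet) -> bool:
    # Inbound UDP is dropped unless it is DNS (port 53) or a router broadcast
    # (assumed here to mean UDP sent to the network's broadcast address).
    is_dns = p.sport == 53 or p.dport == 53
    return p.incoming and p.proto == "udp" and not (is_dns or p.to_broadcast)


def no_smurf(p: Packet) -> bool:
    return p.proto == "icmp" and p.to_broadcast


def no_traceroute(p: Packet) -> bool:
    return p.outgoing and p.proto == "icmp" and p.icmp_type == ICMP_TIME_EXCEEDED


RULES = [
    ("no outside Web access", no_outside_web),
    ("no incoming TCP connections except to the public Web server", no_incoming_connections),
    ("no Web radios: inbound UDP only for DNS and router broadcasts", no_web_radios),
    ("no smurf amplification: ICMP to broadcast", no_smurf),
    ("no traceroute: outgoing ICMP TTL expired", no_traceroute),
]


def filter_packet(p: Packet):
    """Return ("drop", rule name) for the first matching rule, else ("allow", None)."""
    for name, matches in RULES:
        if matches(p):
            return "drop", name
    return "allow", None


# Constructed sample traffic; 198.51.100.0/24 stands in for "outside".
SAMPLES = {
    "outbound web":         Packet("130.207.10.4", "198.51.100.20", "tcp", 40001, 80, syn=True),
    "outbound https":       Packet("130.207.10.4", "198.51.100.20", "tcp", 40002, 443, syn=True),
    "inbound syn to web":   Packet("198.51.100.20", "130.207.244.203", "tcp", 51000, 80, syn=True),
    "inbound syn to ssh":   Packet("198.51.100.20", "130.207.244.203", "tcp", 51001, 22, syn=True),
    "inbound dns reply":    Packet("198.51.100.53", "130.207.10.4", "udp", 53, 33000),
    "inbound web radio":    Packet("198.51.100.77", "130.207.10.4", "udp", 8000, 5004),
    "ping to broadcast":    Packet("198.51.100.9", "130.207.255.255", "icmp", icmp_type=8),
    "outbound ttl expired": Packet("130.207.1.1", "198.51.100.9", "icmp", icmp_type=ICMP_TIME_EXCEEDED),
}


def verdicts():
    """Action taken for every sample packet, keyed by its label."""
    return {label: filter_packet(p)[0] for label, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, p in SAMPLES.items():
        action, rule = filter_packet(p)
        print(f"{label:22s} {action:5s} {rule or ''}")
```

Note the default: anything no drop rule matches is allowed, which is exactly why the slide's list is only a starting point. The "inbound syn to web" case passes because the rule exempts the one server and port, while the same SYN to port 22 on that host is dropped.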

Filtering TCP handshakes. Filtering can be based on whether or not the TCP ACK bit is set. This lets internal clients connect to external servers, but... prevents external clients from connecting to internal servers.

Access control list for router interface*:

action | source address       | dest address         | protocol | source port | dest port | flag bit
allow  | internal net         | outside of internal  | TCP      | > 1023      | 80        | any
allow  | outside of internal  | internal net         | TCP      | 80          | > 1023    | ACK
allow  | internal net         | outside of internal  | UDP      | > 1023      | 53        | ---
allow  | outside of internal  | internal net         | UDP      | 53          | > 1023    | ----
deny   | all                  | all                  | all      | all         | all       | all

*Table of rules, applied top to bottom to incoming packets: (action, condition) pairs.

Problems with stateless filters. Although restrictive, the access control list in the previous table allows packets arriving from the outside with ACK=1 and source port 80, even when no TCP connection has been established:

action | source address       | dest address  | protocol | source port | dest port | flag bit
allow  | outside of internal  | internal net  | TCP      | 80          | > 1023    | ACK

Such packets could be used by attackers in attempts to crash internal systems with malformed packets, carry out denial-of-service attacks, or map the internal network.

Stateful packet filters. Stateful filters track all ongoing TCP connections in a connection table. The firewall observes the beginning of a new connection (SYN, SYNACK, and ACK); and it can observe the end of the connection when it sees a FIN packet.*

source addr    | dest addr      | source port | dest port
222.22.1.7     | 37.96.87.123   | 12699       | 80
222.22.93.2    | 199.1.205.23   | 37654       | 80
222.22.65.143  | 203.77.240.43  | 48712       | 80

*The firewall can (conservatively) assume that the connection is over when it hasn't seen any activity for, say, 60 seconds.

Augmented access control list for stateful filter*:

action | source address       | dest address         | protocol | source port | dest port | flag bit | check connection
allow  | internal net         | outside of internal  | TCP      | > 1023      | 80        | any      |
allow  | outside of internal  | internal net         | TCP      | 80          | > 1023    | ACK      | x
allow  | internal net         | outside of internal  | UDP      | > 1023      | 53        | ---      |
allow  | outside of internal  | internal net         | UDP      | 53          | > 1023    | ----     |
deny   | all                  | all                  | all      | all         | all       | all      | x

*ACL augmented to indicate the need to check the connection state table before admitting a packet.

So far, so good, but suppose now that... Wellesley wants to provide Telnet services to a restricted set of internal users (as opposed to IP addresses)... and suppose Wellesley wants such privileged users to authenticate themselves first before being allowed to create a Telnet session to the outside world.*

*Such tasks are beyond stateful filters. The identity of internal users is application-layer data and is not included in the IP/TCP/UDP headers.

Application gateways. An application gateway is an application-specific server through which all application data must pass. It looks beyond IP/TCP/UDP headers to make policy decisions based on application data.

To do this, we must... We design a firewall that allows only a restricted set of internal users to Telnet outside and prevents all external clients from Telneting inside.

[Figure: host-to-gateway telnet session | application gateway | gateway-to-remote-host telnet session | router and filter]

1. Require all Telnet users to Telnet through the application gateway.
2. For authorized users, the gateway sets up a Telnet connection to the destination host. The gateway relays data between the 2 connections.
3. The router filter blocks all Telnet connections not originating from the gateway.
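To see concretely why the stateless ACL admits unsolicited ACK=1 packets and how the connection table closes that hole, here is an added example in Python (not code from the slides). It implements the ACL rows from the tables above, a stateless filter that consults only the ACL, and a stateful filter that additionally keeps the connection table with the 60-second idle timeout, then replays constructed traffic through both. The internal network 222.22.0.0/16, tearing the entry down on the first FIN seen, and the constructed traffic (203.0.113.0/24, a documentation range, as an outside address) are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the administered network is 222.22.0.0/16 (the slides' connection
# table shows internal hosts 222.22.1.7, 222.22.93.2 and 222.22.65.143).
INTERNAL_NET = ipaddress.ip_network("222.22.0.0/16")
IDLE_TIMEOUT = 60.0   # seconds of silence after which the connection is presumed over


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    t: float = 0.0        # arrival time in seconds


def inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL_NET


# The slide's ACL rows: (action, src inside?, dst inside?, proto, source-port test,
# dest-port test, flag test, check connection table?). Applied top to bottom.
ACL = [
    ("allow", True,  False, "tcp", lambda s: s > 1023, lambda d: d == 80,   lambda p: True,  False),
    ("allow", False, True,  "tcp", lambda s: s == 80,  lambda d: d > 1023, lambda p: p.ack, True),
    ("allow", True,  False, "udp", lambda s: s > 1023, lambda d: d == 53,   lambda p: True,  False),
    ("allow", False, True,  "udp", lambda s: s == 53,  lambda d: d > 1023, lambda p: True,  False),
]


def acl_lookup(p: Packet):
    """Return (action, must_check_connection) for the first ACL row matching p; deny otherwise."""
    for action, s_in, d_in, proto, sp, dp, flags, check in ACL:
        if (inside(p.src) == s_in and inside(p.dst) == d_in and p.proto == proto
                and sp(p.sport) and dp(p.dport) and flags(p)):
            return action, check
    return "deny", False


def stateless_filter(p: Packet) -> str:
    """Traditional packet filter: the ACL alone decides."""
    return acl_lookup(p)[0]


class StatefulFilter:
    """ACL plus a connection table keyed (inside addr, outside addr, inside port, outside port)."""

    def __init__(self):
        self.table = {}   # key -> time the connection was last seen

    @staticmethod
    def key(p: Packet):
        # Normalise both directions of a connection to the same key.
        return (p.src, p.dst, p.sport, p.dport) if inside(p.src) else (p.dst, p.src, p.dport, p.sport)

    def expire(self, now: float):
        self.table = {k: t for k, t in self.table.items() if now - t < IDLE_TIMEOUT}

    def handle(self, p: Packet) -> str:
        self.expire(p.t)
        action, check = acl_lookup(p)
        if action != "allow":
            return "deny"
        k = self.key(p)
        if check and k not in self.table:
            return "deny"          # unsolicited: no connection was opened from inside
        if p.proto == "tcp" and p.syn and not p.ack and inside(p.src):
            self.table[k] = p.t    # outbound SYN opens a new entry
        if k in self.table:
            self.table[k] = p.t    # any traffic refreshes the idle timer
            if p.fin:
                del self.table[k]  # observed end of the connection (simplified: first FIN)
        return "allow"


def scenario():
    """Replay constructed traffic through both filters; rows are (label, stateless, stateful)."""
    sf = StatefulFilter()
    client, server = "222.22.1.7", "37.96.87.123"
    packets = [
        ("client SYN out",          Packet(client, server, "tcp", 12699, 80, syn=True, t=0.0)),
        ("server SYN-ACK in",       Packet(server, client, "tcp", 80, 12699, syn=True, ack=True, t=0.1)),
        ("client ACK out",          Packet(client, server, "tcp", 12699, 80, ack=True, t=0.2)),
        ("server data in",          Packet(server, client, "tcp", 80, 12699, ack=True, t=0.5)),
        ("external client SYN in",  Packet("203.0.113.9", "222.22.5.5", "tcp", 50000, 80, syn=True, t=0.8)),
        ("unsolicited ACK in",      Packet("203.0.113.9", "222.22.5.5", "tcp", 80, 40000, ack=True, t=1.0)),
        ("server data in after 70s idle", Packet(server, client, "tcp", 80, 12699, ack=True, t=70.5)),
    ]
    return [(label, stateless_filter(p), sf.handle(p)) for label, p in packets]


if __name__ == "__main__":
    for label, stateless, stateful in scenario():
        print(f"{label:32s} stateless={stateless:5s} stateful={stateful}")
```

Both filters stop the external client's SYN, which is the ACK-bit trick working as intended. Only the stateful filter stops the crafted ACK=1 packet from source port 80 and the late packet on a connection that has been idle longer than the timeout; the stateless ACL lets both through.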

Intrusion detection systems. Packet filtering operates on TCP/IP headers only; there is no correlation check among sessions. To detect many attacks, we need deep packet inspection, e.g., checking character strings in a packet against a database of known virus strings. Additionally we may wish to examine correlation among multiple packets to detect: port scanning; network mapping; DoS attacks.

Multiple IDS sensors.

[Figure: Internet | firewall | IDS sensors | demilitarized zone with Web server, FTP server and DNS server | application gateway | internal network]

Coarse grain classification. Signature-based IDS maintains a database of attack signatures, sniffs every packet, comparing contents with this database.* Anomaly-based IDS creates a traffic profile in normal operation, then looks for statistically unusual packet streams.**

*Most common, but completely blind to new attacks. Subject to false positives.
**Can potentially detect new attacks, but it is often difficult to distinguish between normal traffic and statistically unusual traffic.
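As an added example (not from the slides), the Python below contrasts the two coarse-grain IDS classes on constructed traffic: a signature-based pass that inspects payloads against a small made-up signature database, and an anomaly-based detector that profiles how many distinct (host, port) targets a source normally contacts and then flags statistically unusual sources, which is how port scanning and network mapping show up once you correlate across packets rather than inspecting one at a time. The signature strings, the threshold formula mean + 3 * stdev, and all addresses are assumptions for the example. The live traffic deliberately includes a legitimate monitoring host that touches many ports, so the run also shows the false-positive problem the footnotes describe.

```python
import statistics
from collections import defaultdict

# Constructed signature database for the example (not a real vendor feed):
# byte strings whose presence in a payload indicates a known attack pattern.
SIGNATURES = {
    "path-traversal": b"../../../etc/passwd",
    "windows-command-injection": b"cmd.exe /c",
}

# A packet is modelled as the tuple (src, dst, dport, payload); all traffic below is constructed.


def signature_matches(payload: bytes):
    """Deep packet inspection of one payload: names of every signature it contains."""
    return [name for name, sig in SIGNATURES.items() if sig in payload]


def signature_alerts(packets):
    """Signature-based IDS pass over a packet stream: one (src, dst, signature) per hit."""
    return [(src, dst, name)
            for src, dst, _dport, payload in packets
            for name in signature_matches(payload)]


def distinct_targets(packets):
    """Per-source count of distinct (dst, dport) pairs, the feature a port or network scan inflates."""
    seen = defaultdict(set)
    for src, dst, dport, _payload in packets:
        seen[src].add((dst, dport))
    return {src: len(targets) for src, targets in seen.items()}


class ScanDetector:
    """Anomaly-based IDS: profile the feature on normal traffic, then flag sources
    above mean + sigma * stdev. This correlates across packets, which a per-packet
    signature match cannot do."""

    def __init__(self, sigma: float = 3.0):
        self.sigma = sigma
        self.threshold = None

    def train(self, normal_packets) -> float:
        counts = list(distinct_targets(normal_packets).values())
        mean, sd = statistics.mean(counts), statistics.pstdev(counts)
        # Floor the spread at 1 so a very uniform profile does not alert on a tiny excess.
        self.threshold = mean + self.sigma * max(sd, 1.0)
        return self.threshold

    def detect(self, packets):
        if self.threshold is None:
            raise RuntimeError("train() on a normal-traffic profile first")
        return sorted(src for src, n in distinct_targets(packets).items() if n > self.threshold)


def touch(src, ports, dst="10.0.0.80", payload=b""):
    """Build constructed packets from src to each port in ports."""
    return [(src, dst, port, payload) for port in ports]


# Training profile: six ordinary internal clients touching one to three services each.
NORMAL_TRAFFIC = (touch("10.0.0.11", [80]) + touch("10.0.0.12", [80, 443])
                  + touch("10.0.0.13", [22]) + touch("10.0.0.14", [80, 443, 25])
                  + touch("10.0.0.15", [443, 53]) + touch("10.0.0.16", [80]))

# Live traffic: an ordinary user, a source sweeping 20 ports, a legitimate
# monitoring host that probes six services, and one request carrying a signature.
LIVE_TRAFFIC = (
    touch("10.0.0.12", [80, 443])
    + touch("198.51.100.7", range(20, 40))
    + touch("10.0.0.50", [22, 80, 443, 25, 53, 3306])
    + [("198.51.100.8", "10.0.0.80", 80, b"GET /../../../etc/passwd HTTP/1.1")]
)


def run_ids():
    """Train on the normal profile, then report both detectors' findings on the live traffic."""
    detector = ScanDetector()
    detector.train(NORMAL_TRAFFIC)
    return {"signature": signature_alerts(LIVE_TRAFFIC), "anomaly": detector.detect(LIVE_TRAFFIC)}


if __name__ == "__main__":
    for kind, findings in run_ids().items():
        print(kind, findings)
```

The signature pass catches only the one payload it has a string for and would miss a new variant entirely, while the anomaly pass catches the sweeping source without knowing anything about it but also flags the monitoring host. In practice the profile is tuned with allow-lists for such hosts, and the two approaches are run side by side.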