INFS 766 Internet Security Protocols. Lecture 1 Firewalls. Prof. Ravi Sandhu INTERNET INSECURITY

Similar documents
20-CS Cyber Defense Overview Fall, Network Basics

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

Chapter 8 roadmap. Network Security

Interconnecting Networks with TCP/IP. 2000, Cisco Systems, Inc. 8-1

Chapter 2 - Part 1. The TCP/IP Protocol: The Language of the Internet

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Interconnecting Networks with TCP/IP

Network Security. Thierry Sans

TCP/IP THE TCP/IP ARCHITECTURE

Network Security. Tadayoshi Kohno

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Lecture 17 Overview. Last Lecture. Wide Area Networking (2) This Lecture. Internet Protocol (1) Source: chapters 2.2, 2.3,18.4, 19.1, 9.

Overview of TCP/IP Overview of TCP/IP protocol: TCP/IP architectural models TCP protocol layers.

Software Engineering 4C03 Answer Key

Configuring attack detection and prevention 1

ELEC5616 COMPUTER & NETWORK SECURITY

TCP /IP Fundamentals Mr. Cantu

Computer Security and Privacy

The Internet Protocol (IP)

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Hands-On Ethical Hacking and Network Defense

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Internet Security: Firewall

Concept Questions Demonstrate your knowledge of these concepts by answering the following questions in the space that is provided.

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

Unit 4: Firewalls (I)

ch02 True/False Indicate whether the statement is true or false.

Configuring attack detection and prevention 1

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

CSC 574 Computer and Network Security. TCP/IP Security

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

10 Defense Mechanisms

IP Protocols. ALTTC/Oct

IP - The Internet Protocol. Based on the slides of Dr. Jorg Liebeherr, University of Virginia

COMPUTER NETWORK SECURITY

CSC Network Security

TSIN02 - Internetworking

SE 4C03 Winter Final Examination Answer Key. Instructor: William M. Farmer

Syllabus: The syllabus is broadly structured as follows:

ET4254 Communications and Networking 1

CSc 466/566. Computer Security. 18 : Network Security Introduction

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Security Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings)

Computer and Network Security

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

W is a Firewall. Internet Security: Firewall. W a Firewall can Do. firewall = wall to protect against fire propagation

CSE 565 Computer Security Fall 2018

Why Firewalls? Firewall Characteristics

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

Indicate whether the statement is true or false.

Networking interview questions

Chapter 9. Firewalls

Network Security and Cryptography. 2 September Marking Scheme

TSIN02 - Internetworking

06/02/ Local & Metropolitan Area Networks 0. INTRODUCTION. 1. History and Future of TCP/IP ACOE322

Introduction p. 1 The Need for Security p. 2 Public Network Threats p. 2 Private Network Threats p. 4 The Role of Routers p. 5 Other Security Devices

Scribe Notes -- October 31st, 2017

TCP/IP Protocol Suite and IP Addressing

Introduction to Internetworking

What is a firewall? Firewall and IDS/IPS. Firewall design. Ingress vs. Egress firewall. The security index

8/19/2010. Computer Forensics Network forensics. Data sources. Monitoring

Firewall and IDS/IPS. What is a firewall?

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

CSC 4900 Computer Networks: Security Protocols (2)

Computer Network Vulnerabilities

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

ECE4110 Internetwork Programming. Introduction and Overview

CIT 380: Securing Computer Systems. Network Security Concepts

CCNA MCQS with Answers Set-1

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

TCP/IP Networking. Training Details. About Training. About Training. What You'll Learn. Training Time : 9 Hours. Capacity : 12

CSE 565 Computer Security Fall 2018

Denial of Service. EJ Jung 11/08/10

UDP, TCP, IP multicast

Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic

Internet Security Firewalls

TSIN02 - Internetworking

CIS 5373 Systems Security

Chapter 7. Local Area Network Communications Protocols

Lecture-4. TCP/IP-Overview:

COSC 301 Network Management

CSCI 680: Computer & Network Security

Introduction to Computer Networks. CS 166: Introduction to Computer Systems Security

CCNA 1 Chapter 7 v5.0 Exam Answers 2013

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

Introduction to TCP/IP networking

ARP, IP, TCP, UDP. CS 166: Introduction to Computer Systems Security 4/7/18 ARP, IP, TCP, UDP 1

Chapter 09 Network Protocols

CHAPTER 8 FIREWALLS. Firewall Design Principles

CS155 Firewalls. Why Firewalls? Why Firewalls? Bugs, Bugs, Bugs

CIS 551 / TCOM 401 Computer and Network Security

Network Interconnection

Introduction to routing in the Internet

Novell. NetWare 6. TCP/IP ADMINISTRATION GUIDE

CSE/EE 461 The Network Layer. Application Presentation Session Transport Network Data Link Physical

Implementing Firewall Technologies

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Transcription:

INFS 766 Internet Security Protocols Lecture 1 Firewalls Prof. Ravi Sandhu INTERNET INSECURITY Internet insecurity spreads at Internet speed Morris worm of 1987 Password sniffing attacks in 1994 IP spoofing attacks in 1995 Denial of service attacks in 1996 Email borne viruses 1999 Distributed denial of service attacks 2000 Fast spreading worms and viruses 2003 Spam 2004 no end in sight Internet insecurity grows at super-internet speed security incidents are growing faster than the Internet (which has roughly doubled every year since 1988) 2

SECURITY OBJECTIVES CONFIDENTIALITY disclosure INTEGRITY modification AVAILABILITY access USAGE-CONTROL purpose 3 SECURITY TECHNIQUES Prevention access control Detection auditing/intrusion detection incident handling Acceptance practicality 4

THREATS, VULNERABILITIES ASSETS AND RISK THREATS are possible attacks VULNERABILITIES are weaknesses ASSETS are information and resources that need protection RISK requires assessment of threats, vulnerabilities and assets 5 RISK Outsider Attack insider attack Insider Attack outsider attack 6

PERSPECTIVE ON SECURITY No silver bullets A process NOT a turn-key product Requires a conservative stance Requires defense-in-depth A secondary objective Absolute security does not exist Security in most systems can be improved 7 PERSPECTIVE ON SECURITY absolute security is impossible does not mean absolute insecurity is acceptable 8

INTRUSION SCENARIOS 9 CLASSICAL INTRUSIONS SCENARIO 1 Insider attack The insider is already an authorized user Insider acquires privileged access exploiting bugs in privileged system programs exploiting poorly configured privileges Install backdoors/trojan horses to facilitate subsequent acquisition of privileged access 10

CLASSICAL INTRUSIONS SCENARIO 2 Outsider attack Acquire access to an authorized account Perpetrate an insider attack 11 NETWORK INTRUSIONS SCENARIO 3 Outsider/Insider attack Spoof network protocols to effectively acquire access to an authorized account 12

DENIAL OF SERVICE ATTACKS Flooding network ports with attack source masking TCP/SYN flooding of internet service providers in 1996 13 INFRASTRUCTURE ATTACKS router attacks modify router configurations domain name server attacks internet service attacks web sites ftp archives 14

INTERNET ARCHITECTURE AND PROTOCOLS 15 OSI REFERENCE MODEL END USER A END USER B Application Layer Application Layer higher level protocols Presentation Layer Session Layer End user functions Presentation Layer Session Layer higher level protocols Transport Layer Transport Layer lower level protocols or network services Network Layer Data Link Layer Physical Layer Network functions PHYSICAL MEDIUM Network Layer Data Link Layer Physical Layer lower level protocols or network services 16

OSI REFERENCE MODEL END USER A END USER B higher level protocols higher level protocols lower level protocols or network services SOURCE NODE INTERMEDIATE NETWORK NODE lower level protocols or network services DESTINATION NODE 17 TCP/IP PROTOCOL STACK BASIC PROTOCOLS layer 5-7 TELNET FTP SMTP HTTP etc 4 TCP UDP 3 IP 2 Ethernet Token-Ring ATM PPP etc 18

TCP/IP PROTOCOL STACK BASIC PROTOCOLS IP (Internet Protocol) connectionless routing of packets UDP (User Datagram Protocol) unreliable datagram protocol TCP (Transmission Control Protocol) connection-oriented, reliable, transport protocol 19 TCP/IP PROTOCOL STACK BASIC PROTOCOLS TELNET: remote terminal FTP (File Transfer Protocol) TFTP (Trivial File Transfer Protocol) SMTP (Simple Mail Transfer Protocol) RPC (Remote Procedure Call) HTTP (Hyper Text Transfer Protocol) and others 20

TCP/IP PROTOCOL STACK INFRASTRUCTURE PROTOCOLS layer 5-7 4 TELNET FTP SMTP HTTP etc DNS RIP EGP BGP TCP UDP 3 ICMP IP ARP RARP 2 Ethernet Token-Ring ATM PPP etc 21 TCP/IP PROTOCOL STACK INFRASTRUCTURE PROTOCOLS ICMP: Internet Control Message Protocol ARP: Address Resolution Protocol RARP: Reverse Address Resolution Protocol DNS: Domain Name Service RIP: Routing Information Protocol BGP: Border Gateway Protocol EGP: External Gateway Protocol 22

TCP/IP PROTOCOL STACK SECURITY PROTOCOLS layer 5-7 4 TELNET FTP SMTP HTTP DNS SSL RIP EGP BGP TCP UDP 3 ICMP IPSEC IP ARP RARP 2 Ethernet Token-Ring ATM 23 INTERNET STANDARDS PROCESS IETF: Internet Engineering Task Force Application Area General Area Internet Area Operational Requirements Area Routing Area Security Area Transport Area User Services Area 24

IETF SECURITY AREA ACTIVE WORKING GROUPS An Open Specification for Pretty Good Privacy (openpgp) Authenticated Firewall Traversal (aft) Common Authentication Technology (cat) IP Security Policy (ipsp) IP Security Protocol (ipsec) IP Security Remote Access (ipsra) Intrusion Detection Exchange Format (idwg) Kerberized Internet Negotiation of Keys (kink) Kerberos WG (krb-wg) One Time Password Authentication (otp) Public-Key Infrastructure (X.509) (pkix) S/MIME Mail Security (smime) Secure Network Time Protocol (stime) Secure Shell (secsh) Securely Available Credentials (sacred) Security Issues in Network Event Logging (syslog) Simple Public Key Infrastructure (spki) Transport Layer Security (tls) Web Transaction Security (wts) XML Digital Signatures (xmldsig) 25 RFCs AND IETF DRAFTS RFCs Standards Proposed Standard Draft Standard Internet Standard Informational Experimental Historic IETF drafts work in progress expire after 6 months 26

MUST, SHOULD, MAY MUST mandatory, required of compliant implementations SHOULD strongly recommended but not required MAY possibility even if not stated a may is always allowed unless it violates MUST NOT 27 TCP/IP VULNERABILITIES 28

BASIC TCP/IP VULNERABILITIES many dangerous implementations of protocols sendmail many dangerous protocols NFS, X11, RPC many of these are UDP based 29 BASIC TCP/IP VULNERABILITIES solution allow a restricted set of protocols between selected external and internal machines otherwise known as firewalls 30

IP PACKET header data carries a layer 4 protocol TCP, UDP or a layer 3 protocol ICMP, IPSEC, IP or a layer 2 protocol IPX, Ethernet, PPP 31 TCP INSIDE IP IP HEADER TCP HEADER 32

IP HEADER FORMAT version: 4bit, currently v4 header length: 4 bit, length in 32 bit words TOS (type of service): unused total length: 16 bits, length in bytes identification, flags, fragment offset: total 16 bits used for packet fragmentation and reassembly TTL (time to live): 8 bits, used as hop count Protocol: 8 bit, protocol being carried in IP packet, usually TCP, UDP but also ICMP, IPSEC, IP, IPX, PPP, Ethernet header checksum: 16 bit checksum source address: 32 bit IP address destination address: 32 bit IP address 33 IP HEADER FORMAT options source routing enables route of a packet and its response to be explicitly controlled route recording timestamping security labels 34

TCP HEADER FORMAT source port number source IP address + source port number is a socket: uniquely identifies sender destination port number destination IP address + destination port number is a socket : uniquely identifies receiver SYN and ACK flags sequence number acknowledgement number 35 TCP 3 WAY HANDSHAKE initiator SYN(X) responder SYN(Y), ACK(X) ACK(Y) 36

TCP SYN FLOODING ATTACK TCP 3 way handshake send SYN packet with random IP source address return SYN-ACK packet is lost this half-open connection stays for a fairly long time out period Denial of service attack Basis for IP spoofing attack 37 IP SPOOFING Send SYN packet with spoofed source IP address SYN-flood real source so it drops SYN-ACK packet guess sequence number and send ACK packet to target target will continue to accept packets and response packets will be dropped 38

TCP SESSION HIJACKING Send RST packet with spoofed source IP address and appropriate sequence number to one end SYN-flood that end send ACK packets to target at other end 39 SMURF ATTACK Send ICMP ping packet with spoofed IP source address to a LAN which will broadcast to all hosts on the LAN Each host will send a reply packet to the spoofed IP address leading to denial of service 40

ULTIMATE VULNERABILITY IP packet carries no authentication of source address IP spoofing is possible IP spoofing is a real threat on the Internet IP spoofing occurs on other packet-switched networks also, such as Novell s IPX Firewalls do not solve this problem Requires cryptographic solutions 41 FIREWALLS 42

WHAT IS A FIREWALL? internal network FIRE- WALL external Internet 43 WHAT IS A FIREWALL? all traffic between external and internal networks must go through the firewall easier said than done firewall has opportunity to ensure that only suitable traffic goes back and forth easier said than done 44

ULTIMATE FIREWALL internal network Air Gap external Internet 45 BENEFITS secure and carefully administer firewall machines to allow controlled interaction with external Internet internal machines can be administered with varying degrees of care does work 46

BASIC LIMITATIONS connections which bypass firewall services through the firewall introduce vulnerabilities insiders can exercise internal vulnerabilities performance may suffer single point of failure 47 TYPES OF FIREWALLS Packet filtering firewalls IP layer Application gateway firewalls Application layer Circuit relay firewalls TCP layer Combinations of these 48

PACKET FILTERING FIREWALLS IP packets are filtered based on source IP address + source port number destination IP address + destination port number protocol field: TCP or UDP TCP protocol flag: SYN or ACK 49 FILTERING ROUTERS internal network packet filtering router external Internet mail gateway i-nw-to-router router-to-i-nw e-nw-to-router router-to-e-nw 50

PACKET FILTERING FIREWALLS drop packets based on filtering rules static (stateless) filtering no context is kept dynamic (statefull) filtering keeps context 51 PACKET FILTERING FIREWALLS Should never allow packet with source address of internal machine to enter from external internet Cannot trust source address to allow selective access from outside 52

FILTERING ROUTERS internal network 1 internal network 2 packet filtering router external Internet mail gateway (internal network 3) 53 FILTERING HOST internal network packet filtering firewall host external router external Internet one can use a packet filtering firewall even if connection to Internet is via an external service provider 54

PACKET FILTERING FIREWALLS packet filtering is effective for coarse-grained controls not so effective for fine-grained control can do: allow incoming telnet from a particular host cannot do: allow incoming telnet from a particular user 55 APPLICATION GATEWAY FIREWALLS internal network application gateway firewall host external router external Internet SIMPLEST CONFIGURATION 56

APPLICATION PROXIES have to be implemented for each service may not be safe (depending on service) 57 CLIENT-SIDE PROXIES Internal-Client External-Server allow outgoing http for web access to external machines from internal users requires some client configuration 58

SERVER-SIDE PROXIES External-Client Internal-Server allow incoming telnet for access to selected internal machines from selected external users requires some cryptographic protection to thwart sniffing and IP spoofing becoming increasingly important for electronic commerce VPN remote access security 59 FIREWALL ARCHITECTURES DUAL HOMED HOST I n t r a n e t Router Bastion Host (Application Gateway) Bastion Host (External Service) Router I n t e r n e t 60

FIREWALL ARCHITECTURES SCREENED SUBNET I n t r a n e t Router Packet Filter Bastion Host (External Service) Router I n t e r n e t 61 INTRUSION DETECTION 62

RELATED TECHNOLOGIES Intrusion detection Vulnerability assessment Incident response Honey pots Sniffer probes 63 INTRUSION DETETCION TECHNIQUES Policy detection (or knowledge-based) default permit attack-signature based detection also called misuse detection default deny specification-based detection Anomaly detection (or behavior-based) requires user profiling requires some learning capability in the system Combinations of these 64

INTRUSION DETECTION DATA SOURCE network-based intrusion detection multiple sensor points host-based intrusion detection multi-host based application-based intrusion detection combinations of these 65 ATTACKER Outsider easier insider harder 66

INTRUSION DETECTION ISSUES effectiveness efficiency security inter-operability ease of use transparency 67 INTRUSION DETECTION CHALLENGES False alarm rate Performance and scalability 68

BASE RATE FALLACY Test for a disease is 99% accurate 100 disease-free people tested, 99 test negative 100 diseased people tested, 99 test positive Prevalence of disease is 1 in 10,000 Alice tests positive What is probability Alice has the disease? 69 BASE RATE FALLACY Test for a disease is 99% accurate 100 disease-free people tested, 99 test negative 100 diseased people tested, 99 test positive Prevalence of disease is 1 in 10,000 Alice tests positive What is probability Alice has the disease? 1 in 100 False alarm rate: 99 in 100!!!!! 70

BASE RATE FALLACY BAYE S THEOREM population: 1,000,000 diseased: 100 disease free: 999,900 false positive: 9,999 true positive: 99 Alice s chance of disease: 99/(9,999+99) = 1/100 71 BASE RATE FALLACY 99.99% ACCURACY population: 1,000,000 diseased: 100 disease free: 999,900 false positive: 99.99 true positive: 99.99 Alice s chance of disease: 99.99/(99.99+99.99) = 1/2 72

NETWORK-BASED INTRUSION DETECTION SIGNATURES port signatures header signatures string signatures 73 NETWORK-BASED INTRUSION DETECTION ADVANTAGES Complements firewalls broad visibility into network activity no impact on network performance transparent installation 74

NETWORK-BASED INTRUSION DETECTION DISADVANTAGES False positives miss new unknown attacks scalability with high-speed networks passive stance emergence of switched Ethernet 75 HOST-BASED INTRUSION DETECTION host wrappers or personal firewalls look at all network packets, connection attempts, or login attempts to the monitored machine example, tcp-wrapper host-based agents monitor accesses and changes to critical system files and changes in user privilege example, tripwire 76

INTRUSION DETECTION STANDARDS None exist ongoing efforts CIDF: common intrusion detection framework for sharing information IETF Intrusion Detection Working Group just started 77 INTRUSION DETECTION Needs to integrate with other security technologies such as cryptography and access control one component of defense-in-depth layered security strategy incident-response and recovery are important considerations 78

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback