Internet and Intranet Fundamentals

Internet and Intranet
Fundamentals
Class 8
Session A
Intranet Security
• Assets Needing Protection
• Threats
• Firewalls
– Overview
– Various Architectures
– Ref: Building Internet Firewalls, Chapman & Zwicky, ISBN 1565921240
Assets Needing Protection
• Data
– stored on computers
• Resources
– the computers themselves
• Reputation
Protecting Data
• Secrecy / Privacy
• Integrity
• Availability
Protecting Data
Secrecy / Privacy
• Trade Secrets
– obligations to shareholders
• Competitive Intelligence
– competition sensitive
• Examples
– national defense
– patient medical records
– student records
Protecting Data
Integrity
• Keeping Data from Being Modified
– tampering
• Loss of Confidence
– consumer
– customer
– investor
– employee
Protecting Data
Availability
• Is your data accessible?
• Related to computing resource availability
Protecting Resources
• Computer Resources
– disk space
– CPU cycles
– memory
• Labor Resources
– $$$ spent in …
• tracking down intruders
• performing
• re-installing software
Protecting Reputation
• Confidence
• Intruders Masquerade as You
– identity theft
• Business/Technical Competence
• Example
– professor and racist hate mail
Threats
• Types of Attacks
• Types of Attackers
• Stupidity and Accidents
Types of Attacks
• Intrusion
• Denial of Service
• Information Theft
Intrusion
• People Gain Access to Your Network and
Computers
• How?
– social engineering
– guesswork
• crack program
• child/dog’s name
Denial of Service
• Preventing you (and others) from using your
own computers
• Mail Bombs
• Flooding a System's Queues, Processes, etc.
– Internet Worm
– Distributed denial of service
(CNN/Ebay/Yahoo)
• Limited Number of Login Attempts (account lockout)
– cuts both ways: either the attacker guesses the password, or by
deliberately using up the attempts they lock the account and force a
denial of service on its legitimate user, and on everyone else whose
user name they know!
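To make the lockout trade-off concrete, here is a small model, added as an example and not part of the lecture: an account-lockout policy beside a per-source throttling policy, both driven by the same constructed scenario (an attacker guessing at alice's account, then alice logging in from her own desktop). User names, addresses, limits and passwords are constructed for the demonstration.

```python
"""Account lockout versus per-source throttling (added example, not from the slides)."""
from collections import defaultdict

PASSWORDS = {"alice": "correct horse battery staple"}   # constructed user database


class LockoutPolicy:
    """Lock the ACCOUNT after max_failures wrong passwords, whoever sent them.

    Simple, but anyone who knows a user name can lock that user out on purpose.
    """

    def __init__(self, passwords, max_failures=3):
        self.passwords = passwords
        self.max_failures = max_failures
        self.failures = defaultdict(int)   # user -> consecutive failures
        self.locked = set()

    def attempt(self, user, password, source):
        if user in self.locked:
            return "locked"
        if self.passwords.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
        return "bad_password"


class ThrottlePolicy:
    """Throttle the SOURCE instead: an address that fails max_failures times
    is refused for the next `penalty` attempts. The account itself stays
    usable from elsewhere, so a guesser cannot lock the real user out.
    """

    def __init__(self, passwords, max_failures=3, penalty=4):
        self.passwords = passwords
        self.max_failures = max_failures
        self.penalty = penalty
        self.failures = defaultdict(int)   # source -> consecutive failures
        self.blocked_until = {}            # source -> attempt counter value
        self.clock = 0                     # counts attempts; stands in for time

    def attempt(self, user, password, source):
        self.clock += 1
        if self.blocked_until.get(source, 0) > self.clock:
            return "throttled"
        if self.passwords.get(user) == password:
            self.failures[source] = 0
            return "ok"
        self.failures[source] += 1
        if self.failures[source] >= self.max_failures:
            self.blocked_until[source] = self.clock + self.penalty
            self.failures[source] = 0
        return "bad_password"


def simulate(policy_cls):
    """Attacker (198.51.100.7) sends three wrong guesses at alice's account and
    a fourth one; then alice logs in from 10.0.0.9 with the right password.
    Returns (attacker's fourth attempt, alice's result)."""
    policy = policy_cls(PASSWORDS)
    attacker, victim = "198.51.100.7", "10.0.0.9"
    for guess in ("fido", "fido1", "fido2"):
        policy.attempt("alice", guess, attacker)
    attacker_result = policy.attempt("alice", "fido3", attacker)
    victim_result = policy.attempt("alice", PASSWORDS["alice"], victim)
    return attacker_result, victim_result


if __name__ == "__main__":
    print("lockout :", simulate(LockoutPolicy))    # ('locked', 'locked')
    print("throttle:", simulate(ThrottlePolicy))   # ('throttled', 'ok')
```

Under the lockout policy the attacker's guesses are stopped, but so is alice. Per-source throttling keeps alice in, at the cost of being weaker against an attacker who spreads guesses over many addresses; in practice sites combine a short, growing delay per account with per-source limits and alerting rather than a hard lockout.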
Information Theft
• Stealing Password Files
– download for offline cracking
• Packet Sniffers
– Ethernet is a party line: every host on the segment can read every frame
– A switch is your friend (it limits casual sniffing; it is not a security boundary)
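What a "crack program" does with a downloaded password file, as an added example that is not part of the lecture: a dictionary attack with the simple mangling rules (capitalisation, appended digits) that catch a dog's or child's name. The file format (user:salt$hash), the accounts, the salts and the word list are constructed here, and SHA-256 stands in for the real hash; everything runs locally, with no login limit and no log entry on the victim's system.

```python
"""Offline dictionary attack on a stolen password file (added example, not from the slides)."""
import hashlib


def hash_password(salt: str, password: str) -> str:
    # Constructed scheme: hex SHA-256 of salt||password. Fast, which is exactly
    # what makes offline guessing cheap; real systems should use a slow hash.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_password_file(accounts: dict) -> str:
    """Build the 'stolen' file; accounts maps user -> (salt, cleartext password)."""
    return "\n".join(f"{user}:{salt}${hash_password(salt, pw)}"
                     for user, (salt, pw) in accounts.items())


def candidates(wordlist):
    """Dictionary words plus the mangling rules crackers try first."""
    for w in wordlist:
        yield w                                  # fido
        yield w.capitalize()                     # Fido
        for n in range(100):
            yield f"{w}{n}"                      # fido0 .. fido99
        for n in range(100):
            yield f"{w.capitalize()}{n}"         # Fido0 .. Fido99


def crack(file_text: str, wordlist) -> tuple:
    """Return ({user: recovered password}, total guesses hashed).

    Each entry has its own salt, so each user costs a separate pass over the
    candidates; without salts one hash per candidate would test every user.
    """
    found, guesses = {}, 0
    for line in file_text.splitlines():
        user, rest = line.split(":", 1)
        salt, digest = rest.split("$", 1)
        for cand in candidates(wordlist):
            guesses += 1
            if hash_password(salt, cand) == digest:
                found[user] = cand
                break
    return found, guesses


# Constructed accounts: a dog's name, a child's name with a digit, and a
# random password that no dictionary rule will reach.
STOLEN_FILE = make_password_file({
    "alice": ("a1", "fido"),
    "bob": ("b2", "Emma7"),
    "carol": ("c3", "T7#qLp!2vZ"),
})
WORDLIST = ["password", "fido", "rex", "emma", "max"]   # constructed

if __name__ == "__main__":
    recovered, n = crack(STOLEN_FILE, WORDLIST)
    print(recovered, "after", n, "guesses")
    # {'alice': 'fido', 'bob': 'Emma7'} after 1929 guesses
```

Two of three accounts fall in under two thousand guesses; carol survives only because her password is outside anything the rules generate. The defences follow directly: keep the hashed file unreadable (shadow passwords), use a deliberately slow salted hash, and reject dictionary-derived passwords when they are set.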
Types of Attackers
• Joyriders
– bored, looking for amusement
• Vandals
– like destroying things, or don’t like you
• Score Keepers
– bragging rights
• Spies
– industrial and international
Stupidity and Accidents
• 55% of all incidents result from naivete or
lack of training
• Apple’s buggy mail server
– hundreds of thousands of error messages
• Any system which doesn’t assign passwords.
• Hard to Protect Against!
Firewalls
• Overview
• Various Firewall Architectures
Overview
• How to Protect Your Intranet Assets?
– no security
– security through obscurity
– host security
– network security
• Your home is an intranet?
Overview
• No Security
• Security Through Obscurity
– nobody knows about it
– people figure a small company or home
machine isn’t of interest
– “obscurity” impossible on Internet
• InterNIC
– examples with Telnet
Overview
• Host Security
– geared to particular host
– scalability issue
– admin nightmare
• sheer numbers
• different OS, OS config, etc.
– OK for small sites or sites with extreme
requirements
Overview
• Network Security
– control network access
– kill lots of birds with one stone
– firewalls
• Security Technology Can’t Do It All
– policing internal time wasting, pranks, etc.
– no model is perfect
– Who watches the watcher?
Overview
• Internet Firewalls
– concept: containment
• choke point
– prevents dangers of Internet from spreading to
your Intranet
– restricts people to entering at carefully
controlled point(s)
• can only leave that point too
Overview
• Firewall
– prevents attackers from getting close to internal
defenses
– adequate if interactions conform to security
policy (tight vs. loose)
• Consists of
– hardware
• routers, computers, networks
– software
• proxy servers, monitors
[Figure: Internet, Firewall, Internal Network (desktop systems, internal server). The firewall system consists of an exterior router, a bastion host on a perimeter network, and an interior router; the exterior router and bastion host may be combined.]
[Figure: Screened Subnet Architecture: Internet, Exterior Router, Perimeter Network with Bastion Host, Interior Router, Internal Network (desktop systems, internal server).]
Overview
• Firewall Limitations
– malicious insiders
– people going around it (e.g., modems)
– completely new threats
• designed to protect against known threats
– viruses
• Make vs. Buy
– lots of offerings (see Internet)
Various Firewall Architectures
• Screening Router Packet Filtering
• Proxy Services
– application level gateways
• Dual-Home Host
• Screened Host
• Screened Subnet
Various Firewall Architectures
IP Packet Filtering
• IP source address
• IP destination address
• Transport Layer Protocol
• TCP / UDP source port
• TCP / UDP destination port
• ICMP message type
Various Firewall Architectures
IP Packet Filtering
• Also Knows …
– inbound and outbound interfaces
• Examples
– block all incoming connection from outside
except SMTP
– block all connections to or from untrusted
systems
– allow SMTP, FTP, but block TFTP, X
Windows, RPC, rlogin, rsh, etc.
Various Firewall Architectures
Dual-Homed Host
• One Computer, Two Networks
– IP forwarding is turned off, so nothing crosses between the networks
unless a proxy on the host relays it
– must proxy services
– can examine data coming in from app level on down
[Figure: Dual-Homed Host Architecture: Internet, Dual-Homed Host (the firewall), Internal Network (desktop systems).]
Various Firewall Architectures
Screened Host
• Bastion Host
– sits on the internal network itself
– controls connections to outside world
– If broken, your interior network is open.
• Packet Filtering by Router
– incoming: the screening router only lets outside traffic reach the
bastion host
[Figure: Screened Host (Screening Router) Architecture: Internet, Screening Router, Internal Network (desktop systems and Bastion Host on the same network).]
Various Firewall Architectures
Screened Subnet
• Bastion Host
– controls connections to outside world
– on perimeter network
• Packet Filtering
– two routers
– incoming
[Figure: Screened Subnet Architecture: Internet, Exterior Router, Perimeter Network with Bastion Host, Interior Router, Internal Network (desktop systems, internal server).]
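The IP packet filtering fields and examples above, and the screened subnet's two routers, in one worked model. This is an added example, not code from the lecture or from Chapman & Zwicky: a stateless filter that matches packets on the fields the slide lists (source and destination address, transport protocol, ports, ICMP type, plus the interface the router received the packet on). One field is added, the TCP ACK flag, which a stateless filter uses to tell the first packet of an inbound connection (ACK clear) from replies to a connection opened from inside (ACK set). The addresses (TEST-NET ranges), interface names, rule sets and sample packets are all hypothetical; the two rule sets model the exterior router (Internet side) and interior router (internal side) around a perimeter network holding the bastion host.

```python
"""Stateless packet filtering on a screened-subnet firewall (added example, not from the slides)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    ack: bool = False           # TCP only; set on every packet after a connection's first
    iface: str = ""             # interface the packet arrived on (routers know this)


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"; a None field matches anything
    iface: Optional[str] = None
    src: Optional[str] = None   # CIDR or single address
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[range] = None
    dport: Optional[range] = None
    icmp_type: Optional[int] = None
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or p.iface == self.iface)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.proto is None or p.proto == self.proto)
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport)
                and (self.icmp_type is None or p.icmp_type == self.icmp_type)
                and (self.ack is None or p.ack == self.ack))


def filter_packet(rules, p: Packet) -> str:
    """First matching rule wins; a packet that no rule matches is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Hypothetical topology: perimeter net 192.0.2.0/24 with the bastion host,
# internal net 10.0.0.0/8 with the mail server, one untrusted outside net.
BASTION, MAIL_SERVER = "192.0.2.10", "10.0.0.25"
INTERNAL, UNTRUSTED = "10.0.0.0/8", "198.51.100.0/24"
SMTP, TFTP, RPC = range(25, 26), range(69, 70), range(111, 112)

EXTERIOR_ROUTER = [   # interfaces: "ext" faces the Internet, "dmz" the perimeter
    Rule("deny", iface="ext", src=INTERNAL),                 # spoofed internal source
    Rule("deny", src=UNTRUSTED), Rule("deny", dst=UNTRUSTED),  # untrusted systems, either way
    Rule("allow", iface="ext", proto="tcp", dst=BASTION, dport=SMTP, ack=False),  # only SMTP in
    Rule("allow", iface="ext", proto="tcp", dst=BASTION, ack=True),  # replies to bastion's own connections
    Rule("allow", iface="ext", proto="icmp", dst=BASTION, icmp_type=3),  # destination unreachable
    Rule("allow", iface="dmz", src=BASTION),                 # bastion outbound
]
INTERIOR_ROUTER = [   # interfaces: "dmz" faces the perimeter, "int" the internal net
    Rule("deny", proto="udp", dport=TFTP),
    Rule("deny", proto="tcp", dport=range(6000, 6064)),      # X Windows
    Rule("deny", proto="tcp", dport=RPC), Rule("deny", proto="udp", dport=RPC),  # portmapper
    Rule("deny", proto="tcp", dport=range(513, 515)),        # rlogin, rsh
    Rule("allow", iface="dmz", proto="tcp", src=BASTION, dst=MAIL_SERVER, dport=SMTP, ack=False),
    Rule("allow", iface="dmz", proto="tcp", src=BASTION, ack=True),  # replies to inside-opened connections
    Rule("allow", iface="int", src=INTERNAL, dst=BASTION),   # inside hosts reach the bastion's proxies
]

SCENARIOS = [   # constructed packets; 203.0.113.5 is an arbitrary Internet host
    ("smtp_to_bastion", EXTERIOR_ROUTER, Packet("203.0.113.5", BASTION, "tcp", 40000, 25, iface="ext")),
    ("telnet_to_bastion", EXTERIOR_ROUTER, Packet("203.0.113.5", BASTION, "tcp", 40001, 23, iface="ext")),
    ("smtp_from_untrusted", EXTERIOR_ROUTER, Packet("198.51.100.7", BASTION, "tcp", 40002, 25, iface="ext")),
    ("spoofed_internal", EXTERIOR_ROUTER, Packet("10.0.0.9", BASTION, "tcp", 40003, 25, iface="ext")),
    ("reply_to_bastion", EXTERIOR_ROUTER, Packet("203.0.113.5", BASTION, "tcp", 25, 45000, ack=True, iface="ext")),
    ("direct_to_internal", EXTERIOR_ROUTER, Packet("203.0.113.5", MAIL_SERVER, "tcp", 40004, 25, iface="ext")),
    ("echo_request", EXTERIOR_ROUTER, Packet("203.0.113.5", BASTION, "icmp", icmp_type=8, iface="ext")),
    ("unreachable", EXTERIOR_ROUTER, Packet("203.0.113.5", BASTION, "icmp", icmp_type=3, iface="ext")),
    ("bastion_relays_mail", INTERIOR_ROUTER, Packet(BASTION, MAIL_SERVER, "tcp", 50000, 25, iface="dmz")),
    ("bastion_rsh_inward", INTERIOR_ROUTER, Packet(BASTION, MAIL_SERVER, "tcp", 1023, 514, iface="dmz")),
    ("inside_to_proxy", INTERIOR_ROUTER, Packet("10.0.0.9", BASTION, "tcp", 50001, 8080, iface="int")),
    ("inside_tftp", INTERIOR_ROUTER, Packet("10.0.0.9", BASTION, "udp", 50002, 69, iface="int")),
]


def evaluate_scenarios() -> dict:
    return {name: filter_packet(rules, pkt) for name, rules, pkt in SCENARIOS}


if __name__ == "__main__":
    for name, verdict in evaluate_scenarios().items():
        print(f"{name:22s} {verdict}")
```

Rule order matters: the deny rules for untrusted systems and the dangerous services come first so that no later allow can override them, and the implicit final deny catches everything else (telnet to the bastion, a direct connection to an internal host, an ICMP echo request). Note that even if the bastion host is compromised, the interior router still refuses it rsh, TFTP, RPC and X traffic into the internal network. The ACK-bit trick is what stateless filters had; it says nothing about UDP, and modern firewalls track connection state instead.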