CIS3200Class25 - Eastern Illinois University


School of Business
Eastern Illinois University
Security (Continued)
(Week 12, Friday 11/13/2002)
© Abdou Illia, Fall 2002
Learning Objectives

Describe types of message attacks
– (Denial of service attacks)
– Malicious content attacks

Describe the two main kinds of Firewall
– Packet filter firewall
– Application (proxy) firewall

Denial-of-Service (DoS) Attacks

Bombard a site (usually a server or a router) with so many messages that the site is incapable of answering valid requests

Make the system unusable (crash it or make it run very slowly).

[Figure: Message Stream DoS Attack (Overloads the Victim); labels: Attacker, Server]

Distributed DoS (DDoS) Attack

Attacker hacks into multiple clients and plants Zombie programs on them

Attacker sends commands to Zombie programs which execute the attacks

[Figure: Messages Come from Many Sources; labels: Attacker, Attack Command, Computer with Zombie, Message Stream, Server]

What is common to DoS messages

DoS messages
– Are, usually, supervisory or request messages
– Include header fields that might hide a false identity

[Figure: packet layouts: IP-H | TCP-H | Application Message and IP-H | UDP-H | Application Message]

Security systems for protecting against DoS attacks are designed based on the common characteristics of DoS messages

Malicious content attacks

Incoming messages containing illicit content:
– Viruses (infect files on a single computer)
– Worms (propagate across systems by themselves)
– Trojan horses (programs that appear to be one thing, such as a game, but really execute unwanted instructions)
– Pornography
– Sexually or racially harassing e-mails
– Spam (unsolicited commercial e-mails)

Q: Briefly describe the various types of malicious content attacks

What is common to Malicious content attacks

Malicious messages
– Don’t require answers
– Include illicit content in the data field of the message

[Figure: packet layouts: IP-H | TCP-H | Application Message and IP-H | UDP-H | Application Message]

Security systems for protecting against Malicious content attacks are designed to filter Application layer messages.

Firewall?

A security system that implements an access control policy between two networks
– Usually between the corporate network and an external network.

A firewall limits
– The types of messages that enter a network
– The types of messages that leave the network

Kinds of Firewall

All firewalls
– Examine parts (fields) of incoming messages
– Permit or deny access based on a list of rules

Based on the way they operate, we have
– Packet Filter firewalls
– Application (proxy) firewalls

Packet Filter Firewall

[Figure: a Packet Filter Firewall between The Internet and the Corporate Network permits or denies arriving packets. Arriving packets: IP-H | TCP-H | Application Message; IP-H | UDP-H | Application Message; IP-H | ICMP Message]

Examines content of IP header, TCP header, UDP header, and content of ICMP supervisory messages

Packet Filter Firewall: Common rules

IP headers include IP addresses
– A company could decide to block messages with specific IP addresses. So the firewall could be configured to do so.

TCP headers include port numbers that indicate which application service is desired
– A company could decide to block any outsider from trying to telnet into the company. So, it could configure its firewall to stop all incoming messages requesting port 23
– A company could decide to stop outgoing messages requesting Usenet (port 119)

Example of rule for denying access
IF Interface = External
And Destination port = 80
And Destination IP address = 172.16.210.22
THEN DENY

Typical TCP port numbers
Telnet (remote login): port 23
Usenet (newsgroup service): port 119
E-Mail (SMTP): port 25
Web browsing: port 80

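The rules on this slide, applied to raw packet headers the way a packet filter does. This is an added example, not part of the original slides; the rule-tuple layout, the PERMIT default, the function names and the sample source address 203.0.113.5 are assumptions made for illustration.

```python
import ipaddress
import struct

# First-match rule table taken from the slide's examples. The tuple layout
# (interface, destination IP, destination port, action) is an assumption.
RULES = [
    ("external", "172.16.210.22", 80, "DENY"),  # the slide's example rule
    ("external", None, 23, "DENY"),             # no incoming telnet
    ("internal", None, 119, "DENY"),            # no outgoing Usenet
]
DEFAULT_ACTION = "PERMIT"  # assumption: the slides do not state a default
HAS_PORTS = {6, 17}        # IP protocol numbers for TCP and UDP

def parse_headers(packet: bytes):
    """Return (dst_ip, dst_port) from a raw IPv4 packet, or None if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4            # IP header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return None
    dst_ip = str(ipaddress.IPv4Address(packet[16:20]))
    if packet[9] not in HAS_PORTS:          # e.g. ICMP carries no port
        return dst_ip, None
    if len(packet) < ihl + 4:
        return None                         # truncated TCP/UDP header
    (dst_port,) = struct.unpack("!H", packet[ihl + 2:ihl + 4])
    return dst_ip, dst_port

def filter_packet(iface: str, packet: bytes) -> str:
    """Apply the first matching rule to a packet arriving on `iface`."""
    parsed = parse_headers(packet)
    if parsed is None:
        return "DENY"                       # fail closed on unparseable input
    dst_ip, dst_port = parsed
    for r_iface, r_ip, r_port, action in RULES:
        if r_iface == iface and r_ip in (None, dst_ip) and r_port == dst_port:
            return action
    return DEFAULT_ACTION

def build_packet(proto: int, dst_ip: str, dst_port: int) -> bytes:
    """Constructed sample: 20-byte IPv4 header plus source/destination ports."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address("203.0.113.5").packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return header + struct.pack("!HH", 40000, dst_port)
```

The filter never reads past the transport header, so a permitted packet to port 80 can still carry malicious content in its application message.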
Application (Proxy) Firewall

Application firewalls, also known as Proxy firewalls
– Examine Application layer messages to check for illicit content

Application firewalls and Packet filter firewalls are complementary
– In terms of what part of a message they examine.

[Figure: packet layouts: IP-H | TCP-H | Application Message and IP-H | UDP-H | Application Message]

Application (Proxy) Firewall

Acts like a server program to a client program, and like a client program to a server program

[Figure: Application Firewall containing FTP Proxy, HTTP Proxy and SMTP (E-Mail) Proxy, between the Browser on the Client PC and the Webserver Application. Steps: 1. HTTP Request; 2. Examined HTTP Request; 3. HTTP Response; 4. Examined HTTP Response]

Application (Proxy) Firewall

Intercepts messages from a client to its server and intercepts messages from a server to its client

Reads Application layer messages to scan for illicit content

IF illicit content detected, discards the message

Multiple application proxy programs because
– Different application programs have different characteristics to examine.

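Why each application needs its own proxy program, shown as an added example that is not part of the original slides: the HTTP check reads header lines and body, while the SMTP check must walk MIME parts and undo their transfer encoding before scanning. The blocked extensions, the blocked content type, the marker string and the sample messages are constructed for illustration.

```python
from email import message_from_string

BLOCKED_EXT = (".exe", ".vbs", ".scr")       # constructed attachment policy
MARKER = "CONSTRUCTED-TEST-SIGNATURE"        # stands in for a virus signature

def inspect_http(message: str) -> bool:
    """HTTP proxy check: header lines and body of one HTTP message."""
    head, _, body = message.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:      # skip the request/status line
        name, _, value = line.partition(":")
        if (name.strip().lower() == "content-type"
                and value.strip().lower().startswith("application/x-msdownload")):
            return False
    return MARKER not in body

def inspect_smtp(message: str) -> bool:
    """SMTP proxy check: every MIME part, after undoing its transfer encoding."""
    for part in message_from_string(message).walk():
        if (part.get_filename() or "").lower().endswith(BLOCKED_EXT):
            return False
        payload = part.get_payload(decode=True)   # None for multipart containers
        if payload and MARKER.encode() in payload:
            return False
    return True

# One inspector per application protocol, as on the slide.
PROXIES = {"http": inspect_http, "smtp": inspect_smtp}

def relay(app: str, message: str):
    """Return the message to forward, or None when it must be discarded."""
    inspector = PROXIES.get(app)
    if inspector is None or not inspector(message):
        return None                          # unknown application or illicit content
    return message

# Constructed sample messages.
SAMPLE_HTTP = "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<p>hello</p>"
SAMPLE_MAIL = (
    "From: a@example.com\r\nTo: b@example.com\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="B"\r\n\r\n'
    "--B\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
    "--B\r\nContent-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="game.EXE"\r\n\r\nMZ\r\n--B--\r\n'
)
```
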
Summary Questions

1. Briefly describe the various types of malicious content attacks
Answer:

1. What headers and messages do Packet filter firewalls examine?
Answer:

2. What part of a packet do application firewalls examine? b) What do they look for? c) Must there be a separate application proxy program for each application being examined?
Answer: