Lecture 7 Network & ISP security Firewall Simple packet

Lecture 7
Network & ISP security
Firewall Simple packet-filters
• Simple packet-filters evaluate packets based solely on IP headers.
• Source-IP spoofing attacks generally aren't blocked by packet-filters, and since allowed packets are literally passed through the firewall, packets with "legitimate" IP headers but dangerous data payloads (as in buffer-overflow attacks) can often be sent intact to "protected" targets.
Stateful packet filtering
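The two points above (header-only decisions, and a stateful filter keeping a connection table) shown side by side, as an added example that is not part of the lecture slides. Packets are plain records carrying only the header fields a filter can see; the addresses and the three-packet trace are constructed. Neither filter looks at the payload, which is the gap the application-layer proxy slide addresses.

```python
"""Stateless vs stateful packet filtering over a constructed packet trace.

Added example, not code from the lecture slides. Packets are plain records
holding only the header fields a filter can see; the trace is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving from the untrusted side, "out" = leaving
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    flags: str = ""  # TCP flags: "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    payload: bytes = b""  # present but never inspected by either filter below


INTERNAL = "10.0.0.10"  # constructed address of the protected host


def stateless_allow(pkt: Packet) -> bool:
    """Simple packet filter: decides on the headers of this one packet.

    Rule 1: the internal host may send anything outbound.
    Rule 2: inbound TCP from source port 80 is allowed, so web replies get in.
    Rule 2 is the classic hole: any inbound packet that merely *claims* to
    come from port 80 passes, whether or not a connection exists.
    """
    if pkt.direction == "out" and pkt.src == INTERNAL:
        return True
    if pkt.direction == "in" and pkt.proto == "tcp" and pkt.sport == 80:
        return True
    return False


class StatefulFilter:
    """Tracks flows opened from the inside; inbound traffic is allowed only
    when it matches a flow already present in the state table."""

    def __init__(self) -> None:
        self.flows: set[tuple] = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out" and pkt.src == INTERNAL:
            # Record the flow as the inside sees it: (local, remote, proto).
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        # Inbound: a genuine reply is the mirror image of a recorded flow key.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return pkt.direction == "in" and key in self.flows


def run_trace(decide, trace):
    """Apply a decision function to each packet in order; return the verdicts."""
    return [decide(p) for p in trace]


# Constructed trace: a real web connection (SYN out, SYN/ACK back), then an
# unsolicited inbound SYN that uses source port 80 to look like a reply.
TRACE = [
    Packet("out", INTERNAL, 40000, "203.0.113.5", 80, "tcp", "S"),
    Packet("in", "203.0.113.5", 80, INTERNAL, 40000, "tcp", "SA"),
    Packet("in", "198.51.100.7", 80, INTERNAL, 445, "tcp", "S"),
]


def compare():
    """Verdicts of both filters over TRACE, keyed by filter name."""
    return {
        "stateless": run_trace(stateless_allow, TRACE),
        "stateful": run_trace(StatefulFilter().allow, TRACE),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:>9}: {verdicts}")
```

The third packet is the one that matters: the stateless filter passes it because its headers satisfy rule 2, while the stateful filter drops it because no outbound flow to 198.51.100.7:80 was ever recorded.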
Application-layer proxies
• A proxying firewall acts as an intermediary in all transactions that traverse it (see figure).
• Proxying firewalls are often called "application-layer" proxies because, unlike other types of proxies that enhance performance but not necessarily security, proxying firewalls usually have a large amount of application-specific intelligence about the services they broker.
Placing Firewall
"Inside Versus Outside" Architecture
• Because public services such as SMTP, DNS, and HTTP must either be sent through the firewall to internal servers or hosted on the firewall itself, the risk of server compromise is increased.
• As a result, the DMZ (DeMilitarized Zone) network is used.
The "Three-Homed Firewall" DMZ Architecture
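A zone policy for the three-homed layout, as an added example that is not from the lecture. The interface networks, the rule table and the "first match wins, default deny" semantics are constructed assumptions; the point it makes is the one the DMZ slide makes: outside hosts can reach only the public services, and a DMZ server that is compromised still has no rule letting it reach the inside network.

```python
"""Zone policy of a three-homed firewall (outside / DMZ / inside).

Added example, not code from the lecture. Addressing and rules are
constructed to show why public services live in the DMZ.
"""
from ipaddress import ip_address, ip_network

# Constructed addressing: which firewall interface (zone) each network is on.
ZONES = {
    "inside": ip_network("10.0.0.0/24"),
    "dmz": ip_network("192.0.2.0/24"),
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything not on a known interface is outside."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"


# (from_zone, to_zone, proto or None, dport or None, action); first match wins,
# and anything not listed is denied.
RULES = [
    ("outside", "dmz", "tcp", 25, "allow"),       # public SMTP relay
    ("outside", "dmz", "udp", 53, "allow"),       # public DNS
    ("outside", "dmz", "tcp", 80, "allow"),       # public web server
    ("inside", "dmz", None, None, "allow"),       # staff use DMZ services
    ("inside", "outside", None, None, "allow"),   # staff reach the Internet
    ("dmz", "outside", "tcp", 25, "allow"),       # relay delivers mail out
    ("dmz", "outside", "udp", 53, "allow"),       # DNS recursion
    ("dmz", "inside", None, None, "deny"),        # the whole point of the DMZ
]


def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """Return "allow" or "deny" for one flow crossing the firewall."""
    from_zone, to_zone = zone_of(src), zone_of(dst)
    if from_zone == to_zone:
        return "allow"  # same-zone traffic never passes through the firewall
    for rule_from, rule_to, rule_proto, rule_port, action in RULES:
        if (rule_from == from_zone and rule_to == to_zone
                and rule_proto in (None, proto) and rule_port in (None, dport)):
            return action
    return "deny"


def allowed_zone_pairs() -> set:
    """Audit helper: every (from, to) zone pair that has at least one allow rule."""
    return {(f, t) for f, t, _, _, action in RULES if action == "allow"}


if __name__ == "__main__":
    print(decide("198.51.100.9", "192.0.2.10", "tcp", 80))   # allow: public web
    print(decide("198.51.100.9", "10.0.0.5", "tcp", 80))     # deny: no path inside
    print(decide("192.0.2.10", "10.0.0.5", "tcp", 445))      # deny: DMZ -> inside
    print(("dmz", "inside") in allowed_zone_pairs())         # False
```

The audit helper is the check worth keeping around: a rule table that ever grows a ("dmz", "inside") allow has quietly turned the strong architecture back into the weak one.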
A Weak Screened-Subnet Architecture
• Rarely used
• Lack of a firewall is the weak point
• obsolete
A Strong Screened-Subnet Architecture
What Do ISPs Need to Do?
Security incidents are a normal part of an ISP's operations!
1) ISP's Security Policy
2) Secure Resources: Firewall, Encryption, Authentication, Audit
3) Monitor and Respond: Intrusion Detection, work the incident
4) Test, Practice, Drill: Vulnerability Scanning
5) Manage and Improve: Post Mortem, Analyze the Incident, modify the plan/procedures
Six Phases of Incident Response
PREPARATION
Prep the network
Create tools
Test tools
Prep procedures
Train team
Practice
IDENTIFICATION
How do you know about the attack?
What tools can you use?
What's your process for communication?
CLASSIFICATION
What kind of attack is it?
TRACEBACK
Where is the attack coming from?
Where and how is it affecting the network?
REACTION
What options do you have to remedy?
Which option is the best under the circumstances?
POST MORTEM
What was done?
Can anything be done to prevent it?
How can it be less painful in the future?
The Old World: Router Perspective
(figure: "untrusted" traffic, attacks and junk, arriving directly at the Router CPU)
• Policy enforced at process level (VTY ACL, SNMP ACL, etc.)
• Some early features such as ingress ACL used when possible
The New World: Router Perspective
(figure: "untrusted" traffic, attacks and junk, passing through a Protection layer before it reaches the Router CPU)
• Central policy enforcement, prior to process level
• Granular protection schemes
• On high-end platforms, hardware implementations
Secure Routing
Route Authentication
(figure: Configure Routing Authentication. The Campus router signs its route updates; the neighbour verifies the signature on the route updates it receives. The signature certifies the authenticity of the neighbour and the integrity of the route updates.)
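The signing and verifying described in the figure, as an added example that is not from the lecture. The slide does not name an algorithm; this example assumes a shared key and HMAC-SHA256, with a sequence number so a captured genuine update cannot simply be re-sent. The router name, key and prefixes are constructed.

```python
"""Authenticated routing updates between two neighbours.

Added example, not code from the lecture. Assumes a shared key configured on
both routers and HMAC-SHA256 over the update body; the receiver learns both
who sent the update (authenticity) and that it was not altered (integrity).
Key, router id and prefixes are constructed.
"""
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-neighbour-key"  # configured on both routers


def _encode(body: dict) -> bytes:
    """Canonical serialisation so both sides hash exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_update(router_id: str, seq: int, prefixes: list[str], key: bytes) -> dict:
    """Build a route update and attach the sender's signature."""
    body = {"router": router_id, "seq": seq, "prefixes": sorted(prefixes)}
    return {"body": body, "sig": hmac.new(key, _encode(body), hashlib.sha256).hexdigest()}


def verify_update(update: dict, key: bytes, last_seq: dict) -> bool:
    """Accept only if the signature matches and the sequence number advances.

    last_seq holds the highest accepted seq per router and is updated on
    success, so a replayed copy of an old genuine update is rejected.
    """
    expected = hmac.new(key, _encode(update["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, update["sig"]):
        return False
    router, seq = update["body"]["router"], update["body"]["seq"]
    if seq <= last_seq.get(router, -1):
        return False
    last_seq[router] = seq
    return True


def demo() -> dict:
    """Run one genuine update and three bad ones through the verifier."""
    seen: dict = {}
    genuine = sign_update("campus-r1", 1, ["10.1.0.0/16", "10.2.0.0/16"], SHARED_KEY)
    # Same signature, but the prefix list was altered in transit.
    tampered = {"body": dict(genuine["body"], prefixes=["0.0.0.0/0"]), "sig": genuine["sig"]}
    # A rogue neighbour that does not hold the shared key.
    rogue = sign_update("campus-r1", 2, ["10.3.0.0/16"], b"some-other-key")
    return {
        "genuine": verify_update(genuine, SHARED_KEY, seen),
        "tampered": verify_update(tampered, SHARED_KEY, seen),
        "rogue": verify_update(rogue, SHARED_KEY, seen),
        "replay": verify_update(genuine, SHARED_KEY, seen),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:>9}: {'accepted' if accepted else 'rejected'}")
```

Only the first update is accepted: the tampered copy fails the integrity check, the rogue neighbour fails the authenticity check, and the replayed genuine update fails because its sequence number does not advance.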
Any wall has some weak points