Transcript Security - CS Course Webpages

Defining Network Security
Security is prevention of unwanted information
transfer
• What are the components?
–
–
–
–
...Physical Security
…Operational Security
…Human Factors
…Protocols
1
Areas for Protection
•
•
•
•
Privacy
Data Integrity
Authentication/Access Control
Denial of Service
2
Regulations and Standards
• Computer Crime Laws
• Encryption
• Government as “Big Brother”
3
Security
Threat, Value and Cost Tradeoffs
• Identify the Threats
• Set a Value on Information
• Add up the Costs (to secure)
Cost < Value * Threat
4
Threats
•
•
•
•
•
Hackers/Crackers (“Joyriders”)
Criminals (Thieves)
Rogue Programs (Viruses, Worms)
Internal Personnel
System Failures
5
Network Threats
•
•
•
•
•
IP Address spoofing attacks
TCP SYN Flood attacks
Random port scanning of internal systems
Snooping of network traffic
SMTP Buffer overrun attacks
6
Network Threats (cont.)
• SMTP backdoor command attacks
• Information leakage attacks via finger, echo,
ping, and traceroute commands
• Attacks via download of Java and ActiveX
scripts
• TCP Session Hijacking
• TCP Sequence Number Prediction Attacks
7
Threat, Value and Cost Tradeoffs
•
•
•
•
•
Operations Security
Host Security
Firewalls
Cryptography: Encryption/Authentication
Monitoring/Audit Trails
8
Host Security
•
•
•
•
Security versus Performance & Functionality
Unix, Windows NT, MVS, etc
PCs
“Security Through Obscurity” L
9
Host Security (cont)
• Programs
• Configuration
• Regression Testing
10
Network Security
• Traffic Control
• Not a replacement for Host-based
mechanisms
• Firewalls and Monitoring, Encryption
• Choke Points & Performance
11
Access Control
• Host-based:
–
–
–
–
Passwords, etc.
Directory Rights
Access Control Lists
Superusers L
• Network-based:
–
–
–
–
Address Based
Filters
Encryption
Path Selection
12
Network Security and Privacy
• Protecting data from being read by unauthorized persons.
• Preventing unauthorized persons from inserting and deleting
messages.
• Verifying the sender of each message.
• Allowing electronic signatures on documents.
13
FIREWALLS
•
•
•
•
•
Prevent against attacks
Access Control
Authentication
Logging
Notifications
14
Types of Firewalls
• Packet Filters
Application
– Network Layer
• Stateful Packet Filters
– Network Level
• Circuit-Level Gateways
– Session Level
• Application Gateways
– Application Level
15
Presentation
Session
Transport
Network
Data Link
Physical
Packet Level
• Sometimes part of router
• TAMU “Drawbridge”
Drawbridge
Campus
16
ROTW
Router
Circuit Level
• Dedicated Host
• Socket Interfaces
Local
FW
ROTW
17
Application Level
• Needs a dedicated host
• Special Software most everywhere
Firewall
telnet
ROTW
18
Firewall Installation Issues
FTP
INTERNET
DNS
Web
Router
19
Mail
Firewall Installation Issues
•
•
•
•
•
•
DNS Problems
Web Server
FTP Server
Mail Server
Mobile Users
Performance
20
Address Transparency
• Need to make some addresses visible to
external hosts.
• Firewall lets external hosts connect as if
firewall was not there.
• Firewall still performs authentication
21
Gateway
Internet
10.0.0.0
128.194.103.0
Network Address Translation
Firewall
22
Network Address Translation
Host B: External Host
Gateway Host
Host A: Internal Host
gw control
ftpd
ftp
proxy ftp
TCP
IP
TCP
Data Link
IP
Hardware
Data Link
TCP
IP
Data Link
Hardware
Hardware
A GW
Datagram
A B Datagram
23
IP Packet Handling
•
•
•
•
•
Disables IP Packet Forwarding
Cannot function as a insecure router
eg. ping packets will not be passed
Fail Safe rather than Fail Open
Only access is through proxies
24
DNS Proxy Security
INTERNET
External DNS Server
DNSd
Eagle Gateway
eagle.xyz.com
finance.xyz.com
sales.xyz.com
marketing.xyz.com
25
Virtual Private Tunnels
Encapsulate
Hello
Authenticate
Hello
Encrypt
Hello
INTERNET
!@@%*
!@@%*
!@@%*
Creates a “ Virtual Private Network “
26
Hello
Decapsulate
Hello
Authenticate
Hello
Decrypt
VPN Secure Tunnels
• Two types of Tunnels supported
– SwIPe and IPsec tunnels
• Encryption
– DES, triple DES and RC2
• Secret key used for used for authenticatio
and encryption
• Trusted hosts are allowed to use the tunnel
on both ends
27
Designing DMZ’s
DMZ
INTERNET
Web
FTP
Company
Intranet
Mail
28
Screening
Router
Firewall Design Project
San Jose
File Server
INTERNET
Mail Server
Wide Area Router
Dallas
Internet
Router
Raptor Eagle
Raptor Remote
Hawk Console
29
Monitoring
• Many tools exist for capturing network traffic.
• Other tools can analyze captured traffic for
“bad” things.
• Few tools are real-time.
30
Summary
• Security must be comprehensive to be
effective.
• Remember threat, value, cost when
implementing a system.
• Security is achievable, but never 100%.
• Make your system fault tolerant.
31