Security Product Roadmap
COPYRIGHT
This presentation is provided to specific parties on request. All slides must be shown in their entirety, including the D-Link logo and brand name, without any modification or deletion, unless with the written consent of D-Link. Individual slides may be removed in their entirety. Background colour may be changed. Printed copies can be distributed freely for the specific purpose for which this presentation is used. Failure to observe this violates the copyright agreement. D-Link reserves the right to withdraw from the party the right to use the presentation slides and/or to take any other action deemed necessary by D-Link to prevent the slides, or part of them, being used.
BASIC CONCEPTS IN NETWORK ADMINISTRATION
SECURITY MANAGEMENT
MSEE Ing. Héctor J. Simosa
22 October 2004
Network Security
Network security is an essential mechanism. The Internet is a network of interconnected networks without borders….
Because of this, organizations' networks are vulnerable, since they are reachable from any computer in the world.
Solutions
• D-LINK offers fairly complete security solutions, beyond the firewall, to protect your network, among them:
– Intrusion Detection Systems
– Virtual Private Networks
– Identification Services
– Security Management Tools.
Security:
Why is it important?
Computer Hackers
• They can be divided into three categories:
– Those who break the security of computer networks
– Those who break the security of application software
– Those who create malicious programs to exploit weaknesses in operating systems
• Fact:
There is no 100% secure solution!
Evolution of Security
(Figure: timeline from 1980 through 1990 to 2000, with the vertical axis "Technical Knowledge Required" running from High to Low. Techniques placed along it: Packet Forging/Spoofing, Internet Worm, Stealth Diagnostics, DDoS, Sweepers, Sniffers, Backdoors, Hijack sessions, Exploit known vulnerabilities, Disabling Audit, Self Replicating code, Password Cracking, Password guessing. "Sophisticated Hacker Tools" appear towards 2000, lowering the knowledge required.)
Attacks on Information Networks
• Protection is a challenge!
– The ability to attack networks has become more sophisticated
– Relying on a firewall is not enough
– Just as you physically protect your premises, you must protect your network.
• What questions should we ask ourselves?
What questions should we ask?
• Do you have an Intranet/Extranet/Internet?
• Are you planning to implement some kind of network?
• Do you have critical or strategic information available on your network?
• How do you know whether you have been the victim of a security breach?
What is the Internet?
(Diagram: the Corporate Network, a Remote Partner, a Remote User and a Remote Office, all connected through the Internet.)
What is the Intranet?
(Diagram: the Corporate Network reached by a Remote User and a Remote Office over the Internet, with a DMZ Network hosting the Web Server and the E-Mail Server.)
What is the Extranet?
(Diagram: the Corporate Network and two Partner Sites connected over the Internet, together with a Remote User and a DMZ Network hosting the Web Server and the E-Mail Server.)
What do we need to protect?
• Routers are targets
• Managed switches are targets
• Hosts/clients are targets
• Databases are targets
• Applications are targets
• Information is a target
• Web and e-mail servers are targets
• Management tools are targets
More Questions……..
Is your security solution complete?
Can you support a wide range of business activities without compromising the organization?
Is your security solution extensible to users' evolving requirements?
How do Security Problems Arise?
• When you connect your computer to the Internet you are under threat…….
• The first threat is that your IP packets can be inspected as they travel across the Internet.
• The second threat is that someone uses your connectivity to attack your OS.
• There is only one way to provide security against these threats…….
Security Services
• What do they mean?
• Why are they necessary?
• How are they implemented?
What do Security Services Mean?
• Privacy…….?
• Authentication..….?
• Access Control….…….?
Communication Properties
(Diagram: Alice and Bob exchanging messages.)
Communicate securely??
• Secrecy
• Authentication
• Message Integrity
Authenticated Access
(Diagram: a user first lands on the Auth. VLAN and reaches the Authentication Server; the network then switches the user onto VLAN A or VLAN B, reaching Target Resource A or Target Resource B.)
1. Logon and establish access privileges
2. Instruct network to connect user to target VLAN(s)
3. User is connected to target VLAN(s)
Why are they necessary?
• The perpetrator has solid knowledge of the protocols in use.
• They can interpret the message, discovering passwords, sensitive information, etc.
How are they implemented?
The Security Challenge in a Computer Network
Firewall
What is a Firewall?
• A system designed to prevent unauthorized access to or from a private network
• Implemented in hardware, in software, or in a combination of both
• Every message entering or leaving the network through the FW is examined, and those that do not comply with the security policies are blocked.
Firewall Architectures
1. Packet Filters
2. Application Proxies
3. Circuit-level Gateways
4. Network Address Translation (NAT)
Firewalls
Packet Filter Firewall
(Diagram: the User and the Server each shown as the seven OSI layers, Application, Presentation, Session, Transport, Network Layer, Data Link, Physical; the Router with Packet Filter sits between them and operates at the Network Layer.)
Application Gateways / Proxies
(Diagram: the gateway runs proxy applications for Telnet, FTP, HTTP and SMTP; it operates at the Application Layer, above the Presentation, Session, Transport, Network, Data Link and Physical layers.)
Stateful Inspection
(Diagram: the seven-layer stack, Application through Physical; the inspection engine sits between the Data Link and Network layers and feeds Dynamic State Tables.)
Packets intercepted between Data Link and Network layers.
Information on all higher layers saved in dynamic state tables.
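The difference between the packet filter slide and the stateful inspection slide, as an added example that is not part of the D-Link deck: a stateless filter judges each packet from its header alone, while the stateful one keeps a dynamic state table of sessions opened from inside and admits inbound traffic only when it matches an entry. Addresses, ports and the "10.x is inside" convention are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP packet as seen by the firewall (constructed for the example)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S", "SA", "A"


def is_inside(ip: str) -> bool:
    # Constructed convention: the protected network is 10.0.0.0/8.
    return ip.startswith("10.")


def stateless_filter(pkt: Packet) -> bool:
    """Packet filter: decides from this packet's header alone. Typical rules:
    allow anything outbound; allow inbound only if the ACK bit is set (the
    classic "established" rule). It has no memory of whether a session exists."""
    if is_inside(pkt.src):
        return True
    return "A" in pkt.flags


class StatefulFilter:
    """Stateful inspection: a dynamic state table of sessions opened from
    inside; inbound packets pass only if they match an entry in reverse."""

    def __init__(self) -> None:
        self.table = set()  # entries are (src, sport, dst, dport) of outbound flows

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def run(packets):
    """Returns the verdict lists of both filters for the same packet sequence."""
    stateful = StatefulFilter()
    return [stateless_filter(p) for p in packets], [stateful.allow(p) for p in packets]


# Constructed traffic: a web session opened from inside, its legitimate
# reply, and an inbound packet with ACK set that belongs to no session.
TRAFFIC = [
    Packet("10.1.1.5", 40000, "203.0.113.10", 80, "S"),
    Packet("203.0.113.10", 80, "10.1.1.5", 40000, "SA"),
    Packet("198.51.100.7", 4444, "10.1.1.9", 139, "A"),
]
```

The stateless filter admits all three packets because the third carries an ACK bit; the stateful filter drops it because no entry in its state table explains it.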
Proxy Server Gateways
(Diagram: Internal Client, Firewall hosting the Proxy Server, External Web Server.)
1. Request (internal client to proxy server)
2. Repackage request (proxy server to external web server)
3. Response (external web server to proxy server)
4. Repackage response (proxy server to internal client)
Security Policies
• Network Service Access Policy
• Firewall Design Policy
Security Policies
• Network Service Access Policy
Defines the services that will be explicitly permitted or denied from the restricted network, consistent with the properties of secure communication.
Security Policies
• Firewall Design Policy
Describes how the firewall will be configured to enforce the rules that restrict access or filter services.
Enterprise Security - Internet
(Diagram: the Corporate Network behind a FW, connected over the Internet to a Partner Site, a Remote User and a Remote Office, with a DMZ Network off the FW.)
Enterprise Security - Intranet
• Policies for enterprise-wide communication
(Diagram: same topology; the FW applies policy between the Corporate Network, the DMZ Network, the Remote Office and the Remote User over the Internet.)
Enterprise Security - Extranet
• Secure communication between partners
(Diagram: same topology; the Partner Site communicates with the Corporate Network through the FW over the Internet.)
Security Elements in Wireless Networks
Security in WLANs
Access Control
• By Network Name
• By MAC address
DSSS transmission technology is difficult to intercept.
DSSS allows high transmission rates by dividing the 2.4-GHz band into 14 22-MHz channels.
Security is weak.
Threats in WLANs
• Denial of Service
• Interception/Eavesdropping
• Manipulation
• Masquerading
• Repudiation
• Transitive Trust
• Infrastructure
Security Premises in 802.11b
• Service Set Identifier (SSID)
• Shared or Open Authentication
• MAC Filtering/Firewall
• Wired Equivalent Privacy (WEP)
– Link Level
– Poor security
SSID
• Mechanism used to segment WLANs
• Each AP is programmed with an SSID corresponding to its network
• The client presents the correct SSID to access the AP
• There are security compromises
– The AP can be configured to broadcast its SSID
– The SSID may be shared among several users of a wireless segment
MAC Filtering
• Each client is identified by its 802.11 NIC MAC address
• The AP can be programmed with a set of MAC addresses to accept
• Combine the filtering with the AP's SSID
• We incur an overhead maintaining the list of MAC addresses.
Cryptography
Encryption uses the RC4 algorithm defined in the IEEE 802.11 WEP standard.
Products are available with 40- and 128-bit encryption.
64-bit WEP is the same as 40-bit WEP: a 40-bit (10 hex character) "secret key" (defined by the user) plus a 24-bit "Initialization Vector" (which is not under the user's control).
802.11 – Security
Enterprise/Home
– Data Encryption (WEP, TKIP, AES): Prevent 3rd parties from viewing the content of wireless data transmissions
– User Authentication (802.1X): Prevent unauthorized users from connecting to the wireless network
– Virtual LAN: Use VLAN-capable Access Points to tag “guest traffic” and other “non-secure” traffic so that it can be routed outside the firewall
Across the Public Infrastructure
– Virtual Private Network: Maintain end-to-end privacy through the use of Layer 3 tunneling protocols (independent of 802.11 devices)
WEP Authentication
• The client requests access
• The AP sends a challenge text to the client
• The client encrypts the text using the secret key sent by the AP
• If the text is encrypted correctly the AP grants access; otherwise it denies it.
WEP in Action
(Diagram: the Supplicant, holding WEP Key 1234567890, and the Access Point, holding the same WEP Key 1234567890, in front of the network resources.)
Association Request
Authentication Request
Authentication Response
Association Response
Encrypted Data to Access Point
WEP Weaknesses
• All clients of an AP on a wireless network share the same encryption key
• There is no protocol for distributing the encryption key.
• Improved with WPA.
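Why the cryptography slide's "40-bit key plus a 24-bit IV" and the shared static key on this slide add up to poor security, as an added example that is not part of the D-Link deck: the functions below build the per-frame RC4 key the way WEP does, count how many distinct per-frame keys exist regardless of key length, and estimate how soon an IV repeats. The key 1234567890 is the sample value from the "WEP in Action" slide; the frame rate is a constructed assumption.

```python
import math
import random

IV_BITS = 24              # the per-frame Initialization Vector, fixed by WEP
IV_SPACE = 2 ** IV_BITS   # 16,777,216 distinct IVs, whatever the key length


def wep_key_bits(secret_hex: str) -> tuple:
    """(user-chosen key bits, marketed key bits): 10 hex chars -> 40 -> "64-bit WEP",
    26 hex chars -> 104 -> "128-bit WEP". The extra 24 bits are always the IV."""
    user_bits = len(bytes.fromhex(secret_hex)) * 8
    return user_bits, user_bits + IV_BITS


def per_frame_key(iv: bytes, secret_hex: str) -> bytes:
    """The RC4 key WEP uses for one frame: IV || shared secret. The IV travels
    in the clear, so the only secret part is the static key that every station
    on the AP shares; only the 3 IV bytes change from frame to frame."""
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV must be exactly 3 bytes")
    return iv + bytes.fromhex(secret_hex)


def expected_frames_until_iv_repeat() -> float:
    """Birthday bound: with IVs drawn at random, the first repeat is expected
    after about sqrt(pi/2 * 2^24) frames, a few thousand rather than millions."""
    return math.sqrt(math.pi / 2 * IV_SPACE)


def hours_until_counter_wraps(frames_per_second: float) -> float:
    """With a sequential IV counter the whole space is consumed after 2^24
    frames; at a modest constructed frame rate that is well under a day."""
    return IV_SPACE / frames_per_second / 3600


def first_repeat_random(seed: int) -> int:
    """Simulate random IV selection and return the frame number of the first
    IV reuse; a repeated IV means RC4 reuses a keystream under the shared key."""
    rng = random.Random(seed)
    seen = set()
    n = 0
    while True:
        n += 1
        iv = rng.getrandbits(IV_BITS)
        if iv in seen:
            return n
        seen.add(iv)
```

Because every station shares one static key, the IV space is shared by the whole cell, so the repeat arrives as fast as the cell's combined frame rate dictates; per-session keys (as in WPA/TKIP) remove that shared space.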
WPA in Action
(Diagram: Supplicant, Authenticator (the AP) and Authentication Server in front of the network resources.)
1. Association Request; the AP blocks the request until the user is authenticated
2. AP sends authentication request
3. Client proves credential to authentication server
4. Once authenticated, the authentication server distributes the TKIP encryption key
5. Client joins LAN with encrypted data
802.11 – Security Portfolio
Different Ways a Network Needs to be Made Secure

                  Original 802.11b   Updated 802.11b   802.11a and a/b
Encryption        WEP                TKIP (“SSN”)      AES
Authentication    nothing            802.1x            LEAP / PEAP / TLS
Application       VPN
Operation         VLAN

Encryption: “Is my data secure?”
Authentication: “How can I keep intruders from entering my network?”
Application (VPN): “Can I maintain the integrity of my link from end to end?”
Operation (VLAN): “How can I avoid breaking my own security mechanisms?”
802.1X Authentication
(Diagram: the End-User Station speaks EAPOL (EAP) to the Wireless AP, which speaks RADIUS (EAP) to the RADIUS server, shown as a DRS-200; Request and Password messages flow between them.)
1. Using Extensible Authentication Protocol (EAP) an end-user contacts a wireless access point and requests to be authenticated.
2. The Access Point passes the request to the Radius Server.
3. The Radius Server challenges the end user for a password, and the end user responds with a password to the Radius server.
4. The Radius server authenticates the end user and the access point opens a port to accept data from the end user.
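The four 802.1X steps above as a small model, added here and not part of the D-Link deck: the access point (authenticator) keeps the station's controlled port closed and only relays the EAP exchange to the authentication server until it answers accept. The HMAC challenge/response, the user table and the secrets are constructed stand-ins, not a real EAP method or RADIUS attribute format.

```python
import hashlib, hmac, secrets


class AuthServer:
    """Stands in for the RADIUS server: holds credentials, issues challenges, checks responses."""

    def __init__(self, users: dict):
        self.users = users      # user -> shared secret (bytes), constructed table
        self.pending = {}       # user -> outstanding challenge

    def challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def verify(self, user: str, response: bytes) -> bool:
        chal, secret = self.pending.pop(user, None), self.users.get(user)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(hmac.new(secret, chal, hashlib.sha256).digest(), response)


class Authenticator:
    """The access point: the controlled port stays closed per station until the server accepts."""

    def __init__(self, auth_server: AuthServer):
        self.auth_server = auth_server
        self.authorized = set()  # stations whose controlled port is open

    def data_frame(self, station: str) -> bool:
        return station in self.authorized  # data is dropped while unauthorized

    def eap_start(self, station: str, user: str) -> bytes:
        return self.auth_server.challenge(user)  # steps 1-3: relay to the server

    def eap_response(self, station: str, user: str, response: bytes) -> bool:
        ok = self.auth_server.verify(user, response)  # step 4: the server decides
        if ok:
            self.authorized.add(station)  # the AP opens the port for data
        return ok


def supplicant_answer(secret: bytes, challenge: bytes) -> bytes:
    """Constructed challenge/response (HMAC), standing in for a real EAP method."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def run_session(station: str, user: str, secret: bytes) -> tuple:
    """(data allowed before auth, auth result, data allowed after auth)."""
    ap = Authenticator(AuthServer({"alice": b"constructed-secret"}))
    before = ap.data_frame(station)
    ok = ap.eap_response(station, user, supplicant_answer(secret, ap.eap_start(station, user)))
    return before, ok, ap.data_frame(station)
```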
• Thank you very much
D-Link Security Solution
Basic Definitions
• Confidentiality
– Are you the only one who is viewing information
specific to you or authorized users?
• Integrity
– Are you communicating with whom you think?
– Is the data you are looking at correct or has it been
tampered with?
• Availability
– Are the required services there when you need them?
• Authentication
– Are you who you say you are?
Vocabulary in Security
• AS – Authentication Server
• EAP – Extensible Authentication Protocol
• EAPOL – EAP Over LAN
• IV – Initialization Vector
• MIC – Message Integrity Code
• PEAP – Protected EAP
• PKI – Public Key Infrastructure
• RADIUS – Remote Access Dial-In User Service
• TKIP – Temporal Key Integrity Protocol
• WEP – Wired Equivalent Privacy
• WLAN – Wireless Local Area Network
• AES – Advanced Encryption Standard
Hacker Prevention and
Network Protection
• Network Intrusion Detection System (NIDS) is
a real-time network intrusion detection sensor
• Identifies and takes action against suspicious
network activity
• Uses intrusion signatures, stored in the attack
database, to identify the most common attacks
• To notify system administrators of the attack,
the NIDS records the attack and any suspicious
traffic to the attack log
Hacker Prevention and
Network Protection
• NIDS protects DFL-xxxx and the network
connected to it by :
– Dropping the connection
– Blocking packets from the location of the attack
– Blocking network ports, protocols or services being
used by an attack
Hacker Prevention and
Network Protection
• Using Virtual Private Networking (VPN), you can provide a secure connection between widely separated office networks or securely link telecommuters or travelers to an office network
• VPN features include:
– standard IPSec VPN (e.g. IPSec, DES, 3DES, etc.)
– PPTP
– L2TP
– IPSec and PPTP VPN pass-through
Secure Installation, Configuration and Management
• Logging and Reporting
– Report traffic that connects to the firewall interfaces
– Report network services used
– Report traffic permitted by firewall policies
– Report events such as configuration changes and other
management events, IPSec tunnel negotiation, virus
detection, attacks and web page blocking
• Logs can be sent to a remote syslog server or to a WebTrends
server using WebTrends enhanced log format
DFL-200
• 3,000 concurrent sessions
• Firewall performance: 60Mbps
• 3DES performance: 20Mbps
• 70 dedicated VPN tunnels
• 500 policies, 256 schedules
• 10/100BASE-TX port to connect to DSL/cable modem
• 10/100BASE-TX dedicated DMZ port
• 4 10/100BASE-TX LAN switch ports
DFL-700
• Supports 100 users
• 10,000 concurrent sessions
• Firewall performance: 100Mbps
• 3DES performance: 30Mbps
• 200 dedicated VPN tunnels
• 1,000 policies, 256 schedules
• 10/100BASE-TX port to connect to DSL/cable modem or external LAN
• 10/100BASE-TX port to connect to internal LAN (Trusted)
• 10/100BASE-TX dedicated DMZ port
DFL-1100
• 200,000 concurrent sessions
• Firewall performance: 250Mbps
• 3DES performance: 60Mbps
• 1,000 dedicated VPN tunnels
• 10/100BASE-TX port to connect to DSL/cable modem or external LAN
• 10/100BASE-TX dedicated DMZ port
• 10/100BASE-TX LAN port to connect to internal LAN (Trusted)
• 10/100BASE-TX backup port to connect to backup firewall
• 2,000 policies, 256 schedules
Securing Your Network with DFL-1100
Insurance Business Sector
(Diagram: the HQ Network, with 500 users behind access switches, is protected by a DFL-1100 active firewall and a DFL-1100 backup firewall joined by a backup link; the Internet connection carries VPN access for tele workers, mobile users and a Branch Office over ADSL.)
DFL-500 & DFL-1000
Network Protection Gateway (NPG)
• A dedicated, easily managed security device that delivers the following services:
– application-level services such as virus protection and content filtering
– network-level services such as firewall, intrusion detection, VPN and traffic shaping
DFL-500 & DFL-1000
Accelerated Behaviour and Content Analysis System (ABACAS™)
• Unique ASIC-based architecture
• Analyses contents and behaviour in real time
• Enables key applications to be deployed right at the network edge, where they are most effective at protecting the network
DFL-500 vs DFL-1000
                    DFL-500          DFL-1000
Product Category    SoHo             SMB
CPU                 133MHz           300MHz
RAM                 64MB             256MB
Flash               32MB             64MB
Ports               1 LAN, 1 WAN     1 LAN, 1 WAN, 1 DMZ
DFL-500 vs DFL-1000 (System Performance)
                         DFL-500     DFL-1000
Concurrent sessions      2,000       25,000
New sessions / second    800         10,000
Firewall performance     30Mbps      180Mbps
Triple-DES (168 bit)     15Mbps      120Mbps
Policies                 100         1,000
Schedules                30          256
DFL-500 vs DFL-1000 (Firewall Mode of Operation)
                                DFL-500   DFL-1000
Network Address Translation     Yes       Yes
Port Address Translation        Yes       Yes
Transparent mode                Yes       Yes
Route mode                      Yes       Yes
Virtual IP                      Yes       Yes
DFL-500 vs DFL-1000 (VPN)
                                            DFL-500   DFL-1000
Dedicated tunnels                           20        100
Manual key, IKE, PKI                        Yes       Yes
DES (56-bit) & 3DES (168-bit) encryption    Yes       Yes
Perfect forward secrecy (DH Groups)         Yes       Yes
Remote access VPN                           Yes       Yes
DFL-500 vs DFL-1000 (Firewall Attacks)
                            DFL-500   DFL-1000
DDOS and DOS detected       14        14
MAC address bound to IP     Yes       Yes
DFL-500 vs DFL-1000 (Logging / Monitoring)
                                    DFL-500       DFL-1000
Internal log space                  No            Yes
E-mail notify                       3 addresses   3 addresses
Syslog                              Yes           Yes
SNMP                                Yes           Yes
Device failure detection            Yes           Yes
Network notification on failover    Yes           Yes
DFL-500 vs DFL-1000 (IPSec)
                    DFL-500   DFL-1000
Site-to-site VPN    Yes       Yes
Authentication      Yes       Yes
SHA-1 / MD5         Yes       Yes
DFL-500 vs DFL-1000 (Firewall & VPN User Authentication)
                                    DFL-500   DFL-1000
Built-in database - user limit      Yes       Yes
RADIUS (external) database          No        Yes
RSA SecureID (external) database    No        Yes
LDAP (external) database            No        Yes
DFL-500 vs DFL-1000 (System Management)
                                                DFL-500   DFL-1000
WebUI (HTTP and HTTPS)                          Yes       Yes
Multi-language user interface                   Yes       Yes
Command line interface (telnet)                 Yes       Yes
Wizard / Quick Installation                     Yes       Yes
Secure command shell (ssh v1 compatible)        Yes       Yes
All management via VPN tunnel on any interface  Yes       Yes
DFL-500 vs DFL-1000 (Traffic Management)
                                DFL-500   DFL-1000
Guaranteed bandwidth            Yes       Yes
Maximum bandwidth               Yes       Yes
Priority-bandwidth utilization  Yes       Yes
DFL-500 vs DFL-1000 (Administration)
                                                DFL-500        DFL-1000
Multiple administrator levels                   Yes            Yes
(Root Admin, Admin & Read Only user)
Trust host                                      Yes            Yes
Software upgrades & configuration changes       TFTP / WebUI   TFTP / WebUI
DFL-500 vs DFL-1000 (Network Service)
                            DFL-500   DFL-1000
PPPoE                       Yes       Yes
PPTP                        Yes       Yes
DHCP client                 Yes       Yes
DHCP server                 Yes       Yes
VPN client pass-through     Yes       Yes