CPSC 6126 Computer Security


Firewalls

Firewall sits between the corporate network and the Internet
• Prevents unauthorized access from the Internet
• Facilitates internal users’ access to the Internet
[Diagram: firewall between the corporate network and the Internet; traffic is marked OK, No, or “Access only if authenticated”]

Packet Filter Firewalls
• Examine each incoming IP packet
• Examine IP and TCP header fields
• If bad behavior is detected, reject the packet
• No sense of previous communication: analyzes each packet in isolation
[Diagram: an IP packet passing through the firewall]
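Added example (not part of the lecture slides): a stateless packet filter in Python that parses constructed IPv4/TCP header bytes and decides on the header fields alone. The internal prefix 10.0.0., the rule set and the sample addresses are assumptions. The last packet in demo() shows the “no sense of previous communication” point: a packet that merely looks like a web-server reply is accepted even though no request ever went out.

```python
import struct
from dataclasses import dataclass

# Constructed sample packets: a bare IPv4 header followed by a bare TCP header
# (no options, no payload, checksums left at zero). Addresses are documentation ranges.
def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int) -> bytes:
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src, dst)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr

SYN, ACK = 0x02, 0x10
TCP = 6
INTERNAL_PREFIX = "10.0.0."   # hypothetical corporate network

@dataclass
class Headers:
    src_ip: str
    dst_ip: str
    proto: int
    sport: int = 0
    dport: int = 0
    flags: int = 0

def parse_headers(pkt: bytes) -> Headers:
    """Pull out the IP and TCP header fields the filter decides on."""
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    proto = pkt[9]
    src_ip = ".".join(str(b) for b in pkt[12:16])
    dst_ip = ".".join(str(b) for b in pkt[16:20])
    if proto != TCP or len(pkt) < ihl + 20:
        return Headers(src_ip, dst_ip, proto)
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return Headers(src_ip, dst_ip, proto, sport, dport, pkt[ihl + 13])

def packet_filter(pkt: bytes) -> str:
    """Stateless rules: each packet is judged on its own header fields only."""
    if len(pkt) < 20:
        return "DROP"
    h = parse_headers(pkt)
    inbound = h.dst_ip.startswith(INTERNAL_PREFIX)
    if h.proto != TCP:
        return "DROP"                                # only TCP is handled here
    if inbound and (h.flags & SYN) and not (h.flags & ACK):
        return "DROP"                                # refuse new connections from outside
    if inbound and h.sport == 80 and (h.flags & ACK):
        return "ACCEPT"                              # looks like a reply from a web server
    if not inbound and h.dport == 80:
        return "ACCEPT"                              # outbound web request
    return "DROP"

def demo():
    """Shows the isolation limitation: an unsolicited 'reply' from port 80 is accepted."""
    request = build_packet("10.0.0.5", "203.0.113.7", 40000, 80, SYN)
    reply = build_packet("203.0.113.7", "10.0.0.5", 80, 40000, SYN | ACK)
    probe = build_packet("203.0.113.7", "10.0.0.5", 5555, 22, SYN)
    unsolicited = build_packet("198.51.100.9", "10.0.0.5", 80, 40000, ACK)  # no request went out
    return [packet_filter(p) for p in (request, reply, probe, unsolicited)]

if __name__ == "__main__":
    print(demo())   # ['ACCEPT', 'ACCEPT', 'DROP', 'ACCEPT']
```

The filter has nowhere to record that 10.0.0.5 never spoke to 198.51.100.9, so the fourth verdict is the same as the second; the proxy firewall slides that follow address exactly this gap.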

Application (Proxy) Firewalls
• Filter based on application behavior
• Do not examine packets in isolation: use history
• In HTTP, for example, do not accept a response unless an HTTP request has just gone out to that site

Application (Proxy) Firewalls
• Hide internal internet addresses
• Internal user sends an HTTP request
• HTTP proxy program replaces user internet address with proxy server’s IP address, sends to the webserver
[Diagram: HTTP request leaves the internal user; the request forwarded to the webserver carries the proxy server’s IP address]

Application (Proxy) Firewalls
• Webserver sends response to proxy server, to proxy server IP address
• HTTP proxy server sends the IP packet to the originating host
• Overall, proxy program acts on behalf of the internal user
[Diagram: HTTP response arrives addressed to the proxy server’s IP address and is relayed to the originating host]
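Added example (not part of the lecture slides) covering the three proxy slides above: a toy HTTP proxy firewall in Python that keeps a history of outbound requests, forwards each request with the proxy’s own address in place of the internal user’s, and relays a response only when a request to that site recently went out. The proxy address 192.0.2.1, the 30-second window, the message format and the sample hosts are all assumptions; the clock is injectable so the timing rule can be exercised offline.

```python
import time
from dataclasses import dataclass

@dataclass
class HttpMessage:
    src_ip: str
    dst_ip: str
    kind: str      # "request" or "response"
    body: str

class HttpProxyFirewall:
    """Toy HTTP proxy: hides internal addresses and keeps a history of outbound requests."""

    def __init__(self, proxy_ip: str, window_seconds: float = 30.0, clock=time.monotonic):
        self.proxy_ip = proxy_ip
        self.window = window_seconds
        self.clock = clock                 # injectable for offline testing (assumption)
        self.pending = {}                  # site IP -> (internal host, time of last request)

    def outbound(self, msg: HttpMessage) -> HttpMessage:
        """Internal user's request: remember it, then forward it with the proxy's own address."""
        if msg.kind != "request":
            raise ValueError("only requests travel outbound through the proxy")
        self.pending[msg.dst_ip] = (msg.src_ip, self.clock())
        return HttpMessage(self.proxy_ip, msg.dst_ip, "request", msg.body)

    def inbound(self, msg: HttpMessage):
        """Webserver's response: deliver it only if a request to that site recently went out."""
        if msg.kind != "response" or msg.dst_ip != self.proxy_ip:
            return None                    # not addressed to the proxy: nothing to relay
        entry = self.pending.get(msg.src_ip)
        if entry is None:
            return None                    # unsolicited response: no matching request in history
        internal_host, sent_at = entry
        if self.clock() - sent_at > self.window:
            del self.pending[msg.src_ip]
            return None                    # request is too old to pair with this response
        return HttpMessage(msg.src_ip, internal_host, "response", msg.body)

def demo():
    """Walks through the slides' exchange with a manual clock (constructed addresses)."""
    now = [0.0]
    fw = HttpProxyFirewall("192.0.2.1", window_seconds=30.0, clock=lambda: now[0])
    fwd = fw.outbound(HttpMessage("10.0.0.5", "203.0.113.7", "request", "GET / HTTP/1.1"))
    ok = fw.inbound(HttpMessage("203.0.113.7", "192.0.2.1", "response", "HTTP/1.1 200 OK"))
    unsolicited = fw.inbound(HttpMessage("198.51.100.9", "192.0.2.1", "response", "HTTP/1.1 200 OK"))
    now[0] = 120.0
    stale = fw.inbound(HttpMessage("203.0.113.7", "192.0.2.1", "response", "HTTP/1.1 200 OK"))
    return fwd.src_ip, ok.dst_ip, unsolicited, stale

if __name__ == "__main__":
    print(demo())   # ('192.0.2.1', '10.0.0.5', None, None)
```

The webserver only ever sees 192.0.2.1, and a response from a site nobody asked (198.51.100.9) is dropped: the history table is what a stateless packet filter lacks.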

Why Hide Internal IP Addresses?
• The first step in an attack usually is to find potential victim hosts
• Sniffer programs read IP packet streams for IP addresses of potential target hosts
• With proxy server, sniffers will not learn IP addresses of internal hosts
[Diagram: a sniffer looking for the host’s IP address sees only the proxy’s (false) IP address]

Application Firewalls
• Need a separate program (proxy) for each application
• Not all applications have rules that allow filtering
Intrusion Detection

Intrusion detection software to detect and report intrusions as they are occurring
• Lets organization stop intruders so that intruders do not have unlimited time to probe for weaknesses
• Helps organization assess security threats
• Audit logs list where intruder has been: vital in legal prosecution
Intrusion Detection
• Signature-based IDS – performs simple pattern-matching and reports situations that match a pattern corresponding to a known attack type
• Heuristic IDS (anomaly-based) – builds a model of acceptable behavior and flags exceptions to that model
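Added example (not part of the lecture slides): both IDS styles from this slide run over constructed web-server log lines in Python. The signature detector matches two textbook attack patterns against the request line; the heuristic detector learns the normal requests-per-minute rate per host from a training window and flags any host that exceeds mean plus three standard deviations. The log format, the signatures, the threshold rule and every address are assumptions.

```python
import re
import statistics
from collections import Counter

# Constructed web-server log lines: client, [hour:minute], request line.
TRAINING_LOG = [
    f'10.0.0.{h} [10:0{m}] "GET /index.html HTTP/1.1"'
    for h in (1, 2, 3) for m in range(5) for _ in range(2 + (h + m) % 3)
]
LIVE_LOG = (
    ['10.0.0.1 [10:05] "GET /index.html HTTP/1.1"'] * 3
    + ['198.51.100.4 [10:05] "GET /../../etc/passwd HTTP/1.1"',
       '198.51.100.5 [10:05] "GET /login?user=admin\' OR 1=1-- HTTP/1.1"']
    + [f'203.0.113.9 [10:05] "GET /page{i} HTTP/1.1"' for i in range(40)]
)

LINE_RE = re.compile(r'^(?P<host>\S+) \[(?P<minute>[^\]]+)\] "(?P<request>[^"]*)"$')

def parse(line: str):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

# Signature-based: patterns for known attack types (textbook examples, constructed here).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"(?i)'\s*or\s+1\s*=\s*1"),
}

def signature_ids(lines):
    """Report every (signature, host) whose request matches a known-attack pattern."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["request"]):
                alerts.append((name, rec["host"]))
    return alerts

def requests_per_minute(lines) -> Counter:
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec is not None:
            counts[(rec["host"], rec["minute"])] += 1
    return counts

class RateModel:
    """Heuristic (anomaly-based): learn normal requests-per-minute, flag hosts far above it."""

    def __init__(self, training_lines, k: float = 3.0):
        values = list(requests_per_minute(training_lines).values())
        self.mean = statistics.fmean(values)
        self.stdev = statistics.pstdev(values)
        self.threshold = self.mean + k * self.stdev   # boundary of "acceptable behavior"

    def check(self, lines):
        """Hosts whose rate in any minute exceeds the learned threshold."""
        return sorted({host for (host, _), n in requests_per_minute(lines).items()
                       if n > self.threshold})

if __name__ == "__main__":
    print(signature_ids(LIVE_LOG))          # two signature hits
    print(RateModel(TRAINING_LOG).check(LIVE_LOG))   # ['203.0.113.9']
```

Note that each detector misses what the other catches: the two signature hits are single requests, so the rate model never sees them, while the 40-requests-a-minute host matches no signature at all. That complementarity is why deployments usually run both.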

Intrusion Detection
• Network-based IDS – stand-alone device attached to the network to monitor traffic throughout the network
• Host-based IDS – runs on a single workstation or client or host, to protect that one host

Default-Deny Posture
• Perimeter Settings: block all protocols except those expressly permitted [i.e. SMTP(25), DNS(53), HTTP(80), SSL(443),…]
• Internal Settings: block all unnecessary traffic between internal network segments, remote & VPN connections
• Security Configurations: harden servers & workstations to run only necessary services and applications
• Segment Networks
• Patch Management
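Added example (not part of the lecture slides): the posture above expressed in Python as an allow-list policy whose default answer is DENY, plus a small host-hardening audit. The perimeter ports come from the slide; the zone names (internet, dmz, lan, vpn), the internal rules, the host names and their “necessary services” are assumptions.

```python
from dataclasses import dataclass

# Expressly permitted perimeter protocols, taken from the slide's list.
PERMITTED_PERIMETER_PORTS = {25: "SMTP", 53: "DNS", 80: "HTTP", 443: "SSL"}

@dataclass(frozen=True)
class Flow:
    src_zone: str   # hypothetical segments: "internet", "dmz", "lan", "vpn"
    dst_zone: str
    dport: int

class DefaultDenyPolicy:
    """Nothing passes unless a rule expressly permits it."""

    def __init__(self):
        self.permitted = set()        # (src_zone, dst_zone, dport)

    def permit(self, src_zone: str, dst_zone: str, dport: int):
        self.permitted.add((src_zone, dst_zone, dport))
        return self

    def decide(self, flow: Flow) -> str:
        key = (flow.src_zone, flow.dst_zone, flow.dport)
        return "ALLOW" if key in self.permitted else "DENY"

def build_policy() -> DefaultDenyPolicy:
    policy = DefaultDenyPolicy()
    for port in PERMITTED_PERIMETER_PORTS:            # perimeter: listed protocols only, into the DMZ
        policy.permit("internet", "dmz", port)
    policy.permit("lan", "dmz", 443)                  # internal segments: only traffic they need
    policy.permit("vpn", "lan", 443)                  # remote/VPN users: same idea
    return policy

# Constructed hardening baseline: the services each server is supposed to run.
NECESSARY_SERVICES = {"web01": {80, 443}, "mail01": {25}}

def audit_host_services(listening: dict) -> dict:
    """Listening ports beyond each host's necessary set: candidates to disable."""
    extra = {}
    for host, ports in listening.items():
        surplus = ports - NECESSARY_SERVICES.get(host, set())
        if surplus:
            extra[host] = sorted(surplus)
    return extra

if __name__ == "__main__":
    policy = build_policy()
    for flow in (Flow("internet", "dmz", 443), Flow("internet", "dmz", 23),
                 Flow("internet", "lan", 443), Flow("lan", "dmz", 445)):
        print(flow, policy.decide(flow))
    print(audit_host_services({"web01": {22, 80, 443}, "mail01": {25}, "db01": {3306}}))
```

The shape of the policy is the point: a new service needs an explicit permit before any flow reaches it, and a host that is not in the baseline at all (db01) has every listening port reported, because under default deny the burden is on the service to justify itself.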