ppt-security-issues-02


Security Issues
Onno W. Purbo
Computer Network Research Group
Institute of Technology Bandung
[email protected]
Computer Network Research Group ITB
Perspective ...
- fewer than 200 security incidents in 1989.
- about 400 in 1989.
- about 1400 in 1993.
- estimated more than 2241 in 1994.
- Nobody knows the correct statistics on how many attacks are actually detected by the sites broken into.

Layout Firewall
[Diagram: Internet - Firewall - Internal Network]

What are you trying to protect?
- Your Data.
- Your Resources.
- Your Reputation.

What Are You Trying To Protect Against?

Type of attacks
- Intrusion.
- Denial of Service.
- Information Theft.

Type of Attackers
- Joyriders.
- Vandals.
- Score Keepers.
- Spies (Industrial & Otherwise).
- Stupidity & Accidents.

How Can You Protect Your Site?
- No Security.
- Security Through Obscurity.
- Host Security.
- Network Security.
- No Security Model Can Do It All.

What Can A Firewall Do?
- A firewall is a focus for security decisions.
- A firewall can enforce security policy.
- A firewall can log Internet activity efficiently.
- A firewall limits your exposure.

What Can’t A Firewall Do?
- A firewall can’t protect you against malicious insiders.
- A firewall can’t protect you against connections that don’t go through it.
- A firewall can’t protect against completely new threats.
- A firewall can’t protect against viruses.

Internet Services That Must Be Secured
- Electronic mail (SMTP).
- File Transfer (FTP).
- Usenet News (NNTP).
- Remote Terminal Access (Telnet).
- World Wide Web Access (HTTP).
- Hostname / Address lookup (DNS).

Security Strategies
- Least Privilege.
- Defense in Depth (multiple security mechanisms).
- Choke Point: forces attackers to use a narrow channel.
- Weakest Link.
- Fail-Safe Stance.
- Diversity of Defense.
- Simplicity.

Building Firewalls

Some Firewall Definitions

Firewall
– A component or set of components that restricts access between a protected network and the Internet, or between other sets of networks.

Host
– A computer system attached to a network.

Firewall Definitions (cont.)

Bastion Host
– A computer system that must be highly secured because it is vulnerable to attack, usually because it is exposed to the Internet and is a main point of contact for users of internal networks.

Dual-homed host
– A general-purpose computer system that has at least two network interfaces (or homes).

Firewall Definitions (cont.)

Packet
– The fundamental unit of communication on the Internet.

Packet filtering
– The action a device takes to selectively control the flow of data to and from a network.

Perimeter network
– A network added between a protected network and an external network, to provide an additional layer of security.

Firewall Definitions (cont.)

Proxy Server
– A program that deals with external servers on behalf of internal clients. Proxy clients talk to proxy servers, which relay approved client requests on to real servers, and relay the answers back to the clients.

Packet Filtering
[Diagram: Internet - Screening Router - Internal Network. The screening router routes or blocks packets, as determined by the site's security policy.]

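The screening router in the Packet Filtering slide routes or blocks each packet according to the site's policy. What follows is an added example, not part of these slides or of the ITB group's material: a small packet-filter evaluator in Python that searches an ordered rule list and applies an implicit final deny, which is the fail-safe stance from the Security Strategies slide. The internal prefix 192.0.2.0/24, the bastion host address 192.0.2.2, the rule set and the sample packets are all constructed for this example; the ACK-flag rule is the usual way a stateless screening router admits replies to connections opened from inside without admitting new inbound connections.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# Constructed site layout for this example (not from the slides): the internal
# network uses the documentation prefix 192.0.2.0/24 and the bastion host at
# 192.0.2.2 receives the site's inbound mail.
INTERNAL_NET = "192.0.2.0/24"
BASTION_HOST = "192.0.2.2/32"


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on: "internet" or "internal"
    src: str            # source IP address
    dst: str            # destination IP address
    proto: str          # "tcp" or "udp"
    dport: int          # destination port
    ack: bool = False   # TCP ACK flag: clear only on the first packet of a connection


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    iface: str                   # interface name or "*" for any
    src: str                     # CIDR prefix or "*" for any
    dst: str                     # CIDR prefix or "*" for any
    proto: str                   # "tcp", "udp" or "*"
    dport: Optional[int] = None  # destination port, None for any
    ack: Optional[bool] = None   # required ACK flag value, None for don't care
    comment: str = ""


def _in_prefix(addr: str, prefix: str) -> bool:
    return prefix == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field of the rule accepts the packet."""
    return (
        rule.iface in ("*", pkt.iface)
        and _in_prefix(pkt.src, rule.src)
        and _in_prefix(pkt.dst, rule.dst)
        and rule.proto in ("*", pkt.proto)
        and (rule.dport is None or rule.dport == pkt.dport)
        and (rule.ack is None or rule.ack == pkt.ack)
    )


def screen(pkt: Packet, rules: List[Rule]) -> Tuple[str, str]:
    """Screening-router decision: the first matching rule wins; no match means deny.

    The implicit final deny is the fail-safe stance: a packet the policy did not
    foresee is blocked rather than routed.
    """
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "default deny (fail-safe stance)"


# Ordered policy for the screening router; order matters because the first match wins.
SITE_POLICY = [
    Rule("deny", "internet", INTERNAL_NET, "*", "*",
         comment="anti-spoofing: internal source address arriving from the Internet"),
    Rule("permit", "internet", "*", BASTION_HOST, "tcp", dport=25,
         comment="inbound SMTP only to the bastion host"),
    Rule("permit", "internet", "*", INTERNAL_NET, "tcp", ack=True,
         comment="replies to TCP connections opened from inside (ACK set)"),
    Rule("permit", "internal", INTERNAL_NET, "*", "tcp",
         comment="internal hosts may open outbound TCP connections"),
]


def demo() -> List[Tuple[str, str]]:
    """Run a few constructed packets through the policy and return the verdicts."""
    samples = [
        Packet("internet", "198.51.100.7", "192.0.2.2", "tcp", 25),               # inbound mail to bastion
        Packet("internet", "198.51.100.7", "192.0.2.10", "tcp", 23),              # inbound telnet to a workstation
        Packet("internet", "192.0.2.5", "192.0.2.10", "tcp", 25),                 # forged internal source
        Packet("internet", "198.51.100.7", "192.0.2.10", "tcp", 1025, ack=True),  # reply to an internal client
        Packet("internal", "192.0.2.10", "198.51.100.7", "tcp", 80),              # outbound web request
    ]
    return [screen(p, SITE_POLICY) for p in samples]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Because matching stops at the first hit, the anti-spoofing deny has to sit above the permits; moving it below the ACK rule would let a forged internal source through. Every packet that no rule describes, such as UDP to the bastion host, falls to the default deny.
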
Proxy Services
[Diagram: Internet (External Host / Real Server) - Firewall (Dual-homed Host running the Proxy Server) - Internal Network (Internal Host running the Proxy Client)]

Screened Host Architecture
[Diagram: Internet - Firewall (Screening Router) - Internal Network containing the Bastion Host]

De-Militarized Zone Architecture
[Diagram: Internet - Exterior Router - Perimeter Network with the Bastion Host - Interior Router (Choke Router) - Internal Network]

DMZ With Two Bastion Hosts
[Diagram: Internet - Exterior Router - Perimeter Network with an FTP/WWW Host and an SMTP/DNS Host - Interior Router (Choke Router) - Internal Network]

It’s OK
- Merge Interior & Exterior Router.
- Merge Bastion Host & Exterior Router.
- Use Multiple Exterior Routers.
- Have Multiple Perimeter Networks.
- Use Dual-Homed Hosts & Screened Subnets.

It’s Dangerous
- Use Multiple Interior Routers.
- Merge Bastion Host and Interior Router.

Private IP Address
- Use within Internal Network.
- Reference: RFC 1597.
- IP address allocation:

– Class A: 10.x.x.x
– Class B: 172.16.x.x - 172.31.x.x
– Class C: 192.168.0.x - 192.168.255.x

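The three ranges on the Private IP Address slide are easier to work with as CIDR prefixes (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16). The following is an added example, not from the slides or the ITB group: Python helpers that classify an address against the RFC 1597 blocks, check that a subnet a site wants to number internally lies wholly inside one block, and give the exterior router's reason for dropping a packet that carries a private address across the Internet boundary (where such an address has no meaning). The sample addresses are constructed.

```python
import ipaddress
from typing import Optional

# The three RFC 1597 private blocks listed on the slide, as CIDR prefixes.
PRIVATE_BLOCKS = {
    "Class A": ipaddress.ip_network("10.0.0.0/8"),       # 10.x.x.x
    "Class B": ipaddress.ip_network("172.16.0.0/12"),    # 172.16.x.x - 172.31.x.x
    "Class C": ipaddress.ip_network("192.168.0.0/16"),   # 192.168.0.x - 192.168.255.x
}


def private_block(addr: str) -> Optional[str]:
    """Return the label of the RFC 1597 block containing addr, or None if it is not private."""
    ip = ipaddress.ip_address(addr)
    for label, block in PRIVATE_BLOCKS.items():
        if ip in block:
            return label
    return None


def fits_private_space(cidr: str) -> bool:
    """True if the whole subnet lies inside one private block, so it can be assigned internally.

    A subnet that only partly overlaps a private block (e.g. 192.168.0.0/15) would
    also claim addresses that belong to someone on the Internet.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in PRIVATE_BLOCKS.values())


def block_size(label: str) -> int:
    """Number of addresses a private block offers for internal numbering."""
    return PRIVATE_BLOCKS[label].num_addresses


def exterior_router_drop(src: str, dst: str) -> Optional[str]:
    """Reason for the exterior router to drop a packet crossing to or from the Internet, or None.

    Private addresses are only meaningful inside the site: a packet from the
    Internet with a private source is forged or misrouted, and a packet heading
    out to a private destination can never be delivered or answered.
    """
    if private_block(src):
        return f"private source {src} has no place on the Internet side"
    if private_block(dst):
        return f"private destination {dst} is not reachable across the Internet"
    return None


if __name__ == "__main__":
    for addr in ("10.200.3.4", "172.31.255.254", "172.32.0.1", "192.168.77.1"):
        print(addr, "->", private_block(addr))
    print("172.16.4.0/22 fits:", fits_private_space("172.16.4.0/22"))
    print("192.168.0.0/15 fits:", fits_private_space("192.168.0.0/15"))
    print(exterior_router_drop("10.1.1.1", "198.51.100.7"))
```

The Class B boundary is the one most often got wrong by hand: 172.31.255.254 is private, 172.32.0.1 is not, which is exactly what the /12 prefix encodes.
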
Bastion Host
- It is our presence on the Internet.
- Keep it simple.
- Be prepared for the bastion host to be compromised.

Special Kinds of Bastion Hosts
- Nonrouting Dual-Homed Hosts.
- Victim Machine.
- Internal Bastion Hosts.

Choosing A Bastion Host

What Operating System?
– Unix

How Fast a Machine?
– 386-based UNIX.
– MicroVAX II
– Sun-3

Proxy Systems

Why Proxying?
– Proxy systems deal with the insecurity problems by avoiding user logins on the dual-homed host and by forcing connections through controlled software.
– It is also impossible for anybody to install uncontrolled software to reach the Internet; the proxy acts as a control point.

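The Proxy Server definition and the Proxy Systems slide describe the control point: a proxy client hands its request to the proxy server, which relays approved requests to the real server and the answers back, logging as it goes. The following is an added example, not code from these slides or from the ITB group: a minimal TCP relaying proxy in Python with a destination allow-list and a log, plus a stand-in "real server" that echoes what it receives so the whole exchange runs on the loopback interface. The one-line request header ("host port", then the request bytes, then a half-close) is a convention invented for this example, not any real proxy protocol.

```python
import socket
import threading
from typing import List, Set, Tuple

# Proxy log: one record per client request (verdict, host, port, bytes relayed).
# Keeping this log is the "proxy services are good at logging" property.
LOG: List[Tuple[str, str, int, int]] = []


def _read_until_eof(sock: socket.socket) -> bytes:
    """Read from a socket until the peer half-closes."""
    chunks = []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)


def start_echo_server() -> int:
    """Constructed stand-in for the real server on the Internet side; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(b"ECHO:" + _read_until_eof(conn))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_proxy(allowed: Set[Tuple[str, int]]) -> int:
    """Start the proxy server (the control point) and return the port it listens on.

    A client sends one header line "host port" naming the real server, then the
    request bytes, then half-closes. Only destinations in `allowed` are relayed;
    every decision is logged, including the rejected ones.
    """
    psock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    psock.bind(("127.0.0.1", 0))
    psock.listen(5)

    def handle(conn: socket.socket) -> None:
        with conn:
            header, _, payload = _read_until_eof(conn).partition(b"\n")
            try:
                host, port_text = header.decode("ascii").split()
                port = int(port_text)
            except ValueError:                  # malformed header: refuse, do not guess
                LOG.append(("DENY", "?", 0, len(payload)))
                conn.sendall(b"DENIED\n")
                return
            if (host, port) not in allowed:     # policy check before any outbound connection
                LOG.append(("DENY", host, port, len(payload)))
                conn.sendall(b"DENIED\n")
                return
            with socket.create_connection((host, port), timeout=5) as real:
                real.sendall(payload)           # relay the approved request
                real.shutdown(socket.SHUT_WR)
                reply = _read_until_eof(real)   # collect the real server's answer
            LOG.append(("ALLOW", host, port, len(payload)))
            conn.sendall(reply)                 # relay the answer back to the client

    def serve() -> None:
        while True:
            conn, _ = psock.accept()
            handle(conn)

    threading.Thread(target=serve, daemon=True).start()
    return psock.getsockname()[1]


def proxy_request(proxy_port: int, host: str, port: int, payload: bytes) -> bytes:
    """Proxy client: ask the proxy to relay `payload` to host:port and return the answer."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        s.sendall(f"{host} {port}\n".encode("ascii") + payload)
        s.shutdown(socket.SHUT_WR)
        return _read_until_eof(s)


if __name__ == "__main__":
    echo_port = start_echo_server()
    proxy_port = start_proxy({("127.0.0.1", echo_port)})
    print(proxy_request(proxy_port, "127.0.0.1", echo_port, b"hello"))      # relayed
    print(proxy_request(proxy_port, "127.0.0.1", echo_port + 1, b"hello"))  # refused
    print(LOG)
```

The client never opens a connection to the real server itself; only the proxy does, and only after the policy check, which is what makes the dual-homed host a control point rather than a router. The same structure also shows the disadvantage listed later in the deck: the client had to be changed to speak the proxy's header convention.
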
Proxy - Reality & Illusion
[Diagram: Client - Proxy Server - Real Server. Labels: Perceived Connection (User's Illusion), Actual Connection, Server's Illusion.]

Advantages of Proxying
- Proxy services allow users to access Internet services “directly”.
- Proxy services are good at logging.

Disadvantages of Proxying
- Proxy services lag behind non-proxied services.
- Proxy services may require different servers for each service.
- Proxy services usually require modifications to clients, procedures, or both.
- Proxy services aren’t workable for some services.
- Proxy services don’t protect you from all protocol weaknesses.

Proxying without a Proxy Server
- Store-and-Forward services naturally support proxying.
- Examples:

– E-mail (SMTP).
– News (NNTP).
– Time (NTP).

Internet Resources on Security Issues

WWW Pages
- http://www.telstra.com.au/info/security.html
- http://www.cs.purdue.edu/coast/coast.html

Mailing Lists

[email protected]
– ftp://ftp.greatcircle.com/pub/firewalls/
– http://www.greatcircle.com/firewalls/

[email protected]
[email protected]
– ftp://net.tamu.edu/pub/security/lists/academicfirewalls

[email protected]

Newsgroups
- comp.security.announce
- comp.security.unix
- comp.security.misc
- comp.security.firewalls
- alt.security
- comp.admin.policy
- comp.protocols.tcp-ip
- comp.unix.admin
- comp.unix.wizards

Summary
- In these dangerous times, firewalls are the best way to keep your site secure.
- Although you’ve got to include other types of security in the mix, if you’re serious about connecting to the Internet, a firewall should be at the very center of your security plans.