Zone - Aleksandr Lenin


Securing networks and systems
Aleksandr Lenin
Outline
• Networking (recap)
– Networks, Isolation domains: VLAN, subnets
– CIDR/VLSM, Network zoning
• Firewalls
– Securing networks and hosts
• Network zoning
• IDS/IPS Systems
– Detecting and preventing intrusions
Networking recap
• Network
– A set of hosts
– Sharing the same network part of their IP addresses
– Each having a unique host part in its IP address
– Forming one broadcast domain
Networking recap (contd.)
• Address space:
– The size of the address space = 2^n (n being the number of host
bits in an IPv4 address)
– CIDR notation
• /24 = 8 bits for hosts. 2^8 = 256 addresses for 254 hosts.
– Hosts’ address space
– 2 reserved addresses
• Network address (first address in the address space, all host bits 0)
• Broadcast (last address in the address space, all host bits 1)
• The gateway is not reserved by the protocol; by convention it takes the
first or last usable host address.
Networking recap (contd.)
• Subnetting – why should we split our network into subnets?
– It’s all about trust. Hosts within a network:
• “trust” each other
• freely communicate with each other
– Establish trust boundaries
• Trusted subnets, semi-trusted subnets, untrusted subnets
• If an attacker controls one host in a network, assume it will not be a
major challenge to take the other hosts of that network under control as well
• It is more difficult to cross the boundaries between subnets and get into
another subnetwork, because that traffic has to pass a router/firewall.
– Broadcast domain
Networking recap (contd.)
• Isolating groups of hosts within a network
– VLAN
– CIDR/VLSM – reduces the amount of “spare” addresses.
• Networks are interconnected with gateways (routers)
• Routers route packets between networks (primary
objective).
• Additionally, they can monitor and filter the traffic
passing through them.
Firewall
• A wall built to stop (or slow down) the spread of fire.
• A piece of software or dedicated hardware
monitoring and filtering network traffic.
• Protects network against unauthorized access.
• Protects hosts against unauthorized access.
Firewalls - classification
By architecture:
• Hardware firewalls
• Software firewalls
By functionality/capabilities:
• Network layer firewalls
– Stateless
– Stateful
• Application layer firewalls
By type:
• Network-based firewalls
• Host-based firewalls
Network layer firewalls
Stateless (1st generation)
• Packet filters
• Examine packet headers only; every packet is
judged on its own.
• Filtering is done on the network and transport
layer headers (source/destination address,
protocol, port)
Stateful (2nd generation)
• Performs Stateful Packet Inspection (SPI).
• Keeps a connection table and blocks packets not
matching a known active connection.
• Stateless protocols (UDP, ICMP) are tracked as
pseudo-connections with timeouts, or the firewall
falls back to plain packet filtering for them.
Examples:
• IPFilter (various), ipfw (FreeBSD/Mac OS X), NPF (NetBSD), PF
(OpenBSD, and some other BSDs), iptables/nftables (Linux; ipchains is obsolete)
Application layer firewalls
• 3rd generation of firewalls (current).
• Work at the application layer of the TCP/IP stack
• Inspect the actual packet payload. May intercept all packets traveling to or
from an application.
• Host-based variants filter on a per-process basis instead of filtering
connections: they decide whether a given process may accept (or open) a
given connection.
• May help prevent the spread of networked computer worms and
trojans.
• Cost – increased latency of packet forwarding.
• Problem – overly complex rulesets, limited efficacy.
Rulesets
• Permissive
– By default traffic is allowed to pass
– Rulesets specify which packets should be dropped
• Restrictive
– By default traffic is dropped
– Rulesets specify which packets are allowed to pass
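The stateless/stateful distinction above, together with a restrictive (default-deny) ruleset, simulated in Python over a short packet trace. This is an added example, not code from the slides: the protected network 10.0.0.0/8, the three rules and the packets are all constructed for illustration. It shows why a stateless filter that must let replies back in has to open a hole (here: anything from source port 80 to a high port) that an attacker can walk through, while the stateful filter only accepts packets belonging to a connection it saw being opened.

```python
"""Stateless vs. stateful filtering over a constructed packet trace.

Added example, not from the original slides. Both filters use a restrictive
ruleset: the default action is DROP and rules list what may pass.
"""
from dataclasses import dataclass
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # assumed protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag (new connection attempt)
    ack: bool = False   # TCP ACK flag


def inside(addr):
    return ipaddress.ip_address(addr) in INSIDE


def stateless_filter(pkt):
    """1st generation: each packet is judged on its own headers.

    Constructed rules:
      1. inside -> outside, dport 80            ACCEPT (users may browse)
      2. outside -> inside, sport 80, dport>=1024  ACCEPT (replies to rule 1)
      3. everything else                        DROP
    Rule 2 cannot tell a genuine reply from a fresh SYN an attacker sends
    with source port 80, so the "reply" hole is reachable from anywhere.
    """
    if inside(pkt.src) and not inside(pkt.dst) and pkt.dport == 80:
        return "ACCEPT"
    if (not inside(pkt.src) and inside(pkt.dst)
            and pkt.sport == 80 and pkt.dport >= 1024):
        return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """2nd generation: a connection table decides what is ESTABLISHED."""

    def __init__(self):
        self.conns = set()   # (client, cport, server, sport) of permitted flows

    def filter(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conns or reverse in self.conns:
            return "ACCEPT"   # belongs to a known active connection
        # NEW: only outbound HTTP opened from inside may create state
        if (pkt.syn and not pkt.ack and inside(pkt.src)
                and not inside(pkt.dst) and pkt.dport == 80):
            self.conns.add(key)
            return "ACCEPT"
        return "DROP"


# Constructed trace: a browsing session, then an attacker probing the
# database zone from source port 80 to slip through rule 2.
TRACE = [
    Packet("10.0.3.7", 40001, "203.0.113.10", 80, syn=True),
    Packet("203.0.113.10", 80, "10.0.3.7", 40001, syn=True, ack=True),
    Packet("198.51.100.9", 80, "10.0.1.5", 1433, syn=True),
]


def run(trace):
    """Return (stateless verdict, stateful verdict) for each packet."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.filter(p)) for p in trace]


if __name__ == "__main__":
    for pkt, verdicts in zip(TRACE, run(TRACE)):
        print(pkt, verdicts)
```

In iptables terms the stateful filter is the `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule plus an explicit rule for which NEW connections may be opened; the older stateless trick of treating any packet with the ACK flag as "established" is spoofable in the same way as the source-port-80 rule here.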
Network zoning
• A zone is a LAN segment
– Set aside for a specific function and/or IP range.
– Routes to a gateway
– The gateway provides the network interconnection between the
zones
– The gateway is typically some firewall-like interface
– The ruleset on the gateway defines which data may be transferred
from one zone to another.
– Access is granted in accordance with local security policies
and best practices.
Network zoning (contd.)
• Zoning – grouping of computer resources by
– Location
– Function
– Purpose
– Access type
– Subnet
– Etc.
Network zoning (contd.)
• Zone members are placed within their own subnet.
• Can talk to devices outside their subnet/VLAN
– only if the router/firewall allows this.
– enables flexible filtering.
• Each zone is self-contained.
• Each zone is isolated from other zones before
reaching the firewall.
Network zoning (contd.)
• Historical approach:
– Place a firewall on the external touch-points of your
network.
– Place all public servers in the DMZ zone.
– Restrict access to/from these devices for internal systems.
– Modern approaches to network security do not stop at
the perimeter – more thorough zoning is required.
Network zoning (contd.)
• Modern approach:
– The DMZ concept + consider principles of trust/privacy
– Split internal network into segments
– Provides increased security and privacy
– Zones form boundaries within a network
– Zones isolate trusted, semi-trusted, and untrusted devices
from each other.
Network zoning (contd.)
• Pay attention to the following facts:
– The trusted zone of the external firewall is actually the
untrusted zone of the internal firewall.
– The trusted zone of the external firewall receives traffic which
has passed the rulesets of the external firewall.
– The internal firewall can be configured with the same blocking
rules as the external one and, additionally, with new rules
for protecting the internal networks.
Network zoning (contd.)
• Similar access rules and restrictions across a zone.
• Makes management of firewalling and routing
simpler over time.
• Zones can easily be extended.
• 4 zones: Users, Administrators, Servers, Sensitive
Data Servers.
Network zoning (contd.)
1. Decide how to group the resources.
2. Describe and qualify what is unique and different
about each grouping – groups should not overlap.
3. Clarify what each zone can and cannot access (e.g.
Sensitive Data Servers do not surf the web or have
access to email).
4. Implement the designed grouping.
Network zoning (contd.)
• Zone – Servers
– Subnet: 10.0.0.0/24 (10.0.0.0 – 10.0.0.255)
– Size: 256 addresses (254 usable server IP addresses)
– Description: Zone dedicated to application servers and
services, no end-users and no sensitive customer data
• Examples: Intranet server, Email server, File server
Network zoning (contd.)
• Zone – SENSITIVE
– Subnet: 10.0.1.0/24 (10.0.1.0 – 10.0.1.255)
– Size: 256 addresses (254 usable server IP addresses)
– Description: Zone dedicated to servers that contain
sensitive customer data (could also be employee data)
• Examples: Oracle database server
Network zoning (contd.)
• Zone – SYSADMIN
– Subnet: 10.0.2.0/24 (10.0.2.0 – 10.0.2.255)
– Size: 256 addresses (254 usable system administrator IP addresses)
– Description: Zone dedicated to privileged administrators
of systems, applications, or infrastructure, requires extra
access to servers, network elements, etc.
• Examples: Network Management Team, Firewall
Administrators, Database Administrators, etc.
Network zoning (contd.)
• Zone – USERS
– Subnet: 10.0.4.0/22 (10.0.4.0 – 10.0.7.255); a /22 must start on a
4-address-block boundary, so 10.0.3.0/22 would not be a valid network address
– Size: 1,024 addresses (1,022 usable desktop user IP addresses)
– Description: Zone dedicated to the general user base
• Example: Average Joe user
Network zoning (contd.)
• Zone – NETCORE
– Network: 10.255.0.0/24 (10.255.0.0 – 10.255.0.255)
– Size: 256 addresses (254 usable network core IP addresses)
– Description: Zone dedicated to the network interfaces of the
routers that carry core communications and isolate the
zones
• Example: each router has an interface in this zone
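The zone plan above, and the four-step procedure before it, checked and applied in Python. This is an added example, not code from the slides: the subnets are the ones listed for the five zones (with USERS as 10.0.4.0/22), while the ALLOWED table of which zone may open connections to which is an assumption made for illustration (the slides only state that Sensitive Data Servers do not surf the web or have access to e-mail). It also exercises the address-space recap: network and broadcast are reserved, and a CIDR whose host bits are set is rejected.

```python
"""Zone plan validation and inter-zone policy lookup.

Added example, not from the original slides. ZONES follows the slides;
ALLOWED is assumed for this example.
"""
import ipaddress

ZONES = {
    "SERVERS":   "10.0.0.0/24",
    "SENSITIVE": "10.0.1.0/24",
    "SYSADMIN":  "10.0.2.0/24",
    "USERS":     "10.0.4.0/22",
    "NETCORE":   "10.255.0.0/24",
}
OUTSIDE = "OUTSIDE"   # any address not in a defined zone, e.g. the Internet

# (source zone, destination zone) pairs that may initiate traffic; everything
# else is dropped (restrictive ruleset). Assumed policy, not from the slides.
ALLOWED = {
    ("USERS", "SERVERS"), ("USERS", OUTSIDE),
    ("SYSADMIN", "SERVERS"), ("SYSADMIN", "SENSITIVE"),
    ("SYSADMIN", "NETCORE"), ("SYSADMIN", OUTSIDE),
    ("SERVERS", "SENSITIVE"),   # application servers query the database
    ("SERVERS", OUTSIDE),       # e.g. the e-mail server reaching the Internet
}


def check_plan(zones):
    """Parse the plan; return (networks, problems).

    strict=True rejects a CIDR whose host bits are not all zero (such as
    10.0.3.0/22); overlapping zones are reported because groupings must not
    overlap.
    """
    nets, problems = {}, []
    for name, cidr in zones.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            problems.append(f"{name}: {cidr} is not a valid network (host bits set)")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return nets, problems


def capacity(net):
    """(total addresses, usable hosts): network and broadcast are reserved."""
    return net.num_addresses, net.num_addresses - 2


def zone_of(nets, addr):
    ip = ipaddress.ip_address(addr)
    for name, net in nets.items():
        if ip in net:
            return name
    return OUTSIDE


def permitted(nets, src, dst):
    """Would the zone gateway let src open a connection to dst?"""
    s, d = zone_of(nets, src), zone_of(nets, dst)
    if s == d:
        return True   # same zone: the traffic never reaches the firewall
    return (s, d) in ALLOWED


if __name__ == "__main__":
    nets, problems = check_plan(ZONES)
    print("problems:", problems or "none")
    for name, net in nets.items():
        print(f"{name:10} {str(net):16} total/usable = {capacity(net)}")
    for src, dst in [("10.0.5.20", "10.0.0.10"), ("10.0.1.5", "93.184.216.34"),
                     ("10.0.5.20", "10.0.1.5"), ("10.0.2.9", "10.255.0.1")]:
        print(f"{src} -> {dst}: {'ACCEPT' if permitted(nets, src, dst) else 'DROP'}")
```

`permitted()` only encodes which zone may initiate a flow; letting the replies back in is the job of the stateful firewall on the gateway, so the real ruleset is this matrix plus an ESTABLISHED rule.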
IDS/IPS Systems
Intrusion Detection System (IDS) – a piece of hardware or
software, which:
• monitors network or system activity
• detects malicious activities
• detects policy violations
• produces reports for a management station
• keeps track of suspicious activities in logs
“Observe, identify, report” idea.
IDS/IPS Systems (contd.)
Intrusion Prevention System (IPS) – a piece of
hardware or software which does everything that an
IDS does and, additionally:
• attempts to stop detected malicious activity by
adaptively deploying various protective and
defensive security measures
“Observe, identify, report, protect (act back)” ideology
IDS/IPS Systems (contd.)
• Network-based and host-based IDS/IPS systems.
• Protect the network or the host, respectively.
• Differ in their approach to detecting suspicious
activities.
IDS/IPS Systems (contd.)
Are used for:
• Detecting / preventing malicious activities in hosts
and networks
• Increased security awareness
• Identifying problems with security policies
• Keeping track of existing threats
• Deterring individuals from violating security policies
IDS / IPS Systems (contd.)
Typical behavior:
• Perform monitoring, observe and classify events
• Log information about suspicious activities
• In case suspicious activity has been detected,
deploy security measures (IPS systems only)
• Notify security administrator(s) of important/critical
suspicious activities that have been observed.
IDS/IPS Systems (contd.)
Network Intrusion Detection System (NIDS):
• is placed at strategic points within a network
• analyses all traffic passing through the
subnet
• performs pattern matching – matches traffic against a library
of known attacks
• once a possible attack is detected – classifies its potential
impact and proceeds as intended (just report, or prevent
and report)
IDS/IPS Systems (contd.)
Host Intrusion Detection System (HIDS):
• runs on individual hosts or devices
• monitors incoming and outgoing traffic of this
device only
• takes a snapshot of existing system files and compares it to
the previous snapshot
• if critical system files were modified or deleted – sends a
notification to the system administrator
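The file-snapshot part of a HIDS, as an added example in Python that is not code from the slides or from any particular HIDS product. It hashes every file under a directory, takes a baseline, applies constructed tampering (a new UID-0 account, a weakened sshd config, a removed binary, a dropped file) in a temporary directory, and reports the differences the way a HIDS would.

```python
"""File-integrity monitoring in the style of a HIDS: snapshot, then compare.

Added example, not from the original slides. The files and the tampering
are constructed in a temporary directory so the example runs offline.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative path -> SHA-256 of content, for every file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return snap


def compare(old, new):
    """Differences between a baseline and a later snapshot."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "deleted": sorted(p for p in old if p not in new),
        "added": sorted(p for p in new if p not in old),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)


def demo():
    """Baseline, constructed intrusion, second snapshot; returns the report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n")
        _write(root, "bin/ls", "#!/bin/sh\necho original ls\n")
        baseline = snapshot(root)   # taken while the system is known-good

        # Constructed tampering standing in for an intruder's actions
        _write(root, "etc/passwd",
               "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n")
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin yes\n")
        os.remove(os.path.join(root, "bin", "ls"))
        _write(root, "tmp/.x", "#!/bin/sh\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Keep the baseline (and the checker itself) off the monitored host or on read-only media: an intruder with root can otherwise re-take the snapshot after tampering. Production tools such as AIDE, Tripwire or OSSEC record ownership, mode and inode alongside the content hash for the same reason.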
IDS/IPS Systems (contd.)
Application protocol-based system
• Performs stateful protocol analysis.
• Focuses its attention on the specific application
protocol(s) in use by the computing system.
• Monitoring of dynamic behavior and state of the
protocols
• Example: APIDS deployed between the web server and
the database management system monitoring the SQL
protocol communications.
IDS/IPS Systems (contd.)
Statistical anomaly based system
• Compares network traffic against an established
baseline.
• The baseline establishes what is “normal” for that
particular system (the amount of bandwidth, protocols,
ports, devices generally connect to each other, etc.)
• May raise false-positive alarms for legitimate but unusual use of
resources.
IDS/IPS Systems (contd.)
Signature based system
• Matches observed traffic against patterns of known
malicious threats.
• Methods similar to the ones antivirus software
uses.
• Problem – lag time between a new threat appearing and a
signature for it being available, during which the IDS/IPS
is unable to identify the threat.
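The two detection approaches of the last two slides, statistical anomaly-based and signature-based, run over constructed web-server log lines in Python. This is an added example, not code from the slides and not Snort/Suricata rule syntax: the log lines, the two regex "signatures", the baseline of requests per host per minute and the observed counts are all constructed. The last log line uses a technique with no signature in the library, which is the lag problem: the signature matcher stays silent, while the anomaly detector still flags the host because of its request volume.

```python
"""Signature-based and statistical anomaly-based detection over constructed
access-log lines.

Added example, not from the original slides; signatures, log lines and
baseline figures are illustrative only.
"""
import re
from statistics import mean, pstdev

# Constructed access log: "<client> <method> <path> <status>"
LOG = [
    "10.0.5.20 GET /index.html 200",
    "10.0.5.20 GET /images/logo.png 200",
    "10.0.5.21 GET /login?user=bob'%20OR%201=1-- 200",
    "10.0.6.77 GET /../../etc/passwd 404",
    "10.0.6.77 GET /cgi-bin/status;id 500",   # no signature for this one yet
]

# Signature library: constructed regexes standing in for IDS rules.
SIGNATURES = {
    "path traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"(?i)('|%27)(\s|%20|\+)*(or|union)\b"),
}


def signature_alerts(lines):
    """(signature name, offending line) for every match. Cheap and precise,
    but blind to anything not yet in the library."""
    return [(name, line)
            for line in lines
            for name, rx in SIGNATURES.items()
            if rx.search(line)]


# Constructed baseline: requests per host per minute seen during a normal
# week, and the counts observed in one later minute.
BASELINE = [10, 12, 9, 11, 10, 8, 12, 11]
OBSERVED = {"10.0.5.20": 11, "10.0.5.21": 13, "10.0.6.77": 240}


def anomaly_alerts(baseline, observed, k=3.0):
    """Hosts whose count exceeds mean + k * stddev of the baseline.

    Catches unknown attacks that change behaviour; the price is a false
    positive whenever legitimate use departs from the baseline by the same
    margin (a large download, a backup job, a new busy user).
    """
    threshold = mean(baseline) + k * pstdev(baseline)
    return sorted(host for host, n in observed.items() if n > threshold)


if __name__ == "__main__":
    for name, line in signature_alerts(LOG):
        print(f"signature  {name:15} {line}")
    for host in anomaly_alerts(BASELINE, OBSERVED):
        print(f"anomaly    request rate   {host}")
```

With k = 3 the threshold here is about 14.3 requests per minute; a host at 13 is treated as normal and one at 15 is flagged, which is the knob that trades missed detections against false alarms.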
IDS/IPS Systems
Examples:
• Snort
• Suricata