Advanced Computer Networks & Computer and Network Security: Prof. Dr. Hasan Hüseyin BALIK (8 Week)


Advanced Computer Networks & Computer and Network Security
Prof. Dr. Hasan Hüseyin BALIK
(8th Week)
Outline
• 2. Computer security technology and principles
—2.1. Cryptographic Tools
—2.2. User Authentication
—2.3. Access Control
—2.4. Malicious Software
—2.5. Denial-of-Service Attacks
—2.6. Intrusion Detection
—2.7. Firewalls and Intrusion Prevention Systems
2.7 Firewalls and Intrusion Prevention Systems
2.7 Outline
• The Need for Firewalls
• Firewall Characteristics and Access Policy
• Types of Firewalls
• Firewall Basing
• Firewall Location and Configurations
• Intrusion Prevention Systems
• Example: Unified Threat Management Products
The Need For Firewalls
• Internet connectivity is essential
• However, it creates a threat
• Firewalls are an effective means of protecting LANs
• Inserted between the premises network and the Internet to establish a controlled link
• Can be a single computer system or a set of two or more systems working together
• Used as a perimeter defense
• Single choke point to impose security and auditing
• Insulates the internal systems from external networks
Firewall Characteristics
Design goals:
• All traffic from inside to outside, and vice versa, must pass through the firewall
• Only authorized traffic, as defined by the local security policy, will be allowed to pass
• The firewall itself is immune to penetration
Firewall Access Policy
• A critical component in the planning and implementation of a firewall is specifying a suitable access policy
  • This lists the types of traffic authorized to pass through the firewall
  • Includes address ranges, protocols, applications and content types
• This policy should be developed from the organization’s information security risk assessment and policy
  • Should be developed from a broad specification of which traffic types the organization needs to support
  • Then refined to detail the filter elements, which can then be implemented within an appropriate firewall topology
Firewall Filter Characteristics
• Characteristics that a firewall access policy could use to filter traffic include:
  • IP address and protocol values: this type of filtering is used by packet filter and stateful inspection firewalls; typically used to limit access to specific services
  • Application protocol: this type of filtering is used by an application-level gateway that relays and monitors the exchange of information for specific application protocols
  • User identity: typically for inside users who identify themselves using some form of secure authentication technology
  • Network activity: controls access based on considerations such as the time of request, rate of requests, or other activity patterns
Firewall Capabilities And Limits
Capabilities:
• Defines a single choke point
• Provides a location for monitoring security events
• Convenient platform for several Internet functions that are not security related
• Can serve as the platform for IPSec

Limitations:
• Cannot protect against attacks bypassing the firewall
• May not protect fully against internal threats
• Improperly secured wireless LAN can be accessed from outside the organization
• Laptop, PDA, or portable storage device may be infected outside the corporate network, then used internally
Figure 9.1 Types of Firewalls: (a) General model, with the firewall between the internal (protected) network (e.g. enterprise network) and the external (untrusted) network (e.g. Internet); (b) Packet filtering firewall and (c) Stateful inspection firewall (the latter keeping state info), both with end-to-end transport connections passing through the firewall; (d) Application proxy firewall and (e) Circuit-level proxy firewall, each terminating an internal transport connection and an external transport connection at the proxy. Each panel shows the Application, Transport, Internet, Network access and Physical layers.


Packet Filtering Firewall
• Applies rules to each incoming and outgoing IP packet
• Typically a list of rules based on matches in the IP or TCP header
• Forwards or discards the packet based on which rule matches

Filtering rules are based on information contained in a network packet:
• Source IP address
• Destination IP address
• Source and destination transport-level address
• IP protocol field
• Interface

Two default policies:
• Discard - prohibit unless expressly permitted
  • More conservative, controlled, visible to users
• Forward - permit unless expressly prohibited
  • Easier to manage and use but less secure
Packet-Filtering Examples
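As an added illustration (not part of the lecture slides), the following Python sketch shows how a rule list over the header fields listed above is evaluated top to bottom and how the two default policies differ for an unmatched packet; the Packet and Rule classes, the rule set and all addresses are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    iface: str      # arrival interface ("ext" or "int")
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # IP protocol field: "tcp", "udp", "icmp"
    sport: int = 0  # transport-level source port
    dport: int = 0  # transport-level destination port

@dataclass(frozen=True)
class Rule:
    action: str                   # "forward" or "discard"
    iface: Optional[str] = None   # None matches anything
    src: Optional[str] = None     # CIDR prefix
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all([
            self.iface is None or self.iface == p.iface,
            self.src is None or ip_address(p.src) in ip_network(self.src),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst),
            self.proto is None or self.proto == p.proto,
            self.dport is None or self.dport == p.dport,
        ])

def decide(rules: List[Rule], p: Packet, default: str = "discard") -> str:
    """First matching rule wins; otherwise the default policy applies.
    "discard" = prohibit unless expressly permitted (conservative);
    "forward" = permit unless expressly prohibited (easier, less secure)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

# Constructed rule set: block one external range outright, admit inbound
# SMTP to the mail host only, and let internal hosts reach HTTPS servers.
POLICY = [
    Rule("discard", src="192.0.2.0/24"),
    Rule("forward", iface="ext", dst="10.0.0.25/32", proto="tcp", dport=25),
    Rule("forward", iface="int", src="10.0.0.0/8", proto="tcp", dport=443),
]
```

Calling decide(POLICY, packet) with the default-discard policy drops an inbound SSH packet that no rule mentions, while decide(POLICY, packet, "forward") lets the same packet through.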
Packet Filter Advantages And Weaknesses
• Advantages
  • Simplicity
  • Typically transparent to users and very fast
• Weaknesses
  • Cannot prevent attacks that employ application-specific vulnerabilities or functions
  • Limited logging functionality
  • Do not support advanced user authentication
  • Vulnerable to attacks on TCP/IP protocol bugs
  • Improper configuration can lead to breaches
Stateful Inspection Firewall
• Tightens rules for TCP traffic by creating a directory of outbound TCP connections
  • There is an entry for each currently established connection
  • Packet filter allows incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory
• Reviews packet information but also records information about TCP connections
  • Keeps track of TCP sequence numbers to prevent attacks that depend on the sequence number
  • Inspects data for protocols like FTP, IM and SIPS commands
Example Stateful Firewall Connection State Table
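Added example, not from the slides: a small Python model of the connection directory described above. The Segment class, the StatefulFilter class and the traffic values are assumptions made for this illustration; an entry is recorded when an inside host sends a SYN, inbound segments are forwarded only when they fit an entry, and the SYN/ACK must acknowledge the recorded sequence number.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class Segment:
    direction: str    # "out" (inside host -> outside) or "in"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags as letters: S, A, F, R (e.g. "SA" = SYN+ACK)
    seq: int = 0
    ack: int = 0

ConnKey = Tuple[str, int, str, int]   # (inside host, inside port, outside host, outside port)

class StatefulFilter:
    """Directory of outbound TCP connections. An entry is created when an inside
    host sends a SYN; an inbound segment is forwarded only if it fits an entry,
    and the SYN/ACK must acknowledge the sequence number that was recorded."""

    def __init__(self) -> None:
        self.table: Dict[ConnKey, dict] = {}

    def decide(self, s: Segment) -> str:
        if s.direction == "out":
            key = (s.src, s.sport, s.dst, s.dport)
            if s.flags == "S":                       # new outbound connection
                self.table[key] = {"state": "SYN_SENT", "isn": s.seq}
            elif key in self.table and ("F" in s.flags or "R" in s.flags):
                del self.table[key]                  # inside host tore it down
            return "forward"                         # outbound traffic is trusted here
        # Inbound: a stateless filter would have to leave every port > 1023 open;
        # here only segments belonging to a recorded connection get through.
        key = (s.dst, s.dport, s.src, s.sport)
        entry = self.table.get(key)
        if entry is None:
            return "discard"
        if entry["state"] == "SYN_SENT":
            if s.flags != "SA" or s.ack != entry["isn"] + 1:
                return "discard"                     # not a valid reply to our SYN
            entry["state"] = "ESTABLISHED"
        elif "F" in s.flags or "R" in s.flags:
            del self.table[key]                      # remote side closed; final ACK not modelled
        return "forward"
```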
Application-Level Gateway
• Also called an application proxy
• Acts as a relay of application-level traffic
  • User contacts gateway using a TCP/IP application
  • User is authenticated
  • Gateway contacts application on remote host and relays TCP segments between server and user
• Must have proxy code for each application
  • May restrict application features supported
• Tend to be more secure than packet filters
• Disadvantage is the additional processing overhead on each connection
Circuit-Level Gateway (circuit-level proxy)
• Sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host
• Relays TCP segments from one connection to the other without examining contents
• Security function consists of determining which connections will be allowed
• Typically used when inside users are trusted
  • May use application-level gateway inbound and circuit-level gateway outbound
  • Lower overheads
SOCKS Circuit-Level Gateway
• SOCKS v5 defined in RFC1928
• Designed to provide a framework for client-server applications in TCP/UDP domains to conveniently and securely use the services of a network firewall
• Client application contacts SOCKS server, authenticates, sends relay request
• Server evaluates and either establishes or denies the connection
Components: SOCKS server, SOCKS client library, SOCKS-ified client applications
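Added example (not from the slides or from any SOCKS implementation): the RFC 1928 message formats for the exchange just described, built on the client side and parsed on the server side in Python. The function names and the allowed() ruleset callback are assumptions for this illustration; IPv6 addresses and the actual relaying of data after a successful reply are left out.

```python
import socket
import struct
from typing import Callable, Tuple

VER, CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCESS, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x00, 0x02, 0x07, 0x08

def client_greeting(methods: bytes = b"\x00\x02") -> bytes:
    """Client -> server: VER | NMETHODS | METHODS (0x00 no auth, 0x02 username/password)."""
    return bytes([VER, len(methods)]) + methods

def server_select(greeting: bytes, preferred: bytes = b"\x02\x00") -> bytes:
    """Server -> client: VER | METHOD, the first preferred method the client offered,
    or 0xFF when none is acceptable (the client must then close the connection)."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        return bytes([VER, 0xFF])
    for m in preferred:
        if m in greeting[2:]:
            return bytes([VER, m])
    return bytes([VER, 0xFF])

def connect_request(host: str, port: int) -> bytes:
    """Client -> server relay request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)     # dotted-quad literal
    except OSError:
        name = host.encode()                                     # otherwise a domain name
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def evaluate_request(req: bytes, allowed: Callable[[str, int], bool]) -> Tuple[int, str, int]:
    """Server side: parse the request and apply the ruleset callback. Returns
    (REP code, host, port); REP 0x00 means the server would now relay."""
    ver, cmd, _rsv, atyp = req[:4]
    if ver != VER or cmd != CMD_CONNECT:
        return REP_CMD_UNSUPPORTED, "", 0
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(req[4:8]), req[8:]
    elif atyp == ATYP_DOMAIN:
        host, rest = req[5:5 + req[4]].decode(), req[5 + req[4]:]
    else:
        return REP_ATYP_UNSUPPORTED, "", 0                     # IPv6 omitted here
    (port,) = struct.unpack("!H", rest[:2])
    return (REP_SUCCESS if allowed(host, port) else REP_NOT_ALLOWED), host, port

def reply(rep: int, bind_ip: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """Server -> client: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT."""
    return bytes([VER, rep, 0x00, ATYP_IPV4]) + socket.inet_aton(bind_ip) + struct.pack("!H", bind_port)
```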
Bastion Hosts
• System identified as a critical strong point in the network’s security
• Serves as a platform for an application-level or circuit-level gateway
• Common characteristics:
  • Runs secure O/S, only essential services
  • May require user authentication to access proxy or host
  • Each proxy can restrict features, hosts accessed
  • Each proxy is small, simple, checked for security
  • Each proxy is independent, non-privileged
  • Limited disk use, hence read-only code
Host-Based Firewalls
• Used to secure an individual host
• Available in operating systems or can be provided as an add-on package
• Filter and restrict packet flows
• Common location is a server

Advantages:
• Filtering rules can be tailored to the host environment
• Protection is provided independent of topology
• Provides an additional layer of protection
Personal Firewall
• Controls traffic between a personal computer or workstation and the Internet or enterprise network
• For both home or corporate use
• Typically is a software module on a personal computer
• Can be housed in a router that connects all of the home computers to a DSL, cable modem, or other Internet interface
• Typically much less complex than server-based or stand-alone firewalls
• Primary role is to deny unauthorized remote access
• May also monitor outgoing traffic to detect and block worms and malware activity
Figure 9.2 Example Firewall Configuration: Internet - boundary router - external firewall - internal DMZ network (LAN switch with Web server(s), Email server and DNS server) - internal firewall - internal protected network (LAN switch with application and database servers, and workstations)


Figure 9.3 A VPN Security Scenario: a user system with IPSec and two firewalls with IPSec (each in front of an Ethernet switch) communicate across a public (Internet) or private network; on the protected LANs packets carry a plain IP header and IP payload, while on the public network each packet carries an IP header, an IPSec header and a secure IP payload


Figure 9.4 Example Distributed Firewall Configuration: remote users - Internet - boundary router - external DMZ network (Web server(s)) - external firewall - internal DMZ network (LAN switch with Web server(s), Email server and DNS server) - internal firewall - internal protected network (LAN switch with application and database servers and workstations, with host-resident firewalls on the internal hosts)
Firewall Topologies
• Host-resident firewall: includes personal firewall software and firewall software on servers
• Screening router: single router between internal and external networks with stateless or full packet filtering
• Single bastion inline: single firewall device between an internal and external router
• Single bastion T: has a third network interface on the bastion to a DMZ where externally visible servers are placed
• Double bastion inline: DMZ is sandwiched between bastion firewalls
• Double bastion T: DMZ is on a separate network interface on the bastion firewall
• Distributed firewall configuration: used by large businesses and government organizations
Intrusion Prevention Systems (IPS)
• Also known as Intrusion Detection and Prevention System (IDPS)
• Is an extension of an IDS that includes the capability to attempt to block or prevent detected malicious activity
• Can be host-based, network-based, or distributed/hybrid
• Can use anomaly detection to identify behavior that is not that of legitimate users, or signature/heuristic detection to identify known malicious behavior
• Can block traffic as a firewall does, but makes use of the types of algorithms developed for IDSs to determine when to do so
Host-Based IPS (HIPS)
• Can make use of either signature/heuristic or anomaly detection techniques to identify attacks
  • Signature: focus is on the specific content of application network traffic, or of sequences of system calls, looking for patterns that have been identified as malicious
  • Anomaly: IPS is looking for behavior patterns that indicate malware
• Examples of the types of malicious behavior addressed by a HIPS include:
  • Modification of system resources
  • Privilege-escalation exploits
  • Buffer-overflow exploits
  • Access to e-mail contact list
  • Directory traversal
HIPS
• Capability can be tailored to the specific platform
  • A set of general purpose tools may be used for a desktop or server system
  • Some packages are designed to protect specific types of servers, such as Web servers and database servers
    • In this case the HIPS looks for particular application attacks
• Can use a sandbox approach
  • Sandboxes are especially suited to mobile code such as Java applets and scripting languages
  • HIPS quarantines such code in an isolated system area, then runs the code and monitors its behavior
• Areas for which a HIPS typically offers desktop protection:
  • System calls
  • File system access
  • System registry settings
  • Host input/output
The Role of HIPS
• Many industry observers see the enterprise endpoint, including desktop and laptop systems, as now the main target for hackers and criminals
• Thus security vendors are focusing more on developing endpoint security products
• Traditionally, endpoint security has been provided by a collection of distinct products, such as antivirus, antispyware, antispam, and personal firewalls
• The HIPS approach is an effort to provide an integrated, single-product suite of functions
• Advantages of the integrated HIPS approach are that the various tools work closely together, threat prevention is more comprehensive, and management is easier
• A prudent approach is to use HIPS as one element in a defense-in-depth strategy that involves network-level devices, such as either firewalls or network-based IPSs
Network-Based IPS (NIPS)
• Inline NIDS with the authority to modify or discard packets and tear down TCP connections
• Makes use of signature/heuristic detection and anomaly detection
• May provide flow data protection
  • Requires that the application payload in a sequence of packets be reassembled
• Methods used to identify malicious packets: pattern matching, stateful matching, protocol anomaly, traffic anomaly, statistical anomaly
Digital Immune System
• Comprehensive defense against malicious behavior caused by malware
• Developed by IBM and refined by Symantec
• Motivation for this development includes the rising threat of Internet-based malware, the increasing speed of its propagation provided by the Internet, and the need to acquire a global view of the situation
• Success depends on the ability of the malware analysis system to detect new and innovative malware strains
Figure 9.5 Placement of Malware Monitors (adapted from [SIDI05]): sensors on the enterprise network (firewall sensor, passive sensor, remote sensor, honeypot) observe (1) malware scans, infection attempts or malware execution and send (2) notifications to a correlation server, which (3) forwards features to a sandboxed analysis environment running instrumented applications; there (4) vulnerability testing and identification, hypothesis testing and analysis, and (5) possible fix generation by patch generation take place, and (6) an application update is distributed to the application server.
Snort Inline
• Enables Snort to function as an intrusion prevention system
• Includes a replace option which allows the Snort user to modify packets rather than drop them
• Useful for a honeypot implementation
  • Attackers see the failure but cannot figure out why it occurred
Snort Inline rule actions:
• Drop: Snort rejects a packet based on the options defined in the rule and logs the result
• Reject: packet is rejected, the result is logged and an error message is returned
• Sdrop: packet is rejected but not logged
Figure 9.6 Unified Threat Management Appliance (based on [JAME06]): raw incoming traffic passes through the routing module, VPN module and firewall module, then through a data analysis engine (heuristic scan engine, antivirus engine, anomaly detection engine, IDS engine, IPS engine, activity inspection engine) backed by a logging and reporting module, and finally through the web filtering, antispam, VPN and bandwidth shaping modules, emerging as clean controlled traffic
Sidewinder G2 Security Appliance Attack Protections Summary - Transport Level Examples
Sidewinder G2 Security Appliance Attack Protections Summary - Application Level Examples (page 1 of 2)
Sidewinder G2 Security Appliance Attack Protections Summary - Application Level Examples (page 2 of 2)
