

Network Security
David Parter
University of Wisconsin, Computer Sciences Department, Computer Systems Lab
CS640, 27 November 2007

Topics
• Background: Threats and Security Policies
• Tools and Defenses:
  – Firewalls
  – Virtual Private Networks
  – Network Intrusion Detection Systems
  – Port Scanning
  – Network & Configuration Management
• CSL Network Security

Threats and Security Policies

Analyze The Threats
• Analyze potential threats before choosing a defense
• Without knowing threats, it is impossible to assess the defenses

Types of Threats
• Data corruption
  – Specific alteration
  – Random alteration (vandalism)
  – Equally dangerous
• Data disclosure
  – Keep your secrets secret

Types of Threats
• Theft of service
  – network
  – bandwidth
  – computers
  – name ...
• Denial of service
• Damage to reputation

Damage to Reputation
• Financial Industry exec: #1 threat is a negative story "above the fold" in the Wall Street Journal or New York Times
  – That may have changed with new regulatory requirements

Cost of Data Disclosure
• Data Breach Notification Laws
  – CA Law, model for most states, including WI
  – Notify each individual if records released
  – Notify credit reporting agencies if more than 1000 records involved

Cost of Data Disclosure
• Very likely to be widely reported in the news media
  – Damage to reputation
• Liability/remediation
  – credit monitoring for all individuals?
  – Civil actions?
  – Many potential social, legal and business costs

Example: Medical Industry
• Data corruption & Denial of service:
  – Could lead to incorrect diagnosis, treatment
  – Potentially life-threatening
• Data disclosure
  – Loss of patient record privacy
• Damage to reputation

Example: A University Academic Department
• Data corruption:
  – Loss of experiments/experimental data
  – Incorrect experimental results
• Data disclosure
  – Disclosure of confidential data: human subjects data, industrial partner data, current research, student grades, exams, peer reviews, ...

Example: Financial Industry
• Data corruption
  – Potential for incorrect (or less profitable) stock market trades
  – Account records can probably be reconstructed
• Data disclosure
  – Loss of competitive advantage
  – Violation of securities laws

Security Policies
• After threat analysis, develop security policies
• Policies provide guidance
  – to employees in ongoing operations,
  – to security/system administration staff
• Develop policies before a crisis hits

Tools and Defenses

Firewalls
• Background & Security model
• Type of firewalls
• Firewall rules

References and Resources
• Firewalls and Internet Security: Repelling the Wily Hacker (2nd ed), Cheswick, Bellovin and Rubin
• Building Internet Firewalls (2nd ed), Zwicky, Chapman and Cooper
• Firewall-wizards mailing list
  – http://honor.trusecure.com/mailman/listinfo/firewall-wizards

Security Model
• Perimeter security
  – Like a guard at the gate, checking ID badges
  – Assumes that "inside" is trusted, "outside" is not
  – Larger area "inside" perimeter -> more complexity, weaker security
  – Smaller perimeter -> more specific security
• Applies predefined access rules

Why Use a Firewall?
• Protect vulnerable services
  – Poorly designed protocols
  – Poorly implemented protocols/services
• Protect vulnerable computers/devices
  – Poorly configured
  – Can't be configured
  – Can't be patched

Why Use a Firewall?
• To protect an "appliance"
• Protect a system that can not be upgraded
  – Version/upgrade restrictions from vendor
  – ex: printers; data acquisition devices; scientific "instruments"; devices with customized & embedded versions of popular operating systems; devices with embedded web servers for configuration/control ...

Why Use a Firewall?
• Defeat some denial of service (DOS) attacks
  – If the firewall has enough bandwidth
• Considered an "easy" solution
  – Satisfy "check-box" requirements
  – Only need to deal with security in one place (not really an advantage from a total security point of view)

Types of Firewalls: Basic Technology Options
• Basic Technology Options:
  – Packet Filtering (screening)
  – Application Proxy
• Other Factors:
  – Stateful vs. Stateless
  – Router vs. Bridge
  – Configuration/Security model

Packet Filtering
• Acts like a router or bridge
  – Does not modify network connections or packet headers
• Allow/Deny packets based on packet data
• Allow/Deny packets based on Input/Output interface
  – shorthand for source or destination

Allow/Deny packets based on packet data:
• Layer 2:
  – Source or Destination MAC addresses
• Layer 3:
  – Source or Destination addresses
  – Protocol or Protocol details
  – ex: disallow IP Source Routing
  – disallow ICMP redirect packets
  – disallow common "malicious" packet signatures

Allow/Deny packets based on packet data:
• Layer 4 and above:
  – Source or Destination ports
  – Service-specific (ex: by URL)

Packet Filtering Rules
• Typically applied in a specific order
  – First match applies
• One filter per rule
• Default rule?
  – "Default Deny" safest
  – Warning: implied default rule: Deny or Allow? Know what your platform does with a packet that matches no rule, and end the list with an explicit deny rather than relying on it

Example Packet Filtering Rules:
• Protect the 128.105.0.0 network with Cisco router access control lists
• Apply rules from top to bottom (first match wins; the last line makes the default deny explicit):

    deny   ip   128.105.0.0 0.0.255.255 any
    permit tcp  any host 128.105.1.1 eq 25
    permit tcp  any host 128.105.1.2 eq 80
    permit tcp  any host 128.105.1.3 eq 22
    ...
    deny   icmp any any redirect log
    permit icmp any host 128.105.1.4 echo
    deny   icmp any any echo log
    deny   ip   any any log

Example Packet Filtering Rules:
• Protect the 128.105.0.0 network with OpenBSD pf:

    block in log all
    block in log quick on $campus_if from 128.105.0.0/16 to any
    pass in quick on $campus_if proto tcp from any to 128.105.1.1/32 port = 25
    ...
    pass in quick on $cs_if proto tcp from 128.105.0.0/16 to any keep state

  – pf's native order is "last matching rule wins"; the quick keyword stops evaluation at that rule, which is what gives this list the top-to-bottom, first-match behaviour of the Cisco list
  – The first rule applied to outside traffic in each list drops packets that arrive with an inside (128.105.0.0/16) source address: anti-spoofing

Packet Filtering Advantages
• Can be placed at a few "strategic" locations
  – Internet/Internal network border router
  – To isolate critical servers
• Efficient
• Simple concept

Packet Filtering Advantages
• Widely available
  – Implemented in most routers
  – Firewall appliances
  – Open Source operating systems and software
  – Specialized network interface cards with filtering capabilities
  – Download up to 64k rules to some
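The rule-evaluation points from the "Packet Filtering Rules" slide (first match applies, one filter per rule, the implied default) and the Cisco list above can be exercised with a small model. The following is an added example and not code from the slides: the Packet and Rule classes, the evaluate() function, the sample addresses 192.0.2.7 and 128.105.9.9, and the two rearranged rule lists are all my own constructions; the Cisco wildcard 0.0.255.255 is rendered as /16 and the host entries as /32.

```python
"""First-match packet-filter model.

Added example (not from the slides): the Rule/Packet classes, evaluate() and
the sample packets are constructed here to show how a top-to-bottom ACL is
evaluated, why rule order matters, and what the implied default rule does.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None       # TCP/UDP destination port
    icmp_type: Optional[str] = None   # "echo", "redirect", ...


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: str = "0.0.0.0/0"            # CIDR; "any" in ACL syntax
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None       # None = any port
    icmp_type: Optional[str] = None   # None = any ICMP type

    def matches(self, p: Packet) -> bool:
        """Every field the rule specifies must match the packet."""
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet, implied_default: str = "deny") -> Tuple[str, int]:
    """Walk the list top to bottom; the first matching rule decides.

    Returns (action, rule index). Index -1 means no rule matched and the
    platform's implied default rule decided instead.
    """
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return implied_default, -1


# The slide's Cisco-style list as data (Cisco wildcard 0.0.255.255 == /16).
ACL: List[Rule] = [
    Rule("deny", "ip", src="128.105.0.0/16"),                # anti-spoofing: inside source seen from outside
    Rule("permit", "tcp", dst="128.105.1.1/32", dport=25),   # mail
    Rule("permit", "tcp", dst="128.105.1.2/32", dport=80),   # web
    Rule("permit", "tcp", dst="128.105.1.3/32", dport=22),   # ssh
    Rule("deny", "icmp", icmp_type="redirect"),
    Rule("permit", "icmp", dst="128.105.1.4/32", icmp_type="echo"),
    Rule("deny", "icmp", icmp_type="echo"),
    Rule("deny", "ip"),                                      # explicit default deny
]

# Constructed sample packets (outside addresses from the 192.0.2.0/24 documentation range).
SMTP_OK = Packet("tcp", "192.0.2.7", "128.105.1.1", dport=25)
SMTP_SPOOFED = Packet("tcp", "128.105.9.9", "128.105.1.1", dport=25)   # inside source, arriving from outside
SMTP_WRONG_HOST = Packet("tcp", "192.0.2.7", "128.105.1.2", dport=25)
PING_OK = Packet("icmp", "192.0.2.7", "128.105.1.4", icmp_type="echo")
PING_OTHER = Packet("icmp", "192.0.2.7", "128.105.1.2", icmp_type="echo")
DNS_UNMATCHED = Packet("udp", "192.0.2.7", "128.105.1.5", dport=53)


def misordered() -> List[Rule]:
    """The same rules with the anti-spoofing deny moved below the permits."""
    return ACL[1:4] + [ACL[0]] + ACL[4:]


def without_final_deny() -> List[Rule]:
    """The same rules minus the explicit catch-all, so the implied default decides."""
    return ACL[:-1]


if __name__ == "__main__":
    for name, pkt in [("smtp", SMTP_OK), ("spoofed smtp", SMTP_SPOOFED),
                      ("smtp to web host", SMTP_WRONG_HOST), ("ping 1.4", PING_OK),
                      ("ping 1.2", PING_OTHER)]:
        print(f"{name:17s} -> {evaluate(ACL, pkt)}")
    print("spoofed smtp, misordered list ->", evaluate(misordered(), SMTP_SPOOFED))
    print("unmatched udp, no final deny, implied deny  ->", evaluate(without_final_deny(), DNS_UNMATCHED, "deny"))
    print("unmatched udp, no final deny, implied allow ->", evaluate(without_final_deny(), DNS_UNMATCHED, "permit"))
```

Two results are worth dwelling on. With the anti-spoofing deny moved below the permits, the spoofed SMTP packet is accepted by the first permit it reaches, which is the "first match applies" hazard the slide warns about. With the final catch-all removed, the unmatched UDP packet's fate depends entirely on what the platform's implied default is, which is why the explicit last rule belongs in the list.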

Packet Filtering Disadvantages
• Hard to configure
  – Rules can get complex
• Hard to test and verify rules
• Bugs often "fail unsafe" -- allow unintended traffic to pass

Packet Filtering Disadvantages
• Can reduce router performance
• Some policies don't map to packet filtering
• Incomplete implementations

Proxy Firewalls
• Specialized application to handle specific traffic
• Protocol gateways
  – Creates new network connection, forwards data between "inside" and "outside" connection
• May apply service-specific rules & policies

Proxy Advantages
• Can do "intelligent" filtering
• Can perform user-level authentication
• Can use information from outside the connection or packet stream
• Can protect weak/faulty IP implementations
  – Separate network connections to source, destination

Proxy Advantages
• Can provide application/service-specific services or actions:
  – data caching
  – data/connection logging
  – data filtering/selection or server selection based on source/destination or other status visible to proxy
  – add or apply routing/bandwidth policy

Proxy Disadvantages
• Need to write/install proxy for each service
  – Lag time to develop proxy for new service
• May need dedicated proxy servers for each service
• Often need cooperation of clients, servers

Dealing with Connections
• Typical scenario:
  – Restrict incoming connections to specific services and servers
    – Allow traffic to public web site
    – Allow inbound e-mail to mail gateway
  – Allow unlimited outgoing connections
    – Employees can browse the web, send e-mail, etc
• Firewall needs to track connections to do this

TCP Connections
• Outbound new connections often from dynamic (unpredictable) src port
  – Can't use firewall rule based on src port
• Destination may be "well-known" port
  – But not always
• Destination may move to dynamic port during connection establishment

TCP Connection Setup (diagram: packets exchanged between client and server)

    client  SRC PORT: ABC  ->  DST PORT: 25   SYN
    server  SRC PORT: XYZ  ->  DST PORT: ABC  SYN ACK
    client  SRC PORT: ABC  ->  DST PORT: XYZ  ACK
    server  SRC PORT: XYZ  ->  DST PORT: ABC  ACK

  – In a plain TCP three-way handshake the SYN ACK comes back from port 25 itself; the diagram's XYZ stands for a protocol that hands the session off to a dynamic port, which is the case a rule keyed only on port 25 cannot follow

UDP "Connections"
• UDP is stateless
• "Connection" or "Session" implied by one or more packets from SRC to DST, one or more packets back
  – May or may not be on "well-known" port
  – May or may not be on same port as original traffic

UDP Session: DNS Query (diagram)

    client  SRC PORT: ABC  ->  DST PORT: 53
    server  SRC PORT: XYZ  ->  DST PORT: ABC
    server  SRC PORT: XYZ  ->  DST PORT: ABC
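The connection tracking that the "Dealing with Connections" scenario and the TCP/UDP exchanges above require can be modelled directly. The following is an added example, not code from the slides: the Pkt record, the StatefulFirewall class, its 30-second UDP timeout, the "first FIN or RST closes the state" simplification, and the addresses 128.105.2.3, 192.0.2.10, 192.0.2.53 and 203.0.113.5 are all my own assumptions. The policy it enforces is the slide's typical scenario: unlimited outgoing connections, inbound connections only to the listed web and mail servers, everything else default-deny.

```python
"""Stateful connection tracking for TCP and UDP.

Added example (not from the slides): the Pkt record, the StatefulFirewall
class, its 30-second UDP timeout and the sample addresses are constructed here
to show how return traffic to a dynamic source port is allowed only when an
earlier packet created state, and where a strict 5-tuple tracker stops helping.
"""
import time
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, FrozenSet, Iterable, Set, Tuple


@dataclass(frozen=True)
class Pkt:
    proto: str                            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"FIN"}


# State key, always oriented inside -> outside:
# (proto, inside address, inside port, outside address, outside port)
Key = Tuple[str, str, int, str, int]


class StatefulFirewall:
    """Policy from the slide: unlimited outgoing, inbound only to listed services."""

    UDP_TIMEOUT = 30.0  # seconds (assumed); UDP has no FIN, so idle state must expire

    def __init__(self, inside_net: str, inbound_services: Iterable[Tuple[str, str, int]],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.inside = ip_network(inside_net)
        self.inbound_services: Set[Tuple[str, str, int]] = set(inbound_services)  # (proto, server, port)
        self.clock = clock                     # injectable so expiry can be tested
        self.table: Dict[Key, float] = {}      # key -> time last seen

    def _expire(self, now: float) -> None:
        for key, last_seen in list(self.table.items()):
            if key[0] == "udp" and now - last_seen > self.UDP_TIMEOUT:
                del self.table[key]

    def filter(self, p: Pkt) -> str:
        """Return "pass" or "block" for one packet, updating the state table."""
        now = self.clock()
        self._expire(now)
        outbound = ip_address(p.src) in self.inside
        key: Key = ((p.proto, p.src, p.sport, p.dst, p.dport) if outbound
                    else (p.proto, p.dst, p.dport, p.src, p.sport))
        opens_tcp = p.proto == "tcp" and "SYN" in p.flags and "ACK" not in p.flags
        opens = opens_tcp or p.proto == "udp"  # any UDP datagram may start a "session"

        if key in self.table:                  # reply or continuation of a tracked session
            if p.proto == "tcp" and p.flags & {"FIN", "RST"}:
                del self.table[key]            # simplified teardown: first FIN/RST ends the state
            else:
                self.table[key] = now
            return "pass"

        if opens and outbound:                 # new outbound session: remember it
            self.table[key] = now
            return "pass"

        if opens and (p.proto, p.dst, p.dport) in self.inbound_services:
            self.table[key] = now              # new inbound session to a permitted server
            return "pass"

        # Unsolicited inbound packet, stray TCP segment with no state, a reply from a
        # port other than the one the request went to, or state that already expired.
        return "block"


if __name__ == "__main__":
    fw = StatefulFirewall("128.105.0.0/16", [("tcp", "128.105.1.2", 80), ("tcp", "128.105.1.1", 25)])
    syn = frozenset({"SYN"})
    synack = frozenset({"SYN", "ACK"})
    print(fw.filter(Pkt("tcp", "128.105.2.3", 40001, "192.0.2.10", 25, syn)))      # pass: outbound SMTP
    print(fw.filter(Pkt("tcp", "192.0.2.10", 25, "128.105.2.3", 40001, synack)))   # pass: its SYN ACK
    print(fw.filter(Pkt("tcp", "192.0.2.10", 25, "128.105.2.3", 40002, synack)))   # block: no such state
    print(fw.filter(Pkt("udp", "128.105.2.3", 5353, "192.0.2.53", 53)))            # pass: DNS query
    print(fw.filter(Pkt("udp", "192.0.2.53", 1024, "128.105.2.3", 5353)))          # block: reply from XYZ, not 53
```

The state table is what lets the firewall accept a SYN ACK aimed at the unpredictable port ABC without opening ABC to the whole Internet: only the peer the inside host actually contacted is matched. The last case shows the limit of strict 5-tuple tracking that the UDP slide points at: a DNS reply that comes back from port XYZ instead of 53 does not match the state the query created and is dropped, so protocols that really behave that way need a looser match or an application-aware helper.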
