
Network Security Fundamentals Security Training Course Dr. Charles - PowerPoint PPT Presentation



  1. Network Security Fundamentals
     Security Training Course
     Dr. Charles J. Antonelli, The University of Michigan, 2013

  2. Network Security Fundamentals
     Module 6: Firewalls & VPNs

  3. Topics
     • Firewall Fundamentals
     • Case study: Linux iptables
     • Virtual Private Networks (VPNs)
     04/13 cja 2013

  4. Firewalls
     [diagram slide]

  5. Firewalls
     [diagram slide]

  6. Firewalls
     • A firewall limits the extent to which hosts on different networks can interact with one another

  7. Types of firewalls
     • Packet level
     • Application level
     • Host-based

  8. Packet level firewalls
     • Firewall inspects incoming packets
     • Blocks packets violating policy rules
       - packets are dropped without acknowledgement
     • Rules allow blocking based on
       - Source and destination IP address
       - Source and destination port
       - Protocol, flags, TOS, …

  9. Statelessness
     • Traditional packet level firewalls treated every packet independently
       - Stateless firewalling
     • Problem
       - Doesn't relate packet information to the overall packet flow
       - Doesn't remember anything
     • Results in coarse-grained control
       - Forces overly liberal or overly conservative policies

  10. Example
     • H.323 video streaming protocol
       - Initiates two TCP connections and several RTP (Real-time Transport Protocol) streams
       - The RTP streams contain no information relating them to the H.323 application
       - How should a stateless firewall decide whether these streams are to be blocked?

  11. Example
     • IP fragmentation
       - All but the first fragment don't specify ports

  12. Statefulness
     • Solution: the firewall keeps state about recent packet flows
       - Decides whether to block a packet based on the packet contents plus stored state
       - More fine-grained control
       - Obviates application-level firewalls
     • Problem
       - All that state consumes firewall resources

  13. Canonical firewalled network
     [diagram slide]

  14. Zones
     A collection of networks with specified security properties
     • Perimeter
     • DMZ
     • Wireless
     • Intranet

  15. Perimeter zone
     The outside world
     • Untrusted zone
     • No control over hosts in this zone
     • Internet rules

  16. DMZ
     Demilitarized zone
     • Contains an organization's publicly visible services (email, Web, DNS, FTP, …)
       - Hardened hosts
       - Proxies
     • Semi-trusted zone

  17. Intranet zone
     • Most trusted zone
     • Organizational assets placed here
     • Access blocked from untrusted zones
       - Access via proxies in the DMZ only

  18. Wireless zone
     A perimeter zone!
     • Untrusted hosts
     • Semi-trusted network

  19. Application-level firewalls
     Application proxy server
     • Accepts client traffic
     • Maintains state, validates traffic
     • Passes validated traffic to the server

  20. Application-level firewalls
     • Firewall worries about security
       - Obviates security-related server changes
       - Hampers defense-in-depth
     • Firewall must understand the application protocol
       - Increased complexity
     • Stateful packet-level firewalls are an alternative

  21. Host-based firewalls
     • Firewall runs on individual hosts
     • Placed between incoming packets and the host network stack
     • Acts like a packet-level firewall

  22. Host-based firewalls
     • Each host requires policy management
       - Administration headache
       - Simple default policies in distributions
     • Defense-in-depth

  23. References
     • Richard Bejtlich, The Tao of Network Security Monitoring, Addison-Wesley, 2005. ISBN 0-321-24677-2
     • Michael G. Solomon and Mike Chapple, Information Security Illuminated, Jones and Bartlett, 2005.
     • http://en.wikipedia.org/wiki/Firewall_(computing) (accessed March 2013)

  24. iptables

  25. IP Tables
     • Linux packet-level firewall
     • Successor to IP Chains
     • NAT/NAPT support
     • Extended functionality via modules
     • Stateful filter support
     • Applications
       - Host-based firewall
       - Stateful packet firewall (gateway)
         » requires net.ipv4.ip_forward=1 in /etc/sysctl.conf

  26. IP Tables Architecture
     • Three tables for organization
       - filter, nat, mangle
     • Each table contains several chains
       - built-in (invoked at fixed points in the network layer)
       - user-defined
     • Each chain contains several rules
       - the first rule matched determines the action taken
     • Each rule contains matching criteria and a target
     • Built-in chains have policies
       - a policy specifies the default target if no rule in the chain matches

  27. Rules
     • (Standard) matching criteria
       - protocol
       - source IP (address/mask)
       - destination IP (address/mask)
       - port (source/dest/both)
       - interface (input/output)
     • Target

  28. Rules
     • Extended matching criteria
       - Implemented via modules
     • Connection state matching
       - INVALID: packet not associated with any connection
       - NEW: packet is starting a new connection
       - ESTABLISHED: packet is associated with an existing connection
       - RELATED: packet is starting a new connection, but is associated with an existing connection
         » FTP DATA, ICMP error
     • Several other extended matching criteria

  29. Predefined targets
     • All terminate processing in this chain for this packet
       - ACCEPT: accept packet for processing
       - DROP: drop packet
       - QUEUE: pass packet to userland (not common)
       - RETURN: return to the calling chain (use the policy if there is no calling chain)

  30. Extended targets
     • Both terminating and non-terminating targets
       - REJECT (terminating): return a packet indicating an error
       - LOG (non-terminating): generate a log entry
       - …

  31. filter table
     • Default table
     • Built-in chains
       - INPUT: incoming network packets
       - FORWARD: packets being routed by the host
       - OUTPUT: locally-generated packets output to the network

  32. nat table
     • For network address translation
     • Built-in chains
       - PREROUTING (DNAT): alter packets as they arrive
       - OUTPUT: alter locally-generated packets before routing
       - POSTROUTING (SNAT): alter packets as they depart

  33. mangle table
     • For specialized packet changes
       - change TOS/DSCP header
       - set netfilter mark value
       - …
     • Built-in chains
       - PREROUTING
       - INPUT
       - OUTPUT
       - FORWARD
       - POSTROUTING

  34. Firewall traversal
     [diagram: Prerouting -> Route -> Input -> Local process -> Output -> Postrouting for packets addressed to this host; Prerouting -> Route -> Forward -> Postrouting for packets routed through it]

  35. Firewall Traversal
     [diagram by Rob Mayoff]

  36. Some caveats
     • iptables and ipchains don't mix
     • rule additions are atomic
       - … rule set additions are not
     • avoid leaving the firewall open while editing
       - … use DROP, DENY, REJECT policies
     • policy actions do not log
     • rules are not removed when an interface goes down
     • raw sockets are unaffected by rules

  37. iptables lab
     • Examine the iptables man page
       - man iptables
     • Examine existing firewall settings
       - sudo service iptables status
       - sudo iptables -L
     • Add firewall rules
       - sudo iptables -I …
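The host-firewall policy that slides 25 to 36 describe, written out as an added example (not the course's own code): default DROP policies, connection-state matching so that replies need no per-service rule, a non-terminating LOG followed by a DROP because the policy itself does not log, and the whole set loaded through iptables-restore so it is committed in one atomic operation instead of rule by rule. The management subnet, the ports offered and the log prefix are constructed assumptions.

```shell
#!/bin/sh
# Added example for the iptables slides (not the course's code): a stateful
# host firewall committed atomically with iptables-restore. The subnet, the
# ports offered and the log prefix are constructed assumptions.
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"   # constructed example subnet
SSH_PORT="${SSH_PORT:-22}"

# Emit the filter-table ruleset. Order matters: the first matching rule wins,
# so the conntrack ACCEPT/DROP rules come before the per-service NEW rules.
gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# loopback first: local services depend on it
-A INPUT -i lo -j ACCEPT
# stateful core: replies to connections we opened need no per-service rule
# (-m conntrack --ctstate is the current spelling of the slides' -m state --state)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets the tracker cannot place in any flow, e.g. stray ACKs or bad fragments
-A INPUT -m conntrack --ctstate INVALID -j DROP
# new connections this host explicitly offers
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -s $MGMT_NET -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# the DROP policy itself does not log, so log (rate-limited) and then drop;
# LOG is non-terminating, which is why the DROP rule must follow it
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
-A LOGDROP -j DROP
COMMIT
EOF
}

# Number of rules (-A lines) in the generated ruleset.
count_rules() { gen_ruleset | grep -c '^-A '; }

# Line number of the first rule matching a pattern, for checking rule order.
rule_line() { gen_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1; }

# Apply only when explicitly requested as root; otherwise print for review.
if [ "$APPLY" = "1" ] && [ "$(id -u)" = "0" ]; then
  gen_ruleset | iptables-restore
else
  gen_ruleset
fi
```

Run it without `APPLY=1` to review the generated ruleset; `sudo APPLY=1 sh firewall.sh` loads it, and `sudo iptables -L -v` (from slide 37) then shows the chains with their hit counters.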

  38. Virtual Private Networks (VPNs)

  39. Roadmap
     • Definition
     • VPN Uses
     • Types of VPNs
     • Protocol Details

  40. Definition
     A VPN is a link over a shared public network, typically the Internet, that simulates the behavior of dedicated WAN links over leased lines. A VPN uses encryption to authenticate the communications endpoints and to secure your data as it travels over an insecure network.

  41. VPN motivators
     • Confidentiality, Integrity & Authentication
       - Encryption
     • Bypass blocks
       - Border
       - Local ISP
     • Extends the office network
       - VoIP
       - Drive mapping
     • Collaboration
     • Enabling technology

  42. Some VPNs
     • Protocol
       - IPSec
         » Standards-based
         » Varied encryption levels
         » Flexible
       - SSL
         » Clientless (Web browser)
     • Application
       - SSH
     VPN is not a single solution

  43. IPSec Details
     IPSec protocol
     • Internet Standard
     • Two complementary protocols
       - Authentication Header (AH): prevents tampering with packet headers
       - Encapsulating Security Payload (ESP): provides confidentiality and integrity of packet contents

  44. IPSec Details – AH (Protocol 51)
     • AH Transport – used to authenticate the integrity of the datagram
       [diagram: IP Header | AH Header | Transport Layer Header (with Transport Layer options) | Data; all authenticated except mutable fields, e.g., TTL]
     As the entire packet is authenticated, there are some limitations. If using NAT or a firewall where a gateway changes your address, then the packet will fail to authenticate at the far end, as the source IP has changed. This is not to say that you cannot use IPSec with a NAT gateway, just that the gateway will have to be considered the endpoint.
